Re: Replace current implementations in crypt() and gen_salt() to OpenSSL - Mailing list pgsql-hackers

From Robert Haas
Subject Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Date
Msg-id CA+TgmoYR+zPhsJa+MSirjeA5i4Dy1AJGGf3=ZEQaaaFOhgnQpg@mail.gmail.com
In response to Re: Replace current implementations in crypt() and gen_salt() to OpenSSL  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
List pgsql-hackers
On Tue, Feb 20, 2024 at 5:09 PM Daniel Gustafsson <daniel@yesql.se> wrote:
> A fifth option is to throw away our in-tree implementations and use the OpenSSL
> API's for everything, which is where this thread started.  If the effort to
> payoff ratio is palatable to anyone then patches are for sure welcome.

That generally seems fine, although I'm fuzzy on what our policy
actually is. We have fallback implementations for some things and not
others, IIRC.

> > Does Linux provide some way of asking whether "fips=1" was specified
> > at kernel boot time?
>
> There is a crypto.fips_enabled sysctl but I have no idea how portable that is
> across distributions etc.

My guess would be that it's pretty portable, but my guesses about
Linux might not be very good. Still, if we wanted to go this route, it
probably wouldn't be too hard to figure out how portable this is.

--
Robert Haas
EDB: http://www.enterprisedb.com
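One way to probe the crypto.fips_enabled sysctl mentioned in the reply, as an added example in C (not code from this thread or from PostgreSQL): it reads the Linux-specific path /proc/sys/crypto/fips_enabled (an assumption here) and reports "unknown" rather than "disabled" when the knob is absent or unparseable, so a non-Linux host or a kernel without the knob is never silently treated as non-FIPS.

```c
/* Added example, not from the pgsql-hackers thread or the PostgreSQL tree:
 * detect whether the kernel was booted with fips=1 via the crypto.fips_enabled
 * sysctl, which Linux exposes as /proc/sys/crypto/fips_enabled (assumed path). */
#include <stdio.h>

/* Result of a FIPS-mode probe: 1 = enabled, 0 = disabled, -1 = unknown. */
enum fips_state { FIPS_UNKNOWN = -1, FIPS_DISABLED = 0, FIPS_ENABLED = 1 };

/* Parse the raw file contents. The kernel writes "0\n" or "1\n"; anything
 * else (empty, garbage) is reported as unknown, never assumed to be non-FIPS. */
enum fips_state parse_fips_sysctl(const char *buf)
{
    if (buf == NULL)
        return FIPS_UNKNOWN;
    /* Skip leading whitespace. */
    while (*buf == ' ' || *buf == '\t')
        buf++;
    if (buf[0] != '0' && buf[0] != '1')
        return FIPS_UNKNOWN;
    /* Only trailing whitespace may follow the single digit. */
    const char *p = buf + 1;
    while (*p == ' ' || *p == '\t' || *p == '\n' || *p == '\r')
        p++;
    if (*p != '\0')
        return FIPS_UNKNOWN;
    return buf[0] == '1' ? FIPS_ENABLED : FIPS_DISABLED;
}

/* Read the sysctl from the given path. A missing or unreadable file
 * (non-Linux, or a kernel without the knob) yields FIPS_UNKNOWN. */
enum fips_state read_fips_sysctl(const char *path)
{
    char buf[16];
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return FIPS_UNKNOWN;
    size_t n = fread(buf, 1, sizeof(buf) - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return parse_fips_sysctl(buf);
}

int main(void)
{
    enum fips_state s = read_fips_sysctl("/proc/sys/crypto/fips_enabled");
    printf("kernel FIPS mode: %s\n", s == FIPS_ENABLED ? "enabled"
           : s == FIPS_DISABLED ? "disabled" : "unknown");
    return 0;
}
```

A caller that wants to refuse non-approved crypt()/gen_salt() algorithms would treat FIPS_UNKNOWN as a separate case (log it, or consult OpenSSL's own FIPS state) rather than folding it into "disabled".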
