Home > mailing lists

Re: Replace current implementations in crypt() and gen_salt() to OpenSSL - Mailing list pgsql-hackers

From	Robert Haas
Subject	Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Date	February 20 14:27:02
Msg-id	CA+TgmoapPRHmFKPbnL90jomKv3Yrs2odA4gVN4UgBA6PjLsHiw@mail.gmail.com Whole thread Raw
In response to	Re: Replace current implementations in crypt() and gen_salt() to OpenSSL (Peter Eisentraut <peter@eisentraut.org>)
Responses	Re: Replace current implementations in crypt() and gen_salt() to OpenSSL Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
List	pgsql-hackers

Tree view

On Tue, Feb 20, 2024 at 4:49 PM Peter Eisentraut <peter@eisentraut.org> wrote:
> I think there are several less weird ways to address this:
>
> * Just document it.
>
> * Make a pgcrypto-level GUC setting.
>
> * Split out these functions into a separate extension.
>
> * Deprecate these functions.
>
> Or some combination of these.

I don't think the first two of these proposals help anything. AIUI,
FIPS mode is supposed to be a system wide toggle that affects
everything on the machine. The third one might help if you can be
compliant by just choosing not to install that extension, and the
fourth one solves the problem by sledgehammer.

Does Linux provide some way of asking whether "fips=1" was specified
at kernel boot time?

--
Robert Haas
EDB: http://www.enterprisedb.com

pgsql-hackers by date:

From: Robert Haas
Date: 20 February, 14:20:27
Subject: Re: A new message seems missing a punctuation

From: Ильясов Ян
Date: 20 February, 14:28:03
Subject: Integer undeflow in fprintf in dsa.c

Re: Replace current implementations in crypt() and gen_salt() to OpenSSL - Mailing list pgsql-hackers

Previous

Next