My last message showed a failed delivery, so resending it.

> Daniel should have the last word on that, I guess, as it is his
> feature, but the semantics I have chosen are harder than that:
> - If the GUC is off, block everything.
> - If the GUC is on, allow everything.
> - If the GUC is fips, block the non-fips ciphers and allow the fips
> ciphers.
>
> This behavior would be more consistent and symmetric with the other
> functions, at least IMHO.

The intent behind gating the check on fips_allowed was that the GUC
(commit 035f99c) was designed to block built-in crypto (gen_salt,
crypt) which use PostgreSQL's own implementations. PGP with AES goes
through OpenSSL's FIPS-validated EVP interface, so blocking it under
builtin_crypto_enabled=off felt like it went beyond what the GUC was
designed for.

That said, you and Daniel have far more context on the codebase and its
history than I do, so I'm happy to adjust or defer to whichever
approach you both prefer.