Home > mailing lists

RE: Replace current implementations in crypt() and gen_salt() to OpenSSL - Mailing list pgsql-hackers

From	Koshi Shibagaki (Fujitsu)
Subject	RE: Replace current implementations in crypt() and gen_salt() to OpenSSL
Date	February 16 14:35:41
Msg-id	TYCPR01MB1168485BDD0392462C7D1D79CFA4C2@TYCPR01MB11684.jpnprd01.prod.outlook.com Whole thread Raw
In response to	Re: Replace current implementations in crypt() and gen_salt() to OpenSSL (Daniel Gustafsson <daniel@yesql.se>)
List	pgsql-hackers

Tree view

Dear Daniel

Thanks for your reply.

> I wonder if it's worth trying to make pgcrypto disallow non-FIPS compliant
> ciphers when the compiled against OpenSSL is running with FIPS mode
> enabled, or raise a WARNING when used?  It seems rather unlikely that
> someone running OpenSSL with FIPS=yes want to use our DES cipher without
> there being an error or misconfiguration somewhere.

Indeed, users do not use non-FIPS compliant ciphers in crypt() and gen_salt()
such as DES with FIPS mode enabled.
However, can we reduce human error by having these functions make the judgment
as to whether ciphers can or cannot be used?

If pgcrypto checks if FIPS enabled or not as in the pseudocode, it is easier to
achieve than replacing to OpenSSL.
Currently, OpenSSL internally determines if it is in FIPS mode or not, but would
it be a problem to have PostgreSQL take on that role?

-----------------------------------------------
Fujitsu Limited
Shibagaki Koshi
shibagaki.koshi@fujitsu.com

pgsql-hackers by date:

From: "Koshi Shibagaki (Fujitsu)"
Date: 16 February, 14:32:44
Subject: RE: Replace current implementations in crypt() and gen_salt() to OpenSSL

From: Joe Conway
Date: 16 February, 14:56:13
Subject: Re: Replace current implementations in crypt() and gen_salt() to OpenSSL

RE: Replace current implementations in crypt() and gen_salt() to OpenSSL - Mailing list pgsql-hackers

Previous

Next