Re: BUG #19457: RE: pgp_sym_encrypt silently accepts non-FIPS ciphers (bf, cast5, 3des) when OpenSSL is in FIPS mod - Mailing list pgsql-bugs

From Michael Paquier
Subject Re: BUG #19457: RE: pgp_sym_encrypt silently accepts non-FIPS ciphers (bf, cast5, 3des) when OpenSSL is in FIPS mod
Msg-id aervokmPnxlO6Oqs@paquier.xyz
In response to Re: BUG #19457: RE: pgp_sym_encrypt silently accepts non-FIPS ciphers (bf, cast5, 3des) when OpenSSL is in FIPS mod  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: BUG #19457: RE: pgp_sym_encrypt silently accepts non-FIPS ciphers (bf, cast5, 3des) when OpenSSL is in FIPS mod
List pgsql-bugs
On Tue, Apr 21, 2026 at 04:04:40PM +0200, Daniel Gustafsson wrote:
> Not just FIPS, it should check CheckBuiltinCryptoMode() to be consistent with
> the other builtin checks.

I am interested in getting that fixed for the next point release, so
I have given it a try, finishing with the attached.  This would cause
pgp_sym_encrypt() and pgp_sym_decrypt() to complain when the builtin
mode is disabled, making things more consistent with the surroundings.

I agree that this could break environments where builtin_crypto is
off, as the functions would now be blocked, but I am not sure that
this is worth worrying about as builtin_crypto=on is the default.

Daniel, what do you think?
--
Michael
