Hi
This is Shibagaki.
When FIPS mode is enabled, some encryption algorithms cannot be used.
Since PostgreSQL 15, pgcrypto requires OpenSSL [1], and digest() and other functions
also follow this policy.
However, crypt() and gen_salt() do not use OpenSSL as mentioned in [2].
Therefore, if we run crypt() and gen_salt() on a machine with FIPS mode enabled,
they are not affected by FIPS mode. This means we can use encryption algorithms
disallowed in FIPS.
I would like to change the proprietary implementations of crypt() and gen_salt()
to use the OpenSSL API.
If it's not a problem, I am going to create a patch, but if you have a better
approach, please let me know.
Thank you
[1] https://github.com/postgres/postgres/commit/db7d1a7b0530e8cbd045744e1c75b0e63fb6916f
[2] https://peter.eisentraut.org/blog/2023/12/05/postgresql-and-fips-mode
crypt() and gen_salt() are performed in the example below.
/////
-- OS RHEL8.6
$openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
$fips-mode-setup --check
FIPS mode is enabled.
$./pgsql17/bin/psql
psql (17devel)
Type "help" for help.
postgres=# SHOW server_version;
server_version
----------------
17devel
(1 row)
postgres=# SELECT digest('data','md5');
ERROR: Cannot use "md5": Cipher cannot be initialized
postgres=# SELECT crypt('new password',gen_salt('md5')); -- md5 is not available when fips mode is turned on. This is normal behavior
ERROR: crypt(3) returned NULL
postgres=# SELECT crypt('new password',gen_salt('des')); -- however, des is available. This may break a FIPS rule
crypt
---------------
32REGk7H6dSnE
(1 row)
/////
FYI - OpenSSL itself cannot use the DES algorithm while encrypting files. This is expected behavior.
-----------------------------------------------
Fujitsu Limited
Shibagaki Koshi
shibagaki.koshi@fujitsu.com
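
Added example, not part of the original message: an audit query that classifies stored crypt() output by the gen_salt() type that produced it, so rows hashed by pgcrypto's built-in implementations can be found on a FIPS-enabled host. The table name, column names and every hash except the des value quoted in the message are constructed for illustration.

```sql
-- Classify crypt() output by its format. Each gen_salt() type used by pgcrypto
-- leaves a recognisable prefix and length:
--   bf   : $2a$NN$ followed by 53 characters (22 salt + 31 hash)
--   md5  : $1$ + up to 8 salt characters + $ + 22 hash characters
--   xdes : _ followed by 19 characters (4 count + 4 salt + 11 hash)
--   des  : 13 characters (2 salt + 11 hash)
WITH accounts(username, pw_hash) AS (   -- hypothetical table, inlined as VALUES
    VALUES
        ('alice', '32REGk7H6dSnE'),                        -- des output from the message
        ('bob',   '$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV'),   -- constructed, md5 shape
        ('carol', '_J9..abcdABCDEFGHIJK'),                 -- constructed, xdes shape
        ('dave',  '$2a$06$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'),
                                                           -- constructed, bf shape
        ('erin',  'not-a-crypt-hash')                      -- constructed, unrecognised
),
classified AS (
    SELECT username,
           CASE
               WHEN pw_hash ~ '^\$2[axy]?\$[0-9]{2}\$[./A-Za-z0-9]{53}$'       THEN 'bf'
               WHEN pw_hash ~ '^\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$'   THEN 'md5'
               WHEN pw_hash ~ '^_[./A-Za-z0-9]{19}$'                           THEN 'xdes'
               WHEN pw_hash ~ '^[./A-Za-z0-9]{13}$'                            THEN 'des'
               ELSE 'unknown'
           END AS crypt_type
    FROM accounts
)
-- One row per algorithm, with the affected accounts, for follow-up re-hashing.
SELECT crypt_type,
       count(*)                              AS n_accounts,
       array_agg(username ORDER BY username) AS usernames
FROM classified
GROUP BY crypt_type
ORDER BY crypt_type;
```

Replace the `accounts` CTE with the real table and password column to run it against stored data; the patterns assume standard_conforming_strings is on (the default).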