Re: Replace current implementations in crypt() and gen_salt() to OpenSSL

On 1/22/25 17:49, Daniel Gustafsson wrote:
>> On 22 Jan 2025, at 19:59, Joe Conway <mail@joeconway.com> wrote:
> 
>> I found it necessary to add:
>>  #include <openssl/crypto.h>
>> in
>>  contrib/pgcrypto/openssl.c
>> to avoid a symbol not defined warning.
> 
> Makes sense, it doesn't reproduce in my tree but reading OpenSSL code it seems
> very plausible (and clearly happens in your environment).
> 
>> Although come to think of it, probably:
>>  "use of non-FIPS certified crypto"
>>                   ^^^^^^^^^
>> should rather say:
>>  "use of non-FIPS validated crypto"
>>                   ^^^^^^^^^
> 
> That's probably better yes.  I was under the impression that the terminology
> used was "FIPS certified" but reading the OpenSSL and FIPS documentation they
> too use "FIPS validated" so I've switched to that as per your comment.
> 
>> FWIW, I tested with non-FIPS (OpenSSL 3.0.13 30 Jan 2024) on Linux Mint 22.1 and FIPS (aws-lc [1][2]) on Amazon
Linux2023.
 
> 
> Thanks.  My testing has been with a range of plain upstream OpenSSL trees from
> 1.1.1 to 3.4 (compiled on macOS).
> 
> Rebased v10 with the above fixed attached.


LGTM

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com