pgcrypto: Add function to check FIPS mode

This adds a SQL callable function for reading and returning the status of FIPS configuration of OpenSSL. If OpenSSL is operating with FIPS enabled it will return true, otherwise false. As this adds a function to the SQL file, bump the extension version to 1.4. Author: Daniel Gustafsson <daniel@yesql.se> Reviewed-by: Joe Conway <mail@joeconway.com> Discussion: https://postgr.es/m/8f979145-e206-475a-a31b-73c977a4134c@joeconway.com
2025-07-28 23:42:10 +03:00 · 2025-01-24 14:18:40 +01:00
parent c44c2d2759
commit 924d89a354
8 changed files with 65 additions and 2 deletions
--- a/contrib/pgcrypto/openssl.c
+++ b/contrib/pgcrypto/openssl.c
@ -794,3 +794,30 @@ ResOwnerReleaseOSSLCipher(Datum res)
 {
 	free_openssl_cipher((OSSLCipher *) DatumGetPointer(res));
 }
+
+/*
+ * CheckFIPSMode
+ *
+ * Returns the FIPS mode of the underlying OpenSSL installation.
+ */
+bool
+CheckFIPSMode(void)
+{
+	int			fips_enabled = 0;
+
+	/*
+	 * EVP_default_properties_is_fips_enabled was added in OpenSSL 3.0, before
+	 * that FIPS_mode() was used to test for FIPS being enabled.  The last
+	 * upstream OpenSSL version before 3.0 which supported FIPS was 1.0.2, but
+	 * there are forks of 1.1.1 which are FIPS validated so we still need to
+	 * test with FIPS_mode() even though we don't support 1.0.2.
+	 */
+	fips_enabled =
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		EVP_default_properties_is_fips_enabled(NULL);
+#else
+		FIPS_mode();
+#endif
+
+	return (fips_enabled == 1);
+}