			
		
		
		
	When using OpenSSL and/or the underlying operating system in FIPS mode, no non-FIPS-certified crypto implementations should be used. While that is already possible by just not invoking the built-in crypto in pgcrypto, this adds a GUC which prohibits the code from being called. This doesn't change the FIPS status of PostgreSQL but can make it easier for sites which target FIPS compliance to ensure that violations cannot occur. Author: Daniel Gustafsson <daniel@yesql.se> Author: Joe Conway <mail@joeconway.com> Reviewed-by: Joe Conway <mail@joeconway.com> Reviewed-by: Peter Eisentraut <peter@eisentraut.org> Reviewed-by: Hayato Kuroda <kuroda.hayato@fujitsu.com> Discussion: https://postgr.es/m/16b4a157-9ea1-44d0-b7b3-4c85df5de97b@joeconway.com
		
			
				
	
	
		
		
	
	
	
	
	
| --
 | |
| -- crypt() and gen_salt(): crypt-des
 | |
| --
 | |
| SELECT crypt('', 'NB');
 | |
|      crypt     
 | |
| ---------------
 | |
|  NBPx/38Y48kHg
 | |
| (1 row)
 | |
| 
 | |
| SELECT crypt('foox', 'NB');
 | |
|      crypt     
 | |
| ---------------
 | |
|  NB53EGGqrrb5E
 | |
| (1 row)
 | |
| 
 | |
| -- We are supposed to pass in a 2-character salt.
 | |
| -- error since salt is too short:
 | |
| SELECT crypt('password', 'a');
 | |
| ERROR:  invalid salt
 | |
| CREATE TABLE ctest (data text, res text, salt text);
 | |
| INSERT INTO ctest VALUES ('password', '', '');
 | |
| UPDATE ctest SET salt = gen_salt('des');
 | |
| UPDATE ctest SET res = crypt(data, salt);
 | |
| SELECT res = crypt(data, res) AS "worked"
 | |
| FROM ctest;
 | |
|  worked 
 | |
| --------
 | |
|  t
 | |
| (1 row)
 | |
| 
 | |
| -- check disabling of built in crypto functions
 | |
| SET pgcrypto.builtin_crypto_enabled = off;
 | |
| UPDATE ctest SET salt = gen_salt('des');
 | |
| ERROR:  use of built-in crypto functions is disabled
 | |
| UPDATE ctest SET res = crypt(data, salt);
 | |
| ERROR:  use of built-in crypto functions is disabled
 | |
| RESET pgcrypto.builtin_crypto_enabled;
 | |
| DROP TABLE ctest;
 |