author Daniel Gustafsson 2025-01-24 13:25:08 +0000
committer Daniel Gustafsson 2025-01-24 13:25:08 +0000
commit 035f99cbebe5ffcaf52f8370394446cd59621ab7
tree 1d9396c1e7ad2ea07daee1b32ccba55e2b24a461 /contrib/pgcrypto/sql
parent 924d89a354750976cdd271d1dfc6c1e97cbb8851
pgcrypto: Make it possible to disable built-in crypto
When using OpenSSL and/or the underlying operating system in FIPS mode no non-FIPS certified crypto implementations should be used. While that is already possible by just not invoking the built-in crypto in pgcrypto, this adds a GUC which prohibits the code from being called. This doesn't change the FIPS status of PostgreSQL but can make it easier for sites which target FIPS compliance to ensure that violations cannot occur.

Author: Daniel Gustafsson <daniel@yesql.se>
Author: Joe Conway <mail@joeconway.com>
Reviewed-by: Joe Conway <mail@joeconway.com>
Reviewed-by: Peter Eisentraut <peter@eisentraut.org>
Reviewed-by: Hayato Kuroda <kuroda.hayato@fujitsu.com>
Discussion: https://postgr.es/m/16b4a157-9ea1-44d0-b7b3-4c85df5de97b@joeconway.com
Diffstat (limited to 'contrib/pgcrypto/sql')
-rw-r--r-- contrib/pgcrypto/sql/crypt-des.sql 6
1 files changed, 6 insertions, 0 deletions
diff --git a/contrib/pgcrypto/sql/crypt-des.sql b/contrib/pgcrypto/sql/crypt-des.sql
index a85ec1e6555..58cc9d2720a 100644
--- a/contrib/pgcrypto/sql/crypt-des.sql
+++ b/contrib/pgcrypto/sql/crypt-des.sql
@@ -18,4 +18,10 @@ UPDATE ctest SET res = crypt(data, salt);
SELECT res = crypt(data, res) AS "worked"
FROM ctest;
+-- check disabling of built in crypto functions
+SET pgcrypto.builtin_crypto_enabled = off;
+UPDATE ctest SET salt = gen_salt('des');
+UPDATE ctest SET res = crypt(data, salt);
+RESET pgcrypto.builtin_crypto_enabled;
+
DROP TABLE ctest;
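Review bot: The comment "-- check disabling of built in crypto functions" does not say what result is expected from the two UPDATE statements that follow "SET pgcrypto.builtin_crypto_enabled = off;", so a reader of the SQL cannot tell whether gen_salt('des') and crypt() are both meant to fail or only one of them; state the expected outcome in the comment. Also, nothing runs between "RESET pgcrypto.builtin_crypto_enabled;" and "DROP TABLE ctest;", so the test never shows that crypt() works again once the setting is restored. Repeating the earlier 'SELECT res = crypt(data, res) AS "worked" FROM ctest;' after the RESET would cover that and would also confirm that the rows in ctest are the same as before the setting was turned off.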