Diffstat (limited to 'contrib/pgcrypto/openssl.c')
-rw-r--r-- | contrib/pgcrypto/openssl.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/contrib/pgcrypto/openssl.c b/contrib/pgcrypto/openssl.c
index e6870c72c9a..75f40a2d034 100644
--- a/contrib/pgcrypto/openssl.c
+++ b/contrib/pgcrypto/openssl.c
@@ -31,6 +31,7 @@
 #include "postgres.h"
+#include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
@@ -821,3 +822,28 @@ CheckFIPSMode(void)
 return (fips_enabled == 1);
 }
+
+/*
+ * CheckBuiltinCryptoMode
+ *
+ * Function for erroring out in case built-in crypto is executed when the user
+ * has disabled it. If builtin_crypto_enabled is set to BC_OFF or BC_FIPS and
+ * OpenSSL is operating in FIPS mode the function will error out, else the
+ * query executing built-in crypto can proceed.
+ */
+void
+CheckBuiltinCryptoMode(void)
+{
+ if (builtin_crypto_enabled == BC_ON)
+ return;
+
+ if (builtin_crypto_enabled == BC_OFF)
+ ereport(ERROR,
+ errmsg("use of built-in crypto functions is disabled"));
+
+ Assert(builtin_crypto_enabled == BC_FIPS);
+
+ if (CheckFIPSMode() == true)
+ ereport(ERROR,
+ errmsg("use of non-FIPS validated crypto not allowed when OpenSSL is in FIPS mode"));
+}
|
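Review bot: Both `ereport(ERROR, ...)` calls in CheckBuiltinCryptoMode omit `errcode()`, so the refusal is raised with the default internal-error SQLSTATE and clients or log monitoring cannot tell a policy denial from a server fault; consider an explicit code, for example `errcode(ERRCODE_FEATURE_NOT_SUPPORTED),` ahead of each `errmsg(...)`. The header comment also reads as if the FIPS condition applied to BC_OFF, while the code errors unconditionally for BC_OFF and only under FIPS mode for BC_FIPS; I would word it as `BC_OFF always errors out; BC_FIPS errors out only when OpenSSL is operating in FIPS mode`. In builds without assertions the `Assert` is compiled out, so any value other than the three named ones would fall through to the FIPS check and be allowed outside FIPS mode; the definition of builtin_crypto_enabled is not visible here, so confirm it can only hold those values. The gate is only effective if every built-in crypto entry point calls it, and those call sites are outside this file's hunks.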