Diffstat (limited to 'contrib/pgcrypto/openssl.c')
-rw-r--r-- | contrib/pgcrypto/openssl.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/contrib/pgcrypto/openssl.c b/contrib/pgcrypto/openssl.c
index 448db331a0f..e6870c72c9a 100644
--- a/contrib/pgcrypto/openssl.c
+++ b/contrib/pgcrypto/openssl.c
@@ -794,3 +794,30 @@ ResOwnerReleaseOSSLCipher(Datum res)
 {
 free_openssl_cipher((OSSLCipher *) DatumGetPointer(res));
 }
+
+/*
+ * CheckFIPSMode
+ *
+ * Returns the FIPS mode of the underlying OpenSSL installation.
+ */
+bool
+CheckFIPSMode(void)
+{
+ int fips_enabled = 0;
+
+ /*
+ * EVP_default_properties_is_fips_enabled was added in OpenSSL 3.0, before
+ * that FIPS_mode() was used to test for FIPS being enabled. The last
+ * upstream OpenSSL version before 3.0 which supported FIPS was 1.0.2, but
+ * there are forks of 1.1.1 which are FIPS validated so we still need to
+ * test with FIPS_mode() even though we don't support 1.0.2.
+ */
+ fips_enabled =
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_default_properties_is_fips_enabled(NULL);
+#else
+ FIPS_mode();
+#endif
+
+ return (fips_enabled == 1);
+} |
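Review bot: The header comment on CheckFIPSMode promises "the FIPS mode of the underlying OpenSSL installation", but on the OpenSSL 3.0+ branch `EVP_default_properties_is_fips_enabled(NULL)` only reports whether `fips=yes` is a default property of the default library context; it does not show that a FIPS provider is loaded or that an algorithm fetch will succeed. Callers that expose this value or gate behaviour on it should not read it as proof that validated cryptography is in use, so I would narrow the comment, e.g. `* Reports whether FIPS mode is requested for the default OpenSSL library context; it does not verify that a validated module is actually loaded.` The `#else` branch also assumes that every pre-3.0 libcrypto the build supports declares `FIPS_mode()`, which is not visible in this hunk and is worth confirming.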