Commit924d89a

pgcrypto: Add function to check FIPS mode
This adds a SQL callable function for reading and returning the status of FIPS configuration of OpenSSL. If OpenSSL is operating with FIPS enabled it will return true, otherwise false. As this adds a function to the SQL file, bump the extension version to 1.4.

Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Joe Conway <mail@joeconway.com>
Discussion: https://postgr.es/m/8f979145-e206-475a-a31b-73c977a4134c@joeconway.com
1 parentc44c2d2 commit924d89a


8 files changed

+65
-2
lines changed


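--- a/contrib/pgcrypto/Makefile
+++ b/contrib/pgcrypto/Makefile
@@ -36,7 +36,7 @@ MODULE_big= pgcrypto
 
 EXTENSION = pgcrypto
 DATA = pgcrypto--1.3.sql pgcrypto--1.2--1.3.sql pgcrypto--1.1--1.2.sql\
-pgcrypto--1.0--1.1.sql
+pgcrypto--1.0--1.1.sql pgcrypto--1.3--1.4.sql
 PGFILEDESC = "pgcrypto - cryptographic functions"
 
 REGRESS = init md5 sha1 hmac-md5 hmac-sha1 blowfish rijndael\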

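--- a/contrib/pgcrypto/meson.build
+++ b/contrib/pgcrypto/meson.build
@@ -93,6 +93,7 @@ install_data(
 'pgcrypto--1.1--1.2.sql',
 'pgcrypto--1.2--1.3.sql',
 'pgcrypto--1.3.sql',
+'pgcrypto--1.3--1.4.sql',
 'pgcrypto.control',
 kwargs: contrib_data_args,
 )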

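--- a/contrib/pgcrypto/openssl.c
+++ b/contrib/pgcrypto/openssl.c
@@ -794,3 +794,30 @@ ResOwnerReleaseOSSLCipher(Datum res)
 {
 free_openssl_cipher((OSSLCipher*)DatumGetPointer(res));
 }
+
+/*
+* CheckFIPSMode
+*
+* Returns the FIPS mode of the underlying OpenSSL installation.
+*/
+bool
+CheckFIPSMode(void)
+{
+intfips_enabled=0;
+
+/*
+* EVP_default_properties_is_fips_enabled was added in OpenSSL 3.0, before
+* that FIPS_mode() was used to test for FIPS being enabled. The last
+* upstream OpenSSL version before 3.0 which supported FIPS was 1.0.2, but
+* there are forks of 1.1.1 which are FIPS validated so we still need to
+* test with FIPS_mode() even though we don't support 1.0.2.
+*/
+fips_enabled=
+#ifOPENSSL_VERSION_NUMBER >=0x30000000L
+EVP_default_properties_is_fips_enabled(NULL);
+#else
+FIPS_mode();
+#endif
+
+return (fips_enabled==1);
+}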
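Review bot: The header comment on CheckFIPSMode() promises more than the OpenSSL 3.0 branch checks: `EVP_default_properties_is_fips_enabled(NULL)` reports only whether the default library context has `fips=yes` among its default properties, not that a FIPS provider is actually loaded or that any particular algorithm is approved. A caller who reads a true result as a compliance guarantee can be misled, and any pgcrypto code path that does not go through OpenSSL is presumably not covered by this flag at all. I would extend the comment with `* Note: this reflects the default property query of the default library context only; it does not verify that the FIPS provider is loaded.` and mirror the caveat in the user documentation. Minor style: the `= 0` initializer on `fips_enabled` is dead, since the variable is assigned unconditionally right after.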
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
/* contrib/pgcrypto/pgcrypto--1.3--1.4.sql*/
2+
3+
-- complain if script is sourced in psql, rather than via ALTER EXTENSION
4+
\echo Use"ALTER EXTENSION pgcrypto UPDATE TO '1.4'" to load this file. \quit
5+
6+
CREATEFUNCTIONfips_mode()
7+
RETURNS bool
8+
AS'MODULE_PATHNAME','pg_check_fipsmode'
9+
LANGUAGE C VOLATILE STRICT PARALLEL SAFE;
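Review bot: `fips_mode()` is created with the default EXECUTE privilege for PUBLIC, so every role in a database where pgcrypto is installed can query whether the server's OpenSSL runs in FIPS mode. That is probably intended, but it should be a stated decision: either say so in the documentation or add `REVOKE EXECUTE ON FUNCTION fips_mode() FROM PUBLIC;` to this script. Separately, `STRICT` has no effect on a function that takes no arguments and can be dropped.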

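--- a/contrib/pgcrypto/pgcrypto.c
+++ b/contrib/pgcrypto/pgcrypto.c
@@ -450,6 +450,14 @@ pg_random_uuid(PG_FUNCTION_ARGS)
 returngen_random_uuid(fcinfo);
 }
 
+PG_FUNCTION_INFO_V1(pg_check_fipsmode);
+
+Datum
+pg_check_fipsmode(PG_FUNCTION_ARGS)
+{
+PG_RETURN_BOOL(CheckFIPSMode());
+}
+
 staticvoid*
 find_provider(text*name,
 PFNprovider_lookup,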
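Review bot: `pg_check_fipsmode` carries no comment tying it to its SQL name, and the three names involved (`fips_mode` in SQL, `pg_check_fipsmode` here, `CheckFIPSMode` in openssl.c) differ enough that finding one from another by grep is not obvious. A one-line header such as `/* SQL function: fips_mode() returns bool */` above `PG_FUNCTION_INFO_V1(pg_check_fipsmode);` would close that gap. The trailing context (`find_provider`) continues outside the hunk.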

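--- a/contrib/pgcrypto/pgcrypto.control
+++ b/contrib/pgcrypto/pgcrypto.control
@@ -1,6 +1,6 @@
 # pgcrypto extension
 comment = 'cryptographic functions'
-default_version = '1.3'
+default_version = '1.4'
 module_pathname = '$libdir/pgcrypto'
 relocatable = true
 trusted = true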

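--- a/contrib/pgcrypto/px.h
+++ b/contrib/pgcrypto/px.h
@@ -182,6 +182,8 @@ voidpx_set_debug_handler(void (*handler) (const char *));
 
 voidpx_memset(void*ptr,intc,size_tlen);
 
+boolCheckFIPSMode(void);
+
 #ifdefPX_DEBUG
 voidpx_debug(constchar*fmt,...)pg_attribute_printf(1,2);
 #else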

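--- a/doc/src/sgml/pgcrypto.sgml
+++ b/doc/src/sgml/pgcrypto.sgml
@@ -1149,6 +1149,22 @@ gen_random_uuid() returns uuid
 </para>
 </sect2>
 
+<sect2 id="pgcrypto-openssl-support-funcs">
+<title>OpenSSL Support Functions</title>
+
+<indexterm>
+<primary>fips_mode</primary>
+</indexterm>
+
+<synopsis>
+fips_mode() returns boolean
+</synopsis>
+<para>
+Returns <literal>true</literal> if <productname>OpenSSL</productname> is
+running with FIPS mode enabled, otherwise <literal>false</literal>.
+</para>
+</sect2>
+
 <sect2 id="pgcrypto-notes">
 <title>Notes</title>
 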