=== Applying patches on top of PostgreSQL commit ID 79e872fedb4d2f73baa0a80ba572480774edc61b === /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider migrating to /etc/jail.conf. Sat Feb 1 07:54:30 UTC 2025 On branch cf/5332 nothing to commit, working tree clean === applying patch ./v10-0001-pgcrypto-Add-function-to-check-FIPS-mode.patch Applied patch to 'contrib/pgcrypto/Makefile' cleanly. Applied patch to 'contrib/pgcrypto/meson.build' cleanly. Applied patch to 'contrib/pgcrypto/openssl.c' with conflicts. Performing three-way merge... Applied patch to 'contrib/pgcrypto/pgcrypto--1.3--1.4.sql' cleanly. Applied patch to 'contrib/pgcrypto/pgcrypto.c' cleanly. Applied patch to 'contrib/pgcrypto/pgcrypto.control' cleanly. Applied patch to 'contrib/pgcrypto/px.h' with conflicts. Applied patch to 'doc/src/sgml/pgcrypto.sgml' with conflicts. U contrib/pgcrypto/openssl.c U contrib/pgcrypto/px.h U doc/src/sgml/pgcrypto.sgml diff --cc contrib/pgcrypto/openssl.c index 75f40a2d03,b298404598..0000000000 --- a/contrib/pgcrypto/openssl.c +++ b/contrib/pgcrypto/openssl.c @@@ -805,12 -804,11 +805,19 @@@ boo CheckFIPSMode(void) { int fips_enabled = 0; ++<<<<<<< ours + ++======= ++>>>>>>> theirs /* * EVP_default_properties_is_fips_enabled was added in OpenSSL 3.0, before * that FIPS_mode() was used to test for FIPS being enabled. The last * upstream OpenSSL version before 3.0 which supported FIPS was 1.0.2, but ++<<<<<<< ours + * there are forks of 1.1.1 which are FIPS validated so we still need to ++======= + * there are forks of 1.1.1 which are FIPS certified so we still need to ++>>>>>>> theirs * test with FIPS_mode() even though we don't support 1.0.2. */ fips_enabled = @@@ -822,28 -820,3 +829,31 @@@ return (fips_enabled == 1); } ++<<<<<<< ours + +/* + * CheckBuiltinCryptoMode + * + * Function for erroring out in case built-in crypto is executed when the user + * has disabled it. 
If builtin_crypto_enabled is set to BC_OFF or BC_FIPS and + * OpenSSL is operating in FIPS mode the function will error out, else the + * query executing built-in crypto can proceed. + */ +void +CheckBuiltinCryptoMode(void) +{ + if (builtin_crypto_enabled == BC_ON) + return; + + if (builtin_crypto_enabled == BC_OFF) + ereport(ERROR, + errmsg("use of built-in crypto functions is disabled")); + + Assert(builtin_crypto_enabled == BC_FIPS); + + if (CheckFIPSMode() == true) + ereport(ERROR, + errmsg("use of non-FIPS validated crypto not allowed when OpenSSL is in FIPS mode")); +} ++======= ++>>>>>>> theirs diff --cc contrib/pgcrypto/px.h index 37013cd9f8,c2c2fc3124..0000000000 --- a/contrib/pgcrypto/px.h +++ b/contrib/pgcrypto/px.h @@@ -191,7 -183,6 +191,10 @@@ void px_set_debug_handler(void (*handl void px_memset(void *ptr, int c, size_t len); bool CheckFIPSMode(void); ++<<<<<<< ours +void CheckBuiltinCryptoMode(void); ++======= ++>>>>>>> theirs #ifdef PX_DEBUG void px_debug(const char *fmt,...) pg_attribute_printf(1, 2); diff --cc doc/src/sgml/pgcrypto.sgml index a4d035eabd,838d7532a5..0000000000 --- a/doc/src/sgml/pgcrypto.sgml +++ b/doc/src/sgml/pgcrypto.sgml @@@ -1165,44 -1165,6 +1165,47 @@@ fips_mode() returns boolea ++<<<<<<< ours + + Configuration Parameters + + + There is one configuration parameter that controls the behavior of + pgcrypto. + + + + + + pgcrypto.builtin_crypto_enabled (enum) + + pgcrypto.builtin_crypto_enabled configuration + parameter + + + + + pgcrypto.builtin_crypto_enabled determines if the + built in crypto functions gen_salt(), and + crypt() are available for use. Setting this to + off disables these functions. on + (the default) enables these functions to work normally. + fips disables these functions if + OpenSSL is detected to operate in FIPS mode. + + + + + + + In ordinary usage, this parameter is set + in postgresql.conf, although superusers can alter it + on-the-fly within their own sessions. + + + ++======= ++>>>>>>> theirs Notes
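Review bot: The openssl.c hunk at `@@@ -822,28 -820,3 +829,31 @@@` still contains unresolved `<<<<<<< ours` / `>>>>>>> theirs` markers, with the whole of `CheckBuiltinCryptoMode()` on the "ours" side and nothing on "theirs", so the resolution has to keep "ours". Taking "theirs" would silently remove the check that blocks built-in crypto when `builtin_crypto_enabled` is `BC_OFF`, or `BC_FIPS` with OpenSSL in FIPS mode. The same applies to the `void CheckBuiltinCryptoMode(void);` prototype in the px.h hunk and the `pgcrypto.builtin_crypto_enabled` section in the pgcrypto.sgml hunk. Because `CheckFIPSMode()` appears as context common to both sides, the base tree apparently already has it, which suggests the v10 patch is stale and should be regenerated against the current tree rather than hand-merged. Inside the function, the `BC_FIPS` case is guarded only by `Assert(builtin_crypto_enabled == BC_FIPS);`, which has no effect in builds without assertions, so a comment such as `/* any value other than BC_ON or BC_OFF is handled as BC_FIPS */` would make that fallthrough explicit.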