public inbox for [email protected]  
From: Shishir Sharma <[email protected]>
To: Michael Paquier <[email protected]>
Cc: Daniel Gustafsson <[email protected]>
Cc: [email protected]
Subject: Re: BUG #19457: RE: pgp_sym_encrypt silently accepts non-FIPS ciphers (bf, cast5, 3des) when OpenSSL is in FIPS mod
Date: Sat, 25 Apr 2026 11:38:50 +0530
Message-ID: <CABV8eT1HBwmssr8=Xqp2Q65uN1=L=zuJK9hAgqc_gxnq7gaQcw@mail.gmail.com> (raw)
In-Reply-To: <CABV8eT0YZzKmedQsYGP9AkHSK+rKr=rjUFrRQnFfeg1UsVKsXg@mail.gmail.com>

My last message showed a failed delivery, so resending it.

> Daniel should have the last word on that, I guess, as it is his
> feature, but the semantics I have chosen are harder than that:
> - If the GUC is off, block everything.
> - If the GUC is on, allow everything.
> - If the GUC is fips, block the non-fips ciphers and allow the fips
> ciphers.
>
> This behavior would be more consistent and symmetric with the other
> functions, at least IMHO.

The intent behind gating the check on fips_allowed was that the GUC
(commit *035f99c*) was designed to block built-in crypto (gen_salt,
crypt) which use PostgreSQL's own implementations. PGP with AES goes
through OpenSSL's FIPS-validated EVP interface, so blocking it under
builtin_crypto_enabled=off felt like it went beyond what the GUC was
designed for.

That said, you and Daniel have far more context on the codebase and its
history than I do, so I'm happy to adjust or defer to whichever
approach you both prefer.
