Re: FIPS mode?

On Sat, Jun 24, 2017 at 12:56 PM, Curtis Ruck
<curtis(dot)ruck+pgsql(dot)hackers(at)gmail(dot)com> wrote:
> I've got a requirement for enabling FIPS support in our environment.
> Looking at postgresql's be-secure-openssl.c and mucking with it, it seems
> fairly straight forward to just add a few ifdefs and enable fips with a new
> configure flag and a new postgresql.conf configuration setting.
>
> If I clean this up some, maintain styleguide, what is the likely hood of
> getting this included in the redhat packages, since redhat ships a certified
> FIPS implementation?

So they are applying a custom patch to it already?

> For what its worth, I've got the FIPS_mode_set(1) working and postgresql
> seems to function properly. I'd just like to see this in upstream so I
> don't end up maintaining a long-lived branch.
>
> Looking at scope, logically it seems mostly confined to libpq, and
> be-secure-openssl.c, though i'd expect pgcrypto to be affected.

Yes, I would imagine atht this is located into be-secure-openssl.c and
fe-secure-openssl.c as everything should be done when initializing the
SSL context.

Here is a manual about patch submission:
https://wiki.postgresql.org/wiki/Submitting_a_Patch

As things are now, the next version where new features are accepted
will be 11, with a commit fest beginning in September. Here is its
website where patches need to be registered for review and possible
integration into the tree:
https://commitfest.postgresql.org/
--
Michael