Hi, this is Shibagaki.

When FIPS mode is enabled, some encryption algorithms cannot be used.
Since PostgreSQL15, pgcrypto requires OpenSSL[1], and digest() and other functions also follow this policy.

However, crypt() and gen_salt() do not use OpenSSL as mentioned in [2].
Therefore, if we run crypt() and gen_salt() on a machine with FIPS mode enabled, they are not affected by FIPS mode. This means we can use encryption algorithms disallowed in FIPS.

I would like to change the proprietary implementations of crypt() and gen_salt() to use the OpenSSL API.
If it's not a problem, I am going to create a patch, but if you have a better approach, please let me know.

Thank you.

[1] https://github.com/postgres/postgres/commit/db7d1a7b0530e8cbd045744e1c75b0e63fb6916f
[2] https://peter.eisentraut.org/blog/2023/12/05/postgresql-and-fips-mode

crypt() and gen_salt() are performed in the example below.

/////

-- OS RHEL8.6

$openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021

$fips-mode-setup --check
FIPS mode is enabled.

$./pgsql17/bin/psql
psql (17devel)
Type "help" for help.

postgres=# SHOW server_version;
 server_version
----------------
 17devel
(1 row)

postgres=# SELECT digest('data','md5');
ERROR: Cannot use "md5": Cipher cannot be initialized
postgres=# SELECT crypt('new password',gen_salt('md5')); -- md5 is not available when fips mode is turned on. This is a normal behavior
ERROR: crypt(3) returned NULL
postgres=# SELECT crypt('new password',gen_salt('des')); -- however, des is available. This may break a FIPS rule
 crypt
---------------
 32REGk7H6dSnE
(1 row)

/////

FYI - OpenSSL itself cannot use the DES algorithm while encrypting files. This is an expected behavior.

-----------------------------------------------
Fujitsu Limited
Shibagaki Koshi
shibagaki.ko...@fujitsu.com
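
Added example, not part of the original message and not PostgreSQL code: a small audit helper that classifies stored crypt() values by the gen_salt() type that produced them, so DES-based hashes like the one in the session above can be found in existing data. The pattern table follows the output lengths in the pgcrypto documentation; the function names and all sample rows except the first are assumptions made for this example.

```python
import re
from collections import Counter

B64 = r"[./0-9A-Za-z]"  # crypt(3) base-64 alphabet

# Output layouts of the four gen_salt() types in the pgcrypto documentation
# (total lengths: bf 60, md5 34, xdes 20, des 13). Most specific pattern first.
PATTERNS = [
    ("bf", re.compile(r"\$2[axy]?\$\d{2}\$" + B64 + "{53}")),
    ("md5", re.compile(r"\$1\$" + B64 + r"{1,8}\$" + B64 + "{22}")),
    ("xdes", re.compile("_" + B64 + "{19}")),
    ("des", re.compile(B64 + "{13}")),
]

def classify(stored):
    """Return the gen_salt() type whose layout matches, or 'unknown'."""
    for name, pattern in PATTERNS:
        if pattern.fullmatch(stored):
            return name
    return "unknown"

def audit(rows):
    """rows: iterable of (row_id, stored_hash) -> (counts per type, ids of DES-based rows)."""
    counts, des_based = Counter(), []
    for row_id, stored in rows:
        algo = classify(stored.strip())
        counts[algo] += 1
        if algo in ("des", "xdes"):  # traditional and extended DES crypt
            des_based.append(row_id)
    return counts, des_based

# Row 1 is the crypt() output from the session above; rows 2-5 are constructed
# strings that only have the right shape and are not real password hashes.
SAMPLE_ROWS = [
    (1, "32REGk7H6dSnE"),
    (2, "$1$abcdefgh$" + "A" * 22),
    (3, "$2a$06$" + "B" * 53),
    (4, "_J9.." + "C" * 15),
    (5, "not-a-hash"),
]

if __name__ == "__main__":
    counts, des_based = audit(SAMPLE_ROWS)
    print(dict(counts), "DES-based rows:", des_based)
```

The des pattern matches any 13-character string drawn from the crypt alphabet, so run it only over columns known to hold crypt() output.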