File tree Expand file tree Collapse file tree 8 files changed +65
-2
lines changed Expand file tree Collapse file tree 8 files changed +65
-2
lines changed Original file line number Diff line number Diff line change @@ -36,7 +36,7 @@ MODULE_big = pgcrypto
3636
3737EXTENSION = pgcrypto
3838DATA = pgcrypto--1.3.sql pgcrypto--1.2--1.3.sql pgcrypto--1.1--1.2.sql \
39- pgcrypto--1.0--1.1.sql
39+ pgcrypto--1.0--1.1.sql pgcrypto--1.3--1.4.sql
4040PGFILEDESC = "pgcrypto - cryptographic functions"
4141
4242REGRESS = init md5 sha1 hmac-md5 hmac-sha1 blowfish rijndael \
Original file line number Diff line number Diff line change @@ -93,6 +93,7 @@ install_data(
9393 ' pgcrypto--1.1--1.2.sql'
9494 ' pgcrypto--1.2--1.3.sql'
9595 ' pgcrypto--1.3.sql'
96+ ' pgcrypto--1.3--1.4.sql'
9697 ' pgcrypto.control'
9798 kwargs : contrib_data_args,
9899)
Original file line number Diff line number Diff line change @@ -794,3 +794,30 @@ ResOwnerReleaseOSSLCipher(Datum res)
794794{
795795 free_openssl_cipher ((OSSLCipher * ) DatumGetPointer (res ));
796796}
797+
798+ /*
799+ * CheckFIPSMode
800+ *
801+ * Returns the FIPS mode of the underlying OpenSSL installation.
802+ */
803+ bool
804+ CheckFIPSMode (void )
805+ {
806+ int fips_enabled = 0 ;
807+
808+ /*
809+ * EVP_default_properties_is_fips_enabled was added in OpenSSL 3.0, before
810+ * that FIPS_mode() was used to test for FIPS being enabled. The last
811+ * upstream OpenSSL version before 3.0 which supported FIPS was 1.0.2, but
812+ * there are forks of 1.1.1 which are FIPS validated so we still need to
813+ * test with FIPS_mode() even though we don't support 1.0.2.
814+ */
815+ fips_enabled =
816+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
817+ EVP_default_properties_is_fips_enabled (NULL );
818+ #else
819+ FIPS_mode ();
820+ #endif
821+
822+ return (fips_enabled == 1 );
823+ }
Original file line number Diff line number Diff line change 1+ /* contrib/pgcrypto/pgcrypto--1.3--1.4.sql */
2+
3+ -- complain if script is sourced in psql, rather than via ALTER EXTENSION
4+ \echo Use " ALTER EXTENSION pgcrypto UPDATE TO '1.4'"
5+
6+ CREATE FUNCTION fips_mode ()
7+ RETURNS bool
8+ AS ' MODULE_PATHNAME' ' pg_check_fipsmode'
9+ LANGUAGE C VOLATILE STRICT PARALLEL SAFE;
Original file line number Diff line number Diff line change @@ -450,6 +450,14 @@ pg_random_uuid(PG_FUNCTION_ARGS)
450450 return gen_random_uuid (fcinfo );
451451}
452452
453+ PG_FUNCTION_INFO_V1 (pg_check_fipsmode );
454+
455+ Datum
456+ pg_check_fipsmode (PG_FUNCTION_ARGS )
457+ {
458+ PG_RETURN_BOOL (CheckFIPSMode ());
459+ }
460+
453461static void *
454462find_provider (text * name ,
455463 PFN provider_lookup ,
Original file line number Diff line number Diff line change 11# pgcrypto extension
22comment = 'cryptographic functions'
3- default_version = '1.3 '
3+ default_version = '1.4 '
44module_pathname = '$libdir/pgcrypto'
55relocatable = true
66trusted = true
Original file line number Diff line number Diff line change @@ -182,6 +182,8 @@ void px_set_debug_handler(void (*handler) (const char *));
182182
183183void px_memset (void * ptr , int c , size_t len );
184184
185+ bool CheckFIPSMode (void );
186+
185187#ifdef PX_DEBUG
186188void px_debug (const char * fmt ,...) pg_attribute_printf (1 , 2 );
187189#else
Original file line number Diff line number Diff line change @@ -1149,6 +1149,22 @@ gen_random_uuid() returns uuid
11491149 </para>
11501150 </sect2>
11511151
1152+ <sect2 id="pgcrypto-openssl-support-funcs">
1153+ <title>OpenSSL Support Functions</title>
1154+
1155+ <indexterm>
1156+ <primary>fips_mode</primary>
1157+ </indexterm>
1158+
1159+ <synopsis>
1160+ fips_mode() returns boolean
1161+ </synopsis>
1162+ <para>
1163+ Returns <literal>true</literal> if <productname>OpenSSL</productname> is
1164+ running with FIPS mode enabled, otherwise <literal>false</literal>.
1165+ </para>
1166+ </sect2>
1167+
11521168 <sect2 id="pgcrypto-notes">
11531169 <title>Notes</title>
11541170
You can’t perform that action at this time.
0 commit comments