Обсуждение: Replace current implementations in crypt() and gen_salt() to OpenSSL

Hi
This is Shibagaki.

When FIPS mode is enabled, some encryption algorithms cannot be used.
Since PostgreSQL15, pgcrypto requires OpenSSL[1], digest() and other functions
also follow this policy.

However, crypt() and gen_salt() do not use OpenSSL as mentioned in [2].
Therefore, if we run crypt() and gen_salt() on a machine with FIPS mode enabled,
they are not affected by FIPS mode. This means we can use encryption algorithms
disallowed in FIPS.

I would like to change the proprietary implementations of crypt() and gen_salt()
to use OpenSSL API.
If it's not a problem, I am going to create a patch, but if you have a better
approach, please let me know.

Thank you


[1] https://github.com/postgres/postgres/commit/db7d1a7b0530e8cbd045744e1c75b0e63fb6916f
[2] https://peter.eisentraut.org/blog/2023/12/05/postgresql-and-fips-mode

crypt() and gen_salt() are performed on in example below.

/////

-- OS RHEL8.6

$openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021

$fips-mode-setup --check
FIPS mode is enabled.

$./pgsql17/bin/psql
psql (17devel)
Type "help" for help.

postgres=# SHOW server_version;
 server_version
----------------
 17devel
(1 row)

postgres=# SELECT digest('data','md5');
ERROR:  Cannot use "md5": Cipher cannot be initialized

postgres=# SELECT crypt('new password',gen_salt('md5')); -- md5 is not available when fips mode is turned on. This is a
normalbehavior 
ERROR:  crypt(3) returned NULL

postgres=# SELECT crypt('new password',gen_salt('des')); -- however, des is avalable. This may break a FIPS rule
     crypt
---------------
 32REGk7H6dSnE
(1 row)

/////

FYI - OpenSSL itself cannot use DES algorithm while encrypting files. This is an expected behavior.

-----------------------------------------------
Fujitsu Limited
Shibagaki Koshi
shibagaki.koshi@fujitsu.com

On 15.02.24 13:42, Koshi Shibagaki (Fujitsu) wrote:
> However, crypt() and gen_salt() do not use OpenSSL as mentioned in [2].
> Therefore, if we run crypt() and gen_salt() on a machine with FIPS mode enabled,
> they are not affected by FIPS mode. This means we can use encryption algorithms
> disallowed in FIPS.
> 
> I would like to change the proprietary implementations of crypt() and gen_salt()
> to use OpenSSL API.
> If it's not a problem, I am going to create a patch, but if you have a better
> approach, please let me know.

The problems are:

1. All the block ciphers currently supported by crypt() and gen_salt() 
are not FIPS-compliant.

2. The crypt() and gen_salt() methods built on top of them (modes of 
operation, kind of) are not FIPS-compliant.

3. The implementations (crypt-blowfish.c, crypt-des.c, etc.) are not 
structured in a way that OpenSSL calls can easily be patched in.

So if you want FIPS-compliant cryptography, these interfaces look like a 
dead end.  I don't know if there are any modern equivalents of these 
functions that we should be supplying instead.

> On 15 Feb 2024, at 16:49, Peter Eisentraut <peter@eisentraut.org> wrote:

> 1. All the block ciphers currently supported by crypt() and gen_salt() are not FIPS-compliant.
>
> 2. The crypt() and gen_salt() methods built on top of them (modes of operation, kind of) are not FIPS-compliant.

I wonder if it's worth trying to make pgcrypto disallow non-FIPS compliant
ciphers when the compiled against OpenSSL is running with FIPS mode enabled, or
raise a WARNING when used?  It seems rather unlikely that someone running
OpenSSL with FIPS=yes want to use our DES cipher without there being an error
or misconfiguration somewhere.

Something like the below untested pseudocode.

diff --git a/contrib/pgcrypto/pgcrypto.c b/contrib/pgcrypto/pgcrypto.c
index 96447c5757..3d4391ebe1 100644
--- a/contrib/pgcrypto/pgcrypto.c
+++ b/contrib/pgcrypto/pgcrypto.c
@@ -187,6 +187,14 @@ pg_crypt(PG_FUNCTION_ARGS)
                *resbuf;
     text       *res;

+#if defined FIPS_mode
+    if (FIPS_mode())
+#else
+    if (EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX_get0_global_default()))
+#endif
+        ereport(ERROR,
+                (errmsg("not available when using OpenSSL in FIPS mode")));
+
     buf0 = text_to_cstring(arg0);
     buf1 = text_to_cstring(arg1);

Greenplum implemented similar functionality but with a GUC, fips_mode=<bool>.
The problem with that is that it gives the illusion that enabling such a GUC
gives any guarantees about FIPS which isn't really the case since postgres
isn't FIPS certified.

--
Daniel Gustafsson

Dear Peter

Thanks for the replying

> 1. All the block ciphers currently supported by crypt() and gen_salt() are not
> FIPS-compliant.
>
> 2. The crypt() and gen_salt() methods built on top of them (modes of operation,
> kind of) are not FIPS-compliant.
> 
> 3. The implementations (crypt-blowfish.c, crypt-des.c, etc.) are not structured
> in a way that OpenSSL calls can easily be patched in.

Indeed, all the algorithm could not be used in FIPS and huge engineering might 
be needed for the replacement. If the benefit is smaller than the cost, we 
should consider another way - e.g., prohibit to call these functions in FIPS 
mode as in the pseudocode Daniel sent. Replacing OpenSSL is a way, the objective
is to eliminate the user's error in choosing an encryption algorithm.


-----------------------------------------------
Fujitsu Limited
Shibagaki Koshi
shibagaki.koshi@fujitsu.com

Dear Daniel

Thanks for your reply.

> I wonder if it's worth trying to make pgcrypto disallow non-FIPS compliant
> ciphers when the compiled against OpenSSL is running with FIPS mode
> enabled, or raise a WARNING when used?  It seems rather unlikely that
> someone running OpenSSL with FIPS=yes want to use our DES cipher without
> there being an error or misconfiguration somewhere.

Indeed, users do not use non-FIPS compliant ciphers in crypt() and gen_salt()
such as DES with FIPS mode enabled.
However, can we reduce human error by having these functions make the judgment
as to whether ciphers can or cannot be used?

If pgcrypto checks if FIPS enabled or not as in the pseudocode, it is easier to
achieve than replacing to OpenSSL.
Currently, OpenSSL internally determines if it is in FIPS mode or not, but would
it be a problem to have PostgreSQL take on that role?

-----------------------------------------------
Fujitsu Limited
Shibagaki Koshi
shibagaki.koshi@fujitsu.com

On 2/16/24 04:16, Daniel Gustafsson wrote:
>> On 15 Feb 2024, at 16:49, Peter Eisentraut <peter@eisentraut.org> wrote:
> 
>> 1. All the block ciphers currently supported by crypt() and gen_salt() are not FIPS-compliant.
>> 
>> 2. The crypt() and gen_salt() methods built on top of them (modes of operation, kind of) are not FIPS-compliant.
> 
> I wonder if it's worth trying to make pgcrypto disallow non-FIPS compliant
> ciphers when the compiled against OpenSSL is running with FIPS mode enabled, or
> raise a WARNING when used?  It seems rather unlikely that someone running
> OpenSSL with FIPS=yes want to use our DES cipher without there being an error
> or misconfiguration somewhere.
> 
> Something like the below untested pseudocode.
> 
> diff --git a/contrib/pgcrypto/pgcrypto.c b/contrib/pgcrypto/pgcrypto.c
> index 96447c5757..3d4391ebe1 100644
> --- a/contrib/pgcrypto/pgcrypto.c
> +++ b/contrib/pgcrypto/pgcrypto.c
> @@ -187,6 +187,14 @@ pg_crypt(PG_FUNCTION_ARGS)
>                  *resbuf;
>       text       *res;
>   
> +#if defined FIPS_mode
> +    if (FIPS_mode())
> +#else
> +    if (EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX_get0_global_default()))
> +#endif
> +        ereport(ERROR,
> +                (errmsg("not available when using OpenSSL in FIPS mode")));

Makes sense +1

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com

On 16.02.24 10:16, Daniel Gustafsson wrote:
>> 2. The crypt() and gen_salt() methods built on top of them (modes of operation, kind of) are not FIPS-compliant.
> I wonder if it's worth trying to make pgcrypto disallow non-FIPS compliant
> ciphers when the compiled against OpenSSL is running with FIPS mode enabled, or
> raise a WARNING when used?  It seems rather unlikely that someone running
> OpenSSL with FIPS=yes want to use our DES cipher without there being an error
> or misconfiguration somewhere.

I wonder on what level this kind of check would be done.  For example, 
the password hashing done for SCRAM is not FIPS-compliant either, but 
surely we don't want to disallow that.  Maybe this should be done on the 
level of block ciphers.  So if someone wanted to add a "crypt-aes" 
module, that would then continue to work.

> On 16 Feb 2024, at 13:57, Peter Eisentraut <peter@eisentraut.org> wrote:
>
> On 16.02.24 10:16, Daniel Gustafsson wrote:
>>> 2. The crypt() and gen_salt() methods built on top of them (modes of operation, kind of) are not FIPS-compliant.
>> I wonder if it's worth trying to make pgcrypto disallow non-FIPS compliant
>> ciphers when the compiled against OpenSSL is running with FIPS mode enabled, or
>> raise a WARNING when used?  It seems rather unlikely that someone running
>> OpenSSL with FIPS=yes want to use our DES cipher without there being an error
>> or misconfiguration somewhere.
>
> I wonder on what level this kind of check would be done.  For example, the password hashing done for SCRAM is not
FIPS-complianteither, but surely we don't want to disallow that. 

Can you elaborate?  When building with OpenSSL all SCRAM hashing will use the
OpenSSL implementation of pg_hmac and pg_cryptohash, so it would be subject to
OpenSSL FIPS configuration no?

> Maybe this should be done on the level of block ciphers.  So if someone wanted to add a "crypt-aes" module, that
wouldthen continue to work. 

That's a fair point, we can check individual ciphers.  I'll hack up a version
doing this.

--
Daniel Gustafsson

On 16.02.24 14:30, Daniel Gustafsson wrote:
>> On 16 Feb 2024, at 13:57, Peter Eisentraut <peter@eisentraut.org> wrote:
>>
>> On 16.02.24 10:16, Daniel Gustafsson wrote:
>>>> 2. The crypt() and gen_salt() methods built on top of them (modes of operation, kind of) are not FIPS-compliant.
>>> I wonder if it's worth trying to make pgcrypto disallow non-FIPS compliant
>>> ciphers when the compiled against OpenSSL is running with FIPS mode enabled, or
>>> raise a WARNING when used?  It seems rather unlikely that someone running
>>> OpenSSL with FIPS=yes want to use our DES cipher without there being an error
>>> or misconfiguration somewhere.
>>
>> I wonder on what level this kind of check would be done.  For example, the password hashing done for SCRAM is not
FIPS-complianteither, but surely we don't want to disallow that.
 
> 
> Can you elaborate?  When building with OpenSSL all SCRAM hashing will use the
> OpenSSL implementation of pg_hmac and pg_cryptohash, so it would be subject to
> OpenSSL FIPS configuration no?

Yes, but the overall methods of composing all this into secrets and 
protocol messages etc. are not covered by FIPS.

>> Maybe this should be done on the level of block ciphers.  So if someone wanted to add a "crypt-aes" module, that
wouldthen continue to work.
 
> 
> That's a fair point, we can check individual ciphers.  I'll hack up a version
> doing this.

Like, if we did a "crypt-aes", would that be FIPS-compliant?  I don't know.

> On 16 Feb 2024, at 15:49, Peter Eisentraut <peter@eisentraut.org> wrote:

> Like, if we did a "crypt-aes", would that be FIPS-compliant?  I don't know.

If I remember my FIPS correct: Only if it used a FIPS certified implementation,
like the one in OpenSSL when the fips provider has been loaded.  The cipher
must be allowed *and* the implementation must be certified.

--
Daniel Gustafsson

Let me confirm the discussion in threads. I think there are two topics.
1. prohibit the use of ciphers disallowed in FIPS mode at the level of block
cipher (crypt-bf, etc...) in crypt() and gen_salt()
2. adding new "crypt-aes" module.

If this is correct, I would like to make a patch for the first topic, as I think
I can handle it.
Daniel, please let me know if you have been making a patch based on the idea.


Also, I think the second one should be discussed in a separate thread, so could
you split it into a separate thread?

Thank you

-----------------------------------------------
Fujitsu Limited
Shibagaki Koshi
shibagaki.koshi@fujitsu.com

> On 20 Feb 2024, at 10:56, Koshi Shibagaki (Fujitsu) <shibagaki.koshi@fujitsu.com> wrote:

> Let me confirm the discussion in threads. I think there are two topics.
> 1. prohibit the use of ciphers disallowed in FIPS mode at the level of block
> cipher (crypt-bf, etc...) in crypt() and gen_salt()

That level might be overkill given that any cipher not in the FIPS certfied
module mustn't be used, but it's also not the wrong place to put it IMHO.

> 2. adding new "crypt-aes" module.

I think this was a hypothetical scenario and not a concrete proposal.

> If this is correct, I would like to make a patch for the first topic, as I think
> I can handle it.
> Daniel, please let me know if you have been making a patch based on the idea.

I haven't yet started on that so feel free to take a stab at it, I'd be happy
to review it.  Note that there are different API's for doing this in OpenSSL
1.0.2 and OpenSSL 3.x, so a solution must take both into consideration.

--
Daniel Gustafsson

On 20.02.24 11:09, Daniel Gustafsson wrote:
>> On 20 Feb 2024, at 10:56, Koshi Shibagaki (Fujitsu) <shibagaki.koshi@fujitsu.com> wrote:
> 
>> Let me confirm the discussion in threads. I think there are two topics.
>> 1. prohibit the use of ciphers disallowed in FIPS mode at the level of block
>> cipher (crypt-bf, etc...) in crypt() and gen_salt()
> 
> That level might be overkill given that any cipher not in the FIPS certfied
> module mustn't be used, but it's also not the wrong place to put it IMHO.

I think we are going about this the wrong way.  It doesn't make sense to 
ask OpenSSL what a piece of code that doesn't use OpenSSL should do. 
(And would that even give a sensible answer?  Like, you can configure 
OpenSSL to load the fips module, but you can also load the legacy module 
alongside it(??).)  And as you say, even if this code supported modern 
block ciphers, it wouldn't be FIPS compliant.

I think there are several less weird ways to address this:

* Just document it.

* Make a pgcrypto-level GUC setting.

* Split out these functions into a separate extension.

* Deprecate these functions.

Or some combination of these.

On Tue, Feb 20, 2024 at 4:49 PM Peter Eisentraut <peter@eisentraut.org> wrote:
> I think there are several less weird ways to address this:
>
> * Just document it.
>
> * Make a pgcrypto-level GUC setting.
>
> * Split out these functions into a separate extension.
>
> * Deprecate these functions.
>
> Or some combination of these.

I don't think the first two of these proposals help anything. AIUI,
FIPS mode is supposed to be a system wide toggle that affects
everything on the machine. The third one might help if you can be
compliant by just choosing not to install that extension, and the
fourth one solves the problem by sledgehammer.

Does Linux provide some way of asking whether "fips=1" was specified
at kernel boot time?

--
Robert Haas
EDB: http://www.enterprisedb.com

> On 20 Feb 2024, at 12:27, Robert Haas <robertmhaas@gmail.com> wrote:
>
> On Tue, Feb 20, 2024 at 4:49 PM Peter Eisentraut <peter@eisentraut.org> wrote:
>> I think there are several less weird ways to address this:
>>
>> * Just document it.
>>
>> * Make a pgcrypto-level GUC setting.
>>
>> * Split out these functions into a separate extension.
>>
>> * Deprecate these functions.
>>
>> Or some combination of these.
>
> I don't think the first two of these proposals help anything. AIUI,
> FIPS mode is supposed to be a system wide toggle that affects
> everything on the machine. The third one might help if you can be
> compliant by just choosing not to install that extension, and the
> fourth one solves the problem by sledgehammer.

A fifth option is to throw away our in-tree implementations and use the OpenSSL
API's for everything, which is where this thread started.  If the effort to
payoff ratio is palatable to anyone then patches are for sure welcome.

> Does Linux provide some way of asking whether "fips=1" was specified
> at kernel boot time?

There is a crypto.fips_enabled sysctl but I have no idea how portable that is
across distributions etc.

--
Daniel Gustafsson

> On 20 Feb 2024, at 12:18, Peter Eisentraut <peter@eisentraut.org> wrote:

> I think we are going about this the wrong way.  It doesn't make sense to ask OpenSSL what a piece of code that
doesn'tuse OpenSSL should do. 

Given that pgcrypto cannot be built without OpenSSL, and ideally we should be
using the OpenSSL implementations for everything, I don't think it's too far
fetched.

--
Daniel Gustafsson

On Tue, Feb 20, 2024 at 5:09 PM Daniel Gustafsson <daniel@yesql.se> wrote:
> A fifth option is to throw away our in-tree implementations and use the OpenSSL
> API's for everything, which is where this thread started.  If the effort to
> payoff ratio is palatable to anyone then patches are for sure welcome.

That generally seems fine, although I'm fuzzy on what our policy
actually is. We have fallback implementations for some things and not
others, IIRC.

> > Does Linux provide some way of asking whether "fips=1" was specified
> > at kernel boot time?
>
> There is a crypto.fips_enabled sysctl but I have no idea how portable that is
> across distributions etc.

My guess would be that it's pretty portable, but my guesses about
Linux might not be very good. Still, if we wanted to go this route, it
probably wouldn't be too hard to figure out how portable this is.

--
Robert Haas
EDB: http://www.enterprisedb.com

On 20.02.24 12:27, Robert Haas wrote:
> I don't think the first two of these proposals help anything. AIUI,
> FIPS mode is supposed to be a system wide toggle that affects
> everything on the machine. The third one might help if you can be
> compliant by just choosing not to install that extension, and the
> fourth one solves the problem by sledgehammer.
> 
> Does Linux provide some way of asking whether "fips=1" was specified
> at kernel boot time?

What you are describing only happens on Red Hat systems, I think.  They 
have built additional integration around this, which is great.  But 
that's not something you can rely on being the case on all systems, not 
even all Linux systems.

> On 20 Feb 2024, at 13:24, Robert Haas <robertmhaas@gmail.com> wrote:
>
> On Tue, Feb 20, 2024 at 5:09 PM Daniel Gustafsson <daniel@yesql.se> wrote:
>> A fifth option is to throw away our in-tree implementations and use the OpenSSL
>> API's for everything, which is where this thread started.  If the effort to
>> payoff ratio is palatable to anyone then patches are for sure welcome.
>
> That generally seems fine, although I'm fuzzy on what our policy
> actually is. We have fallback implementations for some things and not
> others, IIRC.

I'm not sure there is a well-formed policy, but IIRC the idea with cryptohash
was to provide in-core functionality iff OpenSSL isn't used, and only use the
OpenSSL implementations if it is.  Since pgcrypto cannot be built without
OpenSSL (since db7d1a7b0530e8cbd045744e1c75b0e63fb6916f) I don't think it's a
problem to continue the work from that commit and replace more with OpenSSL
implementations.

--
Daniel Gustafsson

On 20.02.24 12:39, Daniel Gustafsson wrote:
> A fifth option is to throw away our in-tree implementations and use the OpenSSL
> API's for everything, which is where this thread started.  If the effort to
> payoff ratio is palatable to anyone then patches are for sure welcome.

The problem is that, as I understand it, these crypt routines are not 
designed in a way that you can just plug in a crypto library underneath. 
  Effectively, the definition of what, say, blowfish crypt does, is 
whatever is in that source file, and transitively, whatever OpenBSD 
does.  (Fun question: Does OpenBSD care about FIPS?)  Of course, you 
could reimplement the same algorithms independently, using OpenSSL or 
whatever.  But I don't think this will really improve the state of the 
world in aggregate, because to a large degree we are relying on the 
upstream to keep these implementations maintained, and if we rewrite 
them, we become the upstream.

> On 20 Feb 2024, at 13:40, Peter Eisentraut <peter@eisentraut.org> wrote:
>
> On 20.02.24 12:39, Daniel Gustafsson wrote:
>> A fifth option is to throw away our in-tree implementations and use the OpenSSL
>> API's for everything, which is where this thread started.  If the effort to
>> payoff ratio is palatable to anyone then patches are for sure welcome.
>
> The problem is that, as I understand it, these crypt routines are not designed in a way that you can just plug in a
cryptolibrary underneath.  Effectively, the definition of what, say, blowfish crypt does, is whatever is in that source
file,and transitively, whatever OpenBSD does.   

I don't disagree, but if the OP is willing to take a stab at it then..

> (Fun question: Does OpenBSD care about FIPS?)

No, LibreSSL ripped out FIPS support early on.

>  Of course, you could reimplement the same algorithms independently, using OpenSSL or whatever.  But I don't think
thiswill really improve the state of the world in aggregate, because to a large degree we are relying on the upstream
tokeep these implementations maintained, and if we rewrite them, we become the upstream. 

As a sidenote, we are already trailing behind upstream on this, the patch in
[0] sits on my TODO, but given the lack of complaints over the years it's not
been bumped to the top.

--
Daniel Gustafsson

[0]
https://www.postgresql.org/message-id/flat/CAA-7PziyARoKi_9e2xdC75RJ068XPVk1CHDDdscu2BGrPuW9TQ%40mail.gmail.com#b20783dd6c72e95a8a0f6464d1228ed5