Question
Can someone please specify the steps to enable FIPS on Postgres Database? I have googled but was not able to find anything concrete.
Answer
I don't believe you can run Postgres in "FIPS mode" because of its use of non-approved cryptography. From a past audit, I know it makes extensive use of MD5 (see, for example, Postgres Mailing List: Use of MD5). So lots of stuff is going to break in practice.
Notwithstanding, here are the steps to try and do it via OpenSSL. There are three parts because Postgres is not FIPS-aware, and you need to make some modifications to Postgres.
Step one
You have to build OpenSSL for the configuration. This is a two-step process. First you build the FIPS Object Module; second, you build the FIPS Capable Library.
To build the FIPS Object Module, first you download openssl-fips-2.n.n.tar.gz. After unpacking, you perform:
./config
make
sudo make install
After you run the above commands, the fipscanister will be located in /usr/local/ssl/fips-2.0. The FIPS Capable Library will use it to provide the FIPS Validated Cryptography.
Second, you download openssl-1.n.n.tar.gz. After unpacking, you perform:
./config fips shared <other options>
make all
sudo make install
The critical part is the fips option during configure.
After you run the above commands, you will have a FIPS Capable Library. The library will be located in /usr/local/ssl/lib. Use libcrypto.so and libssl.so as always.
The FIPS Capable Library uses the fipscanister, so you don't need to worry about what's in /usr/local/ssl/fips-2.0. It's just an artifact from building the FIPS Object Module (some hand waving).
Step two
Find where Postgres calls SSL_library_init:
$ grep -R SSL_library_init *
...
src/backend/libpq/be-secure.c: SSL_library_init();
src/interfaces/libpq/fe-secure.c: SSL_library_init();
Open be-secure.c and fe-secure.c, and add a call to FIPS_mode_set.
/* be-secure.c, near line 725 */
static void
initialize_SSL(void)
{
	struct stat buf;
	STACK_OF(X509_NAME) *root_cert_list = NULL;

#if defined(OPENSSL_FIPS)	/* defined in opensslconf.h only by a "fips" build of OpenSSL */
	int rc;

	rc = FIPS_mode();
	if (rc == 0)
	{
		/* returns 0 if the canister's integrity check or power-up self-tests fail */
		rc = FIPS_mode_set(1);
		/* note: assert() is compiled out under NDEBUG, so a release build would silently continue non-FIPS */
		assert(1 == rc);
	}
#endif

	if (!SSL_context)
	{
#if SSLEAY_VERSION_NUMBER >= 0x0907000L
		OPENSSL_config(NULL);
#endif
		SSL_library_init();
		SSL_load_error_strings();
		...
	}
	...
}
If the call to FIPS_mode_set succeeds, then you will be using FIPS Validated cryptography. If it fails, you will still be using OpenSSL's cryptography, but it will not be FIPS Validated cryptography.
You will also need to add the following headers to be-secure.c and fe-secure.c:
#include <assert.h>		/* for the assert() on the FIPS_mode_set result */
#include <openssl/opensslconf.h>
#include <openssl/fips.h>
Step three
The final step is to ensure you are using the FIPS Capable Library from step one. Do that via CFLAGS and LDFLAGS:
cd postgres-9.3.2
export CFLAGS="-I/usr/local/ssl/include"
export LDFLAGS="-L/usr/local/ssl/lib"
./configure --with-openssl <other options>
...
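The three steps above as one script, with the checks a practitioner would run afterwards. This is an added example, not code from the original answer or from the Postgres or OpenSSL projects. It assumes the two OpenSSL tarballs are already unpacked next to the Postgres tree, that the FIPS_mode_set edit to be-secure.c and fe-secure.c has been applied by hand, and that the default install prefixes (/usr/local/ssl and /usr/local/pgsql) are in use. Two things go beyond the answer: the rpath in LDFLAGS, and the OPENSSL_FIPS=1 check, which relies on the 1.0.x openssl command calling FIPS_mode_set(1) itself when that variable is set.

```bash
#!/bin/sh
# Added example (not the original answer's code): build the FIPS Object Module,
# the FIPS Capable Library and a Postgres linked against it, then verify.
# Assumes the tarballs are unpacked and the be-secure.c/fe-secure.c edit is done.
set -eu

FIPS_PREFIX=/usr/local/ssl/fips-2.0   # FIPS Object Module install dir
SSL_PREFIX=/usr/local/ssl             # FIPS Capable Library install dir

# Step one (a): FIPS Object Module. OpenSSL ships ./config, not ./configure.
build_fips_module() {                 # $1 = unpacked openssl-fips-2.0.x tree
    (cd "$1" && ./config && make && sudo make install)
    test -f "$FIPS_PREFIX/lib/fipscanister.o"   # the canister the next build links in
}

# Step one (b): FIPS Capable Library; "fips" is the option that matters.
build_fips_capable_openssl() {        # $1 = unpacked openssl-1.0.2x tree
    (cd "$1" && ./config fips shared && make all && sudo make install)
    check_openssl_fips_mode
}

# The 1.0.x openssl command calls FIPS_mode_set(1) when OPENSSL_FIPS is set in
# its environment, so the library can be checked before Postgres is touched:
# SHA-256 must work in FIPS mode and MD5 must be refused. A non-FIPS build
# ignores the variable and computes the MD5 anyway.
check_openssl_fips_mode() {
    OPENSSL_FIPS=1 "$SSL_PREFIX/bin/openssl" sha256 /dev/null >/dev/null
    if OPENSSL_FIPS=1 "$SSL_PREFIX/bin/openssl" md5 /dev/null >/dev/null 2>&1; then
        echo "md5 succeeded under OPENSSL_FIPS=1: this libcrypto is not FIPS capable" >&2
        return 1
    fi
}

# Step three: -L only affects link time. Without an rpath (or LD_LIBRARY_PATH)
# the dynamic loader still picks the distribution's libcrypto at runtime and
# the FIPS_mode_set call fails or runs against the wrong library. The rpath
# flag is this script's addition to the answer's LDFLAGS.
build_postgres() {                    # $1 = patched postgres-9.3.2 tree
    (
        cd "$1"
        export CFLAGS="-I$SSL_PREFIX/include"
        export LDFLAGS="-L$SSL_PREFIX/lib -Wl,-rpath,$SSL_PREFIX/lib"
        ./configure --with-openssl && make && sudo make install
    )
}

# Given the output of `ldd <binary>`, print the path libcrypto resolves to
# (prints nothing if no libcrypto line is present).
libcrypto_from_ldd() {                # $1 = ldd output text
    printf '%s\n' "$1" |
        awk '/libcrypto\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# Returns 0 only if libcrypto resolves into the FIPS Capable Library's lib dir.
linked_to_fips_libcrypto() {          # $1 = ldd output text
    case "$(libcrypto_from_ldd "$1")" in
        "$SSL_PREFIX"/lib/*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Usage: sh fips-postgres.sh openssl-fips-2.0.x openssl-1.0.2x postgres-9.3.2
if [ $# -eq 3 ]; then
    build_fips_module "$1"
    build_fips_capable_openssl "$2"
    build_postgres "$3"
    linked_to_fips_libcrypto "$(ldd /usr/local/pgsql/bin/postgres)" ||
        { echo "postgres is not linked against $SSL_PREFIX/lib/libcrypto" >&2; exit 1; }
fi
```

The ldd check is the one to keep around after the build: a postgres or libpq whose libcrypto resolves to /lib or /usr/lib is running the distribution's OpenSSL, and the FIPS_mode_set edit from step two will fail in that process no matter how the source was compiled.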