Enable FIPS on PostgreSQL database

Question

Can someone please specify the steps to enable FIPS on Postgres Database? I have googled but was not able to find anything concrete.

Answer 1

Can someone please specify the steps to enable FIPS on Postgres Database?

I don't believe you can run Postgres in "FIPS mode" because of its use of non-approved cryptography. From a past audit, I know it makes extensive use of MD5 (see, for example, Postgres Mailing List: Use of MD5. So lots of stuff is going to break in practice.

Notwithstanding, here are the steps to try and do it via OpenSSL. There are three parts because Postgres is not FIPS-aware, and you need to make some modifications to Postgres.

---

Step One

You have to build OpenSSL for the configuration. This is a two step process. First you build the FIPS Object Module; and second, you build the FIPS Capable Library.

To build the FIPS Object Module, first you download `openssl-fips-2.n.n.tar.gz. After unpacking, you perform:

./configure
make
sudo make install

After you run the above commands, the fipscanister will be located in /usr/local/ssl/fips-2.0. The FIPS Capable Library will use it to provide the FIPS Validated Cryptography.

Second, you download openssl-1.n.n.tar.gz. After unpacking, you perform:

./configure fips shared <other options>
make all
sudo make install

The critical part is the fips option during configure.

After you run the above commands, you will have a FIPS Capable Library. The library will be located in /usr/local/ssl/lib. Use libcrypto.so and libssl.so as always.

The FIPS Capable Library uses the fipscanister, so you don't need to worry about what's in /usr/local/ssl/fips-2.0. Its just an artifact from building FIPS Object Module (some hand waiving).

Step Two

Find where Postgres calls SSL_library_init:

$ grep -R SSL_library_init *
...
src/backend/libpq/be-secure.c:      SSL_library_init();
src/interfaces/libpq/fe-secure.c:           SSL_library_init();

Open be-secure.c and fe-secure.c, and add a call to FIPS_mode_set.

/* be-secure.c, near line 725 */
static void
initialize_SSL(void)
{
    struct stat buf;

    STACK_OF(X509_NAME) *root_cert_list = NULL;

#if defined(OPENSSL_FIPS)
    int rc;
    rc = FIPS_mode();
    if(rc == 0)
    {
        rc = FIPS_mode_set(1);
        assert(1 == rc);
    }
#endif

    if (!SSL_context)
    {
#if SSLEAY_VERSION_NUMBER >= 0x0907000L
        OPENSSL_config(NULL);
#endif
        SSL_library_init();
        SSL_load_error_strings();
        ...
    }
    ...
}

If the call to FIPS_mode_set succeeds, then you will be using FIPS Validated cryptography. If it fails, you will still be using OpenSSL's cryptography, but it will not be FIPS Validated cryptography.

You will also need to add the following headers to be-secure.c and fe-secure.c:

#include <openssl/opensslconf.h>
#include <openssl/fips.h>

Step Three

The final step is to ensure you are using the FIPS Capable Library from step one. Do that via CFLAGS and LDFLAGS:

cd postgres-9.3.2
export CFLAGS="-I/usr/local/ssl/include"
export LDFLAGS="-L/usr/local/ssl/lib"

./config --with-openssl <other options>
...

Answer 2

For PostgreSQL on Red Hat Linux, the https://public.cyber.mil/stigs/downloads/ web site has a Security Technical Implementation Guide for PostgreSQL 9.x which has this check.

Rule Title: PostgreSQL must implement NIST FIPS 140-2 validated 
cryptographic modules to protect unclassified information requiring
confidentiality and cryptographic protection, in accordance with the data
owners requirements.
STIG ID:    PGS9-00-008200
Rule ID:    SV-87645r1_rule
Vuln ID:    V-72993

The "Fix Text" reads

Configure OpenSSL to be FIPS compliant. 

PostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to
be FIPS 140-2 compliant, see the official RHEL Documentation:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html

For more information on configuring PostgreSQL to use SSL, see supplementary
content APPENDIX-G.

Joseph Conway pointed out "the Appendix G the STIG refers to is in the PostgreSQL STIG supplement, not the [postgresql.org] docs. You can get the supplement (and the rest of the STIG) here: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PGS_SQL_9-x_V2R1_STIG.zip