Re: scram-sha-256 authentication broken in FIPS mode

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Alessandro Gherardi <alessandro(dot)gherardi(at)yahoo(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: scram-sha-256 authentication broken in FIPS mode
Date: 2018-09-11 22:24:24
Message-ID: 20180911222424.GB25160@paquier.xyz
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Tue, Sep 11, 2018 at 04:32:27PM +0200, Peter Eisentraut wrote:
> I recommend letting this bake in the master branch for a while. There
> are a lot weirdly patched and alternative OpenSSL versions out there
> that defy any documentation.

Good point. Such things have bitten in the past. Okay, then let's do
something about sha2_openssl.c only on HEAD for now then, which I am
fine to finish wrapping.

> Of course, we should also see if this actually fixes the reported problem.

It seems to me that addressing FIPS concerns on Windows and getting our
hashing functions plugged with OpenSSL correctly are two separate
issues. The second one also says that we are in the grey based on
OpenSSL docs, which worryies me. And EVP_DigestInit is used in pgcrypto
for ages, where I don't recall seeing reports about that.
--
Michael

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Márcio Antônio Sepp 2018-09-12 02:11:57 Table cannot be partiotioned using domain in argument
Previous Message Peter Eisentraut 2018-09-11 14:32:27 Re: scram-sha-256 authentication broken in FIPS mode