Re: scram-sha-256 authentication broken in FIPS mode

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Alessandro Gherardi <alessandro(dot)gherardi(at)yahoo(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: scram-sha-256 authentication broken in FIPS mode
Date: 2018-09-13 03:11:14
Message-ID: 20180913031114.GA3578@paquier.xyz
Lists: pgsql-general

On Wed, Sep 12, 2018 at 07:24:24AM +0900, Michael Paquier wrote:
> Good point. Such things have bitten in the past. Okay, then let's do
> something about sha2_openssl.c only on HEAD for now then, which I am
> fine to finish wrapping.

I was looking at trying to commit this patch; however, more needs to be
done in terms of error handling, as the proposed patch would happily
crash if EVP_MD_CTX cannot be allocated (understand OOM) in
EVP_DigestInit_ex if I read the OpenSSL code correctly (see
crypto/evp/digest.c). Our lives would be facilitated if it were possible
to use EVP_MD_CTX and EVP_MD_CTX_init directly so that no allocation is
done, but that's not doable as of 1.0.2.
--
Michael
