Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Michael Paquier <michael(at)paquier(dot)xyz>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Daniel Gustafsson <daniel(at)yesql(dot)se>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2
Date: 2020-10-14 07:40:12
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On 14/10/2020 06:29, Michael Paquier wrote:
> With 0001 in place, switching the SHA2 implementation of OpenSSL to
> use EVP is straight-forward, as the only thing that's actually needed
> here is to put in place a callback to clean up the EVP contexts
> allocated by OpenSSL. This is rather similar to what we do in
> pgcrypto in some ways, but that's actually simpler and I made things
> so as we only track down the EVP_MD_CTX members to free on abort.

Since this is going to be core backend code (and also frontend), we
don't need to use the generic reource owner callback mechanism, we could
add a built-in ResourceOwnerData field and functions in resowner.c. The
callback mechanism is a bit clunky.

- Heikki

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message David Rowley 2020-10-14 08:05:16 Re: Use appendStringInfoString and appendPQExpBufferStr where possible
Previous Message Luc Vlaming 2020-10-14 07:38:08 Re: allow partial union-all and improve parallel subquery costing