Quick Links

Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2

From:	Michael Paquier <michael(at)paquier(dot)xyz>
To:	Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc:	Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject:	Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2
Date:	2020-09-25 03:19:44
Message-ID:	20200925031944.GD3571@paquier.xyz
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

On Thu, Sep 24, 2020 at 06:28:25PM +0200, Daniel Gustafsson wrote:
> Doh, of course, I blame a lack of caffeine this afternoon. Having a private
> local sha256 implementation using the EVP_* API inside scram-common would
> maintain FIPS compliance and ABI compatibility, but would also be rather ugly.

Even if we'd try to force our internal implementation of SHA256 on
already-released branches instead of the one of OpenSSL, this would be
an ABI break for compiled modules expected to work on this released
branch as OpenSSL's internal SHA structures don't exactly match with
our own implementation (think just about sizeof() or such).
--
Michael

In response to

Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 at 2020-09-24 16:28:25 from Daniel Gustafsson

Responses

Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 at 2020-09-25 04:21:05 from Michael Paquier

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Michael Paquier	2020-09-25 03:32:22	Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2
Previous Message	Amit Kapila	2020-09-25 03:18:19	Re: Parallel INSERT (INTO ... SELECT ...)