| From: | Michael Paquier <michael(at)paquier(dot)xyz> | 
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> | 
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> | 
| Subject: | Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 | 
| Date: | 2020-10-15 06:56:21 | 
| Message-ID: | 20201015065621.GB2305@paquier.xyz | 
| Lists: | pgsql-hackers | 

On Wed, Oct 14, 2020 at 05:18:51PM +0900, Michael Paquier wrote:
> Sure, thanks.  I wanted to keep things isolated in sha2_openssl.c as
> that's something specific to the implementation.  Thinking more about
> it, your suggestion makes a lot of sense in the long-term by including
> MD5 and HMAC in the picture.  These also go through EVP in OpenSSL,
> and we are kind of incorrect currently to not use the OpenSSL flavor
> if available (MD5 is not authorized in FIPS, but we still allow it to
> be used with the in-core implementation).

I got my hands on that, and this proves to simplify a lot of things.  As a
bonus, attached is a 0003 that cleans up some code in pgcrypto so that
it uses the in-core resowner facility to handle EVP contexts.

--
Michael

| Attachment | Content-Type | Size | 
|---|---|---|
| v2-0001-Rework-SHA2-APIs.patch | text/x-diff | 61.9 KB | 
| v2-0002-Switch-sha2_openssl.c-to-use-EVP.patch | text/x-diff | 8.5 KB | 
| v2-0003-Move-pgcrypto-to-use-in-core-resowner-facility-fo.patch | text/x-diff | 3.7 KB | 