Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2
Date: 2020-11-24 10:52:08
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On Sat, Nov 21, 2020 at 10:19:42AM +0900, Michael Paquier wrote:
> What you meant and what I meant was slightly different here. I meant
> publishing a header in src/include/common/ that would get installed,
> and I'd rather avoid that. And you mean to have the header for local
> consumption in src/common/. I would be fine with your third option as
> well. Your suggestion is more consistent with what we do for the rest
> of src/common/ and libpq actually. So I don't mind switching to
> that.

I got to look at your suggestion, and finished with the attached which
is pretty close my previous set, except that MSVC scripts as well as
the header includes needed a slight refresh.

Please note that the OpenSSL docs tell that EVP_DigestInit() is
obsolete and that applications should just use EVP_DigestInit_ex(), so
I have kept the original:

The PG_CRYPTOHASH macro in cryptohash.h has been changed as you
suggested. What do you think?

Attachment Content-Type Size
v5-0001-Rework-SHA2-and-crypto-hash-APIs.patch text/x-diff 70.2 KB
v5-0002-Switch-cryptohash_openssl.c-to-use-EVP.patch text/x-diff 8.6 KB
v5-0003-Move-pgcrypto-to-use-in-core-resowner-facility-fo.patch text/x-diff 3.7 KB

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Hou, Zhijie 2020-11-24 11:13:28 RE: Parallel Inserts in CREATE TABLE AS
Previous Message Anastasia Lubennikova 2020-11-24 10:36:58 Re: LogwrtResult contended spinlock