Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Michael Paquier <michael(at)paquier(dot)xyz>
Cc: Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2
Date: 2020-09-24 14:21:24
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

> On 24 Sep 2020, at 04:53, Michael Paquier <michael(at)paquier(dot)xyz> wrote:

> Enabling FIPS with OpenSSL 1.0.2 causes direct calls to the SHAXXX
> routines to fail:
> "Low level API call to digest SHA256 forbidden in fips mode"

Confirmed by running 1.0.2s-fips with fips_mode=yes in the alg_section in

> This got discussed back in 2018, but I never got back to it:
> One thing I did not like back in the past patch was that we did not
> handle failures if one of OpenSSL's call failed, but this can easily
> be handled by using a trick similar to jsonapi.c to fail hard if that
> happens.
> It is worth noting that the low-level SHA routines are not recommended
> for years in OpenSSL, and that these have been officially marked as
> deprecated in 3.0.0. So, while the changes in sha2.h don't make this
> stuff back-patchable per the ABI breakage it introduces, switching
> sha2_openssl.c to use EVP is a better move in the long term,

Agreed. Commit 5ff4a67f63f [0] moved contrib/pgcrypto from using low-level
functions for pretty much exactly the same reasons: they are advised against
and break FIPS.

With your patch I can run the SSL tests successfully both with and without
FIPS. I'm in favor of moving to the EVP API.

> ..even if
> that means that SCRAM+FIPS would not work with PG 10~13, so the
> attached is something for HEAD, even if this would be possible to do
> in older releases as the routines used in the attached are available
> in versions of OpenSSL older than 1.0.1.

Thats kind of a shame, but given the low volume of reports to -bugs and
-hackers, the combination SCRAM and FIPS might not be all too common. Since
OpenSSL FIPS is EOL it might also not increase until 3.0.0 comes with FIPS

If we really want to support it (which would require more evidence of it being
a problem IMO), using the non-OpenSSL sha256 code would be one option I guess?

cheers ./daniel


In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Anastasia Lubennikova 2020-09-24 14:24:27 Re: [patch] Fix checksum verification in base backups for zero page headers
Previous Message Jonathan S. Katz 2020-09-24 14:14:12 Re: PostgreSQL 13 Release Timeline