scram-sha-256 authentication broken in FIPS mode

From: Alessandro Gherardi <alessandro(dot)gherardi(at)yahoo(dot)com>
To: "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: scram-sha-256 authentication broken in FIPS mode
Date: 2018-09-05 03:29:31
Message-ID: 898098721.1290085.1536118171911@mail.yahoo.com
Lists: pgsql-general

It looks like scram-sha-256 doesn't work when postgres is linked against FIPS-enabled OpenSSL and FIPS mode is turned on.

Specifically, all login attempts fail with an OpenSSL error saying something along the lines of "Low level API call to digest SHA256 forbidden in fips mode".
I think this issue could be solved by refactoring the code in sha2_openssl.c to use the OpenSSL EVP interface (see https://wiki.openssl.org/index.php/EVP_Message_Digests ).
Any thoughts? Is this a known issue?
Thank you in advance.
Alessandro
