| From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 |
| Date: | 2020-09-24 17:56:43 |
| Message-ID: | b13ac74d-7321-711d-b438-c68850922b45@2ndquadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 2020-09-24 18:21, Heikki Linnakangas wrote:
> That would technically work, but wouldn't it make the product as whole
> not FIPS compliant? I'm not a FIPS lawyer, but as I understand it the
> point of FIPS is that all the crypto code is encapsulated in a certified
> module. Having your own SHA-256 implementation would defeat that.
Depends on what one considers to be covered by FIPS. The entire rest of
SCRAM is custom code, so running it on top of the world's greatest
SHA-256 implementation isn't going to make the end product any more
trustworthy.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2020-09-24 18:37:34 | Re: Custom options for building extensions with --with--llvm |
| Previous Message | Pavel Stehule | 2020-09-24 17:47:32 | Re: proposal: possibility to read dumped table's name from file |