Quick Links

Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2

From:	Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To:	Daniel Gustafsson <daniel(at)yesql(dot)se>, Michael Paquier <michael(at)paquier(dot)xyz>
Cc:	Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject:	Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2
Date:	2020-09-24 16:21:44
Message-ID:	bb971fb4-da73-18fe-636f-10a4d19e3503@iki.fi
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

On 24/09/2020 17:21, Daniel Gustafsson wrote:
> If we really want to support it (which would require more evidence of it being
> a problem IMO), using the non-OpenSSL sha256 code would be one option I guess?

That would technically work, but wouldn't it make the product as whole
not FIPS compliant? I'm not a FIPS lawyer, but as I understand it the
point of FIPS is that all the crypto code is encapsulated in a certified
module. Having your own SHA-256 implementation would defeat that.

- Heikki

In response to

Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 at 2020-09-24 14:21:24 from Daniel Gustafsson

Responses

Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 at 2020-09-24 16:28:25 from Daniel Gustafsson
Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 at 2020-09-24 17:56:43 from Peter Eisentraut

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Daniel Gustafsson	2020-09-24 16:28:25	Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2
Previous Message	Konstantin Knizhnik	2020-09-24 16:15:22	Custom options for building extensions with --with--llvm