Re: scram-sha-256 authentication broken in FIPS mode - Mailing list pgsql-general

From Michael Paquier
Subject Re: scram-sha-256 authentication broken in FIPS mode
Msg-id 20180905042717.GL20696@paquier.xyz
In response to scram-sha-256 authentication broken in FIPS mode  (Alessandro Gherardi <alessandro.gherardi@yahoo.com>)
Responses Re: scram-sha-256 authentication broken in FIPS mode  (Alessandro Gherardi <alessandro.gherardi@yahoo.com>)
List pgsql-general
On Wed, Sep 05, 2018 at 03:29:31AM +0000, Alessandro Gherardi wrote:
> It looks like scram-sha-256 doesn't work when postgres is linked
> against FIPS-enabled OpenSSL and FIPS mode is turned on.
>
> Specifically, all login attempts fail with an OpenSSL error saying
> something along the lines of "Low level API call to digest SHA256
> forbidden in fips mode".

The error comes from libc, right?  Postgres can of course be configured
to work with FIPS without patching it, it just needs to be enabled
system-wide, which is what RedHat does, and what you are doing I guess?

> I think this issue could be solved by refactoring the code in
> sha2_openssl.c to use the OpenSSL EVP interface
> (see https://wiki.openssl.org/index.php/EVP_Message_Digests ).
> Any thoughts? Is this a known issue?

This report is the first of this kind since Postgres 10, which is where
the SHA2 interface for OpenSSL has been introduced.  So likely we'd need
to look into that more deeply.  This has the strong smell of a bug.  If
your system is new enough, you should have sha256() & co as system
functions, so you would see the failure as well?  The regression tests
would have likely complained.
--
Michael
