Postgres Pro
Downloads
Home   >   mailing lists

- Mailing list pgsql-hackers

From Rodney Lott
Subject
Date
Msg-id 5c5a3de8e0094b68bbce362a1989e6a4@WARIO.burlington.evertz.tv
Whole thread Raw
List pgsql-hackers
Tree view 
<div class="WordSection1"><p class="MsoNormal">Hi, there. <p class="MsoNormal"> <p class="MsoNormal">First, my
particulars:<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span
style="font-family:Symbol"><spanstyle="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">        
</span></span></span>UbuntuTrusty build and runtime environment <p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l0level1 lfo1"><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span
style="font:7.0pt"Times New Roman"">         </span></span></span>PostgreSQL 9.3.10 Ubuntu source code<p
class="MsoListParagraph"style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="font-family:Symbol"><span
style="mso-list:Ignore">·<spanstyle="font:7.0pt "Times New Roman"">         </span></span></span>Using a FIPS enabled
versionof OpenSSL (i.e. 1.0.1p version of the library and 2.0.9 of the FIPS canister source code)<p
class="MsoListParagraph"style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="font-family:Symbol"><span
style="mso-list:Ignore">·<spanstyle="font:7.0pt "Times New Roman"">         </span></span></span>I initially posted
thisto the pgsql-general list a few weeks ago, but I wasn’t able to get enough specific information to resolve my
issues.Hence, why I am posting this here.<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1
lfo1"><spanstyle="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New
Roman"">        </span></span></span>I am new to FIPS and postgresql in general (i.e. working with them for a few
months)<pclass="MsoNormal"> <p class="MsoNormal">I’ve been trying to get the postgresql packages to work in FIPS mode.
Toaccomplish this, I’ve patched the Ubuntu source code with the patch that is attached to this message. <p
class="MsoNormal"> <pclass="MsoNormal">The main postgresql server runs fine as expected in either FIPS or non-FIPS
modes.However, when I try to use the psql command in FIPS mode, I get the following error: <p class="MsoNormal"> <p
class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New""># psql -h 127.0.0.1 -U postgres -d
sslmode=require</span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New"">psql: SSL
SYSCALLerror: EOF detected</span><p class="MsoNormal"> <p class="MsoNormal">I used the gdb debugger to try to find
wherein the backend the command was failing. The backtrace on the server side suggests that the problem involves the
key-exchangefailing: <p class="MsoNormal"> <p class="MsoNormal">(gdb) bt<p class="MsoNormal">#0  0x00007f40183e8f20 in
__nanosleep_nocancel() at ../sysdeps/unix/syscall-template.S:81<p class="MsoNormal">#1  0x00007f40183e8dd4 in __sleep
(seconds=0)at ../sysdeps/unix/sysv/linux/sleep.c:137<p class="MsoNormal">#2  0x00007f40196a95ce in DH_generate_key ()
from/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0<p class="MsoNormal">#3  0x00007f40199e8ba6 in
ssl3_send_server_key_exchange() from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0<p class="MsoNormal">#4 
0x00007f40199ec18bin ssl3_accept () from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0<p class="MsoNormal">#5 
0x00007f40199fb8b3in ssl23_accept () from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0<p class="MsoNormal">#6 
0x00005618082567a4in open_server_SSL (port=0x561808e05700) at
/home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/libpq/be-secure.c:925<p
class="MsoNormal">#7 secure_open_server (port=port@entry=0x561808e05700) at
/home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/libpq/be-secure.c:221<p
class="MsoNormal">#8 0x00005618082c7eb8 in ProcessStartupPacket (port=port@entry=0x561808e05700,
SSLdone=SSLdone@entry=0'\000') at
/home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/postmaster/postmaster.c:1921<p
class="MsoNormal">#9 0x00005618081030f9 in BackendInitialize (port=0x561808e05700) at
/home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/postmaster/postmaster.c:4036<p
class="MsoNormal">#10BackendStartup (port=0x561808e05700) at
/home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/postmaster/postmaster.c:3807<p
class="MsoNormal">#11ServerLoop () at
/home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/postmaster/postmaster.c:1690<p
class="MsoNormal">#120x00005618082cace1 in PostmasterMain (argc=5, argv=<optimized out>) at
/home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/postmaster/postmaster.c:1315<p
class="MsoNormal">#130x0000561808103fb3 in main (argc=5, argv=0x561808db6970) at
/home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/main/main.c:227<pclass="MsoNormal"> <p
class="MsoNormal">Itracked it down to the following code in the OpenSSL 2.0.9 canister code: <p class="MsoNormal"> <p
class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New"">int FIPS_drbg_generate(DRBG_CTX
*dctx,unsigned char *out, size_t outlen,</span><p class="MsoNormal" style="margin-left:.5in"><span
style="font-family:"CourierNew"">            int prediction_resistance,</span><p class="MsoNormal"
style="margin-left:.5in"><spanstyle="font-family:"Courier New"">            const unsigned char *adin, size_t
adinlen)</span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New"">    {</span><p
class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New"">    int r = 0;</span><p
class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New""> </span><p class="MsoNormal"
style="margin-left:.5in"><spanstyle="font-family:"Courier New"">    if (FIPS_selftest_failed())</span><p
class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New"">        {</span><p class="MsoNormal"
style="margin-left:.5in"><spanstyle="font-family:"Courier New"">        FIPSerr(FIPS_F_FIPS_DRBG_GENERATE,
FIPS_R_SELFTEST_FAILED);</span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier
New"">       return 0;</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier
New"">       }</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New""> </span><p
class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New"">    if
(!fips_drbg_check(dctx))</span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier
New"">       return 0;</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier
New""> </span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New"">    if
(dctx->status!= DRBG_STATUS_READY</span><p class="MsoNormal" style="margin-left:.5in"><span
style="font-family:"CourierNew"">        && dctx->status != DRBG_STATUS_RESEED)</span><p class="MsoNormal"
style="margin-left:.5in"><spanstyle="font-family:"Courier New"">        {</span><p class="MsoNormal"
style="margin-left:.5in"><spanstyle="font-family:"Courier New"">        if (dctx->status ==
DRBG_STATUS_ERROR)</span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier
New"">           r = FIPS_R_IN_ERROR_STATE;</span><p class="MsoNormal" style="margin-left:.5in"><span
style="font-family:"CourierNew"">        <b>else if(dctx->status == DRBG_STATUS_UNINITIALISED)</b></span><p
class="MsoNormal"style="margin-left:.5in"><b><span style="font-family:"Courier New"">            r =
FIPS_R_NOT_INSTANTIATED;</span></b><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier
New"">       goto end;</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier
New"">       }</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New"">…</span><p
class="MsoNormal"> <pclass="MsoNormal">The place where it fails is where dctx->status == DRBG_STATUS_UNINITIALIZED
(i.e.0). <p class="MsoNormal"> <p class="MsoNormal">So, my question is this: In FIPS mode, what would cause the random
numbergeneration to not initialize? I have put print statements in the postgresql code such that I know that it is in
FIPSmode properly. I know that the dctx->status pointer, which points to a “static DRBG_CTX ossl_dctx” structure, is
initializedto 1 in the main process. It appears that this initialization doesn’t get propagated to other backends or
theSSL transaction above. <p class="MsoNormal"> <p class="MsoNormal">If any of the developers have some insight into
this,I would appreciate it. <p class="MsoNormal"> <p class="MsoNormal">Thanks,<p class="MsoNormal"> <p
class="MsoNormal">RodneyLott<p class="MsoNormal"> </div>

pgsql-hackers by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: Lets (not) break all the things. Was: [pgsql-advocacy] 9.6 -> 10.0
Next
From: Bruce Momjian
Date:
Subject: Re: Lets (not) break all the things. Was: [pgsql-advocacy] 9.6 -> 10.0