- Mailing list pgsql-hackers
From | Rodney Lott |
---|---|
Subject | |
Date | |
Msg-id | 5c5a3de8e0094b68bbce362a1989e6a4@WARIO.burlington.evertz.tv Whole thread Raw |
List | pgsql-hackers |
<div class="WordSection1"><p class="MsoNormal">Hi, there. <p class="MsoNormal"> <p class="MsoNormal">First, my particulars:<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="font-family:Symbol"><spanstyle="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman""> </span></span></span>UbuntuTrusty build and runtime environment <p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0level1 lfo1"><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt"Times New Roman""> </span></span></span>PostgreSQL 9.3.10 Ubuntu source code<p class="MsoListParagraph"style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="font-family:Symbol"><span style="mso-list:Ignore">·<spanstyle="font:7.0pt "Times New Roman""> </span></span></span>Using a FIPS enabled versionof OpenSSL (i.e. 1.0.1p version of the library and 2.0.9 of the FIPS canister source code)<p class="MsoListParagraph"style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="font-family:Symbol"><span style="mso-list:Ignore">·<spanstyle="font:7.0pt "Times New Roman""> </span></span></span>I initially posted thisto the pgsql-general list a few weeks ago, but I wasn’t able to get enough specific information to resolve my issues.Hence, why I am posting this here.<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><spanstyle="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman""> </span></span></span>I am new to FIPS and postgresql in general (i.e. working with them for a few months)<pclass="MsoNormal"> <p class="MsoNormal">I’ve been trying to get the postgresql packages to work in FIPS mode. Toaccomplish this, I’ve patched the Ubuntu source code with the patch that is attached to this message. <p class="MsoNormal"> <pclass="MsoNormal">The main postgresql server runs fine as expected in either FIPS or non-FIPS modes.However, when I try to use the psql command in FIPS mode, I get the following error: <p class="MsoNormal"> <p class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New""># psql -h 127.0.0.1 -U postgres -d sslmode=require</span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New"">psql: SSL SYSCALLerror: EOF detected</span><p class="MsoNormal"> <p class="MsoNormal">I used the gdb debugger to try to find wherein the backend the command was failing. The backtrace on the server side suggests that the problem involves the key-exchangefailing: <p class="MsoNormal"> <p class="MsoNormal">(gdb) bt<p class="MsoNormal">#0 0x00007f40183e8f20 in __nanosleep_nocancel() at ../sysdeps/unix/syscall-template.S:81<p class="MsoNormal">#1 0x00007f40183e8dd4 in __sleep (seconds=0)at ../sysdeps/unix/sysv/linux/sleep.c:137<p class="MsoNormal">#2 0x00007f40196a95ce in DH_generate_key () from/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0<p class="MsoNormal">#3 0x00007f40199e8ba6 in ssl3_send_server_key_exchange() from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0<p class="MsoNormal">#4 0x00007f40199ec18bin ssl3_accept () from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0<p class="MsoNormal">#5 0x00007f40199fb8b3in ssl23_accept () from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0<p class="MsoNormal">#6 0x00005618082567a4in open_server_SSL (port=0x561808e05700) at /home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/libpq/be-secure.c:925<p class="MsoNormal">#7 secure_open_server (port=port@entry=0x561808e05700) at /home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/libpq/be-secure.c:221<p class="MsoNormal">#8 0x00005618082c7eb8 in ProcessStartupPacket (port=port@entry=0x561808e05700, SSLdone=SSLdone@entry=0'\000') at /home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/postmaster/postmaster.c:1921<p class="MsoNormal">#9 0x00005618081030f9 in BackendInitialize (port=0x561808e05700) at /home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/postmaster/postmaster.c:4036<p class="MsoNormal">#10BackendStartup (port=0x561808e05700) at /home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/postmaster/postmaster.c:3807<p class="MsoNormal">#11ServerLoop () at /home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/postmaster/postmaster.c:1690<p class="MsoNormal">#120x00005618082cace1 in PostmasterMain (argc=5, argv=<optimized out>) at /home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/postmaster/postmaster.c:1315<p class="MsoNormal">#130x0000561808103fb3 in main (argc=5, argv=0x561808db6970) at /home/rlott/git/stash/postgresql-fips/postgresql-9.3-9.3.10/build/../src/backend/main/main.c:227<pclass="MsoNormal"> <p class="MsoNormal">Itracked it down to the following code in the OpenSSL 2.0.9 canister code: <p class="MsoNormal"> <p class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New"">int FIPS_drbg_generate(DRBG_CTX *dctx,unsigned char *out, size_t outlen,</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"CourierNew""> int prediction_resistance,</span><p class="MsoNormal" style="margin-left:.5in"><spanstyle="font-family:"Courier New""> const unsigned char *adin, size_t adinlen)</span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New""> {</span><p class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New""> int r = 0;</span><p class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New""> </span><p class="MsoNormal" style="margin-left:.5in"><spanstyle="font-family:"Courier New""> if (FIPS_selftest_failed())</span><p class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New""> {</span><p class="MsoNormal" style="margin-left:.5in"><spanstyle="font-family:"Courier New""> FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);</span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New""> return 0;</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New""> }</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New""> </span><p class="MsoNormal"style="margin-left:.5in"><span style="font-family:"Courier New""> if (!fips_drbg_check(dctx))</span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New""> return 0;</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New""> </span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New""> if (dctx->status!= DRBG_STATUS_READY</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"CourierNew""> && dctx->status != DRBG_STATUS_RESEED)</span><p class="MsoNormal" style="margin-left:.5in"><spanstyle="font-family:"Courier New""> {</span><p class="MsoNormal" style="margin-left:.5in"><spanstyle="font-family:"Courier New""> if (dctx->status == DRBG_STATUS_ERROR)</span><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New""> r = FIPS_R_IN_ERROR_STATE;</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"CourierNew""> <b>else if(dctx->status == DRBG_STATUS_UNINITIALISED)</b></span><p class="MsoNormal"style="margin-left:.5in"><b><span style="font-family:"Courier New""> r = FIPS_R_NOT_INSTANTIATED;</span></b><pclass="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New""> goto end;</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New""> }</span><p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Courier New"">…</span><p class="MsoNormal"> <pclass="MsoNormal">The place where it fails is where dctx->status == DRBG_STATUS_UNINITIALIZED (i.e.0). <p class="MsoNormal"> <p class="MsoNormal">So, my question is this: In FIPS mode, what would cause the random numbergeneration to not initialize? I have put print statements in the postgresql code such that I know that it is in FIPSmode properly. I know that the dctx->status pointer, which points to a “static DRBG_CTX ossl_dctx” structure, is initializedto 1 in the main process. It appears that this initialization doesn’t get propagated to other backends or theSSL transaction above. <p class="MsoNormal"> <p class="MsoNormal">If any of the developers have some insight into this,I would appreciate it. <p class="MsoNormal"> <p class="MsoNormal">Thanks,<p class="MsoNormal"> <p class="MsoNormal">RodneyLott<p class="MsoNormal"> </div>
pgsql-hackers by date: