Home > mailing lists

Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 - Mailing list pgsql-hackers

From	Peter Eisentraut
Subject	Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2
Date	September 24, 2020 20:56:43
Msg-id	b13ac74d-7321-711d-b438-c68850922b45@2ndquadrant.com Whole thread Raw
In response to	Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 (Heikki Linnakangas <hlinnaka@iki.fi>)
Responses	Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 (Robert Haas <robertmhaas@gmail.com>)
List	pgsql-hackers

Tree view

On 2020-09-24 18:21, Heikki Linnakangas wrote:
> That would technically work, but wouldn't it make the product as whole
> not FIPS compliant? I'm not a FIPS lawyer, but as I understand it the
> point of FIPS is that all the crypto code is encapsulated in a certified
> module. Having your own SHA-256 implementation would defeat that.

Depends on what one considers to be covered by FIPS.  The entire rest of 
SCRAM is custom code, so running it on top of the world's greatest 
SHA-256 implementation isn't going to make the end product any more 
trustworthy.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

pgsql-hackers by date:

From: Pavel Stehule
Date: 24 September 2020, 20:47:32
Subject: Re: proposal: possibility to read dumped table's name from file

From: Andres Freund
Date: 24 September 2020, 21:37:34
Subject: Re: Custom options for building extensions with --with--llvm

Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 - Mailing list pgsql-hackers

Previous

Next