Home > mailing lists

Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 - Mailing list pgsql-hackers

From	Heikki Linnakangas
Subject	Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2
Date	September 24, 2020 19:21:44
Msg-id	bb971fb4-da73-18fe-636f-10a4d19e3503@iki.fi Whole thread Raw
In response to	Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 (Daniel Gustafsson <daniel@yesql.se>)
Responses	Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 (Daniel Gustafsson <daniel@yesql.se>) Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
List	pgsql-hackers

Tree view

On 24/09/2020 17:21, Daniel Gustafsson wrote:
> If we really want to support it (which would require more evidence of it being
> a problem IMO), using the non-OpenSSL sha256 code would be one option I guess?

That would technically work, but wouldn't it make the product as whole 
not FIPS compliant? I'm not a FIPS lawyer, but as I understand it the 
point of FIPS is that all the crypto code is encapsulated in a certified 
module. Having your own SHA-256 implementation would defeat that.

- Heikki

pgsql-hackers by date:

From: Konstantin Knizhnik
Date: 24 September 2020, 19:15:22
Subject: Custom options for building extensions with --with--llvm

From: Daniel Gustafsson
Date: 24 September 2020, 19:28:25
Subject: Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2

Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 - Mailing list pgsql-hackers

Previous

Next