Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Michael Paquier <michael@paquier.xyz>, Tom Lane <tgl@sss.pgh.pa.us>
Cc: Daniel Gustafsson <daniel@yesql.se>,
Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-10-14T07:40:12Z
Lists: pgsql-hackers
On 14/10/2020 06:29, Michael Paquier wrote: > With 0001 in place, switching the SHA2 implementation of OpenSSL to > use EVP is straight-forward, as the only thing that's actually needed > here is to put in place a callback to clean up the EVP contexts > allocated by OpenSSL. This is rather similar to what we do in > pgcrypto in some ways, but that's actually simpler and I made things > so as we only track down the EVP_MD_CTX members to free on abort. Since this is going to be core backend code (and also frontend), we don't need to use the generic reource owner callback mechanism, we could add a built-in ResourceOwnerData field and functions in resowner.c. The callback mechanism is a bit clunky. - Heikki
Commits
-
Change SHA2 implementation based on OpenSSL to use EVP digest routines
- 4f48a6fbe2b2 14.0 landed
- e21cbb4b893b 14.0 landed
-
Move SHA2 routines to a new generic API layer for crypto hashes
- 87ae9691d253 14.0 landed
-
Use OpenSSL EVP API for symmetric encryption in pgcrypto.
- 5ff4a67f63fd 10.0 cited