Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2

Michael Paquier <michael@paquier.xyz>

From: Michael Paquier <michael@paquier.xyz>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Daniel Gustafsson <daniel@yesql.se>, Robert Haas <robertmhaas@gmail.com>, Heikki Linnakangas <hlinnaka@iki.fi>, Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-09-25T06:56:53Z
Lists: pgsql-hackers
On Fri, Sep 25, 2020 at 01:36:44AM -0400, Tom Lane wrote:
> Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
>> However, again, the SCRAM 
>> implementation would already appear to fail that requirement because it 
>> uses a custom HMAC implementation, and HMAC is listed in FIPS 140-2 as a 
>> covered algorithm.
> 
> Ugh.  But is there any available FIPS-approved library code that could be
> used instead?

That's a good point, and I think that this falls down to use OpenSSL's
HMAC_* interface for this job when building with OpenSSL:
https://www.openssl.org/docs/man1.1.1/man3/HMAC.html

Worth noting that these have been deprecated in 3.0.0 as per the
rather-recent commit dbde472, where they recommend the use of
EVP_MAC_*() instead.
--
Michael

Commits

  1. Change SHA2 implementation based on OpenSSL to use EVP digest routines

  2. Move SHA2 routines to a new generic API layer for crypto hashes

  3. Use OpenSSL EVP API for symmetric encryption in pgcrypto.