Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Daniel Gustafsson <daniel@yesql.se>, Heikki Linnakangas <hlinnaka@iki.fi>, Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-09-28T03:55:06Z
Lists: pgsql-hackers
On Fri, Sep 25, 2020 at 12:27:03AM -0400, Tom Lane wrote: > Given the tiny number of complaints to date, it seems sufficient to me > to deal with this in HEAD. Thanks. I have done more tests with the range of OpenSSL versions we support on HEAD, and applied this one. I have noticed that the previous patch forgot two fail-and-abort code paths as of EVP_DigestInit_ex() and EVP_DigestUpdate(). -- Michael
Commits
-
Change SHA2 implementation based on OpenSSL to use EVP digest routines
- 4f48a6fbe2b2 14.0 landed
- e21cbb4b893b 14.0 landed
-
Move SHA2 routines to a new generic API layer for crypto hashes
- 87ae9691d253 14.0 landed
-
Use OpenSSL EVP API for symmetric encryption in pgcrypto.
- 5ff4a67f63fd 10.0 cited