Re: scram-sha-256 authentication broken in FIPS mode

Peter Eisentraut <peter.eisentraut@2ndquadrant.com>

From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Michael Paquier <michael@paquier.xyz>, Alessandro Gherardi <alessandro.gherardi@yahoo.com>
Cc: "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Date: 2018-09-11T14:32:27Z
Lists: pgsql-general
On 11/09/2018 05:02, Michael Paquier wrote:
> Hence, intrinsically, we are in contradiction with the upstream docs.  I
> have worked on the problem with the patch, which works down to OpenSSL
> 0.9.8, and should fix your issue.  This is based on what you sent
> previously, except that I was not able to apply what was sent, so I
> reworked the whole.  Alessandro, does this fix your problems?  I would
> like to apply that down to v10 where SCRAM has been introduced.

I recommend letting this bake in the master branch for a while.  There
are a lot weirdly patched and alternative OpenSSL versions out there
that defy any documentation.

Of course, we should also see if this actually fixes the reported problem.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


Commits

  1. Change SHA2 implementation based on OpenSSL to use EVP digest routines