Here's a patch for enabling FIPS in OpenSSL - by calling FIPS_mode_set(1) - on
Windows if the FIPS registry entry
HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled is set to
1. That's the entry that the .NET crypto libraries look at to decide whether or
not to operate in FI
I changed the implementation of the other SHA digests to use EVP also.
I verified that, with these changes, scram-sha-256 works when FIPS is enabled.
sha2.h.diff
Description: Binary data
sha2_openssl.c.diff
Description: Binary data
Hi Michael,
I'm attaching the output of diff .
> If we could prove that sha2-openssl.c is actually
unreliable even if FIPS is enabled system-wide with either SCRAM
authentication or any of the other hashing functions, then I would be
ready to accept a patch. Now, as far as I can see and heard f
mode")); return -1; } }#endif
#ifdef HAVE_OPENSSL_INIT_SSL OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG,
NULL);#else OPENSSL_config(NULL); SSL_library_init();
SSL_load_error_strings();#endif
On Tuesday, September 4, 2018, 10:27:22 PM MDT, Michael Paquier
wrote:
On Wed, Sep 05, 2018 a
It looks like scram-sha-256 doesn't work when postgres is linked against
FIPS-enabled OpenSSL and FIPS mode is turned on.
Specifically, all login attempts fail with an OpenSSL error saying something
along the lines of "Low level API call to digest SHA256 forbidden in fips mode".
I think this iss
