Re: Allow tests to pass in OpenSSL FIPS mode

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Michael Paquier <michael@paquier.xyz>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2022-10-13T10:26:32Z
Lists: pgsql-hackers
On 12.10.22 03:18, Michael Paquier wrote:
> On Tue, Oct 11, 2022 at 01:51:50PM +0200, Peter Eisentraut wrote:
>> Let's make a small start on this.  The attached patch moves the tests of the
>> md5() function to a separate test file.  That would ultimately make it
>> easier to maintain a variant expected file for FIPS mode where that function
>> will fail (similar to how we have done it for the pgcrypto tests).
> 
> Makes sense to me.  This slice looks fine.

Committed.

> I think that the other md5() computations done in the main regression
> test suite could just be switched to use one of the sha*() functions
> as they just want to put their hands on text values.  It looks like a
> few of them have some expections with the output size and
> generate_series(), though, but this could be tweaked by making the
> series shorter, for example.

Right, that's the rest of my original patch.  I'll come back with an 
updated version of that.




Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file