Re: Allow tests to pass in OpenSSL FIPS mode

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
Cc: PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2023-10-05T14:17:38Z
Lists: pgsql-hackers
> On 5 Oct 2023, at 15:44, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:
> 
> On 04.10.22 17:45, Peter Eisentraut wrote:
>> While working on the column encryption patch, I wanted to check that what is implemented also works in OpenSSL FIPS mode.  I tried running the normal test suites after switching the OpenSSL installation to FIPS mode, but that failed all over the place.  So I embarked on fixing that.   Attached is a first iteration of a patch.
> 
> Continuing this, we have fixed many issues since.  Here is a patch set to fix all remaining issues.
> 
> v4-0001-citext-Allow-tests-to-pass-in-OpenSSL-FIPS-mode.patch
> v4-0002-pgcrypto-Allow-tests-to-pass-in-OpenSSL-FIPS-mode.patch

+ERROR:  crypt(3) returned NULL

Not within scope here, but I wish we had a better error message here. That's for another patch though clearly.

> v4-0003-Allow-tests-to-pass-in-OpenSSL-FIPS-mode-TAP-test.patch
> 
> This one does some delicate surgery and could use some thorough review.

I don't have a FIPS enabled build handy to test in, but reading the patch I
don't see anything that sticks out apart from very minor comments:

+my $md5_works = ($node->psql('postgres', "select md5('')") == 0);

I think this warrants an explanatory comment for readers not familiar with
FIPS, without that it may seem quite an odd test.

+), 0, 'created user with scram password');

Tiny nitpick, I think we use SCRAM when writing it in text.

> v4-0004-Allow-tests-to-pass-in-OpenSSL-FIPS-mode-rest.patch
> 
> This just adds alternative expected files.  The question is mainly just whether there are better ways to organize this.

Without inventing a new structure for alternative outputs I don't see how.

--
Daniel Gustafsson




Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file