Re: Allow tests to pass in OpenSSL FIPS mode

Peter Eisentraut <peter@eisentraut.org>

From: Peter Eisentraut <peter@eisentraut.org>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2023-10-06T13:46:24Z
Lists: pgsql-hackers
On 05.10.23 22:55, Tom Lane wrote:
> I found another bit of fun we'll need to deal with: on my F38
> platform, pgcrypto/3des fails as attached.  Some googling finds
> this relevant info:
> 
> https://github.com/pyca/cryptography/issues/6875
> 
> That is, FIPS deprecation of 3DES is happening even as we speak.
> So apparently we'll have little choice but to deal with two
> different behaviors for that.

Hmm, interesting, so maybe there should be a new openssl 3.x release at 
the end of the year that addresses this?



Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file