Re: Allow tests to pass in OpenSSL FIPS mode
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Peter Eisentraut <peter@eisentraut.org>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2023-11-14T23:07:38Z
Lists: pgsql-hackers
Peter Eisentraut <peter@eisentraut.org> writes: > On 05.10.23 22:55, Tom Lane wrote: >> I found another bit of fun we'll need to deal with: on my F38 >> platform, pgcrypto/3des fails as attached. Some googling finds >> this relevant info: >> https://github.com/pyca/cryptography/issues/6875 >> That is, FIPS deprecation of 3DES is happening even as we speak. >> So apparently we'll have little choice but to deal with two >> different behaviors for that. > I've been trying to get some VM set up with the right Red Hat > environment to be able to reproduce the issues you reported. But > somehow switching the OS into FIPS mode messes up the boot environment > of the VM or something. So I haven't been able to make progress on this. Hm. I was just using a native install on a microSD card for my raspberry pi ... > I suggest that if there are no other concerns, we proceed with the patch > set as is for now. After thinking about it for awhile, I guess I'm okay with only bothering to provide expected-files for FIPS failures under OpenSSL 3.x (which is how your patch is set up, I believe). While there are certainly still LTS platforms with 1.x, we don't have to consider FIPS mode on them to be a supported case. I'm more concerned about the 3DES situation. Fedora might be a bit ahead of the curve here, but according to the link above, everybody is supposed to be in compliance by the end of 2023. So I'd be inclined to guess that the 3DES-is-rejected case is going to be mainstream before v17 ships. > The error message difference in the older OpenSSL version would probably > need a small bit of coding. But we can leave that as a separate add-on > project. It's the *newer* version's message that I'm unhappy about ;-). But I agree that that's not a reason to hold up applying what's here. (In reality, people running FIPS mode are probably pretty accustomed to seeing this error, so maybe it's not worth the trouble to improve it.) regards, tom lane
Commits
-
Add regression expected-files for older OpenSSL in FIPS mode.
- ef5ee0e34618 18.0 landed
- e633fa6351bd 19 (unreleased) landed
- 047306a3fe26 17.7 landed
- c7b0cb367d3c 19 (unreleased) landed
- a865b654c773 17.7 landed
- 9e2c58417342 18.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (rest)
- 3c44e7d8d4fe 17.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (TAP tests)
- 284cbaea7c4b 17.0 landed
-
pgcrypto: Allow tests to pass in OpenSSL FIPS mode
- 795592865c96 17.0 landed
-
pgcrypto: Split off pgp-encrypt-md5 test
- 3af0d17acef7 17.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 landed
-
Remove incidental md5() function uses from main regression tests
- 208bf364a9cc 16.0 landed
-
Improve/correct comments
- 36ea345f8fa6 16.0 landed
-
Put tests of md5() function into separate test file
- 9786b89bd1b4 16.0 landed