Re: Allow tests to pass in OpenSSL FIPS mode
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Peter Eisentraut <peter@eisentraut.org>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2023-11-15T20:29:16Z
Lists: pgsql-hackers
Attachments
- v5-0002-pgcrypto-Allow-tests-to-pass-in-OpenSSL-FIPS-mode.patch (text/x-diff) patch v5-0002
- v5-0003-Allow-tests-to-pass-in-OpenSSL-FIPS-mode-TAP-test.patch (text/x-diff) patch v5-0003
- v5-0004-Allow-tests-to-pass-in-OpenSSL-FIPS-mode-rest.patch (text/x-diff) patch v5-0004
- v5-0005-WIP-Use-fipshash-in-brin_multi-test.patch (text/x-diff) patch v5-0005
- v5-0006-allow-for-disabled-3DES.patch (text/x-diff) patch v5-0006
- v5-0007-password-test-delta.patch (text/x-diff) patch v5-0007
Daniel Gustafsson <daniel@yesql.se> writes: > Since the 3DES/DES deprecations aren't limited to FIPS, do we want to do > anything for pgcrypto where we have DES/3DES encryption? Maybe a doc patch > which mentions the deprecation with a link to the SP could be in order? A docs patch that marks both MD5 and 3DES as deprecated is probably appropriate, but it seems like a matter for a separate thread and patch. In the meantime, I've done a pass of review of Peter's v4 patches. v4-0001 is already committed, so that's not considered here. v4-0002: I think it is worth splitting up contrib/pgcrypto's pgp-encrypt test, which has only one test case whose output changes, and a bunch of others that don't. v5-0002, attached, does it like that. It's otherwise the same as v4. (It might be worth doing something similar for uuid_ossp's test, but I have not bothered here. That test script is stable enough that I'm not too worried about future maintenance.) The attached 0003, 0004, 0005 patches are identical to Peter's. I think that it is possibly worth modifying the password test so that we don't fail to create the roles, so as to reduce the delta between password.out and password_1.out (and thereby ease future maintenance of those files). However you might disagree, so I split my proposal out as a separate patch v5-0007-password-test-delta.patch; you can drop that from the set if you don't like it. v5-0006-allow-for-disabled-3DES.patch adds the necessary expected file to make that pass on my Fedora 38 system. With or without 0007, as you choose, I think it's committable. regards, tom lane
Commits
-
Add regression expected-files for older OpenSSL in FIPS mode.
- ef5ee0e34618 18.0 landed
- e633fa6351bd 19 (unreleased) landed
- 047306a3fe26 17.7 landed
- c7b0cb367d3c 19 (unreleased) landed
- a865b654c773 17.7 landed
- 9e2c58417342 18.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (rest)
- 3c44e7d8d4fe 17.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (TAP tests)
- 284cbaea7c4b 17.0 landed
-
pgcrypto: Allow tests to pass in OpenSSL FIPS mode
- 795592865c96 17.0 landed
-
pgcrypto: Split off pgp-encrypt-md5 test
- 3af0d17acef7 17.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 landed
-
Remove incidental md5() function uses from main regression tests
- 208bf364a9cc 16.0 landed
-
Improve/correct comments
- 36ea345f8fa6 16.0 landed
-
Put tests of md5() function into separate test file
- 9786b89bd1b4 16.0 landed