Re: Allow tests to pass in OpenSSL FIPS mode
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
Cc: Michael Paquier <michael@paquier.xyz>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2023-03-04T23:04:37Z
Lists: pgsql-hackers
Attachments
- v3-0001-Remove-incidental-md5-function-uses-from-main-reg.patch (text/x-diff) patch v3-0001
Peter Eisentraut <peter.eisentraut@enterprisedb.com> writes: > [ v2-0001-Remove-incidental-md5-function-uses-from-main-reg.patch ] I've gone through this and have a modest suggestion: let's invent some wrapper functions around encode(sha256()) to reduce the cosmetic diffs and consequent need for closer study of patch changes. In the attached I called them "notmd5()", but I'm surely not wedded to that name. This also accounts for some relatively recent additions to stats_ext.sql that introduced yet more uses of md5(). This passes for me on a FIPS-enabled Fedora system, with the exception of md5.sql and password.sql. I agree that the right thing for md5.sql is just to add a variant expected-file. password.sql could perhaps use some refactoring so that we don't have two large expected-files to manage. The only other place that perhaps needs discussion is rowsecurity.sql, which has some surprisingly large changes: not only do the random strings change, but there are rowcount differences in some results. I believe this is because there are RLS policy checks and view conditions that actually examine the contents of the "md5" strings, eg CREATE POLICY p1 ON s1 USING (a in (select x from s2 where y like '%2f%')); My recommendation is to just accept those changes as OK and move on. I doubt that anybody checked the existing results line-by-line either. So, once we've done something about md5.sql and password.sql, I think this is committable. regards, tom lane
Commits
-
Add regression expected-files for older OpenSSL in FIPS mode.
- ef5ee0e34618 18.0 landed
- e633fa6351bd 19 (unreleased) landed
- 047306a3fe26 17.7 landed
- c7b0cb367d3c 19 (unreleased) landed
- a865b654c773 17.7 landed
- 9e2c58417342 18.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (rest)
- 3c44e7d8d4fe 17.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (TAP tests)
- 284cbaea7c4b 17.0 landed
-
pgcrypto: Allow tests to pass in OpenSSL FIPS mode
- 795592865c96 17.0 landed
-
pgcrypto: Split off pgp-encrypt-md5 test
- 3af0d17acef7 17.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 landed
-
Remove incidental md5() function uses from main regression tests
- 208bf364a9cc 16.0 landed
-
Improve/correct comments
- 36ea345f8fa6 16.0 landed
-
Put tests of md5() function into separate test file
- 9786b89bd1b4 16.0 landed