Re: Allow tests to pass in OpenSSL FIPS mode
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Peter Eisentraut <peter.eisentraut@enterprisedb.com>,
Michael Paquier <michael@paquier.xyz>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2023-03-06T14:55:06Z
Lists: pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes: >> On 5 Mar 2023, at 00:04, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> I've gone through this and have a modest suggestion: let's invent some >> wrapper functions around encode(sha256()) to reduce the cosmetic diffs >> and consequent need for closer study of patch changes. In the attached >> I called them "notmd5()", but I'm surely not wedded to that name. > For readers without all context, wouldn't it be better to encode in the > function name why we're not just calling a hash like md5? Something like > fips_allowed_hash() or similar? I'd prefer shorter than that --- all these queries are laid out on the expectation of a very short function name. Maybe "fipshash()"? We could make the comment introducing the function declarations more elaborate, too. regards, tom lane
Commits
-
Add regression expected-files for older OpenSSL in FIPS mode.
- ef5ee0e34618 18.0 landed
- e633fa6351bd 19 (unreleased) landed
- 047306a3fe26 17.7 landed
- c7b0cb367d3c 19 (unreleased) landed
- a865b654c773 17.7 landed
- 9e2c58417342 18.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (rest)
- 3c44e7d8d4fe 17.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (TAP tests)
- 284cbaea7c4b 17.0 landed
-
pgcrypto: Allow tests to pass in OpenSSL FIPS mode
- 795592865c96 17.0 landed
-
pgcrypto: Split off pgp-encrypt-md5 test
- 3af0d17acef7 17.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 landed
-
Remove incidental md5() function uses from main regression tests
- 208bf364a9cc 16.0 landed
-
Improve/correct comments
- 36ea345f8fa6 16.0 landed
-
Put tests of md5() function into separate test file
- 9786b89bd1b4 16.0 landed