Re: Allow tests to pass in OpenSSL FIPS mode

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Peter Eisentraut <peter.eisentraut@enterprisedb.com>, Michael Paquier <michael@paquier.xyz>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2023-03-06T14:55:06Z
Lists: pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes:
>> On 5 Mar 2023, at 00:04, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I've gone through this and have a modest suggestion: let's invent some
>> wrapper functions around encode(sha256()) to reduce the cosmetic diffs
>> and consequent need for closer study of patch changes.  In the attached
>> I called them "notmd5()", but I'm surely not wedded to that name.

> For readers without all context, wouldn't it be better to encode in the
> function name why we're not just calling a hash like md5?  Something like
> fips_allowed_hash() or similar?

I'd prefer shorter than that --- all these queries are laid out on the
expectation of a very short function name.  Maybe "fipshash()"?

We could make the comment introducing the function declarations more
elaborate, too.

			regards, tom lane



Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file