Re: Allow tests to pass in OpenSSL FIPS mode

Peter Eisentraut <peter@eisentraut.org>

From: Peter Eisentraut <peter@eisentraut.org>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2023-10-06T13:44:40Z
Lists: pgsql-hackers
On 05.10.23 22:04, Tom Lane wrote:
> On the way to testing this, I discovered that we have a usability
> regression with recent OpenSSL releases.  The Fedora 35 installation
> I used to use for testing FIPS-mode behavior would produce errors like

> +ERROR:  could not compute MD5 hash: disabled for FIPS

> In the shiny new Fedora 38 installation I just set up for the
> same purpose, I'm seeing

> +ERROR:  could not compute MD5 hash: unsupported

This makes sense, because the older OpenSSL works basically like

     if (FIPS_mode()) {
         specific_error();
     }

while the new one has all crypto methods in modules, and if you load the 
fips module, then some crypto methods just don't exist.




Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file