Re: Allow tests to pass in OpenSSL FIPS mode

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2022-10-11T11:51:50Z
Lists: pgsql-hackers

Attachments

On 04.10.22 17:45, Peter Eisentraut wrote:
> While working on the column encryption patch, I wanted to check that 
> what is implemented also works in OpenSSL FIPS mode.  I tried running 
> the normal test suites after switching the OpenSSL installation to FIPS 
> mode, but that failed all over the place.  So I embarked on fixing that. 

> Of course, there are some some tests where we do want to test MD5 
> functionality, such as in the authentication tests or in the tests of 
> the md5() function itself.  I think we can conditionalize these somehow. 

Let's make a small start on this.  The attached patch moves the tests of 
the md5() function to a separate test file.  That would ultimately make 
it easier to maintain a variant expected file for FIPS mode where that 
function will fail (similar to how we have done it for the pgcrypto tests).

Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file