Re: Allow tests to pass in OpenSSL FIPS mode
Peter Eisentraut <peter@eisentraut.org>
From: Peter Eisentraut <peter@eisentraut.org>
To: Tom Lane <tgl@sss.pgh.pa.us>, Daniel Gustafsson <daniel@yesql.se>
Cc: PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2023-11-17T18:45:56Z
Lists: pgsql-hackers
On 15.11.23 21:29, Tom Lane wrote: > Daniel Gustafsson <daniel@yesql.se> writes: >> Since the 3DES/DES deprecations aren't limited to FIPS, do we want to do >> anything for pgcrypto where we have DES/3DES encryption? Maybe a doc patch >> which mentions the deprecation with a link to the SP could be in order? > > A docs patch that marks both MD5 and 3DES as deprecated is probably > appropriate, but it seems like a matter for a separate thread and patch. > > In the meantime, I've done a pass of review of Peter's v4 patches. > v4-0001 is already committed, so that's not considered here. > > v4-0002: I think it is worth splitting up contrib/pgcrypto's > pgp-encrypt test, which has only one test case whose output changes, > and a bunch of others that don't. v5-0002, attached, does it > like that. It's otherwise the same as v4. > > (It might be worth doing something similar for uuid_ossp's test, > but I have not bothered here. That test script is stable enough > that I'm not too worried about future maintenance.) > > The attached 0003, 0004, 0005 patches are identical to Peter's. > I think that it is possibly worth modifying the password test so that > we don't fail to create the roles, so as to reduce the delta between > password.out and password_1.out (and thereby ease future maintenance > of those files). However you might disagree, so I split my proposal > out as a separate patch v5-0007-password-test-delta.patch; you can > drop that from the set if you don't like it. > > v5-0006-allow-for-disabled-3DES.patch adds the necessary expected > file to make that pass on my Fedora 38 system. > > With or without 0007, as you choose, I think it's committable. All done, thanks.
Commits
-
Add regression expected-files for older OpenSSL in FIPS mode.
- ef5ee0e34618 18.0 landed
- e633fa6351bd 19 (unreleased) landed
- 047306a3fe26 17.7 landed
- c7b0cb367d3c 19 (unreleased) landed
- a865b654c773 17.7 landed
- 9e2c58417342 18.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (rest)
- 3c44e7d8d4fe 17.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (TAP tests)
- 284cbaea7c4b 17.0 landed
-
pgcrypto: Allow tests to pass in OpenSSL FIPS mode
- 795592865c96 17.0 landed
-
pgcrypto: Split off pgp-encrypt-md5 test
- 3af0d17acef7 17.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 landed
-
Remove incidental md5() function uses from main regression tests
- 208bf364a9cc 16.0 landed
-
Improve/correct comments
- 36ea345f8fa6 16.0 landed
-
Put tests of md5() function into separate test file
- 9786b89bd1b4 16.0 landed