Re: Allow tests to pass in OpenSSL FIPS mode

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Michael Paquier <michael@paquier.xyz>
Cc: Alvaro Herrera <alvherre@alvh.no-ip.org>, pgsql-hackers <pgsql-hackers@postgresql.org>, Tomas Vondra <tomas.vondra@enterprisedb.com>
Date: 2023-02-28T07:25:00Z
Lists: pgsql-hackers
On 28.02.23 06:01, Michael Paquier wrote:
> On Mon, Feb 27, 2023 at 08:23:34AM +0100, Peter Eisentraut wrote:
>> On 27.02.23 08:16, Michael Paquier wrote:
>>> This refers to brin_minmax_multi_distance_macaddr8(), no?  This is
>>> amazing.  I have a hard time imagining how FIPS would interact with
>>> what we do in mac8.c to explain that, so it may be something entirely
>>> different.  Is that reproducible?
>>
>> This is no longer present in the v2 patch.
> 
> Sure, but why was it happening in the first place?

Because the earlier patch only changed the test input values (which were 
generated on the fly using md5()), but did not adjust the expected test 
results in all the places.




Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file