Re: Allow tests to pass in OpenSSL FIPS mode

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Peter Eisentraut <peter.eisentraut@enterprisedb.com>, Michael Paquier <michael@paquier.xyz>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2023-03-06T09:02:55Z
Lists: pgsql-hackers
> On 5 Mar 2023, at 00:04, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> Peter Eisentraut <peter.eisentraut@enterprisedb.com> writes:
>> [ v2-0001-Remove-incidental-md5-function-uses-from-main-reg.patch ]
> 
> I've gone through this and have a modest suggestion: let's invent some
> wrapper functions around encode(sha256()) to reduce the cosmetic diffs
> and consequent need for closer study of patch changes.  In the attached
> I called them "notmd5()", but I'm surely not wedded to that name.

For readers without all context, wouldn't it be better to encode in the
function name why we're not just calling a hash like md5?  Something like
fips_allowed_hash() or similar?

--
Daniel Gustafsson




Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file