Re: Allow tests to pass in OpenSSL FIPS mode

Michael Paquier <michael@paquier.xyz>

From: Michael Paquier <michael@paquier.xyz>
To: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2022-10-12T01:18:50Z
Lists: pgsql-hackers
On Tue, Oct 11, 2022 at 01:51:50PM +0200, Peter Eisentraut wrote:
> Let's make a small start on this.  The attached patch moves the tests of the
> md5() function to a separate test file.  That would ultimately make it
> easier to maintain a variant expected file for FIPS mode where that function
> will fail (similar to how we have done it for the pgcrypto tests).

Makes sense to me.  This slice looks fine.

I think that the other md5() computations done in the main regression
test suite could just be switched to use one of the sha*() functions
as they just want to put their hands on text values.  It looks like a
few of them have some expections with the output size and
generate_series(), though, but this could be tweaked by making the
series shorter, for example.
--
Michael

Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file