Re: Allow tests to pass in OpenSSL FIPS mode

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2023-10-05T13:44:19Z
Lists: pgsql-hackers

Attachments

On 04.10.22 17:45, Peter Eisentraut wrote:
> While working on the column encryption patch, I wanted to check that 
> what is implemented also works in OpenSSL FIPS mode.  I tried running 
> the normal test suites after switching the OpenSSL installation to FIPS 
> mode, but that failed all over the place.  So I embarked on fixing that. 
>   Attached is a first iteration of a patch.

Continuing this, we have fixed many issues since.  Here is a patch set 
to fix all remaining issues.

v4-0001-citext-Allow-tests-to-pass-in-OpenSSL-FIPS-mode.patch
v4-0002-pgcrypto-Allow-tests-to-pass-in-OpenSSL-FIPS-mode.patch

These two are pretty straightforward.

v4-0003-Allow-tests-to-pass-in-OpenSSL-FIPS-mode-TAP-test.patch

This one does some delicate surgery and could use some thorough review.

v4-0004-Allow-tests-to-pass-in-OpenSSL-FIPS-mode-rest.patch

This just adds alternative expected files.  The question is mainly just 
whether there are better ways to organize this.

v4-0005-WIP-Use-fipshash-in-brin_multi-test.patch

Here, some previously fixed md5() uses have snuck back in.  I will need 
to track down the origin of this and ask for a proper fix there.  This 
is just included here for completeness.

Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file