Re: Allow tests to pass in OpenSSL FIPS mode

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Michael Paquier <michael@paquier.xyz>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2023-03-08T08:49:15Z
Lists: pgsql-hackers

Attachments

On 09.12.22 05:16, Michael Paquier wrote:
> On Wed, Dec 07, 2022 at 03:14:09PM +0100, Peter Eisentraut wrote:
>> Here is the next step.  To contain the scope, I focused on just "make check"
>> for now.  This patch removes all incidental calls to md5(), replacing them
>> with sha256(), so that they'd pass with or without FIPS mode.  (Two tests
>> would need alternative expected files: md5 and password.  I have not
>> included those here.)
> 
> Yeah, fine by me to do that step-by-step.

It occurred to me that it would be easier to maintain this in the long 
run if we could enable a "fake FIPS" mode that would have the same 
effect but didn't require fiddling with the OpenSSL configuration or 
installation.

The attached patch shows how this could work.  Thoughts?

Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file