Re: Allow tests to pass in OpenSSL FIPS mode
Peter Eisentraut <peter.eisentraut@enterprisedb.com>
From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Michael Paquier <michael@paquier.xyz>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2023-03-08T08:49:15Z
Lists: pgsql-hackers
Attachments
- 0001-Add-FAKE_FIPS_MODE.patch (text/plain) patch 0001
On 09.12.22 05:16, Michael Paquier wrote: > On Wed, Dec 07, 2022 at 03:14:09PM +0100, Peter Eisentraut wrote: >> Here is the next step. To contain the scope, I focused on just "make check" >> for now. This patch removes all incidental calls to md5(), replacing them >> with sha256(), so that they'd pass with or without FIPS mode. (Two tests >> would need alternative expected files: md5 and password. I have not >> included those here.) > > Yeah, fine by me to do that step-by-step. It occurred to me that it would be easier to maintain this in the long run if we could enable a "fake FIPS" mode that would have the same effect but didn't require fiddling with the OpenSSL configuration or installation. The attached patch shows how this could work. Thoughts?
Commits
-
Add regression expected-files for older OpenSSL in FIPS mode.
- ef5ee0e34618 18.0 landed
- e633fa6351bd 19 (unreleased) landed
- 047306a3fe26 17.7 landed
- c7b0cb367d3c 19 (unreleased) landed
- a865b654c773 17.7 landed
- 9e2c58417342 18.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (rest)
- 3c44e7d8d4fe 17.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (TAP tests)
- 284cbaea7c4b 17.0 landed
-
pgcrypto: Allow tests to pass in OpenSSL FIPS mode
- 795592865c96 17.0 landed
-
pgcrypto: Split off pgp-encrypt-md5 test
- 3af0d17acef7 17.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 landed
-
Remove incidental md5() function uses from main regression tests
- 208bf364a9cc 16.0 landed
-
Improve/correct comments
- 36ea345f8fa6 16.0 landed
-
Put tests of md5() function into separate test file
- 9786b89bd1b4 16.0 landed