Re: Allow tests to pass in OpenSSL FIPS mode

Peter Eisentraut <peter@eisentraut.org>

From: Peter Eisentraut <peter@eisentraut.org>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2023-11-15T11:44:36Z
Lists: pgsql-hackers
On 15.11.23 00:07, Tom Lane wrote:
> I'm more concerned about the 3DES situation.  Fedora might be a bit
> ahead of the curve here, but according to the link above, everybody is
> supposed to be in compliance by the end of 2023.  So I'd be inclined
> to guess that the 3DES-is-rejected case is going to be mainstream
> before v17 ships.

Right.  It is curious that I have not found any activity in the OpenSSL 
issue trackers about this.  But if you send me your results file, then I 
can include it in the patch as an alternative expected.




Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file