Allow tests to pass in OpenSSL FIPS mode

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2022-10-04T15:45:32Z
Lists: pgsql-hackers

Attachments

While working on the column encryption patch, I wanted to check that 
what is implemented also works in OpenSSL FIPS mode.  I tried running 
the normal test suites after switching the OpenSSL installation to FIPS 
mode, but that failed all over the place.  So I embarked on fixing that. 
  Attached is a first iteration of a patch.

The main issue is liberal use of the md5() function in tests to generate 
random strings.  For example, this is a common pattern:

     SELECT x, md5(x::text) FROM generate_series(-10,10) x;

This can be replaced by

     SELECT x, encode(sha256(x::text::bytea), 'hex')
         FROM generate_series(-10,10) x;

In most cases, this could be further simplified by not using text but 
bytea for the column types, thus skipping the encode step.

Some tests are carefully calibrated to achieve a certain column size or 
something like that.  These will need to be checked in more detail.

Another set of issues is in the SSL tests, where apparently some 
certificates are generated with obsolete hash methods, probably SHA1 
(and possibly MD5 again).  Some of this can be addressed by just 
regenerating everything with a newer OpenSSL installation, in some other 
cases it appears to need additional command-line options or a local 
configuration file change.  This needs more research.  I think we should 
augment the setup used to generate these test files in a way that they 
don't depend on the local configuration of whoever runs it.

Of course, there are some some tests where we do want to test MD5 
functionality, such as in the authentication tests or in the tests of 
the md5() function itself.  I think we can conditionalize these somehow. 
  That looks like a smaller issue compared to the issues above.

Commits

  1. Add regression expected-files for older OpenSSL in FIPS mode.

  2. Allow tests to pass in OpenSSL FIPS mode (rest)

  3. Allow tests to pass in OpenSSL FIPS mode (TAP tests)

  4. pgcrypto: Allow tests to pass in OpenSSL FIPS mode

  5. pgcrypto: Split off pgp-encrypt-md5 test

  6. citext: Allow tests to pass in OpenSSL FIPS mode

  7. Remove incidental md5() function uses from main regression tests

  8. Improve/correct comments

  9. Put tests of md5() function into separate test file