Allow tests to pass in OpenSSL FIPS mode
Peter Eisentraut <peter.eisentraut@enterprisedb.com>
From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2022-10-04T15:45:32Z
Lists: pgsql-hackers
Attachments
- v1-0001-WIP-Allow-tests-to-pass-in-OpenSSL-FIPS-mode.patch (text/plain) patch v1-0001
While working on the column encryption patch, I wanted to check that
what is implemented also works in OpenSSL FIPS mode. I tried running
the normal test suites after switching the OpenSSL installation to FIPS
mode, but that failed all over the place. So I embarked on fixing that.
Attached is a first iteration of a patch.
The main issue is liberal use of the md5() function in tests to generate
random strings. For example, this is a common pattern:
SELECT x, md5(x::text) FROM generate_series(-10,10) x;
This can be replaced by
SELECT x, encode(sha256(x::text::bytea), 'hex')
FROM generate_series(-10,10) x;
In most cases, this could be further simplified by not using text but
bytea for the column types, thus skipping the encode step.
Some tests are carefully calibrated to achieve a certain column size or
something like that. These will need to be checked in more detail.
Another set of issues is in the SSL tests, where apparently some
certificates are generated with obsolete hash methods, probably SHA1
(and possibly MD5 again). Some of this can be addressed by just
regenerating everything with a newer OpenSSL installation, in some other
cases it appears to need additional command-line options or a local
configuration file change. This needs more research. I think we should
augment the setup used to generate these test files in a way that they
don't depend on the local configuration of whoever runs it.
Of course, there are some some tests where we do want to test MD5
functionality, such as in the authentication tests or in the tests of
the md5() function itself. I think we can conditionalize these somehow.
That looks like a smaller issue compared to the issues above.
Commits
-
Add regression expected-files for older OpenSSL in FIPS mode.
- ef5ee0e34618 18.0 landed
- e633fa6351bd 19 (unreleased) landed
- 047306a3fe26 17.7 landed
- c7b0cb367d3c 19 (unreleased) landed
- a865b654c773 17.7 landed
- 9e2c58417342 18.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (rest)
- 3c44e7d8d4fe 17.0 landed
-
Allow tests to pass in OpenSSL FIPS mode (TAP tests)
- 284cbaea7c4b 17.0 landed
-
pgcrypto: Allow tests to pass in OpenSSL FIPS mode
- 795592865c96 17.0 landed
-
pgcrypto: Split off pgp-encrypt-md5 test
- 3af0d17acef7 17.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 landed
-
Remove incidental md5() function uses from main regression tests
- 208bf364a9cc 16.0 landed
-
Improve/correct comments
- 36ea345f8fa6 16.0 landed
-
Put tests of md5() function into separate test file
- 9786b89bd1b4 16.0 landed