Re: Allow tests to pass in OpenSSL FIPS mode - Mailing list pgsql-hackers
From | Tom Lane |
---|---|
Subject | Re: Allow tests to pass in OpenSSL FIPS mode |
Date | |
Msg-id | 2825088.1696539339@sss.pgh.pa.us |
In response to | Re: Allow tests to pass in OpenSSL FIPS mode (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses |
Re: Allow tests to pass in OpenSSL FIPS mode
Re: Allow tests to pass in OpenSSL FIPS mode |
List | pgsql-hackers |
I found another bit of fun we'll need to deal with: on my F38 platform, pgcrypto/3des fails as attached. Some googling finds this relevant info:

https://github.com/pyca/cryptography/issues/6875

That is, FIPS deprecation of 3DES is happening even as we speak. So apparently we'll have little choice but to deal with two different behaviors for that.

As before, I'm not too pleased with the user-friendliness of the error:

+ERROR: encrypt error: Cipher cannot be initialized

That's even less useful to a user than "unsupported".

FWIW, everything else seems to pass with this patchset. I ran check-world as well as the various "must run manually" test suites.

regards, tom lane

diff -U3 /home/tgl/pgsql/contrib/pgcrypto/expected/3des.out /home/tgl/pgsql/contrib/pgcrypto/results/3des.out --- /home/tgl/pgsql/contrib/pgcrypto/expected/3des.out 2023-10-05 15:25:46.922080156 -0400 +++ /home/tgl/pgsql/contrib/pgcrypto/results/3des.out 2023-10-05 16:29:32.416972002 -0400
@@ -5,61 +5,25 @@ SELECT encrypt('\x8000000000000000', '\x010101010101010101010101010101010101010101010101', '3des-ecb/pad:none'); - encrypt --------------------- - \x95f8a5e5dd31d900 -(1 row) - +ERROR: encrypt error: Cipher cannot be initialized select encrypt('', 'foo', '3des'); - encrypt --------------------- - \x752111e37a2d7ac3 -(1 row) - +ERROR: encrypt error: Cipher cannot be initialized -- 10 bytes key select encrypt('foo', '0123456789', '3des'); - encrypt --------------------- - \xd2fb8baa1717cb02 -(1 row) - +ERROR: encrypt error: Cipher cannot be initialized -- 22 bytes key select encrypt('foo', '0123456789012345678901', '3des'); - encrypt --------------------- - \xa44360e699269817 -(1 row) - +ERROR: encrypt error: Cipher cannot be initialized -- decrypt select encode(decrypt(encrypt('foo', '0123456', '3des'), '0123456', '3des'), 'escape'); - encode --------- - foo -(1 row) - +ERROR: encrypt error: Cipher cannot be initialized -- iv select encrypt_iv('foo', '0123456', 'abcd', '3des'); - encrypt_iv --------------------- - \x50735067b073bb93 -(1 row) - +ERROR: encrypt_iv error: Cipher cannot be initialized select encode(decrypt_iv('\x50735067b073bb93', '0123456', 'abcd', '3des'), 'escape'); - encode --------- - foo -(1 row) - +ERROR: decrypt_iv error: Cipher cannot be initialized -- long message select encrypt('Lets try a longer message.', '0123456789012345678901', '3des'); - encrypt --------------------------------------------------------------------- - \xb71e3422269d0ded19468f33d65cd663c28e0871984792a7b3ba0ddcecec8d2c -(1 row) - +ERROR: encrypt error: Cipher cannot be initialized select encode(decrypt(encrypt('Lets try a longer message.', '0123456789012345678901', '3des'), '0123456789012345678901','3des'), 'escape'); - encode ----------------------------- - Lets try a longer message. -(1 row) - +ERROR: encrypt error: Cipher cannot be initialized
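
Review bot: all nine statements in this hunk flip from a result row to "Cipher cannot be initialized", so a single expected/3des.out can no longer match both FIPS and non-FIPS builds; the test needs an alternative expected file for the FIPS outcome, or has to be skipped when 3DES is unavailable. The two nested decrypt(encrypt(...)) statements fail in the inner call and report "encrypt error", so the decrypt-side wording only shows up in the decrypt_iv statement. The message itself names neither the cipher nor the cause; wording that says 3des was rejected by the OpenSSL configuration would let a user tell this apart from a bad key or IV.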