Re: Allow tests to pass in OpenSSL FIPS mode - Mailing list pgsql-hackers

From Peter Eisentraut
Subject Re: Allow tests to pass in OpenSSL FIPS mode
Date
Msg-id 6885f06b-79a4-8ded-2261-85a7be68ef4c@enterprisedb.com
In response to Re: Allow tests to pass in OpenSSL FIPS mode  (Peter Eisentraut <peter.eisentraut@enterprisedb.com>)
Responses Re: Allow tests to pass in OpenSSL FIPS mode  (Michael Paquier <michael@paquier.xyz>)
List pgsql-hackers
On 13.10.22 12:26, Peter Eisentraut wrote:
>> I think that the other md5() computations done in the main regression
>> test suite could just be switched to use one of the sha*() functions
>> as they just want to put their hands on text values.  It looks like a
>> few of them have some expectations with the output size and
>> generate_series(), though, but this could be tweaked by making the
>> series shorter, for example.
> 
> Right, that's the rest of my original patch.  I'll come back with an 
> updated version of that.

Here is the next step.  To contain the scope, I focused on just "make 
check" for now.  This patch removes all incidental calls to md5(), 
replacing them with sha256(), so that they'd pass with or without FIPS 
mode.  (Two tests would need alternative expected files: md5 and 
password.  I have not included those here.)

Some tests inspect the actual md5 result strings or build statistics 
based on them.  I have tried to carefully preserve the meaning of the 
original tests, to the extent that they could be inferred, in some cases 
adjusting example values by matching the md5 outputs to the equivalent 
sha256 outputs.  Some cases are tricky or mysterious or both and could 
use another look.

Attachment
