Re: Allow tests to pass in OpenSSL FIPS mode - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: Allow tests to pass in OpenSSL FIPS mode
Date
Msg-id 7085A535-23CA-47C9-9D13-36D4A1933A1D@yesql.se
In response to Re: Allow tests to pass in OpenSSL FIPS mode  (Peter Eisentraut <peter.eisentraut@enterprisedb.com>)
Responses Re: Allow tests to pass in OpenSSL FIPS mode  (Peter Eisentraut <peter.eisentraut@enterprisedb.com>)
List pgsql-hackers
> On 8 Mar 2023, at 09:49, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:

> It occurred to me that it would be easier to maintain this in the long run if we could enable a "fake FIPS" mode that would have the same effect but didn't require fiddling with the OpenSSL configuration or installation.
>
> The attached patch shows how this could work.  Thoughts?

- * Initialize a hash context.  Note that this implementation is designed
- * to never fail, so this always returns 0.
+ * Initialize a hash context.
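Review bot: The replacement comment line "Initialize a hash context." leaves the function's return value undocumented once the "always returns 0" sentence is removed. Suggest stating in the comment what is returned on success and on failure, so callers know the result has to be checked.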
Regardless of which, we want this hunk since the code clearly can return -1.

+#ifdef FAKE_FIPS_MODE
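Review bot: `FAKE_FIPS_MODE` at this `#ifdef` is a compile-time switch, and the quoted line shows neither where the macro is defined nor how it is meant to be enabled. Suggest a comment at the guard documenting that it exists for the test suite only and how to turn it on, so a build with it defined is not mistaken for one running against OpenSSL in real FIPS mode.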
I'm not enthusiastic about this.  If we use this rather than OpenSSL with FIPS
enabled we might end up missing bugs or weird behavior due to changes in
OpenSSL that we didn't test.

--
Daniel Gustafsson