| From: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Allow tests to pass in OpenSSL FIPS mode |
| Date: | 2023-03-08 08:49:15 |
| Message-ID: | d6eebf81-eab6-5ddf-3d72-ec824ff05de6@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 09.12.22 05:16, Michael Paquier wrote:
> On Wed, Dec 07, 2022 at 03:14:09PM +0100, Peter Eisentraut wrote:
>> Here is the next step. To contain the scope, I focused on just "make check"
>> for now. This patch removes all incidental calls to md5(), replacing them
>> with sha256(), so that they'd pass with or without FIPS mode. (Two tests
>> would need alternative expected files: md5 and password. I have not
>> included those here.)
>
> Yeah, fine by me to do that step-by-step.
It occurred to me that it would be easier to maintain this in the long
run if we could enable a "fake FIPS" mode that would have the same
effect but didn't require fiddling with the OpenSSL configuration or
installation.
The attached patch shows how this could work. Thoughts?
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Add-FAKE_FIPS_MODE.patch | text/plain | 3.0 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Daniel Gustafsson | 2023-03-08 09:21:26 | Re: Allow tests to pass in OpenSSL FIPS mode |
| Previous Message | Michael Paquier | 2023-03-08 08:21:20 | Re: Raising the SCRAM iteration count |