On 04.10.22 17:45, Peter Eisentraut wrote:
While working on the column encryption patch, I wanted to check that what is implemented also works in OpenSSL FIPS mode. I tried running the normal test suites after switching the OpenSSL installation to FIPS mode, but that failed all over the place. So I embarked on fixing that.
Of course, there are some some tests where we do want to test MD5 functionality, such as in the authentication tests or in the tests of the md5() function itself. I think we can conditionalize these somehow.
Let's make a small start on this. The attached patch moves the tests of the md5() function to a separate test file. That would ultimately make it easier to maintain a variant expected file for FIPS mode where that function will fail (similar to how we have done it for the pgcrypto tests).
From 78b6032444ca7db540a82ab72637c3571afbae82 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut <pe...@eisentraut.org> Date: Tue, 11 Oct 2022 10:33:30 +0200 Subject: [PATCH] Put tests of md5() function into separate test file In FIPS mode, these calls will fail. By having them in a separate file, it would make it easier to have an alternative output file or selectively disable these tests. This isn't done here; this is just some preparation. --- src/test/regress/expected/md5.out | 91 +++++++++++++++++++++++++++ src/test/regress/expected/strings.out | 88 -------------------------- src/test/regress/parallel_schedule | 2 +- src/test/regress/sql/md5.sql | 36 +++++++++++ src/test/regress/sql/strings.sql | 32 ---------- 5 files changed, 128 insertions(+), 121 deletions(-) create mode 100644 src/test/regress/expected/md5.out create mode 100644 src/test/regress/sql/md5.sql diff --git a/src/test/regress/expected/md5.out b/src/test/regress/expected/md5.out new file mode 100644 index 000000000000..c5dd801cef2d --- /dev/null +++ b/src/test/regress/expected/md5.out @@ -0,0 +1,91 @@ +-- +-- MD5 test suite - from IETF RFC 1321 +-- (see: https://www.rfc-editor.org/rfc/rfc1321) +-- +-- (The md5() function will error in OpenSSL FIPS mode. By keeping +-- this test in a separate file, it is easier to manage variant +-- results.) +select md5('') = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('a') = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('abc') = '900150983cd24fb0d6963f7d28e17f72' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('message digest') = 'f96b697d7cb7938d525a2f31aaf161d0' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('abcdefghijklmnopqrstuvwxyz') = 'c3fcd3d76192e4007dfb496cca67e13b' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789') = 'd174ab98d277d9f5a5611c2c9f419d9f' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('12345678901234567890123456789012345678901234567890123456789012345678901234567890') = '57edf4a22be3c955ac49da2e2107b67a' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5(''::bytea) = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('a'::bytea) = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('abc'::bytea) = '900150983cd24fb0d6963f7d28e17f72' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('message digest'::bytea) = 'f96b697d7cb7938d525a2f31aaf161d0' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('abcdefghijklmnopqrstuvwxyz'::bytea) = 'c3fcd3d76192e4007dfb496cca67e13b' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'::bytea) = 'd174ab98d277d9f5a5611c2c9f419d9f' AS "TRUE"; + TRUE +------ + t +(1 row) + +select md5('12345678901234567890123456789012345678901234567890123456789012345678901234567890'::bytea) = '57edf4a22be3c955ac49da2e2107b67a' AS "TRUE"; + TRUE +------ + t +(1 row) + diff --git a/src/test/regress/expected/strings.out b/src/test/regress/expected/strings.out index 0f95b9400b69..69d7ed4ef1cf 100644 --- a/src/test/regress/expected/strings.out +++ b/src/test/regress/expected/strings.out @@ -2118,94 +2118,6 @@ select to_hex(256::bigint*256::bigint*256::bigint*256::bigint - 1) AS "ffffffff" ffffffff (1 row) --- --- MD5 test suite - from IETF RFC 1321 --- (see: ftp://ftp.rfc-editor.org/in-notes/rfc1321.txt) --- -select md5('') = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('a') = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('abc') = '900150983cd24fb0d6963f7d28e17f72' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('message digest') = 'f96b697d7cb7938d525a2f31aaf161d0' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('abcdefghijklmnopqrstuvwxyz') = 'c3fcd3d76192e4007dfb496cca67e13b' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789') = 'd174ab98d277d9f5a5611c2c9f419d9f' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('12345678901234567890123456789012345678901234567890123456789012345678901234567890') = '57edf4a22be3c955ac49da2e2107b67a' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5(''::bytea) = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('a'::bytea) = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('abc'::bytea) = '900150983cd24fb0d6963f7d28e17f72' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('message digest'::bytea) = 'f96b697d7cb7938d525a2f31aaf161d0' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('abcdefghijklmnopqrstuvwxyz'::bytea) = 'c3fcd3d76192e4007dfb496cca67e13b' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'::bytea) = 'd174ab98d277d9f5a5611c2c9f419d9f' AS "TRUE"; - TRUE ------- - t -(1 row) - -select md5('12345678901234567890123456789012345678901234567890123456789012345678901234567890'::bytea) = '57edf4a22be3c955ac49da2e2107b67a' AS "TRUE"; - TRUE ------- - t -(1 row) - -- -- SHA-2 -- diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule index 9f644a0c1b2c..9a139f1e2487 100644 --- a/src/test/regress/parallel_schedule +++ b/src/test/regress/parallel_schedule @@ -26,7 +26,7 @@ test: boolean char name varchar text int2 int4 int8 oid float4 float8 bit numeri # multirangetypes depends on rangetypes # multirangetypes shouldn't run concurrently with type_sanity # ---------- -test: strings numerology point lseg line box path polygon circle date time timetz timestamp timestamptz interval inet macaddr macaddr8 multirangetypes +test: strings md5 numerology point lseg line box path polygon circle date time timetz timestamp timestamptz interval inet macaddr macaddr8 multirangetypes # ---------- # Another group of parallel tests diff --git a/src/test/regress/sql/md5.sql b/src/test/regress/sql/md5.sql new file mode 100644 index 000000000000..fff101f57517 --- /dev/null +++ b/src/test/regress/sql/md5.sql @@ -0,0 +1,36 @@ +-- +-- MD5 test suite - from IETF RFC 1321 +-- (see: https://www.rfc-editor.org/rfc/rfc1321) +-- + +-- (The md5() function will error in OpenSSL FIPS mode. By keeping +-- this test in a separate file, it is easier to manage variant +-- results.) + +select md5('') = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE"; + +select md5('a') = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE"; + +select md5('abc') = '900150983cd24fb0d6963f7d28e17f72' AS "TRUE"; + +select md5('message digest') = 'f96b697d7cb7938d525a2f31aaf161d0' AS "TRUE"; + +select md5('abcdefghijklmnopqrstuvwxyz') = 'c3fcd3d76192e4007dfb496cca67e13b' AS "TRUE"; + +select md5('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789') = 'd174ab98d277d9f5a5611c2c9f419d9f' AS "TRUE"; + +select md5('12345678901234567890123456789012345678901234567890123456789012345678901234567890') = '57edf4a22be3c955ac49da2e2107b67a' AS "TRUE"; + +select md5(''::bytea) = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE"; + +select md5('a'::bytea) = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE"; + +select md5('abc'::bytea) = '900150983cd24fb0d6963f7d28e17f72' AS "TRUE"; + +select md5('message digest'::bytea) = 'f96b697d7cb7938d525a2f31aaf161d0' AS "TRUE"; + +select md5('abcdefghijklmnopqrstuvwxyz'::bytea) = 'c3fcd3d76192e4007dfb496cca67e13b' AS "TRUE"; + +select md5('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'::bytea) = 'd174ab98d277d9f5a5611c2c9f419d9f' AS "TRUE"; + +select md5('12345678901234567890123456789012345678901234567890123456789012345678901234567890'::bytea) = '57edf4a22be3c955ac49da2e2107b67a' AS "TRUE"; diff --git a/src/test/regress/sql/strings.sql b/src/test/regress/sql/strings.sql index 8c379182cb9d..04109f599dda 100644 --- a/src/test/regress/sql/strings.sql +++ b/src/test/regress/sql/strings.sql @@ -685,38 +685,6 @@ CREATE TABLE toasttest (c char(4096)); select to_hex(256::bigint*256::bigint*256::bigint*256::bigint - 1) AS "ffffffff"; --- --- MD5 test suite - from IETF RFC 1321 --- (see: ftp://ftp.rfc-editor.org/in-notes/rfc1321.txt) --- -select md5('') = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE"; - -select md5('a') = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE"; - -select md5('abc') = '900150983cd24fb0d6963f7d28e17f72' AS "TRUE"; - -select md5('message digest') = 'f96b697d7cb7938d525a2f31aaf161d0' AS "TRUE"; - -select md5('abcdefghijklmnopqrstuvwxyz') = 'c3fcd3d76192e4007dfb496cca67e13b' AS "TRUE"; - -select md5('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789') = 'd174ab98d277d9f5a5611c2c9f419d9f' AS "TRUE"; - -select md5('12345678901234567890123456789012345678901234567890123456789012345678901234567890') = '57edf4a22be3c955ac49da2e2107b67a' AS "TRUE"; - -select md5(''::bytea) = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE"; - -select md5('a'::bytea) = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE"; - -select md5('abc'::bytea) = '900150983cd24fb0d6963f7d28e17f72' AS "TRUE"; - -select md5('message digest'::bytea) = 'f96b697d7cb7938d525a2f31aaf161d0' AS "TRUE"; - -select md5('abcdefghijklmnopqrstuvwxyz'::bytea) = 'c3fcd3d76192e4007dfb496cca67e13b' AS "TRUE"; - -select md5('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'::bytea) = 'd174ab98d277d9f5a5611c2c9f419d9f' AS "TRUE"; - -select md5('12345678901234567890123456789012345678901234567890123456789012345678901234567890'::bytea) = '57edf4a22be3c955ac49da2e2107b67a' AS "TRUE"; - -- -- SHA-2 -- -- 2.37.3
