On 09.12.22 05:16, Michael Paquier wrote:
On Wed, Dec 07, 2022 at 03:14:09PM +0100, Peter Eisentraut wrote:
Here is the next step.  To contain the scope, I focused on just "make check"
for now.  This patch removes all incidental calls to md5(), replacing them
with sha256(), so that they'd pass with or without FIPS mode.  (Two tests
would need alternative expected files: md5 and password.  I have not
included those here.)

Yeah, fine by me to do that step-by-step.

It occurred to me that it would be easier to maintain this in the long run if we could enable a "fake FIPS" mode that would have the same effect but didn't require fiddling with the OpenSSL configuration or installation.

The attached patch shows how this could work.  Thoughts?
From e195c7f13e445ca657a1d33de79e619ede6c8436 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pe...@eisentraut.org>
Date: Wed, 8 Mar 2023 09:48:27 +0100
Subject: [PATCH] Add FAKE_FIPS_MODE

When this is defined, it emulates the OpenSSL FIPS module by disabling
old cryptographic functions such as MD5.  This is meant for ensuring
that the test suites are FIPS-clean.  Not intended for production
builds.
---
 src/common/cryptohash.c         | 18 +++++++++++++++---
 src/common/cryptohash_openssl.c | 11 +++++++++++
 src/include/pg_config_manual.h  |  7 +++++++
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/src/common/cryptohash.c b/src/common/cryptohash.c
index b3da9a99bd..85b77d65a1 100644
--- a/src/common/cryptohash.c
+++ b/src/common/cryptohash.c
@@ -44,7 +44,8 @@
 typedef enum pg_cryptohash_errno
 {
        PG_CRYPTOHASH_ERROR_NONE = 0,
-       PG_CRYPTOHASH_ERROR_DEST_LEN
+       PG_CRYPTOHASH_ERROR_DEST_LEN,
+       PG_CRYPTOHASH_ERROR_UNSUPPORTED,
 } pg_cryptohash_errno;
 
 /* Internal pg_cryptohash_ctx structure */
@@ -94,8 +95,7 @@ pg_cryptohash_create(pg_cryptohash_type type)
 /*
  * pg_cryptohash_init
  *
- * Initialize a hash context.  Note that this implementation is designed
- * to never fail, so this always returns 0.
+ * Initialize a hash context.
  */
 int
 pg_cryptohash_init(pg_cryptohash_ctx *ctx)
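Review bot: the header comment now loses all information about the return convention; since pg_cryptohash_init() in this fallback implementation can now return -1 (under FAKE_FIPS_MODE), state it explicitly, e.g. "Returns 0 on success, -1 on failure with ctx->error set, see pg_cryptohash_error()". Also worth checking whether any caller of the non-OpenSSL pg_cryptohash_init() skipped checking its result on the strength of the old "designed to never fail" note; those call sites would now silently proceed with an uninitialized MD5 context.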
@@ -103,6 +103,16 @@ pg_cryptohash_init(pg_cryptohash_ctx *ctx)
        if (ctx == NULL)
                return -1;
 
+#ifdef FAKE_FIPS_MODE
+       switch (ctx->type)
+       {
+               case PG_MD5:
+                       ctx->error = PG_CRYPTOHASH_ERROR_UNSUPPORTED;
+                       return -1;
+               default:
+       }
+#endif
+
        switch (ctx->type)
        {
                case PG_MD5:
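Review bot: `default:` immediately followed by `}` in the new FAKE_FIPS_MODE switch is a syntax error in C before C23, because a label must be followed by a statement; write `default: break;` (or replace the whole switch with `if (ctx->type == PG_MD5) { ... }`, which is shorter given there is only one case). As written, a build with FAKE_FIPS_MODE defined will not compile, so the define was presumably not exercised before posting.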
@@ -271,6 +281,8 @@ pg_cryptohash_error(pg_cryptohash_ctx *ctx)
                        return _("success");
                case PG_CRYPTOHASH_ERROR_DEST_LEN:
                        return _("destination buffer too small");
+               case PG_CRYPTOHASH_ERROR_UNSUPPORTED:
+                       return _("unsupported");
        }
 
        Assert(false);
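Review bot: "unsupported" is too terse to be actionable for a user or test author who hits it; say what is unsupported and why, e.g. "hash algorithm not supported in FIPS mode", and keep the wording aligned with the OpenSSL build, which reports the libssl reason string for ERR_R_UNSUPPORTED for the same condition, so both builds produce comparable diagnostics in the regression output.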
diff --git a/src/common/cryptohash_openssl.c b/src/common/cryptohash_openssl.c
index a654cd4ad4..d2dd246532 100644
--- a/src/common/cryptohash_openssl.c
+++ b/src/common/cryptohash_openssl.c
@@ -158,6 +158,17 @@ pg_cryptohash_init(pg_cryptohash_ctx *ctx)
        if (ctx == NULL)
                return -1;
 
+#ifdef FAKE_FIPS_MODE
+       switch (ctx->type)
+       {
+               case PG_MD5:
+                       ctx->errreason = SSLerrmessage(ERR_R_UNSUPPORTED);
+                       ctx->error = PG_CRYPTOHASH_ERROR_OPENSSL;
+                       return -1;
+               default:
+       }
+#endif
+
        switch (ctx->type)
        {
                case PG_MD5:
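Review bot: same `default:` followed directly by `}` syntax error as in cryptohash.c; use `default: break;` or a plain `if (ctx->type == PG_MD5)`. Separately, ERR_R_UNSUPPORTED should be checked against the oldest OpenSSL release this tree still builds with; if it is only provided by newer OpenSSL, the FAKE_FIPS_MODE block needs a fallback (a fixed errreason string would do, since the message only has to say that MD5 is disabled), otherwise the emulation compiles on some supported versions and not others.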
diff --git a/src/include/pg_config_manual.h b/src/include/pg_config_manual.h
index b586ee269a..4a604039d1 100644
--- a/src/include/pg_config_manual.h
+++ b/src/include/pg_config_manual.h
@@ -364,3 +364,10 @@
  * Enable tracing of syncscan operations (see also the trace_syncscan GUC var).
  */
 /* #define TRACE_SYNCSCAN */
+
+/*
+ * When this is defined, it emulates the OpenSSL FIPS module by disabling old
+ * cryptographic functions such as MD5.  This is meant for ensuring that the
+ * test suites are FIPS-clean.  Not intended for production builds.
+ */
+/* #define FAKE_FIPS_MODE */
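Review bot: the comment promises to disable "old cryptographic functions such as MD5", but the patch only rejects PG_MD5 in pg_cryptohash_init(); either make the comment precise ("currently only MD5") or list which other algorithms the real FIPS module would refuse so that the emulation's coverage is clear to whoever extends it. It would also help to note here that this only affects the pg_cryptohash API, so code that calls OpenSSL directly is not covered by the emulation.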
-- 
2.39.2
