> On 5 Oct 2023, at 15:44, Peter Eisentraut <peter.eisentr...@enterprisedb.com> wrote:
>
> On 04.10.22 17:45, Peter Eisentraut wrote:
>> While working on the column encryption patch, I wanted to check that what is
>> implemented also works in OpenSSL FIPS mode. I tried running the normal
>> test suites after switching the OpenSSL installation to FIPS mode, but that
>> failed all over the place. So I embarked on fixing that. Attached is a
>> first iteration of a patch.
>
> Continuing this, we have fixed many issues since. Here is a patch set to fix
> all remaining issues.
>
> v4-0001-citext-Allow-tests-to-pass-in-OpenSSL-FIPS-mode.patch
> v4-0002-pgcrypto-Allow-tests-to-pass-in-OpenSSL-FIPS-mode.patch

+ERROR: crypt(3) returned NULL

Not within scope here, but I wish we had a better error message here. That's
for another patch though clearly.

> v4-0003-Allow-tests-to-pass-in-OpenSSL-FIPS-mode-TAP-test.patch
>
> This one does some delicate surgery and could use some thorough review.

I don't have a FIPS enabled build handy to test in, but reading the patch I
don't see anything that sticks out apart from very minor comments:

+my $md5_works = ($node->psql('postgres', "select md5('')") == 0);

I think this warrants an explanatory comment for readers not familiar with
FIPS, without that it may seem quite an odd test.

+), 0, 'created user with scram password');

Tiny nitpick, I think we use SCRAM when writing it in text.

> v4-0004-Allow-tests-to-pass-in-OpenSSL-FIPS-mode-rest.patch
>
> This just adds alternative expected files. The question is mainly just
> whether there are better ways to organize this.

Without inventing a new structure for alternative outputs I don't see how.

--
Daniel Gustafsson