Re: Allow tests to pass in OpenSSL FIPS mode
| От | Daniel Gustafsson |
|---|---|
| Тема | Re: Allow tests to pass in OpenSSL FIPS mode |
| Дата | |
| Msg-id | 301F4EDD-27B9-460F-B462-B9DB2BDE4ACF@yesql.se обсуждение исходный текст |
| Ответ на | Re: Allow tests to pass in OpenSSL FIPS mode (Peter Eisentraut <peter.eisentraut@enterprisedb.com>) |
| Ответы |
Re: Allow tests to pass in OpenSSL FIPS mode
|
| Список | pgsql-hackers |
> On 8 Mar 2023, at 10:30, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > On 08.03.23 10:21, Daniel Gustafsson wrote: >>> On 8 Mar 2023, at 09:49, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: >>> It occurred to me that it would be easier to maintain this in the long run if we could enable a "fake FIPS" mode thatwould have the same effect but didn't require fiddling with the OpenSSL configuration or installation. >>> >>> The attached patch shows how this could work. Thoughts? >> - * Initialize a hash context. Note that this implementation is designed >> - * to never fail, so this always returns 0. >> + * Initialize a hash context. >> Regardless of which, we wan't this hunk since the code clearly can return -1. > > I was a bit puzzled by these comments in that file. While the existing implementations (mostly) never fail, they are clearlynot *designed* to never fail, since the parallel OpenSSL implementations can fail (which is the point of this thread). So I would remove these comments altogether, really. The comment in question was missed in 55fe26a4b58, but I agree that it's a false claim given the OpenSSL implementation so removing or at least mimicking the comments in cryptohash_openssl.c would be better. -- Daniel Gustafsson
В списке pgsql-hackers по дате отправления: