Re: Allow tests to pass in OpenSSL FIPS mode

On 08.03.23 10:21, Daniel Gustafsson wrote:
>> On 8 Mar 2023, at 09:49, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:
> 
>> It occurred to me that it would be easier to maintain this in the long run if we could enable a "fake FIPS" mode
thatwould have the same effect but didn't require fiddling with the OpenSSL configuration or installation.
 
>>
>> The attached patch shows how this could work.  Thoughts?
> 
> - * Initialize a hash context.  Note that this implementation is designed
> - * to never fail, so this always returns 0.
> + * Initialize a hash context.
> Regardless of which, we wan't this hunk since the code clearly can return -1.

I was a bit puzzled by these comments in that file.  While the existing 
implementations (mostly) never fail, they are clearly not *designed* to 
never fail, since the parallel OpenSSL implementations can fail (which 
is the point of this thread).  So I would remove these comments 
altogether, really.

> +#ifdef FAKE_FIPS_MODE
> I'm not enthusiastic about this.  If we use this rather than OpenSSL with FIPS
> enabled we might end up missing bugs or weird behavior due to changes in
> OpenSSL that we didn't test.

Valid point.  In any case, the patch is available for ad hoc testing.