From e195c7f13e445ca657a1d33de79e619ede6c8436 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Wed, 8 Mar 2023 09:48:27 +0100
Subject: [PATCH] Add FAKE_FIPS_MODE

When this is defined, it emulates the OpenSSL FIPS module by disabling old cryptographic functions such as MD5. This is meant for ensuring that the test suites are FIPS-clean. Not intended for production builds.
---
 src/common/cryptohash.c | 18 +++++++++++++++---
 src/common/cryptohash_openssl.c | 11 +++++++++++
 src/include/pg_config_manual.h | 7 +++++++
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/src/common/cryptohash.c b/src/common/cryptohash.c
index b3da9a99bd..85b77d65a1 100644
--- a/src/common/cryptohash.c
+++ b/src/common/cryptohash.c
@@ -44,7 +44,8 @@
 typedef enum pg_cryptohash_errno
 {
 PG_CRYPTOHASH_ERROR_NONE = 0,
- PG_CRYPTOHASH_ERROR_DEST_LEN
+ PG_CRYPTOHASH_ERROR_DEST_LEN,
+ PG_CRYPTOHASH_ERROR_UNSUPPORTED,
 } pg_cryptohash_errno;

 /* Internal pg_cryptohash_ctx structure */
@@ -94,8 +95,7 @@ pg_cryptohash_create(pg_cryptohash_type type)
 /*
 * pg_cryptohash_init
 *
- * Initialize a hash context. Note that this implementation is designed
- * to never fail, so this always returns 0.
+ * Initialize a hash context.
 */
 int
 pg_cryptohash_init(pg_cryptohash_ctx *ctx)
@@ -103,6 +103,16 @@ pg_cryptohash_init(pg_cryptohash_ctx *ctx)
 if (ctx == NULL)
 return -1;

+#ifdef FAKE_FIPS_MODE
+ switch (ctx->type)
+ {
+ case PG_MD5:
+ ctx->error = PG_CRYPTOHASH_ERROR_UNSUPPORTED;
+ return -1;
+ default:
+ }
+#endif
+
 switch (ctx->type)
 {
 case PG_MD5:
@@ -271,6 +281,8 @@ pg_cryptohash_error(pg_cryptohash_ctx *ctx)
 return _("success");
 case PG_CRYPTOHASH_ERROR_DEST_LEN:
 return _("destination buffer too small");
+ case PG_CRYPTOHASH_ERROR_UNSUPPORTED:
+ return _("unsupported");
 }

 Assert(false);
diff --git a/src/common/cryptohash_openssl.c b/src/common/cryptohash_openssl.c
index a654cd4ad4..d2dd246532 100644
--- a/src/common/cryptohash_openssl.c
+++ b/src/common/cryptohash_openssl.c
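Review bot: The header comment of pg_cryptohash_init() in src/common/cryptohash.c (hunk at -94,8) no longer states what the function returns once the "never fails" sentence is removed. Callers now have to handle a failure, so the contract belongs in the comment, for example ` * Initialize a hash context.  Returns 0 on success, -1 on failure.` The function body itself lies outside this hunk.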
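Review bot: In the FAKE_FIPS_MODE switch added to pg_cryptohash_init() in src/common/cryptohash.c (hunk at -103,6), `default:` sits directly before the closing `}` with no statement after it, which C standards before C23 do not permit and which some compilers reject. Adding `break;` after `default:` is the portable spelling, and the same construct appears in the cryptohash_openssl.c hunk. Separately, the macro is only a reliable test gate if every MD5 use passes through this function. Any digest use that reaches the crypto library by another route (none is visible in this patch) would stay enabled and a test run could look FIPS-clean when it is not, so that coverage is worth confirming. The function body continues outside the hunk.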
@@ -158,6 +158,17 @@ pg_cryptohash_init(pg_cryptohash_ctx *ctx)
 if (ctx == NULL)
 return -1;

+#ifdef FAKE_FIPS_MODE
+ switch (ctx->type)
+ {
+ case PG_MD5:
+ ctx->errreason = SSLerrmessage(ERR_R_UNSUPPORTED);
+ ctx->error = PG_CRYPTOHASH_ERROR_OPENSSL;
+ return -1;
+ default:
+ }
+#endif
+
 switch (ctx->type)
 {
 case PG_MD5:
diff --git a/src/include/pg_config_manual.h b/src/include/pg_config_manual.h
index b586ee269a..4a604039d1 100644
--- a/src/include/pg_config_manual.h
+++ b/src/include/pg_config_manual.h
@@ -364,3 +364,10 @@
 * Enable tracing of syncscan operations (see also the trace_syncscan GUC var).
 */
 /* #define TRACE_SYNCSCAN */
+
+/*
+ * When this is defined, it emulates the OpenSSL FIPS module by disabling old
+ * cryptographic functions such as MD5. This is meant for ensuring that the
+ * test suites are FIPS-clean. Not intended for production builds.
+ */
+/* #define FAKE_FIPS_MODE */
--
2.39.2
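Review bot: `SSLerrmessage(ERR_R_UNSUPPORTED)` in the FAKE_FIPS_MODE block of src/common/cryptohash_openssl.c passes a bare reason constant to a helper whose definition is not visible in this hunk. If that helper expects a full error code as taken from the OpenSSL error queue, the text stored in `ctx->errreason` may not be the intended "unsupported" message. As far as I recall, ERR_R_UNSUPPORTED is also only defined by newer OpenSSL headers, so a build with the macro set against an older supported release may fail to compile; please confirm. A fixed string avoids both problems, assuming the field accepts a string constant, e.g. `ctx->errreason = "unsupported";`. The function body continues outside the hunk.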
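Review bot: The new comment in src/include/pg_config_manual.h says the macro disables "old cryptographic functions such as MD5", but the code in this patch rejects only PG_MD5 inside pg_cryptohash_init(). The comment should state that exact scope, so a passing test run is not read as broader FIPS coverage than the emulation provides. Suggested first lines: ` * When this is defined, pg_cryptohash_init() rejects MD5, emulating the` and ` * behavior of the OpenSSL FIPS module for that algorithm only.`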