summaryrefslogtreecommitdiff
path: root/dev-db/postgresql/files/postgresql-12-openssl3.2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'dev-db/postgresql/files/postgresql-12-openssl3.2.patch')
-rw-r--r--dev-db/postgresql/files/postgresql-12-openssl3.2.patch178
1 files changed, 178 insertions, 0 deletions
diff --git a/dev-db/postgresql/files/postgresql-12-openssl3.2.patch b/dev-db/postgresql/files/postgresql-12-openssl3.2.patch
new file mode 100644
index 000000000000..62b254d220c6
--- /dev/null
+++ b/dev-db/postgresql/files/postgresql-12-openssl3.2.patch
@@ -0,0 +1,178 @@
+commit 6bb4ce36b302296fd09abb097b5e28b66117be92
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Date: Tue Nov 28 12:34:03 2023 -0500
+
+ Use BIO_{get,set}_app_data instead of BIO_{get,set}_data.
+
+ We should have done it this way all along, but we accidentally got
+ away with using the wrong BIO field up until OpenSSL 3.2. There,
+ the library's BIO routines that we rely on use the "data" field
+ for their own purposes, and our conflicting use causes assorted
+ weird behaviors up to and including core dumps when SSL connections
+ are attempted. Switch to using the approved field for the purpose,
+ i.e. app_data.
+
+ While at it, remove our configure probes for BIO_get_data as well
+ as the fallback implementation. BIO_{get,set}_app_data have been
+ there since long before any OpenSSL version that we still support,
+ even in the back branches.
+
+ Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor
+ change in an error message spelling that evidently came in with 3.2.
+
+ Tristan Partin and Bo Andreson. Back-patch to all supported branches.
+
+ Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com
+
+diff --git a/configure b/configure
+index cce104aebb..346ea8e2c1 100755
+--- a/configure
++++ b/configure
+@@ -12641,7 +12641,7 @@ done
+ # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
+ # doesn't have these OpenSSL 1.1.0 functions. So check for individual
+ # functions.
+- for ac_func in OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data
++ for ac_func in OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data
+ do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+diff --git a/configure.in b/configure.in
+index 3c93e7a944..2c15b20049 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1290,7 +1290,7 @@ if test "$with_openssl" = yes ; then
+ # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
+ # doesn't have these OpenSSL 1.1.0 functions. So check for individual
+ # functions.
+- AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data])
++ AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data])
+ # OpenSSL versions before 1.1.0 required setting callback functions, for
+ # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock()
+ # function was removed.
+diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
+index b0a1f7258a..34f8f9e71e 100644
+--- a/src/backend/libpq/be-secure-openssl.c
++++ b/src/backend/libpq/be-secure-openssl.c
+@@ -699,11 +699,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
+ * to retry; do we need to adopt their logic for that?
+ */
+
+-#ifndef HAVE_BIO_GET_DATA
+-#define BIO_get_data(bio) (bio->ptr)
+-#define BIO_set_data(bio, data) (bio->ptr = data)
+-#endif
+-
+ static BIO_METHOD *my_bio_methods = NULL;
+
+ static int
+@@ -713,7 +708,7 @@ my_sock_read(BIO *h, char *buf, int size)
+
+ if (buf != NULL)
+ {
+- res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size);
++ res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size);
+ BIO_clear_retry_flags(h);
+ if (res <= 0)
+ {
+@@ -733,7 +728,7 @@ my_sock_write(BIO *h, const char *buf, int size)
+ {
+ int res = 0;
+
+- res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size);
++ res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size);
+ BIO_clear_retry_flags(h);
+ if (res <= 0)
+ {
+@@ -809,7 +804,7 @@ my_SSL_set_fd(Port *port, int fd)
+ SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
+ goto err;
+ }
+- BIO_set_data(bio, port);
++ BIO_set_app_data(bio, port);
+
+ BIO_set_fd(bio, fd, BIO_NOCLOSE);
+ SSL_set_bio(port->ssl, bio, bio);
+diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
+index 457a8713cc..1e9d21c3e4 100644
+--- a/src/include/pg_config.h.in
++++ b/src/include/pg_config.h.in
+@@ -96,9 +96,6 @@
+ /* Define to 1 if you have the <atomic.h> header file. */
+ #undef HAVE_ATOMIC_H
+
+-/* Define to 1 if you have the `BIO_get_data' function. */
+-#undef HAVE_BIO_GET_DATA
+-
+ /* Define to 1 if you have the `BIO_meth_new' function. */
+ #undef HAVE_BIO_METH_NEW
+
+diff --git a/src/include/pg_config.h.win32 b/src/include/pg_config.h.win32
+index 42fd7067f1..37accc560b 100644
+--- a/src/include/pg_config.h.win32
++++ b/src/include/pg_config.h.win32
+@@ -75,9 +75,6 @@
+ /* Define to 1 if you have the `ASN1_STRING_get0_data' function. */
+ /* #undef HAVE_ASN1_STRING_GET0_DATA */
+
+-/* Define to 1 if you have the `BIO_get_data' function. */
+-/* #undef HAVE_BIO_GET_DATA */
+-
+ /* Define to 1 if you have the `BIO_meth_new' function. */
+ /* #undef HAVE_BIO_METH_NEW */
+
+diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
+index 5948a37983..5729dd9acf 100644
+--- a/src/interfaces/libpq/fe-secure-openssl.c
++++ b/src/interfaces/libpq/fe-secure-openssl.c
+@@ -1491,10 +1491,7 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
+ * to retry; do we need to adopt their logic for that?
+ */
+
+-#ifndef HAVE_BIO_GET_DATA
+-#define BIO_get_data(bio) (bio->ptr)
+-#define BIO_set_data(bio, data) (bio->ptr = data)
+-#endif
++/* protected by ssl_config_mutex */
+
+ static BIO_METHOD *my_bio_methods;
+
+@@ -1503,7 +1500,7 @@ my_sock_read(BIO *h, char *buf, int size)
+ {
+ int res;
+
+- res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size);
++ res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size);
+ BIO_clear_retry_flags(h);
+ if (res < 0)
+ {
+@@ -1533,7 +1530,7 @@ my_sock_write(BIO *h, const char *buf, int size)
+ {
+ int res;
+
+- res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size);
++ res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size);
+ BIO_clear_retry_flags(h);
+ if (res < 0)
+ {
+@@ -1624,7 +1621,7 @@ my_SSL_set_fd(PGconn *conn, int fd)
+ SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
+ goto err;
+ }
+- BIO_set_data(bio, conn);
++ BIO_set_app_data(bio, conn);
+
+ SSL_set_bio(conn->ssl, bio, bio);
+ BIO_set_fd(bio, fd, BIO_NOCLOSE);
+diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm
+index 20ce233af4..a7e5fdbda9 100644
+--- a/src/tools/msvc/Solution.pm
++++ b/src/tools/msvc/Solution.pm
+@@ -273,7 +273,6 @@ sub GenerateFiles
+ || ($digit1 >= '1' && $digit2 >= '1' && $digit3 >= '0'))
+ {
+ print $o "#define HAVE_ASN1_STRING_GET0_DATA 1\n";
+- print $o "#define HAVE_BIO_GET_DATA 1\n";
+ print $o "#define HAVE_BIO_METH_NEW 1\n";
+ print $o "#define HAVE_OPENSSL_INIT_SSL 1\n";
+ }
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-20 09:40:29 +0000