diff options
Diffstat (limited to 'dev-db/postgresql/files/postgresql-14-openssl3.2.patch')
| -rw-r--r-- | dev-db/postgresql/files/postgresql-14-openssl3.2.patch | 195 |
1 files changed, 195 insertions, 0 deletions
diff --git a/dev-db/postgresql/files/postgresql-14-openssl3.2.patch b/dev-db/postgresql/files/postgresql-14-openssl3.2.patch new file mode 100644 index 000000000000..c8064adc23a6 --- /dev/null +++ b/dev-db/postgresql/files/postgresql-14-openssl3.2.patch @@ -0,0 +1,195 @@ +commit 50e866f5f3be671620490e3cb3eea533f1677f6c +Author: Tom Lane <tgl@sss.pgh.pa.us> +Date: Tue Nov 28 12:34:03 2023 -0500 + + Use BIO_{get,set}_app_data instead of BIO_{get,set}_data. + + We should have done it this way all along, but we accidentally got + away with using the wrong BIO field up until OpenSSL 3.2. There, + the library's BIO routines that we rely on use the "data" field + for their own purposes, and our conflicting use causes assorted + weird behaviors up to and including core dumps when SSL connections + are attempted. Switch to using the approved field for the purpose, + i.e. app_data. + + While at it, remove our configure probes for BIO_get_data as well + as the fallback implementation. BIO_{get,set}_app_data have been + there since long before any OpenSSL version that we still support, + even in the back branches. + + Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor + change in an error message spelling that evidently came in with 3.2. + + Tristan Partin and Bo Andreson. Back-patch to all supported branches. + + Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com + +diff --git a/configure b/configure +index 62a921b5e7..f74b9862a0 100755 +--- a/configure ++++ b/configure +@@ -13071,7 +13071,7 @@ done + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- for ac_func in OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free ++ for ac_func in OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free + do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` + ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +diff --git a/configure.ac b/configure.ac +index a3243cc7e8..46624d2a11 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1311,7 +1311,7 @@ if test "$with_ssl" = openssl ; then + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free]) ++ AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free]) + # OpenSSL versions before 1.1.0 required setting callback functions, for + # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock() + # function was removed. +diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c +index 13ac961442..e39952494e 100644 +--- a/src/backend/libpq/be-secure-openssl.c ++++ b/src/backend/libpq/be-secure-openssl.c +@@ -823,11 +823,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif +- + static BIO_METHOD *my_bio_methods = NULL; + + static int +@@ -837,7 +832,7 @@ my_sock_read(BIO *h, char *buf, int size) + + if (buf != NULL) + { +- res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -857,7 +852,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res = 0; + +- res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -933,7 +928,7 @@ my_SSL_set_fd(Port *port, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, port); ++ BIO_set_app_data(bio, port); + + BIO_set_fd(bio, fd, BIO_NOCLOSE); + SSL_set_bio(port->ssl, bio, bio); +diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in +index 40d513c128..51fa911fb6 100644 +--- a/src/include/pg_config.h.in ++++ b/src/include/pg_config.h.in +@@ -86,9 +86,6 @@ + /* Define to 1 if you have the `backtrace_symbols' function. */ + #undef HAVE_BACKTRACE_SYMBOLS + +-/* Define to 1 if you have the `BIO_get_data' function. */ +-#undef HAVE_BIO_GET_DATA +- + /* Define to 1 if you have the `BIO_meth_new' function. */ + #undef HAVE_BIO_METH_NEW + +diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c +index 7f27767da6..383fdbe80e 100644 +--- a/src/interfaces/libpq/fe-secure-openssl.c ++++ b/src/interfaces/libpq/fe-secure-openssl.c +@@ -1661,11 +1661,7 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif +- ++/* protected by ssl_config_mutex */ + static BIO_METHOD *my_bio_methods; + + static int +@@ -1673,7 +1669,7 @@ my_sock_read(BIO *h, char *buf, int size) + { + int res; + +- res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1703,7 +1699,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res; + +- res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1794,7 +1790,7 @@ my_SSL_set_fd(PGconn *conn, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, conn); ++ BIO_set_app_data(bio, conn); + + SSL_set_bio(conn->ssl, bio, bio); + BIO_set_fd(bio, fd, BIO_NOCLOSE); +diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl +index 8cdd0d2e68..cc7bd98c83 100644 +--- a/src/test/ssl/t/001_ssltests.pl ++++ b/src/test/ssl/t/001_ssltests.pl +@@ -538,7 +538,7 @@ $node->connect_fails( + $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key", + "certificate authorization fails with revoked client cert", +- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, ++ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|, + # revoked certificates should not authenticate the user + log_unlike => [qr/connection authenticated:/],); + +@@ -591,7 +591,7 @@ switch_server_cert($node, 'server-cn-only', undef, undef, + $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key", + "certificate authorization fails with revoked client cert with server-side CRL directory", +- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/); ++ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|); + + # clean up + foreach my $key (@keys) +diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm +index 577b5afea7..53d60dbd25 100644 +--- a/src/tools/msvc/Solution.pm ++++ b/src/tools/msvc/Solution.pm +@@ -229,7 +229,6 @@ sub GenerateFiles + HAVE_ATOMICS => 1, + HAVE_ATOMIC_H => undef, + HAVE_BACKTRACE_SYMBOLS => undef, +- HAVE_BIO_GET_DATA => undef, + HAVE_BIO_METH_NEW => undef, + HAVE_CLOCK_GETTIME => undef, + HAVE_COMPUTED_GOTO => undef, +@@ -562,7 +561,6 @@ sub GenerateFiles + || ($digit1 >= '1' && $digit2 >= '1' && $digit3 >= '0')) + { + $define{HAVE_ASN1_STRING_GET0_DATA} = 1; +- $define{HAVE_BIO_GET_DATA} = 1; + $define{HAVE_BIO_METH_NEW} = 1; + $define{HAVE_HMAC_CTX_FREE} = 1; + $define{HAVE_HMAC_CTX_NEW} = 1; |