diff options
Diffstat (limited to 'dev-db/postgresql/files')
| -rw-r--r-- | dev-db/postgresql/files/postgresql-12-openssl3.2.patch | 178 | ||||
| -rw-r--r-- | dev-db/postgresql/files/postgresql-13-openssl3.2.patch | 172 | ||||
| -rw-r--r-- | dev-db/postgresql/files/postgresql-14-openssl3.2.patch | 195 | ||||
| -rw-r--r-- | dev-db/postgresql/files/postgresql-15-openssl3.2.patch | 194 | ||||
| -rw-r--r-- | dev-db/postgresql/files/postgresql-16-openssl3.2.patch | 216 |
5 files changed, 955 insertions, 0 deletions
diff --git a/dev-db/postgresql/files/postgresql-12-openssl3.2.patch b/dev-db/postgresql/files/postgresql-12-openssl3.2.patch new file mode 100644 index 000000000000..62b254d220c6 --- /dev/null +++ b/dev-db/postgresql/files/postgresql-12-openssl3.2.patch @@ -0,0 +1,178 @@ +commit 6bb4ce36b302296fd09abb097b5e28b66117be92 +Author: Tom Lane <tgl@sss.pgh.pa.us> +Date: Tue Nov 28 12:34:03 2023 -0500 + + Use BIO_{get,set}_app_data instead of BIO_{get,set}_data. + + We should have done it this way all along, but we accidentally got + away with using the wrong BIO field up until OpenSSL 3.2. There, + the library's BIO routines that we rely on use the "data" field + for their own purposes, and our conflicting use causes assorted + weird behaviors up to and including core dumps when SSL connections + are attempted. Switch to using the approved field for the purpose, + i.e. app_data. + + While at it, remove our configure probes for BIO_get_data as well + as the fallback implementation. BIO_{get,set}_app_data have been + there since long before any OpenSSL version that we still support, + even in the back branches. + + Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor + change in an error message spelling that evidently came in with 3.2. + + Tristan Partin and Bo Andreson. Back-patch to all supported branches. + + Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com + +diff --git a/configure b/configure +index cce104aebb..346ea8e2c1 100755 +--- a/configure ++++ b/configure +@@ -12641,7 +12641,7 @@ done + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- for ac_func in OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data ++ for ac_func in OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data + do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` + ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +diff --git a/configure.in b/configure.in +index 3c93e7a944..2c15b20049 100644 +--- a/configure.in ++++ b/configure.in +@@ -1290,7 +1290,7 @@ if test "$with_openssl" = yes ; then + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data]) ++ AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data]) + # OpenSSL versions before 1.1.0 required setting callback functions, for + # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock() + # function was removed. +diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c +index b0a1f7258a..34f8f9e71e 100644 +--- a/src/backend/libpq/be-secure-openssl.c ++++ b/src/backend/libpq/be-secure-openssl.c +@@ -699,11 +699,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif +- + static BIO_METHOD *my_bio_methods = NULL; + + static int +@@ -713,7 +708,7 @@ my_sock_read(BIO *h, char *buf, int size) + + if (buf != NULL) + { +- res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -733,7 +728,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res = 0; + +- res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -809,7 +804,7 @@ my_SSL_set_fd(Port *port, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, port); ++ BIO_set_app_data(bio, port); + + BIO_set_fd(bio, fd, BIO_NOCLOSE); + SSL_set_bio(port->ssl, bio, bio); +diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in +index 457a8713cc..1e9d21c3e4 100644 +--- a/src/include/pg_config.h.in ++++ b/src/include/pg_config.h.in +@@ -96,9 +96,6 @@ + /* Define to 1 if you have the <atomic.h> header file. */ + #undef HAVE_ATOMIC_H + +-/* Define to 1 if you have the `BIO_get_data' function. */ +-#undef HAVE_BIO_GET_DATA +- + /* Define to 1 if you have the `BIO_meth_new' function. */ + #undef HAVE_BIO_METH_NEW + +diff --git a/src/include/pg_config.h.win32 b/src/include/pg_config.h.win32 +index 42fd7067f1..37accc560b 100644 +--- a/src/include/pg_config.h.win32 ++++ b/src/include/pg_config.h.win32 +@@ -75,9 +75,6 @@ + /* Define to 1 if you have the `ASN1_STRING_get0_data' function. */ + /* #undef HAVE_ASN1_STRING_GET0_DATA */ + +-/* Define to 1 if you have the `BIO_get_data' function. */ +-/* #undef HAVE_BIO_GET_DATA */ +- + /* Define to 1 if you have the `BIO_meth_new' function. */ + /* #undef HAVE_BIO_METH_NEW */ + +diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c +index 5948a37983..5729dd9acf 100644 +--- a/src/interfaces/libpq/fe-secure-openssl.c ++++ b/src/interfaces/libpq/fe-secure-openssl.c +@@ -1491,10 +1491,7 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif ++/* protected by ssl_config_mutex */ + + static BIO_METHOD *my_bio_methods; + +@@ -1503,7 +1500,7 @@ my_sock_read(BIO *h, char *buf, int size) + { + int res; + +- res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1533,7 +1530,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res; + +- res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1624,7 +1621,7 @@ my_SSL_set_fd(PGconn *conn, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, conn); ++ BIO_set_app_data(bio, conn); + + SSL_set_bio(conn->ssl, bio, bio); + BIO_set_fd(bio, fd, BIO_NOCLOSE); +diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm +index 20ce233af4..a7e5fdbda9 100644 +--- a/src/tools/msvc/Solution.pm ++++ b/src/tools/msvc/Solution.pm +@@ -273,7 +273,6 @@ sub GenerateFiles + || ($digit1 >= '1' && $digit2 >= '1' && $digit3 >= '0')) + { + print $o "#define HAVE_ASN1_STRING_GET0_DATA 1\n"; +- print $o "#define HAVE_BIO_GET_DATA 1\n"; + print $o "#define HAVE_BIO_METH_NEW 1\n"; + print $o "#define HAVE_OPENSSL_INIT_SSL 1\n"; + } diff --git a/dev-db/postgresql/files/postgresql-13-openssl3.2.patch b/dev-db/postgresql/files/postgresql-13-openssl3.2.patch new file mode 100644 index 000000000000..fbb80a3ecb20 --- /dev/null +++ b/dev-db/postgresql/files/postgresql-13-openssl3.2.patch @@ -0,0 +1,172 @@ +commit dc8936b9dba79c80aaba8e7232434fb200e95725 +Author: Tom Lane <tgl@sss.pgh.pa.us> +Date: Tue Nov 28 12:34:03 2023 -0500 + + Use BIO_{get,set}_app_data instead of BIO_{get,set}_data. + + We should have done it this way all along, but we accidentally got + away with using the wrong BIO field up until OpenSSL 3.2. There, + the library's BIO routines that we rely on use the "data" field + for their own purposes, and our conflicting use causes assorted + weird behaviors up to and including core dumps when SSL connections + are attempted. Switch to using the approved field for the purpose, + i.e. app_data. + + While at it, remove our configure probes for BIO_get_data as well + as the fallback implementation. BIO_{get,set}_app_data have been + there since long before any OpenSSL version that we still support, + even in the back branches. + + Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor + change in an error message spelling that evidently came in with 3.2. + + Tristan Partin and Bo Andreson. Back-patch to all supported branches. + + Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com + +diff --git a/configure b/configure +index 2fc7dca504..b7caf88229 100755 +--- a/configure ++++ b/configure +@@ -12713,7 +12713,7 @@ done + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- for ac_func in OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data ++ for ac_func in OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data + do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` + ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +diff --git a/configure.in b/configure.in +index eaca132607..9aec28c8d1 100644 +--- a/configure.in ++++ b/configure.in +@@ -1275,7 +1275,7 @@ if test "$with_openssl" = yes ; then + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data]) ++ AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data]) + # OpenSSL versions before 1.1.0 required setting callback functions, for + # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock() + # function was removed. +diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c +index 55fe59276a..9e22911379 100644 +--- a/src/backend/libpq/be-secure-openssl.c ++++ b/src/backend/libpq/be-secure-openssl.c +@@ -748,11 +748,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif +- + static BIO_METHOD *my_bio_methods = NULL; + + static int +@@ -762,7 +757,7 @@ my_sock_read(BIO *h, char *buf, int size) + + if (buf != NULL) + { +- res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -782,7 +777,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res = 0; + +- res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -858,7 +853,7 @@ my_SSL_set_fd(Port *port, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, port); ++ BIO_set_app_data(bio, port); + + BIO_set_fd(bio, fd, BIO_NOCLOSE); + SSL_set_bio(port->ssl, bio, bio); +diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in +index 13fc4e0db6..978e685c70 100644 +--- a/src/include/pg_config.h.in ++++ b/src/include/pg_config.h.in +@@ -86,9 +86,6 @@ + /* Define to 1 if you have the `backtrace_symbols' function. */ + #undef HAVE_BACKTRACE_SYMBOLS + +-/* Define to 1 if you have the `BIO_get_data' function. */ +-#undef HAVE_BIO_GET_DATA +- + /* Define to 1 if you have the `BIO_meth_new' function. */ + #undef HAVE_BIO_METH_NEW + +diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c +index 07d5daf4d9..73b1720c4c 100644 +--- a/src/interfaces/libpq/fe-secure-openssl.c ++++ b/src/interfaces/libpq/fe-secure-openssl.c +@@ -1602,10 +1602,7 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif ++/* protected by ssl_config_mutex */ + + static BIO_METHOD *my_bio_methods; + +@@ -1614,7 +1611,7 @@ my_sock_read(BIO *h, char *buf, int size) + { + int res; + +- res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1644,7 +1641,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res; + +- res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1735,7 +1732,7 @@ my_SSL_set_fd(PGconn *conn, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, conn); ++ BIO_set_app_data(bio, conn); + + SSL_set_bio(conn->ssl, bio, bio); + BIO_set_fd(bio, fd, BIO_NOCLOSE); +diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm +index 78328e1fac..e88e3967cd 100644 +--- a/src/tools/msvc/Solution.pm ++++ b/src/tools/msvc/Solution.pm +@@ -226,7 +226,6 @@ sub GenerateFiles + HAVE_ATOMICS => 1, + HAVE_ATOMIC_H => undef, + HAVE_BACKTRACE_SYMBOLS => undef, +- HAVE_BIO_GET_DATA => undef, + HAVE_BIO_METH_NEW => undef, + HAVE_CLOCK_GETTIME => undef, + HAVE_COMPUTED_GOTO => undef, +@@ -543,7 +542,6 @@ sub GenerateFiles + || ($digit1 >= '1' && $digit2 >= '1' && $digit3 >= '0')) + { + $define{HAVE_ASN1_STRING_GET0_DATA} = 1; +- $define{HAVE_BIO_GET_DATA} = 1; + $define{HAVE_BIO_METH_NEW} = 1; + $define{HAVE_OPENSSL_INIT_SSL} = 1; + } diff --git a/dev-db/postgresql/files/postgresql-14-openssl3.2.patch b/dev-db/postgresql/files/postgresql-14-openssl3.2.patch new file mode 100644 index 000000000000..c8064adc23a6 --- /dev/null +++ b/dev-db/postgresql/files/postgresql-14-openssl3.2.patch @@ -0,0 +1,195 @@ +commit 50e866f5f3be671620490e3cb3eea533f1677f6c +Author: Tom Lane <tgl@sss.pgh.pa.us> +Date: Tue Nov 28 12:34:03 2023 -0500 + + Use BIO_{get,set}_app_data instead of BIO_{get,set}_data. + + We should have done it this way all along, but we accidentally got + away with using the wrong BIO field up until OpenSSL 3.2. There, + the library's BIO routines that we rely on use the "data" field + for their own purposes, and our conflicting use causes assorted + weird behaviors up to and including core dumps when SSL connections + are attempted. Switch to using the approved field for the purpose, + i.e. app_data. + + While at it, remove our configure probes for BIO_get_data as well + as the fallback implementation. BIO_{get,set}_app_data have been + there since long before any OpenSSL version that we still support, + even in the back branches. + + Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor + change in an error message spelling that evidently came in with 3.2. + + Tristan Partin and Bo Andreson. Back-patch to all supported branches. + + Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com + +diff --git a/configure b/configure +index 62a921b5e7..f74b9862a0 100755 +--- a/configure ++++ b/configure +@@ -13071,7 +13071,7 @@ done + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- for ac_func in OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free ++ for ac_func in OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free + do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` + ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +diff --git a/configure.ac b/configure.ac +index a3243cc7e8..46624d2a11 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1311,7 +1311,7 @@ if test "$with_ssl" = openssl ; then + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free]) ++ AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free]) + # OpenSSL versions before 1.1.0 required setting callback functions, for + # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock() + # function was removed. +diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c +index 13ac961442..e39952494e 100644 +--- a/src/backend/libpq/be-secure-openssl.c ++++ b/src/backend/libpq/be-secure-openssl.c +@@ -823,11 +823,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif +- + static BIO_METHOD *my_bio_methods = NULL; + + static int +@@ -837,7 +832,7 @@ my_sock_read(BIO *h, char *buf, int size) + + if (buf != NULL) + { +- res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -857,7 +852,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res = 0; + +- res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -933,7 +928,7 @@ my_SSL_set_fd(Port *port, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, port); ++ BIO_set_app_data(bio, port); + + BIO_set_fd(bio, fd, BIO_NOCLOSE); + SSL_set_bio(port->ssl, bio, bio); +diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in +index 40d513c128..51fa911fb6 100644 +--- a/src/include/pg_config.h.in ++++ b/src/include/pg_config.h.in +@@ -86,9 +86,6 @@ + /* Define to 1 if you have the `backtrace_symbols' function. */ + #undef HAVE_BACKTRACE_SYMBOLS + +-/* Define to 1 if you have the `BIO_get_data' function. */ +-#undef HAVE_BIO_GET_DATA +- + /* Define to 1 if you have the `BIO_meth_new' function. */ + #undef HAVE_BIO_METH_NEW + +diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c +index 7f27767da6..383fdbe80e 100644 +--- a/src/interfaces/libpq/fe-secure-openssl.c ++++ b/src/interfaces/libpq/fe-secure-openssl.c +@@ -1661,11 +1661,7 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif +- ++/* protected by ssl_config_mutex */ + static BIO_METHOD *my_bio_methods; + + static int +@@ -1673,7 +1669,7 @@ my_sock_read(BIO *h, char *buf, int size) + { + int res; + +- res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1703,7 +1699,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res; + +- res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1794,7 +1790,7 @@ my_SSL_set_fd(PGconn *conn, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, conn); ++ BIO_set_app_data(bio, conn); + + SSL_set_bio(conn->ssl, bio, bio); + BIO_set_fd(bio, fd, BIO_NOCLOSE); +diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl +index 8cdd0d2e68..cc7bd98c83 100644 +--- a/src/test/ssl/t/001_ssltests.pl ++++ b/src/test/ssl/t/001_ssltests.pl +@@ -538,7 +538,7 @@ $node->connect_fails( + $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key", + "certificate authorization fails with revoked client cert", +- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, ++ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|, + # revoked certificates should not authenticate the user + log_unlike => [qr/connection authenticated:/],); + +@@ -591,7 +591,7 @@ switch_server_cert($node, 'server-cn-only', undef, undef, + $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key", + "certificate authorization fails with revoked client cert with server-side CRL directory", +- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/); ++ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|); + + # clean up + foreach my $key (@keys) +diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm +index 577b5afea7..53d60dbd25 100644 +--- a/src/tools/msvc/Solution.pm ++++ b/src/tools/msvc/Solution.pm +@@ -229,7 +229,6 @@ sub GenerateFiles + HAVE_ATOMICS => 1, + HAVE_ATOMIC_H => undef, + HAVE_BACKTRACE_SYMBOLS => undef, +- HAVE_BIO_GET_DATA => undef, + HAVE_BIO_METH_NEW => undef, + HAVE_CLOCK_GETTIME => undef, + HAVE_COMPUTED_GOTO => undef, +@@ -562,7 +561,6 @@ sub GenerateFiles + || ($digit1 >= '1' && $digit2 >= '1' && $digit3 >= '0')) + { + $define{HAVE_ASN1_STRING_GET0_DATA} = 1; +- $define{HAVE_BIO_GET_DATA} = 1; + $define{HAVE_BIO_METH_NEW} = 1; + $define{HAVE_HMAC_CTX_FREE} = 1; + $define{HAVE_HMAC_CTX_NEW} = 1; diff --git a/dev-db/postgresql/files/postgresql-15-openssl3.2.patch b/dev-db/postgresql/files/postgresql-15-openssl3.2.patch new file mode 100644 index 000000000000..6e0b954a9f0b --- /dev/null +++ b/dev-db/postgresql/files/postgresql-15-openssl3.2.patch @@ -0,0 +1,194 @@ +commit a4927ebffae000198f6054eea26191ac2e50697f +Author: Tom Lane <tgl@sss.pgh.pa.us> +Date: Tue Nov 28 12:34:03 2023 -0500 + + Use BIO_{get,set}_app_data instead of BIO_{get,set}_data. + + We should have done it this way all along, but we accidentally got + away with using the wrong BIO field up until OpenSSL 3.2. There, + the library's BIO routines that we rely on use the "data" field + for their own purposes, and our conflicting use causes assorted + weird behaviors up to and including core dumps when SSL connections + are attempted. Switch to using the approved field for the purpose, + i.e. app_data. + + While at it, remove our configure probes for BIO_get_data as well + as the fallback implementation. BIO_{get,set}_app_data have been + there since long before any OpenSSL version that we still support, + even in the back branches. + + Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor + change in an error message spelling that evidently came in with 3.2. + + Tristan Partin and Bo Andreson. Back-patch to all supported branches. + + Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com + +diff --git a/configure b/configure +index d83a402ea1..d55440cd6a 100755 +--- a/configure ++++ b/configure +@@ -13239,7 +13239,7 @@ done + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- for ac_func in OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free ++ for ac_func in OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free + do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` + ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +diff --git a/configure.ac b/configure.ac +index 570daced81..2bc752ca1a 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1347,7 +1347,7 @@ if test "$with_ssl" = openssl ; then + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free]) ++ AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free]) + # OpenSSL versions before 1.1.0 required setting callback functions, for + # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock() + # function was removed. +diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c +index f5c5ed210e..aed8a75345 100644 +--- a/src/backend/libpq/be-secure-openssl.c ++++ b/src/backend/libpq/be-secure-openssl.c +@@ -839,11 +839,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif +- + static BIO_METHOD *my_bio_methods = NULL; + + static int +@@ -853,7 +848,7 @@ my_sock_read(BIO *h, char *buf, int size) + + if (buf != NULL) + { +- res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -873,7 +868,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res = 0; + +- res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -949,7 +944,7 @@ my_SSL_set_fd(Port *port, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, port); ++ BIO_set_app_data(bio, port); + + BIO_set_fd(bio, fd, BIO_NOCLOSE); + SSL_set_bio(port->ssl, bio, bio); +diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in +index d09e9f9a1c..768e3d719c 100644 +--- a/src/include/pg_config.h.in ++++ b/src/include/pg_config.h.in +@@ -77,9 +77,6 @@ + /* Define to 1 if you have the `backtrace_symbols' function. */ + #undef HAVE_BACKTRACE_SYMBOLS + +-/* Define to 1 if you have the `BIO_get_data' function. */ +-#undef HAVE_BIO_GET_DATA +- + /* Define to 1 if you have the `BIO_meth_new' function. */ + #undef HAVE_BIO_METH_NEW + +diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c +index af59ff49f7..c19b0dc078 100644 +--- a/src/interfaces/libpq/fe-secure-openssl.c ++++ b/src/interfaces/libpq/fe-secure-openssl.c +@@ -1800,11 +1800,7 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif +- ++/* protected by ssl_config_mutex */ + static BIO_METHOD *my_bio_methods; + + static int +@@ -1812,7 +1808,7 @@ my_sock_read(BIO *h, char *buf, int size) + { + int res; + +- res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1842,7 +1838,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res; + +- res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1933,7 +1929,7 @@ my_SSL_set_fd(PGconn *conn, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, conn); ++ BIO_set_app_data(bio, conn); + + SSL_set_bio(conn->ssl, bio, bio); + BIO_set_fd(bio, fd, BIO_NOCLOSE); +diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl +index 707f4005af..c570b48a1b 100644 +--- a/src/test/ssl/t/001_ssltests.pl ++++ b/src/test/ssl/t/001_ssltests.pl +@@ -682,7 +682,7 @@ $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " + . sslkey('client-revoked.key'), + "certificate authorization fails with revoked client cert", +- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, ++ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|, + # revoked certificates should not authenticate the user + log_unlike => [qr/connection authenticated:/],); + +@@ -743,6 +743,6 @@ $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " + . sslkey('client-revoked.key'), + "certificate authorization fails with revoked client cert with server-side CRL directory", +- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/); ++ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|); + + done_testing(); +diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm +index 790f03b05e..a53239fa28 100644 +--- a/src/tools/msvc/Solution.pm ++++ b/src/tools/msvc/Solution.pm +@@ -226,7 +226,6 @@ sub GenerateFiles + HAVE_ATOMICS => 1, + HAVE_ATOMIC_H => undef, + HAVE_BACKTRACE_SYMBOLS => undef, +- HAVE_BIO_GET_DATA => undef, + HAVE_BIO_METH_NEW => undef, + HAVE_CLOCK_GETTIME => undef, + HAVE_COMPUTED_GOTO => undef, +@@ -566,7 +565,6 @@ sub GenerateFiles + || ($digit1 >= '1' && $digit2 >= '1' && $digit3 >= '0')) + { + $define{HAVE_ASN1_STRING_GET0_DATA} = 1; +- $define{HAVE_BIO_GET_DATA} = 1; + $define{HAVE_BIO_METH_NEW} = 1; + $define{HAVE_HMAC_CTX_FREE} = 1; + $define{HAVE_HMAC_CTX_NEW} = 1; diff --git a/dev-db/postgresql/files/postgresql-16-openssl3.2.patch b/dev-db/postgresql/files/postgresql-16-openssl3.2.patch new file mode 100644 index 000000000000..2740187d9f4e --- /dev/null +++ b/dev-db/postgresql/files/postgresql-16-openssl3.2.patch @@ -0,0 +1,216 @@ +commit 9140a24b312176ebb4e6eb6458b33ce640c04440 +Author: Tom Lane <tgl@sss.pgh.pa.us> +Date: Tue Nov 28 12:34:03 2023 -0500 + + Use BIO_{get,set}_app_data instead of BIO_{get,set}_data. + + We should have done it this way all along, but we accidentally got + away with using the wrong BIO field up until OpenSSL 3.2. There, + the library's BIO routines that we rely on use the "data" field + for their own purposes, and our conflicting use causes assorted + weird behaviors up to and including core dumps when SSL connections + are attempted. Switch to using the approved field for the purpose, + i.e. app_data. + + While at it, remove our configure probes for BIO_get_data as well + as the fallback implementation. BIO_{get,set}_app_data have been + there since long before any OpenSSL version that we still support, + even in the back branches. + + Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor + change in an error message spelling that evidently came in with 3.2. + + Tristan Partin and Bo Andreson. Back-patch to all supported branches. + + Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com + +diff --git a/configure b/configure +index 82e45657b2..907c777b9c 100755 +--- a/configure ++++ b/configure +@@ -12982,7 +12982,7 @@ done + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- for ac_func in OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free ++ for ac_func in OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free + do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` + ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +diff --git a/configure.ac b/configure.ac +index fcea0bcab4..ab32bfdd08 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1385,7 +1385,7 @@ if test "$with_ssl" = openssl ; then + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. +- AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free]) ++ AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free]) + # OpenSSL versions before 1.1.0 required setting callback functions, for + # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock() + # function was removed. +diff --git a/meson.build b/meson.build +index 51b5285924..96fc2e139a 100644 +--- a/meson.build ++++ b/meson.build +@@ -1278,7 +1278,6 @@ if sslopt in ['auto', 'openssl'] + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. + ['OPENSSL_init_ssl'], +- ['BIO_get_data'], + ['BIO_meth_new'], + ['ASN1_STRING_get0_data'], + ['HMAC_CTX_new'], +diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c +index e9c86d08df..49dca0cda9 100644 +--- a/src/backend/libpq/be-secure-openssl.c ++++ b/src/backend/libpq/be-secure-openssl.c +@@ -844,11 +844,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif +- + static BIO_METHOD *my_bio_methods = NULL; + + static int +@@ -858,7 +853,7 @@ my_sock_read(BIO *h, char *buf, int size) + + if (buf != NULL) + { +- res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -878,7 +873,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res = 0; + +- res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size); ++ res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size); + BIO_clear_retry_flags(h); + if (res <= 0) + { +@@ -954,7 +949,7 @@ my_SSL_set_fd(Port *port, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, port); ++ BIO_set_app_data(bio, port); + + BIO_set_fd(bio, fd, BIO_NOCLOSE); + SSL_set_bio(port->ssl, bio, bio); +diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in +index 6d572c3820..174544630e 100644 +--- a/src/include/pg_config.h.in ++++ b/src/include/pg_config.h.in +@@ -70,9 +70,6 @@ + /* Define to 1 if you have the `backtrace_symbols' function. */ + #undef HAVE_BACKTRACE_SYMBOLS + +-/* Define to 1 if you have the `BIO_get_data' function. */ +-#undef HAVE_BIO_GET_DATA +- + /* Define to 1 if you have the `BIO_meth_new' function. */ + #undef HAVE_BIO_METH_NEW + +diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c +index 390c888c96..fb6404ade0 100644 +--- a/src/interfaces/libpq/fe-secure-openssl.c ++++ b/src/interfaces/libpq/fe-secure-openssl.c +@@ -1830,11 +1830,7 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) + * to retry; do we need to adopt their logic for that? + */ + +-#ifndef HAVE_BIO_GET_DATA +-#define BIO_get_data(bio) (bio->ptr) +-#define BIO_set_data(bio, data) (bio->ptr = data) +-#endif +- ++/* protected by ssl_config_mutex */ + static BIO_METHOD *my_bio_methods; + + static int +@@ -1842,7 +1838,7 @@ my_sock_read(BIO *h, char *buf, int size) + { + int res; + +- res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1872,7 +1868,7 @@ my_sock_write(BIO *h, const char *buf, int size) + { + int res; + +- res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size); ++ res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size); + BIO_clear_retry_flags(h); + if (res < 0) + { +@@ -1963,7 +1959,7 @@ my_SSL_set_fd(PGconn *conn, int fd) + SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); + goto err; + } +- BIO_set_data(bio, conn); ++ BIO_set_app_data(bio, conn); + + SSL_set_bio(conn->ssl, bio, bio); + BIO_set_fd(bio, fd, BIO_NOCLOSE); +diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl +index 76442de063..9bb28fbc83 100644 +--- a/src/test/ssl/t/001_ssltests.pl ++++ b/src/test/ssl/t/001_ssltests.pl +@@ -781,7 +781,7 @@ $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " + . sslkey('client-revoked.key'), + "certificate authorization fails with revoked client cert", +- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, ++ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|, + # temporarily(?) skip this check due to timing issue + # log_like => [ + # qr{Client certificate verification failed at depth 0: certificate revoked}, +@@ -886,7 +886,7 @@ $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " + . sslkey('client-revoked.key'), + "certificate authorization fails with revoked client cert with server-side CRL directory", +- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, ++ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|, + # temporarily(?) skip this check due to timing issue + # log_like => [ + # qr{Client certificate verification failed at depth 0: certificate revoked}, +@@ -899,7 +899,7 @@ $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt " + . sslkey('client-revoked-utf8.key'), + "certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory", +- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, ++ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|, + # temporarily(?) skip this check due to timing issue + # log_like => [ + # qr{Client certificate verification failed at depth 0: certificate revoked}, +diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm +index b6d31c3583..711fae853f 100644 +--- a/src/tools/msvc/Solution.pm ++++ b/src/tools/msvc/Solution.pm +@@ -225,7 +225,6 @@ sub GenerateFiles + HAVE_ATOMICS => 1, + HAVE_ATOMIC_H => undef, + HAVE_BACKTRACE_SYMBOLS => undef, +- HAVE_BIO_GET_DATA => undef, + HAVE_BIO_METH_NEW => undef, + HAVE_COMPUTED_GOTO => undef, + HAVE_COPYFILE => undef, +@@ -503,7 +502,6 @@ sub GenerateFiles + || ($digit1 >= '1' && $digit2 >= '1' && $digit3 >= '0')) + { + $define{HAVE_ASN1_STRING_GET0_DATA} = 1; +- $define{HAVE_BIO_GET_DATA} = 1; + $define{HAVE_BIO_METH_NEW} = 1; + $define{HAVE_HMAC_CTX_FREE} = 1; + $define{HAVE_HMAC_CTX_NEW} = 1; |