NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit6c66b74

committed

Raise the minimum supported OpenSSL version to 1.1.1

Commita70e01d retired support for OpenSSL 1.0.2 in order to getrid of the need for manual initialization of the library. This left ourAPI usage compatible with 1.1.0 which was defined as the minimum requiredversion. Also mention that 3.4 is the minimum version required when usingLibreSSL.An upcoming commit will introduce support for configuring TLSv1.3 ciphersuites which require an API call in OpenSSL 1.1.1 and onwards. In orderto support this setting this commit will set v1.1.1 as the new minimumrequired version. The version-specific call for randomness init addedin commitc3333db is removed as it's no longer needed.Author: Daniel Gustafsson <daniel@yesql.se>Discussion:https://postgr.es/m/909A668B-06AD-47D1-B8EB-A164211AAD16@yesql.seDiscussion:https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com

1 parentf818551 commit6c66b74Copy full SHA for 6c66b74

File tree

6 files changed

+38

-48

lines changed

configure
configure.ac
doc/src/sgml
- installation.sgml
meson.build
src
- include
  - pg_config.h.in
- port
  - pg_strong_random.c

6 files changed

+38

-48

lines changed

`‎configure`

Lines changed: 14 additions & 18 deletions

Original file line number	Diff line number	Diff line change
`@@ -12224,9 +12224,9 @@ if test "$with_openssl" = yes ; then`
`12224`	`12224`	`fi`
`12225`	`12225`
`12226`	`12226`	`if test "$with_ssl" = openssl ; then`
`12227`		`- # Minimum required OpenSSL version is 1.1.0`
	`12227`	`+ # Minimum required OpenSSL version is 1.1.1`
`12228`	`12228`
`12229`		`-$as_echo "#define OPENSSL_API_COMPAT0x10100000L" >>confdefs.h`
	`12229`	`+$as_echo "#define OPENSSL_API_COMPAT0x10101000L" >>confdefs.h`
`12230`	`12230`
`12231`	`12231`	`if test "$PORTNAME" != "win32"; then`
`12232`	`12232`	`{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5`
`@@ -12441,33 +12441,29 @@ else`
`12441`	`12441`	`fi`
`12442`	`12442`
`12443`	`12443`	`fi`
`12444`		`- #Function introduced in OpenSSL 1.0.2, not in LibreSSL.`
`12445`		`- for ac_func inSSL_CTX_set_cert_cb`
	`12444`	`+ #Functions introduced in OpenSSL 1.1.1.`
	`12445`	`+ for ac_func inSSL_CTX_set_ciphersuites`
`12446`	`12446`	`do :`
`12447`		`- ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"`
`12448`		`-if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :`
	`12447`	`+ ac_fn_c_check_func "$LINENO" "SSL_CTX_set_ciphersuites" "ac_cv_func_SSL_CTX_set_ciphersuites"`
	`12448`	`+if test "x$ac_cv_func_SSL_CTX_set_ciphersuites" = xyes; then :`
`12449`	`12449`	`cat >>confdefs.h <<_ACEOF`
`12450`		`-#defineHAVE_SSL_CTX_SET_CERT_CB 1`
	`12450`	`+#defineHAVE_SSL_CTX_SET_CIPHERSUITES 1`
`12451`	`12451`	`_ACEOF`
`12452`	`12452`
	`12453`	`+else`
	`12454`	`+ as_fn_error $? "OpenSSL version >= 1.1.1 is required for SSL support" "$LINENO" 5`
`12453`	`12455`	`fi`
`12454`	`12456`	`done`
`12455`	`12457`
`12456`		`- # Functions introduced in OpenSSL 1.1.0. We used to check for`
`12457`		`- # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL`
`12458`		`- # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it`
`12459`		`- # doesn't have these OpenSSL 1.1.0 functions. So check for individual`
`12460`		`- # functions.`
`12461`		`- for ac_func in OPENSSL_init_ssl`
	`12458`	`+ # Function introduced in OpenSSL 1.0.2, not in LibreSSL.`
	`12459`	`+ for ac_func in SSL_CTX_set_cert_cb`
`12462`	`12460`	`do :`
`12463`		`- ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl"`
`12464`		`-if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then :`
	`12461`	`+ ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"`
	`12462`	`+if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :`
`12465`	`12463`	`cat >>confdefs.h <<_ACEOF`
`12466`		`-#defineHAVE_OPENSSL_INIT_SSL 1`
	`12464`	`+#defineHAVE_SSL_CTX_SET_CERT_CB 1`
`12467`	`12465`	`_ACEOF`
`12468`	`12466`
`12469`		`-else`
`12470`		`- as_fn_error $? "OpenSSL version >= 1.1.0 is required for SSL support" "$LINENO" 5`
`12471`	`12467`	`fi`
`12472`	`12468`	`done`
`12473`	`12469`

`‎configure.ac`

Lines changed: 4 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -1311,8 +1311,8 @@ fi`
`1311`	`1311`
`1312`	`1312`	`if test "$with_ssl" = openssl ; then`
`1313`	`1313`	`dnl Order matters!`
`1314`		`-# Minimum required OpenSSL version is 1.1.0`
`1315`		`-AC_DEFINE(OPENSSL_API_COMPAT,[0x10100000L],`
	`1314`	`+# Minimum required OpenSSL version is 1.1.1`
	`1315`	`+AC_DEFINE(OPENSSL_API_COMPAT,[0x10101000L],`
`1316`	`1316`	`[Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.])`
`1317`	`1317`	`if test "$PORTNAME" != "win32"; then`
`1318`	`1318`	`AC_CHECK_LIB(crypto,CRYPTO_new_ex_data,[],[AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])`
`@@ -1321,14 +1321,10 @@ if test "$with_ssl" = openssl ; then`
`1321`	`1321`	`AC_SEARCH_LIBS(CRYPTO_new_ex_data,[eay32 crypto],[],[AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])`
`1322`	`1322`	`AC_SEARCH_LIBS(SSL_new,[ssleay32 ssl],[],[AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])`
`1323`	`1323`	`fi`
	`1324`	`+# Functions introduced in OpenSSL 1.1.1.`
	`1325`	`+AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites],[],[AC_MSG_ERROR([OpenSSL version >= 1.1.1 is required for SSL support])])`
`1324`	`1326`	`# Function introduced in OpenSSL 1.0.2, not in LibreSSL.`
`1325`	`1327`	`AC_CHECK_FUNCS([SSL_CTX_set_cert_cb])`
`1326`		`-# Functions introduced in OpenSSL 1.1.0. We used to check for`
`1327`		`-# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL`
`1328`		`-# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it`
`1329`		`-# doesn't have these OpenSSL 1.1.0 functions. So check for individual`
`1330`		`-# functions.`
`1331`		`-AC_CHECK_FUNCS([OPENSSL_init_ssl],[],[AC_MSG_ERROR([OpenSSL version >= 1.1.0 is required for SSL support])])`
`1332`	`1328`	`# Function introduced in OpenSSL 1.1.1, not in LibreSSL.`
`1333`	`1329`	`AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets])`
`1334`	`1330`	`AC_DEFINE([USE_OPENSSL],1,[Define to 1 to build with OpenSSL support. (--with-ssl=openssl)])`

`‎doc/src/sgml/installation.sgml`

Lines changed: 10 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -293,7 +293,13 @@`
`293`	`293`	`encrypted client connections. <productname>OpenSSL</productname> is`
`294`	`294`	`also required for random number generation on platforms that do not`
`295`	`295`	`have <filename>/dev/urandom</filename> (except Windows). The minimum`
`296`		`- required version is 1.1.0.`
	`296`	`+ required version is 1.1.1.`
	`297`	`+ </para>`
	`298`	`+ <para>`
	`299`	`+ Additionally, <productname>LibreSSL</productname> is supported using the`
	`300`	`+ <productname>OpenSSL</productname> compatibility layer. The minimum`
	`301`	`+ required version is 3.4 (from <systemitem class="osname">OpenBSD</systemitem>`
	`302`	`+ version 7.0).`
`297`	`303`	`</para>`
`298`	`304`	`</listitem>`
`299`	`305`
`@@ -989,7 +995,9 @@ build-postgresql:`
`989`	`995`	`<para>`
`990`	`996`	`Build with support for <acronym>SSL</acronym> (encrypted)`
`991`	`997`	`connections. The only <replaceable>LIBRARY</replaceable>`
`992`		`- supported is <option>openssl</option>. This requires the`
	`998`	`+ supported is <option>openssl</option>, which is used for both`
	`999`	`+ <productname>OpenSSL</productname>`
	`1000`	`+ and <productname>LibreSSL</productname>. This requires the`
`993`	`1001`	`<productname>OpenSSL</productname> package to be installed.`
`994`	`1002`	`<filename>configure</filename> will check for the required`
`995`	`1003`	`header files and libraries to make sure that your`

`‎meson.build`

Lines changed: 3 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -1361,12 +1361,8 @@ if sslopt in ['auto', 'openssl']`
`1361`	`1361`	`['CRYPTO_new_ex_data', {'required':true}],`
`1362`	`1362`	`['SSL_new', {'required':true}],`
`1363`	`1363`
`1364`		`-# Functions introduced in OpenSSL 1.1.0. We used to check for`
`1365`		`-# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL`
`1366`		`-# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it`
`1367`		`-# doesn't have these OpenSSL 1.1.0 functions. So check for individual`
`1368`		`-# functions.`
`1369`		`- ['OPENSSL_init_ssl', {'required':true}],`
	`1364`	`+# Functions introduced in OpenSSL 1.1.1.`
	`1365`	`+ ['SSL_CTX_set_ciphersuites', {'required':true}],`
`1370`	`1366`
`1371`	`1367`	`# Function introduced in OpenSSL 1.0.2, not in LibreSSL.`
`1372`	`1368`	`['SSL_CTX_set_cert_cb'],`
`@@ -1395,7 +1391,7 @@ if sslopt in ['auto', 'openssl']`
`1395`	`1391`	`if are_openssl_funcs_complete`
`1396`	`1392`	`cdata.set('USE_OPENSSL',1,`
`1397`	`1393`	`description:'Define to 1 to build with OpenSSL support. (-Dssl=openssl)')`
`1398`		`- cdata.set('OPENSSL_API_COMPAT','0x10100000L',`
	`1394`	`+ cdata.set('OPENSSL_API_COMPAT','0x10101000L',`
`1399`	`1395`	`description:'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.')`
`1400`	`1396`	`ssl_library='openssl'`
`1401`	`1397`	`else`

`‎src/include/pg_config.h.in`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -280,9 +280,6 @@`
`280`	`280`	/* Define to 1 if you have the `mkdtemp' function. */
`281`	`281`	`#undef HAVE_MKDTEMP`
`282`	`282`
`283`		-/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
`284`		`-#undef HAVE_OPENSSL_INIT_SSL`
`285`		`-`
`286`	`283`	`/* Define to 1 if you have the <ossp/uuid.h> header file. */`
`287`	`284`	`#undef HAVE_OSSP_UUID_H`
`288`	`285`
`@@ -358,6 +355,9 @@`
`358`	`355`	/* Define to 1 if you have the `SSL_CTX_set_cert_cb' function. */
`359`	`356`	`#undef HAVE_SSL_CTX_SET_CERT_CB`
`360`	`357`
	`358`	+/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
	`359`	`+#undef HAVE_SSL_CTX_SET_CIPHERSUITES`
	`360`	`+`
`361`	`361`	/* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
`362`	`362`	`#undef HAVE_SSL_CTX_SET_NUM_TICKETS`
`363`	`363`

`‎src/port/pg_strong_random.c`

Lines changed: 4 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,9 @@`
`31`	`31`	`* cryptographically secure, suitable for use e.g. in authentication.`
`32`	`32`	`*`
`33`	`33`	`* Before pg_strong_random is called in any process, the generator must first`
`34`		`- * be initialized by calling pg_strong_random_init().`
	`34`	`+ * be initialized by calling pg_strong_random_init(). Initialization is a no-`
	`35`	`+ * op for all supported randomness sources, it is kept to maintain backwards`
	`36`	`+ * compatibility with extensions.`
`35`	`37`	`*`
`36`	`38`	`* We rely on system facilities for actually generating the numbers.`
`37`	`39`	`* We support a number of sources:`
`@@ -50,20 +52,12 @@`
`50`	`52`
`51`	`53`	`#ifdefUSE_OPENSSL`
`52`	`54`
`53`		`-#include<openssl/opensslv.h>`
`54`	`55`	`#include<openssl/rand.h>`
`55`	`56`
`56`	`57`	`void`
`57`	`58`	`pg_strong_random_init(void)`
`58`	`59`	`{`
`59`		`-#if (OPENSSL_VERSION_NUMBER<0x10101000L)`
`60`		`-/*`
`61`		`- * Make sure processes do not share OpenSSL randomness state. This is not`
`62`		`- * required on LibreSSL and no longer required in OpenSSL 1.1.1 and later`
`63`		`- * versions.`
`64`		`- */`
`65`		`-RAND_poll();`
`66`		`-#endif`
	`60`	`+/* No initialization needed */`
`67`	`61`	`}`
`68`	`62`
`69`	`63`	`bool`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit6c66b74

File tree

6 files changed

6 files changed

`‎configure`

`‎configure.ac`

`‎doc/src/sgml/installation.sgml`

`‎meson.build`

`‎src/include/pg_config.h.in`

`‎src/port/pg_strong_random.c`

0 commit comments