
Raise the minimum supported OpenSSL version to 1.1.1
Commit a70e01d retired support for OpenSSL 1.0.2 in order to get rid of the need for manual initialization of the library. This left our API usage compatible with 1.1.0, which was defined as the minimum required version. Also mention that 3.4 is the minimum version required when using LibreSSL. An upcoming commit will introduce support for configuring TLSv1.3 cipher suites, which requires an API call available in OpenSSL 1.1.1 and onwards. In order to support this setting, this commit sets 1.1.1 as the new minimum required version. The version-specific call for randomness init added in commit c3333db is removed as it's no longer needed. Author: Daniel Gustafsson <daniel@yesql.se> Discussion: https://postgr.es/m/909A668B-06AD-47D1-B8EB-A164211AAD16@yesql.se Discussion: https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com
1 parent f818551 commit 6c66b74


6 files changed

+38
-48
lines changed


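--- a/configure
+++ b/configure
@@ -12224,9 +12224,9 @@ if test "$with_openssl" = yes ; then
 fi
 
 if test "$with_ssl" = openssl ; then
-# Minimum required OpenSSL version is 1.1.0
+# Minimum required OpenSSL version is 1.1.1
 
-$as_echo "#define OPENSSL_API_COMPAT 0x10100000L" >>confdefs.h
+$as_echo "#define OPENSSL_API_COMPAT 0x10101000L" >>confdefs.h
 
 if test "$PORTNAME" != "win32"; then
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5
@@ -12441,33 +12441,29 @@ else
 fi
 
 fi
-# Function introduced in OpenSSL 1.0.2, not in LibreSSL.
-for ac_func in SSL_CTX_set_cert_cb
+# Functions introduced in OpenSSL 1.1.1.
+for ac_func in SSL_CTX_set_ciphersuites
 do :
-ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"
-if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :
+ac_fn_c_check_func "$LINENO" "SSL_CTX_set_ciphersuites" "ac_cv_func_SSL_CTX_set_ciphersuites"
+if test "x$ac_cv_func_SSL_CTX_set_ciphersuites" = xyes; then :
 cat >>confdefs.h <<_ACEOF
-#define HAVE_SSL_CTX_SET_CERT_CB 1
+#define HAVE_SSL_CTX_SET_CIPHERSUITES 1
 _ACEOF
 
+else
+as_fn_error $? "OpenSSL version >= 1.1.1 is required for SSL support" "$LINENO" 5
 fi
 done
 
-# Functions introduced in OpenSSL 1.1.0. We used to check for
-# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
-# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
-# doesn't have these OpenSSL 1.1.0 functions. So check for individual
-# functions.
-for ac_func in OPENSSL_init_ssl
+# Function introduced in OpenSSL 1.0.2, not in LibreSSL.
+for ac_func in SSL_CTX_set_cert_cb
 do :
-ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl"
-if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then :
+ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"
+if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :
 cat >>confdefs.h <<_ACEOF
-#define HAVE_OPENSSL_INIT_SSL 1
+#define HAVE_SSL_CTX_SET_CERT_CB 1
 _ACEOF
 
-else
-as_fn_error $? "OpenSSL version >= 1.1.0 is required for SSL support" "$LINENO" 5
 fi
 done
 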
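--- a/configure.ac
+++ b/configure.ac
@@ -1311,8 +1311,8 @@ fi
 
 if test "$with_ssl" = openssl ; then
 dnl Order matters!
-# Minimum required OpenSSL version is 1.1.0
-AC_DEFINE(OPENSSL_API_COMPAT, [0x10100000L],
+# Minimum required OpenSSL version is 1.1.1
+AC_DEFINE(OPENSSL_API_COMPAT, [0x10101000L],
 [Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.])
 if test "$PORTNAME" != "win32"; then
 AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])
@@ -1321,14 +1321,10 @@ if test "$with_ssl" = openssl ; then
 AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
 AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
 fi
+# Functions introduced in OpenSSL 1.1.1.
+AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites], [], [AC_MSG_ERROR([OpenSSL version >= 1.1.1 is required for SSL support])])
 # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
 AC_CHECK_FUNCS([SSL_CTX_set_cert_cb])
-# Functions introduced in OpenSSL 1.1.0. We used to check for
-# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
-# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
-# doesn't have these OpenSSL 1.1.0 functions. So check for individual
-# functions.
-AC_CHECK_FUNCS([OPENSSL_init_ssl], [], [AC_MSG_ERROR([OpenSSL version >= 1.1.0 is required for SSL support])])
 # Function introduced in OpenSSL 1.1.1, not in LibreSSL.
 AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets])
 AC_DEFINE([USE_OPENSSL], 1, [Define to 1 to build with OpenSSL support. (--with-ssl=openssl)])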
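Review bot: The new minimum-version gate on SSL_CTX_set_ciphersuites drops the rationale the removed comment carried, namely that the check is done per function because LibreSSL sets OPENSSL_VERSION_NUMBER to 2.0.0 and a version-macro test is therefore meaningless; that reasoning still applies and should stay next to the gate so nobody "simplifies" it back into a macro comparison. Since LibreSSL 3.4 is now the documented minimum, this gate presumably also has to pass on it, which the one-line comment should say, and the error message should mention both libraries. I would write `# Function introduced in OpenSSL 1.1.1 (expected in LibreSSL >= 3.4 as well); checked by function rather than OPENSSL_VERSION_NUMBER, which LibreSSL sets to 2.0.0.` and change the failure text to `AC_MSG_ERROR([OpenSSL version >= 1.1.1 or LibreSSL >= 3.4 is required for SSL support])`. Also, "Functions" is plural for a single function, while the very next comment still says "Function introduced in OpenSSL 1.1.1, not in LibreSSL" for the optional checks, which reads as contradictory without the extra wording.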

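--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -293,7 +293,13 @@
 encrypted client connections. <productname>OpenSSL</productname> is
 also required for random number generation on platforms that do not
 have <filename>/dev/urandom</filename> (except Windows). The minimum
-required version is 1.1.0.
+required version is 1.1.1.
+</para>
+<para>
+Additionally, <productname>LibreSSL</productname> is supported using the
+<productname>OpenSSL</productname> compatibility layer. The minimum
+required version is 3.4 (from <systemitem class="osname">OpenBSD</systemitem>
+version 7.0).
 </para>
 </listitem>
 
@@ -989,7 +995,9 @@ build-postgresql:
 <para>
 Build with support for <acronym>SSL</acronym> (encrypted)
 connections. The only <replaceable>LIBRARY</replaceable>
-supported is <option>openssl</option>. This requires the
+supported is <option>openssl</option>, which is used for both
+<productname>OpenSSL</productname>
+and <productname>LibreSSL</productname>. This requires the
 <productname>OpenSSL</productname> package to be installed.
 <filename>configure</filename> will check for the required
 header files and libraries to make sure that your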

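--- a/meson.build
+++ b/meson.build
@@ -1361,12 +1361,8 @@ if sslopt in ['auto', 'openssl']
 ['CRYPTO_new_ex_data', {'required': true}],
 ['SSL_new', {'required': true}],
 
-# Functions introduced in OpenSSL 1.1.0. We used to check for
-# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
-# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
-# doesn't have these OpenSSL 1.1.0 functions. So check for individual
-# functions.
-['OPENSSL_init_ssl', {'required': true}],
+# Functions introduced in OpenSSL 1.1.1.
+['SSL_CTX_set_ciphersuites', {'required': true}],
 
 # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
 ['SSL_CTX_set_cert_cb'],
@@ -1395,7 +1391,7 @@ if sslopt in ['auto', 'openssl']
 if are_openssl_funcs_complete
 cdata.set('USE_OPENSSL', 1,
 description: 'Define to 1 to build with OpenSSL support. (-Dssl=openssl)')
-cdata.set('OPENSSL_API_COMPAT', '0x10100000L',
+cdata.set('OPENSSL_API_COMPAT', '0x10101000L',
 description: 'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.')
 ssl_library = 'openssl'
 else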
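Review bot: The required entry for SSL_CTX_ciphersuites in the first hunk loses the explanation of why the minimum version is enforced through a function probe instead of OPENSSL_VERSION_NUMBER (LibreSSL reports 2.0.0 in that macro, per the comment this hunk deletes), and unlike the configure.ac counterpart the failure carries no version hint, so a user on OpenSSL 1.1.0 will only see that one symbol is missing. I cannot see how the list's `required` flag is consumed, so if a custom message is not possible there, the comment should at least carry the rationale: `# Function introduced in OpenSSL 1.1.1 (also expected in LibreSSL >= 3.4). Probed as a function, not via OPENSSL_VERSION_NUMBER, which LibreSSL sets to 2.0.0; failure means the library is older than the supported minimum.` The enclosing `if sslopt in [...]` block starts before the hunk.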

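--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -280,9 +280,6 @@
 /* Define to 1 if you have the `mkdtemp' function. */
 #undef HAVE_MKDTEMP
 
-/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
-#undef HAVE_OPENSSL_INIT_SSL
-
 /* Define to 1 if you have the <ossp/uuid.h> header file. */
 #undef HAVE_OSSP_UUID_H
 
@@ -358,6 +355,9 @@
 /* Define to 1 if you have the `SSL_CTX_set_cert_cb' function. */
 #undef HAVE_SSL_CTX_SET_CERT_CB
 
+/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
+#undef HAVE_SSL_CTX_SET_CIPHERSUITES
+
 /* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
 #undef HAVE_SSL_CTX_SET_NUM_TICKETS
 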
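--- a/src/port/pg_strong_random.c
+++ b/src/port/pg_strong_random.c
@@ -31,7 +31,9 @@
 * cryptographically secure, suitable for use e.g. in authentication.
 *
 * Before pg_strong_random is called in any process, the generator must first
-* be initialized by calling pg_strong_random_init().
+* be initialized by calling pg_strong_random_init(). Initialization is a no-
+* op for all supported randomness sources, it is kept to maintain backwards
+* compatibility with extensions.
 *
 * We rely on system facilities for actually generating the numbers.
 * We support a number of sources:
@@ -50,20 +52,12 @@
 
 #ifdef USE_OPENSSL
 
-#include <openssl/opensslv.h>
 #include <openssl/rand.h>
 
 void
 pg_strong_random_init(void)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10101000L)
-/*
-* Make sure processes do not share OpenSSL randomness state. This is not
-* required on LibreSSL and no longer required in OpenSSL 1.1.1 and later
-* versions.
-*/
-RAND_poll();
-#endif
+/* No initialization needed */
 }
 
 bool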
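Review bot: The `/* No initialization needed */` left in the OpenSSL pg_strong_random_init() says what but not why, and the why is the security invariant here: the deleted block existed so that forked backends would not share OpenSSL RNG state, and the deleted comment states this is unnecessary on LibreSSL and on OpenSSL 1.1.1 and later. That reasoning is now implicit in the configure-time minimum, so the function body should record it; I would replace the comment with `/* OpenSSL >= 1.1.1 (our configured minimum) and LibreSSL handle post-fork RNG reseeding themselves, so the per-process RAND_poll() formerly done here is no longer needed. */`, so that anyone lowering the minimum or swapping the RNG source sees what they must restore. In the header-comment hunk, "no-op for all supported randomness sources, it is kept" is a comma splice; the other sources are outside this hunk, so I take that claim on trust, but `no-op for all supported randomness sources; it is kept` reads correctly.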
