From a9b585b854f3139919184eb4ae097a148584db52 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Tue, 15 Oct 2024 12:22:37 +0200 Subject: [PATCH v8 2/4] Raise the minimum supported OpenSSL version to 1.1.1 Commit a70e01d4306fdbcd5f retired support for OpenSSL 1.0.2 in order get rid of the need for manual initialization of the library . This left our API usage compatible with 1.1.0 which was defined as the minimum required version. Also mention that 3.4 is the minimum version required when using LibreSSL. An upcoming commit will introduce support for configuring TLSv1.3 cipher suites which require an API call in OpenSSL 1.1.1 and onwards. In order to support this setting this commit will set v1.1.1 as the new minimum required version. There is no function change in this commit, only build infrastructure changes. The version-specific call for randomness init added in commit c3333dbc0c0 is removed by this. Author: Daniel Gustafsson Discussion: https://postgr.es/m/909A668B-06AD-47D1-B8EB-A164211AAD16@yesql.se Discussion: https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com --- configure | 16 ++++++++-------- configure.ac | 8 ++++---- doc/src/sgml/installation.sgml | 12 ++++++++++-- meson.build | 6 +++--- src/include/pg_config.h.in | 6 +++--- src/port/pg_strong_random.c | 14 ++++---------- 6 files changed, 32 insertions(+), 30 deletions(-) diff --git a/configure b/configure index 3a577e463b..603c767f11 100755 --- a/configure +++ b/configure @@ -12224,9 +12224,9 @@ if test "$with_openssl" = yes ; then fi if test "$with_ssl" = openssl ; then - # Minimum required OpenSSL version is 1.1.0 + # Minimum required OpenSSL version is 1.1.1 -$as_echo "#define OPENSSL_API_COMPAT 0x10100000L" >>confdefs.h +$as_echo "#define OPENSSL_API_COMPAT 0x10101000L" >>confdefs.h if test "$PORTNAME" != "win32"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5 @@ -12453,21 +12453,21 @@ _ACEOF fi done - # Functions introduced in OpenSSL 1.1.0. We used to check for + # Functions introduced in OpenSSL 1.1.1. We used to check for # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it # doesn't have these OpenSSL 1.1.0 functions. So check for individual # functions. - for ac_func in OPENSSL_init_ssl + for ac_func in SSL_CTX_set_ciphersuites do : - ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl" -if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then : + ac_fn_c_check_func "$LINENO" "SSL_CTX_set_ciphersuites" "ac_cv_func_SSL_CTX_set_ciphersuites" +if test "x$ac_cv_func_SSL_CTX_set_ciphersuites" = xyes; then : cat >>confdefs.h <<_ACEOF -#define HAVE_OPENSSL_INIT_SSL 1 +#define HAVE_SSL_CTX_SET_CIPHERSUITES 1 _ACEOF else - as_fn_error $? "OpenSSL version >= 1.1.0 is required for SSL support" "$LINENO" 5 + as_fn_error $? "OpenSSL version >= 1.1.1 is required for SSL support" "$LINENO" 5 fi done diff --git a/configure.ac b/configure.ac index 55f6c46d33..26f2161e01 100644 --- a/configure.ac +++ b/configure.ac @@ -1311,8 +1311,8 @@ fi if test "$with_ssl" = openssl ; then dnl Order matters! - # Minimum required OpenSSL version is 1.1.0 - AC_DEFINE(OPENSSL_API_COMPAT, [0x10100000L], + # Minimum required OpenSSL version is 1.1.1 + AC_DEFINE(OPENSSL_API_COMPAT, [0x10101000L], [Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.]) if test "$PORTNAME" != "win32"; then AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])]) @@ -1323,12 +1323,12 @@ if test "$with_ssl" = openssl ; then fi # Function introduced in OpenSSL 1.0.2, not in LibreSSL. AC_CHECK_FUNCS([SSL_CTX_set_cert_cb]) - # Functions introduced in OpenSSL 1.1.0. We used to check for + # Functions introduced in OpenSSL 1.1.1. We used to check for # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it # doesn't have these OpenSSL 1.1.0 functions. So check for individual # functions. - AC_CHECK_FUNCS([OPENSSL_init_ssl], [], [AC_MSG_ERROR([OpenSSL version >= 1.1.0 is required for SSL support])]) + AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites], [], [AC_MSG_ERROR([OpenSSL version >= 1.1.1 is required for SSL support])]) # Function introduced in OpenSSL 1.1.1, not in LibreSSL. AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets]) AC_DEFINE([USE_OPENSSL], 1, [Define to 1 to build with OpenSSL support. (--with-ssl=openssl)]) diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml index 3a491b5989..c078885976 100644 --- a/doc/src/sgml/installation.sgml +++ b/doc/src/sgml/installation.sgml @@ -293,7 +293,13 @@ encrypted client connections. OpenSSL is also required for random number generation on platforms that do not have /dev/urandom (except Windows). The minimum - required version is 1.1.0. + required version is 1.1.1. + + + Additionally, LibreSSL is supported using the + OpenSSL compatibility layer. The minimum + required version is 3.4 (from OpenBSD + version 7.0. @@ -989,7 +995,9 @@ build-postgresql: Build with support for SSL (encrypted) connections. The only LIBRARY - supported is . This requires the + supported is , which is used for both + OpenSSL + and LibreSSL. This requires the OpenSSL package to be installed. configure will check for the required header files and libraries to make sure that your diff --git a/meson.build b/meson.build index 58e67975e8..c36cb35825 100644 --- a/meson.build +++ b/meson.build @@ -1361,12 +1361,12 @@ if sslopt in ['auto', 'openssl'] ['CRYPTO_new_ex_data', {'required': true}], ['SSL_new', {'required': true}], - # Functions introduced in OpenSSL 1.1.0. We used to check for + # Functions introduced in OpenSSL 1.1.1. We used to check for # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it # doesn't have these OpenSSL 1.1.0 functions. So check for individual # functions. - ['OPENSSL_init_ssl', {'required': true}], + ['SSL_CTX_set_ciphersuites', {'required': true}], # Function introduced in OpenSSL 1.0.2, not in LibreSSL. ['SSL_CTX_set_cert_cb'], @@ -1395,7 +1395,7 @@ if sslopt in ['auto', 'openssl'] if are_openssl_funcs_complete cdata.set('USE_OPENSSL', 1, description: 'Define to 1 to build with OpenSSL support. (-Dssl=openssl)') - cdata.set('OPENSSL_API_COMPAT', '0x10100000L', + cdata.set('OPENSSL_API_COMPAT', '0x10101000L', description: 'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.') ssl_library = 'openssl' else diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index 427030f31a..cdd9a6e935 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -280,9 +280,6 @@ /* Define to 1 if you have the `mkdtemp' function. */ #undef HAVE_MKDTEMP -/* Define to 1 if you have the `OPENSSL_init_ssl' function. */ -#undef HAVE_OPENSSL_INIT_SSL - /* Define to 1 if you have the header file. */ #undef HAVE_OSSP_UUID_H @@ -358,6 +355,9 @@ /* Define to 1 if you have the `SSL_CTX_set_cert_cb' function. */ #undef HAVE_SSL_CTX_SET_CERT_CB +/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */ +#undef HAVE_SSL_CTX_SET_CIPHERSUITES + /* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */ #undef HAVE_SSL_CTX_SET_NUM_TICKETS diff --git a/src/port/pg_strong_random.c b/src/port/pg_strong_random.c index a8efb2b188..b5f0ea2fdc 100644 --- a/src/port/pg_strong_random.c +++ b/src/port/pg_strong_random.c @@ -31,7 +31,9 @@ * cryptographically secure, suitable for use e.g. in authentication. * * Before pg_strong_random is called in any process, the generator must first - * be initialized by calling pg_strong_random_init(). + * be initialized by calling pg_strong_random_init(). Initialization is a no- + * op for all supported randomness sources, it is kept to maintain backwards + * compatibility with extensions. * * We rely on system facilities for actually generating the numbers. * We support a number of sources: @@ -50,20 +52,12 @@ #ifdef USE_OPENSSL -#include #include void pg_strong_random_init(void) { -#if (OPENSSL_VERSION_NUMBER < 0x10101000L) - /* - * Make sure processes do not share OpenSSL randomness state. This is not - * required on LibreSSL and no longer required in OpenSSL 1.1.1 and later - * versions. - */ - RAND_poll(); -#endif + /* No initialization needed */ } bool -- 2.39.3 (Apple Git-146)