Re: OpenSSL 3.0.0 compatibility
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-09-19T02:11:48Z
Lists: pgsql-hackers
On Fri, Sep 18, 2020 at 04:11:13PM +0200, Daniel Gustafsson wrote: > Since we support ciphers that are now deprecated, we have no other choice than > to load the legacy provider. Ah, thanks. I actually tried something similar to that when I had my mind on it by loading the legacy providers, but missed the padding part. Nice find. > The other problem was that the cipher context > padding must be explicitly set, whereas in previous versions relying on the > default worked fine. EVP_CIPHER_CTX_set_padding always returns 1 so thats why > it isn't checking the returnvalue as the other nearby initialization calls. It seems to me that it would be a good idea to still check for the return value of EVP_CIPHER_CTX_set_padding() and just return with a PXE_CIPHER_INIT. By looking at the upstream code, it is true that it always returns true for <= 1.1.1, but that's not the case for 3.0.0. Some code paths of upstream also check after it. Also, what's the impact with disabling the padding for <= 1.1.1? This part of the upstream code is still a bit obscure to me.. > To avoid problems with the by LibreSSL overloaded OPENSSL_VERSION_NUMBER macro > (which too is deprecated in 3.0.0), I used the new macro which is only set in > 3.0.0. Not sure if that's considered acceptable or if we should invent our own > version macro in autoconf. OSSL_PROVIDER_load() is new as of 3.0.0, so using a configure switch similarly as what we do for the other functions should be more consistent and enough, no? > For the main SSL tests, the incorrect password test has a new errormessage > which is added in 0002. Hmm. I am linking to a build of alpha6 here, but I still see the error being reported as a bad decrypt for this test. Interesting. -- Michael
Commits
-
Define OPENSSL_API_COMPAT
- 96f96398d398 11.21 landed
- 265c9138da58 12.16 landed
- 8aa9a26236aa 13.12 landed
- 4d3db13621be 14.0 landed
-
Add alternative output for OpenSSL 3 without legacy loaded
- eb643536b9f1 10.19 landed
- 8e7199453bf9 13.5 landed
- 7b6ce36fbab5 12.9 landed
- 6d0001aabf2a 14.0 landed
- 19e91a40bf26 11.14 landed
- 72bbff4cd6ea 15.0 landed
-
Disable OpenSSL EVP digest padding in pgcrypto
- e802b594e794 10.19 landed
- 4fa2b15e1c9c 14.0 landed
- 135d8687adf1 13.5 landed
- 11901cd9628b 11.14 landed
- 00c72da4a22d 12.9 landed
- 318df8023559 15.0 landed
-
pgcrypto: Check for error return of px_cipher_decrypt()
- a69e1506f618 13.5 landed
- 90cfd269f226 12.9 landed
- 841075a65cdc 10.19 landed
- 0f28d267c7e0 11.14 landed
- 22e1943f13b6 14.0 landed
-
OpenSSL 3.0.0 compatibility in tests
- f0d2c65f17ca 13.0 landed
-
Make ssl certificate for ssl_passphrase_callback test via Makefile
- b846091fd0a7 13.0 landed
-
Provide a TLS init hook
- 896fcdb230e7 13.0 cited