Re: OpenSSL 3.0.0 compatibility
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-07-07T20:52:47Z
Lists: pgsql-hackers
> On 7 Jul 2020, at 19:53, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes: >> Trying to move this along, Thanks, this has stalled a bit on my TODO. >> where would be a good place to define >> OPENSSL_API_COMPAT? The only place that's shared between frontend and >> backend code is c.h. The attached patch does it that way. > > pg_config_manual.h, perhaps? I don't have a strong preference. When starting hacking on this I went for the quick and simple option of adding it to CFLAGS in configure.in for the time being since I wasn't sure where to put it. A slightly more complicated problem arise when trying to run the pgcrypto regress tests, and make it run the tests for the now deprecated ciphers, as they require the legacy provider to be loaded via the openssl configuration file. As was mentioned upthread, this requires us to inject our own openssl.cnf in OPENSSL_CONF, load the legacy provider there and then from that file include the system openssl.cnf (or override the system one completely during testing which doesn't seem like a good idea). Hacking this up in a crude PoC I added a REGRESS_ENV option in pgxs.mk which then pgcrypto/Makefile could use to set an OPENSSL_CONF, which in turn ends with a .include=<path> for my system config. This enables pgcrypto to load the now deprecated ciphers, but even as PoC's goes this is awfully brittle and a significant amount of bricks shy. Actually running the tests with the legacy provider loaded yields a fair number of errors like these, and somewhere around there I ran out of time for now as the CF started. - decrypt ----------------------------- - Lets try a longer message. + decrypt +---------------------------------------------------------- + Lets try a longer messag\177\177\177\177\177\177\177\177 Memorizing the "cannot load cipher" errors in an alternative output and documenting how to use old ciphers in pgcrypto together with OpenSSL 3.0.0+ might be the least bad option? Anyone else have any good ideas on how to get this into the testrunner? cheers ./daniel
Commits
-
Define OPENSSL_API_COMPAT
- 96f96398d398 11.21 landed
- 265c9138da58 12.16 landed
- 8aa9a26236aa 13.12 landed
- 4d3db13621be 14.0 landed
-
Add alternative output for OpenSSL 3 without legacy loaded
- eb643536b9f1 10.19 landed
- 8e7199453bf9 13.5 landed
- 7b6ce36fbab5 12.9 landed
- 6d0001aabf2a 14.0 landed
- 19e91a40bf26 11.14 landed
- 72bbff4cd6ea 15.0 landed
-
Disable OpenSSL EVP digest padding in pgcrypto
- e802b594e794 10.19 landed
- 4fa2b15e1c9c 14.0 landed
- 135d8687adf1 13.5 landed
- 11901cd9628b 11.14 landed
- 00c72da4a22d 12.9 landed
- 318df8023559 15.0 landed
-
pgcrypto: Check for error return of px_cipher_decrypt()
- a69e1506f618 13.5 landed
- 90cfd269f226 12.9 landed
- 841075a65cdc 10.19 landed
- 0f28d267c7e0 11.14 landed
- 22e1943f13b6 14.0 landed
-
OpenSSL 3.0.0 compatibility in tests
- f0d2c65f17ca 13.0 landed
-
Make ssl certificate for ssl_passphrase_callback test via Makefile
- b846091fd0a7 13.0 landed
-
Provide a TLS init hook
- 896fcdb230e7 13.0 cited