Re: OpenSSL 3.0.0 compatibility

Michael Paquier <michael@paquier.xyz>

From: Michael Paquier <michael@paquier.xyz>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, Peter Eisentraut <peter.eisentraut@enterprisedb.com>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2021-09-22T07:49:10Z
Lists: pgsql-hackers
On Tue, Sep 07, 2021 at 02:04:23PM +0200, Daniel Gustafsson wrote:
> On 10 Aug 2021, at 15:27, Daniel Gustafsson <daniel@yesql.se> wrote:
> 
>> These have now been committed, when OpenSSL 3.0.0 ships and there is coverage
>> in the buildfarm I’ll revisit this for the backbranches.
> 
> As an update to this, I’ve tested the tree frozen for the upcoming 3.0.0
> release (scheduled for today AFAIK) and postgres still builds and tests clean
> with the patches that were applied.

I think that the time to do a backpatch of 318df8 has come.  caiman,
that runs Fedora 35, has just failed:
https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=caiman&dt=2021-09-22%2006%3A28%3A00

Here is a diff:
@@ -8,168 +8,88 @@
 decode('0000000000000000', 'hex'),
 decode('0000000000000000', 'hex'),
 'bf-ecb/pad:none'), 'hex');
-      encode      
-------------------
- 4ef997456198dd78
-(1 row)
-
+ERROR:  encrypt error: Cipher cannot be initialized ?

And if I look at the list of packages at the top of Fedora, I see an
update to OpenSSL 3.0.0:
https://fedora.pkgs.org/rawhide/fedora-aarch64/openssl-libs-3.0.0-1.fc36.aarch64.rpm.html

So the coverage is here.  HEAD passes, not the stabele branches.  At
least for 14 it would be nice to do that before the release of next
week.
--
Michael

Commits

  1. Define OPENSSL_API_COMPAT

  2. Add alternative output for OpenSSL 3 without legacy loaded

  3. Disable OpenSSL EVP digest padding in pgcrypto

  4. pgcrypto: Check for error return of px_cipher_decrypt()

  5. OpenSSL 3.0.0 compatibility in tests

  6. Make ssl certificate for ssl_passphrase_callback test via Makefile

  7. Provide a TLS init hook