Re: OpenSSL 1.1 breaks configure and more

Andreas Karlsson <andreas@proxel.se>

From: Andreas Karlsson <andreas@proxel.se>
To: Christoph Berg <myon@debian.org>, Tom Lane <tgl@sss.pgh.pa.us>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2016-07-02T00:02:48Z
Lists: pgsql-hackers

Attachments

On 07/01/2016 11:41 AM, Christoph Berg wrote:
> thanks for the patches. I applied all there patches on top of HEAD
> (10c0558f). The server builds and passes "make check", pgcrypto still
> needs work, though:

Thanks, I had forgotten pgcrypto.

When fixing pgcrypto I noticed that the OpenSSL team has deprecated 
RAND_pseudo_bytes() and recommend using RAND_bytes() instead (see 
302d38e3f73d5fd2ba2fd30bb7798778cb9f18dd).

As far as I can tell the only difference is that RAND_bytes() adds an 
error to the error queue if there is not enough entropy for generating 
secure data. And since we already always use strong random with the 
Fortuna algorithm, why not just drop px_get_pseudo_random_bytes()? It 
feels like a potential security problem with to me unclear benefit.

I also found that client CA loading is broken in OpenSSL 1.1-pre5 
(reported as https://github.com/openssl/openssl/pull/1279). This might 
be good to be aware of when testing my patches.

Attached a new set of patches:

0001-Fixes-for-compiling-with-OpenSSL-1.1-v2.patch

The fixes necessary to build with OpenSSL 1.1. Mostly fixes surrounding 
direct access to struct fields.

0002-Remove-OpenSSL-1.1-deprecation-warnings-v2.patch

Fix deprecation warnings. Mostly trusting OpenSSL 1.1 to handle 
threading and initialization automatically.

0003-Remove-px_get_pseudo_random_bytes-v2.patch

Remove the px_get_pseudo_random_bytes() from pgcrypto. Also silcences 
deprecation warning about RAND_pseudo_bytes().

0004-Define-CRYPTO_LOCK-for-OpenSSL-1.1-compat-v2.patch

Useful if you want to play around with 
0001-Fixes-for-compiling-with-OpenSSL-1.1-v2.patch before they release a 
new version where CRYPTO_LOCK is added back. See 
https://github.com/openssl/openssl/issues/1260

Andreas

Commits

  1. Back-patch 9.4-era SSL renegotiation code into 9.3 and 9.2.