Re: OpenSSL 3.0.0 compatibility

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Daniel Gustafsson <daniel@yesql.se>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Michael Paquier <michael@paquier.xyz>
Date: 2021-09-23T21:26:46Z
Lists: pgsql-hackers
On 23.09.21 20:51, Daniel Gustafsson wrote:
> For the 13- backbranches we also need to backport 22e1943f1 ("pgcrypto: Check
> for error return of px_cipher_decrypt()" by Peter E) in order to avoid
> incorrect results for decrypt tests on disallowed ciphers.  Does anyone have
> any concerns about applying this to backbranches?

This should be backpatched as a bug fix.

> 13 and older will, when compiled against OpenSSL 3.0.0, produce a fair amount
> of compiler warnings on usage of depreceted functionality but there is really
> anything we can do as suppressing that is beyond the scope of a backpatchable
> fix IMHO.

Right, that's just a matter of adjusting the compiler warnings.

Earlier in this thread, I had suggested backpatching the 
OPENSSL_API_COMPAT definition to PG13, but now I'm thinking I wouldn't 
bother, since that still wouldn't help with anything older.




Commits

  1. Define OPENSSL_API_COMPAT

  2. Add alternative output for OpenSSL 3 without legacy loaded

  3. Disable OpenSSL EVP digest padding in pgcrypto

  4. pgcrypto: Check for error return of px_cipher_decrypt()

  5. OpenSSL 3.0.0 compatibility in tests

  6. Make ssl certificate for ssl_passphrase_callback test via Makefile

  7. Provide a TLS init hook