Backport OpenSSL 3.2 fix from upstream master
https://git.postgresql.org/gitweb/?p=postgresql.git;h=b2b1f12882fb561c7d474b834044dd8ed570bfea
This commit is contained in:
Yaakov Selkowitz
parent
e7a8590fe3
commit
7831b20fe3
@ -4,7 +4,7 @@
|
||||
Summary: PostgreSQL client library
|
||||
Name: libpq
|
||||
Version: %{majorversion}.1
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
|
||||
License: PostgreSQL
|
||||
Url: http://www.postgresql.org/
|
||||
@ -17,6 +17,7 @@ Source1: https://ftp.postgresql.org/pub/source/v%{version}/postgresql-%{version}
|
||||
Patch1: libpq-10.3-rpm-pgsql.patch
|
||||
Patch2: libpq-10.3-var-run-socket.patch
|
||||
Patch3: libpq-12.1-symbol-versioning.patch
|
||||
Patch4: postgresql-openssl32.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: glibc-devel bison flex gawk
|
||||
@ -131,6 +132,9 @@ find_lang_bins %name-devel.lst pg_config
|
||||
%_libdir/pkgconfig/libpq.pc
|
||||
|
||||
%changelog
|
||||
* Tue Feb 20 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 16.1-4
|
||||
- Backport OpenSSL 3.2 fix from upstream master
|
||||
|
||||
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 16.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
|
||||
142
postgresql-openssl32.patch
Normal file
142
postgresql-openssl32.patch
Normal file
@ -0,0 +1,142 @@
|
||||
Backport of commit b2b1f12882fb561c7d474b834044dd8ed570bfea to 16.1
|
||||
|
||||
Use BIO_{get,set}_app_data instead of BIO_{get,set}_data.
|
||||
|
||||
We should have done it this way all along, but we accidentally got
|
||||
away with using the wrong BIO field up until OpenSSL 3.2. There,
|
||||
the library's BIO routines that we rely on use the "data" field
|
||||
for their own purposes, and our conflicting use causes assorted
|
||||
weird behaviors up to and including core dumps when SSL connections
|
||||
are attempted. Switch to using the approved field for the purpose,
|
||||
i.e. app_data.
|
||||
|
||||
While at it, remove our configure probes for BIO_get_data as well
|
||||
as the fallback implementation. BIO_{get,set}_app_data have been
|
||||
there since long before any OpenSSL version that we still support,
|
||||
even in the back branches.
|
||||
|
||||
Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor
|
||||
change in an error message spelling that evidently came in with 3.2.
|
||||
|
||||
Tristan Partin and Bo Andreson. Back-patch to all supported branches.
|
||||
|
||||
Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com
|
||||
---
|
||||
|
||||
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
|
||||
index 31b6a6eacdf0..1b8b32c5b39e 100644
|
||||
--- a/src/backend/libpq/be-secure-openssl.c
|
||||
+++ b/src/backend/libpq/be-secure-openssl.c
|
||||
@@ -842,11 +842,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
|
||||
* to retry; do we need to adopt their logic for that?
|
||||
*/
|
||||
|
||||
-#ifndef HAVE_BIO_GET_DATA
|
||||
-#define BIO_get_data(bio) (bio->ptr)
|
||||
-#define BIO_set_data(bio, data) (bio->ptr = data)
|
||||
-#endif
|
||||
-
|
||||
static BIO_METHOD *my_bio_methods = NULL;
|
||||
|
||||
static int
|
||||
@@ -856,7 +851,7 @@ my_sock_read(BIO *h, char *buf, int size)
|
||||
|
||||
if (buf != NULL)
|
||||
{
|
||||
- res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size);
|
||||
+ res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size);
|
||||
BIO_clear_retry_flags(h);
|
||||
if (res <= 0)
|
||||
{
|
||||
@@ -876,7 +871,7 @@ my_sock_write(BIO *h, const char *buf, int size)
|
||||
{
|
||||
int res = 0;
|
||||
|
||||
- res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size);
|
||||
+ res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size);
|
||||
BIO_clear_retry_flags(h);
|
||||
if (res <= 0)
|
||||
{
|
||||
@@ -952,7 +947,7 @@ my_SSL_set_fd(Port *port, int fd)
|
||||
SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
|
||||
goto err;
|
||||
}
|
||||
- BIO_set_data(bio, port);
|
||||
+ BIO_set_app_data(bio, port);
|
||||
|
||||
BIO_set_fd(bio, fd, BIO_NOCLOSE);
|
||||
SSL_set_bio(port->ssl, bio, bio);
|
||||
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
|
||||
index 4aeaf08312ce..e669bdbf1d2d 100644
|
||||
--- a/src/interfaces/libpq/fe-secure-openssl.c
|
||||
+++ b/src/interfaces/libpq/fe-secure-openssl.c
|
||||
@@ -1815,11 +1815,6 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
|
||||
* to retry; do we need to adopt their logic for that?
|
||||
*/
|
||||
|
||||
-#ifndef HAVE_BIO_GET_DATA
|
||||
-#define BIO_get_data(bio) (bio->ptr)
|
||||
-#define BIO_set_data(bio, data) (bio->ptr = data)
|
||||
-#endif
|
||||
-
|
||||
static BIO_METHOD *my_bio_methods;
|
||||
|
||||
static int
|
||||
@@ -1828,7 +1823,7 @@ my_sock_read(BIO *h, char *buf, int size)
|
||||
{
|
||||
int res;
|
||||
|
||||
- res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size);
|
||||
+ res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size);
|
||||
BIO_clear_retry_flags(h);
|
||||
if (res < 0)
|
||||
{
|
||||
@@ -1858,7 +1853,7 @@ my_sock_write(BIO *h, const char *buf, int size)
|
||||
{
|
||||
int res;
|
||||
|
||||
- res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size);
|
||||
+ res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size);
|
||||
BIO_clear_retry_flags(h);
|
||||
if (res < 0)
|
||||
{
|
||||
@@ -1968,7 +1963,7 @@ my_SSL_set_fd(PGconn *conn, int fd)
|
||||
SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
|
||||
goto err;
|
||||
}
|
||||
- BIO_set_data(bio, conn);
|
||||
+ BIO_set_app_data(bio, conn);
|
||||
|
||||
SSL_set_bio(conn->ssl, bio, bio);
|
||||
BIO_set_fd(bio, fd, BIO_NOCLOSE);
|
||||
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
|
||||
index a049fd2ff03a..d921f1dde9fa 100644
|
||||
--- a/src/test/ssl/t/001_ssltests.pl
|
||||
+++ b/src/test/ssl/t/001_ssltests.pl
|
||||
@@ -776,7 +776,7 @@ sub switch_server_cert
|
||||
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
|
||||
. sslkey('client-revoked.key'),
|
||||
"certificate authorization fails with revoked client cert",
|
||||
- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
|
||||
+ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
|
||||
# temporarily(?) skip this check due to timing issue
|
||||
# log_like => [
|
||||
# qr{Client certificate verification failed at depth 0: certificate revoked},
|
||||
@@ -881,7 +881,7 @@ sub switch_server_cert
|
||||
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
|
||||
. sslkey('client-revoked.key'),
|
||||
"certificate authorization fails with revoked client cert with server-side CRL directory",
|
||||
- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
|
||||
+ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
|
||||
# temporarily(?) skip this check due to timing issue
|
||||
# log_like => [
|
||||
# qr{Client certificate verification failed at depth 0: certificate revoked},
|
||||
@@ -894,7 +894,7 @@ sub switch_server_cert
|
||||
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt "
|
||||
. sslkey('client-revoked-utf8.key'),
|
||||
"certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory",
|
||||
- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
|
||||
+ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
|
||||
# temporarily(?) skip this check due to timing issue
|
||||
# log_like => [
|
||||
# qr{Client certificate verification failed at depth 0: certificate revoked},
|
||||
Loading…
Reference in New Issue
Block a user