Fix openssl3 build issue

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2008773
2021-10-06 12:07:45 +02:00 · 2021-10-06 12:07:45 +02:00 · 21b8d7a7d2
commit 21b8d7a7d2
parent f7fb7fc25d
3 changed files with 146 additions and 2 deletions
--- a/postgresql-pgcrypto-openssl3-init.patch
+++ b/postgresql-pgcrypto-openssl3-init.patch
@ -0,0 +1,33 @@
+Upstream patch: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=135d8687ad
+author	Daniel Gustafsson <dgustafsson@postgresql.org>
+
+The PX layer in pgcrypto is handling digest padding on its own uniformly
+for all backend implementations. Starting with OpenSSL 3.0.0, DecryptUpdate
+doesn't flush the last block in case padding is enabled so explicitly
+disable it as we don't use it.
+
+This will be backpatched to all supported version once there is sufficient
+testing in the buildfarm of OpenSSL 3.
+
+diff -ur postgresql-14rc1/contrib/pgcrypto/openssl.c postgresql-p/contrib/pgcrypto/openssl.c
+--- postgresql-14rc1/contrib/pgcrypto/openssl.c	2021-09-20 17:33:01.000000000 -0400
+++ postgresql-p/contrib/pgcrypto/openssl.c	2021-10-06 04:07:24.628836908 -0400
+@@ -379,6 +379,8 @@
+ 	{
+ 		if (!EVP_DecryptInit_ex(od->evp_ctx, od->evp_ciph, NULL, NULL, NULL))
+ 			return PXE_CIPHER_INIT;
+		 if (!EVP_CIPHER_CTX_set_padding(od->evp_ctx, 0))
+           		return PXE_CIPHER_INIT;
+ 		if (!EVP_CIPHER_CTX_set_key_length(od->evp_ctx, od->klen))
+ 			return PXE_CIPHER_INIT;
+ 		if (!EVP_DecryptInit_ex(od->evp_ctx, NULL, NULL, od->key, od->iv))
+@@ -403,6 +405,8 @@
+ 	{
+ 		if (!EVP_EncryptInit_ex(od->evp_ctx, od->evp_ciph, NULL, NULL, NULL))
+ 			return PXE_CIPHER_INIT;
+		if (!EVP_CIPHER_CTX_set_padding(od->evp_ctx, 0))
+           		return PXE_CIPHER_INIT;
+ 		if (!EVP_CIPHER_CTX_set_key_length(od->evp_ctx, od->klen))
+ 			return PXE_CIPHER_INIT;
+ 		if (!EVP_EncryptInit_ex(od->evp_ctx, NULL, NULL, od->key, od->iv))
+
--- a/postgresql-pgcrypto-openssl3-tests.patch
+++ b/postgresql-pgcrypto-openssl3-tests.patch
@ -0,0 +1,102 @@
+diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out
+--- postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out	2021-08-09 16:49:05.000000000 -0400
+++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out	2021-09-01 08:16:48.138600886 -0400
+@@ -4,20 +4,6 @@
+ --  Checking ciphers
+ select pgp_sym_decrypt(dearmor('
+ -----BEGIN PGP MESSAGE-----
+-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
+-
+-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
+-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
+-=JcP+
+------END PGP MESSAGE-----
+-'), 'foobar');
+- pgp_sym_decrypt 
+------------------
+- Secret message.
+-(1 row)
+-
+-select pgp_sym_decrypt(dearmor('
+------BEGIN PGP MESSAGE-----
+ Comment: dat1.aes.sha1.mdc.s2k3.z0
+ 
+ jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
+diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out
+--- postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out	2021-08-09 16:49:05.000000000 -0400
+++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out	2021-09-01 08:05:27.750172653 -0400
+@@ -594,13 +594,6 @@
+ (1 row)
+ 
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
+- pgp_pub_decrypt 
+------------------
+- Secret msg
+-(1 row)
+-
+-select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+ from keytbl, encdata where keytbl.id=3 and encdata.id=3;
+  pgp_pub_decrypt 
+ -----------------
+diff -ur postgresql-13.4/contrib/pgcrypto/Makefile postgresql-13.4.patched/contrib/pgcrypto/Makefile
+--- postgresql-13.4/contrib/pgcrypto/Makefile	2021-08-09 16:49:05.000000000 -0400
+++ postgresql-13.4.patched/contrib/pgcrypto/Makefile	2021-09-01 08:26:47.207164873 -0400
+@@ -5,7 +5,7 @@
+ INT_TESTS = sha2
+ 
+ OSSL_SRCS = openssl.c pgp-mpi-openssl.c
+-OSSL_TESTS = sha2 des 3des cast5
+OSSL_TESTS = sha2
+ 
+ ZLIB_TST = pgp-compression
+ ZLIB_OFF_TST = pgp-zlib-DISABLED
+@@ -49,12 +49,13 @@
+ 	pgcrypto--1.0--1.1.sql
+ PGFILEDESC = "pgcrypto - cryptographic functions"
+ 
+-REGRESS = init md5 sha1 hmac-md5 hmac-sha1 blowfish rijndael \
+REGRESS = init md5 sha1 hmac-md5 hmac-sha1 rijndael \
+ 	$(CF_TESTS) \
+-	crypt-des crypt-md5 crypt-blowfish crypt-xdes \
+	crypt-md5 \
+ 	pgp-armor pgp-decrypt pgp-encrypt $(CF_PGP_TESTS) \
+ 	pgp-pubkey-decrypt pgp-pubkey-encrypt pgp-info
+ 
+#REGRESS = init pgp-pubkey-decrypt pgp-decrypt \
+ EXTRA_CLEAN = gen-rtab
+ 
+ ifdef USE_PGXS
+diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql
+--- postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql	2021-08-09 16:49:05.000000000 -0400
+++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql	2021-09-01 08:16:12.525212175 -0400
+@@ -5,16 +5,6 @@
+ --  Checking ciphers
+ select pgp_sym_decrypt(dearmor('
+ -----BEGIN PGP MESSAGE-----
+-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
+-
+-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
+-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
+-=JcP+
+------END PGP MESSAGE-----
+-'), 'foobar');
+-
+-select pgp_sym_decrypt(dearmor('
+------BEGIN PGP MESSAGE-----
+ Comment: dat1.aes.sha1.mdc.s2k3.z0
+ 
+ jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
+diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql
+--- postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql	2021-08-09 16:49:05.000000000 -0400
+++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql	2021-09-01 08:06:18.963732342 -0400
+@@ -606,9 +606,6 @@
+ from keytbl, encdata where keytbl.id=1 and encdata.id=1;
+ 
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
+-
+-select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+ from keytbl, encdata where keytbl.id=3 and encdata.id=3;
+ 
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
--- a/postgresql.spec
+++ b/postgresql.spec
@ -61,7 +61,7 @@ Summary: PostgreSQL client programs
 Name: postgresql
 %global majorversion 13
 Version: %{majorversion}.4
-Release: 2%{?dist}
+Release: 3%{?dist}

 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
 # recognizes it as an independent license, so we do as well.
@ -112,6 +112,10 @@ Patch9: postgresql-server-pg_config.patch
 # rhbz#1940964
 Patch10: postgresql-datalayout-mismatch-on-s390.patch
 Patch12: postgresql-no-libecpg.patch
+# Upstream patch - it's assumed removal of this patch with the next upstream release
+Patch13: postgresql-pgcrypto-openssl3-init.patch
+# This patch disables deprecated ciphers in the test suite
+Patch14: postgresql-pgcrypto-openssl3-tests.patch

 BuildRequires: make
 BuildRequires: gcc
@ -426,7 +430,8 @@ goal of accelerating analytics queries.
 %endif
 %patch9 -p1
 %patch10 -p1
-
+%patch13 -p1
+%patch14 -p1
 # We used to run autoconf here, but there's no longer any real need to,
 # since Postgres ships with a reasonably modern configure script.

@ -1240,6 +1245,10 @@ make -C postgresql-setup-%{setup_version} check


 %changelog
+* Wed Oct 06 2021 Filip Januš <fjanus@redhat.com> - 13.4-3
+- Add patch 13 - corrects initialization of ciphers
+- Add patch 14 - disable unsupported ciphers in test suite
+
 * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 13.4-2
 - Rebuilt with OpenSSL 3.0.0