rpms/postgresql16
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Backport OpenSSL 3.2 fix from upstream master

Browse Source 
https://git.postgresql.org/gitweb/?p=postgresql.git;h=b2b1f12882fb561c7d474b834044dd8ed570bfea
This commit is contained in:
Yaakov Selkowitz 2024-02-19 21:52:30 -05:00
parent 9647cd2b64
commit 9b9a8eb409
2 changed files with 148 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

142
postgresql-openssl32.patch Normal file
View File

@ -0,0 +1,142 @@
Backport of commit b2b1f12882fb561c7d474b834044dd8ed570bfea to 16.1
Use BIO_{get,set}_app_data instead of BIO_{get,set}_data.
We should have done it this way all along, but we accidentally got
away with using the wrong BIO field up until OpenSSL 3.2. There,
the library's BIO routines that we rely on use the "data" field
for their own purposes, and our conflicting use causes assorted
weird behaviors up to and including core dumps when SSL connections
are attempted. Switch to using the approved field for the purpose,
i.e. app_data.
While at it, remove our configure probes for BIO_get_data as well
as the fallback implementation. BIO_{get,set}_app_data have been
there since long before any OpenSSL version that we still support,
even in the back branches.
Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor
change in an error message spelling that evidently came in with 3.2.
Tristan Partin and Bo Andreson. Back-patch to all supported branches.
Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com
---
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 31b6a6eacdf0..1b8b32c5b39e 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -842,11 +842,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
* to retry; do we need to adopt their logic for that?
*/
-#ifndef HAVE_BIO_GET_DATA
-#define BIO_get_data(bio) (bio->ptr)
-#define BIO_set_data(bio, data) (bio->ptr = data)
-#endif
-
static BIO_METHOD *my_bio_methods = NULL;
static int
@@ -856,7 +851,7 @@ my_sock_read(BIO *h, char *buf, int size)
if (buf != NULL)
{
- res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size);
+ res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size);
BIO_clear_retry_flags(h);
if (res <= 0)
{
@@ -876,7 +871,7 @@ my_sock_write(BIO *h, const char *buf, int size)
{
int res = 0;
- res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size);
+ res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size);
BIO_clear_retry_flags(h);
if (res <= 0)
{
@@ -952,7 +947,7 @@ my_SSL_set_fd(Port *port, int fd)
SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
goto err;
}
- BIO_set_data(bio, port);
+ BIO_set_app_data(bio, port);
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set_bio(port->ssl, bio, bio);
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 4aeaf08312ce..e669bdbf1d2d 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1815,11 +1815,6 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
* to retry; do we need to adopt their logic for that?
*/
-#ifndef HAVE_BIO_GET_DATA
-#define BIO_get_data(bio) (bio->ptr)
-#define BIO_set_data(bio, data) (bio->ptr = data)
-#endif
-
static BIO_METHOD *my_bio_methods;
static int
@@ -1828,7 +1823,7 @@ my_sock_read(BIO *h, char *buf, int size)
{
int res;
- res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size);
+ res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size);
BIO_clear_retry_flags(h);
if (res < 0)
{
@@ -1858,7 +1853,7 @@ my_sock_write(BIO *h, const char *buf, int size)
{
int res;
- res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size);
+ res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size);
BIO_clear_retry_flags(h);
if (res < 0)
{
@@ -1968,7 +1963,7 @@ my_SSL_set_fd(PGconn *conn, int fd)
SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
goto err;
}
- BIO_set_data(bio, conn);
+ BIO_set_app_data(bio, conn);
SSL_set_bio(conn->ssl, bio, bio);
BIO_set_fd(bio, fd, BIO_NOCLOSE);
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index a049fd2ff03a..d921f1dde9fa 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -776,7 +776,7 @@ sub switch_server_cert
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
. sslkey('client-revoked.key'),
"certificate authorization fails with revoked client cert",
- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
+ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
# temporarily(?) skip this check due to timing issue
# log_like => [
# qr{Client certificate verification failed at depth 0: certificate revoked},
@@ -881,7 +881,7 @@ sub switch_server_cert
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
. sslkey('client-revoked.key'),
"certificate authorization fails with revoked client cert with server-side CRL directory",
- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
+ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
# temporarily(?) skip this check due to timing issue
# log_like => [
# qr{Client certificate verification failed at depth 0: certificate revoked},
@@ -894,7 +894,7 @@ sub switch_server_cert
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt "
. sslkey('client-revoked-utf8.key'),
"certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory",
- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
+ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
# temporarily(?) skip this check due to timing issue
# log_like => [
# qr{Client certificate verification failed at depth 0: certificate revoked},

7
postgresql16.spec
View File

@ -48,7 +48,7 @@
Summary: PostgreSQL client programs Summary: PostgreSQL client programs
Name: %{majorname}%{majorversion} Name: %{majorname}%{majorversion}
Version: %{majorversion}.1 Version: %{majorversion}.1
Release: 5%{?dist} Release: 6%{?dist}
# The PostgreSQL license is very similar to other MIT licenses, but the OSI # The PostgreSQL license is very similar to other MIT licenses, but the OSI
# recognizes it as an independent license, so we do as well. # recognizes it as an independent license, so we do as well.
@ -97,6 +97,7 @@ Patch10: postgresql-datalayout-mismatch-on-s390.patch
Patch12: postgresql-no-libecpg.patch Patch12: postgresql-no-libecpg.patch
Patch13: postgresql-libxml2.patch Patch13: postgresql-libxml2.patch
Patch14: postgresql15-libxml2.patch Patch14: postgresql15-libxml2.patch
Patch15: postgresql-openssl32.patch
# This macro is used for package names in the files section # This macro is used for package names in the files section
%if %?postgresql_default %if %?postgresql_default
@ -520,6 +521,7 @@ goal of accelerating analytics queries.
%patch 9 -p1 %patch 9 -p1
%patch 10 -p1 %patch 10 -p1
%patch 13 -p1 %patch 13 -p1
%patch 15 -p1
%if ! %external_libpq %if ! %external_libpq
@ -1336,6 +1338,9 @@ make -C postgresql-setup-%{setup_version} check
%changelog %changelog
* Tue Feb 20 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 16.1-6
- Backport OpenSSL 3.2 fix from upstream master
* Mon Feb 5 2024 Filip Janus <fjanus@redhat.com> - 16.1-5 * Mon Feb 5 2024 Filip Janus <fjanus@redhat.com> - 16.1-5
- Add versioned provide to the default version - Add versioned provide to the default version
- Obsolete versioned is no more needed since only default stream provides - Obsolete versioned is no more needed since only default stream provides