-rwxr-xr-x | configure | 32 | ||||
-rw-r--r-- | configure.ac | 12 | ||||
-rw-r--r-- | doc/src/sgml/installation.sgml | 12 | ||||
-rw-r--r-- | meson.build | 10 | ||||
-rw-r--r-- | src/include/pg_config.h.in | 6 | ||||
-rw-r--r-- | src/port/pg_strong_random.c | 14 |
6 files changed, 38 insertions, 48 deletions
diff --git a/configure b/configure
index 3a577e463ba..268ac94ae69 100755
--- a/configure
+++ b/configure
@@ -12224,9 +12224,9 @@ if test "$with_openssl" = yes ; then
 fi
 if test "$with_ssl" = openssl ; then
- # Minimum required OpenSSL version is 1.1.0
+ # Minimum required OpenSSL version is 1.1.1
-$as_echo "#define OPENSSL_API_COMPAT 0x10100000L" >>confdefs.h
+$as_echo "#define OPENSSL_API_COMPAT 0x10101000L" >>confdefs.h
 if test "$PORTNAME" != "win32"; then
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5
@@ -12441,33 +12441,29 @@ else
 fi
 fi
- # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
- for ac_func in SSL_CTX_set_cert_cb
+ # Functions introduced in OpenSSL 1.1.1.
+ for ac_func in SSL_CTX_set_ciphersuites
 do :
- ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"
-if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :
+ ac_fn_c_check_func "$LINENO" "SSL_CTX_set_ciphersuites" "ac_cv_func_SSL_CTX_set_ciphersuites"
+if test "x$ac_cv_func_SSL_CTX_set_ciphersuites" = xyes; then :
 cat >>confdefs.h <<_ACEOF
-#define HAVE_SSL_CTX_SET_CERT_CB 1
+#define HAVE_SSL_CTX_SET_CIPHERSUITES 1
 _ACEOF
+else
+ as_fn_error $? "OpenSSL version >= 1.1.1 is required for SSL support" "$LINENO" 5
 fi
 done
- # Functions introduced in OpenSSL 1.1.0. We used to check for
- # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
- # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
- # doesn't have these OpenSSL 1.1.0 functions. So check for individual
- # functions.
- for ac_func in OPENSSL_init_ssl
+ # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
+ for ac_func in SSL_CTX_set_cert_cb
 do :
- ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl"
-if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then :
+ ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"
+if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :
 cat >>confdefs.h <<_ACEOF
-#define HAVE_OPENSSL_INIT_SSL 1
+#define HAVE_SSL_CTX_SET_CERT_CB 1
 _ACEOF
-else
- as_fn_error $? "OpenSSL version >= 1.1.0 is required for SSL support" "$LINENO" 5
 fi
 done
diff --git a/configure.ac b/configure.ac
index 55f6c46d333..3c89b54bf12 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1311,8 +1311,8 @@ fi
 if test "$with_ssl" = openssl ; then
 dnl Order matters!
- # Minimum required OpenSSL version is 1.1.0
- AC_DEFINE(OPENSSL_API_COMPAT, [0x10100000L],
+ # Minimum required OpenSSL version is 1.1.1
+ AC_DEFINE(OPENSSL_API_COMPAT, [0x10101000L],
 [Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.])
 if test "$PORTNAME" != "win32"; then
 AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])
@@ -1321,14 +1321,10 @@ if test "$with_ssl" = openssl ; then
 AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
 AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
 fi
+ # Functions introduced in OpenSSL 1.1.1.
+ AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites], [], [AC_MSG_ERROR([OpenSSL version >= 1.1.1 is required for SSL support])])
 # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
 AC_CHECK_FUNCS([SSL_CTX_set_cert_cb])
- # Functions introduced in OpenSSL 1.1.0. We used to check for
- # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
- # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
- # doesn't have these OpenSSL 1.1.0 functions. So check for individual
- # functions.
- AC_CHECK_FUNCS([OPENSSL_init_ssl], [], [AC_MSG_ERROR([OpenSSL version >= 1.1.0 is required for SSL support])])
 # Function introduced in OpenSSL 1.1.1, not in LibreSSL.
 AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets])
 AC_DEFINE([USE_OPENSSL], 1, [Define to 1 to build with OpenSSL support. (--with-ssl=openssl)])
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index 3a491b59896..8449c20f798 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
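Review bot: The new minimum-version probe `AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites], ...)` is introduced by a comment that says `Functions introduced in OpenSSL 1.1.1.` although it checks exactly one function, and it drops the old explanation of why a function probe is used at all rather than `OPENSSL_VERSION_NUMBER` (LibreSSL reports 2.0.0); the same wording appears in the meson.build hunk. Since the documentation hunk now advertises LibreSSL 3.4+ support, that support presumably rests on LibreSSL also exporting this symbol, which a reader of this check cannot tell. I would write `# Function introduced in OpenSSL 1.1.1, used as the minimum-version probe because LibreSSL's OPENSSL_VERSION_NUMBER (2.0.0) cannot be compared; the supported LibreSSL releases are expected to provide it too.` and mirror it in meson.build.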
@@ -293,7 +293,13 @@ encrypted client connections. <productname>OpenSSL</productname> is also required for random number generation on platforms that do not have <filename>/dev/urandom</filename> (except Windows). The minimum
- required version is 1.1.0.
+ required version is 1.1.1.
+ </para>
+ <para>
+ Additionally, <productname>LibreSSL</productname> is supported using the
+ <productname>OpenSSL</productname> compatibility layer. The minimum
+ required version is 3.4 (from <systemitem class="osname">OpenBSD</systemitem>
+ version 7.0).
 </para>
 </listitem>
@@ -989,7 +995,9 @@ build-postgresql: <para> Build with support for <acronym>SSL</acronym> (encrypted) connections. The only <replaceable>LIBRARY</replaceable>
- supported is <option>openssl</option>. This requires the
+ supported is <option>openssl</option>, which is used for both
+ <productname>OpenSSL</productname>
+ and <productname>LibreSSL</productname>. This requires the
 <productname>OpenSSL</productname> package to be installed. <filename>configure</filename> will check for the required header files and libraries to make sure that your
diff --git a/meson.build b/meson.build
index 58e67975e85..bb9d7f5a8e8 100644
--- a/meson.build
+++ b/meson.build
@@ -1361,12 +1361,8 @@ if sslopt in ['auto', 'openssl']
 ['CRYPTO_new_ex_data', {'required': true}],
 ['SSL_new', {'required': true}],
- # Functions introduced in OpenSSL 1.1.0. We used to check for
- # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
- # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
- # doesn't have these OpenSSL 1.1.0 functions. So check for individual
- # functions.
- ['OPENSSL_init_ssl', {'required': true}],
+ # Functions introduced in OpenSSL 1.1.1.
+ ['SSL_CTX_set_ciphersuites', {'required': true}],
 # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
 ['SSL_CTX_set_cert_cb'],
@@ -1395,7 +1391,7 @@ if sslopt in ['auto', 'openssl']
 if are_openssl_funcs_complete
 cdata.set('USE_OPENSSL', 1, description: 'Define to 1 to build with OpenSSL support. (-Dssl=openssl)')
- cdata.set('OPENSSL_API_COMPAT', '0x10100000L',
+ cdata.set('OPENSSL_API_COMPAT', '0x10101000L',
 description: 'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.')
 ssl_library = 'openssl'
 else
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 427030f31a7..cdd9a6e9355 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -280,9 +280,6 @@
 /* Define to 1 if you have the `mkdtemp' function. */
 #undef HAVE_MKDTEMP
-/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
-#undef HAVE_OPENSSL_INIT_SSL
-
 /* Define to 1 if you have the <ossp/uuid.h> header file. */
 #undef HAVE_OSSP_UUID_H
@@ -358,6 +355,9 @@
 /* Define to 1 if you have the `SSL_CTX_set_cert_cb' function. */
 #undef HAVE_SSL_CTX_SET_CERT_CB
+/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
+#undef HAVE_SSL_CTX_SET_CIPHERSUITES
+
 /* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
 #undef HAVE_SSL_CTX_SET_NUM_TICKETS
diff --git a/src/port/pg_strong_random.c b/src/port/pg_strong_random.c
index a8efb2b1886..b5f0ea2fdc1 100644
--- a/src/port/pg_strong_random.c
+++ b/src/port/pg_strong_random.c
@@ -31,7 +31,9 @@
 * cryptographically secure, suitable for use e.g. in authentication.
 *
 * Before pg_strong_random is called in any process, the generator must first
- * be initialized by calling pg_strong_random_init().
+ * be initialized by calling pg_strong_random_init(). Initialization is a no-
+ op for all supported randomness sources, it is kept to maintain backwards
+ compatibility with extensions.
 *
 * We rely on system facilities for actually generating the numbers.
 * We support a number of sources:
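Review bot: In the pg_strong_random.c header-comment hunk, the added sentence `Initialization is a no-op for all supported randomness sources, it is kept to maintain backwards compatibility with extensions.` is a comma splice, and "all supported randomness sources" is a claim this hunk does not show (only the OpenSSL path is visible in this diff). I would tighten it to `Initialization is currently a no-op for every randomness source; the function is kept so that extensions built against earlier releases keep linking.` so the sentence states the compatibility contract rather than asserting a property of code that lives elsewhere in the file.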
@@ -50,20 +52,12 @@
 #ifdef USE_OPENSSL
-#include <openssl/opensslv.h>
 #include <openssl/rand.h>
 void
 pg_strong_random_init(void)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10101000L)
- /*
- * Make sure processes do not share OpenSSL randomness state. This is not
- * required on LibreSSL and no longer required in OpenSSL 1.1.1 and later
- * versions.
- */
- RAND_poll();
-#endif
+ /* No initialization needed */
 }
 bool |
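Review bot: The new body of `pg_strong_random_init` is just `/* No initialization needed */`, which drops the reason the `RAND_poll()` block existed — keeping forked processes from sharing OpenSSL randomness state — and the reason it is now safe to omit, namely that (per the removed comment) OpenSSL 1.1.1 and later and LibreSSL take care of this themselves. That is the one security-relevant invariant of this file, so it should survive as a why-comment rather than a bare "nothing to do"; I would write `/* Nothing to do: OpenSSL >= 1.1.1 (now the minimum) and LibreSSL keep per-process RNG state separate after fork on their own, so the explicit RAND_poll() that older versions required is gone. */`. Removing `<openssl/opensslv.h>` is consistent since `OPENSSL_VERSION_NUMBER` is no longer referenced here; `<openssl/rand.h>` stays and is presumably still needed by the `pg_strong_random` body that begins at the `bool` line below the hunk.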