Re: OpenSSL 1.1 breaks configure and more

From: Andreas Karlsson <andreas(at)proxel(dot)se>
To: Christoph Berg <myon(at)debian(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: OpenSSL 1.1 breaks configure and more
Date: 2016-07-02 00:02:48
Message-ID: a5f4b79e-a9ea-200d-e17e-2da3ad187e5b@proxel.se
Lists: pgsql-hackers

On 07/01/2016 11:41 AM, Christoph Berg wrote:
> thanks for the patches. I applied all three patches on top of HEAD
> (10c0558f). The server builds and passes "make check", pgcrypto still
> needs work, though:

Thanks, I had forgotten pgcrypto.

When fixing pgcrypto I noticed that the OpenSSL team has deprecated
RAND_pseudo_bytes() and recommends using RAND_bytes() instead (see
302d38e3f73d5fd2ba2fd30bb7798778cb9f18dd).

As far as I can tell the only difference is that RAND_bytes() adds an
error to the error queue if there is not enough entropy for generating
secure data. And since we already always use strong random with the
Fortuna algorithm, why not just drop px_get_pseudo_random_bytes()? It
feels like a potential security problem with, to me, unclear benefit.

I also found that client CA loading is broken in OpenSSL 1.1-pre5
(reported as https://github.com/openssl/openssl/pull/1279). This might
be good to be aware of when testing my patches.

Attached a new set of patches:

0001-Fixes-for-compiling-with-OpenSSL-1.1-v2.patch

The fixes necessary to build with OpenSSL 1.1. Mostly fixes surrounding
direct access to struct fields.

0002-Remove-OpenSSL-1.1-deprecation-warnings-v2.patch

Fix deprecation warnings. Mostly trusting OpenSSL 1.1 to handle
threading and initialization automatically.

0003-Remove-px_get_pseudo_random_bytes-v2.patch

Remove px_get_pseudo_random_bytes() from pgcrypto. Also silences the
deprecation warning about RAND_pseudo_bytes().

0004-Define-CRYPTO_LOCK-for-OpenSSL-1.1-compat-v2.patch

Useful if you want to play around with
0001-Fixes-for-compiling-with-OpenSSL-1.1-v2.patch before they release a
new version where CRYPTO_LOCK is added back. See
https://github.com/openssl/openssl/issues/1260

Andreas

Attachment Content-Type Size
0001-Fixes-for-compiling-with-OpenSSL-1.1-v2.patch text/x-patch 14.5 KB
0002-Remove-OpenSSL-1.1-deprecation-warnings-v2.patch text/x-patch 3.7 KB
0003-Remove-px_get_pseudo_random_bytes-v2.patch text/x-patch 3.7 KB
0004-Define-CRYPTO_LOCK-for-OpenSSL-1.1-compat-v2.patch text/x-patch 824 bytes
