Remove support for OpenSSL 1.0.1
authorMichael Paquier <michael@paquier.xyz>
Mon, 3 Jul 2023 04:20:27 +0000 (13:20 +0900)
committerMichael Paquier <michael@paquier.xyz>
Mon, 3 Jul 2023 04:20:27 +0000 (13:20 +0900)
Here are some notes about this change:
- As X509_get_signature_nid() should always exist (OpenSSL and
LibreSSL), hence HAVE_X509_GET_SIGNATURE_NID is now gone.
- OPENSSL_API_COMPAT is bumped to 0x10002000L.
- One comment related to 1.0.1e introduced by 74242c2 is removed.

Upstream OpenSSL still provides long-term support for 1.0.2 in a closed
fashion, so removing it is out of scope for a few years, at least.

Reviewed-by: Jacob Champion, Daniel Gustafsson
Discussion: https://postgr.es/m/ZG3JNursG69dz1lr@paquier.xyz

14 files changed:
configure
configure.ac
doc/src/sgml/installation.sgml
meson.build
src/backend/libpq/auth-scram.c
src/backend/libpq/be-secure-openssl.c
src/include/libpq/libpq-be.h
src/include/pg_config.h.in
src/interfaces/libpq/fe-auth-scram.c
src/interfaces/libpq/fe-auth.c
src/interfaces/libpq/fe-secure-openssl.c
src/interfaces/libpq/libpq-int.h
src/test/ssl/t/002_scram.pl
src/tools/msvc/Solution.pm

index 8e5006bd4f7aef5f97ede011511800682460fed5..997d42d8f71962dfeef4175734a6eee5e00e8a54 100755 (executable)
--- a/configure
+++ b/configure
@@ -12744,9 +12744,9 @@ if test "$with_openssl" = yes ; then
 fi
 
 if test "$with_ssl" = openssl ; then
-    # Minimum required OpenSSL version is 1.0.1
+    # Minimum required OpenSSL version is 1.0.2
 
-$as_echo "#define OPENSSL_API_COMPAT 0x10001000L" >>confdefs.h
+$as_echo "#define OPENSSL_API_COMPAT 0x10002000L" >>confdefs.h
 
   if test "$PORTNAME" != "win32"; then
      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5
@@ -12961,15 +12961,13 @@ else
 fi
 
   fi
-  # Functions introduced in OpenSSL 1.0.2. LibreSSL does not have
-  # SSL_CTX_set_cert_cb().
-  for ac_func in X509_get_signature_nid SSL_CTX_set_cert_cb
+  # LibreSSL does not have SSL_CTX_set_cert_cb().
+  for ac_func in SSL_CTX_set_cert_cb
 do :
-  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"
+if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+#define HAVE_SSL_CTX_SET_CERT_CB 1
 _ACEOF
 
 fi
index 0e8158a5e69abb6f3b480801ac25c50f8cbb201e..6052675fb8ee3e552f838246adca0be5d039c376 100644 (file)
@@ -1367,8 +1367,8 @@ fi
 
 if test "$with_ssl" = openssl ; then
   dnl Order matters!
-  # Minimum required OpenSSL version is 1.0.1
-  AC_DEFINE(OPENSSL_API_COMPAT, [0x10001000L],
+  # Minimum required OpenSSL version is 1.0.2
+  AC_DEFINE(OPENSSL_API_COMPAT, [0x10002000L],
             [Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.])
   if test "$PORTNAME" != "win32"; then
      AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])
@@ -1377,9 +1377,9 @@ if test "$with_ssl" = openssl ; then
      AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
      AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
   fi
-  # Functions introduced in OpenSSL 1.0.2. LibreSSL does not have
+  # Function introduced in OpenSSL 1.0.2. LibreSSL does not have
   # SSL_CTX_set_cert_cb().
-  AC_CHECK_FUNCS([X509_get_signature_nid SSL_CTX_set_cert_cb])
+  AC_CHECK_FUNCS([SSL_CTX_set_cert_cb])
   # Functions introduced in OpenSSL 1.1.0. We used to check for
   # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
   # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
index 75dc81a0a9e25c6f5a50a7caaf9b7191c309fa12..e9d797417ad50d859ff47bced4e8bae6466cb6c0 100644 (file)
@@ -275,7 +275,7 @@ documentation.  See standalone-profile.xsl for details.
       encrypted client connections.  <productname>OpenSSL</productname> is
       also required for random number generation on platforms that do not
       have <filename>/dev/urandom</filename> (except Windows).  The minimum
-      required version is 1.0.1.
+      required version is 1.0.2.
      </para>
     </listitem>
 
index e408967fd42776a1c4fb3997cf03f654f5e9265c..aaa9daf266f17c2119ca9dbe7685d050ba1f1d4f 100644 (file)
@@ -1266,9 +1266,8 @@ if sslopt in ['auto', 'openssl']
       ['CRYPTO_new_ex_data', {'required': true}],
       ['SSL_new', {'required': true}],
 
-      # Functions introduced in OpenSSL 1.0.2.
-      ['X509_get_signature_nid'],
-      ['SSL_CTX_set_cert_cb'], # not in LibreSSL
+      # Functions introduced in OpenSSL 1.0.2, not in LibreSSL.
+      ['SSL_CTX_set_cert_cb'],
 
       # Functions introduced in OpenSSL 1.1.0. We used to check for
       # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
@@ -1310,7 +1309,7 @@ if sslopt in ['auto', 'openssl']
     if are_openssl_funcs_complete
       cdata.set('USE_OPENSSL', 1,
                 description: 'Define to 1 to build with OpenSSL support. (-Dssl=openssl)')
-      cdata.set('OPENSSL_API_COMPAT', '0x10001000L',
+      cdata.set('OPENSSL_API_COMPAT', '0x10002000L',
                 description: 'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.')
       ssl_library = 'openssl'
     else
index 9b286aa4d7fad615f7075561bb20474347b45169..118d15b1a119fd4d171a5ad7fb0e3ac18aa3b30d 100644 (file)
@@ -209,10 +209,9 @@ scram_get_mechanisms(Port *port, StringInfo buf)
        /*
         * Advertise the mechanisms in decreasing order of importance.  So the
         * channel-binding variants go first, if they are supported.  Channel
-        * binding is only supported with SSL, and only if the SSL implementation
-        * has a function to get the certificate's hash.
+        * binding is only supported with SSL.
         */
-#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdef USE_SSL
        if (port->ssl_in_use)
        {
                appendStringInfoString(buf, SCRAM_SHA_256_PLUS_NAME);
@@ -251,13 +250,12 @@ scram_init(Port *port, const char *selected_mech, const char *shadow_pass)
        /*
         * Parse the selected mechanism.
         *
-        * Note that if we don't support channel binding, either because the SSL
-        * implementation doesn't support it or we're not using SSL at all, we
-        * would not have advertised the PLUS variant in the first place.  If the
-        * client nevertheless tries to select it, it's a protocol violation like
-        * selecting any other SASL mechanism we don't support.
+        * Note that if we don't support channel binding, or if we're not using
+        * SSL at all, we would not have advertised the PLUS variant in the first
+        * place.  If the client nevertheless tries to select it, it's a protocol
+        * violation like selecting any other SASL mechanism we don't support.
         */
-#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdef USE_SSL
        if (strcmp(selected_mech, SCRAM_SHA_256_PLUS_NAME) == 0 && port->ssl_in_use)
                state->channel_binding_in_use = true;
        else
@@ -1010,7 +1008,7 @@ read_client_first_message(scram_state *state, const char *input)
                                                 errmsg("malformed SCRAM message"),
                                                 errdetail("The client selected SCRAM-SHA-256-PLUS, but the SCRAM message does not include channel binding data.")));
 
-#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdef USE_SSL
                        if (state->port->ssl_in_use)
                                ereport(ERROR,
                                                (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
@@ -1306,7 +1304,7 @@ read_client_final_message(scram_state *state, const char *input)
        channel_binding = read_attr_value(&p, 'c');
        if (state->channel_binding_in_use)
        {
-#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdef USE_SSL
                const char *cbind_data = NULL;
                size_t          cbind_data_len = 0;
                size_t          cbind_header_len;
index 05276ab95cee07f5a284a4358cae41005970ac86..658b09988d6c9eaca5b5a5201d4a3f3563f72409 100644 (file)
@@ -831,8 +831,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
  *
  * These functions are closely modelled on the standard socket BIO in OpenSSL;
  * see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
- * XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR as reasons
- * to retry; do we need to adopt their logic for that?
  */
 
 #ifndef HAVE_BIO_GET_DATA
@@ -1429,7 +1427,6 @@ be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
                ptr[0] = '\0';
 }
 
-#if defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO)
 char *
 be_tls_get_certificate_hash(Port *port, size_t *len)
 {
@@ -1488,7 +1485,6 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
 
        return cert_hash;
 }
-#endif
 
 /*
  * Convert an X509 subject name to a cstring.
index 3b2ce9908f81d685af82de64ed554524ac38f5a7..a0b74c8095fe879c2ece29a7ed09abf3746f88de 100644 (file)
@@ -305,14 +305,8 @@ extern void be_tls_get_peer_serial(Port *port, char *ptr, size_t len);
  *
  * The result is a palloc'd hash of the server certificate with its
  * size, and NULL if there is no certificate available.
- *
- * This is not supported with old versions of OpenSSL that don't have
- * the X509_get_signature_nid() function.
  */
-#if defined(USE_OPENSSL) && (defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO))
-#define HAVE_BE_TLS_GET_CERTIFICATE_HASH
 extern char *be_tls_get_certificate_hash(Port *port, size_t *len);
-#endif
 
 /* init hook for SSL, the default sets the password callback if appropriate */
 #ifdef USE_OPENSSL
index 6d572c38204201221b00dc39381a3dfec99991ee..ca3a49c552671fea7fa3fc3f33971feb170d2969 100644 (file)
 /* Define to 1 if you have the `X509_get_signature_info' function. */
 #undef HAVE_X509_GET_SIGNATURE_INFO
 
-/* Define to 1 if you have the `X509_get_signature_nid' function. */
-#undef HAVE_X509_GET_SIGNATURE_NID
-
 /* Define to 1 if the assembler supports X86_64's POPCNTQ instruction. */
 #undef HAVE_X86_64_POPCNTQ
 
index 6b779ec7ffd1e77bae0d9bf9d16c658d302132e5..61e6cd84d284700c4cdbd43df217cf76371424d4 100644 (file)
@@ -401,7 +401,7 @@ build_client_first_message(fe_scram_state *state)
                Assert(conn->ssl_in_use);
                appendPQExpBufferStr(&buf, "p=tls-server-end-point");
        }
-#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdef USE_SSL
        else if (conn->channel_binding[0] != 'd' && /* disable */
                         conn->ssl_in_use)
        {
@@ -474,7 +474,7 @@ build_client_final_message(fe_scram_state *state)
         */
        if (strcmp(state->sasl_mechanism, SCRAM_SHA_256_PLUS_NAME) == 0)
        {
-#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdef USE_SSL
                char       *cbind_data = NULL;
                size_t          cbind_data_len = 0;
                size_t          cbind_header_len;
@@ -540,9 +540,9 @@ build_client_final_message(fe_scram_state *state)
                appendPQExpBufferStr(&conn->errorMessage,
                                                         "channel binding not supported by this build\n");
                return NULL;
-#endif                                                 /* HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH */
+#endif                                                 /* USE_SSL */
        }
-#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdef USE_SSL
        else if (conn->channel_binding[0] != 'd' && /* disable */
                         conn->ssl_in_use)
                appendPQExpBufferStr(&buf, "c=eSws");   /* base64 of "y,," */
index 88fd0f3d80220c974fbb1b499c90e5b71ce27d83..f8e09d3b415bc04f54a2d8269409e2214dc7d512 100644 (file)
@@ -478,7 +478,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
                        {
                                /* The server has offered SCRAM-SHA-256-PLUS. */
 
-#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdef USE_SSL
                                /*
                                 * The client supports channel binding, which is chosen if
                                 * channel_binding is not disabled.
index 390c888c9628bb8bb147ddc1ea093b18aada58ef..bea71660ab8af99a8e945bf81696826396b4977c 100644 (file)
@@ -364,7 +364,6 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
        return n;
 }
 
-#if defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO)
 char *
 pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
 {
@@ -439,7 +438,6 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
 
        return cert_hash;
 }
-#endif                                                 /* HAVE_X509_GET_SIGNATURE_NID */
 
 /* ------------------------------------------------------------ */
 /*                                             OpenSSL specific code                                   */
@@ -1826,8 +1824,6 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
  *
  * These functions are closely modelled on the standard socket BIO in OpenSSL;
  * see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
- * XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR as reasons
- * to retry; do we need to adopt their logic for that?
  */
 
 #ifndef HAVE_BIO_GET_DATA
index 0045f83cbfde8cc98a0f08ad84426ec56e43dc90..b70d4aee6a179349ff6eac2d1804c0626c53879b 100644 (file)
@@ -833,14 +833,8 @@ extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
  *
  * NULL is sent back to the caller in the event of an error, with an
  * error message for the caller to consume.
- *
- * This is not supported with old versions of OpenSSL that don't have
- * the X509_get_signature_nid() function.
  */
-#if defined(USE_OPENSSL) && (defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO))
-#define HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
 extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len);
-#endif
 
 /*
  * Verify that the server certificate matches the host name we connected to.
index 28c54bdb09f432bf88b886bf5ba9a127067cb403..3a798e1a56088fa256555aa139ff284da95dfe17 100644 (file)
@@ -44,9 +44,6 @@ my $SERVERHOSTADDR = '127.0.0.1';
 # This is the pattern to use in pg_hba.conf to match incoming connections.
 my $SERVERHOSTCIDR = '127.0.0.1/32';
 
-# Determine whether build supports tls-server-end-point.
-my $supports_tls_server_end_point =
-  check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1");
 # Determine whether build supports detection of hash algorithms for
 # RSA-PSS certificates.
 my $supports_rsapss_certs =
@@ -90,21 +87,9 @@ $node->connect_fails(
        expected_stderr => qr/invalid channel_binding value: "invalid_value"/);
 $node->connect_ok("$common_connstr user=ssltestuser channel_binding=disable",
        "SCRAM with SSL and channel_binding=disable");
-if ($supports_tls_server_end_point)
-{
-       $node->connect_ok(
-               "$common_connstr user=ssltestuser channel_binding=require",
-               "SCRAM with SSL and channel_binding=require");
-}
-else
-{
-       $node->connect_fails(
-               "$common_connstr user=ssltestuser channel_binding=require",
-               "SCRAM with SSL and channel_binding=require",
-               expected_stderr =>
-                 qr/channel binding is required, but server did not offer an authentication method that supports channel binding/
-       );
-}
+$node->connect_ok(
+       "$common_connstr user=ssltestuser channel_binding=require",
+       "SCRAM with SSL and channel_binding=require");
 
 # Now test when the user has an MD5-encrypted password; should fail
 $node->connect_fails(
@@ -152,22 +137,10 @@ $node->connect_fails(
        expected_stderr =>
          qr/channel binding required but not supported by server's authentication request/
 );
-if ($supports_tls_server_end_point)
-{
-       $node->connect_ok(
-               "$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",
-               "SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256"
-       );
-}
-else
-{
-       $node->connect_fails(
-               "$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",
-               "SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256",
-               expected_stderr =>
-                 qr/channel binding is required, but server did not offer an authentication method that supports channel binding/
-       );
-}
+$node->connect_ok(
+       "$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",
+       "SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256"
+);
 
 # Now test with a server certificate that uses the RSA-PSS algorithm.
 # This checks that the certificate can be loaded and that channel binding
index b6d31c358356f767c438fc42821ec3049d9d2f67..e6d8f9fedc0f90cca367920c2f25457f28f4edec 100644 (file)
@@ -371,7 +371,6 @@ sub GenerateFiles
                HAVE_UUID_UUID_H => undef,
                HAVE_WCSTOMBS_L => 1,
                HAVE_VISIBILITY_ATTRIBUTE => undef,
-               HAVE_X509_GET_SIGNATURE_NID => 1,
                HAVE_X509_GET_SIGNATURE_INFO => undef,
                HAVE_X86_64_POPCNTQ => undef,
                HAVE__BOOL => undef,
@@ -488,6 +487,7 @@ sub GenerateFiles
        if ($self->{options}->{openssl})
        {
                $define{USE_OPENSSL} = 1;
+               $define{HAVE_SSL_CTX_SET_CERT_CB} = 1;
 
                my ($digit1, $digit2, $digit3) = $self->GetOpenSSLVersion();
 
@@ -509,14 +509,6 @@ sub GenerateFiles
                        $define{HAVE_HMAC_CTX_NEW} = 1;
                        $define{HAVE_OPENSSL_INIT_SSL} = 1;
                }
-
-               # Symbols needed with OpenSSL 1.0.2 and above.
-               if (   ($digit1 >= '3' && $digit2 >= '0' && $digit3 >= '0')
-                       || ($digit1 >= '1' && $digit2 >= '1' && $digit3 >= '0')
-                       || ($digit1 >= '1' && $digit2 >= '0' && $digit3 >= '2'))
-               {
-                       $define{HAVE_SSL_CTX_SET_CERT_CB} = 1;
-               }
        }
 
        $self->GenerateConfigHeader('src/include/pg_config.h', \%define, 1);