(Adding Mikael Kjellstrom in CC as OpenBSD owner) On Thu, Apr 04, 2024 at 11:03:35AM -0700, Jacob Champion wrote: > v3 does that by putting back checks for symbols that aren't part of > LibreSSL (tested back to 2.7, which is where the 1.1.x APIs started to > arrive).
From where did you pull the LibreSSL sources? Directly from the OpenBSD tree? > It also makes adjustments for the new OPENSSL_API_COMPAT > version, getting rid of OpenSSL_add_all_algorithms() and adding a > missing header. Ah, right. OpenSSL_add_all_algorithms() is documented as having no effect in 1.1.0. > This patch has a deficiency where 1.1.0 itself isn't actually rejected > at configure time; Daniel's working on an explicit check for the > OPENSSL/LIBRESSL_VERSION_NUMBER that should fix that up. There's an > open question about which version we should pin for LibreSSL, which > should ultimately come down to which versions of OpenBSD we want PG17 > to support. I would be OK to draw a line to what we test in the buildfarm if it comes to that, down to OpenBSD 6.9. This version is already not supported, and we had a number of issues with older versions and timestamps going backwards. -/* Define to 1 if you have the `CRYPTO_lock' function. */ -#undef HAVE_CRYPTO_LOCK I'm happy to see that gone for good. + # Functions introduced in OpenSSL 1.1.0/LibreSSL 2.7.0. + ['OPENSSL_init_ssl', {'required': true}], + ['BIO_meth_new', {'required': true}], + ['ASN1_STRING_get0_data', {'required': true}], + ['HMAC_CTX_new', {'required': true}], + ['HMAC_CTX_free', {'required': true}], These should be removed to save cycles in ./configure and meson, no? We don't have any more of their HAVE_* flags in the tree with this patch applied. - cdata.set('OPENSSL_API_COMPAT', '0x10002000L', + cdata.set('OPENSSL_API_COMPAT', '0x10100000L', Seems to me that this should also document in meson.build why 1.1.0 is chosen, same as ./configure. It seems to me that src/common/protocol_openssl.c could be cleaned up; I see SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version listed in LibreSSL (looking at some past version of https://github.com/libressl/libressl.git that I still have around). There is an extra thing in pg_strong_random.c once we cut OpenSSL < 1.1.1.. Do we still need pg_strong_random_init() and its RAND_poll() when it comes to LibreSSL? This is a sensitive area, so we should be careful. -- Michael
signature.asc
Description: PGP signature