Discussion: pgsql: Fix compilation on OpenSSL 1.0.2 and LibreSSL


pgsql: Fix compilation on OpenSSL 1.0.2 and LibreSSL

From
Heikki Linnakangas
Date:
Fix compilation on OpenSSL 1.0.2 and LibreSSL

SSL_AD_NO_APPLICATION_PROTOCOL was introduced in OpenSSL 1.1.0.

While we're at it, add a link to the related OpenSSL github issue to
the comment.

Per buildfarm and Tom Lane.

Discussion: https://www.postgresql.org/message-id/1452995.1714433552@sss.pgh.pa.us

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/5bcbe9813bf91bcf14ef3a580162f1600dd3d1d4

Modified Files
--------------
src/interfaces/libpq/fe-secure-openssl.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)


Re: pgsql: Fix compilation on OpenSSL 1.0.2 and LibreSSL

From
Daniel Gustafsson
Date:
> On 30 Apr 2024, at 07:26, Heikki Linnakangas <heikki.linnakangas@iki.fi> wrote:

> Fix compilation on OpenSSL 1.0.2 and LibreSSL
>
> SSL_AD_NO_APPLICATION_PROTOCOL was introduced in OpenSSL 1.1.0.

+        * https://github.com/openssl/openssl/issues/24300.  This is available in
+        * OpenSSL 1.1.0 and later, but as of this writing not in LibreSSL.
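
Review bot: the second `+` line says "as of this writing not in LibreSSL" without naming the LibreSSL or OpenBSD release that was examined, so the claim cannot be re-checked later. Suggest stating the release that was looked at, or dropping the LibreSSL clause and letting the comment describe only what the guard tests, namely whether SSL_AD_NO_APPLICATION_PROTOCOL is defined.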

I'm a bit confused, as far as I can tell this has been in LibreSSL since the
OpenBSD 6.9 release.

https://github.com/openbsd/src/blob/master/lib/libssl/ssl_tlsext.c#L130

Or am I missing something?

--
Daniel Gustafsson




Re: pgsql: Fix compilation on OpenSSL 1.0.2 and LibreSSL

From
Heikki Linnakangas
Date:
On 02/05/2024 12:09, Daniel Gustafsson wrote:
>> On 30 Apr 2024, at 07:26, Heikki Linnakangas <heikki.linnakangas@iki.fi> wrote:
> 
>> Fix compilation on OpenSSL 1.0.2 and LibreSSL
>>
>> SSL_AD_NO_APPLICATION_PROTOCOL was introduced in OpenSSL 1.1.0.
> 
> +        * https://github.com/openssl/openssl/issues/24300.  This is available in
> +        * OpenSSL 1.1.0 and later, but as of this writing not in LibreSSL.
> 
> I'm a bit confused, as far as I can tell this has been in LibreSSL since the
> OpenBSD 6.9 release.
> 
> https://github.com/openbsd/src/blob/master/lib/libssl/ssl_tlsext.c#L130
> 
> Or am I missing something?

Hmm, I'm not sure how exactly LibreSSL is versioned. But morepork runs 
OpenBSD 6.9, and it was one of the failing buildfarm members: 
https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=morepork&dt=2024-04-30%2004%3A30%3A28. 
And I don't see the symbol in a fresh checkout of the portable libressl 
repository at https://github.com/libressl/portable.

-- 
Heikki Linnakangas
Neon (https://neon.tech)




Re: pgsql: Fix compilation on OpenSSL 1.0.2 and LibreSSL

From
Daniel Gustafsson
Date:
> On 2 May 2024, at 11:30, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>
> On 02/05/2024 12:09, Daniel Gustafsson wrote:
>>> On 30 Apr 2024, at 07:26, Heikki Linnakangas <heikki.linnakangas@iki.fi> wrote:
>>> Fix compilation on OpenSSL 1.0.2 and LibreSSL
>>>
>>> SSL_AD_NO_APPLICATION_PROTOCOL was introduced in OpenSSL 1.1.0.
>> +        * https://github.com/openssl/openssl/issues/24300.  This is available in
>> +        * OpenSSL 1.1.0 and later, but as of this writing not in LibreSSL.
>> I'm a bit confused, as far as I can tell this has been in LibreSSL since the
>> OpenBSD 6.9 release.
>> https://github.com/openbsd/src/blob/master/lib/libssl/ssl_tlsext.c#L130
>> Or am I missing something?
>
> Hmm, I'm not sure how exactly LibreSSL is versioned. But morepork runs OpenBSD 6.9, and it was one of the failing
> buildfarm members: https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=morepork&dt=2024-04-30%2004%3A30%3A28.

Turns out I fat-fingered my grep, it's available starting with OpenBSD 7.0 so
the morepork failure makes sense.

> And I don't see the symbol in a fresh checkout of the portable libressl repository at
> https://github.com/libressl/portable.

The portable repo only contains the portable parts, did you pull the libssl
code with ./autogen?  If so you should be able to see it, like below:

:~/dev/tls/libressl $ git clone git@github.com:libressl/portable.git
:~/dev/tls/libressl $ cd portable/
:~/dev/tls/libressl/portable (master) $ git checkout OPENBSD_7_0
branch 'OPENBSD_7_0' set up to track 'origin/OPENBSD_7_0'.
Switched to a new branch 'OPENBSD_7_0'
:~/dev/tls/libressl/portable (OPENBSD_7_0) $ ./autogen.sh
    ...
:~/dev/tls/libressl/portable (OPENBSD_7_0) $ cd openbsd/
:~/dev/tls/libressl/portable/openbsd (OPENBSD_7_0) $ git grep SSL_AD_NO_APPLICATION_PROTOCOL
src/lib/libssl/ssl.h:#define SSL_AD_NO_APPLICATION_PROTOCOL             120
src/lib/libssl/ssl_tlsext.c:    *alert = SSL_AD_NO_APPLICATION_PROTOCOL;

This makes targeting 7.0 as the lowest LibreSSL version appealing in my
patchset for removing support for old OpenSSL and LibreSSL versions.

--
Daniel Gustafsson




Re: pgsql: Fix compilation on OpenSSL 1.0.2 and LibreSSL

From
Heikki Linnakangas
Date:
On 02/05/2024 13:24, Daniel Gustafsson wrote:
>> On 2 May 2024, at 11:30, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>> And I don't see the symbol in a fresh checkout of the portable libressl repository at
>> https://github.com/libressl/portable.
> 
> The portable repo only contains the portable parts, did you pull the libssl
> code with ./autogen?

Ah, ok, I did not.

> If so you should be able to see it, like below:
> 
> :~/dev/tls/libressl $ git clone git@github.com:libressl/portable.git
> :~/dev/tls/libressl $ cd portable/
> :~/dev/tls/libressl/portable (master) $ git checkout OPENBSD_7_0
> branch 'OPENBSD_7_0' set up to track 'origin/OPENBSD_7_0'.
> Switched to a new branch 'OPENBSD_7_0'
> :~/dev/tls/libressl/portable (OPENBSD_7_0) $ ./autogen.sh
>     ...
> :~/dev/tls/libressl/portable (OPENBSD_7_0) $ cd openbsd/
> :~/dev/tls/libressl/portable/openbsd (OPENBSD_7_0) $ git grep SSL_AD_NO_APPLICATION_PROTOCOL
> src/lib/libssl/ssl.h:#define SSL_AD_NO_APPLICATION_PROTOCOL             120
> src/lib/libssl/ssl_tlsext.c:    *alert = SSL_AD_NO_APPLICATION_PROTOCOL;
> 
> This makes targeting 7.0 as the lowest LibreSSL version appealing in my
> patchset for removing support for old OpenSSL and LibreSSL versions.

Works for me. Although there's little harm in keeping the "#ifdef 
SSL_AD_NO_APPLICATION_PROTOCOL" either, if that's the only thing missing 
from 6.9.

-- 
Heikki Linnakangas
Neon (https://neon.tech)




Re: pgsql: Fix compilation on OpenSSL 1.0.2 and LibreSSL

From
Daniel Gustafsson
Date:
> On 2 May 2024, at 12:30, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> On 02/05/2024 13:24, Daniel Gustafsson wrote:

>> This makes targeting 7.0 as the lowest LibreSSL version appealing in my
>> patchset for removing support for old OpenSSL and LibreSSL versions.
>
> Works for me. Although there's little harm in keeping the "#ifdef SSL_AD_NO_APPLICATION_PROTOCOL" either, if that's
> the only thing missing from 6.9.

In the meantime I'll apply the below to keep the comment correct and to help
future-me when revisiting SSL library support =)

-        * OpenSSL 1.1.0 and later, but as of this writing not in LibreSSL.
+        * OpenSSL 1.1.0 and later, as well as in LibreSSL 3.4.3 (OpenBSD 7.0) and
+        * later.
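
Review bot: the new `+` lines pair two version identifiers, "LibreSSL 3.4.3 (OpenBSD 7.0)", but the check shown in this thread is a git grep on the OPENBSD_7_0 branch, which confirms only the OpenBSD release; nothing visible here shows where 3.4.3 comes from. Suggest noting in the comment or the commit message how the LibreSSL number was determined, and saying that the code keys on the macro being defined rather than on either version number, so the comment stays accurate if the mapping is off.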

Any objections to that?

--
Daniel Gustafsson




Re: pgsql: Fix compilation on OpenSSL 1.0.2 and LibreSSL

From
Heikki Linnakangas
Date:
On 03/05/2024 11:44, Daniel Gustafsson wrote:
>> On 2 May 2024, at 12:30, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>> On 02/05/2024 13:24, Daniel Gustafsson wrote:
> 
>>> This makes targeting 7.0 as the lowest LibreSSL version appealing in my
>>> patchset for removing support for old OpenSSL and LibreSSL versions.
>>
>> Works for me. Although there's little harm in keeping the "#ifdef SSL_AD_NO_APPLICATION_PROTOCOL" either, if that's
>> the only thing missing from 6.9.
> 
> In the meantime I'll apply the below to keep the comment correct and to help
> future-me when revisiting SSL library support =)
> 
> -        * OpenSSL 1.1.0 and later, but as of this writing not in LibreSSL.
> +        * OpenSSL 1.1.0 and later, as well as in LibreSSL 3.4.3 (OpenBSD 7.0) and
> +        * later.
> 
> Any objections to that?

Sounds good

-- 
Heikki Linnakangas
Neon (https://neon.tech)