diff --git a/postgresql-pgcrypto-openssl3-init.patch b/postgresql-pgcrypto-openssl3-init.patch
new file mode 100644
index 0000000..7656ba5
--- /dev/null
+++ b/postgresql-pgcrypto-openssl3-init.patch
@@ -0,0 +1,33 @@
+Upstream patch: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=135d8687ad
+author Daniel Gustafsson
+
+The PX layer in pgcrypto is handling digest padding on its own uniformly
+for all backend implementations. Starting with OpenSSL 3.0.0, DecryptUpdate
+doesn't flush the last block in case padding is enabled so explicitly
+disable it as we don't use it.
+
+This will be backpatched to all supported version once there is sufficient
+testing in the buildfarm of OpenSSL 3.
+
+diff -ur postgresql-14rc1/contrib/pgcrypto/openssl.c postgresql-p/contrib/pgcrypto/openssl.c
+--- postgresql-14rc1/contrib/pgcrypto/openssl.c 2021-09-20 17:33:01.000000000 -0400
++++ postgresql-p/contrib/pgcrypto/openssl.c 2021-10-06 04:07:24.628836908 -0400
+@@ -379,6 +379,8 @@
+ {
+ if (!EVP_DecryptInit_ex(od->evp_ctx, od->evp_ciph, NULL, NULL, NULL))
+ return PXE_CIPHER_INIT;
++ if (!EVP_CIPHER_CTX_set_padding(od->evp_ctx, 0))
++ return PXE_CIPHER_INIT;
+ if (!EVP_CIPHER_CTX_set_key_length(od->evp_ctx, od->klen))
+ return PXE_CIPHER_INIT;
+ if (!EVP_DecryptInit_ex(od->evp_ctx, NULL, NULL, od->key, od->iv))
+@@ -403,6 +405,8 @@
+ {
+ if (!EVP_EncryptInit_ex(od->evp_ctx, od->evp_ciph, NULL, NULL, NULL))
+ return PXE_CIPHER_INIT;
++ if (!EVP_CIPHER_CTX_set_padding(od->evp_ctx, 0))
++ return PXE_CIPHER_INIT;
+ if (!EVP_CIPHER_CTX_set_key_length(od->evp_ctx, od->klen))
+ return PXE_CIPHER_INIT;
+ if (!EVP_EncryptInit_ex(od->evp_ctx, NULL, NULL, od->key, od->iv))
+
diff --git a/postgresql-pgcrypto-openssl3-tests.patch b/postgresql-pgcrypto-openssl3-tests.patch
new file mode 100644
index 0000000..16399a4
--- /dev/null
+++ b/postgresql-pgcrypto-openssl3-tests.patch
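Review bot: Both added `EVP_CIPHER_CTX_set_padding(od->evp_ctx, 0)` calls land in openssl.c without a comment, so the reason OpenSSL's padding is switched off lives only in this patch header. I would put `/* PX does its own padding; with padding enabled, OpenSSL 3 does not flush the last block from DecryptUpdate */` above each call. The embedded diff was also taken against a `postgresql-14rc1` tree while the spec builds 13.4, so it is worth confirming that the hunks at 379 and 403 apply without fuzz. Both init functions start and end outside the hunks shown.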
@@ -0,0 +1,102 @@
+diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out
+--- postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out 2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out 2021-09-01 08:16:48.138600886 -0400
+@@ -4,20 +4,6 @@
+ -- Checking ciphers
+ select pgp_sym_decrypt(dearmor('
+ -----BEGIN PGP MESSAGE-----
+-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
+-
+-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
+-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
+-=JcP+
+------END PGP MESSAGE-----
+-'), 'foobar');
+- pgp_sym_decrypt
+------------------
+- Secret message.
+-(1 row)
+-
+-select pgp_sym_decrypt(dearmor('
+------BEGIN PGP MESSAGE-----
+ Comment: dat1.aes.sha1.mdc.s2k3.z0
+
+ jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
+diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out
+--- postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out 2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out 2021-09-01 08:05:27.750172653 -0400
+@@ -594,13 +594,6 @@
+ (1 row)
+
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
+- pgp_pub_decrypt
+------------------
+- Secret msg
+-(1 row)
+-
+-select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+ from keytbl, encdata where keytbl.id=3 and encdata.id=3;
+ pgp_pub_decrypt
+ -----------------
+diff -ur postgresql-13.4/contrib/pgcrypto/Makefile postgresql-13.4.patched/contrib/pgcrypto/Makefile
+--- postgresql-13.4/contrib/pgcrypto/Makefile 2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/Makefile 2021-09-01 08:26:47.207164873 -0400
+@@ -5,7 +5,7 @@
+ INT_TESTS = sha2
+
+ OSSL_SRCS = openssl.c pgp-mpi-openssl.c
+-OSSL_TESTS = sha2 des 3des cast5
++OSSL_TESTS = sha2
+
+ ZLIB_TST = pgp-compression
+ ZLIB_OFF_TST = pgp-zlib-DISABLED
+@@ -49,12 +49,13 @@
+ pgcrypto--1.0--1.1.sql
+ PGFILEDESC = "pgcrypto - cryptographic functions"
+
+-REGRESS = init md5 sha1 hmac-md5 hmac-sha1 blowfish rijndael \
++REGRESS = init md5 sha1 hmac-md5 hmac-sha1 rijndael \
+ $(CF_TESTS) \
+- crypt-des crypt-md5 crypt-blowfish crypt-xdes \
++ crypt-md5 \
+ pgp-armor pgp-decrypt pgp-encrypt $(CF_PGP_TESTS) \
+ pgp-pubkey-decrypt pgp-pubkey-encrypt pgp-info
+
++#REGRESS = init pgp-pubkey-decrypt pgp-decrypt \
+ EXTRA_CLEAN = gen-rtab
+
+ ifdef USE_PGXS
+diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql
+--- postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql 2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql 2021-09-01 08:16:12.525212175 -0400
+@@ -5,16 +5,6 @@
+ -- Checking ciphers
+ select pgp_sym_decrypt(dearmor('
+ -----BEGIN PGP MESSAGE-----
+-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
+-
+-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
+-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
+-=JcP+
+------END PGP MESSAGE-----
+-'), 'foobar');
+-
+-select pgp_sym_decrypt(dearmor('
+------BEGIN PGP MESSAGE-----
+ Comment: dat1.aes.sha1.mdc.s2k3.z0
+
+ jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
+diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql
+--- postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql 2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql 2021-09-01 08:06:18.963732342 -0400
+@@ -606,9 +606,6 @@
+ from keytbl, encdata where keytbl.id=1 and encdata.id=1;
+
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
+-
+-select pgp_pub_decrypt(dearmor(data), dearmor(seckey)) + from keytbl, encdata where keytbl.id=3 and encdata.id=3; + + select pgp_pub_decrypt(dearmor(data), dearmor(seckey)) diff --git a/postgresql.spec b/postgresql.spec index ced8796..3704b54 100644 --- a/postgresql.spec +++ b/postgresql.spec @@ -61,7 +61,7 @@ Summary: PostgreSQL client programs Name: postgresql %global majorversion 13 Version: %{majorversion}.4 -Release: 2%{?dist} +Release: 3%{?dist} # The PostgreSQL license is very similar to other MIT licenses, but the OSI # recognizes it as an independent license, so we do as well. @@ -112,6 +112,10 @@ Patch9: postgresql-server-pg_config.patch # rhbz#1940964 Patch10: postgresql-datalayout-mismatch-on-s390.patch Patch12: postgresql-no-libecpg.patch +# Upstream patch - it's assumed removal of this patch with the next upstream release +Patch13: postgresql-pgcrypto-openssl3-init.patch +# This patch disables deprecated ciphers in the test suite +Patch14: postgresql-pgcrypto-openssl3-tests.patch BuildRequires: make BuildRequires: gcc @@ -426,7 +430,8 @@ goal of accelerating analytics queries. %endif %patch9 -p1 %patch10 -p1 - +%patch13 -p1 +%patch14 -p1 # We used to run autoconf here, but there's no longer any real need to, # since Postgres ships with a reasonably modern configure script. @@ -1240,6 +1245,10 @@ make -C postgresql-setup-%{setup_version} check %changelog +* Wed Oct 06 2021 Filip Januš - 13.4-3 +- Add patch 13 - corrects initialization of ciphers +- Add patch 14 - disable unsupported ciphers in test suite + * Tue Sep 14 2021 Sahana Prasad - 13.4-2 - Rebuilt with OpenSSL 3.0.0
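Review bot: The added `#REGRESS = init pgp-pubkey-decrypt pgp-decrypt \` line in the embedded Makefile hunk ends in a backslash, and make continues a comment across a trailing backslash, so the following `EXTRA_CLEAN = gen-rtab` is swallowed into the comment; the line looks like a debugging leftover and should be dropped. Separately, the blowfish, des, 3des, cast5 and crypt-des/crypt-blowfish/crypt-xdes tests are removed rather than given expected output for the failure case, so nothing in the suite records how pgcrypto behaves when a caller still asks for those algorithms on OpenSSL 3. 3des and the crypt-* tests may not depend on the ciphers OpenSSL 3 deprecates at all, so it is worth checking that they actually fail before dropping them.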
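Review bot: The comment above `Patch13` says the patch goes away with the next upstream release but does not name the upstream commit it carries, and `Patch14` has no bug reference the way `Patch10` has `# rhbz#1940964`. I would write `# Upstream commit 135d8687ad; drop once the rebased release contains it` for Patch13. For Patch14 the comment should add the tracking bug and say that it changes the test suite only, not pgcrypto's behaviour.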