From 6c66b7443cebf3ff09ea76416a20fb6bb1d32a52 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Thu, 24 Oct 2024 15:20:19 +0200
Subject: [PATCH] Raise the minimum supported OpenSSL version to 1.1.1

Commit a70e01d4306fdbcd retired support for OpenSSL 1.0.2 in order to get
rid of the need for manual initialization of the library.  This left our
API usage compatible with 1.1.0 which was defined as the minimum required
version. Also mention that 3.4 is the minimum version required when using
LibreSSL.

An upcoming commit will introduce support for configuring TLSv1.3 cipher
suites which require an API call in OpenSSL 1.1.1 and onwards.  In order
to support this setting this commit will set v1.1.1 as the new minimum
required version.  The version-specific call for randomness init added
in commit c3333dbc0c0 is removed as it's no longer needed.

Author: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://postgr.es/m/909A668B-06AD-47D1-B8EB-A164211AAD16@yesql.se
Discussion: https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com
---
 configure                      | 36 +++++++++++++++-------------------
 configure.ac                   | 12 ++++--------
 doc/src/sgml/installation.sgml | 12 ++++++++++--
 meson.build                    | 10 +++-------
 src/include/pg_config.h.in     |  6 +++---
 src/port/pg_strong_random.c    | 14 ++++---------
 6 files changed, 40 insertions(+), 50 deletions(-)

diff --git a/configure b/configure
index 3a577e463ba..268ac94ae69 100755
--- a/configure
+++ b/configure
@@ -12224,9 +12224,9 @@ if test "$with_openssl" = yes ; then
 fi
 
 if test "$with_ssl" = openssl ; then
-    # Minimum required OpenSSL version is 1.1.0
+    # Minimum required OpenSSL version is 1.1.1
 
-$as_echo "#define OPENSSL_API_COMPAT 0x10100000L" >>confdefs.h
+$as_echo "#define OPENSSL_API_COMPAT 0x10101000L" >>confdefs.h
 
   if test "$PORTNAME" != "win32"; then
      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5
@@ -12441,6 +12441,20 @@ else
 fi
 
   fi
+  # Functions introduced in OpenSSL 1.1.1.
+  for ac_func in SSL_CTX_set_ciphersuites
+do :
+  ac_fn_c_check_func "$LINENO" "SSL_CTX_set_ciphersuites" "ac_cv_func_SSL_CTX_set_ciphersuites"
+if test "x$ac_cv_func_SSL_CTX_set_ciphersuites" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SSL_CTX_SET_CIPHERSUITES 1
+_ACEOF
+
+else
+  as_fn_error $? "OpenSSL version >= 1.1.1 is required for SSL support" "$LINENO" 5
+fi
+done
+
   # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
   for ac_func in SSL_CTX_set_cert_cb
 do :
@@ -12450,24 +12464,6 @@ if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :
 #define HAVE_SSL_CTX_SET_CERT_CB 1
 _ACEOF
 
-fi
-done
-
-  # Functions introduced in OpenSSL 1.1.0. We used to check for
-  # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
-  # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
-  # doesn't have these OpenSSL 1.1.0 functions. So check for individual
-  # functions.
-  for ac_func in OPENSSL_init_ssl
-do :
-  ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl"
-if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_OPENSSL_INIT_SSL 1
-_ACEOF
-
-else
-  as_fn_error $? "OpenSSL version >= 1.1.0 is required for SSL support" "$LINENO" 5
 fi
 done
 
diff --git a/configure.ac b/configure.ac
index 55f6c46d333..3c89b54bf12 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1311,8 +1311,8 @@ fi
 
 if test "$with_ssl" = openssl ; then
   dnl Order matters!
-  # Minimum required OpenSSL version is 1.1.0
-  AC_DEFINE(OPENSSL_API_COMPAT, [0x10100000L],
+  # Minimum required OpenSSL version is 1.1.1
+  AC_DEFINE(OPENSSL_API_COMPAT, [0x10101000L],
             [Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.])
   if test "$PORTNAME" != "win32"; then
      AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])
@@ -1321,14 +1321,10 @@ if test "$with_ssl" = openssl ; then
      AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
      AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
   fi
+  # Functions introduced in OpenSSL 1.1.1.
+  AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites], [], [AC_MSG_ERROR([OpenSSL version >= 1.1.1 is required for SSL support])])
   # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
   AC_CHECK_FUNCS([SSL_CTX_set_cert_cb])
-  # Functions introduced in OpenSSL 1.1.0. We used to check for
-  # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
-  # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
-  # doesn't have these OpenSSL 1.1.0 functions. So check for individual
-  # functions.
-  AC_CHECK_FUNCS([OPENSSL_init_ssl], [], [AC_MSG_ERROR([OpenSSL version >= 1.1.0 is required for SSL support])])
   # Function introduced in OpenSSL 1.1.1, not in LibreSSL.
   AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets])
   AC_DEFINE([USE_OPENSSL], 1, [Define to 1 to build with OpenSSL support. (--with-ssl=openssl)])
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index 3a491b59896..8449c20f798 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -293,7 +293,13 @@
       encrypted client connections.  <productname>OpenSSL</productname> is
       also required for random number generation on platforms that do not
       have <filename>/dev/urandom</filename> (except Windows).  The minimum
-      required version is 1.1.0.
+      required version is 1.1.1.
+     </para>
+     <para>
+      Additionally, <productname>LibreSSL</productname> is supported using the
+      <productname>OpenSSL</productname> compatibility layer.  The minimum
+      required version is 3.4 (from <systemitem class="osname">OpenBSD</systemitem>
+      version 7.0).
      </para>
     </listitem>
 
@@ -989,7 +995,9 @@ build-postgresql:
         <para>
          Build with support for <acronym>SSL</acronym> (encrypted)
          connections. The only <replaceable>LIBRARY</replaceable>
-         supported is <option>openssl</option>. This requires the
+         supported is <option>openssl</option>, which is used for both
+         <productname>OpenSSL</productname>
+         and <productname>LibreSSL</productname>. This requires the
          <productname>OpenSSL</productname> package to be installed.
          <filename>configure</filename> will check for the required
          header files and libraries to make sure that your
diff --git a/meson.build b/meson.build
index 58e67975e85..bb9d7f5a8e8 100644
--- a/meson.build
+++ b/meson.build
@@ -1361,12 +1361,8 @@ if sslopt in ['auto', 'openssl']
       ['CRYPTO_new_ex_data', {'required': true}],
       ['SSL_new', {'required': true}],
 
-      # Functions introduced in OpenSSL 1.1.0. We used to check for
-      # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
-      # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
-      # doesn't have these OpenSSL 1.1.0 functions. So check for individual
-      # functions.
-      ['OPENSSL_init_ssl', {'required': true}],
+      # Functions introduced in OpenSSL 1.1.1.
+      ['SSL_CTX_set_ciphersuites', {'required': true}],
 
       # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
       ['SSL_CTX_set_cert_cb'],
@@ -1395,7 +1391,7 @@ if sslopt in ['auto', 'openssl']
     if are_openssl_funcs_complete
       cdata.set('USE_OPENSSL', 1,
                 description: 'Define to 1 to build with OpenSSL support. (-Dssl=openssl)')
-      cdata.set('OPENSSL_API_COMPAT', '0x10100000L',
+      cdata.set('OPENSSL_API_COMPAT', '0x10101000L',
                 description: 'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.')
       ssl_library = 'openssl'
     else
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 427030f31a7..cdd9a6e9355 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -280,9 +280,6 @@
 /* Define to 1 if you have the `mkdtemp' function. */
 #undef HAVE_MKDTEMP
 
-/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
-#undef HAVE_OPENSSL_INIT_SSL
-
 /* Define to 1 if you have the <ossp/uuid.h> header file. */
 #undef HAVE_OSSP_UUID_H
 
@@ -358,6 +355,9 @@
 /* Define to 1 if you have the `SSL_CTX_set_cert_cb' function. */
 #undef HAVE_SSL_CTX_SET_CERT_CB
 
+/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
+#undef HAVE_SSL_CTX_SET_CIPHERSUITES
+
 /* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
 #undef HAVE_SSL_CTX_SET_NUM_TICKETS
 
diff --git a/src/port/pg_strong_random.c b/src/port/pg_strong_random.c
index a8efb2b1886..b5f0ea2fdc1 100644
--- a/src/port/pg_strong_random.c
+++ b/src/port/pg_strong_random.c
@@ -31,7 +31,9 @@
  * cryptographically secure, suitable for use e.g. in authentication.
  *
  * Before pg_strong_random is called in any process, the generator must first
- * be initialized by calling pg_strong_random_init().
+ * be initialized by calling pg_strong_random_init().  Initialization is a no-
+ * op for all supported randomness sources, it is kept to maintain backwards
+ * compatibility with extensions.
  *
  * We rely on system facilities for actually generating the numbers.
  * We support a number of sources:
@@ -50,20 +52,12 @@
 
 #ifdef USE_OPENSSL
 
-#include <openssl/opensslv.h>
 #include <openssl/rand.h>
 
 void
 pg_strong_random_init(void)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10101000L)
-	/*
-	 * Make sure processes do not share OpenSSL randomness state.  This is not
-	 * required on LibreSSL and no longer required in OpenSSL 1.1.1 and later
-	 * versions.
-	 */
-	RAND_poll();
-#endif
+	/* No initialization needed */
 }
 
 bool