mirror of
https://github.com/postgres/postgres.git
synced 2026-03-01 21:01:12 -05:00
5fd61055ea
OpenSSL 1.1.1 and newer versions have added support for RSA-PSS certificates, which requires the use of a specific routine in OpenSSL to determine which hash function to use when compiling it when using channel binding in SCRAM-SHA-256. X509_get_signature_nid(), that is the original routine the channel binding code has relied on, is not able to determine which hash algorithm to use for such certificates. However, X509_get_signature_info(), new to OpenSSL 1.1.1, is able to do it. This commit switches the channel binding logic to rely on X509_get_signature_info() over X509_get_signature_nid(), which would be the choice when building with 1.1.1 or newer. The error could have been triggered on the client or the server, hence libpq and the backend need to have their related code paths patched. Note that attempting to load an RSA-PSS certificate with OpenSSL 1.1.0 or older leads to a failure due to an unsupported algorithm. The discovery of relying on X509_get_signature_info() comes from Jacob, the tests have been written by Heikki (with few tweaks from me), while I have bundled the whole together while adding the bits needed for MSVC and meson. This issue exists since channel binding exists, so backpatch all the way down. Some tests are added in 15~, triggered if compiling with OpenSSL 1.1.1 or newer, where the certificate and key files can easily be generated for RSA-PSS. Reported-by: Gunnar "Nick" Bluth Author: Jacob Champion, Heikki Linnakangas Discussion: https://postgr.es/m/17760-b6c61e752ec07060@postgresql.org Backpatch-through: 11 |
||
|---|---|---|
| .. | ||
| access | ||
| backup | ||
| bootstrap | ||
| catalog | ||
| commands | ||
| common | ||
| datatype | ||
| executor | ||
| fe_utils | ||
| foreign | ||
| jit | ||
| lib | ||
| libpq | ||
| mb | ||
| nodes | ||
| optimizer | ||
| parser | ||
| partitioning | ||
| port | ||
| portability | ||
| postmaster | ||
| regex | ||
| replication | ||
| rewrite | ||
| snowball | ||
| statistics | ||
| storage | ||
| tcop | ||
| tsearch | ||
| utils | ||
| .gitignore | ||
| c.h | ||
| fmgr.h | ||
| funcapi.h | ||
| getaddrinfo.h | ||
| getopt_long.h | ||
| Makefile | ||
| miscadmin.h | ||
| pg_config.h.in | ||
| pg_config_ext.h.in | ||
| pg_config_manual.h | ||
| pg_getopt.h | ||
| pg_trace.h | ||
| pgstat.h | ||
| pgtar.h | ||
| pgtime.h | ||
| port.h | ||
| postgres.h | ||
| postgres_ext.h | ||
| postgres_fe.h | ||
| rusagestub.h | ||
| windowapi.h | ||