postgres: add ./configure option for ciphers

Version: 9.6.1-4.fc25.ciphers_test

postgresql.spec

@@ -67,7 +67,7 @@ Summary: PostgreSQL client programs
 Name: postgresql
 %global majorversion 9.6
 Version: 9.6.1
-Release: 3%{?dist}
+Release: 4%{?dist}.ciphers_test
 
 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
 # recognizes it as an independent license, so we do as well.
@@ -114,6 +114,7 @@ Patch2: postgresql-logging.patch
 Patch3: postgresql-perl-rpath.patch
 Patch5: postgresql-var-run-socket.patch
 Patch6: postgresql-man.patch
+Patch7: specific-cipher-set.patch
 
 BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk help2man
 BuildRequires: perl(ExtUtils::Embed), perl-devel
@@ -363,6 +364,7 @@ benchmarks.
 %patch3 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 # We used to run autoconf here, but there's no longer any real need to,
 # since Postgres ships with a reasonably modern configure script.
@@ -450,6 +452,7 @@ export PYTHON=/usr/bin/python3
 %endif
 %if %ssl
 	--with-openssl \
+	--with-openssl-be-ciphers="PROFILE=SYSTEM" \
 %endif
 %if %pam
 	--with-pam \
@@ -513,6 +516,7 @@ unset PYTHON
 %endif
 %if %ssl
 	--with-openssl \
+	--with-openssl-be-ciphers="PROFILE=SYSTEM" \
 %endif
 %if %pam
 	--with-pam \
@@ -1198,6 +1202,9 @@ fi
 %endif
 
 %changelog
+* Thu Jan 19 2017 Pavel Raiskup <praiskup@redhat.com> - 9.6.1-4.fc25.ciphers_test
+- test upstream proposal
+
 * Thu Jan 12 2017 Igor Gnatenko <ignatenko@redhat.com> - 9.6.1-3
 - Rebuild for readline 7.x
 

specific-cipher-set.patch

@@ -0,0 +1,130 @@
+From 4ec0b8204dcf833025a9781d4bb1785e8540be6f Mon Sep 17 00:00:00 2001
+From: Pavel Raiskup <praiskup@redhat.com>
+Date: Wed, 18 Jan 2017 13:34:55 +0100
+Subject: [PATCH] Allow setting distribution-specific cipher set
+
+Fedora OpenSSL maintainers invented a way to specify consolidated,
+per-system cipher set [1] and it is our packaging policy to comply
+(if this is a bit meaningful).
+
+So for such situations ./configure options comes in handy instead
+of downstream-patching, per Red Hat bug report [2].
+
+[1] https://fedoraproject.org/wiki/Packaging:CryptoPolicies
+[2] https://bugzilla.redhat.com/show_bug.cgi?id=1348125
+---
+ configure                    | 32 ++++++++++++++++++++++++++++++++
+ configure.in                 |  8 ++++++++
+ src/backend/utils/misc/guc.c |  4 ++++
+ src/include/pg_config.h.in   |  3 +++
+ 4 files changed, 47 insertions(+)
+
+diff --git a/configure b/configure
+index 9a83f19..0188bfc 100755
+--- a/configure
++++ b/configure
+@@ -832,6 +832,7 @@ with_bsd_auth
+ with_ldap
+ with_bonjour
+ with_openssl
++with_openssl_be_ciphers
+ with_selinux
+ with_systemd
+ with_readline
+@@ -1523,6 +1524,8 @@ Optional Packages:
+   --with-ldap             build with LDAP support
+   --with-bonjour          build with Bonjour support
+   --with-openssl          build with OpenSSL support
++  --with-openssl-be-ciphers=STRING
++                          Replace the default list of server-supported ciphers
+   --with-selinux          build with SELinux support
+   --with-systemd          build with systemd support
+   --without-readline      do not use GNU Readline nor BSD Libedit for editing
+@@ -5740,6 +5743,35 @@ fi
+ $as_echo "$with_openssl" >&6; }
+ 
+ 
++
++
++
++# Check whether --with-openssl-be-ciphers was given.
++if test "${with_openssl_be_ciphers+set}" = set; then :
++  withval=$with_openssl_be_ciphers;
++  case $withval in
++    yes)
++      as_fn_error $? "argument required for --with-openssl-be-ciphers option" "$LINENO" 5
++      ;;
++    no)
++      as_fn_error $? "argument required for --with-openssl-be-ciphers option" "$LINENO" 5
++      ;;
++    *)
++
++cat >>confdefs.h <<_ACEOF
++#define PG_DEFAULT_SSL_CIPHERS "$with_openssl_be_ciphers"
++_ACEOF
++
++      ;;
++  esac
++
++fi
++
++
++
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to replace default OpenSSL cypher set" >&5
++$as_echo_n "checking whether to replace default OpenSSL cypher set... " >&6; }
++
+ #
+ # SELinux
+ #
+diff --git a/configure.in b/configure.in
+index 52e4e78..663cbee 100644
+--- a/configure.in
++++ b/configure.in
+@@ -717,6 +717,14 @@ PGAC_ARG_BOOL(with, openssl, no, [build with OpenSSL support],
+ AC_MSG_RESULT([$with_openssl])
+ AC_SUBST(with_openssl)
+ 
++PGAC_ARG_REQ(with, openssl-be-ciphers, [STRING],
++             [Replace the default list of server-supported ciphers],
++             [AC_DEFINE_UNQUOTED([PG_DEFAULT_SSL_CIPHERS],
++                                 ["$with_openssl_be_ciphers"],
++                                 [Re-define the default for server ssl_ciphers option])])
++
++AC_MSG_CHECKING([whether to replace default OpenSSL cypher set])
++
+ #
+ # SELinux
+ #
+diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
+index 4e2bd4c..c4a992e 100644
+--- a/src/backend/utils/misc/guc.c
++++ b/src/backend/utils/misc/guc.c
+@@ -3514,7 +3514,11 @@ static struct config_string ConfigureNamesString[] =
+ 		},
+ 		&SSLCipherSuites,
+ #ifdef USE_SSL
++#ifdef PG_DEFAULT_SSL_CIPHERS
++		PG_DEFAULT_SSL_CIPHERS,
++#else
+ 		"HIGH:MEDIUM:+3DES:!aNULL",
++#endif
+ #else
+ 		"none",
+ #endif
+diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
+index b9dfdd4..b3f9a5b 100644
+--- a/src/include/pg_config.h.in
++++ b/src/include/pg_config.h.in
+@@ -744,6 +744,9 @@
+ /* Define to the version of this package. */
+ #undef PACKAGE_VERSION
+ 
++/* Re-define the default for server ssl_ciphers option */
++#undef PG_DEFAULT_SSL_CIPHERS
++
+ /* Define to the name of a signed 128-bit integer type. */
+ #undef PG_INT128_TYPE
+ 
+-- 
+2.9.3
+