update version to 6.0.0

This commit is contained in:
liuheng 2024-11-19 14:48:47 +08:00
parent 165ab57137
commit 5532974eb0
24 changed files with 6871 additions and 2531 deletions




@ -1,9 +1,12 @@
version=5.0.1
current_dir=$(pwd)
cd $current_dir
version=6.0.0
server_repo=https://gitee.com/opengauss/openGauss-server.git
plugin_repo=https://gitee.com/opengauss/Plugin.git
git clone $server_repo -b v5.0.1 openGauss-server-$version
git clone $plugin_repo -b v5.0.1 Plugin-$version
git clone $server_repo -b v6.0.0 openGauss-server-$version
git clone $plugin_repo -b v6.0.0 Plugin-$version
cp -rf Plugin-$version/contrib/* openGauss-server-$version/contrib/
rm -rf openGauss-server-$version/contrib/datavec
cd openGauss-server-$version
gitcommit=$(git log 2>/dev/null | grep commit | head -1 | awk '{print $2}' | cut -b 1-8)
echo $gitcommit > ../COMMIT
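Review bot: The clones at `git clone $server_repo -b v6.0.0 openGauss-server-$version` and `git clone $plugin_repo -b v6.0.0 Plugin-$version` fetch a tag name over the network and never verify what arrived, so a moved or re-pushed tag on the remote changes the build input silently; the `COMMIT` file only records the hash after the fact. Pin the expected commit and abort on mismatch, e.g. `[ "$(git -C openGauss-server-$version rev-parse HEAD)" = "$EXPECTED_SERVER_COMMIT" ] || exit 1` (or `git verify-tag v6.0.0` if the tags are signed — I cannot tell from this hunk). The script also has no `set -e`, so a failed clone still proceeds to the `cp -rf` and `rm -rf` steps on whatever is in the working directory; `set -euo pipefail` after the shebang would stop that, and quoting `cd "$current_dir"` guards against paths with spaces.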


@ -1,335 +0,0 @@
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/cmake/src/set_thirdparty_path.cmake openGauss-server-5.0.1-edit/cmake/src/set_thirdparty_path.cmake
*** openGauss-server-5.0.1/cmake/src/set_thirdparty_path.cmake 2024-05-07 20:16:38.988794109 +0800
--- openGauss-server-5.0.1-edit/cmake/src/set_thirdparty_path.cmake 2024-05-09 14:15:39.965184154 +0800
***************
*** 158,163 ****
--- 158,165 ----
if(${WITH_OPENEULER_OS} STREQUAL "ON")
set(SECURE_C_CHECK boundscheck)
+ elseif(${ENABLE_OPENEULER_MAJOR} STREQUAL "ON")
+ set(SECURE_C_CHECK boundscheck)
else()
set(SECURE_C_CHECK securec)
endif()
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/CMakeLists.txt openGauss-server-5.0.1-edit/src/CMakeLists.txt
*** openGauss-server-5.0.1/src/CMakeLists.txt 2024-05-07 20:16:39.156795348 +0800
--- openGauss-server-5.0.1-edit/src/CMakeLists.txt 2024-05-09 15:36:33.381689446 +0800
***************
*** 192,198 ****
endif()
if("${ENABLE_MULTIPLE_NODES}" STREQUAL "OFF")
! install(DIRECTORY ${DCF_LIB_PATH} DESTINATION .)
endif()
if(${ENABLE_MULTIPLE_NODES}_${ENABLE_PRIVATEGAUSS} STREQUAL OFF_OFF AND NOT ${ENABLE_LITE_MODE} STREQUAL ON)
if(EXISTS ${DMS_LIB_PATH})
--- 192,200 ----
endif()
if("${ENABLE_MULTIPLE_NODES}" STREQUAL "OFF")
! if(EXISTS ${DCF_LIB_PATH})
! install(DIRECTORY ${DCF_LIB_PATH} DESTINATION .)
! endif()
endif()
if(${ENABLE_MULTIPLE_NODES}_${ENABLE_PRIVATEGAUSS} STREQUAL OFF_OFF AND NOT ${ENABLE_LITE_MODE} STREQUAL ON)
if(EXISTS ${DMS_LIB_PATH})
***************
*** 206,218 ****
endif()
endif()
- install(DIRECTORY ${ZSTD_LIB_PATH} DESTINATION . PATTERN "*.a" EXCLUDE)
if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
install(DIRECTORY ${LIBOBS_LIB_PATH} DESTINATION .)
install(DIRECTORY ${LIBOBS_INCLUDE_PATH} DESTINATION include/postgresql/server/access/obs)
endif()
! install(DIRECTORY ${CJSON_LIB_PATH} DESTINATION .)
! install(DIRECTORY ${CJSON_INCLUDE_PATH}/cjson DESTINATION include/postgresql/server)
if(NOT ${ENABLE_LITE_MODE} STREQUAL ON)
install(DIRECTORY ${ETCD_BIN_PATH} DESTINATION .)
install(DIRECTORY ${IPERF_LIB_PATH} DESTINATION .)
--- 208,218 ----
endif()
endif()
if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
install(DIRECTORY ${LIBOBS_LIB_PATH} DESTINATION .)
install(DIRECTORY ${LIBOBS_INCLUDE_PATH} DESTINATION include/postgresql/server/access/obs)
endif()
!
if(NOT ${ENABLE_LITE_MODE} STREQUAL ON)
install(DIRECTORY ${ETCD_BIN_PATH} DESTINATION .)
install(DIRECTORY ${IPERF_LIB_PATH} DESTINATION .)
***************
*** 222,242 ****
install(DIRECTORY ${KMC_LIB_PATH} DESTINATION .)
endif()
endif()
- install(DIRECTORY ${LIBCURL_LIB_PATH} DESTINATION .)
if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
install(DIRECTORY ${KERBEROS_SBIN_PATH}/ DESTINATION bin)
install(DIRECTORY ${KERBEROS_BIN_PATH} DESTINATION .)
install(DIRECTORY ${KERBEROS_LIB_PATH} DESTINATION .)
endif()
! install(DIRECTORY ${LZ4_LIB_PATH} DESTINATION .)
! install(DIRECTORY ${LZ4_BIN_PATH} DESTINATION .)
! install(DIRECTORY ${LIBOPENSSL_BIN_PATH} DESTINATION .)
! install(DIRECTORY ${LIBOPENSSL_LIB_PATH} DESTINATION . PATTERN "*.a" EXCLUDE )
install(DIRECTORY ${ZLIB_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libz.*")
list(FIND MACRO_OPTIONS "-D__USE_NUMA" RET_NUMA)
if(NOT ${RET_NUMA} EQUAL -1)
! install(DIRECTORY ${NUMA_LIB_PATH} DESTINATION .)
endif()
if("${ENABLE_MOT}" STREQUAL "ON")
--- 222,240 ----
install(DIRECTORY ${KMC_LIB_PATH} DESTINATION .)
endif()
endif()
if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
install(DIRECTORY ${KERBEROS_SBIN_PATH}/ DESTINATION bin)
install(DIRECTORY ${KERBEROS_BIN_PATH} DESTINATION .)
install(DIRECTORY ${KERBEROS_LIB_PATH} DESTINATION .)
endif()
!
install(DIRECTORY ${ZLIB_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libz.*")
list(FIND MACRO_OPTIONS "-D__USE_NUMA" RET_NUMA)
if(NOT ${RET_NUMA} EQUAL -1)
! if(EXISTS ${NUMA_LIB_PATH})
! install(DIRECTORY ${NUMA_LIB_PATH} DESTINATION .)
! endif()
endif()
if("${ENABLE_MOT}" STREQUAL "ON")
***************
*** 251,261 ****
install(CODE "message(\"-- Created symlink: libatomic.so.1 -> libatomic.so.1.2.0\")")
endif()
- install(FILES ${SECUREDYNAMICLIB_HOME}/libsecurec.so DESTINATION lib)
- install(FILES ${BUILDTOOLS_PATH}/gcc7.3/gcc/lib64/libgcc_s.so.1 DESTINATION lib)
- install(FILES ${BUILDTOOLS_PATH}/gcc7.3/gcc/lib64/libgomp.so DESTINATION lib)
- install(FILES ${BUILDTOOLS_PATH}/gcc7.3/gcc/lib64/libgomp.so.1 DESTINATION lib)
- install(FILES ${BUILDTOOLS_PATH}/gcc7.3/gcc/lib64/libgomp.so.1.0.0 DESTINATION lib)
install(FILES ${XGBOOST_LIB_PATH}/libxgboost.so DESTINATION lib)
if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
install(FILES ${PLJAVA_HOME}/lib/libpljava.so DESTINATION lib)
--- 249,254 ----
***************
*** 273,295 ****
install(DIRECTORY ${GCC_LIB_PATH}/lib64/ DESTINATION lib
FILES_MATCHING PATTERN "libatomic.so*")
endif()
-
- install(FILES ${GCC_LIB_PATH}/lib64/libgcc_s.so.1 DESTINATION lib)
- install(DIRECTORY ${GCC_LIB_PATH}/lib64/ DESTINATION lib
- FILES_MATCHING PATTERN "libgomp.so*")
-
- install(CODE "execute_process(
- COMMAND cp ${GCC_LIB_PATH}/lib64/libstdc++.so.6.0.24 ${prefix_home}/lib/libstdc++.so.6
- WORKING_DIRECTORY ${prefix_home}/lib)"
- )
-
- # install(DIRECTORY ${LIBCGROUP_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libcgroup.so*")
- install(CODE "execute_process(
- COMMAND cp ${LIBCGROUP_LIB_PATH}/libcgroup.so.1.0.42 ${prefix_home}/lib/libcgroup.so
- COMMAND ln -fs libcgroup.so libcgroup.so.1
- WORKING_DIRECTORY ${prefix_home}/lib)"
- )
- install(CODE "message(\"-- Created symlink: libcgroup.so.1 -> libcgroup.so\")")
# fastcheck part
install(FILES ${PROJECT_SRC_DIR}/test/regress/stub/roach_api_stub/roach_api_stub.control
--- 266,271 ----
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/common/interfaces/libpq/CMakeLists.txt openGauss-server-5.0.1-edit/src/common/interfaces/libpq/CMakeLists.txt
*** openGauss-server-5.0.1/src/common/interfaces/libpq/CMakeLists.txt 2024-05-07 20:16:39.540798180 +0800
--- openGauss-server-5.0.1-edit/src/common/interfaces/libpq/CMakeLists.txt 2024-05-09 14:15:40.525188303 +0800
***************
*** 118,129 ****
set(pq_LINK_OPTIONS ${LIB_LINK_OPTIONS})
add_shared_libtarget(pq TGT_pq_SRC TGT_pq_INC "${pq_DEF_OPTIONS}" "${pq_COMPILE_OPTIONS}" "${pq_LINK_OPTIONS}")
if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
! target_link_libraries(pq PRIVATE com_err_gauss crypto gssapi_krb5_gauss gssrpc_gauss k5crypto_gauss krb5_gauss krb5support_gauss securec ssl)
else()
! target_link_libraries(pq PRIVATE crypto securec ssl)
endif()
target_link_directories(pq PUBLIC
! ${LIBOPENSSL_LIB_PATH} ${KERBEROS_LIB_PATH} ${SECURE_LIB_PATH}
${PROJECT_SRC_DIR}/common/port ${PROJECT_SRC_DIR}/gstrace/common
)
set_target_properties(pq PROPERTIES VERSION 5.5)
--- 118,129 ----
set(pq_LINK_OPTIONS ${LIB_LINK_OPTIONS})
add_shared_libtarget(pq TGT_pq_SRC TGT_pq_INC "${pq_DEF_OPTIONS}" "${pq_COMPILE_OPTIONS}" "${pq_LINK_OPTIONS}")
if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
! target_link_libraries(pq PRIVATE com_err_gauss crypto gssapi_krb5_gauss gssrpc_gauss k5crypto_gauss krb5_gauss krb5support_gauss ${SECURE_C_CHECK} ssl)
else()
! target_link_libraries(pq PRIVATE crypto ${SECURE_C_CHECK} ssl)
endif()
target_link_directories(pq PUBLIC
! ${LIBOPENSSL_LIB_PATH} ${KERBEROS_LIB_PATH}
${PROJECT_SRC_DIR}/common/port ${PROJECT_SRC_DIR}/gstrace/common
)
set_target_properties(pq PROPERTIES VERSION 5.5)
***************
*** 302,308 ****
endif()
add_dependencies(pq_ce libpq_ce cmk_entity_manager_hooks encryption_hooks client_logic_common client_logic_expressions client_logic_cache client_logic_processor client_logic_fmt client_logic_hooks client_logic_data_fetcher frontend_parser)
target_link_directories(pq_ce PUBLIC
- ${SECURE_LIB_PATH}
${KMC_LIB_PATH}
${LIBOPENSSL_LIB_PATH}
${CJSON_LIB_PATH}
--- 302,307 ----
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/gausskernel/cbb/communication/libcomm_utils/libcomm_thread.cpp openGauss-server-5.0.1-edit/src/gausskernel/cbb/communication/libcomm_utils/libcomm_thread.cpp
*** openGauss-server-5.0.1/src/gausskernel/cbb/communication/libcomm_utils/libcomm_thread.cpp 2024-05-07 20:16:39.608798681 +0800
--- openGauss-server-5.0.1-edit/src/gausskernel/cbb/communication/libcomm_utils/libcomm_thread.cpp 2024-05-07 20:17:58.873383188 +0800
***************
*** 2417,2423 ****
#else
switch ((comm_sender_flower_pid = fork_process())) {
#endif
! case -1:
ereport(LOG, (errmsg("could not fork comm sender flower process: %m")));
return 0;
#ifndef EXEC_BACKEND
--- 2417,2423 ----
#else
switch ((comm_sender_flower_pid = fork_process())) {
#endif
! case (ThreadId)-1:
ereport(LOG, (errmsg("could not fork comm sender flower process: %m")));
return 0;
#ifndef EXEC_BACKEND
***************
*** 2454,2460 ****
#else
switch ((comm_receiver_flower_pid = fork_process())) {
#endif
! case -1:
ereport(LOG, (errmsg("could not fork comm sender flower process: %m")));
return 0;
#ifndef EXEC_BACKEND
--- 2454,2460 ----
#else
switch ((comm_receiver_flower_pid = fork_process())) {
#endif
! case (ThreadId)-1:
ereport(LOG, (errmsg("could not fork comm sender flower process: %m")));
return 0;
#ifndef EXEC_BACKEND
***************
*** 2488,2494 ****
#else
switch ((comm_auxiliary_pid = fork_process())) {
#endif
! case -1:
ereport(LOG, (errmsg("could not fork comm auxiliary flower process: %m")));
return 0;
#ifndef EXEC_BACKEND
--- 2488,2494 ----
#else
switch ((comm_auxiliary_pid = fork_process())) {
#endif
! case (ThreadId)-1:
ereport(LOG, (errmsg("could not fork comm auxiliary flower process: %m")));
return 0;
#ifndef EXEC_BACKEND
***************
*** 2522,2528 ****
switch ((comm_receiver_pid = fork_process()))
#endif
{
! case -1:
ereport(LOG, (errmsg("could not fork comm receiver process: %m")));
return 0;
#ifndef EXEC_BACKEND
--- 2522,2528 ----
switch ((comm_receiver_pid = fork_process()))
#endif
{
! case (ThreadId)-1:
ereport(LOG, (errmsg("could not fork comm receiver process: %m")));
return 0;
#ifndef EXEC_BACKEND
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/gausskernel/storage/smgr/smgr.cpp openGauss-server-5.0.1-edit/src/gausskernel/storage/smgr/smgr.cpp
*** openGauss-server-5.0.1/src/gausskernel/storage/smgr/smgr.cpp 2024-05-07 20:16:39.940801129 +0800
--- openGauss-server-5.0.1-edit/src/gausskernel/storage/smgr/smgr.cpp 2024-05-07 20:17:59.201385607 +0800
***************
*** 949,955 ****
return convertScalarToDatumT<UNKNOWNOID>;
}
default: {
! return convertScalarToDatumT<-2>;
}
}
}
--- 949,955 ----
return convertScalarToDatumT<UNKNOWNOID>;
}
default: {
! return convertScalarToDatumT<((Oid)-2)>;
}
}
}
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' Plugin-5.0.1/contrib/dolphin/cmake.sh Plugin-5.0.1-edit/contrib/dolphin/cmake.sh
*** Plugin-5.0.1/contrib/dolphin/cmake.sh 2024-06-12 20:17:51.731405913 +0800
--- Plugin-5.0.1-edit/contrib/dolphin/cmake.sh 2024-06-12 20:43:24.223308216 +0800
***************
*** 1,5 ****
#!/bin/bash
! CMAKE_OPT="-DENABLE_MULTIPLE_NODES=OFF -DENABLE_PRIVATEGAUSS=OFF -DENABLE_THREAD_SAFETY=ON -DENABLE_LITE_MODE=ON"
cpus_num=$(grep -w processor /proc/cpuinfo|wc -l)
rm -f dolphin--1.0.sql
touch dolphin--1.0.sql
--- 1,5 ----
#!/bin/bash
! CMAKE_OPT="-DENABLE_MULTIPLE_NODES=OFF -DENABLE_PRIVATEGAUSS=OFF -DENABLE_THREAD_SAFETY=ON -DENABLE_LITE_MODE=ON -DENABLE_OPENEULER_MAJOR=ON -DWITH_OPENEULER_OS=ON"
cpus_num=$(grep -w processor /proc/cpuinfo|wc -l)
rm -f dolphin--1.0.sql
touch dolphin--1.0.sql
***************
*** 9,14 ****
--- 9,15 ----
touch dolphin--1.2.sql
cat dolphin--1.0.sql >> dolphin--1.2.sql
cat upgrade_script/dolphin--1.0--1.2.sql >> dolphin--1.2.sql
+ BUILD_TUPLE=$(uname -p)
cp llvmir/openGauss_expr_dolphin_${BUILD_TUPLE}.ir openGauss_expr_dolphin.ir
DOLPHIN_CMAKE_BUILD_DIR=`pwd`/tmp_build
[ -d "${DOLPHIN_CMAKE_BUILD_DIR}" ] && rm -rf ${DOLPHIN_CMAKE_BUILD_DIR}
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/bin/pg_ctl/backup.cpp openGauss-server-5.0.1-edit/src/bin/pg_ctl/backup.cpp
*** openGauss-server-5.0.1/src/bin/pg_ctl/backup.cpp 2024-05-09 14:48:32.000000000 +0800
--- openGauss-server-5.0.1-edit/src/bin/pg_ctl/backup.cpp 2024-06-19 16:22:57.390413059 +0800
***************
*** 1939,1945 ****
}
while (1) {
de = readdir(dir);
! if (de <= 0) {
break;
}
if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) {
--- 1939,1945 ----
}
while (1) {
de = readdir(dir);
! if (de == NULL) {
break;
}
if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) {
***************
*** 2799,2802 ****
/* free sysidentifier after use */
pg_free(sysidentifier);
sysidentifier = NULL;
! }
\ No newline at end of file
--- 2799,2802 ----
/* free sysidentifier after use */
pg_free(sysidentifier);
sysidentifier = NULL;
! }


@ -1,39 +0,0 @@
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/bin/pg_basebackup/pg_basebackup.cpp openGauss-server-5.0.1-edit/src/bin/pg_basebackup/pg_basebackup.cpp
*** openGauss-server-5.0.1/src/bin/pg_basebackup/pg_basebackup.cpp 2024-05-07 20:16:39.176795495 +0800
--- openGauss-server-5.0.1-edit/src/bin/pg_basebackup/pg_basebackup.cpp 2024-05-07 20:17:58.441380003 +0800
***************
*** 1622,1628 ****
struct dirent* ent;
while (1) {
ent = readdir(dir);
! if (ent <= 0) {
break;
}
if ((strcmp(".", ent->d_name) == 0) || (strcmp("..", ent->d_name) == 0)) {
--- 1622,1628 ----
struct dirent* ent;
while (1) {
ent = readdir(dir);
! if (ent == NULL) {
break;
}
if ((strcmp(".", ent->d_name) == 0) || (strcmp("..", ent->d_name) == 0)) {
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/gausskernel/runtime/opfusion/opfusion_util.cpp openGauss-server-5.0.1-edit/src/gausskernel/runtime/opfusion/opfusion_util.cpp
*** openGauss-server-5.0.1/src/gausskernel/runtime/opfusion/opfusion_util.cpp 2024-05-07 20:16:39.780799949 +0800
--- openGauss-server-5.0.1-edit/src/gausskernel/runtime/opfusion/opfusion_util.cpp 2024-05-07 20:17:59.041384427 +0800
***************
*** 424,430 ****
/* check whether to have order by */
if (node->aggstrategy != AGG_PLAIN ||
! node->groupingSets > 0) {
return NOBYPASS_NOT_PLAIN_AGG;
}
--- 424,430 ----
/* check whether to have order by */
if (node->aggstrategy != AGG_PLAIN ||
! node->groupingSets != NIL) {
return NOBYPASS_NOT_PLAIN_AGG;
}

krb5-1.18.3-final.tar.gz Normal file


krb5-CVE-2023-36054.patch Normal file

@ -0,0 +1,35 @@
diff -Naur a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
--- a/src/lib/kadm5/kadm_rpc_xdr.c 2023-09-01 16:16:12.843658117 +0800
+++ b/src/lib/kadm5/kadm_rpc_xdr.c 2023-09-01 16:12:03.704811364 +0800
@@ -390,6 +390,7 @@
int v)
{
unsigned int n;
+ bool_t r;
if (!xdr_krb5_principal(xdrs, &objp->principal)) {
return (FALSE);
@@ -443,6 +444,9 @@
if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
return (FALSE);
}
+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
+ return (FALSE);
+ }
if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
return (FALSE);
}
@@ -451,9 +455,10 @@
return FALSE;
}
n = objp->n_key_data;
- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
- &n, ~0, sizeof(krb5_key_data),
- xdr_krb5_key_data_nocontents)) {
+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
+ objp->n_key_data = n;
+ if (!r) {
return (FALSE);
}
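Review bot: This patch file carries no provenance header, unlike the two sibling krb5 patches in this commit which record `Reference:` and `Conflict:` lines pointing at the upstream commit, so a reviewer cannot check it against MIT's fix or know which krb5 version it was rebased onto. Add a preamble above the first `diff` line with the CVE id, the upstream krb5 commit URL that fixes CVE-2023-36054, and the target version (`Target: krb5-1.18.3`, matching the tarball added alongside it). The hunk body itself has the expected shape for that fix: rejecting `n_key_data < 0` on decode, bounding `xdr_array` by `objp->n_key_data` instead of `~0`, and writing the decoded count back into `objp->n_key_data` so the struct stays consistent with the array actually allocated.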


@ -0,0 +1,171 @@
From 548da160b52b25a106e9f6077d6a42c2c049586c Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 7 Mar 2023 00:19:33 -0500
Subject: [PATCH] Add a simple DER support header
Reference: https://github.com/krb5/krb5/commit/548da160b52b25a106e9f6077d6a42c2c049586c
Conflict: NA
---
src/include/k5-der.h | 149 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 149 insertions(+)
create mode 100644 src/include/k5-der.h
diff --git a/src/include/k5-der.h b/src/include/k5-der.h
new file mode 100644
index 0000000..b8371d9
--- /dev/null
+++ b/src/include/k5-der.h
@@ -0,0 +1,149 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* include/k5-der.h - Distinguished Encoding Rules (DER) declarations */
+/*
+ * Copyright (C) 2023 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Most ASN.1 encoding and decoding is done using the table-driven framework in
+ * libkrb5. When that is not an option, these helpers can be used to encode
+ * and decode simple types.
+ */
+
+#ifndef K5_DER_H
+#define K5_DER_H
+
+#include <stdint.h>
+#include <stdbool.h>
+#include "k5-buf.h"
+#include "k5-input.h"
+
+/* Return the number of bytes needed to encode len as a DER encoding length. */
+static inline size_t
+k5_der_len_len(size_t len)
+{
+ size_t llen;
+
+ if (len < 128)
+ return 1;
+ llen = 1;
+ while (len > 0) {
+ len >>= 8;
+ llen++;
+ }
+ return llen;
+}
+
+/* Return the number of bytes needed to encode a DER value (with identifier
+ * byte and length) for a given contents length. */
+static inline size_t
+k5_der_value_len(size_t contents_len)
+{
+ return 1 + k5_der_len_len(contents_len) + contents_len;
+}
+
+/* Add a DER identifier byte (composed by the caller, including the ASN.1
+ * class, tag, and constructed bit) and length. */
+static inline void
+k5_der_add_taglen(struct k5buf *buf, uint8_t idbyte, size_t len)
+{
+ uint8_t *p;
+ size_t llen = k5_der_len_len(len);
+
+ p = k5_buf_get_space(buf, 1 + llen);
+ if (p == NULL)
+ return;
+ *p++ = idbyte;
+ if (len < 128) {
+ *p = len;
+ } else {
+ *p = 0x80 | (llen - 1);
+ /* Encode the length bytes backwards so the most significant byte is
+ * first. */
+ p += llen;
+ while (len > 0) {
+ *--p = len & 0xFF;
+ len >>= 8;
+ }
+ }
+}
+
+/* Add a DER value (identifier byte, length, and contents). */
+static inline void
+k5_der_add_value(struct k5buf *buf, uint8_t idbyte, const void *contents,
+ size_t len)
+{
+ k5_der_add_taglen(buf, idbyte, len);
+ k5_buf_add_len(buf, contents, len);
+}
+
+/*
+ * If the next byte in in matches idbyte and the subsequent DER length is
+ * valid, advance in past the value, set *contents_out to the value contents,
+ * and return true. Otherwise return false. Only set an error on in if the
+ * next bytes matches idbyte but the ensuing length is invalid. contents_out
+ * may be aliased to in; it will only be written to on successful decoding of a
+ * value.
+ */
+static inline bool
+k5_der_get_value(struct k5input *in, uint8_t idbyte,
+ struct k5input *contents_out)
+{
+ uint8_t lenbyte, i;
+ size_t len;
+ const void *bytes;
+
+ /* Do nothing if in is empty or the next byte doesn't match idbyte. */
+ if (in->status || in->len == 0 || *in->ptr != idbyte)
+ return false;
+
+ /* Advance past the identifier byte and decode the length. */
+ (void)k5_input_get_byte(in);
+ lenbyte = k5_input_get_byte(in);
+ if (lenbyte < 128) {
+ len = lenbyte;
+ } else {
+ len = 0;
+ for (i = 0; i < (lenbyte & 0x7F); i++) {
+ if (len > (SIZE_MAX >> 8)) {
+ k5_input_set_status(in, EOVERFLOW);
+ return false;
+ }
+ len = (len << 8) | k5_input_get_byte(in);
+ }
+ }
+
+ bytes = k5_input_get_bytes(in, len);
+ if (bytes == NULL)
+ return false;
+ k5_input_init(contents_out, bytes, len);
+ return true;
+}
+
+#endif /* K5_DER_H */
--
2.33.0
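Review bot: `k5_der_get_value` accepts length encodings that DER forbids: a `lenbyte` of 0x80 (the BER indefinite form) falls into the long-form branch with zero length bytes and yields `len = 0`, and a non-minimal long form such as `0x81 0x05` is accepted where the short form is required, so non-canonical tokens decode successfully instead of being rejected. The `len > (SIZE_MAX >> 8)` check does correctly stop the shift from overflowing, so this is a canonicality gap, not a memory-safety one. Because the file is a verbatim backport of upstream commit 548da160 as the header states, a local tightening would diverge from upstream; I would instead add a comment near the decode loop, `/* NOTE: accepts indefinite and non-minimal length forms; callers must not rely on DER canonicality. */`, and raise the strictness question upstream.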


@ -0,0 +1,536 @@
From b0a2f8a5365f2eec3e27d78907de9f9d2c80505a Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 14 Jun 2024 10:56:12 -0400
Subject: [PATCH] Fix vulnerabilities in GSS message token handling
In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
verify the Extra Count field of CFX wrap tokens against the encrypted
header. Reported by Jacob Champion.
In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
length too short to contain the encrypted header and extra count
bytes. Reported by Jacob Champion.
In kg_unseal_iov_token(), separately track the header IOV length and
complete token length when parsing the token's ASN.1 wrapper. This
fix contains modified versions of functions from k5-der.h and
util_token.c; this duplication will be cleaned up in a future commit.
CVE-2024-37370:
In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.
CVE-2024-37371:
In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.
ticket: 9128 (new)
tags: pullup
target_version: 1.21-next
Reference: https://github.com/krb5/krb5/commit/b0a2f8a5365f2eec3e27d78907de9f9d2c80505a
Conflict: src/tests/gssapi/t_invalid.c
---
src/lib/gssapi/krb5/k5sealv3.c | 5 +
src/lib/gssapi/krb5/k5sealv3iov.c | 3 +-
src/lib/gssapi/krb5/k5unsealiov.c | 80 +++++++++-
src/tests/gssapi/t_invalid.c | 233 +++++++++++++++++++++++++-----
4 files changed, 275 insertions(+), 46 deletions(-)
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index e881eee..d3210c1 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -400,10 +400,15 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
/* Don't use bodysize here! Use the fact that
cipher.ciphertext.length has been adjusted to the
correct length. */
+ if (plain.length < 16 + ec) {
+ free(plain.data);
+ goto defective;
+ }
althdr = (unsigned char *)plain.data + plain.length - 16;
if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
|| althdr[2] != ptr[2]
|| althdr[3] != ptr[3]
+ || load_16_be(althdr+4) != ec
|| memcmp(althdr+8, ptr+8, 8)) {
free(plain.data);
goto defective;
diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c
index 333ee12..f8e90c3 100644
--- a/src/lib/gssapi/krb5/k5sealv3iov.c
+++ b/src/lib/gssapi/krb5/k5sealv3iov.c
@@ -402,9 +402,10 @@ gss_krb5int_unseal_v3_iov(krb5_context context,
if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
|| althdr[2] != ptr[2]
|| althdr[3] != ptr[3]
+ || load_16_be(althdr + 4) != ec
|| memcmp(althdr + 8, ptr + 8, 8) != 0) {
*minor_status = 0;
- return GSS_S_BAD_SIG;
+ return GSS_S_DEFECTIVE_TOKEN;
}
} else {
/* Verify checksum: note EC is checksum size here, not padding */
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index 3ce2a90..6a6585d 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -25,6 +25,7 @@
*/
#include "k5-int.h"
+#include "k5-der.h"
#include "gssapiP_krb5.h"
static OM_uint32
@@ -247,6 +248,73 @@ cleanup:
return retval;
}
+/* Similar to k5_der_get_value(), but output an unchecked content length
+ * instead of a k5input containing the contents. */
+static inline bool
+get_der_tag(struct k5input *in, uint8_t idbyte, size_t *len_out)
+{
+ uint8_t lenbyte, i;
+ size_t len;
+
+ /* Do nothing if in is empty or the next byte doesn't match idbyte. */
+ if (in->status || in->len == 0 || *in->ptr != idbyte)
+ return false;
+
+ /* Advance past the identifier byte and decode the length. */
+ (void)k5_input_get_byte(in);
+ lenbyte = k5_input_get_byte(in);
+ if (lenbyte < 128) {
+ len = lenbyte;
+ } else {
+ len = 0;
+ for (i = 0; i < (lenbyte & 0x7F); i++) {
+ if (len > (SIZE_MAX >> 8)) {
+ k5_input_set_status(in, EOVERFLOW);
+ return false;
+ }
+ len = (len << 8) | k5_input_get_byte(in);
+ }
+ }
+
+ if (in->status)
+ return false;
+
+ *len_out = len;
+ return true;
+}
+
+/*
+ * Similar to g_verify_token_header() without toktype or flags, but do not read
+ * more than *header_len bytes of ASN.1 wrapper, and on output set *header_len
+ * to the remaining number of header bytes. Verify the outer DER tag's length
+ * against token_len, which may be larger (but not smaller) than *header_len.
+ */
+static gss_int32
+verify_detached_wrapper(const gss_OID_desc *mech, size_t *header_len,
+ uint8_t **header_in, size_t token_len)
+{
+ struct k5input in, mech_der;
+ gss_OID_desc toid;
+ size_t len;
+
+ k5_input_init(&in, *header_in, *header_len);
+
+ if (get_der_tag(&in, 0x60, &len)) {
+ if (len != token_len - (in.ptr - *header_in))
+ return G_BAD_TOK_HEADER;
+ if (!k5_der_get_value(&in, 0x06, &mech_der))
+ return G_BAD_TOK_HEADER;
+ toid.elements = (uint8_t *)mech_der.ptr;
+ toid.length = mech_der.len;
+ if (!g_OID_equal(&toid, mech))
+ return G_WRONG_MECH;
+ }
+
+ *header_in = (uint8_t *)in.ptr;
+ *header_len = in.len;
+ return 0;
+}
+
/*
* Caller must provide TOKEN | DATA | PADDING | TRAILER, except
* for DCE in which case it can just provide TOKEN | DATA (must
@@ -267,8 +335,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
gss_iov_buffer_t header;
gss_iov_buffer_t padding;
gss_iov_buffer_t trailer;
- size_t input_length;
- unsigned int bodysize;
+ size_t input_length, hlen;
int toktype2;
header = kg_locate_header_iov(iov, iov_count, toktype);
@@ -298,15 +365,14 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
input_length += trailer->buffer.length;
}
- code = g_verify_token_header(ctx->mech_used,
- &bodysize, &ptr, -1,
- input_length, 0);
+ hlen = header->buffer.length;
+ code = verify_detached_wrapper(ctx->mech_used, &hlen, &ptr, input_length);
if (code != 0) {
*minor_status = code;
return GSS_S_DEFECTIVE_TOKEN;
}
- if (bodysize < 2) {
+ if (hlen < 2) {
*minor_status = (OM_uint32)G_BAD_TOK_HEADER;
return GSS_S_DEFECTIVE_TOKEN;
}
@@ -314,7 +380,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
toktype2 = load_16_be(ptr);
ptr += 2;
- bodysize -= 2;
+ hlen -= 2;
switch (toktype2) {
case KG2_TOK_MIC_MSG:
diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
index fb8fe55..d1f019f 100644
--- a/src/tests/gssapi/t_invalid.c
+++ b/src/tests/gssapi/t_invalid.c
@@ -36,31 +36,41 @@
*
* 1. A pre-CFX wrap or MIC token processed with a CFX-only context causes a
* null pointer dereference. (The token must use SEAL_ALG_NONE or it will
- * be rejected.)
+ * be rejected.) This vulnerability also applies to IOV unwrap.
*
- * 2. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1
+ * 2. A CFX wrap token with a different value of EC between the plaintext and
+ * encrypted copies will be erroneously accepted, which allows a message
+ * truncation attack. This vulnerability also applies to IOV unwrap.
+ *
+ * 3. A CFX wrap token with a plaintext length fewer than 16 bytes causes an
+ * access before the beginning of the input buffer, possibly leading to a
+ * crash.
+ *
+ * 4. A CFX wrap token with a plaintext EC value greater than the plaintext
+ * length - 16 causes an integer underflow when computing the result length,
+ * likely causing a crash.
+ *
+ * 5. An IOV unwrap operation will overrun the header buffer if an ASN.1
+ * wrapper longer than the header buffer is present.
+ *
+ * 6. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1
* header causes an input buffer overrun, usually leading to either a segv
* or a GSS_S_DEFECTIVE_TOKEN error due to garbage algorithm, filler, or
- * sequence number values.
+ * sequence number values. This vulnerability also applies to IOV unwrap.
*
- * 3. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1
+ * 7. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1
* header causes an integer underflow when computing the ciphertext length,
* leading to an allocation error on 32-bit platforms or a segv on 64-bit
* platforms. A pre-CFX MIC token of this size causes an input buffer
* overrun when comparing the checksum, perhaps leading to a segv.
*
- * 4. A pre-CFX wrap token with fewer than conflen + padlen bytes in the
+ * 8. A pre-CFX wrap token with fewer than conflen + padlen bytes in the
* ciphertext (where padlen is the last byte of the decrypted ciphertext)
* causes an integer underflow when computing the original message length,
* leading to an allocation error.
*
- * 5. In the mechglue, truncated encapsulation in the initial context token can
+ * 9. In the mechglue, truncated encapsulation in the initial context token can
* cause input buffer overruns in gss_accept_sec_context().
- *
- * Vulnerabilities #1 and #2 also apply to IOV unwrap, although tokens with
- * fewer than 16 bytes after the ASN.1 header will be rejected.
- * Vulnerabilities #2 and #5 can only be robustly detected using a
- * memory-checking environment such as valgrind.
*/
#include "k5-int.h"
@@ -98,16 +108,24 @@ struct test {
};
/* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key. */
+static void *
+ealloc(size_t len)
+{
+ void *ptr = calloc(len, 1);
+
+ if (ptr == NULL)
+ abort();
+ return ptr;
+}
+
+/* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key.
+ * The context takes ownership of subkey. */
static gss_ctx_id_t
-make_fake_cfx_context()
+make_fake_cfx_context(krb5_key subkey)
{
gss_union_ctx_id_t uctx;
krb5_gss_ctx_id_t kgctx;
- krb5_keyblock kb;
-
- kgctx = calloc(1, sizeof(*kgctx));
- if (kgctx == NULL)
- abort();
+ kgctx = ealloc(sizeof(*kgctx));
kgctx->established = 1;
kgctx->proto = 1;
if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0)
@@ -116,15 +134,10 @@ make_fake_cfx_context()
kgctx->sealalg = -1;
kgctx->signalg = -1;
- kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
- kb.length = 16;
- kb.contents = (unsigned char *)"1234567887654321";
- if (krb5_k_create_key(NULL, &kb, &kgctx->subkey) != 0)
- abort();
+ kgctx->subkey = subkey;
+ kgctx->cksumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
- uctx = calloc(1, sizeof(*uctx));
- if (uctx == NULL)
- abort();
+ uctx = ealloc(sizeof(*uctx));
uctx->mech_type = &mech_krb5;
uctx->internal_ctx_id = (gss_ctx_id_t)kgctx;
return (gss_ctx_id_t)uctx;
@@ -138,9 +151,7 @@ make_fake_context(const struct test *test)
krb5_gss_ctx_id_t kgctx;
krb5_keyblock kb;
- kgctx = calloc(1, sizeof(*kgctx));
- if (kgctx == NULL)
- abort();
+ kgctx = ealloc(sizeof(*kgctx));
kgctx->established = 1;
if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0)
abort();
@@ -162,9 +173,7 @@ make_fake_context(const struct test *test)
if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0)
abort();
- uctx = calloc(1, sizeof(*uctx));
- if (uctx == NULL)
- abort();
+ uctx = ealloc(sizeof(*uctx));
uctx->mech_type = &mech_krb5;
uctx->internal_ctx_id = (gss_ctx_id_t)kgctx;
return (gss_ctx_id_t)uctx;
@@ -194,9 +203,7 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out)
assert(mech_krb5.length == 9);
assert(len + 11 < 128);
- wrapped = malloc(len + 13);
- if (wrapped == NULL)
- abort();
+ wrapped = ealloc(len + 13);
wrapped[0] = 0x60;
wrapped[1] = len + 11;
wrapped[2] = 0x06;
@@ -207,6 +214,18 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out)
out->value = wrapped;
}
+/* Create a 16-byte header for a CFX confidential wrap token to be processed by
+ * the fake CFX context. */
+static void
+write_cfx_header(uint16_t ec, uint8_t *out)
+{
+ memset(out, 0, 16);
+ store_16_be(KG2_TOK_WRAP_MSG, out);
+ out[2] = FLAG_WRAP_CONFIDENTIAL;
+ out[3] = 0xFF;
+ store_16_be(ec, out + 4);
+}
+
/* Unwrap a superficially valid RFC 1964 token with a CFX-only context, with
* regular and IOV unwrap. */
static void
@@ -238,6 +257,134 @@ test_bogus_1964_token(gss_ctx_id_t ctx)
free(in.value);
}
+static void
+test_cfx_altered_ec(gss_ctx_id_t ctx, krb5_key subkey)
+{
+ OM_uint32 major, minor;
+ uint8_t tokbuf[128], plainbuf[24];
+ krb5_data plain;
+ krb5_enc_data cipher;
+ gss_buffer_desc in, out;
+ gss_iov_buffer_desc iov[2];
+
+ /* Construct a header with a plaintext EC value of 3. */
+ write_cfx_header(3, tokbuf);
+
+ /* Encrypt a plaintext and a copy of the header with the EC value 0. */
+ memcpy(plainbuf, "truncate", 8);
+ memcpy(plainbuf + 8, tokbuf, 16);
+ store_16_be(0, plainbuf + 12);
+ plain = make_data(plainbuf, 24);
+ cipher.ciphertext.data = (char *)tokbuf + 16;
+ cipher.ciphertext.length = sizeof(tokbuf) - 16;
+ cipher.enctype = subkey->keyblock.enctype;
+ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
+ &plain, &cipher) != 0)
+ abort();
+
+ /* Verify that the token is rejected by gss_unwrap(). */
+ in.value = tokbuf;
+ in.length = 16 + cipher.ciphertext.length;
+ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ (void)gss_release_buffer(&minor, &out);
+
+ /* Verify that the token is rejected by gss_unwrap_iov(). */
+ iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
+ iov[0].buffer = in;
+ iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+ major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+}
+
+static void
+test_cfx_short_plaintext(gss_ctx_id_t ctx, krb5_key subkey)
+{
+ OM_uint32 major, minor;
+ uint8_t tokbuf[128], zerobyte = 0;
+ krb5_data plain;
+ krb5_enc_data cipher;
+ gss_buffer_desc in, out;
+
+ write_cfx_header(0, tokbuf);
+
+ /* Encrypt a single byte, with no copy of the header. */
+ plain = make_data(&zerobyte, 1);
+ cipher.ciphertext.data = (char *)tokbuf + 16;
+ cipher.ciphertext.length = sizeof(tokbuf) - 16;
+ cipher.enctype = subkey->keyblock.enctype;
+ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
+ &plain, &cipher) != 0)
+ abort();
+
+ /* Verify that the token is rejected by gss_unwrap(). */
+ in.value = tokbuf;
+ in.length = 16 + cipher.ciphertext.length;
+ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ (void)gss_release_buffer(&minor, &out);
+}
+
+static void
+test_cfx_large_ec(gss_ctx_id_t ctx, krb5_key subkey)
+{
+ OM_uint32 major, minor;
+ uint8_t tokbuf[128] = { 0 }, plainbuf[20];
+ krb5_data plain;
+ krb5_enc_data cipher;
+ gss_buffer_desc in, out;
+
+ /* Construct a header with an EC value of 5. */
+ write_cfx_header(5, tokbuf);
+
+ /* Encrypt a 4-byte plaintext plus the header. */
+ memcpy(plainbuf, "abcd", 4);
+ memcpy(plainbuf + 4, tokbuf, 16);
+ plain = make_data(plainbuf, 20);
+ cipher.ciphertext.data = (char *)tokbuf + 16;
+ cipher.ciphertext.length = sizeof(tokbuf) - 16;
+ cipher.enctype = subkey->keyblock.enctype;
+ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
+ &plain, &cipher) != 0)
+ abort();
+
+ /* Verify that the token is rejected by gss_unwrap(). */
+ in.value = tokbuf;
+ in.length = 16 + cipher.ciphertext.length;
+ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ (void)gss_release_buffer(&minor, &out);
+}
+
+static void
+test_iov_large_asn1_wrapper(gss_ctx_id_t ctx)
+{
+ OM_uint32 minor, major;
+ uint8_t databuf[10] = { 0 };
+ gss_iov_buffer_desc iov[2];
+
+ /*
+ * In this IOV array, the header contains a DER tag with a dangling eight
+ * bytes of length field. The data IOV indicates a total token length
+ * sufficient to contain the length bytes.
+ */
+ iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
+ iov[0].buffer.value = ealloc(2);
+ iov[0].buffer.length = 2;
+ memcpy(iov[0].buffer.value, "\x60\x88", 2);
+ iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[1].buffer.value = databuf;
+ iov[1].buffer.length = 10;
+ major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ free(iov[0].buffer.value);
+}
+
/* Process wrap and MIC tokens with incomplete headers. */
static void
test_short_header(gss_ctx_id_t ctx)
@@ -387,9 +534,7 @@ try_accept(void *value, size_t len)
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
/* Copy the provided value to make input overruns more obvious. */
- in.value = malloc(len);
- if (in.value == NULL)
- abort();
+ in.value = ealloc(len);
memcpy(in.value, value, len);
in.length = len;
(void)gss_accept_sec_context(&minor, &ctx, GSS_C_NO_CREDENTIAL, &in,
@@ -424,11 +569,23 @@ test_short_encapsulation()
int
main(int argc, char **argv)
{
+ krb5_keyblock kb;
+ krb5_key cfx_subkey;
gss_ctx_id_t ctx;
size_t i;
- ctx = make_fake_cfx_context();
+ kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+ kb.length = 16;
+ kb.contents = (unsigned char *)"1234567887654321";
+ if (krb5_k_create_key(NULL, &kb, &cfx_subkey) != 0)
+ abort();
+
+ ctx = make_fake_cfx_context(cfx_subkey);
test_bogus_1964_token(ctx);
+ test_cfx_altered_ec(ctx, cfx_subkey);
+ test_cfx_short_plaintext(ctx, cfx_subkey);
+ test_cfx_large_ec(ctx, cfx_subkey);
+ test_iov_large_asn1_wrapper(ctx);
free_fake_context(ctx);
for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
--
2.33.0

84
krb5-cve-2022-42898.patch Normal file

@ -0,0 +1,84 @@
From ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 17 Oct 2022 20:25:11 -0400
Subject: [PATCH] Fix integer overflows in PAC parsing
In krb5_parse_pac(), check for buffer counts large enough to threaten
integer overflow in the header length and memory length calculations.
Avoid potential integer overflows when checking the length of each
buffer. Credit to OSS-Fuzz for discovering one of the issues.
CVE-2022-42898:
In MIT krb5 releases 1.8 and later, an authenticated attacker may be
able to cause a KDC or kadmind process to crash by reading beyond the
bounds of allocated memory, creating a denial of service. A
privileged attacker may similarly be able to cause a Kerberos or GSS
application service to crash. On 32-bit platforms, an attacker can
also cause insufficient memory to be allocated for the result,
potentially leading to remote code execution in a KDC, kadmind, or GSS
or Kerberos application server process. An attacker with the
privileges of a cross-realm KDC may be able to extract secrets from a
KDC process's memory by having them copied into the PAC of a new
ticket.
ticket: 9074 (new)
tags: pullup
target_version: 1.20-next
target_version: 1.19-next
---
src/lib/krb5/krb/pac.c | 9 +++++++--
src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 2f1df8d42..f6c4373de 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
*** 26,31 ****
--- 26,32 ----
#include "k5-int.h"
#include "authdata.h"
+ #define MAX_BUFFERS 4096
/* draft-brezak-win2k-krb-authz-00 */
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
index 0b1b1f056..173bde7ba 100644
--- a/src/lib/krb5/krb/t_pac.c
+++ b/src/lib/krb5/krb/t_pac.c
@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
};
+static const unsigned char fuzz1[] = {
+ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
+ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
+};
+
+static const unsigned char fuzz2[] = {
+ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
+ 0x20, 0x20
+};
+
static const char *s4u_principal = "w2k8u@ACME.COM";
static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
@@ -828,6 +838,14 @@ main(int argc, char **argv)
krb5_free_principal(context, sep);
}
+ /* Check problematic PACs found by fuzzing. */
+ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
+ if (!ret)
+ err(context, ret, "krb5_pac_parse should have failed");
+ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
+ if (!ret)
+ err(context, ret, "krb5_pac_parse should have failed");
+
/*
* Test empty free
*/
--
2.32.0.windows.1
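Review bot: The pac.c portion of this patch, as shown, contains only the `#define MAX_BUFFERS 4096` addition and switches to context-diff markers (`*** 26,31 ****` / `--- 26,32 ----`) under the unified-diff `diff --git`/`index`/`---`/`+++` headers, while the diffstat claims 9 changed lines in pac.c and the commit message describes bounds checks in krb5_parse_pac that are not on the page. If the file really is in this form, `git apply`/`patch -p1` will reject the pac.c part and the CVE-2022-42898 fix is not applied even though the t_pac.c regression inputs are, so the file should be checked against the upstream commit named in its From line (ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583) and regenerated with `git format-patch` if it differs. This could also be a rendering artifact of the forge (the 84-line count versus the lines visible here suggests some lines are collapsed), so inspecting the raw file is the first step.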

4011
krb5.patch Normal file


293
og-cmake.patch Normal file

@ -0,0 +1,293 @@
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/cmake/src/set_thirdparty_path.cmake opengauss_server_600_edit/cmake/src/set_thirdparty_path.cmake
*** opengauss_server_600/cmake/src/set_thirdparty_path.cmake 2024-11-19 20:01:27.693621300 +0800
--- opengauss_server_600_edit/cmake/src/set_thirdparty_path.cmake 2024-11-21 20:14:05.645621300 +0800
***************
*** 36,105 ****
set(LIB_UNIFIED_SUPPORT comm)
set(MEMCHECK_BUILD_TYPE debug)
set(DEPENDENCY_PATH ${3RD_PATH}/kernel/dependency)
! set(PLATFORM_PATH ${3RD_PATH}/kernel/platform)
! set(BUILDTOOLS_PATH ${3RD_PATH}/buildtools)
! set(COMPONENT_PATH ${3RD_PATH}/kernel/component)
!
! set(CJSON_HOME ${DEPENDENCY_PATH}/cjson/${SUPPORT_LLT})
! set(ETCD_HOME ${DEPENDENCY_PATH}/etcd/${LIB_UNIFIED_SUPPORT})
! set(EVENT_HOME ${DEPENDENCY_PATH}/event/${LIB_UNIFIED_SUPPORT})
! set(FIO_HOME ${DEPENDENCY_PATH}/fio/${SUPPORT_LLT})
! set(IPERF_HOME ${DEPENDENCY_PATH}/iperf/${LIB_UNIFIED_SUPPORT})
if("${VERSION_TYPE}" STREQUAL "debug" OR "${VERSION_TYPE}" STREQUAL "memcheck")
set(JEMALLOC_HOME ${DEPENDENCY_PATH}/jemalloc/debug${JEMALLOC_SUPPORT_LLT})
else()
set(JEMALLOC_HOME ${DEPENDENCY_PATH}/jemalloc/${VERSION_TYPE}${JEMALLOC_SUPPORT_LLT})
endif()
set(KERBEROS_HOME ${DEPENDENCY_PATH}/kerberos/${SUPPORT_LLT})
- set(KMC_HOME ${PLATFORM_PATH}/kmc/${LIB_UNIFIED_SUPPORT})
- set(CGROUP_HOME ${DEPENDENCY_PATH}/libcgroup/${SUPPORT_LLT})
- set(CURL_HOME ${DEPENDENCY_PATH}/libcurl/${SUPPORT_LLT})
- set(EDIT_HOME ${DEPENDENCY_PATH}/libedit/${SUPPORT_LLT})
- set(OBS_HOME ${DEPENDENCY_PATH}/libobs/${LIB_UNIFIED_SUPPORT})
- set(XML2_HOME ${DEPENDENCY_PATH}/libxml2/${SUPPORT_LLT})
- set(LLVM_HOME ${DEPENDENCY_PATH}/llvm/${LIB_UNIFIED_SUPPORT})
- set(LZ4_HOME ${DEPENDENCY_PATH}/lz4/${SUPPORT_LLT})
- set(NANOMSG_HOME ${DEPENDENCY_PATH}/nng/${LIB_UNIFIED_SUPPORT})
- set(NCURSES_HOME ${DEPENDENCY_PATH}/ncurses/${SUPPORT_LLT})
- set(AWSSDK_HOME ${DEPENDENCY_PATH}/aws-sdk-cpp/${SUPPORT_LLT})
if(($ENV{WITH_TASSL}) STREQUAL "YES")
set(OPENSSL_HOME ${DEPENDENCY_PATH}/tassl/${LIB_UNIFIED_SUPPORT})
else()
set(OPENSSL_HOME ${DEPENDENCY_PATH}/openssl/${LIB_UNIFIED_SUPPORT})
endif()
! set(PLJAVA_HOME ${DEPENDENCY_PATH}/pljava/${LIB_UNIFIED_SUPPORT})
! if (EXISTS "${PLATFORM_PATH}/openjdk8/${BUILD_TUPLE}/jdk")
! set(JAVA_HOME ${PLATFORM_PATH}/openjdk8/${BUILD_TUPLE}/jdk)
else()
! set(JAVA_HOME ${PLATFORM_PATH}/huaweijdk8/${BUILD_TUPLE}/jdk)
endif()
set(ZLIB_HOME ${DEPENDENCY_PATH}/zlib1.2.11/${SUPPORT_LLT})
set(XGBOOST_HOME ${DEPENDENCY_PATH}/xgboost/${SUPPORT_LLT})
- set(ZSTD_HOME ${DEPENDENCY_PATH}/zstd)
- set(LICENSE_HOME ${PLATFORM_PATH}/AdaptiveLM_C_V100R005C01SPC002/${SUPPORT_LLT})
- set(HOTPATCH_HOME ${PLATFORM_PATH}/hotpatch)
- set(SECURE_HOME ${PLATFORM_PATH}/Huawei_Secure_C/${LIB_UNIFIED_SUPPORT})
- set(SECUREDYNAMICLIB_HOME ${PLATFORM_PATH}/Huawei_Secure_C/Dynamic_Lib)
- set(DCF_HOME ${COMPONENT_PATH}/dcf)
- set(DMS_HOME ${COMPONENT_PATH}/dms)
- set(DSS_HOME ${COMPONENT_PATH}/dss)
-
- set(MOCKCPP_HOME ${BUILDTOOLS_PATH}/mockcpp/${LIB_UNIFIED_SUPPORT})
- set(GTEST_HOME ${BUILDTOOLS_PATH}/gtest/${LIB_UNIFIED_SUPPORT})
- set(MASSTREE_HOME ${BUILDTOOLS_PATH}/masstree/${LIB_UNIFIED_SUPPORT})
- set(NUMA_HOME ${DEPENDENCY_PATH}/numactl/${SUPPORT_LLT})
- set(BOOST_HOME ${DEPENDENCY_PATH}/boost/${SUPPORT_LLT})
- set(ODBC_HOME ${DEPENDENCY_PATH}/unixodbc)
- set(MASSTREE_HOME ${DEPENDENCY_PATH}/masstree/${LIB_UNIFIED_SUPPORT})
- set(LCOV_HOME ${BUILDTOOLS_PATH}/gcc${GCC_VERSION_LIT}/gcc/lib/gcc/${HOST_TUPLE})
- set(GCC_LIB_PATH $ENV{GCC_INSTALL_HOME})
- set(MEMCHECK_LIB_PATH $ENV{GCC_INSTALL_HOME}/lib64/)
- if("${GCC_LIB_PATH}" STREQUAL "")
- set(GCC_LIB_PATH ${BUILDTOOLS_PATH}/gcc${GCC_VERSION_LIT}/gcc)
- set(MEMCHECK_HOME ${DEPENDENCY_PATH}/memcheck/${MEMCHECK_BUILD_TYPE})
- set(MEMCHECK_LIB_PATH ${MEMCHECK_HOME}/gcc${GCC_VERSION}/lib/)
- endif()
#############################################################################
# lcov
--- 36,67 ----
set(LIB_UNIFIED_SUPPORT comm)
set(MEMCHECK_BUILD_TYPE debug)
set(DEPENDENCY_PATH ${3RD_PATH}/kernel/dependency)
!
if("${VERSION_TYPE}" STREQUAL "debug" OR "${VERSION_TYPE}" STREQUAL "memcheck")
set(JEMALLOC_HOME ${DEPENDENCY_PATH}/jemalloc/debug${JEMALLOC_SUPPORT_LLT})
else()
set(JEMALLOC_HOME ${DEPENDENCY_PATH}/jemalloc/${VERSION_TYPE}${JEMALLOC_SUPPORT_LLT})
endif()
set(KERBEROS_HOME ${DEPENDENCY_PATH}/kerberos/${SUPPORT_LLT})
if(($ENV{WITH_TASSL}) STREQUAL "YES")
set(OPENSSL_HOME ${DEPENDENCY_PATH}/tassl/${LIB_UNIFIED_SUPPORT})
else()
set(OPENSSL_HOME ${DEPENDENCY_PATH}/openssl/${LIB_UNIFIED_SUPPORT})
endif()
! execute_process(
! COMMAND bash -c "readlink -f $(which java) | sed 's:/jre/bin/java::'"
! OUTPUT_VARIABLE JAVA_HOME_PATH
! OUTPUT_STRIP_TRAILING_WHITESPACE
! )
! if(JAVA_HOME_PATH)
! message(STATUS "Detected JAVA_HOME: ${JAVA_HOME_PATH}")
! set(JAVA_HOME ${JAVA_HOME_PATH})
else()
! message(FATAL_ERROR "Unable to detect JAVA_HOME")
endif()
set(ZLIB_HOME ${DEPENDENCY_PATH}/zlib1.2.11/${SUPPORT_LLT})
set(XGBOOST_HOME ${DEPENDENCY_PATH}/xgboost/${SUPPORT_LLT})
#############################################################################
# lcov
***************
*** 209,230 ****
#############################################################################
# obs component
#############################################################################
- set(LIBOBS_INCLUDE_PATH ${OBS_HOME}/include)
- set(LIBOBS_LIB_PATH ${OBS_HOME}/lib)
#############################################################################
# xml2 component
#############################################################################
! set(LIBXML_INCLUDE_PATH ${XML2_HOME}/include)
! set(LIBXML_LIB_PATH ${XML2_HOME}/lib)
#############################################################################
# llvm component
#############################################################################
! set(LIBLLVM_BIN_PATH ${LLVM_HOME}/bin)
! set(LIBLLVM_INCLUDE_PATH ${LLVM_HOME}/include)
! set(LIBLLVM_LIB_PATH ${LLVM_HOME}/lib)
! set(LLVM_CONFIG ${LIBLLVM_BIN_PATH}/llvm-config)
#############################################################################
# lz4 component
--- 171,187 ----
#############################################################################
# obs component
#############################################################################
#############################################################################
# xml2 component
#############################################################################
! set(LIBXML_INCLUDE_PATH /usr/include)
! set(LIBXML_LIB_PATH /usr/lib64)
#############################################################################
# llvm component
#############################################################################
!
#############################################################################
# lz4 component
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/CMakeLists.txt opengauss_server_600_edit/src/CMakeLists.txt
*** opengauss_server_600/src/CMakeLists.txt 2024-11-19 20:01:27.693621300 +0800
--- opengauss_server_600_edit/src/CMakeLists.txt 2024-11-21 20:14:05.841621300 +0800
***************
*** 176,297 ****
install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/include/common/config/cm_config.h DESTINATION include)
# special
- install(CODE "execute_process(
- COMMAND rm ${prefix_home}/include/pg_config_os.h
- COMMAND rm ${prefix_home}/include/postgresql/server/pg_config_os.h)"
- )
- install(CODE "execute_process(
- COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/include/port/linux.h ${prefix_home}/include/pg_config_os.h
- COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/include/port/linux.h ${prefix_home}/include/postgresql/server/pg_config_os.h
- COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/include/cm/libpq-fe.h ${prefix_home}/include/cm-libpq-fe.h)"
- )
-
# open source install part
if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
- install(DIRECTORY ${JAVA_HOME}/jre/ DESTINATION jre FILE_PERMISSIONS OWNER_EXECUTE GROUP_EXECUTE OWNER_READ GROUP_READ)
- endif()
-
- if("${ENABLE_MULTIPLE_NODES}" STREQUAL "OFF")
- install(DIRECTORY ${DCF_LIB_PATH} DESTINATION .)
- endif()
- if(${ENABLE_MULTIPLE_NODES}_${ENABLE_PRIVATEGAUSS} STREQUAL OFF_OFF AND NOT ${ENABLE_LITE_MODE} STREQUAL ON)
- if(EXISTS ${DMS_LIB_PATH})
- install(DIRECTORY ${DMS_LIB_PATH} DESTINATION .)
- endif()
- if(EXISTS ${DSS_LIB_PATH})
- install(DIRECTORY ${DSS_LIB_PATH} DESTINATION .)
- endif()
- if(EXISTS ${DSS_BIN_PATH})
- install(DIRECTORY ${DSS_BIN_PATH} DESTINATION . FILE_PERMISSIONS OWNER_EXECUTE GROUP_EXECUTE WORLD_EXECUTE OWNER_READ GROUP_READ WORLD_READ OWNER_WRITE)
- endif()
- endif()
-
- install(DIRECTORY ${ZSTD_LIB_PATH} DESTINATION . PATTERN "*.a" EXCLUDE)
- if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
- install(DIRECTORY ${LIBOBS_LIB_PATH} DESTINATION .)
- install(DIRECTORY ${LIBOBS_INCLUDE_PATH} DESTINATION include/postgresql/server/access/obs)
- endif()
- install(DIRECTORY ${CJSON_LIB_PATH} DESTINATION .)
- install(DIRECTORY ${CJSON_INCLUDE_PATH}/cjson DESTINATION include/postgresql/server)
- if(NOT ${ENABLE_LITE_MODE} STREQUAL ON)
- install(DIRECTORY ${ETCD_BIN_PATH} DESTINATION .)
- install(DIRECTORY ${IPERF_LIB_PATH} DESTINATION .)
- endif()
- if(NOT ${ENABLE_LITE_MODE} STREQUAL ON)
- if(NOT ${ENABLE_MULTIPLE_NODES}_${ENABLE_PRIVATEGAUSS} STREQUAL OFF_OFF)
- install(DIRECTORY ${KMC_LIB_PATH} DESTINATION .)
- endif()
- endif()
- install(DIRECTORY ${LIBCURL_LIB_PATH} DESTINATION .)
- install(DIRECTORY ${AWSSDK_LIB_PATH} DESTINATION .)
- if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
install(DIRECTORY ${KERBEROS_SBIN_PATH}/ DESTINATION bin)
install(DIRECTORY ${KERBEROS_BIN_PATH} DESTINATION .)
install(DIRECTORY ${KERBEROS_LIB_PATH} DESTINATION .)
endif()
- install(DIRECTORY ${LZ4_LIB_PATH} DESTINATION .)
- install(DIRECTORY ${LZ4_BIN_PATH} DESTINATION .)
- install(DIRECTORY ${LIBOPENSSL_BIN_PATH} DESTINATION .)
- install(DIRECTORY ${LIBOPENSSL_LIB_PATH} DESTINATION . PATTERN "*.a" EXCLUDE )
install(DIRECTORY ${ZLIB_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libz.*")
-
- list(FIND MACRO_OPTIONS "-D__USE_NUMA" RET_NUMA)
- if(NOT ${RET_NUMA} EQUAL -1)
- install(DIRECTORY ${NUMA_LIB_PATH} DESTINATION .)
- endif()
-
- if("${ENABLE_MOT}" STREQUAL "ON")
- install(DIRECTORY ${MASSTREE_LIB_PATH} DESTINATION .)
- install(CODE "execute_process(
- COMMAND cp ${GCC_LIB_PATH}/lib64/libatomic.so.1.2.0 ${prefix_home}/lib/libatomic.so.1.2.0
- COMMAND ln -fs libatomic.so.1.2.0 libatomic.so
- COMMAND ln -fs libatomic.so.1.2.0 libatomic.so.1
- WORKING_DIRECTORY ${prefix_home}/lib)"
- )
- install(CODE "message(\"-- Created symlink: libatomic.so -> libatomic.so.1.2.0\")")
- install(CODE "message(\"-- Created symlink: libatomic.so.1 -> libatomic.so.1.2.0\")")
- endif()
-
- install(FILES ${SECUREDYNAMICLIB_HOME}/libsecurec.so DESTINATION lib)
- install(FILES ${GCC_LIB_PATH}/lib64/libgcc_s.so.1 DESTINATION lib)
- install(FILES ${GCC_LIB_PATH}/lib64/libgomp.so DESTINATION lib)
- install(FILES ${GCC_LIB_PATH}/lib64/libgomp.so.1 DESTINATION lib)
- install(FILES ${GCC_LIB_PATH}/lib64/libgomp.so.1.0.0 DESTINATION lib)
- install(FILES ${XGBOOST_LIB_PATH}/libxgboost.so DESTINATION lib)
- if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
- install(FILES ${PLJAVA_HOME}/lib/libpljava.so DESTINATION lib)
- install(FILES ${PLJAVA_HOME}/java/pljava.jar DESTINATION lib/postgresql/java)
- install(FILES ${PLJAVA_HOME}/udstools.py DESTINATION share/postgresql/tmp)
- endif()
- if(NOT ${ENABLE_MULTIPLE_NODES}_${ENABLE_PRIVATEGAUSS} STREQUAL OFF_OFF)
- if("${SUPPORT_HOTPATCH}" STREQUAL "yes")
- install(FILES ${LIBHOTPATCH_LIB_PATH}/libdoprapatch.a DESTINATION lib)
- endif()
- endif()
-
- if("${ENABLE_MOT}" STREQUAL "ON")
- install(DIRECTORY ${MASSTREE_LIB_PATH} DESTINATION .)
- install(DIRECTORY ${GCC_LIB_PATH}/lib64/ DESTINATION lib
- FILES_MATCHING PATTERN "libatomic.so*")
- endif()
-
- install(FILES ${GCC_LIB_PATH}/lib64/libgcc_s.so.1 DESTINATION lib)
- install(DIRECTORY ${GCC_LIB_PATH}/lib64/ DESTINATION lib
- FILES_MATCHING PATTERN "libgomp.so*")
-
- install(CODE "execute_process(
- COMMAND cp ${GCC_LIB_PATH}/lib64/libstdc++.so.6.0.${LIBSTD_SUB_VERSION} ${prefix_home}/lib/libstdc++.so.6
- WORKING_DIRECTORY ${prefix_home}/lib)"
- )
-
- # install(DIRECTORY ${LIBCGROUP_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libcgroup.so*")
- install(CODE "execute_process(
- COMMAND cp ${LIBCGROUP_LIB_PATH}/libcgroup.so.1.0.42 ${prefix_home}/lib/libcgroup.so
- COMMAND ln -fs libcgroup.so libcgroup.so.1
- WORKING_DIRECTORY ${prefix_home}/lib)"
- )
- install(CODE "message(\"-- Created symlink: libcgroup.so.1 -> libcgroup.so\")")
# fastcheck part
install(FILES ${PROJECT_SRC_DIR}/test/regress/stub/roach_api_stub/roach_api_stub.control
DESTINATION share/postgresql/extension/
--- 176,190 ----
install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/include/common/config/cm_config.h DESTINATION include)
# special
# open source install part
if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
install(DIRECTORY ${KERBEROS_SBIN_PATH}/ DESTINATION bin)
install(DIRECTORY ${KERBEROS_BIN_PATH} DESTINATION .)
install(DIRECTORY ${KERBEROS_LIB_PATH} DESTINATION .)
endif()
install(DIRECTORY ${ZLIB_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libz.*")
+ install(FILES ${XGBOOST_LIB_PATH}/libxgboost.so DESTINATION lib)
# fastcheck part
install(FILES ${PROJECT_SRC_DIR}/test/regress/stub/roach_api_stub/roach_api_stub.control
DESTINATION share/postgresql/extension/
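Review bot: The JAVA_HOME detection in the new execute_process block accepts any non-empty output, so when `which java` resolves to a layout without a `jre/bin/java` component (a JDK 9+ tree or a bare JRE) the sed substitution is a no-op and JAVA_HOME becomes the path of the java binary itself, which `if(JAVA_HOME_PATH)` does not catch; the command's exit status is not examined either (no `RESULT_VARIABLE`). Validating the result against a file that must exist under a JDK root, e.g. `if(JAVA_HOME_PATH AND EXISTS "${JAVA_HOME_PATH}/include/jni.h")`, or using `find_package(JNI)` / `find_package(Java)` instead of shelling out through `bash -c`, would make a wrong detection fail at configure time rather than later in the build. The libxml2 paths replaced with literal `/usr/include` and `/usr/lib64` in the same file presumably assume an RPM lib64 layout; `find_package(LibXml2)` (`LIBXML2_INCLUDE_DIR`, `LIBXML2_LIBRARIES`) would express the same intent without the hard-coded directories.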

1362
og-delete-obs.patch Normal file



@ -1,33 +0,0 @@
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/bin/psql/startup.cpp openGauss-server-5.0.1-edit/src/bin/psql/startup.cpp
*** openGauss-server-5.0.1/src/bin/psql/startup.cpp 2024-05-07 20:16:39.232795908 +0800
--- openGauss-server-5.0.1-edit/src/bin/psql/startup.cpp 2024-05-07 20:17:58.501380445 +0800
***************
*** 530,535 ****
--- 530,539 ----
pset.popt.topt.recordSep.separator_zero = false;
}
+ if (options.port == NULL) {
+ options.port = GetEnvStr("PORT");
+ }
+
if (options.username == NULL)
password_prompt = pg_strdup(_("Password: "));
else {
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/gausskernel/dbmind/db4ai/executor/Makefile openGauss-server-5.0.1-edit/src/gausskernel/dbmind/db4ai/executor/Makefile
*** openGauss-server-5.0.1/src/gausskernel/dbmind/db4ai/executor/Makefile 2024-05-07 20:16:39.632798858 +0800
--- openGauss-server-5.0.1-edit/src/gausskernel/dbmind/db4ai/executor/Makefile 2024-05-07 20:17:58.897383365 +0800
***************
*** 11,21 ****
include $(top_builddir)/src/Makefile.global
- PLATFORM_ARCH = $(shell uname -p)
- ifeq ($(PLATFORM_ARCH),x86_64)
- override CPPFLAGS += -mavx
- endif
-
ifneq "$(MAKECMDGOALS)" "clean"
ifneq "$(MAKECMDGOALS)" "distclean"
ifneq "$(shell which g++ |grep hutaf_llt |wc -l)" "1"
--- 11,16 ----

111
og-openssl3-adptor.patch Normal file

@ -0,0 +1,111 @@
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/common/interfaces/libpq/fe-secure.cpp opengauss_server_600_edit/src/common/interfaces/libpq/fe-secure.cpp
*** opengauss_server_600/src/common/interfaces/libpq/fe-secure.cpp 2024-11-19 20:01:27.697621300 +0800
--- opengauss_server_600_edit/src/common/interfaces/libpq/fe-secure.cpp 2024-11-19 20:04:07.461621300 +0800
***************
*** 446,451 ****
--- 446,454 ----
libpq_gettext("SSL error: %s, remote datanode %s, error: %s\n"),
errm, conn->remote_nodename, strerror(errno));
SSLerrfree(errm);
+ #ifdef ENABLE_OPENSSL3
+ REMEMBER_EPIPE(spinfo, errno == EPIPE);
+ #endif
/* assume the connection is broken */
result_errno = ECONNRESET;
n = -1;
***************
*** 596,601 ****
--- 599,607 ----
libpq_gettext("SSL error: %s, remote datanode %s, error: %s\n"), errm,
conn->remote_nodename, strerror(errno));
SSLerrfree(errm);
+ #ifdef ENABLE_OPENSSL3
+ REMEMBER_EPIPE(spinfo, errno == EPIPE);
+ #endif
/* assume the connection is broken */
result_errno = ECONNRESET;
n = -1;
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp opengauss_server_600_edit/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp
*** opengauss_server_600/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp 2024-11-19 20:01:27.705621300 +0800
--- opengauss_server_600_edit/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp 2024-11-19 20:04:07.773621300 +0800
***************
*** 47,52 ****
--- 47,62 ----
const int RAND_COUNT = 100;
+ #ifdef ENABLE_OPENSSL3
+ void HmacCtxGroup::free_hmac_ctx(HMAC_CTX** ctx_tmp) const
+ {
+ if (*ctx_tmp != NULL) {
+ HMAC_CTX_free(*ctx_tmp);
+ *ctx_tmp = NULL;
+ }
+ }
+ #endif
+
/* Derives all the required keys from the given root key */
AeadAesHamcEncKey::AeadAesHamcEncKey(unsigned char *root_key, size_t root_key_size)
{
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp opengauss_server_600_edit/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp
*** opengauss_server_600/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp 2024-11-19 20:01:27.705621300 +0800
--- opengauss_server_600_edit/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp 2024-11-19 20:04:07.773621300 +0800
***************
*** 163,174 ****
--- 163,176 ----
return CMKEM_EVP_ERR;
}
+ #ifndef ENABLE_OPENSSL3
ret = EVP_PKEY_set_alias_type(public_evp_key, EVP_PKEY_SM2);
if (ret != 1) {
cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
EVP_PKEY_free(public_evp_key);
return CMKEM_EVP_ERR;
}
+ #endif
/* do cipher. */
ctx = EVP_PKEY_CTX_new(public_evp_key, NULL);
***************
*** 253,264 ****
--- 255,268 ----
return CMKEM_EVP_ERR;
}
+ #ifndef ENABLE_OPENSSL3
ret = EVP_PKEY_set_alias_type(private_evp_key, EVP_PKEY_SM2);
if (ret != 1) {
cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
EVP_PKEY_free(private_evp_key);
return CMKEM_EVP_ERR;
}
+ #endif
/* do cipher. */
ctx = EVP_PKEY_CTX_new(private_evp_key, NULL);
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h opengauss_server_600_edit/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h
*** opengauss_server_600/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h 2024-11-19 20:01:27.721621300 +0800
--- opengauss_server_600_edit/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h 2024-11-19 20:04:08.037621300 +0800
***************
*** 49,54 ****
--- 49,57 ----
HMAC_CTX* ctx_worker;
HMAC_CTX* ctx_template;
private:
+ #ifdef ENABLE_OPENSSL3
+ void free_hmac_ctx(HMAC_CTX** ctx_tmp) const;
+ #else
void free_hmac_ctx(HMAC_CTX** ctx_tmp)
{
if (*ctx_tmp != NULL) {
***************
*** 56,61 ****
--- 59,65 ----
*ctx_tmp = NULL;
}
}
+ #endif
};
/*
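Review bot: In both fe-secure.cpp hunks the added `REMEMBER_EPIPE(spinfo, errno == EPIPE);` reads errno after `strerror(errno)`, `libpq_gettext()` and `SSLerrfree()` have already run, and those calls may modify errno, so the EPIPE test can see a clobbered value; the enclosing functions start and end outside these hunks. Saving errno into a local immediately after the failing SSL call and testing that copy (`int save_errno = errno;` right after the call, then `REMEMBER_EPIPE(spinfo, save_errno == EPIPE);`) keeps the check reliable. The hunk does not say why this bookkeeping is needed only under ENABLE_OPENSSL3; a one-line comment above the `#ifdef` stating the OpenSSL 3 behaviour that motivates it would help the next reader, since the condition otherwise looks like an accidental omission for the non-OpenSSL-3 build.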

64
og-security.patch Normal file

@ -0,0 +1,64 @@
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/bin/gs_persist/CMakeLists.txt opengauss_server_600_edit/src/bin/gs_persist/CMakeLists.txt
*** opengauss_server_600/src/bin/gs_persist/CMakeLists.txt 2024-11-19 20:01:27.693621300 +0800
--- opengauss_server_600_edit/src/bin/gs_persist/CMakeLists.txt 2024-11-19 20:04:07.089621300 +0800
***************
*** 13,19 ****
set(gssgpersist_DEF_OPTIONS ${MACRO_OPTIONS})
set(gssgpersist_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS})
set(gssgpersist_LINK_OPTIONS ${BIN_LINK_OPTIONS})
! set(gssgpersist_LINK_LIBS -lsecurec -ldl -lrt)
if("${ENABLE_UT}" STREQUAL "ON")
add_shared_libtarget(ut_gs_persist_lib tgt_gssgpersist_SRC tgt_gssgpersist_INC "${gssgpersist_DEF_OPTIONS}" "${gssgpersist_COMPILE_OPTIONS}" "${gssgpersist_LINK_OPTIONS}")
--- 13,19 ----
set(gssgpersist_DEF_OPTIONS ${MACRO_OPTIONS})
set(gssgpersist_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS})
set(gssgpersist_LINK_OPTIONS ${BIN_LINK_OPTIONS})
! set(gssgpersist_LINK_LIBS -l${SECURE_C_CHECK} -ldl -lrt)
if("${ENABLE_UT}" STREQUAL "ON")
add_shared_libtarget(ut_gs_persist_lib tgt_gssgpersist_SRC tgt_gssgpersist_INC "${gssgpersist_DEF_OPTIONS}" "${gssgpersist_COMPILE_OPTIONS}" "${gssgpersist_LINK_OPTIONS}")
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/common/interfaces/libpq/CMakeLists.txt opengauss_server_600_edit/src/common/interfaces/libpq/CMakeLists.txt
*** opengauss_server_600/src/common/interfaces/libpq/CMakeLists.txt 2024-11-19 20:01:27.697621300 +0800
--- opengauss_server_600_edit/src/common/interfaces/libpq/CMakeLists.txt 2024-11-19 20:04:07.441621300 +0800
***************
*** 118,126 ****
set(pq_LINK_OPTIONS ${LIB_LINK_OPTIONS})
add_shared_libtarget(pq TGT_pq_SRC TGT_pq_INC "${pq_DEF_OPTIONS}" "${pq_COMPILE_OPTIONS}" "${pq_LINK_OPTIONS}")
if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
! target_link_libraries(pq PRIVATE com_err_gauss crypto gssapi_krb5_gauss gssrpc_gauss k5crypto_gauss krb5_gauss krb5support_gauss securec ssl)
else()
! target_link_libraries(pq PRIVATE crypto securec ssl)
endif()
target_link_directories(pq PUBLIC
${LIBOPENSSL_LIB_PATH} ${KERBEROS_LIB_PATH} ${SECURE_LIB_PATH}
--- 118,126 ----
set(pq_LINK_OPTIONS ${LIB_LINK_OPTIONS})
add_shared_libtarget(pq TGT_pq_SRC TGT_pq_INC "${pq_DEF_OPTIONS}" "${pq_COMPILE_OPTIONS}" "${pq_LINK_OPTIONS}")
if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
! target_link_libraries(pq PRIVATE com_err_gauss crypto gssapi_krb5_gauss gssrpc_gauss k5crypto_gauss krb5_gauss krb5support_gauss ${SECURE_C_CHECK} ssl)
else()
! target_link_libraries(pq PRIVATE crypto ${SECURE_C_CHECK} ssl)
endif()
target_link_directories(pq PUBLIC
${LIBOPENSSL_LIB_PATH} ${KERBEROS_LIB_PATH} ${SECURE_LIB_PATH}
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/gausskernel/security/keymgr/CMakeLists.txt opengauss_server_600_edit/src/gausskernel/security/keymgr/CMakeLists.txt
*** opengauss_server_600/src/gausskernel/security/keymgr/CMakeLists.txt 2024-11-19 20:01:27.705621300 +0800
--- opengauss_server_600_edit/src/gausskernel/security/keymgr/CMakeLists.txt 2024-11-19 20:04:07.773621300 +0800
***************
*** 64,70 ****
if("${ENABLE_KT}" STREQUAL "ON")
add_dependencies(keymgr gs_ktool)
endif()
! set(libkey_LINKS -lcjson -lcurl -lsecurec -lssl -lcrypto -ldl -lrt)
if("${ENABLE_KT}" STREQUAL "ON")
list(APPEND libkey_LINKS -lgs_ktool -lkmc)
endif()
--- 64,70 ----
if("${ENABLE_KT}" STREQUAL "ON")
add_dependencies(keymgr gs_ktool)
endif()
! set(libkey_LINKS -lcjson -lcurl -l${SECURE_C_CHECK} -lssl -lcrypto -ldl -lrt)
if("${ENABLE_KT}" STREQUAL "ON")
list(APPEND libkey_LINKS -lgs_ktool -lkmc)
endif()
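Review bot: `-l${SECURE_C_CHECK}` in the gs_persist and keymgr link lists collapses to a bare `-l` if SECURE_C_CHECK is empty or undefined, which surfaces only as an obscure linker error, and in the libpq hunk the unquoted `${SECURE_C_CHECK}` passed to `target_link_libraries` would instead silently drop the library and leave libpq with unresolved symbols at load time. The set_thirdparty_path.cmake hunks in og-cmake.patch on this page do not define the variable, so this presumably relies on upstream 6.0.0 setting it — worth confirming. A guard next to the definition, `if(NOT SECURE_C_CHECK) message(FATAL_ERROR "SECURE_C_CHECK is not set") endif()`, would turn either failure into a clear configure-time error.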

74
og-syntax.patch Normal file

@ -0,0 +1,74 @@
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/bin/pg_basebackup/pg_basebackup.cpp opengauss_server_600_edit/src/bin/pg_basebackup/pg_basebackup.cpp
*** opengauss_server_600/src/bin/pg_basebackup/pg_basebackup.cpp 2024-11-19 20:01:27.697621300 +0800
--- opengauss_server_600_edit/src/bin/pg_basebackup/pg_basebackup.cpp 2024-11-19 20:04:07.105621300 +0800
***************
*** 1689,1695 ****
struct dirent* ent;
while (1) {
ent = readdir(dir);
! if (ent <= 0) {
break;
}
if ((strcmp(".", ent->d_name) == 0) || (strcmp("..", ent->d_name) == 0)) {
--- 1689,1695 ----
struct dirent* ent;
while (1) {
ent = readdir(dir);
! if (ent == NULL) {
break;
}
if ((strcmp(".", ent->d_name) == 0) || (strcmp("..", ent->d_name) == 0)) {
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/bin/pg_ctl/backup.cpp opengauss_server_600_edit/src/bin/pg_ctl/backup.cpp
*** opengauss_server_600/src/bin/pg_ctl/backup.cpp 2024-11-19 20:01:27.697621300 +0800
--- opengauss_server_600_edit/src/bin/pg_ctl/backup.cpp 2024-11-19 20:04:07.109621300 +0800
***************
*** 1985,1991 ****
}
while (1) {
de = readdir(dir);
! if (de <= 0) {
break;
}
if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) {
--- 1985,1991 ----
}
while (1) {
de = readdir(dir);
! if (de == NULL) {
break;
}
if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) {
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/gausskernel/runtime/opfusion/opfusion_util.cpp opengauss_server_600_edit/src/gausskernel/runtime/opfusion/opfusion_util.cpp
*** opengauss_server_600/src/gausskernel/runtime/opfusion/opfusion_util.cpp 2024-11-19 20:01:27.705621300 +0800
--- opengauss_server_600_edit/src/gausskernel/runtime/opfusion/opfusion_util.cpp 2024-11-19 20:04:07.757621300 +0800
***************
*** 446,452 ****
/* check whether to have order by */
if (node->aggstrategy != AGG_PLAIN ||
! node->groupingSets > 0) {
return NOBYPASS_NOT_PLAIN_AGG;
}
--- 446,452 ----
/* check whether to have order by */
if (node->aggstrategy != AGG_PLAIN ||
! node->groupingSets != NULL) {
return NOBYPASS_NOT_PLAIN_AGG;
}
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/include/gs_policy/policy_common.h opengauss_server_600_edit/src/include/gs_policy/policy_common.h
*** opengauss_server_600/src/include/gs_policy/policy_common.h 2024-11-19 20:01:27.721621300 +0800
--- opengauss_server_600_edit/src/include/gs_policy/policy_common.h 2024-11-19 20:04:08.029621300 +0800
***************
*** 30,35 ****
--- 30,37 ----
#include "gs_map.h"
#include "gs_vector.h"
#include "pgaudit.h"
+ #include <vector>
+ #include <string>
struct GsPolicyFQDN {
GsPolicyFQDN():m_value_schema(0), m_value_object(0), is_function(false){}
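Review bot: A failed readdir() is still indistinguishable from end-of-directory after the `ent == NULL` check in the pg_basebackup.cpp hunk and the `de == NULL` check in the backup.cpp hunk, because readdir(3) returns NULL in both cases and neither loop consults errno. The pointer-vs-integer comparison is fixed, but an I/O error on a directory being backed up now silently ends the listing as if it were complete. To tell the two apart, clear errno before the call and test it on NULL: `errno = 0; ent = readdir(dir); if (ent == NULL) { if (errno != 0) { /* report and fail the backup */ } break; }`. Both enclosing loops start and end outside the hunk, so whether the callers already check errno after the loop is not visible here.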


@ -2,4 +2,5 @@ export GAUSSHOME=/usr/local/opengauss
export LD_LIBRARY_PATH=/usr/local/opengauss/lib:$LD_LIBRARY_PATH
export PATH=/usr/local/opengauss/bin:$PATH
export PGDATA=/var/lib/opengauss/data
export PORT=7654
export PGPORT=7654
export PGDATABASE=postgres
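Review bot: `export PGPORT=7654` hard-codes the same port that the spec fixes with `%define port 7654` and that this profile already exports as `PORT` on the line above (the hunk header shows exactly one added line, presumably the `PGPORT` one), so a port change now has three places to keep in sync. A one-line comment on the new export naming the source of truth, e.g. `# must match %define port in opengauss.spec and PORT above`, would keep them from drifting; whether anything still reads `PORT` is not visible from this file.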


@ -1,5 +1,7 @@
%define zlib_name zlib
%define zlib_version 1.2.12
%define krb5_name krb5
%define krb5_version 1.18.3-final
%define xgboost_name xgboost
%define xgboost_version v1.4.1
%define dmlc_name dmlc-core
@ -7,44 +9,49 @@
%define port 7654
%define datapath /var/lib/opengauss
%define apppath %{_prefix}/local/opengauss
%define tmppath /var/lib/opengauss/pkg_5.0.1
%define tmppath /var/lib/opengauss/pkg_6.0.0
Name: opengauss
Version: 5.0.1
Release: 15
Version: 6.0.0
Release: 16
Summary: openGauss is an open source relational database management system
License: MulanPSL-2.0 and MIT and BSD and zlib and TCL and Apache-2.0 and BSL-1.0
URL: https://gitee.com/opengauss/openGauss-server
Source0: openGauss-server-%{version}.tar.gz
Source2: %{zlib_name}-%{zlib_version}.tar.gz
Source1: %{zlib_name}-%{zlib_version}.tar.gz
Source2: %{krb5_name}-%{krb5_version}.tar.gz
Source3: %{dmlc_name}-%{dmlc_version}.tar.gz
Source4: %{xgboost_name}-%{xgboost_version}.tar.gz
Source5: opengauss-bashprofile
Source6: opengauss.service
Source7: autostart.sh
Source8: version.cfg
Source9: opengauss_upgrade_start.sh
Source10: opengauss_upgrade_common.sh
Source11: opengauss_upgrade_config.sh
Source12: opengauss_upgrade_errorcode.sh
Patch0: og-edit.patch
Patch1: cmake_compile.patch
Patch2: compile_2309.patch
Patch3: openssl3-adptor.patch
Patch4: upgrade.patch
Patch20: zlib.patch
Patch21: zlib-CVE-2022-37434.patch
Source20: opengauss-bashprofile
Source21: opengauss.service
Source22: autostart.sh
Source23: version.cfg
Source24: opengauss_upgrade_start.sh
Source25: opengauss_upgrade_common.sh
Source26: opengauss_upgrade_config.sh
Source27: opengauss_upgrade_errorcode.sh
Patch0: og-cmake.patch
Patch1: og-delete-obs.patch
Patch2: og-openssl3-adptor.patch
Patch3: og-security.patch
Patch4: og-syntax.patch
Patch11: zlib.patch
Patch12: zlib-CVE-2022-37434.patch
Patch21: krb5-backport-Add-a-simple-DER-support-header.patch
Patch22: krb5-backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch
Patch23: krb5-cve-2022-42898.patch
Patch24: krb5-CVE-2023-36054.patch
Patch25: krb5.patch
BuildRequires: cmake gcc gcc-c++ openssl-devel python tar
BuildRequires: cjson lz4-devel zstd-devel boost-devel cjson-devel
BuildRequires: libcgroup-devel libcurl-devel unixODBC-devel jemalloc-devel krb5-devel
BuildRequires: lz4-devel zstd-devel boost-devel cjson-devel
BuildRequires: libcgroup-devel libcurl-devel unixODBC-devel jemalloc-devel
BuildRequires: java-1.8.0-openjdk-devel libedit-devel libaio-devel
BuildRequires: bison flex, DCF >= 5
BuildRequires: numactl-devel
%ifarch sw_64
BuildRequires: libatomic
%endif
BuildRequires: bison flex, DCF >= 6
BuildRequires: numactl-devel libxml2-devel xerces-c-devel pkgconfig(aws-cpp-sdk-core)
BuildRequires: libatomic autoconf
%global _privatelibs lib(cjson|ecpg|z|pg|pq)\\.so*
%global __provides_exclude %{_privatelibs}
@ -53,8 +60,8 @@ BuildRequires: libatomic
Requires: lz4-devel zstd-devel boost-devel cjson-devel tar
Requires: libcgroup-devel libcurl-devel unixODBC-devel jemalloc-devel
Requires: java-1.8.0-openjdk-devel libedit-devel libaio-devel
Requires: DCF >= 5, lsof
Requires: numactl-devel
Requires: DCF >= 6, lsof
Requires: numactl-devel libxml2-devel xerces-c-devel aws-sdk-cpp
%description
openGauss kernel : openGauss is an open source relational database management system.
@ -63,28 +70,51 @@ openGauss kernel : openGauss is an open source relational database management sy
%prep
%setup -q -c -n %{name}-%{version}
%setup -q -D -T -a 1
%setup -q -D -T -a 2
%setup -q -D -T -a 3
%setup -q -D -T -a 4
pushd openGauss-server-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch -P0 -p1
%patch -P1 -p1
%patch -P2 -p1
%patch -P3 -p1
%patch -P4 -p1
popd
pushd %{zlib_name}-%{zlib_version}
%patch20 -p1
%patch21 -p1
%patch -P11 -p1
%patch -P12 -p1
popd
pushd %{krb5_name}-%{krb5_name}-%{krb5_version}
%patch -P21 -p1
%patch -P22 -p1
%patch -P23 -p1
%patch -P24 -p1
%patch -P25 -p1
popd
%build
build_target=$(pwd)/binarylibs/kernel/dependency
########### build krb5 ###########
pushd %{krb5_name}-%{krb5_name}-%{krb5_version}
krb5_dir=${build_target}/kerberos/comm
cd src
autoconf; autoheader; sed -i 's/lcom_err/lcom_err_gauss/g' configure
./configure --prefix=${krb5_dir} LDFLAGS='-Wl,-z,relro,-z,now' CFLAGS='-fstack-protector-strong -fPIC' --disable-rpath --disable-pkinit --with-system-verto=no
make -s %{?_smp_mflags}
make install -s %{?_smp_mflags}
rm -rf ${krb5_dir}/lib/pkgconfig
rm -rf ${krb5_dir}/share
rm -rf ${krb5_dir}/var
popd
########### build zlib ###########
pushd %{zlib_name}-%{zlib_version}
zlib_dir=${build_target}/zlib1.2.11/comm
@ -138,16 +168,18 @@ popd
########### build opengauss ###########
pushd openGauss-server-%{version}
opengauss_source_dir=$(pwd)
export ENABLE_LITE_MODE=ON
export BUILD_TUPLE=$(uname -m)
export DEBUG_TYPE=release
export THIRD_BIN_PATH=${build_target}/../../../binarylibs
export LD_LIBRARY_PATH=$THIRD_BIN_PATH/kernel/dependency/zlib1.2.11/comm/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=$THIRD_BIN_PATH/kernel/dependency/kerberos/comm/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=$THIRD_BIN_PATH/kernel/dependency/xgboost/comm/lib:$LD_LIBRARY_PATH
export PREFIX_HOME=${opengauss_source_dir}/mppdb_temp_install
mkdir -p tmp_build
cd tmp_build
cmake .. -DENABLE_MULTIPLE_NODES=OFF -DENABLE_PRIVATEGAUSS=OFF -DENABLE_THREAD_SAFETY=ON -DENABLE_LITE_MODE=ON -DENABLE_OPENEULER_MAJOR=ON -DWITH_OPENEULER_OS=ON
cmake .. -DENABLE_MULTIPLE_NODES=OFF -DENABLE_THREAD_SAFETY=ON -DWITH_OPENEULER_OS=ON -DENABLE_OPENEULER_MAJOR=ON \
-DENABLE_LLVM_COMPILE=OFF -DENABLE_OBS=OFF -DENABLE_OPENSSL3=ON
make %{?_smp_mflags}
make install
@ -161,35 +193,41 @@ mkdir -p %{buildroot}%{tmppath}/script
# separate_debug_symbol.sh dir
cd ${opengauss_source_dir}/build/script
chmod +x ./separate_debug_information.sh
sed -i '/"$BIN_DIR\/gaussdb\.map"/d' ./separate_debug_information.sh
./separate_debug_information.sh
rm -rf ${opengauss_source_dir}/mppdb_temp_install/packages
rm -rf ${opengauss_source_dir}/mppdb_temp_install/symbols
function get_os_kernel() {
kernel=""
if [[ -f "/etc/euleros-release" ]]; then
kernel=$(cat /etc/euleros-release | awk -F ' ' '{print $1}' | tr a-z A-Z)
if [[ "${kernel}" = "Euleros" ]]; then
kernel="Euler"
fi
elif [[ -f "/etc/openEuler-release" ]]; then
kernel=$(cat /etc/openEuler-release | awk -F ' ' '{print $1}')
elif [[ -f "/etc/centos-release" ]]; then
kernel=$(cat /etc/centos-release | awk -F ' ' '{print $1}')
else
kernel=$(lsb_release -d | awk -F ' ' '{print $2}')
fi
}
get_os_kernel
platform_arch=$(uname -p)
# package
os_name=$(cat /etc/os-release | grep -w NAME | awk -F '"' '{print $2}')
if [[ -f "/etc/openEuler-release" ]]; then
os_name="openEuler"
elif [[ -f "/etc/euleros-release" ]]; then
os_name="EulerOS"
elif [[ -f "/etc/centos-release" ]]; then
os_name="CentOS"
elif [[ -f "/etc/FusionOS-release" ]]; then
os_name="FusionOS"
elif [[ -f "/etc/kylin-release" ]]; then
os_name="Kylin"
elif [[ -f "/etc/asianux-release" ]]; then
os_name="Asianux"
elif [[ -f "/etc/CSIOS-release" ]]; then
os_name="CSIOS"
else
os_name=$(lsb_release -d | awk -F ' ' '{print $2}'| tr A-Z a-z | sed 's/.*/\L&/; s/[a-z]*/\u&/g')
fi
os_version=$(cat /etc/os-release | grep -w VERSION_ID | awk -F '"' '{print $2}')
platform_arch=$(uname -m)
kernel_package_name=openGauss-Server-%{version}-${os_name}-${os_version}-${platform_arch}
cd ${opengauss_source_dir}/mppdb_temp_install
tar -zcf openGauss-Lite-%{version}-${kernel}-${platform_arch}.bin *
sha256sum openGauss-Lite-%{version}-${kernel}-${platform_arch}.bin | awk '{print $1}' > openGauss-Lite-%{version}-${kernel}-${platform_arch}.sha256
tar -zcf ${kernel_package_name}.tar.bz2 *
sha256sum ${kernel_package_name}.tar.bz2 | awk '{print $1}' > ${kernel_package_name}.sha256
# copy binarylibs packages to %{tmppath}
cp -r ${opengauss_source_dir}/mppdb_temp_install/* %{buildroot}%{tmppath}
sed -i "/wal_insert_status_entries/d" ${opengauss_source_dir}/build/script/opengauss_config_file_mini
cp ${opengauss_source_dir}/build/script/opengauss_config_file_mini %{buildroot}%{tmppath}/share/postgresql/
# make package upgrade sql
cd ${opengauss_source_dir}/tmp_build
@ -204,23 +242,23 @@ fi
cp -r upgrade_sql.tar.gz %{buildroot}%{tmppath}
cp -r upgrade_sql.sha256 %{buildroot}%{tmppath}
popd
# opengauss datanode dir.
install -d -m 700 $RPM_BUILD_ROOT%{?_localstatedir}/lib/opengauss/data
# opengauss .bash_profile
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{?_localstatedir}/lib/opengauss/.bash_profile
install -m 644 %{SOURCE20} $RPM_BUILD_ROOT%{?_localstatedir}/lib/opengauss/.bash_profile
# auto start files
install -m 644 %{SOURCE6} %{buildroot}%{tmppath}/script/opengauss.service
install -m 700 %{SOURCE7} %{buildroot}%{tmppath}/script/autostart.sh
install -m 644 %{SOURCE21} %{buildroot}%{tmppath}/script/opengauss.service
install -m 700 %{SOURCE22} %{buildroot}%{tmppath}/script/autostart.sh
# upgrade script
install -m 644 %{SOURCE8} %{buildroot}%{tmppath}/version.cfg
install -m 644 %{SOURCE9} %{buildroot}%{tmppath}/opengauss_upgrade_start.sh
install -m 644 %{SOURCE10} %{buildroot}%{tmppath}/opengauss_upgrade_common.sh
install -m 644 %{SOURCE11} %{buildroot}%{tmppath}/opengauss_upgrade_config.sh
install -m 644 %{SOURCE12} %{buildroot}%{tmppath}/opengauss_upgrade_errorcode.sh
install -m 644 %{SOURCE23} %{buildroot}%{tmppath}/version.cfg
install -m 644 %{SOURCE24} %{buildroot}%{tmppath}/opengauss_upgrade_start.sh
install -m 644 %{SOURCE25} %{buildroot}%{tmppath}/opengauss_upgrade_common.sh
install -m 644 %{SOURCE26} %{buildroot}%{tmppath}/opengauss_upgrade_config.sh
install -m 644 %{SOURCE27} %{buildroot}%{tmppath}/opengauss_upgrade_errorcode.sh
popd
%pre
/usr/sbin/groupadd -r opengauss >/dev/null 2>&1 || :
@ -422,18 +460,18 @@ fi
%files
%defattr (-,root,root)
%{apppath}
%{tmppath}
%doc
%attr(700,opengauss,opengauss) %dir %{?_localstatedir}/lib/opengauss
%attr(700,opengauss,opengauss) %dir %{?_localstatedir}/lib/opengauss/data
%attr(755,opengauss,opengauss) %dir %{apppath}
%attr(755,opengauss,opengauss) %dir %{tmppath}
%attr(644,opengauss,opengauss) %config(noreplace) %{?_localstatedir}/lib/opengauss/.bash_profile
%defattr (755,opengauss,opengauss)
%{apppath}
%defattr (700,opengauss,opengauss)
%{?_localstatedir}/lib/opengauss
%changelog
* Thu Nov 14 2024 liuheng <liuheng76@huawei.com> - 6.0.0-16
- Update version to 6.0.0
* Thu Jun 20 2024 liuheng <liuheng76@huawei.com> - 5.0.1-15
- Fix bugs: Initialize Remove Password
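Review bot: If the `%defattr (755,opengauss,opengauss)` / `%{apppath}` pair at the end of the `%files` hunk is the new side (the rendered order suggests it replaces `%defattr (-,root,root)` and the per-directory `%attr` lines), every binary and shared library under /usr/local/opengauss becomes owned and writable by the service account, so a compromised gaussdb process can overwrite its own executables and persist across restarts. Keep the install tree root-owned and grant the opengauss user only the directories it must write, e.g. `%defattr (-,root,root)` / `%{apppath}` together with `%attr(700,opengauss,opengauss) %dir %{?_localstatedir}/lib/opengauss/data`. The blanket `%defattr (700,opengauss,opengauss)` over `%{?_localstatedir}/lib/opengauss` also drops the `%config(noreplace)` marker on `.bash_profile`, so a package upgrade would silently overwrite local edits to it.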


@ -13,10 +13,10 @@ GAUSS_ADMIN_USER="opengauss"
GAUSS_LOG_PATH="/var/lib/opengauss/opengauss_upgrade"
#数据库升级根位置
GAUSS_UPGRADE_BASE_PATH="/var/lib/opengauss/opengauss_upgrade/pkg_5.0.1"
GAUSS_UPGRADE_BASE_PATH="/var/lib/opengauss/opengauss_upgrade/pkg_6.0.0"
#数据库SQL包位置
GAUSS_SQL_TAR_PATH="/var/lib/opengauss/opengauss_upgrade/pkg_5.0.1"
GAUSS_SQL_TAR_PATH="/var/lib/opengauss/opengauss_upgrade/pkg_6.0.0"
#数据库低版本备份位置
GAUSS_BACKUP_BASE_PATH="/var/lib/opengauss/opengauss_upgrade/bak"


@ -1,89 +0,0 @@
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/common/interfaces/libpq/client_logic_hooks/encryption_hooks/sm2_enc_key.cpp openGauss-server-5.0.1-edit/src/common/interfaces/libpq/client_logic_hooks/encryption_hooks/sm2_enc_key.cpp
*** openGauss-server-5.0.1/src/common/interfaces/libpq/client_logic_hooks/encryption_hooks/sm2_enc_key.cpp 2024-05-07 20:16:39.548798239 +0800
--- openGauss-server-5.0.1-edit/src/common/interfaces/libpq/client_logic_hooks/encryption_hooks/sm2_enc_key.cpp 2024-05-07 20:17:58.813382746 +0800
***************
*** 152,165 ****
EVP_PKEY_free(public_evp_key);
return CMKEM_EVP_ERR;
}
!
ret = EVP_PKEY_set_alias_type(public_evp_key, EVP_PKEY_SM2);
if (ret != 1) {
cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
EVP_PKEY_free(public_evp_key);
return CMKEM_EVP_ERR;
}
!
/* do cipher. */
ctx = EVP_PKEY_CTX_new(public_evp_key, NULL);
EVP_PKEY_free(public_evp_key);
--- 152,165 ----
EVP_PKEY_free(public_evp_key);
return CMKEM_EVP_ERR;
}
! #ifndef WITH_OPENEULER_OS
ret = EVP_PKEY_set_alias_type(public_evp_key, EVP_PKEY_SM2);
if (ret != 1) {
cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
EVP_PKEY_free(public_evp_key);
return CMKEM_EVP_ERR;
}
! #endif
/* do cipher. */
ctx = EVP_PKEY_CTX_new(public_evp_key, NULL);
EVP_PKEY_free(public_evp_key);
***************
*** 242,255 ****
EVP_PKEY_free(private_evp_key);
return CMKEM_EVP_ERR;
}
!
ret = EVP_PKEY_set_alias_type(private_evp_key, EVP_PKEY_SM2);
if (ret != 1) {
cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
EVP_PKEY_free(private_evp_key);
return CMKEM_EVP_ERR;
}
!
/* do cipher. */
ctx = EVP_PKEY_CTX_new(private_evp_key, NULL);
EVP_PKEY_free(private_evp_key);
--- 242,255 ----
EVP_PKEY_free(private_evp_key);
return CMKEM_EVP_ERR;
}
! #ifndef WITH_OPENEULER_OS
ret = EVP_PKEY_set_alias_type(private_evp_key, EVP_PKEY_SM2);
if (ret != 1) {
cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
EVP_PKEY_free(private_evp_key);
return CMKEM_EVP_ERR;
}
! #endif
/* do cipher. */
ctx = EVP_PKEY_CTX_new(private_evp_key, NULL);
EVP_PKEY_free(private_evp_key);
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/include/gs_policy/policy_common.h openGauss-server-5.0.1-edit/src/include/gs_policy/policy_common.h
*** openGauss-server-5.0.1/src/include/gs_policy/policy_common.h 2024-05-07 20:16:40.004801601 +0800
--- openGauss-server-5.0.1-edit/src/include/gs_policy/policy_common.h 2024-05-08 15:15:54.570657064 +0800
***************
*** 22,27 ****
--- 22,28 ----
*/
#ifndef _GS_POLICY_COMMON_H
#define _GS_POLICY_COMMON_H
+ #include <vector>
#include "nodes/parsenodes.h"
#include "nodes/plannodes.h"
***************
*** 31,36 ****
--- 32,39 ----
#include "gs_vector.h"
#include "pgaudit.h"
+ using std::vector;
+
struct GsPolicyFQDN {
GsPolicyFQDN():m_value_schema(0), m_value_object(0), is_function(false){}
Oid m_value_schema; /* schema */


@ -1,159 +0,0 @@
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/liteom/upgrade_common.sh openGauss-server-5.0.1-edit/liteom/upgrade_common.sh
*** openGauss-server-5.0.1/liteom/upgrade_common.sh 2024-05-09 14:48:32.000000000 +0800
--- openGauss-server-5.0.1-edit/liteom/upgrade_common.sh 2024-06-07 17:31:52.228407016 +0800
***************
*** 273,284 ****
}
function check_version() {
- if [[ ! -f "${GAUSSHOME}/version.cfg" ]]; then
- die "Cannot find current version.cfg!" ${err_upgrade_pre}
- else
- old_version=$(tail -n 1 "$GAUSSHOME"/version.cfg)
- old_cfg=$(sed -n 2p "$GAUSSHOME"/version.cfg | sed 's/\.//g')
- fi
if [[ -f "$GAUSS_UPGRADE_BIN_PATH"/version.cfg ]]; then
new_version_cfg_path="${GAUSS_UPGRADE_BIN_PATH}/version.cfg"
elif [[ -f "$GAUSS_UPGRADE_BASE_PATH"/version.cfg ]]; then
--- 273,278 ----
***************
*** 290,333 ****
new_version=$(tail -n 1 "$new_version_cfg_path")
new_cfg=$(sed -n 2p "$new_version_cfg_path" | sed 's/\.//g')
- if [[ X"$old_version" == X || X"$old_cfg" == X || X"$new_version" == X || X"$new_cfg" == X ]]; then
- die "Maybe version.cfg is not normal" ${err_upgrade_pre}
- fi
- if ! echo "$old_cfg"|grep -Ewq "[0-9]{3,6}";then
- die "Maybe version.cfg is not normal" ${err_upgrade_pre}
- fi
if ! echo "$new_cfg"|grep -Ewq "[0-9]{3,6}";then
die "Maybe version.cfg is not normal" ${err_upgrade_pre}
fi
! if [[ "$old_version" == "$new_version" ]]; then
! die "New version is same as old, the commitId is $old_version!" ${err_version_same}
! fi
! if [[ ${new_cfg} -lt ${old_cfg} ]]; then
! die "Current version is newer!" ${err_upgrade_pre}
! fi
! big_cfg="False"
! if [[ ${new_cfg} -gt ${old_cfg} ]]; then
! log "Big upgrade is needed!"
! big_cfg="True"
! fi
local flag_file="$GAUSS_TMP_PATH"/version_flag
- if echo "old_version=$old_version" > "$flag_file" && chmod 600 "$flag_file"; then
- debug "Begin to generate $flag_file"
- else
- die "Write $flag_file failed" ${err_upgrade_pre}
- fi
if ! echo "new_version=$new_version" >> "$flag_file"; then
die "Write $flag_file failed" ${err_upgrade_pre}
fi
if ! echo "big_cfg=$big_cfg" >> "$flag_file"; then
die "Write $flag_file failed" ${err_upgrade_pre}
fi
- if ! echo "old_cfg=$old_cfg" >> "$flag_file"; then
- die "Write $flag_file failed" ${err_upgrade_pre}
- fi
- log "Old version commitId is $old_version, version info is $old_cfg"
log "New version commitId is $new_version, version info is $new_cfg"
##need version.cfg to check big upgrade,note user exec sql on primary dn
--- 284,302 ----
new_version=$(tail -n 1 "$new_version_cfg_path")
new_cfg=$(sed -n 2p "$new_version_cfg_path" | sed 's/\.//g')
if ! echo "$new_cfg"|grep -Ewq "[0-9]{3,6}";then
die "Maybe version.cfg is not normal" ${err_upgrade_pre}
fi
! big_cfg="True"
local flag_file="$GAUSS_TMP_PATH"/version_flag
if ! echo "new_version=$new_version" >> "$flag_file"; then
die "Write $flag_file failed" ${err_upgrade_pre}
fi
if ! echo "big_cfg=$big_cfg" >> "$flag_file"; then
die "Write $flag_file failed" ${err_upgrade_pre}
fi
log "New version commitId is $new_version, version info is $new_cfg"
##need version.cfg to check big upgrade,note user exec sql on primary dn
***************
*** 1239,1242 ****
fi
rm -f "$GAUSS_TMP_PATH"/version_flag
rm -f "$GAUSS_TMP_PATH"/record_step.txt
! }
\ No newline at end of file
--- 1208,1211 ----
fi
rm -f "$GAUSS_TMP_PATH"/version_flag
rm -f "$GAUSS_TMP_PATH"/record_step.txt
! }
diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/liteom/upgrade_config.sh openGauss-server-5.0.1-edit/liteom/upgrade_config.sh
*** openGauss-server-5.0.1/liteom/upgrade_config.sh 2024-05-09 14:48:32.000000000 +0800
--- openGauss-server-5.0.1-edit/liteom/upgrade_config.sh 2024-06-06 16:56:26.681705002 +0800
***************
*** 4,31 ****
# version: 1.0
# 数据库监听端口
! GAUSS_LISTEN_PORT=""
# 数据库管理员用户名
! GAUSS_ADMIN_USER=""
#数据库升级回退日志路径
! GAUSS_LOG_PATH=""
#数据库升级根位置
! GAUSS_UPGRADE_BASE_PATH=""
#数据库SQL包位置
! GAUSS_SQL_TAR_PATH=""
#数据库低版本备份位置
! GAUSS_BACKUP_BASE_PATH=""
#数据库临时目录
! GAUSS_TMP_PATH=""
#是否使用存在的bin解压包
GAUSS_UPGRADE_BIN_PATH=""
#需要同步的cluster config 列表
! GAUSS_UPGRADE_SYNC_CONFIG_LIST=""
\ No newline at end of file
--- 4,31 ----
# version: 1.0
# 数据库监听端口
! GAUSS_LISTEN_PORT="7654"
# 数据库管理员用户名
! GAUSS_ADMIN_USER="opengauss"
#数据库升级回退日志路径
! GAUSS_LOG_PATH="/usr/local/opengauss_upgrade"
#数据库升级根位置
! GAUSS_UPGRADE_BASE_PATH="/usr/local/opengauss_upgrade/pkg_5.0.1"
#数据库SQL包位置
! GAUSS_SQL_TAR_PATH="/usr/local/opengauss_upgrade/pkg_5.0.1"
#数据库低版本备份位置
! GAUSS_BACKUP_BASE_PATH="/usr/local/opengauss_upgrade/bak"
#数据库临时目录
! GAUSS_TMP_PATH="/usr/local/opengauss_upgrade/tmp"
#是否使用存在的bin解压包
GAUSS_UPGRADE_BIN_PATH=""
#需要同步的cluster config 列表
! GAUSS_UPGRADE_SYNC_CONFIG_LIST=""


@ -1,3 +1,4 @@
openGauss-Lite-5.0.1
92.854
33b035fd
openGauss-Server-6.0.0
92.954
798b1578
release