public inbox for [email protected]
help / color / mirror / Atom feedFrom: Daniel Gustafsson <[email protected]>
To: PostgreSQL-development <[email protected]>
Subject: PostgreSQL and OpenSSL 4.0.0
Date: Thu, 16 Apr 2026 15:32:54 +0200
Message-ID: <[email protected]> (raw)
With OpenSSL 4.0.0 shipping GA a few days ago I tried compiling PostgreSQL
against it and run the tests. Unsurpisingly the test pass just fine and it
compiles without error since they aren't removing any API's we use (they are
deprecating more APIs we use, more on that in later threads). There are
however a number of warnings since they changed constness on a number of API's.
Sadly, just adopting const cause similar warnings on OpenSSL 1.1.1 and LibreSSL
so we need to do uglier tricks with casting away constness.
The attached patch, while not pretty, allows libpq and sslinfo to build without
warnings on OpenSSL 1.1.1 through 4.0.0 as well as on LibreSSL (and there is
quite some variability in constness across all these API versions).
--
Daniel Gustafsson
Attachments:
[application/octet-stream] 0001-ssl-Declare-variables-const-as-per-OpenSSL-4-API-upd.patch (6.4K, 2-0001-ssl-Declare-variables-const-as-per-OpenSSL-4-API-upd.patch)
download | inline diff:
From 8c878a8c98816bd47c6e7f39e86f5e477fc230ec Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <[email protected]>
Date: Thu, 16 Apr 2026 15:20:13 +0200
Subject: [PATCH] ssl: Declare variables const as per OpenSSL 4 API updates
OpenSSL 4.0.0 changed some parameters and return values to const,
update our declarations and subsequently cast away constness from
a few callsites to make libpq build without warnings with OpenSSL
1.1.1 through 4.0.0. as well as LibreSSL.
---
contrib/sslinfo/sslinfo.c | 20 ++++++++++----------
src/backend/libpq/be-secure-openssl.c | 14 +++++++-------
src/interfaces/libpq/fe-secure-openssl.c | 9 +++++----
3 files changed, 22 insertions(+), 21 deletions(-)
diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 2b9eb90b093..c4ae847880d 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -24,8 +24,8 @@ PG_MODULE_MAGIC_EXT(
.version = PG_VERSION
);
-static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
-static Datum ASN1_STRING_to_text(ASN1_STRING *str);
+static Datum X509_NAME_field_to_text(const X509_NAME *name, text *fieldName);
+static Datum ASN1_STRING_to_text(const ASN1_STRING *str);
/*
* Function context for data persisting over repeated calls.
@@ -148,7 +148,7 @@ ssl_client_serial(PG_FUNCTION_ARGS)
* function.
*/
static Datum
-ASN1_STRING_to_text(ASN1_STRING *str)
+ASN1_STRING_to_text(const ASN1_STRING *str)
{
BIO *membuf;
size_t size;
@@ -194,12 +194,12 @@ ASN1_STRING_to_text(ASN1_STRING *str)
* part of name
*/
static Datum
-X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
+X509_NAME_field_to_text(const X509_NAME *name, text *fieldName)
{
char *string_fieldname;
int nid,
index;
- ASN1_STRING *data;
+ const ASN1_STRING *data;
string_fieldname = text_to_cstring(fieldName);
nid = OBJ_txt2nid(string_fieldname);
@@ -209,7 +209,7 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
errmsg("invalid X.509 field name: \"%s\"",
string_fieldname)));
pfree(string_fieldname);
- index = X509_NAME_get_index_by_NID(name, nid, -1);
+ index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, name), nid, -1);
if (index < 0)
return (Datum) 0;
data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index));
@@ -421,8 +421,8 @@ ssl_extension_info(PG_FUNCTION_ARGS)
HeapTuple tuple;
Datum result;
BIO *membuf;
- X509_EXTENSION *ext;
- ASN1_OBJECT *obj;
+ const X509_EXTENSION *ext;
+ const ASN1_OBJECT *obj;
int nid;
int len;
@@ -435,7 +435,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
/* Get the extension from the certificate */
ext = X509_get_ext(cert, call_cntr);
- obj = X509_EXTENSION_get_object(ext);
+ obj = X509_EXTENSION_get_object(unconstify(X509_EXTENSION *, ext));
/* Get the extension name */
nid = OBJ_obj2nid(obj);
@@ -448,7 +448,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
nulls[0] = false;
/* Get the extension value */
- if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
+ if (X509V3_EXT_print(membuf, unconstify(X509_EXTENSION *, ext), 0, 0) <= 0)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("could not print extension value in certificate at position %d",
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index a3e222f3a3d..3bf96022e1b 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -106,7 +106,7 @@ static void host_context_cleanup_cb(void *arg);
static int sni_clienthello_cb(SSL *ssl, int *al, void *arg);
#endif
-static char *X509_NAME_to_cstring(X509_NAME *name);
+static char *X509_NAME_to_cstring(const X509_NAME *name);
static SSL_CTX *SSL_context = NULL;
static MemoryContext SSL_hosts_memcxt = NULL;
@@ -1071,18 +1071,18 @@ aloop:
if (port->peer != NULL)
{
int len;
- X509_NAME *x509name = X509_get_subject_name(port->peer);
+ const X509_NAME *x509name = X509_get_subject_name(port->peer);
char *peer_dn;
BIO *bio = NULL;
BUF_MEM *bio_buf = NULL;
- len = X509_NAME_get_text_by_NID(x509name, NID_commonName, NULL, 0);
+ len = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, NULL, 0);
if (len != -1)
{
char *peer_cn;
peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1);
- r = X509_NAME_get_text_by_NID(x509name, NID_commonName, peer_cn,
+ r = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, peer_cn,
len + 1);
peer_cn[len] = '\0';
if (r != len)
@@ -2333,14 +2333,14 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
*
*/
static char *
-X509_NAME_to_cstring(X509_NAME *name)
+X509_NAME_to_cstring(const X509_NAME *name)
{
BIO *membuf = BIO_new(BIO_s_mem());
int i,
nid,
count = X509_NAME_entry_count(name);
- X509_NAME_ENTRY *e;
- ASN1_STRING *v;
+ const X509_NAME_ENTRY *e;
+ const ASN1_STRING *v;
const char *field_name;
size_t size;
char nullterm;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index fbd3c63fb5d..6b44eeb68eb 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -67,7 +67,7 @@
static int verify_cb(int ok, X509_STORE_CTX *ctx);
static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
- ASN1_STRING *name_entry,
+ const ASN1_STRING *name_entry,
char **store_name);
static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
ASN1_OCTET_STRING *addr_entry,
@@ -467,7 +467,8 @@ cert_cb(SSL *ssl, void *arg)
* into a plain C string.
*/
static int
-openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
+openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
+ const ASN1_STRING *name_entry,
char **store_name)
{
int len;
@@ -650,14 +651,14 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
*/
if (check_cn)
{
- X509_NAME *subject_name;
+ const X509_NAME *subject_name;
subject_name = X509_get_subject_name(conn->peer);
if (subject_name != NULL)
{
int cn_index;
- cn_index = X509_NAME_get_index_by_NID(subject_name,
+ cn_index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, subject_name),
NID_commonName, -1);
if (cn_index >= 0)
{
--
2.39.3 (Apple Git-146)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: PostgreSQL and OpenSSL 4.0.0
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox