From: Daniel Gustafsson <[email protected]>
To: Michael Paquier <[email protected]>
Cc: PostgreSQL-development <[email protected]>
Subject: Re: PostgreSQL and OpenSSL 4.0.0
Date: Thu, 7 May 2026 15:44:45 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>

> On 17 Apr 2026, at 23:50, Michael Paquier <[email protected]> wrote:
> 
> On Thu, Apr 16, 2026 at 03:32:54PM +0200, Daniel Gustafsson wrote:
>> The attached patch, while not pretty, allows libpq and sslinfo to build without
>> warnings on OpenSSL 1.1.1 through 4.0.0 as well as on LibreSSL (and there is
>> quite some variability in constness across all these API versions).
> 
> Thanks for that.  That is super fast.
> 
> This is likely going to require a backpatch at some point, right?
> What's the impact of the blast in branches where we need to support
> OpenSSL down to 1.0.1, which is the minimum version in REL_14_STABLE?

Indeed, we probably want to backpatch this at some point since OpenSSL 4 is
equally likely to be used regardless of which branch users compile.  Whether we
want to apply this already before 19 goes beta I'll leave for the RMT to
decide.

For 14 through master the attached compiles without warnings and tests green on
all the supported versions of OpenSSL and LibreSSL.  That being said, I'm not
sure that we want to go all the way to 14 since if something does break, we
can't really go around fixing it - I think amending the docs in 14 stating that
OpenSSL 3.6 is the highest supported version is a better solution.

--
Daniel Gustafsson



Attachments:

  [application/octet-stream] vmaster--18-0001-Support-OpenSSL-4.patch (8.9K, 2-vmaster--18-0001-Support-OpenSSL-4.patch)
From 585563a1559666925acf125ee30f4ff73e27ca8e Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <[email protected]>
Date: Thu, 16 Apr 2026 15:20:13 +0200
Subject: [PATCH vmaster] Support OpenSSL 4

OpenSSL 4.0.0 changed some parameters and return values to const, so
we need to update our declarations and subsequently cast away const-
ness at a few call sites to make libpq build without warnings. This
is tested with OpenSSL 1.1.1 through 4.0.0 as well as with LibreSSL.

There is also an error message change in OpenSSL 4.0.0 which needs to
be covered by our test harness.

Author: Daniel Gustafsson <[email protected]>
Discussion: https://postgr.es/m/[email protected]
---
 contrib/sslinfo/sslinfo.c                | 20 ++++++++++----------
 src/backend/libpq/be-secure-openssl.c    | 14 +++++++-------
 src/interfaces/libpq/fe-secure-openssl.c |  9 +++++----
 src/test/ssl/t/001_ssltests.pl           |  6 +++---
 4 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 2b9eb90b093..c4ae847880d 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -24,8 +24,8 @@ PG_MODULE_MAGIC_EXT(
 					.version = PG_VERSION
 );
 
-static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
-static Datum ASN1_STRING_to_text(ASN1_STRING *str);
+static Datum X509_NAME_field_to_text(const X509_NAME *name, text *fieldName);
+static Datum ASN1_STRING_to_text(const ASN1_STRING *str);
 
 /*
  * Function context for data persisting over repeated calls.
@@ -148,7 +148,7 @@ ssl_client_serial(PG_FUNCTION_ARGS)
  * function.
  */
 static Datum
-ASN1_STRING_to_text(ASN1_STRING *str)
+ASN1_STRING_to_text(const ASN1_STRING *str)
 {
 	BIO		   *membuf;
 	size_t		size;
@@ -194,12 +194,12 @@ ASN1_STRING_to_text(ASN1_STRING *str)
  * part of name
  */
 static Datum
-X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
+X509_NAME_field_to_text(const X509_NAME *name, text *fieldName)
 {
 	char	   *string_fieldname;
 	int			nid,
 				index;
-	ASN1_STRING *data;
+	const ASN1_STRING *data;
 
 	string_fieldname = text_to_cstring(fieldName);
 	nid = OBJ_txt2nid(string_fieldname);
@@ -209,7 +209,7 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
 				 errmsg("invalid X.509 field name: \"%s\"",
 						string_fieldname)));
 	pfree(string_fieldname);
-	index = X509_NAME_get_index_by_NID(name, nid, -1);
+	index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, name), nid, -1);
 	if (index < 0)
 		return (Datum) 0;
 	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index));
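Review bot: None of the new unconstify() casts record which library versions need them or why writing through the cast pointer would be unsafe, so a later cleanup pass is likely to drop them and reintroduce the warning on one end of the supported range; a one-line comment at the first cast in X509_NAME_field_to_text would guard against that. Something like `/* some supported OpenSSL/LibreSSL versions declare this parameter non-const; the call only reads, so dropping const is safe */` is enough, and the same note belongs with the ext casts in ssl_extension_info, the x509name casts in be-secure-openssl.c and the subject_name cast in fe-secure-openssl.c, as well as in the REL_17, REL_15 and REL_14 variants. The invariant worth writing down is that a pointer OpenSSL 4 returns as const is only ever handed to read-only calls after the cast and must never reach a mutating API. X509_NAME_field_to_text's body continues past the hunk.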
@@ -421,8 +421,8 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		HeapTuple	tuple;
 		Datum		result;
 		BIO		   *membuf;
-		X509_EXTENSION *ext;
-		ASN1_OBJECT *obj;
+		const X509_EXTENSION *ext;
+		const ASN1_OBJECT *obj;
 		int			nid;
 		int			len;
 
@@ -435,7 +435,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 
 		/* Get the extension from the certificate */
 		ext = X509_get_ext(cert, call_cntr);
-		obj = X509_EXTENSION_get_object(ext);
+		obj = X509_EXTENSION_get_object(unconstify(X509_EXTENSION *, ext));
 
 		/* Get the extension name */
 		nid = OBJ_obj2nid(obj);
@@ -448,7 +448,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		nulls[0] = false;
 
 		/* Get the extension value */
-		if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
+		if (X509V3_EXT_print(membuf, unconstify(X509_EXTENSION *, ext), 0, 0) <= 0)
 			ereport(ERROR,
 					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 					 errmsg("could not print extension value in certificate at position %d",
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index b978497b5d4..8a06fb11ec3 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -106,7 +106,7 @@ static void host_context_cleanup_cb(void *arg);
 static int	sni_clienthello_cb(SSL *ssl, int *al, void *arg);
 #endif
 
-static char *X509_NAME_to_cstring(X509_NAME *name);
+static char *X509_NAME_to_cstring(const X509_NAME *name);
 
 static SSL_CTX *SSL_context = NULL;
 static MemoryContext SSL_hosts_memcxt = NULL;
@@ -1071,18 +1071,18 @@ aloop:
 	if (port->peer != NULL)
 	{
 		int			len;
-		X509_NAME  *x509name = X509_get_subject_name(port->peer);
+		const X509_NAME *x509name = X509_get_subject_name(port->peer);
 		char	   *peer_dn;
 		BIO		   *bio = NULL;
 		BUF_MEM    *bio_buf = NULL;
 
-		len = X509_NAME_get_text_by_NID(x509name, NID_commonName, NULL, 0);
+		len = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, NULL, 0);
 		if (len != -1)
 		{
 			char	   *peer_cn;
 
 			peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1);
-			r = X509_NAME_get_text_by_NID(x509name, NID_commonName, peer_cn,
+			r = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, peer_cn,
 										  len + 1);
 			peer_cn[len] = '\0';
 			if (r != len)
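Review bot: x509name is declared const only to be cast back with unconstify() at both call sites in this hunk (and a third time at X509_NAME_print_ex in the REL_17 and REL_15 variants), which hides that the variable is never actually used as a const pointer. Unless the intent is to make every read-only call site visible, casting once at the assignment, `X509_NAME *x509name = unconstify(X509_NAME *, X509_get_subject_name(port->peer));`, keeps the lines short and puts the single place where constness is dropped next to the comment explaining it. The same pattern appears with `e` in the X509_NAME_to_cstring loop of the back-branch patches, where every use of e is wrapped in unconstify(). The enclosing function starts and ends outside this hunk.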
@@ -2333,14 +2333,14 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
  *
  */
 static char *
-X509_NAME_to_cstring(X509_NAME *name)
+X509_NAME_to_cstring(const X509_NAME *name)
 {
 	BIO		   *membuf = BIO_new(BIO_s_mem());
 	int			i,
 				nid,
 				count = X509_NAME_entry_count(name);
-	X509_NAME_ENTRY *e;
-	ASN1_STRING *v;
+	const X509_NAME_ENTRY *e;
+	const ASN1_STRING *v;
 	const char *field_name;
 	size_t		size;
 	char		nullterm;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index fbd3c63fb5d..6b44eeb68eb 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -67,7 +67,7 @@
 
 static int	verify_cb(int ok, X509_STORE_CTX *ctx);
 static int	openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
-															  ASN1_STRING *name_entry,
+															  const ASN1_STRING *name_entry,
 															  char **store_name);
 static int	openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
 															ASN1_OCTET_STRING *addr_entry,
@@ -467,7 +467,8 @@ cert_cb(SSL *ssl, void *arg)
  * into a plain C string.
  */
 static int
-openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
+openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
+												  const ASN1_STRING *name_entry,
 												  char **store_name)
 {
 	int			len;
@@ -650,14 +651,14 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
 	 */
 	if (check_cn)
 	{
-		X509_NAME  *subject_name;
+		const X509_NAME *subject_name;
 
 		subject_name = X509_get_subject_name(conn->peer);
 		if (subject_name != NULL)
 		{
 			int			cn_index;
 
-			cn_index = X509_NAME_get_index_by_NID(subject_name,
+			cn_index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, subject_name),
 												  NID_commonName, -1);
 			if (cn_index >= 0)
 			{
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 0af887caa63..01f3573e1fd 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -885,7 +885,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	log_like => [
 		qr{Client certificate verification failed at depth 0: certificate revoked},
 		qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number \d+, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
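Review bot: The rewritten pattern switches to `!` as the qr delimiter, while the log_like patterns in the same connect_fails call use `qr{...}`; since `{}` also avoids the clash with the `|` alternation, `expected_stderr => qr{SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked},` keeps the file's existing style. The group is only used for alternation, so `(?:ssl[a-z0-9/]*|tls)` would additionally make clear that nothing is captured. The same applies to the two later hunks in this file and to the 001_ssltests.pl hunks in the REL_17 and REL_15 patches.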
@@ -987,7 +987,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert with server-side CRL directory",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	log_like => [
 		qr{Client certificate verification failed at depth 0: certificate revoked},
 		qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number \d+, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
@@ -998,7 +998,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt "
 	  . sslkey('client-revoked-utf8.key'),
 	"certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	log_like => [
 		qr{Client certificate verification failed at depth 0: certificate revoked},
 		qr{Failed certificate data \(unverified\): subject "/CN=\\xce\\x9f\\xce\\xb4\\xcf\\x85\\xcf\\x83\\xcf\\x83\\xce\\xad\\xce\\xb1\\xcf\\x82", serial number \d+, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
-- 
2.39.3 (Apple Git-146)



  [application/octet-stream] vREL_17--REL_16-0001-Support-OpenSSL-4.patch (10.9K, 3-vREL_17--REL_16-0001-Support-OpenSSL-4.patch)
From 4964aaf322bfd55aa27065d2e732c6e69775e0bf Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <[email protected]>
Date: Thu, 7 May 2026 10:46:18 +0200
Subject: [PATCH vREL_17] Support OpenSSL 4

OpenSSL 4.0.0 changed some parameters and return values to const, so
we need to update our declarations and subsequently cast away const-
ness at a few call sites to make libpq build without warnings. This
is tested with OpenSSL 1.1.1 through 4.0.0 as well as with LibreSSL.

There is also an error message change in OpenSSL 4.0.0 which needs to
be covered by our test harness.

Author: Daniel Gustafsson <[email protected]>
Discussion: https://postgr.es/m/[email protected]
---
 contrib/sslinfo/sslinfo.c                | 24 +++++++++++-----------
 src/backend/libpq/be-secure-openssl.c    | 26 ++++++++++++------------
 src/interfaces/libpq/fe-secure-openssl.c | 13 ++++++------
 src/test/ssl/t/001_ssltests.pl           |  4 ++--
 4 files changed, 34 insertions(+), 33 deletions(-)

diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 5fd46b98741..4251ccfd174 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -32,8 +32,8 @@
 
 PG_MODULE_MAGIC;
 
-static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
-static Datum ASN1_STRING_to_text(ASN1_STRING *str);
+static Datum X509_NAME_field_to_text(const X509_NAME *name, text *fieldName);
+static Datum ASN1_STRING_to_text(const ASN1_STRING *str);
 
 /*
  * Function context for data persisting over repeated calls.
@@ -156,7 +156,7 @@ ssl_client_serial(PG_FUNCTION_ARGS)
  * function.
  */
 static Datum
-ASN1_STRING_to_text(ASN1_STRING *str)
+ASN1_STRING_to_text(const ASN1_STRING *str)
 {
 	BIO		   *membuf;
 	size_t		size;
@@ -171,7 +171,7 @@ ASN1_STRING_to_text(ASN1_STRING *str)
 				(errcode(ERRCODE_OUT_OF_MEMORY),
 				 errmsg("could not create OpenSSL BIO structure")));
 	(void) BIO_set_close(membuf, BIO_CLOSE);
-	ASN1_STRING_print_ex(membuf, str,
+	ASN1_STRING_print_ex(membuf, unconstify(ASN1_STRING *, str),
 						 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
 						  | ASN1_STRFLGS_UTF8_CONVERT));
 	/* ensure null termination of the BIO's content */
@@ -202,12 +202,12 @@ ASN1_STRING_to_text(ASN1_STRING *str)
  * part of name
  */
 static Datum
-X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
+X509_NAME_field_to_text(const X509_NAME *name, text *fieldName)
 {
 	char	   *string_fieldname;
 	int			nid,
 				index;
-	ASN1_STRING *data;
+	const ASN1_STRING *data;
 
 	string_fieldname = text_to_cstring(fieldName);
 	nid = OBJ_txt2nid(string_fieldname);
@@ -217,10 +217,10 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
 				 errmsg("invalid X.509 field name: \"%s\"",
 						string_fieldname)));
 	pfree(string_fieldname);
-	index = X509_NAME_get_index_by_NID(name, nid, -1);
+	index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, name), nid, -1);
 	if (index < 0)
 		return (Datum) 0;
-	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index));
+	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(unconstify(X509_NAME *, name), index));
 	return ASN1_STRING_to_text(data);
 }
 
@@ -429,8 +429,8 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		HeapTuple	tuple;
 		Datum		result;
 		BIO		   *membuf;
-		X509_EXTENSION *ext;
-		ASN1_OBJECT *obj;
+		const X509_EXTENSION *ext;
+		const ASN1_OBJECT *obj;
 		int			nid;
 		int			len;
 
@@ -443,7 +443,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 
 		/* Get the extension from the certificate */
 		ext = X509_get_ext(cert, call_cntr);
-		obj = X509_EXTENSION_get_object(ext);
+		obj = X509_EXTENSION_get_object(unconstify(X509_EXTENSION *, ext));
 
 		/* Get the extension name */
 		nid = OBJ_obj2nid(obj);
@@ -456,7 +456,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		nulls[0] = false;
 
 		/* Get the extension value */
-		if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
+		if (X509V3_EXT_print(membuf, unconstify(X509_EXTENSION *, ext), 0, 0) <= 0)
 			ereport(ERROR,
 					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 					 errmsg("could not print extension value in certificate at position %d",
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 486a66b0bf1..8c101528618 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -77,7 +77,7 @@ static bool initialize_dh(SSL_CTX *context, bool isServerStart);
 static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessage(unsigned long ecode);
 
-static char *X509_NAME_to_cstring(X509_NAME *name);
+static char *X509_NAME_to_cstring(const X509_NAME *name);
 
 static SSL_CTX *SSL_context = NULL;
 static bool SSL_initialized = false;
@@ -634,18 +634,18 @@ aloop:
 	if (port->peer != NULL)
 	{
 		int			len;
-		X509_NAME  *x509name = X509_get_subject_name(port->peer);
+		const X509_NAME *x509name = X509_get_subject_name(port->peer);
 		char	   *peer_dn;
 		BIO		   *bio = NULL;
 		BUF_MEM    *bio_buf = NULL;
 
-		len = X509_NAME_get_text_by_NID(x509name, NID_commonName, NULL, 0);
+		len = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, NULL, 0);
 		if (len != -1)
 		{
 			char	   *peer_cn;
 
 			peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1);
-			r = X509_NAME_get_text_by_NID(x509name, NID_commonName, peer_cn,
+			r = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, peer_cn,
 										  len + 1);
 			peer_cn[len] = '\0';
 			if (r != len)
@@ -689,7 +689,7 @@ aloop:
 		 * which make regular expression matching a bit easier. Also note that
 		 * it prints the Subject fields in reverse order.
 		 */
-		if (X509_NAME_print_ex(bio, x509name, 0, XN_FLAG_RFC2253) == -1 ||
+		if (X509_NAME_print_ex(bio, unconstify(X509_NAME *, x509name), 0, XN_FLAG_RFC2253) == -1 ||
 			BIO_get_mem_ptr(bio, &bio_buf) <= 0)
 		{
 			BIO_free(bio);
@@ -1615,14 +1615,14 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
  *
  */
 static char *
-X509_NAME_to_cstring(X509_NAME *name)
+X509_NAME_to_cstring(const X509_NAME *name)
 {
 	BIO		   *membuf = BIO_new(BIO_s_mem());
 	int			i,
 				nid,
-				count = X509_NAME_entry_count(name);
-	X509_NAME_ENTRY *e;
-	ASN1_STRING *v;
+				count = X509_NAME_entry_count(unconstify(X509_NAME *, name));
+	const X509_NAME_ENTRY *e;
+	const ASN1_STRING *v;
 	const char *field_name;
 	size_t		size;
 	char		nullterm;
@@ -1638,13 +1638,13 @@ X509_NAME_to_cstring(X509_NAME *name)
 	(void) BIO_set_close(membuf, BIO_CLOSE);
 	for (i = 0; i < count; i++)
 	{
-		e = X509_NAME_get_entry(name, i);
-		nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));
+		e = X509_NAME_get_entry(unconstify(X509_NAME *, name), i);
+		nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(unconstify(X509_NAME_ENTRY *, e)));
 		if (nid == NID_undef)
 			ereport(ERROR,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("could not get NID for ASN1_OBJECT object")));
-		v = X509_NAME_ENTRY_get_data(e);
+		v = X509_NAME_ENTRY_get_data(unconstify(X509_NAME_ENTRY *, e));
 		field_name = OBJ_nid2sn(nid);
 		if (field_name == NULL)
 			field_name = OBJ_nid2ln(nid);
@@ -1653,7 +1653,7 @@ X509_NAME_to_cstring(X509_NAME *name)
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid)));
 		BIO_printf(membuf, "/%s=", field_name);
-		ASN1_STRING_print_ex(membuf, v,
+		ASN1_STRING_print_ex(membuf, unconstify(ASN1_STRING *, v),
 							 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
 							  | ASN1_STRFLGS_UTF8_CONVERT));
 	}
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index b6fffd7b9b0..33ce6d5ffe3 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -66,7 +66,7 @@
 
 static int	verify_cb(int ok, X509_STORE_CTX *ctx);
 static int	openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
-															  ASN1_STRING *name_entry,
+															  const ASN1_STRING *name_entry,
 															  char **store_name);
 static int	openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
 															ASN1_OCTET_STRING *addr_entry,
@@ -489,7 +489,8 @@ cert_cb(SSL *ssl, void *arg)
  * into a plain C string.
  */
 static int
-openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
+openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
+												  const ASN1_STRING *name_entry,
 												  char **store_name)
 {
 	int			len;
@@ -508,7 +509,7 @@ openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *nam
 #ifdef HAVE_ASN1_STRING_GET0_DATA
 	namedata = ASN1_STRING_get0_data(name_entry);
 #else
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_data(unconstify(ASN1_STRING *, name_entry));
 #endif
 	len = ASN1_STRING_length(name_entry);
 
@@ -680,14 +681,14 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
 	 */
 	if (check_cn)
 	{
-		X509_NAME  *subject_name;
+		const X509_NAME *subject_name;
 
 		subject_name = X509_get_subject_name(conn->peer);
 		if (subject_name != NULL)
 		{
 			int			cn_index;
 
-			cn_index = X509_NAME_get_index_by_NID(subject_name,
+			cn_index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, subject_name),
 												  NID_commonName, -1);
 			if (cn_index >= 0)
 			{
@@ -695,7 +696,7 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
 
 				(*names_examined)++;
 				rc = openssl_verify_peer_name_matches_certificate_name(conn,
-																	   X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),
+																	   X509_NAME_ENTRY_get_data(X509_NAME_get_entry(unconstify(X509_NAME *, subject_name), cn_index)),
 																	   &common_name);
 
 				if (common_name)
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 17dd3964b76..4880d8a75b9 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -773,7 +773,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	# temporarily(?) skip this check due to timing issue
 	#	log_like => [
 	#		qr{Client certificate verification failed at depth 0: certificate revoked},
@@ -878,7 +878,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert with server-side CRL directory",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	# temporarily(?) skip this check due to timing issue
 	#	log_like => [
 	#		qr{Client certificate verification failed at depth 0: certificate revoked},
-- 
2.39.3 (Apple Git-146)



  [application/octet-stream] vREL_15-0001-Support-OpenSSL-4.patch (9.9K, 4-vREL_15-0001-Support-OpenSSL-4.patch)
From 55515764f958ce6c7e1cb212d043584dfa55d6a8 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <[email protected]>
Date: Thu, 7 May 2026 10:46:18 +0200
Subject: [PATCH vREL_15] Support OpenSSL 4

OpenSSL 4.0.0 changed some parameters and return values to const, so
we need to update our declarations and subsequently cast away const-
ness at a few call sites to make libpq build without warnings. This
is tested with OpenSSL 1.1.1 through 4.0.0 as well as with LibreSSL.

There is also an error message change in OpenSSL 4.0.0 which needs to
be covered by our test harness.

Author: Daniel Gustafsson <[email protected]>
Discussion: https://postgr.es/m/[email protected]
---
 contrib/sslinfo/sslinfo.c                | 24 +++++++++++-----------
 src/backend/libpq/be-secure-openssl.c    | 26 ++++++++++++------------
 src/interfaces/libpq/fe-secure-openssl.c |  9 ++++----
 src/test/ssl/t/001_ssltests.pl           |  4 ++--
 4 files changed, 32 insertions(+), 31 deletions(-)

diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 5fd46b98741..4251ccfd174 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -32,8 +32,8 @@
 
 PG_MODULE_MAGIC;
 
-static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
-static Datum ASN1_STRING_to_text(ASN1_STRING *str);
+static Datum X509_NAME_field_to_text(const X509_NAME *name, text *fieldName);
+static Datum ASN1_STRING_to_text(const ASN1_STRING *str);
 
 /*
  * Function context for data persisting over repeated calls.
@@ -156,7 +156,7 @@ ssl_client_serial(PG_FUNCTION_ARGS)
  * function.
  */
 static Datum
-ASN1_STRING_to_text(ASN1_STRING *str)
+ASN1_STRING_to_text(const ASN1_STRING *str)
 {
 	BIO		   *membuf;
 	size_t		size;
@@ -171,7 +171,7 @@ ASN1_STRING_to_text(ASN1_STRING *str)
 				(errcode(ERRCODE_OUT_OF_MEMORY),
 				 errmsg("could not create OpenSSL BIO structure")));
 	(void) BIO_set_close(membuf, BIO_CLOSE);
-	ASN1_STRING_print_ex(membuf, str,
+	ASN1_STRING_print_ex(membuf, unconstify(ASN1_STRING *, str),
 						 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
 						  | ASN1_STRFLGS_UTF8_CONVERT));
 	/* ensure null termination of the BIO's content */
@@ -202,12 +202,12 @@ ASN1_STRING_to_text(ASN1_STRING *str)
  * part of name
  */
 static Datum
-X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
+X509_NAME_field_to_text(const X509_NAME *name, text *fieldName)
 {
 	char	   *string_fieldname;
 	int			nid,
 				index;
-	ASN1_STRING *data;
+	const ASN1_STRING *data;
 
 	string_fieldname = text_to_cstring(fieldName);
 	nid = OBJ_txt2nid(string_fieldname);
@@ -217,10 +217,10 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
 				 errmsg("invalid X.509 field name: \"%s\"",
 						string_fieldname)));
 	pfree(string_fieldname);
-	index = X509_NAME_get_index_by_NID(name, nid, -1);
+	index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, name), nid, -1);
 	if (index < 0)
 		return (Datum) 0;
-	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index));
+	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(unconstify(X509_NAME *, name), index));
 	return ASN1_STRING_to_text(data);
 }
 
@@ -429,8 +429,8 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		HeapTuple	tuple;
 		Datum		result;
 		BIO		   *membuf;
-		X509_EXTENSION *ext;
-		ASN1_OBJECT *obj;
+		const X509_EXTENSION *ext;
+		const ASN1_OBJECT *obj;
 		int			nid;
 		int			len;
 
@@ -443,7 +443,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 
 		/* Get the extension from the certificate */
 		ext = X509_get_ext(cert, call_cntr);
-		obj = X509_EXTENSION_get_object(ext);
+		obj = X509_EXTENSION_get_object(unconstify(X509_EXTENSION *, ext));
 
 		/* Get the extension name */
 		nid = OBJ_obj2nid(obj);
@@ -456,7 +456,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		nulls[0] = false;
 
 		/* Get the extension value */
-		if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
+		if (X509V3_EXT_print(membuf, unconstify(X509_EXTENSION *, ext), 0, 0) <= 0)
 			ereport(ERROR,
 					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 					 errmsg("could not print extension value in certificate at position %d",
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index b0492c443ec..96e60a97f04 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -71,7 +71,7 @@ static bool initialize_dh(SSL_CTX *context, bool isServerStart);
 static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessage(unsigned long ecode);
 
-static char *X509_NAME_to_cstring(X509_NAME *name);
+static char *X509_NAME_to_cstring(const X509_NAME *name);
 
 static SSL_CTX *SSL_context = NULL;
 static bool SSL_initialized = false;
@@ -587,18 +587,18 @@ aloop:
 	if (port->peer != NULL)
 	{
 		int			len;
-		X509_NAME  *x509name = X509_get_subject_name(port->peer);
+		const X509_NAME *x509name = X509_get_subject_name(port->peer);
 		char	   *peer_dn;
 		BIO		   *bio = NULL;
 		BUF_MEM    *bio_buf = NULL;
 
-		len = X509_NAME_get_text_by_NID(x509name, NID_commonName, NULL, 0);
+		len = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, NULL, 0);
 		if (len != -1)
 		{
 			char	   *peer_cn;
 
 			peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1);
-			r = X509_NAME_get_text_by_NID(x509name, NID_commonName, peer_cn,
+			r = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, peer_cn,
 										  len + 1);
 			peer_cn[len] = '\0';
 			if (r != len)
@@ -642,7 +642,7 @@ aloop:
 		 * which make regular expression matching a bit easier. Also note that
 		 * it prints the Subject fields in reverse order.
 		 */
-		if (X509_NAME_print_ex(bio, x509name, 0, XN_FLAG_RFC2253) == -1 ||
+		if (X509_NAME_print_ex(bio, unconstify(X509_NAME *, x509name), 0, XN_FLAG_RFC2253) == -1 ||
 			BIO_get_mem_ptr(bio, &bio_buf) <= 0)
 		{
 			BIO_free(bio);
@@ -1422,14 +1422,14 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
  *
  */
 static char *
-X509_NAME_to_cstring(X509_NAME *name)
+X509_NAME_to_cstring(const X509_NAME *name)
 {
 	BIO		   *membuf = BIO_new(BIO_s_mem());
 	int			i,
 				nid,
-				count = X509_NAME_entry_count(name);
-	X509_NAME_ENTRY *e;
-	ASN1_STRING *v;
+				count = X509_NAME_entry_count(unconstify(X509_NAME *, name));
+	const X509_NAME_ENTRY *e;
+	const ASN1_STRING *v;
 	const char *field_name;
 	size_t		size;
 	char		nullterm;
@@ -1445,13 +1445,13 @@ X509_NAME_to_cstring(X509_NAME *name)
 	(void) BIO_set_close(membuf, BIO_CLOSE);
 	for (i = 0; i < count; i++)
 	{
-		e = X509_NAME_get_entry(name, i);
-		nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));
+		e = X509_NAME_get_entry(unconstify(X509_NAME *, name), i);
+		nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(unconstify(X509_NAME_ENTRY *, e)));
 		if (nid == NID_undef)
 			ereport(ERROR,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("could not get NID for ASN1_OBJECT object")));
-		v = X509_NAME_ENTRY_get_data(e);
+		v = X509_NAME_ENTRY_get_data(unconstify(X509_NAME_ENTRY *, e));
 		field_name = OBJ_nid2sn(nid);
 		if (field_name == NULL)
 			field_name = OBJ_nid2ln(nid);
@@ -1460,7 +1460,7 @@ X509_NAME_to_cstring(X509_NAME *name)
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid)));
 		BIO_printf(membuf, "/%s=", field_name);
-		ASN1_STRING_print_ex(membuf, v,
+		ASN1_STRING_print_ex(membuf, unconstify(ASN1_STRING *, v),
 							 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
 							  | ASN1_STRFLGS_UTF8_CONVERT));
 	}
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 50d14eac0ee..d22b5279b12 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -70,7 +70,7 @@
 
 static int	verify_cb(int ok, X509_STORE_CTX *ctx);
 static int	openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
-															  ASN1_STRING *name,
+															  const ASN1_STRING *name,
 															  char **store_name);
 static int	openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
 															ASN1_OCTET_STRING *addr_entry,
@@ -490,7 +490,8 @@ verify_cb(int ok, X509_STORE_CTX *ctx)
  * into a plain C string.
  */
 static int
-openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
+openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
+												  const ASN1_STRING *name_entry,
 												  char **store_name)
 {
 	int			len;
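Review bot: The REL_17 variant of this patch also casts in the HAVE_ASN1_STRING_GET0_DATA fallback, `namedata = ASN1_STRING_data(unconstify(ASN1_STRING *, name_entry));`, but this REL_15 patch stops at the signature (its diffstat shows 9 rather than 13 changed lines in fe-secure-openssl.c). If REL_15 still carries that `#else` branch, the now-const name_entry is passed to ASN1_STRING_data there and the discarded-qualifier warning this patch is meant to remove comes back on builds against OpenSSL versions without ASN1_STRING_get0_data; the REL_14 patch has the same diffstat and likely the same gap. Separately, the prototype hunk above still names the parameter `name` while the definition uses `name_entry`; since that line is being touched anyway, renaming it to `name_entry` would align the two. The function body continues outside the hunk.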
@@ -683,14 +684,14 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
 	 */
 	if (check_cn)
 	{
-		X509_NAME  *subject_name;
+		const X509_NAME *subject_name;
 
 		subject_name = X509_get_subject_name(conn->peer);
 		if (subject_name != NULL)
 		{
 			int			cn_index;
 
-			cn_index = X509_NAME_get_index_by_NID(subject_name,
+			cn_index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, subject_name),
 												  NID_commonName, -1);
 			if (cn_index >= 0)
 			{
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index c570b48a1bd..756745b7bec 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -682,7 +682,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	# revoked certificates should not authenticate the user
 	log_unlike => [qr/connection authenticated:/],);
 
@@ -743,6 +743,6 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert with server-side CRL directory",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|);
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!);
 
 done_testing();
-- 
2.39.3 (Apple Git-146)



  [application/octet-stream] vREL_14-0001-Support-OpenSSL-4.patch (10.0K, 5-vREL_14-0001-Support-OpenSSL-4.patch)
From e6d002430017de95107283cf89b61c1d5cdccf9c Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <[email protected]>
Date: Thu, 7 May 2026 10:46:18 +0200
Subject: [PATCH vREL_14] Support OpenSSL 4

OpenSSL 4.0.0 changed some parameters and return values to const, so
we need to update our declarations and subsequently cast away const-
ness from a few callsites to make libpq build without warnings. This
is tested with OpenSSL 1.1.1 through 4.0.0 as well as with LibreSSL.

There is also an error message change in OpenSSL 4.0.0 which needs to
be covered by our test harness.

Author: Daniel Gustafsson <[email protected]>
Discussion: https://postgr.es/m/[email protected]
---
 contrib/sslinfo/sslinfo.c                | 24 +++++++++++-----------
 src/backend/libpq/be-secure-openssl.c    | 26 ++++++++++++------------
 src/interfaces/libpq/fe-secure-openssl.c |  9 ++++----
 src/test/ssl/t/001_ssltests.pl           |  4 ++--
 4 files changed, 32 insertions(+), 31 deletions(-)

diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 30cae0bb98..4f8a118bc9 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -21,8 +21,8 @@
 
 PG_MODULE_MAGIC;
 
-static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
-static Datum ASN1_STRING_to_text(ASN1_STRING *str);
+static Datum X509_NAME_field_to_text(const X509_NAME *name, text *fieldName);
+static Datum ASN1_STRING_to_text(const ASN1_STRING *str);
 
 /*
  * Function context for data persisting over repeated calls.
@@ -145,7 +145,7 @@ ssl_client_serial(PG_FUNCTION_ARGS)
  * function.
  */
 static Datum
-ASN1_STRING_to_text(ASN1_STRING *str)
+ASN1_STRING_to_text(const ASN1_STRING *str)
 {
 	BIO		   *membuf;
 	size_t		size;
@@ -160,7 +160,7 @@ ASN1_STRING_to_text(ASN1_STRING *str)
 				(errcode(ERRCODE_OUT_OF_MEMORY),
 				 errmsg("could not create OpenSSL BIO structure")));
 	(void) BIO_set_close(membuf, BIO_CLOSE);
-	ASN1_STRING_print_ex(membuf, str,
+	ASN1_STRING_print_ex(membuf, unconstify(ASN1_STRING *, str),
 						 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
 						  | ASN1_STRFLGS_UTF8_CONVERT));
 	/* ensure null termination of the BIO's content */
@@ -191,12 +191,12 @@ ASN1_STRING_to_text(ASN1_STRING *str)
  * part of name
  */
 static Datum
-X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
+X509_NAME_field_to_text(const X509_NAME *name, text *fieldName)
 {
 	char	   *string_fieldname;
 	int			nid,
 				index;
-	ASN1_STRING *data;
+	const ASN1_STRING *data;
 
 	string_fieldname = text_to_cstring(fieldName);
 	nid = OBJ_txt2nid(string_fieldname);
@@ -206,10 +206,10 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
 				 errmsg("invalid X.509 field name: \"%s\"",
 						string_fieldname)));
 	pfree(string_fieldname);
-	index = X509_NAME_get_index_by_NID(name, nid, -1);
+	index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, name), nid, -1);
 	if (index < 0)
 		return (Datum) 0;
-	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index));
+	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(unconstify(X509_NAME *, name), index));
 	return ASN1_STRING_to_text(data);
 }
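Review bot: X509_NAME_field_to_text now casts the same `name` twice, on the X509_NAME_get_index_by_NID line and again inside the X509_NAME_get_entry call, and the second line grows well past the usual width. Hoisting the cast into one local, `X509_NAME *xname = unconstify(X509_NAME *, name);`, and using `xname` in both calls keeps each call readable and leaves a single place to comment on why the cast is needed. The same repeated-cast pattern appears in be-secure-openssl.c (the three `x509name` casts in the aloop hunks, and `name`/`e` cast repeatedly across the X509_NAME_to_cstring hunks, where the local would have to be declared before the `count` initializer that uses it). The function starts outside this hunk.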
 
@@ -418,8 +418,8 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		HeapTuple	tuple;
 		Datum		result;
 		BIO		   *membuf;
-		X509_EXTENSION *ext;
-		ASN1_OBJECT *obj;
+		const X509_EXTENSION *ext;
+		const ASN1_OBJECT *obj;
 		int			nid;
 		int			len;
 
@@ -432,7 +432,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 
 		/* Get the extension from the certificate */
 		ext = X509_get_ext(cert, call_cntr);
-		obj = X509_EXTENSION_get_object(ext);
+		obj = X509_EXTENSION_get_object(unconstify(X509_EXTENSION *, ext));
 
 		/* Get the extension name */
 		nid = OBJ_obj2nid(obj);
@@ -445,7 +445,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		nulls[0] = false;
 
 		/* Get the extension value */
-		if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
+		if (X509V3_EXT_print(membuf, unconstify(X509_EXTENSION *, ext), 0, 0) <= 0)
 			ereport(ERROR,
 					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 					 errmsg("could not print extension value in certificate at position %d",
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 8df8ed3c90..8fa4963ced 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -64,7 +64,7 @@ static bool initialize_dh(SSL_CTX *context, bool isServerStart);
 static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessage(unsigned long ecode);
 
-static char *X509_NAME_to_cstring(X509_NAME *name);
+static char *X509_NAME_to_cstring(const X509_NAME *name);
 
 static SSL_CTX *SSL_context = NULL;
 static bool SSL_initialized = false;
@@ -580,18 +580,18 @@ aloop:
 	if (port->peer != NULL)
 	{
 		int			len;
-		X509_NAME  *x509name = X509_get_subject_name(port->peer);
+		const X509_NAME *x509name = X509_get_subject_name(port->peer);
 		char	   *peer_dn;
 		BIO		   *bio = NULL;
 		BUF_MEM    *bio_buf = NULL;
 
-		len = X509_NAME_get_text_by_NID(x509name, NID_commonName, NULL, 0);
+		len = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, NULL, 0);
 		if (len != -1)
 		{
 			char	   *peer_cn;
 
 			peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1);
-			r = X509_NAME_get_text_by_NID(x509name, NID_commonName, peer_cn,
+			r = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, peer_cn,
 										  len + 1);
 			peer_cn[len] = '\0';
 			if (r != len)
@@ -632,7 +632,7 @@ aloop:
 		 * which make regular expression matching a bit easier. Also note that
 		 * it prints the Subject fields in reverse order.
 		 */
-		X509_NAME_print_ex(bio, x509name, 0, XN_FLAG_RFC2253);
+		X509_NAME_print_ex(bio, unconstify(X509_NAME *, x509name), 0, XN_FLAG_RFC2253);
 		if (BIO_get_mem_ptr(bio, &bio_buf) <= 0)
 		{
 			BIO_free(bio);
@@ -1406,14 +1406,14 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
  *
  */
 static char *
-X509_NAME_to_cstring(X509_NAME *name)
+X509_NAME_to_cstring(const X509_NAME *name)
 {
 	BIO		   *membuf = BIO_new(BIO_s_mem());
 	int			i,
 				nid,
-				count = X509_NAME_entry_count(name);
-	X509_NAME_ENTRY *e;
-	ASN1_STRING *v;
+				count = X509_NAME_entry_count(unconstify(X509_NAME *, name));
+	const X509_NAME_ENTRY *e;
+	const ASN1_STRING *v;
 	const char *field_name;
 	size_t		size;
 	char		nullterm;
@@ -1429,13 +1429,13 @@ X509_NAME_to_cstring(X509_NAME *name)
 	(void) BIO_set_close(membuf, BIO_CLOSE);
 	for (i = 0; i < count; i++)
 	{
-		e = X509_NAME_get_entry(name, i);
-		nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));
+		e = X509_NAME_get_entry(unconstify(X509_NAME *, name), i);
+		nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(unconstify(X509_NAME_ENTRY *, e)));
 		if (nid == NID_undef)
 			ereport(ERROR,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("could not get NID for ASN1_OBJECT object")));
-		v = X509_NAME_ENTRY_get_data(e);
+		v = X509_NAME_ENTRY_get_data(unconstify(X509_NAME_ENTRY *, e));
 		field_name = OBJ_nid2sn(nid);
 		if (field_name == NULL)
 			field_name = OBJ_nid2ln(nid);
@@ -1444,7 +1444,7 @@ X509_NAME_to_cstring(X509_NAME *name)
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid)));
 		BIO_printf(membuf, "/%s=", field_name);
-		ASN1_STRING_print_ex(membuf, v,
+		ASN1_STRING_print_ex(membuf, unconstify(ASN1_STRING *, v),
 							 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
 							  | ASN1_STRFLGS_UTF8_CONVERT));
 	}
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 5f340494b7..908a3261f2 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -64,7 +64,7 @@
 
 static int	verify_cb(int ok, X509_STORE_CTX *ctx);
 static int	openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
-															  ASN1_STRING *name,
+															  const ASN1_STRING *name,
 															  char **store_name);
 static void destroy_ssl_system(void);
 static int	initialize_SSL(PGconn *conn);
@@ -481,7 +481,8 @@ verify_cb(int ok, X509_STORE_CTX *ctx)
  * into a plain C string.
  */
 static int
-openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
+openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
+												  const ASN1_STRING *name_entry,
 												  char **store_name)
 {
 	int			len;
@@ -570,14 +571,14 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
 	 */
 	if (*names_examined == 0)
 	{
-		X509_NAME  *subject_name;
+		const X509_NAME *subject_name;
 
 		subject_name = X509_get_subject_name(conn->peer);
 		if (subject_name != NULL)
 		{
 			int			cn_index;
 
-			cn_index = X509_NAME_get_index_by_NID(subject_name,
+			cn_index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, subject_name),
 												  NID_commonName, -1);
 			if (cn_index >= 0)
 			{
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index cc7bd98c83..f6b20186f1 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -538,7 +538,7 @@ $node->connect_fails(
 $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
 	"certificate authorization fails with revoked client cert",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	# revoked certificates should not authenticate the user
 	log_unlike => [qr/connection authenticated:/],);
 
@@ -591,7 +591,7 @@ switch_server_cert($node, 'server-cn-only', undef, undef,
 $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
 	"certificate authorization fails with revoked client cert with server-side CRL directory",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|);
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!);
 
 # clean up
 foreach my $key (@keys)
-- 
2.39.3 (Apple Git-146)


