From: Daniel Gustafsson
Subject: Re: PostgreSQL and OpenSSL 4.0.0
Date: Thu, 7 May 2026 15:44:45 +0200
To: Michael Paquier
Cc: PostgreSQL-development
Message-Id: <65C5DC15-DE27-4D36-8AEE-A854C23B3834@yesql.se>
References: <066B07BB-85FA-487C-BE8C-40F791CFC3C4@yesql.se>

> On 17 Apr 2026, at 23:50, Michael Paquier wrote:
>
> On Thu, Apr 16, 2026 at 03:32:54PM +0200, Daniel Gustafsson wrote:
>> The attached patch, while not pretty, allows libpq and sslinfo to build without
>> warnings on OpenSSL 1.1.1 through 4.0.0 as well as on LibreSSL (and there is
>> quite some variability in constness across all these API versions).
>
> Thanks for that.
> That is super fast.
>
> This is likely going to require a backpatch at some point, right?
> What's the impact of the blast in branches where we need to support
> OpenSSL down to 1.0.1, which is the minimum version in REL_14_STABLE?

Indeed, we probably want to backpatch this at some point since OpenSSL 4 is
equally likely to be used regardless of which branch users compile.  Whether we
want to apply this already before 19 goes beta I'll leave for the RMT to decide.

For 14 through master the attached compiles without warnings and tests green on
all the supported versions of OpenSSL and LibreSSL.  That being said, I'm not
sure that we want to go all the way to 14 since if something does break, we
can't really go around fixing it - I think amending the docs in 14 stating that
OpenSSL 3.6 is the highest supported version is a better solution.

-- 
Daniel Gustafsson

[Attachment: vmaster--18-0001-Support-OpenSSL-4.patch]

From 585563a1559666925acf125ee30f4ff73e27ca8e Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Thu, 16 Apr 2026 15:20:13 +0200
Subject: [PATCH vmaster] Support OpenSSL 4

OpenSSL 4.0.0 changed some parameters and return values to const, so
we need to update our declarations and subsequently cast away
constness from a few callsites to make libpq build without warnings.
This is tested with OpenSSL 1.1.1 through 4.0.0 as well as with LibreSSL.

There is also an error message change in OpenSSL 4.0.0 which needs to
be covered by our test harness.

Author: Daniel Gustafsson
Discussion: https://postgr.es/m/066B07BB-85FA-487C-BE8C-40F791CFC3C4@yesql.se
---
 contrib/sslinfo/sslinfo.c                | 20 ++++++++++----------
 src/backend/libpq/be-secure-openssl.c    | 14 +++++++-------
 src/interfaces/libpq/fe-secure-openssl.c |  9 +++++----
 src/test/ssl/t/001_ssltests.pl           |  6 +++---
 4 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 2b9eb90b093..c4ae847880d 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -24,8 +24,8 @@ PG_MODULE_MAGIC_EXT(
 					.version = PG_VERSION
 );
 
-static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
-static Datum ASN1_STRING_to_text(ASN1_STRING *str);
+static Datum X509_NAME_field_to_text(const X509_NAME *name, text *fieldName);
+static Datum ASN1_STRING_to_text(const ASN1_STRING *str);
 
 /*
  * Function context for data persisting over repeated calls.
@@ -148,7 +148,7 @@ ssl_client_serial(PG_FUNCTION_ARGS)
  * function.
  */
 static Datum
-ASN1_STRING_to_text(ASN1_STRING *str)
+ASN1_STRING_to_text(const ASN1_STRING *str)
 {
 	BIO		   *membuf;
 	size_t		size;
@@ -194,12 +194,12 @@ ASN1_STRING_to_text(ASN1_STRING *str)
  * part of name
  */
 static Datum
-X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
+X509_NAME_field_to_text(const X509_NAME *name, text *fieldName)
 {
 	char	   *string_fieldname;
 	int			nid,
 				index;
-	ASN1_STRING *data;
+	const ASN1_STRING *data;
 
 	string_fieldname = text_to_cstring(fieldName);
 	nid = OBJ_txt2nid(string_fieldname);
@@ -209,7 +209,7 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
 				 errmsg("invalid X.509 field name: \"%s\"",
 						string_fieldname)));
 	pfree(string_fieldname);
-	index = X509_NAME_get_index_by_NID(name, nid, -1);
+	index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, name), nid, -1);
 	if (index < 0)
 		return (Datum) 0;
 	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index));
@@ -421,8 +421,8 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		HeapTuple	tuple;
 		Datum		result;
 		BIO		   *membuf;
-		X509_EXTENSION *ext;
-		ASN1_OBJECT *obj;
+		const X509_EXTENSION *ext;
+		const ASN1_OBJECT *obj;
 		int			nid;
 		int			len;
 
@@ -435,7 +435,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 
 		/* Get the extension from the certificate */
 		ext = X509_get_ext(cert, call_cntr);
-		obj = X509_EXTENSION_get_object(ext);
+		obj = X509_EXTENSION_get_object(unconstify(X509_EXTENSION *, ext));
 
 		/* Get the extension name */
 		nid = OBJ_obj2nid(obj);
@@ -448,7 +448,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		nulls[0] = false;
 
 		/* Get the extension value */
-		if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
+		if (X509V3_EXT_print(membuf, unconstify(X509_EXTENSION *, ext), 0, 0) <= 0)
 			ereport(ERROR,
 					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 					 errmsg("could not print extension value in certificate at position %d",
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index b978497b5d4..8a06fb11ec3 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -106,7 +106,7 @@ static void host_context_cleanup_cb(void *arg);
 static int	sni_clienthello_cb(SSL *ssl, int *al, void *arg);
 #endif
 
-static char *X509_NAME_to_cstring(X509_NAME *name);
+static char *X509_NAME_to_cstring(const X509_NAME *name);
 
 static SSL_CTX *SSL_context = NULL;
 static MemoryContext SSL_hosts_memcxt = NULL;
@@ -1071,18 +1071,18 @@ aloop:
 	if (port->peer != NULL)
 	{
 		int			len;
-		X509_NAME  *x509name = X509_get_subject_name(port->peer);
+		const X509_NAME *x509name = X509_get_subject_name(port->peer);
 		char	   *peer_dn;
 		BIO		   *bio = NULL;
 		BUF_MEM    *bio_buf = NULL;
 
-		len = X509_NAME_get_text_by_NID(x509name, NID_commonName, NULL, 0);
+		len = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, NULL, 0);
 		if (len != -1)
 		{
 			char	   *peer_cn;
 
 			peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1);
-			r = X509_NAME_get_text_by_NID(x509name, NID_commonName, peer_cn,
+			r = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, peer_cn,
										  len + 1);
 			peer_cn[len] = '\0';
 			if (r != len)
@@ -2333,14 +2333,14 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
  *
  */
 static char *
-X509_NAME_to_cstring(X509_NAME *name)
+X509_NAME_to_cstring(const X509_NAME *name)
 {
 	BIO		   *membuf = BIO_new(BIO_s_mem());
 	int			i,
 				nid,
 				count = X509_NAME_entry_count(name);
-	X509_NAME_ENTRY *e;
-	ASN1_STRING *v;
+	const X509_NAME_ENTRY *e;
+	const ASN1_STRING *v;
 	const char *field_name;
 	size_t		size;
 	char		nullterm;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index fbd3c63fb5d..6b44eeb68eb 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -67,7 +67,7 @@
 
 static int	verify_cb(int ok, X509_STORE_CTX *ctx);
 static int	openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
-															  ASN1_STRING *name_entry,
+															  const ASN1_STRING *name_entry,
 															  char **store_name);
 static int	openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
 															ASN1_OCTET_STRING *addr_entry,
@@ -467,7 +467,8 @@ cert_cb(SSL *ssl, void *arg)
  * into a plain C string.
  */
 static int
-openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
+openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
+												  const ASN1_STRING *name_entry,
 												  char **store_name)
 {
 	int			len;
@@ -650,14 +651,14 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
 	 */
 	if (check_cn)
 	{
-		X509_NAME  *subject_name;
+		const X509_NAME *subject_name;
 
 		subject_name = X509_get_subject_name(conn->peer);
 		if (subject_name != NULL)
 		{
 			int			cn_index;
 
-			cn_index = X509_NAME_get_index_by_NID(subject_name,
+			cn_index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, subject_name),
												  NID_commonName, -1);
 			if (cn_index >= 0)
 			{
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 0af887caa63..01f3573e1fd 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -885,7 +885,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	log_like => [
 		qr{Client certificate verification failed at depth 0: certificate revoked},
 		qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number \d+, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
@@ -987,7 +987,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert with server-side CRL directory",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	log_like => [
 		qr{Client certificate verification failed at depth 0: certificate revoked},
 		qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number \d+, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
@@ -998,7 +998,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt "
 	  . sslkey('client-revoked-utf8.key'),
 	"certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	log_like => [
 		qr{Client certificate verification failed at depth 0: certificate revoked},
 		qr{Failed certificate data \(unverified\): subject "/CN=\\xce\\x9f\\xce\\xb4\\xcf\\x85\\xcf\\x83\\xcf\\x83\\xce\\xad\\xce\\xb1\\xcf\\x82", serial number \d+, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
-- 
2.39.3 (Apple Git-146)

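Review bot: none of the unconstify() call sites in the vmaster patch (X509_NAME_get_index_by_NID in X509_NAME_field_to_text, X509_EXTENSION_get_object and X509V3_EXT_print in ssl_extension_info, the two X509_NAME_get_text_by_NID calls under aloop: in be-secure-openssl.c, and X509_NAME_get_index_by_NID in pgtls_verify_peer_name_matches_certificate_guts) say why a pointer that the same hunk just declared const is cast back to non-const. A one-line comment at the first such site, stating that the cast exists only because older OpenSSL and LibreSSL releases declare these read-only accessors with non-const parameters, would record the assumption that the callee does not modify the object and would tell a later cleanup when the casts can be dropped; unconstify() itself records nothing about the callee.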
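Review bot: in the @@ -67,7 hunk of fe-secure-openssl.c only name_entry of openssl_verify_peer_name_matches_certificate_name becomes const, while addr_entry of the sibling openssl_verify_peer_name_matches_certificate_ip, two lines further down in the same hunk, stays ASN1_OCTET_STRING *. Since the patch is reported to build warning-free on 4.0.0 the IP path evidently still receives a non-const pointer, but a short comment on why the two prototypes differ would stop the next reader from "fixing" the asymmetry.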
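Review bot: the three expected_stderr changes in 001_ssltests.pl correctly switch the qr delimiter from | to ! because the new alternation (ssl[a-z0-9/]*|tls) uses | inside the pattern, but neither the hunks nor the commit message quote the OpenSSL 4.0.0 message text that the new "tls" branch is meant to match. Adding the exact new message (and the version that emits it) to the commit message, or as a comment next to the first pattern, would make the expectation verifiable later; as written, the only hint is "an error message change".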
[Attachment: vREL_17--REL_16-0001-Support-OpenSSL-4.patch]

From 4964aaf322bfd55aa27065d2e732c6e69775e0bf Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Thu, 7 May 2026 10:46:18 +0200
Subject: [PATCH vREL_17] Support OpenSSL 4

OpenSSL 4.0.0 changed some parameters and return values to const, so
we need to update our declarations and subsequently cast away
constness from a few callsites to make libpq build without warnings.
This is tested with OpenSSL 1.1.1 through 4.0.0 as well as with LibreSSL.

There is also an error message change in OpenSSL 4.0.0 which needs to
be covered by our test harness.

Author: Daniel Gustafsson
Discussion: https://postgr.es/m/066B07BB-85FA-487C-BE8C-40F791CFC3C4@yesql.se
---
 contrib/sslinfo/sslinfo.c                | 24 +++++++++++-----------
 src/backend/libpq/be-secure-openssl.c    | 26 ++++++++++++------------
 src/interfaces/libpq/fe-secure-openssl.c | 13 ++++++------
 src/test/ssl/t/001_ssltests.pl           |  4 ++--
 4 files changed, 34 insertions(+), 33 deletions(-)

diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 5fd46b98741..4251ccfd174 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -32,8 +32,8 @@
 
 PG_MODULE_MAGIC;
 
-static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
-static Datum ASN1_STRING_to_text(ASN1_STRING *str);
+static Datum X509_NAME_field_to_text(const X509_NAME *name, text *fieldName);
+static Datum ASN1_STRING_to_text(const ASN1_STRING *str);
 
 /*
  * Function context for data persisting over repeated calls.
@@ -156,7 +156,7 @@ ssl_client_serial(PG_FUNCTION_ARGS)
  * function.
  */
 static Datum
-ASN1_STRING_to_text(ASN1_STRING *str)
+ASN1_STRING_to_text(const ASN1_STRING *str)
 {
 	BIO		   *membuf;
 	size_t		size;
@@ -171,7 +171,7 @@ ASN1_STRING_to_text(ASN1_STRING *str)
 				(errcode(ERRCODE_OUT_OF_MEMORY),
 				 errmsg("could not create OpenSSL BIO structure")));
 	(void) BIO_set_close(membuf, BIO_CLOSE);
-	ASN1_STRING_print_ex(membuf, str,
+	ASN1_STRING_print_ex(membuf, unconstify(ASN1_STRING *, str),
						 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
						  | ASN1_STRFLGS_UTF8_CONVERT));
 	/* ensure null termination of the BIO's content */
@@ -202,12 +202,12 @@ ASN1_STRING_to_text(ASN1_STRING *str)
  * part of name
  */
 static Datum
-X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
+X509_NAME_field_to_text(const X509_NAME *name, text *fieldName)
 {
 	char	   *string_fieldname;
 	int			nid,
 				index;
-	ASN1_STRING *data;
+	const ASN1_STRING *data;
 
 	string_fieldname = text_to_cstring(fieldName);
 	nid = OBJ_txt2nid(string_fieldname);
@@ -217,10 +217,10 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
 				 errmsg("invalid X.509 field name: \"%s\"",
 						string_fieldname)));
 	pfree(string_fieldname);
-	index = X509_NAME_get_index_by_NID(name, nid, -1);
+	index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, name), nid, -1);
 	if (index < 0)
 		return (Datum) 0;
-	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index));
+	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(unconstify(X509_NAME *, name), index));
 	return ASN1_STRING_to_text(data);
 }
 
@@ -429,8 +429,8 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		HeapTuple	tuple;
 		Datum		result;
 		BIO		   *membuf;
-		X509_EXTENSION *ext;
-		ASN1_OBJECT *obj;
+		const X509_EXTENSION *ext;
+		const ASN1_OBJECT *obj;
 		int			nid;
 		int			len;
 
@@ -443,7 +443,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 
 		/* Get the extension from the certificate */
 		ext = X509_get_ext(cert, call_cntr);
-		obj = X509_EXTENSION_get_object(ext);
+		obj = X509_EXTENSION_get_object(unconstify(X509_EXTENSION *, ext));
 
 		/* Get the extension name */
 		nid = OBJ_obj2nid(obj);
@@ -456,7 +456,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 		nulls[0] = false;
 
 		/* Get the extension value */
-		if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
+		if (X509V3_EXT_print(membuf, unconstify(X509_EXTENSION *, ext), 0, 0) <= 0)
 			ereport(ERROR,
 					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 					 errmsg("could not print extension value in certificate at position %d",
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 486a66b0bf1..8c101528618 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -77,7 +77,7 @@ static bool initialize_dh(SSL_CTX *context, bool isServerStart);
 static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessage(unsigned long ecode);
 
-static char *X509_NAME_to_cstring(X509_NAME *name);
+static char *X509_NAME_to_cstring(const X509_NAME *name);
 
 static SSL_CTX *SSL_context = NULL;
 static bool SSL_initialized = false;
@@ -634,18 +634,18 @@ aloop:
 	if (port->peer != NULL)
 	{
 		int			len;
-		X509_NAME  *x509name = X509_get_subject_name(port->peer);
+		const X509_NAME *x509name = X509_get_subject_name(port->peer);
 		char	   *peer_dn;
 		BIO		   *bio = NULL;
 		BUF_MEM    *bio_buf = NULL;
 
-		len = X509_NAME_get_text_by_NID(x509name, NID_commonName, NULL, 0);
+		len = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, NULL, 0);
 		if (len != -1)
 		{
 			char	   *peer_cn;
 
 			peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1);
-			r = X509_NAME_get_text_by_NID(x509name, NID_commonName, peer_cn,
+			r = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, peer_cn,
										  len + 1);
 			peer_cn[len] = '\0';
 			if (r != len)
@@ -689,7 +689,7 @@ aloop:
 		 * which make regular expression matching a bit easier. Also note that
 		 * it prints the Subject fields in reverse order.
 		 */
-		if (X509_NAME_print_ex(bio, x509name, 0, XN_FLAG_RFC2253) == -1 ||
+		if (X509_NAME_print_ex(bio, unconstify(X509_NAME *, x509name), 0, XN_FLAG_RFC2253) == -1 ||
 			BIO_get_mem_ptr(bio, &bio_buf) <= 0)
 		{
 			BIO_free(bio);
@@ -1615,14 +1615,14 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
  *
  */
 static char *
-X509_NAME_to_cstring(X509_NAME *name)
+X509_NAME_to_cstring(const X509_NAME *name)
 {
 	BIO		   *membuf = BIO_new(BIO_s_mem());
 	int			i,
 				nid,
-				count = X509_NAME_entry_count(name);
-	X509_NAME_ENTRY *e;
-	ASN1_STRING *v;
+				count = X509_NAME_entry_count(unconstify(X509_NAME *, name));
+	const X509_NAME_ENTRY *e;
+	const ASN1_STRING *v;
 	const char *field_name;
 	size_t		size;
 	char		nullterm;
@@ -1638,13 +1638,13 @@ X509_NAME_to_cstring(X509_NAME *name)
 	(void) BIO_set_close(membuf, BIO_CLOSE);
 	for (i = 0; i < count; i++)
 	{
-		e = X509_NAME_get_entry(name, i);
-		nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));
+		e = X509_NAME_get_entry(unconstify(X509_NAME *, name), i);
+		nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(unconstify(X509_NAME_ENTRY *, e)));
 		if (nid == NID_undef)
 			ereport(ERROR,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("could not get NID for ASN1_OBJECT object")));
-		v = X509_NAME_ENTRY_get_data(e);
+		v = X509_NAME_ENTRY_get_data(unconstify(X509_NAME_ENTRY *, e));
 		field_name = OBJ_nid2sn(nid);
 		if (field_name == NULL)
 			field_name = OBJ_nid2ln(nid);
@@ -1653,7 +1653,7 @@ X509_NAME_to_cstring(X509_NAME *name)
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid)));
 		BIO_printf(membuf, "/%s=", field_name);
-		ASN1_STRING_print_ex(membuf, v,
+		ASN1_STRING_print_ex(membuf, unconstify(ASN1_STRING *, v),
							 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
							  | ASN1_STRFLGS_UTF8_CONVERT));
 	}
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index b6fffd7b9b0..33ce6d5ffe3 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -66,7 +66,7 @@
 
 static int	verify_cb(int ok, X509_STORE_CTX *ctx);
 static int	openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
-															  ASN1_STRING *name_entry,
+															  const ASN1_STRING *name_entry,
 															  char **store_name);
 static int	openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
 															ASN1_OCTET_STRING *addr_entry,
@@ -489,7 +489,8 @@ cert_cb(SSL *ssl, void *arg)
  * into a plain C string.
  */
 static int
-openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
+openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
+												  const ASN1_STRING *name_entry,
 												  char **store_name)
 {
 	int			len;
@@ -508,7 +509,7 @@ openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *nam
 #ifdef HAVE_ASN1_STRING_GET0_DATA
 	namedata = ASN1_STRING_get0_data(name_entry);
 #else
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_data(unconstify(ASN1_STRING *, name_entry));
 #endif
 	len = ASN1_STRING_length(name_entry);
 
@@ -680,14 +681,14 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
 	 */
 	if (check_cn)
 	{
-		X509_NAME  *subject_name;
+		const X509_NAME *subject_name;
 
 		subject_name = X509_get_subject_name(conn->peer);
 		if (subject_name != NULL)
 		{
 			int			cn_index;
 
-			cn_index = X509_NAME_get_index_by_NID(subject_name,
+			cn_index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, subject_name),
												  NID_commonName, -1);
 			if (cn_index >= 0)
 			{
@@ -695,7 +696,7 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
 
 				(*names_examined)++;
 				rc = openssl_verify_peer_name_matches_certificate_name(conn,
-																	   X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),
+																	   X509_NAME_ENTRY_get_data(X509_NAME_get_entry(unconstify(X509_NAME *, subject_name), cn_index)),
																	   &common_name);
 
 				if (common_name)
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 17dd3964b76..4880d8a75b9 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -773,7 +773,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	# temporarily(?) skip this check due to timing issue
 	#	log_like => [
 	#		qr{Client certificate verification failed at depth 0: certificate revoked},
@@ -878,7 +878,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert with server-side CRL directory",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!,
 	# temporarily(?) skip this check due to timing issue
 	#	log_like => [
 	#		qr{Client certificate verification failed at depth 0: certificate revoked},
-- 
2.39.3 (Apple Git-146)

[Attachment: vREL_15-0001-Support-OpenSSL-4.patch]

From 55515764f958ce6c7e1cb212d043584dfa55d6a8 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Thu, 7 May 2026 10:46:18 +0200
Subject: [PATCH vREL_15] Support OpenSSL 4

OpenSSL 4.0.0 changed some parameters and return values to const, so
we need to update our declarations and subsequently cast away
constness from a few callsites to make libpq build without warnings.
This is tested with OpenSSL 1.1.1 through 4.0.0 as well as with LibreSSL.

There is also an error message change in OpenSSL 4.0.0 which needs to
be covered by our test harness.

Author: Daniel Gustafsson
Discussion: https://postgr.es/m/066B07BB-85FA-487C-BE8C-40F791CFC3C4@yesql.se
---
 contrib/sslinfo/sslinfo.c                | 24 +++++++++++-----------
 src/backend/libpq/be-secure-openssl.c    | 26 ++++++++++++------------
 src/interfaces/libpq/fe-secure-openssl.c |  9 ++++----
 src/test/ssl/t/001_ssltests.pl           |  4 ++--
 4 files changed, 32 insertions(+), 31 deletions(-)

diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 5fd46b98741..4251ccfd174 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -32,8 +32,8 @@
 
 PG_MODULE_MAGIC;
 
-static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
-static Datum ASN1_STRING_to_text(ASN1_STRING *str);
+static Datum X509_NAME_field_to_text(const X509_NAME *name, text *fieldName);
+static Datum ASN1_STRING_to_text(const ASN1_STRING *str);
 
 /*
  * Function context for data persisting over repeated calls.
@@ -156,7 +156,7 @@ ssl_client_serial(PG_FUNCTION_ARGS)
  * function.
  */
 static Datum
-ASN1_STRING_to_text(ASN1_STRING *str)
+ASN1_STRING_to_text(const ASN1_STRING *str)
 {
 	BIO		   *membuf;
 	size_t		size;
@@ -171,7 +171,7 @@ ASN1_STRING_to_text(ASN1_STRING *str)
 				(errcode(ERRCODE_OUT_OF_MEMORY),
 				 errmsg("could not create OpenSSL BIO structure")));
 	(void) BIO_set_close(membuf, BIO_CLOSE);
-	ASN1_STRING_print_ex(membuf, str,
+	ASN1_STRING_print_ex(membuf, unconstify(ASN1_STRING *, str),
						 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
						  | ASN1_STRFLGS_UTF8_CONVERT));
 	/* ensure null termination of the BIO's content */
@@ -202,12 +202,12 @@ ASN1_STRING_to_text(ASN1_STRING *str)
  * part of name
  */
 static Datum
-X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
+X509_NAME_field_to_text(const X509_NAME *name, text *fieldName)
 {
 	char	   *string_fieldname;
 	int			nid,
 				index;
-	ASN1_STRING *data;
+	const ASN1_STRING *data;
 
 	string_fieldname = text_to_cstring(fieldName);
 	nid = OBJ_txt2nid(string_fieldname);
@@ -217,10 +217,10 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
 				 errmsg("invalid X.509 field name: \"%s\"",
 						string_fieldname)));
 	pfree(string_fieldname);
-	index = X509_NAME_get_index_by_NID(name, nid, -1);
+	index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, name), nid, -1);
 	if (index < 0)
 		return (Datum) 0;
-	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,
index));=0A+=09data=20=3D=20= X509_NAME_ENTRY_get_data(X509_NAME_get_entry(unconstify(X509_NAME=20*,=20= name),=20index));=0A=20=09return=20ASN1_STRING_to_text(data);=0A=20}=0A=20= =0A@@=20-429,8=20+429,8=20@@=20ssl_extension_info(PG_FUNCTION_ARGS)=0A=20= =09=09HeapTuple=09tuple;=0A=20=09=09Datum=09=09result;=0A=20=09=09BIO=09=09= =20=20=20*membuf;=0A-=09=09X509_EXTENSION=20*ext;=0A-=09=09ASN1_OBJECT=20= *obj;=0A+=09=09const=20X509_EXTENSION=20*ext;=0A+=09=09const=20= ASN1_OBJECT=20*obj;=0A=20=09=09int=09=09=09nid;=0A=20=09=09int=09=09=09= len;=0A=20=0A@@=20-443,7=20+443,7=20@@=20= ssl_extension_info(PG_FUNCTION_ARGS)=0A=20=0A=20=09=09/*=20Get=20the=20= extension=20from=20the=20certificate=20*/=0A=20=09=09ext=20=3D=20= X509_get_ext(cert,=20call_cntr);=0A-=09=09obj=20=3D=20= X509_EXTENSION_get_object(ext);=0A+=09=09obj=20=3D=20= X509_EXTENSION_get_object(unconstify(X509_EXTENSION=20*,=20ext));=0A=20=0A= =20=09=09/*=20Get=20the=20extension=20name=20*/=0A=20=09=09nid=20=3D=20= OBJ_obj2nid(obj);=0A@@=20-456,7=20+456,7=20@@=20= ssl_extension_info(PG_FUNCTION_ARGS)=0A=20=09=09nulls[0]=20=3D=20false;=0A= =20=0A=20=09=09/*=20Get=20the=20extension=20value=20*/=0A-=09=09if=20= (X509V3_EXT_print(membuf,=20ext,=200,=200)=20<=3D=200)=0A+=09=09if=20= (X509V3_EXT_print(membuf,=20unconstify(X509_EXTENSION=20*,=20ext),=200,=20= 0)=20<=3D=200)=0A=20=09=09=09ereport(ERROR,=0A=20=09=09=09=09=09= (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),=0A=20=09=09=09=09=09=20= errmsg("could=20not=20print=20extension=20value=20in=20certificate=20at=20= position=20%d",=0Adiff=20--git=20a/src/backend/libpq/be-secure-openssl.c=20= b/src/backend/libpq/be-secure-openssl.c=0Aindex=20= b0492c443ec..96e60a97f04=20100644=0A---=20= a/src/backend/libpq/be-secure-openssl.c=0A+++=20= b/src/backend/libpq/be-secure-openssl.c=0A@@=20-71,7=20+71,7=20@@=20= static=20bool=20initialize_dh(SSL_CTX=20*context,=20bool=20= isServerStart);=0A=20static=20bool=20initialize_ecdh(SSL_CTX=20*context,=20= 
bool=20isServerStart);=0A=20static=20const=20char=20= *SSLerrmessage(unsigned=20long=20ecode);=0A=20=0A-static=20char=20= *X509_NAME_to_cstring(X509_NAME=20*name);=0A+static=20char=20= *X509_NAME_to_cstring(const=20X509_NAME=20*name);=0A=20=0A=20static=20= SSL_CTX=20*SSL_context=20=3D=20NULL;=0A=20static=20bool=20= SSL_initialized=20=3D=20false;=0A@@=20-587,18=20+587,18=20@@=20aloop:=0A=20= =09if=20(port->peer=20!=3D=20NULL)=0A=20=09{=0A=20=09=09int=09=09=09len;=0A= -=09=09X509_NAME=20=20*x509name=20=3D=20= X509_get_subject_name(port->peer);=0A+=09=09const=20X509_NAME=20= *x509name=20=3D=20X509_get_subject_name(port->peer);=0A=20=09=09char=09=20= =20=20*peer_dn;=0A=20=09=09BIO=09=09=20=20=20*bio=20=3D=20NULL;=0A=20=09=09= BUF_MEM=20=20=20=20*bio_buf=20=3D=20NULL;=0A=20=0A-=09=09len=20=3D=20= X509_NAME_get_text_by_NID(x509name,=20NID_commonName,=20NULL,=200);=0A+=09= =09len=20=3D=20X509_NAME_get_text_by_NID(unconstify(X509_NAME=20*,=20= x509name),=20NID_commonName,=20NULL,=200);=0A=20=09=09if=20(len=20!=3D=20= -1)=0A=20=09=09{=0A=20=09=09=09char=09=20=20=20*peer_cn;=0A=20=0A=20=09=09= =09peer_cn=20=3D=20MemoryContextAlloc(TopMemoryContext,=20len=20+=201);=0A= -=09=09=09r=20=3D=20X509_NAME_get_text_by_NID(x509name,=20= NID_commonName,=20peer_cn,=0A+=09=09=09r=20=3D=20= X509_NAME_get_text_by_NID(unconstify(X509_NAME=20*,=20x509name),=20= NID_commonName,=20peer_cn,=0A=20=09=09=09=09=09=09=09=09=09=09=20=20len=20= +=201);=0A=20=09=09=09peer_cn[len]=20=3D=20'\0';=0A=20=09=09=09if=20(r=20= !=3D=20len)=0A@@=20-642,7=20+642,7=20@@=20aloop:=0A=20=09=09=20*=20which=20= make=20regular=20expression=20matching=20a=20bit=20easier.=20Also=20note=20= that=0A=20=09=09=20*=20it=20prints=20the=20Subject=20fields=20in=20= reverse=20order.=0A=20=09=09=20*/=0A-=09=09if=20(X509_NAME_print_ex(bio,=20= x509name,=200,=20XN_FLAG_RFC2253)=20=3D=3D=20-1=20||=0A+=09=09if=20= (X509_NAME_print_ex(bio,=20unconstify(X509_NAME=20*,=20x509name),=200,=20= 
XN_FLAG_RFC2253)=20=3D=3D=20-1=20||=0A=20=09=09=09BIO_get_mem_ptr(bio,=20= &bio_buf)=20<=3D=200)=0A=20=09=09{=0A=20=09=09=09BIO_free(bio);=0A@@=20= -1422,14=20+1422,14=20@@=20be_tls_get_certificate_hash(Port=20*port,=20= size_t=20*len)=0A=20=20*=0A=20=20*/=0A=20static=20char=20*=0A= -X509_NAME_to_cstring(X509_NAME=20*name)=0A+X509_NAME_to_cstring(const=20= X509_NAME=20*name)=0A=20{=0A=20=09BIO=09=09=20=20=20*membuf=20=3D=20= BIO_new(BIO_s_mem());=0A=20=09int=09=09=09i,=0A=20=09=09=09=09nid,=0A-=09= =09=09=09count=20=3D=20X509_NAME_entry_count(name);=0A-=09= X509_NAME_ENTRY=20*e;=0A-=09ASN1_STRING=20*v;=0A+=09=09=09=09count=20=3D=20= X509_NAME_entry_count(unconstify(X509_NAME=20*,=20name));=0A+=09const=20= X509_NAME_ENTRY=20*e;=0A+=09const=20ASN1_STRING=20*v;=0A=20=09const=20= char=20*field_name;=0A=20=09size_t=09=09size;=0A=20=09char=09=09= nullterm;=0A@@=20-1445,13=20+1445,13=20@@=20= X509_NAME_to_cstring(X509_NAME=20*name)=0A=20=09(void)=20= BIO_set_close(membuf,=20BIO_CLOSE);=0A=20=09for=20(i=20=3D=200;=20i=20<=20= count;=20i++)=0A=20=09{=0A-=09=09e=20=3D=20X509_NAME_get_entry(name,=20= i);=0A-=09=09nid=20=3D=20OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));=0A+=09= =09e=20=3D=20X509_NAME_get_entry(unconstify(X509_NAME=20*,=20name),=20= i);=0A+=09=09nid=20=3D=20= OBJ_obj2nid(X509_NAME_ENTRY_get_object(unconstify(X509_NAME_ENTRY=20*,=20= e)));=0A=20=09=09if=20(nid=20=3D=3D=20NID_undef)=0A=20=09=09=09= ereport(ERROR,=0A=20=09=09=09=09=09= (errcode(ERRCODE_INVALID_PARAMETER_VALUE),=0A=20=09=09=09=09=09=20= errmsg("could=20not=20get=20NID=20for=20ASN1_OBJECT=20object")));=0A-=09=09= v=20=3D=20X509_NAME_ENTRY_get_data(e);=0A+=09=09v=20=3D=20= X509_NAME_ENTRY_get_data(unconstify(X509_NAME_ENTRY=20*,=20e));=0A=20=09=09= field_name=20=3D=20OBJ_nid2sn(nid);=0A=20=09=09if=20(field_name=20=3D=3D=20= NULL)=0A=20=09=09=09field_name=20=3D=20OBJ_nid2ln(nid);=0A@@=20-1460,7=20= +1460,7=20@@=20X509_NAME_to_cstring(X509_NAME=20*name)=0A=20=09=09=09=09=09= 
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),=0A=20=09=09=09=09=09=20= errmsg("could=20not=20convert=20NID=20%d=20to=20an=20ASN1_OBJECT=20= structure",=20nid)));=0A=20=09=09BIO_printf(membuf,=20"/%s=3D",=20= field_name);=0A-=09=09ASN1_STRING_print_ex(membuf,=20v,=0A+=09=09= ASN1_STRING_print_ex(membuf,=20unconstify(ASN1_STRING=20*,=20v),=0A=20=09= =09=09=09=09=09=09=20((ASN1_STRFLGS_RFC2253=20&=20~ASN1_STRFLGS_ESC_MSB)=0A= =20=09=09=09=09=09=09=09=20=20|=20ASN1_STRFLGS_UTF8_CONVERT));=0A=20=09}=0A= diff=20--git=20a/src/interfaces/libpq/fe-secure-openssl.c=20= b/src/interfaces/libpq/fe-secure-openssl.c=0Aindex=20= 50d14eac0ee..d22b5279b12=20100644=0A---=20= a/src/interfaces/libpq/fe-secure-openssl.c=0A+++=20= b/src/interfaces/libpq/fe-secure-openssl.c=0A@@=20-70,7=20+70,7=20@@=0A=20= =0A=20static=20int=09verify_cb(int=20ok,=20X509_STORE_CTX=20*ctx);=0A=20= static=20int=09openssl_verify_peer_name_matches_certificate_name(PGconn=20= *conn,=0A-=09=09=09=09=09=09=09=09=09=09=09=09=09=09=09=20=20ASN1_STRING=20= *name,=0A+=09=09=09=09=09=09=09=09=09=09=09=09=09=09=09=20=20const=20= ASN1_STRING=20*name,=0A=20=09=09=09=09=09=09=09=09=09=09=09=09=09=09=09=20= =20char=20**store_name);=0A=20static=20int=09= openssl_verify_peer_name_matches_certificate_ip(PGconn=20*conn,=0A=20=09=09= =09=09=09=09=09=09=09=09=09=09=09=09=09ASN1_OCTET_STRING=20*addr_entry,=0A= @@=20-490,7=20+490,8=20@@=20verify_cb(int=20ok,=20X509_STORE_CTX=20*ctx)=0A= =20=20*=20into=20a=20plain=20C=20string.=0A=20=20*/=0A=20static=20int=0A= -openssl_verify_peer_name_matches_certificate_name(PGconn=20*conn,=20= ASN1_STRING=20*name_entry,=0A= +openssl_verify_peer_name_matches_certificate_name(PGconn=20*conn,=0A+=09= =09=09=09=09=09=09=09=09=09=09=09=20=20const=20ASN1_STRING=20= *name_entry,=0A=20=09=09=09=09=09=09=09=09=09=09=09=09=20=20char=20= **store_name)=0A=20{=0A=20=09int=09=09=09len;=0A@@=20-683,14=20+684,14=20= @@=20pgtls_verify_peer_name_matches_certificate_guts(PGconn=20*conn,=0A=20= 
=09=20*/=0A=20=09if=20(check_cn)=0A=20=09{=0A-=09=09X509_NAME=20=20= *subject_name;=0A+=09=09const=20X509_NAME=20*subject_name;=0A=20=0A=20=09= =09subject_name=20=3D=20X509_get_subject_name(conn->peer);=0A=20=09=09if=20= (subject_name=20!=3D=20NULL)=0A=20=09=09{=0A=20=09=09=09int=09=09=09= cn_index;=0A=20=0A-=09=09=09cn_index=20=3D=20= X509_NAME_get_index_by_NID(subject_name,=0A+=09=09=09cn_index=20=3D=20= X509_NAME_get_index_by_NID(unconstify(X509_NAME=20*,=20subject_name),=0A=20= =09=09=09=09=09=09=09=09=09=09=09=09=20=20NID_commonName,=20-1);=0A=20=09= =09=09if=20(cn_index=20>=3D=200)=0A=20=09=09=09{=0Adiff=20--git=20= a/src/test/ssl/t/001_ssltests.pl=20b/src/test/ssl/t/001_ssltests.pl=0A= index=20c570b48a1bd..756745b7bec=20100644=0A---=20= a/src/test/ssl/t/001_ssltests.pl=0A+++=20= b/src/test/ssl/t/001_ssltests.pl=0A@@=20-682,7=20+682,7=20@@=20= $node->connect_fails(=0A=20=09"$common_connstr=20user=3Dssltestuser=20= sslcert=3Dssl/client-revoked.crt=20"=0A=20=09=20=20.=20= sslkey('client-revoked.key'),=0A=20=09"certificate=20authorization=20= fails=20with=20revoked=20client=20cert",=0A-=09expected_stderr=20=3D>=20= qr|SSL=20error:=20ssl[a-z0-9/]*=20alert=20certificate=20revoked|,=0A+=09= expected_stderr=20=3D>=20qr!SSL=20error:=20(ssl[a-z0-9/]*|tls)=20alert=20= certificate=20revoked!,=0A=20=09#=20revoked=20certificates=20should=20= not=20authenticate=20the=20user=0A=20=09log_unlike=20=3D>=20= [qr/connection=20authenticated:/],);=0A=20=0A@@=20-743,6=20+743,6=20@@=20= $node->connect_fails(=0A=20=09"$common_connstr=20user=3Dssltestuser=20= sslcert=3Dssl/client-revoked.crt=20"=0A=20=09=20=20.=20= sslkey('client-revoked.key'),=0A=20=09"certificate=20authorization=20= fails=20with=20revoked=20client=20cert=20with=20server-side=20CRL=20= directory",=0A-=09expected_stderr=20=3D>=20qr|SSL=20error:=20= ssl[a-z0-9/]*=20alert=20certificate=20revoked|);=0A+=09expected_stderr=20= =3D>=20qr!SSL=20error:=20(ssl[a-z0-9/]*|tls)=20alert=20certificate=20= 
revoked!);=0A=20=0A=20done_testing();=0A--=20=0A2.39.3=20(Apple=20= Git-146)=0A=0A= --Apple-Mail=_97912F1B-D81E-4D60-9205-633481B08FF0 Content-Disposition: attachment; filename=vREL_14-0001-Support-OpenSSL-4.patch Content-Type: application/octet-stream; x-unix-mode=0644; name="vREL_14-0001-Support-OpenSSL-4.patch" Content-Transfer-Encoding: quoted-printable =46rom=20e6d002430017de95107283cf89b61c1d5cdccf9c=20Mon=20Sep=2017=20= 00:00:00=202001=0AFrom:=20Daniel=20Gustafsson=20= =0ADate:=20Thu,=207=20May=202026=2010:46:18=20= +0200=0ASubject:=20[PATCH=20vREL_14]=20Support=20OpenSSL=204=0A=0A= OpenSSL=204.0.0=20changed=20some=20parameters=20and=20returnvalues=20to=20= const,=20so=0Awe=20need=20to=20update=20our=20declarations=20and=20= subsequently=20cast=20away=20const-=0Aness=20from=20a=20few=20callsites=20= to=20make=20libpq=20build=20without=20warnings.=20This=0Ais=20tested=20= with=20OpenSSL=201.1.1=20through=204.0.0=20as=20well=20as=20with=20= LibreSSL.=0A=0AThere=20is=20also=20an=20errormessage=20change=20in=20= OpenSSL=204.0.0=20which=20needs=20to=0Abe=20covered=20by=20our=20= testharness.=0A=0AAuthor:=20Daniel=20Gustafsson=20=0A= Discussion:=20= https://postgr.es/m/066B07BB-85FA-487C-BE8C-40F791CFC3C4@yesql.se=0A---=0A= =20contrib/sslinfo/sslinfo.c=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20= =20|=2024=20+++++++++++-----------=0A=20= src/backend/libpq/be-secure-openssl.c=20=20=20=20|=2026=20= ++++++++++++------------=0A=20src/interfaces/libpq/fe-secure-openssl.c=20= |=20=209=20++++----=0A=20src/test/ssl/t/001_ssltests.pl=20=20=20=20=20=20= =20=20=20=20=20|=20=204=20++--=0A=204=20files=20changed,=2032=20= insertions(+),=2031=20deletions(-)=0A=0Adiff=20--git=20= a/contrib/sslinfo/sslinfo.c=20b/contrib/sslinfo/sslinfo.c=0Aindex=20= 30cae0bb98..4f8a118bc9=20100644=0A---=20a/contrib/sslinfo/sslinfo.c=0A= +++=20b/contrib/sslinfo/sslinfo.c=0A@@=20-21,8=20+21,8=20@@=0A=20=0A=20= PG_MODULE_MAGIC;=0A=20=0A-static=20Datum=20= 
X509_NAME_field_to_text(X509_NAME=20*name,=20text=20*fieldName);=0A= -static=20Datum=20ASN1_STRING_to_text(ASN1_STRING=20*str);=0A+static=20= Datum=20X509_NAME_field_to_text(const=20X509_NAME=20*name,=20text=20= *fieldName);=0A+static=20Datum=20ASN1_STRING_to_text(const=20ASN1_STRING=20= *str);=0A=20=0A=20/*=0A=20=20*=20Function=20context=20for=20data=20= persisting=20over=20repeated=20calls.=0A@@=20-145,7=20+145,7=20@@=20= ssl_client_serial(PG_FUNCTION_ARGS)=0A=20=20*=20function.=0A=20=20*/=0A=20= static=20Datum=0A-ASN1_STRING_to_text(ASN1_STRING=20*str)=0A= +ASN1_STRING_to_text(const=20ASN1_STRING=20*str)=0A=20{=0A=20=09BIO=09=09= =20=20=20*membuf;=0A=20=09size_t=09=09size;=0A@@=20-160,7=20+160,7=20@@=20= ASN1_STRING_to_text(ASN1_STRING=20*str)=0A=20=09=09=09=09= (errcode(ERRCODE_OUT_OF_MEMORY),=0A=20=09=09=09=09=20errmsg("could=20not=20= create=20OpenSSL=20BIO=20structure")));=0A=20=09(void)=20= BIO_set_close(membuf,=20BIO_CLOSE);=0A-=09ASN1_STRING_print_ex(membuf,=20= str,=0A+=09ASN1_STRING_print_ex(membuf,=20unconstify(ASN1_STRING=20*,=20= str),=0A=20=09=09=09=09=09=09=20((ASN1_STRFLGS_RFC2253=20&=20= ~ASN1_STRFLGS_ESC_MSB)=0A=20=09=09=09=09=09=09=20=20|=20= ASN1_STRFLGS_UTF8_CONVERT));=0A=20=09/*=20ensure=20null=20termination=20= of=20the=20BIO's=20content=20*/=0A@@=20-191,12=20+191,12=20@@=20= ASN1_STRING_to_text(ASN1_STRING=20*str)=0A=20=20*=20part=20of=20name=0A=20= =20*/=0A=20static=20Datum=0A-X509_NAME_field_to_text(X509_NAME=20*name,=20= text=20*fieldName)=0A+X509_NAME_field_to_text(const=20X509_NAME=20*name,=20= text=20*fieldName)=0A=20{=0A=20=09char=09=20=20=20*string_fieldname;=0A=20= =09int=09=09=09nid,=0A=20=09=09=09=09index;=0A-=09ASN1_STRING=20*data;=0A= +=09const=20ASN1_STRING=20*data;=0A=20=0A=20=09string_fieldname=20=3D=20= text_to_cstring(fieldName);=0A=20=09nid=20=3D=20= OBJ_txt2nid(string_fieldname);=0A@@=20-206,10=20+206,10=20@@=20= X509_NAME_field_to_text(X509_NAME=20*name,=20text=20*fieldName)=0A=20=09=09= 
=09=09=20errmsg("invalid=20X.509=20field=20name:=20\"%s\"",=0A=20=09=09=09= =09=09=09string_fieldname)));=0A=20=09pfree(string_fieldname);=0A-=09= index=20=3D=20X509_NAME_get_index_by_NID(name,=20nid,=20-1);=0A+=09index=20= =3D=20X509_NAME_get_index_by_NID(unconstify(X509_NAME=20*,=20name),=20= nid,=20-1);=0A=20=09if=20(index=20<=200)=0A=20=09=09return=20(Datum)=20= 0;=0A-=09data=20=3D=20X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,=20= index));=0A+=09data=20=3D=20= X509_NAME_ENTRY_get_data(X509_NAME_get_entry(unconstify(X509_NAME=20*,=20= name),=20index));=0A=20=09return=20ASN1_STRING_to_text(data);=0A=20}=0A=20= =0A@@=20-418,8=20+418,8=20@@=20ssl_extension_info(PG_FUNCTION_ARGS)=0A=20= =09=09HeapTuple=09tuple;=0A=20=09=09Datum=09=09result;=0A=20=09=09BIO=09=09= =20=20=20*membuf;=0A-=09=09X509_EXTENSION=20*ext;=0A-=09=09ASN1_OBJECT=20= *obj;=0A+=09=09const=20X509_EXTENSION=20*ext;=0A+=09=09const=20= ASN1_OBJECT=20*obj;=0A=20=09=09int=09=09=09nid;=0A=20=09=09int=09=09=09= len;=0A=20=0A@@=20-432,7=20+432,7=20@@=20= ssl_extension_info(PG_FUNCTION_ARGS)=0A=20=0A=20=09=09/*=20Get=20the=20= extension=20from=20the=20certificate=20*/=0A=20=09=09ext=20=3D=20= X509_get_ext(cert,=20call_cntr);=0A-=09=09obj=20=3D=20= X509_EXTENSION_get_object(ext);=0A+=09=09obj=20=3D=20= X509_EXTENSION_get_object(unconstify(X509_EXTENSION=20*,=20ext));=0A=20=0A= =20=09=09/*=20Get=20the=20extension=20name=20*/=0A=20=09=09nid=20=3D=20= OBJ_obj2nid(obj);=0A@@=20-445,7=20+445,7=20@@=20= ssl_extension_info(PG_FUNCTION_ARGS)=0A=20=09=09nulls[0]=20=3D=20false;=0A= =20=0A=20=09=09/*=20Get=20the=20extension=20value=20*/=0A-=09=09if=20= (X509V3_EXT_print(membuf,=20ext,=200,=200)=20<=3D=200)=0A+=09=09if=20= (X509V3_EXT_print(membuf,=20unconstify(X509_EXTENSION=20*,=20ext),=200,=20= 0)=20<=3D=200)=0A=20=09=09=09ereport(ERROR,=0A=20=09=09=09=09=09= (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),=0A=20=09=09=09=09=09=20= errmsg("could=20not=20print=20extension=20value=20in=20certificate=20at=20= 
position=20%d",=0Adiff=20--git=20a/src/backend/libpq/be-secure-openssl.c=20= b/src/backend/libpq/be-secure-openssl.c=0Aindex=208df8ed3c90..8fa4963ced=20= 100644=0A---=20a/src/backend/libpq/be-secure-openssl.c=0A+++=20= b/src/backend/libpq/be-secure-openssl.c=0A@@=20-64,7=20+64,7=20@@=20= static=20bool=20initialize_dh(SSL_CTX=20*context,=20bool=20= isServerStart);=0A=20static=20bool=20initialize_ecdh(SSL_CTX=20*context,=20= bool=20isServerStart);=0A=20static=20const=20char=20= *SSLerrmessage(unsigned=20long=20ecode);=0A=20=0A-static=20char=20= *X509_NAME_to_cstring(X509_NAME=20*name);=0A+static=20char=20= *X509_NAME_to_cstring(const=20X509_NAME=20*name);=0A=20=0A=20static=20= SSL_CTX=20*SSL_context=20=3D=20NULL;=0A=20static=20bool=20= SSL_initialized=20=3D=20false;=0A@@=20-580,18=20+580,18=20@@=20aloop:=0A=20= =09if=20(port->peer=20!=3D=20NULL)=0A=20=09{=0A=20=09=09int=09=09=09len;=0A= -=09=09X509_NAME=20=20*x509name=20=3D=20= X509_get_subject_name(port->peer);=0A+=09=09const=20X509_NAME=20= *x509name=20=3D=20X509_get_subject_name(port->peer);=0A=20=09=09char=09=20= =20=20*peer_dn;=0A=20=09=09BIO=09=09=20=20=20*bio=20=3D=20NULL;=0A=20=09=09= BUF_MEM=20=20=20=20*bio_buf=20=3D=20NULL;=0A=20=0A-=09=09len=20=3D=20= X509_NAME_get_text_by_NID(x509name,=20NID_commonName,=20NULL,=200);=0A+=09= =09len=20=3D=20X509_NAME_get_text_by_NID(unconstify(X509_NAME=20*,=20= x509name),=20NID_commonName,=20NULL,=200);=0A=20=09=09if=20(len=20!=3D=20= -1)=0A=20=09=09{=0A=20=09=09=09char=09=20=20=20*peer_cn;=0A=20=0A=20=09=09= =09peer_cn=20=3D=20MemoryContextAlloc(TopMemoryContext,=20len=20+=201);=0A= -=09=09=09r=20=3D=20X509_NAME_get_text_by_NID(x509name,=20= NID_commonName,=20peer_cn,=0A+=09=09=09r=20=3D=20= X509_NAME_get_text_by_NID(unconstify(X509_NAME=20*,=20x509name),=20= NID_commonName,=20peer_cn,=0A=20=09=09=09=09=09=09=09=09=09=09=20=20len=20= +=201);=0A=20=09=09=09peer_cn[len]=20=3D=20'\0';=0A=20=09=09=09if=20(r=20= 
!=3D=20len)=0A@@=20-632,7=20+632,7=20@@=20aloop:=0A=20=09=09=20*=20which=20= make=20regular=20expression=20matching=20a=20bit=20easier.=20Also=20note=20= that=0A=20=09=09=20*=20it=20prints=20the=20Subject=20fields=20in=20= reverse=20order.=0A=20=09=09=20*/=0A-=09=09X509_NAME_print_ex(bio,=20= x509name,=200,=20XN_FLAG_RFC2253);=0A+=09=09X509_NAME_print_ex(bio,=20= unconstify(X509_NAME=20*,=20x509name),=200,=20XN_FLAG_RFC2253);=0A=20=09=09= if=20(BIO_get_mem_ptr(bio,=20&bio_buf)=20<=3D=200)=0A=20=09=09{=0A=20=09=09= =09BIO_free(bio);=0A@@=20-1406,14=20+1406,14=20@@=20= be_tls_get_certificate_hash(Port=20*port,=20size_t=20*len)=0A=20=20*=0A=20= =20*/=0A=20static=20char=20*=0A-X509_NAME_to_cstring(X509_NAME=20*name)=0A= +X509_NAME_to_cstring(const=20X509_NAME=20*name)=0A=20{=0A=20=09BIO=09=09= =20=20=20*membuf=20=3D=20BIO_new(BIO_s_mem());=0A=20=09int=09=09=09i,=0A=20= =09=09=09=09nid,=0A-=09=09=09=09count=20=3D=20= X509_NAME_entry_count(name);=0A-=09X509_NAME_ENTRY=20*e;=0A-=09= ASN1_STRING=20*v;=0A+=09=09=09=09count=20=3D=20= X509_NAME_entry_count(unconstify(X509_NAME=20*,=20name));=0A+=09const=20= X509_NAME_ENTRY=20*e;=0A+=09const=20ASN1_STRING=20*v;=0A=20=09const=20= char=20*field_name;=0A=20=09size_t=09=09size;=0A=20=09char=09=09= nullterm;=0A@@=20-1429,13=20+1429,13=20@@=20= X509_NAME_to_cstring(X509_NAME=20*name)=0A=20=09(void)=20= BIO_set_close(membuf,=20BIO_CLOSE);=0A=20=09for=20(i=20=3D=200;=20i=20<=20= count;=20i++)=0A=20=09{=0A-=09=09e=20=3D=20X509_NAME_get_entry(name,=20= i);=0A-=09=09nid=20=3D=20OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));=0A+=09= =09e=20=3D=20X509_NAME_get_entry(unconstify(X509_NAME=20*,=20name),=20= i);=0A+=09=09nid=20=3D=20= OBJ_obj2nid(X509_NAME_ENTRY_get_object(unconstify(X509_NAME_ENTRY=20*,=20= e)));=0A=20=09=09if=20(nid=20=3D=3D=20NID_undef)=0A=20=09=09=09= ereport(ERROR,=0A=20=09=09=09=09=09= (errcode(ERRCODE_INVALID_PARAMETER_VALUE),=0A=20=09=09=09=09=09=20= 
errmsg("could=20not=20get=20NID=20for=20ASN1_OBJECT=20object")));=0A-=09=09= v=20=3D=20X509_NAME_ENTRY_get_data(e);=0A+=09=09v=20=3D=20= X509_NAME_ENTRY_get_data(unconstify(X509_NAME_ENTRY=20*,=20e));=0A=20=09=09= field_name=20=3D=20OBJ_nid2sn(nid);=0A=20=09=09if=20(field_name=20=3D=3D=20= NULL)=0A=20=09=09=09field_name=20=3D=20OBJ_nid2ln(nid);=0A@@=20-1444,7=20= +1444,7=20@@=20X509_NAME_to_cstring(X509_NAME=20*name)=0A=20=09=09=09=09=09= (errcode(ERRCODE_INVALID_PARAMETER_VALUE),=0A=20=09=09=09=09=09=20= errmsg("could=20not=20convert=20NID=20%d=20to=20an=20ASN1_OBJECT=20= structure",=20nid)));=0A=20=09=09BIO_printf(membuf,=20"/%s=3D",=20= field_name);=0A-=09=09ASN1_STRING_print_ex(membuf,=20v,=0A+=09=09= ASN1_STRING_print_ex(membuf,=20unconstify(ASN1_STRING=20*,=20v),=0A=20=09= =09=09=09=09=09=09=20((ASN1_STRFLGS_RFC2253=20&=20~ASN1_STRFLGS_ESC_MSB)=0A= =20=09=09=09=09=09=09=09=20=20|=20ASN1_STRFLGS_UTF8_CONVERT));=0A=20=09}=0A= diff=20--git=20a/src/interfaces/libpq/fe-secure-openssl.c=20= b/src/interfaces/libpq/fe-secure-openssl.c=0Aindex=20= 5f340494b7..908a3261f2=20100644=0A---=20= a/src/interfaces/libpq/fe-secure-openssl.c=0A+++=20= b/src/interfaces/libpq/fe-secure-openssl.c=0A@@=20-64,7=20+64,7=20@@=0A=20= =0A=20static=20int=09verify_cb(int=20ok,=20X509_STORE_CTX=20*ctx);=0A=20= static=20int=09openssl_verify_peer_name_matches_certificate_name(PGconn=20= *conn,=0A-=09=09=09=09=09=09=09=09=09=09=09=09=09=09=09=20=20ASN1_STRING=20= *name,=0A+=09=09=09=09=09=09=09=09=09=09=09=09=09=09=09=20=20const=20= ASN1_STRING=20*name,=0A=20=09=09=09=09=09=09=09=09=09=09=09=09=09=09=09=20= =20char=20**store_name);=0A=20static=20void=20destroy_ssl_system(void);=0A= =20static=20int=09initialize_SSL(PGconn=20*conn);=0A@@=20-481,7=20+481,8=20= @@=20verify_cb(int=20ok,=20X509_STORE_CTX=20*ctx)=0A=20=20*=20into=20a=20= plain=20C=20string.=0A=20=20*/=0A=20static=20int=0A= -openssl_verify_peer_name_matches_certificate_name(PGconn=20*conn,=20= ASN1_STRING=20*name_entry,=0A= 
+openssl_verify_peer_name_matches_certificate_name(PGconn=20*conn,=0A+=09= =09=09=09=09=09=09=09=09=09=09=09=20=20const=20ASN1_STRING=20= *name_entry,=0A=20=09=09=09=09=09=09=09=09=09=09=09=09=20=20char=20= **store_name)=0A=20{=0A=20=09int=09=09=09len;=0A@@=20-570,14=20+571,14=20= @@=20pgtls_verify_peer_name_matches_certificate_guts(PGconn=20*conn,=0A=20= =09=20*/=0A=20=09if=20(*names_examined=20=3D=3D=200)=0A=20=09{=0A-=09=09= X509_NAME=20=20*subject_name;=0A+=09=09const=20X509_NAME=20= *subject_name;=0A=20=0A=20=09=09subject_name=20=3D=20= X509_get_subject_name(conn->peer);=0A=20=09=09if=20(subject_name=20!=3D=20= NULL)=0A=20=09=09{=0A=20=09=09=09int=09=09=09cn_index;=0A=20=0A-=09=09=09= cn_index=20=3D=20X509_NAME_get_index_by_NID(subject_name,=0A+=09=09=09= cn_index=20=3D=20X509_NAME_get_index_by_NID(unconstify(X509_NAME=20*,=20= subject_name),=0A=20=09=09=09=09=09=09=09=09=09=09=09=09=20=20= NID_commonName,=20-1);=0A=20=09=09=09if=20(cn_index=20>=3D=200)=0A=20=09=09= =09{=0Adiff=20--git=20a/src/test/ssl/t/001_ssltests.pl=20= b/src/test/ssl/t/001_ssltests.pl=0Aindex=20cc7bd98c83..f6b20186f1=20= 100644=0A---=20a/src/test/ssl/t/001_ssltests.pl=0A+++=20= b/src/test/ssl/t/001_ssltests.pl=0A@@=20-538,7=20+538,7=20@@=20= $node->connect_fails(=0A=20$node->connect_fails(=0A=20=09= "$common_connstr=20user=3Dssltestuser=20sslcert=3Dssl/client-revoked.crt=20= sslkey=3Dssl/client-revoked_tmp.key",=0A=20=09"certificate=20= authorization=20fails=20with=20revoked=20client=20cert",=0A-=09= expected_stderr=20=3D>=20qr|SSL=20error:=20ssl[a-z0-9/]*=20alert=20= certificate=20revoked|,=0A+=09expected_stderr=20=3D>=20qr!SSL=20error:=20= (ssl[a-z0-9/]*|tls)=20alert=20certificate=20revoked!,=0A=20=09#=20= revoked=20certificates=20should=20not=20authenticate=20the=20user=0A=20=09= log_unlike=20=3D>=20[qr/connection=20authenticated:/],);=0A=20=0A@@=20= -591,7=20+591,7=20@@=20switch_server_cert($node,=20'server-cn-only',=20= 
undef,=20undef,=0A=20$node->connect_fails(=0A=20=09"$common_connstr=20= user=3Dssltestuser=20sslcert=3Dssl/client-revoked.crt=20= sslkey=3Dssl/client-revoked_tmp.key",=0A=20=09"certificate=20= authorization=20fails=20with=20revoked=20client=20cert=20with=20= server-side=20CRL=20directory",=0A-=09expected_stderr=20=3D>=20qr|SSL=20= error:=20ssl[a-z0-9/]*=20alert=20certificate=20revoked|);=0A+=09= expected_stderr=20=3D>=20qr!SSL=20error:=20(ssl[a-z0-9/]*|tls)=20alert=20= certificate=20revoked!);=0A=20=0A=20#=20clean=20up=0A=20foreach=20my=20= $key=20(@keys)=0A--=20=0A2.39.3=20(Apple=20Git-146)=0A=0A= --Apple-Mail=_97912F1B-D81E-4D60-9205-633481B08FF0--
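Review bot: in the fe-secure-openssl.c hunk for pgtls_verify_peer_name_matches_certificate_guts, both back-branch patches (vREL_15 and vREL_14) cast `subject_name` for `X509_NAME_get_index_by_NID` but stop there, while the first attached patch also casts it in the following `X509_NAME_ENTRY_get_data(X509_NAME_get_entry(unconstify(X509_NAME *, subject_name), cn_index))` call in its `@@ -695,7 +696,7 @@` hunk, and sslinfo.c in these same back-branch patches casts the equivalent `X509_NAME_get_entry(unconstify(X509_NAME *, name), index)`. The fe-secure-openssl.c diffstat of `9 ++++----` (prototype 1/1, signature 2/1, `subject_name` 1/1, `cn_index` 1/1) confirms nothing else in that file is touched, so with `subject_name` now `const X509_NAME *` the untouched `X509_NAME_get_entry(subject_name, cn_index)` call will warn on whichever toolchain needed the cast in the first patch. Either the cast is unnecessary for `X509_NAME_get_entry` on every supported version (then drop it from sslinfo.c and from the first patch for consistency) or the back-branch hunks need the same one-line change.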
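Review bot: the `unconstify()` calls in sslinfo.c and be-secure-openssl.c are only sound because every wrapped call (`X509_NAME_get_index_by_NID`, `X509_NAME_get_entry`, `X509_NAME_ENTRY_get_object`, `X509_NAME_ENTRY_get_data`, `X509_NAME_entry_count`, `X509_NAME_get_text_by_NID`, `X509_NAME_print_ex`, `ASN1_STRING_print_ex`, `X509_EXTENSION_get_object`, `X509V3_EXT_print`) is a read-only accessor or printer, and nothing in the diff says so. A short comment next to the first cast in each file (or a sentence in the commit message) stating which OpenSSL/LibreSSL versions accept `const` here and that the callees do not write through the pointer would keep the pattern from being copied onto a call that does mutate its argument. Related: the `ASN1_STRING_data(unconstify(ASN1_STRING *, name_entry))` cast sits in the `#else` branch of `#ifdef HAVE_ASN1_STRING_GET0_DATA`, which is never compiled against OpenSSL 4.0.0; since the commit message cites testing on 1.1.1 through 4.0.0 plus LibreSSL, it would help to note which LibreSSL version was used and whether that branch was actually built.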
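Review bot: the two `001_ssltests.pl` hunks in each patch introduce a capturing group, `(ssl[a-z0-9/]*|tls)`, that nothing reads and that forces the delimiter change from `|` to `!`; a non-capturing group `(?:ssl[a-z0-9/]*|tls)` avoids the capture, or the existing class can simply be widened to `qr|SSL error: [a-z0-9/]+ alert certificate revoked|`, which keeps the original delimiters and still matches both the pre-4.0 `ssl...` spelling and the new `tls` one. A one-line comment above the regex saying that `tls` is the OpenSSL 4.0.0 wording (the commit message mentions the error message change, the test does not) would save the next reader a trip to the archives.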
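Review bot: the commit message in both back-branch patches says the casts are needed "to make libpq build without warnings", but the diffstat shows the larger share of the change is in `src/backend/libpq/be-secure-openssl.c` (26 lines) and `contrib/sslinfo/sslinfo.c` (24 lines) versus 9 in `src/interfaces/libpq/fe-secure-openssl.c`; suggest "to make libpq, the backend and sslinfo build without warnings" so the message matches the footprint of the change.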