public inbox for [email protected]  
help / color / mirror / Atom feed
[PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
87+ messages / 2 participants
[nested] [flat]

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -854,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -906,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------4DB1F28AF6A9296C8B774BA1
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
---
 src/backend/libpq/be-secure-openssl.c    | 25 ++++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..86ede00 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,15 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 520dcd7..aaf27c5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -802,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -842,17 +843,22 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if SSLEAY_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 			OPENSSL_config(NULL);
 #endif
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -906,7 +912,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------030278BCE28368DA431175D2
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v3.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

---
 src/backend/libpq/be-secure-openssl.c    | 23 ++++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++--------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 2fa2793..926dbf2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -166,11 +166,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 #if SSLEAY_VERSION_NUMBER >= 0x0907000L
 		OPENSSL_config(NULL);
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+#if SSLEAY_VERSION_NUMBER >= 0x00908000L
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+#else
+	return DH_generate_parameters(prime_len, generator, NULL, NULL);
+#endif
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 56bc279..aa80284 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
 
-/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
-
 static unsigned long
 pq_threadidcallback(void)
 {
@@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -807,6 +802,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -847,10 +843,12 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
+#if SSLEAY_VERSION_NUMBER < 0x10100000L
 		if (pq_init_ssl_lib)
 		{
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
@@ -859,6 +857,7 @@ pgtls_init(PGconn *conn)
 			SSL_library_init();
 			SSL_load_error_strings();
 		}
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -911,7 +910,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.8.1


--------------DE698287B513FDFBBD5199C2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--------------DE698287B513FDFBBD5199C2--




^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings
@ 2016-06-28 05:51 Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw)

- Fix deprecation warning about DH_generate_parameters
- Fix warnigns resulting from the automatic initialization
- Fix warnigns resulting from the new thread support in OpenSSL
- Use OPENSSL_init_ssl instead of deprecated OPENSSL_config
- Use ASN1_STRING_get0_data instead of ASN1_STRING_data

squash! Remove OpenSSL 1.1 deprecation warnings
---
 src/backend/libpq/be-secure-openssl.c    | 21 ++++++++++++++++++++-
 src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++--------
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 565e845..afe4694 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -164,9 +164,13 @@ be_tls_init(void)
 
 	if (!SSL_context)
 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 		OPENSSL_config(NULL);
 		SSL_library_init();
 		SSL_load_error_strings();
+#endif
 
 		/*
 		 * We use SSLv23_method() because it can negotiate use of the highest
@@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len)
 	return dh;
 }
 
+static DH  *
+generate_dh_params(int prime_len, int generator)
+{
+	DH *dh;
+
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+
+	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
+		return dh;
+
+	DH_free(dh);
+	return NULL;
+}
+
 /*
  *	Generate an ephemeral DH key.  Because this can take a long
  *	time to compute, we can use precomputed parameters of the
@@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 		ereport(DEBUG2,
 				(errmsg_internal("DH: generating parameters (%d bits)",
 								 keylength)));
-		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+		r = generate_dh_params(keylength, DH_GENERATOR_2);
 	}
 
 	return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 12cab74..388215f 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string)
 	return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
 
 /*
  * Check if a name from a server's certificate matches the peer's hostname.
@@ -520,10 +523,10 @@ static int
 verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 										  char **store_name)
 {
-	int			len;
-	char	   *name;
-	unsigned char *namedata;
-	int			result;
+	int						len;
+	char			  	   *name;
+	const unsigned char    *namedata;
+	int						result;
 
 	*store_name = NULL;
 
@@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 	 * There is no guarantee the string returned from the certificate is
 	 * NULL-terminated, so make a copy that is.
 	 */
-	namedata = ASN1_STRING_data(name_entry);
+	namedata = ASN1_STRING_get0_data(name_entry);
 	len = ASN1_STRING_length(name_entry);
 	name = malloc(len + 1);
 	if (name == NULL)
@@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 	return found_match && !got_error;
 }
 
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  *	Callback functions for OpenSSL internal locking
  */
@@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 			PGTHREAD_ERROR("failed to unlock mutex");
 	}
 }
-#endif   /* ENABLE_THREAD_SAFETY */
+#endif   /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 /*
  * Initialize SSL system, in particular creating the SSL_context object
@@ -800,6 +803,7 @@ pgtls_init(PGconn *conn)
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (pq_init_crypto_lib)
 	{
 		/*
@@ -840,15 +844,20 @@ pgtls_init(PGconn *conn)
 				CRYPTO_set_locking_callback(pq_lockingcallback);
 		}
 	}
+#endif
 #endif   /* ENABLE_THREAD_SAFETY */
 
 	if (!SSL_context)
 	{
 		if (pq_init_ssl_lib)
 		{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+			OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
 			OPENSSL_config(NULL);
 			SSL_library_init();
 			SSL_load_error_strings();
+#endif
 		}
 
 		/*
@@ -902,7 +911,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#ifdef ENABLE_THREAD_SAFETY
+#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* Mutex is created in initialize_ssl_system() */
 	if (pthread_mutex_lock(&ssl_config_mutex))
 		return;
-- 
2.9.3


--------------9CBFCED4AE08A89AD874AB68
Content-Type: text/x-patch;
 name="0003-Remove-px_get_pseudo_random_bytes-v4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch"



^ permalink  raw  reply  [nested|flat] 87+ messages in thread

* [PATCH 9/9] reuse existing variable by overwriting it
@ 2026-03-12 15:14 Álvaro Herrera <[email protected]>
  0 siblings, 0 replies; 87+ messages in thread

From: Álvaro Herrera @ 2026-03-12 15:14 UTC (permalink / raw)

---
 src/backend/replication/pgoutput_repack/pgoutput_repack.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/backend/replication/pgoutput_repack/pgoutput_repack.c b/src/backend/replication/pgoutput_repack/pgoutput_repack.c
index c77564c4024..67442d07ab1 100644
--- a/src/backend/replication/pgoutput_repack/pgoutput_repack.c
+++ b/src/backend/replication/pgoutput_repack/pgoutput_repack.c
@@ -250,12 +250,8 @@ store_change(LogicalDecodingContext *ctx, Relation relation,
 	/* ... and the attributes themselves, if any */
 	foreach_ptr(varlena, attr_val, attrs_ext)
 	{
-		varlena    *ext_val;
-		Size		ext_val_size;
-
-		ext_val = detoast_external_attr(attr_val);
-		ext_val_size = VARSIZE_ANY(ext_val);
-		BufFileWrite(file, ext_val, ext_val_size);
+		attr_val = detoast_external_attr(attr_val);
+		BufFileWrite(file, attr_val, VARSIZE_ANY(attr_val));
 	}
 
 	/* Finally write the tuple size ... */
-- 
2.47.3


--pnppmxqkefjd4hu2--





^ permalink  raw  reply  [nested|flat] 87+ messages in thread


end of thread, other threads:[~2026-03-12 15:14 UTC | newest]

Thread overview: 87+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]>
2026-03-12 15:14 [PATCH 9/9] reuse existing variable by overwriting it Álvaro Herrera <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox