agora inbox for [email protected]help / color / mirror / Atom feed
[PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings 87+ messages / 2 participants [nested] [flat]
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH v16 7/8] Row pattern recognition patch (tests). @ 2024-04-12 06:49 Tatsuo Ishii <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Tatsuo Ishii @ 2024-04-12 06:49 UTC (permalink / raw) --- src/test/regress/expected/rpr.out | 821 +++++++++++++++++++++++++++++ src/test/regress/parallel_schedule | 2 +- src/test/regress/sql/rpr.sql | 392 ++++++++++++++ 3 files changed, 1214 insertions(+), 1 deletion(-) create mode 100644 src/test/regress/expected/rpr.out create mode 100644 src/test/regress/sql/rpr.sql diff --git a/src/test/regress/expected/rpr.out b/src/test/regress/expected/rpr.out new file mode 100644 index 0000000000..e8998ebf45 --- /dev/null +++ b/src/test/regress/expected/rpr.out @@ -0,0 +1,821 @@ +-- +-- Test for row pattern definition clause +-- +CREATE TEMP TABLE stock ( + company TEXT, + tdate DATE, + price INTEGER +); +INSERT INTO stock VALUES ('company1', '2023-07-01', 100); +INSERT INTO stock VALUES ('company1', '2023-07-02', 200); +INSERT INTO stock VALUES ('company1', '2023-07-03', 150); +INSERT INTO stock VALUES ('company1', '2023-07-04', 140); +INSERT INTO stock VALUES ('company1', '2023-07-05', 150); +INSERT INTO stock VALUES ('company1', '2023-07-06', 90); +INSERT INTO stock VALUES ('company1', '2023-07-07', 110); +INSERT INTO stock VALUES ('company1', '2023-07-08', 130); +INSERT INTO stock VALUES ('company1', '2023-07-09', 120); +INSERT INTO stock VALUES ('company1', '2023-07-10', 130); +INSERT INTO stock VALUES ('company2', '2023-07-01', 50); +INSERT INTO stock VALUES ('company2', '2023-07-02', 2000); +INSERT INTO stock VALUES ('company2', '2023-07-03', 1500); +INSERT INTO stock VALUES ('company2', '2023-07-04', 1400); +INSERT INTO stock VALUES ('company2', '2023-07-05', 1500); +INSERT INTO stock VALUES ('company2', '2023-07-06', 60); +INSERT INTO stock VALUES ('company2', '2023-07-07', 1100); +INSERT INTO stock VALUES ('company2', '2023-07-08', 1300); +INSERT INTO stock VALUES ('company2', '2023-07-09', 1200); +INSERT INTO stock VALUES ('company2', '2023-07-10', 1300); +SELECT * FROM stock; + company | tdate | price +----------+------------+------- + company1 | 07-01-2023 | 100 + company1 | 07-02-2023 | 200 + company1 | 07-03-2023 | 150 + company1 | 07-04-2023 | 140 + company1 | 07-05-2023 | 150 + company1 | 07-06-2023 | 90 + company1 | 07-07-2023 | 110 + company1 | 07-08-2023 | 130 + company1 | 07-09-2023 | 120 + company1 | 07-10-2023 | 130 + company2 | 07-01-2023 | 50 + company2 | 07-02-2023 | 2000 + company2 | 07-03-2023 | 1500 + company2 | 07-04-2023 | 1400 + company2 | 07-05-2023 | 1500 + company2 | 07-06-2023 | 60 + company2 | 07-07-2023 | 1100 + company2 | 07-08-2023 | 1300 + company2 | 07-09-2023 | 1200 + company2 | 07-10-2023 | 1300 +(20 rows) + +-- basic test using PREV +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w, + nth_value(tdate, 2) OVER w AS nth_second + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + company | tdate | price | first_value | last_value | nth_second +----------+------------+-------+-------------+------------+------------ + company1 | 07-01-2023 | 100 | 100 | 140 | 07-02-2023 + company1 | 07-02-2023 | 200 | | | + company1 | 07-03-2023 | 150 | | | + company1 | 07-04-2023 | 140 | | | + company1 | 07-05-2023 | 150 | | | + company1 | 07-06-2023 | 90 | 90 | 120 | 07-07-2023 + company1 | 07-07-2023 | 110 | | | + company1 | 07-08-2023 | 130 | | | + company1 | 07-09-2023 | 120 | | | + company1 | 07-10-2023 | 130 | | | + company2 | 07-01-2023 | 50 | 50 | 1400 | 07-02-2023 + company2 | 07-02-2023 | 2000 | | | + company2 | 07-03-2023 | 1500 | | | + company2 | 07-04-2023 | 1400 | | | + company2 | 07-05-2023 | 1500 | | | + company2 | 07-06-2023 | 60 | 60 | 1200 | 07-07-2023 + company2 | 07-07-2023 | 1100 | | | + company2 | 07-08-2023 | 1300 | | | + company2 | 07-09-2023 | 1200 | | | + company2 | 07-10-2023 | 1300 | | | +(20 rows) + +-- basic test using PREV. UP appears twice +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w, + nth_value(tdate, 2) OVER w AS nth_second + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+ UP+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + company | tdate | price | first_value | last_value | nth_second +----------+------------+-------+-------------+------------+------------ + company1 | 07-01-2023 | 100 | 100 | 150 | 07-02-2023 + company1 | 07-02-2023 | 200 | | | + company1 | 07-03-2023 | 150 | | | + company1 | 07-04-2023 | 140 | | | + company1 | 07-05-2023 | 150 | | | + company1 | 07-06-2023 | 90 | 90 | 130 | 07-07-2023 + company1 | 07-07-2023 | 110 | | | + company1 | 07-08-2023 | 130 | | | + company1 | 07-09-2023 | 120 | | | + company1 | 07-10-2023 | 130 | | | + company2 | 07-01-2023 | 50 | 50 | 1500 | 07-02-2023 + company2 | 07-02-2023 | 2000 | | | + company2 | 07-03-2023 | 1500 | | | + company2 | 07-04-2023 | 1400 | | | + company2 | 07-05-2023 | 1500 | | | + company2 | 07-06-2023 | 60 | 60 | 1300 | 07-07-2023 + company2 | 07-07-2023 | 1100 | | | + company2 | 07-08-2023 | 1300 | | | + company2 | 07-09-2023 | 1200 | | | + company2 | 07-10-2023 | 1300 | | | +(20 rows) + +-- basic test using PREV. Use '*' +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w, + nth_value(tdate, 2) OVER w AS nth_second + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP* DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + company | tdate | price | first_value | last_value | nth_second +----------+------------+-------+-------------+------------+------------ + company1 | 07-01-2023 | 100 | 100 | 140 | 07-02-2023 + company1 | 07-02-2023 | 200 | | | + company1 | 07-03-2023 | 150 | | | + company1 | 07-04-2023 | 140 | | | + company1 | 07-05-2023 | 150 | 150 | 90 | 07-06-2023 + company1 | 07-06-2023 | 90 | | | + company1 | 07-07-2023 | 110 | 110 | 120 | 07-08-2023 + company1 | 07-08-2023 | 130 | | | + company1 | 07-09-2023 | 120 | | | + company1 | 07-10-2023 | 130 | | | + company2 | 07-01-2023 | 50 | 50 | 1400 | 07-02-2023 + company2 | 07-02-2023 | 2000 | | | + company2 | 07-03-2023 | 1500 | | | + company2 | 07-04-2023 | 1400 | | | + company2 | 07-05-2023 | 1500 | 1500 | 60 | 07-06-2023 + company2 | 07-06-2023 | 60 | | | + company2 | 07-07-2023 | 1100 | 1100 | 1200 | 07-08-2023 + company2 | 07-08-2023 | 1300 | | | + company2 | 07-09-2023 | 1200 | | | + company2 | 07-10-2023 | 1300 | | | +(20 rows) + +-- basic test with none greedy pattern +SELECT company, tdate, price, count(*) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (A A A) + DEFINE + A AS price >= 140 AND price <= 150 +); + company | tdate | price | count +----------+------------+-------+------- + company1 | 07-01-2023 | 100 | 0 + company1 | 07-02-2023 | 200 | 0 + company1 | 07-03-2023 | 150 | 3 + company1 | 07-04-2023 | 140 | + company1 | 07-05-2023 | 150 | + company1 | 07-06-2023 | 90 | 0 + company1 | 07-07-2023 | 110 | 0 + company1 | 07-08-2023 | 130 | 0 + company1 | 07-09-2023 | 120 | 0 + company1 | 07-10-2023 | 130 | 0 + company2 | 07-01-2023 | 50 | 0 + company2 | 07-02-2023 | 2000 | 0 + company2 | 07-03-2023 | 1500 | 0 + company2 | 07-04-2023 | 1400 | 0 + company2 | 07-05-2023 | 1500 | 0 + company2 | 07-06-2023 | 60 | 0 + company2 | 07-07-2023 | 1100 | 0 + company2 | 07-08-2023 | 1300 | 0 + company2 | 07-09-2023 | 1200 | 0 + company2 | 07-10-2023 | 1300 | 0 +(20 rows) + +-- last_value() should remain consistent +SELECT company, tdate, price, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + company | tdate | price | last_value +----------+------------+-------+------------ + company1 | 07-01-2023 | 100 | 140 + company1 | 07-02-2023 | 200 | + company1 | 07-03-2023 | 150 | + company1 | 07-04-2023 | 140 | + company1 | 07-05-2023 | 150 | + company1 | 07-06-2023 | 90 | 120 + company1 | 07-07-2023 | 110 | + company1 | 07-08-2023 | 130 | + company1 | 07-09-2023 | 120 | + company1 | 07-10-2023 | 130 | + company2 | 07-01-2023 | 50 | 1400 + company2 | 07-02-2023 | 2000 | + company2 | 07-03-2023 | 1500 | + company2 | 07-04-2023 | 1400 | + company2 | 07-05-2023 | 1500 | + company2 | 07-06-2023 | 60 | 1200 + company2 | 07-07-2023 | 1100 | + company2 | 07-08-2023 | 1300 | + company2 | 07-09-2023 | 1200 | + company2 | 07-10-2023 | 1300 | +(20 rows) + +-- omit "START" in DEFINE but it is ok because "START AS TRUE" is +-- implicitly defined. per spec. +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w, + nth_value(tdate, 2) OVER w AS nth_second + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + company | tdate | price | first_value | last_value | nth_second +----------+------------+-------+-------------+------------+------------ + company1 | 07-01-2023 | 100 | 100 | 140 | 07-02-2023 + company1 | 07-02-2023 | 200 | | | + company1 | 07-03-2023 | 150 | | | + company1 | 07-04-2023 | 140 | | | + company1 | 07-05-2023 | 150 | | | + company1 | 07-06-2023 | 90 | 90 | 120 | 07-07-2023 + company1 | 07-07-2023 | 110 | | | + company1 | 07-08-2023 | 130 | | | + company1 | 07-09-2023 | 120 | | | + company1 | 07-10-2023 | 130 | | | + company2 | 07-01-2023 | 50 | 50 | 1400 | 07-02-2023 + company2 | 07-02-2023 | 2000 | | | + company2 | 07-03-2023 | 1500 | | | + company2 | 07-04-2023 | 1400 | | | + company2 | 07-05-2023 | 1500 | | | + company2 | 07-06-2023 | 60 | 60 | 1200 | 07-07-2023 + company2 | 07-07-2023 | 1100 | | | + company2 | 07-08-2023 | 1300 | | | + company2 | 07-09-2023 | 1200 | | | + company2 | 07-10-2023 | 1300 | | | +(20 rows) + +-- the first row start with less than or equal to 100 +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (LOWPRICE UP+ DOWN+) + DEFINE + LOWPRICE AS price <= 100, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + company | tdate | price | first_value | last_value +----------+------------+-------+-------------+------------ + company1 | 07-01-2023 | 100 | 100 | 140 + company1 | 07-02-2023 | 200 | | + company1 | 07-03-2023 | 150 | | + company1 | 07-04-2023 | 140 | | + company1 | 07-05-2023 | 150 | | + company1 | 07-06-2023 | 90 | 90 | 120 + company1 | 07-07-2023 | 110 | | + company1 | 07-08-2023 | 130 | | + company1 | 07-09-2023 | 120 | | + company1 | 07-10-2023 | 130 | | + company2 | 07-01-2023 | 50 | 50 | 1400 + company2 | 07-02-2023 | 2000 | | + company2 | 07-03-2023 | 1500 | | + company2 | 07-04-2023 | 1400 | | + company2 | 07-05-2023 | 1500 | | + company2 | 07-06-2023 | 60 | 60 | 1200 + company2 | 07-07-2023 | 1100 | | + company2 | 07-08-2023 | 1300 | | + company2 | 07-09-2023 | 1200 | | + company2 | 07-10-2023 | 1300 | | +(20 rows) + +-- second row raises 120% +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (LOWPRICE UP+ DOWN+) + DEFINE + LOWPRICE AS price <= 100, + UP AS price > PREV(price) * 1.2, + DOWN AS price < PREV(price) +); + company | tdate | price | first_value | last_value +----------+------------+-------+-------------+------------ + company1 | 07-01-2023 | 100 | 100 | 140 + company1 | 07-02-2023 | 200 | | + company1 | 07-03-2023 | 150 | | + company1 | 07-04-2023 | 140 | | + company1 | 07-05-2023 | 150 | | + company1 | 07-06-2023 | 90 | | + company1 | 07-07-2023 | 110 | | + company1 | 07-08-2023 | 130 | | + company1 | 07-09-2023 | 120 | | + company1 | 07-10-2023 | 130 | | + company2 | 07-01-2023 | 50 | 50 | 1400 + company2 | 07-02-2023 | 2000 | | + company2 | 07-03-2023 | 1500 | | + company2 | 07-04-2023 | 1400 | | + company2 | 07-05-2023 | 1500 | | + company2 | 07-06-2023 | 60 | | + company2 | 07-07-2023 | 1100 | | + company2 | 07-08-2023 | 1300 | | + company2 | 07-09-2023 | 1200 | | + company2 | 07-10-2023 | 1300 | | +(20 rows) + +-- using NEXT +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UPDOWN) + DEFINE + START AS TRUE, + UPDOWN AS price > PREV(price) AND price > NEXT(price) +); + company | tdate | price | first_value | last_value +----------+------------+-------+-------------+------------ + company1 | 07-01-2023 | 100 | 100 | 200 + company1 | 07-02-2023 | 200 | | + company1 | 07-03-2023 | 150 | | + company1 | 07-04-2023 | 140 | 140 | 150 + company1 | 07-05-2023 | 150 | | + company1 | 07-06-2023 | 90 | | + company1 | 07-07-2023 | 110 | 110 | 130 + company1 | 07-08-2023 | 130 | | + company1 | 07-09-2023 | 120 | | + company1 | 07-10-2023 | 130 | | + company2 | 07-01-2023 | 50 | 50 | 2000 + company2 | 07-02-2023 | 2000 | | + company2 | 07-03-2023 | 1500 | | + company2 | 07-04-2023 | 1400 | 1400 | 1500 + company2 | 07-05-2023 | 1500 | | + company2 | 07-06-2023 | 60 | | + company2 | 07-07-2023 | 1100 | 1100 | 1300 + company2 | 07-08-2023 | 1300 | | + company2 | 07-09-2023 | 1200 | | + company2 | 07-10-2023 | 1300 | | +(20 rows) + +-- using AFTER MATCH SKIP TO NEXT ROW +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + AFTER MATCH SKIP TO NEXT ROW + INITIAL + PATTERN (START UPDOWN) + DEFINE + START AS TRUE, + UPDOWN AS price > PREV(price) AND price > NEXT(price) +); + company | tdate | price | first_value | last_value +----------+------------+-------+-------------+------------ + company1 | 07-01-2023 | 100 | 100 | 200 + company1 | 07-02-2023 | 200 | | + company1 | 07-03-2023 | 150 | | + company1 | 07-04-2023 | 140 | 140 | 150 + company1 | 07-05-2023 | 150 | | + company1 | 07-06-2023 | 90 | | + company1 | 07-07-2023 | 110 | 110 | 130 + company1 | 07-08-2023 | 130 | | + company1 | 07-09-2023 | 120 | | + company1 | 07-10-2023 | 130 | | + company2 | 07-01-2023 | 50 | 50 | 2000 + company2 | 07-02-2023 | 2000 | | + company2 | 07-03-2023 | 1500 | | + company2 | 07-04-2023 | 1400 | 1400 | 1500 + company2 | 07-05-2023 | 1500 | | + company2 | 07-06-2023 | 60 | | + company2 | 07-07-2023 | 1100 | 1100 | 1300 + company2 | 07-08-2023 | 1300 | | + company2 | 07-09-2023 | 1200 | | + company2 | 07-10-2023 | 1300 | | +(20 rows) + +-- match everything +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + AFTER MATCH SKIP PAST LAST ROW + INITIAL + PATTERN (A+) + DEFINE + A AS TRUE +); + company | tdate | price | first_value | last_value +----------+------------+-------+-------------+------------ + company1 | 07-01-2023 | 100 | 100 | 130 + company1 | 07-02-2023 | 200 | | + company1 | 07-03-2023 | 150 | | + company1 | 07-04-2023 | 140 | | + company1 | 07-05-2023 | 150 | | + company1 | 07-06-2023 | 90 | | + company1 | 07-07-2023 | 110 | | + company1 | 07-08-2023 | 130 | | + company1 | 07-09-2023 | 120 | | + company1 | 07-10-2023 | 130 | | + company2 | 07-01-2023 | 50 | 50 | 1300 + company2 | 07-02-2023 | 2000 | | + company2 | 07-03-2023 | 1500 | | + company2 | 07-04-2023 | 1400 | | + company2 | 07-05-2023 | 1500 | | + company2 | 07-06-2023 | 60 | | + company2 | 07-07-2023 | 1100 | | + company2 | 07-08-2023 | 1300 | | + company2 | 07-09-2023 | 1200 | | + company2 | 07-10-2023 | 1300 | | +(20 rows) + +-- backtracking with reclassification of rows +-- using AFTER MATCH SKIP PAST LAST ROW +SELECT company, tdate, price, first_value(tdate) OVER w, last_value(tdate) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + AFTER MATCH SKIP PAST LAST ROW + INITIAL + PATTERN (A+ B+) + DEFINE + A AS price > 100, + B AS price > 100 +); + company | tdate | price | first_value | last_value +----------+------------+-------+-------------+------------ + company1 | 07-01-2023 | 100 | | + company1 | 07-02-2023 | 200 | 07-02-2023 | 07-05-2023 + company1 | 07-03-2023 | 150 | | + company1 | 07-04-2023 | 140 | | + company1 | 07-05-2023 | 150 | | + company1 | 07-06-2023 | 90 | | + company1 | 07-07-2023 | 110 | 07-07-2023 | 07-10-2023 + company1 | 07-08-2023 | 130 | | + company1 | 07-09-2023 | 120 | | + company1 | 07-10-2023 | 130 | | + company2 | 07-01-2023 | 50 | | + company2 | 07-02-2023 | 2000 | 07-02-2023 | 07-05-2023 + company2 | 07-03-2023 | 1500 | | + company2 | 07-04-2023 | 1400 | | + company2 | 07-05-2023 | 1500 | | + company2 | 07-06-2023 | 60 | | + company2 | 07-07-2023 | 1100 | 07-07-2023 | 07-10-2023 + company2 | 07-08-2023 | 1300 | | + company2 | 07-09-2023 | 1200 | | + company2 | 07-10-2023 | 1300 | | +(20 rows) + +-- backtracking with reclassification of rows +-- using AFTER MATCH SKIP TO NEXT ROW +SELECT company, tdate, price, first_value(tdate) OVER w, last_value(tdate) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + AFTER MATCH SKIP TO NEXT ROW + INITIAL + PATTERN (A+ B+) + DEFINE + A AS price > 100, + B AS price > 100 +); + company | tdate | price | first_value | last_value +----------+------------+-------+-------------+------------ + company1 | 07-01-2023 | 100 | | + company1 | 07-02-2023 | 200 | 07-02-2023 | 07-05-2023 + company1 | 07-03-2023 | 150 | 07-03-2023 | 07-05-2023 + company1 | 07-04-2023 | 140 | 07-04-2023 | 07-05-2023 + company1 | 07-05-2023 | 150 | | + company1 | 07-06-2023 | 90 | | + company1 | 07-07-2023 | 110 | 07-07-2023 | 07-10-2023 + company1 | 07-08-2023 | 130 | 07-08-2023 | 07-10-2023 + company1 | 07-09-2023 | 120 | 07-09-2023 | 07-10-2023 + company1 | 07-10-2023 | 130 | | + company2 | 07-01-2023 | 50 | | + company2 | 07-02-2023 | 2000 | 07-02-2023 | 07-05-2023 + company2 | 07-03-2023 | 1500 | 07-03-2023 | 07-05-2023 + company2 | 07-04-2023 | 1400 | 07-04-2023 | 07-05-2023 + company2 | 07-05-2023 | 1500 | | + company2 | 07-06-2023 | 60 | | + company2 | 07-07-2023 | 1100 | 07-07-2023 | 07-10-2023 + company2 | 07-08-2023 | 1300 | 07-08-2023 | 07-10-2023 + company2 | 07-09-2023 | 1200 | 07-09-2023 | 07-10-2023 + company2 | 07-10-2023 | 1300 | | +(20 rows) + +-- ROWS BETWEEN CURRENT ROW AND offset FOLLOWING +SELECT company, tdate, price, first_value(tdate) OVER w, last_value(tdate) OVER w, + count(*) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND 2 FOLLOWING + AFTER MATCH SKIP PAST LAST ROW + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + company | tdate | price | first_value | last_value | count +----------+------------+-------+-------------+------------+------- + company1 | 07-01-2023 | 100 | 07-01-2023 | 07-03-2023 | 3 + company1 | 07-02-2023 | 200 | | | + company1 | 07-03-2023 | 150 | | | + company1 | 07-04-2023 | 140 | 07-04-2023 | 07-06-2023 | 3 + company1 | 07-05-2023 | 150 | | | + company1 | 07-06-2023 | 90 | | | + company1 | 07-07-2023 | 110 | 07-07-2023 | 07-09-2023 | 3 + company1 | 07-08-2023 | 130 | | | + company1 | 07-09-2023 | 120 | | | + company1 | 07-10-2023 | 130 | | | 0 + company2 | 07-01-2023 | 50 | 07-01-2023 | 07-03-2023 | 3 + company2 | 07-02-2023 | 2000 | | | + company2 | 07-03-2023 | 1500 | | | + company2 | 07-04-2023 | 1400 | 07-04-2023 | 07-06-2023 | 3 + company2 | 07-05-2023 | 1500 | | | + company2 | 07-06-2023 | 60 | | | + company2 | 07-07-2023 | 1100 | 07-07-2023 | 07-09-2023 | 3 + company2 | 07-08-2023 | 1300 | | | + company2 | 07-09-2023 | 1200 | | | + company2 | 07-10-2023 | 1300 | | | 0 +(20 rows) + +-- +-- Aggregates +-- +-- using AFTER MATCH SKIP PAST LAST ROW +SELECT company, tdate, price, + first_value(price) OVER w, + last_value(price) OVER w, + max(price) OVER w, + min(price) OVER w, + sum(price) OVER w, + avg(price) OVER w, + count(price) OVER w +FROM stock +WINDOW w AS ( +PARTITION BY company +ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING +AFTER MATCH SKIP PAST LAST ROW +INITIAL +PATTERN (START UP+ DOWN+) +DEFINE +START AS TRUE, +UP AS price > PREV(price), +DOWN AS price < PREV(price) +); + company | tdate | price | first_value | last_value | max | min | sum | avg | count +----------+------------+-------+-------------+------------+------+-----+------+-----------------------+------- + company1 | 07-01-2023 | 100 | 100 | 140 | 200 | 100 | 590 | 147.5000000000000000 | 4 + company1 | 07-02-2023 | 200 | | | | | | | + company1 | 07-03-2023 | 150 | | | | | | | + company1 | 07-04-2023 | 140 | | | | | | | + company1 | 07-05-2023 | 150 | | | | | | | 0 + company1 | 07-06-2023 | 90 | 90 | 120 | 130 | 90 | 450 | 112.5000000000000000 | 4 + company1 | 07-07-2023 | 110 | | | | | | | + company1 | 07-08-2023 | 130 | | | | | | | + company1 | 07-09-2023 | 120 | | | | | | | + company1 | 07-10-2023 | 130 | | | | | | | 0 + company2 | 07-01-2023 | 50 | 50 | 1400 | 2000 | 50 | 4950 | 1237.5000000000000000 | 4 + company2 | 07-02-2023 | 2000 | | | | | | | + company2 | 07-03-2023 | 1500 | | | | | | | + company2 | 07-04-2023 | 1400 | | | | | | | + company2 | 07-05-2023 | 1500 | | | | | | | 0 + company2 | 07-06-2023 | 60 | 60 | 1200 | 1300 | 60 | 3660 | 915.0000000000000000 | 4 + company2 | 07-07-2023 | 1100 | | | | | | | + company2 | 07-08-2023 | 1300 | | | | | | | + company2 | 07-09-2023 | 1200 | | | | | | | + company2 | 07-10-2023 | 1300 | | | | | | | 0 +(20 rows) + +-- using AFTER MATCH SKIP TO NEXT ROW +SELECT company, tdate, price, + first_value(price) OVER w, + last_value(price) OVER w, + max(price) OVER w, + min(price) OVER w, + sum(price) OVER w, + avg(price) OVER w, + count(price) OVER w +FROM stock +WINDOW w AS ( +PARTITION BY company +ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING +AFTER MATCH SKIP TO NEXT ROW +INITIAL +PATTERN (START UP+ DOWN+) +DEFINE +START AS TRUE, +UP AS price > PREV(price), +DOWN AS price < PREV(price) +); + company | tdate | price | first_value | last_value | max | min | sum | avg | count +----------+------------+-------+-------------+------------+------+------+------+-----------------------+------- + company1 | 07-01-2023 | 100 | 100 | 140 | 200 | 100 | 590 | 147.5000000000000000 | 4 + company1 | 07-02-2023 | 200 | | | | | | | 0 + company1 | 07-03-2023 | 150 | | | | | | | 0 + company1 | 07-04-2023 | 140 | 140 | 90 | 150 | 90 | 380 | 126.6666666666666667 | 3 + company1 | 07-05-2023 | 150 | | | | | | | 0 + company1 | 07-06-2023 | 90 | 90 | 120 | 130 | 90 | 450 | 112.5000000000000000 | 4 + company1 | 07-07-2023 | 110 | 110 | 120 | 130 | 110 | 360 | 120.0000000000000000 | 3 + company1 | 07-08-2023 | 130 | | | | | | | 0 + company1 | 07-09-2023 | 120 | | | | | | | 0 + company1 | 07-10-2023 | 130 | | | | | | | 0 + company2 | 07-01-2023 | 50 | 50 | 1400 | 2000 | 50 | 4950 | 1237.5000000000000000 | 4 + company2 | 07-02-2023 | 2000 | | | | | | | 0 + company2 | 07-03-2023 | 1500 | | | | | | | 0 + company2 | 07-04-2023 | 1400 | 1400 | 60 | 1500 | 60 | 2960 | 986.6666666666666667 | 3 + company2 | 07-05-2023 | 1500 | | | | | | | 0 + company2 | 07-06-2023 | 60 | 60 | 1200 | 1300 | 60 | 3660 | 915.0000000000000000 | 4 + company2 | 07-07-2023 | 1100 | 1100 | 1200 | 1300 | 1100 | 3600 | 1200.0000000000000000 | 3 + company2 | 07-08-2023 | 1300 | | | | | | | 0 + company2 | 07-09-2023 | 1200 | | | | | | | 0 + company2 | 07-10-2023 | 1300 | | | | | | | 0 +(20 rows) + +-- JOIN case +CREATE TEMP TABLE t1 (i int, v1 int); +CREATE TEMP TABLE t2 (j int, v2 int); +INSERT INTO t1 VALUES(1,10); +INSERT INTO t1 VALUES(1,11); +INSERT INTO t1 VALUES(1,12); +INSERT INTO t2 VALUES(2,10); +INSERT INTO t2 VALUES(2,11); +INSERT INTO t2 VALUES(2,12); +SELECT * FROM t1, t2 WHERE t1.v1 <= 11 AND t2.v2 <= 11; + i | v1 | j | v2 +---+----+---+---- + 1 | 10 | 2 | 10 + 1 | 10 | 2 | 11 + 1 | 11 | 2 | 10 + 1 | 11 | 2 | 11 +(4 rows) + +SELECT *, count(*) OVER w FROM t1, t2 +WINDOW w AS ( + PARTITION BY t1.i + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (A) + DEFINE + A AS v1 <= 11 AND v2 <= 11 +); + i | v1 | j | v2 | count +---+----+---+----+------- + 1 | 10 | 2 | 10 | 1 + 1 | 10 | 2 | 11 | 1 + 1 | 10 | 2 | 12 | 0 + 1 | 11 | 2 | 10 | 1 + 1 | 11 | 2 | 11 | 1 + 1 | 11 | 2 | 12 | 0 + 1 | 12 | 2 | 10 | 0 + 1 | 12 | 2 | 11 | 0 + 1 | 12 | 2 | 12 | 0 +(9 rows) + +-- WITH case +WITH wstock AS ( + SELECT * FROM stock WHERE tdate < '2023-07-08' +) +SELECT tdate, price, +first_value(tdate) OVER w, +count(*) OVER w + FROM wstock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + tdate | price | first_value | count +------------+-------+-------------+------- + 07-01-2023 | 100 | 07-01-2023 | 4 + 07-02-2023 | 200 | | + 07-03-2023 | 150 | | + 07-04-2023 | 140 | | + 07-05-2023 | 150 | | 0 + 07-06-2023 | 90 | | 0 + 07-07-2023 | 110 | | 0 + 07-01-2023 | 50 | 07-01-2023 | 4 + 07-02-2023 | 2000 | | + 07-03-2023 | 1500 | | + 07-04-2023 | 1400 | | + 07-05-2023 | 1500 | | 0 + 07-06-2023 | 60 | | 0 + 07-07-2023 | 1100 | | 0 +(14 rows) + +-- +-- Error cases +-- +-- row pattern definition variable name must not appear more than once +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + ORDER BY tdate + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price), + UP AS price > PREV(price) +); +ERROR: syntax error at or near "ORDER" +LINE 6: ORDER BY tdate + ^ +-- pattern variable name must appear in DEFINE +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+ END) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); +ERROR: syntax error at or near "END" +LINE 8: PATTERN (START UP+ DOWN+ END) + ^ +-- FRAME must start at current row when row patttern recognition is used +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN UNBOUNDED PRECEDING AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); +ERROR: FRAME must start at current row when row patttern recognition is used +-- SEEK is not supported +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + AFTER MATCH SKIP TO NEXT ROW + SEEK + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); +ERROR: SEEK is not supported +LINE 8: SEEK + ^ +HINT: Use INITIAL. diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule index 675c567617..0ca2713c3d 100644 --- a/src/test/regress/parallel_schedule +++ b/src/test/regress/parallel_schedule @@ -98,7 +98,7 @@ test: publication subscription # Another group of parallel tests # select_views depends on create_view # ---------- -test: select_views portals_p2 foreign_key cluster dependency guc bitmapops combocid tsearch tsdicts foreign_data window xmlmap functional_deps advisory_lock indirect_toast equivclass +test: select_views portals_p2 foreign_key cluster dependency guc bitmapops combocid tsearch tsdicts foreign_data window xmlmap functional_deps advisory_lock indirect_toast equivclass rpr # ---------- # Another group of parallel tests (JSON related) diff --git a/src/test/regress/sql/rpr.sql b/src/test/regress/sql/rpr.sql new file mode 100644 index 0000000000..0a69cc0e11 --- /dev/null +++ b/src/test/regress/sql/rpr.sql @@ -0,0 +1,392 @@ +-- +-- Test for row pattern definition clause +-- + +CREATE TEMP TABLE stock ( + company TEXT, + tdate DATE, + price INTEGER +); +INSERT INTO stock VALUES ('company1', '2023-07-01', 100); +INSERT INTO stock VALUES ('company1', '2023-07-02', 200); +INSERT INTO stock VALUES ('company1', '2023-07-03', 150); +INSERT INTO stock VALUES ('company1', '2023-07-04', 140); +INSERT INTO stock VALUES ('company1', '2023-07-05', 150); +INSERT INTO stock VALUES ('company1', '2023-07-06', 90); +INSERT INTO stock VALUES ('company1', '2023-07-07', 110); +INSERT INTO stock VALUES ('company1', '2023-07-08', 130); +INSERT INTO stock VALUES ('company1', '2023-07-09', 120); +INSERT INTO stock VALUES ('company1', '2023-07-10', 130); +INSERT INTO stock VALUES ('company2', '2023-07-01', 50); +INSERT INTO stock VALUES ('company2', '2023-07-02', 2000); +INSERT INTO stock VALUES ('company2', '2023-07-03', 1500); +INSERT INTO stock VALUES ('company2', '2023-07-04', 1400); +INSERT INTO stock VALUES ('company2', '2023-07-05', 1500); +INSERT INTO stock VALUES ('company2', '2023-07-06', 60); +INSERT INTO stock VALUES ('company2', '2023-07-07', 1100); +INSERT INTO stock VALUES ('company2', '2023-07-08', 1300); +INSERT INTO stock VALUES ('company2', '2023-07-09', 1200); +INSERT INTO stock VALUES ('company2', '2023-07-10', 1300); + +SELECT * FROM stock; + +-- basic test using PREV +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w, + nth_value(tdate, 2) OVER w AS nth_second + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + +-- basic test using PREV. UP appears twice +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w, + nth_value(tdate, 2) OVER w AS nth_second + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+ UP+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + +-- basic test using PREV. Use '*' +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w, + nth_value(tdate, 2) OVER w AS nth_second + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP* DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + +-- basic test with none greedy pattern +SELECT company, tdate, price, count(*) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (A A A) + DEFINE + A AS price >= 140 AND price <= 150 +); + +-- last_value() should remain consistent +SELECT company, tdate, price, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + +-- omit "START" in DEFINE but it is ok because "START AS TRUE" is +-- implicitly defined. per spec. +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w, + nth_value(tdate, 2) OVER w AS nth_second + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + +-- the first row start with less than or equal to 100 +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (LOWPRICE UP+ DOWN+) + DEFINE + LOWPRICE AS price <= 100, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + +-- second row raises 120% +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (LOWPRICE UP+ DOWN+) + DEFINE + LOWPRICE AS price <= 100, + UP AS price > PREV(price) * 1.2, + DOWN AS price < PREV(price) +); + +-- using NEXT +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UPDOWN) + DEFINE + START AS TRUE, + UPDOWN AS price > PREV(price) AND price > NEXT(price) +); + +-- using AFTER MATCH SKIP TO NEXT ROW +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + AFTER MATCH SKIP TO NEXT ROW + INITIAL + PATTERN (START UPDOWN) + DEFINE + START AS TRUE, + UPDOWN AS price > PREV(price) AND price > NEXT(price) +); + +-- match everything + +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + AFTER MATCH SKIP PAST LAST ROW + INITIAL + PATTERN (A+) + DEFINE + A AS TRUE +); + +-- backtracking with reclassification of rows +-- using AFTER MATCH SKIP PAST LAST ROW +SELECT company, tdate, price, first_value(tdate) OVER w, last_value(tdate) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + AFTER MATCH SKIP PAST LAST ROW + INITIAL + PATTERN (A+ B+) + DEFINE + A AS price > 100, + B AS price > 100 +); + +-- backtracking with reclassification of rows +-- using AFTER MATCH SKIP TO NEXT ROW +SELECT company, tdate, price, first_value(tdate) OVER w, last_value(tdate) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + AFTER MATCH SKIP TO NEXT ROW + INITIAL + PATTERN (A+ B+) + DEFINE + A AS price > 100, + B AS price > 100 +); + +-- ROWS BETWEEN CURRENT ROW AND offset FOLLOWING +SELECT company, tdate, price, first_value(tdate) OVER w, last_value(tdate) OVER w, + count(*) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND 2 FOLLOWING + AFTER MATCH SKIP PAST LAST ROW + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + +-- +-- Aggregates +-- + +-- using AFTER MATCH SKIP PAST LAST ROW +SELECT company, tdate, price, + first_value(price) OVER w, + last_value(price) OVER w, + max(price) OVER w, + min(price) OVER w, + sum(price) OVER w, + avg(price) OVER w, + count(price) OVER w +FROM stock +WINDOW w AS ( +PARTITION BY company +ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING +AFTER MATCH SKIP PAST LAST ROW +INITIAL +PATTERN (START UP+ DOWN+) +DEFINE +START AS TRUE, +UP AS price > PREV(price), +DOWN AS price < PREV(price) +); + +-- using AFTER MATCH SKIP TO NEXT ROW +SELECT company, tdate, price, + first_value(price) OVER w, + last_value(price) OVER w, + max(price) OVER w, + min(price) OVER w, + sum(price) OVER w, + avg(price) OVER w, + count(price) OVER w +FROM stock +WINDOW w AS ( +PARTITION BY company +ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING +AFTER MATCH SKIP TO NEXT ROW +INITIAL +PATTERN (START UP+ DOWN+) +DEFINE +START AS TRUE, +UP AS price > PREV(price), +DOWN AS price < PREV(price) +); + +-- JOIN case +CREATE TEMP TABLE t1 (i int, v1 int); +CREATE TEMP TABLE t2 (j int, v2 int); +INSERT INTO t1 VALUES(1,10); +INSERT INTO t1 VALUES(1,11); +INSERT INTO t1 VALUES(1,12); +INSERT INTO t2 VALUES(2,10); +INSERT INTO t2 VALUES(2,11); +INSERT INTO t2 VALUES(2,12); + +SELECT * FROM t1, t2 WHERE t1.v1 <= 11 AND t2.v2 <= 11; + +SELECT *, count(*) OVER w FROM t1, t2 +WINDOW w AS ( + PARTITION BY t1.i + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (A) + DEFINE + A AS v1 <= 11 AND v2 <= 11 +); + +-- WITH case +WITH wstock AS ( + SELECT * FROM stock WHERE tdate < '2023-07-08' +) +SELECT tdate, price, +first_value(tdate) OVER w, +count(*) OVER w + FROM wstock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + +-- +-- Error cases +-- + +-- row pattern definition variable name must not appear more than once +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + ORDER BY tdate + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price), + UP AS price > PREV(price) +); + +-- pattern variable name must appear in DEFINE +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+ END) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + +-- FRAME must start at current row when row patttern recognition is used +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN UNBOUNDED PRECEDING AND UNBOUNDED FOLLOWING + INITIAL + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); + +-- SEEK is not supported +SELECT company, tdate, price, first_value(price) OVER w, last_value(price) OVER w + FROM stock + WINDOW w AS ( + PARTITION BY company + ORDER BY tdate + ROWS BETWEEN CURRENT ROW AND UNBOUNDED FOLLOWING + AFTER MATCH SKIP TO NEXT ROW + SEEK + PATTERN (START UP+ DOWN+) + DEFINE + START AS TRUE, + UP AS price > PREV(price), + DOWN AS price < PREV(price) +); -- 2.25.1 ----Next_Part(Fri_Apr_12_16_09_08_2024_262)-- Content-Type: Text/X-Patch; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="v16-0008-Allow-to-print-raw-parse-tree.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
end of thread, other threads:[~2024-04-12 06:49 UTC | newest] Thread overview: 87+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2024-04-12 06:49 [PATCH v16 7/8] Row pattern recognition patch (tests). Tatsuo Ishii <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox