agora inbox for [email protected]help / color / mirror / Atom feed
[PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings 87+ messages / 2 participants [nested] [flat]
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH v1 4/4] combine relopts correctly for VACUUM commands @ 2025-06-23 20:40 Nathan Bossart <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Nathan Bossart @ 2025-06-23 20:40 UTC (permalink / raw) --- src/backend/commands/vacuum.c | 30 +++++++++++++++++++---------- src/backend/postmaster/autovacuum.c | 2 +- src/include/commands/vacuum.h | 2 ++ 3 files changed, 23 insertions(+), 11 deletions(-) diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 0015b9ef4b0..a74c3a9e2a2 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -124,7 +124,7 @@ static void vac_truncate_clog(TransactionId frozenXID, TransactionId lastSaneFrozenXid, MultiXactId lastSaneMinMulti); static bool vacuum_rel(Oid relid, RangeVar *relation, VacuumParams *params, - BufferAccessStrategy bstrategy); + BufferAccessStrategy bstrategy, StdRdOptions *main_opts); static double compute_parallel_delay(void); static VacOptValue get_vacoptval_from_boolean(DefElem *def); static bool vac_tid_reaped(ItemPointer itemptr, void *state); @@ -634,7 +634,7 @@ vacuum(List *relations, VacuumParams *params, BufferAccessStrategy bstrategy, if (params->options & VACOPT_VACUUM) { - if (!vacuum_rel(vrel->oid, vrel->relation, params, bstrategy)) + if (!vacuum_rel(vrel->oid, vrel->relation, params, bstrategy, NULL)) continue; } @@ -1998,7 +1998,7 @@ vac_truncate_clog(TransactionId frozenXID, */ static bool vacuum_rel(Oid relid, RangeVar *relation, VacuumParams *params, - BufferAccessStrategy bstrategy) + BufferAccessStrategy bstrategy, StdRdOptions *main_opts) { LOCKMODE lmode; Relation rel; @@ -2008,6 +2008,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams *params, Oid save_userid; int save_sec_context; int save_nestlevel; + StdRdOptions saved_opts; + StdRdOptions combined_opts; Assert(params != NULL); @@ -2165,6 +2167,15 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams *params, lockrelid = rel->rd_lockInfo.lockRelId; LockRelationIdForSession(&lockrelid, lmode); + if (rel->rd_options) + { + memcpy(&saved_opts, rel->rd_options, sizeof(StdRdOptions)); + memcpy(&combined_opts, rel->rd_options, sizeof(StdRdOptions)); + + if (main_opts) + combine_relopts(&combined_opts, main_opts); + } + /* * Set index_cleanup option based on index_cleanup reloption if it wasn't * specified in VACUUM command, or when running in an autovacuum worker @@ -2176,8 +2187,7 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams *params, if (rel->rd_options == NULL) vacuum_index_cleanup = STDRD_OPTION_VACUUM_INDEX_CLEANUP_AUTO; else - vacuum_index_cleanup = - ((StdRdOptions *) rel->rd_options)->vacuum_index_cleanup; + vacuum_index_cleanup = combined_opts.vacuum_index_cleanup; if (vacuum_index_cleanup == STDRD_OPTION_VACUUM_INDEX_CLEANUP_AUTO) params->index_cleanup = VACOPTVALUE_AUTO; @@ -2197,9 +2207,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams *params, */ if (params->max_eager_freeze_failure_rate < 0 && rel->rd_options != NULL && - ((StdRdOptions *) rel->rd_options)->vacuum_max_eager_freeze_failure_rate >= 0) + combined_opts.vacuum_max_eager_freeze_failure_rate >= 0) params->max_eager_freeze_failure_rate = - ((StdRdOptions *) rel->rd_options)->vacuum_max_eager_freeze_failure_rate; + combined_opts.vacuum_max_eager_freeze_failure_rate; else params->max_eager_freeze_failure_rate = vacuum_max_eager_freeze_failure_rate; @@ -2211,9 +2221,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams *params, { StdRdOptions *opts = (StdRdOptions *) rel->rd_options; - if (opts && opts->vacuum_truncate_set) + if (opts && combined_opts.vacuum_truncate_set) { - if (opts->vacuum_truncate) + if (combined_opts.vacuum_truncate) params->truncate = VACOPTVALUE_ENABLED; else params->truncate = VACOPTVALUE_DISABLED; @@ -2314,7 +2324,7 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams *params, toast_vacuum_params.options |= VACOPT_PROCESS_MAIN; toast_vacuum_params.toast_parent = relid; - vacuum_rel(toast_relid, NULL, &toast_vacuum_params, bstrategy); + vacuum_rel(toast_relid, NULL, &toast_vacuum_params, bstrategy, &saved_opts); } /* diff --git a/src/backend/postmaster/autovacuum.c b/src/backend/postmaster/autovacuum.c index 0d1f4e38b58..ca399b6a92e 100644 --- a/src/backend/postmaster/autovacuum.c +++ b/src/backend/postmaster/autovacuum.c @@ -1873,7 +1873,7 @@ get_database_list(void) return dblist; } -static void +void combine_relopts(StdRdOptions *toast_opts, const StdRdOptions *main_opts) { AutoVacOpts *toast_avopts = &toast_opts->autovacuum; diff --git a/src/include/commands/vacuum.h b/src/include/commands/vacuum.h index bc37a80dc74..928f864581b 100644 --- a/src/include/commands/vacuum.h +++ b/src/include/commands/vacuum.h @@ -24,6 +24,7 @@ #include "parser/parse_node.h" #include "storage/buf.h" #include "storage/lock.h" +#include "utils/rel.h" #include "utils/relcache.h" /* @@ -377,6 +378,7 @@ extern IndexBulkDeleteResult *vac_cleanup_one_index(IndexVacuumInfo *ivinfo, /* In postmaster/autovacuum.c */ extern void AutoVacuumUpdateCostLimit(void); extern void VacuumUpdateCosts(void); +extern void combine_relopts(StdRdOptions *toast_opts, const StdRdOptions *main_opts); /* in commands/vacuumparallel.c */ extern ParallelVacuumState *parallel_vacuum_init(Relation rel, Relation *indrels, -- 2.39.5 (Apple Git-154) --QWBYbd5Ar5k8NvSv-- ^ permalink raw reply [nested|flat] 87+ messages in thread
end of thread, other threads:[~2025-06-23 20:40 UTC | newest] Thread overview: 87+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2025-06-23 20:40 [PATCH v1 4/4] combine relopts correctly for VACUUM commands Nathan Bossart <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox