agora inbox for [email protected]help / color / mirror / Atom feed
[PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings 87+ messages / 2 participants [nested] [flat]
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
* [PATCH v43 5/7] Fix crash caused by involuntary decoding of unrelated relations @ 2026-03-19 18:48 Álvaro Herrera <[email protected]> 0 siblings, 0 replies; 87+ messages in thread From: Álvaro Herrera @ 2026-03-19 18:48 UTC (permalink / raw) Author: Srinath Reddy Sadipiralla <[email protected]> --- src/backend/commands/cluster.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/src/backend/commands/cluster.c b/src/backend/commands/cluster.c index b0ecc769ee4..36950aea780 100644 --- a/src/backend/commands/cluster.c +++ b/src/backend/commands/cluster.c @@ -2666,6 +2666,21 @@ repack_setup_logical_decoding(Oid relid) */ Assert(!ctx->fast_forward); + /* Avoid logical decoding of other relations. */ + rel = table_open(relid, AccessShareLock); + repacked_rel_locator = rel->rd_locator; + toastrelid = rel->rd_rel->reltoastrelid; + if (OidIsValid(toastrelid)) + { + Relation toastrel; + + /* Avoid logical decoding of other TOAST relations. */ + toastrel = table_open(toastrelid, AccessShareLock); + repacked_rel_toast_locator = toastrel->rd_locator; + table_close(toastrel, AccessShareLock); + } + table_close(rel, AccessShareLock); + DecodingContextFindStartpoint(ctx); /* @@ -2702,21 +2717,6 @@ repack_setup_logical_decoding(Oid relid) "REPACK - change", ALLOCSET_DEFAULT_SIZES); - /* Avoid logical decoding of other relations. */ - rel = table_open(relid, AccessShareLock); - repacked_rel_locator = rel->rd_locator; - toastrelid = rel->rd_rel->reltoastrelid; - if (OidIsValid(toastrelid)) - { - Relation toastrel; - - /* Avoid logical decoding of other TOAST relations. */ - toastrel = table_open(toastrelid, AccessShareLock); - repacked_rel_toast_locator = toastrel->rd_locator; - table_close(toastrel, AccessShareLock); - } - table_close(rel, AccessShareLock); - /* The file will be set as soon as we have it opened. */ dstate->file = NULL; -- 2.47.3 --nzintiedl6o4kcyp Content-Type: text/x-diff; charset=utf-8 Content-Disposition: attachment; filename="v43-0006-Fix-a-few-problems-in-index-build-progress-repor.patch" ^ permalink raw reply [nested|flat] 87+ messages in thread
end of thread, other threads:[~2026-03-19 18:48 UTC | newest] Thread overview: 87+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2026-03-19 18:48 [PATCH v43 5/7] Fix crash caused by involuntary decoding of unrelated relations Álvaro Herrera <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox