agora inbox for [email protected]help / color / mirror / Atom feed
[PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings 88+ messages / 2 participants [nested] [flat]
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config --- src/backend/libpq/be-secure-openssl.c | 25 ++++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 12 +++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..86ede00 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,15 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +858,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +946,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aaf27c5 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,17 +843,22 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if SSLEAY_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -906,7 +912,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------030278BCE28368DA431175D2 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v3.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL - Use OPENSSL_init_ssl instead of deprecated OPENSSL_config - Use ASN1_STRING_get0_data instead of ASN1_STRING_data squash! Remove OpenSSL 1.1 deprecation warnings --- src/backend/libpq/be-secure-openssl.c | 21 ++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++++++++++-------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 565e845..afe4694 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -164,9 +164,13 @@ be_tls_init(void) if (!SSL_context) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -850,6 +854,21 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -919,7 +938,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 12cab74..388215f 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -506,6 +506,9 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif /* * Check if a name from a server's certificate matches the peer's hostname. @@ -520,10 +523,10 @@ static int verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name) { - int len; - char *name; - unsigned char *namedata; - int result; + int len; + char *name; + const unsigned char *namedata; + int result; *store_name = NULL; @@ -541,7 +544,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_get0_data(name_entry); len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -729,7 +732,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -761,7 +764,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -800,6 +803,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -840,15 +844,20 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); +#endif } /* @@ -902,7 +911,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.9.3 --------------9CBFCED4AE08A89AD874AB68 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v4.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v4.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 15 +++++++-------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 56bc279..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,16 +731,11 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ -/* OpenSSL 1.1 no longer defines CRYPTO_LOCK */ -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - static unsigned long pq_threadidcallback(void) { @@ -768,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -807,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -847,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -859,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -911,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------DE698287B513FDFBBD5199C2 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers --------------DE698287B513FDFBBD5199C2-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings @ 2016-06-28 05:51 Andreas Karlsson <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Andreas Karlsson @ 2016-06-28 05:51 UTC (permalink / raw) - Fix deprecation warning about DH_generate_parameters - Fix warnigns resulting from the automatic initialization - Fix warnigns resulting from the new thread support in OpenSSL --- src/backend/libpq/be-secure-openssl.c | 23 ++++++++++++++++++++++- src/interfaces/libpq/fe-secure-openssl.c | 10 +++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 2fa2793..926dbf2 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -166,11 +166,13 @@ be_tls_init(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L #if SSLEAY_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -854,6 +856,25 @@ load_dh_buffer(const char *buffer, size_t len) return dh; } +static DH * +generate_dh_params(int prime_len, int generator) +{ +#if SSLEAY_VERSION_NUMBER >= 0x00908000L + DH *dh; + + if ((dh = DH_new()) == NULL) + return NULL; + + if (DH_generate_parameters_ex(dh, prime_len, generator, NULL)) + return dh; + + DH_free(dh); + return NULL; +#else + return DH_generate_parameters(prime_len, generator, NULL, NULL); +#endif +} + /* * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the @@ -923,7 +944,7 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength))); - r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); + r = generate_dh_params(keylength, DH_GENERATOR_2); } return r; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 520dcd7..aa80284 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -731,7 +731,7 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* * Callback functions for OpenSSL internal locking */ @@ -763,7 +763,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY */ +#endif /* ENABLE_THREAD_SAFETY && && SSLEAY_VERSION_NUMBER < 0x10100000L */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -802,6 +802,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_crypto_lib) { /* @@ -842,10 +843,12 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } +#endif #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER < 0x10100000L if (pq_init_ssl_lib) { #if SSLEAY_VERSION_NUMBER >= 0x00907000L @@ -854,6 +857,7 @@ pgtls_init(PGconn *conn) SSL_library_init(); SSL_load_error_strings(); } +#endif /* * We use SSLv23_method() because it can negotiate use of the highest @@ -906,7 +910,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#ifdef ENABLE_THREAD_SAFETY +#if defined(ENABLE_THREAD_SAFETY) && SSLEAY_VERSION_NUMBER < 0x10100000L /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; -- 2.8.1 --------------4DB1F28AF6A9296C8B774BA1 Content-Type: text/x-patch; name="0003-Remove-px_get_pseudo_random_bytes-v2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Remove-px_get_pseudo_random_bytes-v2.patch" ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH] Introduce an option to make logical replication database specific. @ 2026-04-03 10:34 Antonin Houska <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Antonin Houska @ 2026-04-03 10:34 UTC (permalink / raw) By default, the logical decoding assumes access to shared catalogs, so the snapshot builder needs to consider cluster-wide XIDs during startup. That in turn means that, if any transaction is already running (and has XID assigned), the snapshot builder needs to wait for its completion, as it does not know if that transaction performed catalog changes earlier. Possible problem with this concept is that if REPACK (CONCURRENTLY) is running in some database, backends running the same command in other databases get stuck until the first one has committed. Thus only as single backend in the cluster can run REPACK (CONCURRENTLY) at any time. Likewise, REPACK (CONCURRENTLY) can block walsenders starting on behalf of subscriptions throughout the cluster. This patch introduces the possibility for a backend to declare that its output plugin does not use shared catalogs (i.e. catalogs that can be changed by transactions running in other databases in the cluster). In that case, no snapshot the backend will use during the decoding needs to contain information about transactions running in other databases. Thus the snapshot builder only needs to wait for completion of transactions in the current database. Currently we only use this option in the REPACK background worker. It could possibly be used in walsender involved in logical replication too, however that would need thorough analysis of its output plugin. The patch bumps WAL version number, due to a new field in xl_running_xacts. --- contrib/pg_visibility/pg_visibility.c | 4 ++-- src/backend/access/index/genam.c | 18 ++++++++++++++++ src/backend/access/rmgrdesc/standbydesc.c | 2 ++ src/backend/access/transam/xlog.c | 2 +- src/backend/access/transam/xlogfuncs.c | 2 +- src/backend/commands/repack_worker.c | 8 +++++++ src/backend/postmaster/bgwriter.c | 2 +- src/backend/replication/logical/snapbuild.c | 10 ++++++++- src/backend/replication/slot.c | 12 +++++++++-- src/backend/storage/ipc/procarray.c | 23 ++++++++++++++++++++- src/backend/storage/ipc/standby.c | 14 +++++++++++-- src/include/access/genam.h | 8 +++++++ src/include/access/xlog_internal.h | 2 +- src/include/storage/procarray.h | 2 +- src/include/storage/standby.h | 3 ++- src/include/storage/standbydefs.h | 1 + 16 files changed, 99 insertions(+), 14 deletions(-) diff --git a/contrib/pg_visibility/pg_visibility.c b/contrib/pg_visibility/pg_visibility.c index dfab0b64cf5..d564bd2a00c 100644 --- a/contrib/pg_visibility/pg_visibility.c +++ b/contrib/pg_visibility/pg_visibility.c @@ -621,7 +621,7 @@ GetStrictOldestNonRemovableTransactionId(Relation rel) else if (rel == NULL || rel->rd_rel->relisshared) { /* Shared relation: take into account all running xids */ - runningTransactions = GetRunningTransactionData(); + runningTransactions = GetRunningTransactionData(InvalidOid); LWLockRelease(ProcArrayLock); LWLockRelease(XidGenLock); return runningTransactions->oldestRunningXid; @@ -632,7 +632,7 @@ GetStrictOldestNonRemovableTransactionId(Relation rel) * Normal relation: take into account xids running within the current * database */ - runningTransactions = GetRunningTransactionData(); + runningTransactions = GetRunningTransactionData(InvalidOid); LWLockRelease(ProcArrayLock); LWLockRelease(XidGenLock); return runningTransactions->oldestDatabaseRunningXid; diff --git a/src/backend/access/index/genam.c b/src/backend/access/index/genam.c index 1408989c568..97ea882cf71 100644 --- a/src/backend/access/index/genam.c +++ b/src/backend/access/index/genam.c @@ -37,6 +37,14 @@ #include "utils/ruleutils.h" #include "utils/snapmgr.h" +/* + * If a backend is going to do logical decoding and if the output plugin does + * not need to access shared catalogs, setting this variable to false can make + * the decoding startup faster. In particular, the backend will not need to + * wait for completion of already running transactions in other databases. + */ +bool accessSharedCatalogsInDecoding = true; + /* ---------------------------------------------------------------- * general access method routines @@ -394,6 +402,16 @@ systable_beginscan(Relation heapRelation, SysScanDesc sysscan; Relation irel; + /* + * If this backend promised that it won't access shared catalogs during + * logical decoding, this seems to be the right place to check. + * + * XXX Should this be ereport(ERROR) ? + */ + Assert(!HistoricSnapshotActive() || + accessSharedCatalogsInDecoding || + !heapRelation->rd_rel->relisshared); + if (indexOK && !IgnoreSystemIndexes && !ReindexIsProcessingIndex(indexId)) diff --git a/src/backend/access/rmgrdesc/standbydesc.c b/src/backend/access/rmgrdesc/standbydesc.c index 0a291354ae2..685d1bdb024 100644 --- a/src/backend/access/rmgrdesc/standbydesc.c +++ b/src/backend/access/rmgrdesc/standbydesc.c @@ -41,6 +41,8 @@ standby_desc_running_xacts(StringInfo buf, xl_running_xacts *xlrec) for (i = 0; i < xlrec->subxcnt; i++) appendStringInfo(buf, " %u", xlrec->xids[xlrec->xcnt + i]); } + + appendStringInfo(buf, "; dbid: %u", xlrec->dbid); } void diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c index 2c1c6f88b74..8da8eff93e4 100644 --- a/src/backend/access/transam/xlog.c +++ b/src/backend/access/transam/xlog.c @@ -7336,7 +7336,7 @@ CreateCheckPoint(int flags) * recovery we don't need to write running xact data. */ if (!shutdown && XLogStandbyInfoActive()) - LogStandbySnapshot(); + LogStandbySnapshot(InvalidOid); START_CRIT_SECTION(); diff --git a/src/backend/access/transam/xlogfuncs.c b/src/backend/access/transam/xlogfuncs.c index 65bbaeda59c..0f5979691e6 100644 --- a/src/backend/access/transam/xlogfuncs.c +++ b/src/backend/access/transam/xlogfuncs.c @@ -245,7 +245,7 @@ pg_log_standby_snapshot(PG_FUNCTION_ARGS) (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), errmsg("pg_log_standby_snapshot() can only be used if \"wal_level\" >= \"replica\""))); - recptr = LogStandbySnapshot(); + recptr = LogStandbySnapshot(InvalidOid); /* * As a convenience, return the WAL location of the last inserted record diff --git a/src/backend/commands/repack_worker.c b/src/backend/commands/repack_worker.c index 00b21ede481..c25dbeadff3 100644 --- a/src/backend/commands/repack_worker.c +++ b/src/backend/commands/repack_worker.c @@ -16,6 +16,7 @@ */ #include "postgres.h" +#include "access/genam.h" #include "access/table.h" #include "access/xlog_internal.h" #include "access/xlogutils.h" @@ -233,6 +234,13 @@ repack_setup_logical_decoding(Oid relid) EnsureLogicalDecodingEnabled(); + /* + * By declaring that our output plugin does not need shared catalogs, we + * avoid waiting for completion of transactions running in other databases + * than the one we're connected to. + */ + accessSharedCatalogsInDecoding = false; + /* * Neither prepare_write nor do_write callback nor update_progress is * useful for us. diff --git a/src/backend/postmaster/bgwriter.c b/src/backend/postmaster/bgwriter.c index 1d8947774a9..a30de4262eb 100644 --- a/src/backend/postmaster/bgwriter.c +++ b/src/backend/postmaster/bgwriter.c @@ -289,7 +289,7 @@ BackgroundWriterMain(const void *startup_data, size_t startup_data_len) if (now >= timeout && last_snapshot_lsn <= GetLastImportantRecPtr()) { - last_snapshot_lsn = LogStandbySnapshot(); + last_snapshot_lsn = LogStandbySnapshot(InvalidOid); last_snapshot_ts = now; } } diff --git a/src/backend/replication/logical/snapbuild.c b/src/backend/replication/logical/snapbuild.c index 0f6b5df322c..16009fa75a4 100644 --- a/src/backend/replication/logical/snapbuild.c +++ b/src/backend/replication/logical/snapbuild.c @@ -125,6 +125,7 @@ #include <sys/stat.h> #include <unistd.h> +#include "access/genam.h" #include "access/heapam_xlog.h" #include "access/transam.h" #include "access/xact.h" @@ -1470,7 +1471,14 @@ SnapBuildWaitSnapshot(xl_running_xacts *running, TransactionId cutoff) */ if (!RecoveryInProgress()) { - LogStandbySnapshot(); + Oid dbid; + + /* + * Only consider transactions of the current database if our plugin is + * not supposed to access shared catalogs. + */ + dbid = accessSharedCatalogsInDecoding ? InvalidOid : MyDatabaseId; + LogStandbySnapshot(dbid); } } diff --git a/src/backend/replication/slot.c b/src/backend/replication/slot.c index fe6bfeba25e..0d415f5f8f2 100644 --- a/src/backend/replication/slot.c +++ b/src/backend/replication/slot.c @@ -39,6 +39,7 @@ #include <unistd.h> #include <sys/stat.h> +#include "access/genam.h" #include "access/transam.h" #include "access/xlog_internal.h" #include "access/xlogrecovery.h" @@ -1776,9 +1777,16 @@ ReplicationSlotReserveWal(void) if (!RecoveryInProgress() && SlotIsLogical(slot)) { XLogRecPtr flushptr; + Oid dbid; - /* make sure we have enough information to start */ - flushptr = LogStandbySnapshot(); + /* + * Make sure we have enough information to start. + * + * Only consider transactions of the current database if our plugin + * is not supposed to access shared catalogs. + */ + dbid = accessSharedCatalogsInDecoding ? InvalidOid : MyDatabaseId; + flushptr = LogStandbySnapshot(dbid); /* and make sure it's fsynced to disk */ XLogFlush(flushptr); diff --git a/src/backend/storage/ipc/procarray.c b/src/backend/storage/ipc/procarray.c index cc207cb56e3..49d1bf4bfac 100644 --- a/src/backend/storage/ipc/procarray.c +++ b/src/backend/storage/ipc/procarray.c @@ -2631,9 +2631,11 @@ ProcArrayInstallRestoredXmin(TransactionId xmin, PGPROC *proc) * * Note that if any transaction has overflowed its cached subtransactions * then there is no real need include any subtransactions. + * + * If 'dbid' is valid, only gather transactions running in that database. */ RunningTransactions -GetRunningTransactionData(void) +GetRunningTransactionData(Oid dbid) { /* result workspace */ static RunningTransactionsData CurrentRunningXactsData; @@ -2708,6 +2710,18 @@ GetRunningTransactionData(void) if (!TransactionIdIsValid(xid)) continue; + /* + * Filter by database OID if requested. + */ + if (OidIsValid(dbid)) + { + int pgprocno = arrayP->pgprocnos[index]; + PGPROC *proc = &allProcs[pgprocno]; + + if (proc->databaseId != dbid) + continue; + } + /* * Be careful not to exclude any xids before calculating the values of * oldestRunningXid and suboverflowed, since these are used to clean @@ -2758,6 +2772,12 @@ GetRunningTransactionData(void) PGPROC *proc = &allProcs[pgprocno]; int nsubxids; + /* + * Filter by database OID if requested. + */ + if (OidIsValid(dbid) && proc->databaseId != dbid) + continue; + /* * Save subtransaction XIDs. Other backends can't add or remove * entries while we're holding XidGenLock. @@ -2791,6 +2811,7 @@ GetRunningTransactionData(void) * increases if slots do. */ + CurrentRunningXacts->dbid = dbid; CurrentRunningXacts->xcnt = count - subcount; CurrentRunningXacts->subxcnt = subcount; CurrentRunningXacts->subxid_status = suboverflowed ? SUBXIDS_IN_SUBTRANS : SUBXIDS_IN_ARRAY; diff --git a/src/backend/storage/ipc/standby.c b/src/backend/storage/ipc/standby.c index de9092fdf5b..c653ea742bc 100644 --- a/src/backend/storage/ipc/standby.c +++ b/src/backend/storage/ipc/standby.c @@ -1188,6 +1188,14 @@ standby_redo(XLogReaderState *record) xl_running_xacts *xlrec = (xl_running_xacts *) XLogRecGetData(record); RunningTransactionsData running; + /* + * Records issued for specific database are not suitable for physical + * replication because that affects the whole cluster. In particular, + * the list of XID is probably incomplete here. + */ + if (OidIsValid(xlrec->dbid)) + return; + running.xcnt = xlrec->xcnt; running.subxcnt = xlrec->subxcnt; running.subxid_status = xlrec->subxid_overflow ? SUBXIDS_MISSING : SUBXIDS_IN_ARRAY; @@ -1277,11 +1285,12 @@ standby_redo(XLogReaderState *record) * as there's no independent knob to just enable logical decoding. For * details of how this is used, check snapbuild.c's introductory comment. * + * If 'dbid' is valid, only gather transactions running in that database. * * Returns the RecPtr of the last inserted record. */ XLogRecPtr -LogStandbySnapshot(void) +LogStandbySnapshot(Oid dbid) { XLogRecPtr recptr; RunningTransactions running; @@ -1314,7 +1323,7 @@ LogStandbySnapshot(void) * Log details of all in-progress transactions. This should be the last * record we write, because standby will open up when it sees this. */ - running = GetRunningTransactionData(); + running = GetRunningTransactionData(dbid); /* * GetRunningTransactionData() acquired ProcArrayLock, we must release it. @@ -1358,6 +1367,7 @@ LogCurrentRunningXacts(RunningTransactions CurrRunningXacts) xl_running_xacts xlrec; XLogRecPtr recptr; + xlrec.dbid = CurrRunningXacts->dbid; xlrec.xcnt = CurrRunningXacts->xcnt; xlrec.subxcnt = CurrRunningXacts->subxcnt; xlrec.subxid_overflow = (CurrRunningXacts->subxid_status != SUBXIDS_IN_ARRAY); diff --git a/src/include/access/genam.h b/src/include/access/genam.h index b69320a7fc8..56c573399ab 100644 --- a/src/include/access/genam.h +++ b/src/include/access/genam.h @@ -136,6 +136,14 @@ typedef struct IndexOrderByDistance bool isnull; } IndexOrderByDistance; +/* + * Is the backend interested in shared catalogs when performing logical + * decoding? + * + * XXX Is there a better place for this declaration? + */ +extern bool accessSharedCatalogsInDecoding; + /* * generalized index_ interface routines (in indexam.c) */ diff --git a/src/include/access/xlog_internal.h b/src/include/access/xlog_internal.h index 755835d63bf..ae19982d88d 100644 --- a/src/include/access/xlog_internal.h +++ b/src/include/access/xlog_internal.h @@ -31,7 +31,7 @@ /* * Each page of XLOG file has a header like this: */ -#define XLOG_PAGE_MAGIC 0xD11E /* can be used as WAL version indicator */ +#define XLOG_PAGE_MAGIC 0xD11F /* can be used as WAL version indicator */ typedef struct XLogPageHeaderData { diff --git a/src/include/storage/procarray.h b/src/include/storage/procarray.h index abdf021e66e..377b3060b9f 100644 --- a/src/include/storage/procarray.h +++ b/src/include/storage/procarray.h @@ -49,7 +49,7 @@ extern bool ProcArrayInstallImportedXmin(TransactionId xmin, VirtualTransactionId *sourcevxid); extern bool ProcArrayInstallRestoredXmin(TransactionId xmin, PGPROC *proc); -extern RunningTransactions GetRunningTransactionData(void); +extern RunningTransactions GetRunningTransactionData(Oid dbid); extern bool TransactionIdIsInProgress(TransactionId xid); extern TransactionId GetOldestNonRemovableTransactionId(Relation rel); diff --git a/src/include/storage/standby.h b/src/include/storage/standby.h index 6a314c693cd..8715c08e94f 100644 --- a/src/include/storage/standby.h +++ b/src/include/storage/standby.h @@ -126,6 +126,7 @@ typedef enum typedef struct RunningTransactionsData { + Oid dbid; /* only track xacts in this database */ int xcnt; /* # of xact ids in xids[] */ int subxcnt; /* # of subxact ids in xids[] */ subxids_array_status subxid_status; @@ -143,7 +144,7 @@ typedef RunningTransactionsData *RunningTransactions; extern void LogAccessExclusiveLock(Oid dbOid, Oid relOid); extern void LogAccessExclusiveLockPrepare(void); -extern XLogRecPtr LogStandbySnapshot(void); +extern XLogRecPtr LogStandbySnapshot(Oid dbid); extern void LogStandbyInvalidations(int nmsgs, SharedInvalidationMessage *msgs, bool relcacheInitFileInval); diff --git a/src/include/storage/standbydefs.h b/src/include/storage/standbydefs.h index 231d251fd51..e75b7078766 100644 --- a/src/include/storage/standbydefs.h +++ b/src/include/storage/standbydefs.h @@ -46,6 +46,7 @@ typedef struct xl_standby_locks */ typedef struct xl_running_xacts { + Oid dbid; /* only track xacts in this database */ int xcnt; /* # of xact ids in xids[] */ int subxcnt; /* # of subxact ids in xids[] */ bool subxid_overflow; /* snapshot overflowed, subxids missing */ -- 2.47.3 --=-=-=-- ^ permalink raw reply [nested|flat] 88+ messages in thread
* [PATCH 1/2] Minor cleanup in initialize_change_context(). @ 2026-07-01 12:58 Antonin Houska <[email protected]> 0 siblings, 0 replies; 88+ messages in thread From: Antonin Houska @ 2026-07-01 12:58 UTC (permalink / raw) First, use makeNode() to create an instance of ResultRelInfo, like we do elsewhere in the tree. Second, pass NULL for the 'partition_root_rri' argument of InitResultRelInfo instead of 0. --- src/backend/commands/repack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 4d177c868bb..c9b0c047477 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -3010,8 +3010,8 @@ initialize_change_context(ChangeContext *chgcxt, /* Only initialize fields needed by ExecInsertIndexTuples(). */ chgcxt->cc_estate = CreateExecutorState(); - chgcxt->cc_rri = (ResultRelInfo *) palloc(sizeof(ResultRelInfo)); - InitResultRelInfo(chgcxt->cc_rri, relation, 0, 0, 0); + chgcxt->cc_rri = makeNode(ResultRelInfo); + InitResultRelInfo(chgcxt->cc_rri, relation, 0, NULL, 0); ExecOpenIndices(chgcxt->cc_rri, false); /* -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=0002-Provide-the-executor-with-information-on-updated-col.patch ^ permalink raw reply [nested|flat] 88+ messages in thread
end of thread, other threads:[~2026-07-01 12:58 UTC | newest] Thread overview: 88+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 3/3] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2016-06-28 05:51 [PATCH 2/4] Remove OpenSSL 1.1 deprecation warnings Andreas Karlsson <[email protected]> 2026-04-03 10:34 [PATCH] Introduce an option to make logical replication database specific. Antonin Houska <[email protected]> 2026-07-01 12:58 [PATCH 1/2] Minor cleanup in initialize_change_context(). Antonin Houska <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox