pgsql: Support OpenSSL 1.1.0.
Support OpenSSL 1.1.0.
Changes needed to build at all:
- Check for SSL_new in configure, now that SSL_library_init is a macro.
- Do not access struct members directly. This includes some new code in
pgcrypto, to use the resource owner mechanism to ensure that we don't
leak OpenSSL handles, now that we can't embed them in other structs
anymore.
- RAND_SSLeay() -> RAND_OpenSSL()
Changes that were needed to silence deprecation warnings, but were not
strictly necessary:
- RAND_pseudo_bytes() -> RAND_bytes().
- SSL_library_init() and OpenSSL_config() -> OPENSSL_init_ssl()
- ASN1_STRING_data() -> ASN1_STRING_get0_data()
- DH_generate_parameters() -> DH_generate_parameters()
- Locking callbacks are not needed with OpenSSL 1.1.0 anymore. (Good
riddance!)
Also change references to SSLEAY_VERSION_NUMBER with OPENSSL_VERSION_NUMBER,
for the sake of consistency. OPENSSL_VERSION_NUMBER has existed since time
immemorial.
Fix SSL test suite to work with OpenSSL 1.1.0. CA certificates must have
the "CA:true" basic constraint extension now, or OpenSSL will refuse them.
Regenerate the test certificates with that. The "openssl" binary, used to
generate the certificates, is also now more picky, and throws an error
if an X509 extension is specified in "req_extensions", but that section
is empty.
Backpatch to all supported branches, per popular demand. In back-branches,
we still support OpenSSL 0.9.7 and above. OpenSSL 0.9.6 should still work
too, but I didn't test it. In master, we only support 0.9.8 and above.
Patch by Andreas Karlsson, with additional changes by me.
Discussion: <20160627151604.GD1051@msg.df7cb.de>
Branch
------
master
Details
-------
http://git.postgresql.org/pg/commitdiff/593d4e47db7af1a3a5dd6b6b1971f181b5566dbd
Modified Files
--------------
configure | 44 ++++-----
configure.in | 4 +-
contrib/pgcrypto/internal.c | 9 --
contrib/pgcrypto/openssl.c | 130 +++++++++++++++++++------
contrib/pgcrypto/pgcrypto.c | 2 +-
contrib/pgcrypto/pgp-s2k.c | 6 +-
contrib/pgcrypto/px-crypt.c | 2 +-
contrib/pgcrypto/px.h | 1 -
contrib/sslinfo/sslinfo.c | 14 +--
src/backend/libpq/be-secure-openssl.c | 93 +++++++++++++++---
src/interfaces/libpq/fe-secure-openssl.c | 94 ++++++++++++++----
src/test/ssl/Makefile | 5 +-
src/test/ssl/cas.config | 7 +-
src/test/ssl/root_ca.config | 4 +
src/test/ssl/server-cn-only.config | 1 -
src/test/ssl/server-no-names.config | 1 -
src/test/ssl/server-revoked.config | 1 -
src/test/ssl/ssl/both-cas-1.crt | 67 ++++++-------
src/test/ssl/ssl/both-cas-2.crt | 67 ++++++-------
src/test/ssl/ssl/client-revoked.crt | 16 +--
src/test/ssl/ssl/client-revoked.key | 26 ++---
src/test/ssl/ssl/client.crl | 12 +--
src/test/ssl/ssl/client.crt | 16 +--
src/test/ssl/ssl/client.key | 26 ++---
src/test/ssl/ssl/client_ca.crt | 22 ++---
src/test/ssl/ssl/client_ca.key | 26 ++---
src/test/ssl/ssl/root+client.crl | 22 ++---
src/test/ssl/ssl/root+client_ca.crt | 45 ++++-----
src/test/ssl/ssl/root+server.crl | 22 ++---
src/test/ssl/ssl/root+server_ca.crt | 45 ++++-----
src/test/ssl/ssl/root.crl | 10 +-
src/test/ssl/ssl/root_ca.crt | 23 ++---
src/test/ssl/ssl/root_ca.key | 26 ++---
src/test/ssl/ssl/server-cn-and-alt-names.crt | 18 ++--
src/test/ssl/ssl/server-cn-and-alt-names.key | 26 ++---
src/test/ssl/ssl/server-cn-only.crt | 16 +--
src/test/ssl/ssl/server-cn-only.key | 26 ++---
src/test/ssl/ssl/server-multiple-alt-names.crt | 16 +--
src/test/ssl/ssl/server-multiple-alt-names.key | 26 ++---
src/test/ssl/ssl/server-no-names.crt | 14 +--
src/test/ssl/ssl/server-no-names.key | 26 ++---
src/test/ssl/ssl/server-revoked.crt | 16 +--
src/test/ssl/ssl/server-revoked.key | 26 ++---
src/test/ssl/ssl/server-single-alt-name.crt | 14 +--
src/test/ssl/ssl/server-single-alt-name.key | 26 ++---
src/test/ssl/ssl/server-ss.crt | 16 +--
src/test/ssl/ssl/server-ss.key | 26 ++---
src/test/ssl/ssl/server.crl | 12 +--
src/test/ssl/ssl/server_ca.crt | 22 ++---
src/test/ssl/ssl/server_ca.key | 26 ++---
50 files changed, 707 insertions(+), 534 deletions(-)
--
Sent via pgsql-committers mailing list (pgsql-committers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-committers
Heikki Linnakangas <heikki.linnakangas@iki.fi> writes:
Support OpenSSL 1.1.0.
Buildfarm member curculio doesn't like this patch. I suspect the reason
is it's got some slightly-too-old version of OpenSSL, but if so, we ought
to try to fix configure's probe so the problem gets reported at configure
time, not somewhere down in the build.
Mikael, what openssl version is on that box exactly? (And could you
fix it to start building the 9.6 branch?)
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
On 09/15/2016 07:41 PM, Tom Lane wrote:
Heikki Linnakangas <heikki.linnakangas@iki.fi> writes:
Support OpenSSL 1.1.0.
Buildfarm member curculio doesn't like this patch. I suspect the reason
is it's got some slightly-too-old version of OpenSSL, but if so, we ought
to try to fix configure's probe so the problem gets reported at configure
time, not somewhere down in the build.Mikael, what openssl version is on that box exactly? (And could you
fix it to start building the 9.6 branch?)
Hmm, that's odd:
be-secure-openssl.c: In function 'my_BIO_s_socket':
be-secure-openssl.c:732: warning: implicit declaration of function 'BIO_get_new_index'
be-secure-openssl.c:735: warning: implicit declaration of function 'BIO_meth_new'
be-secure-openssl.c:735: warning: assignment makes pointer from integer without a cast
...
It looks it's taking the OpenSSL 1.1.0 codepath:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
int my_bio_index;my_bio_index = BIO_get_new_index();
if (my_bio_index == -1)
return NULL;
...
Wild guess: curculio is building with LibreSSL, which claims to be
OpenSSL >= 1.1.0, but it doesn't actually implement all the functions
that OpenSSL 1.1.0 does.
Looks like we need some more autoconf scripting to detect LibreSSL. Or
switch to detecting the existence of individual functions, rather than
checking the version number. That would be more autoconf-like anyway.
- Heikki
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
On 09/15/2016 07:51 PM, Heikki Linnakangas wrote:
Wild guess: curculio is building with LibreSSL, which claims to be
OpenSSL >= 1.1.0, but it doesn't actually implement all the functions
that OpenSSL 1.1.0 does.Looks like we need some more autoconf scripting to detect LibreSSL. Or
switch to detecting the existence of individual functions, rather than
checking the version number. That would be more autoconf-like anyway.
I downloaded LibreSSL and I'm getting similar errors on my laptop. So
yes, that seems to be the problem. LibreSSL defines:
/* These will change with each release of LibreSSL-portable */
#define LIBRESSL_VERSION_NUMBER 0x2040200fL
#define LIBRESSL_VERSION_TEXT "LibreSSL 2.4.2"/* These will never change */
#define OPENSSL_VERSION_NUMBER 0x20000000L
#define OPENSSL_VERSION_TEXT LIBRESSL_VERSION_TEXT
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
I'm going to replace the OPENSSL_VERSION_NUMBER #ifdefs with autoconf
AC_CHECK_FUNCS checks for the actual functions we need.
- Heikki
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers