Hi, Attached is a patch to make it build with OpenSSL 1.1.0.
There is probably a minor problem on Windows, where the names of the DLLs changed; someone should look into that. Kurt
>From efd7aa3499b2b4eedd4c4d4164b75175f3c10d2f Mon Sep 17 00:00:00 2001 From: Kurt Roeckx <k...@roeckx.be> Date: Thu, 1 Sep 2016 23:24:07 +0200 Subject: [PATCH] Add support for OpenSSL 1.1.0 --- configure | 68 +++++++++++++++++++------------- configure.in | 4 +- src/backend/libpq/be-secure-openssl.c | 49 ++++++++++++++++++----- src/interfaces/libpq/fe-secure-openssl.c | 54 ++++++++++++++++++++----- 4 files changed, 127 insertions(+), 48 deletions(-) diff --git a/configure b/configure index 45c8eef..930da6e 100755 --- a/configure +++ b/configure @@ -774,6 +774,7 @@ infodir docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -896,6 +897,7 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1148,6 +1150,15 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1285,7 +1296,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. 
@@ -1438,6 +1449,7 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -9538,9 +9550,9 @@ else as_fn_error $? "library 'crypto' is required for OpenSSL" "$LINENO" 5 fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_library_init in -lssl" >&5 -$as_echo_n "checking for SSL_library_init in -lssl... " >&6; } -if ${ac_cv_lib_ssl_SSL_library_init+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_new in -lssl" >&5 +$as_echo_n "checking for SSL_CTX_new in -lssl... " >&6; } +if ${ac_cv_lib_ssl_SSL_CTX_new+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS 
@@ -9554,27 +9566,27 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext #ifdef __cplusplus extern "C" #endif -char SSL_library_init (); +char SSL_CTX_new (); int main () { -return SSL_library_init (); +return SSL_CTX_new (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_ssl_SSL_library_init=yes + ac_cv_lib_ssl_SSL_CTX_new=yes else - ac_cv_lib_ssl_SSL_library_init=no + ac_cv_lib_ssl_SSL_CTX_new=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_library_init" >&5 -$as_echo "$ac_cv_lib_ssl_SSL_library_init" >&6; } -if test "x$ac_cv_lib_ssl_SSL_library_init" = xyes; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_new" >&5 +$as_echo "$ac_cv_lib_ssl_SSL_CTX_new" >&6; } +if test "x$ac_cv_lib_ssl_SSL_CTX_new" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBSSL 1 _ACEOF @@ -9644,9 +9656,9 @@ else as_fn_error $? "library 'eay32' or 'crypto' is required for OpenSSL" "$LINENO" 5 fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_library_init" >&5 -$as_echo_n "checking for library containing SSL_library_init... " >&6; } -if ${ac_cv_search_SSL_library_init+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_CTX_new" >&5 +$as_echo_n "checking for library containing SSL_CTX_new... " >&6; } +if ${ac_cv_search_SSL_CTX_new+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS @@ -9659,11 +9671,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext #ifdef __cplusplus extern "C" #endif -char SSL_library_init (); +char SSL_CTX_new (); int main () { -return SSL_library_init (); +return SSL_CTX_new (); ; return 0; } 
@@ -9676,25 +9688,25 @@ for ac_lib in '' ssleay32 ssl; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_SSL_library_init=$ac_res + ac_cv_search_SSL_CTX_new=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext - if ${ac_cv_search_SSL_library_init+:} false; then : + if ${ac_cv_search_SSL_CTX_new+:} false; then : break fi done -if ${ac_cv_search_SSL_library_init+:} false; then : +if ${ac_cv_search_SSL_CTX_new+:} false; then : else - ac_cv_search_SSL_library_init=no + ac_cv_search_SSL_CTX_new=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_SSL_library_init" >&5 -$as_echo "$ac_cv_search_SSL_library_init" >&6; } -ac_res=$ac_cv_search_SSL_library_init +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_SSL_CTX_new" >&5 +$as_echo "$ac_cv_search_SSL_CTX_new" >&6; } +ac_res=$ac_cv_search_SSL_CTX_new if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" @@ -12045,7 +12057,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -12091,7 +12103,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; 
@@ -12115,7 +12127,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -12160,7 +12172,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -12184,7 +12196,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; diff --git a/configure.in b/configure.in index c878b4e..6bd0377 100644 --- a/configure.in +++ b/configure.in 
@@ -1112,10 +1112,10 @@ if test "$with_openssl" = yes ; then
 dnl Order matters!
 if test "$PORTNAME" != "win32"; then
 AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])
- AC_CHECK_LIB(ssl, SSL_library_init, [], [AC_MSG_ERROR([library 'ssl' is required for OpenSSL])])
+ AC_CHECK_LIB(ssl, SSL_CTX_new, [], [AC_MSG_ERROR([library 'ssl' is required for OpenSSL])])
 else
 AC_SEARCH_LIBS(CRYPTO_new_ex_data, eay32 crypto, [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
- AC_SEARCH_LIBS(SSL_library_init, ssleay32 ssl, [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
+ AC_SEARCH_LIBS(SSL_CTX_new, ssleay32 ssl, [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
 fi
 AC_CHECK_FUNCS([SSL_get_current_compression])
 fi
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index bb0d2d9..35e49ae 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -82,6 +82,11 @@ static char *X509_NAME_to_cstring(X509_NAME *name);
 static SSL_CTX *SSL_context = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define BIO_get_data(bio) (bio->ptr)
+#define BIO_set_data(bio, data) bio->ptr = data
+#endif
+
 /* ------------------------------------------------------------ */
 /* Hardcoded values */
 /* ------------------------------------------------------------ */
@@ -164,9 +169,13 @@ be_tls_init(void)
 if (!SSL_context)
 {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 OPENSSL_config(NULL);
 SSL_library_init();
 SSL_load_error_strings();
+#else
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#endif
 /*
 * We use SSLv23_method() because it can negotiate use of the highest
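Review bot: The compatibility macros added below `SSL_context` expand their arguments unparenthesized, so a cast or conditional expression passed as `bio` or `data` would associate wrongly; the callers in this patch pass plain identifiers, but a macro that stands in for a library function should be safe for any argument. Suggest `#define BIO_get_data(bio) ((bio)->ptr)` and `#define BIO_set_data(bio, data) ((bio)->ptr = (data))`. A one-line comment such as `/* BIO_get_data/BIO_set_data are 1.1.0 API; emulate them on older OpenSSL, where BIO is not opaque */` would also tell a reader why the block exists.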
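Review bot: The new `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)` in be_tls_init discards its return value, and unlike the void `OPENSSL_config()` it replaces, this function reports failure by returning 0. The remainder of be_tls_init is outside the hunk so I cannot see its error idiom, but this file does use ereport, so something like `if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) ereport(FATAL, (errmsg("could not initialize OpenSSL")));` would stop a failed library initialization from proceeding silently into SSL_CTX creation. The 1.1.0 branch also drops `SSL_load_error_strings()` with no replacement; as far as I know that is correct because 1.1.0 loads error strings during its own initialization, but a short comment saying so would keep a later reader from "fixing" it.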
@@ -668,7 +677,7 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
 */
 static bool my_bio_initialized = false;
-static BIO_METHOD my_bio_methods;
+static BIO_METHOD *my_bio_methods;
 static int
 my_sock_read(BIO *h, char *buf, int size)
@@ -677,7 +686,7 @@ my_sock_read(BIO *h, char *buf, int size)
 if (buf != NULL)
 {
- res = secure_raw_read(((Port *) h->ptr), buf, size);
+ res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size);
 BIO_clear_retry_flags(h);
 if (res <= 0)
 {
@@ -697,7 +706,7 @@ my_sock_write(BIO *h, const char *buf, int size)
 {
 int res = 0;
- res = secure_raw_write(((Port *) h->ptr), buf, size);
+ res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size);
 BIO_clear_retry_flags(h);
 if (res <= 0)
 {
@@ -716,12 +725,27 @@ my_BIO_s_socket(void)
 {
 if (!my_bio_initialized)
 {
- memcpy(&my_bio_methods, BIO_s_socket(), sizeof(BIO_METHOD));
- my_bio_methods.bread = my_sock_read;
- my_bio_methods.bwrite = my_sock_write;
+ BIO_METHOD *s_socket = (BIO_METHOD *)BIO_s_socket();
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ my_bio_methods = malloc(sizeof(BIO_METHOD));
+ memcpy(my_bio_methods, s_socket, sizeof(BIO_METHOD));
+ my_bio_methods->bread = my_sock_read;
+ my_bio_methods->bwrite = my_sock_write;
+#else
+ BIO_meth_set_puts(my_bio_methods, BIO_meth_get_puts(s_socket));
+ BIO_meth_set_gets(my_bio_methods, BIO_meth_get_gets(s_socket));
+ BIO_meth_set_ctrl(my_bio_methods, BIO_meth_get_ctrl(s_socket));
+ BIO_meth_set_create(my_bio_methods, BIO_meth_get_create(s_socket));
+ BIO_meth_set_destroy(my_bio_methods, BIO_meth_get_destroy(s_socket));
+ BIO_meth_set_callback_ctrl(my_bio_methods, BIO_meth_get_callback_ctrl(s_socket));
+
+ BIO_meth_set_read(my_bio_methods, my_sock_read);
+ BIO_meth_set_write(my_bio_methods, my_sock_write);
+#endif
 my_bio_initialized = true;
 }
- return &my_bio_methods;
+ return my_bio_methods;
 }
 /* This should exactly match openssl's SSL_set_fd except for using my BIO */
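Review bot: In the `#else` (OpenSSL 1.1.0) branch of the backend's my_BIO_s_socket, `my_bio_methods` is never allocated before the `BIO_meth_set_*` calls, and the same patch turns it into a static pointer that starts out NULL, so the first TLS connection on a 1.1.0 build dereferences NULL; the opaque BIO_METHOD has to come from `BIO_meth_new(BIO_TYPE_SOCKET, "pg socket")`, and that result has to be checked. The pre-1.1.0 branch has the mirror-image gap: the `malloc` result goes straight into memcpy without a NULL check. The `(BIO_METHOD *)BIO_s_socket()` cast strips the const that 1.1.0 puts on the return type and is unnecessary, since both branches only read from `s_socket`. The rewrite below returns NULL on any of these failures, which requires my_SSL_set_fd (outside this hunk) to test the method pointer before handing it to BIO_new, as BIO_new does not tolerate a NULL method.
```c
my_BIO_s_socket(void)
{
	if (!my_bio_initialized)
	{
		/* 1.1.0 returns a const pointer; we only read from it in either branch */
		const BIO_METHOD *s_socket = BIO_s_socket();

#if OPENSSL_VERSION_NUMBER < 0x10100000L
		my_bio_methods = malloc(sizeof(BIO_METHOD));
		if (my_bio_methods == NULL)
			return NULL;
		memcpy(my_bio_methods, s_socket, sizeof(BIO_METHOD));
		my_bio_methods->bread = my_sock_read;
		my_bio_methods->bwrite = my_sock_write;
#else
		/* BIO_METHOD is opaque in 1.1.0, so the library must allocate it */
		my_bio_methods = BIO_meth_new(BIO_TYPE_SOCKET, "pg socket");
		if (my_bio_methods == NULL)
			return NULL;
		if (!BIO_meth_set_write(my_bio_methods, my_sock_write) ||
			!BIO_meth_set_read(my_bio_methods, my_sock_read) ||
			!BIO_meth_set_puts(my_bio_methods, BIO_meth_get_puts(s_socket)) ||
			!BIO_meth_set_gets(my_bio_methods, BIO_meth_get_gets(s_socket)) ||
			!BIO_meth_set_ctrl(my_bio_methods, BIO_meth_get_ctrl(s_socket)) ||
			!BIO_meth_set_create(my_bio_methods, BIO_meth_get_create(s_socket)) ||
			!BIO_meth_set_destroy(my_bio_methods, BIO_meth_get_destroy(s_socket)) ||
			!BIO_meth_set_callback_ctrl(my_bio_methods, BIO_meth_get_callback_ctrl(s_socket)))
		{
			BIO_meth_free(my_bio_methods);
			my_bio_methods = NULL;
			return NULL;
		}
#endif
		my_bio_initialized = true;
	}
	return my_bio_methods;
}
```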
@@ -739,7 +763,7 @@ my_SSL_set_fd(Port *port, int fd)
 goto err;
 }
 /* Use 'ptr' to store pointer to PGconn */
- bio->ptr = port;
+ BIO_set_data(bio, port);
 BIO_set_fd(bio, fd, BIO_NOCLOSE);
 SSL_set_bio(port->ssl, bio, bio);
@@ -902,7 +926,14 @@ tmp_dh_cb(SSL *s, int is_export, int keylength)
 ereport(DEBUG2, (errmsg_internal("DH: generating parameters (%d bits)", keylength)));
- r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+ r = DH_new();
+ if (r == NULL)
+ return NULL;
+ if (DH_generate_parameters_ex(r, keylength, DH_GENERATOR_2, NULL) == 0)
+ {
+ DH_free(r);
+ return NULL;
+ }
 }
 return r;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index d871612..0ed1bab 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -98,6 +98,11 @@ static long win32_ssl_create_mutex = 0;
 #endif
 #endif /* ENABLE_THREAD_SAFETY */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define BIO_get_data(bio) (bio->ptr)
+#define BIO_set_data(bio, data) bio->ptr = data
+#endif
+
 /* ------------------------------------------------------------ */
 /* Procedures common to all secure sessions */
@@ -522,7 +527,7 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 {
 int len;
 char *name;
- unsigned char *namedata;
+ const unsigned char *namedata;
 int result;
 *store_name = NULL;
@@ -541,7 +546,11 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 * There is no guarantee the string returned from the certificate is
 * NULL-terminated, so make a copy that is.
 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 namedata = ASN1_STRING_data(name_entry);
+#else
+ namedata = ASN1_STRING_get0_data(name_entry);
+#endif
 len = ASN1_STRING_length(name_entry);
 name = malloc(len + 1);
 if (name == NULL)
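Review bot: The comment `/* Use 'ptr' to store pointer to PGconn */` above the new `BIO_set_data(bio, port)` in the backend's my_SSL_set_fd is now doubly stale: the code no longer touches a field called `ptr`, and what it stores here is a `Port`, not a PGconn. Suggest `/* Stash the Port in the BIO's app data so my_sock_read/my_sock_write can find it */`. The rest of my_SSL_set_fd, including the `err:` label this hunk jumps to, lies outside the hunk.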
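Review bot: The libpq copy of the BIO_get_data/BIO_set_data compatibility macros, added after the `#endif /* ENABLE_THREAD_SAFETY */`, has the same unparenthesized arguments as the backend copy, so a cast or conditional passed as `bio` or `data` would mis-associate. Suggest `#define BIO_get_data(bio) ((bio)->ptr)` and `#define BIO_set_data(bio, data) ((bio)->ptr = (data))`, plus a comment noting that these emulate the 1.1.0 accessors on older releases where BIO is still a public struct.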
@@ -730,6 +739,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 }
 #ifdef ENABLE_THREAD_SAFETY
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
 * Callback functions for OpenSSL internal locking
 */
@@ -761,6 +771,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 PGTHREAD_ERROR("failed to unlock mutex");
 }
 }
+#endif
 #endif /* ENABLE_THREAD_SAFETY */
 /*
@@ -806,6 +817,7 @@ pgtls_init(PGconn *conn)
 * If necessary, set up an array to hold locks for libcrypto.
 * libcrypto will tell us how big to make this array.
 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 if (pq_lockarray == NULL)
 {
 int i;
@@ -827,6 +839,7 @@ pgtls_init(PGconn *conn)
 }
 }
 }
+#endif
 if (ssl_open_connections++ == 0)
 {
@@ -834,10 +847,12 @@ pgtls_init(PGconn *conn)
 * These are only required for threaded libcrypto applications,
 * but make sure we don't stomp on them if they're already set.
 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 if (CRYPTO_get_id_callback() == NULL)
 CRYPTO_set_id_callback(pq_threadidcallback);
 if (CRYPTO_get_locking_callback() == NULL)
 CRYPTO_set_locking_callback(pq_lockingcallback);
+#endif
 }
 }
 #endif /* ENABLE_THREAD_SAFETY */
@@ -846,9 +861,13 @@ pgtls_init(PGconn *conn)
 {
 if (pq_init_ssl_lib)
 {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 OPENSSL_config(NULL);
 SSL_library_init();
 SSL_load_error_strings();
+#else
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#endif
 }
 /*
@@ -916,10 +935,12 @@ destroy_ssl_system(void)
 * No connections left, unregister libcrypto callbacks, if no one
 * registered different ones in the meantime.
 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 if (CRYPTO_get_locking_callback() == pq_lockingcallback)
 CRYPTO_set_locking_callback(NULL);
 if (CRYPTO_get_id_callback() == pq_threadidcallback)
 CRYPTO_set_id_callback(NULL);
+#endif
 /*
 * We don't free the lock array or the SSL_context. If we get another
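Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guards added in pgtls_init compile out every use of `pq_lockarray` and the two callbacks on 1.1.0, but the declarations themselves are not in any hunk, so if they are unguarded file-scope statics a 1.1.0 build will presumably warn about unused variables/functions; worth guarding the declarations with the same condition. A comment on the first guard, such as `/* OpenSSL 1.1.0 does its own locking; the CRYPTO_set_*_callback API is a no-op there */`, would explain why the locking setup disappears rather than leaving the reader to guess.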
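Review bot: The new `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)` inside `if (pq_init_ssl_lib)` ignores its return value, whereas the `OPENSSL_config()` it replaces returned void and so had nothing to check; OPENSSL_init_crypto returns 0 when initialization fails. The head of pgtls_init and its error-return path are outside this hunk, so I cannot quote its idiom, but it should report the failure the way it reports its other setup errors rather than fall through to creating an SSL_CTX on a library that did not initialize, e.g. `if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) { /* report, then */ return -1; }` adjusted to whatever the function actually returns. A one-line comment that 1.1.0 loads error strings on its own would also justify the missing SSL_load_error_strings() counterpart.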
@@ -1618,14 +1639,14 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
 */
 static bool my_bio_initialized = false;
-static BIO_METHOD my_bio_methods;
+static BIO_METHOD *my_bio_methods;
 static int
 my_sock_read(BIO *h, char *buf, int size)
 {
 int res;
- res = pqsecure_raw_read((PGconn *) h->ptr, buf, size);
+ res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size);
 BIO_clear_retry_flags(h);
 if (res < 0)
 {
@@ -1655,7 +1676,7 @@ my_sock_write(BIO *h, const char *buf, int size)
 {
 int res;
- res = pqsecure_raw_write((PGconn *) h->ptr, buf, size);
+ res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size);
 BIO_clear_retry_flags(h);
 if (res <= 0)
 {
@@ -1685,12 +1706,27 @@ my_BIO_s_socket(void)
 {
 if (!my_bio_initialized)
 {
- memcpy(&my_bio_methods, BIO_s_socket(), sizeof(BIO_METHOD));
- my_bio_methods.bread = my_sock_read;
- my_bio_methods.bwrite = my_sock_write;
+ BIO_METHOD *s_socket = (BIO_METHOD *)BIO_s_socket();
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ my_bio_methods = malloc(sizeof(BIO_METHOD));
+ memcpy(my_bio_methods, s_socket, sizeof(BIO_METHOD));
+ my_bio_methods->bread = my_sock_read;
+ my_bio_methods->bwrite = my_sock_write;
+#else
+ BIO_meth_set_puts(my_bio_methods, BIO_meth_get_puts(s_socket));
+ BIO_meth_set_gets(my_bio_methods, BIO_meth_get_gets(s_socket));
+ BIO_meth_set_ctrl(my_bio_methods, BIO_meth_get_ctrl(s_socket));
+ BIO_meth_set_create(my_bio_methods, BIO_meth_get_create(s_socket));
+ BIO_meth_set_destroy(my_bio_methods, BIO_meth_get_destroy(s_socket));
+ BIO_meth_set_callback_ctrl(my_bio_methods, BIO_meth_get_callback_ctrl(s_socket));
+
+ BIO_meth_set_read(my_bio_methods, my_sock_read);
+ BIO_meth_set_write(my_bio_methods, my_sock_write);
+#endif
 my_bio_initialized = true;
 }
- return &my_bio_methods;
+ return my_bio_methods;
 }
 /* This should exactly match openssl's SSL_set_fd except for using my BIO */
@@ -1707,7 +1743,7 @@ my_SSL_set_fd(PGconn *conn, int fd)
 goto err;
 }
 /* Use 'ptr' to store pointer to PGconn */
- bio->ptr = conn;
+ BIO_set_data(bio, conn);
 SSL_set_bio(conn->ssl, bio, bio);
 BIO_set_fd(bio, fd, BIO_NOCLOSE);
-- 
2.9.3
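Review bot: The comment `/* Use 'ptr' to store pointer to PGconn */` above the new `BIO_set_data(bio, conn)` in libpq's my_SSL_set_fd still describes the removed `bio->ptr` write, which no longer exists in the code on either OpenSSL version. Suggest `/* Stash the PGconn in the BIO's app data so my_sock_read/my_sock_write can find it */`. The beginning of my_SSL_set_fd and the `err:` label this hunk jumps to are outside the hunk.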