On 12/05/2016 05:19 AM, Michael Paquier wrote:
On Thu, Dec 1, 2016 at 11:17 AM, Andreas Karlsson <andr...@proxel.se> wrote:
On 12/01/2016 02:48 AM, Andres Freund wrote:
Yes, I believe this is one of the changes in OpenSSL 1.1. I guess you might
be the first one to try to compile with 1.1 since
5ff4a67f63fd6d3eb01ff9707d4674ed54a89f3b was pushed.

Yes, I can see the failure as well using 1.1.0 on my OSX laptop with
homebrew packages.

Sorry about that! Given that I just dealt with this same issue with EVP_MD_CTX_init, I should've noticed.

Finally, attached is a patch to address the failure. make check is
passing here for 1.1.0 and 1.0.2. The problem is that OpenSSL 1.1
relies on an opaque structure here so we need to have the pgcrypto
code rely on a pointer and not a direct declaration of the structure.
EVP_CIPHER_CTX_free() and EVP_CIPHER_CTX_new() have been introduced in
0.9.8 which is the oldest version supported by HEAD, and 5ff4a67f is
HEAD-only, so there is no need to back-patch here.

I'm afraid if we just start using EVP_CIPHER_CTX_new(), we'll leak the context on any error. We had exactly the same problem with EVP_MD_CTX_init being removed, in the patch that added OpenSSL 1.1.0 support. We'll have to use a resource owner to track it, just like we did with EVP_MD_CTX in commit 593d4e47. Want to do that, or should I?

- Heikki

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
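
Added example (not part of the original message, and not pgcrypto or PostgreSQL code): the leak Heikki describes and the tracking approach, modelled in plain C. `cipher_ctx`, `ctx_new`, `ctx_free`, the `tracked` list and `leaked_after` are hypothetical stand-ins so the block runs without linking OpenSSL, and `longjmp` plays the part of an error that unwinds the stack past the normal free call.

```c
#include <setjmp.h>
#include <stdlib.h>
/* Stand-in for the opaque EVP_CIPHER_CTX: callers can only hold a pointer. */
typedef struct cipher_ctx { int unused; } cipher_ctx;
static int live_ctxs;                  /* allocated and not yet freed */

static cipher_ctx *ctx_new(void) {     /* role of EVP_CIPHER_CTX_new() */
    cipher_ctx *c = calloc(1, sizeof(*c));
    if (c) live_ctxs++;
    return c;
}
/* role of EVP_CIPHER_CTX_free() */
static void ctx_free(cipher_ctx *c) { if (c) { live_ctxs--; free(c); } }

/* Hypothetical owner: linked list of every context that is still open. */
typedef struct tracked { cipher_ctx *ctx; struct tracked *next; } tracked;
static tracked *open_ctxs;

static cipher_ctx *tracked_new(void) {
    tracked *t = malloc(sizeof(*t));
    if (!t) return NULL;
    if (!(t->ctx = ctx_new())) { free(t); return NULL; }
    t->next = open_ctxs; open_ctxs = t;
    return t->ctx;
}
static void tracked_free(cipher_ctx *c) {
    tracked **p = &open_ctxs;
    while (*p && (*p)->ctx != c) p = &(*p)->next;
    if (!*p) return;                   /* not registered: nothing to do */
    tracked *t = *p;
    *p = t->next;                      /* unlink, then release both */
    ctx_free(c); free(t);
}

static jmp_buf on_error;               /* models an ERROR unwinding via longjmp */
static void cipher_op(int use_owner, int fail) {
    cipher_ctx *c = use_owner ? tracked_new() : ctx_new();
    if (fail) longjmp(on_error, 1);    /* jumps past the free below */
    if (use_owner) tracked_free(c); else ctx_free(c);
}

/* Runs one operation; returns how many contexts are still allocated after it. */
int leaked_after(int use_owner, int fail) {
    live_ctxs = 0;
    if (setjmp(on_error) == 0)
        cipher_op(use_owner, fail);
    else                               /* cleanup hook: free what is still listed */
        while (open_ctxs) tracked_free(open_ctxs->ctx);
    return live_ctxs;
}
```

With a stack-declared structure the error path had nothing to free; once the context is heap-allocated, only the tracked variant returns to zero live contexts after a failure.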