projects / users / rhaas / postgres.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c99dd5b) | patch
Support OpenSSL 1.1.0.
authorHeikki Linnakangas <heikki.linnakangas@iki.fi>
Thu, 15 Sep 2016 09:36:21 +0000 (12:36 +0300)
committerHeikki Linnakangas <heikki.linnakangas@iki.fi>
Thu, 15 Sep 2016 11:42:29 +0000 (14:42 +0300)
commit593d4e47db7af1a3a5dd6b6b1971f181b5566dbd
treedf6606b16f614ddbd1994f884216619410acd3e6tree
parentc99dd5bfed23d9787dcf7d00197c1ed42bcfdb02commit | diff
Support OpenSSL 1.1.0.

Changes needed to build at all:

- Check for SSL_new in configure, now that SSL_library_init is a macro.
- Do not access struct members directly. This includes some new code in
  pgcrypto, to use the resource owner mechanism to ensure that we don't
  leak OpenSSL handles, now that we can't embed them in other structs
  anymore.
- RAND_SSLeay() -> RAND_OpenSSL()

Changes that were needed to silence deprecation warnings, but were not
strictly necessary:

- RAND_pseudo_bytes() -> RAND_bytes().
- SSL_library_init() and OpenSSL_config() -> OPENSSL_init_ssl()
- ASN1_STRING_data() -> ASN1_STRING_get0_data()
- DH_generate_parameters() -> DH_generate_parameters()
- Locking callbacks are not needed with OpenSSL 1.1.0 anymore. (Good
  riddance!)

Also change references to SSLEAY_VERSION_NUMBER with OPENSSL_VERSION_NUMBER,
for the sake of consistency. OPENSSL_VERSION_NUMBER has existed since time
immemorial.

Fix SSL test suite to work with OpenSSL 1.1.0. CA certificates must have
the "CA:true" basic constraint extension now, or OpenSSL will refuse them.
Regenerate the test certificates with that. The "openssl" binary, used to
generate the certificates, is also now more picky, and throws an error
if an X509 extension is specified in "req_extensions", but that section
is empty.

Backpatch to all supported branches, per popular demand. In back-branches,
we still support OpenSSL 0.9.7 and above. OpenSSL 0.9.6 should still work
too, but I didn't test it. In master, we only support 0.9.8 and above.

Patch by Andreas Karlsson, with additional changes by me.

Discussion: <20160627151604.GD1051@msg.df7cb.de>
50 files changed:
configure diff | blob | blame | history
configure.in diff | blob | blame | history
contrib/pgcrypto/internal.c diff | blob | blame | history
contrib/pgcrypto/openssl.c diff | blob | blame | history
contrib/pgcrypto/pgcrypto.c diff | blob | blame | history
contrib/pgcrypto/pgp-s2k.c diff | blob | blame | history
contrib/pgcrypto/px-crypt.c diff | blob | blame | history
contrib/pgcrypto/px.h diff | blob | blame | history
contrib/sslinfo/sslinfo.c diff | blob | blame | history
src/backend/libpq/be-secure-openssl.c diff | blob | blame | history
src/interfaces/libpq/fe-secure-openssl.c diff | blob | blame | history
src/test/ssl/Makefile diff | blob | blame | history
src/test/ssl/cas.config diff | blob | blame | history
src/test/ssl/root_ca.config diff | blob | blame | history
src/test/ssl/server-cn-only.config diff | blob | blame | history
src/test/ssl/server-no-names.config diff | blob | blame | history
src/test/ssl/server-revoked.config diff | blob | blame | history
src/test/ssl/ssl/both-cas-1.crt diff | blob | blame | history
src/test/ssl/ssl/both-cas-2.crt diff | blob | blame | history
src/test/ssl/ssl/client-revoked.crt diff | blob | blame | history
src/test/ssl/ssl/client-revoked.key diff | blob | blame | history
src/test/ssl/ssl/client.crl diff | blob | blame | history
src/test/ssl/ssl/client.crt diff | blob | blame | history
src/test/ssl/ssl/client.key diff | blob | blame | history
src/test/ssl/ssl/client_ca.crt diff | blob | blame | history
src/test/ssl/ssl/client_ca.key diff | blob | blame | history
src/test/ssl/ssl/root+client.crl diff | blob | blame | history
src/test/ssl/ssl/root+client_ca.crt diff | blob | blame | history
src/test/ssl/ssl/root+server.crl diff | blob | blame | history
src/test/ssl/ssl/root+server_ca.crt diff | blob | blame | history
src/test/ssl/ssl/root.crl diff | blob | blame | history
src/test/ssl/ssl/root_ca.crt diff | blob | blame | history
src/test/ssl/ssl/root_ca.key diff | blob | blame | history
src/test/ssl/ssl/server-cn-and-alt-names.crt diff | blob | blame | history
src/test/ssl/ssl/server-cn-and-alt-names.key diff | blob | blame | history
src/test/ssl/ssl/server-cn-only.crt diff | blob | blame | history
src/test/ssl/ssl/server-cn-only.key diff | blob | blame | history
src/test/ssl/ssl/server-multiple-alt-names.crt diff | blob | blame | history
src/test/ssl/ssl/server-multiple-alt-names.key diff | blob | blame | history
src/test/ssl/ssl/server-no-names.crt diff | blob | blame | history
src/test/ssl/ssl/server-no-names.key diff | blob | blame | history
src/test/ssl/ssl/server-revoked.crt diff | blob | blame | history
src/test/ssl/ssl/server-revoked.key diff | blob | blame | history
src/test/ssl/ssl/server-single-alt-name.crt diff | blob | blame | history
src/test/ssl/ssl/server-single-alt-name.key diff | blob | blame | history
src/test/ssl/ssl/server-ss.crt diff | blob | blame | history
src/test/ssl/ssl/server-ss.key diff | blob | blame | history
src/test/ssl/ssl/server.crl diff | blob | blame | history
src/test/ssl/ssl/server_ca.crt diff | blob | blame | history
src/test/ssl/ssl/server_ca.key diff | blob | blame | history
Robert Haas's development tree.