Support OpenSSL 1.1.0.
authorHeikki Linnakangas <heikki.linnakangas@iki.fi>
Thu, 15 Sep 2016 09:36:21 +0000 (12:36 +0300)
committerHeikki Linnakangas <heikki.linnakangas@iki.fi>
Thu, 15 Sep 2016 11:42:29 +0000 (14:42 +0300)
commit593d4e47db7af1a3a5dd6b6b1971f181b5566dbd
treedf6606b16f614ddbd1994f884216619410acd3e6
parentc99dd5bfed23d9787dcf7d00197c1ed42bcfdb02
Support OpenSSL 1.1.0.

Changes needed to build at all:

- Check for SSL_new in configure, now that SSL_library_init is a macro.
- Do not access struct members directly. This includes some new code in
  pgcrypto, to use the resource owner mechanism to ensure that we don't
  leak OpenSSL handles, now that we can't embed them in other structs
  anymore.
- RAND_SSLeay() -> RAND_OpenSSL()

Changes that were needed to silence deprecation warnings, but were not
strictly necessary:

- RAND_pseudo_bytes() -> RAND_bytes().
- SSL_library_init() and OpenSSL_config() -> OPENSSL_init_ssl()
- ASN1_STRING_data() -> ASN1_STRING_get0_data()
- DH_generate_parameters() -> DH_generate_parameters()
- Locking callbacks are not needed with OpenSSL 1.1.0 anymore. (Good
  riddance!)

Also change references to SSLEAY_VERSION_NUMBER with OPENSSL_VERSION_NUMBER,
for the sake of consistency. OPENSSL_VERSION_NUMBER has existed since time
immemorial.

Fix SSL test suite to work with OpenSSL 1.1.0. CA certificates must have
the "CA:true" basic constraint extension now, or OpenSSL will refuse them.
Regenerate the test certificates with that. The "openssl" binary, used to
generate the certificates, is also now more picky, and throws an error
if an X509 extension is specified in "req_extensions", but that section
is empty.

Backpatch to all supported branches, per popular demand. In back-branches,
we still support OpenSSL 0.9.7 and above. OpenSSL 0.9.6 should still work
too, but I didn't test it. In master, we only support 0.9.8 and above.

Patch by Andreas Karlsson, with additional changes by me.

Discussion: <20160627151604.GD1051@msg.df7cb.de>
50 files changed:
configure
configure.in
contrib/pgcrypto/internal.c
contrib/pgcrypto/openssl.c
contrib/pgcrypto/pgcrypto.c
contrib/pgcrypto/pgp-s2k.c
contrib/pgcrypto/px-crypt.c
contrib/pgcrypto/px.h
contrib/sslinfo/sslinfo.c
src/backend/libpq/be-secure-openssl.c
src/interfaces/libpq/fe-secure-openssl.c
src/test/ssl/Makefile
src/test/ssl/cas.config
src/test/ssl/root_ca.config
src/test/ssl/server-cn-only.config
src/test/ssl/server-no-names.config
src/test/ssl/server-revoked.config
src/test/ssl/ssl/both-cas-1.crt
src/test/ssl/ssl/both-cas-2.crt
src/test/ssl/ssl/client-revoked.crt
src/test/ssl/ssl/client-revoked.key
src/test/ssl/ssl/client.crl
src/test/ssl/ssl/client.crt
src/test/ssl/ssl/client.key
src/test/ssl/ssl/client_ca.crt
src/test/ssl/ssl/client_ca.key
src/test/ssl/ssl/root+client.crl
src/test/ssl/ssl/root+client_ca.crt
src/test/ssl/ssl/root+server.crl
src/test/ssl/ssl/root+server_ca.crt
src/test/ssl/ssl/root.crl
src/test/ssl/ssl/root_ca.crt
src/test/ssl/ssl/root_ca.key
src/test/ssl/ssl/server-cn-and-alt-names.crt
src/test/ssl/ssl/server-cn-and-alt-names.key
src/test/ssl/ssl/server-cn-only.crt
src/test/ssl/ssl/server-cn-only.key
src/test/ssl/ssl/server-multiple-alt-names.crt
src/test/ssl/ssl/server-multiple-alt-names.key
src/test/ssl/ssl/server-no-names.crt
src/test/ssl/ssl/server-no-names.key
src/test/ssl/ssl/server-revoked.crt
src/test/ssl/ssl/server-revoked.key
src/test/ssl/ssl/server-single-alt-name.crt
src/test/ssl/ssl/server-single-alt-name.key
src/test/ssl/ssl/server-ss.crt
src/test/ssl/ssl/server-ss.key
src/test/ssl/ssl/server.crl
src/test/ssl/ssl/server_ca.crt
src/test/ssl/ssl/server_ca.key