granicus.if.org Git - postgresql/commit

Support OpenSSL 1.1.0.

Changes needed to build at all:

- Check for SSL_new in configure, now that SSL_library_init is a macro.
- Do not access struct members directly. This includes some new code in
  pgcrypto, to use the resource owner mechanism to ensure that we don't
  leak OpenSSL handles, now that we can't embed them in other structs
  anymore.
- RAND_SSLeay() -> RAND_OpenSSL()

Changes that were needed to silence deprecation warnings, but were not
strictly necessary:

- RAND_pseudo_bytes() -> RAND_bytes().
- SSL_library_init() and OpenSSL_config() -> OPENSSL_init_ssl()
- ASN1_STRING_data() -> ASN1_STRING_get0_data()
- DH_generate_parameters() -> DH_generate_parameters()
- Locking callbacks are not needed with OpenSSL 1.1.0 anymore. (Good
  riddance!)

Also change references to SSLEAY_VERSION_NUMBER with OPENSSL_VERSION_NUMBER,
for the sake of consistency. OPENSSL_VERSION_NUMBER has existed since time
immemorial.

Fix SSL test suite to work with OpenSSL 1.1.0. CA certificates must have
the "CA:true" basic constraint extension now, or OpenSSL will refuse them.
Regenerate the test certificates with that. The "openssl" binary, used to
generate the certificates, is also now more picky, and throws an error
if an X509 extension is specified in "req_extensions", but that section
is empty.

Backpatch to 9.5 and 9.6, per popular demand. The file structure was
somewhat different in earlier branches, so I didn't bother to go further
than that. In back-branches, we still support OpenSSL 0.9.7 and above.
OpenSSL 0.9.6 should still work too, but I didn't test it. In master, we
only support 0.9.8 and above.

Patch by Andreas Karlsson, with additional changes by me.

Discussion: <20160627151604.GD1051@msg.df7cb.de>

author	Heikki Linnakangas <heikki.linnakangas@iki.fi>
	Thu, 15 Sep 2016 09:55:38 +0000 (12:55 +0300)
committer	Heikki Linnakangas <heikki.linnakangas@iki.fi>
	Thu, 15 Sep 2016 09:55:38 +0000 (12:55 +0300)
commit	fcd93e4af943fc444a5928355c9471d36f077538
tree	532e9bd4568ee2c7d8157a788bf92a7433841c34	tree \| snapshot
parent	18ae680632b5c7a1550a768f1a4dc8e31b08215d	commit \| diff

configure		diff \| blob \| history
configure.in		diff \| blob \| history
contrib/pgcrypto/internal.c		diff \| blob \| history
contrib/pgcrypto/openssl.c		diff \| blob \| history
contrib/pgcrypto/pgcrypto.c		diff \| blob \| history
contrib/pgcrypto/pgp-s2k.c		diff \| blob \| history
contrib/pgcrypto/px-crypt.c		diff \| blob \| history
contrib/pgcrypto/px.h		diff \| blob \| history
contrib/sslinfo/sslinfo.c		diff \| blob \| history
src/backend/libpq/be-secure-openssl.c		diff \| blob \| history
src/interfaces/libpq/fe-secure-openssl.c		diff \| blob \| history
src/interfaces/libpq/libpq-int.h		diff \| blob \| history
src/test/ssl/Makefile		diff \| blob \| history
src/test/ssl/cas.config		diff \| blob \| history
src/test/ssl/root_ca.config		diff \| blob \| history
src/test/ssl/server-cn-only.config		diff \| blob \| history
src/test/ssl/server-no-names.config		diff \| blob \| history
src/test/ssl/server-revoked.config		diff \| blob \| history
src/test/ssl/ssl/both-cas-1.crt		diff \| blob \| history
src/test/ssl/ssl/both-cas-2.crt		diff \| blob \| history
src/test/ssl/ssl/client-revoked.crt		diff \| blob \| history
src/test/ssl/ssl/client-revoked.key		diff \| blob \| history
src/test/ssl/ssl/client.crl		diff \| blob \| history
src/test/ssl/ssl/client.crt		diff \| blob \| history
src/test/ssl/ssl/client.key		diff \| blob \| history
src/test/ssl/ssl/client_ca.crt		diff \| blob \| history
src/test/ssl/ssl/client_ca.key		diff \| blob \| history
src/test/ssl/ssl/root+client.crl		diff \| blob \| history
src/test/ssl/ssl/root+client_ca.crt		diff \| blob \| history
src/test/ssl/ssl/root+server.crl		diff \| blob \| history
src/test/ssl/ssl/root+server_ca.crt		diff \| blob \| history
src/test/ssl/ssl/root.crl		diff \| blob \| history
src/test/ssl/ssl/root_ca.crt		diff \| blob \| history
src/test/ssl/ssl/root_ca.key		diff \| blob \| history
src/test/ssl/ssl/server-cn-and-alt-names.crt		diff \| blob \| history
src/test/ssl/ssl/server-cn-and-alt-names.key		diff \| blob \| history
src/test/ssl/ssl/server-cn-only.crt		diff \| blob \| history
src/test/ssl/ssl/server-cn-only.key		diff \| blob \| history
src/test/ssl/ssl/server-multiple-alt-names.crt		diff \| blob \| history
src/test/ssl/ssl/server-multiple-alt-names.key		diff \| blob \| history
src/test/ssl/ssl/server-no-names.crt		diff \| blob \| history
src/test/ssl/ssl/server-no-names.key		diff \| blob \| history
src/test/ssl/ssl/server-revoked.crt		diff \| blob \| history
src/test/ssl/ssl/server-revoked.key		diff \| blob \| history
src/test/ssl/ssl/server-single-alt-name.crt		diff \| blob \| history
src/test/ssl/ssl/server-single-alt-name.key		diff \| blob \| history
src/test/ssl/ssl/server-ss.crt		diff \| blob \| history
src/test/ssl/ssl/server-ss.key		diff \| blob \| history
src/test/ssl/ssl/server.crl		diff \| blob \| history
src/test/ssl/ssl/server_ca.crt		diff \| blob \| history
src/test/ssl/ssl/server_ca.key		diff \| blob \| history