#include <openssl/blowfish.h>
#include <openssl/cast.h>
#include <openssl/des.h>
+#include <openssl/aes.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#define MAX_KEY (512/8)
#define MAX_IV (128/8)
-/*
- * Compatibility with OpenSSL 0.9.6
- *
- * It needs AES and newer DES and digest API.
- */
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-
-/*
- * Nothing needed for OpenSSL 0.9.7+
- */
-
-#include <openssl/aes.h>
-#else /* old OPENSSL */
-
-/*
- * Emulate OpenSSL AES.
- */
-
-#include "rijndael.c"
-
-#define AES_ENCRYPT 1
-#define AES_DECRYPT 0
-#define AES_KEY rijndael_ctx
-
-static int
-AES_set_encrypt_key(const uint8 *key, int kbits, AES_KEY *ctx)
-{
- aes_set_key(ctx, key, kbits, 1);
- return 0;
-}
-
-static int
-AES_set_decrypt_key(const uint8 *key, int kbits, AES_KEY *ctx)
-{
- aes_set_key(ctx, key, kbits, 0);
- return 0;
-}
-
-static void
-AES_ecb_encrypt(const uint8 *src, uint8 *dst, AES_KEY *ctx, int enc)
-{
- memcpy(dst, src, 16);
- if (enc)
- aes_ecb_encrypt(ctx, dst, 16);
- else
- aes_ecb_decrypt(ctx, dst, 16);
-}
-
-static void
-AES_cbc_encrypt(const uint8 *src, uint8 *dst, int len, AES_KEY *ctx, uint8 *iv, int enc)
-{
- memcpy(dst, src, len);
- if (enc)
- {
- aes_cbc_encrypt(ctx, iv, dst, len);
- memcpy(iv, dst + len - 16, 16);
- }
- else
- {
- aes_cbc_decrypt(ctx, iv, dst, len);
- memcpy(iv, src + len - 16, 16);
- }
-}
-
-/*
- * Emulate DES_* API
- */
-
-#define DES_key_schedule des_key_schedule
-#define DES_cblock des_cblock
-#define DES_set_key(k, ks) \
- des_set_key((k), *(ks))
-#define DES_ecb_encrypt(i, o, k, e) \
- des_ecb_encrypt((i), (o), *(k), (e))
-#define DES_ncbc_encrypt(i, o, l, k, iv, e) \
- des_ncbc_encrypt((i), (o), (l), *(k), (iv), (e))
-#define DES_ecb3_encrypt(i, o, k1, k2, k3, e) \
- des_ecb3_encrypt((des_cblock *)(i), (des_cblock *)(o), \
- *(k1), *(k2), *(k3), (e))
-#define DES_ede3_cbc_encrypt(i, o, l, k1, k2, k3, iv, e) \
- des_ede3_cbc_encrypt((i), (o), \
- (l), *(k1), *(k2), *(k3), (iv), (e))
-
-/*
- * Emulate newer digest API.
- */
-
-static void
-EVP_MD_CTX_init(EVP_MD_CTX *ctx)
-{
- memset(ctx, 0, sizeof(*ctx));
-}
-
-static int
-EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
-{
- px_memset(ctx, 0, sizeof(*ctx));
- return 1;
-}
-
-static int
-EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine)
-{
- EVP_DigestInit(ctx, md);
- return 1;
-}
-
-static int
-EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *res, unsigned int *len)
-{
- EVP_DigestFinal(ctx, res, len);
- return 1;
-}
-#endif /* old OpenSSL */
-
-/*
- * Provide SHA2 for older OpenSSL < 0.9.8
- */
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-
-#include "sha2.c"
-#include "internal-sha2.c"
-
-typedef void (*init_f) (PX_MD *md);
-
-static int
-compat_find_digest(const char *name, PX_MD **res)
-{
- init_f init = NULL;
-
- if (pg_strcasecmp(name, "sha224") == 0)
- init = init_sha224;
- else if (pg_strcasecmp(name, "sha256") == 0)
- init = init_sha256;
- else if (pg_strcasecmp(name, "sha384") == 0)
- init = init_sha384;
- else if (pg_strcasecmp(name, "sha512") == 0)
- init = init_sha512;
- else
- return PXE_NO_HASH;
-
- *res = px_alloc(sizeof(PX_MD));
- init(*res);
- return 0;
-}
-#else
-#define compat_find_digest(name, res) (PXE_NO_HASH)
-#endif
-
/*
* Hashes
*/
md = EVP_get_digestbyname(name);
if (md == NULL)
- return compat_find_digest(name, res);
+ return PXE_NO_HASH;
digest = px_alloc(sizeof(*digest));
digest->algo = md;
<listitem>
<para>
- You need <application>Kerberos</>, <productname>OpenSSL</>,
- <productname>OpenLDAP</>, and/or
- <application>PAM</>, if you want to support authentication or
- encryption using those services.
+ You need <productname>OpenSSL</>, if you want to support
+ encrypted client connections. The minimum required version is
+ 0.9.8.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ You need <application>Kerberos</>, <productname>OpenLDAP</>,
+ and/or <application>PAM</>, if you want to support authentication
+ using those services.
</para>
</listitem>
</para>
</sect3>
- <sect3>
- <title>Problems with OpenSSL</title>
-
- <para>
- When you build PostgreSQL with OpenSSL support you might get
- compilation errors in the following files:
- <itemizedlist>
- <listitem><para><filename>src/backend/libpq/crypt.c</filename></para></listitem>
- <listitem><para><filename>src/backend/libpq/password.c</filename></para></listitem>
- <listitem><para><filename>src/interfaces/libpq/fe-auth.c</filename></para></listitem>
- <listitem><para><filename>src/interfaces/libpq/fe-connect.c</filename></para></listitem>
- </itemizedlist>
-
- This is because of a namespace conflict between the standard
- <filename>/usr/include/crypt.h</filename> header and the header
- files provided by OpenSSL.
- </para>
-
- <para>
- Upgrading your OpenSSL installation to version 0.9.6a fixes this
- problem. Solaris 9 and above has a newer version of OpenSSL.
- </para>
- </sect3>
-
<sect3>
<title>configure Complains About a Failed Test Program</title>
projects / postgresql / commitdiff