Commit8e278b6

Remove support for OpenSSL 1.0.1
Here are some notes about this change:
- X509_get_signature_nid() should always exist (OpenSSL and LibreSSL), so HAVE_X509_GET_SIGNATURE_NID is now gone.
- OPENSSL_API_COMPAT is bumped to 0x10002000L.
- One comment related to 1.0.1e introduced by 74242c2 is removed.
Upstream OpenSSL still provides long-term support for 1.0.2 in a closed fashion, so removing it is out of scope for a few years, at least.
Reviewed-by: Jacob Champion, Daniel Gustafsson
Discussion: https://postgr.es/m/ZG3JNursG69dz1lr@paquier.xyz
1 parent2aeaf80 commit8e278b6


14 files changed

+37
-100
lines changed


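--- a/configure
+++ b/configure
@@ -12744,9 +12744,9 @@ if test "$with_openssl" = yes ; then
 fi
 
 if test "$with_ssl" = openssl ; then
-# Minimum required OpenSSL version is 1.0.1
+# Minimum required OpenSSL version is 1.0.2
 
-$as_echo "#define OPENSSL_API_COMPAT0x10001000L" >>confdefs.h
+$as_echo "#define OPENSSL_API_COMPAT0x10002000L" >>confdefs.h
 
 if test "$PORTNAME" != "win32"; then
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5
@@ -12961,15 +12961,13 @@ else
 fi
 
 fi
-# Functions introduced in OpenSSL 1.0.2. LibreSSL does not have
-# SSL_CTX_set_cert_cb().
-for ac_func in X509_get_signature_nid SSL_CTX_set_cert_cb
+# LibreSSL does not have SSL_CTX_set_cert_cb().
+for ac_func in SSL_CTX_set_cert_cb
 do :
-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"
+if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :
 cat >>confdefs.h <<_ACEOF
-#define`$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+#defineHAVE_SSL_CTX_SET_CERT_CB 1
 _ACEOF
 
 fi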
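Review bot: The replacement comment at new line 12964 of the second hunk, `# LibreSSL does not have SSL_CTX_set_cert_cb().`, does not match the two-line comment that configure.ac carries after this same commit (`#Function introduced in OpenSSL 1.0.2. LibreSSL does not have` / `# SSL_CTX_set_cert_cb().`), which suggests configure was edited by hand rather than regenerated, or that configure.ac was reworded afterwards. As far as I recall, `#` comments in configure.ac are copied verbatim into the generated script, so the two should be identical after a regeneration; I would regenerate configure from configure.ac (or align the comment by hand) so the next autoreconf run does not produce a spurious diff here. The OPENSSL_API_COMPAT bump to 0x10002000L in the first hunk is consistent with configure.ac and meson.build.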

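--- a/configure.ac
+++ b/configure.ac
@@ -1367,8 +1367,8 @@ fi
 
 if test "$with_ssl" = openssl ; then
 dnl Order matters!
-# Minimum required OpenSSL version is 1.0.1
-AC_DEFINE(OPENSSL_API_COMPAT,[0x10001000L],
+# Minimum required OpenSSL version is 1.0.2
+AC_DEFINE(OPENSSL_API_COMPAT,[0x10002000L],
 [Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.])
 if test "$PORTNAME" != "win32"; then
 AC_CHECK_LIB(crypto,CRYPTO_new_ex_data,[],[AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])
@@ -1377,9 +1377,9 @@ if test "$with_ssl" = openssl ; then
 AC_SEARCH_LIBS(CRYPTO_new_ex_data,[eay32 crypto],[],[AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
 AC_SEARCH_LIBS(SSL_new,[ssleay32 ssl],[],[AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
 fi
-#Functions introduced in OpenSSL 1.0.2. LibreSSL does not have
+#Function introduced in OpenSSL 1.0.2. LibreSSL does not have
 # SSL_CTX_set_cert_cb().
-AC_CHECK_FUNCS([X509_get_signature_nidSSL_CTX_set_cert_cb])
+AC_CHECK_FUNCS([SSL_CTX_set_cert_cb])
 # Functions introduced in OpenSSL 1.1.0. We used to check for
 # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
 # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it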
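Review bot: After X509_get_signature_nid is dropped from AC_CHECK_FUNCS in the second hunk, nothing in this block rejects an OpenSSL 1.0.1 installation at configure time: the remaining SSL_CTX_set_cert_cb probe stays optional because LibreSSL lacks it, and the new minimum version in the first hunk is stated only in a comment next to the OPENSSL_API_COMPAT define. If the C code now calls X509_get_signature_nid() unconditionally, as the removal of the HAVE_X509_GET_SIGNATURE_NID guard in be-secure-openssl.c suggests, a 1.0.1 build would fail with a compile error instead of a clear configure-time message. A required probe for a function that 1.0.1 lacks but 1.0.2 and LibreSSL both provide would make the new floor enforceable, e.g. `AC_CHECK_FUNC(X509_get_signature_nid, [], [AC_MSG_ERROR([OpenSSL 1.0.2 or later is required])])` after the SSL_CTX_set_cert_cb check; the same gap exists in the meson.build function list, where `['X509_get_signature_nid', {'required': true}]` would do the same job. Testing OPENSSL_VERSION_NUMBER instead is ruled out by the LibreSSL caveat already given in the comment below the hunk.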

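--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -275,7 +275,7 @@ documentation. See standalone-profile.xsl for details.
 encrypted client connections. <productname>OpenSSL</productname> is
 also required for random number generation on platforms that do not
 have <filename>/dev/urandom</filename> (except Windows). The minimum
-required version is 1.0.1.
+required version is 1.0.2.
 </para>
 </listitem>
 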

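--- a/meson.build
+++ b/meson.build
@@ -1266,9 +1266,8 @@ if sslopt in ['auto', 'openssl']
 ['CRYPTO_new_ex_data', {'required':true}],
 ['SSL_new', {'required':true}],
 
-# Functions introduced in OpenSSL 1.0.2.
-['X509_get_signature_nid'],
-['SSL_CTX_set_cert_cb'],# not in LibreSSL
+# Functions introduced in OpenSSL 1.0.2, not in LibreSSL.
+['SSL_CTX_set_cert_cb'],
 
 # Functions introduced in OpenSSL 1.1.0. We used to check for
 # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
@@ -1310,7 +1309,7 @@ if sslopt in ['auto', 'openssl']
 if are_openssl_funcs_complete
 cdata.set('USE_OPENSSL',1,
 description:'Define to 1 to build with OpenSSL support. (-Dssl=openssl)')
-cdata.set('OPENSSL_API_COMPAT','0x10001000L',
+cdata.set('OPENSSL_API_COMPAT','0x10002000L',
 description:'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.')
 ssl_library='openssl'
 else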
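Review bot: The rewritten comment at new line 1269 of the first hunk, `# Functions introduced in OpenSSL 1.0.2, not in LibreSSL.`, is plural for the single entry that remains and now reads as though every 1.0.2 function were absent from LibreSSL, whereas the removed per-entry remark scoped "not in LibreSSL" to SSL_CTX_set_cert_cb alone. `# Function introduced in OpenSSL 1.0.2; LibreSSL does not have it.` keeps the scope precise and matches the wording this commit puts in configure.ac.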

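--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -209,10 +209,9 @@ scram_get_mechanisms(Port *port, StringInfo buf)
 /*
 * Advertise the mechanisms in decreasing order of importance. So the
 * channel-binding variants go first, if they are supported. Channel
-* binding is only supported with SSL, and only if the SSL implementation
-* has a function to get the certificate's hash.
+* binding is only supported with SSL.
 */
-#ifdefHAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdefUSE_SSL
 if (port->ssl_in_use)
 {
 appendStringInfoString(buf,SCRAM_SHA_256_PLUS_NAME);
@@ -251,13 +250,12 @@ scram_init(Port *port, const char *selected_mech, const char *shadow_pass)
 /*
 * Parse the selected mechanism.
 *
-* Note that if we don't support channel binding, either because the SSL
-* implementation doesn't support it or we're not using SSL at all, we
-* would not have advertised the PLUS variant in the first place. If the
-* client nevertheless tries to select it, it's a protocol violation like
-* selecting any other SASL mechanism we don't support.
+* Note that if we don't support channel binding, or if we're not using
+* SSL at all, we would not have advertised the PLUS variant in the first
+* place. If the client nevertheless tries to select it, it's a protocol
+* violation like selecting any other SASL mechanism we don't support.
 */
-#ifdefHAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdefUSE_SSL
 if (strcmp(selected_mech,SCRAM_SHA_256_PLUS_NAME)==0&&port->ssl_in_use)
 state->channel_binding_in_use= true;
 else
@@ -1010,7 +1008,7 @@ read_client_first_message(scram_state *state, const char *input)
 errmsg("malformed SCRAM message"),
 errdetail("The client selected SCRAM-SHA-256-PLUS, but the SCRAM message does not include channel binding data.")));
 
-#ifdefHAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdefUSE_SSL
 if (state->port->ssl_in_use)
 ereport(ERROR,
 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
@@ -1306,7 +1304,7 @@ read_client_final_message(scram_state *state, const char *input)
 channel_binding=read_attr_value(&p,'c');
 if (state->channel_binding_in_use)
 {
-#ifdefHAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdefUSE_SSL
 constchar*cbind_data=NULL;
 size_tcbind_data_len=0;
 size_tcbind_header_len;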
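Review bot: The four `#ifdef USE_SSL` guards (new lines 214, 258, 1011 and 1307) make the server advertise and accept SCRAM-SHA-256-PLUS on any SSL build where port->ssl_in_use is set, so every implementation behind USE_SSL must presumably provide a working be_tls_get_certificate_hash() for the channel-binding comparison that follows the cbind_data declarations in read_client_final_message; the block comment at new lines 210-212 says only that binding "is only supported with SSL" and does not record that obligation. I would extend it: `* binding is only supported with SSL, and every SSL implementation is` / `* expected to provide be_tls_get_certificate_hash().` The scram_init comment at new lines 253-256 still distinguishes "don't support channel binding" from "not using SSL", but after this change the only unsupported case is a build without SSL, so `* Note that if we're not using SSL, we would not have advertised the PLUS` / `* variant in the first place.` would be more accurate. The bodies of read_client_first_message and read_client_final_message continue outside their hunks.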

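--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -831,8 +831,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
 *
 * These functions are closely modelled on the standard socket BIO in OpenSSL;
 * see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
-* XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR as reasons
-* to retry; do we need to adopt their logic for that?
 */
 
 #ifndefHAVE_BIO_GET_DATA
@@ -1429,7 +1427,6 @@ be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
 ptr[0]='\0';
 }
 
-#if defined(HAVE_X509_GET_SIGNATURE_NID)|| defined(HAVE_X509_GET_SIGNATURE_INFO)
 char*
 be_tls_get_certificate_hash(Port*port,size_t*len)
 {
@@ -1488,7 +1485,6 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
 
 returncert_hash;
 }
-#endif
 
 /*
 * Convert an X509 subject name to a cstring.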

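--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -305,14 +305,8 @@ extern void be_tls_get_peer_serial(Port *port, char *ptr, size_t len);
 *
 * The result is a palloc'd hash of the server certificate with its
 * size, and NULL if there is no certificate available.
-*
-* This is not supported with old versions of OpenSSL that don't have
-* the X509_get_signature_nid() function.
 */
-#if defined(USE_OPENSSL)&& (defined(HAVE_X509_GET_SIGNATURE_NID)|| defined(HAVE_X509_GET_SIGNATURE_INFO))
-#defineHAVE_BE_TLS_GET_CERTIFICATE_HASH
 externchar*be_tls_get_certificate_hash(Port*port,size_t*len);
-#endif
 
 /* init hook for SSL, the default sets the password callback if appropriate */
 #ifdefUSE_OPENSSL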

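--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -529,9 +529,6 @@
 /* Define to 1 if you have the `X509_get_signature_info' function. */
 #undef HAVE_X509_GET_SIGNATURE_INFO
 
-/* Define to 1 if you have the `X509_get_signature_nid' function. */
-#undef HAVE_X509_GET_SIGNATURE_NID
-
 /* Define to 1 if the assembler supports X86_64's POPCNTQ instruction. */
 #undef HAVE_X86_64_POPCNTQ
 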

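--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -401,7 +401,7 @@ build_client_first_message(fe_scram_state *state)
 Assert(conn->ssl_in_use);
 appendPQExpBufferStr(&buf,"p=tls-server-end-point");
 }
-#ifdefHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdefUSE_SSL
 elseif (conn->channel_binding[0]!= 'd'&&/* disable */
 conn->ssl_in_use)
 {
@@ -474,7 +474,7 @@ build_client_final_message(fe_scram_state *state)
 */
 if (strcmp(state->sasl_mechanism,SCRAM_SHA_256_PLUS_NAME)==0)
 {
-#ifdefHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdefUSE_SSL
 char*cbind_data=NULL;
 size_tcbind_data_len=0;
 size_tcbind_header_len;
@@ -540,9 +540,9 @@ build_client_final_message(fe_scram_state *state)
 appendPQExpBufferStr(&conn->errorMessage,
 "channel binding not supported by this build\n");
 returnNULL;
-#endif/*HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH */
+#endif/*USE_SSL */
 }
-#ifdefHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdefUSE_SSL
 elseif (conn->channel_binding[0]!= 'd'&&/* disable */
 conn->ssl_in_use)
 appendPQExpBufferStr(&buf, "c=eSws");/* base64 of "y,,"*/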
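Review bot: The three `#ifdef USE_SSL` guards here (new lines 404, 477 and 545) and the one in fe-auth.c at new line 481 now take the channel-binding path on every SSL build, but the definition of the HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH macro they replace is not among the file sections shown on this page (10 of the 14 changed files are visible), so I cannot confirm from here that the definition was removed alongside; if it survives in the libpq headers it is now dead and should go. The "channel binding not supported by this build" message just above new line 543, presumably in the `#else` branch that the `#endif` closes, is now reachable only in a build without SSL, which is worth a short comment such as `/* no SSL at all: the server should not have offered -PLUS */` so a reader does not look for a second reason. build_client_final_message starts and ends outside the second and third hunks.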

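--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -478,7 +478,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 {
 /* The server has offered SCRAM-SHA-256-PLUS. */
 
-#ifdefHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdefUSE_SSL
 /*
 * The client supports channel binding, which is chosen if
 * channel_binding is not disabled.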
