Commitb2b1f12

committed
Use BIO_{get,set}_app_data instead of BIO_{get,set}_data.
We should have done it this way all along, but we accidentally got away with using the wrong BIO field up until OpenSSL 3.2. There, the library's BIO routines that we rely on use the "data" field for their own purposes, and our conflicting use causes assorted weird behaviors up to and including core dumps when SSL connections are attempted. Switch to using the approved field for the purpose, i.e. app_data.

While at it, remove our configure probes for BIO_get_data as well as the fallback implementation. BIO_{get,set}_app_data have been there since long before any OpenSSL version that we still support, even in the back branches.

Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor change in an error message spelling that evidently came in with 3.2.

Tristan Partin and Bo Andreson. Back-patch to all supported branches.

Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com
1 parent59c62a2 commitb2b1f12


7 files changed

+10
-25
lines changed


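--- a/configure
+++ b/configure
@@ -13071,7 +13071,7 @@ done
 # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
 # doesn't have these OpenSSL 1.1.0 functions. So check for individual
 # functions.
-for ac_func in OPENSSL_init_sslBIO_get_dataBIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free
+for ac_func in OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free
 do :
 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"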

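--- a/configure.ac
+++ b/configure.ac
@@ -1311,7 +1311,7 @@ if test "$with_ssl" = openssl ; then
 # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
 # doesn't have these OpenSSL 1.1.0 functions. So check for individual
 # functions.
-AC_CHECK_FUNCS([OPENSSL_init_sslBIO_get_dataBIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free])
+AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free])
 # OpenSSL versions before 1.1.0 required setting callback functions, for
 # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock()
 # function was removed.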

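--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -823,11 +823,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
 * to retry; do we need to adopt their logic for that?
 */
 
-#ifndefHAVE_BIO_GET_DATA
-#defineBIO_get_data(bio) (bio->ptr)
-#defineBIO_set_data(bio,data) (bio->ptr = data)
-#endif
-
 staticBIO_METHOD*my_bio_methods=NULL;
 
 staticint
@@ -837,7 +832,7 @@ my_sock_read(BIO *h, char *buf, int size)
 
 if (buf!=NULL)
 {
-res=secure_raw_read(((Port*)BIO_get_data(h)),buf,size);
+res=secure_raw_read(((Port*)BIO_get_app_data(h)),buf,size);
 BIO_clear_retry_flags(h);
 if (res <=0)
 {
@@ -857,7 +852,7 @@ my_sock_write(BIO *h, const char *buf, int size)
 {
 intres=0;
 
-res=secure_raw_write(((Port*)BIO_get_data(h)),buf,size);
+res=secure_raw_write(((Port*)BIO_get_app_data(h)),buf,size);
 BIO_clear_retry_flags(h);
 if (res <=0)
 {
@@ -933,7 +928,7 @@ my_SSL_set_fd(Port *port, int fd)
 SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
 gotoerr;
 }
-BIO_set_data(bio,port);
+BIO_set_app_data(bio,port);
 
 BIO_set_fd(bio,fd,BIO_NOCLOSE);
 SSL_set_bio(port->ssl,bio,bio);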
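Review bot: `BIO_set_app_data(bio, port)` in the my_SSL_set_fd hunk is called as if it cannot fail, but unlike the old `BIO_set_data` it is a macro over `BIO_set_ex_data(bio, 0, port)`, which returns 0 when the ex_data slot cannot be allocated. In that case `BIO_get_app_data(h)` in my_sock_read and my_sock_write would return NULL and the NULL would be handed to `secure_raw_read`/`secure_raw_write` as the Port, which presumably dereference it. I would check the result before `SSL_set_bio` takes ownership of the BIO, e.g. `if (!BIO_set_app_data(bio, port)) { BIO_free(bio); SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); goto err; }`. The same unchecked call is added in src/interfaces/libpq/fe-secure-openssl.c as `BIO_set_app_data(bio, conn)`. my_SSL_set_fd starts and ends outside the hunk, so whether the `err` path already releases `bio` needs confirming.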

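--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -86,9 +86,6 @@
 /* Define to 1 if you have the `backtrace_symbols' function. */
 #undef HAVE_BACKTRACE_SYMBOLS
 
-/* Define to 1 if you have the `BIO_get_data' function. */
-#undef HAVE_BIO_GET_DATA
-
 /* Define to 1 if you have the `BIO_meth_new' function. */
 #undef HAVE_BIO_METH_NEW
 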

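--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1661,11 +1661,6 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
 * to retry; do we need to adopt their logic for that?
 */
 
-#ifndefHAVE_BIO_GET_DATA
-#defineBIO_get_data(bio) (bio->ptr)
-#defineBIO_set_data(bio,data) (bio->ptr = data)
-#endif
-
 /* protected by ssl_config_mutex */
 staticBIO_METHOD*my_bio_methods;
 
@@ -1674,7 +1669,7 @@ my_sock_read(BIO *h, char *buf, int size)
 {
 intres;
 
-res=pqsecure_raw_read((PGconn*)BIO_get_data(h),buf,size);
+res=pqsecure_raw_read((PGconn*)BIO_get_app_data(h),buf,size);
 BIO_clear_retry_flags(h);
 if (res<0)
 {
@@ -1704,7 +1699,7 @@ my_sock_write(BIO *h, const char *buf, int size)
 {
 intres;
 
-res=pqsecure_raw_write((PGconn*)BIO_get_data(h),buf,size);
+res=pqsecure_raw_write((PGconn*)BIO_get_app_data(h),buf,size);
 BIO_clear_retry_flags(h);
 if (res<0)
 {
@@ -1823,7 +1818,7 @@ my_SSL_set_fd(PGconn *conn, int fd)
 SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
 gotoerr;
 }
-BIO_set_data(bio,conn);
+BIO_set_app_data(bio,conn);
 
 SSL_set_bio(conn->ssl,bio,bio);
 BIO_set_fd(bio,fd,BIO_NOCLOSE);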
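Review bot: Nothing at the `BIO_set_app_data(bio, conn)` call in my_SSL_set_fd, or at the two `BIO_get_app_data(h)` casts, records why app_data is used instead of the BIO's data field; the commit message is the only place that explains it. Because this BIO relies on OpenSSL's own BIO routines, which per the description use the data field themselves from 3.2 on, a later cleanup could plausibly switch back and reintroduce the crashes described there. I would add a comment above the set call, `/* Use app_data, not data: the OpenSSL BIO routines we rely on use the data field themselves (OpenSSL 3.2 and later). */`. The same comment fits my_SSL_set_fd in src/backend/libpq/be-secure-openssl.c.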

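--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -538,7 +538,7 @@
 $node->connect_fails(
 "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
 "certificate authorization fails with revoked client cert",
-expected_stderr=>qr/SSL error:sslv3 alert certificate revoked/,
+expected_stderr=>qr|SSL error:ssl[a-z0-9/]* alert certificate revoked|,
 # revoked certificates should not authenticate the user
 log_unlike=> [qr/connection authenticated:/],);
 
@@ -591,7 +591,7 @@
 $node->connect_fails(
 "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
 "certificate authorization fails with revoked client cert with server-side CRL directory",
-expected_stderr=>qr/SSL error:sslv3 alert certificate revoked/);
+expected_stderr=>qr|SSL error:ssl[a-z0-9/]* alert certificate revoked|);
 
 # clean up
 foreachmy$key (@keys)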
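Review bot: The second changed `connect_fails` call, the server-side CRL directory case, checks only `expected_stderr`, while the first call also asserts `log_unlike => [qr/connection authenticated:/]`. With the stderr pattern loosened to `ssl[a-z0-9/]*` in both places, the server-log assertion is the stronger evidence that a revoked client certificate was not accepted. I would add `log_unlike => [qr/connection authenticated:/],` after the `expected_stderr` line in the CRL directory case so both revocation tests verify the same thing.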

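--- a/src/tools/msvc/Solution.pm
+++ b/src/tools/msvc/Solution.pm
@@ -229,7 +229,6 @@ sub GenerateFiles
 HAVE_ATOMICS=> 1,
 HAVE_ATOMIC_H=>undef,
 HAVE_BACKTRACE_SYMBOLS=>undef,
-HAVE_BIO_GET_DATA=>undef,
 HAVE_BIO_METH_NEW=>undef,
 HAVE_CLOCK_GETTIME=>undef,
 HAVE_COMPUTED_GOTO=>undef,
@@ -562,7 +561,6 @@ sub GenerateFiles
 || ($digit1 >='1' &&$digit2 >='1' &&$digit3 >='0'))
 {
 $define{HAVE_ASN1_STRING_GET0_DATA} = 1;
-$define{HAVE_BIO_GET_DATA} = 1;
 $define{HAVE_BIO_METH_NEW} = 1;
 $define{HAVE_HMAC_CTX_FREE} = 1;
 $define{HAVE_HMAC_CTX_NEW} = 1;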
