NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commit9b7cd59

committed

Remove support for OpenSSL versions older than 0.9.8.

OpenSSL officially only supports 1.0.1 and newer. Some OS distributionsstill provide patches for 0.9.8, but anything older than that is notinteresting anymore. Let's simplify things by removing compatibility code.Andreas Karlsson, with small changes by me.

1 parentcf34fdb commit9b7cd59Copy full SHA for 9b7cd59

File tree

7 files changed

+20

-206

lines changed

contrib/pgcrypto
- openssl.c
doc/src/sgml
src
- backend/libpq
  - be-secure-openssl.c
- interfaces/libpq
  - fe-secure-openssl.c
  - libpq-int.h

7 files changed

+20

-206

lines changed

`‎contrib/pgcrypto/openssl.c`

Lines changed: 2 additions & 150 deletions

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@`
`37`	`37`	`#include<openssl/blowfish.h>`
`38`	`38`	`#include<openssl/cast.h>`
`39`	`39`	`#include<openssl/des.h>`
	`40`	`+#include<openssl/aes.h>`
`40`	`41`	`#include<openssl/rand.h>`
`41`	`42`	`#include<openssl/err.h>`
`42`	`43`
`@@ -46,155 +47,6 @@`
`46`	`47`	`#defineMAX_KEY(512/8)`
`47`	`48`	`#defineMAX_IV(128/8)`
`48`	`49`
`49`		`-/*`
`50`		`- * Compatibility with OpenSSL 0.9.6`
`51`		`- *`
`52`		`- * It needs AES and newer DES and digest API.`
`53`		`- */`
`54`		`-#ifOPENSSL_VERSION_NUMBER >=0x00907000L`
`55`		`-`
`56`		`-/*`
`57`		`- * Nothing needed for OpenSSL 0.9.7+`
`58`		`- */`
`59`		`-`
`60`		`-#include<openssl/aes.h>`
`61`		`-#else/* old OPENSSL */`
`62`		`-`
`63`		`-/*`
`64`		`- * Emulate OpenSSL AES.`
`65`		`- */`
`66`		`-`
`67`		`-#include"rijndael.c"`
`68`		`-`
`69`		`-#defineAES_ENCRYPT 1`
`70`		`-#defineAES_DECRYPT 0`
`71`		`-#defineAES_KEYrijndael_ctx`
`72`		`-`
`73`		`-staticint`
`74`		`-AES_set_encrypt_key(constuint8key,intkbits,AES_KEYctx)`
`75`		`-{`
`76`		`-aes_set_key(ctx,key,kbits,1);`
`77`		`-return0;`
`78`		`-}`
`79`		`-`
`80`		`-staticint`
`81`		`-AES_set_decrypt_key(constuint8key,intkbits,AES_KEYctx)`
`82`		`-{`
`83`		`-aes_set_key(ctx,key,kbits,0);`
`84`		`-return0;`
`85`		`-}`
`86`		`-`
`87`		`-staticvoid`
`88`		`-AES_ecb_encrypt(constuint8src,uint8dst,AES_KEY*ctx,intenc)`
`89`		`-{`
`90`		`-memcpy(dst,src,16);`
`91`		`-if (enc)`
`92`		`-aes_ecb_encrypt(ctx,dst,16);`
`93`		`-else`
`94`		`-aes_ecb_decrypt(ctx,dst,16);`
`95`		`-}`
`96`		`-`
`97`		`-staticvoid`
`98`		`-AES_cbc_encrypt(constuint8src,uint8dst,intlen,AES_KEYctx,uint8iv,intenc)`
`99`		`-{`
`100`		`-memcpy(dst,src,len);`
`101`		`-if (enc)`
`102`		`-{`
`103`		`-aes_cbc_encrypt(ctx,iv,dst,len);`
`104`		`-memcpy(iv,dst+len-16,16);`
`105`		`-}`
`106`		`-else`
`107`		`-{`
`108`		`-aes_cbc_decrypt(ctx,iv,dst,len);`
`109`		`-memcpy(iv,src+len-16,16);`
`110`		`-}`
`111`		`-}`
`112`		`-`
`113`		`-/*`
`114`		`- * Emulate DES_* API`
`115`		`- */`
`116`		`-`
`117`		`-#defineDES_key_schedule des_key_schedule`
`118`		`-#defineDES_cblock des_cblock`
`119`		`-#defineDES_set_key(k,ks) \`
`120`		`-des_set_key((k), *(ks))`
`121`		`-#defineDES_ecb_encrypt(i,o,k,e) \`
`122`		`-des_ecb_encrypt((i), (o), *(k), (e))`
`123`		`-#defineDES_ncbc_encrypt(i,o,l,k,iv,e) \`
`124`		`-des_ncbc_encrypt((i), (o), (l), *(k), (iv), (e))`
`125`		`-#defineDES_ecb3_encrypt(i,o,k1,k2,k3,e) \`
`126`		`-des_ecb3_encrypt((des_cblock )(i), (des_cblock )(o), \`
`127`		`-(k1), (k2), *(k3), (e))`
`128`		`-#defineDES_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e) \`
`129`		`-des_ede3_cbc_encrypt((i), (o), \`
`130`		`-(l), (k1), (k2), *(k3), (iv), (e))`
`131`		`-`
`132`		`-/*`
`133`		`- * Emulate newer digest API.`
`134`		`- */`
`135`		`-`
`136`		`-staticvoid`
`137`		`-EVP_MD_CTX_init(EVP_MD_CTX*ctx)`
`138`		`-{`
`139`		`-memset(ctx,0,sizeof(*ctx));`
`140`		`-}`
`141`		`-`
`142`		`-staticint`
`143`		`-EVP_MD_CTX_cleanup(EVP_MD_CTX*ctx)`
`144`		`-{`
`145`		`-px_memset(ctx,0,sizeof(*ctx));`
`146`		`-return1;`
`147`		`-}`
`148`		`-`
`149`		`-staticint`
`150`		`-EVP_DigestInit_ex(EVP_MD_CTXctx,constEVP_MDmd,void*engine)`
`151`		`-{`
`152`		`-EVP_DigestInit(ctx,md);`
`153`		`-return1;`
`154`		`-}`
`155`		`-`
`156`		`-staticint`
`157`		`-EVP_DigestFinal_ex(EVP_MD_CTXctx,unsignedcharres,unsignedint*len)`
`158`		`-{`
`159`		`-EVP_DigestFinal(ctx,res,len);`
`160`		`-return1;`
`161`		`-}`
`162`		`-#endif/* old OpenSSL */`
`163`		`-`
`164`		`-/*`
`165`		`- * Provide SHA2 for older OpenSSL < 0.9.8`
`166`		`- */`
`167`		`-#ifOPENSSL_VERSION_NUMBER<0x00908000L`
`168`		`-`
`169`		`-#include"sha2.c"`
`170`		`-#include"internal-sha2.c"`
`171`		`-`
`172`		`-typedefvoid (init_f) (PX_MDmd);`
`173`		`-`
`174`		`-staticint`
`175`		`-compat_find_digest(constcharname,PX_MD*res)`
`176`		`-{`
`177`		`-init_finit=NULL;`
`178`		`-`
`179`		`-if (pg_strcasecmp(name,"sha224")==0)`
`180`		`-init=init_sha224;`
`181`		`-elseif (pg_strcasecmp(name,"sha256")==0)`
`182`		`-init=init_sha256;`
`183`		`-elseif (pg_strcasecmp(name,"sha384")==0)`
`184`		`-init=init_sha384;`
`185`		`-elseif (pg_strcasecmp(name,"sha512")==0)`
`186`		`-init=init_sha512;`
`187`		`-else`
`188`		`-returnPXE_NO_HASH;`
`189`		`-`
`190`		`-*res=px_alloc(sizeof(PX_MD));`
`191`		`-init(*res);`
`192`		`-return0;`
`193`		`-}`
`194`		`-#else`
`195`		`-#definecompat_find_digest(name,res) (PXE_NO_HASH)`
`196`		`-#endif`
`197`		`-`
`198`	`50`	`/*`
`199`	`51`	`* Hashes`
`200`	`52`	`*/`
`@@ -275,7 +127,7 @@ px_find_digest(const char name, PX_MD *res)`
`275`	`127`
`276`	`128`	`md=EVP_get_digestbyname(name);`
`277`	`129`	`if (md==NULL)`
`278`		`-returncompat_find_digest(name,res);`
	`130`	`+returnPXE_NO_HASH;`
`279`	`131`
`280`	`132`	`digest=px_alloc(sizeof(*digest));`
`281`	`133`	`digest->algo=md;`

`‎doc/src/sgml/installation.sgml`

Lines changed: 11 additions & 28 deletions

Original file line number	Diff line number	Diff line change
`@@ -252,10 +252,17 @@ su - postgres`
`252`	`252`
`253`	`253`	`<listitem>`
`254`	`254`	`<para>`
`255`		`- You need <application>Kerberos</>, <productname>OpenSSL</>,`
`256`		`- <productname>OpenLDAP</>, and/or`
`257`		`- <application>PAM</>, if you want to support authentication or`
`258`		`- encryption using those services.`
	`255`	`+ You need <productname>OpenSSL</>, if you want to support`
	`256`	`+ encrypted client connections. The minimum required version is`
	`257`	`+ 0.9.8.`
	`258`	`+ </para>`
	`259`	`+ </listitem>`
	`260`	`+`
	`261`	`+ <listitem>`
	`262`	`+ <para>`
	`263`	`+ You need <application>Kerberos</>, <productname>OpenLDAP</>,`
	`264`	`+ and/or <application>PAM</>, if you want to support authentication`
	`265`	`+ using those services.`
`259`	`266`	`</para>`
`260`	`267`	`</listitem>`
`261`	`268`
`@@ -2826,30 +2833,6 @@ MANPATH=/usr/lib/scohelp/%L/man:/usr/dt/man:/usr/man:/usr/share/man:scohelp:/usr`
`2826`	`2833`	`</para>`
`2827`	`2834`	`</sect3>`
`2828`	`2835`
`2829`		`- <sect3>`
`2830`		`- <title>Problems with OpenSSL</title>`
`2831`		`-`
`2832`		`- <para>`
`2833`		`- When you build PostgreSQL with OpenSSL support you might get`
`2834`		`- compilation errors in the following files:`
`2835`		`- <itemizedlist>`
`2836`		`- <listitem><para><filename>src/backend/libpq/crypt.c</filename></para></listitem>`
`2837`		`- <listitem><para><filename>src/backend/libpq/password.c</filename></para></listitem>`
`2838`		`- <listitem><para><filename>src/interfaces/libpq/fe-auth.c</filename></para></listitem>`
`2839`		`- <listitem><para><filename>src/interfaces/libpq/fe-connect.c</filename></para></listitem>`
`2840`		`- </itemizedlist>`
`2841`		`-`
`2842`		`- This is because of a namespace conflict between the standard`
`2843`		`- <filename>/usr/include/crypt.h</filename> header and the header`
`2844`		`- files provided by OpenSSL.`
`2845`		`- </para>`
`2846`		`-`
`2847`		`- <para>`
`2848`		`- Upgrading your OpenSSL installation to version 0.9.6a fixes this`
`2849`		`- problem. Solaris 9 and above has a newer version of OpenSSL.`
`2850`		`- </para>`
`2851`		`- </sect3>`
`2852`		`-`
`2853`	`2836`	`<sect3>`
`2854`	`2837`	`<title>configure Complains About a Failed Test Program</title>`
`2855`	`2838`

`‎doc/src/sgml/libpq.sgml`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1238,8 +1238,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname`
`1238`	`1238`	`<listitem>`
`1239`	`1239`	`<para>`
`1240`	`1240`	`If set to 1 (default), data sent over SSL connections will be`
`1241`		`- compressed (this requires <productname>OpenSSL</> version`
`1242`		`- 0.9.8 or later).`
	`1241`	`+ compressed.`
`1243`	`1242`	`If set to 0, compression will be disabled (this requires`
`1244`	`1243`	`<productname>OpenSSL</> 1.0.0 or later).`
`1245`	`1244`	`This parameter is ignored if a connection without SSL is made,`

`‎doc/src/sgml/pgcrypto.sgml`

Lines changed: 3 additions & 15 deletions

Original file line number	Diff line number	Diff line change
`@@ -1184,12 +1184,12 @@ gen_random_uuid() returns uuid`
`1184`	`1184`	`<row>`
`1185`	`1185`	`<entry>SHA224/256/384/512</entry>`
`1186`	`1186`	`<entry>yes</entry>`
`1187`		`- <entry>yes (Note 1)</entry>`
	`1187`	`+ <entry>yes</entry>`
`1188`	`1188`	`</row>`
`1189`	`1189`	`<row>`
`1190`	`1190`	`<entry>Other digest algorithms</entry>`
`1191`	`1191`	`<entry>no</entry>`
`1192`		`- <entry>yes (Note2)</entry>`
	`1192`	`+ <entry>yes (Note1)</entry>`
`1193`	`1193`	`</row>`
`1194`	`1194`	`<row>`
`1195`	`1195`	`<entry>Blowfish</entry>`
`@@ -1199,7 +1199,7 @@ gen_random_uuid() returns uuid`
`1199`	`1199`	`<row>`
`1200`	`1200`	`<entry>AES</entry>`
`1201`	`1201`	`<entry>yes</entry>`
`1202`		`- <entry>yes (Note 3)</entry>`
	`1202`	`+ <entry>yes</entry>`
`1203`	`1203`	`</row>`
`1204`	`1204`	`<row>`
`1205`	`1205`	`<entry>DES/3DES/CAST5</entry>`
`@@ -1230,25 +1230,13 @@ gen_random_uuid() returns uuid`
`1230`	`1230`	`</para>`
`1231`	`1231`
`1232`	`1232`	`<orderedlist>`
`1233`		`- <listitem>`
`1234`		`- <para>`
`1235`		`- SHA2 algorithms were added to OpenSSL in version 0.9.8. For`
`1236`		`- older versions, <filename>pgcrypto</> will use built-in code.`
`1237`		`- </para>`
`1238`		`- </listitem>`
`1239`	`1233`	`<listitem>`
`1240`	`1234`	`<para>`
`1241`	`1235`	`Any digest algorithm OpenSSL supports is automatically picked up.`
`1242`	`1236`	`This is not possible with ciphers, which need to be supported`
`1243`	`1237`	`explicitly.`
`1244`	`1238`	`</para>`
`1245`	`1239`	`</listitem>`
`1246`		`- <listitem>`
`1247`		`- <para>`
`1248`		`- AES is included in OpenSSL since version 0.9.7. For`
`1249`		`- older versions, <filename>pgcrypto</> will use built-in code.`
`1250`		`- </para>`
`1251`		`- </listitem>`
`1252`	`1240`	`</orderedlist>`
`1253`	`1241`	`</sect3>`
`1254`	`1242`

`‎src/backend/libpq/be-secure-openssl.c`

Lines changed: 2 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -53,10 +53,8 @@`
`53`	`53`
`54`	`54`	`#include<openssl/ssl.h>`
`55`	`55`	`#include<openssl/dh.h>`
`56`		`-#ifSSLEAY_VERSION_NUMBER >=0x0907000L`
`57`	`56`	`#include<openssl/conf.h>`
`58`		`-#endif`
`59`		`-#if (OPENSSL_VERSION_NUMBER >=0x0090800fL)&& !defined(OPENSSL_NO_ECDH)`
	`57`	`+#ifndefOPENSSL_NO_ECDH`
`60`	`58`	`#include<openssl/ec.h>`
`61`	`59`	`#endif`
`62`	`60`
`@@ -166,9 +164,7 @@ be_tls_init(void)`
`166`	`164`
`167`	`165`	`if (!SSL_context)`
`168`	`166`	`{`
`169`		`-#ifSSLEAY_VERSION_NUMBER >=0x0907000L`
`170`	`167`	`OPENSSL_config(NULL);`
`171`		`-#endif`
`172`	`168`	`SSL_library_init();`
`173`	`169`	`SSL_load_error_strings();`
`174`	`170`
`@@ -978,7 +974,7 @@ info_cb(const SSL *ssl, int type, int args)`
`978`	`974`	`staticvoid`
`979`	`975`	`initialize_ecdh(void)`
`980`	`976`	`{`
`981`		`-#if (OPENSSL_VERSION_NUMBER >=0x0090800fL)&& !defined(OPENSSL_NO_ECDH)`
	`977`	`+#ifndefOPENSSL_NO_ECDH`
`982`	`978`	`EC_KEY*ecdh;`
`983`	`979`	`intnid;`
`984`	`980`

`‎src/interfaces/libpq/fe-secure-openssl.c`

Lines changed: 0 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -54,9 +54,7 @@`
`54`	`54`	`#endif`
`55`	`55`
`56`	`56`	`#include<openssl/ssl.h>`
`57`		`-#if (SSLEAY_VERSION_NUMBER >=0x00907000L)`
`58`	`57`	`#include<openssl/conf.h>`
`59`		`-#endif`
`60`	`58`	`#ifdefUSE_SSL_ENGINE`
`61`	`59`	`#include<openssl/engine.h>`
`62`	`60`	`#endif`
`@@ -848,9 +846,7 @@ pgtls_init(PGconn *conn)`
`848`	`846`	`{`
`849`	`847`	`if (pq_init_ssl_lib)`
`850`	`848`	`{`
`851`		`-#ifSSLEAY_VERSION_NUMBER >=0x00907000L`
`852`	`849`	`OPENSSL_config(NULL);`
`853`		`-#endif`
`854`	`850`	`SSL_library_init();`
`855`	`851`	`SSL_load_error_strings();`
`856`	`852`	`}`

`‎src/interfaces/libpq/libpq-int.h`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ typedef struct`
`77`	`77`	`#include<openssl/ssl.h>`
`78`	`78`	`#include<openssl/err.h>`
`79`	`79`
`80`		`-#if (SSLEAY_VERSION_NUMBER >=0x00907000L)&& !defined(OPENSSL_NO_ENGINE)`
	`80`	`+#ifndefOPENSSL_NO_ENGINE`
`81`	`81`	`#defineUSE_SSL_ENGINE`
`82`	`82`	`#endif`
`83`	`83`	`#endif/* USE_OPENSSL */`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9b7cd59

File tree

7 files changed

7 files changed

`‎contrib/pgcrypto/openssl.c`

`‎doc/src/sgml/installation.sgml`

`‎doc/src/sgml/libpq.sgml`

`‎doc/src/sgml/pgcrypto.sgml`

`‎src/backend/libpq/be-secure-openssl.c`

`‎src/interfaces/libpq/fe-secure-openssl.c`

`‎src/interfaces/libpq/libpq-int.h`

0 commit comments