Commit 9b7cd59a authored by Heikki Linnakangas's avatar Heikki Linnakangas

Remove support for OpenSSL versions older than 0.9.8.

OpenSSL officially only supports 1.0.1 and newer. Some OS distributions
still provide patches for 0.9.8, but anything older than that is not
interesting anymore. Let's simplify things by removing compatibility code.

Andreas Karlsson, with small changes by me.
parent cf34fdbb
...@@ -37,6 +37,7 @@ ...@@ -37,6 +37,7 @@
#include <openssl/blowfish.h> #include <openssl/blowfish.h>
#include <openssl/cast.h> #include <openssl/cast.h>
#include <openssl/des.h> #include <openssl/des.h>
#include <openssl/aes.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#include <openssl/err.h> #include <openssl/err.h>
...@@ -46,155 +47,6 @@ ...@@ -46,155 +47,6 @@
#define MAX_KEY (512/8) #define MAX_KEY (512/8)
#define MAX_IV (128/8) #define MAX_IV (128/8)
/*
* Compatibility with OpenSSL 0.9.6
*
* It needs AES and newer DES and digest API.
*/
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
/*
* Nothing needed for OpenSSL 0.9.7+
*/
#include <openssl/aes.h>
#else /* old OPENSSL */
/*
* Emulate OpenSSL AES.
*/
#include "rijndael.c"
#define AES_ENCRYPT 1
#define AES_DECRYPT 0
#define AES_KEY rijndael_ctx
static int
AES_set_encrypt_key(const uint8 *key, int kbits, AES_KEY *ctx)
{
aes_set_key(ctx, key, kbits, 1);
return 0;
}
static int
AES_set_decrypt_key(const uint8 *key, int kbits, AES_KEY *ctx)
{
aes_set_key(ctx, key, kbits, 0);
return 0;
}
static void
AES_ecb_encrypt(const uint8 *src, uint8 *dst, AES_KEY *ctx, int enc)
{
memcpy(dst, src, 16);
if (enc)
aes_ecb_encrypt(ctx, dst, 16);
else
aes_ecb_decrypt(ctx, dst, 16);
}
static void
AES_cbc_encrypt(const uint8 *src, uint8 *dst, int len, AES_KEY *ctx, uint8 *iv, int enc)
{
memcpy(dst, src, len);
if (enc)
{
aes_cbc_encrypt(ctx, iv, dst, len);
memcpy(iv, dst + len - 16, 16);
}
else
{
aes_cbc_decrypt(ctx, iv, dst, len);
memcpy(iv, src + len - 16, 16);
}
}
/*
* Emulate DES_* API
*/
#define DES_key_schedule des_key_schedule
#define DES_cblock des_cblock
#define DES_set_key(k, ks) \
des_set_key((k), *(ks))
#define DES_ecb_encrypt(i, o, k, e) \
des_ecb_encrypt((i), (o), *(k), (e))
#define DES_ncbc_encrypt(i, o, l, k, iv, e) \
des_ncbc_encrypt((i), (o), (l), *(k), (iv), (e))
#define DES_ecb3_encrypt(i, o, k1, k2, k3, e) \
des_ecb3_encrypt((des_cblock *)(i), (des_cblock *)(o), \
*(k1), *(k2), *(k3), (e))
#define DES_ede3_cbc_encrypt(i, o, l, k1, k2, k3, iv, e) \
des_ede3_cbc_encrypt((i), (o), \
(l), *(k1), *(k2), *(k3), (iv), (e))
/*
* Emulate newer digest API.
*/
static void
EVP_MD_CTX_init(EVP_MD_CTX *ctx)
{
memset(ctx, 0, sizeof(*ctx));
}
static int
EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
{
px_memset(ctx, 0, sizeof(*ctx));
return 1;
}
static int
EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine)
{
EVP_DigestInit(ctx, md);
return 1;
}
static int
EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *res, unsigned int *len)
{
EVP_DigestFinal(ctx, res, len);
return 1;
}
#endif /* old OpenSSL */
/*
* Provide SHA2 for older OpenSSL < 0.9.8
*/
#if OPENSSL_VERSION_NUMBER < 0x00908000L
#include "sha2.c"
#include "internal-sha2.c"
typedef void (*init_f) (PX_MD *md);
static int
compat_find_digest(const char *name, PX_MD **res)
{
init_f init = NULL;
if (pg_strcasecmp(name, "sha224") == 0)
init = init_sha224;
else if (pg_strcasecmp(name, "sha256") == 0)
init = init_sha256;
else if (pg_strcasecmp(name, "sha384") == 0)
init = init_sha384;
else if (pg_strcasecmp(name, "sha512") == 0)
init = init_sha512;
else
return PXE_NO_HASH;
*res = px_alloc(sizeof(PX_MD));
init(*res);
return 0;
}
#else
#define compat_find_digest(name, res) (PXE_NO_HASH)
#endif
/* /*
* Hashes * Hashes
*/ */
...@@ -275,7 +127,7 @@ px_find_digest(const char *name, PX_MD **res) ...@@ -275,7 +127,7 @@ px_find_digest(const char *name, PX_MD **res)
md = EVP_get_digestbyname(name); md = EVP_get_digestbyname(name);
if (md == NULL) if (md == NULL)
return compat_find_digest(name, res); return PXE_NO_HASH;
digest = px_alloc(sizeof(*digest)); digest = px_alloc(sizeof(*digest));
digest->algo = md; digest->algo = md;
......
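Review bot: With the `compat_find_digest` fallback gone, `px_find_digest` now returns `PXE_NO_HASH` at runtime whenever `EVP_get_digestbyname` does not know the name, and nothing on the new side enforces the 0.9.8 minimum that the removed `#if OPENSSL_VERSION_NUMBER` blocks used to encode — a build against an older library would silently lose SHA-2 in pgcrypto instead of failing to compile. I would add a guard next to the now-unconditional `#include <openssl/aes.h>`: `#if OPENSSL_VERSION_NUMBER < 0x00908000L` / `#error "pgcrypto requires OpenSSL 0.9.8 or newer"` / `#endif`. The lookup also depends on OpenSSL's digest table having been populated (OpenSSL_add_all_algorithms or equivalent) before this point; I cannot see from this hunk where that happens, so a one-line comment at the `EVP_get_digestbyname` call naming where the table is loaded would help. The body of `px_find_digest` starts and continues outside the visible hunk.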
...@@ -252,10 +252,17 @@ su - postgres ...@@ -252,10 +252,17 @@ su - postgres
<listitem> <listitem>
<para> <para>
You need <application>Kerberos</>, <productname>OpenSSL</>, You need <productname>OpenSSL</>, if you want to support
<productname>OpenLDAP</>, and/or encrypted client connections. The minimum required version is
<application>PAM</>, if you want to support authentication or 0.9.8.
encryption using those services. </para>
</listitem>
<listitem>
<para>
You need <application>Kerberos</>, <productname>OpenLDAP</>,
and/or <application>PAM</>, if you want to support authentication
using those services.
</para> </para>
</listitem> </listitem>
...@@ -2826,30 +2833,6 @@ MANPATH=/usr/lib/scohelp/%L/man:/usr/dt/man:/usr/man:/usr/share/man:scohelp:/usr ...@@ -2826,30 +2833,6 @@ MANPATH=/usr/lib/scohelp/%L/man:/usr/dt/man:/usr/man:/usr/share/man:scohelp:/usr
</para> </para>
</sect3> </sect3>
<sect3>
<title>Problems with OpenSSL</title>
<para>
When you build PostgreSQL with OpenSSL support you might get
compilation errors in the following files:
<itemizedlist>
<listitem><para><filename>src/backend/libpq/crypt.c</filename></para></listitem>
<listitem><para><filename>src/backend/libpq/password.c</filename></para></listitem>
<listitem><para><filename>src/interfaces/libpq/fe-auth.c</filename></para></listitem>
<listitem><para><filename>src/interfaces/libpq/fe-connect.c</filename></para></listitem>
</itemizedlist>
This is because of a namespace conflict between the standard
<filename>/usr/include/crypt.h</filename> header and the header
files provided by OpenSSL.
</para>
<para>
Upgrading your OpenSSL installation to version 0.9.6a fixes this
problem. Solaris 9 and above has a newer version of OpenSSL.
</para>
</sect3>
<sect3> <sect3>
<title>configure Complains About a Failed Test Program</title> <title>configure Complains About a Failed Test Program</title>
......
...@@ -1238,8 +1238,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname ...@@ -1238,8 +1238,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<listitem> <listitem>
<para> <para>
If set to 1 (default), data sent over SSL connections will be If set to 1 (default), data sent over SSL connections will be
compressed (this requires <productname>OpenSSL</> version compressed.
0.9.8 or later).
If set to 0, compression will be disabled (this requires If set to 0, compression will be disabled (this requires
<productname>OpenSSL</> 1.0.0 or later). <productname>OpenSSL</> 1.0.0 or later).
This parameter is ignored if a connection without SSL is made, This parameter is ignored if a connection without SSL is made,
......
...@@ -1184,12 +1184,12 @@ gen_random_uuid() returns uuid ...@@ -1184,12 +1184,12 @@ gen_random_uuid() returns uuid
<row> <row>
<entry>SHA224/256/384/512</entry> <entry>SHA224/256/384/512</entry>
<entry>yes</entry> <entry>yes</entry>
<entry>yes (Note 1)</entry> <entry>yes</entry>
</row> </row>
<row> <row>
<entry>Other digest algorithms</entry> <entry>Other digest algorithms</entry>
<entry>no</entry> <entry>no</entry>
<entry>yes (Note 2)</entry> <entry>yes (Note 1)</entry>
</row> </row>
<row> <row>
<entry>Blowfish</entry> <entry>Blowfish</entry>
...@@ -1199,7 +1199,7 @@ gen_random_uuid() returns uuid ...@@ -1199,7 +1199,7 @@ gen_random_uuid() returns uuid
<row> <row>
<entry>AES</entry> <entry>AES</entry>
<entry>yes</entry> <entry>yes</entry>
<entry>yes (Note 3)</entry> <entry>yes</entry>
</row> </row>
<row> <row>
<entry>DES/3DES/CAST5</entry> <entry>DES/3DES/CAST5</entry>
...@@ -1230,12 +1230,6 @@ gen_random_uuid() returns uuid ...@@ -1230,12 +1230,6 @@ gen_random_uuid() returns uuid
</para> </para>
<orderedlist> <orderedlist>
<listitem>
<para>
SHA2 algorithms were added to OpenSSL in version 0.9.8. For
older versions, <filename>pgcrypto</> will use built-in code.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Any digest algorithm OpenSSL supports is automatically picked up. Any digest algorithm OpenSSL supports is automatically picked up.
...@@ -1243,12 +1237,6 @@ gen_random_uuid() returns uuid ...@@ -1243,12 +1237,6 @@ gen_random_uuid() returns uuid
explicitly. explicitly.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
AES is included in OpenSSL since version 0.9.7. For
older versions, <filename>pgcrypto</> will use built-in code.
</para>
</listitem>
</orderedlist> </orderedlist>
</sect3> </sect3>
......
...@@ -53,10 +53,8 @@ ...@@ -53,10 +53,8 @@
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/dh.h> #include <openssl/dh.h>
#if SSLEAY_VERSION_NUMBER >= 0x0907000L
#include <openssl/conf.h> #include <openssl/conf.h>
#endif #ifndef OPENSSL_NO_ECDH
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_ECDH)
#include <openssl/ec.h> #include <openssl/ec.h>
#endif #endif
...@@ -166,9 +164,7 @@ be_tls_init(void) ...@@ -166,9 +164,7 @@ be_tls_init(void)
if (!SSL_context) if (!SSL_context)
{ {
#if SSLEAY_VERSION_NUMBER >= 0x0907000L
OPENSSL_config(NULL); OPENSSL_config(NULL);
#endif
SSL_library_init(); SSL_library_init();
SSL_load_error_strings(); SSL_load_error_strings();
...@@ -978,7 +974,7 @@ info_cb(const SSL *ssl, int type, int args) ...@@ -978,7 +974,7 @@ info_cb(const SSL *ssl, int type, int args)
static void static void
initialize_ecdh(void) initialize_ecdh(void)
{ {
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_ECDH) #ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh; EC_KEY *ecdh;
int nid; int nid;
......
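Review bot: The `OPENSSL_config(NULL)` call in `be_tls_init` is now unconditional and carries no comment, and on the 0.9.8/1.0.x series this commit targets that function, if I remember the library source correctly, reacts to a malformed configuration file by printing to stderr and calling `exit()` rather than returning an error, so a broken system openssl.cnf (or `OPENSSL_CONF` pointing at one) would terminate the postmaster during SSL initialization. Since the version guard that used to draw attention to it is gone, I would document that at the call site: `/* Load the default OpenSSL config file; in the OpenSSL versions we support a parse error here terminates the process rather than returning. */`. The ECDH setup in `initialize_ecdh` continues outside the hunk, so I cannot assess what the `#ifndef OPENSSL_NO_ECDH` branch falls back to when the library is built without ECDH. `be_tls_init` starts and ends outside the hunk.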
...@@ -54,9 +54,7 @@ ...@@ -54,9 +54,7 @@
#endif #endif
#include <openssl/ssl.h> #include <openssl/ssl.h>
#if (SSLEAY_VERSION_NUMBER >= 0x00907000L)
#include <openssl/conf.h> #include <openssl/conf.h>
#endif
#ifdef USE_SSL_ENGINE #ifdef USE_SSL_ENGINE
#include <openssl/engine.h> #include <openssl/engine.h>
#endif #endif
...@@ -848,9 +846,7 @@ pgtls_init(PGconn *conn) ...@@ -848,9 +846,7 @@ pgtls_init(PGconn *conn)
{ {
if (pq_init_ssl_lib) if (pq_init_ssl_lib)
{ {
#if SSLEAY_VERSION_NUMBER >= 0x00907000L
OPENSSL_config(NULL); OPENSSL_config(NULL);
#endif
SSL_library_init(); SSL_library_init();
SSL_load_error_strings(); SSL_load_error_strings();
} }
......
...@@ -77,7 +77,7 @@ typedef struct ...@@ -77,7 +77,7 @@ typedef struct
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/err.h> #include <openssl/err.h>
#if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE) #ifndef OPENSSL_NO_ENGINE
#define USE_SSL_ENGINE #define USE_SSL_ENGINE
#endif #endif
#endif /* USE_OPENSSL */ #endif /* USE_OPENSSL */
......