summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHeikki Linnakangas2016-08-29 17:16:02 +0000
committerHeikki Linnakangas2016-08-29 17:16:02 +0000
commit9b7cd59af1afcfbd786921d5cf73befb5fefa2f7 (patch)
tree6020bf1a8fbd72fa73ac490b2a72b2f50c9800db
parentcf34fdbbe1452b9e19c0956bc48494889e1b2777 (diff)
Remove support for OpenSSL versions older than 0.9.8.
OpenSSL officially only supports 1.0.1 and newer. Some OS distributions still provide patches for 0.9.8, but anything older than that is not interesting anymore. Let's simplify things by removing compatibility code. Andreas Karlsson, with small changes by me.
-rw-r--r--contrib/pgcrypto/openssl.c152
-rw-r--r--doc/src/sgml/installation.sgml39
-rw-r--r--doc/src/sgml/libpq.sgml3
-rw-r--r--doc/src/sgml/pgcrypto.sgml18
-rw-r--r--src/backend/libpq/be-secure-openssl.c8
-rw-r--r--src/interfaces/libpq/fe-secure-openssl.c4
-rw-r--r--src/interfaces/libpq/libpq-int.h2
7 files changed, 20 insertions, 206 deletions
diff --git a/contrib/pgcrypto/openssl.c b/contrib/pgcrypto/openssl.c
index 976af70591..ffab5d2bb0 100644
--- a/contrib/pgcrypto/openssl.c
+++ b/contrib/pgcrypto/openssl.c
@@ -37,6 +37,7 @@
#include <openssl/blowfish.h>
#include <openssl/cast.h>
#include <openssl/des.h>
+#include <openssl/aes.h>
#include <openssl/rand.h>
#include <openssl/err.h>
@@ -47,155 +48,6 @@
#define MAX_IV (128/8)
/*
- * Compatibility with OpenSSL 0.9.6
- *
- * It needs AES and newer DES and digest API.
- */
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-
-/*
- * Nothing needed for OpenSSL 0.9.7+
- */
-
-#include <openssl/aes.h>
-#else /* old OPENSSL */
-
-/*
- * Emulate OpenSSL AES.
- */
-
-#include "rijndael.c"
-
-#define AES_ENCRYPT 1
-#define AES_DECRYPT 0
-#define AES_KEY rijndael_ctx
-
-static int
-AES_set_encrypt_key(const uint8 *key, int kbits, AES_KEY *ctx)
-{
- aes_set_key(ctx, key, kbits, 1);
- return 0;
-}
-
-static int
-AES_set_decrypt_key(const uint8 *key, int kbits, AES_KEY *ctx)
-{
- aes_set_key(ctx, key, kbits, 0);
- return 0;
-}
-
-static void
-AES_ecb_encrypt(const uint8 *src, uint8 *dst, AES_KEY *ctx, int enc)
-{
- memcpy(dst, src, 16);
- if (enc)
- aes_ecb_encrypt(ctx, dst, 16);
- else
- aes_ecb_decrypt(ctx, dst, 16);
-}
-
-static void
-AES_cbc_encrypt(const uint8 *src, uint8 *dst, int len, AES_KEY *ctx, uint8 *iv, int enc)
-{
- memcpy(dst, src, len);
- if (enc)
- {
- aes_cbc_encrypt(ctx, iv, dst, len);
- memcpy(iv, dst + len - 16, 16);
- }
- else
- {
- aes_cbc_decrypt(ctx, iv, dst, len);
- memcpy(iv, src + len - 16, 16);
- }
-}
-
-/*
- * Emulate DES_* API
- */
-
-#define DES_key_schedule des_key_schedule
-#define DES_cblock des_cblock
-#define DES_set_key(k, ks) \
- des_set_key((k), *(ks))
-#define DES_ecb_encrypt(i, o, k, e) \
- des_ecb_encrypt((i), (o), *(k), (e))
-#define DES_ncbc_encrypt(i, o, l, k, iv, e) \
- des_ncbc_encrypt((i), (o), (l), *(k), (iv), (e))
-#define DES_ecb3_encrypt(i, o, k1, k2, k3, e) \
- des_ecb3_encrypt((des_cblock *)(i), (des_cblock *)(o), \
- *(k1), *(k2), *(k3), (e))
-#define DES_ede3_cbc_encrypt(i, o, l, k1, k2, k3, iv, e) \
- des_ede3_cbc_encrypt((i), (o), \
- (l), *(k1), *(k2), *(k3), (iv), (e))
-
-/*
- * Emulate newer digest API.
- */
-
-static void
-EVP_MD_CTX_init(EVP_MD_CTX *ctx)
-{
- memset(ctx, 0, sizeof(*ctx));
-}
-
-static int
-EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
-{
- px_memset(ctx, 0, sizeof(*ctx));
- return 1;
-}
-
-static int
-EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine)
-{
- EVP_DigestInit(ctx, md);
- return 1;
-}
-
-static int
-EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *res, unsigned int *len)
-{
- EVP_DigestFinal(ctx, res, len);
- return 1;
-}
-#endif /* old OpenSSL */
-
-/*
- * Provide SHA2 for older OpenSSL < 0.9.8
- */
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-
-#include "sha2.c"
-#include "internal-sha2.c"
-
-typedef void (*init_f) (PX_MD *md);
-
-static int
-compat_find_digest(const char *name, PX_MD **res)
-{
- init_f init = NULL;
-
- if (pg_strcasecmp(name, "sha224") == 0)
- init = init_sha224;
- else if (pg_strcasecmp(name, "sha256") == 0)
- init = init_sha256;
- else if (pg_strcasecmp(name, "sha384") == 0)
- init = init_sha384;
- else if (pg_strcasecmp(name, "sha512") == 0)
- init = init_sha512;
- else
- return PXE_NO_HASH;
-
- *res = px_alloc(sizeof(PX_MD));
- init(*res);
- return 0;
-}
-#else
-#define compat_find_digest(name, res) (PXE_NO_HASH)
-#endif
-
-/*
* Hashes
*/
@@ -275,7 +127,7 @@ px_find_digest(const char *name, PX_MD **res)
md = EVP_get_digestbyname(name);
if (md == NULL)
- return compat_find_digest(name, res);
+ return PXE_NO_HASH;
digest = px_alloc(sizeof(*digest));
digest->algo = md;
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index a9968756e6..14a6d57aea 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -252,10 +252,17 @@ su - postgres
<listitem>
<para>
- You need <application>Kerberos</>, <productname>OpenSSL</>,
- <productname>OpenLDAP</>, and/or
- <application>PAM</>, if you want to support authentication or
- encryption using those services.
+ You need <productname>OpenSSL</>, if you want to support
+ encrypted client connections. The minimum required version is
+ 0.9.8.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ You need <application>Kerberos</>, <productname>OpenLDAP</>,
+ and/or <application>PAM</>, if you want to support authentication
+ using those services.
</para>
</listitem>
@@ -2827,30 +2834,6 @@ MANPATH=/usr/lib/scohelp/%L/man:/usr/dt/man:/usr/man:/usr/share/man:scohelp:/usr
</sect3>
<sect3>
- <title>Problems with OpenSSL</title>
-
- <para>
- When you build PostgreSQL with OpenSSL support you might get
- compilation errors in the following files:
- <itemizedlist>
- <listitem><para><filename>src/backend/libpq/crypt.c</filename></para></listitem>
- <listitem><para><filename>src/backend/libpq/password.c</filename></para></listitem>
- <listitem><para><filename>src/interfaces/libpq/fe-auth.c</filename></para></listitem>
- <listitem><para><filename>src/interfaces/libpq/fe-connect.c</filename></para></listitem>
- </itemizedlist>
-
- This is because of a namespace conflict between the standard
- <filename>/usr/include/crypt.h</filename> header and the header
- files provided by OpenSSL.
- </para>
-
- <para>
- Upgrading your OpenSSL installation to version 0.9.6a fixes this
- problem. Solaris 9 and above has a newer version of OpenSSL.
- </para>
- </sect3>
-
- <sect3>
<title>configure Complains About a Failed Test Program</title>
<para>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 2f9350b10e..4e34f00e44 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1238,8 +1238,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<listitem>
<para>
If set to 1 (default), data sent over SSL connections will be
- compressed (this requires <productname>OpenSSL</> version
- 0.9.8 or later).
+ compressed.
If set to 0, compression will be disabled (this requires
<productname>OpenSSL</> 1.0.0 or later).
This parameter is ignored if a connection without SSL is made,
diff --git a/doc/src/sgml/pgcrypto.sgml b/doc/src/sgml/pgcrypto.sgml
index c4cefde4f7..bf514aacf3 100644
--- a/doc/src/sgml/pgcrypto.sgml
+++ b/doc/src/sgml/pgcrypto.sgml
@@ -1184,12 +1184,12 @@ gen_random_uuid() returns uuid
<row>
<entry>SHA224/256/384/512</entry>
<entry>yes</entry>
- <entry>yes (Note 1)</entry>
+ <entry>yes</entry>
</row>
<row>
<entry>Other digest algorithms</entry>
<entry>no</entry>
- <entry>yes (Note 2)</entry>
+ <entry>yes (Note 1)</entry>
</row>
<row>
<entry>Blowfish</entry>
@@ -1199,7 +1199,7 @@ gen_random_uuid() returns uuid
<row>
<entry>AES</entry>
<entry>yes</entry>
- <entry>yes (Note 3)</entry>
+ <entry>yes</entry>
</row>
<row>
<entry>DES/3DES/CAST5</entry>
@@ -1232,23 +1232,11 @@ gen_random_uuid() returns uuid
<orderedlist>
<listitem>
<para>
- SHA2 algorithms were added to OpenSSL in version 0.9.8. For
- older versions, <filename>pgcrypto</> will use built-in code.
- </para>
- </listitem>
- <listitem>
- <para>
Any digest algorithm OpenSSL supports is automatically picked up.
This is not possible with ciphers, which need to be supported
explicitly.
</para>
</listitem>
- <listitem>
- <para>
- AES is included in OpenSSL since version 0.9.7. For
- older versions, <filename>pgcrypto</> will use built-in code.
- </para>
- </listitem>
</orderedlist>
</sect3>
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index f6adb155c6..e5f434ca17 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -53,10 +53,8 @@
#include <openssl/ssl.h>
#include <openssl/dh.h>
-#if SSLEAY_VERSION_NUMBER >= 0x0907000L
#include <openssl/conf.h>
-#endif
-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_ECDH)
+#ifndef OPENSSL_NO_ECDH
#include <openssl/ec.h>
#endif
@@ -166,9 +164,7 @@ be_tls_init(void)
if (!SSL_context)
{
-#if SSLEAY_VERSION_NUMBER >= 0x0907000L
OPENSSL_config(NULL);
-#endif
SSL_library_init();
SSL_load_error_strings();
@@ -978,7 +974,7 @@ info_cb(const SSL *ssl, int type, int args)
static void
initialize_ecdh(void)
{
-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_ECDH)
+#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh;
int nid;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index f6ce1c7a13..d8716128ec 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -54,9 +54,7 @@
#endif
#include <openssl/ssl.h>
-#if (SSLEAY_VERSION_NUMBER >= 0x00907000L)
#include <openssl/conf.h>
-#endif
#ifdef USE_SSL_ENGINE
#include <openssl/engine.h>
#endif
@@ -848,9 +846,7 @@ pgtls_init(PGconn *conn)
{
if (pq_init_ssl_lib)
{
-#if SSLEAY_VERSION_NUMBER >= 0x00907000L
OPENSSL_config(NULL);
-#endif
SSL_library_init();
SSL_load_error_strings();
}
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 1183323a44..a94ead04ff 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -77,7 +77,7 @@ typedef struct
#include <openssl/ssl.h>
#include <openssl/err.h>
-#if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE)
+#ifndef OPENSSL_NO_ENGINE
#define USE_SSL_ENGINE
#endif
#endif /* USE_OPENSSL */