diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2023-11-28 12:34:03 -0500 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2023-11-28 12:34:03 -0500 |
| commit | efa8f606402c3d7ca361932418cbcc2600b6c059 (patch) | |
| tree | f886968f567835f61178af9dd08de672ada46a2d /src | |
| parent | 9fee3232a1d3661981c3cbf87227bfd02ee36c7b (diff) | |
| download | postgresql-efa8f606402c3d7ca361932418cbcc2600b6c059.tar.gz postgresql-efa8f606402c3d7ca361932418cbcc2600b6c059.zip | |
Use BIO_{get,set}_app_data instead of BIO_{get,set}_data.
We should have done it this way all along, but we accidentally got
away with using the wrong BIO field up until OpenSSL 3.2. There,
the library's BIO routines that we rely on use the "data" field
for their own purposes, and our conflicting use causes assorted
weird behaviors up to and including core dumps when SSL connections
are attempted. Switch to using the approved field for the purpose,
i.e. app_data.
While at it, remove our configure probes for BIO_get_data as well
as the fallback implementation. BIO_{get,set}_app_data have been
there since long before any OpenSSL version that we still support,
even in the back branches.
Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor
change in an error message spelling that evidently came in with 3.2.
Tristan Partin and Bo Andreson. Back-patch to all supported branches.
Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 11 | ||||
| -rw-r--r-- | src/include/pg_config.h.in | 3 | ||||
| -rw-r--r-- | src/interfaces/libpq/fe-secure-openssl.c | 11 | ||||
| -rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 6 | ||||
| -rw-r--r-- | src/tools/msvc/Solution.pm | 2 |
5 files changed, 9 insertions, 24 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index e9c86d08df2..49dca0cda9f 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -844,11 +844,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor) * to retry; do we need to adopt their logic for that? */ -#ifndef HAVE_BIO_GET_DATA -#define BIO_get_data(bio) (bio->ptr) -#define BIO_set_data(bio, data) (bio->ptr = data) -#endif - static BIO_METHOD *my_bio_methods = NULL; static int @@ -858,7 +853,7 @@ my_sock_read(BIO *h, char *buf, int size) if (buf != NULL) { - res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size); + res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size); BIO_clear_retry_flags(h); if (res <= 0) { @@ -878,7 +873,7 @@ my_sock_write(BIO *h, const char *buf, int size) { int res = 0; - res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size); + res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size); BIO_clear_retry_flags(h); if (res <= 0) { @@ -954,7 +949,7 @@ my_SSL_set_fd(Port *port, int fd) SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); goto err; } - BIO_set_data(bio, port); + BIO_set_app_data(bio, port); BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set_bio(port->ssl, bio, bio); diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index 6d572c38204..174544630e3 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -70,9 +70,6 @@ /* Define to 1 if you have the `backtrace_symbols' function. */ #undef HAVE_BACKTRACE_SYMBOLS -/* Define to 1 if you have the `BIO_get_data' function. */ -#undef HAVE_BIO_GET_DATA - /* Define to 1 if you have the `BIO_meth_new' function. */ #undef HAVE_BIO_METH_NEW diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 5a44ac5c305..93cf70b0ed6 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -1830,11 +1830,6 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) * to retry; do we need to adopt their logic for that? */ -#ifndef HAVE_BIO_GET_DATA -#define BIO_get_data(bio) (bio->ptr) -#define BIO_set_data(bio, data) (bio->ptr = data) -#endif - /* protected by ssl_config_mutex */ static BIO_METHOD *my_bio_methods; @@ -1843,7 +1838,7 @@ my_sock_read(BIO *h, char *buf, int size) { int res; - res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size); + res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size); BIO_clear_retry_flags(h); if (res < 0) { @@ -1873,7 +1868,7 @@ my_sock_write(BIO *h, const char *buf, int size) { int res; - res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size); + res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size); BIO_clear_retry_flags(h); if (res < 0) { @@ -1992,7 +1987,7 @@ my_SSL_set_fd(PGconn *conn, int fd) SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); goto err; } - BIO_set_data(bio, conn); + BIO_set_app_data(bio, conn); SSL_set_bio(conn->ssl, bio, bio); BIO_set_fd(bio, fd, BIO_NOCLOSE); diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 76442de063f..9bb28fbc832 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -781,7 +781,7 @@ $node->connect_fails( "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " . sslkey('client-revoked.key'), "certificate authorization fails with revoked client cert", - expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, + expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|, # temporarily(?) skip this check due to timing issue # log_like => [ # qr{Client certificate verification failed at depth 0: certificate revoked}, @@ -886,7 +886,7 @@ $node->connect_fails( "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " . sslkey('client-revoked.key'), "certificate authorization fails with revoked client cert with server-side CRL directory", - expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, + expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|, # temporarily(?) skip this check due to timing issue # log_like => [ # qr{Client certificate verification failed at depth 0: certificate revoked}, @@ -899,7 +899,7 @@ $node->connect_fails( "$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt " . sslkey('client-revoked-utf8.key'), "certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory", - expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, + expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|, # temporarily(?) skip this check due to timing issue # log_like => [ # qr{Client certificate verification failed at depth 0: certificate revoked}, diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm index b6d31c35835..711fae853f8 100644 --- a/src/tools/msvc/Solution.pm +++ b/src/tools/msvc/Solution.pm @@ -225,7 +225,6 @@ sub GenerateFiles HAVE_ATOMICS => 1, HAVE_ATOMIC_H => undef, HAVE_BACKTRACE_SYMBOLS => undef, - HAVE_BIO_GET_DATA => undef, HAVE_BIO_METH_NEW => undef, HAVE_COMPUTED_GOTO => undef, HAVE_COPYFILE => undef, @@ -503,7 +502,6 @@ sub GenerateFiles || ($digit1 >= '1' && $digit2 >= '1' && $digit3 >= '0')) { $define{HAVE_ASN1_STRING_GET0_DATA} = 1; - $define{HAVE_BIO_GET_DATA} = 1; $define{HAVE_BIO_METH_NEW} = 1; $define{HAVE_HMAC_CTX_FREE} = 1; $define{HAVE_HMAC_CTX_NEW} = 1; |