-rw-r--r-- | contrib/pgcrypto/openssl.c | 152 | ||||
-rw-r--r-- | doc/src/sgml/installation.sgml | 39 | ||||
-rw-r--r-- | doc/src/sgml/libpq.sgml | 3 | ||||
-rw-r--r-- | doc/src/sgml/pgcrypto.sgml | 18 | ||||
-rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 8 | ||||
-rw-r--r-- | src/interfaces/libpq/fe-secure-openssl.c | 4 | ||||
-rw-r--r-- | src/interfaces/libpq/libpq-int.h | 2 |
7 files changed, 20 insertions, 206 deletions
diff --git a/contrib/pgcrypto/openssl.c b/contrib/pgcrypto/openssl.c
index 976af705915..ffab5d2bb0e 100644
--- a/contrib/pgcrypto/openssl.c
+++ b/contrib/pgcrypto/openssl.c
@@ -37,6 +37,7 @@
 #include <openssl/blowfish.h>
 #include <openssl/cast.h>
 #include <openssl/des.h>
+#include <openssl/aes.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
 
@@ -47,155 +48,6 @@
 #define MAX_IV (128/8)
 /*
- * Compatibility with OpenSSL 0.9.6
- *
- * It needs AES and newer DES and digest API.
- */
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-
-/*
- * Nothing needed for OpenSSL 0.9.7+
- */
-
-#include <openssl/aes.h>
-#else /* old OPENSSL */
-
-/*
- * Emulate OpenSSL AES.
- */
-
-#include "rijndael.c"
-
-#define AES_ENCRYPT 1
-#define AES_DECRYPT 0
-#define AES_KEY rijndael_ctx
-
-static int
-AES_set_encrypt_key(const uint8 *key, int kbits, AES_KEY *ctx)
-{
- aes_set_key(ctx, key, kbits, 1);
- return 0;
-}
-
-static int
-AES_set_decrypt_key(const uint8 *key, int kbits, AES_KEY *ctx)
-{
- aes_set_key(ctx, key, kbits, 0);
- return 0;
-}
-
-static void
-AES_ecb_encrypt(const uint8 *src, uint8 *dst, AES_KEY *ctx, int enc)
-{
- memcpy(dst, src, 16);
- if (enc)
- aes_ecb_encrypt(ctx, dst, 16);
- else
- aes_ecb_decrypt(ctx, dst, 16);
-}
-
-static void
-AES_cbc_encrypt(const uint8 *src, uint8 *dst, int len, AES_KEY *ctx, uint8 *iv, int enc)
-{
- memcpy(dst, src, len);
- if (enc)
- {
- aes_cbc_encrypt(ctx, iv, dst, len);
- memcpy(iv, dst + len - 16, 16);
- }
- else
- {
- aes_cbc_decrypt(ctx, iv, dst, len);
- memcpy(iv, src + len - 16, 16);
- }
-}
-
-/*
- * Emulate DES_* API
- */
-
-#define DES_key_schedule des_key_schedule
-#define DES_cblock des_cblock
-#define DES_set_key(k, ks) \
- des_set_key((k), *(ks))
-#define DES_ecb_encrypt(i, o, k, e) \
- des_ecb_encrypt((i), (o), *(k), (e))
-#define DES_ncbc_encrypt(i, o, l, k, iv, e) \
- des_ncbc_encrypt((i), (o), (l), *(k), (iv), (e))
-#define DES_ecb3_encrypt(i, o, k1, k2, k3, e) \
- des_ecb3_encrypt((des_cblock *)(i), (des_cblock *)(o), \
- *(k1), *(k2), *(k3), (e))
-#define DES_ede3_cbc_encrypt(i, o, l, k1, k2, k3, iv, e) \
- des_ede3_cbc_encrypt((i), (o), \
- (l), *(k1), *(k2), *(k3), (iv), (e))
-
-/*
- * Emulate newer digest API.
- */
-
-static void
-EVP_MD_CTX_init(EVP_MD_CTX *ctx)
-{
- memset(ctx, 0, sizeof(*ctx));
-}
-
-static int
-EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
-{
- px_memset(ctx, 0, sizeof(*ctx));
- return 1;
-}
-
-static int
-EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine)
-{
- EVP_DigestInit(ctx, md);
- return 1;
-}
-
-static int
-EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *res, unsigned int *len)
-{
- EVP_DigestFinal(ctx, res, len);
- return 1;
-}
-#endif /* old OpenSSL */
-
-/*
- * Provide SHA2 for older OpenSSL < 0.9.8
- */
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-
-#include "sha2.c"
-#include "internal-sha2.c"
-
-typedef void (*init_f) (PX_MD *md);
-
-static int
-compat_find_digest(const char *name, PX_MD **res)
-{
- init_f init = NULL;
-
- if (pg_strcasecmp(name, "sha224") == 0)
- init = init_sha224;
- else if (pg_strcasecmp(name, "sha256") == 0)
- init = init_sha256;
- else if (pg_strcasecmp(name, "sha384") == 0)
- init = init_sha384;
- else if (pg_strcasecmp(name, "sha512") == 0)
- init = init_sha512;
- else
- return PXE_NO_HASH;
-
- *res = px_alloc(sizeof(PX_MD));
- init(*res);
- return 0;
-}
-#else
-#define compat_find_digest(name, res) (PXE_NO_HASH)
-#endif
-
-/*
 * Hashes
 */
@@ -275,7 +127,7 @@ px_find_digest(const char *name, PX_MD **res)
 md = EVP_get_digestbyname(name);
 if (md == NULL)
- return compat_find_digest(name, res);
+ return PXE_NO_HASH;
 digest = px_alloc(sizeof(*digest));
 digest->algo = md;
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index a9968756e65..14a6d57aeaf 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
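Review bot: The removed `#if OPENSSL_VERSION_NUMBER` block was the only place in this file that pinned the OpenSSL version pgcrypto is built against, and nothing replaces it, so a build against a library older than the 0.9.8 minimum that installation.sgml now documents fails on the first missing symbol instead of with a clear message. Where the compatibility block stood, a guard such as `#if OPENSSL_VERSION_NUMBER < 0x00908000L`, `#error "pgcrypto requires OpenSSL 0.9.8 or later"`, `#endif` gives a one-line diagnosis, and a short comment stating the minimum would serve the next reader. The same conditionals are dropped without a replacement in be-secure-openssl.c, fe-secure-openssl.c and libpq-int.h, so a single guard in a shared header (or presumably the configure check) would cover all four files. In the px_find_digest hunk, `return PXE_NO_HASH;` is the right sole fallback now that compat_find_digest is gone; that function's body starts and ends outside the hunk.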
@@ -252,10 +252,17 @@ su - postgres
 <listitem>
 <para>
- You need <application>Kerberos</>, <productname>OpenSSL</>,
- <productname>OpenLDAP</>, and/or
- <application>PAM</>, if you want to support authentication or
- encryption using those services.
+ You need <productname>OpenSSL</>, if you want to support
+ encrypted client connections. The minimum required version is
+ 0.9.8.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ You need <application>Kerberos</>, <productname>OpenLDAP</>,
+ and/or <application>PAM</>, if you want to support authentication
+ using those services.
 </para>
 </listitem>
@@ -2827,30 +2834,6 @@ MANPATH=/usr/lib/scohelp/%L/man:/usr/dt/man:/usr/man:/usr/share/man:scohelp:/usr
 </sect3>
 <sect3>
- <title>Problems with OpenSSL</title>
-
- <para>
- When you build PostgreSQL with OpenSSL support you might get
- compilation errors in the following files:
- <itemizedlist>
- <listitem><para><filename>src/backend/libpq/crypt.c</filename></para></listitem>
- <listitem><para><filename>src/backend/libpq/password.c</filename></para></listitem>
- <listitem><para><filename>src/interfaces/libpq/fe-auth.c</filename></para></listitem>
- <listitem><para><filename>src/interfaces/libpq/fe-connect.c</filename></para></listitem>
- </itemizedlist>
-
- This is because of a namespace conflict between the standard
- <filename>/usr/include/crypt.h</filename> header and the header
- files provided by OpenSSL.
- </para>
-
- <para>
- Upgrading your OpenSSL installation to version 0.9.6a fixes this
- problem. Solaris 9 and above has a newer version of OpenSSL.
- </para>
- </sect3>
-
- <sect3>
 <title>configure Complains About a Failed Test Program</title>
 <para>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 2f9350b10e1..4e34f00e44d 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1238,8 +1238,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
 <listitem>
 <para>
 If set to 1 (default), data sent over SSL connections will be
- compressed (this requires <productname>OpenSSL</> version
- 0.9.8 or later).
+ compressed.
 If set to 0, compression will be disabled (this requires <productname>OpenSSL</> 1.0.0 or later). This parameter is ignored if a connection without SSL is made,
diff --git a/doc/src/sgml/pgcrypto.sgml b/doc/src/sgml/pgcrypto.sgml
index c4cefde4f78..bf514aacf35 100644
--- a/doc/src/sgml/pgcrypto.sgml
+++ b/doc/src/sgml/pgcrypto.sgml
@@ -1184,12 +1184,12 @@ gen_random_uuid() returns uuid
 <row>
 <entry>SHA224/256/384/512</entry>
 <entry>yes</entry>
- <entry>yes (Note 1)</entry>
+ <entry>yes</entry>
 </row>
 <row>
 <entry>Other digest algorithms</entry>
 <entry>no</entry>
- <entry>yes (Note 2)</entry>
+ <entry>yes (Note 1)</entry>
 </row>
 <row>
 <entry>Blowfish</entry>
@@ -1199,7 +1199,7 @@ gen_random_uuid() returns uuid
 <row>
 <entry>AES</entry>
 <entry>yes</entry>
- <entry>yes (Note 3)</entry>
+ <entry>yes</entry>
 </row>
 <row>
 <entry>DES/3DES/CAST5</entry>
@@ -1232,23 +1232,11 @@ gen_random_uuid() returns uuid
 <orderedlist>
 <listitem>
 <para>
- SHA2 algorithms were added to OpenSSL in version 0.9.8. For
- older versions, <filename>pgcrypto</> will use built-in code.
- </para>
- </listitem>
- <listitem>
- <para>
 Any digest algorithm OpenSSL supports is automatically picked up. This is not possible with ciphers, which need to be supported explicitly.
 </para>
 </listitem>
- <listitem>
- <para>
- AES is included in OpenSSL since version 0.9.7. For
- older versions, <filename>pgcrypto</> will use built-in code.
- </para>
- </listitem>
 </orderedlist>
 </sect3>
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index f6adb155c6e..e5f434ca17a 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -53,10 +53,8 @@
 #include <openssl/ssl.h>
 #include <openssl/dh.h>
-#if SSLEAY_VERSION_NUMBER >= 0x0907000L
 #include <openssl/conf.h>
-#endif
-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_ECDH)
+#ifndef OPENSSL_NO_ECDH
 #include <openssl/ec.h>
 #endif
@@ -166,9 +164,7 @@ be_tls_init(void)
 if (!SSL_context)
 {
-#if SSLEAY_VERSION_NUMBER >= 0x0907000L
 OPENSSL_config(NULL);
-#endif
 SSL_library_init();
 SSL_load_error_strings();
@@ -978,7 +974,7 @@ info_cb(const SSL *ssl, int type, int args)
 static void
 initialize_ecdh(void)
 {
-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_ECDH)
+#ifndef OPENSSL_NO_ECDH
 EC_KEY *ecdh;
 int nid;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index f6ce1c7a13d..d8716128ec9 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -54,9 +54,7 @@
 #endif
 #include <openssl/ssl.h>
-#if (SSLEAY_VERSION_NUMBER >= 0x00907000L)
 #include <openssl/conf.h>
-#endif
 #ifdef USE_SSL_ENGINE
 #include <openssl/engine.h>
 #endif
@@ -848,9 +846,7 @@ pgtls_init(PGconn *conn)
 {
 if (pq_init_ssl_lib)
 {
-#if SSLEAY_VERSION_NUMBER >= 0x00907000L
 OPENSSL_config(NULL);
-#endif
 SSL_library_init();
 SSL_load_error_strings();
 }
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 1183323a445..a94ead04ff3 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -77,7 +77,7 @@ typedef struct
 #include <openssl/ssl.h>
 #include <openssl/err.h>
-#if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE)
+#ifndef OPENSSL_NO_ENGINE
 #define USE_SSL_ENGINE
 #endif
 #endif /* USE_OPENSSL */ |