0001-ssl-Declare-variables-const-as-per-OpenSSL-4-API-upd.patch
application/octet-stream
Filename: 0001-ssl-Declare-variables-const-as-per-OpenSSL-4-API-upd.patch
Type: application/octet-stream
Part: 0
Message:
PostgreSQL and OpenSSL 4.0.0
Patch
Same data as JSON:
GET /api/v1/attachments/:id/patch
the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes.
API reference →
Format: format-patch
Series: patch 0001
Subject: ssl: Declare variables const as per OpenSSL 4 API updates
| File | + | − |
|---|---|---|
| contrib/sslinfo/sslinfo.c | 10 | 10 |
| src/backend/libpq/be-secure-openssl.c | 7 | 7 |
| src/interfaces/libpq/fe-secure-openssl.c | 5 | 4 |
From 8c878a8c98816bd47c6e7f39e86f5e477fc230ec Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Thu, 16 Apr 2026 15:20:13 +0200
Subject: [PATCH] ssl: Declare variables const as per OpenSSL 4 API updates
OpenSSL 4.0.0 changed some parameters and return values to const,
update our declarations and subsequently cast away constness from
a few callsites to make libpq build without warnings with OpenSSL
1.1.1 through 4.0.0. as well as LibreSSL.
---
contrib/sslinfo/sslinfo.c | 20 ++++++++++----------
src/backend/libpq/be-secure-openssl.c | 14 +++++++-------
src/interfaces/libpq/fe-secure-openssl.c | 9 +++++----
3 files changed, 22 insertions(+), 21 deletions(-)
diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 2b9eb90b093..c4ae847880d 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -24,8 +24,8 @@ PG_MODULE_MAGIC_EXT(
.version = PG_VERSION
);
-static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
-static Datum ASN1_STRING_to_text(ASN1_STRING *str);
+static Datum X509_NAME_field_to_text(const X509_NAME *name, text *fieldName);
+static Datum ASN1_STRING_to_text(const ASN1_STRING *str);
/*
* Function context for data persisting over repeated calls.
@@ -148,7 +148,7 @@ ssl_client_serial(PG_FUNCTION_ARGS)
* function.
*/
static Datum
-ASN1_STRING_to_text(ASN1_STRING *str)
+ASN1_STRING_to_text(const ASN1_STRING *str)
{
BIO *membuf;
size_t size;
@@ -194,12 +194,12 @@ ASN1_STRING_to_text(ASN1_STRING *str)
* part of name
*/
static Datum
-X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
+X509_NAME_field_to_text(const X509_NAME *name, text *fieldName)
{
char *string_fieldname;
int nid,
index;
- ASN1_STRING *data;
+ const ASN1_STRING *data;
string_fieldname = text_to_cstring(fieldName);
nid = OBJ_txt2nid(string_fieldname);
@@ -209,7 +209,7 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
errmsg("invalid X.509 field name: \"%s\"",
string_fieldname)));
pfree(string_fieldname);
- index = X509_NAME_get_index_by_NID(name, nid, -1);
+ index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, name), nid, -1);
if (index < 0)
return (Datum) 0;
data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index));
@@ -421,8 +421,8 @@ ssl_extension_info(PG_FUNCTION_ARGS)
HeapTuple tuple;
Datum result;
BIO *membuf;
- X509_EXTENSION *ext;
- ASN1_OBJECT *obj;
+ const X509_EXTENSION *ext;
+ const ASN1_OBJECT *obj;
int nid;
int len;
@@ -435,7 +435,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
/* Get the extension from the certificate */
ext = X509_get_ext(cert, call_cntr);
- obj = X509_EXTENSION_get_object(ext);
+ obj = X509_EXTENSION_get_object(unconstify(X509_EXTENSION *, ext));
/* Get the extension name */
nid = OBJ_obj2nid(obj);
@@ -448,7 +448,7 @@ ssl_extension_info(PG_FUNCTION_ARGS)
nulls[0] = false;
/* Get the extension value */
- if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
+ if (X509V3_EXT_print(membuf, unconstify(X509_EXTENSION *, ext), 0, 0) <= 0)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("could not print extension value in certificate at position %d",
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index a3e222f3a3d..3bf96022e1b 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -106,7 +106,7 @@ static void host_context_cleanup_cb(void *arg);
static int sni_clienthello_cb(SSL *ssl, int *al, void *arg);
#endif
-static char *X509_NAME_to_cstring(X509_NAME *name);
+static char *X509_NAME_to_cstring(const X509_NAME *name);
static SSL_CTX *SSL_context = NULL;
static MemoryContext SSL_hosts_memcxt = NULL;
@@ -1071,18 +1071,18 @@ aloop:
if (port->peer != NULL)
{
int len;
- X509_NAME *x509name = X509_get_subject_name(port->peer);
+ const X509_NAME *x509name = X509_get_subject_name(port->peer);
char *peer_dn;
BIO *bio = NULL;
BUF_MEM *bio_buf = NULL;
- len = X509_NAME_get_text_by_NID(x509name, NID_commonName, NULL, 0);
+ len = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, NULL, 0);
if (len != -1)
{
char *peer_cn;
peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1);
- r = X509_NAME_get_text_by_NID(x509name, NID_commonName, peer_cn,
+ r = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, peer_cn,
len + 1);
peer_cn[len] = '\0';
if (r != len)
@@ -2333,14 +2333,14 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
*
*/
static char *
-X509_NAME_to_cstring(X509_NAME *name)
+X509_NAME_to_cstring(const X509_NAME *name)
{
BIO *membuf = BIO_new(BIO_s_mem());
int i,
nid,
count = X509_NAME_entry_count(name);
- X509_NAME_ENTRY *e;
- ASN1_STRING *v;
+ const X509_NAME_ENTRY *e;
+ const ASN1_STRING *v;
const char *field_name;
size_t size;
char nullterm;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index fbd3c63fb5d..6b44eeb68eb 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -67,7 +67,7 @@
static int verify_cb(int ok, X509_STORE_CTX *ctx);
static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
- ASN1_STRING *name_entry,
+ const ASN1_STRING *name_entry,
char **store_name);
static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
ASN1_OCTET_STRING *addr_entry,
@@ -467,7 +467,8 @@ cert_cb(SSL *ssl, void *arg)
* into a plain C string.
*/
static int
-openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
+openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
+ const ASN1_STRING *name_entry,
char **store_name)
{
int len;
@@ -650,14 +651,14 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
*/
if (check_cn)
{
- X509_NAME *subject_name;
+ const X509_NAME *subject_name;
subject_name = X509_get_subject_name(conn->peer);
if (subject_name != NULL)
{
int cn_index;
- cn_index = X509_NAME_get_index_by_NID(subject_name,
+ cn_index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, subject_name),
NID_commonName, -1);
if (cn_index >= 0)
{
--
2.39.3 (Apple Git-146)