Re: OpenSSL 1.1 breaks configure and more

Heikki Linnakangas <hlinnaka@iki.fi>

From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Andreas Karlsson <andreas@proxel.se>, Victor Wagner <vitus@wagner.pp.ru>, pgsql-hackers@postgresql.org, Christoph Berg <myon@debian.org>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2016-09-12T16:51:09Z
Lists: pgsql-hackers

Attachments

On 09/05/2016 02:52 PM, Heikki Linnakangas wrote:
> On 09/05/2016 03:23 AM, Tom Lane wrote:
>> Judging by the number of people who have popped up recently with their
>> own OpenSSL 1.1 patches, I think there is going to be a lot of demand for
>> back-patching some sort of 1.1 support into our back branches.  All this
>> talk of refactoring does not sound very back-patchable.  Should we be
>> thinking of what we can extract that is back-patchable?
>
> Yes, I think you're right.

I planned to commit this today, but while reading through it and 
testing, I ended up doing a bunch more changes, so this deserves another 
round of review.

Changes since last version:

* Added more error checks to the my_BIO_s_socket() function. Check for 
NULL result from malloc(). Check the return code of BIO_meth_set_*() 
functions; looking at OpenSSL sources, they always succeed, but all the 
test/example programs that come with OpenSSL do check them.

* Use BIO_get_new_index() to get the index number for the wrapper BIO.

* Also call BIO_meth_set_puts(). It was missing in previous patch versions.

* Fixed src/test/ssl test suite to also work with OpenSSL 1.1.0.

* Changed all references (in existing code) to SSLEAY_VERSION_NUMBER 
into OPENSSL_VERSION_NUMBER, for consistency.

* Squashed all into one patch.

I intend to apply this to all supported branches, so please have a look! 
This is now against REL9_6_STABLE, but there should be little difference 
between branches in the code that this touches.

- Heikki

Commits

  1. Back-patch 9.4-era SSL renegotiation code into 9.3 and 9.2.