143 lines
5.4 KiB
Diff
143 lines
5.4 KiB
Diff
|
Backport of commit b2b1f12882fb561c7d474b834044dd8ed570bfea to 16.1
|
||
|
|
||
|
Use BIO_{get,set}_app_data instead of BIO_{get,set}_data.
|
||
|
|
||
|
We should have done it this way all along, but we accidentally got
|
||
|
away with using the wrong BIO field up until OpenSSL 3.2. There,
|
||
|
the library's BIO routines that we rely on use the "data" field
|
||
|
for their own purposes, and our conflicting use causes assorted
|
||
|
weird behaviors up to and including core dumps when SSL connections
|
||
|
are attempted. Switch to using the approved field for the purpose,
|
||
|
i.e. app_data.
|
||
|
|
||
|
While at it, remove our configure probes for BIO_get_data as well
|
||
|
as the fallback implementation. BIO_{get,set}_app_data have been
|
||
|
there since long before any OpenSSL version that we still support,
|
||
|
even in the back branches.
|
||
|
|
||
|
Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor
|
||
|
change in an error message spelling that evidently came in with 3.2.
|
||
|
|
||
|
Tristan Partin and Bo Andreson. Back-patch to all supported branches.
|
||
|
|
||
|
Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com
|
||
|
---
|
||
|
|
||
|
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
|
||
|
index 31b6a6eacdf0..1b8b32c5b39e 100644
|
||
|
--- a/src/backend/libpq/be-secure-openssl.c
|
||
|
+++ b/src/backend/libpq/be-secure-openssl.c
|
||
|
@@ -842,11 +842,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
|
||
|
* to retry; do we need to adopt their logic for that?
|
||
|
*/
|
||
|
|
||
|
-#ifndef HAVE_BIO_GET_DATA
|
||
|
-#define BIO_get_data(bio) (bio->ptr)
|
||
|
-#define BIO_set_data(bio, data) (bio->ptr = data)
|
||
|
-#endif
|
||
|
-
|
||
|
static BIO_METHOD *my_bio_methods = NULL;
|
||
|
|
||
|
static int
|
||
|
@@ -856,7 +851,7 @@ my_sock_read(BIO *h, char *buf, int size)
|
||
|
|
||
|
if (buf != NULL)
|
||
|
{
|
||
|
- res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size);
|
||
|
+ res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf, size);
|
||
|
BIO_clear_retry_flags(h);
|
||
|
if (res <= 0)
|
||
|
{
|
||
|
@@ -876,7 +871,7 @@ my_sock_write(BIO *h, const char *buf, int size)
|
||
|
{
|
||
|
int res = 0;
|
||
|
|
||
|
- res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size);
|
||
|
+ res = secure_raw_write(((Port *) BIO_get_app_data(h)), buf, size);
|
||
|
BIO_clear_retry_flags(h);
|
||
|
if (res <= 0)
|
||
|
{
|
||
|
@@ -952,7 +947,7 @@ my_SSL_set_fd(Port *port, int fd)
|
||
|
SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
|
||
|
goto err;
|
||
|
}
|
||
|
- BIO_set_data(bio, port);
|
||
|
+ BIO_set_app_data(bio, port);
|
||
|
|
||
|
BIO_set_fd(bio, fd, BIO_NOCLOSE);
|
||
|
SSL_set_bio(port->ssl, bio, bio);
|
||
|
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
|
||
|
index 4aeaf08312ce..e669bdbf1d2d 100644
|
||
|
--- a/src/interfaces/libpq/fe-secure-openssl.c
|
||
|
+++ b/src/interfaces/libpq/fe-secure-openssl.c
|
||
|
@@ -1815,11 +1815,6 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
|
||
|
* to retry; do we need to adopt their logic for that?
|
||
|
*/
|
||
|
|
||
|
-#ifndef HAVE_BIO_GET_DATA
|
||
|
-#define BIO_get_data(bio) (bio->ptr)
|
||
|
-#define BIO_set_data(bio, data) (bio->ptr = data)
|
||
|
-#endif
|
||
|
-
|
||
|
static BIO_METHOD *my_bio_methods;
|
||
|
|
||
|
static int
|
||
|
@@ -1828,7 +1823,7 @@ my_sock_read(BIO *h, char *buf, int size)
|
||
|
{
|
||
|
int res;
|
||
|
|
||
|
- res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size);
|
||
|
+ res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size);
|
||
|
BIO_clear_retry_flags(h);
|
||
|
if (res < 0)
|
||
|
{
|
||
|
@@ -1858,7 +1853,7 @@ my_sock_write(BIO *h, const char *buf, int size)
|
||
|
{
|
||
|
int res;
|
||
|
|
||
|
- res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size);
|
||
|
+ res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size);
|
||
|
BIO_clear_retry_flags(h);
|
||
|
if (res < 0)
|
||
|
{
|
||
|
@@ -1968,7 +1963,7 @@ my_SSL_set_fd(PGconn *conn, int fd)
|
||
|
SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
|
||
|
goto err;
|
||
|
}
|
||
|
- BIO_set_data(bio, conn);
|
||
|
+ BIO_set_app_data(bio, conn);
|
||
|
|
||
|
SSL_set_bio(conn->ssl, bio, bio);
|
||
|
BIO_set_fd(bio, fd, BIO_NOCLOSE);
|
||
|
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
|
||
|
index a049fd2ff03a..d921f1dde9fa 100644
|
||
|
--- a/src/test/ssl/t/001_ssltests.pl
|
||
|
+++ b/src/test/ssl/t/001_ssltests.pl
|
||
|
@@ -776,7 +776,7 @@ sub switch_server_cert
|
||
|
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
|
||
|
. sslkey('client-revoked.key'),
|
||
|
"certificate authorization fails with revoked client cert",
|
||
|
- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
|
||
|
+ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
|
||
|
# temporarily(?) skip this check due to timing issue
|
||
|
# log_like => [
|
||
|
# qr{Client certificate verification failed at depth 0: certificate revoked},
|
||
|
@@ -881,7 +881,7 @@ sub switch_server_cert
|
||
|
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
|
||
|
. sslkey('client-revoked.key'),
|
||
|
"certificate authorization fails with revoked client cert with server-side CRL directory",
|
||
|
- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
|
||
|
+ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
|
||
|
# temporarily(?) skip this check due to timing issue
|
||
|
# log_like => [
|
||
|
# qr{Client certificate verification failed at depth 0: certificate revoked},
|
||
|
@@ -894,7 +894,7 @@ sub switch_server_cert
|
||
|
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt "
|
||
|
. sslkey('client-revoked-utf8.key'),
|
||
|
"certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory",
|
||
|
- expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
|
||
|
+ expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
|
||
|
# temporarily(?) skip this check due to timing issue
|
||
|
# log_like => [
|
||
|
# qr{Client certificate verification failed at depth 0: certificate revoked},
|