Обсуждение: Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL
Gregory Stark <stark@enterprisedb.com> writes: > "Magnus Hagander" <mha@postgresql.org> writes: >> Use BIO functions to avoid passing FILE * pointers to OpenSSL functions. > Several buildfarm machines are failing: http://www.openssl.org/docs/crypto/ERR_set_mark.html says ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8. Ooops. Back to the drawing board. regards, tom lane
I wrote: > http://www.openssl.org/docs/crypto/ERR_set_mark.html > says > ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8. > Ooops. Back to the drawing board. To get the buildfarm going again, I applied a patch that turns these calls into no-ops if the local OpenSSL hasn't got the functions. I'm not entirely sure if the net result is a regression for pre-0.9.8 OpenSSLs or not --- Magnus, any thoughts on that? regards, tom lane
Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL
От
"Magnus Hagander"
Дата:
> > http://www.openssl.org/docs/crypto/ERR_set_mark.html > > says > > ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8. > > > Ooops. Back to the drawing board. > > To get the buildfarm going again, I applied a patch that turns these > calls into no-ops if the local OpenSSL hasn't got the functions. > I'm not entirely sure if the net result is a regression for pre-0.9.8 > OpenSSLs or not --- Magnus, any thoughts on that? I think it is. With Dave's part of the patch and not mine, you get the incorrect error message. It requires that you setsslmode to required which I did't originally note, but if you do you'll get the wrong error. Not sure what's the least evil fix. We could ifdef the whole fix and use the old code for earlier openssl but bio for 0.9.8. Or we could implement my other ideato load the certificate earlier. Or we could just say live with the error message on older openssl. Or someone has another idea? /Magnus
Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL
От
"Magnus Hagander"
Дата:
> > http://www.openssl.org/docs/crypto/ERR_set_mark.html > > says > > ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8. > > > Ooops. Back to the drawing board. > > To get the buildfarm going again, I applied a patch that turns these > calls into no-ops if the local OpenSSL hasn't got the functions. > I'm not entirely sure if the net result is a regression for pre-0.9.8 > OpenSSLs or not --- Magnus, any thoughts on that? > I thought of a compromise. We can put back a check if the file exists without using bio. That would cover some 99 percentof the messages coming out of that routine, I bet. And things would still work correct in 0.9.8. /Magnus
Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL
От
Magnus Hagander
Дата:
On Tue, Oct 02, 2007 at 08:42:28AM +0200, Magnus Hagander wrote: > > > http://www.openssl.org/docs/crypto/ERR_set_mark.html > > > says > > > ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8. > > > > > Ooops. Back to the drawing board. > > > > To get the buildfarm going again, I applied a patch that turns these > > calls into no-ops if the local OpenSSL hasn't got the functions. > > I'm not entirely sure if the net result is a regression for pre-0.9.8 > > OpenSSLs or not --- Magnus, any thoughts on that? > > > > I thought of a compromise. We can put back a check if the file exists without using bio. That would cover some 99 percentof the messages coming out of that > routine, I bet. And things would still work correct in 0.9.8. Here's an example of what I meant. I think this can be reasonable - OpenSSL 0.9.8 is from 2005 after all, so it's not like we're requiring something extremely new.. //Magnus
Вложения
Magnus Hagander <magnus@hagander.net> writes:
>> I thought of a compromise. We can put back a check if the file exists without using bio. That would cover some 99
percentof the messages coming out of that
>> routine, I bet. And things would still work correct in 0.9.8.
> Here's an example of what I meant.
+1, but I think you should "#ifndef HAVE_ERR_SET_MARK" the added code.
Also, maybe try to fopen rather than just fstat?
regards, tom lane
Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL
От
Magnus Hagander
Дата:
On Tue, Oct 02, 2007 at 10:04:19AM -0400, Tom Lane wrote: > Magnus Hagander <magnus@hagander.net> writes: > >> I thought of a compromise. We can put back a check if the file exists without using bio. That would cover some 99 percentof the messages coming out of that > >> routine, I bet. And things would still work correct in 0.9.8. > > > Here's an example of what I meant. > > +1, but I think you should "#ifndef HAVE_ERR_SET_MARK" the added code. > Also, maybe try to fopen rather than just fstat? Done on both, and applied. //Magnus