Thread: Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL

Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL

From
Tom Lane
Date:
Gregory Stark <stark@enterprisedb.com> writes:
> "Magnus Hagander" <mha@postgresql.org> writes:
>> Use BIO functions to avoid passing FILE * pointers to OpenSSL functions.

> Several buildfarm machines are failing:

http://www.openssl.org/docs/crypto/ERR_set_mark.html
says
ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8.

Ooops.  Back to the drawing board.

            regards, tom lane

Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL

From
Tom Lane
Date:
I wrote:
> http://www.openssl.org/docs/crypto/ERR_set_mark.html
> says
> ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8.

> Ooops.  Back to the drawing board.

To get the buildfarm going again, I applied a patch that turns these
calls into no-ops if the local OpenSSL hasn't got the functions.
I'm not entirely sure if the net result is a regression for pre-0.9.8
OpenSSLs or not --- Magnus, any thoughts on that?
        regards, tom lane


Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL

From
"Magnus Hagander"
Date:
> > http://www.openssl.org/docs/crypto/ERR_set_mark.html
> > says
> > ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8.
> 
> > Ooops.  Back to the drawing board.
> 
> To get the buildfarm going again, I applied a patch that turns these
> calls into no-ops if the local OpenSSL hasn't got the functions.
> I'm not entirely sure if the net result is a regression for pre-0.9.8
> OpenSSLs or not --- Magnus, any thoughts on that?

I think it is. With Dave's part of the patch and not mine, you get the incorrect error message. It requires that you
set sslmode to required which I didn't
originally note, but if you do you'll get the wrong error.

Not sure what's the least evil fix.

We could ifdef the whole fix and use the old code for earlier openssl but bio for 0.9.8. Or we could implement my other
idea to load the certificate earlier.
Or we could just say live with the error message on older openssl. Or someone has another idea?

/Magnus


Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL

From
"Magnus Hagander"
Date:
> > http://www.openssl.org/docs/crypto/ERR_set_mark.html
> > says
> > ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8.
> 
> > Ooops.  Back to the drawing board.
> 
> To get the buildfarm going again, I applied a patch that turns these
> calls into no-ops if the local OpenSSL hasn't got the functions.
> I'm not entirely sure if the net result is a regression for pre-0.9.8
> OpenSSLs or not --- Magnus, any thoughts on that?
> 

I thought of a compromise. We can put back a check if the file exists without using bio. That would cover some 99
percent of the messages coming out of that
routine, I bet. And things would still work correct in 0.9.8.

/Magnus



Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL

From
Magnus Hagander
Date:
On Tue, Oct 02, 2007 at 08:42:28AM +0200, Magnus Hagander wrote:
> > > http://www.openssl.org/docs/crypto/ERR_set_mark.html
> > > says
> > > ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8.
> >
> > > Ooops.  Back to the drawing board.
> >
> > To get the buildfarm going again, I applied a patch that turns these
> > calls into no-ops if the local OpenSSL hasn't got the functions.
> > I'm not entirely sure if the net result is a regression for pre-0.9.8
> > OpenSSLs or not --- Magnus, any thoughts on that?
> >
>
> I thought of a compromise. We can put back a check if the file exists without using bio. That would cover some 99
> percent of the messages coming out of that
> routine, I bet. And things would still work correct in 0.9.8.

Here's an example of what I meant.

I think this can be reasonable - OpenSSL 0.9.8 is from 2005 after all, so
it's not like we're requiring something extremely new..

//Magnus


Attachments

Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL

From
Tom Lane
Date:
Magnus Hagander <magnus@hagander.net> writes:
>> I thought of a compromise. We can put back a check if the file exists without using bio. That would cover some 99
>> percent of the messages coming out of that
>> routine, I bet. And things would still work correct in 0.9.8.

> Here's an example of what I meant.

+1, but I think you should "#ifndef HAVE_ERR_SET_MARK" the added code.
Also, maybe try to fopen rather than just fstat?
        regards, tom lane


Re: [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL

From
Magnus Hagander
Date:
On Tue, Oct 02, 2007 at 10:04:19AM -0400, Tom Lane wrote:
> Magnus Hagander <magnus@hagander.net> writes:
> >> I thought of a compromise. We can put back a check if the file exists without using bio. That would cover some 99
> >> percent of the messages coming out of that
> >> routine, I bet. And things would still work correct in 0.9.8.
> 
> > Here's an example of what I meant.
> 
> +1, but I think you should "#ifndef HAVE_ERR_SET_MARK" the added code.
> Also, maybe try to fopen rather than just fstat?

Done on both, and applied.

//Magnus
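
The compromise discussed in this thread, an fopen() pre-check compiled only when HAVE_ERR_SET_MARK is undefined, shown as an added example. It is not the committed PostgreSQL patch; the function name, result codes, message text and sample path are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum cert_precheck { CERT_OK = 0, CERT_MISSING, CERT_UNREADABLE };

/*
 * Pre-check a client certificate path before the TLS library reads it.
 * HAVE_ERR_SET_MARK is the symbol named in the thread: when it is defined
 * the check is compiled out and the function always returns CERT_OK.
 * fopen() is used rather than stat() because stat() only shows that the
 * file exists, not that this process may read it.
 */
static enum cert_precheck
precheck_cert_file(const char *path, char *errbuf, size_t errlen)
{
#ifndef HAVE_ERR_SET_MARK
    FILE *fp = fopen(path, "r");

    if (fp == NULL)
    {
        int save_errno = errno;   /* later library calls may change errno */

        /* Message text is constructed for this example. */
        snprintf(errbuf, errlen, "could not open certificate file \"%s\": %s",
                 path, strerror(save_errno));
        return (save_errno == ENOENT) ? CERT_MISSING : CERT_UNREADABLE;
    }
    fclose(fp);
#else
    (void) path;
#endif
    if (errlen > 0)
        errbuf[0] = '\0';
    return CERT_OK;
}

int main(void)
{
    char err[256];
    /* Constructed sample path; it is not expected to exist. */
    const char *path = "/nonexistent-example-dir/postgresql.crt";

    if (precheck_cert_file(path, err, sizeof err) != CERT_OK)
        fprintf(stderr, "%s\n", err);
    return 0;
}
```

Separating the missing-file case from other open failures lets the caller treat an absent certificate differently from one that exists but cannot be read.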