diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c index 5fd46b98741..76d9841079b 100644 --- a/contrib/sslinfo/sslinfo.c +++ b/contrib/sslinfo/sslinfo.c @@ -32,8 +32,8 @@ PG_MODULE_MAGIC; -static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName); -static Datum ASN1_STRING_to_text(ASN1_STRING *str); +static Datum X509_NAME_field_to_text(const X509_NAME *name, text *fieldName); +static Datum ASN1_STRING_to_text(const ASN1_STRING *str); /* * Function context for data persisting over repeated calls. @@ -156,7 +156,7 @@ ssl_client_serial(PG_FUNCTION_ARGS) * function. */ static Datum -ASN1_STRING_to_text(ASN1_STRING *str) +ASN1_STRING_to_text(const ASN1_STRING *str) { BIO *membuf; size_t size; @@ -171,7 +171,7 @@ ASN1_STRING_to_text(ASN1_STRING *str) (errcode(ERRCODE_OUT_OF_MEMORY), errmsg("could not create OpenSSL BIO structure"))); (void) BIO_set_close(membuf, BIO_CLOSE); - ASN1_STRING_print_ex(membuf, str, + ASN1_STRING_print_ex(membuf, unconstify(ASN1_STRING *, str), ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB) | ASN1_STRFLGS_UTF8_CONVERT)); /* ensure null termination of the BIO's content */ @@ -202,12 +202,12 @@ ASN1_STRING_to_text(ASN1_STRING *str) * part of name */ static Datum -X509_NAME_field_to_text(X509_NAME *name, text *fieldName) +X509_NAME_field_to_text(const X509_NAME *name, text *fieldName) { char *string_fieldname; int nid, index; - ASN1_STRING *data; + const ASN1_STRING *data; string_fieldname = text_to_cstring(fieldName); nid = OBJ_txt2nid(string_fieldname); @@ -217,10 +217,10 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName) errmsg("invalid X.509 field name: \"%s\"", string_fieldname))); pfree(string_fieldname); - index = X509_NAME_get_index_by_NID(name, nid, -1); + index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, name), nid, -1); if (index < 0) return (Datum) 0; - data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index)); + data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(unconstify(X509_NAME *, name), index)); return ASN1_STRING_to_text(data); } @@ -429,8 +429,8 @@ ssl_extension_info(PG_FUNCTION_ARGS) HeapTuple tuple; Datum result; BIO *membuf; - X509_EXTENSION *ext; - ASN1_OBJECT *obj; + const X509_EXTENSION *ext; + const ASN1_OBJECT *obj; int nid; int len; @@ -443,7 +443,7 @@ ssl_extension_info(PG_FUNCTION_ARGS) /* Get the extension from the certificate */ ext = X509_get_ext(cert, call_cntr); - obj = X509_EXTENSION_get_object(ext); + obj = X509_EXTENSION_get_object(unconstify(X509_EXTENSION *, ext)); /* Get the extension name */ nid = OBJ_obj2nid(obj); @@ -456,7 +456,7 @@ ssl_extension_info(PG_FUNCTION_ARGS) nulls[0] = false; /* Get the extension value */ - if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0) + if (X509V3_EXT_print(membuf, unconstify(X509_EXTENSION *, ext), 0, 0) <= 0) ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("could not print extension value in certificate at position %d", @@ -466,7 +466,7 @@ ssl_extension_info(PG_FUNCTION_ARGS) nulls[1] = false; /* Get critical status */ - values[2] = BoolGetDatum(X509_EXTENSION_get_critical(ext)); + values[2] = BoolGetDatum(X509_EXTENSION_get_critical(unconstify(X509_EXTENSION *, ext))); nulls[2] = false; /* Build tuple */ diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 486a66b0bf1..8c101528618 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -77,7 +77,7 @@ static bool initialize_dh(SSL_CTX *context, bool isServerStart); static bool initialize_ecdh(SSL_CTX *context, bool isServerStart); static const char *SSLerrmessage(unsigned long ecode); -static char *X509_NAME_to_cstring(X509_NAME *name); +static char *X509_NAME_to_cstring(const X509_NAME *name); static SSL_CTX *SSL_context = NULL; static bool SSL_initialized = false; @@ -634,18 +634,18 @@ aloop: if (port->peer != NULL) { int len; - X509_NAME *x509name = X509_get_subject_name(port->peer); + const X509_NAME *x509name = X509_get_subject_name(port->peer); char *peer_dn; BIO *bio = NULL; BUF_MEM *bio_buf = NULL; - len = X509_NAME_get_text_by_NID(x509name, NID_commonName, NULL, 0); + len = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, NULL, 0); if (len != -1) { char *peer_cn; peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1); - r = X509_NAME_get_text_by_NID(x509name, NID_commonName, peer_cn, + r = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, peer_cn, len + 1); peer_cn[len] = '\0'; if (r != len) @@ -689,7 +689,7 @@ aloop: * which make regular expression matching a bit easier. Also note that * it prints the Subject fields in reverse order. */ - if (X509_NAME_print_ex(bio, x509name, 0, XN_FLAG_RFC2253) == -1 || + if (X509_NAME_print_ex(bio, unconstify(X509_NAME *, x509name), 0, XN_FLAG_RFC2253) == -1 || BIO_get_mem_ptr(bio, &bio_buf) <= 0) { BIO_free(bio); @@ -1615,14 +1615,14 @@ be_tls_get_certificate_hash(Port *port, size_t *len) * */ static char * -X509_NAME_to_cstring(X509_NAME *name) +X509_NAME_to_cstring(const X509_NAME *name) { BIO *membuf = BIO_new(BIO_s_mem()); int i, nid, - count = X509_NAME_entry_count(name); - X509_NAME_ENTRY *e; - ASN1_STRING *v; + count = X509_NAME_entry_count(unconstify(X509_NAME *, name)); + const X509_NAME_ENTRY *e; + const ASN1_STRING *v; const char *field_name; size_t size; char nullterm; @@ -1638,13 +1638,13 @@ X509_NAME_to_cstring(X509_NAME *name) (void) BIO_set_close(membuf, BIO_CLOSE); for (i = 0; i < count; i++) { - e = X509_NAME_get_entry(name, i); - nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e)); + e = X509_NAME_get_entry(unconstify(X509_NAME *, name), i); + nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(unconstify(X509_NAME_ENTRY *, e))); if (nid == NID_undef) ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE), errmsg("could not get NID for ASN1_OBJECT object"))); - v = X509_NAME_ENTRY_get_data(e); + v = X509_NAME_ENTRY_get_data(unconstify(X509_NAME_ENTRY *, e)); field_name = OBJ_nid2sn(nid); if (field_name == NULL) field_name = OBJ_nid2ln(nid); @@ -1653,7 +1653,7 @@ X509_NAME_to_cstring(X509_NAME *name) (errcode(ERRCODE_INVALID_PARAMETER_VALUE), errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid))); BIO_printf(membuf, "/%s=", field_name); - ASN1_STRING_print_ex(membuf, v, + ASN1_STRING_print_ex(membuf, unconstify(ASN1_STRING *, v), ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB) | ASN1_STRFLGS_UTF8_CONVERT)); } diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index b6fffd7b9b0..33ce6d5ffe3 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -66,7 +66,7 @@ static int verify_cb(int ok, X509_STORE_CTX *ctx); static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn, - ASN1_STRING *name_entry, + const ASN1_STRING *name_entry, char **store_name); static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn, ASN1_OCTET_STRING *addr_entry, @@ -489,7 +489,8 @@ cert_cb(SSL *ssl, void *arg) * into a plain C string. */ static int -openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, +openssl_verify_peer_name_matches_certificate_name(PGconn *conn, + const ASN1_STRING *name_entry, char **store_name) { int len; @@ -508,7 +509,7 @@ openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *nam #ifdef HAVE_ASN1_STRING_GET0_DATA namedata = ASN1_STRING_get0_data(name_entry); #else - namedata = ASN1_STRING_data(name_entry); + namedata = ASN1_STRING_data(unconstify(ASN1_STRING *, name_entry)); #endif len = ASN1_STRING_length(name_entry); @@ -680,14 +681,14 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn, */ if (check_cn) { - X509_NAME *subject_name; + const X509_NAME *subject_name; subject_name = X509_get_subject_name(conn->peer); if (subject_name != NULL) { int cn_index; - cn_index = X509_NAME_get_index_by_NID(subject_name, + cn_index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, subject_name), NID_commonName, -1); if (cn_index >= 0) { @@ -695,7 +696,7 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn, (*names_examined)++; rc = openssl_verify_peer_name_matches_certificate_name(conn, - X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)), + X509_NAME_ENTRY_get_data(X509_NAME_get_entry(unconstify(X509_NAME *, subject_name), cn_index)), &common_name); if (common_name) diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 17dd3964b76..4880d8a75b9 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -773,7 +773,7 @@ $node->connect_fails( "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " . sslkey('client-revoked.key'), "certificate authorization fails with revoked client cert", - expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|, + expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!, # temporarily(?) skip this check due to timing issue # log_like => [ # qr{Client certificate verification failed at depth 0: certificate revoked}, @@ -878,7 +878,7 @@ $node->connect_fails( "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " . sslkey('client-revoked.key'), "certificate authorization fails with revoked client cert with server-side CRL directory", - expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|, + expected_stderr => qr!SSL error: (ssl[a-z0-9/]*|tls) alert certificate revoked!, # temporarily(?) skip this check due to timing issue # log_like => [ # qr{Client certificate verification failed at depth 0: certificate revoked},