On 12/05/2016 05:19 AM, Michael Paquier wrote:
> On Thu, Dec 1, 2016 at 11:17 AM, Andreas Karlsson <andreas@proxel.se> wrote:
>> On 12/01/2016 02:48 AM, Andres Freund wrote:
>> Yes, I believe this is one of the changes in OpenSSL 1.1. I guess you might
>> be the first one to try to compile with 1.1 since
>> 5ff4a67f63fd6d3eb01ff9707d4674ed54a89f3b was pushed.
>
> Yes, I can see the failure as well using 1.1.0 on my OSX laptop with
> homebrew packages.

Sorry about that! Given that I just dealt with this same issue with
EVP_MD_CTX_init, I should've noticed.

> Finally, attached is a patch to address the failure. make check is
> passing here for 1.1.0 and 1.0.2. The problem is that OpenSSL 1.1
> relies on an opaque structure here so we need to have the pgcrypto
> code rely on a pointer and not a direct declaration of the structure.
> EVP_CIPHER_CTX_free() and EVP_CIPHER_CTX_new() have been introduced in
> 0.9.8 which is the oldest version supported by HEAD, and 5ff4a67f is
> HEAD-only, so there is no need to back-patch here.

I'm afraid if we just start using EVP_CIPHER_CTX_new(), we'll leak the
context on any error. We had exactly the same problem with
EVP_MD_CTX_init being removed, in the patch that added OpenSSL 1.1.0
support. We'll have to use a resource owner to track it, just like we
did with EVP_MD_CTX in commit 593d4e47. Want to do that, or should I?

- Heikki
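
A small C model of the leak described in the reply above and of the tracking approach it proposes. This is an added example, not code from pgcrypto, the attached patch or commit 593d4e47. `fake_ctx`, the `owner_*` functions and `leaked_after` are hypothetical stand-ins for the opaque EVP_CIPHER_CTX, a resource owner and the caller's abort handling, and the error exit is assumed to unwind with `longjmp`.

```c
#include <setjmp.h>
#include <stdlib.h>
/* Hypothetical stand-in for an opaque, heap-only context such as EVP_CIPHER_CTX. */
typedef struct fake_ctx { struct fake_ctx *next; } fake_ctx;
static int live_ctx = 0;       /* contexts allocated and not yet freed */
static fake_ctx *owned = NULL; /* hypothetical owner: contexts to free on abort */
static jmp_buf error_jmp;      /* assumed: the error exit unwinds with longjmp */

static fake_ctx *ctx_new(void) {
    fake_ctx *c = calloc(1, sizeof(*c));
    if (c == NULL) abort();
    live_ctx++;
    return c;
}
static void ctx_free(fake_ctx *c) { live_ctx--; free(c); }

static void owner_remember(fake_ctx *c) { c->next = owned; owned = c; }
static void owner_forget(fake_ctx *c) {
    for (fake_ctx **p = &owned; *p != NULL; p = &(*p)->next)
        if (*p == c) { *p = c->next; return; }
}
/* Abort-time callback: free whatever the failed call left registered. */
static void owner_release_all(void) {
    while (owned != NULL) { fake_ctx *c = owned; owned = c->next; ctx_free(c); }
}

/* Untracked: an error between new and free skips ctx_free(), so the context leaks. */
static void encrypt_untracked(int fail) {
    fake_ctx *c = ctx_new();
    if (fail) longjmp(error_jmp, 1);
    ctx_free(c);
}
/* Tracked: registered right after allocation, so the abort path can find it. */
static void encrypt_tracked(int fail) {
    fake_ctx *c = ctx_new();
    owner_remember(c);
    if (fail) longjmp(error_jmp, 1);
    owner_forget(c);
    ctx_free(c);
}

/* Runs fn, treats a longjmp as an aborted call, returns contexts left allocated. */
static int leaked_after(void (*fn)(int), int fail) {
    int before = live_ctx;
    if (setjmp(error_jmp) == 0) fn(fail);
    else owner_release_all();
    return live_ctx - before;
}
int main(void) { return leaked_after(encrypt_tracked, 1); }
```

With a stack-declared structure the error path had nothing to free; once the context lives on the heap, every exit that bypasses the normal return needs a registered cleanup.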