[PATCH] OpenSSL: Mark underlying BIO with the appropriate type flags - Mailing list pgsql-hackers

Hi Everyone,

I’ve ran into an issue where the OpenSSL API function “ssl_get_fd” fails, due to the underlying BIO object created by Postgres is not being flagged properly.

Previous to OpenSSL version 1.1.0, the BIO methods object would be copied directly from the existing socket type and then its read\write functions would be replaced.

With 1.1.0 and up, the object is created from scratch and then all its methods are initialized to be the ones of the socket type, except read/write which are custom.

In this newer way, a new type is given to it by calling “BIO_get_new_index”, but the related type flags aren’t added.

For more information please see: https://www.openssl.org/docs/man1.1.0/man3/BIO_get_new_index.html

In this case, the type should have both BIO_TYPE_SOURCE_SINK and BIO_TYPE_DESCRIPTOR.

The proposed patch will add these flags to the BIO type on creation. I have compiled it with OpenSSL, enabled encryption and verified that basic queries work fine.

I don’t believe this affects Postgres, since the code has been this way for 5 years. I ran into it because I’m writing auditing code that hooks on Postgres calls. I’ve already found a workaround by adding these flags myself with an additional hook, but thought it would be worth bringing up here and see if you think it’s worth patching.

Regards,

Itamar Gafni 

Imperva