diff options
| author | Heikki Linnakangas <heikki.linnakangas@iki.fi> | 2016-09-15 22:29:39 +0300 |
|---|---|---|
| committer | Heikki Linnakangas <heikki.linnakangas@iki.fi> | 2016-09-15 22:45:08 +0300 |
| commit | 9895818d5656e3fe775af05df3e2b2cce7346962 (patch) | |
| tree | 548c3e7c244fd1a88f5b081d3b4ca5ed0b6ab3c5 /src/interfaces | |
| parent | 72ce78162c6c4e52b7a9bb1a2de50daee0a3628e (diff) | |
| download | postgresql-9895818d5656e3fe775af05df3e2b2cce7346962.tar.gz postgresql-9895818d5656e3fe775af05df3e2b2cce7346962.zip | |
Fix building with LibreSSL.
LibreSSL defines OPENSSL_VERSION_NUMBER to claim that it is version 2.0.0,
but it doesn't have the functions added in OpenSSL 1.1.0. Add autoconf
checks for the individual functions we need, and stop relying on
OPENSSL_VERSION_NUMBER.
Backport to 9.5 and 9.6, like the patch that broke this. In the
back-branches, there are still a few OPENSSL_VERSION_NUMBER checks left,
to check for OpenSSL 0.9.8 or 0.9.7. I left them as they were - LibreSSL
has all those functions, so they work as intended.
Per buildfarm member curculio.
Discussion: <2442.1473957669@sss.pgh.pa.us>
Diffstat (limited to 'src/interfaces')
| -rw-r--r-- | src/interfaces/libpq/fe-secure-openssl.c | 31 |
1 files changed, 17 insertions, 14 deletions
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 13c2286c3a7..d0b3a120df1 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -508,10 +508,6 @@ wildcard_certificate_match(const char *pattern, const char *string) return 1; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L -#define ASN1_STRING_get0_data ASN1_STRING_data -#endif - /* * Check if a name from a server's certificate matches the peer's hostname. * @@ -546,7 +542,11 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, * There is no guarantee the string returned from the certificate is * NULL-terminated, so make a copy that is. */ +#ifdef HAVE_ASN1_STRING_GET0_DATA namedata = ASN1_STRING_get0_data(name_entry); +#else + namedata = ASN1_STRING_data(name_entry); +#endif len = ASN1_STRING_length(name_entry); name = malloc(len + 1); if (name == NULL) @@ -734,10 +734,13 @@ verify_peer_name_matches_certificate(PGconn *conn) return found_match && !got_error; } -#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L +#if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK) /* - * Callback functions for OpenSSL internal locking. (OpenSSL 1.1.0 - * does its own locking, and doesn't need these anymore.) + * Callback functions for OpenSSL internal locking. (OpenSSL 1.1.0 + * does its own locking, and doesn't need these anymore. The + * CRYPTO_lock() function was removed in 1.1.0, when the callbacks + * were made obsolete, so we assume that if CRYPTO_lock() exists, + * the callbacks are still required.) */ static unsigned long @@ -767,7 +770,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) PGTHREAD_ERROR("failed to unlock mutex"); } } -#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ +#endif /* ENABLE_THREAD_SAFETY && HAVE_CRYPTO_LOCK */ /* * Initialize SSL system, in particular creating the SSL_context object @@ -806,7 +809,7 @@ pgtls_init(PGconn *conn) if (pthread_mutex_lock(&ssl_config_mutex)) return -1; -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#ifdef HAVE_CRYPTO_LOCK if (pq_init_crypto_lib) { /* @@ -847,14 +850,14 @@ pgtls_init(PGconn *conn) CRYPTO_set_locking_callback(pq_lockingcallback); } } -#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ +#endif /* HAVE_CRYPTO_LOCK */ #endif /* ENABLE_THREAD_SAFETY */ if (!SSL_context) { if (pq_init_ssl_lib) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#ifdef HAVE_OPENSSL_INIT_SSL OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); #else #if OPENSSL_VERSION_NUMBER >= 0x00907000L @@ -917,7 +920,7 @@ pgtls_init(PGconn *conn) static void destroy_ssl_system(void) { -#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L +#if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK) /* Mutex is created in initialize_ssl_system() */ if (pthread_mutex_lock(&ssl_config_mutex)) return; @@ -1632,7 +1635,7 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) * to retry; do we need to adopt their logic for that? */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#ifndef HAVE_BIO_GET_DATA #define BIO_get_data(bio) (bio->ptr) #define BIO_set_data(bio, data) (bio->ptr = data) #endif @@ -1705,7 +1708,7 @@ my_BIO_s_socket(void) if (!my_bio_methods) { BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket(); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#ifdef HAVE_BIO_METH_NEW int my_bio_index; my_bio_index = BIO_get_new_index(); |