authorPeter Eisentraut <peter_e@gmx.net>2018-03-20 16:44:52 -0400
committerPeter Eisentraut <peter_e@gmx.net>2018-03-20 16:44:52 -0400
commita364dfa4ac7337743050256c6eb17b5db5430173 (patch)
tree2ab2fedc382bea18b5e5c187b13b0942e9188737
parent3de04e4ed12d0794e87e1db2e729d126cf183a58 (diff)
downloadpostgresql-a364dfa4ac7337743050256c6eb17b5db5430173.tar.gz
postgresql-a364dfa4ac7337743050256c6eb17b5db5430173.zip
Attempt to fix build with unusual OpenSSL versions
Since e3bdb2d92600ed45bd46aaf48309a436a9628218, libpq failed to build on some platforms because they did not have SSL_clear_options(). Although mainline OpenSSL introduced SSL_clear_options() after SSL_OP_NO_COMPRESSION, so the code should have built fine, at least an old NetBSD version (build farm "coypu" NetBSD 5.1 gcc 4.1.3 PR-20080704 powerpc) has SSL_OP_NO_COMPRESSION but no SSL_clear_options(). So add a configure check for SSL_clear_options(). If we don't find it, skip the call. That means on such a platform one cannot *enable* SSL compression if the built-in default is off, but that seems an unlikely combination anyway and not very interesting in practice.
-rwxr-xr-xconfigure2
-rw-r--r--configure.in2
-rw-r--r--src/include/pg_config.h.in3
-rw-r--r--src/interfaces/libpq/fe-secure-openssl.c8
4 files changed, 13 insertions, 2 deletions
diff --git a/configure b/configure
index a5f309212df..81170150672 100755
--- a/configure
+++ b/configure
@@ -10203,7 +10203,7 @@ else
fi
fi
- for ac_func in SSL_get_current_compression X509_get_signature_nid
+ for ac_func in SSL_clear_options SSL_get_current_compression X509_get_signature_nid
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff --git a/configure.in b/configure.in
index 9a6f4b193c4..8304b4a756a 100644
--- a/configure.in
+++ b/configure.in
@@ -1067,7 +1067,7 @@ if test "$with_openssl" = yes ; then
AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
fi
- AC_CHECK_FUNCS([SSL_get_current_compression X509_get_signature_nid])
+ AC_CHECK_FUNCS([SSL_clear_options SSL_get_current_compression X509_get_signature_nid])
# Functions introduced in OpenSSL 1.1.0. We used to check for
# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
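Review bot: AC_CHECK_FUNCS performs a link test for a symbol, and in OpenSSL releases before 1.1.0 SSL_clear_options() is, as far as I know, a macro wrapping SSL_ctrl() rather than an exported function, so the check added here would likely report it missing on those mainstream builds and not only on the NetBSD variant. HAVE_SSL_CLEAR_OPTIONS would then stay undefined and the `else` branch in fe-secure-openssl.c would compile out, so sslcompression=1 could no longer clear SSL_OP_NO_COMPRESSION there. One option is to let the C guard accept the macro form as well, `#if defined(HAVE_SSL_CLEAR_OPTIONS) || defined(SSL_clear_options)`; another is a declaration check (AC_CHECK_DECLS) that includes `<openssl/ssl.h>`. The same applies to the regenerated `configure` hunk.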
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index f98f773ff02..ea3b2b6ce77 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -479,6 +479,9 @@
/* Define to 1 if you have the `srandom' function. */
#undef HAVE_SRANDOM
+/* Define to 1 if you have the `SSL_clear_options' function. */
+#undef HAVE_SSL_CLEAR_OPTIONS
+
/* Define to 1 if you have the `SSL_get_current_compression' function. */
#undef HAVE_SSL_GET_CURRENT_COMPRESSION
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 1a35b30dbcd..2e2f1074fcb 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1194,9 +1194,17 @@ initialize_SSL(PGconn *conn)
#ifdef SSL_OP_NO_COMPRESSION
if (conn->sslcompression && conn->sslcompression[0] == '0')
SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+ /*
+ * Mainline OpenSSL introduced SSL_clear_options() before
+ * SSL_OP_NO_COMPRESSION, so this following #ifdef should not be
+ * necessary, but some old NetBSD version have a locally modified libssl
+ * that has SSL_OP_NO_COMPRESSION but not SSL_clear_options().
+ */
+#ifdef HAVE_SSL_CLEAR_OPTIONS
else
SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
#endif
+#endif
return 0;
}
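Review bot: The new comment explains why the guard exists but not what a build without it does: when HAVE_SSL_CLEAR_OPTIONS is undefined, any sslcompression value other than '0' becomes a silent no-op and compression stays at the library default. That is the conservative direction for TLS compression, but it should be recorded next to the code, for example by appending `Without it, sslcompression=1 cannot re-enable compression when the library default is off.` to the comment. The comment also sits between the `if` body and an `else` that the preprocessor may remove, which makes the pairing hard to follow; moving it above the `if` would read better, and `some old NetBSD version have` should be `some old NetBSD versions have`. initialize_SSL() begins outside this hunk.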