NotificationsYou must be signed in to change notification settings
Fork4.9k
Star17.7k

Commit8e278b6

committed

Remove support for OpenSSL 1.0.1

Here are some notes about this change:- As X509_get_signature_nid() should always exist (OpenSSL andLibreSSL), hence HAVE_X509_GET_SIGNATURE_NID is now gone.- OPENSSL_API_COMPAT is bumped to 0x10002000L.- One comment related to 1.0.1e introduced by74242c2 is removed.Upstream OpenSSL still provides long-term support for 1.0.2 in a closedfashion, so removing it is out of scope for a few years, at least.Reviewed-by: Jacob Champion, Daniel GustafssonDiscussion:https://postgr.es/m/ZG3JNursG69dz1lr@paquier.xyz

1 parent2aeaf80 commit8e278b6Copy full SHA for 8e278b6

File tree

14 files changed

+37

-100

lines changed

configure
configure.ac
doc/src/sgml
- installation.sgml
meson.build
src
- backend/libpq
  - auth-scram.c
  - be-secure-openssl.c
- include
  - libpq
    - libpq-be.h
  - pg_config.h.in
- interfaces/libpq
- test/ssl/t
  - 002_scram.pl
- tools/msvc
  - Solution.pm

14 files changed

+37

-100

lines changed

`‎configure`

Lines changed: 7 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -12744,9 +12744,9 @@ if test "$with_openssl" = yes ; then`
`12744`	`12744`	`fi`
`12745`	`12745`
`12746`	`12746`	`if test "$with_ssl" = openssl ; then`
`12747`		`- # Minimum required OpenSSL version is 1.0.1`
	`12747`	`+ # Minimum required OpenSSL version is 1.0.2`
`12748`	`12748`
`12749`		`-$as_echo "#define OPENSSL_API_COMPAT0x10001000L" >>confdefs.h`
	`12749`	`+$as_echo "#define OPENSSL_API_COMPAT0x10002000L" >>confdefs.h`
`12750`	`12750`
`12751`	`12751`	`if test "$PORTNAME" != "win32"; then`
`12752`	`12752`	`{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5`
`@@ -12961,15 +12961,13 @@ else`
`12961`	`12961`	`fi`
`12962`	`12962`
`12963`	`12963`	`fi`
`12964`		`- # Functions introduced in OpenSSL 1.0.2. LibreSSL does not have`
`12965`		`- # SSL_CTX_set_cert_cb().`
`12966`		`- for ac_func in X509_get_signature_nid SSL_CTX_set_cert_cb`
	`12964`	`+ # LibreSSL does not have SSL_CTX_set_cert_cb().`
	`12965`	`+ for ac_func in SSL_CTX_set_cert_cb`
`12967`	`12966`	`do :`
`12968`		- as_ac_var=`$as_echo "ac_cv_func_$ac_func" \| $as_tr_sh`
`12969`		`-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"`
`12970`		`-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :`
	`12967`	`+ ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"`
	`12968`	`+if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :`
`12971`	`12969`	`cat >>confdefs.h <<_ACEOF`
`12972`		-#define`$as_echo "HAVE_$ac_func" \| $as_tr_cpp` 1
	`12970`	`+#defineHAVE_SSL_CTX_SET_CERT_CB 1`
`12973`	`12971`	`_ACEOF`
`12974`	`12972`
`12975`	`12973`	`fi`

`‎configure.ac`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1367,8 +1367,8 @@ fi`
`1367`	`1367`
`1368`	`1368`	`if test "$with_ssl" = openssl ; then`
`1369`	`1369`	`dnl Order matters!`
`1370`		`-# Minimum required OpenSSL version is 1.0.1`
`1371`		`-AC_DEFINE(OPENSSL_API_COMPAT,[0x10001000L],`
	`1370`	`+# Minimum required OpenSSL version is 1.0.2`
	`1371`	`+AC_DEFINE(OPENSSL_API_COMPAT,[0x10002000L],`
`1372`	`1372`	`[Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.])`
`1373`	`1373`	`if test "$PORTNAME" != "win32"; then`
`1374`	`1374`	`AC_CHECK_LIB(crypto,CRYPTO_new_ex_data,[],[AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])`
`@@ -1377,9 +1377,9 @@ if test "$with_ssl" = openssl ; then`
`1377`	`1377`	`AC_SEARCH_LIBS(CRYPTO_new_ex_data,[eay32 crypto],[],[AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])`
`1378`	`1378`	`AC_SEARCH_LIBS(SSL_new,[ssleay32 ssl],[],[AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])`
`1379`	`1379`	`fi`
`1380`		`-#Functions introduced in OpenSSL 1.0.2. LibreSSL does not have`
	`1380`	`+#Function introduced in OpenSSL 1.0.2. LibreSSL does not have`
`1381`	`1381`	`# SSL_CTX_set_cert_cb().`
`1382`		`-AC_CHECK_FUNCS([X509_get_signature_nidSSL_CTX_set_cert_cb])`
	`1382`	`+AC_CHECK_FUNCS([SSL_CTX_set_cert_cb])`
`1383`	`1383`	`# Functions introduced in OpenSSL 1.1.0. We used to check for`
`1384`	`1384`	`# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL`
`1385`	`1385`	`# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it`

`‎doc/src/sgml/installation.sgml`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -275,7 +275,7 @@ documentation. See standalone-profile.xsl for details.`
`275`	`275`	`encrypted client connections. <productname>OpenSSL</productname> is`
`276`	`276`	`also required for random number generation on platforms that do not`
`277`	`277`	`have <filename>/dev/urandom</filename> (except Windows). The minimum`
`278`		`- required version is 1.0.1.`
	`278`	`+ required version is 1.0.2.`
`279`	`279`	`</para>`
`280`	`280`	`</listitem>`
`281`	`281`

`‎meson.build`

Lines changed: 3 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1266,9 +1266,8 @@ if sslopt in ['auto', 'openssl']`
`1266`	`1266`	`['CRYPTO_new_ex_data', {'required':true}],`
`1267`	`1267`	`['SSL_new', {'required':true}],`
`1268`	`1268`
`1269`		`-# Functions introduced in OpenSSL 1.0.2.`
`1270`		`- ['X509_get_signature_nid'],`
`1271`		`- ['SSL_CTX_set_cert_cb'],# not in LibreSSL`
	`1269`	`+# Functions introduced in OpenSSL 1.0.2, not in LibreSSL.`
	`1270`	`+ ['SSL_CTX_set_cert_cb'],`
`1272`	`1271`
`1273`	`1272`	`# Functions introduced in OpenSSL 1.1.0. We used to check for`
`1274`	`1273`	`# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL`
`@@ -1310,7 +1309,7 @@ if sslopt in ['auto', 'openssl']`
`1310`	`1309`	`if are_openssl_funcs_complete`
`1311`	`1310`	`cdata.set('USE_OPENSSL',1,`
`1312`	`1311`	`description:'Define to 1 to build with OpenSSL support. (-Dssl=openssl)')`
`1313`		`- cdata.set('OPENSSL_API_COMPAT','0x10001000L',`
	`1312`	`+ cdata.set('OPENSSL_API_COMPAT','0x10002000L',`
`1314`	`1313`	`description:'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.')`
`1315`	`1314`	`ssl_library='openssl'`
`1316`	`1315`	`else`

`‎src/backend/libpq/auth-scram.c`

Lines changed: 9 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -209,10 +209,9 @@ scram_get_mechanisms(Port *port, StringInfo buf)`
`209`	`209`	`/*`
`210`	`210`	`* Advertise the mechanisms in decreasing order of importance. So the`
`211`	`211`	`* channel-binding variants go first, if they are supported. Channel`
`212`		`- * binding is only supported with SSL, and only if the SSL implementation`
`213`		`- * has a function to get the certificate's hash.`
	`212`	`+ * binding is only supported with SSL.`
`214`	`213`	`*/`
`215`		`-#ifdefHAVE_BE_TLS_GET_CERTIFICATE_HASH`
	`214`	`+#ifdefUSE_SSL`
`216`	`215`	`if (port->ssl_in_use)`
`217`	`216`	`{`
`218`	`217`	`appendStringInfoString(buf,SCRAM_SHA_256_PLUS_NAME);`
`@@ -251,13 +250,12 @@ scram_init(Port port, const char selected_mech, const char *shadow_pass)`
`251`	`250`	`/*`
`252`	`251`	`* Parse the selected mechanism.`
`253`	`252`	`*`
`254`		`- * Note that if we don't support channel binding, either because the SSL`
`255`		`- * implementation doesn't support it or we're not using SSL at all, we`
`256`		`- * would not have advertised the PLUS variant in the first place. If the`
`257`		`- * client nevertheless tries to select it, it's a protocol violation like`
`258`		`- * selecting any other SASL mechanism we don't support.`
	`253`	`+ * Note that if we don't support channel binding, or if we're not using`
	`254`	`+ * SSL at all, we would not have advertised the PLUS variant in the first`
	`255`	`+ * place. If the client nevertheless tries to select it, it's a protocol`
	`256`	`+ * violation like selecting any other SASL mechanism we don't support.`
`259`	`257`	`*/`
`260`		`-#ifdefHAVE_BE_TLS_GET_CERTIFICATE_HASH`
	`258`	`+#ifdefUSE_SSL`
`261`	`259`	`if (strcmp(selected_mech,SCRAM_SHA_256_PLUS_NAME)==0&&port->ssl_in_use)`
`262`	`260`	`state->channel_binding_in_use= true;`
`263`	`261`	`else`
`@@ -1010,7 +1008,7 @@ read_client_first_message(scram_state state, const char input)`
`1010`	`1008`	`errmsg("malformed SCRAM message"),`
`1011`	`1009`	`errdetail("The client selected SCRAM-SHA-256-PLUS, but the SCRAM message does not include channel binding data.")));`
`1012`	`1010`
`1013`		`-#ifdefHAVE_BE_TLS_GET_CERTIFICATE_HASH`
	`1011`	`+#ifdefUSE_SSL`
`1014`	`1012`	`if (state->port->ssl_in_use)`
`1015`	`1013`	`ereport(ERROR,`
`1016`	`1014`	`(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),`
`@@ -1306,7 +1304,7 @@ read_client_final_message(scram_state state, const char input)`
`1306`	`1304`	`channel_binding=read_attr_value(&p,'c');`
`1307`	`1305`	`if (state->channel_binding_in_use)`
`1308`	`1306`	`{`
`1309`		`-#ifdefHAVE_BE_TLS_GET_CERTIFICATE_HASH`
	`1307`	`+#ifdefUSE_SSL`
`1310`	`1308`	`constchar*cbind_data=NULL;`
`1311`	`1309`	`size_tcbind_data_len=0;`
`1312`	`1310`	`size_tcbind_header_len;`

`‎src/backend/libpq/be-secure-openssl.c`

Lines changed: 0 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -831,8 +831,6 @@ be_tls_write(Port port, void ptr, size_t len, int *waitfor)`
`831`	`831`	`*`
`832`	`832`	`* These functions are closely modelled on the standard socket BIO in OpenSSL;`
`833`	`833`	`* see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.`
`834`		`- * XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR as reasons`
`835`		`- * to retry; do we need to adopt their logic for that?`
`836`	`834`	`*/`
`837`	`835`
`838`	`836`	`#ifndefHAVE_BIO_GET_DATA`
`@@ -1429,7 +1427,6 @@ be_tls_get_peer_serial(Port port, char ptr, size_t len)`
`1429`	`1427`	`ptr[0]='\0';`
`1430`	`1428`	`}`
`1431`	`1429`
`1432`		`-#if defined(HAVE_X509_GET_SIGNATURE_NID)\|\| defined(HAVE_X509_GET_SIGNATURE_INFO)`
`1433`	`1430`	`char*`
`1434`	`1431`	`be_tls_get_certificate_hash(Portport,size_tlen)`
`1435`	`1432`	`{`
`@@ -1488,7 +1485,6 @@ be_tls_get_certificate_hash(Port port, size_t len)`
`1488`	`1485`
`1489`	`1486`	`returncert_hash;`
`1490`	`1487`	`}`
`1491`		`-#endif`
`1492`	`1488`
`1493`	`1489`	`/*`
`1494`	`1490`	`* Convert an X509 subject name to a cstring.`

`‎src/include/libpq/libpq-be.h`

Lines changed: 0 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -305,14 +305,8 @@ extern void be_tls_get_peer_serial(Port port, char ptr, size_t len);`
`305`	`305`	`*`
`306`	`306`	`* The result is a palloc'd hash of the server certificate with its`
`307`	`307`	`* size, and NULL if there is no certificate available.`
`308`		`- *`
`309`		`- * This is not supported with old versions of OpenSSL that don't have`
`310`		`- * the X509_get_signature_nid() function.`
`311`	`308`	`*/`
`312`		`-#if defined(USE_OPENSSL)&& (defined(HAVE_X509_GET_SIGNATURE_NID)\|\| defined(HAVE_X509_GET_SIGNATURE_INFO))`
`313`		`-#defineHAVE_BE_TLS_GET_CERTIFICATE_HASH`
`314`	`309`	`externcharbe_tls_get_certificate_hash(Portport,size_t*len);`
`315`		`-#endif`
`316`	`310`
`317`	`311`	`/* init hook for SSL, the default sets the password callback if appropriate */`
`318`	`312`	`#ifdefUSE_OPENSSL`

`‎src/include/pg_config.h.in`

Lines changed: 0 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -529,9 +529,6 @@`
`529`	`529`	/* Define to 1 if you have the `X509_get_signature_info' function. */
`530`	`530`	`#undef HAVE_X509_GET_SIGNATURE_INFO`
`531`	`531`
`532`		-/* Define to 1 if you have the `X509_get_signature_nid' function. */
`533`		`-#undef HAVE_X509_GET_SIGNATURE_NID`
`534`		`-`
`535`	`532`	`/* Define to 1 if the assembler supports X86_64's POPCNTQ instruction. */`
`536`	`533`	`#undef HAVE_X86_64_POPCNTQ`
`537`	`534`

`‎src/interfaces/libpq/fe-auth-scram.c`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -401,7 +401,7 @@ build_client_first_message(fe_scram_state *state)`
`401`	`401`	`Assert(conn->ssl_in_use);`
`402`	`402`	`appendPQExpBufferStr(&buf,"p=tls-server-end-point");`
`403`	`403`	`}`
`404`		`-#ifdefHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH`
	`404`	`+#ifdefUSE_SSL`
`405`	`405`	`elseif (conn->channel_binding[0]!= 'd'&&/* disable */`
`406`	`406`	`conn->ssl_in_use)`
`407`	`407`	`{`
`@@ -474,7 +474,7 @@ build_client_final_message(fe_scram_state *state)`
`474`	`474`	`*/`
`475`	`475`	`if (strcmp(state->sasl_mechanism,SCRAM_SHA_256_PLUS_NAME)==0)`
`476`	`476`	`{`
`477`		`-#ifdefHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH`
	`477`	`+#ifdefUSE_SSL`
`478`	`478`	`char*cbind_data=NULL;`
`479`	`479`	`size_tcbind_data_len=0;`
`480`	`480`	`size_tcbind_header_len;`
`@@ -540,9 +540,9 @@ build_client_final_message(fe_scram_state *state)`
`540`	`540`	`appendPQExpBufferStr(&conn->errorMessage,`
`541`	`541`	`"channel binding not supported by this build\n");`
`542`	`542`	`returnNULL;`
`543`		`-#endif/HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH /`
	`543`	`+#endif/USE_SSL /`
`544`	`544`	`}`
`545`		`-#ifdefHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH`
	`545`	`+#ifdefUSE_SSL`
`546`	`546`	`elseif (conn->channel_binding[0]!= 'd'&&/* disable */`
`547`	`547`	`conn->ssl_in_use)`
`548`	`548`	`appendPQExpBufferStr(&buf, "c=eSws");/* base64 of "y,,"*/`

`‎src/interfaces/libpq/fe-auth.c`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -478,7 +478,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)`
`478`	`478`	`{`
`479`	`479`	`/* The server has offered SCRAM-SHA-256-PLUS. */`
`480`	`480`
`481`		`-#ifdefHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH`
	`481`	`+#ifdefUSE_SSL`
`482`	`482`	`/*`
`483`	`483`	`* The client supports channel binding, which is chosen if`
`484`	`484`	`* channel_binding is not disabled.`

`‎src/interfaces/libpq/fe-secure-openssl.c`

Lines changed: 0 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -364,7 +364,6 @@ pgtls_write(PGconn conn, const void ptr, size_t len)`
`364`	`364`	`returnn;`
`365`	`365`	`}`
`366`	`366`
`367`		`-#if defined(HAVE_X509_GET_SIGNATURE_NID)\|\| defined(HAVE_X509_GET_SIGNATURE_INFO)`
`368`	`367`	`char*`
`369`	`368`	`pgtls_get_peer_certificate_hash(PGconnconn,size_tlen)`
`370`	`369`	`{`
`@@ -439,7 +438,6 @@ pgtls_get_peer_certificate_hash(PGconn conn, size_t len)`
`439`	`438`
`440`	`439`	`returncert_hash;`
`441`	`440`	`}`
`442`		`-#endif/* HAVE_X509_GET_SIGNATURE_NID */`
`443`	`441`
`444`	`442`	`/* ------------------------------------------------------------ */`
`445`	`443`	`/OpenSSL specific code/`
`@@ -1826,8 +1824,6 @@ PQsslAttribute(PGconn conn, const char attribute_name)`
`1826`	`1824`	`*`
`1827`	`1825`	`* These functions are closely modelled on the standard socket BIO in OpenSSL;`
`1828`	`1826`	`* see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.`
`1829`		`- * XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR as reasons`
`1830`		`- * to retry; do we need to adopt their logic for that?`
`1831`	`1827`	`*/`
`1832`	`1828`
`1833`	`1829`	`#ifndefHAVE_BIO_GET_DATA`

`‎src/interfaces/libpq/libpq-int.h`

Lines changed: 0 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -833,14 +833,8 @@ extern ssize_t pgtls_write(PGconn conn, const void ptr, size_t len);`
`833`	`833`	`*`
`834`	`834`	`* NULL is sent back to the caller in the event of an error, with an`
`835`	`835`	`* error message for the caller to consume.`
`836`		`- *`
`837`		`- * This is not supported with old versions of OpenSSL that don't have`
`838`		`- * the X509_get_signature_nid() function.`
`839`	`836`	`*/`
`840`		`-#if defined(USE_OPENSSL)&& (defined(HAVE_X509_GET_SIGNATURE_NID)\|\| defined(HAVE_X509_GET_SIGNATURE_INFO))`
`841`		`-#defineHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH`
`842`	`837`	`externcharpgtls_get_peer_certificate_hash(PGconnconn,size_t*len);`
`843`		`-#endif`
`844`	`838`
`845`	`839`	`/*`
`846`	`840`	`* Verify that the server certificate matches the host name we connected to.`

`‎src/test/ssl/t/002_scram.pl`

Lines changed: 7 additions & 34 deletions

Original file line number	Diff line number	Diff line change
`@@ -44,9 +44,6 @@ sub switch_server_cert`
`44`	`44`	`# This is the pattern to use in pg_hba.conf to match incoming connections.`
`45`	`45`	`my$SERVERHOSTCIDR ='127.0.0.1/32';`
`46`	`46`
`47`		`-# Determine whether build supports tls-server-end-point.`
`48`		`-my$supports_tls_server_end_point =`
`49`		`- check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1");`
`50`	`47`	`# Determine whether build supports detection of hash algorithms for`
`51`	`48`	`# RSA-PSS certificates.`
`52`	`49`	`my$supports_rsapss_certs =`
`@@ -90,21 +87,9 @@ sub switch_server_cert`
`90`	`87`	`expected_stderr=>qr/invalid channel_binding value: "invalid_value"/);`
`91`	`88`	`$node->connect_ok("$common_connstr user=ssltestuser channel_binding=disable",`
`92`	`89`	`"SCRAM with SSL and channel_binding=disable");`
`93`		`-if ($supports_tls_server_end_point)`
`94`		`-{`
`95`		`-$node->connect_ok(`
`96`		`-"$common_connstr user=ssltestuser channel_binding=require",`
`97`		`-"SCRAM with SSL and channel_binding=require");`
`98`		`-}`
`99`		`-else`
`100`		`-{`
`101`		`-$node->connect_fails(`
`102`		`-"$common_connstr user=ssltestuser channel_binding=require",`
`103`		`-"SCRAM with SSL and channel_binding=require",`
`104`		`-expected_stderr=>`
`105`		`-qr/channel binding is required, but server did not offer an authentication method that supports channel binding/`
`106`		`-);`
`107`		`-}`
	`90`	`+$node->connect_ok(`
	`91`	`+"$common_connstr user=ssltestuser channel_binding=require",`
	`92`	`+"SCRAM with SSL and channel_binding=require");`
`108`	`93`
`109`	`94`	`# Now test when the user has an MD5-encrypted password; should fail`
`110`	`95`	`$node->connect_fails(`
`@@ -152,22 +137,10 @@ sub switch_server_cert`
`152`	`137`	`expected_stderr=>`
`153`	`138`	`qr/channel binding required but not supported by server's authentication request/`
`154`	`139`	`);`
`155`		`-if ($supports_tls_server_end_point)`
`156`		`-{`
`157`		`-$node->connect_ok(`
`158`		`-"$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",`
`159`		`-"SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256"`
`160`		`-);`
`161`		`-}`
`162`		`-else`
`163`		`-{`
`164`		`-$node->connect_fails(`
`165`		`-"$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",`
`166`		`-"SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256",`
`167`		`-expected_stderr=>`
`168`		`-qr/channel binding is required, but server did not offer an authentication method that supports channel binding/`
`169`		`-);`
`170`		`-}`
	`140`	`+$node->connect_ok(`
	`141`	`+"$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",`
	`142`	`+"SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256"`
	`143`	`+);`
`171`	`144`
`172`	`145`	`# Now test with a server certificate that uses the RSA-PSS algorithm.`
`173`	`146`	`# This checks that the certificate can be loaded and that channel binding`

`‎src/tools/msvc/Solution.pm`

Lines changed: 1 addition & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -371,7 +371,6 @@ sub GenerateFiles`
`371`	`371`	`HAVE_UUID_UUID_H=>undef,`
`372`	`372`	`HAVE_WCSTOMBS_L=> 1,`
`373`	`373`	`HAVE_VISIBILITY_ATTRIBUTE=>undef,`
`374`		`-HAVE_X509_GET_SIGNATURE_NID=> 1,`
`375`	`374`	`HAVE_X509_GET_SIGNATURE_INFO=>undef,`
`376`	`375`	`HAVE_X86_64_POPCNTQ=>undef,`
`377`	`376`	`HAVE__BOOL=>undef,`
`@@ -488,6 +487,7 @@ sub GenerateFiles`
`488`	`487`	`if ($self->{options}->{openssl})`
`489`	`488`	`{`
`490`	`489`	`$define{USE_OPENSSL} = 1;`
	`490`	`+$define{HAVE_SSL_CTX_SET_CERT_CB} = 1;`
`491`	`491`
`492`	`492`	`my ($digit1,$digit2,$digit3) =$self->GetOpenSSLVersion();`
`493`	`493`
`@@ -509,14 +509,6 @@ sub GenerateFiles`
`509`	`509`	`$define{HAVE_HMAC_CTX_NEW} = 1;`
`510`	`510`	`$define{HAVE_OPENSSL_INIT_SSL} = 1;`
`511`	`511`	`}`
`512`		`-`
`513`		`-# Symbols needed with OpenSSL 1.0.2 and above.`
`514`		`-if ( ($digit1 >='3' &&$digit2 >='0' &&$digit3 >='0')`
`515`		`-\|\| ($digit1 >='1' &&$digit2 >='1' &&$digit3 >='0')`
`516`		`-\|\| ($digit1 >='1' &&$digit2 >='0' &&$digit3 >='2'))`
`517`		`-{`
`518`		`-$define{HAVE_SSL_CTX_SET_CERT_CB} = 1;`
`519`		`-}`
`520`	`512`	`}`
`521`	`513`
`522`	`514`	`$self->GenerateConfigHeader('src/include/pg_config.h', \%define, 1);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit8e278b6

File tree

14 files changed

14 files changed

`‎configure`

`‎configure.ac`

`‎doc/src/sgml/installation.sgml`

`‎meson.build`

`‎src/backend/libpq/auth-scram.c`

`‎src/backend/libpq/be-secure-openssl.c`

`‎src/include/libpq/libpq-be.h`

`‎src/include/pg_config.h.in`

`‎src/interfaces/libpq/fe-auth-scram.c`

`‎src/interfaces/libpq/fe-auth.c`

`‎src/interfaces/libpq/fe-secure-openssl.c`

`‎src/interfaces/libpq/libpq-int.h`

`‎src/test/ssl/t/002_scram.pl`

`‎src/tools/msvc/Solution.pm`

0 commit comments