NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commit48e5ba6

committed

Fix building with LibreSSL.

LibreSSL defines OPENSSL_VERSION_NUMBER to claim that it is version 2.0.0,but it doesn't have the functions added in OpenSSL 1.1.0. Add autoconfchecks for the individual functions we need, and stop relying onOPENSSL_VERSION_NUMBER.Backport to 9.5 and 9.6, like the patch that broke this. In theback-branches, there are still a few OPENSSL_VERSION_NUMBER checks left,to check for OpenSSL 0.9.8 or 0.9.7. I left them as they were - LibreSSLhas all those functions, so they work as intended.Per buildfarm member curculio.Discussion: <2442.1473957669@sss.pgh.pa.us>

1 parent60b6d99 commit48e5ba6Copy full SHA for 48e5ba6

File tree

6 files changed

+85

-21

lines changed

configure
configure.in
contrib/pgcrypto
- openssl.c
src
- backend/libpq
  - be-secure-openssl.c
- include
  - pg_config.h.in
- interfaces/libpq
  - fe-secure-openssl.c

6 files changed

+85

-21

lines changed

`‎configure`

Lines changed: 31 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -8877,6 +8877,37 @@ if test "x$ac_cv_func_SSL_get_current_compression" = xyes; then :`
`8877`	`8877`	`#define HAVE_SSL_GET_CURRENT_COMPRESSION 1`
`8878`	`8878`	`_ACEOF`
`8879`	`8879`
	`8880`	`+fi`
	`8881`	`+done`
	`8882`	`+`
	`8883`	`+# Functions introduced in OpenSSL 1.1.0. We used to check for`
	`8884`	`+# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL`
	`8885`	`+# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it`
	`8886`	`+# doesn't have these OpenSSL 1.1.0 functions. So check for individual`
	`8887`	`+# functions.`
	`8888`	`+forac_funcin OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data RAND_OpenSSL`
	`8889`	`+do:`
	`8890`	+ as_ac_var=`$as_echo"ac_cv_func_$ac_func"\|$as_tr_sh`
	`8891`	`+ac_fn_c_check_func"$LINENO""$ac_func""$as_ac_var"`
	`8892`	`+ifevaltest\"x\$"$as_ac_var"\" = x"yes";then:`
	`8893`	`+ cat>>confdefs.h<<_ACEOF`
	`8894`	+#define`$as_echo"HAVE_$ac_func"\|$as_tr_cpp` 1
	`8895`	`+_ACEOF`
	`8896`	`+`
	`8897`	`+fi`
	`8898`	`+done`
	`8899`	`+`
	`8900`	`+# OpenSSL versions before 1.1.0 required setting callback functions, for`
	`8901`	`+# thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock()`
	`8902`	`+# function was removed.`
	`8903`	`+forac_funcin CRYPTO_lock`
	`8904`	`+do:`
	`8905`	`+ ac_fn_c_check_func"$LINENO""CRYPTO_lock""ac_cv_func_CRYPTO_lock"`
	`8906`	`+iftest"x$ac_cv_func_CRYPTO_lock" = xyes;then:`
	`8907`	`+ cat>>confdefs.h<<_ACEOF`
	`8908`	`+#define HAVE_CRYPTO_LOCK 1`
	`8909`	`+_ACEOF`
	`8910`	`+`
`8880`	`8911`	`fi`
`8881`	`8912`	`done`
`8882`	`8913`

`‎configure.in`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1034,6 +1034,16 @@ if test "$with_openssl" = yes ; then`
`1034`	`1034`	`AC_SEARCH_LIBS(SSL_new, ssleay32 ssl, [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])`
`1035`	`1035`	`fi`
`1036`	`1036`	`AC_CHECK_FUNCS([SSL_get_current_compression])`
	`1037`	`+ # Functions introduced in OpenSSL 1.1.0. We used to check for`
	`1038`	`+ # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL`
	`1039`	`+ # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it`
	`1040`	`+ # doesn't have these OpenSSL 1.1.0 functions. So check for individual`
	`1041`	`+ # functions.`
	`1042`	`+ AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data RAND_OpenSSL])`
	`1043`	`+ # OpenSSL versions before 1.1.0 required setting callback functions, for`
	`1044`	`+ # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock()`
	`1045`	`+ # function was removed.`
	`1046`	`+ AC_CHECK_FUNCS([CRYPTO_lock])`
`1037`	`1047`	`fi`
`1038`	`1048`
`1039`	`1049`	`if test "$with_pam" = yes ; then`

`‎contrib/pgcrypto/openssl.c`

Lines changed: 6 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1062,10 +1062,6 @@ px_find_cipher(const char name, PX_Cipher *res)`
`1062`	`1062`
`1063`	`1063`	`staticintopenssl_random_init=0;`
`1064`	`1064`
`1065`		`-#ifOPENSSL_VERSION_NUMBER<0x10100000L`
`1066`		`-#defineRAND_OpenSSL RAND_SSLeay`
`1067`		`-#endif`
`1068`		`-`
`1069`	`1065`	`/*`
`1070`	`1066`	`* OpenSSL random should re-feeded occasionally. From /dev/urandom`
`1071`	`1067`	`* preferably.`
`@@ -1074,7 +1070,13 @@ static void`
`1074`	`1070`	`init_openssl_rand(void)`
`1075`	`1071`	`{`
`1076`	`1072`	`if (RAND_get_rand_method()==NULL)`
	`1073`	`+{`
	`1074`	`+#ifdefHAVE_RAND_OPENSSL`
`1077`	`1075`	`RAND_set_rand_method(RAND_OpenSSL());`
	`1076`	`+#else`
	`1077`	`+RAND_set_rand_method(RAND_SSLeay());`
	`1078`	`+#endif`
	`1079`	`+}`
`1078`	`1080`	`openssl_random_init=1;`
`1079`	`1081`	`}`
`1080`	`1082`

`‎src/backend/libpq/be-secure-openssl.c`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,7 @@ be_tls_init(void)`
`167`	`167`
`168`	`168`	`if (!SSL_context)`
`169`	`169`	`{`
`170`		`-#ifOPENSSL_VERSION_NUMBER >=0x10100000L`
	`170`	`+#ifdefHAVE_OPENSSL_INIT_SSL`
`171`	`171`	`OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG,NULL);`
`172`	`172`	`#else`
`173`	`173`	`#ifOPENSSL_VERSION_NUMBER >=0x0907000L`
`@@ -655,7 +655,7 @@ be_tls_write(Port port, void ptr, size_t len, int *waitfor)`
`655`	`655`	`* to retry; do we need to adopt their logic for that?`
`656`	`656`	`*/`
`657`	`657`
`658`		`-#ifOPENSSL_VERSION_NUMBER<0x10100000L`
	`658`	`+#ifndefHAVE_BIO_GET_DATA`
`659`	`659`	`#defineBIO_get_data(bio) (bio->ptr)`
`660`	`660`	`#defineBIO_set_data(bio,data) (bio->ptr = data)`
`661`	`661`	`#endif`
`@@ -709,7 +709,7 @@ my_BIO_s_socket(void)`
`709`	`709`	`if (!my_bio_methods)`
`710`	`710`	`{`
`711`	`711`	`BIO_METHODbiom= (BIO_METHOD)BIO_s_socket();`
`712`		`-#ifOPENSSL_VERSION_NUMBER >=0x10100000L`
	`712`	`+#ifdefHAVE_BIO_METH_NEW`
`713`	`713`	`intmy_bio_index;`
`714`	`714`
`715`	`715`	`my_bio_index=BIO_get_new_index();`

`‎src/include/pg_config.h.in`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -84,12 +84,21 @@`
`84`	`84`	/* Define to 1 if you have the `append_history' function. */
`85`	`85`	`#undef HAVE_APPEND_HISTORY`
`86`	`86`
	`87`	+/* Define to 1 if you have the `ASN1_STRING_get0_data' function. */
	`88`	`+#undef HAVE_ASN1_STRING_GET0_DATA`
	`89`	`+`
`87`	`90`	`/* Define to 1 if you want to use atomics if available. */`
`88`	`91`	`#undef HAVE_ATOMICS`
`89`	`92`
`90`	`93`	`/* Define to 1 if you have the <atomic.h> header file. */`
`91`	`94`	`#undef HAVE_ATOMIC_H`
`92`	`95`
	`96`	+/* Define to 1 if you have the `BIO_get_data' function. */
	`97`	`+#undef HAVE_BIO_GET_DATA`
	`98`	`+`
	`99`	+/* Define to 1 if you have the `BIO_meth_new' function. */
	`100`	`+#undef HAVE_BIO_METH_NEW`
	`101`	`+`
`93`	`102`	/* Define to 1 if you have the `cbrt' function. */
`94`	`103`	`#undef HAVE_CBRT`
`95`	`104`
`@@ -102,6 +111,9 @@`
`102`	`111`	/* Define to 1 if you have the `crypt' function. */
`103`	`112`	`#undef HAVE_CRYPT`
`104`	`113`
	`114`	+/* Define to 1 if you have the `CRYPTO_lock' function. */
	`115`	`+#undef HAVE_CRYPTO_LOCK`
	`116`	`+`
`105`	`117`	`/* Define to 1 if you have the <crypt.h> header file. */`
`106`	`118`	`#undef HAVE_CRYPT_H`
`107`	`119`
`@@ -364,6 +376,9 @@`
`364`	`376`	`/* Define to 1 if you have the <net/if.h> header file. */`
`365`	`377`	`#undef HAVE_NET_IF_H`
`366`	`378`
	`379`	+/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
	`380`	`+#undef HAVE_OPENSSL_INIT_SSL`
	`381`	`+`
`367`	`382`	`/* Define to 1 if you have the <ossp/uuid.h> header file. */`
`368`	`383`	`#undef HAVE_OSSP_UUID_H`
`369`	`384`
`@@ -400,6 +415,9 @@`
`400`	`415`	/* Define to 1 if you have the `random' function. */
`401`	`416`	`#undef HAVE_RANDOM`
`402`	`417`
	`418`	+/* Define to 1 if you have the `RAND_OpenSSL' function. */
	`419`	`+#undef HAVE_RAND_OPENSSL`
	`420`	`+`
`403`	`421`	`/* Define to 1 if you have the <readline.h> header file. */`
`404`	`422`	`#undef HAVE_READLINE_H`
`405`	`423`

`‎src/interfaces/libpq/fe-secure-openssl.c`

Lines changed: 17 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -507,10 +507,6 @@ wildcard_certificate_match(const char pattern, const char string)`
`507`	`507`	`return1;`
`508`	`508`	`}`
`509`	`509`
`510`		`-#ifOPENSSL_VERSION_NUMBER<0x10100000L`
`511`		`-#defineASN1_STRING_get0_data ASN1_STRING_data`
`512`		`-#endif`
`513`		`-`
`514`	`510`	`/*`
`515`	`511`	`* Check if a name from a server's certificate matches the peer's hostname.`
`516`	`512`	`*`
`@@ -545,7 +541,11 @@ verify_peer_name_matches_certificate_name(PGconn conn, ASN1_STRING name_entry,`
`545`	`541`	`* There is no guarantee the string returned from the certificate is`
`546`	`542`	`* NULL-terminated, so make a copy that is.`
`547`	`543`	`*/`
	`544`	`+#ifdefHAVE_ASN1_STRING_GET0_DATA`
`548`	`545`	`namedata=ASN1_STRING_get0_data(name_entry);`
	`546`	`+#else`
	`547`	`+namedata=ASN1_STRING_data(name_entry);`
	`548`	`+#endif`
`549`	`549`	`len=ASN1_STRING_length(name_entry);`
`550`	`550`	`name=malloc(len+1);`
`551`	`551`	`if (name==NULL)`
`@@ -733,10 +733,13 @@ verify_peer_name_matches_certificate(PGconn *conn)`
`733`	`733`	`returnfound_match&& !got_error;`
`734`	`734`	`}`
`735`	`735`
`736`		`-#if defined(ENABLE_THREAD_SAFETY)&&OPENSSL_VERSION_NUMBER<0x10100000L`
	`736`	`+#if defined(ENABLE_THREAD_SAFETY)&&defined(HAVE_CRYPTO_LOCK)`
`737`	`737`	`/*`
`738`		`- *Callback functions for OpenSSL internal locking. (OpenSSL 1.1.0`
`739`		`- *does its own locking, and doesn't need these anymore.)`
	`738`	`+ *Callback functions for OpenSSL internal locking. (OpenSSL 1.1.0`
	`739`	`+ *does its own locking, and doesn't need these anymore. The`
	`740`	`+ *CRYPTO_lock() function was removed in 1.1.0, when the callbacks`
	`741`	`+ *were made obsolete, so we assume that if CRYPTO_lock() exists,`
	`742`	`+ *the callbacks are still required.)`
`740`	`743`	`*/`
`741`	`744`
`742`	`745`	`staticunsigned long`
`@@ -766,7 +769,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)`
`766`	`769`	`PGTHREAD_ERROR("failed to unlock mutex");`
`767`	`770`	`}`
`768`	`771`	`}`
`769`		`-#endif/* ENABLE_THREAD_SAFETY &&OPENSSL_VERSION_NUMBER < 0x10100000L */`
	`772`	`+#endif/* ENABLE_THREAD_SAFETY &&HAVE_CRYPTO_LOCK */`
`770`	`773`
`771`	`774`	`/*`
`772`	`775`	`* Initialize SSL system, in particular creating the SSL_context object`
`@@ -805,7 +808,7 @@ pgtls_init(PGconn *conn)`
`805`	`808`	`if (pthread_mutex_lock(&ssl_config_mutex))`
`806`	`809`	`return-1;`
`807`	`810`
`808`		`-#ifOPENSSL_VERSION_NUMBER<0x10100000L`
	`811`	`+#ifdefHAVE_CRYPTO_LOCK`
`809`	`812`	`if (pq_init_crypto_lib)`
`810`	`813`	`{`
`811`	`814`	`/*`
`@@ -846,14 +849,14 @@ pgtls_init(PGconn *conn)`
`846`	`849`	`CRYPTO_set_locking_callback(pq_lockingcallback);`
`847`	`850`	`}`
`848`	`851`	`}`
`849`		`-#endif/OPENSSL_VERSION_NUMBER < 0x10100000L /`
	`852`	`+#endif/HAVE_CRYPTO_LOCK /`
`850`	`853`	`#endif/* ENABLE_THREAD_SAFETY */`
`851`	`854`
`852`	`855`	`if (!SSL_context)`
`853`	`856`	`{`
`854`	`857`	`if (pq_init_ssl_lib)`
`855`	`858`	`{`
`856`		`-#ifOPENSSL_VERSION_NUMBER >=0x10100000L`
	`859`	`+#ifdefHAVE_OPENSSL_INIT_SSL`
`857`	`860`	`OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG,NULL);`
`858`	`861`	`#else`
`859`	`862`	`#ifOPENSSL_VERSION_NUMBER >=0x00907000L`
`@@ -916,7 +919,7 @@ pgtls_init(PGconn *conn)`
`916`	`919`	`staticvoid`
`917`	`920`	`destroy_ssl_system(void)`
`918`	`921`	`{`
`919`		`-#if defined(ENABLE_THREAD_SAFETY)&&OPENSSL_VERSION_NUMBER<0x10100000L`
	`922`	`+#if defined(ENABLE_THREAD_SAFETY)&&defined(HAVE_CRYPTO_LOCK)`
`920`	`923`	`/* Mutex is created in initialize_ssl_system() */`
`921`	`924`	`if (pthread_mutex_lock(&ssl_config_mutex))`
`922`	`925`	`return;`
`@@ -1631,7 +1634,7 @@ PQsslAttribute(PGconn conn, const char attribute_name)`
`1631`	`1634`	`* to retry; do we need to adopt their logic for that?`
`1632`	`1635`	`*/`
`1633`	`1636`
`1634`		`-#ifOPENSSL_VERSION_NUMBER<0x10100000L`
	`1637`	`+#ifndefHAVE_BIO_GET_DATA`
`1635`	`1638`	`#defineBIO_get_data(bio) (bio->ptr)`
`1636`	`1639`	`#defineBIO_set_data(bio,data) (bio->ptr = data)`
`1637`	`1640`	`#endif`
`@@ -1704,7 +1707,7 @@ my_BIO_s_socket(void)`
`1704`	`1707`	`if (!my_bio_methods)`
`1705`	`1708`	`{`
`1706`	`1709`	`BIO_METHODbiom= (BIO_METHOD)BIO_s_socket();`
`1707`		`-#ifOPENSSL_VERSION_NUMBER >=0x10100000L`
	`1710`	`+#ifdefHAVE_BIO_METH_NEW`
`1708`	`1711`	`intmy_bio_index;`
`1709`	`1712`
`1710`	`1713`	`my_bio_index=BIO_get_new_index();`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit48e5ba6

File tree

6 files changed

6 files changed

`‎configure`

`‎configure.in`

`‎contrib/pgcrypto/openssl.c`

`‎src/backend/libpq/be-secure-openssl.c`

`‎src/include/pg_config.h.in`

`‎src/interfaces/libpq/fe-secure-openssl.c`

0 commit comments