|
36 | 36 | #include <openssl/ec.h>
|
37 | 37 | #endif
|
38 | 38 |
|
| 39 | +#include "common/openssl.h" |
39 | 40 | #include "libpq/libpq.h"
|
40 | 41 | #include "miscadmin.h"
|
41 | 42 | #include "pgstat.h"
|
@@ -69,11 +70,6 @@ static bool ssl_is_server_start;
|
69 | 70 |
|
70 | 71 | static int ssl_protocol_version_to_openssl(int v, const char *guc_name,
|
71 | 72 | int loglevel);
|
72 |
| -#ifndef SSL_CTX_set_min_proto_version |
73 |
| -static int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version); |
74 |
| -static int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version); |
75 |
| -#endif |
76 |
| - |
77 | 73 |
|
78 | 74 | /* ------------------------------------------------------------ */
|
79 | 75 | /* Public interface */
|
@@ -1314,96 +1310,3 @@ ssl_protocol_version_to_openssl(int v, const char *guc_name, int loglevel)
|
1314 | 1310 | GetConfigOption(guc_name, false, false))));
|
1315 | 1311 | return -1;
|
1316 | 1312 | }
|
1317 |
| - |
1318 |
| -/* |
1319 |
| - * Replacements for APIs present in newer versions of OpenSSL |
1320 |
| - */ |
1321 |
| -#ifndef SSL_CTX_set_min_proto_version |
1322 |
| - |
1323 |
| -/* |
1324 |
| - * OpenSSL versions that support TLS 1.3 shouldn't get here because they |
1325 |
| - * already have these functions. So we don't have to keep updating the below |
1326 |
| - * code for every new TLS version, and eventually it can go away. But let's |
1327 |
| - * just check this to make sure ... |
1328 |
| - */ |
1329 |
| -#ifdef TLS1_3_VERSION |
1330 |
| -#error OpenSSL version mismatch |
1331 |
| -#endif |
1332 |
| - |
1333 |
| -static int |
1334 |
| -SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version) |
1335 |
| -{ |
1336 |
| - int ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; |
1337 |
| - |
1338 |
| - if (version > TLS1_VERSION) |
1339 |
| - ssl_options |= SSL_OP_NO_TLSv1; |
1340 |
| - /* |
1341 |
| - * Some OpenSSL versions define TLS*_VERSION macros but not the |
1342 |
| - * corresponding SSL_OP_NO_* macro, so in those cases we have to return |
1343 |
| - * unsuccessfully here. |
1344 |
| - */ |
1345 |
| -#ifdef TLS1_1_VERSION |
1346 |
| - if (version > TLS1_1_VERSION) |
1347 |
| - { |
1348 |
| -#ifdef SSL_OP_NO_TLSv1_1 |
1349 |
| - ssl_options |= SSL_OP_NO_TLSv1_1; |
1350 |
| -#else |
1351 |
| - return 0; |
1352 |
| -#endif |
1353 |
| - } |
1354 |
| -#endif |
1355 |
| -#ifdef TLS1_2_VERSION |
1356 |
| - if (version > TLS1_2_VERSION) |
1357 |
| - { |
1358 |
| -#ifdef SSL_OP_NO_TLSv1_2 |
1359 |
| - ssl_options |= SSL_OP_NO_TLSv1_2; |
1360 |
| -#else |
1361 |
| - return 0; |
1362 |
| -#endif |
1363 |
| - } |
1364 |
| -#endif |
1365 |
| - |
1366 |
| - SSL_CTX_set_options(ctx, ssl_options); |
1367 |
| - |
1368 |
| - return 1; /* success */ |
1369 |
| -} |
1370 |
| - |
1371 |
| -static int |
1372 |
| -SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version) |
1373 |
| -{ |
1374 |
| - int ssl_options = 0; |
1375 |
| - |
1376 |
| - AssertArg(version != 0); |
1377 |
| - |
1378 |
| - /* |
1379 |
| - * Some OpenSSL versions define TLS*_VERSION macros but not the |
1380 |
| - * corresponding SSL_OP_NO_* macro, so in those cases we have to return |
1381 |
| - * unsuccessfully here. |
1382 |
| - */ |
1383 |
| -#ifdef TLS1_1_VERSION |
1384 |
| - if (version < TLS1_1_VERSION) |
1385 |
| - { |
1386 |
| -#ifdef SSL_OP_NO_TLSv1_1 |
1387 |
| - ssl_options |= SSL_OP_NO_TLSv1_1; |
1388 |
| -#else |
1389 |
| - return 0; |
1390 |
| -#endif |
1391 |
| - } |
1392 |
| -#endif |
1393 |
| -#ifdef TLS1_2_VERSION |
1394 |
| - if (version < TLS1_2_VERSION) |
1395 |
| - { |
1396 |
| -#ifdef SSL_OP_NO_TLSv1_2 |
1397 |
| - ssl_options |= SSL_OP_NO_TLSv1_2; |
1398 |
| -#else |
1399 |
| - return 0; |
1400 |
| -#endif |
1401 |
| - } |
1402 |
| -#endif |
1403 |
| - |
1404 |
| - SSL_CTX_set_options(ctx, ssl_options); |
1405 |
| - |
1406 |
| - return 1; /* success */ |
1407 |
| -} |
1408 |
| - |
1409 |
| -#endif /* !SSL_CTX_set_min_proto_version */ |