
Commit 9895818

Fix building with LibreSSL.
LibreSSL defines OPENSSL_VERSION_NUMBER to claim that it is version 2.0.0, but it doesn't have the functions added in OpenSSL 1.1.0. Add autoconf checks for the individual functions we need, and stop relying on OPENSSL_VERSION_NUMBER. Backport to 9.5 and 9.6, like the patch that broke this. In the back-branches, there are still a few OPENSSL_VERSION_NUMBER checks left, to check for OpenSSL 0.9.8 or 0.9.7. I left them as they were - LibreSSL has all those functions, so they work as intended. Per buildfarm member curculio. Discussion: <2442.1473957669@sss.pgh.pa.us>
1 parent 72ce781 commit 9895818


6 files changed

+85
-21
lines changed


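--- a/configure
+++ b/configure
@@ -9711,6 +9711,37 @@ if test "x$ac_cv_func_SSL_get_current_compression" = xyes; then :
 #define HAVE_SSL_GET_CURRENT_COMPRESSION 1
 _ACEOF
 
+fi
+done
+
+# Functions introduced in OpenSSL 1.1.0. We used to check for
+# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
+# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
+# doesn't have these OpenSSL 1.1.0 functions. So check for individual
+# functions.
+for ac_func in OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data RAND_OpenSSL
+do :
+as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+# OpenSSL versions before 1.1.0 required setting callback functions, for
+# thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock()
+# function was removed.
+for ac_func in CRYPTO_lock
+do :
+ac_fn_c_check_func "$LINENO" "CRYPTO_lock" "ac_cv_func_CRYPTO_lock"
+if test "x$ac_cv_func_CRYPTO_lock" = xyes; then :
+cat >>confdefs.h <<_ACEOF
+#define HAVE_CRYPTO_LOCK 1
+_ACEOF
+
 fi
 done
 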
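--- a/configure.in
+++ b/configure.in
@@ -1118,6 +1118,16 @@ if test "$with_openssl" = yes ; then
 AC_SEARCH_LIBS(SSL_new, ssleay32 ssl, [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
 fi
 AC_CHECK_FUNCS([SSL_get_current_compression])
+# Functions introduced in OpenSSL 1.1.0. We used to check for
+# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
+# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
+# doesn't have these OpenSSL 1.1.0 functions. So check for individual
+# functions.
+AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data RAND_OpenSSL])
+# OpenSSL versions before 1.1.0 required setting callback functions, for
+# thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock()
+# function was removed.
+AC_CHECK_FUNCS([CRYPTO_lock])
 fi
 
 if test "$with_pam" = yes ; then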
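Review bot: The new comment above the first AC_CHECK_FUNCS says the OPENSSL_VERSION_NUMBER test "didn't work with 1.1.0", but the failure the next sentence describes is LibreSSL's, not OpenSSL 1.1.0's, so a reader skimming it takes away the wrong constraint; suggest `# OPENSSL_VERSION_NUMBER, but that didn't work with LibreSSL, because LibreSSL` (configure is regenerated from this file, so its copy of the comment follows). These probe results are also load-bearing for safety rather than just for compilation: the C code treats an absent HAVE_CRYPTO_LOCK as "no locking callbacks needed", so the checks must link against the same libcrypto the build uses — presumably established by an AC_SEARCH_LIBS above this hunk, which is outside the visible lines. A short note here saying that a negative result is taken as "OpenSSL 1.1.0 or later" would make that dependency explicit for the next person editing this block.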

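--- a/contrib/pgcrypto/openssl.c
+++ b/contrib/pgcrypto/openssl.c
@@ -1062,10 +1062,6 @@ px_find_cipher(const char *name, PX_Cipher **res)
 
 static int openssl_random_init = 0;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#define RAND_OpenSSL RAND_SSLeay
-#endif
-
 /*
 * OpenSSL random should re-feeded occasionally. From /dev/urandom
 * preferably.
@@ -1074,7 +1070,13 @@ static void
 init_openssl_rand(void)
 {
 if (RAND_get_rand_method() == NULL)
+{
+#ifdef HAVE_RAND_OPENSSL
 RAND_set_rand_method(RAND_OpenSSL());
+#else
+RAND_set_rand_method(RAND_SSLeay());
+#endif
+}
 openssl_random_init = 1;
 }
 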
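Review bot: The new `#ifdef HAVE_RAND_OPENSSL` inside init_openssl_rand duplicates the RAND_set_rand_method() call site, while the same commit handles the equivalent BIO_get_data case in be-secure-openssl.c and fe-secure-openssl.c with a compatibility macro (`#ifndef HAVE_BIO_GET_DATA` / `#define ...`). Keeping the removed block at the top of the first hunk as `#ifndef HAVE_RAND_OPENSSL` / `#define RAND_OpenSSL RAND_SSLeay` / `#endif` would leave one call site and match that style. Whichever form stays, a one-line comment at the conditional such as `/* probe result, not OPENSSL_VERSION_NUMBER: LibreSSL reports 2.0.0 but lacks RAND_OpenSSL() */` would stop a later cleanup from folding this back into a version check.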
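--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -167,7 +167,7 @@ be_tls_init(void)
 
 if (!SSL_context)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#ifdef HAVE_OPENSSL_INIT_SSL
 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
 #else
 #if OPENSSL_VERSION_NUMBER >= 0x0907000L
@@ -678,7 +678,7 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
 * to retry; do we need to adopt their logic for that?
 */
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#ifndef HAVE_BIO_GET_DATA
 #define BIO_get_data(bio) (bio->ptr)
 #define BIO_set_data(bio, data) (bio->ptr = data)
 #endif
@@ -732,7 +732,7 @@ my_BIO_s_socket(void)
 if (!my_bio_methods)
 {
 BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#ifdef HAVE_BIO_METH_NEW
 int my_bio_index;
 
 my_bio_index = BIO_get_new_index();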
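Review bot: None of the three new conditionals in this file (`#ifdef HAVE_OPENSSL_INIT_SSL` in be_tls_init, `#ifndef HAVE_BIO_GET_DATA` before be_tls_write's BIO shims, `#ifdef HAVE_BIO_METH_NEW` in my_BIO_s_socket) says why a feature probe replaced the version test; the rationale lives only in the libpq file's CRYPTO_lock comment, and a backend-only reader has no way to know a version check would be wrong. Suggest one comment at the first occurrence: `/* Probe for the 1.1.0 API rather than OPENSSL_VERSION_NUMBER: LibreSSL claims 2.0.0 without providing it. */`. Note the asymmetry of the fallbacks: a spurious negative for HAVE_BIO_GET_DATA fails loudly on 1.1.0 because `bio->ptr` no longer compiles against the opaque BIO, whereas a spurious negative for HAVE_OPENSSL_INIT_SSL silently takes the legacy init path below it. be_tls_init, be_tls_write and my_BIO_s_socket all continue outside the hunks shown.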

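--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -84,12 +84,21 @@
 /* Define to 1 if you have the `append_history' function. */
 #undef HAVE_APPEND_HISTORY
 
+/* Define to 1 if you have the `ASN1_STRING_get0_data' function. */
+#undef HAVE_ASN1_STRING_GET0_DATA
+
 /* Define to 1 if you want to use atomics if available. */
 #undef HAVE_ATOMICS
 
 /* Define to 1 if you have the <atomic.h> header file. */
 #undef HAVE_ATOMIC_H
 
+/* Define to 1 if you have the `BIO_get_data' function. */
+#undef HAVE_BIO_GET_DATA
+
+/* Define to 1 if you have the `BIO_meth_new' function. */
+#undef HAVE_BIO_METH_NEW
+
 /* Define to 1 if you have the `cbrt' function. */
 #undef HAVE_CBRT
 
@@ -102,6 +111,9 @@
 /* Define to 1 if you have the `crypt' function. */
 #undef HAVE_CRYPT
 
+/* Define to 1 if you have the `CRYPTO_lock' function. */
+#undef HAVE_CRYPTO_LOCK
+
 /* Define to 1 if you have the <crypt.h> header file. */
 #undef HAVE_CRYPT_H
 
@@ -364,6 +376,9 @@
 /* Define to 1 if you have the <net/if.h> header file. */
 #undef HAVE_NET_IF_H
 
+/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
+#undef HAVE_OPENSSL_INIT_SSL
+
 /* Define to 1 if you have the <ossp/uuid.h> header file. */
 #undef HAVE_OSSP_UUID_H
 
@@ -403,6 +418,9 @@
 /* Define to 1 if you have the `random' function. */
 #undef HAVE_RANDOM
 
+/* Define to 1 if you have the `RAND_OpenSSL' function. */
+#undef HAVE_RAND_OPENSSL
+
 /* Define to 1 if you have the <readline.h> header file. */
 #undef HAVE_READLINE_H
 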
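--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -508,10 +508,6 @@ wildcard_certificate_match(const char *pattern, const char *string)
 return 1;
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#define ASN1_STRING_get0_data ASN1_STRING_data
-#endif
-
 /*
 * Check if a name from a server's certificate matches the peer's hostname.
 *
@@ -546,7 +542,11 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
 * There is no guarantee the string returned from the certificate is
 * NULL-terminated, so make a copy that is.
 */
+#ifdef HAVE_ASN1_STRING_GET0_DATA
 namedata = ASN1_STRING_get0_data(name_entry);
+#else
+namedata = ASN1_STRING_data(name_entry);
+#endif
 len = ASN1_STRING_length(name_entry);
 name = malloc(len + 1);
 if (name == NULL)
@@ -734,10 +734,13 @@ verify_peer_name_matches_certificate(PGconn *conn)
 return found_match && !got_error;
 }
 
-#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK)
 /*
-* Callback functions for OpenSSL internal locking. (OpenSSL 1.1.0
-* does its own locking, and doesn't need these anymore.)
+* Callback functions for OpenSSL internal locking. (OpenSSL 1.1.0
+* does its own locking, and doesn't need these anymore. The
+* CRYPTO_lock() function was removed in 1.1.0, when the callbacks
+* were made obsolete, so we assume that if CRYPTO_lock() exists,
+* the callbacks are still required.)
 */
 
 static unsigned long
@@ -767,7 +770,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 PGTHREAD_ERROR("failed to unlock mutex");
 }
 }
-#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* ENABLE_THREAD_SAFETY && HAVE_CRYPTO_LOCK */
 
 /*
 * Initialize SSL system, in particular creating the SSL_context object
@@ -806,7 +809,7 @@ pgtls_init(PGconn *conn)
 if (pthread_mutex_lock(&ssl_config_mutex))
 return -1;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#ifdef HAVE_CRYPTO_LOCK
 if (pq_init_crypto_lib)
 {
 /*
@@ -847,14 +850,14 @@ pgtls_init(PGconn *conn)
 CRYPTO_set_locking_callback(pq_lockingcallback);
 }
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* HAVE_CRYPTO_LOCK */
 #endif /* ENABLE_THREAD_SAFETY */
 
 if (!SSL_context)
 {
 if (pq_init_ssl_lib)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#ifdef HAVE_OPENSSL_INIT_SSL
 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
 #else
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
@@ -917,7 +920,7 @@ pgtls_init(PGconn *conn)
 static void
 destroy_ssl_system(void)
 {
-#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK)
 /* Mutex is created in initialize_ssl_system() */
 if (pthread_mutex_lock(&ssl_config_mutex))
 return;
@@ -1632,7 +1635,7 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
 * to retry; do we need to adopt their logic for that?
 */
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#ifndef HAVE_BIO_GET_DATA
 #define BIO_get_data(bio) (bio->ptr)
 #define BIO_set_data(bio, data) (bio->ptr = data)
 #endif
@@ -1705,7 +1708,7 @@ my_BIO_s_socket(void)
 if (!my_bio_methods)
 {
 BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#ifdef HAVE_BIO_METH_NEW
 int my_bio_index;
 
 my_bio_index = BIO_get_new_index();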
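Review bot: With `#if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK)` at old line 737 and the matching `#ifdef HAVE_CRYPTO_LOCK` in pgtls_init, an undefined HAVE_CRYPTO_LOCK is read as "the library locks for itself"; on OpenSSL older than 1.1.0 a configure probe that failed for an unrelated reason (libcrypto not in LIBS, a cross-compile quirk) would therefore build libpq without the locking callbacks, and nothing in the build reports it. A cheap guard next to the new comment turns that silent thread-safety loss into a build error: `#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(HAVE_CRYPTO_LOCK)` / `#error "CRYPTO_lock() not found, but this OpenSSL requires locking callbacks"` / `#endif`. It cannot misfire for LibreSSL, which reports 2.0.0 and, per the commit message, still provides CRYPTO_lock(); for genuine 1.1.0 the version test is false. The same reasoning applies to HAVE_OPENSSL_INIT_SSL in the pgtls_init hunk at old line 857, which is also taken as "absent means older API". pgtls_init and destroy_ssl_system both continue outside the hunks shown.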
