Another attempt at fixing build with various OpenSSL versions
It seems we can't easily work around the lack of X509_get_signature_nid(), so revert the previous attempts and just disable the tls-server-end-point feature if we don't have it.
This commit is contained in:
parent
1834c1e432
commit
054e8c6cdb
|
@ -10125,12 +10125,13 @@ else
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
for ac_func in SSL_get_current_compression
|
for ac_func in SSL_get_current_compression X509_get_signature_nid
|
||||||
do :
|
do :
|
||||||
ac_fn_c_check_func "$LINENO" "SSL_get_current_compression" "ac_cv_func_SSL_get_current_compression"
|
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||||
if test "x$ac_cv_func_SSL_get_current_compression" = xyes; then :
|
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
||||||
|
if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
|
||||||
cat >>confdefs.h <<_ACEOF
|
cat >>confdefs.h <<_ACEOF
|
||||||
#define HAVE_SSL_GET_CURRENT_COMPRESSION 1
|
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
|
||||||
_ACEOF
|
_ACEOF
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -1064,7 +1064,7 @@ if test "$with_openssl" = yes ; then
|
||||||
AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
|
AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
|
||||||
AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
|
AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
|
||||||
fi
|
fi
|
||||||
AC_CHECK_FUNCS([SSL_get_current_compression])
|
AC_CHECK_FUNCS([SSL_get_current_compression X509_get_signature_nid])
|
||||||
# Functions introduced in OpenSSL 1.1.0. We used to check for
|
# Functions introduced in OpenSSL 1.1.0. We used to check for
|
||||||
# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
|
# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
|
||||||
# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
|
# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
|
||||||
|
|
|
@ -57,7 +57,6 @@
|
||||||
#ifndef OPENSSL_NO_ECDH
|
#ifndef OPENSSL_NO_ECDH
|
||||||
#include <openssl/ec.h>
|
#include <openssl/ec.h>
|
||||||
#endif
|
#endif
|
||||||
#include <openssl/x509.h>
|
|
||||||
|
|
||||||
#include "libpq/libpq.h"
|
#include "libpq/libpq.h"
|
||||||
#include "miscadmin.h"
|
#include "miscadmin.h"
|
||||||
|
@ -1250,6 +1249,7 @@ be_tls_get_peer_finished(Port *port, size_t *len)
|
||||||
char *
|
char *
|
||||||
be_tls_get_certificate_hash(Port *port, size_t *len)
|
be_tls_get_certificate_hash(Port *port, size_t *len)
|
||||||
{
|
{
|
||||||
|
#ifdef HAVE_X509_GET_SIGNATURE_NID
|
||||||
X509 *server_cert;
|
X509 *server_cert;
|
||||||
char *cert_hash;
|
char *cert_hash;
|
||||||
const EVP_MD *algo_type = NULL;
|
const EVP_MD *algo_type = NULL;
|
||||||
|
@ -1266,7 +1266,7 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
|
||||||
* Get the signature algorithm of the certificate to determine the
|
* Get the signature algorithm of the certificate to determine the
|
||||||
* hash algorithm to use for the result.
|
* hash algorithm to use for the result.
|
||||||
*/
|
*/
|
||||||
if (!OBJ_find_sigid_algs(OBJ_obj2nid(server_cert->sig_alg->algorithm),
|
if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
|
||||||
&algo_nid, NULL))
|
&algo_nid, NULL))
|
||||||
elog(ERROR, "could not determine server certificate signature algorithm");
|
elog(ERROR, "could not determine server certificate signature algorithm");
|
||||||
|
|
||||||
|
@ -1299,6 +1299,12 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
|
||||||
*len = hash_size;
|
*len = hash_size;
|
||||||
|
|
||||||
return cert_hash;
|
return cert_hash;
|
||||||
|
#else
|
||||||
|
ereport(ERROR,
|
||||||
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
||||||
|
errmsg("channel binding type \"tls-server-end-point\" is not supported by this build")));
|
||||||
|
return NULL;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
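Review bot: The new `#else` branch of be_tls_get_certificate_hash turns a missing X509_get_signature_nid() into a runtime refusal of tls-server-end-point, but nothing in the stub records why the function can be absent, so a later reader cannot tell a build-capability gap from a bug; I would add above `ereport(ERROR,` a comment along the lines of `/* X509_get_signature_nid() is missing from older OpenSSL/LibreSSL; without it we cannot pick the hash matching the certificate's signature algorithm, so refuse this channel binding type rather than guess. */`. Since ereport(ERROR) does not return, the trailing `return NULL;` only keeps compilers quiet, which deserves a one-line remark so nobody later "fixes" it into a reachable fallback that would let authentication continue without the binding. The removal of `#include <openssl/x509.h>` at the top presumably relies on `<openssl/ssl.h>` (outside this hunk) already declaring the X509 API, which is worth confirming on the oldest supported OpenSSL. The hash computation in the middle of the function lies between the hunks shown and is unchanged.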
|
||||||
|
|
|
@ -681,6 +681,9 @@
|
||||||
/* Define to 1 if you have the <winldap.h> header file. */
|
/* Define to 1 if you have the <winldap.h> header file. */
|
||||||
#undef HAVE_WINLDAP_H
|
#undef HAVE_WINLDAP_H
|
||||||
|
|
||||||
|
/* Define to 1 if you have the `X509_get_signature_nid' function. */
|
||||||
|
#undef HAVE_X509_GET_SIGNATURE_NID
|
||||||
|
|
||||||
/* Define to 1 if your compiler understands __builtin_bswap16. */
|
/* Define to 1 if your compiler understands __builtin_bswap16. */
|
||||||
#undef HAVE__BUILTIN_BSWAP16
|
#undef HAVE__BUILTIN_BSWAP16
|
||||||
|
|
||||||
|
|
|
@ -58,7 +58,6 @@
|
||||||
#ifdef USE_SSL_ENGINE
|
#ifdef USE_SSL_ENGINE
|
||||||
#include <openssl/engine.h>
|
#include <openssl/engine.h>
|
||||||
#endif
|
#endif
|
||||||
#include <openssl/x509.h>
|
|
||||||
#include <openssl/x509v3.h>
|
#include <openssl/x509v3.h>
|
||||||
|
|
||||||
static bool verify_peer_name_matches_certificate(PGconn *);
|
static bool verify_peer_name_matches_certificate(PGconn *);
|
||||||
|
@ -430,6 +429,7 @@ pgtls_get_finished(PGconn *conn, size_t *len)
|
||||||
char *
|
char *
|
||||||
pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
|
pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
|
||||||
{
|
{
|
||||||
|
#ifdef HAVE_X509_GET_SIGNATURE_NID
|
||||||
X509 *peer_cert;
|
X509 *peer_cert;
|
||||||
const EVP_MD *algo_type;
|
const EVP_MD *algo_type;
|
||||||
unsigned char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */
|
unsigned char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */
|
||||||
|
@ -448,7 +448,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
|
||||||
* Get the signature algorithm of the certificate to determine the hash
|
* Get the signature algorithm of the certificate to determine the hash
|
||||||
* algorithm to use for the result.
|
* algorithm to use for the result.
|
||||||
*/
|
*/
|
||||||
if (!OBJ_find_sigid_algs(OBJ_obj2nid(peer_cert->sig_alg->algorithm),
|
if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
|
||||||
&algo_nid, NULL))
|
&algo_nid, NULL))
|
||||||
{
|
{
|
||||||
printfPQExpBuffer(&conn->errorMessage,
|
printfPQExpBuffer(&conn->errorMessage,
|
||||||
|
@ -499,6 +499,11 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
|
||||||
*len = hash_size;
|
*len = hash_size;
|
||||||
|
|
||||||
return cert_hash;
|
return cert_hash;
|
||||||
|
#else
|
||||||
|
printfPQExpBuffer(&conn->errorMessage,
|
||||||
|
libpq_gettext("channel binding type \"tls-server-end-point\" is not supported by this build\n"));
|
||||||
|
return NULL;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
/* ------------------------------------------------------------ */
|
/* ------------------------------------------------------------ */
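Review bot: In the new `#else` branch of pgtls_get_peer_certificate_hash, `*len` is left untouched when NULL is returned, whereas the success path always stores `*len = hash_size`; a caller that reads `len` before checking the pointer would consume an uninitialized value, so either add `*len = 0;` before the `printfPQExpBuffer` call or document that `len` is only meaningful when the return is non-NULL. The caller is not in the hunk, so whether it checks the pointer first cannot be confirmed here. A comment above the `#else` should also say that this stub exists because older OpenSSL/LibreSSL lack X509_get_signature_nid() and that a NULL result must fail the channel-binding step rather than silently downgrade it; that expectation is inferred from the error text and should be verified against the SCRAM code that consumes the hash. The hash computation between the hunks is unchanged and not shown.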
|
||||||
|
|