Commit 5c6df67e authored by Heikki Linnakangas

Fix building with LibreSSL.

LibreSSL defines OPENSSL_VERSION_NUMBER to claim that it is version 2.0.0,
but it doesn't have the functions added in OpenSSL 1.1.0. Add autoconf
checks for the individual functions we need, and stop relying on
OPENSSL_VERSION_NUMBER.

Backport to 9.5 and 9.6, like the patch that broke this. In the
back-branches, there are still a few OPENSSL_VERSION_NUMBER checks left,
to check for OpenSSL 0.9.8 or 0.9.7. I left them as they were - LibreSSL
has all those functions, so they work as intended.

Per buildfarm member curculio.

Discussion: <2442.1473957669@sss.pgh.pa.us>
parent ffccee47
...@@ -9711,6 +9711,37 @@ if test "x$ac_cv_func_SSL_get_current_compression" = xyes; then : ...@@ -9711,6 +9711,37 @@ if test "x$ac_cv_func_SSL_get_current_compression" = xyes; then :
#define HAVE_SSL_GET_CURRENT_COMPRESSION 1 #define HAVE_SSL_GET_CURRENT_COMPRESSION 1
_ACEOF _ACEOF
fi
done
# Functions introduced in OpenSSL 1.1.0. We used to check for
# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
# doesn't have these OpenSSL 1.1.0 functions. So check for individual
# functions.
for ac_func in OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data RAND_OpenSSL
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
fi
done
# OpenSSL versions before 1.1.0 required setting callback functions, for
# thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock()
# function was removed.
for ac_func in CRYPTO_lock
do :
ac_fn_c_check_func "$LINENO" "CRYPTO_lock" "ac_cv_func_CRYPTO_lock"
if test "x$ac_cv_func_CRYPTO_lock" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_CRYPTO_LOCK 1
_ACEOF
fi fi
done done
...@@ -1118,6 +1118,16 @@ if test "$with_openssl" = yes ; then ...@@ -1118,6 +1118,16 @@ if test "$with_openssl" = yes ; then
AC_SEARCH_LIBS(SSL_new, ssleay32 ssl, [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])]) AC_SEARCH_LIBS(SSL_new, ssleay32 ssl, [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
fi fi
AC_CHECK_FUNCS([SSL_get_current_compression]) AC_CHECK_FUNCS([SSL_get_current_compression])
# Functions introduced in OpenSSL 1.1.0. We used to check for
# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
# doesn't have these OpenSSL 1.1.0 functions. So check for individual
# functions.
AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_get_data BIO_meth_new ASN1_STRING_get0_data RAND_OpenSSL])
# OpenSSL versions before 1.1.0 required setting callback functions, for
# thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock()
# function was removed.
AC_CHECK_FUNCS([CRYPTO_lock])
fi fi
if test "$with_pam" = yes ; then if test "$with_pam" = yes ; then
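Review bot: The comment introducing the new AC_CHECK_FUNCS block misattributes the failure: it says the OPENSSL_VERSION_NUMBER test "didn't work with 1.1.0, because LibreSSL defines...", but per the commit message the version test misfires on LibreSSL, not on OpenSSL 1.1.0. Rewording the two lines to `# OPENSSL_VERSION_NUMBER, but that didn't work with LibreSSL, because it` / `# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it` keeps the reasoning accurate for the next person who touches these probes. The same text is duplicated in the generated configure hunk above, which will pick up the fix on regeneration. It may also be worth a one-line comment that these are link tests, so a probe that fails for an unrelated reason (e.g. a library path problem) silently selects the pre-1.1.0 code paths rather than erroring out; that is inferred from how AC_CHECK_FUNCS works, not visible here.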
...@@ -914,10 +914,6 @@ px_find_cipher(const char *name, PX_Cipher **res) ...@@ -914,10 +914,6 @@ px_find_cipher(const char *name, PX_Cipher **res)
static int openssl_random_init = 0; static int openssl_random_init = 0;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define RAND_OpenSSL RAND_SSLeay
#endif
/* /*
* OpenSSL random should re-feeded occasionally. From /dev/urandom * OpenSSL random should re-feeded occasionally. From /dev/urandom
* preferably. * preferably.
...@@ -926,7 +922,13 @@ static void ...@@ -926,7 +922,13 @@ static void
init_openssl_rand(void) init_openssl_rand(void)
{ {
if (RAND_get_rand_method() == NULL) if (RAND_get_rand_method() == NULL)
{
#ifdef HAVE_RAND_OPENSSL
RAND_set_rand_method(RAND_OpenSSL()); RAND_set_rand_method(RAND_OpenSSL());
#else
RAND_set_rand_method(RAND_SSLeay());
#endif
}
openssl_random_init = 1; openssl_random_init = 1;
} }
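Review bot: Both branches of the new `#ifdef HAVE_RAND_OPENSSL` block discard the int returned by RAND_set_rand_method(), and `openssl_random_init = 1` is set unconditionally afterwards, so a failed registration (possible in some library versions, if I read the API right) would still mark the RNG as initialised. A minimal defensive change is to keep the flag tied to success, e.g. `if (RAND_set_rand_method(RAND_OpenSSL()) != 1) return;` in the first branch and the same pattern with RAND_SSLeay() in the second, leaving `openssl_random_init` at 0 so the caller re-tries or reports. If the project treats this call as infallible, a short comment saying so would document the assumption; the surrounding init_openssl_rand() body is entirely within this hunk.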
...@@ -165,7 +165,7 @@ be_tls_init(void) ...@@ -165,7 +165,7 @@ be_tls_init(void)
if (!SSL_context) if (!SSL_context)
{ {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #ifdef HAVE_OPENSSL_INIT_SSL
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
#else #else
OPENSSL_config(NULL); OPENSSL_config(NULL);
...@@ -672,7 +672,7 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor) ...@@ -672,7 +672,7 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
* to retry; do we need to adopt their logic for that? * to retry; do we need to adopt their logic for that?
*/ */
#if OPENSSL_VERSION_NUMBER < 0x10100000L #ifndef HAVE_BIO_GET_DATA
#define BIO_get_data(bio) (bio->ptr) #define BIO_get_data(bio) (bio->ptr)
#define BIO_set_data(bio, data) (bio->ptr = data) #define BIO_set_data(bio, data) (bio->ptr = data)
#endif #endif
...@@ -726,7 +726,7 @@ my_BIO_s_socket(void) ...@@ -726,7 +726,7 @@ my_BIO_s_socket(void)
if (!my_bio_methods) if (!my_bio_methods)
{ {
BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket(); BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #ifdef HAVE_BIO_METH_NEW
int my_bio_index; int my_bio_index;
my_bio_index = BIO_get_new_index(); my_bio_index = BIO_get_new_index();
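Review bot: The `#ifndef HAVE_BIO_GET_DATA` fallback now keys the `bio->ptr` accessor macros on a configure probe rather than on the library version, so any build where the probe reports "no" for a reason other than an old OpenSSL will attempt to dereference BIO's private fields; on OpenSSL 1.1.0, where those structs are opaque, that shows up as a compile error rather than a silent misbehaviour, which is the better failure mode but worth stating. Suggest a comment above the macros: `/* Pre-1.1.0 BIO is not opaque; if HAVE_BIO_GET_DATA is missing on a newer library, this fails to compile rather than misbehaving. */`. The identical fallback appears in the fe-secure-openssl.c hunk below and deserves the same comment.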
...@@ -84,12 +84,21 @@ ...@@ -84,12 +84,21 @@
/* Define to 1 if you have the `append_history' function. */ /* Define to 1 if you have the `append_history' function. */
#undef HAVE_APPEND_HISTORY #undef HAVE_APPEND_HISTORY
/* Define to 1 if you have the `ASN1_STRING_get0_data' function. */
#undef HAVE_ASN1_STRING_GET0_DATA
/* Define to 1 if you want to use atomics if available. */ /* Define to 1 if you want to use atomics if available. */
#undef HAVE_ATOMICS #undef HAVE_ATOMICS
/* Define to 1 if you have the <atomic.h> header file. */ /* Define to 1 if you have the <atomic.h> header file. */
#undef HAVE_ATOMIC_H #undef HAVE_ATOMIC_H
/* Define to 1 if you have the `BIO_get_data' function. */
#undef HAVE_BIO_GET_DATA
/* Define to 1 if you have the `BIO_meth_new' function. */
#undef HAVE_BIO_METH_NEW
/* Define to 1 if you have the `cbrt' function. */ /* Define to 1 if you have the `cbrt' function. */
#undef HAVE_CBRT #undef HAVE_CBRT
...@@ -102,6 +111,9 @@ ...@@ -102,6 +111,9 @@
/* Define to 1 if you have the `crypt' function. */ /* Define to 1 if you have the `crypt' function. */
#undef HAVE_CRYPT #undef HAVE_CRYPT
/* Define to 1 if you have the `CRYPTO_lock' function. */
#undef HAVE_CRYPTO_LOCK
/* Define to 1 if you have the <crypt.h> header file. */ /* Define to 1 if you have the <crypt.h> header file. */
#undef HAVE_CRYPT_H #undef HAVE_CRYPT_H
...@@ -364,6 +376,9 @@ ...@@ -364,6 +376,9 @@
/* Define to 1 if you have the <net/if.h> header file. */ /* Define to 1 if you have the <net/if.h> header file. */
#undef HAVE_NET_IF_H #undef HAVE_NET_IF_H
/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
#undef HAVE_OPENSSL_INIT_SSL
/* Define to 1 if you have the <ossp/uuid.h> header file. */ /* Define to 1 if you have the <ossp/uuid.h> header file. */
#undef HAVE_OSSP_UUID_H #undef HAVE_OSSP_UUID_H
...@@ -403,6 +418,9 @@ ...@@ -403,6 +418,9 @@
/* Define to 1 if you have the `random' function. */ /* Define to 1 if you have the `random' function. */
#undef HAVE_RANDOM #undef HAVE_RANDOM
/* Define to 1 if you have the `RAND_OpenSSL' function. */
#undef HAVE_RAND_OPENSSL
/* Define to 1 if you have the <readline.h> header file. */ /* Define to 1 if you have the <readline.h> header file. */
#undef HAVE_READLINE_H #undef HAVE_READLINE_H
...@@ -506,10 +506,6 @@ wildcard_certificate_match(const char *pattern, const char *string) ...@@ -506,10 +506,6 @@ wildcard_certificate_match(const char *pattern, const char *string)
return 1; return 1;
} }
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define ASN1_STRING_get0_data ASN1_STRING_data
#endif
/* /*
* Check if a name from a server's certificate matches the peer's hostname. * Check if a name from a server's certificate matches the peer's hostname.
* *
...@@ -544,7 +540,11 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, ...@@ -544,7 +540,11 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
* There is no guarantee the string returned from the certificate is * There is no guarantee the string returned from the certificate is
* NULL-terminated, so make a copy that is. * NULL-terminated, so make a copy that is.
*/ */
#ifdef HAVE_ASN1_STRING_GET0_DATA
namedata = ASN1_STRING_get0_data(name_entry); namedata = ASN1_STRING_get0_data(name_entry);
#else
namedata = ASN1_STRING_data(name_entry);
#endif
len = ASN1_STRING_length(name_entry); len = ASN1_STRING_length(name_entry);
name = malloc(len + 1); name = malloc(len + 1);
if (name == NULL) if (name == NULL)
...@@ -732,10 +732,13 @@ verify_peer_name_matches_certificate(PGconn *conn) ...@@ -732,10 +732,13 @@ verify_peer_name_matches_certificate(PGconn *conn)
return found_match && !got_error; return found_match && !got_error;
} }
#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L #if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK)
/* /*
* Callback functions for OpenSSL internal locking. (OpenSSL 1.1.0 * Callback functions for OpenSSL internal locking. (OpenSSL 1.1.0
* does its own locking, and doesn't need these anymore.) * does its own locking, and doesn't need these anymore. The
* CRYPTO_lock() function was removed in 1.1.0, when the callbacks
* were made obsolete, so we assume that if CRYPTO_lock() exists,
* the callbacks are still required.)
*/ */
static unsigned long static unsigned long
...@@ -765,7 +768,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line) ...@@ -765,7 +768,7 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
PGTHREAD_ERROR("failed to unlock mutex"); PGTHREAD_ERROR("failed to unlock mutex");
} }
} }
#endif /* ENABLE_THREAD_SAFETY && OPENSSL_VERSION_NUMBER < 0x10100000L */ #endif /* ENABLE_THREAD_SAFETY && HAVE_CRYPTO_LOCK */
/* /*
* Initialize SSL system, in particular creating the SSL_context object * Initialize SSL system, in particular creating the SSL_context object
...@@ -804,7 +807,7 @@ pgtls_init(PGconn *conn) ...@@ -804,7 +807,7 @@ pgtls_init(PGconn *conn)
if (pthread_mutex_lock(&ssl_config_mutex)) if (pthread_mutex_lock(&ssl_config_mutex))
return -1; return -1;
#if OPENSSL_VERSION_NUMBER < 0x10100000L #ifdef HAVE_CRYPTO_LOCK
if (pq_init_crypto_lib) if (pq_init_crypto_lib)
{ {
/* /*
...@@ -845,14 +848,14 @@ pgtls_init(PGconn *conn) ...@@ -845,14 +848,14 @@ pgtls_init(PGconn *conn)
CRYPTO_set_locking_callback(pq_lockingcallback); CRYPTO_set_locking_callback(pq_lockingcallback);
} }
} }
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ #endif /* HAVE_CRYPTO_LOCK */
#endif /* ENABLE_THREAD_SAFETY */ #endif /* ENABLE_THREAD_SAFETY */
if (!SSL_context) if (!SSL_context)
{ {
if (pq_init_ssl_lib) if (pq_init_ssl_lib)
{ {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #ifdef HAVE_OPENSSL_INIT_SSL
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
#else #else
OPENSSL_config(NULL); OPENSSL_config(NULL);
...@@ -913,7 +916,7 @@ pgtls_init(PGconn *conn) ...@@ -913,7 +916,7 @@ pgtls_init(PGconn *conn)
static void static void
destroy_ssl_system(void) destroy_ssl_system(void)
{ {
#if defined(ENABLE_THREAD_SAFETY) && OPENSSL_VERSION_NUMBER < 0x10100000L #if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK)
/* Mutex is created in initialize_ssl_system() */ /* Mutex is created in initialize_ssl_system() */
if (pthread_mutex_lock(&ssl_config_mutex)) if (pthread_mutex_lock(&ssl_config_mutex))
return; return;
...@@ -1628,7 +1631,7 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) ...@@ -1628,7 +1631,7 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
* to retry; do we need to adopt their logic for that? * to retry; do we need to adopt their logic for that?
*/ */
#if OPENSSL_VERSION_NUMBER < 0x10100000L #ifndef HAVE_BIO_GET_DATA
#define BIO_get_data(bio) (bio->ptr) #define BIO_get_data(bio) (bio->ptr)
#define BIO_set_data(bio, data) (bio->ptr = data) #define BIO_set_data(bio, data) (bio->ptr = data)
#endif #endif
...@@ -1701,7 +1704,7 @@ my_BIO_s_socket(void) ...@@ -1701,7 +1704,7 @@ my_BIO_s_socket(void)
if (!my_bio_methods) if (!my_bio_methods)
{ {
BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket(); BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #ifdef HAVE_BIO_METH_NEW
int my_bio_index; int my_bio_index;
my_bio_index = BIO_get_new_index(); my_bio_index = BIO_get_new_index();