Attempt to fix build with unusual OpenSSL versions

Since e3bdb2d9, libpq failed to build on some platforms because they did not have SSL_clear_options(). Although mainline OpenSSL introduced SSL_clear_options() after SSL_OP_NO_COMPRESSION, so the code should have built fine, at least an old NetBSD version (build farm "coypu" NetBSD 5.1 gcc 4.1.3 PR-20080704 powerpc) has SSL_OP_NO_COMPRESSION but no SSL_clear_options(). So add a configure check for SSL_clear_options(). If we don't find it, skip the call. That means on such a platform one cannot *enable* SSL compression if the built-in default is off, but that seems an unlikely combination anyway and not very interesting in practice.

Attempt to fix build with unusual OpenSSL versions
Since e3bdb2d9, libpq failed to build on some platforms because they did not have SSL_clear_options(). Although mainline OpenSSL introduced SSL_clear_options() after SSL_OP_NO_COMPRESSION, so the code should have built fine, at least an old NetBSD version (build farm "coypu" NetBSD 5.1 gcc 4.1.3 PR-20080704 powerpc) has SSL_OP_NO_COMPRESSION but no SSL_clear_options(). So add a configure check for SSL_clear_options(). If we don't find it, skip the call. That means on such a platform one cannot *enable* SSL compression if the built-in default is off, but that seems an unlikely combination anyway and not very interesting in practice.
a364dfa4 · Peter Eisentraut · 3de04e4e · a364dfa4 · a364dfa4 · a364dfa4
Commit a364dfa4 authored Mar 20, 2018 by Peter Eisentraut
Showing with 13 additions and 2 deletions

configure configure +1 -1

configure.in configure.in +1 -1

src/include/pg_config.h.in src/include/pg_config.h.in +3 -0

src/interfaces/libpq/fe-secure-openssl.c src/interfaces/libpq/fe-secure-openssl.c +8 -0

No files found.
--- a/configure
+++ b/configure
@@ -10203,7 +10203,7 @@ else
 fi
  fi
-  for ac_func in SSL_get_current_compression X509_get_signature_nid
+  for ac_func in SSL_clear_options SSL_get_current_compression X509_get_signature_nid
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"

--- a/configure.in
+++ b/configure.in
@@ -1067,7 +1067,7 @@ if test "$with_openssl" = yes ; then
     AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
     AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
  fi
-  AC_CHECK_FUNCS([SSL_get_current_compression X509_get_signature_nid])
+  AC_CHECK_FUNCS([SSL_clear_options SSL_get_current_compression X509_get_signature_nid])
  # Functions introduced in OpenSSL 1.1.0. We used to check for
  # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
  # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it

--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -479,6 +479,9 @@
 /* Define to 1 if you have the `srandom' function. */
 #undef HAVE_SRANDOM
+/* Define to 1 if you have the `SSL_clear_options' function. */
+#undef HAVE_SSL_CLEAR_OPTIONS
 /* Define to 1 if you have the `SSL_get_current_compression' function. */
 #undef HAVE_SSL_GET_CURRENT_COMPRESSION

--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1194,8 +1194,16 @@ initialize_SSL(PGconn *conn)
 #ifdef SSL_OP_NO_COMPRESSION
 	if (conn->sslcompression && conn->sslcompression[0] == '0')
 		SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+	/*
+	 * Mainline OpenSSL introduced SSL_clear_options() before
+	 * SSL_OP_NO_COMPRESSION, so this following #ifdef should not be
+	 * necessary, but some old NetBSD version have a locally modified libssl
+	 * that has SSL_OP_NO_COMPRESSION but not SSL_clear_options().
+	 */
+#ifdef HAVE_SSL_CLEAR_OPTIONS
 	else
 		SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+#endif
 #endif
 	return 0;