Another attempt at fixing build with various OpenSSL versions
authorPeter Eisentraut <peter_e@gmx.net>
Fri, 5 Jan 2018 00:09:27 +0000 (19:09 -0500)
committerPeter Eisentraut <peter_e@gmx.net>
Fri, 5 Jan 2018 00:09:27 +0000 (19:09 -0500)
It seems we can't easily work around the lack of
X509_get_signature_nid(), so revert the previous attempts and just
disable the tls-server-end-point feature if we don't have it.

configure
configure.in
src/backend/libpq/be-secure-openssl.c
src/include/pg_config.h.in
src/interfaces/libpq/fe-secure-openssl.c

index d88863e50cf4bc72c400e804b5a91b31e1f8d1f6..45221e1ea3b40eadd9a16168521b1fc2be6113a8 100755 (executable)
--- a/configure
+++ b/configure
@@ -10125,12 +10125,13 @@ else
 fi
 
   fi
-  for ac_func in SSL_get_current_compression
+  for ac_func in SSL_get_current_compression X509_get_signature_nid
 do :
-  ac_fn_c_check_func "$LINENO" "SSL_get_current_compression" "ac_cv_func_SSL_get_current_compression"
-if test "x$ac_cv_func_SSL_get_current_compression" = xyes; then :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
-#define HAVE_SSL_GET_CURRENT_COMPRESSION 1
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
 
 fi
index 4968b67bf929e47579c503316541220fdedac096..4d2603457921f855614974bf24bc72c22ac3c527 100644 (file)
@@ -1064,7 +1064,7 @@ if test "$with_openssl" = yes ; then
      AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
      AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
   fi
-  AC_CHECK_FUNCS([SSL_get_current_compression])
+  AC_CHECK_FUNCS([SSL_get_current_compression X509_get_signature_nid])
   # Functions introduced in OpenSSL 1.1.0. We used to check for
   # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
   # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
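Review bot: The new X509_get_signature_nid check carries no comment explaining what it gates, and it sits directly above a comment block about OpenSSL 1.1.0 functions, so a reader may lump it in with those; a one-line comment above the `AC_CHECK_FUNCS` call would prevent that, e.g. `# X509_get_signature_nid() is needed for tls-server-end-point channel binding; without it that channel binding type is disabled.`. I believe the function predates 1.1.0 (it is an accessor for the certificate's signature algorithm that the code previously reached through the struct directly), so keeping the two checks visibly separate matters for anyone later raising the minimum OpenSSL version.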
index dff61776bd8cedab8a987d9206c2a8a3d13ada8e..c2032c2f30e29db6fea01d0a3ab1d19f27111b22 100644 (file)
@@ -57,7 +57,6 @@
 #ifndef OPENSSL_NO_ECDH
 #include <openssl/ec.h>
 #endif
-#include <openssl/x509.h>
 
 #include "libpq/libpq.h"
 #include "miscadmin.h"
@@ -1250,6 +1249,7 @@ be_tls_get_peer_finished(Port *port, size_t *len)
 char *
 be_tls_get_certificate_hash(Port *port, size_t *len)
 {
+#ifdef HAVE_X509_GET_SIGNATURE_NID
        X509       *server_cert;
        char       *cert_hash;
        const EVP_MD *algo_type = NULL;
@@ -1266,7 +1266,7 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
         * Get the signature algorithm of the certificate to determine the
         * hash algorithm to use for the result.
         */
-       if (!OBJ_find_sigid_algs(OBJ_obj2nid(server_cert->sig_alg->algorithm),
+       if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
                                                         &algo_nid, NULL))
                elog(ERROR, "could not determine server certificate signature algorithm");
 
@@ -1299,6 +1299,12 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
        *len = hash_size;
 
        return cert_hash;
+#else
+       ereport(ERROR,
+                       (errcode(ERRCODE_PROTOCOL_VIOLATION),
+                        errmsg("channel binding type \"tls-server-end-point\" is not supported by this build")));
+       return NULL;
+#endif
 }
 
 /*
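Review bot: The `return NULL;` after `ereport(ERROR, ...)` in the new `#else` branch is unreachable, since ERROR does not return in the backend; PostgreSQL's convention is to mark such a statement, `return NULL;          /* keep compiler quiet */`, so a reader does not mistake it for a real failure path. Failing hard here rather than handing back a placeholder hash is the right choice, because a channel-binding value that cannot be computed must not be silently accepted. Whether the SCRAM negotiation still advertises tls-server-end-point in a build that lacks X509_get_signature_nid is not visible in this hunk; if it does, clients only learn of the limitation after authentication has started, and the header comment of be_tls_get_certificate_hash (outside the hunk) should state that the function raises an error when HAVE_X509_GET_SIGNATURE_NID is undefined.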
index 27b136872111e731690c789456112a930663f9b0..f98f773ff02ce50b22b0f7f20e4163908d4f3cce 100644 (file)
 /* Define to 1 if you have the <winldap.h> header file. */
 #undef HAVE_WINLDAP_H
 
+/* Define to 1 if you have the `X509_get_signature_nid' function. */
+#undef HAVE_X509_GET_SIGNATURE_NID
+
 /* Define to 1 if your compiler understands __builtin_bswap16. */
 #undef HAVE__BUILTIN_BSWAP16
 
index ecd68061a2e0fd8da7a10855c251553dafacd3f9..b50bfd144a1f7e564d949bae9ea7701e952255a8 100644 (file)
@@ -58,7 +58,6 @@
 #ifdef USE_SSL_ENGINE
 #include <openssl/engine.h>
 #endif
-#include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 static bool verify_peer_name_matches_certificate(PGconn *);
@@ -430,6 +429,7 @@ pgtls_get_finished(PGconn *conn, size_t *len)
 char *
 pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
 {
+#ifdef HAVE_X509_GET_SIGNATURE_NID
        X509       *peer_cert;
        const EVP_MD *algo_type;
        unsigned char hash[EVP_MAX_MD_SIZE];    /* size for SHA-512 */
@@ -448,7 +448,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
         * Get the signature algorithm of the certificate to determine the hash
         * algorithm to use for the result.
         */
-       if (!OBJ_find_sigid_algs(OBJ_obj2nid(peer_cert->sig_alg->algorithm),
+       if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
                                                         &algo_nid, NULL))
        {
                printfPQExpBuffer(&conn->errorMessage,
@@ -499,6 +499,11 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
        *len = hash_size;
 
        return cert_hash;
+#else
+       printfPQExpBuffer(&conn->errorMessage,
+                                         libpq_gettext("channel binding type \"tls-server-end-point\" is not supported by this build\n"));
+       return NULL;
+#endif
 }
 
 /* ------------------------------------------------------------ */
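Review bot: The new `#else` branch returns NULL without touching `*len`, so a caller that reads `*len` before testing the pointer may use an uninitialized value; setting `*len = 0;` before the return, or documenting in the function's header comment (outside the hunk) that `*len` is only meaningful on a non-NULL return, closes that gap. The `#ifdef` leaves a libpq built without X509_get_signature_nid unable to produce the hash at all; whether the client still offers tls-server-end-point during SCRAM negotiation in that case is not visible here and is worth checking, since offering it and then failing in this function aborts the connection late rather than at negotiation time. The backend counterpart in be-secure-openssl.c has the same `#else` structure under the same configure check.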