Attempt to fix build with unusual OpenSSL versions

Since e3bdb2d92600ed45bd46aaf48309a436a9628218, libpq failed to build on
some platforms because they did not have SSL_clear_options().  Although
mainline OpenSSL introduced SSL_clear_options() after
SSL_OP_NO_COMPRESSION, so the code should have built fine, at least an
old NetBSD version (build farm "coypu" NetBSD 5.1 gcc 4.1.3 PR-20080704
powerpc) has SSL_OP_NO_COMPRESSION but no SSL_clear_options().

So add a configure check for SSL_clear_options().  If we don't find it,
skip the call.  That means on such a platform one cannot *enable* SSL
compression if the built-in default is off, but that seems an unlikely
combination anyway and not very interesting in practice.

diff --git a/configure b/configure
index a5f309212dfd9965c7eba955c732e1c3af7b2621..8117015067288b5a431807fca1704c4e5b8bedbb 100755 (executable)
--- a/configure
+++ b/configure
@@ -10203,7 +10203,7 @@ else
 fi
 
   fi
-  for ac_func in SSL_get_current_compression X509_get_signature_nid
+  for ac_func in SSL_clear_options SSL_get_current_compression X509_get_signature_nid
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"

diff --git a/configure.in b/configure.in
index 9a6f4b193c43d883b71a303a50c80cb61d7c8bd8..8304b4a756ae7a90d4a5f32c7f84c3792be33f39 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -1067,7 +1067,7 @@ if test "$with_openssl" = yes ; then
      AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
      AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
   fi
-  AC_CHECK_FUNCS([SSL_get_current_compression X509_get_signature_nid])
+  AC_CHECK_FUNCS([SSL_clear_options SSL_get_current_compression X509_get_signature_nid])
   # Functions introduced in OpenSSL 1.1.0. We used to check for
   # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
   # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it

diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index f98f773ff02ce50b22b0f7f20e4163908d4f3cce..ea3b2b6ce770e8e45fe2b5e2e25e37ab03b5e92f 100644 (file)
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -479,6 +479,9 @@
 /* Define to 1 if you have the `srandom' function. */
 #undef HAVE_SRANDOM
 
+/* Define to 1 if you have the `SSL_clear_options' function. */
+#undef HAVE_SSL_CLEAR_OPTIONS
+
 /* Define to 1 if you have the `SSL_get_current_compression' function. */
 #undef HAVE_SSL_GET_CURRENT_COMPRESSION
 

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 1a35b30dbcdf9c47bb51d7f6d69e1bb669ba02f4..2e2f1074fcb5c70193e76c1006948b54f23524ff 100644 (file)
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1194,8 +1194,16 @@ initialize_SSL(PGconn *conn)
 #ifdef SSL_OP_NO_COMPRESSION
        if (conn->sslcompression && conn->sslcompression[0] == '0')
                SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+       /*
+        * Mainline OpenSSL introduced SSL_clear_options() before
+        * SSL_OP_NO_COMPRESSION, so this following #ifdef should not be
+        * necessary, but some old NetBSD version have a locally modified libssl
+        * that has SSL_OP_NO_COMPRESSION but not SSL_clear_options().
+        */
+#ifdef HAVE_SSL_CLEAR_OPTIONS
        else
                SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+#endif
 #endif
 
        return 0;