From: Peter Eisentraut Date: Tue, 20 Mar 2018 20:44:52 +0000 (-0400) Subject: Attempt to fix build with unusual OpenSSL versions X-Git-Tag: REL_11_BETA1~552 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a364dfa4ac7337743050256c6eb17b5db5430173;p=postgresql Attempt to fix build with unusual OpenSSL versions Since e3bdb2d92600ed45bd46aaf48309a436a9628218, libpq failed to build on some platforms because they did not have SSL_clear_options(). Although mainline OpenSSL introduced SSL_clear_options() after SSL_OP_NO_COMPRESSION, so the code should have built fine, at least an old NetBSD version (build farm "coypu" NetBSD 5.1 gcc 4.1.3 PR-20080704 powerpc) has SSL_OP_NO_COMPRESSION but no SSL_clear_options(). So add a configure check for SSL_clear_options(). If we don't find it, skip the call. That means on such a platform one cannot *enable* SSL compression if the built-in default is off, but that seems an unlikely combination anyway and not very interesting in practice.
---
diff --git a/configure b/configure
index a5f309212d..8117015067 100755
--- a/configure
+++ b/configure
@@ -10203,7 +10203,7 @@ else fi fi - for ac_func in SSL_get_current_compression X509_get_signature_nid + for ac_func in SSL_clear_options SSL_get_current_compression X509_get_signature_nid do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff --git a/configure.in b/configure.in
index 9a6f4b193c..8304b4a756 100644
--- a/configure.in
+++ b/configure.in
@@ -1067,7 +1067,7 @@ if test "$with_openssl" = yes ; then
 AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
 AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
 fi
- AC_CHECK_FUNCS([SSL_get_current_compression X509_get_signature_nid])
+ AC_CHECK_FUNCS([SSL_clear_options SSL_get_current_compression X509_get_signature_nid])
 # Functions introduced in OpenSSL 1.1.0. We used to check for
 # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
 # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index f98f773ff0..ea3b2b6ce7 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -479,6 +479,9 @@
 /* Define to 1 if you have the `srandom' function. */
 #undef HAVE_SRANDOM
+/* Define to 1 if you have the `SSL_clear_options' function. */
+#undef HAVE_SSL_CLEAR_OPTIONS
+
 /* Define to 1 if you have the `SSL_get_current_compression' function. */
 #undef HAVE_SSL_GET_CURRENT_COMPRESSION
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 1a35b30dbc..2e2f1074fc 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1194,8 +1194,16 @@ initialize_SSL(PGconn *conn)
 #ifdef SSL_OP_NO_COMPRESSION
 if (conn->sslcompression && conn->sslcompression[0] == '0')
 SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+ /*
+ * Mainline OpenSSL introduced SSL_clear_options() before
+ * SSL_OP_NO_COMPRESSION, so this following #ifdef should not be
+ * necessary, but some old NetBSD version have a locally modified libssl
+ * that has SSL_OP_NO_COMPRESSION but not SSL_clear_options().
+ */
+#ifdef HAVE_SSL_CLEAR_OPTIONS
 else
 SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+#endif
 #endif
 return 0;
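Review bot: Adding `SSL_clear_options` to `AC_CHECK_FUNCS` in configure.in probes for a linkable symbol only, so it will report "no" on any libssl that provides SSL_clear_options() as a preprocessor macro. As far as I know, OpenSSL releases before 1.1.0 define it as a macro over SSL_ctrl(), which is worth confirming against the headers of the targeted versions. On those builds HAVE_SSL_CLEAR_OPTIONS would stay undefined and the guarded `else` branch in fe-secure-openssl.c would be compiled out on mainstream platforms, not only on the NetBSD case the commit describes. A link test that includes `<openssl/ssl.h>` and calls SSL_clear_options() detects both the macro and the function form. The same concern applies to the matching line in the generated configure script.

```m4
# SSL_clear_options may be a macro rather than a function, so test it
# with the header included instead of probing for the bare symbol.
AC_CACHE_CHECK([for SSL_clear_options], [ac_cv_func_ssl_clear_options],
[AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <openssl/ssl.h>]],
                                 [[SSL_clear_options(NULL, 0);]])],
                [ac_cv_func_ssl_clear_options=yes],
                [ac_cv_func_ssl_clear_options=no])])
if test "$ac_cv_func_ssl_clear_options" = yes ; then
  AC_DEFINE([HAVE_SSL_CLEAR_OPTIONS], 1,
            [Define to 1 if you have SSL_clear_options()])
fi
AC_CHECK_FUNCS([SSL_get_current_compression X509_get_signature_nid])
```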
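Review bot: The new comment in initialize_SSL() explains why the inner `#ifdef HAVE_SSL_CLEAR_OPTIONS` exists, but not what happens when it is false. In that case the `else` branch disappears, so a request to enable compression is dropped without any indication and the library default stays in force. That is stated only in the commit message; I would add a line to the comment such as `* If it is missing, a request to enable compression is ignored and the library default applies.` The fallback leaves compression as the library ships it rather than forcing it on, which is the conservative direction for TLS, but a reader of the code should not need the commit log to learn it. Separately, "some old NetBSD version have" should read "versions have". The body of initialize_SSL() begins outside this hunk.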