fi
if test "$with_ssl" = openssl ; then
- # Minimum required OpenSSL version is 1.0.1
+ # Minimum required OpenSSL version is 1.0.2
-$as_echo "#define OPENSSL_API_COMPAT 0x10001000L" >>confdefs.h
+$as_echo "#define OPENSSL_API_COMPAT 0x10002000L" >>confdefs.h
if test "$PORTNAME" != "win32"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5
fi
fi
- # Functions introduced in OpenSSL 1.0.2. LibreSSL does not have
- # SSL_CTX_set_cert_cb().
- for ac_func in X509_get_signature_nid SSL_CTX_set_cert_cb
+ # LibreSSL does not have SSL_CTX_set_cert_cb().
+ for ac_func in SSL_CTX_set_cert_cb
do :
- as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"
+if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :
cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+#define HAVE_SSL_CTX_SET_CERT_CB 1
_ACEOF
fi
if test "$with_ssl" = openssl ; then
dnl Order matters!
- # Minimum required OpenSSL version is 1.0.1
- AC_DEFINE(OPENSSL_API_COMPAT, [0x10001000L],
+ # Minimum required OpenSSL version is 1.0.2
+ AC_DEFINE(OPENSSL_API_COMPAT, [0x10002000L],
[Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.])
if test "$PORTNAME" != "win32"; then
AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])
AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
fi
- # Functions introduced in OpenSSL 1.0.2. LibreSSL does not have
+ # Function introduced in OpenSSL 1.0.2. LibreSSL does not have
# SSL_CTX_set_cert_cb().
- AC_CHECK_FUNCS([X509_get_signature_nid SSL_CTX_set_cert_cb])
+ AC_CHECK_FUNCS([SSL_CTX_set_cert_cb])
# Functions introduced in OpenSSL 1.1.0. We used to check for
# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
encrypted client connections. <productname>OpenSSL</productname> is
also required for random number generation on platforms that do not
have <filename>/dev/urandom</filename> (except Windows). The minimum
- required version is 1.0.1.
+ required version is 1.0.2.
</para>
</listitem>
['CRYPTO_new_ex_data', {'required': true}],
['SSL_new', {'required': true}],
- # Functions introduced in OpenSSL 1.0.2.
- ['X509_get_signature_nid'],
- ['SSL_CTX_set_cert_cb'], # not in LibreSSL
+ # Functions introduced in OpenSSL 1.0.2, not in LibreSSL.
+ ['SSL_CTX_set_cert_cb'],
# Functions introduced in OpenSSL 1.1.0. We used to check for
# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
if are_openssl_funcs_complete
cdata.set('USE_OPENSSL', 1,
description: 'Define to 1 to build with OpenSSL support. (-Dssl=openssl)')
- cdata.set('OPENSSL_API_COMPAT', '0x10001000L',
+ cdata.set('OPENSSL_API_COMPAT', '0x10002000L',
description: 'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.')
ssl_library = 'openssl'
else
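Review bot: The comment above the remaining SSL_CTX_set_cert_cb entry still reads "Functions" although the group now holds a single function, while the configure.ac hunk in this same commit switches to the singular. `# Function introduced in OpenSSL 1.0.2, not in LibreSSL.` keeps the wording of the two build descriptions aligned.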
/*
* Advertise the mechanisms in decreasing order of importance. So the
* channel-binding variants go first, if they are supported. Channel
- * binding is only supported with SSL, and only if the SSL implementation
- * has a function to get the certificate's hash.
+ * binding is only supported with SSL.
*/
-#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdef USE_SSL
if (port->ssl_in_use)
{
appendStringInfoString(buf, SCRAM_SHA_256_PLUS_NAME);
/*
* Parse the selected mechanism.
*
- * Note that if we don't support channel binding, either because the SSL
- * implementation doesn't support it or we're not using SSL at all, we
- * would not have advertised the PLUS variant in the first place. If the
- * client nevertheless tries to select it, it's a protocol violation like
- * selecting any other SASL mechanism we don't support.
+ * Note that if we don't support channel binding, or if we're not using
+ * SSL at all, we would not have advertised the PLUS variant in the first
+ * place. If the client nevertheless tries to select it, it's a protocol
+ * violation like selecting any other SASL mechanism we don't support.
*/
-#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdef USE_SSL
if (strcmp(selected_mech, SCRAM_SHA_256_PLUS_NAME) == 0 && port->ssl_in_use)
state->channel_binding_in_use = true;
else
errmsg("malformed SCRAM message"),
errdetail("The client selected SCRAM-SHA-256-PLUS, but the SCRAM message does not include channel binding data.")));
-#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdef USE_SSL
if (state->port->ssl_in_use)
ereport(ERROR,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
channel_binding = read_attr_value(&p, 'c');
if (state->channel_binding_in_use)
{
-#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
+#ifdef USE_SSL
const char *cbind_data = NULL;
size_t cbind_data_len = 0;
size_t cbind_header_len;
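Review bot: The rewritten comment in the mechanism-parsing block still lists two separate cases, "if we don't support channel binding, or if we're not using SSL at all", but after this change the first case no longer exists on its own: the advertising comment a few lines earlier now states that channel binding is only supported with SSL, and every guard in this file became a plain `#ifdef USE_SSL`. Suggest collapsing it to `* Note that if we're not using SSL (and hence don't support channel binding), we would not have advertised the PLUS variant in the first place.` so the comment matches the single condition the code checks. The functions enclosing these hunks start and end outside them.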
*
* These functions are closely modelled on the standard socket BIO in OpenSSL;
* see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
- * XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR as reasons
- * to retry; do we need to adopt their logic for that?
*/
#ifndef HAVE_BIO_GET_DATA
ptr[0] = '\0';
}
-#if defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO)
char *
be_tls_get_certificate_hash(Port *port, size_t *len)
{
return cert_hash;
}
-#endif
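Review bot: Dropping the XXX note from the BIO comment block removes an open question without visibly resolving it: the note concerned retrying on errno values other than EINTR, which does not depend on the 1.0.1e release it cited, and nothing in this hunk touches the retry logic of the BIO callbacks that follow (outside the hunk). If that logic is unchanged, keep the note without the version reference, e.g. `* XXX OpenSSL's sock_read()/sock_write() treat more errcodes than just EINTR as reasons to retry; do we need to adopt their logic for that?`. The fe-secure-openssl.c hunk removes the same note and would take the same wording.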
/*
* Convert an X509 subject name to a cstring.
*
* The result is a palloc'd hash of the server certificate with its
* size, and NULL if there is no certificate available.
- *
- * This is not supported with old versions of OpenSSL that don't have
- * the X509_get_signature_nid() function.
*/
-#if defined(USE_OPENSSL) && (defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO))
-#define HAVE_BE_TLS_GET_CERTIFICATE_HASH
extern char *be_tls_get_certificate_hash(Port *port, size_t *len);
-#endif
/* init hook for SSL, the default sets the password callback if appropriate */
#ifdef USE_OPENSSL
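Review bot: With the HAVE_BE_TLS_GET_CERTIFICATE_HASH guard gone, the declaration of be_tls_get_certificate_hash() no longer records what the callers now assume: auth-scram.c reaches its channel-binding code under a plain `#ifdef USE_SSL` (presumably calling this function from the block that declares cbind_data), so every TLS implementation built into the server must provide it, not only the OpenSSL one. Since the comment above already documents the result, add a line such as ` * Every TLS implementation must provide this; auth-scram.c relies on it whenever USE_SSL is defined.`. The `#if` block that encloses the remaining extern is outside the hunk, so I cannot confirm from here whether it now sits under USE_SSL or is unguarded; worth checking. The libpq-int.h hunk for pgtls_get_peer_certificate_hash() has the same gap, with fe-auth-scram.c as the caller.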
/* Define to 1 if you have the `X509_get_signature_info' function. */
#undef HAVE_X509_GET_SIGNATURE_INFO
-/* Define to 1 if you have the `X509_get_signature_nid' function. */
-#undef HAVE_X509_GET_SIGNATURE_NID
-
/* Define to 1 if the assembler supports X86_64's POPCNTQ instruction. */
#undef HAVE_X86_64_POPCNTQ
Assert(conn->ssl_in_use);
appendPQExpBufferStr(&buf, "p=tls-server-end-point");
}
-#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdef USE_SSL
else if (conn->channel_binding[0] != 'd' && /* disable */
conn->ssl_in_use)
{
*/
if (strcmp(state->sasl_mechanism, SCRAM_SHA_256_PLUS_NAME) == 0)
{
-#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdef USE_SSL
char *cbind_data = NULL;
size_t cbind_data_len = 0;
size_t cbind_header_len;
appendPQExpBufferStr(&conn->errorMessage,
"channel binding not supported by this build\n");
return NULL;
-#endif /* HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH */
+#endif /* USE_SSL */
}
-#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdef USE_SSL
else if (conn->channel_binding[0] != 'd' && /* disable */
conn->ssl_in_use)
appendPQExpBufferStr(&buf, "c=eSws"); /* base64 of "y,," */
{
/* The server has offered SCRAM-SHA-256-PLUS. */
-#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
+#ifdef USE_SSL
/*
* The client supports channel binding, which is chosen if
* channel_binding is not disabled.
return n;
}
-#if defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO)
char *
pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
{
return cert_hash;
}
-#endif /* HAVE_X509_GET_SIGNATURE_NID */
/* ------------------------------------------------------------ */
/* OpenSSL specific code */
*
* These functions are closely modelled on the standard socket BIO in OpenSSL;
* see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
- * XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR as reasons
- * to retry; do we need to adopt their logic for that?
*/
#ifndef HAVE_BIO_GET_DATA
*
* NULL is sent back to the caller in the event of an error, with an
* error message for the caller to consume.
- *
- * This is not supported with old versions of OpenSSL that don't have
- * the X509_get_signature_nid() function.
*/
-#if defined(USE_OPENSSL) && (defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO))
-#define HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len);
-#endif
/*
* Verify that the server certificate matches the host name we connected to.
# This is the pattern to use in pg_hba.conf to match incoming connections.
my $SERVERHOSTCIDR = '127.0.0.1/32';
-# Determine whether build supports tls-server-end-point.
-my $supports_tls_server_end_point =
- check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1");
# Determine whether build supports detection of hash algorithms for
# RSA-PSS certificates.
my $supports_rsapss_certs =
expected_stderr => qr/invalid channel_binding value: "invalid_value"/);
$node->connect_ok("$common_connstr user=ssltestuser channel_binding=disable",
"SCRAM with SSL and channel_binding=disable");
-if ($supports_tls_server_end_point)
-{
- $node->connect_ok(
- "$common_connstr user=ssltestuser channel_binding=require",
- "SCRAM with SSL and channel_binding=require");
-}
-else
-{
- $node->connect_fails(
- "$common_connstr user=ssltestuser channel_binding=require",
- "SCRAM with SSL and channel_binding=require",
- expected_stderr =>
- qr/channel binding is required, but server did not offer an authentication method that supports channel binding/
- );
-}
+$node->connect_ok(
+ "$common_connstr user=ssltestuser channel_binding=require",
+ "SCRAM with SSL and channel_binding=require");
# Now test when the user has an MD5-encrypted password; should fail
$node->connect_fails(
expected_stderr =>
qr/channel binding required but not supported by server's authentication request/
);
-if ($supports_tls_server_end_point)
-{
- $node->connect_ok(
- "$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",
- "SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256"
- );
-}
-else
-{
- $node->connect_fails(
- "$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",
- "SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256",
- expected_stderr =>
- qr/channel binding is required, but server did not offer an authentication method that supports channel binding/
- );
-}
+$node->connect_ok(
+ "$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",
+ "SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256"
+);
# Now test with a server certificate that uses the RSA-PSS algorithm.
# This checks that the certificate can be loaded and that channel binding
HAVE_UUID_UUID_H => undef,
HAVE_WCSTOMBS_L => 1,
HAVE_VISIBILITY_ATTRIBUTE => undef,
- HAVE_X509_GET_SIGNATURE_NID => 1,
HAVE_X509_GET_SIGNATURE_INFO => undef,
HAVE_X86_64_POPCNTQ => undef,
HAVE__BOOL => undef,
if ($self->{options}->{openssl})
{
$define{USE_OPENSSL} = 1;
+ $define{HAVE_SSL_CTX_SET_CERT_CB} = 1;
my ($digit1, $digit2, $digit3) = $self->GetOpenSSLVersion();
$define{HAVE_HMAC_CTX_NEW} = 1;
$define{HAVE_OPENSSL_INIT_SSL} = 1;
}
-
- # Symbols needed with OpenSSL 1.0.2 and above.
- if ( ($digit1 >= '3' && $digit2 >= '0' && $digit3 >= '0')
- || ($digit1 >= '1' && $digit2 >= '1' && $digit3 >= '0')
- || ($digit1 >= '1' && $digit2 >= '0' && $digit3 >= '2'))
- {
- $define{HAVE_SSL_CTX_SET_CERT_CB} = 1;
- }
}
$self->GenerateConfigHeader('src/include/pg_config.h', \%define, 1);
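Review bot: Defining HAVE_SSL_CTX_SET_CERT_CB unconditionally removes the only place in this block that distinguished OpenSSL 1.0.1 from 1.0.2 on the MSVC build, and nothing in the hunk replaces it with a minimum-version check, so a build against an older OpenSSL would configure successfully and only fail later at link time, unless GetOpenSSLVersion() or code outside this hunk already rejects it. Since $digit1..$digit3 are still obtained on the line right after the new define, a die guard there would make the new minimum explicit; the removed three-way comparison can serve as the condition, or the single numeric compare sketched below (assuming the three values are plain integers, as the removed comparisons treated them). The rest of the sub continues outside the hunk.
```perl
	my ($digit1, $digit2, $digit3) = $self->GetOpenSSLVersion();
	# Minimum supported OpenSSL is 1.0.2; HAVE_SSL_CTX_SET_CERT_CB is set
	# unconditionally above, so anything older must be rejected here.
	my $openssl_version = $digit1 * 10000 + $digit2 * 100 + $digit3;
	die "OpenSSL 1.0.2 or later is required (found $digit1.$digit2.$digit3)\n"
	  if $openssl_version < 10002;
	# … unchanged: OpenSSL 1.1.0 symbol definitions …
```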