Fix compilation with older OpenSSL versions

Some older OpenSSL versions (0.9.8 branch) define TLS*_VERSION macros
but not the corresponding SSL_OP_NO_* macro, which causes the code for
handling ssl_min_protocol_version/ssl_max_protocol_version to fail to
compile.  To fix, add more #ifdefs and error handling.

Reported-by: Victor Wagner <vitus@wagner.pp.ru>
Reviewed-by: Michael Paquier <michael@paquier.xyz>
Discussion: https://www.postgresql.org/message-id/flat/20190924101859.09383b4f%40fafnir.local.vm

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index a0ae5c5046c9158ba18ea00b3250c87a3784fc9d..629919cc6e180174d801b6bf76db044e81ad0413 100644 (file)
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -198,7 +198,12 @@ be_tls_init(bool isServerStart)
 
                if (ssl_ver == -1)
                        goto error;
-               SSL_CTX_set_min_proto_version(context, ssl_ver);
+               if (!SSL_CTX_set_min_proto_version(context, ssl_ver))
+               {
+                       ereport(isServerStart ? FATAL : LOG,
+                                       (errmsg("could not set minimum SSL protocol version")));
+                       goto error;
+               }
        }
 
        if (ssl_max_protocol_version)
@@ -209,7 +214,12 @@ be_tls_init(bool isServerStart)
 
                if (ssl_ver == -1)
                        goto error;
-               SSL_CTX_set_max_proto_version(context, ssl_ver);
+               if (!SSL_CTX_set_max_proto_version(context, ssl_ver))
+               {
+                       ereport(isServerStart ? FATAL : LOG,
+                                       (errmsg("could not set maximum SSL protocol version")));
+                       goto error;
+               }
        }
 
        /* disallow SSL session tickets */
@@ -1326,13 +1336,30 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
 
        if (version > TLS1_VERSION)
                ssl_options |= SSL_OP_NO_TLSv1;
+       /*
+        * Some OpenSSL versions define TLS*_VERSION macros but not the
+        * corresponding SSL_OP_NO_* macro, so in those cases we have to return
+        * unsuccessfully here.
+        */
 #ifdef TLS1_1_VERSION
        if (version > TLS1_1_VERSION)
+       {
+#ifdef SSL_OP_NO_TLSv1_1
                ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+               return 0;
+#endif
+       }
 #endif
 #ifdef TLS1_2_VERSION
        if (version > TLS1_2_VERSION)
+       {
+#ifdef SSL_OP_NO_TLSv1_2
                ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+               return 0;
+#endif
+       }
 #endif
 
        SSL_CTX_set_options(ctx, ssl_options);
@@ -1347,13 +1374,30 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
 
        AssertArg(version != 0);
 
+       /*
+        * Some OpenSSL versions define TLS*_VERSION macros but not the
+        * corresponding SSL_OP_NO_* macro, so in those cases we have to return
+        * unsuccessfully here.
+        */
 #ifdef TLS1_1_VERSION
        if (version < TLS1_1_VERSION)
+       {
+#ifdef SSL_OP_NO_TLSv1_1
                ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+               return 0;
+#endif
+       }
 #endif
 #ifdef TLS1_2_VERSION
        if (version < TLS1_2_VERSION)
+       {
+#ifdef SSL_OP_NO_TLSv1_2
                ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+               return 0;
+#endif
+       }
 #endif
 
        SSL_CTX_set_options(ctx, ssl_options);