Remove support for OpenSSL 1.0.1
Here are some notes about this change:
- As X509_get_signature_nid() should always exist (OpenSSL and
LibreSSL), HAVE_X509_GET_SIGNATURE_NID is now gone.
- OPENSSL_API_COMPAT is bumped to 0x10002000L.
- One comment related to 1.0.1e introduced by 74242c2
is removed.
Upstream OpenSSL still provides long-term support for 1.0.2 in a closed
fashion, so removing it is out of scope for a few years, at least.
Reviewed-by: Jacob Champion, Daniel Gustafsson
Discussion: https://postgr.es/m/ZG3JNursG69dz1lr@paquier.xyz
parent
2aeaf80e57
commit
8e278b6576
16
configure
vendored
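--- a/configure
+++ b/configure
@@ -12744,9 +12744,9 @@ if test "$with_openssl" = yes ; then
 fi
 
 if test "$with_ssl" = openssl ; then
-# Minimum required OpenSSL version is 1.0.1
+# Minimum required OpenSSL version is 1.0.2
 
-$as_echo "#define OPENSSL_API_COMPAT 0x10001000L" >>confdefs.h
+$as_echo "#define OPENSSL_API_COMPAT 0x10002000L" >>confdefs.h
 
 if test "$PORTNAME" != "win32"; then
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5
@@ -12961,15 +12961,13 @@ else
 fi
 
 fi
-# Functions introduced in OpenSSL 1.0.2. LibreSSL does not have
-# SSL_CTX_set_cert_cb().
-for ac_func in X509_get_signature_nid SSL_CTX_set_cert_cb
+# LibreSSL does not have SSL_CTX_set_cert_cb().
+for ac_func in SSL_CTX_set_cert_cb
 do :
-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"
+if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :
 cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+#define HAVE_SSL_CTX_SET_CERT_CB 1
 _ACEOF
 
 fi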
@ -1367,8 +1367,8 @@ fi
|
|||||||
|
|
||||||
if test "$with_ssl" = openssl ; then
|
if test "$with_ssl" = openssl ; then
|
||||||
dnl Order matters!
|
dnl Order matters!
|
||||||
# Minimum required OpenSSL version is 1.0.1
|
# Minimum required OpenSSL version is 1.0.2
|
||||||
AC_DEFINE(OPENSSL_API_COMPAT, [0x10001000L],
|
AC_DEFINE(OPENSSL_API_COMPAT, [0x10002000L],
|
||||||
[Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.])
|
[Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.])
|
||||||
if test "$PORTNAME" != "win32"; then
|
if test "$PORTNAME" != "win32"; then
|
||||||
AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])
|
AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])
|
||||||
@ -1377,9 +1377,9 @@ if test "$with_ssl" = openssl ; then
|
|||||||
AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
|
AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
|
||||||
AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
|
AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
|
||||||
fi
|
fi
|
||||||
# Functions introduced in OpenSSL 1.0.2. LibreSSL does not have
|
# Function introduced in OpenSSL 1.0.2. LibreSSL does not have
|
||||||
# SSL_CTX_set_cert_cb().
|
# SSL_CTX_set_cert_cb().
|
||||||
AC_CHECK_FUNCS([X509_get_signature_nid SSL_CTX_set_cert_cb])
|
AC_CHECK_FUNCS([SSL_CTX_set_cert_cb])
|
||||||
# Functions introduced in OpenSSL 1.1.0. We used to check for
|
# Functions introduced in OpenSSL 1.1.0. We used to check for
|
||||||
# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
|
# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
|
||||||
# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
|
# defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
|
||||||
|
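Review bot: The comment `# Minimum required OpenSSL version is 1.0.2` is not backed by a check: the visible lines only raise OPENSSL_API_COMPAT, and with the X509_get_signature_nid probe dropped from AC_CHECK_FUNCS nothing in this hunk rejects a 1.0.1 library at configure time, so unless a version test exists outside the hunk a too-old OpenSSL would now surface as a compile error in the SSL code rather than a clear configure failure. Consider a hard check, e.g. an AC_CHECK_FUNC on a 1.0.2-only symbol such as X509_get_signature_nid with AC_MSG_ERROR naming the 1.0.2 floor; the same gap applies to the meson hunk `@ -1310,7 +1309,7 @@` and to the MSVC hunk `@ -509,14 +509,6 @@`, which removes the only 1.0.2 version comparison while still calling GetOpenSSLVersion(), where something like `die "OpenSSL 1.0.2 or later is required\n" if $digit1 < 1 || ($digit1 == 1 && $digit2 == 0 && $digit3 < 2);` would do (assuming the digits are numeric strings, as the surrounding comparisons suggest). Separately, now that 1.0.2 is the floor the new comment `# Function introduced in OpenSSL 1.0.2. LibreSSL does not have` could drop the version clause and read `# LibreSSL does not have SSL_CTX_set_cert_cb().`, matching the regenerated configure.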
@ -275,7 +275,7 @@ documentation. See standalone-profile.xsl for details.
|
|||||||
encrypted client connections. <productname>OpenSSL</productname> is
|
encrypted client connections. <productname>OpenSSL</productname> is
|
||||||
also required for random number generation on platforms that do not
|
also required for random number generation on platforms that do not
|
||||||
have <filename>/dev/urandom</filename> (except Windows). The minimum
|
have <filename>/dev/urandom</filename> (except Windows). The minimum
|
||||||
required version is 1.0.1.
|
required version is 1.0.2.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
@ -1266,9 +1266,8 @@ if sslopt in ['auto', 'openssl']
|
|||||||
['CRYPTO_new_ex_data', {'required': true}],
|
['CRYPTO_new_ex_data', {'required': true}],
|
||||||
['SSL_new', {'required': true}],
|
['SSL_new', {'required': true}],
|
||||||
|
|
||||||
# Functions introduced in OpenSSL 1.0.2.
|
# Functions introduced in OpenSSL 1.0.2, not in LibreSSL.
|
||||||
['X509_get_signature_nid'],
|
['SSL_CTX_set_cert_cb'],
|
||||||
['SSL_CTX_set_cert_cb'], # not in LibreSSL
|
|
||||||
|
|
||||||
# Functions introduced in OpenSSL 1.1.0. We used to check for
|
# Functions introduced in OpenSSL 1.1.0. We used to check for
|
||||||
# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
|
# OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
|
||||||
@ -1310,7 +1309,7 @@ if sslopt in ['auto', 'openssl']
|
|||||||
if are_openssl_funcs_complete
|
if are_openssl_funcs_complete
|
||||||
cdata.set('USE_OPENSSL', 1,
|
cdata.set('USE_OPENSSL', 1,
|
||||||
description: 'Define to 1 to build with OpenSSL support. (-Dssl=openssl)')
|
description: 'Define to 1 to build with OpenSSL support. (-Dssl=openssl)')
|
||||||
cdata.set('OPENSSL_API_COMPAT', '0x10001000L',
|
cdata.set('OPENSSL_API_COMPAT', '0x10002000L',
|
||||||
description: 'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.')
|
description: 'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.')
|
||||||
ssl_library = 'openssl'
|
ssl_library = 'openssl'
|
||||||
else
|
else
|
||||||
|
@ -209,10 +209,9 @@ scram_get_mechanisms(Port *port, StringInfo buf)
|
|||||||
/*
|
/*
|
||||||
* Advertise the mechanisms in decreasing order of importance. So the
|
* Advertise the mechanisms in decreasing order of importance. So the
|
||||||
* channel-binding variants go first, if they are supported. Channel
|
* channel-binding variants go first, if they are supported. Channel
|
||||||
* binding is only supported with SSL, and only if the SSL implementation
|
* binding is only supported with SSL.
|
||||||
* has a function to get the certificate's hash.
|
|
||||||
*/
|
*/
|
||||||
#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
|
#ifdef USE_SSL
|
||||||
if (port->ssl_in_use)
|
if (port->ssl_in_use)
|
||||||
{
|
{
|
||||||
appendStringInfoString(buf, SCRAM_SHA_256_PLUS_NAME);
|
appendStringInfoString(buf, SCRAM_SHA_256_PLUS_NAME);
|
||||||
@ -251,13 +250,12 @@ scram_init(Port *port, const char *selected_mech, const char *shadow_pass)
|
|||||||
/*
|
/*
|
||||||
* Parse the selected mechanism.
|
* Parse the selected mechanism.
|
||||||
*
|
*
|
||||||
* Note that if we don't support channel binding, either because the SSL
|
* Note that if we don't support channel binding, or if we're not using
|
||||||
* implementation doesn't support it or we're not using SSL at all, we
|
* SSL at all, we would not have advertised the PLUS variant in the first
|
||||||
* would not have advertised the PLUS variant in the first place. If the
|
* place. If the client nevertheless tries to select it, it's a protocol
|
||||||
* client nevertheless tries to select it, it's a protocol violation like
|
* violation like selecting any other SASL mechanism we don't support.
|
||||||
* selecting any other SASL mechanism we don't support.
|
|
||||||
*/
|
*/
|
||||||
#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
|
#ifdef USE_SSL
|
||||||
if (strcmp(selected_mech, SCRAM_SHA_256_PLUS_NAME) == 0 && port->ssl_in_use)
|
if (strcmp(selected_mech, SCRAM_SHA_256_PLUS_NAME) == 0 && port->ssl_in_use)
|
||||||
state->channel_binding_in_use = true;
|
state->channel_binding_in_use = true;
|
||||||
else
|
else
|
||||||
@ -1010,7 +1008,7 @@ read_client_first_message(scram_state *state, const char *input)
|
|||||||
errmsg("malformed SCRAM message"),
|
errmsg("malformed SCRAM message"),
|
||||||
errdetail("The client selected SCRAM-SHA-256-PLUS, but the SCRAM message does not include channel binding data.")));
|
errdetail("The client selected SCRAM-SHA-256-PLUS, but the SCRAM message does not include channel binding data.")));
|
||||||
|
|
||||||
#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
|
#ifdef USE_SSL
|
||||||
if (state->port->ssl_in_use)
|
if (state->port->ssl_in_use)
|
||||||
ereport(ERROR,
|
ereport(ERROR,
|
||||||
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
||||||
@ -1306,7 +1304,7 @@ read_client_final_message(scram_state *state, const char *input)
|
|||||||
channel_binding = read_attr_value(&p, 'c');
|
channel_binding = read_attr_value(&p, 'c');
|
||||||
if (state->channel_binding_in_use)
|
if (state->channel_binding_in_use)
|
||||||
{
|
{
|
||||||
#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
|
#ifdef USE_SSL
|
||||||
const char *cbind_data = NULL;
|
const char *cbind_data = NULL;
|
||||||
size_t cbind_data_len = 0;
|
size_t cbind_data_len = 0;
|
||||||
size_t cbind_header_len;
|
size_t cbind_header_len;
|
||||||
|
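Review bot: The new `#ifdef USE_SSL` guards (here and at `@ -251`, `@ -1010`, `@ -1306`, plus the libpq-side hunks `@ -401`, `@ -474`, `@ -540` and `@ -478`) make the SCRAM channel-binding paths depend on a generic SSL build rather than on the certificate-hash function being available, so every backend that defines USE_SSL must provide be_tls_get_certificate_hash() / pgtls_get_peer_certificate_hash(). With the `#if defined(USE_OPENSSL) && ...` guards removed from the prototypes in `@ -305,14 +305,8 @@` and `@ -833,14 +833,8 @@`, that contract is no longer visible anywhere in the code, and a future non-OpenSSL backend would fail to link rather than fall back to advertising only SCRAM-SHA-256. Suggest recording it in the header comment above each prototype, e.g. `* Every SSL implementation must provide this: SCRAM channel binding (tls-server-end-point) is compiled in whenever USE_SSL is defined.`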
@ -831,8 +831,6 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
|
|||||||
*
|
*
|
||||||
* These functions are closely modelled on the standard socket BIO in OpenSSL;
|
* These functions are closely modelled on the standard socket BIO in OpenSSL;
|
||||||
* see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
|
* see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
|
||||||
* XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR as reasons
|
|
||||||
* to retry; do we need to adopt their logic for that?
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef HAVE_BIO_GET_DATA
|
#ifndef HAVE_BIO_GET_DATA
|
||||||
@ -1429,7 +1427,6 @@ be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
|
|||||||
ptr[0] = '\0';
|
ptr[0] = '\0';
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO)
|
|
||||||
char *
|
char *
|
||||||
be_tls_get_certificate_hash(Port *port, size_t *len)
|
be_tls_get_certificate_hash(Port *port, size_t *len)
|
||||||
{
|
{
|
||||||
@ -1488,7 +1485,6 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
|
|||||||
|
|
||||||
return cert_hash;
|
return cert_hash;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Convert an X509 subject name to a cstring.
|
* Convert an X509 subject name to a cstring.
|
||||||
|
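Review bot: Removing the `XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR` comment deletes an open question without answering it: the custom BIO's retry handling that it refers to (the sock_read/sock_write-modelled functions, bodies outside this hunk) is unchanged, and as far as I know current OpenSSL's socket BIO still treats more errnos than EINTR as retryable through BIO_sock_should_retry(), so only the version reference was stale. Consider keeping a version-neutral reminder such as `* XXX OpenSSL's socket BIO treats more errnos than EINTR as retryable; do we need to adopt that logic?`; the same comment is removed from the libpq copy at `@ -1826,8 +1824,6 @@`.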
@ -305,14 +305,8 @@ extern void be_tls_get_peer_serial(Port *port, char *ptr, size_t len);
|
|||||||
*
|
*
|
||||||
* The result is a palloc'd hash of the server certificate with its
|
* The result is a palloc'd hash of the server certificate with its
|
||||||
* size, and NULL if there is no certificate available.
|
* size, and NULL if there is no certificate available.
|
||||||
*
|
|
||||||
* This is not supported with old versions of OpenSSL that don't have
|
|
||||||
* the X509_get_signature_nid() function.
|
|
||||||
*/
|
*/
|
||||||
#if defined(USE_OPENSSL) && (defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO))
|
|
||||||
#define HAVE_BE_TLS_GET_CERTIFICATE_HASH
|
|
||||||
extern char *be_tls_get_certificate_hash(Port *port, size_t *len);
|
extern char *be_tls_get_certificate_hash(Port *port, size_t *len);
|
||||||
#endif
|
|
||||||
|
|
||||||
/* init hook for SSL, the default sets the password callback if appropriate */
|
/* init hook for SSL, the default sets the password callback if appropriate */
|
||||||
#ifdef USE_OPENSSL
|
#ifdef USE_OPENSSL
|
||||||
|
@ -529,9 +529,6 @@
|
|||||||
/* Define to 1 if you have the `X509_get_signature_info' function. */
|
/* Define to 1 if you have the `X509_get_signature_info' function. */
|
||||||
#undef HAVE_X509_GET_SIGNATURE_INFO
|
#undef HAVE_X509_GET_SIGNATURE_INFO
|
||||||
|
|
||||||
/* Define to 1 if you have the `X509_get_signature_nid' function. */
|
|
||||||
#undef HAVE_X509_GET_SIGNATURE_NID
|
|
||||||
|
|
||||||
/* Define to 1 if the assembler supports X86_64's POPCNTQ instruction. */
|
/* Define to 1 if the assembler supports X86_64's POPCNTQ instruction. */
|
||||||
#undef HAVE_X86_64_POPCNTQ
|
#undef HAVE_X86_64_POPCNTQ
|
||||||
|
|
||||||
|
@ -401,7 +401,7 @@ build_client_first_message(fe_scram_state *state)
|
|||||||
Assert(conn->ssl_in_use);
|
Assert(conn->ssl_in_use);
|
||||||
appendPQExpBufferStr(&buf, "p=tls-server-end-point");
|
appendPQExpBufferStr(&buf, "p=tls-server-end-point");
|
||||||
}
|
}
|
||||||
#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
|
#ifdef USE_SSL
|
||||||
else if (conn->channel_binding[0] != 'd' && /* disable */
|
else if (conn->channel_binding[0] != 'd' && /* disable */
|
||||||
conn->ssl_in_use)
|
conn->ssl_in_use)
|
||||||
{
|
{
|
||||||
@ -474,7 +474,7 @@ build_client_final_message(fe_scram_state *state)
|
|||||||
*/
|
*/
|
||||||
if (strcmp(state->sasl_mechanism, SCRAM_SHA_256_PLUS_NAME) == 0)
|
if (strcmp(state->sasl_mechanism, SCRAM_SHA_256_PLUS_NAME) == 0)
|
||||||
{
|
{
|
||||||
#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
|
#ifdef USE_SSL
|
||||||
char *cbind_data = NULL;
|
char *cbind_data = NULL;
|
||||||
size_t cbind_data_len = 0;
|
size_t cbind_data_len = 0;
|
||||||
size_t cbind_header_len;
|
size_t cbind_header_len;
|
||||||
@ -540,9 +540,9 @@ build_client_final_message(fe_scram_state *state)
|
|||||||
appendPQExpBufferStr(&conn->errorMessage,
|
appendPQExpBufferStr(&conn->errorMessage,
|
||||||
"channel binding not supported by this build\n");
|
"channel binding not supported by this build\n");
|
||||||
return NULL;
|
return NULL;
|
||||||
#endif /* HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH */
|
#endif /* USE_SSL */
|
||||||
}
|
}
|
||||||
#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
|
#ifdef USE_SSL
|
||||||
else if (conn->channel_binding[0] != 'd' && /* disable */
|
else if (conn->channel_binding[0] != 'd' && /* disable */
|
||||||
conn->ssl_in_use)
|
conn->ssl_in_use)
|
||||||
appendPQExpBufferStr(&buf, "c=eSws"); /* base64 of "y,," */
|
appendPQExpBufferStr(&buf, "c=eSws"); /* base64 of "y,," */
|
||||||
|
@ -478,7 +478,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
|
|||||||
{
|
{
|
||||||
/* The server has offered SCRAM-SHA-256-PLUS. */
|
/* The server has offered SCRAM-SHA-256-PLUS. */
|
||||||
|
|
||||||
#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
|
#ifdef USE_SSL
|
||||||
/*
|
/*
|
||||||
* The client supports channel binding, which is chosen if
|
* The client supports channel binding, which is chosen if
|
||||||
* channel_binding is not disabled.
|
* channel_binding is not disabled.
|
||||||
|
@ -364,7 +364,6 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
|
|||||||
return n;
|
return n;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO)
|
|
||||||
char *
|
char *
|
||||||
pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
|
pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
|
||||||
{
|
{
|
||||||
@ -439,7 +438,6 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
|
|||||||
|
|
||||||
return cert_hash;
|
return cert_hash;
|
||||||
}
|
}
|
||||||
#endif /* HAVE_X509_GET_SIGNATURE_NID */
|
|
||||||
|
|
||||||
/* ------------------------------------------------------------ */
|
/* ------------------------------------------------------------ */
|
||||||
/* OpenSSL specific code */
|
/* OpenSSL specific code */
|
||||||
@ -1826,8 +1824,6 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
|
|||||||
*
|
*
|
||||||
* These functions are closely modelled on the standard socket BIO in OpenSSL;
|
* These functions are closely modelled on the standard socket BIO in OpenSSL;
|
||||||
* see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
|
* see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
|
||||||
* XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR as reasons
|
|
||||||
* to retry; do we need to adopt their logic for that?
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef HAVE_BIO_GET_DATA
|
#ifndef HAVE_BIO_GET_DATA
|
||||||
|
@ -833,14 +833,8 @@ extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
|
|||||||
*
|
*
|
||||||
* NULL is sent back to the caller in the event of an error, with an
|
* NULL is sent back to the caller in the event of an error, with an
|
||||||
* error message for the caller to consume.
|
* error message for the caller to consume.
|
||||||
*
|
|
||||||
* This is not supported with old versions of OpenSSL that don't have
|
|
||||||
* the X509_get_signature_nid() function.
|
|
||||||
*/
|
*/
|
||||||
#if defined(USE_OPENSSL) && (defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO))
|
|
||||||
#define HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
|
|
||||||
extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len);
|
extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len);
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Verify that the server certificate matches the host name we connected to.
|
* Verify that the server certificate matches the host name we connected to.
|
||||||
|
@ -44,9 +44,6 @@ my $SERVERHOSTADDR = '127.0.0.1';
|
|||||||
# This is the pattern to use in pg_hba.conf to match incoming connections.
|
# This is the pattern to use in pg_hba.conf to match incoming connections.
|
||||||
my $SERVERHOSTCIDR = '127.0.0.1/32';
|
my $SERVERHOSTCIDR = '127.0.0.1/32';
|
||||||
|
|
||||||
# Determine whether build supports tls-server-end-point.
|
|
||||||
my $supports_tls_server_end_point =
|
|
||||||
check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1");
|
|
||||||
# Determine whether build supports detection of hash algorithms for
|
# Determine whether build supports detection of hash algorithms for
|
||||||
# RSA-PSS certificates.
|
# RSA-PSS certificates.
|
||||||
my $supports_rsapss_certs =
|
my $supports_rsapss_certs =
|
||||||
@ -90,21 +87,9 @@ $node->connect_fails(
|
|||||||
expected_stderr => qr/invalid channel_binding value: "invalid_value"/);
|
expected_stderr => qr/invalid channel_binding value: "invalid_value"/);
|
||||||
$node->connect_ok("$common_connstr user=ssltestuser channel_binding=disable",
|
$node->connect_ok("$common_connstr user=ssltestuser channel_binding=disable",
|
||||||
"SCRAM with SSL and channel_binding=disable");
|
"SCRAM with SSL and channel_binding=disable");
|
||||||
if ($supports_tls_server_end_point)
|
$node->connect_ok(
|
||||||
{
|
"$common_connstr user=ssltestuser channel_binding=require",
|
||||||
$node->connect_ok(
|
"SCRAM with SSL and channel_binding=require");
|
||||||
"$common_connstr user=ssltestuser channel_binding=require",
|
|
||||||
"SCRAM with SSL and channel_binding=require");
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$node->connect_fails(
|
|
||||||
"$common_connstr user=ssltestuser channel_binding=require",
|
|
||||||
"SCRAM with SSL and channel_binding=require",
|
|
||||||
expected_stderr =>
|
|
||||||
qr/channel binding is required, but server did not offer an authentication method that supports channel binding/
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
# Now test when the user has an MD5-encrypted password; should fail
|
# Now test when the user has an MD5-encrypted password; should fail
|
||||||
$node->connect_fails(
|
$node->connect_fails(
|
||||||
@ -152,22 +137,10 @@ $node->connect_fails(
|
|||||||
expected_stderr =>
|
expected_stderr =>
|
||||||
qr/channel binding required but not supported by server's authentication request/
|
qr/channel binding required but not supported by server's authentication request/
|
||||||
);
|
);
|
||||||
if ($supports_tls_server_end_point)
|
$node->connect_ok(
|
||||||
{
|
"$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",
|
||||||
$node->connect_ok(
|
"SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256"
|
||||||
"$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",
|
);
|
||||||
"SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256"
|
|
||||||
);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$node->connect_fails(
|
|
||||||
"$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",
|
|
||||||
"SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256",
|
|
||||||
expected_stderr =>
|
|
||||||
qr/channel binding is required, but server did not offer an authentication method that supports channel binding/
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
# Now test with a server certificate that uses the RSA-PSS algorithm.
|
# Now test with a server certificate that uses the RSA-PSS algorithm.
|
||||||
# This checks that the certificate can be loaded and that channel binding
|
# This checks that the certificate can be loaded and that channel binding
|
||||||
|
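Review bot: Dropping the `else` branch removes the only negative check in this file that `channel_binding=require` is refused with `channel binding is required, but server did not offer an authentication method that supports channel binding` (likewise in `@ -152,22 +137,10 @@` for the require_auth=scram-sha-256 variant). Since every SSL build now advertises SCRAM-SHA-256-PLUS, that path can no longer be reached with this server setup, but it is the client-side enforcement that protects against a server downgrading to the non-PLUS mechanism. If no other test exercises that message, consider keeping one connect_fails case against a configuration that does not offer the PLUS mechanism.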
@ -371,7 +371,6 @@ sub GenerateFiles
|
|||||||
HAVE_UUID_UUID_H => undef,
|
HAVE_UUID_UUID_H => undef,
|
||||||
HAVE_WCSTOMBS_L => 1,
|
HAVE_WCSTOMBS_L => 1,
|
||||||
HAVE_VISIBILITY_ATTRIBUTE => undef,
|
HAVE_VISIBILITY_ATTRIBUTE => undef,
|
||||||
HAVE_X509_GET_SIGNATURE_NID => 1,
|
|
||||||
HAVE_X509_GET_SIGNATURE_INFO => undef,
|
HAVE_X509_GET_SIGNATURE_INFO => undef,
|
||||||
HAVE_X86_64_POPCNTQ => undef,
|
HAVE_X86_64_POPCNTQ => undef,
|
||||||
HAVE__BOOL => undef,
|
HAVE__BOOL => undef,
|
||||||
@ -488,6 +487,7 @@ sub GenerateFiles
|
|||||||
if ($self->{options}->{openssl})
|
if ($self->{options}->{openssl})
|
||||||
{
|
{
|
||||||
$define{USE_OPENSSL} = 1;
|
$define{USE_OPENSSL} = 1;
|
||||||
|
$define{HAVE_SSL_CTX_SET_CERT_CB} = 1;
|
||||||
|
|
||||||
my ($digit1, $digit2, $digit3) = $self->GetOpenSSLVersion();
|
my ($digit1, $digit2, $digit3) = $self->GetOpenSSLVersion();
|
||||||
|
|
||||||
@ -509,14 +509,6 @@ sub GenerateFiles
|
|||||||
$define{HAVE_HMAC_CTX_NEW} = 1;
|
$define{HAVE_HMAC_CTX_NEW} = 1;
|
||||||
$define{HAVE_OPENSSL_INIT_SSL} = 1;
|
$define{HAVE_OPENSSL_INIT_SSL} = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Symbols needed with OpenSSL 1.0.2 and above.
|
|
||||||
if ( ($digit1 >= '3' && $digit2 >= '0' && $digit3 >= '0')
|
|
||||||
|| ($digit1 >= '1' && $digit2 >= '1' && $digit3 >= '0')
|
|
||||||
|| ($digit1 >= '1' && $digit2 >= '0' && $digit3 >= '2'))
|
|
||||||
{
|
|
||||||
$define{HAVE_SSL_CTX_SET_CERT_CB} = 1;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$self->GenerateConfigHeader('src/include/pg_config.h', \%define, 1);
|
$self->GenerateConfigHeader('src/include/pg_config.h', \%define, 1);
|
||||||
|