From fe61df7f82aa6e0879476146dbe1da9c89b4946b Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Mon, 1 Feb 2021 19:19:44 +0900 Subject: [PATCH] Introduce --with-ssl={openssl} as a configure option This is a replacement for the existing --with-openssl, extending the logic to make easier the addition of new SSL libraries. The grammar is chosen to be similar to --with-uuid, where multiple values can be chosen, with "openssl" as the only supported value for now. The original switch, --with-openssl, is kept for compatibility. Author: Daniel Gustafsson, Michael Paquier Reviewed-by: Jacob Champion Discussion: https://postgr.es/m/FAB21FC8-0F62-434F-AA78-6BD9336D630A@yesql.se --- configure | 110 +++++++++++------- configure.ac | 31 +++-- contrib/Makefile | 2 +- contrib/pgcrypto/Makefile | 4 +- doc/src/sgml/installation.sgml | 23 +++- doc/src/sgml/pgcrypto.sgml | 2 +- doc/src/sgml/sslinfo.sgml | 2 +- src/Makefile.global.in | 2 +- src/backend/libpq/Makefile | 2 +- src/backend/libpq/hba.c | 2 +- src/common/Makefile | 2 +- src/include/pg_config.h.in | 2 +- src/interfaces/libpq/Makefile | 9 +- src/test/Makefile | 2 +- src/test/modules/Makefile | 2 +- .../modules/ssl_passphrase_callback/Makefile | 2 +- .../ssl_passphrase_callback/t/001_testfunc.pl | 4 +- src/test/ssl/Makefile | 2 +- src/test/ssl/t/001_ssltests.pl | 6 +- src/test/ssl/t/002_scram.pl | 4 +- src/tools/msvc/Solution.pm | 2 +- src/tools/msvc/config_default.pl | 2 +- 22 files changed, 137 insertions(+), 82 deletions(-) diff --git a/configure b/configure index e202697bbfa..ce9ea369993 100755 --- a/configure +++ b/configure @@ -653,6 +653,7 @@ LIBOBJS UUID_LIBS LDAP_LIBS_BE LDAP_LIBS_FE +with_ssl PTHREAD_CFLAGS PTHREAD_LIBS PTHREAD_CC @@ -709,7 +710,6 @@ with_uuid with_readline with_systemd with_selinux -with_openssl with_ldap with_krb_srvnam krb_srvtab @@ -854,7 +854,6 @@ with_pam with_bsd_auth with_ldap with_bonjour -with_openssl with_selinux with_systemd with_readline 
@@ -866,6 +865,8 @@ with_libxslt with_system_tzdata with_zlib with_gnu_ld +with_ssl +with_openssl enable_largefile ' ac_precious_vars='build_alias @@ -1556,7 +1557,6 @@ Optional Packages: --with-bsd-auth build with BSD Authentication support --with-ldap build with LDAP support --with-bonjour build with Bonjour support - --with-openssl build with OpenSSL support --with-selinux build with SELinux support --with-systemd build with systemd support --without-readline do not use GNU Readline nor BSD Libedit for editing @@ -1570,6 +1570,8 @@ Optional Packages: use system time zone data in DIR --without-zlib do not use Zlib --with-gnu-ld assume the C compiler uses GNU ld [default=no] + --with-ssl=LIB use LIB for SSL/TLS support (openssl) + --with-openssl obsolete spelling of --with-ssl=openssl Some influential environment variables: CC C compiler command @@ -8070,41 +8072,6 @@ fi $as_echo "$with_bonjour" >&6; } -# -# OpenSSL -# -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with OpenSSL support" >&5 -$as_echo_n "checking whether to build with OpenSSL support... " >&6; } - - - -# Check whether --with-openssl was given. -if test "${with_openssl+set}" = set; then : - withval=$with_openssl; - case $withval in - yes) - -$as_echo "#define USE_OPENSSL 1" >>confdefs.h - - ;; - no) - : - ;; - *) - as_fn_error $? "no argument expected for --with-openssl option" "$LINENO" 5 - ;; - esac - -else - with_openssl=no - -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_openssl" >&5 -$as_echo "$with_openssl" >&6; } - - # # SELinux # 
@@ -12174,7 +12141,64 @@ fi fi fi +# +# SSL Library +# +# There is currently only one supported SSL/TLS library: OpenSSL. +# + + + +# Check whether --with-ssl was given. +if test "${with_ssl+set}" = set; then : + withval=$with_ssl; + case $withval in + yes) + as_fn_error $? "argument required for --with-ssl option" "$LINENO" 5 + ;; + no) + as_fn_error $? "argument required for --with-ssl option" "$LINENO" 5 + ;; + *) + + ;; + esac + +fi + + +if test x"$with_ssl" = x"" ; then + with_ssl=no +fi + + + +# Check whether --with-openssl was given. +if test "${with_openssl+set}" = set; then : + withval=$with_openssl; + case $withval in + yes) + : + ;; + no) + : + ;; + *) + as_fn_error $? "no argument expected for --with-openssl option" "$LINENO" 5 + ;; + esac + +else + with_openssl=no + +fi + + if test "$with_openssl" = yes ; then + with_ssl=openssl +fi + +if test "$with_ssl" = openssl ; then # Minimum required OpenSSL version is 1.0.1 $as_echo "#define OPENSSL_API_COMPAT 0x10001000L" >>confdefs.h @@ -12435,8 +12459,14 @@ _ACEOF fi done + +$as_echo "#define USE_OPENSSL 1" >>confdefs.h + +elif test "$with_ssl" != no ; then + as_fn_error $? "--with-ssl must specify openssl" "$LINENO" 5 fi + if test "$with_pam" = yes ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 $as_echo_n "checking for pam_start in -lpam... " >&6; } @@ -13322,7 +13352,7 @@ done fi -if test "$with_openssl" = yes ; then +if test "$with_ssl" = openssl ; then ac_fn_c_check_header_mongrel "$LINENO" "openssl/ssl.h" "ac_cv_header_openssl_ssl_h" "$ac_includes_default" if test "x$ac_cv_header_openssl_ssl_h" = xyes; then : 
@@ -18098,7 +18128,7 @@ fi # will be used. { $as_echo "$as_me:${as_lineno-$LINENO}: checking which random number source to use" >&5 $as_echo_n "checking which random number source to use... " >&6; } -if test x"$with_openssl" = x"yes" ; then +if test x"$with_ssl" = x"openssl" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL" >&5 $as_echo "OpenSSL" >&6; } elif test x"$PORTNAME" = x"win32" ; then diff --git a/configure.ac b/configure.ac index a5ad072ee4a..07da84d4017 100644 --- a/configure.ac +++ b/configure.ac @@ -852,15 +852,6 @@ PGAC_ARG_BOOL(with, bonjour, no, AC_MSG_RESULT([$with_bonjour]) -# -# OpenSSL -# -AC_MSG_CHECKING([whether to build with OpenSSL support]) -PGAC_ARG_BOOL(with, openssl, no, [build with OpenSSL support], - [AC_DEFINE([USE_OPENSSL], 1, [Define to build with OpenSSL support. (--with-openssl)])]) -AC_MSG_RESULT([$with_openssl]) -AC_SUBST(with_openssl) - # # SELinux # @@ -1205,7 +1196,21 @@ if test "$with_gssapi" = yes ; then fi fi +# +# SSL Library +# +# There is currently only one supported SSL/TLS library: OpenSSL. +# +PGAC_ARG_REQ(with, ssl, [LIB], [use LIB for SSL/TLS support (openssl)]) +if test x"$with_ssl" = x"" ; then + with_ssl=no +fi +PGAC_ARG_BOOL(with, openssl, no, [obsolete spelling of --with-ssl=openssl]) if test "$with_openssl" = yes ; then + with_ssl=openssl +fi + +if test "$with_ssl" = openssl ; then dnl Order matters! # Minimum required OpenSSL version is 1.0.1 AC_DEFINE(OPENSSL_API_COMPAT, [0x10001000L], @@ -1229,7 +1234,11 @@ if test "$with_openssl" = yes ; then # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock() # function was removed. AC_CHECK_FUNCS([CRYPTO_lock]) + AC_DEFINE([USE_OPENSSL], 1, [Define to 1 if you have OpenSSL support.]) +elif test "$with_ssl" != no ; then + AC_MSG_ERROR([--with-ssl must specify openssl]) fi +AC_SUBST(with_ssl) if test "$with_pam" = yes ; then AC_CHECK_LIB(pam, pam_start, [], [AC_MSG_ERROR([library 'pam' is required for PAM])]) 
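Review bot: In the configure.ac hunk at `if test "$with_openssl" = yes ; then with_ssl=openssl`, the assignment is unconditional, so a value already given through `--with-ssl=LIB` is overwritten before the later `elif test "$with_ssl" != no` check can reject it. With `--with-ssl=bogus --with-openssl` the build therefore proceeds with OpenSSL and no diagnostic, and once a second library is accepted a conflicting pair would resolve silently to OpenSSL. Rejecting the combination inside the `with_openssl` branch keeps the selected TLS library explicit: `if test "$with_ssl" != no && test "$with_ssl" != openssl ; then AC_MSG_ERROR([--with-openssl conflicts with --with-ssl=$with_ssl]) fi`. The generated configure hunk carries the same logic and would pick this up on regeneration.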
@@ -1402,7 +1411,7 @@ if test "$with_gssapi" = yes ; then [AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])]) fi -if test "$with_openssl" = yes ; then +if test "$with_ssl" = openssl ; then AC_CHECK_HEADER(openssl/ssl.h, [], [AC_MSG_ERROR([header file is required for OpenSSL])]) AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file is required for OpenSSL])]) fi @@ -2159,7 +2168,7 @@ fi # first choice, else the native platform sources (Windows API or /dev/urandom) # will be used. AC_MSG_CHECKING([which random number source to use]) -if test x"$with_openssl" = x"yes" ; then +if test x"$with_ssl" = x"openssl" ; then AC_MSG_RESULT([OpenSSL]) elif test x"$PORTNAME" = x"win32" ; then AC_MSG_RESULT([Windows native]) diff --git a/contrib/Makefile b/contrib/Makefile index cdc041c7db7..f27e458482e 100644 --- a/contrib/Makefile +++ b/contrib/Makefile @@ -51,7 +51,7 @@ SUBDIRS = \ unaccent \ vacuumlo -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),openssl) SUBDIRS += sslinfo else ALWAYS_SUBDIRS += sslinfo diff --git a/contrib/pgcrypto/Makefile b/contrib/pgcrypto/Makefile index 316a26e58de..c0b4f1fcf68 100644 --- a/contrib/pgcrypto/Makefile +++ b/contrib/pgcrypto/Makefile @@ -10,8 +10,8 @@ OSSL_TESTS = sha2 des 3des cast5 ZLIB_TST = pgp-compression ZLIB_OFF_TST = pgp-zlib-DISABLED -CF_SRCS = $(if $(subst no,,$(with_openssl)), $(OSSL_SRCS), $(INT_SRCS)) -CF_TESTS = $(if $(subst no,,$(with_openssl)), $(OSSL_TESTS), $(INT_TESTS)) +CF_SRCS = $(if $(subst openssl,,$(with_ssl)), $(INT_SRCS), $(OSSL_SRCS)) +CF_TESTS = $(if $(subst openssl,,$(with_ssl)), $(INT_TESTS), $(OSSL_TESTS)) CF_PGP_TESTS = $(if $(subst no,,$(with_zlib)), $(ZLIB_TST), $(ZLIB_OFF_TST)) SRCS = \ diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml index a53389b728e..66ad4ba9380 100644 --- a/doc/src/sgml/installation.sgml +++ b/doc/src/sgml/installation.sgml @@ -967,7 +967,7 @@ build-postgresql: - + OpenSSL SSL 
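Review bot: In contrib/pgcrypto/Makefile, `$(if $(subst openssl,,$(with_ssl)), $(INT_SRCS), $(OSSL_SRCS))` selects the OpenSSL sources whenever `with_ssl` expands to nothing, because the condition is "anything left after removing openssl"; the old `$(subst no,,$(with_openssl))` form fell back to the internal sources in that case. configure always sets the variable to `no` or `openssl`, so this only matters with a stale Makefile.global or an overridden variable, but the fallback direction changed for the module that chooses its cipher backend. A positive match reads more directly and falls back to the internal sources: `CF_SRCS = $(if $(filter openssl,$(with_ssl)), $(OSSL_SRCS), $(INT_SRCS))`, and likewise for `CF_TESTS`. The `ifneq ($(with_ssl),no)` guard added in src/interfaces/libpq/Makefile has the same empty-value behaviour.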
@@ -976,11 +976,22 @@ build-postgresql: Build with support for SSL (encrypted) - connections. This requires the OpenSSL - package to be installed. configure will check - for the required header files and libraries to make sure that - your OpenSSL installation is sufficient - before proceeding. + connections. The only LIBRARY + supported is . This requires the + OpenSSL package to be installed. + configure will check for the required + header files and libraries to make sure that your + OpenSSL installation is sufficient + before proceeding. + + + + + + + + + Obsolete equivalent of --with-ssl=openssl. diff --git a/doc/src/sgml/pgcrypto.sgml b/doc/src/sgml/pgcrypto.sgml index 3d74e15ec9b..b6bb23de0f9 100644 --- a/doc/src/sgml/pgcrypto.sgml +++ b/doc/src/sgml/pgcrypto.sgml @@ -1154,7 +1154,7 @@ gen_random_uuid() returns uuid pgcrypto configures itself according to the findings of the main PostgreSQL configure script. The options that affect it are --with-zlib and - --with-openssl. + --with-ssl=openssl. diff --git a/doc/src/sgml/sslinfo.sgml b/doc/src/sgml/sslinfo.sgml index 3213c039ca6..2a9c45a111b 100644 --- a/doc/src/sgml/sslinfo.sgml +++ b/doc/src/sgml/sslinfo.sgml @@ -22,7 +22,7 @@ This extension won't build at all unless the installation was - configured with --with-openssl. + configured with --with-ssl=openssl. diff --git a/src/Makefile.global.in b/src/Makefile.global.in index 9a1688c97cb..74b3a6acd29 100644 --- a/src/Makefile.global.in +++ b/src/Makefile.global.in @@ -183,7 +183,7 @@ with_icu = @with_icu@ with_perl = @with_perl@ with_python = @with_python@ with_tcl = @with_tcl@ -with_openssl = @with_openssl@ +with_ssl = @with_ssl@ with_readline = @with_readline@ with_selinux = @with_selinux@ with_systemd = @with_systemd@ diff --git a/src/backend/libpq/Makefile b/src/backend/libpq/Makefile index efc5ef760aa..8d1d16b0fc5 100644 --- a/src/backend/libpq/Makefile +++ b/src/backend/libpq/Makefile 
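Review bot: Replacing `with_openssl = @with_openssl@` in src/Makefile.global.in leaves `with_openssl` undefined for everything that includes this file, and configure.ac drops `AC_SUBST(with_openssl)` in the same commit. Any makefile outside this patch that still tests `ifeq ($(with_openssl),yes)` would take its non-SSL branch without an error; PGXS-built extensions are the likely case, though none are visible here. Since `--with-openssl` itself is kept for compatibility, a derived definition would keep the make-level name working too: `with_openssl = $(if $(filter openssl,$(with_ssl)),yes,no)`, with a comment marking it obsolete.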
@@ -28,7 +28,7 @@ OBJS = \ pqmq.o \ pqsignal.o -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),openssl) OBJS += be-secure-openssl.o endif diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 371dccb852f..20bf1461cef 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1041,7 +1041,7 @@ parse_hba_line(TokenizedLine *tok_line, int elevel) ereport(elevel, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("hostssl record cannot match because SSL is not supported by this build"), - errhint("Compile with --with-openssl to use SSL connections."), + errhint("Compile with --with-ssl=openssl to use SSL connections."), errcontext("line %d of configuration file \"%s\"", line_num, HbaFileName))); *err_msg = "hostssl record cannot match because SSL is not supported by this build"; diff --git a/src/common/Makefile b/src/common/Makefile index 1a1d0d3406c..5422579a6a2 100644 --- a/src/common/Makefile +++ b/src/common/Makefile @@ -80,7 +80,7 @@ OBJS_COMMON = \ wait_error.o \ wchar.o -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),openssl) OBJS_COMMON += \ protocol_openssl.o \ cryptohash_openssl.o diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index f4d9f3b408d..55cab4d2bf3 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -899,7 +899,7 @@ /* Define to select named POSIX semaphores. */ #undef USE_NAMED_POSIX_SEMAPHORES -/* Define to build with OpenSSL support. (--with-openssl) */ +/* Define to build with OpenSSL support. (--with-ssl=openssl) */ #undef USE_OPENSSL /* Define to 1 to build with PAM support. (--with-pam) */ diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile index c4fde3f93dd..f74677eaf9b 100644 --- a/src/interfaces/libpq/Makefile +++ b/src/interfaces/libpq/Makefile 
@@ -45,9 +45,14 @@ OBJS = \ pqexpbuffer.o \ fe-auth.o -ifeq ($(with_openssl),yes) +# File shared across all SSL implementations supported. +ifneq ($(with_ssl),no) +OBJS += \ + fe-secure-common.o +endif + +ifeq ($(with_ssl),openssl) OBJS += \ - fe-secure-common.o \ fe-secure-openssl.o endif diff --git a/src/test/Makefile b/src/test/Makefile index ab1ef9a4753..f7859c2fd5e 100644 --- a/src/test/Makefile +++ b/src/test/Makefile @@ -28,7 +28,7 @@ ifneq (,$(filter ldap,$(PG_TEST_EXTRA))) SUBDIRS += ldap endif endif -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),openssl) ifneq (,$(filter ssl,$(PG_TEST_EXTRA))) SUBDIRS += ssl endif diff --git a/src/test/modules/Makefile b/src/test/modules/Makefile index 59921b46cf3..5391f461a25 100644 --- a/src/test/modules/Makefile +++ b/src/test/modules/Makefile @@ -28,7 +28,7 @@ SUBDIRS = \ unsafe_tests \ worker_spi -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),openssl) SUBDIRS += ssl_passphrase_callback else ALWAYS_SUBDIRS += ssl_passphrase_callback diff --git a/src/test/modules/ssl_passphrase_callback/Makefile b/src/test/modules/ssl_passphrase_callback/Makefile index f81265c2963..a34d7ea46a3 100644 --- a/src/test/modules/ssl_passphrase_callback/Makefile +++ b/src/test/modules/ssl_passphrase_callback/Makefile @@ -1,6 +1,6 @@ # ssl_passphrase_callback Makefile -export with_openssl +export with_ssl MODULE_big = ssl_passphrase_func OBJS = ssl_passphrase_func.o $(WIN32RES) diff --git a/src/test/modules/ssl_passphrase_callback/t/001_testfunc.pl b/src/test/modules/ssl_passphrase_callback/t/001_testfunc.pl index dbc084f870e..a2bed5336c0 100644 --- a/src/test/modules/ssl_passphrase_callback/t/001_testfunc.pl +++ b/src/test/modules/ssl_passphrase_callback/t/001_testfunc.pl 
@@ -7,9 +7,9 @@ use TestLib; use Test::More; use PostgresNode; -unless (($ENV{with_openssl} || 'no') eq 'yes') +unless ($ENV{with_ssl} eq 'openssl') { - plan skip_all => 'SSL not supported by this build'; + plan skip_all => 'OpenSSL not supported by this build'; } my $clearpass = "FooBaR1"; diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile index 93335b1ea25..d545382eea2 100644 --- a/src/test/ssl/Makefile +++ b/src/test/ssl/Makefile @@ -13,7 +13,7 @@ subdir = src/test/ssl top_builddir = ../../.. include $(top_builddir)/src/Makefile.global -export with_openssl +export with_ssl CERTIFICATES := server_ca server-cn-and-alt-names \ server-cn-only server-single-alt-name server-multiple-alt-names \ diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index fd2727b5684..7928de4e7c2 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -11,13 +11,13 @@ use lib $FindBin::RealBin; use SSLServer; -if ($ENV{with_openssl} eq 'yes') +if ($ENV{with_ssl} ne 'openssl') { - plan tests => 93; + plan skip_all => 'OpenSSL not supported by this build'; } else { - plan skip_all => 'SSL not supported by this build'; + plan tests => 93; } #### Some configuration diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl index a088f71a1aa..410b9e910d9 100644 --- a/src/test/ssl/t/002_scram.pl +++ b/src/test/ssl/t/002_scram.pl @@ -13,9 +13,9 @@ use lib $FindBin::RealBin; use SSLServer; -if ($ENV{with_openssl} ne 'yes') +if ($ENV{with_ssl} ne 'openssl') { - plan skip_all => 'SSL not supported by this build'; + plan skip_all => 'OpenSSL not supported by this build'; } # This is the hostname used to connect to the server. diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm index 2f28de0355a..1c0c92fcd2c 100644 --- a/src/tools/msvc/Solution.pm +++ b/src/tools/msvc/Solution.pm 
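Review bot: The new guard `unless ($ENV{with_ssl} eq 'openssl')` in 001_testfunc.pl drops the `|| 'no'` default the old line had, so running the script without the Makefile's `export with_ssl` compares undef with `eq` and emits an uninitialized-value warning before skipping. 001_ssltests.pl and 002_scram.pl use `$ENV{with_ssl} ne 'openssl'` with the same gap. Keeping the default makes the skip explicit: `unless (($ENV{with_ssl} || 'no') eq 'openssl')`. A short comment above each guard, saying that the variable comes from the `export with_ssl` line in the directory's Makefile, would also help, because an unset variable makes the whole TLS suite skip rather than fail.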
@@ -1156,7 +1156,7 @@ sub GetFakeConfigure
 $cfg .= ' --with-ldap' if ($self->{options}->{ldap});
 $cfg .= ' --without-zlib' unless ($self->{options}->{zlib});
 $cfg .= ' --with-extra-version' if ($self->{options}->{extraver});
- $cfg .= ' --with-openssl' if ($self->{options}->{openssl});
+ $cfg .= ' --with-ssl=openssl' if ($self->{options}->{openssl});
 $cfg .= ' --with-uuid' if ($self->{options}->{uuid});
 $cfg .= ' --with-libxml' if ($self->{options}->{xml});
 $cfg .= ' --with-libxslt' if ($self->{options}->{xslt});
diff --git a/src/tools/msvc/config_default.pl b/src/tools/msvc/config_default.pl
index 2ef2cfc4e99..5395e211eb2 100644
--- a/src/tools/msvc/config_default.pl
+++ b/src/tools/msvc/config_default.pl
@@ -16,7 +16,7 @@ our $config = {
 tcl => undef, # --with-tcl=
 perl => undef, # --with-perl=
 python => undef, # --with-python=
- openssl => undef, # --with-openssl=
+ openssl => undef, # --with-ssl=openssl with
 uuid => undef, # --with-uuid=
 xml => undef, # --with-libxml=
 xslt => undef, # --with-libxslt=