On Wed, Jan 20, 2021 at 05:07:08PM +0000, Jacob Champion wrote: > Lovely. I didn't expect *removing* an extension to effectively *add* > more, but I'm glad it works now.
My apologies for chiming in. I was looking at your patch set here, and while reviewing the strong random and cryptohash parts I have found a couple of mistakes in the ./configure part. I think that the switch from --with-openssl to --with-ssl={openssl} could just be done independently as a building piece of the rest, then the first portion based on NSS could just add the minimum set in configure.ac. Please note that the patch set has been using autoconf from Debian, or something forked from upstream. There were also missing updates in several parts of the code base, and a lack of docs for the new switch. I have spent time checking that with --with-openssl to make sure that the obsolete grammar is still compatible, --with-ssl=openssl and also without it. Thoughts? -- Michael
From b3e18564697bdb36a8eba4afe6434294676b528b Mon Sep 17 00:00:00 2001 From: Michael Paquier <mich...@paquier.xyz> Date: Wed, 27 Jan 2021 16:36:45 +0900 Subject: [PATCH] Introduce --with-ssl={openssl} in configure options --- src/include/pg_config.h.in | 2 +- src/backend/libpq/Makefile | 2 +- src/backend/libpq/hba.c | 2 +- src/common/Makefile | 2 +- src/interfaces/libpq/Makefile | 2 +- src/test/Makefile | 2 +- src/test/modules/Makefile | 2 +- .../modules/ssl_passphrase_callback/Makefile | 2 +- .../ssl_passphrase_callback/t/001_testfunc.pl | 2 +- src/test/ssl/Makefile | 2 +- src/test/ssl/t/001_ssltests.pl | 2 +- src/test/ssl/t/002_scram.pl | 2 +- doc/src/sgml/installation.sgml | 5 +- doc/src/sgml/pgcrypto.sgml | 2 +- doc/src/sgml/sslinfo.sgml | 2 +- contrib/Makefile | 2 +- contrib/pgcrypto/Makefile | 4 +- configure | 110 +++++++++++------- configure.ac | 31 +++-- src/Makefile.global.in | 2 +- src/tools/msvc/Solution.pm | 2 +- src/tools/msvc/config_default.pl | 2 +- 22 files changed, 113 insertions(+), 73 deletions(-) diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index f4d9f3b408..55cab4d2bf 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -899,7 +899,7 @@ /* Define to select named POSIX semaphores. */ #undef USE_NAMED_POSIX_SEMAPHORES -/* Define to build with OpenSSL support. (--with-openssl) */ +/* Define to build with OpenSSL support. (--with-ssl=openssl) */ #undef USE_OPENSSL /* Define to 1 to build with PAM support. (--with-pam) */ diff --git a/src/backend/libpq/Makefile b/src/backend/libpq/Makefile index efc5ef760a..8d1d16b0fc 100644 --- a/src/backend/libpq/Makefile +++ b/src/backend/libpq/Makefile @@ -28,7 +28,7 @@ OBJS = \ pqmq.o \ pqsignal.o -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),openssl) OBJS += be-secure-openssl.o endif diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 371dccb852..20bf1461ce 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c 
@@ -1041,7 +1041,7 @@ parse_hba_line(TokenizedLine *tok_line, int elevel) ereport(elevel, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("hostssl record cannot match because SSL is not supported by this build"), - errhint("Compile with --with-openssl to use SSL connections."), + errhint("Compile with --with-ssl=openssl to use SSL connections."), errcontext("line %d of configuration file \"%s\"", line_num, HbaFileName))); *err_msg = "hostssl record cannot match because SSL is not supported by this build"; diff --git a/src/common/Makefile b/src/common/Makefile index 1a1d0d3406..5422579a6a 100644 --- a/src/common/Makefile +++ b/src/common/Makefile @@ -80,7 +80,7 @@ OBJS_COMMON = \ wait_error.o \ wchar.o -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),openssl) OBJS_COMMON += \ protocol_openssl.o \ cryptohash_openssl.o diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile index c4fde3f93d..2b7ace52e4 100644 --- a/src/interfaces/libpq/Makefile +++ b/src/interfaces/libpq/Makefile @@ -45,7 +45,7 @@ OBJS = \ pqexpbuffer.o \ fe-auth.o -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),openssl) OBJS += \ fe-secure-common.o \ fe-secure-openssl.o diff --git a/src/test/Makefile b/src/test/Makefile index ab1ef9a475..f7859c2fd5 100644 --- a/src/test/Makefile +++ b/src/test/Makefile @@ -28,7 +28,7 @@ ifneq (,$(filter ldap,$(PG_TEST_EXTRA))) SUBDIRS += ldap endif endif -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),openssl) ifneq (,$(filter ssl,$(PG_TEST_EXTRA))) SUBDIRS += ssl endif diff --git a/src/test/modules/Makefile b/src/test/modules/Makefile index 59921b46cf..5391f461a2 100644 --- a/src/test/modules/Makefile +++ b/src/test/modules/Makefile @@ -28,7 +28,7 @@ SUBDIRS = \ unsafe_tests \ worker_spi -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),openssl) SUBDIRS += ssl_passphrase_callback else ALWAYS_SUBDIRS += ssl_passphrase_callback 
diff --git a/src/test/modules/ssl_passphrase_callback/Makefile b/src/test/modules/ssl_passphrase_callback/Makefile index f81265c296..a34d7ea46a 100644 --- a/src/test/modules/ssl_passphrase_callback/Makefile +++ b/src/test/modules/ssl_passphrase_callback/Makefile @@ -1,6 +1,6 @@ # ssl_passphrase_callback Makefile -export with_openssl +export with_ssl MODULE_big = ssl_passphrase_func OBJS = ssl_passphrase_func.o $(WIN32RES) diff --git a/src/test/modules/ssl_passphrase_callback/t/001_testfunc.pl b/src/test/modules/ssl_passphrase_callback/t/001_testfunc.pl index dbc084f870..d9838a5d5a 100644 --- a/src/test/modules/ssl_passphrase_callback/t/001_testfunc.pl +++ b/src/test/modules/ssl_passphrase_callback/t/001_testfunc.pl @@ -7,7 +7,7 @@ use TestLib; use Test::More; use PostgresNode; -unless (($ENV{with_openssl} || 'no') eq 'yes') +unless ($ENV{with_ssl} eq 'openssl') { plan skip_all => 'SSL not supported by this build'; } diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile index 93335b1ea2..d545382eea 100644 --- a/src/test/ssl/Makefile +++ b/src/test/ssl/Makefile @@ -13,7 +13,7 @@ subdir = src/test/ssl top_builddir = ../../.. include $(top_builddir)/src/Makefile.global -export with_openssl +export with_ssl CERTIFICATES := server_ca server-cn-and-alt-names \ server-cn-only server-single-alt-name server-multiple-alt-names \ diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index fd2727b568..9cf4ee24cb 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -11,7 +11,7 @@ use lib $FindBin::RealBin; use SSLServer; -if ($ENV{with_openssl} eq 'yes') +if ($ENV{with_ssl} eq 'openssl') { plan tests => 93; } diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl index a088f71a1a..2bdd638115 100644 --- a/src/test/ssl/t/002_scram.pl +++ b/src/test/ssl/t/002_scram.pl 
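Review bot: In src/test/modules/ssl_passphrase_callback/t/001_testfunc.pl the new guard `unless ($ENV{with_ssl} eq 'openssl')` drops the `|| 'no'` default the old line had, so when with_ssl is not exported the comparison runs on undef and, under `use warnings`, emits an uninitialized-value warning before the skip. Keeping the default avoids that: `unless (($ENV{with_ssl} || 'no') eq 'openssl')`. The same unguarded comparison appears in the src/test/ssl/t/001_ssltests.pl and src/test/ssl/t/002_scram.pl hunks. The diffstat lists only Solution.pm and config_default.pl under src/tools/msvc, so if the MSVC test driver still exports with_openssl (not visible here), these tests would be skipped on an OpenSSL build and the TLS coverage would be lost without a failure; worth confirming.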
@@ -13,7 +13,7 @@ use lib $FindBin::RealBin; use SSLServer; -if ($ENV{with_openssl} ne 'yes') +if ($ENV{with_ssl} ne 'openssl') { plan skip_all => 'SSL not supported by this build'; } diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml index a53389b728..2d52068310 100644 --- a/doc/src/sgml/installation.sgml +++ b/doc/src/sgml/installation.sgml @@ -967,7 +967,7 @@ build-postgresql: </varlistentry> <varlistentry> - <term><option>--with-openssl</option> + <term><option>--with-ssl=<replaceable>LIBRARY</replaceable></option> <indexterm> <primary>OpenSSL</primary> <seealso>SSL</seealso> @@ -980,7 +980,8 @@ build-postgresql: package to be installed. <filename>configure</filename> will check for the required header files and libraries to make sure that your <productname>OpenSSL</productname> installation is sufficient - before proceeding. + before proceeding. The only <replaceable>LIBRARY</replaceable> + supported now is <option>openssl</option>. </para> </listitem> </varlistentry> diff --git a/doc/src/sgml/pgcrypto.sgml b/doc/src/sgml/pgcrypto.sgml index 3d74e15ec9..b6bb23de0f 100644 --- a/doc/src/sgml/pgcrypto.sgml +++ b/doc/src/sgml/pgcrypto.sgml @@ -1154,7 +1154,7 @@ gen_random_uuid() returns uuid <filename>pgcrypto</filename> configures itself according to the findings of the main PostgreSQL <literal>configure</literal> script. The options that affect it are <literal>--with-zlib</literal> and - <literal>--with-openssl</literal>. + <literal>--with-ssl=openssl</literal>. </para> <para> diff --git a/doc/src/sgml/sslinfo.sgml b/doc/src/sgml/sslinfo.sgml index 3213c039ca..2a9c45a111 100644 --- a/doc/src/sgml/sslinfo.sgml +++ b/doc/src/sgml/sslinfo.sgml @@ -22,7 +22,7 @@ <para> This extension won't build at all unless the installation was - configured with <literal>--with-openssl</literal>. + configured with <literal>--with-ssl=openssl</literal>. </para> <sect2> diff --git a/contrib/Makefile b/contrib/Makefile index 7a4866e338..ae1fd64028 100644 
--- a/contrib/Makefile +++ b/contrib/Makefile @@ -52,7 +52,7 @@ SUBDIRS = \ unaccent \ vacuumlo -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),openssl) SUBDIRS += sslinfo else ALWAYS_SUBDIRS += sslinfo diff --git a/contrib/pgcrypto/Makefile b/contrib/pgcrypto/Makefile index 316a26e58d..c0b4f1fcf6 100644 --- a/contrib/pgcrypto/Makefile +++ b/contrib/pgcrypto/Makefile @@ -10,8 +10,8 @@ OSSL_TESTS = sha2 des 3des cast5 ZLIB_TST = pgp-compression ZLIB_OFF_TST = pgp-zlib-DISABLED -CF_SRCS = $(if $(subst no,,$(with_openssl)), $(OSSL_SRCS), $(INT_SRCS)) -CF_TESTS = $(if $(subst no,,$(with_openssl)), $(OSSL_TESTS), $(INT_TESTS)) +CF_SRCS = $(if $(subst openssl,,$(with_ssl)), $(INT_SRCS), $(OSSL_SRCS)) +CF_TESTS = $(if $(subst openssl,,$(with_ssl)), $(INT_TESTS), $(OSSL_TESTS)) CF_PGP_TESTS = $(if $(subst no,,$(with_zlib)), $(ZLIB_TST), $(ZLIB_OFF_TST)) SRCS = \ diff --git a/configure b/configure index e202697bbf..092e03e8ed 100755 --- a/configure +++ b/configure @@ -653,6 +653,7 @@ LIBOBJS UUID_LIBS LDAP_LIBS_BE LDAP_LIBS_FE +with_ssl PTHREAD_CFLAGS PTHREAD_LIBS PTHREAD_CC @@ -709,7 +710,6 @@ with_uuid with_readline with_systemd with_selinux -with_openssl with_ldap with_krb_srvnam krb_srvtab @@ -854,7 +854,6 @@ with_pam with_bsd_auth with_ldap with_bonjour -with_openssl with_selinux with_systemd with_readline @@ -866,6 +865,8 @@ with_libxslt with_system_tzdata with_zlib with_gnu_ld +with_ssl +with_openssl enable_largefile ' ac_precious_vars='build_alias @@ -1556,7 +1557,6 @@ Optional Packages: --with-bsd-auth build with BSD Authentication support --with-ldap build with LDAP support --with-bonjour build with Bonjour support - --with-openssl build with OpenSSL support --with-selinux build with SELinux support --with-systemd build with systemd support --without-readline do not use GNU Readline nor BSD Libedit for editing 
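Review bot: In contrib/pgcrypto/Makefile the rewritten `CF_SRCS` and `CF_TESTS` lines select `$(OSSL_SRCS)` whenever `$(subst openssl,,$(with_ssl))` expands to nothing, which also happens when with_ssl is empty or undefined; the old `$(subst no,,$(with_openssl))` form fell back to the internal sources in that case. Testing for the value positively keeps the original argument order and defaults to the built-in implementation: `CF_SRCS = $(if $(filter openssl,$(with_ssl)), $(OSSL_SRCS), $(INT_SRCS))`, and the same for `CF_TESTS`. This matters mostly for builds that reach this Makefile without the regenerated Makefile.global, where the wrong source list would fail at compile or link time with an unrelated-looking error.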
@@ -1570,6 +1570,8 @@ Optional Packages: use system time zone data in DIR --without-zlib do not use Zlib --with-gnu-ld assume the C compiler uses GNU ld [default=no] + --with-ssl=LIB use LIB for SSL/TLS support (openssl) + --with-openssl obsolete spelling of --with-ssl=openssl Some influential environment variables: CC C compiler command @@ -8070,41 +8072,6 @@ fi $as_echo "$with_bonjour" >&6; } -# -# OpenSSL -# -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with OpenSSL support" >&5 -$as_echo_n "checking whether to build with OpenSSL support... " >&6; } - - - -# Check whether --with-openssl was given. -if test "${with_openssl+set}" = set; then : - withval=$with_openssl; - case $withval in - yes) - -$as_echo "#define USE_OPENSSL 1" >>confdefs.h - - ;; - no) - : - ;; - *) - as_fn_error $? "no argument expected for --with-openssl option" "$LINENO" 5 - ;; - esac - -else - with_openssl=no - -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_openssl" >&5 -$as_echo "$with_openssl" >&6; } - - # # SELinux # 
@@ -12174,7 +12141,64 @@ fi fi fi +# +# SSL Library +# +# There is currently one supported SSL/TLS libraries: OpenSSL. +# + + + +# Check whether --with-ssl was given. +if test "${with_ssl+set}" = set; then : + withval=$with_ssl; + case $withval in + yes) + as_fn_error $? "argument required for --with-ssl option" "$LINENO" 5 + ;; + no) + as_fn_error $? "argument required for --with-ssl option" "$LINENO" 5 + ;; + *) + + ;; + esac + +fi + + +if test x"$with_ssl" = x"" ; then + with_ssl=no +fi + + + +# Check whether --with-openssl was given. +if test "${with_openssl+set}" = set; then : + withval=$with_openssl; + case $withval in + yes) + : + ;; + no) + : + ;; + *) + as_fn_error $? "no argument expected for --with-openssl option" "$LINENO" 5 + ;; + esac + +else + with_openssl=no + +fi + + if test "$with_openssl" = yes ; then + with_ssl=openssl +fi + +if test "$with_ssl" = openssl ; then # Minimum required OpenSSL version is 1.0.1 $as_echo "#define OPENSSL_API_COMPAT 0x10001000L" >>confdefs.h @@ -12435,8 +12459,14 @@ _ACEOF fi done + +$as_echo "#define USE_OPENSSL 1" >>confdefs.h + +elif test "$with_ssl" != no ; then + as_fn_error $? "--with-ssl must specify openssl" "$LINENO" 5 fi + if test "$with_pam" = yes ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 $as_echo_n "checking for pam_start in -lpam... " >&6; } @@ -13322,7 +13352,7 @@ done fi -if test "$with_openssl" = yes ; then +if test "$with_ssl" = openssl ; then ac_fn_c_check_header_mongrel "$LINENO" "openssl/ssl.h" "ac_cv_header_openssl_ssl_h" "$ac_includes_default" if test "x$ac_cv_header_openssl_ssl_h" = xyes; then : 
@@ -18098,7 +18128,7 @@ fi # will be used. { $as_echo "$as_me:${as_lineno-$LINENO}: checking which random number source to use" >&5 $as_echo_n "checking which random number source to use... " >&6; } -if test x"$with_openssl" = x"yes" ; then +if test x"$with_ssl" = x"openssl" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL" >&5 $as_echo "OpenSSL" >&6; } elif test x"$PORTNAME" = x"win32" ; then diff --git a/configure.ac b/configure.ac index a5ad072ee4..f7a2db2574 100644 --- a/configure.ac +++ b/configure.ac @@ -852,15 +852,6 @@ PGAC_ARG_BOOL(with, bonjour, no, AC_MSG_RESULT([$with_bonjour]) -# -# OpenSSL -# -AC_MSG_CHECKING([whether to build with OpenSSL support]) -PGAC_ARG_BOOL(with, openssl, no, [build with OpenSSL support], - [AC_DEFINE([USE_OPENSSL], 1, [Define to build with OpenSSL support. (--with-openssl)])]) -AC_MSG_RESULT([$with_openssl]) -AC_SUBST(with_openssl) - # # SELinux # @@ -1205,7 +1196,21 @@ if test "$with_gssapi" = yes ; then fi fi +# +# SSL Library +# +# There is currently one supported SSL/TLS libraries: OpenSSL. +# +PGAC_ARG_REQ(with, ssl, [LIB], [use LIB for SSL/TLS support (openssl)]) +if test x"$with_ssl" = x"" ; then + with_ssl=no +fi +PGAC_ARG_BOOL(with, openssl, no, [obsolete spelling of --with-ssl=openssl]) if test "$with_openssl" = yes ; then + with_ssl=openssl +fi + +if test "$with_ssl" = openssl ; then dnl Order matters! # Minimum required OpenSSL version is 1.0.1 AC_DEFINE(OPENSSL_API_COMPAT, [0x10001000L], @@ -1229,7 +1234,11 @@ if test "$with_openssl" = yes ; then # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock() # function was removed. AC_CHECK_FUNCS([CRYPTO_lock]) + AC_DEFINE([USE_OPENSSL], 1, [Define to 1 if you have OpenSSL support.]) +elif test "$with_ssl" != no ; then + AC_MSG_ERROR([--with-ssl must specify openssl]) fi +AC_SUBST(with_ssl) if test "$with_pam" = yes ; then AC_CHECK_LIB(pam, pam_start, [], [AC_MSG_ERROR([library 'pam' is required for PAM])]) 
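Review bot: The new `SSL Library` block in configure.ac no longer reports which TLS library was selected: the removed OpenSSL block had `AC_MSG_CHECKING`/`AC_MSG_RESULT`, the replacement has neither, so a build that ends up with `with_ssl=no` leaves no line in the configure output saying so. Adding `AC_MSG_CHECKING([which SSL/TLS library to use])` before the option handling and `AC_MSG_RESULT([$with_ssl])` after the `with_openssl` fallback keeps a TLS-less build visible to whoever reads the log. The header comment would read better as `# There is currently one supported SSL/TLS library: OpenSSL.` The `if test "$with_ssl" = openssl` block opened here continues past the end of this hunk.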
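Review bot: The description passed to `AC_DEFINE([USE_OPENSSL], ...)` in this hunk is `Define to 1 if you have OpenSSL support.`, while the src/include/pg_config.h.in hunk of the same patch carries `Define to build with OpenSSL support. (--with-ssl=openssl)`. If pg_config.h.in is regenerated by autoheader, as its template form suggests, the next run would overwrite the hand-edited comment with the text from here. Using one wording in both places avoids that churn: `AC_DEFINE([USE_OPENSSL], 1, [Define to build with OpenSSL support. (--with-ssl=openssl)])`.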
@@ -1402,7 +1411,7 @@ if test "$with_gssapi" = yes ; then [AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])]) fi -if test "$with_openssl" = yes ; then +if test "$with_ssl" = openssl ; then AC_CHECK_HEADER(openssl/ssl.h, [], [AC_MSG_ERROR([header file <openssl/ssl.h> is required for OpenSSL])]) AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file <openssl/err.h> is required for OpenSSL])]) fi @@ -2159,7 +2168,7 @@ fi # first choice, else the native platform sources (Windows API or /dev/urandom) # will be used. AC_MSG_CHECKING([which random number source to use]) -if test x"$with_openssl" = x"yes" ; then +if test x"$with_ssl" = x"openssl" ; then AC_MSG_RESULT([OpenSSL]) elif test x"$PORTNAME" = x"win32" ; then AC_MSG_RESULT([Windows native]) diff --git a/src/Makefile.global.in b/src/Makefile.global.in index 9a1688c97c..74b3a6acd2 100644 --- a/src/Makefile.global.in +++ b/src/Makefile.global.in @@ -183,7 +183,7 @@ with_icu = @with_icu@ with_perl = @with_perl@ with_python = @with_python@ with_tcl = @with_tcl@ -with_openssl = @with_openssl@ +with_ssl = @with_ssl@ with_readline = @with_readline@ with_selinux = @with_selinux@ with_systemd = @with_systemd@ diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm index 2f28de0355..1c0c92fcd2 100644 --- a/src/tools/msvc/Solution.pm +++ b/src/tools/msvc/Solution.pm @@ -1156,7 +1156,7 @@ sub GetFakeConfigure $cfg .= ' --with-ldap' if ($self->{options}->{ldap}); $cfg .= ' --without-zlib' unless ($self->{options}->{zlib}); $cfg .= ' --with-extra-version' if ($self->{options}->{extraver}); - $cfg .= ' --with-openssl' if ($self->{options}->{openssl}); + $cfg .= ' --with-ssl=openssl' if ($self->{options}->{openssl}); $cfg .= ' --with-uuid' if ($self->{options}->{uuid}); $cfg .= ' --with-libxml' if ($self->{options}->{xml}); $cfg .= ' --with-libxslt' if ($self->{options}->{xslt}); 
diff --git a/src/tools/msvc/config_default.pl b/src/tools/msvc/config_default.pl index 2ef2cfc4e9..5395e211eb 100644 --- a/src/tools/msvc/config_default.pl +++ b/src/tools/msvc/config_default.pl @@ -16,7 +16,7 @@ our $config = { tcl => undef, # --with-tcl=<path> perl => undef, # --with-perl=<path> python => undef, # --with-python=<path> - openssl => undef, # --with-openssl=<path> + openssl => undef, # --with-ssl=openssl with <path> uuid => undef, # --with-uuid=<path> xml => undef, # --with-libxml=<path> xslt => undef, # --with-libxslt=<path> -- 2.30.0
signature.asc
Description: PGP signature