Fix compilation with older OpenSSL versions

Some older OpenSSL versions (0.9.8 branch) define TLS*_VERSION macros but not the corresponding SSL_OP_NO_* macro, which causes the code for handling ssl_min_protocol_version/ssl_max_protocol_version to fail to compile. To fix, add more #ifdefs and error handling. Reported-by: Victor Wagner <vitus@wagner.pp.ru> Reviewed-by: Michael Paquier <michael@paquier.xyz> Discussion: https://www.postgresql.org/message-id/flat/20190924101859.09383b4f%40fafnir.local.vm
6 years ago · 4e6f101e92
parent 4ea03f3f4e
commit 4e6f101e92
1 changed files with 46 additions and 2 deletions
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@ -198,7 +198,12 @@ be_tls_init(bool isServerStart)

 		if (ssl_ver == -1)
 			goto error;
-		SSL_CTX_set_min_proto_version(context, ssl_ver);
+		if (!SSL_CTX_set_min_proto_version(context, ssl_ver))
+		{
+			ereport(isServerStart ? FATAL : LOG,
+					(errmsg("could not set minimum SSL protocol version")));
+			goto error;
+		}
 	}

 	if (ssl_max_protocol_version)
@ -209,7 +214,12 @@ be_tls_init(bool isServerStart)

 		if (ssl_ver == -1)
 			goto error;
-		SSL_CTX_set_max_proto_version(context, ssl_ver);
+		if (!SSL_CTX_set_max_proto_version(context, ssl_ver))
+		{
+			ereport(isServerStart ? FATAL : LOG,
+					(errmsg("could not set maximum SSL protocol version")));
+			goto error;
+		}
 	}

 	/* disallow SSL session tickets */
@ -1326,13 +1336,30 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)

 	if (version > TLS1_VERSION)
 		ssl_options |= SSL_OP_NO_TLSv1;
+	/*
+	 * Some OpenSSL versions define TLS*_VERSION macros but not the
+	 * corresponding SSL_OP_NO_* macro, so in those cases we have to return
+	 * unsuccessfully here.
+	 */
 #ifdef TLS1_1_VERSION
 	if (version > TLS1_1_VERSION)
+	{
+#ifdef SSL_OP_NO_TLSv1_1
 		ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+		return 0;
+#endif
+	}
 #endif
 #ifdef TLS1_2_VERSION
 	if (version > TLS1_2_VERSION)
+	{
+#ifdef SSL_OP_NO_TLSv1_2
 		ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+		return 0;
+#endif
+	}
 #endif

 	SSL_CTX_set_options(ctx, ssl_options);
@ -1347,13 +1374,30 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)

 	AssertArg(version != 0);

+	/*
+	 * Some OpenSSL versions define TLS*_VERSION macros but not the
+	 * corresponding SSL_OP_NO_* macro, so in those cases we have to return
+	 * unsuccessfully here.
+	 */
 #ifdef TLS1_1_VERSION
 	if (version < TLS1_1_VERSION)
+	{
+#ifdef SSL_OP_NO_TLSv1_1
 		ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+		return 0;
+#endif
+	}
 #endif
 #ifdef TLS1_2_VERSION
 	if (version < TLS1_2_VERSION)
+	{
+#ifdef SSL_OP_NO_TLSv1_2
 		ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+		return 0;
+#endif
+	}
 #endif

 	SSL_CTX_set_options(ctx, ssl_options);