=== Applying patches on top of PostgreSQL commit ID 53a49365052026907afff7613929710d1e7f0da0 === /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider migrating to /etc/jail.conf. Fri Jan 31 20:44:21 UTC 2025 On branch cf/4924 nothing to commit, working tree clean === applying patch ./v3-0001-multiple_client_certificate_selection_support.patch Applied patch to 'configure' with conflicts. Applied patch to 'configure.ac' with conflicts. Applied patch to 'meson.build' with conflicts. Applied patch to 'src/include/pg_config.h.in' with conflicts. Applied patch to 'src/interfaces/libpq/fe-connect.c' cleanly. Applied patch to 'src/interfaces/libpq/fe-secure-openssl.c' cleanly. Applied patch to 'src/interfaces/libpq/libpq-int.h' cleanly. U configure U configure.ac U meson.build U src/include/pg_config.h.in diff --cc configure index ceeef9b091,8b26c22be2..0000000000 --- a/configure +++ b/configure @@@ -12595,6 -12573,43 +12595,46 @@@ _ACEO fi done ++<<<<<<< ours ++======= + # OpenSSL versions before 1.1.0 required setting callback functions, for + # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock() + # function was removed. + for ac_func in CRYPTO_lock + do : + ac_fn_c_check_func "$LINENO" "CRYPTO_lock" "ac_cv_func_CRYPTO_lock" + if test "x$ac_cv_func_CRYPTO_lock" = xyes; then : + cat >>confdefs.h <<_ACEOF + #define HAVE_CRYPTO_LOCK 1 + _ACEOF + + fi + done + + # Function introduced in OpenSSL 1.1.1. 
+ for ac_func in X509_get_signature_info + do : + ac_fn_c_check_func "$LINENO" "X509_get_signature_info" "ac_cv_func_X509_get_signature_info" + if test "x$ac_cv_func_X509_get_signature_info" = xyes; then : + cat >>confdefs.h <<_ACEOF + #define HAVE_X509_GET_SIGNATURE_INFO 1 + _ACEOF + + fi + done + + # Function introduced in OpenSSL 1.1.1 to allow client to obtain server's CA list + for ac_func in SSL_get0_peer_CA_list + do : + ac_fn_c_check_func "$LINENO" "SSL_get0_peer_CA_list" "ac_cv_func_SSL_get0_peer_CA_list" + if test "x$ac_cv_func_SSL_get0_peer_CA_list" = xyes; then : + cat >>confdefs.h <<_ACEOF + #define HAVE_SSL_GET0_PEER_CA_LIST 1 + _ACEOF + + fi + done ++>>>>>>> theirs $as_echo "#define USE_OPENSSL 1" >>confdefs.h diff --cc configure.ac index d713360f34,685b22268f..0000000000 --- a/configure.ac +++ b/configure.ac @@@ -1329,12 -1345,21 +1329,28 @@@ if test "$with_ssl" = openssl ; the AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])]) AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])]) fi + # Functions introduced in OpenSSL 1.1.1. + AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites], [], [AC_MSG_ERROR([OpenSSL version >= 1.1.1 is required for SSL support])]) # Function introduced in OpenSSL 1.0.2, not in LibreSSL. AC_CHECK_FUNCS([SSL_CTX_set_cert_cb]) ++<<<<<<< ours + # Function introduced in OpenSSL 1.1.1, not in LibreSSL. + AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets]) ++======= + # Functions introduced in OpenSSL 1.1.0. We used to check for + # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL + # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it + # doesn't have these OpenSSL 1.1.0 functions. So check for individual + # functions. 
+ AC_CHECK_FUNCS([OPENSSL_init_ssl BIO_meth_new ASN1_STRING_get0_data HMAC_CTX_new HMAC_CTX_free]) + # OpenSSL versions before 1.1.0 required setting callback functions, for + # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock() + # function was removed. + AC_CHECK_FUNCS([CRYPTO_lock]) + # Function introduced in OpenSSL 1.1.1. + AC_CHECK_FUNCS([X509_get_signature_info]) + AC_CHECK_FUNCS([SSL_get0_peer_CA_list]) ++>>>>>>> theirs AC_DEFINE([USE_OPENSSL], 1, [Define to 1 to build with OpenSSL support. (--with-ssl=openssl)]) elif test "$with_ssl" != no ; then AC_MSG_ERROR([--with-ssl must specify openssl]) diff --cc meson.build index 8e128f4982,3d337d3db1..0000000000 --- a/meson.build +++ b/meson.build @@@ -1373,9 -1275,25 +1373,13 @@@ if sslopt in ['auto', 'openssl' # Function introduced in OpenSSL 1.0.2, not in LibreSSL. ['SSL_CTX_set_cert_cb'], - # Functions introduced in OpenSSL 1.1.0. We used to check for - # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL - # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it - # doesn't have these OpenSSL 1.1.0 functions. So check for individual - # functions. - ['OPENSSL_init_ssl'], - ['BIO_meth_new'], - ['ASN1_STRING_get0_data'], - ['HMAC_CTX_new'], - ['HMAC_CTX_free'], - - # OpenSSL versions before 1.1.0 required setting callback functions, for - # thread-safety. In 1.1.0, it's no longer required, and CRYPTO_lock() - # function was removed. - ['CRYPTO_lock'], - - # Function introduced in OpenSSL 1.1.1 + # Function introduced in OpenSSL 1.1.1, not in LibreSSL. ['X509_get_signature_info'], ++<<<<<<< ours + ['SSL_CTX_set_num_tickets'], ++======= + ['SSL_get0_peer_CA_list'], ++>>>>>>> theirs ] are_openssl_funcs_complete = true diff --cc src/include/pg_config.h.in index 07b2f798ab,ce94a138f7..0000000000 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@@ -355,11 -381,14 +355,19 @@@ /* Define to 1 if you have the `SSL_CTX_set_cert_cb' function. 
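Review bot: Taking the `theirs` side of the configure.ac conflict would bring back the OpenSSL 1.1.0 probes (`OPENSSL_init_ssl` through `HMAC_CTX_free`) and the `CRYPTO_lock` check, and would drop `SSL_CTX_set_num_tickets`. The context line just above already aborts configure unless `SSL_CTX_set_ciphersuites` (OpenSSL >= 1.1.1) is present. The resolution should keep the `ours` line `AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets])` unchanged and add only `AC_CHECK_FUNCS([SSL_get0_peer_CA_list])` after it. The meson.build conflict needs the same treatment: keep both `['SSL_CTX_set_num_tickets'],` and `['SSL_get0_peer_CA_list'],`, otherwise the two build systems define different `HAVE_` macros and any code guarded by `HAVE_SSL_CTX_SET_NUM_TICKETS` (not visible here) would be compiled out under meson. The enclosing `if test "$with_ssl" = openssl` block starts outside the hunk.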
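Review bot: Once the meson.build conflict is resolved, `['SSL_get0_peer_CA_list'],` sits under the comment `# Function introduced in OpenSSL 1.1.1, not in LibreSSL.`, which was written for the other entries and has not been shown to hold for this function. Give the entry its own comment, matching the patch's configure wording, e.g. `# Function introduced in OpenSSL 1.1.1 to allow client to obtain server's CA list`. Because configure.ac in this tree already requires OpenSSL >= 1.1.1, the probe can presumably fail only on a non-OpenSSL library. It is therefore worth documenting, next to the `HAVE_SSL_GET0_PEER_CA_LIST` guard in libpq (outside this page), how client certificate selection behaves when the function is missing, so that such builds do not silently present a different certificate than the user expects.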
*/ #undef HAVE_SSL_CTX_SET_CERT_CB ++<<<<<<< ours +/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */ +#undef HAVE_SSL_CTX_SET_CIPHERSUITES + +/* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */ +#undef HAVE_SSL_CTX_SET_NUM_TICKETS ++======= + /* Define to 1 if you have the `SSL_get0_peer_CA_list' function. */ + #undef HAVE_SSL_GET0_PEER_CA_LIST + + /* Define to 1 if stdbool.h conforms to C99. */ + #undef HAVE_STDBOOL_H ++>>>>>>> theirs /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H