Re: [JDBC] [HACKERS] Channel binding support for SCRAM-SHA-256

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [JDBC] [HACKERS] Channel binding support for SCRAM-SHA-256
Date: 2018-01-05 01:00:11
Message-ID: CAB7nPqSvgfHyDjbE1uL0w_CFV-cOURagY+iSg=kt+UyurekV1w@mail.gmail.com
Lists: pgsql-hackers pgsql-jdbc

On Fri, Jan 5, 2018 at 7:12 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> so this is looking mighty like a crashed and burned patch from here :-(

Sorry for arriving late to the party, timezone and such..

The lack of access to the signature algorithm type is being covered by
this commit from upstream which introduced X509_get_signature_nid():
commit: dfcf48f499f19fd17a3aee03151ea301814ea6ec
author: Dr. Stephen Henson <steve(at)openssl(dot)org>
date: Wed, 13 Jun 2012 13:08:12 +0000
New functions to retrieve certificate signatures and signature OID NID.

So any versions of OpenSSL older than 1.0.1 included would not compile
on that. There is only X509_get_signature_type() before that, but this
returns the signature type, and that's the hashing type we are looking
for here. RFC 5929, which defines the channel binding types, is from
July 2010. I have not checked the OpenSSL threads, but I would bet a
nickel that one of the reasons why X509_get_signature_nid() has been
introduced is to support cases similar to tls-server-end-point where
you want to know what's the hash function used for a certificate.

That's my fault at the end, my apologies. I can reproduce manually the
compilation failure of this code when compiling by myself past
versions of OpenSSL. So I think that 054e8c6c is doing the right move.
Thanks Peter and all others involved.
--
Michael

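Added example, not part of the original message and not PostgreSQL or OpenSSL code: the hash selection that RFC 5929 specifies for tls-server-end-point, which is why the certificate's signature algorithm has to be readable at all. The OID table is partial, the function names are hypothetical, and the sample input is a constructed certificate-shaped DER skeleton rather than a real certificate.

```python
import hashlib

# DER-encoded signatureAlgorithm OID (hex) -> hash it uses. Partial table.
SIG_OID_TO_HASH = {
    "2a864886f70d010104": "md5",     # md5WithRSAEncryption
    "2a864886f70d010105": "sha1",    # sha1WithRSAEncryption
    "2a864886f70d01010b": "sha256",  # sha256WithRSAEncryption
    "2a864886f70d01010c": "sha384",  # sha384WithRSAEncryption
    "2a8648ce3d040302": "sha256",    # ecdsa-with-SHA256
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_oid(cert):
    """Hex of the outer signatureAlgorithm OID (the field after tbsCertificate)."""
    tag, start, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert, start)          # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)      # AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected OID")
    return cert[oid_start:oid_end].hex()

def tls_server_end_point(cert):
    """Return (hash_name, digest) per RFC 5929 section 4.1."""
    oid = signature_oid(cert)
    name = SIG_OID_TO_HASH.get(oid)
    if name is None:                       # no single known hash: binding undefined
        raise ValueError("unsupported signatureAlgorithm OID " + oid)
    if name in ("md5", "sha1"):            # RFC 5929: replace MD5/SHA-1 with SHA-256
        name = "sha256"
    return name, hashlib.new(name, cert).digest()

def der(tag, content):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(content)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n])   # enough for n < 256
    return bytes([tag]) + head + content

def sample_cert(oid_hex):
    """Constructed certificate-shaped skeleton, NOT a real or valid certificate."""
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    tbs = der(0x30, b"\x00" * 200)         # opaque filler; the parser skips it
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x01" * 16))
```

The digest always covers the whole certificate as sent by the server; only the choice of hash depends on the signature algorithm.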