From 70a115310a4f130751c0f3b4fcee69a9f29a2c3e Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Tue, 11 Oct 2022 17:04:42 +0200 Subject: [PATCH] Make finding openssl program a configure or meson option --- configure | 55 +++++++++++++++++++ configure.ac | 1 + meson.build | 1 + meson_options.txt | 3 + src/Makefile.global.in | 1 + src/test/ldap/Makefile | 1 + src/test/ldap/meson.build | 5 +- src/test/ldap/t/001_auth.pl | 8 ++- .../modules/ssl_passphrase_callback/Makefile | 4 +- .../ssl_passphrase_callback/meson.build | 2 - src/test/ssl/Makefile | 2 +- src/test/ssl/meson.build | 5 +- src/test/ssl/sslfiles.mk | 34 ++++++------ src/test/ssl/t/001_ssltests.pl | 2 +- 14 files changed, 96 insertions(+), 28 deletions(-) diff --git a/configure b/configure index e04ee9fb4166..dd0802844a4a 100755 --- a/configure +++ b/configure @@ -648,6 +648,7 @@ PG_CRC32C_OBJS CFLAGS_ARMV8_CRC32C CFLAGS_SSE42 LIBOBJS +OPENSSL ZSTD LZ4 UUID_LIBS @@ -14023,6 +14024,60 @@ done fi +if test -z "$OPENSSL"; then + for ac_prog in openssl +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_OPENSSL+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $OPENSSL in + [\\/]* | ?:[\\/]*) + ac_cv_path_OPENSSL="$OPENSSL" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_OPENSSL="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +OPENSSL=$ac_cv_path_OPENSSL +if test -n "$OPENSSL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OPENSSL" >&5 +$as_echo "$OPENSSL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$OPENSSL" && break +done + +else + # Report the value of OPENSSL in configure's output in all cases. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OPENSSL" >&5 +$as_echo_n "checking for OPENSSL... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OPENSSL" >&5 +$as_echo "$OPENSSL" >&6; } +fi + if test "$with_ssl" = openssl ; then ac_fn_c_check_header_mongrel "$LINENO" "openssl/ssl.h" "ac_cv_header_openssl_ssl_h" "$ac_includes_default" if test "x$ac_cv_header_openssl_ssl_h" = xyes; then : diff --git a/configure.ac b/configure.ac index f146c8301ae1..2b11d5016684 100644 --- a/configure.ac +++ b/configure.ac @@ -1539,6 +1539,7 @@ if test "$with_gssapi" = yes ; then [AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])]) fi +PGAC_PATH_PROGS(OPENSSL, openssl) if test "$with_ssl" = openssl ; then AC_CHECK_HEADER(openssl/ssl.h, [], [AC_MSG_ERROR([header file is required for OpenSSL])]) AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file is required for OpenSSL])]) diff --git a/meson.build b/meson.build index 925db70c9d56..b124446277c0 100644 --- a/meson.build +++ b/meson.build @@ -324,6 +324,7 @@ tar = find_program(get_option('TAR'), native: true) gzip = find_program(get_option('GZIP'), native: true) program_lz4 = find_program(get_option('LZ4'), native: true, required: false) touch = find_program('touch', native: true) +openssl = find_program(get_option('OPENSSL'), native: true, required: false) program_zstd = find_program(get_option('ZSTD'), native: true, required: false) dtrace = find_program(get_option('DTRACE'), native: true, required: get_option('dtrace')) missing = find_program('config/missing', native: true) diff --git a/meson_options.txt b/meson_options.txt index b629cd8d6890..c7ea57994dc7 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -157,6 +157,9 @@ option('GZIP', type : 'string', value: 'gzip', option('LZ4', type : 'string', value: 'lz4', description: 'path to lz4 binary') +option('OPENSSL', type : 'string', value: 'openssl', + description: 'path to openssl binary') + option('PERL', type : 'string', value: 'perl', description: 'path to perl binary') diff --git a/src/Makefile.global.in b/src/Makefile.global.in index 99889167e18b..e96bedd4e7b9 100644 --- a/src/Makefile.global.in +++ b/src/Makefile.global.in @@ -343,6 +343,7 @@ LN_S = @LN_S@ MSGFMT = @MSGFMT@ MSGFMT_FLAGS = @MSGFMT_FLAGS@ MSGMERGE = @MSGMERGE@ +OPENSSL = @OPENSSL@ PYTHON = @PYTHON@ TAR = @TAR@ XGETTEXT = @XGETTEXT@ diff --git a/src/test/ldap/Makefile b/src/test/ldap/Makefile index e5fa3d86104c..b1e4a7be677c 100644 --- a/src/test/ldap/Makefile +++ b/src/test/ldap/Makefile @@ -14,6 +14,7 @@ top_builddir = ../../.. include $(top_builddir)/src/Makefile.global export with_ldap +export OPENSSL check: $(prove_check) diff --git a/src/test/ldap/meson.build b/src/test/ldap/meson.build index 2211bd5e3ecf..020f6e7f087b 100644 --- a/src/test/ldap/meson.build +++ b/src/test/ldap/meson.build @@ -6,6 +6,9 @@ tests += { 'tests': [ 't/001_auth.pl', ], - 'env': {'with_ldap': ldap.found() ? 'yes' : 'no'}, + 'env': { + 'with_ldap': ldap.found() ? 'yes' : 'no', + 'OPENSSL': openssl.path(), + }, }, } diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl index 2f064f694406..fd90832b755a 100644 --- a/src/test/ldap/t/001_auth.pl +++ b/src/test/ldap/t/001_auth.pl @@ -113,13 +113,15 @@ mkdir $ldap_datadir or die; mkdir $slapd_certs or die; -system_or_bail "openssl", "req", "-new", "-nodes", "-keyout", +my $openssl = $ENV{OPENSSL}; + +system_or_bail $openssl, "req", "-new", "-nodes", "-keyout", "$slapd_certs/ca.key", "-x509", "-out", "$slapd_certs/ca.crt", "-subj", "/CN=CA"; -system_or_bail "openssl", "req", "-new", "-nodes", "-keyout", +system_or_bail $openssl, "req", "-new", "-nodes", "-keyout", "$slapd_certs/server.key", "-out", "$slapd_certs/server.csr", "-subj", "/CN=server"; -system_or_bail "openssl", "x509", "-req", "-in", "$slapd_certs/server.csr", +system_or_bail $openssl, "x509", "-req", "-in", "$slapd_certs/server.csr", "-CA", "$slapd_certs/ca.crt", "-CAkey", "$slapd_certs/ca.key", "-CAcreateserial", "-out", "$slapd_certs/server.crt"; diff --git a/src/test/modules/ssl_passphrase_callback/Makefile b/src/test/modules/ssl_passphrase_callback/Makefile index a34d7ea46a3c..922f0ee07864 100644 --- a/src/test/modules/ssl_passphrase_callback/Makefile +++ b/src/test/modules/ssl_passphrase_callback/Makefile @@ -31,9 +31,9 @@ PASS = FooBaR1 .PHONY: ssl-files ssl-files-clean ssl-files: - openssl req -new -x509 -days 10000 -nodes -out server.crt \ + $(OPENSSL) req -new -x509 -days 10000 -nodes -out server.crt \ -keyout server.ckey -subj "/CN=localhost" - openssl rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS) + $(OPENSSL) rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS) rm server.ckey ssl-files-clean: diff --git a/src/test/modules/ssl_passphrase_callback/meson.build b/src/test/modules/ssl_passphrase_callback/meson.build index a9eb4c564dae..1c9f009af373 100644 --- a/src/test/modules/ssl_passphrase_callback/meson.build +++ b/src/test/modules/ssl_passphrase_callback/meson.build @@ -25,8 +25,6 @@ testprep_targets += ssl_passphrase_callback # Targets to generate or remove the ssl certificate and key. Need to be copied # to the source afterwards. Normally not needed. -openssl = find_program('openssl', native: true, required: false) - if openssl.found() cert = custom_target('server.crt', output: ['server.crt', 'server.ckey'], diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile index 12b02eb422bf..2885c7c26932 100644 --- a/src/test/ssl/Makefile +++ b/src/test/ssl/Makefile @@ -15,7 +15,7 @@ subdir = src/test/ssl top_builddir = ../../.. include $(top_builddir)/src/Makefile.global -export with_ssl +export OPENSSL with_ssl # The sslfiles targets are separated into their own file due to interactions # with settings in Makefile.global. diff --git a/src/test/ssl/meson.build b/src/test/ssl/meson.build index e2f021d884a3..1e02bf9ed0c5 100644 --- a/src/test/ssl/meson.build +++ b/src/test/ssl/meson.build @@ -3,7 +3,10 @@ tests += { 'sd': meson.current_source_dir(), 'bd': meson.current_build_dir(), 'tap': { - 'env': {'with_ssl': get_option('ssl')}, + 'env': { + 'with_ssl': get_option('ssl'), + 'OPENSSL': openssl.path(), + }, 'tests': [ 't/001_ssltests.pl', 't/002_scram.pl', diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk index a843a21d42e9..54ada01d4661 100644 --- a/src/test/ssl/sslfiles.mk +++ b/src/test/ssl/sslfiles.mk @@ -84,7 +84,7 @@ sslfiles: $(SSLFILES) $(SSLDIRS) # Root CA is self-signed. ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config - openssl req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@ + $(OPENSSL) req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@ # # Special-case keys @@ -94,20 +94,20 @@ ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config # Password-protected version of server-cn-only.key ssl/server-password.key: ssl/server-cn-only.key - openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1' + $(OPENSSL) rsa -aes256 -in $< -out $@ -passout 'pass:secret1' # DER-encoded version of client.key ssl/client-der.key: ssl/client.key - openssl rsa -in $< -outform DER -out $@ + $(OPENSSL) rsa -in $< -outform DER -out $@ # Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) # formats to test libpq's support for the sslpassword= option. ssl/client-encrypted-pem.key: ssl/client.key - openssl rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@ + $(OPENSSL) rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@ # TODO Explicitly choosing -aes128 generates a key unusable to PostgreSQL with # OpenSSL 3.0.0, so fall back on the default for now. ssl/client-encrypted-der.key: ssl/client.key - openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@ + $(OPENSSL) rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@ # # Combined files @@ -145,7 +145,7 @@ $(COMBINATIONS): # $(STANDARD_KEYS): - openssl genrsa -out $@ 2048 + $(OPENSSL) genrsa -out $@ 2048 chmod 0600 $@ # @@ -165,18 +165,18 @@ client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ss # parallel processes, so we must mark the entire Makefile .NOTPARALLEL. .NOTPARALLEL: $(CA_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files) - openssl ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@ + $(OPENSSL) ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@ $(SERVER_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files) - openssl ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@ + $(OPENSSL) ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@ $(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files) - openssl ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@ + $(OPENSSL) ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@ # The CSRs don't need to persist after a build. .INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr) ssl/%.csr: ssl/%.key conf/%.config - openssl req -new -utf8 -key $< -out $@ -config conf/$*.config + $(OPENSSL) req -new -utf8 -key $< -out $@ -config conf/$*.config # # CA State @@ -210,16 +210,16 @@ ssl/%.srl: # ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files) - openssl ca -config conf/cas.config -name root_ca -gencrl -out $@ + $(OPENSSL) ca -config conf/cas.config -name root_ca -gencrl -out $@ ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files) - openssl ca -config conf/cas.config -name server_ca -revoke $< - openssl ca -config conf/cas.config -name server_ca -gencrl -out $@ + $(OPENSSL) ca -config conf/cas.config -name server_ca -revoke $< + $(OPENSSL) ca -config conf/cas.config -name server_ca -gencrl -out $@ ssl/client.crl: ssl/client-revoked.crt ssl/client-revoked-utf8.crt ssl/client_ca.crt | $(client_ca_state_files) - openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt - openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt - openssl ca -config conf/cas.config -name client_ca -gencrl -out $@ + $(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt + $(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt + $(OPENSSL) ca -config conf/cas.config -name client_ca -gencrl -out $@ # # CRL hash directories @@ -230,7 +230,7 @@ ssl/root+client-crldir: ssl/client.crl ssl/root.crl ssl/server-crldir: ssl/server.crl ssl/client-crldir: ssl/client.crl -crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0 +crlhashfile = $(shell $(OPENSSL) crl -hash -noout -in $(1)).r0 ssl/%-crldir: mkdir -p $@ diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index efe5634fff26..36d28fd766a8 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -611,7 +611,7 @@ sub switch_server_cert # pg_stat_ssl -my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`; +my $serialno = `$ENV{OPENSSL} x509 -serial -noout -in ssl/client.crt`; if ($? == 0) { # OpenSSL prints serial numbers in hexadecimal and converting the serial -- 2.37.3