Various test suites use the "openssl" program as part of their setup.
There isn't a way to override which openssl program is to be used, other
than by fiddling with the path, perhaps. This has gotten increasingly
problematic with some of the work I have been doing, because different
versions of openssl have different capabilities and do different things
by default. This patch checks for an openssl binary in configure and
meson setup, with appropriate ways to override it. This is similar to
how "lz4" and "zstd" are handled, for example. The meson build system
actually already did this, but the result was only used in some places.
This is now applied more uniformly.
From 70a115310a4f130751c0f3b4fcee69a9f29a2c3e Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pe...@eisentraut.org>
Date: Tue, 11 Oct 2022 17:04:42 +0200
Subject: [PATCH] Make finding openssl program a configure or meson option
---
configure | 55 +++++++++++++++++++
configure.ac | 1 +
meson.build | 1 +
meson_options.txt | 3 +
src/Makefile.global.in | 1 +
src/test/ldap/Makefile | 1 +
src/test/ldap/meson.build | 5 +-
src/test/ldap/t/001_auth.pl | 8 ++-
.../modules/ssl_passphrase_callback/Makefile | 4 +-
.../ssl_passphrase_callback/meson.build | 2 -
src/test/ssl/Makefile | 2 +-
src/test/ssl/meson.build | 5 +-
src/test/ssl/sslfiles.mk | 34 ++++++------
src/test/ssl/t/001_ssltests.pl | 2 +-
14 files changed, 96 insertions(+), 28 deletions(-)
diff --git a/configure b/configure
index e04ee9fb4166..dd0802844a4a 100755
--- a/configure
+++ b/configure
@@ -648,6 +648,7 @@ PG_CRC32C_OBJS
CFLAGS_ARMV8_CRC32C
CFLAGS_SSE42
LIBOBJS
+OPENSSL
ZSTD
LZ4
UUID_LIBS
@@ -14023,6 +14024,60 @@ done
fi
+if test -z "$OPENSSL"; then
+ for ac_prog in openssl
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with
args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_OPENSSL+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $OPENSSL in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_OPENSSL="$OPENSSL" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_OPENSSL="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext"
>&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+OPENSSL=$ac_cv_path_OPENSSL
+if test -n "$OPENSSL"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OPENSSL" >&5
+$as_echo "$OPENSSL" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$OPENSSL" && break
+done
+
+else
+ # Report the value of OPENSSL in configure's output in all cases.
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OPENSSL" >&5
+$as_echo_n "checking for OPENSSL... " >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OPENSSL" >&5
+$as_echo "$OPENSSL" >&6; }
+fi
+
if test "$with_ssl" = openssl ; then
ac_fn_c_check_header_mongrel "$LINENO" "openssl/ssl.h"
"ac_cv_header_openssl_ssl_h" "$ac_includes_default"
if test "x$ac_cv_header_openssl_ssl_h" = xyes; then :
diff --git a/configure.ac b/configure.ac
index f146c8301ae1..2b11d5016684 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1539,6 +1539,7 @@ if test "$with_gssapi" = yes ; then
[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is
required for GSSAPI])])])
fi
+PGAC_PATH_PROGS(OPENSSL, openssl)
if test "$with_ssl" = openssl ; then
AC_CHECK_HEADER(openssl/ssl.h, [], [AC_MSG_ERROR([header file
<openssl/ssl.h> is required for OpenSSL])])
AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file
<openssl/err.h> is required for OpenSSL])])
diff --git a/meson.build b/meson.build
index 925db70c9d56..b124446277c0 100644
--- a/meson.build
+++ b/meson.build
@@ -324,6 +324,7 @@ tar = find_program(get_option('TAR'), native: true)
gzip = find_program(get_option('GZIP'), native: true)
program_lz4 = find_program(get_option('LZ4'), native: true, required: false)
touch = find_program('touch', native: true)
+openssl = find_program(get_option('OPENSSL'), native: true, required: false)
program_zstd = find_program(get_option('ZSTD'), native: true, required: false)
dtrace = find_program(get_option('DTRACE'), native: true, required:
get_option('dtrace'))
missing = find_program('config/missing', native: true)
diff --git a/meson_options.txt b/meson_options.txt
index b629cd8d6890..c7ea57994dc7 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -157,6 +157,9 @@ option('GZIP', type : 'string', value: 'gzip',
option('LZ4', type : 'string', value: 'lz4',
description: 'path to lz4 binary')
+option('OPENSSL', type : 'string', value: 'openssl',
+ description: 'path to openssl binary')
+
option('PERL', type : 'string', value: 'perl',
description: 'path to perl binary')
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 99889167e18b..e96bedd4e7b9 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -343,6 +343,7 @@ LN_S = @LN_S@
MSGFMT = @MSGFMT@
MSGFMT_FLAGS = @MSGFMT_FLAGS@
MSGMERGE = @MSGMERGE@
+OPENSSL = @OPENSSL@
PYTHON = @PYTHON@
TAR = @TAR@
XGETTEXT = @XGETTEXT@
diff --git a/src/test/ldap/Makefile b/src/test/ldap/Makefile
index e5fa3d86104c..b1e4a7be677c 100644
--- a/src/test/ldap/Makefile
+++ b/src/test/ldap/Makefile
@@ -14,6 +14,7 @@ top_builddir = ../../..
include $(top_builddir)/src/Makefile.global
export with_ldap
+export OPENSSL
check:
$(prove_check)
diff --git a/src/test/ldap/meson.build b/src/test/ldap/meson.build
index 2211bd5e3ecf..020f6e7f087b 100644
--- a/src/test/ldap/meson.build
+++ b/src/test/ldap/meson.build
@@ -6,6 +6,9 @@ tests += {
'tests': [
't/001_auth.pl',
],
- 'env': {'with_ldap': ldap.found() ? 'yes' : 'no'},
+ 'env': {
+ 'with_ldap': ldap.found() ? 'yes' : 'no',
+ 'OPENSSL': openssl.path(),
+ },
},
}
diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index 2f064f694406..fd90832b755a 100644
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -113,13 +113,15 @@
mkdir $ldap_datadir or die;
mkdir $slapd_certs or die;
-system_or_bail "openssl", "req", "-new", "-nodes", "-keyout",
+my $openssl = $ENV{OPENSSL};
+
+system_or_bail $openssl, "req", "-new", "-nodes", "-keyout",
"$slapd_certs/ca.key", "-x509", "-out", "$slapd_certs/ca.crt", "-subj",
"/CN=CA";
-system_or_bail "openssl", "req", "-new", "-nodes", "-keyout",
+system_or_bail $openssl, "req", "-new", "-nodes", "-keyout",
"$slapd_certs/server.key", "-out", "$slapd_certs/server.csr", "-subj",
"/CN=server";
-system_or_bail "openssl", "x509", "-req", "-in", "$slapd_certs/server.csr",
+system_or_bail $openssl, "x509", "-req", "-in", "$slapd_certs/server.csr",
"-CA", "$slapd_certs/ca.crt", "-CAkey", "$slapd_certs/ca.key",
"-CAcreateserial", "-out", "$slapd_certs/server.crt";
diff --git a/src/test/modules/ssl_passphrase_callback/Makefile
b/src/test/modules/ssl_passphrase_callback/Makefile
index a34d7ea46a3c..922f0ee07864 100644
--- a/src/test/modules/ssl_passphrase_callback/Makefile
+++ b/src/test/modules/ssl_passphrase_callback/Makefile
@@ -31,9 +31,9 @@ PASS = FooBaR1
.PHONY: ssl-files ssl-files-clean
ssl-files:
- openssl req -new -x509 -days 10000 -nodes -out server.crt \
+ $(OPENSSL) req -new -x509 -days 10000 -nodes -out server.crt \
-keyout server.ckey -subj "/CN=localhost"
- openssl rsa -aes256 -in server.ckey -out server.key -passout
pass:$(PASS)
+ $(OPENSSL) rsa -aes256 -in server.ckey -out server.key -passout
pass:$(PASS)
rm server.ckey
ssl-files-clean:
diff --git a/src/test/modules/ssl_passphrase_callback/meson.build
b/src/test/modules/ssl_passphrase_callback/meson.build
index a9eb4c564dae..1c9f009af373 100644
--- a/src/test/modules/ssl_passphrase_callback/meson.build
+++ b/src/test/modules/ssl_passphrase_callback/meson.build
@@ -25,8 +25,6 @@ testprep_targets += ssl_passphrase_callback
# Targets to generate or remove the ssl certificate and key. Need to be copied
# to the source afterwards. Normally not needed.
-openssl = find_program('openssl', native: true, required: false)
-
if openssl.found()
cert = custom_target('server.crt',
output: ['server.crt', 'server.ckey'],
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 12b02eb422bf..2885c7c26932 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -15,7 +15,7 @@ subdir = src/test/ssl
top_builddir = ../../..
include $(top_builddir)/src/Makefile.global
-export with_ssl
+export OPENSSL with_ssl
# The sslfiles targets are separated into their own file due to interactions
# with settings in Makefile.global.
diff --git a/src/test/ssl/meson.build b/src/test/ssl/meson.build
index e2f021d884a3..1e02bf9ed0c5 100644
--- a/src/test/ssl/meson.build
+++ b/src/test/ssl/meson.build
@@ -3,7 +3,10 @@ tests += {
'sd': meson.current_source_dir(),
'bd': meson.current_build_dir(),
'tap': {
- 'env': {'with_ssl': get_option('ssl')},
+ 'env': {
+ 'with_ssl': get_option('ssl'),
+ 'OPENSSL': openssl.path(),
+ },
'tests': [
't/001_ssltests.pl',
't/002_scram.pl',
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index a843a21d42e9..54ada01d4661 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -84,7 +84,7 @@ sslfiles: $(SSLFILES) $(SSLDIRS)
# Root CA is self-signed.
ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
- openssl req -new -x509 -config conf/root_ca.config -days 10000 -key $<
-out $@
+ $(OPENSSL) req -new -x509 -config conf/root_ca.config -days 10000 -key
$< -out $@
#
# Special-case keys
@@ -94,20 +94,20 @@ ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
- openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
+ $(OPENSSL) rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
- openssl rsa -in $< -outform DER -out $@
+ $(OPENSSL) rsa -in $< -outform DER -out $@
# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
# formats to test libpq's support for the sslpassword= option.
ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out
$@
+ $(OPENSSL) rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+'
-out $@
# TODO Explicitly choosing -aes128 generates a key unusable to PostgreSQL with
# OpenSSL 3.0.0, so fall back on the default for now.
ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
+ $(OPENSSL) rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
#
# Combined files
@@ -145,7 +145,7 @@ $(COMBINATIONS):
#
$(STANDARD_KEYS):
- openssl genrsa -out $@ 2048
+ $(OPENSSL) genrsa -out $@ 2048
chmod 0600 $@
#
@@ -165,18 +165,18 @@ client_ca_state_files := ssl/client_ca-certindex
ssl/client_ca-certindex.attr ss
# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
.NOTPARALLEL:
$(CA_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config
ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
- openssl ca -batch -config conf/cas.config -name root_ca -notext -in
$< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name root_ca -notext
-in $< -out $@
$(SERVER_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config
ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
- openssl ca -batch -config conf/cas.config -name server_ca -notext -in
$< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name server_ca -notext
-in $< -out $@
$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config
ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
- openssl ca -batch -config conf/cas.config -name client_ca -notext -in
$< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name client_ca -notext
-in $< -out $@
# The CSRs don't need to persist after a build.
.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
ssl/%.csr: ssl/%.key conf/%.config
- openssl req -new -utf8 -key $< -out $@ -config conf/$*.config
+ $(OPENSSL) req -new -utf8 -key $< -out $@ -config conf/$*.config
#
# CA State
@@ -210,16 +210,16 @@ ssl/%.srl:
#
ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
- openssl ca -config conf/cas.config -name root_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name root_ca -gencrl -out $@
ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt |
$(server_ca_state_files)
- openssl ca -config conf/cas.config -name server_ca -revoke $<
- openssl ca -config conf/cas.config -name server_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name server_ca -revoke $<
+ $(OPENSSL) ca -config conf/cas.config -name server_ca -gencrl -out $@
ssl/client.crl: ssl/client-revoked.crt ssl/client-revoked-utf8.crt
ssl/client_ca.crt | $(client_ca_state_files)
- openssl ca -config conf/cas.config -name client_ca -revoke
ssl/client-revoked.crt
- openssl ca -config conf/cas.config -name client_ca -revoke
ssl/client-revoked-utf8.crt
- openssl ca -config conf/cas.config -name client_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -revoke
ssl/client-revoked.crt
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -revoke
ssl/client-revoked-utf8.crt
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -gencrl -out $@
#
# CRL hash directories
@@ -230,7 +230,7 @@ ssl/root+client-crldir: ssl/client.crl ssl/root.crl
ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
-crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+crlhashfile = $(shell $(OPENSSL) crl -hash -noout -in $(1)).r0
ssl/%-crldir:
mkdir -p $@
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index efe5634fff26..36d28fd766a8 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -611,7 +611,7 @@ sub switch_server_cert
# pg_stat_ssl
-my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+my $serialno = `$ENV{OPENSSL} x509 -serial -noout -in ssl/client.crt`;
if ($? == 0)
{
# OpenSSL prints serial numbers in hexadecimal and converting the serial
--
2.37.3
