-rwxr-xr-xconfigure55
-rw-r--r--configure.ac1
-rw-r--r--doc/src/sgml/install-windows.sgml9
-rw-r--r--meson.build1
-rw-r--r--meson_options.txt3
-rw-r--r--src/Makefile.global.in1
-rw-r--r--src/test/ldap/Makefile1
-rw-r--r--src/test/ldap/meson.build5
-rw-r--r--src/test/ldap/t/001_auth.pl8
-rw-r--r--src/test/modules/ssl_passphrase_callback/Makefile4
-rw-r--r--src/test/modules/ssl_passphrase_callback/meson.build2
-rw-r--r--src/test/ssl/Makefile2
-rw-r--r--src/test/ssl/meson.build5
-rw-r--r--src/test/ssl/sslfiles.mk34
-rw-r--r--src/test/ssl/t/001_ssltests.pl4
-rw-r--r--src/tools/msvc/vcregress.pl1
16 files changed, 107 insertions, 29 deletions
diff --git a/configure b/configure
index 5ea790d6380..3966368b8d9 100755
--- a/configure
+++ b/configure
@@ -648,6 +648,7 @@ PG_CRC32C_OBJS
CFLAGS_ARMV8_CRC32C
CFLAGS_SSE42
LIBOBJS
+OPENSSL
ZSTD
LZ4
UUID_LIBS
@@ -14112,6 +14113,60 @@ done
fi
+if test -z "$OPENSSL"; then
+ for ac_prog in openssl
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_OPENSSL+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $OPENSSL in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_OPENSSL="$OPENSSL" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_OPENSSL="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+OPENSSL=$ac_cv_path_OPENSSL
+if test -n "$OPENSSL"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OPENSSL" >&5
+$as_echo "$OPENSSL" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$OPENSSL" && break
+done
+
+else
+ # Report the value of OPENSSL in configure's output in all cases.
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OPENSSL" >&5
+$as_echo_n "checking for OPENSSL... " >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OPENSSL" >&5
+$as_echo "$OPENSSL" >&6; }
+fi
+
if test "$with_ssl" = openssl ; then
ac_fn_c_check_header_mongrel "$LINENO" "openssl/ssl.h" "ac_cv_header_openssl_ssl_h" "$ac_includes_default"
if test "x$ac_cv_header_openssl_ssl_h" = xyes; then :
diff --git a/configure.ac b/configure.ac
index d80cdb5ca25..f76b7ee31fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1542,6 +1542,7 @@ if test "$with_gssapi" = yes ; then
[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
fi
+PGAC_PATH_PROGS(OPENSSL, openssl)
if test "$with_ssl" = openssl ; then
AC_CHECK_HEADER(openssl/ssl.h, [], [AC_MSG_ERROR([header file <openssl/ssl.h> is required for OpenSSL])])
AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file <openssl/err.h> is required for OpenSSL])])
diff --git a/doc/src/sgml/install-windows.sgml b/doc/src/sgml/install-windows.sgml
index 29d3294dc80..a1013d12807 100644
--- a/doc/src/sgml/install-windows.sgml
+++ b/doc/src/sgml/install-windows.sgml
@@ -542,6 +542,15 @@ $ENV{PROVE_TESTS}='t/020*.pl t/010*.pl'
</varlistentry>
<varlistentry>
+ <term><varname>OPENSSL</varname></term>
+ <listitem><para>
+ Path to a <application>openssl</application> command. The default is
+ <literal>openssl</literal>, which will search for a command by that
+ name in the configured <envar>PATH</envar>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>TAR</varname></term>
<listitem><para>
Path to a <application>tar</application> command. The default is
diff --git a/meson.build b/meson.build
index 2d225f706d2..bfacbdc0af6 100644
--- a/meson.build
+++ b/meson.build
@@ -328,6 +328,7 @@ tar = find_program(get_option('TAR'), native: true)
gzip = find_program(get_option('GZIP'), native: true)
program_lz4 = find_program(get_option('LZ4'), native: true, required: false)
touch = find_program('touch', native: true)
+openssl = find_program(get_option('OPENSSL'), native: true, required: false)
program_zstd = find_program(get_option('ZSTD'), native: true, required: false)
dtrace = find_program(get_option('DTRACE'), native: true, required: get_option('dtrace'))
missing = find_program('config/missing', native: true)
diff --git a/meson_options.txt b/meson_options.txt
index b629cd8d689..c7ea57994dc 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -157,6 +157,9 @@ option('GZIP', type : 'string', value: 'gzip',
option('LZ4', type : 'string', value: 'lz4',
description: 'path to lz4 binary')
+option('OPENSSL', type : 'string', value: 'openssl',
+ description: 'path to openssl binary')
+
option('PERL', type : 'string', value: 'perl',
description: 'path to perl binary')
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 99889167e18..e96bedd4e7b 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -343,6 +343,7 @@ LN_S = @LN_S@
MSGFMT = @MSGFMT@
MSGFMT_FLAGS = @MSGFMT_FLAGS@
MSGMERGE = @MSGMERGE@
+OPENSSL = @OPENSSL@
PYTHON = @PYTHON@
TAR = @TAR@
XGETTEXT = @XGETTEXT@
diff --git a/src/test/ldap/Makefile b/src/test/ldap/Makefile
index e5fa3d86104..b1e4a7be677 100644
--- a/src/test/ldap/Makefile
+++ b/src/test/ldap/Makefile
@@ -14,6 +14,7 @@ top_builddir = ../../..
include $(top_builddir)/src/Makefile.global
export with_ldap
+export OPENSSL
check:
$(prove_check)
diff --git a/src/test/ldap/meson.build b/src/test/ldap/meson.build
index 2211bd5e3ec..020f6e7f087 100644
--- a/src/test/ldap/meson.build
+++ b/src/test/ldap/meson.build
@@ -6,6 +6,9 @@ tests += {
'tests': [
't/001_auth.pl',
],
- 'env': {'with_ldap': ldap.found() ? 'yes' : 'no'},
+ 'env': {
+ 'with_ldap': ldap.found() ? 'yes' : 'no',
+ 'OPENSSL': openssl.path(),
+ },
},
}
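Review bot: `openssl.path()` in the new `'env'` map is evaluated unconditionally, although the top-level lookup added in meson.build uses `required: false` and so permits the program to be absent. As far as I know, Meson refuses to return the path of a not-found program, so configuring on a machine without openssl would probably fail here even when the LDAP tests are not going to run. Guarding the lookup avoids that: `'OPENSSL': openssl.found() ? openssl.path() : '',`. The same expression is added to the `'env'` map in src/test/ssl/meson.build and needs the same guard. The enclosing `tests += {` block starts outside this hunk.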
diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index 2f064f69440..fd90832b755 100644
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -113,13 +113,15 @@ append_to_file(
mkdir $ldap_datadir or die;
mkdir $slapd_certs or die;
-system_or_bail "openssl", "req", "-new", "-nodes", "-keyout",
+my $openssl = $ENV{OPENSSL};
+
+system_or_bail $openssl, "req", "-new", "-nodes", "-keyout",
"$slapd_certs/ca.key", "-x509", "-out", "$slapd_certs/ca.crt", "-subj",
"/CN=CA";
-system_or_bail "openssl", "req", "-new", "-nodes", "-keyout",
+system_or_bail $openssl, "req", "-new", "-nodes", "-keyout",
"$slapd_certs/server.key", "-out", "$slapd_certs/server.csr", "-subj",
"/CN=server";
-system_or_bail "openssl", "x509", "-req", "-in", "$slapd_certs/server.csr",
+system_or_bail $openssl, "x509", "-req", "-in", "$slapd_certs/server.csr",
"-CA", "$slapd_certs/ca.crt", "-CAkey", "$slapd_certs/ca.key",
"-CAcreateserial", "-out", "$slapd_certs/server.crt";
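Review bot: `my $openssl = $ENV{OPENSSL};` takes the value without checking that it is set and non-empty. If the script is run outside the make or meson harness, or configure found no openssl, `$openssl` is undef or empty and the first `system_or_bail` call fails with an error that does not name the cause. Either fail early with a clear message, `die "OPENSSL is not set" unless defined $openssl && $openssl ne '';`, or keep the previous behaviour as a fallback, `my $openssl = $ENV{OPENSSL} || 'openssl';`. Passing the program as a separate list element, as these calls do, is the right shape and should be kept.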
diff --git a/src/test/modules/ssl_passphrase_callback/Makefile b/src/test/modules/ssl_passphrase_callback/Makefile
index a34d7ea46a3..922f0ee0786 100644
--- a/src/test/modules/ssl_passphrase_callback/Makefile
+++ b/src/test/modules/ssl_passphrase_callback/Makefile
@@ -31,9 +31,9 @@ PASS = FooBaR1
.PHONY: ssl-files ssl-files-clean
ssl-files:
- openssl req -new -x509 -days 10000 -nodes -out server.crt \
+ $(OPENSSL) req -new -x509 -days 10000 -nodes -out server.crt \
-keyout server.ckey -subj "/CN=localhost"
- openssl rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
+ $(OPENSSL) rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
rm server.ckey
ssl-files-clean:
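Review bot: `$(OPENSSL)` in the `ssl-files` recipe can expand to nothing, because the configure check in this commit leaves OPENSSL empty when no openssl is found. The recipe then runs `req -new -x509 ...` as the command and fails with a "command not found" that does not mention OpenSSL. A first recipe line such as `@test -n "$(OPENSSL)" || { echo "openssl was not found by configure" >&2; exit 1; }` would make the failure clear. The same applies to every `$(OPENSSL)` recipe line and to the `crlhashfile` `$(shell ...)` call in src/test/ssl/sslfiles.mk.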
diff --git a/src/test/modules/ssl_passphrase_callback/meson.build b/src/test/modules/ssl_passphrase_callback/meson.build
index a9eb4c564da..1c9f009af37 100644
--- a/src/test/modules/ssl_passphrase_callback/meson.build
+++ b/src/test/modules/ssl_passphrase_callback/meson.build
@@ -25,8 +25,6 @@ testprep_targets += ssl_passphrase_callback
# Targets to generate or remove the ssl certificate and key. Need to be copied
# to the source afterwards. Normally not needed.
-openssl = find_program('openssl', native: true, required: false)
-
if openssl.found()
cert = custom_target('server.crt',
output: ['server.crt', 'server.ckey'],
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 12b02eb422b..2885c7c2693 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -15,7 +15,7 @@ subdir = src/test/ssl
top_builddir = ../../..
include $(top_builddir)/src/Makefile.global
-export with_ssl
+export OPENSSL with_ssl
# The sslfiles targets are separated into their own file due to interactions
# with settings in Makefile.global.
diff --git a/src/test/ssl/meson.build b/src/test/ssl/meson.build
index e2f021d884a..1e02bf9ed0c 100644
--- a/src/test/ssl/meson.build
+++ b/src/test/ssl/meson.build
@@ -3,7 +3,10 @@ tests += {
'sd': meson.current_source_dir(),
'bd': meson.current_build_dir(),
'tap': {
- 'env': {'with_ssl': get_option('ssl')},
+ 'env': {
+ 'with_ssl': get_option('ssl'),
+ 'OPENSSL': openssl.path(),
+ },
'tests': [
't/001_ssltests.pl',
't/002_scram.pl',
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index a843a21d42e..54ada01d466 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -84,7 +84,7 @@ sslfiles: $(SSLFILES) $(SSLDIRS)
# Root CA is self-signed.
ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
- openssl req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
+ $(OPENSSL) req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
#
# Special-case keys
@@ -94,20 +94,20 @@ ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
- openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
+ $(OPENSSL) rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
- openssl rsa -in $< -outform DER -out $@
+ $(OPENSSL) rsa -in $< -outform DER -out $@
# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
# formats to test libpq's support for the sslpassword= option.
ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
+ $(OPENSSL) rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
# TODO Explicitly choosing -aes128 generates a key unusable to PostgreSQL with
# OpenSSL 3.0.0, so fall back on the default for now.
ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
+ $(OPENSSL) rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
#
# Combined files
@@ -145,7 +145,7 @@ $(COMBINATIONS):
#
$(STANDARD_KEYS):
- openssl genrsa -out $@ 2048
+ $(OPENSSL) genrsa -out $@ 2048
chmod 0600 $@
#
@@ -165,18 +165,18 @@ client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ss
# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
.NOTPARALLEL:
$(CA_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
- openssl ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@
$(SERVER_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
- openssl ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
- openssl ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
# The CSRs don't need to persist after a build.
.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
ssl/%.csr: ssl/%.key conf/%.config
- openssl req -new -utf8 -key $< -out $@ -config conf/$*.config
+ $(OPENSSL) req -new -utf8 -key $< -out $@ -config conf/$*.config
#
# CA State
@@ -210,16 +210,16 @@ ssl/%.srl:
#
ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
- openssl ca -config conf/cas.config -name root_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name root_ca -gencrl -out $@
ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
- openssl ca -config conf/cas.config -name server_ca -revoke $<
- openssl ca -config conf/cas.config -name server_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name server_ca -revoke $<
+ $(OPENSSL) ca -config conf/cas.config -name server_ca -gencrl -out $@
ssl/client.crl: ssl/client-revoked.crt ssl/client-revoked-utf8.crt ssl/client_ca.crt | $(client_ca_state_files)
- openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
- openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
- openssl ca -config conf/cas.config -name client_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -gencrl -out $@
#
# CRL hash directories
@@ -230,7 +230,7 @@ ssl/root+client-crldir: ssl/client.crl ssl/root.crl
ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
-crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+crlhashfile = $(shell $(OPENSSL) crl -hash -noout -in $(1)).r0
ssl/%-crldir:
mkdir -p $@
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index efe5634fff2..fe42161a0fa 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -611,7 +611,7 @@ TODO:
# pg_stat_ssl
-my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+my $serialno = `$ENV{OPENSSL} x509 -serial -noout -in ssl/client.crt`;
if ($? == 0)
{
# OpenSSL prints serial numbers in hexadecimal and converting the serial
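Review bot: `$ENV{OPENSSL}` is interpolated into a backtick command, so the configured path is parsed by the shell. A path containing spaces (common for Windows installs) is split into words, and any shell metacharacters in it are interpreted. The LDAP test in this commit passes the program as a separate list element instead, and this call would be more robust if it captured the output the same way, without a shell. As a minimum, the value should be quoted inside the backticks: `"$ENV{OPENSSL}" x509 -serial -noout -in ssl/client.crt`. When OPENSSL is unset or empty the command degrades to `x509 ...` and ends up in the fallback branch, so the `warn` in the next hunk prints an empty program name. Checking for an empty value before running the command would keep that message useful.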
@@ -633,7 +633,7 @@ else
{
# OpenSSL isn't functioning on the user's PATH. This probably isn't worth
# skipping the test over, so just fall back to a generic integer match.
- warn 'couldn\'t run `openssl x509` to get client cert serialno';
+ warn "couldn't run \"$ENV{OPENSSL} x509\" to get client cert serialno";
$serialno = '\d+';
}
diff --git a/src/tools/msvc/vcregress.pl b/src/tools/msvc/vcregress.pl
index 5182721eb79..1d86cd650f9 100644
--- a/src/tools/msvc/vcregress.pl
+++ b/src/tools/msvc/vcregress.pl
@@ -146,6 +146,7 @@ sub set_command_env
{
set_single_env('GZIP_PROGRAM', 'gzip');
set_single_env('LZ4', 'lz4');
+ set_single_env('OPENSSL', 'openssl');
set_single_env('ZSTD', 'zstd');
}