Make "make variables" config attributes for overridable flags
With the support of "make variables" comes the possibility for the
user to override them. However, we need to make a difference between
defaults that we use (and that should be overridable by the user) and
flags that are crucial for building OpenSSL (should not be
overridable).
Typically, overridable flags are those setting optimization levels,
warnings levels, that kind of thing, while non-overridable flags are,
for example, macros that indicate aspects of how the config target
should be treated, such as L_ENDIAN and B_ENDIAN.
We do that differentiation by allowing upper case attributes in the
config targets, named exactly like the "make variables" we support,
and reserving the lower case attributes for non-overridable project
flags.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5534)
2018-03-07 03:35:30 +08:00
|
|
|
#!{- $config{HASHBANGPERL} -}
|
2021-05-17 20:25:12 +08:00
|
|
|
{- use OpenSSL::Util; -}
|
2016-01-26 04:19:59 +08:00
|
|
|
# {- join("\n# ", @autowarntext) -}
|
2021-03-11 21:27:36 +08:00
|
|
|
# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
2016-06-01 23:26:40 +08:00
|
|
|
#
|
2018-12-06 20:03:50 +08:00
|
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-06-01 23:26:40 +08:00
|
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
|
|
# in the file LICENSE in the source distribution or at
|
|
|
|
# https://www.openssl.org/source/license.html
|
2016-01-26 04:19:59 +08:00
|
|
|
|
2000-05-18 08:33:00 +08:00
|
|
|
# Perl c_rehash script, scan all files in a directory
|
|
|
|
# and add symbolic links to their hash values.
|
|
|
|
|
Refactor file writing - introduce template driven file writing
apps/CA.pl and tools/c_rehash are built from template files. So far,
this was done by Configure, which created its own problems as it
forced everyone to reconfigure just because one of the template files
had changed.
Instead, have those files created as part of the normal build in apps/
and in tools/.
Furthermore, this prepares for a future where Configure may produce
entirely other build files than Makefile, and the latter can't be
guaranteed to be the holder of all information for other scripts.
Instead, configdata.pm (described below) becomes the center of
configuration information.
This introduces a few new things:
%config a hash table to hold all kinds of configuration data
that can be used by any other script.
configdata.pm a perl module that Configure writes. It currently
holds the hash tables %config and %target.
util/dofile.pl a script that takes a template on STDIN and outputs
the result after applying configuration data on it.
It's supposed to be called like this:
perl -I$(TOP) -Mconfigdata < template > result
or
perl -I$(TOP) -Mconfigdata templ1 templ2 ... > result
Note: util/dofile.pl requires Text::Template.
As part of this changed, remove a number of variables that are really
just copies of entries in %target, and use %target directly. The
exceptions are $target{cflags} and $target{lflags}, they do get copied
to $cflags and $lflags. The reason for this is that those variable
potentially go through a lot of changes and would rather deserve a
place in %config. That, however, is for another commit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-19 04:35:23 +08:00
|
|
|
my $dir = {- quotify1($config{openssldir}) -};
|
|
|
|
my $prefix = {- quotify1($config{prefix}) -};
|
2000-05-18 08:33:00 +08:00
|
|
|
|
2015-09-10 23:46:13 +08:00
|
|
|
my $errorcount = 0;
|
2014-09-08 06:45:02 +08:00
|
|
|
my $openssl = $ENV{OPENSSL} || "openssl";
|
|
|
|
my $pwd;
|
|
|
|
my $x509hash = "-subject_hash";
|
|
|
|
my $crlhash = "-hash";
|
|
|
|
my $verbose = 0;
|
|
|
|
my $symlink_exists=eval {symlink("",""); 1};
|
|
|
|
my $removelinks = 1;
|
|
|
|
|
|
|
|
## Parse flags.
|
2015-06-02 19:41:35 +08:00
|
|
|
while ( $ARGV[0] =~ /^-/ ) {
|
2014-09-08 06:45:02 +08:00
|
|
|
my $flag = shift @ARGV;
|
|
|
|
last if ( $flag eq '--');
|
2015-06-02 19:41:35 +08:00
|
|
|
if ( $flag eq '-old') {
|
2021-08-29 08:59:09 +08:00
|
|
|
$x509hash = "-subject_hash_old";
|
|
|
|
$crlhash = "-hash_old";
|
2016-09-12 23:29:22 +08:00
|
|
|
} elsif ( $flag eq '-h' || $flag eq '-help' ) {
|
2021-08-29 08:59:09 +08:00
|
|
|
help();
|
2014-09-08 06:45:02 +08:00
|
|
|
} elsif ( $flag eq '-n' ) {
|
2021-08-29 08:59:09 +08:00
|
|
|
$removelinks = 0;
|
2014-09-08 06:45:02 +08:00
|
|
|
} elsif ( $flag eq '-v' ) {
|
2021-08-29 08:59:09 +08:00
|
|
|
$verbose++;
|
2014-09-08 06:45:02 +08:00
|
|
|
}
|
|
|
|
else {
|
2021-08-29 08:59:09 +08:00
|
|
|
print STDERR "Usage error; try -h.\n";
|
|
|
|
exit 1;
|
2014-09-08 06:45:02 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
sub help {
|
2021-08-29 08:59:09 +08:00
|
|
|
print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n";
|
|
|
|
print " -old use old-style digest\n";
|
|
|
|
print " -h or -help print this help text\n";
|
|
|
|
print " -v print files removed and linked\n";
|
|
|
|
exit 0;
|
2000-05-18 08:33:00 +08:00
|
|
|
}
|
|
|
|
|
2006-10-26 18:52:12 +08:00
|
|
|
eval "require Cwd";
|
|
|
|
if (defined(&Cwd::getcwd)) {
|
2021-08-29 08:59:09 +08:00
|
|
|
$pwd=Cwd::getcwd();
|
2006-10-26 18:52:12 +08:00
|
|
|
} else {
|
2021-08-29 08:59:09 +08:00
|
|
|
$pwd=`pwd`;
|
|
|
|
chomp($pwd);
|
2006-10-26 18:52:12 +08:00
|
|
|
}
|
2006-10-22 00:28:03 +08:00
|
|
|
|
2014-09-08 06:45:02 +08:00
|
|
|
# DOS/Win32 or Unix delimiter? Prefix our installdir, then search.
|
|
|
|
my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':';
|
|
|
|
$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : "");
|
2000-05-18 08:33:00 +08:00
|
|
|
|
2015-09-08 10:21:38 +08:00
|
|
|
if (! -x $openssl) {
|
2021-08-29 08:59:09 +08:00
|
|
|
my $found = 0;
|
|
|
|
foreach (split /$path_delim/, $ENV{PATH}) {
|
|
|
|
if (-x "$_/$openssl") {
|
|
|
|
$found = 1;
|
|
|
|
$openssl = "$_/$openssl";
|
|
|
|
last;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if ($found == 0) {
|
|
|
|
print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
|
|
|
|
exit 0;
|
|
|
|
}
|
2000-05-18 08:33:00 +08:00
|
|
|
}
|
|
|
|
|
2015-09-08 10:21:38 +08:00
|
|
|
if (@ARGV) {
|
2021-08-29 08:59:09 +08:00
|
|
|
@dirlist = @ARGV;
|
2015-09-08 10:21:38 +08:00
|
|
|
} elsif ($ENV{SSL_CERT_DIR}) {
|
2021-08-29 08:59:09 +08:00
|
|
|
@dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
|
2000-05-18 08:33:00 +08:00
|
|
|
} else {
|
2021-08-29 08:59:09 +08:00
|
|
|
$dirlist[0] = "$dir/certs";
|
2000-05-18 08:33:00 +08:00
|
|
|
}
|
|
|
|
|
2006-10-22 00:28:03 +08:00
|
|
|
if (-d $dirlist[0]) {
|
2021-08-29 08:59:09 +08:00
|
|
|
chdir $dirlist[0];
|
|
|
|
$openssl="$pwd/$openssl" if (!-x $openssl);
|
|
|
|
chdir $pwd;
|
2006-10-22 00:28:03 +08:00
|
|
|
}
|
2000-05-18 08:33:00 +08:00
|
|
|
|
|
|
|
foreach (@dirlist) {
|
2021-08-29 08:59:09 +08:00
|
|
|
if (-d $_ ) {
|
|
|
|
if ( -w $_) {
|
|
|
|
hash_dir($_);
|
|
|
|
} else {
|
|
|
|
print "Skipping $_, can't write\n";
|
|
|
|
$errorcount++;
|
|
|
|
}
|
|
|
|
}
|
2000-05-18 08:33:00 +08:00
|
|
|
}
|
2015-09-10 23:46:13 +08:00
|
|
|
exit($errorcount);
|
2000-05-18 08:33:00 +08:00
|
|
|
|
|
|
|
sub hash_dir {
|
2021-08-29 08:59:09 +08:00
|
|
|
my %hashlist;
|
|
|
|
print "Doing $_[0]\n";
|
|
|
|
chdir $_[0];
|
|
|
|
opendir(DIR, ".");
|
|
|
|
my @flist = sort readdir(DIR);
|
|
|
|
closedir DIR;
|
|
|
|
if ( $removelinks ) {
|
|
|
|
# Delete any existing symbolic links
|
|
|
|
foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
|
|
|
|
if (-l $_) {
|
|
|
|
print "unlink $_" if $verbose;
|
|
|
|
unlink $_ || warn "Can't unlink $_, $!\n";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
|
|
|
|
# Check to see if certificates and/or CRLs present.
|
|
|
|
my ($cert, $crl) = check_file($fname);
|
|
|
|
if (!$cert && !$crl) {
|
|
|
|
print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
|
|
|
|
next;
|
|
|
|
}
|
|
|
|
link_hash_cert($fname) if ($cert);
|
|
|
|
link_hash_crl($fname) if ($crl);
|
|
|
|
}
|
2000-05-18 08:33:00 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
sub check_file {
|
2021-08-29 08:59:09 +08:00
|
|
|
my ($is_cert, $is_crl) = (0,0);
|
|
|
|
my $fname = $_[0];
|
|
|
|
open IN, $fname;
|
|
|
|
while(<IN>) {
|
|
|
|
if (/^-----BEGIN (.*)-----/) {
|
|
|
|
my $hdr = $1;
|
|
|
|
if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
|
|
|
|
$is_cert = 1;
|
|
|
|
last if ($is_crl);
|
|
|
|
} elsif ($hdr eq "X509 CRL") {
|
|
|
|
$is_crl = 1;
|
|
|
|
last if ($is_cert);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
close IN;
|
|
|
|
return ($is_cert, $is_crl);
|
2000-05-18 08:33:00 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# Link a certificate to its subject name hash value, each hash is of
|
|
|
|
# the form <hash>.<n> where n is an integer. If the hash value already exists
|
|
|
|
# then we need to up the value of n, unless its a duplicate in which
|
|
|
|
# case we skip the link. We check for duplicates by comparing the
|
|
|
|
# certificate fingerprints
|
|
|
|
|
|
|
|
sub link_hash_cert {
|
2021-08-29 08:59:09 +08:00
|
|
|
my $fname = $_[0];
|
|
|
|
$fname =~ s/\"/\\\"/g;
|
|
|
|
my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
|
|
|
|
chomp $hash;
|
|
|
|
chomp $fprint;
|
|
|
|
$fprint =~ s/^.*=//;
|
|
|
|
$fprint =~ tr/://d;
|
|
|
|
my $suffix = 0;
|
|
|
|
# Search for an unused hash filename
|
|
|
|
while(exists $hashlist{"$hash.$suffix"}) {
|
|
|
|
# Hash matches: if fingerprint matches its a duplicate cert
|
|
|
|
if ($hashlist{"$hash.$suffix"} eq $fprint) {
|
|
|
|
print STDERR "WARNING: Skipping duplicate certificate $fname\n";
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
$suffix++;
|
|
|
|
}
|
|
|
|
$hash .= ".$suffix";
|
|
|
|
if ($symlink_exists) {
|
|
|
|
print "link $fname -> $hash\n" if $verbose;
|
|
|
|
symlink $fname, $hash || warn "Can't symlink, $!";
|
|
|
|
} else {
|
|
|
|
print "copy $fname -> $hash\n" if $verbose;
|
|
|
|
if (open($in, "<", $fname)) {
|
|
|
|
if (open($out,">", $hash)) {
|
|
|
|
print $out $_ while (<$in>);
|
|
|
|
close $out;
|
|
|
|
} else {
|
|
|
|
warn "can't open $hash for write, $!";
|
|
|
|
}
|
|
|
|
close $in;
|
|
|
|
} else {
|
|
|
|
warn "can't open $fname for read, $!";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
$hashlist{$hash} = $fprint;
|
2000-05-18 08:33:00 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
|
|
|
|
|
|
|
|
sub link_hash_crl {
|
2021-08-29 08:59:09 +08:00
|
|
|
my $fname = $_[0];
|
|
|
|
$fname =~ s/'/'\\''/g;
|
|
|
|
my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
|
|
|
|
chomp $hash;
|
|
|
|
chomp $fprint;
|
|
|
|
$fprint =~ s/^.*=//;
|
|
|
|
$fprint =~ tr/://d;
|
|
|
|
my $suffix = 0;
|
|
|
|
# Search for an unused hash filename
|
|
|
|
while(exists $hashlist{"$hash.r$suffix"}) {
|
|
|
|
# Hash matches: if fingerprint matches its a duplicate cert
|
|
|
|
if ($hashlist{"$hash.r$suffix"} eq $fprint) {
|
|
|
|
print STDERR "WARNING: Skipping duplicate CRL $fname\n";
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
$suffix++;
|
|
|
|
}
|
|
|
|
$hash .= ".r$suffix";
|
|
|
|
if ($symlink_exists) {
|
|
|
|
print "link $fname -> $hash\n" if $verbose;
|
|
|
|
symlink $fname, $hash || warn "Can't symlink, $!";
|
|
|
|
} else {
|
|
|
|
print "cp $fname -> $hash\n" if $verbose;
|
|
|
|
system ("cp", $fname, $hash);
|
|
|
|
warn "Can't copy, $!" if ($? >> 8) != 0;
|
|
|
|
}
|
|
|
|
$hashlist{$hash} = $fprint;
|
2000-05-18 08:33:00 +08:00
|
|
|
}
|