From: Peter Eisentraut <peter@eisentraut.org>
Date: Thu, 20 Oct 2022 19:01:05 +0000 (+0200)
Subject: Make finding openssl program a configure or meson option
X-Git-Tag: REL_16_BETA1~1443
X-Git-Url: http://git.postgresql.org/gitweb/?a=commitdiff_plain;h=c8e4030d1bddc1120fd1c3f17db5b86a729df4b6;p=postgresql.git

Make finding openssl program a configure or meson option

Various test suites use the "openssl" program as part of their setup.
There isn't a way to override which openssl program is to be used,
other than by fiddling with the path, perhaps.  This has gotten
increasingly problematic because different versions of openssl have
different capabilities and do different things by default.

This patch checks for an openssl binary in configure and meson setup,
with appropriate ways to override it.  This is similar to how "lz4"
and "zstd" are handled, for example.  The meson build system actually
already did this, but the result was only used in some places.  This
is now applied more uniformly.

Reviewed-by: Michael Paquier <michael@paquier.xyz>
Discussion: https://www.postgresql.org/message-id/flat/dc638b75-a16a-007d-9e1c-d16ed6cf0ad2%40enterprisedb.com
---

diff --git a/configure b/configure
index 5ea790d6380..3966368b8d9 100755
--- a/configure
+++ b/configure
@@ -648,6 +648,7 @@ PG_CRC32C_OBJS
 CFLAGS_ARMV8_CRC32C
 CFLAGS_SSE42
 LIBOBJS
+OPENSSL
 ZSTD
 LZ4
 UUID_LIBS
@@ -14112,6 +14113,60 @@ done
 
 fi
 
+if test -z "$OPENSSL"; then
+  for ac_prog in openssl
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_OPENSSL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $OPENSSL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_OPENSSL="$OPENSSL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_OPENSSL="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+OPENSSL=$ac_cv_path_OPENSSL
+if test -n "$OPENSSL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OPENSSL" >&5
+$as_echo "$OPENSSL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$OPENSSL" && break
+done
+
+else
+  # Report the value of OPENSSL in configure's output in all cases.
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OPENSSL" >&5
+$as_echo_n "checking for OPENSSL... " >&6; }
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OPENSSL" >&5
+$as_echo "$OPENSSL" >&6; }
+fi
+
 if test "$with_ssl" = openssl ; then
   ac_fn_c_check_header_mongrel "$LINENO" "openssl/ssl.h" "ac_cv_header_openssl_ssl_h" "$ac_includes_default"
 if test "x$ac_cv_header_openssl_ssl_h" = xyes; then :
diff --git a/configure.ac b/configure.ac
index d80cdb5ca25..f76b7ee31fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1542,6 +1542,7 @@ if test "$with_gssapi" = yes ; then
 	[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
 fi
 
+PGAC_PATH_PROGS(OPENSSL, openssl)
 if test "$with_ssl" = openssl ; then
   AC_CHECK_HEADER(openssl/ssl.h, [], [AC_MSG_ERROR([header file <openssl/ssl.h> is required for OpenSSL])])
   AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file <openssl/err.h> is required for OpenSSL])])
diff --git a/doc/src/sgml/install-windows.sgml b/doc/src/sgml/install-windows.sgml
index 29d3294dc80..a1013d12807 100644
--- a/doc/src/sgml/install-windows.sgml
+++ b/doc/src/sgml/install-windows.sgml
@@ -541,6 +541,15 @@ $ENV{PROVE_TESTS}='t/020*.pl t/010*.pl'
      </para></listitem>
     </varlistentry>
 
+    <varlistentry>
+     <term><varname>OPENSSL</varname></term>
+     <listitem><para>
+      Path to a <application>openssl</application> command. The default is
+      <literal>openssl</literal>, which will search for a command by that
+      name in the configured <envar>PATH</envar>.
+     </para></listitem>
+    </varlistentry>
+
     <varlistentry>
      <term><varname>TAR</varname></term>
      <listitem><para>
diff --git a/meson.build b/meson.build
index 2d225f706d2..bfacbdc0af6 100644
--- a/meson.build
+++ b/meson.build
@@ -328,6 +328,7 @@ tar = find_program(get_option('TAR'), native: true)
 gzip = find_program(get_option('GZIP'), native: true)
 program_lz4 = find_program(get_option('LZ4'), native: true, required: false)
 touch = find_program('touch', native: true)
+openssl = find_program(get_option('OPENSSL'), native: true, required: false)
 program_zstd = find_program(get_option('ZSTD'), native: true, required: false)
 dtrace = find_program(get_option('DTRACE'), native: true, required: get_option('dtrace'))
 missing = find_program('config/missing', native: true)
diff --git a/meson_options.txt b/meson_options.txt
index b629cd8d689..c7ea57994dc 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -157,6 +157,9 @@ option('GZIP', type : 'string', value: 'gzip',
 option('LZ4', type : 'string', value: 'lz4',
   description: 'path to lz4 binary')
 
+option('OPENSSL', type : 'string', value: 'openssl',
+  description: 'path to openssl binary')
+
 option('PERL', type : 'string', value: 'perl',
   description: 'path to perl binary')
 
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 99889167e18..e96bedd4e7b 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -343,6 +343,7 @@ LN_S	= @LN_S@
 MSGFMT  = @MSGFMT@
 MSGFMT_FLAGS = @MSGFMT_FLAGS@
 MSGMERGE = @MSGMERGE@
+OPENSSL	= @OPENSSL@
 PYTHON	= @PYTHON@
 TAR	= @TAR@
 XGETTEXT = @XGETTEXT@
diff --git a/src/test/ldap/Makefile b/src/test/ldap/Makefile
index e5fa3d86104..b1e4a7be677 100644
--- a/src/test/ldap/Makefile
+++ b/src/test/ldap/Makefile
@@ -14,6 +14,7 @@ top_builddir = ../../..
 include $(top_builddir)/src/Makefile.global
 
 export with_ldap
+export OPENSSL
 
 check:
 	$(prove_check)
diff --git a/src/test/ldap/meson.build b/src/test/ldap/meson.build
index 2211bd5e3ec..020f6e7f087 100644
--- a/src/test/ldap/meson.build
+++ b/src/test/ldap/meson.build
@@ -6,6 +6,9 @@ tests += {
     'tests': [
       't/001_auth.pl',
     ],
-    'env': {'with_ldap': ldap.found() ? 'yes' : 'no'},
+    'env': {
+      'with_ldap': ldap.found() ? 'yes' : 'no',
+      'OPENSSL': openssl.path(),
+    },
   },
 }
diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index 2f064f69440..fd90832b755 100644
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -113,13 +113,15 @@ append_to_file(
 mkdir $ldap_datadir or die;
 mkdir $slapd_certs  or die;
 
-system_or_bail "openssl", "req", "-new", "-nodes", "-keyout",
+my $openssl = $ENV{OPENSSL};
+
+system_or_bail $openssl, "req", "-new", "-nodes", "-keyout",
   "$slapd_certs/ca.key", "-x509", "-out", "$slapd_certs/ca.crt", "-subj",
   "/CN=CA";
-system_or_bail "openssl", "req", "-new", "-nodes", "-keyout",
+system_or_bail $openssl, "req", "-new", "-nodes", "-keyout",
   "$slapd_certs/server.key", "-out", "$slapd_certs/server.csr", "-subj",
   "/CN=server";
-system_or_bail "openssl", "x509", "-req", "-in", "$slapd_certs/server.csr",
+system_or_bail $openssl, "x509", "-req", "-in", "$slapd_certs/server.csr",
   "-CA", "$slapd_certs/ca.crt", "-CAkey", "$slapd_certs/ca.key",
   "-CAcreateserial", "-out", "$slapd_certs/server.crt";
 
diff --git a/src/test/modules/ssl_passphrase_callback/Makefile b/src/test/modules/ssl_passphrase_callback/Makefile
index a34d7ea46a3..922f0ee0786 100644
--- a/src/test/modules/ssl_passphrase_callback/Makefile
+++ b/src/test/modules/ssl_passphrase_callback/Makefile
@@ -31,9 +31,9 @@ PASS = FooBaR1
 .PHONY: ssl-files ssl-files-clean
 
 ssl-files:
-	openssl req -new -x509 -days 10000 -nodes -out server.crt \
+	$(OPENSSL) req -new -x509 -days 10000 -nodes -out server.crt \
 		-keyout server.ckey -subj "/CN=localhost"
-	openssl rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
+	$(OPENSSL) rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
 	rm server.ckey
 
 ssl-files-clean:
diff --git a/src/test/modules/ssl_passphrase_callback/meson.build b/src/test/modules/ssl_passphrase_callback/meson.build
index a9eb4c564da..1c9f009af37 100644
--- a/src/test/modules/ssl_passphrase_callback/meson.build
+++ b/src/test/modules/ssl_passphrase_callback/meson.build
@@ -25,8 +25,6 @@ testprep_targets += ssl_passphrase_callback
 # Targets to generate or remove the ssl certificate and key. Need to be copied
 # to the source afterwards. Normally not needed.
 
-openssl = find_program('openssl', native: true, required: false)
-
 if openssl.found()
   cert = custom_target('server.crt',
     output: ['server.crt', 'server.ckey'],
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 12b02eb422b..2885c7c2693 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -15,7 +15,7 @@ subdir = src/test/ssl
 top_builddir = ../../..
 include $(top_builddir)/src/Makefile.global
 
-export with_ssl
+export OPENSSL with_ssl
 
 # The sslfiles targets are separated into their own file due to interactions
 # with settings in Makefile.global.
diff --git a/src/test/ssl/meson.build b/src/test/ssl/meson.build
index e2f021d884a..1e02bf9ed0c 100644
--- a/src/test/ssl/meson.build
+++ b/src/test/ssl/meson.build
@@ -3,7 +3,10 @@ tests += {
   'sd': meson.current_source_dir(),
   'bd': meson.current_build_dir(),
   'tap': {
-    'env': {'with_ssl': get_option('ssl')},
+    'env': {
+      'with_ssl': get_option('ssl'),
+      'OPENSSL': openssl.path(),
+    },
     'tests': [
       't/001_ssltests.pl',
       't/002_scram.pl',
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index a843a21d42e..54ada01d466 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -84,7 +84,7 @@ sslfiles: $(SSLFILES) $(SSLDIRS)
 
 # Root CA is self-signed.
 ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
-	openssl req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
+	$(OPENSSL) req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
 
 #
 # Special-case keys
@@ -94,20 +94,20 @@ ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
 
 # Password-protected version of server-cn-only.key
 ssl/server-password.key: ssl/server-cn-only.key
-	openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
+	$(OPENSSL) rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
 
 # DER-encoded version of client.key
 ssl/client-der.key: ssl/client.key
-	openssl rsa -in $< -outform DER -out $@
+	$(OPENSSL) rsa -in $< -outform DER -out $@
 
 # Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
 # formats to test libpq's support for the sslpassword= option.
 ssl/client-encrypted-pem.key: ssl/client.key
-	openssl rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
+	$(OPENSSL) rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
 # TODO Explicitly choosing -aes128 generates a key unusable to PostgreSQL with
 # OpenSSL 3.0.0, so fall back on the default for now.
 ssl/client-encrypted-der.key: ssl/client.key
-	openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
+	$(OPENSSL) rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
 
 #
 # Combined files
@@ -145,7 +145,7 @@ $(COMBINATIONS):
 #
 
 $(STANDARD_KEYS):
-	openssl genrsa -out $@ 2048
+	$(OPENSSL) genrsa -out $@ 2048
 	chmod 0600 $@
 
 #
@@ -165,18 +165,18 @@ client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ss
 # parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
 .NOTPARALLEL:
 $(CA_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
-	openssl ca -batch -config conf/cas.config -name root_ca   -notext -in $< -out $@
+	$(OPENSSL) ca -batch -config conf/cas.config -name root_ca   -notext -in $< -out $@
 
 $(SERVER_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
-	openssl ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
+	$(OPENSSL) ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
 
 $(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
-	openssl ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
+	$(OPENSSL) ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
 
 # The CSRs don't need to persist after a build.
 .INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
 ssl/%.csr: ssl/%.key conf/%.config
-	openssl req -new -utf8 -key $< -out $@ -config conf/$*.config
+	$(OPENSSL) req -new -utf8 -key $< -out $@ -config conf/$*.config
 
 #
 # CA State
@@ -210,16 +210,16 @@ ssl/%.srl:
 #
 
 ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
-	openssl ca -config conf/cas.config -name root_ca   -gencrl -out $@
+	$(OPENSSL) ca -config conf/cas.config -name root_ca   -gencrl -out $@
 
 ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
-	openssl ca -config conf/cas.config -name server_ca -revoke $<
-	openssl ca -config conf/cas.config -name server_ca -gencrl -out $@
+	$(OPENSSL) ca -config conf/cas.config -name server_ca -revoke $<
+	$(OPENSSL) ca -config conf/cas.config -name server_ca -gencrl -out $@
 
 ssl/client.crl: ssl/client-revoked.crt ssl/client-revoked-utf8.crt ssl/client_ca.crt | $(client_ca_state_files)
-	openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
-	openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
-	openssl ca -config conf/cas.config -name client_ca -gencrl -out $@
+	$(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
+	$(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
+	$(OPENSSL) ca -config conf/cas.config -name client_ca -gencrl -out $@
 
 #
 # CRL hash directories
@@ -230,7 +230,7 @@ ssl/root+client-crldir: ssl/client.crl ssl/root.crl
 ssl/server-crldir: ssl/server.crl
 ssl/client-crldir: ssl/client.crl
 
-crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+crlhashfile = $(shell $(OPENSSL) crl -hash -noout -in $(1)).r0
 
 ssl/%-crldir:
 	mkdir -p $@
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index efe5634fff2..fe42161a0fa 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -611,7 +611,7 @@ TODO:
 
 # pg_stat_ssl
 
-my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+my $serialno = `$ENV{OPENSSL} x509 -serial -noout -in ssl/client.crt`;
 if ($? == 0)
 {
 	# OpenSSL prints serial numbers in hexadecimal and converting the serial
@@ -633,7 +633,7 @@ else
 {
 	# OpenSSL isn't functioning on the user's PATH. This probably isn't worth
 	# skipping the test over, so just fall back to a generic integer match.
-	warn 'couldn\'t run `openssl x509` to get client cert serialno';
+	warn "couldn't run \"$ENV{OPENSSL} x509\" to get client cert serialno";
 	$serialno = '\d+';
 }
 
diff --git a/src/tools/msvc/vcregress.pl b/src/tools/msvc/vcregress.pl
index 5182721eb79..1d86cd650f9 100644
--- a/src/tools/msvc/vcregress.pl
+++ b/src/tools/msvc/vcregress.pl
@@ -146,6 +146,7 @@ sub set_command_env
 {
 	set_single_env('GZIP_PROGRAM', 'gzip');
 	set_single_env('LZ4',          'lz4');
+	set_single_env('OPENSSL',      'openssl');
 	set_single_env('ZSTD',         'zstd');
 }