CFLAGS_ARMV8_CRC32C
CFLAGS_SSE42
LIBOBJS
+OPENSSL
ZSTD
LZ4
UUID_LIBS
fi
+if test -z "$OPENSSL"; then
+ for ac_prog in openssl
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_OPENSSL+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $OPENSSL in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_OPENSSL="$OPENSSL" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_OPENSSL="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+OPENSSL=$ac_cv_path_OPENSSL
+if test -n "$OPENSSL"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OPENSSL" >&5
+$as_echo "$OPENSSL" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$OPENSSL" && break
+done
+
+else
+ # Report the value of OPENSSL in configure's output in all cases.
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OPENSSL" >&5
+$as_echo_n "checking for OPENSSL... " >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OPENSSL" >&5
+$as_echo "$OPENSSL" >&6; }
+fi
+
if test "$with_ssl" = openssl ; then
ac_fn_c_check_header_mongrel "$LINENO" "openssl/ssl.h" "ac_cv_header_openssl_ssl_h" "$ac_includes_default"
if test "x$ac_cv_header_openssl_ssl_h" = xyes; then :
[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
fi
+PGAC_PATH_PROGS(OPENSSL, openssl)
if test "$with_ssl" = openssl ; then
AC_CHECK_HEADER(openssl/ssl.h, [], [AC_MSG_ERROR([header file <openssl/ssl.h> is required for OpenSSL])])
AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file <openssl/err.h> is required for OpenSSL])])
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>OPENSSL</varname></term>
+ <listitem><para>
+ Path to a <application>openssl</application> command. The default is
+ <literal>openssl</literal>, which will search for a command by that
+ name in the configured <envar>PATH</envar>.
+ </para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>TAR</varname></term>
<listitem><para>
gzip = find_program(get_option('GZIP'), native: true)
program_lz4 = find_program(get_option('LZ4'), native: true, required: false)
touch = find_program('touch', native: true)
+openssl = find_program(get_option('OPENSSL'), native: true, required: false)
program_zstd = find_program(get_option('ZSTD'), native: true, required: false)
dtrace = find_program(get_option('DTRACE'), native: true, required: get_option('dtrace'))
missing = find_program('config/missing', native: true)
option('LZ4', type : 'string', value: 'lz4',
description: 'path to lz4 binary')
+option('OPENSSL', type : 'string', value: 'openssl',
+ description: 'path to openssl binary')
+
option('PERL', type : 'string', value: 'perl',
description: 'path to perl binary')
MSGFMT = @MSGFMT@
MSGFMT_FLAGS = @MSGFMT_FLAGS@
MSGMERGE = @MSGMERGE@
+OPENSSL = @OPENSSL@
PYTHON = @PYTHON@
TAR = @TAR@
XGETTEXT = @XGETTEXT@
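Review bot: `OPENSSL = @OPENSSL@` can expand to the empty string, because the configure hunk assigns `OPENSSL=$ac_cv_path_OPENSSL` with no fallback when no openssl is found on PATH, whereas the recipes this commit rewrites previously hard-coded `openssl` and at least failed with "openssl: not found". With an empty variable a recipe such as `$(OPENSSL) req -new …` executes `req` as the program, which is a much less obvious failure in the ssl test makefiles. If an empty value is intended to mean "not available", a guard after the assignment would make that explicit, e.g. `ifeq ($(strip $(OPENSSL)),)` / `OPENSSL = openssl` / `endif`, or a comment `# OPENSSL is empty when configure found no openssl binary; ssl test targets then fail` so the behaviour is at least documented.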
include $(top_builddir)/src/Makefile.global
export with_ldap
+export OPENSSL
check:
$(prove_check)
'tests': [
't/001_auth.pl',
],
- 'env': {'with_ldap': ldap.found() ? 'yes' : 'no'},
+ 'env': {
+ 'with_ldap': ldap.found() ? 'yes' : 'no',
+ 'OPENSSL': openssl.path(),
+ },
},
}
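Review bot: `openssl.path()` is called unconditionally here, but the top-level `find_program(get_option('OPENSSL'), …, required: false)` in this commit allows openssl to be absent, and as far as I recall meson refuses to return the path of a not-found program, so configuring without openssl would fail even though these tests are skipped when ldap is unavailable. Guarding the lookup keeps the not-found case working: `'OPENSSL': openssl.found() ? openssl.path() : '',`. The sibling ssl_passphrase_callback meson.build already checks `openssl.found()` before using the program, so this would be consistent with it.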
mkdir $ldap_datadir or die;
mkdir $slapd_certs or die;
-system_or_bail "openssl", "req", "-new", "-nodes", "-keyout",
+my $openssl = $ENV{OPENSSL};
+
+system_or_bail $openssl, "req", "-new", "-nodes", "-keyout",
"$slapd_certs/ca.key", "-x509", "-out", "$slapd_certs/ca.crt", "-subj",
"/CN=CA";
-system_or_bail "openssl", "req", "-new", "-nodes", "-keyout",
+system_or_bail $openssl, "req", "-new", "-nodes", "-keyout",
"$slapd_certs/server.key", "-out", "$slapd_certs/server.csr", "-subj",
"/CN=server";
-system_or_bail "openssl", "x509", "-req", "-in", "$slapd_certs/server.csr",
+system_or_bail $openssl, "x509", "-req", "-in", "$slapd_certs/server.csr",
"-CA", "$slapd_certs/ca.crt", "-CAkey", "$slapd_certs/ca.key",
"-CAcreateserial", "-out", "$slapd_certs/server.crt";
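Review bot: `my $openssl = $ENV{OPENSSL};` has no fallback, so when the variable is unset or exported empty (configure leaves OPENSSL empty if no binary is found, and running the script directly under prove sets nothing) `system_or_bail` is handed an undef or empty program name and dies with an unhelpful message rather than "openssl: not found". A one-line default preserves the previous behaviour in that case: `my $openssl = $ENV{OPENSSL} || 'openssl';`. Passing the program to `system_or_bail` in list form, as the new lines do, is the right choice since it avoids shell interpretation of the path.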
.PHONY: ssl-files ssl-files-clean
ssl-files:
- openssl req -new -x509 -days 10000 -nodes -out server.crt \
+ $(OPENSSL) req -new -x509 -days 10000 -nodes -out server.crt \
-keyout server.ckey -subj "/CN=localhost"
- openssl rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
+ $(OPENSSL) rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
rm server.ckey
ssl-files-clean:
# Targets to generate or remove the ssl certificate and key. Need to be copied
# to the source afterwards. Normally not needed.
-openssl = find_program('openssl', native: true, required: false)
-
if openssl.found()
cert = custom_target('server.crt',
output: ['server.crt', 'server.ckey'],
top_builddir = ../../..
include $(top_builddir)/src/Makefile.global
-export with_ssl
+export OPENSSL with_ssl
# The sslfiles targets are separated into their own file due to interactions
# with settings in Makefile.global.
'sd': meson.current_source_dir(),
'bd': meson.current_build_dir(),
'tap': {
- 'env': {'with_ssl': get_option('ssl')},
+ 'env': {
+ 'with_ssl': get_option('ssl'),
+ 'OPENSSL': openssl.path(),
+ },
'tests': [
't/001_ssltests.pl',
't/002_scram.pl',
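Review bot: `openssl.path()` is evaluated unconditionally in the tap env, while the program it refers to is looked up with `required: false` at the top level in this same commit; if meson raises on `.path()` for a not-found program, as I believe it does, a build without openssl on PATH fails at configure time instead of just skipping the ssl tests. Suggest `'OPENSSL': openssl.found() ? openssl.path() : '',` so the env entry degrades to empty, matching the `openssl.found()` guard the ssl_passphrase_callback meson.build already uses. The tests list continues past the end of this hunk.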
# Root CA is self-signed.
ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
- openssl req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
+ $(OPENSSL) req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
#
# Special-case keys
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
- openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
+ $(OPENSSL) rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
- openssl rsa -in $< -outform DER -out $@
+ $(OPENSSL) rsa -in $< -outform DER -out $@
# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
# formats to test libpq's support for the sslpassword= option.
ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
+ $(OPENSSL) rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
# TODO Explicitly choosing -aes128 generates a key unusable to PostgreSQL with
# OpenSSL 3.0.0, so fall back on the default for now.
ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
+ $(OPENSSL) rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
#
# Combined files
#
$(STANDARD_KEYS):
- openssl genrsa -out $@ 2048
+ $(OPENSSL) genrsa -out $@ 2048
chmod 0600 $@
#
# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
.NOTPARALLEL:
$(CA_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
- openssl ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@
$(SERVER_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
- openssl ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
- openssl ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
# The CSRs don't need to persist after a build.
.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
ssl/%.csr: ssl/%.key conf/%.config
- openssl req -new -utf8 -key $< -out $@ -config conf/$*.config
+ $(OPENSSL) req -new -utf8 -key $< -out $@ -config conf/$*.config
#
# CA State
#
ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
- openssl ca -config conf/cas.config -name root_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name root_ca -gencrl -out $@
ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
- openssl ca -config conf/cas.config -name server_ca -revoke $<
- openssl ca -config conf/cas.config -name server_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name server_ca -revoke $<
+ $(OPENSSL) ca -config conf/cas.config -name server_ca -gencrl -out $@
ssl/client.crl: ssl/client-revoked.crt ssl/client-revoked-utf8.crt ssl/client_ca.crt | $(client_ca_state_files)
- openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
- openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
- openssl ca -config conf/cas.config -name client_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -gencrl -out $@
#
# CRL hash directories
ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
-crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+crlhashfile = $(shell $(OPENSSL) crl -hash -noout -in $(1)).r0
ssl/%-crldir:
mkdir -p $@
# pg_stat_ssl
-my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+my $serialno = `$ENV{OPENSSL} x509 -serial -noout -in ssl/client.crt`;
if ($? == 0)
{
# OpenSSL prints serial numbers in hexadecimal and converting the serial
{
# OpenSSL isn't functioning on the user's PATH. This probably isn't worth
# skipping the test over, so just fall back to a generic integer match.
- warn 'couldn\'t run `openssl x509` to get client cert serialno';
+ warn "couldn't run \"$ENV{OPENSSL} x509\" to get client cert serialno";
$serialno = '\d+';
}
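Review bot: The backtick command interpolates `$ENV{OPENSSL}` into a shell string without quoting, so a configured path containing spaces (common for Windows installs) is split into several words and the fallback branch is taken silently; quoting it, `` `"$ENV{OPENSSL}" x509 -serial -noout -in ssl/client.crt` ``, keeps the lookup working for such paths. The preceding comment still says "OpenSSL isn't functioning on the user's PATH", which is no longer accurate now that the binary comes from the OPENSSL variable; suggest rewording it to `# The configured OPENSSL binary isn't functioning. This probably isn't worth`. The replacement warn message correctly reports which program was attempted.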
{
set_single_env('GZIP_PROGRAM', 'gzip');
set_single_env('LZ4', 'lz4');
+ set_single_env('OPENSSL', 'openssl');
set_single_env('ZSTD', 'zstd');
}