Both now warn once if directory isn't writeable.
Both now warn on file-write errors (multiple times).
Update manpage to describe both program and script correctly.
Reviewed-by: Richard Levitte <levitte@openssl.org>
const char *filename;
char *buf;
const char *filename;
char *buf;
+ if (app_access(dirname, W_OK) < 0) {
+ BIO_printf(bio_err, "Skipping %s, can't write\n", dirname);
+ return 0;
+ }
buflen = strlen(dirname);
pathsep = (buflen && dirname[buflen - 1] == '/') ? "" : "/";
buflen += NAME_MAX + 2;
buflen = strlen(dirname);
pathsep = (buflen && dirname[buflen - 1] == '/') ? "" : "/";
buflen += NAME_MAX + 2;
=head1 DESCRIPTION
On some platforms, the OpenSSL B<rehash> command is available as
=head1 DESCRIPTION
On some platforms, the OpenSSL B<rehash> command is available as
-an external script called B<c_rehash>. They are functionally equivalent.
+an external script called B<c_rehash>. They are functionally equivalent,
+except for minor differences noted below.
B<rehash> scans directories and calculates a hash value of each
C<.pem>, C<.crt>, C<.cer>, or C<.crl>
B<rehash> scans directories and calculates a hash value of each
C<.pem>, C<.crt>, C<.cer>, or C<.crl>
but often B</usr/local/ssl/certs>) is processed.
In order for a directory to be processed, the user must have write
but often B</usr/local/ssl/certs>) is processed.
In order for a directory to be processed, the user must have write
-permissions on that directory, otherwise it will be skipped.
+permissions on that directory, otherwise an error will be generated.
+
The links created are of the form C<HHHHHHHH.D>, where each B<H>
is a hexadecimal character and B<D> is a single decimal digit.
When processing a directory, B<rehash> will first remove all links
The links created are of the form C<HHHHHHHH.D>, where each B<H>
is a hexadecimal character and B<D> is a single decimal digit.
When processing a directory, B<rehash> will first remove all links
-that have a name in that syntax. If you have links in that format
-used for other purposes, they will be removed.
+that have a name in that syntax, even if they are being used for some
+other purpose.
To skip the removal step, use the B<-n> flag.
Hashes for CRL's look similar except the letter B<r> appears after
the period, like this: C<HHHHHHHH.rD>.
To skip the removal step, use the B<-n> flag.
Hashes for CRL's look similar except the letter B<r> appears after
the period, like this: C<HHHHHHHH.rD>.
is found.
A warning will also be displayed if there are files that
is found.
A warning will also be displayed if there are files that
-cannot be parsed as either a certificate or a CRL.
+cannot be parsed as either a certificate or a CRL or if
+more than one such object appears in the file.
+
+=head2 Script Configuration
-The program uses the B<openssl> program to compute the hashes and
+The B<c_rehash> script
+uses the B<openssl> program to compute the hashes and
fingerprints. If not found in the user's B<PATH>, then set the
B<OPENSSL> environment variable to the full pathname.
Any program can be used, it will be invoked as follows for either
fingerprints. If not found in the user's B<PATH>, then set the
B<OPENSSL> environment variable to the full pathname.
Any program can be used, it will be invoked as follows for either
=item B<-old>
Use old-style hashing (MD5, as opposed to SHA-1) for generating
=item B<-old>
Use old-style hashing (MD5, as opposed to SHA-1) for generating
-links for releases before 1.0.0. Note that current versions will
-not use the old style.
+links to be used for releases before 1.0.0.
+Note that current versions will not use the old style.
my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':';
$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : "");
my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':';
$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : "");
my $found = 0;
foreach (split /$path_delim/, $ENV{PATH}) {
my $found = 0;
foreach (split /$path_delim/, $ENV{PATH}) {
+ if (-x "$_/$openssl") {
$found = 1;
$openssl = "$_/$openssl";
last;
}
}
$found = 1;
$openssl = "$_/$openssl";
last;
}
}
print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
exit 0;
}
}
print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
exit 0;
}
}
-} elsif($ENV{SSL_CERT_DIR}) {
+} elsif ($ENV{SSL_CERT_DIR}) {
@dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
} else {
$dirlist[0] = "$dir/certs";
@dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
} else {
$dirlist[0] = "$dir/certs";
+ if (-d $_ ) {
+ if ( -w $_) {
+ } else {
+ print "Skipping $_, can't write\n";
+ }
if ( $removelinks ) {
# Delete any existing symbolic links
foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
if ( $removelinks ) {
# Delete any existing symbolic links
foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
- if(-l $_) {
- unlink $_;
print "unlink $_" if $verbose;
print "unlink $_" if $verbose;
+ unlink $_ || warn "Can't unlink $_, $!\n";
}
}
}
FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
# Check to see if certificates and/or CRLs present.
my ($cert, $crl) = check_file($fname);
}
}
}
FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
# Check to see if certificates and/or CRLs present.
my ($cert, $crl) = check_file($fname);
print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
next;
}
print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
next;
}
- link_hash_cert($fname) if($cert);
- link_hash_crl($fname) if($crl);
+ link_hash_cert($fname) if ($cert);
+ link_hash_crl($fname) if ($crl);
my $fname = $_[0];
open IN, $fname;
while(<IN>) {
my $fname = $_[0];
open IN, $fname;
while(<IN>) {
- if(/^-----BEGIN (.*)-----/) {
+ if (/^-----BEGIN (.*)-----/) {
- if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
- last if($is_crl);
- } elsif($hdr eq "X509 CRL") {
+ last if ($is_crl);
+ } elsif ($hdr eq "X509 CRL") {
# Search for an unused hash filename
while(exists $hashlist{"$hash.$suffix"}) {
# Hash matches: if fingerprint matches its a duplicate cert
# Search for an unused hash filename
while(exists $hashlist{"$hash.$suffix"}) {
# Hash matches: if fingerprint matches its a duplicate cert
- if($hashlist{"$hash.$suffix"} eq $fprint) {
+ if ($hashlist{"$hash.$suffix"} eq $fprint) {
print STDERR "WARNING: Skipping duplicate certificate $fname\n";
return;
}
print STDERR "WARNING: Skipping duplicate certificate $fname\n";
return;
}
}
$hash .= ".$suffix";
if ($symlink_exists) {
}
$hash .= ".$suffix";
if ($symlink_exists) {
print "link $fname -> $hash\n" if $verbose;
print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
- open IN,"<$fname" or die "can't open $fname for read";
- open OUT,">$hash" or die "can't open $hash for write";
- print OUT <IN>; # does the job for small text files
- close OUT;
- close IN;
print "copy $fname -> $hash\n" if $verbose;
print "copy $fname -> $hash\n" if $verbose;
+ if (open($in, "<", $fname)) {
+ if (open($out,">", $hash)) {
+ print $out $_ while (<$in>);
+ close $out;
+ } else {
+ warn "can't open $hash for write, $!";
+ }
+ close $in;
+ } else {
+ warn "can't open $fname for read, $!";
+ }
}
$hashlist{$hash} = $fprint;
}
}
$hashlist{$hash} = $fprint;
}
# Search for an unused hash filename
while(exists $hashlist{"$hash.r$suffix"}) {
# Hash matches: if fingerprint matches its a duplicate cert
# Search for an unused hash filename
while(exists $hashlist{"$hash.r$suffix"}) {
# Hash matches: if fingerprint matches its a duplicate cert
- if($hashlist{"$hash.r$suffix"} eq $fprint) {
+ if ($hashlist{"$hash.r$suffix"} eq $fprint) {
print STDERR "WARNING: Skipping duplicate CRL $fname\n";
return;
}
print STDERR "WARNING: Skipping duplicate CRL $fname\n";
return;
}
}
$hash .= ".r$suffix";
if ($symlink_exists) {
}
$hash .= ".r$suffix";
if ($symlink_exists) {
print "link $fname -> $hash\n" if $verbose;
print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
- system ("cp", $fname, $hash);
print "cp $fname -> $hash\n" if $verbose;
print "cp $fname -> $hash\n" if $verbose;
+ system ("cp", $fname, $hash);
+ warn "Can't copy, $!" if ($? >> 8) != 0;
}
$hashlist{$hash} = $fprint;
}
}
$hashlist{$hash} = $fprint;
}
projects / openssl.git / commitdiff