Greetings,
I have identified several problems in the way OpenSSL 1.0.0's c_rehash works.
This breaks on any nonstandard configuration, in that:
- c_rehash POSTFIXES $dir/bin to the PATH, when it should prefix it. ($dir
inherits $openssldir from Configure)
- c_rehash should use $prefix/bin, not $openssldir/bin (comment ditto)
This causes several issues:
- If THE RIGHT VERSION OF openssl isn't already in PATH
or unless openssl is (uncommon!) overridden to $prefix/bin, c_rehash will be
unable to identify the proper openssl executable and abort.
- If multiple versions of OpenSSL are installed in parallel, for instance,
0.9.8X under /usr and OpenSSL 1.0.0 under /opt/openssl-1.0.0, c_rehash will
grab the wrong version of openssl and thus the wrong hash algorithm, making
OpenSSL unable to find its certificates.
This has already caused bogus bug reports:
<https://developer.berlios.de/bugs/?func=detailbug&bug_id=17073&group_id=1824>
The attached patch fixes these OpenSSL issues:
- It adds a line "my $prefix;" to tools/c_rehash.in
- It uses the line to derive the path component
- It PREPENDS this to the existing path
- It AVOIDS adding a path separator if $ENV{PATH} happens to be empty
- It teaches Configure to replace my $prefix as it regenerates c_rehash from
the .in file.
The patch applies to OpenSSL 1.0.0 on - I guess - all platforms, and possibly
earlier versions too. Please check earlier versions and adopt where needed.
Thank you.
--
Matthias Andree
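
The lookup-order problem described in the message above, as an added example that is not part of the original message or of OpenSSL. Two stub `openssl` scripts in temporary directories (constructed stand-ins for /usr/bin and /opt/openssl-1.0.0/bin) show which one a PATH search finds when the directory is appended versus prepended; all function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: stub "openssl" scripts stand in for a system install and
# a parallel install under a custom prefix. Nothing here is OpenSSL code.

demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
sys_bin="$demo_root/usr/bin"                 # stand-in for /usr/bin (0.9.8)
new_bin="$demo_root/opt/openssl-1.0.0/bin"   # stand-in for $prefix/bin (1.0.0)
mkdir -p "$sys_bin" "$new_bin"

make_stub() {  # make_stub <dir> <version string>
    printf '#!/bin/sh\necho "%s"\n' "$2" > "$1/openssl"
    chmod +x "$1/openssl"
}
make_stub "$sys_bin" "OpenSSL 0.9.8 (stub)"
make_stub "$new_bin" "OpenSSL 1.0.0 (stub)"

# Old c_rehash behaviour: $ENV{PATH} .= "$path_delim$dir/bin"
# With an empty inherited PATH this yields a leading ':' (an empty PATH
# entry, which POSIX shells treat as the current directory).
appended_path() { printf '%s' "$1:$2"; }

# Patched behaviour: prepend, and emit no delimiter when PATH is empty.
prepended_path() { printf '%s' "$2${1:+:$1}"; }

# Which openssl does a search of the given PATH find?
resolve() { ( PATH=$1; command -v openssl ); }

resolve_appended()  { resolve "$(appended_path "$1" "$2")"; }
resolve_prepended() { resolve "$(prepended_path "$1" "$2")"; }

echo "appended : $(resolve_appended "$sys_bin" "$new_bin")"
echo "prepended: $(resolve_prepended "$sys_bin" "$new_bin")"
echo "empty PATH, appended : '$(appended_path "" "$new_bin")'"
echo "empty PATH, prepended: '$(prepended_path "" "$new_bin")'"
```
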
diff -up ./Configure.orig ./Configure
--- ./Configure.orig 2010-01-19 22:40:54.000000000 +0100
+++ ./Configure 2010-04-12 18:24:47.000000000 +0200
@@ -1789,11 +1789,11 @@ EOF
(system $make_command.$make_targets) == 0 or exit $?
if $make_targets ne "";
if ( $perl =~ m...@^/@) {
- &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my
$dir = "' . $openssldir . '";');
+ &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my
$dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix .
'";');
&dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
} else {
# No path for Perl known ...
- &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my
\$dir;$', 'my $dir = "' . $openssldir . '";');
+ &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my
\$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix =
"' . $prefix . '";');
&dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
}
if ($depflags ne $default_depflags && !$make_depend) {
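Review bot: In both added dofile() calls, $prefix is spliced into a double-quoted Perl literal ('my $prefix = "' . $prefix . '";') with no escaping, so a prefix containing a backslash, $, @ or " (a Windows-style path, for example) will be reinterpreted or will break the generated tools/c_rehash. The existing $dir substitution on the same lines has the same weakness; consider emitting a single-quoted literal with ' and \ escaped for both. The pattern/replacement list is also repeated verbatim in the two branches; building it once and passing it to both calls would keep them from drifting apart.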
diff -up ./tools/c_rehash.in.orig ./tools/c_rehash.in
--- ./tools/c_rehash.in.orig 2009-04-22 18:50:42.000000000 +0200
+++ ./tools/c_rehash.in 2010-04-12 18:23:39.000000000 +0200
@@ -7,6 +7,7 @@
my $openssl;
my $dir;
+my $prefix;
if(defined $ENV{OPENSSL}) {
$openssl = $ENV{OPENSSL};
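Review bot: The new "my $prefix;" declaration carries no comment saying that Configure rewrites it, and the Configure pattern '^my \$prefix;$' matches the line only exactly as written, so a later edit to it (an initializer, a trailing comment, different whitespace) would silently leave $prefix undefined in the generated script. Add a comment on the line above stating that this line is a Configure substitution target and must stay verbatim; the same applies to "my $dir;".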
@@ -24,7 +25,7 @@ if (defined(&Cwd::getcwd)) {
}
my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix
delimiter?
-$ENV{PATH} .= "$path_delim$dir/bin";
+$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); #
prefix our path
if(! -x $openssl) {
my $found = 0;
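Review bot: On the rewritten $ENV{PATH} line, $prefix is used without checking that it was set; if the Configure substitution did not take place, the script puts "/bin" at the front of PATH instead of failing visibly. Prepend only when $prefix is defined and non-empty. The empty-PATH check would also be more exact as a defined-and-length test than as a truthiness test on $ENV{PATH}. Finally, "$dir/bin" is no longer searched at all; if installs that place openssl under $openssldir/bin must keep working, keep it appended as a fallback after the inherited PATH.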