b9c3486428
Add a patch [1] to silence warnings from OpenSSL v3.2.0-v3.2.1 for reading from stdin without using -in [2,3]. This will be fixed by upstream OpenSSL v3.2.2 and v3.3.0 as well [4]. [1] https://git.build2.org/cgit/bpkg/commit/?id=40bb034f57cf37c1cbdcef337733507c230c6004 [2] https://github.com/build2/build2/issues/353 [3] https://github.com/build2/build2/issues/379 [4] https://github.com/openssl/openssl/pull/23526
228 lines
7.6 KiB
Diff
228 lines
7.6 KiB
Diff
From 40bb034f57cf37c1cbdcef337733507c230c6004 Mon Sep 17 00:00:00 2001
|
|
From: Karen Arutyunov <karen@codesynthesis.com>
|
|
Date: Tue, 23 Apr 2024 12:25:33 +0300
|
|
Subject: Suppress the 'reading certificate from stdin' openssl warning on
|
|
POSIX systems in bpkg-fetch
|
|
|
|
---
|
|
bpkg/auth.cxx | 137 ++++++++++++++++++++++++++++++++++++++--------------------
|
|
1 file changed, 89 insertions(+), 48 deletions(-)
|
|
|
|
diff --git a/bpkg/auth.cxx b/bpkg/auth.cxx
|
|
index 663054d..191da0a 100644
|
|
--- a/bpkg/auth.cxx
|
|
+++ b/bpkg/auth.cxx
|
|
@@ -23,15 +23,15 @@ using namespace butl;
|
|
|
|
namespace bpkg
|
|
{
|
|
- static const string openssl_version ("version");
|
|
- static const string openssl_pkeyutl ("pkeyutl");
|
|
- static const string openssl_rsautl ("rsautl");
|
|
- static const string openssl_x509 ("x509");
|
|
-
|
|
- const char* openssl_commands[5] = {openssl_version.c_str (),
|
|
- openssl_pkeyutl.c_str (),
|
|
- openssl_rsautl.c_str (),
|
|
- openssl_x509.c_str (),
|
|
+ static const string openssl_version_cmd ("version");
|
|
+ static const string openssl_pkeyutl_cmd ("pkeyutl");
|
|
+ static const string openssl_rsautl_cmd ("rsautl");
|
|
+ static const string openssl_x509_cmd ("x509");
|
|
+
|
|
+ const char* openssl_commands[5] = {openssl_version_cmd.c_str (),
|
|
+ openssl_pkeyutl_cmd.c_str (),
|
|
+ openssl_rsautl_cmd.c_str (),
|
|
+ openssl_x509_cmd.c_str (),
|
|
nullptr};
|
|
|
|
// Print process command line.
|
|
@@ -43,9 +43,42 @@ namespace bpkg
|
|
print_process (args, n);
|
|
}
|
|
|
|
+ // Query the openssl information and return the openssl version. Cache the
|
|
+ // version on the first function call. Fail on the underlying process and IO
|
|
+ // error. Return the 0.0.0 version if unable to parse the openssl stdout.
|
|
+ //
|
|
+ static optional<semantic_version> openssl_ver;
|
|
+
|
|
+ static const semantic_version&
|
|
+ openssl_version (const common_options& co)
|
|
+ {
|
|
+ const path& openssl_path (co.openssl ()[openssl_version_cmd]);
|
|
+
|
|
+ if (!openssl_ver)
|
|
+ try
|
|
+ {
|
|
+ optional<openssl_info> oi (
|
|
+ openssl::info (print_command, 2, openssl_path));
|
|
+
|
|
+ openssl_ver = (oi && oi->name == "OpenSSL"
|
|
+ ? move (oi->version)
|
|
+ : semantic_version ());
|
|
+ }
|
|
+ catch (const process_error& e)
|
|
+ {
|
|
+ fail << "unable to execute " << openssl_path << ": " << e << endf;
|
|
+ }
|
|
+ catch (const io_error& e)
|
|
+ {
|
|
+ fail << "unable to read '" << openssl_path << "' output: " << e
|
|
+ << endf;
|
|
+ }
|
|
+
|
|
+ return *openssl_ver;
|
|
+ }
|
|
+
|
|
// Return true if the openssl version is greater or equal to 3.0.0 and so
|
|
- // pkeyutl needs to be used instead of rsautl. Cache the result on the first
|
|
- // function call.
|
|
+ // pkeyutl needs to be used instead of rsautl.
|
|
//
|
|
// Note that openssl 3.0.0 deprecates rsautl in favor of pkeyutl.
|
|
//
|
|
@@ -54,37 +87,28 @@ namespace bpkg
|
|
// (see the 'pkeyutl -verifyrecover error "input data too long to be a
|
|
// hash"' issue report for details).
|
|
//
|
|
- static optional<bool> use_pkeyutl;
|
|
-
|
|
- static bool
|
|
+ static inline bool
|
|
use_openssl_pkeyutl (const common_options& co)
|
|
{
|
|
- if (!use_pkeyutl)
|
|
- {
|
|
- const path& openssl_path (co.openssl ()[openssl_version]);
|
|
-
|
|
- try
|
|
- {
|
|
- optional<openssl_info> oi (
|
|
- openssl::info (print_command, 2, openssl_path));
|
|
-
|
|
- use_pkeyutl = oi &&
|
|
- oi->name == "OpenSSL" &&
|
|
- oi->version >= semantic_version {3, 0, 0};
|
|
- }
|
|
- catch (const process_error& e)
|
|
- {
|
|
- fail << "unable to execute " << openssl_path << ": " << e << endf;
|
|
- }
|
|
- catch (const io_error& e)
|
|
- {
|
|
- fail << "unable to read '" << openssl_path << "' output: " << e
|
|
- << endf;
|
|
- }
|
|
- }
|
|
+ return openssl_version (co) >= semantic_version {3, 0, 0};
|
|
+ }
|
|
|
|
- return *use_pkeyutl;
|
|
+ // Return true if some openssl commands (openssl x509 -fingerprint, etc) may
|
|
+ // issue the 'Reading certificate from stdin since no -in or -new option is
|
|
+ // given' warning. This is the case for the openssl version in the [3.2.0
|
|
+ // 3.3.0) range (see GH issue #353 for details).
|
|
+ //
|
|
+ // Note that there is no easy way to suppress this warning on Windows and
|
|
+ // thus we don't define this function there.
|
|
+ //
|
|
+#ifndef _WIN32
|
|
+ static inline bool
|
|
+ openssl_warn_stdin (const common_options& co)
|
|
+ {
|
|
+ const semantic_version& v (openssl_version (co));
|
|
+ return v >= semantic_version {3, 2, 0} && v < semantic_version {3, 3, 0};
|
|
}
|
|
+#endif
|
|
|
|
// Find the repository location prefix that ends with the version component.
|
|
// We consider all repositories under this location to be related.
|
|
@@ -190,15 +214,25 @@ namespace bpkg
|
|
dr << ": " << *e;
|
|
};
|
|
|
|
- const path& openssl_path (co.openssl ()[openssl_x509]);
|
|
- const strings& openssl_opts (co.openssl_option ()[openssl_x509]);
|
|
+ const path& openssl_path (co.openssl ()[openssl_x509_cmd]);
|
|
+ const strings& openssl_opts (co.openssl_option ()[openssl_x509_cmd]);
|
|
|
|
try
|
|
{
|
|
openssl os (print_command,
|
|
fdstream_mode::text, fdstream_mode::text, 2,
|
|
- openssl_path, openssl_x509,
|
|
- openssl_opts, "-sha256", "-noout", "-fingerprint");
|
|
+ openssl_path, openssl_x509_cmd,
|
|
+ openssl_opts,
|
|
+ "-sha256",
|
|
+ "-noout",
|
|
+ "-fingerprint"
|
|
+#ifndef _WIN32
|
|
+ ,
|
|
+ (openssl_warn_stdin (co)
|
|
+ ? cstrings ({"-in", "/dev/stdin"})
|
|
+ : cstrings ())
|
|
+#endif
|
|
+ );
|
|
|
|
os.out << pem;
|
|
os.out.close ();
|
|
@@ -288,8 +322,8 @@ namespace bpkg
|
|
dr << ": " << *e;
|
|
};
|
|
|
|
- const path& openssl_path (co.openssl ()[openssl_x509]);
|
|
- const strings& openssl_opts (co.openssl_option ()[openssl_x509]);
|
|
+ const path& openssl_path (co.openssl ()[openssl_x509_cmd]);
|
|
+ const strings& openssl_opts (co.openssl_option ()[openssl_x509_cmd]);
|
|
|
|
try
|
|
{
|
|
@@ -315,7 +349,7 @@ namespace bpkg
|
|
openssl os (
|
|
print_command,
|
|
fdstream_mode::text, fdstream_mode::text, 2,
|
|
- openssl_path, openssl_x509,
|
|
+ openssl_path, openssl_x509_cmd,
|
|
openssl_opts, "-noout", "-subject", "-dates", "-email",
|
|
|
|
// Previously we have used "RFC2253,sep_multiline" format to display
|
|
@@ -347,6 +381,13 @@ namespace bpkg
|
|
// sep_multiline - display field per line.
|
|
//
|
|
"-nameopt", "utf8,esc_ctrl,dump_nostr,dump_der,sname,sep_multiline"
|
|
+
|
|
+#ifndef _WIN32
|
|
+ ,
|
|
+ (openssl_warn_stdin (co)
|
|
+ ? cstrings ({"-in", "/dev/stdin"})
|
|
+ : cstrings ())
|
|
+#endif
|
|
);
|
|
|
|
// We unset failbit to provide the detailed error description (which
|
|
@@ -877,7 +918,7 @@ namespace bpkg
|
|
};
|
|
|
|
bool ku (use_openssl_pkeyutl (co));
|
|
- const string& cmd (ku ? openssl_pkeyutl : openssl_rsautl);
|
|
+ const string& cmd (ku ? openssl_pkeyutl_cmd : openssl_rsautl_cmd);
|
|
|
|
const path& openssl_path (co.openssl ()[cmd]);
|
|
const strings& openssl_opts (co.openssl_option ()[cmd]);
|
|
@@ -973,8 +1014,8 @@ namespace bpkg
|
|
};
|
|
|
|
const string& cmd (use_openssl_pkeyutl (co)
|
|
- ? openssl_pkeyutl
|
|
- : openssl_rsautl);
|
|
+ ? openssl_pkeyutl_cmd
|
|
+ : openssl_rsautl_cmd);
|
|
|
|
const path& openssl_path (co.openssl ()[cmd]);
|
|
const strings& openssl_opts (co.openssl_option ()[cmd]);
|
|
--
|
|
cgit v1.1
|
|
|