Commit ff2f6bb0 authored by Rich Salz, committed by Rich Salz

Fix rehash/c_rehash doc and behavior.



Both now warn once if directory isn't writeable.
Both now warn on file-write errors (multiple times).
Update manpage to describe both program and script correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
parent 8c82de99
+4 −0
@@ -313,6 +313,10 @@ static int do_dir(const char *dirname, enum Hash h)
    const char *filename;
    char *buf;

    if (app_access(dirname, W_OK) < 0) {
        BIO_printf(bio_err, "Skipping %s, can't write\n", dirname);
        return 0;
    }
    buflen = strlen(dirname);
    pathsep = (buflen && dirname[buflen - 1] == '/') ? "" : "/";
    buflen += NAME_MAX + 2;
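Review bot: The new `app_access(dirname, W_OK)` branch prints "Skipping %s, can't write" and then returns 0, so an unwritable directory is reported only on stderr and never changes the exit status; if callers (scripts, package post-install hooks) should notice the skipped directory, return a non-zero value or at least make the wording match the manpage hunk in this same commit, which says "an error will be generated" rather than "skipped". Also note that an access(2)-style pre-check only reflects permissions at that instant; the later link creation can still fail, so the per-file write errors the commit message promises remain the authoritative signal.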
+14 −8
@@ -23,7 +23,8 @@ I<flags...>
=head1 DESCRIPTION

On some platforms, the OpenSSL B<rehash> command is available as
an external script called B<c_rehash>.  They are functionally equivalent.
an external script called B<c_rehash>.  They are functionally equivalent,
except for minor differences noted below.

B<rehash> scans directories and calculates a hash value of each
C<.pem>, C<.crt>, C<.cer>, or C<.crl>
@@ -41,12 +42,13 @@ If that is not set then the default directory (installation-specific
but often B</usr/local/ssl/certs>) is processed.

In order for a directory to be processed, the user must have write
permissions on that directory, otherwise it will be skipped.
permissions on that directory, otherwise an error will be generated.

The links created are of the form C<HHHHHHHH.D>, where each B<H>
is a hexadecimal character and B<D> is a single decimal digit.
When processing a directory, B<rehash> will first remove all links
that have a name in that syntax. If you have links in that format
used for other purposes, they will be removed.
that have a name in that syntax, even if they are being used for some
other purpose.
To skip the removal step, use the B<-n> flag.
Hashes for CRL's look similar except the letter B<r> appears after
the period, like this: C<HHHHHHHH.rD>.
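Review bot: The rewritten sentence "otherwise an error will be generated" does not match either implementation in this commit: the C code prints "Skipping ..., can't write" and returns 0, and the script prints "Skipping $_, can't write" and moves on. Say what actually happens, e.g. "otherwise a warning is printed and the directory is skipped", so users do not expect a failing exit status. Minor: "CRL's" should be "CRLs" (plural, not possessive).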
@@ -57,9 +59,13 @@ full SHA-1 fingerprint. A warning will be displayed if a duplicate
is found.

A warning will also be displayed if there are files that
cannot be parsed as either a certificate or a CRL.
cannot be parsed as either a certificate or a CRL or if
more than one such object appears in the file.

=head2 Script Configuration

The program uses the B<openssl> program to compute the hashes and
The B<c_rehash> script
uses the B<openssl> program to compute the hashes and
fingerprints. If not found in the user's B<PATH>, then set the
B<OPENSSL> environment variable to the full pathname.
Any program can be used, it will be invoked as follows for either
@@ -79,8 +85,8 @@ optionally prefixed with some text and an equals sign.
=item B<-old>

Use old-style hashing (MD5, as opposed to SHA-1) for generating
links for releases before 1.0.0.  Note that current versions will
not use the old style.
links to be used for releases before 1.0.0.
Note that current versions will not use the old style.

=item B<-h>

+37 −27
@@ -84,8 +84,12 @@ if (-d $dirlist[0]) {
}

foreach (@dirlist) {
	if(-d $_ and -w $_) {
	if (-d $_ ) {
            if ( -w $_) {
		hash_dir($_);
            } else {
                print "Skipping $_, can't write\n";
            }
	}
}
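Review bot: The replacement lines `if (-d $_ ) {` / `if ( -w $_) {` / `print "Skipping $_, can't write\n";` are indented with spaces while the surrounding block (`hash_dir($_);`, the closing braces) uses tabs, which will show as misaligned nesting in most editors; re-indent the new lines with tabs to match the file. Also, `-w` on a directory only checks the mode bits as seen by the effective uid; a directory on a read-only mount or with restrictive ACLs still passes, so the per-file warnings added later in this patch remain necessary.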

@@ -100,8 +104,8 @@ sub hash_dir {
		# Delete any existing symbolic links
		foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
			if (-l $_) {
				unlink $_;
				print "unlink $_" if $verbose;
				unlink $_ || warn "Can't unlink $_, $!\n";
			}
		}
	}
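Review bot: `unlink $_ || warn "Can't unlink $_, $!\n";` has a precedence problem: `||` binds tighter than the list operator's argument, so Perl parses it as `unlink($_ || warn ...)`. Since `$_` is a non-empty filename it is always true, `warn` never runs, and a failed unlink is silently ignored, which defeats the purpose of this hunk. Use the low-precedence form `unlink $_ or warn "Can't unlink $_, $!\n";` or parenthesize `unlink($_)`. Separately, the removed `print "unlink $_" if $verbose;` means the verbose mode no longer reports deletions; if that was unintended, keep the print line alongside the new warning.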
@@ -164,15 +168,21 @@ sub link_hash_cert {
		}
		$hash .= ".$suffix";
		if ($symlink_exists) {
			symlink $fname, $hash;
			print "link $fname -> $hash\n" if $verbose;
			symlink $fname, $hash || warn "Can't symlink, $!";
		} else {
			open IN,"<$fname" or die "can't open $fname for read";
			open OUT,">$hash" or die "can't open $hash for write";
			print OUT <IN>;	# does the job for small text files
			close OUT;
			close IN;
			print "copy $fname -> $hash\n" if $verbose;
                        if (open($in, "<", $fname)) {
                            if (open($out,">", $hash)) {
                                print $out $_ while (<$in>);
                                close $out;
                            } else {
                                warn "can't open $hash for write, $!";
                            }
                            close $in;
                        } else {
                            warn "can't open $fname for read, $!";
                        }
		}
		$hashlist{$hash} = $fprint;
}
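Review bot: Same precedence bug as in hash_dir: `symlink $fname, $hash || warn "Can't symlink, $!";` parses as `symlink($fname, ($hash || warn ...))`, so the warning can never fire and a failed symlink goes unreported; write `symlink $fname, $hash or warn "Can't symlink, $!";`. In the copy branch, `$in` and `$out` are introduced without `my`, which will fail if the script runs under `use strict` (not visible in this hunk, so please check); also the verbose `copy $fname -> $hash` / `link ...` messages were dropped. Finally, when the `open($out, ">", $hash)` fails the code still falls through to `$hashlist{$hash} = $fprint;`, so a hash whose file was never written is recorded as present; skip the assignment on failure or the duplicate-detection output becomes misleading.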
@@ -199,12 +209,12 @@ sub link_hash_crl {
		}
		$hash .= ".r$suffix";
		if ($symlink_exists) {
			symlink $fname, $hash;
			print "link $fname -> $hash\n" if $verbose;
			symlink $fname, $hash || warn "Can't symlink, $!";
		} else {
			system ("cp", $fname, $hash);
			print "cp $fname -> $hash\n" if $verbose;
			system ("cp", $fname, $hash);
                        warn "Can't copy, $!" if ($? >> 8) != 0;
		}
		$hashlist{$hash} = $fprint;
}
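Review bot: `symlink $fname, $hash || warn "Can't symlink, $!";` has the same precedence issue as in link_hash_cert and needs `or` instead of `||`. In the copy branch, `warn "Can't copy, $!" if ($? >> 8) != 0;` reports `$!`, but after `system` returns a non-zero exit status `$!` is not set by the child (cp's error went to its own stderr), so the message will carry a stale or empty errno; report the exit status (`$? >> 8`) instead, and treat `$? == -1` (cp could not be started) separately. It would also be worth aligning this branch with link_hash_cert, which now copies in Perl and warns on open failure, rather than keeping two different copy strategies for certificates and CRLs. As above, the verbose `cp $fname -> $hash` and `link ...` lines were removed.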