From: Nick Porter
Date: Mon, 6 Jun 2022 16:39:51 +0000 (+0100)
Subject: Amend building of test certs to avoid `openssl ca` race condition (#4548)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b4b5f6c8987dd7701e622d2e6a8ccea338d42d4d;p=thirdparty%2Ffreeradius-server.git
Amend building of test certs to avoid `openssl ca` race condition (#4548)
* Amend building of test certs to avoid `openssl ca` race condition
* Ensure vrfy targets have all their dependencies
---
diff --git a/raddb/all.mk b/raddb/all.mk
index b281ffc7543..0c722c8fc50 100644
--- a/raddb/all.mk
+++ b/raddb/all.mk
@@ -41,8 +41,6 @@ LOCAL_CERT_FILES := dh \
 ecc/server.key \
 ecc/server.pem
-GENERATED_CERT_FILES := $(addprefix ${top_srcdir}/raddb/certs/,$(LOCAL_CERT_FILES))
-
 INSTALL_CERT_PRODUCTS := $(addprefix $(R)$(raddbdir)/certs/,$(INSTALL_CERT_FILES))
 ifeq ("$(TEST_CERTS)","yes")
@@ -140,22 +138,6 @@ endif
 ifeq ("$(PACKAGE)","")
 #
 # Always create the test certs for normal development.
-#
-build.raddb: $(GENERATED_CERT_FILES)
-
-
-.PHONY: ${top_srcdir}/raddb/certs/rsa
-${top_srcdir}/raddb/certs/rsa:
- @mkdir -p $@
-
-.PHONY: ${top_srcdir}/raddb/certs/ecc
-${top_srcdir}/raddb/certs/ecc:
- @mkdir -p $@
-
-${top_srcdir}/raddb/certs/passwords.mk: $(wildcard ${top_srcdir}/raddb/certs/*cnf)
- ${Q}$(MAKE) -C $(dir $@) $(notdir $@)
-
-
 #
 # We used to have cached certificates in src/test/certs which would regularly
 # expire and break CI.
@@ -167,46 +149,13 @@ ${top_srcdir}/raddb/certs/passwords.mk: $(wildcard ${top_srcdir}/raddb/certs/*cn
 # done with the CI environment's caching features and not committed to the
 # git repository.
 #
-define BUILD_CERT
-${1}/${2}/${3}.key: ${1}/${3}.cnf ${1}/passwords.mk | ${1}/${2}
- $${Q}echo CERT-KEY ${2}/${3}
- $${Q}$$(MAKE) -C ${1} ${2}/${3}.key
- @touch $$@
-
-${1}/${2}/${3}.csr: ${1}/${2}/${3}.key
- $${Q}echo CERT-CSR ${2}/${3}
- $${Q}$$(MAKE) -C ${1} ${2}/${3}.csr
- @touch $$@
-
-${1}/${2}/${3}.pem: ${1}/${2}/${3}.key
- $${Q}echo CERT-PEM ${2}/${3}
- $${Q}$$(MAKE) -C ${1} ${2}/${3}.pem
- @touch $$@
-
-${1}/${2}/${3}.crt: ${1}/${2}/${3}.pem
- $${Q}echo CERT-CRT ${2}/${3}
- $${Q}$$(MAKE) -C ${1} ${2}/${3}.crt
- @touch $$@
-
-ifneq "${3}" "ca"
-# client, server, and OCSP certs need the CA cert.
-${1}/${2}/${3}.crt: ${1}/${2}/ca.crt
-
-${1}/${2}/${3}.crt: ${1}/${2}/${3}.csr
-endif
-
-endef
-
-#
-# Generate local certificate products when doing a non-package
-# (i.e. developer) build.
+# To avoid race conditions when calling `openssl ca` the submake is called
+# with -j1
 #
-$(foreach dir,rsa ecc,$(foreach file,ca server client ocsp,$(eval $(call BUILD_CERT,${top_srcdir}/raddb/certs,${dir},${file}))))
+build.raddb: ${top_srcdir}/raddb/certs/ecc/ocsp.pem
-${top_srcdir}/raddb/certs/dh: ${top_srcdir}/raddb/certs/passwords.mk
- ${Q}echo CERT-DH $@
- ${Q}$(MAKE) -C ${top_srcdir}/raddb/certs/ $(notdir $@)
- ${Q}touch $@
+${top_srcdir}/raddb/certs/ecc/ocsp.pem:
+ ${Q}$(MAKE) -j1 -C ${top_srcdir}/raddb/certs/
 #
 # If we're not packaging the server, install the various
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 492af6da301..ba703872b50 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
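Review bot: The new `${top_srcdir}/raddb/certs/ecc/ocsp.pem` rule has no prerequisites, so once that file exists the submake is never re-run even when the `*.cnf` inputs or `passwords.mk` change, whereas the removed `BUILD_CERT` rules depended on `${1}/${3}.cnf ${1}/passwords.mk`; consider `${top_srcdir}/raddb/certs/ecc/ocsp.pem: $(wildcard ${top_srcdir}/raddb/certs/*.cnf)` so an edited config (key size, validity, OCSP URL) actually regenerates the test certs. The rule also relies on the certs Makefile's default goal producing `ecc/ocsp.pem` together with every other entry of `LOCAL_CERT_FILES`, including `dh`, whose dedicated rule is removed here — if that is the case, a comment such as `# ecc/ocsp.pem stands in for the whole cert set built by the default goal of raddb/certs/Makefile` would make the sentinel explicit. Serialising with `-j1` only protects this call site: a direct parallel `make -C raddb/certs` still races on the shared `openssl ca` index/serial database, so `.NOTPARALLEL:` in raddb/certs/Makefile (or ordering the signing steps as prerequisites of each other) would cover every caller, and GNU make may additionally warn about a forced `-j1` when the parent runs with a jobserver. The enclosing `ifeq ("$(PACKAGE)","")` block starts in the previous hunk.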
@@ -153,7 +153,7 @@ rsa/server.pem: rsa/server.p12
 openssl pkcs12 -in rsa/server.p12 -out rsa/server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
 .PHONY: rsa/server.vrfy
-rsa/server.vrfy: rsa/ca.pem
+rsa/server.vrfy: rsa/ca.pem rsa/server.pem
 @openssl verify $(PARTIAL) -CAfile rsa/ca.pem rsa/server.pem
 ######################################################################
@@ -177,7 +177,7 @@ ecc/server.pem: ecc/server.p12
 openssl pkcs12 -in ecc/server.p12 -out ecc/server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
 .PHONY: ecc/server.vrfy
-ecc/server.vrfy: ecc/ca.pem
+ecc/server.vrfy: ecc/ca.pem ecc/server.pem
 @openssl verify $(PARTIAL) -CAfile ecc/ca.pem ecc/server.pem
 ######################################################################
@@ -198,7 +198,7 @@ rsa/ocsp.pem: rsa/ocsp.p12
 openssl pkcs12 -in rsa/ocsp.p12 -out rsa/ocsp.pem -passin pass:$(PASSWORD_OCSP) -passout pass:$(PASSWORD_OCSP)
 .PHONY: rsa/ocsp.vrfy
-rsa/ocsp.vrfy: rsa/ca.pem
+rsa/ocsp.vrfy: rsa/ca.pem rsa/ocsp.pem
 @openssl verify $(PARTIAL) -CAfile rsa/ca.pem rsa/ocsp.pem
 ######################################################################
@@ -222,7 +222,7 @@ ecc/ocsp.pem: ecc/ocsp.p12
 openssl pkcs12 -in ecc/ocsp.p12 -out ecc/ocsp.pem -passin pass:$(PASSWORD_OCSP) -passout pass:$(PASSWORD_OCSP)
 .PHONY: ecc/ocsp.vrfy
-ecc/ocsp.vrfy: ecc/ca.pem
+ecc/ocsp.vrfy: ecc/ca.pem ecc/ocsp.pem
 @openssl verify $(PARTIAL) -CAfile ecc/ca.pem ecc/ocsp.pem
 ######################################################################
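Review bot: In `rsa/server.vrfy` the recipe still spells out both file names that are now declared as prerequisites, `@openssl verify $(PARTIAL) -CAfile rsa/ca.pem rsa/server.pem`; with the new prerequisite list it can read `@openssl verify $(PARTIAL) -CAfile $< $(word 2,$^)` so the certificate being verified can never drift from the dependency that triggers its rebuild. The same applies to `ecc/server.vrfy`, `rsa/ocsp.vrfy` and `ecc/ocsp.vrfy` in the three following hunks. The `@` prefix also hides the command, so when verification fails CI shows only openssl's error with no indication of which chain was being checked; dropping the `@` or echoing the target first would make a failed verify easier to attribute.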