Commit 43033e129b for openssl.org
commit 43033e129b23ef67b91c4bd45b657c62fb22c0ff
Author: Norbert Pocs <norbertp@openssl.org>
Date: Wed Dec 17 17:28:06 2025 +0100
Remove the c_rehash script
The `openssl rehash` should be used instead.
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29427)
diff --git a/.gitignore b/.gitignore
index 9a388a8c72..7983f5bbc7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -301,8 +301,6 @@ providers/implementations/rands/test_rng.inc
# Misc auto generated files
/doc/man7/openssl_user_macros.pod
-/tools/c_rehash
-/tools/c_rehash.pl
/util/shlib_wrap.sh
/util/wrap.pl
/tags
diff --git a/CHANGES.md b/CHANGES.md
index 0156923e2f..0ca5ba5398 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -32,6 +32,10 @@ OpenSSL 4.0
### Changes between 3.6 and 4.0 [xx XXX xxxx]
+ * The script tool `c_rehash` was removed. Use `openssl rehash` instead.
+
+ *Norbert Pocs*
+
* The crypto-mdebug-backtrace configuration option has been entirely removed.
The option has been a no-op since 1.0.2.
diff --git a/NEWS.md b/NEWS.md
index 164fd8ca37..86869a8114 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -27,6 +27,8 @@ OpenSSL 4.0
### Major changes between OpenSSL 3.6 and OpenSSL 4.0 [under development]
+ * The script tool `c_rehash` was removed. Use `openssl rehash` instead.
+
* ENGINE support was removed. The `no-engine` build option and the
`OPENSSL_NO_ENGINE` macro is always present.
diff --git a/VMS/openssl_utils.com.in b/VMS/openssl_utils.com.in
index 900d0462c5..4369711a21 100644
--- a/VMS/openssl_utils.com.in
+++ b/VMS/openssl_utils.com.in
@@ -5,10 +5,3 @@ $ v := {- sprintf "%02d", split(/\./, $config{version}) -}
$
$ OPENSSL'v' :== $OSSL$EXE:OPENSSL'v'
$ OPENSSL :== $OSSL$EXE:OPENSSL'v'
-$
-$ IF F$TYPE(PERL) .EQS. "STRING"
-$ THEN
-$ C_REHASH :== 'PERL' OSSL$EXE:c_rehash.pl
-$ ELSE
-$ WRITE SYS$ERROR "NOTE: no perl => no C_REHASH"
-$ ENDIF
diff --git a/apps/rehash.c b/apps/rehash.c
index e2083fa76b..45089a0109 100644
--- a/apps/rehash.c
+++ b/apps/rehash.c
@@ -588,7 +588,7 @@ const OPTIONS rehash_options[] = {
int rehash_main(int argc, char **argv)
{
- BIO_printf(bio_err, "Not available; use c_rehash script\n");
+ BIO_printf(bio_err, "Not available\n");
return 1;
}
diff --git a/build.info b/build.info
index 41e82e6acb..abf27ae39a 100644
--- a/build.info
+++ b/build.info
@@ -1,7 +1,7 @@
# Note that some of these directories are filtered in Configure. Look for
# %skipdir there for further explanations.
-SUBDIRS=crypto ssl apps util tools fuzz providers doc
+SUBDIRS=crypto ssl apps util fuzz providers doc
IF[{- !$disabled{tests} -}]
SUBDIRS=test
ENDIF
diff --git a/doc/man1/openssl-rehash.pod.in b/doc/man1/openssl-rehash.pod.in
index aa367cce4e..fa8c675609 100644
--- a/doc/man1/openssl-rehash.pod.in
+++ b/doc/man1/openssl-rehash.pod.in
@@ -24,21 +24,8 @@ B<rehash>
{- $OpenSSL::safe::opt_provider_synopsis -}
[I<directory>] ...
-B<c_rehash>
-[B<-h>]
-[B<-help>]
-[B<-old>]
-[B<-n>]
-[B<-v>]
-{- $OpenSSL::safe::opt_provider_synopsis -}
-[I<directory>] ...
-
=head1 DESCRIPTION
-This command is generally equivalent to the external
-script B<c_rehash>,
-except for minor differences noted below.
-
B<openssl rehash> scans directories and calculates a hash value of
each F<.pem>, F<.crt>, F<.cer>, or F<.crl>
file in the specified directory list and creates symbolic links
@@ -75,22 +62,6 @@ A warning will also be displayed if there are files that
cannot be parsed as either a certificate or a CRL or if
more than one such object appears in the file.
-=head2 Script Configuration
-
-The B<c_rehash> script
-uses the B<openssl> program to compute the hashes and
-fingerprints. If not found in the user's B<PATH>, then set the
-B<OPENSSL> environment variable to the full pathname.
-Any program can be used, it will be invoked as follows for either
-a certificate or CRL:
-
- $OPENSSL x509 -hash -fingerprint -noout -in FILENAME
- $OPENSSL crl -hash -fingerprint -noout -in FILENAME
-
-where I<FILENAME> is the filename. It must output the hash of the
-file on the first line, and the fingerprint on the second,
-optionally prefixed with some text and an equals sign.
-
=head1 OPTIONS
=over 4
@@ -154,6 +125,10 @@ L<openssl(1)>,
L<openssl-crl(1)>,
L<openssl-x509(1)>
+=head1 HISTORY
+
+B<c_rehash> was removed in OpenSSL 4.0. Use B<openssl rehash> instead.
+
=head1 COPYRIGHT
Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man3/SSL_CTX_load_verify_locations.pod b/doc/man3/SSL_CTX_load_verify_locations.pod
index 7e3b2771f2..c129f17f7b 100644
--- a/doc/man3/SSL_CTX_load_verify_locations.pod
+++ b/doc/man3/SSL_CTX_load_verify_locations.pod
@@ -83,7 +83,7 @@ If more than one CA certificate with the same name hash value exist, the
extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
is performed in the ordering of the extension number, regardless of other
properties of the certificates.
-Use the B<c_rehash> utility to create the necessary links.
+Use the B<openssl rehash> utility to create the necessary links.
The certificates in B<CApath> are only looked up when required, e.g. when
building the certificate chain or when actually performing the verification
@@ -158,7 +158,7 @@ Prepare the directory /some/where/certs containing several CA certificates
for use as B<CApath>:
cd /some/where/certs
- c_rehash .
+ openssl rehash .
=head1 SEE ALSO
diff --git a/tools/build.info b/tools/build.info
deleted file mode 100644
index 059e582345..0000000000
--- a/tools/build.info
+++ /dev/null
@@ -1,7 +0,0 @@
-{- our $c_rehash_name =
- $config{target} =~ /^(VC|vms)-/ ? "c_rehash.pl" : "c_rehash";
- "" -}
-IF[{- !$disabled{apps} -}]
- SCRIPTS={- $c_rehash_name -}
- SOURCE[{- $c_rehash_name -}]=c_rehash.in
-ENDIF
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
deleted file mode 100644
index bb68c44692..0000000000
--- a/tools/c_rehash.in
+++ /dev/null
@@ -1,252 +0,0 @@
-#!{- $config{HASHBANGPERL} -}
-{- use OpenSSL::Util; -}
-# {- join("\n# ", @autowarntext) -}
-# Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License"). You may not use
-# this file except in compliance with the License. You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-# Perl c_rehash script, scan all files in a directory
-# and add symbolic links to their hash values.
-
-my $dir = {- quotify1($config{openssldir}) -};
-my $prefix = {- quotify1($config{prefix}) -};
-
-my $errorcount = 0;
-my $openssl = $ENV{OPENSSL} || "openssl";
-my $pwd;
-my $x509hash = "-subject_hash";
-my $crlhash = "-hash";
-my $verbose = 0;
-my $symlink_exists=eval {symlink("",""); 1};
-my $removelinks = 1;
-
-## Parse flags.
-while ( $ARGV[0] =~ /^-/ ) {
- my $flag = shift @ARGV;
- last if ( $flag eq '--');
- if ( $flag eq '-old') {
- $x509hash = "-subject_hash_old";
- $crlhash = "-hash_old";
- } elsif ( $flag eq '-h' || $flag eq '-help' ) {
- help();
- } elsif ( $flag eq '-n' ) {
- $removelinks = 0;
- } elsif ( $flag eq '-v' ) {
- $verbose++;
- }
- else {
- print STDERR "Usage error; try -h.\n";
- exit 1;
- }
-}
-
-sub help {
- print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n";
- print " -old use old-style digest\n";
- print " -h or -help print this help text\n";
- print " -v print files removed and linked\n";
- exit 0;
-}
-
-eval "require Cwd";
-if (defined(&Cwd::getcwd)) {
- $pwd=Cwd::getcwd();
-} else {
- $pwd=`pwd`;
- chomp($pwd);
-}
-
-# DOS/Win32 or Unix delimiter? Prefix our installdir, then search.
-my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':';
-$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : "");
-
-if (!(-f $openssl && -x $openssl)) {
- my $found = 0;
- foreach (split /$path_delim/, $ENV{PATH}) {
- if (-f "$_/$openssl" && -x "$_/$openssl") {
- $found = 1;
- $openssl = "$_/$openssl";
- last;
- }
- }
- if ($found == 0) {
- print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
- exit 0;
- }
-}
-
-if (@ARGV) {
- @dirlist = @ARGV;
-} elsif ($ENV{SSL_CERT_DIR}) {
- @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
-} else {
- $dirlist[0] = "$dir/certs";
-}
-
-if (-d $dirlist[0]) {
- chdir $dirlist[0];
- $openssl="$pwd/$openssl" if (!(-f $openssl && -x $openssl));
- chdir $pwd;
-}
-
-foreach (@dirlist) {
- if (-d $_ ) {
- if ( -w $_) {
- hash_dir($_);
- } else {
- print "Skipping $_, can't write\n";
- $errorcount++;
- }
- }
-}
-exit($errorcount);
-
-sub copy_file {
- my ($src_fname, $dst_fname) = @_;
-
- if (open(my $in, "<", $src_fname)) {
- if (open(my $out, ">", $dst_fname)) {
- print $out $_ while (<$in>);
- close $out;
- } else {
- warn "Cannot open $dst_fname for write, $!";
- }
- close $in;
- } else {
- warn "Cannot open $src_fname for read, $!";
- }
-}
-
-sub hash_dir {
- my $dir = shift;
- my %hashlist;
-
- print "Doing $dir\n";
-
- if (!chdir $dir) {
- print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
- return;
- }
-
- opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
- my @flist = sort readdir(DIR);
- closedir DIR;
- if ( $removelinks ) {
- # Delete any existing symbolic links
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
- if (-l $_) {
- print "unlink $_\n" if $verbose;
- unlink $_ || warn "Can't unlink $_, $!\n";
- }
- }
- }
- FILE: foreach $fname (grep {/\.(pem|crt|cer|crl)$/} @flist) {
- # Check to see if certificates and/or CRLs present.
- my ($cert, $crl) = check_file($fname);
- if (!$cert && !$crl) {
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
- next;
- }
- link_hash_cert($fname) if ($cert);
- link_hash_crl($fname) if ($crl);
- }
-
- chdir $pwd;
-}
-
-sub check_file {
- my ($is_cert, $is_crl) = (0,0);
- my $fname = $_[0];
-
- open(my $in, "<", $fname);
- while(<$in>) {
- if (/^-----BEGIN (.*)-----/) {
- my $hdr = $1;
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
- $is_cert = 1;
- last if ($is_crl);
- } elsif ($hdr eq "X509 CRL") {
- $is_crl = 1;
- last if ($is_cert);
- }
- }
- }
- close $in;
- return ($is_cert, $is_crl);
-}
-
-sub compute_hash {
- my $fh;
- if ( $^O eq "VMS" ) {
- # VMS uses the open through shell
- # The file names are safe there and list form is unsupported
- if (!open($fh, "-|", join(' ', @_))) {
- print STDERR "Cannot compute hash on '$fname'\n";
- return;
- }
- } else {
- if (!open($fh, "-|", @_)) {
- print STDERR "Cannot compute hash on '$fname'\n";
- return;
- }
- binmode($fh, ":crlf");
- }
- return (<$fh>, <$fh>);
-}
-
-# Link a certificate to its subject name hash value, each hash is of
-# the form <hash>.<n> where n is an integer. If the hash value already exists
-# then we need to up the value of n, unless its a duplicate in which
-# case we skip the link. We check for duplicates by comparing the
-# certificate fingerprints
-
-sub link_hash_cert {
- link_hash($_[0], 'cert');
-}
-
-# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
-
-sub link_hash_crl {
- link_hash($_[0], 'crl');
-}
-
-sub link_hash {
- my ($fname, $type) = @_;
- my $is_cert = $type eq 'cert';
-
- my ($hash, $fprint) = compute_hash($openssl,
- $is_cert ? "x509" : "crl",
- $is_cert ? $x509hash : $crlhash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- $hash =~ s/^.*=// if !$is_cert;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- my $crlmark = $is_cert ? "" : "r";
- while(exists $hashlist{"$hash.$crlmark$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
- my $what = $is_cert ? 'certificate' : 'CRL';
- print STDERR "WARNING: Skipping duplicate $what $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".$crlmark$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "copy $fname -> $hash\n" if $verbose;
- copy_file($fname, $hash);
- }
- $hashlist{$hash} = $fprint;
-}