[ovs-dev] Bug#828478: [PATCH] ovs-pki: Use SHA-512 message digest when available.

Ben Pfaff blp at ovn.org
Sun Jun 26 18:05:35 UTC 2016


The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
OVS unit tests, which use SHA-1.  We last tried to switch to SHA-512 in
2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
XenServer did not support SHA-512.

This commit detects support for SHA-512 and uses it if available, so it
should avoid the problem encountered previously.

CC: 828478 at bugs.debian.org
Reported-at: https://bugs.debian.org/828478
Reported-by: Kurt Roeckx <kurt at roeckx.be>
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 AUTHORS              |  1 +
 utilities/ovs-pki.in | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/AUTHORS b/AUTHORS
index 704ba40..a893330 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -367,6 +367,7 @@ Konstantin Khorenko     khorenko at openvz.org
 Kris zhang              zhang.kris at gmail.com
 Krishna Miriyala        krishna at nicira.com
 Krishna Mohan Elluru    elluru.kri.mohan at hpe.com
+Kurt Roeckx             kurt at roeckx.be
 Len Gao                 leng at vmware.com
 Logan Rosen             logatronico at gmail.com
 Luca Falavigna          dktrkranz at debian.org
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 9b2b5aa..17497a8 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -248,7 +248,18 @@ if test "$command" = "init"; then
 
         # Write CA configuration file.
         if test ! -e ca.cnf; then
-            sed "s/@ca@/$ca/g;s/@curr_date@/$curr_date/g" > ca.cnf <<'EOF'
+	    if echo | openssl dgst -sha512 >/dev/null 2>&1; then
+		md=sha512
+	    elif echo | openssl dgst -sha1 >/dev/null 2>&1; then
+		md=sha1
+	    else
+		echo "$0: openssl does not support sha512 or sha1" >&2
+		exit 1
+	    fi
+            sed "s/@ca@/$ca/g
+s/@curr_date@/$curr_date/g
+s/@md@/$md/g
+" > ca.cnf <<'EOF'
 [ req ]
 prompt = no
 distinguished_name = req_distinguished_name
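Review bot: The new `if ... fi` block (the `openssl dgst` probes and the `md=` assignments) is indented with tabs while the surrounding script, including the `sed` line immediately after it, uses spaces; switching to spaces keeps the file consistent. Also, the `elif` branch falls back to `md=sha1` silently; since the reason for this change is that newer OpenSSL is dropping SHA-1, consider printing a warning to stderr in that branch (e.g. `echo "$0: falling back to sha1 message digest" >&2`) so an operator building a CA on an old toolchain knows the resulting certificates are signed with a deprecated digest rather than discovering it later.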
@@ -274,7 +285,7 @@ private_key    = $dir/private/cakey.pem# CA private key
 RANDFILE       = $dir/private/.rand    # random number file
 default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
-default_md     = sha1                  # message digest to use
+default_md     = @md@                  # message digest to use
 policy         = policy                # default policy
 email_in_dn    = no                    # Don't add the email into cert DN
 name_opt       = ca_default            # Subject name display option
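Review bot: Because the substitution only runs inside `if test ! -e ca.cnf`, an existing PKI directory that already has a `ca.cnf` keeps `default_md = sha1` and will not pick up SHA-512 after upgrading; the commit message should say so, and state that the fix applies to newly initialized PKIs (or that users must regenerate `ca.cnf`), so the behaviour on upgrade is not a surprise.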
-- 
2.1.3