Introduce an openssl(1) certhash command.

This is effectively a reimplementation of the functionality provided by
the previously removed c_rehash Perl script. The c_rehash script had a
number of known issues, including the fact that it needs to run openssl(1)
multiple times and that it starts by removing all symlinks before
putting them back, creating atomicity issues/race conditions, even when
nothing has changed.

certhash is self-contained and is intended to be stable - no changes
should be made unless something has actually changed. This means it can
be run regularly in a production environment without causing certificate
lookup failures.

Further testing and improvements will happen in tree.

Discussed with tedu@

1 files changed, 3 insertions, 1 deletions

diff --git a/src/usr.bin/openssl/progs.h b/src/usr.bin/openssl/progs.h
index 6f957c6f7c..e1494e1147 100644
--- a/src/usr.bin/openssl/progs.h
+++ b/src/usr.bin/openssl/progs.h
@@ -1,8 +1,9 @@
-/* $OpenBSD: progs.h,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
+/* $OpenBSD: progs.h,v 1.2 2015/02/10 15:29:34 jsing Exp $ */
 /* Public domain */
 
 extern int asn1parse_main(int argc, char *argv[]);
 extern int ca_main(int argc, char *argv[]);
+extern int certhash_main(int argc, char *argv[]);
 extern int ciphers_main(int argc, char *argv[]);
 extern int cms_main(int argc, char *argv[]);
 extern int crl2pkcs7_main(int argc, char *argv[]);
@@ -66,6 +67,7 @@ FUNCTION functions[] = {
         /* General functions. */
         { FUNC_TYPE_GENERAL, "asn1parse", asn1parse_main },
         { FUNC_TYPE_GENERAL, "ca", ca_main },
+        { FUNC_TYPE_GENERAL, "certhash", certhash_main },
         { FUNC_TYPE_GENERAL, "ciphers", ciphers_main },
 #ifndef OPENSSL_NO_CMS
         { FUNC_TYPE_GENERAL, "cms", cms_main },