Diffstat (limited to 'src')
-rw-r--r--src/Makefile.global.in1
-rw-r--r--src/test/ldap/Makefile1
-rw-r--r--src/test/ldap/meson.build5
-rw-r--r--src/test/ldap/t/001_auth.pl8
-rw-r--r--src/test/modules/ssl_passphrase_callback/Makefile4
-rw-r--r--src/test/modules/ssl_passphrase_callback/meson.build2
-rw-r--r--src/test/ssl/Makefile2
-rw-r--r--src/test/ssl/meson.build5
-rw-r--r--src/test/ssl/sslfiles.mk34
-rw-r--r--src/test/ssl/t/001_ssltests.pl4
-rw-r--r--src/tools/msvc/vcregress.pl1
11 files changed, 38 insertions, 29 deletions
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 99889167e18..e96bedd4e7b 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -343,6 +343,7 @@ LN_S = @LN_S@
MSGFMT = @MSGFMT@
MSGFMT_FLAGS = @MSGFMT_FLAGS@
MSGMERGE = @MSGMERGE@
+OPENSSL = @OPENSSL@
PYTHON = @PYTHON@
TAR = @TAR@
XGETTEXT = @XGETTEXT@
diff --git a/src/test/ldap/Makefile b/src/test/ldap/Makefile
index e5fa3d86104..b1e4a7be677 100644
--- a/src/test/ldap/Makefile
+++ b/src/test/ldap/Makefile
@@ -14,6 +14,7 @@ top_builddir = ../../..
include $(top_builddir)/src/Makefile.global
export with_ldap
+export OPENSSL
check:
$(prove_check)
diff --git a/src/test/ldap/meson.build b/src/test/ldap/meson.build
index 2211bd5e3ec..020f6e7f087 100644
--- a/src/test/ldap/meson.build
+++ b/src/test/ldap/meson.build
@@ -6,6 +6,9 @@ tests += {
'tests': [
't/001_auth.pl',
],
- 'env': {'with_ldap': ldap.found() ? 'yes' : 'no'},
+ 'env': {
+ 'with_ldap': ldap.found() ? 'yes' : 'no',
+ 'OPENSSL': openssl.path(),
+ },
},
}
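Review bot: `openssl.path()` in the new `env` dict is evaluated unconditionally at configure time, with no `openssl.found()` check in front of it. The line removed from src/test/modules/ssl_passphrase_callback/meson.build looked the program up with `required: false`, and that file still tests `openssl.found()`. If the lookup that now defines `openssl` (outside this diff) is still optional, I would expect Meson to abort configuration when asked for the path of a not-found program, so hosts without the openssl binary could no longer configure at all. A guarded form such as `'OPENSSL': openssl.found() ? openssl.path() : '',` avoids that. The same applies to the identical line added in src/test/ssl/meson.build.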
diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index 2f064f69440..fd90832b755 100644
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -113,13 +113,15 @@ append_to_file(
mkdir $ldap_datadir or die;
mkdir $slapd_certs or die;
-system_or_bail "openssl", "req", "-new", "-nodes", "-keyout",
+my $openssl = $ENV{OPENSSL};
+
+system_or_bail $openssl, "req", "-new", "-nodes", "-keyout",
"$slapd_certs/ca.key", "-x509", "-out", "$slapd_certs/ca.crt", "-subj",
"/CN=CA";
-system_or_bail "openssl", "req", "-new", "-nodes", "-keyout",
+system_or_bail $openssl, "req", "-new", "-nodes", "-keyout",
"$slapd_certs/server.key", "-out", "$slapd_certs/server.csr", "-subj",
"/CN=server";
-system_or_bail "openssl", "x509", "-req", "-in", "$slapd_certs/server.csr",
+system_or_bail $openssl, "x509", "-req", "-in", "$slapd_certs/server.csr",
"-CA", "$slapd_certs/ca.crt", "-CAkey", "$slapd_certs/ca.key",
"-CAcreateserial", "-out", "$slapd_certs/server.crt";
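Review bot: `my $openssl = $ENV{OPENSSL};` is passed straight to `system_or_bail` without checking that the variable is set. When the script runs outside the make or meson harness, or configure found no openssl, `$openssl` is undef or empty and the first call fails with an error that does not name the missing variable. An explicit check right after the assignment, for example `die "OPENSSL is not set in the environment" unless $openssl;`, would make the cause obvious. Whether a skip is more appropriate than a failure depends on skip logic earlier in the file, which is outside this hunk.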
diff --git a/src/test/modules/ssl_passphrase_callback/Makefile b/src/test/modules/ssl_passphrase_callback/Makefile
index a34d7ea46a3..922f0ee0786 100644
--- a/src/test/modules/ssl_passphrase_callback/Makefile
+++ b/src/test/modules/ssl_passphrase_callback/Makefile
@@ -31,9 +31,9 @@ PASS = FooBaR1
.PHONY: ssl-files ssl-files-clean
ssl-files:
- openssl req -new -x509 -days 10000 -nodes -out server.crt \
+ $(OPENSSL) req -new -x509 -days 10000 -nodes -out server.crt \
-keyout server.ckey -subj "/CN=localhost"
- openssl rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
+ $(OPENSSL) rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
rm server.ckey
ssl-files-clean:
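Review bot: `$(OPENSSL)` in the `ssl-files` recipe is expanded with no check that configure actually found a program. If `@OPENSSL@` substitutes to an empty string (how configure fills it in is outside this diff), the first recipe line becomes `req -new -x509 ...` and fails with a command-not-found error that does not point at the real cause. Every recipe changed in src/test/ssl/sslfiles.mk has the same exposure. A guard as the first recipe line, such as `$(if $(strip $(OPENSSL)),,$(error OPENSSL was not found by configure))`, would report it directly. The `ssl-files-clean` rule continues outside the hunk.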
diff --git a/src/test/modules/ssl_passphrase_callback/meson.build b/src/test/modules/ssl_passphrase_callback/meson.build
index a9eb4c564da..1c9f009af37 100644
--- a/src/test/modules/ssl_passphrase_callback/meson.build
+++ b/src/test/modules/ssl_passphrase_callback/meson.build
@@ -25,8 +25,6 @@ testprep_targets += ssl_passphrase_callback
# Targets to generate or remove the ssl certificate and key. Need to be copied
# to the source afterwards. Normally not needed.
-openssl = find_program('openssl', native: true, required: false)
-
if openssl.found()
cert = custom_target('server.crt',
output: ['server.crt', 'server.ckey'],
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 12b02eb422b..2885c7c2693 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -15,7 +15,7 @@ subdir = src/test/ssl
top_builddir = ../../..
include $(top_builddir)/src/Makefile.global
-export with_ssl
+export OPENSSL with_ssl
# The sslfiles targets are separated into their own file due to interactions
# with settings in Makefile.global.
diff --git a/src/test/ssl/meson.build b/src/test/ssl/meson.build
index e2f021d884a..1e02bf9ed0c 100644
--- a/src/test/ssl/meson.build
+++ b/src/test/ssl/meson.build
@@ -3,7 +3,10 @@ tests += {
'sd': meson.current_source_dir(),
'bd': meson.current_build_dir(),
'tap': {
- 'env': {'with_ssl': get_option('ssl')},
+ 'env': {
+ 'with_ssl': get_option('ssl'),
+ 'OPENSSL': openssl.path(),
+ },
'tests': [
't/001_ssltests.pl',
't/002_scram.pl',
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index a843a21d42e..54ada01d466 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -84,7 +84,7 @@ sslfiles: $(SSLFILES) $(SSLDIRS)
# Root CA is self-signed.
ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
- openssl req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
+ $(OPENSSL) req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
#
# Special-case keys
@@ -94,20 +94,20 @@ ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
- openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
+ $(OPENSSL) rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
- openssl rsa -in $< -outform DER -out $@
+ $(OPENSSL) rsa -in $< -outform DER -out $@
# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
# formats to test libpq's support for the sslpassword= option.
ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
+ $(OPENSSL) rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
# TODO Explicitly choosing -aes128 generates a key unusable to PostgreSQL with
# OpenSSL 3.0.0, so fall back on the default for now.
ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
+ $(OPENSSL) rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
#
# Combined files
@@ -145,7 +145,7 @@ $(COMBINATIONS):
#
$(STANDARD_KEYS):
- openssl genrsa -out $@ 2048
+ $(OPENSSL) genrsa -out $@ 2048
chmod 0600 $@
#
@@ -165,18 +165,18 @@ client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ss
# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
.NOTPARALLEL:
$(CA_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
- openssl ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@
$(SERVER_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
- openssl ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
- openssl ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
+ $(OPENSSL) ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
# The CSRs don't need to persist after a build.
.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
ssl/%.csr: ssl/%.key conf/%.config
- openssl req -new -utf8 -key $< -out $@ -config conf/$*.config
+ $(OPENSSL) req -new -utf8 -key $< -out $@ -config conf/$*.config
#
# CA State
@@ -210,16 +210,16 @@ ssl/%.srl:
#
ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
- openssl ca -config conf/cas.config -name root_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name root_ca -gencrl -out $@
ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
- openssl ca -config conf/cas.config -name server_ca -revoke $<
- openssl ca -config conf/cas.config -name server_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name server_ca -revoke $<
+ $(OPENSSL) ca -config conf/cas.config -name server_ca -gencrl -out $@
ssl/client.crl: ssl/client-revoked.crt ssl/client-revoked-utf8.crt ssl/client_ca.crt | $(client_ca_state_files)
- openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
- openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
- openssl ca -config conf/cas.config -name client_ca -gencrl -out $@
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
+ $(OPENSSL) ca -config conf/cas.config -name client_ca -gencrl -out $@
#
# CRL hash directories
@@ -230,7 +230,7 @@ ssl/root+client-crldir: ssl/client.crl ssl/root.crl
ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
-crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+crlhashfile = $(shell $(OPENSSL) crl -hash -noout -in $(1)).r0
ssl/%-crldir:
mkdir -p $@
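Review bot: `crlhashfile = $(shell $(OPENSSL) crl -hash -noout -in $(1)).r0` silently yields the bare name `.r0` if the command fails, because make does not treat a failing `$(shell ...)` as an error. With the program name now coming from a variable, an empty or wrong `OPENSSL` would presumably leave a hidden `.r0` file in the CRL directory instead of stopping the build, so the directory would not contain the hashed CRL the tests expect. Failing loudly is safer: `crlhashfile = $(or $(shell $(OPENSSL) crl -hash -noout -in $(1)),$(error cannot hash $(1))).r0`. The rest of the `ssl/%-crldir` recipe that uses this variable is outside the hunk.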
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index efe5634fff2..fe42161a0fa 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -611,7 +611,7 @@ TODO:
# pg_stat_ssl
-my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+my $serialno = `$ENV{OPENSSL} x509 -serial -noout -in ssl/client.crt`;
if ($? == 0)
{
# OpenSSL prints serial numbers in hexadecimal and converting the serial
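Review bot: the new backtick command interpolates `$ENV{OPENSSL}` unquoted into a shell command line, so a path containing spaces is split into several words and any shell metacharacters in the variable are interpreted. The old code used the fixed word `openssl`, so this exposure is new. Quoting the program name keeps the value a single word: `` my $serialno = `"$ENV{OPENSSL}" x509 -serial -noout -in ssl/client.crt`; ``. The LDAP test in this commit avoids the shell entirely by passing a list to `system_or_bail`, and a list-form call here would be consistent with it. The `if ($? == 0)` block continues outside the hunk.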
@@ -633,7 +633,7 @@ else
{
# OpenSSL isn't functioning on the user's PATH. This probably isn't worth
# skipping the test over, so just fall back to a generic integer match.
- warn 'couldn\'t run `openssl x509` to get client cert serialno';
+ warn "couldn't run \"$ENV{OPENSSL} x509\" to get client cert serialno";
$serialno = '\d+';
}
diff --git a/src/tools/msvc/vcregress.pl b/src/tools/msvc/vcregress.pl
index 5182721eb79..1d86cd650f9 100644
--- a/src/tools/msvc/vcregress.pl
+++ b/src/tools/msvc/vcregress.pl
@@ -146,6 +146,7 @@ sub set_command_env
{
set_single_env('GZIP_PROGRAM', 'gzip');
set_single_env('LZ4', 'lz4');
+ set_single_env('OPENSSL', 'openssl');
set_single_env('ZSTD', 'zstd');
}