5 files changed, 102 insertions, 71 deletions

diff --git a/bpkg/auth.cxx b/bpkg/auth.cxx
index 663054d..191da0a 100644
--- a/bpkg/auth.cxx
+++ b/bpkg/auth.cxx
@@ -23,15 +23,15 @@ using namespace butl;
 
 namespace bpkg
 {
-  static const string openssl_version ("version");
-  static const string openssl_pkeyutl ("pkeyutl");
-  static const string openssl_rsautl  ("rsautl");
-  static const string openssl_x509    ("x509");
-
-  const char* openssl_commands[5] = {openssl_version.c_str (),
-                                     openssl_pkeyutl.c_str (),
-                                     openssl_rsautl.c_str (),
-                                     openssl_x509.c_str (),
+  static const string openssl_version_cmd ("version");
+  static const string openssl_pkeyutl_cmd ("pkeyutl");
+  static const string openssl_rsautl_cmd  ("rsautl");
+  static const string openssl_x509_cmd    ("x509");
+
+  const char* openssl_commands[5] = {openssl_version_cmd.c_str (),
+                                     openssl_pkeyutl_cmd.c_str (),
+                                     openssl_rsautl_cmd.c_str (),
+                                     openssl_x509_cmd.c_str (),
                                      nullptr};
 
   // Print process command line.
@@ -43,9 +43,42 @@ namespace bpkg
       print_process (args, n);
   }
 
+  // Query the openssl information and return the openssl version. Cache the
+  // version on the first function call. Fail on the underlying process and IO
+  // error. Return the 0.0.0 version if unable to parse the openssl stdout.
+  //
+  static optional<semantic_version> openssl_ver;
+
+  static const semantic_version&
+  openssl_version (const common_options& co)
+  {
+    const path& openssl_path (co.openssl ()[openssl_version_cmd]);
+
+    if (!openssl_ver)
+    try
+    {
+      optional<openssl_info> oi (
+        openssl::info (print_command, 2, openssl_path));
+
+      openssl_ver = (oi && oi->name == "OpenSSL"
+                     ? move (oi->version)
+                     : semantic_version ());
+    }
+    catch (const process_error& e)
+    {
+      fail << "unable to execute " << openssl_path << ": " << e << endf;
+    }
+    catch (const io_error& e)
+    {
+      fail << "unable to read '" << openssl_path << "' output: " << e
+           << endf;
+    }
+
+    return *openssl_ver;
+  }
+
   // Return true if the openssl version is greater or equal to 3.0.0 and so
-  // pkeyutl needs to be used instead of rsautl. Cache the result on the first
-  // function call.
+  // pkeyutl needs to be used instead of rsautl.
   //
   // Note that openssl 3.0.0 deprecates rsautl in favor of pkeyutl.
   //
@@ -54,37 +87,28 @@ namespace bpkg
   // (see the 'pkeyutl -verifyrecover error "input data too long to be a
   // hash"' issue report for details).
   //
-  static optional<bool> use_pkeyutl;
-
-  static bool
+  static inline bool
   use_openssl_pkeyutl (const common_options& co)
   {
-    if (!use_pkeyutl)
-    {
-      const path& openssl_path (co.openssl ()[openssl_version]);
-
-      try
-      {
-        optional<openssl_info> oi (
-          openssl::info (print_command, 2, openssl_path));
-
-        use_pkeyutl = oi                    &&
-                      oi->name == "OpenSSL" &&
-                      oi->version >= semantic_version {3, 0, 0};
-      }
-      catch (const process_error& e)
-      {
-        fail << "unable to execute " << openssl_path << ": " << e << endf;
-      }
-      catch (const io_error& e)
-      {
-        fail << "unable to read '" << openssl_path << "' output: " << e
-             << endf;
-      }
-    }
+    return openssl_version (co) >= semantic_version {3, 0, 0};
+  }
 
-    return *use_pkeyutl;
+  // Return true if some openssl commands (openssl x509 -fingerprint, etc) may
+  // issue the 'Reading certificate from stdin since no -in or -new option is
+  // given' warning. This is the case for the openssl version in the [3.2.0
+  // 3.3.0) range (see GH issue #353 for details).
+  //
+  // Note that there is no easy way to suppress this warning on Windows and
+  // thus we don't define this function there.
+  //
+#ifndef _WIN32
+  static inline bool
+  openssl_warn_stdin (const common_options& co)
+  {
+    const semantic_version& v (openssl_version (co));
+    return v >= semantic_version {3, 2, 0} && v < semantic_version {3, 3, 0};
   }
+#endif
 
   // Find the repository location prefix that ends with the version component.
   // We consider all repositories under this location to be related.
@@ -190,15 +214,25 @@ namespace bpkg
         dr << ": " << *e;
     };
 
-    const path& openssl_path (co.openssl ()[openssl_x509]);
-    const strings& openssl_opts (co.openssl_option ()[openssl_x509]);
+    const path& openssl_path (co.openssl ()[openssl_x509_cmd]);
+    const strings& openssl_opts (co.openssl_option ()[openssl_x509_cmd]);
 
     try
     {
       openssl os (print_command,
                   fdstream_mode::text, fdstream_mode::text, 2,
-                  openssl_path, openssl_x509,
-                  openssl_opts, "-sha256", "-noout", "-fingerprint");
+                  openssl_path, openssl_x509_cmd,
+                  openssl_opts,
+                  "-sha256",
+                  "-noout",
+                  "-fingerprint"
+#ifndef _WIN32
+                  ,
+                  (openssl_warn_stdin (co)
+                   ? cstrings ({"-in", "/dev/stdin"})
+                   : cstrings ())
+#endif
+      );
 
       os.out << pem;
       os.out.close ();
@@ -288,8 +322,8 @@ namespace bpkg
         dr << ": " << *e;
     };
 
-    const path& openssl_path (co.openssl ()[openssl_x509]);
-    const strings& openssl_opts (co.openssl_option ()[openssl_x509]);
+    const path& openssl_path (co.openssl ()[openssl_x509_cmd]);
+    const strings& openssl_opts (co.openssl_option ()[openssl_x509_cmd]);
 
     try
     {
@@ -315,7 +349,7 @@ namespace bpkg
       openssl os (
         print_command,
         fdstream_mode::text, fdstream_mode::text, 2,
-        openssl_path, openssl_x509,
+        openssl_path, openssl_x509_cmd,
         openssl_opts, "-noout", "-subject", "-dates", "-email",
 
         // Previously we have used "RFC2253,sep_multiline" format to display
@@ -347,6 +381,13 @@ namespace bpkg
         // sep_multiline - display field per line.
         //
         "-nameopt", "utf8,esc_ctrl,dump_nostr,dump_der,sname,sep_multiline"
+
+#ifndef _WIN32
+        ,
+        (openssl_warn_stdin (co)
+         ? cstrings ({"-in", "/dev/stdin"})
+         : cstrings ())
+#endif
       );
 
       // We unset failbit to provide the detailed error description (which
@@ -877,7 +918,7 @@ namespace bpkg
     };
 
     bool ku (use_openssl_pkeyutl (co));
-    const string& cmd (ku ? openssl_pkeyutl : openssl_rsautl);
+    const string& cmd (ku ? openssl_pkeyutl_cmd : openssl_rsautl_cmd);
 
     const path& openssl_path (co.openssl ()[cmd]);
     const strings& openssl_opts (co.openssl_option ()[cmd]);
@@ -973,8 +1014,8 @@ namespace bpkg
     };
 
     const string& cmd (use_openssl_pkeyutl (co)
-                       ? openssl_pkeyutl
-                       : openssl_rsautl);
+                       ? openssl_pkeyutl_cmd
+                       : openssl_rsautl_cmd);
 
     const path& openssl_path (co.openssl ()[cmd]);
     const strings& openssl_opts (co.openssl_option ()[cmd]);
diff --git a/bpkg/buildfile b/bpkg/buildfile
index 0ba60dc..8836712 100644
--- a/bpkg/buildfile
+++ b/bpkg/buildfile
@@ -15,15 +15,12 @@ import libs = build2%lib{build2}
 for m: bash bin c cc cli cxx in version
   import libs += build2%lib{build2-$m}
 
+# @@ TMP we require libsqlite3 to be interface dependency of libbut-odb only
+#    for the database migrations to schema versions 13 and 14.
+#
 import libs += libbpkg%lib{bpkg}
 import libs += libbutl%lib{butl}
-import libs += libodb%lib{odb}
-import libs += libodb-sqlite%lib{odb-sqlite}
-
-# @@ TMP Only required for the database migrations to schema versions 13 and
-#    14.
-#
-import libs += libsqlite3%lib{sqlite3}
+import libs += libbutl%lib{butl-odb}
 
 options_topics =           \
 bpkg-options               \
diff --git a/bpkg/odb.sh b/bpkg/odb.sh
index 75c6d2d..1387773 100755
--- a/bpkg/odb.sh
+++ b/bpkg/odb.sh
@@ -16,8 +16,9 @@ if test -d ../.bdep; then
 sed -r -ne 's#^(@[^ ]+ )?([^ ]+)/ .*default.*$#\2#p')"
   fi
 
-  inc+=("-I$(echo "$cfg"/libodb-[1-9]*/)")
-  inc+=("-I$(echo "$cfg"/libodb-sqlite-[1-9]*/)")
+  # Note: there is nothing generated in libbutl-odb.
+  #
+  inc+=("-I../../libbutl/libbutl-odb")
 
   inc+=("-I$cfg/libbutl")
   inc+=("-I../../libbutl")
@@ -30,11 +31,7 @@ sed -r -ne 's#^(@[^ ]+ )?([^ ]+)/ .*default.*$#\2#p')"
 
 else
 
-  inc+=("-I$HOME/work/odb/builds/default/libodb-sqlite-default")
-  inc+=("-I$HOME/work/odb/libodb-sqlite")
-
-  inc+=("-I$HOME/work/odb/builds/default/libodb-default")
-  inc+=("-I$HOME/work/odb/libodb")
+  inc+=("-I../../libbutl/libbutl-odb")
 
   inc+=(-I.. -I../../libbpkg -I../../libbutl)
 
diff --git a/bpkg/pkg-build-collect.cxx b/bpkg/pkg-build-collect.cxx
index 352fa52..6f1195c 100644
--- a/bpkg/pkg-build-collect.cxx
+++ b/bpkg/pkg-build-collect.cxx
@@ -2962,8 +2962,12 @@ namespace bpkg
 
                 const strings mods {"cc"};
 
+                // Use the *-no-warnings host/build2 configurations since the
+                // user has no control over such private configurations and
+                // they are primarily used for consumption.
+                //
                 const strings vars {
-                  "config.config.load=~" + type,
+                  "config.config.load=~" + type + "-no-warnings",
                     "config.config.persist+='config.*'@unused=drop"};
 
                 dir_path cd (bpkg_dir / dir_path (type));
diff --git a/bpkg/version.hxx.in b/bpkg/version.hxx.in
index 22da973..603a5f7 100644
--- a/bpkg/version.hxx.in
+++ b/bpkg/version.hxx.in
@@ -43,14 +43,6 @@ $libbutl.check(LIBBUTL_VERSION, LIBBUTL_SNAPSHOT)$
 
 $libbpkg.check(LIBBPKG_VERSION, LIBBPKG_SNAPSHOT)$
 
-#include <odb/version.hxx>
-
-$libodb.check(LIBODB_VERSION, LIBODB_SNAPSHOT)$
-
-#include <odb/sqlite/version.hxx>
-
-$libodb_sqlite.check(LIBODB_SQLITE_VERSION, LIBODB_SQLITE_SNAPSHOT)$
-
 // User agent.
 //
 #if   defined(_WIN32)