[OE-core] What is the recommended approach to upgrade Openssl?

Ryan Pabis (pabisr) pabisr at cisco.com
Fri Mar 23 19:53:24 UTC 2018


All,

I’m working on a bundled package from NXP  that’s based on Yocto Krogroth (so 2015 ish).  But now I need to update openssl from 1.0.2d to 1.0.2n to fix multiple CVE vulnerabilities.  However, this is proving to be quite difficult.  I’ve been able to upgrade curl, expat, python, etc. by adding the new component to my layer and then updating the layer.conf file.  But it appears openssl is different.

If I try the same approach with openssl the first thing that goes wrong is the openssl_1.0.2n.bb file complains about the python function .filter not being supported as well as hostperl-runtime-native not being found.  So, I fix those by reverting back to .contains and changing to perl-native-runtime.  That seems to solve the .bb problem.  However, then I get an rpm error.   Which I fix by upgrading to 4.14.1. However, now I’m stuck with an ‘ar’ error that I can’t figure out.

So, my question is A) Is this the right approach or should I be updating the entire openembedded layer (if so are there instructions anywhere on how to do that?) and B).  If my approach is ok what is causing the ‘ar’ error since this built previously with openssl 1.0.2d?

Here is snippet of the error.

| gcc  -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DL_ENDIAN    -DTERMIO -isystem/home/pabisr/inode/build/tmp/sysroots/x86_64-linux/usr/include -O2 -pipe -Wall -Wa,--noexecstack -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -fPIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -isystem/home/pabisr/inode/build/tmp/sysroots/x86_64-linux/usr/include  -c -o obj_xref.o obj_xref.c
| ar ../../libcrypto.a o_names.o obj_dat.o obj_lib.o obj_err.o obj_xref.o
| ar: invalid option -- '.'
| Usage: ar [emulation options] [-]{dmpqrstx}[abcDfilMNoPsSTuvV] [--plugin <name>] [member-name] [count] archive-file file...
|        ar -M [<mri-script]
|  commands:
|   d            - delete file(s) from the archive
|   m[ab]        - move file(s) in the archive
|   p            - print file(s) found in the archive
|   q[f]         - quick append file(s) to the archive
|   r[ab][f][u]  - replace existing or insert new file(s) into the archive
|   s            - act as ranlib
|   t            - display contents of archive
|   x[o]         - extract file(s) from the archive
|  command specific modifiers:
|   [a]          - put file(s) after [member-name]
|   [b]          - put file(s) before [member-name] (same as [i])
|   [D]          - use zero for timestamps and uids/gids (default)
|   [U]          - use actual timestamps and uids/gids
|   [N]          - use instance [count] of name
|   [f]          - truncate inserted file names
|   [P]          - use full path names when matching
|   [o]          - preserve original dates
|   [u]          - only replace files that are newer than current archive contents
|  generic modifiers:
|   [c]          - do not warn if the library had to be created
|   [s]          - create an archive index (cf. ranlib)
|   [S]          - do not build a symbol table
|   [T]          - make a thin archive
|   [v]          - be verbose
|   [V]          - display the version number
|   @<file>      - read options from <file>
|   --target=BFDNAME - specify the target object format as BFDNAME
|  optional:
|   --plugin <p> - load the specified plugin
|  emulation options:
|   No emulation specific options
| ar: supported targets: elf64-x86-64 elf32-i386 elf32-iamcu elf32-x86-64 a.out-i386-linux pei-i386 pei-x86-64 elf64-l1om elf64-k1om elf64-little elf64-big elf32-little elf32-big pe-x86-64 pe-bigobj-x86-64 pe-i386 plugin srec symbolsrec verilog tekhex binary ihex
| Makefile:37: recipe for target 'lib' failed
| make[2]: *** [lib] Error 1
| make[2]: Leaving directory '/home/pabisr/inode/build/tmp/work/x86_64-linux/openssl-native/1.0.2n-r0/openssl-1.0.2n/crypto/objects'
| Makefile:88: recipe for target 'subdirs' failed
| make[1]: *** [subdirs] Error 1
| make[1]: Leaving directory '/home/pabisr/inode/build/tmp/work/x86_64-linux/openssl-native/1.0.2n-r0/openssl-1.0.2n/crypto'
| Makefile:288: recipe for target 'build_crypto' failed
| make: *** [build_crypto] Error 1
| WARNING: exit code 1 from a shell command.
| ERROR: oe_runmake failed
| ERROR: Function failed: do_compile (log file is located at /home/pabisr/inode/build/tmp/work/x86_64-linux/openssl-native/1.0.2n-r0/temp/log.do_compile.102235)
ERROR: Task 87 (virtual:native:/home/pabisr/inode/sources/meta-inode-eval/recipes-connectivity/openssl/openssl_1.0.2n.bb, do_compile) failed with exit code '1'
NOTE: Tasks Summary: Attempted 240 tasks of which 231 didn't need to be rerun and 1 failed.
Waiting for 0 running tasks to finish:

Summary: 1 task failed:
  virtual:native:/home/pabisr/inode/sources/meta-inode-eval/recipes-connectivity/openssl/openssl_1.0.2n.bb, do_compile
Summary: There was 1 WARNING message shown.
Summary: There were 2 ERROR messages shown, returning a non-zero exit code.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20180323/2afdfaa8/attachment-0002.html>


More information about the Openembedded-core mailing list