[OE-core] What is the recommended approach to upgrade Openssl?

Vincent Prince vincent.prince.fr at gmail.com
Mon Mar 26 08:04:27 UTC 2018


Hi,

I'd say if you start looking at CVE/security issues, I think the best option is
to update the whole thing as any breach should be fixed.
As you are working on an NXP product, updating the Yocto version should be quite
straightforward, by replacing the krogoth branch with rocko.
You can watch this presentation
https://www.youtube.com/watch?v=F5R8VXnfwYw that
introduces a particular workflow to ease version migrations.

Best regards,
Vincent

2018-03-23 20:53 GMT+01:00 Ryan Pabis (pabisr) <pabisr at cisco.com>:

> All,
>
>
>
> I’m working on a bundled package from NXP that’s based on Yocto Krogoth
> (so 2015 ish).  But now I need to update openssl from 1.0.2d to 1.0.2n to
> fix multiple CVE vulnerabilities.  However, this is proving to be quite
> difficult.  I’ve been able to upgrade curl, expat, python, etc. by adding
> the new component to my layer and then updating the layer.conf file.  But
> it appears openssl is different.
>
>
>
> If I try the same approach with openssl the first thing that goes wrong is
> the openssl_1.0.2n.bb file complains about the python function .filter
> not being supported as well as hostperl-runtime-native not being found.
> So, I fix those by reverting back to .contains and changing to
> perl-native-runtime.  That seems to solve the .bb problem.  However, then I
> get an rpm error, which I fix by upgrading to 4.14.1. However, now I’m
> stuck with an ‘ar’ error that I can’t figure out.
>
>
>
> So, my question is A) Is this the right approach or should I be updating
> the entire openembedded layer (if so are there instructions anywhere on how
> to do that?) and B).  If my approach is ok what is causing the ‘ar’ error
> since this built previously with openssl 1.0.2d?
>
>
>
> Here is a snippet of the error.
>
>
>
> | gcc  -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include  -fPIC
> -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
> -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DL_ENDIAN    -DTERMIO
> -isystem/home/pabisr/inode/build/tmp/sysroots/x86_64-linux/usr/include
> -O2 -pipe -Wall -Wa,--noexecstack -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS
> -fPIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
> -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
> -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> -DECP_NISTZ256_ASM -isystem/home/pabisr/inode/build/tmp/sysroots/x86_64-linux/usr/include
> -c -o obj_xref.o obj_xref.c
>
> | ar ../../libcrypto.a o_names.o obj_dat.o obj_lib.o obj_err.o obj_xref.o
>
> | ar: invalid option -- '.'
>
> | Usage: ar [emulation options] [-]{dmpqrstx}[abcDfilMNoPsSTuvV]
> [--plugin <name>] [member-name] [count] archive-file file...
>
> |        ar -M [<mri-script]
>
> |  commands:
>
> |   d            - delete file(s) from the archive
>
> |   m[ab]        - move file(s) in the archive
>
> |   p            - print file(s) found in the archive
>
> |   q[f]         - quick append file(s) to the archive
>
> |   r[ab][f][u]  - replace existing or insert new file(s) into the archive
>
> |   s            - act as ranlib
>
> |   t            - display contents of archive
>
> |   x[o]         - extract file(s) from the archive
>
> |  command specific modifiers:
>
> |   [a]          - put file(s) after [member-name]
>
> |   [b]          - put file(s) before [member-name] (same as [i])
>
> |   [D]          - use zero for timestamps and uids/gids (default)
>
> |   [U]          - use actual timestamps and uids/gids
>
> |   [N]          - use instance [count] of name
>
> |   [f]          - truncate inserted file names
>
> |   [P]          - use full path names when matching
>
> |   [o]          - preserve original dates
>
> |   [u]          - only replace files that are newer than current archive
> contents
>
> |  generic modifiers:
>
> |   [c]          - do not warn if the library had to be created
>
> |   [s]          - create an archive index (cf. ranlib)
>
> |   [S]          - do not build a symbol table
>
> |   [T]          - make a thin archive
>
> |   [v]          - be verbose
>
> |   [V]          - display the version number
>
> |   @<file>      - read options from <file>
>
> |   --target=BFDNAME - specify the target object format as BFDNAME
>
> |  optional:
>
> |   --plugin <p> - load the specified plugin
>
> |  emulation options:
>
> |   No emulation specific options
>
> | ar: supported targets: elf64-x86-64 elf32-i386 elf32-iamcu elf32-x86-64
> a.out-i386-linux pei-i386 pei-x86-64 elf64-l1om elf64-k1om elf64-little
> elf64-big elf32-little elf32-big pe-x86-64 pe-bigobj-x86-64 pe-i386 plugin
> srec symbolsrec verilog tekhex binary ihex
>
> | Makefile:37: recipe for target 'lib' failed
>
> | make[2]: *** [lib] Error 1
>
> | make[2]: Leaving directory '/home/pabisr/inode/build/tmp/
> work/x86_64-linux/openssl-native/1.0.2n-r0/openssl-1.0.2n/crypto/objects'
>
> | Makefile:88: recipe for target 'subdirs' failed
>
> | make[1]: *** [subdirs] Error 1
>
> | make[1]: Leaving directory '/home/pabisr/inode/build/tmp/
> work/x86_64-linux/openssl-native/1.0.2n-r0/openssl-1.0.2n/crypto'
>
> | Makefile:288: recipe for target 'build_crypto' failed
>
> | make: *** [build_crypto] Error 1
>
> | WARNING: exit code 1 from a shell command.
>
> | ERROR: oe_runmake failed
>
> | ERROR: Function failed: do_compile (log file is located at
> /home/pabisr/inode/build/tmp/work/x86_64-linux/openssl-
> native/1.0.2n-r0/temp/log.do_compile.102235)
>
> ERROR: Task 87 (virtual:native:/home/pabisr/inode/sources/meta-inode-eval/
> recipes-connectivity/openssl/openssl_1.0.2n.bb, do_compile) failed with
> exit code '1'
>
> NOTE: Tasks Summary: Attempted 240 tasks of which 231 didn't need to be
> rerun and 1 failed.
>
> Waiting for 0 running tasks to finish:
>
>
>
> Summary: 1 task failed:
>
>   virtual:native:/home/pabisr/inode/sources/meta-inode-eval/
> recipes-connectivity/openssl/openssl_1.0.2n.bb, do_compile
>
> Summary: There was 1 WARNING message shown.
>
> Summary: There were 2 ERROR messages shown, returning a non-zero exit code.
>
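An added example, not part of either message: GNU ar reads its first argument as the operation key (`{dmpqrstx}` plus modifiers, as the usage text in the quoted log shows), so in `ar ../../libcrypto.a o_names.o ...` the archive path is parsed as option letters and `.` is rejected. The function below scans a build log for `ar` invocations with no operation key; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the first two lines have the shape of the quoted log,
# the last two are well-formed invocations for contrast.
sample_log() {
cat <<'EOF'
| ar ../../libcrypto.a o_names.o obj_dat.o obj_lib.o obj_err.o obj_xref.o
| ar: invalid option -- '.'
| ar r ../../libcrypto.a o_names.o obj_dat.o
| x86_64-linux-ar -rc libfoo.a foo.o
EOF
}

# Print "<line number>: <command>" for every ar invocation whose first
# non-option argument is not an operation key.
find_keyless_ar() {
    awk '
    {
        line = $0
        sub(/^\| */, "", line)                # strip the bitbake log prefix
        n = split(line, f, /[ \t]+/)
        if (n < 2) next
        if (f[1] !~ "(^|[/-])ar$") next       # ar, /usr/bin/ar, <prefix>-ar
        i = 2
        while (i <= n && f[i] ~ /^--/) {      # skip long options
            if (f[i] == "--plugin") i++       # --plugin takes a value
            i++
        }
        if (i > n) next
        key = f[i]
        if (key ~ /^@/ || key == "-M") next   # response file / MRI script mode
        if (key !~ /^-?[dmpqrstx][abcDfilMNoPsSTuUvV]*$/)
            print NR ": " line
    }'
}

# Stand-alone run over the constructed sample; prints only line 1.
sample_log | find_keyless_ar
```

To check a real build, feed it the task log instead, for example `find_keyless_ar < log.do_compile.<pid>`; a hit means the `AR` value the Makefile received lacks the operation key it expects to be part of that variable.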