[OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path

Wed Sep 25 19:12:48 UTC 2019

On Wed, Sep 25, 2019 at 1:37 PM Andre McCurdy <armccurdy at gmail.com> wrote:
>
> On Wed, Sep 25, 2019 at 11:13 AM George McCollister
> <george.mccollister at gmail.com> wrote:
> > On Wed, Sep 25, 2019 at 11:08 AM Mark Hatle
> > <mark.hatle at kernel.crashing.org> wrote:
> > > On 9/25/19 6:52 AM, George McCollister wrote:
> > > > Set OPENSSL_ENGINES to the path where engines are actually installed.
> > > >
> > > > Signed-off-by: George McCollister <george.mccollister at gmail.com>
> > > > ---
> > > >  meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > > > index 072f727e0b..8819e19ec4 100644
> > > > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > > > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > > > @@ -148,7 +148,7 @@ do_install_append_class-native () {
> > > >           OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
> > > >           SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
> > > >           SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
> > > > -         OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
> > > > +         OPENSSL_ENGINES=${libdir}/engines-1.1
> > >
> > > Is this a bug in the openssl recipe (it's placing engines in the wrong place),
> > > or a bug in the recipes providing acceleration engines and THEY are going into
> > > the wrong place?
> >
> > This recipe installs:
> > packages-split/openssl-engines/usr/lib/engines-1.1/afalg.so
> > packages-split/openssl-engines/usr/lib/engines-1.1/padlock.so
> > packages-split/openssl-engines/usr/lib/engines-1.1/capi.so
> >
> > libp11 in meta-oe installs these:
> > packages-split/libp11/usr/lib/engines-1.1
> > packages-split/libp11/usr/lib/engines-1.1/pkcs11.so
> > packages-split/libp11-dev/usr/lib/engines-1.1
> > packages-split/libp11-dev/usr/lib/engines-1.1/libpkcs11.so
> >
> > >
> > > The ssl-1.1/engines makes more sense to me..  as /usr/lib/engines-1.1 obscures
> > > that they are OpenSSL related.
> >
> > I don't have a strong opinion either way but ssl-1.1/engines does make
> > a bit more sense.
> > Debian appears to install them in engines-1.1 though:
> >  https://packages.debian.org/buster/amd64/libssl1.1/filelist
>
> It would be interesting to know when the path in the -native wrapper
> script stopped matching the path where the engines plugins are
> installed. ie was the wrapper script always wrong? Did the default
> install path used by openssl change at some point?

It's been wrong on and off with openssl 1.0 and I believe always wrong
with openssl 1.1.

>
> > I do need this fixed in warrior though and wonder if anyone would
> > gripe about changing where they are installed post release.
> >
> > How shall we proceed? Does anyone else want to chime in?
>
> The change being proposed is for the openssl-native wrapper script, so
> won't affect anything on the target.
>
> I'm curious why openssl-native needs engines plugins at all?

I need the pkcs11 engine for pkcs11 signing with an HSM. Unfortunately
for me most people won't notice if the wrapper doesn't match the
installed plugin path.