[OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path

Wed Sep 25 21:39:07 UTC 2019

On Wed, Sep 25, 2019 at 2:30 PM George McCollister
<george.mccollister at gmail.com> wrote:
>
> On Wed, Sep 25, 2019 at 1:34 PM Khem Raj <raj.khem at gmail.com> wrote:
> >
> > On 9/25/19 11:13 AM, George McCollister wrote:
> > > On Wed, Sep 25, 2019 at 11:08 AM Mark Hatle
> > > <mark.hatle at kernel.crashing.org> wrote:
> > >>
> > >> On 9/25/19 6:52 AM, George McCollister wrote:
> > >>> Set OPENSSL_ENGINES to the path where engines are actually installed.
> > >>>
> > >>> Signed-off-by: George McCollister <george.mccollister at gmail.com>
> > >>> ---
> > >>>   meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +-
> > >>>   1 file changed, 1 insertion(+), 1 deletion(-)
> > >>>
> > >>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > >>> index 072f727e0b..8819e19ec4 100644
> > >>> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > >>> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > >>> @@ -148,7 +148,7 @@ do_install_append_class-native () {
> > >>>            OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
> > >>>            SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
> > >>>            SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
> > >>> -         OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
> > >>> +         OPENSSL_ENGINES=${libdir}/engines-1.1
> > >>
> > >> Is this a bug in the openssl recipe (it's placing engines in the wrong place),
> > >> or a bug in the recipes providing acceleration engines and THEY are going into
> > >> the wrong place?
> > >
> > > This recipe installs:
> > > packages-split/openssl-engines/usr/lib/engines-1.1/afalg.so
> > > packages-split/openssl-engines/usr/lib/engines-1.1/padlock.so
> > > packages-split/openssl-engines/usr/lib/engines-1.1/capi.so
> > >
> > > libp11 in meta-oe installs these:
> > > packages-split/libp11/usr/lib/engines-1.1
> > > packages-split/libp11/usr/lib/engines-1.1/pkcs11.so
> > > packages-split/libp11-dev/usr/lib/engines-1.1
> > > packages-split/libp11-dev/usr/lib/engines-1.1/libpkcs11.so
> > >
> > >>
> > >> The ssl-1.1/engines makes more sense to me..  as /usr/lib/engines-1.1 obscures
> > >> that they are OpenSSL related.
> > >
> > > I don't have a strong opinion either way but ssl-1.1/engines does make
> > > a bit more sense.
> > > Debian appears to install them in engines-1.1 though:
> > >   https://packages.debian.org/buster/amd64/libssl1.1/filelist
> > >
> > > I do need this fixed in warrior though and wonder if anyone would
> > > gripe about changing where they are installed post release.
> > >
> > > How shall we proceed? Does anyone else want to chime in?
> > >
> >
> > Using /usr/lib/<package> is known jargon and lets use it. I think doing
> > it the way other distros are doing it and how upstream defaults are is
> > also helpful. it reduced one more thing to worry about. Release branches
> > should not be an issue as long as we have them packages in same output
> > package.
>
> It looks like Fedora is also using engines-1.1:
> https://apps.fedoraproject.org/packages/openssl-libs/
>
> I've found there is no Configure switch to set the engines directory.
> I believe it will require a patch to changes 3 - 4 lines in
> Configurations/unix-Makefile.tmpl.
> meta-oe/recipes-support/libp11/libp11_0.4.10.bb would also need to be
> changed to use the new path.
>
> Is carrying a custom patch to deviate from the upstream package and
> major distribution behavior really wise?
>

right. so lets not do it.

> If there is somewhat of a consensus to go that way knowing it requires
> a custom patch I'll send a patch for openssl and then one to fix
> libp11 (which the first patch will break).
>
> >
> > >>
> > >> --Mark
> > >>
> > >>>   }
> > >>>
> > >>>   do_install_append_class-nativesdk () {
> > >>>
> > >>
> > >> --
> > >> _______________________________________________
> > >> Openembedded-core mailing list
> > >> Openembedded-core at lists.openembedded.org
> > >> http://lists.openembedded.org/mailman/listinfo/openembedded-core
> > >
> > > -George
> > >
> >