From b54b20eb868b68379c792efab0baf8a15cd8a283 Mon Sep 17 00:00:00 2001 From: Samuli Piippo Date: Wed, 9 Sep 2015 14:00:35 +0300 Subject: Fix c_rehash run during image creation Add support to run c_rehash using SYSROOT environment variable, so that it can create hashes for the certificates during rootfs build phase of image creation. Change-Id: Ib60d4f9c217334ab7abba98dc07efd2ef8d1c7a5 Task-number: QTEE-971 Reviewed-by: Joerg Bornemann
---
.../openssl/0001-Support-SYSROOT-in-c_rehash.patch | 98 ++++++++++++++++++++++ recipes/openssl/openssl_1.%.bbappend | 3 + 2 files changed, 101 insertions(+) create mode 100644 recipes/openssl/openssl/0001-Support-SYSROOT-in-c_rehash.patch (limited to 'recipes/openssl')
diff --git a/recipes/openssl/openssl/0001-Support-SYSROOT-in-c_rehash.patch b/recipes/openssl/openssl/0001-Support-SYSROOT-in-c_rehash.patch
new file mode 100644
index 0000000..01775eb
--- /dev/null
+++ b/recipes/openssl/openssl/0001-Support-SYSROOT-in-c_rehash.patch
@@ -0,0 +1,98 @@
+From 6b833a7767c25b60fb0bb8dcc00484df19946288 Mon Sep 17 00:00:00 2001
+From: Samuli Piippo
+Date: Wed, 9 Sep 2015 13:37:28 +0300
+Subject: [PATCH] Support SYSROOT in c_rehash
+
+update-ca-certificates is ran during image creation, which in turn runs
+c_rehash. Since the symlinks in /etc/ssl/certs/ are pointing to absolute
+location, c_rehash does not find the actual files. Add support for SYSROOT
+environment variable and use it to locate the actual files during image
+creation.
+
+Upstream-status: Pending
+
+---
+ tools/c_rehash.in | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index f8d0ce1..e81ec5b 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -5,6 +5,7 @@
+ # and add symbolic links to their hash values.
+
+ my $openssl;
++my $sysroot;
+
+ my $dir;
+ my $prefix;
+@@ -16,6 +17,10 @@ if(defined $ENV{OPENSSL}) {
+ $ENV{OPENSSL} = $openssl;
+ }
+
++if(defined $ENV{SYSROOT}) {
++ $sysroot = $ENV{SYSROOT};
++}
++
+ my $pwd;
+ eval "require Cwd";
+ if (defined(&Cwd::getcwd)) {
+@@ -76,15 +81,16 @@ sub hash_dir {
+ }
+ closedir DIR;
+ FILE: foreach $fname (grep {/\.pem$/} @flist) {
++ $fullname = $sysroot . readlink($fname);
+ # Check to see if certificates and/or CRLs present.
+- my ($cert, $crl) = check_file($fname);
++ my ($cert, $crl) = check_file($fullname);
+ if(!$cert && !$crl) {
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+ next;
+ }
+- link_hash_cert($fname) if($cert);
+- link_hash_cert_old($fname) if($cert);
+- link_hash_crl($fname) if($crl);
++ link_hash_cert($fname, $fullname) if($cert);
++ link_hash_cert_old($fname, $fullname) if($cert);
++ link_hash_crl($fname, $fullname) if($crl);
+ }
+ }
+
+@@ -117,9 +123,10 @@ sub check_file {
+
+ sub link_hash_cert {
+ my $fname = $_[0];
+- my $hashopt = $_[1] || '-subject_hash';
+- $fname =~ s/'/'\\''/g;
+- my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
++ my $fullname = $_[1];
++ my $hashopt = $_[2] || '-subject_hash';
++ $fullname =~ s/'/'\\''/g;
++ my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fullname"`;
+ chomp $hash;
+ chomp $fprint;
+ $fprint =~ s/^.*=//;
+@@ -150,15 +157,16 @@ sub link_hash_cert {
+ }
+
+ sub link_hash_cert_old {
+- link_hash_cert($_[0], '-subject_hash_old');
++ link_hash_cert($_[0], $_[1], '-subject_hash_old');
+ }
+
+ # Same as above except for a CRL. CRL links are of the form .r
+
+ sub link_hash_crl {
+ my $fname = $_[0];
+- $fname =~ s/'/'\\''/g;
+- my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
++ my $fullname = $_[1];
++ $fullname =~ s/'/'\\''/g;
++ my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fullname'`;
+ chomp $hash;
+ chomp $fprint;
+ $fprint =~ s/^.*=//;
+--
+1.9.1
+
diff --git a/recipes/openssl/openssl_1.%.bbappend b/recipes/openssl/openssl_1.%.bbappend
index 461cb45..ce68b59 100644
--- a/recipes/openssl/openssl_1.%.bbappend
+++ b/recipes/openssl/openssl_1.%.bbappend
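Review bot: In `hash_dir`, the added `$fullname = $sysroot . readlink($fname);` assumes every `.pem` entry is an absolute symlink and that SYSROOT is set; for a regular file `readlink` returns undef, so `check_file` is handed an empty or sysroot-only path and the certificate is presumably skipped, leaving it out of the hashed trust directory on an ordinary run. Falling back to the entry itself would keep the previous behaviour, e.g. `my $target = -l $fname ? readlink($fname) : undef;` followed by `my $fullname = (defined $sysroot && defined $target && $target =~ m{^/}) ? $sysroot . $target : $fname;`. Separately, `link_hash_cert` escapes single quotes in `$fullname` but then interpolates it as `-in "$fullname"` inside the backtick command, so the escaping does not match the quoting and shell metacharacters in a link target or in SYSROOT are interpreted by the shell; `-in '$fullname'` as in `link_hash_crl`, or a list-form pipe `open`, would avoid that. The bodies of `hash_dir`, `link_hash_cert` and `link_hash_crl` continue outside the inner hunks, so `check_file` and the later symlink creation could not be checked here.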
@@ -20,6 +20,9 @@ ## ############################################################################# +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" +SRC_URI += "file://0001-Support-SYSROOT-in-c_rehash.patch" + PACKAGECONFIG += "perl" do_install_append () { -- cgit v1.2.3-54-g00ecf