authorOtavio Salvador <otavio@ossystems.com.br>2019-03-19 13:36:50 -0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-03-19 23:50:41 +0000
commit15f2cefac48f0e1d8f0e921b858df2355da5bbcd (patch)
treee8649ab78c845a0ef25dfc3fb95261e70d6f6060
parent5f6156b32c9d17bdb06d67199373433b0e470cc7 (diff)
downloadpoky-15f2cefac48f0e1d8f0e921b858df2355da5bbcd.tar.gz
openssl: Remove the c_rehash shell re-implementation
We had a c_rehash shell re-implementation being used for the native package however the ca-certificates now uses the openssl rehash internal application so there is no use for the c_rehash anymore. (From OE-Core rev: 672b076158247f823a518b7c33b50c82272d6388) Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh222
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.1.1a.bb14
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates_20190110.bb2
3 files changed, 2 insertions, 236 deletions
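--- a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
+++ /dev/null
@@ -1,222 +0,0 @@
-#!/bin/sh
-#
-# Ben Secrest <blsecres@gmail.com>
-#
-# sh c_rehash script, scan all files in a directory
-# and add symbolic links to their hash values.
-#
-# based on the c_rehash perl script distributed with openssl
-#
-# LICENSE: See OpenSSL license
-# ^^acceptable?^^
-#
-
-# default certificate location
-DIR=/etc/openssl
-
-# for filetype bitfield
-IS_CERT=$(( 1 << 0 ))
-IS_CRL=$(( 1 << 1 ))
-
-
-# check to see if a file is a certificate file or a CRL file
-# arguments:
-# 1. the filename to be scanned
-# returns:
-# bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
-#
-check_file()
-{
- local IS_TYPE=0
-
- # make IFS a newline so we can process grep output line by line
- local OLDIFS=${IFS}
- IFS=$( printf "\n" )
-
- # XXX: could be more efficient to have two 'grep -m' but is -m portable?
- for LINE in $( grep '^-----BEGIN .*-----' ${1} )
- do
- if echo ${LINE} \
- | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
- then
- IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))
-
- if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
- then
- break
- fi
- elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
- then
- IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))
-
- if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
- then
- break
- fi
- fi
- done
-
- # restore IFS
- IFS=${OLDIFS}
-
- return ${IS_TYPE}
-}
-
-
-#
-# use openssl to fingerprint a file
-# arguments:
-# 1. the filename to fingerprint
-# 2. the method to use (x509, crl)
-# returns:
-# none
-# assumptions:
-# user will capture output from last stage of pipeline
-#
-fingerprint()
-{
- ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
-}
-
-
-#
-# link_hash - create links to certificate files
-# arguments:
-# 1. the filename to create a link for
-# 2. the type of certificate being linked (x509, crl)
-# returns:
-# 0 on success, 1 otherwise
-#
-link_hash()
-{
- local FINGERPRINT=$( fingerprint ${1} ${2} )
- local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
- local SUFFIX=0
- local LINKFILE=''
- local TAG=''
-
- if [ ${2} = "crl" ]
- then
- TAG='r'
- fi
-
- LINKFILE=${HASH}.${TAG}${SUFFIX}
-
- while [ -f ${LINKFILE} ]
- do
- if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
- then
- echo "NOTE: Skipping duplicate file ${1}" >&2
- return 1
- fi
-
- SUFFIX=$(( ${SUFFIX} + 1 ))
- LINKFILE=${HASH}.${TAG}${SUFFIX}
- done
-
- echo "${3} => ${LINKFILE}"
-
- # assume any system with a POSIX shell will either support symlinks or
- # do something to handle this gracefully
- ln -s ${3} ${LINKFILE}
-
- return 0
-}
-
-
-# hash_dir create hash links in a given directory
-hash_dir()
-{
- echo "Doing ${1}"
-
- cd ${1}
-
- ls -1 * 2>/dev/null | while read FILE
- do
- if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
- && [ -h "${FILE}" ]
- then
- rm ${FILE}
- fi
- done
-
- ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE
- do
- REAL_FILE=${FILE}
- # if we run on build host then get to the real files in rootfs
- if [ -n "${SYSROOT}" -a -h ${FILE} ]
- then
- FILE=$( readlink ${FILE} )
- # check the symlink is absolute (or dangling in other word)
- if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ]
- then
- REAL_FILE=${SYSROOT}/${FILE}
- fi
- fi
-
- check_file ${REAL_FILE}
- local FILE_TYPE=${?}
- local TYPE_STR=''
-
- if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
- then
- TYPE_STR='x509'
- elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
- then
- TYPE_STR='crl'
- else
- echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2
- continue
- fi
-
- link_hash ${REAL_FILE} ${TYPE_STR} ${FILE}
- done
-}
-
-
-# choose the name of an ssl application
-if [ -n "${OPENSSL}" ]
-then
- SSL_CMD=$(which ${OPENSSL} 2>/dev/null)
-else
- SSL_CMD=/usr/bin/openssl
- OPENSSL=${SSL_CMD}
- export OPENSSL
-fi
-
-# fix paths
-PATH=${PATH}:${DIR}/bin
-export PATH
-
-# confirm existance/executability of ssl command
-if ! [ -x ${SSL_CMD} ]
-then
- echo "${0}: rehashing skipped ('openssl' program not available)" >&2
- exit 0
-fi
-
-# determine which directories to process
-old_IFS=$IFS
-if [ ${#} -gt 0 ]
-then
- IFS=':'
- DIRLIST=${*}
-elif [ -n "${SSL_CERT_DIR}" ]
-then
- DIRLIST=$SSL_CERT_DIR
-else
- DIRLIST=${DIR}/certs
-fi
-
-IFS=':'
-
-# process directories
-for CERT_DIR in ${DIRLIST}
-do
- if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
- then
- IFS=$old_IFS
- hash_dir ${CERT_DIR}
- IFS=':'
- fi
-done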
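--- a/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
@@ -13,7 +13,6 @@ DEPENDS = "hostperl-runtime-native"
 
 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
  file://run-ptest \
- file://openssl-c_rehash.sh \
  file://0001-skip-test_symbol_presence.patch \
  file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
  file://afalg.patch \
@@ -150,12 +149,6 @@ do_install_append_class-native () {
  SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
  SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
  OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
-
- # Install a custom version of c_rehash that can handle sysroots properly.
- # This version is used for example when installing ca-certificates during
- # image creation.
- install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
- sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
 }
 
 do_install_append_class-nativesdk () {
@@ -197,14 +190,13 @@ FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
 FILES_libssl = "${libdir}/libssl${SOLIBS}"
 FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 FILES_${PN}-engines = "${libdir}/engines-1.1"
-FILES_${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash"
+FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
 FILES_${PN} =+ "${libdir}/ssl-1.1/*"
 FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
 
 CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 
 RRECOMMENDS_libcrypto += "openssl-conf"
-RDEPENDS_${PN}-misc = "perl"
 RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash"
 
 RPROVIDES_openssl-conf = "openssl10-conf"
@@ -212,7 +204,3 @@ RREPLACES_openssl-conf = "openssl10-conf"
 RCONFLICTS_openssl-conf = "openssl10-conf"
 
 BBCLASSEXTEND = "native nativesdk"
-
-inherit multilib_script
-
-MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"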
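Review bot: In the `@@ -197,14` hunk, `RDEPENDS_${PN}-misc = "perl"` and the `${bindir}/c_rehash` entry are removed for every class, and the last hunk drops the `MULTILIB_SCRIPTS` line, although the shell script being retired was only installed by `do_install_append_class-native`. `FILES_${PN}-misc` still collects `${libdir}/ssl-1.1/misc`, which upstream OpenSSL normally fills with Perl helpers such as `CA.pl`, and the upstream Perl `c_rehash` is presumably still installed into `${bindir}` for target builds (neither is visible in these hunks), so both would ship without a declared perl dependency. I would keep `RDEPENDS_${PN}-misc = "perl"` and either keep `${bindir}/c_rehash` in `FILES_${PN}-misc` or delete the script in the target install step with `rm -f ${D}${bindir}/c_rehash`. A comment next to the FILES line such as `# c_rehash (Perl) is superseded by 'openssl rehash'` would record why.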
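--- a/meta/recipes-support/ca-certificates/ca-certificates_20190110.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20190110.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://debian/copyright;md5=aeb420429b1659507e0a5a1b123e8308
 DEPENDS = ""
 DEPENDS_class-native = "openssl-native"
 DEPENDS_class-nativesdk = "openssl-native"
-# Need c_rehash from openssl and run-parts from debianutils
+# Need rehash from openssl and run-parts from debianutils
 PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
 
 SRCREV = "c28799b138b044c963d24c4a69659b6e5486e3be"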
17SRCREV = "c28799b138b044c963d24c4a69659b6e5486e3be" 17SRCREV = "c28799b138b044c963d24c4a69659b6e5486e3be"