diff options
| author | Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> | 2016-10-28 10:22:35 +0300 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-06 23:35:32 +0000 |
| commit | ef1fa14260b98fde89ad82a211461c7ccfe63d2d (patch) | |
| tree | 6af5cfac47fc85769ebabba0b0192aca6844f0c4 /meta | |
| parent | 3d4c896b2a7585539fc60a465dd3781e93e4cc24 (diff) | |
| download | poky-ef1fa14260b98fde89ad82a211461c7ccfe63d2d.tar.gz | |
openssl: rehash actual mozilla certificates inside rootfs
The c_rehash utility is supposed to be run in the folder /etc/ssl/certs
of a rootfs where the package ca-certificates puts symlinks to
various CA certificates stored in /usr/share/ca-certificates/mozilla/.
These symlinks are absolute. This means that when c_rehash is run
at rootfs creation time it can't hash the actual files since they
actually reside in the build host's directory
$SYSROOT/usr/share/ca-certificates/mozilla/.
This problem doesn't reproduce when building on Debian or Ubuntu
hosts though, because these OSs have the certificates installed
in the same /usr/share/ca-certificates/mozilla/ folder.
Images built in other distros, e.g. Fedora, have problems with
connecting to https servers when using e.g. python's http lib.
The patch fixes c_rehash to check if it runs on a build host
by testing $SYSROOT and to translate the paths to certificates
accordingly.
(From OE-Core rev: 5199b990edf4d9784c19137d0ce9ef141cd85e46)
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh index f67f415544..25ea729ac1 100644 --- a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh +++ b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh | |||
| @@ -114,11 +114,11 @@ link_hash() | |||
| 114 | LINKFILE=${HASH}.${TAG}${SUFFIX} | 114 | LINKFILE=${HASH}.${TAG}${SUFFIX} |
| 115 | done | 115 | done |
| 116 | 116 | ||
| 117 | echo "${1} => ${LINKFILE}" | 117 | echo "${3} => ${LINKFILE}" |
| 118 | 118 | ||
| 119 | # assume any system with a POSIX shell will either support symlinks or | 119 | # assume any system with a POSIX shell will either support symlinks or |
| 120 | # do something to handle this gracefully | 120 | # do something to handle this gracefully |
| 121 | ln -s ${1} ${LINKFILE} | 121 | ln -s ${3} ${LINKFILE} |
| 122 | 122 | ||
| 123 | return 0 | 123 | return 0 |
| 124 | } | 124 | } |
| @@ -142,7 +142,19 @@ hash_dir() | |||
| 142 | 142 | ||
| 143 | ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE | 143 | ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE |
| 144 | do | 144 | do |
| 145 | check_file ${FILE} | 145 | REAL_FILE=${FILE} |
| 146 | # if we run on build host then get to the real files in rootfs | ||
| 147 | if [ -n "${SYSROOT}" -a -h ${FILE} ] | ||
| 148 | then | ||
| 149 | FILE=$( readlink ${FILE} ) | ||
| 150 | # check the symlink is absolute (or dangling in other word) | ||
| 151 | if [ "x/" == "x$( echo ${FILE} | cut -c1 -)" ] | ||
| 152 | then | ||
| 153 | REAL_FILE=${SYSROOT}/${FILE} | ||
| 154 | fi | ||
| 155 | fi | ||
| 156 | |||
| 157 | check_file ${REAL_FILE} | ||
| 146 | local FILE_TYPE=${?} | 158 | local FILE_TYPE=${?} |
| 147 | local TYPE_STR='' | 159 | local TYPE_STR='' |
| 148 | 160 | ||
| @@ -157,7 +169,7 @@ hash_dir() | |||
| 157 | continue | 169 | continue |
| 158 | fi | 170 | fi |
| 159 | 171 | ||
| 160 | link_hash ${FILE} ${TYPE_STR} | 172 | link_hash ${REAL_FILE} ${TYPE_STR} ${FILE} |
| 161 | done | 173 | done |
| 162 | } | 174 | } |
| 163 | 175 | ||