* [PATCH] openssl: make ${PN}-bin rdepend on ${PN}
@ 2020-07-06 15:23 Hannu Lounento
  2020-07-06 21:32 ` [OE-core] " Richard Purdie
  0 siblings, 1 reply; 3+ messages in thread
From: Hannu Lounento @ 2020-07-06 15:23 UTC
  To: openembedded-core; +Cc: Hannu Lounento

Some openssl command line operations like creating an X.509 CSR require
the file /usr/lib/ssl-1.1/openssl.cnf to exist and fail if it doesn't

    root@qemux86-64:~# openssl req -out my.csr -new -newkey rsa:2048 -nodes -keyout my.key
    Can't open /usr/lib/ssl-1.1/openssl.cnf for reading, No such file or directory
    140289168594176:error:02001002:system library:fopen:No such file or directory:../openssl-1.1.1g/crypto/bio/bss_file.c:69:fopen('/usr/lib/ssl-1.1/openssl.cnf','r')
    140289168594176:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1g/crypto/bio/bss_file.c:76:

which is the case e.g. in core-image-minimal with just the
package openssl-bin added to the image by declaring

    IMAGE_INSTALL_append = " openssl-bin"

e.g. in local.conf.

The file does not exist in the aforementioned image / configuration
because it is packaged to the main openssl package

    FILES_${PN} =+ "${libdir}/ssl-1.1/*"

(there is no other FILES specification that would match the file either)
and

    path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-1.1.1g-r0.core2_64.rpm
    [...]
    /usr/lib/ssl-1.1/openssl.cnf
    [...]

Hence make the ${PN}-bin package rdepend on the main package to have the
required file /usr/lib/ssl-1.1/openssl.cnf installed.

Note that the openssl recipe has the comment

    Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
    package RRECOMMENDS on this package. This will enable the configuration
    file to be installed for both the openssl-bin package and the libcrypto
    package since the openssl-bin package depends on the libcrypto package.

but openssl-conf only contains /etc/ssl/openssl.cnf

    path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-conf-1.1.1g-r0.core2_64.rpm
    /etc
    /etc/ssl
    /etc/ssl/openssl.cnf

/usr/lib/ssl-1.1/openssl.cnf is actually only a symlink that points to
../../../etc/ssl/openssl.cnf.

Signed-off-by: Hannu Lounento <hannu.lounento@vaisala.com>
---
 meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
index 66fa8f7d0a..0ac40091fd 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
@@ -201,6 +201,7 @@ CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 
 RRECOMMENDS_libcrypto += "openssl-conf"
 RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash"
+RDEPENDS_${PN}-bin += "${PN}"
 
 BBCLASSEXTEND = "native nativesdk"
 
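Review bot: the added RDEPENDS_${PN}-bin += "${PN}" line makes openssl-bin pull in the whole main package for a path that the commit message itself identifies as only a symlink to /etc/ssl/openssl.cnf. The real file is in openssl-conf, which the context line above attaches only through RRECOMMENDS_libcrypto. Nothing in this hunk makes openssl-conf a hard dependency of openssl-bin, so an image that does not install recommended packages would get the symlink without its target and "openssl req" would still fail to open the file. Consider packaging ${libdir}/ssl-1.1/openssl.cnf in openssl-conf and having openssl-bin depend on openssl-conf directly, with a recipe comment that records why.
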
-- 
2.26.2



* Re: [OE-core] [PATCH] openssl: make ${PN}-bin rdepend on ${PN}
  2020-07-06 15:23 [PATCH] openssl: make ${PN}-bin rdepend on ${PN} Hannu Lounento
@ 2020-07-06 21:32 ` Richard Purdie
  2020-07-07 11:06   ` Hannu Lounento
  0 siblings, 1 reply; 3+ messages in thread
From: Richard Purdie @ 2020-07-06 21:32 UTC
  To: Hannu Lounento, openembedded-core

On Mon, 2020-07-06 at 18:23 +0300, Hannu Lounento wrote:
> Some openssl command line operations like creating an X.509 CSR require
> the file /usr/lib/ssl-1.1/openssl.cnf to exist and fail if it doesn't
> 
>     root@qemux86-64:~# openssl req -out my.csr -new -newkey rsa:2048 -nodes -keyout my.key
>     Can't open /usr/lib/ssl-1.1/openssl.cnf for reading, No such file or directory
>     140289168594176:error:02001002:system library:fopen:No such file or directory:../openssl-1.1.1g/crypto/bio/bss_file.c:69:fopen('/usr/lib/ssl-1.1/openssl.cnf','r')
>     140289168594176:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1g/crypto/bio/bss_file.c:76:
> 
> which is the case e.g. in core-image-minimal with just the
> package openssl-bin added to the image by declaring
> 
>     IMAGE_INSTALL_append = " openssl-bin"
> 
> e.g. in local.conf.
> 
> The file does not exist in the aforementioned image / configuration
> because it is packaged to the main openssl package
> 
>     FILES_${PN} =+ "${libdir}/ssl-1.1/*"
> 
> (there is no other FILES specification that would match the file either)
> and
> 
>     path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-1.1.1g-r0.core2_64.rpm
>     [...]
>     /usr/lib/ssl-1.1/openssl.cnf
>     [...]
> 
> Hence make the ${PN}-bin package rdepend on the main package to have the
> required file /usr/lib/ssl-1.1/openssl.cnf installed.
> 
> Note that the openssl recipe has the comment
> 
>     Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
>     package RRECOMMENDS on this package. This will enable the configuration
>     file to be installed for both the openssl-bin package and the libcrypto
>     package since the openssl-bin package depends on the libcrypto package.
> 
> but openssl-conf only contains /etc/ssl/openssl.cnf
> 
>     path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-conf-1.1.1g-r0.core2_64.rpm
>     /etc
>     /etc/ssl
>     /etc/ssl/openssl.cnf
> 
> /usr/lib/ssl-1.1/openssl.cnf is actually only a symlink that points to
> ../../../etc/ssl/openssl.cnf.
> 
> Signed-off-by: Hannu Lounento <hannu.lounento@vaisala.com>
> ---
>  meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 1 +
>  1 file changed, 1 insertion(+)

Perhaps the correct fix here is to move the config file in /usr to the
-conf package?

Cheers,

Richard



* Re: [OE-core] [PATCH] openssl: make ${PN}-bin rdepend on ${PN}
  2020-07-06 21:32 ` [OE-core] " Richard Purdie
@ 2020-07-07 11:06   ` Hannu Lounento
  0 siblings, 0 replies; 3+ messages in thread
From: Hannu Lounento @ 2020-07-07 11:06 UTC
  To: Richard Purdie, openembedded-core

On 07/07/2020 00:32, Richard Purdie wrote:
> On Mon, 2020-07-06 at 18:23 +0300, Hannu Lounento wrote:
>> Some openssl command line operations like creating an X.509 CSR require
>> the file /usr/lib/ssl-1.1/openssl.cnf to exist and fail if it doesn't
>>
>>      root@qemux86-64:~# openssl req -out my.csr -new -newkey rsa:2048 -nodes -keyout my.key
>>      Can't open /usr/lib/ssl-1.1/openssl.cnf for reading, No such file or directory
>>      140289168594176:error:02001002:system library:fopen:No such file or directory:../openssl-1.1.1g/crypto/bio/bss_file.c:69:fopen('/usr/lib/ssl-1.1/openssl.cnf','r')
>>      140289168594176:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1g/crypto/bio/bss_file.c:76:
>>
>> which is the case e.g. in core-image-minimal with just the
>> package openssl-bin added to the image by declaring
>>
>>      IMAGE_INSTALL_append = " openssl-bin"
>>
>> e.g. in local.conf.
>>
>> The file does not exist in the aforementioned image / configuration
>> because it is packaged to the main openssl package
>>
>>      FILES_${PN} =+ "${libdir}/ssl-1.1/*"
>>
>> (there is no other FILES specification that would match the file either)
>> and
>>
>>      path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-1.1.1g-r0.core2_64.rpm
>>      [...]
>>      /usr/lib/ssl-1.1/openssl.cnf
>>      [...]
>>
>> Hence make the ${PN}-bin package rdepend on the main package to have the
>> required file /usr/lib/ssl-1.1/openssl.cnf installed.
>>
>> Note that the openssl recipe has the comment
>>
>>      Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
>>      package RRECOMMENDS on this package. This will enable the configuration
>>      file to be installed for both the openssl-bin package and the libcrypto
>>      package since the openssl-bin package depends on the libcrypto package.
>>
>> but openssl-conf only contains /etc/ssl/openssl.cnf
>>
>>      path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-conf-1.1.1g-r0.core2_64.rpm
>>      /etc
>>      /etc/ssl
>>      /etc/ssl/openssl.cnf
>>
>> /usr/lib/ssl-1.1/openssl.cnf is actually only a symlink that points to
>> ../../../etc/ssl/openssl.cnf.
>>
>> Signed-off-by: Hannu Lounento <hannu.lounento@vaisala.com>
>> ---
>>   meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 1 +
>>   1 file changed, 1 insertion(+)
> 
> Perhaps the correct fix here is to move the config file in /usr to the
> -conf package?

Ok, I sent v2. I also moved /usr/lib/ssl-1.1/openssl.cnf.dist as it 
seemed closely related.

Hopefully the v2 is good because based on some quick research there have 
been fairly many changes related to the configuration file and its 
location due to various issues.

What I found out was that the commit 
4d3c79df13920b4f095ae12caf43e866318c3143 in 2013 moved the file from 
${PN}-misc to ${PN}-conf package and made libcrypto RRECOMMEND 
${PN}-conf. In 2018 the commit 13e0be4efc23fcc1a71adba1b6707ecf59fbae29 
moved the file into the main openssl package referencing a discussion on 
the mailing list:

     openssl: move the libdir openssl.cnf symlink into the openssl package

     The openssl 1.0 recipe puts the libdir symlink to /etc/ssl/openssl.cnf
     in the base openssl package (along with the libdir symlinks to
     /etc/ssl/certs and /etc/ssl/private). Keep the openssl 1.1 recipe
     aligned with that approach until there's a clear reason to do
     something else. For more background, see comments in the following
     thread:

     http://lists.openembedded.org/pipermail/openembedded-core/2017-April/135176.html

     (From OE-Core rev: 480335803928c95e7948f8c949127ccb5cbc7dbe)

     Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
     Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Additionally there were a few other openssl.cnf-related commits based on 
grepping the history but those didn't seem that relevant:

bd6052d9d1 buildtools-tarball: export OPENSSL_CONF for openssl
a842b02a87 openssl: Handle -conf package file conflicts
f9ad66da9f openssl-nativesdk: Fix "can't open config file" warning
c1ce0d9a9e lib/oe/rootfs: Fix DEBUGFS generation for opkg & openssl-cnf

A change related to the aforementioned mailing list discussion was done 
and reverted in 2017 but didn't seem relevant either:

7fe30a5df4 Revert "openssl: Fix symlink creation"
070f3aa74f openssl: Fix symlink creation

 >
 > Cheers,
 >
 > Richard
 >

Thanks,
-- 
Hannu Lounento
hannu.lounento@vaisala.com
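
The packaging options discussed in this thread (the original layout, the v1 RDEPENDS patch, and moving the symlink to the -conf package) can be compared with a small model. This is an added example, not code from the thread or from OE-core. The file lists for openssl-bin and libcrypto, the with_recommends switch and all function names are assumptions made for illustration; the symlink path, its target and the libcrypto RRECOMMENDS come from the messages above.

```python
import posixpath

LINK = "/usr/lib/ssl-1.1/openssl.cnf"    # path openssl req opens (from the thread)
TARGET = "../../../etc/ssl/openssl.cnf"  # symlink target (from the thread)

def make_packages(link_owner, bin_rdepends=()):
    """Constructed package model: file -> symlink target (None = regular file).
    The openssl-bin and libcrypto file lists are assumptions."""
    pkgs = {
        "openssl": {"files": {}, "rdepends": [], "rrecommends": []},
        "openssl-conf": {"files": {"/etc/ssl/openssl.cnf": None},
                         "rdepends": [], "rrecommends": []},
        "libcrypto": {"files": {"/usr/lib/libcrypto.so.1.1": None},
                      "rdepends": [], "rrecommends": ["openssl-conf"]},
        "openssl-bin": {"files": {"/usr/bin/openssl": None},
                        "rdepends": ["libcrypto", *bin_rdepends],
                        "rrecommends": []},
    }
    pkgs[link_owner]["files"][LINK] = TARGET
    return pkgs

def install(pkgs, wanted, with_recommends=True):
    """Resolve runtime dependencies and return the resulting rootfs file map."""
    todo, done, rootfs = list(wanted), set(), {}
    while todo:
        name = todo.pop()
        if name in done:
            continue
        done.add(name)
        rootfs.update(pkgs[name]["files"])
        todo += pkgs[name]["rdepends"]
        if with_recommends:  # False models an image without recommended packages
            todo += pkgs[name]["rrecommends"]
    return rootfs

def config_status(rootfs, path=LINK):
    """Return 'missing', 'dangling' or 'ok' for the config path in a rootfs."""
    if path not in rootfs:
        return "missing"
    if rootfs[path] is None:
        return "ok"
    resolved = posixpath.normpath(
        posixpath.join(posixpath.dirname(path), rootfs[path]))
    return "ok" if resolved in rootfs else "dangling"

def check(link_owner, bin_rdepends=(), with_recommends=True):
    """Status of the config path in an image that installs only openssl-bin."""
    pkgs = make_packages(link_owner, bin_rdepends)
    return config_status(install(pkgs, ["openssl-bin"], with_recommends))
```

In this model check("openssl") reproduces the missing file from the first message, and the variants differ only when recommended packages are not installed: the v1 layout then leaves a dangling symlink, while a hard dependency of openssl-bin on openssl-conf keeps the path resolvable.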
