[PATCH] feat(openssl-1.1): rework packaging

[PATCH] feat(openssl-1.1): rework packaging

[Andrej Valek]

The main ideas is to have libssl and libcrypto in separate packages.
This saves space if only single library is needed and also some recipes
(in other layers) depend on these library packages.
Together with this other packages like in 1.0.x were created.
The only difference is that openssl 1.1 has additional package openssl-bin.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Marko Peter <pater.marko@siemens.com>
---
 .../recipes-connectivity/openssl/openssl_1.1.0h.bb | 29 ++++++++++++++++------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
index 94b75eb92a..e5db9cffca 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
@@ -21,7 +21,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
 
 S = "${WORKDIR}/openssl-${PV}"
 
-inherit lib_package multilib_header ptest
+inherit lib_package multilib_header ptest relative_symlinks
 
 do_configure () {
 	os=${HOST_OS}
@@ -131,15 +131,25 @@ EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC"
 
 do_install () {
         oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
-        oe_multilib_header openssl/opensslconf.h
-}
 
-do_install_append_class-native () {
         # Install a custom version of c_rehash that can handle sysroots properly.
         # This version is used for example when installing ca-certificates during
         # image creation.
         install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
         sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
+
+        oe_multilib_header openssl/opensslconf.h
+
+        # Create SSL structure
+        install -d ${D}${sysconfdir}/ssl/
+        mv ${D}${libdir}/ssl-1.1/openssl.cnf \
+           ${D}${libdir}/ssl-1.1/certs \
+           ${D}${libdir}/ssl-1.1/private \
+           \
+           ${D}${sysconfdir}/ssl/
+        ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl-1.1/certs
+        ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl-1.1/private
+        ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl-1.1/openssl.cnf
 }
 
 do_install_ptest() {
@@ -154,8 +164,13 @@ do_install_ptest() {
 
 RDEPENDS_${PN}-ptest += "perl-module-file-spec-functions bash python"
 
+PACKAGES =+ "libcrypto libssl ${PN}-misc ${PN}-engines openssl-conf"
+FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES_libssl = "${libdir}/libssl${SOLIBS}"
 FILES_${PN} =+ " ${libdir}/ssl-1.1/*"
-
-PACKAGES =+ "${PN}-engines"
+FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
+RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
 FILES_${PN}-engines = "${libdir}/engines-1.1"
-
+FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+RRECOMMENDS_libcrypto += "openssl-conf"
-- 
2.11.0

[PATCH v2] feat(openssl-1.1): rework packaging

[Andrej Valek]

The main ideas is to have libssl and libcrypto in separate packages.
This saves space if only single library is needed and also some recipes
(in other layers) depend on these library packages.
Together with this other packages like in 1.0.x were created.
The only difference is that openssl 1.1 has additional package openssl-bin.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Marko Peter <peter.marko@siemens.com>
---
 .../recipes-connectivity/openssl/openssl_1.1.0h.bb | 29 ++++++++++++++++------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
index 94b75eb92a..e5db9cffca 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
@@ -21,7 +21,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
 
 S = "${WORKDIR}/openssl-${PV}"
 
-inherit lib_package multilib_header ptest
+inherit lib_package multilib_header ptest relative_symlinks
 
 do_configure () {
 	os=${HOST_OS}
@@ -131,15 +131,25 @@ EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC"
 
 do_install () {
         oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
-        oe_multilib_header openssl/opensslconf.h
-}
 
-do_install_append_class-native () {
         # Install a custom version of c_rehash that can handle sysroots properly.
         # This version is used for example when installing ca-certificates during
         # image creation.
         install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
         sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
+
+        oe_multilib_header openssl/opensslconf.h
+
+        # Create SSL structure
+        install -d ${D}${sysconfdir}/ssl/
+        mv ${D}${libdir}/ssl-1.1/openssl.cnf \
+           ${D}${libdir}/ssl-1.1/certs \
+           ${D}${libdir}/ssl-1.1/private \
+           \
+           ${D}${sysconfdir}/ssl/
+        ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl-1.1/certs
+        ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl-1.1/private
+        ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl-1.1/openssl.cnf
 }
 
 do_install_ptest() {
@@ -154,8 +164,13 @@ do_install_ptest() {
 
 RDEPENDS_${PN}-ptest += "perl-module-file-spec-functions bash python"
 
+PACKAGES =+ "libcrypto libssl ${PN}-misc ${PN}-engines openssl-conf"
+FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES_libssl = "${libdir}/libssl${SOLIBS}"
 FILES_${PN} =+ " ${libdir}/ssl-1.1/*"
-
-PACKAGES =+ "${PN}-engines"
+FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
+RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
 FILES_${PN}-engines = "${libdir}/engines-1.1"
-
+FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+RRECOMMENDS_libcrypto += "openssl-conf"
-- 
2.11.0

Re: [PATCH v2] feat(openssl-1.1): rework packaging

[Alexander Kanavin]

On 06/07/2018 10:32 AM, Andrej Valek wrote:
> -do_install_append_class-native () {
>           # Install a custom version of c_rehash that can handle sysroots properly.
>           # This version is used for example when installing ca-certificates during
>           # image creation.
>           install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
>           sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash

Why is this merged into the main do_install()? Please explain.

> +        # Create SSL structure
> +        install -d ${D}${sysconfdir}/ssl/
> +        mv ${D}${libdir}/ssl-1.1/openssl.cnf \
> +           ${D}${libdir}/ssl-1.1/certs \
> +           ${D}${libdir}/ssl-1.1/private \
> +           \
> +           ${D}${sysconfdir}/ssl/
> +        ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl-1.1/certs
> +        ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl-1.1/private
> +        ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl-1.1/openssl.cnf

Please explain this change as well. Resend the patch with the 
explanations included in the commit log or (better), the recipe itself.

I would like to keep the new openssl recipe short and simple, and so 
anything that adds lines and complication should be well justified. :)

Alex

Re: [PATCH v2] feat(openssl-1.1): rework packaging

[Alexander Kanavin]

On 06/07/2018 04:13 PM, Alexander Kanavin wrote:
> Please explain this change as well. Resend the patch with the 
> explanations included in the commit log or (better), the recipe itself.
> 
> I would like to keep the new openssl recipe short and simple, and so 
> anything that adds lines and complication should be well justified. :)

Oh, one more thing: I am maintaining a branch for the upcoming 1.1.1 
release here:
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=akanavin/openssl-1.1.1


so if you can give that a test, would be appreciated.

Alex

Re: [PATCH v2] feat(openssl-1.1): rework packaging

[Andrej Valek]

Hi Alex,

On 06/07/18 15:13, Alexander Kanavin wrote:
> On 06/07/2018 10:32 AM, Andrej Valek wrote:
>> -do_install_append_class-native () {
>>           # Install a custom version of c_rehash that can handle sysroots properly.
>>           # This version is used for example when installing ca-certificates during
>>           # image creation.
>>           install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
>>           sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
> 
> Why is this merged into the main do_install()? Please explain.
c_rehash was not working on target exactly as on native. (Same perl
erros). So I have copied this stuff from 1.0.2, it is working on both
platforms as well.
> 
>> +        # Create SSL structure
>> +        install -d ${D}${sysconfdir}/ssl/
>> +        mv ${D}${libdir}/ssl-1.1/openssl.cnf \
>> +           ${D}${libdir}/ssl-1.1/certs \
>> +           ${D}${libdir}/ssl-1.1/private \
>> +           \
>> +           ${D}${sysconfdir}/ssl/
>> +        ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl-1.1/certs
>> +        ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl-1.1/private
>> +        ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl-1.1/openssl.cnf
> 
> Please explain this change as well. Resend the patch with the 
> explanations included in the commit log or (better), the recipe itself.
During splitting to packages I have compared files with 1.0.2 and I
wanted to have same file structure. Anyway Debian is using this location
without modification and You don't like it, so I will revert it.

But note that bash-completion has the /etc path for openssl.cnf as
default search path... .
> 
> I would like to keep the new openssl recipe short and simple, and so 
> anything that adds lines and complication should be well justified. :)
> 
> Alex
> 

BR,
Andrej

Re: [PATCH v2] feat(openssl-1.1): rework packaging

[Andrej Valek]

Hi again,

after more testing, I think creating ${sysconfdir}/ssl links is highly
recommended. ca-certificate updating script (+ many other tools) has
hard-coded path to /etc/ssl. Debian has multiple links in /usr/lib/ssl/
to /etc/ssl/.

So I think, my previous patch is correct.

Now I am going to test your openssl-1.1.1 branch.

BR,
Andrej

On 06/08/18 08:33, Andrej Valek wrote:
> Hi Alex,
> 
> On 06/07/18 15:13, Alexander Kanavin wrote:
>> On 06/07/2018 10:32 AM, Andrej Valek wrote:
>>> -do_install_append_class-native () {
>>>           # Install a custom version of c_rehash that can handle sysroots properly.
>>>           # This version is used for example when installing ca-certificates during
>>>           # image creation.
>>>           install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
>>>           sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
>>
>> Why is this merged into the main do_install()? Please explain.
> c_rehash was not working on target exactly as on native. (Same perl
> erros). So I have copied this stuff from 1.0.2, it is working on both
> platforms as well.
>>
>>> +        # Create SSL structure
>>> +        install -d ${D}${sysconfdir}/ssl/
>>> +        mv ${D}${libdir}/ssl-1.1/openssl.cnf \
>>> +           ${D}${libdir}/ssl-1.1/certs \
>>> +           ${D}${libdir}/ssl-1.1/private \
>>> +           \
>>> +           ${D}${sysconfdir}/ssl/
>>> +        ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl-1.1/certs
>>> +        ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl-1.1/private
>>> +        ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl-1.1/openssl.cnf
>>
>> Please explain this change as well. Resend the patch with the 
>> explanations included in the commit log or (better), the recipe itself.
> During splitting to packages I have compared files with 1.0.2 and I
> wanted to have same file structure. Anyway Debian is using this location
> without modification and You don't like it, so I will revert it.
> 
> But note that bash-completion has the /etc path for openssl.cnf as
> default search path... .
>>
>> I would like to keep the new openssl recipe short and simple, and so 
>> anything that adds lines and complication should be well justified. :)
>>
>> Alex
>>
> 
> BR,
> Andrej
> 

Re: [PATCH v2] feat(openssl-1.1): rework packaging

[Alexander Kanavin]

On 06/08/2018 10:48 AM, Andrej Valek wrote:
> after more testing, I think creating ${sysconfdir}/ssl links is highly
> recommended. ca-certificate updating script (+ many other tools) has
> hard-coded path to /etc/ssl. Debian has multiple links in /usr/lib/ssl/
> to /etc/ssl/.

Right. Can you explain this in a comment in the recipe itself, and make 
the change as a separate commit please?

> c_rehash was not working on target exactly as on native. (Same perl
> erros). So I have copied this stuff from 1.0.2, it is working on both
> platforms as well.

Can you however try to look deeper into why it fails on target? For the 
target, I would much rather use the upstream's version than our custom 
script, so we don't have to deal with bit-rot and extra maintenance. The 
custom script then would only have a limited, controlled purpose of 
running under bitbake.

Alex

Re: [PATCH v2] feat(openssl-1.1): rework packaging

[Andrej Valek]

Hi
> On 06/08/2018 10:48 AM, Andrej Valek wrote:
>> after more testing, I think creating ${sysconfdir}/ssl links is highly
>> recommended. ca-certificate updating script (+ many other tools) has
>> hard-coded path to /etc/ssl. Debian has multiple links in /usr/lib/ssl/
>> to /etc/ssl/.
> 
> Right. Can you explain this in a comment in the recipe itself, and make 
> the change as a separate commit please?
OK, I will add it into recipe as separated commit.
> 
>> c_rehash was not working on target exactly as on native. (Same perl
>> erros). So I have copied this stuff from 1.0.2, it is working on both
>> platforms as well.
> 
> Can you however try to look deeper into why it fails on target? For the 
> target, I would much rather use the upstream's version than our custom 
> script, so we don't have to deal with bit-rot and extra maintenance. The 
> custom script then would only have a limited, controlled purpose of 
> running under bitbake.
Here is the log from unmodified c_rehash file on target:
./c_rehash
Unknown regexp modifier "/b" at ./c_rehash line 15, at end of line
Unknown regexp modifier "/W" at ./c_rehash line 28, at end of line
Unknown regexp modifier "/3" at ./c_rehash line 28, at end of line
Unknown regexp modifier "/2" at ./c_rehash line 28, at end of line
No such class installdir at ./c_rehash line 63, near "Prefix our installdir"
  (Might be a runaway multi-line // string starting on line 28)
syntax error at ./c_rehash line 63, near "Prefix our installdir"
Can't redeclare "my" in "my" at ./c_rehash line 68, near ""
Execution of ./c_rehash aborted due to compilation errors.
> 
> Alex
> 

Andrej

Re: [PATCH v2] feat(openssl-1.1): rework packaging

[Alexander Kanavin]

On 06/08/2018 02:31 PM, Andrej Valek wrote:
> Unknown regexp modifier "/b" at ./c_rehash line 15, at end of line
> Unknown regexp modifier "/W" at ./c_rehash line 28, at end of line
> Unknown regexp modifier "/3" at ./c_rehash line 28, at end of line
> Unknown regexp modifier "/2" at ./c_rehash line 28, at end of line
> No such class installdir at ./c_rehash line 63, near "Prefix our installdir"
>    (Might be a runaway multi-line // string starting on line 28)
> syntax error at ./c_rehash line 63, near "Prefix our installdir"
> Can't redeclare "my" in "my" at ./c_rehash line 68, near ""
> Execution of ./c_rehash aborted due to compilation errors.

A google search for the last line revealed that Debian has a patch to 
address this:

https://salsa.debian.org/debian/openssl/blob/debian/unstable/debian/patches/Revert-util-dofile.pl-only-quote-stuff-that-actually-need.patch

Alex

[PATCH v3 1/2] openssl-1.1: rework packaging

[Andrej Valek]

The main idea is to have libssl and libcrypto in separate packages.
This saves space if only single library is needed and also some recipes
(in other layers) depend on these library packages.
Together with this other packages like in 1.0.x were created.
The only difference is that openssl 1.1 has additional package openssl-bin.

Patch original c_rehash instead of overriding it with our own.
After applying patch from Debian c_rehash is working.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Marko Peter <peter.marko@siemens.com>
---
 ...le.pl-only-quote-stuff-that-actually-need.patch | 29 ++++++++++++++++++++++
 .../recipes-connectivity/openssl/openssl_1.1.0h.bb | 12 ++++++---
 2 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/debian/Revert-util-dofile.pl-only-quote-stuff-that-actually-need.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/debian/Revert-util-dofile.pl-only-quote-stuff-that-actually-need.patch b/meta/recipes-connectivity/openssl/openssl/debian/Revert-util-dofile.pl-only-quote-stuff-that-actually-need.patch
new file mode 100644
index 0000000000..25d3093e40
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/debian/Revert-util-dofile.pl-only-quote-stuff-that-actually-need.patch
@@ -0,0 +1,29 @@
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Wed, 28 Mar 2018 14:05:53 +0200
+Subject: Revert "util/dofile.pl: only quote stuff that actually needs
+ quoting"
+
+This reverts commit 77ba00bc. We ended up without the quotes.
+
+BTS: #894282
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ util/dofile.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/util/dofile.pl b/util/dofile.pl
+index fc72989b0fd9..a932941cd5ad 100644
+--- a/util/dofile.pl
++++ b/util/dofile.pl
+@@ -99,9 +99,9 @@ package main;
+ # This adds quotes (") around the given string, and escapes any $, @, \,
+ # " and ' by prepending a \ to them.
+ sub quotify1 {
+-    my $s = my $orig = shift @_;
++    my $s = shift @_;
+     $s =~ s/([\$\@\\"'])/\\$1/g;
+-    $s ne $orig || $s =~ /\s/ ? '"'.$s.'"' : $s;
++    '"'.$s.'"';
+ }
+ 
+ # quotify_l LIST
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
index 94b75eb92a..c8e0255b33 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://openssl-c_rehash.sh \
            file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
+           file://debian/Revert-util-dofile.pl-only-quote-stuff-that-actually-need.patch \
            "
 
 S = "${WORKDIR}/openssl-${PV}"
@@ -154,8 +155,13 @@ do_install_ptest() {
 
 RDEPENDS_${PN}-ptest += "perl-module-file-spec-functions bash python"
 
+PACKAGES =+ "libcrypto libssl ${PN}-misc ${PN}-engines openssl-conf"
+FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES_libssl = "${libdir}/libssl${SOLIBS}"
 FILES_${PN} =+ " ${libdir}/ssl-1.1/*"
-
-PACKAGES =+ "${PN}-engines"
+FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
+RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
 FILES_${PN}-engines = "${libdir}/engines-1.1"
-
+FILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
+CONFFILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
+RRECOMMENDS_libcrypto += "openssl-conf"
-- 
2.11.0

[PATCH v3 2/2] openssl-1.1: /etc/ssl location compatibility

[Andrej Valek]

Some packages has hard-coded path to /etc/ssl location.
Create a symlinks to correct location.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Marko Peter <peter.marko@siemens.com>
---
 meta/recipes-connectivity/openssl/openssl_1.1.0h.bb | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
index c8e0255b33..bef03c574e 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
@@ -22,7 +22,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
 
 S = "${WORKDIR}/openssl-${PV}"
 
-inherit lib_package multilib_header ptest
+inherit lib_package multilib_header ptest relative_symlinks
 
 do_configure () {
 	os=${HOST_OS}
@@ -133,6 +133,18 @@ EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC"
 do_install () {
         oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
         oe_multilib_header openssl/opensslconf.h
+
+        # Create SSL structure for PATH hard-coded packages like ca-certificates
+        # Debian is also using this technique
+        install -d ${D}${sysconfdir}/ssl/
+        mv ${D}${libdir}/ssl-1.1/openssl.cnf \
+           ${D}${libdir}/ssl-1.1/certs \
+           ${D}${libdir}/ssl-1.1/private \
+           \
+           ${D}${sysconfdir}/ssl/
+        ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl-1.1/certs
+        ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl-1.1/private
+        ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl-1.1/openssl.cnf
 }
 
 do_install_append_class-native () {
@@ -162,6 +174,6 @@ FILES_${PN} =+ " ${libdir}/ssl-1.1/*"
 FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
 RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
 FILES_${PN}-engines = "${libdir}/engines-1.1"
-FILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
-CONFFILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
+FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 RRECOMMENDS_libcrypto += "openssl-conf"
-- 
2.11.0

Re: [PATCH v3 1/2] openssl-1.1: rework packaging

[Alexander Kanavin]

2018-06-08 17:04 GMT+03:00 Andrej Valek <andrej.valek@siemens.com>:
> The main idea is to have libssl and libcrypto in separate packages.
> This saves space if only single library is needed and also some recipes
> (in other layers) depend on these library packages.
> Together with this other packages like in 1.0.x were created.
> The only difference is that openssl 1.1 has additional package openssl-bin.
>
> Patch original c_rehash instead of overriding it with our own.
> After applying patch from Debian c_rehash is working.

Can you split this in two different commits please?

Alex

Re: [PATCH v3 1/2] openssl-1.1: rework packaging

[Andrej Valek]

Hi Alex,

I have tested your branch and seems to be, that openssl is working
correctly.

We are now using original (perl) c_rehash script, but dependency to perl
is missing. Are you ok with adding runtime dependency to bin package?
Just for notice, it will install perl on target.

BR,
Andrej

On 06/08/18 17:57, Alexander Kanavin wrote:
> 2018-06-08 17:04 GMT+03:00 Andrej Valek <andrej.valek@siemens.com>:
>> The main idea is to have libssl and libcrypto in separate packages.
>> This saves space if only single library is needed and also some recipes
>> (in other layers) depend on these library packages.
>> Together with this other packages like in 1.0.x were created.
>> The only difference is that openssl 1.1 has additional package openssl-bin.
>>
>> Patch original c_rehash instead of overriding it with our own.
>> After applying patch from Debian c_rehash is working.
> 
> Can you split this in two different commits please?
> 
> Alex
> 

Re: [PATCH v3 1/2] openssl-1.1: rework packaging

[Alexander Kanavin]

On 06/11/2018 09:19 AM, Andrej Valek wrote:
> Hi Alex,
> 
> I have tested your branch and seems to be, that openssl is working
> correctly.
> 
> We are now using original (perl) c_rehash script, but dependency to perl
> is missing. Are you ok with adding runtime dependency to bin package?
> Just for notice, it will install perl on target.

Yes, of course. If c_rehash needs perl interpreter to run, then it has 
to pull it in.

Alex

[PATCH v4 1/3] openssl-1.1: fix c_rehash perl errors

[Andrej Valek]

Patch original c_rehash script with Debian patch instead
of overriding it with own version.

Error output from c_reshah without patching:
  Unknown regexp modifier "/b" at ./c_rehash line 15, at end of line
  Unknown regexp modifier "/W" at ./c_rehash line 28, at end of line
  Unknown regexp modifier "/3" at ./c_rehash line 28, at end of line
  Unknown regexp modifier "/2" at ./c_rehash line 28, at end of line
  No such class installdir at ./c_rehash line 63, near "Prefix our
  installdir"
    (Might be a runaway multi-line // string starting on line 28)
  syntax error at ./c_rehash line 63, near "Prefix our installdir"
  Can't redeclare "my" in "my" at ./c_rehash line 68, near ""
  Execution of ./c_rehash aborted due to compilation errors.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Marko Peter <peter.marko@siemens.com>
---
 ...le.pl-only-quote-stuff-that-actually-need.patch | 29 ++++++++++++++++++++++
 .../recipes-connectivity/openssl/openssl_1.1.0h.bb |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/debian/Revert-util-dofile.pl-only-quote-stuff-that-actually-need.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/debian/Revert-util-dofile.pl-only-quote-stuff-that-actually-need.patch b/meta/recipes-connectivity/openssl/openssl/debian/Revert-util-dofile.pl-only-quote-stuff-that-actually-need.patch
new file mode 100644
index 0000000000..25d3093e40
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/debian/Revert-util-dofile.pl-only-quote-stuff-that-actually-need.patch
@@ -0,0 +1,29 @@
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Wed, 28 Mar 2018 14:05:53 +0200
+Subject: Revert "util/dofile.pl: only quote stuff that actually needs
+ quoting"
+
+This reverts commit 77ba00bc. We ended up without the quotes.
+
+BTS: #894282
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ util/dofile.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/util/dofile.pl b/util/dofile.pl
+index fc72989b0fd9..a932941cd5ad 100644
+--- a/util/dofile.pl
++++ b/util/dofile.pl
+@@ -99,9 +99,9 @@ package main;
+ # This adds quotes (") around the given string, and escapes any $, @, \,
+ # " and ' by prepending a \ to them.
+ sub quotify1 {
+-    my $s = my $orig = shift @_;
++    my $s = shift @_;
+     $s =~ s/([\$\@\\"'])/\\$1/g;
+-    $s ne $orig || $s =~ /\s/ ? '"'.$s.'"' : $s;
++    '"'.$s.'"';
+ }
+ 
+ # quotify_l LIST
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
index 94b75eb92a..eddf53c992 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://openssl-c_rehash.sh \
            file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
+           file://debian/Revert-util-dofile.pl-only-quote-stuff-that-actually-need.patch \
            "
 
 S = "${WORKDIR}/openssl-${PV}"
-- 
2.11.0

[PATCH v4 2/3] openssl-1.1: rework packaging

[Andrej Valek]

The main idea is to have libssl and libcrypto in separate packages.
This saves space if only single library is needed and also some recipes
(in other layers) depend on these library packages.
Together with this other packages like in 1.0.x were created.
The only difference is that openssl 1.1 has additional package openssl-bin.

Add missing dependency to perl for openssl-bin pkg, c_rehash requires it.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Marko Peter <peter.marko@siemens.com>
---
 meta/recipes-connectivity/openssl/openssl_1.1.0h.bb | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
index eddf53c992..df05f3a2b7 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
@@ -155,8 +155,14 @@ do_install_ptest() {
 
 RDEPENDS_${PN}-ptest += "perl-module-file-spec-functions bash python"
 
+PACKAGES =+ "libcrypto libssl ${PN}-misc ${PN}-engines openssl-conf"
+RDEPENDS_${PN}-bin = "perl"
+FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES_libssl = "${libdir}/libssl${SOLIBS}"
 FILES_${PN} =+ " ${libdir}/ssl-1.1/*"
-
-PACKAGES =+ "${PN}-engines"
+FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
+RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
 FILES_${PN}-engines = "${libdir}/engines-1.1"
-
+FILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
+CONFFILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
+RRECOMMENDS_libcrypto += "openssl-conf"
-- 
2.11.0

[PATCH v4 3/3] openssl-1.1: /etc/ssl location compatibility

[Andrej Valek]

Some packages have hard-coded path to /etc/ssl location.
Create a symlinks to correct location.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Marko Peter <peter.marko@siemens.com>
---
 meta/recipes-connectivity/openssl/openssl_1.1.0h.bb | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
index df05f3a2b7..487219b600 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
@@ -22,7 +22,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
 
 S = "${WORKDIR}/openssl-${PV}"
 
-inherit lib_package multilib_header ptest
+inherit lib_package multilib_header ptest relative_symlinks
 
 do_configure () {
 	os=${HOST_OS}
@@ -133,6 +133,18 @@ EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC"
 do_install () {
         oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
         oe_multilib_header openssl/opensslconf.h
+
+        # Create SSL structure for PATH hard-coded packages like ca-certificates
+        # Debian is also using this technique
+        install -d ${D}${sysconfdir}/ssl/
+        mv ${D}${libdir}/ssl-1.1/openssl.cnf \
+           ${D}${libdir}/ssl-1.1/certs \
+           ${D}${libdir}/ssl-1.1/private \
+           \
+           ${D}${sysconfdir}/ssl/
+        ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl-1.1/certs
+        ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl-1.1/private
+        ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl-1.1/openssl.cnf
 }
 
 do_install_append_class-native () {
@@ -163,6 +175,6 @@ FILES_${PN} =+ " ${libdir}/ssl-1.1/*"
 FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
 RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
 FILES_${PN}-engines = "${libdir}/engines-1.1"
-FILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
-CONFFILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
+FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf ${libdir}/ssl-1.1/openssl.cnf"
+CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 RRECOMMENDS_libcrypto += "openssl-conf"
-- 
2.11.0

Re: [PATCH v3 1/2] openssl-1.1: rework packaging

[Peter Kjellerstedt]

> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org
> [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of
> Alexander Kanavin
> Sent: den 11 juni 2018 14:45
> To: Andrej Valek <andrej.valek@siemens.com>
> Cc: OE-core <openembedded-core@lists.openembedded.org>
> Subject: Re: [OE-core] [PATCH v3 1/2] openssl-1.1: rework packaging
> 
> On 06/11/2018 09:19 AM, Andrej Valek wrote:
> > Hi Alex,
> >
> > I have tested your branch and seems to be, that openssl is working
> > correctly.
> >
> > We are now using original (perl) c_rehash script, but dependency to perl
> > is missing. Are you ok with adding runtime dependency to bin package?
> > Just for notice, it will install perl on target.
> 
> Yes, of course. If c_rehash needs perl interpreter to run, then it has
> to pull it in.
> 
> Alex

Any reason the openssl-c_rehash.sh reimplementation of c_rehash 
as a shell script is not used for target with openssl-1.1? It is 
currently used for both native and target for openssl-1.0, and 
native for openssl-1.1. Using it would avoid the dependency on 
perl for target, which at least for us is not an option to have 
(and we do need c_rehash for target).

//Peter

Re: [PATCH v3 1/2] openssl-1.1: rework packaging

[Alexander Kanavin]

2018-06-11 20:54 GMT+03:00 Peter Kjellerstedt <peter.kjellerstedt@axis.com>:

> Any reason the openssl-c_rehash.sh reimplementation of c_rehash
> as a shell script is not used for target with openssl-1.1? It is
> currently used for both native and target for openssl-1.0, and
> native for openssl-1.1. Using it would avoid the dependency on
> perl for target, which at least for us is not an option to have
> (and we do need c_rehash for target).

Basically I do not want to maintain a custom script for the target to
keep it equivalent with an actively developed upstream implementation.
If you raise the perl issue to upstream and convince them to use the
shell version, that'd be best.

Alex

Re: [PATCH v4 3/3] openssl-1.1: /etc/ssl location compatibility

[Andrej Valek]

Hi Alex,

What is the current status of this upgrade? Are there still some open
points?

Cheers,
Andrej

On 06/11/18 15:30, Andrej Valek wrote:
> Some packages have hard-coded path to /etc/ssl location.
> Create a symlinks to correct location.
> 
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> Signed-off-by: Marko Peter <peter.marko@siemens.com>
> ---
>  meta/recipes-connectivity/openssl/openssl_1.1.0h.bb | 18 +++++++++++++++---
>  1 file changed, 15 insertions(+), 3 deletions(-)
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
> index df05f3a2b7..487219b600 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
> @@ -22,7 +22,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
>  
>  S = "${WORKDIR}/openssl-${PV}"
>  
> -inherit lib_package multilib_header ptest
> +inherit lib_package multilib_header ptest relative_symlinks
>  
>  do_configure () {
>  	os=${HOST_OS}
> @@ -133,6 +133,18 @@ EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC"
>  do_install () {
>          oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
>          oe_multilib_header openssl/opensslconf.h
> +
> +        # Create SSL structure for PATH hard-coded packages like ca-certificates
> +        # Debian is also using this technique
> +        install -d ${D}${sysconfdir}/ssl/
> +        mv ${D}${libdir}/ssl-1.1/openssl.cnf \
> +           ${D}${libdir}/ssl-1.1/certs \
> +           ${D}${libdir}/ssl-1.1/private \
> +           \
> +           ${D}${sysconfdir}/ssl/
> +        ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl-1.1/certs
> +        ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl-1.1/private
> +        ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl-1.1/openssl.cnf
>  }
>  
>  do_install_append_class-native () {
> @@ -163,6 +175,6 @@ FILES_${PN} =+ " ${libdir}/ssl-1.1/*"
>  FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
>  RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
>  FILES_${PN}-engines = "${libdir}/engines-1.1"
> -FILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
> -CONFFILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
> +FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf ${libdir}/ssl-1.1/openssl.cnf"
> +CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
>  RRECOMMENDS_libcrypto += "openssl-conf"
> 

Re: [PATCH v4 3/3] openssl-1.1: /etc/ssl location compatibility

[Alexander Kanavin]

No open issues from my side, please resend as Ross probably forgot to
pull it into his staging branch.

Alex

2018-07-09 14:06 GMT+02:00 Andrej Valek <andrej.valek@siemens.com>:
> Hi Alex,
>
> What is the current status of this upgrade? Are there still some open
> points?
>
> Cheers,
> Andrej
>
> On 06/11/18 15:30, Andrej Valek wrote:
>> Some packages have hard-coded path to /etc/ssl location.
>> Create a symlinks to correct location.
>>
>> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
>> Signed-off-by: Marko Peter <peter.marko@siemens.com>
>> ---
>>  meta/recipes-connectivity/openssl/openssl_1.1.0h.bb | 18 +++++++++++++++---
>>  1 file changed, 15 insertions(+), 3 deletions(-)
>>
>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
>> index df05f3a2b7..487219b600 100644
>> --- a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
>> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
>> @@ -22,7 +22,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
>>
>>  S = "${WORKDIR}/openssl-${PV}"
>>
>> -inherit lib_package multilib_header ptest
>> +inherit lib_package multilib_header ptest relative_symlinks
>>
>>  do_configure () {
>>       os=${HOST_OS}
>> @@ -133,6 +133,18 @@ EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC"
>>  do_install () {
>>          oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
>>          oe_multilib_header openssl/opensslconf.h
>> +
>> +        # Create SSL structure for PATH hard-coded packages like ca-certificates
>> +        # Debian is also using this technique
>> +        install -d ${D}${sysconfdir}/ssl/
>> +        mv ${D}${libdir}/ssl-1.1/openssl.cnf \
>> +           ${D}${libdir}/ssl-1.1/certs \
>> +           ${D}${libdir}/ssl-1.1/private \
>> +           \
>> +           ${D}${sysconfdir}/ssl/
>> +        ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl-1.1/certs
>> +        ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl-1.1/private
>> +        ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl-1.1/openssl.cnf
>>  }
>>
>>  do_install_append_class-native () {
>> @@ -163,6 +175,6 @@ FILES_${PN} =+ " ${libdir}/ssl-1.1/*"
>>  FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
>>  RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
>>  FILES_${PN}-engines = "${libdir}/engines-1.1"
>> -FILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
>> -CONFFILES_openssl-conf = "${libdir}/ssl-1.1/openssl.cnf"
>> +FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf ${libdir}/ssl-1.1/openssl.cnf"
>> +CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
>>  RRECOMMENDS_libcrypto += "openssl-conf"
>>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core