Re: downgrade openssl libraryes

Home Messages Hashtags Subgroups

#54617

Re: downgrade openssl libraryes

Bas Mevissen #54617 On 2021-08-30 16:56, Ivan Riabtsov wrote: I have phytec imx6ul board with a preinstalled os. On this os opessl version is 1.0.2j i need to build nginx for this board, but i can't build yocto same version as i have on board, so I grabbed a newer version of yocto from phytec site, rolled back glibc and try to roll back openssl. I do not want to flash the device, as I'm afraid to get brick Why are you afraid to brick the device? You can use mfgtool to reflash the device from scratch, including u-boot. It works with a special boot mode pin setting and uses an USB port. Depending on the board, one might need to buy or create a custom cable. Bas. пн, 30 авг. 2021 г. в 16:51, Alexander Kanavin <alex.kanavin@...>: openssl 1.0.2 went out of support at the end of 2019 and you should not be using it. What is the problem you need to solve? Alex On Mon, 30 Aug 2021 at 15:33, Ivan Riabtsov <ivriabtsov@...> wrote: hello i am trying to rollback openssl version from 1.1.1i to 1.0.2j. Copied the recipe openssl_1.1.1i.bb to openssl_1.0.2j.bb, saved the openssl_1.1.1i.bb version with the name openssl_1.1.1i.bb.backup Отредактировал новый файл, вот разница в файлах: diff -Nau ./openssl_1.1.1i.bb.backup ./openssl_1.0.2j.bb --- ./openssl_1.1.1i.bb.backup 2021-08-27 14:46:07.085808702 +0300 +++ ./openssl_1.0.2j.bb 2021-08-27 16:12:14.216430734 +0300 @@ -7,23 +7,19 @@ # "openssl" here actually means both OpenSSL and SSLeay licenses apply # (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) LICENSE = "openssl" -LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" +LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6" DEPENDS = "hostperl-runtime-native" SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://run-ptest \ - file://0001-skip-test_symbol_presence.patch \ - file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ - file://afalg.patch \ - file://reproducible.patch \ " SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242" +SRC_URI[sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431" inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" @@ -122,7 +118,7 @@ # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the # environment variables set by bitbake. Adjust the environment variables instead. HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.0 --libdir=${libdir} $target perl ${B}/configdata.pm --dump } @@ -134,30 +130,30 @@ # Create SSL structure for packages such as ca-certificates which # contain hard-coded paths to /etc/ssl. Debian does the same. install -d ${D}${sysconfdir}/ssl - mv ${D}${libdir}/ssl-1.1/certs \ - ${D}${libdir}/ssl-1.1/private \ - ${D}${libdir}/ssl-1.1/openssl.cnf \ + mv ${D}${libdir}/ssl-1.0/certs \ + ${D}${libdir}/ssl-1.0/private \ + ${D}${libdir}/ssl-1.0/openssl.cnf \ ${D}${sysconfdir}/ssl/ # Although absolute symlinks would be OK for the target, they become # invalid if native or nativesdk are relocated from sstate. - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf + ln -sf ${@oe.path.relative('${libdir}/ssl-1.0', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.0/certs + ln -sf ${@oe.path.relative('${libdir}/ssl-1.0', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.0/private + ln -sf ${@oe.path.relative('${libdir}/ssl-1.0', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.0/openssl.cnf } do_install_append_class-native () { create_wrapper ${D}${bindir}/openssl \ - OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \ - SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ - SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ - OPENSSL_ENGINES=${libdir}/engines-1.1 + OPENSSL_CONF=${libdir}/ssl-1.0/openssl.cnf \ + SSL_CERT_DIR=${libdir}/ssl-1.0/certs \ + SSL_CERT_FILE=${libdir}/ssl-1.0/cert.pem \ + OPENSSL_ENGINES=${libdir}/engines-1.0 } do_install_append_class-nativesdk () { mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh - sed 's\|/usr/lib/ssl/\|/usr/lib/ssl-1.1/\|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh + sed 's\|/usr/lib/ssl/\|/usr/lib/ssl-1.0/\|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh } PTEST_BUILD_HOST_FILES += "configdata.pm" @@ -170,8 +166,8 @@ cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH} # For test_shlibload - ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/ - ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/ + ln -s ${libdir}/libcrypto.so.1.0 ${D}${PTEST_PATH}/ + ln -s ${libdir}/libssl.so.1.0 ${D}${PTEST_PATH}/ install -d ${D}${PTEST_PATH}/apps ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps @@ -192,11 +188,11 @@ FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" FILES_libssl = "${libdir}/libssl${SOLIBS}" FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf \ - ${libdir}/ssl-1.1/openssl.cnf* \ + ${libdir}/ssl-1.0/openssl.cnf* \ " -FILES_${PN}-engines = "${libdir}/engines-1.1" -FILES_${PN}-misc = "${libdir}/ssl-1.1/misc" -FILES_${PN} =+ "${libdir}/ssl-1.1/" +FILES_${PN}-engines = "${libdir}/engines-1.0" +FILES_${PN}-misc = "${libdir}/ssl-1.0/misc" +FILES_${PN} =+ "${libdir}/ssl-1.0/" FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" вот новый получившийся файл: cat openssl_1.0.2j.bb SUMMARY = "Secure Socket Layer" DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." HOMEPAGE = "http://www.openssl.org/" BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" SECTION = "libs/network" # "openssl" here actually means both OpenSSL and SSLeay licenses apply # (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) LICENSE = "openssl" LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6" DEPENDS = "hostperl-runtime-native" SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://run-ptest \ " SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " SRC_URI[sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431" inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" PACKAGECONFIG ?= "" PACKAGECONFIG_class-native = "" PACKAGECONFIG_class-nativesdk = "" PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" B = "${WORKDIR}/build" do_configure[cleandirs] = "${B}" #\| ./libcrypto.so: undefined reference to `getcontext' #\| ./libcrypto.so: undefined reference to `setcontext' #\| ./libcrypto.so: undefined reference to `makecontext' EXTRA_OECONF_append_libc-musl = " no-async" EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm" # adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions # (native versions can be built with newer glibc, but then relocated onto a system with older glibc) EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom" EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom" # Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" do_configure () { os=${HOST_OS} case $os in linux-gnueabi \|\ linux-gnuspe \|\ linux-musleabi \|\ linux-muslspe \|\ linux-musl ) os=linux ;; ) ;; esac target="$os-${HOST_ARCH}" case $target in linux-arm) target=linux-armv4 ;; linux-aarch64) target=linux-aarch64 ;; linux-i?86 \| linux-viac3) target=linux-x86 ;; linux-gnux32-x86_64 \| linux-muslx32-x86_64 ) target=linux-x32 ;; linux-gnu64-x86_64) target=linux-x86_64 ;; linux-mips \| linux-mipsel) # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags target="linux-mips32 ${TARGET_CC_ARCH}" ;; linux-gnun32-mips) target=linux-mips64 ;; linux--mips64 \| linux-mips64 \| linux--mips64el \| linux-mips64el) target=linux64-mips64 ;; linux-microblaze* \| linux-nios2* \| linux-sh3 \| linux-sh4 \| linux-arc) target=linux-generic32 ;; linux-powerpc) target=linux-ppc ;; linux-powerpc64) target=linux-ppc64 ;; linux-powerpc64le) target=linux-ppc64le ;; linux-riscv32) target=linux-generic32 ;; linux-riscv64) target=linux-generic64 ;; linux-sparc \| linux-supersparc) target=linux-sparcv9 ;; esac useprefix=${prefix} if [ "x$useprefix" = "x" ]; then useprefix=/ fi # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the # environment variables set by bitbake. Adjust the environment variables instead. HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.0 --libdir=${libdir} $target perl ${B}/configdata.pm --dump } do_install () { oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install oe_multilib_header openssl/opensslconf.h # Create SSL structure for packages such as ca-certificates which # contain hard-coded paths to /etc/ssl. Debian does the same. install -d ${D}${sysconfdir}/ssl mv ${D}${libdir}/ssl-1.0/certs \ ${D}${libdir}/ssl-1.0/private \ ${D}${libdir}/ssl-1.0/openssl.cnf \ ${D}${sysconfdir}/ssl/ # Although absolute symlinks would be OK for the target, they become # invalid if native or nativesdk are relocated from sstate. ln -sf ${@oe.path.relative('${libdir}/ssl-1.0', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.0/certs ln -sf ${@oe.path.relative('${libdir}/ssl-1.0', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.0/private ln -sf ${@oe.path.relative('${libdir}/ssl-1.0', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.0/openssl.cnf } do_install_append_class-native () { create_wrapper ${D}${bindir}/openssl \ OPENSSL_CONF=${libdir}/ssl-1.0/openssl.cnf \ SSL_CERT_DIR=${libdir}/ssl-1.0/certs \ SSL_CERT_FILE=${libdir}/ssl-1.0/cert.pem \ OPENSSL_ENGINES=${libdir}/engines-1.0 } do_install_append_class-nativesdk () { mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh sed 's\|/usr/lib/ssl/\|/usr/lib/ssl-1.0/\|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh } PTEST_BUILD_HOST_FILES += "configdata.pm" PTEST_BUILD_HOST_PATTERN = "perl_version =" do_install_ptest () { # Prune the build tree rm -f ${B}/fuzz/.* ${B}/test/. cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH} cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH} # For test_shlibload ln -s ${libdir}/libcrypto.so.1.0 ${D}${PTEST_PATH}/ ln -s ${libdir}/libssl.so.1.0 ${D}${PTEST_PATH}/ install -d ${D}${PTEST_PATH}/apps ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps install -m644 ${S}/apps/.pem ${S}/apps/.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps install -d ${D}${PTEST_PATH}/engines install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines } # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto # package RRECOMMENDS on this package. This will enable the configuration # file to be installed for both the openssl-bin package and the libcrypto # package since the openssl-bin package depends on the libcrypto package. PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" FILES_libssl = "${libdir}/libssl${SOLIBS}" FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf \ ${libdir}/ssl-1.0/openssl.cnf* \ " FILES_${PN}-engines = "${libdir}/engines-1.0" FILES_${PN}-misc = "${libdir}/ssl-1.0/misc" FILES_${PN} =+ "${libdir}/ssl-1.0/*" FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" RRECOMMENDS_libcrypto += "openssl-conf" RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash" RDEPENDS_${PN}-bin += "openssl-conf" BBCLASSEXTEND = "native nativesdk" CVE_PRODUCT = "openssl:openssl" # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 # Apache in meta-webserver is already recent enough CVE_CHECK_WHITELIST += "CVE-2019-0190" I understand that I need to figure out the configs yourself, but I get this error when executing the bitbake openssl-native ERROR: Execution of '/home/ivr/work/yocto_orig/build/tmp/work/x86_64-linux/openssl-native/1.0.2j-r0/temp/run.do_configure.1071458' failed with exit code 2: \| unable to read opensslv.h:No such file or directory \| Configuring for linux-x86_64 \| no-devcryptoeng [option] OPENSSL_NO_DEVCRYPTOENG (skip dir) \| no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) \| no-gmp [default] OPENSSL_NO_GMP (skip dir) \| no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir) \| no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5 \| no-libunbound [experimental] OPENSSL_NO_LIBUNBOUND (skip dir) \| no-md2 [default] OPENSSL_NO_MD2 (skip dir) \| no-rc5 [default] OPENSSL_NO_RC5 (skip dir) \| no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir) \| no-sctp [default] OPENSSL_NO_SCTP (skip dir) \| no-shared [default] \| no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) \| no-ssl2 [default] OPENSSL_NO_SSL2 (skip dir) \| no-store [experimental] OPENSSL_NO_STORE (skip dir) \| no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) \| no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) \| no-zlib [default] \| no-zlib-dynamic [default] \| IsMK1MF=0 \| WARNING: exit code 2 from a shell command. \| As far as I can understand, the opensslv.h file is generated just at the configuration stage, why does the configuration stage give an error of the absence of this file?
More All Messages By This Member

View All 4 Messages In Topic

#54617

Join yocto@lists.yoctoproject.org to automatically receive all group messages.

Home Hashtags Subgroups Terms