summaryrefslogtreecommitdiff
path: root/meta
diff options
context:
space:
mode:
authorDmitry Rozhkov <dmitry.rozhkov@linux.intel.com>2016-10-28 10:22:35 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-11-06 23:35:16 +0000
commit5199b990edf4d9784c19137d0ce9ef141cd85e46 (patch)
tree4348b5c04ba353907d2dd4e89ef51869ba36e0c1 /meta
parent1fe17c52e4d7ce1b9d69aaa2cd9d4b351a4b2603 (diff)
downloadopenembedded-core-5199b990edf4d9784c19137d0ce9ef141cd85e46.tar.gz
openembedded-core-5199b990edf4d9784c19137d0ce9ef141cd85e46.tar.bz2
openembedded-core-5199b990edf4d9784c19137d0ce9ef141cd85e46.zip
openssl: rehash actual mozilla certificates inside rootfs
The c_rehash utility is supposed to be run in the folder /etc/ssl/certs of a rootfs where the package ca-certificates puts symlinks to various CA certificates stored in /usr/share/ca-certificates/mozilla/. These symlinks are absolute. This means that when c_rehash is run at rootfs creation time it can't hash the actual files since they actually reside in the build host's directory $SYSROOT/usr/share/ca-certificates/mozilla/. This problem doesn't reproduce when building on Debian or Ubuntu hosts though, because these OSs have the certificates installed in the same /usr/share/ca-certificates/mozilla/ folder. Images built in other distros, e.g. Fedora, have problems with connecting to https servers when using e.g. python's http lib. The patch fixes c_rehash to check if it runs on a build host by testing $SYSROOT and to translate the paths to certificates accordingly. Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh20
1 files changed, 16 insertions, 4 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
index f67f415544..25ea729ac1 100644
--- a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
@@ -114,11 +114,11 @@ link_hash()
LINKFILE=${HASH}.${TAG}${SUFFIX}
done
- echo "${1} => ${LINKFILE}"
+ echo "${3} => ${LINKFILE}"
# assume any system with a POSIX shell will either support symlinks or
# do something to handle this gracefully
- ln -s ${1} ${LINKFILE}
+ ln -s ${3} ${LINKFILE}
return 0
}
@@ -142,7 +142,19 @@ hash_dir()
ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE
do
- check_file ${FILE}
+ REAL_FILE=${FILE}
+ # if we run on build host then get to the real files in rootfs
+ if [ -n "${SYSROOT}" -a -h ${FILE} ]
+ then
+ FILE=$( readlink ${FILE} )
+ # check the symlink is absolute (or dangling in other word)
+ if [ "x/" == "x$( echo ${FILE} | cut -c1 -)" ]
+ then
+ REAL_FILE=${SYSROOT}/${FILE}
+ fi
+ fi
+
+ check_file ${REAL_FILE}
local FILE_TYPE=${?}
local TYPE_STR=''
@@ -157,7 +169,7 @@ hash_dir()
continue
fi
- link_hash ${FILE} ${TYPE_STR}
+ link_hash ${REAL_FILE} ${TYPE_STR} ${FILE}
done
}