diff options
author | Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> | 2016-10-28 10:22:35 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-06 23:35:16 +0000 |
commit | 5199b990edf4d9784c19137d0ce9ef141cd85e46 (patch) | |
tree | 4348b5c04ba353907d2dd4e89ef51869ba36e0c1 /meta | |
parent | 1fe17c52e4d7ce1b9d69aaa2cd9d4b351a4b2603 (diff) | |
download | openembedded-core-5199b990edf4d9784c19137d0ce9ef141cd85e46.tar.gz openembedded-core-5199b990edf4d9784c19137d0ce9ef141cd85e46.tar.bz2 openembedded-core-5199b990edf4d9784c19137d0ce9ef141cd85e46.zip |
openssl: rehash actual mozilla certificates inside rootfs
The c_rehash utility is supposed to be run in the folder /etc/ssl/certs
of a rootfs where the package ca-certificates puts symlinks to
various CA certificates stored in /usr/share/ca-certificates/mozilla/.
These symlinks are absolute. This means that when c_rehash is run
at rootfs creation time it can't hash the actual files since they
actually reside in the build host's directory
$SYSROOT/usr/share/ca-certificates/mozilla/.
This problem doesn't reproduce when building on Debian or Ubuntu
hosts though, because these OSs have the certificates installed
in the same /usr/share/ca-certificates/mozilla/ folder.
Images built in other distros, e.g. Fedora, have problems with
connecting to https servers when using e.g. python's http lib.
The patch fixes c_rehash to check if it runs on a build host
by testing $SYSROOT and to translate the paths to certificates
accordingly.
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh index f67f415544..25ea729ac1 100644 --- a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh +++ b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh @@ -114,11 +114,11 @@ link_hash() LINKFILE=${HASH}.${TAG}${SUFFIX} done - echo "${1} => ${LINKFILE}" + echo "${3} => ${LINKFILE}" # assume any system with a POSIX shell will either support symlinks or # do something to handle this gracefully - ln -s ${1} ${LINKFILE} + ln -s ${3} ${LINKFILE} return 0 } @@ -142,7 +142,19 @@ hash_dir() ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE do - check_file ${FILE} + REAL_FILE=${FILE} + # if we run on build host then get to the real files in rootfs + if [ -n "${SYSROOT}" -a -h ${FILE} ] + then + FILE=$( readlink ${FILE} ) + # check the symlink is absolute (or dangling in other word) + if [ "x/" == "x$( echo ${FILE} | cut -c1 -)" ] + then + REAL_FILE=${SYSROOT}/${FILE} + fi + fi + + check_file ${REAL_FILE} local FILE_TYPE=${?} local TYPE_STR='' @@ -157,7 +169,7 @@ hash_dir() continue fi - link_hash ${FILE} ${TYPE_STR} + link_hash ${REAL_FILE} ${TYPE_STR} ${FILE} done } |