diff options
| author |   Otavio Salvador <otavio@ossystems.com.br> | 2019-03-19 13:36:50 -0300 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-03-19 17:38:36 +0000 |
| commit | 672b076158247f823a518b7c33b50c82272d6388 (patch) | |
| tree | b54103cd9b94c020eca6e34f26b06bb7963e13b9 /meta/recipes-connectivity | |
| parent | 44fac788b4ba3614439d7329f645bfffeee7a2bb (diff) | |
| download | openembedded-core-contrib-672b076158247f823a518b7c33b50c82272d6388.tar.gz | |
openssl: Remove the c_rehash shell re-implementation
We had a c_rehash shell re-implementation being used for the native
package however the ca-certificates now uses the openssl rehash
internal application so there is no use for the c_rehash anymore.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh | 222 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.1.1a.bb | 14 |
2 files changed, 1 insertions, 235 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh deleted file mode 100644 index 6620fdcb53..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh +++ /dev/null @@ -1,222 +0,0 @@ -#!/bin/sh -# -# Ben Secrest <blsecres@gmail.com> -# -# sh c_rehash script, scan all files in a directory -# and add symbolic links to their hash values. -# -# based on the c_rehash perl script distributed with openssl -# -# LICENSE: See OpenSSL license -# ^^acceptable?^^ -# - -# default certificate location -DIR=/etc/openssl - -# for filetype bitfield -IS_CERT=$(( 1 << 0 )) -IS_CRL=$(( 1 << 1 )) - - -# check to see if a file is a certificate file or a CRL file -# arguments: -# 1. the filename to be scanned -# returns: -# bitfield of file type; uses ${IS_CERT} and ${IS_CRL} -# -check_file() -{ - local IS_TYPE=0 - - # make IFS a newline so we can process grep output line by line - local OLDIFS=${IFS} - IFS=$( printf "\n" ) - - # XXX: could be more efficient to have two 'grep -m' but is -m portable? - for LINE in $( grep '^-----BEGIN .*-----' ${1} ) - do - if echo ${LINE} \ - | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} )) - - if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ] - then - break - fi - elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} )) - - if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ] - then - break - fi - fi - done - - # restore IFS - IFS=${OLDIFS} - - return ${IS_TYPE} -} - - -# -# use openssl to fingerprint a file -# arguments: -# 1. the filename to fingerprint -# 2. the method to use (x509, crl) -# returns: -# none -# assumptions: -# user will capture output from last stage of pipeline -# -fingerprint() -{ - ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':' -} - - -# -# link_hash - create links to certificate files -# arguments: -# 1. the filename to create a link for -# 2. the type of certificate being linked (x509, crl) -# returns: -# 0 on success, 1 otherwise -# -link_hash() -{ - local FINGERPRINT=$( fingerprint ${1} ${2} ) - local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} ) - local SUFFIX=0 - local LINKFILE='' - local TAG='' - - if [ ${2} = "crl" ] - then - TAG='r' - fi - - LINKFILE=${HASH}.${TAG}${SUFFIX} - - while [ -f ${LINKFILE} ] - do - if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ] - then - echo "NOTE: Skipping duplicate file ${1}" >&2 - return 1 - fi - - SUFFIX=$(( ${SUFFIX} + 1 )) - LINKFILE=${HASH}.${TAG}${SUFFIX} - done - - echo "${3} => ${LINKFILE}" - - # assume any system with a POSIX shell will either support symlinks or - # do something to handle this gracefully - ln -s ${3} ${LINKFILE} - - return 0 -} - - -# hash_dir create hash links in a given directory -hash_dir() -{ - echo "Doing ${1}" - - cd ${1} - - ls -1 * 2>/dev/null | while read FILE - do - if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \ - && [ -h "${FILE}" ] - then - rm ${FILE} - fi - done - - ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE - do - REAL_FILE=${FILE} - # if we run on build host then get to the real files in rootfs - if [ -n "${SYSROOT}" -a -h ${FILE} ] - then - FILE=$( readlink ${FILE} ) - # check the symlink is absolute (or dangling in other word) - if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ] - then - REAL_FILE=${SYSROOT}/${FILE} - fi - fi - - check_file ${REAL_FILE} - local FILE_TYPE=${?} - local TYPE_STR='' - - if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ] - then - TYPE_STR='x509' - elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ] - then - TYPE_STR='crl' - else - echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2 - continue - fi - - link_hash ${REAL_FILE} ${TYPE_STR} ${FILE} - done -} - - -# choose the name of an ssl application -if [ -n "${OPENSSL}" ] -then - SSL_CMD=$(which ${OPENSSL} 2>/dev/null) -else - SSL_CMD=/usr/bin/openssl - OPENSSL=${SSL_CMD} - export OPENSSL -fi - -# fix paths -PATH=${PATH}:${DIR}/bin -export PATH - -# confirm existance/executability of ssl command -if ! [ -x ${SSL_CMD} ] -then - echo "${0}: rehashing skipped ('openssl' program not available)" >&2 - exit 0 -fi - -# determine which directories to process -old_IFS=$IFS -if [ ${#} -gt 0 ] -then - IFS=':' - DIRLIST=${*} -elif [ -n "${SSL_CERT_DIR}" ] -then - DIRLIST=$SSL_CERT_DIR -else - DIRLIST=${DIR}/certs -fi - -IFS=':' - -# process directories -for CERT_DIR in ${DIRLIST} -do - if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ] - then - IFS=$old_IFS - hash_dir ${CERT_DIR} - IFS=':' - fi -done diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb index 5c5e291c1b..2e536e5d2a 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb @@ -13,7 +13,6 @@ DEPENDS = "hostperl-runtime-native" SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://run-ptest \ - file://openssl-c_rehash.sh \ file://0001-skip-test_symbol_presence.patch \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ @@ -150,12 +149,6 @@ do_install_append_class-native () { SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ OPENSSL_ENGINES=${libdir}/ssl-1.1/engines - - # Install a custom version of c_rehash that can handle sysroots properly. - # This version is used for example when installing ca-certificates during - # image creation. - install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash - sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash } do_install_append_class-nativesdk () { @@ -197,14 +190,13 @@ FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" FILES_libssl = "${libdir}/libssl${SOLIBS}" FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" FILES_${PN}-engines = "${libdir}/engines-1.1" -FILES_${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash" +FILES_${PN}-misc = "${libdir}/ssl-1.1/misc" FILES_${PN} =+ "${libdir}/ssl-1.1/*" FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" RRECOMMENDS_libcrypto += "openssl-conf" -RDEPENDS_${PN}-misc = "perl" RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash" RPROVIDES_openssl-conf = "openssl10-conf" @@ -212,7 +204,3 @@ RREPLACES_openssl-conf = "openssl10-conf" RCONFLICTS_openssl-conf = "openssl10-conf" BBCLASSEXTEND = "native nativesdk" - -inherit multilib_script - -MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" |