Re: [OE-core] [PATCH] python3-cryptography: workaround broken native functionality

[Richard Purdie]

On Wed, 2022-09-14 at 11:09 +0300, Mikko Rapeli wrote:
> Hi,
> 
> Found the root cause. As suggested on #pyco too maybe native openssl
> was mising legacy support.
> It wasn't but loading the on purpose hidden openssl legacy.so was
> failing. It is located in
> recipe-sysroot-native/usr/lib/ossl-modules/legacy.so and only found
> via OPENSSL_MODULES
> variable which wasn't set for python3-native users. These custom
> variables are set in the native openssl
> wrapper script and this also fixes the not found openssl.cnf. Now I
> could send a patch which sets
> the OPENSSL_CONF, OPENSSL_ENGINES and OPENSSL_MODULES paths for python3
> users via python3native.bbclass:
> 
> --- a/meta/classes-recipe/python3native.bbclass
> +++ b/meta/classes-recipe/python3native.bbclass
> @@ -28,3 +28,10 @@ export PYTHONNOUSERSITE = "1"
> 
>  # autoconf macros will use their internal default preference otherwise
>  export PYTHON
> +
> +# find openssl under python, see openssl native wrapper
> +export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/ssl-3/openssl.cnf"
> +export SSL_CERT_DIR="${STAGING_LIBDIR_NATIVE}/ssl-3/certs"
> +export SSL_CERT_FILE="${STAGING_LIBDIR_NATIVE}/ssl-3/cert.pem"
> +export OPENSSL_ENGINES="${STAGING_LIBDIR_NATIVE}/engines-3"
> +export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> 
> but that is still a copy of those variables which openssl recipe owns,
> and other users of openssl may
> have similar issues. Is there a way to export these for everyone who
> depends directly or indirectly
> from openssl-native?

Thanks for finding the root cause, this definitely helps a lot.

I'm extremely reluctant to add global exports to the system, they have
nasty effects on sstate checksum files and add overhead I'd prefer not
to have.

I wondered if we could patch openssl to code/find the location of these
files relative to the main library? Presumably that code knows where
the library itself is located so searching a relative path from there
might be something upstream might consider? It is a generic approach
which would work for al the variables too.

It is a patch we'd probably consider carrying if necessary but if there
were upstream buyin, that would obviously be much better.

Cheers,

Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#170649): 
https://lists.openembedded.org/g/openembedded-core/message/170649
Mute This Topic: https://lists.openembedded.org/mt/93651845/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-