Re: [PATCH] python3-cryptography: workaround broken native functionality


Martin Jansa
 

FWIW: nodejs error when it fails to load openssl errors is also a bit confusing and needs OPENSSL_MODULES export:


On Thu, Sep 15, 2022 at 1:26 PM Mikko Rapeli <mikko.rapeli@...> wrote:
Hi,

On Thu, 15 Sept 2022 at 14:18, Ross Burton <Ross.Burton@...> wrote:
>
> On 14 Sep 2022, at 09:09, Mikko Rapeli via lists.openembedded.org <mikko.rapeli=linaro.org@...> wrote:
> > Found the root cause. As suggested on #pyco too maybe native openssl
> > was missing legacy support.
> > It wasn't but loading the on purpose hidden openssl legacy.so was
> > failing. It is located in
> > recipe-sysroot-native/usr/lib/ossl-modules/legacy.so and only found
> > via OPENSSL_MODULES
> > variable which wasn't set for python3-native users. These custom
> > variables are set in the native openssl
> > wrapper script and this also fixes the not found openssl.cnf. Now I
> > could send a patch which sets
> > the OPENSSL_CONF, OPENSSL_ENGINES and OPENSSL_MODULES paths for python3
> > users via python3native.bbclass:
>
> I’m glad this was root-caused before it was merged, because yes, this is the ‘correct’ (best known) fix right now:
>
> ~/Yocto/meta-arm % git grep "export OPENSSL_MODULES"
> meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.6.0.bb:export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb:export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> meta-arm/recipes-security/optee/optee.inc:export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
>
> A better solution is needed for sure.  At least when the certificates can’t be found you get somewhat understandable errors, the python3-crypto error is opaque at best.
>
> OpenSSL supporting runtime-relocation with a single variable would be nice, but iirc from glancing at the source code previously not a trivial change.  That said it does cause sufficient pain that maybe we just have to carry the patch.
>
> Alternatively, we extend the magic relocation to native recipes.  Even less trivial…

I'm working on the relocation patches but they are quite ugly, as are
the various code paths inside openssl
which handle these env variables and which fall back to compile time defaults.

Though I suspect that openssl developers may not want to see the patches
resolving "OpenSSL_version" symbol
at runtime for finding the config file paths... But it's still better
than exporting these environment variables everywhere
to get relocation working.

Cheers,

-Mikko
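
A pre-flight check for the failure root-caused in this thread, as an added example that is not part of the thread or of OpenEmbedded: it reports whether legacy.so is staged in a native sysroot and whether OPENSSL_MODULES actually points at it. The function names, the messages and the temporary sysroot are constructed for illustration; only the `usr/lib/ossl-modules/legacy.so` location and the three variable names come from the thread.

```python
import os
import sys
import tempfile
from pathlib import Path

# Provider location inside the native sysroot, as quoted in the thread.
LEGACY_REL = Path("usr/lib/ossl-modules/legacy.so")


def check_openssl_env(sysroot_native, env):
    """Return the problems that would stop native OpenSSL loading legacy.so."""
    problems = []
    staged = Path(sysroot_native) / LEGACY_REL
    if not staged.is_file():
        problems.append(f"legacy.so is not staged at {staged}")
    modules = env.get("OPENSSL_MODULES")
    if not modules:
        # Without the variable OpenSSL searches its compile-time module path.
        problems.append("OPENSSL_MODULES is unset")
    elif not (Path(modules) / "legacy.so").is_file():
        problems.append(f"OPENSSL_MODULES={modules} has no legacy.so")
    elif Path(modules).resolve() != staged.parent.resolve():
        problems.append(f"OPENSSL_MODULES={modules} is outside this sysroot")
    # The thread names two more variables; only verify values that are set.
    for var in ("OPENSSL_CONF", "OPENSSL_ENGINES"):
        value = env.get(var)
        if value and not Path(value).exists():
            problems.append(f"{var}={value} does not exist")
    return problems


def demo():
    """Run the check on a constructed sysroot with an empty stand-in legacy.so."""
    with tempfile.TemporaryDirectory() as tmp:
        moddir = Path(tmp) / LEGACY_REL.parent
        moddir.mkdir(parents=True)
        (moddir / "legacy.so").touch()
        return {
            "unset": check_openssl_env(tmp, {}),
            "exported": check_openssl_env(tmp, {"OPENSSL_MODULES": str(moddir)}),
            "stale": check_openssl_env(tmp, {"OPENSSL_MODULES": "/nonexistent/ossl-modules"}),
        }


if __name__ == "__main__":
    # With a path argument, check the real environment; otherwise run the demo.
    result = check_openssl_env(sys.argv[1], os.environ) if len(sys.argv) > 1 else demo()
    print(result)
```

Run with the path to a recipe's recipe-sysroot-native as the only argument to check the current environment; an empty list means the provider is staged and reachable through OPENSSL_MODULES.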


