On 2015-05-22 17:16, [email protected] wrote:
From: Roy Li <[email protected]>

padlock_conf.patch will enable the padlock engine by default,
but this engine does not work on some 32-bit machines, and leaves
openssl unable to work

Signed-off-by: Roy Li <[email protected]>

This commit message is not precise; I should rework it, but
it has been merged, so I am pasting this to make it easier for
people to find more clues.


The issue is that if padlock is enabled on a 32-bit machine, but
the machine does not have this hardware, openssl cannot work.

1. On a 64-bit Linux machine (Ubuntu), both host and native are OK

1.1 run the host's openssl

lirq@LRQ:/work/wr/source/oe-core$ openssl engine -t
(rsax) RSAX engine support
     [ available ]
(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
lirq@LRQ:/work/wr/source/oe-core$

1.2 run native openssl

intel$ bitbake_build/tmp/sysroots/x86_64-linux/usr/bin/openssl engine -t
(dynamic) Dynamic engine loading support
     [ unavailable ]
intel$


2. On a 32-bit machine (Ubuntu), host is OK, but native is not.
2.1 run host openssl on 32bit machine

rli2@yow-lpgbld-vm40$openssl engine -t
(dynamic) Dynamic engine loading support
     [ unavailable ]
rli2@yow-lpgbld-vm40$

2.2 run native openssl on the 32-bit machine; it failed with the message below.

rli2@yow-lpgbld-vm40$./bitbake_build/tmp/sysroots/i686-linux/usr/bin/openssl engine -t
Error configuring OpenSSL
3074004668:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:191:section=padlock_section, name=init, value=1
3074004668:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1
rli2@yow-lpgbld-vm40$


3. This leads to a build failure of openflow on a 32-bit machine,

since a C file should be generated by openssl, but that failed.

3.1 go to source dir of openflow

rli2@yow-lpgbld-vm40$pwd
/home/nxadm/nx/yow-lpgbld-vm40.1/builds-2015-05-24-064042/x86-kvm-guest_world_bd_nosplit/build/openflow/git
rli2@yow-lpgbld-vm40$

3.2 use the native openssl, it failed.

rli2@yow-lpgbld-vm40$/home/nxadm/nx/yow-lpgbld-vm40.1/builds-2015-05-24-064042/x86-kvm-guest_world_bd_nosplit/bitbake_build/tmp/sysroots/i686-linux/usr/bin/openssl dhparam -C -in ./lib/dh1024.pem -noout
Error configuring OpenSSL
3073935036:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:191:section=padlock_section, name=init, value=1
3073935036:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1
rli2@yow-lpgbld-vm40$

3.3 use the host openssl which is working, since it does not enable padlock

rli2@yow-lpgbld-vm40$openssl dhparam -C -in ./lib/dh1024.pem -noout
#ifndef HEADER_DH_H
#include <openssl/dh.h>
#endif
DH *get_dh1024()
    {
    static unsigned char dh1024_p[]={
        0xF4,0x88,0xFD,0x58,0x4E,0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4,
        0x91,0x07,0x36,0x6B,0x33,0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C,
        0x88,0xB3,0x1C,0x7C,0x5B,0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0,
        0x43,0xF0,0xA5,0x5B,0x18,0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D,
        0x38,0xD3,0x34,0xFD,0x7C,0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C,
        0xDE,0x33,0x21,0x2C,0xB5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,
        0x18,0x11,0x8D,0x7C,0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,
        0x19,0xC8,0x07,0x29,0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,
        0xD0,0x0A,0x50,0x9B,0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,
        0x41,0x9F,0x9C,0x7C,0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,
        0xA2,0x5E,0xC3,0x55,0xE9,0x2F,0x78,0xC7,
        };
    static unsigned char dh1024_g[]={
        0x02,
        };
    DH *dh;

    if ((dh=DH_new()) == NULL) return(NULL);
    dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
    dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
    if ((dh->p == NULL) || (dh->g == NULL))
        { DH_free(dh); return(NULL); }
    return(dh);
    }
rli2@yow-lpgbld-vm40$

4. openssl should be fixed, but I think dropping this patch is
reasonable, since most machines do not have this hardware, and
if a machine has this hw, I think the end-user should know
how to enable it.


-Roy


---
  .../openssl/openssl/debian1.0.2/padlock_conf.patch | 31 ----------------------
  .../recipes-connectivity/openssl/openssl_1.0.2a.bb |  1 -
  2 files changed, 32 deletions(-)
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch

diff --git 
a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch 
b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch
deleted file mode 100644
index 61dcf45..0000000
--- a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-
-Upstream-Status: Backport [debian]
-
---- openssl/apps/openssl.cnf.orig      2012-06-06 00:45:56.000000000 +0200
-+++ openssl/apps/openssl.cnf   2012-06-06 00:46:46.000000000 +0200
-@@ -19,6 +19,8 @@
- # (Alternatively, use a configuration file that has only
- # X.509v3 extensions in its main [= default] section.)
-
-+openssl_conf = openssl_def
-+
- [ new_oids ]
-
- # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
-@@ -348,3 +350,16 @@
-                               # (optional, default: no)
- ess_cert_id_chain     = no    # Must the ESS cert id chain be included?
-                               # (optional, default: no)
-+
-+[openssl_def]
-+engines = engine_section
-+
-+[engine_section]
-+padlock = padlock_section
-+
-+[padlock_section]
-+soft_load=1
-+init=1
-+default_algorithms = ALL
-+dynamic_path=padlock
-+
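Review bot: the commit message should name the key that actually fails, which is `init=1` in the deleted `[padlock_section]`: the logged error reads `section=padlock_section, name=init, value=1`, and `soft_load=1` in the same section did not stop the configuration load from aborting. Please record that error line in the log, and say whether dropping only `init=1` (and `default_algorithms = ALL`) was considered instead of deleting the whole engine configuration, so that a later reader can tell why the full removal was chosen.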
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2a.bb 
b/meta/recipes-connectivity/openssl/openssl_1.0.2a.bb
index 6cf8049..dd97ea8 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2a.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2a.bb
@@ -18,7 +18,6 @@ SRC_URI += "file://configure-targets.patch \
              file://openssl-fix-link.patch \
              file://debian1.0.2/block_diginotar.patch \
              file://debian1.0.2/block_digicert_malaysia.patch \
-            file://debian1.0.2/padlock_conf.patch \
              file://debian/ca.patch \
              file://debian/c_rehash-compat.patch \
              file://debian/debian-targets.patch \
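Review bot: the `file://debian1.0.2/padlock_conf.patch` entry is removed from `SRC_URI` unconditionally, so every build of this recipe loses the engine configuration, while the failure in the report is shown only for the native binary under `sysroots/i686-linux`. State in the commit message that images for machines which do have the PadLock hardware no longer get the engine enabled by default and must configure it in `openssl.cnf` themselves.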


--
Best Regards,
Roy | RongQing Li
--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
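
A way to audit an `openssl.cnf` for the condition reported in this thread, as an added example (not part of the original mail or of the OE-core tree): it follows `openssl_conf` to the `engines` list to each engine section, and lists engines that are initialised at configuration load with `init=1`. The sample config is constructed from the lines in the deleted patch; the function names are hypothetical.

```python
import re

# Constructed sample: the settings the deleted padlock_conf.patch added to openssl.cnf.
SAMPLE_CNF = """\
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
padlock = padlock_section

[padlock_section]
soft_load=1
init=1
default_algorithms = ALL
dynamic_path=padlock
"""

def parse_cnf(text):
    """Parse the subset of openssl.cnf syntax needed here: [sections] and name = value."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)                # "[ new_oids ]" -> "new_oids"
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = line.split("=", 1)
            sections[current][name.strip()] = value.strip()
    return sections

def forced_engines(text):
    """Return (engine, section, default_algorithms) for engines configured with init=1."""
    cnf = parse_cnf(text)
    # Follow the chain shown in the patch: openssl_conf -> engines -> per-engine section.
    root = cnf.get(cnf["default"].get("openssl_conf", ""), {})
    engine_list = cnf.get(root.get("engines", ""), {})
    findings = []
    for engine, section in engine_list.items():
        opts = cnf.get(section, {})
        if opts.get("init") == "1":
            findings.append((engine, section, opts.get("default_algorithms")))
    return findings
```

Run against the `openssl.cnf` shipped in a native sysroot, a non-empty result points at the engine sections to review before the binary is used on build hosts that lack the hardware.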
