Re: [OE-core] [PATCH] python3-cryptography: workaround broken native functionality

[Ross Burton <Ross.Burton@arm.com>]

On 14 Sep 2022, at 09:09, Mikko Rapeli via lists.openembedded.org <mikko.rapeli=linaro.org@lists.openembedded.org> wrote:
> Found the root cause. As suggested on #pyco too maybe native openssl
> was mising legacy support.
> It wasn't but loading the on purpose hidden openssl legacy.so was
> failing. It is located in
> recipe-sysroot-native/usr/lib/ossl-modules/legacy.so and only found
> via OPENSSL_MODULES
> variable which wasn't set for python3-native users. These custom
> variables are set in the native openssl
> wrapper script and this also fixes the not found openssl.cnf. Now I
> could send a patch which sets
> the OPENSSL_CONF, OPENSSL_ENGINES and OPENSSL_MODULES paths for python3
> users via python3native.bbclass:

I’m glad this was root-caused before it was merged, because yes, this is the ‘correct’ (best known) fix right now:

~/Yocto/meta-arm % git grep "export OPENSSL_MODULES"
meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.6.0.bb:export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb:export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
meta-arm/recipes-security/optee/optee.inc:export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules”

A better solution is needed for sure.  At least when the certificates can’t be found you get somewhat understandable errors, the python3-crypto error is opaque at best.

OpenSSL supporting runtime-relocation with a single variable would be nice, but iirc from glancing at the source code previously not a trivial change.  That said it does cause sufficient pain that maybe we just have to carry the patch.

Alternatively, we extend the magic relocation to native recipes.  Even less trivial…

Ross