add ohos_executable openssl, Out of Tree Builds, add openssl.cnf,...

add ohos_executable openssl, Out of Tree Builds, add openssl.cnf, UnsafeLegacyRenegotiation, load legacy provider Signed-off-by: N code4lala <fengziteng2@huawei.com>

add ohos_executable openssl, Out of Tree Builds, add openssl.cnf,...
add ohos_executable openssl, Out of Tree Builds, add openssl.cnf, UnsafeLegacyRenegotiation, load legacy provider Signed-off-by: N code4lala <fengziteng2@huawei.com>
2899d561 · code4lala · 7e8037ba · 2899d561 · 2899d561 · 2899d561
4 changed file
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -273,6 +273,10 @@ action("openssl_build_all_generated") {
  outputs += libcommon_build_all_generated_selected_platform_sources
  outputs += libdefault_build_all_generated_selected_platform_sources
  outputs += libcrypto_build_all_generated_selected_platform_sources
+  outputs += [ "${openssl_selected_platform_full_path}/apps/progs.c" ]
+  if (openssl_selected_platform == "mingw64") {
+    outputs += [ "${openssl_selected_platform_full_path}/apps/openssl.rc" ]
+  }
 }

 openssl_internal_cflags = [
@@ -335,6 +339,13 @@ crypto_config_common_public_include_dirs = [
  "${openssl_selected_platform_full_path}/include",
 ]

+# located at /system/etc/
+ohos_prebuilt_etc("openssl.cnf") {
+  source = "open_harmony_openssl_config/openssl.cnf"
+  subsystem_name = "thirdparty"
+  part_name = "openssl"
+}
+
 crypto_config_common_cflags = [
  "-Wa,--noexecstack",
  "-DNDEBUG",
@@ -343,7 +354,10 @@ crypto_config_common_cflags = [
  "-DOPENSSL_PIC",
  "-DENGINESDIR=\"\"",
  "-DMODULESDIR=\"\"",
-  "-DOPENSSLDIR=\"\"",
+
+  # to locate openssl.cnf
+  "-DOPENSSLDIR=\"/system/etc\"",
+
  "-DSTATIC_LEGACY",
 ]

@@ -1519,7 +1533,10 @@ if (is_mingw || is_mac) {
 }

 ohos_shared_library("libcrypto_shared") {
-  deps = [ ":crypto_source" ]
+  deps = [
+    ":crypto_source",
+    ":openssl.cnf",
+  ]
  output_name = "libcrypto_openssl"
  subsystem_name = "thirdparty"
  part_name = "openssl"
@@ -1632,6 +1649,7 @@ ohos_static_library("libssl_static") {
 ohos_shared_library("libssl_shared") {
  deps = [
    ":libcrypto_shared",
+    ":openssl.cnf",
    ":ssl_source",
  ]

@@ -1652,3 +1670,104 @@ ohos_shared_library("libssl_shared") {
    "updater",
  ]
 }
+
+ohos_static_library("libapps") {
+  sources = [
+    "apps/lib/app_libctx.c",
+    "apps/lib/app_params.c",
+    "apps/lib/app_provider.c",
+    "apps/lib/app_rand.c",
+    "apps/lib/app_x509.c",
+    "apps/lib/apps.c",
+    "apps/lib/apps_ui.c",
+    "apps/lib/columns.c",
+    "apps/lib/engine.c",
+    "apps/lib/engine_loader.c",
+    "apps/lib/fmt.c",
+    "apps/lib/http_server.c",
+    "apps/lib/names.c",
+    "apps/lib/opt.c",
+    "apps/lib/s_cb.c",
+    "apps/lib/s_socket.c",
+    "apps/lib/tlssrp_depr.c",
+  ]
+  if (openssl_selected_platform == "mingw64") {
+    sources += [ "apps/lib/win32_init.c" ]
+  }
+  subsystem_name = "thirdparty"
+  part_name = "openssl"
+  configs = [ ":crypto_config_private" ]
+}
+
+ohos_executable("openssl") {
+  sources = [
+    "${openssl_selected_platform_full_path}/apps/progs.c",
+    "apps/asn1parse.c",
+    "apps/ca.c",
+    "apps/ciphers.c",
+    "apps/cmp.c",
+    "apps/cms.c",
+    "apps/crl.c",
+    "apps/crl2pkcs7.c",
+    "apps/dgst.c",
+    "apps/dhparam.c",
+    "apps/dsa.c",
+    "apps/dsaparam.c",
+    "apps/ec.c",
+    "apps/ecparam.c",
+    "apps/enc.c",
+    "apps/engine.c",
+    "apps/errstr.c",
+    "apps/fipsinstall.c",
+    "apps/gendsa.c",
+    "apps/genpkey.c",
+    "apps/genrsa.c",
+    "apps/info.c",
+    "apps/kdf.c",
+    "apps/lib/cmp_mock_srv.c",
+    "apps/list.c",
+    "apps/mac.c",
+    "apps/nseq.c",
+    "apps/ocsp.c",
+    "apps/openssl.c",
+    "apps/passwd.c",
+    "apps/pkcs12.c",
+    "apps/pkcs7.c",
+    "apps/pkcs8.c",
+    "apps/pkey.c",
+    "apps/pkeyparam.c",
+    "apps/pkeyutl.c",
+    "apps/prime.c",
+    "apps/rand.c",
+    "apps/rehash.c",
+    "apps/req.c",
+    "apps/rsa.c",
+    "apps/rsautl.c",
+    "apps/s_client.c",
+    "apps/s_server.c",
+    "apps/s_time.c",
+    "apps/sess_id.c",
+    "apps/smime.c",
+    "apps/speed.c",
+    "apps/spkac.c",
+    "apps/srp.c",
+    "apps/storeutl.c",
+    "apps/ts.c",
+    "apps/verify.c",
+    "apps/version.c",
+    "apps/x509.c",
+  ]
+  if (openssl_selected_platform == "mingw64") {
+    sources += [ "${openssl_selected_platform_full_path}/apps/openssl.rc" ]
+  }
+  deps = [
+    ":libapps",
+    ":libcrypto_shared",
+    ":libssl_shared",
+    ":openssl.cnf",
+    ":openssl_build_all_generated",
+  ]
+  subsystem_name = "thirdparty"
+  part_name = "openssl"
+  configs = [ ":crypto_config_private" ]
+}
--- a/bundle.json
+++ b/bundle.json
@@ -17,7 +17,9 @@
        "subsystem": "thirdparty",
        "syscap": [],
        "features": [],
-        "adapted_system_type": [],
+        "adapted_system_type": [
+            "standard"
+        ],
        "rom": "",
        "ram": "",
        "deps": {
@@ -25,9 +27,11 @@
            "third_party": []
        },
        "build": {
-            "sub_component": [],
+            "sub_component": [
+                "//third_party/openssl:openssl"
+            ],
            "inner_kits": [],
            "test": []
        }
    }
-}
\ No newline at end of file
+}
--- a/make_openssl_build_all_generated.sh
+++ b/make_openssl_build_all_generated.sh
@@ -17,38 +17,32 @@ pwd # out/target_name
 openssl_source_path="$1"
 build_all_generated_path="$2"
 openssl_selected_platform="$3"
+
+# https://github.com/openssl/openssl/blob/master/INSTALL.md#out-of-tree-builds
+# OpenSSL can be configured to build in a build directory separate from the source code directory.
+# It's done by placing yourself in some other directory and invoking the configuration commands from there.
 rm -rf ${build_all_generated_path}/${openssl_selected_platform}
-mkdir -p ${build_all_generated_path}
-pushd ${build_all_generated_path}
-    rm -rf ./openssl
-    cp -r ${openssl_source_path} openssl
-    pushd openssl
-        # https://github.com/openssl/openssl/issues/20112#issuecomment-1400388204
-        # no-shared will disable building shared libcrypto and libssl libraries.
-        # But the legacy provider would still be built as a shared module.
-        # So you would need the legacy shared module present on the installed
-        # system and the paths would have to be correct.
-        # You can use no-module to make the legacy provider built-in.
+mkdir -p ${build_all_generated_path}/${openssl_selected_platform}
+pushd ${build_all_generated_path}/${openssl_selected_platform}
+    # https://github.com/openssl/openssl/issues/20112#issuecomment-1400388204
+    # no-shared will disable building shared libcrypto and libssl libraries.
+    # But the legacy provider would still be built as a shared module.
+    # So you would need the legacy shared module present on the installed
+    # system and the paths would have to be correct.
+    # You can use no-module to make the legacy provider built-in.

-        # https://github.com/openssl/openssl/issues/17679#issue-1130060263
-        # Is there a way to build a static version of openssl3, including the "legacy" OSSL_PROVIDER?
-        # https://github.com/openssl/openssl/issues/17679#issuecomment-1034949099
-        # Configure with no-shared no-module. The legacy provider is then part of libcrypto.a.
-        # You still need to "load" it via OSSL_PROVIDER_load() - but no .so file is required in that case.
+    # https://github.com/openssl/openssl/issues/17679#issue-1130060263
+    # Is there a way to build a static version of openssl3, including the "legacy" OSSL_PROVIDER?
+    # https://github.com/openssl/openssl/issues/17679#issuecomment-1034949099
+    # Configure with no-shared no-module. The legacy provider is then part of libcrypto.a.
+    # You still need to "load" it via OSSL_PROVIDER_load() - but no .so file is required in that case.

-        # https://github.com/openssl/openssl/issues/19368#issuecomment-1274558844
-        # no-shared affects the building of libcrypto*.dll and libssl*.dll,
-        # not dynamically loadable modules (which are governed by the configuration option no-module / enable-module,
-        # which is enabled by default).
-        configure_cmd="./Configure ${openssl_selected_platform} no-shared no-module"
-        echo $configure_cmd
-        $configure_cmd
-        make build_all_generated -j256 >/dev/null 2>&1
-    popd
-    # https://stackoverflow.com/questions/11325123/how-to-compare-two-directories-using-diff-while-ignoring-non-existing-files
-    LC_ALL=C diff -q -r --exclude=".git" ${openssl_source_path} openssl | sed 's#^Only in ##;s#: #/#' | tar -czf ${openssl_selected_platform}.tgz -T -
-    rm -rf ./openssl
-    tar -xf ${openssl_selected_platform}.tgz
-    mv openssl ${openssl_selected_platform}
-    rm -f ${openssl_selected_platform}.tgz
+    # https://github.com/openssl/openssl/issues/19368#issuecomment-1274558844
+    # no-shared affects the building of libcrypto*.dll and libssl*.dll,
+    # not dynamically loadable modules (which are governed by the configuration option no-module / enable-module,
+    # which is enabled by default).
+    configure_cmd="${openssl_source_path}/Configure ${openssl_selected_platform} no-shared no-module"
+    echo $configure_cmd
+    $configure_cmd
+    make build_all_generated -j256 >/dev/null 2>&1
 popd
--- a/open_harmony_openssl_config/openssl.cnf
+++ b/open_harmony_openssl_config/openssl.cnf
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+ssl_conf = ssl_conf_sect
+
+[provider_sect]
+# https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
+default = default_sect
+legacy = legacy_sect
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1
+
+[ssl_conf_sect]
+system_default = ssl_conf_system_default_sect
+
+[ssl_conf_system_default_sect]
+# https://github.com/openssl/openssl/issues/21200
+# https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#Options
+Options = UnsafeLegacyRenegotiation