From 2899d5617f0d607562de319dc3883d936f4eae43 Mon Sep 17 00:00:00 2001 From: code4lala Date: Wed, 14 Jun 2023 10:35:58 +0800 Subject: [PATCH] add ohos_executable openssl, Out of Tree Builds, add openssl.cnf, UnsafeLegacyRenegotiation, load legacy provider Signed-off-by: code4lala --- BUILD.gn | 123 +++++++++++++++++++++++- bundle.json | 10 +- make_openssl_build_all_generated.sh | 56 +++++------ open_harmony_openssl_config/openssl.cnf | 24 +++++ 4 files changed, 177 insertions(+), 36 deletions(-) create mode 100644 open_harmony_openssl_config/openssl.cnf diff --git a/BUILD.gn b/BUILD.gn index 977e57a9cc..1188d4b6b3 100644 --- a/BUILD.gn +++ b/BUILD.gn @@ -273,6 +273,10 @@ action("openssl_build_all_generated") { outputs += libcommon_build_all_generated_selected_platform_sources outputs += libdefault_build_all_generated_selected_platform_sources outputs += libcrypto_build_all_generated_selected_platform_sources + outputs += [ "${openssl_selected_platform_full_path}/apps/progs.c" ] + if (openssl_selected_platform == "mingw64") { + outputs += [ "${openssl_selected_platform_full_path}/apps/openssl.rc" ] + } } openssl_internal_cflags = [ @@ -335,6 +339,13 @@ crypto_config_common_public_include_dirs = [ "${openssl_selected_platform_full_path}/include", ] +# located at /system/etc/ +ohos_prebuilt_etc("openssl.cnf") { + source = "open_harmony_openssl_config/openssl.cnf" + subsystem_name = "thirdparty" + part_name = "openssl" +} + crypto_config_common_cflags = [ "-Wa,--noexecstack", "-DNDEBUG", @@ -343,7 +354,10 @@ crypto_config_common_cflags = [ "-DOPENSSL_PIC", "-DENGINESDIR=\"\"", "-DMODULESDIR=\"\"", - "-DOPENSSLDIR=\"\"", + + # to locate openssl.cnf + "-DOPENSSLDIR=\"/system/etc\"", + "-DSTATIC_LEGACY", ] @@ -1519,7 +1533,10 @@ if (is_mingw || is_mac) { } ohos_shared_library("libcrypto_shared") { - deps = [ ":crypto_source" ] + deps = [ + ":crypto_source", + ":openssl.cnf", + ] output_name = "libcrypto_openssl" subsystem_name = "thirdparty" part_name = "openssl" 
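Review bot: Replacing `-DOPENSSLDIR=\"\"` with `-DOPENSSLDIR=\"/system/etc\"` in the `crypto_config_common_cflags` hunk changes the behaviour of every process that links libcrypto_openssl, not only the new openssl executable: with a non-empty OPENSSLDIR, default-initialised libcrypto loads `/system/etc/openssl.cnf`, and the file this patch installs there activates the legacy provider and sets UnsafeLegacyRenegotiation as the system default for all SSL contexts. The hunk's `# to locate openssl.cnf` comment reads as a purely build-time detail, so I would extend it to `# to locate openssl.cnf; /system/etc/openssl.cnf is loaded by every libcrypto_openssl user and enables the legacy provider and unsafe legacy renegotiation for all of them`. `-DSTATIC_LEGACY` also deserves a line saying it pairs with the `no-module` configure option in make_openssl_build_all_generated.sh, i.e. the legacy provider is linked into libcrypto but still has to be activated by config or OSSL_PROVIDER_load(). If a system-wide default is not the intent, keeping OPENSSLDIR empty and having the applications that need these settings load their own config would limit the exposure.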
@@ -1632,6 +1649,7 @@ ohos_static_library("libssl_static") { ohos_shared_library("libssl_shared") { deps = [ ":libcrypto_shared", + ":openssl.cnf", ":ssl_source", ] 
@@ -1652,3 +1670,104 @@ ohos_shared_library("libssl_shared") { "updater", ] } + +ohos_static_library("libapps") { + sources = [ + "apps/lib/app_libctx.c", + "apps/lib/app_params.c", + "apps/lib/app_provider.c", + "apps/lib/app_rand.c", + "apps/lib/app_x509.c", + "apps/lib/apps.c", + "apps/lib/apps_ui.c", + "apps/lib/columns.c", + "apps/lib/engine.c", + "apps/lib/engine_loader.c", + "apps/lib/fmt.c", + "apps/lib/http_server.c", + "apps/lib/names.c", + "apps/lib/opt.c", + "apps/lib/s_cb.c", + "apps/lib/s_socket.c", + "apps/lib/tlssrp_depr.c", + ] + if (openssl_selected_platform == "mingw64") { + sources += [ "apps/lib/win32_init.c" ] + } + subsystem_name = "thirdparty" + part_name = "openssl" + configs = [ ":crypto_config_private" ] +} + +ohos_executable("openssl") { + sources = [ + "${openssl_selected_platform_full_path}/apps/progs.c", + "apps/asn1parse.c", + "apps/ca.c", + "apps/ciphers.c", + "apps/cmp.c", + "apps/cms.c", + "apps/crl.c", + "apps/crl2pkcs7.c", + "apps/dgst.c", + "apps/dhparam.c", + "apps/dsa.c", + "apps/dsaparam.c", + "apps/ec.c", + "apps/ecparam.c", + "apps/enc.c", + "apps/engine.c", + "apps/errstr.c", + "apps/fipsinstall.c", + "apps/gendsa.c", + "apps/genpkey.c", + "apps/genrsa.c", + "apps/info.c", + "apps/kdf.c", + "apps/lib/cmp_mock_srv.c", + "apps/list.c", + "apps/mac.c", + "apps/nseq.c", + "apps/ocsp.c", + "apps/openssl.c", + "apps/passwd.c", + "apps/pkcs12.c", + "apps/pkcs7.c", + "apps/pkcs8.c", + "apps/pkey.c", + "apps/pkeyparam.c", + "apps/pkeyutl.c", + "apps/prime.c", + "apps/rand.c", + "apps/rehash.c", + "apps/req.c", + "apps/rsa.c", + "apps/rsautl.c", + "apps/s_client.c", + "apps/s_server.c", + "apps/s_time.c", + "apps/sess_id.c", + "apps/smime.c", + "apps/speed.c", + "apps/spkac.c", + "apps/srp.c", + "apps/storeutl.c", + "apps/ts.c", + "apps/verify.c", + "apps/version.c", + "apps/x509.c", + ] + if (openssl_selected_platform == "mingw64") { + sources += [ "${openssl_selected_platform_full_path}/apps/openssl.rc" ] + } + deps = [ + 
":libapps", + ":libcrypto_shared", + ":libssl_shared", + ":openssl.cnf", + ":openssl_build_all_generated", + ] + subsystem_name = "thirdparty" + part_name = "openssl" + configs = [ ":crypto_config_private" ] +} diff --git a/bundle.json b/bundle.json index ada0e8b7ff..1f2803270b 100644 --- a/bundle.json +++ b/bundle.json @@ -17,7 +17,9 @@ "subsystem": "thirdparty", "syscap": [], "features": [], - "adapted_system_type": [], + "adapted_system_type": [ + "standard" + ], "rom": "", "ram": "", "deps": { @@ -25,9 +27,11 @@ "third_party": [] }, "build": { - "sub_component": [], + "sub_component": [ + "//third_party/openssl:openssl" + ], "inner_kits": [], "test": [] } } -} \ No newline at end of file +} diff --git a/make_openssl_build_all_generated.sh b/make_openssl_build_all_generated.sh index 21310a170c..af2db86400 100755 --- a/make_openssl_build_all_generated.sh +++ b/make_openssl_build_all_generated.sh 
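Review bot: The `ohos_executable("openssl")` target lists `:openssl.cnf` and `:openssl_build_all_generated` in `deps` without saying why, and the relationship to the first `sources` entry is easy to miss: `${openssl_selected_platform_full_path}/apps/progs.c` is an output of `:openssl_build_all_generated` (declared in the `outputs +=` hunk earlier in this patch), while `:openssl.cnf` is a runtime file installed under /system/etc that the binary only needs at execution time. A short comment above `deps` would make that explicit, e.g. `# progs.c is produced by :openssl_build_all_generated; :openssl.cnf only ensures the runtime config is installed alongside the tool`. The same applies to the `:openssl.cnf` entries added to `libcrypto_shared` and `libssl_shared` in the two hunks above.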
@@ -17,38 +17,32 @@ pwd # out/target_name openssl_source_path="$1" build_all_generated_path="$2" openssl_selected_platform="$3" + +# https://github.com/openssl/openssl/blob/master/INSTALL.md#out-of-tree-builds +# OpenSSL can be configured to build in a build directory separate from the source code directory. +# It's done by placing yourself in some other directory and invoking the configuration commands from there. rm -rf ${build_all_generated_path}/${openssl_selected_platform} -mkdir -p ${build_all_generated_path} -pushd ${build_all_generated_path} - rm -rf ./openssl - cp -r ${openssl_source_path} openssl - pushd openssl - # https://github.com/openssl/openssl/issues/20112#issuecomment-1400388204 - # no-shared will disable building shared libcrypto and libssl libraries. - # But the legacy provider would still be built as a shared module. - # So you would need the legacy shared module present on the installed - # system and the paths would have to be correct. - # You can use no-module to make the legacy provider built-in. +mkdir -p ${build_all_generated_path}/${openssl_selected_platform} +pushd ${build_all_generated_path}/${openssl_selected_platform} + # https://github.com/openssl/openssl/issues/20112#issuecomment-1400388204 + # no-shared will disable building shared libcrypto and libssl libraries. + # But the legacy provider would still be built as a shared module. + # So you would need the legacy shared module present on the installed + # system and the paths would have to be correct. + # You can use no-module to make the legacy provider built-in. - # https://github.com/openssl/openssl/issues/17679#issue-1130060263 - # Is there a way to build a static version of openssl3, including the "legacy" OSSL_PROVIDER? - # https://github.com/openssl/openssl/issues/17679#issuecomment-1034949099 - # Configure with no-shared no-module. The legacy provider is then part of libcrypto.a. 
- # You still need to "load" it via OSSL_PROVIDER_load() - but no .so file is required in that case. + # https://github.com/openssl/openssl/issues/17679#issue-1130060263 + # Is there a way to build a static version of openssl3, including the "legacy" OSSL_PROVIDER? + # https://github.com/openssl/openssl/issues/17679#issuecomment-1034949099 + # Configure with no-shared no-module. The legacy provider is then part of libcrypto.a. + # You still need to "load" it via OSSL_PROVIDER_load() - but no .so file is required in that case. - # https://github.com/openssl/openssl/issues/19368#issuecomment-1274558844 - # no-shared affects the building of libcrypto*.dll and libssl*.dll, - # not dynamically loadable modules (which are governed by the configuration option no-module / enable-module, - # which is enabled by default). - configure_cmd="./Configure ${openssl_selected_platform} no-shared no-module" - echo $configure_cmd - $configure_cmd - make build_all_generated -j256 >/dev/null 2>&1 - popd - # https://stackoverflow.com/questions/11325123/how-to-compare-two-directories-using-diff-while-ignoring-non-existing-files - LC_ALL=C diff -q -r --exclude=".git" ${openssl_source_path} openssl | sed 's#^Only in ##;s#: #/#' | tar -czf ${openssl_selected_platform}.tgz -T - - rm -rf ./openssl - tar -xf ${openssl_selected_platform}.tgz - mv openssl ${openssl_selected_platform} - rm -f ${openssl_selected_platform}.tgz + # https://github.com/openssl/openssl/issues/19368#issuecomment-1274558844 + # no-shared affects the building of libcrypto*.dll and libssl*.dll, + # not dynamically loadable modules (which are governed by the configuration option no-module / enable-module, + # which is enabled by default). + configure_cmd="${openssl_source_path}/Configure ${openssl_selected_platform} no-shared no-module" + echo $configure_cmd + $configure_cmd + make build_all_generated -j256 >/dev/null 2>&1 popd 
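Review bot: The rewritten `rm -rf ${build_all_generated_path}/${openssl_selected_platform}` still runs with unquoted, unchecked positional parameters, so an empty `$2` or `$3` turns the deletion into `rm -rf /<platform>` or `rm -rf <path>/`, and the `$configure_cmd` and `make build_all_generated -j256 >/dev/null 2>&1` lines discard both output and exit status, so a failed Configure or make leaves a partial or stale generated tree that the GN build then consumes silently. I would guard the inputs once before the rm, `: "${build_all_generated_path:?}" "${openssl_selected_platform:?}"`, and fail on the two build steps, `$configure_cmd || exit 1` and `make build_all_generated -j256 >/dev/null 2>&1 || exit 1`. The script's first 16 lines are outside the hunk, so if `set -euo pipefail` is already present there only the quoting point remains; the hard-coded `-j256` would also be clearer as `-j"$(nproc)"`.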
diff --git a/open_harmony_openssl_config/openssl.cnf b/open_harmony_openssl_config/openssl.cnf
new file mode 100644
index 0000000000..2ba351d441
--- /dev/null
+++ b/open_harmony_openssl_config/openssl.cnf
@@ -0,0 +1,24 @@
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+ssl_conf = ssl_conf_sect
+
+[provider_sect]
+# https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
+default = default_sect
+legacy = legacy_sect
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1
+
+[ssl_conf_sect]
+system_default = ssl_conf_system_default_sect
+
+[ssl_conf_system_default_sect]
+# https://github.com/openssl/openssl/issues/21200
+# https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#Options
+Options = UnsafeLegacyRenegotiation
-- GitLab
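Review bot: `Options = UnsafeLegacyRenegotiation` under `[ssl_conf_system_default_sect]` is applied through `system_default`, which means every SSL_CTX created by any process that loads this file will again accept renegotiation with peers that do not implement RFC 5746 secure renegotiation, and `[legacy_sect] activate = 1` likewise makes the legacy provider's deprecated algorithms available to all of them; the two issue links record where the setting comes from but not why it is needed on this platform or which application requires it. I would add that justification next to the option, e.g. `# system-wide: re-enables insecure (pre-RFC 5746) renegotiation for every TLS context on the device; needed for <peer/application — fill in>; revisit when that peer is updated`, and state the same global scope above `legacy = legacy_sect`. If only the openssl command-line tool or a single application needs these, a per-application config (or OSSL_PROVIDER_load() / SSL_CTX_set_options() in that application) keeps the rest of the system on the hardened defaults.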