From: Rasmus Villemoes <ravi@prevas.dk>
Date: Mon, 24 Feb 2025 21:22:08 +0000 (+0100)
Subject: openssl: honour calling environment's values in wrapper script
X-Git-Tag: yocto-5.2~396
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5582ec9d3a21c546b799d2f6d4928f5e1d19eb0a;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git

openssl: honour calling environment's values in wrapper script

When using openssl with some pkcs#11 plugin module, one (usually)
needs to set the OPENSSL_CONF environment variable
appropriately, and e.g. invoke openssl as

  openssl dgst -engine pkcs11 -keyform engine ...

However, when putting that logic in a bitbake recipe and depending on
openssl-native (and the recipe providing the pkcs#11 engine and the
associated configuration file), the value of OPENSSL_CONF is
unconditionally overridden by the wrapper script.

If openssl was invoked directly in the task function, I could probably
call "openssl.real" instead, but then I miss the proper settings of
the other four variables, which I'd then also have to repeat in my
recipe. Moreover, sometimes openssl is only called via some helper
script (for example rpi-eeprom-digest for signing bootloader images
for RPi), and it's not reasonable to patch every such script to call
openssl.real.

So rewrite the wrapper such that if a variable is already set in the
environment before openssl is invoked, preserve its value.

Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/recipes-connectivity/openssl/openssl_3.4.1.bb b/meta/recipes-connectivity/openssl/openssl_3.4.1.bb
index e18ec4b1ad8..1a054a36753 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.4.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.4.1.bb
@@ -176,11 +176,11 @@ do_install () {
 
 do_install:append:class-native () {
 	create_wrapper ${D}${bindir}/openssl \
-	    OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
-	    SSL_CERT_DIR=${libdir}/ssl-3/certs \
-	    SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
-	    OPENSSL_ENGINES=${libdir}/engines-3 \
-	    OPENSSL_MODULES=${libdir}/ossl-modules
+	    OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
+	    SSL_CERT_DIR=\${SSL_CERT_DIR:-${libdir}/ssl-3/certs} \
+	    SSL_CERT_FILE=\${SSL_CERT_FILE:-${libdir}/ssl-3/cert.pem} \
+	    OPENSSL_ENGINES=\${OPENSSL_ENGINES:-${libdir}/engines-3} \
+	    OPENSSL_MODULES=\${OPENSSL_MODULES:-${libdir}/ossl-modules}
 }
 
 do_install:append:class-nativesdk () {