[Buildroot] [PATCH 1/1] host-python: Really do not use the system OpenSSL.

Nicolas Cavallari nicolas.cavallari at green-communications.fr
Thu Nov 17 15:06:49 UTC 2016


Even if buildroot patches host-python to not compile the 'ssl' module,
the '_ssl' and '_hashlib' module are still compiled if python detects
an usable OpenSSL installation.  This may break compilation if the
system's OpenSSL has been updated to 1.1.0 because of a bug in python,
see https://bugs.python.org/issue26470 for details.

If python does not detect an usable openssl installation for _hashlib,
it uses internal implementation of common hash algorithms instead.

This modifies the configure.ac patch to also disable _ssl and _hashlib
if --disable-ssl is used.

It must also modify setup.py to force enabling the internal
implementation of hash algorithms if _hashlib is disabled, otherwise, if
an usable openssl installation is detected, it will not compile
them and python will end up with no hash algorithm implementation at all,
breaking host-python-pycrypto and its reverse-dependencies like crda.

Signed-off-by: Nicolas Cavallari <nicolas.cavallari at green-communications.fr>
---
 .../019-force-internal-hash-if-ssl-disabled.patch  | 22 ++++++++++++++++++++++
 package/python/111-optional-ssl.patch              |  3 ++-
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 package/python/019-force-internal-hash-if-ssl-disabled.patch

Not sure if I should have added my signed off on 111-optional-ssl.patch
after modifying it.

diff --git a/package/python/019-force-internal-hash-if-ssl-disabled.patch b/package/python/019-force-internal-hash-if-ssl-disabled.patch
new file mode 100644
index 0000000..ff594ca
--- /dev/null
+++ b/package/python/019-force-internal-hash-if-ssl-disabled.patch
@@ -0,0 +1,22 @@
+Force the use of internal hash implementations if _hashlib is disabled.
+
+Otherwise, python ends up with no hash algorithm implementation at all,
+breaking python-pycrypto and its reverse-dependencies.
+
+Signed-off-by: Nicolas Cavallari <nicolas.cavallari at green-communications.fr>
+
+--- a/setup.py	2016-11-16 18:02:01.120854546 +0100
++++ b/setup.py	2016-11-17 09:52:32.485674999 +0100
+@@ -863,6 +863,12 @@ class PyBuildExt(build_ext):
+         have_usable_openssl = (have_any_openssl and
+                                openssl_ver >= min_openssl_ver)
+ 
++        if '_hashlib' in disabled_module_list:
++            # Force using the non-openssl fallbacks _md5 and _sha*.
++            have_any_openssl = False
++            have_usable_openssl = False
++            openssl_ver = 0
++
+         if have_any_openssl:
+             if have_usable_openssl:
+                 # The _hashlib module wraps optimized implementations
diff --git a/package/python/111-optional-ssl.patch b/package/python/111-optional-ssl.patch
index 956d2a0..89a8947 100644
--- a/package/python/111-optional-ssl.patch
+++ b/package/python/111-optional-ssl.patch
@@ -1,6 +1,7 @@
 Add an option to disable the ssl module
 
 Signed-off-by: Thomas Petazzoni <thomas.petazzoni at free-electrons.com>
+Signed-off-by: Nicolas Cavallari <nicolas.cavallari at green-communications.fr>
 
 ---
  configure.in |    6 ++++++
@@ -17,7 +18,7 @@ Index: b/configure.ac
 +AC_ARG_ENABLE(ssl,
 +	AS_HELP_STRING([--disable-ssl], [disable SSL]),
 +	[ if test "$enableval" = "no"; then
-+    	     DISABLED_EXTENSIONS="${DISABLED_EXTENSIONS} ssl"
++    	     DISABLED_EXTENSIONS="${DISABLED_EXTENSIONS} ssl _ssl _hashlib"
 +  	  fi])
 +
  AC_ARG_ENABLE(dbm,
-- 
2.10.2



More information about the buildroot mailing list