[Buildroot] [PATCH v4 1/1] package/libssh2: Add selectable crypto libraries

Arnout Vandecappelle arnout at mind.be
Sat Nov 4 21:58:49 UTC 2017



On 01-11-17 17:22, Sam Voss wrote:
> Currently, the selection of the backend is based on a priority order,
> which is not always desirable: not all features are available for all
> backends, as reported upstream:
>     https://github.com/libssh2/libssh2/issues/213

 OK, so finally an indirect explanation for why you need this. For people who
don't want to follow the link, here it is (Sam, correct me if I misinterpreted
the issue): apparently, libgcrypt is not able to use a password-encrypted
certificate generated by openssl. So really, it's a shortcoming of libgcrypt. If
you need to use such a certificate with libssh2, you have no choice but to use
the openssl backend.

 And I can imagine that there will be other situations where one of the backends
is missing some feature - not so much in the crypto supported, but rather in the
fringe aspects like reading certificates or whatnot.

 So yes, it makes sense to make this selectable.

> 
> As such, allow a user to select the backend most appropriate to their
> use-case.
> 
> Signed-off-by: Sam Voss <sam.voss at rockwellcollins.com>
> 
> --
> 
> [v3->v4]
>  - Update configuration for "type->depends->select" ordering
>  - Update patch message to be more descriptive
> 
> [v2->v3]
>  - Fix comment about favoring mbedtls
> 
> [v1->v2]
>  - Do not have comments when crypto is not selected, select it instead.
>  - Do not select OpenSSL by default when libssh2 is selected if no
>    others are chosen
> ---
>  package/libssh2/Config.in  | 24 +++++++++++++++++++++++-
>  package/libssh2/libssh2.mk |  8 ++++----
>  2 files changed, 27 insertions(+), 5 deletions(-)
> 
> diff --git a/package/libssh2/Config.in b/package/libssh2/Config.in
> index 9b60823..f2d32a9 100644
> --- a/package/libssh2/Config.in
> +++ b/package/libssh2/Config.in
> @@ -1,6 +1,5 @@
>  config BR2_PACKAGE_LIBSSH2
>  	bool "libssh2"
> -	select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_MBEDTLS || BR2_PACKAGE_LIBGCRYPT)
>  	help
>  	  libssh2 is a client-side C library implementing the SSH2
>  	  protocol as defined by Internet Drafts: SECSH-TRANS(22),
> @@ -8,3 +7,26 @@ config BR2_PACKAGE_LIBSSH2
>  	  SECSH-FILEXFER(06)*, SECSH-DHGEX(04), and SECSH-NUMBERS(10)
>  
>  	  http://www.libssh2.org/
> +
> +if BR2_PACKAGE_LIBSSH2
> +
> +choice
> +	prompt "Crypto Backend"
> +	help
> +	  Select crypto library to be used in libssh2.
> +
> +config BR2_PACKAGE_LIBSSH2_MBEDTLS
> +	bool "mbedtls"
> +	select BR2_PACKAGE_MBEDTLS

 Note that this changes the defaults we had previously. If openssl was already
selected and you select libssh2, then openssl would be used as a backend. Now,
the default is mbedtls, so if you don't take any action, it will be mbedtls.

 This does affect people updating Buildroot, so it needs to be mentioned in CHANGES.

> +
> +config BR2_PACKAGE_LIBSSH2_LIBGCRYPT
> +	bool "gcrypt"
> +	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS # libgcrypt -> libgpg-error
> +	select BR2_PACKAGE_LIBGCRYPT
> +
> +config BR2_PACKAGE_LIBSSH2_OPENSSL
> +	bool "openssl"
> +	select BR2_PACKAGE_OPENSSL
> +
> +endchoice
> +endif
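
Review bot: the `choice` block has no `default` line, so Kconfig falls back to its first entry, `BR2_PACKAGE_LIBSSH2_MBEDTLS`, and its `select BR2_PACKAGE_MBEDTLS` then pulls mbedtls into a configuration that so far built libssh2 against an already enabled openssl or libgcrypt. Explicit defaults that follow what is already enabled would keep existing configurations on their current backend, for example `default BR2_PACKAGE_LIBSSH2_MBEDTLS if BR2_PACKAGE_MBEDTLS`, `default BR2_PACKAGE_LIBSSH2_LIBGCRYPT if BR2_PACKAGE_LIBGCRYPT` and `default BR2_PACKAGE_LIBSSH2_OPENSSL if BR2_PACKAGE_OPENSSL`, which mirrors the priority order of the removed `select` line. If the new default is intended, it should be stated in the choice's help text as well as in CHANGES.
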
> diff --git a/package/libssh2/libssh2.mk b/package/libssh2/libssh2.mk
> index d40e844..befac92 100644
> --- a/package/libssh2/libssh2.mk
> +++ b/package/libssh2/libssh2.mk
> @@ -15,19 +15,19 @@ LIBSSH2_CONF_OPTS = --disable-examples-build
>  LIBSSH2_AUTORECONF = YES
>  
>  # Dependency is one of mbedtls, libgcrypt or openssl, guaranteed in
> -# Config.in. Favour mbedtls.

 This comment has now become useless - since the different options come from a
choice, it's obvious that only one of them would be true.


 I've applied with the above changes, and I've also pushed an update to the
CHANGES file.

 Regards,
 Arnout

> -ifeq ($(BR2_PACKAGE_MBEDTLS),y)
> +# Config.in.
> +ifeq ($(BR2_PACKAGE_LIBSSH2_MBEDTLS),y)
>  LIBSSH2_DEPENDENCIES += mbedtls
>  LIBSSH2_CONF_OPTS += --with-libmbedcrypto-prefix=$(STAGING_DIR)/usr \
>  	--with-crypto=mbedtls
> -else ifeq ($(BR2_PACKAGE_LIBGCRYPT),y)
> +else ifeq ($(BR2_PACKAGE_LIBSSH2_LIBGCRYPT),y)
>  LIBSSH2_DEPENDENCIES += libgcrypt
>  LIBSSH2_CONF_OPTS += --with-libgcrypt-prefix=$(STAGING_DIR)/usr \
>  	--with-crypto=libgcrypt
>  # configure.ac forgets to link to dependent libraries of gcrypt breaking static
>  # linking
>  LIBSSH2_CONF_ENV += LIBS="`$(STAGING_DIR)/usr/bin/libgcrypt-config --libs`"
> -else
> +else ifeq ($(BR2_PACKAGE_LIBSSH2_OPENSSL),y)
>  LIBSSH2_DEPENDENCIES += openssl
>  LIBSSH2_CONF_OPTS += --with-libssl-prefix=$(STAGING_DIR)/usr \
>  	--with-crypto=openssl
> 
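
Review bot: in the last branch, `else ifeq ($(BR2_PACKAGE_LIBSSH2_OPENSSL),y)` replaces the plain `else`, so when none of the three `BR2_PACKAGE_LIBSSH2_*` symbols is `y` no branch adds a crypto dependency or a `--with-crypto` option. The choice in Config.in is what makes that case unreachable, and nothing in this file enforces it; keeping a plain `else` for the last backend would preserve a defined fallback instead of leaving the backend to whatever the package's configure step picks.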

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
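
The default change noted in the review above can be checked against an existing `.config` before updating Buildroot. The script below is an added example, not part of the original mail or of Buildroot; its function names are made up here, and it assumes a `.config` written before the patch carries no `BR2_PACKAGE_LIBSSH2_*` choice symbol, so the first choice entry (mbedtls) is used.

```shell
#!/bin/sh
# Compare the libssh2 crypto backend a Buildroot .config got before the patch
# with the one it gets after it, so a silent backend switch shows up on update.

# has_sym FILE SYMBOL: true when FILE contains the exact line "SYMBOL=y".
has_sym() {
    grep -q "^$2=y\$" "$1"
}

# Pre-patch libssh2.mk priority order: mbedtls, then libgcrypt, else openssl.
old_backend() {
    if has_sym "$1" BR2_PACKAGE_MBEDTLS; then echo mbedtls
    elif has_sym "$1" BR2_PACKAGE_LIBGCRYPT; then echo libgcrypt
    else echo openssl
    fi
}

# Post-patch: the explicit choice symbol decides. Assumption: a config with no
# choice symbol predates the patch and ends up on the first entry, mbedtls.
new_backend() {
    if has_sym "$1" BR2_PACKAGE_LIBSSH2_MBEDTLS; then echo mbedtls
    elif has_sym "$1" BR2_PACKAGE_LIBSSH2_LIBGCRYPT; then echo libgcrypt
    elif has_sym "$1" BR2_PACKAGE_LIBSSH2_OPENSSL; then echo openssl
    else echo mbedtls
    fi
}

# check_config FILE: print whether the backend stays the same across the update.
check_config() {
    has_sym "$1" BR2_PACKAGE_LIBSSH2 || { echo "libssh2 not enabled"; return 0; }
    old=$(old_backend "$1")
    new=$(new_backend "$1")
    if [ "$old" = "$new" ]; then echo "unchanged: $new"
    else echo "CHANGED: $old -> $new"
    fi
}

# Constructed sample: a pre-patch .config with openssl enabled next to libssh2.
sample=$(mktemp)
printf '%s\n' 'BR2_PACKAGE_OPENSSL=y' 'BR2_PACKAGE_LIBSSH2=y' > "$sample"
check_config "$sample"
rm -f "$sample"
```

A `CHANGED` result for a configuration that relies on password-encrypted keys, the case discussed at the top of the thread, means the backend has to be set explicitly in the new choice menu.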

