[Buildroot] [PATCH v4 1/1] package/libssh2: Add selectable crypto libraries
Peter Korsgaard
peter at korsgaard.com
Sun Nov 5 08:01:09 UTC 2017
>>>>> "Arnout" == Arnout Vandecappelle <arnout at mind.be> writes:
> On 01-11-17 17:22, Sam Voss wrote:
>> Currently, the selection of the backend is based on a priority order,
>> which is not always desirable: not all features are available for all
>> backends, as reported upstream:
>> https://github.com/libssh2/libssh2/issues/213
> OK, so finally an indirect explanation for why you need this. For people who
> don't want to follow the link, here it is (Sam, correct me if I misinterpreted
> the issue): apparently, libgcrypt is not able to use a password-encrypted
> certificate generated by openssl. So really, it's a shortcoming of libgcrypt. If
> you need to use such a certificate with libssh2, you have no choice but to use
> the openssl backend.
> And I can imagine that there will be other situations where one of the backends
> is missing some feature - not so much in the crypto supported, but rather in the
> fringe aspects like reading certificates or whatnot.
Ahh, yes - That also wasn't clear to me.
>> +++ b/package/libssh2/Config.in
>> @@ -1,6 +1,5 @@
>> config BR2_PACKAGE_LIBSSH2
>> bool "libssh2"
>> - select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_MBEDTLS || BR2_PACKAGE_LIBGCRYPT)
>> help
>> libssh2 is a client-side C library implementing the SSH2
>> protocol as defined by Internet Drafts: SECSH-TRANS(22),
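Review bot: Dropping `select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_MBEDTLS || BR2_PACKAGE_LIBGCRYPT)` from BR2_PACKAGE_LIBSSH2 removes the only line in this entry that guaranteed a crypto library is enabled. That guarantee now rests entirely on the choice entries added further down, and a configuration that relied on the openssl fallback no longer gets openssl from this entry. Either keep this line and have the choice entries use `depends on`, or state in the commit message that the fallback moves into the choice and describe the behaviour change for existing configurations.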
>> @@ -8,3 +7,26 @@ config BR2_PACKAGE_LIBSSH2
>> SECSH-FILEXFER(06)*, SECSH-DHGEX(04), and SECSH-NUMBERS(10)
>>
>> http://www.libssh2.org/
>> +
>> +if BR2_PACKAGE_LIBSSH2
>> +
>> +choice
>> + prompt "Crypto Backend"
>> + help
>> + Select crypto library to be used in libssh2.
>> +
>> +config BR2_PACKAGE_LIBSSH2_MBEDTLS
>> + bool "mbedtls"
>> + select BR2_PACKAGE_MBEDTLS
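Review bot: The `choice` has no `default` line, so Kconfig falls back to the first visible entry, BR2_PACKAGE_LIBSSH2_MBEDTLS, whose `select BR2_PACKAGE_MBEDTLS` then enables mbedtls even when another crypto library is already part of the configuration. Add `default` lines keyed on the libraries that are already enabled so the backend follows the existing configuration. The one-line help under "Crypto Backend" should also say that the backends differ in supported features, since that is the reason the commit message gives for making the backend selectable.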
> Note that this changes the defaults we had previously. If openssl was already
> selected and you select libssh2, then openssl would be used as a backend. Now,
> the default is mbedtls, so if you don't take any action, it will be mbedtls.
> This does affect people updating Buildroot, so it needs to be mentioned in CHANGES.
Why don't we just keep the old logic instead? E.G. leave the select
openssl if !(mbedtls || libgcrypt) and then change the selects to
depends on in the choice:
choice
config BR2_PACKAGE_LIBSSH2_MBEDTLS
	bool "mbedtls"
	depends on BR2_PACKAGE_MBEDTLS
...
Doesn't that give us the best of both worlds? Same behaviour as before
by default and still the option to explicitly choose when multiple
backends are available?
--
Bye, Peter Korsgaard