[Buildroot] [PATCH v4 1/1] package/libssh2: Add selectable crypto libraries

Peter Korsgaard peter at korsgaard.com
Sun Nov 5 08:01:09 UTC 2017


>>>>> "Arnout" == Arnout Vandecappelle <arnout at mind.be> writes:

 > On 01-11-17 17:22, Sam Voss wrote:
 >> Currently, the selection of the backend is based on a priority order,
 >> which is not always desirable: not all features are available for all
 >> backends, as reported upstream:
 >> https://github.com/libssh2/libssh2/issues/213

 >  OK, so finally an indirect explanation for why you need this. For people who
 > don't want to follow the link, here it is (Sam, correct me if I misinterpreted
 > the issue): apparently, libgcrypt is not able to use a password-encrypted
 > certificate generated by openssl. So really, it's a shortcoming of libgcrypt. If
 > you need to use such a certificate with libssh2, you have no choice but to use
 > the openssl backend.

 >  And I can imagine that there will be other situations where one of the backends
 > is missing some feature - not so much in the crypto supported, but rather in the
 > fringe aspects like reading certificates or whatnot.

Ahh, yes - That also wasn't clear to me.

>> +++ b/package/libssh2/Config.in
 >> @@ -1,6 +1,5 @@
 >> config BR2_PACKAGE_LIBSSH2
 >> bool "libssh2"
 >> -	select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_MBEDTLS || BR2_PACKAGE_LIBGCRYPT)
 >> help
 >> libssh2 is a client-side C library implementing the SSH2
 >> protocol as defined by Internet Drafts: SECSH-TRANS(22),
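Review bot: Missing documentation for the dropped `select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_MBEDTLS || BR2_PACKAGE_LIBGCRYPT)` line in the `BR2_PACKAGE_LIBSSH2` entry: that line was what pulled in a crypto library when neither mbedtls nor libgcrypt was enabled, and the help text of the entry says nothing about a backend now having to be picked elsewhere. Either keep the select as a fallback, or add a sentence to the help text pointing at the backend choice so the dependency is not left implicit.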
 >> @@ -8,3 +7,26 @@ config BR2_PACKAGE_LIBSSH2
 >> SECSH-FILEXFER(06)*, SECSH-DHGEX(04), and SECSH-NUMBERS(10)
 >> 
 >> http://www.libssh2.org/
 >> +
 >> +if BR2_PACKAGE_LIBSSH2
 >> +
 >> +choice
 >> +	prompt "Crypto Backend"
 >> +	help
 >> +	  Select crypto library to be used in libssh2.
 >> +
 >> +config BR2_PACKAGE_LIBSSH2_MBEDTLS
 >> +	bool "mbedtls"
 >> +	select BR2_PACKAGE_MBEDTLS
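Review bot: The choice opened at `prompt "Crypto Backend"` has no `default` line in the part shown, so Kconfig falls back to the first entry, `BR2_PACKAGE_LIBSSH2_MBEDTLS`, even when a different crypto library is already enabled in the configuration. Add explicit `default` lines conditioned on the libraries that are already selected, so that an existing configuration keeps its backend across an update. The help text `Select crypto library to be used in libssh2.` could also say that the backends differ in supported features, since that is the stated reason for making the backend selectable.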

 >  Note that this changes the defaults we had previously. If openssl was already
 > selected and you select libssh2, then openssl would be used as a backend. Now,
 > the default is mbedtls, so if you don't take any action, it will be mbedtls.

 >  This does affect people updating Buildroot, so it needs to be mentioned in CHANGES.

Why don't we just keep the old logic instead? E.g. leave the select
openssl if !(mbedtls || libgcrypt) and then change the selects to
depends on in the choice:

choice

config BR2_PACKAGE_LIBSSH2_MBEDTLS
       bool "mbedtls"
       depends on BR2_PACKAGE_MBEDTLS

...

Doesn't that give us the best of both worlds? Same behaviour as before
by default and still the option to explicitly choose when multiple
backends are available?

-- 
Bye, Peter Korsgaard

