[Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Sat May 9 19:24:16 UTC 2020
Hello Erwan,
On Wed, 6 May 2020 07:59:19 +0200
Erwan GAUTRON <erwan.gautron at bertin.fr> wrote:
> Openssl implements lot of algorithms that are not required in
> some emdedded devices and cyphers known as weak.
> Secure embedded systems shall disable unused algorithms (and weak algo)
> in order to be certified.
> This patch allows to select algorithms and mecanims to disable
> such as md5
>
> Signed-off-by: Erwan GAUTRON <erwan.gautron at bertin.fr>
Thanks for your patch!
> +config BR2_PACKAGE_LIBOPENSSL_NO_CHACHA
> + bool "openssl no cipher CHACHA"
> + help
> + Remove CHACHA cipher in libopenssl.
I think it is quite odd to have inverted boolean options, i.e that
disable a feature when the option is enabled. Could we turn them
around, so that they use positive logic ? Of course, that means adding
a "default y" to keep backward compatibility, unless we decide that all
those ciphers are really dangerous (many of them are!) and disable them
by default.
> +config BR2_PACKAGE_LIBOPENSSL_NO_COMP
> + bool "openssl no compression"
> + help
> + Remove compression in libopenssl.
> +
> +config BR2_PACKAGE_LIBOPENSSL_NO_ZLIB
> + bool "zlib no compression"
> + help
> + Remove zlib in libopenssl.
Do these options allow to drop the zlib dependency of libopenssl ? If
so, we should do this and make the zlib dependency optional.
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
More information about the buildroot
mailing list