[Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features

GAUTRON, Erwan erwan.gautron at bertin.fr
Mon May 11 06:25:32 UTC 2020


Hello Thomas,
Thanks for your comments.
I will implement them and submit a new patch.

Regards,

Erwan
------------------------------------------------------------------------------


From: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
Sent: Saturday, 9 May 2020 21:24
To: GAUTRON, Erwan <erwan.gautron at bertin.fr>
Cc: buildroot at buildroot.org <buildroot at buildroot.org>; Matt Weber <matthew.weber at rockwellcollins.com>
Subject: Re: [Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features

 


Hello Erwan,



On Wed,  6 May 2020 07:59:19 +0200
Erwan GAUTRON <erwan.gautron at bertin.fr> wrote:



> OpenSSL implements a lot of algorithms that are not required in
> some embedded devices and cyphers known as weak.
> Secure embedded systems shall disable unused algorithms (and weak algo)
> in order to be certified.
> This patch allows selecting algorithms and mechanisms to disable
> such as md5
>
> Signed-off-by: Erwan GAUTRON <erwan.gautron at bertin.fr>



Thanks for your patch!



> +config BR2_PACKAGE_LIBOPENSSL_NO_CHACHA

> +     bool "openssl no cipher CHACHA"

> +     help

> +       Remove CHACHA cipher in libopenssl.
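
Review bot: the help text for BR2_PACKAGE_LIBOPENSSL_NO_CHACHA ("Remove CHACHA cipher in libopenssl.") only restates the prompt. The commit message gives two separate reasons for disabling an algorithm, that it is unused or that it is known to be weak, and the help does not say which one applies to this cipher, so someone hardening an image cannot tell from menuconfig what leaving the option off costs them. Suggest the help state the reason and what stops working on the target once the cipher is removed.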



I think it is quite odd to have inverted boolean options, i.e. that
disable a feature when the option is enabled. Could we turn them
around, so that they use positive logic? Of course, that means adding
a "default y" to keep backward compatibility, unless we decide that all
those ciphers are really dangerous (many of them are!) and disable them
by default.



> +config BR2_PACKAGE_LIBOPENSSL_NO_COMP

> +     bool "openssl no compression"

> +     help

> +       Remove compression in libopenssl.

> +

> +config BR2_PACKAGE_LIBOPENSSL_NO_ZLIB

> +     bool "zlib no compression"

> +     help

> +       Remove zlib in libopenssl.
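
Review bot: the prompt on BR2_PACKAGE_LIBOPENSSL_NO_ZLIB, "zlib no compression", breaks the "openssl no ..." pattern of the other prompts and reads as if it configured the zlib package rather than libopenssl. The two help texts ("Remove compression in libopenssl." and "Remove zlib in libopenssl.") also do not say how the options differ or whether one implies the other. Suggest rewording the prompt, spelling out the difference in the help, and adding a depends on or select between the two symbols if enabling only one of them is not meaningful.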



Do these options allow us to drop the zlib dependency of libopenssl? If
so, we should do this and make the zlib dependency optional.



Thanks!



Thomas

-- 

Thomas Petazzoni, CTO, Bootlin

Embedded Linux and Kernel engineering

https://bootlin.com


