* [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists
@ 2017-07-05 8:11 kai.kang
2017-07-05 8:11 ` [PATCH 01/10] Set packages conflict with distro feature openssl-no-weak-ciphers kai.kang
` (10 more replies)
0 siblings, 11 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05 8:11 UTC (permalink / raw)
To: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Patches to add distro feature openssl-no-weak-ciphers have been sent to oe-core.
Jackie Huang (1):
net-snmp: disable des for openssl-no-weak-ciphers
Kai Kang (9):
Set packages conflict with distro feature openssl-no-weak-ciphers
hostapd: disable configs depends on des if openssl not support
krb5: toggle configure option pkinit
libp11: fix compile error if OPENSSL_NO_EC defined
opensc: add PACKAGECONFIG openssl
uftp: set NO_EC if openssl not support ec
stunnel: fix compile error when openssl disable des support
poco: disable package configs NetSSL and Crypto
postgresql: configure without openssl if openssl disable weak ciphers
.../freeradius/freeradius_3.0.14.bb | 5 +-
.../recipes-daemons/openhpi/openhpi_3.6.1.bb | 5 +-
.../net-snmp/net-snmp-fix-for-disable-des.patch | 32 +++++++++++++
.../recipes-protocols/net-snmp/net-snmp_5.7.3.bb | 5 +-
.../recipes-support/dovecot/dovecot_2.2.29.bb | 4 +-
.../ipsec-tools/ipsec-tools_0.8.2.bb | 4 +-
.../recipes-support/openvpn/openvpn_2.4.2.bb | 4 +-
.../stunnel/stunnel/fix-openssl-no-des.patch | 54 ++++++++++++++++++++++
.../recipes-support/stunnel/stunnel_5.35.bb | 4 +-
meta-networking/recipes-support/uftp/uftp_4.9.3.bb | 2 +
.../recipes-connectivity/hostapd/hostapd_2.6.bb | 16 +++++++
meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb | 4 +-
.../recipes-connectivity/wvdial/wvstreams_4.6.1.bb | 5 +-
meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb | 5 ++
.../recipes-extended/cfengine/cfengine_3.9.0.bb | 4 +-
meta-oe/recipes-extended/mailx/mailx_12.5-5.bb | 5 +-
meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb | 4 +-
meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb | 2 +
meta-oe/recipes-support/freerdp/freerdp_git.bb | 4 +-
...-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch | 46 ++++++++++++++++++
meta-oe/recipes-support/libp11/libp11_0.4.0.bb | 4 +-
meta-oe/recipes-support/opensc/opensc_0.16.0.bb | 5 ++
meta-oe/recipes-support/poco/poco_1.7.8.bb | 1 +
meta-oe/recipes-support/postgresql/postgresql.inc | 2 +
.../python/python-cryptography.inc | 4 +-
25 files changed, 215 insertions(+), 15 deletions(-)
create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-fix-for-disable-des.patch
create mode 100644 meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
create mode 100644 meta-oe/recipes-support/libp11/libp11/0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch
--
2.10.1
* [PATCH 01/10] Set packages conflict with distro feature openssl-no-weak-ciphers
2017-07-05 8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
@ 2017-07-05 8:11 ` kai.kang
2017-07-05 8:11 ` [meta-networking][PATCH 02/10] net-snmp: disable des for openssl-no-weak-ciphers kai.kang
` (9 subsequent siblings)
10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05 8:11 UTC (permalink / raw)
To: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Distro feature openssl-no-weak-ciphers is introduced to disable
openssl weak ciphers such as des, md2 etc. So set packages which could
not work if openssl disable weak ciphers conflict with distro feature
openssl-no-weak-ciphers.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
meta-networking/recipes-connectivity/freeradius/freeradius_3.0.14.bb | 5 ++++-
meta-networking/recipes-daemons/openhpi/openhpi_3.6.1.bb | 5 ++++-
meta-networking/recipes-support/dovecot/dovecot_2.2.29.bb | 4 +++-
meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb | 4 +++-
meta-networking/recipes-support/openvpn/openvpn_2.4.2.bb | 4 +++-
meta-oe/recipes-connectivity/wvdial/wvstreams_4.6.1.bb | 5 ++++-
meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb | 5 +++++
meta-oe/recipes-extended/cfengine/cfengine_3.9.0.bb | 4 +++-
meta-oe/recipes-extended/mailx/mailx_12.5-5.bb | 5 ++++-
meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb | 4 +++-
meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb | 2 ++
meta-oe/recipes-support/freerdp/freerdp_git.bb | 4 +++-
meta-python/recipes-devtools/python/python-cryptography.inc | 4 +++-
13 files changed, 44 insertions(+), 11 deletions(-)
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.14.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.14.bb
index 6971b03..18b12d9 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.14.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.14.bb
@@ -84,7 +84,10 @@ PACKAGECONFIG[python] = "--with-rlm_python --with-rlm-python-bin=${STAGING_BINDI
PACKAGECONFIG[rest] = "--with-rlm_rest,--without-rlm_rest,curl json-c"
PACKAGECONFIG[ruby] = "--with-rlm_ruby,--without-rlm_ruby,ruby"
-inherit useradd autotools-brokensep update-rc.d systemd
+inherit useradd autotools-brokensep update-rc.d systemd distro_features_check
+
+# requires openssl ec support
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
# This is not a cpan or python based package, but it needs some definitions
# from cpan-base and python-dir bbclasses for building rlm_perl and rlm_python
diff --git a/meta-networking/recipes-daemons/openhpi/openhpi_3.6.1.bb b/meta-networking/recipes-daemons/openhpi/openhpi_3.6.1.bb
index db2a24a..4d6c3fb 100644
--- a/meta-networking/recipes-daemons/openhpi/openhpi_3.6.1.bb
+++ b/meta-networking/recipes-daemons/openhpi/openhpi_3.6.1.bb
@@ -45,7 +45,10 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.gz \
SRC_URI[md5sum] = "4718b16e0f749b5ad214a9b04f45dd23"
SRC_URI[sha256sum] = "e0a810cb401c4bdcfc9551f2e6afd5a8ca4b411f5ee3bc60c19f82fd6e84a3dc"
-inherit autotools pkgconfig ptest update-rc.d systemd
+inherit autotools pkgconfig ptest update-rc.d systemd distro_features_check
+
+# requires net-snmp enable des and openssl md2 support
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
PACKAGES =+ "${PN}-libs"
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.29.bb b/meta-networking/recipes-support/dovecot/dovecot_2.2.29.bb
index b2a3de3..ff2598e 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.2.29.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.29.bb
@@ -18,7 +18,9 @@ DEPENDS_append_libc-musl = " libtirpc"
CFLAGS_append_libc-musl = " -I${STAGING_INCDIR}/tirpc"
LDFLAGS_append_libc-musl = " -ltirpc"
-inherit autotools pkgconfig systemd useradd
+inherit autotools pkgconfig systemd useradd distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ldap pam', d)}"
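Review bot: The CONFLICT_DISTRO_FEATURES line added after the inherit carries no comment saying which OpenSSL algorithm dovecot needs, unlike the freeradius and openhpi hunks earlier in this patch ("# requires openssl ec support"). Add the same one-line reason here so the conflict can be lifted once that dependency is gone, and say in the commit message whether a configure switch was tried before excluding the whole recipe.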
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb b/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
index d7e8b25..7f4bc4c 100644
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
@@ -28,7 +28,9 @@ SRC_URI = "http://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-${P
SRC_URI[md5sum] = "d53ec14a0a3ece64e09e5e34b3350b41"
SRC_URI[sha256sum] = "8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d"
-inherit autotools systemd
+inherit autotools systemd distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
# Options:
# --enable-adminport enable admin port
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.4.2.bb b/meta-networking/recipes-support/openvpn/openvpn_2.4.2.bb
index ae72671..9f5b9f5 100644
--- a/meta-networking/recipes-support/openvpn/openvpn_2.4.2.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.4.2.bb
@@ -5,7 +5,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=e9b64491ec98eb6c6493ac5e4118f107"
DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
-inherit autotools systemd
+inherit autotools systemd distro_features_check
SRC_URI = "http://swupdate.openvpn.org/community/releases/openvpn-${PV}.tar.gz \
file://openvpn \
@@ -15,6 +15,8 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/openvpn-${PV}.tar.gz \
SRC_URI[md5sum] = "0714019e109a043e858278c9e2ca18e0"
SRC_URI[sha256sum] = "b24740c9d44a81eaf2befc4846d51445a520104321e32aaf0c135ed2e098a624"
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
+
SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service"
SYSTEMD_AUTO_ENABLE = "disable"
diff --git a/meta-oe/recipes-connectivity/wvdial/wvstreams_4.6.1.bb b/meta-oe/recipes-connectivity/wvdial/wvstreams_4.6.1.bb
index 607a617..dcd86a2 100644
--- a/meta-oe/recipes-connectivity/wvdial/wvstreams_4.6.1.bb
+++ b/meta-oe/recipes-connectivity/wvdial/wvstreams_4.6.1.bb
@@ -17,7 +17,10 @@ SRC_URI = "http://${BPN}.googlecode.com/files/${BP}.tar.gz \
SRC_URI[md5sum] = "2760dac31a43d452a19a3147bfde571c"
SRC_URI[sha256sum] = "8403f5fbf83aa9ac0c6ce15d97fd85607488152aa84e007b7d0621b8ebc07633"
-inherit autotools-brokensep pkgconfig
+inherit autotools-brokensep pkgconfig distro_features_check
+
+# requires openssl des support
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
PARALLEL_MAKE = ""
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb b/meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb
index 7fde778..83c917a 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb
@@ -17,6 +17,11 @@ SRC_URI[sha256sum] = "d84e7544c2e31a2d0825b4f8b093d169bf8bdb1881ee8cf75ff937918e
S = "${WORKDIR}/node-v${PV}"
+inherit distro_features_check
+
+# requires openssl des support
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
+
# v8 errors out if you have set CCACHE
CCACHE = ""
diff --git a/meta-oe/recipes-extended/cfengine/cfengine_3.9.0.bb b/meta-oe/recipes-extended/cfengine/cfengine_3.9.0.bb
index 4aa8ded..9d0c553 100644
--- a/meta-oe/recipes-extended/cfengine/cfengine_3.9.0.bb
+++ b/meta-oe/recipes-extended/cfengine/cfengine_3.9.0.bb
@@ -23,7 +23,7 @@ SRC_URI = "https://cfengine-package-repos.s3.amazonaws.com/tarballs/${BP}.tar.gz
SRC_URI[md5sum] = "63da39655cfca30ca885fcc4a1bf8aa4"
SRC_URI[sha256sum] = "32a38aedf1199c2361e1335e0d4a1d98f9efa7cd591bcb647f35c7395bb66f2d"
-inherit autotools systemd
+inherit autotools systemd distro_features_check
export EXPLICIT_VERSION="${PV}"
@@ -68,3 +68,5 @@ EOF
}
RDEPENDS_${PN} += "${BPN}-masterfiles"
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
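Review bot: CONFLICT_DISTRO_FEATURES is appended at the very end of the recipe, after RDEPENDS_${PN}, while the distro_features_check inherit it depends on is changed in the previous hunk near the top of the file. Every other recipe in this patch keeps the two together; move the assignment next to the inherit line and add a comment naming the cipher cfengine requires.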
diff --git a/meta-oe/recipes-extended/mailx/mailx_12.5-5.bb b/meta-oe/recipes-extended/mailx/mailx_12.5-5.bb
index 9dd710a..b9eb607 100644
--- a/meta-oe/recipes-extended/mailx/mailx_12.5-5.bb
+++ b/meta-oe/recipes-extended/mailx/mailx_12.5-5.bb
@@ -33,7 +33,10 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>((\d+\.*)+)-((\d+\.*)+))\.(diff|debian\.tar)\.(
S = "${WORKDIR}/heirloom-mailx-12.5"
-inherit autotools-brokensep
+inherit autotools-brokensep distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
+
CFLAGS_append = " -D_BSD_SOURCE -DDEBIAN -I${S}/EXT"
diff --git a/meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb b/meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb
index 90f0216..b4d7d1e 100644
--- a/meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb
+++ b/meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb
@@ -5,7 +5,9 @@ DEPENDS = "babl librsvg glib-2.0 gtk+ pango cairo expat zlib libpng jpeg virtual
EXTRA_OECONF = "--disable-docs"
-inherit gnomebase vala gobject-introspection
+inherit gnomebase vala gobject-introspection distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
PACKAGECONFIG ??= ""
PACKAGECONFIG[jasper] = "--with-jasper,--without-jasper,jasper"
diff --git a/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb b/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb
index b047bc4..f46855a 100644
--- a/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb
+++ b/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb
@@ -21,6 +21,8 @@ DEPENDS = "openssl virtual/libx11 libxext jpeg zlib libxfixes libxrandr libxdama
inherit autotools-brokensep distro_features_check
# depends on virtual/libx11
REQUIRED_DISTRO_FEATURES = "x11"
+# requires opens des support
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'zeroconf', 'avahi', '', d)} libvncserver"
PACKAGECONFIG[avahi] = "--with-avahi,--without-avahi,avahi"
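Review bot: The added comment reads "# requires opens des support"; it should say "openssl", matching the wording used in the wvstreams and nodejs hunks of this patch.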
diff --git a/meta-oe/recipes-support/freerdp/freerdp_git.bb b/meta-oe/recipes-support/freerdp/freerdp_git.bb
index f2d0a4d..8825790 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_git.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_git.bb
@@ -8,7 +8,9 @@ SECTION = "net"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-inherit pkgconfig cmake gitpkgv
+inherit pkgconfig cmake gitpkgv distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
PV = "1.2.5+gitr${SRCPV}"
PKGV = "${GITPKGVTAG}"
diff --git a/meta-python/recipes-devtools/python/python-cryptography.inc b/meta-python/recipes-devtools/python/python-cryptography.inc
index 9a74e8e..6f0c9ef 100644
--- a/meta-python/recipes-devtools/python/python-cryptography.inc
+++ b/meta-python/recipes-devtools/python/python-cryptography.inc
@@ -41,7 +41,9 @@ RDEPENDS_${PN}-ptest += " \
${PYTHON_PN}-pytest \
"
-inherit ptest
+inherit ptest distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
do_install_ptest() {
install -d ${D}${PTEST_PATH}/tests
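Review bot: The inherit and CONFLICT_DISTRO_FEATURES are added to python-cryptography.inc, so every recipe that includes this file is skipped when the feature is set, and the hunk gives no reason. Add a comment stating which OpenSSL algorithm the build needs, and mention in the commit message that recipes depending on python-cryptography become unbuildable under openssl-no-weak-ciphers.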
--
2.10.1
* [meta-networking][PATCH 02/10] net-snmp: disable des for openssl-no-weak-ciphers
2017-07-05 8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
2017-07-05 8:11 ` [PATCH 01/10] Set packages conflict with distro feature openssl-no-weak-ciphers kai.kang
@ 2017-07-05 8:11 ` kai.kang
2017-07-05 8:11 ` [meta-oe][PATCH 03/10] hostapd: disable configs depends on des if openssl not support kai.kang
` (8 subsequent siblings)
10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05 8:11 UTC (permalink / raw)
To: openembedded-devel
From: Jackie Huang <jackie.huang@windriver.com>
net-snmp enables des support by default and fails to build with distro
feature openssl-no-weak-ciphers:
| ../../net-snmp-5.7.3/snmplib/scapi.c:82:25: fatal error: openssl/des.h: No such file or directory
| #include <openssl/des.h>
To fix the issue:
* add a patch to include des.h only if it's found in openssl
* disable des when openssl-no-weak-ciphers is enabled
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
.../net-snmp/net-snmp-fix-for-disable-des.patch | 32 ++++++++++++++++++++++
.../recipes-protocols/net-snmp/net-snmp_5.7.3.bb | 5 +++-
2 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-fix-for-disable-des.patch
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-fix-for-disable-des.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-fix-for-disable-des.patch
new file mode 100644
index 0000000..25eb9c9
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-fix-for-disable-des.patch
@@ -0,0 +1,32 @@
+From 270e952f58a7e5ddeabe5a15e3ddaaadf40017d0 Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Thu, 22 Jun 2017 10:25:08 +0800
+Subject: [PATCH] net-snmp: fix for --disable-des
+
+Include des.h only if it's found in openssl so that
+the --disable-des works correctly.
+
+Upstream-Status: Submitted [net-snmp-coders@lists.sourceforge.net]
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ snmplib/scapi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/snmplib/scapi.c b/snmplib/scapi.c
+index 16ac829..271684b 100644
+--- a/snmplib/scapi.c
++++ b/snmplib/scapi.c
+@@ -79,7 +79,9 @@ netsnmp_feature_child_of(usm_scapi, usm_support)
+ #include <openssl/hmac.h>
+ #include <openssl/evp.h>
+ #include <openssl/rand.h>
++#ifdef HAVE_OPENSSL_DES_H
+ #include <openssl/des.h>
++#endif
+ #ifdef HAVE_AES
+ #include <openssl/aes.h>
+ #endif
+--
+2.11.0
+
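Review bot: The new guard around the openssl/des.h include in snmplib/scapi.c tests HAVE_OPENSSL_DES_H, but nothing in this patch adds a configure check that would define that macro. If configure does not already probe for openssl/des.h, the header is never included and builds that do want DES break; either add the header check to the patch or test OPENSSL_NO_DES, as the stunnel patch in this series does.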
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
index 2d6887e..d3e72b2 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
@@ -30,6 +30,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.zip \
file://0002-configure-fix-a-cc-check-issue.patch \
file://0003-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch \
file://0004-configure-fix-incorrect-variable.patch \
+ file://net-snmp-fix-for-disable-des.patch \
"
SRC_URI[md5sum] = "9f682bd70c717efdd9f15b686d07baee"
SRC_URI[sha256sum] = "e8dfc79b6539b71a6ff335746ce63d2da2239062ad41872fff4354cafed07a3e"
@@ -58,7 +59,9 @@ EXTRA_OECONF = "--enable-shared \
--with-defaults \
--with-install-prefix=${D} \
--with-persistent-directory=${localstatedir}/lib/net-snmp \
- ${@base_conditional('SITEINFO_ENDIANNESS', 'le', '--with-endianness=little', '--with-endianness=big', d)}"
+ ${@base_conditional('SITEINFO_ENDIANNESS', 'le', '--with-endianness=little', '--with-endianness=big', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', '--disable-des', '', d)} \
+"
# net-snmp needs to have mib-modules=smux enabled to enable quagga to support snmp
EXTRA_OECONF += "--with-mib-modules=smux"
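Review bot: --disable-des is wired straight to the distro feature inside EXTRA_OECONF, so a layer or local.conf cannot switch DES off (or keep it) independently. A PACKAGECONFIG[des] entry whose default is derived from DISTRO_FEATURES would keep this overridable, and the commit message should state what net-snmp loses when DES is disabled.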
--
2.10.1
* [meta-oe][PATCH 03/10] hostapd: disable configs depends on des if openssl not support
2017-07-05 8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
2017-07-05 8:11 ` [PATCH 01/10] Set packages conflict with distro feature openssl-no-weak-ciphers kai.kang
2017-07-05 8:11 ` [meta-networking][PATCH 02/10] net-snmp: disable des for openssl-no-weak-ciphers kai.kang
@ 2017-07-05 8:11 ` kai.kang
2017-07-05 8:11 ` [meta-oe][PATCH 04/10] krb5: toggle configure option pkinit kai.kang
` (7 subsequent siblings)
10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05 8:11 UTC (permalink / raw)
To: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Distro feature 'openssl-no-weak-ciphers' is introduced to disable
openssl weak ciphers support which include des. Check the distro feature
to disable hostapd configs which depend on des.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
meta-oe/recipes-connectivity/hostapd/hostapd_2.6.bb | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.6.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.6.bb
index 3b74f48..4a7275d 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.6.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.6.bb
@@ -26,6 +26,22 @@ do_configure() {
}
do_compile() {
+ COMMENT="# Disable configs depend on DES"
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'true', 'false', d)} \
+ && ! grep -q "$COMMENT" ${B}/.config; then
+ echo >> ${B}/.config
+ echo "$COMMENT" >> ${B}/.config
+ for config in CONFIG_EAP_MSCHAPV2 CONFIG_EAP_PEAP CONFIG_EAP_IKEV2 \
+ CONFIG_EAP_TLS CONFIG_EAP_UNAUTH_TLS CONFIG_EAP_TTLS \
+ CONFIG_EAP_FAST CONFIG_INTERNAL_LIBTOMMATH; do
+ sed -i -e "s/^$config=.*/#&/" ${B}/.config
+ echo "$config=n" >>${B}/.config
+ done
+
+ sed -i 's/^CONFIG_TLS=.*/#&/' ${B}/.config
+ echo 'CONFIG_TLS=internal' >>${B}/.config
+ fi
+
export CFLAGS="-MMD -O2 -Wall -g -I${STAGING_INCDIR}/libnl3"
make
}
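Review bot: The .config rewrite is placed in do_compile and needs the grep on "$COMMENT" to avoid appending twice when the task reruns; editing the build configuration belongs in do_configure, which the hunk header shows directly above. The loop also turns off CONFIG_EAP_TLS, CONFIG_EAP_PEAP and CONFIG_EAP_TTLS and the last two lines switch CONFIG_TLS to internal, which is far wider than "configs depend on DES"; the commit message should say that these EAP methods and the OpenSSL TLS backend are dropped. Please also confirm that the hostapd build treats "$config=n" as disabled rather than as a defined option; commenting the line out without appending a value would avoid the question.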
--
2.10.1
* [meta-oe][PATCH 04/10] krb5: toggle configure option pkinit
2017-07-05 8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
` (2 preceding siblings ...)
2017-07-05 8:11 ` [meta-oe][PATCH 03/10] hostapd: disable configs depends on des if openssl not support kai.kang
@ 2017-07-05 8:11 ` kai.kang
2017-07-05 8:11 ` [meta-oe][PATCH 05/10] libp11: fix compile error if OPENSSL_NO_EC defined kai.kang
` (6 subsequent siblings)
10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05 8:11 UTC (permalink / raw)
To: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Toggle configure option pkinit of krb5 according to distro feature
openssl-no-weak-ciphers. openssl-no-weak-ciphers is introduced to
disable openssl weak ciphers support which include des. It could not
build plugin pkinit without openssl des support.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
index 61cdd60..013a7e1 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
@@ -43,7 +43,9 @@ PACKAGECONFIG[keyutils] = "--enable-keyutils,--disable-keyutils,keyutils"
PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap"
PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
-EXTRA_OECONF += " --without-tcl --with-system-et --disable-rpath"
+EXTRA_OECONF += "--without-tcl --with-system-et --disable-rpath \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', '--disable-pkinit', '--enable-pkinit', d)} \
+ "
CACHED_CONFIGUREVARS += "krb5_cv_attr_constructor_destructor=yes ac_cv_func_regcomp=yes \
ac_cv_printf_positional=yes ac_cv_file__etc_environment=yes \
ac_cv_file__etc_TIMEZONE=no"
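Review bot: pkinit is toggled inline in EXTRA_OECONF although the recipe already models optional features as PACKAGECONFIG entries (keyutils, ldap, readline in the context lines). A PACKAGECONFIG[pkinit] = "--enable-pkinit,--disable-pkinit" entry with its default derived from DISTRO_FEATURES would match the file's style and let users override it; the commit message should also note that the pkinit plugin is not built under this feature.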
--
2.10.1
* [meta-oe][PATCH 05/10] libp11: fix compile error if OPENSSL_NO_EC defined
2017-07-05 8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
` (3 preceding siblings ...)
2017-07-05 8:11 ` [meta-oe][PATCH 04/10] krb5: toggle configure option pkinit kai.kang
@ 2017-07-05 8:11 ` kai.kang
2017-07-05 8:11 ` [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl kai.kang
` (5 subsequent siblings)
10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05 8:11 UTC (permalink / raw)
To: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Function compute_key_fn src/p11_ec.c uses types EC_POINT and EC_KEY which are
defined in ec.h. If OPENSSL_NO_EC is defined, no header file ec.h exists and
causes compile errors.
../../git/src/p11_ec.c:45:8: error: unknown type name 'EC_POINT'
const EC_POINT *, const EC_KEY *,
^~~~~~~~
../../git/src/p11_ec.c:45:26: error: unknown type name 'EC_KEY'
const EC_POINT *, const EC_KEY *,
^~~~~~
So check OPENSSL_NO_EC earlier in src/p11_ec.c to fix the error.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
...-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch | 46 ++++++++++++++++++++++
meta-oe/recipes-support/libp11/libp11_0.4.0.bb | 4 +-
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-support/libp11/libp11/0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch
diff --git a/meta-oe/recipes-support/libp11/libp11/0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch b/meta-oe/recipes-support/libp11/libp11/0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch
new file mode 100644
index 0000000..180a91f
--- /dev/null
+++ b/meta-oe/recipes-support/libp11/libp11/0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch
@@ -0,0 +1,46 @@
+Upstream-Status: Submitted [https://github.com/OpenSC/libp11]
+
+src/p11_ec.c: check OPENSSL_NO_EC earlier
+
+Function compute_key_fn uses types EC_POINT and EC_KEY which are defined
+in ec.h. If OPENSSL_NO_EC is defined, no header file ec.h exists and
+causes compile errors.
+
+../../git/src/p11_ec.c:45:8: error: unknown type name 'EC_POINT'
+const EC_POINT *, const EC_KEY *,
+ ^~~~~~~~
+../../git/src/p11_ec.c:45:26: error: unknown type name 'EC_KEY'
+const EC_POINT *, const EC_KEY *,
+ ^~~~~~
+So check OPENSSL_NO_EC earlier in src/p11_ec.c.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/p11_ec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/p11_ec.c b/src/p11_ec.c
+index 6b49775..fdf1f59 100644
+--- a/src/p11_ec.c
++++ b/src/p11_ec.c
+@@ -37,6 +37,8 @@
+ #include <openssl/ecdh.h>
+ #endif
+
++#ifndef OPENSSL_NO_EC
++
+ #if OPENSSL_VERSION_NUMBER >= 0x10100004L
+ typedef int (*compute_key_fn)(unsigned char **, size_t *,
+ const EC_POINT *, const EC_KEY *);
+@@ -49,8 +51,6 @@ static compute_key_fn ossl_ecdh_compute_key;
+
+ static int ec_ex_index = 0;
+
+-#ifndef OPENSSL_NO_EC
+-
+ /********** Manage EC ex_data */
+
+ /* NOTE: ECDH also uses ECDSA ex_data and *not* ECDH ex_data */
+--
+2.10.1
+
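Review bot: Moving "#ifndef OPENSSL_NO_EC" above the compute_key_fn typedef also pulls ossl_ecdh_compute_key and ec_ex_index inside the guard; confirm that nothing after the matching #endif in src/p11_ec.c refers to either of them when EC is disabled. The Upstream-Status line names only the repository; link the actual pull request or issue so the patch can be dropped when it is merged.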
diff --git a/meta-oe/recipes-support/libp11/libp11_0.4.0.bb b/meta-oe/recipes-support/libp11/libp11_0.4.0.bb
index d88006c..2961e0a 100644
--- a/meta-oe/recipes-support/libp11/libp11_0.4.0.bb
+++ b/meta-oe/recipes-support/libp11/libp11_0.4.0.bb
@@ -8,7 +8,9 @@ LICENSE = "LGPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=fad9b3332be894bab9bc501572864b29"
DEPENDS = "libtool openssl"
-SRC_URI = "git://github.com/OpenSC/libp11.git"
+SRC_URI = "git://github.com/OpenSC/libp11.git \
+ file://0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch \
+ "
SRCREV = "22de793340ab73cafc92f8238afb51a06d8411c3"
S = "${WORKDIR}/git"
--
2.10.1
* [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl
2017-07-05 8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
` (4 preceding siblings ...)
2017-07-05 8:11 ` [meta-oe][PATCH 05/10] libp11: fix compile error if OPENSSL_NO_EC defined kai.kang
@ 2017-07-05 8:11 ` kai.kang
2017-07-05 16:59 ` Peter Kjellerstedt
2017-07-05 8:11 ` [meta-networking][PATCH 07/10] uftp: set NO_EC if openssl not support ec kai.kang
` (4 subsequent siblings)
10 siblings, 1 reply; 16+ messages in thread
From: kai.kang @ 2017-07-05 8:11 UTC (permalink / raw)
To: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Add PACKAGECONFIG openssl to enable or disable build with openssl for
opensc. Check DISTRO_FEATURE openssl-no-weak-ciphers. If it exists then
remove PACKAGECONFIG openssl for opensc.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
meta-oe/recipes-support/opensc/opensc_0.16.0.bb | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb b/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
index fd67181..fa7c81d 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
@@ -21,6 +21,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
inherit autotools pkgconfig
+PACKAGECONFIG ??= "openssl"
+PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"
+
+PACKAGECONFIG_remove = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'openssl', '', d)}"
+
EXTRA_OECONF = " \
--disable-static \
--enable-openct \
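Review bot: PACKAGECONFIG_remove is applied after all other assignments, so with the distro feature set nobody can re-enable openssl for opensc from a bbappend or local.conf. Compute the default instead, for example PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', '', 'openssl', d)}", and drop the _remove line.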
--
2.10.1
* [meta-networking][PATCH 07/10] uftp: set NO_EC if openssl not support ec
2017-07-05 8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
` (5 preceding siblings ...)
2017-07-05 8:11 ` [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl kai.kang
@ 2017-07-05 8:11 ` kai.kang
2017-07-05 8:11 ` [meta-networking][PATCH 08/10] stunnel: fix compile error when openssl disable des support kai.kang
` (3 subsequent siblings)
10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05 8:11 UTC (permalink / raw)
To: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Distro feature openssl-no-weak-ciphers is introduced to make openssl
disable weak ciphers support which include ec algorithm. So set NO_EC
for uftp if openssl doesn't support ec.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
meta-networking/recipes-support/uftp/uftp_4.9.3.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-networking/recipes-support/uftp/uftp_4.9.3.bb b/meta-networking/recipes-support/uftp/uftp_4.9.3.bb
index 1166f9a..6272792 100644
--- a/meta-networking/recipes-support/uftp/uftp_4.9.3.bb
+++ b/meta-networking/recipes-support/uftp/uftp_4.9.3.bb
@@ -11,6 +11,8 @@ SRC_URI[sha256sum] = "9e9215af0315257c6cc4f40fbc6161057e861be1fff10a38a5564f699e
DEPENDS = "openssl"
+EXTRA_OEMAKE = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'NO_EC=1', '', d)}"
+
do_install () {
oe_runmake install DESTDIR=${D}
}
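Review bot: EXTRA_OEMAKE is assigned with "=", which discards any value the variable already holds, and when the feature is absent it is set to an empty string. Use "+=" so that only NO_EC=1 is added, and note in the commit message where the uftp makefile consumes NO_EC.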
--
2.10.1
* [meta-networking][PATCH 08/10] stunnel: fix compile error when openssl disable des support
2017-07-05 8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
` (6 preceding siblings ...)
2017-07-05 8:11 ` [meta-networking][PATCH 07/10] uftp: set NO_EC if openssl not support ec kai.kang
@ 2017-07-05 8:11 ` kai.kang
2017-07-05 8:11 ` [meta-oe][PATCH 09/10] poco: disable package configs NetSSL and Crypto kai.kang
` (2 subsequent siblings)
10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05 8:11 UTC (permalink / raw)
To: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
When openssl disables des support with configure option 'no-des', it
doesn't provide des related header file and functions. That causes
stunnel to fail to compile. Fix it by checking macro OPENSSL_NO_DES to use
openssl des related library conditionally.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
.../stunnel/stunnel/fix-openssl-no-des.patch | 54 ++++++++++++++++++++++
.../recipes-support/stunnel/stunnel_5.35.bb | 4 +-
2 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
diff --git a/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
new file mode 100644
index 0000000..209b0dd
--- /dev/null
+++ b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
@@ -0,0 +1,54 @@
+Upstream-Status: Pending
+
+When openssl disable des support with configure option 'no-des', it doesn't
+provide des related header file and functions. That causes stunnel compile
+failed. Fix it by checking macro OPENSSL_NO_DES to use openssl des related
+library conditionaly.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+diff --git a/src/common.h b/src/common.h
+index f7d38b0..bf485af 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -471,7 +471,9 @@ extern char *sys_errlist[];
+ #ifndef OPENSSL_NO_MD4
+ #include <openssl/md4.h>
+ #endif /* !defined(OPENSSL_NO_MD4) */
++#ifndef OPENSSL_NO_DES
+ #include <openssl/des.h>
++#endif
+ #ifndef OPENSSL_NO_DH
+ #include <openssl/dh.h>
+ #if OPENSSL_VERSION_NUMBER<0x10100000L
+diff --git a/src/protocol.c b/src/protocol.c
+index 587df09..8198eb6 100644
+--- a/src/protocol.c
++++ b/src/protocol.c
+@@ -66,7 +66,7 @@ NOEXPORT char *imap_server(CLI *, SERVICE_OPTIONS *, const PHASE);
+ NOEXPORT char *nntp_client(CLI *, SERVICE_OPTIONS *, const PHASE);
+ NOEXPORT char *connect_server(CLI *, SERVICE_OPTIONS *, const PHASE);
+ NOEXPORT char *connect_client(CLI *, SERVICE_OPTIONS *, const PHASE);
+-#ifndef OPENSSL_NO_MD4
++#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
+ NOEXPORT void ntlm(CLI *, SERVICE_OPTIONS *);
+ NOEXPORT char *ntlm1();
+ NOEXPORT char *ntlm3(char *, char *, char *, char *);
+@@ -1175,7 +1175,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
+ fd_printf(c, c->remote_fd.fd, "Host: %s", opt->protocol_host);
+ if(opt->protocol_username && opt->protocol_password) {
+ if(!strcasecmp(opt->protocol_authentication, "ntlm")) {
+-#ifndef OPENSSL_NO_MD4
++#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
+ ntlm(c, opt);
+ #else
+ s_log(LOG_ERR, "NTLM authentication is not available");
+@@ -1216,7 +1216,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
+ return NULL;
+ }
+
+-#ifndef OPENSSL_NO_MD4
++#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
+
+ /*
+ * NTLM code is based on the following documentation:
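Review bot: In the src/protocol.c hunks, an OpenSSL built with OPENSSL_NO_DES now compiles NTLM out, and a service configured with protocol_authentication "ntlm" only learns this at run time from the existing #else message "NTLM authentication is not available". Consider extending that message to say NTLM needs both MD4 and DES support in OpenSSL, and state the loss of NTLM in the patch header so integrators see it. In src/common.h the added #endif has no trailing comment, unlike the MD4 block directly above it, which closes with /* !defined(OPENSSL_NO_MD4) */. The header text also has "conditionaly"; with Upstream-Status: Pending it is worth fixing before the patch is sent to stunnel upstream.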
diff --git a/meta-networking/recipes-support/stunnel/stunnel_5.35.bb b/meta-networking/recipes-support/stunnel/stunnel_5.35.bb
index 3e2e2c2..33eedf1 100644
--- a/meta-networking/recipes-support/stunnel/stunnel_5.35.bb
+++ b/meta-networking/recipes-support/stunnel/stunnel_5.35.bb
@@ -7,7 +7,9 @@ DEPENDS = "openssl zlib tcp-wrappers"
RDEPENDS_${PN} += "perl"
-SRC_URI = "ftp://ftp.stunnel.org/stunnel/archive/5.x/${BP}.tar.gz"
+SRC_URI = "ftp://ftp.stunnel.org/stunnel/archive/5.x/${BP}.tar.gz \
+ file://fix-openssl-no-des.patch \
+"
SRC_URI[md5sum] = "9079f5fafbccaf88b7d92b227d78249a"
SRC_URI[sha256sum] = "ffa386ae4c825f35f35157c285e7402a6d58779ad8c3822f74a9d355b54aba1d"
--
2.10.1
* [meta-oe][PATCH 09/10] poco: disable package configs NetSSL and Crypto
From: kai.kang @ 2017-07-05 8:11 UTC (permalink / raw)
To: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Distro feature openssl-no-weak-ciphers will disable openssl des support,
which causes a poco compile failure. Disable package configs NetSSL and
Crypto for poco if distro feature openssl-no-weak-ciphers exists.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
meta-oe/recipes-support/poco/poco_1.7.8.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta-oe/recipes-support/poco/poco_1.7.8.bb b/meta-oe/recipes-support/poco/poco_1.7.8.bb
index 1b83735..c48f967 100644
--- a/meta-oe/recipes-support/poco/poco_1.7.8.bb
+++ b/meta-oe/recipes-support/poco/poco_1.7.8.bb
@@ -34,6 +34,7 @@ EXTRA_OECMAKE_append = " -DCMAKE_SKIP_RPATH=ON"
# Foundation is built anyway and doesn't need to be listed explicitly
# these don't have dependencies outside oe-core
PACKAGECONFIG ??= "XML JSON MongoDB PDF Util Net NetSSL Crypto Data DataSQLite Zip"
+PACKAGECONFIG_remove = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'NetSSL Crypto', '', d)}"
PACKAGECONFIG[XML] = "-DENABLE_XML=ON -DEXPAT_LIBRARY:STRING=expat,-DENABLE_XML=OFF,expat"
PACKAGECONFIG[JSON] = "-DENABLE_JSON=ON,-DENABLE_JSON=OFF"
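Review bot: The added PACKAGECONFIG_remove line strips NetSSL and Crypto once 'openssl-no-weak-ciphers' is in DISTRO_FEATURES, and a _remove cannot be undone from a bbappend or local.conf, so poco ends up with no TLS or crypto support at all on a distro that only asked for weak ciphers to be dropped. Prefer computing the default on the 'PACKAGECONFIG ??=' line directly above with bb.utils.contains, which stays overridable, and add a comment saying the two options are left out because poco fails to compile without DES.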
--
2.10.1
* [meta-oe][PATCH 10/10] postgresql: configure without openssl if openssl disable weak ciphers
From: kai.kang @ 2017-07-05 8:11 UTC (permalink / raw)
To: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Distro feature 'openssl-no-weak-ciphers' is introduced to disable
openssl weak ciphers. If it exists, openssl des support is disabled, which
causes the postgresql build to fail.

Remove PACKAGECONFIG 'openssl' if distro feature 'openssl-no-weak-ciphers'
exists.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
meta-oe/recipes-support/postgresql/postgresql.inc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-oe/recipes-support/postgresql/postgresql.inc b/meta-oe/recipes-support/postgresql/postgresql.inc
index 812c2ae..b2c4b2f 100644
--- a/meta-oe/recipes-support/postgresql/postgresql.inc
+++ b/meta-oe/recipes-support/postgresql/postgresql.inc
@@ -65,6 +65,8 @@ PACKAGECONFIG[nls] = "--enable-nls,--disable-nls,,"
PACKAGECONFIG[libxml] = "--with-libxml,--without-libxml,libxml2,libxml2"
PACKAGECONFIG[perl] = "--with-perl,--without-perl,perl,perl"
+PACKAGECONFIG_remove = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'openssl', '', d)}"
+
EXTRA_OECONF += "--enable-thread-safety --disable-rpath \
--datadir=${datadir}/${BPN} \
--sysconfdir=${sysconfdir}/${BPN} \
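Review bot: The PACKAGECONFIG_remove added after the perl entry takes 'openssl' out of postgresql with no way to put it back from a bbappend or local.conf, and nothing in the recipe says why. The feature is about dropping weak ciphers, so building postgresql with no OpenSSL support at all is a larger loss than the feature name suggests. Add a comment naming the DES-related build failure, and make the selection in the recipe's PACKAGECONFIG default with bb.utils.contains rather than with _remove.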
--
2.10.1
* Re: [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl
From: Peter Kjellerstedt @ 2017-07-05 16:59 UTC (permalink / raw)
To: kai.kang, openembedded-devel
> -----Original Message-----
> From: openembedded-devel-bounces@lists.openembedded.org
> [mailto:openembedded-devel-bounces@lists.openembedded.org] On Behalf Of
> kai.kang@windriver.com
> Sent: 5 July 2017 10:11
> To: openembedded-devel@lists.openembedded.org
> Subject: [oe] [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl
>
> From: Kai Kang <kai.kang@windriver.com>
>
> Add PACKAGECONFIG openssl to enable or disable build with openssl for
> opensc. Check DISTRO_FEATURE openssl-no-weak-ciphers. If it exists then
> remove PACKAGECONFIG openssl for opensc.
>
> Signed-off-by: Kai Kang <kai.kang@windriver.com>
> ---
> meta-oe/recipes-support/opensc/opensc_0.16.0.bb | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb b/meta-
> oe/recipes-support/opensc/opensc_0.16.0.bb
> index fd67181..fa7c81d 100644
> --- a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
> +++ b/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
> @@ -21,6 +21,11 @@ LIC_FILES_CHKSUM =
> "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
>
> inherit autotools pkgconfig
>
> +PACKAGECONFIG ??= "openssl"
> +PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"
> +
> +PACKAGECONFIG_remove = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'openssl', '', d)}"

It is a bad idea to use _remove like this, because it makes it impossible to
enable openssl again in a bbappend or via local.conf. It is better to do it
like this:

PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', '', 'openssl', d)}"
PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"

You should do it similarly for poco and postgresql as well.

> +
> EXTRA_OECONF = " \
> --disable-static \
> --enable-openct \
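Review bot: The new PACKAGECONFIG[openssl] entry names openssl as its build dependency, but the diffstat shows 5 insertions and no deletions, so any openssl already listed in the recipe's DEPENDS is left in place; if it is there, '--disable-openssl' will not actually drop the dependency, and it should move into the PACKAGECONFIG entry only. A comment above the added lines stating that opensc fails to build against an OpenSSL without the weak ciphers would also explain why the option is tied to the distro feature.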
> --
> 2.10.1
//Peter
* Re: [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl
From: Kang Kai @ 2017-07-06 0:50 UTC (permalink / raw)
To: Peter Kjellerstedt, openembedded-devel
On 2017-07-06 00:59, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-devel-bounces@lists.openembedded.org
>> [mailto:openembedded-devel-bounces@lists.openembedded.org] On Behalf Of
>> kai.kang@windriver.com
>> Sent: 5 July 2017 10:11
>> To: openembedded-devel@lists.openembedded.org
>> Subject: [oe] [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl
>>
>> From: Kai Kang <kai.kang@windriver.com>
>>
>> Add PACKAGECONFIG openssl to enable or disable build with openssl for
>> opensc. Check DISTRO_FEATURE openssl-no-weak-ciphers. If it exists then
>> remove PACKAGECONFIG openssl for opensc.
>>
>> Signed-off-by: Kai Kang <kai.kang@windriver.com>
>> ---
>> meta-oe/recipes-support/opensc/opensc_0.16.0.bb | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb b/meta-
>> oe/recipes-support/opensc/opensc_0.16.0.bb
>> index fd67181..fa7c81d 100644
>> --- a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
>> +++ b/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
>> @@ -21,6 +21,11 @@ LIC_FILES_CHKSUM =
>> "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
>>
>> inherit autotools pkgconfig
>>
>> +PACKAGECONFIG ??= "openssl"
>> +PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"
>> +
>> +PACKAGECONFIG_remove = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'openssl', '', d)}"
> It is a bad idea to use _remove like this, because it makes it impossible to
> enable openssl again in a bbappend or via local.conf.

I do this intentionally: if distro feature 'openssl-no-weak-ciphers'
exists, package config openssl should be removed, since opensc will
fail to compile.

If this is not a good solution, just set CONFLICT_DISTRO_FEATURES as for
other packages.

Thanks,
Kai

> It is better to do it
> like this:
>
> PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', '', 'openssl', d)}"
> PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"
>
> You should do it similarly for poco and postgresql as well.
>
>> +
>> EXTRA_OECONF = " \
>> --disable-static \
>> --enable-openct \
>> --
>> 2.10.1
> //Peter
>
>
--
Regards,
Neil | Kai Kang
* Re: [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists
From: Burton, Ross @ 2017-07-06 15:30 UTC (permalink / raw)
To: Kang Kai; +Cc: OpenEmbedded Devel List
On 5 July 2017 at 09:11, <kai.kang@windriver.com> wrote:
> Patches to add distro feature openssl-no-weak-ciphers have been sent to
> oe-core.
>
FWIW I'm still not very keen on a distro feature for this.
Ross
* Re: [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists
From: Kang Kai @ 2017-07-07 0:48 UTC (permalink / raw)
To: Burton, Ross; +Cc: OpenEmbedded Devel List
On 2017-07-06 23:30, Burton, Ross wrote:
>
> On 5 July 2017 at 09:11, <kai.kang@windriver.com
> <mailto:kai.kang@windriver.com>> wrote:
>
> Patches to add distro feature openssl-no-weak-ciphers have been
> sent to oe-core.
>
>
> FWIW I'm still not very keen on a distro feature for this.

How about using a global variable rather than a distro feature and checking
whether it has been set?

Thanks,
Kai

>
> Ross
--
Regards,
Neil | Kai Kang
* Re: [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists
From: Andre McCurdy @ 2017-07-07 1:40 UTC (permalink / raw)
To: Kang Kai; +Cc: OpenEmbedded Devel List
On Thu, Jul 6, 2017 at 5:48 PM, Kang Kai <Kai.Kang@windriver.com> wrote:
> On 2017-07-06 23:30, Burton, Ross wrote:
>>
>> On 5 July 2017 at 09:11, <kai.kang@windriver.com
>> <mailto:kai.kang@windriver.com>> wrote:
>>
>> Patches to add distro feature openssl-no-weak-ciphers have been
>> sent to oe-core.
>>
>> FWIW I'm still not very keen on a distro feature for this.
>
> How about use a global variable rather than a distro feature and check
> whether it has been set?
Does there need to be a bitbake variable at all? Can't other packages
detect which ciphers are supported by openssl by checking the openssl
headers etc in sysroot?
> Thanks,
> Kai
>
>> Ross
> --
> Regards,
> Neil | Kai Kang
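
The question in the last message, answered from the staged headers instead of a BitBake variable, as an added example that is not code from this thread or from OpenEmbedded: OpenSSL records each disabled algorithm as an OPENSSL_NO_<NAME> define in openssl/opensslconf.h, the same macros the stunnel patch tests, so a configure step or QA check can read them there. The function names and the sample header are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the feature block found in <openssl/opensslconf.h>;
# a real check would read ${STAGING_INCDIR}/openssl/opensslconf.h instead.
write_sample_conf() {
    cat > "$1" <<'EOF'
#ifndef OPENSSL_NO_DES
# define OPENSSL_NO_DES
#endif
#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif
/* #define OPENSSL_NO_MD4 */
#if defined(OPENSSL_NO_DES) && !defined(NO_DES)
# define NO_DES
#endif
EOF
}

# Print every feature the header switches off, one lowercase name per line.
# Only real "#define OPENSSL_NO_X" lines count: commented-out defines and
# "#if defined(...)" tests are ignored.
openssl_disabled_features() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_NO_\([A-Z0-9_]\{1,\}\).*/\1/p' "$1" |
        tr 'A-Z' 'a-z' | sort -u
}

# Succeed (exit 0) when feature $2, e.g. "des", is disabled in header $1.
openssl_feature_disabled() {
    openssl_disabled_features "$1" | grep -qx "$2"
}
```

A recipe could use the second function to decide whether to pass a DES-dependent configure option, and a hardened distro could use the first to assert that the weak ciphers it expects to be gone really are absent from the staged OpenSSL.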