* [PATCH 1/2] openssh: make OpenSSL optional
@ 2018-09-20 13:16 Max Kellermann
  2018-09-20 13:16 ` [PATCH 2/2] libsolv: make rpm optional Max Kellermann
  2018-09-20 14:11 ` [PATCH 1/2] openssh: make OpenSSL optional Alexander Kanavin
  0 siblings, 2 replies; 4+ messages in thread
From: Max Kellermann @ 2018-09-20 13:16 UTC (permalink / raw)
  To: openembedded-core; +Cc: Max Kellermann

From: Max Kellermann <max.kellermann@gmail.com>

Without OpenSSL, OpenSSH can still do ed25519, which is enough for
many users; and it saves a rather heavy dependency.

Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
---
 meta/recipes-connectivity/openssh/openssh_7.8p1.bb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-connectivity/openssh/openssh_7.8p1.bb b/meta/recipes-connectivity/openssh/openssh_7.8p1.bb
index f4b295f2df..6dfa2cfd2c 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.8p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.8p1.bb
@@ -8,8 +8,7 @@ SECTION = "console/network"
 LICENSE = "BSD"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"
 
-# openssl 1.1 patches are proposed at https://github.com/openssh/openssh-portable/pull/48
-DEPENDS = "zlib openssl10"
+DEPENDS = "zlib"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
 SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
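Review bot: With `openssl10` removed from the base `DEPENDS` line, nothing in this hunk shows that default builds still get OpenSSL; that only follows from the `PACKAGECONFIG ??= "openssl"` default added in the next hunk. The commit message should say that the default configuration is unchanged and that the ed25519-only build is opt-in, so a reader of the `DEPENDS` change does not have to infer it.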
@@ -71,6 +70,10 @@ CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
 # We don't want to depend on libblockfile
 CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
 
+PACKAGECONFIG ??= "openssl"
+# openssl 1.1 patches are proposed at https://github.com/openssh/openssh-portable/pull/48
+PACKAGECONFIG[openssl] = ",--without-openssl,openssl10"
+
 do_configure_prepend () {
 	export LD="${CC}"
 	install -m 0644 ${WORKDIR}/sshd_config ${B}/
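Review bot: In `PACKAGECONFIG[openssl]` the enable field is empty, so the OpenSSL build relies on configure's default rather than an explicit switch; consider putting `--with-openssl` in the first field so both states are spelled out. A comment above the entry should also record what the commit message says, that disabling it leaves only ed25519 keys usable, because anyone removing `openssl` from PACKAGECONFIG otherwise learns this when RSA keys stop being accepted.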
-- 
2.18.0




* [PATCH 2/2] libsolv: make rpm optional
  2018-09-20 13:16 [PATCH 1/2] openssh: make OpenSSL optional Max Kellermann
@ 2018-09-20 13:16 ` Max Kellermann
  2018-09-20 14:11 ` [PATCH 1/2] openssh: make OpenSSL optional Alexander Kanavin
  1 sibling, 0 replies; 4+ messages in thread
From: Max Kellermann @ 2018-09-20 13:16 UTC (permalink / raw)
  To: openembedded-core; +Cc: Max Kellermann

From: Max Kellermann <max.kellermann@gmail.com>

Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
---
 meta/recipes-extended/libsolv/libsolv_0.6.35.bb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-extended/libsolv/libsolv_0.6.35.bb b/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
index 0956453022..12dfc5d3a2 100644
--- a/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
+++ b/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
@@ -5,7 +5,7 @@ SECTION = "devel"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.BSD;md5=62272bd11c97396d4aaf1c41bc11f7d8"
 
-DEPENDS = "expat zlib rpm"
+DEPENDS = "expat zlib"
 
 SRC_URI = "git://github.com/openSUSE/libsolv.git"
 SRC_URI_append_libc-musl = " file://0001-Add-fallback-fopencookie-implementation.patch \
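Review bot: The `DEPENDS` line drops `rpm`, but the commit message has no body, so there is no stated reason for making rpm optional and no description of what libsolv loses without it. Add a sentence or two of rationale, as patch 1/2 does for OpenSSL.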
@@ -19,7 +19,10 @@ S = "${WORKDIR}/git"
 
 inherit cmake
 
-EXTRA_OECMAKE = "-DLIB=${baselib} -DMULTI_SEMANTICS=ON -DENABLE_RPMMD=ON -DENABLE_RPMDB=ON -DENABLE_COMPLEX_DEPS=ON"
+PACKAGECONFIG ??= "rpm"
+PACKAGECONFIG[rpm] = "-DENABLE_RPMMD=ON -DENABLE_RPMDB=ON,,rpm"
+
+EXTRA_OECMAKE = "-DLIB=${baselib} -DMULTI_SEMANTICS=ON -DENABLE_COMPLEX_DEPS=ON"
 
 PACKAGES =+ "${PN}-tools ${PN}ext"
 
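Review bot: `PACKAGECONFIG[rpm]` leaves the disable field empty, so with rpm turned off the build relies on libsolv's CMake defaults for `ENABLE_RPMMD` and `ENABLE_RPMDB` being OFF; put `-DENABLE_RPMMD=OFF -DENABLE_RPMDB=OFF` in the second field to make the disabled state explicit. Also confirm that `ENABLE_RPMMD` really needs the rpm dependency; if it does not, it can stay in `EXTRA_OECMAKE`.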
-- 
2.18.0




* Re: [PATCH 1/2] openssh: make OpenSSL optional
  2018-09-20 13:16 [PATCH 1/2] openssh: make OpenSSL optional Max Kellermann
  2018-09-20 13:16 ` [PATCH 2/2] libsolv: make rpm optional Max Kellermann
@ 2018-09-20 14:11 ` Alexander Kanavin
  2018-09-20 14:22   ` Max Kellermann
  1 sibling, 1 reply; 4+ messages in thread
From: Alexander Kanavin @ 2018-09-20 14:11 UTC (permalink / raw)
  To: Max Kellermann; +Cc: Max Kellermann, OE-core

2018-09-20 15:16 GMT+02:00 Max Kellermann <max+openembedded@blarg.de>:
> Without OpenSSL, OpenSSH can still do ed25519, which is enough for
> many users; and it saves a rather heavy dependency.

I don't object to the patch (except it would need to be rebased on top
of the openssl 1.1 patch), but I would like to know a bit more.

What is ed25519? Can a client that supports only that connect to most
or all servers? Can a server that supports only that accept
connections from most or all clients? Are any features lost?

Alex



* Re: [PATCH 1/2] openssh: make OpenSSL optional
  2018-09-20 14:11 ` [PATCH 1/2] openssh: make OpenSSL optional Alexander Kanavin
@ 2018-09-20 14:22   ` Max Kellermann
  0 siblings, 0 replies; 4+ messages in thread
From: Max Kellermann @ 2018-09-20 14:22 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE-core

On 2018/09/20 16:11, Alexander Kanavin <alex.kanavin@gmail.com> wrote:
> I don't object to the patch (except it would need to be rebased on top
> of the openssl 1.1 patch), but I would like to know a bit more.

Ok, I'll do that once that one is merged.

> What is ed25519? Can a client that supports only that connect to most
> or all servers? Can a server that supports only that accept
> connections from most or all clients? Are any features lost?

It is a newer public key type, supported since OpenSSH 6.5
(https://www.openssh.com/txt/release-6.5).  The crypto math behind it
was designed by Daniel Bernstein (https://ed25519.cr.yp.to/).

Usually, OpenSSH uses OpenSSL for some of its crypto, but it can use
ed25519 natively without OpenSSL.  This means you can eliminate
OpenSSL completely in some images, without having to omit OpenSSH as
well.

The downside is that a binary compiled without OpenSSL understands
only ed25519 keys, and nothing else.  That means the server will only
be able to accept ed25519 public keys, but no RSA/DSA.  That's ok for
some people who will only use ed25519 anyway (like me).  For others,
it might be a good reason to switch to ed25519 (which is allegedly
more secure than RSA).

Max
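
An added example, not part of the message above or of OpenSSH: a pre-migration check that lists the authorized_keys entries an ed25519-only sshd (built with --without-openssl, as described in the thread) would no longer accept. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): find authorized_keys entries that an
# sshd built with --without-openssl would no longer accept.

# Print "<line> <key-type>" for each key in file $1 that is not ed25519.
# The key type is the field directly before the base64 blob, which always
# starts with "AAAA"; this skips leading options such as from="...".
non_ed25519_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments, blank lines
        {
            for (i = 1; i < NF; i++) {
                if ($(i + 1) ~ /^AAAA/) {
                    # Assumption: ed25519 certificates count as ed25519.
                    if ($i !~ /^ssh-ed25519/) print NR, $i
                    next
                }
            }
        }
    ' "$1"
}

# Exit status 0 if every key in $1 is ed25519, 1 otherwise.
only_ed25519() {
    [ -z "$(non_ed25519_keys "$1")" ]
}

# Constructed sample file; the key blobs are truncated placeholders.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexample bob@desktop
from="192.0.2.10",no-pty ecdsa-sha2-nistp256 AAAAE2VjZHNhexample ci@build

command="/usr/bin/backup",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample2 backup@nas
EOF
}

sample=$(mktemp)
write_sample "$sample"
if only_ed25519 "$sample"; then
    echo "all keys are ed25519"
else
    echo "keys that need replacing before OpenSSL is dropped:"
    non_ed25519_keys "$sample"
fi
rm -f "$sample"
```

Run it against each account's real authorized_keys file before switching the image to an OpenSSL-free build, so that no user is locked out by the change.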


