* [Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features
@ 2020-05-11 11:28 Erwan GAUTRON
  2020-05-11 11:28 ` [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features Erwan GAUTRON
  0 siblings, 1 reply; 7+ messages in thread
From: Erwan GAUTRON @ 2020-05-11 11:28 UTC (permalink / raw)
  To: buildroot

From: "GAUTRON, Erwan" <erwan.gautron@bertin.fr>

Openssl implements a lot of algorithms that are not required in
some embedded devices, and ciphers known to be weak.
Secure embedded systems shall disable unused algorithms (and weak algorithms)
in order to be certified.
This patch allows selecting algorithms and mechanisms to disable,
such as md5

Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
---
 package/libopenssl/Config.in     | 151 +++++++++++++++++++++++++++++++
 package/libopenssl/libopenssl.mk |  25 +++++
 2 files changed, 176 insertions(+)

diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
index 881518d1cb..7c84be3bb4 100644
--- a/package/libopenssl/Config.in
+++ b/package/libopenssl/Config.in
@@ -44,4 +44,155 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
 	help
 	  Install additional encryption engine libraries.
 
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA
+	bool "enable openssl CHACHA "
+	default y
+	help
+	  Enable CHACHA cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5
+	bool "enable openssl RC5"
+	default y
+	help
+	  Enable RC5 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2
+	bool "enable openssl RC2"
+	default y
+	help
+	  Enable RC2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4
+	bool "enable openssl RC4"
+	default y
+	help
+	  Enable RC4 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2
+	bool "enable openssl MD2"
+	default y
+	help
+	  Enable MD2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4
+	bool "enable openssl MD4"
+	default y
+	help
+	  Enable MD4 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5
+	bool "enable openssl MD5"
+	default y
+	help
+	  Enable MD5 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2
+	bool "enable openssl MDC2"
+	default y
+	help
+	  Enable MDC2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2
+	bool "enable openssl BLAKE2"
+	default y
+	help
+	  Enable BLAKE2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA
+	bool "enable openssl IDEA"
+	default y
+	help
+	  Enable IDEA cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED
+	bool "enable openssl SEED"
+	default y
+	help
+	  Enable SEED cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_DES
+	bool "enable openssl DES"
+	default y
+	help
+	  Enable DES cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160
+	bool "enable openssl RMD160"
+	default y
+	help
+	  Enable RMD160 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL
+	bool "enable openssl WHIRLPOOL"
+	default y
+	help
+	  Enable WHIRLPOOL cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH
+	bool "enable openssl BLOWFISH"
+	default y
+	help
+	  Enable BLOWFISH cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL
+	bool "enable openssl SSL"
+	default y
+	help
+	  Enable SSL mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2
+	bool "enable openssl SSL2"
+	default y
+	help
+	  Enable SSL2 mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3
+	bool "enable openssl SSL3"
+	default y
+	help
+	  Enable SSL3 mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL
+	bool "enable openssl WEAK_SSL"
+	default y
+	help
+	  Enable WEAK_SSL mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK
+	bool "enable openssl mode PSK"
+	default y
+	help
+	  Enable PSK mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST
+	bool "enable openssl mode CAST"
+	default y
+	help
+	  Enable CAST mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_UNSECURE
+	bool "enable unit test, debug, backtrace"
+	default y
+	help
+	  Enable unit-test crypto-mdebug-backtrace crypto-mdebug autoerrinit mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
+	bool "enable openssl dynamic engine"
+	default y
+	help
+	  Enable dynamic engine in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_IPV6
+	bool "enable openssl IPV6"
+	default y
+	help
+	  Enable IPV6 in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
+	bool "enable openssl compression"
+	default y
+	help
+	  Enable compression in libopenssl.
+
+
 endif # BR2_PACKAGE_LIBOPENSSL
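Review bot: The help texts for MD2, MD4, MD5, MDC2, BLAKE2, RMD160 and WHIRLPOOL (lines 57-115) describe them as ciphers, but all of them are message digests; the same wording is repeated in the identical Config.in hunk of the resent copy below. The prompts should also tell the integrator what they are opting into, since every entry defaults to y: for example `bool "enable RC4 (legacy stream cipher, not recommended)"` and `bool "enable SSLv3 (obsolete protocol)"`, so a defconfig review shows at a glance which weak defaults are still on. The SSL2 entry (line 129) is probably dead: if the packaged OpenSSL is 1.1.x (the version is not visible in this hunk), SSLv2 was removed upstream and no build option can bring it back, so the help should say so or the entry should go. I would also note in the DES and MD5 help texts that disabling them may break PKCS#12 handling and pre-1.2 TLS respectively, so users of those options know what to test.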
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index a300458f85..ba87cce7b7 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -86,6 +86,31 @@ define LIBOPENSSL_CONFIGURE_CMDS
 			no-tests \
 			no-fuzz-libfuzzer \
 			no-fuzz-afl \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA),,no-chacha) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5),,no-rc5) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2),,no-rc2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4),,no-rc4) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2),,no-md2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4),,no-md4) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5),,no-md5) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2),,no-mdc2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2),,no-blake2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA),,no-idea) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED),,no-seed) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_DES),,no-des) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160),,no-rmd160) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL),,no-whirlpool) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH),,no-bf) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL),,no-ssl) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2),,no-ssl2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3),,no-ssl3) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL),,no-weak-ssl-ciphers) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK),,no-psk) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST),,no-cast) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_UNSECURE),,no-unit-test no-crypto-mdebug-backtrace no-crypto-mdebug no-autoerrinit) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE),,no-dynamic-engine ) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_IPV6),,-DOPENSSL_USE_IPV6=0) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP),,no-comp) \
 			$(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
 	)
 	$(SED) "s#-march=[-a-z0-9] ##" -e "s#-mcpu=[-a-z0-9] ##g" $(@D)/Makefile
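Review bot: Each added line only omits a `no-*` flag when its option is set, so `default y` does not turn a feature on — it leaves OpenSSL's own default — and for ssl3, unit-test, crypto-mdebug and crypto-mdebug-backtrace upstream already defaults to disabled, so `ENABLE_SSL3` and `UNSECURE` promise more than they deliver (the latter effectively only controls `no-autoerrinit`); actually enabling SSL3 would need `enable-ssl3` in the then-branch of line 210. `no-ssl2` on line 209 is at best a deprecated no-op on 1.1.x since SSLv2 was removed upstream, so the option should be dropped or documented as such. Line 215 carries a stray space inside `no-dynamic-engine )`. The `LIBOPENSSL_CONFIGURE_CMDS` define starts before this hunk, and the same remarks apply to the identical hunk of the resent patch below.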
-- 
2.25.1


* [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features
  2020-05-11 11:28 [Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features Erwan GAUTRON
@ 2020-05-11 11:28 ` Erwan GAUTRON
  2020-05-11 12:47   ` Thomas Petazzoni
  0 siblings, 1 reply; 7+ messages in thread
From: Erwan GAUTRON @ 2020-05-11 11:28 UTC (permalink / raw)
  To: buildroot

From: "GAUTRON, Erwan" <erwan.gautron@bertin.fr>

Openssl implements a lot of algorithms that are not required in
some embedded devices, and ciphers known to be weak.
Secure embedded systems shall disable unused algorithms (and weak algorithms)
in order to be certified.
This patch allows selecting weak algorithms and mechanisms to enable,
such as md5.
To ensure backward compatibility, all items are selected by default.

Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
---
 package/libopenssl/Config.in     | 151 +++++++++++++++++++++++++++++++
 package/libopenssl/libopenssl.mk |  25 +++++
 2 files changed, 176 insertions(+)

diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
index 881518d1cb..7c84be3bb4 100644
--- a/package/libopenssl/Config.in
+++ b/package/libopenssl/Config.in
@@ -44,4 +44,155 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
 	help
 	  Install additional encryption engine libraries.
 
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA
+	bool "enable openssl CHACHA "
+	default y
+	help
+	  Enable CHACHA cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5
+	bool "enable openssl RC5"
+	default y
+	help
+	  Enable RC5 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2
+	bool "enable openssl RC2"
+	default y
+	help
+	  Enable RC2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4
+	bool "enable openssl RC4"
+	default y
+	help
+	  Enable RC4 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2
+	bool "enable openssl MD2"
+	default y
+	help
+	  Enable MD2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4
+	bool "enable openssl MD4"
+	default y
+	help
+	  Enable MD4 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5
+	bool "enable openssl MD5"
+	default y
+	help
+	  Enable MD5 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2
+	bool "enable openssl MDC2"
+	default y
+	help
+	  Enable MDC2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2
+	bool "enable openssl BLAKE2"
+	default y
+	help
+	  Enable BLAKE2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA
+	bool "enable openssl IDEA"
+	default y
+	help
+	  Enable IDEA cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED
+	bool "enable openssl SEED"
+	default y
+	help
+	  Enable SEED cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_DES
+	bool "enable openssl DES"
+	default y
+	help
+	  Enable DES cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160
+	bool "enable openssl RMD160"
+	default y
+	help
+	  Enable RMD160 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL
+	bool "enable openssl WHIRLPOOL"
+	default y
+	help
+	  Enable WHIRLPOOL cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH
+	bool "enable openssl BLOWFISH"
+	default y
+	help
+	  Enable BLOWFISH cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL
+	bool "enable openssl SSL"
+	default y
+	help
+	  Enable SSL mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2
+	bool "enable openssl SSL2"
+	default y
+	help
+	  Enable SSL2 mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3
+	bool "enable openssl SSL3"
+	default y
+	help
+	  Enable SSL3 mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL
+	bool "enable openssl WEAK_SSL"
+	default y
+	help
+	  Enable WEAK_SSL mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK
+	bool "enable openssl mode PSK"
+	default y
+	help
+	  Enable PSK mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST
+	bool "enable openssl mode CAST"
+	default y
+	help
+	  Enable CAST mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_UNSECURE
+	bool "enable unit test, debug, backtrace"
+	default y
+	help
+	  Enable unit-test crypto-mdebug-backtrace crypto-mdebug autoerrinit mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
+	bool "enable openssl dynamic engine"
+	default y
+	help
+	  Enable dynamic engine in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_IPV6
+	bool "enable openssl IPV6"
+	default y
+	help
+	  Enable IPV6 in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
+	bool "enable openssl compression"
+	default y
+	help
+	  Enable compression in libopenssl.
+
+
 endif # BR2_PACKAGE_LIBOPENSSL
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index a300458f85..ba87cce7b7 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -86,6 +86,31 @@ define LIBOPENSSL_CONFIGURE_CMDS
 			no-tests \
 			no-fuzz-libfuzzer \
 			no-fuzz-afl \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA),,no-chacha) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5),,no-rc5) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2),,no-rc2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4),,no-rc4) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2),,no-md2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4),,no-md4) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5),,no-md5) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2),,no-mdc2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2),,no-blake2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA),,no-idea) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED),,no-seed) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_DES),,no-des) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160),,no-rmd160) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL),,no-whirlpool) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH),,no-bf) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL),,no-ssl) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2),,no-ssl2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3),,no-ssl3) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL),,no-weak-ssl-ciphers) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK),,no-psk) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST),,no-cast) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_UNSECURE),,no-unit-test no-crypto-mdebug-backtrace no-crypto-mdebug no-autoerrinit) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE),,no-dynamic-engine ) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_IPV6),,-DOPENSSL_USE_IPV6=0) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP),,no-comp) \
 			$(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
 	)
 	$(SED) "s#-march=[-a-z0-9] ##" -e "s#-mcpu=[-a-z0-9] ##g" $(@D)/Makefile
-- 
2.25.1


* [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features
  2020-05-11 11:28 ` [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features Erwan GAUTRON
@ 2020-05-11 12:47   ` Thomas Petazzoni
  2020-05-11 13:02     ` Erwan Gautron
  0 siblings, 1 reply; 7+ messages in thread
From: Thomas Petazzoni @ 2020-05-11 12:47 UTC (permalink / raw)
  To: buildroot

Hello Erwan,

On Mon, 11 May 2020 13:28:40 +0200
Erwan GAUTRON <erwan.gautron@bertin.fr> wrote:

>  package/libopenssl/Config.in     | 151 +++++++++++++++++++++++++++++++
>  package/libopenssl/libopenssl.mk |  25 +++++
>  2 files changed, 176 insertions(+)

Thanks for this new iteration!

> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA
> +	bool "enable openssl CHACHA "
> +	default y
> +	help
> +	  Enable CHACHA cipher in libopenssl.

The "in openssl" part of each help text is not really useful, as these
are suboptions of libopenssl already.

> +config BR2_PACKAGE_LIBOPENSSL_UNSECURE
> +	bool "enable unit test, debug, backtrace"
> +	default y
> +	help
> +	  Enable unit-test crypto-mdebug-backtrace crypto-mdebug autoerrinit mode in libopenssl.

This line is too long, "make check-package" most likely complains about
this.

> +config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
> +	bool "enable openssl dynamic engine"
> +	default y
> +	help
> +	  Enable dynamic engine in libopenssl.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_IPV6
> +	bool "enable openssl IPV6"
> +	default y
> +	help
> +	  Enable IPV6 in libopenssl.

Is it really useful to make IPv6 optional? Is that necessary for your
certification? IPv6 used to be optional in Buildroot in general, and we
got rid of that several years ago, so reintroducing IPv6 options will
really need some good justification.

> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
> +	bool "enable openssl compression"
> +	default y
> +	help
> +	  Enable compression in libopenssl.

So you dropped the zlib option? Why?

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features
  2020-05-11 12:47   ` Thomas Petazzoni
@ 2020-05-11 13:02     ` Erwan Gautron
  0 siblings, 0 replies; 7+ messages in thread
From: Erwan Gautron @ 2020-05-11 13:02 UTC (permalink / raw)
  To: buildroot

Hello Thomas,

?



On 11/05/2020 14:47, Thomas Petazzoni wrote:
> Hello Erwan,
> 
> On Mon, 11 May 2020 13:28:40 +0200
> Erwan GAUTRON <erwan.gautron@bertin.fr> wrote:
> 
>>  package/libopenssl/Config.in     | 151 +++++++++++++++++++++++++++++++
>>  package/libopenssl/libopenssl.mk |  25 +++++
>>  2 files changed, 176 insertions(+)
> 
> Thanks for this new iteration!
welcome
> 
>> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA
>> +	bool "enable openssl CHACHA "
>> +	default y
>> +	help
>> +	  Enable CHACHA cipher in libopenssl.
> 
> The "in openssl" part of each help text is not really useful, as these
> are suboptions of libopenssl already.
> 
I'll update
>> +config BR2_PACKAGE_LIBOPENSSL_UNSECURE
>> +	bool "enable unit test, debug, backtrace"
>> +	default y
>> +	help
>> +	  Enable unit-test crypto-mdebug-backtrace crypto-mdebug autoerrinit mode in libopenssl.
> 
> This line is too long, "make check-package" most likely complains about
> this.
> 
ok
>> +config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
>> +	bool "enable openssl dynamic engine"
>> +	default y
>> +	help
>> +	  Enable dynamic engine in libopenssl.
>> +
>> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_IPV6
>> +	bool "enable openssl IPV6"
>> +	default y
>> +	help
>> +	  Enable IPV6 in libopenssl.
> 
> Is it really useful to make IPv6 optional? Is that necessary for your
> certification? IPv6 used to be optional in Buildroot in general, and we
> got rid of that several years ago, so reintroducing IPv6 options will
> really need some good jusitification.
> 
I can understand. Anyway my certification needs to disable all Ipv6
options. But I can do that by patching my local copy of buildroot in
post build process. I'll remove the option

>> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
>> +	bool "enable openssl compression"
>> +	default y
>> +	help
>> +	  Enable compression in libopenssl.
> 
> So you dropped the zlib option? Why?
I removed it because I found a case where this option causes some
problems.

> 
> Best regards,
> 
> Thomas
> 
 I'll send the new patch soon

Regards
Erwan


* [Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features
  2020-05-09 19:24 ` Thomas Petazzoni
@ 2020-05-11  6:25   ` GAUTRON, Erwan
  0 siblings, 0 replies; 7+ messages in thread
From: GAUTRON, Erwan @ 2020-05-11  6:25 UTC (permalink / raw)
  To: buildroot

Hello Thomas,
Thanks for your comments
I will implement them and submit a new patch

Regards/Cordialement,

Erwan
------------------------------------------------------------------------------


De : Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Envoyé : samedi 9 mai 2020 21:24

À : GAUTRON, Erwan <erwan.gautron@bertin.fr>

Cc : buildroot at buildroot.org <buildroot@buildroot.org>; Matt Weber <matthew.weber@rockwellcollins.com>

Objet : Re: [Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features

?


Hello Erwan,



On Wed,? 6 May 2020 07:59:19 +0200

Erwan GAUTRON <erwan.gautron@bertin.fr> wrote:



> Openssl implements lot of algorithms that are not required in

> some emdedded devices and cyphers known as weak.

> Secure embedded systems shall disable unused algorithms (and weak algo)

> in order to be certified.

> This patch allows to select algorithms and mecanims to disable

> such as md5

> 

> Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>



Thanks for your patch!



> +config BR2_PACKAGE_LIBOPENSSL_NO_CHACHA

> +???? bool "openssl no cipher CHACHA"

> +???? help

> +?????? Remove CHACHA cipher in libopenssl.



I think it is quite odd to have inverted boolean options, i.e that

disable a feature when the option is enabled. Could we turn them

around, so that they use positive logic ? Of course, that means adding

a "default y" to keep backward compatibility, unless we decide that all

those ciphers are really dangerous (many of them are!) and disable them

by default.



> +config BR2_PACKAGE_LIBOPENSSL_NO_COMP

> +???? bool "openssl no compression"

> +???? help

> +?????? Remove compression in libopenssl.

> +

> +config BR2_PACKAGE_LIBOPENSSL_NO_ZLIB

> +???? bool "zlib no compression"

> +???? help

> +?????? Remove zlib in libopenssl.



Do these options allow to drop the zlib dependency of libopenssl ? If

so, we should do this and make the zlib dependency optional.



Thanks!



Thomas

-- 

Thomas Petazzoni, CTO, Bootlin

Embedded Linux and Kernel engineering

https://bootlin.com


* [Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features
  2020-05-06  5:59 [Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features Erwan GAUTRON
@ 2020-05-09 19:24 ` Thomas Petazzoni
  2020-05-11  6:25   ` GAUTRON, Erwan
  0 siblings, 1 reply; 7+ messages in thread
From: Thomas Petazzoni @ 2020-05-09 19:24 UTC (permalink / raw)
  To: buildroot

Hello Erwan,

On Wed,  6 May 2020 07:59:19 +0200
Erwan GAUTRON <erwan.gautron@bertin.fr> wrote:

> Openssl implements lot of algorithms that are not required in
> some emdedded devices and cyphers known as weak.
> Secure embedded systems shall disable unused algorithms (and weak algo)
> in order to be certified.
> This patch allows to select algorithms and mecanims to disable
> such as md5
> 
> Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>

Thanks for your patch!

> +config BR2_PACKAGE_LIBOPENSSL_NO_CHACHA
> +	bool "openssl no cipher CHACHA"
> +	help
> +	  Remove CHACHA cipher in libopenssl.

I think it is quite odd to have inverted boolean options, i.e. that
disable a feature when the option is enabled. Could we turn them
around, so that they use positive logic ? Of course, that means adding
a "default y" to keep backward compatibility, unless we decide that all
those ciphers are really dangerous (many of them are!) and disable them
by default.

> +config BR2_PACKAGE_LIBOPENSSL_NO_COMP
> +	bool "openssl no compression"
> +	help
> +	  Remove compression in libopenssl.
> +
> +config BR2_PACKAGE_LIBOPENSSL_NO_ZLIB
> +	bool "zlib no compression"
> +	help
> +	  Remove zlib in libopenssl.

Do these options allow to drop the zlib dependency of libopenssl ? If
so, we should do this and make the zlib dependency optional.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features
@ 2020-05-06  5:59 Erwan GAUTRON
  2020-05-09 19:24 ` Thomas Petazzoni
  0 siblings, 1 reply; 7+ messages in thread
From: Erwan GAUTRON @ 2020-05-06  5:59 UTC (permalink / raw)
  To: buildroot

From: "GAUTRON, Erwan" <erwan.gautron@bertin.fr>

Openssl implements a lot of algorithms that are not required in
some embedded devices, and ciphers known to be weak.
Secure embedded systems shall disable unused algorithms (and weak algorithms)
in order to be certified.
This patch allows selecting algorithms and mechanisms to disable,
such as md5

Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
---
 package/libopenssl/Config.in     | 130 +++++++++++++++++++++++++++++++
 package/libopenssl/libopenssl.mk |  26 +++++++
 2 files changed, 156 insertions(+)

diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
index 881518d1cb..e0b5df4f32 100644
--- a/package/libopenssl/Config.in
+++ b/package/libopenssl/Config.in
@@ -44,4 +44,134 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
 	help
 	  Install additional encryption engine libraries.
 
+config BR2_PACKAGE_LIBOPENSSL_NO_CHACHA
+	bool "openssl no cipher CHACHA"
+	help
+	  Remove CHACHA cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_RC5
+	bool "openssl no cipher RC5"
+	help
+	  Remove RC5 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_RC2
+	bool "openssl no cipher RC2"
+	help
+	  Remove RC2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_RC4
+	bool "openssl no cipher RC4"
+	help
+	  Remove RC4 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_MD2
+	bool "openssl no cipher MD2"
+	help
+	  Remove MD2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_MD4
+	bool "openssl no cipher MD4"
+	help
+	  Remove MD4 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_MD5
+	bool "openssl no cipher MD5"
+	help
+	  Remove MD5 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_MDC2
+	bool "openssl no cipher MDC2"
+	help
+	  Remove MDC2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_BLAKE2
+	bool "openssl no cipher BLAKE2"
+	help
+	  Remove BLAKE2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_IDEA
+	bool "openssl no cipher IDEA"
+	help
+	  Remove IDEA cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_SEED
+	bool "openssl no cipher SEED"
+	help
+	  Remove SEED cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_DES
+	bool "openssl no cipher DES"
+	help
+	  Remove DES cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_RMD160
+	bool "openssl no cipher RMD160"
+	help
+	  Remove RMD160 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_WHIRLPOOL
+	bool "openssl no cipher WHIRLPOOL"
+	help
+	  Remove WHIRLPOOL cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_BLOWFISH
+	bool "openssl no cipher BLOWFISH"
+	help
+	  Remove BLOWFISH cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_SSL
+	bool "openssl no mode SSL"
+	help
+	  Remove SSL mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_SSL2
+	bool "openssl no mode SSL2"
+	help
+	  Remove SSL2 mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_SSL3
+	bool "openssl no mode SSL3"
+	help
+	  Remove SSL3 mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_WEAK_SSL
+	bool "openssl no mode WEAK_SSL"
+	help
+	  Remove WEAK_SSL mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_PSK
+	bool "openssl no mode PSK"
+	help
+	  Remove PSK mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_CAST
+	bool "openssl no mode CAST"
+	help
+	  Remove CAST mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_SECURE
+	bool "openssl secure Bertin-It"
+	help
+	  Remove no-unit-test no-crypto-mdebug-backtrace no-crypto-mdebug no-autoerrinit mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
+	bool "openssl no dynamic engine"
+	help
+	  Remove dynamic engine in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_IPV6
+	bool "openssl no IPV6"
+	help
+	  Remove IPV6 in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_COMP
+	bool "openssl no compression"
+	help
+	  Remove compression in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_NO_ZLIB
+	bool "zlib no compression"
+	help
+	  Remove zlib in libopenssl.
+
 endif # BR2_PACKAGE_LIBOPENSSL
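Review bot: `BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE` (line 939) is the only symbol in this hunk without a `NO_` prefix, yet selecting it removes the dynamic engine, so the name states the opposite of its effect; `BR2_PACKAGE_LIBOPENSSL_NO_DYNAMIC_ENGINE` would match its siblings and the .mk line that consumes it. `BR2_PACKAGE_LIBOPENSSL_SECURE` (line 934) has a vendor name in its prompt and a double-negative help text (`Remove no-unit-test ...`) that reads as if the `no-` flags were being removed; a neutral prompt such as `bool "disable unit tests, memory debugging and automatic error-string loading"` with matching help would describe what is actually passed to Configure. The MD2, MD4, MD5, MDC2, BLAKE2, RMD160 and WHIRLPOOL entries are labelled ciphers; they are message digests.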
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index a300458f85..91f5340abd 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -86,6 +86,32 @@ define LIBOPENSSL_CONFIGURE_CMDS
 			no-tests \
 			no-fuzz-libfuzzer \
 			no-fuzz-afl \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_CHACHA),no-chacha) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_RC5),no-rc5) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_RC2),no-rc2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_RC4),no-rc4) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_MD2),no-md2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_MD4),no-md4) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_MD5),no-md5) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_MDC2),no-mdc2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_BLAKE2),no-blake2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_IDEA),no-idea) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_SEED),no-seed) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_DES),no-des) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_RMD160),no-rmd160) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_WHIRLPOOL),no-whirlpool) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_BLOWFISH),no-bf) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_SSL),no-ssl) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_SSL2),no-ssl2) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_SSL3),no-ssl3) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_WEAK_SSL),no-weak-ssl-ciphers) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_PSK),no-psk) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_CAST),no-cast) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_SECURE),no-unit-test no-crypto-mdebug-backtrace no-crypto-mdebug no-autoerrinit) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE),no-dynamic-engine ) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_IPV6),-DOPENSSL_USE_IPV6=0) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_COMP),no-comp) \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_NO_ZLIB),no-zlib) \
 			$(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
 	)
 	$(SED) "s#-march=[-a-z0-9] ##" -e "s#-mcpu=[-a-z0-9] ##g" $(@D)/Makefile
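Review bot: `no-zlib` on line 993 is immediately followed by the unconditional `zlib`/`zlib-dynamic` on line 994, so the two Configure options contradict each other and which one takes effect depends on Configure's option processing order rather than on the user's choice; the `NO_ZLIB` branch should replace line 994 instead, e.g. `$(if $(BR2_PACKAGE_LIBOPENSSL_NO_ZLIB),no-zlib,$(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic)) \`. Line 990 has a stray space before the closing parenthesis in `no-dynamic-engine )`. The `LIBOPENSSL_CONFIGURE_CMDS` define starts before this hunk.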
-- 
2.25.1

