* [Buildroot] [PATCH 1/1] package/gnutls: add options to enable features
@ 2020-05-15 14:02 Erwan GAUTRON
  2022-01-08 13:12 ` Peter Korsgaard
  0 siblings, 1 reply; 2+ messages in thread
From: Erwan GAUTRON @ 2020-05-15 14:02 UTC (permalink / raw)
  To: buildroot

GnuTLS implements old, unsafe or unused protocols and cyphers.
Secure embedded systems shall disable them in order to be certified.
This patch allows selecting/unselecting the SSLv2 protocol and the GOST cypher.
To ensure backward compatibility, all items are selected by default.

Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
---
 package/gnutls/Config.in | 12 ++++++++++++
 package/gnutls/gnutls.mk |  4 +++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/package/gnutls/Config.in b/package/gnutls/Config.in
index 15b930b6bd..56ea558969 100644
--- a/package/gnutls/Config.in
+++ b/package/gnutls/Config.in
@@ -29,6 +29,18 @@ config BR2_PACKAGE_GNUTLS_TOOLS
 	  Install GnuTLS command line tools for various cryptographic
 	  tasks.
 
+config BR2_PACKAGE_GNUTLS_ENABLE_SSL2
+	bool "enable SSLv2"
+	default y
+	help
+	  Enable SSLv2 protocol.
+
+config BR2_PACKAGE_GNUTLS_ENABLE_GOST
+	bool "enable GOST"
+	default y
+	help
+	  Enable GOST cypher.
+
 endif
 
 comment "gnutls needs a toolchain w/ wchar, dynamic library"
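
Review bot: "default y" on both new options in Config.in means a fresh configuration still builds GnuTLS with SSLv2 and GOST enabled, so the hardened build the commit message asks for is opt-out rather than the default. Consider dropping "default y" so these legacy features are off unless selected, and mention the behaviour change for existing configurations in the commit message. The help texts ("Enable SSLv2 protocol.", "Enable GOST cypher.") only restate the prompt; say what is being enabled and when a user would need it, and use the "cipher" spelling.
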
diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk
index a1dfce62a2..59c9a0a7d9 100644
--- a/package/gnutls/gnutls.mk
+++ b/package/gnutls/gnutls.mk
@@ -36,7 +36,9 @@ GNUTLS_CONF_ENV = gl_cv_socket_ipv6=yes \
 GNUTLS_INSTALL_STAGING = YES
 
 # libpthread autodetection poison the linkpath
-GNUTLS_CONF_OPTS += $(if $(BR2_TOOLCHAIN_HAS_THREADS),--with-libpthread-prefix=$(STAGING_DIR)/usr)
+GNUTLS_CONF_OPTS += $(if $(BR2_TOOLCHAIN_HAS_THREADS),--with-libpthread-prefix=$(STAGING_DIR)/usr) \
+                    $(if $(BR2_PACKAGE_GNUTLS_ENABLE_SSL2),,--disable-ssl2-support) \
+                    $(if $(BR2_PACKAGE_GNUTLS_ENABLE_GOST),,--disable-gost)
 
 # gnutls needs libregex, but pcre can be used too
 # The check isn't cross-compile friendly
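
Review bot: the two new $(if ...) terms in gnutls.mk are appended to the assignment that sits under the comment "# libpthread autodetection poison the linkpath", so unrelated feature switches read as part of the pthread workaround. Move them into their own block, and pass an explicit --enable flag when the option is selected instead of leaving the branch empty, so the built feature set does not depend on the configure default.
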
-- 
2.25.1


* Re: [Buildroot] [PATCH 1/1] package/gnutls: add options to enable features
  2020-05-15 14:02 [Buildroot] [PATCH 1/1] package/gnutls: add options to enable features Erwan GAUTRON
@ 2022-01-08 13:12 ` Peter Korsgaard
  0 siblings, 0 replies; 2+ messages in thread
From: Peter Korsgaard @ 2022-01-08 13:12 UTC (permalink / raw)
  To: Erwan GAUTRON; +Cc: Matt Weber, buildroot

On Fri, May 15, 2020 at 4:02 PM Erwan GAUTRON <erwan.gautron@bertin.fr> wrote:

Hi,

Sorry for the slow response!

> GnuTLS implements old, unsafe or unused protocols and cyphers.
> Secure embedded systems shall disable them in order to be certified.
> This patch allows selecting/unselecting the SSLv2 protocol and the GOST cypher.
> To ensure backward compatibility, all items are selected by default.
>
> Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
> ---
>  package/gnutls/Config.in | 12 ++++++++++++
>  package/gnutls/gnutls.mk |  4 +++-
>  2 files changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/package/gnutls/Config.in b/package/gnutls/Config.in
> index 15b930b6bd..56ea558969 100644
> --- a/package/gnutls/Config.in
> +++ b/package/gnutls/Config.in
> @@ -29,6 +29,18 @@ config BR2_PACKAGE_GNUTLS_TOOLS
>           Install GnuTLS command line tools for various cryptographic
>           tasks.
>
> +config BR2_PACKAGE_GNUTLS_ENABLE_SSL2
> +       bool "enable SSLv2"
> +       default y

These features should only be needed in very special situations, so
I've dropped the default y.

> +       help
> +         Enable SSLv2 protocol.
> +
> +config BR2_PACKAGE_GNUTLS_ENABLE_GOST
> +       bool "enable GOST"
> +       default y
> +       help
> +         Enable GOST cypher.

Elsewhere we use the cipher spelling, so I've changed that.

> +++ b/package/gnutls/gnutls.mk
> @@ -36,7 +36,9 @@ GNUTLS_CONF_ENV = gl_cv_socket_ipv6=yes \
>  GNUTLS_INSTALL_STAGING = YES
>
>  # libpthread autodetection poison the linkpath
> -GNUTLS_CONF_OPTS += $(if $(BR2_TOOLCHAIN_HAS_THREADS),--with-libpthread-prefix=$(STAGING_DIR)/usr)
> +GNUTLS_CONF_OPTS += $(if $(BR2_TOOLCHAIN_HAS_THREADS),--with-libpthread-prefix=$(STAGING_DIR)/usr) \
> +                    $(if $(BR2_PACKAGE_GNUTLS_ENABLE_SSL2),,--disable-ssl2-support) \
> +                    $(if $(BR2_PACKAGE_GNUTLS_ENABLE_GOST),,--disable-gost)

It makes more sense to have this in the "main" _CONF_OPTS handling
just after the _GNUTLS_TOOLS logic, so I've moved it there. I have
also added explicit --enable logic like we have for the other options.

Committed with these fixes, thanks.

-- 
Bye, Peter Korsgaard