* [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features
@ 2020-07-21 9:26 Erwan Gautron
2020-08-29 21:56 ` Yann E. MORIN
0 siblings, 1 reply; 7+ messages in thread
From: Erwan Gautron @ 2020-07-21 9:26 UTC (permalink / raw)
To: buildroot
From: "GAUTRON, Erwan" <erwan.gautron@bertin.fr>
Openssl implements lot of algorithms that are not required in
some emdedded devices and cyphers known as weak.
Secure embedded systems shall disable unused algorithms (and weak algo)
in order to be certified.
This patch allows to select weak algorithms and mecanims to enable
such as md5
To ensure backward compatibility, all items are selected by default
Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
---
package/libopenssl/Config.in | 147 +++++++++++++++++++++++++++++++
package/libopenssl/libopenssl.mk | 24 +++++
2 files changed, 171 insertions(+)
diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
index 8909e36b9e..c034408a96 100644
--- a/package/libopenssl/Config.in
+++ b/package/libopenssl/Config.in
@@ -44,4 +44,151 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
help
Install additional encryption engine libraries.
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA
+ bool "enable CHACHA "
+ default y
+ help
+ Enable CHACHA cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5
+ bool "enable RC5"
+ default y
+ help
+ Enable RC5 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2
+ bool "enable RC2"
+ default y
+ help
+ Enable RC2 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4
+ bool "enable RC4"
+ default y
+ help
+ Enable RC4 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2
+ bool "enable MD2"
+ default y
+ help
+ Enable MD2 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4
+ bool "enable MD4"
+ default y
+ help
+ Enable MD4 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5
+ bool "enable MD5"
+ default y
+ help
+ Enable MD5 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2
+ bool "enable MDC2"
+ default y
+ help
+ Enable MDC2 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2
+ bool "enable BLAKE2"
+ default y
+ help
+ Enable BLAKE2 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA
+ bool "enable IDEA"
+ default y
+ help
+ Enable IDEA cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED
+ bool "enable SEED"
+ default y
+ help
+ Enable SEED cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_DES
+ bool "enable DES"
+ default y
+ help
+ Enable DES cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160
+ bool "enable RMD160"
+ default y
+ help
+ Enable RMD160 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL
+ bool "enable WHIRLPOOL"
+ default y
+ help
+ Enable WHIRLPOOL cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH
+ bool "enable BLOWFISH"
+ default y
+ help
+ Enable BLOWFISH cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL
+ bool "enable SSL"
+ default y
+ help
+ Enable SSL mode.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2
+ bool "enable SSL2"
+ default y
+ help
+ Enable SSL2 mode.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3
+ bool "enable SSL3"
+ default y
+ help
+ Enable SSL3 mode.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL
+ bool "enable WEAK_SSL"
+ default y
+ help
+ Enable WEAK_SSL mode.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK
+ bool "enable mode PSK"
+ default y
+ help
+ Enable PSK mode.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST
+ bool "enable mode CAST"
+ default y
+ help
+ Enable CAST mode.
+
+config BR2_PACKAGE_LIBOPENSSL_UNSECURE
+ bool "enable unit test, debug, backtrace"
+ default y
+ help
+ Enable unit-test crypto-mdebug-backtrace
+ crypto-mdebug autoerrinit mode.
+
+config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
+ bool "enable dynamic engine"
+ default y
+ help
+ Enable dynamic engine.
+
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
+ bool "enable compression"
+ default y
+ help
+ Enable compression.
+
+
endif # BR2_PACKAGE_LIBOPENSSL
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index a300458f85..ff9ae08d74 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -86,6 +86,30 @@ define LIBOPENSSL_CONFIGURE_CMDS
no-tests \
no-fuzz-libfuzzer \
no-fuzz-afl \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA),,no-chacha) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5),,no-rc5) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2),,no-rc2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4),,no-rc4) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2),,no-md2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4),,no-md4) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5),,no-md5) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2),,no-mdc2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2),,no-blake2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA),,no-idea) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED),,no-seed) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_DES),,no-des) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160),,no-rmd160) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL),,no-whirlpool) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH),,no-bf) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL),,no-ssl) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2),,no-ssl2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3),,no-ssl3) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL),,no-weak-ssl-ciphers) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK),,no-psk) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST),,no-cast) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_UNSECURE),,no-unit-test no-crypto-mdebug-backtrace no-crypto-mdebug no-autoerrinit) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE),,no-dynamic-engine ) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP),,no-comp) \
$(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
)
$(SED) "s#-march=[-a-z0-9] ##" -e "s#-mcpu=[-a-z0-9] ##g" $(@D)/Makefile
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features
2020-07-21 9:26 [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features Erwan Gautron
@ 2020-08-29 21:56 ` Yann E. MORIN
0 siblings, 0 replies; 7+ messages in thread
From: Yann E. MORIN @ 2020-08-29 21:56 UTC (permalink / raw)
To: buildroot
Erwan, All,
On 2020-07-21 11:26 +0200, Erwan Gautron spake thusly:
> From: "GAUTRON, Erwan" <erwan.gautron@bertin.fr>
> Openssl implements lot of algorithms that are not required in
> some emdedded devices and cyphers known as weak.
> Secure embedded systems shall disable unused algorithms (and weak algo)
> in order to be certified.
> This patch allows to select weak algorithms and mecanims to enable
> such as md5
> To ensure backward compatibility, all items are selected by default
While I certainly understand and appreciate the rationale, I think this
is going a bit too far and is too granular.
I would suggest that we just add a few categories, like:
config BR2_PACKAGE_LIBOPENSSL_LEGACY_CIPHERS
bool "enable legacy cipher suites"
help
Build support for the following legacy, weak cipher suites:
rc2
rc4
rc5
[etc... fill in as appropriate]
config BR2_PACKAGE_LIBOPENSSL_LEGACY_HASHES
bool "enable legacy hash algorithms"
help
Build support for legacy, weak hash alorithms:
md2
md4
md5
[etc... fill in as appropriate]
config BR2_PACKAGE_LIBOPENSSL_LEGACY_PROTOCOLS
bool "enable legacy protocols"
help
Build support for legacy protocols;
SSL 1.0
SSL 2.0
SSL 3.0
TLS 1.0
[etc... fill in as appropriate]
And we would consider legacy any cipher suite, hash algorithm, or
protocol that is deprecated by NIST (e.g. because they are forbidden in
FIPS 140-2, or the soon-to-be-in-force FIPS 140-3).
Finally, I would not add any option to disable "current" cipher suites,
hash algorithms, or protocols; I would always have them built. This will
help build devices that are future-proof, when the servers they talk to
are upgraded to using new protocols and thus new cipher suites: devices
in the fields will not need to be updated just for that.
Also, see below for a few generic comments...
> Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
> ---
> package/libopenssl/Config.in | 147 +++++++++++++++++++++++++++++++
> package/libopenssl/libopenssl.mk | 24 +++++
> 2 files changed, 171 insertions(+)
>
> diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
> index 8909e36b9e..c034408a96 100644
> --- a/package/libopenssl/Config.in
> +++ b/package/libopenssl/Config.in
> @@ -44,4 +44,151 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
> help
> Install additional encryption engine libraries.
>
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA
> + bool "enable CHACHA "
> + default y
> + help
> + Enable CHACHA cipher.
There is not point in providing a help text that just repeats the prompt
of the option. Surely, the user expects to enable 'foo' when they select
the 'foo' option, so a help text that just says so is useless. And in
this case, there is no need for such a helpt text indeed.
But with the proposal I made above, that comment is now moot (but you'll
know for your next patches! ;-) ).
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5
> + bool "enable RC5"
> + default y
> + help
> + Enable RC5 cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2
> + bool "enable RC2"
> + default y
> + help
> + Enable RC2 cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4
> + bool "enable RC4"
> + default y
> + help
> + Enable RC4 cipher.
Also for the future: keep alphabetical ordering, so that items in a same
category are ordered and easy to find.
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2
> + bool "enable MD2"
> + default y
> + help
> + Enable MD2 cipher.
The MD2/4/5 are not ciphers, but hashes. Well, they are hash algorithms.
Well, they are message-digest algorithms. Well, I am not a security
pedant, but they are certainly not ciphers.
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL
> + bool "enable SSL"
> + default y
> + help
> + Enable SSL mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2
> + bool "enable SSL2"
> + default y
> + help
> + Enable SSL2 mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3
> + bool "enable SSL3"
> + default y
> + help
> + Enable SSL3 mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL
> + bool "enable WEAK_SSL"
> + default y
> + help
> + Enable WEAK_SSL mode.
WEAK_SSL is about weak ciphers; it's not a protocol, just the list of
ciphers allowed.
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK
> + bool "enable mode PSK"
> + default y
> + help
> + Enable PSK mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST
> + bool "enable mode CAST"
> + default y
> + help
> + Enable CAST mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_UNSECURE
> + bool "enable unit test, debug, backtrace"
> + default y
> + help
> + Enable unit-test crypto-mdebug-backtrace
> + crypto-mdebug autoerrinit mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
> + bool "enable dynamic engine"
> + default y
> + help
> + Enable dynamic engine.
> +
> +
Two empty consecutive lines is one too many.
Running 'make check-package' would hint at this.
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
> + bool "enable compression"
> + default y
> + help
> + Enable compression.
> +
> +
Ditto empty lines.
Would you care to respin your series in the direction I suggest above,
please?
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features
2020-05-11 13:21 Erwan GAUTRON
@ 2021-05-16 17:09 ` Yann E. MORIN
0 siblings, 0 replies; 7+ messages in thread
From: Yann E. MORIN @ 2021-05-16 17:09 UTC (permalink / raw)
To: buildroot
Erwan, All,
Sorry for coming back so late on that one...
On 2020-05-11 15:21 +0200, Erwan GAUTRON spake thusly:
> From: "GAUTRON, Erwan" <erwan.gautron@bertin.fr>
>
> Openssl implements lot of algorithms that are not required in
> some emdedded devices and cyphers known as weak.
> Secure embedded systems shall disable unused algorithms (and weak algo)
> in order to be certified.
> This patch allows to select weak algorithms and mecanims to enable
> such as md5
> To ensure backward compatibility, all items are selected by default
>
> Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
I was pretty sure I had already seen that patch, and indeed I replied to
it, but that was to your July respin, while the three older attempts
were still available on patchowrk...
Because I was not sure I had already replied, I eventually applied this
iteration to the 'next' branch.
And then, when looking for the mail to reply to, I found my later
review...
My fault for taking so long to handle that patch. So...
Applied to next, thanks.
Regards,
Yann E. MORIN.
> ---
> package/libopenssl/Config.in | 147 +++++++++++++++++++++++++++++++
> package/libopenssl/libopenssl.mk | 24 +++++
> 2 files changed, 171 insertions(+)
>
> diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
> index 881518d1cb..184a365a46 100644
> --- a/package/libopenssl/Config.in
> +++ b/package/libopenssl/Config.in
> @@ -44,4 +44,151 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
> help
> Install additional encryption engine libraries.
>
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA
> + bool "enable CHACHA "
> + default y
> + help
> + Enable CHACHA cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5
> + bool "enable RC5"
> + default y
> + help
> + Enable RC5 cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2
> + bool "enable RC2"
> + default y
> + help
> + Enable RC2 cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4
> + bool "enable RC4"
> + default y
> + help
> + Enable RC4 cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2
> + bool "enable MD2"
> + default y
> + help
> + Enable MD2 cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4
> + bool "enable MD4"
> + default y
> + help
> + Enable MD4 cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5
> + bool "enable MD5"
> + default y
> + help
> + Enable MD5 cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2
> + bool "enable MDC2"
> + default y
> + help
> + Enable MDC2 cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2
> + bool "enable BLAKE2"
> + default y
> + help
> + Enable BLAKE2 cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA
> + bool "enable IDEA"
> + default y
> + help
> + Enable IDEA cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED
> + bool "enable SEED"
> + default y
> + help
> + Enable SEED cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_DES
> + bool "enable DES"
> + default y
> + help
> + Enable DES cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160
> + bool "enable RMD160"
> + default y
> + help
> + Enable RMD160 cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL
> + bool "enable WHIRLPOOL"
> + default y
> + help
> + Enable WHIRLPOOL cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH
> + bool "enable BLOWFISH"
> + default y
> + help
> + Enable BLOWFISH cipher.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL
> + bool "enable SSL"
> + default y
> + help
> + Enable SSL mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2
> + bool "enable SSL2"
> + default y
> + help
> + Enable SSL2 mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3
> + bool "enable SSL3"
> + default y
> + help
> + Enable SSL3 mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL
> + bool "enable WEAK_SSL"
> + default y
> + help
> + Enable WEAK_SSL mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK
> + bool "enable mode PSK"
> + default y
> + help
> + Enable PSK mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST
> + bool "enable mode CAST"
> + default y
> + help
> + Enable CAST mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_UNSECURE
> + bool "enable unit test, debug, backtrace"
> + default y
> + help
> + Enable unit-test crypto-mdebug-backtrace
> + crypto-mdebug autoerrinit mode.
> +
> +config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
> + bool "enable dynamic engine"
> + default y
> + help
> + Enable dynamic engine.
> +
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
> + bool "enable compression"
> + default y
> + help
> + Enable compression.
> +
> +
> endif # BR2_PACKAGE_LIBOPENSSL
> diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
> index a300458f85..ff9ae08d74 100644
> --- a/package/libopenssl/libopenssl.mk
> +++ b/package/libopenssl/libopenssl.mk
> @@ -86,6 +86,30 @@ define LIBOPENSSL_CONFIGURE_CMDS
> no-tests \
> no-fuzz-libfuzzer \
> no-fuzz-afl \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA),,no-chacha) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5),,no-rc5) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2),,no-rc2) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4),,no-rc4) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2),,no-md2) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4),,no-md4) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5),,no-md5) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2),,no-mdc2) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2),,no-blake2) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA),,no-idea) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED),,no-seed) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_DES),,no-des) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160),,no-rmd160) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL),,no-whirlpool) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH),,no-bf) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL),,no-ssl) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2),,no-ssl2) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3),,no-ssl3) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL),,no-weak-ssl-ciphers) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK),,no-psk) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST),,no-cast) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_UNSECURE),,no-unit-test no-crypto-mdebug-backtrace no-crypto-mdebug no-autoerrinit) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE),,no-dynamic-engine ) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP),,no-comp) \
> $(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
> )
> $(SED) "s#-march=[-a-z0-9] ##" -e "s#-mcpu=[-a-z0-9] ##g" $(@D)/Makefile
> --
> 2.25.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features
@ 2020-05-11 13:21 Erwan GAUTRON
2021-05-16 17:09 ` Yann E. MORIN
0 siblings, 1 reply; 7+ messages in thread
From: Erwan GAUTRON @ 2020-05-11 13:21 UTC (permalink / raw)
To: buildroot
From: "GAUTRON, Erwan" <erwan.gautron@bertin.fr>
Openssl implements lot of algorithms that are not required in
some emdedded devices and cyphers known as weak.
Secure embedded systems shall disable unused algorithms (and weak algo)
in order to be certified.
This patch allows to select weak algorithms and mecanims to enable
such as md5
To ensure backward compatibility, all items are selected by default
Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
---
package/libopenssl/Config.in | 147 +++++++++++++++++++++++++++++++
package/libopenssl/libopenssl.mk | 24 +++++
2 files changed, 171 insertions(+)
diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
index 881518d1cb..184a365a46 100644
--- a/package/libopenssl/Config.in
+++ b/package/libopenssl/Config.in
@@ -44,4 +44,151 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
help
Install additional encryption engine libraries.
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA
+ bool "enable CHACHA "
+ default y
+ help
+ Enable CHACHA cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5
+ bool "enable RC5"
+ default y
+ help
+ Enable RC5 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2
+ bool "enable RC2"
+ default y
+ help
+ Enable RC2 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4
+ bool "enable RC4"
+ default y
+ help
+ Enable RC4 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2
+ bool "enable MD2"
+ default y
+ help
+ Enable MD2 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4
+ bool "enable MD4"
+ default y
+ help
+ Enable MD4 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5
+ bool "enable MD5"
+ default y
+ help
+ Enable MD5 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2
+ bool "enable MDC2"
+ default y
+ help
+ Enable MDC2 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2
+ bool "enable BLAKE2"
+ default y
+ help
+ Enable BLAKE2 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA
+ bool "enable IDEA"
+ default y
+ help
+ Enable IDEA cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED
+ bool "enable SEED"
+ default y
+ help
+ Enable SEED cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_DES
+ bool "enable DES"
+ default y
+ help
+ Enable DES cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160
+ bool "enable RMD160"
+ default y
+ help
+ Enable RMD160 cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL
+ bool "enable WHIRLPOOL"
+ default y
+ help
+ Enable WHIRLPOOL cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH
+ bool "enable BLOWFISH"
+ default y
+ help
+ Enable BLOWFISH cipher.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL
+ bool "enable SSL"
+ default y
+ help
+ Enable SSL mode.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2
+ bool "enable SSL2"
+ default y
+ help
+ Enable SSL2 mode.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3
+ bool "enable SSL3"
+ default y
+ help
+ Enable SSL3 mode.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL
+ bool "enable WEAK_SSL"
+ default y
+ help
+ Enable WEAK_SSL mode.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK
+ bool "enable mode PSK"
+ default y
+ help
+ Enable PSK mode.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST
+ bool "enable mode CAST"
+ default y
+ help
+ Enable CAST mode.
+
+config BR2_PACKAGE_LIBOPENSSL_UNSECURE
+ bool "enable unit test, debug, backtrace"
+ default y
+ help
+ Enable unit-test crypto-mdebug-backtrace
+ crypto-mdebug autoerrinit mode.
+
+config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
+ bool "enable dynamic engine"
+ default y
+ help
+ Enable dynamic engine.
+
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
+ bool "enable compression"
+ default y
+ help
+ Enable compression.
+
+
endif # BR2_PACKAGE_LIBOPENSSL
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index a300458f85..ff9ae08d74 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -86,6 +86,30 @@ define LIBOPENSSL_CONFIGURE_CMDS
no-tests \
no-fuzz-libfuzzer \
no-fuzz-afl \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA),,no-chacha) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5),,no-rc5) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2),,no-rc2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4),,no-rc4) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2),,no-md2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4),,no-md4) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5),,no-md5) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2),,no-mdc2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2),,no-blake2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA),,no-idea) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED),,no-seed) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_DES),,no-des) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160),,no-rmd160) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL),,no-whirlpool) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH),,no-bf) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL),,no-ssl) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2),,no-ssl2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3),,no-ssl3) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL),,no-weak-ssl-ciphers) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK),,no-psk) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST),,no-cast) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_UNSECURE),,no-unit-test no-crypto-mdebug-backtrace no-crypto-mdebug no-autoerrinit) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE),,no-dynamic-engine ) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP),,no-comp) \
$(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
)
$(SED) "s#-march=[-a-z0-9] ##" -e "s#-mcpu=[-a-z0-9] ##g" $(@D)/Makefile
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features
2020-05-11 12:47 ` Thomas Petazzoni
@ 2020-05-11 13:02 ` Erwan Gautron
0 siblings, 0 replies; 7+ messages in thread
From: Erwan Gautron @ 2020-05-11 13:02 UTC (permalink / raw)
To: buildroot
Hello Thomas,
?
On 11/05/2020 14:47, Thomas Petazzoni wrote:
> Hello Erwan,
>
> On Mon, 11 May 2020 13:28:40 +0200
> Erwan GAUTRON <erwan.gautron@bertin.fr> wrote:
>
>> package/libopenssl/Config.in | 151 +++++++++++++++++++++++++++++++
>> package/libopenssl/libopenssl.mk | 25 +++++
>> 2 files changed, 176 insertions(+)
>
> Thanks for this new iteration!
welcome
>
>> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA
>> + bool "enable openssl CHACHA "
>> + default y
>> + help
>> + Enable CHACHA cipher in libopenssl.
>
> The "in openssl" part of each help text is not really useful, as these
> are suboptions of libopenssl already.
>
I'll update
>> +config BR2_PACKAGE_LIBOPENSSL_UNSECURE
>> + bool "enable unit test, debug, backtrace"
>> + default y
>> + help
>> + Enable unit-test crypto-mdebug-backtrace crypto-mdebug autoerrinit mode in libopenssl.
>
> This line is too long, "make check-package" most likely complains about
> this.
>
ok
>> +config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
>> + bool "enable openssl dynamic engine"
>> + default y
>> + help
>> + Enable dynamic engine in libopenssl.
>> +
>> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_IPV6
>> + bool "enable openssl IPV6"
>> + default y
>> + help
>> + Enable IPV6 in libopenssl.
>
> Is it really useful to make IPv6 optional? Is that necessary for your
> certification? IPv6 used to be optional in Buildroot in general, and we
> got rid of that several years ago, so reintroducing IPv6 options will
> really need some good jusitification.
>
I can understand. Anyway my certification needs to disable all Ipv6
options. But I can do that by patching my local copy of buildroot in
post build process. I'll remove the option
>> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
>> + bool "enable openssl compression"
>> + default y
>> + help
>> + Enable compression in libopenssl.
>
> So you dropped the zlib option? Why?
I remove it because I've found a case where this option causes some
problems.
>
> Best regards,
>
> Thomas
>
I'll send the new patch soon
Regards
Erwan
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features
2020-05-11 11:28 ` [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features Erwan GAUTRON
@ 2020-05-11 12:47 ` Thomas Petazzoni
2020-05-11 13:02 ` Erwan Gautron
0 siblings, 1 reply; 7+ messages in thread
From: Thomas Petazzoni @ 2020-05-11 12:47 UTC (permalink / raw)
To: buildroot
Hello Erwan,
On Mon, 11 May 2020 13:28:40 +0200
Erwan GAUTRON <erwan.gautron@bertin.fr> wrote:
> package/libopenssl/Config.in | 151 +++++++++++++++++++++++++++++++
> package/libopenssl/libopenssl.mk | 25 +++++
> 2 files changed, 176 insertions(+)
Thanks for this new iteration!
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA
> + bool "enable openssl CHACHA "
> + default y
> + help
> + Enable CHACHA cipher in libopenssl.
The "in openssl" part of each help text is not really useful, as these
are suboptions of libopenssl already.
> +config BR2_PACKAGE_LIBOPENSSL_UNSECURE
> + bool "enable unit test, debug, backtrace"
> + default y
> + help
> + Enable unit-test crypto-mdebug-backtrace crypto-mdebug autoerrinit mode in libopenssl.
This line is too long, "make check-package" most likely complains about
this.
> +config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
> + bool "enable openssl dynamic engine"
> + default y
> + help
> + Enable dynamic engine in libopenssl.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_IPV6
> + bool "enable openssl IPV6"
> + default y
> + help
> + Enable IPV6 in libopenssl.
Is it really useful to make IPv6 optional? Is that necessary for your
certification? IPv6 used to be optional in Buildroot in general, and we
got rid of that several years ago, so reintroducing IPv6 options will
really need some good jusitification.
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
> + bool "enable openssl compression"
> + default y
> + help
> + Enable compression in libopenssl.
So you dropped the zlib option? Why?
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features
2020-05-11 11:28 [Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features Erwan GAUTRON
@ 2020-05-11 11:28 ` Erwan GAUTRON
2020-05-11 12:47 ` Thomas Petazzoni
0 siblings, 1 reply; 7+ messages in thread
From: Erwan GAUTRON @ 2020-05-11 11:28 UTC (permalink / raw)
To: buildroot
From: "GAUTRON, Erwan" <erwan.gautron@bertin.fr>
Openssl implements lot of algorithms that are not required in
some emdedded devices and cyphers known as weak.
Secure embedded systems shall disable unused algorithms (and weak algo)
in order to be certified.
This patch allows to select weak algorithms and mecanims to enable
such as md5
To ensure backward compatibility, all items are selected by default
Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
---
package/libopenssl/Config.in | 151 +++++++++++++++++++++++++++++++
package/libopenssl/libopenssl.mk | 25 +++++
2 files changed, 176 insertions(+)
diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
index 881518d1cb..7c84be3bb4 100644
--- a/package/libopenssl/Config.in
+++ b/package/libopenssl/Config.in
@@ -44,4 +44,155 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
help
Install additional encryption engine libraries.
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA
+ bool "enable openssl CHACHA "
+ default y
+ help
+ Enable CHACHA cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5
+ bool "enable openssl RC5"
+ default y
+ help
+ Enable RC5 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2
+ bool "enable openssl RC2"
+ default y
+ help
+ Enable RC2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4
+ bool "enable openssl RC4"
+ default y
+ help
+ Enable RC4 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2
+ bool "enable openssl MD2"
+ default y
+ help
+ Enable MD2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4
+ bool "enable openssl MD4"
+ default y
+ help
+ Enable MD4 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5
+ bool "enable openssl MD5"
+ default y
+ help
+ Enable MD5 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2
+ bool "enable openssl MDC2"
+ default y
+ help
+ Enable MDC2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2
+ bool "enable openssl BLAKE2"
+ default y
+ help
+ Enable BLAKE2 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA
+ bool "enable openssl IDEA"
+ default y
+ help
+ Enable IDEA cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED
+ bool "enable openssl SEED"
+ default y
+ help
+ Enable SEED cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_DES
+ bool "enable openssl DES"
+ default y
+ help
+ Enable DES cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160
+ bool "enable openssl RMD160"
+ default y
+ help
+ Enable RMD160 cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL
+ bool "enable openssl WHIRLPOOL"
+ default y
+ help
+ Enable WHIRLPOOL cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH
+ bool "enable openssl BLOWFISH"
+ default y
+ help
+ Enable BLOWFISH cipher in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL
+ bool "enable openssl SSL"
+ default y
+ help
+ Enable SSL mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2
+ bool "enable openssl SSL2"
+ default y
+ help
+ Enable SSL2 mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3
+ bool "enable openssl SSL3"
+ default y
+ help
+ Enable SSL3 mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL
+ bool "enable openssl WEAK_SSL"
+ default y
+ help
+ Enable WEAK_SSL mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK
+ bool "enable openssl mode PSK"
+ default y
+ help
+ Enable PSK mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST
+ bool "enable openssl mode CAST"
+ default y
+ help
+ Enable CAST mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_UNSECURE
+ bool "enable unit test, debug, backtrace"
+ default y
+ help
+ Enable unit-test crypto-mdebug-backtrace crypto-mdebug autoerrinit mode in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
+ bool "enable openssl dynamic engine"
+ default y
+ help
+ Enable dynamic engine in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_IPV6
+ bool "enable openssl IPV6"
+ default y
+ help
+ Enable IPV6 in libopenssl.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
+ bool "enable openssl compression"
+ default y
+ help
+ Enable compression in libopenssl.
+
+
endif # BR2_PACKAGE_LIBOPENSSL
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index a300458f85..ba87cce7b7 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -86,6 +86,31 @@ define LIBOPENSSL_CONFIGURE_CMDS
no-tests \
no-fuzz-libfuzzer \
no-fuzz-afl \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA),,no-chacha) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC5),,no-rc5) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2),,no-rc2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4),,no-rc4) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2),,no-md2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4),,no-md4) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MD5),,no-md5) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2),,no-mdc2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2),,no-blake2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA),,no-idea) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED),,no-seed) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_DES),,no-des) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160),,no-rmd160) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL),,no-whirlpool) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH),,no-bf) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL),,no-ssl) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2),,no-ssl2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3),,no-ssl3) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL),,no-weak-ssl-ciphers) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK),,no-psk) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST),,no-cast) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_UNSECURE),,no-unit-test no-crypto-mdebug-backtrace no-crypto-mdebug no-autoerrinit) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE),,no-dynamic-engine ) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_IPV6),,-DOPENSSL_USE_IPV6=0) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP),,no-comp) \
$(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
)
$(SED) "s#-march=[-a-z0-9] ##" -e "s#-mcpu=[-a-z0-9] ##g" $(@D)/Makefile
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-05-16 17:09 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-21 9:26 [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features Erwan Gautron
2020-08-29 21:56 ` Yann E. MORIN
-- strict thread matches above, loose matches on Subject: below --
2020-05-11 13:21 Erwan GAUTRON
2021-05-16 17:09 ` Yann E. MORIN
2020-05-11 11:28 [Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features Erwan GAUTRON
2020-05-11 11:28 ` [Buildroot] [PATCH 1/1] package/libopenssl: add option to enable some features Erwan GAUTRON
2020-05-11 12:47 ` Thomas Petazzoni
2020-05-11 13:02 ` Erwan Gautron
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.