On 19.12.20 18:36, Richard Purdie wrote:
PACKAGECONFIG[cryptodev-linux] =
"enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
+PACKAGECONFIG[no-tls1] = "no-tls1"
+PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
B = "${WORKDIR}/build"
do_configure[cleandirs] = "${B}"
@@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk =
"--with-rand-seed=os,devrandom"
CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin
-DENGINESDIR=/not/builtin"
CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin
-DENGINESDIR=/not/builtin"
+# Disable deprecated crypto algorithms
+# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
+DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 no-md2
no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4
no-whirlpool"
+
From my perspective this breaks backward compatibility, so I would
rather have them all that as optional PACKAGECONFIG fields (which also
does make it easier for ppl, still relying on one of those algorithms,
for whatever reason, to re-enable them) - with the current approach all
one could do is to override it with a bbappend - and tbh letting ppl
have bbappends for this recipe, doesn't sound like the best idea in the
long run to "enforce" any kind of "security" or "hardening"
do_configure () {
os=${HOST_OS}
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#145905):
https://lists.openembedded.org/g/openembedded-core/message/145905
Mute This Topic: https://lists.openembedded.org/mt/79087117/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
