There are some build failures in meta-oe due to this change; here is a sample:
https://errors.yoctoproject.org/Errors/Build/113701/
On Sat, Dec 19, 2020 at 9:36 AM Richard Purdie <richard.pur...@linuxfoundation.org> wrote:
>
> The OE-Core list needs to be included on this so I'm doing so.
>
> Cheers,
>
> Richard
>
>
>
> ---------- Forwarded message ----------
> From: Shachar Menashe <shac...@vdoo.com>
> To: "yocto-secur...@lists.yoctoproject.org"
> <yocto-secur...@lists.yoctoproject.org>
> Cc:
> Bcc:
> Date: Sat, 19 Dec 2020 16:04:30 +0000
> Subject: [yocto-security] [PATCH] openssl: drop support for deprecated
> algorithms
> 1. Drop support for many deprecated algorithms by default
> 2. Allow dropping support for TLS 1.0/1.1 via PACKAGECONFIG
>
> Signed-off-by: Shachar Menashe <shac...@vdoo.com>
> ---
> meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> index 8159558..f9764bd 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> @@ -33,6 +33,8 @@ PACKAGECONFIG_class-native = ""
> PACKAGECONFIG_class-nativesdk = ""
>
> PACKAGECONFIG[cryptodev-linux] =
> "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
> +PACKAGECONFIG[no-tls1] = "no-tls1"
> +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
>
> B = "${WORKDIR}/build"
> do_configure[cleandirs] = "${B}"
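Review bot: The two new PACKAGECONFIG entries have no comment saying that they are opt-in, and their names are themselves negations, so enabling the option `no-tls1` is what disables TLS 1.0. With only the first field set, nothing is passed to Configure when they are off, which leaves TLS 1.0 and 1.1 built by default. A comment above them such as `# Opt-in hardening: add no-tls1 and/or no-tls1_1 to PACKAGECONFIG to build without TLS 1.0/1.1` would make that discoverable. The context lines show `PACKAGECONFIG_class-native = ""` and `PACKAGECONFIG_class-nativesdk = ""`, so native and nativesdk builds keep both protocols unless those overrides are changed as well.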
> @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk =
> "--with-rand-seed=os,devrandom"
> CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin
> -DENGINESDIR=/not/builtin"
> CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin
> -DENGINESDIR=/not/builtin"
>
> +# Disable deprecated crypto algorithms
> +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
> +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5
> no-md2 no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed no-siphash
> no-sm2 no-sm3 no-sm4 no-whirlpool"
> +
> do_configure () {
> os=${HOST_OS}
> case $os in
> @@ -122,7 +128,7 @@ do_configure () {
> # WARNING: do not set compiler/linker flags (-I/-D etc.) in
> EXTRA_OECONF, as they will fully replace the
> # environment variables set by bitbake. Adjust the environment
> variables instead.
> HASHBANGPERL="/usr/bin/env perl" PERL=perl
> PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
> - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS}
> --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
> + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS}
> ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1
> --libdir=${libdir} $target
> perl ${B}/configdata.pm --dump
> }
>
> --
> 2.17.1
>
>
>
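Review bot: `DEPRECATED_CRYPTO_FLAGS` is assigned with a plain `=` and passed unconditionally to `Configure` in the `do_configure` hunk that follows, so the reduced algorithm set applies to every build of the recipe, with no PACKAGECONFIG or weak default to opt back in. The reply at the top of this thread already reports meta-oe build failures. Several entries are not deprecated algorithms: `no-psk` and `no-srp` remove TLS key-exchange features, and `no-scrypt` and `no-siphash` remove current primitives, so the variable name and comment overstate what is safe to drop. Changing the assignment to `?=` would let a distro or bbappend restore what its dependents need, and the "Retained for compatibility" comment should also say which consumers were build-tested. `no-ssl` is presumably meant as `no-ssl3`, and spelling it that way would make the intent clear; `do_configure` continues outside both hunks.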