[OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-19 Thread Richard Purdie
The OE-Core list needs to be included on this so I'm doing so.

Cheers,

Richard
--- Begin Message ---
1. Drop support for many deprecated algorithms by default
2. Allow dropping support for TLS 1.0/1.1 via PACKAGECONFIG

Signed-off-by: Shachar Menashe 
---
 meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb 
b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
index 8159558..f9764bd 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
@@ -33,6 +33,8 @@ PACKAGECONFIG_class-native = ""
 PACKAGECONFIG_class-nativesdk = ""
 
 PACKAGECONFIG[cryptodev-linux] = 
"enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
+PACKAGECONFIG[no-tls1] = "no-tls1"
+PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
 
 B = "${WORKDIR}/build"
 do_configure[cleandirs] = "${B}"
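Review bot: the two new options `PACKAGECONFIG[no-tls1] = "no-tls1"` and `PACKAGECONFIG[no-tls1_1] = "no-tls1_1"` invert the convention used by every other entry in this recipe (compare `cryptodev-linux` just above): a user adds `no-tls1` to PACKAGECONFIG to switch something off rather than removing a feature name to disable it. Consider positive names with the disable argument in the second field, e.g. `PACKAGECONFIG[tls1] = ",no-tls1"` and `PACKAGECONFIG[tls1_1] = ",no-tls1_1"`, listed in the default PACKAGECONFIG so that a distro drops `tls1` to remove the protocol; note that `PACKAGECONFIG_class-native = ""` and `PACKAGECONFIG_class-nativesdk = ""` in the hunk context mean the chosen polarity decides what native and nativesdk builds get. Whichever form is kept, a comment should state that these options remove TLS 1.0/1.1 from the library itself, which breaks any on-image peer that still negotiates those versions.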
@@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk = 
"--with-rand-seed=os,devrandom"
 CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
-DENGINESDIR=/not/builtin"
 CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin 
-DENGINESDIR=/not/builtin"
 
+# Disable deprecated crypto algorithms
+# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
+DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 no-md2 
no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed no-siphash no-sm2 
no-sm3 no-sm4 no-whirlpool"
+
 do_configure () {
os=${HOST_OS}
case $os in
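Review bot: the `+# Disable deprecated crypto algorithms` comment does not match the list in `DEPRECATED_CRYPTO_FLAGS`: `no-scrypt` and `no-siphash` remove current, widely recommended primitives, `no-sm2`/`no-sm3`/`no-sm4` remove national-standard algorithms that are merely unwanted in some deployments, and `no-psk`/`no-srp` remove TLS key-exchange modes rather than weak ciphers. Either rename the variable and comment to describe the actual policy (algorithms this distro disables by default) or split the list so that genuinely weak primitives (`no-md2`, `no-md4`, `no-rc2`, `no-rc4`) are kept apart from entries dropped only to reduce attack surface, and say which consumers were checked for each, as the `+# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)` line does for the retained ones (that comment misspells "compatibility"). The leading space in `" no-ssl …"` is harmless because the variable is expanded unquoted in do_configure, but `"no-ssl …"` is the usual style.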
@@ -122,7 +128,7 @@ do_configure () {
# WARNING: do not set compiler/linker flags (-I/-D etc.) in 
EXTRA_OECONF, as they will fully replace the
# environment variables set by bitbake. Adjust the environment 
variables instead.
HASHBANGPERL="/usr/bin/env perl" PERL=perl 
PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
-   perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} 
--prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
+   perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} 
${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 
--libdir=${libdir} $target
perl ${B}/configdata.pm --dump
 }
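Review bot: `${DEPRECATED_CRYPTO_FLAGS}` is added to the Configure line unconditionally, so the list applies to target, native and nativesdk builds alike even though the recipe deliberately empties PACKAGECONFIG for class-native and class-nativesdk (see the `PACKAGECONFIG_class-native = ""` context at the top of the first hunk); host tools linked against openssl-native (the comment names rpm for dsa) may need a different set, so consider `DEPRECATED_CRYPTO_FLAGS_class-native = ""` / `_class-nativesdk` variants, or at least state in the commit message that all three classes were build-tested. The commit message should also document the supported way back for users this breaks, e.g. `DEPRECATED_CRYPTO_FLAGS_remove = "no-rc4"` in a distro conf, and the patch is against openssl_1.1.1g.bb, so it needs checking against the recipe version currently in master before it can be applied.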
 
-- 
2.17.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#229): 
https://lists.yoctoproject.org/g/yocto-security/message/229
Mute This Topic: https://lists.yoctoproject.org/mt/79085238/1686473
Group Owner: yocto-security+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto-security/unsub 
[richard.pur...@linuxfoundation.org]
-=-=-=-=-=-=-=-=-=-=-=-

--- End Message ---




Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-19 Thread Khem Raj
This looks like a good improvement to me. I think it is perhaps a good idea
to disable them across all openssl recipe types, but we might find issues
with native/nativesdk versions.

On Sat, Dec 19, 2020 at 9:36 AM Richard Purdie
 wrote:
>
> The OE-Core list needs to be included on this so I'm doing so.
>
> Cheers,
>
> Richard
>
>
>
> -- Forwarded message --
> From: Shachar Menashe 
> To: "yocto-secur...@lists.yoctoproject.org" 
> 
> Cc:
> Bcc:
> Date: Sat, 19 Dec 2020 16:04:30 +
> Subject: [yocto-security] [PATCH] openssl: drop support for deprecated 
> algorithms
> 1. Drop support for many deprecated algorithms by default
> 2. Allow dropping support for TLS 1.0/1.1 via PACKAGECONFIG
>
> Signed-off-by: Shachar Menashe 
> ---
>  meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 8 +++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb 
> b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> index 8159558..f9764bd 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> @@ -33,6 +33,8 @@ PACKAGECONFIG_class-native = ""
>  PACKAGECONFIG_class-nativesdk = ""
>
>  PACKAGECONFIG[cryptodev-linux] = 
> "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
> +PACKAGECONFIG[no-tls1] = "no-tls1"
> +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
>
>  B = "${WORKDIR}/build"
>  do_configure[cleandirs] = "${B}"
> @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk = 
> "--with-rand-seed=os,devrandom"
>  CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
> -DENGINESDIR=/not/builtin"
>  CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin 
> -DENGINESDIR=/not/builtin"
>
> +# Disable deprecated crypto algorithms
> +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
> +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 
> no-md2 no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed no-siphash 
> no-sm2 no-sm3 no-sm4 no-whirlpool"
> +
>  do_configure () {
> os=${HOST_OS}
> case $os in
> @@ -122,7 +128,7 @@ do_configure () {
> # WARNING: do not set compiler/linker flags (-I/-D etc.) in 
> EXTRA_OECONF, as they will fully replace the
> # environment variables set by bitbake. Adjust the environment 
> variables instead.
> HASHBANGPERL="/usr/bin/env perl" PERL=perl 
> PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
> -   perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} 
> --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
> +   perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} 
> ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 
> --libdir=${libdir} $target
> perl ${B}/configdata.pm --dump
>  }
>
> --
> 2.17.1
>
> 
>




Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-19 Thread Alexander Kanavin
What version of oe-core does this target? master already has 1.1.1i.

Also, I have doubts whether we should maintain 'deprecated crypto' lists,
as we are not qualified to judge what is deprecated, and crucially, keep
the list correctly updated. Isn't openssl upstream supposed to make those
decisions?

Alex

On Sat, 19 Dec 2020 at 18:36, Richard Purdie <
richard.pur...@linuxfoundation.org> wrote:

> The OE-Core list needs to be included on this so I'm doing so.
>
> Cheers,
>
> Richard
>
>
>
> -- Forwarded message --
> From: Shachar Menashe 
> To: "yocto-secur...@lists.yoctoproject.org" <
> yocto-secur...@lists.yoctoproject.org>
> Cc:
> Bcc:
> Date: Sat, 19 Dec 2020 16:04:30 +
> Subject: [yocto-security] [PATCH] openssl: drop support for deprecated
> algorithms
> 1. Drop support for many deprecated algorithms by default
> 2. Allow dropping support for TLS 1.0/1.1 via PACKAGECONFIG
>
> Signed-off-by: Shachar Menashe 
> ---
>  meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 8 +++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> index 8159558..f9764bd 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> @@ -33,6 +33,8 @@ PACKAGECONFIG_class-native = ""
>  PACKAGECONFIG_class-nativesdk = ""
>
>  PACKAGECONFIG[cryptodev-linux] =
> "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
> +PACKAGECONFIG[no-tls1] = "no-tls1"
> +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
>
>  B = "${WORKDIR}/build"
>  do_configure[cleandirs] = "${B}"
> @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk =
> "--with-rand-seed=os,devrandom"
>  CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin
> -DENGINESDIR=/not/builtin"
>  CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin
> -DENGINESDIR=/not/builtin"
>
> +# Disable deprecated crypto algorithms
> +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
> +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5
> no-md2 no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed no-siphash
> no-sm2 no-sm3 no-sm4 no-whirlpool"
> +
>  do_configure () {
> os=${HOST_OS}
> case $os in
> @@ -122,7 +128,7 @@ do_configure () {
> # WARNING: do not set compiler/linker flags (-I/-D etc.) in
> EXTRA_OECONF, as they will fully replace the
> # environment variables set by bitbake. Adjust the environment
> variables instead.
> HASHBANGPERL="/usr/bin/env perl" PERL=perl
> PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
> -   perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS}
> --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir}
> $target
> +   perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS}
> ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix
> --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
> perl ${B}/configdata.pm --dump
>  }
>
> --
> 2.17.1
>
> 
>
>




Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-19 Thread Khem Raj
On Sat, Dec 19, 2020 at 9:45 AM Alexander Kanavin
 wrote:
>
> What version of oe-core does this target? master already has 1.1.1i.
>
> Also, I have doubts whether we should maintain 'deprecated crypto' lists, as 
> we are not qualified to judge what is deprecated, and crucially, keep the 
> list correctly updated. Isn't openssl upstream supposed to make those 
> decisions?

Upstream openssl enables almost all of the algorithms it supports.
Providing a way for users to add/remove algorithms with some defaults is,
I think, a good thing.

>
> Alex
>
> On Sat, 19 Dec 2020 at 18:36, Richard Purdie 
>  wrote:
>>
>> The OE-Core list needs to be included on this so I'm doing so.
>>
>> Cheers,
>>
>> Richard
>>
>>
>>
>> -- Forwarded message --
>> From: Shachar Menashe 
>> To: "yocto-secur...@lists.yoctoproject.org" 
>> 
>> Cc:
>> Bcc:
>> Date: Sat, 19 Dec 2020 16:04:30 +
>> Subject: [yocto-security] [PATCH] openssl: drop support for deprecated 
>> algorithms
>> 1. Drop support for many deprecated algorithms by default
>> 2. Allow dropping support for TLS 1.0/1.1 via PACKAGECONFIG
>>
>> Signed-off-by: Shachar Menashe 
>> ---
>>  meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 8 +++-
>>  1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb 
>> b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
>> index 8159558..f9764bd 100644
>> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
>> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
>> @@ -33,6 +33,8 @@ PACKAGECONFIG_class-native = ""
>>  PACKAGECONFIG_class-nativesdk = ""
>>
>>  PACKAGECONFIG[cryptodev-linux] = 
>> "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
>> +PACKAGECONFIG[no-tls1] = "no-tls1"
>> +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
>>
>>  B = "${WORKDIR}/build"
>>  do_configure[cleandirs] = "${B}"
>> @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk = 
>> "--with-rand-seed=os,devrandom"
>>  CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
>> -DENGINESDIR=/not/builtin"
>>  CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin 
>> -DENGINESDIR=/not/builtin"
>>
>> +# Disable deprecated crypto algorithms
>> +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
>> +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 
>> no-md2 no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed no-siphash 
>> no-sm2 no-sm3 no-sm4 no-whirlpool"
>> +
>>  do_configure () {
>> os=${HOST_OS}
>> case $os in
>> @@ -122,7 +128,7 @@ do_configure () {
>> # WARNING: do not set compiler/linker flags (-I/-D etc.) in 
>> EXTRA_OECONF, as they will fully replace the
>> # environment variables set by bitbake. Adjust the environment 
>> variables instead.
>> HASHBANGPERL="/usr/bin/env perl" PERL=perl 
>> PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
>> -   perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} 
>> --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
>> +   perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} 
>> ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix 
>> --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
>> perl ${B}/configdata.pm --dump
>>  }
>>
>> --
>> 2.17.1
>>
>>
>>
>
> 
>




Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-19 Thread Konrad Weihmann

On 19.12.20 18:36, Richard Purdie wrote:
>   PACKAGECONFIG[cryptodev-linux] = 
> "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
> +PACKAGECONFIG[no-tls1] = "no-tls1"
> +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
>   
>   B = "${WORKDIR}/build"
>   do_configure[cleandirs] = "${B}"
> @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk = 
> "--with-rand-seed=os,devrandom"
>   CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
> -DENGINESDIR=/not/builtin"
>   CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin 
> -DENGINESDIR=/not/builtin"
>   
> +# Disable deprecated crypto algorithms
> +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
> +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 no-md2 
> no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4 
> no-whirlpool"
> +
From my perspective this breaks backward compatibility, so I would 
rather have them all as optional PACKAGECONFIG fields (which also 
makes it easier for ppl still relying on one of those algorithms, 
for whatever reason, to re-enable them). With the current approach all 
one could do is override it with a bbappend, and tbh letting ppl 
have bbappends for this recipe doesn't sound like the best idea in the 
long run to "enforce" any kind of "security" or "hardening".

>   do_configure () {
> os=${HOST_OS}




Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-19 Thread Richard Purdie
On Sat, 2020-12-19 at 18:53 +0100, Konrad Weihmann wrote:
> On 19.12.20 18:36, Richard Purdie wrote:
> >   PACKAGECONFIG[cryptodev-linux] = 
> > "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
> > +PACKAGECONFIG[no-tls1] = "no-tls1"
> > +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
> >   
> >   B = "${WORKDIR}/build"
> >   do_configure[cleandirs] = "${B}"
> > @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk = 
> > "--with-rand-seed=os,devrandom"
> >   CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
> > -DENGINESDIR=/not/builtin"
> >   CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin 
> > -DENGINESDIR=/not/builtin"
> >   
> > +# Disable deprecated crypto algorithms
> > +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
> > +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 
> > no-md2 no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed no-siphash 
> > no-sm2 no-sm3 no-sm4 no-whirlpool"
> > +
>  From my perspective this breaks backward compatibility, so I would 
> rather have them all that as optional PACKAGECONFIG fields (which also 
> does make it easier for ppl, still relying on one of those algorithms, 
> for whatever reason, to re-enable them) - with the current approach all 
> one could do is to override it with a bbappend - and tbh letting ppl 
> have bbappends for this recipe, doesn't sound like the best idea in the 
> long run to "enforce" any kind of "security" or "hardening"

Having it as a variable does mean you could customise the variable and
doesn't mean it has to be done with a bbappend, it can be set from a
distro config too.

I'm not sure turning each one into a packageconfig is going to be more
helpful compared to this in practice...

Cheers,

Richard





Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-19 Thread Konrad Weihmann



On 19.12.20 18:58, Richard Purdie wrote:
> On Sat, 2020-12-19 at 18:53 +0100, Konrad Weihmann wrote:
>> On 19.12.20 18:36, Richard Purdie wrote:
>>>    PACKAGECONFIG[cryptodev-linux] = 
>>> "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
>>> +PACKAGECONFIG[no-tls1] = "no-tls1"
>>> +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
>>>    
>>>    B = "${WORKDIR}/build"
>>>    do_configure[cleandirs] = "${B}"
>>> @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk = 
>>> "--with-rand-seed=os,devrandom"
>>>    CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
>>> -DENGINESDIR=/not/builtin"
>>>    CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin 
>>> -DENGINESDIR=/not/builtin"
>>>    
>>> +# Disable deprecated crypto algorithms
>>> +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
>>> +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 no-md2 
>>> no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4 
>>> no-whirlpool"
>>> +
>>
>> From my perspective this breaks backward compatibility, so I would
>> rather have them all that as optional PACKAGECONFIG fields (which also
>> does make it easier for ppl, still relying on one of those algorithms,
>> for whatever reason, to re-enable them) - with the current approach all
>> one could do is to override it with a bbappend - and tbh letting ppl
>> have bbappends for this recipe, doesn't sound like the best idea in the
>> long run to "enforce" any kind of "security" or "hardening"
>
> Having it as a variable does mean you could customise the variable and
> doesn't mean it has to be done with a bbappend, it can be set from a
> distro config too.
>
> I'm not sure turning each one into a packageconfig is going to be more
> helpful compared to this in practise...


I'm not sure I follow, as this is a "hard" assign. If it were (in 
theory) a ??= assignment, then yes, it would be fine. Still, that leaves 
us with a not commonly known variable, while PACKAGECONFIG is more 
widely accepted in 3rd party layers/distros from my experience.

> Cheers,
>
> Richard





Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-19 Thread Richard Purdie
On Sat, 2020-12-19 at 19:04 +0100, Konrad Weihmann wrote:
> 
> On 19.12.20 18:58, Richard Purdie wrote:
> > On Sat, 2020-12-19 at 18:53 +0100, Konrad Weihmann wrote:
> > > On 19.12.20 18:36, Richard Purdie wrote:
> > > >PACKAGECONFIG[cryptodev-linux] = 
> > > > "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
> > > > +PACKAGECONFIG[no-tls1] = "no-tls1"
> > > > +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
> > > >
> > > >B = "${WORKDIR}/build"
> > > >do_configure[cleandirs] = "${B}"
> > > > @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk = 
> > > > "--with-rand-seed=os,devrandom"
> > > >CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
> > > > -DENGINESDIR=/not/builtin"
> > > >CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin 
> > > > -DENGINESDIR=/not/builtin"
> > > >
> > > > +# Disable deprecated crypto algorithms
> > > > +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
> > > > +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 
> > > > no-md2 no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed 
> > > > no-siphash no-sm2 no-sm3 no-sm4 no-whirlpool"
> > > > +
> > >   From my perspective this breaks backward compatibility, so I would
> > > rather have them all that as optional PACKAGECONFIG fields (which also
> > > does make it easier for ppl, still relying on one of those algorithms,
> > > for whatever reason, to re-enable them) - with the current approach all
> > > one could do is to override it with a bbappend - and tbh letting ppl
> > > have bbappends for this recipe, doesn't sound like the best idea in the
> > > long run to "enforce" any kind of "security" or "hardening"
> > 
> > Having it as a variable does mean you could customise the variable and
> > doesn't mean it has to be done with a bbappend, it can be set from a
> > distro config too.
> > 
> > I'm not sure turning each one into a packageconfig is going to be more
> > helpful compared to this in practise...
> 
> I'm not sure I follow, as this is a "hard" assign - if it would (in 
> theory) a ??= assignment, yes then it would be fine. Still that leaves 
> us with a not commonly known variable, while PACKAGECONFIG is more 
> widely accepted in 3rd party layers/distros from my experience.

You could do various things to this from a distro config, e.g.:

DEPRECATED_CRYPTO_FLAGS_pn-openssl = "xxx"

or

DEPRECATED_CRYPTO_FLAGS_pn-openssl_ = "xxx"

DEPRECATED_CRYPTO_FLAGS_pn-openssl_append = " extra-disable"

DEPRECATED_CRYPTO_FLAGS_pn-openssl_remove = "add-me-back"

so I'd say that it's not a particularly "hard" assignment?

We could make it a ??= but I'm not sure it would change much practical
use as it would almost always be with an override of some sort?

Whilst PACKAGECONFIG is more well known, the variable name here may
actually improve readability...

Cheers,

Richard








Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-19 Thread Khem Raj
On Sat, Dec 19, 2020 at 9:59 AM Richard Purdie
 wrote:
>
> On Sat, 2020-12-19 at 18:53 +0100, Konrad Weihmann wrote:
> > On 19.12.20 18:36, Richard Purdie wrote:
> > >   PACKAGECONFIG[cryptodev-linux] = 
> > > "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
> > > +PACKAGECONFIG[no-tls1] = "no-tls1"
> > > +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
> > >
> > >   B = "${WORKDIR}/build"
> > >   do_configure[cleandirs] = "${B}"
> > > @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk = 
> > > "--with-rand-seed=os,devrandom"
> > >   CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
> > > -DENGINESDIR=/not/builtin"
> > >   CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin 
> > > -DENGINESDIR=/not/builtin"
> > >
> > > +# Disable deprecated crypto algorithms
> > > +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
> > > +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 
> > > no-md2 no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed 
> > > no-siphash no-sm2 no-sm3 no-sm4 no-whirlpool"
> > > +
> >  From my perspective this breaks backward compatibility, so I would
> > rather have them all that as optional PACKAGECONFIG fields (which also
> > does make it easier for ppl, still relying on one of those algorithms,
> > for whatever reason, to re-enable them) - with the current approach all
> > one could do is to override it with a bbappend - and tbh letting ppl
> > have bbappends for this recipe, doesn't sound like the best idea in the
> > long run to "enforce" any kind of "security" or "hardening"
>
> Having it as a variable does mean you could customise the variable and
> doesn't mean it has to be done with a bbappend, it can be set from a
> distro config too.
>
> I'm not sure turning each one into a packageconfig is going to be more
> helpful compared to this in practise...

I agree, it's good as it is; we are able to append/remove options from
it via config or recipe metadata in custom layers if needed.

>
> Cheers,
>
> Richard
>
>
> 
>




Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-21 Thread Mark Hatle


On 12/19/20 12:04 PM, Konrad Weihmann wrote:
> 
> 
> On 19.12.20 18:58, Richard Purdie wrote:
>> On Sat, 2020-12-19 at 18:53 +0100, Konrad Weihmann wrote:
>>> On 19.12.20 18:36, Richard Purdie wrote:
PACKAGECONFIG[cryptodev-linux] = 
 "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
 +PACKAGECONFIG[no-tls1] = "no-tls1"
 +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"

B = "${WORKDIR}/build"
do_configure[cleandirs] = "${B}"
 @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk = 
 "--with-rand-seed=os,devrandom"
CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
 -DENGINESDIR=/not/builtin"
CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin 
 -DENGINESDIR=/not/builtin"

 +# Disable deprecated crypto algorithms
 +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
 +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 
 no-md2 no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed 
 no-siphash no-sm2 no-sm3 no-sm4 no-whirlpool"
 +
>>>   From my perspective this breaks backward compatibility, so I would
>>> rather have them all that as optional PACKAGECONFIG fields (which also
>>> does make it easier for ppl, still relying on one of those algorithms,
>>> for whatever reason, to re-enable them) - with the current approach all
>>> one could do is to override it with a bbappend - and tbh letting ppl
>>> have bbappends for this recipe, doesn't sound like the best idea in the
>>> long run to "enforce" any kind of "security" or "hardening"
>>
>> Having it as a variable does mean you could customise the variable and
>> doesn't mean it has to be done with a bbappend, it can be set from a
>> distro config too.
>>
>> I'm not sure turning each one into a packageconfig is going to be more
>> helpful compared to this in practise...
> 
> I'm not sure I follow, as this is a "hard" assign - if it would (in 
> theory) a ??= assignment, yes then it would be fine. Still that leaves 
> us with a not commonly known variable, while PACKAGECONFIG is more 
> widely accepted in 3rd party layers/distros from my experience.

In the past I had done something similar w/ PACKAGECONFIG, and then had a
comment in the recipe that indicated that certain items were not recommended
with a link to the OpenSSL documentation where it explained that.

It might also be a reasonable idea (security wise, maybe not OE wise) to display
a bb.warn if one of the 'unsafe' crypto algorithms is enabled.

As for someone mentioning that it's unclear if we should be maintaining a list,
in the past there was a list in the OpenSSL documentation.  I would certainly
rely on that list as what should and should not be enabled by default (with
exceptions as appropriate.)

--Mark

>>
>> Cheers,
>>
>> Richard
>>
>>
>>
>> 
>>
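A post-build check in the spirit of the bb.warn suggestion above, added here as an example and not part of the patch, the OE-Core recipe or anyone's mail: it takes the DEPRECATED_CRYPTO_FLAGS list from the patch and reports any flagged algorithm that still appears in an `openssl list -cipher-algorithms` / `openssl list -digest-algorithms` style listing of the built library. The two listings embedded below are constructed stand-ins so the script runs offline; on a real image feed it the output of those `openssl list` commands instead.

```shell
#!/bin/sh
# Added example, not part of the patch or the OE-Core openssl recipe.
# Checks that the algorithms named by DEPRECATED_CRYPTO_FLAGS are really
# absent from a built OpenSSL, using the output of
#   openssl list -cipher-algorithms; openssl list -digest-algorithms
# (one algorithm or alias per line, OpenSSL 1.1.x style). The listings
# embedded below are constructed stand-ins so the script runs offline.

# The flag list exactly as the patch defines it.
DEPRECATED_CRYPTO_FLAGS=" no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 no-md2 no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4 no-whirlpool"

# Constructed listing mimicking a default (unhardened) build.
LISTING_DEFAULT='AES-128-CBC
aes128 => AES-128-CBC
BF-CBC
bf => BF-CBC
CAMELLIA-128-CBC
DES-EDE3-CBC
IDEA-CBC
RC2-40-CBC
RC4
rc4-40
SEED-CBC
SM4-CBC
md4
md5
sha256
whirlpool'

# Constructed listing mimicking a build configured with the flags above.
LISTING_HARDENED='AES-128-CBC
aes128 => AES-128-CBC
ChaCha20-Poly1305
DES-EDE3-CBC
md5
sha256
sha3-256'

# Map a Configure no-<x> flag to the name to look for in the listing.
# Flags that do not name a cipher or digest (no-ssl, no-psk, no-srp,
# no-scrypt, no-siphash, no-sm2) cannot be verified from this listing
# and yield an empty string, so the caller skips them.
flag_to_token() {
    case "$1" in
        no-idea)      echo IDEA ;;
        no-rc2)       echo RC2 ;;
        no-rc4)       echo RC4 ;;
        no-rc5)       echo RC5 ;;
        no-md2)       echo MD2 ;;
        no-md4)       echo MD4 ;;
        no-camellia)  echo CAMELLIA ;;
        no-bf)        echo BF ;;
        no-mdc2)      echo MDC2 ;;
        no-seed)      echo SEED ;;
        no-sm3)       echo SM3 ;;
        no-sm4)       echo SM4 ;;
        no-whirlpool) echo WHIRLPOOL ;;
        *)            echo "" ;;
    esac
}

# still_present FLAGS LISTING
# Prints, space separated, every flag whose algorithm still shows up in
# LISTING; exits 0 when nothing leaked and 1 otherwise.
still_present() {
    sp_flags=$1
    sp_listing=$2
    leaked=""
    for f in $sp_flags; do
        tok=$(flag_to_token "$f")
        [ -n "$tok" ] || continue
        # Whole-token, case-insensitive match so that "rc4-40", "RC4",
        # "bf => BF-CBC" and "SEED-OFB" all count, while "SM3" does not
        # match "SM4-CBC".
        if printf '%s\n' "$sp_listing" |
           grep -Eiq "(^|[^A-Za-z0-9])${tok}([^A-Za-z0-9]|$)"; then
            leaked="${leaked:+$leaked }$f"
        fi
    done
    printf '%s\n' "$leaked"
    [ -z "$leaked" ]
}

# report LABEL LISTING: human-readable summary for one listing. On a real
# image pass "$(openssl list -cipher-algorithms; openssl list -digest-algorithms)".
report() {
    if out=$(still_present "$DEPRECATED_CRYPTO_FLAGS" "$2"); then
        echo "$1: all flagged algorithms absent"
    else
        echo "$1: still present despite flags: $out"
    fi
}

report default  "$LISTING_DEFAULT"
report hardened "$LISTING_HARDENED"
```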




Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-21 Thread Andre McCurdy
On Sat, Dec 19, 2020 at 4:08 PM Richard Purdie
 wrote:
>
> On Sat, 2020-12-19 at 19:04 +0100, Konrad Weihmann wrote:
> >
> > On 19.12.20 18:58, Richard Purdie wrote:
> > > On Sat, 2020-12-19 at 18:53 +0100, Konrad Weihmann wrote:
> > > > On 19.12.20 18:36, Richard Purdie wrote:
> > > > >PACKAGECONFIG[cryptodev-linux] = 
> > > > > "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
> > > > > +PACKAGECONFIG[no-tls1] = "no-tls1"
> > > > > +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
> > > > >
> > > > >B = "${WORKDIR}/build"
> > > > >do_configure[cleandirs] = "${B}"
> > > > > @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk = 
> > > > > "--with-rand-seed=os,devrandom"
> > > > >CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
> > > > > -DENGINESDIR=/not/builtin"
> > > > >CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin 
> > > > > -DENGINESDIR=/not/builtin"
> > > > >
> > > > > +# Disable deprecated crypto algorithms
> > > > > +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
> > > > > +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 
> > > > > no-rc5 no-md2 no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt 
> > > > > no-seed no-siphash no-sm2 no-sm3 no-sm4 no-whirlpool"
> > > > > +
> > > > From my perspective this breaks backward compatibility, so I would
> > > > rather have them all as optional PACKAGECONFIG fields (which also
> > > > makes it easier for ppl still relying on one of those algorithms,
> > > > for whatever reason, to re-enable them) - with the current approach all
> > > > one could do is override it with a bbappend - and tbh letting ppl
> > > > have bbappends for this recipe doesn't sound like the best idea in the
> > > > long run to "enforce" any kind of "security" or "hardening"
> > >
> > > Having it as a variable does mean you could customise the variable and
> > > doesn't mean it has to be done with a bbappend, it can be set from a
> > > distro config too.
> > >
> > > I'm not sure turning each one into a packageconfig is going to be more
> > > helpful compared to this in practise...
> >
> > I'm not sure I follow, as this is a "hard" assign - if it were (in
> > theory) a ??= assignment, yes, then it would be fine. Still, that leaves
> > us with a not commonly known variable, while PACKAGECONFIG is more
> > widely accepted in 3rd party layers/distros from my experience.
>
> You could do various things to this from a distro config, e.g.:
>
> DEPRECATED_CRYPTO_FLAGS_pn-openssl = "xxx"
>
> or
>
> DEPRECATED_CRYPTO_FLAGS_pn-openssl_ = "xxx"
>
> DEPRECATED_CRYPTO_FLAGS_pn-openssl_append = " extra-disable"
>
> DEPRECATED_CRYPTO_FLAGS_pn-openssl_remove = "add-me-back"
>
> so I'd say that it's not a particularly "hard" assignment?
>
> We could make it a ??= but I'm not sure it would change much practical
> use as it would almost always be with an override of some sort?
>
> Whilst PACKAGECONFIG is more well known, the variable name here may
> actually improve readability...

Does it? It just looks like an extension of a definition of
PACKAGECONFIG but with the logic all reversed (e.g. instead of adding
FOO to PACKAGECONFIG to enable support for something we now have to
add no-FOO to the new custom variable to disable something). Inverting
the logic of all the options makes it closer to the semantics expected
by the openssl configure scripts, but makes it further from the
semantics expected by someone using OE to configure a package (who is
presumably used to the "add FOO to PACKAGECONFIG to enable something"
convention).

Converting all these options to individual PACKAGECONFIG options but
not adding them to the default value of PACKAGECONFIG seems like the
better approach. Users who need to enable a particular algorithm can
then add it to PACKAGECONFIG in the usual way.

In general, disabling old or unused algorithms by default is a good
change though.
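The per-feature PACKAGECONFIG layout described above, written out as an added example that is not part of this thread or of the OE-Core openssl recipe. Feature names mirror the `no-<feature>` flags in the patch; it assumes OpenSSL's Configure accepts an `enable-<feature>` counterpart for each of them, in the same way the recipe's existing cryptodev-linux entry pairs `enable-devcryptoeng` with `disable-devcryptoeng` (the bare `no-ssl` flag has no per-feature analogue and is left out).

```bitbake
# Added example, not from the patch: each algorithm becomes a positive
# PACKAGECONFIG feature.  Field 1 is passed to Configure when the feature
# is selected, field 2 when it is not, so an unselected feature is
# explicitly built with no-<feature> rather than silently left enabled.
# Assumption: Configure accepts enable-<x>/no-<x> for every name below.
PACKAGECONFIG[des]       = "enable-des,no-des"
PACKAGECONFIG[dh]        = "enable-dh,no-dh"
PACKAGECONFIG[dsa]       = "enable-dsa,no-dsa"
PACKAGECONFIG[idea]      = "enable-idea,no-idea"
PACKAGECONFIG[psk]       = "enable-psk,no-psk"
PACKAGECONFIG[rc2]       = "enable-rc2,no-rc2"
PACKAGECONFIG[rc4]       = "enable-rc4,no-rc4"
PACKAGECONFIG[rc5]       = "enable-rc5,no-rc5"
PACKAGECONFIG[md2]       = "enable-md2,no-md2"
PACKAGECONFIG[md4]       = "enable-md4,no-md4"
PACKAGECONFIG[srp]       = "enable-srp,no-srp"
PACKAGECONFIG[camellia]  = "enable-camellia,no-camellia"
PACKAGECONFIG[bf]        = "enable-bf,no-bf"
PACKAGECONFIG[mdc2]      = "enable-mdc2,no-mdc2"
PACKAGECONFIG[scrypt]    = "enable-scrypt,no-scrypt"
PACKAGECONFIG[seed]      = "enable-seed,no-seed"
PACKAGECONFIG[siphash]   = "enable-siphash,no-siphash"
PACKAGECONFIG[sm2]       = "enable-sm2,no-sm2"
PACKAGECONFIG[sm3]       = "enable-sm3,no-sm3"
PACKAGECONFIG[sm4]       = "enable-sm4,no-sm4"
PACKAGECONFIG[whirlpool] = "enable-whirlpool,no-whirlpool"
# Protocol versions use the same positive naming instead of no-tls1 /
# no-tls1_1 features, so dropping a version means removing it.
PACKAGECONFIG[tls1]      = "enable-tls1,no-tls1"
PACKAGECONFIG[tls1_1]    = "enable-tls1_1,no-tls1_1"

# Default selection: only what the patch comment says is still needed
# in-tree (des for curl, dh for python-ssl, dsa for rpm) plus the TLS
# versions.  Everything else above is therefore passed as no-<x>.
# The recipe's PACKAGECONFIG_class-native / _class-nativesdk overrides
# (set to "" in the quoted hunk) would need the same defaults, or native
# builds lose des/dh/dsa too.
PACKAGECONFIG ??= "des dh dsa tls1 tls1_1"

# In a distro config, re-enabling one algorithm or dropping a TLS
# version then uses ordinary PACKAGECONFIG overrides, not a bbappend:
PACKAGECONFIG_append_pn-openssl = " rc4"
PACKAGECONFIG_remove_pn-openssl = "tls1 tls1_1"
```

Because the second field is always passed for unselected features, the resulting PACKAGECONFIG_CONFARGS shows every `no-<x>` decision explicitly in the Configure command line, which makes the build log auditable.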




Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-22 Thread Khem Raj
So there are some build failures seen due to this change on meta-oe;
here is a sample.

https://errors.yoctoproject.org/Errors/Build/113701/

On Sat, Dec 19, 2020 at 9:36 AM Richard Purdie wrote:
>
> The OE-Core list needs to be included on this so I'm doing so.
>
> Cheers,
>
> Richard
>
>
>
> -- Forwarded message --
> From: Shachar Menashe 
> To: "yocto-secur...@lists.yoctoproject.org" 
> 
> Cc:
> Bcc:
> Date: Sat, 19 Dec 2020 16:04:30 +
> Subject: [yocto-security] [PATCH] openssl: drop support for deprecated 
> algorithms
> 1. Drop support for many deprecated algorithms by default
> 2. Allow dropping support for TLS 1.0/1.1 via PACKAGECONFIG
>
> Signed-off-by: Shachar Menashe 
> ---
>  meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 8 +++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb 
> b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> index 8159558..f9764bd 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> @@ -33,6 +33,8 @@ PACKAGECONFIG_class-native = ""
>  PACKAGECONFIG_class-nativesdk = ""
>
>  PACKAGECONFIG[cryptodev-linux] = 
> "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
> +PACKAGECONFIG[no-tls1] = "no-tls1"
> +PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
>
>  B = "${WORKDIR}/build"
>  do_configure[cleandirs] = "${B}"
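Review bot: the two new entries at `+PACKAGECONFIG[no-tls1]` and `+PACKAGECONFIG[no-tls1_1]` invert the convention the recipe already uses one line above, where the feature name is positive (`cryptodev-linux`) and the entry carries both an enable and a disable flag (`enable-devcryptoeng,disable-devcryptoeng`). Naming them `tls1` and `tls1_1` with `"enable-tls1,no-tls1"` and `"enable-tls1_1,no-tls1_1"`, and listing both in the default PACKAGECONFIG, would let a distro drop a protocol version by removing it, which is what PACKAGECONFIG users expect. As written, an unselected `no-tls1` passes nothing to Configure, so TLS 1.0 stays enabled by default without that being stated anywhere; at minimum a comment should say so.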
> @@ -52,6 +54,10 @@ EXTRA_OECONF_class-nativesdk = 
> "--with-rand-seed=os,devrandom"
>  CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
> -DENGINESDIR=/not/builtin"
>  CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin 
> -DENGINESDIR=/not/builtin"
>
> +# Disable deprecated crypto algorithms
> +# Retained for compatibilty - des (curl), dh (python-ssl), dsa (rpm)
> +DEPRECATED_CRYPTO_FLAGS = " no-ssl no-idea no-psk no-rc2 no-rc4 no-rc5 
> no-md2 no-md4 no-srp no-camellia no-bf no-mdc2 no-scrypt no-seed no-siphash 
> no-sm2 no-sm3 no-sm4 no-whirlpool"
> +
>  do_configure () {
> os=${HOST_OS}
> case $os in
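Review bot: the comment at `+# Disable deprecated crypto algorithms` does not match the list under it: scrypt, siphash, sm2, sm3 and sm4 are not deprecated in OpenSSL 1.1.1 (SipHash and the SM algorithms were added in that release), and psk and srp are TLS key-exchange mechanisms rather than legacy ciphers. If the intent is footprint reduction plus removal of weak legacy algorithms, say so in the comment and keep the two groups separate so reviewers and downstreams can tell which removals are security-motivated. Two smaller points on the same hunk: `compatibilty` in the second comment is misspelled, and the hard `=` on `DEPRECATED_CRYPTO_FLAGS` means a distro that needs to keep, say, camellia must reassign the whole list or use a `_remove` override; a `?=` or `??=` default, as already raised in the thread, would let a distro config replace it cleanly.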
> @@ -122,7 +128,7 @@ do_configure () {
> # WARNING: do not set compiler/linker flags (-I/-D etc.) in 
> EXTRA_OECONF, as they will fully replace the
> # environment variables set by bitbake. Adjust the environment 
> variables instead.
> HASHBANGPERL="/usr/bin/env perl" PERL=perl 
> PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
> -   perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} 
> --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
> +   perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} 
> ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 
> --libdir=${libdir} $target
> perl ${B}/configdata.pm --dump
>  }
>
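Review bot: on the `+   perl ${S}/Configure ...` line, `${DEPRECATED_CRYPTO_FLAGS}` is expanded after `${PACKAGECONFIG_CONFARGS}`, so a PACKAGECONFIG that passes `enable-<alg>` for one of the listed algorithms and the variable's `no-<alg>` both reach Configure for the same feature, and nothing in the recipe says which one Configure honours. Either fold these flags into PACKAGECONFIG so each feature is controlled in exactly one place, or state the intended precedence in the comment next to DEPRECATED_CRYPTO_FLAGS and verify it with one re-enable build. The unchanged `perl ${B}/configdata.pm --dump` call that follows is the right place to check the outcome in the build log, since the dump records the feature set Configure actually settled on.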
> --
> 2.17.1
>
> 
>




Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-23 Thread Shachar Menashe
Yeah, the patch is actually targeted at the dunfell branch, but I understood the
policy is first merging to master...
So I will rebase the patch on master and retest everything.




Re: [OE-core] [yocto-security] [PATCH] openssl: drop support for deprecated algorithms

2020-12-23 Thread Richard Purdie
On Wed, 2020-12-23 at 01:18 -0800, Shachar Menashe wrote:
> Yeah, the patch is actually targeted for dunfell branch, but I
> understood the policy is first merging to master...
> So I will rebase the patch on master and retest everything

I did rebase the patch and it's currently queued in master-next to see
how it worked out.

Khem has posted a good follow up showing it caused some issues for
recipes in meta-openembedded so we have a list of the software removing
those algorithms caused problems with.

We'd need to sort this out in master before we can think about dunfell.

Cheers,

Richard

