lighttpd: add option to use OpenSSL crypto library
Currently, it is not feasible to configure lighttpd to use OpenSSL as
its internal crypto library. Instead, one must rely on alternative
crypto libraries such as Nettle or mbedTLS. This setup is not ideal in
scenarios where a single crypto library is preferred. To address this
issue, lets propose introducing OpenSSL as an additional configuration
option. Similarly, propose GnuTLS as additional configuration option.
Closes: #24004
Co-developed-by: Glenn Strauss <gstrauss@gluelogic.com>
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 8c9597f1dc)
This commit is contained in:
Petr Štetiar
Tianling Shen
parent
8e683037f0
commit
0302f8cf63
|
|
@ -48,13 +48,17 @@ PKG_CONFIG_DEPENDS:= \
|
|||
CONFIG_LIGHTTPD_PCRE2 \
|
||||
CONFIG_LIGHTTPD_CRYPTOLIB_NONE \
|
||||
CONFIG_LIGHTTPD_CRYPTOLIB_NETTLE \
|
||||
CONFIG_LIGHTTPD_CRYPTOLIB_GNUTLS \
|
||||
CONFIG_LIGHTTPD_CRYPTOLIB_MBEDTLS \
|
||||
CONFIG_LIGHTTPD_CRYPTOLIB_OPENSSL \
|
||||
CONFIG_LIGHTTPD_CRYPTOLIB_WOLFSSL
|
||||
|
||||
PKG_BUILD_DEPENDS:= \
|
||||
LIGHTTPD_PCRE2:pcre2 \
|
||||
LIGHTTPD_CRYPTOLIB_NETTLE:nettle \
|
||||
LIGHTTPD_CRYPTOLIB_GNUTLS:gnutls \
|
||||
LIGHTTPD_CRYPTOLIB_MBEDTLS:mbedtls \
|
||||
LIGHTTPD_CRYPTOLIB_OPENSSL:openssl \
|
||||
LIGHTTPD_CRYPTOLIB_WOLFSSL:wolfssl
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
|
@ -64,10 +68,16 @@ include $(INCLUDE_DIR)/meson.mk
|
|||
# (separate from lighttpd TLS modules, which are each standalone)
|
||||
cryptolibdep= \
|
||||
+LIGHTTPD_CRYPTOLIB_NETTLE:libnettle \
|
||||
+LIGHTTPD_CRYPTOLIB_GNUTLS:libgnutls \
|
||||
+LIGHTTPD_CRYPTOLIB_MBEDTLS:libmbedtls \
|
||||
+LIGHTTPD_CRYPTOLIB_OPENSSL:libopenssl \
|
||||
+LIGHTTPD_CRYPTOLIB_WOLFSSL:libwolfssl
|
||||
ifdef CONFIG_LIGHTTPD_CRYPTOLIB_MBEDTLS
|
||||
TARGET_CPPFLAGS += -DFORCE_MBEDTLS_CRYPTO
|
||||
else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_GNUTLS
|
||||
TARGET_CPPFLAGS += -DFORCE_GNUTLS_CRYPTO
|
||||
else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_OPENSSL
|
||||
TARGET_CPPFLAGS += -DFORCE_OPENSSL_CRYPTO
|
||||
else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_WOLFSSL
|
||||
TARGET_CPPFLAGS += -DFORCE_WOLFSSL_CRYPTO
|
||||
endif
|
||||
|
|
@ -131,9 +141,15 @@ if PACKAGE_lighttpd
|
|||
config LIGHTTPD_CRYPTOLIB_NETTLE
|
||||
bool "libnettle"
|
||||
|
||||
config LIGHTTPD_CRYPTOLIB_GNUTLS
|
||||
bool "libgnutls"
|
||||
|
||||
config LIGHTTPD_CRYPTOLIB_MBEDTLS
|
||||
bool "libmbedtls"
|
||||
|
||||
config LIGHTTPD_CRYPTOLIB_OPENSSL
|
||||
bool "libopenssl"
|
||||
|
||||
config LIGHTTPD_CRYPTOLIB_WOLFSSL
|
||||
bool "libwolfssl"
|
||||
endchoice
|
||||
|
|
|
|||
|
|
@ -0,0 +1,71 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
|
||||
Date: Sat, 4 May 2024 06:33:16 +0000
|
||||
Subject: [PATCH] sys-crypto.h: add support for OpenSSL as crypto library
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Each TLS module in lighttpd is built to utilize its corresponding TLS
|
||||
library. For example, lighttpd's mod_openssl module utilizes OpenSSL,
|
||||
and its mod_mbedtls module uses mbedTLS.
|
||||
|
||||
Separately, the core lighttpd application may employ cryptographic
|
||||
functions. For efficiency and portability, if lighttpd is compiled with
|
||||
Nettle, it becomes the default cryptographic library for the base
|
||||
application. However, each TLS module within lighttpd still relies on
|
||||
its respective TLS library.
|
||||
|
||||
In scenarios where lighttpd is configured with only one TLS library and
|
||||
without Nettle, the base application adopts the cryptographic functions
|
||||
from that specific TLS library.
|
||||
|
||||
When preparing for Linux distributions, lighttpd might be built with
|
||||
several TLS modules, where each module uses its designated TLS library.
|
||||
Presently, lighttpd does not offer a distinct, dedicated option to
|
||||
select the cryptographic library for the base application.
|
||||
|
||||
In contexts like embedded systems, where a single TLS library might be
|
||||
utilized across the entire base system, specific configurations allow
|
||||
the use of either mbedTLS or wolfSSL. For these, lighttpd is compiled
|
||||
with -DFORCE_MBEDTLS_CRYPTO or -DFORCE_WOLFSSL_CRYPTO, respectively.
|
||||
|
||||
To extend this capability, let's introduce the FORCE_OPENSSL_CRYPTO
|
||||
define, enabling lighttpd to also use OpenSSL as an additional
|
||||
cryptographic library, akin to the existing support for mbedTLS and
|
||||
wolfSSL.
|
||||
|
||||
|
||||
Suggested-by: Glenn Strauss <gstrauss@gluelogic.com>
|
||||
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
||||
---
|
||||
src/sys-crypto.h | 20 ++++++++++++++++++++
|
||||
1 file changed, 20 insertions(+)
|
||||
|
||||
--- a/src/sys-crypto.h
|
||||
+++ b/src/sys-crypto.h
|
||||
@@ -60,4 +60,24 @@
|
||||
#endif
|
||||
#endif
|
||||
|
||||
+#ifdef USE_OPENSSL_CRYPTO
|
||||
+#ifdef FORCE_OPENSSL_CRYPTO
|
||||
+#undef USE_GNUTLS_CRYPTO
|
||||
+#undef USE_MBEDTLS_CRYPTO
|
||||
+#undef USE_NETTLE_CRYPTO
|
||||
+#undef USE_NSS_CRYPTO
|
||||
+#undef USE_WOLFSSL_CRYPTO
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
+#ifdef USE_GNUTLS_CRYPTO
|
||||
+#ifdef FORCE_GNUTLS_CRYPTO
|
||||
+#undef USE_MBEDTLS_CRYPTO
|
||||
+#undef USE_NETTLE_CRYPTO
|
||||
+#undef USE_NSS_CRYPTO
|
||||
+#undef USE_OPENSSL_CRYPTO
|
||||
+#undef USE_WOLFSSL_CRYPTO
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
#endif
|
||||
Loading…
Reference in New Issue