lighttpd: add option to use OpenSSL crypto library

Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, lets propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as additional configuration option. Closes: openwrt#24004 Co-developed-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
gstrauss · May 12, 2024 · e90817d · e90817d
1 parent 42140c6
commit e90817d
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 0 deletions.
diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile
@@ -48,13 +48,17 @@ PKG_CONFIG_DEPENDS:= \
   CONFIG_LIGHTTPD_PCRE2 \
   CONFIG_LIGHTTPD_CRYPTOLIB_NONE \
   CONFIG_LIGHTTPD_CRYPTOLIB_NETTLE \
+  CONFIG_LIGHTTPD_CRYPTOLIB_GNUTLS \
   CONFIG_LIGHTTPD_CRYPTOLIB_MBEDTLS \
+  CONFIG_LIGHTTPD_CRYPTOLIB_OPENSSL \
   CONFIG_LIGHTTPD_CRYPTOLIB_WOLFSSL
 
 PKG_BUILD_DEPENDS:= \
   LIGHTTPD_PCRE2:pcre2 \
   LIGHTTPD_CRYPTOLIB_NETTLE:nettle \
+  LIGHTTPD_CRYPTOLIB_GNUTLS:gnutls \
   LIGHTTPD_CRYPTOLIB_MBEDTLS:mbedtls \
+  LIGHTTPD_CRYPTOLIB_OPENSSL:openssl \
   LIGHTTPD_CRYPTOLIB_WOLFSSL:wolfssl
 
 include $(INCLUDE_DIR)/package.mk
@@ -64,10 +68,16 @@ include $(INCLUDE_DIR)/meson.mk
 # (separate from lighttpd TLS modules, which are each standalone)
 cryptolibdep= \
   +LIGHTTPD_CRYPTOLIB_NETTLE:libnettle \
+  +LIGHTTPD_CRYPTOLIB_GNUTLS:libgnutls \
   +LIGHTTPD_CRYPTOLIB_MBEDTLS:libmbedtls \
+  +LIGHTTPD_CRYPTOLIB_OPENSSL:libopenssl \
   +LIGHTTPD_CRYPTOLIB_WOLFSSL:libwolfssl
 ifdef CONFIG_LIGHTTPD_CRYPTOLIB_MBEDTLS
   TARGET_CPPFLAGS += -DFORCE_MBEDTLS_CRYPTO
+else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_GNUTLS
+  TARGET_CPPFLAGS += -DFORCE_GNUTLS_CRYPTO
+else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_OPENSSL
+  TARGET_CPPFLAGS += -DFORCE_OPENSSL_CRYPTO
 else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_WOLFSSL
   TARGET_CPPFLAGS += -DFORCE_WOLFSSL_CRYPTO
 endif
@@ -131,9 +141,15 @@ if PACKAGE_lighttpd
 		config LIGHTTPD_CRYPTOLIB_NETTLE
 			bool "libnettle"
 
+		config LIGHTTPD_CRYPTOLIB_GNUTLS
+			bool "libgnutls"
+
 		config LIGHTTPD_CRYPTOLIB_MBEDTLS
 			bool "libmbedtls"
 
+		config LIGHTTPD_CRYPTOLIB_OPENSSL
+			bool "libopenssl"
+
 		config LIGHTTPD_CRYPTOLIB_WOLFSSL
 			bool "libwolfssl"
 	endchoice

diff --git a/net/lighttpd/patches/030-sys-crypto.h-add-support-for-OpenSSL-as-crypto-libra.patch b/net/lighttpd/patches/030-sys-crypto.h-add-support-for-OpenSSL-as-crypto-libra.patch
@@ -0,0 +1,67 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sat, 4 May 2024 06:33:16 +0000
+Subject: [PATCH] sys-crypto.h: add support for OpenSSL as crypto library
+
+Each TLS module in lighttpd is built to utilize its corresponding TLS
+library. For example, lighttpd's mod_openssl module utilizes OpenSSL,
+and its mod_mbedtls module uses mbedTLS.
+
+Separately, the core lighttpd application may employ cryptographic
+functions. For efficiency and portability, if lighttpd is compiled with
+Nettle, it becomes the default cryptographic library for the base
+application. However, each TLS module within lighttpd still relies on
+its respective TLS library.
+
+In scenarios where lighttpd is configured with only one TLS library and
+without Nettle, the base application adopts the cryptographic functions
+from that specific TLS library.
+
+When preparing for Linux distributions, lighttpd might be built with
+several TLS modules, where each module uses its designated TLS library.
+Presently, lighttpd does not offer a distinct, dedicated option to
+select the cryptographic library for the base application.
+
+In contexts like embedded systems, where a single TLS library might be
+utilized across the entire base system, specific configurations allow
+the use of either mbedTLS or wolfSSL. For these, lighttpd is compiled
+with -DFORCE_MBEDTLS_CRYPTO or -DFORCE_WOLFSSL_CRYPTO, respectively.
+
+To extend this capability, let's introduce the FORCE_OPENSSL_CRYPTO
+define, enabling lighttpd to also use OpenSSL as an additional
+cryptographic library, akin to the existing support for mbedTLS and
+wolfSSL.
+
+Suggested-by: Glenn Strauss <gstrauss@gluelogic.com>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ src/sys-crypto.h | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/src/sys-crypto.h
++++ b/src/sys-crypto.h
+@@ -60,4 +60,24 @@
+ #endif
+ #endif
+
++#ifdef USE_OPENSSL_CRYPTO
++#ifdef FORCE_OPENSSL_CRYPTO
++#undef USE_GNUTLS_CRYPTO
++#undef USE_MBEDTLS_CRYPTO
++#undef USE_NETTLE_CRYPTO
++#undef USE_NSS_CRYPTO
++#undef USE_WOLFSSL_CRYPTO
++#endif
++#endif
++
++#ifdef USE_GNUTLS_CRYPTO
++#ifdef FORCE_GNUTLS_CRYPTO
++#undef USE_MBEDTLS_CRYPTO
++#undef USE_NETTLE_CRYPTO
++#undef USE_NSS_CRYPTO
++#undef USE_OPENSSL_CRYPTO
++#undef USE_WOLFSSL_CRYPTO
++#endif
++#endif
++
+ #endif