From: Petr Štetiar
Date: Wed, 24 Apr 2024 19:28:40 +0000 (+0000)
Subject: lighttpd: add option to use OpenSSL crypto library
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=f02b69597160cb5360cd91f3e8bacb11d1205a71;p=feed%2Fpackages.git

lighttpd: add option to use OpenSSL crypto library

Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred.

To address this issue, lets propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as additional configuration option.

Closes: #24004
Co-developed-by: Glenn Strauss
Signed-off-by: Glenn Strauss
Signed-off-by: Petr Štetiar
(cherry picked from commit 8c9597f1dcb0ab5965a5ecdb506e234c5da61a3e)
---
diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile
index 9a377c0890..cd6e854312 100644
--- a/net/lighttpd/Makefile
+++ b/net/lighttpd/Makefile
@@ -49,13 +49,17 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_LIGHTTPD_PCRE2 \
 	CONFIG_LIGHTTPD_CRYPTOLIB_NONE \
 	CONFIG_LIGHTTPD_CRYPTOLIB_NETTLE \
+	CONFIG_LIGHTTPD_CRYPTOLIB_GNUTLS \
 	CONFIG_LIGHTTPD_CRYPTOLIB_MBEDTLS \
+	CONFIG_LIGHTTPD_CRYPTOLIB_OPENSSL \
 	CONFIG_LIGHTTPD_CRYPTOLIB_WOLFSSL
 
 PKG_BUILD_DEPENDS:= \
 	LIGHTTPD_PCRE2:pcre2 \
 	LIGHTTPD_CRYPTOLIB_NETTLE:nettle \
+	LIGHTTPD_CRYPTOLIB_GNUTLS:gnutls \
 	LIGHTTPD_CRYPTOLIB_MBEDTLS:mbedtls \
+	LIGHTTPD_CRYPTOLIB_OPENSSL:openssl \
 	LIGHTTPD_CRYPTOLIB_WOLFSSL:wolfssl
 
 include $(INCLUDE_DIR)/package.mk
@@ -65,10 +69,16 @@ include $(INCLUDE_DIR)/meson.mk
 # (separate from lighttpd TLS modules, which are each standalone)
 cryptolibdep= \
 	+LIGHTTPD_CRYPTOLIB_NETTLE:libnettle \
+	+LIGHTTPD_CRYPTOLIB_GNUTLS:libgnutls \
 	+LIGHTTPD_CRYPTOLIB_MBEDTLS:libmbedtls \
+	+LIGHTTPD_CRYPTOLIB_OPENSSL:libopenssl \
 	+LIGHTTPD_CRYPTOLIB_WOLFSSL:libwolfssl
 ifdef CONFIG_LIGHTTPD_CRYPTOLIB_MBEDTLS
   TARGET_CPPFLAGS += -DFORCE_MBEDTLS_CRYPTO
+else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_GNUTLS
+  TARGET_CPPFLAGS += -DFORCE_GNUTLS_CRYPTO
+else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_OPENSSL
+  TARGET_CPPFLAGS += -DFORCE_OPENSSL_CRYPTO
 else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_WOLFSSL
 # (Note: if CONFIG_LIGHTTPD_CRYPTOLIB_WOLFSSL is set,
 # then lighttpd-mod-mbedtls should not be selected to also be built)
@@ -134,9 +144,15 @@ if PACKAGE_lighttpd
 	config LIGHTTPD_CRYPTOLIB_NETTLE
 		bool "libnettle"
 
+	config LIGHTTPD_CRYPTOLIB_GNUTLS
+		bool "libgnutls"
+
 	config LIGHTTPD_CRYPTOLIB_MBEDTLS
 		bool "libmbedtls"
 
+	config LIGHTTPD_CRYPTOLIB_OPENSSL
+		bool "libopenssl"
+
 	config LIGHTTPD_CRYPTOLIB_WOLFSSL
 		bool "libwolfssl"
 endchoice
diff --git a/net/lighttpd/patches/030-sys-crypto.h-add-support-for-OpenSSL-as-crypto-libra.patch b/net/lighttpd/patches/030-sys-crypto.h-add-support-for-OpenSSL-as-crypto-libra.patch
new file mode 100644
index 0000000000..845f23adce
--- /dev/null
+++ b/net/lighttpd/patches/030-sys-crypto.h-add-support-for-OpenSSL-as-crypto-libra.patch
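Review bot: The new `else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_GNUTLS` and `else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_OPENSSL` branches only add `-DFORCE_GNUTLS_CRYPTO` / `-DFORCE_OPENSSL_CRYPTO` to TARGET_CPPFLAGS, and the accompanying sys-crypto.h patch honours a FORCE_*_CRYPTO define only when the matching USE_*_CRYPTO is already defined by the build, which nothing in this hunk ties to the crypto-library choice. If the meson option that enables OpenSSL or GnuTLS for the core is wired elsewhere in the Makefile, a one-line comment here pointing to it would help; if it is not, picking libopenssl as the crypto library silently falls back to whatever other library the build detects, which defeats the single-crypto-library goal the commit message states. The existing wolfSSL branch carries a note that lighttpd-mod-mbedtls must not also be selected; it is worth stating whether an analogous constraint applies to the new GnuTLS and OpenSSL choices, or that none does. The conditional chain continues past the end of this hunk.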
@@ -0,0 +1,71 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?=
+Date: Sat, 4 May 2024 06:33:16 +0000
+Subject: [PATCH] sys-crypto.h: add support for OpenSSL as crypto library
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Each TLS module in lighttpd is built to utilize its corresponding TLS
+library. For example, lighttpd's mod_openssl module utilizes OpenSSL,
+and its mod_mbedtls module uses mbedTLS.
+
+Separately, the core lighttpd application may employ cryptographic
+functions. For efficiency and portability, if lighttpd is compiled with
+Nettle, it becomes the default cryptographic library for the base
+application. However, each TLS module within lighttpd still relies on
+its respective TLS library.
+
+In scenarios where lighttpd is configured with only one TLS library and
+without Nettle, the base application adopts the cryptographic functions
+from that specific TLS library.
+
+When preparing for Linux distributions, lighttpd might be built with
+several TLS modules, where each module uses its designated TLS library.
+Presently, lighttpd does not offer a distinct, dedicated option to
+select the cryptographic library for the base application.
+
+In contexts like embedded systems, where a single TLS library might be
+utilized across the entire base system, specific configurations allow
+the use of either mbedTLS or wolfSSL. For these, lighttpd is compiled
+with -DFORCE_MBEDTLS_CRYPTO or -DFORCE_WOLFSSL_CRYPTO, respectively.
+
+To extend this capability, let's introduce the FORCE_OPENSSL_CRYPTO
+define, enabling lighttpd to also use OpenSSL as an additional
+cryptographic library, akin to the existing support for mbedTLS and
+wolfSSL.
+
+
+Suggested-by: Glenn Strauss
+Signed-off-by: Petr Å tetiar
+---
+ src/sys-crypto.h | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/src/sys-crypto.h
++++ b/src/sys-crypto.h
+@@ -60,4 +60,24 @@
+ #endif
+ #endif
+ 
++#ifdef USE_OPENSSL_CRYPTO
++#ifdef FORCE_OPENSSL_CRYPTO
++#undef USE_GNUTLS_CRYPTO
++#undef USE_MBEDTLS_CRYPTO
++#undef USE_NETTLE_CRYPTO
++#undef USE_NSS_CRYPTO
++#undef USE_WOLFSSL_CRYPTO
++#endif
++#endif
++
++#ifdef USE_GNUTLS_CRYPTO
++#ifdef FORCE_GNUTLS_CRYPTO
++#undef USE_MBEDTLS_CRYPTO
++#undef USE_NETTLE_CRYPTO
++#undef USE_NSS_CRYPTO
++#undef USE_OPENSSL_CRYPTO
++#undef USE_WOLFSSL_CRYPTO
++#endif
++#endif
++
+ #endif
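Review bot: The Signed-off-by trailer stored inside the new patch file is mis-encoded (`Signed-off-by: Petr Å tetiar`, UTF-8 bytes read as Latin-1) while the From: header of the same patch is correctly MIME-encoded; the file should carry `Signed-off-by: Petr Štetiar` so the trailer matches the author line. The new FORCE_OPENSSL_CRYPTO and FORCE_GNUTLS_CRYPTO blocks each undef every other USE_*_CRYPTO macro, but the pre-existing FORCE_MBEDTLS_CRYPTO and FORCE_WOLFSSL_CRYPTO blocks that sit before line 60 of sys-crypto.h are outside this hunk, so it is worth confirming they also undef USE_GNUTLS_CRYPTO and USE_OPENSSL_CRYPTO — otherwise forcing mbedTLS or wolfSSL could still leave a detected OpenSSL or GnuTLS selected as the core crypto provider, which is exactly the ambiguity the patch sets out to remove. The `From 0000000000000000000000000000000000000000` placeholder shows the patch is not yet matched to an upstream commit; recording the upstream commit id or URL in the file once it lands makes it easier to drop on the next version bump.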