[v2] libcurl: Allow selection of TLS package libcurl will use

Instead of defaulting to OpenSSL, allow selection of package to use
through a choice in libcurl's config.  The default will be to select the
first enabled TLS provider in the same preference order as is used now,
i.e. no change from current behavior.

Some of the alternative libraries have advantages over OpenSSL in
certain areas.

For example, gnutls has vastly superior PKCS11 support.  One can use
client TLS private keys by supplying a PKCS11 URI instead of a private
key file name.  The TLS server cert trust store can be a PKCS11 URI,
e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust". 
Now server certs can be stored in a software and/or hardware HSM(s). 
This doesn't work with OpenSSL.

However, some software only supports OpenSSL for TLS or other crypto
functions.  So it might be necessary to enable OpenSSL for that reason.

Signed-off-by: Trent Piepho <tpiepho@impinj.com>
---
Changes since v1:
  Removed unneeded defaults.
  Removed no TLS choice, replaced with comment

 package/libcurl/Config.in  | 25 +++++++++++++++++++++++++
 package/libcurl/libcurl.mk | 15 ++++++++-------
 2 files changed, 33 insertions(+), 7 deletions(-)

Hi Trent,

On 08/11/2018 23:25, Trent Piepho wrote:
> Instead of defaulting to OpenSSL, allow selection of package to use
> through a choice in libcurl's config.  The default will be to select the
> first enabled TLS provider in the same preference order as is used now,
> i.e. no change from current behavior.
> 
> Some of the alternative libraries have advantages over OpenSSL in
> certain areas.
> 
> For example, gnutls has vastly superior PKCS11 support.  One can use
> client TLS private keys by supplying a PKCS11 URI instead of a private
> key file name.  The TLS server cert trust store can be a PKCS11 URI,
> e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust". 
> Now server certs can be stored in a software and/or hardware HSM(s). 
> This doesn't work with OpenSSL.
> 
> However, some software only supports OpenSSL for TLS or other crypto
> functions.  So it might be necessary to enable OpenSSL for that reason.

 As Peter already said: excellent explanation, thanks!

> 
> Signed-off-by: Trent Piepho <tpiepho@impinj.com>
> ---
> Changes since v1:
>   Removed unneeded defaults.
>   Removed no TLS choice, replaced with comment
> 
>  package/libcurl/Config.in  | 25 +++++++++++++++++++++++++
>  package/libcurl/libcurl.mk | 15 ++++++++-------
>  2 files changed, 33 insertions(+), 7 deletions(-)
> 
> diff --git a/package/libcurl/Config.in b/package/libcurl/Config.in
> index 21c2ee2b7f..6309e5bfc0 100644
> --- a/package/libcurl/Config.in
> +++ b/package/libcurl/Config.in
> @@ -19,4 +19,29 @@ config BR2_PACKAGE_LIBCURL_VERBOSE
>  	help
>  	  Enable verbose text strings
>  
> +choice
> +	prompt "SSL/TLS library to use"
> +
> +config BR2_PACKAGE_LIBCURL_OPENSSL
> +	bool "OpenSSL"
> +	depends on BR2_PACKAGE_OPENSSL

 I don't really like this depends. I would rather revert it into a select. So:

choice
	prompt "SSL/TLS library to use"

config BR2_PACKAGE_LIBCURL_OPENSSL
	bool "openssl"
	select BR2_PACKAGE_OPENSSL

...

config BR2_PACKAGE_LIBCURL_NONE
	bool "disable TLS"

endchoice

 Note that that means that libcurl will by default select openssl, which was not
the case before. However, I think it makes complete sense to default to enabling
TLS support in libcurl. Peter, what do you think? This would obviously have to
be mentioned in the release notes because the behaviour of existing configs
would change.

 Regards,
 Arnout

> +
> +config BR2_PACKAGE_LIBCURL_GNUTLS
> +	bool "GnuTLS"
> +	depends on BR2_PACKAGE_GNUTLS
> +
> +config BR2_PACKAGE_LIBCURL_LIBNSS
> +	bool "NSS"
> +	depends on BR2_PACKAGE_LIBNSS
> +
> +config BR2_PACKAGE_LIBCURL_MBEDTLS
> +	bool "mbed TLS"
> +	depends on BR2_PACKAGE_MBEDTLS
> +
> +endchoice
> +
> +comment "A TLS library is needed for SSL/TLS support"
> +       depends on !BR2_PACKAGE_OPENSSL && !BR2_PACKAGE_GNUTLS && \
> +                  !BR2_PACKAGE_LIBNSS && !BR2_PACKAGE_MBEDTLS
> +
>  endif
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index c3da8aa3e5..ac368fbb53 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -35,7 +35,7 @@ endif
>  
>  LIBCURL_CONFIG_SCRIPTS = curl-config
>  
> -ifeq ($(BR2_PACKAGE_OPENSSL),y)
> +ifeq ($(BR2_PACKAGE_LIBCURL_OPENSSL),y)
>  LIBCURL_DEPENDENCIES += openssl
>  # configure adds the cross openssl dir to LD_LIBRARY_PATH which screws up
>  # native stuff during the rest of configure when target == host.
> @@ -44,15 +44,16 @@ LIBCURL_DEPENDENCIES += openssl
>  LIBCURL_CONF_ENV += LD_LIBRARY_PATH=$(if $(LD_LIBRARY_PATH),$(LD_LIBRARY_PATH):)/lib:/usr/lib
>  LIBCURL_CONF_OPTS += --with-ssl=$(STAGING_DIR)/usr \
>  	--with-ca-path=/etc/ssl/certs
> -else ifeq ($(BR2_PACKAGE_GNUTLS),y)
> -LIBCURL_CONF_OPTS += --with-gnutls=$(STAGING_DIR)/usr
> +else ifeq ($(BR2_PACKAGE_LIBCURL_GNUTLS),y)
> +LIBCURL_CONF_OPTS += --with-gnutls=$(STAGING_DIR)/usr --without-ssl
>  LIBCURL_DEPENDENCIES += gnutls
> -else ifeq ($(BR2_PACKAGE_LIBNSS),y)
> -LIBCURL_CONF_OPTS += --with-nss=$(STAGING_DIR)/usr
> +else ifeq ($(BR2_PACKAGE_LIBCURL_LIBNSS),y)
> +LIBCURL_CONF_OPTS += --with-nss=$(STAGING_DIR)/usr --without-ssl --without-gnutls
>  LIBCURL_CONF_ENV += CPPFLAGS="$(TARGET_CPPFLAGS) `$(PKG_CONFIG_HOST_BINARY) nspr nss --cflags`"
>  LIBCURL_DEPENDENCIES += libnss
> -else ifeq ($(BR2_PACKAGE_MBEDTLS),y)
> -LIBCURL_CONF_OPTS += --with-mbedtls=$(STAGING_DIR)/usr
> +else ifeq ($(BR2_PACKAGE_LIBCURL_MBEDTLS),y)
> +LIBCURL_CONF_OPTS += --with-mbedtls=$(STAGING_DIR)/usr \
> +	--without-ssl --without-gnutls --without-nss
>  LIBCURL_DEPENDENCIES += mbedtls
>  else
>  LIBCURL_CONF_OPTS += --without-ssl --without-gnutls \
>

>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:

Hi,

 >> +choice
 >> +	prompt "SSL/TLS library to use"
 >> +
 >> +config BR2_PACKAGE_LIBCURL_OPENSSL
 >> +	bool "OpenSSL"
 >> +	depends on BR2_PACKAGE_OPENSSL

 >  I don't really like this depends. I would rather revert it into a select. So:

 > choice
 > 	prompt "SSL/TLS library to use"

 > config BR2_PACKAGE_LIBCURL_OPENSSL
 > 	bool "openssl"
 > 	select BR2_PACKAGE_OPENSSL

 > ...

 > config BR2_PACKAGE_LIBCURL_NONE
 > 	bool "disable TLS"

 > endchoice

 >  Note that that means that libcurl will by default select openssl, which was not
 > the case before. However, I think it makes complete sense to default to enabling
 > TLS support in libcurl. Peter, what do you think? This would obviously have to
 > be mentioned in the release notes because the behaviour of existing configs
 > would change.

Either that or add a:

 depends on BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS || \
          BR2_PACKAGE_LIBNSS || BR2_PACKAGE_MBEDTLS

To the choice option and drop the _LIBCURL_NONE variant. With that we
have the same behaviour as before, except that you _CAN_ select the TLS
provider in case multiple providers are available.

On Fri, 2018-11-09 at 23:40 +0100, Peter Korsgaard wrote:
> > > > > > "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
>  >> +choice
>  >> +	prompt "SSL/TLS library to use"
>  >> +
>  >> +config BR2_PACKAGE_LIBCURL_OPENSSL
>  >> +	bool "OpenSSL"
>  >> +	depends on BR2_PACKAGE_OPENSSL
> 
>  >  I don't really like this depends. I would rather revert it into a select. So:
> 
>  > choice
>  > 	prompt "SSL/TLS library to use"
> 
>  > config BR2_PACKAGE_LIBCURL_OPENSSL
>  > 	bool "openssl"
>  > 	select BR2_PACKAGE_OPENSSL
> 
>  > ...
> 
>  > config BR2_PACKAGE_LIBCURL_NONE
>  > 	bool "disable TLS"
> 
>  > endchoice
> 
>  >  Note that that means that libcurl will by default select openssl, which was not
>  > the case before. However, I think it makes complete sense to default to enabling
>  > TLS support in libcurl. Peter, what do you think? This would obviously have to
>  > be mentioned in the release notes because the behaviour of existing configs
>  > would change.

Don't most optional features in buildroot get auto-enabled when the
package they need is enabled?  Which in effect means the feature is
turned on, not by a setting under the user, but by turning on the
dependency.  I know I've seen this pattern many many times in
buildroot.

Is this pattern of turning on the dependency via an option under the
user of the dependency used elsewhere?  Or would it be a new pattern
unique to libcurl?

> Either that or add a:
> 
>  depends on BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS || \
>           BR2_PACKAGE_LIBNSS || BR2_PACKAGE_MBEDTLS
> 
> To the choice option and drop the _LIBCURL_NONE variant. With that we
> have the same behaviour as before, except that you _CAN_ select the TLS
> provider in case multiple providers are available.

I did drop the NONE variant.  Do you mean in Arnout's alternate
example?  It doesn't provide entirely the same behavior.  Example:

openssl off, gnutls on

Current: libcurl uses gnutls
My patch: libcurl uses gnutls
Arnout's proposal: libcurl enables openssl and uses it.  Need to change
config to select gnutls and turn off openssl.
Peter's modification: Same as Arnout's

I believe your modification only produces the same behavior in the case
where all four tls libs are off.  As soon as one turns on, then libcurl
will select openssl.

>>>>> "Trent" == Trent Piepho <tpiepho@impinj.com> writes:

Hi,

 >> >  Note that that means that libcurl will by default select openssl, which was not
 >> > the case before. However, I think it makes complete sense to default to enabling
 >> > TLS support in libcurl. Peter, what do you think? This would obviously have to
 >> > be mentioned in the release notes because the behaviour of existing configs
 >> > would change.

 > Don't most optional features in buildroot get auto-enabled when the
 > package they need is enabled?  Which in effect means the feature is
 > turned on, not by a setting under the user, but by turning on the
 > dependency.  I know I've seen this pattern many many times in
 > buildroot.

 > Is this pattern of turning on the dependency via an option under the
 > user of the dependency used elsewhere?  Or would it be a new pattern
 > unique to libcurl?

We use automatic dependencies for most packages, but there are a few
with explicit sub options to pull in the optional dependencies.

 >> Either that or add a:
 >> 
 >> depends on BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS || \
 >> BR2_PACKAGE_LIBNSS || BR2_PACKAGE_MBEDTLS
 >> 
 >> To the choice option and drop the _LIBCURL_NONE variant. With that we
 >> have the same behaviour as before, except that you _CAN_ select the TLS
 >> provider in case multiple providers are available.

 > I did drop the NONE variant.  Do you mean in Arnout's alternate
 > example?  It doesn't provide entirely the same behavior.  Example:

 > openssl off, gnutls on

 > Current: libcurl uses gnutls
 > My patch: libcurl uses gnutls
 > Arnout's proposal: libcurl enables openssl and uses it.  Need to change
 > config to select gnutls and turn off openssl.
 > Peter's modification: Same as Arnout's

 > I believe your modification only produces the same behavior in the case
 > where all four tls libs are off.  As soon as one turns on, then libcurl
 > will select openssl.

Correct, so I think it makes sense to use 'depends on' for the
individual sub options like you had. With that, the default behaviour
should be like it was before.

>>>>> "Trent" == Trent Piepho <tpiepho@impinj.com> writes:

 > Instead of defaulting to OpenSSL, allow selection of package to use
 > through a choice in libcurl's config.  The default will be to select the
 > first enabled TLS provider in the same preference order as is used now,
 > i.e. no change from current behavior.

 > Some of the alternative libraries have advantages over OpenSSL in
 > certain areas.

 > For example, gnutls has vastly superior PKCS11 support.  One can use
 > client TLS private keys by supplying a PKCS11 URI instead of a private
 > key file name.  The TLS server cert trust store can be a PKCS11 URI,
 > e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust". 
 > Now server certs can be stored in a software and/or hardware HSM(s). 
 > This doesn't work with OpenSSL.

 > However, some software only supports OpenSSL for TLS or other crypto
 > functions.  So it might be necessary to enable OpenSSL for that reason.

 > Signed-off-by: Trent Piepho <tpiepho@impinj.com>
 > ---
 > Changes since v1:
 >   Removed unneeded defaults.
 >   Removed no TLS choice, replaced with comment

 >  package/libcurl/Config.in  | 25 +++++++++++++++++++++++++
 >  package/libcurl/libcurl.mk | 15 ++++++++-------
 >  2 files changed, 33 insertions(+), 7 deletions(-)

 > diff --git a/package/libcurl/Config.in b/package/libcurl/Config.in
 > index 21c2ee2b7f..6309e5bfc0 100644
 > --- a/package/libcurl/Config.in
 > +++ b/package/libcurl/Config.in
 > @@ -19,4 +19,29 @@ config BR2_PACKAGE_LIBCURL_VERBOSE
 >  	help
 >  	  Enable verbose text strings
 
 > +choice
 > +	prompt "SSL/TLS library to use"

This choice should be hidden if none of the dependencies are
available. As we also need (the inverse of) the same for the comment
below I have added a blind BR2_PACKAGE_LIBCURL_TLS_SUPPORT option when
depends on openssl/gnutls/libnss/mbedtls and used it here and for the
comment.


> +
 > +config BR2_PACKAGE_LIBCURL_OPENSSL
 > +	bool "OpenSSL"
 > +	depends on BR2_PACKAGE_OPENSSL
 > +
 > +config BR2_PACKAGE_LIBCURL_GNUTLS
 > +	bool "GnuTLS"
 > +	depends on BR2_PACKAGE_GNUTLS
 > +
 > +config BR2_PACKAGE_LIBCURL_LIBNSS
 > +	bool "NSS"
 > +	depends on BR2_PACKAGE_LIBNSS
 > +
 > +config BR2_PACKAGE_LIBCURL_MBEDTLS
 > +	bool "mbed TLS"
 > +	depends on BR2_PACKAGE_MBEDTLS
 > +
 > +endchoice
 > +
 > +comment "A TLS library is needed for SSL/TLS support"
 > +       depends on !BR2_PACKAGE_OPENSSL && !BR2_PACKAGE_GNUTLS && \
 > +                  !BR2_PACKAGE_LIBNSS && !BR2_PACKAGE_MBEDTLS
 > +
 >  endif
 > diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
 > index c3da8aa3e5..ac368fbb53 100644
 > --- a/package/libcurl/libcurl.mk
 > +++ b/package/libcurl/libcurl.mk
 > @@ -35,7 +35,7 @@ endif
 
 >  LIBCURL_CONFIG_SCRIPTS = curl-config
 
 > -ifeq ($(BR2_PACKAGE_OPENSSL),y)
 > +ifeq ($(BR2_PACKAGE_LIBCURL_OPENSSL),y)
 >  LIBCURL_DEPENDENCIES += openssl
 >  # configure adds the cross openssl dir to LD_LIBRARY_PATH which screws up
 >  # native stuff during the rest of configure when target == host.
 > @@ -44,15 +44,16 @@ LIBCURL_DEPENDENCIES += openssl
 >  LIBCURL_CONF_ENV += LD_LIBRARY_PATH=$(if $(LD_LIBRARY_PATH),$(LD_LIBRARY_PATH):)/lib:/usr/lib
 >  LIBCURL_CONF_OPTS += --with-ssl=$(STAGING_DIR)/usr \
 >  	--with-ca-path=/etc/ssl/certs

I think it is cleaner to handle each option on its own instead of ifeg
.. else ifeq .. else ifeq now that Config.in ensures only one of them is
available. That way we also ensure we pass all the correct --without
options so the configure script doesn't decide to use another TLS
provider than what is selected.

E.G.:

ifeq ($(BR2_PACKAGE_LIBCURL_FOO))
LIBCURL_CONF_OPTS += --with-foo
LIBCURL_DEPENDENCIES += foo
else
LIBCURL_CONF_OPTS += --without-foo
endif

ifeq ($(BR2_PACKAGE_LIBCURL_BAR))
LIBCURL_CONF_OPTS += --with-bar
LIBCURL_DEPENDENCIES += bar
else
LIBCURL_CONF_OPTS += --without-bar
endif

..

> -else ifeq ($(BR2_PACKAGE_GNUTLS),y)
 > -LIBCURL_CONF_OPTS += --with-gnutls=$(STAGING_DIR)/usr
 > +else ifeq ($(BR2_PACKAGE_LIBCURL_GNUTLS),y)
 > +LIBCURL_CONF_OPTS += --with-gnutls=$(STAGING_DIR)/usr --without-ssl
 >  LIBCURL_DEPENDENCIES += gnutls
 > -else ifeq ($(BR2_PACKAGE_LIBNSS),y)
 > -LIBCURL_CONF_OPTS += --with-nss=$(STAGING_DIR)/usr
 > +else ifeq ($(BR2_PACKAGE_LIBCURL_LIBNSS),y)
 > +LIBCURL_CONF_OPTS += --with-nss=$(STAGING_DIR)/usr --without-ssl --without-gnutls
 >  LIBCURL_CONF_ENV += CPPFLAGS="$(TARGET_CPPFLAGS) `$(PKG_CONFIG_HOST_BINARY) nspr nss --cflags`"
 >  LIBCURL_DEPENDENCIES += libnss
 > -else ifeq ($(BR2_PACKAGE_MBEDTLS),y)
 > -LIBCURL_CONF_OPTS += --with-mbedtls=$(STAGING_DIR)/usr
 > +else ifeq ($(BR2_PACKAGE_LIBCURL_MBEDTLS),y)
 > +LIBCURL_CONF_OPTS += --with-mbedtls=$(STAGING_DIR)/usr \
 > +	--without-ssl --without-gnutls --without-nss
 >  LIBCURL_DEPENDENCIES += mbedtls
 >  else
 >  LIBCURL_CONF_OPTS += --without-ssl --without-gnutls \

There was still a place where BR2_PACKAGE_OPENSSL was checked (for the
.pc fixup) instead of BR2_PACKAGE_LIBCURL_OPENSSL.

Committed to next with these fixes, thanks.