From patchwork Thu Nov 8 22:25:31 2018
From: Trent Piepho
To: "buildroot@buildroot.org"
Date: Thu, 8 Nov 2018 22:25:31 +0000
Message-ID: <20181108222517.20629-1-tpiepho@impinj.com>
Subject: [Buildroot] [PATCH v2] libcurl: Allow selection of TLS package libcurl will use
Cc: Trent Piepho

Instead of defaulting to OpenSSL, allow selection of package to use through a choice in libcurl's config. The default will be to select the first enabled TLS provider in the same preference order as is used now, i.e. no change from current behavior.

Some of the alternative libraries have advantages over OpenSSL in certain areas. For example, gnutls has vastly superior PKCS11 support. One can use client TLS private keys by supplying a PKCS11 URI instead of a private key file name. The TLS server cert trust store can be a PKCS11 URI, e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust". Now server certs can be stored in a software and/or hardware HSM(s). This doesn't work with OpenSSL.

However, some software only supports OpenSSL for TLS or other crypto functions. So it might be necessary to enable OpenSSL for that reason.

Signed-off-by: Trent Piepho
---
Changes since v1:
Removed unneeded defaults.
Removed no TLS choice, replaced with comment

package/libcurl/Config.in | 25 +++++++++++++++++++++++++
package/libcurl/libcurl.mk | 15 ++++++++-------
2 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/package/libcurl/Config.in b/package/libcurl/Config.in index 21c2ee2b7f..6309e5bfc0 100644 --- a/package/libcurl/Config.in +++ b/package/libcurl/Config.in
@@ -19,4 +19,29 @@ config BR2_PACKAGE_LIBCURL_VERBOSE help Enable verbose text strings +choice + prompt "SSL/TLS library to use" + +config BR2_PACKAGE_LIBCURL_OPENSSL + bool "OpenSSL" + depends on BR2_PACKAGE_OPENSSL + +config BR2_PACKAGE_LIBCURL_GNUTLS + bool "GnuTLS" + depends on BR2_PACKAGE_GNUTLS + +config BR2_PACKAGE_LIBCURL_LIBNSS + bool "NSS" + depends on BR2_PACKAGE_LIBNSS + +config BR2_PACKAGE_LIBCURL_MBEDTLS + bool "mbed TLS" + depends on BR2_PACKAGE_MBEDTLS + +endchoice + +comment "A TLS library is needed for SSL/TLS support" + depends on !BR2_PACKAGE_OPENSSL && !BR2_PACKAGE_GNUTLS && \ + !BR2_PACKAGE_LIBNSS && !BR2_PACKAGE_MBEDTLS + endif diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk index c3da8aa3e5..ac368fbb53 100644 --- a/package/libcurl/libcurl.mk +++ b/package/libcurl/libcurl.mk @@ -35,7 +35,7 @@ endif LIBCURL_CONFIG_SCRIPTS = curl-config -ifeq ($(BR2_PACKAGE_OPENSSL),y) +ifeq ($(BR2_PACKAGE_LIBCURL_OPENSSL),y) LIBCURL_DEPENDENCIES += openssl # configure adds the cross openssl dir to LD_LIBRARY_PATH which screws up # native stuff during the rest of configure when target == host. 
@@ -44,15 +44,16 @@ LIBCURL_DEPENDENCIES += openssl LIBCURL_CONF_ENV += LD_LIBRARY_PATH=$(if $(LD_LIBRARY_PATH),$(LD_LIBRARY_PATH):)/lib:/usr/lib LIBCURL_CONF_OPTS += --with-ssl=$(STAGING_DIR)/usr \ --with-ca-path=/etc/ssl/certs -else ifeq ($(BR2_PACKAGE_GNUTLS),y) -LIBCURL_CONF_OPTS += --with-gnutls=$(STAGING_DIR)/usr +else ifeq ($(BR2_PACKAGE_LIBCURL_GNUTLS),y) +LIBCURL_CONF_OPTS += --with-gnutls=$(STAGING_DIR)/usr --without-ssl LIBCURL_DEPENDENCIES += gnutls -else ifeq ($(BR2_PACKAGE_LIBNSS),y) -LIBCURL_CONF_OPTS += --with-nss=$(STAGING_DIR)/usr +else ifeq ($(BR2_PACKAGE_LIBCURL_LIBNSS),y) +LIBCURL_CONF_OPTS += --with-nss=$(STAGING_DIR)/usr --without-ssl --without-gnutls LIBCURL_CONF_ENV += CPPFLAGS="$(TARGET_CPPFLAGS) `$(PKG_CONFIG_HOST_BINARY) nspr nss --cflags`" LIBCURL_DEPENDENCIES += libnss -else ifeq ($(BR2_PACKAGE_MBEDTLS),y) -LIBCURL_CONF_OPTS += --with-mbedtls=$(STAGING_DIR)/usr +else ifeq ($(BR2_PACKAGE_LIBCURL_MBEDTLS),y) +LIBCURL_CONF_OPTS += --with-mbedtls=$(STAGING_DIR)/usr \ + --without-ssl --without-gnutls --without-nss LIBCURL_DEPENDENCIES += mbedtls else LIBCURL_CONF_OPTS += --without-ssl --without-gnutls \
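Review bot: in the Config.in hunk, dropping the "no TLS" entry from the choice means the final `else` branch in libcurl.mk (the one passing `--without-ssl --without-gnutls ...`) is reachable only when none of the four TLS packages is in the build, so a configuration that already has OpenSSL enabled for some other package can no longer build libcurl without TLS support at all; if that is the intent, state it in the commit message, otherwise keep a "None" entry in the choice. The four entries also carry no `help` text: the rationale given in the commit message (GnuTLS accepting PKCS11 URIs for client keys and for the trust store, some consumers only working with OpenSSL) is exactly what a user picking a backend needs to see, so put a few lines of help under each entry.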
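Review bot: in the `@@ -35,7 +35,7 @@` hunk, the OpenSSL branch now keys on `BR2_PACKAGE_LIBCURL_OPENSSL`, which is only selectable because the choice entry uses `depends on BR2_PACKAGE_OPENSSL` (not `select`), so `LIBCURL_DEPENDENCIES += openssl` stays correct only as long as that Config.in dependency is kept in step; a one-line comment above the `ifeq` pointing at the choice would save the next maintainer the lookup. Unlike the three branches that follow, this branch adds no `--without-gnutls --without-nss --without-mbedtls`; if the concern behind those options is configure autodetecting a second library present in `$(STAGING_DIR)`, the same concern applies here.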
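Review bot: in the `@@ -44,15 +44,16 @@` hunk, the explicit `--without-*` options form a staircase that mirrors the old preference order (the GnuTLS branch gets `--without-ssl`, the NSS branch adds `--without-gnutls`, the mbed TLS branch adds `--without-nss`), but no branch disables the backends that come later in the list, e.g. the GnuTLS branch passes neither `--without-nss` nor `--without-mbedtls`. Either every branch should disable all three other backends, or, if configure only probes for GnuTLS, NSS and mbed TLS when explicitly asked and probes for OpenSSL by default, `--without-ssl` alone is sufficient and the extra `--without-gnutls`/`--without-nss` are noise; whichever it is, a short comment stating the reason would settle it for future readers.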