
[4/5] target: grand flash devices should use OpenSSL

Message ID 20230615143212.2464680-5-ynezz@true.cz
State Superseded
Delegated to: Petr Štetiar

Commit Message

Petr Štetiar June 15, 2023, 2:32 p.m. UTC
Over the years we've learned the hard way that we had to make a lot
of compromises while using flash-space-friendly micro TLS libraries like
mbedTLS/wolfSSL in order to provide more or less up-to-date security
features on most supported devices.

Most of the recent and decent devices have plenty of storage space, so
there is no need to make such compromises anymore and we could simply
use battle tested OpenSSL on such targets by default as storage space
increase is around 1.5 MiB, which is no brainer.

So lets make it possible to use OpenSSL on grand flash devices and
switch to libustream-openssl and wpad-basic-openssl by default there.

This should have no functional change, the target needs to actually
explicitly define `FEATURES := grand_flash` in order to have OpenSSL by
default.

References: #12874
Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
 config/Config-build.in | 20 ++++++++++++++++++++
 include/target.mk      | 24 ++++++++++++++++++++++--
 target/Config.in       |  3 +++
 3 files changed, 45 insertions(+), 2 deletions(-)

Comments

Christian Marangi June 15, 2023, 2:43 p.m. UTC | #1
On Thu, Jun 15, 2023 at 04:32:11PM +0200, Petr Štetiar wrote:
> During the years we've learned it hard way, that we needed to make a lot
> of compromises while using flash space friendly micro TLS libraries like
> mbedTLS/wolfSSL in order to provide more or less up to date security
> features on most supported devices.
> 
> Most of the recent and decent devices have plenty of storage space, so
> there is no need to make such compromises anymore and we could simply
> use battle tested OpenSSL on such targets by default as storage space
> increase is around 1.5 MiB, which is no brainer.
> 
> So lets make it possible to use OpenSSL on grand flash devices and
> switch to libustream-openssl and wpad-basic-openssl by default there.
> 
> This should have no functional change, the target needs to actually
> explicitly define `FEATURES := grand_flash` in order to have OpenSSL by
> default.
> 
> References: #12874
> Signed-off-by: Petr Štetiar <ynezz@true.cz>

Love this and the other series; I and other members discussed this
idea in the meeting and on IRC, so it is good to finally see it proposed.

Anyway I think also other package needs to be updated for this or I
think we will have a situation where we have multiple SSL lib selected.

libcurl is the first example I can think of.

This is just to alert that we will have this situation until we migrate
each package to the new TLS_PROVIDED option.

Patch

diff --git a/config/Config-build.in b/config/Config-build.in
index df2d9101ca99..10c77cafdc6b 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -130,6 +130,26 @@  menu "Global build settings"
 		  Useful for release builds, so that kernel issues can be debugged offline
 		  later.
 
+	choice
+		prompt "TLS provider"
+		default TLS_PROVIDER_MBEDTLS if !GRAND_FLASH
+		default TLS_PROVIDER_OPENSSL if GRAND_FLASH
+		help
+                  This allows to select TLS provider.
+
+	config TLS_PROVIDER_MBEDTLS
+		bool "mbedTLS"
+		select PACKAGE_libustream-mbedtls
+
+	config TLS_PROVIDER_OPENSSL
+		bool "OpenSSL"
+		select PACKAGE_libustream-openssl
+
+	config TLS_PROVIDER_WOLFSSL
+		bool "wolfSSL"
+		select PACKAGE_libustream-wolfssl
+	endchoice
+
 	menu "Kernel build options"
 
 	source "config/Config-kernel.in"
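Review bot: The help line under the new "TLS provider" choice is indented with spaces while every other line in the block uses tabs, and its text does not say what the choice actually controls or that the default changes with GRAND_FLASH. I would replace it with tab-indented text such as `Selects the TLS library that libustream and the default wpad variant are built against. Targets with the grand_flash feature default to OpenSSL, all others to mbedTLS.` The two `default … if [!]GRAND_FLASH` lines reference a GRAND_FLASH symbol that this patch does not define; presumably an earlier patch in the series adds it, but the commit message should say so since the choice silently falls through to the first entry if the symbol is ever missing. The enclosing `menu "Global build settings"` starts and ends outside the hunk.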
diff --git a/include/target.mk b/include/target.mk
index 14c202d013d9..450823eb9280 100644
--- a/include/target.mk
+++ b/include/target.mk
@@ -38,10 +38,30 @@  DEFAULT_PACKAGES+=procd-ujail
 endif
 
 # mbedTLS wireless features handling
+ifeq ($(CONFIG_TLS_PROVIDER_MBEDTLS),y)
 DEFAULT_PACKAGES+=libustream-mbedtls
 PACKAGE_NO_WIRELESS:=-wpad-basic-mbedtls
-ifneq($(CONFIG_WIRELESS_SUPPORT),)
-DEFAULT_PACKAGES+=wpad-basic-mbedtls
+  ifneq ($(CONFIG_WIRELESS_SUPPORT),)
+    DEFAULT_PACKAGES+=wpad-basic-mbedtls
+  endif
+endif
+
+# OpenSSL and wireless features handling
+ifeq ($(CONFIG_TLS_PROVIDER_OPENSSL),y)
+DEFAULT_PACKAGES+=libustream-openssl
+PACKAGE_NO_WIRELESS:=-wpad-basic-openssl
+  ifneq ($(CONFIG_WIRELESS_SUPPORT),)
+    DEFAULT_PACKAGES+=wpad-basic-openssl
+  endif
+endif
+
+# wolfSSL wireless features handling
+ifeq ($(CONFIG_TLS_PROVIDER_WOLFSSL),y)
+DEFAULT_PACKAGES+=libustream-wolfssl
+PACKAGE_NO_WIRELESS:=-wpad-basic-wolfssl
+  ifneq ($(CONFIG_WIRELESS_SUPPORT),)
+    DEFAULT_PACKAGES+=wpad-basic-wolfssl
+  endif
 endif
 
 # include seccomp ld-preload hooks if kernel supports it
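Review bot: With the three provider blocks, PACKAGE_NO_WIRELESS is no longer assigned at all when none of the CONFIG_TLS_PROVIDER_* symbols is set, whereas before this hunk it was unconditionally `-wpad-basic-mbedtls`; a .config generated before this change, or a parse where .config is not yet loaded, would then leave it empty and also add no libustream package to DEFAULT_PACKAGES. The blocks are otherwise identical apart from the provider name, so a single parameterised block with an explicit mbedTLS fallback would both close that gap and remove the triplication (the comment at the top of the hunk, "mbedTLS wireless features handling", no longer describes the block below it either). Whether an empty PACKAGE_NO_WIRELESS is harmful depends on its consumer, which is outside this hunk, so that part should be verified.
```make
# TLS provider chosen via TLS_PROVIDER_* in config/Config-build.in.
# Falls back to mbedTLS when no symbol is set, matching the previous default.
TLS_PROVIDER:=$(if $(CONFIG_TLS_PROVIDER_OPENSSL),openssl,$(if $(CONFIG_TLS_PROVIDER_WOLFSSL),wolfssl,mbedtls))
DEFAULT_PACKAGES+=libustream-$(TLS_PROVIDER)
PACKAGE_NO_WIRELESS:=-wpad-basic-$(TLS_PROVIDER)
ifneq ($(CONFIG_WIRELESS_SUPPORT),)
DEFAULT_PACKAGES+=wpad-basic-$(TLS_PROVIDER)
endif
# … unchanged: seccomp ld-preload hooks …
```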
diff --git a/target/Config.in b/target/Config.in
index 195f7161a89b..1099cd9c3db1 100644
--- a/target/Config.in
+++ b/target/Config.in
@@ -124,6 +124,9 @@  config USES_BOOT_PART
 
 config WIRELESS_SUPPORT
 	bool
+	select PACKAGE_wpad-basic-mbedtls if TLS_PROVIDER_MBEDTLS
+	select PACKAGE_wpad-basic-openssl if TLS_PROVIDER_OPENSSL
+	select PACKAGE_wpad-basic-wolfssl if TLS_PROVIDER_WOLFSSL
 
 # Architecture selection
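Review bot: The three new `select PACKAGE_wpad-basic-… if TLS_PROVIDER_…` lines force the basic wpad variant to y whenever WIRELESS_SUPPORT is set, and a Kconfig select cannot be undone by the user and ignores the selected symbol's own dependencies, so anyone who wants a different wpad/hostapd variant on a wireless target can no longer deselect wpad-basic-*. The include/target.mk hunk already adds the same package through DEFAULT_PACKAGES, which users can remove, so if the goal is only a sensible default the selects look redundant; if a hard requirement is intended, a comment above them stating why, e.g. `# wpad-basic-* is mandatory on wireless targets; the TLS provider picks the variant`, would make that explicit. I cannot see how PACKAGE_wpad-basic-* interacts with the other wpad variants from this hunk, so please confirm against their PROVIDES/conflict handling.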