
lighttpd: fix missing support for OpenSSL crypto library

Open ynezz opened this issue 10 months ago • 1 comments

Maintainer: @gstrauss
Compile tested: x86-64, cortex-a53, cortex-a9
Run tested: x86-64, cortex-a53, cortex-a9

Description:

Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, let's propose introducing OpenSSL as an additional configuration option. This change will provide the necessary dependency resolution, fixing:

  Package lighttpd is missing dependencies for the following libraries:
  libcrypto.so.3

Fixes: #23794

ynezz avatar Apr 24 '24 19:04 ynezz

Thank you. I'll try to look into this later next week.

gstrauss avatar Apr 27 '24 06:04 gstrauss

Took a quick look to refresh myself. For the patch in this PR to work as desired, changes would need to be made to lighttpd source code, too.

This distinction is important: Nettle provides crypto functions, such as SHA-256. TLS libraries -- such as openssl, mbedtls, wolfssl, and gnutls -- provide TLS functions and also provide crypto functions.

Each TLS module built for lighttpd uses the associated TLS library, e.g. lighttpd mod_openssl uses openssl; lighttpd mod_mbedtls uses mbedtls; etc.

The lighttpd base application (separate from the lighttpd TLS modules) may use some crypto functions. To keep things small and portable, if lighttpd is built with Nettle, then Nettle is the default crypto library used by the lighttpd base application. Again, each lighttpd TLS module uses the associated TLS library.

Now then, if lighttpd is built with a single TLS library (and without Nettle), then the lighttpd base application will use the crypto functions from that TLS library.

However, for packaging in Linux distributions, lighttpd might be built with multiple TLS modules, and each TLS module uses the associated TLS library. Unfortunately, lighttpd currently does not provide a separate, first-class option to pick the crypto library used by the lighttpd base application. For the benefit of embedded systems where everything in the base system might use a single TLS library, there are special cases to use mbedtls or wolfssl. When one of those options is chosen, lighttpd is compiled with -DFORCE_MBEDTLS_CRYPTO or with -DFORCE_WOLFSSL_CRYPTO, respectively. You can see these defines in net/lighttpd/Makefile. For this patch to work as intended, net/lighttpd/Makefile would need to define -DFORCE_OPENSSL_CRYPTO, and lighttpd upstream would need a change in lighttpd src/sys-crypto.h to recognize and act if FORCE_OPENSSL_CRYPTO were defined, similar to steps taken at the end of src/sys-crypto.h if FORCE_MBEDTLS_CRYPTO is defined.

It is not a complex patch to lighttpd, so maybe in the next release of lighttpd, I'll extend the lighttpd special cases for FORCE_MBEDTLS_CRYPTO and FORCE_WOLFSSL_CRYPTO to have options for openssl and for gnutls.

tl;dr: additional (small) changes are needed to this patch and to upstream lighttpd source code before this patch can be accepted.

gstrauss avatar May 03 '24 23:05 gstrauss
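The FORCE_*_CRYPTO mechanism described in the comment above, as an added, self-contained model (this is not lighttpd's own src/sys-crypto.h and not the patch from this PR): a constructed distro-style build configuration defines several USE_*_CRYPTO macros at once (nettle, openssl, mbedtls) and the packager passes FORCE_OPENSSL_CRYPTO on CPPFLAGS; the override then drops every other backend so that exactly one remains for the base application. The two #error guards are an assumption about what a fail-closed version of the logic should do, and CRYPTO_BACKEND, lighttpd_crypto_backend() and crypto_backends_enabled() are names made up for this example; the USE_*/FORCE_* macro names follow the thread.

```c
/* Added example, not lighttpd's own src/sys-crypto.h: a self-contained model
 * of the FORCE_*_CRYPTO override discussed in this thread, plus two #error
 * guards (an assumption, not in the posted patch) so a misconfigured build
 * fails instead of silently picking another backend.  CRYPTO_BACKEND,
 * lighttpd_crypto_backend() and crypto_backends_enabled() are example names. */
#include <stdio.h>
#include <string.h>

/* Constructed build configuration: several TLS modules at once (distro-style
 * build) plus Nettle, and the packager asking for OpenSSL via CPPFLAGS. */
#define USE_OPENSSL_CRYPTO
#define USE_MBEDTLS_CRYPTO
#define USE_NETTLE_CRYPTO
#define FORCE_OPENSSL_CRYPTO

/* Guard 1: forcing a library that is not in the build must not be a silent no-op. */
#if defined(FORCE_OPENSSL_CRYPTO) && !defined(USE_OPENSSL_CRYPTO)
#error "FORCE_OPENSSL_CRYPTO set, but OpenSSL is not part of this build"
#endif
#if defined(FORCE_GNUTLS_CRYPTO) && !defined(USE_GNUTLS_CRYPTO)
#error "FORCE_GNUTLS_CRYPTO set, but GnuTLS is not part of this build"
#endif
/* Guard 2: more than one FORCE_* macro is a contradictory request. */
#if defined(FORCE_OPENSSL_CRYPTO) + defined(FORCE_GNUTLS_CRYPTO) + \
    defined(FORCE_MBEDTLS_CRYPTO) + defined(FORCE_WOLFSSL_CRYPTO) > 1
#error "more than one FORCE_*_CRYPTO macro is defined"
#endif

/* The override in the shape the thread describes: when the forced library is
 * in the build, drop every other USE_*_CRYPTO so one backend remains. */
#ifdef USE_OPENSSL_CRYPTO
#ifdef FORCE_OPENSSL_CRYPTO
#undef USE_GNUTLS_CRYPTO
#undef USE_MBEDTLS_CRYPTO
#undef USE_NETTLE_CRYPTO
#undef USE_WOLFSSL_CRYPTO
#endif
#endif
#ifdef USE_GNUTLS_CRYPTO
#ifdef FORCE_GNUTLS_CRYPTO
#undef USE_MBEDTLS_CRYPTO
#undef USE_NETTLE_CRYPTO
#undef USE_OPENSSL_CRYPTO
#undef USE_WOLFSSL_CRYPTO
#endif
#endif

/* Resolution after the override: Nettle when still present (the default the
 * thread describes), otherwise whichever TLS library's crypto remains. */
#if defined(USE_NETTLE_CRYPTO)
#define CRYPTO_BACKEND "nettle"
#elif defined(USE_OPENSSL_CRYPTO)
#define CRYPTO_BACKEND "openssl"
#elif defined(USE_GNUTLS_CRYPTO)
#define CRYPTO_BACKEND "gnutls"
#elif defined(USE_MBEDTLS_CRYPTO)
#define CRYPTO_BACKEND "mbedtls"
#elif defined(USE_WOLFSSL_CRYPTO)
#define CRYPTO_BACKEND "wolfssl"
#else
#define CRYPTO_BACKEND "none"
#endif

/* Name of the crypto backend the base application would link against. */
const char *lighttpd_crypto_backend(void) { return CRYPTO_BACKEND; }

/* Number of USE_*_CRYPTO macros that survived; a correct FORCE_* override
 * leaves exactly one, which is what keeps a second libcrypto out of the link. */
int crypto_backends_enabled(void)
{
    int n = 0;
#ifdef USE_OPENSSL_CRYPTO
    n++;
#endif
#ifdef USE_GNUTLS_CRYPTO
    n++;
#endif
#ifdef USE_MBEDTLS_CRYPTO
    n++;
#endif
#ifdef USE_NETTLE_CRYPTO
    n++;
#endif
#ifdef USE_WOLFSSL_CRYPTO
    n++;
#endif
    return n;
}

int main(void)
{
    printf("crypto backend: %s (%d backend(s) enabled)\n",
           lighttpd_crypto_backend(), crypto_backends_enabled());
    return 0;
}
```

Build with `cc -Wall -o crypto-select crypto-select.c` and run it; with the constructed defines it reports openssl as the single remaining backend. Deleting the `#define USE_OPENSSL_CRYPTO` line while keeping FORCE_OPENSSL_CRYPTO, or adding a second FORCE_* define, makes the build stop at the corresponding #error instead of quietly linking Nettle, which is the failure mode the thread's "missing dependencies for libcrypto.so.3" report is a symptom of.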

Untested patch to lighttpd. The patch in this PR would also need to be changed to add -DFORCE_OPENSSL_CRYPTO to CPPFLAGS.

--- a/src/sys-crypto.h
+++ b/src/sys-crypto.h
@@ -60,4 +60,24 @@
 #endif
 #endif
 
+#ifdef USE_OPENSSL_CRYPTO
+#ifdef FORCE_OPENSSL_CRYPTO
+#undef USE_GNUTLS_CRYPTO
+#undef USE_MBEDTLS_CRYPTO
+#undef USE_NETTLE_CRYPTO
+#undef USE_NSS_CRYPTO
+#undef USE_WOLFSSL_CRYPTO
+#endif
+#endif
+
+#ifdef USE_GNUTLS_CRYPTO
+#ifdef FORCE_GNUTLS_CRYPTO
+#undef USE_MBEDTLS_CRYPTO
+#undef USE_NETTLE_CRYPTO
+#undef USE_NSS_CRYPTO
+#undef USE_OPENSSL_CRYPTO
+#undef USE_WOLFSSL_CRYPTO
+#endif
+#endif
+
 #endif
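Review bot: in the new `+#ifdef USE_OPENSSL_CRYPTO` / `+#ifdef FORCE_OPENSSL_CRYPTO` block, defining FORCE_OPENSSL_CRYPTO without USE_OPENSSL_CRYPTO is a silent no-op, because the outer `#ifdef USE_OPENSSL_CRYPTO` skips the whole block; a packager who adds -DFORCE_OPENSSL_CRYPTO to CPPFLAGS in a build without the openssl module gets Nettle or another TLS library's crypto with no diagnostic, which is exactly the unexpected-libcrypto situation the PR description reports. Consider an `#error` when FORCE_OPENSSL_CRYPTO is defined but USE_OPENSSL_CRYPTO is not, and the same for the gnutls block. The two blocks are also order-dependent: if both FORCE_OPENSSL_CRYPTO and FORCE_GNUTLS_CRYPTO are set, the openssl block runs first and `#undef USE_GNUTLS_CRYPTO` makes the gnutls block a no-op, so openssl wins without any warning; an `#error` for more than one FORCE_*_CRYPTO would make the conflict explicit. Since the comment above calls the patch untested, a build with -DFORCE_OPENSSL_CRYPTO checked against the resulting binary's library dependencies (only libcrypto, no libnettle or libmbedcrypto) would confirm the override takes effect.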

gstrauss avatar May 03 '24 23:05 gstrauss

tl;dr: additional (small) changes are needed to this patch and to upstream lighttpd source code before this patch can be accepted.

Thanks, done.

ynezz avatar May 04 '24 06:05 ynezz

@ynezz thank you for the detailed rewording of my explanation in your patch.

Should the other items (not part of your changes) be libnettle, libmbedtls, and libwolfssl?

PKG_BUILD_DEPENDS:= \
  LIGHTTPD_PCRE2:pcre2 \
  LIGHTTPD_CRYPTOLIB_OPENSSL:libopenssl \
  LIGHTTPD_CRYPTOLIB_NETTLE:nettle \
  LIGHTTPD_CRYPTOLIB_MBEDTLS:mbedtls \
  LIGHTTPD_CRYPTOLIB_WOLFSSL:wolfssl

FYI: for completeness, I am going to add a gnutls crypto option, too.

gstrauss avatar May 08 '24 13:05 gstrauss