* [Buildroot] [PATCH] libcurl: Allow selection of TLS package libcurl will use
@ 2018-11-08 0:12 Trent Piepho
From: Trent Piepho @ 2018-11-08 0:12 UTC (permalink / raw)
To: buildroot
Instead of defaulting to OpenSSL, allow selection of package to use
through a choice in libcurl's config. The default will be to select the
first enabled TLS provider in the same preference order as is used now,
i.e. no change from current behavior.

Some of the alternative libraries have advantages over OpenSSL in
certain areas.

For example, gnutls has vastly superior PKCS11 support. One can use
client TLS private keys by supplying a PKCS11 URI instead of a private
key file name. The TLS server cert trust store can be a PKCS11 URI,
e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust".
Now server certs can be stored in a software and/or hardware HSM(s).
This doesn't work with OpenSSL.

However, some software only supports OpenSSL for TLS or other crypto
functions. So it might be necessary to enable OpenSSL for that reason.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
---
package/libcurl/Config.in | 28 ++++++++++++++++++++++++++++
package/libcurl/libcurl.mk | 15 ++++++++-------
2 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/package/libcurl/Config.in b/package/libcurl/Config.in
index 21c2ee2b7f..0b2334beb9 100644
--- a/package/libcurl/Config.in
+++ b/package/libcurl/Config.in
@@ -19,4 +19,32 @@ config BR2_PACKAGE_LIBCURL_VERBOSE
help
Enable verbose text strings
+choice
+ prompt "SSL/TLS library to use"
+ default BR2_PACKAGE_LIBCURL_OPENSSL if BR2_PACKAGE_OPENSSL
+ default BR2_PACKAGE_LIBCURL_GNUTLS if BR2_PACKAGE_GNUTLS
+ default BR2_PACKAGE_LIBCURL_LIBNSS if BR2_PACKAGE_LIBNSS
+ default BR2_PACKAGE_LIBCURL_MBEDTLS if BR2_PACKAGE_MBEDTLS
+
+config BR2_PACKAGE_LIBCURL_OPENSSL
+ bool "OpenSSL"
+ depends on BR2_PACKAGE_OPENSSL
+
+config BR2_PACKAGE_LIBCURL_GNUTLS
+ bool "GnuTLS"
+ depends on BR2_PACKAGE_GNUTLS
+
+config BR2_PACKAGE_LIBCURL_LIBNSS
+ bool "NSS"
+ depends on BR2_PACKAGE_LIBNSS
+
+config BR2_PACKAGE_LIBCURL_MBEDTLS
+ bool "mbed TLS"
+ depends on BR2_PACKAGE_MBEDTLS
+
+config BR2_PACKAGE_LIBCURL_NOSSL
+ bool "No SSL/TLS support"
+
+endchoice
+
endif
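Review bot: BR2_PACKAGE_LIBCURL_NOSSL stays selectable even when one or more TLS libraries are enabled, so a stray selection quietly yields a libcurl that cannot speak HTTPS at all; either add `depends on !BR2_PACKAGE_OPENSSL && !BR2_PACKAGE_GNUTLS && !BR2_PACKAGE_LIBNSS && !BR2_PACKAGE_MBEDTLS` to that entry so it only appears when nothing else can be chosen, or make the whole choice depend on at least one of the four libraries being enabled. The choice also has no help text; since each entry only `depends on` its library and does not `select` it, a short help block saying that the library package must be enabled first, and that the default follows the previous OpenSSL, GnuTLS, NSS, mbed TLS preference order, would save users from hunting for a greyed-out option.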
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index c3da8aa3e5..ac368fbb53 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -35,7 +35,7 @@ endif
LIBCURL_CONFIG_SCRIPTS = curl-config
-ifeq ($(BR2_PACKAGE_OPENSSL),y)
+ifeq ($(BR2_PACKAGE_LIBCURL_OPENSSL),y)
LIBCURL_DEPENDENCIES += openssl
# configure adds the cross openssl dir to LD_LIBRARY_PATH which screws up
# native stuff during the rest of configure when target == host.
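Review bot: the `ifeq` chain now tests libcurl's own choice symbols instead of the library packages, but nothing in the .mk says so; a one-line comment above this `ifeq` noting that the BR2_PACKAGE_LIBCURL_* symbols come from the Config.in choice and that at most one of them is set would stop a later reader from "fixing" the condition back to `BR2_PACKAGE_OPENSSL`, which would silently reintroduce the automatic backend pick this patch removes.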
@@ -44,15 +44,16 @@ LIBCURL_DEPENDENCIES += openssl
LIBCURL_CONF_ENV += LD_LIBRARY_PATH=$(if $(LD_LIBRARY_PATH),$(LD_LIBRARY_PATH):)/lib:/usr/lib
LIBCURL_CONF_OPTS += --with-ssl=$(STAGING_DIR)/usr \
--with-ca-path=/etc/ssl/certs
-else ifeq ($(BR2_PACKAGE_GNUTLS),y)
-LIBCURL_CONF_OPTS += --with-gnutls=$(STAGING_DIR)/usr
+else ifeq ($(BR2_PACKAGE_LIBCURL_GNUTLS),y)
+LIBCURL_CONF_OPTS += --with-gnutls=$(STAGING_DIR)/usr --without-ssl
LIBCURL_DEPENDENCIES += gnutls
-else ifeq ($(BR2_PACKAGE_LIBNSS),y)
-LIBCURL_CONF_OPTS += --with-nss=$(STAGING_DIR)/usr
+else ifeq ($(BR2_PACKAGE_LIBCURL_LIBNSS),y)
+LIBCURL_CONF_OPTS += --with-nss=$(STAGING_DIR)/usr --without-ssl --without-gnutls
LIBCURL_CONF_ENV += CPPFLAGS="$(TARGET_CPPFLAGS) `$(PKG_CONFIG_HOST_BINARY) nspr nss --cflags`"
LIBCURL_DEPENDENCIES += libnss
-else ifeq ($(BR2_PACKAGE_MBEDTLS),y)
-LIBCURL_CONF_OPTS += --with-mbedtls=$(STAGING_DIR)/usr
+else ifeq ($(BR2_PACKAGE_LIBCURL_MBEDTLS),y)
+LIBCURL_CONF_OPTS += --with-mbedtls=$(STAGING_DIR)/usr \
+ --without-ssl --without-gnutls --without-nss
LIBCURL_DEPENDENCIES += mbedtls
else
LIBCURL_CONF_OPTS += --without-ssl --without-gnutls \
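Review bot: only the OpenSSL branch passes `--with-ca-path=/etc/ssl/certs`; when GnuTLS, NSS or mbed TLS is selected configure receives no CA location, and curl's configure skips its CA bundle/path autodetection when cross-compiling, so the resulting libcurl has no compiled-in trust store and certificate verification is likely to fail unless every caller supplies one. Moving `--with-ca-path=/etc/ssl/certs` out of the OpenSSL branch into the common options (or into each TLS branch; for NSS configure may require `--with-ca-bundle` instead, so that branch needs checking) keeps verification working for whichever backend is chosen. Secondly, the `--without-*` lists grow asymmetrically down the chain (GnuTLS drops only `--without-ssl`, NSS adds `--without-gnutls`, mbed TLS adds `--without-nss`), which relies on the order in which configure probes the backends; passing the complete set of `--without-` flags minus the selected backend in every branch, for instance from a single variable, would make the selection explicit and robust against changes in configure's probe order.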
--
2.14.4
* [Buildroot] [PATCH] libcurl: Allow selection of TLS package libcurl will use
@ 2018-11-08 21:33 ` Peter Korsgaard
From: Peter Korsgaard @ 2018-11-08 21:33 UTC (permalink / raw)
To: buildroot
>>>>> "Trent" == Trent Piepho <tpiepho@impinj.com> writes:
> Instead of defaulting to OpenSSL, allow selection of package to use
> through a choice in libcurl's config. The default will be to select the
> first enabled TLS provider in the same preference order as is used now,
> i.e. no change from current behavior.
> Some of the alternative libraries have advantages over OpenSSL in
> certain areas.
> For example, gnutls has vastly superior PKCS11 support. One can use
> client TLS private keys by supplying a PKCS11 URI instead of a private
> key file name. The TLS server cert trust store can be a PKCS11 URI,
> e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust".
> Now server certs can be stored in a software and/or hardware HSM(s).
> This doesn't work with OpenSSL.
> However, some software only supports OpenSSL for TLS or other crypto
> functions. So it might be necessary to enable OpenSSL for that reason.
Ok, nice description.
> Signed-off-by: Trent Piepho <tpiepho@impinj.com>
> ---
> package/libcurl/Config.in | 28 ++++++++++++++++++++++++++++
> package/libcurl/libcurl.mk | 15 ++++++++-------
> 2 files changed, 36 insertions(+), 7 deletions(-)
> diff --git a/package/libcurl/Config.in b/package/libcurl/Config.in
> index 21c2ee2b7f..0b2334beb9 100644
> --- a/package/libcurl/Config.in
> +++ b/package/libcurl/Config.in
> @@ -19,4 +19,32 @@ config BR2_PACKAGE_LIBCURL_VERBOSE
> help
> Enable verbose text strings
> +choice
> + prompt "SSL/TLS library to use"
> + default BR2_PACKAGE_LIBCURL_OPENSSL if BR2_PACKAGE_OPENSSL
> + default BR2_PACKAGE_LIBCURL_GNUTLS if BR2_PACKAGE_GNUTLS
> + default BR2_PACKAGE_LIBCURL_LIBNSS if BR2_PACKAGE_LIBNSS
> + default BR2_PACKAGE_LIBCURL_MBEDTLS if BR2_PACKAGE_MBEDTLS
kconfig defaults to the first available option, so these default .. if
.. can be removed.
> +
> +config BR2_PACKAGE_LIBCURL_OPENSSL
> + bool "OpenSSL"
> + depends on BR2_PACKAGE_OPENSSL
> +
> +config BR2_PACKAGE_LIBCURL_GNUTLS
> + bool "GnuTLS"
> + depends on BR2_PACKAGE_GNUTLS
> +
> +config BR2_PACKAGE_LIBCURL_LIBNSS
> + bool "NSS"
> + depends on BR2_PACKAGE_LIBNSS
> +
> +config BR2_PACKAGE_LIBCURL_MBEDTLS
> + bool "mbed TLS"
> + depends on BR2_PACKAGE_MBEDTLS
> +
> +config BR2_PACKAGE_LIBCURL_NOSSL
> + bool "No SSL/TLS support"
Is there really a use case for building curl without TLS support if one
or more of the libraries are available? If not, then I would simply make
the choice depend on openssl || gnutls || libnss || mbedtls and drop
this nossl option.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH] libcurl: Allow selection of TLS package libcurl will use
@ 2018-11-08 21:55 ` Trent Piepho
From: Trent Piepho @ 2018-11-08 21:55 UTC (permalink / raw)
To: buildroot
On Thu, 2018-11-08 at 22:33 +0100, Peter Korsgaard wrote:
> > > > > > "Trent" == Trent Piepho <tpiepho@impinj.com> writes:
>
> > +choice
> > + prompt "SSL/TLS library to use"
> > + default BR2_PACKAGE_LIBCURL_OPENSSL if BR2_PACKAGE_OPENSSL
> > + default BR2_PACKAGE_LIBCURL_GNUTLS if BR2_PACKAGE_GNUTLS
> > + default BR2_PACKAGE_LIBCURL_LIBNSS if BR2_PACKAGE_LIBNSS
> > + default BR2_PACKAGE_LIBCURL_MBEDTLS if BR2_PACKAGE_MBEDTLS
>
> kconfig defaults to the first available option, so these default .. if
> .. can be removed.
I thought I had to do this, but it's been a while since I made this
patch. I'll remove them.
>
> > +
> > +config BR2_PACKAGE_LIBCURL_NOSSL
> > + bool "No SSL/TLS support"
>
> Is there really a use case for building curl without TLS support if one
> or more of the libraries are available? If not, then I would simply make
> the choice depend on openssl || gnutls || libnss || mbedtls and drop
> this nossl option.
I can't think of one besides minimizing the size of libcurl. Though I
expect someone after that level of optimization would have already
turned off all TLS libraries and they don't need this option either.
It just seemed to cover all the bases consistently. I think kconfig
doesn't like it if the choice has no options selected?
Perhaps I should change this last one to a comment "no tls" stanza,
enabled when no tls support is present, that explains one needs a tls
library.