[core] preprocessor option to force crypto lib

add preprocessor option to force crypto lib used by lighttpd base
-DFORCE_MBEDTLS_CRYPTO for mbed TLS
or -DFORCE_WOLFSSL_CRYPTO for WolfSSL

This a

[core] preprocessor option to force crypto lib

add preprocessor option to force crypto lib used by lighttpd base
-DFORCE_MBEDTLS_CRYPTO for mbed TLS
or -DFORCE_WOLFSSL_CRYPTO for WolfSSL

This allows building lighttpd with support for multiple TLS modules,
and at the same time specifying the lighttpd base crypto lib dependency.

(Packages such as OpenWRT lighttpd package would need to update
package dependency along with specifying the preprocessor define)

If lighttpd is built with meson and without "-Dwith_nettle=true",
then lighttpd will use mbed TLS if built with "-Dwith_mbedtls",
so the preprocessor option is not strictly necessary for mbed TLS.
However, if built with "-Dwith_mbedtls" and "-Dwith_wolfssl" *and*
without "-Dwith_nettle=true" *and* lighttpd base crypto dependency
on WolfSSL is desired, then CFLAGS -DFORCE_WOLFSSL_CRYPTO is needed,
e.g. with a patch to add it to 'defs' near the top of src/meson.build.

x-ref:
"lighttpd authentication modules depends on libnettle"
https://github.com/openwrt/packages/issues/18851

show more ...

[core] set NSS_VER_INCLUDE after crypto lib select

[multiple] include wolfssl/options.h after select

include wolfssl/options.h crypto lib config
after selecting crypto lib to use

wolfSSL does not prefix its defines with a wolfSSL-specific namespace

[multiple] include wolfssl/options.h after select

include wolfssl/options.h crypto lib config
after selecting crypto lib to use

wolfSSL does not prefix its defines with a wolfSSL-specific namespace
(so we would like to avoid unnecessarily polluting preproc namespace)

This commit further isolates wolfSSL after split from mod_openssl.
Cleans up some preprocessor logic that was put in place when using
the wolfSSL compatibility layer for openssl, before creating a
dedicated mod_wolfssl.

show more ...

[multiple] include mbedtls/config.h after select

include mbedtls/config.h crypto lib config
after selecting crypto lib to use

[core] adjust wolfssl workaround for another case

adjust wolfssl types.h workaround for another edge case

[core] workaround fragile code in wolfssl types.h

workaround fragile code in wolfssl/wolfcrypto/types.h

Including header blows up compile in 32-bit when lighttpd meson build
in OpenWRT on a 32-bit

[core] workaround fragile code in wolfssl types.h

workaround fragile code in wolfssl/wolfcrypto/types.h

Including header blows up compile in 32-bit when lighttpd meson build
in OpenWRT on a 32-bit platform generates lighttpd config.h containing
define of SIZEOF_LONG, but not SIZEOF_LONG_LONG, and the wolfssl types.h
flubs and fails to choose an enum value used by a macro that is unused
by most consumers of the wolfssl header.

show more ...

[build] WITHOUT_LIB_CRYPTO option in code

(not (yet?) an end-user option in the build system)
(If extended to build system, build system should also unset CRYPTO_LIB)

If WITHOUT_LIB_CRYPTO is defin

[build] WITHOUT_LIB_CRYPTO option in code

(not (yet?) an end-user option in the build system)
(If extended to build system, build system should also unset CRYPTO_LIB)

If WITHOUT_LIB_CRYPTO is defined in sys-crypto.h, then non-TLS modules
will have access to MD5() and SHA1() built with lighttpd (algo_md5.[ch]
and algo_sha1.[ch]), but not to other message digest algorithms.

As of this commit, this affects only mod_secdownload with SHA256 digest
and mod_auth* modules using HTTP Digest Auth with digest=SHA-256, which
is not currently well-supported by client browers (besides Opera)

show more ...

[build] detect nss3/nss.h or nss/nss.h for NSS

[multiple] test for nss includes

some distro packages deploy NSS includes under nss/, others nss3/
(and similar for nspr/ vs nspr4/)

[multiple] use NSS crypto if no other crypto avail

use NSS crypto if no other crypto avail, but NSS crypto is available

"NSS crypto support" is not included in tests/LightyTest.pm:has_crypto()
due

[multiple] use NSS crypto if no other crypto avail

use NSS crypto if no other crypto avail, but NSS crypto is available

"NSS crypto support" is not included in tests/LightyTest.pm:has_crypto()
due to NSS libraries (freebl3) lacking public export for HMAC funcs

show more ...

[mod_wolfssl] standalone module

standalone module forked from mod_openssl

[mod_openssl] prefer some WolfSSL native APIs

Prefer some WolfSSL native APIs when building with WolfSSL.

However, some functionality in WolfSSL is available only through the
WolfSSL compatibility

[mod_openssl] prefer some WolfSSL native APIs

Prefer some WolfSSL native APIs when building with WolfSSL.

However, some functionality in WolfSSL is available only through the
WolfSSL compatibility layer for OpenSSL, so the effort to create a
native mod_wolfssl halted here.

show more ...

[mod_nss] NSS option for TLS (fixes #1218)

(experimental)

WARNING: EXPERIMENTAL code sketch; mod_nss is INCOMPLETE and UNTESTED

mod_nss supports most ssl.* config options supported by mod_openssl

[mod_nss] NSS option for TLS (fixes #1218)

(experimental)

WARNING: EXPERIMENTAL code sketch; mod_nss is INCOMPLETE and UNTESTED

mod_nss supports most ssl.* config options supported by mod_openssl

x-ref:
"alternate ssl backend"
https://redmine.lighttpd.net/issues/1218

show more ...

[mod_gnutls] GnuTLS option for TLS (fixes #109)

(experimental)

mod_gnutls supports most ssl.* config options supported by mod_openssl

x-ref:
"GnuTLS support for the mod_ssl"
https://redmine.li

[mod_gnutls] GnuTLS option for TLS (fixes #109)

(experimental)

mod_gnutls supports most ssl.* config options supported by mod_openssl

x-ref:
"GnuTLS support for the mod_ssl"
https://redmine.lighttpd.net/issues/109

show more ...

[mod_mbedtls] mbedTLS option for TLS

(experimental)

mod_mbedtls supports most ssl.* config options supported by mod_openssl

thx Ward Willats for the initial discussion and attempt in the comments

[mod_mbedtls] mbedTLS option for TLS

(experimental)

mod_mbedtls supports most ssl.* config options supported by mod_openssl

thx Ward Willats for the initial discussion and attempt in the comments
https://redmine.lighttpd.net/boards/3/topics/7029

show more ...

[multiple] ./configure --with-nettle to use Nettle

./configure --with-nettle to use Nettle crypto lib for algorithms,
instead of OpenSSL or wolfSSL. Note: Nettle does not provide TLS.

x-ref:
"Ho

[multiple] ./configure --with-nettle to use Nettle

./configure --with-nettle to use Nettle crypto lib for algorithms,
instead of OpenSSL or wolfSSL. Note: Nettle does not provide TLS.

x-ref:
"How to use SHA-256 without OpenSSL?"
https://redmine.lighttpd.net/boards/2/topics/8903

show more ...

[mod_openssl] add support for wolfSSL

requires wolfSSL library version 3.15.3 or later
https://www.wolfssl.com/
https://github.com/wolfSSL/wolfssl

(thx dgarske)

x-ref:
"Adds support for building

[mod_openssl] add support for wolfSSL

requires wolfSSL library version 3.15.3 or later
https://www.wolfssl.com/
https://github.com/wolfSSL/wolfssl

(thx dgarske)

x-ref:
"Adds support for building Lighttpd with wolfSSL"
https://github.com/lighttpd/lighttpd1.4/pull/92

show more ...

[TLS] sys-crypto.h abstraction

(add the header)