
lighttpd:

 * drop support for cyassl as it lacks support for the following functions required by the latest (1.4.34) lighttpd version: BIO_s_file, BIO_read_filename, PEM_read_bio_X509, X509_check_private_key


git-svn-id: file:///var/svn/freetz/trunk@11596 149334a1-2f27-0410-a3b9-fc62619ac1e6
commit d2ffdb9e7a43d89d8c23961f4531f19cd0314853 1 parent 932c2ae
er13 authored
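--- a/make/lighttpd/Config.in
+++ b/make/lighttpd/Config.in
@@ -23,21 +23,12 @@ config FREETZ_PACKAGE_LIGHTTPD
 config FREETZ_PACKAGE_LIGHTTPD_WITH_SSL
 bool "build with SSL support"
 depends on FREETZ_PACKAGE_LIGHTTPD
- select FREETZ_LIB_libcrypto if ! FREETZ_PACKAGE_LIGHTTPD_USE_CYASSL
- select FREETZ_LIB_libssl if ! FREETZ_PACKAGE_LIGHTTPD_USE_CYASSL
+ select FREETZ_LIB_libcrypto
+ select FREETZ_LIB_libssl
 default n
 help
 This option enables SSL support for lighttpd.
-config FREETZ_PACKAGE_LIGHTTPD_USE_CYASSL
- bool
-# bool "Use cyassl instead of openssl"
- depends on FREETZ_PACKAGE_LIGHTTPD_WITH_SSL
- select FREETZ_LIB_libcyassl
- default n
- help
- Use lightweight cyassl as SSL library.
-
 config FREETZ_PACKAGE_LIGHTTPD_LDD
 bool "Include LDD support"
 depends on FREETZ_PACKAGE_LIGHTTPD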
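Review bot: The help text of FREETZ_PACKAGE_LIGHTTPD_WITH_SSL does not say which TLS library the option pulls in, and after this change OpenSSL is the only backend, since the two `select` lines now add libcrypto and libssl unconditionally. I would extend the help to `This option enables SSL support for lighttpd. It links against OpenSSL (libssl, libcrypto).` so that whoever enables it knows the firmware then carries OpenSSL and has to track its security updates. FREETZ_PACKAGE_LIGHTTPD_USE_CYASSL disappears in this section; if anything outside this page still tests it, Kconfig will treat it as unset without warning, so a tree-wide search for the name is worth doing before merging.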
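--- a/make/lighttpd/lighttpd.mk
+++ b/make/lighttpd/lighttpd.mk
@@ -28,7 +28,6 @@ $(PKG)_MODULES_TARGET_DIR := $($(PKG)_MODULES:%=$($(PKG)_DEST_DIR)$($(PKG)_MODUL
 $(PKG)_NOT_INCLUDED := $(patsubst %,$($(PKG)_DEST_DIR)$($(PKG)_MODULES_DIR)/mod_%.so,$(filter-out $($(PKG)_MODULES),$($(PKG)_MODULES_ALL)))
 $(PKG)_REBUILD_SUBOPTS += FREETZ_PACKAGE_LIGHTTPD_WITH_SSL
-$(PKG)_REBUILD_SUBOPTS += FREETZ_PACKAGE_LIGHTTPD_USE_CYASSL
 $(PKG)_REBUILD_SUBOPTS += FREETZ_PACKAGE_LIGHTTPD_WITH_LUA
 $(PKG)_REBUILD_SUBOPTS += FREETZ_PACKAGE_LIGHTTPD_MOD_COMPRESS
 $(PKG)_REBUILD_SUBOPTS += FREETZ_PACKAGE_LIGHTTPD_MOD_WEBDAV_WITH_PROPS
@@ -39,20 +38,12 @@ $(PKG)_REBUILD_SUBOPTS += FREETZ_TARGET_IPV6_SUPPORT
 $(PKG)_DEPENDS_ON := pcre
 ifeq ($(strip $(FREETZ_PACKAGE_LIGHTTPD_WITH_SSL)),y)
-$(PKG)_CONFIGURE_OPTIONS += --with-openssl=yes
-$(PKG)_CONFIGURE_OPTIONS += --with-openssl-libs="$(TARGET_TOOLCHAIN_STAGING_DIR)/usr/lib"
-ifeq ($(strip $(FREETZ_PACKAGE_LIGHTTPD_USE_CYASSL)),y)
-$(PKG)_DEPENDS_ON += cyassl
-$(PKG)_CONFIGURE_OPTIONS += --with-openssl-includes="$(TARGET_TOOLCHAIN_STAGING_DIR)/usr/include/cyassl"
-$(PKG)_CONFIGURE_ENV += OPENSSL_ALTERNATIVE=cyassl
-$(PKG)_CONFIGURE_ENV += OPENSSL_ALTERNATIVE_FCT_PREFIX=Cya
-$(PKG)_CONFIGURE_ENV += OPENSSL_ALTERNATIVE_EXTRALIBS="-lm -lz"
-else
 $(PKG)_REBUILD_SUBOPTS += FREETZ_OPENSSL_SHLIB_VERSION
 $(PKG)_DEPENDS_ON += openssl
+$(PKG)_CONFIGURE_OPTIONS += --with-openssl=yes
+$(PKG)_CONFIGURE_OPTIONS += --with-openssl-libs="$(TARGET_TOOLCHAIN_STAGING_DIR)/usr/lib"
 $(PKG)_CONFIGURE_OPTIONS += --with-openssl-includes="$(TARGET_TOOLCHAIN_STAGING_DIR)/usr/include"
 endif
-endif
 ifeq ($(strip $(FREETZ_PACKAGE_LIGHTTPD_MOD_COMPRESS)),y)
 $(PKG)_DEPENDS_ON += zlib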
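Review bot: With the cyassl branch gone, the `ifeq` on FREETZ_PACKAGE_LIGHTTPD_WITH_SSL in the second hunk has no `else`, so a build without SSL passes no OpenSSL switch at all and depends on whatever lighttpd's configure does by default. If that default ever probes the staging directory, an image configured without SSL could still end up linked against libssl; adding `else` followed by `$(PKG)_CONFIGURE_OPTIONS += --with-openssl=no` before the `endif` pins the result either way. The old code had the same gap, and the risk is inferred, since configure's default is not visible on this page.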
283 make/lighttpd/patches/200-openssl-alternative.patch.disabled
@@ -1,283 +0,0 @@
---- configure
-+++ configure
-@@ -14346,51 +14346,25 @@
- done
-
- OLDLIBS="$LIBS"
-- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for BIO_f_base64 in -lcrypto" >&5
--$as_echo_n "checking for BIO_f_base64 in -lcrypto... " >&6; }
--if ${ac_cv_lib_crypto_BIO_f_base64+:} false; then :
-- $as_echo_n "(cached) " >&6
--else
-- ac_check_lib_save_LIBS=$LIBS
--LIBS="-lcrypto $LIBS"
--cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--/* end confdefs.h. */
--
--/* Override any GCC internal prototype to avoid an error.
-- Use char because int might match the return type of a GCC
-- builtin and then its argument prototype would still apply. */
--#ifdef __cplusplus
--extern "C"
--#endif
--char BIO_f_base64 ();
--int
--main ()
--{
--return BIO_f_base64 ();
-- ;
-- return 0;
--}
--_ACEOF
--if ac_fn_c_try_link "$LINENO"; then :
-- ac_cv_lib_crypto_BIO_f_base64=yes
--else
-- ac_cv_lib_crypto_BIO_f_base64=no
--fi
--rm -f core conftest.err conftest.$ac_objext \
-- conftest$ac_exeext conftest.$ac_ext
--LIBS=$ac_check_lib_save_LIBS
--fi
--{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_BIO_f_base64" >&5
--$as_echo "$ac_cv_lib_crypto_BIO_f_base64" >&6; }
--if test "x$ac_cv_lib_crypto_BIO_f_base64" = xyes; then :
--
-- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_new in -lssl" >&5
--$as_echo_n "checking for SSL_new in -lssl... " >&6; }
--if ${ac_cv_lib_ssl_SSL_new+:} false; then :
-+ if [ -n "$OPENSSL_ALTERNATIVE" ]; then
-+ SSL_NEW_LIB="$OPENSSL_ALTERNATIVE"
-+ SSL_NEW_FCT_PREFIX="$OPENSSL_ALTERNATIVE_FCT_PREFIX"
-+ SSL_NEW_EXTRALIBS="$OPENSSL_ALTERNATIVE_EXTRALIBS"
-+ CPPFLAGS="$CPPFLAGS -DUSE_OPENSSL_ALTERNATIVE=$OPENSSL_ALTERNATIVE"
-+ else
-+ SSL_NEW_LIB="ssl"
-+ SSL_NEW_EXTRALIBS="-lcrypto"
-+ fi
-+# NB: Lighttpd doesn't call the BIO_f_base64 function at all. So the test for it is actually unnecessary.
-+# That's the reason we removed it. This also makes it possible to use alternative ssl implementations
-+# which do not provide this function.
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_new in -l${SSL_NEW_LIB}" >&5
-+$as_echo_n "checking for ${SSL_NEW_FCT_PREFIX}SSL_new in -l${SSL_NEW_LIB}... " >&6; }
-+if test "$(eval echo \${ac_cv_lib_${SSL_NEW_LIB}_SSL_new+set})" = set; then :
- $as_echo_n "(cached) " >&6
- else
- ac_check_lib_save_LIBS=$LIBS
--LIBS="-lssl -lcrypto "$DL_LIB" $LIBS"
-+LIBS="-l${SSL_NEW_LIB} ${SSL_NEW_EXTRALIBS} "$DL_LIB" $LIBS"
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
-@@ -14400,35 +14374,34 @@
- #ifdef __cplusplus
- extern "C"
- #endif
--char SSL_new ();
-+char ${SSL_NEW_FCT_PREFIX}SSL_new ();
- int
- main ()
- {
--return SSL_new ();
-+return ${SSL_NEW_FCT_PREFIX}SSL_new ();
- ;
- return 0;
- }
- _ACEOF
- if ac_fn_c_try_link "$LINENO"; then :
-- ac_cv_lib_ssl_SSL_new=yes
-+ eval ac_cv_lib_${SSL_NEW_LIB}_SSL_new=yes
- else
-- ac_cv_lib_ssl_SSL_new=no
-+ eval ac_cv_lib_${SSL_NEW_LIB}_SSL_new=no
- fi
- rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
- LIBS=$ac_check_lib_save_LIBS
- fi
--{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_new" >&5
--$as_echo "$ac_cv_lib_ssl_SSL_new" >&6; }
--if test "x$ac_cv_lib_ssl_SSL_new" = xyes; then :
-- SSL_LIB="-lssl -lcrypto"
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $(eval echo \$ac_cv_lib_${SSL_NEW_LIB}_SSL_new)" >&5
-+$as_echo "$(eval echo \$ac_cv_lib_${SSL_NEW_LIB}_SSL_new)" >&6; }
-+if test "x$(eval echo \$ac_cv_lib_${SSL_NEW_LIB}_SSL_new)" = x""yes; then :
-+ SSL_LIB="-l${SSL_NEW_LIB} ${SSL_NEW_EXTRALIBS}"
-
- $as_echo "#define HAVE_LIBSSL /**/" >>confdefs.h
-
- fi
-
-
--fi
-
- LIBS="$OLDLIBS"
-
---- src/base.h
-+++ src/base.h
-@@ -323,8 +323,10 @@
- /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
- EVP_PKEY *ssl_pemfile_pkey;
- X509 *ssl_pemfile_x509;
-+#if !(defined(USE_OPENSSL_ALTERNATIVE) && USE_OPENSSL_ALTERNATIVE==cyassl)
- STACK_OF(X509_NAME) *ssl_ca_file_cert_names;
- #endif
-+#endif
- } specific_config;
-
- /* the order of the items should be the same as they are processed
---- src/configfile.c
-+++ src/configfile.c
-@@ -344,8 +344,10 @@
- #endif
- PATCH(ssl_ca_file);
- #ifdef USE_OPENSSL
-+#if !(defined(USE_OPENSSL_ALTERNATIVE) && USE_OPENSSL_ALTERNATIVE==cyassl)
- PATCH(ssl_ca_file_cert_names);
- #endif
-+#endif
- PATCH(ssl_cipher_list);
- PATCH(ssl_dh_file);
- PATCH(ssl_ec_curve);
-@@ -419,8 +421,10 @@
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
- PATCH(ssl_ca_file);
- #ifdef USE_OPENSSL
-+#if !(defined(USE_OPENSSL_ALTERNATIVE) && USE_OPENSSL_ALTERNATIVE==cyassl)
- PATCH(ssl_ca_file_cert_names);
- #endif
-+#endif
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
- PATCH(ssl_honor_cipher_order);
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.empty-fragments"))) {
---- src/connections.c
-+++ src/connections.c
-@@ -1348,7 +1348,9 @@
- }
-
- con->renegotiations = 0;
-+#if !(defined(USE_OPENSSL_ALTERNATIVE) && USE_OPENSSL_ALTERNATIVE==cyassl)
- SSL_set_app_data(con->ssl, con);
-+#endif
- SSL_set_accept_state(con->ssl);
-
- if (1 != (SSL_set_fd(con->ssl, cnt))) {
---- src/network.c
-+++ src/network.c
-@@ -40,6 +40,7 @@
- #endif
-
- #ifdef USE_OPENSSL
-+#if !(defined(USE_OPENSSL_ALTERNATIVE) && USE_OPENSSL_ALTERNATIVE==cyassl)
- static void ssl_info_callback(const SSL *ssl, int where, int ret) {
- UNUSED(ret);
-
-@@ -49,6 +50,7 @@
- }
- }
- #endif
-+#endif
-
- static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
- server_socket *srv_socket = (server_socket *)context;
-@@ -137,6 +139,12 @@
- }
-
- if (con->conf.ssl_verifyclient) {
-+#if (defined(USE_OPENSSL_ALTERNATIVE) && USE_OPENSSL_ALTERNATIVE==cyassl)
-+ log_error_write(
-+ srv, __FILE__, __LINE__, "s",
-+ "SSL: ssl.verifyclient feature is not available when lighttpd is linked against cyassl"
-+ );
-+#else
- if (NULL == con->conf.ssl_ca_file_cert_names) {
- log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
- "can't verify client without ssl.ca-file for TLS server name", con->tlsext_server_name,
-@@ -152,6 +160,7 @@
- NULL
- );
- SSL_set_verify_depth(ssl, con->conf.ssl_verifyclient_depth);
-+#endif
- }
-
- return SSL_TLSEXT_ERR_OK;
-@@ -731,6 +740,7 @@
- }
-
-
-+#if !(defined(USE_OPENSSL_ALTERNATIVE) && USE_OPENSSL_ALTERNATIVE==cyassl)
- if (!buffer_is_empty(s->ssl_ca_file)) {
- s->ssl_ca_file_cert_names = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
- if (NULL == s->ssl_ca_file_cert_names) {
-@@ -738,6 +748,7 @@
- lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf)), s->ssl_ca_file);
- }
- }
-+#endif
-
- if (buffer_is_empty(s->ssl_pemfile) || !s->ssl_enabled) continue;
-
-@@ -766,7 +777,9 @@
- }
-
- SSL_CTX_set_options(s->ssl_ctx, ssloptions);
-+#if !(defined(USE_OPENSSL_ALTERNATIVE) && USE_OPENSSL_ALTERNATIVE==cyassl)
- SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
-+#endif
-
- if (!s->ssl_use_sslv2) {
- /* disable SSLv2 */
-@@ -878,6 +891,13 @@
- }
-
- if (s->ssl_verifyclient) {
-+#if (defined(USE_OPENSSL_ALTERNATIVE) && USE_OPENSSL_ALTERNATIVE==cyassl)
-+# warning client verification is not available when linking against cyassl
-+ log_error_write(
-+ srv, __FILE__, __LINE__, "s",
-+ "SSL: ssl.verifyclient feature is not available when lighttpd is linked against cyassl"
-+ );
-+#else
- if (NULL == s->ssl_ca_file_cert_names) {
- log_error_write(srv, __FILE__, __LINE__, "s",
- "SSL: You specified ssl.verifyclient.activate but no ca_file"
-@@ -891,6 +911,7 @@
- NULL
- );
- SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
-+#endif
- }
-
- if (SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509) < 0) {
---- src/response.c
-+++ src/response.c
-@@ -133,6 +133,9 @@
-
- #ifdef USE_OPENSSL
- static void https_add_ssl_entries(connection *con) {
-+#if (defined(USE_OPENSSL_ALTERNATIVE) && USE_OPENSSL_ALTERNATIVE==cyassl)
-+# warning client verification is not available when linking against cyassl
-+#else
- X509 *xs;
- X509_NAME *xn;
- X509_NAME_ENTRY *xe;
-@@ -208,6 +211,7 @@
- }
- }
- X509_free(xs);
-+#endif
- }
- #endif
-
---- src/server.c
-+++ src/server.c
-@@ -316,8 +316,10 @@
- SSL_CTX_free(s->ssl_ctx);
- EVP_PKEY_free(s->ssl_pemfile_pkey);
- X509_free(s->ssl_pemfile_x509);
-+#if !(defined(USE_OPENSSL_ALTERNATIVE) && USE_OPENSSL_ALTERNATIVE==cyassl)
- if (NULL != s->ssl_ca_file_cert_names) sk_X509_NAME_pop_free(s->ssl_ca_file_cert_names, X509_NAME_free);
- #endif
-+#endif
- free(s);
- }
- free(srv->config_storage);