[PATCH 4/5] target: grand flash devices should use OpenSSL

Petr Štetiar ynezz at true.cz
Thu Jun 15 07:32:11 PDT 2023


During the years we've learned it hard way, that we needed to make a lot
of compromises while using flash space friendly micro TLS libraries like
mbedTLS/wolfSSL in order to provide more or less up to date security
features on most supported devices.

Most recent, reasonably capable devices have plenty of storage space, so
there is no need to make such compromises anymore; we could simply use
the battle-tested OpenSSL on such targets by default, as the storage space
increase is around 1.5 MiB, which is a no-brainer.

So lets make it possible to use OpenSSL on grand flash devices and
switch to libustream-openssl and wpad-basic-openssl by default there.

This should have no functional change, the target needs to actually
explicitly define `FEATURES := grand_flash` in order to have OpenSSL by
default.

References: #12874
Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
 config/Config-build.in | 20 ++++++++++++++++++++
 include/target.mk      | 24 ++++++++++++++++++++++--
 target/Config.in       |  3 +++
 3 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/config/Config-build.in b/config/Config-build.in
index df2d9101ca99..10c77cafdc6b 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -130,6 +130,26 @@ menu "Global build settings"
 		  Useful for release builds, so that kernel issues can be debugged offline
 		  later.
 
+	choice
+		prompt "TLS provider"
+		default TLS_PROVIDER_MBEDTLS if !GRAND_FLASH
+		default TLS_PROVIDER_OPENSSL if GRAND_FLASH
+		help
+                  This allows to select TLS provider.
+
+	config TLS_PROVIDER_MBEDTLS
+		bool "mbedTLS"
+		select PACKAGE_libustream-mbedtls
+
+	config TLS_PROVIDER_OPENSSL
+		bool "OpenSSL"
+		select PACKAGE_libustream-openssl
+
+	config TLS_PROVIDER_WOLFSSL
+		bool "wolfSSL"
+		select PACKAGE_libustream-wolfssl
+	endchoice
+
 	menu "Kernel build options"
 
 	source "config/Config-kernel.in"
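Review bot: The help text of the new "TLS provider" choice tells the user nothing about what the choice actually drives, and its one line is indented with spaces while the surrounding file (see the context lines above the hunk) uses tabs. Since the selected provider decides both the libustream variant pulled in here and, via WIRELESS_SUPPORT, the wpad-basic variant, the help should say so; something like `Selects the TLS library behind libustream and wpad-basic. OpenSSL is the default on grand_flash targets and costs roughly 1.5 MiB more storage than mbedTLS.` The GRAND_FLASH symbol the two `default` lines test is not defined anywhere in this patch, so presumably an earlier patch in the series adds it; worth stating in the commit message which one.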
diff --git a/include/target.mk b/include/target.mk
index 14c202d013d9..450823eb9280 100644
--- a/include/target.mk
+++ b/include/target.mk
@@ -38,10 +38,30 @@ DEFAULT_PACKAGES+=procd-ujail
 endif
 
 # mbedTLS wireless features handling
+ifeq ($(CONFIG_TLS_PROVIDER_MBEDTLS),y)
 DEFAULT_PACKAGES+=libustream-mbedtls
 PACKAGE_NO_WIRELESS:=-wpad-basic-mbedtls
-ifneq($(CONFIG_WIRELESS_SUPPORT),)
-DEFAULT_PACKAGES+=wpad-basic-mbedtls
+  ifneq ($(CONFIG_WIRELESS_SUPPORT),)
+    DEFAULT_PACKAGES+=wpad-basic-mbedtls
+  endif
+endif
+
+# OpenSSL and wireless features handling
+ifeq ($(CONFIG_TLS_PROVIDER_OPENSSL),y)
+DEFAULT_PACKAGES+=libustream-openssl
+PACKAGE_NO_WIRELESS:=-wpad-basic-openssl
+  ifneq ($(CONFIG_WIRELESS_SUPPORT),)
+    DEFAULT_PACKAGES+=wpad-basic-openssl
+  endif
+endif
+
+# wolfSSL wireless features handling
+ifeq ($(CONFIG_TLS_PROVIDER_WOLFSSL),y)
+DEFAULT_PACKAGES+=libustream-wolfssl
+PACKAGE_NO_WIRELESS:=-wpad-basic-wolfssl
+  ifneq ($(CONFIG_WIRELESS_SUPPORT),)
+    DEFAULT_PACKAGES+=wpad-basic-wolfssl
+  endif
 endif
 
 # include seccomp ld-preload hooks if kernel supports it
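Review bot: Once libustream/wpad handling is gated on CONFIG_TLS_PROVIDER_*, a build whose .config has none of the three set to `y` (for instance a .config written before this choice existed, if Kconfig regeneration is skipped) adds no libustream and no wpad-basic package to DEFAULT_PACKAGES and leaves PACKAGE_NO_WIRELESS empty, silently shipping images without TLS and wireless where mbedTLS used to be unconditional. Whether that path is reachable in the normal build flow I cannot tell from the hunk, but a fallback is cheap. The three near-identical blocks also differ only in the provider suffix, so deriving the suffix once and using it in the three package names removes the duplication and makes the fallback a single `else`; the `else ifeq` form needs GNU make 3.81 or newer. The inconsistent indentation inside the blocks (the `DEFAULT_PACKAGES+=` lines at column 0, the nested `ifneq` indented) would go away with it.

```make
# TLS provider handling: pick the library suffix once and derive the
# libustream and wpad-basic package names from it.  Falls back to mbedTLS
# when no CONFIG_TLS_PROVIDER_* is set, so a stale .config never drops TLS
# and wireless support from the default package set.
ifeq ($(CONFIG_TLS_PROVIDER_OPENSSL),y)
  tls_provider:=openssl
else ifeq ($(CONFIG_TLS_PROVIDER_WOLFSSL),y)
  tls_provider:=wolfssl
else
  tls_provider:=mbedtls
endif
DEFAULT_PACKAGES+=libustream-$(tls_provider)
PACKAGE_NO_WIRELESS:=-wpad-basic-$(tls_provider)
ifneq ($(CONFIG_WIRELESS_SUPPORT),)
  DEFAULT_PACKAGES+=wpad-basic-$(tls_provider)
endif
# … unchanged: seccomp ld-preload hooks …
```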
diff --git a/target/Config.in b/target/Config.in
index 195f7161a89b..1099cd9c3db1 100644
--- a/target/Config.in
+++ b/target/Config.in
@@ -124,6 +124,9 @@ config USES_BOOT_PART
 
 config WIRELESS_SUPPORT
 	bool
+	select PACKAGE_wpad-basic-mbedtls if TLS_PROVIDER_MBEDTLS
+	select PACKAGE_wpad-basic-openssl if TLS_PROVIDER_OPENSSL
+	select PACKAGE_wpad-basic-wolfssl if TLS_PROVIDER_WOLFSSL
 
 # Architecture selection
 
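Review bot: The three `select PACKAGE_wpad-basic-* if TLS_PROVIDER_*` lines hard-force the basic wpad variant whenever WIRELESS_SUPPORT is set, which is a different mechanism from the DEFAULT_PACKAGES entries the same patch adds in include/target.mk: a default can be dropped by the user, a `select` cannot. If the wpad variants conflict with each other as they do in the package feed (not visible here), a user choosing the full `wpad-<provider>` or a mesh variant can no longer deselect wpad-basic, which would be a regression rather than "no functional change". The provider-to-package mapping now also lives in two places that must be kept in sync when a provider is added; either drop these selects and rely on DEFAULT_PACKAGES, or add a comment above them such as `# Keep in sync with the TLS provider blocks in include/target.mk` explaining why both are needed.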


