* [Buildroot] [RFC PATCH] package/uacme: requires TLS support in libcurl
@ 2022-06-09 19:21 Baruch Siach via buildroot
  2022-07-13  6:38 ` Nicola Di Lieto
  0 siblings, 1 reply; 6+ messages in thread
From: Baruch Siach via buildroot @ 2022-06-09 19:21 UTC (permalink / raw)
  To: buildroot; +Cc: Nicola Di Lieto

uacme configure script fails when libcurl does not support TLS. This
means that BR2_PACKAGE_LIBCURL_TLS_NONE is incompatible with uacme. But
there is no way to change the choice to something other than
BR2_PACKAGE_LIBCURL_TLS_NONE. So instead make uacme depend on libcurl
and !BR2_PACKAGE_LIBCURL_TLS_NONE.

As a result we can no longer select BR2_PACKAGE_OPENSSL since it causes
recursive dependency. The existence of encryption library is implied
when !BR2_PACKAGE_LIBCURL_TLS_NONE. So we can drop that 'select'
entirely.

Fixes:
http://autobuild.buildroot.net/results/4e16f1d958ac3d30e26e7f17bdffc47834b0e2bd/
http://autobuild.buildroot.net/results/4e16f1d958ac3d30e26e7f17bdffc47834b0e2bd/
http://autobuild.buildroot.net/results/25280409b32282b4dd40b1e88127051439380f3d/

Cc: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 package/uacme/Config.in | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/package/uacme/Config.in b/package/uacme/Config.in
index d69343611557..4b20cbcdfe4b 100644
--- a/package/uacme/Config.in
+++ b/package/uacme/Config.in
@@ -1,8 +1,7 @@
 config BR2_PACKAGE_UACME
 	bool "uacme"
 	depends on BR2_USE_MMU # fork()
-	select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_GNUTLS || BR2_PACKAGE_MBEDTLS)
-	select BR2_PACKAGE_LIBCURL
+	depends on BR2_PACKAGE_LIBCURL && !BR2_PACKAGE_LIBCURL_TLS_NONE
 	help
 	  uacme is a client for the ACMEv2 protocol described in
 	  RFC8555, written in plain C with minimal dependencies
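Review bot: The new 'depends on BR2_PACKAGE_LIBCURL && !BR2_PACKAGE_LIBCURL_TLS_NONE' line only rules out the no-TLS choice, while the removed 'select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_GNUTLS || BR2_PACKAGE_MBEDTLS)' was the only line in this entry making sure one of OpenSSL, GnuTLS or mbedTLS is enabled. If uacme uses one of those three itself, a libcurl built on some other TLS backend now satisfies the dependency with none of them present. Consider keeping an explicit requirement, for example 'depends on BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS || BR2_PACKAGE_MBEDTLS', and adding a trailing comment on the libcurl line (like the existing '# fork()') saying why it is a 'depends on' rather than a 'select'.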
@@ -14,6 +13,10 @@ config BR2_PACKAGE_UACME
 
 	  https://github.com/ndilieto/uacme
 
+comment "uacme needs libcurl with TLS support"
+	depends on BR2_USE_MMU
+	depends on !BR2_PACKAGE_LIBCURL || BR2_PACKAGE_LIBCURL_TLS_NONE
+
 if BR2_PACKAGE_UACME
 
 config BR2_PACKAGE_UACME_UALPN
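Review bot: The comment's condition, '!BR2_PACKAGE_LIBCURL || BR2_PACKAGE_LIBCURL_TLS_NONE', is a hand-written negation of the 'depends on' line added in the first hunk, so the two have to change together. If that dependency gains further terms, uacme would disappear from the menu with no comment explaining why unless this condition and the comment text are extended to match. A sentence in the commit message noting that the two lines form a pair would help whoever edits either one later.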
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [RFC PATCH] package/uacme: requires TLS support in libcurl
  2022-06-09 19:21 [Buildroot] [RFC PATCH] package/uacme: requires TLS support in libcurl Baruch Siach via buildroot
@ 2022-07-13  6:38 ` Nicola Di Lieto
  2022-07-13  6:43   ` Baruch Siach via buildroot
  0 siblings, 1 reply; 6+ messages in thread
From: Nicola Di Lieto @ 2022-07-13  6:38 UTC (permalink / raw)
  To: Baruch Siach; +Cc: buildroot

I am afraid this won't work because unlike curl, uacme only supports 
OpenSSL, GnuTLS and mbedTLS. If either BearSSL or WolfSSL are chosen as 
the SSL library, uacme will fail at configure stage.

On Thu, Jun 09, 2022 at 10:21:56PM +0300, Baruch Siach wrote:
>uacme configure script fails when libcurl does not support TLS. This
>means that BR2_PACKAGE_LIBCURL_TLS_NONE is incompatible with uacme. But
>there is no way to change the choice to something other than
>BR2_PACKAGE_LIBCURL_TLS_NONE. So instead make uacme depend on libcurl
>and !BR2_PACKAGE_LIBCURL_TLS_NONE.
>
>As a result we can no longer select BR2_PACKAGE_OPENSSL since it causes
>recursive dependency. The existence of encryption library is implied
>when !BR2_PACKAGE_LIBCURL_TLS_NONE. So we can drop that 'select'
>entirely.
>
>Fixes:
>http://autobuild.buildroot.net/results/4e16f1d958ac3d30e26e7f17bdffc47834b0e2bd/
>http://autobuild.buildroot.net/results/4e16f1d958ac3d30e26e7f17bdffc47834b0e2bd/
>http://autobuild.buildroot.net/results/25280409b32282b4dd40b1e88127051439380f3d/
>
>Cc: Nicola Di Lieto <nicola.dilieto@gmail.com>
>Signed-off-by: Baruch Siach <baruch@tkos.co.il>
>---
> package/uacme/Config.in | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
>diff --git a/package/uacme/Config.in b/package/uacme/Config.in
>index d69343611557..4b20cbcdfe4b 100644
>--- a/package/uacme/Config.in
>+++ b/package/uacme/Config.in
>@@ -1,8 +1,7 @@
> config BR2_PACKAGE_UACME
> 	bool "uacme"
> 	depends on BR2_USE_MMU # fork()
>-	select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_GNUTLS || BR2_PACKAGE_MBEDTLS)
>-	select BR2_PACKAGE_LIBCURL
>+	depends on BR2_PACKAGE_LIBCURL && !BR2_PACKAGE_LIBCURL_TLS_NONE
> 	help
> 	  uacme is a client for the ACMEv2 protocol described in
> 	  RFC8555, written in plain C with minimal dependencies
>@@ -14,6 +13,10 @@ config BR2_PACKAGE_UACME
>
> 	  https://github.com/ndilieto/uacme
>
>+comment "uacme needs libcurl with TLS support"
>+	depends on BR2_USE_MMU
>+	depends on !BR2_PACKAGE_LIBCURL || BR2_PACKAGE_LIBCURL_TLS_NONE
>+
> if BR2_PACKAGE_UACME
>
> config BR2_PACKAGE_UACME_UALPN
>-- 
>2.35.1
>

* Re: [Buildroot] [RFC PATCH] package/uacme: requires TLS support in libcurl
  2022-07-13  6:38 ` Nicola Di Lieto
@ 2022-07-13  6:43   ` Baruch Siach via buildroot
  2022-07-13  7:07     ` Nicola Di Lieto
  0 siblings, 1 reply; 6+ messages in thread
From: Baruch Siach via buildroot @ 2022-07-13  6:43 UTC (permalink / raw)
  To: Nicola Di Lieto; +Cc: buildroot

Hi Nicola,

On Wed, Jul 13 2022, Nicola Di Lieto wrote:
> I am afraid this won't work because unlike curl, uacme only supports OpenSSL,
> GnuTLS and mbedTLS. If either BearSSL or WolfSSL are chosen as the SSL
> library, uacme will fail at configure stage.

This issue is already in current code. The line

  select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_GNUTLS || BR2_PACKAGE_MBEDTLS)

does not guarantee that libcurl uses any of these as crypto back
end. libcurl might still have BR2_PACKAGE_LIBCURL_BEARSSL or
BR2_PACKAGE_LIBCURL_WOLFSSL set.

This patch only fixes the BR2_PACKAGE_LIBCURL_TLS_NONE case, but we can
easily add others for something like

  depends on BR2_PACKAGE_LIBCURL && !BR2_PACKAGE_LIBCURL_TLS_NONE
          && !BR2_PACKAGE_LIBCURL_BEARSSL && !BR2_PACKAGE_LIBCURL_WOLFSSL

The reason I marked this patch RFC is because we usually do not 'depend'
on non obvious dependencies like libcurl, but 'select' them
automatically to make it easier for the user. But I could not find a way
to avoid build failure using only 'select'.

What do you think?

Thanks,
baruch

> On Thu, Jun 09, 2022 at 10:21:56PM +0300, Baruch Siach wrote:
>>uacme configure script fails when libcurl does not support TLS. This
>>means that BR2_PACKAGE_LIBCURL_TLS_NONE is incompatible with uacme. But
>>there is no way to change the choice to something other than
>>BR2_PACKAGE_LIBCURL_TLS_NONE. So instead make uacme depend on libcurl
>>and !BR2_PACKAGE_LIBCURL_TLS_NONE.
>>
>>As a result we can no longer select BR2_PACKAGE_OPENSSL since it causes
>>recursive dependency. The existence of encryption library is implied
>>when !BR2_PACKAGE_LIBCURL_TLS_NONE. So we can drop that 'select'
>>entirely.
>>
>>Fixes:
>>http://autobuild.buildroot.net/results/4e16f1d958ac3d30e26e7f17bdffc47834b0e2bd/
>>http://autobuild.buildroot.net/results/4e16f1d958ac3d30e26e7f17bdffc47834b0e2bd/
>>http://autobuild.buildroot.net/results/25280409b32282b4dd40b1e88127051439380f3d/
>>
>>Cc: Nicola Di Lieto <nicola.dilieto@gmail.com>
>>Signed-off-by: Baruch Siach <baruch@tkos.co.il>
>>---
>> package/uacme/Config.in | 7 +++++--
>> 1 file changed, 5 insertions(+), 2 deletions(-)
>>
>>diff --git a/package/uacme/Config.in b/package/uacme/Config.in
>>index d69343611557..4b20cbcdfe4b 100644
>>--- a/package/uacme/Config.in
>>+++ b/package/uacme/Config.in
>>@@ -1,8 +1,7 @@
>> config BR2_PACKAGE_UACME
>> 	bool "uacme"
>> 	depends on BR2_USE_MMU # fork()
>>-	select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_GNUTLS || BR2_PACKAGE_MBEDTLS)
>>-	select BR2_PACKAGE_LIBCURL
>>+	depends on BR2_PACKAGE_LIBCURL && !BR2_PACKAGE_LIBCURL_TLS_NONE
>> 	help
>> 	  uacme is a client for the ACMEv2 protocol described in
>> 	  RFC8555, written in plain C with minimal dependencies
>>@@ -14,6 +13,10 @@ config BR2_PACKAGE_UACME
>>
>> 	  https://github.com/ndilieto/uacme
>>
>>+comment "uacme needs libcurl with TLS support"
>>+	depends on BR2_USE_MMU
>>+	depends on !BR2_PACKAGE_LIBCURL || BR2_PACKAGE_LIBCURL_TLS_NONE
>>+
>> if BR2_PACKAGE_UACME
>>
>> config BR2_PACKAGE_UACME_UALPN
>> -- 2.35.1
>>


-- 
                                                     ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

* Re: [Buildroot] [RFC PATCH] package/uacme: requires TLS support in libcurl
  2022-07-13  6:43   ` Baruch Siach via buildroot
@ 2022-07-13  7:07     ` Nicola Di Lieto
  2022-07-13  7:38       ` Baruch Siach via buildroot
  0 siblings, 1 reply; 6+ messages in thread
From: Nicola Di Lieto @ 2022-07-13  7:07 UTC (permalink / raw)
  To: Baruch Siach; +Cc: buildroot

Hi Baruch

On Wed, Jul 13, 2022 at 09:43:11AM +0300, Baruch Siach wrote:
>This issue is already in current code. The line
>
>  select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_GNUTLS || BR2_PACKAGE_MBEDTLS)
>
>does not guarantee that libcurl uses any of these as crypto back
>end. libcurl might still have BR2_PACKAGE_LIBCURL_BEARSSL or
>BR2_PACKAGE_LIBCURL_WOLFSSL set.
>

It doesn't matter what libcurl is using, as long as it can do TLS. uacme 
needs one of OpenSSL, GnuTLS or mbedTLS and will work fine even when 
curl is using WolfSSL or BearSSL. Of course having two crypto libraries 
wouldn't be very efficient...

>This patch only fixes the BR2_PACKAGE_LIBCURL_TLS_NONE case, but we can
>easily add others for something like
>
>  depends on BR2_PACKAGE_LIBCURL && !BR2_PACKAGE_LIBCURL_TLS_NONE
>          && !BR2_PACKAGE_LIBCURL_BEARSSL && !BR2_PACKAGE_LIBCURL_WOLFSSL
>

That might work, as long as one of OpenSSL, GnuTLS or mbedTLS is
selected.

>The reason I marked this patch RFC is because we usually do not 'depend'
>on non obvious dependencies like libcurl, but 'select' them
>automatically to make it easier for the user. But I could not find a way
>to avoid build failure using only 'select'.

There was some discussion about this when I submitted the package:

https://lists.buildroot.org/pipermail/buildroot/2019-April/551561.html

>
>What do you think?
>

I think your latest proposal might work but I'm not sure it complies 
with buildroot guidelines. Can someone more knowledgeable comment as 
well?


* Re: [Buildroot] [RFC PATCH] package/uacme: requires TLS support in libcurl
  2022-07-13  7:07     ` Nicola Di Lieto
@ 2022-07-13  7:38       ` Baruch Siach via buildroot
  2022-07-13 10:02         ` Nicola Di Lieto
  0 siblings, 1 reply; 6+ messages in thread
From: Baruch Siach via buildroot @ 2022-07-13  7:38 UTC (permalink / raw)
  To: Nicola Di Lieto; +Cc: buildroot

Hi Nicola,

On Wed, Jul 13 2022, Nicola Di Lieto wrote:
> On Wed, Jul 13, 2022 at 09:43:11AM +0300, Baruch Siach wrote:
>>This issue is already in current code. The line
>>
>>  select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_GNUTLS || BR2_PACKAGE_MBEDTLS)
>>
>>does not guarantee that libcurl uses any of these as crypto back
>>end. libcurl might still have BR2_PACKAGE_LIBCURL_BEARSSL or
>>BR2_PACKAGE_LIBCURL_WOLFSSL set.
>
> It doesn't matter what libcurl is using, as long as it can do TLS. uacme needs
> one of OpenSSL, GnuTLS or mbedTLS and will work fine even when curl is using
> WolfSSL or BearSSL. Of course having two crypto libraries wouldn't be very
> efficient...

I see. So currently the 'select' statement is needed because uacme
itself needs one of these as a crypto back end regardless of libcurl. Is
that correct?

>>This patch only fixes the BR2_PACKAGE_LIBCURL_TLS_NONE case, but we can
>>easily add others for something like
>>
>>  depends on BR2_PACKAGE_LIBCURL && !BR2_PACKAGE_LIBCURL_TLS_NONE
>>          && !BR2_PACKAGE_LIBCURL_BEARSSL && !BR2_PACKAGE_LIBCURL_WOLFSSL
>
> That might work, as long as one of OpenSSL, GnuTLS or mbedTLS is
> selected.

One of them must be selected to satisfy libcurl need for crypto back
end. But it is not very user friendly.

>>The reason I marked this patch RFC is because we usually do not 'depend'
>>on non obvious dependencies like libcurl, but 'select' them
>>automatically to make it easier for the user. But I could not find a way
>>to avoid build failure using only 'select'.
>
> There was some discussion about this when I submitted the package:
>
> https://lists.buildroot.org/pipermail/buildroot/2019-April/551561.html
>
>>What do you think?
>
> I think your latest proposal might work but I'm not sure it complies with
> buildroot guidelines. Can someone more knowledgeable comment as well?

I hope so.

I'll try a combination of 'select' and 'depends' to see how far I get.

Thanks,
baruch

-- 
                                                     ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

* Re: [Buildroot] [RFC PATCH] package/uacme: requires TLS support in libcurl
  2022-07-13  7:38       ` Baruch Siach via buildroot
@ 2022-07-13 10:02         ` Nicola Di Lieto
  0 siblings, 0 replies; 6+ messages in thread
From: Nicola Di Lieto @ 2022-07-13 10:02 UTC (permalink / raw)
  To: Baruch Siach; +Cc: buildroot

Hi Baruch,

On Wed, Jul 13, 2022 at 10:38:45AM +0300, Baruch Siach wrote:
>I see. So currently the 'select' statement is needed because uacme
>itself needs one of these as a crypto back end regardless of libcurl. Is
>that correct?
>

Yes, that is correct. uacme needs to do quite a lot of crypto for 
implementing RFC8555, but it doesn't do TLS directly - it uses libcurl 
for that.
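
The two requirements that come out of this thread (libcurl must be able to do TLS; uacme itself needs OpenSSL, GnuTLS or mbedTLS) checked against the three Kconfig variants discussed, as an added example that is not part of any message here nor of Buildroot. It models only the symbols quoted in the thread, assumes libcurl is already enabled and that a libcurl backend implies its library is enabled, and every function name is hypothetical.

```python
from itertools import combinations

# Simplified model of the thread's symbols; not Buildroot code.
UACME_CRYPTO = ("openssl", "gnutls", "mbedtls")   # libraries uacme itself can use
CURL_BACKENDS = ("none", "openssl", "gnutls", "mbedtls", "bearssl", "wolfssl")

def all_configs():
    """Every (libcurl backend, enabled crypto libs) pair, with libcurl enabled."""
    seen = set()
    for backend in CURL_BACKENDS:
        for n in range(len(UACME_CRYPTO) + 1):
            for libs in combinations(UACME_CRYPTO, n):
                libs = set(libs)
                if backend in UACME_CRYPTO:
                    libs.add(backend)      # assumption: a backend needs its library
                seen.add((backend, frozenset(libs)))
    return seen

def old_select(backend, libs):
    # select BR2_PACKAGE_OPENSSL if !(BR2_PACKAGE_GNUTLS || BR2_PACKAGE_MBEDTLS)
    if not ({"gnutls", "mbedtls"} & libs):
        libs = libs | {"openssl"}
    return libs                            # uacme is always selectable

def rfc_depends(backend, libs):
    # depends on BR2_PACKAGE_LIBCURL && !BR2_PACKAGE_LIBCURL_TLS_NONE
    return libs if backend != "none" else None   # None: uacme hidden in the menu

def extended_depends(backend, libs):
    # ... && !BR2_PACKAGE_LIBCURL_BEARSSL && !BR2_PACKAGE_LIBCURL_WOLFSSL
    return libs if backend not in ("none", "bearssl", "wolfssl") else None

def configure_ok(backend, libs):
    """Both requirements from the thread: curl does TLS, uacme has a crypto lib."""
    return backend != "none" and bool(set(UACME_CRYPTO) & libs)

def accepted_but_broken(policy):
    """Configs Kconfig lets through under `policy` that still fail at configure."""
    bad = []
    for backend, libs in all_configs():
        result = policy(backend, libs)
        if result is not None and not configure_ok(backend, result):
            bad.append((backend, tuple(sorted(result))))
    return sorted(bad)

if __name__ == "__main__":
    for policy in (old_select, rfc_depends, extended_depends):
        print(policy.__name__, accepted_but_broken(policy))
```

In this model the original 'select' fails only when libcurl has no TLS, the RFC patch fails only when libcurl uses BearSSL or WolfSSL with none of uacme's three libraries enabled, and the extended 'depends on' leaves no failing combination.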
