diff --git a/SConstruct b/SConstruct index 3d5a8708..bcac49fe 100644 --- a/SConstruct +++ b/SConstruct @@ -253,6 +253,7 @@ vars.AddVariables( PackageVariable('with_mysql', 'enable mysql support', 'no'), BoolVariable('with_openssl', 'enable openssl support', 'no'), PackageVariable('with_wolfssl', 'enable wolfSSL support', 'no'), + BoolVariable('with_nettle', 'enable Nettle support', 'no'), BoolVariable('with_pam', 'enable PAM auth support', 'no'), PackageVariable('with_pcre', 'enable pcre support', 'yes'), PackageVariable('with_pgsql', 'enable pgsql support', 'no'), @@ -608,6 +609,14 @@ if 1: LIBCRYPTO = 'wolfssl', ) + if env['with_nettle']: + if not autoconf.CheckLibWithHeader('nettle', 'nettle/nettle-types.h', 'C'): + fail("Couldn't find Nettle") + autoconf.env.Append( + CPPFLAGS = [ '-DHAVE_NETTLE_NETTLE_TYPES_H' ], + LIBCRYPTO = 'nettle', + ) + if env['with_pam']: if not autoconf.CheckLibWithHeader('pam', 'security/pam_appl.h', 'C'): fail("Couldn't find pam") diff --git a/configure.ac b/configure.ac index e9f0b60e..83d273b8 100644 --- a/configure.ac +++ b/configure.ac @@ -737,6 +737,35 @@ if test "$WITH_OPENSSL" != no && test "$WITH_WOLFSSL" != no; then AC_MSG_ERROR([lighttpd should not be built with both --with-openssl and --with-wolfssl]) fi +dnl Check for Nettle (and overwrite CRYPTO_LIB if set by OpenSSL or wolfSSL) +AC_MSG_NOTICE([----------------------------------------]) +AC_MSG_CHECKING([for Nettle]) +AC_ARG_WITH([nettle], + [AC_HELP_STRING([--with-nettle@<:@=DIR@:>@], + [Include Nettle support (default no)] + )], + [WITH_NETTLE=$withval], + [WITH_NETTLE=no] +) +AC_MSG_RESULT([$WITH_NETTLE]) + +if test "$WITH_NETTLE" != no; then + if test "$WITH_NETTLE" != yes; then + CPPFLAGS="${CPPFLAGS} -I$WITH_NETTLE/include" + LDFLAGS="${LDFLAGS} -L$WITH_NETTLE/lib" + fi + + AC_CHECK_HEADERS([nettle/nettle-types.h], [], [ + AC_MSG_ERROR([nettle headers not found. install them or build without --with-nettle]) + ]) + AC_CHECK_LIB([nettle], [nettle_md5_init], + [CRYPTO_LIB="-lnettle"], + [AC_MSG_ERROR([nettle crypto library not found. install it or build without --with-nettle])] + ) + + AC_SUBST([CRYPTO_LIB]) +fi + dnl pcre support AC_MSG_NOTICE([----------------------------------------]) diff --git a/meson_options.txt b/meson_options.txt index bf1192d9..92d3f4a9 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -63,6 +63,11 @@ option('with_mysql', value: false, description: 'with mysql-support for mod_vhostdb_mysql [default: off]', ) +option('with_nettle', + type: 'boolean', + value: false, + description: 'with Nettle-support [default: off]', +) option('with_openssl', type: 'boolean', value: false, diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 9b48744f..fbfb5d93 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -22,6 +22,7 @@ option(WITH_PGSQL "with postgres-support for mod_vhostdb_pgsql [default: off]") option(WITH_DBI "with dbi-support for mod_vhostdb_dbi [default: off]") option(WITH_OPENSSL "with openssl-support [default: off]") option(WITH_WOLFSSL "with wolfSSL-support [default: off]") +option(WITH_NETTLE "with Nettle-support [default: off]") option(WITH_PCRE "with regex support [default: on]" ON) option(WITH_WEBDAV_PROPS "with property-support for mod_webdav [default: off]") option(WITH_WEBDAV_LOCKS "locks in webdav [default: off]") @@ -370,6 +371,24 @@ if(WITH_OPENSSL AND WITH_WOLFSSL) message(FATAL_ERROR "lighttpd should not be built with both --with-openssl and --with-wolfssl") endif() +if(WITH_NETTLE) + if(APPLE) + set(CMAKE_REQUIRED_INCLUDES /opt/local/include) + endif() + check_include_files(nettle/nettle-types.h HAVE_NETTLE_NETTLE_TYPES_H) + if(APPLE) + set(CMAKE_REQUIRED_INCLUDES) + endif() + if(HAVE_NETTLE_NETTLE_TYPES_H) + check_library_exists(nettle nettle_md5_init "" HAVE_LIBCRYPTO) + if(HAVE_LIBCRYPTO) + set(CRYPTO_LIBRARY nettle) + endif() + endif() +else() + unset(HAVE_NETTLE_NETTLE_TYPES_H) +endif() + if(WITH_PCRE) ## if we have pcre-config, use it xconfig(pcre-config PCRE_INCDIR PCRE_LIBDIR PCRE_LDFLAGS PCRE_CFLAGS) diff --git a/src/algo_sha1.c b/src/algo_sha1.c index d6a58599..e80ee2a2 100644 --- a/src/algo_sha1.c +++ b/src/algo_sha1.c @@ -2,7 +2,7 @@ typedef int innocuous_typedef_to_quiet_empty_translation_unit_compiler_warning; #include "sys-crypto.h" -#ifndef USE_OPENSSL_CRYPTO +#ifndef USE_LIB_CRYPTO #include "sys-endian.h" #include "algo_sha1.h" diff --git a/src/algo_sha1.h b/src/algo_sha1.h index 346d1c98..a89efb90 100644 --- a/src/algo_sha1.h +++ b/src/algo_sha1.h @@ -2,12 +2,32 @@ #define INCLUDED_ALGO_SHA1_H #include "first.h" -#include "sys-crypto.h" -#ifdef USE_OPENSSL_CRYPTO +#include "sys-crypto.h" /* USE_LIB_CRYPTO */ +#ifdef USE_LIB_CRYPTO + +#ifdef USE_NETTLE_CRYPTO +#include +#ifndef SHA_DIGEST_LENGTH +#define SHA_DIGEST_LENGTH 20 +#endif +typedef struct sha1_ctx SHA_CTX; +#define SHA1_Init(ctx) \ + sha1_init(ctx) +#define SHA1_Final(digest, ctx) \ + sha1_digest((ctx),sizeof(digest),(digest)) +static void +SHA1_Update(SHA_CTX *ctx, const void *data, size_t length) +{ + sha1_update(ctx, length, data); +} + +#elif defined(USE_OPENSSL_CRYPTO) #include -#else +#endif + +#else /* ! USE_LIB_CRYPTO */ /* * sha.h diff --git a/src/md5.c b/src/md5.c index 42fe466d..e559f449 100644 --- a/src/md5.c +++ b/src/md5.c @@ -33,10 +33,10 @@ documentation and/or software. #define POINTER unsigned char * #if 0 /* Note: not defined here or in lighttpd local "md5.h" */ -#include "sys-crypto.h" /* USE_OPENSSL_CRYPTO */ +#include "sys-crypto.h" /* USE_LIB_CRYPTO */ #endif -#ifndef USE_OPENSSL_CRYPTO +#ifndef USE_LIB_CRYPTO #include /* Constants for MD5Transform routine. diff --git a/src/meson.build b/src/meson.build index 291b01e6..71e0cabe 100644 --- a/src/meson.build +++ b/src/meson.build @@ -420,6 +420,13 @@ if get_option('with_wolfssl') != 'false' libcrypto += libwolfssl_includes_dep conf_data.set('HAVE_WOLFSSL_SSL_H', true) endif +if get_option('with_nettle') != 'false' + # manual search: + # header: nettle/nettle-types.h + # function: nettle_md5_init (-lnettle) + libcrypto = [ dependency('libnettle') ] + conf_data.set('HAVE_NETTLE_NETTLE_TYPES_H', true) +endif libpcre = [] if get_option('with_pcre') diff --git a/src/mod_auth.c b/src/mod_auth.c index 442fed73..172a6a49 100644 --- a/src/mod_auth.c +++ b/src/mod_auth.c @@ -6,11 +6,45 @@ #include "http_header.h" #include "log.h" -#include "sys-crypto.h" /* USE_OPENSSL_CRYPTO */ -#ifdef USE_OPENSSL_CRYPTO +#include "sys-crypto.h" /* USE_LIB_CRYPTO */ +#ifdef USE_LIB_CRYPTO + +#if defined(USE_NETTLE_CRYPTO) + +#include +typedef struct sha256_ctx SHA256_CTX; +#define SHA256_Init(ctx) \ + sha256_init(ctx) +#define SHA256_Final(digest, ctx) \ + sha256_digest((ctx),sizeof(digest),(digest)) +static void +SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length) +{ + sha256_update(ctx, length, data); +} + +#ifndef SHA512_256_DIGEST_LENGTH +#define SHA512_256_DIGEST_LENGTH 32 +#endif +typedef struct sha512_ctx SHA512_CTX; +#define SHA512_256_Init(ctx) \ + sha512_256_init(ctx) +#define SHA512_256_Final(digest, ctx) \ + sha512_256_digest((ctx),sizeof(digest),(digest)) +static void +SHA512_256_Update(SHA512_CTX *ctx, const void *data, size_t length) +{ + sha512_256_update(ctx, length, data); +} + +#elif defined(USE_OPENSSL_CRYPTO) + #include + #endif +#endif /* USE_LIB_CRYPTO */ + #include #include @@ -132,7 +166,7 @@ static int mod_auth_algorithm_parse(http_auth_info_t *ai, const char *s) { ai->dlen = HTTP_AUTH_DIGEST_MD5_BINLEN; return 1; } - #ifdef USE_OPENSSL_CRYPTO + #ifdef USE_LIB_CRYPTO else if (len >= 7 && 's' == (s[0] | 0x20) && 'h' == (s[1] | 0x20) @@ -613,7 +647,7 @@ static handler_t mod_auth_check_basic(request_st * const r, void *p_d, const str } -#ifdef USE_OPENSSL_CRYPTO +#ifdef USE_LIB_CRYPTO static void mod_auth_digest_mutate_sha256(http_auth_info_t *ai, const char *m, const char *uri, const char *nonce, const char *cnonce, const char *nc, const char *qop) { SHA256_CTX ctx; @@ -761,7 +795,7 @@ static void mod_auth_digest_nonce_sha512_256(buffer *b, time_t cur_ts, int rnd, #endif /* SHA512_256_DIGEST_LENGTH */ -#endif /* USE_OPENSSL_CRYPTO */ +#endif /* USE_LIB_CRYPTO */ static void mod_auth_digest_mutate_md5(http_auth_info_t *ai, const char *m, const char *uri, const char *nonce, const char *cnonce, const char *nc, const char *qop) { li_MD5_CTX ctx; @@ -839,7 +873,7 @@ static void mod_auth_digest_nonce_md5(buffer *b, time_t cur_ts, int rnd, const b static void mod_auth_digest_mutate(http_auth_info_t *ai, const char *m, const char *uri, const char *nonce, const char *cnonce, const char *nc, const char *qop) { if (ai->dalgo & HTTP_AUTH_DIGEST_MD5) mod_auth_digest_mutate_md5(ai, m, uri, nonce, cnonce, nc, qop); - #ifdef USE_OPENSSL_CRYPTO + #ifdef USE_LIB_CRYPTO else if (ai->dalgo & HTTP_AUTH_DIGEST_SHA256) mod_auth_digest_mutate_sha256(ai, m, uri, nonce, cnonce, nc, qop); #ifdef SHA512_256_DIGEST_LENGTH @@ -864,7 +898,7 @@ static void mod_auth_append_nonce(buffer *b, time_t cur_ts, const struct http_au buffer_append_string_len(b, CONST_STR_LEN(":")); } switch (dalgo) { - #ifdef USE_OPENSSL_CRYPTO + #ifdef USE_LIB_CRYPTO #ifdef SHA512_256_DIGEST_LENGTH case HTTP_AUTH_DIGEST_SHA512_256: mod_auth_digest_nonce_sha512_256(b, cur_ts, rnd, nonce_secret); @@ -887,7 +921,7 @@ static void mod_auth_digest_www_authenticate(buffer *b, time_t cur_ts, const str int algoid[3]; unsigned int algolen[3]; const char *algoname[3]; - #ifdef USE_OPENSSL_CRYPTO + #ifdef USE_LIB_CRYPTO #ifdef SHA512_256_DIGEST_LENGTH if (algos & HTTP_AUTH_DIGEST_SHA512_256) { algoid[n] = HTTP_AUTH_DIGEST_SHA512_256; diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c index cacc10fb..571178b2 100644 --- a/src/mod_authn_file.c +++ b/src/mod_authn_file.c @@ -14,11 +14,59 @@ # define HAVE_CRYPT #endif -#include "sys-crypto.h" -#ifdef USE_OPENSSL_CRYPTO +#include "sys-crypto.h" /* USE_LIB_CRYPTO */ +#ifdef USE_LIB_CRYPTO + +#if defined(USE_NETTLE_CRYPTO) + +#include +#include + +typedef struct md4_ctx MD4_CTX; +#define MD4_Init(ctx) \ + md4_init(ctx) +#define MD4_Final(digest, ctx) \ + md4_digest((ctx),sizeof(digest),(digest)) +static void +MD4_Update(MD4_CTX *ctx, const void *data, size_t length) +{ + md4_update(ctx, length, data); +} + +typedef struct sha256_ctx SHA256_CTX; +#define SHA256_Init(ctx) \ + sha256_init(ctx) +#define SHA256_Final(digest, ctx) \ + sha256_digest((ctx),sizeof(digest),(digest)) +static void +SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length) +{ + sha256_update(ctx, length, data); +} + +#ifndef SHA512_256_DIGEST_LENGTH +#define SHA512_256_DIGEST_LENGTH 32 +#endif +typedef struct sha512_ctx SHA512_CTX; +#define SHA512_256_Init(ctx) \ + sha512_256_init(ctx) +#define SHA512_256_Final(digest, ctx) \ + sha512_256_digest((ctx),sizeof(digest),(digest)) +static void +SHA512_256_Update(SHA512_CTX *ctx, const void *data, size_t length) +{ + sha512_256_update(ctx, length, data); +} + +#elif defined(USE_OPENSSL_CRYPTO) + #include +#include + #endif +#endif /* USE_LIB_CRYPTO */ + #include "safe_memclear.h" /*(htpasswd)*/ @@ -159,7 +207,7 @@ SETDEFAULTS_FUNC(mod_authn_file_set_defaults) { -#ifdef USE_OPENSSL_CRYPTO +#ifdef USE_LIB_CRYPTO static void mod_authn_file_digest_sha256(http_auth_info_t *ai, const char *pw, size_t pwlen) { SHA256_CTX ctx; @@ -202,7 +250,7 @@ static void mod_authn_file_digest(http_auth_info_t *ai, const char *pw, size_t p if (ai->dalgo & HTTP_AUTH_DIGEST_MD5) mod_authn_file_digest_md5(ai, pw, pwlen); - #ifdef USE_OPENSSL_CRYPTO + #ifdef USE_LIB_CRYPTO else if (ai->dalgo & HTTP_AUTH_DIGEST_SHA256) mod_authn_file_digest_sha256(ai, pw, pwlen); #ifdef SHA512_256_DIGEST_LENGTH @@ -644,7 +692,7 @@ static handler_t mod_authn_file_htpasswd_basic(request_st * const r, void *p_d, crypt_tmp_data.initialized = 0; #endif #endif - #ifdef USE_OPENSSL_CRYPTO /* (for MD4_*() (e.g. MD4_Update())) */ + #ifdef USE_LIB_CRYPTO /*(for MD4_*() (e.g. MD4_Update()))*/ #ifndef NO_MD4 /*(e.g. wolfSSL built without MD4)*/ if (0 == memcmp(password->ptr, CONST_STR_LEN("$1+ntlm$"))) { /* CRYPT-MD5-NTLM algorithm diff --git a/src/mod_secdownload.c b/src/mod_secdownload.c index d1e9bba8..ba816827 100644 --- a/src/mod_secdownload.c +++ b/src/mod_secdownload.c @@ -12,10 +12,14 @@ #include #include "sys-crypto.h" -#ifdef USE_OPENSSL_CRYPTO +#ifdef USE_LIB_CRYPTO +#if defined(USE_NETTLE_CRYPTO) +#include +#elif defined(USE_OPENSSL_CRYPTO) #include #include #endif +#endif #include "md5.h" @@ -177,11 +181,17 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c return const_time_memeq((char *)HA1, (char *)md5bin, sizeof(md5bin)); } case SECDL_HMAC_SHA1: -#ifdef USE_OPENSSL_CRYPTO +#ifdef USE_LIB_CRYPTO { unsigned char digest[20]; char base64_digest[27]; + #if defined(USE_NETTLE_CRYPTO) + struct hmac_sha1_ctx ctx; + hmac_sha1_set_key(&ctx, buffer_string_length(config->secret), (const uint8_t *)config->secret->ptr); + hmac_sha1_update(&ctx, strlen(protected_path), (const uint8_t *)protected_path); + hmac_sha1_digest(&ctx, sizeof(digest), (uint8_t *)digest); + #elif defined(USE_OPENSSL_CRYPTO) if (NULL == HMAC( EVP_sha1(), (unsigned char const*) config->secret->ptr, buffer_string_length(config->secret), @@ -191,6 +201,9 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c "hmac-sha1: HMAC() failed"); return 0; } + #else + #error "unexpected; crypto lib not configured for use by mod_secdownload" + #endif li_to_base64_no_padding(base64_digest, 27, digest, 20, BASE64_URL); @@ -199,11 +212,17 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c #endif break; case SECDL_HMAC_SHA256: -#ifdef USE_OPENSSL_CRYPTO +#ifdef USE_LIB_CRYPTO { unsigned char digest[32]; char base64_digest[43]; + #if defined(USE_NETTLE_CRYPTO) + struct hmac_sha256_ctx ctx; + hmac_sha256_set_key(&ctx, buffer_string_length(config->secret), (const uint8_t *)config->secret->ptr); + hmac_sha256_update(&ctx, strlen(protected_path), (const uint8_t *)protected_path); + hmac_sha256_digest(&ctx, sizeof(digest), (uint8_t *)digest); + #elif defined(USE_OPENSSL_CRYPTO) if (NULL == HMAC( EVP_sha256(), (unsigned char const*) config->secret->ptr, buffer_string_length(config->secret), @@ -213,6 +232,9 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c "hmac-sha256: HMAC() failed"); return 0; } + #else + #error "unexpected; crypto lib not configured for use by mod_secdownload" + #endif li_to_base64_no_padding(base64_digest, 43, digest, 32, BASE64_URL); @@ -236,7 +258,7 @@ static int mod_secdownload_parse_algorithm(config_plugin_value_t * const cpv, lo log_error(errh, __FILE__, __LINE__, "invalid secdownload.algorithm: %s", cpv->v.b->ptr); return 0; - #ifndef USE_OPENSSL_CRYPTO + #ifndef USE_LIB_CRYPTO case SECDL_HMAC_SHA1: case SECDL_HMAC_SHA256: log_error(errh, __FILE__, __LINE__, diff --git a/src/rand.c b/src/rand.c index 5cb556dc..8ac4a6f5 100644 --- a/src/rand.c +++ b/src/rand.c @@ -13,7 +13,13 @@ #include #include -#include "sys-crypto.h" +#include "sys-crypto.h" /* USE_LIB_CRYPTO */ +#ifdef USE_NETTLE_CRYPTO +#undef USE_OPENSSL_CRYPTO +#include +#include +#include +#endif #ifdef USE_OPENSSL_CRYPTO #include /* OPENSSL_VERSION_NUMBER */ #include @@ -126,6 +132,39 @@ static int li_rand_device_bytes (unsigned char *buf, int num) static int li_rand_inited; static unsigned short xsubi[3]; +#ifdef USE_NETTLE_CRYPTO +static struct knuth_lfib_ctx knuth_lfib_ctx; +static struct arcfour_ctx arcfour_ctx; +static struct yarrow256_ctx yarrow256_ctx; +#endif + +#ifdef USE_NETTLE_CRYPTO +/* adapted from Nettle documentation arcfour_set_key_hashed() in nettle.pdf */ +/* A more robust key setup function for ARCFOUR */ +static void +li_arcfour_init_random_key_hashed(struct arcfour_ctx *ctx) +{ + uint8_t key[ARCFOUR_KEY_SIZE]; + const size_t length = sizeof(key); + if (1 != li_rand_device_bytes(key, (int)sizeof(key))) { + log_failed_assert(__FILE__, __LINE__, + "gathering entropy for arcfour seed failed"); + } + memset(ctx, 0, sizeof(*ctx)); + + struct sha256_ctx hash; + uint8_t digest[SHA256_DIGEST_SIZE]; + uint8_t buf[0x200]; + memset(buf, 0, sizeof(buf)); + sha256_init(&hash); + sha256_update(&hash, length, key); + sha256_digest(&hash, SHA256_DIGEST_SIZE, digest); + nettle_arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest); + nettle_arcfour_crypt(ctx, sizeof(buf), buf, buf); + nettle_arcfour_crypt(ctx, sizeof(buf), buf, buf); + nettle_arcfour_crypt(ctx, sizeof(buf), buf, buf); +} +#endif static void li_rand_init (void) { @@ -158,6 +197,11 @@ static void li_rand_init (void) #ifdef HAVE_SRANDOM srandom(u); /*(initialize just in case random() used elsewhere)*/ #endif + #ifdef USE_NETTLE_CRYPTO + nettle_knuth_lfib_init(&knuth_lfib_ctx, u); + nettle_yarrow256_init(&yarrow256_ctx, 0, NULL); + li_arcfour_init_random_key_hashed(&arcfour_ctx); + #endif #ifdef USE_OPENSSL_CRYPTO RAND_poll(); RAND_seed(xsubi, (int)sizeof(xsubi)); @@ -180,6 +224,11 @@ int li_rand_pseudo (void) #endif #endif if (!li_rand_inited) li_rand_init(); + #ifdef USE_NETTLE_CRYPTO + int i = (int)nettle_knuth_lfib_get(&knuth_lfib_ctx); + nettle_arcfour_crypt(&arcfour_ctx, sizeof(i), (uint8_t *)&i, (uint8_t *)&i); + if (i) return i; /*(cond to avoid compiler warning for code after return)*/ + #endif #ifdef HAVE_ARC4RANDOM_BUF return (int)arc4random(); #elif defined(HAVE_SRANDOM) @@ -203,6 +252,21 @@ void li_rand_pseudo_bytes (unsigned char *buf, int num) int li_rand_bytes (unsigned char *buf, int num) { + #ifdef USE_NETTLE_CRYPTO + #if 0 /* not implemented: periodic nettle_yarrow256_update() and reseed */ + if (!nettle_yarrow256_is_seeded(&yarrow256_ctx)) { + uint8_t seed_file[YARROW256_SEED_FILE_SIZE]; + if (1 == li_rand_device_bytes((unsigned char *)seed_file, + (int)sizeof(seed_file))) { + nettle_yarrow256_seed(&yarrow256_ctx, sizeof(seed_file), seed_file); + } + } + if (nettle_yarrow256_is_seeded(&yarrow256_ctx)) { + nettle_yarrow256_random(&yarrow256_ctx, (size_t)num, (uint8_t *)buf); + return 1; + } + #endif + #endif #ifdef USE_OPENSSL_CRYPTO int rc = RAND_bytes(buf, num); if (-1 != rc) { diff --git a/src/sys-crypto.h b/src/sys-crypto.h index 8158abac..5d15533c 100644 --- a/src/sys-crypto.h +++ b/src/sys-crypto.h @@ -3,10 +3,12 @@ #include "first.h" #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H +#define USE_LIB_CRYPTO #define USE_OPENSSL_CRYPTO #endif #ifdef HAVE_WOLFSSL_SSL_H +#define USE_LIB_CRYPTO #define USE_OPENSSL_CRYPTO /* wolfSSL needs to be built with ./configure --enable-lighty for lighttpd. * Doing so defines OPENSSL_EXTRA and HAVE_LIGHTY in , and @@ -16,4 +18,9 @@ #include #endif +#ifdef HAVE_NETTLE_NETTLE_TYPES_H +#define USE_LIB_CRYPTO +#define USE_NETTLE_CRYPTO +#endif + #endif