Re: [PATCH 0/3] Engine configuration series
Hello Eneas, On 2021-04-28 14:17, Eneas U de Queiroz wrote: This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed. The series split is subject to discussion: - the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list. - the sencond implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages. - the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed. The first commit received basic testing on mvebu running master, covering afalg and devcrpto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds. I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package. I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. I think the uci config options are great, you can build on them and make the configuration for openssl better and can finally be configured with the uci. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters". All I could do to help was to point to a header file where the actual list of supported parameters is defined. The only thing I have to say is that if the configuration no longer fits, then we have a non-functioning openssl! You just have to know what you are doing when you change the openssl configuration. After this is merged, I will adapt the two engines in the packages feed. I think we have to validate the uci options in the future in the openssl service on startup. Regards Florian ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH 0/3] Engine configuration series
This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed. The series split is subject to discussion: - the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list. - the sencond implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages. - the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed. The first commit received basic testing on mvebu running master, covering afalg and devcrpto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds. I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package. I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters". All I could do to help was to point to a header file where the actual list of supported parameters is defined. After this is merged, I will adapt the two engines in the packages feed. Eneas U de Queiroz (3): openssl: config engines in /etc/ssl/engines.cnf.d openssl: configure engine packages during install openssl: configure engines with uci package/libs/openssl/Makefile | 55 +- package/libs/openssl/engine.mk| 42 package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ .../libs/openssl/files/openssl-engines.init | 19 package/libs/openssl/files/openssl.init | 31 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 100 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 20 files changed, 213 insertions(+), 140 deletions(-) create mode 100644 package/libs/openssl/engine.mk create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/openssl-engines.init create mode 100755 package/libs/openssl/files/openssl.init create mode 100644 package/libs/openssl/files/padlock.cnf ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel