This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.
All patches were refreshed.
Signed-off-by: Eneas U de Queiroz
---
Changelog:
v1->v2: unchanged
v2->v3: unchanged
package/libs/openssl/Makefile | 30 --
package/libs/openssl/files/afalg.cnf | 32 ++
package/libs/openssl/files/devcrypto.cnf | 31 ++
package/libs/openssl/files/engines.cnf| 7 ++
package/libs/openssl/files/padlock.cnf| 3 +
.../patches/100-Configure-afalg-support.patch | 3 +-
.../openssl/patches/110-openwrt_targets.patch | 3 +-
.../120-strip-cflags-from-binary.patch| 3 +-
.../patches/130-dont-build-tests-fuzz.patch | 3 +-
.../patches/140-allow-prefer-chacha20.patch | 4 +-
.../150-openssl.cnf-add-engines-conf.patch| 101 +++---
...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +-
..._devcrypto-add-configuration-options.patch | 5 +-
...ypto-add-command-to-dump-driver-info.patch | 3 +-
...o-make-the-dev-crypto-engine-dynamic.patch | 4 -
...default-to-not-use-digests-in-engine.patch | 1 -
...to-ignore-error-when-closing-session.patch | 1 -
17 files changed, 114 insertions(+), 123 deletions(-)
create mode 100644 package/libs/openssl/files/afalg.cnf
create mode 100644 package/libs/openssl/files/devcrypto.cnf
create mode 100644 package/libs/openssl/files/engines.cnf
create mode 100644 package/libs/openssl/files/padlock.cnf
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 7ab4c6ccd0..69616f01e8 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=k
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_USE_MIPS16:=0
ENGINES_DIR=engines-1.1
@@ -146,7 +146,7 @@ endef
define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
See
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "afalg"
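Review bot: The afalg description now points only at engines.cnf, although the install hunk further down also ships `./files/afalg.cnf` into /etc/ssl/engines.cnf.d. Only the devcrypto description tells the user that a per-engine file exists. Consider adding the matching sentence here, `You may configure the engine by editing /etc/ssl/engines.cnf.d/afalg.cnf.` The same applies to the padlock description hunk, assuming padlock.cnf (listed in the diffstat) is installed the same way. The description block continues past the end of this hunk.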
@@ -163,7 +163,8 @@ endef
define Package/libopenssl-devcrypto/description
This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in
/etc/ssl/engines.cnf.d/engines.cnf. You may
+configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
See
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "devcrypto"
@@ -179,7 +180,7 @@ endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
See
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "padlock"
@@ -376,8 +377,9 @@ define Package/libopenssl/install
endef
define Package/libopenssl-conf/install
- $(INSTALL_DIR) $(1)/etc/ssl
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
endef
define Package/openssl-util/install
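Review bot: In Package/libopenssl-conf/install the new `engines.cnf` is copied with `$(CP)`, which takes its mode from the build tree, while the per-engine files in the next hunk use `$(INSTALL_DATA)`. This file selects which engine modules libcrypto loads, so its permissions should be pinned the same way: `$(INSTALL_DATA) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/`. The visible hunks also do not show the files under /etc/ssl/engines.cnf.d being added to a `conffiles` section. If they are not declared elsewhere in the Makefile, a user's edits enabling or tuning an engine would probably be lost on upgrade, so that is worth confirming.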
@@ -386,18 +388,24 @@ define Package/openssl-util/install
endef
define Package/libopenssl-afalg/install
- $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so
$(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \
+ $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so
$(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
endef
define Package/libopenssl-devcrypto/install
- $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so
$(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \
+ $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so
$(1)/usr/lib/$(ENGINES_DIR)
+