[openwrt/openwrt] openssl: always build with GOST engine support

Tue Feb 23 18:31:11 EST 2021

hauke pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/12a80e44b914a00fa39daae5474b3964f246ddc3

commit 12a80e44b914a00fa39daae5474b3964f246ddc3
Author: Eneas U de Queiroz <cotequeiroz at gmail.com>
AuthorDate: Wed Feb 17 21:50:08 2021 -0300

    openssl: always build with GOST engine support
    
    The packages feed has a proposed package for a GOST engine, which needs
    support from the main openssl library.  It is a default option in
    OpenSSL.  All that needs to be done here is to not disable it.
    
    Package increases by a net 1-byte, so it is not really really worth
    keeping this optional.
    
    This commit also includes a commented-out example engine configuration
    in openssl.cnf, as it is done for other available engines.
    
    Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
---
 package/libs/openssl/Config.in                        | 11 -----------
 package/libs/openssl/Makefile                         |  7 +------
 .../patches/150-openssl.cnf-add-engines-conf.patch    | 19 ++++++++++++++++++-
 3 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index d1281ec6fa..bc2f0584b6 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -293,15 +293,4 @@ config OPENSSL_WITH_ASYNC
 		initiate crypto operations asynchronously. In order to work
 		this will require the presence of an async capable engine.
 
-config OPENSSL_WITH_GOST
-	bool
-	prompt "Prepare library for GOST engine"
-	depends on OPENSSL_ENGINE
-	help
-		This option prepares the library to accept engine support
-		for Russian GOST crypto algorithms.
-		The gost engine is not included in standard openwrt feeds.
-		To build such engine yourself, see:
-		https://github.com/gost-engine/engine
-
 endif
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 7dbbd65026..436abfd94c 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=j
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -52,7 +52,6 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_OPENSSL_WITH_DTLS \
 	CONFIG_OPENSSL_WITH_EC2M \
 	CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
-	CONFIG_OPENSSL_WITH_GOST \
 	CONFIG_OPENSSL_WITH_IDEA \
 	CONFIG_OPENSSL_WITH_MDC2 \
 	CONFIG_OPENSSL_WITH_NPN \
@@ -289,10 +288,6 @@ else
   OPENSSL_OPTIONS += no-engine
 endif
 
-ifndef CONFIG_OPENSSL_WITH_GOST
-  OPENSSL_OPTIONS += no-gost
-endif
-
 ifndef CONFIG_OPENSSL_WITH_DTLS
   OPENSSL_OPTIONS += no-dtls
 endif
diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
index 81d41963c6..c90fce2442 100644
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -1,6 +1,6 @@
 --- a/apps/openssl.cnf
 +++ b/apps/openssl.cnf
-@@ -22,6 +22,82 @@ oid_section		= new_oids
+@@ -22,6 +22,99 @@ oid_section		= new_oids
  # (Alternatively, use a configuration file that has only
  # X.509v3 extensions in its main [= default] section.)
  
@@ -14,6 +14,7 @@
 +#devcrypto=devcrypto
 +#afalg=afalg
 +#padlock=padlock
++##gost=gost
 +
 +[afalg]
 +# Leave this alone and configure algorithms with CIPERS/DIGESTS below
@@ -79,6 +80,22 @@
 +
 +[padlock]
 +default_algorithms = ALL
++
++[gost]
++default_algorithms = ALL
++# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the
++# user to choose between different parameter sets of symmetric cipher
++# algorithm. RFC 4357 specifies several parameters for the
++# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface
++# to choose one when encrypting. So use engine configuration parameter
++# instead.
++# Value of this parameter can be either short name, defined in OpenSSL
++# obj_dat.h header file or numeric representation of OID, defined in
++# RFC 4357.  Defaults to id-tc26-gost-28147-param-Z
++#CRYPT_PARAMS = id-tc26-gost-28147-param-Z
++
++# PBE_PARAMS: Shortname of default digest alg for PBE
++#PBE_PARAMS =
 +
  [ new_oids ]
  

