[openwrt/openwrt] openssl: configure engine packages during install
LEDE Commits
lede-commits at lists.infradead.org
Tue Feb 22 07:37:40 PST 2022
ynezz pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/30b0351039850d01c382b745a1f40b81b4be2a93
commit 30b0351039850d01c382b745a1f40b81b4be2a93
Author: Eneas U de Queiroz <cotequeiroz at gmail.com>
AuthorDate: Sun Feb 20 21:09:29 2022 -0300
openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.
The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.
Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
---
package/libs/openssl/Makefile | 58 ++++++---------
package/libs/openssl/engine.mk | 82 ++++++++++++++++++++++
package/libs/openssl/files/engines.cnf | 12 ++--
.../patches/150-openssl.cnf-add-engines-conf.patch | 2 +-
4 files changed, 111 insertions(+), 43 deletions(-)
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 737123930c..3a0666ff8e 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,9 +11,8 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=m
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
PKG_BUILD_PARALLEL:=1
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
+include engine.mk
ifneq ($(CONFIG_CCACHE),)
HOSTCC=$(HOSTCC_NOCACHE)
@@ -128,6 +128,9 @@ endef
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
endef
define Package/libopenssl-conf/description
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
endef
+$(eval $(call Package/openssl/add-engine,afalg))
define Package/libopenssl-afalg
$(call Package/openssl/Default)
- SUBMENU:=SSL
+ $(call Package/openssl/engine/Default)
TITLE:=AFALG hardware acceleration engine
- DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
- +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+ DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+ @!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "afalg"
endef
+$(eval $(call Package/openssl/add-engine,devcrypto))
define Package/libopenssl-devcrypto
$(call Package/openssl/Default)
- SUBMENU:=SSL
+ $(call Package/openssl/engine/Default)
TITLE:=/dev/crypto hardware acceleration engine
- DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
- @!OPENSSL_ENGINE_BUILTIN
+ DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-devcrypto/description
This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "devcrypto"
endef
+$(eval $(call Package/openssl/add-engine,padlock))
define Package/libopenssl-padlock
$(call Package/openssl/Default)
- SUBMENU:=SSL
+ $(call Package/openssl/engine/Default)
TITLE:=VIA Padlock hardware acceleration engine
- DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
- +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+ DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+ @!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "padlock"
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+ $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
+ $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
+ echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
+ $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
+ echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
endef
define Package/openssl-util/install
@@ -387,27 +394,6 @@ define Package/openssl-util/install
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
endef
-define Package/libopenssl-afalg/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \
- $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
-define Package/libopenssl-devcrypto/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \
- $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_DATA) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
-define Package/libopenssl-padlock/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \
- $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_DATA) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
$(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,libopenssl-conf))
$(eval $(call BuildPackage,libopenssl-afalg))
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
new file mode 100644
index 0000000000..482b5ad5e8
--- /dev/null
+++ b/package/libs/openssl/engine.mk
@@ -0,0 +1,82 @@
+ENGINES_DIR=engines-1.1
+
+define Package/openssl/engine/Default
+ SECTION:=libs
+ CATEGORY:=Libraries
+ SUBMENU:=SSL
+ DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf
+endef
+
+# 1 = engine name
+# 2 - package name, defaults to libopenssl-$(1)
+define Package/openssl/add-engine
+ OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1))
+ Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf
+
+ define Package/$$(OSSL_ENG_PKG)/install
+ $$(INSTALL_DIR) $$(1)/usr/lib/$(ENGINES_DIR)
+ $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \
+ $$(1)/usr/lib/$(ENGINES_DIR)
+ $$(INSTALL_DIR) $$(1)/etc/ssl/engines.cnf.d
+ $$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/
+ endef
+
+ define Package/$$(OSSL_ENG_PKG)/postinst :=
+#!/bin/sh
+# $$$$1 == non-empty: suggest reinstall
+error_out() {
+ [ "$1" ] && cat <<- EOF
+ Reinstalling the libopenssl-conf package may fix this:
+
+ opkg install --force-reinstall libopenssl-conf
+ EOF
+ cat <<- EOF
+
+ Then, you will have to reinstall this package, and any other engine package you have
+ you have previously installed to ensure they are enabled:
+
+ opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]...
+
+ EOF
+ exit 1
+}
+ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
+OPENSSL_CNF="$$$${IPKG_INSTROOT}/etc/ssl/openssl.cnf"
+if [ ! -f "$$$${OPENSSL_CNF}" ]; then
+ echo -e "ERROR: File $$$${OPENSSL_CNF} not found."
+ error_out reinstall
+fi
+if ! grep -q "^.include /etc/ssl/engines.cnf.d" "$$$${OPENSSL_CNF}"; then
+ cat <<- EOF
+ Your /etc/ssl/openssl.cnf file is not loading engine configuration files from
+ /etc/ssl/engines.cnf.d. You should consider start with a fresh, updated OpenSSL config by
+ running:
+
+ opkg install --force-reinstall --force-maintainer libopenssl-conf
+
+ The above command will overwrite any changes you may have made to both /etc/ssl/openssl.cnf
+ and /etc/ssl/engines.cnf.d/engines.cnf files, so back them up first!
+ EOF
+ error_out
+fi
+if [ ! -f "$$$${ENGINES_CNF}" ]; then
+ echo "Can't configure $$(OSSL_ENG_PKG): File $$$${ENGINES_CNF} not found."
+ error_out reinstall
+fi
+if grep -q "$(1)=$(1)" "$$$${ENGINES_CNF}"; then
+ echo "$$(OSSL_ENG_PKG): $(1) engine was already configured. Nothing to be done."
+else
+ echo "$(1)=$(1)" >> "$$$${ENGINES_CNF}"
+ echo "$$(OSSL_ENG_PKG): $(1) engine enabled. All done!"
+fi
+ endef
+
+ define Package/$$(OSSL_ENG_PKG)/prerm :=
+#!/bin/sh
+ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
+[ -f "$$$${ENGINES_CNF}" ] || exit 0
+sed -e '/$(1)=$(1)/d' -i "$$$${ENGINES_CNF}"
+ endef
+endef
+
+
diff --git a/package/libs/openssl/files/engines.cnf b/package/libs/openssl/files/engines.cnf
index d034ab5a30..333b1d6c25 100644
--- a/package/libs/openssl/files/engines.cnf
+++ b/package/libs/openssl/files/engines.cnf
@@ -1,7 +1,7 @@
-[engines]
-# To enable an engine, install the package, and uncomment it here:
-#devcrypto=devcrypto
-#afalg=afalg
-#padlock=padlock
-#gost=gost
+# This file should only contain the [engines] section
+# It is subject to change by installing OpenSSL engine packages
+# Any lines that have the sequence "engine-name=engine-name" will
+# be removed when the respective engine gets uninstalled.
+# You may avoid that by adding a space before/after the = sign.
+[engines]
diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
index 387c3ce11e..3db7a19212 100644
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -4,7 +4,7 @@ Date: Sat, 27 Mar 2021 17:43:25 -0300
Subject: openssl.cnf: add engine configuration
This adds configuration options for engines, loading all cnf files under
-/etc/ssl/engines.d/.
+/etc/ssl/engines.cnf.d/.
Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
More information about the lede-commits
mailing list