[openwrt/openwrt] openssl: configure engine packages during install



ynezz pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/30b0351039850d01c382b745a1f40b81b4be2a93

commit 30b0351039850d01c382b745a1f40b81b4be2a93
Author: Eneas U de Queiroz <cotequeiroz at gmail.com>
AuthorDate: Sun Feb 20 21:09:29 2022 -0300

    openssl: configure engine packages during install
    
    This enables an engine during its package's installation, by adding it
    to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.
    
    The engine build system was reworked, with the addition of an engine.mk
    file that groups some of the engine packages' definitions, and could be
    used by out-of-tree engines as well.
    
    Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
---
 package/libs/openssl/Makefile                      | 58 ++++++---------
 package/libs/openssl/engine.mk                     | 82 ++++++++++++++++++++++
 package/libs/openssl/files/engines.cnf             | 12 ++--
 .../patches/150-openssl.cnf-add-engines-conf.patch |  2 +-
 4 files changed, 111 insertions(+), 43 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 737123930c..3a0666ff8e 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,9 +11,8 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
 
 PKG_BUILD_PARALLEL:=1
 
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
+include engine.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
@@ -128,6 +128,9 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
 
 define Package/libopenssl-conf/description
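Review bot: The two added conffiles entries are unconditional: `$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,…)` tests the literal variable name, which is always non-empty, instead of its value, so devcrypto.cnf and padlock.cnf are declared as conffiles even when the builtin engines are disabled and the files are never installed. The libopenssl-conf install recipe further down uses the expanded form `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),…)`, and these two lines should match it: `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/engines.cnf.d/devcrypto.cnf)` and `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/engines.cnf.d/padlock.cnf)`.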
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
 This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
 endef
 
+$(eval $(call Package/openssl/add-engine,afalg))
 define Package/libopenssl-afalg
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=AFALG hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
-	   +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+	     @!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
 endef
 
+$(eval $(call Package/openssl/add-engine,devcrypto))
 define Package/libopenssl-devcrypto
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=/dev/crypto hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
-	   @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.  You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
 endef
 
+$(eval $(call Package/openssl/add-engine,padlock))
 define Package/libopenssl-padlock
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=VIA Padlock hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
-	   +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+	     @!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
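Review bot: The libopenssl-devcrypto description drops the sentence pointing at /etc/ssl/engines.cnf.d/devcrypto.cnf, although the package still ships that file as its conffile, and none of the three descriptions say that installing the package now enables the engine. Keep `You may configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.` in the devcrypto description, and add to each of the three a line such as `The engine is enabled in /etc/ssl/engines.cnf.d/engines.cnf when this package is installed and disabled again when it is removed.`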
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
 	$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
 	$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
 	$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
+		$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
+		echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
+		$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
+		echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
 endef
 
 define Package/openssl-util/install
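Review bot: The builtin-engine branches copy devcrypto.cnf and padlock.cnf with `$(CP)`, while the engine packages install the same kind of file with `$(INSTALL_DATA)`; `$(CP)` keeps whatever mode the checked-out file has, whereas `$(INSTALL_DATA)` installs it with a fixed data mode, so the two paths should agree, e.g. `$(INSTALL_DATA) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/` and `$(INSTALL_DATA) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/`.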
@@ -387,27 +394,6 @@ define Package/openssl-util/install
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
 endef
 
-define Package/libopenssl-afalg/install
-	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
-			$(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_DATA)	./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
-define Package/libopenssl-devcrypto/install
-	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
-			$(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_DATA)	./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
-define Package/libopenssl-padlock/install
-	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
-			$(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_DATA)	./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
 $(eval $(call BuildPackage,libopenssl))
 $(eval $(call BuildPackage,libopenssl-conf))
 $(eval $(call BuildPackage,libopenssl-afalg))
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
new file mode 100644
index 0000000000..482b5ad5e8
--- /dev/null
+++ b/package/libs/openssl/engine.mk
@@ -0,0 +1,82 @@
+ENGINES_DIR=engines-1.1
+
+define Package/openssl/engine/Default
+  SECTION:=libs
+  CATEGORY:=Libraries
+  SUBMENU:=SSL
+  DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf
+endef
+
+# 1 = engine name
+# 2 - package name, defaults to libopenssl-$(1)
+define Package/openssl/add-engine
+  OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1))
+  Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf
+
+  define Package/$$(OSSL_ENG_PKG)/install
+	$$(INSTALL_DIR)  $$(1)/usr/lib/$(ENGINES_DIR)
+	$$(INSTALL_BIN)  $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \
+			 $$(1)/usr/lib/$(ENGINES_DIR)
+	$$(INSTALL_DIR)  $$(1)/etc/ssl/engines.cnf.d
+	$$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/
+  endef
+
+  define Package/$$(OSSL_ENG_PKG)/postinst :=
+#!/bin/sh
+# $$$$1 == non-empty: suggest reinstall
+error_out() {
+    [ "$1" ] && cat <<- EOF
+	Reinstalling the libopenssl-conf package may fix this:
+
+	    opkg install --force-reinstall libopenssl-conf
+	EOF
+    cat <<- EOF
+
+	Then, you will have to reinstall this package, and any other engine package you have
+	you have previously installed to ensure they are enabled:
+
+	    opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]...
+
+	EOF
+    exit 1
+}
+ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
+OPENSSL_CNF="$$$${IPKG_INSTROOT}/etc/ssl/openssl.cnf"
+if [ ! -f "$$$${OPENSSL_CNF}" ]; then
+    echo -e "ERROR: File $$$${OPENSSL_CNF} not found."
+    error_out reinstall
+fi
+if ! grep -q "^.include /etc/ssl/engines.cnf.d" "$$$${OPENSSL_CNF}"; then
+    cat <<- EOF
+	Your /etc/ssl/openssl.cnf file is not loading engine configuration files from
+	/etc/ssl/engines.cnf.d.  You should consider start with a fresh, updated OpenSSL config by
+	running:
+
+	    opkg install --force-reinstall --force-maintainer libopenssl-conf
+
+	The above command will overwrite any changes you may have made to both /etc/ssl/openssl.cnf
+	and /etc/ssl/engines.cnf.d/engines.cnf files, so back them up first!
+	EOF
+    error_out
+fi
+if [ ! -f "$$$${ENGINES_CNF}" ]; then
+    echo "Can't configure $$(OSSL_ENG_PKG): File $$$${ENGINES_CNF} not found."
+    error_out reinstall
+fi
+if grep -q "$(1)=$(1)" "$$$${ENGINES_CNF}"; then
+    echo "$$(OSSL_ENG_PKG): $(1) engine was already configured.  Nothing to be done."
+else
+    echo "$(1)=$(1)" >> "$$$${ENGINES_CNF}"
+    echo "$$(OSSL_ENG_PKG): $(1) engine enabled.  All done!"
+fi
+  endef
+
+  define Package/$$(OSSL_ENG_PKG)/prerm :=
+#!/bin/sh
+ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
+[ -f "$$$${ENGINES_CNF}" ] || exit 0
+sed -e '/$(1)=$(1)/d' -i "$$$${ENGINES_CNF}"
+  endef
+endef
+
+
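Review bot: In the generated postinst, `[ "$1" ] && cat <<- EOF` uses a single-dollar `$1`, which make reads as `$(1)` and replaces with the engine name when `Package/openssl/add-engine` is called, so the test is always true and the "Reinstalling the libopenssl-conf package may fix this" hint is printed even when error_out is called without an argument for the missing-.include case; the escaping should match the comment just above it: `[ "$$$$1" ] && cat <<- EOF`. The check `grep -q "$(1)=$(1)"` is unanchored, so a commented `#afalg=afalg` line of the kind the previous files/engines.cnf shipped for every engine, if it survives in a user-edited copy, makes postinst report the engine as already configured without enabling it; anchoring it, `if grep -q "^$(1)=$(1)" "$$$${ENGINES_CNF}"; then`, avoids that (the prerm sed keeps its wider match, which the new engines.cnf comment documents). `echo -e` in the missing-openssl.cnf message has no escape sequences to interpret and is not portable across /bin/sh implementations, so a plain `echo` would do.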
diff --git a/package/libs/openssl/files/engines.cnf b/package/libs/openssl/files/engines.cnf
index d034ab5a30..333b1d6c25 100644
--- a/package/libs/openssl/files/engines.cnf
+++ b/package/libs/openssl/files/engines.cnf
@@ -1,7 +1,7 @@
-[engines]
-# To enable an engine, install the package, and uncomment it here:
-#devcrypto=devcrypto
-#afalg=afalg
-#padlock=padlock
-#gost=gost
+# This file should only contain the [engines] section
+# It is subject to change by installing OpenSSL engine packages
+# Any lines that have the sequence "engine-name=engine-name" will
+# be removed when the respective engine gets uninstalled.
+# You may avoid that by adding a space before/after the  = sign.
 
+[engines]
diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
index 387c3ce11e..3db7a19212 100644
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -4,7 +4,7 @@ Date: Sat, 27 Mar 2021 17:43:25 -0300
 Subject: openssl.cnf: add engine configuration
 
 This adds configuration options for engines, loading all cnf files under
-/etc/ssl/engines.d/.
+/etc/ssl/engines.cnf.d/.
 
 Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
 


