[PATCH] package: openssl: Enable built engines per default
Eneas U de Queiroz
cotequeiroz at gmail.com
Tue Apr 27 14:38:27 BST 2021
> >> How about if we create a uci default script and check on the running
> >> system what is installed?
> >> And then we could generate a file and add or remove an include line
> >> form
> >> the openssl.cnf [1]?
> >
> > I think we can manage something like that. The .include option can
> > load all files in a directory (/etc/ssl/engines.d/), and won't fail if
> > there aren't any files--the directory itself must exist. Each engine
> > package can install its own file there, ahd have a post-install script
> > that adds a line to an "engines.cnf" file if there isn't any:
> >
> > add_engine() {
> > # $1 = engine name (engine .so file without the .so extension)
> > grep -q "$1=$1" /etc/ssl/engines.d/engines.cnf && return
> > echo "$1=$1" >> /etc/ssl/engines.d/engines.cnf
> > }
> >
> > /etc/ssl/engines.d/engines.cnf would start out with just the [engines]
> > header and some comments explaining its use and warning not to edit
> > something that would break things.
> >
> > What do you think?
>
> The plan sounds good :+1:
>
Hi
I'm testing that proposal, and it's almost ready. I've expanded it to
use uci to enable/disable the engines, but I'm still running tests to
catch corner cases. I am not able to test the padlock engine, but its
usage should be like devcrypto. Afalg is more complicated if built
into the library, because openssl does not initialize it like other
builtin engines. There's no way to configure it for general use when
built that way.
Cheers,
Eneas
More information about the openwrt-devel
mailing list