openssl: config engines in /etc/ssl/engines.cnf.d

This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. Patches were refreshed with --zero-commit. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-20 21:09:28 -03:00 · 2022-02-20 21:09:28 -03:00 · 17a6ca12d3
commit 17a6ca12d3
parent aae7af4219
16 changed files with 82 additions and 119 deletions
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@ -146,7 +146,7 @@ endef
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
@ -163,7 +163,8 @@ endef
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.  You may
 configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
@ -179,7 +180,7 @@ endef
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@ -376,8 +377,9 @@ define Package/libopenssl/install
 endef
 define Package/libopenssl-conf/install
-	$(INSTALL_DIR) $(1)/etc/ssl
+	$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
 	$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
 	$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 define Package/openssl-util/install
@ -386,18 +388,24 @@ define Package/openssl-util/install
 endef
 define Package/libopenssl-afalg/install
-	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
 			$(1)/usr/lib/$(ENGINES_DIR)
 	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
 	$(INSTALL_DATA)	./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 define Package/libopenssl-devcrypto/install
-	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
 			$(1)/usr/lib/$(ENGINES_DIR)
 	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
 	$(INSTALL_DATA)	./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 define Package/libopenssl-padlock/install
-	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
 			$(1)/usr/lib/$(ENGINES_DIR)
 	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
 	$(INSTALL_DATA)	./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 $(eval $(call BuildPackage,libopenssl))
--- a/package/libs/openssl/files/afalg.cnf
+++ b/package/libs/openssl/files/afalg.cnf
@ -0,0 +1,3 @@
 [afalg]
 default_algorithms = ALL
--- a/package/libs/openssl/files/devcrypto.cnf
+++ b/package/libs/openssl/files/devcrypto.cnf
@ -0,0 +1,31 @@
 [devcrypto]
 # Leave this alone and configure algorithms with CIPERS/DIGESTS below
 default_algorithms = ALL
 # Configuration commands:
 # Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
 # list of supported algorithms, along with their driver, whether they
 # are hw accelerated or not, and the engine's configuration commands.
 # USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
 # drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
 # if acceleration can't be determined) [default=2]
 #USE_SOFTDRIVERS = 2
 # CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
 # enable [default=ALL]
 # It is recommended to disable the ECB ciphers; in most cases, it will
 # only be used for PRNG, in small blocks, where performance is poor,
 # and there may be problems with apps forking with open crypto
 # contexts, leading to failures.  The CBC ciphers work well:
 #CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
 # DIGESTS: either ALL, NONE, or a comma-separated list of digests to
 # enable [default=NONE]
 # It is strongly recommended not to enable digests; their performance
 # is poor, and there are many cases in which they will not work,
 # especially when calling fork with open crypto contexts.  Openssh,
 # for example, does this, and you may not be able to login.
 #DIGESTS = NONE
--- a/package/libs/openssl/files/engines.cnf
+++ b/package/libs/openssl/files/engines.cnf
@ -0,0 +1,7 @@
 [engines]
 # To enable an engine, install the package, and uncomment it here:
 #devcrypto=devcrypto
 #afalg=afalg
 #padlock=padlock
 #gost=gost
--- a/package/libs/openssl/files/padlock.cnf
+++ b/package/libs/openssl/files/padlock.cnf
@ -0,0 +1,3 @@
 [padlock]
 default_algorithms = ALL
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@ -1,4 +1,4 @@
-From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <cote2004-github@yahoo.com>
 Date: Thu, 27 Sep 2018 08:29:21 -0300
 Subject: Do not use host kernel version to disable AFALG
@ -9,7 +9,6 @@ version to disable building the AFALG engine on openwrt targets.
 Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
 diff --git a/Configure b/Configure
 index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
--- a/package/libs/openssl/patches/110-openwrt_targets.patch
+++ b/package/libs/openssl/patches/110-openwrt_targets.patch
@ -1,4 +1,4 @@
-From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <cote2004-github@yahoo.com>
 Date: Thu, 27 Sep 2018 08:30:24 -0300
 Subject: Add openwrt targets
@ -9,7 +9,6 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
 diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf
 new file mode 100644
 index 0000000000..86a86d31e4
 --- /dev/null
 +++ b/Configurations/25-openwrt.conf
@@ -0,0 +1,52 @@
--- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
+++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
@ -1,4 +1,4 @@
-From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <cote2004-github@yahoo.com>
 Date: Thu, 27 Sep 2018 08:31:38 -0300
 Subject: Avoid exposing build directories
@ -9,7 +9,6 @@ OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
 Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
 diff --git a/crypto/build.info b/crypto/build.info
 index 2c619c62e8..893128345a 100644
 --- a/crypto/build.info
 +++ b/crypto/build.info
@@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
--- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
+++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
@ -1,4 +1,4 @@
-From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <cote2004-github@yahoo.com>
 Date: Thu, 27 Sep 2018 08:34:38 -0300
 Subject: Do not build tests and fuzz directories
@ -8,7 +8,6 @@ This shortens build time.
 Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
 diff --git a/Configure b/Configure
 index 74d057c219..5813e9f8fe 100755
 --- a/Configure
 +++ b/Configure
@@ -318,7 +318,7 @@ my $auto_threads=1;    # enable threads automatically? true by default
--- a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
+++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
@ -1,4 +1,4 @@
-From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <cote2004-github@yahoo.com>
 Date: Thu, 27 Sep 2018 08:44:39 -0300
 Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
@ -15,7 +15,6 @@ when the client has it on top of its ciphersuite preference.
 Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
 index 6724ccf2d2..96d959427e 100644
 --- a/include/openssl/ssl.h
 +++ b/include/openssl/ssl.h
@@ -173,9 +173,15 @@ extern "C" {
@ -38,7 +37,6 @@ index 6724ccf2d2..96d959427e 100644
 #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
                                    "TLS_AES_128_GCM_SHA256"
 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
 index 27a1b2ec68..7039811323 100644
 --- a/ssl/ssl_ciph.c
 +++ b/ssl/ssl_ciph.c
@@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@ -1,6 +1,17 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <cotequeiroz@gmail.com>
 Date: Sat, 27 Mar 2021 17:43:25 -0300
 Subject: openssl.cnf: add engine configuration
 This adds configuration options for engines, loading all cnf files under
 /etc/ssl/engines.d/.
 Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
 diff --git a/apps/openssl.cnf b/apps/openssl.cnf
 --- a/apps/openssl.cnf
 +++ b/apps/openssl.cnf
-@@ -22,6 +22,99 @@ oid_section		= new_oids
+@@ -22,6 +22,13 @@ oid_section		= new_oids
 # (Alternatively, use a configuration file that has only
 # X.509v3 extensions in its main [= default] section.)
@ -9,93 +20,7 @@
 +[openssl_conf]
 +engines=engines
 +
-+[engines]
+.include /etc/ssl/engines.cnf.d
 +# To enable an engine, install the package, and uncomment it here:
 +#devcrypto=devcrypto
 +#afalg=afalg
 +#padlock=padlock
 +##gost=gost
 +
 +[afalg]
 +# Leave this alone and configure algorithms with CIPERS/DIGESTS below
 +default_algorithms = ALL
 +
 +# The following commands are only available if using the alternative
 +# (sync) AFALG engine
 +# Configuration commands:
 +# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
 +# list of supported algorithms, along with their driver, whether they
 +# are hw accelerated or not, and the engine's configuration commands.
 +
 +# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
 +# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
 +# if acceleration can't be determined) [default=2]
 +#USE_SOFTDRIVERS = 2
 +
 +# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a
 +# comma-separated list of ciphers to enable [default=NO_ECB]
 +# Starting in 1.2.0, if you use a cipher list, each cipher may be
 +# followed by a colon (:) and the minimum request length to use
 +# AF_ALG drivers for that cipher; smaller requests are processed by
 +# softare; a negative value will use the default for that cipher
 +#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0
 +
 +# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
 +# enable [default=NONE]
 +# It is strongly recommended not to enable digests; their performance
 +# is poor, and there are many cases in which they will not work,
 +# especially when calling fork with open crypto contexts.  Openssh,
 +# for example, does this, and you may not be able to login.
 +#DIGESTS = NONE
 +
 +[devcrypto]
 +# Leave this alone and configure algorithms with CIPERS/DIGESTS below
 +default_algorithms = ALL
 +
 +# Configuration commands:
 +# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
 +# list of supported algorithms, along with their driver, whether they
 +# are hw accelerated or not, and the engine's configuration commands.
 +
 +# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
 +# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
 +# if acceleration can't be determined) [default=2]
 +#USE_SOFTDRIVERS = 2
 +
 +# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
 +# enable [default=ALL]
 +# It is recommended to disable the ECB ciphers; in most cases, it will
 +# only be used for PRNG, in small blocks, where performance is poor,
 +# and there may be problems with apps forking with open crypto
 +# contexts, leading to failures.  The CBC ciphers work well:
 +#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
 +
 +# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
 +# enable [default=NONE]
 +# It is strongly recommended not to enable digests; their performance
 +# is poor, and there are many cases in which they will not work,
 +# especially when calling fork with open crypto contexts.  Openssh,
 +# for example, does this, and you may not be able to login.
 +#DIGESTS = NONE
 +
 +[padlock]
 +default_algorithms = ALL
 +
 +[gost]
 +default_algorithms = ALL
 +# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the
 +# user to choose between different parameter sets of symmetric cipher
 +# algorithm. RFC 4357 specifies several parameters for the
 +# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface
 +# to choose one when encrypting. So use engine configuration parameter
 +# instead.
 +# Value of this parameter can be either short name, defined in OpenSSL
 +# obj_dat.h header file or numeric representation of OID, defined in
 +# RFC 4357.  Defaults to id-tc26-gost-28147-param-Z
 +#CRYPT_PARAMS = id-tc26-gost-28147-param-Z
 +
 +# PBE_PARAMS: Shortname of default digest alg for PBE
 +#PBE_PARAMS =
 +
 [ new_oids ]
--- a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch
+++ b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch
@ -1,4 +1,4 @@
-From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <cote2004-github@yahoo.com>
 Date: Mon, 5 Nov 2018 15:54:17 -0200
 Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT
@ -15,7 +15,6 @@ Reviewed-by: Richard Levitte <levitte@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/7585)
 diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
 index a727c6f646..a2c9a966f7 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
@@ -461,6 +461,7 @@ struct digest_ctx {
--- a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch
+++ b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch
@ -1,4 +1,4 @@
-From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <cote2004-github@yahoo.com>
 Date: Tue, 6 Nov 2018 22:54:07 -0200
 Subject: eng_devcrypto: add command to dump driver info
@ -12,7 +12,6 @@ Reviewed-by: Richard Levitte <levitte@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/7585)
 diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
 index 5ec38ca8f3..64dc6b891d 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS;
--- a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
+++ b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
@ -9,7 +9,6 @@ engines/e_devcrypto.c.
 Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
 diff --git a/crypto/engine/build.info b/crypto/engine/build.info
 index e00802a3fd..47fe948966 100644
 --- a/crypto/engine/build.info
 +++ b/crypto/engine/build.info
@@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\
@ -20,7 +19,6 @@ index e00802a3fd..47fe948966 100644
 -  SOURCE[../../libcrypto]=eng_devcrypto.c
 -ENDIF
 diff --git a/crypto/init.c b/crypto/init.c
 index 1b0d523bea..ee3e2eb075 100644
 --- a/crypto/init.c
 +++ b/crypto/init.c
@@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl)
@ -86,7 +84,6 @@ index 1b0d523bea..ee3e2eb075 100644
     if ((opts & OPENSSL_INIT_ENGINE_PADLOCK)
             && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock))
 diff --git a/engines/build.info b/engines/build.info
 index 1db771971c..33a25d7004 100644
 --- a/engines/build.info
 +++ b/engines/build.info
@@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}]
@ -116,7 +113,6 @@ diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c
 similarity index 95%
 rename from crypto/engine/eng_devcrypto.c
 rename to engines/e_devcrypto.c
 index 2c1b52d572..eff1ed3a7d 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/engines/e_devcrypto.c
@@ -7,7 +7,7 @@
--- a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
+++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
@ -20,7 +20,6 @@ turn them on if it is safe and fast enough.
 Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
 diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
 index 3fcd81de7a..d25230d366 100644
 --- a/engines/e_devcrypto.c
 +++ b/engines/e_devcrypto.c
@@ -852,7 +852,7 @@ static void prepare_digest_methods(void)
--- a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
+++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
@ -9,7 +9,6 @@ session.  It may have been closed by another process after a fork.
 Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
 diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
 index d25230d366..f4570f1666 100644
 --- a/engines/e_devcrypto.c
 +++ b/engines/e_devcrypto.c
@@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,