[PATCH 3/3] openssl: configure engines with uci

Eneas U de Queiroz cotequeiroz at gmail.com
Wed Apr 28 13:17:04 BST 2021


This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

    config engine 'devcrypto'
            option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it reports which engines are being enabled or skipped.  It
should run before any service that uses OpenSSL as its crypto library,
otherwise that service will not use any engine.

Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
---
 package/libs/openssl/Makefile                 | 13 +++--
 package/libs/openssl/engine.mk                | 58 +++----------------
 .../libs/openssl/files/openssl-engines.init   | 19 ++++++
 package/libs/openssl/files/openssl.init       | 31 ++++++++++
 .../150-openssl.cnf-add-engines-conf.patch    |  5 +-
 5 files changed, 70 insertions(+), 56 deletions(-)
 create mode 100644 package/libs/openssl/files/openssl-engines.init
 create mode 100755 package/libs/openssl/files/openssl.init

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
 $(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
 $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-	$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+	$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d
 	$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
-	$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+	$(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+	$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
+	touch $(1)/etc/config/openssl
 	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
 		$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-		echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+		echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
 	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
 		$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-		echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+		echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
 endef
 
 define Package/openssl-util/install
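Review bot: The new `/etc/config/openssl` is created and seeded in this hunk, but the conffiles hunk above only removes engines.cnf and does not add `/etc/config/openssl`; since every engine package's postinst appends user-visible sections to it, a reinstall or upgrade of libopenssl-conf would overwrite those unless the build already treats /etc/config/* as conffiles (I do not believe it does — please confirm). Add `/etc/config/openssl` to `Package/libopenssl-conf/conffiles`. Separately, `echo -e` is not POSIX and only works because the build shell is bash; `printf "config engine 'devcrypto'\n\toption enabled '1'\n" >> $(1)/etc/config/openssl` (and the same for padlock) is portable and avoids the `-e` dependency.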
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..efa46d7214 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,20 @@ define Package/openssl/add-engine
 
   define Package/$$(OSSL_ENG_PKG)/postinst :=
 #!/bin/sh
-# $$$$1 == non-empty: suggest reinstall
-error_out() {
-    [ "$1" ] && cat <<- EOF
-	Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
 
-	    opkg install --force-reinstall libopenssl-conf
-	EOF
-    cat <<- EOF
+if [ -n "$$$${IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) >/dev/null; then
+    cat << EOF >> "$$$${OPENSSL_UCI}"
 
-	Then, you will have to reinstall this package, and any other engine package you have
-	you have previously installed to ensure they are enabled:
-
-	    opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]...
-
-	EOF
-    exit 1
-}
-ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="$$$${IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "$$$${OPENSSL_CNF}" ]; then
-    echo -e "ERROR: File $$$${OPENSSL_CNF} not found."
-    error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/engines.cnf.d" "$$$${OPENSSL_CNF}"; then
-    cat <<- EOF
-	Your /etc/ssl/openssl.cnf file is not loading engine configuration files from
-	/etc/ssl/engines.cnf.d.  You should consider start with a fresh, updated OpenSSL config by
-	running:
-
-	    opkg install --force-reinstall --force-maintainer libopenssl-conf
-
-	The above command will overwrite any changes you may have made to both /etc/ssl/openssl.cnf
-	and /etc/ssl/engines.cnf.d/engines.cnf files, so back them up first!
-	EOF
-    error_out
-fi
-if [ ! -f "$$$${ENGINES_CNF}" ]; then
-    echo "Can't configure $$(OSSL_ENG_PKG): File $$$${ENGINES_CNF} not found."
-    error_out reinstall
-fi
-if grep -q "$(1)=$(1)" "$$$${ENGINES_CNF}"; then
-    echo "$$(OSSL_ENG_PKG): $(1) engine was already configured.  Nothing to be done."
-else
-    echo "$(1)=$(1)" >> "$$$${ENGINES_CNF}"
-    echo "$$(OSSL_ENG_PKG): $(1) engine enabled.  All done!"
+config engine '$(1)'
+	option enabled '1'
+EOF
 fi
+[ -z "$$$${IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
   endef
 
-  define Package/$$(OSSL_ENG_PKG)/prerm :=
+  define Package/$$(OSSL_ENG_PKG)/postrm :=
 #!/bin/sh
-ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-[ -f "$$$${ENGINES_CNF}" ] || exit 0
-sed -e '/$(1)=$(1)/d' -i "$$$${ENGINES_CNF}"
+[ -z "$$$${IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
   endef
 endef
-
-
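Review bot: The postinst now ends with `[ -z "$$$${IPKG_INSTROOT}" ] && /etc/init.d/openssl reload`, which returns 1 whenever IPKG_INSTROOT is set, so the script's exit status is 1 during image building; if the rootfs assembly treats a failing postinst as a build error (I believe include/rootfs.mk does), selecting any engine package breaks the image build. Invert the test, `[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload`, or add a final `exit 0`; the new postrm at the end of this hunk has the same pattern. Note also that when IPKG_INSTROOT is set the section is appended without the `uci -q get` check, so a name already seeded by libopenssl-conf would be duplicated — harmless for uci, but worth a comment. The enclosing `define Package/openssl/add-engine` starts before this hunk.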
diff --git a/package/libs/openssl/files/openssl-engines.init b/package/libs/openssl/files/openssl-engines.init
new file mode 100644
index 0000000000..050a96f70a
--- /dev/null
+++ b/package/libs/openssl/files/openssl-engines.init
@@ -0,0 +1,19 @@
+#!/bin/sh /etc/rc.common
+
+START=05
+OSSL_ENGINES_CNF="/etc/ssl/engines.cnf.d/engines.cnf"
+
+enable_engine() {
+	echo "$1=$1" >> "${OSSL_ENGINES_CNF}"
+}
+
+boot () {
+	config_load openssl
+
+	cat <<- EOF > /etc/ssl/engines.cnf.d/engines.cnf
+		# This file is automatically generated at boot time.
+		# Use uci add_list openssl.engines ENGINE_NAME to enable an engine
+		[engines]
+		EOF
+	config_list_foreach openssl.openssl[0] engines enable_engine
+}
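Review bot: openssl-engines.init is not installed by the Makefile hunk in this series (only ./files/openssl.init is copied to /etc/init.d/openssl), and it implements a different uci schema (a list option `engines` on `openssl.openssl[0]`) writing to /etc/ssl/engines.cnf.d/engines.cnf, the very file this series stops shipping and removes from conffiles, so it reads as a leftover from an earlier iteration. Drop it from the patch, or install it and reconcile its schema with openssl.init's `config engine` sections, otherwise the commit message and the shipped behaviour disagree. If it is kept, the hard-coded path on the `cat <<- EOF >` line should use `${OSSL_ENGINES_CNF}` like `enable_engine` does.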
diff --git a/package/libs/openssl/files/openssl.init b/package/libs/openssl/files/openssl.init
new file mode 100755
index 0000000000..21e253e7a5
--- /dev/null
+++ b/package/libs/openssl/files/openssl.init
@@ -0,0 +1,31 @@
+#!/bin/sh /etc/rc.common
+
+START=13
+ENGINES_CNF_D="/etc/ssl/engines.cnf.d"
+ENGINES_CNF="/var/etc/ssl/engines.cnf"
+ENGINES_DIR="%ENGINES_DIR%"
+
+config_engine() {
+	local enabled force
+	config_get_bool enabled "$1" enabled 1
+	config_get_bool force "$1" force 0
+	[ "$enabled" = 0 ] && return
+	if [ "$force" = 0 ] && \
+	   [ ! -f "${ENGINES_CNF_D}/$1.cnf" ] && \
+	   [ ! -f "${ENGINES_DIR}/$1.so" ]; then
+	    echo Skipping engine "$1": not installed
+	    return
+	fi
+	echo Enabling engine "$1"
+	echo "$1=$1" >> "${ENGINES_CNF}"
+}
+
+start() {
+	mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1
+	echo Generating engines.cnf
+	echo "# This file is automatically generated from /etc/config/openssl." \
+	      > "${ENGINES_CNF}" || \
+	      { echo Error writing ${ENGINES_CNF} >&2; exit 1; }
+        config_load openssl
+	config_foreach config_engine engine
+}
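Review bot: `start()` truncates `${ENGINES_CNF}` with `>` and then appends one line per engine, so anything that loads openssl.cnf while the script runs (a service starting in parallel, or on `reload` from an engine postinst) can read an empty or partial engine list; write to `${ENGINES_CNF}.tmp` and `mv -f` it into place once `config_foreach` has finished. The `config_load openssl` line is also indented with spaces while the rest of the file uses tabs.

```shell
config_engine() {
	# … unchanged: enabled/force lookup and existence check …
	echo Enabling engine "$1"
	echo "$1=$1" >> "${ENGINES_CNF}.tmp"
}

start() {
	mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1
	echo Generating engines.cnf
	echo "# This file is automatically generated from /etc/config/openssl." \
	      > "${ENGINES_CNF}.tmp" || \
	      { echo Error writing "${ENGINES_CNF}.tmp" >&2; exit 1; }
	config_load openssl
	config_foreach config_engine engine
	mv -f "${ENGINES_CNF}.tmp" "${ENGINES_CNF}" || exit 1
}
```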
diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
index 3db7a19212..8851116347 100644
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -11,7 +11,7 @@ Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
 diff --git a/apps/openssl.cnf b/apps/openssl.cnf
 --- a/apps/openssl.cnf
 +++ b/apps/openssl.cnf
-@@ -22,6 +22,13 @@ oid_section		= new_oids
+@@ -22,6 +22,16 @@ oid_section		= new_oids
  # (Alternatively, use a configuration file that has only
  # X.509v3 extensions in its main [= default] section.)
  
@@ -20,6 +20,9 @@ diff --git a/apps/openssl.cnf b/apps/openssl.cnf
 +[openssl_conf]
 +engines=engines
 +
++[engines]
++.include /var/etc/ssl/engines.cnf
++
 +.include /etc/ssl/engines.cnf.d
 +
  [ new_oids ]
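Review bot: The added `.include /var/etc/ssl/engines.cnf` points at a file that only exists after /etc/init.d/openssl has run (and /var is tmpfs), so every OpenSSL consumer that starts earlier, or runs after a failed write, parses a config referencing a missing file; as far as I recall OpenSSL 1.1.1 treats a missing `.include` as non-fatal but still records it on the error queue, which some callers surface. Please confirm that behaviour and document it next to the include, e.g. `# generated at boot by /etc/init.d/openssl; absent until that script has run`. The first hunk in this file only adjusts the embedded hunk's line count and needs no change.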


