[PATCH v4 0/3] openssl: Engine configuration series
Eneas U de Queiroz
cotequeiroz at gmail.com
Sun Feb 20 16:09:27 PST 2022
This series builds upon what was first started by Daniel Danzberger,
with some suggestions by Florian Eckert to enable the engines when they
are installed.
The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and
also splits the configuration from one monolithic file to one file per
engine, and also an engines list.
- the second implements my first proposal, of enabling engines during
their installation. It introduces an engine.mk file that provides
menu placement, basic dependencies and the postinst, postrm functions
for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines
list generation during startup, or when an engine package is
installed or removed.
The first commit received basic testing on mvebu running master,
covering afalg and devcrypto engines built as modules.
The second and third commits had testing expanded to checking built-in
engine builds.
I have not squashed the commits, but I do think that 2 and 3 may be
squashed if 3 is merged. The first one is just cleanup, and the second
adds complexity that ended up being removed by the third commit.
Nonetheless, all of them result in a working package.
I thought about expanding uci support to include other configuration
commands, but it would drop the documentation provided by the current
config files. Besides, each engine has its own options, which would
add complexity to config generation if you are to actually verify them.
Passing unknown commands straight from uci to the config files would be
simple and work, but it would be hard to find what options are
available, compared to just reading the example configs provided
otherwise.
openssl engine -vv would show the commands, with some basic description
of them, but getting the supported arguments may not be straightforward.
For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89
parameters". All I could do to help was to point to a header file where
the actual list of supported parameters is defined.
After this is merged, I will adapt the two engines in the packages feed.
Changelog:
v1->v2:
- fixed postinst & postrm logic that was failing when building the final
image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions
v2->v3:
- actually removed the extra files that I had promised in v2
v3->v4:
- rebased onto current head
- removed non-applicable options from original afalg engine conf file
Eneas U de Queiroz (3):
openssl: config engines in /etc/ssl/engines.cnf.d
openssl: configure engine packages during install
openssl: configure engines with uci
package/libs/openssl/Makefile | 55 +++++-----
package/libs/openssl/engine.mk | 46 ++++++++
package/libs/openssl/files/afalg.cnf | 3 +
package/libs/openssl/files/devcrypto.cnf | 31 ++++++
package/libs/openssl/files/openssl.init | 31 ++++++
package/libs/openssl/files/padlock.cnf | 3 +
.../patches/100-Configure-afalg-support.patch | 3 +-
.../openssl/patches/110-openwrt_targets.patch | 3 +-
.../120-strip-cflags-from-binary.patch | 3 +-
.../patches/130-dont-build-tests-fuzz.patch | 3 +-
.../patches/140-allow-prefer-chacha20.patch | 4 +-
.../150-openssl.cnf-add-engines-conf.patch | 100 +++---------------
...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +-
...ypto-add-command-to-dump-driver-info.patch | 3 +-
...o-make-the-dev-crypto-engine-dynamic.patch | 4 -
...default-to-not-use-digests-in-engine.patch | 1 -
...to-ignore-error-when-closing-session.patch | 1 -
17 files changed, 160 insertions(+), 137 deletions(-)
create mode 100644 package/libs/openssl/engine.mk
create mode 100644 package/libs/openssl/files/afalg.cnf
create mode 100644 package/libs/openssl/files/devcrypto.cnf
create mode 100755 package/libs/openssl/files/openssl.init
create mode 100644 package/libs/openssl/files/padlock.cnf
--
2.34.1
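As an added illustration (not code from this series or from OpenWrt), the following POSIX shell script shows one way the engines list described in the third commit could be regenerated from a directory of per-engine config files, whether at startup or from an engine package's postinst/postrm hook. It assumes a layout of one `<engine>.cnf` per engine under a directory such as `/etc/ssl/engines.cnf.d`, each defining a section named `<engine>_section` that OpenSSL's `.include` directive can pull in; the directory, the section naming, the function names and the sample config files are assumptions, and the series' own section names and generation logic may differ.

```shell
#!/bin/sh
# Hypothetical engines-list generator (added example, not the series' code).
# Assumed layout (not taken from the series):
#   <dir>/afalg.cnf      defines [afalg_section]
#   <dir>/devcrypto.cnf  defines [devcrypto_section]
#   <dir>/engines.cnf    generated here: an [engines] section that maps each
#                        engine id to its section, then one .include per file.
# The main openssl.cnf is assumed to reference the generated file with
#   engines = engines            (inside the openssl_init section)
#   .include <dir>/engines.cnf
# so that adding or removing an <engine>.cnf and re-running the generator is
# all that is needed to enable or disable an engine.

ENGINES_DIR="${ENGINES_DIR:-/etc/ssl/engines.cnf.d}"   # assumed path
ENGINES_LIST="engines.cnf"                             # assumed file name

# Print the engine ids found in a directory, one per line, skipping the
# generated list itself so it is never included into itself.
list_engine_ids() {
    dir="$1"
    for f in "$dir"/*.cnf; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .cnf)
        [ "$name" = "${ENGINES_LIST%.cnf}" ] && continue
        printf '%s\n' "$name"
    done
}

# Regenerate <dir>/engines.cnf from the <engine>.cnf files present.
# Writing to a temporary file first and renaming keeps the list consistent
# even if OpenSSL is reading the config while a package is being installed
# or removed.
gen_engines_list() {
    dir="$1"
    out="$dir/$ENGINES_LIST"
    tmp="$out.tmp"
    {
        printf '[engines]\n'
        for id in $(list_engine_ids "$dir"); do
            printf '%s = %s_section\n' "$id" "$id"
        done
        printf '\n'
        for id in $(list_engine_ids "$dir"); do
            printf '.include %s/%s.cnf\n' "$dir" "$id"
        done
    } > "$tmp"
    mv "$tmp" "$out"
}

# Number of engine entries in a generated list (lines of the form "id = ...").
count_engines() {
    grep -c ' = ' "$1"
}

# Stand-alone demo on constructed sample files in a temporary directory.
demo() {
    d=$(mktemp -d)
    # Constructed per-engine configs; keys are real OpenSSL engine config keys.
    printf '[afalg_section]\nengine_id = afalg\ndefault_algorithms = ALL\n' \
        > "$d/afalg.cnf"
    printf '[devcrypto_section]\nengine_id = devcrypto\ndefault_algorithms = ALL\n' \
        > "$d/devcrypto.cnf"
    gen_engines_list "$d"
    cat "$d/$ENGINES_LIST"
    rm -rf "$d"
}

[ "${1:-}" = "demo" ] && demo
```

Running the script with the `demo` argument prints the generated list for two constructed engines. On a real system, `openssl engine -c` (a real OpenSSL command) lists the engines the resulting configuration loads, which is a simple check that the generated file is being picked up.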