[PATCH v4 0/3] openssl: Engine configuration series
Eneas U de Queiroz
cotequeiroz at gmail.com
Sun Feb 20 16:09:27 PST 2022
This series builds upon what was first started by Daniel Danzberger,
with some suggestions by Florian Eckert to enable the engines when they
The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and
also splits the configuration from one monolithic file to one file per
engine, and also an engines list.
- the sencond implements my first proposal, of enabling engines during
their installation. It introduces an engine.mk file that provides
menu placement, basic dependencies and the postinst, postrm functions
for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines
list generation during startup, or when an engine package is
installed or removed.
The first commit received basic testing on mvebu running master,
covering afalg and devcrpto engines built as modules.
The second and third commits had testing expanded to checking built-in
I have not squashed the commits, but I do think that 2 and 3 may be
squashed if 3 is merged. The first one is just cleanup, and the second
adds complexity that ended up being removed by the third commit.
Nonetheless, all of them result in a working package.
I thought about expanding uci support to include other configuration
commands, but it would drop the documentation provided by the current
config files. Besides, each engine has its own options, which would
add complexity to config generation if you are to actually verify them.
Passing unknown commands straight from uci to the config files would be
simple and work, but it would be hard to find what options are
available, compared to just reading the example configs provided
openssl engine -vv would show the commands, with some basic description
of them, but getting the supported arguments may not be straightforward.
For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89
parameters". All I could do to help was to point to a header file where
the actual list of supported parameters is defined.
After this is merged, I will adapt the two engines in the packages feed.
- fixed postinst & postrm logic that was failing when building the final
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions
- actually removed the extra files that I had promised in v2
- rebased onto current head
- removed non-applicable options from original afalg engine conf file
Eneas U de Queiroz (3):
openssl: config engines in /etc/ssl/engines.cnf.d
openssl: configure engine packages during install
openssl: configure engines with uci
package/libs/openssl/Makefile | 55 +++++-----
package/libs/openssl/engine.mk | 46 ++++++++
package/libs/openssl/files/afalg.cnf | 3 +
package/libs/openssl/files/devcrypto.cnf | 31 ++++++
package/libs/openssl/files/openssl.init | 31 ++++++
package/libs/openssl/files/padlock.cnf | 3 +
.../patches/100-Configure-afalg-support.patch | 3 +-
.../openssl/patches/110-openwrt_targets.patch | 3 +-
.../120-strip-cflags-from-binary.patch | 3 +-
.../patches/130-dont-build-tests-fuzz.patch | 3 +-
.../patches/140-allow-prefer-chacha20.patch | 4 +-
.../150-openssl.cnf-add-engines-conf.patch | 100 +++---------------
...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +-
...ypto-add-command-to-dump-driver-info.patch | 3 +-
...o-make-the-dev-crypto-engine-dynamic.patch | 4 -
...default-to-not-use-digests-in-engine.patch | 1 -
...to-ignore-error-when-closing-session.patch | 1 -
17 files changed, 160 insertions(+), 137 deletions(-)
create mode 100644 package/libs/openssl/engine.mk
create mode 100644 package/libs/openssl/files/afalg.cnf
create mode 100644 package/libs/openssl/files/devcrypto.cnf
create mode 100755 package/libs/openssl/files/openssl.init
create mode 100644 package/libs/openssl/files/padlock.cnf
More information about the openwrt-devel