[PATCH] package: openssl: Enable built engines per default
Florian Eckert
fe at dev.tdt.de
Fri Apr 23 07:10:56 BST 2021
Hello Daniel,
Hello Eneas,
On 2021-04-23 01:36, Eneas U de Queiroz wrote:
> On Thu, Apr 22, 2021 at 3:55 AM Daniel Danzberger <daniel at dd-wrt.com>
> wrote:
>>
>> Automatically enable an engine in the openssl.cnf if it has been
>> built.
>> Before this change, /etc/openssl.cnf had to be edited manually on the
>> system to enable the engine.
>>
>
>> +define Package/libopenssl-conf/enable
>> + $(if $(CONFIG_PACKAGE_libopenssl-$(2)),sed -i
>> s/^\#*$(2)=$(2)/$(2)=$(2)/ $(1)/etc/ssl/openssl.cnf)
>> +endef
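Review bot: the `$(if $(CONFIG_PACKAGE_libopenssl-$(2)),...)` guard at the top of `Package/libopenssl-conf/enable` is true for any non-empty value, so an engine selected as a module (`=m`) is uncommented in the shipped openssl.cnf exactly like one built in (`=y`), even though that package may never be installed on the device. If only built-in engines are meant to be enabled, test with `$(filter y,$(CONFIG_PACKAGE_libopenssl-$(2)))` instead. The sed expression is also passed to the shell unquoted; quoting it would rule out any globbing of the `*`.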
>
>> define Package/libopenssl-conf/install
>> $(INSTALL_DIR) $(1)/etc/ssl
>> $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
>> + $(call Package/libopenssl-conf/enable,$(1),devcrypto)
>> + $(call Package/libopenssl-conf/enable,$(1),afalg)
>> + $(call Package/libopenssl-conf/enable,$(1),padlock)
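Review bot: the three added `$(call Package/libopenssl-conf/enable,...)` lines in `Package/libopenssl-conf/install` succeed silently when the sed pattern matches nothing, so if the expected `#name=name` line is missing or formatted differently in the copied openssl.cnf, the engine stays disabled with no build-time signal. Consider following each call with a `grep -q` for the enabled line that fails the build, and driving the calls from a single list with `$(foreach ...)` so the engine names are kept in one place.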
>
> I do like the idea, though. My first thought was to add an install
> script to the engine packages. The problem is that the config file
> may have been changed in a way that sed may produce unwanted results.
How about if we create a uci default script and check on the running
system what is installed?
And then we could generate a file and add or remove an include line from
the openssl.cnf [1]?
> Another option, which may be the easiest and safest, is to use your
> approach, but only uncomment the engines built into the firmware (=y),
> and not the ones built as modules.
I think this is not an option, because not all want to have all engines
installed.
That is my opinion.
Thanks, Florian
[1] https://github.com/openssl/openssl/blob/master/apps/openssl.cnf#L10
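
Added example, not part of the original message or of OpenWrt's code: a sketch of the first-boot approach suggested above, which regenerates a small fragment from the engines actually present and adds a single `.include` line (the directive referenced at [1]), so the user-edited openssl.cnf is never rewritten by sed. The engine directory, section name and fragment path are arguments and are assumptions; the `name=name` line format and the three engine names are those in the quoted patch.

```shell
#!/bin/sh
# Added example. Paths and the section name are arguments (assumptions),
# not values taken from the OpenWrt tree.

ENGINES="devcrypto afalg padlock"   # the three names used in the patch

# gen_fragment ENGINE_DIR OUT: write "name=name" for each engine whose
# shared object is present in ENGINE_DIR. OUT is always rewritten in full;
# with no engine present it ends up empty, so the include line can stay.
gen_fragment() {
    tmp="$2.tmp.$$"
    : > "$tmp" || return 1
    for name in $ENGINES; do
        if [ -f "$1/$name.so" ]; then
            echo "$name=$name" >> "$tmp"
        fi
    done
    mv "$tmp" "$2"
}

# ensure_include CONF SECTION FRAGMENT: add ".include FRAGMENT" directly
# under "[SECTION]" exactly once. Returns 1 and leaves CONF untouched when
# the header is missing, rather than guessing where the line belongs.
ensure_include() {
    inc=".include $3"
    if grep -qxF -- "$inc" "$1"; then return 0; fi
    grep -qxF -- "[$2]" "$1" || return 1
    awk -v hdr="[$2]" -v inc="$inc" '{ print } $0 == hdr { print inc }' \
        "$1" > "$1.tmp.$$" || return 1
    # Write back through the existing file so its mode and owner are kept.
    cat "$1.tmp.$$" > "$1" && rm -f "$1.tmp.$$"
}
```

Running both functions again after an engine package is installed or removed updates only the generated fragment; the include line in openssl.cnf is added once and then left alone.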