[PATCH 3/3] openssl: configure engines with uci

Florian Eckert fe at dev.tdt.de
Thu Apr 29 07:43:57 BST 2021


Hello Eneas,

Nice work.
See my remarks and suggestions inline.


>  define Package/libopenssl-conf/conffiles
>  /etc/ssl/openssl.cnf
> -/etc/ssl/engines.cnf.d/engines.cnf
>  $(if
> CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
>  $(if 
> CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)

I think AFALG is missing there?

>  endef
> @@ -378,15 +377,17 @@ define Package/libopenssl/install
>  endef
> 
>  define Package/libopenssl-conf/install
> -	$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
> +	$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config 
> $(1)/etc/init.d
>  	$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
> -	$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
> +	$(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
> +	$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' 
> $(1)/etc/init.d/openssl

I do not understand what you are doing there.

> +	touch $(1)/etc/config/openssl
>  	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
>  		$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
> -		echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
> +		echo -e "config engine 'devcrypto'\n\toption enabled '1'" >>
> $(1)/etc/config/openssl)
>  	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
>  		$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
> -		echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
> +		echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
> $(1)/etc/config/openssl)

What about AFALG?

>  endef
> 
>  define Package/openssl-util/install
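Review bot: The two `echo -e` recipe lines that seed $(1)/etc/config/openssl (devcrypto and padlock branches) depend on the recipe shell's echo honouring `-e`; if the recipe is ever run by a plain POSIX sh such as dash, the literal string `-e` lands in the generated uci file and the section header no longer parses. `printf` is the portable way to emit the tab and newline, e.g. `printf "config engine 'devcrypto'\n\toption enabled '1'\n" >> $(1)/etc/config/openssl`, with the same change for the padlock branch. Note also that the devcrypto snippet has no leading blank line while the padlock one does, so the generated file's separators differ depending on which engines are built in.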
> diff --git a/package/libs/openssl/engine.mk 
> b/package/libs/openssl/engine.mk
> index 482b5ad5e8..efa46d7214 100644
> --- a/package/libs/openssl/engine.mk
> +++ b/package/libs/openssl/engine.mk
> @@ -23,60 +23,20 @@ define Package/openssl/add-engine
> 
>    define Package/$$(OSSL_ENG_PKG)/postinst :=
>  #!/bin/sh
> -# $$$$1 == non-empty: suggest reinstall
> -error_out() {
> -    [ "$1" ] && cat <<- EOF
> -	Reinstalling the libopenssl-conf package may fix this:
> +OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
> 
> -	    opkg install --force-reinstall libopenssl-conf
> -	EOF
> -    cat <<- EOF
> +if [ -n "$$$${IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) 
> >/dev/null; then
> +    cat << EOF >> "$$$${OPENSSL_UCI}"
> 
> -	Then, you will have to reinstall this package, and any other engine
> package you have
> -	you have previously installed to ensure they are enabled:
> -
> -	    opkg install --force-reinstall $$(OSSL_ENG_PKG) 
> [OTHER_ENGINE_PKG]...
> -
> -	EOF
> -    exit 1
> -}
> -ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
> -OPENSSL_CNF="$$$${IPKG_INSTROOT}/etc/ssl/openssl.cnf"
> -if [ ! -f "$$$${OPENSSL_CNF}" ]; then
> -    echo -e "ERROR: File $$$${OPENSSL_CNF} not found."
> -    error_out reinstall
> -fi
> -if ! grep -q "^.include /etc/ssl/engines.cnf.d" "$$$${OPENSSL_CNF}"; 
> then
> -    cat <<- EOF
> -	Your /etc/ssl/openssl.cnf file is not loading engine configuration 
> files from
> -	/etc/ssl/engines.cnf.d.  You should consider start with a fresh,
> updated OpenSSL config by
> -	running:
> -
> -	    opkg install --force-reinstall --force-maintainer libopenssl-conf
> -
> -	The above command will overwrite any changes you may have made to
> both /etc/ssl/openssl.cnf
> -	and /etc/ssl/engines.cnf.d/engines.cnf files, so back them up first!
> -	EOF
> -    error_out
> -fi
> -if [ ! -f "$$$${ENGINES_CNF}" ]; then
> -    echo "Can't configure $$(OSSL_ENG_PKG): File $$$${ENGINES_CNF} not 
> found."
> -    error_out reinstall
> -fi
> -if grep -q "$(1)=$(1)" "$$$${ENGINES_CNF}"; then
> -    echo "$$(OSSL_ENG_PKG): $(1) engine was already configured.
> Nothing to be done."
> -else
> -    echo "$(1)=$(1)" >> "$$$${ENGINES_CNF}"
> -    echo "$$(OSSL_ENG_PKG): $(1) engine enabled.  All done!"
> +config engine '$(1)'
> +	option enabled '1'
> +EOF

From my point of view, I think it would be better if we used the uci cli
command directly here to add the config engine section and enable this
engine.

>  fi
> +[ -z "$$$${IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
>    endef
> 
> -  define Package/$$(OSSL_ENG_PKG)/prerm :=
> +  define Package/$$(OSSL_ENG_PKG)/postrm :=
>  #!/bin/sh
> -ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
> -[ -f "$$$${ENGINES_CNF}" ] || exit 0
> -sed -e '/$(1)=$(1)/d' -i "$$$${ENGINES_CNF}"
> +[ -z "$$$${IPKG_INSTROOT}" ] && /etc/init.d/openssl reload

Should we not also remove the uci option on an uninstall with the uci
command?

>    endef
>  endef
> -
> -
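Review bot: The final `[ -z "$$$${IPKG_INSTROOT}" ] && /etc/init.d/openssl reload` in the new postinst, and the identical line in the new postrm, leave the script with exit status 1 whenever IPKG_INSTROOT is set (image build), because the failed test is the last command; whether the package tool treats that as a failed maintainer script depends on the installer, so it is safer to invert the guard to `[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload` or to finish with an explicit `exit 0`. In the IPKG_INSTROOT branch the heredoc is also appended without any check, so if the postinst can be run twice against the same rootfs the `config engine '$(1)'` section is duplicated; a `grep -q "^config engine '$(1)'" "$$$${OPENSSL_UCI}"` guard before the append would cover the case where uci cannot be invoked.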
> diff --git a/package/libs/openssl/files/openssl-engines.init
> b/package/libs/openssl/files/openssl-engines.init
> new file mode 100644
> index 0000000000..050a96f70a
> --- /dev/null
> +++ b/package/libs/openssl/files/openssl-engines.init
> @@ -0,0 +1,19 @@
> +#!/bin/sh /etc/rc.common

Is the init script also switched on at the first boot, so that the
service runs immediately?
It would be unpleasant if the service first had to be switched on in
/etc/rc.d/.

> +
> +START=05
> +OSSL_ENGINES_CNF="/etc/ssl/engines.cnf.d/engines.cnf"
> +
> +enable_engine() {
> +	echo "$1=$1" >> "${OSSL_ENGINES_CNF}"

The writing happens here on persistent storage at every boot!
This is not so good for embedded targets with flash.
It would be better to write this to tmp.

> +}
> +
> +boot () {
> +	config_load openssl
> +
> +	cat <<- EOF > /etc/ssl/engines.cnf.d/engines.cnf
> +		# This file is automatically generated at boot time.
> +		# Use uci add_list openssl.engines ENGINE_NAME to enable an engine
> +		[engines]

The same concern about storage also applies here.

> +	config_list_foreach openssl.openssl[0] engines enable_engine

How about the named uci section globals, i.e.:
config openssl globals

> +}
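Review bot: `config_list_foreach openssl.openssl[0] engines enable_engine` passes a uci path where the helper in /lib/functions.sh expects the section name as loaded by `config_load`, from which it builds `CONFIG_<section>_<option>` variable names; with `.` and `[0]` in the name that lookup cannot succeed, so as far as I can tell `enable_engine` is never invoked. Iterate with `config_foreach <callback> openssl` and call `config_list_foreach "$1" engines enable_engine` from the callback, or address the section by a proper name. Separately, this file and openssl.init both generate an engines list but from different uci layouts (a list in an `openssl` section here, `engine` sections there); if openssl-engines.init is a leftover from an earlier revision of the series, it should be dropped rather than installed alongside.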
> diff --git a/package/libs/openssl/files/openssl.init
> b/package/libs/openssl/files/openssl.init
> new file mode 100755
> index 0000000000..21e253e7a5
> --- /dev/null
> +++ b/package/libs/openssl/files/openssl.init
> @@ -0,0 +1,31 @@
> +#!/bin/sh /etc/rc.common
> +
> +START=13
> +ENGINES_CNF_D="/etc/ssl/engines.cnf.d"
> +ENGINES_CNF="/var/etc/ssl/engines.cnf"
> +ENGINES_DIR="%ENGINES_DIR%"
> +
> +config_engine() {
> +	local enabled force
> +	config_get_bool enabled "$1" enabled 1
> +	config_get_bool force "$1" force 0
> +	[ "$enabled" = 0 ] && return
> +	if [ "$force" = 0 ] && \
> +	   [ ! -f "${ENGINES_CNF_D}/$1.cnf" ] && \
> +	   [ ! -f "${ENGINES_DIR}/$1.so" ]; then
> +	    echo Skipping engine "$1": not installed
> +	    return
> +	fi
> +	echo Enabling engine "$1"
> +	echo "$1=$1" >> "${ENGINES_CNF}"
> +}
> +
> +start() {
> +	mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1
> +	echo Generating engines.cnf
> +	echo "# This file is automatically generated from 
> /etc/config/openssl." \
> +	      > "${ENGINES_CNF}" || \
> +	      { echo Error writing ${ENGINES_CNF} >&2; exit 1; }
> +        config_load openssl
> +	config_foreach config_engine engine
> +}
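Review bot: `start()` truncates `${ENGINES_CNF}` and then appends one line per engine, so an OpenSSL consumer that starts while the file is being regenerated (for example during the `reload` an engine package's postinst triggers on a running system) can read an empty or partial engines list. Generate into a temporary file in the same directory, have `config_engine` append to that path, and `mv` it over `${ENGINES_CNF}` once `config_foreach` returns, so readers only ever see the old or the complete new file. Two smaller points: the path in `{ echo Error writing ${ENGINES_CNF} >&2; exit 1; }` and the words in `echo Skipping engine "$1": not installed` are unquoted, and the `config_load openssl` line is indented with spaces while the rest of the file uses tabs.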
> diff --git
> a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
> b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
> index 3db7a19212..8851116347 100644
> --- 
> a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
> +++ 
> b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
> @@ -11,7 +11,7 @@ Signed-off-by: Eneas U de Queiroz 
> <cotequeiroz at gmail.com>
>  diff --git a/apps/openssl.cnf b/apps/openssl.cnf
>  --- a/apps/openssl.cnf
>  +++ b/apps/openssl.cnf
> -@@ -22,6 +22,13 @@ oid_section		= new_oids
> +@@ -22,6 +22,16 @@ oid_section		= new_oids
>   # (Alternatively, use a configuration file that has only
>   # X.509v3 extensions in its main [= default] section.)
> 
> @@ -20,6 +20,9 @@ diff --git a/apps/openssl.cnf b/apps/openssl.cnf
>  +[openssl_conf]
>  +engines=engines
>  +
> ++[engines]
> ++.include /var/etc/ssl/engines.cnf
> ++
>  +.include /etc/ssl/engines.cnf.d
>  +
>   [ new_oids ]
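Review bot: The new `[engines]` block in openssl.cnf now pulls `/var/etc/ssl/engines.cnf` from tmpfs, a file that exists only after /etc/init.d/openssl (START=13 in this series) has run, so anything loading openssl.cnf earlier in boot, or after a failed regeneration, sees an `.include` whose target is missing. Please confirm how the packaged OpenSSL version handles an unreadable `.include` (silently skipped versus a configuration error) and record the outcome in the patch description; if it is an error, the init script must be ordered before every service that links libcrypto. The `@@ -22,6 +22,16 @@` line-count update in the first hunk looks consistent with the three added lines.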
> 


