authorEneas U de Queiroz <cotequeiroz@gmail.com>2022-02-20 21:09:30 -0300
committerPetr Štetiar <ynezz@true.cz>2022-02-22 16:37:23 +0100
commit0134f845dab95e0e7f885f4e227d9a41aedf909d (patch)
treea7486ce3e7805990b2eb930902ec8ad4a68ba2c3 /package/libs/openssl/engine.mk
parent30b0351039850d01c382b745a1f40b81b4be2a93 (diff)
openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled engines in /var/etc/ssl/engines.cnf from engines configured in /etc/config/openssl: config engine 'devcrypto' option enabled '1' Currently the only options implemented are 'enabled', which defaults to true and enables the named engine, and the 'force' option, which enables the engine even if the init script thinks the engine does not exist. The existence test is to check for either a configuration file /etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file /usr/lib/engines-1.1/%ENGINE%.so. The engine list is generated by an init script which is set to run after 'log' because it reports which engines are being enabled or skipped. It should run before any service using OpenSSL as the crypto library, otherwise the service will not use any engine. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Diffstat (limited to 'package/libs/openssl/engine.mk')
-rw-r--r--package/libs/openssl/engine.mk60
1 files changed, 12 insertions, 48 deletions
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..973a989904 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,24 @@ define Package/openssl/add-engine
define Package/$$(OSSL_ENG_PKG)/postinst :=
#!/bin/sh
-# $$$$1 == non-empty: suggest reinstall
-error_out() {
- [ "$1" ] && cat <<- EOF
- Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
- opkg install --force-reinstall libopenssl-conf
- EOF
- cat <<- EOF
+[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
- Then, you will have to reinstall this package, and any other engine package you have
- you have previously installed to ensure they are enabled:
+cat << EOF >> "$$$${OPENSSL_UCI}"
- opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]...
+config engine '$(1)'
+ option enabled '1'
+EOF
- EOF
- exit 1
-}
-ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="$$$${IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "$$$${OPENSSL_CNF}" ]; then
- echo -e "ERROR: File $$$${OPENSSL_CNF} not found."
- error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/engines.cnf.d" "$$$${OPENSSL_CNF}"; then
- cat <<- EOF
- Your /etc/ssl/openssl.cnf file is not loading engine configuration files from
- /etc/ssl/engines.cnf.d. You should consider start with a fresh, updated OpenSSL config by
- running:
-
- opkg install --force-reinstall --force-maintainer libopenssl-conf
-
- The above command will overwrite any changes you may have made to both /etc/ssl/openssl.cnf
- and /etc/ssl/engines.cnf.d/engines.cnf files, so back them up first!
- EOF
- error_out
-fi
-if [ ! -f "$$$${ENGINES_CNF}" ]; then
- echo "Can't configure $$(OSSL_ENG_PKG): File $$$${ENGINES_CNF} not found."
- error_out reinstall
-fi
-if grep -q "$(1)=$(1)" "$$$${ENGINES_CNF}"; then
- echo "$$(OSSL_ENG_PKG): $(1) engine was already configured. Nothing to be done."
-else
- echo "$(1)=$(1)" >> "$$$${ENGINES_CNF}"
- echo "$$(OSSL_ENG_PKG): $(1) engine enabled. All done!"
-fi
+[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
endef
- define Package/$$(OSSL_ENG_PKG)/prerm :=
+ define Package/$$(OSSL_ENG_PKG)/postrm :=
#!/bin/sh
-ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-[ -f "$$$${ENGINES_CNF}" ] || exit 0
-sed -e '/$(1)=$(1)/d' -i "$$$${ENGINES_CNF}"
+[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
+uci delete openssl.$(1)
+uci commit openssl
+/etc/init.d/openssl reload
endef
endef
-
-
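Review bot: In the new postrm, `uci commit openssl` runs even when `uci delete openssl.$(1)` fails (for example when the section was already removed by hand), so it prints an error and commits whatever other staged changes exist for the openssl config; chaining them as `uci -q delete openssl.$(1) && uci commit openssl` avoids both. Both scripts also end on `/etc/init.d/openssl reload`, so their exit status is that of the reload; if that init script is missing or fails, opkg will presumably report the install or removal as failed even though the config edit succeeded, and services may keep running with a stale engine list, so a logged message plus a trailing `exit 0` would make the intent explicit. On the image-build path (`IPKG_INSTROOT` set) the postinst appends to the config without the `uci -q get` check, so a rootfs that already ships a `config engine '$(1)'` section would end up with a duplicate; a `grep -q` guard there would cover it. The enclosing `define Package/openssl/add-engine` starts outside the hunk.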