-rw-r--r-- | package/libs/openssl/Makefile | 58 | ||||
-rw-r--r-- | package/libs/openssl/engine.mk | 82 | ||||
-rw-r--r-- | package/libs/openssl/files/engines.cnf | 12 | ||||
-rw-r--r-- | package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch | 2 |
4 files changed, 111 insertions, 43 deletions
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 737123930c..3a0666ff8e 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,9 +11,8 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=m PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=1 @@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include engine.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -128,6 +128,9 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +/etc/ssl/engines.cnf.d/engines.cnf +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description 
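Review bot: The two `$(if ...)` lines added to `Package/libopenssl-conf/conffiles` test the literal text `CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO` and `CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK` instead of the variables' values, so the condition is always non-empty and both paths are listed as conffiles whatever the build configuration is. The install hunk later in this file (`@@ -380,6 +381,12 @@`) uses the expanded form, and these lines should match it: `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/engines.cnf.d/devcrypto.cnf)` and the same for padlock. As written, libopenssl-conf lists devcrypto.cnf and padlock.cnf even in builds where the separate engine packages ship them, which may conflict with the `conffiles` entry that `Package/openssl/add-engine` sets for each engine package.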
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ + @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may -configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. 
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ + @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -380,6 +381,12 @@ define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), + $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ + echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), + $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ + echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) endef define Package/openssl-util/install 
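Review bot: The three engine descriptions in the `@@ -135,52 +138,50 @@` hunk lose the sentence about enabling the engine and nothing replaces it, so the package description no longer tells a user that installation now edits /etc/ssl/engines.cnf.d/engines.cnf through the postinst script that `Package/openssl/add-engine` generates in engine.mk. That file decides which engines are loaded for consumers of /etc/ssl/openssl.cnf, so the description should state the new behaviour, for example `Installing this package enables the engine in /etc/ssl/engines.cnf.d/engines.cnf; removing it disables it again.` The devcrypto description also drops the pointer to /etc/ssl/engines.cnf.d/devcrypto.cnf although engine.mk still installs that file, so `You may configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.` is worth keeping.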
@@ -387,27 +394,6 @@ define Package/openssl-util/install $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/ endef -define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ - $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/ -endef - -define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ - $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_DATA) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ -endef - -define Package/libopenssl-padlock/install - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ - $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_DATA) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ -endef - $(eval $(call BuildPackage,libopenssl)) $(eval $(call BuildPackage,libopenssl-conf)) $(eval $(call BuildPackage,libopenssl-afalg)) diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk new file mode 100644 index 0000000000..482b5ad5e8 --- /dev/null +++ b/package/libs/openssl/engine.mk 
@@ -0,0 +1,82 @@ +ENGINES_DIR=engines-1.1 + +define Package/openssl/engine/Default + SECTION:=libs + CATEGORY:=Libraries + SUBMENU:=SSL + DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf +endef + +# 1 = engine name +# 2 - package name, defaults to libopenssl-$(1) +define Package/openssl/add-engine + OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1)) + Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf + + define Package/$$(OSSL_ENG_PKG)/install + $$(INSTALL_DIR) $$(1)/usr/lib/$(ENGINES_DIR) + $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \ + $$(1)/usr/lib/$(ENGINES_DIR) + $$(INSTALL_DIR) $$(1)/etc/ssl/engines.cnf.d + $$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/ + endef + + define Package/$$(OSSL_ENG_PKG)/postinst := +#!/bin/sh +# $$$$1 == non-empty: suggest reinstall +error_out() { + [ "$1" ] && cat <<- EOF + Reinstalling the libopenssl-conf package may fix this: + + opkg install --force-reinstall libopenssl-conf + EOF + cat <<- EOF + + Then, you will have to reinstall this package, and any other engine package you have + you have previously installed to ensure they are enabled: + + opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]... + + EOF + exit 1 +} +ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf" +OPENSSL_CNF="$$$${IPKG_INSTROOT}/etc/ssl/openssl.cnf" +if [ ! -f "$$$${OPENSSL_CNF}" ]; then + echo -e "ERROR: File $$$${OPENSSL_CNF} not found." + error_out reinstall +fi +if ! grep -q "^.include /etc/ssl/engines.cnf.d" "$$$${OPENSSL_CNF}"; then + cat <<- EOF + Your /etc/ssl/openssl.cnf file is not loading engine configuration files from + /etc/ssl/engines.cnf.d. You should consider start with a fresh, updated OpenSSL config by + running: + + opkg install --force-reinstall --force-maintainer libopenssl-conf + + The above command will overwrite any changes you may have made to both /etc/ssl/openssl.cnf + and /etc/ssl/engines.cnf.d/engines.cnf files, so back them up first! 
+ EOF + error_out +fi +if [ ! -f "$$$${ENGINES_CNF}" ]; then + echo "Can't configure $$(OSSL_ENG_PKG): File $$$${ENGINES_CNF} not found." + error_out reinstall +fi +if grep -q "$(1)=$(1)" "$$$${ENGINES_CNF}"; then + echo "$$(OSSL_ENG_PKG): $(1) engine was already configured. Nothing to be done." +else + echo "$(1)=$(1)" >> "$$$${ENGINES_CNF}" + echo "$$(OSSL_ENG_PKG): $(1) engine enabled. All done!" +fi + endef + + define Package/$$(OSSL_ENG_PKG)/prerm := +#!/bin/sh +ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf" +[ -f "$$$${ENGINES_CNF}" ] || exit 0 +sed -e '/$(1)=$(1)/d' -i "$$$${ENGINES_CNF}" + endef +endef + + diff --git a/package/libs/openssl/files/engines.cnf b/package/libs/openssl/files/engines.cnf index d034ab5a30..333b1d6c25 100644 --- a/package/libs/openssl/files/engines.cnf +++ b/package/libs/openssl/files/engines.cnf @@ -1,7 +1,7 @@ -[engines] -# To enable an engine, install the package, and uncomment it here: -#devcrypto=devcrypto -#afalg=afalg -#padlock=padlock -#gost=gost +# This file should only contain the [engines] section +# It is subject to change by installing OpenSSL engine packages +# Any lines that have the sequence "engine-name=engine-name" will +# be removed when the respective engine gets uninstalled. +# You may avoid that by adding a space before/after the = sign. +[engines] diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch index 387c3ce11e..3db7a19212 100644 --- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -4,7 +4,7 @@ Date: Sat, 27 Mar 2021 17:43:25 -0300 Subject: openssl.cnf: add engine configuration This adds configuration options for engines, loading all cnf files under -/etc/ssl/engines.d/. +/etc/ssl/engines.cnf.d/. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> |