-rw-r--r--package/libs/openssl/Makefile58
-rw-r--r--package/libs/openssl/engine.mk82
-rw-r--r--package/libs/openssl/files/engines.cnf12
-rw-r--r--package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch2
4 files changed, 111 insertions, 43 deletions
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 737123930c..3a0666ff8e 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,9 +11,8 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=m
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
PKG_BUILD_PARALLEL:=1
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
+include engine.mk
ifneq ($(CONFIG_CCACHE),)
HOSTCC=$(HOSTCC_NOCACHE)
@@ -128,6 +128,9 @@ endef
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
endef
define Package/libopenssl-conf/description
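Review bot: The two entries added to `Package/libopenssl-conf/conffiles` test the literal text `CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO` / `CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK` rather than the variables, so `$(if ...)` is always true and both devcrypto.cnf and padlock.cnf are listed as conffiles of libopenssl-conf in every configuration. The install hunk later in this file writes the same condition with the variable expanded, and the conffiles lines should match it: `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/engines.cnf.d/devcrypto.cnf)` and `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/engines.cnf.d/padlock.cnf)`. As written, when the engines are built as separate packages the same path is also declared by the `conffiles` line that `add-engine` generates in engine.mk, so two packages appear to claim one config file; how opkg resolves that is not visible from this page.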
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
endef
+$(eval $(call Package/openssl/add-engine,afalg))
define Package/libopenssl-afalg
$(call Package/openssl/Default)
- SUBMENU:=SSL
+ $(call Package/openssl/engine/Default)
TITLE:=AFALG hardware acceleration engine
- DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
- +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+ DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+ @!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "afalg"
endef
+$(eval $(call Package/openssl/add-engine,devcrypto))
define Package/libopenssl-devcrypto
$(call Package/openssl/Default)
- SUBMENU:=SSL
+ $(call Package/openssl/engine/Default)
TITLE:=/dev/crypto hardware acceleration engine
- DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
- @!OPENSSL_ENGINE_BUILTIN
+ DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-devcrypto/description
This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "devcrypto"
endef
+$(eval $(call Package/openssl/add-engine,padlock))
define Package/libopenssl-padlock
$(call Package/openssl/Default)
- SUBMENU:=SSL
+ $(call Package/openssl/engine/Default)
TITLE:=VIA Padlock hardware acceleration engine
- DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
- +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+ DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+ @!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "padlock"
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+ $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
+ $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
+ echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
+ $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
+ echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
endef
define Package/openssl-util/install
@@ -387,27 +394,6 @@ define Package/openssl-util/install
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
endef
-define Package/libopenssl-afalg/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \
- $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
-define Package/libopenssl-devcrypto/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \
- $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_DATA) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
-define Package/libopenssl-padlock/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \
- $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_DATA) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
$(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,libopenssl-conf))
$(eval $(call BuildPackage,libopenssl-afalg))
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
new file mode 100644
index 0000000000..482b5ad5e8
--- /dev/null
+++ b/package/libs/openssl/engine.mk
@@ -0,0 +1,82 @@
+ENGINES_DIR=engines-1.1
+
+define Package/openssl/engine/Default
+ SECTION:=libs
+ CATEGORY:=Libraries
+ SUBMENU:=SSL
+ DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf
+endef
+
+# 1 = engine name
+# 2 - package name, defaults to libopenssl-$(1)
+define Package/openssl/add-engine
+ OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1))
+ Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf
+
+ define Package/$$(OSSL_ENG_PKG)/install
+ $$(INSTALL_DIR) $$(1)/usr/lib/$(ENGINES_DIR)
+ $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \
+ $$(1)/usr/lib/$(ENGINES_DIR)
+ $$(INSTALL_DIR) $$(1)/etc/ssl/engines.cnf.d
+ $$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/
+ endef
+
+ define Package/$$(OSSL_ENG_PKG)/postinst :=
+#!/bin/sh
+# $$$$1 == non-empty: suggest reinstall
+error_out() {
+ [ "$1" ] && cat <<- EOF
+ Reinstalling the libopenssl-conf package may fix this:
+
+ opkg install --force-reinstall libopenssl-conf
+ EOF
+ cat <<- EOF
+
+ Then, you will have to reinstall this package, and any other engine package you have
+ you have previously installed to ensure they are enabled:
+
+ opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]...
+
+ EOF
+ exit 1
+}
+ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
+OPENSSL_CNF="$$$${IPKG_INSTROOT}/etc/ssl/openssl.cnf"
+if [ ! -f "$$$${OPENSSL_CNF}" ]; then
+ echo -e "ERROR: File $$$${OPENSSL_CNF} not found."
+ error_out reinstall
+fi
+if ! grep -q "^.include /etc/ssl/engines.cnf.d" "$$$${OPENSSL_CNF}"; then
+ cat <<- EOF
+ Your /etc/ssl/openssl.cnf file is not loading engine configuration files from
+ /etc/ssl/engines.cnf.d. You should consider start with a fresh, updated OpenSSL config by
+ running:
+
+ opkg install --force-reinstall --force-maintainer libopenssl-conf
+
+ The above command will overwrite any changes you may have made to both /etc/ssl/openssl.cnf
+ and /etc/ssl/engines.cnf.d/engines.cnf files, so back them up first!
+ EOF
+ error_out
+fi
+if [ ! -f "$$$${ENGINES_CNF}" ]; then
+ echo "Can't configure $$(OSSL_ENG_PKG): File $$$${ENGINES_CNF} not found."
+ error_out reinstall
+fi
+if grep -q "$(1)=$(1)" "$$$${ENGINES_CNF}"; then
+ echo "$$(OSSL_ENG_PKG): $(1) engine was already configured. Nothing to be done."
+else
+ echo "$(1)=$(1)" >> "$$$${ENGINES_CNF}"
+ echo "$$(OSSL_ENG_PKG): $(1) engine enabled. All done!"
+fi
+ endef
+
+ define Package/$$(OSSL_ENG_PKG)/prerm :=
+#!/bin/sh
+ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
+[ -f "$$$${ENGINES_CNF}" ] || exit 0
+sed -e '/$(1)=$(1)/d' -i "$$$${ENGINES_CNF}"
+ endef
+endef
+
+
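Review bot: In the generated `postinst`, `error_out` tests `[ "$1" ]`, but inside `$(call Package/openssl/add-engine,...)` make expands `$1` to the engine name, so the test is always true and the reinstall hint is printed even for the bare `error_out` call that follows the `.include` check. Escaping it the way the neighbouring lines escape `IPKG_INSTROOT` (and as the comment above the function already spells it), `[ "$$$$1" ] && cat <<- EOF`, leaves the shell's positional parameter in place. Separately, `grep -q "$(1)=$(1)"` is unanchored, so a commented entry such as the `#afalg=afalg` line that the previous engines.cnf shipped would be reported as "already configured" while the engine stays disabled, presumably on systems where the old conffile was kept across the upgrade. Anchoring both matches, `grep -q "^$(1)=$(1)"` in `postinst` and `'/^$(1)=$(1)/d'` in `prerm`, restricts them to active entries and still honours the documented "add a space around =" opt-out.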
diff --git a/package/libs/openssl/files/engines.cnf b/package/libs/openssl/files/engines.cnf
index d034ab5a30..333b1d6c25 100644
--- a/package/libs/openssl/files/engines.cnf
+++ b/package/libs/openssl/files/engines.cnf
@@ -1,7 +1,7 @@
-[engines]
-# To enable an engine, install the package, and uncomment it here:
-#devcrypto=devcrypto
-#afalg=afalg
-#padlock=padlock
-#gost=gost
+# This file should only contain the [engines] section
+# It is subject to change by installing OpenSSL engine packages
+# Any lines that have the sequence "engine-name=engine-name" will
+# be removed when the respective engine gets uninstalled.
+# You may avoid that by adding a space before/after the = sign.
+[engines]
diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
index 387c3ce11e..3db7a19212 100644
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -4,7 +4,7 @@ Date: Sat, 27 Mar 2021 17:43:25 -0300
Subject: openssl.cnf: add engine configuration
This adds configuration options for engines, loading all cnf files under
-/etc/ssl/engines.d/.
+/etc/ssl/engines.cnf.d/.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>