From 17a6ca12d3dfbb8808ca6d8a5300ff2a9121ba36 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Sun, 20 Feb 2022 21:09:28 -0300 Subject: openssl: config engines in /etc/ssl/engines.cnf.d This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. Patches were refreshed with --zero-commit. Signed-off-by: Eneas U de Queiroz --- .../patches/150-openssl.cnf-add-engines-conf.patch | 101 +++------------------ 1 file changed, 13 insertions(+), 88 deletions(-) (limited to 'package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch') diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch index c90fce2442..387c3ce11e 100644 --- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -1,6 +1,17 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Sat, 27 Mar 2021 17:43:25 -0300 +Subject: openssl.cnf: add engine configuration + +This adds configuration options for engines, loading all cnf files under +/etc/ssl/engines.d/. + +Signed-off-by: Eneas U de Queiroz + +diff --git a/apps/openssl.cnf b/apps/openssl.cnf --- a/apps/openssl.cnf +++ b/apps/openssl.cnf -@@ -22,6 +22,99 @@ oid_section = new_oids +@@ -22,6 +22,13 @@ oid_section = new_oids # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) @@ -9,93 +20,7 @@ +[openssl_conf] +engines=engines + -+[engines] -+# To enable an engine, install the package, and uncomment it here: -+#devcrypto=devcrypto -+#afalg=afalg -+#padlock=padlock -+##gost=gost -+ -+[afalg] -+# Leave this alone and configure algorithms with CIPERS/DIGESTS below -+default_algorithms = ALL -+ -+# The following commands are only available if using the alternative -+# (sync) AFALG engine -+# Configuration commands: -+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a -+# list of supported algorithms, along with their driver, whether they -+# are hw accelerated or not, and the engine's configuration commands. -+ -+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) -+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use -+# if acceleration can't be determined) [default=2] -+#USE_SOFTDRIVERS = 2 -+ -+# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a -+# comma-separated list of ciphers to enable [default=NO_ECB] -+# Starting in 1.2.0, if you use a cipher list, each cipher may be -+# followed by a colon (:) and the minimum request length to use -+# AF_ALG drivers for that cipher; smaller requests are processed by -+# softare; a negative value will use the default for that cipher -+#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0 -+ -+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to -+# enable [default=NONE] -+# It is strongly recommended not to enable digests; their performance -+# is poor, and there are many cases in which they will not work, -+# especially when calling fork with open crypto contexts. Openssh, -+# for example, does this, and you may not be able to login. -+#DIGESTS = NONE -+ -+[devcrypto] -+# Leave this alone and configure algorithms with CIPERS/DIGESTS below -+default_algorithms = ALL -+ -+# Configuration commands: -+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a -+# list of supported algorithms, along with their driver, whether they -+# are hw accelerated or not, and the engine's configuration commands. -+ -+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) -+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use -+# if acceleration can't be determined) [default=2] -+#USE_SOFTDRIVERS = 2 -+ -+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to -+# enable [default=ALL] -+# It is recommended to disable the ECB ciphers; in most cases, it will -+# only be used for PRNG, in small blocks, where performance is poor, -+# and there may be problems with apps forking with open crypto -+# contexts, leading to failures. The CBC ciphers work well: -+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC -+ -+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to -+# enable [default=NONE] -+# It is strongly recommended not to enable digests; their performance -+# is poor, and there are many cases in which they will not work, -+# especially when calling fork with open crypto contexts. Openssh, -+# for example, does this, and you may not be able to login. -+#DIGESTS = NONE -+ -+[padlock] -+default_algorithms = ALL -+ -+[gost] -+default_algorithms = ALL -+# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the -+# user to choose between different parameter sets of symmetric cipher -+# algorithm. RFC 4357 specifies several parameters for the -+# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface -+# to choose one when encrypting. So use engine configuration parameter -+# instead. -+# Value of this parameter can be either short name, defined in OpenSSL -+# obj_dat.h header file or numeric representation of OID, defined in -+# RFC 4357. Defaults to id-tc26-gost-28147-param-Z -+#CRYPT_PARAMS = id-tc26-gost-28147-param-Z -+ -+# PBE_PARAMS: Shortname of default digest alg for PBE -+#PBE_PARAMS = ++.include /etc/ssl/engines.cnf.d + [ new_oids ] -- cgit v1.2.3