openssl: add legacy provider
authorEneas U de Queiroz <cotequeiroz@gmail.com>
Fri, 10 Mar 2023 20:53:25 +0000 (17:53 -0300)
committerEneas U de Queiroz <cotequeiroz@gmail.com>
Wed, 5 Apr 2023 11:24:49 +0000 (08:24 -0300)
This adapts the engine build infrastructure to allow building providers,
and packages the legacy provider.  Providers are the successors of
engines, which have been deprecated.

The legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool.

Even though these algorithms are implemented in a separate package,
their removal makes the regular library smaller by 3%, so the build
options will remain to allow lean custom builds.  Their defaults will
change to 'y' if not building for a small flash, so that the regular
legacy package will contain a complete set of algorithms.

The engine build and configuration structure was changed to accomodate
providers, and adapt to the new style of openssl.cnf in version 3.0.

There is not a clean upgrade path for the /etc/ssl/openssl.cnf file,
installed by the openssl-conf package.  It is recommended to rename or
remove the old config file when flashing an image with the updated
openssl-conf package, then apply the changes manually.

An old openssl.cnf file will silently work, but new engine or provider
packages will not be enabled.  Any remaining engine config files under
/etc/ssl/engines.cnf.d can be removed.

On the build side, the include file used by engine packages was renamed
to openssl-module.mk, so the engine packages in other feeds need to
adapt.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
include/openssl-engine.mk [deleted file]
include/openssl-module.mk [new file with mode: 0644]
package/libs/openssl/Config.in
package/libs/openssl/Makefile
package/libs/openssl/files/afalg.cnf
package/libs/openssl/files/devcrypto.cnf
package/libs/openssl/files/legacy.cnf [new file with mode: 0644]
package/libs/openssl/files/openssl.init
package/libs/openssl/files/padlock.cnf
package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch

diff --git a/include/openssl-engine.mk b/include/openssl-engine.mk
deleted file mode 100644 (file)
index 891d284..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-#
-# Copyright (C) 2022-2023 Enéas Ulir de Queiroz
-
-ENGINES_DIR=engines-3
-
-define Package/openssl/engine/Default
-  SECTION:=libs
-  CATEGORY:=Libraries
-  SUBMENU:=SSL
-  DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf
-endef
-
-# 1 = engine name
-# 2 - package name, defaults to libopenssl-$(1)
-define Package/openssl/add-engine
-  OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1))
-  Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf
-
-  define Package/$$(OSSL_ENG_PKG)/install
-       $$(INSTALL_DIR)  $$(1)/usr/lib/$(ENGINES_DIR)
-       $$(INSTALL_BIN)  $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \
-                        $$(1)/usr/lib/$(ENGINES_DIR)
-       $$(INSTALL_DIR)  $$(1)/etc/ssl/engines.cnf.d
-       $$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/
-  endef
-
-  define Package/$$(OSSL_ENG_PKG)/postinst :=
-#!/bin/sh
-OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
-
-[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
-
-cat << EOF >> "$$$${OPENSSL_UCI}"
-
-config engine '$(1)'
-       option enabled '1'
-EOF
-
-[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
-  endef
-
-  define Package/$$(OSSL_ENG_PKG)/postrm :=
-#!/bin/sh
-[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
-uci delete openssl.$(1)
-uci commit openssl
-/etc/init.d/openssl reload
-  endef
-endef
diff --git a/include/openssl-module.mk b/include/openssl-module.mk
new file mode 100644 (file)
index 0000000..7348a10
--- /dev/null
@@ -0,0 +1,79 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2022-2023 Enéas Ulir de Queiroz
+
+ENGINES_DIR=engines-3
+
+define Package/openssl/module/Default
+  SECTION:=libs
+  CATEGORY:=Libraries
+  SUBMENU:=SSL
+  DEPENDS:=libopenssl +libopenssl-conf
+endef
+
+define Package/openssl/engine/Default
+  $(Package/openssl/module/Default)
+  DEPENDS+=@OPENSSL_ENGINE
+endef
+
+
+# 1 = moudule type (engine|provider)
+# 2 = module name
+# 3 = directory to save .so file
+# 4 = [ package name, defaults to libopenssl-$(2) ]
+define Package/openssl/add-module
+  $(eval MOD_TYPE:=$(1))
+  $(eval MOD_NAME:=$(2))
+  $(eval MOD_DIR:=$(3))
+  $(eval OSSL_PKG:=$(if $(4),$(4),libopenssl-$(MOD_NAME)))
+  $(info Package/openssl/add-module 1='$(1)'; 2='$(2)'; 3='$(3)' 4='$(4)')
+  $(info MOD_TYPE='$(MOD_TYPE)'; MOD_NAME='$(MOD_NAME)'; MOD_DIR='$(MOD_DIR)' OSSL_PKG='$(OSSL_PKG)')
+  Package/$(OSSL_PKG)/conffiles:=/etc/ssl/modules.cnf.d/$(MOD_NAME).cnf
+
+  define Package/$(OSSL_PKG)/install
+       $$(INSTALL_DIR)  $$(1)/$(MOD_DIR)
+       $$(INSTALL_BIN)  $$(PKG_INSTALL_DIR)/$(MOD_DIR)/$(MOD_NAME).so \
+                        $$(1)/$(MOD_DIR)
+       $$(INSTALL_DIR)  $$(1)/etc/ssl/modules.cnf.d
+       $$(INSTALL_DATA) ./files/$(MOD_NAME).cnf $$(1)/etc/ssl/modules.cnf.d/
+  endef
+
+  define Package/$(OSSL_PKG)/postinst
+#!/bin/sh
+OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
+
+[ -z "$$$${IPKG_INSTROOT}" ] \
+       && uci -q get openssl.$(MOD_NAME) >/dev/null \
+       && exit 0
+
+cat << EOF >> "$$$${OPENSSL_UCI}"
+
+config $(MOD_TYPE) '$(MOD_NAME)'
+       option enabled '1'
+EOF
+
+[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
+exit 0
+  endef
+
+  define Package/$(OSSL_PKG)/postrm
+#!/bin/sh
+[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
+uci -q delete openssl.$(MOD_NAME) && uci commit openssl
+/etc/init.d/openssl reload
+exit 0
+  endef
+endef
+
+# 1 = engine name
+# 2 - package name, defaults to libopenssl-$(1)
+define Package/openssl/add-engine
+  $(call Package/openssl/add-module,engine,$(1),/usr/lib/$(ENGINES_DIR),$(2))
+endef
+
+# 1 = provider name
+# 2 = [ package name, defaults to libopenssl-$(1) ]
+define Package/openssl/add-provider
+  $(call Package/openssl/add-module,provider,$(1),/usr/lib/ossl-modules,$(2))
+endef
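Review bot: The two `$(info …)` lines at the top of `Package/openssl/add-module` (right after the `$(eval OSSL_PKG:=…)` line) read as leftover debugging: they print for every engine or provider package that calls the macro, on every make run that parses the package, so they belong removed or behind a debug variable before merge. The parameter comment above the define also has a typo, `# 1 = moudule type (engine|provider)` should read `# 1 = module type (engine|provider)`. Since the four `$(eval …:=…)` lines set `MOD_TYPE`, `MOD_NAME`, `MOD_DIR` and `OSSL_PKG` as plain global variables that survive the call, a sentence in that comment saying so would warn later callers that the names are not scoped to the macro.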
+
index b948aab7093fdb4fec316fc19902f10675d7616c..871080a4cbec39347e6358652a99a8cc2ca18977 100644 (file)
@@ -167,16 +167,24 @@ config OPENSSL_WITH_CAMELLIA
 
 config OPENSSL_WITH_IDEA
        bool
-       prompt "Enable IDEA cipher support"
+       default y if !SMALL_FLASH
+       prompt "Enable IDEA cipher support (needs legacy provider)"
        help
                IDEA is a block cipher with 128-bit keys.
+               To use the cipher, one must install the libopenssl-legacy
+               package, using a main libopenssl package compiled with this
+               option enabled as well.
 
 config OPENSSL_WITH_SEED
        bool
-       prompt "Enable SEED cipher support"
+       default y if !SMALL_FLASH
+       prompt "Enable SEED cipher support (needs legacy provider)"
        help
                SEED is a block cipher with 128-bit keys broadly used in
                South Korea, but seldom found elsewhere.
+               To use the cipher, one must install the libopenssl-legacy
+               package, using a main libopenssl package compiled with this
+               option enabled as well.
 
 config OPENSSL_WITH_SM234
        bool
@@ -197,11 +205,21 @@ config OPENSSL_WITH_BLAKE2
 
 config OPENSSL_WITH_MDC2
        bool
-       prompt "Enable MDC2 digest support"
+       default y if !SMALL_FLASH
+       prompt "Enable MDC2 digest support (needs legacy provider)"
+       help
+               To use the digest, one must install the libopenssl-legacy
+               package, using a main libopenssl package compiled with this
+               option enabled as well.
 
 config OPENSSL_WITH_WHIRLPOOL
        bool
-       prompt "Enable Whirlpool digest support"
+       default y if !SMALL_FLASH
+       prompt "Enable Whirlpool digest support (needs legacy provider)"
+       help
+               To use the digest, one must install the libopenssl-legacy
+               package, using a main libopenssl package compiled with this
+               option enabled as well.
 
 config OPENSSL_WITH_COMPRESSION
        bool
index 66872d54366944923bd015d65d0a8a6e951cdef1..add3eb7db66902d4c5536313eb1c9980b93f11ab 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_VERSION:=3.0.8
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 PKG_BUILD_FLAGS:=no-mips16 gc-sections
 
 PKG_BUILD_PARALLEL:=1
@@ -64,7 +64,7 @@ PKG_CONFIG_DEPENDS:= \
        CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
-include $(INCLUDE_DIR)/openssl-engine.mk
+include $(INCLUDE_DIR)/openssl-module.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
@@ -129,8 +129,8 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
-$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/engines.cnf.d/devcrypto.cnf)
-$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/engines.cnf.d/padlock.cnf)
+$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/modules.cnf.d/devcrypto.cnf)
+$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/modules.cnf.d/padlock.cnf)
 endef
 
 define Package/libopenssl-conf/description
@@ -162,6 +162,20 @@ $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),add_engine_config padlock)
 endef
 endif
 
+$(eval $(call Package/openssl/add-provider,legacy))
+define Package/libopenssl-legacy
+  $(call Package/openssl/Default)
+  $(call Package/openssl/module/Default)
+  TITLE:=OpenSSL legacy provider
+endef
+
+define Package/libopenssl-legacy/description
+The OpenSSL legacy provider supplies OpenSSL implementations of algorithms that
+have been deemed legacy. Such algorithms have commonly fallen out of use, have
+been deemed insecure by the cryptography community, or something similar.  See
+https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
+endef
+
 $(eval $(call Package/openssl/add-engine,afalg))
 define Package/libopenssl-afalg
   $(call Package/openssl/Default)
@@ -174,7 +188,7 @@ endef
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
 endef
@@ -190,7 +204,7 @@ endef
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
 endef
@@ -206,7 +220,7 @@ endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
 endef
@@ -403,16 +417,16 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-       $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d
+       $(INSTALL_DIR) $(1)/etc/ssl/modules.cnf.d $(1)/etc/config $(1)/etc/init.d
        $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
        $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
        $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
        touch $(1)/etc/config/openssl
        $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
-               $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
+               $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/modules.cnf.d/
                echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
        $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
-               $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
+               $(CP) ./files/padlock.cnf $(1)/etc/ssl/modules.cnf.d/
                echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
 endef
 
@@ -425,5 +439,6 @@ $(eval $(call BuildPackage,libopenssl))
 $(eval $(call BuildPackage,libopenssl-conf))
 $(eval $(call BuildPackage,libopenssl-afalg))
 $(eval $(call BuildPackage,libopenssl-devcrypto))
+$(eval $(call BuildPackage,libopenssl-legacy))
 $(eval $(call BuildPackage,libopenssl-padlock))
 $(eval $(call BuildPackage,openssl-util))
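Review bot: In `Package/libopenssl-conf/install` the engine directory is still patched into the init script with `$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl`, but the new provider directory gets no such treatment: `/usr/lib/ossl-modules` is written literally in `Package/openssl/add-provider` (openssl-module.mk) and again as `MODULES_DIR` in files/openssl.init. If those two literals ever diverge, the `.so` packaged by `add-provider` and the path the init script tests with `[ ! -f "$3" ]` disagree, and the provider is quietly skipped at boot rather than failing the build. Defining a `MODULES_DIR` next to `ENGINES_DIR` in openssl-module.mk, using it in `add-provider`, and substituting a `%MODULES_DIR%` placeholder in the same `$(SED)` line would keep the three in sync. The `$(SED)` line is unchanged context in this hunk; the enclosing install define fits within it.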
index 4f573d757c87dde4bde11e367a4ea7925579c6a3..fd206361bf353d8ad4ddcdb81558db5f6446e6aa 100644 (file)
@@ -1,3 +1,3 @@
-[afalg]
+[afalg_sect]
 default_algorithms = ALL
 
index 8afd9b1b004f50006cda46b46cfabfea7aaf6b07..91d0eee17fa8d36ff0b8e2a65ee6d88b51a9082f 100644 (file)
@@ -1,4 +1,4 @@
-[devcrypto]
+[devcrypto_sect]
 # Leave this alone and configure algorithms with CIPERS/DIGESTS below
 default_algorithms = ALL
 
diff --git a/package/libs/openssl/files/legacy.cnf b/package/libs/openssl/files/legacy.cnf
new file mode 100644 (file)
index 0000000..4c20617
--- /dev/null
@@ -0,0 +1,3 @@
+[legacy_sect]
+activate = 1
+
index f895b9878c822e8c9188cf814c4802e72dd28442..1c1e8745ffeb406834c5fd14c14f106f6ecf201c 100755 (executable)
@@ -1,11 +1,25 @@
 #!/bin/sh /etc/rc.common
 
 START=13
-ENGINES_CNF_D="/etc/ssl/engines.cnf.d"
-ENGINES_CNF="/var/etc/ssl/engines.cnf"
-ENGINES_DIR="%ENGINES_DIR%"
+ENGINES_CNF=/var/etc/ssl/engines.cnf
+ENGINES_DIR=%ENGINES_DIR%
+MODULES_DIR=/usr/lib/ossl-modules
+PROVIDERS_CNF=/var/etc/ssl/providers.cnf
 
-config_engine() {
+#1: cnf file
+write_cnf_header() {
+       mkdir -p "$(dirname "$1")" && \
+       echo "# This file is automatically generated from /etc/config/openssl." >"$1" || {
+               echo "Error writing to $1."
+               return 1
+       }
+}
+
+
+#1: module name
+#2: output cnf file
+#3: module.so
+enable_module() {
        local builtin enabled force
 
        config_get_bool builtin "$1" builtin 0
@@ -13,30 +27,46 @@ config_engine() {
        config_get_bool force "$1" force 0
 
        if [ "$enabled" = 0 ]; then
-               [ "$builtin" != 1 ] && return 1
-               echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI." && \
+               [ "$builtin" = 0 ] && return 1
+               echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI."
                echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl."
        elif [ "$force" = 1 ]; then
                printf "[Forced] "
-       elif ! grep -q "\\[ *$1 *]" "${ENGINES_CNF_D}"/*; then
+       elif ! grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*; then
                echo "$1: Could not find section [$1] in config files."
                return 1
        elif [ "$builtin" = 1 ]; then
                printf "[Builtin] "
-       elif [ ! -f "${ENGINES_DIR}/$1.so" ];then
-               echo "$1: ${ENGINES_DIR}/$1.so not found."
+       elif [ ! -f "$3" ];then
+               echo "Skipping $1: $3 not found."
                return 1
        fi
-       echo Enabling engine "$1"
-       echo "$1=$1" >> "${ENGINES_CNF}"
+       echo "Enabling $1"
+       echo "$1=$1_sect" >>"$2"
+}
+
+config_engine() {
+       enable_module "$1" "$ENGINES_CNF" \
+                     "${ENGINES_DIR}/${1}.so"
+}
+
+config_provider() {
+       enable_module "$1" "$PROVIDERS_CNF" \
+                     "${MODULES_DIR}/${1}.so"
 }
 
 start() {
-       mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1
-       echo Generating engines.cnf
-       echo "# This file is automatically generated from /etc/config/openssl." \
-             > "${ENGINES_CNF}" || \
-             { echo Error writing ${ENGINES_CNF} >&2; exit 1; }
+       local ret=0
+
         config_load openssl
-       config_foreach config_engine engine
+
+       echo Generating engines.cnf
+       write_cnf_header "${ENGINES_CNF}" && \
+       config_foreach config_engine engine || ret=$?
+
+       echo Generating providers.cnf
+       write_cnf_header "${PROVIDERS_CNF}" && \
+       config_foreach config_provider provider || ret=$?
+
+       return $ret
 }
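Review bot: The "not found" message in `enable_module` no longer matches the test above it: `grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*` looks for `[$1_sect]`, yet the following line still reports `echo "$1: Could not find section [$1] in config files."`; it should read `echo "$1: Could not find section [$1_sect] in /etc/ssl/modules.cnf.d."`, and the builtin branch two conditions up still says `Engine $1 is built into…` although the function now handles providers as well. `write_cnf_header` also regresses the old `start()`, which sent its write failure to stderr with `>&2`; `echo "Error writing to $1." >&2` restores that. Finally, `enable_module` returns 1 both for a real problem (missing section or missing `.so`) and for a module that is merely disabled (`[ "$builtin" = 0 ] && return 1`), so if `config_foreach` passes its last callback's status through, the `|| ret=$?` lines in `start()` can make a perfectly normal configuration report failure; worth verifying, or giving the "skip" case a distinct return value.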
index ef91079e5d1416138f59af340676fa3b41afa629..f4085d907b4e2050a52548b34b23333f89e83167 100644 (file)
@@ -1,3 +1,3 @@
-[padlock]
+[padlock_sect]
 default_algorithms = ALL
 
index b1ec0cae711668afa37109ece5378c6486ff77e8..9fe9cdf590cdbf0451180be3e3b74cbb049a9e79 100644 (file)
@@ -10,20 +10,32 @@ Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
 
 --- a/apps/openssl.cnf
 +++ b/apps/openssl.cnf
-@@ -30,6 +30,16 @@ oid_section = new_oids
- # (Alternatively, use a configuration file that has only
- # X.509v3 extensions in its main [= default] section.)
+@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7
  
-+openssl_conf=openssl_conf
+ [openssl_init]
+ providers = provider_sect
++engines = engines_sect
+ # List of providers to load
+ [provider_sect]
+ default = default_sect
++.include /var/etc/ssl/providers.cnf
 +
-+[openssl_conf]
-+engines=engines
+ # The fips section name should match the section name inside the
+ # included fipsmodule.cnf.
+ # fips = fips_sect
+@@ -69,7 +72,13 @@ default = default_sect
+ # OpenSSL may not work correctly which could lead to significant system
+ # problems including inability to remotely access the system.
+ [default_sect]
+-# activate = 1
++activate = 1
 +
-+[engines]
++[engines_sect]
 +.include /var/etc/ssl/engines.cnf
 +
-+.include /etc/ssl/engines.cnf.d
++.include /etc/ssl/modules.cnf.d
 +
- [ new_oids ]
- # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
- # Add a simple OID like this:
+ ####################################################################
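Review bot: Uncommenting `activate = 1` under `[default_sect]` is required once providers are activated from the included /var/etc/ssl/providers.cnf, because OpenSSL 3.0 only loads the default provider implicitly when no other provider has been loaded, but the patched file gives no hint of why the line is there. A one-line comment directly above it in the patch, e.g. `# Must stay activated: once another provider (such as legacy) is activated below, the default provider is no longer loaded automatically.`, would keep a later cleanup from re-commenting it and removing every default algorithm at once. The upstream warning kept as context just above (`OpenSSL may not work correctly…`) describes exactly that failure mode, so tying the two together in the file is cheap documentation.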