+++ /dev/null
-# SPDX-License-Identifier: GPL-2.0-only
-#
-# Copyright (C) 2022-2023 Enéas Ulir de Queiroz
-
-ENGINES_DIR=engines-3
-
-define Package/openssl/engine/Default
- SECTION:=libs
- CATEGORY:=Libraries
- SUBMENU:=SSL
- DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf
-endef
-
-# 1 = engine name
-# 2 - package name, defaults to libopenssl-$(1)
-define Package/openssl/add-engine
- OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1))
- Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf
-
- define Package/$$(OSSL_ENG_PKG)/install
- $$(INSTALL_DIR) $$(1)/usr/lib/$(ENGINES_DIR)
- $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \
- $$(1)/usr/lib/$(ENGINES_DIR)
- $$(INSTALL_DIR) $$(1)/etc/ssl/engines.cnf.d
- $$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/
- endef
-
- define Package/$$(OSSL_ENG_PKG)/postinst :=
-#!/bin/sh
-OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
-
-[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
-
-cat << EOF >> "$$$${OPENSSL_UCI}"
-
-config engine '$(1)'
- option enabled '1'
-EOF
-
-[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
- endef
-
- define Package/$$(OSSL_ENG_PKG)/postrm :=
-#!/bin/sh
-[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
-uci delete openssl.$(1)
-uci commit openssl
-/etc/init.d/openssl reload
- endef
-endef
--- /dev/null
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2022-2023 Enéas Ulir de Queiroz
+
+ENGINES_DIR=engines-3
+
+define Package/openssl/module/Default
+ SECTION:=libs
+ CATEGORY:=Libraries
+ SUBMENU:=SSL
+ DEPENDS:=libopenssl +libopenssl-conf
+endef
+
+define Package/openssl/engine/Default
+ $(Package/openssl/module/Default)
+ DEPENDS+=@OPENSSL_ENGINE
+endef
+
+
+# 1 = moudule type (engine|provider)
+# 2 = module name
+# 3 = directory to save .so file
+# 4 = [ package name, defaults to libopenssl-$(2) ]
+define Package/openssl/add-module
+ $(eval MOD_TYPE:=$(1))
+ $(eval MOD_NAME:=$(2))
+ $(eval MOD_DIR:=$(3))
+ $(eval OSSL_PKG:=$(if $(4),$(4),libopenssl-$(MOD_NAME)))
+ $(info Package/openssl/add-module 1='$(1)'; 2='$(2)'; 3='$(3)' 4='$(4)')
+ $(info MOD_TYPE='$(MOD_TYPE)'; MOD_NAME='$(MOD_NAME)'; MOD_DIR='$(MOD_DIR)' OSSL_PKG='$(OSSL_PKG)')
+ Package/$(OSSL_PKG)/conffiles:=/etc/ssl/modules.cnf.d/$(MOD_NAME).cnf
+
+ define Package/$(OSSL_PKG)/install
+ $$(INSTALL_DIR) $$(1)/$(MOD_DIR)
+ $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/$(MOD_DIR)/$(MOD_NAME).so \
+ $$(1)/$(MOD_DIR)
+ $$(INSTALL_DIR) $$(1)/etc/ssl/modules.cnf.d
+ $$(INSTALL_DATA) ./files/$(MOD_NAME).cnf $$(1)/etc/ssl/modules.cnf.d/
+ endef
+
+ define Package/$(OSSL_PKG)/postinst
+#!/bin/sh
+OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
+
+[ -z "$$$${IPKG_INSTROOT}" ] \
+ && uci -q get openssl.$(MOD_NAME) >/dev/null \
+ && exit 0
+
+cat << EOF >> "$$$${OPENSSL_UCI}"
+
+config $(MOD_TYPE) '$(MOD_NAME)'
+ option enabled '1'
+EOF
+
+[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
+exit 0
+ endef
+
+ define Package/$(OSSL_PKG)/postrm
+#!/bin/sh
+[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
+uci -q delete openssl.$(MOD_NAME) && uci commit openssl
+/etc/init.d/openssl reload
+exit 0
+ endef
+endef
+
+# 1 = engine name
+# 2 - package name, defaults to libopenssl-$(1)
+define Package/openssl/add-engine
+ $(call Package/openssl/add-module,engine,$(1),/usr/lib/$(ENGINES_DIR),$(2))
+endef
+
+# 1 = provider name
+# 2 = [ package name, defaults to libopenssl-$(1) ]
+define Package/openssl/add-provider
+ $(call Package/openssl/add-module,provider,$(1),/usr/lib/ossl-modules,$(2))
+endef
+
config OPENSSL_WITH_IDEA
bool
- prompt "Enable IDEA cipher support"
+ default y if !SMALL_FLASH
+ prompt "Enable IDEA cipher support (needs legacy provider)"
help
IDEA is a block cipher with 128-bit keys.
+ To use the cipher, one must install the libopenssl-legacy
+ package, using a main libopenssl package compiled with this
+ option enabled as well.
config OPENSSL_WITH_SEED
bool
- prompt "Enable SEED cipher support"
+ default y if !SMALL_FLASH
+ prompt "Enable SEED cipher support (needs legacy provider)"
help
SEED is a block cipher with 128-bit keys broadly used in
South Korea, but seldom found elsewhere.
+ To use the cipher, one must install the libopenssl-legacy
+ package, using a main libopenssl package compiled with this
+ option enabled as well.
config OPENSSL_WITH_SM234
bool
config OPENSSL_WITH_MDC2
bool
- prompt "Enable MDC2 digest support"
+ default y if !SMALL_FLASH
+ prompt "Enable MDC2 digest support (needs legacy provider)"
+ help
+ To use the digest, one must install the libopenssl-legacy
+ package, using a main libopenssl package compiled with this
+ option enabled as well.
config OPENSSL_WITH_WHIRLPOOL
bool
- prompt "Enable Whirlpool digest support"
+ default y if !SMALL_FLASH
+ prompt "Enable Whirlpool digest support (needs legacy provider)"
+ help
+ To use the digest, one must install the libopenssl-legacy
+ package, using a main libopenssl package compiled with this
+ option enabled as well.
config OPENSSL_WITH_COMPRESSION
bool
PKG_NAME:=openssl
PKG_VERSION:=3.0.8
-PKG_RELEASE:=6
+PKG_RELEASE:=7
PKG_BUILD_FLAGS:=no-mips16 gc-sections
PKG_BUILD_PARALLEL:=1
CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
-include $(INCLUDE_DIR)/openssl-engine.mk
+include $(INCLUDE_DIR)/openssl-module.mk
ifneq ($(CONFIG_CCACHE),)
HOSTCC=$(HOSTCC_NOCACHE)
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
-$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/engines.cnf.d/devcrypto.cnf)
-$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/engines.cnf.d/padlock.cnf)
+$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/modules.cnf.d/devcrypto.cnf)
+$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/modules.cnf.d/padlock.cnf)
endef
define Package/libopenssl-conf/description
endef
endif
+$(eval $(call Package/openssl/add-provider,legacy))
+define Package/libopenssl-legacy
+ $(call Package/openssl/Default)
+ $(call Package/openssl/module/Default)
+ TITLE:=OpenSSL legacy provider
+endef
+
+define Package/libopenssl-legacy/description
+The OpenSSL legacy provider supplies OpenSSL implementations of algorithms that
+have been deemed legacy. Such algorithms have commonly fallen out of use, have
+been deemed insecure by the cryptography community, or something similar. See
+https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
+endef
+
$(eval $(call Package/openssl/add-engine,afalg))
define Package/libopenssl-afalg
$(call Package/openssl/Default)
define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
-See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "afalg"
endef
define Package/libopenssl-devcrypto/description
This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface.
-See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "devcrypto"
endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
-See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "padlock"
endef
endef
define Package/libopenssl-conf/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d
+ $(INSTALL_DIR) $(1)/etc/ssl/modules.cnf.d $(1)/etc/config $(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
- $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
+ $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/modules.cnf.d/
echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
- $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
+ $(CP) ./files/padlock.cnf $(1)/etc/ssl/modules.cnf.d/
echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
endef
$(eval $(call BuildPackage,libopenssl-conf))
$(eval $(call BuildPackage,libopenssl-afalg))
$(eval $(call BuildPackage,libopenssl-devcrypto))
+$(eval $(call BuildPackage,libopenssl-legacy))
$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))
-[afalg]
+[afalg_sect]
default_algorithms = ALL
-[devcrypto]
+[devcrypto_sect]
# Leave this alone and configure algorithms with CIPERS/DIGESTS below
default_algorithms = ALL
--- /dev/null
+[legacy_sect]
+activate = 1
+
#!/bin/sh /etc/rc.common
START=13
-ENGINES_CNF_D="/etc/ssl/engines.cnf.d"
-ENGINES_CNF="/var/etc/ssl/engines.cnf"
-ENGINES_DIR="%ENGINES_DIR%"
+ENGINES_CNF=/var/etc/ssl/engines.cnf
+ENGINES_DIR=%ENGINES_DIR%
+MODULES_DIR=/usr/lib/ossl-modules
+PROVIDERS_CNF=/var/etc/ssl/providers.cnf
-config_engine() {
+#1: cnf file
+write_cnf_header() {
+ mkdir -p "$(dirname "$1")" && \
+ echo "# This file is automatically generated from /etc/config/openssl." >"$1" || {
+ echo "Error writing to $1."
+ return 1
+ }
+}
+
+
+#1: module name
+#2: output cnf file
+#3: module.so
+enable_module() {
local builtin enabled force
config_get_bool builtin "$1" builtin 0
config_get_bool force "$1" force 0
if [ "$enabled" = 0 ]; then
- [ "$builtin" != 1 ] && return 1
- echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI." && \
+ [ "$builtin" = 0 ] && return 1
+ echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI."
echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl."
elif [ "$force" = 1 ]; then
printf "[Forced] "
- elif ! grep -q "\\[ *$1 *]" "${ENGINES_CNF_D}"/*; then
+ elif ! grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*; then
echo "$1: Could not find section [$1] in config files."
return 1
elif [ "$builtin" = 1 ]; then
printf "[Builtin] "
- elif [ ! -f "${ENGINES_DIR}/$1.so" ];then
- echo "$1: ${ENGINES_DIR}/$1.so not found."
+ elif [ ! -f "$3" ];then
+ echo "Skipping $1: $3 not found."
return 1
fi
- echo Enabling engine "$1"
- echo "$1=$1" >> "${ENGINES_CNF}"
+ echo "Enabling $1"
+ echo "$1=$1_sect" >>"$2"
+}
+
+config_engine() {
+ enable_module "$1" "$ENGINES_CNF" \
+ "${ENGINES_DIR}/${1}.so"
+}
+
+config_provider() {
+ enable_module "$1" "$PROVIDERS_CNF" \
+ "${MODULES_DIR}/${1}.so"
}
start() {
- mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1
- echo Generating engines.cnf
- echo "# This file is automatically generated from /etc/config/openssl." \
- > "${ENGINES_CNF}" || \
- { echo Error writing ${ENGINES_CNF} >&2; exit 1; }
+ local ret=0
+
config_load openssl
- config_foreach config_engine engine
+
+ echo Generating engines.cnf
+ write_cnf_header "${ENGINES_CNF}" && \
+ config_foreach config_engine engine || ret=$?
+
+ echo Generating providers.cnf
+ write_cnf_header "${PROVIDERS_CNF}" && \
+ config_foreach config_provider provider || ret=$?
+
+ return $ret
}
-[padlock]
+[padlock_sect]
default_algorithms = ALL
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
-@@ -30,6 +30,16 @@ oid_section = new_oids
- # (Alternatively, use a configuration file that has only
- # X.509v3 extensions in its main [= default] section.)
+@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7
-+openssl_conf=openssl_conf
+ [openssl_init]
+ providers = provider_sect
++engines = engines_sect
+
+ # List of providers to load
+ [provider_sect]
+ default = default_sect
++.include /var/etc/ssl/providers.cnf
+
-+[openssl_conf]
-+engines=engines
+ # The fips section name should match the section name inside the
+ # included fipsmodule.cnf.
+ # fips = fips_sect
+@@ -69,7 +72,13 @@ default = default_sect
+ # OpenSSL may not work correctly which could lead to significant system
+ # problems including inability to remotely access the system.
+ [default_sect]
+-# activate = 1
++activate = 1
+
-+[engines]
++[engines_sect]
+.include /var/etc/ssl/engines.cnf
+
-+.include /etc/ssl/engines.cnf.d
++.include /etc/ssl/modules.cnf.d
+
- [ new_oids ]
- # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
- # Add a simple OID like this:
+
+
+ ####################################################################