From 9d77bd7666f4314a0a5f9f918c3c7f7d94d386c2 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Sun, 20 Feb 2022 21:09:30 -0300 Subject: [PATCH] openssl: configure engines with uci This uses uci to configure engines, by generating a list of enabled engines in /var/etc/ssl/engines.cnf from engines configured in /etc/config/openssl: config engine 'devcrypto' option enabled '1' Currently the only options implemented are 'enabled', which defaults to true and enables the named engine, and the 'force' option, that enables the engine even if the init script thinks the engine does not exist. The existence test is to check for either a configuration file /etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file /usr/lib/engines-1.1/%ENGINE%.so. The engine list is generated by an init script which is set to run after 'log' because it informs the engines being enabled or skipped. It should run before any service using OpenSSL as the crypto library, otherwise the service will not use any engine. Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 13 ++-- package/libs/openssl/engine.mk | 60 ++++--------------- package/libs/openssl/files/engines.cnf | 7 --- package/libs/openssl/files/openssl.init | 31 ++++++++++ .../150-openssl.cnf-add-engines-conf.patch | 5 +- 5 files changed, 54 insertions(+), 62 deletions(-) delete mode 100644 package/libs/openssl/files/engines.cnf create mode 100755 package/libs/openssl/files/openssl.init diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index a096b9015..d0af1c2ad 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=m PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 
@@ -130,7 +130,6 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf -/etc/ssl/engines.cnf.d/engines.cnf $(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef @@ -380,15 +379,17 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ - $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl + touch $(1)/etc/config/openssl $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ - echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) + echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl) $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ - echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl) endef define Package/openssl-util/install diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk index 482b5ad5e..973a98990 100644 --- a/package/libs/openssl/engine.mk +++ b/package/libs/openssl/engine.mk 
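Review bot: The new `/etc/config/openssl`, created by the install recipe in the later `Package/libopenssl-conf/install` hunk and later appended to and edited by the engine packages' postinst/postrm, is not listed in `Package/libopenssl-conf/conffiles`, although the `engines.cnf.d/engines.cnf` entry it replaces was; a reinstall or upgrade of libopenssl-conf would therefore overwrite a user's `enabled`/`force` settings without the usual conffile prompt. Adding the line `/etc/config/openssl` after `/etc/ssl/openssl.cnf` in this define keeps the file under conffile handling. The define is fully visible within the hunk.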
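Review bot: The two new `echo -e "…\n\toption enabled '1'"` lines in `Package/libopenssl-conf/install` depend on the recipe shell's echo interpreting backslash escapes, which is bash behaviour rather than POSIX sh; `printf "config engine 'devcrypto'\n\toption enabled '1'\n" >> $(1)/etc/config/openssl` (and the same for padlock) produces the same file under any shell. This only matters if the build does not already pin bash as `SHELL`, which the hunk does not show. The `touch $(1)/etc/config/openssl` line is what makes the later appends safe when neither builtin engine is selected, and a short comment saying so, `# always ship the uci file, even with no builtin engine`, would make that intent visible.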
@@ -23,60 +23,24 @@ define Package/openssl/add-engine define Package/$$(OSSL_ENG_PKG)/postinst := #!/bin/sh -# $$$$1 == non-empty: suggest reinstall -error_out() { - [ "$1" ] && cat <<- EOF - Reinstalling the libopenssl-conf package may fix this: +OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl" - opkg install --force-reinstall libopenssl-conf - EOF - cat <<- EOF +[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0 - Then, you will have to reinstall this package, and any other engine package you have - you have previously installed to ensure they are enabled: +cat << EOF >> "$$$${OPENSSL_UCI}" - opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]... +config engine '$(1)' + option enabled '1' +EOF - EOF - exit 1 -} -ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf" -OPENSSL_CNF="$$$${IPKG_INSTROOT}/etc/ssl/openssl.cnf" -if [ ! -f "$$$${OPENSSL_CNF}" ]; then - echo -e "ERROR: File $$$${OPENSSL_CNF} not found." - error_out reinstall -fi -if ! grep -q "^.include /etc/ssl/engines.cnf.d" "$$$${OPENSSL_CNF}"; then - cat <<- EOF - Your /etc/ssl/openssl.cnf file is not loading engine configuration files from - /etc/ssl/engines.cnf.d. You should consider start with a fresh, updated OpenSSL config by - running: - - opkg install --force-reinstall --force-maintainer libopenssl-conf - - The above command will overwrite any changes you may have made to both /etc/ssl/openssl.cnf - and /etc/ssl/engines.cnf.d/engines.cnf files, so back them up first! - EOF - error_out -fi -if [ ! -f "$$$${ENGINES_CNF}" ]; then - echo "Can't configure $$(OSSL_ENG_PKG): File $$$${ENGINES_CNF} not found." - error_out reinstall -fi -if grep -q "$(1)=$(1)" "$$$${ENGINES_CNF}"; then - echo "$$(OSSL_ENG_PKG): $(1) engine was already configured. Nothing to be done." -else - echo "$(1)=$(1)" >> "$$$${ENGINES_CNF}" - echo "$$(OSSL_ENG_PKG): $(1) engine enabled. All done!" 
-fi +[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload endef - define Package/$$(OSSL_ENG_PKG)/prerm := + define Package/$$(OSSL_ENG_PKG)/postrm := #!/bin/sh -ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf" -[ -f "$$$${ENGINES_CNF}" ] || exit 0 -sed -e '/$(1)=$(1)/d' -i "$$$${ENGINES_CNF}" +[ -n "$$$${IPKG_INSTROOT}" ] && exit 0 +uci delete openssl.$(1) +uci commit openssl +/etc/init.d/openssl reload endef endef - -
diff --git a/package/libs/openssl/files/engines.cnf b/package/libs/openssl/files/engines.cnf
deleted file mode 100644
index 333b1d6c2..000000000
--- a/package/libs/openssl/files/engines.cnf
+++ /dev/null
@@ -1,7 +0,0 @@
-# This file should only contain the [engines] section
-# It is subject to change by installing OpenSSL engine packages
-# Any lines that have the sequence "engine-name=engine-name" will
-# be removed when the respective engine gets uninstalled.
-# You may avoid that by adding a space before/after the = sign.
-
-[engines]
diff --git a/package/libs/openssl/files/openssl.init b/package/libs/openssl/files/openssl.init
new file mode 100755
index 000000000..21e253e7a
--- /dev/null
+++ b/package/libs/openssl/files/openssl.init
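Review bot: In the new postinst, the `uci -q get openssl.$(1)` guard runs only when `IPKG_INSTROOT` is empty, so installing the engine package into an offline root a second time (or reinstalling it there) appends another `config engine '$(1)'` section to `/etc/config/openssl`; a line `grep -q "^config engine '$(1)'" "$$$${OPENSSL_UCI}" 2>/dev/null && exit 0` before the `cat << EOF >>` would cover that path too, since uci is not usable with an install root there. In the new postrm, `uci delete openssl.$(1)` is unguarded, so removing an engine whose section a user already dropped by hand prints a uci error; `uci -q delete openssl.$(1)` keeps the script quiet in that case. The enclosing `define Package/openssl/add-engine` starts before this hunk.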
@@ -0,0 +1,31 @@
+#!/bin/sh /etc/rc.common
+
+START=13
+ENGINES_CNF_D="/etc/ssl/engines.cnf.d"
+ENGINES_CNF="/var/etc/ssl/engines.cnf"
+ENGINES_DIR="%ENGINES_DIR%"
+
+config_engine() {
+ local enabled force
+ config_get_bool enabled "$1" enabled 1
+ config_get_bool force "$1" force 0
+ [ "$enabled" = 0 ] && return
+ if [ "$force" = 0 ] && \
+ [ ! -f "${ENGINES_CNF_D}/$1.cnf" ] && \
+ [ ! -f "${ENGINES_DIR}/$1.so" ]; then
+ echo Skipping engine "$1": not installed
+ return
+ fi
+ echo Enabling engine "$1"
+ echo "$1=$1" >> "${ENGINES_CNF}"
+}
+
+start() {
+ mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1
+ echo Generating engines.cnf
+ echo "# This file is automatically generated from /etc/config/openssl." \
+ > "${ENGINES_CNF}" || \
+ { echo Error writing ${ENGINES_CNF} >&2; exit 1; }
+ config_load openssl
+ config_foreach config_engine engine
+}
diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
index 3db7a1921..885111634 100644
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -11,7 +11,7 @@ Signed-off-by: Eneas U de Queiroz diff --git a/apps/openssl.cnf b/apps/openssl.cnf --- a/apps/openssl.cnf +++ b/apps/openssl.cnf -@@ -22,6 +22,13 @@ oid_section = new_oids +@@ -22,6 +22,16 @@ oid_section = new_oids # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) @@ -20,6 +20,9 @@ diff --git a/apps/openssl.cnf b/apps/openssl.cnf +[openssl_conf] +engines=engines + ++[engines] ++.include /var/etc/ssl/engines.cnf ++ +.include /etc/ssl/engines.cnf.d + [ new_oids ]
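Review bot: `start()` truncates `/var/etc/ssl/engines.cnf` with `> "${ENGINES_CNF}"` and `config_engine` then appends one `name=name` line per engine, so any process that loads the default OpenSSL config while a `reload` is in progress (an engine package's postinst triggers one on a running system) reads an empty or partial engine list. Writing the list to `${ENGINES_CNF}.tmp` and renaming it into place once `config_foreach` has finished makes the swap atomic, since `mv -f` on the same filesystem replaces the file in one step. The rest of the script, including the `force`/existence test, stays as it is.
```shell
config_engine() {
	# … unchanged: option lookup and installed-engine test …
	echo "$1=$1" >> "${ENGINES_CNF}.tmp"
}

start() {
	# … unchanged: mkdir -p and progress message …
	echo "# This file is automatically generated from /etc/config/openssl." \
		> "${ENGINES_CNF}.tmp" || \
		{ echo Error writing ${ENGINES_CNF} >&2; exit 1; }
	config_load openssl
	config_foreach config_engine engine
	mv -f "${ENGINES_CNF}.tmp" "${ENGINES_CNF}"
}
```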
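Review bot: The new `[engines]` block in the patched `openssl.cnf` includes `/var/etc/ssl/engines.cnf`, a file that exists only after `/etc/init.d/openssl` has run (the commit message says it must run before any OpenSSL-using service); it is worth confirming that OpenSSL 1.1.1 tolerates an `.include` whose target is absent, because a hard failure there would affect every process loading the default config, not just engine users. A comment on the line before the include, `# generated at boot by /etc/init.d/openssl from /etc/config/openssl`, would tell readers of the shipped config where the file comes from and why it lives under /var. The surrounding `openssl.cnf` text appears here only as context of the inner patch, so the rest of that file is outside the hunk.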