openssl: add legacy provider
This adapts the engine build infrastructure to allow building providers, and packages the legacy provider. Providers are the successors of engines, which have been deprecated. The legacy provider supplies OpenSSL implementations of algorithms that have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool. Even though these algorithms are implemented in a separate package, their removal makes the regular library smaller by 3%, so the build options will remain to allow lean custom builds. Their defaults will change to 'y' if not building for a small flash, so that the regular legacy package will contain a complete set of algorithms. The engine build and configuration structure was changed to accommodate providers, and adapt to the new style of openssl.cnf in version 3.0. There is not a clean upgrade path for the /etc/ssl/openssl.cnf file, installed by the openssl-conf package. It is recommended to rename or remove the old config file when flashing an image with the updated openssl-conf package, then apply the changes manually. An old openssl.cnf file will silently work, but new engine or provider packages will not be enabled. Any remaining engine config files under /etc/ssl/engines.cnf.d can be removed. On the build side, the include file used by engine packages was renamed to openssl-module.mk, so the engine packages in other feeds need to adapt. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
parent
0b70d55a64
commit
0dc5fc8fa5
@ -1,50 +0,0 @@
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
#
|
||||
# Copyright (C) 2022-2023 Enéas Ulir de Queiroz
|
||||
|
||||
ENGINES_DIR=engines-3
|
||||
|
||||
define Package/openssl/engine/Default
|
||||
SECTION:=libs
|
||||
CATEGORY:=Libraries
|
||||
SUBMENU:=SSL
|
||||
DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf
|
||||
endef
|
||||
|
||||
# 1 = engine name
|
||||
# 2 - package name, defaults to libopenssl-$(1)
|
||||
define Package/openssl/add-engine
|
||||
OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1))
|
||||
Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf
|
||||
|
||||
define Package/$$(OSSL_ENG_PKG)/install
|
||||
$$(INSTALL_DIR) $$(1)/usr/lib/$(ENGINES_DIR)
|
||||
$$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \
|
||||
$$(1)/usr/lib/$(ENGINES_DIR)
|
||||
$$(INSTALL_DIR) $$(1)/etc/ssl/engines.cnf.d
|
||||
$$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/
|
||||
endef
|
||||
|
||||
define Package/$$(OSSL_ENG_PKG)/postinst :=
|
||||
#!/bin/sh
|
||||
OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
|
||||
|
||||
[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
|
||||
|
||||
cat << EOF >> "$$$${OPENSSL_UCI}"
|
||||
|
||||
config engine '$(1)'
|
||||
option enabled '1'
|
||||
EOF
|
||||
|
||||
[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
|
||||
endef
|
||||
|
||||
define Package/$$(OSSL_ENG_PKG)/postrm :=
|
||||
#!/bin/sh
|
||||
[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
|
||||
uci delete openssl.$(1)
|
||||
uci commit openssl
|
||||
/etc/init.d/openssl reload
|
||||
endef
|
||||
endef
|
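--- a/include/openssl-module.mk
+++ b/include/openssl-module.mk
@@ -0,0 +1,79 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2022-2023 Enéas Ulir de Queiroz
+
+ENGINES_DIR=engines-3
+
+define Package/openssl/module/Default
+SECTION:=libs
+CATEGORY:=Libraries
+SUBMENU:=SSL
+DEPENDS:=libopenssl +libopenssl-conf
+endef
+
+define Package/openssl/engine/Default
+$(Package/openssl/module/Default)
+DEPENDS+=@OPENSSL_ENGINE
+endef
+
+
+# 1 = moudule type (engine|provider)
+# 2 = module name
+# 3 = directory to save .so file
+# 4 = [ package name, defaults to libopenssl-$(2) ]
+define Package/openssl/add-module
+$(eval MOD_TYPE:=$(1))
+$(eval MOD_NAME:=$(2))
+$(eval MOD_DIR:=$(3))
+$(eval OSSL_PKG:=$(if $(4),$(4),libopenssl-$(MOD_NAME)))
+$(info Package/openssl/add-module 1='$(1)'; 2='$(2)'; 3='$(3)' 4='$(4)')
+$(info MOD_TYPE='$(MOD_TYPE)'; MOD_NAME='$(MOD_NAME)'; MOD_DIR='$(MOD_DIR)' OSSL_PKG='$(OSSL_PKG)')
+Package/$(OSSL_PKG)/conffiles:=/etc/ssl/modules.cnf.d/$(MOD_NAME).cnf
+
+define Package/$(OSSL_PKG)/install
+$$(INSTALL_DIR) $$(1)/$(MOD_DIR)
+$$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/$(MOD_DIR)/$(MOD_NAME).so \
+$$(1)/$(MOD_DIR)
+$$(INSTALL_DIR) $$(1)/etc/ssl/modules.cnf.d
+$$(INSTALL_DATA) ./files/$(MOD_NAME).cnf $$(1)/etc/ssl/modules.cnf.d/
+endef
+
+define Package/$(OSSL_PKG)/postinst
+#!/bin/sh
+OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
+
+[ -z "$$$${IPKG_INSTROOT}" ] \
+&& uci -q get openssl.$(MOD_NAME) >/dev/null \
+&& exit 0
+
+cat << EOF >> "$$$${OPENSSL_UCI}"
+
+config $(MOD_TYPE) '$(MOD_NAME)'
+option enabled '1'
+EOF
+
+[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
+exit 0
+endef
+
+define Package/$(OSSL_PKG)/postrm
+#!/bin/sh
+[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
+uci -q delete openssl.$(MOD_NAME) && uci commit openssl
+/etc/init.d/openssl reload
+exit 0
+endef
+endef
+
+# 1 = engine name
+# 2 - package name, defaults to libopenssl-$(1)
+define Package/openssl/add-engine
+$(call Package/openssl/add-module,engine,$(1),/usr/lib/$(ENGINES_DIR),$(2))
+endef
+
+# 1 = provider name
+# 2 = [ package name, defaults to libopenssl-$(1) ]
+define Package/openssl/add-provider
+$(call Package/openssl/add-module,provider,$(1),/usr/lib/ossl-modules,$(2))
+endef
+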
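Review bot: The two `$(info …)` lines inside `Package/openssl/add-module` look like leftover debugging. They print whenever the template is expanded, so every package that calls `add-engine` or `add-provider` writes both lines to the build output on each make run; I would drop them. The parameter comment also misspells the word, and should read `# 1 = module type (engine|provider)`. Because `MOD_TYPE`, `MOD_NAME`, `MOD_DIR` and `OSSL_PKG` are set with `$(eval …)` as plain globals, a short comment saying each call overwrites them and that the nested defines capture the values at call time would help the next reader.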
@ -167,16 +167,24 @@ config OPENSSL_WITH_CAMELLIA
|
||||
|
||||
config OPENSSL_WITH_IDEA
|
||||
bool
|
||||
prompt "Enable IDEA cipher support"
|
||||
default y if !SMALL_FLASH
|
||||
prompt "Enable IDEA cipher support (needs legacy provider)"
|
||||
help
|
||||
IDEA is a block cipher with 128-bit keys.
|
||||
To use the cipher, one must install the libopenssl-legacy
|
||||
package, using a main libopenssl package compiled with this
|
||||
option enabled as well.
|
||||
|
||||
config OPENSSL_WITH_SEED
|
||||
bool
|
||||
prompt "Enable SEED cipher support"
|
||||
default y if !SMALL_FLASH
|
||||
prompt "Enable SEED cipher support (needs legacy provider)"
|
||||
help
|
||||
SEED is a block cipher with 128-bit keys broadly used in
|
||||
South Korea, but seldom found elsewhere.
|
||||
To use the cipher, one must install the libopenssl-legacy
|
||||
package, using a main libopenssl package compiled with this
|
||||
option enabled as well.
|
||||
|
||||
config OPENSSL_WITH_SM234
|
||||
bool
|
||||
@ -197,11 +205,21 @@ config OPENSSL_WITH_BLAKE2
|
||||
|
||||
config OPENSSL_WITH_MDC2
|
||||
bool
|
||||
prompt "Enable MDC2 digest support"
|
||||
default y if !SMALL_FLASH
|
||||
prompt "Enable MDC2 digest support (needs legacy provider)"
|
||||
help
|
||||
To use the digest, one must install the libopenssl-legacy
|
||||
package, using a main libopenssl package compiled with this
|
||||
option enabled as well.
|
||||
|
||||
config OPENSSL_WITH_WHIRLPOOL
|
||||
bool
|
||||
prompt "Enable Whirlpool digest support"
|
||||
default y if !SMALL_FLASH
|
||||
prompt "Enable Whirlpool digest support (needs legacy provider)"
|
||||
help
|
||||
To use the digest, one must install the libopenssl-legacy
|
||||
package, using a main libopenssl package compiled with this
|
||||
option enabled as well.
|
||||
|
||||
config OPENSSL_WITH_COMPRESSION
|
||||
bool
|
||||
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=openssl
|
||||
PKG_VERSION:=3.0.8
|
||||
PKG_RELEASE:=6
|
||||
PKG_RELEASE:=7
|
||||
PKG_BUILD_FLAGS:=no-mips16 gc-sections
|
||||
|
||||
PKG_BUILD_PARALLEL:=1
|
||||
@ -64,7 +64,7 @@ PKG_CONFIG_DEPENDS:= \
|
||||
CONFIG_OPENSSL_WITH_WHIRLPOOL
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
include $(INCLUDE_DIR)/openssl-engine.mk
|
||||
include $(INCLUDE_DIR)/openssl-module.mk
|
||||
|
||||
ifneq ($(CONFIG_CCACHE),)
|
||||
HOSTCC=$(HOSTCC_NOCACHE)
|
||||
@ -129,8 +129,8 @@ endef
|
||||
|
||||
define Package/libopenssl-conf/conffiles
|
||||
/etc/ssl/openssl.cnf
|
||||
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/engines.cnf.d/devcrypto.cnf)
|
||||
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/engines.cnf.d/padlock.cnf)
|
||||
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/modules.cnf.d/devcrypto.cnf)
|
||||
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/modules.cnf.d/padlock.cnf)
|
||||
endef
|
||||
|
||||
define Package/libopenssl-conf/description
|
||||
@ -162,6 +162,20 @@ $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),add_engine_config padlock)
|
||||
endef
|
||||
endif
|
||||
|
||||
$(eval $(call Package/openssl/add-provider,legacy))
|
||||
define Package/libopenssl-legacy
|
||||
$(call Package/openssl/Default)
|
||||
$(call Package/openssl/module/Default)
|
||||
TITLE:=OpenSSL legacy provider
|
||||
endef
|
||||
|
||||
define Package/libopenssl-legacy/description
|
||||
The OpenSSL legacy provider supplies OpenSSL implementations of algorithms that
|
||||
have been deemed legacy. Such algorithms have commonly fallen out of use, have
|
||||
been deemed insecure by the cryptography community, or something similar. See
|
||||
https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
|
||||
endef
|
||||
|
||||
$(eval $(call Package/openssl/add-engine,afalg))
|
||||
define Package/libopenssl-afalg
|
||||
$(call Package/openssl/Default)
|
||||
@ -174,7 +188,7 @@ endef
|
||||
define Package/libopenssl-afalg/description
|
||||
This package adds an engine that enables hardware acceleration
|
||||
through the AF_ALG kernel interface.
|
||||
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
|
||||
See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
|
||||
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
|
||||
The engine_id is "afalg"
|
||||
endef
|
||||
@ -190,7 +204,7 @@ endef
|
||||
define Package/libopenssl-devcrypto/description
|
||||
This package adds an engine that enables hardware acceleration
|
||||
through the /dev/crypto kernel interface.
|
||||
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
|
||||
See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
|
||||
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
|
||||
The engine_id is "devcrypto"
|
||||
endef
|
||||
@ -206,7 +220,7 @@ endef
|
||||
|
||||
define Package/libopenssl-padlock/description
|
||||
This package adds an engine that enables VIA Padlock hardware acceleration.
|
||||
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
|
||||
See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
|
||||
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
|
||||
The engine_id is "padlock"
|
||||
endef
|
||||
@ -403,16 +417,16 @@ define Package/libopenssl/install
|
||||
endef
|
||||
|
||||
define Package/libopenssl-conf/install
|
||||
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d
|
||||
$(INSTALL_DIR) $(1)/etc/ssl/modules.cnf.d $(1)/etc/config $(1)/etc/init.d
|
||||
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
|
||||
$(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
|
||||
$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
|
||||
touch $(1)/etc/config/openssl
|
||||
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
|
||||
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
|
||||
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/modules.cnf.d/
|
||||
echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
|
||||
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
|
||||
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
|
||||
$(CP) ./files/padlock.cnf $(1)/etc/ssl/modules.cnf.d/
|
||||
echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
|
||||
endef
|
||||
|
||||
@ -425,5 +439,6 @@ $(eval $(call BuildPackage,libopenssl))
|
||||
$(eval $(call BuildPackage,libopenssl-conf))
|
||||
$(eval $(call BuildPackage,libopenssl-afalg))
|
||||
$(eval $(call BuildPackage,libopenssl-devcrypto))
|
||||
$(eval $(call BuildPackage,libopenssl-legacy))
|
||||
$(eval $(call BuildPackage,libopenssl-padlock))
|
||||
$(eval $(call BuildPackage,openssl-util))
|
||||
|
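Review bot: The `Package/libopenssl-legacy/description` text does not say that installing the package also switches the provider on. The postinst generated by `add-provider` appends `option enabled '1'` to /etc/config/openssl and reloads the init script, and files/legacy.cnf sets `activate = 1`. As a result, programs that read the system openssl.cnf can use the algorithms the commit message itself calls legacy (DES, IDEA, MDC2, SEED, Whirlpool) without any further admin action. I would add a sentence to the description such as `Installing this package enables the provider system-wide; set option enabled '0' for it in /etc/config/openssl to keep it installed but inactive.` The `enabled = 0` branch of the init script appears to support that, but please confirm for providers.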
@ -1,3 +1,3 @@
|
||||
[afalg]
|
||||
[afalg_sect]
|
||||
default_algorithms = ALL
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
[devcrypto]
|
||||
[devcrypto_sect]
|
||||
# Leave this alone and configure algorithms with CIPERS/DIGESTS below
|
||||
default_algorithms = ALL
|
||||
|
||||
|
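--- a/package/libs/openssl/files/legacy.cnf
+++ b/package/libs/openssl/files/legacy.cnf
@@ -0,0 +1,3 @@
+[legacy_sect]
+activate = 1
+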
@ -1,11 +1,25 @@
|
||||
#!/bin/sh /etc/rc.common
|
||||
|
||||
START=13
|
||||
ENGINES_CNF_D="/etc/ssl/engines.cnf.d"
|
||||
ENGINES_CNF="/var/etc/ssl/engines.cnf"
|
||||
ENGINES_DIR="%ENGINES_DIR%"
|
||||
ENGINES_CNF=/var/etc/ssl/engines.cnf
|
||||
ENGINES_DIR=%ENGINES_DIR%
|
||||
MODULES_DIR=/usr/lib/ossl-modules
|
||||
PROVIDERS_CNF=/var/etc/ssl/providers.cnf
|
||||
|
||||
config_engine() {
|
||||
#1: cnf file
|
||||
write_cnf_header() {
|
||||
mkdir -p "$(dirname "$1")" && \
|
||||
echo "# This file is automatically generated from /etc/config/openssl." >"$1" || {
|
||||
echo "Error writing to $1."
|
||||
return 1
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
#1: module name
|
||||
#2: output cnf file
|
||||
#3: module.so
|
||||
enable_module() {
|
||||
local builtin enabled force
|
||||
|
||||
config_get_bool builtin "$1" builtin 0
|
||||
@ -13,30 +27,46 @@ config_engine() {
|
||||
config_get_bool force "$1" force 0
|
||||
|
||||
if [ "$enabled" = 0 ]; then
|
||||
[ "$builtin" != 1 ] && return 1
|
||||
echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI." && \
|
||||
[ "$builtin" = 0 ] && return 1
|
||||
echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI."
|
||||
echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl."
|
||||
elif [ "$force" = 1 ]; then
|
||||
printf "[Forced] "
|
||||
elif ! grep -q "\\[ *$1 *]" "${ENGINES_CNF_D}"/*; then
|
||||
elif ! grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*; then
|
||||
echo "$1: Could not find section [$1] in config files."
|
||||
return 1
|
||||
elif [ "$builtin" = 1 ]; then
|
||||
printf "[Builtin] "
|
||||
elif [ ! -f "${ENGINES_DIR}/$1.so" ];then
|
||||
echo "$1: ${ENGINES_DIR}/$1.so not found."
|
||||
elif [ ! -f "$3" ];then
|
||||
echo "Skipping $1: $3 not found."
|
||||
return 1
|
||||
fi
|
||||
echo Enabling engine "$1"
|
||||
echo "$1=$1" >> "${ENGINES_CNF}"
|
||||
echo "Enabling $1"
|
||||
echo "$1=$1_sect" >>"$2"
|
||||
}
|
||||
|
||||
config_engine() {
|
||||
enable_module "$1" "$ENGINES_CNF" \
|
||||
"${ENGINES_DIR}/${1}.so"
|
||||
}
|
||||
|
||||
config_provider() {
|
||||
enable_module "$1" "$PROVIDERS_CNF" \
|
||||
"${MODULES_DIR}/${1}.so"
|
||||
}
|
||||
|
||||
start() {
|
||||
mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1
|
||||
echo Generating engines.cnf
|
||||
echo "# This file is automatically generated from /etc/config/openssl." \
|
||||
> "${ENGINES_CNF}" || \
|
||||
{ echo Error writing ${ENGINES_CNF} >&2; exit 1; }
|
||||
local ret=0
|
||||
|
||||
config_load openssl
|
||||
config_foreach config_engine engine
|
||||
|
||||
echo Generating engines.cnf
|
||||
write_cnf_header "${ENGINES_CNF}" && \
|
||||
config_foreach config_engine engine || ret=$?
|
||||
|
||||
echo Generating providers.cnf
|
||||
write_cnf_header "${PROVIDERS_CNF}" && \
|
||||
config_foreach config_provider provider || ret=$?
|
||||
|
||||
return $ret
|
||||
}
|
||||
|
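Review bot: The not-found message in `enable_module` still reads `Could not find section [$1]`, but the `grep` beside it now searches /etc/ssl/modules.cnf.d for `[$1_sect]`, so an admin following the message would look for the wrong section name. `echo "$1: Could not find section [$1_sect] in config files."` matches the check. The function now also serves providers through `config_provider`, yet the built-in branch still prints `Engine $1 is built into the libcrypto library`, which would mislead for a provider entry. In `start()`, `ret` takes the status of `config_foreach`, which I would expect to reflect the last callback. If so, a disabled or skipped final entry may make the script return non-zero even though both files were written; worth confirming that is intended.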
@ -1,3 +1,3 @@
|
||||
[padlock]
|
||||
[padlock_sect]
|
||||
default_algorithms = ALL
|
||||
|
||||
|
@ -10,20 +10,32 @@ Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
||||
|
||||
--- a/apps/openssl.cnf
|
||||
+++ b/apps/openssl.cnf
|
||||
@@ -30,6 +30,16 @@ oid_section = new_oids
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7
|
||||
|
||||
+openssl_conf=openssl_conf
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
+engines = engines_sect
|
||||
|
||||
# List of providers to load
|
||||
[provider_sect]
|
||||
default = default_sect
|
||||
+.include /var/etc/ssl/providers.cnf
|
||||
+
|
||||
+[openssl_conf]
|
||||
+engines=engines
|
||||
# The fips section name should match the section name inside the
|
||||
# included fipsmodule.cnf.
|
||||
# fips = fips_sect
|
||||
@@ -69,7 +72,13 @@ default = default_sect
|
||||
# OpenSSL may not work correctly which could lead to significant system
|
||||
# problems including inability to remotely access the system.
|
||||
[default_sect]
|
||||
-# activate = 1
|
||||
+activate = 1
|
||||
+
|
||||
+[engines]
|
||||
+[engines_sect]
|
||||
+.include /var/etc/ssl/engines.cnf
|
||||
+
|
||||
+.include /etc/ssl/engines.cnf.d
|
||||
+.include /etc/ssl/modules.cnf.d
|
||||
+
|
||||
[ new_oids ]
|
||||
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
|
||||
# Add a simple OID like this:
|
||||
|
||||
|
||||
####################################################################
|
||||
|