openssl: add legacy provider

This adapts the engine build infrastructure to allow building providers,
and packages the legacy provider.  Providers are the successors of
engines, which have been deprecated.

The legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool.

Even though these algorithms are implemented in a separate package,
their removal makes the regular library smaller by 3%, so the build
options will remain to allow lean custom builds.  Their defaults will
change to 'y' if not bulding for a small flash, so that the regular
legacy package will contain a complete set of algorithms.

The engine build and configuration structure was changed to accomodate
providers, and adapt to the new style of openssl.cnf in version 3.0.

There is not a clean upgrade path for the /etc/ssl/openssl.cnf file,
installed by the openssl-conf package.  It is recommended to rename or
remove the old config file when flashing an image with the updated
openssl-conf package, then apply the changes manually.

An old openssl.cnf file will silently work, but new engine or provider
packages will not be enabled.  Any remaining engine config files under
/etc/ssl/engines.cnf.d can be removed.

On the build side, the include file used by engine packages was renamed
to openssl-module.mk, so the engine packages in other feeds need to
adapt.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This commit is contained in:
Eneas U de Queiroz 2023-03-10 17:53:25 -03:00
parent 0b70d55a64
commit 0dc5fc8fa5
No known key found for this signature in database
GPG Key ID: A1FE5A85EFAE657D
10 changed files with 202 additions and 95 deletions

View File

@ -1,50 +0,0 @@
# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2022-2023 Enéas Ulir de Queiroz
ENGINES_DIR=engines-3
define Package/openssl/engine/Default
SECTION:=libs
CATEGORY:=Libraries
SUBMENU:=SSL
DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf
endef
# 1 = engine name
# 2 - package name, defaults to libopenssl-$(1)
define Package/openssl/add-engine
OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1))
Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf
define Package/$$(OSSL_ENG_PKG)/install
$$(INSTALL_DIR) $$(1)/usr/lib/$(ENGINES_DIR)
$$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \
$$(1)/usr/lib/$(ENGINES_DIR)
$$(INSTALL_DIR) $$(1)/etc/ssl/engines.cnf.d
$$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/
endef
define Package/$$(OSSL_ENG_PKG)/postinst :=
#!/bin/sh
OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
cat << EOF >> "$$$${OPENSSL_UCI}"
config engine '$(1)'
option enabled '1'
EOF
[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
endef
define Package/$$(OSSL_ENG_PKG)/postrm :=
#!/bin/sh
[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
uci delete openssl.$(1)
uci commit openssl
/etc/init.d/openssl reload
endef
endef

79
include/openssl-module.mk Normal file
View File

@ -0,0 +1,79 @@
# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2022-2023 Enéas Ulir de Queiroz
ENGINES_DIR=engines-3
define Package/openssl/module/Default
SECTION:=libs
CATEGORY:=Libraries
SUBMENU:=SSL
DEPENDS:=libopenssl +libopenssl-conf
endef
define Package/openssl/engine/Default
$(Package/openssl/module/Default)
DEPENDS+=@OPENSSL_ENGINE
endef
# 1 = moudule type (engine|provider)
# 2 = module name
# 3 = directory to save .so file
# 4 = [ package name, defaults to libopenssl-$(2) ]
define Package/openssl/add-module
$(eval MOD_TYPE:=$(1))
$(eval MOD_NAME:=$(2))
$(eval MOD_DIR:=$(3))
$(eval OSSL_PKG:=$(if $(4),$(4),libopenssl-$(MOD_NAME)))
$(info Package/openssl/add-module 1='$(1)'; 2='$(2)'; 3='$(3)' 4='$(4)')
$(info MOD_TYPE='$(MOD_TYPE)'; MOD_NAME='$(MOD_NAME)'; MOD_DIR='$(MOD_DIR)' OSSL_PKG='$(OSSL_PKG)')
Package/$(OSSL_PKG)/conffiles:=/etc/ssl/modules.cnf.d/$(MOD_NAME).cnf
define Package/$(OSSL_PKG)/install
$$(INSTALL_DIR) $$(1)/$(MOD_DIR)
$$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/$(MOD_DIR)/$(MOD_NAME).so \
$$(1)/$(MOD_DIR)
$$(INSTALL_DIR) $$(1)/etc/ssl/modules.cnf.d
$$(INSTALL_DATA) ./files/$(MOD_NAME).cnf $$(1)/etc/ssl/modules.cnf.d/
endef
define Package/$(OSSL_PKG)/postinst
#!/bin/sh
OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
[ -z "$$$${IPKG_INSTROOT}" ] \
&& uci -q get openssl.$(MOD_NAME) >/dev/null \
&& exit 0
cat << EOF >> "$$$${OPENSSL_UCI}"
config $(MOD_TYPE) '$(MOD_NAME)'
option enabled '1'
EOF
[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
exit 0
endef
define Package/$(OSSL_PKG)/postrm
#!/bin/sh
[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
uci -q delete openssl.$(MOD_NAME) && uci commit openssl
/etc/init.d/openssl reload
exit 0
endef
endef
# 1 = engine name
# 2 - package name, defaults to libopenssl-$(1)
define Package/openssl/add-engine
$(call Package/openssl/add-module,engine,$(1),/usr/lib/$(ENGINES_DIR),$(2))
endef
# 1 = provider name
# 2 = [ package name, defaults to libopenssl-$(1) ]
define Package/openssl/add-provider
$(call Package/openssl/add-module,provider,$(1),/usr/lib/ossl-modules,$(2))
endef

View File

@ -167,16 +167,24 @@ config OPENSSL_WITH_CAMELLIA
config OPENSSL_WITH_IDEA config OPENSSL_WITH_IDEA
bool bool
prompt "Enable IDEA cipher support" default y if !SMALL_FLASH
prompt "Enable IDEA cipher support (needs legacy provider)"
help help
IDEA is a block cipher with 128-bit keys. IDEA is a block cipher with 128-bit keys.
To use the cipher, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_SEED config OPENSSL_WITH_SEED
bool bool
prompt "Enable SEED cipher support" default y if !SMALL_FLASH
prompt "Enable SEED cipher support (needs legacy provider)"
help help
SEED is a block cipher with 128-bit keys broadly used in SEED is a block cipher with 128-bit keys broadly used in
South Korea, but seldom found elsewhere. South Korea, but seldom found elsewhere.
To use the cipher, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_SM234 config OPENSSL_WITH_SM234
bool bool
@ -197,11 +205,21 @@ config OPENSSL_WITH_BLAKE2
config OPENSSL_WITH_MDC2 config OPENSSL_WITH_MDC2
bool bool
prompt "Enable MDC2 digest support" default y if !SMALL_FLASH
prompt "Enable MDC2 digest support (needs legacy provider)"
help
To use the digest, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_WHIRLPOOL config OPENSSL_WITH_WHIRLPOOL
bool bool
prompt "Enable Whirlpool digest support" default y if !SMALL_FLASH
prompt "Enable Whirlpool digest support (needs legacy provider)"
help
To use the digest, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_COMPRESSION config OPENSSL_WITH_COMPRESSION
bool bool

View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openssl PKG_NAME:=openssl
PKG_VERSION:=3.0.8 PKG_VERSION:=3.0.8
PKG_RELEASE:=6 PKG_RELEASE:=7
PKG_BUILD_FLAGS:=no-mips16 gc-sections PKG_BUILD_FLAGS:=no-mips16 gc-sections
PKG_BUILD_PARALLEL:=1 PKG_BUILD_PARALLEL:=1
@ -64,7 +64,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/openssl-engine.mk include $(INCLUDE_DIR)/openssl-module.mk
ifneq ($(CONFIG_CCACHE),) ifneq ($(CONFIG_CCACHE),)
HOSTCC=$(HOSTCC_NOCACHE) HOSTCC=$(HOSTCC_NOCACHE)
@ -129,8 +129,8 @@ endef
define Package/libopenssl-conf/conffiles define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/engines.cnf.d/devcrypto.cnf) $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/modules.cnf.d/devcrypto.cnf)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/engines.cnf.d/padlock.cnf) $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/modules.cnf.d/padlock.cnf)
endef endef
define Package/libopenssl-conf/description define Package/libopenssl-conf/description
@ -162,6 +162,20 @@ $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),add_engine_config padlock)
endef endef
endif endif
$(eval $(call Package/openssl/add-provider,legacy))
define Package/libopenssl-legacy
$(call Package/openssl/Default)
$(call Package/openssl/module/Default)
TITLE:=OpenSSL legacy provider
endef
define Package/libopenssl-legacy/description
The OpenSSL legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy. Such algorithms have commonly fallen out of use, have
been deemed insecure by the cryptography community, or something similar. See
https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
endef
$(eval $(call Package/openssl/add-engine,afalg)) $(eval $(call Package/openssl/add-engine,afalg))
define Package/libopenssl-afalg define Package/libopenssl-afalg
$(call Package/openssl/Default) $(call Package/openssl/Default)
@ -174,7 +188,7 @@ endef
define Package/libopenssl-afalg/description define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface. through the AF_ALG kernel interface.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "afalg" The engine_id is "afalg"
endef endef
@ -190,7 +204,7 @@ endef
define Package/libopenssl-devcrypto/description define Package/libopenssl-devcrypto/description
This package adds an engine that enables hardware acceleration This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface. through the /dev/crypto kernel interface.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "devcrypto" The engine_id is "devcrypto"
endef endef
@ -206,7 +220,7 @@ endef
define Package/libopenssl-padlock/description define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration. This package adds an engine that enables VIA Padlock hardware acceleration.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "padlock" The engine_id is "padlock"
endef endef
@ -403,16 +417,16 @@ define Package/libopenssl/install
endef endef
define Package/libopenssl-conf/install define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d $(INSTALL_DIR) $(1)/etc/ssl/modules.cnf.d $(1)/etc/config $(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
touch $(1)/etc/config/openssl touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/modules.cnf.d/
echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl) echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ $(CP) ./files/padlock.cnf $(1)/etc/ssl/modules.cnf.d/
echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl) echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
endef endef
@ -425,5 +439,6 @@ $(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,libopenssl-conf)) $(eval $(call BuildPackage,libopenssl-conf))
$(eval $(call BuildPackage,libopenssl-afalg)) $(eval $(call BuildPackage,libopenssl-afalg))
$(eval $(call BuildPackage,libopenssl-devcrypto)) $(eval $(call BuildPackage,libopenssl-devcrypto))
$(eval $(call BuildPackage,libopenssl-legacy))
$(eval $(call BuildPackage,libopenssl-padlock)) $(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util)) $(eval $(call BuildPackage,openssl-util))

View File

@ -1,3 +1,3 @@
[afalg] [afalg_sect]
default_algorithms = ALL default_algorithms = ALL

View File

@ -1,4 +1,4 @@
[devcrypto] [devcrypto_sect]
# Leave this alone and configure algorithms with CIPERS/DIGESTS below # Leave this alone and configure algorithms with CIPERS/DIGESTS below
default_algorithms = ALL default_algorithms = ALL

View File

@ -0,0 +1,3 @@
[legacy_sect]
activate = 1

View File

@ -1,11 +1,25 @@
#!/bin/sh /etc/rc.common #!/bin/sh /etc/rc.common
START=13 START=13
ENGINES_CNF_D="/etc/ssl/engines.cnf.d" ENGINES_CNF=/var/etc/ssl/engines.cnf
ENGINES_CNF="/var/etc/ssl/engines.cnf" ENGINES_DIR=%ENGINES_DIR%
ENGINES_DIR="%ENGINES_DIR%" MODULES_DIR=/usr/lib/ossl-modules
PROVIDERS_CNF=/var/etc/ssl/providers.cnf
config_engine() { #1: cnf file
write_cnf_header() {
mkdir -p "$(dirname "$1")" && \
echo "# This file is automatically generated from /etc/config/openssl." >"$1" || {
echo "Error writing to $1."
return 1
}
}
#1: module name
#2: output cnf file
#3: module.so
enable_module() {
local builtin enabled force local builtin enabled force
config_get_bool builtin "$1" builtin 0 config_get_bool builtin "$1" builtin 0
@ -13,30 +27,46 @@ config_engine() {
config_get_bool force "$1" force 0 config_get_bool force "$1" force 0
if [ "$enabled" = 0 ]; then if [ "$enabled" = 0 ]; then
[ "$builtin" != 1 ] && return 1 [ "$builtin" = 0 ] && return 1
echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI." && \ echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI."
echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl." echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl."
elif [ "$force" = 1 ]; then elif [ "$force" = 1 ]; then
printf "[Forced] " printf "[Forced] "
elif ! grep -q "\\[ *$1 *]" "${ENGINES_CNF_D}"/*; then elif ! grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*; then
echo "$1: Could not find section [$1] in config files." echo "$1: Could not find section [$1] in config files."
return 1 return 1
elif [ "$builtin" = 1 ]; then elif [ "$builtin" = 1 ]; then
printf "[Builtin] " printf "[Builtin] "
elif [ ! -f "${ENGINES_DIR}/$1.so" ];then elif [ ! -f "$3" ];then
echo "$1: ${ENGINES_DIR}/$1.so not found." echo "Skipping $1: $3 not found."
return 1 return 1
fi fi
echo Enabling engine "$1" echo "Enabling $1"
echo "$1=$1" >> "${ENGINES_CNF}" echo "$1=$1_sect" >>"$2"
}
config_engine() {
enable_module "$1" "$ENGINES_CNF" \
"${ENGINES_DIR}/${1}.so"
}
config_provider() {
enable_module "$1" "$PROVIDERS_CNF" \
"${MODULES_DIR}/${1}.so"
} }
start() { start() {
mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1 local ret=0
echo Generating engines.cnf
echo "# This file is automatically generated from /etc/config/openssl." \
> "${ENGINES_CNF}" || \
{ echo Error writing ${ENGINES_CNF} >&2; exit 1; }
config_load openssl config_load openssl
config_foreach config_engine engine
echo Generating engines.cnf
write_cnf_header "${ENGINES_CNF}" && \
config_foreach config_engine engine || ret=$?
echo Generating providers.cnf
write_cnf_header "${PROVIDERS_CNF}" && \
config_foreach config_provider provider || ret=$?
return $ret
} }

View File

@ -1,3 +1,3 @@
[padlock] [padlock_sect]
default_algorithms = ALL default_algorithms = ALL

View File

@ -10,20 +10,32 @@ Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
--- a/apps/openssl.cnf --- a/apps/openssl.cnf
+++ b/apps/openssl.cnf +++ b/apps/openssl.cnf
@@ -30,6 +30,16 @@ oid_section = new_oids @@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
+openssl_conf=openssl_conf [openssl_init]
providers = provider_sect
+engines = engines_sect
# List of providers to load
[provider_sect]
default = default_sect
+.include /var/etc/ssl/providers.cnf
+ +
+[openssl_conf] # The fips section name should match the section name inside the
+engines=engines # included fipsmodule.cnf.
# fips = fips_sect
@@ -69,7 +72,13 @@ default = default_sect
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
-# activate = 1
+activate = 1
+ +
+[engines] +[engines_sect]
+.include /var/etc/ssl/engines.cnf +.include /var/etc/ssl/engines.cnf
+ +
+.include /etc/ssl/engines.cnf.d +.include /etc/ssl/modules.cnf.d
+ +
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this: ####################################################################