ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2024-12-19 13:48:06 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
31ec4515c3
openwrt/package/libs/openssl/files/openssl.init
Eneas U de Queiroz 0dc5fc8fa5
openssl: add legacy provider 
This adapts the engine build infrastructure to allow building providers,
and packages the legacy provider.  Providers are the successors of
engines, which have been deprecated.

The legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool.

Even though these algorithms are implemented in a separate package,
their removal makes the regular library smaller by 3%, so the build
options will remain to allow lean custom builds.  Their defaults will
change to 'y' if not bulding for a small flash, so that the regular
legacy package will contain a complete set of algorithms.

The engine build and configuration structure was changed to accomodate
providers, and adapt to the new style of openssl.cnf in version 3.0.

There is not a clean upgrade path for the /etc/ssl/openssl.cnf file,
installed by the openssl-conf package.  It is recommended to rename or
remove the old config file when flashing an image with the updated
openssl-conf package, then apply the changes manually.

An old openssl.cnf file will silently work, but new engine or provider
packages will not be enabled.  Any remaining engine config files under
/etc/ssl/engines.cnf.d can be removed.

On the build side, the include file used by engine packages was renamed
to openssl-module.mk, so the engine packages in other feeds need to
adapt.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00

73 lines
1.6 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh /etc/rc.common
START=13
ENGINES_CNF=/var/etc/ssl/engines.cnf
ENGINES_DIR=%ENGINES_DIR%
MODULES_DIR=/usr/lib/ossl-modules
PROVIDERS_CNF=/var/etc/ssl/providers.cnf
#1: cnf file
write_cnf_header() {
mkdir -p "$(dirname "$1")" && \
echo "# This file is automatically generated from /etc/config/openssl." >"$1" || {
echo "Error writing to $1."
return 1
}
}
#1: module name
#2: output cnf file
#3: module.so
enable_module() {
local builtin enabled force
config_get_bool builtin "$1" builtin 0
config_get_bool enabled "$1" enabled 1
config_get_bool force "$1" force 0
if [ "$enabled" = 0 ]; then
[ "$builtin" = 0 ] && return 1
echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI."
echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl."
elif [ "$force" = 1 ]; then
printf "[Forced] "
elif ! grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*; then
echo "$1: Could not find section [$1] in config files."
return 1
elif [ "$builtin" = 1 ]; then
printf "[Builtin] "
elif [ ! -f "$3" ];then
echo "Skipping $1: $3 not found."
return 1
fi
echo "Enabling $1"
echo "$1=$1_sect" >>"$2"
}
config_engine() {
enable_module "$1" "$ENGINES_CNF" \
"${ENGINES_DIR}/${1}.so"
}
config_provider() {
enable_module "$1" "$PROVIDERS_CNF" \
"${MODULES_DIR}/${1}.so"
}
start() {
local ret=0
config_load openssl
echo Generating engines.cnf
write_cnf_header "${ENGINES_CNF}" && \
config_foreach config_engine engine || ret=$?
echo Generating providers.cnf
write_cnf_header "${PROVIDERS_CNF}" && \
config_foreach config_provider provider || ret=$?
return $ret
}
Reference in New Issue View Git Blame Copy Permalink