mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-27 09:12:39 +00:00
0dc5fc8fa5
This adapts the engine build infrastructure to allow building providers, and packages the legacy provider. Providers are the successors of engines, which have been deprecated. The legacy provider supplies OpenSSL implementations of algorithms that have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool. Even though these algorithms are implemented in a separate package, their removal makes the regular library smaller by 3%, so the build options will remain to allow lean custom builds. Their defaults will change to 'y' if not bulding for a small flash, so that the regular legacy package will contain a complete set of algorithms. The engine build and configuration structure was changed to accomodate providers, and adapt to the new style of openssl.cnf in version 3.0. There is not a clean upgrade path for the /etc/ssl/openssl.cnf file, installed by the openssl-conf package. It is recommended to rename or remove the old config file when flashing an image with the updated openssl-conf package, then apply the changes manually. An old openssl.cnf file will silently work, but new engine or provider packages will not be enabled. Any remaining engine config files under /etc/ssl/engines.cnf.d can be removed. On the build side, the include file used by engine packages was renamed to openssl-module.mk, so the engine packages in other feeds need to adapt. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
42 lines
1.1 KiB
Diff
42 lines
1.1 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
|
Date: Sat, 27 Mar 2021 17:43:25 -0300
|
|
Subject: openssl.cnf: add engine configuration
|
|
|
|
This adds configuration options for engines, loading all cnf files under
|
|
/etc/ssl/engines.cnf.d/.
|
|
|
|
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
|
|
|
--- a/apps/openssl.cnf
|
|
+++ b/apps/openssl.cnf
|
|
@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7
|
|
|
|
[openssl_init]
|
|
providers = provider_sect
|
|
+engines = engines_sect
|
|
|
|
# List of providers to load
|
|
[provider_sect]
|
|
default = default_sect
|
|
+.include /var/etc/ssl/providers.cnf
|
|
+
|
|
# The fips section name should match the section name inside the
|
|
# included fipsmodule.cnf.
|
|
# fips = fips_sect
|
|
@@ -69,7 +72,13 @@ default = default_sect
|
|
# OpenSSL may not work correctly which could lead to significant system
|
|
# problems including inability to remotely access the system.
|
|
[default_sect]
|
|
-# activate = 1
|
|
+activate = 1
|
|
+
|
|
+[engines_sect]
|
|
+.include /var/etc/ssl/engines.cnf
|
|
+
|
|
+.include /etc/ssl/modules.cnf.d
|
|
+
|
|
|
|
|
|
####################################################################
|