domenico/openwrt_NSS_ACW
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

openssl: make UCI config aware of built-in engines

Browse Source 
Engines that are built into the main libcrypto OpenSSL library can't be
disabled through UCI.  Add a 'builtin' setting to signal that the engine
can't be disabled through UCI, and show a message explaining this in
case buitin=1 and enabled=0.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This commit is contained in:
Eneas U de Queiroz
2023-03-14 18:51:45 -03:00
parent 975036f6f9
commit 0b70d55a64
2 changed files with 43 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
package/libs/openssl/Makefile
View File

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openssl PKG_NAME:=openssl
PKG_VERSION:=3.0.8 PKG_VERSION:=3.0.8
PKG_RELEASE:=5 PKG_RELEASE:=6
PKG_BUILD_FLAGS:=no-mips16 gc-sections PKG_BUILD_FLAGS:=no-mips16 gc-sections
PKG_BUILD_PARALLEL:=1 PKG_BUILD_PARALLEL:=1
@@ -138,6 +138,30 @@ $(call Package/openssl/Default/description)
This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
endef endef
ifneq ($(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK)$(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),)
define Package/libopenssl-conf/postinst
#!/bin/sh
OPENSSL_UCI="$${IPKG_INSTROOT}/etc/config/openssl"
add_engine_config() {
if [ -z "$${IPKG_INSTROOT}" ] && uci -q get "openssl.$$1" >/dev/null; then
[ "$$(uci -q get "openssl.$$1.builtin")" = 1 ] && return
uci set "openssl.$$1.builtin=1" && uci commit openssl
return
fi
{
echo "engine '$$1'"
echo " option enabled '1'"
echo " option builtin '1'"
echo
} >>"$${OPENSSL_UCI}"
}
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),add_engine_config devcrypto)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),add_engine_config padlock)
endef
endif
$(eval $(call Package/openssl/add-engine,afalg)) $(eval $(call Package/openssl/add-engine,afalg))
define Package/libopenssl-afalg define Package/libopenssl-afalg
$(call Package/openssl/Default) $(call Package/openssl/Default)

25
package/libs/openssl/files/openssl.init
View File

@@ -6,15 +6,26 @@ ENGINES_CNF="/var/etc/ssl/engines.cnf"
ENGINES_DIR="%ENGINES_DIR%" ENGINES_DIR="%ENGINES_DIR%"
config_engine() { config_engine() {
local enabled force local builtin enabled force
config_get_bool builtin "$1" builtin 0
config_get_bool enabled "$1" enabled 1 config_get_bool enabled "$1" enabled 1
config_get_bool force "$1" force 0 config_get_bool force "$1" force 0
[ "$enabled" = 0 ] && return
if [ "$force" = 0 ] && \ if [ "$enabled" = 0 ]; then
[ ! -f "${ENGINES_CNF_D}/$1.cnf" ] && \ [ "$builtin" != 1 ] && return 1
[ ! -f "${ENGINES_DIR}/$1.so" ]; then echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI." && \
echo Skipping engine "$1": not installed echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl."
return elif [ "$force" = 1 ]; then
printf "[Forced] "
elif ! grep -q "\\[ *$1 *]" "${ENGINES_CNF_D}"/*; then
echo "$1: Could not find section [$1] in config files."
return 1
elif [ "$builtin" = 1 ]; then
printf "[Builtin] "
elif [ ! -f "${ENGINES_DIR}/$1.so" ];then
echo "$1: ${ENGINES_DIR}/$1.so not found."
return 1
fi fi
echo Enabling engine "$1" echo Enabling engine "$1"
echo "$1=$1" >> "${ENGINES_CNF}" echo "$1=$1" >> "${ENGINES_CNF}"