X-Git-Url: http://git.openwrt.org/?a=blobdiff_plain;f=package%2Flibs%2Fopenssl%2Fpatches%2F150-openssl.cnf-add-engines-conf.patch;h=b1ec0cae711668afa37109ece5378c6486ff77e8;hb=7e7e76afca7877b97bc049d8f5a83a840a20a2af;hp=6c7143dd7ed64677e11d86044bc8f047545c1c92;hpb=cebf024c4d9fd761e55383a582f7e29ac7cc921c;p=openwrt%2Fopenwrt.git diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch index 6c7143dd7e..b1ec0cae71 100644 --- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -1,6 +1,16 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Sat, 27 Mar 2021 17:43:25 -0300 +Subject: openssl.cnf: add engine configuration + +This adds configuration options for engines, loading all cnf files under +/etc/ssl/engines.cnf.d/. + +Signed-off-by: Eneas U de Queiroz + --- a/apps/openssl.cnf +++ b/apps/openssl.cnf -@@ -22,6 +22,53 @@ oid_section = new_oids +@@ -30,6 +30,16 @@ oid_section = new_oids # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) @@ -10,47 +20,10 @@ +engines=engines + +[engines] -+# To enable an engine, install the package, and uncomment it here: -+#devcrypto=devcrypto -+#afalg=afalg -+#padlock=padlock ++.include /var/etc/ssl/engines.cnf + -+[afalg] -+default_algorithms = ALL -+ -+[devcrypto] -+# Leave this alone and configure algorithms with CIPERS/DIGESTS below -+default_algorithms = ALL -+ -+# Configuration commands: -+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a -+# list of supported algorithms, along with their driver, whether they -+# are hw accelerated or not, and the engine's configuration commands. -+ -+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) -+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use -+# if acceleration can't be determined) [default=2] -+#USE_SOFTDRIVERS = 2 -+ -+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to -+# enable [default=ALL] -+# It is recommended to disable the ECB ciphers; in most cases, it will -+# only be used for PRNG, in small blocks, where performance is poor, -+# and there may be problems with apps forking with open crypto -+# contexts, leading to failures. The CBC ciphers work well: -+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC -+ -+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to -+# enable [default=NONE] -+# It is strongly recommended not to enable digests; their performance -+# is poor, and there are many cases in which they will not work, -+# especially when calling fork with open crypto contexts. Openssh, -+# for example, does this, and you may not be able to login. -+#DIGESTS = NONE -+ -+[padlock] -+default_algorithms = ALL ++.include /etc/ssl/engines.cnf.d + [ new_oids ] - # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. + # Add a simple OID like this: