define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "afalg"
define Package/libopenssl-devcrypto/description
This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may
+configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "devcrypto"
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "padlock"
endef
define Package/libopenssl-conf/install
- $(INSTALL_DIR) $(1)/etc/ssl
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
endef
define Package/openssl-util/install
endef
define Package/libopenssl-afalg/install
- $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \
+ $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
endef
define Package/libopenssl-devcrypto/install
- $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \
+ $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_DATA) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
endef
define Package/libopenssl-padlock/install
- $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \
+ $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_DATA) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
endef
$(eval $(call BuildPackage,libopenssl))
--- /dev/null
+[afalg]
+default_algorithms = ALL
+
--- /dev/null
+[devcrypto]
+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
+default_algorithms = ALL
+
+# Configuration commands:
+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
+# list of supported algorithms, along with their driver, whether they
+# are hw accelerated or not, and the engine's configuration commands.
+
+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
+# if acceleration can't be determined) [default=2]
+#USE_SOFTDRIVERS = 2
+
+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
+# enable [default=ALL]
+# It is recommended to disable the ECB ciphers; in most cases, it will
+# only be used for PRNG, in small blocks, where performance is poor,
+# and there may be problems with apps forking with open crypto
+# contexts, leading to failures. The CBC ciphers work well:
+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
+
+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
+# enable [default=NONE]
+# It is strongly recommended not to enable digests; their performance
+# is poor, and there are many cases in which they will not work,
+# especially when calling fork with open crypto contexts. Openssh,
+# for example, does this, and you may not be able to login.
+#DIGESTS = NONE
+
+
--- /dev/null
+[engines]
+# To enable an engine, install the package, and uncomment it here:
+#devcrypto=devcrypto
+#afalg=afalg
+#padlock=padlock
+#gost=gost
+
--- /dev/null
+[padlock]
+default_algorithms = ALL
+
-From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:29:21 -0300
Subject: Do not use host kernel version to disable AFALG
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
diff --git a/Configure b/Configure
-index 5a699836f3..74d057c219 100755
--- a/Configure
+++ b/Configure
@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
-From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:30:24 -0300
Subject: Add openwrt targets
diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf
new file mode 100644
-index 0000000000..86a86d31e4
--- /dev/null
+++ b/Configurations/25-openwrt.conf
@@ -0,0 +1,52 @@
-From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:31:38 -0300
Subject: Avoid exposing build directories
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
diff --git a/crypto/build.info b/crypto/build.info
-index 2c619c62e8..893128345a 100644
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
-From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:34:38 -0300
Subject: Do not build tests and fuzz directories
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
diff --git a/Configure b/Configure
-index 74d057c219..5813e9f8fe 100755
--- a/Configure
+++ b/Configure
@@ -318,7 +318,7 @@ my $auto_threads=1; # enable threads automatically? true by default
-From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:44:39 -0300
Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
-index 6724ccf2d2..96d959427e 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -173,9 +173,15 @@ extern "C" {
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
"TLS_AES_128_GCM_SHA256"
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
-index 27a1b2ec68..7039811323 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cotequeiroz@gmail.com>
+Date: Sat, 27 Mar 2021 17:43:25 -0300
+Subject: openssl.cnf: add engine configuration
+
+This adds configuration options for engines, loading all cnf files under
+/etc/ssl/engines.d/.
+
+Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
-@@ -22,6 +22,99 @@ oid_section = new_oids
+@@ -22,6 +22,13 @@ oid_section = new_oids
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
+[openssl_conf]
+engines=engines
+
-+[engines]
-+# To enable an engine, install the package, and uncomment it here:
-+#devcrypto=devcrypto
-+#afalg=afalg
-+#padlock=padlock
-+##gost=gost
-+
-+[afalg]
-+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
-+default_algorithms = ALL
-+
-+# The following commands are only available if using the alternative
-+# (sync) AFALG engine
-+# Configuration commands:
-+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
-+# list of supported algorithms, along with their driver, whether they
-+# are hw accelerated or not, and the engine's configuration commands.
-+
-+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
-+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
-+# if acceleration can't be determined) [default=2]
-+#USE_SOFTDRIVERS = 2
-+
-+# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a
-+# comma-separated list of ciphers to enable [default=NO_ECB]
-+# Starting in 1.2.0, if you use a cipher list, each cipher may be
-+# followed by a colon (:) and the minimum request length to use
-+# AF_ALG drivers for that cipher; smaller requests are processed by
-+# softare; a negative value will use the default for that cipher
-+#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0
-+
-+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
-+# enable [default=NONE]
-+# It is strongly recommended not to enable digests; their performance
-+# is poor, and there are many cases in which they will not work,
-+# especially when calling fork with open crypto contexts. Openssh,
-+# for example, does this, and you may not be able to login.
-+#DIGESTS = NONE
-+
-+[devcrypto]
-+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
-+default_algorithms = ALL
-+
-+# Configuration commands:
-+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
-+# list of supported algorithms, along with their driver, whether they
-+# are hw accelerated or not, and the engine's configuration commands.
-+
-+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
-+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
-+# if acceleration can't be determined) [default=2]
-+#USE_SOFTDRIVERS = 2
-+
-+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
-+# enable [default=ALL]
-+# It is recommended to disable the ECB ciphers; in most cases, it will
-+# only be used for PRNG, in small blocks, where performance is poor,
-+# and there may be problems with apps forking with open crypto
-+# contexts, leading to failures. The CBC ciphers work well:
-+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
-+
-+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
-+# enable [default=NONE]
-+# It is strongly recommended not to enable digests; their performance
-+# is poor, and there are many cases in which they will not work,
-+# especially when calling fork with open crypto contexts. Openssh,
-+# for example, does this, and you may not be able to login.
-+#DIGESTS = NONE
-+
-+[padlock]
-+default_algorithms = ALL
-+
-+[gost]
-+default_algorithms = ALL
-+# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the
-+# user to choose between different parameter sets of symmetric cipher
-+# algorithm. RFC 4357 specifies several parameters for the
-+# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface
-+# to choose one when encrypting. So use engine configuration parameter
-+# instead.
-+# Value of this parameter can be either short name, defined in OpenSSL
-+# obj_dat.h header file or numeric representation of OID, defined in
-+# RFC 4357. Defaults to id-tc26-gost-28147-param-Z
-+#CRYPT_PARAMS = id-tc26-gost-28147-param-Z
-+
-+# PBE_PARAMS: Shortname of default digest alg for PBE
-+#PBE_PARAMS =
++.include /etc/ssl/engines.cnf.d
+
[ new_oids ]
-From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 5 Nov 2018 15:54:17 -0200
Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT
(Merged from https://github.com/openssl/openssl/pull/7585)
diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index a727c6f646..a2c9a966f7 100644
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -461,6 +461,7 @@ struct digest_ctx {
-From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Tue, 6 Nov 2018 22:54:07 -0200
Subject: eng_devcrypto: add command to dump driver info
(Merged from https://github.com/openssl/openssl/pull/7585)
diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index 5ec38ca8f3..64dc6b891d 100644
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS;
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
diff --git a/crypto/engine/build.info b/crypto/engine/build.info
-index e00802a3fd..47fe948966 100644
--- a/crypto/engine/build.info
+++ b/crypto/engine/build.info
@@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\
- SOURCE[../../libcrypto]=eng_devcrypto.c
-ENDIF
diff --git a/crypto/init.c b/crypto/init.c
-index 1b0d523bea..ee3e2eb075 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl)
if ((opts & OPENSSL_INIT_ENGINE_PADLOCK)
&& !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock))
diff --git a/engines/build.info b/engines/build.info
-index 1db771971c..33a25d7004 100644
--- a/engines/build.info
+++ b/engines/build.info
@@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}]
similarity index 95%
rename from crypto/engine/eng_devcrypto.c
rename to engines/e_devcrypto.c
-index 2c1b52d572..eff1ed3a7d 100644
--- a/crypto/engine/eng_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -7,7 +7,7 @@
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
-index 3fcd81de7a..d25230d366 100644
--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -852,7 +852,7 @@ static void prepare_digest_methods(void)
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
-index d25230d366..f4570f1666 100644
--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
projects / openwrt / openwrt.git / commitdiff