openssl: config engines in /etc/ssl/engines.cnf.d

This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

Patches were refreshed with --zero-commit.

Signed-off-by: Eneas U de Queiroz <[email protected]>

package/libs/openssl/Makefile

@@ -146,7 +146,7 @@ endef
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
@@ -163,7 +163,8 @@ endef
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.  You may
+configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
@@ -179,7 +180,7 @@ endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -376,8 +377,9 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-	$(INSTALL_DIR) $(1)/etc/ssl
+	$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
 	$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+	$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/openssl-util/install
@@ -386,18 +388,24 @@ define Package/openssl-util/install
 endef
 
 define Package/libopenssl-afalg/install
-	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
+			$(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_DATA)	./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-devcrypto/install
-	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
+			$(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_DATA)	./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-padlock/install
-	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
+			$(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_DATA)	./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 $(eval $(call BuildPackage,libopenssl))

package/libs/openssl/files/afalg.cnf

@@ -0,0 +1,3 @@
+[afalg]
+default_algorithms = ALL
+

package/libs/openssl/files/devcrypto.cnf

@@ -0,0 +1,31 @@
+[devcrypto]
+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
+default_algorithms = ALL
+
+# Configuration commands:
+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
+# list of supported algorithms, along with their driver, whether they
+# are hw accelerated or not, and the engine's configuration commands.
+
+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
+# if acceleration can't be determined) [default=2]
+#USE_SOFTDRIVERS = 2
+
+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
+# enable [default=ALL]
+# It is recommended to disable the ECB ciphers; in most cases, it will
+# only be used for PRNG, in small blocks, where performance is poor,
+# and there may be problems with apps forking with open crypto
+# contexts, leading to failures.  The CBC ciphers work well:
+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
+
+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
+# enable [default=NONE]
+# It is strongly recommended not to enable digests; their performance
+# is poor, and there are many cases in which they will not work,
+# especially when calling fork with open crypto contexts.  Openssh,
+# for example, does this, and you may not be able to login.
+#DIGESTS = NONE
+
+

package/libs/openssl/files/engines.cnf

@@ -0,0 +1,7 @@
+[engines]
+# To enable an engine, install the package, and uncomment it here:
+#devcrypto=devcrypto
+#afalg=afalg
+#padlock=padlock
+#gost=gost
+

package/libs/openssl/files/padlock.cnf

@@ -0,0 +1,3 @@
+[padlock]
+default_algorithms = ALL
+

package/libs/openssl/patches/100-Configure-afalg-support.patch

@@ -1,4 +1,4 @@
-From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Thu, 27 Sep 2018 08:29:21 -0300
 Subject: Do not use host kernel version to disable AFALG
@@ -9,7 +9,6 @@ version to disable building the AFALG engine on openwrt targets.
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
 diff --git a/Configure b/Configure
-index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
 @@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})

package/libs/openssl/patches/110-openwrt_targets.patch

@@ -1,4 +1,4 @@
-From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Thu, 27 Sep 2018 08:30:24 -0300
 Subject: Add openwrt targets
@@ -9,7 +9,6 @@ Signed-off-by: Eneas U de Queiroz <[email protected]>
 
 diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf
 new file mode 100644
-index 0000000000..86a86d31e4
 --- /dev/null
 +++ b/Configurations/25-openwrt.conf
 @@ -0,0 +1,52 @@

package/libs/openssl/patches/120-strip-cflags-from-binary.patch

@@ -1,4 +1,4 @@
-From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Thu, 27 Sep 2018 08:31:38 -0300
 Subject: Avoid exposing build directories
@@ -9,7 +9,6 @@ OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
 diff --git a/crypto/build.info b/crypto/build.info
-index 2c619c62e8..893128345a 100644
 --- a/crypto/build.info
 +++ b/crypto/build.info
 @@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \

package/libs/openssl/patches/130-dont-build-tests-fuzz.patch

@@ -1,4 +1,4 @@
-From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Thu, 27 Sep 2018 08:34:38 -0300
 Subject: Do not build tests and fuzz directories
@@ -8,7 +8,6 @@ This shortens build time.
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
 diff --git a/Configure b/Configure
-index 74d057c219..5813e9f8fe 100755
 --- a/Configure
 +++ b/Configure
 @@ -318,7 +318,7 @@ my $auto_threads=1;    # enable threads automatically? true by default

package/libs/openssl/patches/140-allow-prefer-chacha20.patch

@@ -1,4 +1,4 @@
-From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Thu, 27 Sep 2018 08:44:39 -0300
 Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
@@ -15,7 +15,6 @@ when the client has it on top of its ciphersuite preference.
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
-index 6724ccf2d2..96d959427e 100644
 --- a/include/openssl/ssl.h
 +++ b/include/openssl/ssl.h
 @@ -173,9 +173,15 @@ extern "C" {
@@ -38,7 +37,6 @@ index 6724ccf2d2..96d959427e 100644
  #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
                                     "TLS_AES_128_GCM_SHA256"
 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
-index 27a1b2ec68..7039811323 100644
 --- a/ssl/ssl_ciph.c
 +++ b/ssl/ssl_ciph.c
 @@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,

package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch

@@ -1,6 +1,17 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Sat, 27 Mar 2021 17:43:25 -0300
+Subject: openssl.cnf: add engine configuration
+
+This adds configuration options for engines, loading all cnf files under
+/etc/ssl/engines.d/.
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
 --- a/apps/openssl.cnf
 +++ b/apps/openssl.cnf
-@@ -22,6 +22,99 @@ oid_section		= new_oids
+@@ -22,6 +22,13 @@ oid_section		= new_oids
  # (Alternatively, use a configuration file that has only
  # X.509v3 extensions in its main [= default] section.)
  
@@ -9,93 +20,7 @@
 +[openssl_conf]
 +engines=engines
 +
-+[engines]
-+# To enable an engine, install the package, and uncomment it here:
-+#devcrypto=devcrypto
-+#afalg=afalg
-+#padlock=padlock
-+##gost=gost
-+
-+[afalg]
-+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
-+default_algorithms = ALL
-+
-+# The following commands are only available if using the alternative
-+# (sync) AFALG engine
-+# Configuration commands:
-+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
-+# list of supported algorithms, along with their driver, whether they
-+# are hw accelerated or not, and the engine's configuration commands.
-+
-+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
-+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
-+# if acceleration can't be determined) [default=2]
-+#USE_SOFTDRIVERS = 2
-+
-+# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a
-+# comma-separated list of ciphers to enable [default=NO_ECB]
-+# Starting in 1.2.0, if you use a cipher list, each cipher may be
-+# followed by a colon (:) and the minimum request length to use
-+# AF_ALG drivers for that cipher; smaller requests are processed by
-+# softare; a negative value will use the default for that cipher
-+#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0
-+
-+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
-+# enable [default=NONE]
-+# It is strongly recommended not to enable digests; their performance
-+# is poor, and there are many cases in which they will not work,
-+# especially when calling fork with open crypto contexts.  Openssh,
-+# for example, does this, and you may not be able to login.
-+#DIGESTS = NONE
-+
-+[devcrypto]
-+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
-+default_algorithms = ALL
-+
-+# Configuration commands:
-+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
-+# list of supported algorithms, along with their driver, whether they
-+# are hw accelerated or not, and the engine's configuration commands.
-+
-+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
-+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
-+# if acceleration can't be determined) [default=2]
-+#USE_SOFTDRIVERS = 2
-+
-+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
-+# enable [default=ALL]
-+# It is recommended to disable the ECB ciphers; in most cases, it will
-+# only be used for PRNG, in small blocks, where performance is poor,
-+# and there may be problems with apps forking with open crypto
-+# contexts, leading to failures.  The CBC ciphers work well:
-+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
-+
-+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
-+# enable [default=NONE]
-+# It is strongly recommended not to enable digests; their performance
-+# is poor, and there are many cases in which they will not work,
-+# especially when calling fork with open crypto contexts.  Openssh,
-+# for example, does this, and you may not be able to login.
-+#DIGESTS = NONE
-+
-+[padlock]
-+default_algorithms = ALL
-+
-+[gost]
-+default_algorithms = ALL
-+# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the
-+# user to choose between different parameter sets of symmetric cipher
-+# algorithm. RFC 4357 specifies several parameters for the
-+# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface
-+# to choose one when encrypting. So use engine configuration parameter
-+# instead.
-+# Value of this parameter can be either short name, defined in OpenSSL
-+# obj_dat.h header file or numeric representation of OID, defined in
-+# RFC 4357.  Defaults to id-tc26-gost-28147-param-Z
-+#CRYPT_PARAMS = id-tc26-gost-28147-param-Z
-+
-+# PBE_PARAMS: Shortname of default digest alg for PBE
-+#PBE_PARAMS =
++.include /etc/ssl/engines.cnf.d
 +
  [ new_oids ]
  

package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch

@@ -1,4 +1,4 @@
-From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Mon, 5 Nov 2018 15:54:17 -0200
 Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT
@@ -15,7 +15,6 @@ Reviewed-by: Richard Levitte <[email protected]>
 (Merged from https://github.com/openssl/openssl/pull/7585)
 
 diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index a727c6f646..a2c9a966f7 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
 @@ -461,6 +461,7 @@ struct digest_ctx {

package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch

@@ -1,4 +1,4 @@
-From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Tue, 6 Nov 2018 22:54:07 -0200
 Subject: eng_devcrypto: add command to dump driver info
@@ -12,7 +12,6 @@ Reviewed-by: Richard Levitte <[email protected]>
 (Merged from https://github.com/openssl/openssl/pull/7585)
 
 diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index 5ec38ca8f3..64dc6b891d 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
 @@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS;

package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch

@@ -9,7 +9,6 @@ engines/e_devcrypto.c.
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
 diff --git a/crypto/engine/build.info b/crypto/engine/build.info
-index e00802a3fd..47fe948966 100644
 --- a/crypto/engine/build.info
 +++ b/crypto/engine/build.info
 @@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\
@@ -20,7 +19,6 @@ index e00802a3fd..47fe948966 100644
 -  SOURCE[../../libcrypto]=eng_devcrypto.c
 -ENDIF
 diff --git a/crypto/init.c b/crypto/init.c
-index 1b0d523bea..ee3e2eb075 100644
 --- a/crypto/init.c
 +++ b/crypto/init.c
 @@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl)
@@ -86,7 +84,6 @@ index 1b0d523bea..ee3e2eb075 100644
      if ((opts & OPENSSL_INIT_ENGINE_PADLOCK)
              && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock))
 diff --git a/engines/build.info b/engines/build.info
-index 1db771971c..33a25d7004 100644
 --- a/engines/build.info
 +++ b/engines/build.info
 @@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}]
@@ -116,7 +113,6 @@ diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c
 similarity index 95%
 rename from crypto/engine/eng_devcrypto.c
 rename to engines/e_devcrypto.c
-index 2c1b52d572..eff1ed3a7d 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/engines/e_devcrypto.c
 @@ -7,7 +7,7 @@

package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch

@@ -20,7 +20,6 @@ turn them on if it is safe and fast enough.
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
 diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
-index 3fcd81de7a..d25230d366 100644
 --- a/engines/e_devcrypto.c
 +++ b/engines/e_devcrypto.c
 @@ -852,7 +852,7 @@ static void prepare_digest_methods(void)

package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch

@@ -9,7 +9,6 @@ session.  It may have been closed by another process after a fork.
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
 diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
-index d25230d366..f4570f1666 100644
 --- a/engines/e_devcrypto.c
 +++ b/engines/e_devcrypto.c
 @@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,