openssl: configure engine packages during install

This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz <[email protected]>

package/libs/openssl/Makefile

@@ -11,9 +11,8 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
 
 PKG_BUILD_PARALLEL:=1
 
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
+include engine.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
@@ -128,6 +128,9 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
 
 define Package/libopenssl-conf/description
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
 This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
 endef
 
+$(eval $(call Package/openssl/add-engine,afalg))
 define Package/libopenssl-afalg
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=AFALG hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
-	   +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+	     @!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
 endef
 
+$(eval $(call Package/openssl/add-engine,devcrypto))
 define Package/libopenssl-devcrypto
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=/dev/crypto hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
-	   @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.  You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
 endef
 
+$(eval $(call Package/openssl/add-engine,padlock))
 define Package/libopenssl-padlock
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=VIA Padlock hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
-	   +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+	     @!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
 	$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
 	$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
 	$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
+		$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
+		echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
+		$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
+		echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
 endef
 
 define Package/openssl-util/install
@@ -387,27 +394,6 @@ define Package/openssl-util/install
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
 endef
 
-define Package/libopenssl-afalg/install
-	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
-			$(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_DATA)	./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
-define Package/libopenssl-devcrypto/install
-	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
-			$(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_DATA)	./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
-define Package/libopenssl-padlock/install
-	$(INSTALL_DIR)	$(1)/etc/ssl/engines.cnf.d \
-			$(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_BIN)	$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_DATA)	./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-endef
-
 $(eval $(call BuildPackage,libopenssl))
 $(eval $(call BuildPackage,libopenssl-conf))
 $(eval $(call BuildPackage,libopenssl-afalg))

package/libs/openssl/engine.mk

@@ -0,0 +1,82 @@
+ENGINES_DIR=engines-1.1
+
+define Package/openssl/engine/Default
+  SECTION:=libs
+  CATEGORY:=Libraries
+  SUBMENU:=SSL
+  DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf
+endef
+
+# 1 = engine name
+# 2 - package name, defaults to libopenssl-$(1)
+define Package/openssl/add-engine
+  OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1))
+  Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf
+
+  define Package/$$(OSSL_ENG_PKG)/install
+	$$(INSTALL_DIR)  $$(1)/usr/lib/$(ENGINES_DIR)
+	$$(INSTALL_BIN)  $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \
+			 $$(1)/usr/lib/$(ENGINES_DIR)
+	$$(INSTALL_DIR)  $$(1)/etc/ssl/engines.cnf.d
+	$$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/
+  endef
+
+  define Package/$$(OSSL_ENG_PKG)/postinst :=
+#!/bin/sh
+# $$$$1 == non-empty: suggest reinstall
+error_out() {
+    [ "$1" ] && cat <<- EOF
+	Reinstalling the libopenssl-conf package may fix this:
+
+	    opkg install --force-reinstall libopenssl-conf
+	EOF
+    cat <<- EOF
+
+	Then, you will have to reinstall this package, and any other engine package you have
+	you have previously installed to ensure they are enabled:
+
+	    opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]...
+
+	EOF
+    exit 1
+}
+ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
+OPENSSL_CNF="$$$${IPKG_INSTROOT}/etc/ssl/openssl.cnf"
+if [ ! -f "$$$${OPENSSL_CNF}" ]; then
+    echo -e "ERROR: File $$$${OPENSSL_CNF} not found."
+    error_out reinstall
+fi
+if ! grep -q "^.include /etc/ssl/engines.cnf.d" "$$$${OPENSSL_CNF}"; then
+    cat <<- EOF
+	Your /etc/ssl/openssl.cnf file is not loading engine configuration files from
+	/etc/ssl/engines.cnf.d.  You should consider start with a fresh, updated OpenSSL config by
+	running:
+
+	    opkg install --force-reinstall --force-maintainer libopenssl-conf
+
+	The above command will overwrite any changes you may have made to both /etc/ssl/openssl.cnf
+	and /etc/ssl/engines.cnf.d/engines.cnf files, so back them up first!
+	EOF
+    error_out
+fi
+if [ ! -f "$$$${ENGINES_CNF}" ]; then
+    echo "Can't configure $$(OSSL_ENG_PKG): File $$$${ENGINES_CNF} not found."
+    error_out reinstall
+fi
+if grep -q "$(1)=$(1)" "$$$${ENGINES_CNF}"; then
+    echo "$$(OSSL_ENG_PKG): $(1) engine was already configured.  Nothing to be done."
+else
+    echo "$(1)=$(1)" >> "$$$${ENGINES_CNF}"
+    echo "$$(OSSL_ENG_PKG): $(1) engine enabled.  All done!"
+fi
+  endef
+
+  define Package/$$(OSSL_ENG_PKG)/prerm :=
+#!/bin/sh
+ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
+[ -f "$$$${ENGINES_CNF}" ] || exit 0
+sed -e '/$(1)=$(1)/d' -i "$$$${ENGINES_CNF}"
+  endef
+endef
+
+

package/libs/openssl/files/engines.cnf

@@ -1,7 +1,7 @@
-[engines]
-# To enable an engine, install the package, and uncomment it here:
-#devcrypto=devcrypto
-#afalg=afalg
-#padlock=padlock
-#gost=gost
+# This file should only contain the [engines] section
+# It is subject to change by installing OpenSSL engine packages
+# Any lines that have the sequence "engine-name=engine-name" will
+# be removed when the respective engine gets uninstalled.
+# You may avoid that by adding a space before/after the  = sign.
 
+[engines]

package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch

@@ -4,7 +4,7 @@ Date: Sat, 27 Mar 2021 17:43:25 -0300
 Subject: openssl.cnf: add engine configuration
 
 This adds configuration options for engines, loading all cnf files under
-/etc/ssl/engines.d/.
+/etc/ssl/engines.cnf.d/.
 
 Signed-off-by: Eneas U de Queiroz <[email protected]>