Hello Eneas,
Nice work.
My remarks or suggestions see inline.
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
$(if
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
$(if
CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
I think AFALG is missing there?
endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
endef
define Package/libopenssl-conf/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
- $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+ $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+ $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!'
$(1)/etc/init.d/openssl
I do not understand that waht you are doing there.
+ touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
- echo devcrypto=devcrypto >>
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "config engine 'devcrypto'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
- echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
What about AFALG?
endef
define Package/openssl-util/install
diff --git a/package/libs/openssl/engine.mk
b/package/libs/openssl/engine.mk
index 482b5ad5e8..efa46d7214 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,20 @@ define Package/openssl/add-engine
define Package/$$(OSSL_ENG_PKG)/postinst :=
#!/bin/sh
-# $$$$1 == non-empty: suggest reinstall
-error_out() {
- [ "$1" ] && cat <<- EOF
- Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
- opkg install --force-reinstall libopenssl-conf
- EOF
- cat <<- EOF
+if [ -n "$$$${IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1)
>/dev/null; then
+ cat << EOF >> "$$$${OPENSSL_UCI}"
- Then, you will have to reinstall this package, and any other engine
package you have
- you have previously installed to ensure they are enabled:
-
- opkg install --force-reinstall $$(OSSL_ENG_PKG)
[OTHER_ENGINE_PKG]...
-
- EOF
- exit 1
-}
-ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="$$$${IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "$$$${OPENSSL_CNF}" ]; then
- echo -e "ERROR: File $$$${OPENSSL_CNF} not found."
- error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/engines.cnf.d" "$$$${OPENSSL_CNF}";
then
- cat <<- EOF
- Your /etc/ssl/openssl.cnf file is not loading engine configuration
files from
- /etc/ssl/engines.cnf.d. You should consider start with a fresh,
updated OpenSSL config by
- running:
-
- opkg install --force-reinstall --force-maintainer libopenssl-conf
-
- The above command will overwrite any changes you may have made to
both /etc/ssl/openssl.cnf
- and /etc/ssl/engines.cnf.d/engines.cnf files, so back them up first!
- EOF
- error_out
-fi
-if [ ! -f "$$$${ENGINES_CNF}" ]; then
- echo "Can't configure $$(OSSL_ENG_PKG): File $$$${ENGINES_CNF} not
found."
- error_out reinstall
-fi
-if grep -q "$(1)=$(1)" "$$$${ENGINES_CNF}"; then
- echo "$$(OSSL_ENG_PKG): $(1) engine was already configured.
Nothing to be done."
-else
- echo "$(1)=$(1)" >> "$$$${ENGINES_CNF}"
- echo "$$(OSSL_ENG_PKG): $(1) engine enabled. All done!"
+config engine '$(1)'
+ option enabled '1'
+EOF
From my point of view, I think it would be better if we used the uci cli
command directly here.
to add the config engine section and enable this engine.
fi
+[ -z "$$$${IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
endef
- define Package/$$(OSSL_ENG_PKG)/prerm :=
+ define Package/$$(OSSL_ENG_PKG)/postrm :=
#!/bin/sh
-ENGINES_CNF="$$$${IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-[ -f "$$$${ENGINES_CNF}" ] || exit 0
-sed -e '/$(1)=$(1)/d' -i "$$$${ENGINES_CNF}"
+[ -z "$$$${IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
Should we not also remove the uci option on an uninstall wit the uci
command?
endef
endef
-
-
diff --git a/package/libs/openssl/files/openssl-engines.init
b/package/libs/openssl/files/openssl-engines.init
new file mode 100644
index 0000000000..050a96f70a
--- /dev/null
+++ b/package/libs/openssl/files/openssl-engines.init
@@ -0,0 +1,19 @@
+#!/bin/sh /etc/rc.common
Is the init script also switched on at the first boot?
So that the service runs immediately?
Not that the service has to be switched on in /etc/rc.d/ first - that
would be unpleasant.
+
+START=05
+OSSL_ENGINES_CNF="/etc/ssl/engines.cnf.d/engines.cnf"
+
+enable_engine() {
+ echo "$1=$1" >> "${OSSL_ENGINES_CNF}"
The writing happens here on the persistent storage at every boot!
This is not so good for embedded target with FLASH.
It would be better to write this to the tmp.
+}
+
+boot () {
+ config_load openssl
+
+ cat <<- EOF > /etc/ssl/engines.cnf.d/engines.cnf
+ # This file is automatically generated at boot time.
+ # Use uci add_list openssl.engines ENGINE_NAME to enable an
engine
+ [engines]
The same with the storage is also true here.
+ config_list_foreach openssl.openssl[0] engines enable_engine
How about the named uci section globals
config openssl globals
+}
diff --git a/package/libs/openssl/files/openssl.init
b/package/libs/openssl/files/openssl.init
new file mode 100755
index 0000000000..21e253e7a5
--- /dev/null
+++ b/package/libs/openssl/files/openssl.init
@@ -0,0 +1,31 @@
+#!/bin/sh /etc/rc.common
+
+START=13
+ENGINES_CNF_D="/etc/ssl/engines.cnf.d"
+ENGINES_CNF="/var/etc/ssl/engines.cnf"
+ENGINES_DIR="%ENGINES_DIR%"
+
+config_engine() {
+ local enabled force
+ config_get_bool enabled "$1" enabled 1
+ config_get_bool force "$1" force 0
+ [ "$enabled" = 0 ] && return
+ if [ "$force" = 0 ] && \
+ [ ! -f "${ENGINES_CNF_D}/$1.cnf" ] && \
+ [ ! -f "${ENGINES_DIR}/$1.so" ]; then
+ echo Skipping engine "$1": not installed
+ return
+ fi
+ echo Enabling engine "$1"
+ echo "$1=$1" >> "${ENGINES_CNF}"
+}
+
+start() {
+ mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1
+ echo Generating engines.cnf
+ echo "# This file is automatically generated from
/etc/config/openssl." \
+ > "${ENGINES_CNF}" || \
+ { echo Error writing ${ENGINES_CNF} >&2; exit 1; }
+ config_load openssl
+ config_foreach config_engine engine
+}
diff --git
a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
index 3db7a19212..8851116347 100644
---
a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++
b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -11,7 +11,7 @@ Signed-off-by: Eneas U de Queiroz
<[email protected]>
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
-@@ -22,6 +22,13 @@ oid_section = new_oids
+@@ -22,6 +22,16 @@ oid_section = new_oids
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
@@ -20,6 +20,9 @@ diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+[openssl_conf]
+engines=engines
+
++[engines]
++.include /var/etc/ssl/engines.cnf
++
+.include /etc/ssl/engines.cnf.d
+
[ new_oids ]
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
