Re: Installing OpenWrt 21.02 on the TP-Link AD7200
On Tue, Apr 20, 2021 at 11:35 PM Alex Henrie wrote: > > On Tue, Apr 20, 2021 at 4:04 AM Stijn Segers wrote: > > > > Alex Henrie schreef op 20 april 2021 07:28:32 CEST: > > > > > >So, what is the correct procedure for installing OpenWrt on the AD7200? > > > > Try downgrading to an older firmware. If that does not work then you'll > > need to hook up serial to see the messages the flashing process spits out. > > > > Chances are OEM firmware checks for a software version now e.g., which is > > unset at this point (see tplink-safeloader.c code). > > Thanks for the suggestion. The firmware upload fails with the same > error if I try to upload an older version of the stock firmware. The > latest version of the stock firmware (which is the version that is on > the router I have) is 2.0.1. I haven't gotten a serial cable hooked up yet, but I tried with another AD7200 router that is running stock firmware version 1.0.10 and was not able to upload OpenWrt to it either. Its web interface gives the error "Invalid file type." When started with the reset button held down, it looks for a file named ArcherC2600_1.0_tp_recovery.bin on TFTP, but again, the file transfers and then the device simply reboots back into its stock firmware. -Alex ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH v2] imagebuilder, sdk: unset BINARY_FOLDER and DOWNLOAD_FOLDER in final archives
Adrian, Am Sonntag, 25. April 2021, 21:09:40 CEST schrieb Adrian Schmutzler: > Hi, > > > -Original Message- > > From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org] > > On Behalf Of Sven Roederer > > Sent: Samstag, 24. April 2021 23:48 > > To: openwrt-devel@lists.openwrt.org > > Subject: [PATCH v2] imagebuilder, sdk: unset BINARY_FOLDER and > > DOWNLOAD_FOLDER in final archives > > > > Using these config-options to customize the folders used at build-time > > makes these folder settings appear in generated archives. This causes the > > archives to be not portable, as they going to use the build-time folders > > on > > > > the new systems. Errors look like for the imagebuilder: > > mkdir: cannot create directory '/mnt/build': Permission denied > > Makefile:116: recipe for target '_call_image' failed > > make[2]: *** [_call_image] Error 1 > > Makefile:241: recipe for target 'image' failed > > make[1]: *** [image] Error 2 > > > > The build-time settings of these folders are passed into the archives via > > .config for the imagebuilder and via Config.in and Config.build for the > > sdk. The expected behavior is that after unpacking sdk and imagebuilder > > act like these settings have the default, using intree folders. So unset > > or filter out the build- time settings. > > Consider breaking this down into separate patches for imagebuilder and sdk. > pushed a splitted version as V3 [1]. Indeed I squashed them before submitting initially :-) Best Sven 1 - https://patchwork.ozlabs.org/project/openwrt/list/?series=240802 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: opkg fails to install manually downloaded packages
Am Donnerstag, 29. April 2021, 01:54:34 CEST schrieb Sven Roederer: > > Using a freshly installed OpenWrt 21.02 fails to install a package that has > been downloaded manually. I had seen this initially when using my own image > where a package was missing. To fix I copied over with scp and wanted to > install with 'opkg '. It failed, complaining about incompatible > arch. rebuilding my image via Imagebuilder made my image work. > > Initially thought of some faulty config on my board, but was just testing > with official build from downloads.openwrt.org and could confirm. > > Here my console log (taken on TPLink WDR-3600): > > - > > OpenWrt 21.02.0-rc1, r16046-59980f7aaf > > - > > root@OpenWrt:~# cd /tmp > > root@OpenWrt:/tmp# wget > > https://downloads.openwrt.org/releases/21.02.0-rc1/ > > packages/mips_24kc/base/wall_2.36.1-2_mips_24kc.ipk > > > Downloading 'https://downloads.openwrt.org/releases/21.02.0-rc1/packages/ > > mips_24kc/base/wall_2.36.1-2_mips_24kc.ipk' > > > Connecting to 168.119.138.211:443 > > Writing to 'wall_2.36.1-2_mips_24kc.ipk' > > wall_2.36.1-2_mips_2 100% |***| 10770 > > 0:00:00 > > ETA > > > Download completed (10770 bytes) > > root@OpenWrt:/tmp# opkg install /tmp/wall_2.36.1-2_mips_24kc.ipk > > Unknown package 'wall'. > > > > Collected errors: > > * pkg_hash_fetch_best_installation_candidate: Packages for wall found, > > but > > incompatible with the architectures configured > > > * opkg_install_cmd: Cannot install package wall. > > As far as I can see opkd config looks fine ... > > > root@OpenWrt:/tmp# opkg print-architecture > > arch all 1 > > arch noarch 1 > > arch mips_24kc 10 > > Any ideas? > I did not check on master yet, but I think it's a blocker for 21.02 release. > Just did a check on master, which shows the same behavior. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] ccache: don't use non-ASCII quotes
The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software.--- Begin Message --- Rebased upstream ccache commit: f6202db308e32f9b2 to correct compilation errors with MANUAL.adoc due to non-ascii characters. This change enables building 21.02-rc1 on a RHEL8 host where "LANG=C" is apparently ascii rather than utf8. Original fix: Reported-by: Christophe PEREZ Bug: https://bugs.gentoo.org/762814 Signed-off-by: Sergei Trofimovich Cleaned up backport to version 4.1 and added to ccache/patches Signed-off-by: David Adair --- tools/ccache/patches/020-fix-doc-utf.patch | 96 ++ 1 file changed, 96 insertions(+) create mode 100644 tools/ccache/patches/020-fix-doc-utf.patch diff --git a/tools/ccache/patches/020-fix-doc-utf.patch b/tools/ccache/patches/020-fix-doc-utf.patch new file mode 100644 index 00..981b1f4473 --- /dev/null +++ b/tools/ccache/patches/020-fix-doc-utf.patch @@ -0,0 +1,96 @@ +From 81e72af1dac607d57c55e40c1187ead52cc45e26 Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich +Date: Mon, 11 Jan 2021 20:17:47 + +Subject: [PATCH] doc/MANUAL.adoc: Don't use non-ASCII quotes (#761) + +Some locales like "LANG=fr_FR.iso885915@euro make" can't +handle UTF-8 single- and double-quotes: + +$ LANG=fr_FR.iso885915@euro make +... +asciidoc: FAILED: MANUAL.adoc: line 529: unexpected error: +... + File "/usr/lib/python3.8/encodings/iso8859_15.py", line 19, in encode +return codecs.charmap_encode(input,self.errors,encoding_table)[0] +UnicodeEncodeError: 'charmap' codec can't encode character '\u201c' + in position 54: character maps to + +To avoid it the patch uses ASCII equivalents of symbols. + +The patch is generated as: + +$ sed \ +-e 's/\xE2\x80\x99/'\''/g' \ +-e 's/\xE2\x80\x9C/'\`\`'/g' \ +-e 's/\xE2\x80\x9D/'\'\''/g' \ +-i doc/MANUAL.adoc + +Reported-by: Christophe PEREZ +Bug: https://bugs.gentoo.org/762814 +Signed-off-by: Sergei Trofimovich +--- + doc/MANUAL.adoc | 24 + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/doc/MANUAL.adoc b/doc/MANUAL.adoc +index b7d89124..ec0c286a 100644 +--- a/doc/MANUAL.adoc b/doc/MANUAL.adoc +@@ -517,9 +517,9 @@ Semantics of *compression_level*: + ratio. The maximum possible value depends on the libzstd version. + Decompression speed is essentially the same for all levels. + *< 0*:: +-A negative value corresponds to Zstandard's “ultra-fast” compression ++A negative value corresponds to Zstandard's ``ultra-fast'' compression + levels, which are even faster than level 1 but with less good compression +-ratios. For instance, level *-3* corresponds to “--fast=3” for the *zstd* ++ratios. For instance, level *-3* corresponds to ``--fast=3'' for the *zstd* + command line tool. + *0* (default):: + The value *0* means that ccache will choose a suitable level, currently +@@ -564,8 +564,8 @@ Semantics of *compression_level*: + + [[config_file_clone]] *file_clone* (*CCACHE_FILECLONE* or *CCACHE_NOFILECLONE*, see <<_boolean_values,Boolean values>> above):: + +-If true, ccache will attempt to use file cloning (also known as “copy on +-write”, “CoW” or “reflinks”) to store and fetch cached compiler results. ++If true, ccache will attempt to use file cloning (also known as ``copy on ++write'', ``CoW'' or ``reflinks'') to store and fetch cached compiler results. + *file_clone* has priority over <>. The + default is false. + + +@@ -921,11 +921,11 @@ Incompressible data: 3.5 GB + + Notes: + +-* The “disk blocks” size is the cache size when taking disk block size into +- account. This value should match the “cache size” value from “ccache +- --show-stats”. The other size numbers refer to actual content sizes. +-* “Compressed data” refers to result and manifest files stored in the cache. +-* “Incompressible data” refers to files that are always stored uncompressed ++* The ``disk blocks'' size is the cache size when taking disk block size into ++ account. This value should match the ``cache size'' value from ``ccache ++ --show-stats''. The other size numbers refer to actual content sizes. ++* ``Compressed data'' refers to result and manifest files stored in the cache. ++* ``Incompressible data'' refers to files that are always stored uncompressed + (triggered by enabling <> or + <>) or unknown files (for instance files + created by older ccache versions). +@@ -1238,11 +1238,11 @@ In the direct mode, ccache uses the 160 bit BLAKE3 hash of the + the *ccache-input-c* + *ccache-input-p* data is used in the preprocessor mode. + + The *ccache-input-text* file is a combined text version of the three +-binary input files. It has three sections (“COMMON”, “DIRECT MODE” and +-“PREPROCESSOR MODE”), which is turn contain annotations that
Re: [PATCH] Extend checks on build prerequisites for building OpenWRT core
The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software.--- Begin Message --- On 4/29/21 11:40 AM, Paul Spooren wrote: On 4/20/21 1:08 AM, Bas Mevissen wrote: OpenWRT requires a number of Perl modules to be installed. It wasn't checking on all of them. This patch adds checks for Perl FindBin, File::Copy, File::Compare and Thread::Queue modules. Failing to install these, will have the build break at some point. By adding these to the prereq-build.mk script, they are checked on forehand. Tested on a Fedora 33 and 34 (beta) that was freshly installed. Fedora appears to break up Perl modules into small packages that need to be installed for the build to succeed. Signed-off-by: Bas Mevissen --- include/prereq-build.mk | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/include/prereq-build.mk b/include/prereq-build.mk index 86c22f7c95..cb3dcc51e3 100644 --- a/include/prereq-build.mk +++ b/include/prereq-build.mk @@ -65,11 +65,22 @@ $(eval $(call TestHostCommand,perl-data-dumper, \ Please install the Perl Data::Dumper module, \ perl -MData::Dumper -e 1)) +$(eval $(call TestHostCommand,perl-findbin, \ + Please install the Perl FindBin module, \ + perl -MFindBin -e 1)) + +$(eval $(call TestHostCommand,perl-file-copy, \ + Please install the Perl File::Copy module, \ + perl -MFile::Copy -e 1)) + +$(eval $(call TestHostCommand,perl-file-compare, \ + Please install the Perl File::Compare module, \ + perl -MFile::Compare -e 1)) Could you please point me to where this module is required? I naively grepped through openwrt.git and couldn't find it. The other added requirements seem fine. It is in the host autoconf build. On Fedora 34, against current master, without the patch to test the need for File::Compare: $ sudo rpm -e perl-File-Compare (...) $ make -j1 V=s (...) make[3]: Entering directory '/home/bas/Workspace/openwrt-master/tools/autoconf' export SHELL="bash"; make -C /home/bas/Workspace/openwrt-master/build_dir/host/autoconf-2.69 make[4]: Entering directory '/home/bas/Workspace/openwrt-master/build_dir/host/autoconf-2.69' make all-recursive make[5]: Entering directory '/home/bas/Workspace/openwrt-master/build_dir/host/autoconf-2.69' Making all in bin make[6]: Entering directory '/home/bas/Workspace/openwrt-master/build_dir/host/autoconf-2.69/bin' autom4te_perllibdir='..'/lib AUTOM4TE_CFG='../lib/autom4te.cfg' ../bin/autom4te -B '..'/lib -B '..'/lib --language M4sh --cache '' --melt ./autoconf.as -o autoconf.in Can't locate File/Compare.pm in @INC (you may need to install the File::Compare module) (@INC contains: ../lib /usr/local/lib64/perl5/5.32 /usr/local/share/perl5/5.32 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at ../lib/Autom4te/FileUtils.pm line 166. BEGIN failed--compilation aborted at ../lib/Autom4te/FileUtils.pm line 166. Compilation failed in require at ../bin/autom4te line 43. BEGIN failed--compilation aborted at ../bin/autom4te line 43. make[6]: *** [Makefile:641: autoconf.in] Error 2 (...) $ sudo dnf install -y perl-File-Compare (...) $ make -j4 (build finishes) + $(eval $(call TestHostCommand,perl-thread-queue, \ Please install the Perl Thread::Queue module, \ perl -MThread::Queue -e 1)) - $(eval $(call SetupHostCommand,tar,Please install GNU 'tar', \ gtar --version 2>&1 | grep GNU, \ gnutar --version 2>&1 | grep GNU, \ --- End Message --- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH v3 3/3] openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:
config engine 'devcrypto'
option enabled '1'
Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.
The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.
The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped. It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.
Signed-off-by: Eneas U de Queiroz
---
Changelog:
v1->v2:
- fixed postinst & postrm logic that was failing when building the final
image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions
v2->v3:
- actually removed the extra files that I had promised in v2
package/libs/openssl/Makefile | 13 ++--
package/libs/openssl/engine.mk| 60 ---
package/libs/openssl/files/engines.cnf| 7 ---
package/libs/openssl/files/openssl.init | 31 ++
.../150-openssl.cnf-add-engines-conf.patch| 5 +-
5 files changed, 54 insertions(+), 62 deletions(-)
delete mode 100644 package/libs/openssl/files/engines.cnf
create mode 100755 package/libs/openssl/files/openssl.init
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=k
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_USE_MIPS16:=0
PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
$(if
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
endef
define Package/libopenssl-conf/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
- $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+ $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+ $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!'
$(1)/etc/init.d/openssl
+ touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
- echo devcrypto=devcrypto >>
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "config engine 'devcrypto'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
- echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
endef
define Package/openssl-util/install
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..973a989904 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,24 @@ define Package/openssl/add-engine
define Package/$$(OSSL_ENG_PKG)/postinst :=
#!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
- Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
- opkg install --force-reinstall libopenssl-conf
- EOF
-cat <<- EOF
+[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
- Then, you will have to reinstall this package, and any other engine
package you have
- you have previously installed to ensure they are enabled:
+cat << EOF >> "{OPENSSL_UCI}"
- opkg install --force-reinstall $$(OSSL_ENG_PKG)
[OTHER_ENGINE_PKG]...
+config engine '$(1)'
+ option enabled '1'
+EOF
- EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e "ERROR: File {OPENSSL_CNF} not found."
-error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/engines.cnf.d" "{OPENSSL_CNF}"; then
-cat <<- EOF
- Your /etc/ssl/openssl.cnf file is not loading engine configuration
[PATCH v3 2/3] openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it to the engines list in /etc/ssl/engines.cnf.d/engines.cnf. The engine build system was reworked, with the addition of an engine.mk file that groups some of the engine packages' definitions, and could be used by out of tree engines as well. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged v2->v3: unchanged package/libs/openssl/Makefile | 58 + package/libs/openssl/engine.mk| 82 +++ package/libs/openssl/files/engines.cnf| 12 +-- .../150-openssl.cnf-add-engines-conf.patch| 2 +- 4 files changed, 111 insertions(+), 43 deletions(-) create mode 100644 package/libs/openssl/engine.mk diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 69616f01e8..238f7ecf02 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,9 +11,8 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=1 @@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include engine.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -128,6 +128,9 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +/etc/ssl/engines.cnf.d/engines.cnf +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description @@ -135,52 +138,50 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may -configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -380,6 +381,12 @@ define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), + $(CP)
[PATCH v3 1/3] openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. All patches were refreshed. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged v2->v3: unchanged package/libs/openssl/Makefile | 30 -- package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 101 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 17 files changed, 114 insertions(+), 123 deletions(-) create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/padlock.cnf diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 7ab4c6ccd0..69616f01e8 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -146,7 +146,7 @@ endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" @@ -163,7 +163,8 @@ endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may +configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" @@ -179,7 +180,7 @@ endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -376,8 +377,9 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/openssl-util/install @@ -386,18 +388,24 @@ define Package/openssl-util/install endef define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) +
[PATCH v3 0/3] Engine configuration series
This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed. The series split is subject to discussion: - the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list. - the sencond implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages. - the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed. The first commit received basic testing on mvebu running master, covering afalg and devcrpto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds. I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package. I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters". All I could do to help was to point to a header file where the actual list of supported parameters is defined. After this is merged, I will adapt the two engines in the packages feed. Changelog: v1->v2: - fixed postinst & postrm logic that was failing when building the final image - deleted engine uci section when removing the package - removed extra files leftover from previous development versions v2->v3: - actually removed the extra files that I had promised in v2 Eneas U de Queiroz (3): openssl: config engines in /etc/ssl/engines.cnf.d openssl: configure engine packages during install openssl: configure engines with uci package/libs/openssl/Makefile | 55 +- package/libs/openssl/engine.mk| 46 package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/openssl.init | 31 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 100 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 18 files changed, 191 insertions(+), 140 deletions(-) create mode 100644 package/libs/openssl/engine.mk create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100755 package/libs/openssl/files/openssl.init create mode 100644 package/libs/openssl/files/padlock.cnf ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH v2 2/3] openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it to the engines list in /etc/ssl/engines.cnf.d/engines.cnf. The engine build system was reworked, with the addition of an engine.mk file that groups some of the engine packages' definitions, and could be used by out of tree engines as well. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged package/libs/openssl/Makefile | 58 + package/libs/openssl/engine.mk| 82 +++ package/libs/openssl/files/engines.cnf| 12 +-- .../150-openssl.cnf-add-engines-conf.patch| 2 +- 4 files changed, 111 insertions(+), 43 deletions(-) create mode 100644 package/libs/openssl/engine.mk diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 69616f01e8..238f7ecf02 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,9 +11,8 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=1 @@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include engine.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -128,6 +128,9 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +/etc/ssl/engines.cnf.d/engines.cnf +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description @@ -135,52 +138,50 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may -configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -380,6 +381,12 @@ define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), + $(CP)
[PATCH v2 1/3] openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. All patches were refreshed. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged package/libs/openssl/Makefile | 30 -- package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 101 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 17 files changed, 114 insertions(+), 123 deletions(-) create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/padlock.cnf diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 7ab4c6ccd0..69616f01e8 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -146,7 +146,7 @@ endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" @@ -163,7 +163,8 @@ endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may +configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" @@ -179,7 +180,7 @@ endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -376,8 +377,9 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/openssl-util/install @@ -386,18 +388,24 @@ define Package/openssl-util/install endef define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA)
[PATCH v2 3/3] openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:
config engine 'devcrypto'
option enabled '1'
Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.
The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.
The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped. It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.
Signed-off-by: Eneas U de Queiroz
---
Changelog:
v1->v2:
- fixed postinst & postrm logic that was failing when building the final
image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions
package/libs/openssl/Makefile | 13 ++--
package/libs/openssl/engine.mk| 60 ---
.../libs/openssl/files/openssl-engines.init | 19 ++
package/libs/openssl/files/openssl.init | 31 ++
.../150-openssl.cnf-add-engines-conf.patch| 5 +-
5 files changed, 73 insertions(+), 55 deletions(-)
create mode 100644 package/libs/openssl/files/openssl-engines.init
create mode 100755 package/libs/openssl/files/openssl.init
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=k
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_USE_MIPS16:=0
PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
$(if
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
endef
define Package/libopenssl-conf/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
- $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+ $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+ $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!'
$(1)/etc/init.d/openssl
+ touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
- echo devcrypto=devcrypto >>
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "config engine 'devcrypto'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
- echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
endef
define Package/openssl-util/install
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..973a989904 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,24 @@ define Package/openssl/add-engine
define Package/$$(OSSL_ENG_PKG)/postinst :=
#!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
- Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
- opkg install --force-reinstall libopenssl-conf
- EOF
-cat <<- EOF
+[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
- Then, you will have to reinstall this package, and any other engine
package you have
- you have previously installed to ensure they are enabled:
+cat << EOF >> "{OPENSSL_UCI}"
- opkg install --force-reinstall $$(OSSL_ENG_PKG)
[OTHER_ENGINE_PKG]...
+config engine '$(1)'
+ option enabled '1'
+EOF
- EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e "ERROR: File {OPENSSL_CNF} not found."
-error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/engines.cnf.d" "{OPENSSL_CNF}"; then
-cat <<- EOF
- Your /etc/ssl/openssl.cnf file is not loading engine configuration
files from
- /etc/ssl/engines.cnf.d. You should
[PATCH v2 0/3] Engine configuration series
This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed. The series split is subject to discussion: - the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list. - the sencond implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages. - the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed. The first commit received basic testing on mvebu running master, covering afalg and devcrpto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds. I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package. I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters". All I could do to help was to point to a header file where the actual list of supported parameters is defined. After this is merged, I will adapt the two engines in the packages feed. Changelog: v1->v2: - fixed postinst & postrm logic that was failing when building the final image - deleted engine uci section when removing the package - removed extra files leftover from previous development versions Eneas U de Queiroz (3): openssl: config engines in /etc/ssl/engines.cnf.d openssl: configure engine packages during install openssl: configure engines with uci package/libs/openssl/Makefile | 55 +- package/libs/openssl/engine.mk| 46 package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ .../libs/openssl/files/openssl-engines.init | 19 package/libs/openssl/files/openssl.init | 31 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 100 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 20 files changed, 217 insertions(+), 140 deletions(-) create mode 100644 package/libs/openssl/engine.mk create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/openssl-engines.init create mode 100755 package/libs/openssl/files/openssl.init create mode 100644 package/libs/openssl/files/padlock.cnf ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH 3/3] openssl: configure engines with uci
Hi Florian
On Thu, Apr 29, 2021 at 3:44 AM Florian Eckert wrote:
> > $(if
> > CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
> > $(if
> > CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
>
> I think AFALG is missing there?
>
As I mentioned in the earlier thread, builtin AFALG is weird. If I
enable it in openssl.cnf, it will always look for afalg.so, and will
fail. I think it was on oversight, but AFALG is not part of
OPENSSL_INIT_ENGINE_ALL_BUILTIN [1], so it will not be enabled by
default, unless you call
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_AFALG, NULL). The AFALG
engine does not have any control commands, so configuration is a noop
anyway.
[1]
https://github.com/openssl/openssl/blob/0f077b5fd86e2df0b41608fbd5684fa1a2b58f59/include/openssl/crypto.h.in#L452
> > endef
> > @@ -378,15 +377,17 @@ define Package/libopenssl/install
> > endef
> >
> > define Package/libopenssl-conf/install
> > - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
> > + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config
> > $(1)/etc/init.d
> > $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
> > - $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
> > + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
> > + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!'
> > $(1)/etc/init.d/openssl
>
> I do not understand that waht you are doing there.
ENGINES_DIR is where the engine so files are stored. It is versioned,
so it is stored in a variable in engine.mk. I'm just setting it in
/etc/init.d/openssl, from ./files/openssl.init#3:
ENGINES_DIR="%ENGINES_DIR%"
The final result, installed in /etc/init.d/openssl#3 is:
ENGINES_DIR="/usr/lib/engines-1.1"
> > $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
> > $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
> > - echo padlock=padlock >>
> > $(1)/etc/ssl/engines.cnf.d/engines.cnf)
> > + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
> > $(1)/etc/config/openssl)
>
> What about AFALG?
The same explanation above fits here.
> > #!/bin/sh
> > +OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
> > +if [ -n "{IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) >/dev/null;
> > then
> > +cat << EOF >> "{OPENSSL_UCI}"
> > +config engine '$(1)'
> > + option enabled '1'
> > +EOF
>
> From my point of view, I think it would be better if we used the uci cli
> command directly here.
> to add the config engine section and enable this engine.
However, uci is not available when the package is installed by the
buildsystem, such as when building the firmware image. That's why I
always check for $IPKG_INSTROOT before calling any commands available
in the target only, as seen above.
>
> > fi
> > +[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
> >endef
> >
> > - define Package/$$(OSSL_ENG_PKG)/prerm :=
> > + define Package/$$(OSSL_ENG_PKG)/postrm :=
> > #!/bin/sh
> > -ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
> > -[ -f "{ENGINES_CNF}" ] || exit 0
> > -sed -e '/$(1)=$(1)/d' -i "{ENGINES_CNF}"
> > +[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
>
> Should we not also remove the uci option on an uninstall wit the uci
> command?
>
I'll change this. My idea was to save the configuration, if user
later reinstall the package. However, since the %ENGINE%.cnf file is
not removed, then openssl will try to enable the removed engine and
fail.
> > +++ b/package/libs/openssl/files/openssl-engines.init
> > @@ -0,0 +1,19 @@
> > +#!/bin/sh /etc/rc.common
>
> Is the init script also switched on at the first boot?
> So that the service runs immediately?
> Not that the service has to be switched on in /etc/rc.d/ first - that
> would be unpleasant.
Yes, it is: file
build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/etc/rc.d/S13openssl
build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/etc/rc.d/S13openssl:
symbolic link to ../init.d/openssl
>
> > +
> > +START=05
> > +OSSL_ENGINES_CNF="/etc/ssl/engines.cnf.d/engines.cnf"
> > +
> > +enable_engine() {
> > + echo "$1=$1" >> "${OSSL_ENGINES_CNF}"
>
> The writing happens here on the persistent storage at every boot!
> This is not so good for embedded target with FLASH.
> It would be better to write this to the tmp.
>
This file, along with engines.cnf were left over from a previous idea,
and not are not used. I will take care of them in the v2. The list
is actually saved in /var/etc/ssl/engines.cnf.
> > + config_list_foreach openssl.openssl[0] engines enable_engine
>
> How about the named uci section globals
> config openssl globals
>
This is also part of the leftover file.
I've spotted a missing fix for the postinst/postrm scripts that were
failing when building the final image. I'll send a v2 in a bit.
Thanks for the review!
Eneas
___
Re: [PATCH] Extend checks on build prerequisites for building OpenWRT core
On 4/20/21 1:08 AM, Bas Mevissen wrote: OpenWRT requires a number of Perl modules to be installed. It wasn't checking on all of them. This patch adds checks for Perl FindBin, File::Copy, File::Compare and Thread::Queue modules. Failing to install these, will have the build break at some point. By adding these to the prereq-build.mk script, they are checked on forehand. Tested on a Fedora 33 and 34 (beta) that was freshly installed. Fedora appears to break up Perl modules into small packages that need to be installed for the build to succeed. Signed-off-by: Bas Mevissen --- include/prereq-build.mk | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/include/prereq-build.mk b/include/prereq-build.mk index 86c22f7c95..cb3dcc51e3 100644 --- a/include/prereq-build.mk +++ b/include/prereq-build.mk @@ -65,11 +65,22 @@ $(eval $(call TestHostCommand,perl-data-dumper, \ Please install the Perl Data::Dumper module, \ perl -MData::Dumper -e 1)) +$(eval $(call TestHostCommand,perl-findbin, \ + Please install the Perl FindBin module, \ + perl -MFindBin -e 1)) + +$(eval $(call TestHostCommand,perl-file-copy, \ + Please install the Perl File::Copy module, \ + perl -MFile::Copy -e 1)) + +$(eval $(call TestHostCommand,perl-file-compare, \ + Please install the Perl File::Compare module, \ + perl -MFile::Compare -e 1)) Could you please point me to where this module is required? I naively grepped through openwrt.git and couldn't find it. The other added requirements seem fine. + $(eval $(call TestHostCommand,perl-thread-queue, \ Please install the Perl Thread::Queue module, \ perl -MThread::Queue -e 1)) - $(eval $(call SetupHostCommand,tar,Please install GNU 'tar', \ gtar --version 2>&1 | grep GNU, \ gnutar --version 2>&1 | grep GNU, \ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH 0/3] Engine configuration series
Hello Eneas, On 2021-04-28 14:17, Eneas U de Queiroz wrote: This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed. The series split is subject to discussion: - the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list. - the sencond implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages. - the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed. The first commit received basic testing on mvebu running master, covering afalg and devcrpto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds. I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package. I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. I think the uci config options are great, you can build on them and make the configuration for openssl better and can finally be configured with the uci. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters". All I could do to help was to point to a header file where the actual list of supported parameters is defined. The only thing I have to say is that if the configuration no longer fits, then we have a non-functioning openssl! You just have to know what you are doing when you change the openssl configuration. After this is merged, I will adapt the two engines in the packages feed. I think we have to validate the uci options in the future in the openssl service on startup. Regards Florian ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH 3/3] openssl: configure engines with uci
Hello Eneas,
Nice work.
My remarks or suggestions see inline.
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
$(if
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
$(if
CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
I think AFALG is missing there?
endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
endef
define Package/libopenssl-conf/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
- $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+ $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+ $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!'
$(1)/etc/init.d/openssl
I do not understand that waht you are doing there.
+ touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
- echo devcrypto=devcrypto >>
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "config engine 'devcrypto'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
- echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
What about AFALG?
endef
define Package/openssl-util/install
diff --git a/package/libs/openssl/engine.mk
b/package/libs/openssl/engine.mk
index 482b5ad5e8..efa46d7214 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,20 @@ define Package/openssl/add-engine
define Package/$$(OSSL_ENG_PKG)/postinst :=
#!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
- Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
- opkg install --force-reinstall libopenssl-conf
- EOF
-cat <<- EOF
+if [ -n "{IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1)
>/dev/null; then
+cat << EOF >> "{OPENSSL_UCI}"
- Then, you will have to reinstall this package, and any other engine
package you have
- you have previously installed to ensure they are enabled:
-
- opkg install --force-reinstall $$(OSSL_ENG_PKG)
[OTHER_ENGINE_PKG]...
-
- EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e "ERROR: File {OPENSSL_CNF} not found."
-error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/engines.cnf.d" "{OPENSSL_CNF}";
then
-cat <<- EOF
- Your /etc/ssl/openssl.cnf file is not loading engine configuration
files from
- /etc/ssl/engines.cnf.d. You should consider start with a fresh,
updated OpenSSL config by
- running:
-
- opkg install --force-reinstall --force-maintainer libopenssl-conf
-
- The above command will overwrite any changes you may have made to
both /etc/ssl/openssl.cnf
- and /etc/ssl/engines.cnf.d/engines.cnf files, so back them up first!
- EOF
-error_out
-fi
-if [ ! -f "{ENGINES_CNF}" ]; then
-echo "Can't configure $$(OSSL_ENG_PKG): File {ENGINES_CNF} not
found."
-error_out reinstall
-fi
-if grep -q "$(1)=$(1)" "{ENGINES_CNF}"; then
-echo "$$(OSSL_ENG_PKG): $(1) engine was already configured.
Nothing to be done."
-else
-echo "$(1)=$(1)" >> "{ENGINES_CNF}"
-echo "$$(OSSL_ENG_PKG): $(1) engine enabled. All done!"
+config engine '$(1)'
+ option enabled '1'
+EOF
From my point of view, I think it would be better if we used the uci cli
command directly here.
to add the config engine section and enable this engine.
fi
+[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
endef
- define Package/$$(OSSL_ENG_PKG)/prerm :=
+ define Package/$$(OSSL_ENG_PKG)/postrm :=
#!/bin/sh
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-[ -f "{ENGINES_CNF}" ] || exit 0
-sed -e '/$(1)=$(1)/d' -i "{ENGINES_CNF}"
+[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
Should we not also remove the uci option on an uninstall wit the uci
command?
endef
endef
-
-
diff --git a/package/libs/openssl/files/openssl-engines.init
b/package/libs/openssl/files/openssl-engines.init
new file mode 100644
index 00..050a96f70a
--- /dev/null
+++ b/package/libs/openssl/files/openssl-engines.init
@@ -0,0 +1,19 @@
+#!/bin/sh /etc/rc.common
Is the init script also switched on at the first boot?
So that the service runs immediately?
Not that the service has to be switched on in
