diff --git a/include/openssl-engine.mk b/include/openssl-engine.mk deleted file mode 100644 index 891d284f12..0000000000 --- a/include/openssl-engine.mk +++ /dev/null @@ -1,50 +0,0 @@ -# SPDX-License-Identifier: GPL-2.0-only -# -# Copyright (C) 2022-2023 Enéas Ulir de Queiroz - -ENGINES_DIR=engines-3 - -define Package/openssl/engine/Default - SECTION:=libs - CATEGORY:=Libraries - SUBMENU:=SSL - DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf -endef - -# 1 = engine name -# 2 - package name, defaults to libopenssl-$(1) -define Package/openssl/add-engine - OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1)) - Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf - - define Package/$$(OSSL_ENG_PKG)/install - $$(INSTALL_DIR) $$(1)/usr/lib/$(ENGINES_DIR) - $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \ - $$(1)/usr/lib/$(ENGINES_DIR) - $$(INSTALL_DIR) $$(1)/etc/ssl/engines.cnf.d - $$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/ - endef - - define Package/$$(OSSL_ENG_PKG)/postinst := -#!/bin/sh -OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl" - -[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0 - -cat << EOF >> "$$$${OPENSSL_UCI}" - -config engine '$(1)' - option enabled '1' -EOF - -[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload - endef - - define Package/$$(OSSL_ENG_PKG)/postrm := -#!/bin/sh -[ -n "$$$${IPKG_INSTROOT}" ] && exit 0 -uci delete openssl.$(1) -uci commit openssl -/etc/init.d/openssl reload - endef -endef diff --git a/include/openssl-module.mk b/include/openssl-module.mk new file mode 100644 index 0000000000..7348a10dbc --- /dev/null +++ b/include/openssl-module.mk @@ -0,0 +1,79 @@ +# SPDX-License-Identifier: GPL-2.0-only +# +# Copyright (C) 2022-2023 Enéas Ulir de Queiroz + +ENGINES_DIR=engines-3 + +define Package/openssl/module/Default + SECTION:=libs + CATEGORY:=Libraries + SUBMENU:=SSL + DEPENDS:=libopenssl +libopenssl-conf +endef + +define Package/openssl/engine/Default + $(Package/openssl/module/Default) + DEPENDS+=@OPENSSL_ENGINE +endef + + +# 1 = moudule type (engine|provider) +# 2 = module name +# 3 = directory to save .so file +# 4 = [ package name, defaults to libopenssl-$(2) ] +define Package/openssl/add-module + $(eval MOD_TYPE:=$(1)) + $(eval MOD_NAME:=$(2)) + $(eval MOD_DIR:=$(3)) + $(eval OSSL_PKG:=$(if $(4),$(4),libopenssl-$(MOD_NAME))) + $(info Package/openssl/add-module 1='$(1)'; 2='$(2)'; 3='$(3)' 4='$(4)') + $(info MOD_TYPE='$(MOD_TYPE)'; MOD_NAME='$(MOD_NAME)'; MOD_DIR='$(MOD_DIR)' OSSL_PKG='$(OSSL_PKG)') + Package/$(OSSL_PKG)/conffiles:=/etc/ssl/modules.cnf.d/$(MOD_NAME).cnf + + define Package/$(OSSL_PKG)/install + $$(INSTALL_DIR) $$(1)/$(MOD_DIR) + $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/$(MOD_DIR)/$(MOD_NAME).so \ + $$(1)/$(MOD_DIR) + $$(INSTALL_DIR) $$(1)/etc/ssl/modules.cnf.d + $$(INSTALL_DATA) ./files/$(MOD_NAME).cnf $$(1)/etc/ssl/modules.cnf.d/ + endef + + define Package/$(OSSL_PKG)/postinst +#!/bin/sh +OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl" + +[ -z "$$$${IPKG_INSTROOT}" ] \ + && uci -q get openssl.$(MOD_NAME) >/dev/null \ + && exit 0 + +cat << EOF >> "$$$${OPENSSL_UCI}" + +config $(MOD_TYPE) '$(MOD_NAME)' + option enabled '1' +EOF + +[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload +exit 0 + endef + + define Package/$(OSSL_PKG)/postrm +#!/bin/sh +[ -n "$$$${IPKG_INSTROOT}" ] && exit 0 +uci -q delete openssl.$(MOD_NAME) && uci commit openssl +/etc/init.d/openssl reload +exit 0 + endef +endef + +# 1 = engine name +# 2 - package name, defaults to libopenssl-$(1) +define Package/openssl/add-engine + $(call Package/openssl/add-module,engine,$(1),/usr/lib/$(ENGINES_DIR),$(2)) +endef + +# 1 = provider name +# 2 = [ package name, defaults to libopenssl-$(1) ] +define Package/openssl/add-provider + $(call Package/openssl/add-module,provider,$(1),/usr/lib/ossl-modules,$(2)) +endef + diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index b948aab709..871080a4cb 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -167,16 +167,24 @@ config OPENSSL_WITH_CAMELLIA config OPENSSL_WITH_IDEA bool - prompt "Enable IDEA cipher support" + default y if !SMALL_FLASH + prompt "Enable IDEA cipher support (needs legacy provider)" help IDEA is a block cipher with 128-bit keys. + To use the cipher, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_SEED bool - prompt "Enable SEED cipher support" + default y if !SMALL_FLASH + prompt "Enable SEED cipher support (needs legacy provider)" help SEED is a block cipher with 128-bit keys broadly used in South Korea, but seldom found elsewhere. + To use the cipher, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_SM234 bool @@ -197,11 +205,21 @@ config OPENSSL_WITH_BLAKE2 config OPENSSL_WITH_MDC2 bool - prompt "Enable MDC2 digest support" + default y if !SMALL_FLASH + prompt "Enable MDC2 digest support (needs legacy provider)" + help + To use the digest, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_WHIRLPOOL bool - prompt "Enable Whirlpool digest support" + default y if !SMALL_FLASH + prompt "Enable Whirlpool digest support (needs legacy provider)" + help + To use the digest, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_COMPRESSION bool diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 66872d5436..add3eb7db6 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_VERSION:=3.0.8 -PKG_RELEASE:=6 +PKG_RELEASE:=7 PKG_BUILD_FLAGS:=no-mips16 gc-sections PKG_BUILD_PARALLEL:=1 @@ -64,7 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk -include $(INCLUDE_DIR)/openssl-engine.mk +include $(INCLUDE_DIR)/openssl-module.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -129,8 +129,8 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf -$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/engines.cnf.d/devcrypto.cnf) -$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/engines.cnf.d/padlock.cnf) +$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/modules.cnf.d/devcrypto.cnf) +$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/modules.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description @@ -162,6 +162,20 @@ $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),add_engine_config padlock) endef endif +$(eval $(call Package/openssl/add-provider,legacy)) +define Package/libopenssl-legacy + $(call Package/openssl/Default) + $(call Package/openssl/module/Default) + TITLE:=OpenSSL legacy provider +endef + +define Package/libopenssl-legacy/description +The OpenSSL legacy provider supplies OpenSSL implementations of algorithms that +have been deemed legacy. Such algorithms have commonly fallen out of use, have +been deemed insecure by the cryptography community, or something similar. See +https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html +endef + $(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) @@ -174,7 +188,7 @@ endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef @@ -190,7 +204,7 @@ endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef @@ -206,7 +220,7 @@ endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" endef @@ -403,16 +417,16 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d + $(INSTALL_DIR) $(1)/etc/ssl/modules.cnf.d $(1)/etc/config $(1)/etc/init.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl touch $(1)/etc/config/openssl $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), - $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ + $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/modules.cnf.d/ echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl) $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), - $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ + $(CP) ./files/padlock.cnf $(1)/etc/ssl/modules.cnf.d/ echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl) endef @@ -425,5 +439,6 @@ $(eval $(call BuildPackage,libopenssl)) $(eval $(call BuildPackage,libopenssl-conf)) $(eval $(call BuildPackage,libopenssl-afalg)) $(eval $(call BuildPackage,libopenssl-devcrypto)) +$(eval $(call BuildPackage,libopenssl-legacy)) $(eval $(call BuildPackage,libopenssl-padlock)) $(eval $(call BuildPackage,openssl-util)) diff --git a/package/libs/openssl/files/afalg.cnf b/package/libs/openssl/files/afalg.cnf index 4f573d757c..fd206361bf 100644 --- a/package/libs/openssl/files/afalg.cnf +++ b/package/libs/openssl/files/afalg.cnf @@ -1,3 +1,3 @@ -[afalg] +[afalg_sect] default_algorithms = ALL diff --git a/package/libs/openssl/files/devcrypto.cnf b/package/libs/openssl/files/devcrypto.cnf index 8afd9b1b00..91d0eee17f 100644 --- a/package/libs/openssl/files/devcrypto.cnf +++ b/package/libs/openssl/files/devcrypto.cnf @@ -1,4 +1,4 @@ -[devcrypto] +[devcrypto_sect] # Leave this alone and configure algorithms with CIPERS/DIGESTS below default_algorithms = ALL diff --git a/package/libs/openssl/files/legacy.cnf b/package/libs/openssl/files/legacy.cnf new file mode 100644 index 0000000000..4c20617444 --- /dev/null +++ b/package/libs/openssl/files/legacy.cnf @@ -0,0 +1,3 @@ +[legacy_sect] +activate = 1 + diff --git a/package/libs/openssl/files/openssl.init b/package/libs/openssl/files/openssl.init index f895b9878c..1c1e8745ff 100755 --- a/package/libs/openssl/files/openssl.init +++ b/package/libs/openssl/files/openssl.init @@ -1,11 +1,25 @@ #!/bin/sh /etc/rc.common START=13 -ENGINES_CNF_D="/etc/ssl/engines.cnf.d" -ENGINES_CNF="/var/etc/ssl/engines.cnf" -ENGINES_DIR="%ENGINES_DIR%" +ENGINES_CNF=/var/etc/ssl/engines.cnf +ENGINES_DIR=%ENGINES_DIR% +MODULES_DIR=/usr/lib/ossl-modules +PROVIDERS_CNF=/var/etc/ssl/providers.cnf -config_engine() { +#1: cnf file +write_cnf_header() { + mkdir -p "$(dirname "$1")" && \ + echo "# This file is automatically generated from /etc/config/openssl." >"$1" || { + echo "Error writing to $1." + return 1 + } +} + + +#1: module name +#2: output cnf file +#3: module.so +enable_module() { local builtin enabled force config_get_bool builtin "$1" builtin 0 @@ -13,30 +27,46 @@ config_engine() { config_get_bool force "$1" force 0 if [ "$enabled" = 0 ]; then - [ "$builtin" != 1 ] && return 1 - echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI." && \ + [ "$builtin" = 0 ] && return 1 + echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI." echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl." elif [ "$force" = 1 ]; then printf "[Forced] " - elif ! grep -q "\\[ *$1 *]" "${ENGINES_CNF_D}"/*; then + elif ! grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*; then echo "$1: Could not find section [$1] in config files." return 1 elif [ "$builtin" = 1 ]; then printf "[Builtin] " - elif [ ! -f "${ENGINES_DIR}/$1.so" ];then - echo "$1: ${ENGINES_DIR}/$1.so not found." + elif [ ! -f "$3" ];then + echo "Skipping $1: $3 not found." return 1 fi - echo Enabling engine "$1" - echo "$1=$1" >> "${ENGINES_CNF}" + echo "Enabling $1" + echo "$1=$1_sect" >>"$2" +} + +config_engine() { + enable_module "$1" "$ENGINES_CNF" \ + "${ENGINES_DIR}/${1}.so" +} + +config_provider() { + enable_module "$1" "$PROVIDERS_CNF" \ + "${MODULES_DIR}/${1}.so" } start() { - mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1 - echo Generating engines.cnf - echo "# This file is automatically generated from /etc/config/openssl." \ - > "${ENGINES_CNF}" || \ - { echo Error writing ${ENGINES_CNF} >&2; exit 1; } + local ret=0 + config_load openssl - config_foreach config_engine engine + + echo Generating engines.cnf + write_cnf_header "${ENGINES_CNF}" && \ + config_foreach config_engine engine || ret=$? + + echo Generating providers.cnf + write_cnf_header "${PROVIDERS_CNF}" && \ + config_foreach config_provider provider || ret=$? + + return $ret } diff --git a/package/libs/openssl/files/padlock.cnf b/package/libs/openssl/files/padlock.cnf index ef91079e5d..f4085d907b 100644 --- a/package/libs/openssl/files/padlock.cnf +++ b/package/libs/openssl/files/padlock.cnf @@ -1,3 +1,3 @@ -[padlock] +[padlock_sect] default_algorithms = ALL diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch index b1ec0cae71..9fe9cdf590 100644 --- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -10,20 +10,32 @@ Signed-off-by: Eneas U de Queiroz --- a/apps/openssl.cnf +++ b/apps/openssl.cnf -@@ -30,6 +30,16 @@ oid_section = new_oids - # (Alternatively, use a configuration file that has only - # X.509v3 extensions in its main [= default] section.) +@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7 -+openssl_conf=openssl_conf + [openssl_init] + providers = provider_sect ++engines = engines_sect + + # List of providers to load + [provider_sect] + default = default_sect ++.include /var/etc/ssl/providers.cnf + -+[openssl_conf] -+engines=engines + # The fips section name should match the section name inside the + # included fipsmodule.cnf. + # fips = fips_sect +@@ -69,7 +72,13 @@ default = default_sect + # OpenSSL may not work correctly which could lead to significant system + # problems including inability to remotely access the system. + [default_sect] +-# activate = 1 ++activate = 1 + -+[engines] ++[engines_sect] +.include /var/etc/ssl/engines.cnf + -+.include /etc/ssl/engines.cnf.d ++.include /etc/ssl/modules.cnf.d + - [ new_oids ] - # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. - # Add a simple OID like this: + + + ####################################################################