forked from coolsnowwolf/lede
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. Patches were refreshed with --zero-commit. Signed-off-by: Eneas U de Queiroz <[email protected]>
1 parent 01aef11, commit 05c6de1
Showing 16 changed files with 82 additions and 119 deletions.
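As an added example (mine, not code from this commit or from the lede/OpenWrt tree), here is a small POSIX sh checker for the layout the commit message describes: it reads the `[engines]` section of engines.cnf and verifies that every uncommented `name=section` line resolves to a `[section]` header in a `.cnf` or `.conf` file in the same directory, the only suffixes an OpenSSL directory `.include` reads. The file locations and the `make_sample_layout` helper are my assumptions; the sample files it writes are constructed to mirror the ones added here and are not the package's files.

```shell
#!/bin/sh
# Added example, not part of the lede/OpenWrt commit: sanity-check an
# engines.cnf.d layout of the kind the commit message describes before
# relying on it. Assumptions (mine, not the commit's): engines.cnf holds an
# [engines] section whose uncommented "name=section" lines name sections
# that must be defined in some *.cnf or *.conf file in the same directory.

# Print the section names enabled in $1/engines.cnf, one per line.
# Commented-out lines such as "#devcrypto=devcrypto" are skipped.
enabled_engine_sections() {
    awk '
        /^[[:space:]]*\[/ { in_engines = ($0 ~ /^[[:space:]]*\[engines\]/); next }
        in_engines && /^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print
        }
    ' "$1/engines.cnf"
}

# Return 0 when every enabled engine has a "[section]" header in a .cnf or
# .conf file directly under $1; print each missing section to stderr and
# return 1 otherwise. Only those suffixes are searched because a directory
# ".include" in OpenSSL ignores files with any other name, so a section
# kept in "gost.cnf.orig" would never be seen at runtime.
check_engines_dir() {
    dir=$1
    rc=0
    for sect in $(enabled_engine_sections "$dir"); do
        if ! find "$dir" -maxdepth 1 \( -name '*.cnf' -o -name '*.conf' \) -exec cat {} + \
             | grep -q "^[[:space:]]*\[$sect\]"; then
            echo "engines.cnf enables '$sect' but no [$sect] section exists in $dir" >&2
            rc=1
        fi
    done
    return $rc
}

# Write a constructed layout (sample data, not the commit's files) into $1:
# two per-engine files plus an engines.cnf whose only live line is "$2".
make_sample_layout() {
    printf '[engines]\n# To enable an engine, uncomment it here:\n#afalg=afalg\n%s\n' "$2" \
        > "$1/engines.cnf"
    printf '[devcrypto]\ndefault_algorithms = ALL\n' > "$1/devcrypto.cnf"
    printf '[padlock]\ndefault_algorithms = ALL\n' > "$1/padlock.cnf"
}

# On a device: sh check-engines.sh /etc/ssl/engines.cnf.d
if [ -n "${1:-}" ]; then
    check_engines_dir "$1"
fi
```

The check is deliberately stricter than OpenSSL itself: OpenSSL resolves an undefined engine section at load time, so a typo in engines.cnf shows up as an engine that silently fails to initialise, whereas this script fails before the config is installed.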
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
[afalg] | ||
default_algorithms = ALL | ||
|
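Review bot: the new afalg file is reduced to `default_algorithms = ALL`, but the `[afalg]` block it replaces in openssl.cnf (visible among the removed lines of the openssl.cnf patch further down) documented USE_SOFTDRIVERS, the CIPHERS list with per-cipher minimum request lengths (`#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0`) and the DIGESTS warning for the alternative sync AFALG engine. If those commands are still meant to be tunable from this file, carry the comments over; if they were dropped on purpose because the stock engine ignores them, a one-line comment saying so would stop users from looking for them here.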
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
[devcrypto] | ||
# Leave this alone and configure algorithms with CIPERS/DIGESTS below | ||
default_algorithms = ALL | ||
|
||
# Configuration commands: | ||
# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a | ||
# list of supported algorithms, along with their driver, whether they | ||
# are hw accelerated or not, and the engine's configuration commands. | ||
|
||
# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) | ||
# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use | ||
# if acceleration can't be determined) [default=2] | ||
#USE_SOFTDRIVERS = 2 | ||
|
||
# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to | ||
# enable [default=ALL] | ||
# It is recommended to disable the ECB ciphers; in most cases, it will | ||
# only be used for PRNG, in small blocks, where performance is poor, | ||
# and there may be problems with apps forking with open crypto | ||
# contexts, leading to failures. The CBC ciphers work well: | ||
#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC | ||
|
||
# DIGESTS: either ALL, NONE, or a comma-separated list of digests to | ||
# enable [default=NONE] | ||
# It is strongly recommended not to enable digests; their performance | ||
# is poor, and there are many cases in which they will not work, | ||
# especially when calling fork with open crypto contexts. Openssh, | ||
# for example, does this, and you may not be able to login. | ||
#DIGESTS = NONE | ||
|
||
|
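Review bot: typo on the second line of the file, `CIPERS/DIGESTS` should read `CIPHERS/DIGESTS`; a user grepping for the command name will miss the pointer. Beyond that, the comment recommends disabling the ECB ciphers because of poor performance and failures after fork, yet the shipped default stays `ALL` with the CBC-only list commented out. Since this file is now the single place a user edits to tune devcrypto, consider shipping `CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC` uncommented so the recommended configuration is the default rather than the exception.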
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
[engines] | ||
# To enable an engine, install the package, and uncomment it here: | ||
#devcrypto=devcrypto | ||
#afalg=afalg | ||
#padlock=padlock | ||
#gost=gost | ||
|
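Review bot: `#gost=gost` offers an engine for which no `[gost]` section appears in any of the new files in this commit, while the inline block being removed from openssl.cnf did carry one (with CRYPT_PARAMS and PBE_PARAMS). Uncommenting it as-is would reference a section this package no longer defines; either add a gost file under engines.cnf.d or say in the comment that the gost package installs its own. Two smaller points for the header comment: a file in this directory is only picked up by the `.include` if its name ends in `.cnf` or `.conf`, and uncommenting a line here routes every algorithm the engine claims (`default_algorithms = ALL` in each engine file) through that engine for every process that loads openssl.cnf, not just the one being tuned.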
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
[padlock] | ||
default_algorithms = ALL | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Eneas U de Queiroz <[email protected]> | ||
Date: Thu, 27 Sep 2018 08:29:21 -0300 | ||
Subject: Do not use host kernel version to disable AFALG | ||
|
@@ -9,7 +9,6 @@ version to disable building the AFALG engine on openwrt targets. | |
Signed-off-by: Eneas U de Queiroz <[email protected]> | ||
|
||
diff --git a/Configure b/Configure | ||
index 5a699836f3..74d057c219 100755 | ||
--- a/Configure | ||
+++ b/Configure | ||
@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Eneas U de Queiroz <[email protected]> | ||
Date: Thu, 27 Sep 2018 08:30:24 -0300 | ||
Subject: Add openwrt targets | ||
|
@@ -9,7 +9,6 @@ Signed-off-by: Eneas U de Queiroz <[email protected]> | |
|
||
diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf | ||
new file mode 100644 | ||
index 0000000000..86a86d31e4 | ||
--- /dev/null | ||
+++ b/Configurations/25-openwrt.conf | ||
@@ -0,0 +1,52 @@ | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Eneas U de Queiroz <[email protected]> | ||
Date: Thu, 27 Sep 2018 08:31:38 -0300 | ||
Subject: Avoid exposing build directories | ||
|
@@ -9,7 +9,6 @@ OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a | |
Signed-off-by: Eneas U de Queiroz <[email protected]> | ||
|
||
diff --git a/crypto/build.info b/crypto/build.info | ||
index 2c619c62e8..893128345a 100644 | ||
--- a/crypto/build.info | ||
+++ b/crypto/build.info | ||
@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Eneas U de Queiroz <[email protected]> | ||
Date: Thu, 27 Sep 2018 08:34:38 -0300 | ||
Subject: Do not build tests and fuzz directories | ||
|
@@ -8,7 +8,6 @@ This shortens build time. | |
Signed-off-by: Eneas U de Queiroz <[email protected]> | ||
|
||
diff --git a/Configure b/Configure | ||
index 74d057c219..5813e9f8fe 100755 | ||
--- a/Configure | ||
+++ b/Configure | ||
@@ -318,7 +318,7 @@ my $auto_threads=1; # enable threads automatically? true by default | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Eneas U de Queiroz <[email protected]> | ||
Date: Thu, 27 Sep 2018 08:44:39 -0300 | ||
Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option | ||
|
@@ -15,7 +15,6 @@ when the client has it on top of its ciphersuite preference. | |
Signed-off-by: Eneas U de Queiroz <[email protected]> | ||
|
||
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h | ||
index 6724ccf2d2..96d959427e 100644 | ||
--- a/include/openssl/ssl.h | ||
+++ b/include/openssl/ssl.h | ||
@@ -173,9 +173,15 @@ extern "C" { | ||
|
@@ -38,7 +37,6 @@ index 6724ccf2d2..96d959427e 100644 | |
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ | ||
"TLS_AES_128_GCM_SHA256" | ||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c | ||
index 27a1b2ec68..7039811323 100644 | ||
--- a/ssl/ssl_ciph.c | ||
+++ b/ssl/ssl_ciph.c | ||
@@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,17 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Eneas U de Queiroz <[email protected]> | ||
Date: Sat, 27 Mar 2021 17:43:25 -0300 | ||
Subject: openssl.cnf: add engine configuration | ||
|
||
This adds configuration options for engines, loading all cnf files under | ||
/etc/ssl/engines.d/. | ||
|
||
Signed-off-by: Eneas U de Queiroz <[email protected]> | ||
|
||
diff --git a/apps/openssl.cnf b/apps/openssl.cnf | ||
--- a/apps/openssl.cnf | ||
+++ b/apps/openssl.cnf | ||
@@ -22,6 +22,99 @@ oid_section = new_oids | ||
@@ -22,6 +22,13 @@ oid_section = new_oids | ||
# (Alternatively, use a configuration file that has only | ||
# X.509v3 extensions in its main [= default] section.) | ||
|
||
|
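Review bot: the patch description added in this hunk says the cnf files are loaded from `/etc/ssl/engines.d/`, but the directive the patch actually inserts (`.include /etc/ssl/engines.cnf.d`, in the next hunk) and the commit message both use `/etc/ssl/engines.cnf.d`. Please correct the description so the next person refreshing the patch does not "fix" the path the wrong way round.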
@@ -9,93 +20,7 @@ | |
+[openssl_conf] | ||
+engines=engines | ||
+ | ||
+[engines] | ||
+# To enable an engine, install the package, and uncomment it here: | ||
+#devcrypto=devcrypto | ||
+#afalg=afalg | ||
+#padlock=padlock | ||
+##gost=gost | ||
+ | ||
+[afalg] | ||
+# Leave this alone and configure algorithms with CIPERS/DIGESTS below | ||
+default_algorithms = ALL | ||
+ | ||
+# The following commands are only available if using the alternative | ||
+# (sync) AFALG engine | ||
+# Configuration commands: | ||
+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a | ||
+# list of supported algorithms, along with their driver, whether they | ||
+# are hw accelerated or not, and the engine's configuration commands. | ||
+ | ||
+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) | ||
+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use | ||
+# if acceleration can't be determined) [default=2] | ||
+#USE_SOFTDRIVERS = 2 | ||
+ | ||
+# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a | ||
+# comma-separated list of ciphers to enable [default=NO_ECB] | ||
+# Starting in 1.2.0, if you use a cipher list, each cipher may be | ||
+# followed by a colon (:) and the minimum request length to use | ||
+# AF_ALG drivers for that cipher; smaller requests are processed by | ||
+# softare; a negative value will use the default for that cipher | ||
+#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0 | ||
+ | ||
+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to | ||
+# enable [default=NONE] | ||
+# It is strongly recommended not to enable digests; their performance | ||
+# is poor, and there are many cases in which they will not work, | ||
+# especially when calling fork with open crypto contexts. Openssh, | ||
+# for example, does this, and you may not be able to login. | ||
+#DIGESTS = NONE | ||
+ | ||
+[devcrypto] | ||
+# Leave this alone and configure algorithms with CIPERS/DIGESTS below | ||
+default_algorithms = ALL | ||
+ | ||
+# Configuration commands: | ||
+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a | ||
+# list of supported algorithms, along with their driver, whether they | ||
+# are hw accelerated or not, and the engine's configuration commands. | ||
+ | ||
+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) | ||
+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use | ||
+# if acceleration can't be determined) [default=2] | ||
+#USE_SOFTDRIVERS = 2 | ||
+ | ||
+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to | ||
+# enable [default=ALL] | ||
+# It is recommended to disable the ECB ciphers; in most cases, it will | ||
+# only be used for PRNG, in small blocks, where performance is poor, | ||
+# and there may be problems with apps forking with open crypto | ||
+# contexts, leading to failures. The CBC ciphers work well: | ||
+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC | ||
+ | ||
+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to | ||
+# enable [default=NONE] | ||
+# It is strongly recommended not to enable digests; their performance | ||
+# is poor, and there are many cases in which they will not work, | ||
+# especially when calling fork with open crypto contexts. Openssh, | ||
+# for example, does this, and you may not be able to login. | ||
+#DIGESTS = NONE | ||
+ | ||
+[padlock] | ||
+default_algorithms = ALL | ||
+ | ||
+[gost] | ||
+default_algorithms = ALL | ||
+# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the | ||
+# user to choose between different parameter sets of symmetric cipher | ||
+# algorithm. RFC 4357 specifies several parameters for the | ||
+# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface | ||
+# to choose one when encrypting. So use engine configuration parameter | ||
+# instead. | ||
+# Value of this parameter can be either short name, defined in OpenSSL | ||
+# obj_dat.h header file or numeric representation of OID, defined in | ||
+# RFC 4357. Defaults to id-tc26-gost-28147-param-Z | ||
+#CRYPT_PARAMS = id-tc26-gost-28147-param-Z | ||
+ | ||
+# PBE_PARAMS: Shortname of default digest alg for PBE | ||
+#PBE_PARAMS = | ||
+.include /etc/ssl/engines.cnf.d | ||
+ | ||
[ new_oids ] | ||
|
||
|
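Review bot: the `.include /etc/ssl/engines.cnf.d` line replaces roughly ninety lines of inline engine configuration with a directory include, so two properties of that directive are now load-bearing and deserve a comment next to it: OpenSSL only reads files from an included directory whose names end in `.cnf` or `.conf`, in whatever order the directory listing returns them, and a section referenced from engines.cnf (`devcrypto=devcrypto`) is resolved by name after all files are read, so order does not matter as long as the section exists somewhere. A leftover `devcrypto.cnf.orig` or a file saved without the suffix is skipped without any error, and the engine then simply does not load.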
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Eneas U de Queiroz <[email protected]> | ||
Date: Mon, 5 Nov 2018 15:54:17 -0200 | ||
Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT | ||
|
@@ -15,7 +15,6 @@ Reviewed-by: Richard Levitte <[email protected]> | |
(Merged from https://github.com/openssl/openssl/pull/7585) | ||
|
||
diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c | ||
index a727c6f646..a2c9a966f7 100644 | ||
--- a/crypto/engine/eng_devcrypto.c | ||
+++ b/crypto/engine/eng_devcrypto.c | ||
@@ -461,6 +461,7 @@ struct digest_ctx { | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Eneas U de Queiroz <[email protected]> | ||
Date: Tue, 6 Nov 2018 22:54:07 -0200 | ||
Subject: eng_devcrypto: add command to dump driver info | ||
|
@@ -12,7 +12,6 @@ Reviewed-by: Richard Levitte <[email protected]> | |
(Merged from https://github.com/openssl/openssl/pull/7585) | ||
|
||
diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c | ||
index 5ec38ca8f3..64dc6b891d 100644 | ||
--- a/crypto/engine/eng_devcrypto.c | ||
+++ b/crypto/engine/eng_devcrypto.c | ||
@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,7 +9,6 @@ engines/e_devcrypto.c. | |
Signed-off-by: Eneas U de Queiroz <[email protected]> | ||
|
||
diff --git a/crypto/engine/build.info b/crypto/engine/build.info | ||
index e00802a3fd..47fe948966 100644 | ||
--- a/crypto/engine/build.info | ||
+++ b/crypto/engine/build.info | ||
@@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\ | ||
|
@@ -20,7 +19,6 @@ index e00802a3fd..47fe948966 100644 | |
- SOURCE[../../libcrypto]=eng_devcrypto.c | ||
-ENDIF | ||
diff --git a/crypto/init.c b/crypto/init.c | ||
index 1b0d523bea..ee3e2eb075 100644 | ||
--- a/crypto/init.c | ||
+++ b/crypto/init.c | ||
@@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) | ||
|
@@ -86,7 +84,6 @@ index 1b0d523bea..ee3e2eb075 100644 | |
if ((opts & OPENSSL_INIT_ENGINE_PADLOCK) | ||
&& !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock)) | ||
diff --git a/engines/build.info b/engines/build.info | ||
index 1db771971c..33a25d7004 100644 | ||
--- a/engines/build.info | ||
+++ b/engines/build.info | ||
@@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}] | ||
|
@@ -116,7 +113,6 @@ diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c | |
similarity index 95% | ||
rename from crypto/engine/eng_devcrypto.c | ||
rename to engines/e_devcrypto.c | ||
index 2c1b52d572..eff1ed3a7d 100644 | ||
--- a/crypto/engine/eng_devcrypto.c | ||
+++ b/engines/e_devcrypto.c | ||
@@ -7,7 +7,7 @@ | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -20,7 +20,6 @@ turn them on if it is safe and fast enough. | |
Signed-off-by: Eneas U de Queiroz <[email protected]> | ||
|
||
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c | ||
index 3fcd81de7a..d25230d366 100644 | ||
--- a/engines/e_devcrypto.c | ||
+++ b/engines/e_devcrypto.c | ||
@@ -852,7 +852,7 @@ static void prepare_digest_methods(void) | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,7 +9,6 @@ session. It may have been closed by another process after a fork. | |
Signed-off-by: Eneas U de Queiroz <[email protected]> | ||
|
||
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c | ||
index d25230d366..f4570f1666 100644 | ||
--- a/engines/e_devcrypto.c | ||
+++ b/engines/e_devcrypto.c | ||
@@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, | ||
|