[0/3] Engine configuration series

Message ID	20210428121704.19707-1-cotequeiroz@gmail.com
Headers	show Return-Path: <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org> From: Eneas U de Queiroz <cotequeiroz@gmail.com> To: openwrt-devel@lists.openwrt.org Cc: Eneas U de Queiroz <cotequeiroz@gmail.com>, Daniel Danzberger <daniel@dd-wrt.com>, Florian Eckert <fe@dev.tdt.de> Subject: [PATCH 0/3] Engine configuration series Date: Wed, 28 Apr 2021 09:17:01 -0300 Message-Id: <20210428121704.19707-1-cotequeiroz@gmail.com> MIME-Version: 1.0 preview: This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed. The series split is subject to discussion: - the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:82a listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [cotequeiroz[at]gmail.com] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org> Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org
Series	Engine configuration series \| expand [0/3] Engine configuration series [1/3] openssl: config engines in /etc/ssl/engines.cnf.d [2/3] openssl: configure engine packages during install [3/3] openssl: configure engines with uci

Message ID

20210428121704.19707-1-cotequeiroz@gmail.com

Headers

From: Eneas U de Queiroz <cotequeiroz@gmail.com>
To: openwrt-devel@lists.openwrt.org
Cc: Eneas U de Queiroz <cotequeiroz@gmail.com>,
 Daniel Danzberger <daniel@dd-wrt.com>, Florian Eckert <fe@dev.tdt.de>
Subject: [PATCH 0/3] Engine configuration series
Date: Wed, 28 Apr 2021 09:17:01 -0300
Message-Id: <20210428121704.19707-1-cotequeiroz@gmail.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
Errors-To: 
 openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org

Series

Engine configuration series | expand

Message

Eneas U de Queiroz April 28, 2021, 12:17 p.m. UTC

This series builds upon what was first started by Daniel Danzberger,
with some suggestions by Florian Eckert to enable the engines when they
are installed.

The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and
  also splits the configuration from one monolithic file to one file per
  engine, and also an engines list.
- the sencond implements my first proposal, of enabling engines during
  their installation.  It introduces an engine.mk file that provides
  menu placement, basic dependencies and the postinst, postrm functions
  for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines
  list generation during startup, or when an engine package is
  installed or removed.

The first commit received basic testing on mvebu running master,
covering afalg and devcrpto engines built as modules.

The second and third commits had testing expanded to checking built-in
engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be
squashed if 3 is merged.  The first one is just cleanup, and the second
adds complexity that ended up being removed by the third commit.
Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration
commands, but it would drop the documentation provided by the current
config files.  Besides, each engine has its own options, which would
add complexity to config generation if you are to actually verify them.
Passing unknown commands straight from uci to the config files would be
simple and work, but it would be hard to find what options are
available, compared to just reading the example configs provided
otherwise.

openssl engine -vv would show the commands, with some basic description
of them, but getting the supported arguments may not be straightforward.
For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89
parameters".  All I could do to help was to point to a header file where
the actual list of supported parameters is defined.

After this is merged, I will adapt the two engines in the packages feed.

Eneas U de Queiroz (3):
  openssl: config engines in /etc/ssl/engines.cnf.d
  openssl: configure engine packages during install
  openssl: configure engines with uci

 package/libs/openssl/Makefile                 |  55 +++++-----
 package/libs/openssl/engine.mk                |  42 ++++++++
 package/libs/openssl/files/afalg.cnf          |  32 ++++++
 package/libs/openssl/files/devcrypto.cnf      |  31 ++++++
 package/libs/openssl/files/engines.cnf        |   7 ++
 .../libs/openssl/files/openssl-engines.init   |  19 ++++
 package/libs/openssl/files/openssl.init       |  31 ++++++
 package/libs/openssl/files/padlock.cnf        |   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch        |   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch    | 100 +++---------------
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 20 files changed, 213 insertions(+), 140 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/openssl-engines.init
 create mode 100755 package/libs/openssl/files/openssl.init
 create mode 100644 package/libs/openssl/files/padlock.cnf

Comments

Florian Eckert April 29, 2021, 6:52 a.m. UTC | #1

Hello Eneas,

On 2021-04-28 14:17, Eneas U de Queiroz wrote:
> This series builds upon what was first started by Daniel Danzberger,
> with some suggestions by Florian Eckert to enable the engines when they
> are installed.
> 
> The series split is subject to discussion:
> - the first commit does a patch cleanup proposed by Rosen Penev, and
>   also splits the configuration from one monolithic file to one file 
> per
>   engine, and also an engines list.
> - the sencond implements my first proposal, of enabling engines during
>   their installation.  It introduces an engine.mk file that provides
>   menu placement, basic dependencies and the postinst, postrm functions
>   for engine packages, and can be used for out of tree engine packages.
> - the third commit introduces uci configuration, and does the engines
>   list generation during startup, or when an engine package is
>   installed or removed.
> 
> The first commit received basic testing on mvebu running master,
> covering afalg and devcrpto engines built as modules.
> 
> The second and third commits had testing expanded to checking built-in
> engine builds.
> 
> I have not squashed the commits, but I do think that 2 and 3 may be
> squashed if 3 is merged.  The first one is just cleanup, and the second
> adds complexity that ended up being removed by the third commit.
> Nonetheless, all of them result in a working package.
> 
> I thought about expanding uci support to include other configuration
> commands, but it would drop the documentation provided by the current
> config files.  Besides, each engine has its own options, which would
> add complexity to config generation if you are to actually verify them.
> Passing unknown commands straight from uci to the config files would be
> simple and work, but it would be hard to find what options are
> available, compared to just reading the example configs provided
> otherwise.

I think the uci config options are great, you can build on
them and make the configuration for openssl better and can
finally be configured with the uci.

> openssl engine -vv would show the commands, with some basic description
> of them, but getting the supported arguments may not be 
> straightforward.
> For example, gost engine has "CRYPT_PARAMS: OID of default GOST 
> 28147-89
> parameters".  All I could do to help was to point to a header file 
> where
> the actual list of supported parameters is defined.

The only thing I have to say is that if the configuration no longer 
fits, then we
have a non-functioning openssl! You just have to know what you
are doing when you change the openssl configuration.

> After this is merged, I will adapt the two engines in the packages 
> feed.

I think we have to validate the uci options in the future in
the openssl service on startup.


Regards

Florian