From 798ff37aaac91262b70b00394374fe1ee45d973d Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 19 Mar 2020 16:12:14 -0300 Subject: [PATCH] openssl: add configuration example for afalg-sync This adds commented configuration help for the alternate, afalg-sync engine to /etc/ssl/openssl.cnf. Signed-off-by: Eneas U de Queiroz (cherry picked from commit d9d689589b96bd80e57e5c603d84d6ee95049800) --- package/libs/openssl/Makefile | 2 +- .../150-openssl.cnf-add-engines-conf.patch | 31 ++++++++++++++++++- 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index eb267f31f0..ca393be88f 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=d PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch index 6c7143dd7e..81d41963c6 100644 --- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -1,6 +1,6 @@ --- a/apps/openssl.cnf +++ b/apps/openssl.cnf -@@ -22,6 +22,53 @@ oid_section = new_oids +@@ -22,6 +22,82 @@ oid_section = new_oids # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) @@ -16,8 +16,37 @@ +#padlock=padlock + +[afalg] ++# Leave this alone and configure algorithms with CIPERS/DIGESTS below +default_algorithms = ALL + ++# The following commands are only available if using the alternative ++# (sync) AFALG engine ++# Configuration commands: ++# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a ++# list of supported algorithms, along with their driver, whether they ++# are hw accelerated or not, and the engine's configuration commands. ++ ++# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) ++# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use ++# if acceleration can't be determined) [default=2] ++#USE_SOFTDRIVERS = 2 ++ ++# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a ++# comma-separated list of ciphers to enable [default=NO_ECB] ++# Starting in 1.2.0, if you use a cipher list, each cipher may be ++# followed by a colon (:) and the minimum request length to use ++# AF_ALG drivers for that cipher; smaller requests are processed by ++# softare; a negative value will use the default for that cipher ++#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0 ++ ++# DIGESTS: either ALL, NONE, or a comma-separated list of digests to ++# enable [default=NONE] ++# It is strongly recommended not to enable digests; their performance ++# is poor, and there are many cases in which they will not work, ++# especially when calling fork with open crypto contexts. Openssh, ++# for example, does this, and you may not be able to login. ++#DIGESTS = NONE ++ +[devcrypto] +# Leave this alone and configure algorithms with CIPERS/DIGESTS below +default_algorithms = ALL -- 2.25.1