openssl: add legacy provider
This adapts the engine build infrastructure to allow building providers,
and packages the legacy provider. Providers are the successors of
engines, which have been deprecated.
The legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool.
Even though these algorithms are implemented in a separate package,
their removal makes the regular library smaller by 3%, so the build
options will remain to allow lean custom builds. Their defaults will
change to 'y' if not bulding for a small flash, so that the regular
legacy package will contain a complete set of algorithms.
The engine build and configuration structure was changed to accomodate
providers, and adapt to the new style of openssl.cnf in version 3.0.
There is not a clean upgrade path for the /etc/ssl/openssl.cnf file,
installed by the openssl-conf package. It is recommended to rename or
remove the old config file when flashing an image with the updated
openssl-conf package, then apply the changes manually.
An old openssl.cnf file will silently work, but new engine or provider
packages will not be enabled. Any remaining engine config files under
/etc/ssl/engines.cnf.d can be removed.
On the build side, the include file used by engine packages was renamed
to openssl-module.mk, so the engine packages in other feeds need to
adapt.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-03-10 20:53:25 +00:00
|
|
|
[devcrypto_sect]
|
2022-02-21 00:09:28 +00:00
|
|
|
# Leave this alone and configure algorithms with CIPERS/DIGESTS below
|
|
|
|
default_algorithms = ALL
|
|
|
|
|
|
|
|
# Configuration commands:
|
|
|
|
# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
|
|
|
|
# list of supported algorithms, along with their driver, whether they
|
|
|
|
# are hw accelerated or not, and the engine's configuration commands.
|
|
|
|
|
|
|
|
# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
|
|
|
|
# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
|
|
|
|
# if acceleration can't be determined) [default=2]
|
|
|
|
#USE_SOFTDRIVERS = 2
|
|
|
|
|
|
|
|
# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
|
|
|
|
# enable [default=ALL]
|
|
|
|
# It is recommended to disable the ECB ciphers; in most cases, it will
|
|
|
|
# only be used for PRNG, in small blocks, where performance is poor,
|
|
|
|
# and there may be problems with apps forking with open crypto
|
2023-03-06 14:58:56 +00:00
|
|
|
# contexts, leading to failures. The CBC ciphers work well.
|
|
|
|
CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, \
|
|
|
|
AES-128-CTR, AES-192-CTR, AES-256-CTR
|
2022-02-21 00:09:28 +00:00
|
|
|
|
|
|
|
# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
|
|
|
|
# enable [default=NONE]
|
|
|
|
# It is strongly recommended not to enable digests; their performance
|
|
|
|
# is poor, and there are many cases in which they will not work,
|
|
|
|
# especially when calling fork with open crypto contexts. Openssh,
|
|
|
|
# for example, does this, and you may not be able to login.
|
2023-03-06 14:58:56 +00:00
|
|
|
# Sysupgrade will fail as well. If you're adventurous enough to change
|
|
|
|
# this, you should change it back to NONE, and reboot before running
|
|
|
|
# sysupgrade!
|
|
|
|
DIGESTS = NONE
|
2022-02-21 00:09:28 +00:00
|
|
|
|