openssl: always build with GOST engine support

The packages feed has a proposed package for a GOST engine, which needs support from the main openssl library. It is a default option in OpenSSL. All that needs to be done here is to not disable it. Package increases by a net 1-byte, so it is not really really worth keeping this optional. This commit also includes a commented-out example engine configuration in openssl.cnf, as it is done for other available engines. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-17 21:50:08 -03:00 · 2021-02-17 21:50:08 -03:00 · 12a80e44b9
commit 12a80e44b9
parent 06356f0020
3 changed files with 19 additions and 18 deletions
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@ -293,15 +293,4 @@ config OPENSSL_WITH_ASYNC
 		initiate crypto operations asynchronously. In order to work
 		this will require the presence of an async capable engine.

-config OPENSSL_WITH_GOST
-	bool
-	prompt "Prepare library for GOST engine"
-	depends on OPENSSL_ENGINE
-	help
-		This option prepares the library to accept engine support
-		for Russian GOST crypto algorithms.
-		The gost engine is not included in standard openwrt feeds.
-		To build such engine yourself, see:
-		https://github.com/gost-engine/engine
-
 endif
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=j
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1

@ -52,7 +52,6 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_OPENSSL_WITH_DTLS \
 	CONFIG_OPENSSL_WITH_EC2M \
 	CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
-	CONFIG_OPENSSL_WITH_GOST \
 	CONFIG_OPENSSL_WITH_IDEA \
 	CONFIG_OPENSSL_WITH_MDC2 \
 	CONFIG_OPENSSL_WITH_NPN \
@ -289,10 +288,6 @@ else
  OPENSSL_OPTIONS += no-engine
 endif

-ifndef CONFIG_OPENSSL_WITH_GOST
-  OPENSSL_OPTIONS += no-gost
-endif
-
 ifndef CONFIG_OPENSSL_WITH_DTLS
  OPENSSL_OPTIONS += no-dtls
 endif
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@ -1,6 +1,6 @@
 --- a/apps/openssl.cnf
 +++ b/apps/openssl.cnf
-@@ -22,6 +22,82 @@ oid_section		= new_oids
+@@ -22,6 +22,99 @@ oid_section		= new_oids
 # (Alternatively, use a configuration file that has only
 # X.509v3 extensions in its main [= default] section.)
 
@ -14,6 +14,7 @@
 +#devcrypto=devcrypto
 +#afalg=afalg
 +#padlock=padlock
+##gost=gost
 +
 +[afalg]
 +# Leave this alone and configure algorithms with CIPERS/DIGESTS below
@ -79,6 +80,22 @@
 +
 +[padlock]
 +default_algorithms = ALL
+
+[gost]
+default_algorithms = ALL
+# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the
+# user to choose between different parameter sets of symmetric cipher
+# algorithm. RFC 4357 specifies several parameters for the
+# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface
+# to choose one when encrypting. So use engine configuration parameter
+# instead.
+# Value of this parameter can be either short name, defined in OpenSSL
+# obj_dat.h header file or numeric representation of OID, defined in
+# RFC 4357.  Defaults to id-tc26-gost-28147-param-Z
+#CRYPT_PARAMS = id-tc26-gost-28147-param-Z
+
+# PBE_PARAMS: Shortname of default digest alg for PBE
+#PBE_PARAMS =
 +
 [ new_oids ]