This allows configuration (such as enabling providers) to be done by
adding snippet files to /etc/ssl/openssl.cnf.d instead of modifying a
copy of the full configuration file. Because new snippets can be added from
separate recipes, targeted changes can be made in multiple layers.
For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
containing something like:
[default_sect]
activate = 1
[provider_sect]
pkcs11 = pkcs11_sect
[pkcs11_sect]
pkcs11-module-path = /usr/lib/libckteec.so.0
pkcs11-module-quirks = no-operation-state no-deinit
pkcs11-module-encode-provider-uri-to-pem = true
activate = 1
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
fi
}
+do_install:append:class-target () {
+ # Add support for config snippet includes
+ echo "" >> ${D}${sysconfdir}/ssl/openssl.cnf
+ echo ".include ${sysconfdir}/ssl/openssl.cnf.d" >> ${D}${sysconfdir}/ssl/openssl.cnf
+ install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
+}
+
do_install:append:class-native () {
create_wrapper ${D}${bindir}/openssl \
OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \