* [Buildroot] [PATCH 1/5] package/openvpn: add systemd support
From: aduskett at gmail.com @ 2019-10-28 21:24 UTC (permalink / raw)
  To: buildroot

From: Adam Duskett <Aduskett@gmail.com>

If the systemd package is selected, add the package to the
dependency list and explicitly set --enable-systemd.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
 package/openvpn/openvpn.mk | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/package/openvpn/openvpn.mk b/package/openvpn/openvpn.mk
index 4c6956fe12..75dde04493 100644
--- a/package/openvpn/openvpn.mk
+++ b/package/openvpn/openvpn.mk
@@ -38,6 +38,13 @@ else
 OPENVPN_CONF_OPTS += --disable-lzo
 endif
 
+ifeq ($(BR2_PACKAGE_SYSTEMD),y)
+OPENVPN_DEPENDENCIES += systemd
+OPENVPN_CONF_OPTS += --enable-systemd
+else
+OPENVPN_CONF_OPTS += --disable-systemd
+endif
+
 define OPENVPN_INSTALL_TARGET_CMDS
 	$(INSTALL) -m 755 $(@D)/src/openvpn/openvpn \
 		$(TARGET_DIR)/usr/sbin/openvpn
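Review bot: the commit message only mentions setting --enable-systemd, but the else branch of the new block also starts passing --disable-systemd, so builds without BR2_PACKAGE_SYSTEMD move from whatever configure decided on its own to an explicit disable. That is the right direction for reproducible builds; please say so in the commit message so the change for non-systemd configurations is recorded.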
-- 
2.21.0


* [Buildroot] [PATCH 2/5] package/openvpn: add libselinux support
From: aduskett at gmail.com @ 2019-10-28 21:24 UTC (permalink / raw)
  To: buildroot

From: Adam Duskett <Aduskett@gmail.com>

If the libselinux package is selected, add the package to the
dependency list and explicitly set --enable-selinux.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
 package/openvpn/openvpn.mk | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/package/openvpn/openvpn.mk b/package/openvpn/openvpn.mk
index 75dde04493..277b072deb 100644
--- a/package/openvpn/openvpn.mk
+++ b/package/openvpn/openvpn.mk
@@ -38,6 +38,13 @@ else
 OPENVPN_CONF_OPTS += --disable-lzo
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+OPENVPN_DEPENDENCIES += libselinux
+OPENVPN_CONF_OPTS += --enable-selinux
+else
+OPENVPN_CONF_OPTS += --disable-selinux
+endif
+
 ifeq ($(BR2_PACKAGE_SYSTEMD),y)
 OPENVPN_DEPENDENCIES += systemd
 OPENVPN_CONF_OPTS += --enable-systemd
-- 
2.21.0


* [Buildroot] [PATCH 3/5] package/openvpn: enable pam plugin support
From: aduskett at gmail.com @ 2019-10-28 21:24 UTC (permalink / raw)
  To: buildroot

From: Adam Duskett <Aduskett@gmail.com>

Add a configuration option to enable the auth-pam plugin. Explicitly set the
--enable-plugin-auth-pam and depend on linux-pam if the pam-plugin option is
selected.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
 package/openvpn/openvpn.mk | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/package/openvpn/openvpn.mk b/package/openvpn/openvpn.mk
index 277b072deb..202f9a94af 100644
--- a/package/openvpn/openvpn.mk
+++ b/package/openvpn/openvpn.mk
@@ -11,7 +11,6 @@ OPENVPN_DEPENDENCIES = host-pkgconf openssl
 OPENVPN_LICENSE = GPL-2.0
 OPENVPN_LICENSE_FILES = COPYRIGHT.GPL
 OPENVPN_CONF_OPTS = \
-	--disable-plugin-auth-pam \
 	--enable-iproute2 \
 	--with-crypto-library=openssl \
 	$(if $(BR2_STATIC_LIBS),--disable-plugins)
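Review bot: with --disable-plugin-auth-pam dropped from the base OPENVPN_CONF_OPTS, the remaining "$(if $(BR2_STATIC_LIBS),--disable-plugins)" line can now be combined with --enable-plugin-auth-pam from the block added further down, because nothing visible here stops the PAM option from being selected on a static build. The new Config.in option should carry "depends on !BR2_STATIC_LIBS" (plus whatever linux-pam itself requires), or the .mk condition should also test BR2_STATIC_LIBS, so configure never receives both flags.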
@@ -45,6 +44,13 @@ else
 OPENVPN_CONF_OPTS += --disable-selinux
 endif
 
+ifeq ($(BR2_PACKAGE_OPENVPN_PAM_PLUGIN),y)
+OPENVPN_DEPENDENCIES += linux-pam
+OPENVPN_CONF_OPTS += 	--enable-plugin-auth-pam
+else
+OPENVPN_CONF_OPTS += 	--disable-plugin-auth-pam
+endif
+
 ifeq ($(BR2_PACKAGE_SYSTEMD),y)
 OPENVPN_DEPENDENCIES += systemd
 OPENVPN_CONF_OPTS += --enable-systemd
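Review bot: BR2_PACKAGE_OPENVPN_PAM_PLUGIN in the ifeq is not defined anywhere in this patch; the diffstat lists only package/openvpn/openvpn.mk, so the condition can never be true and every build takes the --disable-plugin-auth-pam branch. Add the matching entry to package/openvpn/Config.in in the same patch, with a select or depends on for linux-pam. The two added OPENVPN_CONF_OPTS lines also have a tab after "+=", where the neighbouring blocks use a single space.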
-- 
2.21.0


* [Buildroot] [PATCH 4/5] pkcs11-helper: new package
From: aduskett at gmail.com @ 2019-10-28 21:24 UTC (permalink / raw)
  To: buildroot

From: Adam Duskett <Aduskett@gmail.com>

pkcs11-helper is a library that simplifies the interaction with PKCS#11
providers for end-user applications. Pkcs11-helper allows using multiple
PKCS#11 providers at the same time, enumerating available token
certificates, or selecting a certificate directly by serialized id, handling
card removal and card insert events, handling card re-insert to a different
slot, supporting session expiration and much more all using a simple API.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
 DEVELOPERS                               |  1 +
 package/Config.in                        |  1 +
 package/pkcs11-helper/Config.in          | 51 ++++++++++++++++++++++++
 package/pkcs11-helper/pkcs11-helper.hash |  3 ++
 package/pkcs11-helper/pkcs11-helper.mk   | 51 ++++++++++++++++++++++++
 5 files changed, 107 insertions(+)
 create mode 100644 package/pkcs11-helper/Config.in
 create mode 100644 package/pkcs11-helper/pkcs11-helper.hash
 create mode 100644 package/pkcs11-helper/pkcs11-helper.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index f41ac5f096..bb8ccfc916 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -52,6 +52,7 @@ F:	package/nginx-naxsi/
 F:	package/openjdk/
 F:	package/openjdk-bin/
 F:	package/php/
+F:	package/pkcs11-helper/
 F:	package/policycoreutils/
 F:	package/python3/
 F:	package/python-aioredis/
diff --git a/package/Config.in b/package/Config.in
index a1ac5069aa..91e8f02cb4 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1259,6 +1259,7 @@ menu "Crypto"
 	source "package/mbedtls/Config.in"
 	source "package/nettle/Config.in"
 	source "package/openssl/Config.in"
+	source "package/pkcs11-helper/Config.in"
 	source "package/rhash/Config.in"
 	source "package/tinydtls/Config.in"
 	source "package/tpm2-tss/Config.in"
diff --git a/package/pkcs11-helper/Config.in b/package/pkcs11-helper/Config.in
new file mode 100644
index 0000000000..4ed9217fa9
--- /dev/null
+++ b/package/pkcs11-helper/Config.in
@@ -0,0 +1,51 @@
+config BR2_PACKAGE_PKCS11_HELPER
+	bool "pkcs11-helper"
+	help
+	  pkcs11-helper is a library that simplifies the interaction
+	  with PKCS#11 providers for end-user applications.
+
+	  pkcs11-helper allows using multiple PKCS#11 providers at the
+	  same time, enumerating available token certificates, or
+	  selecting a certificate directly by serialized id, handling
+	  card removal and card insert events, handling card re-insert
+	  to a different slot, supporting session expiration and much
+	  more all using a simple API.
+
+	  pkcs11-helper is not designed to manage card content, since
+	  object attributes are usually vendor specific, and 99% of
+	  application need to access existing objects in order to
+	  perform signature and decryption.
+
+	  https://github.com/OpenSC/pkcs11-helper
+
+if BR2_PACKAGE_PKCS11_HELPER
+
+config BR2_PACKAGE_PKCS11_HELPER_GNUTLS_ENGINE
+	bool "gnutls engine support"
+	depends on !BR2_STATIC_LIBS
+	depends on BR2_USE_WCHAR
+	select BR2_PACKAGE_GNUTLS
+
+comment "gnutls support needs a toolchain w/ wchar, dynamic library"
+	depends on !BR2_USE_WCHAR || BR2_STATIC_LIBS
+
+config BR2_PACKAGE_PKCS11_HELPER_MBEDTLS_ENGINE
+	bool "mbedtls engine support"
+	select BR2_PACKAGE_MBEDTLS
+
+config BR2_PACKAGE_PKCS11_HELPER_NSS_ENGINE
+	bool "nss engine support"
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libnspr
+	depends on BR2_PACKAGE_LIBNSPR_ARCH_SUPPORT # libnspr
+	depends on !BR2_STATIC_LIBS
+	select BR2_PACKAGE_LIBNSS
+
+comment "nss support needs a toolchain w/ threads, dynamic library"
+	depends on BR2_PACKAGE_LIBNSPR_ARCH_SUPPORT
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
+
+config BR2_PACKAGE_PKCS11_HELPER_OPENSSL_ENGINE
+	bool "openssl engine support"
+	select BR2_PACKAGE_OPENSSL
+
+endif
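Review bot: none of the four *_ENGINE options has help text or a default, so enabling only BR2_PACKAGE_PKCS11_HELPER gives a library configured with every --disable-crypto-engine-* flag from the .mk file, which is not obvious from the menu. Either describe in the help what a build without any engine is good for, or let an engine follow a crypto library that is already selected instead of asking the user to pick one by hand. Small wording point in the main help text: "99% of application need" should read "applications need".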
diff --git a/package/pkcs11-helper/pkcs11-helper.hash b/package/pkcs11-helper/pkcs11-helper.hash
new file mode 100644
index 0000000000..28ef74b410
--- /dev/null
+++ b/package/pkcs11-helper/pkcs11-helper.hash
@@ -0,0 +1,3 @@
+# Locally computed
+sha256  fbcec9dd15a71d6ef22b09f63934c66d7d0292fefbaf3a60703ee4a9a73bf6a5  pkcs11-helper-pkcs11-helper-1.25.1.tar.gz
+sha256  b8a2f73f743dc1a51aff23f1aacbca4b868564db52496fa3c0caba755bfd1eaf  COPYING
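Review bot: the only provenance given for the tarball hash is "# Locally computed", so the sha256 pins what the submitter happened to download and is not checked against anything upstream publishes. If upstream provides a release checksum or signature, record where it came from in the comment; if not, say that the archive is the GitHub-generated one so a later hash mismatch can be interpreted. Any file added to PKCS11_HELPER_LICENSE_FILES later also needs its own line here, since only COPYING is covered.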
diff --git a/package/pkcs11-helper/pkcs11-helper.mk b/package/pkcs11-helper/pkcs11-helper.mk
new file mode 100644
index 0000000000..07a0c046ad
--- /dev/null
+++ b/package/pkcs11-helper/pkcs11-helper.mk
@@ -0,0 +1,51 @@
+################################################################################
+#
+# pkcs11-helper
+#
+################################################################################
+
+PKCS11_HELPER_VERSION = pkcs11-helper-1.25.1
+PKCS11_HELPER_SITE = $(call github,OpenSC,pkcs11-helper,$(PKCS11_HELPER_VERSION))
+PKCS11_HELPER_LICENSE = GPL-2.0
+PKCS11_HELPER_LICENSE_FILES = COPYING
+PKCS11_HELPER_AUTORECONF = YES
+PKCS11_HELPER_INSTALL_STAGING = YES
+
+PKCS11_HELPER_CONF_OPTS = \
+	--disable-crypto-engine-polarssl \
+	--disable-crypto-engine-cryptoapi \
+	--disable-dependency-tracking
+
+ifeq ($(BR2_PACKAGE_PKCS11_HELPER_GNUTLS_ENGINE),y)
+PKCS11_HELPER_DEPENDENCIES += gnutls
+PKCS11_HELPER_CONF_OPTS += --enable-crypto-engine-gnutls
+else
+PKCS11_HELPER_CONF_OPTS += --disable-crypto-engine-gnutls
+endif
+
+ifeq ($(BR2_PACKAGE_PKCS11_HELPER_NSS_ENGINE),y)
+PKCS11_HELPER_DEPENDENCIES += libnss
+PKCS11_HELPER_CONF_OPTS += --enable-crypto-engine-nss
+else
+PKCS11_HELPER_CONF_OPTS += --disable-crypto-engine-nss
+endif
+
+ifeq ($(BR2_PACKAGE_PKCS11_HELPER_MBEDTLS_ENGINE),y)
+PKCS11_HELPER_DEPENDENCIES += mbedtls
+PKCS11_HELPER_CONF_OPTS += --enable-crypto-engine-mbedtls
+else
+PKCS11_HELPER_CONF_OPTS += --disable-crypto-engine-mbedtls
+endif
+
+ifeq ($(BR2_PACKAGE_PKCS11_HELPER_OPENSSL_ENGINE),y)
+PKCS11_HELPER_DEPENDENCIES += openssl
+PKCS11_HELPER_CONF_OPTS += \
+	--enable-openssl \
+	--enable-crypto-engine-openssl
+else
+PKCS11_HELPER_CONF_OPTS += \
+	--disable-openssl \
+	--disable-crypto-engine-openssl
+endif
+
+$(eval $(autotools-package))
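Review bot: PKCS11_HELPER_VERSION is set to "pkcs11-helper-1.25.1", which puts the tag prefix into the version string and produces the doubled archive name "pkcs11-helper-pkcs11-helper-1.25.1.tar.gz" seen in the .hash file. Keep the version as 1.25.1 and add the prefix inside the github call in PKCS11_HELPER_SITE, then regenerate the hash entry for the new file name. PKCS11_HELPER_AUTORECONF = YES would also benefit from a one-line comment saying why it is needed.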
-- 
2.21.0


* [Buildroot] [PATCH 5/5] package/openvpn: add pkcs11 support
From: aduskett at gmail.com @ 2019-10-28 21:24 UTC (permalink / raw)
  To: buildroot

From: Adam Duskett <Aduskett@gmail.com>

If the pkcs11-helper package is selected, add the package to the
dependency list and explicitly set --enable-pkcs11.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
 package/openvpn/openvpn.mk | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/package/openvpn/openvpn.mk b/package/openvpn/openvpn.mk
index 202f9a94af..a01edfa8ba 100644
--- a/package/openvpn/openvpn.mk
+++ b/package/openvpn/openvpn.mk
@@ -51,6 +51,13 @@ else
 OPENVPN_CONF_OPTS += 	--disable-plugin-auth-pam
 endif
 
+ifeq ($(BR2_PACKAGE_PKCS11_HELPER),y)
+OPENVPN_DEPENDENCIES += pkcs11-helper
+OPENVPN_CONF_OPTS += --enable-pkcs11
+else
+OPENVPN_CONF_OPTS += --disable-pkcs11
+endif
+
 ifeq ($(BR2_PACKAGE_SYSTEMD),y)
 OPENVPN_DEPENDENCIES += systemd
 OPENVPN_CONF_OPTS += --enable-systemd
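Review bot: the ifeq tests only BR2_PACKAGE_PKCS11_HELPER, while openvpn.mk configures OpenVPN with --with-crypto-library=openssl and patch 4/5 makes the OpenSSL engine of pkcs11-helper a separate, off-by-default option. Please confirm that --enable-pkcs11 configures and links when pkcs11-helper was built with --disable-openssl; if it does not, the condition should test BR2_PACKAGE_PKCS11_HELPER_OPENSSL_ENGINE, or the OpenVPN side should select it. The context line above still carries the tab after "+=" introduced in patch 3/5.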
-- 
2.21.0


* [Buildroot] [PATCH 1/5] package/openvpn: add systemd support
From: Arnout Vandecappelle @ 2019-10-29 23:09 UTC (permalink / raw)
  To: buildroot



On 28/10/2019 22:24, aduskett at gmail.com wrote:
> From: Adam Duskett <Aduskett@gmail.com>
> 
> If the systemd package is selected, add the package to the
> dependency list and explicitly set --enable-systemd.
> 
> Signed-off-by: Adam Duskett <Aduskett@gmail.com>

 Applied to master, thanks.

 Regards,
 Arnout

> ---
>  package/openvpn/openvpn.mk | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/package/openvpn/openvpn.mk b/package/openvpn/openvpn.mk
> index 4c6956fe12..75dde04493 100644
> --- a/package/openvpn/openvpn.mk
> +++ b/package/openvpn/openvpn.mk
> @@ -38,6 +38,13 @@ else
>  OPENVPN_CONF_OPTS += --disable-lzo
>  endif
>  
> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
> +OPENVPN_DEPENDENCIES += systemd
> +OPENVPN_CONF_OPTS += --enable-systemd
> +else
> +OPENVPN_CONF_OPTS += --disable-systemd
> +endif
> +
>  define OPENVPN_INSTALL_TARGET_CMDS
>  	$(INSTALL) -m 755 $(@D)/src/openvpn/openvpn \
>  		$(TARGET_DIR)/usr/sbin/openvpn
> 


* [Buildroot] [PATCH 2/5] package/openvpn: add libselinux support
From: Arnout Vandecappelle @ 2019-10-29 23:10 UTC (permalink / raw)
  To: buildroot



On 28/10/2019 22:24, aduskett at gmail.com wrote:
> From: Adam Duskett <Aduskett@gmail.com>
> 
> If the libselinux package is selected, add the package to the
> dependency list and explicitly set --enable-selinux.
> 
> Signed-off-by: Adam Duskett <Aduskett@gmail.com>

 Applied to master, thanks.

 Regards,
 Arnout

> ---
>  package/openvpn/openvpn.mk | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/package/openvpn/openvpn.mk b/package/openvpn/openvpn.mk
> index 75dde04493..277b072deb 100644
> --- a/package/openvpn/openvpn.mk
> +++ b/package/openvpn/openvpn.mk
> @@ -38,6 +38,13 @@ else
>  OPENVPN_CONF_OPTS += --disable-lzo
>  endif
>  
> +ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
> +OPENVPN_DEPENDENCIES += libselinux
> +OPENVPN_CONF_OPTS += --enable-selinux
> +else
> +OPENVPN_CONF_OPTS += --disable-selinux
> +endif
> +
>  ifeq ($(BR2_PACKAGE_SYSTEMD),y)
>  OPENVPN_DEPENDENCIES += systemd
>  OPENVPN_CONF_OPTS += --enable-systemd
> 


* [Buildroot] [PATCH 3/5] package/openvpn: enable pam plugin support
From: Arnout Vandecappelle @ 2019-10-29 23:11 UTC (permalink / raw)
  To: buildroot



On 28/10/2019 22:24, aduskett at gmail.com wrote:
> From: Adam Duskett <Aduskett@gmail.com>
> 
> Add a configuration option to enable the auth-pam plugin. Explicitly set the
> --enable-plugin-auth-pam and depend on linux-pam if the pam-plugin option is
> selected.
> 
> Signed-off-by: Adam Duskett <Aduskett@gmail.com>
> ---
>  package/openvpn/openvpn.mk | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/package/openvpn/openvpn.mk b/package/openvpn/openvpn.mk
> index 277b072deb..202f9a94af 100644
> --- a/package/openvpn/openvpn.mk
> +++ b/package/openvpn/openvpn.mk
> @@ -11,7 +11,6 @@ OPENVPN_DEPENDENCIES = host-pkgconf openssl
>  OPENVPN_LICENSE = GPL-2.0
>  OPENVPN_LICENSE_FILES = COPYRIGHT.GPL
>  OPENVPN_CONF_OPTS = \
> -	--disable-plugin-auth-pam \
>  	--enable-iproute2 \
>  	--with-crypto-library=openssl \
>  	$(if $(BR2_STATIC_LIBS),--disable-plugins)
> @@ -45,6 +44,13 @@ else
>  OPENVPN_CONF_OPTS += --disable-selinux
>  endif
>  
> +ifeq ($(BR2_PACKAGE_OPENVPN_PAM_PLUGIN),y)

 This symbol doesn't exist, I guess you forgot to git add your Config.in changes.

 Also, can you explain (in the commit message) why you want an explicit option
for this instead of an automatic one?

> +OPENVPN_DEPENDENCIES += linux-pam
> +OPENVPN_CONF_OPTS += 	--enable-plugin-auth-pam

 We normally don't use tabs to align.

 Regards,
 Arnout

> +else
> +OPENVPN_CONF_OPTS += 	--disable-plugin-auth-pam
> +endif
> +
>  ifeq ($(BR2_PACKAGE_SYSTEMD),y)
>  OPENVPN_DEPENDENCIES += systemd
>  OPENVPN_CONF_OPTS += --enable-systemd
> 


* [Buildroot] [PATCH 4/5] pkcs11-helper: new package
From: Arnout Vandecappelle @ 2019-10-29 23:27 UTC (permalink / raw)
  To: buildroot



On 28/10/2019 22:24, aduskett at gmail.com wrote:
> From: Adam Duskett <Aduskett@gmail.com>
> 
> pkcs11-helper is a library that simplifies the interaction with PKCS#11
> providers for end-user applications. Pkcs11-helper allows using multiple
> PKCS#11 providers at the same time, enumerating available token
> certificates, or selecting a certificate directly by serialized id, handling
> card removal and card insert events, handling card re-insert to a different
> slot, supporting session expiration and much more all using a simple API.
> 
> Signed-off-by: Adam Duskett <Aduskett@gmail.com>

[snip]
> +config BR2_PACKAGE_PKCS11_HELPER
> +	bool "pkcs11-helper"
> +	help
> +	  pkcs11-helper is a library that simplifies the interaction
> +	  with PKCS#11 providers for end-user applications.
> +
> +	  pkcs11-helper allows using multiple PKCS#11 providers at the
> +	  same time, enumerating available token certificates, or
> +	  selecting a certificate directly by serialized id, handling
> +	  card removal and card insert events, handling card re-insert
> +	  to a different slot, supporting session expiration and much
> +	  more all using a simple API.
> +
> +	  pkcs11-helper is not designed to manage card content, since
> +	  object attributes are usually vendor specific, and 99% of
> +	  application need to access existing objects in order to
> +	  perform signature and decryption.
> +
> +	  https://github.com/OpenSC/pkcs11-helper
> +
> +if BR2_PACKAGE_PKCS11_HELPER
> +
> +config BR2_PACKAGE_PKCS11_HELPER_GNUTLS_ENGINE
> +	bool "gnutls engine support"
> +	depends on !BR2_STATIC_LIBS
> +	depends on BR2_USE_WCHAR
> +	select BR2_PACKAGE_GNUTLS

 As usual, bikeshedding over the Config.in options :-)

 AFAIU, pkcs11-helper can be of limited use on its own (dumping info about
tokens, presumably it automatically connects to pcscd if available). So a crypto
engine is not strictly needed. But, again AFAIU, its real use is to serve as a
plugin for the various crypto libraries so they can use the token. Is that correct?

 So, I would think that the logic is that you first select your crypto
provider(s) (possibly implicitly through a package that uses a crypto provider),
and then you add the pkcs11 "plugin" to it. So to me it seems more logical to
use depends on gnutls than select.

 But then, I wonder if it even makes sense to make it optional. Does it cost a
lot of code size to add an engine if that particular crypto library is anyway built?

 I may be all wrong about this though.

 I've not marked this as Changes Requested since it may be OK as is.

> +
> +comment "gnutls support needs a toolchain w/ wchar, dynamic library"
> +	depends on !BR2_USE_WCHAR || BR2_STATIC_LIBS
> +
> +config BR2_PACKAGE_PKCS11_HELPER_MBEDTLS_ENGINE
> +	bool "mbedtls engine support"
> +	select BR2_PACKAGE_MBEDTLS
> +
> +config BR2_PACKAGE_PKCS11_HELPER_NSS_ENGINE
> +	bool "nss engine support"
> +	depends on BR2_TOOLCHAIN_HAS_THREADS # libnspr
> +	depends on BR2_PACKAGE_LIBNSPR_ARCH_SUPPORT # libnspr
> +	depends on !BR2_STATIC_LIBS
> +	select BR2_PACKAGE_LIBNSS
> +
> +comment "nss support needs a toolchain w/ threads, dynamic library"
> +	depends on BR2_PACKAGE_LIBNSPR_ARCH_SUPPORT
> +	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
> +
> +config BR2_PACKAGE_PKCS11_HELPER_OPENSSL_ENGINE
> +	bool "openssl engine support"
> +	select BR2_PACKAGE_OPENSSL
> +
> +endif
> diff --git a/package/pkcs11-helper/pkcs11-helper.hash b/package/pkcs11-helper/pkcs11-helper.hash
> new file mode 100644
> index 0000000000..28ef74b410
> --- /dev/null
> +++ b/package/pkcs11-helper/pkcs11-helper.hash
> @@ -0,0 +1,3 @@
> +# Locally computed
> +sha256  fbcec9dd15a71d6ef22b09f63934c66d7d0292fefbaf3a60703ee4a9a73bf6a5  pkcs11-helper-pkcs11-helper-1.25.1.tar.gz
> +sha256  b8a2f73f743dc1a51aff23f1aacbca4b868564db52496fa3c0caba755bfd1eaf  COPYING
> diff --git a/package/pkcs11-helper/pkcs11-helper.mk b/package/pkcs11-helper/pkcs11-helper.mk
> new file mode 100644
> index 0000000000..07a0c046ad
> --- /dev/null
> +++ b/package/pkcs11-helper/pkcs11-helper.mk
> @@ -0,0 +1,51 @@
> +################################################################################
> +#
> +# pkcs11-helper
> +#
> +################################################################################
> +
> +PKCS11_HELPER_VERSION = pkcs11-helper-1.25.1

 This is like the v prefix: we want version as 1.25.1 and the pkcs11-helper-
prefix in the _SITE variable.

> +PKCS11_HELPER_SITE = $(call github,OpenSC,pkcs11-helper,$(PKCS11_HELPER_VERSION))
> +PKCS11_HELPER_LICENSE = GPL-2.0

 COPYING says that it is GPL-2.0 OR BSD-3-Clause.

 It also mentions the OpenSSL and gnutls etc. licenses, but I don't think those
sources are included so that's just wrong.

> +PKCS11_HELPER_LICENSE_FILES = COPYING

 You also need to include COPYING.BSD and COPYING.GPL.


> +PKCS11_HELPER_AUTORECONF = YES
> +PKCS11_HELPER_INSTALL_STAGING = YES
> +
> +PKCS11_HELPER_CONF_OPTS = \
> +	--disable-crypto-engine-polarssl \

 Weird... polarssl is just mbedtls...

> +	--disable-crypto-engine-cryptoapi \

 cryptoapi... Is that the kernel AF_CRYPTO interface? That should always be
supported then...

> +	--disable-dependency-tracking

 We don't usually specify that.

 Regards,
 Arnout

> +
> +ifeq ($(BR2_PACKAGE_PKCS11_HELPER_GNUTLS_ENGINE),y)
> +PKCS11_HELPER_DEPENDENCIES += gnutls
> +PKCS11_HELPER_CONF_OPTS += --enable-crypto-engine-gnutls
> +else
> +PKCS11_HELPER_CONF_OPTS += --disable-crypto-engine-gnutls
> +endif
> +
> +ifeq ($(BR2_PACKAGE_PKCS11_HELPER_NSS_ENGINE),y)
> +PKCS11_HELPER_DEPENDENCIES += libnss
> +PKCS11_HELPER_CONF_OPTS += --enable-crypto-engine-nss
> +else
> +PKCS11_HELPER_CONF_OPTS += --disable-crypto-engine-nss
> +endif
> +
> +ifeq ($(BR2_PACKAGE_PKCS11_HELPER_MBEDTLS_ENGINE),y)
> +PKCS11_HELPER_DEPENDENCIES += mbedtls
> +PKCS11_HELPER_CONF_OPTS += --enable-crypto-engine-mbedtls
> +else
> +PKCS11_HELPER_CONF_OPTS += --disable-crypto-engine-mbedtls
> +endif
> +
> +ifeq ($(BR2_PACKAGE_PKCS11_HELPER_OPENSSL_ENGINE),y)
> +PKCS11_HELPER_DEPENDENCIES += openssl
> +PKCS11_HELPER_CONF_OPTS += \
> +	--enable-openssl \
> +	--enable-crypto-engine-openssl
> +else
> +PKCS11_HELPER_CONF_OPTS += \
> +	--disable-openssl \
> +	--disable-crypto-engine-openssl
> +endif
> +
> +$(eval $(autotools-package))
> 
