openssl: bump to 1.1.1d

This version fixes 3 low-severity vulnerabilities:

- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
		 CMS_decrypt_set1_pkey

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz <[email protected]>

package/libs/openssl/Makefile

@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=c
+PKG_BUGFIX:=d
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \
 	ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
 	http://www.openssl.org/source/ \
 	http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=f6fb3079ad15076154eda9413fed42877d668e7069d9b87396d0804fdb3f4c90
+PKG_HASH:=1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE

package/libs/openssl/patches/100-Configure-afalg-support.patch

@@ -1,4 +1,4 @@
-From bf4f3a5696c65b4a48935599ccba43311c114c95 Mon Sep 17 00:00:00 2001
+From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Thu, 27 Sep 2018 08:29:21 -0300
 Subject: Do not use host kernel version to disable AFALG
@@ -8,9 +8,11 @@ version to disable building the AFALG engine on openwrt targets.
 
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
+diff --git a/Configure b/Configure
+index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1535,7 +1535,9 @@ unless ($disabled{"crypto-mdebug-backtra
+@@ -1532,7 +1532,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
  
  unless ($disabled{afalgeng}) {
      $config{afalgeng}="";

package/libs/openssl/patches/110-openwrt_targets.patch

@@ -1,4 +1,4 @@
-From 9a83f8fb7c46215dfb8d6dc2e2cc612bc2a0fd01 Mon Sep 17 00:00:00 2001
+From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Thu, 27 Sep 2018 08:30:24 -0300
 Subject: Add openwrt targets
@@ -7,6 +7,9 @@ Targets are named: linux-$(CONFIG_ARCH)-openwrt
 
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
+diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf
+new file mode 100644
+index 0000000000..86a86d31e4
 --- /dev/null
 +++ b/Configurations/25-openwrt.conf
 @@ -0,0 +1,48 @@

package/libs/openssl/patches/120-strip-cflags-from-binary.patch

@@ -1,16 +1,18 @@
-From f453f3eccb852740e37e9436dac5670d311c13b0 Mon Sep 17 00:00:00 2001
+From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Thu, 27 Sep 2018 08:31:38 -0300
-Subject: void exposing build directories
+Subject: Avoid exposing build directories
 
 The CFLAGS contain the build directories, and are shown by calling
 OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
 
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
+diff --git a/crypto/build.info b/crypto/build.info
+index 2c619c62e8..893128345a 100644
 --- a/crypto/build.info
 +++ b/crypto/build.info
-@@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink
+@@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
          ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
  
  DEPEND[cversion.o]=buildinf.h

package/libs/openssl/patches/130-dont-build-tests-fuzz.patch

@@ -1,4 +1,4 @@
-From e2339aa9c68837089d17cf309022cee497fe2412 Mon Sep 17 00:00:00 2001
+From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Thu, 27 Sep 2018 08:34:38 -0300
 Subject: Do not build tests and fuzz directories
@@ -7,9 +7,11 @@ This shortens build time.
 
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
+diff --git a/Configure b/Configure
+index 74d057c219..5813e9f8fe 100755
 --- a/Configure
 +++ b/Configure
-@@ -299,7 +299,7 @@ my $auto_threads=1;    # enable threads
+@@ -296,7 +296,7 @@ my $auto_threads=1;    # enable threads automatically? true by default
  my $default_ranlib;
  
  # Top level directories to build
@@ -18,7 +20,7 @@ Signed-off-by: Eneas U de Queiroz <[email protected]>
  # crypto/ subdirectories to build
  $config{sdirs} = [
      "objects",
-@@ -311,7 +311,7 @@ $config{sdirs} = [
+@@ -308,7 +308,7 @@ $config{sdirs} = [
      "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
      ];
  # test/ subdirectories to build

package/libs/openssl/patches/140-allow-prefer-chacha20.patch

@@ -1,4 +1,4 @@
-From 286e015bf0d30530707a5e7b3b871509f2ab50d7 Mon Sep 17 00:00:00 2001
+From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Thu, 27 Sep 2018 08:44:39 -0300
 Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
@@ -14,6 +14,8 @@ when the client has it on top of its ciphersuite preference.
 
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
+diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
+index 6724ccf2d2..96d959427e 100644
 --- a/include/openssl/ssl.h
 +++ b/include/openssl/ssl.h
 @@ -173,9 +173,15 @@ extern "C" {
@@ -35,9 +37,11 @@ Signed-off-by: Eneas U de Queiroz <[email protected]>
  # else
  #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
                                     "TLS_AES_128_GCM_SHA256"
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 27a1b2ec68..7039811323 100644
 --- a/ssl/ssl_ciph.c
 +++ b/ssl/ssl_ciph.c
-@@ -1466,11 +1466,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
      ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
                            &tail);
  
@@ -67,7 +71,7 @@ Signed-off-by: Eneas U de Queiroz <[email protected]>
  
      /*
       * ...and generally, our preferred cipher is AES.
-@@ -1526,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1527,7 +1545,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
       * Within each group, ciphers remain sorted by strength and previous
       * preference, i.e.,
       * 1) ECDHE > DHE

package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch

@@ -1,7 +1,7 @@
-From 48e2c9202ea345347da91f4c583e5915eb010d50 Mon Sep 17 00:00:00 2001
+From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Mon, 5 Nov 2018 15:54:17 -0200
-Subject: [PATCH 1/4] eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT
+Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT
 
 Since each ioctl causes a context switch, slowing things down, if
 EVP_MD_CTX_FLAG_ONESHOT is set, then:
@@ -14,6 +14,8 @@ Reviewed-by: Matthias St. Pierre <[email protected]>
 Reviewed-by: Richard Levitte <[email protected]>
 (Merged from https://github.com/openssl/openssl/pull/7585)
 
+diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
+index a727c6f646..a2c9a966f7 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
 @@ -461,6 +461,7 @@ struct digest_ctx {
@@ -24,7 +26,7 @@ Reviewed-by: Richard Levitte <[email protected]>
  };
  
  static const struct digest_data_st {
-@@ -564,12 +565,15 @@ static int digest_update(EVP_MD_CTX *ctx
+@@ -564,12 +565,15 @@ static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count)
      if (digest_ctx == NULL)
          return 0;
  
@@ -44,7 +46,7 @@ Reviewed-by: Richard Levitte <[email protected]>
  }
  
  static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
-@@ -579,7 +583,10 @@ static int digest_final(EVP_MD_CTX *ctx,
+@@ -579,7 +583,10 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
  
      if (md == NULL || digest_ctx == NULL)
          return 0;

package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch

@@ -1,7 +1,7 @@
-From 800272d22acf95070f22c870eca15bdba0539a6a Mon Sep 17 00:00:00 2001
+From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Sat, 3 Nov 2018 15:41:10 -0300
-Subject: [PATCH 2/4] eng_devcrypto: add configuration options
+Subject: eng_devcrypto: add configuration options
 
 USE_SOFTDRIVERS: whether to use software (not accelerated) drivers
 CIPHERS: list of ciphers to enable
@@ -13,6 +13,8 @@ Reviewed-by: Matthias St. Pierre <[email protected]>
 Reviewed-by: Richard Levitte <[email protected]>
 (Merged from https://github.com/openssl/openssl/pull/7585)
 
+diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
+index a2c9a966f7..5ec38ca8f3 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
 @@ -16,6 +16,7 @@
@@ -78,7 +80,7 @@ Reviewed-by: Richard Levitte <[email protected]>
  
      /*
       * Code further down must make sure that only NIDs in the table above
-@@ -333,19 +367,40 @@ static int cipher_cleanup(EVP_CIPHER_CTX
+@@ -333,19 +367,40 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
  }
  
  /*
@@ -184,7 +186,7 @@ Reviewed-by: Richard Levitte <[email protected]>
  static const EVP_CIPHER *get_cipher_method(int nid)
  {
      size_t i = get_cipher_data_index(nid);
-@@ -438,6 +520,36 @@ static int devcrypto_ciphers(ENGINE *e,
+@@ -438,6 +520,36 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
      return *cipher != NULL;
  }
  
@@ -245,7 +247,7 @@ Reviewed-by: Richard Levitte <[email protected]>
  
      /*
       * Code further down must make sure that only NIDs in the table above
-@@ -516,8 +637,8 @@ static const struct digest_data_st *get_
+@@ -516,8 +637,8 @@ static const struct digest_data_st *get_digest_data(int nid)
  }
  
  /*
@@ -256,7 +258,7 @@ Reviewed-by: Richard Levitte <[email protected]>
   */
  
  static int digest_init(EVP_MD_CTX *ctx)
-@@ -630,52 +751,94 @@ static int digest_cleanup(EVP_MD_CTX *ct
+@@ -630,52 +751,94 @@ static int digest_cleanup(EVP_MD_CTX *ctx)
      return clean_devcrypto_session(&digest_ctx->sess);
  }
  
@@ -401,7 +403,7 @@ Reviewed-by: Richard Levitte <[email protected]>
      }
  }
  
-@@ -739,7 +909,153 @@ static int devcrypto_digests(ENGINE *e,
+@@ -739,8 +909,154 @@ static int devcrypto_digests(ENGINE *e, const EVP_MD **digest,
      return *digest != NULL;
  }
  
@@ -477,8 +479,8 @@ Reviewed-by: Richard Levitte <[email protected]>
 +    "DIGESTS",
 +    "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
 +    ENGINE_CMD_FLAG_STRING},
-+#endif
-+
+ #endif
+ 
 +   {0, NULL, NULL, 0}
 +};
 +
@@ -502,7 +504,7 @@ Reviewed-by: Richard Levitte <[email protected]>
 +        use_softdrivers = i;
 +#ifdef IMPLEMENT_DIGEST
 +        rebuild_known_digest_nids(e);
- #endif
++#endif
 +        rebuild_known_cipher_nids(e);
 +        return 1;
 +#endif /* CIOCGSESSINFO */
@@ -552,9 +554,10 @@ Reviewed-by: Richard Levitte <[email protected]>
 +    }
 +    return 0;
 +}
- 
++
  /******************************************************************************
   *
+  * LOAD / UNLOAD
 @@ -793,6 +1109,8 @@ void engine_load_devcrypto_int()
  
      if (!ENGINE_set_id(e, "devcrypto")

package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch

@@ -1,7 +1,7 @@
-From ced41f7d44cb8cd3c4523f7271530d9d92e4f064 Mon Sep 17 00:00:00 2001
+From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Tue, 6 Nov 2018 22:54:07 -0200
-Subject: [PATCH 3/4] eng_devcrypto: add command to dump driver info
+Subject: eng_devcrypto: add command to dump driver info
 
 This is useful to determine the kernel driver running each algorithm.
 
@@ -11,9 +11,11 @@ Reviewed-by: Matthias St. Pierre <[email protected]>
 Reviewed-by: Richard Levitte <[email protected]>
 (Merged from https://github.com/openssl/openssl/pull/7585)
 
+diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
+index 5ec38ca8f3..64dc6b891d 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
-@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_D
+@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS;
   */
  struct driver_info_st {
      enum devcrypto_status_t {
@@ -80,7 +82,7 @@ Reviewed-by: Richard Levitte <[email protected]>
  #endif /* CIOCGSESSINFO */
          }
          ioctl(cfd, CIOCFSESSION, &sess.ses);
-@@ -505,8 +514,11 @@ static void destroy_all_cipher_methods(v
+@@ -505,8 +514,11 @@ static void destroy_all_cipher_methods(void)
  {
      size_t i;
  
@@ -93,7 +95,7 @@ Reviewed-by: Richard Levitte <[email protected]>
  }
  
  static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
-@@ -550,6 +562,40 @@ static int cryptodev_select_cipher_cb(co
+@@ -550,6 +562,40 @@ static int cryptodev_select_cipher_cb(const char *str, int len, void *usr)
      return 1;
  }
  
@@ -188,7 +190,7 @@ Reviewed-by: Richard Levitte <[email protected]>
              EVP_MD_meth_free(known_digest_methods[i]);
              known_digest_methods[i] = NULL;
              goto finish;
-@@ -894,8 +945,11 @@ static void destroy_all_digest_methods(v
+@@ -894,8 +945,11 @@ static void destroy_all_digest_methods(void)
  {
      size_t i;
  
@@ -201,7 +203,7 @@ Reviewed-by: Richard Levitte <[email protected]>
  }
  
  static int devcrypto_digests(ENGINE *e, const EVP_MD **digest,
-@@ -939,6 +993,43 @@ static int cryptodev_select_digest_cb(co
+@@ -939,6 +993,43 @@ static int cryptodev_select_digest_cb(const char *str, int len, void *usr)
      return 1;
  }
  
@@ -245,7 +247,7 @@ Reviewed-by: Richard Levitte <[email protected]>
  #endif
  
  /******************************************************************************
-@@ -983,6 +1074,11 @@ static const ENGINE_CMD_DEFN devcrypto_c
+@@ -983,6 +1074,11 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
      ENGINE_CMD_FLAG_STRING},
  #endif
  
@@ -257,7 +259,7 @@ Reviewed-by: Richard Levitte <[email protected]>
     {0, NULL, NULL, 0}
  };
  
-@@ -1051,6 +1147,13 @@ static int devcrypto_ctrl(ENGINE *e, int
+@@ -1051,6 +1147,13 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
          return 1;
  #endif /* IMPLEMENT_DIGEST */
  

package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch

@@ -1,7 +1,7 @@
-From 5d3be6bc8ed7d73ab2c4d389fb0f0a03dacd04b1 Mon Sep 17 00:00:00 2001
+From 52ddedc09ee81fe05ea2fa384fce89afe92d6d72 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Mon, 11 Mar 2019 09:29:13 -0300
-Subject: [PATCH] e_devcrypto: default to not use digests in engine
+Subject: e_devcrypto: default to not use digests in engine
 
 Digests are almost always slower when using /dev/crypto because of the
 cost of the context switches.  Only for large blocks it is worth it.
@@ -19,6 +19,8 @@ turn them on if it is safe and fast enough.
 
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
+diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
+index fb5c6e1636..7741138b82 100644
 --- a/engines/e_devcrypto.c
 +++ b/engines/e_devcrypto.c
 @@ -854,7 +854,7 @@ static void prepare_digest_methods(void)
@@ -30,7 +32,7 @@ Signed-off-by: Eneas U de Queiroz <[email protected]>
  
          /*
           * Check that the digest is usable
-@@ -1074,7 +1074,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
+@@ -1074,7 +1074,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
  #ifdef IMPLEMENT_DIGEST
     {DEVCRYPTO_CMD_DIGESTS,
      "DIGESTS",

package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch

@@ -1,16 +1,18 @@
-From b6e6d157367bae91a8015434769572e430257d40 Mon Sep 17 00:00:00 2001
+From b6b2744f06f64922b449b3cb4bf0ad3df3efba71 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz <[email protected]>
 Date: Mon, 11 Mar 2019 10:15:14 -0300
-Subject: [PATCH] e_devcrypto: ignore error when closing session
+Subject: e_devcrypto: ignore error when closing session
 
 In cipher_init, ignore an eventual error when closing the previous
 session.  It may have been closed by another process after a fork.
 
 Signed-off-by: Eneas U de Queiroz <[email protected]>
 
+diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
+index 7741138b82..2480bdbd57 100644
 --- a/engines/e_devcrypto.c
 +++ b/engines/e_devcrypto.c
-@@ -197,9 +197,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
+@@ -197,9 +197,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
          get_cipher_data(EVP_CIPHER_CTX_nid(ctx));
  
      /* cleanup a previous session */