openssl: update to version 1.1.1a

This version adds the following functionality:
  * TLS 1.3
  * AFALG engine support for hardware accelleration
  * x25519 ECC curve support
  * CRIME protection: disable use of compression by default
  * Support for ChaCha20 and Poly1305

Patches fixing bugs in the /dev/crypto engine were applied, from
https://github.com/openssl/openssl/pull/7585

This increses the size of the ipk binray on MIPS32 by about 32%:
old:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk
239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <[email protected]>

package/libs/openssl/Config.in

@@ -53,7 +53,9 @@ config OPENSSL_WITH_DEPRECATED
 	default y
 	prompt "Include deprecated APIs (See help for a list of packages that need this)"
 	help
-		Squid currently requires this.
+		Since openssl 1.1.x is still new to openwrt, some packages
+		requiring this option do not list it as a requirement yet:
+		 * freeswitch-stable, freeswitch, python, python3, squid.
 
 config OPENSSL_NO_DEPRECATED
 	bool
@@ -68,6 +70,21 @@ config OPENSSL_WITH_ERROR_MESSAGES
 
 comment "Protocol Support"
 
+config OPENSSL_WITH_TLS13
+	bool
+	default y
+	prompt "Enable support for TLS 1.3"
+	select OPENSSL_WITH_EC
+	help
+		TLS 1.3 is the newest version of the TLS specification.
+		It aims:
+		 * to increase the overall security of the protocol,
+		   removing outdated algorithms, and encrypting more of the
+		   protocol;
+		 * to increase performance by reducing the number of round-trips
+		   when performing a full handshake.
+		It increases package size by ~4KB.
+
 config OPENSSL_WITH_DTLS
 	bool
 	prompt "Enable DTLS support"
@@ -120,6 +137,16 @@ config OPENSSL_WITH_EC2M
 		This option enables the more efficient, yet less common, binary
 		field elliptic curves.
 
+config OPENSSL_WITH_CHACHA_POLY1305
+	bool
+	default y
+	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
+	help
+		ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
+		combining ChaCha stream cipher with Poly1305 MAC.
+		It is 3x faster than AES, when not using a CPU with AES-specific
+		instructions, as is the case of most embedded devices.
+
 config OPENSSL_WITH_PSK
 	bool
 	default y
@@ -129,6 +156,12 @@ config OPENSSL_WITH_PSK
 
 comment "Less commonly used build options"
 
+config OPENSSL_WITH_ARIA
+	bool
+	prompt "Enable ARIA support"
+	help
+		ARIA is a block cipher developed in South Korea, based on AES.
+
 config OPENSSL_WITH_CAMELLIA
 	bool
 	prompt "Enable Camellia cipher support"
@@ -149,6 +182,23 @@ config OPENSSL_WITH_SEED
 		SEED is a block cipher with 128-bit keys broadly used in
 		South Korea, but seldom found elsewhere.
 
+config OPENSSL_WITH_SM234
+	bool
+	prompt "Enable SM2/3/4 algorithms support"
+	help
+		These algorithms are a set of "Commercial Cryptography"
+		algorithms approved for use in China.
+		  * SM2 is an EC algorithm equivalent to ECDSA P-256
+		  * SM3 is a hash function equivalent to SHA-256
+		  * SM4 is a 128-block cipher equivalent to AES-128
+
+config OPENSSL_WITH_BLAKE2
+	bool
+	prompt "Enable BLAKE2 digest support"
+	help
+		BLAKE2 is a cryptographic hash function based on the ChaCha
+		stream cipher.
+
 config OPENSSL_WITH_MDC2
 	bool
 	prompt "Enable MDC2 digest support"
@@ -199,10 +249,14 @@ config OPENSSL_ENGINE_CRYPTO
 		API modules) for /dev/crypto to show up and use hardware
 		acceleration; otherwise it falls back to software.
 
-config OPENSSL_ENGINE_DIGEST
+config OPENSSL_WITH_ASYNC
 	bool
-	depends on OPENSSL_ENGINE_CRYPTO
-	prompt "/dev/crypto digest (md5/sha1) acceleration support"
+	prompt "Enable asynchronous jobs support"
+	depends on OPENSSL_ENGINE && USE_GLIBC
+	help
+		Enables async-aware applications to be able to use OpenSSL to
+		initiate crypto operations asynchronously. In order to work
+		this will require the presence of an async capable engine.
 
 config OPENSSL_WITH_GOST
 	bool
@@ -211,6 +265,9 @@ config OPENSSL_WITH_GOST
 	help
 		This option prepares the library to accept engine support
 		for Russian GOST crypto algorithms.
+		The gost engine is not included in standard openwrt feeds.
+		To build such engine yourself, see:
+		https://github.com/gost-engine/engine
 
 endif
 

package/libs/openssl/Makefile

@@ -8,11 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
-PKG_BASE:=1.0.2
-PKG_BUGFIX:=q
+PKG_BASE:=1.1.1
+PKG_BUGFIX:=a
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
+ENGINES_DIR=engines-1.1
 
 PKG_BUILD_PARALLEL:=0
 PKG_BUILD_DEPENDS:=cryptodev-linux
@@ -24,8 +25,7 @@ PKG_SOURCE_URL:= \
 	ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
 	http://www.openssl.org/source/ \
 	http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684
-ENGINES_DIR=engines
+PKG_HASH:=fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
@@ -33,11 +33,14 @@ PKG_CPE_ID:=cpe:/a:openssl:openssl
 PKG_CONFIG_DEPENDS:= \
 	CONFIG_OPENSSL_ENGINE \
 	CONFIG_OPENSSL_ENGINE_CRYPTO \
-	CONFIG_OPENSSL_ENGINE_DIGEST \
 	CONFIG_OPENSSL_NO_DEPRECATED \
 	CONFIG_OPENSSL_OPTIMIZE_SPEED \
+	CONFIG_OPENSSL_WITH_ARIA \
 	CONFIG_OPENSSL_WITH_ASM \
+	CONFIG_OPENSSL_WITH_ASYNC \
+	CONFIG_OPENSSL_WITH_BLAKE2 \
 	CONFIG_OPENSSL_WITH_CAMELLIA \
+	CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \
 	CONFIG_OPENSSL_WITH_CMS \
 	CONFIG_OPENSSL_WITH_COMPRESSION \
 	CONFIG_OPENSSL_WITH_DTLS \
@@ -51,8 +54,10 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_OPENSSL_WITH_PSK \
 	CONFIG_OPENSSL_WITH_RFC3779 \
 	CONFIG_OPENSSL_WITH_SEED \
+	CONFIG_OPENSSL_WITH_SM234 \
 	CONFIG_OPENSSL_WITH_SRP \
 	CONFIG_OPENSSL_WITH_SSE2 \
+	CONFIG_OPENSSL_WITH_TLS13 \
 	CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
@@ -85,7 +90,7 @@ $(call Package/openssl/Default)
   SUBMENU:=SSL
   DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
   TITLE+= (libraries)
-  ABI_VERSION:=1.0.0
+  ABI_VERSION:=1.1
   MENU:=1
 endef
 
@@ -111,18 +116,19 @@ $(call Package/openssl/Default/description)
 This package contains the OpenSSL command-line utility.
 endef
 
-define Package/libopenssl-gost
+define Package/libopenssl-afalg
   $(call Package/openssl/Default)
   SUBMENU:=SSL
-  TITLE:=Russian GOST algorithms engine
-  DEPENDS:=libopenssl +@OPENSSL_WITH_GOST
+  TITLE:=AFALG hardware acceleration engine
+  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO @!LINUX_3_18 +kmod-crypto-user
 endef
 
-define Package/libopenssl-gost/description
-This package adds an engine that enables Russian GOST algorithms.
+define Package/libopenssl-afalg/description
+This package adds an engine that enables hardware acceleration
+through the AF_ALG kernel interface.
 To use it, you need to configure the engine in /etc/ssl/openssl.cnf
-See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
-The engine_id is "gost"
+See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+The engine_id is "afalg"
 endef
 
 define Package/libopenssl-padlock
@@ -135,11 +141,23 @@ endef
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
 To use it, you need to configure it in /etc/ssl/openssl.cnf.
-See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
+See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 The engine_id is "padlock"
 endef
 
-OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method
+OPENSSL_OPTIONS:= shared
+
+ifndef CONFIG_OPENSSL_WITH_BLAKE2
+  OPENSSL_OPTIONS += no-blake2
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
+  OPENSSL_OPTIONS += no-chacha no-poly1305
+endif
+
+ifndef CONFIG_OPENSSL_WITH_ASYNC
+  OPENSSL_OPTIONS += no-async
+endif
 
 ifndef CONFIG_OPENSSL_WITH_EC
   OPENSSL_OPTIONS += no-ec
@@ -153,6 +171,18 @@ ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
   OPENSSL_OPTIONS += no-err
 endif
 
+ifndef CONFIG_OPENSSL_WITH_TLS13
+  OPENSSL_OPTIONS += no-tls1_3
+endif
+
+ifndef CONFIG_OPENSSL_WITH_ARIA
+  OPENSSL_OPTIONS += no-aria
+endif
+
+ifndef CONFIG_OPENSSL_WITH_SM234
+  OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4
+endif
+
 ifndef CONFIG_OPENSSL_WITH_CAMELLIA
   OPENSSL_OPTIONS += no-camellia
 endif
@@ -177,8 +207,8 @@ ifndef CONFIG_OPENSSL_WITH_CMS
   OPENSSL_OPTIONS += no-cms
 endif
 
-ifdef CONFIG_OPENSSL_WITH_RFC3779
-  OPENSSL_OPTIONS += enable-rfc3779
+ifndef CONFIG_OPENSSL_WITH_RFC3779
+  OPENSSL_OPTIONS += no-rfc3779
 endif
 
 ifdef CONFIG_OPENSSL_NO_DEPRECATED
@@ -193,10 +223,10 @@ endif
 
 ifdef CONFIG_OPENSSL_ENGINE
   ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
-    OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
-    ifdef CONFIG_OPENSSL_ENGINE_DIGEST
-      OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
-    endif
+    OPENSSL_OPTIONS += enable-devcryptoeng
+  endif
+  ifndef CONFIG_PACKAGE_libopenssl-afalg
+    OPENSSL_OPTIONS += no-afalgeng
   endif
   ifndef CONFIG_PACKAGE_libopenssl-padlock
     OPENSSL_OPTIONS += no-hw-padlock
@@ -209,10 +239,8 @@ ifndef CONFIG_OPENSSL_WITH_GOST
   OPENSSL_OPTIONS += no-gost
 endif
 
-# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code,
-# but openssl util gets built without it
 ifndef CONFIG_OPENSSL_WITH_DTLS
-  OPENSSL_OPTIONS += no-dtls no-dtls1
+  OPENSSL_OPTIONS += no-dtls
 endif
 
 ifdef CONFIG_OPENSSL_WITH_COMPRESSION
@@ -261,12 +289,6 @@ define Build/Configure
 			$(TARGET_LDFLAGS) \
 			$(OPENSSL_OPTIONS) \
 	)
-	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
-		CROSS_COMPILE="$(TARGET_CROSS)" \
-		MAKEDEPPROG="$(TARGET_CROSS)gcc" \
-		OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
-		$(OPENSSL_MAKEFLAGS) \
-		depend
 endef
 
 TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
@@ -276,35 +298,16 @@ define Build/Compile
 	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
 		CROSS_COMPILE="$(TARGET_CROSS)" \
 		CC="$(TARGET_CC)" \
-		ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
-		AR="$(TARGET_CROSS)ar r" \
-		RANLIB="$(TARGET_CROSS)ranlib" \
+		SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
 		OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
 		$(OPENSSL_MAKEFLAGS) \
 		all
-	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
-		CROSS_COMPILE="$(TARGET_CROSS)" \
-		CC="$(TARGET_CC)" \
-		ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
-		AR="$(TARGET_CROSS)ar r" \
-		RANLIB="$(TARGET_CROSS)ranlib" \
-		OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
-		$(OPENSSL_MAKEFLAGS) \
-		build-shared
-	# Work around openssl build bug to link libssl.so with libcrypto.so.
-	-rm $(PKG_BUILD_DIR)/libssl.so.*.*.*
-	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
-		CROSS_COMPILE="$(TARGET_CROSS)" \
-		CC="$(TARGET_CC)" \
-		OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
-		$(OPENSSL_MAKEFLAGS) \
-		do_linux-shared
 	$(MAKE) -C $(PKG_BUILD_DIR) \
 		CROSS_COMPILE="$(TARGET_CROSS)" \
 		CC="$(TARGET_CC)" \
-		INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \
+		DESTDIR="$(PKG_INSTALL_DIR)" \
 		$(OPENSSL_MAKEFLAGS) \
-		install
+		install_sw install_ssldirs
 endef
 
 define Build/InstallDev
@@ -334,17 +337,17 @@ define Package/openssl-util/install
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
 endef
 
-define Package/libopenssl-padlock/install
+define Package/libopenssl-afalg/install
 	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
 endef
 
-define Package/libopenssl-gost/install
+define Package/libopenssl-padlock/install
 	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
 endef
 
 $(eval $(call BuildPackage,libopenssl))
-$(eval $(call BuildPackage,libopenssl-gost))
+$(eval $(call BuildPackage,libopenssl-afalg))
 $(eval $(call BuildPackage,libopenssl-padlock))
 $(eval $(call BuildPackage,openssl-util))

package/libs/openssl/patches/100-Configure-afalg-support.patch

@@ -0,0 +1,23 @@
+From bf4f3a5696c65b4a48935599ccba43311c114c95 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Thu, 27 Sep 2018 08:29:21 -0300
+Subject: Do not use host kernel version to disable AFALG
+
+This patch prevents the Configure script from using the host kernel
+version to disable building the AFALG engine on openwrt targets.
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+--- a/Configure
++++ b/Configure
+@@ -1554,7 +1554,9 @@ unless ($disabled{"crypto-mdebug-backtra
+ 
+ unless ($disabled{afalgeng}) {
+     $config{afalgeng}="";
+-    if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
++    if ($target =~ m/openwrt$/) {
++        push @{$config{engdirs}}, "afalg";
++    } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+         my $minver = 4*10000 + 1*100 + 0;
+         if ($config{CROSS_COMPILE} eq "") {
+             my $verstr = `uname -r`;

package/libs/openssl/patches/100-openwrt_targets.patch

@@ -1,44 +0,0 @@
-From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz <[email protected]>
-Date: Wed, 26 Sep 2018 16:21:27 -0300
-Subject: Add openwrt targets
-
-Targets are named: linux-$(CONFIG_ARCH)-openwrt
-
-Signed-off-by: Eneas U de Queiroz <[email protected]>
-
---- a/Configure
-+++ b/Configure
-@@ -470,6 +470,32 @@ my %table=(
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- 
-+# OpenWrt targets
-+# from linux-aarch64
-+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-generic32
-+"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-armv4
-+"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-armv4
-+"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-elf
-+"linux-i386-openwrt",	"gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-mips32
-+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux64-mips64
-+"linux-mips64-openwrt",   "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+# from linux64-mips64
-+"linux-mips64el-openwrt",   "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+# from linux-mips32
-+"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-ppc
-+"linux-powerpc-openwrt",	"gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-x86_64
-+"linux-x86_64-openwrt",	"gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+# from linux-generic32
-+"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+
- # Android: linux-* but without pointers to headers and libs.
- "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

package/libs/openssl/patches/110-openwrt_targets.patch

@@ -0,0 +1,60 @@
+From 9a83f8fb7c46215dfb8d6dc2e2cc612bc2a0fd01 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Thu, 27 Sep 2018 08:30:24 -0300
+Subject: Add openwrt targets
+
+Targets are named: linux-$(CONFIG_ARCH)-openwrt
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+--- /dev/null
++++ b/Configurations/25-openwrt.conf
+@@ -0,0 +1,48 @@
++## Openwrt "CONFIG_ARCH" matching targets.
++
++# The targets need to end in '-openwrt' for the AFALG patch to work
++
++my %targets = (
++    "openwrt" => {
++	template	=> 1,
++	CFLAGS		=> add("\$(OPENWRT_OPTIMIZATION_FLAGS)"),
++    },
++    "linux-aarch64-openwrt" => {
++        inherit_from    => [ "linux-aarch64", "openwrt" ],
++    },
++    "linux-arc-openwrt" => {
++        inherit_from    => [ "linux-generic32", "openwrt" ],
++    },
++    "linux-arm-openwrt" => {
++        inherit_from    => [ "linux-armv4", "openwrt" ],
++    },
++    "linux-armeb-openwrt" => {
++        inherit_from    => [ "linux-armv4", "openwrt" ],
++    },
++    "linux-i386-openwrt" => {
++        inherit_from    => [ "linux-x86", "openwrt" ],
++    },
++    "linux-mips-openwrt" => {
++        inherit_from    => [ "linux-mips32", "openwrt" ],
++    },
++    "linux-mips64-openwrt" => {
++        inherit_from    => [ "linux64-mips64", "openwrt" ],
++    },
++    "linux-mips64el-openwrt" => {
++        inherit_from    => [ "linux64-mips64", "openwrt" ],
++    },
++    "linux-mipsel-openwrt" => {
++        inherit_from    => [ "linux-mips32", "openwrt" ],
++    },
++    "linux-powerpc-openwrt" => {
++        inherit_from    => [ "linux-ppc", "openwrt" ],
++    },
++    "linux-x86_64-openwrt" => {
++        inherit_from    => [ "linux-x86_64", "openwrt" ],
++    },
++
++### Basic default option
++    "linux-generic32-openwrt" => {
++        inherit_from    => [ "linux-generic32", "openwrt" ],
++    },
++);

package/libs/openssl/patches/110-perl-path.patch

@@ -1,64 +0,0 @@
---- a/Configure
-+++ b/Configure
-@@ -1,4 +1,4 @@
--:
-+#!/usr/bin/perl
- eval 'exec perl -S $0 ${1+"$@"}'
-     if $running_under_some_shell;
- ##
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl
-+#!/usr/bin/perl
- 
- # Perl c_rehash script, scan all files in a directory
- # and add symbolic links to their hash values.
---- a/util/clean-depend.pl
-+++ b/util/clean-depend.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- # Clean the dependency list in a makefile of standard includes...
- # Written by Ben Laurie <[email protected]> 19 Jan 1999
- 
---- a/util/mkdef.pl
-+++ b/util/mkdef.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- #
- # generate a .def file
- #
---- a/util/mkerr.pl
-+++ b/util/mkerr.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- 
- my $config = "crypto/err/openssl.ec";
- my $hprefix = "openssl/";
---- a/util/mkstack.pl
-+++ b/util/mkstack.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- 
- # This is a utility that searches out "DECLARE_STACK_OF()"
- # declarations in .h and .c files, and updates/creates/replaces
---- a/util/pod2man.pl
-+++ b/util/pod2man.pl
-@@ -1,4 +1,4 @@
--: #!/usr/bin/perl-5.005
-+#!/usr/bin/perl
-     eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
- 	if $running_under_some_shell;
- 
---- a/util/selftest.pl
-+++ b/util/selftest.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- #
- # Run the test suite and generate a report
- #

package/libs/openssl/patches/120-makefile-dirs.patch

@@ -1,11 +0,0 @@
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -137,7 +137,7 @@ FIPSCANLIB=
- 
- BASEADDR=
- 
--DIRS=   crypto ssl engines apps test tools
-+DIRS=   crypto ssl engines apps
- ENGDIRS= ccgost
- SHLIBDIRS= crypto ssl
- 

package/libs/openssl/patches/120-strip-cflags-from-binary.patch

@@ -0,0 +1,21 @@
+From f453f3eccb852740e37e9436dac5670d311c13b0 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Thu, 27 Sep 2018 08:31:38 -0300
+Subject: void exposing build directories
+
+The CFLAGS contain the build directories, and are shown by calling
+OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+--- a/crypto/build.info
++++ b/crypto/build.info
+@@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink
+         ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
+ 
+ DEPEND[cversion.o]=buildinf.h
+-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"
+ DEPEND[buildinf.h]=../configdata.pm
+ 
+ GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)

package/libs/openssl/patches/130-disable_doc_tests.patch

@@ -1,58 +0,0 @@
---- a/Makefile
-+++ b/Makefile
-@@ -139,7 +139,7 @@ FIPSCANLIB=
- 
- BASEADDR=0xFB00000
- 
--DIRS=   crypto ssl engines apps test tools
-+DIRS=   crypto ssl engines apps tools
- ENGDIRS= ccgost
- SHLIBDIRS= crypto ssl
- 
-@@ -157,7 +157,7 @@ SDIRS=  \
- 
- # tests to perform.  "alltests" is a special word indicating that all tests
- # should be performed.
--TESTS = alltests
-+TESTS =
- 
- MAKEFILE= Makefile
- 
-@@ -171,7 +171,7 @@ SHELL=/bin/sh
- 
- TOP=    .
- ONEDIRS=out tmp
--EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
-+EDIRS=  times bugs util include certs ms shlib mt demos perl sf dep VMS
- WDIRS=  windows
- LIBS=   libcrypto.a libssl.a
- SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
-@@ -276,7 +276,7 @@ reflect:
- 
- sub_all: build_all
- 
--build_all: build_libs build_apps build_tests build_tools
-+build_all: build_libs build_apps build_tools
- 
- build_libs: build_libcrypto build_libssl openssl.pc
- 
-@@ -542,7 +542,7 @@ dist:
- 	@$(MAKE) SDIRS='$(SDIRS)' clean
- 	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
- 
--install: all install_docs install_sw
-+install: all install_sw
- 
- install_sw:
- 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -540,7 +540,7 @@ dist:
- 	@$(MAKE) SDIRS='$(SDIRS)' clean
- 	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
- 
--install: all install_docs install_sw
-+install: all install_sw
- 
- install_sw:
- 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \

package/libs/openssl/patches/130-dont-build-tests-fuzz.patch

@@ -0,0 +1,29 @@
+From e2339aa9c68837089d17cf309022cee497fe2412 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Thu, 27 Sep 2018 08:34:38 -0300
+Subject: Do not build tests and fuzz directories
+
+This shortens build time.
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+--- a/Configure
++++ b/Configure
+@@ -299,7 +299,7 @@ my $auto_threads=1;    # enable threads
+ my $default_ranlib;
+ 
+ # Top level directories to build
+-$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ];
++$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ];
+ # crypto/ subdirectories to build
+ $config{sdirs} = [
+     "objects",
+@@ -311,7 +311,7 @@ $config{sdirs} = [
+     "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
+     ];
+ # test/ subdirectories to build
+-$config{tdirs} = [ "ossl_shim" ];
++$config{tdirs} = [];
+ 
+ # Known TLS and DTLS protocols
+ my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3);

package/libs/openssl/patches/140-bash_path.patch

@@ -1,8 +0,0 @@
---- a/util/domd
-+++ b/util/domd
-@@ -1,4 +1,4 @@
--#!/bin/sh
-+#!/usr/bin/env bash
- # Do a makedepend, only leave out the standard headers
- # Written by Ben Laurie <[email protected]> 19 Jan 1999
- 

package/libs/openssl/patches/150-fix_link_segfault.patch

@@ -1,18 +0,0 @@
---- a/Makefile.shared
-+++ b/Makefile.shared
-@@ -95,7 +95,6 @@ LINK_APP=	\
-     LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
-     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
-     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
--    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-     $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )
- 
- LINK_SO=	\
-@@ -105,7 +104,6 @@ LINK_SO=	\
-     SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
-     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
-     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
--    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-     $${SHAREDCMD} $${SHAREDFLAGS} \
- 	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
- 	$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \

package/libs/openssl/patches/160-remove_timestamp_check.patch

@@ -1,23 +0,0 @@
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -185,7 +185,7 @@ TARFILE=        ../$(NAME).tar
- EXHEADER=       e_os2.h
- HEADER=         e_os.h
- 
--all: Makefile build_all
-+all: build_all
- 
- # as we stick to -e, CLEARENV ensures that local variables in lower
- # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
-@@ -404,11 +404,6 @@ openssl.pc: Makefile
- 	    echo 'Version: '$(VERSION); \
- 	    echo 'Requires: libssl libcrypto' ) > openssl.pc
- 
--Makefile: Makefile.org Configure config
--	@echo "Makefile is older than Makefile.org, Configure or config."
--	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
--	@false
--
- libclean:
- 	rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
- 

package/libs/openssl/patches/170-parallel_build.patch

@@ -1,184 +0,0 @@
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -282,17 +282,17 @@ build_libcrypto: build_crypto build_engi
- build_libssl: build_ssl libssl.pc
- 
- build_crypto:
--	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-+	+@dir=crypto; target=all; $(BUILD_ONE_CMD)
- build_ssl: build_crypto
--	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-+	+@dir=ssl; target=all; $(BUILD_ONE_CMD)
- build_engines: build_crypto
--	@dir=engines; target=all; $(BUILD_ONE_CMD)
-+	+@dir=engines; target=all; $(BUILD_ONE_CMD)
- build_apps: build_libs
--	@dir=apps; target=all; $(BUILD_ONE_CMD)
-+	+@dir=apps; target=all; $(BUILD_ONE_CMD)
- build_tests: build_libs
--	@dir=test; target=all; $(BUILD_ONE_CMD)
-+	+@dir=test; target=all; $(BUILD_ONE_CMD)
- build_tools: build_libs
--	@dir=tools; target=all; $(BUILD_ONE_CMD)
-+	+@dir=tools; target=all; $(BUILD_ONE_CMD)
- 
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -473,7 +473,7 @@ update: errors stacks util/libeay.num ut
- 	@set -e; target=update; $(RECURSIVE_BUILD_CMD)
- 
- depend:
--	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
-+	+@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
- 
- lint:
- 	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
-@@ -535,9 +535,9 @@ dist:
- 	@$(MAKE) SDIRS='$(SDIRS)' clean
- 	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
- 
--install: all install_sw
-+install: install_sw
- 
--install_sw:
-+install_dirs:
- 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-@@ -546,12 +546,19 @@ install_sw:
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
-+	@$(PERL) $(TOP)/util/mkdir-p.pl \
-+		$(INSTALL_PREFIX)$(MANDIR)/man1 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man3 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man5 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man7
-+
-+install_sw: install_dirs
- 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
- 	do \
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+	+@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
- 	do \
- 		if [ -f "$$i" ]; then \
-@@ -635,12 +642,7 @@ install_html_docs:
- 		done; \
- 	done
- 
--install_docs:
--	@$(PERL) $(TOP)/util/mkdir-p.pl \
--		$(INSTALL_PREFIX)$(MANDIR)/man1 \
--		$(INSTALL_PREFIX)$(MANDIR)/man3 \
--		$(INSTALL_PREFIX)$(MANDIR)/man5 \
--		$(INSTALL_PREFIX)$(MANDIR)/man7
-+install_docs: install_dirs
- 	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
- 	here="`pwd`"; \
- 	filecase=; \
---- a/Makefile.shared
-+++ b/Makefile.shared
-@@ -120,6 +120,7 @@ SYMLINK_SO=	\
- 			done; \
- 		fi; \
- 		if [ -n "$$SHLIB_SOVER" ]; then \
-+			[ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
- 			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
- 			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
- 		fi; \
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -87,11 +87,11 @@ testapps:
- 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
- 
- subdirs:
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
--	@target=files; $(RECURSIVE_MAKE)
-+	+@target=files; $(RECURSIVE_MAKE)
- 
- links:
- 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -102,7 +102,7 @@ links:
- # lib: $(LIB): are splitted to avoid end-less loop
- lib:	$(LIB)
- 	@touch lib
--$(LIB):	$(LIBOBJ)
-+$(LIB):	$(LIBOBJ) | subdirs
- 	$(AR) $(LIB) $(LIBOBJ)
- 	test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
- 	$(RANLIB) $(LIB) || echo Never mind.
-@@ -113,7 +113,7 @@ shared: buildinf.h lib subdirs
- 	fi
- 
- libs:
--	@target=lib; $(RECURSIVE_MAKE)
-+	+@target=lib; $(RECURSIVE_MAKE)
- 
- install:
- 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -122,7 +122,7 @@ install:
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- lint:
- 	@target=lint; $(RECURSIVE_MAKE)
---- a/engines/Makefile
-+++ b/engines/Makefile
-@@ -72,7 +72,7 @@ top:
- 
- all:	lib subdirs
- 
--lib:	$(LIBOBJ)
-+lib:	$(LIBOBJ) | subdirs
- 	@if [ -n "$(SHARED_LIBS)" ]; then \
- 		set -e; \
- 		for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@ lib:	$(LIBOBJ)
- 
- subdirs:
- 	echo $(EDIRS)
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@ install:
- 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- 		done; \
- 	fi
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- tags:
- 	ctags $(SRC)
---- a/test/Makefile
-+++ b/test/Makefile
-@@ -145,7 +145,7 @@ install:
- tags:
- 	ctags $(SRC)
- 
--tests:	exe apps $(TESTS)
-+tests:	exe $(TESTS)
- 
- apps:
- 	@(cd ..; $(MAKE) DIRS=apps all)
-@@ -593,7 +593,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl
- #	fi
- 
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
--	@target=dummytest; $(BUILD_CMD)
-+	+@target=dummytest; $(BUILD_CMD)
- 
- # DO NOT DELETE THIS LINE -- make depend depends on it.
- 

package/libs/openssl/patches/180-strip-cflags-from-binary.patch

@@ -1,21 +0,0 @@
-From f17f027c258338994a6167091a398c0cc1588acb Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz <[email protected]>
-Date: Wed, 26 Sep 2018 18:04:58 -0300
-Subject: Avoid exposing build directories
-
-The CFLAGS contain the build directories, and are shown by calling
-SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a
-
-Signed-off-by: Eneas U de Queiroz <[email protected]>
-
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -57,7 +57,7 @@ top:
- all: shared
- 
- buildinf.h: ../Makefile
--	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
-+	$(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap%  -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h
- 
- x86cpuid.s:	x86cpuid.pl perlasm/x86asm.pl
- 	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@

package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch

@@ -0,0 +1,42 @@
+From be5cf61caa425070ec4f3e925d4e9aa484c8315b Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Mon, 5 Nov 2018 17:59:42 -0200
+Subject: [PATCH 1/7] eng_devcrypto: don't leak methods tables
+
+Call functions to prepare methods after confirming that /dev/crytpo was
+sucessfully open and that the destroy function has been set.
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+Reviewed-by: Matthias St. Pierre <[email protected]>
+Reviewed-by: Richard Levitte <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit d9d4dff5c640990d45af115353fc9f88a497a56c)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -619,11 +619,6 @@ void engine_load_devcrypto_int()
+         return;
+     }
+ 
+-    prepare_cipher_methods();
+-#ifdef IMPLEMENT_DIGEST
+-    prepare_digest_methods();
+-#endif
+-
+     if ((e = ENGINE_new()) == NULL
+         || !ENGINE_set_destroy_function(e, devcrypto_unload)) {
+         ENGINE_free(e);
+@@ -636,6 +631,11 @@ void engine_load_devcrypto_int()
+         return;
+     }
+ 
++    prepare_cipher_methods();
++#ifdef IMPLEMENT_DIGEST
++    prepare_digest_methods();
++#endif
++
+     if (!ENGINE_set_id(e, "devcrypto")
+         || !ENGINE_set_name(e, "/dev/crypto engine")
+ 

package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch

@@ -0,0 +1,37 @@
+From add2ab1f289c24a1563c5b895d5cd133fe874f12 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Wed, 14 Nov 2018 11:22:14 -0200
+Subject: [PATCH 2/7] eng_devcrypto: expand digest failure cases
+
+Return failure when the digest_ctx is null in digest_update and
+digest_final, and when md is null in digest_final.
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+Reviewed-by: Matthias St. Pierre <[email protected]>
+Reviewed-by: Richard Levitte <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit 4d9f99654441e36fdcb49540a1dbc9d4c70ccb68)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -438,6 +438,9 @@ static int digest_update(EVP_MD_CTX *ctx
+     if (count == 0)
+         return 1;
+ 
++    if (digest_ctx == NULL)
++        return 0;
++
+     if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) {
+         SYSerr(SYS_F_IOCTL, errno);
+         return 0;
+@@ -451,6 +454,8 @@ static int digest_final(EVP_MD_CTX *ctx,
+     struct digest_ctx *digest_ctx =
+         (struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
+ 
++    if (md == NULL || digest_ctx == NULL)
++        return 0;
+     if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
+         SYSerr(SYS_F_IOCTL, errno);
+         return 0;

package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch

@@ -0,0 +1,53 @@
+From 68b02a8ab798b7e916c8141a36ab69d7493fc707 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Wed, 14 Nov 2018 13:58:06 -0200
+Subject: [PATCH 3/7] eng_devcrypto: fix copy of unitilialized digest
+
+If the source ctx has not been initialized, don't initialize the copy
+either.
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+Reviewed-by: Matthias St. Pierre <[email protected]>
+Reviewed-by: Richard Levitte <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit ae8183690fa53b978d4647563f5a521c4cafe94c)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -338,7 +338,8 @@ static int devcrypto_ciphers(ENGINE *e,
+ 
+ struct digest_ctx {
+     struct session_op sess;
+-    int init;
++    /* This signals that the init function was called, not that it succeeded. */
++    int init_called;
+ };
+ 
+ static const struct digest_data_st {
+@@ -403,7 +404,7 @@ static int digest_init(EVP_MD_CTX *ctx)
+     const struct digest_data_st *digest_d =
+         get_digest_data(EVP_MD_CTX_type(ctx));
+ 
+-    digest_ctx->init = 1;
++    digest_ctx->init_called = 1;
+ 
+     memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess));
+     digest_ctx->sess.mac = digest_d->devcryptoid;
+@@ -476,14 +477,9 @@ static int digest_copy(EVP_MD_CTX *to, c
+         (struct digest_ctx *)EVP_MD_CTX_md_data(to);
+     struct cphash_op cphash;
+ 
+-    if (digest_from == NULL)
++    if (digest_from == NULL || digest_from->init_called != 1)
+         return 1;
+ 
+-    if (digest_from->init != 1) {
+-        SYSerr(SYS_F_IOCTL, EINVAL);
+-        return 0;
+-    }
+-
+     if (!digest_init(to)) {
+         SYSerr(SYS_F_IOCTL, errno);
+         return 0;

package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch

@@ -0,0 +1,46 @@
+From 5378c582c8d3f1130b17abb2950bfd09cde099c6 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Mon, 5 Nov 2018 15:59:44 -0200
+Subject: [PATCH 4/7] eng_devcrypto: close session on cleanup, not final
+
+Close the session in digest_cleanup instead of digest_final.  A failure
+in closing the session does not mean a previous successful digest final
+has failed as well.
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+Reviewed-by: Matthias St. Pierre <[email protected]>
+Reviewed-by: Richard Levitte <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit a67203a19d379a8cc8b369587c60c46eb4e19014)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -461,10 +461,6 @@ static int digest_final(EVP_MD_CTX *ctx,
+         SYSerr(SYS_F_IOCTL, errno);
+         return 0;
+     }
+-    if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
+-        SYSerr(SYS_F_IOCTL, errno);
+-        return 0;
+-    }
+ 
+     return 1;
+ }
+@@ -496,6 +492,15 @@ static int digest_copy(EVP_MD_CTX *to, c
+ 
+ static int digest_cleanup(EVP_MD_CTX *ctx)
+ {
++    struct digest_ctx *digest_ctx =
++        (struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
++
++    if (digest_ctx == NULL)
++        return 1;
++    if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
++        SYSerr(SYS_F_IOCTL, errno);
++        return 0;
++    }
+     return 1;
+ }
+ 

package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch

@@ -0,0 +1,54 @@
+From a19d1a1d370e2959555fccbafc4e970634840352 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Tue, 13 Nov 2018 09:23:22 -0200
+Subject: [PATCH 5/7] eng_devcrypto: add cipher CTX copy function
+
+The engine needs a custom cipher context copy function to open a new
+/dev/crypto session.
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+Reviewed-by: Matthias St. Pierre <[email protected]>
+Reviewed-by: Richard Levitte <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit 6d99e238397859f2df58c60e28905193b2dd6762)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -207,6 +207,22 @@ static int cipher_do_cipher(EVP_CIPHER_C
+     return 1;
+ }
+ 
++static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2)
++{
++    EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2;
++    struct cipher_ctx *cipher_ctx;
++
++    if (type == EVP_CTRL_COPY) {
++        /* when copying the context, a new session needs to be initialized */
++        cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
++        return (cipher_ctx == NULL)
++            || cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx),
++                           (cipher_ctx->op == COP_ENCRYPT));
++    }
++
++    return -1;
++}
++
+ static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
+ {
+     struct cipher_ctx *cipher_ctx =
+@@ -258,10 +274,12 @@ static void prepare_cipher_methods(void)
+                                               cipher_data[i].ivlen)
+             || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
+                                           cipher_data[i].flags
++                                          | EVP_CIPH_CUSTOM_COPY
+                                           | EVP_CIPH_FLAG_DEFAULT_ASN1)
+             || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
+             || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
+                                               cipher_do_cipher)
++            || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
+             || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
+                                             cipher_cleanup)
+             || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],

package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch

@@ -0,0 +1,217 @@
+From 2887a5c8f9a385b3ebee12b98f68e7d1f9cc0ea0 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Wed, 28 Nov 2018 11:26:27 -0200
+Subject: [PATCH 6/7] eng_devcrypto: fix ctr mode
+
+Make CTR mode behave like a stream cipher.
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+Reviewed-by: Matthias St. Pierre <[email protected]>
+Reviewed-by: Richard Levitte <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit b5015e834aa7d3f0a5d7585a8fae05cecbdbb848)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -47,10 +47,12 @@ static int cfd;
+ 
+ struct cipher_ctx {
+     struct session_op sess;
+-
+-    /* to pass from init to do_cipher */
+-    const unsigned char *iv;
+     int op;                      /* COP_ENCRYPT or COP_DECRYPT */
++    unsigned long mode;          /* EVP_CIPH_*_MODE */
++
++    /* to handle ctr mode being a stream cipher */
++    unsigned char partial[EVP_MAX_BLOCK_LENGTH];
++    unsigned int blocksize, num;
+ };
+ 
+ static const struct cipher_data_st {
+@@ -87,9 +89,9 @@ static const struct cipher_data_st {
+     { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
+ #endif
+ #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
+-    { NID_aes_128_ecb, 16, 128 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+-    { NID_aes_192_ecb, 16, 192 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+-    { NID_aes_256_ecb, 16, 256 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
++    { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
++    { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
++    { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ #endif
+ #if 0                            /* Not yet supported */
+     { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
+@@ -146,6 +148,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
+     cipher_ctx->sess.keylen = cipher_d->keylen;
+     cipher_ctx->sess.key = (void *)key;
+     cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT;
++    cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE;
++    cipher_ctx->blocksize = cipher_d->blocksize;
+     if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
+         SYSerr(SYS_F_IOCTL, errno);
+         return 0;
+@@ -160,8 +164,11 @@ static int cipher_do_cipher(EVP_CIPHER_C
+     struct cipher_ctx *cipher_ctx =
+         (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+     struct crypt_op cryp;
++    unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
+ #if !defined(COP_FLAG_WRITE_IV)
+     unsigned char saved_iv[EVP_MAX_IV_LENGTH];
++    const unsigned char *ivptr;
++    size_t nblocks, ivlen;
+ #endif
+ 
+     memset(&cryp, 0, sizeof(cryp));
+@@ -169,19 +176,28 @@ static int cipher_do_cipher(EVP_CIPHER_C
+     cryp.len = inl;
+     cryp.src = (void *)in;
+     cryp.dst = (void *)out;
+-    cryp.iv = (void *)EVP_CIPHER_CTX_iv_noconst(ctx);
++    cryp.iv = (void *)iv;
+     cryp.op = cipher_ctx->op;
+ #if !defined(COP_FLAG_WRITE_IV)
+     cryp.flags = 0;
+ 
+-    if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
+-        assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
+-        if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+-            unsigned char *ivptr = in + inl - EVP_CIPHER_CTX_iv_length(ctx);
++    ivlen = EVP_CIPHER_CTX_iv_length(ctx);
++    if (ivlen > 0)
++        switch (cipher_ctx->mode) {
++        case EVP_CIPH_CBC_MODE:
++            assert(inl >= ivlen);
++            if (!EVP_CIPHER_CTX_encrypting(ctx)) {
++                ivptr = in + inl - ivlen;
++                memcpy(saved_iv, ivptr, ivlen);
++            }
++            break;
++
++        case EVP_CIPH_CTR_MODE:
++            break;
+ 
+-            memcpy(saved_iv, ivptr, EVP_CIPHER_CTX_iv_length(ctx));
++        default: /* should not happen */
++            return 0;
+         }
+-    }
+ #else
+     cryp.flags = COP_FLAG_WRITE_IV;
+ #endif
+@@ -192,17 +208,74 @@ static int cipher_do_cipher(EVP_CIPHER_C
+     }
+ 
+ #if !defined(COP_FLAG_WRITE_IV)
+-    if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
+-        unsigned char *ivptr = saved_iv;
++    if (ivlen > 0)
++        switch (cipher_ctx->mode) {
++        case EVP_CIPH_CBC_MODE:
++            assert(inl >= ivlen);
++            if (EVP_CIPHER_CTX_encrypting(ctx))
++                ivptr = out + inl - ivlen;
++            else
++                ivptr = saved_iv;
++
++            memcpy(iv, ivptr, ivlen);
++            break;
++
++        case EVP_CIPH_CTR_MODE:
++            nblocks = (inl + cipher_ctx->blocksize - 1)
++                      / cipher_ctx->blocksize;
++            do {
++                ivlen--;
++                nblocks += iv[ivlen];
++                iv[ivlen] = (uint8_t) nblocks;
++                nblocks >>= 8;
++            } while (ivlen);
++            break;
++
++        default: /* should not happen */
++            return 0;
++        }
++#endif
++
++    return 1;
++}
+ 
+-        assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
+-        if (!EVP_CIPHER_CTX_encrypting(ctx))
+-            ivptr = out + inl - EVP_CIPHER_CTX_iv_length(ctx);
++static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++                         const unsigned char *in, size_t inl)
++{
++    struct cipher_ctx *cipher_ctx =
++        (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
++    size_t nblocks, len;
+ 
+-        memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), ivptr,
+-               EVP_CIPHER_CTX_iv_length(ctx));
++    /* initial partial block */
++    while (cipher_ctx->num && inl) {
++        (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num];
++        --inl;
++        cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize;
++    }
++
++    /* full blocks */
++    if (inl > (unsigned int) cipher_ctx->blocksize) {
++        nblocks = inl/cipher_ctx->blocksize;
++        len = nblocks * cipher_ctx->blocksize;
++        if (cipher_do_cipher(ctx, out, in, len) < 1)
++            return 0;
++        inl -= len;
++        out += len;
++        in += len;
++    }
++
++    /* final partial block */
++    if (inl) {
++        memset(cipher_ctx->partial, 0, cipher_ctx->blocksize);
++        if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial,
++            cipher_ctx->blocksize) < 1)
++            return 0;
++        while (inl--) {
++            out[cipher_ctx->num] = in[cipher_ctx->num]
++                                   ^ cipher_ctx->partial[cipher_ctx->num];
++            cipher_ctx->num++;
++        }
+     }
+-#endif
+ 
+     return 1;
+ }
+@@ -249,6 +322,7 @@ static void prepare_cipher_methods(void)
+ {
+     size_t i;
+     struct session_op sess;
++    unsigned long cipher_mode;
+ 
+     memset(&sess, 0, sizeof(sess));
+     sess.key = (void *)"01234567890123456789012345678901234567890123456789";
+@@ -266,9 +340,12 @@ static void prepare_cipher_methods(void)
+             || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
+             continue;
+ 
++        cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
++
+         if ((known_cipher_methods[i] =
+                  EVP_CIPHER_meth_new(cipher_data[i].nid,
+-                                     cipher_data[i].blocksize,
++                                     cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
++                                                    cipher_data[i].blocksize,
+                                      cipher_data[i].keylen)) == NULL
+             || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
+                                               cipher_data[i].ivlen)
+@@ -278,6 +355,8 @@ static void prepare_cipher_methods(void)
+                                           | EVP_CIPH_FLAG_DEFAULT_ASN1)
+             || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
+             || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
++                                     cipher_mode == EVP_CIPH_CTR_MODE ?
++                                              ctr_do_cipher :
+                                               cipher_do_cipher)
+             || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
+             || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],

package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch

@@ -0,0 +1,71 @@
+From 488521d77fdc1de5ae256ce0d9203e35ebc92993 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <[email protected]>
+Date: Sat, 8 Dec 2018 18:01:04 -0200
+Subject: [PATCH 7/7] eng_devcrypto: make sure digest can do copy
+
+Digest must be able to do partial-state copy to be used.
+
+Signed-off-by: Eneas U de Queiroz <[email protected]>
+
+Reviewed-by: Matthias St. Pierre <[email protected]>
+Reviewed-by: Richard Levitte <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit 16e252a01b754a13e83d5e5e87afbe389997926b)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -601,6 +601,30 @@ static int digest_cleanup(EVP_MD_CTX *ct
+     return 1;
+ }
+ 
++static int devcrypto_test_digest(size_t digest_data_index)
++{
++    struct session_op sess1, sess2;
++    struct cphash_op cphash;
++    int ret=0;
++
++    memset(&sess1, 0, sizeof(sess1));
++    memset(&sess2, 0, sizeof(sess2));
++    sess1.mac = digest_data[digest_data_index].devcryptoid;
++    if (ioctl(cfd, CIOCGSESSION, &sess1) < 0)
++        return 0;
++    /* Make sure the driver is capable of hash state copy */
++    sess2.mac = sess1.mac;
++    if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) {
++        cphash.src_ses = sess1.ses;
++        cphash.dst_ses = sess2.ses;
++        if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0)
++            ret = 1;
++        ioctl(cfd, CIOCFSESSION, &sess2.ses);
++    }
++    ioctl(cfd, CIOCFSESSION, &sess1.ses);
++    return ret;
++}
++
+ /*
+  * Keep a table of known nids and associated methods.
+  * Note that known_digest_nids[] isn't necessarily indexed the same way as
+@@ -613,20 +637,14 @@ static EVP_MD *known_digest_methods[OSSL
+ static void prepare_digest_methods(void)
+ {
+     size_t i;
+-    struct session_op sess;
+-
+-    memset(&sess, 0, sizeof(sess));
+ 
+     for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
+          i++) {
+ 
+         /*
+-         * Check that the algo is really availably by trying to open and close
+-         * a session.
++         * Check that the algo is usable
+          */
+-        sess.mac = digest_data[i].devcryptoid;
+-        if (ioctl(cfd, CIOCGSESSION, &sess) < 0
+-            || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
++        if (!devcrypto_test_digest(i))
+             continue;
+ 
+         if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,