aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/openssl
diff options
context:
space:
mode:
authorEneas U de Queiroz <cote2004-github@yahoo.com>2018-10-24 11:25:00 -0300
committerHauke Mehrtens <hauke@hauke-m.de>2019-02-12 22:23:26 +0100
commitd872d00b2f7e31b98e11e83922d1aaefc270647e (patch)
tree70a74b004144e1a2d16c71b6d4aff626e085c498 /package/libs/openssl
parentbe3892284ca77a69615351b106b8dfbadad728c4 (diff)
downloadupstream-d872d00b2f7e31b98e11e83922d1aaefc270647e.tar.gz
upstream-d872d00b2f7e31b98e11e83922d1aaefc270647e.tar.bz2
upstream-d872d00b2f7e31b98e11e83922d1aaefc270647e.zip
openssl: update to version 1.1.1a
This version adds the following functionality: * TLS 1.3 * AFALG engine support for hardware accelleration * x25519 ECC curve support * CRIME protection: disable use of compression by default * Support for ChaCha20 and Poly1305 Patches fixing bugs in the /dev/crypto engine were applied, from https://github.com/openssl/openssl/pull/7585 This increses the size of the ipk binray on MIPS32 by about 32%: old: 693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk 193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk new: 912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk 239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Diffstat (limited to 'package/libs/openssl')
-rw-r--r--package/libs/openssl/Config.in65
-rw-r--r--package/libs/openssl/Makefile117
-rw-r--r--package/libs/openssl/patches/100-Configure-afalg-support.patch23
-rw-r--r--package/libs/openssl/patches/100-openwrt_targets.patch44
-rw-r--r--package/libs/openssl/patches/110-openwrt_targets.patch60
-rw-r--r--package/libs/openssl/patches/110-perl-path.patch64
-rw-r--r--package/libs/openssl/patches/120-makefile-dirs.patch11
-rw-r--r--package/libs/openssl/patches/120-strip-cflags-from-binary.patch21
-rw-r--r--package/libs/openssl/patches/130-disable_doc_tests.patch58
-rw-r--r--package/libs/openssl/patches/130-dont-build-tests-fuzz.patch29
-rw-r--r--package/libs/openssl/patches/140-bash_path.patch8
-rw-r--r--package/libs/openssl/patches/150-fix_link_segfault.patch18
-rw-r--r--package/libs/openssl/patches/160-remove_timestamp_check.patch23
-rw-r--r--package/libs/openssl/patches/170-parallel_build.patch184
-rw-r--r--package/libs/openssl/patches/180-strip-cflags-from-binary.patch21
-rw-r--r--package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch42
-rw-r--r--package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch37
-rw-r--r--package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch53
-rw-r--r--package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch46
-rw-r--r--package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch54
-rw-r--r--package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch217
-rw-r--r--package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch71
22 files changed, 774 insertions, 492 deletions
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index fe73229915..53b91ddb94 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -53,7 +53,9 @@ config OPENSSL_WITH_DEPRECATED
default y
prompt "Include deprecated APIs (See help for a list of packages that need this)"
help
- Squid currently requires this.
+ Since openssl 1.1.x is still new to openwrt, some packages
+ requiring this option do not list it as a requirement yet:
+ * freeswitch-stable, freeswitch, python, python3, squid.
config OPENSSL_NO_DEPRECATED
bool
@@ -68,6 +70,21 @@ config OPENSSL_WITH_ERROR_MESSAGES
comment "Protocol Support"
+config OPENSSL_WITH_TLS13
+ bool
+ default y
+ prompt "Enable support for TLS 1.3"
+ select OPENSSL_WITH_EC
+ help
+ TLS 1.3 is the newest version of the TLS specification.
+ It aims:
+ * to increase the overall security of the protocol,
+ removing outdated algorithms, and encrypting more of the
+ protocol;
+ * to increase performance by reducing the number of round-trips
+ when performing a full handshake.
+ It increases package size by ~4KB.
+
config OPENSSL_WITH_DTLS
bool
prompt "Enable DTLS support"
@@ -120,6 +137,16 @@ config OPENSSL_WITH_EC2M
This option enables the more efficient, yet less common, binary
field elliptic curves.
+config OPENSSL_WITH_CHACHA_POLY1305
+ bool
+ default y
+ prompt "Enable ChaCha20-Poly1305 ciphersuite support"
+ help
+ ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
+ combining ChaCha stream cipher with Poly1305 MAC.
+ It is 3x faster than AES, when not using a CPU with AES-specific
+ instructions, as is the case of most embedded devices.
+
config OPENSSL_WITH_PSK
bool
default y
@@ -129,6 +156,12 @@ config OPENSSL_WITH_PSK
comment "Less commonly used build options"
+config OPENSSL_WITH_ARIA
+ bool
+ prompt "Enable ARIA support"
+ help
+ ARIA is a block cipher developed in South Korea, based on AES.
+
config OPENSSL_WITH_CAMELLIA
bool
prompt "Enable Camellia cipher support"
@@ -149,6 +182,23 @@ config OPENSSL_WITH_SEED
SEED is a block cipher with 128-bit keys broadly used in
South Korea, but seldom found elsewhere.
+config OPENSSL_WITH_SM234
+ bool
+ prompt "Enable SM2/3/4 algorithms support"
+ help
+ These algorithms are a set of "Commercial Cryptography"
+ algorithms approved for use in China.
+ * SM2 is an EC algorithm equivalent to ECDSA P-256
+ * SM3 is a hash function equivalent to SHA-256
+ * SM4 is a 128-block cipher equivalent to AES-128
+
+config OPENSSL_WITH_BLAKE2
+ bool
+ prompt "Enable BLAKE2 digest support"
+ help
+ BLAKE2 is a cryptographic hash function based on the ChaCha
+ stream cipher.
+
config OPENSSL_WITH_MDC2
bool
prompt "Enable MDC2 digest support"
@@ -199,10 +249,14 @@ config OPENSSL_ENGINE_CRYPTO
API modules) for /dev/crypto to show up and use hardware
acceleration; otherwise it falls back to software.
-config OPENSSL_ENGINE_DIGEST
+config OPENSSL_WITH_ASYNC
bool
- depends on OPENSSL_ENGINE_CRYPTO
- prompt "/dev/crypto digest (md5/sha1) acceleration support"
+ prompt "Enable asynchronous jobs support"
+ depends on OPENSSL_ENGINE && USE_GLIBC
+ help
+ Enables async-aware applications to be able to use OpenSSL to
+ initiate crypto operations asynchronously. In order to work
+ this will require the presence of an async capable engine.
config OPENSSL_WITH_GOST
bool
@@ -211,6 +265,9 @@ config OPENSSL_WITH_GOST
help
This option prepares the library to accept engine support
for Russian GOST crypto algorithms.
+ The gost engine is not included in standard openwrt feeds.
+ To build such engine yourself, see:
+ https://github.com/gost-engine/engine
endif
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index d9b1de2581..27746c15c6 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -8,11 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=openssl
-PKG_BASE:=1.0.2
-PKG_BUGFIX:=q
+PKG_BASE:=1.1.1
+PKG_BUGFIX:=a
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
PKG_RELEASE:=2
PKG_USE_MIPS16:=0
+ENGINES_DIR=engines-1.1
PKG_BUILD_PARALLEL:=0
PKG_BUILD_DEPENDS:=cryptodev-linux
@@ -24,8 +25,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684
-ENGINES_DIR=engines
+PKG_HASH:=fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41
PKG_LICENSE:=OpenSSL
PKG_LICENSE_FILES:=LICENSE
@@ -33,11 +33,14 @@ PKG_CPE_ID:=cpe:/a:openssl:openssl
PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_ENGINE \
CONFIG_OPENSSL_ENGINE_CRYPTO \
- CONFIG_OPENSSL_ENGINE_DIGEST \
CONFIG_OPENSSL_NO_DEPRECATED \
CONFIG_OPENSSL_OPTIMIZE_SPEED \
+ CONFIG_OPENSSL_WITH_ARIA \
CONFIG_OPENSSL_WITH_ASM \
+ CONFIG_OPENSSL_WITH_ASYNC \
+ CONFIG_OPENSSL_WITH_BLAKE2 \
CONFIG_OPENSSL_WITH_CAMELLIA \
+ CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \
CONFIG_OPENSSL_WITH_CMS \
CONFIG_OPENSSL_WITH_COMPRESSION \
CONFIG_OPENSSL_WITH_DTLS \
@@ -51,8 +54,10 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_PSK \
CONFIG_OPENSSL_WITH_RFC3779 \
CONFIG_OPENSSL_WITH_SEED \
+ CONFIG_OPENSSL_WITH_SM234 \
CONFIG_OPENSSL_WITH_SRP \
CONFIG_OPENSSL_WITH_SSE2 \
+ CONFIG_OPENSSL_WITH_TLS13 \
CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
@@ -85,7 +90,7 @@ $(call Package/openssl/Default)
SUBMENU:=SSL
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
TITLE+= (libraries)
- ABI_VERSION:=1.0.0
+ ABI_VERSION:=1.1
MENU:=1
endef
@@ -111,18 +116,19 @@ $(call Package/openssl/Default/description)
This package contains the OpenSSL command-line utility.
endef
-define Package/libopenssl-gost
+define Package/libopenssl-afalg
$(call Package/openssl/Default)
SUBMENU:=SSL
- TITLE:=Russian GOST algorithms engine
- DEPENDS:=libopenssl +@OPENSSL_WITH_GOST
+ TITLE:=AFALG hardware acceleration engine
+ DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO @!LINUX_3_18 +kmod-crypto-user
endef
-define Package/libopenssl-gost/description
-This package adds an engine that enables Russian GOST algorithms.
+define Package/libopenssl-afalg/description
+This package adds an engine that enables hardware acceleration
+through the AF_ALG kernel interface.
To use it, you need to configure the engine in /etc/ssl/openssl.cnf
-See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
-The engine_id is "gost"
+See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+The engine_id is "afalg"
endef
define Package/libopenssl-padlock
@@ -135,11 +141,23 @@ endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
To use it, you need to configure it in /etc/ssl/openssl.cnf.
-See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
+See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
The engine_id is "padlock"
endef
-OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method
+OPENSSL_OPTIONS:= shared
+
+ifndef CONFIG_OPENSSL_WITH_BLAKE2
+ OPENSSL_OPTIONS += no-blake2
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
+ OPENSSL_OPTIONS += no-chacha no-poly1305
+endif
+
+ifndef CONFIG_OPENSSL_WITH_ASYNC
+ OPENSSL_OPTIONS += no-async
+endif
ifndef CONFIG_OPENSSL_WITH_EC
OPENSSL_OPTIONS += no-ec
@@ -153,6 +171,18 @@ ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
OPENSSL_OPTIONS += no-err
endif
+ifndef CONFIG_OPENSSL_WITH_TLS13
+ OPENSSL_OPTIONS += no-tls1_3
+endif
+
+ifndef CONFIG_OPENSSL_WITH_ARIA
+ OPENSSL_OPTIONS += no-aria
+endif
+
+ifndef CONFIG_OPENSSL_WITH_SM234
+ OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4
+endif
+
ifndef CONFIG_OPENSSL_WITH_CAMELLIA
OPENSSL_OPTIONS += no-camellia
endif
@@ -177,8 +207,8 @@ ifndef CONFIG_OPENSSL_WITH_CMS
OPENSSL_OPTIONS += no-cms
endif
-ifdef CONFIG_OPENSSL_WITH_RFC3779
- OPENSSL_OPTIONS += enable-rfc3779
+ifndef CONFIG_OPENSSL_WITH_RFC3779
+ OPENSSL_OPTIONS += no-rfc3779
endif
ifdef CONFIG_OPENSSL_NO_DEPRECATED
@@ -193,10 +223,10 @@ endif
ifdef CONFIG_OPENSSL_ENGINE
ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
- OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
- ifdef CONFIG_OPENSSL_ENGINE_DIGEST
- OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
- endif
+ OPENSSL_OPTIONS += enable-devcryptoeng
+ endif
+ ifndef CONFIG_PACKAGE_libopenssl-afalg
+ OPENSSL_OPTIONS += no-afalgeng
endif
ifndef CONFIG_PACKAGE_libopenssl-padlock
OPENSSL_OPTIONS += no-hw-padlock
@@ -209,10 +239,8 @@ ifndef CONFIG_OPENSSL_WITH_GOST
OPENSSL_OPTIONS += no-gost
endif
-# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code,
-# but openssl util gets built without it
ifndef CONFIG_OPENSSL_WITH_DTLS
- OPENSSL_OPTIONS += no-dtls no-dtls1
+ OPENSSL_OPTIONS += no-dtls
endif
ifdef CONFIG_OPENSSL_WITH_COMPRESSION
@@ -261,12 +289,6 @@ define Build/Configure
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) \
)
- +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
- CROSS_COMPILE="$(TARGET_CROSS)" \
- MAKEDEPPROG="$(TARGET_CROSS)gcc" \
- OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
- $(OPENSSL_MAKEFLAGS) \
- depend
endef
TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
@@ -276,35 +298,16 @@ define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
- ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
- AR="$(TARGET_CROSS)ar r" \
- RANLIB="$(TARGET_CROSS)ranlib" \
+ SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
all
- +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
- CROSS_COMPILE="$(TARGET_CROSS)" \
- CC="$(TARGET_CC)" \
- ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
- AR="$(TARGET_CROSS)ar r" \
- RANLIB="$(TARGET_CROSS)ranlib" \
- OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
- $(OPENSSL_MAKEFLAGS) \
- build-shared
- # Work around openssl build bug to link libssl.so with libcrypto.so.
- -rm $(PKG_BUILD_DIR)/libssl.so.*.*.*
- +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
- CROSS_COMPILE="$(TARGET_CROSS)" \
- CC="$(TARGET_CC)" \
- OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
- $(OPENSSL_MAKEFLAGS) \
- do_linux-shared
$(MAKE) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
- INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \
+ DESTDIR="$(PKG_INSTALL_DIR)" \
$(OPENSSL_MAKEFLAGS) \
- install
+ install_sw install_ssldirs
endef
define Build/InstallDev
@@ -334,17 +337,17 @@ define Package/openssl-util/install
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
endef
-define Package/libopenssl-padlock/install
+define Package/libopenssl-afalg/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
endef
-define Package/libopenssl-gost/install
+define Package/libopenssl-padlock/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
endef
$(eval $(call BuildPackage,libopenssl))
-$(eval $(call BuildPackage,libopenssl-gost))
+$(eval $(call BuildPackage,libopenssl-afalg))
$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch
new file mode 100644
index 0000000000..f5f32c2818
--- /dev/null
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -0,0 +1,23 @@
+From bf4f3a5696c65b4a48935599ccba43311c114c95 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:29:21 -0300
+Subject: Do not use host kernel version to disable AFALG
+
+This patch prevents the Configure script from using the host kernel
+version to disable building the AFALG engine on openwrt targets.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/Configure
++++ b/Configure
+@@ -1554,7 +1554,9 @@ unless ($disabled{"crypto-mdebug-backtra
+
+ unless ($disabled{afalgeng}) {
+ $config{afalgeng}="";
+- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
++ if ($target =~ m/openwrt$/) {
++ push @{$config{engdirs}}, "afalg";
++ } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+ my $minver = 4*10000 + 1*100 + 0;
+ if ($config{CROSS_COMPILE} eq "") {
+ my $verstr = `uname -r`;
diff --git a/package/libs/openssl/patches/100-openwrt_targets.patch b/package/libs/openssl/patches/100-openwrt_targets.patch
deleted file mode 100644
index 52a51f9f47..0000000000
--- a/package/libs/openssl/patches/100-openwrt_targets.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz <cote2004-github@yahoo.com>
-Date: Wed, 26 Sep 2018 16:21:27 -0300
-Subject: Add openwrt targets
-
-Targets are named: linux-$(CONFIG_ARCH)-openwrt
-
-Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
-
---- a/Configure
-+++ b/Configure
-@@ -470,6 +470,32 @@ my %table=(
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-
-+# OpenWrt targets
-+# from linux-aarch64
-+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-generic32
-+"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-armv4
-+"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-armv4
-+"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-elf
-+"linux-i386-openwrt", "gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-mips32
-+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux64-mips64
-+"linux-mips64-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+# from linux64-mips64
-+"linux-mips64el-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+# from linux-mips32
-+"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-ppc
-+"linux-powerpc-openwrt", "gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-x86_64
-+"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+# from linux-generic32
-+"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+
- # Android: linux-* but without pointers to headers and libs.
- "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch
new file mode 100644
index 0000000000..bc49e27aeb
--- /dev/null
+++ b/package/libs/openssl/patches/110-openwrt_targets.patch
@@ -0,0 +1,60 @@
+From 9a83f8fb7c46215dfb8d6dc2e2cc612bc2a0fd01 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:30:24 -0300
+Subject: Add openwrt targets
+
+Targets are named: linux-$(CONFIG_ARCH)-openwrt
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- /dev/null
++++ b/Configurations/25-openwrt.conf
+@@ -0,0 +1,48 @@
++## Openwrt "CONFIG_ARCH" matching targets.
++
++# The targets need to end in '-openwrt' for the AFALG patch to work
++
++my %targets = (
++ "openwrt" => {
++ template => 1,
++ CFLAGS => add("\$(OPENWRT_OPTIMIZATION_FLAGS)"),
++ },
++ "linux-aarch64-openwrt" => {
++ inherit_from => [ "linux-aarch64", "openwrt" ],
++ },
++ "linux-arc-openwrt" => {
++ inherit_from => [ "linux-generic32", "openwrt" ],
++ },
++ "linux-arm-openwrt" => {
++ inherit_from => [ "linux-armv4", "openwrt" ],
++ },
++ "linux-armeb-openwrt" => {
++ inherit_from => [ "linux-armv4", "openwrt" ],
++ },
++ "linux-i386-openwrt" => {
++ inherit_from => [ "linux-x86", "openwrt" ],
++ },
++ "linux-mips-openwrt" => {
++ inherit_from => [ "linux-mips32", "openwrt" ],
++ },
++ "linux-mips64-openwrt" => {
++ inherit_from => [ "linux64-mips64", "openwrt" ],
++ },
++ "linux-mips64el-openwrt" => {
++ inherit_from => [ "linux64-mips64", "openwrt" ],
++ },
++ "linux-mipsel-openwrt" => {
++ inherit_from => [ "linux-mips32", "openwrt" ],
++ },
++ "linux-powerpc-openwrt" => {
++ inherit_from => [ "linux-ppc", "openwrt" ],
++ },
++ "linux-x86_64-openwrt" => {
++ inherit_from => [ "linux-x86_64", "openwrt" ],
++ },
++
++### Basic default option
++ "linux-generic32-openwrt" => {
++ inherit_from => [ "linux-generic32", "openwrt" ],
++ },
++);
diff --git a/package/libs/openssl/patches/110-perl-path.patch b/package/libs/openssl/patches/110-perl-path.patch
deleted file mode 100644
index 2dbdc76010..0000000000
--- a/package/libs/openssl/patches/110-perl-path.patch
+++ /dev/null
@@ -1,64 +0,0 @@
---- a/Configure
-+++ b/Configure
-@@ -1,4 +1,4 @@
--:
-+#!/usr/bin/perl
- eval 'exec perl -S $0 ${1+"$@"}'
- if $running_under_some_shell;
- ##
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl
-+#!/usr/bin/perl
-
- # Perl c_rehash script, scan all files in a directory
- # and add symbolic links to their hash values.
---- a/util/clean-depend.pl
-+++ b/util/clean-depend.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- # Clean the dependency list in a makefile of standard includes...
- # Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999
-
---- a/util/mkdef.pl
-+++ b/util/mkdef.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- #
- # generate a .def file
- #
---- a/util/mkerr.pl
-+++ b/util/mkerr.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
-
- my $config = "crypto/err/openssl.ec";
- my $hprefix = "openssl/";
---- a/util/mkstack.pl
-+++ b/util/mkstack.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
-
- # This is a utility that searches out "DECLARE_STACK_OF()"
- # declarations in .h and .c files, and updates/creates/replaces
---- a/util/pod2man.pl
-+++ b/util/pod2man.pl
-@@ -1,4 +1,4 @@
--: #!/usr/bin/perl-5.005
-+#!/usr/bin/perl
- eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
- if $running_under_some_shell;
-
---- a/util/selftest.pl
-+++ b/util/selftest.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- #
- # Run the test suite and generate a report
- #
diff --git a/package/libs/openssl/patches/120-makefile-dirs.patch b/package/libs/openssl/patches/120-makefile-dirs.patch
deleted file mode 100644
index 5bcb316486..0000000000
--- a/package/libs/openssl/patches/120-makefile-dirs.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -137,7 +137,7 @@ FIPSCANLIB=
-
- BASEADDR=
-
--DIRS= crypto ssl engines apps test tools
-+DIRS= crypto ssl engines apps
- ENGDIRS= ccgost
- SHLIBDIRS= crypto ssl
-
diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
new file mode 100644
index 0000000000..d6e35b7451
--- /dev/null
+++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
@@ -0,0 +1,21 @@
+From f453f3eccb852740e37e9436dac5670d311c13b0 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:31:38 -0300
+Subject: void exposing build directories
+
+The CFLAGS contain the build directories, and are shown by calling
+OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/crypto/build.info
++++ b/crypto/build.info
+@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink
+ ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
+
+ DEPEND[cversion.o]=buildinf.h
+-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"
+ DEPEND[buildinf.h]=../configdata.pm
+
+ GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
diff --git a/package/libs/openssl/patches/130-disable_doc_tests.patch b/package/libs/openssl/patches/130-disable_doc_tests.patch
deleted file mode 100644
index e38d44a768..0000000000
--- a/package/libs/openssl/patches/130-disable_doc_tests.patch
+++ /dev/null
@@ -1,58 +0,0 @@
---- a/Makefile
-+++ b/Makefile
-@@ -139,7 +139,7 @@ FIPSCANLIB=
-
- BASEADDR=0xFB00000
-
--DIRS= crypto ssl engines apps test tools
-+DIRS= crypto ssl engines apps tools
- ENGDIRS= ccgost
- SHLIBDIRS= crypto ssl
-
-@@ -157,7 +157,7 @@ SDIRS= \
-
- # tests to perform. "alltests" is a special word indicating that all tests
- # should be performed.
--TESTS = alltests
-+TESTS =
-
- MAKEFILE= Makefile
-
-@@ -171,7 +171,7 @@ SHELL=/bin/sh
-
- TOP= .
- ONEDIRS=out tmp
--EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS
-+EDIRS= times bugs util include certs ms shlib mt demos perl sf dep VMS
- WDIRS= windows
- LIBS= libcrypto.a libssl.a
- SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
-@@ -276,7 +276,7 @@ reflect:
-
- sub_all: build_all
-
--build_all: build_libs build_apps build_tests build_tools
-+build_all: build_libs build_apps build_tools
-
- build_libs: build_libcrypto build_libssl openssl.pc
-
-@@ -542,7 +542,7 @@ dist:
- @$(MAKE) SDIRS='$(SDIRS)' clean
- @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
-
--install: all install_docs install_sw
-+install: all install_sw
-
- install_sw:
- @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -540,7 +540,7 @@ dist:
- @$(MAKE) SDIRS='$(SDIRS)' clean
- @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
-
--install: all install_docs install_sw
-+install: all install_sw
-
- install_sw:
- @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
new file mode 100644
index 0000000000..7c61b1e292
--- /dev/null
+++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
@@ -0,0 +1,29 @@
+From e2339aa9c68837089d17cf309022cee497fe2412 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:34:38 -0300
+Subject: Do not build tests and fuzz directories
+
+This shortens build time.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/Configure
++++ b/Configure
+@@ -299,7 +299,7 @@ my $auto_threads=1; # enable threads
+ my $default_ranlib;
+
+ # Top level directories to build
+-$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ];
++$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ];
+ # crypto/ subdirectories to build
+ $config{sdirs} = [
+ "objects",
+@@ -311,7 +311,7 @@ $config{sdirs} = [
+ "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
+ ];
+ # test/ subdirectories to build
+-$config{tdirs} = [ "ossl_shim" ];
++$config{tdirs} = [];
+
+ # Known TLS and DTLS protocols
+ my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3);
diff --git a/package/libs/openssl/patches/140-bash_path.patch b/package/libs/openssl/patches/140-bash_path.patch
deleted file mode 100644
index c29b59afdd..0000000000
--- a/package/libs/openssl/patches/140-bash_path.patch
+++ /dev/null
@@ -1,8 +0,0 @@
---- a/util/domd
-+++ b/util/domd
-@@ -1,4 +1,4 @@
--#!/bin/sh
-+#!/usr/bin/env bash
- # Do a makedepend, only leave out the standard headers
- # Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999
-
diff --git a/package/libs/openssl/patches/150-fix_link_segfault.patch b/package/libs/openssl/patches/150-fix_link_segfault.patch
deleted file mode 100644
index 3e36beb49c..0000000000
--- a/package/libs/openssl/patches/150-fix_link_segfault.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/Makefile.shared
-+++ b/Makefile.shared
-@@ -95,7 +95,6 @@ LINK_APP= \
- LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
- LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
- LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
-- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
- $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )
-
- LINK_SO= \
-@@ -105,7 +104,6 @@ LINK_SO= \
- SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
- LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
- LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
-- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
- $${SHAREDCMD} $${SHAREDFLAGS} \
- -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
- $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
diff --git a/package/libs/openssl/patches/160-remove_timestamp_check.patch b/package/libs/openssl/patches/160-remove_timestamp_check.patch
deleted file mode 100644
index 424e66063c..0000000000
--- a/package/libs/openssl/patches/160-remove_timestamp_check.patch
+++ /dev/null
@@ -1,23 +0,0 @@
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -185,7 +185,7 @@ TARFILE= ../$(NAME).tar
- EXHEADER= e_os2.h
- HEADER= e_os.h
-
--all: Makefile build_all
-+all: build_all
-
- # as we stick to -e, CLEARENV ensures that local variables in lower
- # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
-@@ -404,11 +404,6 @@ openssl.pc: Makefile
- echo 'Version: '$(VERSION); \
- echo 'Requires: libssl libcrypto' ) > openssl.pc
-
--Makefile: Makefile.org Configure config
-- @echo "Makefile is older than Makefile.org, Configure or config."
-- @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
-- @false
--
- libclean:
- rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
-
diff --git a/package/libs/openssl/patches/170-parallel_build.patch b/package/libs/openssl/patches/170-parallel_build.patch
deleted file mode 100644
index cbe5d51241..0000000000
--- a/package/libs/openssl/patches/170-parallel_build.patch
+++ /dev/null
@@ -1,184 +0,0 @@
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -282,17 +282,17 @@ build_libcrypto: build_crypto build_engi
- build_libssl: build_ssl libssl.pc
-
- build_crypto:
-- @dir=crypto; target=all; $(BUILD_ONE_CMD)
-+ +@dir=crypto; target=all; $(BUILD_ONE_CMD)
- build_ssl: build_crypto
-- @dir=ssl; target=all; $(BUILD_ONE_CMD)
-+ +@dir=ssl; target=all; $(BUILD_ONE_CMD)
- build_engines: build_crypto
-- @dir=engines; target=all; $(BUILD_ONE_CMD)
-+ +@dir=engines; target=all; $(BUILD_ONE_CMD)
- build_apps: build_libs
-- @dir=apps; target=all; $(BUILD_ONE_CMD)
-+ +@dir=apps; target=all; $(BUILD_ONE_CMD)
- build_tests: build_libs
-- @dir=test; target=all; $(BUILD_ONE_CMD)
-+ +@dir=test; target=all; $(BUILD_ONE_CMD)
- build_tools: build_libs
-- @dir=tools; target=all; $(BUILD_ONE_CMD)
-+ +@dir=tools; target=all; $(BUILD_ONE_CMD)
-
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -473,7 +473,7 @@ update: errors stacks util/libeay.num ut
- @set -e; target=update; $(RECURSIVE_BUILD_CMD)
-
- depend:
-- @set -e; target=depend; $(RECURSIVE_BUILD_CMD)
-+ +@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
-
- lint:
- @set -e; target=lint; $(RECURSIVE_BUILD_CMD)
-@@ -535,9 +535,9 @@ dist:
- @$(MAKE) SDIRS='$(SDIRS)' clean
- @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
-
--install: all install_sw
-+install: install_sw
-
--install_sw:
-+install_dirs:
- @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
- $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
- $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-@@ -546,12 +546,19 @@ install_sw:
- $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
- $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
- $(INSTALL_PREFIX)$(OPENSSLDIR)/private
-+ @$(PERL) $(TOP)/util/mkdir-p.pl \
-+ $(INSTALL_PREFIX)$(MANDIR)/man1 \
-+ $(INSTALL_PREFIX)$(MANDIR)/man3 \
-+ $(INSTALL_PREFIX)$(MANDIR)/man5 \
-+ $(INSTALL_PREFIX)$(MANDIR)/man7
-+
-+install_sw: install_dirs
- @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
- do \
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
-- @set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+ +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- @set -e; liblist="$(LIBS)"; for i in $$liblist ;\
- do \
- if [ -f "$$i" ]; then \
-@@ -635,12 +642,7 @@ install_html_docs:
- done; \
- done
-
--install_docs:
-- @$(PERL) $(TOP)/util/mkdir-p.pl \
-- $(INSTALL_PREFIX)$(MANDIR)/man1 \
-- $(INSTALL_PREFIX)$(MANDIR)/man3 \
-- $(INSTALL_PREFIX)$(MANDIR)/man5 \
-- $(INSTALL_PREFIX)$(MANDIR)/man7
-+install_docs: install_dirs
- @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
- here="`pwd`"; \
- filecase=; \
---- a/Makefile.shared
-+++ b/Makefile.shared
-@@ -120,6 +120,7 @@ SYMLINK_SO= \
- done; \
- fi; \
- if [ -n "$$SHLIB_SOVER" ]; then \
-+ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
- ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
- ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
- fi; \
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -87,11 +87,11 @@ testapps:
- @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
-
- subdirs:
-- @target=all; $(RECURSIVE_MAKE)
-+ +@target=all; $(RECURSIVE_MAKE)
-
- files:
- $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
-- @target=files; $(RECURSIVE_MAKE)
-+ +@target=files; $(RECURSIVE_MAKE)
-
- links:
- @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -102,7 +102,7 @@ links:
- # lib: $(LIB): are splitted to avoid end-less loop
- lib: $(LIB)
- @touch lib
--$(LIB): $(LIBOBJ)
-+$(LIB): $(LIBOBJ) | subdirs
- $(AR) $(LIB) $(LIBOBJ)
- test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
- $(RANLIB) $(LIB) || echo Never mind.
-@@ -113,7 +113,7 @@ shared: buildinf.h lib subdirs
- fi
-
- libs:
-- @target=lib; $(RECURSIVE_MAKE)
-+ +@target=lib; $(RECURSIVE_MAKE)
-
- install:
- @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -122,7 +122,7 @@ install:
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
-- @target=install; $(RECURSIVE_MAKE)
-+ +@target=install; $(RECURSIVE_MAKE)
-
- lint:
- @target=lint; $(RECURSIVE_MAKE)
---- a/engines/Makefile
-+++ b/engines/Makefile
-@@ -72,7 +72,7 @@ top:
-
- all: lib subdirs
-
--lib: $(LIBOBJ)
-+lib: $(LIBOBJ) | subdirs
- @if [ -n "$(SHARED_LIBS)" ]; then \
- set -e; \
- for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@ lib: $(LIBOBJ)
-
- subdirs:
- echo $(EDIRS)
-- @target=all; $(RECURSIVE_MAKE)
-+ +@target=all; $(RECURSIVE_MAKE)
-
- files:
- $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@ install:
- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- done; \
- fi
-- @target=install; $(RECURSIVE_MAKE)
-+ +@target=install; $(RECURSIVE_MAKE)
-
- tags:
- ctags $(SRC)
---- a/test/Makefile
-+++ b/test/Makefile
-@@ -145,7 +145,7 @@ install:
- tags:
- ctags $(SRC)
-
--tests: exe apps $(TESTS)
-+tests: exe $(TESTS)
-
- apps:
- @(cd ..; $(MAKE) DIRS=apps all)
-@@ -593,7 +593,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl
- # fi
-
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
-- @target=dummytest; $(BUILD_CMD)
-+ +@target=dummytest; $(BUILD_CMD)
-
- # DO NOT DELETE THIS LINE -- make depend depends on it.
-
diff --git a/package/libs/openssl/patches/180-strip-cflags-from-binary.patch b/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
deleted file mode 100644
index e70bd077d5..0000000000
--- a/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From f17f027c258338994a6167091a398c0cc1588acb Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz <cote2004-github@yahoo.com>
-Date: Wed, 26 Sep 2018 18:04:58 -0300
-Subject: Avoid exposing build directories
-
-The CFLAGS contain the build directories, and are shown by calling
-SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a
-
-Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
-
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -57,7 +57,7 @@ top:
- all: shared
-
- buildinf.h: ../Makefile
-- $(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
-+ $(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h
-
- x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl
- $(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
diff --git a/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch b/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch
new file mode 100644
index 0000000000..228654f03c
--- /dev/null
+++ b/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch
@@ -0,0 +1,42 @@
+From be5cf61caa425070ec4f3e925d4e9aa484c8315b Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 5 Nov 2018 17:59:42 -0200
+Subject: [PATCH 1/7] eng_devcrypto: don't leak methods tables
+
+Call functions to prepare methods after confirming that /dev/crytpo was
+sucessfully open and that the destroy function has been set.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit d9d4dff5c640990d45af115353fc9f88a497a56c)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -619,11 +619,6 @@ void engine_load_devcrypto_int()
+ return;
+ }
+
+- prepare_cipher_methods();
+-#ifdef IMPLEMENT_DIGEST
+- prepare_digest_methods();
+-#endif
+-
+ if ((e = ENGINE_new()) == NULL
+ || !ENGINE_set_destroy_function(e, devcrypto_unload)) {
+ ENGINE_free(e);
+@@ -636,6 +631,11 @@ void engine_load_devcrypto_int()
+ return;
+ }
+
++ prepare_cipher_methods();
++#ifdef IMPLEMENT_DIGEST
++ prepare_digest_methods();
++#endif
++
+ if (!ENGINE_set_id(e, "devcrypto")
+ || !ENGINE_set_name(e, "/dev/crypto engine")
+
diff --git a/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch b/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch
new file mode 100644
index 0000000000..9e59a16ac2
--- /dev/null
+++ b/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch
@@ -0,0 +1,37 @@
+From add2ab1f289c24a1563c5b895d5cd133fe874f12 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 14 Nov 2018 11:22:14 -0200
+Subject: [PATCH 2/7] eng_devcrypto: expand digest failure cases
+
+Return failure when the digest_ctx is null in digest_update and
+digest_final, and when md is null in digest_final.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit 4d9f99654441e36fdcb49540a1dbc9d4c70ccb68)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -438,6 +438,9 @@ static int digest_update(EVP_MD_CTX *ctx
+ if (count == 0)
+ return 1;
+
++ if (digest_ctx == NULL)
++ return 0;
++
+ if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) {
+ SYSerr(SYS_F_IOCTL, errno);
+ return 0;
+@@ -451,6 +454,8 @@ static int digest_final(EVP_MD_CTX *ctx,
+ struct digest_ctx *digest_ctx =
+ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
+
++ if (md == NULL || digest_ctx == NULL)
++ return 0;
+ if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
+ SYSerr(SYS_F_IOCTL, errno);
+ return 0;
diff --git a/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch b/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch
new file mode 100644
index 0000000000..2cfff604b9
--- /dev/null
+++ b/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch
@@ -0,0 +1,53 @@
+From 68b02a8ab798b7e916c8141a36ab69d7493fc707 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 14 Nov 2018 13:58:06 -0200
+Subject: [PATCH 3/7] eng_devcrypto: fix copy of unitilialized digest
+
+If the source ctx has not been initialized, don't initialize the copy
+either.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit ae8183690fa53b978d4647563f5a521c4cafe94c)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -338,7 +338,8 @@ static int devcrypto_ciphers(ENGINE *e,
+
+ struct digest_ctx {
+ struct session_op sess;
+- int init;
++ /* This signals that the init function was called, not that it succeeded. */
++ int init_called;
+ };
+
+ static const struct digest_data_st {
+@@ -403,7 +404,7 @@ static int digest_init(EVP_MD_CTX *ctx)
+ const struct digest_data_st *digest_d =
+ get_digest_data(EVP_MD_CTX_type(ctx));
+
+- digest_ctx->init = 1;
++ digest_ctx->init_called = 1;
+
+ memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess));
+ digest_ctx->sess.mac = digest_d->devcryptoid;
+@@ -476,14 +477,9 @@ static int digest_copy(EVP_MD_CTX *to, c
+ (struct digest_ctx *)EVP_MD_CTX_md_data(to);
+ struct cphash_op cphash;
+
+- if (digest_from == NULL)
++ if (digest_from == NULL || digest_from->init_called != 1)
+ return 1;
+
+- if (digest_from->init != 1) {
+- SYSerr(SYS_F_IOCTL, EINVAL);
+- return 0;
+- }
+-
+ if (!digest_init(to)) {
+ SYSerr(SYS_F_IOCTL, errno);
+ return 0;
diff --git a/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch b/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch
new file mode 100644
index 0000000000..050853a3d1
--- /dev/null
+++ b/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch
@@ -0,0 +1,46 @@
+From 5378c582c8d3f1130b17abb2950bfd09cde099c6 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 5 Nov 2018 15:59:44 -0200
+Subject: [PATCH 4/7] eng_devcrypto: close session on cleanup, not final
+
+Close the session in digest_cleanup instead of digest_final. A failure
+in closing the session does not mean a previous successful digest final
+has failed as well.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit a67203a19d379a8cc8b369587c60c46eb4e19014)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -461,10 +461,6 @@ static int digest_final(EVP_MD_CTX *ctx,
+ SYSerr(SYS_F_IOCTL, errno);
+ return 0;
+ }
+- if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
+- SYSerr(SYS_F_IOCTL, errno);
+- return 0;
+- }
+
+ return 1;
+ }
+@@ -496,6 +492,15 @@ static int digest_copy(EVP_MD_CTX *to, c
+
+ static int digest_cleanup(EVP_MD_CTX *ctx)
+ {
++ struct digest_ctx *digest_ctx =
++ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
++
++ if (digest_ctx == NULL)
++ return 1;
++ if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
++ SYSerr(SYS_F_IOCTL, errno);
++ return 0;
++ }
+ return 1;
+ }
+
diff --git a/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch b/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch
new file mode 100644
index 0000000000..948ff7c2bc
--- /dev/null
+++ b/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch
@@ -0,0 +1,54 @@
+From a19d1a1d370e2959555fccbafc4e970634840352 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Tue, 13 Nov 2018 09:23:22 -0200
+Subject: [PATCH 5/7] eng_devcrypto: add cipher CTX copy function
+
+The engine needs a custom cipher context copy function to open a new
+/dev/crypto session.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit 6d99e238397859f2df58c60e28905193b2dd6762)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -207,6 +207,22 @@ static int cipher_do_cipher(EVP_CIPHER_C
+ return 1;
+ }
+
++static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2)
++{
++ EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2;
++ struct cipher_ctx *cipher_ctx;
++
++ if (type == EVP_CTRL_COPY) {
++ /* when copying the context, a new session needs to be initialized */
++ cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
++ return (cipher_ctx == NULL)
++ || cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx),
++ (cipher_ctx->op == COP_ENCRYPT));
++ }
++
++ return -1;
++}
++
+ static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
+ {
+ struct cipher_ctx *cipher_ctx =
+@@ -258,10 +274,12 @@ static void prepare_cipher_methods(void)
+ cipher_data[i].ivlen)
+ || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
+ cipher_data[i].flags
++ | EVP_CIPH_CUSTOM_COPY
+ | EVP_CIPH_FLAG_DEFAULT_ASN1)
+ || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
+ || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
+ cipher_do_cipher)
++ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
+ || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
+ cipher_cleanup)
+ || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
diff --git a/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch b/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch
new file mode 100644
index 0000000000..54a9236f13
--- /dev/null
+++ b/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch
@@ -0,0 +1,217 @@
+From 2887a5c8f9a385b3ebee12b98f68e7d1f9cc0ea0 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 28 Nov 2018 11:26:27 -0200
+Subject: [PATCH 6/7] eng_devcrypto: fix ctr mode
+
+Make CTR mode behave like a stream cipher.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit b5015e834aa7d3f0a5d7585a8fae05cecbdbb848)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -47,10 +47,12 @@ static int cfd;
+
+ struct cipher_ctx {
+ struct session_op sess;
+-
+- /* to pass from init to do_cipher */
+- const unsigned char *iv;
+ int op; /* COP_ENCRYPT or COP_DECRYPT */
++ unsigned long mode; /* EVP_CIPH_*_MODE */
++
++ /* to handle ctr mode being a stream cipher */
++ unsigned char partial[EVP_MAX_BLOCK_LENGTH];
++ unsigned int blocksize, num;
+ };
+
+ static const struct cipher_data_st {
+@@ -87,9 +89,9 @@ static const struct cipher_data_st {
+ { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
+ #endif
+ #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
+- { NID_aes_128_ecb, 16, 128 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+- { NID_aes_192_ecb, 16, 192 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+- { NID_aes_256_ecb, 16, 256 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
++ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
++ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
++ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ #endif
+ #if 0 /* Not yet supported */
+ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
+@@ -146,6 +148,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
+ cipher_ctx->sess.keylen = cipher_d->keylen;
+ cipher_ctx->sess.key = (void *)key;
+ cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT;
++ cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE;
++ cipher_ctx->blocksize = cipher_d->blocksize;
+ if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
+ SYSerr(SYS_F_IOCTL, errno);
+ return 0;
+@@ -160,8 +164,11 @@ static int cipher_do_cipher(EVP_CIPHER_C
+ struct cipher_ctx *cipher_ctx =
+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+ struct crypt_op cryp;
++ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
+ #if !defined(COP_FLAG_WRITE_IV)
+ unsigned char saved_iv[EVP_MAX_IV_LENGTH];
++ const unsigned char *ivptr;
++ size_t nblocks, ivlen;
+ #endif
+
+ memset(&cryp, 0, sizeof(cryp));
+@@ -169,19 +176,28 @@ static int cipher_do_cipher(EVP_CIPHER_C
+ cryp.len = inl;
+ cryp.src = (void *)in;
+ cryp.dst = (void *)out;
+- cryp.iv = (void *)EVP_CIPHER_CTX_iv_noconst(ctx);
++ cryp.iv = (void *)iv;
+ cryp.op = cipher_ctx->op;
+ #if !defined(COP_FLAG_WRITE_IV)
+ cryp.flags = 0;
+
+- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
+- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
+- if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+- unsigned char *ivptr = in + inl - EVP_CIPHER_CTX_iv_length(ctx);
++ ivlen = EVP_CIPHER_CTX_iv_length(ctx);
++ if (ivlen > 0)
++ switch (cipher_ctx->mode) {
++ case EVP_CIPH_CBC_MODE:
++ assert(inl >= ivlen);
++ if (!EVP_CIPHER_CTX_encrypting(ctx)) {
++ ivptr = in + inl - ivlen;
++ memcpy(saved_iv, ivptr, ivlen);
++ }
++ break;
++
++ case EVP_CIPH_CTR_MODE:
++ break;
+
+- memcpy(saved_iv, ivptr, EVP_CIPHER_CTX_iv_length(ctx));
++ default: /* should not happen */
++ return 0;
+ }
+- }
+ #else
+ cryp.flags = COP_FLAG_WRITE_IV;
+ #endif
+@@ -192,17 +208,74 @@ static int cipher_do_cipher(EVP_CIPHER_C
+ }
+
+ #if !defined(COP_FLAG_WRITE_IV)
+- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
+- unsigned char *ivptr = saved_iv;
++ if (ivlen > 0)
++ switch (cipher_ctx->mode) {
++ case EVP_CIPH_CBC_MODE:
++ assert(inl >= ivlen);
++ if (EVP_CIPHER_CTX_encrypting(ctx))
++ ivptr = out + inl - ivlen;
++ else
++ ivptr = saved_iv;
++
++ memcpy(iv, ivptr, ivlen);
++ break;
++
++ case EVP_CIPH_CTR_MODE:
++ nblocks = (inl + cipher_ctx->blocksize - 1)
++ / cipher_ctx->blocksize;
++ do {
++ ivlen--;
++ nblocks += iv[ivlen];
++ iv[ivlen] = (uint8_t) nblocks;
++ nblocks >>= 8;
++ } while (ivlen);
++ break;
++
++ default: /* should not happen */
++ return 0;
++ }
++#endif
++
++ return 1;
++}
+
+- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
+- if (!EVP_CIPHER_CTX_encrypting(ctx))
+- ivptr = out + inl - EVP_CIPHER_CTX_iv_length(ctx);
++static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++ const unsigned char *in, size_t inl)
++{
++ struct cipher_ctx *cipher_ctx =
++ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
++ size_t nblocks, len;
+
+- memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), ivptr,
+- EVP_CIPHER_CTX_iv_length(ctx));
++ /* initial partial block */
++ while (cipher_ctx->num && inl) {
++ (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num];
++ --inl;
++ cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize;
++ }
++
++ /* full blocks */
++ if (inl > (unsigned int) cipher_ctx->blocksize) {
++ nblocks = inl/cipher_ctx->blocksize;
++ len = nblocks * cipher_ctx->blocksize;
++ if (cipher_do_cipher(ctx, out, in, len) < 1)
++ return 0;
++ inl -= len;
++ out += len;
++ in += len;
++ }
++
++ /* final partial block */
++ if (inl) {
++ memset(cipher_ctx->partial, 0, cipher_ctx->blocksize);
++ if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial,
++ cipher_ctx->blocksize) < 1)
++ return 0;
++ while (inl--) {
++ out[cipher_ctx->num] = in[cipher_ctx->num]
++ ^ cipher_ctx->partial[cipher_ctx->num];
++ cipher_ctx->num++;
++ }
+ }
+-#endif
+
+ return 1;
+ }
+@@ -249,6 +322,7 @@ static void prepare_cipher_methods(void)
+ {
+ size_t i;
+ struct session_op sess;
++ unsigned long cipher_mode;
+
+ memset(&sess, 0, sizeof(sess));
+ sess.key = (void *)"01234567890123456789012345678901234567890123456789";
+@@ -266,9 +340,12 @@ static void prepare_cipher_methods(void)
+ || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
+ continue;
+
++ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
++
+ if ((known_cipher_methods[i] =
+ EVP_CIPHER_meth_new(cipher_data[i].nid,
+- cipher_data[i].blocksize,
++ cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
++ cipher_data[i].blocksize,
+ cipher_data[i].keylen)) == NULL
+ || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
+ cipher_data[i].ivlen)
+@@ -278,6 +355,8 @@ static void prepare_cipher_methods(void)
+ | EVP_CIPH_FLAG_DEFAULT_ASN1)
+ || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
+ || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
++ cipher_mode == EVP_CIPH_CTR_MODE ?
++ ctr_do_cipher :
+ cipher_do_cipher)
+ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
+ || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
diff --git a/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch b/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch
new file mode 100644
index 0000000000..df871920be
--- /dev/null
+++ b/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch
@@ -0,0 +1,71 @@
+From 488521d77fdc1de5ae256ce0d9203e35ebc92993 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Sat, 8 Dec 2018 18:01:04 -0200
+Subject: [PATCH 7/7] eng_devcrypto: make sure digest can do copy
+
+Digest must be able to do partial-state copy to be used.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit 16e252a01b754a13e83d5e5e87afbe389997926b)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -601,6 +601,30 @@ static int digest_cleanup(EVP_MD_CTX *ct
+ return 1;
+ }
+
++static int devcrypto_test_digest(size_t digest_data_index)
++{
++ struct session_op sess1, sess2;
++ struct cphash_op cphash;
++ int ret=0;
++
++ memset(&sess1, 0, sizeof(sess1));
++ memset(&sess2, 0, sizeof(sess2));
++ sess1.mac = digest_data[digest_data_index].devcryptoid;
++ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0)
++ return 0;
++ /* Make sure the driver is capable of hash state copy */
++ sess2.mac = sess1.mac;
++ if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) {
++ cphash.src_ses = sess1.ses;
++ cphash.dst_ses = sess2.ses;
++ if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0)
++ ret = 1;
++ ioctl(cfd, CIOCFSESSION, &sess2.ses);
++ }
++ ioctl(cfd, CIOCFSESSION, &sess1.ses);
++ return ret;
++}
++
+ /*
+ * Keep a table of known nids and associated methods.
+ * Note that known_digest_nids[] isn't necessarily indexed the same way as
+@@ -613,20 +637,14 @@ static EVP_MD *known_digest_methods[OSSL
+ static void prepare_digest_methods(void)
+ {
+ size_t i;
+- struct session_op sess;
+-
+- memset(&sess, 0, sizeof(sess));
+
+ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
+ i++) {
+
+ /*
+- * Check that the algo is really availably by trying to open and close
+- * a session.
++ * Check that the algo is usable
+ */
+- sess.mac = digest_data[i].devcryptoid;
+- if (ioctl(cfd, CIOCGSESSION, &sess) < 0
+- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
++ if (!devcrypto_test_digest(i))
+ continue;
+
+ if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,