authorEneas U de Queiroz <cote2004-github@yahoo.com>2018-10-22 11:32:56 -0300
committerHauke Mehrtens <hauke@hauke-m.de>2019-02-12 21:14:46 +0100
commitbe3892284ca77a69615351b106b8dfbadad728c4 (patch)
tree63a04a5d53b72ac6d8d86a0f6d3788d4f9c8a3cb
parentb044b52ab9553b8d94cfc5565d2ea5013364159d (diff)
openssl: add configuration options, disable ssl3
Adds the following configuration options: * using optimized assembler code (was always on before) * use of x86 SSE2 instructions * dynamic engine support * include error messages * Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms * RFC3779, CMS protocols * VIA padlock hardware acceleration engine Installs openssl.cnf with the library as it is used by engines independent of the openssl util. Fixes DTLS option that was ineffective before. Disables insecure SSL3 protocol and SHA0. Adds openwrt-specific targets to Configure script, including asm support for i386, ppc and mips64. Strips building dirs from CFLAGS shown in binary. Skips the fuzz directory during build. Removed include/crypto/devcrypto.h that was included here, to use the cryptodev-linux package, now that it has been moved from the packages feed to the main openwrt repository. This decreases the size of the ipk binary on MIPS32 by about 3.3%: old: 706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk 199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk new: 693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk 193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
-rw-r--r--package/libs/openssl/Config.in206
-rw-r--r--package/libs/openssl/Makefile182
-rw-r--r--package/libs/openssl/include/crypto/cryptodev.h292
-rw-r--r--package/libs/openssl/patches/100-openwrt_targets.patch44
-rw-r--r--package/libs/openssl/patches/110-optimize-for-size.patch16
-rw-r--r--package/libs/openssl/patches/110-perl-path.patch (renamed from package/libs/openssl/patches/130-perl-path.patch)0
-rw-r--r--package/libs/openssl/patches/120-makefile-dirs.patch (renamed from package/libs/openssl/patches/140-makefile-dirs.patch)2
-rw-r--r--package/libs/openssl/patches/130-disable_doc_tests.patch (renamed from package/libs/openssl/patches/160-disable_doc_tests.patch)0
-rw-r--r--package/libs/openssl/patches/140-bash_path.patch (renamed from package/libs/openssl/patches/170-bash_path.patch)0
-rw-r--r--package/libs/openssl/patches/150-fix_link_segfault.patch (renamed from package/libs/openssl/patches/180-fix_link_segfault.patch)0
-rw-r--r--package/libs/openssl/patches/150-no_engines.patch81
-rw-r--r--package/libs/openssl/patches/160-remove_timestamp_check.patch (renamed from package/libs/openssl/patches/190-remove_timestamp_check.patch)0
-rw-r--r--package/libs/openssl/patches/170-parallel_build.patch (renamed from package/libs/openssl/patches/200-parallel_build.patch)8
-rw-r--r--package/libs/openssl/patches/180-strip-cflags-from-binary.patch21
14 files changed, 376 insertions, 476 deletions
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index c39e28510f..fe73229915 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -1,72 +1,216 @@
if PACKAGE_libopenssl
-config OPENSSL_WITH_EC
+comment "Build Options"
+
+config OPENSSL_OPTIMIZE_SPEED
+ bool
+ prompt "Enable optimization for speed instead of size"
+ select OPENSSL_WITH_ASM
+ help
+ Enabling this option increases code size (around 20%) and
+ performance. The increase in performance and size depends on the
+ target CPU. EC and AES seem to benefit the most, with EC speed
+ increased by 20%-50% (mipsel & x86).
+ AES-GCM is supposed to be 3x faster on x86. YMMV.
+
+config OPENSSL_WITH_ASM
bool
default y
- prompt "Enable elliptic curve support"
+ prompt "Compile with optimized assembly code"
+ depends on !arc
+ help
+ Disabling this option will reduce code size and performance.
+ The increase in performance and size depends on the target
+ CPU and on the algorithms being optimized. As of 1.1.0i*:
-config OPENSSL_WITH_EC2M
- bool
- depends on OPENSSL_WITH_EC
- prompt "Enable ec2m support"
+ Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
+ aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
+ arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
+ i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
+ mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
+ mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
+ powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
+ x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
-config OPENSSL_WITH_SSL3
+ * Only most common algorithms shown. Your mileage may vary.
+ BN (bignum) performance was measured using RSA sign/verify.
+
+config OPENSSL_WITH_SSE2
bool
- default n
- prompt "Enable sslv3 support"
+ default y if !TARGET_x86_legacy && !TARGET_x86_geode
+ prompt "Enable use of x86 SSE2 instructions"
+ depends on OPENSSL_WITH_ASM && i386
+ help
+ Use of SSE2 instructions greatly increase performance (up to
+ 3x faster) with a minimum (~0.2%, or 23KB) increase in package
+ size, but it will bring no benefit if your hardware does not
+ support them, such as Geode GX and LX. In this case you may
+ save 23KB by saying yes here. AMD Geode NX, and Intel
+ Pentium 4 and above support SSE2.
config OPENSSL_WITH_DEPRECATED
bool
default y
- prompt "Include deprecated APIs"
+ prompt "Include deprecated APIs (See help for a list of packages that need this)"
+ help
+ Squid currently requires this.
config OPENSSL_NO_DEPRECATED
bool
default !OPENSSL_WITH_DEPRECATED
-config OPENSSL_WITH_DTLS
+config OPENSSL_WITH_ERROR_MESSAGES
bool
- default n
- prompt "Enable DTLS support"
+ prompt "Include error messages"
+ help
+ This option aids debugging, but increases package size and
+ memory usage.
-config OPENSSL_WITH_COMPRESSION
+comment "Protocol Support"
+
+config OPENSSL_WITH_DTLS
bool
- default n
- prompt "Enable compression support"
+ prompt "Enable DTLS support"
+ help
+ Datagram Transport Layer Security (DTLS) provides TLS-like security
+ for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
config OPENSSL_WITH_NPN
bool
default y
prompt "Enable NPN support"
+ help
+ NPN is a TLS extension, obsoleted and replaced with ALPN,
+ used to negotiate SPDY, and HTTP/2.
+
+config OPENSSL_WITH_SRP
+ bool
+ default y
+ prompt "Enable SRP support"
+ help
+ The Secure Remote Password protocol (SRP) is an augmented
+ password-authenticated key agreement (PAKE) protocol, specifically
+ designed to work around existing patents.
+
+config OPENSSL_WITH_CMS
+ bool
+ default y
+ prompt "Enable CMS (RFC 5652) support"
+ help
+ Cryptographic Message Syntax (CMS) is used to digitally sign,
+ digest, authenticate, or encrypt arbitrary message content.
+
+comment "Algorithm Selection"
+
+config OPENSSL_WITH_EC
+ bool
+ default y
+ prompt "Enable elliptic curve support"
+ help
+ Elliptic-curve cryptography (ECC) is an approach to public-key
+ cryptography based on the algebraic structure of elliptic curves
+ over finite fields. ECC requires smaller keys compared to non-ECC
+ cryptography to provide equivalent security.
+
+config OPENSSL_WITH_EC2M
+ bool
+ depends on OPENSSL_WITH_EC
+ prompt "Enable ec2m support"
+ help
+ This option enables the more efficient, yet less common, binary
+ field elliptic curves.
config OPENSSL_WITH_PSK
bool
default y
prompt "Enable PSK support"
+ help
+ Build support for Pre-Shared Key based cipher suites.
-config OPENSSL_WITH_SRP
+comment "Less commonly used build options"
+
+config OPENSSL_WITH_CAMELLIA
bool
- default y
- prompt "Enable SRP support"
+ prompt "Enable Camellia cipher support"
+ help
+ Camellia is a bock cipher with security levels and processing
+ abilities comparable to AES.
-config OPENSSL_ENGINE_DIGEST
+config OPENSSL_WITH_IDEA
bool
- depends on OPENSSL_ENGINE_CRYPTO
- prompt "Digests acceleration support"
+ prompt "Enable IDEA cipher support"
+ help
+ IDEA is a block cipher with 128-bit keys.
-config OPENSSL_HARDWARE_SUPPORT
+config OPENSSL_WITH_SEED
bool
- default n
- prompt "Enable hardware support"
+ prompt "Enable SEED cipher support"
+ help
+ SEED is a block cipher with 128-bit keys broadly used in
+ South Korea, but seldom found elsewhere.
-config OPENSSL_OPTIMIZE_SPEED
+config OPENSSL_WITH_MDC2
bool
- default n
- prompt "Enable optimization for speed instead of size"
+ prompt "Enable MDC2 digest support"
-endif
+config OPENSSL_WITH_WHIRLPOOL
+ bool
+ prompt "Enable Whirlpool digest support"
+
+config OPENSSL_WITH_COMPRESSION
+ bool
+ prompt "Enable compression support"
+ help
+ TLS compression is not recommended, as it is deemed insecure.
+ The CRIME attack exploits this weakness.
+ Even with this option turned on, it is disabled by default, and the
+ application must explicitly turn it on.
+
+config OPENSSL_WITH_RFC3779
+ bool
+ prompt "Enable RFC3779 support (BGP)"
+ help
+ RFC 3779 defines two X.509 v3 certificate extensions. The first
+ binds a list of IP address blocks, or prefixes, to the subject of a
+ certificate. The second binds a list of autonomous system
+ identifiers to the subject of a certificate. These extensions may be
+ used to convey the authorization of the subject to use the IP
+ addresses and autonomous system identifiers contained in the
+ extensions.
+
+comment "Engine/Hardware Support"
+
+config OPENSSL_ENGINE
+ bool "Enable engine support"
+ help
+ This enables alternative cryptography implementations,
+ most commonly for interfacing with external crypto devices,
+ or supporting new/alternative ciphers and digests.
config OPENSSL_ENGINE_CRYPTO
bool
- select OPENSSL_HARDWARE_SUPPORT
- prompt "Crypto acceleration support" if PACKAGE_libopenssl
+ select OPENSSL_ENGINE
+ select PACKAGE_kmod-cryptodev
+ prompt "Acceleration support through /dev/crypto"
+ help
+ This enables use of hardware acceleration through OpenBSD
+ Cryptodev API (/dev/crypto) interface.
+ You must install kmod-cryptodev (under Kernel modules, Cryptographic
+ API modules) for /dev/crypto to show up and use hardware
+ acceleration; otherwise it falls back to software.
+
+config OPENSSL_ENGINE_DIGEST
+ bool
+ depends on OPENSSL_ENGINE_CRYPTO
+ prompt "/dev/crypto digest (md5/sha1) acceleration support"
+
+config OPENSSL_WITH_GOST
+ bool
+ prompt "Prepare library for GOST engine"
+ depends on OPENSSL_ENGINE
+ help
+ This option prepares the library to accept engine support
+ for Russian GOST crypto algorithms.
+
+endif
+
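Review bot: The help text of OPENSSL_WITH_SSE2 ends with its advice inverted: it explains that SSE2 brings no benefit on hardware that lacks it and then says `you may save 23KB by saying yes here`, but answering yes is what adds the SSE2 code. The sentence should read `In this case you may save 23KB by saying no here.` Two smaller documentation gaps in the same hunk: OPENSSL_WITH_MDC2 and OPENSSL_WITH_WHIRLPOOL have no `help` text although the other algorithm options do, and the Camellia help says `bock cipher` for `block cipher`. OPENSSL_WITH_NPN is described as obsoleted yet stays `default y`; one sentence in its help giving the reason would help anyone auditing which protocol features are enabled by default.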
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 71c2c9c028..d9b1de2581 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -15,7 +15,7 @@ PKG_RELEASE:=2
PKG_USE_MIPS16:=0
PKG_BUILD_PARALLEL:=0
-
+PKG_BUILD_DEPENDS:=cryptodev-linux
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
@@ -25,24 +25,35 @@ PKG_SOURCE_URL:= \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684
+ENGINES_DIR=engines
PKG_LICENSE:=OpenSSL
PKG_LICENSE_FILES:=LICENSE
PKG_CPE_ID:=cpe:/a:openssl:openssl
PKG_CONFIG_DEPENDS:= \
+ CONFIG_OPENSSL_ENGINE \
CONFIG_OPENSSL_ENGINE_CRYPTO \
CONFIG_OPENSSL_ENGINE_DIGEST \
- CONFIG_OPENSSL_WITH_EC \
- CONFIG_OPENSSL_WITH_EC2M \
- CONFIG_OPENSSL_WITH_SSL3 \
- CONFIG_OPENSSL_HARDWARE_SUPPORT \
CONFIG_OPENSSL_NO_DEPRECATED \
- CONFIG_OPENSSL_WITH_DTLS \
+ CONFIG_OPENSSL_OPTIMIZE_SPEED \
+ CONFIG_OPENSSL_WITH_ASM \
+ CONFIG_OPENSSL_WITH_CAMELLIA \
+ CONFIG_OPENSSL_WITH_CMS \
CONFIG_OPENSSL_WITH_COMPRESSION \
+ CONFIG_OPENSSL_WITH_DTLS \
+ CONFIG_OPENSSL_WITH_EC \
+ CONFIG_OPENSSL_WITH_EC2M \
+ CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
+ CONFIG_OPENSSL_WITH_GOST \
+ CONFIG_OPENSSL_WITH_IDEA \
+ CONFIG_OPENSSL_WITH_MDC2 \
CONFIG_OPENSSL_WITH_NPN \
CONFIG_OPENSSL_WITH_PSK \
+ CONFIG_OPENSSL_WITH_RFC3779 \
+ CONFIG_OPENSSL_WITH_SEED \
CONFIG_OPENSSL_WITH_SRP \
- CONFIG_OPENSSL_OPTIMIZE_SPEED
+ CONFIG_OPENSSL_WITH_SSE2 \
+ CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
@@ -54,6 +65,8 @@ endif
define Package/openssl/Default
TITLE:=Open source SSL toolkit
URL:=http://www.openssl.org/
+ SECTION:=libs
+ CATEGORY:=Libraries
endef
define Package/libopenssl/config
@@ -62,16 +75,14 @@ endef
define Package/openssl/Default/description
The OpenSSL Project is a collaborative effort to develop a robust,
-commercial-grade, full-featured, and Open Source toolkit implementing the Secure
-Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
-as a full-strength general purpose cryptography library.
+commercial-grade, full-featured, and Open Source toolkit implementing the
+Transport Layer Security (TLS) protocol as well as a full-strength
+general-purpose cryptography library.
endef
define Package/libopenssl
$(call Package/openssl/Default)
- SECTION:=libs
SUBMENU:=SSL
- CATEGORY:=Libraries
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
TITLE+= (libraries)
ABI_VERSION:=1.0.0
@@ -100,19 +111,35 @@ $(call Package/openssl/Default/description)
This package contains the OpenSSL command-line utility.
endef
+define Package/libopenssl-gost
+ $(call Package/openssl/Default)
+ SUBMENU:=SSL
+ TITLE:=Russian GOST algorithms engine
+ DEPENDS:=libopenssl +@OPENSSL_WITH_GOST
+endef
+
+define Package/libopenssl-gost/description
+This package adds an engine that enables Russian GOST algorithms.
+To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
+The engine_id is "gost"
+endef
-OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
- no-whrlpool no-whirlpool no-seed no-jpake
-OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
+define Package/libopenssl-padlock
+ $(call Package/openssl/Default)
+ SUBMENU:=SSL
+ TITLE:=VIA Padlock hardware acceleration engine
+ DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock
+endef
-ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
- OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
- ifdef CONFIG_OPENSSL_ENGINE_DIGEST
- OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
- endif
-else
- OPENSSL_OPTIONS += no-engines
-endif
+define Package/libopenssl-padlock/description
+This package adds an engine that enables VIA Padlock hardware acceleration.
+To use it, you need to configure it in /etc/ssl/openssl.cnf.
+See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
+The engine_id is "padlock"
+endef
+
+OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method
ifndef CONFIG_OPENSSL_WITH_EC
OPENSSL_OPTIONS += no-ec
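Review bot: The new base line `OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method` keeps only the `-method` switches, whereas the lines it replaces passed `no-ssl2` here and `no-ssl3 no-ssl3-method` in the `CONFIG_OPENSSL_WITH_SSL3` block removed in the next hunk. If `no-ssl3-method` in this OpenSSL release only drops the SSLv3-specific method functions, a version-flexible context may still be able to negotiate SSLv3, which would contradict the commit message's "Disables insecure SSL3 protocol". This should be confirmed against the Configure script, and if it holds the line should read `OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2 no-ssl2-method no-ssl3 no-ssl3-method`. The same check applies to `no-md2`, `no-rc5`, `no-krb5` and `no-jpake`, which were in the removed OPENSSL_NO_CIPHERS list and are no longer passed; if they are disabled by default upstream, a one-line comment saying so would document why dropping them is safe.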
@@ -122,20 +149,70 @@ ifndef CONFIG_OPENSSL_WITH_EC2M
OPENSSL_OPTIONS += no-ec2m
endif
-ifndef CONFIG_OPENSSL_WITH_SSL3
- OPENSSL_OPTIONS += no-ssl3 no-ssl3-method
+ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
+ OPENSSL_OPTIONS += no-err
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CAMELLIA
+ OPENSSL_OPTIONS += no-camellia
+endif
+
+ifndef CONFIG_OPENSSL_WITH_IDEA
+ OPENSSL_OPTIONS += no-idea
+endif
+
+ifndef CONFIG_OPENSSL_WITH_SEED
+ OPENSSL_OPTIONS += no-seed
endif
-ifndef CONFIG_OPENSSL_HARDWARE_SUPPORT
- OPENSSL_OPTIONS += no-hw
+ifndef CONFIG_OPENSSL_WITH_MDC2
+ OPENSSL_OPTIONS += no-mdc2
+endif
+
+ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL
+ OPENSSL_OPTIONS += no-whirlpool
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CMS
+ OPENSSL_OPTIONS += no-cms
+endif
+
+ifdef CONFIG_OPENSSL_WITH_RFC3779
+ OPENSSL_OPTIONS += enable-rfc3779
endif
ifdef CONFIG_OPENSSL_NO_DEPRECATED
OPENSSL_OPTIONS += no-deprecated
endif
+ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
+ TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3
+else
+ OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
+endif
+
+ifdef CONFIG_OPENSSL_ENGINE
+ ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
+ OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
+ ifdef CONFIG_OPENSSL_ENGINE_DIGEST
+ OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
+ endif
+ endif
+ ifndef CONFIG_PACKAGE_libopenssl-padlock
+ OPENSSL_OPTIONS += no-hw-padlock
+ endif
+else
+ OPENSSL_OPTIONS += no-engine
+endif
+
+ifndef CONFIG_OPENSSL_WITH_GOST
+ OPENSSL_OPTIONS += no-gost
+endif
+
+# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code,
+# but openssl util gets built without it
ifndef CONFIG_OPENSSL_WITH_DTLS
- OPENSSL_OPTIONS += no-dtls
+ OPENSSL_OPTIONS += no-dtls no-dtls1
endif
ifdef CONFIG_OPENSSL_WITH_COMPRESSION
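Review bot: The comment added above `ifndef CONFIG_OPENSSL_WITH_DTLS` states that the library keeps the DTLS code even with `no-dtls no-dtls1`, so switching the option off does not reduce the library's protocol surface, only that of the openssl utility. That caveat exists only in the Makefile; the OPENSSL_WITH_DTLS help added in Config.in describes the protocol and does not warn that disabling it leaves DTLS in the library. I would add a sentence such as `Disabling this only removes DTLS from the openssl utility; the library still contains the DTLS code.` to that help text. As a style point in the same hunk, the speed/size switch is tested with `ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)` while every other option here uses `ifdef`/`ifndef`; one form throughout would read more consistently.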
@@ -156,27 +233,18 @@ ifndef CONFIG_OPENSSL_WITH_SRP
OPENSSL_OPTIONS += no-srp
endif
-ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
- TARGET_CFLAGS := $(filter-out -Os,$(TARGET_CFLAGS)) -O3
+ifndef CONFIG_OPENSSL_WITH_ASM
+ OPENSSL_OPTIONS += no-asm
endif
-ifeq ($(CONFIG_x86_64),y)
- OPENSSL_TARGET:=linux-x86_64-openwrt
- OPENSSL_MAKEFLAGS += LIBDIR=lib
-else
- OPENSSL_OPTIONS+=no-sse2
- ifeq ($(CONFIG_mips)$(CONFIG_mipsel),y)
- OPENSSL_TARGET:=linux-mips-openwrt
- else ifeq ($(CONFIG_aarch64),y)
- OPENSSL_TARGET:=linux-aarch64-openwrt
- else ifeq ($(CONFIG_arm)$(CONFIG_armeb),y)
- OPENSSL_TARGET:=linux-armv4-openwrt
- else
- OPENSSL_TARGET:=linux-generic-openwrt
- OPENSSL_OPTIONS+=no-perlasm
+ifdef CONFIG_i386
+ ifndef CONFIG_OPENSSL_WITH_SSE2
+ OPENSSL_OPTIONS += no-sse2
endif
endif
+OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt
+
STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5)
define Build/Configure
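Review bot: `OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt` has no fallback, so any CONFIG_ARCH value without a matching entry in 100-openwrt_targets.patch yields a target name that Configure does not know. The removed code fell back to `linux-generic-openwrt` with `no-perlasm`; the patch in this commit does add a `linux-generic32-openwrt` entry, but nothing in the visible lines ever selects it. I would filter the stripped CONFIG_ARCH against the architectures the patch defines and use `generic32` (together with `no-asm`) for everything else, so an unlisted architecture still builds the portable C code instead of failing at configure time. Build/Configure itself starts on the last line of this hunk and continues outside it.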
@@ -187,11 +255,10 @@ define Build/Configure
(cd $(PKG_BUILD_DIR); \
./Configure $(OPENSSL_TARGET) \
--prefix=/usr \
+ --libdir=lib \
--openssldir=/etc/ssl \
$(TARGET_CPPFLAGS) \
- $(TARGET_LDFLAGS) -ldl \
- $(if $(CONFIG_OPENSSL_OPTIMIZE_SPEED),,-DOPENSSL_SMALL_FOOTPRINT) \
- $(OPENSSL_NO_CIPHERS) \
+ $(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) \
)
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
@@ -202,7 +269,7 @@ define Build/Configure
depend
endef
-TARGET_CFLAGS += $(FPIC) -I$(CURDIR)/include -ffunction-sections -fdata-sections
+TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections
define Build/Compile
@@ -251,20 +318,33 @@ define Build/InstallDev
endef
define Package/libopenssl/install
+ $(INSTALL_DIR) $(1)/etc/ssl/certs
+ $(INSTALL_DIR) $(1)/etc/ssl/private
+ chmod 0700 $(1)/etc/ssl/private
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/
+ $(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR))
endef
define Package/openssl-util/install
$(INSTALL_DIR) $(1)/etc/ssl
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
- $(INSTALL_DIR) $(1)/etc/ssl/certs
- $(INSTALL_DIR) $(1)/etc/ssl/private
- chmod 0700 $(1)/etc/ssl/private
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
endef
+define Package/libopenssl-padlock/install
+ $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+endef
+
+define Package/libopenssl-gost/install
+ $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR)
+endef
+
$(eval $(call BuildPackage,libopenssl))
+$(eval $(call BuildPackage,libopenssl-gost))
+$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))
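Review bot: Both new engine packages tell the user to configure the engine in /etc/ssl/openssl.cnf, but in the lines shown that file is still copied only by `Package/openssl-util/install`; `Package/libopenssl/install` gains the certs and private directories and no openssl.cnf. The commit message says openssl.cnf is now installed with the library, so unless that happens outside this hunk, a system with libopenssl-gost or libopenssl-padlock and without openssl-util has no configuration file to edit. Separately, `Package/libopenssl-gost/install` copies `libgost.so` unconditionally, while the package pulls in OPENSSL_WITH_GOST with `+@`, and a Kconfig select does not enforce that symbol's `depends on OPENSSL_ENGINE`. With engine support off the build passes `no-engine` and this step would presumably find no file to install; adding `@OPENSSL_ENGINE` to the gost DEPENDS, as the padlock package does, would prevent that combination.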
diff --git a/package/libs/openssl/include/crypto/cryptodev.h b/package/libs/openssl/include/crypto/cryptodev.h
deleted file mode 100644
index 7fb9c7dcda..0000000000
--- a/package/libs/openssl/include/crypto/cryptodev.h
+++ /dev/null
@@ -1,292 +0,0 @@
-/* This is a source compatible implementation with the original API of
- * cryptodev by Angelos D. Keromytis, found at openbsd cryptodev.h.
- * Placed under public domain */
-
-#ifndef L_CRYPTODEV_H
-#define L_CRYPTODEV_H
-
-#include <linux/types.h>
-#ifndef __KERNEL__
-#define __user
-#endif
-
-/* API extensions for linux */
-#define CRYPTO_HMAC_MAX_KEY_LEN 512
-#define CRYPTO_CIPHER_MAX_KEY_LEN 64
-
-/* All the supported algorithms
- */
-enum cryptodev_crypto_op_t {
- CRYPTO_DES_CBC = 1,
- CRYPTO_3DES_CBC = 2,
- CRYPTO_BLF_CBC = 3,
- CRYPTO_CAST_CBC = 4,
- CRYPTO_SKIPJACK_CBC = 5,
- CRYPTO_MD5_HMAC = 6,
- CRYPTO_SHA1_HMAC = 7,
- CRYPTO_RIPEMD160_HMAC = 8,
- CRYPTO_MD5_KPDK = 9,
- CRYPTO_SHA1_KPDK = 10,
- CRYPTO_RIJNDAEL128_CBC = 11,
- CRYPTO_AES_CBC = CRYPTO_RIJNDAEL128_CBC,
- CRYPTO_ARC4 = 12,
- CRYPTO_MD5 = 13,
- CRYPTO_SHA1 = 14,
- CRYPTO_DEFLATE_COMP = 15,
- CRYPTO_NULL = 16,
- CRYPTO_LZS_COMP = 17,
- CRYPTO_SHA2_256_HMAC = 18,
- CRYPTO_SHA2_384_HMAC = 19,
- CRYPTO_SHA2_512_HMAC = 20,
- CRYPTO_AES_CTR = 21,
- CRYPTO_AES_XTS = 22,
- CRYPTO_AES_ECB = 23,
- CRYPTO_AES_GCM = 50,
-
- CRYPTO_CAMELLIA_CBC = 101,
- CRYPTO_RIPEMD160,
- CRYPTO_SHA2_224,
- CRYPTO_SHA2_256,
- CRYPTO_SHA2_384,
- CRYPTO_SHA2_512,
- CRYPTO_SHA2_224_HMAC,
- CRYPTO_ALGORITHM_ALL, /* Keep updated - see below */
-};
-
-#define CRYPTO_ALGORITHM_MAX (CRYPTO_ALGORITHM_ALL - 1)
-
-/* Values for ciphers */
-#define DES_BLOCK_LEN 8
-#define DES3_BLOCK_LEN 8
-#define RIJNDAEL128_BLOCK_LEN 16
-#define AES_BLOCK_LEN RIJNDAEL128_BLOCK_LEN
-#define CAMELLIA_BLOCK_LEN 16
-#define BLOWFISH_BLOCK_LEN 8
-#define SKIPJACK_BLOCK_LEN 8
-#define CAST128_BLOCK_LEN 8
-
-/* the maximum of the above */
-#define EALG_MAX_BLOCK_LEN 16
-
-/* Values for hashes/MAC */
-#define AALG_MAX_RESULT_LEN 64
-
-/* maximum length of verbose alg names (depends on CRYPTO_MAX_ALG_NAME) */
-#define CRYPTODEV_MAX_ALG_NAME 64
-
-#define HASH_MAX_LEN 64
-
-/* input of CIOCGSESSION */
-struct session_op {
- /* Specify either cipher or mac
- */
- __u32 cipher; /* cryptodev_crypto_op_t */
- __u32 mac; /* cryptodev_crypto_op_t */
-
- __u32 keylen;
- __u8 __user *key;
- __u32 mackeylen;
- __u8 __user *mackey;
-
- __u32 ses; /* session identifier */
-};
-
-struct session_info_op {
- __u32 ses; /* session identifier */
-
- /* verbose names for the requested ciphers */
- struct alg_info {
- char cra_name[CRYPTODEV_MAX_ALG_NAME];
- char cra_driver_name[CRYPTODEV_MAX_ALG_NAME];
- } cipher_info, hash_info;
-
- __u16 alignmask; /* alignment constraints */
- __u32 flags; /* SIOP_FLAGS_* */
-};
-
-/* If this flag is set then this algorithm uses
- * a driver only available in kernel (software drivers,
- * or drivers based on instruction sets do not set this flag).
- *
- * If multiple algorithms are involved (as in AEAD case), then
- * if one of them is kernel-driver-only this flag will be set.
- */
-#define SIOP_FLAG_KERNEL_DRIVER_ONLY 1
-
-#define COP_ENCRYPT 0
-#define COP_DECRYPT 1
-
-/* input of CIOCCRYPT */
-struct crypt_op {
- __u32 ses; /* session identifier */
- __u16 op; /* COP_ENCRYPT or COP_DECRYPT */
- __u16 flags; /* see COP_FLAG_* */
- __u32 len; /* length of source data */
- __u8 __user *src; /* source data */
- __u8 __user *dst; /* pointer to output data */
- /* pointer to output data for hash/MAC operations */
- __u8 __user *mac;
- /* initialization vector for encryption operations */
- __u8 __user *iv;
-};
-
-/* input of CIOCAUTHCRYPT */
-struct crypt_auth_op {
- __u32 ses; /* session identifier */
- __u16 op; /* COP_ENCRYPT or COP_DECRYPT */
- __u16 flags; /* see COP_FLAG_AEAD_* */
- __u32 len; /* length of source data */
- __u32 auth_len; /* length of auth data */
- __u8 __user *auth_src; /* authenticated-only data */
-
- /* The current implementation is more efficient if data are
- * encrypted in-place (src==dst). */
- __u8 __user *src; /* data to be encrypted and authenticated */
- __u8 __user *dst; /* pointer to output data. Must have
- * space for tag. For TLS this should be at least
- * len + tag_size + block_size for padding */
-
- __u8 __user *tag; /* where the tag will be copied to. TLS mode
- * doesn't use that as tag is copied to dst.
- * SRTP mode copies tag there. */
- __u32 tag_len; /* the length of the tag. Use zero for digest size or max tag. */
-
- /* initialization vector for encryption operations */
- __u8 __user *iv;
- __u32 iv_len;
-};
-
-/* In plain AEAD mode the following are required:
- * flags : 0
- * iv : the initialization vector (12 bytes)
- * auth_len: the length of the data to be authenticated
- * auth_src: the data to be authenticated
- * len : length of data to be encrypted
- * src : the data to be encrypted
- * dst : space to hold encrypted data. It must have
- * at least a size of len + tag_size.
- * tag_size: the size of the desired authentication tag or zero to use
- * the maximum tag output.
- *
- * Note tag isn't being used because the Linux AEAD interface
- * copies the tag just after data.
- */
-
-/* In TLS mode (used for CBC ciphers that required padding)
- * the following are required:
- * flags : COP_FLAG_AEAD_TLS_TYPE
- * iv : the initialization vector
- * auth_len: the length of the data to be authenticated only
- * len : length of data to be encrypted
- * auth_src: the data to be authenticated
- * src : the data to be encrypted
- * dst : space to hold encrypted data (preferably in-place). It must have
- * at least a size of len + tag_size + blocksize.
- * tag_size: the size of the desired authentication tag or zero to use
- * the default mac output.
- *
- * Note that the padding used is the minimum padding.
- */
-
-/* In SRTP mode the following are required:
- * flags : COP_FLAG_AEAD_SRTP_TYPE
- * iv : the initialization vector
- * auth_len: the length of the data to be authenticated. This must
- * include the SRTP header + SRTP payload (data to be encrypted) + rest
- *
- * len : length of data to be encrypted
- * auth_src: pointer the data to be authenticated. Should point at the same buffer as src.
- * src : pointer to the data to be encrypted.
- * dst : This is mandatory to be the same as src (in-place only).
- * tag_size: the size of the desired authentication tag or zero to use
- * the default mac output.
- * tag : Pointer to an address where the authentication tag will be copied.
- */
-
-
-/* struct crypt_op flags */
-
-#define COP_FLAG_NONE (0 << 0) /* totally no flag */
-#define COP_FLAG_UPDATE (1 << 0) /* multi-update hash mode */
-#define COP_FLAG_FINAL (1 << 1) /* multi-update final hash mode */
-#define COP_FLAG_WRITE_IV (1 << 2) /* update the IV during operation */
-#define COP_FLAG_NO_ZC (1 << 3) /* do not zero-copy */
-#define COP_FLAG_AEAD_TLS_TYPE (1 << 4) /* authenticate and encrypt using the
- * TLS protocol rules */
-#define COP_FLAG_AEAD_SRTP_TYPE (1 << 5) /* authenticate and encrypt using the
- * SRTP protocol rules */
-#define COP_FLAG_RESET (1 << 6) /* multi-update reset the state.
- * should be used in combination
- * with COP_FLAG_UPDATE */
-
-
-/* Stuff for bignum arithmetic and public key
- * cryptography - not supported yet by linux
- * cryptodev.
- */
-
-#define CRYPTO_ALG_FLAG_SUPPORTED 1
-#define CRYPTO_ALG_FLAG_RNG_ENABLE 2
-#define CRYPTO_ALG_FLAG_DSA_SHA 4
-
-struct crparam {
- __u8 *crp_p;
- __u32 crp_nbits;
-};
-
-#define CRK_MAXPARAM 8
-
-/* input of CIOCKEY */
-struct crypt_kop {
- __u32 crk_op; /* cryptodev_crk_op_t */
- __u32 crk_status;
- __u16 crk_iparams;
- __u16 crk_oparams;
- __u32 crk_pad1;
- struct crparam crk_param[CRK_MAXPARAM];
-};
-
-enum cryptodev_crk_op_t {
- CRK_MOD_EXP = 0,
- CRK_MOD_EXP_CRT = 1,
- CRK_DSA_SIGN = 2,
- CRK_DSA_VERIFY = 3,
- CRK_DH_COMPUTE_KEY = 4,
- CRK_ALGORITHM_ALL
-};
-
-#define CRK_ALGORITHM_MAX (CRK_ALGORITHM_ALL-1)
-
-/* features to be queried with CIOCASYMFEAT ioctl
- */
-#define CRF_MOD_EXP (1 << CRK_MOD_EXP)
-#define CRF_MOD_EXP_CRT (1 << CRK_MOD_EXP_CRT)
-#define CRF_DSA_SIGN (1 << CRK_DSA_SIGN)
-#define CRF_DSA_VERIFY (1 << CRK_DSA_VERIFY)
-#define CRF_DH_COMPUTE_KEY (1 << CRK_DH_COMPUTE_KEY)
-
-
-/* ioctl's. Compatible with old linux cryptodev.h
- */
-#define CRIOGET _IOWR('c', 101, __u32)
-#define CIOCGSESSION _IOWR('c', 102, struct session_op)
-#define CIOCFSESSION _IOW('c', 103, __u32)
-#define CIOCCRYPT _IOWR('c', 104, struct crypt_op)
-#define CIOCKEY _IOWR('c', 105, struct crypt_kop)
-#define CIOCASYMFEAT _IOR('c', 106, __u32)
-#define CIOCGSESSINFO _IOWR('c', 107, struct session_info_op)
-
-/* to indicate that CRIOGET is not required in linux
- */
-#define CRIOGET_NOT_NEEDED 1
-
-/* additional ioctls for AEAD */
-#define CIOCAUTHCRYPT _IOWR('c', 109, struct crypt_auth_op)
-
-/* additional ioctls for asynchronous operation.
- * These are conditionally enabled since version 1.6.
- */
-#define CIOCASYNCCRYPT _IOW('c', 110, struct crypt_op)
-#define CIOCASYNCFETCH _IOR('c', 111, struct crypt_op)
-
-#endif /* L_CRYPTODEV_H */
diff --git a/package/libs/openssl/patches/100-openwrt_targets.patch b/package/libs/openssl/patches/100-openwrt_targets.patch
new file mode 100644
index 0000000000..52a51f9f47
--- /dev/null
+++ b/package/libs/openssl/patches/100-openwrt_targets.patch
@@ -0,0 +1,44 @@
+From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 26 Sep 2018 16:21:27 -0300
+Subject: Add openwrt targets
+
+Targets are named: linux-$(CONFIG_ARCH)-openwrt
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/Configure
++++ b/Configure
+@@ -470,6 +470,32 @@ my %table=(
+ "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+ "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+
++# OpenWrt targets
++# from linux-aarch64
++"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-generic32
++"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-armv4
++"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-armv4
++"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-elf
++"linux-i386-openwrt", "gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-mips32
++"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux64-mips64
++"linux-mips64-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++# from linux64-mips64
++"linux-mips64el-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++# from linux-mips32
++"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-ppc
++"linux-powerpc-openwrt", "gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-x86_64
++"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++# from linux-generic32
++"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++
+ # Android: linux-* but without pointers to headers and libs.
+ "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/package/libs/openssl/patches/110-optimize-for-size.patch b/package/libs/openssl/patches/110-optimize-for-size.patch
deleted file mode 100644
index d6d4a21111..0000000000
--- a/package/libs/openssl/patches/110-optimize-for-size.patch
+++ /dev/null
@@ -1,16 +0,0 @@
---- a/Configure
-+++ b/Configure
-@@ -470,6 +470,13 @@ my %table=(
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-
-+# OpenWrt targets
-+"linux-armv4-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+
- # Android: linux-* but without pointers to headers and libs.
- "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/package/libs/openssl/patches/130-perl-path.patch b/package/libs/openssl/patches/110-perl-path.patch
index 2dbdc76010..2dbdc76010 100644
--- a/package/libs/openssl/patches/130-perl-path.patch
+++ b/package/libs/openssl/patches/110-perl-path.patch
diff --git a/package/libs/openssl/patches/140-makefile-dirs.patch b/package/libs/openssl/patches/120-makefile-dirs.patch
index 83c412f444..5bcb316486 100644
--- a/package/libs/openssl/patches/140-makefile-dirs.patch
+++ b/package/libs/openssl/patches/120-makefile-dirs.patch
@@ -5,7 +5,7 @@
BASEADDR=
-DIRS= crypto ssl engines apps test tools
-+DIRS= crypto ssl apps
++DIRS= crypto ssl engines apps
ENGDIRS= ccgost
SHLIBDIRS= crypto ssl
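Review bot: Re-adding `engines` to `DIRS` puts the engines subdirectory into every build, and nothing in this hunk ties that to the new engine configuration option. This commit also deletes 150-no_engines.patch further down, so the hardware `ENGINE_load_*` entry points are presumably compiled and exported again unless the package Makefile (not visible here) passes `no-engine`/`no-hw` to Configure. It is worth confirming that a build with engine support deselected installs no loadable engine objects. The patch file would also benefit from a short description header (its first four lines are outside this hunk, so it may already have one), for example `Build crypto, ssl, engines and apps only; test and tools are not needed on the target`.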
diff --git a/package/libs/openssl/patches/160-disable_doc_tests.patch b/package/libs/openssl/patches/130-disable_doc_tests.patch
index e38d44a768..e38d44a768 100644
--- a/package/libs/openssl/patches/160-disable_doc_tests.patch
+++ b/package/libs/openssl/patches/130-disable_doc_tests.patch
diff --git a/package/libs/openssl/patches/170-bash_path.patch b/package/libs/openssl/patches/140-bash_path.patch
index c29b59afdd..c29b59afdd 100644
--- a/package/libs/openssl/patches/170-bash_path.patch
+++ b/package/libs/openssl/patches/140-bash_path.patch
diff --git a/package/libs/openssl/patches/180-fix_link_segfault.patch b/package/libs/openssl/patches/150-fix_link_segfault.patch
index 3e36beb49c..3e36beb49c 100644
--- a/package/libs/openssl/patches/180-fix_link_segfault.patch
+++ b/package/libs/openssl/patches/150-fix_link_segfault.patch
diff --git a/package/libs/openssl/patches/150-no_engines.patch b/package/libs/openssl/patches/150-no_engines.patch
deleted file mode 100644
index a518a00496..0000000000
--- a/package/libs/openssl/patches/150-no_engines.patch
+++ /dev/null
@@ -1,81 +0,0 @@
---- a/Configure
-+++ b/Configure
-@@ -2144,6 +2144,11 @@ EOF
- close(OUT);
- }
-
-+# ugly hack to disable engines
-+if($target eq "mingwx") {
-+ system("sed -e s/^LIB/XLIB/g -i engines/Makefile");
-+}
-+
- print <<EOF;
-
- Configured for $target.
---- a/util/libeay.num
-+++ b/util/libeay.num
-@@ -2075,7 +2075,6 @@ PKCS7_ATTR_SIGN_it
- UI_add_error_string 2633 EXIST::FUNCTION:
- KRB5_CHECKSUM_free 2634 EXIST::FUNCTION:
- OCSP_REQUEST_get_ext 2635 EXIST::FUNCTION:
--ENGINE_load_ubsec 2636 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- ENGINE_register_all_digests 2637 EXIST::FUNCTION:ENGINE
- PKEY_USAGE_PERIOD_it 2638 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- PKEY_USAGE_PERIOD_it 2638 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-@@ -2549,7 +2548,6 @@ OCSP_RESPONSE_new
- AES_set_encrypt_key 3024 EXIST::FUNCTION:AES
- OCSP_resp_count 3025 EXIST::FUNCTION:
- KRB5_CHECKSUM_new 3026 EXIST::FUNCTION:
--ENGINE_load_cswift 3027 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- OCSP_onereq_get0_id 3028 EXIST::FUNCTION:
- ENGINE_set_default_ciphers 3029 EXIST::FUNCTION:ENGINE
- NOTICEREF_it 3030 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-@@ -2580,7 +2578,6 @@ ASN1_primitive_free
- i2d_EXTENDED_KEY_USAGE 3052 EXIST::FUNCTION:
- i2d_OCSP_SIGNATURE 3053 EXIST::FUNCTION:
- asn1_enc_save 3054 EXIST::FUNCTION:
--ENGINE_load_nuron 3055 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- _ossl_old_des_pcbc_encrypt 3056 EXIST::FUNCTION:DES
- PKCS12_MAC_DATA_it 3057 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- PKCS12_MAC_DATA_it 3057 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-@@ -2604,7 +2601,6 @@ asn1_get_choice_selector
- i2d_KRB5_CHECKSUM 3072 EXIST::FUNCTION:
- ENGINE_set_table_flags 3073 EXIST::FUNCTION:ENGINE
- AES_options 3074 EXIST::FUNCTION:AES
--ENGINE_load_chil 3075 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- OCSP_id_cmp 3076 EXIST::FUNCTION:
- OCSP_BASICRESP_new 3077 EXIST::FUNCTION:
- OCSP_REQUEST_get_ext_by_NID 3078 EXIST::FUNCTION:
-@@ -2671,7 +2667,6 @@ OCSP_CRLID_it
- OCSP_CRLID_it 3127 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
- i2d_KRB5_AUTHENTBODY 3128 EXIST::FUNCTION:
- OCSP_REQUEST_get_ext_count 3129 EXIST::FUNCTION:
--ENGINE_load_atalla 3130 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- X509_NAME_it 3131 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- X509_NAME_it 3131 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
- USERNOTICE_it 3132 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-@@ -2766,8 +2761,6 @@ DES_read_2passwords
- DES_read_password 3207 EXIST::FUNCTION:DES
- UI_UTIL_read_pw 3208 EXIST::FUNCTION:
- UI_UTIL_read_pw_string 3209 EXIST::FUNCTION:
--ENGINE_load_aep 3210 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
--ENGINE_load_sureware 3211 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- OPENSSL_add_all_algorithms_noconf 3212 EXIST:!VMS:FUNCTION:
- OPENSSL_add_all_algo_noconf 3212 EXIST:VMS:FUNCTION:
- OPENSSL_add_all_algorithms_conf 3213 EXIST:!VMS:FUNCTION:
-@@ -2776,7 +2769,6 @@ OPENSSL_load_builtin_modules
- AES_ofb128_encrypt 3215 EXIST::FUNCTION:AES
- AES_ctr128_encrypt 3216 EXIST::FUNCTION:AES
- AES_cfb128_encrypt 3217 EXIST::FUNCTION:AES
--ENGINE_load_4758cca 3218 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- _ossl_096_des_random_seed 3219 EXIST::FUNCTION:DES
- EVP_aes_256_ofb 3220 EXIST::FUNCTION:AES
- EVP_aes_192_ofb 3221 EXIST::FUNCTION:AES
-@@ -3111,7 +3103,6 @@ EC_GFp_nist_method
- STORE_meth_set_modify_fn 3530 NOEXIST::FUNCTION:
- STORE_method_set_modify_function 3530 NOEXIST::FUNCTION:
- STORE_parse_attrs_next 3531 NOEXIST::FUNCTION:
--ENGINE_load_padlock 3532 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- EC_GROUP_set_curve_name 3533 EXIST::FUNCTION:EC
- X509_CERT_PAIR_it 3534 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- X509_CERT_PAIR_it 3534 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
diff --git a/package/libs/openssl/patches/190-remove_timestamp_check.patch b/package/libs/openssl/patches/160-remove_timestamp_check.patch
index 424e66063c..424e66063c 100644
--- a/package/libs/openssl/patches/190-remove_timestamp_check.patch
+++ b/package/libs/openssl/patches/160-remove_timestamp_check.patch
diff --git a/package/libs/openssl/patches/200-parallel_build.patch b/package/libs/openssl/patches/170-parallel_build.patch
index 37134e4030..cbe5d51241 100644
--- a/package/libs/openssl/patches/200-parallel_build.patch
+++ b/package/libs/openssl/patches/170-parallel_build.patch
@@ -92,7 +92,7 @@
fi; \
--- a/crypto/Makefile
+++ b/crypto/Makefile
-@@ -85,11 +85,11 @@ testapps:
+@@ -87,11 +87,11 @@ testapps:
@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
subdirs:
@@ -106,7 +106,7 @@
links:
@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@ links:
+@@ -102,7 +102,7 @@ links:
# lib: $(LIB): are splitted to avoid end-less loop
lib: $(LIB)
@touch lib
@@ -115,7 +115,7 @@
$(AR) $(LIB) $(LIBOBJ)
test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
$(RANLIB) $(LIB) || echo Never mind.
-@@ -111,7 +111,7 @@ shared: buildinf.h lib subdirs
+@@ -113,7 +113,7 @@ shared: buildinf.h lib subdirs
fi
libs:
@@ -124,7 +124,7 @@
install:
@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -120,7 +120,7 @@ install:
+@@ -122,7 +122,7 @@ install:
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
diff --git a/package/libs/openssl/patches/180-strip-cflags-from-binary.patch b/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
new file mode 100644
index 0000000000..e70bd077d5
--- /dev/null
+++ b/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
@@ -0,0 +1,21 @@
+From f17f027c258338994a6167091a398c0cc1588acb Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 26 Sep 2018 18:04:58 -0300
+Subject: Avoid exposing build directories
+
+The CFLAGS contain the build directories, and are shown by calling
+SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -57,7 +57,7 @@ top:
+ all: shared
+
+ buildinf.h: ../Makefile
+- $(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
++ $(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h
+
+ x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl
+ $(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
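Review bot: The `filter-out` list in the new `buildinf.h` recipe removes only `-I%`, `-iremap%` and `-fmacro-prefix-map%`, so other path-bearing words can still reach the string returned by `SSLeay_version(SSLEAY_CFLAGS)`. `filter-out` matches whitespace-separated words, so `-isystem`, `--sysroot=`, `-fdebug-prefix-map=` and `-ffile-prefix-map=` values would pass through unchanged if the toolchain supplies them, as would an absolute path in `$(CC)`. Extending the pattern list closes most of that: `"$(filter-out -I% -isystem% --sysroot=% -iremap% -fmacro-prefix-map% -fdebug-prefix-map% -ffile-prefix-map%,$(CC) $(CFLAGS))"`. A flag written as two words (`-I dir`) would still leave the directory behind, so checking the output of `openssl version -a` from a built image remains the reliable test.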