aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/openssl
diff options
context:
space:
mode:
Diffstat (limited to 'package/libs/openssl')
-rw-r--r--package/libs/openssl/Config.in206
-rw-r--r--package/libs/openssl/Makefile182
-rw-r--r--package/libs/openssl/include/crypto/cryptodev.h292
-rw-r--r--package/libs/openssl/patches/100-openwrt_targets.patch44
-rw-r--r--package/libs/openssl/patches/110-optimize-for-size.patch16
-rw-r--r--package/libs/openssl/patches/110-perl-path.patch (renamed from package/libs/openssl/patches/130-perl-path.patch)0
-rw-r--r--package/libs/openssl/patches/120-makefile-dirs.patch (renamed from package/libs/openssl/patches/140-makefile-dirs.patch)2
-rw-r--r--package/libs/openssl/patches/130-disable_doc_tests.patch (renamed from package/libs/openssl/patches/160-disable_doc_tests.patch)0
-rw-r--r--package/libs/openssl/patches/140-bash_path.patch (renamed from package/libs/openssl/patches/170-bash_path.patch)0
-rw-r--r--package/libs/openssl/patches/150-fix_link_segfault.patch (renamed from package/libs/openssl/patches/180-fix_link_segfault.patch)0
-rw-r--r--package/libs/openssl/patches/150-no_engines.patch81
-rw-r--r--package/libs/openssl/patches/160-remove_timestamp_check.patch (renamed from package/libs/openssl/patches/190-remove_timestamp_check.patch)0
-rw-r--r--package/libs/openssl/patches/170-parallel_build.patch (renamed from package/libs/openssl/patches/200-parallel_build.patch)8
-rw-r--r--package/libs/openssl/patches/180-strip-cflags-from-binary.patch21
14 files changed, 376 insertions, 476 deletions
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index c39e28510f..fe73229915 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -1,72 +1,216 @@
if PACKAGE_libopenssl
-config OPENSSL_WITH_EC
+comment "Build Options"
+
+config OPENSSL_OPTIMIZE_SPEED
+ bool
+ prompt "Enable optimization for speed instead of size"
+ select OPENSSL_WITH_ASM
+ help
+ Enabling this option increases code size (around 20%) and
+ performance. The increase in performance and size depends on the
+ target CPU. EC and AES seem to benefit the most, with EC speed
+ increased by 20%-50% (mipsel & x86).
+ AES-GCM is supposed to be 3x faster on x86. YMMV.
+
+config OPENSSL_WITH_ASM
bool
default y
- prompt "Enable elliptic curve support"
+ prompt "Compile with optimized assembly code"
+ depends on !arc
+ help
+ Disabling this option will reduce code size and performance.
+ The increase in performance and size depends on the target
+ CPU and on the algorithms being optimized. As of 1.1.0i*:
-config OPENSSL_WITH_EC2M
- bool
- depends on OPENSSL_WITH_EC
- prompt "Enable ec2m support"
+ Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
+ aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
+ arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
+ i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
+ mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
+ mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
+ powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
+ x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
-config OPENSSL_WITH_SSL3
+ * Only most common algorithms shown. Your mileage may vary.
+ BN (bignum) performance was measured using RSA sign/verify.
+
+config OPENSSL_WITH_SSE2
bool
- default n
- prompt "Enable sslv3 support"
+ default y if !TARGET_x86_legacy && !TARGET_x86_geode
+ prompt "Enable use of x86 SSE2 instructions"
+ depends on OPENSSL_WITH_ASM && i386
+ help
+ Use of SSE2 instructions greatly increase performance (up to
+ 3x faster) with a minimum (~0.2%, or 23KB) increase in package
+ size, but it will bring no benefit if your hardware does not
+ support them, such as Geode GX and LX. In this case you may
+ save 23KB by saying yes here. AMD Geode NX, and Intel
+ Pentium 4 and above support SSE2.
config OPENSSL_WITH_DEPRECATED
bool
default y
- prompt "Include deprecated APIs"
+ prompt "Include deprecated APIs (See help for a list of packages that need this)"
+ help
+ Squid currently requires this.
config OPENSSL_NO_DEPRECATED
bool
default !OPENSSL_WITH_DEPRECATED
-config OPENSSL_WITH_DTLS
+config OPENSSL_WITH_ERROR_MESSAGES
bool
- default n
- prompt "Enable DTLS support"
+ prompt "Include error messages"
+ help
+ This option aids debugging, but increases package size and
+ memory usage.
-config OPENSSL_WITH_COMPRESSION
+comment "Protocol Support"
+
+config OPENSSL_WITH_DTLS
bool
- default n
- prompt "Enable compression support"
+ prompt "Enable DTLS support"
+ help
+ Datagram Transport Layer Security (DTLS) provides TLS-like security
+ for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
config OPENSSL_WITH_NPN
bool
default y
prompt "Enable NPN support"
+ help
+ NPN is a TLS extension, obsoleted and replaced with ALPN,
+ used to negotiate SPDY, and HTTP/2.
+
+config OPENSSL_WITH_SRP
+ bool
+ default y
+ prompt "Enable SRP support"
+ help
+ The Secure Remote Password protocol (SRP) is an augmented
+ password-authenticated key agreement (PAKE) protocol, specifically
+ designed to work around existing patents.
+
+config OPENSSL_WITH_CMS
+ bool
+ default y
+ prompt "Enable CMS (RFC 5652) support"
+ help
+ Cryptographic Message Syntax (CMS) is used to digitally sign,
+ digest, authenticate, or encrypt arbitrary message content.
+
+comment "Algorithm Selection"
+
+config OPENSSL_WITH_EC
+ bool
+ default y
+ prompt "Enable elliptic curve support"
+ help
+ Elliptic-curve cryptography (ECC) is an approach to public-key
+ cryptography based on the algebraic structure of elliptic curves
+ over finite fields. ECC requires smaller keys compared to non-ECC
+ cryptography to provide equivalent security.
+
+config OPENSSL_WITH_EC2M
+ bool
+ depends on OPENSSL_WITH_EC
+ prompt "Enable ec2m support"
+ help
+ This option enables the more efficient, yet less common, binary
+ field elliptic curves.
config OPENSSL_WITH_PSK
bool
default y
prompt "Enable PSK support"
+ help
+ Build support for Pre-Shared Key based cipher suites.
-config OPENSSL_WITH_SRP
+comment "Less commonly used build options"
+
+config OPENSSL_WITH_CAMELLIA
bool
- default y
- prompt "Enable SRP support"
+ prompt "Enable Camellia cipher support"
+ help
+ Camellia is a bock cipher with security levels and processing
+ abilities comparable to AES.
-config OPENSSL_ENGINE_DIGEST
+config OPENSSL_WITH_IDEA
bool
- depends on OPENSSL_ENGINE_CRYPTO
- prompt "Digests acceleration support"
+ prompt "Enable IDEA cipher support"
+ help
+ IDEA is a block cipher with 128-bit keys.
-config OPENSSL_HARDWARE_SUPPORT
+config OPENSSL_WITH_SEED
bool
- default n
- prompt "Enable hardware support"
+ prompt "Enable SEED cipher support"
+ help
+ SEED is a block cipher with 128-bit keys broadly used in
+ South Korea, but seldom found elsewhere.
-config OPENSSL_OPTIMIZE_SPEED
+config OPENSSL_WITH_MDC2
bool
- default n
- prompt "Enable optimization for speed instead of size"
+ prompt "Enable MDC2 digest support"
-endif
+config OPENSSL_WITH_WHIRLPOOL
+ bool
+ prompt "Enable Whirlpool digest support"
+
+config OPENSSL_WITH_COMPRESSION
+ bool
+ prompt "Enable compression support"
+ help
+ TLS compression is not recommended, as it is deemed insecure.
+ The CRIME attack exploits this weakness.
+ Even with this option turned on, it is disabled by default, and the
+ application must explicitly turn it on.
+
+config OPENSSL_WITH_RFC3779
+ bool
+ prompt "Enable RFC3779 support (BGP)"
+ help
+ RFC 3779 defines two X.509 v3 certificate extensions. The first
+ binds a list of IP address blocks, or prefixes, to the subject of a
+ certificate. The second binds a list of autonomous system
+ identifiers to the subject of a certificate. These extensions may be
+ used to convey the authorization of the subject to use the IP
+ addresses and autonomous system identifiers contained in the
+ extensions.
+
+comment "Engine/Hardware Support"
+
+config OPENSSL_ENGINE
+ bool "Enable engine support"
+ help
+ This enables alternative cryptography implementations,
+ most commonly for interfacing with external crypto devices,
+ or supporting new/alternative ciphers and digests.
config OPENSSL_ENGINE_CRYPTO
bool
- select OPENSSL_HARDWARE_SUPPORT
- prompt "Crypto acceleration support" if PACKAGE_libopenssl
+ select OPENSSL_ENGINE
+ select PACKAGE_kmod-cryptodev
+ prompt "Acceleration support through /dev/crypto"
+ help
+ This enables use of hardware acceleration through OpenBSD
+ Cryptodev API (/dev/crypto) interface.
+ You must install kmod-cryptodev (under Kernel modules, Cryptographic
+ API modules) for /dev/crypto to show up and use hardware
+ acceleration; otherwise it falls back to software.
+
+config OPENSSL_ENGINE_DIGEST
+ bool
+ depends on OPENSSL_ENGINE_CRYPTO
+ prompt "/dev/crypto digest (md5/sha1) acceleration support"
+
+config OPENSSL_WITH_GOST
+ bool
+ prompt "Prepare library for GOST engine"
+ depends on OPENSSL_ENGINE
+ help
+ This option prepares the library to accept engine support
+ for Russian GOST crypto algorithms.
+
+endif
+
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 71c2c9c028..d9b1de2581 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -15,7 +15,7 @@ PKG_RELEASE:=2
PKG_USE_MIPS16:=0
PKG_BUILD_PARALLEL:=0
-
+PKG_BUILD_DEPENDS:=cryptodev-linux
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
@@ -25,24 +25,35 @@ PKG_SOURCE_URL:= \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684
+ENGINES_DIR=engines
PKG_LICENSE:=OpenSSL
PKG_LICENSE_FILES:=LICENSE
PKG_CPE_ID:=cpe:/a:openssl:openssl
PKG_CONFIG_DEPENDS:= \
+ CONFIG_OPENSSL_ENGINE \
CONFIG_OPENSSL_ENGINE_CRYPTO \
CONFIG_OPENSSL_ENGINE_DIGEST \
- CONFIG_OPENSSL_WITH_EC \
- CONFIG_OPENSSL_WITH_EC2M \
- CONFIG_OPENSSL_WITH_SSL3 \
- CONFIG_OPENSSL_HARDWARE_SUPPORT \
CONFIG_OPENSSL_NO_DEPRECATED \
- CONFIG_OPENSSL_WITH_DTLS \
+ CONFIG_OPENSSL_OPTIMIZE_SPEED \
+ CONFIG_OPENSSL_WITH_ASM \
+ CONFIG_OPENSSL_WITH_CAMELLIA \
+ CONFIG_OPENSSL_WITH_CMS \
CONFIG_OPENSSL_WITH_COMPRESSION \
+ CONFIG_OPENSSL_WITH_DTLS \
+ CONFIG_OPENSSL_WITH_EC \
+ CONFIG_OPENSSL_WITH_EC2M \
+ CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
+ CONFIG_OPENSSL_WITH_GOST \
+ CONFIG_OPENSSL_WITH_IDEA \
+ CONFIG_OPENSSL_WITH_MDC2 \
CONFIG_OPENSSL_WITH_NPN \
CONFIG_OPENSSL_WITH_PSK \
+ CONFIG_OPENSSL_WITH_RFC3779 \
+ CONFIG_OPENSSL_WITH_SEED \
CONFIG_OPENSSL_WITH_SRP \
- CONFIG_OPENSSL_OPTIMIZE_SPEED
+ CONFIG_OPENSSL_WITH_SSE2 \
+ CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
@@ -54,6 +65,8 @@ endif
define Package/openssl/Default
TITLE:=Open source SSL toolkit
URL:=http://www.openssl.org/
+ SECTION:=libs
+ CATEGORY:=Libraries
endef
define Package/libopenssl/config
@@ -62,16 +75,14 @@ endef
define Package/openssl/Default/description
The OpenSSL Project is a collaborative effort to develop a robust,
-commercial-grade, full-featured, and Open Source toolkit implementing the Secure
-Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
-as a full-strength general purpose cryptography library.
+commercial-grade, full-featured, and Open Source toolkit implementing the
+Transport Layer Security (TLS) protocol as well as a full-strength
+general-purpose cryptography library.
endef
define Package/libopenssl
$(call Package/openssl/Default)
- SECTION:=libs
SUBMENU:=SSL
- CATEGORY:=Libraries
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
TITLE+= (libraries)
ABI_VERSION:=1.0.0
@@ -100,19 +111,35 @@ $(call Package/openssl/Default/description)
This package contains the OpenSSL command-line utility.
endef
+define Package/libopenssl-gost
+ $(call Package/openssl/Default)
+ SUBMENU:=SSL
+ TITLE:=Russian GOST algorithms engine
+ DEPENDS:=libopenssl +@OPENSSL_WITH_GOST
+endef
+
+define Package/libopenssl-gost/description
+This package adds an engine that enables Russian GOST algorithms.
+To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
+The engine_id is "gost"
+endef
-OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
- no-whrlpool no-whirlpool no-seed no-jpake
-OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
+define Package/libopenssl-padlock
+ $(call Package/openssl/Default)
+ SUBMENU:=SSL
+ TITLE:=VIA Padlock hardware acceleration engine
+ DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock
+endef
-ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
- OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
- ifdef CONFIG_OPENSSL_ENGINE_DIGEST
- OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
- endif
-else
- OPENSSL_OPTIONS += no-engines
-endif
+define Package/libopenssl-padlock/description
+This package adds an engine that enables VIA Padlock hardware acceleration.
+To use it, you need to configure it in /etc/ssl/openssl.cnf.
+See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
+The engine_id is "padlock"
+endef
+
+OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method
ifndef CONFIG_OPENSSL_WITH_EC
OPENSSL_OPTIONS += no-ec
@@ -122,20 +149,70 @@ ifndef CONFIG_OPENSSL_WITH_EC2M
OPENSSL_OPTIONS += no-ec2m
endif
-ifndef CONFIG_OPENSSL_WITH_SSL3
- OPENSSL_OPTIONS += no-ssl3 no-ssl3-method
+ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
+ OPENSSL_OPTIONS += no-err
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CAMELLIA
+ OPENSSL_OPTIONS += no-camellia
+endif
+
+ifndef CONFIG_OPENSSL_WITH_IDEA
+ OPENSSL_OPTIONS += no-idea
+endif
+
+ifndef CONFIG_OPENSSL_WITH_SEED
+ OPENSSL_OPTIONS += no-seed
endif
-ifndef CONFIG_OPENSSL_HARDWARE_SUPPORT
- OPENSSL_OPTIONS += no-hw
+ifndef CONFIG_OPENSSL_WITH_MDC2
+ OPENSSL_OPTIONS += no-mdc2
+endif
+
+ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL
+ OPENSSL_OPTIONS += no-whirlpool
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CMS
+ OPENSSL_OPTIONS += no-cms
+endif
+
+ifdef CONFIG_OPENSSL_WITH_RFC3779
+ OPENSSL_OPTIONS += enable-rfc3779
endif
ifdef CONFIG_OPENSSL_NO_DEPRECATED
OPENSSL_OPTIONS += no-deprecated
endif
+ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
+ TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3
+else
+ OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
+endif
+
+ifdef CONFIG_OPENSSL_ENGINE
+ ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
+ OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
+ ifdef CONFIG_OPENSSL_ENGINE_DIGEST
+ OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
+ endif
+ endif
+ ifndef CONFIG_PACKAGE_libopenssl-padlock
+ OPENSSL_OPTIONS += no-hw-padlock
+ endif
+else
+ OPENSSL_OPTIONS += no-engine
+endif
+
+ifndef CONFIG_OPENSSL_WITH_GOST
+ OPENSSL_OPTIONS += no-gost
+endif
+
+# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code,
+# but openssl util gets built without it
ifndef CONFIG_OPENSSL_WITH_DTLS
- OPENSSL_OPTIONS += no-dtls
+ OPENSSL_OPTIONS += no-dtls no-dtls1
endif
ifdef CONFIG_OPENSSL_WITH_COMPRESSION
@@ -156,27 +233,18 @@ ifndef CONFIG_OPENSSL_WITH_SRP
OPENSSL_OPTIONS += no-srp
endif
-ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
- TARGET_CFLAGS := $(filter-out -Os,$(TARGET_CFLAGS)) -O3
+ifndef CONFIG_OPENSSL_WITH_ASM
+ OPENSSL_OPTIONS += no-asm
endif
-ifeq ($(CONFIG_x86_64),y)
- OPENSSL_TARGET:=linux-x86_64-openwrt
- OPENSSL_MAKEFLAGS += LIBDIR=lib
-else
- OPENSSL_OPTIONS+=no-sse2
- ifeq ($(CONFIG_mips)$(CONFIG_mipsel),y)
- OPENSSL_TARGET:=linux-mips-openwrt
- else ifeq ($(CONFIG_aarch64),y)
- OPENSSL_TARGET:=linux-aarch64-openwrt
- else ifeq ($(CONFIG_arm)$(CONFIG_armeb),y)
- OPENSSL_TARGET:=linux-armv4-openwrt
- else
- OPENSSL_TARGET:=linux-generic-openwrt
- OPENSSL_OPTIONS+=no-perlasm
+ifdef CONFIG_i386
+ ifndef CONFIG_OPENSSL_WITH_SSE2
+ OPENSSL_OPTIONS += no-sse2
endif
endif
+OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt
+
STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5)
define Build/Configure
@@ -187,11 +255,10 @@ define Build/Configure
(cd $(PKG_BUILD_DIR); \
./Configure $(OPENSSL_TARGET) \
--prefix=/usr \
+ --libdir=lib \
--openssldir=/etc/ssl \
$(TARGET_CPPFLAGS) \
- $(TARGET_LDFLAGS) -ldl \
- $(if $(CONFIG_OPENSSL_OPTIMIZE_SPEED),,-DOPENSSL_SMALL_FOOTPRINT) \
- $(OPENSSL_NO_CIPHERS) \
+ $(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) \
)
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
@@ -202,7 +269,7 @@ define Build/Configure
depend
endef
-TARGET_CFLAGS += $(FPIC) -I$(CURDIR)/include -ffunction-sections -fdata-sections
+TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections
define Build/Compile
@@ -251,20 +318,33 @@ define Build/InstallDev
endef
define Package/libopenssl/install
+ $(INSTALL_DIR) $(1)/etc/ssl/certs
+ $(INSTALL_DIR) $(1)/etc/ssl/private
+ chmod 0700 $(1)/etc/ssl/private
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/
+ $(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR))
endef
define Package/openssl-util/install
$(INSTALL_DIR) $(1)/etc/ssl
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
- $(INSTALL_DIR) $(1)/etc/ssl/certs
- $(INSTALL_DIR) $(1)/etc/ssl/private
- chmod 0700 $(1)/etc/ssl/private
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
endef
+define Package/libopenssl-padlock/install
+ $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+endef
+
+define Package/libopenssl-gost/install
+ $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR)
+endef
+
$(eval $(call BuildPackage,libopenssl))
+$(eval $(call BuildPackage,libopenssl-gost))
+$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))
diff --git a/package/libs/openssl/include/crypto/cryptodev.h b/package/libs/openssl/include/crypto/cryptodev.h
deleted file mode 100644
index 7fb9c7dcda..0000000000
--- a/package/libs/openssl/include/crypto/cryptodev.h
+++ /dev/null
@@ -1,292 +0,0 @@
-/* This is a source compatible implementation with the original API of
- * cryptodev by Angelos D. Keromytis, found at openbsd cryptodev.h.
- * Placed under public domain */
-
-#ifndef L_CRYPTODEV_H
-#define L_CRYPTODEV_H
-
-#include <linux/types.h>
-#ifndef __KERNEL__
-#define __user
-#endif
-
-/* API extensions for linux */
-#define CRYPTO_HMAC_MAX_KEY_LEN 512
-#define CRYPTO_CIPHER_MAX_KEY_LEN 64
-
-/* All the supported algorithms
- */
-enum cryptodev_crypto_op_t {
- CRYPTO_DES_CBC = 1,
- CRYPTO_3DES_CBC = 2,
- CRYPTO_BLF_CBC = 3,
- CRYPTO_CAST_CBC = 4,
- CRYPTO_SKIPJACK_CBC = 5,
- CRYPTO_MD5_HMAC = 6,
- CRYPTO_SHA1_HMAC = 7,
- CRYPTO_RIPEMD160_HMAC = 8,
- CRYPTO_MD5_KPDK = 9,
- CRYPTO_SHA1_KPDK = 10,
- CRYPTO_RIJNDAEL128_CBC = 11,
- CRYPTO_AES_CBC = CRYPTO_RIJNDAEL128_CBC,
- CRYPTO_ARC4 = 12,
- CRYPTO_MD5 = 13,
- CRYPTO_SHA1 = 14,
- CRYPTO_DEFLATE_COMP = 15,
- CRYPTO_NULL = 16,
- CRYPTO_LZS_COMP = 17,
- CRYPTO_SHA2_256_HMAC = 18,
- CRYPTO_SHA2_384_HMAC = 19,
- CRYPTO_SHA2_512_HMAC = 20,
- CRYPTO_AES_CTR = 21,
- CRYPTO_AES_XTS = 22,
- CRYPTO_AES_ECB = 23,
- CRYPTO_AES_GCM = 50,
-
- CRYPTO_CAMELLIA_CBC = 101,
- CRYPTO_RIPEMD160,
- CRYPTO_SHA2_224,
- CRYPTO_SHA2_256,
- CRYPTO_SHA2_384,
- CRYPTO_SHA2_512,
- CRYPTO_SHA2_224_HMAC,
- CRYPTO_ALGORITHM_ALL, /* Keep updated - see below */
-};
-
-#define CRYPTO_ALGORITHM_MAX (CRYPTO_ALGORITHM_ALL - 1)
-
-/* Values for ciphers */
-#define DES_BLOCK_LEN 8
-#define DES3_BLOCK_LEN 8
-#define RIJNDAEL128_BLOCK_LEN 16
-#define AES_BLOCK_LEN RIJNDAEL128_BLOCK_LEN
-#define CAMELLIA_BLOCK_LEN 16
-#define BLOWFISH_BLOCK_LEN 8
-#define SKIPJACK_BLOCK_LEN 8
-#define CAST128_BLOCK_LEN 8
-
-/* the maximum of the above */
-#define EALG_MAX_BLOCK_LEN 16
-
-/* Values for hashes/MAC */
-#define AALG_MAX_RESULT_LEN 64
-
-/* maximum length of verbose alg names (depends on CRYPTO_MAX_ALG_NAME) */
-#define CRYPTODEV_MAX_ALG_NAME 64
-
-#define HASH_MAX_LEN 64
-
-/* input of CIOCGSESSION */
-struct session_op {
- /* Specify either cipher or mac
- */
- __u32 cipher; /* cryptodev_crypto_op_t */
- __u32 mac; /* cryptodev_crypto_op_t */
-
- __u32 keylen;
- __u8 __user *key;
- __u32 mackeylen;
- __u8 __user *mackey;
-
- __u32 ses; /* session identifier */
-};
-
-struct session_info_op {
- __u32 ses; /* session identifier */
-
- /* verbose names for the requested ciphers */
- struct alg_info {
- char cra_name[CRYPTODEV_MAX_ALG_NAME];
- char cra_driver_name[CRYPTODEV_MAX_ALG_NAME];
- } cipher_info, hash_info;
-
- __u16 alignmask; /* alignment constraints */
- __u32 flags; /* SIOP_FLAGS_* */
-};
-
-/* If this flag is set then this algorithm uses
- * a driver only available in kernel (software drivers,
- * or drivers based on instruction sets do not set this flag).
- *
- * If multiple algorithms are involved (as in AEAD case), then
- * if one of them is kernel-driver-only this flag will be set.
- */
-#define SIOP_FLAG_KERNEL_DRIVER_ONLY 1
-
-#define COP_ENCRYPT 0
-#define COP_DECRYPT 1
-
-/* input of CIOCCRYPT */
-struct crypt_op {
- __u32 ses; /* session identifier */
- __u16 op; /* COP_ENCRYPT or COP_DECRYPT */
- __u16 flags; /* see COP_FLAG_* */
- __u32 len; /* length of source data */
- __u8 __user *src; /* source data */
- __u8 __user *dst; /* pointer to output data */
- /* pointer to output data for hash/MAC operations */
- __u8 __user *mac;
- /* initialization vector for encryption operations */
- __u8 __user *iv;
-};
-
-/* input of CIOCAUTHCRYPT */
-struct crypt_auth_op {
- __u32 ses; /* session identifier */
- __u16 op; /* COP_ENCRYPT or COP_DECRYPT */
- __u16 flags; /* see COP_FLAG_AEAD_* */
- __u32 len; /* length of source data */
- __u32 auth_len; /* length of auth data */
- __u8 __user *auth_src; /* authenticated-only data */
-
- /* The current implementation is more efficient if data are
- * encrypted in-place (src==dst). */
- __u8 __user *src; /* data to be encrypted and authenticated */
- __u8 __user *dst; /* pointer to output data. Must have
- * space for tag. For TLS this should be at least
- * len + tag_size + block_size for padding */
-
- __u8 __user *tag; /* where the tag will be copied to. TLS mode
- * doesn't use that as tag is copied to dst.
- * SRTP mode copies tag there. */
- __u32 tag_len; /* the length of the tag. Use zero for digest size or max tag. */
-
- /* initialization vector for encryption operations */
- __u8 __user *iv;
- __u32 iv_len;
-};
-
-/* In plain AEAD mode the following are required:
- * flags : 0
- * iv : the initialization vector (12 bytes)
- * auth_len: the length of the data to be authenticated
- * auth_src: the data to be authenticated
- * len : length of data to be encrypted
- * src : the data to be encrypted
- * dst : space to hold encrypted data. It must have
- * at least a size of len + tag_size.
- * tag_size: the size of the desired authentication tag or zero to use
- * the maximum tag output.
- *
- * Note tag isn't being used because the Linux AEAD interface
- * copies the tag just after data.
- */
-
-/* In TLS mode (used for CBC ciphers that required padding)
- * the following are required:
- * flags : COP_FLAG_AEAD_TLS_TYPE
- * iv : the initialization vector
- * auth_len: the length of the data to be authenticated only
- * len : length of data to be encrypted
- * auth_src: the data to be authenticated
- * src : the data to be encrypted
- * dst : space to hold encrypted data (preferably in-place). It must have
- * at least a size of len + tag_size + blocksize.
- * tag_size: the size of the desired authentication tag or zero to use
- * the default mac output.
- *
- * Note that the padding used is the minimum padding.
- */
-
-/* In SRTP mode the following are required:
- * flags : COP_FLAG_AEAD_SRTP_TYPE
- * iv : the initialization vector
- * auth_len: the length of the data to be authenticated. This must
- * include the SRTP header + SRTP payload (data to be encrypted) + rest
- *
- * len : length of data to be encrypted
- * auth_src: pointer the data to be authenticated. Should point at the same buffer as src.
- * src : pointer to the data to be encrypted.
- * dst : This is mandatory to be the same as src (in-place only).
- * tag_size: the size of the desired authentication tag or zero to use
- * the default mac output.
- * tag : Pointer to an address where the authentication tag will be copied.
- */
-
-
-/* struct crypt_op flags */
-
-#define COP_FLAG_NONE (0 << 0) /* totally no flag */
-#define COP_FLAG_UPDATE (1 << 0) /* multi-update hash mode */
-#define COP_FLAG_FINAL (1 << 1) /* multi-update final hash mode */
-#define COP_FLAG_WRITE_IV (1 << 2) /* update the IV during operation */
-#define COP_FLAG_NO_ZC (1 << 3) /* do not zero-copy */
-#define COP_FLAG_AEAD_TLS_TYPE (1 << 4) /* authenticate and encrypt using the
- * TLS protocol rules */
-#define COP_FLAG_AEAD_SRTP_TYPE (1 << 5) /* authenticate and encrypt using the
- * SRTP protocol rules */
-#define COP_FLAG_RESET (1 << 6) /* multi-update reset the state.
- * should be used in combination
- * with COP_FLAG_UPDATE */
-
-
-/* Stuff for bignum arithmetic and public key
- * cryptography - not supported yet by linux
- * cryptodev.
- */
-
-#define CRYPTO_ALG_FLAG_SUPPORTED 1
-#define CRYPTO_ALG_FLAG_RNG_ENABLE 2
-#define CRYPTO_ALG_FLAG_DSA_SHA 4
-
-struct crparam {
- __u8 *crp_p;
- __u32 crp_nbits;
-};
-
-#define CRK_MAXPARAM 8
-
-/* input of CIOCKEY */
-struct crypt_kop {
- __u32 crk_op; /* cryptodev_crk_op_t */
- __u32 crk_status;
- __u16 crk_iparams;
- __u16 crk_oparams;
- __u32 crk_pad1;
- struct crparam crk_param[CRK_MAXPARAM];
-};
-
-enum cryptodev_crk_op_t {
- CRK_MOD_EXP = 0,
- CRK_MOD_EXP_CRT = 1,
- CRK_DSA_SIGN = 2,
- CRK_DSA_VERIFY = 3,
- CRK_DH_COMPUTE_KEY = 4,
- CRK_ALGORITHM_ALL
-};
-
-#define CRK_ALGORITHM_MAX (CRK_ALGORITHM_ALL-1)
-
-/* features to be queried with CIOCASYMFEAT ioctl
- */
-#define CRF_MOD_EXP (1 << CRK_MOD_EXP)
-#define CRF_MOD_EXP_CRT (1 << CRK_MOD_EXP_CRT)
-#define CRF_DSA_SIGN (1 << CRK_DSA_SIGN)
-#define CRF_DSA_VERIFY (1 << CRK_DSA_VERIFY)
-#define CRF_DH_COMPUTE_KEY (1 << CRK_DH_COMPUTE_KEY)
-
-
-/* ioctl's. Compatible with old linux cryptodev.h
- */
-#define CRIOGET _IOWR('c', 101, __u32)
-#define CIOCGSESSION _IOWR('c', 102, struct session_op)
-#define CIOCFSESSION _IOW('c', 103, __u32)
-#define CIOCCRYPT _IOWR('c', 104, struct crypt_op)
-#define CIOCKEY _IOWR('c', 105, struct crypt_kop)
-#define CIOCASYMFEAT _IOR('c', 106, __u32)
-#define CIOCGSESSINFO _IOWR('c', 107, struct session_info_op)
-
-/* to indicate that CRIOGET is not required in linux
- */
-#define CRIOGET_NOT_NEEDED 1
-
-/* additional ioctls for AEAD */
-#define CIOCAUTHCRYPT _IOWR('c', 109, struct crypt_auth_op)
-
-/* additional ioctls for asynchronous operation.
- * These are conditionally enabled since version 1.6.
- */
-#define CIOCASYNCCRYPT _IOW('c', 110, struct crypt_op)
-#define CIOCASYNCFETCH _IOR('c', 111, struct crypt_op)
-
-#endif /* L_CRYPTODEV_H */
diff --git a/package/libs/openssl/patches/100-openwrt_targets.patch b/package/libs/openssl/patches/100-openwrt_targets.patch
new file mode 100644
index 0000000000..52a51f9f47
--- /dev/null
+++ b/package/libs/openssl/patches/100-openwrt_targets.patch
@@ -0,0 +1,44 @@
+From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 26 Sep 2018 16:21:27 -0300
+Subject: Add openwrt targets
+
+Targets are named: linux-$(CONFIG_ARCH)-openwrt
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/Configure
++++ b/Configure
+@@ -470,6 +470,32 @@ my %table=(
+ "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+ "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+
++# OpenWrt targets
++# from linux-aarch64
++"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-generic32
++"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-armv4
++"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-armv4
++"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-elf
++"linux-i386-openwrt", "gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-mips32
++"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux64-mips64
++"linux-mips64-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++# from linux64-mips64
++"linux-mips64el-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++# from linux-mips32
++"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-ppc
++"linux-powerpc-openwrt", "gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-x86_64
++"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++# from linux-generic32
++"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++
+ # Android: linux-* but without pointers to headers and libs.
+ "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/package/libs/openssl/patches/110-optimize-for-size.patch b/package/libs/openssl/patches/110-optimize-for-size.patch
deleted file mode 100644
index d6d4a21111..0000000000
--- a/package/libs/openssl/patches/110-optimize-for-size.patch
+++ /dev/null
@@ -1,16 +0,0 @@
---- a/Configure
-+++ b/Configure
-@@ -470,6 +470,13 @@ my %table=(
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-
-+# OpenWrt targets
-+"linux-armv4-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+
- # Android: linux-* but without pointers to headers and libs.
- "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/package/libs/openssl/patches/130-perl-path.patch b/package/libs/openssl/patches/110-perl-path.patch
index 2dbdc76010..2dbdc76010 100644
--- a/package/libs/openssl/patches/130-perl-path.patch
+++ b/package/libs/openssl/patches/110-perl-path.patch
diff --git a/package/libs/openssl/patches/140-makefile-dirs.patch b/package/libs/openssl/patches/120-makefile-dirs.patch
index 83c412f444..5bcb316486 100644
--- a/package/libs/openssl/patches/140-makefile-dirs.patch
+++ b/package/libs/openssl/patches/120-makefile-dirs.patch
@@ -5,7 +5,7 @@
BASEADDR=
-DIRS= crypto ssl engines apps test tools
-+DIRS= crypto ssl apps
++DIRS= crypto ssl engines apps
ENGDIRS= ccgost
SHLIBDIRS= crypto ssl
diff --git a/package/libs/openssl/patches/160-disable_doc_tests.patch b/package/libs/openssl/patches/130-disable_doc_tests.patch
index e38d44a768..e38d44a768 100644
--- a/package/libs/openssl/patches/160-disable_doc_tests.patch
+++ b/package/libs/openssl/patches/130-disable_doc_tests.patch
diff --git a/package/libs/openssl/patches/170-bash_path.patch b/package/libs/openssl/patches/140-bash_path.patch
index c29b59afdd..c29b59afdd 100644
--- a/package/libs/openssl/patches/170-bash_path.patch
+++ b/package/libs/openssl/patches/140-bash_path.patch
diff --git a/package/libs/openssl/patches/180-fix_link_segfault.patch b/package/libs/openssl/patches/150-fix_link_segfault.patch
index 3e36beb49c..3e36beb49c 100644
--- a/package/libs/openssl/patches/180-fix_link_segfault.patch
+++ b/package/libs/openssl/patches/150-fix_link_segfault.patch
diff --git a/package/libs/openssl/patches/150-no_engines.patch b/package/libs/openssl/patches/150-no_engines.patch
deleted file mode 100644
index a518a00496..0000000000
--- a/package/libs/openssl/patches/150-no_engines.patch
+++ /dev/null
@@ -1,81 +0,0 @@
---- a/Configure
-+++ b/Configure
-@@ -2144,6 +2144,11 @@ EOF
- close(OUT);
- }
-
-+# ugly hack to disable engines
-+if($target eq "mingwx") {
-+ system("sed -e s/^LIB/XLIB/g -i engines/Makefile");
-+}
-+
- print <<EOF;
-
- Configured for $target.
---- a/util/libeay.num
-+++ b/util/libeay.num
-@@ -2075,7 +2075,6 @@ PKCS7_ATTR_SIGN_it
- UI_add_error_string 2633 EXIST::FUNCTION:
- KRB5_CHECKSUM_free 2634 EXIST::FUNCTION:
- OCSP_REQUEST_get_ext 2635 EXIST::FUNCTION:
--ENGINE_load_ubsec 2636 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- ENGINE_register_all_digests 2637 EXIST::FUNCTION:ENGINE
- PKEY_USAGE_PERIOD_it 2638 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- PKEY_USAGE_PERIOD_it 2638 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-@@ -2549,7 +2548,6 @@ OCSP_RESPONSE_new
- AES_set_encrypt_key 3024 EXIST::FUNCTION:AES
- OCSP_resp_count 3025 EXIST::FUNCTION:
- KRB5_CHECKSUM_new 3026 EXIST::FUNCTION:
--ENGINE_load_cswift 3027 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- OCSP_onereq_get0_id 3028 EXIST::FUNCTION:
- ENGINE_set_default_ciphers 3029 EXIST::FUNCTION:ENGINE
- NOTICEREF_it 3030 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-@@ -2580,7 +2578,6 @@ ASN1_primitive_free
- i2d_EXTENDED_KEY_USAGE 3052 EXIST::FUNCTION:
- i2d_OCSP_SIGNATURE 3053 EXIST::FUNCTION:
- asn1_enc_save 3054 EXIST::FUNCTION:
--ENGINE_load_nuron 3055 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- _ossl_old_des_pcbc_encrypt 3056 EXIST::FUNCTION:DES
- PKCS12_MAC_DATA_it 3057 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- PKCS12_MAC_DATA_it 3057 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-@@ -2604,7 +2601,6 @@ asn1_get_choice_selector
- i2d_KRB5_CHECKSUM 3072 EXIST::FUNCTION:
- ENGINE_set_table_flags 3073 EXIST::FUNCTION:ENGINE
- AES_options 3074 EXIST::FUNCTION:AES
--ENGINE_load_chil 3075 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- OCSP_id_cmp 3076 EXIST::FUNCTION:
- OCSP_BASICRESP_new 3077 EXIST::FUNCTION:
- OCSP_REQUEST_get_ext_by_NID 3078 EXIST::FUNCTION:
-@@ -2671,7 +2667,6 @@ OCSP_CRLID_it
- OCSP_CRLID_it 3127 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
- i2d_KRB5_AUTHENTBODY 3128 EXIST::FUNCTION:
- OCSP_REQUEST_get_ext_count 3129 EXIST::FUNCTION:
--ENGINE_load_atalla 3130 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- X509_NAME_it 3131 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- X509_NAME_it 3131 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
- USERNOTICE_it 3132 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-@@ -2766,8 +2761,6 @@ DES_read_2passwords
- DES_read_password 3207 EXIST::FUNCTION:DES
- UI_UTIL_read_pw 3208 EXIST::FUNCTION:
- UI_UTIL_read_pw_string 3209 EXIST::FUNCTION:
--ENGINE_load_aep 3210 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
--ENGINE_load_sureware 3211 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- OPENSSL_add_all_algorithms_noconf 3212 EXIST:!VMS:FUNCTION:
- OPENSSL_add_all_algo_noconf 3212 EXIST:VMS:FUNCTION:
- OPENSSL_add_all_algorithms_conf 3213 EXIST:!VMS:FUNCTION:
-@@ -2776,7 +2769,6 @@ OPENSSL_load_builtin_modules
- AES_ofb128_encrypt 3215 EXIST::FUNCTION:AES
- AES_ctr128_encrypt 3216 EXIST::FUNCTION:AES
- AES_cfb128_encrypt 3217 EXIST::FUNCTION:AES
--ENGINE_load_4758cca 3218 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- _ossl_096_des_random_seed 3219 EXIST::FUNCTION:DES
- EVP_aes_256_ofb 3220 EXIST::FUNCTION:AES
- EVP_aes_192_ofb 3221 EXIST::FUNCTION:AES
-@@ -3111,7 +3103,6 @@ EC_GFp_nist_method
- STORE_meth_set_modify_fn 3530 NOEXIST::FUNCTION:
- STORE_method_set_modify_function 3530 NOEXIST::FUNCTION:
- STORE_parse_attrs_next 3531 NOEXIST::FUNCTION:
--ENGINE_load_padlock 3532 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- EC_GROUP_set_curve_name 3533 EXIST::FUNCTION:EC
- X509_CERT_PAIR_it 3534 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- X509_CERT_PAIR_it 3534 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
diff --git a/package/libs/openssl/patches/190-remove_timestamp_check.patch b/package/libs/openssl/patches/160-remove_timestamp_check.patch
index 424e66063c..424e66063c 100644
--- a/package/libs/openssl/patches/190-remove_timestamp_check.patch
+++ b/package/libs/openssl/patches/160-remove_timestamp_check.patch
diff --git a/package/libs/openssl/patches/200-parallel_build.patch b/package/libs/openssl/patches/170-parallel_build.patch
index 37134e4030..cbe5d51241 100644
--- a/package/libs/openssl/patches/200-parallel_build.patch
+++ b/package/libs/openssl/patches/170-parallel_build.patch
@@ -92,7 +92,7 @@
fi; \
--- a/crypto/Makefile
+++ b/crypto/Makefile
-@@ -85,11 +85,11 @@ testapps:
+@@ -87,11 +87,11 @@ testapps:
@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
subdirs:
@@ -106,7 +106,7 @@
links:
@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@ links:
+@@ -102,7 +102,7 @@ links:
# lib: $(LIB): are splitted to avoid end-less loop
lib: $(LIB)
@touch lib
@@ -115,7 +115,7 @@
$(AR) $(LIB) $(LIBOBJ)
test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
$(RANLIB) $(LIB) || echo Never mind.
-@@ -111,7 +111,7 @@ shared: buildinf.h lib subdirs
+@@ -113,7 +113,7 @@ shared: buildinf.h lib subdirs
fi
libs:
@@ -124,7 +124,7 @@
install:
@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -120,7 +120,7 @@ install:
+@@ -122,7 +122,7 @@ install:
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
diff --git a/package/libs/openssl/patches/180-strip-cflags-from-binary.patch b/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
new file mode 100644
index 0000000000..e70bd077d5
--- /dev/null
+++ b/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
@@ -0,0 +1,21 @@
+From f17f027c258338994a6167091a398c0cc1588acb Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 26 Sep 2018 18:04:58 -0300
+Subject: Avoid exposing build directories
+
+The CFLAGS contain the build directories, and are shown by calling
+SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -57,7 +57,7 @@ top:
+ all: shared
+
+ buildinf.h: ../Makefile
+- $(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
++ $(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h
+
+ x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl
+ $(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@