4 files changed, 73 insertions, 5 deletions

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 153d14a446..90aaafd31f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_VERSION:=3.0.8
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
diff --git a/package/libs/openssl/files/devcrypto.cnf b/package/libs/openssl/files/devcrypto.cnf
index 549275600d..8afd9b1b00 100644
--- a/package/libs/openssl/files/devcrypto.cnf
+++ b/package/libs/openssl/files/devcrypto.cnf
@@ -17,8 +17,9 @@ default_algorithms = ALL
 # It is recommended to disable the ECB ciphers; in most cases, it will
 # only be used for PRNG, in small blocks, where performance is poor,
 # and there may be problems with apps forking with open crypto
-# contexts, leading to failures.  The CBC ciphers work well:
-#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
+# contexts, leading to failures.  The CBC ciphers work well.
+CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, \
+	AES-128-CTR, AES-192-CTR, AES-256-CTR
 
 # DIGESTS: either ALL, NONE, or a comma-separated list of digests to
 # enable [default=NONE]
@@ -26,6 +27,8 @@ default_algorithms = ALL
 # is poor, and there are many cases in which they will not work,
 # especially when calling fork with open crypto contexts.  Openssh,
 # for example, does this, and you may not be able to login.
-#DIGESTS = NONE
-
+# Sysupgrade will fail as well.  If you're adventurous enough to change
+# this, you should change it back to NONE, and reboot before running
+# sysupgrade!
+DIGESTS = NONE
 
diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
new file mode 100644
index 0000000000..f183263858
--- /dev/null
+++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 11 Mar 2019 09:29:13 -0300
+Subject: e_devcrypto: default to not use digests in engine
+
+Digests are almost always slower when using /dev/crypto because of the
+cost of the context switches.  Only for large blocks it is worth it.
+
+Also, when forking, the open context structures are duplicated, but the
+internal kernel sessions are still shared between forks, which means an
+update/close operation in one fork affects all processes using that
+session.
+
+This affects digests, especially for HMAC, where the session with the
+key hash is used as a source for subsequent operations.  At least one
+popular application does this across a fork.  Disabling digests by
+default will mitigate the problem, while still allowing the user to
+turn them on if it is safe and fast enough.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -905,7 +905,7 @@ static void prepare_digest_methods(void)
+     for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
+          i++) {
+ 
+-        selected_digests[i] = 1;
++        selected_digests[i] = 0;
+ 
+         /*
+          * Check that the digest is usable
+@@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
+ #ifdef IMPLEMENT_DIGEST
+    {DEVCRYPTO_CMD_DIGESTS,
+     "DIGESTS",
+-    "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
++    "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
+     ENGINE_CMD_FLAG_STRING},
+ #endif
+ 
diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
new file mode 100644
index 0000000000..40b1dc78d3
--- /dev/null
+++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 11 Mar 2019 10:15:14 -0300
+Subject: e_devcrypto: ignore error when closing session
+
+In cipher_init, ignore an eventual error when closing the previous
+session.  It may have been closed by another process after a fork.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -211,9 +211,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
+     int ret;
+ 
+     /* cleanup a previous session */
+-    if (cipher_ctx->sess.ses != 0 &&
+-        clean_devcrypto_session(&cipher_ctx->sess) == 0)
+-        return 0;
++    if (cipher_ctx->sess.ses != 0)
++        clean_devcrypto_session(&cipher_ctx->sess);
+ 
+     cipher_ctx->sess.cipher = cipher_d->devcryptoid;
+     cipher_ctx->sess.keylen = cipher_d->keylen;