From be3892284ca77a69615351b106b8dfbadad728c4 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 22 Oct 2018 11:32:56 -0300
Subject: [PATCH] openssl: add configuration options, disable ssl3

Adds the following configuration options:
* using optimized assembler code (was always on before)
* use of x86 SSE2 instructions
* dyanic engine support
* include error messages
* Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
* RFC3779, CMS protocols
* VIA padlock hardware acceleration engine

Installs openssl.cnf with the library as it is used by engines
independent of the openssl util.

Fixes DTLS option that was innefective before.

Disables insecure SSL3 protocol and SHA0.

Adds openwrt-specific targets to Configure script, including asm support
for i386, ppc and mips64.

Strips building dirs from CFLAGS shown in binary.

Skips the fuzz directory during build.

Removed include/crypto/devcrypto.h that was included here, to use the
cryptodev-linux package, now that it was been moved from the packages
feed to the main openwrt repository.

This decreses the size of the ipk binray on MIPS32 by about 3.3%:
old:
706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
---
 package/libs/openssl/Config.in                | 206 ++++++++++--
 package/libs/openssl/Makefile                 | 182 ++++++++---
 .../libs/openssl/include/crypto/cryptodev.h   | 292 ------------------
 .../openssl/patches/100-openwrt_targets.patch |  44 +++
 .../patches/110-optimize-for-size.patch       |  16 -
 ...30-perl-path.patch => 110-perl-path.patch} |   0
 ...ile-dirs.patch => 120-makefile-dirs.patch} |   2 +-
 ...ests.patch => 130-disable_doc_tests.patch} |   0
 ...70-bash_path.patch => 140-bash_path.patch} |   0
 ...ault.patch => 150-fix_link_segfault.patch} |   0
 .../libs/openssl/patches/150-no_engines.patch |  81 -----
 ...patch => 160-remove_timestamp_check.patch} |   0
 ...l_build.patch => 170-parallel_build.patch} |   8 +-
 .../180-strip-cflags-from-binary.patch        |  21 ++
 14 files changed, 376 insertions(+), 476 deletions(-)
 delete mode 100644 package/libs/openssl/include/crypto/cryptodev.h
 create mode 100644 package/libs/openssl/patches/100-openwrt_targets.patch
 delete mode 100644 package/libs/openssl/patches/110-optimize-for-size.patch
 rename package/libs/openssl/patches/{130-perl-path.patch => 110-perl-path.patch} (100%)
 rename package/libs/openssl/patches/{140-makefile-dirs.patch => 120-makefile-dirs.patch} (83%)
 rename package/libs/openssl/patches/{160-disable_doc_tests.patch => 130-disable_doc_tests.patch} (100%)
 rename package/libs/openssl/patches/{170-bash_path.patch => 140-bash_path.patch} (100%)
 rename package/libs/openssl/patches/{180-fix_link_segfault.patch => 150-fix_link_segfault.patch} (100%)
 delete mode 100644 package/libs/openssl/patches/150-no_engines.patch
 rename package/libs/openssl/patches/{190-remove_timestamp_check.patch => 160-remove_timestamp_check.patch} (100%)
 rename package/libs/openssl/patches/{200-parallel_build.patch => 170-parallel_build.patch} (97%)
 create mode 100644 package/libs/openssl/patches/180-strip-cflags-from-binary.patch

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index c39e28510f..fe73229915 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -1,72 +1,216 @@
 if PACKAGE_libopenssl
 
-config OPENSSL_WITH_EC
+comment "Build Options"
+
+config OPENSSL_OPTIMIZE_SPEED
+	bool
+	prompt "Enable optimization for speed instead of size"
+	select OPENSSL_WITH_ASM
+	help
+		Enabling this option increases code size (around 20%) and
+		performance.  The increase in performance and size depends on the
+		target CPU. EC and AES seem to benefit the most, with EC speed
+		increased by 20%-50% (mipsel & x86).
+		AES-GCM is supposed to be 3x faster on x86. YMMV.
+
+config OPENSSL_WITH_ASM
 	bool
 	default y
-	prompt "Enable elliptic curve support"
+	prompt "Compile with optimized assembly code"
+	depends on !arc
+	help
+		Disabling this option will reduce code size and performance.
+		The increase in performance and size depends on the target
+		CPU and on the algorithms being optimized.  As of 1.1.0i*:
 
-config OPENSSL_WITH_EC2M
-        bool
-        depends on OPENSSL_WITH_EC
-        prompt "Enable ec2m support"
+		Platform  Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
+		aarch64   174K     BN, aes, sha1, sha256, sha512, nist256, poly1305
+		arm       152K     BN, aes, sha1, sha256, sha512, nist256, poly1305
+		i386      183K     BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
+		mipsel      1.5K   BN+97%, aes+4%, sha1+94%, sha256+60%
+		mips64	    3.7K   BN, aes, sha1, sha256, sha512, poly1305
+		powerpc    20K     BN, aes, sha1, sha256, sha512, poly1305
+		x86_64    228K     BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
 
-config OPENSSL_WITH_SSL3
+		* Only most common algorithms shown. Your mileage may vary.
+		  BN (bignum) performance was measured using RSA sign/verify.
+
+config OPENSSL_WITH_SSE2
 	bool
-	default n
-	prompt "Enable sslv3 support"
+	default y if !TARGET_x86_legacy && !TARGET_x86_geode
+	prompt "Enable use of x86 SSE2 instructions"
+	depends on OPENSSL_WITH_ASM && i386
+	help
+		Use of SSE2 instructions greatly increase performance (up to
+		3x faster) with a minimum (~0.2%, or 23KB) increase in package
+		size, but it will bring no benefit if your hardware does not
+		support them, such as Geode GX and LX.  In this case you may
+		save 23KB by saying yes here.  AMD Geode NX, and Intel
+		Pentium 4 and above support SSE2.
 
 config OPENSSL_WITH_DEPRECATED
 	bool
 	default y
-	prompt "Include deprecated APIs"
+	prompt "Include deprecated APIs (See help for a list of packages that need this)"
+	help
+		Squid currently requires this.
 
 config OPENSSL_NO_DEPRECATED
 	bool
 	default !OPENSSL_WITH_DEPRECATED
 
-config OPENSSL_WITH_DTLS
+config OPENSSL_WITH_ERROR_MESSAGES
 	bool
-	default n
-	prompt "Enable DTLS support"
+	prompt "Include error messages"
+	help
+		This option aids debugging, but increases package size and
+		memory usage.
 
-config OPENSSL_WITH_COMPRESSION
+comment "Protocol Support"
+
+config OPENSSL_WITH_DTLS
 	bool
-	default n
-	prompt "Enable compression support"
+	prompt "Enable DTLS support"
+	help
+		Datagram Transport Layer Security (DTLS) provides TLS-like security
+		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
 
 config OPENSSL_WITH_NPN
 	bool
 	default y
 	prompt "Enable NPN support"
+	help
+		NPN is a TLS extension, obsoleted and replaced with ALPN,
+		used to negotiate SPDY, and HTTP/2.
+
+config OPENSSL_WITH_SRP
+	bool
+	default y
+	prompt "Enable SRP support"
+	help
+		The Secure Remote Password protocol (SRP) is an augmented
+		password-authenticated key agreement (PAKE) protocol, specifically
+		designed to work around existing patents.
+
+config OPENSSL_WITH_CMS
+	bool
+	default y
+	prompt "Enable CMS (RFC 5652) support"
+	help
+		Cryptographic Message Syntax (CMS) is used to digitally sign,
+		digest, authenticate, or encrypt arbitrary message content.
+
+comment "Algorithm Selection"
+
+config OPENSSL_WITH_EC
+	bool
+	default y
+	prompt "Enable elliptic curve support"
+	help
+		Elliptic-curve cryptography (ECC) is an approach to public-key
+		cryptography based on the algebraic structure of elliptic curves
+		over finite fields. ECC requires smaller keys compared to non-ECC
+		cryptography to provide equivalent security.
+
+config OPENSSL_WITH_EC2M
+	bool
+	depends on OPENSSL_WITH_EC
+	prompt "Enable ec2m support"
+	help
+		This option enables the more efficient, yet less common, binary
+		field elliptic curves.
 
 config OPENSSL_WITH_PSK
 	bool
 	default y
 	prompt "Enable PSK support"
+	help
+		Build support for Pre-Shared Key based cipher suites.
 
-config OPENSSL_WITH_SRP
+comment "Less commonly used build options"
+
+config OPENSSL_WITH_CAMELLIA
 	bool
-	default y
-	prompt "Enable SRP support"
+	prompt "Enable Camellia cipher support"
+	help
+		Camellia is a bock cipher with security levels and processing
+		abilities comparable to AES.
 
-config OPENSSL_ENGINE_DIGEST
+config OPENSSL_WITH_IDEA
 	bool
-	depends on OPENSSL_ENGINE_CRYPTO
-	prompt "Digests acceleration support"
+	prompt "Enable IDEA cipher support"
+	help
+		IDEA is a block cipher with 128-bit keys.
 
-config OPENSSL_HARDWARE_SUPPORT
+config OPENSSL_WITH_SEED
 	bool
-	default n
-	prompt "Enable hardware support"
+	prompt "Enable SEED cipher support"
+	help
+		SEED is a block cipher with 128-bit keys broadly used in
+		South Korea, but seldom found elsewhere.
 
-config OPENSSL_OPTIMIZE_SPEED
+config OPENSSL_WITH_MDC2
 	bool
-	default n
-	prompt "Enable optimization for speed instead of size"
+	prompt "Enable MDC2 digest support"
 
-endif
+config OPENSSL_WITH_WHIRLPOOL
+	bool
+	prompt "Enable Whirlpool digest support"
+
+config OPENSSL_WITH_COMPRESSION
+	bool
+	prompt "Enable compression support"
+	help
+		TLS compression is not recommended, as it is deemed insecure.
+		The CRIME attack exploits this weakness.
+		Even with this option turned on, it is disabled by default, and the
+		application must explicitly turn it on.
+
+config OPENSSL_WITH_RFC3779
+	bool
+	prompt "Enable RFC3779 support (BGP)"
+	help
+		RFC 3779 defines two X.509 v3 certificate extensions.  The first
+		binds a list of IP address blocks, or prefixes, to the subject of a
+		certificate.  The second binds a list of autonomous system
+		identifiers to the subject of a certificate.  These extensions may be
+		used to convey the authorization of the subject to use the IP
+		addresses and autonomous system identifiers contained in the
+		extensions.
+
+comment "Engine/Hardware Support"
+
+config OPENSSL_ENGINE
+	bool "Enable engine support"
+	help
+		This enables alternative cryptography implementations,
+		most commonly for interfacing with external crypto devices,
+		or supporting new/alternative ciphers and digests.
 
 config OPENSSL_ENGINE_CRYPTO
 	bool
-	select OPENSSL_HARDWARE_SUPPORT
-	prompt "Crypto acceleration support" if PACKAGE_libopenssl
+	select OPENSSL_ENGINE
+	select PACKAGE_kmod-cryptodev
+	prompt "Acceleration support through /dev/crypto"
+	help
+		This enables use of hardware acceleration through OpenBSD
+		Cryptodev API (/dev/crypto) interface.
+		You must install kmod-cryptodev (under Kernel modules, Cryptographic
+		API modules) for /dev/crypto to show up and use hardware
+		acceleration; otherwise it falls back to software.
+
+config OPENSSL_ENGINE_DIGEST
+	bool
+	depends on OPENSSL_ENGINE_CRYPTO
+	prompt "/dev/crypto digest (md5/sha1) acceleration support"
+
+config OPENSSL_WITH_GOST
+	bool
+	prompt "Prepare library for GOST engine"
+	depends on OPENSSL_ENGINE
+	help
+		This option prepares the library to accept engine support
+		for Russian GOST crypto algorithms.
+
+endif
+
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 71c2c9c028..d9b1de2581 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -15,7 +15,7 @@ PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=0
-
+PKG_BUILD_DEPENDS:=cryptodev-linux
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:= \
@@ -25,24 +25,35 @@ PKG_SOURCE_URL:= \
 	http://www.openssl.org/source/ \
 	http://www.openssl.org/source/old/$(PKG_BASE)/
 PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684
+ENGINES_DIR=engines
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
 PKG_CPE_ID:=cpe:/a:openssl:openssl
 PKG_CONFIG_DEPENDS:= \
+	CONFIG_OPENSSL_ENGINE \
 	CONFIG_OPENSSL_ENGINE_CRYPTO \
 	CONFIG_OPENSSL_ENGINE_DIGEST \
-	CONFIG_OPENSSL_WITH_EC \
-	CONFIG_OPENSSL_WITH_EC2M \
-	CONFIG_OPENSSL_WITH_SSL3 \
-	CONFIG_OPENSSL_HARDWARE_SUPPORT \
 	CONFIG_OPENSSL_NO_DEPRECATED \
-	CONFIG_OPENSSL_WITH_DTLS \
+	CONFIG_OPENSSL_OPTIMIZE_SPEED \
+	CONFIG_OPENSSL_WITH_ASM \
+	CONFIG_OPENSSL_WITH_CAMELLIA \
+	CONFIG_OPENSSL_WITH_CMS \
 	CONFIG_OPENSSL_WITH_COMPRESSION \
+	CONFIG_OPENSSL_WITH_DTLS \
+	CONFIG_OPENSSL_WITH_EC \
+	CONFIG_OPENSSL_WITH_EC2M \
+	CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
+	CONFIG_OPENSSL_WITH_GOST \
+	CONFIG_OPENSSL_WITH_IDEA \
+	CONFIG_OPENSSL_WITH_MDC2 \
 	CONFIG_OPENSSL_WITH_NPN \
 	CONFIG_OPENSSL_WITH_PSK \
+	CONFIG_OPENSSL_WITH_RFC3779 \
+	CONFIG_OPENSSL_WITH_SEED \
 	CONFIG_OPENSSL_WITH_SRP \
-	CONFIG_OPENSSL_OPTIMIZE_SPEED
+	CONFIG_OPENSSL_WITH_SSE2 \
+	CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -54,6 +65,8 @@ endif
 define Package/openssl/Default
   TITLE:=Open source SSL toolkit
   URL:=http://www.openssl.org/
+  SECTION:=libs
+  CATEGORY:=Libraries
 endef
 
 define Package/libopenssl/config
@@ -62,16 +75,14 @@ endef
 
 define Package/openssl/Default/description
 The OpenSSL Project is a collaborative effort to develop a robust,
-commercial-grade, full-featured, and Open Source toolkit implementing the Secure
-Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
-as a full-strength general purpose cryptography library.
+commercial-grade, full-featured, and Open Source toolkit implementing the
+Transport Layer Security (TLS) protocol as well as a full-strength
+general-purpose cryptography library.
 endef
 
 define Package/libopenssl
 $(call Package/openssl/Default)
-  SECTION:=libs
   SUBMENU:=SSL
-  CATEGORY:=Libraries
   DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
   TITLE+= (libraries)
   ABI_VERSION:=1.0.0
@@ -100,19 +111,35 @@ $(call Package/openssl/Default/description)
 This package contains the OpenSSL command-line utility.
 endef
 
+define Package/libopenssl-gost
+  $(call Package/openssl/Default)
+  SUBMENU:=SSL
+  TITLE:=Russian GOST algorithms engine
+  DEPENDS:=libopenssl +@OPENSSL_WITH_GOST
+endef
+
+define Package/libopenssl-gost/description
+This package adds an engine that enables Russian GOST algorithms.
+To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
+The engine_id is "gost"
+endef
 
-OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
- no-whrlpool no-whirlpool no-seed no-jpake
-OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
+define Package/libopenssl-padlock
+  $(call Package/openssl/Default)
+  SUBMENU:=SSL
+  TITLE:=VIA Padlock hardware acceleration engine
+  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock
+endef
 
-ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
-  OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
-  ifdef CONFIG_OPENSSL_ENGINE_DIGEST
-    OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
-  endif
-else
-  OPENSSL_OPTIONS += no-engines
-endif
+define Package/libopenssl-padlock/description
+This package adds an engine that enables VIA Padlock hardware acceleration.
+To use it, you need to configure it in /etc/ssl/openssl.cnf.
+See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
+The engine_id is "padlock"
+endef
+
+OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method
 
 ifndef CONFIG_OPENSSL_WITH_EC
   OPENSSL_OPTIONS += no-ec
@@ -122,20 +149,70 @@ ifndef CONFIG_OPENSSL_WITH_EC2M
   OPENSSL_OPTIONS += no-ec2m
 endif
 
-ifndef CONFIG_OPENSSL_WITH_SSL3
-  OPENSSL_OPTIONS += no-ssl3 no-ssl3-method
+ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
+  OPENSSL_OPTIONS += no-err
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CAMELLIA
+  OPENSSL_OPTIONS += no-camellia
+endif
+
+ifndef CONFIG_OPENSSL_WITH_IDEA
+  OPENSSL_OPTIONS += no-idea
+endif
+
+ifndef CONFIG_OPENSSL_WITH_SEED
+  OPENSSL_OPTIONS += no-seed
 endif
 
-ifndef CONFIG_OPENSSL_HARDWARE_SUPPORT
-  OPENSSL_OPTIONS += no-hw
+ifndef CONFIG_OPENSSL_WITH_MDC2
+  OPENSSL_OPTIONS += no-mdc2
+endif
+
+ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL
+  OPENSSL_OPTIONS += no-whirlpool
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CMS
+  OPENSSL_OPTIONS += no-cms
+endif
+
+ifdef CONFIG_OPENSSL_WITH_RFC3779
+  OPENSSL_OPTIONS += enable-rfc3779
 endif
 
 ifdef CONFIG_OPENSSL_NO_DEPRECATED
   OPENSSL_OPTIONS += no-deprecated
 endif
 
+ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
+  TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3
+else
+  OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
+endif
+
+ifdef CONFIG_OPENSSL_ENGINE
+  ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
+    OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
+    ifdef CONFIG_OPENSSL_ENGINE_DIGEST
+      OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
+    endif
+  endif
+  ifndef CONFIG_PACKAGE_libopenssl-padlock
+    OPENSSL_OPTIONS += no-hw-padlock
+  endif
+else
+  OPENSSL_OPTIONS += no-engine
+endif
+
+ifndef CONFIG_OPENSSL_WITH_GOST
+  OPENSSL_OPTIONS += no-gost
+endif
+
+# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code,
+# but openssl util gets built without it
 ifndef CONFIG_OPENSSL_WITH_DTLS
-  OPENSSL_OPTIONS += no-dtls
+  OPENSSL_OPTIONS += no-dtls no-dtls1
 endif
 
 ifdef CONFIG_OPENSSL_WITH_COMPRESSION
@@ -156,27 +233,18 @@ ifndef CONFIG_OPENSSL_WITH_SRP
   OPENSSL_OPTIONS += no-srp
 endif
 
-ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
-  TARGET_CFLAGS := $(filter-out -Os,$(TARGET_CFLAGS)) -O3
+ifndef CONFIG_OPENSSL_WITH_ASM
+  OPENSSL_OPTIONS += no-asm
 endif
 
-ifeq ($(CONFIG_x86_64),y)
-  OPENSSL_TARGET:=linux-x86_64-openwrt
-  OPENSSL_MAKEFLAGS += LIBDIR=lib
-else
-  OPENSSL_OPTIONS+=no-sse2
-  ifeq ($(CONFIG_mips)$(CONFIG_mipsel),y)
-    OPENSSL_TARGET:=linux-mips-openwrt
-  else ifeq ($(CONFIG_aarch64),y)
-    OPENSSL_TARGET:=linux-aarch64-openwrt
-  else ifeq ($(CONFIG_arm)$(CONFIG_armeb),y)
-    OPENSSL_TARGET:=linux-armv4-openwrt
-  else
-    OPENSSL_TARGET:=linux-generic-openwrt
-    OPENSSL_OPTIONS+=no-perlasm
+ifdef CONFIG_i386
+  ifndef CONFIG_OPENSSL_WITH_SSE2
+    OPENSSL_OPTIONS += no-sse2
   endif
 endif
 
+OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt
+
 STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5)
 
 define Build/Configure
@@ -187,11 +255,10 @@ define Build/Configure
 	(cd $(PKG_BUILD_DIR); \
 		./Configure $(OPENSSL_TARGET) \
 			--prefix=/usr \
+			--libdir=lib \
 			--openssldir=/etc/ssl \
 			$(TARGET_CPPFLAGS) \
-			$(TARGET_LDFLAGS) -ldl \
-			$(if $(CONFIG_OPENSSL_OPTIMIZE_SPEED),,-DOPENSSL_SMALL_FOOTPRINT) \
-			$(OPENSSL_NO_CIPHERS) \
+			$(TARGET_LDFLAGS) \
 			$(OPENSSL_OPTIONS) \
 	)
 	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
@@ -202,7 +269,7 @@ define Build/Configure
 		depend
 endef
 
-TARGET_CFLAGS += $(FPIC) -I$(CURDIR)/include -ffunction-sections -fdata-sections
+TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
 TARGET_LDFLAGS += -Wl,--gc-sections
 
 define Build/Compile
@@ -251,20 +318,33 @@ define Build/InstallDev
 endef
 
 define Package/libopenssl/install
+	$(INSTALL_DIR) $(1)/etc/ssl/certs
+	$(INSTALL_DIR) $(1)/etc/ssl/private
+	chmod 0700 $(1)/etc/ssl/private
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/
+	$(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR))
 endef
 
 define Package/openssl-util/install
 	$(INSTALL_DIR) $(1)/etc/ssl
 	$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
-	$(INSTALL_DIR) $(1)/etc/ssl/certs
-	$(INSTALL_DIR) $(1)/etc/ssl/private
-	chmod 0700 $(1)/etc/ssl/private
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
 endef
 
+define Package/libopenssl-padlock/install
+	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+endef
+
+define Package/libopenssl-gost/install
+	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR)
+endef
+
 $(eval $(call BuildPackage,libopenssl))
+$(eval $(call BuildPackage,libopenssl-gost))
+$(eval $(call BuildPackage,libopenssl-padlock))
 $(eval $(call BuildPackage,openssl-util))
diff --git a/package/libs/openssl/include/crypto/cryptodev.h b/package/libs/openssl/include/crypto/cryptodev.h
deleted file mode 100644
index 7fb9c7dcda..0000000000
--- a/package/libs/openssl/include/crypto/cryptodev.h
+++ /dev/null
@@ -1,292 +0,0 @@
-/* This is a source compatible implementation with the original API of
- * cryptodev by Angelos D. Keromytis, found at openbsd cryptodev.h.
- * Placed under public domain */
-
-#ifndef L_CRYPTODEV_H
-#define L_CRYPTODEV_H
-
-#include <linux/types.h>
-#ifndef __KERNEL__
-#define __user
-#endif
-
-/* API extensions for linux */
-#define CRYPTO_HMAC_MAX_KEY_LEN		512
-#define CRYPTO_CIPHER_MAX_KEY_LEN	64
-
-/* All the supported algorithms
- */
-enum cryptodev_crypto_op_t {
-	CRYPTO_DES_CBC = 1,
-	CRYPTO_3DES_CBC = 2,
-	CRYPTO_BLF_CBC = 3,
-	CRYPTO_CAST_CBC = 4,
-	CRYPTO_SKIPJACK_CBC = 5,
-	CRYPTO_MD5_HMAC = 6,
-	CRYPTO_SHA1_HMAC = 7,
-	CRYPTO_RIPEMD160_HMAC = 8,
-	CRYPTO_MD5_KPDK = 9,
-	CRYPTO_SHA1_KPDK = 10,
-	CRYPTO_RIJNDAEL128_CBC = 11,
-	CRYPTO_AES_CBC = CRYPTO_RIJNDAEL128_CBC,
-	CRYPTO_ARC4 = 12,
-	CRYPTO_MD5 = 13,
-	CRYPTO_SHA1 = 14,
-	CRYPTO_DEFLATE_COMP = 15,
-	CRYPTO_NULL = 16,
-	CRYPTO_LZS_COMP = 17,
-	CRYPTO_SHA2_256_HMAC = 18,
-	CRYPTO_SHA2_384_HMAC = 19,
-	CRYPTO_SHA2_512_HMAC = 20,
-	CRYPTO_AES_CTR = 21,
-	CRYPTO_AES_XTS = 22,
-	CRYPTO_AES_ECB = 23,
-	CRYPTO_AES_GCM = 50,
-
-	CRYPTO_CAMELLIA_CBC = 101,
-	CRYPTO_RIPEMD160,
-	CRYPTO_SHA2_224,
-	CRYPTO_SHA2_256,
-	CRYPTO_SHA2_384,
-	CRYPTO_SHA2_512,
-	CRYPTO_SHA2_224_HMAC,
-	CRYPTO_ALGORITHM_ALL, /* Keep updated - see below */
-};
-
-#define	CRYPTO_ALGORITHM_MAX	(CRYPTO_ALGORITHM_ALL - 1)
-
-/* Values for ciphers */
-#define DES_BLOCK_LEN		8
-#define DES3_BLOCK_LEN		8
-#define RIJNDAEL128_BLOCK_LEN	16
-#define AES_BLOCK_LEN		RIJNDAEL128_BLOCK_LEN
-#define CAMELLIA_BLOCK_LEN      16
-#define BLOWFISH_BLOCK_LEN	8
-#define SKIPJACK_BLOCK_LEN	8
-#define CAST128_BLOCK_LEN	8
-
-/* the maximum of the above */
-#define EALG_MAX_BLOCK_LEN	16
-
-/* Values for hashes/MAC */
-#define AALG_MAX_RESULT_LEN		64
-
-/* maximum length of verbose alg names (depends on CRYPTO_MAX_ALG_NAME) */
-#define CRYPTODEV_MAX_ALG_NAME		64
-
-#define HASH_MAX_LEN 64
-
-/* input of CIOCGSESSION */
-struct session_op {
-	/* Specify either cipher or mac
-	 */
-	__u32	cipher;		/* cryptodev_crypto_op_t */
-	__u32	mac;		/* cryptodev_crypto_op_t */
-
-	__u32	keylen;
-	__u8	__user *key;
-	__u32	mackeylen;
-	__u8	__user *mackey;
-
-	__u32	ses;		/* session identifier */
-};
-
-struct session_info_op {
-	__u32 ses;		/* session identifier */
-
-	/* verbose names for the requested ciphers */
-	struct alg_info {
-		char cra_name[CRYPTODEV_MAX_ALG_NAME];
-		char cra_driver_name[CRYPTODEV_MAX_ALG_NAME];
-	} cipher_info, hash_info;
-
-	__u16	alignmask;	/* alignment constraints */
-	__u32   flags;          /* SIOP_FLAGS_* */
-};
-
-/* If this flag is set then this algorithm uses
- * a driver only available in kernel (software drivers,
- * or drivers based on instruction sets do not set this flag).
- *
- * If multiple algorithms are involved (as in AEAD case), then
- * if one of them is kernel-driver-only this flag will be set.
- */
-#define SIOP_FLAG_KERNEL_DRIVER_ONLY 1
-
-#define	COP_ENCRYPT	0
-#define COP_DECRYPT	1
-
-/* input of CIOCCRYPT */
-struct crypt_op {
-	__u32	ses;		/* session identifier */
-	__u16	op;		/* COP_ENCRYPT or COP_DECRYPT */
-	__u16	flags;		/* see COP_FLAG_* */
-	__u32	len;		/* length of source data */
-	__u8	__user *src;	/* source data */
-	__u8	__user *dst;	/* pointer to output data */
-	/* pointer to output data for hash/MAC operations */
-	__u8	__user *mac;
-	/* initialization vector for encryption operations */
-	__u8	__user *iv;
-};
-
-/* input of CIOCAUTHCRYPT */
-struct crypt_auth_op {
-	__u32	ses;		/* session identifier */
-	__u16	op;		/* COP_ENCRYPT or COP_DECRYPT */
-	__u16	flags;		/* see COP_FLAG_AEAD_* */
-	__u32	len;		/* length of source data */
-	__u32	auth_len;	/* length of auth data */
-	__u8	__user *auth_src;	/* authenticated-only data */
-
-	/* The current implementation is more efficient if data are
-	 * encrypted in-place (src==dst). */
-	__u8	__user *src;	/* data to be encrypted and authenticated */
-	__u8	__user *dst;	/* pointer to output data. Must have
-	                         * space for tag. For TLS this should be at least 
-	                         * len + tag_size + block_size for padding */
-
-	__u8    __user *tag;    /* where the tag will be copied to. TLS mode
-                                 * doesn't use that as tag is copied to dst.
-                                 * SRTP mode copies tag there. */
-	__u32	tag_len;	/* the length of the tag. Use zero for digest size or max tag. */
-
-	/* initialization vector for encryption operations */
-	__u8	__user *iv;
-	__u32   iv_len;
-};
-
-/* In plain AEAD mode the following are required:
- *  flags   : 0
- *  iv      : the initialization vector (12 bytes)
- *  auth_len: the length of the data to be authenticated
- *  auth_src: the data to be authenticated
- *  len     : length of data to be encrypted
- *  src     : the data to be encrypted
- *  dst     : space to hold encrypted data. It must have
- *            at least a size of len + tag_size.
- *  tag_size: the size of the desired authentication tag or zero to use
- *            the maximum tag output.
- *
- * Note tag isn't being used because the Linux AEAD interface
- * copies the tag just after data.
- */
-
-/* In TLS mode (used for CBC ciphers that required padding) 
- * the following are required:
- *  flags   : COP_FLAG_AEAD_TLS_TYPE
- *  iv      : the initialization vector
- *  auth_len: the length of the data to be authenticated only
- *  len     : length of data to be encrypted
- *  auth_src: the data to be authenticated
- *  src     : the data to be encrypted
- *  dst     : space to hold encrypted data (preferably in-place). It must have
- *            at least a size of len + tag_size + blocksize.
- *  tag_size: the size of the desired authentication tag or zero to use
- *            the default mac output.
- *
- * Note that the padding used is the minimum padding.
- */
-
-/* In SRTP mode the following are required:
- *  flags   : COP_FLAG_AEAD_SRTP_TYPE
- *  iv      : the initialization vector
- *  auth_len: the length of the data to be authenticated. This must
- *            include the SRTP header + SRTP payload (data to be encrypted) + rest
- *            
- *  len     : length of data to be encrypted
- *  auth_src: pointer the data to be authenticated. Should point at the same buffer as src.
- *  src     : pointer to the data to be encrypted.
- *  dst     : This is mandatory to be the same as src (in-place only).
- *  tag_size: the size of the desired authentication tag or zero to use
- *            the default mac output.
- *  tag     : Pointer to an address where the authentication tag will be copied.
- */
-
-
-/* struct crypt_op flags */
-
-#define COP_FLAG_NONE		(0 << 0) /* totally no flag */
-#define COP_FLAG_UPDATE		(1 << 0) /* multi-update hash mode */
-#define COP_FLAG_FINAL		(1 << 1) /* multi-update final hash mode */
-#define COP_FLAG_WRITE_IV	(1 << 2) /* update the IV during operation */
-#define COP_FLAG_NO_ZC		(1 << 3) /* do not zero-copy */
-#define COP_FLAG_AEAD_TLS_TYPE  (1 << 4) /* authenticate and encrypt using the 
-                                          * TLS protocol rules */
-#define COP_FLAG_AEAD_SRTP_TYPE  (1 << 5) /* authenticate and encrypt using the 
-                                           * SRTP protocol rules */
-#define COP_FLAG_RESET		(1 << 6) /* multi-update reset the state.
-                                          * should be used in combination
-                                          * with COP_FLAG_UPDATE */
-
-
-/* Stuff for bignum arithmetic and public key
- * cryptography - not supported yet by linux
- * cryptodev.
- */
-
-#define	CRYPTO_ALG_FLAG_SUPPORTED	1
-#define	CRYPTO_ALG_FLAG_RNG_ENABLE	2
-#define	CRYPTO_ALG_FLAG_DSA_SHA		4
-
-struct crparam {
-	__u8	*crp_p;
-	__u32	crp_nbits;
-};
-
-#define CRK_MAXPARAM	8
-
-/* input of CIOCKEY */
-struct crypt_kop {
-	__u32	crk_op;		/* cryptodev_crk_op_t */
-	__u32	crk_status;
-	__u16	crk_iparams;
-	__u16	crk_oparams;
-	__u32	crk_pad1;
-	struct crparam	crk_param[CRK_MAXPARAM];
-};
-
-enum cryptodev_crk_op_t {
-	CRK_MOD_EXP = 0,
-	CRK_MOD_EXP_CRT = 1,
-	CRK_DSA_SIGN = 2,
-	CRK_DSA_VERIFY = 3,
-	CRK_DH_COMPUTE_KEY = 4,
-	CRK_ALGORITHM_ALL
-};
-
-#define CRK_ALGORITHM_MAX	(CRK_ALGORITHM_ALL-1)
-
-/* features to be queried with CIOCASYMFEAT ioctl
- */
-#define CRF_MOD_EXP		(1 << CRK_MOD_EXP)
-#define CRF_MOD_EXP_CRT		(1 << CRK_MOD_EXP_CRT)
-#define CRF_DSA_SIGN		(1 << CRK_DSA_SIGN)
-#define CRF_DSA_VERIFY		(1 << CRK_DSA_VERIFY)
-#define CRF_DH_COMPUTE_KEY	(1 << CRK_DH_COMPUTE_KEY)
-
-
-/* ioctl's. Compatible with old linux cryptodev.h
- */
-#define CRIOGET         _IOWR('c', 101, __u32)
-#define CIOCGSESSION    _IOWR('c', 102, struct session_op)
-#define CIOCFSESSION    _IOW('c', 103, __u32)
-#define CIOCCRYPT       _IOWR('c', 104, struct crypt_op)
-#define CIOCKEY         _IOWR('c', 105, struct crypt_kop)
-#define CIOCASYMFEAT    _IOR('c', 106, __u32)
-#define CIOCGSESSINFO	_IOWR('c', 107, struct session_info_op)
-
-/* to indicate that CRIOGET is not required in linux
- */
-#define CRIOGET_NOT_NEEDED 1
-
-/* additional ioctls for AEAD */
-#define CIOCAUTHCRYPT   _IOWR('c', 109, struct crypt_auth_op)
-
-/* additional ioctls for asynchronous operation.
- * These are conditionally enabled since version 1.6.
- */
-#define CIOCASYNCCRYPT    _IOW('c', 110, struct crypt_op)
-#define CIOCASYNCFETCH    _IOR('c', 111, struct crypt_op)
-
-#endif /* L_CRYPTODEV_H */
diff --git a/package/libs/openssl/patches/100-openwrt_targets.patch b/package/libs/openssl/patches/100-openwrt_targets.patch
new file mode 100644
index 0000000000..52a51f9f47
--- /dev/null
+++ b/package/libs/openssl/patches/100-openwrt_targets.patch
@@ -0,0 +1,44 @@
+From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 26 Sep 2018 16:21:27 -0300
+Subject: Add openwrt targets
+
+Targets are named: linux-$(CONFIG_ARCH)-openwrt
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/Configure
++++ b/Configure
+@@ -470,6 +470,32 @@ my %table=(
+ "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+ "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+ 
++# OpenWrt targets
++# from linux-aarch64
++"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-generic32
++"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-armv4
++"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-armv4
++"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-elf
++"linux-i386-openwrt",	"gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-mips32
++"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux64-mips64
++"linux-mips64-openwrt",   "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++# from linux64-mips64
++"linux-mips64el-openwrt",   "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++# from linux-mips32
++"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-ppc
++"linux-powerpc-openwrt",	"gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++# from linux-x86_64
++"linux-x86_64-openwrt",	"gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++# from linux-generic32
++"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++
+ # Android: linux-* but without pointers to headers and libs.
+ "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/package/libs/openssl/patches/110-optimize-for-size.patch b/package/libs/openssl/patches/110-optimize-for-size.patch
deleted file mode 100644
index d6d4a21111..0000000000
--- a/package/libs/openssl/patches/110-optimize-for-size.patch
+++ /dev/null
@@ -1,16 +0,0 @@
---- a/Configure
-+++ b/Configure
-@@ -470,6 +470,13 @@ my %table=(
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- 
-+# OpenWrt targets
-+"linux-armv4-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-x86_64-openwrt",	"gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+
- # Android: linux-* but without pointers to headers and libs.
- "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/package/libs/openssl/patches/130-perl-path.patch b/package/libs/openssl/patches/110-perl-path.patch
similarity index 100%
rename from package/libs/openssl/patches/130-perl-path.patch
rename to package/libs/openssl/patches/110-perl-path.patch
diff --git a/package/libs/openssl/patches/140-makefile-dirs.patch b/package/libs/openssl/patches/120-makefile-dirs.patch
similarity index 83%
rename from package/libs/openssl/patches/140-makefile-dirs.patch
rename to package/libs/openssl/patches/120-makefile-dirs.patch
index 83c412f444..5bcb316486 100644
--- a/package/libs/openssl/patches/140-makefile-dirs.patch
+++ b/package/libs/openssl/patches/120-makefile-dirs.patch
@@ -5,7 +5,7 @@
  BASEADDR=
  
 -DIRS=   crypto ssl engines apps test tools
-+DIRS=   crypto ssl apps
++DIRS=   crypto ssl engines apps
  ENGDIRS= ccgost
  SHLIBDIRS= crypto ssl
  
diff --git a/package/libs/openssl/patches/160-disable_doc_tests.patch b/package/libs/openssl/patches/130-disable_doc_tests.patch
similarity index 100%
rename from package/libs/openssl/patches/160-disable_doc_tests.patch
rename to package/libs/openssl/patches/130-disable_doc_tests.patch
diff --git a/package/libs/openssl/patches/170-bash_path.patch b/package/libs/openssl/patches/140-bash_path.patch
similarity index 100%
rename from package/libs/openssl/patches/170-bash_path.patch
rename to package/libs/openssl/patches/140-bash_path.patch
diff --git a/package/libs/openssl/patches/180-fix_link_segfault.patch b/package/libs/openssl/patches/150-fix_link_segfault.patch
similarity index 100%
rename from package/libs/openssl/patches/180-fix_link_segfault.patch
rename to package/libs/openssl/patches/150-fix_link_segfault.patch
diff --git a/package/libs/openssl/patches/150-no_engines.patch b/package/libs/openssl/patches/150-no_engines.patch
deleted file mode 100644
index a518a00496..0000000000
--- a/package/libs/openssl/patches/150-no_engines.patch
+++ /dev/null
@@ -1,81 +0,0 @@
---- a/Configure
-+++ b/Configure
-@@ -2144,6 +2144,11 @@ EOF
- 	close(OUT);
-   }
-   
-+# ugly hack to disable engines
-+if($target eq "mingwx") {
-+	system("sed -e s/^LIB/XLIB/g -i engines/Makefile");
-+}
-+
- print <<EOF;
- 
- Configured for $target.
---- a/util/libeay.num
-+++ b/util/libeay.num
-@@ -2075,7 +2075,6 @@ PKCS7_ATTR_SIGN_it
- UI_add_error_string                     2633	EXIST::FUNCTION:
- KRB5_CHECKSUM_free                      2634	EXIST::FUNCTION:
- OCSP_REQUEST_get_ext                    2635	EXIST::FUNCTION:
--ENGINE_load_ubsec                       2636	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- ENGINE_register_all_digests             2637	EXIST::FUNCTION:ENGINE
- PKEY_USAGE_PERIOD_it                    2638	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- PKEY_USAGE_PERIOD_it                    2638	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-@@ -2549,7 +2548,6 @@ OCSP_RESPONSE_new
- AES_set_encrypt_key                     3024	EXIST::FUNCTION:AES
- OCSP_resp_count                         3025	EXIST::FUNCTION:
- KRB5_CHECKSUM_new                       3026	EXIST::FUNCTION:
--ENGINE_load_cswift                      3027	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- OCSP_onereq_get0_id                     3028	EXIST::FUNCTION:
- ENGINE_set_default_ciphers              3029	EXIST::FUNCTION:ENGINE
- NOTICEREF_it                            3030	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-@@ -2580,7 +2578,6 @@ ASN1_primitive_free
- i2d_EXTENDED_KEY_USAGE                  3052	EXIST::FUNCTION:
- i2d_OCSP_SIGNATURE                      3053	EXIST::FUNCTION:
- asn1_enc_save                           3054	EXIST::FUNCTION:
--ENGINE_load_nuron                       3055	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- _ossl_old_des_pcbc_encrypt              3056	EXIST::FUNCTION:DES
- PKCS12_MAC_DATA_it                      3057	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- PKCS12_MAC_DATA_it                      3057	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-@@ -2604,7 +2601,6 @@ asn1_get_choice_selector
- i2d_KRB5_CHECKSUM                       3072	EXIST::FUNCTION:
- ENGINE_set_table_flags                  3073	EXIST::FUNCTION:ENGINE
- AES_options                             3074	EXIST::FUNCTION:AES
--ENGINE_load_chil                        3075	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- OCSP_id_cmp                             3076	EXIST::FUNCTION:
- OCSP_BASICRESP_new                      3077	EXIST::FUNCTION:
- OCSP_REQUEST_get_ext_by_NID             3078	EXIST::FUNCTION:
-@@ -2671,7 +2667,6 @@ OCSP_CRLID_it
- OCSP_CRLID_it                           3127	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
- i2d_KRB5_AUTHENTBODY                    3128	EXIST::FUNCTION:
- OCSP_REQUEST_get_ext_count              3129	EXIST::FUNCTION:
--ENGINE_load_atalla                      3130	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- X509_NAME_it                            3131	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- X509_NAME_it                            3131	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
- USERNOTICE_it                           3132	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-@@ -2766,8 +2761,6 @@ DES_read_2passwords
- DES_read_password                       3207	EXIST::FUNCTION:DES
- UI_UTIL_read_pw                         3208	EXIST::FUNCTION:
- UI_UTIL_read_pw_string                  3209	EXIST::FUNCTION:
--ENGINE_load_aep                         3210	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
--ENGINE_load_sureware                    3211	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- OPENSSL_add_all_algorithms_noconf       3212	EXIST:!VMS:FUNCTION:
- OPENSSL_add_all_algo_noconf             3212	EXIST:VMS:FUNCTION:
- OPENSSL_add_all_algorithms_conf         3213	EXIST:!VMS:FUNCTION:
-@@ -2776,7 +2769,6 @@ OPENSSL_load_builtin_modules
- AES_ofb128_encrypt                      3215	EXIST::FUNCTION:AES
- AES_ctr128_encrypt                      3216	EXIST::FUNCTION:AES
- AES_cfb128_encrypt                      3217	EXIST::FUNCTION:AES
--ENGINE_load_4758cca                     3218	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- _ossl_096_des_random_seed               3219	EXIST::FUNCTION:DES
- EVP_aes_256_ofb                         3220	EXIST::FUNCTION:AES
- EVP_aes_192_ofb                         3221	EXIST::FUNCTION:AES
-@@ -3111,7 +3103,6 @@ EC_GFp_nist_method
- STORE_meth_set_modify_fn                3530	NOEXIST::FUNCTION:
- STORE_method_set_modify_function        3530	NOEXIST::FUNCTION:
- STORE_parse_attrs_next                  3531	NOEXIST::FUNCTION:
--ENGINE_load_padlock                     3532	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
- EC_GROUP_set_curve_name                 3533	EXIST::FUNCTION:EC
- X509_CERT_PAIR_it                       3534	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
- X509_CERT_PAIR_it                       3534	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
diff --git a/package/libs/openssl/patches/190-remove_timestamp_check.patch b/package/libs/openssl/patches/160-remove_timestamp_check.patch
similarity index 100%
rename from package/libs/openssl/patches/190-remove_timestamp_check.patch
rename to package/libs/openssl/patches/160-remove_timestamp_check.patch
diff --git a/package/libs/openssl/patches/200-parallel_build.patch b/package/libs/openssl/patches/170-parallel_build.patch
similarity index 97%
rename from package/libs/openssl/patches/200-parallel_build.patch
rename to package/libs/openssl/patches/170-parallel_build.patch
index 37134e4030..cbe5d51241 100644
--- a/package/libs/openssl/patches/200-parallel_build.patch
+++ b/package/libs/openssl/patches/170-parallel_build.patch
@@ -92,7 +92,7 @@
  		fi; \
 --- a/crypto/Makefile
 +++ b/crypto/Makefile
-@@ -85,11 +85,11 @@ testapps:
+@@ -87,11 +87,11 @@ testapps:
  	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
  
  subdirs:
@@ -106,7 +106,7 @@
  
  links:
  	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@ links:
+@@ -102,7 +102,7 @@ links:
  # lib: $(LIB): are splitted to avoid end-less loop
  lib:	$(LIB)
  	@touch lib
@@ -115,7 +115,7 @@
  	$(AR) $(LIB) $(LIBOBJ)
  	test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
  	$(RANLIB) $(LIB) || echo Never mind.
-@@ -111,7 +111,7 @@ shared: buildinf.h lib subdirs
+@@ -113,7 +113,7 @@ shared: buildinf.h lib subdirs
  	fi
  
  libs:
@@ -124,7 +124,7 @@
  
  install:
  	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -120,7 +120,7 @@ install:
+@@ -122,7 +122,7 @@ install:
  	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
  	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
  	done;
diff --git a/package/libs/openssl/patches/180-strip-cflags-from-binary.patch b/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
new file mode 100644
index 0000000000..e70bd077d5
--- /dev/null
+++ b/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
@@ -0,0 +1,21 @@
+From f17f027c258338994a6167091a398c0cc1588acb Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 26 Sep 2018 18:04:58 -0300
+Subject: Avoid exposing build directories
+
+The CFLAGS contain the build directories, and are shown by calling
+SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -57,7 +57,7 @@ top:
+ all: shared
+ 
+ buildinf.h: ../Makefile
+-	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
++	$(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap%  -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h
+ 
+ x86cpuid.s:	x86cpuid.pl perlasm/x86asm.pl
+ 	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
-- 
2.30.2