openssl: update to 22.03-rc6 version

Fixes: WIFI-10390 Signed-off-by: John Crispin <john@phrozen.org>
2025-10-30 01:52:51 +00:00 · 2022-08-23 09:01:07 +02:00
parent 9bd53e7d91
commit c9a76b8d76
1 changed files with 779 additions and 0 deletions
--- a/patches/backports/0036-openssl-backport-from-22.06-rc3.patch
+++ b/patches/backports/0036-openssl-backport-from-22.06-rc3.patch
@@ -0,0 +1,779 @@
+From 5cd97adeb33f5fc92ad1ff319b4ba34535c0a65b Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Tue, 23 Aug 2022 08:59:23 +0200
+Subject: [PATCH] openssl: backport from 22.06-rc3
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ include/openssl-engine.mk                     | 50 +++++++++++
+ package/libs/openssl/Config.in                | 11 ---
+ package/libs/openssl/Makefile                 | 64 ++++++--------
+ package/libs/openssl/files/afalg.cnf          |  3 +
+ package/libs/openssl/files/devcrypto.cnf      | 31 +++++++
+ package/libs/openssl/files/openssl.init       | 31 +++++++
+ package/libs/openssl/files/padlock.cnf        |  3 +
+ ...m-ppc-xlate.pl-add-linux64v2-flavour.patch | 56 +++++++++++++
+ .../patches/100-Configure-afalg-support.patch |  5 +-
+ .../openssl/patches/110-openwrt_targets.patch |  9 +-
+ .../120-strip-cflags-from-binary.patch        |  3 +-
+ .../patches/130-dont-build-tests-fuzz.patch   |  3 +-
+ .../patches/140-allow-prefer-chacha20.patch   |  4 +-
+ .../150-openssl.cnf-add-engines-conf.patch    | 83 ++++---------------
+ ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |  3 +-
+ ...ypto-add-command-to-dump-driver-info.patch |  3 +-
+ ...o-make-the-dev-crypto-engine-dynamic.patch | 12 +--
+ ...default-to-not-use-digests-in-engine.patch |  1 -
+ ...to-ignore-error-when-closing-session.patch |  1 -
+ 19 files changed, 232 insertions(+), 144 deletions(-)
+ create mode 100644 include/openssl-engine.mk
+ create mode 100644 package/libs/openssl/files/afalg.cnf
+ create mode 100644 package/libs/openssl/files/devcrypto.cnf
+ create mode 100755 package/libs/openssl/files/openssl.init
+ create mode 100644 package/libs/openssl/files/padlock.cnf
+ create mode 100644 package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
+
+diff --git a/include/openssl-engine.mk b/include/openssl-engine.mk
+new file mode 100644
+index 0000000000..d8baba482e
+--- /dev/null
+++ b/include/openssl-engine.mk
+@@ -0,0 +1,50 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2022 Enéas Ulir de Queiroz
+
+ENGINES_DIR=engines-1.1
+
+define Package/openssl/engine/Default
+  SECTION:=libs
+  CATEGORY:=Libraries
+  SUBMENU:=SSL
+  DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf
+endef
+
+# 1 = engine name
+# 2 - package name, defaults to libopenssl-$(1)
+define Package/openssl/add-engine
+  OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1))
+  Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf
+
+  define Package/$$(OSSL_ENG_PKG)/install
+	$$(INSTALL_DIR)  $$(1)/usr/lib/$(ENGINES_DIR)
+	$$(INSTALL_BIN)  $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \
+			 $$(1)/usr/lib/$(ENGINES_DIR)
+	$$(INSTALL_DIR)  $$(1)/etc/ssl/engines.cnf.d
+	$$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/
+  endef
+
+  define Package/$$(OSSL_ENG_PKG)/postinst :=
+#!/bin/sh
+OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
+
+[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
+
+cat << EOF >> "$$$${OPENSSL_UCI}"
+
+config engine '$(1)'
+	option enabled '1'
+EOF
+
+[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
+  endef
+
+  define Package/$$(OSSL_ENG_PKG)/postrm :=
+#!/bin/sh
+[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
+uci delete openssl.$(1)
+uci commit openssl
+/etc/init.d/openssl reload
+  endef
+endef
+diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
+index d1281ec6fa..bc2f0584b6 100644
+--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
+@@ -293,15 +293,4 @@ config OPENSSL_WITH_ASYNC
+ 		initiate crypto operations asynchronously. In order to work
+ 		this will require the presence of an async capable engine.
+ 
+-config OPENSSL_WITH_GOST
+-	bool
+-	prompt "Prepare library for GOST engine"
+-	depends on OPENSSL_ENGINE
+-	help
+-		This option prepares the library to accept engine support
+-		for Russian GOST crypto algorithms.
+-		The gost engine is not included in standard openwrt feeds.
+-		To build such engine yourself, see:
+-		https://github.com/gost-engine/engine
+-
+ endif
+diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
+index 0397ab90c4..09bada3915 100644
+--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
+@@ -9,11 +9,10 @@ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=openssl
+ PKG_BASE:=1.1.1
+-PKG_BUGFIX:=l
+PKG_BUGFIX:=q
+ PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
+-PKG_RELEASE:=1
+PKG_RELEASE:=$(AUTORELEASE)
+ PKG_USE_MIPS16:=0
+-ENGINES_DIR=engines-1.1
+ 
+ PKG_BUILD_PARALLEL:=1
+ 
+@@ -26,7 +25,7 @@ PKG_SOURCE_URL:= \
+ 	ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
+ 	ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
+ 
+-PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
+PKG_HASH:=d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca
+ 
+ PKG_LICENSE:=OpenSSL
+ PKG_LICENSE_FILES:=LICENSE
+@@ -52,7 +51,6 @@ PKG_CONFIG_DEPENDS:= \
+ 	CONFIG_OPENSSL_WITH_DTLS \
+ 	CONFIG_OPENSSL_WITH_EC2M \
+ 	CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
+-	CONFIG_OPENSSL_WITH_GOST \
+ 	CONFIG_OPENSSL_WITH_IDEA \
+ 	CONFIG_OPENSSL_WITH_MDC2 \
+ 	CONFIG_OPENSSL_WITH_NPN \
+@@ -66,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
+ 	CONFIG_OPENSSL_WITH_WHIRLPOOL
+ 
+ include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/openssl-engine.mk
+ 
+ ifneq ($(CONFIG_CCACHE),)
+ HOSTCC=$(HOSTCC_NOCACHE)
+@@ -129,6 +128,8 @@ endef
+ 
+ define Package/libopenssl-conf/conffiles
+ /etc/ssl/openssl.cnf
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
+ endef
+ 
+ define Package/libopenssl-conf/description
+@@ -136,51 +137,50 @@ $(call Package/openssl/Default/description)
+ This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
+ endef
+ 
+$(eval $(call Package/openssl/add-engine,afalg))
+ define Package/libopenssl-afalg
+   $(call Package/openssl/Default)
+-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
+   TITLE:=AFALG hardware acceleration engine
+-  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
+-	   +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+	     @!OPENSSL_ENGINE_BUILTIN
+ endef
+ 
+ define Package/libopenssl-afalg/description
+ This package adds an engine that enables hardware acceleration
+ through the AF_ALG kernel interface.
+-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+ See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+ and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
+ The engine_id is "afalg"
+ endef
+ 
+$(eval $(call Package/openssl/add-engine,devcrypto))
+ define Package/libopenssl-devcrypto
+   $(call Package/openssl/Default)
+-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
+   TITLE:=/dev/crypto hardware acceleration engine
+-  DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
+-	   @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN
+ endef
+ 
+ define Package/libopenssl-devcrypto/description
+ This package adds an engine that enables hardware acceleration
+ through the /dev/crypto kernel interface.
+-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+ See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+ and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
+ The engine_id is "devcrypto"
+ endef
+ 
+$(eval $(call Package/openssl/add-engine,padlock))
+ define Package/libopenssl-padlock
+   $(call Package/openssl/Default)
+-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
+   TITLE:=VIA Padlock hardware acceleration engine
+-  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+-	   +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+	     @!OPENSSL_ENGINE_BUILTIN
+ endef
+ 
+ define Package/libopenssl-padlock/description
+ This package adds an engine that enables VIA Padlock hardware acceleration.
+-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+ See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+ and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
+ The engine_id is "padlock"
+@@ -289,10 +289,6 @@ else
+   OPENSSL_OPTIONS += no-engine
+ endif
+ 
+-ifndef CONFIG_OPENSSL_WITH_GOST
+-  OPENSSL_OPTIONS += no-gost
+-endif
+-
+ ifndef CONFIG_OPENSSL_WITH_DTLS
+   OPENSSL_OPTIONS += no-dtls
+ endif
+@@ -381,8 +377,17 @@ define Package/libopenssl/install
+ endef
+ 
+ define Package/libopenssl-conf/install
+-	$(INSTALL_DIR) $(1)/etc/ssl
+	$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d
+ 	$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+	$(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+	$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
+	touch $(1)/etc/config/openssl
+	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
+		$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
+		echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
+	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
+		$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
+		echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
+ endef
+ 
+ define Package/openssl-util/install
+@@ -390,21 +395,6 @@ define Package/openssl-util/install
+ 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
+ endef
+ 
+-define Package/libopenssl-afalg/install
+-	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
+-endef
+-
+-define Package/libopenssl-devcrypto/install
+-	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
+-endef
+-
+-define Package/libopenssl-padlock/install
+-	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+-endef
+-
+ $(eval $(call BuildPackage,libopenssl))
+ $(eval $(call BuildPackage,libopenssl-conf))
+ $(eval $(call BuildPackage,libopenssl-afalg))
+diff --git a/package/libs/openssl/files/afalg.cnf b/package/libs/openssl/files/afalg.cnf
+new file mode 100644
+index 0000000000..4f573d757c
+--- /dev/null
+++ b/package/libs/openssl/files/afalg.cnf
+@@ -0,0 +1,3 @@
+[afalg]
+default_algorithms = ALL
+
+diff --git a/package/libs/openssl/files/devcrypto.cnf b/package/libs/openssl/files/devcrypto.cnf
+new file mode 100644
+index 0000000000..549275600d
+--- /dev/null
+++ b/package/libs/openssl/files/devcrypto.cnf
+@@ -0,0 +1,31 @@
+[devcrypto]
+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
+default_algorithms = ALL
+
+# Configuration commands:
+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
+# list of supported algorithms, along with their driver, whether they
+# are hw accelerated or not, and the engine's configuration commands.
+
+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
+# if acceleration can't be determined) [default=2]
+#USE_SOFTDRIVERS = 2
+
+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
+# enable [default=ALL]
+# It is recommended to disable the ECB ciphers; in most cases, it will
+# only be used for PRNG, in small blocks, where performance is poor,
+# and there may be problems with apps forking with open crypto
+# contexts, leading to failures.  The CBC ciphers work well:
+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
+
+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
+# enable [default=NONE]
+# It is strongly recommended not to enable digests; their performance
+# is poor, and there are many cases in which they will not work,
+# especially when calling fork with open crypto contexts.  Openssh,
+# for example, does this, and you may not be able to login.
+#DIGESTS = NONE
+
+
+diff --git a/package/libs/openssl/files/openssl.init b/package/libs/openssl/files/openssl.init
+new file mode 100755
+index 0000000000..21e253e7a5
+--- /dev/null
+++ b/package/libs/openssl/files/openssl.init
+@@ -0,0 +1,31 @@
+#!/bin/sh /etc/rc.common
+
+START=13
+ENGINES_CNF_D="/etc/ssl/engines.cnf.d"
+ENGINES_CNF="/var/etc/ssl/engines.cnf"
+ENGINES_DIR="%ENGINES_DIR%"
+
+config_engine() {
+	local enabled force
+	config_get_bool enabled "$1" enabled 1
+	config_get_bool force "$1" force 0
+	[ "$enabled" = 0 ] && return
+	if [ "$force" = 0 ] && \
+	   [ ! -f "${ENGINES_CNF_D}/$1.cnf" ] && \
+	   [ ! -f "${ENGINES_DIR}/$1.so" ]; then
+	    echo Skipping engine "$1": not installed
+	    return
+	fi
+	echo Enabling engine "$1"
+	echo "$1=$1" >> "${ENGINES_CNF}"
+}
+
+start() {
+	mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1
+	echo Generating engines.cnf
+	echo "# This file is automatically generated from /etc/config/openssl." \
+	      > "${ENGINES_CNF}" || \
+	      { echo Error writing ${ENGINES_CNF} >&2; exit 1; }
+        config_load openssl
+	config_foreach config_engine engine
+}
+diff --git a/package/libs/openssl/files/padlock.cnf b/package/libs/openssl/files/padlock.cnf
+new file mode 100644
+index 0000000000..ef91079e5d
+--- /dev/null
+++ b/package/libs/openssl/files/padlock.cnf
+@@ -0,0 +1,3 @@
+[padlock]
+default_algorithms = ALL
+
+diff --git a/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
+new file mode 100644
+index 0000000000..e52a3d52ea
+--- /dev/null
+++ b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
+@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Sun, 5 May 2019 18:25:50 +0200
+Subject: crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a big endian ELFv2 configuration. ELFv2 was already being
+used for little endian, and big endian was traditionally ELFv1
+but there are practical configurations that use ELFv2 with big
+endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, etc.)
+
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/8883)
+
+diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl
+--- a/crypto/perlasm/ppc-xlate.pl
++++ b/crypto/perlasm/ppc-xlate.pl
+@@ -49,7 +49,7 @@ my $globl = sub {
+ 	/osx/		&& do { $name = "_$name";
+ 				last;
+ 			      };
+-	/linux.*(32|64le)/
++	/linux.*(32|64(le|v2))/
+ 			&& do {	$ret .= ".globl	$name";
+ 				if (!$$type) {
+ 				    $ret .= "\n.type	$name,\@function";
+@@ -80,7 +80,7 @@ my $globl = sub {
+ };
+ my $text = sub {
+     my $ret = ($flavour =~ /aix/) ? ".csect\t.text[PR],7" : ".text";
+-    $ret = ".abiversion	2\n".$ret	if ($flavour =~ /linux.*64le/);
++    $ret = ".abiversion	2\n".$ret	if ($flavour =~ /linux.*64(le|v2)/);
+     $ret;
+ };
+ my $machine = sub {
+@@ -186,7 +186,7 @@ my $vmr = sub {
+ 
+ # Some ABIs specify vrsave, special-purpose register #256, as reserved
+ # for system use.
+-my $no_vrsave = ($flavour =~ /aix|linux64le/);
++my $no_vrsave = ($flavour =~ /aix|linux64(le|v2)/);
+ my $mtspr = sub {
+     my ($f,$idx,$ra) = @_;
+     if ($idx == 256 && $no_vrsave) {
+@@ -318,7 +318,7 @@ while($line=<>) {
+ 	if ($label) {
+ 	    my $xlated = ($GLOBALS{$label} or $label);
+ 	    print "$xlated:";
+-	    if ($flavour =~ /linux.*64le/) {
++	    if ($flavour =~ /linux.*64(le|v2)/) {
+ 		if ($TYPES{$label} =~ /function/) {
+ 		    printf "\n.localentry	%s,0\n",$xlated;
+ 		}
+diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch
+index 98944103b5..3125e37a94 100644
+--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
+@@ -1,4 +1,4 @@
+-From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+ From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ Date: Thu, 27 Sep 2018 08:29:21 -0300
+ Subject: Do not use host kernel version to disable AFALG
+@@ -9,10 +9,9 @@ version to disable building the AFALG engine on openwrt targets.
+ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ 
+ diff --git a/Configure b/Configure
+-index 5a699836f3..74d057c219 100755
+ --- a/Configure
+ +++ b/Configure
+-@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+  
+  unless ($disabled{afalgeng}) {
+      $config{afalgeng}="";
+diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch
+index d0530b4661..9d5db6cfd1 100644
+--- a/package/libs/openssl/patches/110-openwrt_targets.patch
+++ b/package/libs/openssl/patches/110-openwrt_targets.patch
+@@ -1,4 +1,4 @@
+-From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+ From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ Date: Thu, 27 Sep 2018 08:30:24 -0300
+ Subject: Add openwrt targets
+@@ -9,10 +9,9 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ 
+ diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf
+ new file mode 100644
+-index 0000000000..86a86d31e4
+ --- /dev/null
+ +++ b/Configurations/25-openwrt.conf
+-@@ -0,0 +1,48 @@
+@@ -0,0 +1,52 @@
+ +## Openwrt "CONFIG_ARCH" matching targets.
+ +
+ +# The targets need to end in '-openwrt' for the AFALG patch to work
+@@ -52,6 +51,10 @@ index 0000000000..86a86d31e4
+ +    "linux-powerpc-openwrt" => {
+ +        inherit_from    => [ "linux-ppc", "openwrt" ],
+ +    },
++    "linux-powerpc64-openwrt" => {
++        inherit_from    => [ "linux-ppc64", "openwrt" ],
++        perlasm_scheme  => "linux64v2",
++    },
+ +    "linux-x86_64-openwrt" => {
+ +        inherit_from    => [ "linux-x86_64", "openwrt" ],
+ +    },
+diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
+index 7faec9ab88..20fe21f2ac 100644
+--- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
+++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
+@@ -1,4 +1,4 @@
+-From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+ From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ Date: Thu, 27 Sep 2018 08:31:38 -0300
+ Subject: Avoid exposing build directories
+@@ -9,7 +9,6 @@ OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
+ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ 
+ diff --git a/crypto/build.info b/crypto/build.info
+-index 2c619c62e8..893128345a 100644
+ --- a/crypto/build.info
+ +++ b/crypto/build.info
+ @@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
+diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
+index 7f33cb9dae..4707554d2d 100644
+--- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
+++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
+@@ -1,4 +1,4 @@
+-From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+ From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ Date: Thu, 27 Sep 2018 08:34:38 -0300
+ Subject: Do not build tests and fuzz directories
+@@ -8,7 +8,6 @@ This shortens build time.
+ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ 
+ diff --git a/Configure b/Configure
+-index 74d057c219..5813e9f8fe 100755
+ --- a/Configure
+ +++ b/Configure
+ @@ -318,7 +318,7 @@ my $auto_threads=1;    # enable threads automatically? true by default
+diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
+index b293db28f7..b2418006a9 100644
+--- a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
+++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
+@@ -1,4 +1,4 @@
+-From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+ From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ Date: Thu, 27 Sep 2018 08:44:39 -0300
+ Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
+@@ -15,7 +15,6 @@ when the client has it on top of its ciphersuite preference.
+ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ 
+ diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
+-index 6724ccf2d2..96d959427e 100644
+ --- a/include/openssl/ssl.h
+ +++ b/include/openssl/ssl.h
+ @@ -173,9 +173,15 @@ extern "C" {
+@@ -38,7 +37,6 @@ index 6724ccf2d2..96d959427e 100644
+  #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+                                     "TLS_AES_128_GCM_SHA256"
+ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+-index 27a1b2ec68..7039811323 100644
+ --- a/ssl/ssl_ciph.c
+ +++ b/ssl/ssl_ciph.c
+ @@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
+diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+index 81d41963c6..8851116347 100644
+--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+@@ -1,6 +1,17 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cotequeiroz@gmail.com>
+Date: Sat, 27 Mar 2021 17:43:25 -0300
+Subject: openssl.cnf: add engine configuration
+
+This adds configuration options for engines, loading all cnf files under
+/etc/ssl/engines.cnf.d/.
+
+Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+ --- a/apps/openssl.cnf
+ +++ b/apps/openssl.cnf
+-@@ -22,6 +22,82 @@ oid_section		= new_oids
+@@ -22,6 +22,16 @@ oid_section		= new_oids
+  # (Alternatively, use a configuration file that has only
+  # X.509v3 extensions in its main [= default] section.)
+  
+@@ -10,75 +21,9 @@
+ +engines=engines
+ +
+ +[engines]
+-+# To enable an engine, install the package, and uncomment it here:
+-+#devcrypto=devcrypto
+-+#afalg=afalg
+-+#padlock=padlock
++.include /var/etc/ssl/engines.cnf
+ +
+-+[afalg]
+-+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
+-+default_algorithms = ALL
+-+
+-+# The following commands are only available if using the alternative
+-+# (sync) AFALG engine
+-+# Configuration commands:
+-+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
+-+# list of supported algorithms, along with their driver, whether they
+-+# are hw accelerated or not, and the engine's configuration commands.
+-+
+-+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
+-+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
+-+# if acceleration can't be determined) [default=2]
+-+#USE_SOFTDRIVERS = 2
+-+
+-+# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a
+-+# comma-separated list of ciphers to enable [default=NO_ECB]
+-+# Starting in 1.2.0, if you use a cipher list, each cipher may be
+-+# followed by a colon (:) and the minimum request length to use
+-+# AF_ALG drivers for that cipher; smaller requests are processed by
+-+# softare; a negative value will use the default for that cipher
+-+#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0
+-+
+-+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
+-+# enable [default=NONE]
+-+# It is strongly recommended not to enable digests; their performance
+-+# is poor, and there are many cases in which they will not work,
+-+# especially when calling fork with open crypto contexts.  Openssh,
+-+# for example, does this, and you may not be able to login.
+-+#DIGESTS = NONE
+-+
+-+[devcrypto]
+-+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
+-+default_algorithms = ALL
+-+
+-+# Configuration commands:
+-+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
+-+# list of supported algorithms, along with their driver, whether they
+-+# are hw accelerated or not, and the engine's configuration commands.
+-+
+-+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
+-+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
+-+# if acceleration can't be determined) [default=2]
+-+#USE_SOFTDRIVERS = 2
+-+
+-+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
+-+# enable [default=ALL]
+-+# It is recommended to disable the ECB ciphers; in most cases, it will
+-+# only be used for PRNG, in small blocks, where performance is poor,
+-+# and there may be problems with apps forking with open crypto
+-+# contexts, leading to failures.  The CBC ciphers work well:
+-+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
+-+
+-+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
+-+# enable [default=NONE]
+-+# It is strongly recommended not to enable digests; their performance
+-+# is poor, and there are many cases in which they will not work,
+-+# especially when calling fork with open crypto contexts.  Openssh,
+-+# for example, does this, and you may not be able to login.
+-+#DIGESTS = NONE
+-+
+-+[padlock]
+-+default_algorithms = ALL
++.include /etc/ssl/engines.cnf.d
+ +
+  [ new_oids ]
+  
+diff --git a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch
+index 84c68b16a2..71c9fdd438 100644
+--- a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch
+++ b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch
+@@ -1,4 +1,4 @@
+-From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+ From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ Date: Mon, 5 Nov 2018 15:54:17 -0200
+ Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT
+@@ -15,7 +15,6 @@ Reviewed-by: Richard Levitte <levitte@openssl.org>
+ (Merged from https://github.com/openssl/openssl/pull/7585)
+ 
+ diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
+-index a727c6f646..a2c9a966f7 100644
+ --- a/crypto/engine/eng_devcrypto.c
+ +++ b/crypto/engine/eng_devcrypto.c
+ @@ -461,6 +461,7 @@ struct digest_ctx {
+diff --git a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch
+index ad83a51a10..83989a3625 100644
+--- a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch
+++ b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch
+@@ -1,4 +1,4 @@
+-From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+ From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ Date: Tue, 6 Nov 2018 22:54:07 -0200
+ Subject: eng_devcrypto: add command to dump driver info
+@@ -12,7 +12,6 @@ Reviewed-by: Richard Levitte <levitte@openssl.org>
+ (Merged from https://github.com/openssl/openssl/pull/7585)
+ 
+ diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
+-index 5ec38ca8f3..64dc6b891d 100644
+ --- a/crypto/engine/eng_devcrypto.c
+ +++ b/crypto/engine/eng_devcrypto.c
+ @@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS;
+diff --git a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
+index ea3f8fb8a7..da9b704501 100644
+--- a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
+++ b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
+@@ -9,7 +9,6 @@ engines/e_devcrypto.c.
+ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ 
+ diff --git a/crypto/engine/build.info b/crypto/engine/build.info
+-index e00802a3fd..47fe948966 100644
+ --- a/crypto/engine/build.info
+ +++ b/crypto/engine/build.info
+ @@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\
+@@ -20,10 +19,9 @@ index e00802a3fd..47fe948966 100644
+ -  SOURCE[../../libcrypto]=eng_devcrypto.c
+ -ENDIF
+ diff --git a/crypto/init.c b/crypto/init.c
+-index 1b0d523bea..ee3e2eb075 100644
+ --- a/crypto/init.c
+ +++ b/crypto/init.c
+-@@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl)
+@@ -328,18 +328,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl)
+      engine_load_openssl_int();
+      return 1;
+  }
+@@ -42,7 +40,7 @@ index 1b0d523bea..ee3e2eb075 100644
+  
+  # ifndef OPENSSL_NO_RDRAND
+  static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT;
+-@@ -365,6 +353,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic)
+@@ -364,6 +352,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic)
+      return 1;
+  }
+  # ifndef OPENSSL_NO_STATIC_ENGINE
+@@ -61,7 +59,7 @@ index 1b0d523bea..ee3e2eb075 100644
+  #  if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
+  static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT;
+  DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock)
+-@@ -713,11 +713,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+@@ -704,11 +704,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+      if ((opts & OPENSSL_INIT_ENGINE_OPENSSL)
+              && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl))
+          return 0;
+@@ -73,7 +71,7 @@ index 1b0d523bea..ee3e2eb075 100644
+  # ifndef OPENSSL_NO_RDRAND
+      if ((opts & OPENSSL_INIT_ENGINE_RDRAND)
+              && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand))
+-@@ -727,6 +722,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+@@ -718,6 +713,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+              && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
+          return 0;
+  # ifndef OPENSSL_NO_STATIC_ENGINE
+@@ -86,7 +84,6 @@ index 1b0d523bea..ee3e2eb075 100644
+      if ((opts & OPENSSL_INIT_ENGINE_PADLOCK)
+              && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock))
+ diff --git a/engines/build.info b/engines/build.info
+-index 1db771971c..33a25d7004 100644
+ --- a/engines/build.info
+ +++ b/engines/build.info
+ @@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}]
+@@ -116,7 +113,6 @@ diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c
+ similarity index 95%
+ rename from crypto/engine/eng_devcrypto.c
+ rename to engines/e_devcrypto.c
+-index 2c1b52d572..eff1ed3a7d 100644
+ --- a/crypto/engine/eng_devcrypto.c
+ +++ b/engines/e_devcrypto.c
+ @@ -7,7 +7,7 @@
+diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
+index 1f1cd7a582..fd4701307e 100644
+--- a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
+++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
+@@ -20,7 +20,6 @@ turn them on if it is safe and fast enough.
+ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ 
+ diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
+-index 3fcd81de7a..d25230d366 100644
+ --- a/engines/e_devcrypto.c
+ +++ b/engines/e_devcrypto.c
+ @@ -852,7 +852,7 @@ static void prepare_digest_methods(void)
+diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
+index bc514b88c9..bf1c98b104 100644
+--- a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
+++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
+@@ -9,7 +9,6 @@ session.  It may have been closed by another process after a fork.
+ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ 
+ diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
+-index d25230d366..f4570f1666 100644
+ --- a/engines/e_devcrypto.c
+ +++ b/engines/e_devcrypto.c
+ @@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+-- 
+2.25.1
+