ASR_BASE

Change-Id: Icf3719cc0afe3eeb3edc7fa80a2eb5199ca9dda1
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
new file mode 100644
index 0000000..871080a
--- /dev/null
+++ b/package/libs/openssl/Config.in
@@ -0,0 +1,310 @@
+if PACKAGE_libopenssl
+
+comment "Build Options"
+
+config OPENSSL_OPTIMIZE_SPEED
+	bool
+	default y if x86_64 || i386
+	prompt "Enable optimization for speed instead of size"
+	select OPENSSL_WITH_ASM
+	help
+		Enabling this option increases code size and performance.
+		The increase in performance and size depends on the
+		target CPU. EC and AES seem to benefit the most.
+
+config OPENSSL_SMALL_FOOTPRINT
+	bool
+	depends on !OPENSSL_OPTIMIZE_SPEED
+	default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
+	prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
+	help
+		This turns on -DOPENSSL_SMALL_FOOTPRINT.  This will save only
+		1-3% of of the ipk size.  The performance drop depends on
+		architecture and algorithm.  MIPS drops 13% of performance for
+		a 3% decrease in ipk size.  On Aarch64, for a 1% reduction in
+		size, ghash and GCM performance decreases 90%, while
+		Chacha20-Poly1305 is 15% slower.  X86_64 drops 1% of its size
+		for 3% of performance.  Other arches have not been tested.
+
+config OPENSSL_WITH_ASM
+	bool
+	default y
+	prompt "Compile with optimized assembly code"
+	depends on !arc
+	help
+		Disabling this option will reduce code size and performance.
+		The increase in performance and size depends on the target
+		CPU and on the algorithms being optimized.
+
+config OPENSSL_WITH_SSE2
+	bool
+	default y if !TARGET_x86_legacy && !TARGET_x86_geode
+	prompt "Enable use of x86 SSE2 instructions"
+	depends on OPENSSL_WITH_ASM && i386
+	help
+		Use of SSE2 instructions greatly increase performance with a
+		minimum increase in package size, but it will bring no benefit
+		if your hardware does not support them, such as Geode GX and LX.
+		AMD Geode NX, and Intel Pentium 4 and above support SSE2.
+
+config OPENSSL_WITH_DEPRECATED
+	bool
+	default y
+	prompt "Include deprecated APIs"
+	help
+		This drops all deprecated API, including engine support.
+
+config OPENSSL_NO_DEPRECATED
+	bool
+	default !OPENSSL_WITH_DEPRECATED
+
+config OPENSSL_WITH_ERROR_MESSAGES
+	bool
+	default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
+	prompt "Include error messages"
+	help
+		This option aids debugging, but increases package size and
+		memory usage.
+
+comment "Protocol Support"
+
+config OPENSSL_WITH_TLS13
+	bool
+	default y
+	prompt "Enable support for TLS 1.3"
+	help
+		TLS 1.3 is the newest version of the TLS specification.
+		It aims:
+		 * to increase the overall security of the protocol,
+		   removing outdated algorithms, and encrypting more of the
+		   protocol;
+		 * to increase performance by reducing the number of round-trips
+		   when performing a full handshake.
+
+config OPENSSL_WITH_DTLS
+	bool
+	prompt "Enable DTLS support"
+	help
+		Datagram Transport Layer Security (DTLS) provides TLS-like security
+		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
+
+config OPENSSL_WITH_NPN
+	bool
+	prompt "Enable NPN support"
+	help
+		NPN is a TLS extension, obsoleted and replaced with ALPN,
+		used to negotiate SPDY, and HTTP/2.
+
+config OPENSSL_WITH_SRP
+	bool
+	default y
+	prompt "Enable SRP support"
+	help
+		The Secure Remote Password protocol (SRP) is an augmented
+		password-authenticated key agreement (PAKE) protocol, specifically
+		designed to work around existing patents.
+
+config OPENSSL_WITH_CMS
+	bool
+	default y
+	prompt "Enable CMS (RFC 5652) support"
+	help
+		Cryptographic Message Syntax (CMS) is used to digitally sign,
+		digest, authenticate, or encrypt arbitrary message content.
+
+comment "Algorithm Selection"
+
+config OPENSSL_WITH_EC2M
+	bool
+	prompt "Enable ec2m support"
+	help
+		This option enables the more efficient, yet less common, binary
+		field elliptic curves.
+
+config OPENSSL_WITH_CHACHA_POLY1305
+	bool
+	default y
+	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
+	help
+		ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
+		combining ChaCha stream cipher with Poly1305 MAC.
+		It is 3x faster than AES, when not using a CPU with AES-specific
+		instructions, as is the case of most embedded devices.
+
+config OPENSSL_PREFER_CHACHA_OVER_GCM
+	bool
+	default y if !x86_64 && !aarch64
+	prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
+	depends on OPENSSL_WITH_CHACHA_POLY1305
+	help
+		The default openssl preference is for AES-GCM before ChaCha, but
+		that takes into account AES-NI capable chips.  It is not the
+		case with most embedded chips, so it may be better to invert
+		that preference.  This is just for the default case. The
+		application can always override this.
+
+config OPENSSL_WITH_PSK
+	bool
+	default y
+	prompt "Enable PSK support"
+	help
+		Build support for Pre-Shared Key based cipher suites.
+
+comment "Less commonly used build options"
+
+config OPENSSL_WITH_ARIA
+	bool
+	prompt "Enable ARIA support"
+	help
+		ARIA is a block cipher developed in South Korea, based on AES.
+
+config OPENSSL_WITH_CAMELLIA
+	bool
+	prompt "Enable Camellia cipher support"
+	help
+		Camellia is a bock cipher with security levels and processing
+		abilities comparable to AES.
+
+config OPENSSL_WITH_IDEA
+	bool
+	default y if !SMALL_FLASH
+	prompt "Enable IDEA cipher support (needs legacy provider)"
+	help
+		IDEA is a block cipher with 128-bit keys.
+		To use the cipher, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
+
+config OPENSSL_WITH_SEED
+	bool
+	default y if !SMALL_FLASH
+	prompt "Enable SEED cipher support (needs legacy provider)"
+	help
+		SEED is a block cipher with 128-bit keys broadly used in
+		South Korea, but seldom found elsewhere.
+		To use the cipher, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
+
+config OPENSSL_WITH_SM234
+	bool
+	prompt "Enable SM2/3/4 algorithms support"
+	help
+		These algorithms are a set of "Commercial Cryptography"
+		algorithms approved for use in China.
+		  * SM2 is an EC algorithm equivalent to ECDSA P-256
+		  * SM3 is a hash function equivalent to SHA-256
+		  * SM4 is a 128-block cipher equivalent to AES-128
+
+config OPENSSL_WITH_BLAKE2
+	bool
+	prompt "Enable BLAKE2 digest support"
+	help
+		BLAKE2 is a cryptographic hash function based on the ChaCha
+		stream cipher.
+
+config OPENSSL_WITH_MDC2
+	bool
+	default y if !SMALL_FLASH
+	prompt "Enable MDC2 digest support (needs legacy provider)"
+	help
+		To use the digest, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
+
+config OPENSSL_WITH_WHIRLPOOL
+	bool
+	default y if !SMALL_FLASH
+	prompt "Enable Whirlpool digest support (needs legacy provider)"
+	help
+		To use the digest, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
+
+config OPENSSL_WITH_COMPRESSION
+	bool
+	prompt "Enable compression support"
+	help
+		TLS compression is not recommended, as it is deemed insecure.
+		The CRIME attack exploits this weakness.
+		Even with this option turned on, it is disabled by default, and the
+		application must explicitly turn it on.
+
+config OPENSSL_WITH_RFC3779
+	bool
+	prompt "Enable RFC3779 support (BGP)"
+	help
+		RFC 3779 defines two X.509 v3 certificate extensions.  The first
+		binds a list of IP address blocks, or prefixes, to the subject of a
+		certificate.  The second binds a list of autonomous system
+		identifiers to the subject of a certificate.  These extensions may be
+		used to convey the authorization of the subject to use the IP
+		addresses and autonomous system identifiers contained in the
+		extensions.
+
+comment "Engine/Hardware Support"
+
+config OPENSSL_ENGINE
+	bool "Enable engine support"
+	select OPENSSL_WITH_DEPRECATED
+	default y
+	help
+		This enables alternative cryptography implementations,
+		most commonly for interfacing with external crypto devices,
+		or supporting new/alternative ciphers and digests.
+		If you compile the library with this option disabled, packages built
+		using an engine-enabled library (i.e. from the official repo) may
+		fail to run.  Compile and install the packages with engine support
+		disabled, and you should be fine.
+		Note that you need to enable KERNEL_AIO to be able to build the
+		afalg engine package.
+
+config OPENSSL_ENGINE_BUILTIN
+	bool "Build chosen engines into libcrypto"
+	depends on OPENSSL_ENGINE
+	help
+		This builds all chosen engines into libcrypto.so, instead of building
+		them as dynamic engines in separate packages.
+		The benefit of building the engines into libcrypto is that they won't
+		require any configuration to be used by default.
+
+config OPENSSL_ENGINE_BUILTIN_AFALG
+	bool
+	prompt "Acceleration support through AF_ALG sockets engine"
+	depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
+	select PACKAGE_libopenssl-conf
+	help
+		This enables use of hardware acceleration through the
+		AF_ALG kernel interface.
+
+config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
+	bool
+	prompt "Acceleration support through /dev/crypto"
+	depends on OPENSSL_ENGINE_BUILTIN
+	select PACKAGE_libopenssl-conf
+	help
+		This enables use of hardware acceleration through OpenBSD
+		Cryptodev API (/dev/crypto) interface.
+		Even though configuration is not strictly needed, it is worth seeing
+		https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
+		for information on how to configure the engine.
+
+config OPENSSL_ENGINE_BUILTIN_PADLOCK
+	bool
+	prompt "VIA Padlock Acceleration support engine"
+	depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
+	select PACKAGE_libopenssl-conf
+	help
+		This enables use of hardware acceleration through the
+		VIA Padlock module.
+
+config OPENSSL_WITH_ASYNC
+	bool
+	prompt "Enable asynchronous jobs support"
+	depends on OPENSSL_ENGINE && USE_GLIBC
+	help
+		Enables async-aware applications to be able to use OpenSSL to
+		initiate crypto operations asynchronously. In order to work
+		this will require the presence of an async capable engine.
+
+endif
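Review bot: The help text of `OPENSSL_WITH_DEPRECATED` says the opposite of its prompt. The option is labelled "Include deprecated APIs" and defaults to y, yet the help reads "This drops all deprecated API, including engine support." Read on its own, the help suggests that enabling the option removes APIs, while it is disabling it that removes engine support (`OPENSSL_ENGINE` selects this symbol). I would reword it to `Disabling this option drops all deprecated APIs, including engine support.` The help strings also carry small typos: "of of" under `OPENSSL_SMALL_FOOTPRINT`, "bock cipher" under `OPENSSL_WITH_CAMELLIA`, and "128-block cipher" under `OPENSSL_WITH_SM234`, which presumably means a 128-bit block cipher.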
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
new file mode 100644
index 0000000..4829670
--- /dev/null
+++ b/package/libs/openssl/Makefile
@@ -0,0 +1,437 @@
+#
+# Copyright (C) 2006-2016 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=openssl
+PKG_VERSION:=3.0.16
+PKG_RELEASE:=1
+PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto
+
+PKG_BUILD_PARALLEL:=1
+
+PKG_BASE:=$(subst $(space),.,$(wordlist 1,2,$(subst .,$(space),$(PKG_VERSION))))
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:= \
+	https://www.openssl.org/source/ \
+	https://www.openssl.org/source/old/$(PKG_BASE)/ \
+	https://github.com/openssl/openssl/releases/download/$(PKG_NAME)-$(PKG_VERSION)/
+
+PKG_HASH:=57e03c50feab5d31b152af2b764f10379aecd8ee92f16c985983ce4a99f7ef86
+
+PKG_LICENSE:=Apache-2.0
+PKG_LICENSE_FILES:=LICENSE
+PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
+PKG_CPE_ID:=cpe:/a:openssl:openssl
+PKG_CONFIG_DEPENDS:= \
+	CONFIG_OPENSSL_ENGINE \
+	CONFIG_OPENSSL_ENGINE_BUILTIN \
+	CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG \
+	CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO \
+	CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK \
+	CONFIG_OPENSSL_NO_DEPRECATED \
+	CONFIG_OPENSSL_OPTIMIZE_SPEED \
+	CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \
+	CONFIG_OPENSSL_SMALL_FOOTPRINT \
+	CONFIG_OPENSSL_WITH_ARIA \
+	CONFIG_OPENSSL_WITH_ASM \
+	CONFIG_OPENSSL_WITH_ASYNC \
+	CONFIG_OPENSSL_WITH_BLAKE2 \
+	CONFIG_OPENSSL_WITH_CAMELLIA \
+	CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \
+	CONFIG_OPENSSL_WITH_CMS \
+	CONFIG_OPENSSL_WITH_COMPRESSION \
+	CONFIG_OPENSSL_WITH_DTLS \
+	CONFIG_OPENSSL_WITH_EC2M \
+	CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
+	CONFIG_OPENSSL_WITH_IDEA \
+	CONFIG_OPENSSL_WITH_MDC2 \
+	CONFIG_OPENSSL_WITH_NPN \
+	CONFIG_OPENSSL_WITH_PSK \
+	CONFIG_OPENSSL_WITH_RFC3779 \
+	CONFIG_OPENSSL_WITH_SEED \
+	CONFIG_OPENSSL_WITH_SM234 \
+	CONFIG_OPENSSL_WITH_SRP \
+	CONFIG_OPENSSL_WITH_SSE2 \
+	CONFIG_OPENSSL_WITH_TLS13 \
+	CONFIG_OPENSSL_WITH_WHIRLPOOL
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/openssl-module.mk
+
+ifneq ($(CONFIG_CCACHE),)
+HOSTCC=$(HOSTCC_NOCACHE)
+HOSTCXX=$(HOSTCXX_NOCACHE)
+endif
+
+define Package/openssl/Default
+  TITLE:=Open source SSL toolkit
+  URL:=https://www.openssl.org/
+  SECTION:=libs
+  CATEGORY:=Libraries
+endef
+
+define Package/libopenssl/config
+source "$(SOURCE)/Config.in"
+endef
+
+define Package/openssl/Default/description
+The OpenSSL Project is a collaborative effort to develop a robust,
+commercial-grade, full-featured, and Open Source toolkit implementing the
+Transport Layer Security (TLS) protocol as well as a full-strength
+general-purpose cryptography library.
+endef
+
+define Package/libopenssl
+$(call Package/openssl/Default)
+  SUBMENU:=SSL
+  DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \
+	   +OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \
+	   +OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \
+	   +OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock \
+	   +(arm||armeb||mips||mipsel||powerpc||arc):libatomic
+  TITLE+= (libraries)
+  ABI_VERSION:=$(firstword $(subst .,$(space),$(PKG_VERSION)))
+  MENU:=1
+endef
+
+define Package/libopenssl/description
+$(call Package/openssl/Default/description)
+This package contains the OpenSSL shared libraries, needed by other programs.
+endef
+
+define Package/openssl-util
+  $(call Package/openssl/Default)
+  SECTION:=utils
+  CATEGORY:=Utilities
+  DEPENDS:=+libopenssl +libopenssl-conf
+  TITLE+= (utility)
+endef
+
+define Package/openssl-util/description
+$(call Package/openssl/Default/description)
+This package contains the OpenSSL command-line utility.
+endef
+
+define Package/libopenssl-conf
+  $(call Package/openssl/Default)
+  SUBMENU:=SSL
+  TITLE:=/etc/ssl/openssl.cnf config file
+  DEPENDS:=libopenssl
+endef
+
+define Package/libopenssl-conf/conffiles
+/etc/ssl/openssl.cnf
+$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/modules.cnf.d/devcrypto.cnf)
+$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/modules.cnf.d/padlock.cnf)
+endef
+
+define Package/libopenssl-conf/description
+$(call Package/openssl/Default/description)
+This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
+endef
+
+ifneq ($(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK)$(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),)
+define Package/libopenssl-conf/postinst
+#!/bin/sh
+
+add_engine_config() {
+	if [ -z "$${IPKG_INSTROOT}" ] && uci -q get "openssl.$$1" >/dev/null; then
+		[ "$$(uci -q get "openssl.$$1.builtin")" = 1 ] && return
+		uci set "openssl.$$1.builtin=1" && uci commit openssl
+		return
+	fi
+}
+
+$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),add_engine_config devcrypto)
+$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),add_engine_config padlock)
+endef
+endif
+
+$(eval $(call Package/openssl/add-provider,legacy))
+define Package/libopenssl-legacy
+  $(call Package/openssl/Default)
+  $(call Package/openssl/module/Default)
+  TITLE:=OpenSSL legacy provider
+endef
+
+define Package/libopenssl-legacy/description
+The OpenSSL legacy provider supplies OpenSSL implementations of algorithms that
+have been deemed legacy. Such algorithms have commonly fallen out of use, have
+been deemed insecure by the cryptography community, or something similar.  See
+https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
+endef
+
+$(eval $(call Package/openssl/add-engine,afalg))
+define Package/libopenssl-afalg
+  $(call Package/openssl/Default)
+  $(call Package/openssl/engine/Default)
+  TITLE:=AFALG hardware acceleration engine
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+	     @!OPENSSL_ENGINE_BUILTIN
+endef
+
+define Package/libopenssl-afalg/description
+This package adds an engine that enables hardware acceleration
+through the AF_ALG kernel interface.
+See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
+and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
+The engine_id is "afalg"
+endef
+
+$(eval $(call Package/openssl/add-engine,devcrypto))
+define Package/libopenssl-devcrypto
+  $(call Package/openssl/Default)
+  $(call Package/openssl/engine/Default)
+  TITLE:=/dev/crypto hardware acceleration engine
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN
+endef
+
+define Package/libopenssl-devcrypto/description
+This package adds an engine that enables hardware acceleration
+through the /dev/crypto kernel interface.
+See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
+and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
+The engine_id is "devcrypto"
+endef
+
+$(eval $(call Package/openssl/add-engine,padlock))
+define Package/libopenssl-padlock
+  $(call Package/openssl/Default)
+  $(call Package/openssl/engine/Default)
+  TITLE:=VIA Padlock hardware acceleration engine
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+	     @!OPENSSL_ENGINE_BUILTIN
+endef
+
+define Package/libopenssl-padlock/description
+This package adds an engine that enables VIA Padlock hardware acceleration.
+See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
+and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
+The engine_id is "padlock"
+endef
+
+OPENSSL_OPTIONS:= shared no-tests
+
+ifndef CONFIG_OPENSSL_WITH_BLAKE2
+  OPENSSL_OPTIONS += no-blake2
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
+  OPENSSL_OPTIONS += no-chacha no-poly1305
+else
+  ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM
+    OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM
+  endif
+endif
+
+ifndef CONFIG_OPENSSL_WITH_ASYNC
+  OPENSSL_OPTIONS += no-async
+endif
+
+ifndef CONFIG_OPENSSL_WITH_EC2M
+  OPENSSL_OPTIONS += no-ec2m
+endif
+
+ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
+  OPENSSL_OPTIONS += no-err
+endif
+
+ifndef CONFIG_OPENSSL_WITH_TLS13
+  OPENSSL_OPTIONS += no-tls1_3
+endif
+
+ifndef CONFIG_OPENSSL_WITH_ARIA
+  OPENSSL_OPTIONS += no-aria
+endif
+
+ifndef CONFIG_OPENSSL_WITH_SM234
+  OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CAMELLIA
+  OPENSSL_OPTIONS += no-camellia
+endif
+
+ifndef CONFIG_OPENSSL_WITH_IDEA
+  OPENSSL_OPTIONS += no-idea
+endif
+
+ifndef CONFIG_OPENSSL_WITH_SEED
+  OPENSSL_OPTIONS += no-seed
+endif
+
+ifndef CONFIG_OPENSSL_WITH_MDC2
+  OPENSSL_OPTIONS += no-mdc2
+endif
+
+ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL
+  OPENSSL_OPTIONS += no-whirlpool
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CMS
+  OPENSSL_OPTIONS += no-cms
+endif
+
+ifndef CONFIG_OPENSSL_WITH_RFC3779
+  OPENSSL_OPTIONS += no-rfc3779
+endif
+
+ifdef CONFIG_OPENSSL_NO_DEPRECATED
+  OPENSSL_OPTIONS += no-deprecated
+endif
+
+ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
+  TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3
+endif
+
+ifeq ($(CONFIG_OPENSSL_SMALL_FOOTPRINT),y)
+  OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
+endif
+
+ifdef CONFIG_OPENSSL_ENGINE
+  ifdef CONFIG_OPENSSL_ENGINE_BUILTIN
+    OPENSSL_OPTIONS += disable-dynamic-engine
+    ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG
+      OPENSSL_OPTIONS += no-afalgeng
+    endif
+    ifdef CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
+      OPENSSL_OPTIONS += enable-devcryptoeng
+    endif
+    ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK
+      OPENSSL_OPTIONS += no-padlockeng
+    endif
+  else
+    ifdef CONFIG_PACKAGE_libopenssl-devcrypto
+      OPENSSL_OPTIONS += enable-devcryptoeng
+    endif
+    ifndef CONFIG_PACKAGE_libopenssl-afalg
+      OPENSSL_OPTIONS += no-afalgeng
+    endif
+    ifndef CONFIG_PACKAGE_libopenssl-padlock
+      OPENSSL_OPTIONS += no-padlockeng
+    endif
+  endif
+else
+  OPENSSL_OPTIONS += no-engine
+endif
+
+ifndef CONFIG_OPENSSL_WITH_DTLS
+  OPENSSL_OPTIONS += no-dtls
+endif
+
+ifdef CONFIG_OPENSSL_WITH_COMPRESSION
+  OPENSSL_OPTIONS += zlib-dynamic
+else
+  OPENSSL_OPTIONS += no-comp
+endif
+
+ifndef CONFIG_OPENSSL_WITH_NPN
+  OPENSSL_OPTIONS += no-nextprotoneg
+endif
+
+ifndef CONFIG_OPENSSL_WITH_PSK
+  OPENSSL_OPTIONS += no-psk
+endif
+
+ifndef CONFIG_OPENSSL_WITH_SRP
+  OPENSSL_OPTIONS += no-srp
+endif
+
+ifndef CONFIG_OPENSSL_WITH_ASM
+  OPENSSL_OPTIONS += no-asm
+endif
+
+ifdef CONFIG_i386
+  ifndef CONFIG_OPENSSL_WITH_SSE2
+    OPENSSL_OPTIONS += no-sse2
+  endif
+endif
+
+OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt
+
+STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | $(MKHASH) md5)
+
+define Build/Configure
+	(cd $(PKG_BUILD_DIR); \
+		./Configure $(OPENSSL_TARGET) \
+			--prefix=/usr \
+			--libdir=lib \
+			--openssldir=/etc/ssl \
+			--cross-compile-prefix="$(TARGET_CROSS)" \
+			$(TARGET_CFLAGS) \
+			$(TARGET_CPPFLAGS) \
+			$(TARGET_LDFLAGS) \
+			$(OPENSSL_OPTIONS) && \
+		{ [ -f $(STAMP_CONFIGURED) ] || make clean; } \
+	)
+endef
+
+TARGET_CFLAGS += $(FPIC)
+
+define Build/Compile
+	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
+		CC="$(TARGET_CC)" \
+		SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
+		OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
+		$(OPENSSL_MAKEFLAGS) \
+		all
+	$(MAKE) -C $(PKG_BUILD_DIR) \
+		CC="$(TARGET_CC)" \
+		DESTDIR="$(PKG_INSTALL_DIR)" \
+		$(OPENSSL_MAKEFLAGS) \
+		install_sw install_ssldirs
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/openssl $(1)/usr/include/
+	$(INSTALL_DIR) $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib{crypto,ssl}.{a,so*} $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/{openssl,libcrypto,libssl}.pc $(1)/usr/lib/pkgconfig/
+	[ -n "$(TARGET_LDFLAGS)" ] && $(SED) 's#$(TARGET_LDFLAGS)##g' $(1)/usr/lib/pkgconfig/{openssl,libcrypto,libssl}.pc || true
+endef
+
+define Package/libopenssl/install
+	$(INSTALL_DIR) $(1)/etc/ssl/certs
+	$(INSTALL_DIR) $(1)/etc/ssl/private
+	chmod 0700 $(1)/etc/ssl/private
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/
+	$(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR))
+endef
+
+define Package/libopenssl-conf/install
+	$(INSTALL_DIR) $(1)/etc/ssl/modules.cnf.d $(1)/etc/config $(1)/etc/init.d
+	$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+	$(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+	$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
+	touch $(1)/etc/config/openssl
+	$(if $(CONFIG_OPENSSL_ENGINE),,
+		$(SED) 's!engines = engines_sect!#&!' $(1)/etc/ssl/openssl.cnf)
+	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
+		$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/modules.cnf.d/
+		echo -e "config engine 'devcrypto'\n\toption enabled '1'\n\toption builtin '1'" >> $(1)/etc/config/openssl)
+	$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
+		$(CP) ./files/padlock.cnf $(1)/etc/ssl/modules.cnf.d/
+		echo -e "\nconfig engine 'padlock'\n\toption enabled '1'\n\toption builtin '1'" >> $(1)/etc/config/openssl)
+endef
+
+define Package/openssl-util/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
+endef
+
+$(eval $(call BuildPackage,libopenssl))
+$(eval $(call BuildPackage,libopenssl-conf))
+$(eval $(call BuildPackage,libopenssl-afalg))
+$(eval $(call BuildPackage,libopenssl-devcrypto))
+$(eval $(call BuildPackage,libopenssl-legacy))
+$(eval $(call BuildPackage,libopenssl-padlock))
+$(eval $(call BuildPackage,openssl-util))
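Review bot: In `Build/Configure` the cleanup step calls a bare `make clean`, while every other sub-make in this file goes through `$(MAKE)`. A bare `make` is resolved through PATH and is not recognised as a recursive invocation, so it may be a different make binary than the one driving the build. I would write the line as `{ [ -f $(STAMP_CONFIGURED) ] || $(MAKE) clean; } \`. Separately, a short comment above `STAMP_CONFIGURED` could state that the md5 of `OPENSSL_OPTIONS` only keys the stamp file for reconfigure detection, so readers do not mistake it for an integrity check. The tarball itself is pinned by `PKG_HASH`.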
diff --git a/package/libs/openssl/files/afalg.cnf b/package/libs/openssl/files/afalg.cnf
new file mode 100644
index 0000000..fd20636
--- /dev/null
+++ b/package/libs/openssl/files/afalg.cnf
@@ -0,0 +1,3 @@
+[afalg_sect]
+default_algorithms = ALL
+
diff --git a/package/libs/openssl/files/devcrypto.cnf b/package/libs/openssl/files/devcrypto.cnf
new file mode 100644
index 0000000..91d0eee
--- /dev/null
+++ b/package/libs/openssl/files/devcrypto.cnf
@@ -0,0 +1,34 @@
+[devcrypto_sect]
+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
+default_algorithms = ALL
+
+# Configuration commands:
+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
+# list of supported algorithms, along with their driver, whether they
+# are hw accelerated or not, and the engine's configuration commands.
+
+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
+# if acceleration can't be determined) [default=2]
+#USE_SOFTDRIVERS = 2
+
+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
+# enable [default=ALL]
+# It is recommended to disable the ECB ciphers; in most cases, it will
+# only be used for PRNG, in small blocks, where performance is poor,
+# and there may be problems with apps forking with open crypto
+# contexts, leading to failures.  The CBC ciphers work well.
+CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, \
+	AES-128-CTR, AES-192-CTR, AES-256-CTR
+
+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
+# enable [default=NONE]
+# It is strongly recommended not to enable digests; their performance
+# is poor, and there are many cases in which they will not work,
+# especially when calling fork with open crypto contexts.  Openssh,
+# for example, does this, and you may not be able to login.
+# Sysupgrade will fail as well.  If you're adventurous enough to change
+# this, you should change it back to NONE, and reboot before running
+# sysupgrade!
+DIGESTS = NONE
+
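Review bot: The active `CIPHERS` list still enables single-DES `DES-CBC`, and nothing in the comments says why it is kept next to the AES and 3DES entries. If no consumer on the target needs it (not visible from this file), I would drop it so the first line reads `CIPHERS=DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, \`. Otherwise a one-line comment naming the consumer would help. The second line of the file also misspells the setting as `CIPERS`; it should read `CIPHERS/DIGESTS` to match the keys below.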
diff --git a/package/libs/openssl/files/legacy.cnf b/package/libs/openssl/files/legacy.cnf
new file mode 100644
index 0000000..4c20617
--- /dev/null
+++ b/package/libs/openssl/files/legacy.cnf
@@ -0,0 +1,3 @@
+[legacy_sect]
+activate = 1
+
diff --git a/package/libs/openssl/files/openssl.init b/package/libs/openssl/files/openssl.init
new file mode 100755
index 0000000..1c1e874
--- /dev/null
+++ b/package/libs/openssl/files/openssl.init
@@ -0,0 +1,72 @@
+#!/bin/sh /etc/rc.common
+
+START=13
+ENGINES_CNF=/var/etc/ssl/engines.cnf
+ENGINES_DIR=%ENGINES_DIR%
+MODULES_DIR=/usr/lib/ossl-modules
+PROVIDERS_CNF=/var/etc/ssl/providers.cnf
+
+#1: cnf file
+write_cnf_header() {
+	mkdir -p "$(dirname "$1")" && \
+	echo "# This file is automatically generated from /etc/config/openssl." >"$1" || {
+		echo "Error writing to $1."
+		return 1
+	}
+}
+
+
+#1: module name
+#2: output cnf file
+#3: module.so
+enable_module() {
+	local builtin enabled force
+
+	config_get_bool builtin "$1" builtin 0
+	config_get_bool enabled "$1" enabled 1
+	config_get_bool force "$1" force 0
+
+	if [ "$enabled" = 0 ]; then
+		[ "$builtin" = 0 ] && return 1
+		echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI."
+		echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl."
+	elif [ "$force" = 1 ]; then
+		printf "[Forced] "
+	elif ! grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*; then
+		echo "$1: Could not find section [$1] in config files."
+		return 1
+	elif [ "$builtin" = 1 ]; then
+		printf "[Builtin] "
+	elif [ ! -f "$3" ];then
+		echo "Skipping $1: $3 not found."
+		return 1
+	fi
+	echo "Enabling $1"
+	echo "$1=$1_sect" >>"$2"
+}
+
+config_engine() {
+	enable_module "$1" "$ENGINES_CNF" \
+		      "${ENGINES_DIR}/${1}.so"
+}
+
+config_provider() {
+	enable_module "$1" "$PROVIDERS_CNF" \
+		      "${MODULES_DIR}/${1}.so"
+}
+
+start() {
+	local ret=0
+
+        config_load openssl
+
+	echo Generating engines.cnf
+	write_cnf_header "${ENGINES_CNF}" && \
+	config_foreach config_engine engine || ret=$?
+
+	echo Generating providers.cnf
+	write_cnf_header "${PROVIDERS_CNF}" && \
+	config_foreach config_provider provider || ret=$?
+
+	return $ret
+}
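Review bot: `enable_module` reads a `force` option that is not documented anywhere in the script. Because it sits ahead of the later `elif` branches, `force=1` skips both the `[<name>_sect]` lookup in /etc/ssl/modules.cnf.d and the `[ ! -f "$3" ]` existence test before the entry is appended to the generated cnf. I would extend the parameter comment above the function with `# UCI options per section: enabled (default 1), builtin (default 0), force (default 0)` and `# force=1 writes the entry without checking for the config section or the module file`. The not-found message also names `[$1]` while the grep looks for `[$1_sect]`; `echo "$1: Could not find section [$1_sect] in config files."` would match what was searched.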
diff --git a/package/libs/openssl/files/padlock.cnf b/package/libs/openssl/files/padlock.cnf
new file mode 100644
index 0000000..f4085d9
--- /dev/null
+++ b/package/libs/openssl/files/padlock.cnf
@@ -0,0 +1,3 @@
+[padlock_sect]
+default_algorithms = ALL
+
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch
new file mode 100644
index 0000000..e9cd7bf
--- /dev/null
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:29:21 -0300
+Subject: Do not use host kernel version to disable AFALG
+
+This patch prevents the Configure script from using the host kernel
+version to disable building the AFALG engine on openwrt targets.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/Configure
++++ b/Configure
+@@ -1677,7 +1677,9 @@ $config{CFLAGS} = [ map { $_ eq '--ossl-
+ 
+ unless ($disabled{afalgeng}) {
+     $config{afalgeng}="";
+-    if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
++    if ($target =~ m/openwrt$/) {
++        push @{$config{engdirs}}, "afalg";
++    } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+         my $minver = 4*10000 + 1*100 + 0;
+         if ($config{CROSS_COMPILE} eq "") {
+             my $verstr = `uname -r`;
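Review bot: The new `$target =~ m/openwrt$/` branch adds the afalg engine directory without any version test, so the `$minver` comparison in the `elsif` branch no longer applies to OpenWrt targets. Skipping the host `uname -r` probe is the stated intent, but why the minimum-kernel requirement can be dropped altogether is explained only in the patch description, not in Configure. I would add a comment above the branch, something like `# OpenWrt targets: the host kernel version says nothing about the target, so skip the probe below`. The `unless` block continues past the end of this hunk.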
diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch
new file mode 100644
index 0000000..d02bc03
--- /dev/null
+++ b/package/libs/openssl/patches/110-openwrt_targets.patch
@@ -0,0 +1,71 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:30:24 -0300
+Subject: Add openwrt targets
+
+Targets are named: linux-$(CONFIG_ARCH)-openwrt
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- /dev/null
++++ b/Configurations/25-openwrt.conf
+@@ -0,0 +1,59 @@
++## Openwrt "CONFIG_ARCH" matching targets.
++
++# The targets need to end in '-openwrt' for the AFALG patch to work
++
++my %targets = (
++    "openwrt" => {
++	template	=> 1,
++	CFLAGS		=> add("\$(OPENWRT_OPTIMIZATION_FLAGS)"),
++    },
++    "linux-aarch64-openwrt" => {
++        inherit_from    => [ "linux-aarch64", "openwrt" ],
++    },
++    "linux-arc-openwrt" => {
++        inherit_from    => [ "linux-latomic", "openwrt" ],
++    },
++    "linux-arm-openwrt" => {
++        inherit_from    => [ "linux-armv4", "openwrt" ],
++    },
++    "linux-armeb-openwrt" => {
++        inherit_from    => [ "linux-armv4", "openwrt" ],
++    },
++    "linux-i386-openwrt" => {
++        inherit_from    => [ "linux-x86", "openwrt" ],
++    },
++    "linux-loongarch64-openwrt" => {
++        inherit_from    => [ "linux64-loongarch64", "openwrt" ],
++    },
++    "linux-mips-openwrt" => {
++        inherit_from    => [ "linux-mips32", "openwrt" ],
++    },
++    "linux-mips64-openwrt" => {
++        inherit_from    => [ "linux64-mips64", "openwrt" ],
++    },
++    "linux-mips64el-openwrt" => {
++        inherit_from    => [ "linux64-mips64", "openwrt" ],
++    },
++    "linux-mipsel-openwrt" => {
++        inherit_from    => [ "linux-mips32", "openwrt" ],
++    },
++    "linux-powerpc-openwrt" => {
++        inherit_from    => [ "linux-ppc", "openwrt" ],
++    },
++    "linux-powerpc64-openwrt" => {
++        inherit_from    => [ "linux-ppc64", "openwrt" ],
++        perlasm_scheme  => "linux64v2",
++    },
++    "linux-riscv64-openwrt" => {
++        inherit_from    => [ "linux-generic64", "openwrt" ],
++        perlasm_scheme   => "linux64",
++    },
++    "linux-x86_64-openwrt" => {
++        inherit_from    => [ "linux-x86_64", "openwrt" ],
++    },
++
++### Basic default option
++    "linux-generic32-openwrt" => {
++        inherit_from    => [ "linux-generic32", "openwrt" ],
++    },
++);
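Review bot: The `linux-generic32-openwrt` entry is labelled "Basic default option", but nothing visible selects it as a default. The package Makefile in this commit always composes the target as `linux-$(call qstrip,$(CONFIG_ARCH))-openwrt`. An architecture missing from this table would therefore reach Configure with a target name that is not defined here, rather than falling back to the generic entry. I would either say so in the comment, e.g. `### Generic 32-bit target; not chosen automatically, pass it explicitly`, or add the fallback in the Makefile. As a style point, the `openwrt` template lines are indented with tabs while the other entries use spaces.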
diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
new file mode 100644
index 0000000..ebdb940
--- /dev/null
+++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
@@ -0,0 +1,21 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:31:38 -0300
+Subject: Avoid exposing build directories
+
+The CFLAGS contain the build directories, and are shown by calling
+OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/crypto/build.info
++++ b/crypto/build.info
+@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
+ 
+ DEPEND[info.o]=buildinf.h
+ DEPEND[cversion.o]=buildinf.h
+-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"
+ 
+ GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
+ GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl
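Review bot: The `filter-out` on the new `GENERATE[buildinf.h]` line is a fixed list of four flag patterns, so any other path-carrying option in `$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)` still ends up in `buildinf.h` and is printed by `openssl version -a`. If the toolchain passes options such as `-fdebug-prefix-map=` or `--sysroot=` (not visible in this hunk), the list should be extended with `-fdebug-prefix-map% --sysroot=%`. `-I%` also matches only the joined form, so an include path given as a separate word after `-I` or `-isystem` would pass through. A comment above the line would help the next maintainer keep the list current, for example `# Strip options that embed build-host paths; extend when new path-carrying flags are added`.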
diff --git a/package/libs/openssl/patches/130-dont-build-fuzz-docs.patch b/package/libs/openssl/patches/130-dont-build-fuzz-docs.patch
new file mode 100644
index 0000000..60c4663
--- /dev/null
+++ b/package/libs/openssl/patches/130-dont-build-fuzz-docs.patch
@@ -0,0 +1,20 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:34:38 -0300
+Subject: Do not build tests and fuzz directories
+
+This shortens build time.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/build.info
++++ b/build.info
+@@ -1,7 +1,7 @@
+ # Note that some of these directories are filtered in Configure.  Look for
+ # %skipdir there for further explanations.
+ 
+-SUBDIRS=crypto ssl apps util tools fuzz providers doc
++SUBDIRS=crypto ssl apps util tools providers
+ IF[{- !$disabled{tests} -}]
+   SUBDIRS=test
+ ENDIF
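Review bot: The patch subject says tests and fuzz are skipped, but the changed `SUBDIRS` line drops `fuzz` and `doc`, and `test` is still added under `IF[{- !$disabled{tests} -}]`. I would reword the subject to `Do not build fuzz and doc directories` so that it matches the change and the patch file name.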
diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
new file mode 100644
index 0000000..fb7bc84
--- /dev/null
+++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
@@ -0,0 +1,92 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:44:39 -0300
+Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
+
+This enables a compile-time option to prefer ChaCha20-Poly1305 over
+AES-GCM in the openssl default ciphersuite, which is useful in systems
+without AES specific CPU instructions.
+OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it.
+
+Note that this does not have the same effect as the
+SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only
+when the client has it on top of its ciphersuite preference.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -1506,11 +1506,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
+                           &tail);
+ 
++    /*
++     * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305
++     * will be placed before AES-256.  Otherwise, the default behavior of
++     * preferring GCM over CHACHA is used.
++     * This is useful for systems that do not have AES-specific CPU
++     * instructions, where ChaCha20-Poly1305 is 3 times faster than AES.
++     * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA
++     * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top
++     * of its ciphersuite preference.
++     */
++
++#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
++    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
++                          &head, &tail);
++    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
++                          &head, &tail);
++#else
+     /* Within each strength group, we prefer GCM over CHACHA... */
+     ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
+                           &head, &tail);
+     ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
+                           &head, &tail);
++#endif
+ 
+     /*
+      * ...and generally, our preferred cipher is AES.
+@@ -1565,7 +1583,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      * Within each group, ciphers remain sorted by strength and previous
+      * preference, i.e.,
+      * 1) ECDHE > DHE
+-     * 2) GCM > CHACHA
++     * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined
+      * 3) AES > rest
+      * 4) TLS 1.2 > legacy
+      *
+@@ -2236,7 +2254,13 @@ const char *OSSL_default_cipher_list(voi
+  */
+ const char *OSSL_default_ciphersuites(void)
+ {
++#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
++    return "TLS_CHACHA20_POLY1305_SHA256:"
++           "TLS_AES_256_GCM_SHA384:"
++           "TLS_AES_128_GCM_SHA256";
++#else
+     return "TLS_AES_256_GCM_SHA384:"
+            "TLS_CHACHA20_POLY1305_SHA256:"
+            "TLS_AES_128_GCM_SHA256";
++#endif
+ }
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -195,9 +195,15 @@ extern "C" {
+  * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
+  * Update both macro and function simultaneously
+  */
+-#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+-                                   "TLS_CHACHA20_POLY1305_SHA256:" \
+-                                   "TLS_AES_128_GCM_SHA256"
++#  ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
++#   define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
++                                    "TLS_AES_256_GCM_SHA384:" \
++                                    "TLS_AES_128_GCM_SHA256"
++#  else
++#   define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
++                                    "TLS_CHACHA20_POLY1305_SHA256:" \
++                                    "TLS_AES_128_GCM_SHA256"
++#  endif
+ # endif
+ /*
+  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
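Review bot: In the `ssl.h.in` part, `TLS_DEFAULT_CIPHERSUITES` is chosen by `OPENSSL_PREFER_CHACHA_OVER_GCM` in whichever translation unit includes the header, while the order returned by `OSSL_default_ciphersuites()` is fixed when libssl is compiled. If the define is passed only in the library's build flags (not visible here), an application still using the deprecated macro gets the GCM-first list while the function returns the ChaCha-first one, contrary to the "Update both macro and function simultaneously" comment above it. I would record this in the header comment, for example `/* Order follows OPENSSL_PREFER_CHACHA_OVER_GCM as seen by the including code and may differ from OSSL_default_ciphersuites() */`. Separately, the new comment in `ssl_ciph.c` states "3 times faster than AES" without naming a platform; "can be several times faster" would be safer. The `# if` enclosing the macro begins outside the hunk.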
diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
new file mode 100644
index 0000000..9fe9cdf
--- /dev/null
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cotequeiroz@gmail.com>
+Date: Sat, 27 Mar 2021 17:43:25 -0300
+Subject: openssl.cnf: add engine configuration
+
+This adds configuration options for engines, loading all cnf files under
+/etc/ssl/engines.cnf.d/.
+
+Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
+
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7
+ 
+ [openssl_init]
+ providers = provider_sect
++engines = engines_sect
+ 
+ # List of providers to load
+ [provider_sect]
+ default = default_sect
++.include /var/etc/ssl/providers.cnf
++
+ # The fips section name should match the section name inside the
+ # included fipsmodule.cnf.
+ # fips = fips_sect
+@@ -69,7 +72,13 @@ default = default_sect
+ # OpenSSL may not work correctly which could lead to significant system
+ # problems including inability to remotely access the system.
+ [default_sect]
+-# activate = 1
++activate = 1
++
++[engines_sect]
++.include /var/etc/ssl/engines.cnf
++
++.include /etc/ssl/modules.cnf.d
++
+ 
+ 
+ ####################################################################
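Review bot: The description names `/etc/ssl/engines.cnf.d/`, but the hunk includes `/var/etc/ssl/providers.cnf`, `/var/etc/ssl/engines.cnf` and `/etc/ssl/modules.cnf.d`; the text should list the paths actually used. These includes decide which engines and providers are loaded by every program that reads this `openssl.cnf`, so write access to them amounts to control over code loaded into those processes. I would add a comment before the first `.include`, for example `# Included files select loadable modules; keep /var/etc/ssl and /etc/ssl/modules.cnf.d root-owned and not group- or world-writable`. Whatever creates the files under `/var/etc/ssl` is outside this hunk and should set matching permissions.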
diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
new file mode 100644
index 0000000..f183263
--- /dev/null
+++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 11 Mar 2019 09:29:13 -0300
+Subject: e_devcrypto: default to not use digests in engine
+
+Digests are almost always slower when using /dev/crypto because of the
+cost of the context switches.  Only for large blocks it is worth it.
+
+Also, when forking, the open context structures are duplicated, but the
+internal kernel sessions are still shared between forks, which means an
+update/close operation in one fork affects all processes using that
+session.
+
+This affects digests, especially for HMAC, where the session with the
+key hash is used as a source for subsequent operations.  At least one
+popular application does this across a fork.  Disabling digests by
+default will mitigate the problem, while still allowing the user to
+turn them on if it is safe and fast enough.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -905,7 +905,7 @@ static void prepare_digest_methods(void)
+     for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
+          i++) {
+ 
+-        selected_digests[i] = 1;
++        selected_digests[i] = 0;
+ 
+         /*
+          * Check that the digest is usable
+@@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
+ #ifdef IMPLEMENT_DIGEST
+    {DEVCRYPTO_CMD_DIGESTS,
+     "DIGESTS",
+-    "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
++    "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
+     ENGINE_CMD_FLAG_STRING},
+ #endif
+ 
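Review bot: The changed line `selected_digests[i] = 0;` in `prepare_digest_methods` carries no explanation; the reason (kernel sessions stay shared across `fork`, so an update or close in one process affects HMAC state in another) lives only in the patch description. I would add a comment above it, for example `/* Off by default: /dev/crypto sessions are shared across fork(), so another process can alter digest/HMAC state */`. The help string now reads `[default=NONE]`, so code and documentation agree. The function body continues outside the hunk.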
diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
new file mode 100644
index 0000000..40b1dc7
--- /dev/null
+++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 11 Mar 2019 10:15:14 -0300
+Subject: e_devcrypto: ignore error when closing session
+
+In cipher_init, ignore an eventual error when closing the previous
+session.  It may have been closed by another process after a fork.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -211,9 +211,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
+     int ret;
+ 
+     /* cleanup a previous session */
+-    if (cipher_ctx->sess.ses != 0 &&
+-        clean_devcrypto_session(&cipher_ctx->sess) == 0)
+-        return 0;
++    if (cipher_ctx->sess.ses != 0)
++        clean_devcrypto_session(&cipher_ctx->sess);
+ 
+     cipher_ctx->sess.cipher = cipher_d->devcryptoid;
+     cipher_ctx->sess.keylen = cipher_d->keylen;
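Review bot: The new `clean_devcrypto_session(&cipher_ctx->sess);` call in `cipher_init` discards the return value for every failure, not only the closed-after-fork case named in the description. If `clean_devcrypto_session` records an entry on the OpenSSL error queue when it fails (its body is not visible here), that entry stays queued and a later caller may attribute it to an unrelated operation. I would make the intent explicit with `(void)clean_devcrypto_session(&cipher_ctx->sess);` and a comment such as `/* session may already have been closed by another process after fork(); not fatal */`. Any error the helper raises should be cleared at that point. `cipher_init` starts and ends outside the hunk.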