summaryrefslogtreecommitdiff
path: root/system
diff options
context:
space:
mode:
Diffstat (limited to 'system')
-rw-r--r--system/openssl/0002-busybox-basename.patch34
-rw-r--r--system/openssl/0003-use-termios.patch26
-rw-r--r--system/openssl/0004-fix-default-ca-path-for-apps.patch79
-rw-r--r--system/openssl/0005-fix-parallel-build.patch349
-rw-r--r--system/openssl/0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch68
-rw-r--r--system/openssl/0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch27
-rw-r--r--system/openssl/0009-no-rpath.patch11
-rw-r--r--system/openssl/0010-ssl-env-zlib.patch38
-rw-r--r--system/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch88
-rw-r--r--system/openssl/1002-backport-changes-from-upstream-padlock-module.patch200
-rw-r--r--system/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch782
-rw-r--r--system/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch33
-rw-r--r--system/openssl/APKBUILD142
13 files changed, 1877 insertions, 0 deletions
diff --git a/system/openssl/0002-busybox-basename.patch b/system/openssl/0002-busybox-basename.patch
new file mode 100644
index 000000000..9bbc284f3
--- /dev/null
+++ b/system/openssl/0002-busybox-basename.patch
@@ -0,0 +1,34 @@
+From c276ddc394dd402327603959271eac63a2e1ec1c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Thu, 5 Feb 2015 08:40:00 +0200
+Subject: [PATCH] busybox basename
+
+---
+ Makefile.org | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.org b/Makefile.org
+index b7a3f96..035fa83 100644
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -649,7 +649,7 @@ install_docs:
+ filecase=-i; \
+ esac; \
+ set -e; for i in doc/apps/*.pod; do \
+- fn=`basename $$i .pod`; \
++ fn=`basename $$i .pod || true`; \
+ sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ (cd `$(PERL) util/dirname.pl $$i`; \
+@@ -666,7 +666,7 @@ install_docs:
+ done); \
+ done; \
+ set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \
+- fn=`basename $$i .pod`; \
++ fn=`basename $$i .pod || true`; \
+ sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ (cd `$(PERL) util/dirname.pl $$i`; \
+--
+2.2.2
+
diff --git a/system/openssl/0003-use-termios.patch b/system/openssl/0003-use-termios.patch
new file mode 100644
index 000000000..3312d1856
--- /dev/null
+++ b/system/openssl/0003-use-termios.patch
@@ -0,0 +1,26 @@
+From 5caf1bdcdb56358c0ce38ef404fedbe323e66cb9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Thu, 5 Feb 2015 08:40:32 +0200
+Subject: [PATCH] use termios
+
+---
+ crypto/ui/ui_openssl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c
+index 8bda83c..a89b5f2 100644
+--- a/crypto/ui/ui_openssl.c
++++ b/crypto/ui/ui_openssl.c
+@@ -224,6 +224,9 @@
+ # undef SGTTY
+ #endif
+
++#define TERMIOS
++#undef TERMIO
++
+ #ifdef TERMIOS
+ # include <termios.h>
+ # define TTY_STRUCT struct termios
+--
+2.2.2
+
diff --git a/system/openssl/0004-fix-default-ca-path-for-apps.patch b/system/openssl/0004-fix-default-ca-path-for-apps.patch
new file mode 100644
index 000000000..c2c53184a
--- /dev/null
+++ b/system/openssl/0004-fix-default-ca-path-for-apps.patch
@@ -0,0 +1,79 @@
+From 09e6425ad6927a825b077af85c50b2fb04773757 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Thu, 5 Feb 2015 08:52:05 +0200
+Subject: [PATCH] fix default ca path for apps
+
+---
+ apps/s_server.c | 22 ++++++++++++++--------
+ apps/s_time.c | 13 ++++++-------
+ 3 files changed, 26 insertions(+), 22 deletions(-)
+
+diff --git a/apps/s_server.c b/apps/s_server.c
+index baa2455..2d5dc97 100644
+--- a/apps/s_server.c
++++ b/apps/s_server.c
+@@ -1770,12 +1770,14 @@ int MAIN(int argc, char *argv[])
+ }
+ #endif
+
+- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx))) {
+- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(ctx))
++ ERR_print_errors(bio_err);
++ } else {
++ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
++ ERR_print_errors(bio_err);
+ }
++
+ if (vpm)
+ SSL_CTX_set1_param(ctx, vpm);
+
+@@ -1838,10 +1840,14 @@ int MAIN(int argc, char *argv[])
+ else
+ SSL_CTX_sess_set_cache_size(ctx2, 128);
+
+- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx2))) {
+- ERR_print_errors(bio_err);
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(ctx2))
++ ERR_print_errors(bio_err);
++ } else {
++ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath))
++ ERR_print_errors(bio_err);
+ }
++
+ if (vpm)
+ SSL_CTX_set1_param(ctx2, vpm);
+
+diff --git a/apps/s_time.c b/apps/s_time.c
+index 5846f3a..c8f371a 100644
+--- a/apps/s_time.c
++++ b/apps/s_time.c
+@@ -377,13 +377,12 @@ int MAIN(int argc, char **argv)
+
+ SSL_load_error_strings();
+
+- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
+- /*
+- * BIO_printf(bio_err,"error setting default verify locations\n");
+- */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
++ ERR_print_errors(bio_err);
++ } else {
++ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath))
++ ERR_print_errors(bio_err);
+ }
+
+ if (tm_cipher == NULL)
+--
+2.2.2
+
diff --git a/system/openssl/0005-fix-parallel-build.patch b/system/openssl/0005-fix-parallel-build.patch
new file mode 100644
index 000000000..70073fd19
--- /dev/null
+++ b/system/openssl/0005-fix-parallel-build.patch
@@ -0,0 +1,349 @@
+diff -ru openssl-1.0.2a.orig/Makefile.org openssl-1.0.2a/Makefile.org
+--- openssl-1.0.2d.orig/Makefile.org 2015-07-09 16:30:50.201986573 -0300
++++ openssl-1.0.2d/Makefile.org 2015-07-09 16:30:50.201986573 -0300
+@@ -278,17 +278,17 @@
+ build_libssl: build_ssl libssl.pc
+
+ build_crypto:
+- @dir=crypto; target=all; $(BUILD_ONE_CMD)
++ +@dir=crypto; target=all; $(BUILD_ONE_CMD)
+ build_ssl: build_crypto
+- @dir=ssl; target=all; $(BUILD_ONE_CMD)
++ +@dir=ssl; target=all; $(BUILD_ONE_CMD)
+ build_engines: build_crypto
+- @dir=engines; target=all; $(BUILD_ONE_CMD)
++ +@dir=engines; target=all; $(BUILD_ONE_CMD)
+ build_apps: build_libs
+- @dir=apps; target=all; $(BUILD_ONE_CMD)
++ +@dir=apps; target=all; $(BUILD_ONE_CMD)
+ build_tests: build_libs
+- @dir=test; target=all; $(BUILD_ONE_CMD)
++ +@dir=test; target=all; $(BUILD_ONE_CMD)
+ build_tools: build_libs
+- @dir=tools; target=all; $(BUILD_ONE_CMD)
++ +@dir=tools; target=all; $(BUILD_ONE_CMD)
+
+ all_testapps: build_libs build_testapps
+ build_testapps:
+@@ -536,9 +536,9 @@
+ dist_pem_h:
+ (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
+
+-install: all install_docs install_sw
++install: install_docs install_sw
+
+-install_sw:
++install_dirs:
+ @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
+ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
+ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
+@@ -547,12 +547,19 @@
+ $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
+ $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
+ $(INSTALL_PREFIX)$(OPENSSLDIR)/private
++ @$(PERL) $(TOP)/util/mkdir-p.pl \
++ $(INSTALL_PREFIX)$(MANDIR)/man1 \
++ $(INSTALL_PREFIX)$(MANDIR)/man3 \
++ $(INSTALL_PREFIX)$(MANDIR)/man5 \
++ $(INSTALL_PREFIX)$(MANDIR)/man7
++
++install_sw: install_dirs
+ @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
+ do \
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+- @set -e; target=install; $(RECURSIVE_BUILD_CMD)
++ +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
+ @set -e; liblist="$(LIBS)"; for i in $$liblist ;\
+ do \
+ if [ -f "$$i" ]; then \
+@@ -636,12 +643,7 @@
+ done; \
+ done
+
+-install_docs:
+- @$(PERL) $(TOP)/util/mkdir-p.pl \
+- $(INSTALL_PREFIX)$(MANDIR)/man1 \
+- $(INSTALL_PREFIX)$(MANDIR)/man3 \
+- $(INSTALL_PREFIX)$(MANDIR)/man5 \
+- $(INSTALL_PREFIX)$(MANDIR)/man7
++install_docs: install_dirs
+ @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
+ here="`pwd`"; \
+ filecase=; \
+diff -ru openssl-1.0.2a.orig/Makefile.shared openssl-1.0.2a/Makefile.shared
+--- openssl-1.0.2a.orig/Makefile.shared 2015-01-20 12:33:36.000000000 +0000
++++ openssl-1.0.2a/Makefile.shared 2015-03-19 14:53:31.246908039 +0000
+@@ -105,6 +105,7 @@
+ SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
+ LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
+ LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
++ [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
+ LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+ $${SHAREDCMD} $${SHAREDFLAGS} \
+ -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
+@@ -122,6 +123,7 @@
+ done; \
+ fi; \
+ if [ -n "$$SHLIB_SOVER" ]; then \
++ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
+ ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
+ ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
+ fi; \
+diff -ru openssl-1.0.2a.orig/crypto/Makefile openssl-1.0.2a/crypto/Makefile
+--- openssl-1.0.2a.orig/crypto/Makefile 2015-03-19 13:31:02.000000000 +0000
++++ openssl-1.0.2a/crypto/Makefile 2015-03-19 14:53:31.246908039 +0000
+@@ -85,11 +85,11 @@
+ @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+
+ subdirs:
+- @target=all; $(RECURSIVE_MAKE)
++ +@target=all; $(RECURSIVE_MAKE)
+
+ files:
+ $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
+- @target=files; $(RECURSIVE_MAKE)
++ +@target=files; $(RECURSIVE_MAKE)
+
+ links:
+ @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+@@ -100,7 +100,7 @@
+ # lib: $(LIB): are splitted to avoid end-less loop
+ lib: $(LIB)
+ @touch lib
+-$(LIB): $(LIBOBJ)
++$(LIB): $(LIBOBJ) | subdirs
+ $(AR) $(LIB) $(LIBOBJ)
+ test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+ $(RANLIB) $(LIB) || echo Never mind.
+@@ -111,7 +111,7 @@
+ fi
+
+ libs:
+- @target=lib; $(RECURSIVE_MAKE)
++ +@target=lib; $(RECURSIVE_MAKE)
+
+ install:
+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+@@ -120,7 +120,7 @@
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+- @target=install; $(RECURSIVE_MAKE)
++ +@target=install; $(RECURSIVE_MAKE)
+
+ lint:
+ @target=lint; $(RECURSIVE_MAKE)
+diff -ru openssl-1.0.2a.orig/engines/Makefile openssl-1.0.2a/engines/Makefile
+--- openssl-1.0.2a.orig/engines/Makefile 2015-03-19 13:31:14.000000000 +0000
++++ openssl-1.0.2a/engines/Makefile 2015-03-19 14:53:31.246908039 +0000
+@@ -72,7 +72,7 @@
+
+ all: lib subdirs
+
+-lib: $(LIBOBJ)
++lib: $(LIBOBJ) | subdirs
+ @if [ -n "$(SHARED_LIBS)" ]; then \
+ set -e; \
+ for l in $(LIBNAMES); do \
+@@ -89,7 +89,7 @@
+
+ subdirs:
+ echo $(EDIRS)
+- @target=all; $(RECURSIVE_MAKE)
++ +@target=all; $(RECURSIVE_MAKE)
+
+ files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+@@ -128,7 +128,7 @@
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ done; \
+ fi
+- @target=install; $(RECURSIVE_MAKE)
++ +@target=install; $(RECURSIVE_MAKE)
+
+ tags:
+ ctags $(SRC)
+diff -ru openssl-1.0.2a.orig/test/Makefile openssl-1.0.2a/test/Makefile
+--- openssl-1.0.2a.orig/test/Makefile 2015-03-19 13:31:16.000000000 +0000
++++ openssl-1.0.2a/test/Makefile 2015-03-19 14:55:44.146017128 +0000
+@@ -133,7 +133,7 @@
+ tags:
+ ctags $(SRC)
+
+-tests: exe apps $(TESTS)
++tests: exe $(TESTS)
+
+ apps:
+ @(cd ..; $(MAKE) DIRS=apps all)
+@@ -402,121 +402,121 @@
+ link_app.$${shlib_target}
+
+ $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
+- @target=$(RSATEST); $(BUILD_CMD)
++ +@target=$(RSATEST); $(BUILD_CMD)
+
+ $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
+- @target=$(BNTEST); $(BUILD_CMD)
++ +@target=$(BNTEST); $(BUILD_CMD)
+
+ $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
+- @target=$(ECTEST); $(BUILD_CMD)
++ +@target=$(ECTEST); $(BUILD_CMD)
+
+ $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
+- @target=$(EXPTEST); $(BUILD_CMD)
++ +@target=$(EXPTEST); $(BUILD_CMD)
+
+ $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
+- @target=$(IDEATEST); $(BUILD_CMD)
++ +@target=$(IDEATEST); $(BUILD_CMD)
+
+ $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
+- @target=$(MD2TEST); $(BUILD_CMD)
++ +@target=$(MD2TEST); $(BUILD_CMD)
+
+ $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
+- @target=$(SHATEST); $(BUILD_CMD)
++ +@target=$(SHATEST); $(BUILD_CMD)
+
+ $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
+- @target=$(SHA1TEST); $(BUILD_CMD)
++ +@target=$(SHA1TEST); $(BUILD_CMD)
+
+ $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
+- @target=$(SHA256TEST); $(BUILD_CMD)
++ +@target=$(SHA256TEST); $(BUILD_CMD)
+
+ $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
+- @target=$(SHA512TEST); $(BUILD_CMD)
++ +@target=$(SHA512TEST); $(BUILD_CMD)
+
+ $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
+- @target=$(RMDTEST); $(BUILD_CMD)
++ +@target=$(RMDTEST); $(BUILD_CMD)
+
+ $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
+- @target=$(MDC2TEST); $(BUILD_CMD)
++ +@target=$(MDC2TEST); $(BUILD_CMD)
+
+ $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
+- @target=$(MD4TEST); $(BUILD_CMD)
++ +@target=$(MD4TEST); $(BUILD_CMD)
+
+ $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
+- @target=$(MD5TEST); $(BUILD_CMD)
++ +@target=$(MD5TEST); $(BUILD_CMD)
+
+ $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
+- @target=$(HMACTEST); $(BUILD_CMD)
++ +@target=$(HMACTEST); $(BUILD_CMD)
+
+ $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
+- @target=$(WPTEST); $(BUILD_CMD)
++ +@target=$(WPTEST); $(BUILD_CMD)
+
+ $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
+- @target=$(RC2TEST); $(BUILD_CMD)
++ +@target=$(RC2TEST); $(BUILD_CMD)
+
+ $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
+- @target=$(BFTEST); $(BUILD_CMD)
++ +@target=$(BFTEST); $(BUILD_CMD)
+
+ $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
+- @target=$(CASTTEST); $(BUILD_CMD)
++ +@target=$(CASTTEST); $(BUILD_CMD)
+
+ $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
+- @target=$(RC4TEST); $(BUILD_CMD)
++ +@target=$(RC4TEST); $(BUILD_CMD)
+
+ $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
+- @target=$(RC5TEST); $(BUILD_CMD)
++ +@target=$(RC5TEST); $(BUILD_CMD)
+
+ $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
+- @target=$(DESTEST); $(BUILD_CMD)
++ +@target=$(DESTEST); $(BUILD_CMD)
+
+ $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
+- @target=$(RANDTEST); $(BUILD_CMD)
++ +@target=$(RANDTEST); $(BUILD_CMD)
+
+ $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
+- @target=$(DHTEST); $(BUILD_CMD)
++ +@target=$(DHTEST); $(BUILD_CMD)
+
+ $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
+- @target=$(DSATEST); $(BUILD_CMD)
++ +@target=$(DSATEST); $(BUILD_CMD)
+
+ $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
+- @target=$(METHTEST); $(BUILD_CMD)
++ +@target=$(METHTEST); $(BUILD_CMD)
+
+ $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
+- @target=$(SSLTEST); $(FIPS_BUILD_CMD)
++ +@target=$(SSLTEST); $(FIPS_BUILD_CMD)
+
+ $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
+- @target=$(ENGINETEST); $(BUILD_CMD)
++ +@target=$(ENGINETEST); $(BUILD_CMD)
+
+ $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
+- @target=$(EVPTEST); $(BUILD_CMD)
++ +@target=$(EVPTEST); $(BUILD_CMD)
+
+ $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
+- @target=$(EVPEXTRATEST); $(BUILD_CMD)
++ +@target=$(EVPEXTRATEST); $(BUILD_CMD)
+
+ $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
+- @target=$(ECDSATEST); $(BUILD_CMD)
++ +@target=$(ECDSATEST); $(BUILD_CMD)
+
+ $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
+- @target=$(ECDHTEST); $(BUILD_CMD)
++ +@target=$(ECDHTEST); $(BUILD_CMD)
+
+ $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
+- @target=$(IGETEST); $(BUILD_CMD)
++ +@target=$(IGETEST); $(BUILD_CMD)
+
+ $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
+- @target=$(JPAKETEST); $(BUILD_CMD)
++ +@target=$(JPAKETEST); $(BUILD_CMD)
+
+ $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
+- @target=$(ASN1TEST); $(BUILD_CMD)
++ +@target=$(ASN1TEST); $(BUILD_CMD)
+
+ $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
+- @target=$(SRPTEST); $(BUILD_CMD)
++ +@target=$(SRPTEST); $(BUILD_CMD)
+
+ $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
+- @target=$(V3NAMETEST); $(BUILD_CMD)
++ +@target=$(V3NAMETEST); $(BUILD_CMD)
+
+ $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
+- @target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
++ +@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
+
+ $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
+- @target=$(CONSTTIMETEST) $(BUILD_CMD)
++ +@target=$(CONSTTIMETEST) $(BUILD_CMD)
+
+ #$(AESTEST).o: $(AESTEST).c
+ # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
+@@ -529,7 +529,7 @@
+ # fi
+
+ dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
+- @target=dummytest; $(BUILD_CMD)
++ +@target=dummytest; $(BUILD_CMD)
+
+ # DO NOT DELETE THIS LINE -- make depend depends on it.
+
diff --git a/system/openssl/0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch b/system/openssl/0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
new file mode 100644
index 000000000..daa6df02f
--- /dev/null
+++ b/system/openssl/0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
@@ -0,0 +1,68 @@
+From 4785c095dbfb3630ddf6685f23e3a19c7c804cbc Mon Sep 17 00:00:00 2001
+From: William Pitcock <nenolod@dereferenced.org>
+Date: Thu, 5 Feb 2015 09:02:00 +0200
+Subject: [PATCH] add ircv3 tls-3.1 extension support to s_client
+
+---
+ apps/s_client.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/apps/s_client.c b/apps/s_client.c
+index 8aee02a..0a28b89 100644
+--- a/apps/s_client.c
++++ b/apps/s_client.c
+@@ -401,7 +401,7 @@ static void sc_usage(void)
+ BIO_printf(bio_err,
+ " 'prot' defines which one to assume. Currently,\n");
+ BIO_printf(bio_err,
+- " only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
++ " only \"smtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\" and \"ircv3\"\n");
+ BIO_printf(bio_err, " are supported.\n");
+ #ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err,
+@@ -640,7 +640,8 @@ enum {
+ PROTO_POP3,
+ PROTO_IMAP,
+ PROTO_FTP,
+- PROTO_XMPP
++ PROTO_XMPP,
++ PROTO_IRCV3,
+ };
+
+ int MAIN(int, char **);
+@@ -1062,6 +1063,8 @@ int MAIN(int argc, char **argv)
+ starttls_proto = PROTO_FTP;
+ else if (strcmp(*argv, "xmpp") == 0)
+ starttls_proto = PROTO_XMPP;
++ else if (strcmp(*argv, "ircv3") == 0)
++ starttls_proto = PROTO_IRCV3;
+ else
+ goto bad;
+ }
+@@ -1646,6 +1649,23 @@ int MAIN(int argc, char **argv)
+ goto shut;
+ mbuf[0] = 0;
+ }
++ if (starttls_proto == PROTO_IRCV3) {
++ int seen = 0;
++ BIO_printf(sbio,"CAP REQ :tls\r\n");
++
++ while (!strstr(mbuf,"CAP")) {
++ seen = BIO_read(sbio,mbuf,BUFSIZZ);
++ mbuf[seen] = 0;
++ }
++ if (!strstr(mbuf,"ACK"))
++ goto shut;
++ BIO_printf(sbio,"CAP END\r\nSTARTTLS\r\n");
++ while (!strstr(sbuf, "670")) {
++ seen = BIO_read(sbio,sbuf,BUFSIZZ);
++ sbuf[seen] = 0;
++ }
++ mbuf[0] = 0;
++ }
+
+ for (;;) {
+ FD_ZERO(&readfds);
+--
+2.2.2
+
diff --git a/system/openssl/0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch b/system/openssl/0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
new file mode 100644
index 000000000..ff3d25eff
--- /dev/null
+++ b/system/openssl/0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
@@ -0,0 +1,27 @@
+From 7457e26d3a78c7cd923242d87d04febadddea086 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Thu, 5 Feb 2015 10:06:31 +0200
+Subject: [PATCH] maintain abi compat with no-freelist and regular build
+
+---
+ ssl/ssl.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index 2b0f662..636cb5d 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -1113,6 +1113,10 @@ struct ssl_ctx_st {
+ unsigned int freelist_max_len;
+ struct ssl3_buf_freelist_st *wbuf_freelist;
+ struct ssl3_buf_freelist_st *rbuf_freelist;
++# else
++ unsigned int freelist_dummy0;
++ void *freelist_dummy1;
++ void *freelist_dummy2;
+ # endif
+ # ifndef OPENSSL_NO_SRP
+ SRP_CTX srp_ctx; /* ctx for SRP authentication */
+--
+2.2.2
+
diff --git a/system/openssl/0009-no-rpath.patch b/system/openssl/0009-no-rpath.patch
new file mode 100644
index 000000000..56df75b79
--- /dev/null
+++ b/system/openssl/0009-no-rpath.patch
@@ -0,0 +1,11 @@
+--- a/Makefile.shared 2005-06-23 22:47:54.000000000 +0200
++++ b/Makefile.shared 2005-11-16 22:35:37.000000000 +0100
+@@ -153,7 +153,7 @@
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+ #This is rather special. It's a special target with which one can link
+ #applications without bothering with any features that have anything to
diff --git a/system/openssl/0010-ssl-env-zlib.patch b/system/openssl/0010-ssl-env-zlib.patch
new file mode 100644
index 000000000..9eae15d72
--- /dev/null
+++ b/system/openssl/0010-ssl-env-zlib.patch
@@ -0,0 +1,38 @@
+diff -ru openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
+--- openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2015-01-15 16:43:14.000000000 -0200
++++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-03-27 15:18:47.280054883 -0200
+@@ -47,6 +47,13 @@
+ been standardized, the compression API will most likely be changed. Using
+ it in the current state is not recommended.
+
++It is also not recommended to use compression if data transfered contain
++untrusted parts that can be manipulated by an attacker as he could then
++get information about the encrypted data. See the CRIME attack. For
++that reason the default loading of the zlib compression method is
++disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
++is present during the library initialization.
++
+ =head1 RETURN VALUES
+
+ SSL_COMP_add_compression_method() may return the following values:
+diff -ru openssl-1.0.2a.orig/ssl/ssl_ciph.c openssl-1.0.2a/ssl/ssl_ciph.c
+--- openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-03-19 15:30:36.000000000 -0200
++++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-03-27 15:23:05.960057092 -0200
+@@ -141,6 +141,8 @@
+ */
+
+ #include <stdio.h>
++#include <stdlib.h>
++#include <sys/auxv.h>
+ #include <openssl/objects.h>
+ #ifndef OPENSSL_NO_COMP
+ # include <openssl/comp.h>
+@@ -481,7 +483,7 @@
+
+ MemCheck_off();
+ ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
+- if (ssl_comp_methods != NULL) {
++ if (ssl_comp_methods != NULL && getauxval(AT_SECURE) == 0 && getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
+ comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp != NULL) {
+ comp->method = COMP_zlib();
diff --git a/system/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch b/system/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
new file mode 100644
index 000000000..ef46faa84
--- /dev/null
+++ b/system/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
@@ -0,0 +1,88 @@
+From 83c96cbc76604daccbc31cea9411555aea96fd6d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Thu, 5 Feb 2015 09:16:51 +0200
+Subject: [PATCH] crypto/hmac: support EVP_MD_CTX_FLAG_ONESHOT and set it
+ properly
+
+Some engines (namely VIA C7 Padlock) work only if EVP_MD_CTX_FLAG_ONESHOT
+is set before final update. This is because some crypto accelerators cannot
+perform non-finalizing transform of the digest.
+
+The usage of EVP_MD_CTX_FLAG_ONESHOT is used semantically slightly
+differently here. It is set before the final EVP_DigestUpdate call, not
+necessarily before EVP_DigestInit call. This will not cause any problems
+though.
+---
+ crypto/hmac/hmac.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
+index 1fc9e2c..6f16578 100644
+--- a/crypto/hmac/hmac.c
++++ b/crypto/hmac/hmac.c
+@@ -109,7 +109,8 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
+ j = EVP_MD_block_size(md);
+ OPENSSL_assert(j <= (int)sizeof(ctx->key));
+ if (j < len) {
+- if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl))
++ EVP_MD_CTX_set_flags(&ctx->md_ctx, EVP_MD_CTX_FLAG_ONESHOT);
++ if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl))
+ goto err;
+ if (!EVP_DigestUpdate(&ctx->md_ctx, key, len))
+ goto err;
+@@ -129,6 +130,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
+ if (reset) {
+ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
+ pad[i] = 0x36 ^ ctx->key[i];
++ EVP_MD_CTX_clear_flags(&ctx->i_ctx, EVP_MD_CTX_FLAG_ONESHOT);
+ if (!EVP_DigestInit_ex(&ctx->i_ctx, md, impl))
+ goto err;
+ if (!EVP_DigestUpdate(&ctx->i_ctx, pad, EVP_MD_block_size(md)))
+@@ -136,6 +138,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
+
+ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
+ pad[i] = 0x5c ^ ctx->key[i];
++ EVP_MD_CTX_clear_flags(&ctx->o_ctx, EVP_MD_CTX_FLAG_ONESHOT);
+ if (!EVP_DigestInit_ex(&ctx->o_ctx, md, impl))
+ goto err;
+ if (!EVP_DigestUpdate(&ctx->o_ctx, pad, EVP_MD_block_size(md)))
+@@ -143,6 +146,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
+ }
+ if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->i_ctx))
+ goto err;
++ EVP_MD_CTX_clear_flags(&ctx->md_ctx, EVP_MD_CTX_FLAG_ONESHOT);
+ return 1;
+ err:
+ return 0;
+@@ -177,6 +181,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
+ goto err;
+ if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->o_ctx))
+ goto err;
++ EVP_MD_CTX_set_flags(&ctx->md_ctx,EVP_MD_CTX_FLAG_ONESHOT);
+ if (!EVP_DigestUpdate(&ctx->md_ctx, buf, i))
+ goto err;
+ if (!EVP_DigestFinal_ex(&ctx->md_ctx, md, len))
+@@ -233,8 +238,9 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+ if (md == NULL)
+ md = m;
+ HMAC_CTX_init(&c);
+- if (!HMAC_Init(&c, key, key_len, evp_md))
++ if (!HMAC_Init_ex(&c, key, key_len, evp_md, NULL))
+ goto err;
++ HMAC_CTX_set_flags(&c,EVP_MD_CTX_FLAG_ONESHOT);
+ if (!HMAC_Update(&c, d, n))
+ goto err;
+ if (!HMAC_Final(&c, md, md_len))
+@@ -247,7 +253,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+
+ void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
+ {
+- EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
+- EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
++ EVP_MD_CTX_set_flags(&ctx->i_ctx, flags & ~EVP_MD_CTX_FLAG_ONESHOT);
++ EVP_MD_CTX_set_flags(&ctx->o_ctx, flags & ~EVP_MD_CTX_FLAG_ONESHOT);
+ EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
+ }
+--
+2.2.2
+
diff --git a/system/openssl/1002-backport-changes-from-upstream-padlock-module.patch b/system/openssl/1002-backport-changes-from-upstream-padlock-module.patch
new file mode 100644
index 000000000..f63bbcd1c
--- /dev/null
+++ b/system/openssl/1002-backport-changes-from-upstream-padlock-module.patch
@@ -0,0 +1,200 @@
+From ba17588a940ee712c3ef6d458adb1087f0c84521 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Thu, 5 Feb 2015 09:28:10 +0200
+Subject: [PATCH] backport changes from upstream padlock module.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Includes support for VIA Nano 64-bit mode.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+ engines/e_padlock.c | 142 +++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 125 insertions(+), 17 deletions(-)
+
+diff --git a/engines/e_padlock.c b/engines/e_padlock.c
+index 2898e4c..94406cb 100644
+--- a/engines/e_padlock.c
++++ b/engines/e_padlock.c
+@@ -101,7 +101,10 @@
+ */
+ # undef COMPILE_HW_PADLOCK
+ # if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
+-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
++# if (defined(__GNUC__) && __GNUC__>=2 && \
++ (defined(__i386__) || defined(__i386) || \
++ defined(__x86_64__) || defined(__x86_64)) \
++ ) || \
+ (defined(_MSC_VER) && defined(_M_IX86))
+ # define COMPILE_HW_PADLOCK
+ # endif
+@@ -303,6 +306,7 @@ static volatile struct padlock_cipher_data *padlock_saved_context;
+ * =======================================================
+ */
+ # if defined(__GNUC__) && __GNUC__>=2
++# if defined(__i386__) || defined(__i386)
+ /*
+ * As for excessive "push %ebx"/"pop %ebx" found all over.
+ * When generating position-independent code GCC won't let
+@@ -379,22 +383,6 @@ static int padlock_available(void)
+ return padlock_use_ace + padlock_use_rng;
+ }
+
+-# ifndef OPENSSL_NO_AES
+-# ifndef AES_ASM
+-/* Our own htonl()/ntohl() */
+-static inline void padlock_bswapl(AES_KEY *ks)
+-{
+- size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
+- unsigned int *key = ks->rd_key;
+-
+- while (i--) {
+- asm volatile ("bswapl %0":"+r" (*key));
+- key++;
+- }
+-}
+-# endif
+-# endif
+-
+ /*
+ * Force key reload from memory to the CPU microcode. Loading EFLAGS from the
+ * stack clears EFLAGS[30] which does the trick.
+@@ -448,6 +436,110 @@ static inline void *name(size_t cnt, \
+ : "edx", "cc", "memory"); \
+ return iv; \
+ }
++#endif
++
++#elif defined(__x86_64__) || defined(__x86_64)
++
++/* Load supported features of the CPU to see if
++ the PadLock is available. */
++static int
++padlock_available(void)
++{
++ char vendor_string[16];
++ unsigned int eax, edx;
++
++ /* Are we running on the Centaur (VIA) CPU? */
++ eax = 0x00000000;
++ vendor_string[12] = 0;
++ asm volatile (
++ "cpuid\n"
++ "movl %%ebx,(%1)\n"
++ "movl %%edx,4(%1)\n"
++ "movl %%ecx,8(%1)\n"
++ : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
++ if (strcmp(vendor_string, "CentaurHauls") != 0)
++ return 0;
++
++ /* Check for Centaur Extended Feature Flags presence */
++ eax = 0xC0000000;
++ asm volatile ("cpuid"
++ : "+a"(eax) : : "rbx", "rcx", "rdx");
++ if (eax < 0xC0000001)
++ return 0;
++
++ /* Read the Centaur Extended Feature Flags */
++ eax = 0xC0000001;
++ asm volatile ("cpuid"
++ : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
++
++ /* Fill up some flags */
++ padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
++ padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
++
++ return padlock_use_ace + padlock_use_rng;
++}
++
++/* Force key reload from memory to the CPU microcode.
++ Loading EFLAGS from the stack clears EFLAGS[30]
++ which does the trick. */
++static inline void
++padlock_reload_key(void)
++{
++ asm volatile ("pushfq; popfq");
++}
++
++#ifndef OPENSSL_NO_AES
++/*
++ * This is heuristic key context tracing. At first one
++ * believes that one should use atomic swap instructions,
++ * but it's not actually necessary. Point is that if
++ * padlock_saved_context was changed by another thread
++ * after we've read it and before we compare it with cdata,
++ * our key *shall* be reloaded upon thread context switch
++ * and we are therefore set in either case...
++ */
++static inline void
++padlock_verify_context(struct padlock_cipher_data *cdata)
++{
++ asm volatile (
++ "pushfq\n"
++" btl $30,(%%rsp)\n"
++" jnc 1f\n"
++" cmpq %2,%1\n"
++" je 1f\n"
++" popfq\n"
++" subq $8,%%rsp\n"
++"1: addq $8,%%rsp\n"
++" movq %2,%0"
++ :"+m"(padlock_saved_context)
++ : "r"(padlock_saved_context), "r"(cdata) : "cc");
++}
++
++/* Template for padlock_xcrypt_* modes */
++/* BIG FAT WARNING:
++ * The offsets used with 'leal' instructions
++ * describe items of the 'padlock_cipher_data'
++ * structure.
++ */
++#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
++static inline void *name(size_t cnt, \
++ struct padlock_cipher_data *cdata, \
++ void *out, const void *inp) \
++{ void *iv; \
++ asm volatile ( "leaq 16(%0),%%rdx\n" \
++ " leaq 32(%0),%%rbx\n" \
++ rep_xcrypt "\n" \
++ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
++ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
++ : "rbx", "rdx", "cc", "memory"); \
++ return iv; \
++}
++#endif
++
++#endif /* cpu */
++
++
++# ifndef OPENSSL_NO_AES
+
+ /* Generate all functions with appropriate opcodes */
+ /* rep xcryptecb */
+@@ -458,7 +550,23 @@ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8")
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")
+ /* rep xcryptofb */
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")
++
++# ifndef AES_ASM
++/* Our own htonl()/ntohl() */
++static inline void padlock_bswapl(AES_KEY *ks)
++{
++ size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
++ unsigned int *key = ks->rd_key;
++
++ while (i--) {
++ asm volatile ("bswapl %0":"+r" (*key));
++ key++;
++ }
++}
++# endif
++
+ # endif
++
+ /* The RNG call itself */
+ static inline unsigned int padlock_xstore(void *addr, unsigned int edx_in)
+ {
+--
+2.2.2
+
diff --git a/system/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch b/system/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
new file mode 100644
index 000000000..5a2cdd633
--- /dev/null
+++ b/system/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
@@ -0,0 +1,782 @@
+From 728af0306505f1ff91364ac2175fb6bf5da90ec3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Thu, 5 Feb 2015 09:41:12 +0200
+Subject: [PATCH] engines/e_padlock: implement sha1/sha224/sha256 acceleration
+
+Limited support for VIA C7 that works only when EVP_MD_CTX_FLAG_ONESHOT
+is used appropriately (as done by EVP_Digest, and my previous HMAC patch).
+
+Full support for VIA Nano including partial transformation and 64-bit mode.
+
+Benchmarks from VIA Nano 1.6GHz, done with including the previous HMAC and
+apps/speed patches done. From single run, error margin of about 100-200k.
+
+No padlock
+
+type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
+sha1 20057.60k 51514.05k 99721.39k 130167.81k 142811.14k
+sha256 7757.72k 16907.18k 28937.05k 35181.23k 37568.51k
+hmac(sha1) 8582.53k 27644.69k 70402.30k 114602.67k 140167.85k
+
+With the patch
+
+sha1 37713.77k 114562.71k 259637.33k 379907.41k 438818.13k
+sha256 34262.86k 103233.75k 232476.07k 338386.60k 389860.01k
+hmac(sha1) 8424.70k 31475.11k 104036.10k 245559.30k 406667.26k
+---
+ engines/e_padlock.c | 663 ++++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 614 insertions(+), 49 deletions(-)
+
+diff --git a/engines/e_padlock.c b/engines/e_padlock.c
+index 94406cb..5e99114 100644
+--- a/engines/e_padlock.c
++++ b/engines/e_padlock.c
+@@ -3,6 +3,9 @@
+ * Written by Michal Ludvig <michal@logix.cz>
+ * http://www.logix.cz/michal
+ *
++ * SHA support by Timo Teras <timo.teras@iki.fi>. Portions based on
++ * code originally written by Michal Ludvig.
++ *
+ * Big thanks to Andy Polyakov for a help with optimization,
+ * assembler fixes, port to MS Windows and a lot of other
+ * valuable work on this engine!
+@@ -63,7 +66,9 @@
+ */
+
+ #include <stdio.h>
++#include <stdint.h>
+ #include <string.h>
++#include <netinet/in.h>
+
+ #include <openssl/opensslconf.h>
+ #include <openssl/crypto.h>
+@@ -73,11 +78,32 @@
+ #ifndef OPENSSL_NO_AES
+ # include <openssl/aes.h>
+ #endif
++#ifndef OPENSSL_NO_SHA
++# include <openssl/sha.h>
++#endif
+ #include <openssl/rand.h>
+ #include <openssl/err.h>
+
+ #ifndef OPENSSL_NO_HW
+-# ifndef OPENSSL_NO_HW_PADLOCK
++# ifndef OPENSSL_NO_HW_PADLOCK
++
++/* PadLock RNG is disabled by default */
++# define PADLOCK_NO_RNG 1
++
++/* No ASM routines for SHA in MSC yet */
++# ifdef _MSC_VER
++# define OPENSSL_NO_SHA
++# endif
++
++/* 64-bit mode does not need software SHA1 as fallback, we can
++ * do all operations with padlock */
++# if defined(__x86_64__) || defined(__x86_64)
++# define PADLOCK_NEED_FALLBACK_SHA 0
++# else
++# define PADLOCK_NEED_FALLBACK_SHA 1
++# endif
++
++# define PADLOCK_MAX_FINALIZING_LENGTH 0x1FFFFFFE
+
+ /* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */
+ # if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+@@ -151,60 +177,42 @@ void ENGINE_load_padlock(void)
+ static int padlock_available(void);
+ static int padlock_init(ENGINE *e);
+
++# ifndef PADLOCK_NO_RNG
+ /* RNG Stuff */
+ static RAND_METHOD padlock_rand;
+-
+-/* Cipher Stuff */
+-# ifndef OPENSSL_NO_AES
+-static int padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+- const int **nids, int nid);
+ # endif
+
+ /* Engine names */
+ static const char *padlock_id = "padlock";
+ static char padlock_name[100];
+
++static int padlock_bind_helper(ENGINE *e);
++
+ /* Available features */
+-static int padlock_use_ace = 0; /* Advanced Cryptography Engine */
+-static int padlock_use_rng = 0; /* Random Number Generator */
++enum padlock_flags {
++ PADLOCK_RNG = 0x01,
++ PADLOCK_ACE = 0x02,
++ PADLOCK_ACE2 = 0x04,
++ PADLOCK_PHE = 0x08,
++ PADLOCK_PMM = 0x10,
++ PADLOCK_NANO = 0x20,
++};
++enum padlock_flags padlock_flags;
++
++#define PADLOCK_HAVE_RNG (padlock_flags & PADLOCK_RNG)
++#define PADLOCK_HAVE_ACE (padlock_flags & (PADLOCK_ACE|PADLOCK_ACE2))
++#define PADLOCK_HAVE_ACE1 (padlock_flags & PADLOCK_ACE)
++#define PADLOCK_HAVE_ACE2 (padlock_flags & PADLOCK_ACE2)
++#define PADLOCK_HAVE_PHE (padlock_flags & PADLOCK_PHE)
++#define PADLOCK_HAVE_PMM (padlock_flags & PADLOCK_PMM)
++#define PADLOCK_HAVE_NANO (padlock_flags & PADLOCK_NANO)
++
+ # ifndef OPENSSL_NO_AES
+ static int padlock_aes_align_required = 1;
+ # endif
+
+ /* ===== Engine "management" functions ===== */
+
+-/* Prepare the ENGINE structure for registration */
+-static int padlock_bind_helper(ENGINE *e)
+-{
+- /* Check available features */
+- padlock_available();
+-
+-# if 1 /* disable RNG for now, see commentary in
+- * vicinity of RNG code */
+- padlock_use_rng = 0;
+-# endif
+-
+- /* Generate a nice engine name with available features */
+- BIO_snprintf(padlock_name, sizeof(padlock_name),
+- "VIA PadLock (%s, %s)",
+- padlock_use_rng ? "RNG" : "no-RNG",
+- padlock_use_ace ? "ACE" : "no-ACE");
+-
+- /* Register everything or return with an error */
+- if (!ENGINE_set_id(e, padlock_id) ||
+- !ENGINE_set_name(e, padlock_name) ||
+- !ENGINE_set_init_function(e, padlock_init) ||
+-# ifndef OPENSSL_NO_AES
+- (padlock_use_ace && !ENGINE_set_ciphers(e, padlock_ciphers)) ||
+-# endif
+- (padlock_use_rng && !ENGINE_set_RAND(e, &padlock_rand))) {
+- return 0;
+- }
+-
+- /* Everything looks good */
+- return 1;
+-}
+-
+ # ifdef OPENSSL_NO_DYNAMIC_ENGINE
+
+ /* Constructor */
+@@ -229,7 +237,7 @@ static ENGINE *ENGINE_padlock(void)
+ /* Check availability of the engine */
+ static int padlock_init(ENGINE *e)
+ {
+- return (padlock_use_rng || padlock_use_ace);
++ return padlock_flags;
+ }
+
+ /*
+@@ -377,10 +385,20 @@ static int padlock_available(void)
+ "=d"(edx)::"ecx");
+
+ /* Fill up some flags */
+- padlock_use_ace = ((edx & (0x3 << 6)) == (0x3 << 6));
+- padlock_use_rng = ((edx & (0x3 << 2)) == (0x3 << 2));
+-
+- return padlock_use_ace + padlock_use_rng;
++ padlock_flags |= ((edx & (0x3<<3)) ? PADLOCK_RNG : 0);
++ padlock_flags |= ((edx & (0x3<<7)) ? PADLOCK_ACE : 0);
++ padlock_flags |= ((edx & (0x3<<9)) ? PADLOCK_ACE2 : 0);
++ padlock_flags |= ((edx & (0x3<<11)) ? PADLOCK_PHE : 0);
++ padlock_flags |= ((edx & (0x3<<13)) ? PADLOCK_PMM : 0);
++
++ /* Check for VIA Nano CPU */
++ eax = 0x00000001;
++ asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
++ : "+a"(eax) : : "ecx", "edx");
++ if ((eax | 0x000F) == 0x06FF)
++ padlock_flags |= PADLOCK_NANO;
++
++ return padlock_flags;
+ }
+
+ /*
+@@ -473,10 +491,14 @@ padlock_available(void)
+ : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
+
+ /* Fill up some flags */
+- padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
+- padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
+-
+- return padlock_use_ace + padlock_use_rng;
++ padlock_flags |= ((edx & (0x3<<3)) ? PADLOCK_RNG : 0);
++ padlock_flags |= ((edx & (0x3<<7)) ? PADLOCK_ACE : 0);
++ padlock_flags |= ((edx & (0x3<<9)) ? PADLOCK_ACE2 : 0);
++ padlock_flags |= ((edx & (0x3<<11)) ? PADLOCK_PHE : 0);
++ padlock_flags |= ((edx & (0x3<<13)) ? PADLOCK_PMM : 0);
++ padlock_flags |= PADLOCK_NANO;
++
++ return padlock_flags;
+ }
+
+ /* Force key reload from memory to the CPU microcode.
+@@ -1293,6 +1315,496 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
+
+ # endif /* OPENSSL_NO_AES */
+
++#ifndef OPENSSL_NO_SHA
++
++static inline void
++padlock_copy_bswap(void *dst, void *src, size_t count)
++{
++ uint32_t *udst = dst, *usrc = src;
++ int i = 0;
++
++ for (i = 0; i < count; i++)
++ udst[i] = htonl(usrc[i]);
++}
++
++static unsigned long padlock_sha_prepare_padding(
++ EVP_MD_CTX *ctx,
++ unsigned char *padding,
++ unsigned char *data, size_t data_len,
++ uint64_t total)
++{
++ unsigned int padding_len;
++
++ padding_len = data_len < 56 ? SHA_CBLOCK : 2 * SHA_CBLOCK;
++ if (data_len)
++ memcpy(padding, data, data_len);
++
++ memset(padding + data_len, 0, padding_len - data_len);
++ padding[data_len] = 0x80;
++ *(uint32_t *)(padding + padding_len - 8) = htonl(total >> 32);
++ *(uint32_t *)(padding + padding_len - 4) = htonl(total & 0xffffffff);
++
++ return data_len < 56 ? 1 : 2;
++}
++
++#define PADLOCK_SHA_ALIGN(dd) (uint32_t*)(((uintptr_t)(dd) + 15) & ~15)
++#define PADLOCK_SHA_HWCTX (128+16)
++
++static void
++padlock_sha1(void *hwctx, const void *buf, unsigned long total, unsigned long now)
++{
++ unsigned long pos = total - now;
++
++ asm volatile ("xsha1"
++ : "+S"(buf), "+D"(hwctx), "+a"(pos), "+c"(total)
++ : : "memory");
++}
++
++static void
++padlock_sha1_partial(void *hwctx, const void *buf, unsigned long blocks)
++{
++ asm volatile ("xsha1"
++ : "+S"(buf), "+D"(hwctx), "+c"(blocks)
++ : "a"(-1L) : "memory");
++}
++
++static int padlock_sha1_init(EVP_MD_CTX *ctx)
++{
++ return SHA1_Init(ctx->md_data);
++}
++
++#if PADLOCK_NEED_FALLBACK_SHA
++
++static int padlock_sha1_update_eden(EVP_MD_CTX *ctx, const void *data,
++ size_t len)
++{
++ unsigned char hwctx[PADLOCK_SHA_HWCTX];
++ uint32_t *aligned = PADLOCK_SHA_ALIGN(hwctx);
++ SHA_CTX *c = ctx->md_data;
++ uint_fast64_t total;
++ const unsigned char *p = data;
++ unsigned long l = 0;
++
++ /* Calculate total length (Nl,Nh) is length in bits */
++ total = (((uint_fast64_t) c->Nh) << 29) + (c->Nl >> 3);
++ total += len;
++
++ if ((ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) &&
++ (total <= PADLOCK_MAX_FINALIZING_LENGTH)) {
++ if (c->num != 0) {
++ l = (len < SHA_CBLOCK - c->num) ? len : (SHA_CBLOCK - c->num);
++ if (!SHA1_Update(c, data, l))
++ return 0;
++ p += l;
++ if (c->num != 0) {
++ p = (unsigned char *) c->data;
++ len = c->num;
++ l = 0;
++ }
++ }
++ memcpy(aligned, &c->h0, 5 * sizeof(SHA_LONG));
++ padlock_sha1(aligned, p, total, len - l);
++ memcpy(&c->h0, aligned, 5 * sizeof(SHA_LONG));
++ c->num = -1;
++ return 1;
++ }
++
++ return SHA1_Update(c, data, len);
++}
++#endif
++
++static int padlock_sha1_update(EVP_MD_CTX *ctx, const void *data,
++ size_t len)
++{
++ unsigned char hwctx[PADLOCK_SHA_HWCTX];
++ uint32_t *aligned = PADLOCK_SHA_ALIGN(hwctx);
++ SHA_CTX *c = ctx->md_data;
++ uint_fast64_t total;
++ unsigned char *p;
++ unsigned long n;
++
++ /* Calculate total length (Nl,Nh) is length in bits */
++ total = (((uint_fast64_t) c->Nh) << 29) + (c->Nl >> 3);
++ total += len;
++ c->Nh = total >> 29;
++ c->Nl = (total << 3) & 0xffffffffUL;
++
++ memcpy(aligned, &c->h0, 5 * sizeof(SHA_LONG));
++
++ /* Check partial data */
++ n = c->num;
++ if (n) {
++ p = (unsigned char *) c->data;
++ if (len >= SHA_CBLOCK || len+n >= SHA_CBLOCK) {
++ memcpy(p+n, data, SHA_CBLOCK-n);
++ padlock_sha1_partial(aligned, p, 1);
++ n = SHA_CBLOCK - n;
++ data += n;
++ len -= n;
++ c->num = 0;
++ memset(p, 0, SHA_CBLOCK);
++ } else {
++ memcpy(p+n, data, len);
++ c->num += (unsigned int)len;
++ return 1;
++ }
++ }
++
++ /* Can we finalize straight away? */
++ if ((ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) &&
++ (total <= PADLOCK_MAX_FINALIZING_LENGTH)) {
++ padlock_sha1(aligned, data, total, len);
++ memcpy(&c->h0, aligned, 5 * sizeof(SHA_LONG));
++ c->num = -1;
++ return 1;
++ }
++
++ /* Use nonfinalizing update */
++ n = len / SHA_CBLOCK;
++ if (n != 0) {
++ padlock_sha1_partial(aligned, data, n);
++ data += n * SHA_CBLOCK;
++ len -= n * SHA_CBLOCK;
++ }
++ memcpy(&c->h0, aligned, 5 * sizeof(SHA_LONG));
++
++ /* Buffer remaining bytes */
++ if (len) {
++ memcpy(c->data, data, len);
++ c->num = len;
++ }
++
++ return 1;
++}
++
++static int padlock_sha1_final(EVP_MD_CTX *ctx, unsigned char *md)
++{
++ unsigned char hwctx[PADLOCK_SHA_HWCTX];
++ uint32_t *aligned = PADLOCK_SHA_ALIGN(hwctx);
++ uint64_t total;
++ SHA_CTX *c = ctx->md_data;
++
++ if (c->num == -1) {
++ padlock_copy_bswap(md, &c->h0, 5);
++ c->num = 0;
++ return 1;
++ }
++
++ total = (((uint_fast64_t) c->Nh) << 29) + (c->Nl >> 3);
++#if PADLOCK_NEED_FALLBACK_SHA
++ if ((!PADLOCK_HAVE_NANO) && (total > PADLOCK_MAX_FINALIZING_LENGTH))
++ return SHA1_Final(md, c);
++#endif
++
++ memcpy(aligned, &c->h0, 5 * sizeof(SHA_LONG));
++ if (total > PADLOCK_MAX_FINALIZING_LENGTH) {
++ unsigned char padding[2 * SHA_CBLOCK];
++ unsigned long n;
++
++ n = padlock_sha_prepare_padding(ctx, padding,
++ (unsigned char *) c->data, c->num, total << 3);
++ padlock_sha1_partial(aligned, padding, n);
++ } else {
++ padlock_sha1(aligned, c->data, total, c->num);
++ }
++ padlock_copy_bswap(md, aligned, 5);
++ c->num = 0;
++
++ return 1;
++}
++
++static EVP_MD padlock_sha1_md = {
++ NID_sha1,
++ NID_sha1WithRSAEncryption,
++ SHA_DIGEST_LENGTH,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE,
++ padlock_sha1_init,
++ padlock_sha1_update,
++ padlock_sha1_final,
++ NULL,
++ NULL,
++ EVP_PKEY_RSA_method,
++ SHA_CBLOCK,
++ sizeof(SHA_CTX),
++};
++
++static EVP_MD padlock_dss1_md = {
++ NID_dsa,
++ NID_dsaWithSHA1,
++ SHA_DIGEST_LENGTH,
++ 0,
++ padlock_sha1_init,
++ padlock_sha1_update,
++ padlock_sha1_final,
++ NULL,
++ NULL,
++ EVP_PKEY_DSA_method,
++ SHA_CBLOCK,
++ sizeof(SHA_CTX),
++};
++
++
++#if !defined(OPENSSL_NO_SHA256)
++
++static void
++padlock_sha256(void *hwctx, const void *buf, unsigned long total, unsigned long now)
++{
++ unsigned long pos = total - now;
++
++ asm volatile ("xsha256"
++ : "+S"(buf), "+D"(hwctx), "+a"(pos), "+c"(total)
++ : : "memory");
++}
++
++static void
++padlock_sha256_partial(void *hwctx, const void *buf, unsigned long blocks)
++{
++ asm volatile ("xsha256"
++ : "+S"(buf), "+D"(hwctx), "+c"(blocks)
++ : "a"(-1L) : "memory");
++}
++
++#if PADLOCK_NEED_FALLBACK_SHA
++
++static int padlock_sha256_update_eden(EVP_MD_CTX *ctx, const void *data,
++ size_t len)
++{
++ unsigned char hwctx[PADLOCK_SHA_HWCTX];
++ uint32_t *aligned = PADLOCK_SHA_ALIGN(hwctx);
++ SHA256_CTX *c = ctx->md_data;
++ uint_fast64_t total;
++ const unsigned char *p = data;
++ unsigned int l = 0;
++
++ /* Calculate total length (Nl,Nh) is length in bits */
++ total = (((uint_fast64_t) c->Nh) << 29) + (c->Nl >> 3);
++ total += len;
++
++ if ((ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) &&
++ (total <= PADLOCK_MAX_FINALIZING_LENGTH)) {
++ if (c->num != 0) {
++ l = (len < SHA256_CBLOCK - c->num) ? len : (SHA256_CBLOCK - c->num);
++ if (!SHA256_Update(c, data, l))
++ return 0;
++ p += l;
++ if (c->num != 0) {
++ p = (unsigned char *) c->data;
++ len = c->num;
++ l = 0;
++ }
++ }
++ memcpy(aligned, c->h, sizeof(c->h));
++ padlock_sha256(aligned, p, total, len - l);
++ memcpy(c->h, aligned, sizeof(c->h));
++ c->num = -1;
++ return 1;
++ }
++
++ return SHA256_Update(c, data, len);
++}
++
++#endif
++
++static int padlock_sha256_update(EVP_MD_CTX *ctx, const void *data,
++ size_t len)
++{
++ unsigned char hwctx[PADLOCK_SHA_HWCTX];
++ uint32_t *aligned = PADLOCK_SHA_ALIGN(hwctx);
++ SHA256_CTX *c = ctx->md_data;
++ uint_fast64_t total;
++ unsigned char *p;
++ unsigned long n;
++
++ /* Calculate total length (Nl,Nh) is length in bits */
++ total = (((uint_fast64_t) c->Nh) << 29) + (c->Nl >> 3);
++ total += len;
++ c->Nh = total >> 29;
++ c->Nl = (total << 3) & 0xffffffffUL;
++
++ memcpy(aligned, c->h, sizeof(c->h));
++
++ /* Check partial data */
++ n = c->num;
++ if (n) {
++ p = (unsigned char *) c->data;
++ if (len >= SHA256_CBLOCK || len+n >= SHA256_CBLOCK) {
++ memcpy(p+n, data, SHA256_CBLOCK-n);
++ padlock_sha256_partial(aligned, p, 1);
++ n = SHA256_CBLOCK - n;
++ data += n;
++ len -= n;
++ c->num = 0;
++ memset(p, 0, SHA256_CBLOCK);
++ } else {
++ memcpy(p+n, data, len);
++ c->num += (unsigned int)len;
++ return 1;
++ }
++ }
++
++ /* Can we finalize straight away? */
++ if ((ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) &&
++ (total <= PADLOCK_MAX_FINALIZING_LENGTH)) {
++ padlock_sha256(aligned, data, total, len);
++ memcpy(c->h, aligned, sizeof(c->h));
++ c->num = -1;
++ return 1;
++ }
++
++ /* Use nonfinalizing update */
++ n = len / SHA256_CBLOCK;
++ if (n != 0) {
++ padlock_sha256_partial(aligned, data, n);
++ data += n * SHA256_CBLOCK;
++ len -= n * SHA256_CBLOCK;
++ }
++ memcpy(c->h, aligned, sizeof(c->h));
++
++ /* Buffer remaining bytes */
++ if (len) {
++ memcpy(c->data, data, len);
++ c->num = len;
++ }
++
++ return 1;
++}
++
++static int padlock_sha256_final(EVP_MD_CTX *ctx, unsigned char *md)
++{
++ unsigned char hwctx[PADLOCK_SHA_HWCTX];
++ uint32_t *aligned = PADLOCK_SHA_ALIGN(hwctx);
++ uint64_t total;
++ SHA256_CTX *c = ctx->md_data;
++
++ if (c->num == -1) {
++ padlock_copy_bswap(md, c->h, sizeof(c->h)/sizeof(c->h[0]));
++ c->num = 0;
++ return 1;
++ }
++
++ total = (((uint_fast64_t) c->Nh) << 29) + (c->Nl >> 3);
++#if PADLOCK_NEED_FALLBACK_SHA
++ if ((!PADLOCK_HAVE_NANO) && (total > PADLOCK_MAX_FINALIZING_LENGTH))
++ return SHA256_Final(md, c);
++#endif
++
++ memcpy(aligned, c->h, sizeof(c->h));
++ if (total > PADLOCK_MAX_FINALIZING_LENGTH) {
++ unsigned char padding[2 * SHA_CBLOCK];
++ unsigned long n;
++
++ n = padlock_sha_prepare_padding(ctx, padding,
++ (unsigned char *) c->data, c->num, total << 3);
++ padlock_sha256_partial(aligned, padding, n);
++ } else {
++ padlock_sha256(aligned, c->data, total, c->num);
++ }
++ padlock_copy_bswap(md, aligned, sizeof(c->h)/sizeof(c->h[0]));
++ c->num = 0;
++ return 1;
++}
++
++#if !defined(OPENSSL_NO_SHA224)
++
++static int padlock_sha224_init(EVP_MD_CTX *ctx)
++{
++ return SHA224_Init(ctx->md_data);
++}
++
++static EVP_MD padlock_sha224_md = {
++ NID_sha224,
++ NID_sha224WithRSAEncryption,
++ SHA224_DIGEST_LENGTH,
++ 0,
++ padlock_sha224_init,
++ padlock_sha256_update,
++ padlock_sha256_final,
++ NULL,
++ NULL,
++ EVP_PKEY_RSA_method,
++ SHA_CBLOCK,
++ sizeof(SHA256_CTX),
++};
++#endif /* !OPENSSL_NO_SHA224 */
++
++static int padlock_sha256_init(EVP_MD_CTX *ctx)
++{
++ return SHA256_Init(ctx->md_data);
++}
++
++static EVP_MD padlock_sha256_md = {
++ NID_sha256,
++ NID_sha256WithRSAEncryption,
++ SHA256_DIGEST_LENGTH,
++ 0,
++ padlock_sha256_init,
++ padlock_sha256_update,
++ padlock_sha256_final,
++ NULL,
++ NULL,
++ EVP_PKEY_RSA_method,
++ SHA_CBLOCK,
++ sizeof(SHA256_CTX),
++};
++#endif /* !OPENSSL_NO_SHA256 */
++
++static int padlock_digest_nids[] = {
++#if !defined(OPENSSL_NO_SHA)
++ NID_sha1,
++ NID_dsa,
++#endif
++#if !defined(OPENSSL_NO_SHA256)
++#if !defined(OPENSSL_NO_SHA224)
++ NID_sha224,
++#endif
++ NID_sha256,
++#endif
++};
++
++static int padlock_digest_nids_num = sizeof(padlock_digest_nids)/sizeof(padlock_digest_nids[0]);
++
++static int
++padlock_digests (ENGINE *e, const EVP_MD **digest, const int **nids, int nid)
++{
++ /* No specific digest => return a list of supported nids ... */
++ if (!digest) {
++ *nids = padlock_digest_nids;
++ return padlock_digest_nids_num;
++ }
++
++ /* ... or the requested "digest" otherwise */
++ switch (nid) {
++#if !defined(OPENSSL_NO_SHA)
++ case NID_sha1:
++ *digest = &padlock_sha1_md;
++ break;
++ case NID_dsa:
++ *digest = &padlock_dss1_md;
++ break;
++#endif
++#if !defined(OPENSSL_NO_SHA256)
++#if !defined(OPENSSL_NO_SHA224)
++ case NID_sha224:
++ *digest = &padlock_sha224_md;
++ break;
++#endif /* OPENSSL_NO_SHA224 */
++ case NID_sha256:
++ *digest = &padlock_sha256_md;
++ break;
++#endif /* OPENSSL_NO_SHA256 */
++ default:
++ /* Sorry, we don't support this NID */
++ *digest = NULL;
++ return 0;
++ }
++
++ return 1;
++}
++
++#endif /* OPENSSL_NO_SHA */
++
++#ifndef PADLOCK_NO_RNG
++
+ /* ===== Random Number Generator ===== */
+ /*
+ * This code is not engaged. The reason is that it does not comply
+@@ -1356,6 +1868,59 @@ static RAND_METHOD padlock_rand = {
+ padlock_rand_bytes, /* pseudorand */
+ padlock_rand_status, /* rand status */
+ };
++#endif /* PADLOCK_NO_RNG */
++
++/* Prepare the ENGINE structure for registration */
++static int
++padlock_bind_helper(ENGINE *e)
++{
++ /* Check available features */
++ padlock_available();
++
++ /* Generate a nice engine name with available features */
++ BIO_snprintf(padlock_name, sizeof(padlock_name),
++ "VIA PadLock: %s%s%s%s%s%s",
++ padlock_flags ? "" : "not supported",
++ PADLOCK_HAVE_RNG ? "RNG " : "",
++ PADLOCK_HAVE_ACE ? (PADLOCK_HAVE_ACE2 ? "ACE2 " : "ACE ") : "",
++ PADLOCK_HAVE_PHE ? "PHE " : "",
++ PADLOCK_HAVE_PMM ? "PMM " : "",
++ PADLOCK_HAVE_NANO ? "NANO " : ""
++ );
++
++#if PADLOCK_NEED_FALLBACK_SHA && !defined(OPENSSL_NO_SHA)
++ if (!PADLOCK_HAVE_NANO) {
++ padlock_sha1_md.update = padlock_sha1_update_eden;
++ padlock_dss1_md.update = padlock_sha1_update_eden;
++#if !defined(OPENSSL_NO_SHA256)
++#if !defined(OPENSSL_NO_SHA224)
++ padlock_sha224_md.update = padlock_sha256_update_eden;
++#endif
++ padlock_sha256_md.update = padlock_sha256_update_eden;
++#endif
++ }
++#endif
++
++ /* Register everything or return with an error */
++ if (!ENGINE_set_id(e, padlock_id) ||
++ !ENGINE_set_name(e, padlock_name) ||
++ !ENGINE_set_init_function(e, padlock_init)
++#ifndef OPENSSL_NO_AES
++ || (PADLOCK_HAVE_ACE && !ENGINE_set_ciphers (e, padlock_ciphers))
++#endif
++#ifndef OPENSSL_NO_SHA
++ || (PADLOCK_HAVE_PHE && !ENGINE_set_digests (e, padlock_digests))
++#endif
++#ifndef PADLOCK_NO_RNG
++ || (PADLOCK_HAVE_RNG && !ENGINE_set_RAND (e, &padlock_rand))
++#endif
++ ) {
++ return 0;
++ }
++
++ /* Everything looks good */
++ return 1;
++}
+
+ # else /* !COMPILE_HW_PADLOCK */
+ # ifndef OPENSSL_NO_DYNAMIC_ENGINE
+--
+2.2.2
+
diff --git a/system/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch b/system/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch
new file mode 100644
index 000000000..66f37451e
--- /dev/null
+++ b/system/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch
@@ -0,0 +1,33 @@
+From a58658f191e83f4c6417d2cc879fa572f7978537 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Thu, 4 Feb 2016 16:28:15 +0100
+Subject: [PATCH] crypto/engine: autoload padlock dynamic engine
+
+---
+ crypto/engine/eng_all.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c
+index 48ad0d2..822aa23 100644
+--- a/crypto/engine/eng_all.c
++++ b/crypto/engine/eng_all.c
+@@ -120,6 +120,16 @@ void ENGINE_load_builtin_engines(void)
+ ENGINE_load_capi();
+ # endif
+ #endif
++#ifdef OPENSSL_NO_STATIC_ENGINE
++ {
++ ENGINE *e = ENGINE_by_id("padlock");
++ if (e != NULL) {
++ ENGINE_add(e);
++ ENGINE_free(e);
++ ERR_clear_error();
++ }
++ }
++#endif
+ ENGINE_register_all_complete();
+ }
+
+--
+2.7.0
+
diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD
new file mode 100644
index 000000000..4f3c29923
--- /dev/null
+++ b/system/openssl/APKBUILD
@@ -0,0 +1,142 @@
+# Maintainer: Timo Teras <timo.teras@iki.fi>
+pkgname=openssl
+pkgver=1.0.2m
+pkgrel=0
+pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
+url="http://openssl.org"
+depends=
+makedepends_build="perl"
+makedepends_host="zlib-dev"
+makedepends="$makedepends_host $makedepends_build"
+depends_dev="zlib-dev"
+checkdepends="perl"
+arch="all"
+license="openssl"
+
+subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto1.0:libcrypto libssl1.0:libssl"
+
+source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
+ 0002-busybox-basename.patch
+ 0003-use-termios.patch
+ 0004-fix-default-ca-path-for-apps.patch
+ 0005-fix-parallel-build.patch
+ 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
+ 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
+ 0009-no-rpath.patch
+ 0010-ssl-env-zlib.patch
+ 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+ 1002-backport-changes-from-upstream-padlock-module.patch
+ 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
+ "
+
+# secfixes:
+# 1.0.2h-r0:
+# - CVE-2016-2107
+# - CVE-2016-2105
+# - CVE-2016-2106
+# - CVE-2016-2109
+# - CVE-2016-2176
+# 1.0.2h-r1:
+# - CVE-2016-2177
+# - CVE-2016-2178
+# 1.0.2h-r2:
+# - CVE-2016-2180
+# 1.0.2h-r3:
+# - CVE-2016-2179
+# - CVE-2016-2182
+# - CVE-2016-6302
+# - CVE-2016-6303
+# 1.0.2h-r4:
+# - CVE-2016-2181
+# 1.0.2i-r0:
+# - CVE-2016-2183
+# - CVE-2016-6304
+# - CVE-2016-6306
+# 1.0.2m-r0:
+# - CVE-2017-3735
+# - CVE-2017-3736
+
+builddir="$srcdir"/$pkgname-$pkgver
+
+build() {
+ local _target _optflags
+ cd "$builddir"
+
+ # openssl will prepend crosscompile always core CC et al
+ CC=${CC#${CROSS_COMPILE}}
+ CXX=${CXX#${CROSS_COMPILE}}
+ CPP=${CPP#${CROSS_COMPILE}}
+
+ # determine target OS for openssl
+ case "$CARCH" in
+ aarch64*) _target="linux-aarch64" ;;
+ arm*) _target="linux-armv4" ;;
+ ppc) _target="linux-ppc" ;;
+ ppc64) _target="linux-ppc64"; _optflags="no-asm" ;;
+ ppc64le) _target="linux-ppc64le" ;;
+ i528 | pmmx | x86) _target="linux-elf" ;;
+ x86_64) _target="linux-x86_64"; _optflags="enable-ec_nistp_64_gcc_128" ;;
+ s390x) _target="linux64-s390x";;
+ *) msg "Unable to determine architecture from (CARCH=$CARCH)" ; return 1 ;;
+ esac
+
+ # Configure assumes --options are for it, so can't use
+ # gcc's --sysroot fake this by overriding CC
+ [ -n "$CBUILDROOT" ] && CC="$CC --sysroot=${CBUILDROOT}"
+
+ perl ./Configure $_target --prefix=/usr \
+ --libdir=lib \
+ --openssldir=/etc/ssl \
+ shared zlib enable-montasm enable-md2 $_optflags \
+ -DOPENSSL_NO_BUF_FREELISTS \
+ $CPPFLAGS $CFLAGS $LDFLAGS -Wa,--noexecstack \
+ enable-ssl2
+
+ make && make build-shared
+}
+
+check() {
+ cd "$builddir"
+ make -j1 test
+}
+
+package() {
+ cd "$builddir"
+ make INSTALL_PREFIX="$pkgdir" MANDIR=/usr/share/man MANSUFFIX=ssl install
+ # remove the script c_rehash
+ rm "$pkgdir"/usr/bin/c_rehash
+}
+
+libcrypto() {
+ pkgdesc="Crypto library from openssl"
+
+ mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
+ for i in "$pkgdir"/usr/lib/libcrypto*; do
+ mv $i "$subpkgdir"/lib/
+ ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
+ done
+ mv "$pkgdir"/usr/lib/engines "$subpkgdir"/usr/lib/
+}
+
+libssl() {
+ pkgdesc="SSL shared libraries"
+
+ mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
+ for i in "$pkgdir"/usr/lib/libssl*; do
+ mv $i "$subpkgdir"/lib/
+ ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
+ done
+}
+
+sha512sums="7619aa223ee50d0f5e270ac9090e95b2b1ba5dfc656c98f625a9a277dda472fb960a4e89a7ba300044cb401b2072b2ca6a6fcce8206d927bf373d1c981806a93 openssl-1.0.2m.tar.gz
+2244f46cb18e6b98f075051dd2446c47f7590abccd108fbab707f168a20cad8d32220d704635973f09e3b2879f523be5160f1ffbc12ab3900f8a8891dc855c5c 0002-busybox-basename.patch
+58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4 0003-use-termios.patch
+c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae 0004-fix-default-ca-path-for-apps.patch
+5d4191482f8bbf62c75fe6bc2d9587388022c3310703c2a913788a983b1d1406e706cf3916a5792604f0b0f220a87432d3b82b442cea9915f2abb6fdd8478fcb 0005-fix-parallel-build.patch
+820d4ce1c222696fe3f1dd0d11815c06262ec230fdb174532fd507286667a0aefbf858ea5edac4245a54b950cd0556545ecd0c5cf494692a2ba131c667e7bcd5 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
+17ad683bb91a3a3c5bcc456c8aed7f0b42414c6de06ebafa4753af93c42d9827c9978a43d4d53d741a45df7f7895c6f6163172af57cc7b391cfd15f45ce6c351 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
+5dbbc01985190ae1254350fb12565beb6abb916b6a7bb1f0f22d9762b1e575d124aaf9aa4cfe5f908e420978f691072d48c61a72660f09dfd6d9a2f83f862bc1 0009-no-rpath.patch
+5febe20948e3f12d981e378e1f4ea538711657aacb6865a1aa91339d4a04277e250f490a1f2abc2c6f290bdc2b1bffdba1d00983b4c09f7ea983eef8163f9420 0010-ssl-env-zlib.patch
+8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389 1002-backport-changes-from-upstream-padlock-module.patch
+6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch"