[Buildroot] [PATCH 01/10] package/libshout: Add support for openssl 1.1.x

[Buildroot] [PATCH 01/10] package/libshout: Add support for openssl 1.1.x

[Patrick Havelange]

From: Vadim Kochan <vadim4j@gmail.com>

Added upstream patch.

Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

---
Changes v6:
  - Added Signed-off-by to the patch
---
 ...shout-tls-compile-with-OpenSSL-1.1.0.patch | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 package/libshout/0003-libshout-tls-compile-with-OpenSSL-1.1.0.patch

diff --git a/package/libshout/0003-libshout-tls-compile-with-OpenSSL-1.1.0.patch b/package/libshout/0003-libshout-tls-compile-with-OpenSSL-1.1.0.patch
new file mode 100644
index 0000000000..49b71501ed
--- /dev/null
+++ b/package/libshout/0003-libshout-tls-compile-with-OpenSSL-1.1.0.patch
@@ -0,0 +1,59 @@
+From 01fafc449f0de56743d08e7976933c49e2915bfa Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Wed, 15 Nov 2017 12:46:25 +0000
+Subject: [PATCH] tls: compile with OpenSSL 1.1.0
+
+The init functions are not longer required in OpenSSL 1.1 so I dropped
+them.
+
+TLSv1_client_method() should not be used because it enables only the
+TLSv1.0 protocol. Better is to use SSLv23_client_method() which enable
+all the protocols including TLSv1.2. With this functions SSLv2 and SSLv3
+is theoretically possible but as of today those protocols are usually
+build-time disabled.
+To avoid all this OpenSSL 1.1 provides TLS_client_method() which is aim
+to provide to highest TLS protocol version (same as
+SSLv23_client_method() but it is deprecated in 1.1).
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
+---
+ src/tls.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/tls.c b/src/tls.c
+index 4562c7327077..e0e5c1a5f079 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -24,6 +24,7 @@
+ #endif
+ 
+ #include <shout/shout.h>
++#include <string.h>
+ #include "shout_private.h"
+ 
+ #ifndef XXX_HAVE_X509_check_host
+@@ -61,14 +62,17 @@ shout_tls_t *shout_tls_new(shout_t *self, sock_t socket)
+ 
+ static inline int tls_setup(shout_tls_t *tls)
+ {
+-	SSL_METHOD *meth;
+-
++	const SSL_METHOD *meth;
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+ 	SSL_library_init();
+ 	SSL_load_error_strings();
+ 	SSLeay_add_all_algorithms();
+- 	SSLeay_add_ssl_algorithms();
++	SSLeay_add_ssl_algorithms();
+ 
+-	meth = TLSv1_client_method();
++	meth = SSLv23_client_method();
++#else
++	meth = TLS_client_method();
++#endif
+ 	if (!meth)
+ 		goto error;
+ 
+-- 
+2.15.0
-- 
2.17.1

[Buildroot] [PATCH 02/10] package/nut: Add support for openssl 1.1.x

[Patrick Havelange]

From: Vadim Kochan <vadim4j@gmail.com>

Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

---
Changes v6:
  - use the actual upstream patch
  - drop unrelated patch
---
 ...Add-compatibility-with-openssl-1.1.0.patch | 75 +++++++++++++++++++
 1 file changed, 75 insertions(+)
 create mode 100644 package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch

diff --git a/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch b/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch
new file mode 100644
index 0000000000..65b7f2d6f7
--- /dev/null
+++ b/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch
@@ -0,0 +1,75 @@
+From fcbf18c92918ce5e81d0aab62a7aed5c2245ea4d Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Fri, 1 Jun 2018 11:17:28 -0300
+Subject: [PATCH 1/2] Add compatibility with openssl 1.1.0
+
+Minor adjustments were needed:
+* Openssl 1.1 libs do not need to be initialized.
+* TLSv*_method became TLS_*_method.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Upstream: https://github.com/networkupstools/nut/pull/558/
+Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
+---
+ clients/upsclient.c        | 5 ++++-
+ m4/nut_check_libopenssl.m4 | 2 +-
+ server/netssl.c            | 7 +++++--
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/clients/upsclient.c b/clients/upsclient.c
+index b90587b0..053d60fb 100644
+--- a/clients/upsclient.c
++++ b/clients/upsclient.c
+@@ -316,10 +316,13 @@ int upscli_init(int certverify, const char *certpath,
+ 	
+ #ifdef WITH_OPENSSL
+ 	
++# if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	SSL_library_init();
+ 	SSL_load_error_strings();
++#  define TLS_client_method TLSv1_client_method
++# endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ 
+-	ssl_method = TLSv1_client_method();
++	ssl_method = TLS_client_method();
+ 
+ 	if (!ssl_method) {
+ 		return 0;
+diff --git a/m4/nut_check_libopenssl.m4 b/m4/nut_check_libopenssl.m4
+index 1b875077..7eb401cd 100644
+--- a/m4/nut_check_libopenssl.m4
++++ b/m4/nut_check_libopenssl.m4
+@@ -58,7 +58,7 @@ if test -z "${nut_have_libopenssl_seen}"; then
+ 
+ 	dnl check if openssl is usable
+ 	AC_CHECK_HEADERS(openssl/ssl.h, [nut_have_openssl=yes], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT])
+-	AC_CHECK_FUNCS(SSL_library_init, [], [nut_have_openssl=no])
++	AC_CHECK_FUNCS(SSL_CTX_new, [], [nut_have_openssl=no])
+ 
+ 	if test "${nut_have_openssl}" = "yes"; then
+ 		nut_with_ssl="yes"
+diff --git a/server/netssl.c b/server/netssl.c
+index c2f40989..0289e296 100644
+--- a/server/netssl.c
++++ b/server/netssl.c
+@@ -387,12 +387,15 @@ void ssl_init(void)
+ 
+ #ifdef WITH_OPENSSL
+ 
++# if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	SSL_load_error_strings();
+ 	SSL_library_init();
++#  define TLS_server_method TLSv1_server_method
++# endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ 
+-	if ((ssl_method = TLSv1_server_method()) == NULL) {
++	if ((ssl_method = TLS_server_method()) == NULL) {
+ 		ssl_debug();
+-		fatalx(EXIT_FAILURE, "TLSv1_server_method failed");
++		fatalx(EXIT_FAILURE, "TLS_server_method failed");
+ 	}
+ 
+ 	if ((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) {
+-- 
+2.16.1
+
-- 
2.17.1

[Buildroot] [PATCH 03/10] package/vboot-utils: Add support for openssl 1.1.x

[Patrick Havelange]

From: Vadim Kochan <vadim4j@gmail.com>

Backported changes from commit bce7904376beee2912932433a4634c1c25afe2f5,
there was some conflicts in few places which includes openssl_compat.h and
1 place in vb2_rsa_sig_alg function.

Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

---
Changes v6:
  - Added original commit hash in patch
---
 .../0006-Update-for-openssl-1.1.patch         | 268 ++++++++++++++++++
 1 file changed, 268 insertions(+)
 create mode 100644 package/vboot-utils/0006-Update-for-openssl-1.1.patch

diff --git a/package/vboot-utils/0006-Update-for-openssl-1.1.patch b/package/vboot-utils/0006-Update-for-openssl-1.1.patch
new file mode 100644
index 0000000000..77e71e58b8
--- /dev/null
+++ b/package/vboot-utils/0006-Update-for-openssl-1.1.patch
@@ -0,0 +1,268 @@
+From 2e730b2259c701f16d473dbfb7e58e86a6e71b01 Mon Sep 17 00:00:00 2001
+From: Daniel Kurtz <djkurtz@chromium.org>
+Date: Fri, 18 Jan 2019 13:04:59 +0200
+Subject: [PATCH] Update for openssl 1.1
+
+OpenSSL 1.1 has made significant non-backwards compatible changes to its
+API as outlined in:
+https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
+
+BRANCH=none
+BUG=chromium:738114
+TEST=cros_workon --host start vboot_reference
+TEST=w/ openssl-1.0.2k: sudo emerge vboot_reference
+TEST=w/ openssl-1.1.0e: sudo emerge vboot_reference
+ => both build ok
+ $ futility version
+  => command runs without error
+TEST=cros_workon --board=soraka start vboot_reference coreboot
+TEST=w/ openssl-1.0.2k: emerge-soraka vboot_reference coreboot
+TEST=w/ openssl-1.1.0e: emerge-soraka vboot_reference coreboot
+ => All build ok
+
+Change-Id: I37cfc8cbb04a092eab7b0b3224f475b82609447c
+Reviewed-on: https://chromium-review.googlesource.com/557739
+Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
+Tested-by: Daniel Kurtz <djkurtz@chromium.org>
+Reviewed-by: Randall Spangler <rspangler@chromium.org>
+Reviewed-by: Mike Frysinger <vapier@chromium.org>
+
+(cherry-picked from bce7904376beee2912932433a4634c1c25afe2f5)
+Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
+---
+ futility/cmd_create.c         |  5 ++++-
+ futility/vb2_helper.c         |  7 +++++--
+ host/include/openssl_compat.h | 26 ++++++++++++++++++++++++++
+ host/lib/util_misc.c          |  7 +++++--
+ host/lib21/host_key.c         |  8 +++++++-
+ utility/dumpRSAPublicKey.c    | 19 ++++++++++++++-----
+ 6 files changed, 61 insertions(+), 11 deletions(-)
+ create mode 100644 host/include/openssl_compat.h
+
+diff --git a/futility/cmd_create.c b/futility/cmd_create.c
+index 143ea9ae..80d3fd90 100644
+--- a/futility/cmd_create.c
++++ b/futility/cmd_create.c
+@@ -13,6 +13,7 @@
+ #include "2common.h"
+ #include "2id.h"
+ #include "2rsa.h"
++#include "openssl_compat.h"
+ #include "util_misc.h"
+ #include "vb2_common.h"
+ #include "vb2_struct.h"
+@@ -170,6 +171,7 @@ static int vb2_make_keypair()
+ 	enum vb2_signature_algorithm sig_alg;
+ 	uint8_t *pubkey_buf = 0;
+ 	int has_priv = 0;
++	const BIGNUM *rsa_d;
+ 
+ 	FILE *fp;
+ 	int ret = 1;
+@@ -193,7 +195,8 @@ static int vb2_make_keypair()
+ 		goto done;
+ 	}
+ 	/* Public keys doesn't have the private exponent */
+-	has_priv = !!rsa_key->d;
++	RSA_get0_key(rsa_key, NULL, NULL, &rsa_d);
++	has_priv = !!rsa_d;
+ 	if (!has_priv)
+ 		fprintf(stderr, "%s has a public key only.\n", infile);
+ 
+diff --git a/futility/vb2_helper.c b/futility/vb2_helper.c
+index 51a78375..c6cc0fdd 100644
+--- a/futility/vb2_helper.c
++++ b/futility/vb2_helper.c
+@@ -11,6 +11,7 @@
+ #include "2common.h"
+ #include "2id.h"
+ #include "2rsa.h"
++#include "openssl_compat.h"
+ #include "util_misc.h"
+ #include "vb2_common.h"
+ #include "vb2_struct.h"
+@@ -216,6 +217,7 @@ int ft_show_pem(const char *name, uint8_t *buf, uint32_t len, void *data)
+ 	uint8_t *keyb, *digest;
+ 	uint32_t keyb_len;
+ 	int i, bits;
++	const BIGNUM *rsa_key_n, *rsa_key_d;
+ 
+ 	/* We're called only after ft_recognize_pem, so this should work. */
+ 	rsa_key = rsa_from_buffer(buf, len);
+@@ -223,10 +225,11 @@ int ft_show_pem(const char *name, uint8_t *buf, uint32_t len, void *data)
+ 		DIE;
+ 
+ 	/* Use to presence of the private exponent to decide if it's public */
+-	printf("%s Key file:      %s\n", rsa_key->d ? "Private" : "Public",
++	RSA_get0_key(rsa_key, &rsa_key_n, NULL, &rsa_key_d);
++	printf("%s Key file:      %s\n", rsa_key_d ? "Private" : "Public",
+ 					 name);
+ 
+-	bits = BN_num_bits(rsa_key->n);
++	bits = BN_num_bits(rsa_key_n);
+ 	printf("  Key length:          %d\n", bits);
+ 
+ 	if (vb_keyb_from_rsa(rsa_key, &keyb, &keyb_len)) {
+diff --git a/host/include/openssl_compat.h b/host/include/openssl_compat.h
+new file mode 100644
+index 00000000..7771f32a
+--- /dev/null
++++ b/host/include/openssl_compat.h
+@@ -0,0 +1,26 @@
++/* Copyright 2017 The Chromium OS Authors. All rights reserved.
++ * Use of this source code is governed by a BSD-style license that can be
++ * found in the LICENSE file.
++ */
++
++#ifndef VBOOT_REFERENCE_OPENSSL_COMPAT_H_
++#define VBOOT_REFERENCE_OPENSSL_COMPAT_H_
++
++#include <openssl/rsa.h>
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++static inline void RSA_get0_key(const RSA *rsa, const BIGNUM **n,
++				const BIGNUM **e, const BIGNUM **d)
++{
++	if (n != NULL)
++		*n = rsa->n;
++	if (e != NULL)
++		*e = rsa->e;
++	if (d != NULL)
++		*d = rsa->d;
++}
++
++#endif  /* OPENSSL_VERSION_NUMBER < 0x10100000L */
++
++#endif  /* VBOOT_REFERENCE_OPENSSL_COMPAT_H_ */
+diff --git a/host/lib/util_misc.c b/host/lib/util_misc.c
+index 03ec683f..f0a1f7ad 100644
+--- a/host/lib/util_misc.c
++++ b/host/lib/util_misc.c
+@@ -15,6 +15,7 @@
+ 
+ #include "cryptolib.h"
+ #include "host_common.h"
++#include "openssl_compat.h"
+ #include "util_misc.h"
+ #include "vboot_common.h"
+ 
+@@ -58,6 +59,7 @@ int vb_keyb_from_rsa(struct rsa_st *rsa_private_key,
+ 	BIGNUM *N0inv = NULL, *R = NULL, *RR = NULL;
+ 	BIGNUM *RRTemp = NULL, *NnumBits = NULL;
+ 	BIGNUM *n = NULL, *rr = NULL;
++	const BIGNUM *rsa_private_key_n;
+ 	BN_CTX *bn_ctx = BN_CTX_new();
+ 	uint32_t n0invout;
+ 	uint32_t bufsize;
+@@ -65,7 +67,7 @@ int vb_keyb_from_rsa(struct rsa_st *rsa_private_key,
+ 	int retval = 1;
+ 
+ 	/* Size of RSA key in 32-bit words */
+-	nwords = BN_num_bits(rsa_private_key->n) / 32;
++	nwords = RSA_size(rsa_private_key) / 4;
+ 
+ 	bufsize = (2 + nwords + nwords) * sizeof(uint32_t);
+ 	outbuf = malloc(bufsize);
+@@ -94,7 +96,8 @@ int vb_keyb_from_rsa(struct rsa_st *rsa_private_key,
+ 	NEW_BIGNUM(B);
+ #undef NEW_BIGNUM
+ 
+-	BN_copy(N, rsa_private_key->n);
++	RSA_get0_key(rsa_private_key, &rsa_private_key_n, NULL, NULL);
++	BN_copy(N, rsa_private_key_n);
+ 	BN_set_word(Big1, 1L);
+ 	BN_set_word(Big2, 2L);
+ 	BN_set_word(Big32, 32L);
+diff --git a/host/lib21/host_key.c b/host/lib21/host_key.c
+index f7ea1622..f9419ad3 100644
+--- a/host/lib21/host_key.c
++++ b/host/lib21/host_key.c
+@@ -17,6 +17,7 @@
+ #include "host_common.h"
+ #include "host_key2.h"
+ #include "host_misc.h"
++#include "openssl_compat.h"
+ 
+ struct vb2_text_vs_enum vb2_text_vs_algorithm[] = {
+ 	{"RSA1024 SHA1",   VB2_ALG_RSA1024_SHA1},
+@@ -544,7 +545,12 @@ int vb2_public_key_hash(struct vb2_public_key *key,
+ 
+ enum vb2_signature_algorithm vb2_rsa_sig_alg(struct rsa_st *rsa)
+ {
+-	int bits = BN_num_bits(rsa->n);
++	const BIGNUM *e, *n;
++	int exp, bits;
++
++	RSA_get0_key(rsa, &n, &e, NULL);
++	exp = BN_get_word(e);
++	bits = BN_num_bits(n);
+ 
+ 	switch (bits) {
+ 	case 1024:
+diff --git a/utility/dumpRSAPublicKey.c b/utility/dumpRSAPublicKey.c
+index b3b7b96b..a17b159e 100644
+--- a/utility/dumpRSAPublicKey.c
++++ b/utility/dumpRSAPublicKey.c
+@@ -14,14 +14,20 @@
+ #include <string.h>
+ #include <unistd.h>
+ 
++#include "openssl_compat.h"
++
+ /* Command line tool to extract RSA public keys from X.509 certificates
+  * and output a pre-processed version of keys for use by RSA verification
+  * routines.
+  */
+ 
+ int check(RSA* key) {
+-  int public_exponent = BN_get_word(key->e);
+-  int modulus = BN_num_bits(key->n);
++  const BIGNUM *n, *e;
++  int public_exponent, modulus;
++
++  RSA_get0_key(key, &n, &e, NULL);
++  public_exponent = BN_get_word(e);
++  modulus = BN_num_bits(n);
+ 
+   if (public_exponent != 65537) {
+     fprintf(stderr, "WARNING: Public exponent should be 65537 (but is %d).\n",
+@@ -40,7 +46,8 @@ int check(RSA* key) {
+  */
+ void output(RSA* key) {
+   int i, nwords;
+-  BIGNUM *N = key->n;
++  const BIGNUM *key_n;
++  BIGNUM *N = NULL;
+   BIGNUM *Big1 = NULL, *Big2 = NULL, *Big32 = NULL, *BigMinus1 = NULL;
+   BIGNUM *B = NULL;
+   BIGNUM *N0inv= NULL, *R = NULL, *RR = NULL, *RRTemp = NULL, *NnumBits = NULL;
+@@ -48,14 +55,15 @@ void output(RSA* key) {
+   BN_CTX *bn_ctx = BN_CTX_new();
+   uint32_t n0invout;
+ 
+-  N = key->n;
+   /* Output size of RSA key in 32-bit words */
+-  nwords = BN_num_bits(N) / 32;
++  nwords = RSA_size(key) / 4;
+   if (-1 == write(1, &nwords, sizeof(nwords)))
+     goto failure;
+ 
+ 
+   /* Initialize BIGNUMs */
++  RSA_get0_key(key, &key_n, NULL, NULL);
++  N = BN_dup(key_n);
+   Big1 = BN_new();
+   Big2 = BN_new();
+   Big32 = BN_new();
+@@ -120,6 +128,7 @@ void output(RSA* key) {
+ 
+ failure:
+   /* Free BIGNUMs. */
++  BN_free(N);
+   BN_free(Big1);
+   BN_free(Big2);
+   BN_free(Big32);
+-- 
+2.14.1
+
-- 
2.17.1

[Buildroot] [PATCH 04/10] package/pound: Fix build with OpenSSL 1.1.x

[Patrick Havelange]

From: Bernd Kuhls <bernd.kuhls@t-online.de>

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

---
Changes v6:
  - none
---
 package/pound/0002-fix-openssl-1.1.0.patch | 331 +++++++++++++++++++++
 1 file changed, 331 insertions(+)
 create mode 100644 package/pound/0002-fix-openssl-1.1.0.patch

diff --git a/package/pound/0002-fix-openssl-1.1.0.patch b/package/pound/0002-fix-openssl-1.1.0.patch
new file mode 100644
index 0000000000..a94a6386b7
--- /dev/null
+++ b/package/pound/0002-fix-openssl-1.1.0.patch
@@ -0,0 +1,331 @@
+From a2c9dde4d055ea8942afb150b7fc3a807d4e5d60 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Wed, 28 Feb 2018 13:44:01 +0000
+Subject: [PATCH] Support for Openssl 1.1
+
+Downloaded from github fork:
+https://github.com/graygnuorg/pound/commit/a2c9dde4d055ea8942afb150b7fc3a807d4e5d60
+
+This patch was announced on the upstream mailinglist:
+http://www.apsis.ch/pound/pound_list/archive/2018/2018-03/1519920322000
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ .gitignore |  15 ++++++++
+ config.c   |  17 +++++++--
+ http.c     |  12 ++++++-
+ pound.h    |   4 ++-
+ svc.c      | 101 +++++++++++++++++++++++++++++++++++++++++++----------
+ 5 files changed, 125 insertions(+), 24 deletions(-)
+ create mode 100644 .gitignore
+
+diff --git a/config.c b/config.c
+index d41a3ee..e8fec0f 100644
+--- a/config.c
++++ b/config.c
+@@ -174,6 +174,16 @@ conf_fgets(char *buf, const int max)
+     }
+ }
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define general_name_string(n) \
++	strndup(ASN1_STRING_get0_data(n->d.dNSName),	\
++	        ASN1_STRING_length(n->d.dNSName) + 1)
++#else
++# define general_name_string(n) \
++	strndup(ASN1_STRING_data(n->d.dNSName),	\
++	       ASN1_STRING_length(n->d.dNSName) + 1)
++#endif
++
+ unsigned char **
+ get_subjectaltnames(X509 *x509, unsigned int *count)
+ {
+@@ -194,8 +204,7 @@ get_subjectaltnames(X509 *x509, unsigned int *count)
+         name = sk_GENERAL_NAME_pop(san_stack);
+         switch(name->type) {
+             case GEN_DNS:
+-                temp[local_count] = strndup(ASN1_STRING_data(name->d.dNSName), ASN1_STRING_length(name->d.dNSName)
+-                                    + 1);
++ 	        temp[local_count] = general_name_string(name);
+                 if(temp[local_count] == NULL)
+                     conf_err("out of memory");
+                 local_count++;
+@@ -565,7 +574,9 @@ parse_service(const char *svc_name)
+     pthread_mutex_init(&res->mut, NULL);
+     if(svc_name)
+         strncpy(res->name, svc_name, KEY_SIZE);
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    if((res->sessions = lh_TABNODE_new(t_hash, t_cmp)) == NULL)    
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     if((res->sessions = LHM_lh_new(TABNODE, t)) == NULL)
+ #else
+     if((res->sessions = lh_new(LHASH_HASH_FN(t_hash), LHASH_COMP_FN(t_cmp))) == NULL)
+diff --git a/http.c b/http.c
+index dd211e4..c8e756a 100644
+--- a/http.c
++++ b/http.c
+@@ -527,12 +527,22 @@ log_bytes(char *res, const LONG cnt)
+ 
+ /* Cleanup code. This should really be in the pthread_cleanup_push, except for bugs in some implementations */
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define clear_error()
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
++# define clear_error() \
++	if(ssl != NULL) { ERR_clear_error(); ERR_remove_thread_state(NULL); }
++#else
++# define clear_error() \
++	if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); }
++#endif
++
+ #define clean_all() {   \
+     if(ssl != NULL) { BIO_ssl_shutdown(cl); } \
+     if(be != NULL) { BIO_flush(be); BIO_reset(be); BIO_free_all(be); be = NULL; } \
+     if(cl != NULL) { BIO_flush(cl); BIO_reset(cl); BIO_free_all(cl); cl = NULL; } \
+     if(x509 != NULL) { X509_free(x509); x509 = NULL; } \
+-    if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); } \
++    clear_error(); \
+ }
+ 
+ /*
+diff --git a/pound.h b/pound.h
+index fa22c36..9603b91 100644
+--- a/pound.h
++++ b/pound.h
+@@ -344,7 +344,9 @@ typedef struct _tn {
+ /* maximal session key size */
+ #define KEY_SIZE    127
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++  DEFINE_LHASH_OF(TABNODE);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ DECLARE_LHASH_OF(TABNODE);
+ #endif
+ 
+diff --git a/svc.c b/svc.c
+index 60ba488..063b92c 100644
+--- a/svc.c
++++ b/svc.c
+@@ -27,10 +27,17 @@
+ 
+ #include    "pound.h"
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define TABNODE_GET_DOWN_LOAD(t) lh_TABNODE_get_down_load(t)
++# define TABNODE_SET_DOWN_LOAD(t,n) lh_TABNODE_set_down_load(t,n)
++#else
+ #ifndef LHASH_OF
+ #define LHASH_OF(x) LHASH
+ #define CHECKED_LHASH_OF(type, h) h
+ #endif
++# define TABNODE_GET_DOWN_LOAD(t) (CHECKED_LHASH_OF(TABNODE, t)->down_load)
++# define TABNODE_SET_DOWN_LOAD(t,n) (CHECKED_LHASH_OF(TABNODE, t)->down_load = n)
++#endif
+ 
+ /*
+  * Add a new key/content pair to a hash table
+@@ -58,7 +65,9 @@ t_add(LHASH_OF(TABNODE) *const tab, const char *key, const void *content, const
+     }
+     memcpy(t->content, content, cont_len);
+     t->last_acc = time(NULL);
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    if((old = lh_TABNODE_insert(tab, t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     if((old = LHM_lh_insert(TABNODE, tab, t)) != NULL) {
+ #else
+     if((old = (TABNODE *)lh_insert(tab, t)) != NULL) {
+@@ -82,7 +91,9 @@ t_find(LHASH_OF(TABNODE) *const tab, char *const key)
+     TABNODE t, *res;
+ 
+     t.key = key;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    if((res = lh_TABNODE_retrieve(tab, &t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     if((res = (TABNODE *)LHM_lh_retrieve(TABNODE, tab, &t)) != NULL) {
+ #else
+     if((res = (TABNODE *)lh_retrieve(tab, &t)) != NULL) {
+@@ -102,7 +113,9 @@ t_remove(LHASH_OF(TABNODE) *const tab, char *const key)
+     TABNODE t, *res;
+ 
+     t.key = key;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    if((res = lh_TABNODE_delete(tab, &t)) != NULL) {    
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     if((res = LHM_lh_delete(TABNODE, tab, &t)) != NULL) {
+ #else
+     if((res = (TABNODE *)lh_delete(tab, &t)) != NULL) {
+@@ -127,7 +140,9 @@ t_old_doall_arg(TABNODE *t, ALL_ARG *a)
+     TABNODE *res;
+ 
+     if(t->last_acc < a->lim)
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++        if((res = lh_TABNODE_delete(a->tab, t)) != NULL) {	    
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+         if((res = LHM_lh_delete(TABNODE, a->tab, t)) != NULL) {
+ #else
+         if((res = lh_delete(a->tab, t)) != NULL) {
+@@ -145,6 +160,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE, ALL_ARG)
+ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE *, ALL_ARG *)
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++IMPLEMENT_LHASH_DOALL_ARG(TABNODE,ALL_ARG);
++#endif
++
+ /*
+  * Expire all old nodes
+  */
+@@ -156,14 +175,16 @@ t_expire(LHASH_OF(TABNODE) *const tab, const time_t lim)
+ 
+     a.tab = tab;
+     a.lim = lim;
+-    down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
+-    CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++    down_load = TABNODE_GET_DOWN_LOAD(tab);
++    TABNODE_SET_DOWN_LOAD(tab, 0);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    lh_TABNODE_doall_ALL_ARG(tab, t_old_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_old), ALL_ARG, &a);
+ #else
+     lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_old), &a);
+ #endif
+-    CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
++    TABNODE_SET_DOWN_LOAD(tab, down_load);
+     return;
+ }
+ 
+@@ -173,7 +194,9 @@ t_cont_doall_arg(TABNODE *t, ALL_ARG *arg)
+     TABNODE *res;
+ 
+     if(memcmp(t->content, arg->content, arg->cont_len) == 0)
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++        if((res = lh_TABNODE_delete(arg->tab, t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+         if((res = LHM_lh_delete(TABNODE, arg->tab, t)) != NULL) {
+ #else
+         if((res = lh_delete(arg->tab, t)) != NULL) {
+@@ -203,15 +226,16 @@ t_clean(LHASH_OF(TABNODE) *const tab, void *const content, const size_t cont_len
+     a.tab = tab;
+     a.content = content;
+     a.cont_len = cont_len;
+-    down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
+-    CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++    down_load = TABNODE_GET_DOWN_LOAD(tab);
++    TABNODE_SET_DOWN_LOAD(tab, 0);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    lh_TABNODE_doall_ALL_ARG(tab, t_cont_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_cont), ALL_ARG, &a);
+ #else
+     lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_cont), &a);
+ #endif
+-    CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
+-    return;
++    TABNODE_SET_DOWN_LOAD(tab, down_load);
+ }
+ 
+ /*
+@@ -1262,6 +1286,31 @@ RSA_tmp_callback(/* not used */SSL *ssl, /* not used */int is_export, int keylen
+     return res;
+ }
+ 
++static int
++generate_key(RSA **ret_rsa, unsigned long bits)
++{
++#if OPENSSL_VERSION_NUMBER > 0x00908000L
++    int rc = 0;
++    RSA *rsa;
++
++    rsa = RSA_new();
++    if (rsa) {
++	BIGNUM *bne = BN_new();
++	if (BN_set_word(bne, RSA_F4))
++	    rc = RSA_generate_key_ex(rsa, bits, bne, NULL);
++	BN_free(bne);
++	if (rc)
++	    *ret_rsa = rsa;
++	else
++	    RSA_free(rsa);
++    }
++    return rc;
++#else
++    *ret_rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
++    return *ret_rsa != NULL;
++#endif
++}
++
+ /*
+  * Periodically regenerate ephemeral RSA keys
+  * runs every T_RSA_KEYS seconds
+@@ -1274,8 +1323,9 @@ do_RSAgen(void)
+     RSA *t_RSA1024_keys[N_RSA_KEYS];
+ 
+     for(n = 0; n < N_RSA_KEYS; n++) {
+-        t_RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL);
+-        t_RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL);
++        /* FIXME: Error handling */
++        generate_key(&t_RSA512_keys[n], 512);
++	generate_key(&t_RSA1024_keys[n], 1024);
+     }
+     if(ret_val = pthread_mutex_lock(&RSA_mut))
+         logmsg(LOG_WARNING, "thr_RSAgen() lock: %s", strerror(ret_val));
+@@ -1329,11 +1379,11 @@ init_timer(void)
+      * Pre-generate ephemeral RSA keys
+      */
+     for(n = 0; n < N_RSA_KEYS; n++) {
+-        if((RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
++        if(!generate_key(&RSA512_keys[n], 512)) {
+             logmsg(LOG_WARNING,"RSA_generate(%d, 512) failed", n);
+             return;
+         }
+-        if((RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) {
++        if(!generate_key(&RSA1024_keys[n], 1024)) {
+             logmsg(LOG_WARNING,"RSA_generate(%d, 1024) failed", n);
+             return;
+         }
+@@ -1420,6 +1470,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE, DUMP_ARG)
+ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE *, DUMP_ARG *)
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++IMPLEMENT_LHASH_DOALL_ARG(TABNODE,DUMP_ARG);
++#endif
++	
+ /*
+  * write sessions to the control socket
+  */
+@@ -1430,7 +1484,9 @@ dump_sess(const int control_sock, LHASH_OF(TABNODE) *const sess, BACKEND *const
+ 
+     a.control_sock = control_sock;
+     a.backends = backends;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    lh_TABNODE_doall_DUMP_ARG(sess, t_dump_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     LHM_lh_doall_arg(TABNODE, sess, LHASH_DOALL_ARG_FN(t_dump), DUMP_ARG, &a);
+ #else
+     lh_doall_arg(sess, LHASH_DOALL_ARG_FN(t_dump), &a);
+@@ -1664,6 +1720,13 @@ thr_control(void *arg)
+     }
+ }
+ 
++#ifndef SSL3_ST_SR_CLNT_HELLO_A
++# define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
++#endif
++#ifndef SSL23_ST_SR_CLNT_HELLO_A
++# define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
++#endif
++		
+ void
+ SSLINFO_callback(const SSL *ssl, int where, int rc)
+ {
-- 
2.17.1

[Buildroot] [PATCH 05/10] mariadb: use host-openssl from buildroot-system

[Patrick Havelange]

From: Peter Seiderer <ps.report@gmx.net>

- change WITH_SSL for host build from bundled to system (and add
  host-openssl dependency) to avoid the following configure failure:

  CMake Error at /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:137 (message):
    Could NOT find GnuTLS (missing: GNUTLS_LIBRARY GNUTLS_INCLUDE_DIR)
    (Required is at least version "3.3.24")
  Call Stack (most recent call first):
    /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:378 (_FPHSA_FAILURE_MESSAGE)
    /usr/share/cmake/Modules/FindGnuTLS.cmake:54 (FIND_PACKAGE_HANDLE_STANDARD_ARGS)
    libmariadb/CMakeLists.txt:298 (FIND_PACKAGE)

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

---
Changes v6:
  - none
---
 package/mariadb/mariadb.mk | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/mariadb/mariadb.mk b/package/mariadb/mariadb.mk
index e17649209a..e354a9137c 100644
--- a/package/mariadb/mariadb.mk
+++ b/package/mariadb/mariadb.mk
@@ -86,7 +86,8 @@ MARIADB_CONF_OPTS += \
 	-DMYSQL_DATADIR=/var/lib/mysql \
 	-DMYSQL_UNIX_ADDR=$(MYSQL_SOCKET)
 
-HOST_MARIADB_CONF_OPTS += -DWITH_SSL=OFF
+HOST_MARIADB_DEPENDENCIES = host-openssl
+HOST_MARIADB_CONF_OPTS += -DWITH_SSL=system
 
 # Some helpers must be compiled for host in order to crosscompile mariadb for
 # the target. They are then included by import_executables.cmake which is
-- 
2.17.1

[Buildroot] [PATCH 06/10] Introduce the variable BR2_TOOLCHAIN_HAS_UCONTEXT

[Patrick Havelange]

It is set when the platform exposes the struct ucontext_t.

This avoids duplication of logic inside each package requiring
the use of that type.

Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

---
Changes v6:
  - Wrap Config.in at 80 char
---
 package/libsigsegv/Config.in | 11 +----------
 toolchain/Config.in          | 10 ++++++++++
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/package/libsigsegv/Config.in b/package/libsigsegv/Config.in
index f258dc9e8a..8e89ff5aa4 100644
--- a/package/libsigsegv/Config.in
+++ b/package/libsigsegv/Config.in
@@ -1,15 +1,6 @@
 config BR2_PACKAGE_LIBSIGSEGV_ARCH_SUPPORTS
 	bool
-	# with glibc/musl, ucontext is available for all supported
-	# architectures
-	default y if BR2_TOOLCHAIN_USES_GLIBC
-	default y if BR2_TOOLCHAIN_USES_MUSL
-	# with uclibc, ucontext is only available for a subset of the
-	# supported architectures
-	default y if BR2_TOOLCHAIN_USES_UCLIBC && \
-		(BR2_ARM_CPU_HAS_ARM || BR2_i386 || \
-		 BR2_mips || BR2_mipsel || BR2_mips64 || BR2_mips64el || \
-		 BR2_sparc || BR2_x86_64)
+	default y if BR2_TOOLCHAIN_HAS_UCONTEXT
 
 config BR2_PACKAGE_LIBSIGSEGV
 	bool "libsigsegv"
diff --git a/toolchain/Config.in b/toolchain/Config.in
index baf192c936..275f9f9cdd 100644
--- a/toolchain/Config.in
+++ b/toolchain/Config.in
@@ -15,10 +15,16 @@ config BR2_TOOLCHAIN_USES_GLIBC
 	select BR2_TOOLCHAIN_HAS_THREADS
 	select BR2_TOOLCHAIN_HAS_THREADS_DEBUG
 	select BR2_TOOLCHAIN_HAS_THREADS_NPTL
+	select BR2_TOOLCHAIN_HAS_UCONTEXT
 	select BR2_TOOLCHAIN_SUPPORTS_PIE
 
 config BR2_TOOLCHAIN_USES_UCLIBC
 	bool
+	# ucontext is only available for a subset of the supported
+	# architectures
+	select BR2_TOOLCHAIN_HAS_UCONTEXT if BR2_ARM_CPU_HAS_ARM || BR2_i386 \
+		|| BR2_mips || BR2_mipsel || BR2_mips64 || BR2_mips64el \
+		|| BR2_sparc || BR2_x86_64
 	select BR2_TOOLCHAIN_SUPPORTS_PIE if !BR2_m68k && !BR2_microblaze && !BR2_STATIC_LIBS
 
 config BR2_TOOLCHAIN_USES_MUSL
@@ -28,6 +34,7 @@ config BR2_TOOLCHAIN_USES_MUSL
 	select BR2_TOOLCHAIN_HAS_THREADS
 	select BR2_TOOLCHAIN_HAS_THREADS_DEBUG
 	select BR2_TOOLCHAIN_HAS_THREADS_NPTL
+	select BR2_TOOLCHAIN_HAS_UCONTEXT
 	select BR2_TOOLCHAIN_SUPPORTS_PIE if !BR2_STATIC_LIBS
 
 choice
@@ -145,6 +152,9 @@ config BR2_TOOLCHAIN_HAS_THREADS_NPTL
 config BR2_TOOLCHAIN_HAS_SSP
 	bool
 
+config BR2_TOOLCHAIN_HAS_UCONTEXT
+	bool
+
 config BR2_TOOLCHAIN_SUPPORTS_PIE
 	bool
 
-- 
2.17.1

[Buildroot] [PATCH 07/10] package/thrift: bump to 0.12.0, add support for openssl 1.1.x

[Patrick Havelange]

Switching to CMake as the autotools are not crosscompiler compatible.
Removed the patches related to autotools as no longer used.
Added patch to avoid linker issue.
Added license hash.

Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

---
Changes v6:
  - Commit msg
  - Use SHA256 instead of md5
---
 ...ipedTransport-peek-to-avoid-linker-e.patch | 31 +++++++
 package/thrift/0001-libevent-cross.patch      | 16 ----
 package/thrift/0002-autoreconf.patch          | 28 -------
 package/thrift/0003-zlib-cross.patch          | 16 ----
 ...k-minimum-required-version-of-automa.patch | 47 -----------
 .../0005-configure.ac-C-11-is-optional.patch  | 28 -------
 package/thrift/thrift.hash                    |  6 +-
 package/thrift/thrift.mk                      | 84 +++++++++----------
 8 files changed, 73 insertions(+), 183 deletions(-)
 create mode 100644 package/thrift/0001-Force-to-keep-TPipedTransport-peek-to-avoid-linker-e.patch
 delete mode 100644 package/thrift/0001-libevent-cross.patch
 delete mode 100644 package/thrift/0002-autoreconf.patch
 delete mode 100644 package/thrift/0003-zlib-cross.patch
 delete mode 100644 package/thrift/0004-THRIFT-3071-check-minimum-required-version-of-automa.patch
 delete mode 100644 package/thrift/0005-configure.ac-C-11-is-optional.patch

diff --git a/package/thrift/0001-Force-to-keep-TPipedTransport-peek-to-avoid-linker-e.patch b/package/thrift/0001-Force-to-keep-TPipedTransport-peek-to-avoid-linker-e.patch
new file mode 100644
index 0000000000..92c55d05a4
--- /dev/null
+++ b/package/thrift/0001-Force-to-keep-TPipedTransport-peek-to-avoid-linker-e.patch
@@ -0,0 +1,31 @@
+From f87ae3963e651fe9f4b3125192c77aae86c007e0 Mon Sep 17 00:00:00 2001
+From: Patrick Havelange <patrick.havelange@essensium.com>
+Date: Mon, 21 Jan 2019 09:49:23 +0100
+Subject: [PATCH] Force to keep TPipedTransport::peek() to avoid linker error.
+
+Otherwise got the "defined in discarded section" linker error
+with x86-64-musl toolchain. This is probably a toolchain issue - the
+compiler shouldn't remove that function.
+
+Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
+Upstream-status: Not Applicable
+---
+ lib/cpp/src/thrift/transport/TTransportUtils.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/cpp/src/thrift/transport/TTransportUtils.h b/lib/cpp/src/thrift/transport/TTransportUtils.h
+index f3b4c5a..7589182 100644
+--- a/lib/cpp/src/thrift/transport/TTransportUtils.h
++++ b/lib/cpp/src/thrift/transport/TTransportUtils.h
+@@ -114,7 +114,7 @@ public:
+ 
+   bool isOpen() { return srcTrans_->isOpen(); }
+ 
+-  bool peek() {
++  bool __attribute__ ((used)) peek() {
+     if (rPos_ >= rLen_) {
+       // Double the size of the underlying buffer if it is full
+       if (rLen_ == rBufSize_) {
+-- 
+2.17.1
+
diff --git a/package/thrift/0001-libevent-cross.patch b/package/thrift/0001-libevent-cross.patch
deleted file mode 100644
index f07caa762a..0000000000
--- a/package/thrift/0001-libevent-cross.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Make it cross-compile happy the hard way, there's no clean way.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
-diff -Nura thrift-0.9.1.orig/aclocal/ax_lib_event.m4 thrift-0.9.1/aclocal/ax_lib_event.m4
---- thrift-0.9.1.orig/aclocal/ax_lib_event.m4	2013-08-15 11:04:29.000000000 -0300
-+++ thrift-0.9.1/aclocal/ax_lib_event.m4	2013-10-07 20:40:44.076435613 -0300
-@@ -75,7 +75,7 @@
-           AC_LANG_PUSH([C])
-           dnl This can be changed to AC_LINK_IFELSE if you are cross-compiling,
-           dnl but then the version cannot be checked.
--          AC_RUN_IFELSE([AC_LANG_PROGRAM([[
-+          AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-           #include <sys/types.h>
-           #include <event.h>
-           ]], [[
diff --git a/package/thrift/0002-autoreconf.patch b/package/thrift/0002-autoreconf.patch
deleted file mode 100644
index 1a52f7c70d..0000000000
--- a/package/thrift/0002-autoreconf.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Fillers to make autoreconf (automake) happy.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
-diff -Nura thrift-0.9.2.orig/AUTHORS thrift-0.9.2/AUTHORS
---- thrift-0.9.2.orig/AUTHORS	1969-12-31 21:00:00.000000000 -0300
-+++ thrift-0.9.2/AUTHORS	2014-12-05 14:46:20.431211224 -0300
-@@ -0,0 +1,2 @@
-+
-+
-diff -Nura thrift-0.9.2.orig/ChangeLog thrift-0.9.2/ChangeLog
---- thrift-0.9.2.orig/ChangeLog	1969-12-31 21:00:00.000000000 -0300
-+++ thrift-0.9.2/ChangeLog	2014-12-05 14:46:34.290686170 -0300
-@@ -0,0 +1,2 @@
-+
-+
-diff -Nura thrift-0.9.2.orig/NEWS thrift-0.9.2/NEWS
---- thrift-0.9.2.orig/NEWS	1969-12-31 21:00:00.000000000 -0300
-+++ thrift-0.9.2/NEWS	2014-12-05 14:46:32.308618241 -0300
-@@ -0,0 +1,2 @@
-+
-+
-diff -Nura thrift-0.9.2.orig/README thrift-0.9.2/README
---- thrift-0.9.2.orig/README	1969-12-31 21:00:00.000000000 -0300
-+++ thrift-0.9.2/README	2014-12-05 14:46:28.305481028 -0300
-@@ -0,0 +1,2 @@
-+
-+
diff --git a/package/thrift/0003-zlib-cross.patch b/package/thrift/0003-zlib-cross.patch
deleted file mode 100644
index 3af39c4691..0000000000
--- a/package/thrift/0003-zlib-cross.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Make zlib version detection cross-compile happy.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
-diff -Nura thrift-0.9.1.orig/aclocal/ax_lib_zlib.m4 thrift-0.9.1/aclocal/ax_lib_zlib.m4
---- thrift-0.9.1.orig/aclocal/ax_lib_zlib.m4	2013-08-15 11:04:29.000000000 -0300
-+++ thrift-0.9.1/aclocal/ax_lib_zlib.m4	2013-10-07 20:47:44.523177973 -0300
-@@ -73,7 +73,7 @@
-           #   (defined in the library).
-           AC_LANG_PUSH([C])
-           dnl This can be changed to AC_LINK_IFELSE if you are cross-compiling.
--          AC_RUN_IFELSE([AC_LANG_PROGRAM([[
-+          AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-           #include <zlib.h>
-           #if ZLIB_VERNUM >= 0x$WANT_ZLIB_VERSION
-           #else
diff --git a/package/thrift/0004-THRIFT-3071-check-minimum-required-version-of-automa.patch b/package/thrift/0004-THRIFT-3071-check-minimum-required-version-of-automa.patch
deleted file mode 100644
index ec2e22566c..0000000000
--- a/package/thrift/0004-THRIFT-3071-check-minimum-required-version-of-automa.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 9b03d2b02d32302008d2bd0218b31b9a0ca5a748 Mon Sep 17 00:00:00 2001
-From: Jens Geyer <jensg@apache.org>
-Date: Fri, 3 Apr 2015 12:37:03 +0200
-Subject: [PATCH] THRIFT-3071 check minimum required version of automake in bootstrap.sh
-Client: Build process
-Patch: James E. King, III <jim.king@simplivity.com>
-
-This closes #421
-
-- remove a warning when using libtool
-
-"libtoolize: Consider adding 'AC_CONFIG_MACRO_DIRS([./aclocal])' to configure.ac,"
-
-[Romain:
-  - This is upstream commit 4aa95df383bfa13c46a4dc0b41672ec29d476300
-  - remove the part for bootstrap.sh which is not
-    bundled in thrift archive.
-  - fix the commit log accordingly]
-
-Signed-off-by: Romain Naour <romain.naour@openwide.fr>
----
- configure.ac | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 5fa611e..8daeb03 100755
---- a/configure.ac
-+++ b/configure.ac
-@@ -18,6 +18,7 @@
- #
- 
- AC_PREREQ(2.65)
-+AC_CONFIG_MACRO_DIR([./aclocal])
- 
- AC_INIT([thrift], [0.9.2])
- 
-@@ -540,6 +541,7 @@ AC_CHECK_FUNCS([memset])
- AC_CHECK_FUNCS([mkdir])
- AC_CHECK_FUNCS([realpath])
- AC_CHECK_FUNCS([select])
-+AC_CHECK_FUNCS([setlocale])
- AC_CHECK_FUNCS([socket])
- AC_CHECK_FUNCS([strchr])
- AC_CHECK_FUNCS([strdup])
--- 
-1.9.3
-
diff --git a/package/thrift/0005-configure.ac-C-11-is-optional.patch b/package/thrift/0005-configure.ac-C-11-is-optional.patch
deleted file mode 100644
index 9ed7e0a691..0000000000
--- a/package/thrift/0005-configure.ac-C-11-is-optional.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 9c3a7e79b256730dd85a7acadbaf57ab018b3127 Mon Sep 17 00:00:00 2001
-From: Romain Naour <romain.naour@openwide.fr>
-Date: Tue, 7 Apr 2015 07:37:26 +0200
-Subject: [PATCH] configure.ac: C++11 is optional
-
-Thrift build fine whitout c++11 support.
-
-Signed-off-by: Romain Naour <romain.naour@openwide.fr>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 8daeb03..bfd49ae 100755
---- a/configure.ac
-+++ b/configure.ac
-@@ -99,7 +99,7 @@ AC_PROG_AWK
- AC_PROG_RANLIB
- 
- AC_LANG([C++])
--AX_CXX_COMPILE_STDCXX_11([noext])
-+AX_CXX_COMPILE_STDCXX_11([noext], [optional])
- 
- AC_ARG_ENABLE([libs],
-   AS_HELP_STRING([--enable-libs], [build the Apache Thrift libraries [default=yes]]),
--- 
-1.9.3
-
diff --git a/package/thrift/thrift.hash b/package/thrift/thrift.hash
index 811aa988e3..7aca8b5a7e 100644
--- a/package/thrift/thrift.hash
+++ b/package/thrift/thrift.hash
@@ -1,2 +1,4 @@
-# From https://www.apache.org/dist/thrift/0.9.2/thrift-0.9.2.tar.gz.md5
-md5	89f63cc4d0100912f4a1f8a9dee63678	thrift-0.9.2.tar.gz
+# From https://www.apache.org/dist/thrift/0.12.0/thrift-0.12.0.tar.gz.sha256
+sha256  c336099532b765a6815173f62df0ed897528a9d551837d627c1f87fadad90428	thrift-0.12.0.tar.gz
+# License files, locally calculated
+sha256  23df881cec3192d1f4474633c14eb2ec30a45b84f8daeb82b9de5d2bd3ac8218        LICENSE
diff --git a/package/thrift/thrift.mk b/package/thrift/thrift.mk
index 741d33f571..8a284229a1 100644
--- a/package/thrift/thrift.mk
+++ b/package/thrift/thrift.mk
@@ -4,75 +4,67 @@
 #
 ################################################################################
 
-THRIFT_VERSION = 0.9.2
+THRIFT_VERSION = 0.12.0
 THRIFT_SITE = http://www.us.apache.org/dist/thrift/$(THRIFT_VERSION)
-THRIFT_DEPENDENCIES = host-autoconf-archive host-pkgconf host-thrift boost \
+THRIFT_LICENSE = Apache-2.0
+THRIFT_LICENSE_FILES = LICENSE
+
+THRIFT_DEPENDENCIES = host-pkgconf host-thrift boost \
 	libevent openssl zlib
 THRIFT_INSTALL_STAGING = YES
-HOST_THRIFT_DEPENDENCIES = host-autoconf-archive host-bison host-boost \
+HOST_THRIFT_DEPENDENCIES = host-bison host-boost \
 	host-flex host-libevent host-openssl host-pkgconf host-zlib
 
-THRIFT_CONF_OPTS = --with-sysroot=$(STAGING_DIR) \
-	--with-boost \
-	--with-boost-libdir=$(STAGING_DIR)/usr/lib \
-	--disable-tests \
-	--disable-tutorial
-HOST_THRIFT_CONF_OPTS = --with-sysroot=$(HOST_DIR) \
-	--disable-tests \
-	--disable-tutorial
-THRIFT_AUTORECONF = YES
-THRIFT_AUTORECONF_OPTS = -I $(HOST_DIR)/share/autoconf-archive
-THRIFT_LICENSE = Apache-2.0
-THRIFT_LICENSE_FILES = LICENSE
+THRIFT_COMMON_CONF_OPTS = -DBUILD_TUTORIALS=OFF \
+	-DBUILD_TESTING=OFF \
+	-DWITH_PYTHON=OFF \
+	-DWITH_JAVA=OFF \
+	-DWITH_QT5=OFF
+
+THRIFT_CONF_OPTS = $(THRIFT_COMMON_CONF_OPTS) -DBUILD_COMPILER=OFF
+HOST_THRIFT_CONF_OPTS = $(THRIFT_COMMON_CONF_OPTS) -DBUILD_COMPILER=ON
 
 # relocation truncated to fit: R_68K_GOT16O
 ifeq ($(BR2_m68k_cf),y)
 THRIFT_CONF_ENV += CXXFLAGS="$(TARGET_CXXFLAGS) -mxgot"
 endif
 
+# thrift doesn't use the regular flags BUILD_{STATIC,SHARED}_LIBS
 ifeq ($(BR2_STATIC_LIBS),y)
 # openssl uses zlib, so we need to explicitly link with it when static
 THRIFT_CONF_ENV += LIBS=-lz
+THRIFT_CONF_OPTS += -DWITH_STATIC_LIB=ON -DWITH_BOOST_STATIC=ON -DWITH_SHARED_LIB=OFF
+else ifeq ($(BR2_SHARED_LIBS),y)
+THRIFT_CONF_OPTS += -DWITH_STATIC_LIB=OFF -DWITH_BOOST_STATIC=OFF -DWITH_SHARED_LIB=ON
+else
+# BR2_SHARED_STATIC_LIBS
+THRIFT_CONF_OPTS += -DWITH_STATIC_LIB=ON -DWITH_BOOST_STATIC=OFF -DWITH_SHARED_LIB=ON
 endif
 
-# Language selection
-# The generator (host tool) works with all of them regardless
-# This is just for the libraries / bindings
-THRIFT_LANG_CONF_OPTS += --without-csharp --without-java --without-erlang \
-	--without-python --without-perl --without-php --without-php_extension \
-	--without-ruby --without-haskell --without-go --without-d \
-	--without-qt4 --without-lua
-HOST_THRIFT_CONF_OPTS += $(THRIFT_LANG_CONF_OPTS) --without-c_glib
-THRIFT_CONF_OPTS += $(THRIFT_LANG_CONF_OPTS)
+# Language selection for the compiler
+HOST_THRIFT_CONF_OPTS += -DTHRIFT_COMPILER_CSHARP=OFF \
+	-DTHRIFT_COMPILER_JAVA=OFF \
+	-DTHRIFT_COMPILER_ERL=OFF \
+	-DTHRIFT_COMPILER_PY=OFF \
+	-DTHRIFT_COMPILER_PERL=OFF \
+	-DTHRIFT_COMPILER_PHP=OFF \
+	-DTHRIFT_COMPILER_RB=OFF \
+	-DTHRIFT_COMPILER_HS=OFF \
+	-DTHRIFT_COMPILER_GO=OFF \
+	-DTHRIFT_COMPILER_D=OFF \
+	-DTHRIFT_COMPILER_LUA=OFF \
+	-DBUILD_C_GLIB=OFF
 
 # C bindings
 ifeq ($(BR2_PACKAGE_LIBGLIB2),y)
 THRIFT_DEPENDENCIES += libglib2
+THRIFT_CONF_OPTS += -DBUILD_C_GLIB=ON
 else
-THRIFT_CONF_OPTS += --without-c_glib
+THRIFT_CONF_OPTS += -DBUILD_C_GLIB=OFF
 endif
 
-# De-hardcode THRIFT for cross compiling
-define THRIFT_TOOL_NO_HARDCODE
-	for f in `find $(@D) -name Makefile.am -type f`; do \
-		$(SED) "/^THRIFT =/d" $$f; \
-	done
-	$(SED) "s:top_builddir)/compiler/cpp/thrift:THRIFT):" $(@D)/tutorial/Makefile.am
-endef
-
-THRIFT_POST_PATCH_HOOKS += THRIFT_TOOL_NO_HARDCODE
-
-define THRIFT_BUILD_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE) THRIFT=$(HOST_DIR)/bin/thrift -C $(@D)
-endef
-
-# Install runtime only
-define THRIFT_INSTALL_TARGET_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D)/lib DESTDIR=$(TARGET_DIR) install
-endef
-
-$(eval $(autotools-package))
-$(eval $(host-autotools-package))
+$(eval $(cmake-package))
+$(eval $(host-cmake-package))
 
 # to be used by other packages
 THRIFT = $(HOST_DIR)/bin/thrift
-- 
2.17.1

[Buildroot] [PATCH 08/10] package/rtmpdump: Fix compilation issues with openssl 1.1.x

[Patrick Havelange]

From: Vadim Kochan <vadim4j@gmail.com>

Upstream is dead, other distros use gnutls exclusively,
so patch is not sent upstream.

Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

---
Changes v6:
  - Commit msg
---
 ...p-Fix-compilation-with-openssl-1.1.x.patch | 276 ++++++++++++++++++
 1 file changed, 276 insertions(+)
 create mode 100644 package/rtmpdump/0001-librtmp-Fix-compilation-with-openssl-1.1.x.patch

diff --git a/package/rtmpdump/0001-librtmp-Fix-compilation-with-openssl-1.1.x.patch b/package/rtmpdump/0001-librtmp-Fix-compilation-with-openssl-1.1.x.patch
new file mode 100644
index 0000000000..44e70b495a
--- /dev/null
+++ b/package/rtmpdump/0001-librtmp-Fix-compilation-with-openssl-1.1.x.patch
@@ -0,0 +1,276 @@
+From f3ca4b9450e273afc5b773e5e5637b7fcbc71dd8 Mon Sep 17 00:00:00 2001
+From: Vadim Kochan <vadim4j@gmail.com>
+Date: Fri, 18 Jan 2019 01:15:33 +0200
+Subject: [PATCH] librtmp: Fix compilation with openssl 1.1.x
+
+Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
+---
+ librtmp/dh.h        | 70 +++++++++++++++++++++++++++++++++++++++++++----------
+ librtmp/handshake.h | 13 ++++++----
+ librtmp/hashswf.c   | 18 +++++++++-----
+ librtmp/rtmp.c      |  4 +--
+ 4 files changed, 78 insertions(+), 27 deletions(-)
+
+diff --git a/librtmp/dh.h b/librtmp/dh.h
+index 5fc3f32..2cf6b8c 100644
+--- a/librtmp/dh.h
++++ b/librtmp/dh.h
+@@ -186,6 +186,32 @@ typedef BIGNUM * MP_t;
+ #define MDH_free(dh)  DH_free(dh)
+ #define MDH_generate_key(dh)  DH_generate_key(dh)
+ #define MDH_compute_key(secret, seclen, pub, dh)      DH_compute_key(secret, pub, dh)
++#define MDH_set_g(dh, g) DH_set0_pqg(dh, NULL, NULL, g)
++#define MDH_set_p(dh, p) DH_set0_pqg(dh, p, NULL, NULL)
++#define MDH_set_len(dh, l) DH_set_length(dh, l)
++#define MDH_set_pub_key(dh, pub) DH_set0_key(dh, pub, NULL)
++#define MDH_set_priv_key(dh, priv) DH_set0_key(dh, NULL, priv)
++
++static inline BIGNUM *MDH_get_p(DH *dh)
++{
++  const BIGNUM *p;
++  DH_get0_pqg(dh, &p, NULL, NULL);
++  return (BIGNUM *) p;
++}
++
++static inline BIGNUM *MDH_get_pub_key(DH *dh)
++{
++  const BIGNUM *pub;
++  DH_get0_key(dh, &pub, NULL);
++  return (BIGNUM *) pub;
++}
++
++static inline BIGNUM *MDH_get_priv_key(DH *dh)
++{
++  const BIGNUM *priv;
++  DH_get0_key(dh, NULL, &priv);
++  return (BIGNUM *) priv;
++}
+
+ #endif
+
+@@ -249,24 +275,28 @@ DHInit(int nKeyBits)
+ {
+   size_t res;
+   MDH *dh = MDH_new();
++  MP_t g, p;
+
+   if (!dh)
+     goto failed;
+
+-  MP_new(dh->g);
++  MP_new(g);
+
+-  if (!dh->g)
++  if (g)
+     goto failed;
+
+-  MP_gethex(dh->p, P1024, res);       /* prime P1024, see dhgroups.h */
++  MDH_set_g(dh, g);
++  p = MDH_get_p(dh);
++  MP_gethex(p, P1024, res);   /* prime P1024, see dhgroups.h */
+   if (!res)
+     {
+       goto failed;
+     }
+
+-  MP_set_w(dh->g, 2); /* base 2 */
++  MDH_set_p(dh, p);
++  MP_set_w(g, 2);     /* base 2 */
++  MDH_set_len(dh, nKeyBits);
+
+-  dh->length = nKeyBits;
+   return dh;
+
+ failed:
+@@ -286,6 +316,9 @@ DHGenerateKey(MDH *dh)
+   while (!res)
+     {
+       MP_t q1 = NULL;
++      MP_t priv_key;
++      MP_t pub_key;
++      MP_t p;
+
+       if (!MDH_generate_key(dh))
+       return 0;
+@@ -293,12 +326,17 @@ DHGenerateKey(MDH *dh)
+       MP_gethex(q1, Q1024, res);
+       assert(res);
+
+-      res = isValidPublicKey(dh->pub_key, dh->p, q1);
++      priv_key = MDH_get_priv_key(dh);
++      pub_key = MDH_get_pub_key(dh);
++      p = MDH_get_p(dh);
++
++      res = isValidPublicKey(pub_key, p, q1);
+       if (!res)
+       {
+-        MP_free(dh->pub_key);
+-        MP_free(dh->priv_key);
+-        dh->pub_key = dh->priv_key = 0;
++        MP_free(pub_key);
++        MP_free(priv_key);
++        MDH_set_pub_key(dh, NULL);
++        MDH_set_priv_key(dh, NULL);
+       }
+
+       MP_free(q1);
+@@ -313,16 +351,22 @@ DHGenerateKey(MDH *dh)
+ static int
+ DHGetPublicKey(MDH *dh, uint8_t *pubkey, size_t nPubkeyLen)
+ {
++  MP_t pub_key;
+   int len;
+-  if (!dh || !dh->pub_key)
++
++  if (!dh)
++    return 0;
++
++  pub_key = MDH_get_pub_key(dh);
++  if (!pub_key)
+     return 0;
+
+-  len = MP_bytes(dh->pub_key);
++  len = MP_bytes(pub_key);
+   if (len <= 0 || len > (int) nPubkeyLen)
+     return 0;
+
+   memset(pubkey, 0, nPubkeyLen);
+-  MP_setbin(dh->pub_key, pubkey + (nPubkeyLen - len), len);
++  MP_setbin(pub_key, pubkey + (nPubkeyLen - len), len);
+   return 1;
+ }
+
+@@ -364,7 +408,7 @@ DHComputeSharedSecretKey(MDH *dh, uint8_t *pubkey, size_t nPubkeyLen,
+   MP_gethex(q1, Q1024, len);
+   assert(len);
+
+-  if (isValidPublicKey(pubkeyBn, dh->p, q1))
++  if (isValidPublicKey(pubkeyBn, MDH_get_p(dh), q1))
+     res = MDH_compute_key(secret, nPubkeyLen, pubkeyBn, dh);
+   else
+     res = -1;
+diff --git a/librtmp/handshake.h b/librtmp/handshake.h
+index 0438486..1e84b3a 100644
+--- a/librtmp/handshake.h
++++ b/librtmp/handshake.h
+@@ -69,9 +69,9 @@ typedef struct arcfour_ctx*  RC4_handle;
+ #if OPENSSL_VERSION_NUMBER < 0x0090800 || !defined(SHA256_DIGEST_LENGTH)
+ #error Your OpenSSL is too old, need 0.9.8 or newer with SHA256
+ #endif
+-#define HMAC_setup(ctx, key, len)     HMAC_CTX_init(&ctx); HMAC_Init_ex(&ctx, key, len, EVP_sha256(), 0)
+-#define HMAC_crunch(ctx, buf, len)    HMAC_Update(&ctx, buf, len)
+-#define HMAC_finish(ctx, dig, dlen)   HMAC_Final(&ctx, dig, &dlen); HMAC_CTX_cleanup(&ctx)
++#define HMAC_setup(ctx, key, len)     HMAC_CTX_reset(ctx); HMAC_Init_ex(ctx, key, len, EVP_sha256(), 0)
++#define HMAC_crunch(ctx, buf, len)    HMAC_Update(ctx, buf, len)
++#define HMAC_finish(ctx, dig, dlen)   HMAC_Final(ctx, dig, &dlen);
+
+ typedef RC4_KEY *     RC4_handle;
+ #define RC4_alloc(h)  *h = malloc(sizeof(RC4_KEY))
+@@ -117,7 +117,7 @@ static void InitRC4Encryption
+ {
+   uint8_t digest[SHA256_DIGEST_LENGTH];
+   unsigned int digestLen = 0;
+-  HMAC_CTX ctx;
++  HMAC_CTX *ctx = HMAC_CTX_new();
+
+   RC4_alloc(rc4keyIn);
+   RC4_alloc(rc4keyOut);
+@@ -139,6 +139,8 @@ static void InitRC4Encryption
+   RTMP_LogHex(RTMP_LOGDEBUG, digest, 16);
+
+   RC4_setkey(*rc4keyIn, 16, digest);
++
++  HMAC_CTX_free(ctx);
+ }
+
+ typedef unsigned int (getoff)(uint8_t *buf, unsigned int len);
+@@ -266,12 +268,13 @@ HMACsha256(const uint8_t *message, size_t messageLen, const uint8_t *key,
+          size_t keylen, uint8_t *digest)
+ {
+   unsigned int digestLen;
+-  HMAC_CTX ctx;
++  HMAC_CTX *ctx = HMAC_CTX_new();
+
+   HMAC_setup(ctx, key, keylen);
+   HMAC_crunch(ctx, message, messageLen);
+   HMAC_finish(ctx, digest, digestLen);
+
++  HMAC_CTX_free(ctx);
+   assert(digestLen == 32);
+ }
+
+diff --git a/librtmp/hashswf.c b/librtmp/hashswf.c
+index 9f4e2c0..ba2c228 100644
+--- a/librtmp/hashswf.c
++++ b/librtmp/hashswf.c
+@@ -57,10 +57,10 @@
+ #include <openssl/sha.h>
+ #include <openssl/hmac.h>
+ #include <openssl/rc4.h>
+-#define HMAC_setup(ctx, key, len)     HMAC_CTX_init(&ctx); HMAC_Init_ex(&ctx, (unsigned char *)key, len, EVP_sha256(), 0)
+-#define HMAC_crunch(ctx, buf, len)    HMAC_Update(&ctx, (unsigned char *)buf, len)
+-#define HMAC_finish(ctx, dig, dlen)   HMAC_Final(&ctx, (unsigned char *)dig, &dlen);
+-#define HMAC_close(ctx)       HMAC_CTX_cleanup(&ctx)
++#define HMAC_setup(ctx, key, len)     HMAC_CTX_reset(ctx); HMAC_Init_ex(ctx, (unsigned char *)key, len, EVP_sha256(), 0)
++#define HMAC_crunch(ctx, buf, len)    HMAC_Update(ctx, (unsigned char *)buf, len)
++#define HMAC_finish(ctx, dig, dlen)   HMAC_Final(ctx, (unsigned char *)dig, &dlen);
++#define HMAC_close(ctx)
+ #endif
+
+ extern void RTMP_TLS_Init();
+@@ -289,7 +289,7 @@ leave:
+ struct info
+ {
+   z_stream *zs;
+-  HMAC_CTX ctx;
++  HMAC_CTX *ctx;
+   int first;
+   int zlib;
+   int size;
+@@ -582,6 +582,10 @@ RTMP_HashSWF(const char *url, unsigned int *size, unsigned char *hash,
+     }
+
+   in.first = 1;
++  in.ctx = HMAC_CTX_new();
++  if (!in.ctx)
++    goto out;
++
+   HMAC_setup(in.ctx, "Genuine Adobe Flash Player 001", 30);
+   inflateInit(&zs);
+   in.zs = &zs;
+@@ -621,7 +625,7 @@ RTMP_HashSWF(const char *url, unsigned int *size, unsigned char *hash,
+                 "%s: couldn't open %s for writing, errno %d (%s)",
+                 __FUNCTION__, path, err, strerror(err));
+             ret = -1;
+-            goto out;
++            goto free_ctx;
+           }
+         fseek(f, 0, SEEK_END);
+         q = strchr(url, '?');
+@@ -649,6 +653,8 @@ RTMP_HashSWF(const char *url, unsigned int *size, unsigned char *hash,
+       }
+     }
+   HMAC_close(in.ctx);
++free_ctx:
++  HMAC_CTX_free(in.ctx);
+ out:
+   free(path);
+   if (f)
+diff --git a/librtmp/rtmp.c b/librtmp/rtmp.c
+index a2863b0..c995568 100644
+--- a/librtmp/rtmp.c
++++ b/librtmp/rtmp.c
+@@ -245,9 +245,7 @@ RTMP_TLS_Init()
+       "ca.pem", GNUTLS_X509_FMT_PEM);
+ #elif !defined(NO_SSL) /* USE_OPENSSL */
+   /* libcrypto doesn't need anything special */
+-  SSL_load_error_strings();
+-  SSL_library_init();
+-  OpenSSL_add_all_digests();
++  OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+   RTMP_TLS_ctx = SSL_CTX_new(SSLv23_method());
+   SSL_CTX_set_options(RTMP_TLS_ctx, SSL_OP_ALL);
+   SSL_CTX_set_default_verify_paths(RTMP_TLS_ctx);
+--
+2.14.1
+
-- 
2.17.1

[Buildroot] [PATCH 09/10] freeswitch: bump to git master 8f10ae54a18a19fc6ed938e4f662bd218ba54b5e

[Patrick Havelange]

From: Peter Seiderer <ps.report@gmx.net>

Enables openssl-1.1.0h compatible compile.

- add bootstrap.sh post-patch call (normal AUTORECONF is broken)
- add tiff dependency (bundled tiff source is gone)
- rebase (and git format) 001-libvpx-cross.patch patch
- update libs/srtp/LICENSE file hash (updated copyright year)

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
---
 .../0001-Fix-cross-compiling-libvpx.patch     | 30 ++++++++++++-------
 package/freeswitch/freeswitch.hash            | 11 +++----
 package/freeswitch/freeswitch.mk              | 16 ++++++++--
 3 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/package/freeswitch/0001-Fix-cross-compiling-libvpx.patch b/package/freeswitch/0001-Fix-cross-compiling-libvpx.patch
index 1d4b97a7a0..9542d037ed 100644
--- a/package/freeswitch/0001-Fix-cross-compiling-libvpx.patch
+++ b/package/freeswitch/0001-Fix-cross-compiling-libvpx.patch
@@ -1,4 +1,7 @@
-Fix cross-compiling libvpx
+From 4ba073af7877242a79579b040e3be00bed4275cc Mon Sep 17 00:00:00 2001
+From: Bernd Kuhls <bernd.kuhls@t-online.de>
+Date: Thu, 3 May 2018 22:24:23 +0200
+Subject: [PATCH] Fix cross-compiling libvpx
 
 Freeswitch since version 1.6.7 only uses an in-tree-version of libvpx:
 https://freeswitch.org/fisheye/changelog/freeswitch?cs=febe0f8dacea2d2a31902b3dc469be757f8c3c4d
@@ -10,20 +13,27 @@ package/freeswitch/freeswitch.mk and add target=generic-gnu as
 configure parameter:
 https://freeswitch.org/stash/projects/FS/repos/freeswitch/browse/libs/libvpx/README#110
 
-And yes, autoreconf is also broken, so we patch Makefile.in instead
-of Makefile.am.
-
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 
-diff -uNr freeswitch-1.6.7.org/Makefile.in freeswitch-1.6.7/Makefile.in
---- freeswitch-1.6.7.org/Makefile.in	2016-04-01 18:09:54.000000000 +0200
-+++ freeswitch-1.6.7/Makefile.in	2016-04-22 20:11:37.938961730 +0200
-@@ -4025,7 +4025,7 @@
+[rebased on freeswitch git master branch]
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 53bd7c66aa..2e4059740a 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -567,7 +567,7 @@ libs/libzrtp/libzrtp.a:
  	cd libs/libzrtp && $(MAKE)
  
  libs/libvpx/Makefile:
--	cd libs/libvpx && CC="$(CC)" CXX="$(CXX)" CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --enable-pic --disable-docs --disable-examples --disable-install-bins --disable-install-srcs --disable-unit-tests --size-limit=16384x16384 --extra-cflags="$(VISIBILITY_FLAG)"
-+	cd libs/libvpx && CROSS=$(CROSS) CC="$(CC)" CXX="$(CXX)" CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --target=generic-gnu --enable-pic --disable-docs --disable-examples --disable-install-bins --disable-install-srcs --disable-unit-tests --size-limit=16384x16384 --extra-cflags="$(VISIBILITY_FLAG)"
+-	cd libs/libvpx && CC="$(CC)" CXX="$(CXX)" CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --enable-pic --disable-docs --disable-examples --disable-install-bins --disable-install-srcs --disable-unit-tests --extra-cflags="$(VISIBILITY_FLAG)"
++	cd libs/libvpx && CROSS=$(CROSS) CC="$(CC)" CXX="$(CXX)" CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --target=generic-gnu --enable-pic --disable-docs --disable-examples --disable-install-bins --disable-install-srcs --disable-unit-tests --extra-cflags="$(VISIBILITY_FLAG)"
  
  libs/libvpx/libvpx.a: libs/libvpx/Makefile
  	@cd libs/libvpx && $(MAKE)
+-- 
+2.19.2
+
diff --git a/package/freeswitch/freeswitch.hash b/package/freeswitch/freeswitch.hash
index dab2fb237b..23dab45dc5 100644
--- a/package/freeswitch/freeswitch.hash
+++ b/package/freeswitch/freeswitch.hash
@@ -1,10 +1,7 @@
-# From http://files.freeswitch.org/freeswitch-releases/freeswitch-1.8.2.tar.xz.md5
-md5 61de81cd70afb056dde7b1dcb91ad967 freeswitch-1.8.2.tar.xz
-# From http://files.freeswitch.org/freeswitch-releases/freeswitch-1.8.2.tar.xz.sha1
-sha1 f2c077db40b05c5fdf66cbe77bd879f41132f79a freeswitch-1.8.2.tar.xz
-# From http://files.freeswitch.org/freeswitch-releases/freeswitch-1.8.2.tar.xz.sha256
-sha256 ebcf3db970ea9bb534c0983a1c9eef88395deb6e0902d8d6407bf217b2f27b9a freeswitch-1.8.2.tar.xz
-# Locally computed
+# Locally computed:
+sha256 56d932c001f3cc53b6ee5d835536b01fceacf1e360a6b48c5c1265eda5d6be86  freeswitch-8f10ae54a18a19fc6ed938e4f662bd218ba54b5e.tar.gz
+
+# License files:
 sha256 10299420c1e8602c0daf5a59d022621cd72a9148d1f0f33501edb3db3445c7fe  COPYING
 sha256 e8e26b16da14aa3e6ed5c22c705fdc1f45d6225fca461ea9f7314bcdfdc414c4  libs/apr/LICENSE
 sha256 1eefb2ea1db0af7729a9d8a27d7c65d8a37ab185393f935b029aac6828ce315a  libs/apr-util/LICENSE
diff --git a/package/freeswitch/freeswitch.mk b/package/freeswitch/freeswitch.mk
index 577d6c9450..a7d52995ce 100644
--- a/package/freeswitch/freeswitch.mk
+++ b/package/freeswitch/freeswitch.mk
@@ -4,9 +4,10 @@
 #
 ################################################################################
 
-FREESWITCH_VERSION = 1.8.2
-FREESWITCH_SOURCE = freeswitch-$(FREESWITCH_VERSION).tar.xz
-FREESWITCH_SITE = http://files.freeswitch.org/freeswitch-releases
+FREESWITCH_VERSION = 8f10ae54a18a19fc6ed938e4f662bd218ba54b5e
+#FREESWITCH_SOURCE = freeswitch-$(FREESWITCH_VERSION).tar.xz
+FREESWITCH_SITE = https://freeswitch.org/stash/scm/fs/freeswitch.git
+FREESWITCH_SITE_METHOD = git
 # External modules need headers/libs from staging
 FREESWITCH_INSTALL_STAGING = YES
 FREESWITCH_LICENSE = MPL-1.1, \
@@ -38,6 +39,15 @@ FREESWITCH_DEPENDENCIES = \
 	util-linux \
 	zlib
 
+# run bootstrap.sh (normal AUTORECONF is broken)
+define FREESWITCH_RUN_BOOTSTRAP
+	cd $(@D); PATH=$(BR_PATH) ./bootstrap.sh
+endef
+
+# running while POST_PATCH stage enables libtool patching
+FREESWITCH_POST_PATCH_HOOKS += FREESWITCH_RUN_BOOTSTRAP
+FREESWITCH_DEPENDENCIES += host-automake host-autoconf host-libtool
+
 # disable display of ClueCon banner in fs_cli
 FREESWITCH_CONF_ENV += \
 	disable_cc=yes
-- 
2.17.1

[Buildroot] [PATCH 10/10] libopenssl: bump version to 1.1.1a

[Patrick Havelange]

From: Peter Seiderer <ps.report@gmx.net>

- use BR2_TOOLCHAIN_HAS_UCONTEXT
    This is used to set -DOPENSSL_NO_ASYNC if needed.

- apply the CFLAGS correctly when compiling with -Os (bugfix).

- use -latomic when needed
    This fixes the build for br-sparc-uclibc-2018.05

- don't use madvise() if no MMU
    Trying to do so results in undefined reference to madvise() as
    it is not available on uclibc without MMU.
    The original openssl code checks if a macro used in the madvise call
    is defined. The problem comes from the fact that the code in
    crypto/mem_sec.c also includes a kernel header defining the same macro
    unconditionally. Thus the check is always true in that case.
    Upstream: https://github.com/openssl/openssl/pull/8089

- don't compile test/fuzzers
    These binaries introduced with 1.1.x sometimes do not compile.
    This is the case with the br-arm-cortex-m4-full toolchain

- don't build ocsp daemon if no MMU.
    Patch from  Richard Levitte.

- correctly enable cryptodev engine
    Thanks to Arnout Vandecappelle for spotting this.

- remove all parallel build patches (openssl build-system changed)

- rebased 0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
  to apply to Configurations/unix-Makefile.tmpl (Makefile template)

- removed 0002-cryptodev-Fix-issue-with-signature-generation.patch
  (upstream applied)

- rebased 0003-Reproducible-build-do-not-leak-compiler-path.patch to
  apply to crypto/build.info (Makefile template)

- fix musl/uclibc build failure, use '-DOPENSSL_NO_ASYNC'

- remove legacy enable-tlsext configure option

- remove target/host libdir configure options, fixes openssl.pc installation
  path, fixes wget compile

- change legacy INSTALL_PREFIX to DESTDIR

- remove 'libraries gets installed read only, so strip fails'
  workaround (not needed anymore)

- change engine directory from /usr/lib/engines to
  /usr/lib/engines-1.1

- change license file hash, no license change, only the following
  hint was removed:

    Actually both licenses are BSD-style Open Source licenses.
    In case of any license issues related to OpenSSL please
    contact openssl-core at openssl.org.

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

---
Changes v5 -> v6:
  - use BR2_TOOLCHAIN_HAS_UCONTEXT
  - apply the CFLAGS correctly
  - use -latomic when needed
  - don't use madvise() if no MMU
  - don't compile test/fuzzers
  - don't build ocsp daemon if no MMU
  - correctly enable cryptodev engine
  - remove explicit rpath argument

Changes v4 -> v5:
  - remove libdir config options (suggested by Arnout Vandecappelle)

Changes v3 -> v4:
  - bump version to 1.1.1a
  - remove all parallel build patches hash file entries
  - re-remove 0004-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
    (upstream applied)
  - fix hist library install path
  - removed 0002-cryptodev-Fix-issue-with-signature-generation.patch
    (upstram applied)
  - remove follow up patch for openssh (not longer needed since
    version bump to 7.9p1, see https://www.openssh.com/releasenotes.html
    Portability)

Changes v2 -> v3:
  - no changes

Changes v1 -> v2:
  - add OPENSSL_NO_ASYNC workaround for musl compile too
    (suggested by Bernd Kuhls)

  - fix host-libopenssl compile (reported by Ryan Coe) by setting rpath
    (suggested by Ryan Coe)

  - fix 0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
    and 0003-Reproducible-build-do-not-leak-compiler-path.patch to apply
    to the Makefile templates (instead of re-generated Makefile)
    (reported by Ryan Coe)

  - add 0004-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
    (suggested by Bernd Kuhls)

Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
---
 ...building-manpages-if-we-re-not-going.patch |  34 +-
 ...-Fix-issue-with-signature-generation.patch | 450 ------------------
 ...ible-build-do-not-leak-compiler-path.patch |  31 +-
 ...ENSSL_NO_MADVISE-to-disable-call-to-.patch |  27 ++
 ...the-same-HAVE_FORK-NO_FORK-as-in-spe.patch |  46 ++
 package/libopenssl/libopenssl.hash            |  15 +-
 package/libopenssl/libopenssl.mk              |  59 ++-
 7 files changed, 147 insertions(+), 515 deletions(-)
 delete mode 100644 package/libopenssl/0002-cryptodev-Fix-issue-with-signature-generation.patch
 create mode 100644 package/libopenssl/0004-Introduce-the-OPENSSL_NO_MADVISE-to-disable-call-to-.patch
 create mode 100644 package/libopenssl/0005-apps-ocsp.c-Use-the-same-HAVE_FORK-NO_FORK-as-in-spe.patch

diff --git a/package/libopenssl/0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch b/package/libopenssl/0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
index 10d2b7526c..f20b6f0834 100644
--- a/package/libopenssl/0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
+++ b/package/libopenssl/0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
@@ -1,27 +1,31 @@
-From 389efb564fa1453a9da835393eec9006bfae2a52 Mon Sep 17 00:00:00 2001
+From d8f104bffb0c4acb8c5fcdf49628f7d02ed48f7f Mon Sep 17 00:00:00 2001
 From: Mike Frysinger <vapier@gentoo.org>
 Date: Sat, 16 May 2015 18:53:51 +0200
-Subject: Dont waste time building manpages if we're not going to use em.
+Subject: [PATCH] Dont waste time building manpages if we're not going to use
+ em.
 
 Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
 [Gustavo: update for parallel-build]
+
+[rebased on openssl-1.1.0h]
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
 ---
- Makefile.org | 2 +-
+ Configurations/unix-Makefile.tmpl | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/Makefile.org b/Makefile.org
-index 60f07cc..976ceaf 100644
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -527,7 +527,7 @@ dist:
- dist_pem_h:
- 	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 40cf2c3..777d9ca 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -268,7 +268,7 @@ list-tests:
+ 	@echo "Tests are not supported with your chosen Configure options"
+ 	@ : {- output_on() if !$disabled{tests}; "" -}
+ 
+-install: install_sw install_ssldirs install_docs
++install: install_sw install_ssldirs
  
--install: install_docs install_sw
-+install: install_sw
+ uninstall: uninstall_docs uninstall_sw
  
- install_sw:
- 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 -- 
-1.9.1
+2.16.3
 
diff --git a/package/libopenssl/0002-cryptodev-Fix-issue-with-signature-generation.patch b/package/libopenssl/0002-cryptodev-Fix-issue-with-signature-generation.patch
deleted file mode 100644
index 47295500c0..0000000000
--- a/package/libopenssl/0002-cryptodev-Fix-issue-with-signature-generation.patch
+++ /dev/null
@@ -1,450 +0,0 @@
-From 90fd7e8f1a316cda86ee442b43fcd7d5e5baeede Mon Sep 17 00:00:00 2001
-From: Gustavo Zacarias <gustavo@zacarias.com.ar>
-Date: Sat, 16 May 2015 18:55:08 +0200
-Subject: cryptodev: Fix issue with signature generation
-
-Forward port of 0001-cryptodev-Fix-issue-with-signature-generation.patch
-from http://rt.openssl.org/Ticket/Display.html?id=2770&user=guest&pass=guest
-It was originally targetted at 1.0.2-beta3.
-
-Without this patch digest acceleration via cryptodev is broken.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
----
- crypto/engine/eng_cryptodev.c | 195 +++++++++++++++++++++++++++++++-----------
- 1 file changed, 146 insertions(+), 49 deletions(-)
-
-diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
-index 926d95c..7021d9a 100644
---- a/crypto/engine/eng_cryptodev.c
-+++ b/crypto/engine/eng_cryptodev.c
-@@ -2,6 +2,7 @@
-  * Copyright (c) 2002 Bob Beck <beck@openbsd.org>
-  * Copyright (c) 2002 Theo de Raadt
-  * Copyright (c) 2002 Markus Friedl
-+ * Copyright (c) 2012 Nikos Mavrogiannopoulos
-  * All rights reserved.
-  *
-  * Redistribution and use in source and binary forms, with or without
-@@ -72,7 +73,6 @@ struct dev_crypto_state {
-     struct session_op d_sess;
-     int d_fd;
- # ifdef USE_CRYPTODEV_DIGESTS
--    char dummy_mac_key[HASH_MAX_LEN];
-     unsigned char digest_res[HASH_MAX_LEN];
-     char *mac_data;
-     int mac_len;
-@@ -189,8 +189,10 @@ static struct {
- static struct {
-     int id;
-     int nid;
--    int keylen;
-+    int digestlen;
- } digests[] = {
-+#if 0
-+    /* HMAC is not supported */
-     {
-         CRYPTO_MD5_HMAC, NID_hmacWithMD5, 16
-     },
-@@ -198,15 +200,15 @@ static struct {
-         CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, 20
-     },
-     {
--        CRYPTO_RIPEMD160_HMAC, NID_ripemd160, 16
--        /* ? */
-+        CRYPTO_SHA2_256_HMAC, NID_hmacWithSHA256, 32
-     },
-     {
--        CRYPTO_MD5_KPDK, NID_undef, 0
-+        CRYPTO_SHA2_384_HMAC, NID_hmacWithSHA384, 48
-     },
-     {
--        CRYPTO_SHA1_KPDK, NID_undef, 0
-+        CRYPTO_SHA2_512_HMAC, NID_hmacWithSHA512, 64
-     },
-+#endif
-     {
-         CRYPTO_MD5, NID_md5, 16
-     },
-@@ -214,6 +216,15 @@ static struct {
-         CRYPTO_SHA1, NID_sha1, 20
-     },
-     {
-+        CRYPTO_SHA2_256, NID_sha256, 32
-+    },
-+    {
-+        CRYPTO_SHA2_384, NID_sha384, 48
-+    },
-+    {
-+        CRYPTO_SHA2_512, NID_sha512, 64
-+    },
-+    {
-         0, NID_undef, 0
-     },
- };
-@@ -288,13 +299,14 @@ static int get_cryptodev_ciphers(const int **cnids)
-     static int nids[CRYPTO_ALGORITHM_MAX];
-     struct session_op sess;
-     int fd, i, count = 0;
-+    unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN];
- 
-     if ((fd = get_dev_crypto()) < 0) {
-         *cnids = NULL;
-         return (0);
-     }
-     memset(&sess, 0, sizeof(sess));
--    sess.key = (caddr_t) "123456789abcdefghijklmno";
-+    sess.key = (void*)fake_key;
- 
-     for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
-         if (ciphers[i].nid == NID_undef)
-@@ -327,18 +339,19 @@ static int get_cryptodev_digests(const int **cnids)
-     static int nids[CRYPTO_ALGORITHM_MAX];
-     struct session_op sess;
-     int fd, i, count = 0;
-+    unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN];
- 
-     if ((fd = get_dev_crypto()) < 0) {
-         *cnids = NULL;
-         return (0);
-     }
-     memset(&sess, 0, sizeof(sess));
--    sess.mackey = (caddr_t) "123456789abcdefghijklmno";
-+    sess.mackey = fake_key;
-     for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
-         if (digests[i].nid == NID_undef)
-             continue;
-         sess.mac = digests[i].id;
--        sess.mackeylen = digests[i].keylen;
-+        sess.mackeylen = 8;
-         sess.cipher = 0;
-         if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
-             ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
-@@ -424,14 +437,14 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-     cryp.ses = sess->ses;
-     cryp.flags = 0;
-     cryp.len = inl;
--    cryp.src = (caddr_t) in;
--    cryp.dst = (caddr_t) out;
-+    cryp.src = (void*) in;
-+    cryp.dst = (void*) out;
-     cryp.mac = 0;
- 
-     cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
- 
-     if (ctx->cipher->iv_len) {
--        cryp.iv = (caddr_t) ctx->iv;
-+	cryp.iv = (void*) ctx->iv;
-         if (!ctx->encrypt) {
-             iiv = in + inl - ctx->cipher->iv_len;
-             memcpy(save_iv, iiv, ctx->cipher->iv_len);
-@@ -483,7 +496,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-     if ((state->d_fd = get_dev_crypto()) < 0)
-         return (0);
- 
--    sess->key = (caddr_t) key;
-+    sess->key = (void*)key;
-     sess->keylen = ctx->key_len;
-     sess->cipher = cipher;
- 
-@@ -749,16 +762,6 @@ static int digest_nid_to_cryptodev(int nid)
-     return (0);
- }
- 
--static int digest_key_length(int nid)
--{
--    int i;
--
--    for (i = 0; digests[i].id; i++)
--        if (digests[i].nid == nid)
--            return digests[i].keylen;
--    return (0);
--}
--
- static int cryptodev_digest_init(EVP_MD_CTX *ctx)
- {
-     struct dev_crypto_state *state = ctx->md_data;
-@@ -769,7 +772,6 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx)
-         printf("cryptodev_digest_init: Can't get digest \n");
-         return (0);
-     }
--
-     memset(state, 0, sizeof(struct dev_crypto_state));
- 
-     if ((state->d_fd = get_dev_crypto()) < 0) {
-@@ -777,8 +779,8 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx)
-         return (0);
-     }
- 
--    sess->mackey = state->dummy_mac_key;
--    sess->mackeylen = digest_key_length(ctx->digest->type);
-+    sess->mackey = NULL;
-+    sess->mackeylen = 0;
-     sess->mac = digest;
- 
-     if (ioctl(state->d_fd, CIOCGSESSION, sess) < 0) {
-@@ -794,8 +796,8 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx)
- static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
-                                    size_t count)
- {
--    struct crypt_op cryp;
-     struct dev_crypto_state *state = ctx->md_data;
-+    struct crypt_op cryp;
-     struct session_op *sess = &state->d_sess;
- 
-     if (!data || state->d_fd < 0) {
-@@ -804,7 +806,7 @@ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
-     }
- 
-     if (!count) {
--        return (0);
-+        return (1);
-     }
- 
-     if (!(ctx->flags & EVP_MD_CTX_FLAG_ONESHOT)) {
-@@ -828,9 +830,9 @@ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
-     cryp.ses = sess->ses;
-     cryp.flags = 0;
-     cryp.len = count;
--    cryp.src = (caddr_t) data;
-+    cryp.src = (void*) data;
-     cryp.dst = NULL;
--    cryp.mac = (caddr_t) state->digest_res;
-+    cryp.mac = (void*) state->digest_res;
-     if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
-         printf("cryptodev_digest_update: digest failed\n");
-         return (0);
-@@ -844,8 +846,6 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
-     struct dev_crypto_state *state = ctx->md_data;
-     struct session_op *sess = &state->d_sess;
- 
--    int ret = 1;
--
-     if (!md || state->d_fd < 0) {
-         printf("cryptodev_digest_final: illegal input\n");
-         return (0);
-@@ -859,7 +859,7 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
-         cryp.len = state->mac_len;
-         cryp.src = state->mac_data;
-         cryp.dst = NULL;
--        cryp.mac = (caddr_t) md;
-+	cryp.mac = (void*)md;
-         if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
-             printf("cryptodev_digest_final: digest failed\n");
-             return (0);
-@@ -870,7 +870,7 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
- 
-     memcpy(md, state->digest_res, ctx->digest->md_size);
- 
--    return (ret);
-+    return 1;
- }
- 
- static int cryptodev_digest_cleanup(EVP_MD_CTX *ctx)
-@@ -921,8 +921,8 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
- 
-     digest = digest_nid_to_cryptodev(to->digest->type);
- 
--    sess->mackey = dstate->dummy_mac_key;
--    sess->mackeylen = digest_key_length(to->digest->type);
-+    sess->mackey = NULL;
-+    sess->mackeylen = 0;
-     sess->mac = digest;
- 
-     dstate->d_fd = get_dev_crypto();
-@@ -947,32 +947,116 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
- 
- const EVP_MD cryptodev_sha1 = {
-     NID_sha1,
--    NID_undef,
-+    NID_sha1WithRSAEncryption,
-     SHA_DIGEST_LENGTH,
-+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
-+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
-+    EVP_MD_FLAG_DIGALGID_ABSENT|
-+#endif
-     EVP_MD_FLAG_ONESHOT,
-     cryptodev_digest_init,
-     cryptodev_digest_update,
-     cryptodev_digest_final,
-     cryptodev_digest_copy,
-     cryptodev_digest_cleanup,
--    EVP_PKEY_NULL_method,
-+    EVP_PKEY_RSA_method,
-     SHA_CBLOCK,
--    sizeof(struct dev_crypto_state),
-+    sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
- };
- 
--const EVP_MD cryptodev_md5 = {
-+static const EVP_MD cryptodev_sha256 = {
-+    NID_sha256,
-+    NID_sha256WithRSAEncryption,
-+    SHA256_DIGEST_LENGTH, 
-+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
-+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
-+    EVP_MD_FLAG_DIGALGID_ABSENT|
-+#endif
-+    EVP_MD_FLAG_ONESHOT,
-+    cryptodev_digest_init,
-+    cryptodev_digest_update,
-+    cryptodev_digest_final,
-+    cryptodev_digest_copy,
-+    cryptodev_digest_cleanup,
-+    EVP_PKEY_RSA_method,
-+    SHA256_CBLOCK,
-+    sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
-+};
-+
-+static const EVP_MD cryptodev_sha224 = {
-+    NID_sha224,
-+    NID_sha224WithRSAEncryption, 
-+    SHA224_DIGEST_LENGTH, 
-+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
-+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
-+    EVP_MD_FLAG_DIGALGID_ABSENT|
-+#endif
-+    EVP_MD_FLAG_ONESHOT,
-+    cryptodev_digest_init,
-+    cryptodev_digest_update,
-+    cryptodev_digest_final,
-+    cryptodev_digest_copy,
-+    cryptodev_digest_cleanup,
-+    EVP_PKEY_RSA_method,
-+    SHA256_CBLOCK,
-+    sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
-+};
-+
-+static const EVP_MD cryptodev_sha384 = {
-+    NID_sha384,
-+    NID_sha384WithRSAEncryption, 
-+    SHA384_DIGEST_LENGTH, 
-+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
-+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
-+    EVP_MD_FLAG_DIGALGID_ABSENT|
-+#endif
-+    EVP_MD_FLAG_ONESHOT,
-+    cryptodev_digest_init,
-+    cryptodev_digest_update,
-+    cryptodev_digest_final,
-+    cryptodev_digest_copy,
-+    cryptodev_digest_cleanup,
-+    EVP_PKEY_RSA_method,
-+    SHA512_CBLOCK,
-+    sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
-+};
-+
-+static const EVP_MD cryptodev_sha512 = {
-+    NID_sha512,
-+    NID_sha512WithRSAEncryption, 
-+    SHA512_DIGEST_LENGTH, 
-+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
-+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
-+    EVP_MD_FLAG_DIGALGID_ABSENT|
-+#endif
-+    EVP_MD_FLAG_ONESHOT,
-+    cryptodev_digest_init,
-+    cryptodev_digest_update,
-+    cryptodev_digest_final,
-+    cryptodev_digest_copy,
-+    cryptodev_digest_cleanup,
-+    EVP_PKEY_RSA_method,
-+    SHA512_CBLOCK,
-+    sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
-+};
-+
-+static const EVP_MD cryptodev_md5 = {
-     NID_md5,
--    NID_undef,
-+    NID_md5WithRSAEncryption,
-     16 /* MD5_DIGEST_LENGTH */ ,
-+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
-+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
-+    EVP_MD_FLAG_DIGALGID_ABSENT|
-+#endif
-     EVP_MD_FLAG_ONESHOT,
-     cryptodev_digest_init,
-     cryptodev_digest_update,
-     cryptodev_digest_final,
-     cryptodev_digest_copy,
-     cryptodev_digest_cleanup,
--    EVP_PKEY_NULL_method,
-+    EVP_PKEY_RSA_method,
-     64 /* MD5_CBLOCK */ ,
--    sizeof(struct dev_crypto_state),
-+    sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
- };
- 
- # endif                         /* USE_CRYPTODEV_DIGESTS */
-@@ -992,6 +1076,18 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
-     case NID_sha1:
-         *digest = &cryptodev_sha1;
-         break;
-+    case NID_sha224:
-+        *digest = &cryptodev_sha224;
-+	break;
-+    case NID_sha256:
-+        *digest = &cryptodev_sha256;
-+	break;
-+    case NID_sha384:
-+        *digest = &cryptodev_sha384;
-+	break;
-+    case NID_sha512:
-+    	*digest = &cryptodev_sha512;
-+	break;
-     default:
- # endif                         /* USE_CRYPTODEV_DIGESTS */
-         *digest = NULL;
-@@ -1022,7 +1118,7 @@ static int bn2crparam(const BIGNUM *a, struct crparam *crp)
-         return (1);
-     memset(b, 0, bytes);
- 
--    crp->crp_p = (caddr_t) b;
-+    crp->crp_p = (void*) b;
-     crp->crp_nbits = bits;
- 
-     for (i = 0, j = 0; i < a->top; i++) {
-@@ -1277,7 +1373,7 @@ static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen,
-     kop.crk_op = CRK_DSA_SIGN;
- 
-     /* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */
--    kop.crk_param[0].crp_p = (caddr_t) dgst;
-+    kop.crk_param[0].crp_p = (void*)dgst;
-     kop.crk_param[0].crp_nbits = dlen * 8;
-     if (bn2crparam(dsa->p, &kop.crk_param[1]))
-         goto err;
-@@ -1317,7 +1413,7 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
-     kop.crk_op = CRK_DSA_VERIFY;
- 
-     /* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */
--    kop.crk_param[0].crp_p = (caddr_t) dgst;
-+    kop.crk_param[0].crp_p = (void*)dgst;
-     kop.crk_param[0].crp_nbits = dlen * 8;
-     if (bn2crparam(dsa->p, &kop.crk_param[1]))
-         goto err;
-@@ -1398,9 +1494,10 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
-         goto err;
-     kop.crk_iparams = 3;
- 
--    kop.crk_param[3].crp_p = (caddr_t) key;
--    kop.crk_param[3].crp_nbits = keylen * 8;
-+    kop.crk_param[3].crp_p = (void*) key;
-+    kop.crk_param[3].crp_nbits = keylen;
-     kop.crk_oparams = 1;
-+    dhret = keylen / 8;
- 
-     if (ioctl(fd, CIOCKEY, &kop) == -1) {
-         const DH_METHOD *meth = DH_OpenSSL();
-@@ -1470,7 +1567,7 @@ void ENGINE_load_cryptodev(void)
-     put_dev_crypto(fd);
- 
-     if (!ENGINE_set_id(engine, "cryptodev") ||
--        !ENGINE_set_name(engine, "BSD cryptodev engine") ||
-+        !ENGINE_set_name(engine, "cryptodev engine") ||
-         !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
-         !ENGINE_set_digests(engine, cryptodev_engine_digests) ||
-         !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
--- 
-1.9.1
-
diff --git a/package/libopenssl/0003-Reproducible-build-do-not-leak-compiler-path.patch b/package/libopenssl/0003-Reproducible-build-do-not-leak-compiler-path.patch
index eff72c548a..820c2addf1 100644
--- a/package/libopenssl/0003-Reproducible-build-do-not-leak-compiler-path.patch
+++ b/package/libopenssl/0003-Reproducible-build-do-not-leak-compiler-path.patch
@@ -1,26 +1,29 @@
-From 875fcad2ad84877763cba86c1265b57679b878b0 Mon Sep 17 00:00:00 2001
+From b70be8c65365a8fc564226360d45adbbb29fc0af Mon Sep 17 00:00:00 2001
 From: Peter Seiderer <ps.report@gmx.net>
 Date: Tue, 24 Oct 2017 16:58:32 +0200
 Subject: [PATCH] Reproducible build: do not leak compiler path
 
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+
+[Rebased on openssl-1.1.1.a]
 Signed-off-by: Peter Seiderer <ps.report@gmx.net>
 ---
- crypto/Makefile | 2 +-
+ crypto/build.info | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/crypto/Makefile b/crypto/Makefile
-index 7869996..7e63291 100644
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -55,7 +55,7 @@ top:
- all: shared
+diff --git a/crypto/build.info b/crypto/build.info
+index 2c619c6..49ca6ab 100644
+--- a/crypto/build.info
++++ b/crypto/build.info
+@@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
+         ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
  
- buildinf.h: ../Makefile
--	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
-+	$(PERL) $(TOP)/util/mkbuildinf.pl "$$(basename $(CC)) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
+ DEPEND[cversion.o]=buildinf.h
+-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$$(basename $(CC)) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
+ DEPEND[buildinf.h]=../configdata.pm
  
- x86cpuid.s:	x86cpuid.pl perlasm/x86asm.pl
- 	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
+ GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
 -- 
-2.11.0
+2.20.1
 
diff --git a/package/libopenssl/0004-Introduce-the-OPENSSL_NO_MADVISE-to-disable-call-to-.patch b/package/libopenssl/0004-Introduce-the-OPENSSL_NO_MADVISE-to-disable-call-to-.patch
new file mode 100644
index 0000000000..c51a3cd684
--- /dev/null
+++ b/package/libopenssl/0004-Introduce-the-OPENSSL_NO_MADVISE-to-disable-call-to-.patch
@@ -0,0 +1,27 @@
+From 1281ffc7959bd2070563e17a52ee4424196d885c Mon Sep 17 00:00:00 2001
+From: Patrick Havelange <patrick.havelange@essensium.com>
+Date: Wed, 23 Jan 2019 12:21:21 +0100
+Subject: [PATCH] Introduce the OPENSSL_NO_MADVISE to disable call to madvise()
+
+Upstream: https://github.com/openssl/openssl/pull/8089
+Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
+---
+ crypto/mem_sec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c
+index 9e0f670..32c7282 100644
+--- a/crypto/mem_sec.c
++++ b/crypto/mem_sec.c
+@@ -485,7 +485,7 @@ static int sh_init(size_t size, int minsize)
+     if (mlock(sh.arena, sh.arena_size) < 0)
+         ret = 2;
+ #endif
+-#ifdef MADV_DONTDUMP
++#if defined(MADV_DONTDUMP) && !defined(OPENSSL_NO_MADVISE)
+     if (madvise(sh.arena, sh.arena_size, MADV_DONTDUMP) < 0)
+         ret = 2;
+ #endif
+-- 
+2.17.1
+
diff --git a/package/libopenssl/0005-apps-ocsp.c-Use-the-same-HAVE_FORK-NO_FORK-as-in-spe.patch b/package/libopenssl/0005-apps-ocsp.c-Use-the-same-HAVE_FORK-NO_FORK-as-in-spe.patch
new file mode 100644
index 0000000000..83989fe742
--- /dev/null
+++ b/package/libopenssl/0005-apps-ocsp.c-Use-the-same-HAVE_FORK-NO_FORK-as-in-spe.patch
@@ -0,0 +1,46 @@
+From 4c992673890f1d1ecb9aa46112b2ca80db016b67 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Mon, 12 Nov 2018 18:16:27 +0100
+Subject: [PATCH] apps/ocsp.c Use the same HAVE_FORK / NO_FORK as in speed.c
+
+This allows the user to override our defaults if needed, and in a
+consistent manner.
+
+Partial fix for #7607
+
+Upstream: https://github.com/openssl/openssl/pull/7624
+Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
+---
+ apps/ocsp.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/apps/ocsp.c b/apps/ocsp.c
+index 7fd78624bb..315b072932 100644
+--- a/apps/ocsp.c
++++ b/apps/ocsp.c
+@@ -36,7 +36,21 @@ NON_EMPTY_TRANSLATION_UNIT
+ # include <openssl/x509v3.h>
+ # include <openssl/rand.h>
+ 
+-# if defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_NO_SOCK) \
++#ifndef HAVE_FORK
++# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
++#  define HAVE_FORK 0
++# else
++#  define HAVE_FORK 1
++# endif
++#endif
++
++#if HAVE_FORK
++# undef NO_FORK
++#else
++# define NO_FORK
++#endif
++
++# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
+      && !defined(OPENSSL_NO_POSIX_IO)
+ #  define OCSP_DAEMON
+ #  include <sys/types.h>
+-- 
+2.17.1
+
diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
index 83fb8bd513..568d7e8b52 100644
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@@ -1,10 +1,5 @@
-# From https://www.openssl.org/source/openssl-1.0.2q.tar.gz.sha256
-sha256	5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684	openssl-1.0.2q.tar.gz
-# From https://www.openssl.org/source/openssl-1.0.2q.tar.gz.sha1
-sha1	692f5f2f1b114f8adaadaa3e7be8cce1907f38c5				openssl-1.0.2q.tar.gz
-# Locally computed
-sha256	eddd8a5123748052c598214487ac178e4bfa4e31ba2ec520c70d59c8c5bfa2e9	openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
-sha256	147c3eeaad614c044749ea527cb433eae5e2d5cad34a78c6ba61cd967bfbe01f	openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
-sha256	30cb49489de5041841a74da9155cd4fabfbce33237262ba7cd23974314ae2956	openssl-1.0.2a-parallel-symlinking.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
-sha256	deaf6f3af41874ecc6d63841ea14b8e6c71cea81d4a511a754bc90c9a993147f	openssl-1.0.2d-parallel-build.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
-sha256	c8f60f4842bbad0353f5d81620e72b168b5638ca3a0a999f5da113b22491612e	LICENSE
+# From https://www.openssl.org/source/openssl-1.1.1a.tar.gz.sha256
+sha256	fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41	openssl-1.1.1a.tar.gz
+
+# License files
+sha256	350c7817af2ef980d3f3922bc5e0bb6a9d9f6cc21e784a699bcd2a31c74a84b1	LICENSE
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index dc15abf66a..0bfc74ed0e 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBOPENSSL_VERSION = 1.0.2q
+LIBOPENSSL_VERSION = 1.1.1a
 LIBOPENSSL_SITE = https://www.openssl.org/source
 LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
 LIBOPENSSL_LICENSE = OpenSSL or SSLeay
@@ -15,11 +15,6 @@ HOST_LIBOPENSSL_DEPENDENCIES = host-zlib
 LIBOPENSSL_TARGET_ARCH = generic32
 LIBOPENSSL_CFLAGS = $(TARGET_CFLAGS)
 LIBOPENSSL_PROVIDES = openssl
-LIBOPENSSL_PATCH = \
-	https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2d-parallel-build.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
-	https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
-	https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
-	https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-symlinking.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
 
 # relocation truncated to fit: R_68K_GOT16O
 ifeq ($(BR2_m68k_cf),y)
@@ -27,14 +22,31 @@ LIBOPENSSL_CFLAGS += -mxgot
 endif
 
 ifeq ($(BR2_USE_MMU),)
-LIBOPENSSL_CFLAGS += -DHAVE_FORK=0
+LIBOPENSSL_CFLAGS += -DHAVE_FORK=0 -DOPENSSL_NO_MADVISE
 endif
 
 ifeq ($(BR2_PACKAGE_HAS_CRYPTODEV),y)
-LIBOPENSSL_CFLAGS += -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS
 LIBOPENSSL_DEPENDENCIES += cryptodev
 endif
 
+# fixes the following build failures:
+#
+# - musl
+#   ./libcrypto.so: undefined reference to `getcontext'
+#   ./libcrypto.so: undefined reference to `setcontext'
+#   ./libcrypto.so: undefined reference to `makecontext'
+#
+# - uclibc:
+#   crypto/async/arch/../arch/async_posix.h:32:5: error: unknown type name ?ucontext_t?
+#
+
+ifeq ($(BR2_TOOLCHAIN_USES_MUSL),y)
+LIBOPENSSL_CFLAGS += -DOPENSSL_NO_ASYNC
+endif
+ifeq ($(BR2_TOOLCHAIN_HAS_UCONTEXT),)
+LIBOPENSSL_CFLAGS += -DOPENSSL_NO_ASYNC
+endif
+
 # Some architectures are optimized in OpenSSL
 # Doesn't work for thumb-only (Cortex-M?)
 ifeq ($(BR2_ARM_CPU_HAS_ARM),y)
@@ -65,11 +77,13 @@ define HOST_LIBOPENSSL_CONFIGURE_CMDS
 		./config \
 		--prefix=$(HOST_DIR) \
 		--openssldir=$(HOST_DIR)/etc/ssl \
-		--libdir=/lib \
+		no-tests \
+		no-fuzz-libfuzzer \
+		no-fuzz-afl \
 		shared \
 		zlib-dynamic \
 	)
-	$(SED) "s#-O[0-9]#$(HOST_CFLAGS)#" $(@D)/Makefile
+	$(SED) "s#-O[0-9s]#$(HOST_CFLAGS)#" $(@D)/Makefile
 endef
 
 define LIBOPENSSL_CONFIGURE_CMDS
@@ -80,18 +94,21 @@ define LIBOPENSSL_CONFIGURE_CMDS
 			linux-$(LIBOPENSSL_TARGET_ARCH) \
 			--prefix=/usr \
 			--openssldir=/etc/ssl \
-			--libdir=/lib \
+			$(if $(BR2_TOOLCHAIN_HAS_LIBATOMIC),-latomic) \
 			$(if $(BR2_TOOLCHAIN_HAS_THREADS),threads,no-threads) \
 			$(if $(BR2_STATIC_LIBS),no-shared,shared) \
+			$(if $(BR2_PACKAGE_HAS_CRYPTODEV),enable-devcryptoeng) \
 			no-rc5 \
 			enable-camellia \
 			enable-mdc2 \
-			enable-tlsext \
+			no-tests \
+			no-fuzz-libfuzzer \
+			no-fuzz-afl \
 			$(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
 			$(if $(BR2_STATIC_LIBS),no-dso) \
 	)
 	$(SED) "s#-march=[-a-z0-9] ##" -e "s#-mcpu=[-a-z0-9] ##g" $(@D)/Makefile
-	$(SED) "s#-O[0-9]#$(LIBOPENSSL_CFLAGS)#" $(@D)/Makefile
+	$(SED) "s#-O[0-9s]#$(LIBOPENSSL_CFLAGS)#" $(@D)/Makefile
 	$(SED) "s# build_tests##" $(@D)/Makefile
 endef
 
@@ -112,7 +129,7 @@ define LIBOPENSSL_BUILD_CMDS
 endef
 
 define LIBOPENSSL_INSTALL_STAGING_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) INSTALL_PREFIX=$(STAGING_DIR) install
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) install
 endef
 
 define HOST_LIBOPENSSL_INSTALL_CMDS
@@ -120,7 +137,7 @@ define HOST_LIBOPENSSL_INSTALL_CMDS
 endef
 
 define LIBOPENSSL_INSTALL_TARGET_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) INSTALL_PREFIX=$(TARGET_DIR) install
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
 	rm -rf $(TARGET_DIR)/usr/lib/ssl
 	rm -f $(TARGET_DIR)/usr/bin/c_rehash
 endef
@@ -135,16 +152,6 @@ endef
 LIBOPENSSL_POST_INSTALL_STAGING_HOOKS += LIBOPENSSL_FIXUP_STATIC_PKGCONFIG
 endif
 
-ifneq ($(BR2_STATIC_LIBS),y)
-# libraries gets installed read only, so strip fails
-define LIBOPENSSL_INSTALL_FIXUPS_SHARED
-	chmod +w $(TARGET_DIR)/usr/lib/engines/lib*.so
-	for i in $(addprefix $(TARGET_DIR)/usr/lib/,libcrypto.so.* libssl.so.*); \
-	do chmod +w $$i; done
-endef
-LIBOPENSSL_POST_INSTALL_TARGET_HOOKS += LIBOPENSSL_INSTALL_FIXUPS_SHARED
-endif
-
 ifeq ($(BR2_PACKAGE_PERL),)
 define LIBOPENSSL_REMOVE_PERL_SCRIPTS
 	$(RM) -f $(TARGET_DIR)/etc/ssl/misc/{CA.pl,tsget}
@@ -162,7 +169,7 @@ endif
 
 ifneq ($(BR2_PACKAGE_LIBOPENSSL_ENGINES),y)
 define LIBOPENSSL_REMOVE_LIBOPENSSL_ENGINES
-	rm -rf $(TARGET_DIR)/usr/lib/engines
+	rm -rf $(TARGET_DIR)/usr/lib/engines-1.1
 endef
 LIBOPENSSL_POST_INSTALL_TARGET_HOOKS += LIBOPENSSL_REMOVE_LIBOPENSSL_ENGINES
 endif
-- 
2.17.1

[Buildroot] [PATCH 01/10] package/libshout: Add support for openssl 1.1.x

[Peter Korsgaard]

>>>>> "Patrick" == Patrick Havelange <patrick.havelange@essensium.com> writes:

 > From: Vadim Kochan <vadim4j@gmail.com>
 > Added upstream patch.

Upstream? I don't see this commit in upstream git:

https://git.xiph.org/?p=icecast-libshout.git;a=history;f=src/tls.c

An earlier version of this patch mentioned this patch was from Debian:

https://sources.debian.org/data/main/libs/libshout/2.4.1-2/debian/patches/

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 02/10] package/nut: Add support for openssl 1.1.x

[Peter Korsgaard]

>>>>> "Patrick" == Patrick Havelange <patrick.havelange@essensium.com> writes:

 > From: Vadim Kochan <vadim4j@gmail.com>
 > Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
 > Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

 > ---
 > Changes v6:
 >   - use the actual upstream patch
 >   - drop unrelated patch
 > ---
 >  ...Add-compatibility-with-openssl-1.1.0.patch | 75 +++++++++++++++++++
 >  1 file changed, 75 insertions(+)
 >  create mode 100644 package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch

 > diff --git a/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch b/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch
 > new file mode 100644
 > index 0000000000..65b7f2d6f7
 > --- /dev/null
 > +++ b/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch
 > @@ -0,0 +1,75 @@
 > +From fcbf18c92918ce5e81d0aab62a7aed5c2245ea4d Mon Sep 17 00:00:00 2001
 > +From: Eneas U de Queiroz <cote2004-github@yahoo.com>
 > +Date: Fri, 1 Jun 2018 11:17:28 -0300
 > +Subject: [PATCH 1/2] Add compatibility with openssl 1.1.0
 > +
 > +Minor adjustments were needed:
 > +* Openssl 1.1 libs do not need to be initialized.
 > +* TLSv*_method became TLS_*_method.
 > +
 > +Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
 > +Upstream: https://github.com/networkupstools/nut/pull/558/
 > +Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
 > +---
 > + clients/upsclient.c        | 5 ++++-
 > + m4/nut_check_libopenssl.m4 | 2 +-
 > + server/netssl.c            | 7 +++++--
 > + 3 files changed, 10 insertions(+), 4 deletions(-)
 > +
 > +diff --git a/clients/upsclient.c b/clients/upsclient.c
 > +index b90587b0..053d60fb 100644
 > +--- a/clients/upsclient.c
 > ++++ b/clients/upsclient.c
 > +@@ -316,10 +316,13 @@ int upscli_init(int certverify, const char *certpath,
 > + 	
 > + #ifdef WITH_OPENSSL
 > + 	
 > ++# if OPENSSL_VERSION_NUMBER < 0x10100000L
 > + 	SSL_library_init();
 > + 	SSL_load_error_strings();
 > ++#  define TLS_client_method TLSv1_client_method
 > ++# endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
 > + 
 > +-	ssl_method = TLSv1_client_method();
 > ++	ssl_method = TLS_client_method();
 > + 
 > + 	if (!ssl_method) {
 > + 		return 0;
 > +diff --git a/m4/nut_check_libopenssl.m4 b/m4/nut_check_libopenssl.m4
 > +index 1b875077..7eb401cd 100644
 > +--- a/m4/nut_check_libopenssl.m4
 > ++++ b/m4/nut_check_libopenssl.m4
 > +@@ -58,7 +58,7 @@ if test -z "${nut_have_libopenssl_seen}"; then
 > + 
 > + 	dnl check if openssl is usable
 > + 	AC_CHECK_HEADERS(openssl/ssl.h, [nut_have_openssl=yes], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT])
 > +-	AC_CHECK_FUNCS(SSL_library_init, [], [nut_have_openssl=no])
 > ++	AC_CHECK_FUNCS(SSL_CTX_new, [], [nut_have_openssl=no])
 > + 
 > + 	if test "${nut_have_openssl}" = "yes"; then
 > + 		nut_with_ssl="yes"
 > +diff --git a/server/netssl.c b/server/netssl.c
 > +index c2f40989..0289e296 100644
 > +--- a/server/netssl.c
 > ++++ b/server/netssl.c
 > +@@ -387,12 +387,15 @@ void ssl_init(void)
 > + 
 > + #ifdef WITH_OPENSSL
 > + 
 > ++# if OPENSSL_VERSION_NUMBER < 0x10100000L

The libshout patch alternatively checked for libressl, but that is not
done here?

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 02/10] package/nut: Add support for openssl 1.1.x

[Peter Korsgaard]

>>>>> "Patrick" == Patrick Havelange <patrick.havelange@essensium.com> writes:

 > From: Vadim Kochan <vadim4j@gmail.com>
 > Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
 > Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

 > ---
 > Changes v6:
 >   - use the actual upstream patch
 >   - drop unrelated patch
 > ---
>  ...Add-compatibility-with-openssl-1.1.0.patch | 75 +++++++++++++++++++
 >  1 file changed, 75 insertions(+)
 >  create mode 100644 package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch

 > diff --git a/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch b/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch
 > new file mode 100644
 > index 0000000000..65b7f2d6f7
 > --- /dev/null
 > +++ b/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch
 > @@ -0,0 +1,75 @@
 > +From fcbf18c92918ce5e81d0aab62a7aed5c2245ea4d Mon Sep 17 00:00:00 2001
 > +From: Eneas U de Queiroz <cote2004-github@yahoo.com>
 > +Date: Fri, 1 Jun 2018 11:17:28 -0300
 > +Subject: [PATCH 1/2] Add compatibility with openssl 1.1.0

NIT: check-package complains about PATCH n/m:

package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch:4: generate your patches with 'git format-patch -N'

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 03/10] package/vboot-utils: Add support for openssl 1.1.x

[Peter Korsgaard]

>>>>> "Patrick" == Patrick Havelange <patrick.havelange@essensium.com> writes:

 > From: Vadim Kochan <vadim4j@gmail.com>
 > Backported changes from commit bce7904376beee2912932433a4634c1c25afe2f5,
 > there was some conflicts in few places which includes openssl_compat.h and
 > 1 place in vb2_rsa_sig_alg function.

 > Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
 > Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

 > ---
 > Changes v6:
 >   - Added original commit hash in patch

Committed, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 02/10] package/nut: Add support for openssl 1.1.x

[Patrick Havelange]

Hi Peter,

Thanks for the comments, those are fixed in the v7 that I'll send soon.

Patrick Havelange.


On Sun, Jan 27, 2019 at 10:04 PM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Patrick" == Patrick Havelange <patrick.havelange@essensium.com> writes:
>
>  > From: Vadim Kochan <vadim4j@gmail.com>
>  > Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
>  > Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
>
>  > ---
>  > Changes v6:
>  >   - use the actual upstream patch
>  >   - drop unrelated patch
>  > ---
> >  ...Add-compatibility-with-openssl-1.1.0.patch | 75 +++++++++++++++++++
>  >  1 file changed, 75 insertions(+)
>  >  create mode 100644 package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch
>
>  > diff --git a/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch b/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch
>  > new file mode 100644
>  > index 0000000000..65b7f2d6f7
>  > --- /dev/null
>  > +++ b/package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch
>  > @@ -0,0 +1,75 @@
>  > +From fcbf18c92918ce5e81d0aab62a7aed5c2245ea4d Mon Sep 17 00:00:00 2001
>  > +From: Eneas U de Queiroz <cote2004-github@yahoo.com>
>  > +Date: Fri, 1 Jun 2018 11:17:28 -0300
>  > +Subject: [PATCH 1/2] Add compatibility with openssl 1.1.0
>
> NIT: check-package complains about PATCH n/m:
>
> package/nut/0003-Add-compatibility-with-openssl-1.1.0.patch:4: generate your patches with 'git format-patch -N'
>
> --
> Bye, Peter Korsgaard

[Buildroot] [PATCH 01/10] package/libshout: Add support for openssl 1.1.x

[Patrick Havelange]

On Sun, Jan 27, 2019 at 9:43 PM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Patrick" == Patrick Havelange <patrick.havelange@essensium.com> writes:
>
>  > From: Vadim Kochan <vadim4j@gmail.com>
>  > Added upstream patch.
>
> Upstream? I don't see this commit in upstream git:
>
> https://git.xiph.org/?p=icecast-libshout.git;a=history;f=src/tls.c
>
> An earlier version of this patch mentioned this patch was from Debian:
>
> https://sources.debian.org/data/main/libs/libshout/2.4.1-2/debian/patches/
>

Indeed, this will be reverted in v7.
Thanks for the comments.


Patrick Havelange