mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
From: Oliver Graute <oliver.graute@gmail.com>
To: ptxdist@pengutronix.de
Cc: Oliver Graute <oliver.graute@neuhaus.de>
Subject: [ptxdist] [PATCHv2] openssl: version bump to 1.1.1a
Date: Wed,  9 Jan 2019 15:13:50 +0100	[thread overview]
Message-ID: <1547043230-11866-1-git-send-email-oliver.graute@neuhaus.de> (raw)

this patch bump openssl to LTS version 1.1.1a

Signed-off-by: Oliver Graute <oliver.graute@neuhaus.de>
---

changes in v2:

- use the patches from http://deb.debian.org/debian/pool/main/o/openssl/openssl_1.1.1a-1.debian.tar.xz
- removed the old 1.02q patchset

 patches/openssl-1.0.2q/0001-debian-targets.patch   |  85 ----
 patches/openssl-1.0.2q/0002-no-rpath.patch         |  24 --
 patches/openssl-1.0.2q/0003-pic.patch              | 189 ---------
 patches/openssl-1.0.2q/0004-valgrind.patch         |  31 --
 patches/openssl-1.0.2q/0005-shared-lib-ext.patch   |  25 --
 patches/openssl-1.0.2q/0006-block_diginotar.patch  |  74 ----
 .../0007-block_digicert_malaysia.patch             |  36 --
 .../openssl-1.0.2q/0008-Disable-the-freelist.patch |  41 --
 .../0009-Mark-3DES-and-RC4-ciphers-as-weak.patch   | 429 ---------------------
 ...-don-t-ask-dpkg-buildflags-for-more-flags.patch |  22 --
 .../0101-fix-parallel-building.patch               | 108 ------
 patches/openssl-1.0.2q/series                      |  16 -
 patches/openssl-1.1.1a/0001-debian-targets.patch   | 207 ++++++++++
 patches/openssl-1.1.1a/0002-man-section.patch      |  54 +++
 patches/openssl-1.1.1a/0003-no-symbolic.patch      |  21 +
 patches/openssl-1.1.1a/0004-pic.patch              | 186 +++++++++
 patches/openssl-1.1.1a/0005-c_rehash-compat.patch  |  72 ++++
 ...temwide-default-settings-for-libssl-users.patch |  42 ++
 patches/openssl-1.1.1a/series                      |   6 +
 rules/openssl.make                                 |  10 +-
 20 files changed, 593 insertions(+), 1085 deletions(-)
 delete mode 100644 patches/openssl-1.0.2q/0001-debian-targets.patch
 delete mode 100644 patches/openssl-1.0.2q/0002-no-rpath.patch
 delete mode 100644 patches/openssl-1.0.2q/0003-pic.patch
 delete mode 100644 patches/openssl-1.0.2q/0004-valgrind.patch
 delete mode 100644 patches/openssl-1.0.2q/0005-shared-lib-ext.patch
 delete mode 100644 patches/openssl-1.0.2q/0006-block_diginotar.patch
 delete mode 100644 patches/openssl-1.0.2q/0007-block_digicert_malaysia.patch
 delete mode 100644 patches/openssl-1.0.2q/0008-Disable-the-freelist.patch
 delete mode 100644 patches/openssl-1.0.2q/0009-Mark-3DES-and-RC4-ciphers-as-weak.patch
 delete mode 100644 patches/openssl-1.0.2q/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
 delete mode 100644 patches/openssl-1.0.2q/0101-fix-parallel-building.patch
 delete mode 100644 patches/openssl-1.0.2q/series
 create mode 100644 patches/openssl-1.1.1a/0001-debian-targets.patch
 create mode 100644 patches/openssl-1.1.1a/0002-man-section.patch
 create mode 100644 patches/openssl-1.1.1a/0003-no-symbolic.patch
 create mode 100644 patches/openssl-1.1.1a/0004-pic.patch
 create mode 100644 patches/openssl-1.1.1a/0005-c_rehash-compat.patch
 create mode 100644 patches/openssl-1.1.1a/0006-Set-systemwide-default-settings-for-libssl-users.patch
 create mode 100644 patches/openssl-1.1.1a/series

diff --git a/patches/openssl-1.0.2q/0001-debian-targets.patch b/patches/openssl-1.0.2q/0001-debian-targets.patch
deleted file mode 100644
index ca9b1e4..0000000
--- a/patches/openssl-1.0.2q/0001-debian-targets.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
-Date: Tue, 12 Dec 2017 23:35:23 +0100
-Subject: [PATCH] debian-targets
-
-Imported from openssl1.0_1.0.2q-2.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- Configure | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 56 insertions(+)
-
-diff --git a/Configure b/Configure
-index c7066dc97c58..79b7d5c90d8e 100755
---- a/Configure
-+++ b/Configure
-@@ -133,6 +133,10 @@ my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers
- # Warn that "make depend" should be run?
- my $warn_make_depend = 0;
- 
-+# There are no separate CFLAGS/CPPFLAGS/LDFLAGS, set everything in CFLAGS
-+my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";
-+$debian_cflags =~ s/\n/ /g;
-+
- my $strict_warnings = 0;
- 
- my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
-@@ -369,6 +373,58 @@ my %table=(
- "osf1-alpha-cc",  "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
- "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
- 
-+# Debian GNU/* (various architectures)
-+"debian-alpha","gcc:${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-alpha-ev4","gcc:${debian_cflags} -mcpu=ev4::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-alpha-ev5","gcc:${debian_cflags} -mcpu=ev5::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-arm64","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-arm64ilp32","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-armel","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-armhf","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-amd64", "gcc:-m64 -DL_ENDIAN ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
-+"debian-avr32", "gcc:-DB_ENDIAN ${debian_cflags} -fomit-frame-pointer::-D_REENTRANT::-ldl:BN_LLONG_BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-kfreebsd-amd64","gcc:-m64 -DL_ENDIAN ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-kfreebsd-i386","gcc:-DL_ENDIAN ${debian_cflags} -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-hppa","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-hurd-i386","gcc:-DL_ENDIAN -O3 -Wa,--noexecstack -g -mtune=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-ia64","gcc:${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-i386","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-i386-i486","gcc:-DL_ENDIAN ${debian_cflags} -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-i386-i586","gcc:-DL_ENDIAN ${debian_cflags} -march=i586::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-i386-i686/cmov","gcc:-DL_ENDIAN ${debian_cflags} -march=i686::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-m68k","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mips",   "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mipsel",   "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mipsn32",   "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mipsn32el",   "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mips64",   "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mips64el",   "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-netbsd-i386",	"gcc:-DL_ENDIAN ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-netbsd-m68k",	"gcc:-DB_ENDIAN ${debian_cflags}::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-netbsd-sparc",	"gcc:-DB_ENDIAN ${debian_cflags} -mv8::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-nios2", "gcc:-DB_ENDIAN ${debian_cflags}::(unknown)::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-openbsd-alpha","gcc:${debian_cflags}::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-openbsd-i386",  "gcc:-DL_ENDIAN ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-openbsd-mips","gcc:-DL_ENDIAN ${debian_cflags}::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-or1k", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-powerpc","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-powerpcspe","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-ppc64","gcc:-m64 -DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-ppc64el","gcc:-m64 -DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-riscv64","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-s390","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
-+"debian-s390x","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sh3",   "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sh4",   "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sh3eb",   "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sh4eb",   "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-m32r","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sparc","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sparc-v8","gcc:-DB_ENDIAN ${debian_cflags} -mcpu=v8 -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sparc-v9","gcc:-DB_ENDIAN ${debian_cflags} -mcpu=v9 -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sparc64","gcc:-m64 -DB_ENDIAN ${debian_cflags} -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-x32","gcc:-mx32 -DL_ENDIAN ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
-+
- ####
- #### Variety of LINUX:-)
- ####
diff --git a/patches/openssl-1.0.2q/0002-no-rpath.patch b/patches/openssl-1.0.2q/0002-no-rpath.patch
deleted file mode 100644
index 231ee8b..0000000
--- a/patches/openssl-1.0.2q/0002-no-rpath.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
-Date: Tue, 12 Dec 2017 23:35:23 +0100
-Subject: [PATCH] no-rpath
-
-Imported from openssl1.0_1.0.2q-2.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- Makefile.shared | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile.shared b/Makefile.shared
-index e8d222ac6a00..f68d6ff877ac 100644
---- a/Makefile.shared
-+++ b/Makefile.shared
-@@ -153,7 +153,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
- 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
- 
--DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(CFLAGS)"
- 
- #This is rather special.  It's a special target with which one can link
- #applications without bothering with any features that have anything to
diff --git a/patches/openssl-1.0.2q/0003-pic.patch b/patches/openssl-1.0.2q/0003-pic.patch
deleted file mode 100644
index c03a319..0000000
--- a/patches/openssl-1.0.2q/0003-pic.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
-Date: Tue, 12 Dec 2017 23:35:24 +0100
-Subject: [PATCH] pic
-
-Imported from openssl1.0_1.0.2q-2.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- crypto/des/asm/desboth.pl | 17 ++++++++++++++---
- crypto/perlasm/cbc.pl     | 24 ++++++++++++++++++++----
- crypto/perlasm/x86gas.pl  | 16 ++++++++++++++++
- crypto/x86cpuid.pl        | 10 +++++-----
- 4 files changed, 55 insertions(+), 12 deletions(-)
-
-diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl
-index eec00886e4c6..ab6f52452bf3 100644
---- a/crypto/des/asm/desboth.pl
-+++ b/crypto/des/asm/desboth.pl
-@@ -16,6 +16,11 @@ sub DES_encrypt3
- 
- 	&push("edi");
- 
-+	&call   (&label("pic_point0"));
-+	&set_label("pic_point0");
-+	&blindpop("ebp");
-+	&add    ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
-+
- 	&comment("");
- 	&comment("Load the data words");
- 	&mov($L,&DWP(0,"ebx","",0));
-@@ -47,15 +52,21 @@ sub DES_encrypt3
- 	&mov(&swtmp(2),	(DWC(($enc)?"1":"0")));
- 	&mov(&swtmp(1),	"eax");
- 	&mov(&swtmp(0),	"ebx");
--	&call("DES_encrypt2");
-+	&exch("ebx", "ebp");
-+	&call("DES_encrypt2\@PLT");
-+	&exch("ebx", "ebp");
- 	&mov(&swtmp(2),	(DWC(($enc)?"0":"1")));
- 	&mov(&swtmp(1),	"edi");
- 	&mov(&swtmp(0),	"ebx");
--	&call("DES_encrypt2");
-+	&exch("ebx", "ebp");
-+	&call("DES_encrypt2\@PLT");
-+	&exch("ebx", "ebp");
- 	&mov(&swtmp(2),	(DWC(($enc)?"1":"0")));
- 	&mov(&swtmp(1),	"esi");
- 	&mov(&swtmp(0),	"ebx");
--	&call("DES_encrypt2");
-+	&exch("ebx", "ebp");
-+	&call("DES_encrypt2\@PLT");
-+	&exch("ebx", "ebp");
- 
- 	&stack_pop(3);
- 	&mov($L,&DWP(0,"ebx","",0));
-diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl
-index 24561e759aba..269fb0b0c69f 100644
---- a/crypto/perlasm/cbc.pl
-+++ b/crypto/perlasm/cbc.pl
-@@ -122,7 +122,11 @@ sub cbc
- 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put in array for call
- 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
- 
--	&call($enc_func);
-+	&call	(&label("pic_point0"));
-+	&set_label("pic_point0");
-+	&blindpop("ebx");
-+	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
-+	&call("$enc_func\@PLT");
- 
- 	&mov("eax",	&DWP($data_off,"esp","",0));
- 	&mov("ebx",	&DWP($data_off+4,"esp","",0));
-@@ -185,7 +189,11 @@ sub cbc
- 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put in array for call
- 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
- 
--	&call($enc_func);
-+	&call	(&label("pic_point1"));
-+	&set_label("pic_point1");
-+	&blindpop("ebx");
-+	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]");
-+	&call("$enc_func\@PLT");
- 
- 	&mov("eax",	&DWP($data_off,"esp","",0));
- 	&mov("ebx",	&DWP($data_off+4,"esp","",0));
-@@ -218,7 +226,11 @@ sub cbc
- 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put back
- 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
- 
--	&call($dec_func);
-+	&call	(&label("pic_point2"));
-+	&set_label("pic_point2");
-+	&blindpop("ebx");
-+	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]");
-+	&call("$dec_func\@PLT");
- 
- 	&mov("eax",	&DWP($data_off,"esp","",0));	# get return
- 	&mov("ebx",	&DWP($data_off+4,"esp","",0));	#
-@@ -261,7 +273,11 @@ sub cbc
- 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put back
- 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
- 
--	&call($dec_func);
-+	&call	(&label("pic_point3"));
-+	&set_label("pic_point3");
-+	&blindpop("ebx");
-+	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]");
-+	&call("$dec_func\@PLT");
- 
- 	&mov("eax",	&DWP($data_off,"esp","",0));	# get return
- 	&mov("ebx",	&DWP($data_off+4,"esp","",0));	#
-diff --git a/crypto/perlasm/x86gas.pl b/crypto/perlasm/x86gas.pl
-index 63b2301fd1f0..176b04d24521 100644
---- a/crypto/perlasm/x86gas.pl
-+++ b/crypto/perlasm/x86gas.pl
-@@ -163,6 +163,7 @@ sub ::file_end
- 	if ($::macosx)	{ push (@out,"$tmp,2\n"); }
- 	elsif ($::elf)	{ push (@out,"$tmp,4\n"); }
- 	else		{ push (@out,"$tmp\n"); }
-+	if ($::elf)	{ push (@out,".hidden\tOPENSSL_ia32cap_P\n"); }
-     }
-     push(@out,$initseg) if ($initseg);
- }
-@@ -221,8 +222,23 @@ ___
-     elsif ($::elf)
-     {	$initseg.=<<___;
- .section	.init
-+___
-+        if ($::pic)
-+	{   $initseg.=<<___;
-+	pushl	%ebx
-+	call	.pic_point0
-+.pic_point0:
-+	popl	%ebx
-+	addl	\$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx
-+	call	$f\@PLT
-+	popl	%ebx
-+___
-+	}
-+	else
-+	{   $initseg.=<<___;
- 	call	$f
- ___
-+	}
-     }
-     elsif ($::coff)
-     {   $initseg.=<<___;	# applies to both Cygwin and Mingw
-diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
-index 90ed196c09cd..b49d1be8c38c 100644
---- a/crypto/x86cpuid.pl
-+++ b/crypto/x86cpuid.pl
-@@ -8,6 +8,8 @@ require "x86asm.pl";
- 
- for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
- 
-+push(@out, ".hidden OPENSSL_ia32cap_P\n");
-+
- &function_begin("OPENSSL_ia32_cpuid");
- 	&xor	("edx","edx");
- 	&pushf	();
-@@ -153,9 +155,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
- &set_label("nocpuid");
- &function_end("OPENSSL_ia32_cpuid");
- 
--&external_label("OPENSSL_ia32cap_P");
--
--&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
-+&function_begin_B("OPENSSL_rdtsc");
- 	&xor	("eax","eax");
- 	&xor	("edx","edx");
- 	&picmeup("ecx","OPENSSL_ia32cap_P");
-@@ -169,7 +169,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
- # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
- # but it's safe to call it on any [supported] 32-bit platform...
- # Just check for [non-]zero return value...
--&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
-+&function_begin_B("OPENSSL_instrument_halt");
- 	&picmeup("ecx","OPENSSL_ia32cap_P");
- 	&bt	(&DWP(0,"ecx"),4);
- 	&jnc	(&label("nohalt"));	# no TSC
-@@ -236,7 +236,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
- 	&ret	();
- &function_end_B("OPENSSL_far_spin");
- 
--&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
-+&function_begin_B("OPENSSL_wipe_cpu");
- 	&xor	("eax","eax");
- 	&xor	("edx","edx");
- 	&picmeup("ecx","OPENSSL_ia32cap_P");
diff --git a/patches/openssl-1.0.2q/0004-valgrind.patch b/patches/openssl-1.0.2q/0004-valgrind.patch
deleted file mode 100644
index e0f7ce7..0000000
--- a/patches/openssl-1.0.2q/0004-valgrind.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
-Date: Tue, 12 Dec 2017 23:35:24 +0100
-Subject: [PATCH] valgrind
-
-Imported from openssl1.0_1.0.2q-2.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- crypto/rand/md_rand.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
-index 2983a3fda487..a16cc804cc56 100644
---- a/crypto/rand/md_rand.c
-+++ b/crypto/rand/md_rand.c
-@@ -488,6 +488,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
-             goto err;
- 
- #ifndef PURIFY                  /* purify complains */
-+#if 0
-         /*
-          * The following line uses the supplied buffer as a small source of
-          * entropy: since this buffer is often uninitialised it may cause
-@@ -497,6 +498,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
-          */
-         if (!MD_Update(&m, buf, j))
-             goto err;
-+#endif
- #endif
- 
-         k = (st_idx + MD_DIGEST_LENGTH / 2) - st_num;
diff --git a/patches/openssl-1.0.2q/0005-shared-lib-ext.patch b/patches/openssl-1.0.2q/0005-shared-lib-ext.patch
deleted file mode 100644
index a3c186d..0000000
--- a/patches/openssl-1.0.2q/0005-shared-lib-ext.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
-Date: Tue, 12 Dec 2017 23:35:24 +0100
-Subject: [PATCH] shared-lib-ext
-
-Imported from openssl1.0_1.0.2q-2.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- Configure | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/Configure b/Configure
-index 79b7d5c90d8e..97ce24d18a5c 100755
---- a/Configure
-+++ b/Configure
-@@ -1853,7 +1853,8 @@ while (<IN>)
- 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
- 		{
- 		my $sotmp = $1;
--		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
-+#		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
-+		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/;
- 		}
- 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
- 		{
diff --git a/patches/openssl-1.0.2q/0006-block_diginotar.patch b/patches/openssl-1.0.2q/0006-block_diginotar.patch
deleted file mode 100644
index 95b8d6d..0000000
--- a/patches/openssl-1.0.2q/0006-block_diginotar.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From: Raphael Geissert <geissert@debian.org>
-Date: Tue, 12 Dec 2017 23:35:24 +0100
-Subject: [PATCH] block_diginotar
-
-Description: make X509_verify_cert indicate that any certificate whose
- name contains "DigiNotar" is revoked.
-Forwarded: not-needed
-Origin: vendor
-Last-Update: 2011-09-08
-Bug: http://bugs.debian.org/639744
-Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
-Reviewed-by: Dr Stephen N Henson <shenson@drh-consultancy.co.uk>
-
-This is not meant as final patch.
-
-Imported from openssl1.0_1.0.2q-2.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- crypto/x509/x509_vfy.c | 27 +++++++++++++++++++++++++++
- 1 file changed, 27 insertions(+)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index da778d47b1cc..77bdb18882ce 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -120,6 +120,7 @@ static int check_trust(X509_STORE_CTX *ctx);
- static int check_revocation(X509_STORE_CTX *ctx);
- static int check_cert(X509_STORE_CTX *ctx);
- static int check_policy(X509_STORE_CTX *ctx);
-+static int check_ca_blacklist(X509_STORE_CTX *ctx);
- 
- static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
-                          unsigned int *preasons, X509_CRL *crl, X509 *x);
-@@ -502,6 +503,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
-     if (!ok)
-         goto err;
- 
-+	ok = check_ca_blacklist(ctx);
-+	if(!ok) goto err;
-+
- #ifndef OPENSSL_NO_RFC3779
-     /* RFC 3779 path validation, now that CRL check has been done */
-     ok = v3_asid_validate_path(ctx);
-@@ -1110,6 +1114,29 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
-     return 1;
- }
- 
-+static int check_ca_blacklist(X509_STORE_CTX *ctx)
-+	{
-+	X509 *x;
-+	int i;
-+	/* Check all certificates against the blacklist */
-+	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
-+		{
-+		x = sk_X509_value(ctx->chain, i);
-+		/* Mark DigiNotar certificates as revoked, no matter
-+		 * where in the chain they are.
-+		 */
-+		if (x->name && strstr(x->name, "DigiNotar"))
-+			{
-+			ctx->error = X509_V_ERR_CERT_REVOKED;
-+			ctx->error_depth = i;
-+			ctx->current_cert = x;
-+			if (!ctx->verify_cb(0,ctx))
-+				return 0;
-+			}
-+		}
-+	return 1;
-+	}
-+
- static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
-                       X509 **pissuer, int *pscore, unsigned int *preasons,
-                       STACK_OF(X509_CRL) *crls)
diff --git a/patches/openssl-1.0.2q/0007-block_digicert_malaysia.patch b/patches/openssl-1.0.2q/0007-block_digicert_malaysia.patch
deleted file mode 100644
index e502416..0000000
--- a/patches/openssl-1.0.2q/0007-block_digicert_malaysia.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Raphael Geissert <geissert@debian.org>
-Date: Tue, 12 Dec 2017 23:35:24 +0100
-Subject: [PATCH] block_digicert_malaysia
-
-Description: make X509_verify_cert indicate that any certificate whose
- name contains "Digicert Sdn. Bhd." (from Malaysia) is revoked.
-Forwarded: not-needed
-Origin: vendor
-Last-Update: 2011-11-05
-
-Imported from openssl1.0_1.0.2q-2.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- crypto/x509/x509_vfy.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 77bdb18882ce..f7f8ed76e05b 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -1122,10 +1122,11 @@ static int check_ca_blacklist(X509_STORE_CTX *ctx)
- 	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
- 		{
- 		x = sk_X509_value(ctx->chain, i);
--		/* Mark DigiNotar certificates as revoked, no matter
--		 * where in the chain they are.
-+		/* Mark certificates containing the following names as
-+		 * revoked, no matter where in the chain they are.
- 		 */
--		if (x->name && strstr(x->name, "DigiNotar"))
-+		if (x->name && (strstr(x->name, "DigiNotar") ||
-+			strstr(x->name, "Digicert Sdn. Bhd.")))
- 			{
- 			ctx->error = X509_V_ERR_CERT_REVOKED;
- 			ctx->error_depth = i;
diff --git a/patches/openssl-1.0.2q/0008-Disable-the-freelist.patch b/patches/openssl-1.0.2q/0008-Disable-the-freelist.patch
deleted file mode 100644
index f1e959c..0000000
--- a/patches/openssl-1.0.2q/0008-Disable-the-freelist.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Kurt Roeckx <kurt@roeckx.be>
-Date: Tue, 12 Dec 2017 23:35:24 +0100
-Subject: [PATCH] Disable the freelist
-
-We don't define OPENSSL_NO_BUF_FREELISTS globally sinc it changes structures and
-would break the ABI.  Instead we just do it in the .c files that try to do
-something with it.
-
-Imported from openssl1.0_1.0.2q-2.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- ssl/s3_both.c | 1 +
- ssl/ssl_lib.c | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ssl/s3_both.c b/ssl/s3_both.c
-index 054ded1c9903..bb0085cf2ec0 100644
---- a/ssl/s3_both.c
-+++ b/ssl/s3_both.c
-@@ -584,6 +584,7 @@ int ssl_verify_alarm_type(long type)
-     return (al);
- }
- 
-+#define OPENSSL_NO_BUF_FREELISTS
- #ifndef OPENSSL_NO_BUF_FREELISTS
- /*-
-  * On some platforms, malloc() performance is bad enough that you can't just
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index cfcfe76b9ce1..5c108288b14b 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -162,6 +162,8 @@
- 
- const char *SSL_version_str = OPENSSL_VERSION_TEXT;
- 
-+#define OPENSSL_NO_BUF_FREELISTS
-+
- SSL3_ENC_METHOD ssl3_undef_enc_method = {
-     /*
-      * evil casts, but these functions are only called if there's a library
diff --git a/patches/openssl-1.0.2q/0009-Mark-3DES-and-RC4-ciphers-as-weak.patch b/patches/openssl-1.0.2q/0009-Mark-3DES-and-RC4-ciphers-as-weak.patch
deleted file mode 100644
index 0cc5ec9..0000000
--- a/patches/openssl-1.0.2q/0009-Mark-3DES-and-RC4-ciphers-as-weak.patch
+++ /dev/null
@@ -1,429 +0,0 @@
-From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
-Date: Sun, 18 Dec 2016 15:37:52 +0100
-Subject: [PATCH] Mark 3DES and RC4 ciphers as weak
-
-This disables RC4 and 3DES in our build
-
-Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
-
-Imported from openssl1.0_1.0.2q-2.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- ssl/s3_lib.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 58 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 10c6db683b6e..4b4032ba397a 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
-@@ -216,6 +216,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- #endif
- 
- /* Cipher 04 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_RSA_RC4_128_MD5,
-@@ -230,8 +231,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
- 
- /* Cipher 05 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_RSA_RC4_128_SHA,
-@@ -246,7 +249,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
--
-+#endif
- /* Cipher 06 */
- #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-@@ -320,6 +323,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- #endif
- 
- /* Cipher 0A */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_RSA_DES_192_CBC3_SHA,
-@@ -334,6 +338,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
- /* The DH ciphers */
- /* Cipher 0B */
-@@ -373,6 +378,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- #endif
- 
- /* Cipher 0D */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
-@@ -387,6 +393,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
- /* Cipher 0E */
- #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-@@ -425,6 +432,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- #endif
- 
- /* Cipher 10 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
-@@ -439,6 +447,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
- /* The Ephemeral DH ciphers */
- /* Cipher 11 */
-@@ -478,6 +487,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- #endif
- 
- /* Cipher 13 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
-@@ -492,6 +502,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
- /* Cipher 14 */
- #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-@@ -530,6 +541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- #endif
- 
- /* Cipher 16 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
-@@ -544,6 +556,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
- /* Cipher 17 */
- #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-@@ -564,6 +577,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- #endif
- 
- /* Cipher 18 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_ADH_RC4_128_MD5,
-@@ -578,6 +592,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
- 
- /* Cipher 19 */
- #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-@@ -616,6 +631,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- #endif
- 
- /* Cipher 1B */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_ADH_DES_192_CBC_SHA,
-@@ -630,6 +646,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
- /* Fortezza ciphersuite from SSL 3.0 spec */
- #if 0
-@@ -703,6 +720,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- # endif
- 
- /* Cipher 1F */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_KRB5_DES_192_CBC3_SHA,
-@@ -717,8 +735,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
- /* Cipher 20 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_KRB5_RC4_128_SHA,
-@@ -733,6 +753,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
- 
- /* Cipher 21 */
-     {
-@@ -769,6 +790,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- # endif
- 
- /* Cipher 23 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_KRB5_DES_192_CBC3_MD5,
-@@ -783,8 +805,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
- /* Cipher 24 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_KRB5_RC4_128_MD5,
-@@ -799,6 +823,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
- 
- /* Cipher 25 */
-     {
-@@ -1418,6 +1443,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- # endif
- 
-     /* Cipher 66 */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
-@@ -1432,6 +1458,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
- #endif
- 
-     /* TLS v1.2 ciphersuites */
-@@ -1703,6 +1730,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- 
- #ifndef OPENSSL_NO_PSK
-     /* Cipher 8A */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_PSK_WITH_RC4_128_SHA,
-@@ -1717,8 +1745,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
- 
-     /* Cipher 8B */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA,
-@@ -1733,6 +1763,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
-     /* Cipher 8C */
-     {
-@@ -2095,6 +2126,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      },
- 
-     /* Cipher C002 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
-@@ -2109,8 +2141,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
- 
-     /* Cipher C003 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
-@@ -2125,6 +2159,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
-     /* Cipher C004 */
-     {
-@@ -2175,6 +2210,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      },
- 
-     /* Cipher C007 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
-@@ -2189,8 +2225,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
- 
-     /* Cipher C008 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
-@@ -2205,6 +2243,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
-     /* Cipher C009 */
-     {
-@@ -2255,6 +2294,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      },
- 
-     /* Cipher C00C */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
-@@ -2269,8 +2309,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
- 
-     /* Cipher C00D */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
-@@ -2285,6 +2327,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
-     /* Cipher C00E */
-     {
-@@ -2335,6 +2378,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      },
- 
-     /* Cipher C011 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
-@@ -2349,8 +2393,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
- 
-     /* Cipher C012 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
-@@ -2365,6 +2411,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
-     /* Cipher C013 */
-     {
-@@ -2415,6 +2462,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      },
- 
-     /* Cipher C016 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
-@@ -2429,8 +2477,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
- 
-     /* Cipher C017 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
-@@ -2445,6 +2495,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
-     /* Cipher C018 */
-     {
-@@ -2481,6 +2532,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
- 
- #ifndef OPENSSL_NO_SRP
-     /* Cipher C01A */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
-@@ -2495,8 +2547,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
-     /* Cipher C01B */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
-@@ -2511,8 +2565,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
-     /* Cipher C01C */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
-@@ -2527,6 +2583,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      112,
-      168,
-      },
-+#endif
- 
-     /* Cipher C01D */
-     {
diff --git a/patches/openssl-1.0.2q/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch b/patches/openssl-1.0.2q/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
deleted file mode 100644
index b445ea7..0000000
--- a/patches/openssl-1.0.2q/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Mon, 11 Aug 2014 12:28:49 +0200
-Subject: [PATCH] Configure: don't ask dpkg-buildflags for more flags
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- Configure | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Configure b/Configure
-index 9f58145ef000..4b6f13ee238c 100755
---- a/Configure
-+++ b/Configure
-@@ -134,7 +134,7 @@ my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers
- my $warn_make_depend = 0;
- 
- # There are no separate CFLAGS/CPPFLAGS/LDFLAGS, set everything in CFLAGS
--my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";
-+my $debian_cflags = "-g -O2 -Wformat -Werror=format-security " . "-Wa,--noexecstack -Wall";
- $debian_cflags =~ s/\n/ /g;
- 
- my $strict_warnings = 0;
diff --git a/patches/openssl-1.0.2q/0101-fix-parallel-building.patch b/patches/openssl-1.0.2q/0101-fix-parallel-building.patch
deleted file mode 100644
index 65a77a7..0000000
--- a/patches/openssl-1.0.2q/0101-fix-parallel-building.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Mon, 23 Mar 2015 09:29:05 +0100
-Subject: [PATCH] fix parallel building
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- Makefile.org     | 22 ++++++++++++++--------
- crypto/Makefile  |  4 ++--
- engines/Makefile |  4 ++--
- 3 files changed, 18 insertions(+), 12 deletions(-)
-
-diff --git a/Makefile.org b/Makefile.org
-index f51f0a756c3e..aed1dd978ff4 100644
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -281,18 +281,24 @@ build_libs: build_libcrypto build_libssl openssl.pc
- build_libcrypto: build_crypto build_engines libcrypto.pc
- build_libssl: build_ssl libssl.pc
- 
-+ifeq ($(SHARED_LIBS),)
-+build_ssl: build_engines
-+else
-+build_engines: build_ssl
-+endif
-+
- build_crypto:
--	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-+	@+dir=crypto; target=all; $(BUILD_ONE_CMD)
- build_ssl: build_crypto
--	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-+	@+dir=ssl; target=all; $(BUILD_ONE_CMD)
- build_engines: build_crypto
--	@dir=engines; target=all; $(BUILD_ONE_CMD)
-+	@+dir=engines; target=all; $(BUILD_ONE_CMD)
- build_apps: build_libs
--	@dir=apps; target=all; $(BUILD_ONE_CMD)
-+	@+dir=apps; target=all; $(BUILD_ONE_CMD)
- build_tests: build_libs
--	@dir=test; target=all; $(BUILD_ONE_CMD)
-+	@+dir=test; target=all; $(BUILD_ONE_CMD)
- build_tools: build_libs
--	@dir=tools; target=all; $(BUILD_ONE_CMD)
-+	@+dir=tools; target=all; $(BUILD_ONE_CMD)
- 
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -311,7 +317,7 @@ libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
- 			FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
- 			export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
- 		fi; \
--		$(MAKE) -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
-+		$(MAKE) -j1 -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
- 		(touch -c fips_premain_dso$(EXE_EXT) || :); \
- 	else \
- 		echo "There's no support for shared libraries on this platform" >&2; \
-@@ -320,7 +326,7 @@ libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
- 
- libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
- 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
--		$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
-+		$(MAKE) -j1 SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
- 	else \
- 		echo "There's no support for shared libraries on this platform" >&2; \
- 		exit 1; \
-diff --git a/crypto/Makefile b/crypto/Makefile
-index 7869996a9c07..76690a1c8619 100644
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -85,7 +85,7 @@ testapps:
- 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
- 
- subdirs:
--	@target=all; $(RECURSIVE_MAKE)
-+	@+target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
-@@ -100,7 +100,7 @@ links:
- # lib: $(LIB): are splitted to avoid end-less loop
- lib:	$(LIB)
- 	@touch lib
--$(LIB):	$(LIBOBJ)
-+$(LIB):	$(LIBOBJ) subdirs
- 	$(AR) $(LIB) $(LIBOBJ)
- 	test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
- 	$(RANLIB) $(LIB) || echo Never mind.
-diff --git a/engines/Makefile b/engines/Makefile
-index 2058ff405afe..98e41437e1f2 100644
---- a/engines/Makefile
-+++ b/engines/Makefile
-@@ -72,7 +72,7 @@ top:
- 
- all:	lib subdirs
- 
--lib:	$(LIBOBJ)
-+lib:	$(LIBOBJ) subdirs
- 	@if [ -n "$(SHARED_LIBS)" ]; then \
- 		set -e; \
- 		for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@ lib:	$(LIBOBJ)
- 
- subdirs:
- 	echo $(EDIRS)
--	@target=all; $(RECURSIVE_MAKE)
-+	@+target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
diff --git a/patches/openssl-1.0.2q/series b/patches/openssl-1.0.2q/series
deleted file mode 100644
index cd63acf..0000000
--- a/patches/openssl-1.0.2q/series
+++ /dev/null
@@ -1,16 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-#tag:debian --start-number 1
-0001-debian-targets.patch
-0002-no-rpath.patch
-0003-pic.patch
-0004-valgrind.patch
-0005-shared-lib-ext.patch
-0006-block_diginotar.patch
-0007-block_digicert_malaysia.patch
-0008-Disable-the-freelist.patch
-0009-Mark-3DES-and-RC4-ciphers-as-weak.patch
-#tag:ptx --start-number 100
-0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
-0101-fix-parallel-building.patch
-# d6f7b68c6d4f0780398061fbcec6168c  - git-ptx-patches magic
diff --git a/patches/openssl-1.1.1a/0001-debian-targets.patch b/patches/openssl-1.1.1a/0001-debian-targets.patch
new file mode 100644
index 0000000..fe61436
--- /dev/null
+++ b/patches/openssl-1.1.1a/0001-debian-targets.patch
@@ -0,0 +1,207 @@
+From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
+Date: Sun, 5 Nov 2017 15:09:09 +0100
+Subject: debian-targets
+
+---
+ Configurations/20-debian.conf | 192 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 192 insertions(+)
+ create mode 100644 Configurations/20-debian.conf
+
+diff --git a/Configurations/20-debian.conf b/Configurations/20-debian.conf
+new file mode 100644
+index 000000000000..71215d94dfc1
+--- /dev/null
++++ b/Configurations/20-debian.conf
+@@ -0,0 +1,192 @@
++my %targets = (
++	"debian" => {
++		cflags => add("-Wa,--noexecstack -Wall"),
++	},
++	"debian-alpha" => {
++		inherit_from => [ "linux-alpha-gcc", "debian" ],
++	},
++	"debian-alpha-ev4" => {
++		inherit_from => [ "debian-alpha" ],
++		cflags => add("-mcpu=ev4"),
++	},
++	"debian-alpha-ev5" => {
++		inherit_from => [ "debian-alpha" ],
++		cflags => add("-mcpu=ev5"),
++	},
++	"debian-arm64" => {
++		inherit_from => [ "linux-aarch64", "debian" ],
++	},
++	"debian-arm64ilp32" => {
++		inherit_from => [ "linux-arm64ilp32", "debian" ],
++	},
++	"debian-armel" => {
++		inherit_from => [ "linux-armv4", "debian" ],
++	},
++	"debian-armhf" => {
++		inherit_from => [ "linux-armv4", "debian" ],
++	},
++	"debian-amd64" => {
++		inherit_from => [ "linux-x86_64", "debian" ],
++	},
++	"debian-i386" => {
++		inherit_from => [ "linux-elf", "debian" ],
++	},
++	"debian-avr32" => {
++		inherit_from => [ "linux-generic32", "debian" ],
++	},
++	"debian-kfreebsd-amd64" => {
++		inherit_from => [ "debian-amd64" ],
++		enable		=> [ ],
++	},
++	"debian-kfreebsd-i386" => {
++		inherit_from => [ "debian-i386" ],
++		enable		=> [ ],
++	},
++	"debian-hppa" => {
++		inherit_from => [ "linux-generic32", "debian" ],
++	},
++	"debian-hurd-i386" => {
++		inherit_from => [ "hurd-x86", "debian" ],
++	},
++	"debian-ia64" => {
++		inherit_from => [ "linux-ia64", "debian" ],
++	},
++	"debian-m68k" => {
++		inherit_from => [ "linux-generic32", "debian" ],
++	},
++	"debian-mips" => {
++		inherit_from => [ "linux-mips32", "debian" ],
++		cflags => add("-DB_ENDIAN"),
++	},
++	"debian-mipsel" => {
++		inherit_from => [ "linux-mips32", "debian" ],
++		cflags => add("-DL_ENDIAN"),
++	},
++	"debian-mipsn32" => {
++		inherit_from => [ "linux-mips64", "debian" ],
++		cflags => add("-DB_ENDIAN"),
++	},
++	"debian-mipsn32el" => {
++		inherit_from => [ "linux-mips64", "debian" ],
++		cflags => add("-DL_ENDIAN"),
++	},
++	"debian-mips64" => {
++		inherit_from => [ "linux64-mips64", "debian" ],
++		cflags => add("-DB_ENDIAN"),
++	},
++	"debian-mips64el" => {
++		inherit_from => [ "linux64-mips64", "debian" ],
++		cflags => add("-DL_ENDIAN"),
++	},
++
++	# Temporary MIPS R6 targets. Those will vanish approx in 1.1.1 because
++	# aes-mips.pl creates proper R6 ASM code. After that, we can inherit from
++	# the linux*-mips* targets.
++	"linux-mips32r6" => {
++	# Configure script adds minimally required -march for assembly
++	# support, if no -march was specified at command line.
++		inherit_from     => [ "linux-generic32"],
++		cflags           => add("-mabi=32"),
++		perlasm_scheme   => "o32",
++		shared_ldflag    => add("-mabi=32"),
++	},
++	# mips32 and mips64 below refer to contemporary MIPS Architecture
++	# specifications, MIPS32 and MIPS64, rather than to kernel bitness.
++	"linux-mips64r6" => {
++		inherit_from     => [ "linux-generic32"],
++		cflags           => add("-mabi=n32"),
++		bn_ops           => "SIXTY_FOUR_BIT RC4_CHAR",
++		perlasm_scheme   => "n32",
++		shared_ldflag    => add("-mabi=n32"),
++		multilib         => "32",
++	},
++	"linux64-mips64r6" => {
++		inherit_from     => [ "linux-generic64"],
++		cflags           => add("-mabi=64"),
++		perlasm_scheme   => "64",
++		shared_ldflag    => add("-mabi=64"),
++		multilib         => "64",
++	},
++	"debian-mipsr6" => {
++		inherit_from => [ "linux-mips32r6", "debian" ],
++		cflags => add("-DB_ENDIAN"),
++	},
++	"debian-mipsr6el" => {
++		inherit_from => [ "linux-mips32r6", "debian" ],
++		cflags => add("-DL_ENDIAN"),
++	},
++	"debian-mipsn32r6" => {
++		inherit_from => [ "linux-mips64r6", "debian" ],
++		cflags => add("-DB_ENDIAN"),
++	},
++	"debian-mipsn32r6el" => {
++		inherit_from => [ "linux-mips64r6", "debian" ],
++		cflags => add("-DL_ENDIAN"),
++	},
++	"debian-mips64r6" => {
++		inherit_from => [ "linux64-mips64r6", "debian" ],
++		cflags => add("-DB_ENDIAN"),
++	},
++	"debian-mips64r6el" => {
++		inherit_from => [ "linux64-mips64r6", "debian" ],
++		cflags => add("-DL_ENDIAN"),
++	},
++
++	"debian-nios2" => {
++		inherit_from => [ "linux-generic32", "debian" ],
++	},
++	"debian-powerpc" => {
++		inherit_from => [ "linux-ppc", "debian" ],
++	},
++	"debian-powerpcspe" => {
++		inherit_from => [ "linux-ppc", "debian" ],
++	},
++	"debian-ppc64" => {
++		inherit_from => [ "linux-generic64", "debian", asm("ppc64_asm") ],
++		cflags => add("-DB_ENDIAN"),
++		perlasm_scheme => "linux64",
++	},
++	"debian-ppc64el" => {
++		inherit_from => [ "linux-ppc64le", "debian" ],
++	},
++	"debian-riscv64" => {
++		inherit_from => [ "linux-generic64", "debian" ],
++	},
++	"debian-s390" => {
++		inherit_from => [ "linux-generic32", "debian" ],
++	},
++	"debian-s390x" => {
++		inherit_from => [ "linux64-s390x", "debian" ],
++	},
++	"debian-sh3" => {
++		inherit_from => [ "linux-generic32", "debian" ],
++	},
++	"debian-sh3eb" => {
++		inherit_from => [ "linux-generic32", "debian" ],
++	},
++	"debian-sh4" => {
++		inherit_from => [ "linux-generic32", "debian" ],
++	},
++	"debian-sh4eb" => {
++		inherit_from => [ "linux-generic32", "debian" ],
++	},
++	"debian-m32r" => {
++		inherit_from => [ "linux-generic32", "debian" ],
++	},
++	"debian-sparc" => {
++		inherit_from => [ "linux-generic32", "debian", asm("sparcv9_asm") ],
++		cflags => add("-DB_ENDIAN -DBN_DIV2W"),
++	},
++	"debian-sparc64" => {
++	        inherit_from => [ "linux-generic64", "debian", asm("sparcv9_asm") ],
++	        cflags => add("-m64 -mcpu=ultrasparc -DB_ENDIAN"),
++		bn_ops => "BN_LLONG RC4_CHAR",
++	},
++	"debian-tilegx" => {
++		inherit_from => [ "linux-generic64", "debian" ],
++	},
++	"debian-x32" => {
++		inherit_from => [ "linux-x32", "debian" ],
++	},
++);
++
diff --git a/patches/openssl-1.1.1a/0002-man-section.patch b/patches/openssl-1.1.1a/0002-man-section.patch
new file mode 100644
index 0000000..8ef4ed8
--- /dev/null
+++ b/patches/openssl-1.1.1a/0002-man-section.patch
@@ -0,0 +1,54 @@
+From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
+Date: Sun, 5 Nov 2017 15:09:09 +0100
+Subject: man-section
+
+---
+ Configurations/unix-Makefile.tmpl | 6 ++++--
+ util/process_docs.pl              | 3 ++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index e7120194ef8c..527ac3dc234c 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -183,7 +183,8 @@ HTMLDIR=$(DOCDIR)/html
+ # MANSUFFIX is for the benefit of anyone who may want to have a suffix
+ # appended after the manpage file section number.  "ssl" is popular,
+ # resulting in files such as config.5ssl rather than config.5.
+-MANSUFFIX=
++MANSUFFIX=ssl
++MANSECTION=SSL
+ HTMLSUFFIX=html
+ 
+ # For "optional" echo messages, to get "real" silence
+@@ -721,7 +722,8 @@ uninstall_runtime: uninstall_programs uninstall_runtime_libs
+ 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ 	@$(ECHO) "*** Installing manpages"
+ 	$(PERL) $(SRCDIR)/util/process_docs.pl \
+-		--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
++		--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX) \
++		--mansection=$(MANSECTION)
+ 
+ uninstall_man_docs:
+ 	@$(ECHO) "*** Uninstalling manpages"
+diff --git a/util/process_docs.pl b/util/process_docs.pl
+index 30b149eb8fcc..424155ea808e 100755
+--- a/util/process_docs.pl
++++ b/util/process_docs.pl
+@@ -37,6 +37,7 @@ GetOptions(\%options,
+            'type=s',            # The result type, 'man' or 'html'
+            'suffix:s',          # Suffix to add to the extension.
+                                 # Only used with type=man
++           'mansection:s',      # Section to put to manpage in
+            'remove',            # To remove files rather than writing them
+            'dry-run|n',         # Only output file names on STDOUT
+            'debug|D+',
+@@ -97,7 +98,7 @@ foreach my $section (sort @{$options{section}}) {
+         my $name = uc $podname;
+         my $suffix = { man  => ".$podinfo{section}".($options{suffix} // ""),
+                        html => ".html" } -> {$options{type}};
+-        my $generate = { man  => "pod2man --name=$name --section=$podinfo{section} --center=OpenSSL --release=$config{version} \"$podpath\"",
++        my $generate = { man  => "pod2man --name=$name --section=$podinfo{section}$options{mansection} --center=OpenSSL --release=$config{version} \"$podpath\"",
+                          html => "pod2html \"--podroot=$options{sourcedir}\" --htmldir=$updir --podpath=man1:man3:man5:man7 \"--infile=$podpath\" \"--title=$podname\" --quiet"
+                          } -> {$options{type}};
+         my $output_dir = catdir($options{destdir}, "man$podinfo{section}");
diff --git a/patches/openssl-1.1.1a/0003-no-symbolic.patch b/patches/openssl-1.1.1a/0003-no-symbolic.patch
new file mode 100644
index 0000000..641bd0d
--- /dev/null
+++ b/patches/openssl-1.1.1a/0003-no-symbolic.patch
@@ -0,0 +1,21 @@
+From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
+Date: Sun, 5 Nov 2017 15:09:09 +0100
+Subject: no-symbolic
+
+---
+ Configurations/shared-info.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Configurations/shared-info.pl b/Configurations/shared-info.pl
+index 47eddd68355b..208132e7307f 100644
+--- a/Configurations/shared-info.pl
++++ b/Configurations/shared-info.pl
+@@ -25,7 +25,7 @@ sub detect_gnu_cc {
+ my %shared_info;
+ %shared_info = (
+     'gnu-shared' => {
+-        shared_ldflag         => '-shared -Wl,-Bsymbolic',
++        shared_ldflag         => '-shared',
+         shared_sonameflag     => '-Wl,-soname=',
+     },
+     'linux-shared' => sub {
diff --git a/patches/openssl-1.1.1a/0004-pic.patch b/patches/openssl-1.1.1a/0004-pic.patch
new file mode 100644
index 0000000..fb12b02
--- /dev/null
+++ b/patches/openssl-1.1.1a/0004-pic.patch
@@ -0,0 +1,186 @@
+From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
+Date: Sun, 5 Nov 2017 15:09:09 +0100
+Subject: pic
+
+---
+ crypto/des/asm/desboth.pl | 17 ++++++++++++++---
+ crypto/perlasm/cbc.pl     | 24 ++++++++++++++++++++----
+ crypto/perlasm/x86gas.pl  | 16 ++++++++++++++++
+ crypto/x86cpuid.pl        | 10 +++++-----
+ 4 files changed, 55 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl
+index ef7054e27506..50765d2b1552 100644
+--- a/crypto/des/asm/desboth.pl
++++ b/crypto/des/asm/desboth.pl
+@@ -23,6 +23,11 @@ sub DES_encrypt3
+ 
+ 	&push("edi");
+ 
++	&call   (&label("pic_point0"));
++	&set_label("pic_point0");
++	&blindpop("ebp");
++	&add    ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++
+ 	&comment("");
+ 	&comment("Load the data words");
+ 	&mov($L,&DWP(0,"ebx","",0));
+@@ -54,15 +59,21 @@ sub DES_encrypt3
+ 	&mov(&swtmp(2),	(DWC(($enc)?"1":"0")));
+ 	&mov(&swtmp(1),	"eax");
+ 	&mov(&swtmp(0),	"ebx");
+-	&call("DES_encrypt2");
++	&exch("ebx", "ebp");
++	&call("DES_encrypt2\@PLT");
++	&exch("ebx", "ebp");
+ 	&mov(&swtmp(2),	(DWC(($enc)?"0":"1")));
+ 	&mov(&swtmp(1),	"edi");
+ 	&mov(&swtmp(0),	"ebx");
+-	&call("DES_encrypt2");
++	&exch("ebx", "ebp");
++	&call("DES_encrypt2\@PLT");
++	&exch("ebx", "ebp");
+ 	&mov(&swtmp(2),	(DWC(($enc)?"1":"0")));
+ 	&mov(&swtmp(1),	"esi");
+ 	&mov(&swtmp(0),	"ebx");
+-	&call("DES_encrypt2");
++	&exch("ebx", "ebp");
++	&call("DES_encrypt2\@PLT");
++	&exch("ebx", "ebp");
+ 
+ 	&stack_pop(3);
+ 	&mov($L,&DWP(0,"ebx","",0));
+diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl
+index 01bafe457d68..c093be5a4fd6 100644
+--- a/crypto/perlasm/cbc.pl
++++ b/crypto/perlasm/cbc.pl
+@@ -129,7 +129,11 @@ sub cbc
+ 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put in array for call
+ 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+ 
+-	&call($enc_func);
++	&call	(&label("pic_point0"));
++	&set_label("pic_point0");
++	&blindpop("ebx");
++	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++	&call("$enc_func\@PLT");
+ 
+ 	&mov("eax",	&DWP($data_off,"esp","",0));
+ 	&mov("ebx",	&DWP($data_off+4,"esp","",0));
+@@ -192,7 +196,11 @@ sub cbc
+ 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put in array for call
+ 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+ 
+-	&call($enc_func);
++	&call	(&label("pic_point1"));
++	&set_label("pic_point1");
++	&blindpop("ebx");
++	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]");
++	&call("$enc_func\@PLT");
+ 
+ 	&mov("eax",	&DWP($data_off,"esp","",0));
+ 	&mov("ebx",	&DWP($data_off+4,"esp","",0));
+@@ -225,7 +233,11 @@ sub cbc
+ 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put back
+ 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+ 
+-	&call($dec_func);
++	&call	(&label("pic_point2"));
++	&set_label("pic_point2");
++	&blindpop("ebx");
++	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]");
++	&call("$dec_func\@PLT");
+ 
+ 	&mov("eax",	&DWP($data_off,"esp","",0));	# get return
+ 	&mov("ebx",	&DWP($data_off+4,"esp","",0));	#
+@@ -268,7 +280,11 @@ sub cbc
+ 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put back
+ 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+ 
+-	&call($dec_func);
++	&call	(&label("pic_point3"));
++	&set_label("pic_point3");
++	&blindpop("ebx");
++	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]");
++	&call("$dec_func\@PLT");
+ 
+ 	&mov("eax",	&DWP($data_off,"esp","",0));	# get return
+ 	&mov("ebx",	&DWP($data_off+4,"esp","",0));	#
+diff --git a/crypto/perlasm/x86gas.pl b/crypto/perlasm/x86gas.pl
+index 5c7ea3880e4d..7e49b55e97c7 100644
+--- a/crypto/perlasm/x86gas.pl
++++ b/crypto/perlasm/x86gas.pl
+@@ -170,6 +170,7 @@ sub ::file_end
+ 	if ($::macosx)	{ push (@out,"$tmp,2\n"); }
+ 	elsif ($::elf)	{ push (@out,"$tmp,4\n"); }
+ 	else		{ push (@out,"$tmp\n"); }
++	if ($::elf)	{ push (@out,".hidden\tOPENSSL_ia32cap_P\n"); }
+     }
+     push(@out,$initseg) if ($initseg);
+ }
+@@ -228,8 +229,23 @@ ___
+     elsif ($::elf)
+     {	$initseg.=<<___;
+ .section	.init
++___
++        if ($::pic)
++	{   $initseg.=<<___;
++	pushl	%ebx
++	call	.pic_point0
++.pic_point0:
++	popl	%ebx
++	addl	\$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx
++	call	$f\@PLT
++	popl	%ebx
++___
++	}
++	else
++	{   $initseg.=<<___;
+ 	call	$f
+ ___
++	}
+     }
+     elsif ($::coff)
+     {   $initseg.=<<___;	# applies to both Cygwin and Mingw
+diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
+index d43dda4d935c..d72a36fbf0c5 100644
+--- a/crypto/x86cpuid.pl
++++ b/crypto/x86cpuid.pl
+@@ -18,6 +18,8 @@ open OUT,">$output";
+ 
+ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ 
++push(@out, ".hidden OPENSSL_ia32cap_P\n");
++
+ &function_begin("OPENSSL_ia32_cpuid");
+ 	&xor	("edx","edx");
+ 	&pushf	();
+@@ -163,9 +165,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ &set_label("nocpuid");
+ &function_end("OPENSSL_ia32_cpuid");
+ 
+-&external_label("OPENSSL_ia32cap_P");
+-
+-&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_rdtsc");
+ 	&xor	("eax","eax");
+ 	&xor	("edx","edx");
+ 	&picmeup("ecx","OPENSSL_ia32cap_P");
+@@ -179,7 +179,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
+ # but it's safe to call it on any [supported] 32-bit platform...
+ # Just check for [non-]zero return value...
+-&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_instrument_halt");
+ 	&picmeup("ecx","OPENSSL_ia32cap_P");
+ 	&bt	(&DWP(0,"ecx"),4);
+ 	&jnc	(&label("nohalt"));	# no TSC
+@@ -246,7 +246,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ 	&ret	();
+ &function_end_B("OPENSSL_far_spin");
+ 
+-&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_wipe_cpu");
+ 	&xor	("eax","eax");
+ 	&xor	("edx","edx");
+ 	&picmeup("ecx","OPENSSL_ia32cap_P");
diff --git a/patches/openssl-1.1.1a/0005-c_rehash-compat.patch b/patches/openssl-1.1.1a/0005-c_rehash-compat.patch
new file mode 100644
index 0000000..1ed5050
--- /dev/null
+++ b/patches/openssl-1.1.1a/0005-c_rehash-compat.patch
@@ -0,0 +1,72 @@
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Wed, 21 Apr 2010 15:52:10 +0200
+Subject: [PATCH] also create old hash for compatibility
+
+---
+ tools/c_rehash.in | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index 421fd892086f..5ad1ab1d655f 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -17,8 +17,6 @@ my $prefix = {- quotify1($config{prefix}) -};
+ my $errorcount = 0;
+ my $openssl = $ENV{OPENSSL} || "openssl";
+ my $pwd;
+-my $x509hash = "-subject_hash";
+-my $crlhash = "-hash";
+ my $verbose = 0;
+ my $symlink_exists=eval {symlink("",""); 1};
+ my $removelinks = 1;
+@@ -27,10 +25,7 @@ my $removelinks = 1;
+ while ( $ARGV[0] =~ /^-/ ) {
+     my $flag = shift @ARGV;
+     last if ( $flag eq '--');
+-    if ( $flag eq '-old') {
+-	    $x509hash = "-subject_hash_old";
+-	    $crlhash = "-hash_old";
+-    } elsif ( $flag eq '-h' || $flag eq '-help' ) {
++    if ( $flag eq '-h' || $flag eq '-help' ) {
+ 	    help();
+     } elsif ( $flag eq '-n' ) {
+ 	    $removelinks = 0;
+@@ -128,7 +123,9 @@ sub hash_dir {
+ 			next;
+ 		}
+ 		link_hash_cert($fname) if ($cert);
++		link_hash_cert_old($fname) if ($cert);
+ 		link_hash_crl($fname) if ($crl);
++		link_hash_crl_old($fname) if ($crl);
+ 	}
+ }
+ 
+@@ -161,6 +158,7 @@ sub check_file {
+ 
+ sub link_hash_cert {
+ 		my $fname = $_[0];
++		my $x509hash = $_[1] || '-subject_hash';
+ 		$fname =~ s/'/'\\''/g;
+ 		my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ 		chomp $hash;
+@@ -198,10 +196,20 @@ sub link_hash_cert {
+ 		$hashlist{$hash} = $fprint;
+ }
+ 
++sub link_hash_cert_old {
++		link_hash_cert($_[0], '-subject_hash_old');
++}
++
++sub link_hash_crl_old {
++		link_hash_crl($_[0], '-hash_old');
++}
++
++
+ # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
+ 
+ sub link_hash_crl {
+ 		my $fname = $_[0];
++		my $crlhash = $_[1] || "-hash";
+ 		$fname =~ s/'/'\\''/g;
+ 		my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
+ 		chomp $hash;
diff --git a/patches/openssl-1.1.1a/0006-Set-systemwide-default-settings-for-libssl-users.patch b/patches/openssl-1.1.1a/0006-Set-systemwide-default-settings-for-libssl-users.patch
new file mode 100644
index 0000000..9de855e
--- /dev/null
+++ b/patches/openssl-1.1.1a/0006-Set-systemwide-default-settings-for-libssl-users.patch
@@ -0,0 +1,42 @@
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Tue, 20 Mar 2018 22:07:30 +0100
+Subject: Set systemwide default settings for libssl users
+
+This config change enforeces a TLS1.2 protocol version as minimum. It
+can be overwritten by the system administrator.
+
+It also changes the default security level from 1 to 2, moving from the 80 bit
+security level to the 112 bit security level.
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ apps/openssl.cnf | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 6df2878d5021..d155d1eda0bd 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -15,6 +15,9 @@ HOME			= .
+ #oid_file		= $ENV::HOME/.oid
+ oid_section		= new_oids
+ 
++# System default
++openssl_conf = default_conf
++
+ # To use this configuration file with the "-extfile" option of the
+ # "openssl x509" utility, name here the section containing the
+ # X.509v3 extensions to use:
+@@ -348,3 +351,12 @@ ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+ 				# (optional, default: no)
+ ess_cert_id_alg		= sha1	# algorithm to compute certificate
+ 				# identifier (optional, default: sha1)
++[default_conf]
++ssl_conf = ssl_sect
++
++[ssl_sect]
++system_default = system_default_sect
++
++[system_default_sect]
++MinProtocol = TLSv1.2
++CipherString = DEFAULT@SECLEVEL=2
diff --git a/patches/openssl-1.1.1a/series b/patches/openssl-1.1.1a/series
new file mode 100644
index 0000000..003a7c4
--- /dev/null
+++ b/patches/openssl-1.1.1a/series
@@ -0,0 +1,6 @@
+0001-debian-targets.patch
+0002-man-section.patch
+0003-no-symbolic.patch
+0004-pic.patch
+0005-c_rehash-compat.patch
+0006-Set-systemwide-default-settings-for-libssl-users.patch
diff --git a/rules/openssl.make b/rules/openssl.make
index d514077..0ace6c3 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -18,10 +18,10 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 #
 # Paths and names
 #
-OPENSSL_BASE	:= 1.0.2
-OPENSSL_BUGFIX	:= q
+OPENSSL_BASE	:= 1.1.1
+OPENSSL_BUGFIX	:= a
 OPENSSL_VERSION	:= $(OPENSSL_BASE)$(OPENSSL_BUGFIX)
-OPENSSL_MD5	:= 7563e1ce046cb21948eeb6ba1a0eb71c
+OPENSSL_MD5	:= 963deb2272d6be7d4c2458afd2517b73
 OPENSSL		:= openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX	:= tar.gz
 OPENSSL_URL	:= \
@@ -74,7 +74,7 @@ endif
 OPENSSL_CONF_OPT := \
 	--prefix=/usr \
 	--openssldir=/usr/lib/ssl \
-	--install_prefix=$(OPENSSL_PKGDIR) \
+	DESTDIR=$(OPENSSL_PKGDIR) \
 	shared
 
 OPENSSL_INSTALL_OPT := \
@@ -106,7 +106,7 @@ ifdef PTXCONF_OPENSSL_BIN
 endif
 
 	@$(call install_alternative, openssl, 0, 0, 0644, \
-		/usr/lib/ssl/openssl.cnf)
+		/apps/openssl.cnf)
 
 	@$(call install_lib, openssl, 0, 0, 0644, libssl)
 	@$(call install_lib, openssl, 0, 0, 0644, libcrypto)
-- 
1.9.1


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

                 reply	other threads:[~2019-01-09 14:13 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1547043230-11866-1-git-send-email-oliver.graute@neuhaus.de \
    --to=oliver.graute@gmail.com \
    --cc=oliver.graute@neuhaus.de \
    --cc=ptxdist@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox