MIRRORS/meta-freescale
1
0
Fork 0
mirror of git://git.yoctoproject.org/meta-freescale.git synced 2025-10-22 14:52:19 +02:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

openssl-qoriq: remove bbappend and patches

Browse Source 
As oe-core upgrades openssl to 3.0.0, the two patches don't apply any
more. Currenly no plan to port them for 3.0.0. Remove to not break build.

Signed-off-by: Ting Liu <ting.liu@nxp.com>
This commit is contained in:
Ting Liu 2021-10-15 16:05:56 +08:00
parent 537fc132d9
commit f367bae4cd
4 changed files with 0 additions and 694 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

389
recipes-connectivity/openssl/openssl-qoriq/0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch
View File

@ -1,389 +0,0 @@
From 501988587567b996c9c4a14239f575e77ed27791 Mon Sep 17 00:00:00 2001
From: Pankaj Gupta <pankaj.gupta@nxp.com>
Date: Fri, 20 Sep 2019 12:18:16 +0530
Subject: [PATCH 1/2] eng_devcrypto: add support for TLS algorithms offload
- aes-128-cbc-hmac-sha1
- aes-256-cbc-hmac-sha1
Requires TLS patches on cryptodev and TLS algorithm support in Linux
kernel driver.
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
---
crypto/engine/eng_devcrypto.c | 265 +++++++++++++++++++++++++++++-----
1 file changed, 231 insertions(+), 34 deletions(-)
diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
index 49e9ce1af3..727a660e75 100644
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -60,6 +60,9 @@ struct cipher_ctx {
struct session_op sess;
int op; /* COP_ENCRYPT or COP_DECRYPT */
unsigned long mode; /* EVP_CIPH_*_MODE */
+ unsigned char *aad;
+ unsigned int aad_len;
+ unsigned int len;
/* to handle ctr mode being a stream cipher */
unsigned char partial[EVP_MAX_BLOCK_LENGTH];
@@ -73,49 +76,62 @@ static const struct cipher_data_st {
int ivlen;
int flags;
int devcryptoid;
+ int mackeylen;
} cipher_data[] = {
#ifndef OPENSSL_NO_DES
- { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC },
- { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC },
+ { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC, 0 },
+ { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC, 0 },
#endif
#ifndef OPENSSL_NO_BF
- { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC },
+ { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC, 0 },
#endif
#ifndef OPENSSL_NO_CAST
- { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC },
+ { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC, 0 },
#endif
- { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
- { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
- { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
+ { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 },
+ { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 },
+ { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 },
+ { NID_aes_128_cbc_hmac_sha1, 16, 16, 16,
+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+ CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 },
+ { NID_aes_256_cbc_hmac_sha1, 16, 32, 16,
+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+ CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 },
#ifndef OPENSSL_NO_RC4
- { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 },
+ { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4, 0 },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR)
- { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
- { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
- { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
+ { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 },
+ { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 },
+ { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 },
#endif
#if 0 /* Not yet supported */
- { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
- { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
+ { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS,
+ 0 },
+ { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS,
+ 0 },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
- { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
- { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
- { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
+ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
+ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
#endif
#if 0 /* Not yet supported */
- { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
- { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
- { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
+ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
+ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
+ { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
+#endif
+#ifdef OPENSSL_NXP_CAAM
+ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
+ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
#endif
#ifndef OPENSSL_NO_CAMELLIA
{ NID_camellia_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE,
- CRYPTO_CAMELLIA_CBC },
+ CRYPTO_CAMELLIA_CBC, 0 },
{ NID_camellia_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE,
- CRYPTO_CAMELLIA_CBC },
+ CRYPTO_CAMELLIA_CBC, 0 },
{ NID_camellia_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE,
- CRYPTO_CAMELLIA_CBC },
+ CRYPTO_CAMELLIA_CBC, 0 },
#endif
};
@@ -141,6 +157,158 @@ static const struct cipher_data_st *get_cipher_data(int nid)
return &cipher_data[get_cipher_data_index(nid)];
}
+/*
+ * Save the encryption key provided by upper layers. This function is called
+ * by EVP_CipherInit_ex to initialize the algorithm's extra data. We can't do
+ * much here because the mac key is not available. The next call should/will
+ * be to cryptodev_cbc_hmac_sha1_ctrl with parameter
+ * EVP_CTRL_AEAD_SET_MAC_KEY, to set the hmac key. There we call CIOCGSESSION
+ * with both the crypto and hmac keys.
+ */
+static int cryptodev_init_aead_key(EVP_CIPHER_CTX *ctx,
+ const unsigned char *key, const unsigned char *iv, int enc)
+{
+ struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx);
+ struct session_op *sess = &state->sess;
+ int cipher = -1, i;
+
+ for (i = 0; cipher_data[i].devcryptoid; i++) {
+ if (EVP_CIPHER_CTX_nid(ctx) == cipher_data[i].nid &&
+ EVP_CIPHER_CTX_iv_length(ctx) <= cipher_data[i].ivlen &&
+ EVP_CIPHER_CTX_key_length(ctx) == cipher_data[i].keylen) {
+ cipher = cipher_data[i].devcryptoid;
+ break;
+ }
+ }
+
+ if (!cipher_data[i].devcryptoid)
+ return (0);
+
+ memset(sess, 0, sizeof(*sess));
+
+ sess->key = (void *) key;
+ sess->keylen = EVP_CIPHER_CTX_key_length(ctx);
+ sess->cipher = cipher;
+
+ /* for whatever reason, (1) means success */
+ return 1;
+}
+
+static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ struct crypt_auth_op cryp;
+ struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx);
+ struct session_op *sess = &state->sess;
+ const void *iiv;
+ unsigned char save_iv[EVP_MAX_IV_LENGTH];
+
+ if (cfd < 0)
+ return (0);
+ if (!len)
+ return (1);
+ if ((len % EVP_CIPHER_CTX_block_size(ctx)) != 0)
+ return (0);
+
+ memset(&cryp, 0, sizeof(cryp));
+
+ /* TODO: make a seamless integration with cryptodev flags */
+ switch (EVP_CIPHER_CTX_nid(ctx)) {
+ case NID_aes_128_cbc_hmac_sha1:
+ case NID_aes_256_cbc_hmac_sha1:
+ cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
+ }
+ cryp.ses = sess->ses;
+ cryp.len = state->len;
+ cryp.src = (void *) in;
+ cryp.dst = (void *) out;
+ cryp.auth_src = state->aad;
+ cryp.auth_len = state->aad_len;
+
+ cryp.op = EVP_CIPHER_CTX_encrypting(ctx) ? COP_ENCRYPT : COP_DECRYPT;
+
+ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
+ cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx);
+ if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+ iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx);
+ memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx));
+ }
+ } else
+ cryp.iv = NULL;
+
+ if (ioctl(cfd, CIOCAUTHCRYPT, &cryp) == -1) {
+ /*
+ * XXX need better errror handling this can fail for a number of
+ * different reasons.
+ */
+ return 0;
+ }
+
+ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
+ if (EVP_CIPHER_CTX_encrypting(ctx))
+ iiv = out + len - EVP_CIPHER_CTX_iv_length(ctx);
+ else
+ iiv = save_iv;
+
+ memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iiv,
+ EVP_CIPHER_CTX_iv_length(ctx));
+ }
+ return 1;
+}
+
+static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
+ int arg, void *ptr)
+{
+ switch (type) {
+ case EVP_CTRL_AEAD_SET_MAC_KEY:
+ {
+ /* TODO: what happens with hmac keys larger than 64 bytes? */
+ struct cipher_ctx *state =
+ EVP_CIPHER_CTX_get_cipher_data(ctx);
+ struct session_op *sess = &state->sess;
+
+ /* the rest should have been set in cryptodev_init_aead_key */
+ sess->mackey = ptr;
+ sess->mackeylen = arg;
+ if (ioctl(cfd, CIOCGSESSION, sess) == -1)
+ return 0;
+
+ return 1;
+ }
+ case EVP_CTRL_AEAD_TLS1_AAD:
+ {
+ /* ptr points to the associated data buffer of 13 bytes */
+ struct cipher_ctx *state =
+ EVP_CIPHER_CTX_get_cipher_data(ctx);
+ unsigned char *p = ptr;
+ unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1];
+ unsigned int maclen, padlen;
+ unsigned int bs = EVP_CIPHER_CTX_block_size(ctx);
+
+ state->aad = ptr;
+ state->aad_len = arg;
+ state->len = cryptlen;
+
+ /* TODO: this should be an extension of EVP_CIPHER struct */
+ switch (EVP_CIPHER_CTX_nid(ctx)) {
+ case NID_aes_128_cbc_hmac_sha1:
+ case NID_aes_256_cbc_hmac_sha1:
+ maclen = SHA_DIGEST_LENGTH;
+ }
+
+ /* space required for encryption (not only TLS padding) */
+ padlen = maclen;
+ if (EVP_CIPHER_CTX_encrypting(ctx)) {
+ cryptlen += maclen;
+ padlen += bs - (cryptlen % bs);
+ }
+ return padlen;
+ }
+ default:
+ return -1;
+ }
+}
+
/*
* Following are the three necessary functions to map OpenSSL functionality
* with cryptodev.
@@ -165,6 +333,7 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT;
cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE;
cipher_ctx->blocksize = cipher_d->blocksize;
+
if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
@@ -180,6 +349,7 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
struct crypt_op cryp;
unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
+
#if !defined(COP_FLAG_WRITE_IV)
unsigned char saved_iv[EVP_MAX_IV_LENGTH];
const unsigned char *ivptr;
@@ -340,32 +510,59 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
static int known_cipher_nids[OSSL_NELEM(cipher_data)];
static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */
static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, };
+int (*init) (EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ const unsigned char *iv, int enc);
+int (*do_cipher) (EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl);
+int (*ctrl) (EVP_CIPHER_CTX *, int type, int arg, void *ptr);
static void prepare_cipher_methods(void)
{
size_t i;
struct session_op sess;
unsigned long cipher_mode;
+ unsigned long flags;
memset(&sess, 0, sizeof(sess));
sess.key = (void *)"01234567890123456789012345678901234567890123456789";
+ sess.mackey = (void *)"123456789ABCDEFGHIJKLMNO";
for (i = 0, known_cipher_nids_amount = 0;
i < OSSL_NELEM(cipher_data); i++) {
+ init = cipher_init;
+ ctrl = cipher_ctrl;
+ flags = cipher_data[i].flags
+ | EVP_CIPH_CUSTOM_COPY
+ | EVP_CIPH_CTRL_INIT
+ | EVP_CIPH_FLAG_DEFAULT_ASN1;
+
/*
* Check that the algo is really availably by trying to open and close
* a session.
*/
sess.cipher = cipher_data[i].devcryptoid;
sess.keylen = cipher_data[i].keylen;
+ sess.mackeylen = cipher_data[i].mackeylen;
+
+ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
+
+ do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ?
+ ctr_do_cipher :
+ cipher_do_cipher);
+ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1
+ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1) {
+ init = cryptodev_init_aead_key;
+ do_cipher = cryptodev_aead_cipher;
+ ctrl = cryptodev_cbc_hmac_sha1_ctrl;
+ flags = cipher_data[i].flags;
+ }
+
if (ioctl(cfd, CIOCGSESSION, &sess) < 0
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
continue;
- cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
-
- if ((known_cipher_methods[i] =
+ if ((known_cipher_methods[i] =
EVP_CIPHER_meth_new(cipher_data[i].nid,
cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
cipher_data[i].blocksize,
@@ -373,16 +570,12 @@ static void prepare_cipher_methods(void)
|| !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
cipher_data[i].ivlen)
|| !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
- cipher_data[i].flags
- | EVP_CIPH_CUSTOM_COPY
- | EVP_CIPH_CTRL_INIT
- | EVP_CIPH_FLAG_DEFAULT_ASN1)
- || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
+ flags)
+ || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], init)
|| !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
- cipher_mode == EVP_CIPH_CTR_MODE ?
- ctr_do_cipher :
- cipher_do_cipher)
- || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
+ do_cipher)
+ /* AEAD Support to be added. */
+ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], ctrl)
|| !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
cipher_cleanup)
|| !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
@@ -393,6 +586,10 @@ static void prepare_cipher_methods(void)
known_cipher_nids[known_cipher_nids_amount++] =
cipher_data[i].nid;
}
+
+ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1
+ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1)
+ EVP_add_cipher(known_cipher_methods[i]);
}
}
--
2.17.1

285
recipes-connectivity/openssl/openssl-qoriq/0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch
View File

@ -1,285 +0,0 @@
From db9d8be9d0d81bdb2ddb78f8616243593a3d24c5 Mon Sep 17 00:00:00 2001
From: Pankaj Gupta <pankaj.gupta@nxp.com>
Date: Fri, 10 Jan 2020 15:38:38 +0530
Subject: [PATCH 2/2] eng_devcrypto: add support for TLS1.2 algorithms offload
- aes-128-cbc-hmac-sha256
- aes-256-cbc-hmac-sha256
Enabled the support of TLS1.1 algorithms offload
- aes-128-cbc-hmac-sha1
- aes-256-cbc-hmac-sha1
Requires TLS patches on cryptodev and TLS algorithm support in Linux
kernel driver.
Fix: Remove the support for TLS1.0.
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Signed-off-by: Arun Pathak <arun.pathak@nxp.com>
---
crypto/engine/eng_devcrypto.c | 133 +++++++++++++++++++++++-----------
1 file changed, 90 insertions(+), 43 deletions(-)
diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
index 727a660e75..be63f65e04 100644
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -25,6 +25,7 @@
#include "crypto/engine.h"
/* #define ENGINE_DEVCRYPTO_DEBUG */
+#define TLS1_1_VERSION 0x0302
#if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX
# define CHECK_BSD_STYLE_MACROS
@@ -67,6 +68,7 @@ struct cipher_ctx {
/* to handle ctr mode being a stream cipher */
unsigned char partial[EVP_MAX_BLOCK_LENGTH];
unsigned int blocksize, num;
+ unsigned int tls_ver;
};
static const struct cipher_data_st {
@@ -92,11 +94,17 @@ static const struct cipher_data_st {
{ NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 },
{ NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 },
{ NID_aes_128_cbc_hmac_sha1, 16, 16, 16,
- EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
- CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 },
+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 },
{ NID_aes_256_cbc_hmac_sha1, 16, 32, 16,
- EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
- CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 },
+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 },
+ { NID_aes_128_cbc_hmac_sha256, 16, 16, 16,
+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+ CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 },
+ { NID_aes_256_cbc_hmac_sha256, 16, 32, 16,
+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+ CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 },
#ifndef OPENSSL_NO_RC4
{ NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4, 0 },
#endif
@@ -107,9 +115,9 @@ static const struct cipher_data_st {
#endif
#if 0 /* Not yet supported */
{ NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS,
- 0 },
+ 0 },
{ NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS,
- 0 },
+ 0 },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
{ NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
@@ -166,7 +174,7 @@ static const struct cipher_data_st *get_cipher_data(int nid)
* with both the crypto and hmac keys.
*/
static int cryptodev_init_aead_key(EVP_CIPHER_CTX *ctx,
- const unsigned char *key, const unsigned char *iv, int enc)
+ const unsigned char *key, const unsigned char *iv, int enc)
{
struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx);
struct session_op *sess = &state->sess;
@@ -212,10 +220,29 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
memset(&cryp, 0, sizeof(cryp));
+ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
+ if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+ iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx);
+ memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx));
+
+ if (state->tls_ver >= TLS1_1_VERSION) {
+ memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), in,
+ EVP_CIPHER_CTX_iv_length(ctx));
+ in += EVP_CIPHER_CTX_iv_length(ctx);
+ out += EVP_CIPHER_CTX_iv_length(ctx);
+ len -= EVP_CIPHER_CTX_iv_length(ctx);
+ }
+ }
+ cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx);
+ } else
+ cryp.iv = NULL;
+
/* TODO: make a seamless integration with cryptodev flags */
switch (EVP_CIPHER_CTX_nid(ctx)) {
case NID_aes_128_cbc_hmac_sha1:
case NID_aes_256_cbc_hmac_sha1:
+ case NID_aes_128_cbc_hmac_sha256:
+ case NID_aes_256_cbc_hmac_sha256:
cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
}
cryp.ses = sess->ses;
@@ -227,15 +254,6 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
cryp.op = EVP_CIPHER_CTX_encrypting(ctx) ? COP_ENCRYPT : COP_DECRYPT;
- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
- cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx);
- if (!EVP_CIPHER_CTX_encrypting(ctx)) {
- iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx);
- memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx));
- }
- } else
- cryp.iv = NULL;
-
if (ioctl(cfd, CIOCAUTHCRYPT, &cryp) == -1) {
/*
* XXX need better errror handling this can fail for a number of
@@ -262,7 +280,7 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
switch (type) {
case EVP_CTRL_AEAD_SET_MAC_KEY:
{
- /* TODO: what happens with hmac keys larger than 64 bytes? */
+ /* TODO: what happens with hmac keys larger than 64 bytes? */
struct cipher_ctx *state =
EVP_CIPHER_CTX_get_cipher_data(ctx);
struct session_op *sess = &state->sess;
@@ -282,27 +300,52 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
EVP_CIPHER_CTX_get_cipher_data(ctx);
unsigned char *p = ptr;
unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1];
- unsigned int maclen, padlen;
- unsigned int bs = EVP_CIPHER_CTX_block_size(ctx);
+ unsigned int maclen;
+ unsigned int blocksize = EVP_CIPHER_CTX_block_size(ctx);
+ int ret;
+ state->tls_ver = p[arg - 4] << 8 | p[arg - 3];
state->aad = ptr;
state->aad_len = arg;
- state->len = cryptlen;
/* TODO: this should be an extension of EVP_CIPHER struct */
switch (EVP_CIPHER_CTX_nid(ctx)) {
case NID_aes_128_cbc_hmac_sha1:
case NID_aes_256_cbc_hmac_sha1:
maclen = SHA_DIGEST_LENGTH;
+ break;
+ case NID_aes_128_cbc_hmac_sha256:
+ case NID_aes_256_cbc_hmac_sha256:
+ maclen = SHA256_DIGEST_LENGTH;
+ break;
+ default:
+ /*
+ * Only above 4 supported NIDs are used to enter to this
+ * function. If any other NID reaches this function,
+ * there's a grave coding error further down.
+ */
+ assert("Code that never should be reached" == NULL);
+ return -1;
}
/* space required for encryption (not only TLS padding) */
- padlen = maclen;
if (EVP_CIPHER_CTX_encrypting(ctx)) {
- cryptlen += maclen;
- padlen += bs - (cryptlen % bs);
+ if (state->tls_ver >= TLS1_1_VERSION) {
+ p[arg - 2] = (cryptlen - blocksize) >> 8;
+ p[arg - 1] = (cryptlen - blocksize);
+ }
+ ret = (int)(((cryptlen + maclen +
+ blocksize) & -blocksize) - cryptlen);
+ } else {
+ if (state->tls_ver >= TLS1_1_VERSION) {
+ cryptlen -= blocksize;
+ p[arg - 2] = cryptlen >> 8;
+ p[arg - 1] = cryptlen;
+ }
+ ret = maclen;
}
- return padlen;
+ state->len = cryptlen;
+ return ret;
}
default:
return -1;
@@ -510,11 +553,11 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
static int known_cipher_nids[OSSL_NELEM(cipher_data)];
static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */
static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, };
-int (*init) (EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc);
-int (*do_cipher) (EVP_CIPHER_CTX *ctx, unsigned char *out,
- const unsigned char *in, size_t inl);
-int (*ctrl) (EVP_CIPHER_CTX *, int type, int arg, void *ptr);
+int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ const unsigned char *iv, int enc);
+int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl);
+int (*ctrl)(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
static void prepare_cipher_methods(void)
{
@@ -543,26 +586,28 @@ static void prepare_cipher_methods(void)
*/
sess.cipher = cipher_data[i].devcryptoid;
sess.keylen = cipher_data[i].keylen;
- sess.mackeylen = cipher_data[i].mackeylen;
+ sess.mackeylen = cipher_data[i].mackeylen;
cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
- do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ?
+ do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ?
ctr_do_cipher :
cipher_do_cipher);
- if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1
- || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1) {
- init = cryptodev_init_aead_key;
- do_cipher = cryptodev_aead_cipher;
- ctrl = cryptodev_cbc_hmac_sha1_ctrl;
- flags = cipher_data[i].flags;
- }
+ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1
+ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1
+ || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256
+ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256) {
+ init = cryptodev_init_aead_key;
+ do_cipher = cryptodev_aead_cipher;
+ ctrl = cryptodev_cbc_hmac_sha1_ctrl;
+ flags = cipher_data[i].flags;
+ }
if (ioctl(cfd, CIOCGSESSION, &sess) < 0
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
continue;
- if ((known_cipher_methods[i] =
+ if ((known_cipher_methods[i] =
EVP_CIPHER_meth_new(cipher_data[i].nid,
cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
cipher_data[i].blocksize,
@@ -574,7 +619,7 @@ static void prepare_cipher_methods(void)
|| !EVP_CIPHER_meth_set_init(known_cipher_methods[i], init)
|| !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
do_cipher)
- /* AEAD Support to be added. */
+ /* AEAD Support to be added. */
|| !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], ctrl)
|| !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
cipher_cleanup)
@@ -587,9 +632,11 @@ static void prepare_cipher_methods(void)
cipher_data[i].nid;
}
- if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1
- || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1)
- EVP_add_cipher(known_cipher_methods[i]);
+ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1
+ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1
+ || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256
+ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256)
+ EVP_add_cipher(known_cipher_methods[i]);
}
}
--
2.17.1

12
recipes-connectivity/openssl/openssl-qoriq/run-ptest
View File

@ -1,12 +0,0 @@
#!/bin/sh
set -e
# Optional arguments are 'list' to lists all tests, or the test name (base name
# ie test_evp, not 03_test_evp.t).
export TOP=.
# OPENSSL_ENGINES is relative from the test binaries
export OPENSSL_ENGINES=../engines
perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;'

8
recipes-connectivity/openssl/openssl_%.bbappend
View File

@ -1,8 +0,0 @@
FILESEXTRAPATHS:append := "${THISDIR}/${PN}-qoriq:"
SRC_URI:append:qoriq = " \
file://0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch \
file://0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch \
"
PACKAGECONFIG:append:qoriq = " cryptodev-linux"