Diffstat (limited to 'recipes-connectivity/openssl/openssl-qoriq/qoriq/0016-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch')
-rw-r--r-- | recipes-connectivity/openssl/openssl-qoriq/qoriq/0016-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch | 338 |
1 files changed, 338 insertions, 0 deletions
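--- /dev/null
+++ b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0016-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch
@@ -0,0 +1,338 @@
+From 3f34089ab0a3b31ec6b31a6cbf308ca20c6ef597 Mon Sep 17 00:00:00 2001
+From: Cristian Stoica <cristian.stoica@nxp.com>
+Date: Fri, 22 Jan 2016 11:58:34 +0200
+Subject: [PATCH 16/48] eng_cryptodev: add support for TLSv1.1 record offload
+
+Supported cipher suites:
+- 3des-ede-cbc-sha
+- aes-128-cbc-hmac-sha
+- aes-256-cbc-hmac-sha
+
+Requires TLS patches on cryptodev and TLS algorithm support in Linux
+kernel driver.
+
+Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
+Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>
+---
+crypto/engine/eng_cryptodev.c | 96 ++++++++++++++++++++++++++++++++++++++++++-
+crypto/objects/obj_dat.h | 18 ++++++--
+crypto/objects/obj_mac.h | 12 ++++++
+crypto/objects/obj_mac.num | 3 ++
+crypto/objects/objects.txt | 3 ++
+ssl/ssl_ciph.c | 28 ++++++++++---
+6 files changed, 151 insertions(+), 9 deletions(-)
+
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index 8f73a18..e37a661 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -66,6 +66,7 @@ void ENGINE_load_cryptodev(void)
+# include <sys/ioctl.h>
+# include <errno.h>
+# include <stdio.h>
++# include <stdbool.h>
+# include <unistd.h>
+# include <fcntl.h>
+# include <stdarg.h>
+@@ -135,6 +136,9 @@ void ENGINE_load_cryptodev(void);
+const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
++const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1;
++const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1;
++const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1;
+
+inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin, int *bin_len)
+{
+@@ -294,6 +298,18 @@ static struct {
+CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20
+},
+{
++ CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8,
++ 24, 20
++ },
++ {
++ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16,
++ 20
++ },
++ {
++ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32,
++ 20
++ },
++ {
+CRYPTO_AES_GCM, NID_aes_128_gcm, 16, 16, 0
+},
+{
+@@ -526,6 +542,15 @@ static int cryptodev_usable_ciphers(const int **nids)
+case NID_des_ede3_cbc_hmac_sha1:
+EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1);
+break;
++ case NID_tls11_des_ede3_cbc_hmac_sha1:
++ EVP_add_cipher(&cryptodev_tls11_3des_cbc_hmac_sha1);
++ break;
++ case NID_tls11_aes_128_cbc_hmac_sha1:
++ EVP_add_cipher(&cryptodev_tls11_aes_128_cbc_hmac_sha1);
++ break;
++ case NID_tls11_aes_256_cbc_hmac_sha1:
++ EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1);
++ break;
+}
+}
+return count;
+@@ -631,6 +656,9 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+case NID_aes_128_cbc_hmac_sha1:
+case NID_aes_256_cbc_hmac_sha1:
+case NID_des_ede3_cbc_hmac_sha1:
++ case NID_tls11_des_ede3_cbc_hmac_sha1:
++ case NID_tls11_aes_128_cbc_hmac_sha1:
++ case NID_tls11_aes_256_cbc_hmac_sha1:
+cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
+}
+cryp.ses = sess->ses;
+@@ -810,8 +838,9 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
+struct dev_crypto_state *state = ctx->cipher_data;
+unsigned char *p = ptr;
+unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1];
+- unsigned int maclen, padlen;
++ unsigned int maclen, padlen, len;
+unsigned int bs = ctx->cipher->block_size;
++ bool aad_needs_fix = false;
+
+state->aad = ptr;
+state->aad_len = arg;
+@@ -823,6 +852,20 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
+case NID_aes_256_cbc_hmac_sha1:
+case NID_des_ede3_cbc_hmac_sha1:
+maclen = SHA_DIGEST_LENGTH;
++ break;
++ case NID_tls11_des_ede3_cbc_hmac_sha1:
++ case NID_tls11_aes_128_cbc_hmac_sha1:
++ case NID_tls11_aes_256_cbc_hmac_sha1:
++ maclen = SHA_DIGEST_LENGTH;
++ aad_needs_fix = true;
++ break;
++ }
++
++ /* Correct length for AAD Length field */
++ if (ctx->encrypt && aad_needs_fix) {
++ len = cryptlen - bs;
++ p[arg - 2] = len >> 8;
++ p[arg - 1] = len & 0xff;
+}
+
+/* space required for encryption (not only TLS padding) */
+@@ -1185,6 +1228,48 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1 = {
+NULL
+};
+
++const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1 = {
++ NID_tls11_des_ede3_cbc_hmac_sha1,
++ 8, 24, 8,
++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++ cryptodev_init_aead_key,
++ cryptodev_aead_cipher,
++ cryptodev_cleanup,
++ sizeof(struct dev_crypto_state),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ cryptodev_cbc_hmac_sha1_ctrl,
++ NULL
++};
++
++const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1 = {
++ NID_tls11_aes_128_cbc_hmac_sha1,
++ 16, 16, 16,
++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++ cryptodev_init_aead_key,
++ cryptodev_aead_cipher,
++ cryptodev_cleanup,
++ sizeof(struct dev_crypto_state),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ cryptodev_cbc_hmac_sha1_ctrl,
++ NULL
++};
++
++const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = {
++ NID_tls11_aes_256_cbc_hmac_sha1,
++ 16, 32, 16,
++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++ cryptodev_init_aead_key,
++ cryptodev_aead_cipher,
++ cryptodev_cleanup,
++ sizeof(struct dev_crypto_state),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ cryptodev_cbc_hmac_sha1_ctrl,
++ NULL
++};
++
+const EVP_CIPHER cryptodev_aes_128_gcm = {
+NID_aes_128_gcm,
+1, 16, 12,
+@@ -1298,6 +1383,15 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+case NID_aes_256_cbc_hmac_sha1:
+*cipher = &cryptodev_aes_256_cbc_hmac_sha1;
+break;
++ case NID_tls11_des_ede3_cbc_hmac_sha1:
++ *cipher = &cryptodev_tls11_3des_cbc_hmac_sha1;
++ break;
++ case NID_tls11_aes_128_cbc_hmac_sha1:
++ *cipher = &cryptodev_tls11_aes_128_cbc_hmac_sha1;
++ break;
++ case NID_tls11_aes_256_cbc_hmac_sha1:
++ *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1;
++ break;
+case NID_aes_128_gcm:
+*cipher = &cryptodev_aes_128_gcm;
+break;
+diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
+index 35d1abc..4dd32a1 100644
+--- a/crypto/objects/obj_dat.h
++++ b/crypto/objects/obj_dat.h
+@@ -62,9 +62,9 @@
+* [including the GNU Public Licence.]
+*/
+
+-#define NUM_NID 959
+-#define NUM_SN 952
+-#define NUM_LN 952
++#define NUM_NID 962
++#define NUM_SN 955
++#define NUM_LN 955
+#define NUM_OBJ 890
+
+static const unsigned char lvalues[6255]={
+@@ -2516,6 +2516,12 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
+NID_jurisdictionCountryName,11,&(lvalues[6243]),0},
+{"DES-EDE3-CBC-HMAC-SHA1","des-ede3-cbc-hmac-sha1",
+NID_des_ede3_cbc_hmac_sha1,0,NULL,0},
++{"TLS11-DES-EDE3-CBC-HMAC-SHA1","tls11-des-ede3-cbc-hmac-sha1",
++ NID_tls11_des_ede3_cbc_hmac_sha1,0,NULL,0},
++{"TLS11-AES-128-CBC-HMAC-SHA1","tls11-aes-128-cbc-hmac-sha1",
++ NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0},
++{"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1",
++ NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0},
+};
+
+static const unsigned int sn_objs[NUM_SN]={
+@@ -2705,6 +2711,9 @@ static const unsigned int sn_objs[NUM_SN]={
+100, /* "SN" */
+16, /* "ST" */
+143, /* "SXNetID" */
++960, /* "TLS11-AES-128-CBC-HMAC-SHA1" */
++961, /* "TLS11-AES-256-CBC-HMAC-SHA1" */
++959, /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */
+458, /* "UID" */
+0, /* "UNDEF" */
+11, /* "X500" */
+@@ -4396,6 +4405,9 @@ static const unsigned int ln_objs[NUM_LN]={
+459, /* "textEncodedORAddress" */
+293, /* "textNotice" */
+106, /* "title" */
++960, /* "tls11-aes-128-cbc-hmac-sha1" */
++961, /* "tls11-aes-256-cbc-hmac-sha1" */
++959, /* "tls11-des-ede3-cbc-hmac-sha1" */
+682, /* "tpBasis" */
+436, /* "ucl" */
+0, /* "undefined" */
+diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
+index cb318bc..5930563 100644
+--- a/crypto/objects/obj_mac.h
++++ b/crypto/objects/obj_mac.h
+@@ -4051,6 +4051,18 @@
+#define LN_des_ede3_cbc_hmac_sha1 "des-ede3-cbc-hmac-sha1"
+#define NID_des_ede3_cbc_hmac_sha1 958
+
++#define SN_tls11_des_ede3_cbc_hmac_sha1 "TLS11-DES-EDE3-CBC-HMAC-SHA1"
++#define LN_tls11_des_ede3_cbc_hmac_sha1 "tls11-des-ede3-cbc-hmac-sha1"
++#define NID_tls11_des_ede3_cbc_hmac_sha1 959
++
++#define SN_tls11_aes_128_cbc_hmac_sha1 "TLS11-AES-128-CBC-HMAC-SHA1"
++#define LN_tls11_aes_128_cbc_hmac_sha1 "tls11-aes-128-cbc-hmac-sha1"
++#define NID_tls11_aes_128_cbc_hmac_sha1 960
++
++#define SN_tls11_aes_256_cbc_hmac_sha1 "TLS11-AES-256-CBC-HMAC-SHA1"
++#define LN_tls11_aes_256_cbc_hmac_sha1 "tls11-aes-256-cbc-hmac-sha1"
++#define NID_tls11_aes_256_cbc_hmac_sha1 961
++
+#define SN_dhpublicnumber "dhpublicnumber"
+#define LN_dhpublicnumber "X9.42 DH"
+#define NID_dhpublicnumber 920
+diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
+index 02d1bb8..02f1728 100644
+--- a/crypto/objects/obj_mac.num
++++ b/crypto/objects/obj_mac.num
+@@ -956,3 +956,6 @@ jurisdictionLocalityName 955
+jurisdictionStateOrProvinceName 956
+jurisdictionCountryName 957
+des_ede3_cbc_hmac_sha1 958
++tls11_des_ede3_cbc_hmac_sha1 959
++tls11_aes_128_cbc_hmac_sha1 960
++tls11_aes_256_cbc_hmac_sha1 961
+diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
+index 4e1ff18..cda81da 100644
+--- a/crypto/objects/objects.txt
++++ b/crypto/objects/objects.txt
+@@ -1295,6 +1295,9 @@ kisa 1 6 : SEED-OFB : seed-ofb
+: AES-192-CBC-HMAC-SHA256 : aes-192-cbc-hmac-sha256
+: AES-256-CBC-HMAC-SHA256 : aes-256-cbc-hmac-sha256
+: DES-EDE3-CBC-HMAC-SHA1 : des-ede3-cbc-hmac-sha1
++ : TLS11-DES-EDE3-CBC-HMAC-SHA1 : tls11-des-ede3-cbc-hmac-sha1
++ : TLS11-AES-128-CBC-HMAC-SHA1 : tls11-aes-128-cbc-hmac-sha1
++ : TLS11-AES-256-CBC-HMAC-SHA1 : tls11-aes-256-cbc-hmac-sha1
+
+ISO-US 10046 2 1 : dhpublicnumber : X9.42 DH
+
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index a379273..e3d73ac 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -652,11 +652,13 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+c->algorithm_mac == SSL_MD5 &&
+(evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
+*enc = evp, *md = NULL;
+- else if (c->algorithm_enc == SSL_AES128 &&
++ else if (s->ssl_version == TLS1_VERSION &&
++ c->algorithm_enc == SSL_AES128 &&
+c->algorithm_mac == SSL_SHA1 &&
+(evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
+*enc = evp, *md = NULL;
+- else if (c->algorithm_enc == SSL_AES256 &&
++ else if (s->ssl_version == TLS1_VERSION &&
++ c->algorithm_enc == SSL_AES256 &&
+c->algorithm_mac == SSL_SHA1 &&
+(evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
+*enc = evp, *md = NULL;
+@@ -668,9 +670,25 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+c->algorithm_mac == SSL_SHA256 &&
+(evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256")))
+*enc = evp, *md = NULL;
+- else if (c->algorithm_enc == SSL_3DES &&
+- c->algorithm_mac == SSL_SHA1 &&
+- (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
++ else if (s->ssl_version == TLS1_VERSION &&
++ c->algorithm_enc == SSL_3DES &&
++ c->algorithm_mac == SSL_SHA1 &&
++ (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
++ *enc = evp, *md = NULL;
++ else if (s->ssl_version == TLS1_1_VERSION &&
++ c->algorithm_enc == SSL_3DES &&
++ c->algorithm_mac == SSL_SHA1 &&
++ (evp = EVP_get_cipherbyname("TLS11-DES-EDE3-CBC-HMAC-SHA1")))
++ *enc = evp, *md = NULL;
++ else if (s->ssl_version == TLS1_1_VERSION &&
++ c->algorithm_enc == SSL_AES128 &&
++ c->algorithm_mac == SSL_SHA1 &&
++ (evp = EVP_get_cipherbyname("TLS11-AES-128-CBC-HMAC-SHA1")))
+*enc = evp, *md = NULL;
++ else if (s->ssl_version == TLS1_1_VERSION &&
++ c->algorithm_enc == SSL_AES256 &&
++ c->algorithm_mac == SSL_SHA1 &&
++ (evp = EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1")))
+*enc = evp, *md = NULL;
+return (1);
+} else
+--
+2.7.0
+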
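Review bot: In the embedded `cryptodev_cbc_hmac_sha1_ctrl` hunk for eng_cryptodev.c, `len = cryptlen - bs;` subtracts two unsigned values without first checking `cryptlen >= bs`. A TLS 1.1 record length shorter than one cipher block therefore wraps, and the low 16 bits of the wrapped value are written back into the caller-supplied AAD at `p[arg - 2]` and `p[arg - 1]`. A guard before the subtraction, for example `if (cryptlen < bs) return 0;` (assuming 0 is this ctrl's failure return), would reject that case instead of handing a bogus length to the kernel driver. The function starts and ends outside the hunk, so whether `arg` is validated before `p[arg - 2]` is indexed cannot be confirmed from here. The switch shows no `default:` in the visible lines, so `maclen` may also stay uninitialized for an unexpected NID. The in-place rewrite of the AAD is worth a comment such as `/* TLS 1.1+: length field excludes the explicit IV; rewrites caller's AAD */`.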