From aaf2c4beb205e9f9eef1b8a9732468acb7f1a4ee Mon Sep 17 00:00:00 2001 From: Chunrong Guo Date: Wed, 15 Nov 2017 13:26:10 +0800 Subject: openssl-qoriq: update recipes *Update URL to fetch qoriq-open-source github *Update to b9e6572 This includes the following changes: b9e6572 - eng_cryptodev: add support for TLS algorithms offload b3a3bab - Prepare for 1.0.2l release 539c4d3 - make update cde19ec - Update CHANGES and NEWS for new release 8ded5f1 - Ignore -rle and -comp when compiled with OPENSSL_NO_COMP. Fixes make test when configured with no-comp. d130456 - Fix regression in openssl req -x509 behaviour. 7c300b9 - Remove notification settings from appveyor.yml b020bf6 - Remove dead code. ea3fc60 - Copy custom extension flags in a call to SSL_set_SSL_CTX() 4ae5993 - perlasm/x86_64-xlate.pl: work around problem with hex constants in masm. 16d78fb - Fix some error path logic in i2v_AUTHORITY_INFO_ACCESS and i2v_GENERAL_NAME 6b8fa5b - RT2867: des_ede3_cfb1 ignored "size in bits" flag 5453820 - Fix URL links in comment d2335f3 - Fix time offset calculation. 13f70ae - Check fflush on BIO_ctrl call de46e82 - Remove unnecessary loop in pkey_rsa_decrypt. b99f102 - check length sanity before correcting in EVP_CTRL_AEAD_TLS1_AAD fb2345a - Annotate ASN.1 attributes of the jurisdictionCountryName NID 60a70a5 - Fixed typo in X509_STORE_CTX_new description 74bcd77 - Numbers greater than 1 are usually non-negative. e8f2e2f - pkeyutl exit with 0 if the verification succeeded 71d66c4 - Additional check to handle BAD SSL_write retry a91bfe2 - crypto/ppccap.c: SIGILL-free processor capabilities detection on MacOS X. 3f524f7 - Ensure dhparams can handle X9.42 params in DER 1f3b0fe - Add missing macros for DHxparams 248cf95 - Fix for #2730. Add CRLDP extension to list of supported extensions d75c56f - Free the compression methods in s_server and s_client 4bc46d - doc: Add stitched ciphers to EVP_EncryptInit.pod 8625e92 - doc: Add missing options in s_{server,client} 62f488d - Fix the error handling in CRYPTO_dup_ex_data. 144ab9b - Add documentation for SNI APIs *Openssl git includes all qoriq patches so remove qoriq patches folder Signed-off-by: Chunrong Guo Signed-off-by: Otavio Salvador --- ...dd-support-for-aes-gcm-algorithm-offloadi.patch | 321 --------------------- 1 file changed, 321 deletions(-) delete mode 100644 recipes-connectivity/openssl/openssl-qoriq/qoriq/0014-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch (limited to 'recipes-connectivity/openssl/openssl-qoriq/qoriq/0014-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch') diff --git a/recipes-connectivity/openssl/openssl-qoriq/qoriq/0014-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0014-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch deleted file mode 100644 index 898499b4..00000000 --- a/recipes-connectivity/openssl/openssl-qoriq/qoriq/0014-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch +++ /dev/null @@ -1,321 +0,0 @@ -From fcbd6199deb715b117153b7df00cdd4cdec44d79 Mon Sep 17 00:00:00 2001 -From: Cristian Stoica -Date: Mon, 16 Jun 2014 14:06:21 +0300 -Subject: [PATCH 14/48] cryptodev: add support for aes-gcm algorithm offloading - -Signed-off-by: Cristian Stoica ---- - apps/speed.c | 6 +- - crypto/engine/eng_cryptodev.c | 236 +++++++++++++++++++++++++++++++++++++++++- - 2 files changed, 240 insertions(+), 2 deletions(-) - -diff --git a/apps/speed.c b/apps/speed.c -index b862868..fd2a2a5 100644 ---- a/apps/speed.c -+++ b/apps/speed.c -@@ -226,7 +226,11 @@ - # endif - - # undef BUFSIZE --# define BUFSIZE ((long)1024*8+1) -+/* The buffer overhead allows GCM tag at the end of the encrypted data. This -+ avoids buffer overflows from cryptodev since Linux kernel GCM -+ implementation allways adds the tag - unlike e_aes.c:aes_gcm_cipher() -+ which doesn't */ -+#define BUFSIZE ((long)1024*8 + EVP_GCM_TLS_TAG_LEN) - static volatile int run = 0; - - static int mr = 0; -diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c -index 5a9f4b7..1754917 100644 ---- a/crypto/engine/eng_cryptodev.c -+++ b/crypto/engine/eng_cryptodev.c -@@ -2,6 +2,7 @@ - * Copyright (c) 2002 Bob Beck - * Copyright (c) 2002 Theo de Raadt - * Copyright (c) 2002 Markus Friedl -+ * Copyright (c) 2013-2014 Freescale Semiconductor, Inc. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without -@@ -78,8 +79,10 @@ struct dev_crypto_state { - struct session_op d_sess; - int d_fd; - unsigned char *aad; -- unsigned int aad_len; -+ int aad_len; - unsigned int len; -+ unsigned char *iv; -+ int ivlen; - # ifdef USE_CRYPTODEV_DIGESTS - char dummy_mac_key[HASH_MAX_LEN]; - unsigned char digest_res[HASH_MAX_LEN]; -@@ -288,6 +291,9 @@ static struct { - CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20 - }, - { -+ CRYPTO_AES_GCM, NID_aes_128_gcm, 16, 16, 0 -+ }, -+ { - 0, NID_undef, 0, 0, 0 - }, - }; -@@ -326,6 +332,22 @@ static struct { - }; - # endif - -+/* increment counter (64-bit int) by 1 */ -+static void ctr64_inc(unsigned char *counter) -+{ -+ int n = 8; -+ unsigned char c; -+ -+ do { -+ --n; -+ c = counter[n]; -+ ++c; -+ counter[n] = c; -+ if (c) -+ return; -+ } while (n); -+} -+ - /* - * Return a fd if /dev/crypto seems usable, 0 otherwise. - */ -@@ -808,6 +830,199 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, - } - } - -+static int cryptodev_init_gcm_key(EVP_CIPHER_CTX *ctx, -+ const unsigned char *key, -+ const unsigned char *iv, int enc) -+{ -+ struct dev_crypto_state *state = ctx->cipher_data; -+ struct session_op *sess = &state->d_sess; -+ int cipher = -1, i; -+ if (!iv && !key) -+ return 1; -+ -+ if (iv) -+ memcpy(ctx->iv, iv, ctx->cipher->iv_len); -+ -+ for (i = 0; ciphers[i].id; i++) -+ if (ctx->cipher->nid == ciphers[i].nid && -+ ctx->cipher->iv_len <= ciphers[i].ivmax && -+ ctx->key_len == ciphers[i].keylen) { -+ cipher = ciphers[i].id; -+ break; -+ } -+ -+ if (!ciphers[i].id) { -+ state->d_fd = -1; -+ return 0; -+ } -+ -+ memset(sess, 0, sizeof(struct session_op)); -+ -+ if ((state->d_fd = get_dev_crypto()) < 0) -+ return 0; -+ -+ sess->key = (unsigned char *)key; -+ sess->keylen = ctx->key_len; -+ sess->cipher = cipher; -+ -+ if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) { -+ put_dev_crypto(state->d_fd); -+ state->d_fd = -1; -+ return 0; -+ } -+ return 1; -+} -+ -+static int cryptodev_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t len) -+{ -+ struct crypt_auth_op cryp = { 0 }; -+ struct dev_crypto_state *state = ctx->cipher_data; -+ struct session_op *sess = &state->d_sess; -+ int rv = len; -+ -+ if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? -+ EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, -+ EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) -+ return 0; -+ -+ in += EVP_GCM_TLS_EXPLICIT_IV_LEN; -+ out += EVP_GCM_TLS_EXPLICIT_IV_LEN; -+ len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; -+ -+ if (ctx->encrypt) { -+ len -= EVP_GCM_TLS_TAG_LEN; -+ } -+ cryp.ses = sess->ses; -+ cryp.len = len; -+ cryp.src = (unsigned char *)in; -+ cryp.dst = out; -+ cryp.auth_src = state->aad; -+ cryp.auth_len = state->aad_len; -+ cryp.iv = ctx->iv; -+ cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT; -+ -+ if (ioctl(state->d_fd, CIOCAUTHCRYPT, &cryp) == -1) { -+ return 0; -+ } -+ -+ if (ctx->encrypt) -+ ctr64_inc(state->iv + state->ivlen - 8); -+ else -+ rv = len - EVP_GCM_TLS_TAG_LEN; -+ -+ return rv; -+} -+ -+static int cryptodev_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t len) -+{ -+ struct crypt_auth_op cryp; -+ struct dev_crypto_state *state = ctx->cipher_data; -+ struct session_op *sess = &state->d_sess; -+ -+ if (state->d_fd < 0) -+ return 0; -+ -+ if ((len % ctx->cipher->block_size) != 0) -+ return 0; -+ -+ if (state->aad_len >= 0) -+ return cryptodev_gcm_tls_cipher(ctx, out, in, len); -+ -+ memset(&cryp, 0, sizeof(cryp)); -+ -+ cryp.ses = sess->ses; -+ cryp.len = len; -+ cryp.src = (unsigned char *)in; -+ cryp.dst = out; -+ cryp.auth_src = NULL; -+ cryp.auth_len = 0; -+ cryp.iv = ctx->iv; -+ cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT; -+ -+ if (ioctl(state->d_fd, CIOCAUTHCRYPT, &cryp) == -1) { -+ return 0; -+ } -+ -+ return len; -+} -+ -+static int cryptodev_gcm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, -+ void *ptr) -+{ -+ struct dev_crypto_state *state = ctx->cipher_data; -+ switch (type) { -+ case EVP_CTRL_INIT: -+ { -+ state->ivlen = ctx->cipher->iv_len; -+ state->iv = ctx->iv; -+ state->aad_len = -1; -+ return 1; -+ } -+ case EVP_CTRL_GCM_SET_IV_FIXED: -+ { -+ /* Special case: -1 length restores whole IV */ -+ if (arg == -1) { -+ memcpy(state->iv, ptr, state->ivlen); -+ return 1; -+ } -+ /* -+ * Fixed field must be at least 4 bytes and invocation field at -+ * least 8. -+ */ -+ if ((arg < 4) || (state->ivlen - arg) < 8) -+ return 0; -+ if (arg) -+ memcpy(state->iv, ptr, arg); -+ if (ctx->encrypt && -+ RAND_bytes(state->iv + arg, state->ivlen - arg) <= 0) -+ return 0; -+ return 1; -+ } -+ case EVP_CTRL_AEAD_TLS1_AAD: -+ { -+ unsigned int len; -+ if (arg != 13) -+ return 0; -+ -+ memcpy(ctx->buf, ptr, arg); -+ len = ctx->buf[arg - 2] << 8 | ctx->buf[arg - 1]; -+ -+ /* Correct length for explicit IV */ -+ len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; -+ -+ /* If decrypting correct for tag too */ -+ if (!ctx->encrypt) -+ len -= EVP_GCM_TLS_TAG_LEN; -+ -+ ctx->buf[arg - 2] = len >> 8; -+ ctx->buf[arg - 1] = len & 0xff; -+ -+ state->aad = ctx->buf; -+ state->aad_len = arg; -+ state->len = len; -+ -+ /* Extra padding: tag appended to record */ -+ return EVP_GCM_TLS_TAG_LEN; -+ } -+ case EVP_CTRL_GCM_SET_IV_INV: -+ { -+ if (ctx->encrypt) -+ return 0; -+ memcpy(state->iv + state->ivlen - arg, ptr, arg); -+ return 1; -+ } -+ case EVP_CTRL_GCM_IV_GEN: -+ if (arg <= 0 || arg > state->ivlen) -+ arg = state->ivlen; -+ memcpy(ptr, state->iv + state->ivlen - arg, arg); -+ return 1; -+ default: -+ return -1; -+ } -+} -+ - /* - * libcrypto EVP stuff - this is how we get wired to EVP so the engine - * gets called when libcrypto requests a cipher NID. -@@ -948,6 +1163,22 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1 = { - NULL - }; - -+const EVP_CIPHER cryptodev_aes_128_gcm = { -+ NID_aes_128_gcm, -+ 1, 16, 12, -+ EVP_CIPH_GCM_MODE | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1 -+ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER -+ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT, -+ cryptodev_init_gcm_key, -+ cryptodev_gcm_cipher, -+ cryptodev_cleanup, -+ sizeof(struct dev_crypto_state), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ cryptodev_gcm_ctrl, -+ NULL -+}; -+ - # ifdef CRYPTO_AES_CTR - const EVP_CIPHER cryptodev_aes_ctr = { - NID_aes_128_ctr, -@@ -1042,6 +1273,9 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, - case NID_aes_256_cbc_hmac_sha1: - *cipher = &cryptodev_aes_256_cbc_hmac_sha1; - break; -+ case NID_aes_128_gcm: -+ *cipher = &cryptodev_aes_128_gcm; -+ break; - default: - *cipher = NULL; - break; --- -2.7.3 - -- cgit v1.2.3-54-g00ecf