openssl-qoriq: upgrade to 1.0.2h plus fsl patches

upstream recipe extended with patches from fsl and CIOCHASH feature. Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>
author: Cristian Stoica <cristian.stoica@nxp.com> 2016-01-25 13:33:46 +0200
committer: Zhenhua Luo <zhenhua.luo@nxp.com> 2016-06-23 10:58:51 +0800
commit: 84cb2cc407cf85459fb463be2aabedd4f12ade77 (patch)
tree: 5bcdd8c2673052d6c3670b7ef9a48767a8f685b6 /recipes-connectivity/openssl/openssl-qoriq/qoriq/0016-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch
parent: 4cc0cf8255a3726fe3f6cbbe1a877fe2fab7edc6 (diff)
download: meta-fsl-ppc-84cb2cc407cf85459fb463be2aabedd4f12ade77.tar.gz
1 files changed, 338 insertions, 0 deletions
diff --git a/recipes-connectivity/openssl/openssl-qoriq/qoriq/0016-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0016-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch
new file mode 100644
index 0000000..c586621
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0016-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch
@@ -0,0 +1,338 @@
+From 3f34089ab0a3b31ec6b31a6cbf308ca20c6ef597 Mon Sep 17 00:00:00 2001
+From: Cristian Stoica <cristian.stoica@nxp.com>
+Date: Fri, 22 Jan 2016 11:58:34 +0200
+Subject: [PATCH 16/48] eng_cryptodev: add support for TLSv1.1 record offload
+Supported cipher suites:
+- 3des-ede-cbc-sha
+- aes-128-cbc-hmac-sha
+- aes-256-cbc-hmac-sha
+Requires TLS patches on cryptodev and TLS algorithm support in Linux
+kernel driver.
+Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
+Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>
+---
+ crypto/engine/eng_cryptodev.c | 96 ++++++++++++++++++++++++++++++++++++++++++-
+ crypto/objects/obj_dat.h      | 18 ++++++--
+ crypto/objects/obj_mac.h      | 12 ++++++
+ crypto/objects/obj_mac.num    |  3 ++
+ crypto/objects/objects.txt    |  3 ++
+ ssl/ssl_ciph.c                | 28 ++++++++++---
+ 6 files changed, 151 insertions(+), 9 deletions(-)
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index 8f73a18..e37a661 100644
+--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
+@@ -66,6 +66,7 @@ void ENGINE_load_cryptodev(void)
+ # include <sys/ioctl.h>
+ # include <errno.h>
+ # include <stdio.h>
+# include <stdbool.h>
+ # include <unistd.h>
+ # include <fcntl.h>
+ # include <stdarg.h>
+@@ -135,6 +136,9 @@ void ENGINE_load_cryptodev(void);
+ const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1;
+ 
+ inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin, int *bin_len)
+ {
+@@ -294,6 +298,18 @@ static struct {
+         CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20
+     },
+     {
+        CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8,
+        24, 20
+    },
+    {
+        CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16,
+        20
+    },
+    {
+        CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32,
+        20
+    },
+    {
+         CRYPTO_AES_GCM, NID_aes_128_gcm, 16, 16, 0
+     },
+     {
+@@ -526,6 +542,15 @@ static int cryptodev_usable_ciphers(const int **nids)
+         case NID_des_ede3_cbc_hmac_sha1:
+             EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1);
+             break;
+        case NID_tls11_des_ede3_cbc_hmac_sha1:
+            EVP_add_cipher(&cryptodev_tls11_3des_cbc_hmac_sha1);
+            break;
+        case NID_tls11_aes_128_cbc_hmac_sha1:
+            EVP_add_cipher(&cryptodev_tls11_aes_128_cbc_hmac_sha1);
+            break;
+        case NID_tls11_aes_256_cbc_hmac_sha1:
+            EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1);
+            break;
+         }
+     }
+     return count;
+@@ -631,6 +656,9 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+     case NID_aes_128_cbc_hmac_sha1:
+     case NID_aes_256_cbc_hmac_sha1:
+     case NID_des_ede3_cbc_hmac_sha1:
+    case NID_tls11_des_ede3_cbc_hmac_sha1:
+    case NID_tls11_aes_128_cbc_hmac_sha1:
+    case NID_tls11_aes_256_cbc_hmac_sha1:
+         cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
+     }
+     cryp.ses = sess->ses;
+@@ -810,8 +838,9 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
+             struct dev_crypto_state *state = ctx->cipher_data;
+             unsigned char *p = ptr;
+             unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1];
+-            unsigned int maclen, padlen;
+            unsigned int maclen, padlen, len;
+             unsigned int bs = ctx->cipher->block_size;
+            bool aad_needs_fix = false;
+ 
+             state->aad = ptr;
+             state->aad_len = arg;
+@@ -823,6 +852,20 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
+             case NID_aes_256_cbc_hmac_sha1:
+             case NID_des_ede3_cbc_hmac_sha1:
+                 maclen = SHA_DIGEST_LENGTH;
+                break;
+            case NID_tls11_des_ede3_cbc_hmac_sha1:
+            case NID_tls11_aes_128_cbc_hmac_sha1:
+            case NID_tls11_aes_256_cbc_hmac_sha1:
+                maclen = SHA_DIGEST_LENGTH;
+                aad_needs_fix = true;
+                break;
+            }
+
+            /* Correct length for AAD Length field */
+            if (ctx->encrypt && aad_needs_fix) {
+                len = cryptlen - bs;
+                p[arg - 2] = len >> 8;
+                p[arg - 1] = len & 0xff;
+             }
+ 
+             /* space required for encryption (not only TLS padding) */
+@@ -1185,6 +1228,48 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1 = {
+     NULL
+ };
+ 
+const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1 = {
+    NID_tls11_des_ede3_cbc_hmac_sha1,
+    8, 24, 8,
+    EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+    cryptodev_init_aead_key,
+    cryptodev_aead_cipher,
+    cryptodev_cleanup,
+    sizeof(struct dev_crypto_state),
+    EVP_CIPHER_set_asn1_iv,
+    EVP_CIPHER_get_asn1_iv,
+    cryptodev_cbc_hmac_sha1_ctrl,
+    NULL
+};
+
+const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1 = {
+    NID_tls11_aes_128_cbc_hmac_sha1,
+    16, 16, 16,
+    EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+    cryptodev_init_aead_key,
+    cryptodev_aead_cipher,
+    cryptodev_cleanup,
+    sizeof(struct dev_crypto_state),
+    EVP_CIPHER_set_asn1_iv,
+    EVP_CIPHER_get_asn1_iv,
+    cryptodev_cbc_hmac_sha1_ctrl,
+    NULL
+};
+
+const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = {
+    NID_tls11_aes_256_cbc_hmac_sha1,
+    16, 32, 16,
+    EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+    cryptodev_init_aead_key,
+    cryptodev_aead_cipher,
+    cryptodev_cleanup,
+    sizeof(struct dev_crypto_state),
+    EVP_CIPHER_set_asn1_iv,
+    EVP_CIPHER_get_asn1_iv,
+    cryptodev_cbc_hmac_sha1_ctrl,
+    NULL
+};
+
+ const EVP_CIPHER cryptodev_aes_128_gcm = {
+     NID_aes_128_gcm,
+     1, 16, 12,
+@@ -1298,6 +1383,15 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+     case NID_aes_256_cbc_hmac_sha1:
+         *cipher = &cryptodev_aes_256_cbc_hmac_sha1;
+         break;
+    case NID_tls11_des_ede3_cbc_hmac_sha1:
+        *cipher = &cryptodev_tls11_3des_cbc_hmac_sha1;
+        break;
+    case NID_tls11_aes_128_cbc_hmac_sha1:
+        *cipher = &cryptodev_tls11_aes_128_cbc_hmac_sha1;
+        break;
+    case NID_tls11_aes_256_cbc_hmac_sha1:
+        *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1;
+        break;
+     case NID_aes_128_gcm:
+         *cipher = &cryptodev_aes_128_gcm;
+         break;
+diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
+index 35d1abc..4dd32a1 100644
+--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
+@@ -62,9 +62,9 @@
+  * [including the GNU Public Licence.]
+  */
+ 
+-#define NUM_NID 959
+-#define NUM_SN 952
+-#define NUM_LN 952
+#define NUM_NID 962
+#define NUM_SN 955
+#define NUM_LN 955
+ #define NUM_OBJ 890
+ 
+ static const unsigned char lvalues[6255]={
+@@ -2516,6 +2516,12 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
+        NID_jurisdictionCountryName,11,&(lvalues[6243]),0},
+ {"DES-EDE3-CBC-HMAC-SHA1","des-ede3-cbc-hmac-sha1",
+        NID_des_ede3_cbc_hmac_sha1,0,NULL,0},
+{"TLS11-DES-EDE3-CBC-HMAC-SHA1","tls11-des-ede3-cbc-hmac-sha1",
+       NID_tls11_des_ede3_cbc_hmac_sha1,0,NULL,0},
+{"TLS11-AES-128-CBC-HMAC-SHA1","tls11-aes-128-cbc-hmac-sha1",
+       NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0},
+{"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1",
+       NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0},
+ };
+ 
+ static const unsigned int sn_objs[NUM_SN]={
+@@ -2705,6 +2711,9 @@ static const unsigned int sn_objs[NUM_SN]={
+ 100,   /* "SN" */
+ 16,    /* "ST" */
+ 143,   /* "SXNetID" */
+960,   /* "TLS11-AES-128-CBC-HMAC-SHA1" */
+961,   /* "TLS11-AES-256-CBC-HMAC-SHA1" */
+959,   /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */
+ 458,   /* "UID" */
+  0,    /* "UNDEF" */
+ 11,    /* "X500" */
+@@ -4396,6 +4405,9 @@ static const unsigned int ln_objs[NUM_LN]={
+ 459,   /* "textEncodedORAddress" */
+ 293,   /* "textNotice" */
+ 106,   /* "title" */
+960,   /* "tls11-aes-128-cbc-hmac-sha1" */
+961,   /* "tls11-aes-256-cbc-hmac-sha1" */
+959,   /* "tls11-des-ede3-cbc-hmac-sha1" */
+ 682,   /* "tpBasis" */
+ 436,   /* "ucl" */
+  0,    /* "undefined" */
+diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
+index cb318bc..5930563 100644
+--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
+@@ -4051,6 +4051,18 @@
+ #define LN_des_ede3_cbc_hmac_sha1               "des-ede3-cbc-hmac-sha1"
+ #define NID_des_ede3_cbc_hmac_sha1              958
+ 
+#define SN_tls11_des_ede3_cbc_hmac_sha1         "TLS11-DES-EDE3-CBC-HMAC-SHA1"
+#define LN_tls11_des_ede3_cbc_hmac_sha1         "tls11-des-ede3-cbc-hmac-sha1"
+#define NID_tls11_des_ede3_cbc_hmac_sha1                959
+
+#define SN_tls11_aes_128_cbc_hmac_sha1          "TLS11-AES-128-CBC-HMAC-SHA1"
+#define LN_tls11_aes_128_cbc_hmac_sha1          "tls11-aes-128-cbc-hmac-sha1"
+#define NID_tls11_aes_128_cbc_hmac_sha1         960
+
+#define SN_tls11_aes_256_cbc_hmac_sha1          "TLS11-AES-256-CBC-HMAC-SHA1"
+#define LN_tls11_aes_256_cbc_hmac_sha1          "tls11-aes-256-cbc-hmac-sha1"
+#define NID_tls11_aes_256_cbc_hmac_sha1         961
+
+ #define SN_dhpublicnumber               "dhpublicnumber"
+ #define LN_dhpublicnumber               "X9.42 DH"
+ #define NID_dhpublicnumber              920
+diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
+index 02d1bb8..02f1728 100644
+--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
+@@ -956,3 +956,6 @@ jurisdictionLocalityName            955
+ jurisdictionStateOrProvinceName                956
+ jurisdictionCountryName                957
+ des_ede3_cbc_hmac_sha1         958
+tls11_des_ede3_cbc_hmac_sha1           959
+tls11_aes_128_cbc_hmac_sha1            960
+tls11_aes_256_cbc_hmac_sha1            961
+diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
+index 4e1ff18..cda81da 100644
+--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
+@@ -1295,6 +1295,9 @@ kisa 1 6                : SEED-OFB      : seed-ofb
+                        : AES-192-CBC-HMAC-SHA256       : aes-192-cbc-hmac-sha256
+                        : AES-256-CBC-HMAC-SHA256       : aes-256-cbc-hmac-sha256
+                        : DES-EDE3-CBC-HMAC-SHA1        : des-ede3-cbc-hmac-sha1
+                       : TLS11-DES-EDE3-CBC-HMAC-SHA1  : tls11-des-ede3-cbc-hmac-sha1
+                       : TLS11-AES-128-CBC-HMAC-SHA1   : tls11-aes-128-cbc-hmac-sha1
+                       : TLS11-AES-256-CBC-HMAC-SHA1   : tls11-aes-256-cbc-hmac-sha1
+ 
+ ISO-US 10046 2 1       : dhpublicnumber                : X9.42 DH
+ 
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index a379273..e3d73ac 100644
+--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
+@@ -652,11 +652,13 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+             c->algorithm_mac == SSL_MD5 &&
+             (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
+             *enc = evp, *md = NULL;
+-        else if (c->algorithm_enc == SSL_AES128 &&
+        else if (s->ssl_version == TLS1_VERSION &&
+                 c->algorithm_enc == SSL_AES128 &&
+                  c->algorithm_mac == SSL_SHA1 &&
+                  (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
+             *enc = evp, *md = NULL;
+-        else if (c->algorithm_enc == SSL_AES256 &&
+        else if (s->ssl_version == TLS1_VERSION &&
+                 c->algorithm_enc == SSL_AES256 &&
+                  c->algorithm_mac == SSL_SHA1 &&
+                  (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
+             *enc = evp, *md = NULL;
+@@ -668,9 +670,25 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+                  c->algorithm_mac == SSL_SHA256 &&
+                  (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256")))
+             *enc = evp, *md = NULL;
+-        else if (c->algorithm_enc == SSL_3DES &&
+-                c->algorithm_mac == SSL_SHA1 &&
+-                (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
+        else if (s->ssl_version == TLS1_VERSION &&
+                 c->algorithm_enc == SSL_3DES &&
+                 c->algorithm_mac == SSL_SHA1 &&
+                 (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
+            *enc = evp, *md = NULL;
+        else if (s->ssl_version == TLS1_1_VERSION &&
+                 c->algorithm_enc == SSL_3DES &&
+                 c->algorithm_mac == SSL_SHA1 &&
+                 (evp = EVP_get_cipherbyname("TLS11-DES-EDE3-CBC-HMAC-SHA1")))
+            *enc = evp, *md = NULL;
+        else if (s->ssl_version == TLS1_1_VERSION &&
+                 c->algorithm_enc == SSL_AES128 &&
+                 c->algorithm_mac == SSL_SHA1 &&
+                 (evp = EVP_get_cipherbyname("TLS11-AES-128-CBC-HMAC-SHA1")))
+            *enc = evp, *md = NULL;
+        else if (s->ssl_version == TLS1_1_VERSION &&
+                 c->algorithm_enc == SSL_AES256 &&
+                 c->algorithm_mac == SSL_SHA1 &&
+                 (evp = EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1")))
+             *enc = evp, *md = NULL;
+         return (1);
+     } else
+-- 
+2.7.0
author	Cristian Stoica <cristian.stoica@nxp.com>	2016-01-25 13:33:46 +0200
committer	Zhenhua Luo <zhenhua.luo@nxp.com>	2016-06-23 10:58:51 +0800
commit	84cb2cc407cf85459fb463be2aabedd4f12ade77 (patch)
tree	5bcdd8c2673052d6c3670b7ef9a48767a8f685b6 /recipes-connectivity/openssl/openssl-qoriq/qoriq/0016-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch
parent	4cc0cf8255a3726fe3f6cbbe1a877fe2fab7edc6 (diff)
download	meta-fsl-ppc-84cb2cc407cf85459fb463be2aabedd4f12ade77.tar.gz

diff --git a/recipes-connectivity/openssl/openssl-qoriq/qoriq/0016-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0016-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch new file mode 100644 index 0000000..c586621 --- /dev/null +++ b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0016-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch
@@ -0,0 +1,338 @@
	1	From 3f34089ab0a3b31ec6b31a6cbf308ca20c6ef597 Mon Sep 17 00:00:00 2001
	2	From: Cristian Stoica <cristian.stoica@nxp.com>
	3	Date: Fri, 22 Jan 2016 11:58:34 +0200
	4	Subject: [PATCH 16/48] eng_cryptodev: add support for TLSv1.1 record offload
	5
	6	Supported cipher suites:
	7	- 3des-ede-cbc-sha
	8	- aes-128-cbc-hmac-sha
	9	- aes-256-cbc-hmac-sha
	10
	11	Requires TLS patches on cryptodev and TLS algorithm support in Linux
	12	kernel driver.
	13
	14	Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
	15	Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>
	16	---
	17	crypto/engine/eng_cryptodev.c \| 96 ++++++++++++++++++++++++++++++++++++++++++-
	18	crypto/objects/obj_dat.h \| 18 ++++++--
	19	crypto/objects/obj_mac.h \| 12 ++++++
	20	crypto/objects/obj_mac.num \| 3 ++
	21	crypto/objects/objects.txt \| 3 ++
	22	ssl/ssl_ciph.c \| 28 ++++++++++---
	23	6 files changed, 151 insertions(+), 9 deletions(-)
	24
	25	diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
	26	index 8f73a18..e37a661 100644
	27	--- a/crypto/engine/eng_cryptodev.c
	28	+++ b/crypto/engine/eng_cryptodev.c
	29	@@ -66,6 +66,7 @@ void ENGINE_load_cryptodev(void)
	30	# include <sys/ioctl.h>
	31	# include <errno.h>
	32	# include <stdio.h>
	33	+# include <stdbool.h>
	34	# include <unistd.h>
	35	# include <fcntl.h>
	36	# include <stdarg.h>
	37	@@ -135,6 +136,9 @@ void ENGINE_load_cryptodev(void);
	38	const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1;
	39	const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1;
	40	const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
	41	+const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1;
	42	+const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1;
	43	+const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1;
	44
	45	inline int spcf_bn2bin(BIGNUM bn, unsigned char bin, int bin_len)
	46	{
	47	@@ -294,6 +298,18 @@ static struct {
	48	CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20
	49	},
	50	{
	51	+ CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8,
	52	+ 24, 20
	53	+ },
	54	+ {
	55	+ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16,
	56	+ 20
	57	+ },
	58	+ {
	59	+ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32,
	60	+ 20
	61	+ },
	62	+ {
	63	CRYPTO_AES_GCM, NID_aes_128_gcm, 16, 16, 0
	64	},
	65	{
	66	@@ -526,6 +542,15 @@ static int cryptodev_usable_ciphers(const int **nids)
	67	case NID_des_ede3_cbc_hmac_sha1:
	68	EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1);
	69	break;
	70	+ case NID_tls11_des_ede3_cbc_hmac_sha1:
	71	+ EVP_add_cipher(&cryptodev_tls11_3des_cbc_hmac_sha1);
	72	+ break;
	73	+ case NID_tls11_aes_128_cbc_hmac_sha1:
	74	+ EVP_add_cipher(&cryptodev_tls11_aes_128_cbc_hmac_sha1);
	75	+ break;
	76	+ case NID_tls11_aes_256_cbc_hmac_sha1:
	77	+ EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1);
	78	+ break;
	79	}
	80	}
	81	return count;
	82	@@ -631,6 +656,9 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
	83	case NID_aes_128_cbc_hmac_sha1:
	84	case NID_aes_256_cbc_hmac_sha1:
	85	case NID_des_ede3_cbc_hmac_sha1:
	86	+ case NID_tls11_des_ede3_cbc_hmac_sha1:
	87	+ case NID_tls11_aes_128_cbc_hmac_sha1:
	88	+ case NID_tls11_aes_256_cbc_hmac_sha1:
	89	cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
	90	}
	91	cryp.ses = sess->ses;
	92	@@ -810,8 +838,9 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
	93	struct dev_crypto_state *state = ctx->cipher_data;
	94	unsigned char *p = ptr;
	95	unsigned int cryptlen = p[arg - 2] << 8 \| p[arg - 1];
	96	- unsigned int maclen, padlen;
	97	+ unsigned int maclen, padlen, len;
	98	unsigned int bs = ctx->cipher->block_size;
	99	+ bool aad_needs_fix = false;
	100
	101	state->aad = ptr;
	102	state->aad_len = arg;
	103	@@ -823,6 +852,20 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
	104	case NID_aes_256_cbc_hmac_sha1:
	105	case NID_des_ede3_cbc_hmac_sha1:
	106	maclen = SHA_DIGEST_LENGTH;
	107	+ break;
	108	+ case NID_tls11_des_ede3_cbc_hmac_sha1:
	109	+ case NID_tls11_aes_128_cbc_hmac_sha1:
	110	+ case NID_tls11_aes_256_cbc_hmac_sha1:
	111	+ maclen = SHA_DIGEST_LENGTH;
	112	+ aad_needs_fix = true;
	113	+ break;
	114	+ }
	115	+
	116	+ /* Correct length for AAD Length field */
	117	+ if (ctx->encrypt && aad_needs_fix) {
	118	+ len = cryptlen - bs;
	119	+ p[arg - 2] = len >> 8;
	120	+ p[arg - 1] = len & 0xff;
	121	}
	122
	123	/* space required for encryption (not only TLS padding) */
	124	@@ -1185,6 +1228,48 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1 = {
	125	NULL
	126	};
	127
	128	+const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1 = {
	129	+ NID_tls11_des_ede3_cbc_hmac_sha1,
	130	+ 8, 24, 8,
	131	+ EVP_CIPH_CBC_MODE \| EVP_CIPH_FLAG_AEAD_CIPHER,
	132	+ cryptodev_init_aead_key,
	133	+ cryptodev_aead_cipher,
	134	+ cryptodev_cleanup,
	135	+ sizeof(struct dev_crypto_state),
	136	+ EVP_CIPHER_set_asn1_iv,
	137	+ EVP_CIPHER_get_asn1_iv,
	138	+ cryptodev_cbc_hmac_sha1_ctrl,
	139	+ NULL
	140	+};
	141	+
	142	+const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1 = {
	143	+ NID_tls11_aes_128_cbc_hmac_sha1,
	144	+ 16, 16, 16,
	145	+ EVP_CIPH_CBC_MODE \| EVP_CIPH_FLAG_AEAD_CIPHER,
	146	+ cryptodev_init_aead_key,
	147	+ cryptodev_aead_cipher,
	148	+ cryptodev_cleanup,
	149	+ sizeof(struct dev_crypto_state),
	150	+ EVP_CIPHER_set_asn1_iv,
	151	+ EVP_CIPHER_get_asn1_iv,
	152	+ cryptodev_cbc_hmac_sha1_ctrl,
	153	+ NULL
	154	+};
	155	+
	156	+const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = {
	157	+ NID_tls11_aes_256_cbc_hmac_sha1,
	158	+ 16, 32, 16,
	159	+ EVP_CIPH_CBC_MODE \| EVP_CIPH_FLAG_AEAD_CIPHER,
	160	+ cryptodev_init_aead_key,
	161	+ cryptodev_aead_cipher,
	162	+ cryptodev_cleanup,
	163	+ sizeof(struct dev_crypto_state),
	164	+ EVP_CIPHER_set_asn1_iv,
	165	+ EVP_CIPHER_get_asn1_iv,
	166	+ cryptodev_cbc_hmac_sha1_ctrl,
	167	+ NULL
	168	+};
	169	+
	170	const EVP_CIPHER cryptodev_aes_128_gcm = {
	171	NID_aes_128_gcm,
	172	1, 16, 12,
	173	@@ -1298,6 +1383,15 @@ cryptodev_engine_ciphers(ENGINE e, const EVP_CIPHER *cipher,
	174	case NID_aes_256_cbc_hmac_sha1:
	175	*cipher = &cryptodev_aes_256_cbc_hmac_sha1;
	176	break;
	177	+ case NID_tls11_des_ede3_cbc_hmac_sha1:
	178	+ *cipher = &cryptodev_tls11_3des_cbc_hmac_sha1;
	179	+ break;
	180	+ case NID_tls11_aes_128_cbc_hmac_sha1:
	181	+ *cipher = &cryptodev_tls11_aes_128_cbc_hmac_sha1;
	182	+ break;
	183	+ case NID_tls11_aes_256_cbc_hmac_sha1:
	184	+ *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1;
	185	+ break;
	186	case NID_aes_128_gcm:
	187	*cipher = &cryptodev_aes_128_gcm;
	188	break;
	189	diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
	190	index 35d1abc..4dd32a1 100644
	191	--- a/crypto/objects/obj_dat.h
	192	+++ b/crypto/objects/obj_dat.h
	193	@@ -62,9 +62,9 @@
	194	* [including the GNU Public Licence.]
	195	*/
	196
	197	-#define NUM_NID 959
	198	-#define NUM_SN 952
	199	-#define NUM_LN 952
	200	+#define NUM_NID 962
	201	+#define NUM_SN 955
	202	+#define NUM_LN 955
	203	#define NUM_OBJ 890
	204
	205	static const unsigned char lvalues[6255]={
	206	@@ -2516,6 +2516,12 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
	207	NID_jurisdictionCountryName,11,&(lvalues[6243]),0},
	208	{"DES-EDE3-CBC-HMAC-SHA1","des-ede3-cbc-hmac-sha1",
	209	NID_des_ede3_cbc_hmac_sha1,0,NULL,0},
	210	+{"TLS11-DES-EDE3-CBC-HMAC-SHA1","tls11-des-ede3-cbc-hmac-sha1",
	211	+ NID_tls11_des_ede3_cbc_hmac_sha1,0,NULL,0},
	212	+{"TLS11-AES-128-CBC-HMAC-SHA1","tls11-aes-128-cbc-hmac-sha1",
	213	+ NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0},
	214	+{"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1",
	215	+ NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0},
	216	};
	217
	218	static const unsigned int sn_objs[NUM_SN]={
	219	@@ -2705,6 +2711,9 @@ static const unsigned int sn_objs[NUM_SN]={
	220	100, /* "SN" */
	221	16, /* "ST" */
	222	143, /* "SXNetID" */
	223	+960, /* "TLS11-AES-128-CBC-HMAC-SHA1" */
	224	+961, /* "TLS11-AES-256-CBC-HMAC-SHA1" */
	225	+959, /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */
	226	458, /* "UID" */
	227	0, /* "UNDEF" */
	228	11, /* "X500" */
	229	@@ -4396,6 +4405,9 @@ static const unsigned int ln_objs[NUM_LN]={
	230	459, /* "textEncodedORAddress" */
	231	293, /* "textNotice" */
	232	106, /* "title" */
	233	+960, /* "tls11-aes-128-cbc-hmac-sha1" */
	234	+961, /* "tls11-aes-256-cbc-hmac-sha1" */
	235	+959, /* "tls11-des-ede3-cbc-hmac-sha1" */
	236	682, /* "tpBasis" */
	237	436, /* "ucl" */
	238	0, /* "undefined" */
	239	diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
	240	index cb318bc..5930563 100644
	241	--- a/crypto/objects/obj_mac.h
	242	+++ b/crypto/objects/obj_mac.h
	243	@@ -4051,6 +4051,18 @@
	244	#define LN_des_ede3_cbc_hmac_sha1 "des-ede3-cbc-hmac-sha1"
	245	#define NID_des_ede3_cbc_hmac_sha1 958
	246
	247	+#define SN_tls11_des_ede3_cbc_hmac_sha1 "TLS11-DES-EDE3-CBC-HMAC-SHA1"
	248	+#define LN_tls11_des_ede3_cbc_hmac_sha1 "tls11-des-ede3-cbc-hmac-sha1"
	249	+#define NID_tls11_des_ede3_cbc_hmac_sha1 959
	250	+
	251	+#define SN_tls11_aes_128_cbc_hmac_sha1 "TLS11-AES-128-CBC-HMAC-SHA1"
	252	+#define LN_tls11_aes_128_cbc_hmac_sha1 "tls11-aes-128-cbc-hmac-sha1"
	253	+#define NID_tls11_aes_128_cbc_hmac_sha1 960
	254	+
	255	+#define SN_tls11_aes_256_cbc_hmac_sha1 "TLS11-AES-256-CBC-HMAC-SHA1"
	256	+#define LN_tls11_aes_256_cbc_hmac_sha1 "tls11-aes-256-cbc-hmac-sha1"
	257	+#define NID_tls11_aes_256_cbc_hmac_sha1 961
	258	+
	259	#define SN_dhpublicnumber "dhpublicnumber"
	260	#define LN_dhpublicnumber "X9.42 DH"
	261	#define NID_dhpublicnumber 920
	262	diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
	263	index 02d1bb8..02f1728 100644
	264	--- a/crypto/objects/obj_mac.num
	265	+++ b/crypto/objects/obj_mac.num
	266	@@ -956,3 +956,6 @@ jurisdictionLocalityName 955
	267	jurisdictionStateOrProvinceName 956
	268	jurisdictionCountryName 957
	269	des_ede3_cbc_hmac_sha1 958
	270	+tls11_des_ede3_cbc_hmac_sha1 959
	271	+tls11_aes_128_cbc_hmac_sha1 960
	272	+tls11_aes_256_cbc_hmac_sha1 961
	273	diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
	274	index 4e1ff18..cda81da 100644
	275	--- a/crypto/objects/objects.txt
	276	+++ b/crypto/objects/objects.txt
	277	@@ -1295,6 +1295,9 @@ kisa 1 6 : SEED-OFB : seed-ofb
	278	: AES-192-CBC-HMAC-SHA256 : aes-192-cbc-hmac-sha256
	279	: AES-256-CBC-HMAC-SHA256 : aes-256-cbc-hmac-sha256
	280	: DES-EDE3-CBC-HMAC-SHA1 : des-ede3-cbc-hmac-sha1
	281	+ : TLS11-DES-EDE3-CBC-HMAC-SHA1 : tls11-des-ede3-cbc-hmac-sha1
	282	+ : TLS11-AES-128-CBC-HMAC-SHA1 : tls11-aes-128-cbc-hmac-sha1
	283	+ : TLS11-AES-256-CBC-HMAC-SHA1 : tls11-aes-256-cbc-hmac-sha1
	284
	285	ISO-US 10046 2 1 : dhpublicnumber : X9.42 DH
	286
	287	diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
	288	index a379273..e3d73ac 100644
	289	--- a/ssl/ssl_ciph.c
	290	+++ b/ssl/ssl_ciph.c
	291	@@ -652,11 +652,13 @@ int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
	292	c->algorithm_mac == SSL_MD5 &&
	293	(evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
	294	enc = evp, md = NULL;
	295	- else if (c->algorithm_enc == SSL_AES128 &&
	296	+ else if (s->ssl_version == TLS1_VERSION &&
	297	+ c->algorithm_enc == SSL_AES128 &&
	298	c->algorithm_mac == SSL_SHA1 &&
	299	(evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
	300	enc = evp, md = NULL;
	301	- else if (c->algorithm_enc == SSL_AES256 &&
	302	+ else if (s->ssl_version == TLS1_VERSION &&
	303	+ c->algorithm_enc == SSL_AES256 &&
	304	c->algorithm_mac == SSL_SHA1 &&
	305	(evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
	306	enc = evp, md = NULL;
	307	@@ -668,9 +670,25 @@ int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
	308	c->algorithm_mac == SSL_SHA256 &&
	309	(evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256")))
	310	enc = evp, md = NULL;
	311	- else if (c->algorithm_enc == SSL_3DES &&
	312	- c->algorithm_mac == SSL_SHA1 &&
	313	- (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
	314	+ else if (s->ssl_version == TLS1_VERSION &&
	315	+ c->algorithm_enc == SSL_3DES &&
	316	+ c->algorithm_mac == SSL_SHA1 &&
	317	+ (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
	318	+ enc = evp, md = NULL;
	319	+ else if (s->ssl_version == TLS1_1_VERSION &&
	320	+ c->algorithm_enc == SSL_3DES &&
	321	+ c->algorithm_mac == SSL_SHA1 &&
	322	+ (evp = EVP_get_cipherbyname("TLS11-DES-EDE3-CBC-HMAC-SHA1")))
	323	+ enc = evp, md = NULL;
	324	+ else if (s->ssl_version == TLS1_1_VERSION &&
	325	+ c->algorithm_enc == SSL_AES128 &&
	326	+ c->algorithm_mac == SSL_SHA1 &&
	327	+ (evp = EVP_get_cipherbyname("TLS11-AES-128-CBC-HMAC-SHA1")))
	328	+ enc = evp, md = NULL;
	329	+ else if (s->ssl_version == TLS1_1_VERSION &&
	330	+ c->algorithm_enc == SSL_AES256 &&
	331	+ c->algorithm_mac == SSL_SHA1 &&
	332	+ (evp = EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1")))
	333	enc = evp, md = NULL;
	334	return (1);
	335	} else
	336	--
	337	2.7.0
	338