1 files changed, 355 insertions, 0 deletions
diff --git a/recipes-connectivity/openssl/openssl-qoriq/qoriq/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch
new file mode 100644
index 0000000..988d79e
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch
@@ -0,0 +1,355 @@
+From 1de2b740a3bdcd8e98abb5f4e176d46fd817b932 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@freescale.com>
+Date: Tue, 31 Mar 2015 16:30:17 +0300
+Subject: [PATCH 19/26] eng_cryptodev: add support for TLSv1.1 record offload
+Supported cipher suites:
+- 3des-ede-cbc-sha
+- aes-128-cbc-hmac-sha
+- aes-256-cbc-hmac-sha
+Requires TLS patches on cryptodev and TLS algorithm support in Linux
+kernel driver.
+Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
+Change-Id: Id414f36a528de3f476b72688cf85714787d7ccae
+Reviewed-on: http://git.am.freescale.net:8181/34002
+Reviewed-by: Cristian Stoica <cristian.stoica@freescale.com>
+Tested-by: Cristian Stoica <cristian.stoica@freescale.com>
+---
+ crypto/engine/eng_cryptodev.c | 101 ++++++++++++++++++++++++++++++++++++++----
+ crypto/objects/obj_dat.h      |  18 ++++++--
+ crypto/objects/obj_mac.h      |  12 +++++
+ crypto/objects/obj_mac.num    |   3 ++
+ crypto/objects/objects.txt    |   3 ++
+ ssl/ssl_ciph.c                |  26 +++++++++--
+ 6 files changed, 148 insertions(+), 15 deletions(-)
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index 299e84b..f71ab27 100644
+--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
+@@ -66,6 +66,7 @@ ENGINE_load_cryptodev(void)
+ #include <sys/ioctl.h>
+ #include <errno.h>
+ #include <stdio.h>
+#include <stdbool.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <stdarg.h>
+@@ -133,9 +134,12 @@ static int cryptodev_dh_compute_key(unsigned char *key,
+ static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
+     void (*f)(void));
+ void ENGINE_load_cryptodev(void);
+const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
+-const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1;
+ 
+ inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin,  int *bin_len)
+ {
+@@ -256,6 +260,9 @@ static struct {
+        { CRYPTO_TLS10_3DES_CBC_HMAC_SHA1, NID_des_ede3_cbc_hmac_sha1, 8, 24, 20},
+        { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_128_cbc_hmac_sha1, 16, 16, 20},
+        { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20},
+       { CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8, 24, 20},
+       { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16, 20},
+       { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32, 20},
+        { CRYPTO_AES_GCM,       NID_aes_128_gcm,  16, 16, 0},
+        { 0, NID_undef, 0, 0, 0},
+ };
+@@ -462,14 +469,23 @@ cryptodev_usable_ciphers(const int **nids)
+        /* add ciphers specific to cryptodev if found in kernel */
+        for(i = 0; i < count; i++) {
+                switch (*(*nids + i)) {
+               case NID_des_ede3_cbc_hmac_sha1:
+                       EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1);
+                       break;
+                case NID_aes_128_cbc_hmac_sha1:
+                        EVP_add_cipher(&cryptodev_aes_128_cbc_hmac_sha1);
+                        break;
+                case NID_aes_256_cbc_hmac_sha1:
+                        EVP_add_cipher(&cryptodev_aes_256_cbc_hmac_sha1);
+                        break;
+-               case NID_des_ede3_cbc_hmac_sha1:
+-                       EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1);
+               case NID_tls11_des_ede3_cbc_hmac_sha1:
+                       EVP_add_cipher(&cryptodev_tls11_3des_cbc_hmac_sha1);
+                       break;
+               case NID_tls11_aes_128_cbc_hmac_sha1:
+                       EVP_add_cipher(&cryptodev_tls11_aes_128_cbc_hmac_sha1);
+                       break;
+               case NID_tls11_aes_256_cbc_hmac_sha1:
+                       EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1);
+                        break;
+                }
+        }
+@@ -574,9 +590,12 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ 
+        /* TODO: make a seamless integration with cryptodev flags */
+        switch (ctx->cipher->nid) {
+       case NID_des_ede3_cbc_hmac_sha1:
+        case NID_aes_128_cbc_hmac_sha1:
+        case NID_aes_256_cbc_hmac_sha1:
+-       case NID_des_ede3_cbc_hmac_sha1:
+       case NID_tls11_des_ede3_cbc_hmac_sha1:
+       case NID_tls11_aes_128_cbc_hmac_sha1:
+       case NID_tls11_aes_256_cbc_hmac_sha1:
+                cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
+        }
+        cryp.ses = sess->ses;
+@@ -758,8 +777,9 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
+                struct dev_crypto_state *state = ctx->cipher_data;
+                unsigned char *p = ptr;
+                unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1];
+-               unsigned int maclen, padlen;
+               unsigned int maclen, padlen, len;
+                unsigned int bs = ctx->cipher->block_size;
+               bool aad_needs_fix = false;
+ 
+                state->aad = ptr;
+                state->aad_len = arg;
+@@ -767,10 +787,24 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
+ 
+                /* TODO: this should be an extension of EVP_CIPHER struct */
+                switch (ctx->cipher->nid) {
+               case NID_des_ede3_cbc_hmac_sha1:
+                case NID_aes_128_cbc_hmac_sha1:
+                case NID_aes_256_cbc_hmac_sha1:
+-               case NID_des_ede3_cbc_hmac_sha1:
+                        maclen = SHA_DIGEST_LENGTH;
+                       break;
+               case NID_tls11_des_ede3_cbc_hmac_sha1:
+               case NID_tls11_aes_128_cbc_hmac_sha1:
+               case NID_tls11_aes_256_cbc_hmac_sha1:
+                       maclen = SHA_DIGEST_LENGTH;
+                       aad_needs_fix = true;
+                       break;
+               }
+
+               /* Correct length for AAD Length field */
+               if (ctx->encrypt && aad_needs_fix) {
+                       len = cryptlen - bs;
+                       p[arg-2] = len >> 8;
+                       p[arg-1] = len & 0xff;
+                }
+ 
+                /* space required for encryption (not only TLS padding) */
+@@ -1131,6 +1165,48 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1 = {
+        NULL
+ };
+ 
+const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1 = {
+       NID_tls11_des_ede3_cbc_hmac_sha1,
+       8, 24, 8,
+       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+       cryptodev_init_aead_key,
+       cryptodev_aead_cipher,
+       cryptodev_cleanup,
+       sizeof(struct dev_crypto_state),
+       EVP_CIPHER_set_asn1_iv,
+       EVP_CIPHER_get_asn1_iv,
+       cryptodev_cbc_hmac_sha1_ctrl,
+       NULL
+};
+
+const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1 = {
+       NID_tls11_aes_128_cbc_hmac_sha1,
+       16, 16, 16,
+       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+       cryptodev_init_aead_key,
+       cryptodev_aead_cipher,
+       cryptodev_cleanup,
+       sizeof(struct dev_crypto_state),
+       EVP_CIPHER_set_asn1_iv,
+       EVP_CIPHER_get_asn1_iv,
+       cryptodev_cbc_hmac_sha1_ctrl,
+       NULL
+};
+
+const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = {
+       NID_tls11_aes_256_cbc_hmac_sha1,
+       16, 32, 16,
+       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+       cryptodev_init_aead_key,
+       cryptodev_aead_cipher,
+       cryptodev_cleanup,
+       sizeof(struct dev_crypto_state),
+       EVP_CIPHER_set_asn1_iv,
+       EVP_CIPHER_get_asn1_iv,
+       cryptodev_cbc_hmac_sha1_ctrl,
+       NULL
+};
+
+ const EVP_CIPHER cryptodev_aes_128_gcm = {
+        NID_aes_128_gcm,
+        1, 16, 12,
+@@ -1184,6 +1260,9 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+        case NID_aes_256_cbc:
+                *cipher = &cryptodev_aes_256_cbc;
+                break;
+       case NID_aes_128_gcm:
+               *cipher = &cryptodev_aes_128_gcm;
+               break;
+        case NID_des_ede3_cbc_hmac_sha1:
+                *cipher = &cryptodev_3des_cbc_hmac_sha1;
+                break;
+@@ -1193,8 +1272,14 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+        case NID_aes_256_cbc_hmac_sha1:
+                *cipher = &cryptodev_aes_256_cbc_hmac_sha1;
+                break;
+-       case NID_aes_128_gcm:
+-               *cipher = &cryptodev_aes_128_gcm;
+       case NID_tls11_des_ede3_cbc_hmac_sha1:
+               *cipher = &cryptodev_tls11_3des_cbc_hmac_sha1;
+               break;
+       case NID_tls11_aes_128_cbc_hmac_sha1:
+               *cipher = &cryptodev_tls11_aes_128_cbc_hmac_sha1;
+               break;
+       case NID_tls11_aes_256_cbc_hmac_sha1:
+               *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1;
+                break;
+        default:
+                *cipher = NULL;
+diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
+index 9f2267a..dc89b0a 100644
+--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
+@@ -62,9 +62,9 @@
+  * [including the GNU Public Licence.]
+  */
+ 
+-#define NUM_NID 921
+-#define NUM_SN 914
+-#define NUM_LN 914
+#define NUM_NID 924
+#define NUM_SN 917
+#define NUM_LN 917
+ #define NUM_OBJ 857
+ 
+ static const unsigned char lvalues[5974]={
+@@ -2401,6 +2401,12 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
+ {"RSAES-OAEP","rsaesOaep",NID_rsaesOaep,9,&(lvalues[5964]),0},
+ {"DES-EDE3-CBC-HMAC-SHA1","des-ede3-cbc-hmac-sha1",
+        NID_des_ede3_cbc_hmac_sha1,0,NULL,0},
+{"TLS11-DES-EDE3-CBC-HMAC-SHA1","tls11-des-ede3-cbc-hmac-sha1",
+       NID_tls11_des_ede3_cbc_hmac_sha1,0,NULL,0},
+{"TLS11-AES-128-CBC-HMAC-SHA1","tls11-aes-128-cbc-hmac-sha1",
+       NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0},
+{"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1",
+       NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0},
+ };
+ 
+ static const unsigned int sn_objs[NUM_SN]={
+@@ -2586,6 +2592,9 @@ static const unsigned int sn_objs[NUM_SN]={
+ 100,   /* "SN" */
+ 16,    /* "ST" */
+ 143,   /* "SXNetID" */
+922,   /* "TLS11-AES-128-CBC-HMAC-SHA1" */
+923,   /* "TLS11-AES-256-CBC-HMAC-SHA1" */
+921,   /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */
+ 458,   /* "UID" */
+  0,    /* "UNDEF" */
+ 11,    /* "X500" */
+@@ -4205,6 +4214,9 @@ static const unsigned int ln_objs[NUM_LN]={
+ 459,   /* "textEncodedORAddress" */
+ 293,   /* "textNotice" */
+ 106,   /* "title" */
+922,   /* "tls11-aes-128-cbc-hmac-sha1" */
+923,   /* "tls11-aes-256-cbc-hmac-sha1" */
+921,   /* "tls11-des-ede3-cbc-hmac-sha1" */
+ 682,   /* "tpBasis" */
+ 436,   /* "ucl" */
+  0,    /* "undefined" */
+diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
+index 8751902..f181890 100644
+--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
+@@ -4034,3 +4034,15 @@
+ #define LN_des_ede3_cbc_hmac_sha1              "des-ede3-cbc-hmac-sha1"
+ #define NID_des_ede3_cbc_hmac_sha1             920
+ 
+#define SN_tls11_des_ede3_cbc_hmac_sha1                "TLS11-DES-EDE3-CBC-HMAC-SHA1"
+#define LN_tls11_des_ede3_cbc_hmac_sha1                "tls11-des-ede3-cbc-hmac-sha1"
+#define NID_tls11_des_ede3_cbc_hmac_sha1               921
+
+#define SN_tls11_aes_128_cbc_hmac_sha1         "TLS11-AES-128-CBC-HMAC-SHA1"
+#define LN_tls11_aes_128_cbc_hmac_sha1         "tls11-aes-128-cbc-hmac-sha1"
+#define NID_tls11_aes_128_cbc_hmac_sha1                922
+
+#define SN_tls11_aes_256_cbc_hmac_sha1         "TLS11-AES-256-CBC-HMAC-SHA1"
+#define LN_tls11_aes_256_cbc_hmac_sha1         "tls11-aes-256-cbc-hmac-sha1"
+#define NID_tls11_aes_256_cbc_hmac_sha1                923
+
+diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
+index 9d44bb5..a02b58c 100644
+--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
+@@ -918,3 +918,6 @@ aes_192_cbc_hmac_sha1               917
+ aes_256_cbc_hmac_sha1          918
+ rsaesOaep              919
+ des_ede3_cbc_hmac_sha1         920
+tls11_des_ede3_cbc_hmac_sha1           921
+tls11_aes_128_cbc_hmac_sha1            922
+tls11_aes_256_cbc_hmac_sha1            923
+diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
+index 90d2fc5..1973658 100644
+--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
+@@ -1291,3 +1291,6 @@ kisa 1 6                : SEED-OFB      : seed-ofb
+                        : AES-192-CBC-HMAC-SHA1         : aes-192-cbc-hmac-sha1
+                        : AES-256-CBC-HMAC-SHA1         : aes-256-cbc-hmac-sha1
+                        : DES-EDE3-CBC-HMAC-SHA1        : des-ede3-cbc-hmac-sha1
+                       : TLS11-DES-EDE3-CBC-HMAC-SHA1  : tls11-des-ede3-cbc-hmac-sha1
+                       : TLS11-AES-128-CBC-HMAC-SHA1   : tls11-aes-128-cbc-hmac-sha1
+                       : TLS11-AES-256-CBC-HMAC-SHA1   : tls11-aes-256-cbc-hmac-sha1
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 310fe76..0408986 100644
+--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
+@@ -631,17 +631,35 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+                         c->algorithm_mac == SSL_MD5 &&
+                         (evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
+                        *enc = evp, *md = NULL;
+-               else if (c->algorithm_enc == SSL_AES128 &&
+               else if (s->ssl_version == TLS1_VERSION &&
+                        c->algorithm_enc == SSL_3DES &&
+                        c->algorithm_mac == SSL_SHA1 &&
+                        (evp=EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
+                       *enc = evp, *md = NULL;
+               else if (s->ssl_version == TLS1_VERSION &&
+                        c->algorithm_enc == SSL_AES128 &&
+                         c->algorithm_mac == SSL_SHA1 &&
+                         (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
+                        *enc = evp, *md = NULL;
+-               else if (c->algorithm_enc == SSL_AES256 &&
+               else if (s->ssl_version == TLS1_VERSION &&
+                        c->algorithm_enc == SSL_AES256 &&
+                         c->algorithm_mac == SSL_SHA1 &&
+                         (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
+                        *enc = evp, *md = NULL;
+-               else if (c->algorithm_enc == SSL_3DES &&
+               else if (s->ssl_version == TLS1_1_VERSION &&
+                        c->algorithm_enc == SSL_3DES &&
+                        c->algorithm_mac == SSL_SHA1 &&
+                        (evp=EVP_get_cipherbyname("TLS11-DES-EDE3-CBC-HMAC-SHA1")))
+                       *enc = evp, *md = NULL;
+               else if (s->ssl_version == TLS1_1_VERSION &&
+                        c->algorithm_enc == SSL_AES128 &&
+                        c->algorithm_mac == SSL_SHA1 &&
+                        (evp=EVP_get_cipherbyname("TLS11-AES-128-CBC-HMAC-SHA1")))
+                       *enc = evp, *md = NULL;
+               else if (s->ssl_version == TLS1_1_VERSION &&
+                        c->algorithm_enc == SSL_AES256 &&
+                         c->algorithm_mac == SSL_SHA1 &&
+-                        (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
+                        (evp=EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1")))
+                        *enc = evp, *md = NULL;
+                return(1);
+                }
+-- 
+2.3.5

diff --git a/recipes-connectivity/openssl/openssl-qoriq/qoriq/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch new file mode 100644 index 0000000..988d79e --- /dev/null +++ b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch
@@ -0,0 +1,355 @@
	1	From 1de2b740a3bdcd8e98abb5f4e176d46fd817b932 Mon Sep 17 00:00:00 2001
	2	From: Tudor Ambarus <tudor.ambarus@freescale.com>
	3	Date: Tue, 31 Mar 2015 16:30:17 +0300
	4	Subject: [PATCH 19/26] eng_cryptodev: add support for TLSv1.1 record offload
	5
	6	Supported cipher suites:
	7	- 3des-ede-cbc-sha
	8	- aes-128-cbc-hmac-sha
	9	- aes-256-cbc-hmac-sha
	10
	11	Requires TLS patches on cryptodev and TLS algorithm support in Linux
	12	kernel driver.
	13
	14	Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
	15	Change-Id: Id414f36a528de3f476b72688cf85714787d7ccae
	16	Reviewed-on: http://git.am.freescale.net:8181/34002
	17	Reviewed-by: Cristian Stoica <cristian.stoica@freescale.com>
	18	Tested-by: Cristian Stoica <cristian.stoica@freescale.com>
	19	---
	20	crypto/engine/eng_cryptodev.c \| 101 ++++++++++++++++++++++++++++++++++++++----
	21	crypto/objects/obj_dat.h \| 18 ++++++--
	22	crypto/objects/obj_mac.h \| 12 +++++
	23	crypto/objects/obj_mac.num \| 3 ++
	24	crypto/objects/objects.txt \| 3 ++
	25	ssl/ssl_ciph.c \| 26 +++++++++--
	26	6 files changed, 148 insertions(+), 15 deletions(-)
	27
	28	diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
	29	index 299e84b..f71ab27 100644
	30	--- a/crypto/engine/eng_cryptodev.c
	31	+++ b/crypto/engine/eng_cryptodev.c
	32	@@ -66,6 +66,7 @@ ENGINE_load_cryptodev(void)
	33	#include <sys/ioctl.h>
	34	#include <errno.h>
	35	#include <stdio.h>
	36	+#include <stdbool.h>
	37	#include <unistd.h>
	38	#include <fcntl.h>
	39	#include <stdarg.h>
	40	@@ -133,9 +134,12 @@ static int cryptodev_dh_compute_key(unsigned char *key,
	41	static int cryptodev_ctrl(ENGINE e, int cmd, long i, void p,
	42	void (*f)(void));
	43	void ENGINE_load_cryptodev(void);
	44	+const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1;
	45	const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1;
	46	const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
	47	-const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1;
	48	+const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1;
	49	+const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1;
	50	+const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1;
	51
	52	inline int spcf_bn2bin(BIGNUM bn, unsigned char bin, int bin_len)
	53	{
	54	@@ -256,6 +260,9 @@ static struct {
	55	{ CRYPTO_TLS10_3DES_CBC_HMAC_SHA1, NID_des_ede3_cbc_hmac_sha1, 8, 24, 20},
	56	{ CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_128_cbc_hmac_sha1, 16, 16, 20},
	57	{ CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20},
	58	+ { CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8, 24, 20},
	59	+ { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16, 20},
	60	+ { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32, 20},
	61	{ CRYPTO_AES_GCM, NID_aes_128_gcm, 16, 16, 0},
	62	{ 0, NID_undef, 0, 0, 0},
	63	};
	64	@@ -462,14 +469,23 @@ cryptodev_usable_ciphers(const int **nids)
	65	/* add ciphers specific to cryptodev if found in kernel */
	66	for(i = 0; i < count; i++) {
	67	switch ((nids + i)) {
	68	+ case NID_des_ede3_cbc_hmac_sha1:
	69	+ EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1);
	70	+ break;
	71	case NID_aes_128_cbc_hmac_sha1:
	72	EVP_add_cipher(&cryptodev_aes_128_cbc_hmac_sha1);
	73	break;
	74	case NID_aes_256_cbc_hmac_sha1:
	75	EVP_add_cipher(&cryptodev_aes_256_cbc_hmac_sha1);
	76	break;
	77	- case NID_des_ede3_cbc_hmac_sha1:
	78	- EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1);
	79	+ case NID_tls11_des_ede3_cbc_hmac_sha1:
	80	+ EVP_add_cipher(&cryptodev_tls11_3des_cbc_hmac_sha1);
	81	+ break;
	82	+ case NID_tls11_aes_128_cbc_hmac_sha1:
	83	+ EVP_add_cipher(&cryptodev_tls11_aes_128_cbc_hmac_sha1);
	84	+ break;
	85	+ case NID_tls11_aes_256_cbc_hmac_sha1:
	86	+ EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1);
	87	break;
	88	}
	89	}
	90	@@ -574,9 +590,12 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
	91
	92	/* TODO: make a seamless integration with cryptodev flags */
	93	switch (ctx->cipher->nid) {
	94	+ case NID_des_ede3_cbc_hmac_sha1:
	95	case NID_aes_128_cbc_hmac_sha1:
	96	case NID_aes_256_cbc_hmac_sha1:
	97	- case NID_des_ede3_cbc_hmac_sha1:
	98	+ case NID_tls11_des_ede3_cbc_hmac_sha1:
	99	+ case NID_tls11_aes_128_cbc_hmac_sha1:
	100	+ case NID_tls11_aes_256_cbc_hmac_sha1:
	101	cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
	102	}
	103	cryp.ses = sess->ses;
	104	@@ -758,8 +777,9 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
	105	struct dev_crypto_state *state = ctx->cipher_data;
	106	unsigned char *p = ptr;
	107	unsigned int cryptlen = p[arg - 2] << 8 \| p[arg - 1];
	108	- unsigned int maclen, padlen;
	109	+ unsigned int maclen, padlen, len;
	110	unsigned int bs = ctx->cipher->block_size;
	111	+ bool aad_needs_fix = false;
	112
	113	state->aad = ptr;
	114	state->aad_len = arg;
	115	@@ -767,10 +787,24 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
	116
	117	/* TODO: this should be an extension of EVP_CIPHER struct */
	118	switch (ctx->cipher->nid) {
	119	+ case NID_des_ede3_cbc_hmac_sha1:
	120	case NID_aes_128_cbc_hmac_sha1:
	121	case NID_aes_256_cbc_hmac_sha1:
	122	- case NID_des_ede3_cbc_hmac_sha1:
	123	maclen = SHA_DIGEST_LENGTH;
	124	+ break;
	125	+ case NID_tls11_des_ede3_cbc_hmac_sha1:
	126	+ case NID_tls11_aes_128_cbc_hmac_sha1:
	127	+ case NID_tls11_aes_256_cbc_hmac_sha1:
	128	+ maclen = SHA_DIGEST_LENGTH;
	129	+ aad_needs_fix = true;
	130	+ break;
	131	+ }
	132	+
	133	+ /* Correct length for AAD Length field */
	134	+ if (ctx->encrypt && aad_needs_fix) {
	135	+ len = cryptlen - bs;
	136	+ p[arg-2] = len >> 8;
	137	+ p[arg-1] = len & 0xff;
	138	}
	139
	140	/* space required for encryption (not only TLS padding) */
	141	@@ -1131,6 +1165,48 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1 = {
	142	NULL
	143	};
	144
	145	+const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1 = {
	146	+ NID_tls11_des_ede3_cbc_hmac_sha1,
	147	+ 8, 24, 8,
	148	+ EVP_CIPH_CBC_MODE \| EVP_CIPH_FLAG_AEAD_CIPHER,
	149	+ cryptodev_init_aead_key,
	150	+ cryptodev_aead_cipher,
	151	+ cryptodev_cleanup,
	152	+ sizeof(struct dev_crypto_state),
	153	+ EVP_CIPHER_set_asn1_iv,
	154	+ EVP_CIPHER_get_asn1_iv,
	155	+ cryptodev_cbc_hmac_sha1_ctrl,
	156	+ NULL
	157	+};
	158	+
	159	+const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1 = {
	160	+ NID_tls11_aes_128_cbc_hmac_sha1,
	161	+ 16, 16, 16,
	162	+ EVP_CIPH_CBC_MODE \| EVP_CIPH_FLAG_AEAD_CIPHER,
	163	+ cryptodev_init_aead_key,
	164	+ cryptodev_aead_cipher,
	165	+ cryptodev_cleanup,
	166	+ sizeof(struct dev_crypto_state),
	167	+ EVP_CIPHER_set_asn1_iv,
	168	+ EVP_CIPHER_get_asn1_iv,
	169	+ cryptodev_cbc_hmac_sha1_ctrl,
	170	+ NULL
	171	+};
	172	+
	173	+const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = {
	174	+ NID_tls11_aes_256_cbc_hmac_sha1,
	175	+ 16, 32, 16,
	176	+ EVP_CIPH_CBC_MODE \| EVP_CIPH_FLAG_AEAD_CIPHER,
	177	+ cryptodev_init_aead_key,
	178	+ cryptodev_aead_cipher,
	179	+ cryptodev_cleanup,
	180	+ sizeof(struct dev_crypto_state),
	181	+ EVP_CIPHER_set_asn1_iv,
	182	+ EVP_CIPHER_get_asn1_iv,
	183	+ cryptodev_cbc_hmac_sha1_ctrl,
	184	+ NULL
	185	+};
	186	+
	187	const EVP_CIPHER cryptodev_aes_128_gcm = {
	188	NID_aes_128_gcm,
	189	1, 16, 12,
	190	@@ -1184,6 +1260,9 @@ cryptodev_engine_ciphers(ENGINE e, const EVP_CIPHER *cipher,
	191	case NID_aes_256_cbc:
	192	*cipher = &cryptodev_aes_256_cbc;
	193	break;
	194	+ case NID_aes_128_gcm:
	195	+ *cipher = &cryptodev_aes_128_gcm;
	196	+ break;
	197	case NID_des_ede3_cbc_hmac_sha1:
	198	*cipher = &cryptodev_3des_cbc_hmac_sha1;
	199	break;
	200	@@ -1193,8 +1272,14 @@ cryptodev_engine_ciphers(ENGINE e, const EVP_CIPHER *cipher,
	201	case NID_aes_256_cbc_hmac_sha1:
	202	*cipher = &cryptodev_aes_256_cbc_hmac_sha1;
	203	break;
	204	- case NID_aes_128_gcm:
	205	- *cipher = &cryptodev_aes_128_gcm;
	206	+ case NID_tls11_des_ede3_cbc_hmac_sha1:
	207	+ *cipher = &cryptodev_tls11_3des_cbc_hmac_sha1;
	208	+ break;
	209	+ case NID_tls11_aes_128_cbc_hmac_sha1:
	210	+ *cipher = &cryptodev_tls11_aes_128_cbc_hmac_sha1;
	211	+ break;
	212	+ case NID_tls11_aes_256_cbc_hmac_sha1:
	213	+ *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1;
	214	break;
	215	default:
	216	*cipher = NULL;
	217	diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
	218	index 9f2267a..dc89b0a 100644
	219	--- a/crypto/objects/obj_dat.h
	220	+++ b/crypto/objects/obj_dat.h
	221	@@ -62,9 +62,9 @@
	222	* [including the GNU Public Licence.]
	223	*/
	224
	225	-#define NUM_NID 921
	226	-#define NUM_SN 914
	227	-#define NUM_LN 914
	228	+#define NUM_NID 924
	229	+#define NUM_SN 917
	230	+#define NUM_LN 917
	231	#define NUM_OBJ 857
	232
	233	static const unsigned char lvalues[5974]={
	234	@@ -2401,6 +2401,12 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
	235	{"RSAES-OAEP","rsaesOaep",NID_rsaesOaep,9,&(lvalues[5964]),0},
	236	{"DES-EDE3-CBC-HMAC-SHA1","des-ede3-cbc-hmac-sha1",
	237	NID_des_ede3_cbc_hmac_sha1,0,NULL,0},
	238	+{"TLS11-DES-EDE3-CBC-HMAC-SHA1","tls11-des-ede3-cbc-hmac-sha1",
	239	+ NID_tls11_des_ede3_cbc_hmac_sha1,0,NULL,0},
	240	+{"TLS11-AES-128-CBC-HMAC-SHA1","tls11-aes-128-cbc-hmac-sha1",
	241	+ NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0},
	242	+{"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1",
	243	+ NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0},
	244	};
	245
	246	static const unsigned int sn_objs[NUM_SN]={
	247	@@ -2586,6 +2592,9 @@ static const unsigned int sn_objs[NUM_SN]={
	248	100, /* "SN" */
	249	16, /* "ST" */
	250	143, /* "SXNetID" */
	251	+922, /* "TLS11-AES-128-CBC-HMAC-SHA1" */
	252	+923, /* "TLS11-AES-256-CBC-HMAC-SHA1" */
	253	+921, /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */
	254	458, /* "UID" */
	255	0, /* "UNDEF" */
	256	11, /* "X500" */
	257	@@ -4205,6 +4214,9 @@ static const unsigned int ln_objs[NUM_LN]={
	258	459, /* "textEncodedORAddress" */
	259	293, /* "textNotice" */
	260	106, /* "title" */
	261	+922, /* "tls11-aes-128-cbc-hmac-sha1" */
	262	+923, /* "tls11-aes-256-cbc-hmac-sha1" */
	263	+921, /* "tls11-des-ede3-cbc-hmac-sha1" */
	264	682, /* "tpBasis" */
	265	436, /* "ucl" */
	266	0, /* "undefined" */
	267	diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
	268	index 8751902..f181890 100644
	269	--- a/crypto/objects/obj_mac.h
	270	+++ b/crypto/objects/obj_mac.h
	271	@@ -4034,3 +4034,15 @@
	272	#define LN_des_ede3_cbc_hmac_sha1 "des-ede3-cbc-hmac-sha1"
	273	#define NID_des_ede3_cbc_hmac_sha1 920
	274
	275	+#define SN_tls11_des_ede3_cbc_hmac_sha1 "TLS11-DES-EDE3-CBC-HMAC-SHA1"
	276	+#define LN_tls11_des_ede3_cbc_hmac_sha1 "tls11-des-ede3-cbc-hmac-sha1"
	277	+#define NID_tls11_des_ede3_cbc_hmac_sha1 921
	278	+
	279	+#define SN_tls11_aes_128_cbc_hmac_sha1 "TLS11-AES-128-CBC-HMAC-SHA1"
	280	+#define LN_tls11_aes_128_cbc_hmac_sha1 "tls11-aes-128-cbc-hmac-sha1"
	281	+#define NID_tls11_aes_128_cbc_hmac_sha1 922
	282	+
	283	+#define SN_tls11_aes_256_cbc_hmac_sha1 "TLS11-AES-256-CBC-HMAC-SHA1"
	284	+#define LN_tls11_aes_256_cbc_hmac_sha1 "tls11-aes-256-cbc-hmac-sha1"
	285	+#define NID_tls11_aes_256_cbc_hmac_sha1 923
	286	+
	287	diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
	288	index 9d44bb5..a02b58c 100644
	289	--- a/crypto/objects/obj_mac.num
	290	+++ b/crypto/objects/obj_mac.num
	291	@@ -918,3 +918,6 @@ aes_192_cbc_hmac_sha1 917
	292	aes_256_cbc_hmac_sha1 918
	293	rsaesOaep 919
	294	des_ede3_cbc_hmac_sha1 920
	295	+tls11_des_ede3_cbc_hmac_sha1 921
	296	+tls11_aes_128_cbc_hmac_sha1 922
	297	+tls11_aes_256_cbc_hmac_sha1 923
	298	diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
	299	index 90d2fc5..1973658 100644
	300	--- a/crypto/objects/objects.txt
	301	+++ b/crypto/objects/objects.txt
	302	@@ -1291,3 +1291,6 @@ kisa 1 6 : SEED-OFB : seed-ofb
	303	: AES-192-CBC-HMAC-SHA1 : aes-192-cbc-hmac-sha1
	304	: AES-256-CBC-HMAC-SHA1 : aes-256-cbc-hmac-sha1
	305	: DES-EDE3-CBC-HMAC-SHA1 : des-ede3-cbc-hmac-sha1
	306	+ : TLS11-DES-EDE3-CBC-HMAC-SHA1 : tls11-des-ede3-cbc-hmac-sha1
	307	+ : TLS11-AES-128-CBC-HMAC-SHA1 : tls11-aes-128-cbc-hmac-sha1
	308	+ : TLS11-AES-256-CBC-HMAC-SHA1 : tls11-aes-256-cbc-hmac-sha1
	309	diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
	310	index 310fe76..0408986 100644
	311	--- a/ssl/ssl_ciph.c
	312	+++ b/ssl/ssl_ciph.c
	313	@@ -631,17 +631,35 @@ int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
	314	c->algorithm_mac == SSL_MD5 &&
	315	(evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
	316	enc = evp, md = NULL;
	317	- else if (c->algorithm_enc == SSL_AES128 &&
	318	+ else if (s->ssl_version == TLS1_VERSION &&
	319	+ c->algorithm_enc == SSL_3DES &&
	320	+ c->algorithm_mac == SSL_SHA1 &&
	321	+ (evp=EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
	322	+ enc = evp, md = NULL;
	323	+ else if (s->ssl_version == TLS1_VERSION &&
	324	+ c->algorithm_enc == SSL_AES128 &&
	325	c->algorithm_mac == SSL_SHA1 &&
	326	(evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
	327	enc = evp, md = NULL;
	328	- else if (c->algorithm_enc == SSL_AES256 &&
	329	+ else if (s->ssl_version == TLS1_VERSION &&
	330	+ c->algorithm_enc == SSL_AES256 &&
	331	c->algorithm_mac == SSL_SHA1 &&
	332	(evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
	333	enc = evp, md = NULL;
	334	- else if (c->algorithm_enc == SSL_3DES &&
	335	+ else if (s->ssl_version == TLS1_1_VERSION &&
	336	+ c->algorithm_enc == SSL_3DES &&
	337	+ c->algorithm_mac == SSL_SHA1 &&
	338	+ (evp=EVP_get_cipherbyname("TLS11-DES-EDE3-CBC-HMAC-SHA1")))
	339	+ enc = evp, md = NULL;
	340	+ else if (s->ssl_version == TLS1_1_VERSION &&
	341	+ c->algorithm_enc == SSL_AES128 &&
	342	+ c->algorithm_mac == SSL_SHA1 &&
	343	+ (evp=EVP_get_cipherbyname("TLS11-AES-128-CBC-HMAC-SHA1")))
	344	+ enc = evp, md = NULL;
	345	+ else if (s->ssl_version == TLS1_1_VERSION &&
	346	+ c->algorithm_enc == SSL_AES256 &&
	347	c->algorithm_mac == SSL_SHA1 &&
	348	- (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
	349	+ (evp=EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1")))
	350	enc = evp, md = NULL;
	351	return(1);
	352	}
	353	--
	354	2.3.5
	355