1 files changed, 359 insertions, 0 deletions
diff --git a/recipes-connectivity/openssl/openssl-qoriq/qoriq/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch
new file mode 100644
index 0000000..7370c49
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch
@@ -0,0 +1,359 @@
+From a58703e6601fcfcfe69fdb3e7152ed76b40d67e9 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@freescale.com>
+Date: Tue, 31 Mar 2015 16:32:35 +0300
+Subject: [PATCH 20/26] eng_cryptodev: add support for TLSv1.2 record offload
+Supported cipher suites:
+- 3des-ede-cbc-sha
+- aes-128-cbc-hmac-sha
+- aes-256-cbc-hmac-sha
+- aes-128-cbc-hmac-sha256
+- aes-256-cbc-hmac-sha256
+Requires TLS patches on cryptodev and TLS algorithm support in Linux
+kernel driver.
+Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
+Change-Id: I0ac6953dd62e2655a59d8f3eaefd012b7ecebf55
+Reviewed-on: http://git.am.freescale.net:8181/34003
+Reviewed-by: Cristian Stoica <cristian.stoica@freescale.com>
+Tested-by: Cristian Stoica <cristian.stoica@freescale.com>
+---
+ crypto/engine/eng_cryptodev.c | 123 ++++++++++++++++++++++++++++++++++++++++++
+ crypto/objects/obj_dat.h      |  26 +++++++--
+ crypto/objects/obj_mac.h      |  20 +++++++
+ crypto/objects/obj_mac.num    |   5 ++
+ crypto/objects/objects.txt    |   5 ++
+ ssl/ssl_ciph.c                |  25 +++++++++
+ 6 files changed, 201 insertions(+), 3 deletions(-)
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index f71ab27..fa5fe1b 100644
+--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
+@@ -140,6 +140,11 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1;
+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256;
+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256;
+ 
+ inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin,  int *bin_len)
+ {
+@@ -263,6 +268,11 @@ static struct {
+        { CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8, 24, 20},
+        { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16, 20},
+        { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32, 20},
+       { CRYPTO_TLS12_3DES_CBC_HMAC_SHA1, NID_tls12_des_ede3_cbc_hmac_sha1, 8, 24, 20},
+       { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_128_cbc_hmac_sha1, 16, 16, 20},
+       { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_256_cbc_hmac_sha1, 16, 32, 20},
+       { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_128_cbc_hmac_sha256, 16, 16, 32},
+       { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_256_cbc_hmac_sha256, 16, 32, 32},
+        { CRYPTO_AES_GCM,       NID_aes_128_gcm,  16, 16, 0},
+        { 0, NID_undef, 0, 0, 0},
+ };
+@@ -487,6 +497,21 @@ cryptodev_usable_ciphers(const int **nids)
+                case NID_tls11_aes_256_cbc_hmac_sha1:
+                        EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1);
+                        break;
+               case NID_tls12_des_ede3_cbc_hmac_sha1:
+                       EVP_add_cipher(&cryptodev_tls12_3des_cbc_hmac_sha1);
+                       break;
+               case NID_tls12_aes_128_cbc_hmac_sha1:
+                       EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha1);
+                       break;
+               case NID_tls12_aes_256_cbc_hmac_sha1:
+                       EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha1);
+                       break;
+               case NID_tls12_aes_128_cbc_hmac_sha256:
+                       EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha256);
+                       break;
+               case NID_tls12_aes_256_cbc_hmac_sha256:
+                       EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha256);
+                       break;
+                }
+        }
+        return count;
+@@ -596,6 +621,11 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+        case NID_tls11_des_ede3_cbc_hmac_sha1:
+        case NID_tls11_aes_128_cbc_hmac_sha1:
+        case NID_tls11_aes_256_cbc_hmac_sha1:
+       case NID_tls12_des_ede3_cbc_hmac_sha1:
+       case NID_tls12_aes_128_cbc_hmac_sha1:
+       case NID_tls12_aes_256_cbc_hmac_sha1:
+       case NID_tls12_aes_128_cbc_hmac_sha256:
+       case NID_tls12_aes_256_cbc_hmac_sha256:
+                cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
+        }
+        cryp.ses = sess->ses;
+@@ -795,9 +825,17 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
+                case NID_tls11_des_ede3_cbc_hmac_sha1:
+                case NID_tls11_aes_128_cbc_hmac_sha1:
+                case NID_tls11_aes_256_cbc_hmac_sha1:
+               case NID_tls12_des_ede3_cbc_hmac_sha1:
+               case NID_tls12_aes_128_cbc_hmac_sha1:
+               case NID_tls12_aes_256_cbc_hmac_sha1:
+                        maclen = SHA_DIGEST_LENGTH;
+                        aad_needs_fix = true;
+                        break;
+               case NID_tls12_aes_128_cbc_hmac_sha256:
+               case NID_tls12_aes_256_cbc_hmac_sha256:
+                       maclen = SHA256_DIGEST_LENGTH;
+                       aad_needs_fix = true;
+                       break;
+                }
+ 
+                /* Correct length for AAD Length field */
+@@ -1207,6 +1245,76 @@ const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = {
+        NULL
+ };
+ 
+const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1 = {
+       NID_tls12_des_ede3_cbc_hmac_sha1,
+       8, 24, 8,
+       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+       cryptodev_init_aead_key,
+       cryptodev_aead_cipher,
+       cryptodev_cleanup,
+       sizeof(struct dev_crypto_state),
+       EVP_CIPHER_set_asn1_iv,
+       EVP_CIPHER_get_asn1_iv,
+       cryptodev_cbc_hmac_sha1_ctrl,
+       NULL
+};
+
+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1 = {
+       NID_tls12_aes_128_cbc_hmac_sha1,
+       16, 16, 16,
+       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+       cryptodev_init_aead_key,
+       cryptodev_aead_cipher,
+       cryptodev_cleanup,
+       sizeof(struct dev_crypto_state),
+       EVP_CIPHER_set_asn1_iv,
+       EVP_CIPHER_get_asn1_iv,
+       cryptodev_cbc_hmac_sha1_ctrl,
+       NULL
+};
+
+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1 = {
+       NID_tls12_aes_256_cbc_hmac_sha1,
+       16, 32, 16,
+       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+       cryptodev_init_aead_key,
+       cryptodev_aead_cipher,
+       cryptodev_cleanup,
+       sizeof(struct dev_crypto_state),
+       EVP_CIPHER_set_asn1_iv,
+       EVP_CIPHER_get_asn1_iv,
+       cryptodev_cbc_hmac_sha1_ctrl,
+       NULL
+};
+
+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256 = {
+       NID_tls12_aes_128_cbc_hmac_sha256,
+       16, 16, 16,
+       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+       cryptodev_init_aead_key,
+       cryptodev_aead_cipher,
+       cryptodev_cleanup,
+       sizeof(struct dev_crypto_state),
+       EVP_CIPHER_set_asn1_iv,
+       EVP_CIPHER_get_asn1_iv,
+       cryptodev_cbc_hmac_sha1_ctrl,
+       NULL
+};
+
+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256 = {
+       NID_tls12_aes_256_cbc_hmac_sha256,
+       16, 32, 16,
+       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+       cryptodev_init_aead_key,
+       cryptodev_aead_cipher,
+       cryptodev_cleanup,
+       sizeof(struct dev_crypto_state),
+       EVP_CIPHER_set_asn1_iv,
+       EVP_CIPHER_get_asn1_iv,
+       cryptodev_cbc_hmac_sha1_ctrl,
+       NULL
+};
+
+ const EVP_CIPHER cryptodev_aes_128_gcm = {
+        NID_aes_128_gcm,
+        1, 16, 12,
+@@ -1281,6 +1389,21 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+        case NID_tls11_aes_256_cbc_hmac_sha1:
+                *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1;
+                break;
+       case NID_tls12_des_ede3_cbc_hmac_sha1:
+               *cipher = &cryptodev_tls12_3des_cbc_hmac_sha1;
+               break;
+       case NID_tls12_aes_128_cbc_hmac_sha1:
+               *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha1;
+               break;
+       case NID_tls12_aes_256_cbc_hmac_sha1:
+               *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha1;
+               break;
+       case NID_tls12_aes_128_cbc_hmac_sha256:
+               *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha256;
+               break;
+       case NID_tls12_aes_256_cbc_hmac_sha256:
+               *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha256;
+               break;
+        default:
+                *cipher = NULL;
+                break;
+diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
+index dc89b0a..dfe19da 100644
+--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
+@@ -62,9 +62,9 @@
+  * [including the GNU Public Licence.]
+  */
+ 
+-#define NUM_NID 924
+-#define NUM_SN 917
+-#define NUM_LN 917
+#define NUM_NID 929
+#define NUM_SN 922
+#define NUM_LN 922
+ #define NUM_OBJ 857
+ 
+ static const unsigned char lvalues[5974]={
+@@ -2407,6 +2407,16 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
+        NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0},
+ {"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1",
+        NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0},
+{"TLS12-DES-EDE3-CBC-HMAC-SHA1","tls12-des-ede3-cbc-hmac-sha1",
+       NID_tls12_des_ede3_cbc_hmac_sha1,0,NULL,0},
+{"TLS12-AES-128-CBC-HMAC-SHA1","tls12-aes-128-cbc-hmac-sha1",
+       NID_tls12_aes_128_cbc_hmac_sha1,0,NULL,0},
+{"TLS12-AES-256-CBC-HMAC-SHA1","tls12-aes-256-cbc-hmac-sha1",
+       NID_tls12_aes_256_cbc_hmac_sha1,0,NULL,0},
+{"TLS12-AES-128-CBC-HMAC-SHA256","tls12-aes-128-cbc-hmac-sha256",
+       NID_tls12_aes_128_cbc_hmac_sha256,0,NULL,0},
+{"TLS12-AES-256-CBC-HMAC-SHA256","tls12-aes-256-cbc-hmac-sha256",
+       NID_tls12_aes_256_cbc_hmac_sha256,0,NULL,0},
+ };
+ 
+ static const unsigned int sn_objs[NUM_SN]={
+@@ -2595,6 +2605,11 @@ static const unsigned int sn_objs[NUM_SN]={
+ 922,   /* "TLS11-AES-128-CBC-HMAC-SHA1" */
+ 923,   /* "TLS11-AES-256-CBC-HMAC-SHA1" */
+ 921,   /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */
+925,   /* "TLS12-AES-128-CBC-HMAC-SHA1" */
+927,   /* "TLS12-AES-128-CBC-HMAC-SHA256" */
+926,   /* "TLS12-AES-256-CBC-HMAC-SHA1" */
+928,   /* "TLS12-AES-256-CBC-HMAC-SHA256" */
+924,   /* "TLS12-DES-EDE3-CBC-HMAC-SHA1" */
+ 458,   /* "UID" */
+  0,    /* "UNDEF" */
+ 11,    /* "X500" */
+@@ -4217,6 +4232,11 @@ static const unsigned int ln_objs[NUM_LN]={
+ 922,   /* "tls11-aes-128-cbc-hmac-sha1" */
+ 923,   /* "tls11-aes-256-cbc-hmac-sha1" */
+ 921,   /* "tls11-des-ede3-cbc-hmac-sha1" */
+925,   /* "tls12-aes-128-cbc-hmac-sha1" */
+927,   /* "tls12-aes-128-cbc-hmac-sha256" */
+926,   /* "tls12-aes-256-cbc-hmac-sha1" */
+928,   /* "tls12-aes-256-cbc-hmac-sha256" */
+924,   /* "tls12-des-ede3-cbc-hmac-sha1" */
+ 682,   /* "tpBasis" */
+ 436,   /* "ucl" */
+  0,    /* "undefined" */
+diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
+index f181890..5af125e 100644
+--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
+@@ -4046,3 +4046,23 @@
+ #define LN_tls11_aes_256_cbc_hmac_sha1         "tls11-aes-256-cbc-hmac-sha1"
+ #define NID_tls11_aes_256_cbc_hmac_sha1                923
+ 
+#define SN_tls12_des_ede3_cbc_hmac_sha1                "TLS12-DES-EDE3-CBC-HMAC-SHA1"
+#define LN_tls12_des_ede3_cbc_hmac_sha1                "tls12-des-ede3-cbc-hmac-sha1"
+#define NID_tls12_des_ede3_cbc_hmac_sha1               924
+
+#define SN_tls12_aes_128_cbc_hmac_sha1         "TLS12-AES-128-CBC-HMAC-SHA1"
+#define LN_tls12_aes_128_cbc_hmac_sha1         "tls12-aes-128-cbc-hmac-sha1"
+#define NID_tls12_aes_128_cbc_hmac_sha1                925
+
+#define SN_tls12_aes_256_cbc_hmac_sha1         "TLS12-AES-256-CBC-HMAC-SHA1"
+#define LN_tls12_aes_256_cbc_hmac_sha1         "tls12-aes-256-cbc-hmac-sha1"
+#define NID_tls12_aes_256_cbc_hmac_sha1                926
+
+#define SN_tls12_aes_128_cbc_hmac_sha256               "TLS12-AES-128-CBC-HMAC-SHA256"
+#define LN_tls12_aes_128_cbc_hmac_sha256               "tls12-aes-128-cbc-hmac-sha256"
+#define NID_tls12_aes_128_cbc_hmac_sha256              927
+
+#define SN_tls12_aes_256_cbc_hmac_sha256               "TLS12-AES-256-CBC-HMAC-SHA256"
+#define LN_tls12_aes_256_cbc_hmac_sha256               "tls12-aes-256-cbc-hmac-sha256"
+#define NID_tls12_aes_256_cbc_hmac_sha256              928
+
+diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
+index a02b58c..deeba3a 100644
+--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
+@@ -921,3 +921,8 @@ des_ede3_cbc_hmac_sha1              920
+ tls11_des_ede3_cbc_hmac_sha1           921
+ tls11_aes_128_cbc_hmac_sha1            922
+ tls11_aes_256_cbc_hmac_sha1            923
+tls12_des_ede3_cbc_hmac_sha1           924
+tls12_aes_128_cbc_hmac_sha1            925
+tls12_aes_256_cbc_hmac_sha1            926
+tls12_aes_128_cbc_hmac_sha256          927
+tls12_aes_256_cbc_hmac_sha256          928
+diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
+index 1973658..6e4ac93 100644
+--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
+@@ -1294,3 +1294,8 @@ kisa 1 6                : SEED-OFB      : seed-ofb
+                        : TLS11-DES-EDE3-CBC-HMAC-SHA1  : tls11-des-ede3-cbc-hmac-sha1
+                        : TLS11-AES-128-CBC-HMAC-SHA1   : tls11-aes-128-cbc-hmac-sha1
+                        : TLS11-AES-256-CBC-HMAC-SHA1   : tls11-aes-256-cbc-hmac-sha1
+                       : TLS12-DES-EDE3-CBC-HMAC-SHA1  : tls12-des-ede3-cbc-hmac-sha1
+                       : TLS12-AES-128-CBC-HMAC-SHA1   : tls12-aes-128-cbc-hmac-sha1
+                       : TLS12-AES-256-CBC-HMAC-SHA1   : tls12-aes-256-cbc-hmac-sha1
+                       : TLS12-AES-128-CBC-HMAC-SHA256 : tls12-aes-128-cbc-hmac-sha256
+                       : TLS12-AES-256-CBC-HMAC-SHA256 : tls12-aes-256-cbc-hmac-sha256
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 0408986..77a82f6 100644
+--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
+@@ -661,6 +661,31 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+                         c->algorithm_mac == SSL_SHA1 &&
+                         (evp=EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1")))
+                        *enc = evp, *md = NULL;
+               else if (s->ssl_version == TLS1_2_VERSION &&
+                        c->algorithm_enc == SSL_3DES &&
+                        c->algorithm_mac == SSL_SHA1 &&
+                        (evp=EVP_get_cipherbyname("TLS12-DES-EDE3-CBC-HMAC-SHA1")))
+                       *enc = evp, *md = NULL;
+               else if (s->ssl_version == TLS1_2_VERSION &&
+                        c->algorithm_enc == SSL_AES128 &&
+                        c->algorithm_mac == SSL_SHA1 &&
+                        (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA1")))
+                       *enc = evp, *md = NULL;
+               else if (s->ssl_version == TLS1_2_VERSION &&
+                        c->algorithm_enc == SSL_AES256 &&
+                        c->algorithm_mac == SSL_SHA1 &&
+                        (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA1")))
+                       *enc = evp, *md = NULL;
+               else if (s->ssl_version == TLS1_2_VERSION &&
+                        c->algorithm_enc == SSL_AES128 &&
+                        c->algorithm_mac == SSL_SHA256 &&
+                        (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA256")))
+                       *enc = evp, *md = NULL;
+               else if (s->ssl_version == TLS1_2_VERSION &&
+                        c->algorithm_enc == SSL_AES256 &&
+                        c->algorithm_mac == SSL_SHA256 &&
+                        (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA256")))
+                       *enc = evp, *md = NULL;
+                return(1);
+                }
+        else
+-- 
+2.3.5

diff --git a/recipes-connectivity/openssl/openssl-qoriq/qoriq/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch new file mode 100644 index 0000000..7370c49 --- /dev/null +++ b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch
@@ -0,0 +1,359 @@
	1	From a58703e6601fcfcfe69fdb3e7152ed76b40d67e9 Mon Sep 17 00:00:00 2001
	2	From: Tudor Ambarus <tudor.ambarus@freescale.com>
	3	Date: Tue, 31 Mar 2015 16:32:35 +0300
	4	Subject: [PATCH 20/26] eng_cryptodev: add support for TLSv1.2 record offload
	5
	6	Supported cipher suites:
	7	- 3des-ede-cbc-sha
	8	- aes-128-cbc-hmac-sha
	9	- aes-256-cbc-hmac-sha
	10	- aes-128-cbc-hmac-sha256
	11	- aes-256-cbc-hmac-sha256
	12
	13	Requires TLS patches on cryptodev and TLS algorithm support in Linux
	14	kernel driver.
	15
	16	Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
	17	Change-Id: I0ac6953dd62e2655a59d8f3eaefd012b7ecebf55
	18	Reviewed-on: http://git.am.freescale.net:8181/34003
	19	Reviewed-by: Cristian Stoica <cristian.stoica@freescale.com>
	20	Tested-by: Cristian Stoica <cristian.stoica@freescale.com>
	21	---
	22	crypto/engine/eng_cryptodev.c \| 123 ++++++++++++++++++++++++++++++++++++++++++
	23	crypto/objects/obj_dat.h \| 26 +++++++--
	24	crypto/objects/obj_mac.h \| 20 +++++++
	25	crypto/objects/obj_mac.num \| 5 ++
	26	crypto/objects/objects.txt \| 5 ++
	27	ssl/ssl_ciph.c \| 25 +++++++++
	28	6 files changed, 201 insertions(+), 3 deletions(-)
	29
	30	diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
	31	index f71ab27..fa5fe1b 100644
	32	--- a/crypto/engine/eng_cryptodev.c
	33	+++ b/crypto/engine/eng_cryptodev.c
	34	@@ -140,6 +140,11 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
	35	const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1;
	36	const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1;
	37	const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1;
	38	+const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1;
	39	+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1;
	40	+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1;
	41	+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256;
	42	+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256;
	43
	44	inline int spcf_bn2bin(BIGNUM bn, unsigned char bin, int bin_len)
	45	{
	46	@@ -263,6 +268,11 @@ static struct {
	47	{ CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8, 24, 20},
	48	{ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16, 20},
	49	{ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32, 20},
	50	+ { CRYPTO_TLS12_3DES_CBC_HMAC_SHA1, NID_tls12_des_ede3_cbc_hmac_sha1, 8, 24, 20},
	51	+ { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_128_cbc_hmac_sha1, 16, 16, 20},
	52	+ { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_256_cbc_hmac_sha1, 16, 32, 20},
	53	+ { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_128_cbc_hmac_sha256, 16, 16, 32},
	54	+ { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_256_cbc_hmac_sha256, 16, 32, 32},
	55	{ CRYPTO_AES_GCM, NID_aes_128_gcm, 16, 16, 0},
	56	{ 0, NID_undef, 0, 0, 0},
	57	};
	58	@@ -487,6 +497,21 @@ cryptodev_usable_ciphers(const int **nids)
	59	case NID_tls11_aes_256_cbc_hmac_sha1:
	60	EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1);
	61	break;
	62	+ case NID_tls12_des_ede3_cbc_hmac_sha1:
	63	+ EVP_add_cipher(&cryptodev_tls12_3des_cbc_hmac_sha1);
	64	+ break;
	65	+ case NID_tls12_aes_128_cbc_hmac_sha1:
	66	+ EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha1);
	67	+ break;
	68	+ case NID_tls12_aes_256_cbc_hmac_sha1:
	69	+ EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha1);
	70	+ break;
	71	+ case NID_tls12_aes_128_cbc_hmac_sha256:
	72	+ EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha256);
	73	+ break;
	74	+ case NID_tls12_aes_256_cbc_hmac_sha256:
	75	+ EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha256);
	76	+ break;
	77	}
	78	}
	79	return count;
	80	@@ -596,6 +621,11 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
	81	case NID_tls11_des_ede3_cbc_hmac_sha1:
	82	case NID_tls11_aes_128_cbc_hmac_sha1:
	83	case NID_tls11_aes_256_cbc_hmac_sha1:
	84	+ case NID_tls12_des_ede3_cbc_hmac_sha1:
	85	+ case NID_tls12_aes_128_cbc_hmac_sha1:
	86	+ case NID_tls12_aes_256_cbc_hmac_sha1:
	87	+ case NID_tls12_aes_128_cbc_hmac_sha256:
	88	+ case NID_tls12_aes_256_cbc_hmac_sha256:
	89	cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
	90	}
	91	cryp.ses = sess->ses;
	92	@@ -795,9 +825,17 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
	93	case NID_tls11_des_ede3_cbc_hmac_sha1:
	94	case NID_tls11_aes_128_cbc_hmac_sha1:
	95	case NID_tls11_aes_256_cbc_hmac_sha1:
	96	+ case NID_tls12_des_ede3_cbc_hmac_sha1:
	97	+ case NID_tls12_aes_128_cbc_hmac_sha1:
	98	+ case NID_tls12_aes_256_cbc_hmac_sha1:
	99	maclen = SHA_DIGEST_LENGTH;
	100	aad_needs_fix = true;
	101	break;
	102	+ case NID_tls12_aes_128_cbc_hmac_sha256:
	103	+ case NID_tls12_aes_256_cbc_hmac_sha256:
	104	+ maclen = SHA256_DIGEST_LENGTH;
	105	+ aad_needs_fix = true;
	106	+ break;
	107	}
	108
	109	/* Correct length for AAD Length field */
	110	@@ -1207,6 +1245,76 @@ const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = {
	111	NULL
	112	};
	113
	114	+const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1 = {
	115	+ NID_tls12_des_ede3_cbc_hmac_sha1,
	116	+ 8, 24, 8,
	117	+ EVP_CIPH_CBC_MODE \| EVP_CIPH_FLAG_AEAD_CIPHER,
	118	+ cryptodev_init_aead_key,
	119	+ cryptodev_aead_cipher,
	120	+ cryptodev_cleanup,
	121	+ sizeof(struct dev_crypto_state),
	122	+ EVP_CIPHER_set_asn1_iv,
	123	+ EVP_CIPHER_get_asn1_iv,
	124	+ cryptodev_cbc_hmac_sha1_ctrl,
	125	+ NULL
	126	+};
	127	+
	128	+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1 = {
	129	+ NID_tls12_aes_128_cbc_hmac_sha1,
	130	+ 16, 16, 16,
	131	+ EVP_CIPH_CBC_MODE \| EVP_CIPH_FLAG_AEAD_CIPHER,
	132	+ cryptodev_init_aead_key,
	133	+ cryptodev_aead_cipher,
	134	+ cryptodev_cleanup,
	135	+ sizeof(struct dev_crypto_state),
	136	+ EVP_CIPHER_set_asn1_iv,
	137	+ EVP_CIPHER_get_asn1_iv,
	138	+ cryptodev_cbc_hmac_sha1_ctrl,
	139	+ NULL
	140	+};
	141	+
	142	+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1 = {
	143	+ NID_tls12_aes_256_cbc_hmac_sha1,
	144	+ 16, 32, 16,
	145	+ EVP_CIPH_CBC_MODE \| EVP_CIPH_FLAG_AEAD_CIPHER,
	146	+ cryptodev_init_aead_key,
	147	+ cryptodev_aead_cipher,
	148	+ cryptodev_cleanup,
	149	+ sizeof(struct dev_crypto_state),
	150	+ EVP_CIPHER_set_asn1_iv,
	151	+ EVP_CIPHER_get_asn1_iv,
	152	+ cryptodev_cbc_hmac_sha1_ctrl,
	153	+ NULL
	154	+};
	155	+
	156	+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256 = {
	157	+ NID_tls12_aes_128_cbc_hmac_sha256,
	158	+ 16, 16, 16,
	159	+ EVP_CIPH_CBC_MODE \| EVP_CIPH_FLAG_AEAD_CIPHER,
	160	+ cryptodev_init_aead_key,
	161	+ cryptodev_aead_cipher,
	162	+ cryptodev_cleanup,
	163	+ sizeof(struct dev_crypto_state),
	164	+ EVP_CIPHER_set_asn1_iv,
	165	+ EVP_CIPHER_get_asn1_iv,
	166	+ cryptodev_cbc_hmac_sha1_ctrl,
	167	+ NULL
	168	+};
	169	+
	170	+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256 = {
	171	+ NID_tls12_aes_256_cbc_hmac_sha256,
	172	+ 16, 32, 16,
	173	+ EVP_CIPH_CBC_MODE \| EVP_CIPH_FLAG_AEAD_CIPHER,
	174	+ cryptodev_init_aead_key,
	175	+ cryptodev_aead_cipher,
	176	+ cryptodev_cleanup,
	177	+ sizeof(struct dev_crypto_state),
	178	+ EVP_CIPHER_set_asn1_iv,
	179	+ EVP_CIPHER_get_asn1_iv,
	180	+ cryptodev_cbc_hmac_sha1_ctrl,
	181	+ NULL
	182	+};
	183	+
	184	const EVP_CIPHER cryptodev_aes_128_gcm = {
	185	NID_aes_128_gcm,
	186	1, 16, 12,
	187	@@ -1281,6 +1389,21 @@ cryptodev_engine_ciphers(ENGINE e, const EVP_CIPHER *cipher,
	188	case NID_tls11_aes_256_cbc_hmac_sha1:
	189	*cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1;
	190	break;
	191	+ case NID_tls12_des_ede3_cbc_hmac_sha1:
	192	+ *cipher = &cryptodev_tls12_3des_cbc_hmac_sha1;
	193	+ break;
	194	+ case NID_tls12_aes_128_cbc_hmac_sha1:
	195	+ *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha1;
	196	+ break;
	197	+ case NID_tls12_aes_256_cbc_hmac_sha1:
	198	+ *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha1;
	199	+ break;
	200	+ case NID_tls12_aes_128_cbc_hmac_sha256:
	201	+ *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha256;
	202	+ break;
	203	+ case NID_tls12_aes_256_cbc_hmac_sha256:
	204	+ *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha256;
	205	+ break;
	206	default:
	207	*cipher = NULL;
	208	break;
	209	diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
	210	index dc89b0a..dfe19da 100644
	211	--- a/crypto/objects/obj_dat.h
	212	+++ b/crypto/objects/obj_dat.h
	213	@@ -62,9 +62,9 @@
	214	* [including the GNU Public Licence.]
	215	*/
	216
	217	-#define NUM_NID 924
	218	-#define NUM_SN 917
	219	-#define NUM_LN 917
	220	+#define NUM_NID 929
	221	+#define NUM_SN 922
	222	+#define NUM_LN 922
	223	#define NUM_OBJ 857
	224
	225	static const unsigned char lvalues[5974]={
	226	@@ -2407,6 +2407,16 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
	227	NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0},
	228	{"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1",
	229	NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0},
	230	+{"TLS12-DES-EDE3-CBC-HMAC-SHA1","tls12-des-ede3-cbc-hmac-sha1",
	231	+ NID_tls12_des_ede3_cbc_hmac_sha1,0,NULL,0},
	232	+{"TLS12-AES-128-CBC-HMAC-SHA1","tls12-aes-128-cbc-hmac-sha1",
	233	+ NID_tls12_aes_128_cbc_hmac_sha1,0,NULL,0},
	234	+{"TLS12-AES-256-CBC-HMAC-SHA1","tls12-aes-256-cbc-hmac-sha1",
	235	+ NID_tls12_aes_256_cbc_hmac_sha1,0,NULL,0},
	236	+{"TLS12-AES-128-CBC-HMAC-SHA256","tls12-aes-128-cbc-hmac-sha256",
	237	+ NID_tls12_aes_128_cbc_hmac_sha256,0,NULL,0},
	238	+{"TLS12-AES-256-CBC-HMAC-SHA256","tls12-aes-256-cbc-hmac-sha256",
	239	+ NID_tls12_aes_256_cbc_hmac_sha256,0,NULL,0},
	240	};
	241
	242	static const unsigned int sn_objs[NUM_SN]={
	243	@@ -2595,6 +2605,11 @@ static const unsigned int sn_objs[NUM_SN]={
	244	922, /* "TLS11-AES-128-CBC-HMAC-SHA1" */
	245	923, /* "TLS11-AES-256-CBC-HMAC-SHA1" */
	246	921, /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */
	247	+925, /* "TLS12-AES-128-CBC-HMAC-SHA1" */
	248	+927, /* "TLS12-AES-128-CBC-HMAC-SHA256" */
	249	+926, /* "TLS12-AES-256-CBC-HMAC-SHA1" */
	250	+928, /* "TLS12-AES-256-CBC-HMAC-SHA256" */
	251	+924, /* "TLS12-DES-EDE3-CBC-HMAC-SHA1" */
	252	458, /* "UID" */
	253	0, /* "UNDEF" */
	254	11, /* "X500" */
	255	@@ -4217,6 +4232,11 @@ static const unsigned int ln_objs[NUM_LN]={
	256	922, /* "tls11-aes-128-cbc-hmac-sha1" */
	257	923, /* "tls11-aes-256-cbc-hmac-sha1" */
	258	921, /* "tls11-des-ede3-cbc-hmac-sha1" */
	259	+925, /* "tls12-aes-128-cbc-hmac-sha1" */
	260	+927, /* "tls12-aes-128-cbc-hmac-sha256" */
	261	+926, /* "tls12-aes-256-cbc-hmac-sha1" */
	262	+928, /* "tls12-aes-256-cbc-hmac-sha256" */
	263	+924, /* "tls12-des-ede3-cbc-hmac-sha1" */
	264	682, /* "tpBasis" */
	265	436, /* "ucl" */
	266	0, /* "undefined" */
	267	diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
	268	index f181890..5af125e 100644
	269	--- a/crypto/objects/obj_mac.h
	270	+++ b/crypto/objects/obj_mac.h
	271	@@ -4046,3 +4046,23 @@
	272	#define LN_tls11_aes_256_cbc_hmac_sha1 "tls11-aes-256-cbc-hmac-sha1"
	273	#define NID_tls11_aes_256_cbc_hmac_sha1 923
	274
	275	+#define SN_tls12_des_ede3_cbc_hmac_sha1 "TLS12-DES-EDE3-CBC-HMAC-SHA1"
	276	+#define LN_tls12_des_ede3_cbc_hmac_sha1 "tls12-des-ede3-cbc-hmac-sha1"
	277	+#define NID_tls12_des_ede3_cbc_hmac_sha1 924
	278	+
	279	+#define SN_tls12_aes_128_cbc_hmac_sha1 "TLS12-AES-128-CBC-HMAC-SHA1"
	280	+#define LN_tls12_aes_128_cbc_hmac_sha1 "tls12-aes-128-cbc-hmac-sha1"
	281	+#define NID_tls12_aes_128_cbc_hmac_sha1 925
	282	+
	283	+#define SN_tls12_aes_256_cbc_hmac_sha1 "TLS12-AES-256-CBC-HMAC-SHA1"
	284	+#define LN_tls12_aes_256_cbc_hmac_sha1 "tls12-aes-256-cbc-hmac-sha1"
	285	+#define NID_tls12_aes_256_cbc_hmac_sha1 926
	286	+
	287	+#define SN_tls12_aes_128_cbc_hmac_sha256 "TLS12-AES-128-CBC-HMAC-SHA256"
	288	+#define LN_tls12_aes_128_cbc_hmac_sha256 "tls12-aes-128-cbc-hmac-sha256"
	289	+#define NID_tls12_aes_128_cbc_hmac_sha256 927
	290	+
	291	+#define SN_tls12_aes_256_cbc_hmac_sha256 "TLS12-AES-256-CBC-HMAC-SHA256"
	292	+#define LN_tls12_aes_256_cbc_hmac_sha256 "tls12-aes-256-cbc-hmac-sha256"
	293	+#define NID_tls12_aes_256_cbc_hmac_sha256 928
	294	+
	295	diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
	296	index a02b58c..deeba3a 100644
	297	--- a/crypto/objects/obj_mac.num
	298	+++ b/crypto/objects/obj_mac.num
	299	@@ -921,3 +921,8 @@ des_ede3_cbc_hmac_sha1 920
	300	tls11_des_ede3_cbc_hmac_sha1 921
	301	tls11_aes_128_cbc_hmac_sha1 922
	302	tls11_aes_256_cbc_hmac_sha1 923
	303	+tls12_des_ede3_cbc_hmac_sha1 924
	304	+tls12_aes_128_cbc_hmac_sha1 925
	305	+tls12_aes_256_cbc_hmac_sha1 926
	306	+tls12_aes_128_cbc_hmac_sha256 927
	307	+tls12_aes_256_cbc_hmac_sha256 928
	308	diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
	309	index 1973658..6e4ac93 100644
	310	--- a/crypto/objects/objects.txt
	311	+++ b/crypto/objects/objects.txt
	312	@@ -1294,3 +1294,8 @@ kisa 1 6 : SEED-OFB : seed-ofb
	313	: TLS11-DES-EDE3-CBC-HMAC-SHA1 : tls11-des-ede3-cbc-hmac-sha1
	314	: TLS11-AES-128-CBC-HMAC-SHA1 : tls11-aes-128-cbc-hmac-sha1
	315	: TLS11-AES-256-CBC-HMAC-SHA1 : tls11-aes-256-cbc-hmac-sha1
	316	+ : TLS12-DES-EDE3-CBC-HMAC-SHA1 : tls12-des-ede3-cbc-hmac-sha1
	317	+ : TLS12-AES-128-CBC-HMAC-SHA1 : tls12-aes-128-cbc-hmac-sha1
	318	+ : TLS12-AES-256-CBC-HMAC-SHA1 : tls12-aes-256-cbc-hmac-sha1
	319	+ : TLS12-AES-128-CBC-HMAC-SHA256 : tls12-aes-128-cbc-hmac-sha256
	320	+ : TLS12-AES-256-CBC-HMAC-SHA256 : tls12-aes-256-cbc-hmac-sha256
	321	diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
	322	index 0408986..77a82f6 100644
	323	--- a/ssl/ssl_ciph.c
	324	+++ b/ssl/ssl_ciph.c
	325	@@ -661,6 +661,31 @@ int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
	326	c->algorithm_mac == SSL_SHA1 &&
	327	(evp=EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1")))
	328	enc = evp, md = NULL;
	329	+ else if (s->ssl_version == TLS1_2_VERSION &&
	330	+ c->algorithm_enc == SSL_3DES &&
	331	+ c->algorithm_mac == SSL_SHA1 &&
	332	+ (evp=EVP_get_cipherbyname("TLS12-DES-EDE3-CBC-HMAC-SHA1")))
	333	+ enc = evp, md = NULL;
	334	+ else if (s->ssl_version == TLS1_2_VERSION &&
	335	+ c->algorithm_enc == SSL_AES128 &&
	336	+ c->algorithm_mac == SSL_SHA1 &&
	337	+ (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA1")))
	338	+ enc = evp, md = NULL;
	339	+ else if (s->ssl_version == TLS1_2_VERSION &&
	340	+ c->algorithm_enc == SSL_AES256 &&
	341	+ c->algorithm_mac == SSL_SHA1 &&
	342	+ (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA1")))
	343	+ enc = evp, md = NULL;
	344	+ else if (s->ssl_version == TLS1_2_VERSION &&
	345	+ c->algorithm_enc == SSL_AES128 &&
	346	+ c->algorithm_mac == SSL_SHA256 &&
	347	+ (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA256")))
	348	+ enc = evp, md = NULL;
	349	+ else if (s->ssl_version == TLS1_2_VERSION &&
	350	+ c->algorithm_enc == SSL_AES256 &&
	351	+ c->algorithm_mac == SSL_SHA256 &&
	352	+ (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA256")))
	353	+ enc = evp, md = NULL;
	354	return(1);
	355	}
	356	else
	357	--
	358	2.3.5
	359