From 4cc0cf8255a3726fe3f6cbbe1a877fe2fab7edc6 Mon Sep 17 00:00:00 2001 From: Ting Liu Date: Wed, 29 Jul 2015 18:11:18 -0300 Subject: openssl: rename to openssl-qoriq The QorIQ version of openssl needs to use another recipe name and have a common provider, which is than choosen for QorIQ-based machines. The recipe is now called 'openssl-qoriq' and it provides openssl so the preferrence is set just for QorIQ based machines. Signed-off-by: Ting Liu --- ...ev-add-support-for-TLS-algorithms-offload.patch | 317 +++++++++++++++++++++ 1 file changed, 317 insertions(+) create mode 100644 recipes-connectivity/openssl/openssl-qoriq/qoriq/0002-eng_cryptodev-add-support-for-TLS-algorithms-offload.patch (limited to 'recipes-connectivity/openssl/openssl-qoriq/qoriq/0002-eng_cryptodev-add-support-for-TLS-algorithms-offload.patch') diff --git a/recipes-connectivity/openssl/openssl-qoriq/qoriq/0002-eng_cryptodev-add-support-for-TLS-algorithms-offload.patch b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0002-eng_cryptodev-add-support-for-TLS-algorithms-offload.patch new file mode 100644 index 0000000..ab2b7ea --- /dev/null +++ b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0002-eng_cryptodev-add-support-for-TLS-algorithms-offload.patch @@ -0,0 +1,317 @@ +From dfd6ba263dc25ea2a4bbc32448b24ca2b1fc40e8 Mon Sep 17 00:00:00 2001 +From: Cristian Stoica +Date: Thu, 29 Aug 2013 16:51:18 +0300 +Subject: [PATCH 02/26] eng_cryptodev: add support for TLS algorithms offload + +- aes-128-cbc-hmac-sha1 +- aes-256-cbc-hmac-sha1 + +Requires TLS patches on cryptodev and TLS algorithm support in Linux +kernel driver. + +Change-Id: I43048caa348414daddd6c1a5cdc55e769ac1945f +Signed-off-by: Cristian Stoica +Reviewed-on: http://git.am.freescale.net:8181/17223 +--- + crypto/engine/eng_cryptodev.c | 222 +++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 211 insertions(+), 11 deletions(-) + +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index 5a715ac..7588a28 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -72,6 +72,9 @@ ENGINE_load_cryptodev(void) + struct dev_crypto_state { + struct session_op d_sess; + int d_fd; ++ unsigned char *aad; ++ unsigned int aad_len; ++ unsigned int len; + + #ifdef USE_CRYPTODEV_DIGESTS + char dummy_mac_key[HASH_MAX_LEN]; +@@ -140,17 +143,20 @@ static struct { + int nid; + int ivmax; + int keylen; ++ int mackeylen; + } ciphers[] = { +- { CRYPTO_ARC4, NID_rc4, 0, 16, }, +- { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, }, +- { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, }, +- { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, }, +- { CRYPTO_AES_CBC, NID_aes_192_cbc, 16, 24, }, +- { CRYPTO_AES_CBC, NID_aes_256_cbc, 16, 32, }, +- { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, }, +- { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, }, +- { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, }, +- { 0, NID_undef, 0, 0, }, ++ { CRYPTO_ARC4, NID_rc4, 0, 16, 0}, ++ { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, 0}, ++ { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, 0}, ++ { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, 0}, ++ { CRYPTO_AES_CBC, NID_aes_192_cbc, 16, 24, 0}, ++ { CRYPTO_AES_CBC, NID_aes_256_cbc, 16, 32, 0}, ++ { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, 0}, ++ { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, 0}, ++ { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, 0}, ++ { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_128_cbc_hmac_sha1, 16, 16, 20}, ++ { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20}, ++ { 0, NID_undef, 0, 0, 0}, + }; + + #ifdef USE_CRYPTODEV_DIGESTS +@@ -250,13 +256,15 @@ get_cryptodev_ciphers(const int **cnids) + } + memset(&sess, 0, sizeof(sess)); + sess.key = (caddr_t)"123456789abcdefghijklmno"; ++ sess.mackey = (caddr_t)"123456789ABCDEFGHIJKLMNO"; + + for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { + if (ciphers[i].nid == NID_undef) + continue; + sess.cipher = ciphers[i].id; + sess.keylen = ciphers[i].keylen; +- sess.mac = 0; ++ sess.mackeylen = ciphers[i].mackeylen; ++ + if (ioctl(fd, CIOCGSESSION, &sess) != -1 && + ioctl(fd, CIOCFSESSION, &sess.ses) != -1) + nids[count++] = ciphers[i].nid; +@@ -414,6 +422,67 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + return (1); + } + ++ ++static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t len) ++{ ++ struct crypt_auth_op cryp; ++ struct dev_crypto_state *state = ctx->cipher_data; ++ struct session_op *sess = &state->d_sess; ++ const void *iiv; ++ unsigned char save_iv[EVP_MAX_IV_LENGTH]; ++ ++ if (state->d_fd < 0) ++ return (0); ++ if (!len) ++ return (1); ++ if ((len % ctx->cipher->block_size) != 0) ++ return (0); ++ ++ memset(&cryp, 0, sizeof(cryp)); ++ ++ /* TODO: make a seamless integration with cryptodev flags */ ++ switch (ctx->cipher->nid) { ++ case NID_aes_128_cbc_hmac_sha1: ++ case NID_aes_256_cbc_hmac_sha1: ++ cryp.flags = COP_FLAG_AEAD_TLS_TYPE; ++ } ++ cryp.ses = sess->ses; ++ cryp.len = state->len; ++ cryp.src = (caddr_t) in; ++ cryp.dst = (caddr_t) out; ++ cryp.auth_src = state->aad; ++ cryp.auth_len = state->aad_len; ++ ++ cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT; ++ ++ if (ctx->cipher->iv_len) { ++ cryp.iv = (caddr_t) ctx->iv; ++ if (!ctx->encrypt) { ++ iiv = in + len - ctx->cipher->iv_len; ++ memcpy(save_iv, iiv, ctx->cipher->iv_len); ++ } ++ } else ++ cryp.iv = NULL; ++ ++ if (ioctl(state->d_fd, CIOCAUTHCRYPT, &cryp) == -1) { ++ /* XXX need better errror handling ++ * this can fail for a number of different reasons. ++ */ ++ return (0); ++ } ++ ++ if (ctx->cipher->iv_len) { ++ if (ctx->encrypt) ++ iiv = out + len - ctx->cipher->iv_len; ++ else ++ iiv = save_iv; ++ memcpy(ctx->iv, iiv, ctx->cipher->iv_len); ++ } ++ return (1); ++} ++ ++ + static int + cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +@@ -452,6 +521,45 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + return (1); + } + ++/* Save the encryption key provided by upper layers. ++ * ++ * This function is called by EVP_CipherInit_ex to initialize the algorithm's ++ * extra data. We can't do much here because the mac key is not available. ++ * The next call should/will be to cryptodev_cbc_hmac_sha1_ctrl with parameter ++ * EVP_CTRL_AEAD_SET_MAC_KEY, to set the hmac key. There we call CIOCGSESSION ++ * with both the crypto and hmac keys. ++ */ ++static int cryptodev_init_aead_key(EVP_CIPHER_CTX *ctx, ++ const unsigned char *key, const unsigned char *iv, int enc) ++{ ++ struct dev_crypto_state *state = ctx->cipher_data; ++ struct session_op *sess = &state->d_sess; ++ int cipher = -1, i; ++ ++ for (i = 0; ciphers[i].id; i++) ++ if (ctx->cipher->nid == ciphers[i].nid && ++ ctx->cipher->iv_len <= ciphers[i].ivmax && ++ ctx->key_len == ciphers[i].keylen) { ++ cipher = ciphers[i].id; ++ break; ++ } ++ ++ if (!ciphers[i].id) { ++ state->d_fd = -1; ++ return (0); ++ } ++ ++ memset(sess, 0, sizeof(struct session_op)); ++ ++ sess->key = (caddr_t)key; ++ sess->keylen = ctx->key_len; ++ sess->cipher = cipher; ++ ++ /* for whatever reason, (1) means success */ ++ return (1); ++} ++ ++ + /* + * free anything we allocated earlier when initting a + * session, and close the session. +@@ -488,6 +596,63 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx) + return (ret); + } + ++static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, ++ void *ptr) ++{ ++ switch (type) { ++ case EVP_CTRL_AEAD_SET_MAC_KEY: ++ { ++ /* TODO: what happens with hmac keys larger than 64 bytes? */ ++ struct dev_crypto_state *state = ctx->cipher_data; ++ struct session_op *sess = &state->d_sess; ++ ++ if ((state->d_fd = get_dev_crypto()) < 0) ++ return (0); ++ ++ /* the rest should have been set in cryptodev_init_aead_key */ ++ sess->mackey = ptr; ++ sess->mackeylen = arg; ++ ++ if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) { ++ put_dev_crypto(state->d_fd); ++ state->d_fd = -1; ++ return (0); ++ } ++ return (1); ++ } ++ case EVP_CTRL_AEAD_TLS1_AAD: ++ { ++ /* ptr points to the associated data buffer of 13 bytes */ ++ struct dev_crypto_state *state = ctx->cipher_data; ++ unsigned char *p = ptr; ++ unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1]; ++ unsigned int maclen, padlen; ++ unsigned int bs = ctx->cipher->block_size; ++ ++ state->aad = ptr; ++ state->aad_len = arg; ++ state->len = cryptlen; ++ ++ /* TODO: this should be an extension of EVP_CIPHER struct */ ++ switch (ctx->cipher->nid) { ++ case NID_aes_128_cbc_hmac_sha1: ++ case NID_aes_256_cbc_hmac_sha1: ++ maclen = SHA_DIGEST_LENGTH; ++ } ++ ++ /* space required for encryption (not only TLS padding) */ ++ padlen = maclen; ++ if (ctx->encrypt) { ++ cryptlen += maclen; ++ padlen += bs - (cryptlen % bs); ++ } ++ return padlen; ++ } ++ default: ++ return -1; ++ } ++} ++ + /* + * libcrypto EVP stuff - this is how we get wired to EVP so the engine + * gets called when libcrypto requests a cipher NID. +@@ -600,6 +765,33 @@ const EVP_CIPHER cryptodev_aes_256_cbc = { + NULL + }; + ++const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1 = { ++ NID_aes_128_cbc_hmac_sha1, ++ 16, 16, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ cryptodev_init_aead_key, ++ cryptodev_aead_cipher, ++ cryptodev_cleanup, ++ sizeof(struct dev_crypto_state), ++ EVP_CIPHER_set_asn1_iv, ++ EVP_CIPHER_get_asn1_iv, ++ cryptodev_cbc_hmac_sha1_ctrl, ++ NULL ++}; ++ ++const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1 = { ++ NID_aes_256_cbc_hmac_sha1, ++ 16, 32, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ cryptodev_init_aead_key, ++ cryptodev_aead_cipher, ++ cryptodev_cleanup, ++ sizeof(struct dev_crypto_state), ++ EVP_CIPHER_set_asn1_iv, ++ EVP_CIPHER_get_asn1_iv, ++ cryptodev_cbc_hmac_sha1_ctrl, ++ NULL ++}; + /* + * Registered by the ENGINE when used to find out how to deal with + * a particular NID in the ENGINE. this says what we'll do at the +@@ -637,6 +829,12 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + case NID_aes_256_cbc: + *cipher = &cryptodev_aes_256_cbc; + break; ++ case NID_aes_128_cbc_hmac_sha1: ++ *cipher = &cryptodev_aes_128_cbc_hmac_sha1; ++ break; ++ case NID_aes_256_cbc_hmac_sha1: ++ *cipher = &cryptodev_aes_256_cbc_hmac_sha1; ++ break; + default: + *cipher = NULL; + break; +@@ -1384,6 +1582,8 @@ ENGINE_load_cryptodev(void) + } + put_dev_crypto(fd); + ++ EVP_add_cipher(&cryptodev_aes_128_cbc_hmac_sha1); ++ EVP_add_cipher(&cryptodev_aes_256_cbc_hmac_sha1); + if (!ENGINE_set_id(engine, "cryptodev") || + !ENGINE_set_name(engine, "BSD cryptodev engine") || + !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) || +-- +2.3.5 + -- cgit v1.2.3-54-g00ecf