From 84cb2cc407cf85459fb463be2aabedd4f12ade77 Mon Sep 17 00:00:00 2001 From: Cristian Stoica Date: Mon, 25 Jan 2016 13:33:46 +0200 Subject: openssl-qoriq: upgrade to 1.0.2h plus fsl patches upstream recipe extended with patches from fsl and CIOCHASH feature. Signed-off-by: Cristian Stoica --- ...ev-add-support-for-TLSv1.2-record-offload.patch | 359 --------------------- 1 file changed, 359 deletions(-) delete mode 100644 recipes-connectivity/openssl/openssl-qoriq/qoriq/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch (limited to 'recipes-connectivity/openssl/openssl-qoriq/qoriq/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch') diff --git a/recipes-connectivity/openssl/openssl-qoriq/qoriq/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch b/recipes-connectivity/openssl/openssl-qoriq/qoriq/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch deleted file mode 100644 index 7370c49..0000000 --- a/recipes-connectivity/openssl/openssl-qoriq/qoriq/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch +++ /dev/null @@ -1,359 +0,0 @@ -From a58703e6601fcfcfe69fdb3e7152ed76b40d67e9 Mon Sep 17 00:00:00 2001 -From: Tudor Ambarus -Date: Tue, 31 Mar 2015 16:32:35 +0300 -Subject: [PATCH 20/26] eng_cryptodev: add support for TLSv1.2 record offload - -Supported cipher suites: -- 3des-ede-cbc-sha -- aes-128-cbc-hmac-sha -- aes-256-cbc-hmac-sha -- aes-128-cbc-hmac-sha256 -- aes-256-cbc-hmac-sha256 - -Requires TLS patches on cryptodev and TLS algorithm support in Linux -kernel driver. - -Signed-off-by: Tudor Ambarus -Change-Id: I0ac6953dd62e2655a59d8f3eaefd012b7ecebf55 -Reviewed-on: http://git.am.freescale.net:8181/34003 -Reviewed-by: Cristian Stoica -Tested-by: Cristian Stoica ---- - crypto/engine/eng_cryptodev.c | 123 ++++++++++++++++++++++++++++++++++++++++++ - crypto/objects/obj_dat.h | 26 +++++++-- - crypto/objects/obj_mac.h | 20 +++++++ - crypto/objects/obj_mac.num | 5 ++ - crypto/objects/objects.txt | 5 ++ - ssl/ssl_ciph.c | 25 +++++++++ - 6 files changed, 201 insertions(+), 3 deletions(-) - -diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c -index f71ab27..fa5fe1b 100644 ---- a/crypto/engine/eng_cryptodev.c -+++ b/crypto/engine/eng_cryptodev.c -@@ -140,6 +140,11 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1; - const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1; - const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1; - const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1; -+const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1; -+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1; -+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1; -+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256; -+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256; - - inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin, int *bin_len) - { -@@ -263,6 +268,11 @@ static struct { - { CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8, 24, 20}, - { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16, 20}, - { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32, 20}, -+ { CRYPTO_TLS12_3DES_CBC_HMAC_SHA1, NID_tls12_des_ede3_cbc_hmac_sha1, 8, 24, 20}, -+ { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_128_cbc_hmac_sha1, 16, 16, 20}, -+ { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_256_cbc_hmac_sha1, 16, 32, 20}, -+ { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_128_cbc_hmac_sha256, 16, 16, 32}, -+ { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_256_cbc_hmac_sha256, 16, 32, 32}, - { CRYPTO_AES_GCM, NID_aes_128_gcm, 16, 16, 0}, - { 0, NID_undef, 0, 0, 0}, - }; -@@ -487,6 +497,21 @@ cryptodev_usable_ciphers(const int **nids) - case NID_tls11_aes_256_cbc_hmac_sha1: - EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1); - break; -+ case NID_tls12_des_ede3_cbc_hmac_sha1: -+ EVP_add_cipher(&cryptodev_tls12_3des_cbc_hmac_sha1); -+ break; -+ case NID_tls12_aes_128_cbc_hmac_sha1: -+ EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha1); -+ break; -+ case NID_tls12_aes_256_cbc_hmac_sha1: -+ EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha1); -+ break; -+ case NID_tls12_aes_128_cbc_hmac_sha256: -+ EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha256); -+ break; -+ case NID_tls12_aes_256_cbc_hmac_sha256: -+ EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha256); -+ break; - } - } - return count; -@@ -596,6 +621,11 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - case NID_tls11_des_ede3_cbc_hmac_sha1: - case NID_tls11_aes_128_cbc_hmac_sha1: - case NID_tls11_aes_256_cbc_hmac_sha1: -+ case NID_tls12_des_ede3_cbc_hmac_sha1: -+ case NID_tls12_aes_128_cbc_hmac_sha1: -+ case NID_tls12_aes_256_cbc_hmac_sha1: -+ case NID_tls12_aes_128_cbc_hmac_sha256: -+ case NID_tls12_aes_256_cbc_hmac_sha256: - cryp.flags = COP_FLAG_AEAD_TLS_TYPE; - } - cryp.ses = sess->ses; -@@ -795,9 +825,17 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, - case NID_tls11_des_ede3_cbc_hmac_sha1: - case NID_tls11_aes_128_cbc_hmac_sha1: - case NID_tls11_aes_256_cbc_hmac_sha1: -+ case NID_tls12_des_ede3_cbc_hmac_sha1: -+ case NID_tls12_aes_128_cbc_hmac_sha1: -+ case NID_tls12_aes_256_cbc_hmac_sha1: - maclen = SHA_DIGEST_LENGTH; - aad_needs_fix = true; - break; -+ case NID_tls12_aes_128_cbc_hmac_sha256: -+ case NID_tls12_aes_256_cbc_hmac_sha256: -+ maclen = SHA256_DIGEST_LENGTH; -+ aad_needs_fix = true; -+ break; - } - - /* Correct length for AAD Length field */ -@@ -1207,6 +1245,76 @@ const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = { - NULL - }; - -+const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1 = { -+ NID_tls12_des_ede3_cbc_hmac_sha1, -+ 8, 24, 8, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, -+ cryptodev_init_aead_key, -+ cryptodev_aead_cipher, -+ cryptodev_cleanup, -+ sizeof(struct dev_crypto_state), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ cryptodev_cbc_hmac_sha1_ctrl, -+ NULL -+}; -+ -+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1 = { -+ NID_tls12_aes_128_cbc_hmac_sha1, -+ 16, 16, 16, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, -+ cryptodev_init_aead_key, -+ cryptodev_aead_cipher, -+ cryptodev_cleanup, -+ sizeof(struct dev_crypto_state), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ cryptodev_cbc_hmac_sha1_ctrl, -+ NULL -+}; -+ -+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1 = { -+ NID_tls12_aes_256_cbc_hmac_sha1, -+ 16, 32, 16, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, -+ cryptodev_init_aead_key, -+ cryptodev_aead_cipher, -+ cryptodev_cleanup, -+ sizeof(struct dev_crypto_state), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ cryptodev_cbc_hmac_sha1_ctrl, -+ NULL -+}; -+ -+const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256 = { -+ NID_tls12_aes_128_cbc_hmac_sha256, -+ 16, 16, 16, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, -+ cryptodev_init_aead_key, -+ cryptodev_aead_cipher, -+ cryptodev_cleanup, -+ sizeof(struct dev_crypto_state), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ cryptodev_cbc_hmac_sha1_ctrl, -+ NULL -+}; -+ -+const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256 = { -+ NID_tls12_aes_256_cbc_hmac_sha256, -+ 16, 32, 16, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, -+ cryptodev_init_aead_key, -+ cryptodev_aead_cipher, -+ cryptodev_cleanup, -+ sizeof(struct dev_crypto_state), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ cryptodev_cbc_hmac_sha1_ctrl, -+ NULL -+}; -+ - const EVP_CIPHER cryptodev_aes_128_gcm = { - NID_aes_128_gcm, - 1, 16, 12, -@@ -1281,6 +1389,21 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, - case NID_tls11_aes_256_cbc_hmac_sha1: - *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1; - break; -+ case NID_tls12_des_ede3_cbc_hmac_sha1: -+ *cipher = &cryptodev_tls12_3des_cbc_hmac_sha1; -+ break; -+ case NID_tls12_aes_128_cbc_hmac_sha1: -+ *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha1; -+ break; -+ case NID_tls12_aes_256_cbc_hmac_sha1: -+ *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha1; -+ break; -+ case NID_tls12_aes_128_cbc_hmac_sha256: -+ *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha256; -+ break; -+ case NID_tls12_aes_256_cbc_hmac_sha256: -+ *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha256; -+ break; - default: - *cipher = NULL; - break; -diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h -index dc89b0a..dfe19da 100644 ---- a/crypto/objects/obj_dat.h -+++ b/crypto/objects/obj_dat.h -@@ -62,9 +62,9 @@ - * [including the GNU Public Licence.] - */ - --#define NUM_NID 924 --#define NUM_SN 917 --#define NUM_LN 917 -+#define NUM_NID 929 -+#define NUM_SN 922 -+#define NUM_LN 922 - #define NUM_OBJ 857 - - static const unsigned char lvalues[5974]={ -@@ -2407,6 +2407,16 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ - NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0}, - {"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1", - NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0}, -+{"TLS12-DES-EDE3-CBC-HMAC-SHA1","tls12-des-ede3-cbc-hmac-sha1", -+ NID_tls12_des_ede3_cbc_hmac_sha1,0,NULL,0}, -+{"TLS12-AES-128-CBC-HMAC-SHA1","tls12-aes-128-cbc-hmac-sha1", -+ NID_tls12_aes_128_cbc_hmac_sha1,0,NULL,0}, -+{"TLS12-AES-256-CBC-HMAC-SHA1","tls12-aes-256-cbc-hmac-sha1", -+ NID_tls12_aes_256_cbc_hmac_sha1,0,NULL,0}, -+{"TLS12-AES-128-CBC-HMAC-SHA256","tls12-aes-128-cbc-hmac-sha256", -+ NID_tls12_aes_128_cbc_hmac_sha256,0,NULL,0}, -+{"TLS12-AES-256-CBC-HMAC-SHA256","tls12-aes-256-cbc-hmac-sha256", -+ NID_tls12_aes_256_cbc_hmac_sha256,0,NULL,0}, - }; - - static const unsigned int sn_objs[NUM_SN]={ -@@ -2595,6 +2605,11 @@ static const unsigned int sn_objs[NUM_SN]={ - 922, /* "TLS11-AES-128-CBC-HMAC-SHA1" */ - 923, /* "TLS11-AES-256-CBC-HMAC-SHA1" */ - 921, /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */ -+925, /* "TLS12-AES-128-CBC-HMAC-SHA1" */ -+927, /* "TLS12-AES-128-CBC-HMAC-SHA256" */ -+926, /* "TLS12-AES-256-CBC-HMAC-SHA1" */ -+928, /* "TLS12-AES-256-CBC-HMAC-SHA256" */ -+924, /* "TLS12-DES-EDE3-CBC-HMAC-SHA1" */ - 458, /* "UID" */ - 0, /* "UNDEF" */ - 11, /* "X500" */ -@@ -4217,6 +4232,11 @@ static const unsigned int ln_objs[NUM_LN]={ - 922, /* "tls11-aes-128-cbc-hmac-sha1" */ - 923, /* "tls11-aes-256-cbc-hmac-sha1" */ - 921, /* "tls11-des-ede3-cbc-hmac-sha1" */ -+925, /* "tls12-aes-128-cbc-hmac-sha1" */ -+927, /* "tls12-aes-128-cbc-hmac-sha256" */ -+926, /* "tls12-aes-256-cbc-hmac-sha1" */ -+928, /* "tls12-aes-256-cbc-hmac-sha256" */ -+924, /* "tls12-des-ede3-cbc-hmac-sha1" */ - 682, /* "tpBasis" */ - 436, /* "ucl" */ - 0, /* "undefined" */ -diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h -index f181890..5af125e 100644 ---- a/crypto/objects/obj_mac.h -+++ b/crypto/objects/obj_mac.h -@@ -4046,3 +4046,23 @@ - #define LN_tls11_aes_256_cbc_hmac_sha1 "tls11-aes-256-cbc-hmac-sha1" - #define NID_tls11_aes_256_cbc_hmac_sha1 923 - -+#define SN_tls12_des_ede3_cbc_hmac_sha1 "TLS12-DES-EDE3-CBC-HMAC-SHA1" -+#define LN_tls12_des_ede3_cbc_hmac_sha1 "tls12-des-ede3-cbc-hmac-sha1" -+#define NID_tls12_des_ede3_cbc_hmac_sha1 924 -+ -+#define SN_tls12_aes_128_cbc_hmac_sha1 "TLS12-AES-128-CBC-HMAC-SHA1" -+#define LN_tls12_aes_128_cbc_hmac_sha1 "tls12-aes-128-cbc-hmac-sha1" -+#define NID_tls12_aes_128_cbc_hmac_sha1 925 -+ -+#define SN_tls12_aes_256_cbc_hmac_sha1 "TLS12-AES-256-CBC-HMAC-SHA1" -+#define LN_tls12_aes_256_cbc_hmac_sha1 "tls12-aes-256-cbc-hmac-sha1" -+#define NID_tls12_aes_256_cbc_hmac_sha1 926 -+ -+#define SN_tls12_aes_128_cbc_hmac_sha256 "TLS12-AES-128-CBC-HMAC-SHA256" -+#define LN_tls12_aes_128_cbc_hmac_sha256 "tls12-aes-128-cbc-hmac-sha256" -+#define NID_tls12_aes_128_cbc_hmac_sha256 927 -+ -+#define SN_tls12_aes_256_cbc_hmac_sha256 "TLS12-AES-256-CBC-HMAC-SHA256" -+#define LN_tls12_aes_256_cbc_hmac_sha256 "tls12-aes-256-cbc-hmac-sha256" -+#define NID_tls12_aes_256_cbc_hmac_sha256 928 -+ -diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num -index a02b58c..deeba3a 100644 ---- a/crypto/objects/obj_mac.num -+++ b/crypto/objects/obj_mac.num -@@ -921,3 +921,8 @@ des_ede3_cbc_hmac_sha1 920 - tls11_des_ede3_cbc_hmac_sha1 921 - tls11_aes_128_cbc_hmac_sha1 922 - tls11_aes_256_cbc_hmac_sha1 923 -+tls12_des_ede3_cbc_hmac_sha1 924 -+tls12_aes_128_cbc_hmac_sha1 925 -+tls12_aes_256_cbc_hmac_sha1 926 -+tls12_aes_128_cbc_hmac_sha256 927 -+tls12_aes_256_cbc_hmac_sha256 928 -diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt -index 1973658..6e4ac93 100644 ---- a/crypto/objects/objects.txt -+++ b/crypto/objects/objects.txt -@@ -1294,3 +1294,8 @@ kisa 1 6 : SEED-OFB : seed-ofb - : TLS11-DES-EDE3-CBC-HMAC-SHA1 : tls11-des-ede3-cbc-hmac-sha1 - : TLS11-AES-128-CBC-HMAC-SHA1 : tls11-aes-128-cbc-hmac-sha1 - : TLS11-AES-256-CBC-HMAC-SHA1 : tls11-aes-256-cbc-hmac-sha1 -+ : TLS12-DES-EDE3-CBC-HMAC-SHA1 : tls12-des-ede3-cbc-hmac-sha1 -+ : TLS12-AES-128-CBC-HMAC-SHA1 : tls12-aes-128-cbc-hmac-sha1 -+ : TLS12-AES-256-CBC-HMAC-SHA1 : tls12-aes-256-cbc-hmac-sha1 -+ : TLS12-AES-128-CBC-HMAC-SHA256 : tls12-aes-128-cbc-hmac-sha256 -+ : TLS12-AES-256-CBC-HMAC-SHA256 : tls12-aes-256-cbc-hmac-sha256 -diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c -index 0408986..77a82f6 100644 ---- a/ssl/ssl_ciph.c -+++ b/ssl/ssl_ciph.c -@@ -661,6 +661,31 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, - c->algorithm_mac == SSL_SHA1 && - (evp=EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1"))) - *enc = evp, *md = NULL; -+ else if (s->ssl_version == TLS1_2_VERSION && -+ c->algorithm_enc == SSL_3DES && -+ c->algorithm_mac == SSL_SHA1 && -+ (evp=EVP_get_cipherbyname("TLS12-DES-EDE3-CBC-HMAC-SHA1"))) -+ *enc = evp, *md = NULL; -+ else if (s->ssl_version == TLS1_2_VERSION && -+ c->algorithm_enc == SSL_AES128 && -+ c->algorithm_mac == SSL_SHA1 && -+ (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA1"))) -+ *enc = evp, *md = NULL; -+ else if (s->ssl_version == TLS1_2_VERSION && -+ c->algorithm_enc == SSL_AES256 && -+ c->algorithm_mac == SSL_SHA1 && -+ (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA1"))) -+ *enc = evp, *md = NULL; -+ else if (s->ssl_version == TLS1_2_VERSION && -+ c->algorithm_enc == SSL_AES128 && -+ c->algorithm_mac == SSL_SHA256 && -+ (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA256"))) -+ *enc = evp, *md = NULL; -+ else if (s->ssl_version == TLS1_2_VERSION && -+ c->algorithm_enc == SSL_AES256 && -+ c->algorithm_mac == SSL_SHA256 && -+ (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA256"))) -+ *enc = evp, *md = NULL; - return(1); - } - else --- -2.3.5 - -- cgit v1.2.3-54-g00ecf