From bd173142cc22d356d76bb74fbee15065faf299b8 Mon Sep 17 00:00:00 2001 From: Jens Rehsack Date: Tue, 7 Apr 2020 17:21:34 +0200 Subject: openssl-qoriq: upgrade to 1.1.1f/LSDK-20.04 Upgrade openssl-qoriq to 1.1.1f and rebase LSDK-20.04 changes on it, which causes in two patches for QorIQ: * 0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch * 0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch Signed-off-by: Jens Rehsack --- ...to-add-support-for-TLS-algorithms-offload.patch | 389 +++++++++++++++++++++ ...to-add-support-for-TLS1.2-algorithms-offl.patch | 285 +++++++++++++++ .../openssl/openssl-qoriq_1.1.1d.bb | 217 ------------ .../openssl/openssl-qoriq_1.1.1f.bb | 219 ++++++++++++ 4 files changed, 893 insertions(+), 217 deletions(-) create mode 100644 recipes-connectivity/openssl/openssl-qoriq/0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch create mode 100644 recipes-connectivity/openssl/openssl-qoriq/0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch delete mode 100644 recipes-connectivity/openssl/openssl-qoriq_1.1.1d.bb create mode 100644 recipes-connectivity/openssl/openssl-qoriq_1.1.1f.bb diff --git a/recipes-connectivity/openssl/openssl-qoriq/0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch b/recipes-connectivity/openssl/openssl-qoriq/0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch new file mode 100644 index 000000000..499df59bf --- /dev/null +++ b/recipes-connectivity/openssl/openssl-qoriq/0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch @@ -0,0 +1,389 @@ +From 501988587567b996c9c4a14239f575e77ed27791 Mon Sep 17 00:00:00 2001 +From: Pankaj Gupta +Date: Fri, 20 Sep 2019 12:18:16 +0530 +Subject: [PATCH 1/2] eng_devcrypto: add support for TLS algorithms offload + + - aes-128-cbc-hmac-sha1 + - aes-256-cbc-hmac-sha1 + +Requires TLS patches on cryptodev and TLS algorithm support in Linux +kernel driver. + +Signed-off-by: Pankaj Gupta +--- + crypto/engine/eng_devcrypto.c | 265 +++++++++++++++++++++++++++++----- + 1 file changed, 231 insertions(+), 34 deletions(-) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index 49e9ce1af3..727a660e75 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -60,6 +60,9 @@ struct cipher_ctx { + struct session_op sess; + int op; /* COP_ENCRYPT or COP_DECRYPT */ + unsigned long mode; /* EVP_CIPH_*_MODE */ ++ unsigned char *aad; ++ unsigned int aad_len; ++ unsigned int len; + + /* to handle ctr mode being a stream cipher */ + unsigned char partial[EVP_MAX_BLOCK_LENGTH]; +@@ -73,49 +76,62 @@ static const struct cipher_data_st { + int ivlen; + int flags; + int devcryptoid; ++ int mackeylen; + } cipher_data[] = { + #ifndef OPENSSL_NO_DES +- { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC }, +- { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC }, ++ { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC, 0 }, ++ { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC, 0 }, + #endif + #ifndef OPENSSL_NO_BF +- { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC }, ++ { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC, 0 }, + #endif + #ifndef OPENSSL_NO_CAST +- { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC }, ++ { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC, 0 }, + #endif +- { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, +- { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, +- { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, ++ { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, ++ { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, ++ { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, ++ { NID_aes_128_cbc_hmac_sha1, 16, 16, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 }, ++ { NID_aes_256_cbc_hmac_sha1, 16, 32, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 }, + #ifndef OPENSSL_NO_RC4 +- { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 }, ++ { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4, 0 }, + #endif + #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR) +- { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, +- { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, +- { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, ++ { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 }, ++ { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 }, ++ { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 }, + #endif + #if 0 /* Not yet supported */ +- { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, +- { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, ++ { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, ++ 0 }, ++ { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, ++ 0 }, + #endif + #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB) +- { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, +- { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, +- { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, ++ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 }, ++ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 }, ++ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 }, + #endif + #if 0 /* Not yet supported */ +- { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, +- { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, +- { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, ++ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++ { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++#endif ++#ifdef OPENSSL_NXP_CAAM ++ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, + #endif + #ifndef OPENSSL_NO_CAMELLIA + { NID_camellia_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, ++ CRYPTO_CAMELLIA_CBC, 0 }, + { NID_camellia_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, ++ CRYPTO_CAMELLIA_CBC, 0 }, + { NID_camellia_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, ++ CRYPTO_CAMELLIA_CBC, 0 }, + #endif + }; + +@@ -141,6 +157,158 @@ static const struct cipher_data_st *get_cipher_data(int nid) + return &cipher_data[get_cipher_data_index(nid)]; + } + ++/* ++ * Save the encryption key provided by upper layers. This function is called ++ * by EVP_CipherInit_ex to initialize the algorithm's extra data. We can't do ++ * much here because the mac key is not available. The next call should/will ++ * be to cryptodev_cbc_hmac_sha1_ctrl with parameter ++ * EVP_CTRL_AEAD_SET_MAC_KEY, to set the hmac key. There we call CIOCGSESSION ++ * with both the crypto and hmac keys. ++ */ ++static int cryptodev_init_aead_key(EVP_CIPHER_CTX *ctx, ++ const unsigned char *key, const unsigned char *iv, int enc) ++{ ++ struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx); ++ struct session_op *sess = &state->sess; ++ int cipher = -1, i; ++ ++ for (i = 0; cipher_data[i].devcryptoid; i++) { ++ if (EVP_CIPHER_CTX_nid(ctx) == cipher_data[i].nid && ++ EVP_CIPHER_CTX_iv_length(ctx) <= cipher_data[i].ivlen && ++ EVP_CIPHER_CTX_key_length(ctx) == cipher_data[i].keylen) { ++ cipher = cipher_data[i].devcryptoid; ++ break; ++ } ++ } ++ ++ if (!cipher_data[i].devcryptoid) ++ return (0); ++ ++ memset(sess, 0, sizeof(*sess)); ++ ++ sess->key = (void *) key; ++ sess->keylen = EVP_CIPHER_CTX_key_length(ctx); ++ sess->cipher = cipher; ++ ++ /* for whatever reason, (1) means success */ ++ return 1; ++} ++ ++static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t len) ++{ ++ struct crypt_auth_op cryp; ++ struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx); ++ struct session_op *sess = &state->sess; ++ const void *iiv; ++ unsigned char save_iv[EVP_MAX_IV_LENGTH]; ++ ++ if (cfd < 0) ++ return (0); ++ if (!len) ++ return (1); ++ if ((len % EVP_CIPHER_CTX_block_size(ctx)) != 0) ++ return (0); ++ ++ memset(&cryp, 0, sizeof(cryp)); ++ ++ /* TODO: make a seamless integration with cryptodev flags */ ++ switch (EVP_CIPHER_CTX_nid(ctx)) { ++ case NID_aes_128_cbc_hmac_sha1: ++ case NID_aes_256_cbc_hmac_sha1: ++ cryp.flags = COP_FLAG_AEAD_TLS_TYPE; ++ } ++ cryp.ses = sess->ses; ++ cryp.len = state->len; ++ cryp.src = (void *) in; ++ cryp.dst = (void *) out; ++ cryp.auth_src = state->aad; ++ cryp.auth_len = state->aad_len; ++ ++ cryp.op = EVP_CIPHER_CTX_encrypting(ctx) ? COP_ENCRYPT : COP_DECRYPT; ++ ++ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { ++ cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx); ++ if (!EVP_CIPHER_CTX_encrypting(ctx)) { ++ iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx); ++ memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx)); ++ } ++ } else ++ cryp.iv = NULL; ++ ++ if (ioctl(cfd, CIOCAUTHCRYPT, &cryp) == -1) { ++ /* ++ * XXX need better errror handling this can fail for a number of ++ * different reasons. ++ */ ++ return 0; ++ } ++ ++ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { ++ if (EVP_CIPHER_CTX_encrypting(ctx)) ++ iiv = out + len - EVP_CIPHER_CTX_iv_length(ctx); ++ else ++ iiv = save_iv; ++ ++ memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iiv, ++ EVP_CIPHER_CTX_iv_length(ctx)); ++ } ++ return 1; ++} ++ ++static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, ++ int arg, void *ptr) ++{ ++ switch (type) { ++ case EVP_CTRL_AEAD_SET_MAC_KEY: ++ { ++ /* TODO: what happens with hmac keys larger than 64 bytes? */ ++ struct cipher_ctx *state = ++ EVP_CIPHER_CTX_get_cipher_data(ctx); ++ struct session_op *sess = &state->sess; ++ ++ /* the rest should have been set in cryptodev_init_aead_key */ ++ sess->mackey = ptr; ++ sess->mackeylen = arg; ++ if (ioctl(cfd, CIOCGSESSION, sess) == -1) ++ return 0; ++ ++ return 1; ++ } ++ case EVP_CTRL_AEAD_TLS1_AAD: ++ { ++ /* ptr points to the associated data buffer of 13 bytes */ ++ struct cipher_ctx *state = ++ EVP_CIPHER_CTX_get_cipher_data(ctx); ++ unsigned char *p = ptr; ++ unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1]; ++ unsigned int maclen, padlen; ++ unsigned int bs = EVP_CIPHER_CTX_block_size(ctx); ++ ++ state->aad = ptr; ++ state->aad_len = arg; ++ state->len = cryptlen; ++ ++ /* TODO: this should be an extension of EVP_CIPHER struct */ ++ switch (EVP_CIPHER_CTX_nid(ctx)) { ++ case NID_aes_128_cbc_hmac_sha1: ++ case NID_aes_256_cbc_hmac_sha1: ++ maclen = SHA_DIGEST_LENGTH; ++ } ++ ++ /* space required for encryption (not only TLS padding) */ ++ padlen = maclen; ++ if (EVP_CIPHER_CTX_encrypting(ctx)) { ++ cryptlen += maclen; ++ padlen += bs - (cryptlen % bs); ++ } ++ return padlen; ++ } ++ default: ++ return -1; ++ } ++} ++ + /* + * Following are the three necessary functions to map OpenSSL functionality + * with cryptodev. +@@ -165,6 +333,7 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, + cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; + cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE; + cipher_ctx->blocksize = cipher_d->blocksize; ++ + if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { + SYSerr(SYS_F_IOCTL, errno); + return 0; +@@ -180,6 +349,7 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); + struct crypt_op cryp; + unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); ++ + #if !defined(COP_FLAG_WRITE_IV) + unsigned char saved_iv[EVP_MAX_IV_LENGTH]; + const unsigned char *ivptr; +@@ -340,32 +510,59 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx) + static int known_cipher_nids[OSSL_NELEM(cipher_data)]; + static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ + static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; ++int (*init) (EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc); ++int (*do_cipher) (EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl); ++int (*ctrl) (EVP_CIPHER_CTX *, int type, int arg, void *ptr); + + static void prepare_cipher_methods(void) + { + size_t i; + struct session_op sess; + unsigned long cipher_mode; ++ unsigned long flags; + + memset(&sess, 0, sizeof(sess)); + sess.key = (void *)"01234567890123456789012345678901234567890123456789"; ++ sess.mackey = (void *)"123456789ABCDEFGHIJKLMNO"; + + for (i = 0, known_cipher_nids_amount = 0; + i < OSSL_NELEM(cipher_data); i++) { + ++ init = cipher_init; ++ ctrl = cipher_ctrl; ++ flags = cipher_data[i].flags ++ | EVP_CIPH_CUSTOM_COPY ++ | EVP_CIPH_CTRL_INIT ++ | EVP_CIPH_FLAG_DEFAULT_ASN1; ++ + /* + * Check that the algo is really availably by trying to open and close + * a session. + */ + sess.cipher = cipher_data[i].devcryptoid; + sess.keylen = cipher_data[i].keylen; ++ sess.mackeylen = cipher_data[i].mackeylen; ++ ++ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; ++ ++ do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ? ++ ctr_do_cipher : ++ cipher_do_cipher); ++ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1) { ++ init = cryptodev_init_aead_key; ++ do_cipher = cryptodev_aead_cipher; ++ ctrl = cryptodev_cbc_hmac_sha1_ctrl; ++ flags = cipher_data[i].flags; ++ } ++ + if (ioctl(cfd, CIOCGSESSION, &sess) < 0 + || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) + continue; + +- cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; +- +- if ((known_cipher_methods[i] = ++ if ((known_cipher_methods[i] = + EVP_CIPHER_meth_new(cipher_data[i].nid, + cipher_mode == EVP_CIPH_CTR_MODE ? 1 : + cipher_data[i].blocksize, +@@ -373,16 +570,12 @@ static void prepare_cipher_methods(void) + || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i], + cipher_data[i].ivlen) + || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i], +- cipher_data[i].flags +- | EVP_CIPH_CUSTOM_COPY +- | EVP_CIPH_CTRL_INIT +- | EVP_CIPH_FLAG_DEFAULT_ASN1) +- || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) ++ flags) ++ || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], init) + || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], +- cipher_mode == EVP_CIPH_CTR_MODE ? +- ctr_do_cipher : +- cipher_do_cipher) +- || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) ++ do_cipher) ++ /* AEAD Support to be added. */ ++ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], ctrl) + || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], + cipher_cleanup) + || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], +@@ -393,6 +586,10 @@ static void prepare_cipher_methods(void) + known_cipher_nids[known_cipher_nids_amount++] = + cipher_data[i].nid; + } ++ ++ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1) ++ EVP_add_cipher(known_cipher_methods[i]); + } + } + +-- +2.17.1 + diff --git a/recipes-connectivity/openssl/openssl-qoriq/0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch b/recipes-connectivity/openssl/openssl-qoriq/0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch new file mode 100644 index 000000000..b12af56e5 --- /dev/null +++ b/recipes-connectivity/openssl/openssl-qoriq/0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch @@ -0,0 +1,285 @@ +From db9d8be9d0d81bdb2ddb78f8616243593a3d24c5 Mon Sep 17 00:00:00 2001 +From: Pankaj Gupta +Date: Fri, 10 Jan 2020 15:38:38 +0530 +Subject: [PATCH 2/2] eng_devcrypto: add support for TLS1.2 algorithms offload + + - aes-128-cbc-hmac-sha256 + - aes-256-cbc-hmac-sha256 + +Enabled the support of TLS1.1 algorithms offload + + - aes-128-cbc-hmac-sha1 + - aes-256-cbc-hmac-sha1 + +Requires TLS patches on cryptodev and TLS algorithm support in Linux +kernel driver. + +Fix: Remove the support for TLS1.0. + +Signed-off-by: Pankaj Gupta +Signed-off-by: Arun Pathak +--- + crypto/engine/eng_devcrypto.c | 133 +++++++++++++++++++++++----------- + 1 file changed, 90 insertions(+), 43 deletions(-) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index 727a660e75..be63f65e04 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -25,6 +25,7 @@ + #include "crypto/engine.h" + + /* #define ENGINE_DEVCRYPTO_DEBUG */ ++#define TLS1_1_VERSION 0x0302 + + #if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX + # define CHECK_BSD_STYLE_MACROS +@@ -67,6 +68,7 @@ struct cipher_ctx { + /* to handle ctr mode being a stream cipher */ + unsigned char partial[EVP_MAX_BLOCK_LENGTH]; + unsigned int blocksize, num; ++ unsigned int tls_ver; + }; + + static const struct cipher_data_st { +@@ -92,11 +94,17 @@ static const struct cipher_data_st { + { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, + { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, + { NID_aes_128_cbc_hmac_sha1, 16, 16, 16, +- EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, +- CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 }, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 }, + { NID_aes_256_cbc_hmac_sha1, 16, 32, 16, +- EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, +- CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 }, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 }, ++ { NID_aes_128_cbc_hmac_sha256, 16, 16, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 }, ++ { NID_aes_256_cbc_hmac_sha256, 16, 32, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 }, + #ifndef OPENSSL_NO_RC4 + { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4, 0 }, + #endif +@@ -107,9 +115,9 @@ static const struct cipher_data_st { + #endif + #if 0 /* Not yet supported */ + { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, +- 0 }, ++ 0 }, + { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, +- 0 }, ++ 0 }, + #endif + #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB) + { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 }, +@@ -166,7 +174,7 @@ static const struct cipher_data_st *get_cipher_data(int nid) + * with both the crypto and hmac keys. + */ + static int cryptodev_init_aead_key(EVP_CIPHER_CTX *ctx, +- const unsigned char *key, const unsigned char *iv, int enc) ++ const unsigned char *key, const unsigned char *iv, int enc) + { + struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx); + struct session_op *sess = &state->sess; +@@ -212,10 +220,29 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + + memset(&cryp, 0, sizeof(cryp)); + ++ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { ++ if (!EVP_CIPHER_CTX_encrypting(ctx)) { ++ iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx); ++ memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx)); ++ ++ if (state->tls_ver >= TLS1_1_VERSION) { ++ memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), in, ++ EVP_CIPHER_CTX_iv_length(ctx)); ++ in += EVP_CIPHER_CTX_iv_length(ctx); ++ out += EVP_CIPHER_CTX_iv_length(ctx); ++ len -= EVP_CIPHER_CTX_iv_length(ctx); ++ } ++ } ++ cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx); ++ } else ++ cryp.iv = NULL; ++ + /* TODO: make a seamless integration with cryptodev flags */ + switch (EVP_CIPHER_CTX_nid(ctx)) { + case NID_aes_128_cbc_hmac_sha1: + case NID_aes_256_cbc_hmac_sha1: ++ case NID_aes_128_cbc_hmac_sha256: ++ case NID_aes_256_cbc_hmac_sha256: + cryp.flags = COP_FLAG_AEAD_TLS_TYPE; + } + cryp.ses = sess->ses; +@@ -227,15 +254,6 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + + cryp.op = EVP_CIPHER_CTX_encrypting(ctx) ? COP_ENCRYPT : COP_DECRYPT; + +- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { +- cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx); +- if (!EVP_CIPHER_CTX_encrypting(ctx)) { +- iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx); +- memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx)); +- } +- } else +- cryp.iv = NULL; +- + if (ioctl(cfd, CIOCAUTHCRYPT, &cryp) == -1) { + /* + * XXX need better errror handling this can fail for a number of +@@ -262,7 +280,7 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, + switch (type) { + case EVP_CTRL_AEAD_SET_MAC_KEY: + { +- /* TODO: what happens with hmac keys larger than 64 bytes? */ ++ /* TODO: what happens with hmac keys larger than 64 bytes? */ + struct cipher_ctx *state = + EVP_CIPHER_CTX_get_cipher_data(ctx); + struct session_op *sess = &state->sess; +@@ -282,27 +300,52 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, + EVP_CIPHER_CTX_get_cipher_data(ctx); + unsigned char *p = ptr; + unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1]; +- unsigned int maclen, padlen; +- unsigned int bs = EVP_CIPHER_CTX_block_size(ctx); ++ unsigned int maclen; ++ unsigned int blocksize = EVP_CIPHER_CTX_block_size(ctx); ++ int ret; + ++ state->tls_ver = p[arg - 4] << 8 | p[arg - 3]; + state->aad = ptr; + state->aad_len = arg; +- state->len = cryptlen; + + /* TODO: this should be an extension of EVP_CIPHER struct */ + switch (EVP_CIPHER_CTX_nid(ctx)) { + case NID_aes_128_cbc_hmac_sha1: + case NID_aes_256_cbc_hmac_sha1: + maclen = SHA_DIGEST_LENGTH; ++ break; ++ case NID_aes_128_cbc_hmac_sha256: ++ case NID_aes_256_cbc_hmac_sha256: ++ maclen = SHA256_DIGEST_LENGTH; ++ break; ++ default: ++ /* ++ * Only above 4 supported NIDs are used to enter to this ++ * function. If any other NID reaches this function, ++ * there's a grave coding error further down. ++ */ ++ assert("Code that never should be reached" == NULL); ++ return -1; + } + + /* space required for encryption (not only TLS padding) */ +- padlen = maclen; + if (EVP_CIPHER_CTX_encrypting(ctx)) { +- cryptlen += maclen; +- padlen += bs - (cryptlen % bs); ++ if (state->tls_ver >= TLS1_1_VERSION) { ++ p[arg - 2] = (cryptlen - blocksize) >> 8; ++ p[arg - 1] = (cryptlen - blocksize); ++ } ++ ret = (int)(((cryptlen + maclen + ++ blocksize) & -blocksize) - cryptlen); ++ } else { ++ if (state->tls_ver >= TLS1_1_VERSION) { ++ cryptlen -= blocksize; ++ p[arg - 2] = cryptlen >> 8; ++ p[arg - 1] = cryptlen; ++ } ++ ret = maclen; + } +- return padlen; ++ state->len = cryptlen; ++ return ret; + } + default: + return -1; +@@ -510,11 +553,11 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx) + static int known_cipher_nids[OSSL_NELEM(cipher_data)]; + static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ + static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; +-int (*init) (EVP_CIPHER_CTX *ctx, const unsigned char *key, +- const unsigned char *iv, int enc); +-int (*do_cipher) (EVP_CIPHER_CTX *ctx, unsigned char *out, +- const unsigned char *in, size_t inl); +-int (*ctrl) (EVP_CIPHER_CTX *, int type, int arg, void *ptr); ++int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc); ++int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl); ++int (*ctrl)(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); + + static void prepare_cipher_methods(void) + { +@@ -543,26 +586,28 @@ static void prepare_cipher_methods(void) + */ + sess.cipher = cipher_data[i].devcryptoid; + sess.keylen = cipher_data[i].keylen; +- sess.mackeylen = cipher_data[i].mackeylen; ++ sess.mackeylen = cipher_data[i].mackeylen; + + cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; + +- do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ? ++ do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ? + ctr_do_cipher : + cipher_do_cipher); +- if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 +- || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1) { +- init = cryptodev_init_aead_key; +- do_cipher = cryptodev_aead_cipher; +- ctrl = cryptodev_cbc_hmac_sha1_ctrl; +- flags = cipher_data[i].flags; +- } ++ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256) { ++ init = cryptodev_init_aead_key; ++ do_cipher = cryptodev_aead_cipher; ++ ctrl = cryptodev_cbc_hmac_sha1_ctrl; ++ flags = cipher_data[i].flags; ++ } + + if (ioctl(cfd, CIOCGSESSION, &sess) < 0 + || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) + continue; + +- if ((known_cipher_methods[i] = ++ if ((known_cipher_methods[i] = + EVP_CIPHER_meth_new(cipher_data[i].nid, + cipher_mode == EVP_CIPH_CTR_MODE ? 1 : + cipher_data[i].blocksize, +@@ -574,7 +619,7 @@ static void prepare_cipher_methods(void) + || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], init) + || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], + do_cipher) +- /* AEAD Support to be added. */ ++ /* AEAD Support to be added. */ + || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], ctrl) + || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], + cipher_cleanup) +@@ -587,9 +632,11 @@ static void prepare_cipher_methods(void) + cipher_data[i].nid; + } + +- if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 +- || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1) +- EVP_add_cipher(known_cipher_methods[i]); ++ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256) ++ EVP_add_cipher(known_cipher_methods[i]); + } + } + +-- +2.17.1 + diff --git a/recipes-connectivity/openssl/openssl-qoriq_1.1.1d.bb b/recipes-connectivity/openssl/openssl-qoriq_1.1.1d.bb deleted file mode 100644 index 13d9fe758..000000000 --- a/recipes-connectivity/openssl/openssl-qoriq_1.1.1d.bb +++ /dev/null @@ -1,217 +0,0 @@ -SUMMARY = "Secure Socket Layer" -DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." -HOMEPAGE = "http://www.openssl.org/" -BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" -SECTION = "libs/network" - -DISABLE_STATIC = "" - -# "openssl" here actually means both OpenSSL and SSLeay licenses apply -# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) -LICENSE = "openssl" -LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" - -DEPENDS = "hostperl-runtime-native" - -SRC_URI = "git://source.codeaurora.org/external/qoriq/qoriq-components/openssl;nobranch=1 \ - file://run-ptest \ - file://0001-skip-test_symbol_presence.patch \ - file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ - file://afalg.patch \ - " - -SRCREV = "894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596" - -SRC_URI_append_class-nativesdk = " \ - file://environment.d-openssl.sh \ - " -inherit lib_package multilib_header multilib_script ptest -MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" - -PROVIDES = "openssl" - -python() { - pkgs = d.getVar('PACKAGES').split() - for p in pkgs: - if 'openssl-qoriq' in p: - d.appendVar("RPROVIDES_%s" % p, p.replace('openssl-qoriq', 'openssl')) - d.appendVar("RCONFLICTS_%s" % p, p.replace('openssl-qoriq', 'openssl')) - d.appendVar("RREPLACES_%s" % p, p.replace('openssl-qoriq', 'openssl')) -} - -PACKAGECONFIG ?= "" -PACKAGECONFIG_class-native = "" -PACKAGECONFIG_class-nativesdk = "" - -PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux" - -B = "${WORKDIR}/build" -do_configure[cleandirs] = "${B}" - -S = "${WORKDIR}/git" - -#| ./libcrypto.so: undefined reference to `getcontext' -#| ./libcrypto.so: undefined reference to `setcontext' -#| ./libcrypto.so: undefined reference to `makecontext' -EXTRA_OECONF_append_libc-musl = " no-async" -EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm" - -# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions -# (native versions can be built with newer glibc, but then relocated onto a system with older glibc) -EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom" -EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom" - -# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. -CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" -CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" - -do_configure () { - os=${HOST_OS} - case $os in - linux-gnueabi |\ - linux-gnuspe |\ - linux-musleabi |\ - linux-muslspe |\ - linux-musl ) - os=linux - ;; - *) - ;; - esac - target="$os-${HOST_ARCH}" - case $target in - linux-arm*) - target=linux-armv4 - ;; - linux-aarch64*) - target=linux-aarch64 - ;; - linux-i?86 | linux-viac3) - target=linux-x86 - ;; - linux-gnux32-x86_64 | linux-muslx32-x86_64 ) - target=linux-x32 - ;; - linux-gnu64-x86_64) - target=linux-x86_64 - ;; - linux-mips | linux-mipsel) - # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags - target="linux-mips32 ${TARGET_CC_ARCH}" - ;; - linux-gnun32-mips*) - target=linux-mips64 - ;; - linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el) - target=linux64-mips64 - ;; - linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) - target=linux-generic32 - ;; - linux-powerpc) - target=linux-ppc - ;; - linux-powerpc64) - target=linux-ppc64 - ;; - linux-riscv32) - target=linux-generic32 - ;; - linux-riscv64) - target=linux-generic64 - ;; - linux-sparc | linux-supersparc) - target=linux-sparcv9 - ;; - esac - - useprefix=${prefix} - if [ "x$useprefix" = "x" ]; then - useprefix=/ - fi - # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the - # environment variables set by bitbake. Adjust the environment variables instead. - PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target - perl ${B}/configdata.pm --dump -} - -do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install - - oe_multilib_header openssl/opensslconf.h - - # Create SSL structure for packages such as ca-certificates which - # contain hard-coded paths to /etc/ssl. Debian does the same. - install -d ${D}${sysconfdir}/ssl - mv ${D}${libdir}/ssl-1.1/certs \ - ${D}${libdir}/ssl-1.1/private \ - ${D}${libdir}/ssl-1.1/openssl.cnf \ - ${D}${sysconfdir}/ssl/ - - # Although absolute symlinks would be OK for the target, they become - # invalid if native or nativesdk are relocated from sstate. - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf -} - -do_install_append_class-native () { - create_wrapper ${D}${bindir}/openssl \ - OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \ - SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ - SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ - OPENSSL_ENGINES=${libdir}/ssl-1.1/engines -} - -do_install_append_class-nativesdk () { - mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d - install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh - sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh -} - -PTEST_BUILD_HOST_FILES += "configdata.pm" -PTEST_BUILD_HOST_PATTERN = "perl_version =" -do_install_ptest () { - # Prune the build tree - rm -f ${B}/fuzz/*.* ${B}/test/*.* - - cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH} - cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH} - - # For test_shlibload - ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/ - ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/ - - install -d ${D}${PTEST_PATH}/apps - ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps - install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps - install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps - - install -d ${D}${PTEST_PATH}/engines - install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines -} - -# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto -# package RRECOMMENDS on this package. This will enable the configuration -# file to be installed for both the openssl-bin package and the libcrypto -# package since the openssl-bin package depends on the libcrypto package. - -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" - -FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" -FILES_libssl = "${libdir}/libssl${SOLIBS}" -FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" -FILES_${PN}-engines = "${libdir}/engines-1.1" -FILES_${PN}-misc = "${libdir}/ssl-1.1/misc" -FILES_${PN} =+ "${libdir}/ssl-1.1/*" -FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" - -CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" - -RRECOMMENDS_libcrypto += "openssl-conf" -RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash" - -BBCLASSEXTEND = "native nativesdk" - -CVE_PRODUCT = "openssl:openssl" diff --git a/recipes-connectivity/openssl/openssl-qoriq_1.1.1f.bb b/recipes-connectivity/openssl/openssl-qoriq_1.1.1f.bb new file mode 100644 index 000000000..d9af242d5 --- /dev/null +++ b/recipes-connectivity/openssl/openssl-qoriq_1.1.1f.bb @@ -0,0 +1,219 @@ +SUMMARY = "Secure Socket Layer" +DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." +HOMEPAGE = "http://www.openssl.org/" +BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" +SECTION = "libs/network" + +DISABLE_STATIC = "" + +# "openssl" here actually means both OpenSSL and SSLeay licenses apply +# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) +LICENSE = "openssl" +LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" + +DEPENDS = "hostperl-runtime-native" + +SRC_URI = "git://source.codeaurora.org/external/qoriq/qoriq-components/openssl;nobranch=1 \ + file://run-ptest \ + file://0001-skip-test_symbol_presence.patch \ + file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ + file://afalg.patch \ + file://0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch \ + file://0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch \ + " + +SRCREV = "36eadf1f84daa965041cce410b4ff32cbda4ef08" + +SRC_URI_append_class-nativesdk = " \ + file://environment.d-openssl.sh \ + " +inherit lib_package multilib_header multilib_script ptest +MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" + +PROVIDES = "openssl" + +python() { + pkgs = d.getVar('PACKAGES').split() + for p in pkgs: + if 'openssl-qoriq' in p: + d.appendVar("RPROVIDES_%s" % p, p.replace('openssl-qoriq', 'openssl')) + d.appendVar("RCONFLICTS_%s" % p, p.replace('openssl-qoriq', 'openssl')) + d.appendVar("RREPLACES_%s" % p, p.replace('openssl-qoriq', 'openssl')) +} + +PACKAGECONFIG ?= "" +PACKAGECONFIG_class-native = "" +PACKAGECONFIG_class-nativesdk = "" + +PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux" + +B = "${WORKDIR}/build" +do_configure[cleandirs] = "${B}" + +S = "${WORKDIR}/git" + +#| ./libcrypto.so: undefined reference to `getcontext' +#| ./libcrypto.so: undefined reference to `setcontext' +#| ./libcrypto.so: undefined reference to `makecontext' +EXTRA_OECONF_append_libc-musl = " no-async" +EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm" + +# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions +# (native versions can be built with newer glibc, but then relocated onto a system with older glibc) +EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom" +EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom" + +# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. +CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" +CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" + +do_configure () { + os=${HOST_OS} + case $os in + linux-gnueabi |\ + linux-gnuspe |\ + linux-musleabi |\ + linux-muslspe |\ + linux-musl ) + os=linux + ;; + *) + ;; + esac + target="$os-${HOST_ARCH}" + case $target in + linux-arm*) + target=linux-armv4 + ;; + linux-aarch64*) + target=linux-aarch64 + ;; + linux-i?86 | linux-viac3) + target=linux-x86 + ;; + linux-gnux32-x86_64 | linux-muslx32-x86_64 ) + target=linux-x32 + ;; + linux-gnu64-x86_64) + target=linux-x86_64 + ;; + linux-mips | linux-mipsel) + # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags + target="linux-mips32 ${TARGET_CC_ARCH}" + ;; + linux-gnun32-mips*) + target=linux-mips64 + ;; + linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el) + target=linux64-mips64 + ;; + linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) + target=linux-generic32 + ;; + linux-powerpc) + target=linux-ppc + ;; + linux-powerpc64) + target=linux-ppc64 + ;; + linux-riscv32) + target=linux-generic32 + ;; + linux-riscv64) + target=linux-generic64 + ;; + linux-sparc | linux-supersparc) + target=linux-sparcv9 + ;; + esac + + useprefix=${prefix} + if [ "x$useprefix" = "x" ]; then + useprefix=/ + fi + # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the + # environment variables set by bitbake. Adjust the environment variables instead. + PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target + perl ${B}/configdata.pm --dump +} + +do_install () { + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install + + oe_multilib_header openssl/opensslconf.h + + # Create SSL structure for packages such as ca-certificates which + # contain hard-coded paths to /etc/ssl. Debian does the same. + install -d ${D}${sysconfdir}/ssl + mv ${D}${libdir}/ssl-1.1/certs \ + ${D}${libdir}/ssl-1.1/private \ + ${D}${libdir}/ssl-1.1/openssl.cnf \ + ${D}${sysconfdir}/ssl/ + + # Although absolute symlinks would be OK for the target, they become + # invalid if native or nativesdk are relocated from sstate. + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf +} + +do_install_append_class-native () { + create_wrapper ${D}${bindir}/openssl \ + OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \ + SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ + SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ + OPENSSL_ENGINES=${libdir}/ssl-1.1/engines +} + +do_install_append_class-nativesdk () { + mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d + install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh + sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh +} + +PTEST_BUILD_HOST_FILES += "configdata.pm" +PTEST_BUILD_HOST_PATTERN = "perl_version =" +do_install_ptest () { + # Prune the build tree + rm -f ${B}/fuzz/*.* ${B}/test/*.* + + cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH} + cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH} + + # For test_shlibload + ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/ + ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/ + + install -d ${D}${PTEST_PATH}/apps + ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps + install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps + install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps + + install -d ${D}${PTEST_PATH}/engines + install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines +} + +# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto +# package RRECOMMENDS on this package. This will enable the configuration +# file to be installed for both the openssl-bin package and the libcrypto +# package since the openssl-bin package depends on the libcrypto package. + +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" + +FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" +FILES_libssl = "${libdir}/libssl${SOLIBS}" +FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" +FILES_${PN}-engines = "${libdir}/engines-1.1" +FILES_${PN}-misc = "${libdir}/ssl-1.1/misc" +FILES_${PN} =+ "${libdir}/ssl-1.1/*" +FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" + +CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" + +RRECOMMENDS_libcrypto += "openssl-conf" +RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash" + +BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT = "openssl:openssl" -- cgit v1.2.3-54-g00ecf