]> code.ossystems Code Review - meta-freescale.git/blob
Code Review / meta-freescale.git / blob
? search:


5e65ec6ee57ee16627537afa1c28c5afb026e1c1
[meta-freescale.git] /
1 From 4c1531a088076118ce3c06cb0af15998f0796cb3 Mon Sep 17 00:00:00 2001
2 From: Tudor Ambarus <tudor.ambarus@freescale.com>
3 Date: Tue, 31 Mar 2015 16:32:35 +0300
4 Subject: [PATCH 17/48] eng_cryptodev: add support for TLSv1.2 record offload
5
6 Supported cipher suites:
7 - 3des-ede-cbc-sha
8 - aes-128-cbc-hmac-sha
9 - aes-256-cbc-hmac-sha
10 - aes-128-cbc-hmac-sha256
11 - aes-256-cbc-hmac-sha256
12
13 Requires TLS patches on cryptodev and TLS algorithm support in Linux
14 kernel driver.
15
16 Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
17 Tested-by: Cristian Stoica <cristian.stoica@freescale.com>
18 ---
19  crypto/engine/eng_cryptodev.c | 138 ++++++++++++++++++++++++++++++++++++++++++
20  crypto/objects/obj_dat.h      |  26 +++++++-
21  crypto/objects/obj_mac.h      |  20 ++++++
22  crypto/objects/obj_mac.num    |   5 ++
23  crypto/objects/objects.txt    |   5 ++
24  ssl/ssl_ciph.c                |  25 ++++++++
25  6 files changed, 216 insertions(+), 3 deletions(-)
26
27 diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
28 index e37a661..e6f9f16 100644
29 --- a/crypto/engine/eng_cryptodev.c
30 +++ b/crypto/engine/eng_cryptodev.c
31 @@ -139,6 +139,11 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
32  const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1;
33  const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1;
34  const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1;
35 +const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1;
36 +const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1;
37 +const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1;
38 +const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256;
39 +const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256;
40  
41  inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin, int *bin_len)
42  {
43 @@ -310,6 +315,26 @@ static struct {
44          20
45      },
46      {
47 +        CRYPTO_TLS12_3DES_CBC_HMAC_SHA1, NID_tls12_des_ede3_cbc_hmac_sha1, 8,
48 +        24, 20
49 +    },
50 +    {
51 +        CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_128_cbc_hmac_sha1, 16, 16,
52 +        20
53 +    },
54 +    {
55 +        CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_256_cbc_hmac_sha1, 16, 32,
56 +        20
57 +    },
58 +    {
59 +        CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_128_cbc_hmac_sha256, 16,
60 +        16, 32
61 +    },
62 +    {
63 +        CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_256_cbc_hmac_sha256, 16,
64 +        32, 32
65 +    },
66 +    {
67          CRYPTO_AES_GCM, NID_aes_128_gcm, 16, 16, 0
68      },
69      {
70 @@ -551,6 +576,21 @@ static int cryptodev_usable_ciphers(const int **nids)
71          case NID_tls11_aes_256_cbc_hmac_sha1:
72              EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1);
73              break;
74 +        case NID_tls12_des_ede3_cbc_hmac_sha1:
75 +            EVP_add_cipher(&cryptodev_tls12_3des_cbc_hmac_sha1);
76 +            break;
77 +        case NID_tls12_aes_128_cbc_hmac_sha1:
78 +            EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha1);
79 +            break;
80 +        case NID_tls12_aes_256_cbc_hmac_sha1:
81 +            EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha1);
82 +            break;
83 +        case NID_tls12_aes_128_cbc_hmac_sha256:
84 +            EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha256);
85 +            break;
86 +        case NID_tls12_aes_256_cbc_hmac_sha256:
87 +            EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha256);
88 +            break;
89          }
90      }
91      return count;
92 @@ -659,6 +699,11 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
93      case NID_tls11_des_ede3_cbc_hmac_sha1:
94      case NID_tls11_aes_128_cbc_hmac_sha1:
95      case NID_tls11_aes_256_cbc_hmac_sha1:
96 +    case NID_tls12_des_ede3_cbc_hmac_sha1:
97 +    case NID_tls12_aes_128_cbc_hmac_sha1:
98 +    case NID_tls12_aes_256_cbc_hmac_sha1:
99 +    case NID_tls12_aes_128_cbc_hmac_sha256:
100 +    case NID_tls12_aes_256_cbc_hmac_sha256:
101          cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
102      }
103      cryp.ses = sess->ses;
104 @@ -856,9 +901,17 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
105              case NID_tls11_des_ede3_cbc_hmac_sha1:
106              case NID_tls11_aes_128_cbc_hmac_sha1:
107              case NID_tls11_aes_256_cbc_hmac_sha1:
108 +            case NID_tls12_des_ede3_cbc_hmac_sha1:
109 +            case NID_tls12_aes_128_cbc_hmac_sha1:
110 +            case NID_tls12_aes_256_cbc_hmac_sha1:
111                  maclen = SHA_DIGEST_LENGTH;
112                  aad_needs_fix = true;
113                  break;
114 +            case NID_tls12_aes_128_cbc_hmac_sha256:
115 +            case NID_tls12_aes_256_cbc_hmac_sha256:
116 +                maclen = SHA256_DIGEST_LENGTH;
117 +                aad_needs_fix = true;
118 +                break;
119              }
120  
121              /* Correct length for AAD Length field */
122 @@ -1270,6 +1323,76 @@ const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = {
123      NULL
124  };
125  
126 +const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1 = {
127 +    NID_tls12_des_ede3_cbc_hmac_sha1,
128 +    8, 24, 8,
129 +    EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
130 +    cryptodev_init_aead_key,
131 +    cryptodev_aead_cipher,
132 +    cryptodev_cleanup,
133 +    sizeof(struct dev_crypto_state),
134 +    EVP_CIPHER_set_asn1_iv,
135 +    EVP_CIPHER_get_asn1_iv,
136 +    cryptodev_cbc_hmac_sha1_ctrl,
137 +    NULL
138 +};
139 +
140 +const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1 = {
141 +    NID_tls12_aes_128_cbc_hmac_sha1,
142 +    16, 16, 16,
143 +    EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
144 +    cryptodev_init_aead_key,
145 +    cryptodev_aead_cipher,
146 +    cryptodev_cleanup,
147 +    sizeof(struct dev_crypto_state),
148 +    EVP_CIPHER_set_asn1_iv,
149 +    EVP_CIPHER_get_asn1_iv,
150 +    cryptodev_cbc_hmac_sha1_ctrl,
151 +    NULL
152 +};
153 +
154 +const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1 = {
155 +    NID_tls12_aes_256_cbc_hmac_sha1,
156 +    16, 32, 16,
157 +    EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
158 +    cryptodev_init_aead_key,
159 +    cryptodev_aead_cipher,
160 +    cryptodev_cleanup,
161 +    sizeof(struct dev_crypto_state),
162 +    EVP_CIPHER_set_asn1_iv,
163 +    EVP_CIPHER_get_asn1_iv,
164 +    cryptodev_cbc_hmac_sha1_ctrl,
165 +    NULL
166 +};
167 +
168 +const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256 = {
169 +    NID_tls12_aes_128_cbc_hmac_sha256,
170 +    16, 16, 16,
171 +    EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
172 +    cryptodev_init_aead_key,
173 +    cryptodev_aead_cipher,
174 +    cryptodev_cleanup,
175 +    sizeof(struct dev_crypto_state),
176 +    EVP_CIPHER_set_asn1_iv,
177 +    EVP_CIPHER_get_asn1_iv,
178 +    cryptodev_cbc_hmac_sha1_ctrl,
179 +    NULL
180 +};
181 +
182 +const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256 = {
183 +    NID_tls12_aes_256_cbc_hmac_sha256,
184 +    16, 32, 16,
185 +    EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
186 +    cryptodev_init_aead_key,
187 +    cryptodev_aead_cipher,
188 +    cryptodev_cleanup,
189 +    sizeof(struct dev_crypto_state),
190 +    EVP_CIPHER_set_asn1_iv,
191 +    EVP_CIPHER_get_asn1_iv,
192 +    cryptodev_cbc_hmac_sha1_ctrl,
193 +    NULL
194 +};
195 +
196  const EVP_CIPHER cryptodev_aes_128_gcm = {
197      NID_aes_128_gcm,
198      1, 16, 12,
199 @@ -1395,6 +1518,21 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
200      case NID_aes_128_gcm:
201          *cipher = &cryptodev_aes_128_gcm;
202          break;
203 +    case NID_tls12_des_ede3_cbc_hmac_sha1:
204 +        *cipher = &cryptodev_tls12_3des_cbc_hmac_sha1;
205 +        break;
206 +    case NID_tls12_aes_128_cbc_hmac_sha1:
207 +        *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha1;
208 +        break;
209 +    case NID_tls12_aes_256_cbc_hmac_sha1:
210 +        *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha1;
211 +        break;
212 +    case NID_tls12_aes_128_cbc_hmac_sha256:
213 +        *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha256;
214 +        break;
215 +    case NID_tls12_aes_256_cbc_hmac_sha256:
216 +        *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha256;
217 +        break;
218      default:
219          *cipher = NULL;
220          break;
221 diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
222 index 4dd32a1..e3a2505 100644
223 --- a/crypto/objects/obj_dat.h
224 +++ b/crypto/objects/obj_dat.h
225 @@ -62,9 +62,9 @@
226   * [including the GNU Public Licence.]
227   */
228  
229 -#define NUM_NID 962
230 -#define NUM_SN 955
231 -#define NUM_LN 955
232 +#define NUM_NID 967
233 +#define NUM_SN 960
234 +#define NUM_LN 960
235  #define NUM_OBJ 890
236  
237  static const unsigned char lvalues[6255]={
238 @@ -2522,6 +2522,16 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
239         NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0},
240  {"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1",
241         NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0},
242 +{"TLS12-DES-EDE3-CBC-HMAC-SHA1","tls12-des-ede3-cbc-hmac-sha1",
243 +       NID_tls12_des_ede3_cbc_hmac_sha1,0,NULL,0},
244 +{"TLS12-AES-128-CBC-HMAC-SHA1","tls12-aes-128-cbc-hmac-sha1",
245 +       NID_tls12_aes_128_cbc_hmac_sha1,0,NULL,0},
246 +{"TLS12-AES-256-CBC-HMAC-SHA1","tls12-aes-256-cbc-hmac-sha1",
247 +       NID_tls12_aes_256_cbc_hmac_sha1,0,NULL,0},
248 +{"TLS12-AES-128-CBC-HMAC-SHA256","tls12-aes-128-cbc-hmac-sha256",
249 +       NID_tls12_aes_128_cbc_hmac_sha256,0,NULL,0},
250 +{"TLS12-AES-256-CBC-HMAC-SHA256","tls12-aes-256-cbc-hmac-sha256",
251 +       NID_tls12_aes_256_cbc_hmac_sha256,0,NULL,0},
252  };
253  
254  static const unsigned int sn_objs[NUM_SN]={
255 @@ -2714,6 +2724,11 @@ static const unsigned int sn_objs[NUM_SN]={
256  960,   /* "TLS11-AES-128-CBC-HMAC-SHA1" */
257  961,   /* "TLS11-AES-256-CBC-HMAC-SHA1" */
258  959,   /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */
259 +963,   /* "TLS12-AES-128-CBC-HMAC-SHA1" */
260 +965,   /* "TLS12-AES-128-CBC-HMAC-SHA256" */
261 +964,   /* "TLS12-AES-256-CBC-HMAC-SHA1" */
262 +966,   /* "TLS12-AES-256-CBC-HMAC-SHA256" */
263 +962,   /* "TLS12-DES-EDE3-CBC-HMAC-SHA1" */
264  458,   /* "UID" */
265   0,    /* "UNDEF" */
266  11,    /* "X500" */
267 @@ -4408,6 +4423,11 @@ static const unsigned int ln_objs[NUM_LN]={
268  960,   /* "tls11-aes-128-cbc-hmac-sha1" */
269  961,   /* "tls11-aes-256-cbc-hmac-sha1" */
270  959,   /* "tls11-des-ede3-cbc-hmac-sha1" */
271 +963,   /* "tls12-aes-128-cbc-hmac-sha1" */
272 +965,   /* "tls12-aes-128-cbc-hmac-sha256" */
273 +964,   /* "tls12-aes-256-cbc-hmac-sha1" */
274 +966,   /* "tls12-aes-256-cbc-hmac-sha256" */
275 +962,   /* "tls12-des-ede3-cbc-hmac-sha1" */
276  682,   /* "tpBasis" */
277  436,   /* "ucl" */
278   0,    /* "undefined" */
279 diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
280 index 5930563..f4a81cb 100644
281 --- a/crypto/objects/obj_mac.h
282 +++ b/crypto/objects/obj_mac.h
283 @@ -4063,6 +4063,26 @@
284  #define LN_tls11_aes_256_cbc_hmac_sha1          "tls11-aes-256-cbc-hmac-sha1"
285  #define NID_tls11_aes_256_cbc_hmac_sha1         961
286  
287 +#define SN_tls12_des_ede3_cbc_hmac_sha1         "TLS12-DES-EDE3-CBC-HMAC-SHA1"
288 +#define LN_tls12_des_ede3_cbc_hmac_sha1         "tls12-des-ede3-cbc-hmac-sha1"
289 +#define NID_tls12_des_ede3_cbc_hmac_sha1                962
290 +
291 +#define SN_tls12_aes_128_cbc_hmac_sha1          "TLS12-AES-128-CBC-HMAC-SHA1"
292 +#define LN_tls12_aes_128_cbc_hmac_sha1          "tls12-aes-128-cbc-hmac-sha1"
293 +#define NID_tls12_aes_128_cbc_hmac_sha1         963
294 +
295 +#define SN_tls12_aes_256_cbc_hmac_sha1          "TLS12-AES-256-CBC-HMAC-SHA1"
296 +#define LN_tls12_aes_256_cbc_hmac_sha1          "tls12-aes-256-cbc-hmac-sha1"
297 +#define NID_tls12_aes_256_cbc_hmac_sha1         964
298 +
299 +#define SN_tls12_aes_128_cbc_hmac_sha256                "TLS12-AES-128-CBC-HMAC-SHA256"
300 +#define LN_tls12_aes_128_cbc_hmac_sha256                "tls12-aes-128-cbc-hmac-sha256"
301 +#define NID_tls12_aes_128_cbc_hmac_sha256               965
302 +
303 +#define SN_tls12_aes_256_cbc_hmac_sha256                "TLS12-AES-256-CBC-HMAC-SHA256"
304 +#define LN_tls12_aes_256_cbc_hmac_sha256                "tls12-aes-256-cbc-hmac-sha256"
305 +#define NID_tls12_aes_256_cbc_hmac_sha256               966
306 +
307  #define SN_dhpublicnumber               "dhpublicnumber"
308  #define LN_dhpublicnumber               "X9.42 DH"
309  #define NID_dhpublicnumber              920
310 diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
311 index 02f1728..401be03 100644
312 --- a/crypto/objects/obj_mac.num
313 +++ b/crypto/objects/obj_mac.num
314 @@ -959,3 +959,8 @@ des_ede3_cbc_hmac_sha1              958
315  tls11_des_ede3_cbc_hmac_sha1           959
316  tls11_aes_128_cbc_hmac_sha1            960
317  tls11_aes_256_cbc_hmac_sha1            961
318 +tls12_des_ede3_cbc_hmac_sha1           962
319 +tls12_aes_128_cbc_hmac_sha1            963
320 +tls12_aes_256_cbc_hmac_sha1            964
321 +tls12_aes_128_cbc_hmac_sha256          965
322 +tls12_aes_256_cbc_hmac_sha256          966
323 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
324 index cda81da..68a8da8 100644
325 --- a/crypto/objects/objects.txt
326 +++ b/crypto/objects/objects.txt
327 @@ -1298,6 +1298,11 @@ kisa 1 6                : SEED-OFB      : seed-ofb
328                         : TLS11-DES-EDE3-CBC-HMAC-SHA1  : tls11-des-ede3-cbc-hmac-sha1
329                         : TLS11-AES-128-CBC-HMAC-SHA1   : tls11-aes-128-cbc-hmac-sha1
330                         : TLS11-AES-256-CBC-HMAC-SHA1   : tls11-aes-256-cbc-hmac-sha1
331 +                       : TLS12-DES-EDE3-CBC-HMAC-SHA1  : tls12-des-ede3-cbc-hmac-sha1
332 +                       : TLS12-AES-128-CBC-HMAC-SHA1   : tls12-aes-128-cbc-hmac-sha1
333 +                       : TLS12-AES-256-CBC-HMAC-SHA1   : tls12-aes-256-cbc-hmac-sha1
334 +                       : TLS12-AES-128-CBC-HMAC-SHA256 : tls12-aes-128-cbc-hmac-sha256
335 +                       : TLS12-AES-256-CBC-HMAC-SHA256 : tls12-aes-256-cbc-hmac-sha256
336  
337  ISO-US 10046 2 1       : dhpublicnumber                : X9.42 DH
338  
339 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
340 index e3d73ac..4698528 100644
341 --- a/ssl/ssl_ciph.c
342 +++ b/ssl/ssl_ciph.c
343 @@ -690,6 +690,31 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
344                   c->algorithm_mac == SSL_SHA1 &&
345                   (evp = EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1")))
346              *enc = evp, *md = NULL;
347 +        else if (s->ssl_version == TLS1_2_VERSION &&
348 +                 c->algorithm_enc == SSL_3DES &&
349 +                 c->algorithm_mac == SSL_SHA1 &&
350 +                 (evp=EVP_get_cipherbyname("TLS12-DES-EDE3-CBC-HMAC-SHA1")))
351 +            *enc = evp, *md = NULL;
352 +        else if (s->ssl_version == TLS1_2_VERSION &&
353 +                 c->algorithm_enc == SSL_AES128 &&
354 +                 c->algorithm_mac == SSL_SHA1 &&
355 +                 (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA1")))
356 +            *enc = evp, *md = NULL;
357 +        else if (s->ssl_version == TLS1_2_VERSION &&
358 +                 c->algorithm_enc == SSL_AES256 &&
359 +                 c->algorithm_mac == SSL_SHA1 &&
360 +                 (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA1")))
361 +            *enc = evp, *md = NULL;
362 +        else if (s->ssl_version == TLS1_2_VERSION &&
363 +                 c->algorithm_enc == SSL_AES128 &&
364 +                 c->algorithm_mac == SSL_SHA256 &&
365 +                 (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA256")))
366 +            *enc = evp, *md = NULL;
367 +        else if (s->ssl_version == TLS1_2_VERSION &&
368 +                 c->algorithm_enc == SSL_AES256 &&
369 +                 c->algorithm_mac == SSL_SHA256 &&
370 +                 (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA256")))
371 +            *enc = evp, *md = NULL;
372          return (1);
373      } else
374          return (0);
375 -- 
376 2.7.0
377