code.ossystems Code Review - meta-freescale.git/blob

   1 From a58703e6601fcfcfe69fdb3e7152ed76b40d67e9 Mon Sep 17 00:00:00 2001
   2 From: Tudor Ambarus <tudor.ambarus@freescale.com>
   3 Date: Tue, 31 Mar 2015 16:32:35 +0300
   4 Subject: [PATCH 20/26] eng_cryptodev: add support for TLSv1.2 record offload
   5
   6 Supported cipher suites:
   7 - 3des-ede-cbc-sha
   8 - aes-128-cbc-hmac-sha
   9 - aes-256-cbc-hmac-sha
  10 - aes-128-cbc-hmac-sha256
  11 - aes-256-cbc-hmac-sha256
  12
  13 Requires TLS patches on cryptodev and TLS algorithm support in Linux
  14 kernel driver.
  15
  16 Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
  17 Change-Id: I0ac6953dd62e2655a59d8f3eaefd012b7ecebf55
  18 Reviewed-on: http://git.am.freescale.net:8181/34003
  19 Reviewed-by: Cristian Stoica <cristian.stoica@freescale.com>
  20 Tested-by: Cristian Stoica <cristian.stoica@freescale.com>
  21 ---
  22  crypto/engine/eng_cryptodev.c | 123 ++++++++++++++++++++++++++++++++++++++++++
  23  crypto/objects/obj_dat.h      |  26 +++++++--
  24  crypto/objects/obj_mac.h      |  20 +++++++
  25  crypto/objects/obj_mac.num    |   5 ++
  26  crypto/objects/objects.txt    |   5 ++
  27  ssl/ssl_ciph.c                |  25 +++++++++
  28  6 files changed, 201 insertions(+), 3 deletions(-)
  29
  30 diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
  31 index f71ab27..fa5fe1b 100644
  32 --- a/crypto/engine/eng_cryptodev.c
  33 +++ b/crypto/engine/eng_cryptodev.c
  34 @@ -140,6 +140,11 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
  35  const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1;
  36  const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1;
  37  const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1;
  38 +const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1;
  39 +const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1;
  40 +const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1;
  41 +const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256;
  42 +const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256;
  43
  44  inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin,  int *bin_len)
  45  {
  46 @@ -263,6 +268,11 @@ static struct {
  47         { CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8, 24, 20},
  48         { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16, 20},
  49         { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32, 20},
  50 +       { CRYPTO_TLS12_3DES_CBC_HMAC_SHA1, NID_tls12_des_ede3_cbc_hmac_sha1, 8, 24, 20},
  51 +       { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_128_cbc_hmac_sha1, 16, 16, 20},
  52 +       { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_256_cbc_hmac_sha1, 16, 32, 20},
  53 +       { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_128_cbc_hmac_sha256, 16, 16, 32},
  54 +       { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_256_cbc_hmac_sha256, 16, 32, 32},
  55         { CRYPTO_AES_GCM,       NID_aes_128_gcm,  16, 16, 0},
  56         { 0, NID_undef, 0, 0, 0},
  57  };
  58 @@ -487,6 +497,21 @@ cryptodev_usable_ciphers(const int **nids)
  59                 case NID_tls11_aes_256_cbc_hmac_sha1:
  60                         EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1);
  61                         break;
  62 +               case NID_tls12_des_ede3_cbc_hmac_sha1:
  63 +                       EVP_add_cipher(&cryptodev_tls12_3des_cbc_hmac_sha1);
  64 +                       break;
  65 +               case NID_tls12_aes_128_cbc_hmac_sha1:
  66 +                       EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha1);
  67 +                       break;
  68 +               case NID_tls12_aes_256_cbc_hmac_sha1:
  69 +                       EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha1);
  70 +                       break;
  71 +               case NID_tls12_aes_128_cbc_hmac_sha256:
  72 +                       EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha256);
  73 +                       break;
  74 +               case NID_tls12_aes_256_cbc_hmac_sha256:
  75 +                       EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha256);
  76 +                       break;
  77                 }
  78         }
  79         return count;
  80 @@ -596,6 +621,11 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  81         case NID_tls11_des_ede3_cbc_hmac_sha1:
  82         case NID_tls11_aes_128_cbc_hmac_sha1:
  83         case NID_tls11_aes_256_cbc_hmac_sha1:
  84 +       case NID_tls12_des_ede3_cbc_hmac_sha1:
  85 +       case NID_tls12_aes_128_cbc_hmac_sha1:
  86 +       case NID_tls12_aes_256_cbc_hmac_sha1:
  87 +       case NID_tls12_aes_128_cbc_hmac_sha256:
  88 +       case NID_tls12_aes_256_cbc_hmac_sha256:
  89                 cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
  90         }
  91         cryp.ses = sess->ses;
  92 @@ -795,9 +825,17 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
  93                 case NID_tls11_des_ede3_cbc_hmac_sha1:
  94                 case NID_tls11_aes_128_cbc_hmac_sha1:
  95                 case NID_tls11_aes_256_cbc_hmac_sha1:
  96 +               case NID_tls12_des_ede3_cbc_hmac_sha1:
  97 +               case NID_tls12_aes_128_cbc_hmac_sha1:
  98 +               case NID_tls12_aes_256_cbc_hmac_sha1:
  99                         maclen = SHA_DIGEST_LENGTH;
 100                         aad_needs_fix = true;
 101                         break;
 102 +               case NID_tls12_aes_128_cbc_hmac_sha256:
 103 +               case NID_tls12_aes_256_cbc_hmac_sha256:
 104 +                       maclen = SHA256_DIGEST_LENGTH;
 105 +                       aad_needs_fix = true;
 106 +                       break;
 107                 }
 108
 109                 /* Correct length for AAD Length field */
 110 @@ -1207,6 +1245,76 @@ const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = {
 111         NULL
 112  };
 113
 114 +const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1 = {
 115 +       NID_tls12_des_ede3_cbc_hmac_sha1,
 116 +       8, 24, 8,
 117 +       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
 118 +       cryptodev_init_aead_key,
 119 +       cryptodev_aead_cipher,
 120 +       cryptodev_cleanup,
 121 +       sizeof(struct dev_crypto_state),
 122 +       EVP_CIPHER_set_asn1_iv,
 123 +       EVP_CIPHER_get_asn1_iv,
 124 +       cryptodev_cbc_hmac_sha1_ctrl,
 125 +       NULL
 126 +};
 127 +
 128 +const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1 = {
 129 +       NID_tls12_aes_128_cbc_hmac_sha1,
 130 +       16, 16, 16,
 131 +       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
 132 +       cryptodev_init_aead_key,
 133 +       cryptodev_aead_cipher,
 134 +       cryptodev_cleanup,
 135 +       sizeof(struct dev_crypto_state),
 136 +       EVP_CIPHER_set_asn1_iv,
 137 +       EVP_CIPHER_get_asn1_iv,
 138 +       cryptodev_cbc_hmac_sha1_ctrl,
 139 +       NULL
 140 +};
 141 +
 142 +const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1 = {
 143 +       NID_tls12_aes_256_cbc_hmac_sha1,
 144 +       16, 32, 16,
 145 +       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
 146 +       cryptodev_init_aead_key,
 147 +       cryptodev_aead_cipher,
 148 +       cryptodev_cleanup,
 149 +       sizeof(struct dev_crypto_state),
 150 +       EVP_CIPHER_set_asn1_iv,
 151 +       EVP_CIPHER_get_asn1_iv,
 152 +       cryptodev_cbc_hmac_sha1_ctrl,
 153 +       NULL
 154 +};
 155 +
 156 +const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256 = {
 157 +       NID_tls12_aes_128_cbc_hmac_sha256,
 158 +       16, 16, 16,
 159 +       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
 160 +       cryptodev_init_aead_key,
 161 +       cryptodev_aead_cipher,
 162 +       cryptodev_cleanup,
 163 +       sizeof(struct dev_crypto_state),
 164 +       EVP_CIPHER_set_asn1_iv,
 165 +       EVP_CIPHER_get_asn1_iv,
 166 +       cryptodev_cbc_hmac_sha1_ctrl,
 167 +       NULL
 168 +};
 169 +
 170 +const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256 = {
 171 +       NID_tls12_aes_256_cbc_hmac_sha256,
 172 +       16, 32, 16,
 173 +       EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
 174 +       cryptodev_init_aead_key,
 175 +       cryptodev_aead_cipher,
 176 +       cryptodev_cleanup,
 177 +       sizeof(struct dev_crypto_state),
 178 +       EVP_CIPHER_set_asn1_iv,
 179 +       EVP_CIPHER_get_asn1_iv,
 180 +       cryptodev_cbc_hmac_sha1_ctrl,
 181 +       NULL
 182 +};
 183 +
 184  const EVP_CIPHER cryptodev_aes_128_gcm = {
 185         NID_aes_128_gcm,
 186         1, 16, 12,
 187 @@ -1281,6 +1389,21 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
 188         case NID_tls11_aes_256_cbc_hmac_sha1:
 189                 *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1;
 190                 break;
 191 +       case NID_tls12_des_ede3_cbc_hmac_sha1:
 192 +               *cipher = &cryptodev_tls12_3des_cbc_hmac_sha1;
 193 +               break;
 194 +       case NID_tls12_aes_128_cbc_hmac_sha1:
 195 +               *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha1;
 196 +               break;
 197 +       case NID_tls12_aes_256_cbc_hmac_sha1:
 198 +               *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha1;
 199 +               break;
 200 +       case NID_tls12_aes_128_cbc_hmac_sha256:
 201 +               *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha256;
 202 +               break;
 203 +       case NID_tls12_aes_256_cbc_hmac_sha256:
 204 +               *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha256;
 205 +               break;
 206         default:
 207                 *cipher = NULL;
 208                 break;
 209 diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
 210 index dc89b0a..dfe19da 100644
 211 --- a/crypto/objects/obj_dat.h
 212 +++ b/crypto/objects/obj_dat.h
 213 @@ -62,9 +62,9 @@
 214   * [including the GNU Public Licence.]
 215   */
 216
 217 -#define NUM_NID 924
 218 -#define NUM_SN 917
 219 -#define NUM_LN 917
 220 +#define NUM_NID 929
 221 +#define NUM_SN 922
 222 +#define NUM_LN 922
 223  #define NUM_OBJ 857
 224
 225  static const unsigned char lvalues[5974]={
 226 @@ -2407,6 +2407,16 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
 227         NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0},
 228  {"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1",
 229         NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0},
 230 +{"TLS12-DES-EDE3-CBC-HMAC-SHA1","tls12-des-ede3-cbc-hmac-sha1",
 231 +       NID_tls12_des_ede3_cbc_hmac_sha1,0,NULL,0},
 232 +{"TLS12-AES-128-CBC-HMAC-SHA1","tls12-aes-128-cbc-hmac-sha1",
 233 +       NID_tls12_aes_128_cbc_hmac_sha1,0,NULL,0},
 234 +{"TLS12-AES-256-CBC-HMAC-SHA1","tls12-aes-256-cbc-hmac-sha1",
 235 +       NID_tls12_aes_256_cbc_hmac_sha1,0,NULL,0},
 236 +{"TLS12-AES-128-CBC-HMAC-SHA256","tls12-aes-128-cbc-hmac-sha256",
 237 +       NID_tls12_aes_128_cbc_hmac_sha256,0,NULL,0},
 238 +{"TLS12-AES-256-CBC-HMAC-SHA256","tls12-aes-256-cbc-hmac-sha256",
 239 +       NID_tls12_aes_256_cbc_hmac_sha256,0,NULL,0},
 240  };
 241
 242  static const unsigned int sn_objs[NUM_SN]={
 243 @@ -2595,6 +2605,11 @@ static const unsigned int sn_objs[NUM_SN]={
 244  922,   /* "TLS11-AES-128-CBC-HMAC-SHA1" */
 245  923,   /* "TLS11-AES-256-CBC-HMAC-SHA1" */
 246  921,   /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */
 247 +925,   /* "TLS12-AES-128-CBC-HMAC-SHA1" */
 248 +927,   /* "TLS12-AES-128-CBC-HMAC-SHA256" */
 249 +926,   /* "TLS12-AES-256-CBC-HMAC-SHA1" */
 250 +928,   /* "TLS12-AES-256-CBC-HMAC-SHA256" */
 251 +924,   /* "TLS12-DES-EDE3-CBC-HMAC-SHA1" */
 252  458,   /* "UID" */
 253   0,    /* "UNDEF" */
 254  11,    /* "X500" */
 255 @@ -4217,6 +4232,11 @@ static const unsigned int ln_objs[NUM_LN]={
 256  922,   /* "tls11-aes-128-cbc-hmac-sha1" */
 257  923,   /* "tls11-aes-256-cbc-hmac-sha1" */
 258  921,   /* "tls11-des-ede3-cbc-hmac-sha1" */
 259 +925,   /* "tls12-aes-128-cbc-hmac-sha1" */
 260 +927,   /* "tls12-aes-128-cbc-hmac-sha256" */
 261 +926,   /* "tls12-aes-256-cbc-hmac-sha1" */
 262 +928,   /* "tls12-aes-256-cbc-hmac-sha256" */
 263 +924,   /* "tls12-des-ede3-cbc-hmac-sha1" */
 264  682,   /* "tpBasis" */
 265  436,   /* "ucl" */
 266   0,    /* "undefined" */
 267 diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
 268 index f181890..5af125e 100644
 269 --- a/crypto/objects/obj_mac.h
 270 +++ b/crypto/objects/obj_mac.h
 271 @@ -4046,3 +4046,23 @@
 272  #define LN_tls11_aes_256_cbc_hmac_sha1         "tls11-aes-256-cbc-hmac-sha1"
 273  #define NID_tls11_aes_256_cbc_hmac_sha1                923
 274
 275 +#define SN_tls12_des_ede3_cbc_hmac_sha1                "TLS12-DES-EDE3-CBC-HMAC-SHA1"
 276 +#define LN_tls12_des_ede3_cbc_hmac_sha1                "tls12-des-ede3-cbc-hmac-sha1"
 277 +#define NID_tls12_des_ede3_cbc_hmac_sha1               924
 278 +
 279 +#define SN_tls12_aes_128_cbc_hmac_sha1         "TLS12-AES-128-CBC-HMAC-SHA1"
 280 +#define LN_tls12_aes_128_cbc_hmac_sha1         "tls12-aes-128-cbc-hmac-sha1"
 281 +#define NID_tls12_aes_128_cbc_hmac_sha1                925
 282 +
 283 +#define SN_tls12_aes_256_cbc_hmac_sha1         "TLS12-AES-256-CBC-HMAC-SHA1"
 284 +#define LN_tls12_aes_256_cbc_hmac_sha1         "tls12-aes-256-cbc-hmac-sha1"
 285 +#define NID_tls12_aes_256_cbc_hmac_sha1                926
 286 +
 287 +#define SN_tls12_aes_128_cbc_hmac_sha256               "TLS12-AES-128-CBC-HMAC-SHA256"
 288 +#define LN_tls12_aes_128_cbc_hmac_sha256               "tls12-aes-128-cbc-hmac-sha256"
 289 +#define NID_tls12_aes_128_cbc_hmac_sha256              927
 290 +
 291 +#define SN_tls12_aes_256_cbc_hmac_sha256               "TLS12-AES-256-CBC-HMAC-SHA256"
 292 +#define LN_tls12_aes_256_cbc_hmac_sha256               "tls12-aes-256-cbc-hmac-sha256"
 293 +#define NID_tls12_aes_256_cbc_hmac_sha256              928
 294 +
 295 diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
 296 index a02b58c..deeba3a 100644
 297 --- a/crypto/objects/obj_mac.num
 298 +++ b/crypto/objects/obj_mac.num
 299 @@ -921,3 +921,8 @@ des_ede3_cbc_hmac_sha1              920
 300  tls11_des_ede3_cbc_hmac_sha1           921
 301  tls11_aes_128_cbc_hmac_sha1            922
 302  tls11_aes_256_cbc_hmac_sha1            923
 303 +tls12_des_ede3_cbc_hmac_sha1           924
 304 +tls12_aes_128_cbc_hmac_sha1            925
 305 +tls12_aes_256_cbc_hmac_sha1            926
 306 +tls12_aes_128_cbc_hmac_sha256          927
 307 +tls12_aes_256_cbc_hmac_sha256          928
 308 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
 309 index 1973658..6e4ac93 100644
 310 --- a/crypto/objects/objects.txt
 311 +++ b/crypto/objects/objects.txt
 312 @@ -1294,3 +1294,8 @@ kisa 1 6                : SEED-OFB      : seed-ofb
 313                         : TLS11-DES-EDE3-CBC-HMAC-SHA1  : tls11-des-ede3-cbc-hmac-sha1
 314                         : TLS11-AES-128-CBC-HMAC-SHA1   : tls11-aes-128-cbc-hmac-sha1
 315                         : TLS11-AES-256-CBC-HMAC-SHA1   : tls11-aes-256-cbc-hmac-sha1
 316 +                       : TLS12-DES-EDE3-CBC-HMAC-SHA1  : tls12-des-ede3-cbc-hmac-sha1
 317 +                       : TLS12-AES-128-CBC-HMAC-SHA1   : tls12-aes-128-cbc-hmac-sha1
 318 +                       : TLS12-AES-256-CBC-HMAC-SHA1   : tls12-aes-256-cbc-hmac-sha1
 319 +                       : TLS12-AES-128-CBC-HMAC-SHA256 : tls12-aes-128-cbc-hmac-sha256
 320 +                       : TLS12-AES-256-CBC-HMAC-SHA256 : tls12-aes-256-cbc-hmac-sha256
 321 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
 322 index 0408986..77a82f6 100644
 323 --- a/ssl/ssl_ciph.c
 324 +++ b/ssl/ssl_ciph.c
 325 @@ -661,6 +661,31 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 326                          c->algorithm_mac == SSL_SHA1 &&
 327                          (evp=EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1")))
 328                         *enc = evp, *md = NULL;
 329 +               else if (s->ssl_version == TLS1_2_VERSION &&
 330 +                        c->algorithm_enc == SSL_3DES &&
 331 +                        c->algorithm_mac == SSL_SHA1 &&
 332 +                        (evp=EVP_get_cipherbyname("TLS12-DES-EDE3-CBC-HMAC-SHA1")))
 333 +                       *enc = evp, *md = NULL;
 334 +               else if (s->ssl_version == TLS1_2_VERSION &&
 335 +                        c->algorithm_enc == SSL_AES128 &&
 336 +                        c->algorithm_mac == SSL_SHA1 &&
 337 +                        (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA1")))
 338 +                       *enc = evp, *md = NULL;
 339 +               else if (s->ssl_version == TLS1_2_VERSION &&
 340 +                        c->algorithm_enc == SSL_AES256 &&
 341 +                        c->algorithm_mac == SSL_SHA1 &&
 342 +                        (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA1")))
 343 +                       *enc = evp, *md = NULL;
 344 +               else if (s->ssl_version == TLS1_2_VERSION &&
 345 +                        c->algorithm_enc == SSL_AES128 &&
 346 +                        c->algorithm_mac == SSL_SHA256 &&
 347 +                        (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA256")))
 348 +                       *enc = evp, *md = NULL;
 349 +               else if (s->ssl_version == TLS1_2_VERSION &&
 350 +                        c->algorithm_enc == SSL_AES256 &&
 351 +                        c->algorithm_mac == SSL_SHA256 &&
 352 +                        (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA256")))
 353 +                       *enc = evp, *md = NULL;
 354                 return(1);
 355                 }
 356         else
 357 --
 358 2.3.5
 359