openssl: add sdk-v1.8 patches
authorCristian Stoica <cristian.stoica@freescale.com>
Fri, 17 Jul 2015 09:29:43 +0000 (17:29 +0800)
committerOtavio Salvador <otavio@ossystems.com.br>
Wed, 29 Jul 2015 02:26:58 +0000 (23:26 -0300)
This imports the following changes:
eng_cryptodev: extend TLS offload with 3des_cbc_hmac_sha1
eng_cryptodev: add support for TLSv1.1 record offload
eng_cryptodev: add support for TLSv1.2 record offload
cryptodev: drop redundant function
cryptodev: do not zero the buffer before use
cryptodev: clean-up code layout
cryptodev: do not cache file descriptor in 'open'
cryptodev: put_dev_crypto should be an int
cryptodev: simplify cryptodev pkc support code

Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com>
Acked-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
27 files changed:
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0001-remove-double-initialization-of-cryptodev-engine.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0002-eng_cryptodev-add-support-for-TLS-algorithms-offload.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0003-cryptodev-fix-algorithm-registration.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0004-linux-pcc-make-it-more-robust-and-recognize-KERNEL_B.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0005-ECC-Support-header-for-Cryptodev-Engine.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0006-Fixed-private-key-support-for-DH.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0007-Fixed-private-key-support-for-DH.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0008-Initial-support-for-PKC-in-cryptodev-engine.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0009-Added-hwrng-dev-file-as-source-of-RNG.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0010-Asynchronous-interface-added-for-PKC-cryptodev-inter.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0011-Add-RSA-keygen-operation-and-support-gendsa-command-.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0012-RSA-Keygen-Fix.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0013-Removed-local-copy-of-curve_t-type.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0014-Modulus-parameter-is-not-populated-by-dhparams.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0015-SW-Backoff-mechanism-for-dsa-keygen.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0016-Fixed-DH-keygen-pair-generator.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0017-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0018-eng_cryptodev-extend-TLS-offload-with-3des_cbc_hmac_.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0021-cryptodev-drop-redundant-function.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0022-cryptodev-do-not-zero-the-buffer-before-use.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0023-cryptodev-clean-up-code-layout.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0024-cryptodev-do-not-cache-file-descriptor-in-open.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0025-cryptodev-put_dev_crypto-should-be-an-int.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0026-cryptodev-simplify-cryptodev-pkc-support-code.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-connectivity/openssl/openssl_1.0.1i.bbappend

index 233cf6e255da0eaf2264f8702f9a83ee24c2b818..e7b874f5fbf6f77961200452fc11c60aab7d55ab 100644 (file)
@@ -1,7 +1,7 @@
 From 9297e3834518ff0558d6e7004a62adfd107e659a Mon Sep 17 00:00:00 2001
 From: Cristian Stoica <cristian.stoica@freescale.com>
 Date: Tue, 10 Sep 2013 12:46:46 +0300
-Subject: [PATCH 01/17] remove double initialization of cryptodev engine
+Subject: [PATCH 01/26] remove double initialization of cryptodev engine
 
 cryptodev engine is initialized together with the other engines in
 ENGINE_load_builtin_engines. The initialization done through
@@ -79,5 +79,5 @@ index aa86b2b..ae50040 100755
  EVP_aes_128_cfb8                        3248  EXIST::FUNCTION:AES
  FIPS_corrupt_rsa                        3249  NOEXIST::FUNCTION:
 -- 
-1.8.3.1
+2.3.5
 
index 0b77bfa8dfeebfc2122aa4adb426741709e576e5..ab2b7ea91f7157bd03271c29528e0bb0040da47e 100644 (file)
@@ -1,7 +1,7 @@
 From dfd6ba263dc25ea2a4bbc32448b24ca2b1fc40e8 Mon Sep 17 00:00:00 2001
 From: Cristian Stoica <cristian.stoica@freescale.com>
 Date: Thu, 29 Aug 2013 16:51:18 +0300
-Subject: [PATCH 02/17] eng_cryptodev: add support for TLS algorithms offload
+Subject: [PATCH 02/26] eng_cryptodev: add support for TLS algorithms offload
 
 - aes-128-cbc-hmac-sha1
 - aes-256-cbc-hmac-sha1
@@ -313,5 +313,5 @@ index 5a715ac..7588a28 100644
            !ENGINE_set_name(engine, "BSD cryptodev engine") ||
            !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
 -- 
-1.8.3.1
+2.3.5
 
index b31668e19490fb0a529f82bf17a19a5479a45bb7..f0d97e9a17b2c4a5be0301424cd75f014cc197a4 100644 (file)
@@ -1,7 +1,7 @@
 From 084fa469a8fef530d71a0870364df1c7997f6465 Mon Sep 17 00:00:00 2001
 From: Cristian Stoica <cristian.stoica@freescale.com>
 Date: Thu, 31 Jul 2014 14:06:19 +0300
-Subject: [PATCH 03/17] cryptodev: fix algorithm registration
+Subject: [PATCH 03/26] cryptodev: fix algorithm registration
 
 Cryptodev specific algorithms must register only if available in kernel.
 
@@ -60,5 +60,5 @@ index 7588a28..e3eb98b 100644
            !ENGINE_set_name(engine, "BSD cryptodev engine") ||
            !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
 -- 
-1.8.3.1
+2.3.5
 
index af30ad3dc780f1f8bb2fa23e10b59d497e12ab7d..2d722d8a2a53ea5213fd7b81cb7b1735bf3388f8 100644 (file)
@@ -1,7 +1,7 @@
 From 7d770f0324498d1fa78300cc5cecc8c1dcd3b788 Mon Sep 17 00:00:00 2001
 From: Andy Polyakov <appro@openssl.org>
 Date: Sun, 21 Oct 2012 18:19:41 +0000
-Subject: [PATCH 04/17] linux-pcc: make it more robust and recognize
+Subject: [PATCH 04/26] linux-pcc: make it more robust and recognize
  KERNEL_BITS variable.
 
 (cherry picked from commit 78c3e20579d3baa159c8b51b59d415b6e521614b)
@@ -70,5 +70,5 @@ index f71ba66..531f1b3 100644
                        {
                        OPENSSL_ppc64_probe();
 -- 
-1.8.3.1
+2.3.5
 
index cfcf4a663795e33a5bbed92c9da8799d04a76f20..c9ff5aa8ca16dbb27bd0ba62ad5cebcc808cf2b3 100644 (file)
@@ -1,7 +1,7 @@
 From 15abbcd740eafbf2a46b5da24be76acf4982743d Mon Sep 17 00:00:00 2001
 From: Yashpal Dutta <yashpal.dutta@freescale.com>
 Date: Tue, 11 Mar 2014 05:56:54 +0545
-Subject: [PATCH 05/17] ECC Support header for Cryptodev Engine
+Subject: [PATCH 05/26] ECC Support header for Cryptodev Engine
 
 Upstream-status: Pending
 
@@ -314,5 +314,5 @@ index 0000000..77aee71
 +};
 +#endif
 -- 
-1.8.3.1
+2.3.5
 
index 41f48a2f4389d7099f7cc37d23a7d85adda9f15f..01c268b6fff0d5a45ae062e12a70888ee2359f75 100644 (file)
@@ -1,7 +1,7 @@
 From 39a9e609290a8a1163a721915bcde0c7cf8f92f7 Mon Sep 17 00:00:00 2001
 From: Yashpal Dutta <yashpal.dutta@freescale.com>
 Date: Tue, 11 Mar 2014 05:57:47 +0545
-Subject: [PATCH 06/17] Fixed private key support for DH
+Subject: [PATCH 06/26] Fixed private key support for DH
 
 Upstream-status: Pending
 
@@ -29,5 +29,5 @@ index 02ec2d4..ed32004 100644
        return 1;
        }
 -- 
-1.8.3.1
+2.3.5
 
index f507fff7ebb737cf39216f7b87639a2e59469a8a..12fcd7df7d785619a9def8d85e8ff76d64ce0ac4 100644 (file)
@@ -1,7 +1,7 @@
 From 8322e4157bf49d992b5b9e460f2c0785865dd1c1 Mon Sep 17 00:00:00 2001
 From: Yashpal Dutta <yashpal.dutta@freescale.com>
 Date: Thu, 20 Mar 2014 19:55:51 -0500
-Subject: [PATCH 07/17] Fixed private key support for DH
+Subject: [PATCH 07/26] Fixed private key support for DH
 
 Upstream-status: Pending
 
@@ -31,5 +31,5 @@ index ed32004..02ec2d4 100644
        return 1;
        }
 -- 
-1.8.3.1
+2.3.5
 
index 6903c88d00208685924e3c879b6895ef8295b28c..8c8b1f228b15f3404d9f57cd6c34a99d22a89e13 100644 (file)
@@ -1,7 +1,7 @@
 From 107a10d45db0f2e58482f698add04ed9183f7268 Mon Sep 17 00:00:00 2001
 From: Yashpal Dutta <yashpal.dutta@freescale.com>
 Date: Tue, 11 Mar 2014 06:29:52 +0545
-Subject: [PATCH 08/17] Initial support for PKC in cryptodev engine
+Subject: [PATCH 08/26] Initial support for PKC in cryptodev engine
 
 Upstream-status: Pending
 
@@ -1560,5 +1560,5 @@ index e3eb98b..7ee314b 100644
        }
  
 -- 
-1.8.3.1
+2.3.5
 
index 6a69c32441d35c548156eced0fc89217f18af1ea..0fb018217db55bbd83f3b39f8076c1af0bb682b7 100644 (file)
@@ -1,7 +1,7 @@
 From 81c4c62a4f5f5542843381bfb34e39a6171d5cdd Mon Sep 17 00:00:00 2001
 From: Yashpal Dutta <yashpal.dutta@freescale.com>
 Date: Tue, 11 Mar 2014 06:42:59 +0545
-Subject: [PATCH 09/17] Added hwrng dev file as source of RNG
+Subject: [PATCH 09/26] Added hwrng dev file as source of RNG
 
 Upstream-status: Pending
 
@@ -24,5 +24,5 @@ index 6a0aad1..57c0563 100644
  #ifndef DEVRANDOM_EGD
  /* set this to a comma-seperated list of 'egd' sockets to try out. These
 -- 
-1.8.3.1
+2.3.5
 
index b7702d1008178907dc1f7bcd12a5c5e640605d10..0f889c0fc6fedd6904bf5c88d4482aee0f98f64a 100644 (file)
@@ -1,7 +1,7 @@
 From a933e6341fd8989bdd82f8a5446b6f04aa00eef9 Mon Sep 17 00:00:00 2001
 From: Yashpal Dutta <yashpal.dutta@freescale.com>
 Date: Tue, 11 Mar 2014 07:14:30 +0545
-Subject: [PATCH 10/17] Asynchronous interface added for PKC cryptodev
+Subject: [PATCH 10/26] Asynchronous interface added for PKC cryptodev
  interface
 
 Upstream-status: Pending
@@ -2035,5 +2035,5 @@ index 5f269e5..6ef1b15 100644
        int (*finish)(RSA *rsa);        /* called at free */
        int flags;                      /* RSA_METHOD_FLAG_* things */
 -- 
-1.8.3.1
+2.3.5
 
index 5e742986c19abde1090e6746c57d2cc403990f71..244d230ec75d5ec5821608b1e6353a51e66e138c 100644 (file)
@@ -1,7 +1,7 @@
 From e4fc051f8ae1c093b25ca346c2ec351ff3b700d1 Mon Sep 17 00:00:00 2001
 From: Hou Zhiqiang <B48286@freescale.com>
 Date: Wed, 2 Apr 2014 16:10:43 +0800
-Subject: [PATCH 11/17] Add RSA keygen operation and support gendsa command
+Subject: [PATCH 11/26] Add RSA keygen operation and support gendsa command
  with hardware engine
 
 Upstream-status: Pending
@@ -149,5 +149,5 @@ index 9f2416e..b2919a8 100644
        }
  
 -- 
-1.8.3.1
+2.3.5
 
index 44899733218cd26af013e6daf9ed9786eedf0bcb..7f907da4a0614de2fcebee21c3dba24530c77d98 100644 (file)
@@ -1,7 +1,7 @@
 From ac777f046da7151386d667391362ecb553ceee90 Mon Sep 17 00:00:00 2001
 From: Yashpal Dutta <yashpal.dutta@freescale.com>
 Date: Wed, 16 Apr 2014 22:53:04 +0545
-Subject: [PATCH 12/17] RSA Keygen Fix
+Subject: [PATCH 12/26] RSA Keygen Fix
 
 Upstream-status: Pending
 
@@ -60,5 +60,5 @@ index b2919a8..ed5f20f 100644
        return ret;
  
 -- 
-1.8.3.1
+2.3.5
 
index 183f3fbd4572cc56a06b1a4b10b3e5ebc6dee934..c9d8ace865b024a55c2c38c6e124f839648c2241 100644 (file)
@@ -1,7 +1,7 @@
 From 6aaa306cdf878250d7b6eaf30978de313653886b Mon Sep 17 00:00:00 2001
 From: Yashpal Dutta <yashpal.dutta@freescale.com>
 Date: Thu, 17 Apr 2014 06:57:59 +0545
-Subject: [PATCH 13/17] Removed local copy of curve_t type
+Subject: [PATCH 13/26] Removed local copy of curve_t type
 
 Upstream-status: Pending
 
@@ -160,5 +160,5 @@ index 77aee71..a4b8da5 100644
 -};
  #endif
 -- 
-1.8.3.1
+2.3.5
 
index 46846f8f8694d62784d0cdb12b5d754f6cb031c6..198bed702bc7706c54aa8c9d6d7ce149157332e4 100644 (file)
@@ -1,7 +1,7 @@
 From 14623ca9e417ccef1ad3f4138acfac0ebe682f1f Mon Sep 17 00:00:00 2001
 From: Yashpal Dutta <yashpal.dutta@freescale.com>
 Date: Tue, 22 Apr 2014 22:58:33 +0545
-Subject: [PATCH 14/17] Modulus parameter is not populated by dhparams
+Subject: [PATCH 14/26] Modulus parameter is not populated by dhparams
 
 Upstream-status: Pending
 
@@ -39,5 +39,5 @@ index 5d883fa..6d69336 100644
        kop.crk_param[2].crp_p = g;
        kop.crk_param[2].crp_nbits = g_len * 8;
 -- 
-1.8.3.1
+2.3.5
 
index c20f9d71b6eb5348b66f5107d21968cea1ecb8be..59330a1e0aa0f631b4ea64879c3af0ef3abd0ca4 100644 (file)
@@ -1,7 +1,7 @@
 From 10be401a33e6ebcc325d6747914c70595cd53d0a Mon Sep 17 00:00:00 2001
 From: Yashpal Dutta <yashpal.dutta@freescale.com>
 Date: Thu, 24 Apr 2014 00:35:34 +0545
-Subject: [PATCH 15/17] SW Backoff mechanism for dsa keygen
+Subject: [PATCH 15/26] SW Backoff mechanism for dsa keygen
 
 Upstream-status: Pending
 
@@ -49,5 +49,5 @@ index 6d69336..dab8fea 100644
        }
        return ret;
 -- 
-1.8.3.1
+2.3.5
 
index abcc2efc41188bf4beb334e90f1c19654d595354..8923cb639da720e1e564f544fad4a9f96e5a7787 100644 (file)
@@ -1,7 +1,7 @@
 From d2c868c6370bcc0d0a254e641907da2cdf992d62 Mon Sep 17 00:00:00 2001
 From: Yashpal Dutta <yashpal.dutta@freescale.com>
 Date: Thu, 1 May 2014 06:35:45 +0545
-Subject: [PATCH 16/17] Fixed DH keygen pair generator
+Subject: [PATCH 16/26] Fixed DH keygen pair generator
 
 Upstream-status: Pending
 
@@ -96,5 +96,5 @@ index dab8fea..13d924f 100644
  sw_try:
        {
 -- 
-1.8.3.1
+2.3.5
 
index a71bb456019696a73b378b04a1be57fdd9e0189f..bd9e61ac0f112e12aca74e18eb404569860df561 100644 (file)
@@ -1,7 +1,7 @@
 From 11b55103463bac614e00d74e9f196ec4ec6bade1 Mon Sep 17 00:00:00 2001
 From: Cristian Stoica <cristian.stoica@freescale.com>
 Date: Mon, 16 Jun 2014 14:06:21 +0300
-Subject: [PATCH 17/17] cryptodev: add support for aes-gcm algorithm offloading
+Subject: [PATCH 17/26] cryptodev: add support for aes-gcm algorithm offloading
 
 Change-Id: I3b77dc5ef8b8f707309549244a02852d95b36168
 Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com>
@@ -305,5 +305,5 @@ index 13d924f..4493490 100644
                *cipher = NULL;
                break;
 -- 
-1.8.3.1
+2.3.5
 
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0018-eng_cryptodev-extend-TLS-offload-with-3des_cbc_hmac_.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0018-eng_cryptodev-extend-TLS-offload-with-3des_cbc_hmac_.patch
new file mode 100644 (file)
index 0000000..1118a6f
--- /dev/null
@@ -0,0 +1,193 @@
+From 21e3ca4ec77f9258aa4001f07faac1c4942b48b4 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@freescale.com>
+Date: Fri, 9 May 2014 17:54:06 +0300
+Subject: [PATCH 18/26] eng_cryptodev: extend TLS offload with
+ 3des_cbc_hmac_sha1
+
+Both obj_mac.h and obj_dat.h were generated using the scripts
+from crypto/objects:
+
+$ cd crypto/objects
+$ perl objects.pl objects.txt obj_mac.num obj_mac.h
+$ perl obj_dat.pl obj_mac.h obj_dat.h
+
+Change-Id: I94f13cdd09df67e33e6acd3c00aab47cb358ac46
+Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
+Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com>
+Reviewed-on: http://git.am.freescale.net:8181/34001
+---
+ crypto/engine/eng_cryptodev.c | 24 ++++++++++++++++++++++++
+ crypto/objects/obj_dat.h      | 10 +++++++---
+ crypto/objects/obj_mac.h      |  4 ++++
+ crypto/objects/obj_mac.num    |  1 +
+ crypto/objects/objects.txt    |  1 +
+ ssl/ssl_ciph.c                |  4 ++++
+ 6 files changed, 41 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index 79b2678..299e84b 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -135,6 +135,7 @@ static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
+ void ENGINE_load_cryptodev(void);
+ const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
++const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1;
+ inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin,  int *bin_len)
+ {
+@@ -252,6 +253,7 @@ static struct {
+       { CRYPTO_BLF_CBC,       NID_bf_cbc,       8,  16, 0},
+       { CRYPTO_CAST_CBC,      NID_cast5_cbc,    8,  16, 0},
+       { CRYPTO_SKIPJACK_CBC,  NID_undef,        0,  0,  0},
++      { CRYPTO_TLS10_3DES_CBC_HMAC_SHA1, NID_des_ede3_cbc_hmac_sha1, 8, 24, 20},
+       { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_128_cbc_hmac_sha1, 16, 16, 20},
+       { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20},
+       { CRYPTO_AES_GCM,       NID_aes_128_gcm,  16, 16, 0},
+@@ -466,6 +468,9 @@ cryptodev_usable_ciphers(const int **nids)
+               case NID_aes_256_cbc_hmac_sha1:
+                       EVP_add_cipher(&cryptodev_aes_256_cbc_hmac_sha1);
+                       break;
++              case NID_des_ede3_cbc_hmac_sha1:
++                      EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1);
++                      break;
+               }
+       }
+       return count;
+@@ -571,6 +576,7 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+       switch (ctx->cipher->nid) {
+       case NID_aes_128_cbc_hmac_sha1:
+       case NID_aes_256_cbc_hmac_sha1:
++      case NID_des_ede3_cbc_hmac_sha1:
+               cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
+       }
+       cryp.ses = sess->ses;
+@@ -763,6 +769,7 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
+               switch (ctx->cipher->nid) {
+               case NID_aes_128_cbc_hmac_sha1:
+               case NID_aes_256_cbc_hmac_sha1:
++              case NID_des_ede3_cbc_hmac_sha1:
+                       maclen = SHA_DIGEST_LENGTH;
+               }
+@@ -1082,6 +1089,20 @@ const EVP_CIPHER cryptodev_aes_256_cbc = {
+       NULL
+ };
++const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1 = {
++      NID_des_ede3_cbc_hmac_sha1,
++      8, 24, 8,
++      EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++      cryptodev_init_aead_key,
++      cryptodev_aead_cipher,
++      cryptodev_cleanup,
++      sizeof(struct dev_crypto_state),
++      EVP_CIPHER_set_asn1_iv,
++      EVP_CIPHER_get_asn1_iv,
++      cryptodev_cbc_hmac_sha1_ctrl,
++      NULL
++};
++
+ const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1 = {
+       NID_aes_128_cbc_hmac_sha1,
+       16, 16, 16,
+@@ -1163,6 +1184,9 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+       case NID_aes_256_cbc:
+               *cipher = &cryptodev_aes_256_cbc;
+               break;
++      case NID_des_ede3_cbc_hmac_sha1:
++              *cipher = &cryptodev_3des_cbc_hmac_sha1;
++              break;
+       case NID_aes_128_cbc_hmac_sha1:
+               *cipher = &cryptodev_aes_128_cbc_hmac_sha1;
+               break;
+diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
+index bc69665..9f2267a 100644
+--- a/crypto/objects/obj_dat.h
++++ b/crypto/objects/obj_dat.h
+@@ -62,9 +62,9 @@
+  * [including the GNU Public Licence.]
+  */
+-#define NUM_NID 920
+-#define NUM_SN 913
+-#define NUM_LN 913
++#define NUM_NID 921
++#define NUM_SN 914
++#define NUM_LN 914
+ #define NUM_OBJ 857
+ static const unsigned char lvalues[5974]={
+@@ -2399,6 +2399,8 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
+ {"AES-256-CBC-HMAC-SHA1","aes-256-cbc-hmac-sha1",
+       NID_aes_256_cbc_hmac_sha1,0,NULL,0},
+ {"RSAES-OAEP","rsaesOaep",NID_rsaesOaep,9,&(lvalues[5964]),0},
++{"DES-EDE3-CBC-HMAC-SHA1","des-ede3-cbc-hmac-sha1",
++      NID_des_ede3_cbc_hmac_sha1,0,NULL,0},
+ };
+ static const unsigned int sn_objs[NUM_SN]={
+@@ -2474,6 +2476,7 @@ static const unsigned int sn_objs[NUM_SN]={
+ 62,   /* "DES-EDE-OFB" */
+ 33,   /* "DES-EDE3" */
+ 44,   /* "DES-EDE3-CBC" */
++920,  /* "DES-EDE3-CBC-HMAC-SHA1" */
+ 61,   /* "DES-EDE3-CFB" */
+ 658,  /* "DES-EDE3-CFB1" */
+ 659,  /* "DES-EDE3-CFB8" */
+@@ -3585,6 +3588,7 @@ static const unsigned int ln_objs[NUM_LN]={
+ 62,   /* "des-ede-ofb" */
+ 33,   /* "des-ede3" */
+ 44,   /* "des-ede3-cbc" */
++920,  /* "des-ede3-cbc-hmac-sha1" */
+ 61,   /* "des-ede3-cfb" */
+ 658,  /* "des-ede3-cfb1" */
+ 659,  /* "des-ede3-cfb8" */
+diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
+index b5ea7cd..8751902 100644
+--- a/crypto/objects/obj_mac.h
++++ b/crypto/objects/obj_mac.h
+@@ -4030,3 +4030,7 @@
+ #define LN_aes_256_cbc_hmac_sha1              "aes-256-cbc-hmac-sha1"
+ #define NID_aes_256_cbc_hmac_sha1             918
++#define SN_des_ede3_cbc_hmac_sha1             "DES-EDE3-CBC-HMAC-SHA1"
++#define LN_des_ede3_cbc_hmac_sha1             "des-ede3-cbc-hmac-sha1"
++#define NID_des_ede3_cbc_hmac_sha1            920
++
+diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
+index 1d0a7c8..9d44bb5 100644
+--- a/crypto/objects/obj_mac.num
++++ b/crypto/objects/obj_mac.num
+@@ -917,3 +917,4 @@ aes_128_cbc_hmac_sha1              916
+ aes_192_cbc_hmac_sha1         917
+ aes_256_cbc_hmac_sha1         918
+ rsaesOaep             919
++des_ede3_cbc_hmac_sha1                920
+diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
+index d3bfad7..90d2fc5 100644
+--- a/crypto/objects/objects.txt
++++ b/crypto/objects/objects.txt
+@@ -1290,3 +1290,4 @@ kisa 1 6                : SEED-OFB      : seed-ofb
+                       : AES-128-CBC-HMAC-SHA1         : aes-128-cbc-hmac-sha1
+                       : AES-192-CBC-HMAC-SHA1         : aes-192-cbc-hmac-sha1
+                       : AES-256-CBC-HMAC-SHA1         : aes-256-cbc-hmac-sha1
++                      : DES-EDE3-CBC-HMAC-SHA1        : des-ede3-cbc-hmac-sha1
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 8188ff5..310fe76 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -639,6 +639,10 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+                        c->algorithm_mac == SSL_SHA1 &&
+                        (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
+                       *enc = evp, *md = NULL;
++              else if (c->algorithm_enc == SSL_3DES &&
++                       c->algorithm_mac == SSL_SHA1 &&
++                       (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
++                      *enc = evp, *md = NULL;
+               return(1);
+               }
+       else
+-- 
+2.3.5
+
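Review bot: The two `switch (ctx->cipher->nid)` statements this patch extends, in `cryptodev_aead_cipher` and in `cryptodev_cbc_hmac_sha1_ctrl`, have no `default` arm, so `cryp.flags` and `maclen` are set only for NIDs that are listed by hand in both places. The new `NID_des_ede3_cbc_hmac_sha1` case is added to both here, but a cipher missed in either switch would silently skip `COP_FLAG_AEAD_TLS_TYPE` or leave `maclen` at whatever value it held before the switch. The declaration of `maclen` is outside the hunk, so whether it is initialised cannot be confirmed from here, and it presumably feeds the record length and padding computation that follows. I would make the `maclen` switch fail closed with `default: return -1;` (assuming -1 is this ctrl handler's error value) and add a comment above the cipher table listing every switch a new NID must also be added to. Both function bodies start and end outside the visible hunks.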
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch
new file mode 100644 (file)
index 0000000..988d79e
--- /dev/null
@@ -0,0 +1,355 @@
+From 1de2b740a3bdcd8e98abb5f4e176d46fd817b932 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@freescale.com>
+Date: Tue, 31 Mar 2015 16:30:17 +0300
+Subject: [PATCH 19/26] eng_cryptodev: add support for TLSv1.1 record offload
+
+Supported cipher suites:
+- 3des-ede-cbc-sha
+- aes-128-cbc-hmac-sha
+- aes-256-cbc-hmac-sha
+
+Requires TLS patches on cryptodev and TLS algorithm support in Linux
+kernel driver.
+
+Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
+Change-Id: Id414f36a528de3f476b72688cf85714787d7ccae
+Reviewed-on: http://git.am.freescale.net:8181/34002
+Reviewed-by: Cristian Stoica <cristian.stoica@freescale.com>
+Tested-by: Cristian Stoica <cristian.stoica@freescale.com>
+---
+ crypto/engine/eng_cryptodev.c | 101 ++++++++++++++++++++++++++++++++++++++----
+ crypto/objects/obj_dat.h      |  18 ++++++--
+ crypto/objects/obj_mac.h      |  12 +++++
+ crypto/objects/obj_mac.num    |   3 ++
+ crypto/objects/objects.txt    |   3 ++
+ ssl/ssl_ciph.c                |  26 +++++++++--
+ 6 files changed, 148 insertions(+), 15 deletions(-)
+
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index 299e84b..f71ab27 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -66,6 +66,7 @@ ENGINE_load_cryptodev(void)
+ #include <sys/ioctl.h>
+ #include <errno.h>
+ #include <stdio.h>
++#include <stdbool.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <stdarg.h>
+@@ -133,9 +134,12 @@ static int cryptodev_dh_compute_key(unsigned char *key,
+ static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
+     void (*f)(void));
+ void ENGINE_load_cryptodev(void);
++const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
+-const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1;
++const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1;
++const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1;
++const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1;
+ inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin,  int *bin_len)
+ {
+@@ -256,6 +260,9 @@ static struct {
+       { CRYPTO_TLS10_3DES_CBC_HMAC_SHA1, NID_des_ede3_cbc_hmac_sha1, 8, 24, 20},
+       { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_128_cbc_hmac_sha1, 16, 16, 20},
+       { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20},
++      { CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8, 24, 20},
++      { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16, 20},
++      { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32, 20},
+       { CRYPTO_AES_GCM,       NID_aes_128_gcm,  16, 16, 0},
+       { 0, NID_undef, 0, 0, 0},
+ };
+@@ -462,14 +469,23 @@ cryptodev_usable_ciphers(const int **nids)
+       /* add ciphers specific to cryptodev if found in kernel */
+       for(i = 0; i < count; i++) {
+               switch (*(*nids + i)) {
++              case NID_des_ede3_cbc_hmac_sha1:
++                      EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1);
++                      break;
+               case NID_aes_128_cbc_hmac_sha1:
+                       EVP_add_cipher(&cryptodev_aes_128_cbc_hmac_sha1);
+                       break;
+               case NID_aes_256_cbc_hmac_sha1:
+                       EVP_add_cipher(&cryptodev_aes_256_cbc_hmac_sha1);
+                       break;
+-              case NID_des_ede3_cbc_hmac_sha1:
+-                      EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1);
++              case NID_tls11_des_ede3_cbc_hmac_sha1:
++                      EVP_add_cipher(&cryptodev_tls11_3des_cbc_hmac_sha1);
++                      break;
++              case NID_tls11_aes_128_cbc_hmac_sha1:
++                      EVP_add_cipher(&cryptodev_tls11_aes_128_cbc_hmac_sha1);
++                      break;
++              case NID_tls11_aes_256_cbc_hmac_sha1:
++                      EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1);
+                       break;
+               }
+       }
+@@ -574,9 +590,12 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+       /* TODO: make a seamless integration with cryptodev flags */
+       switch (ctx->cipher->nid) {
++      case NID_des_ede3_cbc_hmac_sha1:
+       case NID_aes_128_cbc_hmac_sha1:
+       case NID_aes_256_cbc_hmac_sha1:
+-      case NID_des_ede3_cbc_hmac_sha1:
++      case NID_tls11_des_ede3_cbc_hmac_sha1:
++      case NID_tls11_aes_128_cbc_hmac_sha1:
++      case NID_tls11_aes_256_cbc_hmac_sha1:
+               cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
+       }
+       cryp.ses = sess->ses;
+@@ -758,8 +777,9 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
+               struct dev_crypto_state *state = ctx->cipher_data;
+               unsigned char *p = ptr;
+               unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1];
+-              unsigned int maclen, padlen;
++              unsigned int maclen, padlen, len;
+               unsigned int bs = ctx->cipher->block_size;
++              bool aad_needs_fix = false;
+               state->aad = ptr;
+               state->aad_len = arg;
+@@ -767,10 +787,24 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
+               /* TODO: this should be an extension of EVP_CIPHER struct */
+               switch (ctx->cipher->nid) {
++              case NID_des_ede3_cbc_hmac_sha1:
+               case NID_aes_128_cbc_hmac_sha1:
+               case NID_aes_256_cbc_hmac_sha1:
+-              case NID_des_ede3_cbc_hmac_sha1:
+                       maclen = SHA_DIGEST_LENGTH;
++                      break;
++              case NID_tls11_des_ede3_cbc_hmac_sha1:
++              case NID_tls11_aes_128_cbc_hmac_sha1:
++              case NID_tls11_aes_256_cbc_hmac_sha1:
++                      maclen = SHA_DIGEST_LENGTH;
++                      aad_needs_fix = true;
++                      break;
++              }
++
++              /* Correct length for AAD Length field */
++              if (ctx->encrypt && aad_needs_fix) {
++                      len = cryptlen - bs;
++                      p[arg-2] = len >> 8;
++                      p[arg-1] = len & 0xff;
+               }
+               /* space required for encryption (not only TLS padding) */
+@@ -1131,6 +1165,48 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1 = {
+       NULL
+ };
++const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1 = {
++      NID_tls11_des_ede3_cbc_hmac_sha1,
++      8, 24, 8,
++      EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++      cryptodev_init_aead_key,
++      cryptodev_aead_cipher,
++      cryptodev_cleanup,
++      sizeof(struct dev_crypto_state),
++      EVP_CIPHER_set_asn1_iv,
++      EVP_CIPHER_get_asn1_iv,
++      cryptodev_cbc_hmac_sha1_ctrl,
++      NULL
++};
++
++const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1 = {
++      NID_tls11_aes_128_cbc_hmac_sha1,
++      16, 16, 16,
++      EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++      cryptodev_init_aead_key,
++      cryptodev_aead_cipher,
++      cryptodev_cleanup,
++      sizeof(struct dev_crypto_state),
++      EVP_CIPHER_set_asn1_iv,
++      EVP_CIPHER_get_asn1_iv,
++      cryptodev_cbc_hmac_sha1_ctrl,
++      NULL
++};
++
++const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = {
++      NID_tls11_aes_256_cbc_hmac_sha1,
++      16, 32, 16,
++      EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++      cryptodev_init_aead_key,
++      cryptodev_aead_cipher,
++      cryptodev_cleanup,
++      sizeof(struct dev_crypto_state),
++      EVP_CIPHER_set_asn1_iv,
++      EVP_CIPHER_get_asn1_iv,
++      cryptodev_cbc_hmac_sha1_ctrl,
++      NULL
++};
++
+ const EVP_CIPHER cryptodev_aes_128_gcm = {
+       NID_aes_128_gcm,
+       1, 16, 12,
+@@ -1184,6 +1260,9 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+       case NID_aes_256_cbc:
+               *cipher = &cryptodev_aes_256_cbc;
+               break;
++      case NID_aes_128_gcm:
++              *cipher = &cryptodev_aes_128_gcm;
++              break;
+       case NID_des_ede3_cbc_hmac_sha1:
+               *cipher = &cryptodev_3des_cbc_hmac_sha1;
+               break;
+@@ -1193,8 +1272,14 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+       case NID_aes_256_cbc_hmac_sha1:
+               *cipher = &cryptodev_aes_256_cbc_hmac_sha1;
+               break;
+-      case NID_aes_128_gcm:
+-              *cipher = &cryptodev_aes_128_gcm;
++      case NID_tls11_des_ede3_cbc_hmac_sha1:
++              *cipher = &cryptodev_tls11_3des_cbc_hmac_sha1;
++              break;
++      case NID_tls11_aes_128_cbc_hmac_sha1:
++              *cipher = &cryptodev_tls11_aes_128_cbc_hmac_sha1;
++              break;
++      case NID_tls11_aes_256_cbc_hmac_sha1:
++              *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1;
+               break;
+       default:
+               *cipher = NULL;
+diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
+index 9f2267a..dc89b0a 100644
+--- a/crypto/objects/obj_dat.h
++++ b/crypto/objects/obj_dat.h
+@@ -62,9 +62,9 @@
+  * [including the GNU Public Licence.]
+  */
+-#define NUM_NID 921
+-#define NUM_SN 914
+-#define NUM_LN 914
++#define NUM_NID 924
++#define NUM_SN 917
++#define NUM_LN 917
+ #define NUM_OBJ 857
+ static const unsigned char lvalues[5974]={
+@@ -2401,6 +2401,12 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
+ {"RSAES-OAEP","rsaesOaep",NID_rsaesOaep,9,&(lvalues[5964]),0},
+ {"DES-EDE3-CBC-HMAC-SHA1","des-ede3-cbc-hmac-sha1",
+       NID_des_ede3_cbc_hmac_sha1,0,NULL,0},
++{"TLS11-DES-EDE3-CBC-HMAC-SHA1","tls11-des-ede3-cbc-hmac-sha1",
++      NID_tls11_des_ede3_cbc_hmac_sha1,0,NULL,0},
++{"TLS11-AES-128-CBC-HMAC-SHA1","tls11-aes-128-cbc-hmac-sha1",
++      NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0},
++{"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1",
++      NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0},
+ };
+ static const unsigned int sn_objs[NUM_SN]={
+@@ -2586,6 +2592,9 @@ static const unsigned int sn_objs[NUM_SN]={
+ 100,  /* "SN" */
+ 16,   /* "ST" */
+ 143,  /* "SXNetID" */
++922,  /* "TLS11-AES-128-CBC-HMAC-SHA1" */
++923,  /* "TLS11-AES-256-CBC-HMAC-SHA1" */
++921,  /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */
+ 458,  /* "UID" */
+  0,   /* "UNDEF" */
+ 11,   /* "X500" */
+@@ -4205,6 +4214,9 @@ static const unsigned int ln_objs[NUM_LN]={
+ 459,  /* "textEncodedORAddress" */
+ 293,  /* "textNotice" */
+ 106,  /* "title" */
++922,  /* "tls11-aes-128-cbc-hmac-sha1" */
++923,  /* "tls11-aes-256-cbc-hmac-sha1" */
++921,  /* "tls11-des-ede3-cbc-hmac-sha1" */
+ 682,  /* "tpBasis" */
+ 436,  /* "ucl" */
+  0,   /* "undefined" */
+diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
+index 8751902..f181890 100644
+--- a/crypto/objects/obj_mac.h
++++ b/crypto/objects/obj_mac.h
+@@ -4034,3 +4034,15 @@
+ #define LN_des_ede3_cbc_hmac_sha1             "des-ede3-cbc-hmac-sha1"
+ #define NID_des_ede3_cbc_hmac_sha1            920
++#define SN_tls11_des_ede3_cbc_hmac_sha1               "TLS11-DES-EDE3-CBC-HMAC-SHA1"
++#define LN_tls11_des_ede3_cbc_hmac_sha1               "tls11-des-ede3-cbc-hmac-sha1"
++#define NID_tls11_des_ede3_cbc_hmac_sha1              921
++
++#define SN_tls11_aes_128_cbc_hmac_sha1                "TLS11-AES-128-CBC-HMAC-SHA1"
++#define LN_tls11_aes_128_cbc_hmac_sha1                "tls11-aes-128-cbc-hmac-sha1"
++#define NID_tls11_aes_128_cbc_hmac_sha1               922
++
++#define SN_tls11_aes_256_cbc_hmac_sha1                "TLS11-AES-256-CBC-HMAC-SHA1"
++#define LN_tls11_aes_256_cbc_hmac_sha1                "tls11-aes-256-cbc-hmac-sha1"
++#define NID_tls11_aes_256_cbc_hmac_sha1               923
++
+diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
+index 9d44bb5..a02b58c 100644
+--- a/crypto/objects/obj_mac.num
++++ b/crypto/objects/obj_mac.num
+@@ -918,3 +918,6 @@ aes_192_cbc_hmac_sha1              917
+ aes_256_cbc_hmac_sha1         918
+ rsaesOaep             919
+ des_ede3_cbc_hmac_sha1                920
++tls11_des_ede3_cbc_hmac_sha1          921
++tls11_aes_128_cbc_hmac_sha1           922
++tls11_aes_256_cbc_hmac_sha1           923
+diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
+index 90d2fc5..1973658 100644
+--- a/crypto/objects/objects.txt
++++ b/crypto/objects/objects.txt
+@@ -1291,3 +1291,6 @@ kisa 1 6                : SEED-OFB      : seed-ofb
+                       : AES-192-CBC-HMAC-SHA1         : aes-192-cbc-hmac-sha1
+                       : AES-256-CBC-HMAC-SHA1         : aes-256-cbc-hmac-sha1
+                       : DES-EDE3-CBC-HMAC-SHA1        : des-ede3-cbc-hmac-sha1
++                      : TLS11-DES-EDE3-CBC-HMAC-SHA1  : tls11-des-ede3-cbc-hmac-sha1
++                      : TLS11-AES-128-CBC-HMAC-SHA1   : tls11-aes-128-cbc-hmac-sha1
++                      : TLS11-AES-256-CBC-HMAC-SHA1   : tls11-aes-256-cbc-hmac-sha1
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 310fe76..0408986 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -631,17 +631,35 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+                        c->algorithm_mac == SSL_MD5 &&
+                        (evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
+                       *enc = evp, *md = NULL;
+-              else if (c->algorithm_enc == SSL_AES128 &&
++              else if (s->ssl_version == TLS1_VERSION &&
++                       c->algorithm_enc == SSL_3DES &&
++                       c->algorithm_mac == SSL_SHA1 &&
++                       (evp=EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
++                      *enc = evp, *md = NULL;
++              else if (s->ssl_version == TLS1_VERSION &&
++                       c->algorithm_enc == SSL_AES128 &&
+                        c->algorithm_mac == SSL_SHA1 &&
+                        (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
+                       *enc = evp, *md = NULL;
+-              else if (c->algorithm_enc == SSL_AES256 &&
++              else if (s->ssl_version == TLS1_VERSION &&
++                       c->algorithm_enc == SSL_AES256 &&
+                        c->algorithm_mac == SSL_SHA1 &&
+                        (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
+                       *enc = evp, *md = NULL;
+-              else if (c->algorithm_enc == SSL_3DES &&
++              else if (s->ssl_version == TLS1_1_VERSION &&
++                       c->algorithm_enc == SSL_3DES &&
++                       c->algorithm_mac == SSL_SHA1 &&
++                       (evp=EVP_get_cipherbyname("TLS11-DES-EDE3-CBC-HMAC-SHA1")))
++                      *enc = evp, *md = NULL;
++              else if (s->ssl_version == TLS1_1_VERSION &&
++                       c->algorithm_enc == SSL_AES128 &&
++                       c->algorithm_mac == SSL_SHA1 &&
++                       (evp=EVP_get_cipherbyname("TLS11-AES-128-CBC-HMAC-SHA1")))
++                      *enc = evp, *md = NULL;
++              else if (s->ssl_version == TLS1_1_VERSION &&
++                       c->algorithm_enc == SSL_AES256 &&
+                        c->algorithm_mac == SSL_SHA1 &&
+-                       (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1")))
++                       (evp=EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1")))
+                       *enc = evp, *md = NULL;
+               return(1);
+               }
+-- 
+2.3.5
+
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch
new file mode 100644 (file)
index 0000000..7370c49
--- /dev/null
@@ -0,0 +1,359 @@
+From a58703e6601fcfcfe69fdb3e7152ed76b40d67e9 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@freescale.com>
+Date: Tue, 31 Mar 2015 16:32:35 +0300
+Subject: [PATCH 20/26] eng_cryptodev: add support for TLSv1.2 record offload
+
+Supported cipher suites:
+- 3des-ede-cbc-sha
+- aes-128-cbc-hmac-sha
+- aes-256-cbc-hmac-sha
+- aes-128-cbc-hmac-sha256
+- aes-256-cbc-hmac-sha256
+
+Requires TLS patches on cryptodev and TLS algorithm support in Linux
+kernel driver.
+
+Signed-off-by: Tudor Ambarus <tudor.ambarus@freescale.com>
+Change-Id: I0ac6953dd62e2655a59d8f3eaefd012b7ecebf55
+Reviewed-on: http://git.am.freescale.net:8181/34003
+Reviewed-by: Cristian Stoica <cristian.stoica@freescale.com>
+Tested-by: Cristian Stoica <cristian.stoica@freescale.com>
+---
+ crypto/engine/eng_cryptodev.c | 123 ++++++++++++++++++++++++++++++++++++++++++
+ crypto/objects/obj_dat.h      |  26 +++++++--
+ crypto/objects/obj_mac.h      |  20 +++++++
+ crypto/objects/obj_mac.num    |   5 ++
+ crypto/objects/objects.txt    |   5 ++
+ ssl/ssl_ciph.c                |  25 +++++++++
+ 6 files changed, 201 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index f71ab27..fa5fe1b 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -140,6 +140,11 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1;
+ const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1;
++const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1;
++const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1;
++const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1;
++const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256;
++const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256;
+ inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin,  int *bin_len)
+ {
+@@ -263,6 +268,11 @@ static struct {
+       { CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8, 24, 20},
+       { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16, 20},
+       { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32, 20},
++      { CRYPTO_TLS12_3DES_CBC_HMAC_SHA1, NID_tls12_des_ede3_cbc_hmac_sha1, 8, 24, 20},
++      { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_128_cbc_hmac_sha1, 16, 16, 20},
++      { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_256_cbc_hmac_sha1, 16, 32, 20},
++      { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_128_cbc_hmac_sha256, 16, 16, 32},
++      { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_256_cbc_hmac_sha256, 16, 32, 32},
+       { CRYPTO_AES_GCM,       NID_aes_128_gcm,  16, 16, 0},
+       { 0, NID_undef, 0, 0, 0},
+ };
+@@ -487,6 +497,21 @@ cryptodev_usable_ciphers(const int **nids)
+               case NID_tls11_aes_256_cbc_hmac_sha1:
+                       EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1);
+                       break;
++              case NID_tls12_des_ede3_cbc_hmac_sha1:
++                      EVP_add_cipher(&cryptodev_tls12_3des_cbc_hmac_sha1);
++                      break;
++              case NID_tls12_aes_128_cbc_hmac_sha1:
++                      EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha1);
++                      break;
++              case NID_tls12_aes_256_cbc_hmac_sha1:
++                      EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha1);
++                      break;
++              case NID_tls12_aes_128_cbc_hmac_sha256:
++                      EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha256);
++                      break;
++              case NID_tls12_aes_256_cbc_hmac_sha256:
++                      EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha256);
++                      break;
+               }
+       }
+       return count;
+@@ -596,6 +621,11 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+       case NID_tls11_des_ede3_cbc_hmac_sha1:
+       case NID_tls11_aes_128_cbc_hmac_sha1:
+       case NID_tls11_aes_256_cbc_hmac_sha1:
++      case NID_tls12_des_ede3_cbc_hmac_sha1:
++      case NID_tls12_aes_128_cbc_hmac_sha1:
++      case NID_tls12_aes_256_cbc_hmac_sha1:
++      case NID_tls12_aes_128_cbc_hmac_sha256:
++      case NID_tls12_aes_256_cbc_hmac_sha256:
+               cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
+       }
+       cryp.ses = sess->ses;
+@@ -795,9 +825,17 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
+               case NID_tls11_des_ede3_cbc_hmac_sha1:
+               case NID_tls11_aes_128_cbc_hmac_sha1:
+               case NID_tls11_aes_256_cbc_hmac_sha1:
++              case NID_tls12_des_ede3_cbc_hmac_sha1:
++              case NID_tls12_aes_128_cbc_hmac_sha1:
++              case NID_tls12_aes_256_cbc_hmac_sha1:
+                       maclen = SHA_DIGEST_LENGTH;
+                       aad_needs_fix = true;
+                       break;
++              case NID_tls12_aes_128_cbc_hmac_sha256:
++              case NID_tls12_aes_256_cbc_hmac_sha256:
++                      maclen = SHA256_DIGEST_LENGTH;
++                      aad_needs_fix = true;
++                      break;
+               }
+               /* Correct length for AAD Length field */
+@@ -1207,6 +1245,76 @@ const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = {
+       NULL
+ };
++const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1 = {
++      NID_tls12_des_ede3_cbc_hmac_sha1,
++      8, 24, 8,
++      EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++      cryptodev_init_aead_key,
++      cryptodev_aead_cipher,
++      cryptodev_cleanup,
++      sizeof(struct dev_crypto_state),
++      EVP_CIPHER_set_asn1_iv,
++      EVP_CIPHER_get_asn1_iv,
++      cryptodev_cbc_hmac_sha1_ctrl,
++      NULL
++};
++
++const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1 = {
++      NID_tls12_aes_128_cbc_hmac_sha1,
++      16, 16, 16,
++      EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++      cryptodev_init_aead_key,
++      cryptodev_aead_cipher,
++      cryptodev_cleanup,
++      sizeof(struct dev_crypto_state),
++      EVP_CIPHER_set_asn1_iv,
++      EVP_CIPHER_get_asn1_iv,
++      cryptodev_cbc_hmac_sha1_ctrl,
++      NULL
++};
++
++const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1 = {
++      NID_tls12_aes_256_cbc_hmac_sha1,
++      16, 32, 16,
++      EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++      cryptodev_init_aead_key,
++      cryptodev_aead_cipher,
++      cryptodev_cleanup,
++      sizeof(struct dev_crypto_state),
++      EVP_CIPHER_set_asn1_iv,
++      EVP_CIPHER_get_asn1_iv,
++      cryptodev_cbc_hmac_sha1_ctrl,
++      NULL
++};
++
++const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256 = {
++      NID_tls12_aes_128_cbc_hmac_sha256,
++      16, 16, 16,
++      EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++      cryptodev_init_aead_key,
++      cryptodev_aead_cipher,
++      cryptodev_cleanup,
++      sizeof(struct dev_crypto_state),
++      EVP_CIPHER_set_asn1_iv,
++      EVP_CIPHER_get_asn1_iv,
++      cryptodev_cbc_hmac_sha1_ctrl,
++      NULL
++};
++
++const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256 = {
++      NID_tls12_aes_256_cbc_hmac_sha256,
++      16, 32, 16,
++      EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++      cryptodev_init_aead_key,
++      cryptodev_aead_cipher,
++      cryptodev_cleanup,
++      sizeof(struct dev_crypto_state),
++      EVP_CIPHER_set_asn1_iv,
++      EVP_CIPHER_get_asn1_iv,
++      cryptodev_cbc_hmac_sha1_ctrl,
++      NULL
++};
++
+ const EVP_CIPHER cryptodev_aes_128_gcm = {
+       NID_aes_128_gcm,
+       1, 16, 12,
+@@ -1281,6 +1389,21 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+       case NID_tls11_aes_256_cbc_hmac_sha1:
+               *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1;
+               break;
++      case NID_tls12_des_ede3_cbc_hmac_sha1:
++              *cipher = &cryptodev_tls12_3des_cbc_hmac_sha1;
++              break;
++      case NID_tls12_aes_128_cbc_hmac_sha1:
++              *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha1;
++              break;
++      case NID_tls12_aes_256_cbc_hmac_sha1:
++              *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha1;
++              break;
++      case NID_tls12_aes_128_cbc_hmac_sha256:
++              *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha256;
++              break;
++      case NID_tls12_aes_256_cbc_hmac_sha256:
++              *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha256;
++              break;
+       default:
+               *cipher = NULL;
+               break;
+diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
+index dc89b0a..dfe19da 100644
+--- a/crypto/objects/obj_dat.h
++++ b/crypto/objects/obj_dat.h
+@@ -62,9 +62,9 @@
+  * [including the GNU Public Licence.]
+  */
+-#define NUM_NID 924
+-#define NUM_SN 917
+-#define NUM_LN 917
++#define NUM_NID 929
++#define NUM_SN 922
++#define NUM_LN 922
+ #define NUM_OBJ 857
+ static const unsigned char lvalues[5974]={
+@@ -2407,6 +2407,16 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
+       NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0},
+ {"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1",
+       NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0},
++{"TLS12-DES-EDE3-CBC-HMAC-SHA1","tls12-des-ede3-cbc-hmac-sha1",
++      NID_tls12_des_ede3_cbc_hmac_sha1,0,NULL,0},
++{"TLS12-AES-128-CBC-HMAC-SHA1","tls12-aes-128-cbc-hmac-sha1",
++      NID_tls12_aes_128_cbc_hmac_sha1,0,NULL,0},
++{"TLS12-AES-256-CBC-HMAC-SHA1","tls12-aes-256-cbc-hmac-sha1",
++      NID_tls12_aes_256_cbc_hmac_sha1,0,NULL,0},
++{"TLS12-AES-128-CBC-HMAC-SHA256","tls12-aes-128-cbc-hmac-sha256",
++      NID_tls12_aes_128_cbc_hmac_sha256,0,NULL,0},
++{"TLS12-AES-256-CBC-HMAC-SHA256","tls12-aes-256-cbc-hmac-sha256",
++      NID_tls12_aes_256_cbc_hmac_sha256,0,NULL,0},
+ };
+ static const unsigned int sn_objs[NUM_SN]={
+@@ -2595,6 +2605,11 @@ static const unsigned int sn_objs[NUM_SN]={
+ 922,  /* "TLS11-AES-128-CBC-HMAC-SHA1" */
+ 923,  /* "TLS11-AES-256-CBC-HMAC-SHA1" */
+ 921,  /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */
++925,  /* "TLS12-AES-128-CBC-HMAC-SHA1" */
++927,  /* "TLS12-AES-128-CBC-HMAC-SHA256" */
++926,  /* "TLS12-AES-256-CBC-HMAC-SHA1" */
++928,  /* "TLS12-AES-256-CBC-HMAC-SHA256" */
++924,  /* "TLS12-DES-EDE3-CBC-HMAC-SHA1" */
+ 458,  /* "UID" */
+  0,   /* "UNDEF" */
+ 11,   /* "X500" */
+@@ -4217,6 +4232,11 @@ static const unsigned int ln_objs[NUM_LN]={
+ 922,  /* "tls11-aes-128-cbc-hmac-sha1" */
+ 923,  /* "tls11-aes-256-cbc-hmac-sha1" */
+ 921,  /* "tls11-des-ede3-cbc-hmac-sha1" */
++925,  /* "tls12-aes-128-cbc-hmac-sha1" */
++927,  /* "tls12-aes-128-cbc-hmac-sha256" */
++926,  /* "tls12-aes-256-cbc-hmac-sha1" */
++928,  /* "tls12-aes-256-cbc-hmac-sha256" */
++924,  /* "tls12-des-ede3-cbc-hmac-sha1" */
+ 682,  /* "tpBasis" */
+ 436,  /* "ucl" */
+  0,   /* "undefined" */
+diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
+index f181890..5af125e 100644
+--- a/crypto/objects/obj_mac.h
++++ b/crypto/objects/obj_mac.h
+@@ -4046,3 +4046,23 @@
+ #define LN_tls11_aes_256_cbc_hmac_sha1                "tls11-aes-256-cbc-hmac-sha1"
+ #define NID_tls11_aes_256_cbc_hmac_sha1               923
++#define SN_tls12_des_ede3_cbc_hmac_sha1               "TLS12-DES-EDE3-CBC-HMAC-SHA1"
++#define LN_tls12_des_ede3_cbc_hmac_sha1               "tls12-des-ede3-cbc-hmac-sha1"
++#define NID_tls12_des_ede3_cbc_hmac_sha1              924
++
++#define SN_tls12_aes_128_cbc_hmac_sha1                "TLS12-AES-128-CBC-HMAC-SHA1"
++#define LN_tls12_aes_128_cbc_hmac_sha1                "tls12-aes-128-cbc-hmac-sha1"
++#define NID_tls12_aes_128_cbc_hmac_sha1               925
++
++#define SN_tls12_aes_256_cbc_hmac_sha1                "TLS12-AES-256-CBC-HMAC-SHA1"
++#define LN_tls12_aes_256_cbc_hmac_sha1                "tls12-aes-256-cbc-hmac-sha1"
++#define NID_tls12_aes_256_cbc_hmac_sha1               926
++
++#define SN_tls12_aes_128_cbc_hmac_sha256              "TLS12-AES-128-CBC-HMAC-SHA256"
++#define LN_tls12_aes_128_cbc_hmac_sha256              "tls12-aes-128-cbc-hmac-sha256"
++#define NID_tls12_aes_128_cbc_hmac_sha256             927
++
++#define SN_tls12_aes_256_cbc_hmac_sha256              "TLS12-AES-256-CBC-HMAC-SHA256"
++#define LN_tls12_aes_256_cbc_hmac_sha256              "tls12-aes-256-cbc-hmac-sha256"
++#define NID_tls12_aes_256_cbc_hmac_sha256             928
++
+diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
+index a02b58c..deeba3a 100644
+--- a/crypto/objects/obj_mac.num
++++ b/crypto/objects/obj_mac.num
+@@ -921,3 +921,8 @@ des_ede3_cbc_hmac_sha1             920
+ tls11_des_ede3_cbc_hmac_sha1          921
+ tls11_aes_128_cbc_hmac_sha1           922
+ tls11_aes_256_cbc_hmac_sha1           923
++tls12_des_ede3_cbc_hmac_sha1          924
++tls12_aes_128_cbc_hmac_sha1           925
++tls12_aes_256_cbc_hmac_sha1           926
++tls12_aes_128_cbc_hmac_sha256         927
++tls12_aes_256_cbc_hmac_sha256         928
+diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
+index 1973658..6e4ac93 100644
+--- a/crypto/objects/objects.txt
++++ b/crypto/objects/objects.txt
+@@ -1294,3 +1294,8 @@ kisa 1 6                : SEED-OFB      : seed-ofb
+                       : TLS11-DES-EDE3-CBC-HMAC-SHA1  : tls11-des-ede3-cbc-hmac-sha1
+                       : TLS11-AES-128-CBC-HMAC-SHA1   : tls11-aes-128-cbc-hmac-sha1
+                       : TLS11-AES-256-CBC-HMAC-SHA1   : tls11-aes-256-cbc-hmac-sha1
++                      : TLS12-DES-EDE3-CBC-HMAC-SHA1  : tls12-des-ede3-cbc-hmac-sha1
++                      : TLS12-AES-128-CBC-HMAC-SHA1   : tls12-aes-128-cbc-hmac-sha1
++                      : TLS12-AES-256-CBC-HMAC-SHA1   : tls12-aes-256-cbc-hmac-sha1
++                      : TLS12-AES-128-CBC-HMAC-SHA256 : tls12-aes-128-cbc-hmac-sha256
++                      : TLS12-AES-256-CBC-HMAC-SHA256 : tls12-aes-256-cbc-hmac-sha256
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 0408986..77a82f6 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -661,6 +661,31 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+                        c->algorithm_mac == SSL_SHA1 &&
+                        (evp=EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1")))
+                       *enc = evp, *md = NULL;
++              else if (s->ssl_version == TLS1_2_VERSION &&
++                       c->algorithm_enc == SSL_3DES &&
++                       c->algorithm_mac == SSL_SHA1 &&
++                       (evp=EVP_get_cipherbyname("TLS12-DES-EDE3-CBC-HMAC-SHA1")))
++                      *enc = evp, *md = NULL;
++              else if (s->ssl_version == TLS1_2_VERSION &&
++                       c->algorithm_enc == SSL_AES128 &&
++                       c->algorithm_mac == SSL_SHA1 &&
++                       (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA1")))
++                      *enc = evp, *md = NULL;
++              else if (s->ssl_version == TLS1_2_VERSION &&
++                       c->algorithm_enc == SSL_AES256 &&
++                       c->algorithm_mac == SSL_SHA1 &&
++                       (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA1")))
++                      *enc = evp, *md = NULL;
++              else if (s->ssl_version == TLS1_2_VERSION &&
++                       c->algorithm_enc == SSL_AES128 &&
++                       c->algorithm_mac == SSL_SHA256 &&
++                       (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA256")))
++                      *enc = evp, *md = NULL;
++              else if (s->ssl_version == TLS1_2_VERSION &&
++                       c->algorithm_enc == SSL_AES256 &&
++                       c->algorithm_mac == SSL_SHA256 &&
++                       (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA256")))
++                      *enc = evp, *md = NULL;
+               return(1);
+               }
+       else
+-- 
+2.3.5
+
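Review bot: The `TLS1_2_VERSION` branches added to `ssl_cipher_get_evp` in `ssl/ssl_ciph.c` set `*md = NULL`, so for these five suites the record MAC and CBC padding are checked only behind `cryptodev_aead_cipher`, and nothing in the patch documents what that path guarantees. The body of `cryptodev_aead_cipher` is outside the hunks shown, so it cannot be confirmed here that a bad MAC and bad padding are rejected identically and in data-independent time; presumably that depends on the kernel driver the commit message requires. I would add a comment above the `cryptodev_tls12_*` tables such as `/* MAC and CBC padding are verified by the /dev/crypto driver; every failure must surface as one generic decrypt error */`. Separately, `cryptodev_cbc_hmac_sha1_ctrl` now also serves the SHA-256 entries, so its name no longer matches what it handles.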
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0021-cryptodev-drop-redundant-function.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0021-cryptodev-drop-redundant-function.patch
new file mode 100644 (file)
index 0000000..16cc688
--- /dev/null
@@ -0,0 +1,75 @@
+From ea4abc255c6c5feec01cb1e30c6082cfe47860e2 Mon Sep 17 00:00:00 2001
+From: Cristian Stoica <cristian.stoica@freescale.com>
+Date: Thu, 19 Feb 2015 16:11:53 +0200
+Subject: [PATCH 21/26] cryptodev: drop redundant function
+
+get_dev_crypto already caches the result. Another cache in-between is
+useless.
+
+Change-Id: Ibd162529d3fb7a561a17f1a707d5d287c1586a3a
+Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com>
+Reviewed-on: http://git.am.freescale.net:8181/34216
+---
+ crypto/engine/eng_cryptodev.c | 18 +++---------------
+ 1 file changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index fa5fe1b..1ab5551 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -96,7 +96,6 @@ struct dev_crypto_state {
+ static u_int32_t cryptodev_asymfeat = 0;
+-static int get_asym_dev_crypto(void);
+ static int open_dev_crypto(void);
+ static int get_dev_crypto(void);
+ static int get_cryptodev_ciphers(const int **cnids);
+@@ -357,17 +356,6 @@ static void put_dev_crypto(int fd)
+ #endif
+ }
+-/* Caching version for asym operations */
+-static int
+-get_asym_dev_crypto(void)
+-{
+-      static int fd = -1;
+-
+-      if (fd == -1)
+-              fd = get_dev_crypto();
+-      return fd;
+-}
+-
+ /*
+  * Find out what ciphers /dev/crypto will let us have a session for.
+  * XXX note, that some of these openssl doesn't deal with yet!
+@@ -1796,7 +1784,7 @@ cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s)
+ {
+       int fd, ret = -1;
+-      if ((fd = get_asym_dev_crypto()) < 0)
++      if ((fd = get_dev_crypto()) < 0)
+               return (ret);
+       if (r) {
+@@ -2374,7 +2362,7 @@ static int cryptodev_rsa_keygen(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
+       int p_len, q_len;
+       int i;
+-      if ((fd = get_asym_dev_crypto()) < 0)
++      if ((fd = get_dev_crypto()) < 0)
+               goto sw_try;
+       if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
+@@ -3928,7 +3916,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+       BIGNUM *temp = NULL;
+       unsigned char *padded_pub_key = NULL, *p = NULL;
+-      if ((fd = get_asym_dev_crypto()) < 0)
++      if ((fd = get_dev_crypto()) < 0)
+               goto sw_try;
+       memset(&kop, 0, sizeof kop);
+-- 
+2.3.5
+
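Review bot: The three call sites switched to `get_dev_crypto()` in `cryptodev_asym`, `cryptodev_rsa_keygen` and `cryptodev_dh_compute_key` now depend on that function handing back a shared descriptor, and its body is not part of this patch. The context lines of `put_dev_crypto` end in an `#endif`, which suggests a build configuration where descriptors are obtained per call and have to be released; in such a build each asymmetric operation would leak one descriptor unless the caller pairs the call with `put_dev_crypto(fd)`. All three function bodies continue outside the hunks, so this needs checking against the full file. A one-line comment on the `static int get_dev_crypto(void);` declaration stating whether callers own the returned descriptor would record the contract the commit message relies on.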
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0022-cryptodev-do-not-zero-the-buffer-before-use.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0022-cryptodev-do-not-zero-the-buffer-before-use.patch
new file mode 100644 (file)
index 0000000..0b2f0f1
--- /dev/null
@@ -0,0 +1,48 @@
+From 75e3e7d600eb72e7374b1ecf5ece7b831bc98ed8 Mon Sep 17 00:00:00 2001
+From: Cristian Stoica <cristian.stoica@freescale.com>
+Date: Tue, 17 Feb 2015 13:12:53 +0200
+Subject: [PATCH 22/26] cryptodev: do not zero the buffer before use
+
+- The buffer is just about to be overwritten. Zeroing it before that has
+  no purpose
+
+Change-Id: I478c31bd2e254561474a7edf5e37980ca04217ce
+Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com>
+Reviewed-on: http://git.am.freescale.net:8181/34217
+---
+ crypto/engine/eng_cryptodev.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index 1ab5551..dbc5989 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -1681,21 +1681,16 @@ static int
+ bn2crparam(const BIGNUM *a, struct crparam *crp)
+ {
+       ssize_t bytes, bits;
+-      u_char *b;
+-
+-      crp->crp_p = NULL;
+-      crp->crp_nbits = 0;
+       bits = BN_num_bits(a);
+       bytes = (bits + 7) / 8;
+-      b = malloc(bytes);
+-      if (b == NULL)
++      crp->crp_nbits = bits;
++      crp->crp_p = malloc(bytes);
++
++      if (crp->crp_p == NULL)
+               return (1);
+-      memset(b, 0, bytes);
+-      crp->crp_p = (caddr_t) b;
+-      crp->crp_nbits = bits;
+       BN_bn2bin(a, crp->crp_p);
+       return (0);
+ }
+-- 
+2.3.5
+
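Review bot: On allocation failure `bn2crparam` now returns 1 with `crp->crp_nbits` already set to `bits` and `crp->crp_p` NULL, where the old code left both fields cleared until the buffer existed. A caller that inspects or forwards the parameter after a failure then sees a non-zero length with no buffer behind it. Assign the length after the check, or reset it on the error path: `if (crp->crp_p == NULL) { crp->crp_nbits = 0; return (1); }`. Dropping the `memset` itself looks fine, since `BN_bn2bin` should fill all `bytes` bytes given `bytes = (bits + 7) / 8`.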
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0023-cryptodev-clean-up-code-layout.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0023-cryptodev-clean-up-code-layout.patch
new file mode 100644 (file)
index 0000000..5ff1c5c
--- /dev/null
@@ -0,0 +1,72 @@
+From 4453b06b940fc03a0973cfd96f908e46cce61054 Mon Sep 17 00:00:00 2001
+From: Cristian Stoica <cristian.stoica@freescale.com>
+Date: Wed, 18 Feb 2015 10:39:46 +0200
+Subject: [PATCH 23/26] cryptodev: clean-up code layout
+
+This is just a refactoring that uses else branch to check for malloc failures
+
+Change-Id: I6dc157af36d6ec51a4edfc82cf97fae2e7e83628
+Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com>
+Reviewed-on: http://git.am.freescale.net:8181/34218
+---
+ crypto/engine/eng_cryptodev.c | 42 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index dbc5989..dceb4f5 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -1745,30 +1745,28 @@ cryptodev_asym_async(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen,
+       fd = *(int *)cookie->eng_handle;
+       eng_cookie = malloc(sizeof(struct cryptodev_cookie_s));
+-
+-      if (eng_cookie) {
+-              memset(eng_cookie, 0, sizeof(struct cryptodev_cookie_s));
+-              if (r) {
+-                      kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char));
+-                      if (!kop->crk_param[kop->crk_iparams].crp_p)
+-                              return -ENOMEM;
+-                      kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8;
+-                      kop->crk_oparams++;
+-                      eng_cookie->r = r;
+-                      eng_cookie->r_param = kop->crk_param[kop->crk_iparams];
+-              }
+-              if (s) {
+-                      kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char));
+-                      if (!kop->crk_param[kop->crk_iparams+1].crp_p)
+-                              return -ENOMEM;
+-                      kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8;
+-                      kop->crk_oparams++;
+-                      eng_cookie->s = s;
+-                      eng_cookie->s_param = kop->crk_param[kop->crk_iparams + 1];
+-              }
+-      } else
++      if (!eng_cookie)
+               return -ENOMEM;
++      memset(eng_cookie, 0, sizeof(struct cryptodev_cookie_s));
++      if (r) {
++              kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char));
++              if (!kop->crk_param[kop->crk_iparams].crp_p)
++                      return -ENOMEM;
++              kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8;
++              kop->crk_oparams++;
++              eng_cookie->r = r;
++              eng_cookie->r_param = kop->crk_param[kop->crk_iparams];
++      }
++      if (s) {
++              kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char));
++              if (!kop->crk_param[kop->crk_iparams+1].crp_p)
++                      return -ENOMEM;
++              kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8;
++              kop->crk_oparams++;
++              eng_cookie->s = s;
++              eng_cookie->s_param = kop->crk_param[kop->crk_iparams + 1];
++      }
+       eng_cookie->kop = kop;
+       cookie->eng_cookie = eng_cookie;
+       return ioctl(fd, CIOCASYMASYNCRYPT, kop);
+-- 
+2.3.5
+
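Review bot: Both `return -ENOMEM` statements inside the `if (r)` and `if (s)` blocks of `cryptodev_asym_async` leak `eng_cookie`, which has been allocated by then and is not yet stored in `cookie->eng_cookie`. The refactoring carries this over from the old layout; releasing the cookie on those paths fixes it, e.g. `if (!kop->crk_param[kop->crk_iparams].crp_p) { free(eng_cookie); return -ENOMEM; }` and the same for the `crk_iparams+1` check. The `r` buffer already stored in `kop` when the `s` allocation fails is presumably released by the caller, which is not visible here because the function starts outside the hunk. The `malloc` followed by `memset` could also be a single `calloc(1, sizeof(*eng_cookie))`.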
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0024-cryptodev-do-not-cache-file-descriptor-in-open.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0024-cryptodev-do-not-cache-file-descriptor-in-open.patch
new file mode 100644 (file)
index 0000000..e798d3e
--- /dev/null
@@ -0,0 +1,100 @@
+From a44701abd995b3db80001d0c5d88e9ead05972c1 Mon Sep 17 00:00:00 2001
+From: Cristian Stoica <cristian.stoica@freescale.com>
+Date: Thu, 19 Feb 2015 16:43:29 +0200
+Subject: [PATCH 24/26] cryptodev: do not cache file descriptor in 'open'
+
+The file descriptor returned by get_dev_crypto is cached after a
+successful return. The issue is, it is cached inside 'open_dev_crypto'
+which is no longer useful as a general purpose open("/dev/crypto")
+function.
+
+This patch is a refactoring that moves the caching operation from
+open_dev_crypto to get_dev_crypto and leaves the former as a simpler
+function true to its name
+
+Change-Id: I980170969410381973ce75f6679a4a1401738847
+Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com>
+Reviewed-on: http://git.am.freescale.net:8181/34219
+---
+ crypto/engine/eng_cryptodev.c | 50 +++++++++++++++++++++----------------------
+ 1 file changed, 24 insertions(+), 26 deletions(-)
+
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index dceb4f5..b74fc7c 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -306,47 +306,45 @@ static void ctr64_inc(unsigned char *counter) {
+               if (c) return;
+       } while (n);
+ }
+-/*
+- * Return a fd if /dev/crypto seems usable, 0 otherwise.
+- */
+-static int
+-open_dev_crypto(void)
++
++static int open_dev_crypto(void)
+ {
+-      static int fd = -1;
++      int fd;
+-      if (fd == -1) {
+-              if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1)
+-                      return (-1);
+-              /* close on exec */
+-              if (fcntl(fd, F_SETFD, 1) == -1) {
+-                      close(fd);
+-                      fd = -1;
+-                      return (-1);
+-              }
++      fd = open("/dev/crypto", O_RDWR, 0);
++      if ( fd < 0)
++              return -1;
++
++      /* close on exec */
++      if (fcntl(fd, F_SETFD, 1) == -1) {
++              close(fd);
++              return -1;
+       }
+-      return (fd);
++
++      return fd;
+ }
+-static int
+-get_dev_crypto(void)
++static int get_dev_crypto(void)
+ {
+-      int fd, retfd;
++      static int fd = -1;
++      int retfd;
+-      if ((fd = open_dev_crypto()) == -1)
+-              return (-1);
+-#ifndef CRIOGET_NOT_NEEDED
++      if (fd == -1)
++              fd = open_dev_crypto();
++#ifdef CRIOGET_NOT_NEEDED
++      return fd;
++#else
++      if (fd == -1)
++              return -1;
+       if (ioctl(fd, CRIOGET, &retfd) == -1)
+               return (-1);
+-
+       /* close on exec */
+       if (fcntl(retfd, F_SETFD, 1) == -1) {
+               close(retfd);
+               return (-1);
+       }
+-#else
+-        retfd = fd;
++      return retfd;
+ #endif
+-      return (retfd);
+ }
+ static void put_dev_crypto(int fd)
+-- 
+2.3.5
+
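Review bot: In the new `open_dev_crypto`, close-on-exec is still set by a separate `fcntl(fd, F_SETFD, 1)` after `open()`, so a fork and exec from another thread between the two calls would hand the /dev/crypto descriptor to the child. Where the platform provides it, `fd = open("/dev/crypto", O_RDWR | O_CLOEXEC);` sets the flag atomically, and the remaining `fcntl` calls would read better with `FD_CLOEXEC` than with the literal `1`. The descriptor returned by `CRIOGET` cannot be created with the flag, so that `fcntl` has to stay. The `static int fd` cache that moved into `get_dev_crypto` is also filled without any locking, so two threads making the first call could each open the device and lose one descriptor; whether first use is always single-threaded is not visible from this patch.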
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0025-cryptodev-put_dev_crypto-should-be-an-int.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0025-cryptodev-put_dev_crypto-should-be-an-int.patch
new file mode 100644 (file)
index 0000000..a48dc6a
--- /dev/null
@@ -0,0 +1,35 @@
+From 84a8007b6e92fe4c2696cc9e330207ee03303a20 Mon Sep 17 00:00:00 2001
+From: Cristian Stoica <cristian.stoica@freescale.com>
+Date: Thu, 19 Feb 2015 13:09:32 +0200
+Subject: [PATCH 25/26] cryptodev: put_dev_crypto should be an int
+
+Change-Id: Ie0a83bc07a37132286c098b17ef35d98de74b043
+Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com>
+Reviewed-on: http://git.am.freescale.net:8181/34220
+---
+ crypto/engine/eng_cryptodev.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index b74fc7c..c9db27d 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -347,10 +347,12 @@ static int get_dev_crypto(void)
+ #endif
+ }
+-static void put_dev_crypto(int fd)
++static int put_dev_crypto(int fd)
+ {
+-#ifndef CRIOGET_NOT_NEEDED
+-      close(fd);
++#ifdef CRIOGET_NOT_NEEDED
++      return 0;
++#else
++      return close(fd);
+ #endif
+ }
+-- 
+2.3.5
+
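Review bot: The new return value of `put_dev_crypto` is undocumented, and it means different things in the two build configurations: 0 without closing anything when `CRIOGET_NOT_NEEDED` is defined, and the result of `close(fd)` otherwise. A header comment would make that contract explicit, for example `/* Release a descriptor from get_dev_crypto(); returns close()'s result, or 0 when the shared descriptor is kept open. */`. The callers are outside this hunk, so it is not visible whether any of them checks the result.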
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0026-cryptodev-simplify-cryptodev-pkc-support-code.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0026-cryptodev-simplify-cryptodev-pkc-support-code.patch
new file mode 100644 (file)
index 0000000..6527ac8
--- /dev/null
@@ -0,0 +1,250 @@
+From 787539e7720c99785f6c664a7484842bba08f6ed Mon Sep 17 00:00:00 2001
+From: Cristian Stoica <cristian.stoica@freescale.com>
+Date: Thu, 19 Feb 2015 13:39:52 +0200
+Subject: [PATCH 26/26] cryptodev: simplify cryptodev pkc support code
+
+- Engine init returns directly a file descriptor instead of a pointer to one
+- Similarly, the Engine close will now just close the file
+
+Change-Id: Ief736d0776c7009dee002204fb1d4ce9d31c8787
+Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com>
+Reviewed-on: http://git.am.freescale.net:8181/34221
+---
+ crypto/crypto.h               |  2 +-
+ crypto/engine/eng_cryptodev.c | 35 +++-----------------------
+ crypto/engine/eng_int.h       | 14 +++--------
+ crypto/engine/eng_lib.c       | 57 +++++++++++++++++++++----------------------
+ crypto/engine/engine.h        | 13 +++++-----
+ 5 files changed, 42 insertions(+), 79 deletions(-)
+
+diff --git a/crypto/crypto.h b/crypto/crypto.h
+index ce12731..292427e 100644
+--- a/crypto/crypto.h
++++ b/crypto/crypto.h
+@@ -618,7 +618,7 @@ struct pkc_cookie_s {
+          *            -EINVAL: Parameters Invalid
+          */
+       void (*pkc_callback)(struct pkc_cookie_s *cookie, int status);
+-      void *eng_handle;
++      int eng_handle;
+ };
+ #ifdef  __cplusplus
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index c9db27d..f173bde 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -1742,7 +1742,7 @@ cryptodev_asym_async(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen,
+       struct pkc_cookie_s *cookie = kop->cookie;
+       struct cryptodev_cookie_s *eng_cookie;
+-      fd = *(int *)cookie->eng_handle;
++      fd = cookie->eng_handle;
+       eng_cookie = malloc(sizeof(struct cryptodev_cookie_s));
+       if (!eng_cookie)
+@@ -1802,38 +1802,11 @@ cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s)
+       return (ret);
+ }
+-/* Close an opened instance of cryptodev engine */
+-void cryptodev_close_instance(void *handle)
+-{
+-      int fd;
+-
+-      if (handle) {
+-              fd = *(int *)handle;
+-              close(fd);
+-              free(handle);
+-      }
+-}
+-
+-/* Create an instance of cryptodev for asynchronous interface */
+-void *cryptodev_init_instance(void)
+-{
+-      int *fd = malloc(sizeof(int));
+-
+-      if (fd) {
+-              if ((*fd = open("/dev/crypto", O_RDWR, 0)) == -1) {
+-                      free(fd);
+-                      return NULL;
+-              }
+-      }
+-      return fd;
+-}
+-
+ #include <poll.h>
+ /* Return 0 on success and 1 on failure */
+-int cryptodev_check_availability(void *eng_handle)
++int cryptodev_check_availability(int fd)
+ {
+-      int fd = *(int *)eng_handle;
+       struct pkc_cookie_list_s cookie_list;
+       struct pkc_cookie_s *cookie;
+       int i;
+@@ -4540,8 +4513,8 @@ ENGINE_load_cryptodev(void)
+       }
+       ENGINE_set_check_pkc_availability(engine, cryptodev_check_availability);
+-      ENGINE_set_close_instance(engine, cryptodev_close_instance);
+-      ENGINE_set_init_instance(engine, cryptodev_init_instance);
++      ENGINE_set_close_instance(engine, put_dev_crypto);
++      ENGINE_set_open_instance(engine, open_dev_crypto);
+       ENGINE_set_async_map(engine, ENGINE_ALLPKC_ASYNC);
+       ENGINE_add(engine);
+diff --git a/crypto/engine/eng_int.h b/crypto/engine/eng_int.h
+index 8fc3077..8fb79c0 100644
+--- a/crypto/engine/eng_int.h
++++ b/crypto/engine/eng_int.h
+@@ -181,23 +181,15 @@ struct engine_st
+       ENGINE_LOAD_KEY_PTR load_pubkey;
+       ENGINE_SSL_CLIENT_CERT_PTR load_ssl_client_cert;
+-      /*
+-       * Instantiate Engine handle to be passed in check_pkc_availability
+-       * Ensure that Engine is instantiated before any pkc asynchronous call.
+-       */
+-      void *(*engine_init_instance)(void);
+-      /*
+-       * Instantiated Engine handle will be closed with this call.
+-       * Ensure that no pkc asynchronous call is made after this call
+-       */
+-      void (*engine_close_instance)(void *handle);
++      int (*engine_open_instance)(void);
++      int (*engine_close_instance)(int fd);
+       /*
+        * Check availability will extract the data from kernel.
+        * eng_handle: This is the Engine handle corresponds to which
+        * the cookies needs to be polled.
+        * return 0 if cookie available else 1
+        */
+-      int (*check_pkc_availability)(void *eng_handle);
++      int (*check_pkc_availability)(int fd);
+       /*
+        * The following map is used to check if the engine supports asynchronous implementation
+        * ENGINE_ASYNC_FLAG* for available bitmap. Any application checking for asynchronous
+diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c
+index 6fa621c..6c9471b 100644
+--- a/crypto/engine/eng_lib.c
++++ b/crypto/engine/eng_lib.c
+@@ -99,7 +99,7 @@ void engine_set_all_null(ENGINE *e)
+       e->load_privkey = NULL;
+       e->load_pubkey = NULL;
+       e->check_pkc_availability = NULL;
+-      e->engine_init_instance = NULL;
++      e->engine_open_instance = NULL;
+       e->engine_close_instance = NULL;
+       e->cmd_defns = NULL;
+       e->async_map = 0;
+@@ -237,47 +237,46 @@ int ENGINE_set_id(ENGINE *e, const char *id)
+       return 1;
+       }
+-void ENGINE_set_init_instance(ENGINE *e, void *(*engine_init_instance)(void))
+-      {
+-              e->engine_init_instance = engine_init_instance;
+-      }
++void ENGINE_set_open_instance(ENGINE *e, int (*engine_open_instance)(void))
++{
++      e->engine_open_instance = engine_open_instance;
++}
+-void ENGINE_set_close_instance(ENGINE *e,
+-      void (*engine_close_instance)(void *))
+-      {
+-              e->engine_close_instance = engine_close_instance;
+-      }
++void ENGINE_set_close_instance(ENGINE *e, int (*engine_close_instance)(int))
++{
++      e->engine_close_instance = engine_close_instance;
++}
+ void ENGINE_set_async_map(ENGINE *e, int async_map)
+       {
+               e->async_map = async_map;
+       }
+-void *ENGINE_init_instance(ENGINE *e)
+-      {
+-              return e->engine_init_instance();
+-      }
+-
+-void ENGINE_close_instance(ENGINE *e, void *eng_handle)
+-      {
+-              e->engine_close_instance(eng_handle);
+-      }
+-
+ int ENGINE_get_async_map(ENGINE *e)
+       {
+               return e->async_map;
+       }
+-void ENGINE_set_check_pkc_availability(ENGINE *e,
+-      int (*check_pkc_availability)(void *eng_handle))
+-      {
+-              e->check_pkc_availability = check_pkc_availability;
+-      }
++int ENGINE_open_instance(ENGINE *e)
++{
++      return e->engine_open_instance();
++}
+-int ENGINE_check_pkc_availability(ENGINE *e, void *eng_handle)
+-      {
+-              return e->check_pkc_availability(eng_handle);
+-      }
++int ENGINE_close_instance(ENGINE *e, int fd)
++{
++      return e->engine_close_instance(fd);
++}
++
++void ENGINE_set_check_pkc_availability(ENGINE *e,
++      int (*check_pkc_availability)(int fd))
++{
++      e->check_pkc_availability = check_pkc_availability;
++}
++
++int ENGINE_check_pkc_availability(ENGINE *e, int fd)
++{
++      return e->check_pkc_availability(fd);
++}
+ int ENGINE_set_name(ENGINE *e, const char *name)
+       {
+diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h
+index ccff86a..3ba3e97 100644
+--- a/crypto/engine/engine.h
++++ b/crypto/engine/engine.h
+@@ -473,9 +473,6 @@ ENGINE *ENGINE_new(void);
+ int ENGINE_free(ENGINE *e);
+ int ENGINE_up_ref(ENGINE *e);
+ int ENGINE_set_id(ENGINE *e, const char *id);
+-void ENGINE_set_init_instance(ENGINE *e, void *(*engine_init_instance)(void));
+-void ENGINE_set_close_instance(ENGINE *e,
+-      void (*engine_free_instance)(void *));
+ /*
+  * Following FLAGS are bitmap store in async_map to set asynchronous interface capability
+  *of the engine
+@@ -492,11 +489,13 @@ void ENGINE_set_async_map(ENGINE *e, int async_map);
+   * to confirm asynchronous methods supported
+   */
+ int ENGINE_get_async_map(ENGINE *e);
+-void *ENGINE_init_instance(ENGINE *e);
+-void ENGINE_close_instance(ENGINE *e, void *eng_handle);
++int ENGINE_open_instance(ENGINE *e);
++int ENGINE_close_instance(ENGINE *e, int fd);
++void ENGINE_set_init_instance(ENGINE *e, int(*engine_init_instance)(void));
++void ENGINE_set_close_instance(ENGINE *e, int(*engine_close_instance)(int));
+ void ENGINE_set_check_pkc_availability(ENGINE *e,
+-      int (*check_pkc_availability)(void *eng_handle));
+-int ENGINE_check_pkc_availability(ENGINE *e, void *eng_handle);
++      int (*check_pkc_availability)(int fd));
++int ENGINE_check_pkc_availability(ENGINE *e, int fd);
+ int ENGINE_set_name(ENGINE *e, const char *name);
+ int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth);
+ int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth);
+-- 
+2.3.5
+
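Review bot: On builds that define `CRIOGET_NOT_NEEDED`, registering `put_dev_crypto` as the close-instance callback in `ENGINE_load_cryptodev` leaks the descriptor: after patch 25 that function returns 0 there without calling `close()`, while `open_dev_crypto`, the open callback, opens a fresh descriptor on every call. The removed `cryptodev_close_instance` always closed, and a small wrapper such as `static int cryptodev_close_instance(int fd) { return close(fd); }` would keep that behaviour. Separately, engine.h declares `ENGINE_set_init_instance` while eng_lib.c defines and eng_cryptodev.c calls `ENGINE_set_open_instance`, so the setter is used without a prototype; the header line should read `void ENGINE_set_open_instance(ENGINE *e, int (*engine_open_instance)(void));`. With `eng_handle` now an `int`, a failed open is reported as -1 rather than NULL and a zero-initialised cookie names descriptor 0, so callers outside this patch need to test for `< 0` before using the handle.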
index 2fa098fd98b1d8fa2dc7bd77dab2855112c5b0ff..7b381ffb8fd955d0d366fae72f0493da8e77318d 100644 (file)
@@ -19,7 +19,17 @@ SRC_URI_append_class-target = " file://0001-remove-double-initialization-of-cryp
        file://0015-SW-Backoff-mechanism-for-dsa-keygen.patch \
        file://0016-Fixed-DH-keygen-pair-generator.patch \
        file://0017-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch \
+       file://0018-eng_cryptodev-extend-TLS-offload-with-3des_cbc_hmac_.patch \
+       file://0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch \
+       file://0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch \
+       file://0021-cryptodev-drop-redundant-function.patch \
+       file://0022-cryptodev-do-not-zero-the-buffer-before-use.patch \
+       file://0023-cryptodev-clean-up-code-layout.patch \
+       file://0024-cryptodev-do-not-cache-file-descriptor-in-open.patch \
+       file://0025-cryptodev-put_dev_crypto-should-be-an-int.patch \
+       file://0026-cryptodev-simplify-cryptodev-pkc-support-code.patch \
 "
+
 # Digest offloading through cryptodev is not recommended because of the
 # performance penalty of the Openssl engine interface. Openssl generates a huge
 # number of calls to digest functions for even a small amount of work data.