From: Cristian Stoica
Date: Fri, 17 Jul 2015 09:29:43 +0000 (+0800)
Subject: openssl: add sdk-v1.8 patches
X-Git-Tag: 2.1~486
X-Git-Url: https://code.ossystems.io/gitweb?a=commitdiff_plain;h=a6e9e14a15a6f5007a5f53531eb18a24c7ab1ac4;p=meta-freescale.git

openssl: add sdk-v1.8 patches

This imports the following changes:

eng_cryptodev: extend TLS offload with 3des_cbc_hmac_sha1
eng_cryptodev: add support for TLSv1.1 record offload
eng_cryptodev: add support for TLSv1.2 record offload
cryptodev: drop redundant function
cryptodev: do not zero the buffer before use
cryptodev: clean-up code layout
cryptodev: do not cache file descriptor in 'open'
cryptodev: put_dev_crypto should be an int
cryptodev: simplify cryptodev pkc support code

Signed-off-by: Cristian Stoica
Acked-by: Otavio Salvador
Signed-off-by: Otavio Salvador
---
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0001-remove-double-initialization-of-cryptodev-engine.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0001-remove-double-initialization-of-cryptodev-engine.patch index 233cf6e2..e7b874f5 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0001-remove-double-initialization-of-cryptodev-engine.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0001-remove-double-initialization-of-cryptodev-engine.patch @@ -1,7 +1,7 @@ From 9297e3834518ff0558d6e7004a62adfd107e659a Mon Sep 17 00:00:00 2001 From: Cristian Stoica Date: Tue, 10 Sep 2013 12:46:46 +0300 -Subject: [PATCH 01/17] remove double initialization of cryptodev engine +Subject: [PATCH 01/26] remove double initialization of cryptodev engine cryptodev engine is initialized together with the other engines in ENGINE_load_builtin_engines. The initialization done through @@ -79,5 +79,5 @@ index aa86b2b..ae50040 100755 EVP_aes_128_cfb8 3248 EXIST::FUNCTION:AES FIPS_corrupt_rsa 3249 NOEXIST::FUNCTION: -- -1.8.3.1 +2.3.5 
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0002-eng_cryptodev-add-support-for-TLS-algorithms-offload.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0002-eng_cryptodev-add-support-for-TLS-algorithms-offload.patch index 0b77bfa8..ab2b7ea9 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0002-eng_cryptodev-add-support-for-TLS-algorithms-offload.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0002-eng_cryptodev-add-support-for-TLS-algorithms-offload.patch @@ -1,7 +1,7 @@ From dfd6ba263dc25ea2a4bbc32448b24ca2b1fc40e8 Mon Sep 17 00:00:00 2001 From: Cristian Stoica Date: Thu, 29 Aug 2013 16:51:18 +0300 -Subject: [PATCH 02/17] eng_cryptodev: add support for TLS algorithms offload +Subject: [PATCH 02/26] eng_cryptodev: add support for TLS algorithms offload - aes-128-cbc-hmac-sha1 - aes-256-cbc-hmac-sha1 @@ -313,5 +313,5 @@ index 5a715ac..7588a28 100644 !ENGINE_set_name(engine, "BSD cryptodev engine") || !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) || -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0003-cryptodev-fix-algorithm-registration.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0003-cryptodev-fix-algorithm-registration.patch index b31668e1..f0d97e9a 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0003-cryptodev-fix-algorithm-registration.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0003-cryptodev-fix-algorithm-registration.patch @@ -1,7 +1,7 @@ From 084fa469a8fef530d71a0870364df1c7997f6465 Mon Sep 17 00:00:00 2001 From: Cristian Stoica Date: Thu, 31 Jul 2014 14:06:19 +0300 -Subject: [PATCH 03/17] cryptodev: fix algorithm registration +Subject: [PATCH 03/26] cryptodev: fix algorithm registration Cryptodev specific algorithms must register only if available in kernel. 
@@ -60,5 +60,5 @@ index 7588a28..e3eb98b 100644 !ENGINE_set_name(engine, "BSD cryptodev engine") || !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) || -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0004-linux-pcc-make-it-more-robust-and-recognize-KERNEL_B.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0004-linux-pcc-make-it-more-robust-and-recognize-KERNEL_B.patch index af30ad3d..2d722d8a 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0004-linux-pcc-make-it-more-robust-and-recognize-KERNEL_B.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0004-linux-pcc-make-it-more-robust-and-recognize-KERNEL_B.patch @@ -1,7 +1,7 @@ From 7d770f0324498d1fa78300cc5cecc8c1dcd3b788 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Sun, 21 Oct 2012 18:19:41 +0000 -Subject: [PATCH 04/17] linux-pcc: make it more robust and recognize +Subject: [PATCH 04/26] linux-pcc: make it more robust and recognize KERNEL_BITS variable. (cherry picked from commit 78c3e20579d3baa159c8b51b59d415b6e521614b) @@ -70,5 +70,5 @@ index f71ba66..531f1b3 100644 { OPENSSL_ppc64_probe(); -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0005-ECC-Support-header-for-Cryptodev-Engine.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0005-ECC-Support-header-for-Cryptodev-Engine.patch index cfcf4a66..c9ff5aa8 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0005-ECC-Support-header-for-Cryptodev-Engine.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0005-ECC-Support-header-for-Cryptodev-Engine.patch @@ -1,7 +1,7 @@ From 15abbcd740eafbf2a46b5da24be76acf4982743d Mon Sep 17 00:00:00 2001 From: Yashpal Dutta Date: Tue, 11 Mar 2014 05:56:54 +0545 -Subject: [PATCH 05/17] ECC Support header for Cryptodev Engine +Subject: [PATCH 05/26] ECC Support header for Cryptodev Engine Upstream-status: Pending 
@@ -314,5 +314,5 @@ index 0000000..77aee71 +}; +#endif -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0006-Fixed-private-key-support-for-DH.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0006-Fixed-private-key-support-for-DH.patch index 41f48a2f..01c268b6 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0006-Fixed-private-key-support-for-DH.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0006-Fixed-private-key-support-for-DH.patch @@ -1,7 +1,7 @@ From 39a9e609290a8a1163a721915bcde0c7cf8f92f7 Mon Sep 17 00:00:00 2001 From: Yashpal Dutta Date: Tue, 11 Mar 2014 05:57:47 +0545 -Subject: [PATCH 06/17] Fixed private key support for DH +Subject: [PATCH 06/26] Fixed private key support for DH Upstream-status: Pending @@ -29,5 +29,5 @@ index 02ec2d4..ed32004 100644 return 1; } -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0007-Fixed-private-key-support-for-DH.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0007-Fixed-private-key-support-for-DH.patch index f507fff7..12fcd7df 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0007-Fixed-private-key-support-for-DH.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0007-Fixed-private-key-support-for-DH.patch @@ -1,7 +1,7 @@ From 8322e4157bf49d992b5b9e460f2c0785865dd1c1 Mon Sep 17 00:00:00 2001 From: Yashpal Dutta Date: Thu, 20 Mar 2014 19:55:51 -0500 -Subject: [PATCH 07/17] Fixed private key support for DH +Subject: [PATCH 07/26] Fixed private key support for DH Upstream-status: Pending @@ -31,5 +31,5 @@ index ed32004..02ec2d4 100644 return 1; } -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0008-Initial-support-for-PKC-in-cryptodev-engine.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0008-Initial-support-for-PKC-in-cryptodev-engine.patch index 6903c88d..8c8b1f22 100644 
--- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0008-Initial-support-for-PKC-in-cryptodev-engine.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0008-Initial-support-for-PKC-in-cryptodev-engine.patch @@ -1,7 +1,7 @@ From 107a10d45db0f2e58482f698add04ed9183f7268 Mon Sep 17 00:00:00 2001 From: Yashpal Dutta Date: Tue, 11 Mar 2014 06:29:52 +0545 -Subject: [PATCH 08/17] Initial support for PKC in cryptodev engine +Subject: [PATCH 08/26] Initial support for PKC in cryptodev engine Upstream-status: Pending @@ -1560,5 +1560,5 @@ index e3eb98b..7ee314b 100644 } -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0009-Added-hwrng-dev-file-as-source-of-RNG.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0009-Added-hwrng-dev-file-as-source-of-RNG.patch index 6a69c324..0fb01821 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0009-Added-hwrng-dev-file-as-source-of-RNG.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0009-Added-hwrng-dev-file-as-source-of-RNG.patch @@ -1,7 +1,7 @@ From 81c4c62a4f5f5542843381bfb34e39a6171d5cdd Mon Sep 17 00:00:00 2001 From: Yashpal Dutta Date: Tue, 11 Mar 2014 06:42:59 +0545 -Subject: [PATCH 09/17] Added hwrng dev file as source of RNG +Subject: [PATCH 09/26] Added hwrng dev file as source of RNG Upstream-status: Pending @@ -24,5 +24,5 @@ index 6a0aad1..57c0563 100644 #ifndef DEVRANDOM_EGD /* set this to a comma-seperated list of 'egd' sockets to try out. These -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0010-Asynchronous-interface-added-for-PKC-cryptodev-inter.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0010-Asynchronous-interface-added-for-PKC-cryptodev-inter.patch index b7702d10..0f889c0f 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0010-Asynchronous-interface-added-for-PKC-cryptodev-inter.patch 
+++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0010-Asynchronous-interface-added-for-PKC-cryptodev-inter.patch @@ -1,7 +1,7 @@ From a933e6341fd8989bdd82f8a5446b6f04aa00eef9 Mon Sep 17 00:00:00 2001 From: Yashpal Dutta Date: Tue, 11 Mar 2014 07:14:30 +0545 -Subject: [PATCH 10/17] Asynchronous interface added for PKC cryptodev +Subject: [PATCH 10/26] Asynchronous interface added for PKC cryptodev interface Upstream-status: Pending @@ -2035,5 +2035,5 @@ index 5f269e5..6ef1b15 100644 int (*finish)(RSA *rsa); /* called at free */ int flags; /* RSA_METHOD_FLAG_* things */ -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0011-Add-RSA-keygen-operation-and-support-gendsa-command-.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0011-Add-RSA-keygen-operation-and-support-gendsa-command-.patch index 5e742986..244d230e 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0011-Add-RSA-keygen-operation-and-support-gendsa-command-.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0011-Add-RSA-keygen-operation-and-support-gendsa-command-.patch @@ -1,7 +1,7 @@ From e4fc051f8ae1c093b25ca346c2ec351ff3b700d1 Mon Sep 17 00:00:00 2001 From: Hou Zhiqiang Date: Wed, 2 Apr 2014 16:10:43 +0800 -Subject: [PATCH 11/17] Add RSA keygen operation and support gendsa command +Subject: [PATCH 11/26] Add RSA keygen operation and support gendsa command with hardware engine Upstream-status: Pending @@ -149,5 +149,5 @@ index 9f2416e..b2919a8 100644 } -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0012-RSA-Keygen-Fix.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0012-RSA-Keygen-Fix.patch index 44899733..7f907da4 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0012-RSA-Keygen-Fix.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0012-RSA-Keygen-Fix.patch @@ -1,7 +1,7 @@ 
From ac777f046da7151386d667391362ecb553ceee90 Mon Sep 17 00:00:00 2001 From: Yashpal Dutta Date: Wed, 16 Apr 2014 22:53:04 +0545 -Subject: [PATCH 12/17] RSA Keygen Fix +Subject: [PATCH 12/26] RSA Keygen Fix Upstream-status: Pending @@ -60,5 +60,5 @@ index b2919a8..ed5f20f 100644 return ret; -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0013-Removed-local-copy-of-curve_t-type.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0013-Removed-local-copy-of-curve_t-type.patch index 183f3fbd..c9d8ace8 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0013-Removed-local-copy-of-curve_t-type.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0013-Removed-local-copy-of-curve_t-type.patch @@ -1,7 +1,7 @@ From 6aaa306cdf878250d7b6eaf30978de313653886b Mon Sep 17 00:00:00 2001 From: Yashpal Dutta Date: Thu, 17 Apr 2014 06:57:59 +0545 -Subject: [PATCH 13/17] Removed local copy of curve_t type +Subject: [PATCH 13/26] Removed local copy of curve_t type Upstream-status: Pending @@ -160,5 +160,5 @@ index 77aee71..a4b8da5 100644 -}; #endif -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0014-Modulus-parameter-is-not-populated-by-dhparams.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0014-Modulus-parameter-is-not-populated-by-dhparams.patch index 46846f8f..198bed70 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0014-Modulus-parameter-is-not-populated-by-dhparams.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0014-Modulus-parameter-is-not-populated-by-dhparams.patch @@ -1,7 +1,7 @@ From 14623ca9e417ccef1ad3f4138acfac0ebe682f1f Mon Sep 17 00:00:00 2001 From: Yashpal Dutta Date: Tue, 22 Apr 2014 22:58:33 +0545 -Subject: [PATCH 14/17] Modulus parameter is not populated by dhparams +Subject: [PATCH 14/26] Modulus parameter is not populated by dhparams Upstream-status: Pending 
@@ -39,5 +39,5 @@ index 5d883fa..6d69336 100644 kop.crk_param[2].crp_p = g; kop.crk_param[2].crp_nbits = g_len * 8; -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0015-SW-Backoff-mechanism-for-dsa-keygen.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0015-SW-Backoff-mechanism-for-dsa-keygen.patch index c20f9d71..59330a1e 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0015-SW-Backoff-mechanism-for-dsa-keygen.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0015-SW-Backoff-mechanism-for-dsa-keygen.patch @@ -1,7 +1,7 @@ From 10be401a33e6ebcc325d6747914c70595cd53d0a Mon Sep 17 00:00:00 2001 From: Yashpal Dutta Date: Thu, 24 Apr 2014 00:35:34 +0545 -Subject: [PATCH 15/17] SW Backoff mechanism for dsa keygen +Subject: [PATCH 15/26] SW Backoff mechanism for dsa keygen Upstream-status: Pending @@ -49,5 +49,5 @@ index 6d69336..dab8fea 100644 } return ret; -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0016-Fixed-DH-keygen-pair-generator.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0016-Fixed-DH-keygen-pair-generator.patch index abcc2efc..8923cb63 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0016-Fixed-DH-keygen-pair-generator.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0016-Fixed-DH-keygen-pair-generator.patch @@ -1,7 +1,7 @@ From d2c868c6370bcc0d0a254e641907da2cdf992d62 Mon Sep 17 00:00:00 2001 From: Yashpal Dutta Date: Thu, 1 May 2014 06:35:45 +0545 -Subject: [PATCH 16/17] Fixed DH keygen pair generator +Subject: [PATCH 16/26] Fixed DH keygen pair generator Upstream-status: Pending @@ -96,5 +96,5 @@ index dab8fea..13d924f 100644 sw_try: { -- -1.8.3.1 +2.3.5 
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0017-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0017-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch index a71bb456..bd9e61ac 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0017-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0017-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch @@ -1,7 +1,7 @@ From 11b55103463bac614e00d74e9f196ec4ec6bade1 Mon Sep 17 00:00:00 2001 From: Cristian Stoica Date: Mon, 16 Jun 2014 14:06:21 +0300 -Subject: [PATCH 17/17] cryptodev: add support for aes-gcm algorithm offloading +Subject: [PATCH 17/26] cryptodev: add support for aes-gcm algorithm offloading Change-Id: I3b77dc5ef8b8f707309549244a02852d95b36168 Signed-off-by: Cristian Stoica @@ -305,5 +305,5 @@ index 13d924f..4493490 100644 *cipher = NULL; break; -- -1.8.3.1 +2.3.5 diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0018-eng_cryptodev-extend-TLS-offload-with-3des_cbc_hmac_.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0018-eng_cryptodev-extend-TLS-offload-with-3des_cbc_hmac_.patch new file mode 100644 index 00000000..1118a6fc --- /dev/null +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0018-eng_cryptodev-extend-TLS-offload-with-3des_cbc_hmac_.patch 
@@ -0,0 +1,193 @@ +From 21e3ca4ec77f9258aa4001f07faac1c4942b48b4 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Fri, 9 May 2014 17:54:06 +0300 +Subject: [PATCH 18/26] eng_cryptodev: extend TLS offload with + 3des_cbc_hmac_sha1 + +Both obj_mac.h and obj_dat.h were generated using the scripts +from crypto/objects: + +$ cd crypto/objects +$ perl objects.pl objects.txt obj_mac.num obj_mac.h +$ perl obj_dat.pl obj_mac.h obj_dat.h + +Change-Id: I94f13cdd09df67e33e6acd3c00aab47cb358ac46 +Signed-off-by: Tudor Ambarus +Signed-off-by: Cristian Stoica +Reviewed-on: http://git.am.freescale.net:8181/34001 +--- + crypto/engine/eng_cryptodev.c | 24 ++++++++++++++++++++++++ + crypto/objects/obj_dat.h | 10 +++++++--- + crypto/objects/obj_mac.h | 4 ++++ + crypto/objects/obj_mac.num | 1 + + crypto/objects/objects.txt | 1 + + ssl/ssl_ciph.c | 4 ++++ + 6 files changed, 41 insertions(+), 3 deletions(-) + +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index 79b2678..299e84b 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -135,6 +135,7 @@ static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, + void ENGINE_load_cryptodev(void); + const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1; + const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1; ++const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1; + + inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin, int *bin_len) + { +@@ -252,6 +253,7 @@ static struct { + { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, 0}, + { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, 0}, + { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, 0}, ++ { CRYPTO_TLS10_3DES_CBC_HMAC_SHA1, NID_des_ede3_cbc_hmac_sha1, 8, 24, 20}, + { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_128_cbc_hmac_sha1, 16, 16, 20}, + { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20}, + { CRYPTO_AES_GCM, NID_aes_128_gcm, 16, 16, 0}, +@@ -466,6 +468,9 @@ cryptodev_usable_ciphers(const int **nids) + case NID_aes_256_cbc_hmac_sha1: + 
EVP_add_cipher(&cryptodev_aes_256_cbc_hmac_sha1); + break; ++ case NID_des_ede3_cbc_hmac_sha1: ++ EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1); ++ break; + } + } + return count; +@@ -571,6 +576,7 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + switch (ctx->cipher->nid) { + case NID_aes_128_cbc_hmac_sha1: + case NID_aes_256_cbc_hmac_sha1: ++ case NID_des_ede3_cbc_hmac_sha1: + cryp.flags = COP_FLAG_AEAD_TLS_TYPE; + } + cryp.ses = sess->ses; +@@ -763,6 +769,7 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + switch (ctx->cipher->nid) { + case NID_aes_128_cbc_hmac_sha1: + case NID_aes_256_cbc_hmac_sha1: ++ case NID_des_ede3_cbc_hmac_sha1: + maclen = SHA_DIGEST_LENGTH; + } + +@@ -1082,6 +1089,20 @@ const EVP_CIPHER cryptodev_aes_256_cbc = { + NULL + }; + ++const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1 = { ++ NID_des_ede3_cbc_hmac_sha1, ++ 8, 24, 8, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ cryptodev_init_aead_key, ++ cryptodev_aead_cipher, ++ cryptodev_cleanup, ++ sizeof(struct dev_crypto_state), ++ EVP_CIPHER_set_asn1_iv, ++ EVP_CIPHER_get_asn1_iv, ++ cryptodev_cbc_hmac_sha1_ctrl, ++ NULL ++}; ++ + const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1 = { + NID_aes_128_cbc_hmac_sha1, + 16, 16, 16, +@@ -1163,6 +1184,9 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + case NID_aes_256_cbc: + *cipher = &cryptodev_aes_256_cbc; + break; ++ case NID_des_ede3_cbc_hmac_sha1: ++ *cipher = &cryptodev_3des_cbc_hmac_sha1; ++ break; + case NID_aes_128_cbc_hmac_sha1: + *cipher = &cryptodev_aes_128_cbc_hmac_sha1; + break; +diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h +index bc69665..9f2267a 100644 +--- a/crypto/objects/obj_dat.h ++++ b/crypto/objects/obj_dat.h +@@ -62,9 +62,9 @@ + * [including the GNU Public Licence.] 
+ */ + +-#define NUM_NID 920 +-#define NUM_SN 913 +-#define NUM_LN 913 ++#define NUM_NID 921 ++#define NUM_SN 914 ++#define NUM_LN 914 + #define NUM_OBJ 857 + + static const unsigned char lvalues[5974]={ +@@ -2399,6 +2399,8 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ + {"AES-256-CBC-HMAC-SHA1","aes-256-cbc-hmac-sha1", + NID_aes_256_cbc_hmac_sha1,0,NULL,0}, + {"RSAES-OAEP","rsaesOaep",NID_rsaesOaep,9,&(lvalues[5964]),0}, ++{"DES-EDE3-CBC-HMAC-SHA1","des-ede3-cbc-hmac-sha1", ++ NID_des_ede3_cbc_hmac_sha1,0,NULL,0}, + }; + + static const unsigned int sn_objs[NUM_SN]={ +@@ -2474,6 +2476,7 @@ static const unsigned int sn_objs[NUM_SN]={ + 62, /* "DES-EDE-OFB" */ + 33, /* "DES-EDE3" */ + 44, /* "DES-EDE3-CBC" */ ++920, /* "DES-EDE3-CBC-HMAC-SHA1" */ + 61, /* "DES-EDE3-CFB" */ + 658, /* "DES-EDE3-CFB1" */ + 659, /* "DES-EDE3-CFB8" */ +@@ -3585,6 +3588,7 @@ static const unsigned int ln_objs[NUM_LN]={ + 62, /* "des-ede-ofb" */ + 33, /* "des-ede3" */ + 44, /* "des-ede3-cbc" */ ++920, /* "des-ede3-cbc-hmac-sha1" */ + 61, /* "des-ede3-cfb" */ + 658, /* "des-ede3-cfb1" */ + 659, /* "des-ede3-cfb8" */ +diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h +index b5ea7cd..8751902 100644 +--- a/crypto/objects/obj_mac.h ++++ b/crypto/objects/obj_mac.h +@@ -4030,3 +4030,7 @@ + #define LN_aes_256_cbc_hmac_sha1 "aes-256-cbc-hmac-sha1" + #define NID_aes_256_cbc_hmac_sha1 918 + ++#define SN_des_ede3_cbc_hmac_sha1 "DES-EDE3-CBC-HMAC-SHA1" ++#define LN_des_ede3_cbc_hmac_sha1 "des-ede3-cbc-hmac-sha1" ++#define NID_des_ede3_cbc_hmac_sha1 920 ++ +diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num +index 1d0a7c8..9d44bb5 100644 +--- a/crypto/objects/obj_mac.num ++++ b/crypto/objects/obj_mac.num +@@ -917,3 +917,4 @@ aes_128_cbc_hmac_sha1 916 + aes_192_cbc_hmac_sha1 917 + aes_256_cbc_hmac_sha1 918 + rsaesOaep 919 ++des_ede3_cbc_hmac_sha1 920 +diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt +index d3bfad7..90d2fc5 100644 +--- 
a/crypto/objects/objects.txt ++++ b/crypto/objects/objects.txt +@@ -1290,3 +1290,4 @@ kisa 1 6 : SEED-OFB : seed-ofb + : AES-128-CBC-HMAC-SHA1 : aes-128-cbc-hmac-sha1 + : AES-192-CBC-HMAC-SHA1 : aes-192-cbc-hmac-sha1 + : AES-256-CBC-HMAC-SHA1 : aes-256-cbc-hmac-sha1 ++ : DES-EDE3-CBC-HMAC-SHA1 : des-ede3-cbc-hmac-sha1 +diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +index 8188ff5..310fe76 100644 +--- a/ssl/ssl_ciph.c ++++ b/ssl/ssl_ciph.c +@@ -639,6 +639,10 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, + c->algorithm_mac == SSL_SHA1 && + (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) + *enc = evp, *md = NULL; ++ else if (c->algorithm_enc == SSL_3DES && ++ c->algorithm_mac == SSL_SHA1 && ++ (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1"))) ++ *enc = evp, *md = NULL; + return(1); + } + else +-- +2.3.5 + diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch new file mode 100644 index 00000000..988d79ea --- /dev/null +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch 
@@ -0,0 +1,355 @@ +From 1de2b740a3bdcd8e98abb5f4e176d46fd817b932 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Tue, 31 Mar 2015 16:30:17 +0300 +Subject: [PATCH 19/26] eng_cryptodev: add support for TLSv1.1 record offload + +Supported cipher suites: +- 3des-ede-cbc-sha +- aes-128-cbc-hmac-sha +- aes-256-cbc-hmac-sha + +Requires TLS patches on cryptodev and TLS algorithm support in Linux +kernel driver. + +Signed-off-by: Tudor Ambarus +Change-Id: Id414f36a528de3f476b72688cf85714787d7ccae +Reviewed-on: http://git.am.freescale.net:8181/34002 +Reviewed-by: Cristian Stoica +Tested-by: Cristian Stoica +--- + crypto/engine/eng_cryptodev.c | 101 ++++++++++++++++++++++++++++++++++++++---- + crypto/objects/obj_dat.h | 18 ++++++-- + crypto/objects/obj_mac.h | 12 +++++ + crypto/objects/obj_mac.num | 3 ++ + crypto/objects/objects.txt | 3 ++ + ssl/ssl_ciph.c | 26 +++++++++-- + 6 files changed, 148 insertions(+), 15 deletions(-) + +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index 299e84b..f71ab27 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -66,6 +66,7 @@ ENGINE_load_cryptodev(void) + #include + #include + #include ++#include + #include + #include + #include +@@ -133,9 +134,12 @@ static int cryptodev_dh_compute_key(unsigned char *key, + static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, + void (*f)(void)); + void ENGINE_load_cryptodev(void); ++const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1; + const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1; + const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1; +-const EVP_CIPHER cryptodev_3des_cbc_hmac_sha1; ++const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1; ++const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1; ++const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1; + + inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin, int *bin_len) + { +@@ -256,6 +260,9 @@ static struct { + { CRYPTO_TLS10_3DES_CBC_HMAC_SHA1, NID_des_ede3_cbc_hmac_sha1, 8, 24, 
20}, + { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_128_cbc_hmac_sha1, 16, 16, 20}, + { CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20}, ++ { CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8, 24, 20}, ++ { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16, 20}, ++ { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32, 20}, + { CRYPTO_AES_GCM, NID_aes_128_gcm, 16, 16, 0}, + { 0, NID_undef, 0, 0, 0}, + }; +@@ -462,14 +469,23 @@ cryptodev_usable_ciphers(const int **nids) + /* add ciphers specific to cryptodev if found in kernel */ + for(i = 0; i < count; i++) { + switch (*(*nids + i)) { ++ case NID_des_ede3_cbc_hmac_sha1: ++ EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1); ++ break; + case NID_aes_128_cbc_hmac_sha1: + EVP_add_cipher(&cryptodev_aes_128_cbc_hmac_sha1); + break; + case NID_aes_256_cbc_hmac_sha1: + EVP_add_cipher(&cryptodev_aes_256_cbc_hmac_sha1); + break; +- case NID_des_ede3_cbc_hmac_sha1: +- EVP_add_cipher(&cryptodev_3des_cbc_hmac_sha1); ++ case NID_tls11_des_ede3_cbc_hmac_sha1: ++ EVP_add_cipher(&cryptodev_tls11_3des_cbc_hmac_sha1); ++ break; ++ case NID_tls11_aes_128_cbc_hmac_sha1: ++ EVP_add_cipher(&cryptodev_tls11_aes_128_cbc_hmac_sha1); ++ break; ++ case NID_tls11_aes_256_cbc_hmac_sha1: ++ EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1); + break; + } + } +@@ -574,9 +590,12 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + + /* TODO: make a seamless integration with cryptodev flags */ + switch (ctx->cipher->nid) { ++ case NID_des_ede3_cbc_hmac_sha1: + case NID_aes_128_cbc_hmac_sha1: + case NID_aes_256_cbc_hmac_sha1: +- case NID_des_ede3_cbc_hmac_sha1: ++ case NID_tls11_des_ede3_cbc_hmac_sha1: ++ case NID_tls11_aes_128_cbc_hmac_sha1: ++ case NID_tls11_aes_256_cbc_hmac_sha1: + cryp.flags = COP_FLAG_AEAD_TLS_TYPE; + } + cryp.ses = sess->ses; +@@ -758,8 +777,9 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int 
arg, + struct dev_crypto_state *state = ctx->cipher_data; + unsigned char *p = ptr; + unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1]; +- unsigned int maclen, padlen; ++ unsigned int maclen, padlen, len; + unsigned int bs = ctx->cipher->block_size; ++ bool aad_needs_fix = false; + + state->aad = ptr; + state->aad_len = arg; +@@ -767,10 +787,24 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + + /* TODO: this should be an extension of EVP_CIPHER struct */ + switch (ctx->cipher->nid) { ++ case NID_des_ede3_cbc_hmac_sha1: + case NID_aes_128_cbc_hmac_sha1: + case NID_aes_256_cbc_hmac_sha1: +- case NID_des_ede3_cbc_hmac_sha1: + maclen = SHA_DIGEST_LENGTH; ++ break; ++ case NID_tls11_des_ede3_cbc_hmac_sha1: ++ case NID_tls11_aes_128_cbc_hmac_sha1: ++ case NID_tls11_aes_256_cbc_hmac_sha1: ++ maclen = SHA_DIGEST_LENGTH; ++ aad_needs_fix = true; ++ break; ++ } ++ ++ /* Correct length for AAD Length field */ ++ if (ctx->encrypt && aad_needs_fix) { ++ len = cryptlen - bs; ++ p[arg-2] = len >> 8; ++ p[arg-1] = len & 0xff; + } + + /* space required for encryption (not only TLS padding) */ +@@ -1131,6 +1165,48 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1 = { + NULL + }; + ++const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1 = { ++ NID_tls11_des_ede3_cbc_hmac_sha1, ++ 8, 24, 8, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ cryptodev_init_aead_key, ++ cryptodev_aead_cipher, ++ cryptodev_cleanup, ++ sizeof(struct dev_crypto_state), ++ EVP_CIPHER_set_asn1_iv, ++ EVP_CIPHER_get_asn1_iv, ++ cryptodev_cbc_hmac_sha1_ctrl, ++ NULL ++}; ++ ++const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1 = { ++ NID_tls11_aes_128_cbc_hmac_sha1, ++ 16, 16, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ cryptodev_init_aead_key, ++ cryptodev_aead_cipher, ++ cryptodev_cleanup, ++ sizeof(struct dev_crypto_state), ++ EVP_CIPHER_set_asn1_iv, ++ EVP_CIPHER_get_asn1_iv, ++ cryptodev_cbc_hmac_sha1_ctrl, ++ NULL ++}; ++ ++const EVP_CIPHER 
cryptodev_tls11_aes_256_cbc_hmac_sha1 = { ++ NID_tls11_aes_256_cbc_hmac_sha1, ++ 16, 32, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ cryptodev_init_aead_key, ++ cryptodev_aead_cipher, ++ cryptodev_cleanup, ++ sizeof(struct dev_crypto_state), ++ EVP_CIPHER_set_asn1_iv, ++ EVP_CIPHER_get_asn1_iv, ++ cryptodev_cbc_hmac_sha1_ctrl, ++ NULL ++}; ++ + const EVP_CIPHER cryptodev_aes_128_gcm = { + NID_aes_128_gcm, + 1, 16, 12, +@@ -1184,6 +1260,9 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + case NID_aes_256_cbc: + *cipher = &cryptodev_aes_256_cbc; + break; ++ case NID_aes_128_gcm: ++ *cipher = &cryptodev_aes_128_gcm; ++ break; + case NID_des_ede3_cbc_hmac_sha1: + *cipher = &cryptodev_3des_cbc_hmac_sha1; + break; +@@ -1193,8 +1272,14 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + case NID_aes_256_cbc_hmac_sha1: + *cipher = &cryptodev_aes_256_cbc_hmac_sha1; + break; +- case NID_aes_128_gcm: +- *cipher = &cryptodev_aes_128_gcm; ++ case NID_tls11_des_ede3_cbc_hmac_sha1: ++ *cipher = &cryptodev_tls11_3des_cbc_hmac_sha1; ++ break; ++ case NID_tls11_aes_128_cbc_hmac_sha1: ++ *cipher = &cryptodev_tls11_aes_128_cbc_hmac_sha1; ++ break; ++ case NID_tls11_aes_256_cbc_hmac_sha1: ++ *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1; + break; + default: + *cipher = NULL; +diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h +index 9f2267a..dc89b0a 100644 +--- a/crypto/objects/obj_dat.h ++++ b/crypto/objects/obj_dat.h +@@ -62,9 +62,9 @@ + * [including the GNU Public Licence.] 
+ */ + +-#define NUM_NID 921 +-#define NUM_SN 914 +-#define NUM_LN 914 ++#define NUM_NID 924 ++#define NUM_SN 917 ++#define NUM_LN 917 + #define NUM_OBJ 857 + + static const unsigned char lvalues[5974]={ +@@ -2401,6 +2401,12 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ + {"RSAES-OAEP","rsaesOaep",NID_rsaesOaep,9,&(lvalues[5964]),0}, + {"DES-EDE3-CBC-HMAC-SHA1","des-ede3-cbc-hmac-sha1", + NID_des_ede3_cbc_hmac_sha1,0,NULL,0}, ++{"TLS11-DES-EDE3-CBC-HMAC-SHA1","tls11-des-ede3-cbc-hmac-sha1", ++ NID_tls11_des_ede3_cbc_hmac_sha1,0,NULL,0}, ++{"TLS11-AES-128-CBC-HMAC-SHA1","tls11-aes-128-cbc-hmac-sha1", ++ NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0}, ++{"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1", ++ NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0}, + }; + + static const unsigned int sn_objs[NUM_SN]={ +@@ -2586,6 +2592,9 @@ static const unsigned int sn_objs[NUM_SN]={ + 100, /* "SN" */ + 16, /* "ST" */ + 143, /* "SXNetID" */ ++922, /* "TLS11-AES-128-CBC-HMAC-SHA1" */ ++923, /* "TLS11-AES-256-CBC-HMAC-SHA1" */ ++921, /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */ + 458, /* "UID" */ + 0, /* "UNDEF" */ + 11, /* "X500" */ +@@ -4205,6 +4214,9 @@ static const unsigned int ln_objs[NUM_LN]={ + 459, /* "textEncodedORAddress" */ + 293, /* "textNotice" */ + 106, /* "title" */ ++922, /* "tls11-aes-128-cbc-hmac-sha1" */ ++923, /* "tls11-aes-256-cbc-hmac-sha1" */ ++921, /* "tls11-des-ede3-cbc-hmac-sha1" */ + 682, /* "tpBasis" */ + 436, /* "ucl" */ + 0, /* "undefined" */ +diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h +index 8751902..f181890 100644 +--- a/crypto/objects/obj_mac.h ++++ b/crypto/objects/obj_mac.h +@@ -4034,3 +4034,15 @@ + #define LN_des_ede3_cbc_hmac_sha1 "des-ede3-cbc-hmac-sha1" + #define NID_des_ede3_cbc_hmac_sha1 920 + ++#define SN_tls11_des_ede3_cbc_hmac_sha1 "TLS11-DES-EDE3-CBC-HMAC-SHA1" ++#define LN_tls11_des_ede3_cbc_hmac_sha1 "tls11-des-ede3-cbc-hmac-sha1" ++#define NID_tls11_des_ede3_cbc_hmac_sha1 921 ++ ++#define 
SN_tls11_aes_128_cbc_hmac_sha1 "TLS11-AES-128-CBC-HMAC-SHA1" ++#define LN_tls11_aes_128_cbc_hmac_sha1 "tls11-aes-128-cbc-hmac-sha1" ++#define NID_tls11_aes_128_cbc_hmac_sha1 922 ++ ++#define SN_tls11_aes_256_cbc_hmac_sha1 "TLS11-AES-256-CBC-HMAC-SHA1" ++#define LN_tls11_aes_256_cbc_hmac_sha1 "tls11-aes-256-cbc-hmac-sha1" ++#define NID_tls11_aes_256_cbc_hmac_sha1 923 ++ +diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num +index 9d44bb5..a02b58c 100644 +--- a/crypto/objects/obj_mac.num ++++ b/crypto/objects/obj_mac.num +@@ -918,3 +918,6 @@ aes_192_cbc_hmac_sha1 917 + aes_256_cbc_hmac_sha1 918 + rsaesOaep 919 + des_ede3_cbc_hmac_sha1 920 ++tls11_des_ede3_cbc_hmac_sha1 921 ++tls11_aes_128_cbc_hmac_sha1 922 ++tls11_aes_256_cbc_hmac_sha1 923 +diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt +index 90d2fc5..1973658 100644 +--- a/crypto/objects/objects.txt ++++ b/crypto/objects/objects.txt +@@ -1291,3 +1291,6 @@ kisa 1 6 : SEED-OFB : seed-ofb + : AES-192-CBC-HMAC-SHA1 : aes-192-cbc-hmac-sha1 + : AES-256-CBC-HMAC-SHA1 : aes-256-cbc-hmac-sha1 + : DES-EDE3-CBC-HMAC-SHA1 : des-ede3-cbc-hmac-sha1 ++ : TLS11-DES-EDE3-CBC-HMAC-SHA1 : tls11-des-ede3-cbc-hmac-sha1 ++ : TLS11-AES-128-CBC-HMAC-SHA1 : tls11-aes-128-cbc-hmac-sha1 ++ : TLS11-AES-256-CBC-HMAC-SHA1 : tls11-aes-256-cbc-hmac-sha1 +diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +index 310fe76..0408986 100644 +--- a/ssl/ssl_ciph.c ++++ b/ssl/ssl_ciph.c +@@ -631,17 +631,35 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, + c->algorithm_mac == SSL_MD5 && + (evp=EVP_get_cipherbyname("RC4-HMAC-MD5"))) + *enc = evp, *md = NULL; +- else if (c->algorithm_enc == SSL_AES128 && ++ else if (s->ssl_version == TLS1_VERSION && ++ c->algorithm_enc == SSL_3DES && ++ c->algorithm_mac == SSL_SHA1 && ++ (evp=EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1"))) ++ *enc = evp, *md = NULL; ++ else if (s->ssl_version == TLS1_VERSION && ++ c->algorithm_enc == SSL_AES128 && + c->algorithm_mac == 
SSL_SHA1 && + (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1"))) + *enc = evp, *md = NULL; +- else if (c->algorithm_enc == SSL_AES256 && ++ else if (s->ssl_version == TLS1_VERSION && ++ c->algorithm_enc == SSL_AES256 && + c->algorithm_mac == SSL_SHA1 && + (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) + *enc = evp, *md = NULL; +- else if (c->algorithm_enc == SSL_3DES && ++ else if (s->ssl_version == TLS1_1_VERSION && ++ c->algorithm_enc == SSL_3DES && ++ c->algorithm_mac == SSL_SHA1 && ++ (evp=EVP_get_cipherbyname("TLS11-DES-EDE3-CBC-HMAC-SHA1"))) ++ *enc = evp, *md = NULL; ++ else if (s->ssl_version == TLS1_1_VERSION && ++ c->algorithm_enc == SSL_AES128 && ++ c->algorithm_mac == SSL_SHA1 && ++ (evp=EVP_get_cipherbyname("TLS11-AES-128-CBC-HMAC-SHA1"))) ++ *enc = evp, *md = NULL; ++ else if (s->ssl_version == TLS1_1_VERSION && ++ c->algorithm_enc == SSL_AES256 && + c->algorithm_mac == SSL_SHA1 && +- (evp = EVP_get_cipherbyname("DES-EDE3-CBC-HMAC-SHA1"))) ++ (evp=EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1"))) + *enc = evp, *md = NULL; + return(1); + } +-- +2.3.5 + diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch new file mode 100644 index 00000000..7370c496 --- /dev/null +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch 
@@ -0,0 +1,359 @@ +From a58703e6601fcfcfe69fdb3e7152ed76b40d67e9 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Tue, 31 Mar 2015 16:32:35 +0300 +Subject: [PATCH 20/26] eng_cryptodev: add support for TLSv1.2 record offload + +Supported cipher suites: +- 3des-ede-cbc-sha +- aes-128-cbc-hmac-sha +- aes-256-cbc-hmac-sha +- aes-128-cbc-hmac-sha256 +- aes-256-cbc-hmac-sha256 + +Requires TLS patches on cryptodev and TLS algorithm support in Linux +kernel driver. + +Signed-off-by: Tudor Ambarus +Change-Id: I0ac6953dd62e2655a59d8f3eaefd012b7ecebf55 +Reviewed-on: http://git.am.freescale.net:8181/34003 +Reviewed-by: Cristian Stoica +Tested-by: Cristian Stoica +--- + crypto/engine/eng_cryptodev.c | 123 ++++++++++++++++++++++++++++++++++++++++++ + crypto/objects/obj_dat.h | 26 +++++++-- + crypto/objects/obj_mac.h | 20 +++++++ + crypto/objects/obj_mac.num | 5 ++ + crypto/objects/objects.txt | 5 ++ + ssl/ssl_ciph.c | 25 +++++++++ + 6 files changed, 201 insertions(+), 3 deletions(-) + +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index f71ab27..fa5fe1b 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -140,6 +140,11 @@ const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1; + const EVP_CIPHER cryptodev_tls11_3des_cbc_hmac_sha1; + const EVP_CIPHER cryptodev_tls11_aes_128_cbc_hmac_sha1; + const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1; ++const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1; ++const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1; ++const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1; ++const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256; ++const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256; + + inline int spcf_bn2bin(BIGNUM *bn, unsigned char **bin, int *bin_len) + { +@@ -263,6 +268,11 @@ static struct { + { CRYPTO_TLS11_3DES_CBC_HMAC_SHA1, NID_tls11_des_ede3_cbc_hmac_sha1, 8, 24, 20}, + { CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_128_cbc_hmac_sha1, 16, 16, 20}, + { 
CRYPTO_TLS11_AES_CBC_HMAC_SHA1, NID_tls11_aes_256_cbc_hmac_sha1, 16, 32, 20}, ++ { CRYPTO_TLS12_3DES_CBC_HMAC_SHA1, NID_tls12_des_ede3_cbc_hmac_sha1, 8, 24, 20}, ++ { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_128_cbc_hmac_sha1, 16, 16, 20}, ++ { CRYPTO_TLS12_AES_CBC_HMAC_SHA1, NID_tls12_aes_256_cbc_hmac_sha1, 16, 32, 20}, ++ { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_128_cbc_hmac_sha256, 16, 16, 32}, ++ { CRYPTO_TLS12_AES_CBC_HMAC_SHA256, NID_tls12_aes_256_cbc_hmac_sha256, 16, 32, 32}, + { CRYPTO_AES_GCM, NID_aes_128_gcm, 16, 16, 0}, + { 0, NID_undef, 0, 0, 0}, + }; +@@ -487,6 +497,21 @@ cryptodev_usable_ciphers(const int **nids) + case NID_tls11_aes_256_cbc_hmac_sha1: + EVP_add_cipher(&cryptodev_tls11_aes_256_cbc_hmac_sha1); + break; ++ case NID_tls12_des_ede3_cbc_hmac_sha1: ++ EVP_add_cipher(&cryptodev_tls12_3des_cbc_hmac_sha1); ++ break; ++ case NID_tls12_aes_128_cbc_hmac_sha1: ++ EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha1); ++ break; ++ case NID_tls12_aes_256_cbc_hmac_sha1: ++ EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha1); ++ break; ++ case NID_tls12_aes_128_cbc_hmac_sha256: ++ EVP_add_cipher(&cryptodev_tls12_aes_128_cbc_hmac_sha256); ++ break; ++ case NID_tls12_aes_256_cbc_hmac_sha256: ++ EVP_add_cipher(&cryptodev_tls12_aes_256_cbc_hmac_sha256); ++ break; + } + } + return count; +@@ -596,6 +621,11 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + case NID_tls11_des_ede3_cbc_hmac_sha1: + case NID_tls11_aes_128_cbc_hmac_sha1: + case NID_tls11_aes_256_cbc_hmac_sha1: ++ case NID_tls12_des_ede3_cbc_hmac_sha1: ++ case NID_tls12_aes_128_cbc_hmac_sha1: ++ case NID_tls12_aes_256_cbc_hmac_sha1: ++ case NID_tls12_aes_128_cbc_hmac_sha256: ++ case NID_tls12_aes_256_cbc_hmac_sha256: + cryp.flags = COP_FLAG_AEAD_TLS_TYPE; + } + cryp.ses = sess->ses; +@@ -795,9 +825,17 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + case NID_tls11_des_ede3_cbc_hmac_sha1: + case 
NID_tls11_aes_128_cbc_hmac_sha1: + case NID_tls11_aes_256_cbc_hmac_sha1: ++ case NID_tls12_des_ede3_cbc_hmac_sha1: ++ case NID_tls12_aes_128_cbc_hmac_sha1: ++ case NID_tls12_aes_256_cbc_hmac_sha1: + maclen = SHA_DIGEST_LENGTH; + aad_needs_fix = true; + break; ++ case NID_tls12_aes_128_cbc_hmac_sha256: ++ case NID_tls12_aes_256_cbc_hmac_sha256: ++ maclen = SHA256_DIGEST_LENGTH; ++ aad_needs_fix = true; ++ break; + } + + /* Correct length for AAD Length field */ +@@ -1207,6 +1245,76 @@ const EVP_CIPHER cryptodev_tls11_aes_256_cbc_hmac_sha1 = { + NULL + }; + ++const EVP_CIPHER cryptodev_tls12_3des_cbc_hmac_sha1 = { ++ NID_tls12_des_ede3_cbc_hmac_sha1, ++ 8, 24, 8, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ cryptodev_init_aead_key, ++ cryptodev_aead_cipher, ++ cryptodev_cleanup, ++ sizeof(struct dev_crypto_state), ++ EVP_CIPHER_set_asn1_iv, ++ EVP_CIPHER_get_asn1_iv, ++ cryptodev_cbc_hmac_sha1_ctrl, ++ NULL ++}; ++ ++const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha1 = { ++ NID_tls12_aes_128_cbc_hmac_sha1, ++ 16, 16, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ cryptodev_init_aead_key, ++ cryptodev_aead_cipher, ++ cryptodev_cleanup, ++ sizeof(struct dev_crypto_state), ++ EVP_CIPHER_set_asn1_iv, ++ EVP_CIPHER_get_asn1_iv, ++ cryptodev_cbc_hmac_sha1_ctrl, ++ NULL ++}; ++ ++const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha1 = { ++ NID_tls12_aes_256_cbc_hmac_sha1, ++ 16, 32, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ cryptodev_init_aead_key, ++ cryptodev_aead_cipher, ++ cryptodev_cleanup, ++ sizeof(struct dev_crypto_state), ++ EVP_CIPHER_set_asn1_iv, ++ EVP_CIPHER_get_asn1_iv, ++ cryptodev_cbc_hmac_sha1_ctrl, ++ NULL ++}; ++ ++const EVP_CIPHER cryptodev_tls12_aes_128_cbc_hmac_sha256 = { ++ NID_tls12_aes_128_cbc_hmac_sha256, ++ 16, 16, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ cryptodev_init_aead_key, ++ cryptodev_aead_cipher, ++ cryptodev_cleanup, ++ sizeof(struct dev_crypto_state), ++ EVP_CIPHER_set_asn1_iv, ++ 
EVP_CIPHER_get_asn1_iv, ++ cryptodev_cbc_hmac_sha1_ctrl, ++ NULL ++}; ++ ++const EVP_CIPHER cryptodev_tls12_aes_256_cbc_hmac_sha256 = { ++ NID_tls12_aes_256_cbc_hmac_sha256, ++ 16, 32, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ cryptodev_init_aead_key, ++ cryptodev_aead_cipher, ++ cryptodev_cleanup, ++ sizeof(struct dev_crypto_state), ++ EVP_CIPHER_set_asn1_iv, ++ EVP_CIPHER_get_asn1_iv, ++ cryptodev_cbc_hmac_sha1_ctrl, ++ NULL ++}; ++ + const EVP_CIPHER cryptodev_aes_128_gcm = { + NID_aes_128_gcm, + 1, 16, 12, +@@ -1281,6 +1389,21 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + case NID_tls11_aes_256_cbc_hmac_sha1: + *cipher = &cryptodev_tls11_aes_256_cbc_hmac_sha1; + break; ++ case NID_tls12_des_ede3_cbc_hmac_sha1: ++ *cipher = &cryptodev_tls12_3des_cbc_hmac_sha1; ++ break; ++ case NID_tls12_aes_128_cbc_hmac_sha1: ++ *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha1; ++ break; ++ case NID_tls12_aes_256_cbc_hmac_sha1: ++ *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha1; ++ break; ++ case NID_tls12_aes_128_cbc_hmac_sha256: ++ *cipher = &cryptodev_tls12_aes_128_cbc_hmac_sha256; ++ break; ++ case NID_tls12_aes_256_cbc_hmac_sha256: ++ *cipher = &cryptodev_tls12_aes_256_cbc_hmac_sha256; ++ break; + default: + *cipher = NULL; + break; +diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h +index dc89b0a..dfe19da 100644 +--- a/crypto/objects/obj_dat.h ++++ b/crypto/objects/obj_dat.h +@@ -62,9 +62,9 @@ + * [including the GNU Public Licence.] 
+ */ + +-#define NUM_NID 924 +-#define NUM_SN 917 +-#define NUM_LN 917 ++#define NUM_NID 929 ++#define NUM_SN 922 ++#define NUM_LN 922 + #define NUM_OBJ 857 + + static const unsigned char lvalues[5974]={ +@@ -2407,6 +2407,16 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ + NID_tls11_aes_128_cbc_hmac_sha1,0,NULL,0}, + {"TLS11-AES-256-CBC-HMAC-SHA1","tls11-aes-256-cbc-hmac-sha1", + NID_tls11_aes_256_cbc_hmac_sha1,0,NULL,0}, ++{"TLS12-DES-EDE3-CBC-HMAC-SHA1","tls12-des-ede3-cbc-hmac-sha1", ++ NID_tls12_des_ede3_cbc_hmac_sha1,0,NULL,0}, ++{"TLS12-AES-128-CBC-HMAC-SHA1","tls12-aes-128-cbc-hmac-sha1", ++ NID_tls12_aes_128_cbc_hmac_sha1,0,NULL,0}, ++{"TLS12-AES-256-CBC-HMAC-SHA1","tls12-aes-256-cbc-hmac-sha1", ++ NID_tls12_aes_256_cbc_hmac_sha1,0,NULL,0}, ++{"TLS12-AES-128-CBC-HMAC-SHA256","tls12-aes-128-cbc-hmac-sha256", ++ NID_tls12_aes_128_cbc_hmac_sha256,0,NULL,0}, ++{"TLS12-AES-256-CBC-HMAC-SHA256","tls12-aes-256-cbc-hmac-sha256", ++ NID_tls12_aes_256_cbc_hmac_sha256,0,NULL,0}, + }; + + static const unsigned int sn_objs[NUM_SN]={ +@@ -2595,6 +2605,11 @@ static const unsigned int sn_objs[NUM_SN]={ + 922, /* "TLS11-AES-128-CBC-HMAC-SHA1" */ + 923, /* "TLS11-AES-256-CBC-HMAC-SHA1" */ + 921, /* "TLS11-DES-EDE3-CBC-HMAC-SHA1" */ ++925, /* "TLS12-AES-128-CBC-HMAC-SHA1" */ ++927, /* "TLS12-AES-128-CBC-HMAC-SHA256" */ ++926, /* "TLS12-AES-256-CBC-HMAC-SHA1" */ ++928, /* "TLS12-AES-256-CBC-HMAC-SHA256" */ ++924, /* "TLS12-DES-EDE3-CBC-HMAC-SHA1" */ + 458, /* "UID" */ + 0, /* "UNDEF" */ + 11, /* "X500" */ +@@ -4217,6 +4232,11 @@ static const unsigned int ln_objs[NUM_LN]={ + 922, /* "tls11-aes-128-cbc-hmac-sha1" */ + 923, /* "tls11-aes-256-cbc-hmac-sha1" */ + 921, /* "tls11-des-ede3-cbc-hmac-sha1" */ ++925, /* "tls12-aes-128-cbc-hmac-sha1" */ ++927, /* "tls12-aes-128-cbc-hmac-sha256" */ ++926, /* "tls12-aes-256-cbc-hmac-sha1" */ ++928, /* "tls12-aes-256-cbc-hmac-sha256" */ ++924, /* "tls12-des-ede3-cbc-hmac-sha1" */ + 682, /* "tpBasis" */ + 436, /* "ucl" */ + 0, /* "undefined" 
*/ +diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h +index f181890..5af125e 100644 +--- a/crypto/objects/obj_mac.h ++++ b/crypto/objects/obj_mac.h +@@ -4046,3 +4046,23 @@ + #define LN_tls11_aes_256_cbc_hmac_sha1 "tls11-aes-256-cbc-hmac-sha1" + #define NID_tls11_aes_256_cbc_hmac_sha1 923 + ++#define SN_tls12_des_ede3_cbc_hmac_sha1 "TLS12-DES-EDE3-CBC-HMAC-SHA1" ++#define LN_tls12_des_ede3_cbc_hmac_sha1 "tls12-des-ede3-cbc-hmac-sha1" ++#define NID_tls12_des_ede3_cbc_hmac_sha1 924 ++ ++#define SN_tls12_aes_128_cbc_hmac_sha1 "TLS12-AES-128-CBC-HMAC-SHA1" ++#define LN_tls12_aes_128_cbc_hmac_sha1 "tls12-aes-128-cbc-hmac-sha1" ++#define NID_tls12_aes_128_cbc_hmac_sha1 925 ++ ++#define SN_tls12_aes_256_cbc_hmac_sha1 "TLS12-AES-256-CBC-HMAC-SHA1" ++#define LN_tls12_aes_256_cbc_hmac_sha1 "tls12-aes-256-cbc-hmac-sha1" ++#define NID_tls12_aes_256_cbc_hmac_sha1 926 ++ ++#define SN_tls12_aes_128_cbc_hmac_sha256 "TLS12-AES-128-CBC-HMAC-SHA256" ++#define LN_tls12_aes_128_cbc_hmac_sha256 "tls12-aes-128-cbc-hmac-sha256" ++#define NID_tls12_aes_128_cbc_hmac_sha256 927 ++ ++#define SN_tls12_aes_256_cbc_hmac_sha256 "TLS12-AES-256-CBC-HMAC-SHA256" ++#define LN_tls12_aes_256_cbc_hmac_sha256 "tls12-aes-256-cbc-hmac-sha256" ++#define NID_tls12_aes_256_cbc_hmac_sha256 928 ++ +diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num +index a02b58c..deeba3a 100644 +--- a/crypto/objects/obj_mac.num ++++ b/crypto/objects/obj_mac.num +@@ -921,3 +921,8 @@ des_ede3_cbc_hmac_sha1 920 + tls11_des_ede3_cbc_hmac_sha1 921 + tls11_aes_128_cbc_hmac_sha1 922 + tls11_aes_256_cbc_hmac_sha1 923 ++tls12_des_ede3_cbc_hmac_sha1 924 ++tls12_aes_128_cbc_hmac_sha1 925 ++tls12_aes_256_cbc_hmac_sha1 926 ++tls12_aes_128_cbc_hmac_sha256 927 ++tls12_aes_256_cbc_hmac_sha256 928 +diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt +index 1973658..6e4ac93 100644 +--- a/crypto/objects/objects.txt ++++ b/crypto/objects/objects.txt +@@ -1294,3 +1294,8 @@ kisa 1 6 : SEED-OFB : 
seed-ofb + : TLS11-DES-EDE3-CBC-HMAC-SHA1 : tls11-des-ede3-cbc-hmac-sha1 + : TLS11-AES-128-CBC-HMAC-SHA1 : tls11-aes-128-cbc-hmac-sha1 + : TLS11-AES-256-CBC-HMAC-SHA1 : tls11-aes-256-cbc-hmac-sha1 ++ : TLS12-DES-EDE3-CBC-HMAC-SHA1 : tls12-des-ede3-cbc-hmac-sha1 ++ : TLS12-AES-128-CBC-HMAC-SHA1 : tls12-aes-128-cbc-hmac-sha1 ++ : TLS12-AES-256-CBC-HMAC-SHA1 : tls12-aes-256-cbc-hmac-sha1 ++ : TLS12-AES-128-CBC-HMAC-SHA256 : tls12-aes-128-cbc-hmac-sha256 ++ : TLS12-AES-256-CBC-HMAC-SHA256 : tls12-aes-256-cbc-hmac-sha256 +diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +index 0408986..77a82f6 100644 +--- a/ssl/ssl_ciph.c ++++ b/ssl/ssl_ciph.c +@@ -661,6 +661,31 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, + c->algorithm_mac == SSL_SHA1 && + (evp=EVP_get_cipherbyname("TLS11-AES-256-CBC-HMAC-SHA1"))) + *enc = evp, *md = NULL; ++ else if (s->ssl_version == TLS1_2_VERSION && ++ c->algorithm_enc == SSL_3DES && ++ c->algorithm_mac == SSL_SHA1 && ++ (evp=EVP_get_cipherbyname("TLS12-DES-EDE3-CBC-HMAC-SHA1"))) ++ *enc = evp, *md = NULL; ++ else if (s->ssl_version == TLS1_2_VERSION && ++ c->algorithm_enc == SSL_AES128 && ++ c->algorithm_mac == SSL_SHA1 && ++ (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA1"))) ++ *enc = evp, *md = NULL; ++ else if (s->ssl_version == TLS1_2_VERSION && ++ c->algorithm_enc == SSL_AES256 && ++ c->algorithm_mac == SSL_SHA1 && ++ (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA1"))) ++ *enc = evp, *md = NULL; ++ else if (s->ssl_version == TLS1_2_VERSION && ++ c->algorithm_enc == SSL_AES128 && ++ c->algorithm_mac == SSL_SHA256 && ++ (evp=EVP_get_cipherbyname("TLS12-AES-128-CBC-HMAC-SHA256"))) ++ *enc = evp, *md = NULL; ++ else if (s->ssl_version == TLS1_2_VERSION && ++ c->algorithm_enc == SSL_AES256 && ++ c->algorithm_mac == SSL_SHA256 && ++ (evp=EVP_get_cipherbyname("TLS12-AES-256-CBC-HMAC-SHA256"))) ++ *enc = evp, *md = NULL; + return(1); + } + else +-- +2.3.5 + 
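Review bot: cryptodev_cbc_hmac_sha1_ctrl is now also the ctrl callback of cryptodev_tls12_aes_128_cbc_hmac_sha256 and cryptodev_tls12_aes_256_cbc_hmac_sha256, and its switch sets maclen = SHA256_DIGEST_LENGTH for them, so the _sha1 name no longer describes what the function handles. Rename it (for example to cryptodev_cbc_hmac_ctrl) or add a comment at the new SHA256 case. Separately, the cipher table, cryptodev_usable_ciphers, cryptodev_aead_cipher, the ctrl switch, cryptodev_engine_ciphers and ssl_cipher_get_evp each repeat the same per-version NID list. A NID missed in the ctrl switch never sets aad_needs_fix, and one missed in cryptodev_engine_ciphers falls to the default *cipher = NULL, so a single table keyed by NID would be easier to audit than six parallel lists.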
diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0021-cryptodev-drop-redundant-function.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0021-cryptodev-drop-redundant-function.patch new file mode 100644 index 00000000..16cc6882 --- /dev/null +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0021-cryptodev-drop-redundant-function.patch 
@@ -0,0 +1,75 @@ +From ea4abc255c6c5feec01cb1e30c6082cfe47860e2 Mon Sep 17 00:00:00 2001 +From: Cristian Stoica +Date: Thu, 19 Feb 2015 16:11:53 +0200 +Subject: [PATCH 21/26] cryptodev: drop redundant function + +get_dev_crypto already caches the result. Another cache in-between is +useless. + +Change-Id: Ibd162529d3fb7a561a17f1a707d5d287c1586a3a +Signed-off-by: Cristian Stoica +Reviewed-on: http://git.am.freescale.net:8181/34216 +--- + crypto/engine/eng_cryptodev.c | 18 +++--------------- + 1 file changed, 3 insertions(+), 15 deletions(-) + +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index fa5fe1b..1ab5551 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -96,7 +96,6 @@ struct dev_crypto_state { + + static u_int32_t cryptodev_asymfeat = 0; + +-static int get_asym_dev_crypto(void); + static int open_dev_crypto(void); + static int get_dev_crypto(void); + static int get_cryptodev_ciphers(const int **cnids); +@@ -357,17 +356,6 @@ static void put_dev_crypto(int fd) + #endif + } + +-/* Caching version for asym operations */ +-static int +-get_asym_dev_crypto(void) +-{ +- static int fd = -1; +- +- if (fd == -1) +- fd = get_dev_crypto(); +- return fd; +-} +- + /* + * Find out what ciphers /dev/crypto will let us have a session for. + * XXX note, that some of these openssl doesn't deal with yet! 
+@@ -1796,7 +1784,7 @@ cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s) + { + int fd, ret = -1; + +- if ((fd = get_asym_dev_crypto()) < 0) ++ if ((fd = get_dev_crypto()) < 0) + return (ret); + + if (r) { +@@ -2374,7 +2362,7 @@ static int cryptodev_rsa_keygen(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb) + int p_len, q_len; + int i; + +- if ((fd = get_asym_dev_crypto()) < 0) ++ if ((fd = get_dev_crypto()) < 0) + goto sw_try; + + if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err; +@@ -3928,7 +3916,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + BIGNUM *temp = NULL; + unsigned char *padded_pub_key = NULL, *p = NULL; + +- if ((fd = get_asym_dev_crypto()) < 0) ++ if ((fd = get_dev_crypto()) < 0) + goto sw_try; + + memset(&kop, 0, sizeof kop); +-- +2.3.5 + diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0022-cryptodev-do-not-zero-the-buffer-before-use.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0022-cryptodev-do-not-zero-the-buffer-before-use.patch new file mode 100644 index 00000000..0b2f0f1b --- /dev/null +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0022-cryptodev-do-not-zero-the-buffer-before-use.patch 
@@ -0,0 +1,48 @@ +From 75e3e7d600eb72e7374b1ecf5ece7b831bc98ed8 Mon Sep 17 00:00:00 2001 +From: Cristian Stoica +Date: Tue, 17 Feb 2015 13:12:53 +0200 +Subject: [PATCH 22/26] cryptodev: do not zero the buffer before use + +- The buffer is just about to be overwritten. Zeroing it before that has + no purpose + +Change-Id: I478c31bd2e254561474a7edf5e37980ca04217ce +Signed-off-by: Cristian Stoica +Reviewed-on: http://git.am.freescale.net:8181/34217 +--- + crypto/engine/eng_cryptodev.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index 1ab5551..dbc5989 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -1681,21 +1681,16 @@ static int + bn2crparam(const BIGNUM *a, struct crparam *crp) + { + ssize_t bytes, bits; +- u_char *b; +- +- crp->crp_p = NULL; +- crp->crp_nbits = 0; + + bits = BN_num_bits(a); + bytes = (bits + 7) / 8; + +- b = malloc(bytes); +- if (b == NULL) ++ crp->crp_nbits = bits; ++ crp->crp_p = malloc(bytes); ++ ++ if (crp->crp_p == NULL) + return (1); +- memset(b, 0, bytes); + +- crp->crp_p = (caddr_t) b; +- crp->crp_nbits = bits; + BN_bn2bin(a, crp->crp_p); + return (0); + } +-- +2.3.5 + diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0023-cryptodev-clean-up-code-layout.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0023-cryptodev-clean-up-code-layout.patch new file mode 100644 index 00000000..5ff1c5ca --- /dev/null +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0023-cryptodev-clean-up-code-layout.patch 
@@ -0,0 +1,72 @@ +From 4453b06b940fc03a0973cfd96f908e46cce61054 Mon Sep 17 00:00:00 2001 +From: Cristian Stoica +Date: Wed, 18 Feb 2015 10:39:46 +0200 +Subject: [PATCH 23/26] cryptodev: clean-up code layout + +This is just a refactoring that uses else branch to check for malloc failures + +Change-Id: I6dc157af36d6ec51a4edfc82cf97fae2e7e83628 +Signed-off-by: Cristian Stoica +Reviewed-on: http://git.am.freescale.net:8181/34218 +--- + crypto/engine/eng_cryptodev.c | 42 ++++++++++++++++++++---------------------- + 1 file changed, 20 insertions(+), 22 deletions(-) + +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index dbc5989..dceb4f5 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -1745,30 +1745,28 @@ cryptodev_asym_async(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, + fd = *(int *)cookie->eng_handle; + + eng_cookie = malloc(sizeof(struct cryptodev_cookie_s)); +- +- if (eng_cookie) { +- memset(eng_cookie, 0, sizeof(struct cryptodev_cookie_s)); +- if (r) { +- kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char)); +- if (!kop->crk_param[kop->crk_iparams].crp_p) +- return -ENOMEM; +- kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8; +- kop->crk_oparams++; +- eng_cookie->r = r; +- eng_cookie->r_param = kop->crk_param[kop->crk_iparams]; +- } +- if (s) { +- kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char)); +- if (!kop->crk_param[kop->crk_iparams+1].crp_p) +- return -ENOMEM; +- kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8; +- kop->crk_oparams++; +- eng_cookie->s = s; +- eng_cookie->s_param = kop->crk_param[kop->crk_iparams + 1]; +- } +- } else ++ if (!eng_cookie) + return -ENOMEM; + ++ memset(eng_cookie, 0, sizeof(struct cryptodev_cookie_s)); ++ if (r) { ++ kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char)); ++ if (!kop->crk_param[kop->crk_iparams].crp_p) ++ return -ENOMEM; ++ kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8; ++ 
kop->crk_oparams++; ++ eng_cookie->r = r; ++ eng_cookie->r_param = kop->crk_param[kop->crk_iparams]; ++ } ++ if (s) { ++ kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char)); ++ if (!kop->crk_param[kop->crk_iparams+1].crp_p) ++ return -ENOMEM; ++ kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8; ++ kop->crk_oparams++; ++ eng_cookie->s = s; ++ eng_cookie->s_param = kop->crk_param[kop->crk_iparams + 1]; ++ } + eng_cookie->kop = kop; + cookie->eng_cookie = eng_cookie; + return ioctl(fd, CIOCASYMASYNCRYPT, kop); +-- +2.3.5 + diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0024-cryptodev-do-not-cache-file-descriptor-in-open.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0024-cryptodev-do-not-cache-file-descriptor-in-open.patch new file mode 100644 index 00000000..e798d3e2 --- /dev/null +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0024-cryptodev-do-not-cache-file-descriptor-in-open.patch 
@@ -0,0 +1,100 @@ +From a44701abd995b3db80001d0c5d88e9ead05972c1 Mon Sep 17 00:00:00 2001 +From: Cristian Stoica +Date: Thu, 19 Feb 2015 16:43:29 +0200 +Subject: [PATCH 24/26] cryptodev: do not cache file descriptor in 'open' + +The file descriptor returned by get_dev_crypto is cached after a +successful return. The issue is, it is cached inside 'open_dev_crypto' +which is no longer useful as a general purpose open("/dev/crypto") +function. + +This patch is a refactoring that moves the caching operation from +open_dev_crypto to get_dev_crypto and leaves the former as a simpler +function true to its name + +Change-Id: I980170969410381973ce75f6679a4a1401738847 +Signed-off-by: Cristian Stoica +Reviewed-on: http://git.am.freescale.net:8181/34219 +--- + crypto/engine/eng_cryptodev.c | 50 +++++++++++++++++++++---------------------- + 1 file changed, 24 insertions(+), 26 deletions(-) + +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index dceb4f5..b74fc7c 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -306,47 +306,45 @@ static void ctr64_inc(unsigned char *counter) { + if (c) return; + } while (n); + } +-/* +- * Return a fd if /dev/crypto seems usable, 0 otherwise. 
+- */ +-static int +-open_dev_crypto(void) ++ ++static int open_dev_crypto(void) + { +- static int fd = -1; ++ int fd; + +- if (fd == -1) { +- if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1) +- return (-1); +- /* close on exec */ +- if (fcntl(fd, F_SETFD, 1) == -1) { +- close(fd); +- fd = -1; +- return (-1); +- } ++ fd = open("/dev/crypto", O_RDWR, 0); ++ if ( fd < 0) ++ return -1; ++ ++ /* close on exec */ ++ if (fcntl(fd, F_SETFD, 1) == -1) { ++ close(fd); ++ return -1; + } +- return (fd); ++ ++ return fd; + } + +-static int +-get_dev_crypto(void) ++static int get_dev_crypto(void) + { +- int fd, retfd; ++ static int fd = -1; ++ int retfd; + +- if ((fd = open_dev_crypto()) == -1) +- return (-1); +-#ifndef CRIOGET_NOT_NEEDED ++ if (fd == -1) ++ fd = open_dev_crypto(); ++#ifdef CRIOGET_NOT_NEEDED ++ return fd; ++#else ++ if (fd == -1) ++ return -1; + if (ioctl(fd, CRIOGET, &retfd) == -1) + return (-1); +- + /* close on exec */ + if (fcntl(retfd, F_SETFD, 1) == -1) { + close(retfd); + return (-1); + } +-#else +- retfd = fd; ++ return retfd; + #endif +- return (retfd); + } + + static void put_dev_crypto(int fd) +-- +2.3.5 + diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0025-cryptodev-put_dev_crypto-should-be-an-int.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0025-cryptodev-put_dev_crypto-should-be-an-int.patch new file mode 100644 index 00000000..a48dc6a6 --- /dev/null +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0025-cryptodev-put_dev_crypto-should-be-an-int.patch 
@@ -0,0 +1,35 @@ +From 84a8007b6e92fe4c2696cc9e330207ee03303a20 Mon Sep 17 00:00:00 2001 +From: Cristian Stoica +Date: Thu, 19 Feb 2015 13:09:32 +0200 +Subject: [PATCH 25/26] cryptodev: put_dev_crypto should be an int + +Change-Id: Ie0a83bc07a37132286c098b17ef35d98de74b043 +Signed-off-by: Cristian Stoica +Reviewed-on: http://git.am.freescale.net:8181/34220 +--- + crypto/engine/eng_cryptodev.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index b74fc7c..c9db27d 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -347,10 +347,12 @@ static int get_dev_crypto(void) + #endif + } + +-static void put_dev_crypto(int fd) ++static int put_dev_crypto(int fd) + { +-#ifndef CRIOGET_NOT_NEEDED +- close(fd); ++#ifdef CRIOGET_NOT_NEEDED ++ return 0; ++#else ++ return close(fd); + #endif + } + +-- +2.3.5 + diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0026-cryptodev-simplify-cryptodev-pkc-support-code.patch b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0026-cryptodev-simplify-cryptodev-pkc-support-code.patch new file mode 100644 index 00000000..6527ac8f --- /dev/null +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/0026-cryptodev-simplify-cryptodev-pkc-support-code.patch 
@@ -0,0 +1,250 @@ +From 787539e7720c99785f6c664a7484842bba08f6ed Mon Sep 17 00:00:00 2001 +From: Cristian Stoica +Date: Thu, 19 Feb 2015 13:39:52 +0200 +Subject: [PATCH 26/26] cryptodev: simplify cryptodev pkc support code + +- Engine init returns directly a file descriptor instead of a pointer to one +- Similarly, the Engine close will now just close the file + +Change-Id: Ief736d0776c7009dee002204fb1d4ce9d31c8787 +Signed-off-by: Cristian Stoica +Reviewed-on: http://git.am.freescale.net:8181/34221 +--- + crypto/crypto.h | 2 +- + crypto/engine/eng_cryptodev.c | 35 +++----------------------- + crypto/engine/eng_int.h | 14 +++-------- + crypto/engine/eng_lib.c | 57 +++++++++++++++++++++---------------------- + crypto/engine/engine.h | 13 +++++----- + 5 files changed, 42 insertions(+), 79 deletions(-) + +diff --git a/crypto/crypto.h b/crypto/crypto.h +index ce12731..292427e 100644 +--- a/crypto/crypto.h ++++ b/crypto/crypto.h +@@ -618,7 +618,7 @@ struct pkc_cookie_s { + * -EINVAL: Parameters Invalid + */ + void (*pkc_callback)(struct pkc_cookie_s *cookie, int status); +- void *eng_handle; ++ int eng_handle; + }; + + #ifdef __cplusplus +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index c9db27d..f173bde 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -1742,7 +1742,7 @@ cryptodev_asym_async(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, + struct pkc_cookie_s *cookie = kop->cookie; + struct cryptodev_cookie_s *eng_cookie; + +- fd = *(int *)cookie->eng_handle; ++ fd = cookie->eng_handle; + + eng_cookie = malloc(sizeof(struct cryptodev_cookie_s)); + if (!eng_cookie) +@@ -1802,38 +1802,11 @@ cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s) + return (ret); + } + +-/* Close an opened instance of cryptodev engine */ +-void cryptodev_close_instance(void *handle) +-{ +- int fd; +- +- if (handle) { +- fd = *(int *)handle; +- close(fd); +- free(handle); +- } +-} +- +-/* Create 
an instance of cryptodev for asynchronous interface */ +-void *cryptodev_init_instance(void) +-{ +- int *fd = malloc(sizeof(int)); +- +- if (fd) { +- if ((*fd = open("/dev/crypto", O_RDWR, 0)) == -1) { +- free(fd); +- return NULL; +- } +- } +- return fd; +-} +- + #include + + /* Return 0 on success and 1 on failure */ +-int cryptodev_check_availability(void *eng_handle) ++int cryptodev_check_availability(int fd) + { +- int fd = *(int *)eng_handle; + struct pkc_cookie_list_s cookie_list; + struct pkc_cookie_s *cookie; + int i; +@@ -4540,8 +4513,8 @@ ENGINE_load_cryptodev(void) + } + + ENGINE_set_check_pkc_availability(engine, cryptodev_check_availability); +- ENGINE_set_close_instance(engine, cryptodev_close_instance); +- ENGINE_set_init_instance(engine, cryptodev_init_instance); ++ ENGINE_set_close_instance(engine, put_dev_crypto); ++ ENGINE_set_open_instance(engine, open_dev_crypto); + ENGINE_set_async_map(engine, ENGINE_ALLPKC_ASYNC); + + ENGINE_add(engine); +diff --git a/crypto/engine/eng_int.h b/crypto/engine/eng_int.h +index 8fc3077..8fb79c0 100644 +--- a/crypto/engine/eng_int.h ++++ b/crypto/engine/eng_int.h +@@ -181,23 +181,15 @@ struct engine_st + ENGINE_LOAD_KEY_PTR load_pubkey; + + ENGINE_SSL_CLIENT_CERT_PTR load_ssl_client_cert; +- /* +- * Instantiate Engine handle to be passed in check_pkc_availability +- * Ensure that Engine is instantiated before any pkc asynchronous call. +- */ +- void *(*engine_init_instance)(void); +- /* +- * Instantiated Engine handle will be closed with this call. +- * Ensure that no pkc asynchronous call is made after this call +- */ +- void (*engine_close_instance)(void *handle); ++ int (*engine_open_instance)(void); ++ int (*engine_close_instance)(int fd); + /* + * Check availability will extract the data from kernel. + * eng_handle: This is the Engine handle corresponds to which + * the cookies needs to be polled. 
+ * return 0 if cookie available else 1 + */ +- int (*check_pkc_availability)(void *eng_handle); ++ int (*check_pkc_availability)(int fd); + /* + * The following map is used to check if the engine supports asynchronous implementation + * ENGINE_ASYNC_FLAG* for available bitmap. Any application checking for asynchronous +diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c +index 6fa621c..6c9471b 100644 +--- a/crypto/engine/eng_lib.c ++++ b/crypto/engine/eng_lib.c +@@ -99,7 +99,7 @@ void engine_set_all_null(ENGINE *e) + e->load_privkey = NULL; + e->load_pubkey = NULL; + e->check_pkc_availability = NULL; +- e->engine_init_instance = NULL; ++ e->engine_open_instance = NULL; + e->engine_close_instance = NULL; + e->cmd_defns = NULL; + e->async_map = 0; +@@ -237,47 +237,46 @@ int ENGINE_set_id(ENGINE *e, const char *id) + return 1; + } + +-void ENGINE_set_init_instance(ENGINE *e, void *(*engine_init_instance)(void)) +- { +- e->engine_init_instance = engine_init_instance; +- } ++void ENGINE_set_open_instance(ENGINE *e, int (*engine_open_instance)(void)) ++{ ++ e->engine_open_instance = engine_open_instance; ++} + +-void ENGINE_set_close_instance(ENGINE *e, +- void (*engine_close_instance)(void *)) +- { +- e->engine_close_instance = engine_close_instance; +- } ++void ENGINE_set_close_instance(ENGINE *e, int (*engine_close_instance)(int)) ++{ ++ e->engine_close_instance = engine_close_instance; ++} + + void ENGINE_set_async_map(ENGINE *e, int async_map) + { + e->async_map = async_map; + } + +-void *ENGINE_init_instance(ENGINE *e) +- { +- return e->engine_init_instance(); +- } +- +-void ENGINE_close_instance(ENGINE *e, void *eng_handle) +- { +- e->engine_close_instance(eng_handle); +- } +- + int ENGINE_get_async_map(ENGINE *e) + { + return e->async_map; + } + +-void ENGINE_set_check_pkc_availability(ENGINE *e, +- int (*check_pkc_availability)(void *eng_handle)) +- { +- e->check_pkc_availability = check_pkc_availability; +- } ++int ENGINE_open_instance(ENGINE *e) 
++{ ++ return e->engine_open_instance(); ++} + +-int ENGINE_check_pkc_availability(ENGINE *e, void *eng_handle) +- { +- return e->check_pkc_availability(eng_handle); +- } ++int ENGINE_close_instance(ENGINE *e, int fd) ++{ ++ return e->engine_close_instance(fd); ++} ++ ++void ENGINE_set_check_pkc_availability(ENGINE *e, ++ int (*check_pkc_availability)(int fd)) ++{ ++ e->check_pkc_availability = check_pkc_availability; ++} ++ ++int ENGINE_check_pkc_availability(ENGINE *e, int fd) ++{ ++ return e->check_pkc_availability(fd); ++} + + int ENGINE_set_name(ENGINE *e, const char *name) + { +diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h +index ccff86a..3ba3e97 100644 +--- a/crypto/engine/engine.h ++++ b/crypto/engine/engine.h +@@ -473,9 +473,6 @@ ENGINE *ENGINE_new(void); + int ENGINE_free(ENGINE *e); + int ENGINE_up_ref(ENGINE *e); + int ENGINE_set_id(ENGINE *e, const char *id); +-void ENGINE_set_init_instance(ENGINE *e, void *(*engine_init_instance)(void)); +-void ENGINE_set_close_instance(ENGINE *e, +- void (*engine_free_instance)(void *)); + /* + * Following FLAGS are bitmap store in async_map to set asynchronous interface capability + *of the engine +@@ -492,11 +489,13 @@ void ENGINE_set_async_map(ENGINE *e, int async_map); + * to confirm asynchronous methods supported + */ + int ENGINE_get_async_map(ENGINE *e); +-void *ENGINE_init_instance(ENGINE *e); +-void ENGINE_close_instance(ENGINE *e, void *eng_handle); ++int ENGINE_open_instance(ENGINE *e); ++int ENGINE_close_instance(ENGINE *e, int fd); ++void ENGINE_set_init_instance(ENGINE *e, int(*engine_init_instance)(void)); ++void ENGINE_set_close_instance(ENGINE *e, int(*engine_close_instance)(int)); + void ENGINE_set_check_pkc_availability(ENGINE *e, +- int (*check_pkc_availability)(void *eng_handle)); +-int ENGINE_check_pkc_availability(ENGINE *e, void *eng_handle); ++ int (*check_pkc_availability)(int fd)); ++int ENGINE_check_pkc_availability(ENGINE *e, int fd); + int ENGINE_set_name(ENGINE *e, const 
char *name); + int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth); + int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth); +-- +2.3.5 + diff --git a/meta-fsl-ppc/recipes-connectivity/openssl/openssl_1.0.1i.bbappend b/meta-fsl-ppc/recipes-connectivity/openssl/openssl_1.0.1i.bbappend index 2fa098fd..7b381ffb 100644 --- a/meta-fsl-ppc/recipes-connectivity/openssl/openssl_1.0.1i.bbappend +++ b/meta-fsl-ppc/recipes-connectivity/openssl/openssl_1.0.1i.bbappend @@ -19,7 +19,17 @@ SRC_URI_append_class-target = " file://0001-remove-double-initialization-of-cryp file://0015-SW-Backoff-mechanism-for-dsa-keygen.patch \ file://0016-Fixed-DH-keygen-pair-generator.patch \ file://0017-cryptodev-add-support-for-aes-gcm-algorithm-offloadi.patch \ + file://0018-eng_cryptodev-extend-TLS-offload-with-3des_cbc_hmac_.patch \ + file://0019-eng_cryptodev-add-support-for-TLSv1.1-record-offload.patch \ + file://0020-eng_cryptodev-add-support-for-TLSv1.2-record-offload.patch \ + file://0021-cryptodev-drop-redundant-function.patch \ + file://0022-cryptodev-do-not-zero-the-buffer-before-use.patch \ + file://0023-cryptodev-clean-up-code-layout.patch \ + file://0024-cryptodev-do-not-cache-file-descriptor-in-open.patch \ + file://0025-cryptodev-put_dev_crypto-should-be-an-int.patch \ + file://0026-cryptodev-simplify-cryptodev-pkc-support-code.patch \ " + # Digest offloading through cryptodev is not recommended because of the # performance penalty of the Openssl engine interface. Openssl generates a huge # number of calls to digest functions for even a small amount of work data.
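Review bot: in the crypto/engine/engine.h hunk of patch 26/26, the setter declared does not match the one defined and called. The header adds `void ENGINE_set_init_instance(ENGINE *e, int(*engine_init_instance)(void));`, but eng_lib.c now defines `ENGINE_set_open_instance` and eng_cryptodev.c calls `ENGINE_set_open_instance(engine, open_dev_crypto);`. As written, `ENGINE_set_init_instance` is declared with no definition in this patch, and `ENGINE_set_open_instance` is used with no prototype in engine.h. Rename the declaration to `ENGINE_set_open_instance` so the call in `ENGINE_load_cryptodev` is type-checked against the `int (*)(void)` signature.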
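Review bot: in the crypto/crypto.h hunk of patch 26/26, changing `eng_handle` from `void *` to `int` loses the built-in "unset" value. A zero-initialised `struct pkc_cookie_s` used to carry NULL; it now carries 0, which is a valid file descriptor, and `cryptodev_asym_async` takes it unchecked with `fd = cookie->eng_handle;`. Document a negative value as the invalid handle, require callers to initialise the field to it, and reject `fd < 0` before use. Since this is a field of a struct in a public header, the type change also alters the struct layout on 64-bit targets, so anything built against the old header needs rebuilding; that deserves a line in the commit message.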
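Review bot: in the crypto/engine/eng_lib.c hunk of patch 26/26, `ENGINE_open_instance`, `ENGINE_close_instance` and `ENGINE_check_pkc_availability` call through `e->engine_open_instance`, `e->engine_close_instance` and `e->check_pkc_availability` without a NULL check, while `engine_set_all_null` sets all three to NULL. Any engine that never registers these callbacks crashes on the first call. Now that the wrappers return `int`, they can report the condition: return -1 from the open and close wrappers and 1 (the documented "not available" value) from the availability check when the pointer is NULL.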
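Review bot: in the crypto/engine/eng_int.h hunk of patch 26/26, the comments that stated the calling contract (instantiate before any pkc asynchronous call, make no asynchronous call after close) are deleted and nothing replaces them, and the comment left above `check_pkc_availability` still describes an `eng_handle` parameter that is now `int fd`. Add a short comment on `engine_open_instance` and `engine_close_instance` giving the return convention, including the value returned on failure now that NULL is no longer available for that, and update the remaining comment to name `fd`. The same contract matters in eng_cryptodev.c, where the removed `cryptodev_init_instance` returned NULL when `open("/dev/crypto", ...)` failed and `cryptodev_check_availability(int fd)` now accepts whatever the caller passes.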