diff options
Diffstat (limited to 'bsp/meta-freescale/recipes-connectivity/openssl')
9 files changed, 691 insertions, 591 deletions
diff --git a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-Remove-test-that-requires-running-as-non-root.patch b/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-Remove-test-that-requires-running-as-non-root.patch deleted file mode 100644 index 736bb39a..00000000 --- a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-Remove-test-that-requires-running-as-non-root.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 3fdb1e2a16ea405c6731447a8994f222808ef7e6 Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex.kanavin@gmail.com> -Date: Fri, 7 Apr 2017 18:01:52 +0300 -Subject: [PATCH] Remove test that requires running as non-root - -Upstream-Status: Inappropriate [oe-core specific] -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - test/recipes/40-test_rehash.t | 17 +---------------- - 1 file changed, 1 insertion(+), 16 deletions(-) - -diff --git a/test/recipes/40-test_rehash.t b/test/recipes/40-test_rehash.t -index f902c23..c7567c1 100644 ---- a/test/recipes/40-test_rehash.t -+++ b/test/recipes/40-test_rehash.t -@@ -23,7 +23,7 @@ setup("test_rehash"); - plan skip_all => "test_rehash is not available on this platform" - unless run(app(["openssl", "rehash", "-help"])); - --plan tests => 5; -+plan tests => 3; - - indir "rehash.$$" => sub { - prepare(); -@@ -42,21 +42,6 @@ indir "rehash.$$" => sub { - 'Testing rehash operations on empty directory'); - }, create => 1, cleanup => 1; - --indir "rehash.$$" => sub { -- prepare(); -- chmod 0500, curdir(); -- SKIP: { -- if (!ok(!open(FOO, ">unwritable.txt"), -- "Testing that we aren't running as a privileged user, such as root")) { -- close FOO; -- skip "It's pointless to run the next test as root", 1; -- } -- isnt(run(app(["openssl", "rehash", curdir()])), 1, -- 'Testing rehash operations on readonly directory'); -- } -- chmod 0700, curdir(); # make it writable again, so cleanup works --}, create => 1, cleanup => 1; -- - sub prepare { - my @pemsourcefiles = sort glob(srctop_file('test', "*.pem")); - my @destfiles = (); --- -2.11.0 - diff --git a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-Take-linking-flags-from-LDFLAGS-env-var.patch b/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-Take-linking-flags-from-LDFLAGS-env-var.patch deleted file mode 100644 index 6ce4e47d..00000000 --- a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-Take-linking-flags-from-LDFLAGS-env-var.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 08face4353d80111973aba9c1304c92158cfad0e Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex.kanavin@gmail.com> -Date: Tue, 28 Mar 2017 16:40:12 +0300 -Subject: [PATCH] Take linking flags from LDFLAGS env var - -This fixes "No GNU_HASH in the elf binary" issues. - -Upstream-Status: Inappropriate [oe-core specific] -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - Configurations/unix-Makefile.tmpl | 2 +- - Configure | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index c029817..43b769b 100644 ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl -@@ -173,7 +173,7 @@ CROSS_COMPILE= {- $config{cross_compile_prefix} -} - CC= $(CROSS_COMPILE){- $target{cc} -} - CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -} - CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -} --LDFLAGS= {- $target{lflags} -} -+LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -} - PLIB_LDFLAGS= {- $target{plib_lflags} -} - EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -} - LIB_CFLAGS={- $target{shared_cflag} || "" -} -diff --git a/Configure b/Configure -index aee7cc3..274d236 100755 ---- a/Configure -+++ b/Configure -@@ -979,7 +979,7 @@ $config{build_file} = $target{build_file}; - $config{defines} = []; - $config{cflags} = ""; - $config{ex_libs} = ""; --$config{shared_ldflag} = ""; -+$config{shared_ldflag} = $ENV{'LDFLAGS'}; - - # Make sure build_scheme is consistent. - $target{build_scheme} = [ $target{build_scheme} ] --- -2.11.0 - diff --git a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch b/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch deleted file mode 100644 index bb0a1689..00000000 --- a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch +++ /dev/null @@ -1,88 +0,0 @@ -From bcc096a50811bf0f0c4fd34b2993fed7a7015972 Mon Sep 17 00:00:00 2001 -From: Andy Polyakov <appro@openssl.org> -Date: Fri, 3 Nov 2017 23:30:01 +0100 -Subject: [PATCH] aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with - binutils-2.29. - -It's not clear if it's a feature or bug, but binutils-2.29[.1] -interprets 'adr' instruction with Thumb2 code reference differently, -in a way that affects calculation of addresses of constants' tables. - -Upstream-Status: Backport - -Reviewed-by: Tim Hudson <tjh@openssl.org> -Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> -Signed-off-by: Stefan Agner <stefan.agner@toradex.com> -(Merged from https://github.com/openssl/openssl/pull/4669) - -(cherry picked from commit b82acc3c1a7f304c9df31841753a0fa76b5b3cda) ---- - crypto/aes/asm/aes-armv4.pl | 6 +++--- - crypto/aes/asm/bsaes-armv7.pl | 6 +++--- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/crypto/aes/asm/aes-armv4.pl b/crypto/aes/asm/aes-armv4.pl -index 16d79aae53..c6474b8aad 100644 ---- a/crypto/aes/asm/aes-armv4.pl -+++ b/crypto/aes/asm/aes-armv4.pl -@@ -200,7 +200,7 @@ AES_encrypt: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_encrypt - #else -- adr r3,AES_encrypt -+ adr r3,. - #endif - stmdb sp!,{r1,r4-r12,lr} - #ifdef __APPLE__ -@@ -450,7 +450,7 @@ _armv4_AES_set_encrypt_key: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_set_encrypt_key - #else -- adr r3,AES_set_encrypt_key -+ adr r3,. - #endif - teq r0,#0 - #ifdef __thumb2__ -@@ -976,7 +976,7 @@ AES_decrypt: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_decrypt - #else -- adr r3,AES_decrypt -+ adr r3,. - #endif - stmdb sp!,{r1,r4-r12,lr} - #ifdef __APPLE__ -diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl -index 9f288660ef..a27bb4a179 100644 ---- a/crypto/aes/asm/bsaes-armv7.pl -+++ b/crypto/aes/asm/bsaes-armv7.pl -@@ -744,7 +744,7 @@ $code.=<<___; - .type _bsaes_decrypt8,%function - .align 4 - _bsaes_decrypt8: -- adr $const,_bsaes_decrypt8 -+ adr $const,. - vldmia $key!, {@XMM[9]} @ round 0 key - #ifdef __APPLE__ - adr $const,.LM0ISR -@@ -843,7 +843,7 @@ _bsaes_const: - .type _bsaes_encrypt8,%function - .align 4 - _bsaes_encrypt8: -- adr $const,_bsaes_encrypt8 -+ adr $const,. - vldmia $key!, {@XMM[9]} @ round 0 key - #ifdef __APPLE__ - adr $const,.LM0SR -@@ -951,7 +951,7 @@ $code.=<<___; - .type _bsaes_key_convert,%function - .align 4 - _bsaes_key_convert: -- adr $const,_bsaes_key_convert -+ adr $const,. - vld1.8 {@XMM[7]}, [$inp]! @ load round 0 key - #ifdef __APPLE__ - adr $const,.LM0 --- -2.15.0 - diff --git a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch b/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch new file mode 100644 index 00000000..499df59b --- /dev/null +++ b/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch @@ -0,0 +1,389 @@ +From 501988587567b996c9c4a14239f575e77ed27791 Mon Sep 17 00:00:00 2001 +From: Pankaj Gupta <pankaj.gupta@nxp.com> +Date: Fri, 20 Sep 2019 12:18:16 +0530 +Subject: [PATCH 1/2] eng_devcrypto: add support for TLS algorithms offload + + - aes-128-cbc-hmac-sha1 + - aes-256-cbc-hmac-sha1 + +Requires TLS patches on cryptodev and TLS algorithm support in Linux +kernel driver. + +Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com> +--- + crypto/engine/eng_devcrypto.c | 265 +++++++++++++++++++++++++++++----- + 1 file changed, 231 insertions(+), 34 deletions(-) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index 49e9ce1af3..727a660e75 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -60,6 +60,9 @@ struct cipher_ctx { + struct session_op sess; + int op; /* COP_ENCRYPT or COP_DECRYPT */ + unsigned long mode; /* EVP_CIPH_*_MODE */ ++ unsigned char *aad; ++ unsigned int aad_len; ++ unsigned int len; + + /* to handle ctr mode being a stream cipher */ + unsigned char partial[EVP_MAX_BLOCK_LENGTH]; +@@ -73,49 +76,62 @@ static const struct cipher_data_st { + int ivlen; + int flags; + int devcryptoid; ++ int mackeylen; + } cipher_data[] = { + #ifndef OPENSSL_NO_DES +- { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC }, +- { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC }, ++ { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC, 0 }, ++ { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC, 0 }, + #endif + #ifndef OPENSSL_NO_BF +- { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC }, ++ { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC, 0 }, + #endif + #ifndef OPENSSL_NO_CAST +- { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC }, ++ { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC, 0 }, + #endif +- { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, +- { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, +- { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, ++ { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, ++ { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, ++ { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, ++ { NID_aes_128_cbc_hmac_sha1, 16, 16, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 }, ++ { NID_aes_256_cbc_hmac_sha1, 16, 32, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 }, + #ifndef OPENSSL_NO_RC4 +- { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 }, ++ { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4, 0 }, + #endif + #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR) +- { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, +- { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, +- { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, ++ { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 }, ++ { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 }, ++ { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 }, + #endif + #if 0 /* Not yet supported */ +- { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, +- { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, ++ { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, ++ 0 }, ++ { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, ++ 0 }, + #endif + #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB) +- { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, +- { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, +- { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, ++ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 }, ++ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 }, ++ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 }, + #endif + #if 0 /* Not yet supported */ +- { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, +- { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, +- { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, ++ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++ { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++#endif ++#ifdef OPENSSL_NXP_CAAM ++ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, + #endif + #ifndef OPENSSL_NO_CAMELLIA + { NID_camellia_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, ++ CRYPTO_CAMELLIA_CBC, 0 }, + { NID_camellia_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, ++ CRYPTO_CAMELLIA_CBC, 0 }, + { NID_camellia_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, ++ CRYPTO_CAMELLIA_CBC, 0 }, + #endif + }; + +@@ -141,6 +157,158 @@ static const struct cipher_data_st *get_cipher_data(int nid) + return &cipher_data[get_cipher_data_index(nid)]; + } + ++/* ++ * Save the encryption key provided by upper layers. This function is called ++ * by EVP_CipherInit_ex to initialize the algorithm's extra data. We can't do ++ * much here because the mac key is not available. The next call should/will ++ * be to cryptodev_cbc_hmac_sha1_ctrl with parameter ++ * EVP_CTRL_AEAD_SET_MAC_KEY, to set the hmac key. There we call CIOCGSESSION ++ * with both the crypto and hmac keys. ++ */ ++static int cryptodev_init_aead_key(EVP_CIPHER_CTX *ctx, ++ const unsigned char *key, const unsigned char *iv, int enc) ++{ ++ struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx); ++ struct session_op *sess = &state->sess; ++ int cipher = -1, i; ++ ++ for (i = 0; cipher_data[i].devcryptoid; i++) { ++ if (EVP_CIPHER_CTX_nid(ctx) == cipher_data[i].nid && ++ EVP_CIPHER_CTX_iv_length(ctx) <= cipher_data[i].ivlen && ++ EVP_CIPHER_CTX_key_length(ctx) == cipher_data[i].keylen) { ++ cipher = cipher_data[i].devcryptoid; ++ break; ++ } ++ } ++ ++ if (!cipher_data[i].devcryptoid) ++ return (0); ++ ++ memset(sess, 0, sizeof(*sess)); ++ ++ sess->key = (void *) key; ++ sess->keylen = EVP_CIPHER_CTX_key_length(ctx); ++ sess->cipher = cipher; ++ ++ /* for whatever reason, (1) means success */ ++ return 1; ++} ++ ++static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t len) ++{ ++ struct crypt_auth_op cryp; ++ struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx); ++ struct session_op *sess = &state->sess; ++ const void *iiv; ++ unsigned char save_iv[EVP_MAX_IV_LENGTH]; ++ ++ if (cfd < 0) ++ return (0); ++ if (!len) ++ return (1); ++ if ((len % EVP_CIPHER_CTX_block_size(ctx)) != 0) ++ return (0); ++ ++ memset(&cryp, 0, sizeof(cryp)); ++ ++ /* TODO: make a seamless integration with cryptodev flags */ ++ switch (EVP_CIPHER_CTX_nid(ctx)) { ++ case NID_aes_128_cbc_hmac_sha1: ++ case NID_aes_256_cbc_hmac_sha1: ++ cryp.flags = COP_FLAG_AEAD_TLS_TYPE; ++ } ++ cryp.ses = sess->ses; ++ cryp.len = state->len; ++ cryp.src = (void *) in; ++ cryp.dst = (void *) out; ++ cryp.auth_src = state->aad; ++ cryp.auth_len = state->aad_len; ++ ++ cryp.op = EVP_CIPHER_CTX_encrypting(ctx) ? COP_ENCRYPT : COP_DECRYPT; ++ ++ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { ++ cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx); ++ if (!EVP_CIPHER_CTX_encrypting(ctx)) { ++ iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx); ++ memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx)); ++ } ++ } else ++ cryp.iv = NULL; ++ ++ if (ioctl(cfd, CIOCAUTHCRYPT, &cryp) == -1) { ++ /* ++ * XXX need better errror handling this can fail for a number of ++ * different reasons. ++ */ ++ return 0; ++ } ++ ++ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { ++ if (EVP_CIPHER_CTX_encrypting(ctx)) ++ iiv = out + len - EVP_CIPHER_CTX_iv_length(ctx); ++ else ++ iiv = save_iv; ++ ++ memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iiv, ++ EVP_CIPHER_CTX_iv_length(ctx)); ++ } ++ return 1; ++} ++ ++static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, ++ int arg, void *ptr) ++{ ++ switch (type) { ++ case EVP_CTRL_AEAD_SET_MAC_KEY: ++ { ++ /* TODO: what happens with hmac keys larger than 64 bytes? */ ++ struct cipher_ctx *state = ++ EVP_CIPHER_CTX_get_cipher_data(ctx); ++ struct session_op *sess = &state->sess; ++ ++ /* the rest should have been set in cryptodev_init_aead_key */ ++ sess->mackey = ptr; ++ sess->mackeylen = arg; ++ if (ioctl(cfd, CIOCGSESSION, sess) == -1) ++ return 0; ++ ++ return 1; ++ } ++ case EVP_CTRL_AEAD_TLS1_AAD: ++ { ++ /* ptr points to the associated data buffer of 13 bytes */ ++ struct cipher_ctx *state = ++ EVP_CIPHER_CTX_get_cipher_data(ctx); ++ unsigned char *p = ptr; ++ unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1]; ++ unsigned int maclen, padlen; ++ unsigned int bs = EVP_CIPHER_CTX_block_size(ctx); ++ ++ state->aad = ptr; ++ state->aad_len = arg; ++ state->len = cryptlen; ++ ++ /* TODO: this should be an extension of EVP_CIPHER struct */ ++ switch (EVP_CIPHER_CTX_nid(ctx)) { ++ case NID_aes_128_cbc_hmac_sha1: ++ case NID_aes_256_cbc_hmac_sha1: ++ maclen = SHA_DIGEST_LENGTH; ++ } ++ ++ /* space required for encryption (not only TLS padding) */ ++ padlen = maclen; ++ if (EVP_CIPHER_CTX_encrypting(ctx)) { ++ cryptlen += maclen; ++ padlen += bs - (cryptlen % bs); ++ } ++ return padlen; ++ } ++ default: ++ return -1; ++ } ++} ++ + /* + * Following are the three necessary functions to map OpenSSL functionality + * with cryptodev. +@@ -165,6 +333,7 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, + cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; + cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE; + cipher_ctx->blocksize = cipher_d->blocksize; ++ + if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { + SYSerr(SYS_F_IOCTL, errno); + return 0; +@@ -180,6 +349,7 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); + struct crypt_op cryp; + unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); ++ + #if !defined(COP_FLAG_WRITE_IV) + unsigned char saved_iv[EVP_MAX_IV_LENGTH]; + const unsigned char *ivptr; +@@ -340,32 +510,59 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx) + static int known_cipher_nids[OSSL_NELEM(cipher_data)]; + static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ + static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; ++int (*init) (EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc); ++int (*do_cipher) (EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl); ++int (*ctrl) (EVP_CIPHER_CTX *, int type, int arg, void *ptr); + + static void prepare_cipher_methods(void) + { + size_t i; + struct session_op sess; + unsigned long cipher_mode; ++ unsigned long flags; + + memset(&sess, 0, sizeof(sess)); + sess.key = (void *)"01234567890123456789012345678901234567890123456789"; ++ sess.mackey = (void *)"123456789ABCDEFGHIJKLMNO"; + + for (i = 0, known_cipher_nids_amount = 0; + i < OSSL_NELEM(cipher_data); i++) { + ++ init = cipher_init; ++ ctrl = cipher_ctrl; ++ flags = cipher_data[i].flags ++ | EVP_CIPH_CUSTOM_COPY ++ | EVP_CIPH_CTRL_INIT ++ | EVP_CIPH_FLAG_DEFAULT_ASN1; ++ + /* + * Check that the algo is really availably by trying to open and close + * a session. + */ + sess.cipher = cipher_data[i].devcryptoid; + sess.keylen = cipher_data[i].keylen; ++ sess.mackeylen = cipher_data[i].mackeylen; ++ ++ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; ++ ++ do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ? ++ ctr_do_cipher : ++ cipher_do_cipher); ++ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1) { ++ init = cryptodev_init_aead_key; ++ do_cipher = cryptodev_aead_cipher; ++ ctrl = cryptodev_cbc_hmac_sha1_ctrl; ++ flags = cipher_data[i].flags; ++ } ++ + if (ioctl(cfd, CIOCGSESSION, &sess) < 0 + || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) + continue; + +- cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; +- +- if ((known_cipher_methods[i] = ++ if ((known_cipher_methods[i] = + EVP_CIPHER_meth_new(cipher_data[i].nid, + cipher_mode == EVP_CIPH_CTR_MODE ? 1 : + cipher_data[i].blocksize, +@@ -373,16 +570,12 @@ static void prepare_cipher_methods(void) + || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i], + cipher_data[i].ivlen) + || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i], +- cipher_data[i].flags +- | EVP_CIPH_CUSTOM_COPY +- | EVP_CIPH_CTRL_INIT +- | EVP_CIPH_FLAG_DEFAULT_ASN1) +- || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) ++ flags) ++ || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], init) + || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], +- cipher_mode == EVP_CIPH_CTR_MODE ? +- ctr_do_cipher : +- cipher_do_cipher) +- || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) ++ do_cipher) ++ /* AEAD Support to be added. */ ++ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], ctrl) + || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], + cipher_cleanup) + || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], +@@ -393,6 +586,10 @@ static void prepare_cipher_methods(void) + known_cipher_nids[known_cipher_nids_amount++] = + cipher_data[i].nid; + } ++ ++ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1) ++ EVP_add_cipher(known_cipher_methods[i]); + } + } + +-- +2.17.1 + diff --git a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch b/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch new file mode 100644 index 00000000..b12af56e --- /dev/null +++ b/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch @@ -0,0 +1,285 @@ +From db9d8be9d0d81bdb2ddb78f8616243593a3d24c5 Mon Sep 17 00:00:00 2001 +From: Pankaj Gupta <pankaj.gupta@nxp.com> +Date: Fri, 10 Jan 2020 15:38:38 +0530 +Subject: [PATCH 2/2] eng_devcrypto: add support for TLS1.2 algorithms offload + + - aes-128-cbc-hmac-sha256 + - aes-256-cbc-hmac-sha256 + +Enabled the support of TLS1.1 algorithms offload + + - aes-128-cbc-hmac-sha1 + - aes-256-cbc-hmac-sha1 + +Requires TLS patches on cryptodev and TLS algorithm support in Linux +kernel driver. + +Fix: Remove the support for TLS1.0. + +Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com> +Signed-off-by: Arun Pathak <arun.pathak@nxp.com> +--- + crypto/engine/eng_devcrypto.c | 133 +++++++++++++++++++++++----------- + 1 file changed, 90 insertions(+), 43 deletions(-) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index 727a660e75..be63f65e04 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -25,6 +25,7 @@ + #include "crypto/engine.h" + + /* #define ENGINE_DEVCRYPTO_DEBUG */ ++#define TLS1_1_VERSION 0x0302 + + #if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX + # define CHECK_BSD_STYLE_MACROS +@@ -67,6 +68,7 @@ struct cipher_ctx { + /* to handle ctr mode being a stream cipher */ + unsigned char partial[EVP_MAX_BLOCK_LENGTH]; + unsigned int blocksize, num; ++ unsigned int tls_ver; + }; + + static const struct cipher_data_st { +@@ -92,11 +94,17 @@ static const struct cipher_data_st { + { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, + { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, + { NID_aes_128_cbc_hmac_sha1, 16, 16, 16, +- EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, +- CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 }, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 }, + { NID_aes_256_cbc_hmac_sha1, 16, 32, 16, +- EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, +- CRYPTO_TLS10_AES_CBC_HMAC_SHA1, 20 }, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 }, ++ { NID_aes_128_cbc_hmac_sha256, 16, 16, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 }, ++ { NID_aes_256_cbc_hmac_sha256, 16, 32, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 }, + #ifndef OPENSSL_NO_RC4 + { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4, 0 }, + #endif +@@ -107,9 +115,9 @@ static const struct cipher_data_st { + #endif + #if 0 /* Not yet supported */ + { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, +- 0 }, ++ 0 }, + { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, +- 0 }, ++ 0 }, + #endif + #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB) + { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 }, +@@ -166,7 +174,7 @@ static const struct cipher_data_st *get_cipher_data(int nid) + * with both the crypto and hmac keys. + */ + static int cryptodev_init_aead_key(EVP_CIPHER_CTX *ctx, +- const unsigned char *key, const unsigned char *iv, int enc) ++ const unsigned char *key, const unsigned char *iv, int enc) + { + struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx); + struct session_op *sess = &state->sess; +@@ -212,10 +220,29 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + + memset(&cryp, 0, sizeof(cryp)); + ++ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { ++ if (!EVP_CIPHER_CTX_encrypting(ctx)) { ++ iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx); ++ memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx)); ++ ++ if (state->tls_ver >= TLS1_1_VERSION) { ++ memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), in, ++ EVP_CIPHER_CTX_iv_length(ctx)); ++ in += EVP_CIPHER_CTX_iv_length(ctx); ++ out += EVP_CIPHER_CTX_iv_length(ctx); ++ len -= EVP_CIPHER_CTX_iv_length(ctx); ++ } ++ } ++ cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx); ++ } else ++ cryp.iv = NULL; ++ + /* TODO: make a seamless integration with cryptodev flags */ + switch (EVP_CIPHER_CTX_nid(ctx)) { + case NID_aes_128_cbc_hmac_sha1: + case NID_aes_256_cbc_hmac_sha1: ++ case NID_aes_128_cbc_hmac_sha256: ++ case NID_aes_256_cbc_hmac_sha256: + cryp.flags = COP_FLAG_AEAD_TLS_TYPE; + } + cryp.ses = sess->ses; +@@ -227,15 +254,6 @@ static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + + cryp.op = EVP_CIPHER_CTX_encrypting(ctx) ? COP_ENCRYPT : COP_DECRYPT; + +- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { +- cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx); +- if (!EVP_CIPHER_CTX_encrypting(ctx)) { +- iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx); +- memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx)); +- } +- } else +- cryp.iv = NULL; +- + if (ioctl(cfd, CIOCAUTHCRYPT, &cryp) == -1) { + /* + * XXX need better errror handling this can fail for a number of +@@ -262,7 +280,7 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, + switch (type) { + case EVP_CTRL_AEAD_SET_MAC_KEY: + { +- /* TODO: what happens with hmac keys larger than 64 bytes? */ ++ /* TODO: what happens with hmac keys larger than 64 bytes? */ + struct cipher_ctx *state = + EVP_CIPHER_CTX_get_cipher_data(ctx); + struct session_op *sess = &state->sess; +@@ -282,27 +300,52 @@ static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, + EVP_CIPHER_CTX_get_cipher_data(ctx); + unsigned char *p = ptr; + unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1]; +- unsigned int maclen, padlen; +- unsigned int bs = EVP_CIPHER_CTX_block_size(ctx); ++ unsigned int maclen; ++ unsigned int blocksize = EVP_CIPHER_CTX_block_size(ctx); ++ int ret; + ++ state->tls_ver = p[arg - 4] << 8 | p[arg - 3]; + state->aad = ptr; + state->aad_len = arg; +- state->len = cryptlen; + + /* TODO: this should be an extension of EVP_CIPHER struct */ + switch (EVP_CIPHER_CTX_nid(ctx)) { + case NID_aes_128_cbc_hmac_sha1: + case NID_aes_256_cbc_hmac_sha1: + maclen = SHA_DIGEST_LENGTH; ++ break; ++ case NID_aes_128_cbc_hmac_sha256: ++ case NID_aes_256_cbc_hmac_sha256: ++ maclen = SHA256_DIGEST_LENGTH; ++ break; ++ default: ++ /* ++ * Only above 4 supported NIDs are used to enter to this ++ * function. If any other NID reaches this function, ++ * there's a grave coding error further down. ++ */ ++ assert("Code that never should be reached" == NULL); ++ return -1; + } + + /* space required for encryption (not only TLS padding) */ +- padlen = maclen; + if (EVP_CIPHER_CTX_encrypting(ctx)) { +- cryptlen += maclen; +- padlen += bs - (cryptlen % bs); ++ if (state->tls_ver >= TLS1_1_VERSION) { ++ p[arg - 2] = (cryptlen - blocksize) >> 8; ++ p[arg - 1] = (cryptlen - blocksize); ++ } ++ ret = (int)(((cryptlen + maclen + ++ blocksize) & -blocksize) - cryptlen); ++ } else { ++ if (state->tls_ver >= TLS1_1_VERSION) { ++ cryptlen -= blocksize; ++ p[arg - 2] = cryptlen >> 8; ++ p[arg - 1] = cryptlen; ++ } ++ ret = maclen; + } +- return padlen; ++ state->len = cryptlen; ++ return ret; + } + default: + return -1; +@@ -510,11 +553,11 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx) + static int known_cipher_nids[OSSL_NELEM(cipher_data)]; + static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ + static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; +-int (*init) (EVP_CIPHER_CTX *ctx, const unsigned char *key, +- const unsigned char *iv, int enc); +-int (*do_cipher) (EVP_CIPHER_CTX *ctx, unsigned char *out, +- const unsigned char *in, size_t inl); +-int (*ctrl) (EVP_CIPHER_CTX *, int type, int arg, void *ptr); ++int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc); ++int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl); ++int (*ctrl)(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); + + static void prepare_cipher_methods(void) + { +@@ -543,26 +586,28 @@ static void prepare_cipher_methods(void) + */ + sess.cipher = cipher_data[i].devcryptoid; + sess.keylen = cipher_data[i].keylen; +- sess.mackeylen = cipher_data[i].mackeylen; ++ sess.mackeylen = cipher_data[i].mackeylen; + + cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; + +- do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ? ++ do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ? + ctr_do_cipher : + cipher_do_cipher); +- if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 +- || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1) { +- init = cryptodev_init_aead_key; +- do_cipher = cryptodev_aead_cipher; +- ctrl = cryptodev_cbc_hmac_sha1_ctrl; +- flags = cipher_data[i].flags; +- } ++ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256) { ++ init = cryptodev_init_aead_key; ++ do_cipher = cryptodev_aead_cipher; ++ ctrl = cryptodev_cbc_hmac_sha1_ctrl; ++ flags = cipher_data[i].flags; ++ } + + if (ioctl(cfd, CIOCGSESSION, &sess) < 0 + || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) + continue; + +- if ((known_cipher_methods[i] = ++ if ((known_cipher_methods[i] = + EVP_CIPHER_meth_new(cipher_data[i].nid, + cipher_mode == EVP_CIPH_CTR_MODE ? 1 : + cipher_data[i].blocksize, +@@ -574,7 +619,7 @@ static void prepare_cipher_methods(void) + || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], init) + || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], + do_cipher) +- /* AEAD Support to be added. */ ++ /* AEAD Support to be added. */ + || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], ctrl) + || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], + cipher_cleanup) +@@ -587,9 +632,11 @@ static void prepare_cipher_methods(void) + cipher_data[i].nid; + } + +- if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 +- || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1) +- EVP_add_cipher(known_cipher_methods[i]); ++ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256) ++ EVP_add_cipher(known_cipher_methods[i]); + } + } + +-- +2.17.1 + diff --git a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/openssl-c_rehash.sh b/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/openssl-c_rehash.sh deleted file mode 100644 index 6620fdcb..00000000 --- a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/openssl-c_rehash.sh +++ /dev/null @@ -1,222 +0,0 @@ -#!/bin/sh -# -# Ben Secrest <blsecres@gmail.com> -# -# sh c_rehash script, scan all files in a directory -# and add symbolic links to their hash values. -# -# based on the c_rehash perl script distributed with openssl -# -# LICENSE: See OpenSSL license -# ^^acceptable?^^ -# - -# default certificate location -DIR=/etc/openssl - -# for filetype bitfield -IS_CERT=$(( 1 << 0 )) -IS_CRL=$(( 1 << 1 )) - - -# check to see if a file is a certificate file or a CRL file -# arguments: -# 1. the filename to be scanned -# returns: -# bitfield of file type; uses ${IS_CERT} and ${IS_CRL} -# -check_file() -{ - local IS_TYPE=0 - - # make IFS a newline so we can process grep output line by line - local OLDIFS=${IFS} - IFS=$( printf "\n" ) - - # XXX: could be more efficient to have two 'grep -m' but is -m portable? - for LINE in $( grep '^-----BEGIN .*-----' ${1} ) - do - if echo ${LINE} \ - | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} )) - - if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ] - then - break - fi - elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} )) - - if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ] - then - break - fi - fi - done - - # restore IFS - IFS=${OLDIFS} - - return ${IS_TYPE} -} - - -# -# use openssl to fingerprint a file -# arguments: -# 1. the filename to fingerprint -# 2. the method to use (x509, crl) -# returns: -# none -# assumptions: -# user will capture output from last stage of pipeline -# -fingerprint() -{ - ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':' -} - - -# -# link_hash - create links to certificate files -# arguments: -# 1. the filename to create a link for -# 2. the type of certificate being linked (x509, crl) -# returns: -# 0 on success, 1 otherwise -# -link_hash() -{ - local FINGERPRINT=$( fingerprint ${1} ${2} ) - local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} ) - local SUFFIX=0 - local LINKFILE='' - local TAG='' - - if [ ${2} = "crl" ] - then - TAG='r' - fi - - LINKFILE=${HASH}.${TAG}${SUFFIX} - - while [ -f ${LINKFILE} ] - do - if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ] - then - echo "NOTE: Skipping duplicate file ${1}" >&2 - return 1 - fi - - SUFFIX=$(( ${SUFFIX} + 1 )) - LINKFILE=${HASH}.${TAG}${SUFFIX} - done - - echo "${3} => ${LINKFILE}" - - # assume any system with a POSIX shell will either support symlinks or - # do something to handle this gracefully - ln -s ${3} ${LINKFILE} - - return 0 -} - - -# hash_dir create hash links in a given directory -hash_dir() -{ - echo "Doing ${1}" - - cd ${1} - - ls -1 * 2>/dev/null | while read FILE - do - if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \ - && [ -h "${FILE}" ] - then - rm ${FILE} - fi - done - - ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE - do - REAL_FILE=${FILE} - # if we run on build host then get to the real files in rootfs - if [ -n "${SYSROOT}" -a -h ${FILE} ] - then - FILE=$( readlink ${FILE} ) - # check the symlink is absolute (or dangling in other word) - if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ] - then - REAL_FILE=${SYSROOT}/${FILE} - fi - fi - - check_file ${REAL_FILE} - local FILE_TYPE=${?} - local TYPE_STR='' - - if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ] - then - TYPE_STR='x509' - elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ] - then - TYPE_STR='crl' - else - echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2 - continue - fi - - link_hash ${REAL_FILE} ${TYPE_STR} ${FILE} - done -} - - -# choose the name of an ssl application -if [ -n "${OPENSSL}" ] -then - SSL_CMD=$(which ${OPENSSL} 2>/dev/null) -else - SSL_CMD=/usr/bin/openssl - OPENSSL=${SSL_CMD} - export OPENSSL -fi - -# fix paths -PATH=${PATH}:${DIR}/bin -export PATH - -# confirm existance/executability of ssl command -if ! [ -x ${SSL_CMD} ] -then - echo "${0}: rehashing skipped ('openssl' program not available)" >&2 - exit 0 -fi - -# determine which directories to process -old_IFS=$IFS -if [ ${#} -gt 0 ] -then - IFS=':' - DIRLIST=${*} -elif [ -n "${SSL_CERT_DIR}" ] -then - DIRLIST=$SSL_CERT_DIR -else - DIRLIST=${DIR}/certs -fi - -IFS=':' - -# process directories -for CERT_DIR in ${DIRLIST} -do - if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ] - then - IFS=$old_IFS - hash_dir ${CERT_DIR} - IFS=':' - fi -done diff --git a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/run-ptest b/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/run-ptest index 65c6cc7b..3fb22471 100644 --- a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/run-ptest +++ b/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq/run-ptest @@ -1,4 +1,12 @@ #!/bin/sh -cd test -OPENSSL_ENGINES=../engines BLDTOP=.. SRCTOP=.. perl run_tests.pl -cd .. + +set -e + +# Optional arguments are 'list' to lists all tests, or the test name (base name +# ie test_evp, not 03_test_evp.t). + +export TOP=. +# OPENSSL_ENGINES is relative from the test binaries +export OPENSSL_ENGINES=../engines + +perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;' diff --git a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq_1.1.0g.bb b/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq_1.1.0g.bb deleted file mode 100644 index 7a4897fd..00000000 --- a/bsp/meta-freescale/recipes-connectivity/openssl/openssl-qoriq_1.1.0g.bb +++ /dev/null @@ -1,186 +0,0 @@ -SUMMARY = "Secure Socket Layer" -DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." -HOMEPAGE = "http://www.openssl.org/" -BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" -SECTION = "libs/network" - -DISABLE_STATIC = "" - -# "openssl | SSLeay" dual license -LICENSE = "openssl" -LIC_FILES_CHKSUM = "file://LICENSE;md5=cae6da10f4ffd9703214776d2aabce32" - -DEPENDS += "cryptodev-linux" -DEPENDS_append_class-target = " openssl-native" - -SRC_URI = "git://source.codeaurora.org/external/qoriq/qoriq-components/openssl;nobranch=1 \ - file://run-ptest \ - file://openssl-c_rehash.sh \ - file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \ - file://0001-Remove-test-that-requires-running-as-non-root.patch \ - file://0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch \ - " - -SRCREV = "c2300d1fdb30a439f555b07f228d3bce498238d5" - -PROVIDES = "openssl" - -python() { - pkgs = d.getVar('PACKAGES', True).split() - for p in pkgs: - if 'openssl-qoriq' in p: - d.appendVar("RPROVIDES_%s" % p, p.replace('openssl-qoriq', 'openssl')) - d.appendVar("RCONFLICTS_%s" % p, p.replace('openssl-qoriq', 'openssl')) - d.appendVar("RREPLACES_%s" % p, p.replace('openssl-qoriq', 'openssl')) -} - -S = "${WORKDIR}/git" - -inherit lib_package multilib_header ptest - -do_configure () { - os=${HOST_OS} - case $os in - linux-uclibc |\ - linux-uclibceabi |\ - linux-gnueabi |\ - linux-uclibcspe |\ - linux-gnuspe |\ - linux-musl*) - os=linux - ;; - *) - ;; - esac - target="$os-${HOST_ARCH}" - case $target in - linux-arm) - target=linux-armv4 - ;; - linux-armeb) - target=linux-armv4 - ;; - linux-aarch64*) - target=linux-aarch64 - ;; - linux-sh3) - target=linux-generic32 - ;; - linux-sh4) - target=linux-generic32 - ;; - linux-i486) - target=linux-elf - ;; - linux-i586 | linux-viac3) - target=linux-elf - ;; - linux-i686) - target=linux-elf - ;; - linux-gnux32-x86_64) - target=linux-x32 - ;; - linux-gnu64-x86_64) - target=linux-x86_64 - ;; - linux-mips) - # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags - target="linux-mips32 ${TARGET_CC_ARCH}" - ;; - linux-mipsel) - target="linux-mips32 ${TARGET_CC_ARCH}" - ;; - linux-gnun32-mips*) - target=linux-mips64 - ;; - linux-*-mips64 | linux-mips64) - target=linux64-mips64 - ;; - linux-*-mips64el | linux-mips64el) - target=linux64-mips64 - ;; - linux-microblaze*|linux-nios2*) - target=linux-generic32 - ;; - linux-powerpc) - target=linux-ppc - ;; - linux-powerpc64) - target=linux-ppc64 - ;; - linux-riscv64) - target=linux-generic64 - ;; - linux-riscv32) - target=linux-generic32 - ;; - linux-supersparc) - target=linux-sparcv9 - ;; - linux-sparc) - target=linux-sparcv9 - ;; - darwin-i386) - target=darwin-i386-cc - ;; - esac - useprefix=${prefix} - if [ "x$useprefix" = "x" ]; then - useprefix=/ - fi - libdirleaf="$(echo ${libdir} | sed s:$useprefix::)" - perl ./Configure -DHAVE_CRYPTODEV ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdirleaf} $target -} - -#| engines/afalg/e_afalg.c: In function 'eventfd': -#| engines/afalg/e_afalg.c:110:20: error: '__NR_eventfd' undeclared (first use in this function) -#| return syscall(__NR_eventfd, n); -#| ^~~~~~~~~~~~ -EXTRA_OECONF_aarch64 += "no-afalgeng" - -#| ./libcrypto.so: undefined reference to `getcontext' -#| ./libcrypto.so: undefined reference to `setcontext' -#| ./libcrypto.so: undefined reference to `makecontext' -EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC" - -do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install - oe_multilib_header openssl/opensslconf.h -} - -do_install_append_class-native () { - # Install a custom version of c_rehash that can handle sysroots properly. - # This version is used for example when installing ca-certificates during - # image creation. - install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash - sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash -} - -do_install_ptest() { - cp -r * ${D}${PTEST_PATH} - - # Putting .so files in ptest package will mess up the dependencies of the main openssl package - # so we rename them to .so.ptest and patch the test accordingly - mv ${D}${PTEST_PATH}/libcrypto.so ${D}${PTEST_PATH}/libcrypto.so.ptest - mv ${D}${PTEST_PATH}/libssl.so ${D}${PTEST_PATH}/libssl.so.ptest - sed -i 's/$target{shared_extension_simple}/".so.ptest"/' ${D}${PTEST_PATH}/test/recipes/90-test_shlibload.t -} - -RDEPENDS_${PN}-ptest += "perl-module-file-spec-functions bash python" -RRECOMMENDS_libcrypto += "openssl-conf" -RDEPENDS_${PN}-bin = "perl" -RDEPENDS_${PN}-misc = "perl" - -FILES_${PN} =+ " ${libdir}/ssl-1.1/*" - -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" -FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" -FILES_libssl = "${libdir}/libssl${SOLIBS}" -FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" -FILES_${PN}-engines = "${libdir}/engines-1.1" -FILES_${PN}-misc = "${libdir}/ssl-1.1/misc" - -RPROVIDES_openssl-conf = "openssl10-conf" -RREPLACES_openssl-conf = "openssl10-conf" -RCONFLICTS_openssl-conf = "openssl10-conf" diff --git a/bsp/meta-freescale/recipes-connectivity/openssl/openssl_%.bbappend b/bsp/meta-freescale/recipes-connectivity/openssl/openssl_%.bbappend new file mode 100644 index 00000000..182925e0 --- /dev/null +++ b/bsp/meta-freescale/recipes-connectivity/openssl/openssl_%.bbappend @@ -0,0 +1,6 @@ +FILESEXTRAPATHS_append := "${THISDIR}/${PN}-qoriq:" + +SRC_URI_append_qoriq = " \ + file://0001-eng_devcrypto-add-support-for-TLS-algorithms-offload.patch \ + file://0002-eng_devcrypto-add-support-for-TLS1.2-algorithms-offl.patch \ +" |