openssl: rebase patches for OpenSSL 3.5.5
This fixes the build failure caused by the OpenSSL update in Poky. Import the OpenSSL patch set from NXP's whinlatter release. Since NXP's whinlatter release is based on OpenSSL 3.5.4, rebase the patches on top of OpenSSL 3.5.5 to match the current version. https://onedigi.atlassian.net/browse/DEL-10019 Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit is contained in:
Javier Viguera
parent
5b18593bfd
commit
2ec067c6ee
|
|
@ -1,7 +1,6 @@
|
|||
From d6c1bf7031cbd96c1d0dec589f318ad942107d23 Mon Sep 17 00:00:00 2001
|
||||
From: Pankaj Gupta <pankaj.gupta@nxp.com>
|
||||
Date: Tue, 18 Jan 2022 17:37:37 +0530
|
||||
Subject: [PATCH 1/2] e_devcrypto: add func ptr for init, do, ctrl
|
||||
Subject: [PATCH] e_devcrypto: add func ptr for init, do, ctrl
|
||||
|
||||
In engine "devcrypto", as part prepare_cipher_methods()
|
||||
- Added function pointer for init, do, ctrl and
|
||||
|
|
@ -12,27 +11,26 @@ In engine "devcrypto", as part prepare_cipher_methods()
|
|||
Upstream-Status: Pending [i.MX, Layerscape specific]
|
||||
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
|
||||
---
|
||||
engines/e_devcrypto.c | 34 ++++++++++++++++++++++++----------
|
||||
1 file changed, 24 insertions(+), 10 deletions(-)
|
||||
engines/e_devcrypto.c | 31 ++++++++++++++++++++++++-------
|
||||
1 file changed, 24 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
|
||||
index fa01317db5..eb56baec19 100644
|
||||
index f66c7f1c1cf4..a46196b9f4aa 100644
|
||||
--- a/engines/e_devcrypto.c
|
||||
+++ b/engines/e_devcrypto.c
|
||||
@@ -408,7 +408,11 @@ static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */
|
||||
static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, };
|
||||
@@ -403,6 +403,11 @@ static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = {
|
||||
};
|
||||
static int selected_ciphers[OSSL_NELEM(cipher_data)];
|
||||
static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)];
|
||||
-
|
||||
+int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
+ const unsigned char *iv, int enc);
|
||||
+int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
+ const unsigned char *in, size_t inl);
|
||||
+int (*ctrl)(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
|
||||
|
||||
|
||||
static int devcrypto_test_cipher(size_t cipher_data_index)
|
||||
{
|
||||
@@ -427,6 +431,7 @@ static void prepare_cipher_methods(void)
|
||||
@@ -421,6 +426,7 @@ static void prepare_cipher_methods(void)
|
||||
size_t i;
|
||||
session_op_t sess;
|
||||
unsigned long cipher_mode;
|
||||
|
|
@ -40,15 +38,15 @@ index fa01317db5..eb56baec19 100644
|
|||
#ifdef CIOCGSESSION2
|
||||
struct crypt_find_op fop;
|
||||
enum devcrypto_accelerated_t accelerated;
|
||||
@@ -438,16 +443,26 @@ static void prepare_cipher_methods(void)
|
||||
|
||||
@@ -432,16 +438,26 @@ static void prepare_cipher_methods(void)
|
||||
|
||||
memset(&sess, 0, sizeof(sess));
|
||||
sess.key = (void *)"01234567890123456789012345678901234567890123456789";
|
||||
+ sess.mackey = (void *)"123456789ABCDEFGHIJKLMNO";
|
||||
|
||||
|
||||
for (i = 0, known_cipher_nids_amount = 0;
|
||||
i < OSSL_NELEM(cipher_data); i++) {
|
||||
|
||||
i < OSSL_NELEM(cipher_data); i++) {
|
||||
|
||||
selected_ciphers[i] = 1;
|
||||
+
|
||||
+ init = cipher_init;
|
||||
|
|
@ -67,38 +65,33 @@ index fa01317db5..eb56baec19 100644
|
|||
#ifdef CIOCGSESSION2
|
||||
/*
|
||||
* When using CIOCGSESSION2, first try to allocate a hardware
|
||||
@@ -474,6 +489,10 @@ static void prepare_cipher_methods(void)
|
||||
|
||||
@@ -468,6 +484,10 @@ static void prepare_cipher_methods(void)
|
||||
|
||||
cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
|
||||
|
||||
|
||||
+ do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ?
|
||||
+ ctr_do_cipher :
|
||||
+ cipher_do_cipher);
|
||||
+
|
||||
if ((known_cipher_methods[i] =
|
||||
EVP_CIPHER_meth_new(cipher_data[i].nid,
|
||||
cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
|
||||
@@ -482,16 +501,11 @@ static void prepare_cipher_methods(void)
|
||||
if ((known_cipher_methods[i] = EVP_CIPHER_meth_new(cipher_data[i].nid,
|
||||
cipher_mode == EVP_CIPH_CTR_MODE ? 1 : cipher_data[i].blocksize,
|
||||
cipher_data[i].keylen))
|
||||
@@ -475,14 +495,11 @@ static void prepare_cipher_methods(void)
|
||||
|| !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
|
||||
cipher_data[i].ivlen)
|
||||
cipher_data[i].ivlen)
|
||||
|| !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
|
||||
- cipher_data[i].flags
|
||||
- | EVP_CIPH_CUSTOM_COPY
|
||||
- | EVP_CIPH_CTRL_INIT
|
||||
- | EVP_CIPH_FLAG_DEFAULT_ASN1)
|
||||
- cipher_data[i].flags
|
||||
- | EVP_CIPH_CUSTOM_COPY
|
||||
- | EVP_CIPH_CTRL_INIT
|
||||
- | EVP_CIPH_FLAG_DEFAULT_ASN1)
|
||||
- || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
|
||||
+ flags)
|
||||
+ || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], init)
|
||||
|| !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
|
||||
- cipher_mode == EVP_CIPH_CTR_MODE ?
|
||||
- ctr_do_cipher :
|
||||
- cipher_do_cipher)
|
||||
- cipher_mode == EVP_CIPH_CTR_MODE ? ctr_do_cipher : cipher_do_cipher)
|
||||
- || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
|
||||
+ do_cipher)
|
||||
+ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], ctrl)
|
||||
|| !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
|
||||
cipher_cleanup)
|
||||
cipher_cleanup)
|
||||
|| !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,3 @@
|
|||
From f674b2f81a18af2146291eda1bbf60d6f71b2935 Mon Sep 17 00:00:00 2001
|
||||
From: Pankaj Gupta <pankaj.gupta@nxp.com>
|
||||
Date: Tue, 18 Jan 2022 17:38:11 +0530
|
||||
Subject: [PATCH] e_devcrypto: add support for TLS1.2 algorithms offload
|
||||
|
|
@ -17,13 +16,12 @@ Fix: Remove the support for TLS1.0.
|
|||
|
||||
Upstream-Status: Pending [i.MX, Layerscape specific]
|
||||
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
|
||||
|
||||
---
|
||||
engines/e_devcrypto.c | 273 ++++++++++++++++++++++++++++++++++++++----
|
||||
1 file changed, 249 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
|
||||
index 02f3abc..8529bac 100644
|
||||
index a46196b9f4aa..1d21dffabfbf 100644
|
||||
--- a/engines/e_devcrypto.c
|
||||
+++ b/engines/e_devcrypto.c
|
||||
@@ -28,6 +28,7 @@
|
||||
|
|
@ -33,11 +31,11 @@ index 02f3abc..8529bac 100644
|
|||
+#define TLS1_1_VERSION 0x0302
|
||||
|
||||
#if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX
|
||||
# define CHECK_BSD_STYLE_MACROS
|
||||
@@ -107,10 +108,14 @@ struct cipher_ctx {
|
||||
#define CHECK_BSD_STYLE_MACROS
|
||||
@@ -108,10 +109,14 @@ struct cipher_ctx {
|
||||
session_op_t sess;
|
||||
int op; /* COP_ENCRYPT or COP_DECRYPT */
|
||||
unsigned long mode; /* EVP_CIPH_*_MODE */
|
||||
int op; /* COP_ENCRYPT or COP_DECRYPT */
|
||||
unsigned long mode; /* EVP_CIPH_*_MODE */
|
||||
+ unsigned char *aad;
|
||||
+ unsigned int aad_len;
|
||||
+ unsigned int len;
|
||||
|
|
@ -49,7 +47,7 @@ index 02f3abc..8529bac 100644
|
|||
};
|
||||
|
||||
static const struct cipher_data_st {
|
||||
@@ -120,49 +125,66 @@ static const struct cipher_data_st {
|
||||
@@ -121,49 +126,66 @@ static const struct cipher_data_st {
|
||||
int ivlen;
|
||||
int flags;
|
||||
int devcryptoid;
|
||||
|
|
@ -99,7 +97,7 @@ index 02f3abc..8529bac 100644
|
|||
+ { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 },
|
||||
+ { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 },
|
||||
#endif
|
||||
#if 0 /* Not yet supported */
|
||||
#if 0 /* Not yet supported */
|
||||
- { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
|
||||
- { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
|
||||
+ { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, 0 },
|
||||
|
|
@ -113,7 +111,7 @@ index 02f3abc..8529bac 100644
|
|||
+ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
|
||||
+ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
|
||||
#endif
|
||||
#if 0 /* Not yet supported */
|
||||
#if 0 /* Not yet supported */
|
||||
- { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
|
||||
- { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
|
||||
- { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
|
||||
|
|
@ -127,18 +125,18 @@ index 02f3abc..8529bac 100644
|
|||
#endif
|
||||
#ifndef OPENSSL_NO_CAMELLIA
|
||||
{ NID_camellia_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE,
|
||||
- CRYPTO_CAMELLIA_CBC },
|
||||
+ CRYPTO_CAMELLIA_CBC, 0 },
|
||||
- CRYPTO_CAMELLIA_CBC },
|
||||
+ CRYPTO_CAMELLIA_CBC, 0 },
|
||||
{ NID_camellia_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE,
|
||||
- CRYPTO_CAMELLIA_CBC },
|
||||
+ CRYPTO_CAMELLIA_CBC, 0 },
|
||||
- CRYPTO_CAMELLIA_CBC },
|
||||
+ CRYPTO_CAMELLIA_CBC, 0 },
|
||||
{ NID_camellia_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE,
|
||||
- CRYPTO_CAMELLIA_CBC },
|
||||
+ CRYPTO_CAMELLIA_CBC, 0 },
|
||||
- CRYPTO_CAMELLIA_CBC },
|
||||
+ CRYPTO_CAMELLIA_CBC, 0 },
|
||||
#endif
|
||||
};
|
||||
|
||||
@@ -197,6 +219,193 @@ static const struct cipher_data_st *get_cipher_data(int nid)
|
||||
@@ -198,6 +220,193 @@ static const struct cipher_data_st *get_cipher_data(int nid)
|
||||
return &cipher_data[get_cipher_data_index(nid)];
|
||||
}
|
||||
|
||||
|
|
@ -332,7 +330,7 @@ index 02f3abc..8529bac 100644
|
|||
/*
|
||||
* Following are the three necessary functions to map OpenSSL functionality
|
||||
* with cryptodev.
|
||||
@@ -463,6 +672,7 @@ static void prepare_cipher_methods(void)
|
||||
@@ -457,6 +666,7 @@ static void prepare_cipher_methods(void)
|
||||
*/
|
||||
sess.cipher = cipher_data[i].devcryptoid;
|
||||
sess.keylen = cipher_data[i].keylen;
|
||||
|
|
@ -340,7 +338,7 @@ index 02f3abc..8529bac 100644
|
|||
|
||||
#ifdef CIOCGSESSION2
|
||||
/*
|
||||
@@ -494,6 +704,15 @@ static void prepare_cipher_methods(void)
|
||||
@@ -488,6 +698,15 @@ static void prepare_cipher_methods(void)
|
||||
ctr_do_cipher :
|
||||
cipher_do_cipher);
|
||||
|
||||
|
|
@ -353,10 +351,10 @@ index 02f3abc..8529bac 100644
|
|||
+ ctrl = cryptodev_cbc_hmac_sha1_ctrl;
|
||||
+ flags = cipher_data[i].flags;
|
||||
+ }
|
||||
if ((known_cipher_methods[i] =
|
||||
EVP_CIPHER_meth_new(cipher_data[i].nid,
|
||||
cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
|
||||
@@ -538,11 +757,17 @@ static void prepare_cipher_methods(void)
|
||||
if ((known_cipher_methods[i] = EVP_CIPHER_meth_new(cipher_data[i].nid,
|
||||
cipher_mode == EVP_CIPH_CTR_MODE ? 1 : cipher_data[i].blocksize,
|
||||
cipher_data[i].keylen))
|
||||
@@ -529,10 +748,16 @@ static void prepare_cipher_methods(void)
|
||||
}
|
||||
#endif /* CIOCGSESSINFO */
|
||||
}
|
||||
|
|
@ -370,8 +368,7 @@ index 02f3abc..8529bac 100644
|
|||
ioctl(cfd, CIOCFSESSION, &sess.ses);
|
||||
- if (devcrypto_test_cipher(i)) {
|
||||
+ if (devcrypto_test_cipher(i))
|
||||
known_cipher_nids[known_cipher_nids_amount++] =
|
||||
cipher_data[i].nid;
|
||||
known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid;
|
||||
- }
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,20 +1,18 @@
|
|||
From 27e4bd35a42287248bd5253836c265dd555b1ee2 Mon Sep 17 00:00:00 2001
|
||||
From: Ilie Halip <ilie.halip@nxp.com>
|
||||
Date: Wed, 10 Sep 2025 08:46:50 +0200
|
||||
Subject: [PATCH] [PATCH] Set "algorithm-id" before generating the EC key.
|
||||
Date: Wed, 12 Mar 2025 20:57:10 +0200
|
||||
Subject: [PATCH] Set "algorithm-id" before generating the EC key.
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Ilie Halip <ilie.halip@nxp.com>
|
||||
---
|
||||
ssl/s3_lib.c | 30 ++++++++++++++++++++++++++++++
|
||||
1 file changed, 30 insertions(+)
|
||||
|
||||
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
||||
index d6ed169f39..68938bb8fb 100644
|
||||
index 0e1445b38fb7..62f7409cb2aa 100644
|
||||
--- a/ssl/s3_lib.c
|
||||
+++ b/ssl/s3_lib.c
|
||||
@@ -4742,6 +4742,30 @@ int ssl_generate_master_secret(SSL_CONNECTION *s, unsigned char *pms,
|
||||
@@ -5274,6 +5274,30 @@ err:
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
|
@ -45,17 +43,17 @@ index d6ed169f39..68938bb8fb 100644
|
|||
/* Generate a private key from parameters */
|
||||
EVP_PKEY *ssl_generate_pkey(SSL_CONNECTION *s, EVP_PKEY *pm)
|
||||
{
|
||||
@@ -4756,6 +4780,9 @@ EVP_PKEY *ssl_generate_pkey(SSL_CONNECTION *s, EVP_PKEY *pm)
|
||||
@@ -5288,6 +5312,9 @@ EVP_PKEY *ssl_generate_pkey(SSL_CONNECTION *s, EVP_PKEY *pm)
|
||||
goto err;
|
||||
if (EVP_PKEY_keygen_init(pctx) <= 0)
|
||||
goto err;
|
||||
+
|
||||
+
|
||||
+ ssl_generate_set_pkey_alg(s, pctx);
|
||||
+
|
||||
if (EVP_PKEY_keygen(pctx, &pkey) <= 0) {
|
||||
EVP_PKEY_free(pkey);
|
||||
pkey = NULL;
|
||||
@@ -4794,6 +4821,9 @@ EVP_PKEY *ssl_generate_pkey_group(SSL_CONNECTION *s, uint16_t id)
|
||||
@@ -5326,6 +5353,9 @@ EVP_PKEY *ssl_generate_pkey_group(SSL_CONNECTION *s, uint16_t id)
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
|
@ -65,6 +63,3 @@ index d6ed169f39..68938bb8fb 100644
|
|||
if (EVP_PKEY_keygen(pctx, &pkey) <= 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
|
||||
EVP_PKEY_free(pkey);
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
|
|
|||
|
|
@ -1,267 +0,0 @@
|
|||
From 284653acb6df4d68e276d4515a45ccd50ff54eab Mon Sep 17 00:00:00 2001
|
||||
From: Richard Levitte <levitte@openssl.org>
|
||||
Date: Thu, 25 Jul 2024 11:56:13 +0200
|
||||
Subject: [PATCH] Amend the design of AlgorithmIdentifier parameter passing
|
||||
|
||||
I realised that any application that passes AlgorithmIdentifier parameters
|
||||
to and from a provider may also be interested in the full AlgorithmIdentifier
|
||||
of the implementation invocation.
|
||||
|
||||
Likewise, any application that wants to get the full AlgorithmIdentifier
|
||||
from an implementation invocation may also want to pass AlgorithmIdentifier
|
||||
parameters to that same implementation invocation.
|
||||
|
||||
These amendments should be useful to cover all intended uses of the legacy
|
||||
ctrls for PKCS7 and CMS:
|
||||
|
||||
- EVP_PKEY_CTRL_PKCS7_ENCRYPT
|
||||
- EVP_PKEY_CTRL_PKCS7_DECRYPT
|
||||
- EVP_PKEY_CTRL_PKCS7_SIGN
|
||||
- EVP_PKEY_CTRL_CMS_ENCRYPT
|
||||
- EVP_PKEY_CTRL_CMS_DECRYPT
|
||||
- EVP_PKEY_CTRL_CMS_SIGN
|
||||
|
||||
It should also cover a number of other cases that were previously implemented
|
||||
through EVP_PKEY_ASN1_METHOD, as well as all sorts of other cases where the
|
||||
application has had to assemble a X509_ALGOR on their own.
|
||||
|
||||
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/0941666728c44d701496004ebd5bf96ac7b715fb]
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/25000)
|
||||
---
|
||||
.../passing-algorithmidentifier-parameters.md | 65 ++++++++++++-------
|
||||
doc/man3/EVP_EncryptInit.pod | 19 ++++--
|
||||
util/perl/OpenSSL/paramnames.pm | 57 ++++++++++++----
|
||||
3 files changed, 101 insertions(+), 40 deletions(-)
|
||||
|
||||
diff --git a/doc/designs/passing-algorithmidentifier-parameters.md b/doc/designs/passing-algorithmidentifier-parameters.md
|
||||
index bb3821e337..f33862e45e 100644
|
||||
--- a/doc/designs/passing-algorithmidentifier-parameters.md
|
||||
+++ b/doc/designs/passing-algorithmidentifier-parameters.md
|
||||
@@ -1,11 +1,13 @@
|
||||
-Passing AlgorithmIdentifier parameters to operations
|
||||
-====================================================
|
||||
+Handling AlgorithmIdentifier and its parameters with provider operations
|
||||
+========================================================================
|
||||
|
||||
Quick background
|
||||
----------------
|
||||
|
||||
We currently only support passing the AlgorithmIdentifier (`X509_ALGOR`)
|
||||
-parameter field to symmetric cipher provider implementations.
|
||||
+parameter field to symmetric cipher provider implementations. We currently
|
||||
+only support getting full AlgorithmIdentifier (`X509_ALGOR`) from signature
|
||||
+provider implementations.
|
||||
|
||||
We do support passing them to legacy implementations of other types of
|
||||
operation algorithms as well, but it's done in a way that can't be supported
|
||||
@@ -15,18 +17,30 @@ libcrypto and the backend implementation.
|
||||
For a longer background and explanation, see
|
||||
[Background / tl;dr](#background-tldr) at the end of this design.
|
||||
|
||||
-Establish an OSSL_PARAM key that any algorithms may become aware of
|
||||
--------------------------------------------------------------------
|
||||
+Establish OSSL_PARAM keys that any algorithms may become aware of
|
||||
+-----------------------------------------------------------------
|
||||
|
||||
-We already have a parameter key, but it's currently only specified for
|
||||
-`EVP_CIPHER`, in support of `EVP_CIPHER_param_to_asn1()` and
|
||||
-`EVP_CIPHER_asn1_to_param()`.
|
||||
+We already have known parameter keys:
|
||||
|
||||
-"alg_id_param", also known as the macro `OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS`
|
||||
+- "algor_id_param", also known as the macro `OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS`.
|
||||
|
||||
-This parameter can be used in the exact same manner with other operations,
|
||||
-with the value of the AlgorithmIdentifier parameter as an octet string, to
|
||||
-be interpreted by the implementations in whatever way they see fit.
|
||||
+ This is currently only specified for `EVP_CIPHER`, in support of
|
||||
+ `EVP_CIPHER_param_to_asn1()` and `EVP_CIPHER_asn1_to_param()`
|
||||
+
|
||||
+- "algorithm-id", also known as the macro `OSSL_SIGNATURE_PARAM_ALGORITHM_ID`.
|
||||
+
|
||||
+This design proposes:
|
||||
+
|
||||
+1. Adding a parameter key "algorithm-id-params", to replace "algor_id_param",
|
||||
+ and deprecate the latter.
|
||||
+2. Making both "algorithm-id" and "algorithm-id-params" generically available,
|
||||
+ rather than only tied to `EVP_SIGNATURE` ("algorithm-id") or `EVP_CIPHER`
|
||||
+ ("algor_id_param").
|
||||
+
|
||||
+This way, these parameters can be used in the exact same manner with other
|
||||
+operations, with the value of the AlgorithmIdentifier as well as its
|
||||
+parameters as octet strings, to be used and interpreted by applications and
|
||||
+provider implementations alike in whatever way they see fit.
|
||||
|
||||
Applications can choose to add these in an `OSSL_PARAM` array, to be passed
|
||||
with the multitude of initialization functions that take such an array, or
|
||||
@@ -34,7 +48,7 @@ using specific operation `OSSL_PARAM` setters and getters (such as
|
||||
`EVP_PKEY_CTX_set_params`), or using other available convenience functions
|
||||
(see below).
|
||||
|
||||
-This parameter will have to be documented in the following files:
|
||||
+These parameter will have to be documented in the following files:
|
||||
|
||||
- `doc/man7/provider-asym_cipher.pod`
|
||||
- `doc/man7/provider-cipher.pod`
|
||||
@@ -67,20 +81,25 @@ such parameter data from them.
|
||||
* These two would essentially be aliases for EVP_CIPHER_param_to_asn1()
|
||||
* and EVP_CIPHER_asn1_to_param().
|
||||
*/
|
||||
-EVP_CIPHER_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
|
||||
-EVP_CIPHER_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
|
||||
+EVP_CIPHER_CTX_set_algor_params(EVP_CIPHER_CTX *ctx, const X509_ALGOR *alg);
|
||||
+EVP_CIPHER_CTX_get_algor_params(EVP_CIPHER_CTX *ctx, X509_ALGOR *alg);
|
||||
+EVP_CIPHER_CTX_get_algor(EVP_CIPHER_CTX *ctx, X509_ALGOR **alg);
|
||||
|
||||
-EVP_MD_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
|
||||
-EVP_MD_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
|
||||
+EVP_MD_CTX_set_algor_params(EVP_MD_CTX *ctx, const X509_ALGOR *alg);
|
||||
+EVP_MD_CTX_get_algor_params(EVP_MD_CTX *ctx, X509_ALGOR *alg);
|
||||
+EVP_MD_CTX_get_algor(EVP_MD_CTX *ctx, X509_ALGOR **alg);
|
||||
|
||||
-EVP_MAC_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
|
||||
-EVP_MAC_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
|
||||
+EVP_MAC_CTX_set_algor_params(EVP_MAC_CTX *ctx, const X509_ALGOR *alg);
|
||||
+EVP_MAC_CTX_get_algor_params(EVP_MAC_CTX *ctx, X509_ALGOR *alg);
|
||||
+EVP_MAC_CTX_get_algor(EVP_MAC_CTX *ctx, X509_ALGOR **alg);
|
||||
|
||||
-EVP_KDF_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
|
||||
-EVP_KDF_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
|
||||
+EVP_KDF_CTX_set_algor_params(EVP_KDF_CTX *ctx, const X509_ALGOR *alg);
|
||||
+EVP_KDF_CTX_get_algor_params(EVP_KDF_CTX *ctx, X509_ALGOR *alg);
|
||||
+EVP_KDF_CTX_get_algor(EVP_KDF_CTX *ctx, X509_ALGOR **alg);
|
||||
|
||||
-EVP_PKEY_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
|
||||
-EVP_PKEY_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
|
||||
+EVP_PKEY_CTX_set_algor_params(EVP_PKEY_CTX *ctx, const X509_ALGOR *alg);
|
||||
+EVP_PKEY_CTX_get_algor_params(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
|
||||
+EVP_PKEY_CTX_get_algor(EVP_PKEY_CTX *ctx, X509_ALGOR **alg);
|
||||
```
|
||||
|
||||
Note that all might not need to be added immediately, depending on if they
|
||||
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
|
||||
index 45c3cb062c..648dc60853 100644
|
||||
--- a/doc/man3/EVP_EncryptInit.pod
|
||||
+++ b/doc/man3/EVP_EncryptInit.pod
|
||||
@@ -770,12 +770,23 @@ The length of the "keybits" parameter should not exceed that of a B<size_t>.
|
||||
Gets or sets the number of rounds to be used for a cipher.
|
||||
This is used by the RC5 cipher.
|
||||
|
||||
-=item "alg_id_param" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string>
|
||||
+=item "algorithm-id" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID>) <octet string>
|
||||
+
|
||||
+Used to get the DER encoded AlgorithmIdentifier from the cipher
|
||||
+implementation. Functions like L<EVP_PKEY_CTX_get_algor(3)> use this
|
||||
+parameter.
|
||||
+
|
||||
+=item "algorithm-id-params" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string>
|
||||
|
||||
Used to pass the DER encoded AlgorithmIdentifier parameter to or from
|
||||
-the cipher implementation. Functions like L<EVP_CIPHER_param_to_asn1(3)>
|
||||
-and L<EVP_CIPHER_asn1_to_param(3)> use this parameter for any implementation
|
||||
-that has the flag B<EVP_CIPH_FLAG_CUSTOM_ASN1> set.
|
||||
+the cipher implementation.
|
||||
+Functions like L<EVP_CIPHER_CTX_set_algor_params(3)> and
|
||||
+L<EVP_CIPHER_CTX_get_algor_params(3)> use this parameter.
|
||||
+
|
||||
+=item "alg_id_params" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD>) <octet string>
|
||||
+
|
||||
+An deprecated alias for "algorithm-id-params", only used by
|
||||
+L<EVP_CIPHER_param_to_asn1(3)> and L<EVP_CIPHER_asn1_to_param(3)>.
|
||||
|
||||
=item "cts_mode" (B<OSSL_CIPHER_PARAM_CTS_MODE>) <UTF8 string>
|
||||
|
||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||
index bfa75f760c..8c70a594b9 100644
|
||||
--- a/util/perl/OpenSSL/paramnames.pm
|
||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||
@@ -68,6 +68,16 @@ my %params = (
|
||||
'ALG_PARAM_MAC' => "mac", # utf8_string
|
||||
'ALG_PARAM_PROPERTIES' => "properties", # utf8_string
|
||||
|
||||
+ # For any operation that deals with AlgorithmIdentifier, they should
|
||||
+ # implement both of these.
|
||||
+ # ALG_PARAM_ALGORITHM_ID is intended to be gettable, and is the
|
||||
+ # implementation's idea of what its full AlgID should look like.
|
||||
+ # ALG_PARAM_ALGORITHM_ID_PARAMS is intended to be both settable
|
||||
+ # and gettable, to allow the calling application to pass or get
|
||||
+ # AlgID parameters to and from the provided implementation.
|
||||
+ 'ALG_PARAM_ALGORITHM_ID' => "algorithm-id", # octet_string (DER)
|
||||
+ 'ALG_PARAM_ALGORITHM_ID_PARAMS' => "algorithm-id-params", # octet_string
|
||||
+
|
||||
# cipher parameters
|
||||
'CIPHER_PARAM_PADDING' => "padding", # uint
|
||||
'CIPHER_PARAM_USE_BITS' => "use-bits", # uint
|
||||
@@ -100,8 +110,16 @@ my %params = (
|
||||
'CIPHER_PARAM_RC2_KEYBITS' => "keybits", # size_t
|
||||
'CIPHER_PARAM_SPEED' => "speed", # uint
|
||||
'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string
|
||||
-# For passing the AlgorithmIdentifier parameter in DER form
|
||||
- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
|
||||
+ 'CIPHER_PARAM_DECRYPT_ONLY' => "decrypt-only", # int, 0 or 1
|
||||
+ 'CIPHER_PARAM_FIPS_ENCRYPT_CHECK' => "encrypt-check", # int
|
||||
+ 'CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
|
||||
+ 'CIPHER_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID',
|
||||
+ # Historically, CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD was used. For the
|
||||
+ # time being, the old libcrypto functions will use both, so old providers
|
||||
+ # continue to work.
|
||||
+ # New providers are encouraged to use CIPHER_PARAM_ALGORITHM_ID_PARAMS.
|
||||
+ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => '*ALG_PARAM_ALGORITHM_ID_PARAMS',
|
||||
+ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD' => "alg_id_param", # octet_string
|
||||
'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
|
||||
|
||||
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint
|
||||
@@ -250,6 +268,10 @@ my %params = (
|
||||
# it for API stability, but please use ASYM_CIPHER_PARAM_IMPLICIT_REJECTION
|
||||
# instead.
|
||||
'PKEY_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
|
||||
+ 'PKEY_PARAM_FIPS_DIGEST_CHECK' => "digest-check",
|
||||
+ 'PKEY_PARAM_FIPS_KEY_CHECK' => "key-check",
|
||||
+ 'PKEY_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID',
|
||||
+ 'PKEY_PARAM_ALGORITHM_ID_PARAMS' => '*ALG_PARAM_ALGORITHM_ID_PARAMS',
|
||||
|
||||
# Diffie-Hellman/DSA Parameters
|
||||
'PKEY_PARAM_FFC_P' => "p",
|
||||
@@ -378,17 +400,26 @@ my %params = (
|
||||
'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm",
|
||||
|
||||
# Signature parameters
|
||||
- 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id",
|
||||
- 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
|
||||
- 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
||||
- 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
|
||||
- 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
|
||||
- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
|
||||
- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
|
||||
- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
|
||||
- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
|
||||
- 'SIGNATURE_PARAM_INSTANCE' => "instance",
|
||||
- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
|
||||
+ 'SIGNATURE_PARAM_ALGORITHM_ID' => '*PKEY_PARAM_ALGORITHM_ID',
|
||||
+ 'SIGNATURE_PARAM_ALGORITHM_ID_PARAMS' => '*PKEY_PARAM_ALGORITHM_ID_PARAMS',
|
||||
+ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
|
||||
+ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
||||
+ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
|
||||
+ 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
|
||||
+ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
|
||||
+ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
|
||||
+ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
|
||||
+ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
|
||||
+ 'SIGNATURE_PARAM_INSTANCE' => "instance",
|
||||
+ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
|
||||
+ 'SIGNATURE_PARAM_FIPS_DIGEST_CHECK' => '*PKEY_PARAM_FIPS_DIGEST_CHECK',
|
||||
+ 'SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE' => 'verify-message',
|
||||
+ 'SIGNATURE_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
|
||||
+ 'SIGNATURE_PARAM_FIPS_SIGN_CHECK' => '*PKEY_PARAM_FIPS_SIGN_CHECK',
|
||||
+ 'SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK' => "rsa-pss-saltlen-check",
|
||||
+ 'SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK' => "sign-x931-pad-check",
|
||||
+ 'SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
|
||||
+ 'SIGNATURE_PARAM_SIGNATURE' => "signature",
|
||||
|
||||
# Asym cipher parameters
|
||||
'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
|
@ -1,4 +1,3 @@
|
|||
From 24254454e5f5fc503b5e4cc1fa8c6d9b1a3ae9ba Mon Sep 17 00:00:00 2001
|
||||
From: Gaurav Jain <gaurav.jain@nxp.com>
|
||||
Date: Wed, 19 Jan 2022 15:45:29 +0530
|
||||
Subject: [PATCH] openssl 3.0: add Kernel TLS configuration
|
||||
|
|
@ -10,7 +9,7 @@ Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
|
|||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
|
||||
index 03330e0120..ec18df388e 100644
|
||||
index abace0ea7f1c..f4d5ec19de27 100644
|
||||
--- a/apps/openssl.cnf
|
||||
+++ b/apps/openssl.cnf
|
||||
@@ -30,6 +30,15 @@ oid_section = new_oids
|
||||
|
|
@ -29,6 +28,3 @@ index 03330e0120..ec18df388e 100644
|
|||
[ new_oids ]
|
||||
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
|
||||
# Add a simple OID like this:
|
||||
--
|
||||
2.25.1
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright (C) 2022,2026 Digi International Inc.
|
||||
# Copyright (C) 2022-2026 Digi International Inc.
|
||||
|
||||
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
|
||||
|
||||
|
|
@ -6,7 +6,7 @@ SRC_URI += "file://openssl-3.0-add-Kernel-TLS-configuration.patch \
|
|||
file://0001-e_devcrypto-add-func-ptr-for-init-do-ctrl.patch \
|
||||
file://0002-e_devcrypto-add-support-for-TLS1.2-algorithms-offloa.patch \
|
||||
file://0003-Set-algorithm-id-before-generating-the-EC-key.patch \
|
||||
file://0004-Amend-the-design-of-AlgorithmIdentifier-parameter-pa.patch"
|
||||
"
|
||||
|
||||
PACKAGECONFIG:append:imx-nxp-bsp = " cryptodev-linux"
|
||||
|
||||
Loading…
Reference in New Issue