openssl: integrate support for pkcs11-provider NXP fork

This is the version used in NXP's lf-6.6.52-2.2.2 release.

https://onedigi.atlassian.net/browse/DEL-9905

Signed-off-by: Javier Viguera <javier.viguera@digi.com>

meta-digi-arm/dynamic-layers/freescale-layer/recipes-support/pkcs11-provider/pkcs11-provider_1.0.imx.bb

@@ -0,0 +1,30 @@
+SUMMARY = "An OpenSSL provider that allows direct interfacing with pkcs11 drivers"
+DESCRIPTION = "\
+This is an Openssl 3.x provider to access Hardware or Software Tokens using \
+the PKCS#11 Cryptographic Token Interface\
+\
+This code targets version 3.1 of the interface but should be backwards \
+compatible to previous versions as well.\
+"
+HOMEPAGE = "https://github.com/latchset/pkcs11-provider"
+SECTION = "libs"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b53b787444a60266932bd270d1cf2d45"
+DEPENDS = "\
+    openssl \
+    p11-kit \
+"
+
+SRC_URI = "${PKCS11_PROVIDER_SRC};branch=${SRCBRANCH}"
+PKCS11_PROVIDER_SRC ?= "git://github.com/nxp-imx/${BPN}.git;branch=main;protocol=https"
+SRCBRANCH = "lf-6.6.52_2.2.2"
+SRCREV = "ededfa20fe2430f33a5e8ea8971af708a2eb65eb"
+
+S = "${WORKDIR}/git"
+
+inherit meson pkgconfig
+
+# Overwrite default pkcs11 module path
+#EXTRA_OEMESON += "-Ddefault_pkcs11_module=/path/to/mymodule.so"
+
+FILES:${PN} += "${libdir}/ossl-modules/pkcs11.so"

meta-digi-dey/recipes-connectivity/openssl/openssl/0001-e_devcrypto-add-func-ptr-for-init-do-ctrl.patch

@@ -0,0 +1,104 @@
+From d6c1bf7031cbd96c1d0dec589f318ad942107d23 Mon Sep 17 00:00:00 2001
+From: Pankaj Gupta <pankaj.gupta@nxp.com>
+Date: Tue, 18 Jan 2022 17:37:37 +0530
+Subject: [PATCH 1/2] e_devcrypto: add func ptr for init, do, ctrl
+
+In engine "devcrypto", as part prepare_cipher_methods()
+- Added function pointer for init, do, ctrl and
+  variable "flags" such that:
+- New cipher can override them to support offloads
+  to h/w via devcrypto.
+
+Upstream-Status: Pending [i.MX, Layerscape specific]
+Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
+---
+ engines/e_devcrypto.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
+index fa01317db5..eb56baec19 100644
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -408,7 +408,11 @@ static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */
+ static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, };
+ static int selected_ciphers[OSSL_NELEM(cipher_data)];
+ static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)];
+-
++int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key,
++                const unsigned char *iv, int enc);
++int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out,
++                const unsigned char *in, size_t inl);
++int (*ctrl)(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
+
+ static int devcrypto_test_cipher(size_t cipher_data_index)
+ {
+@@ -427,6 +431,7 @@ static void prepare_cipher_methods(void)
+     size_t i;
+     session_op_t sess;
+     unsigned long cipher_mode;
++    unsigned long flags;
+ #ifdef CIOCGSESSION2
+     struct crypt_find_op fop;
+     enum devcrypto_accelerated_t accelerated;
+@@ -438,16 +443,26 @@ static void prepare_cipher_methods(void)
+
+     memset(&sess, 0, sizeof(sess));
+     sess.key = (void *)"01234567890123456789012345678901234567890123456789";
++    sess.mackey = (void *)"123456789ABCDEFGHIJKLMNO";
+
+     for (i = 0, known_cipher_nids_amount = 0;
+          i < OSSL_NELEM(cipher_data); i++) {
+
+         selected_ciphers[i] = 1;
++
++        init  = cipher_init;
++        ctrl  = cipher_ctrl;
++        flags = cipher_data[i].flags
++                | EVP_CIPH_CUSTOM_COPY
++                | EVP_CIPH_CTRL_INIT
++                | EVP_CIPH_FLAG_DEFAULT_ASN1;
++
+         /*
+          * Check that the cipher is usable
+          */
+         sess.cipher = cipher_data[i].devcryptoid;
+         sess.keylen = cipher_data[i].keylen;
++
+ #ifdef CIOCGSESSION2
+         /*
+          * When using CIOCGSESSION2, first try to allocate a hardware
+@@ -474,6 +489,10 @@ static void prepare_cipher_methods(void)
+
+         cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
+
++        do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ?
++                                              ctr_do_cipher :
++                                              cipher_do_cipher);
++
+         if ((known_cipher_methods[i] =
+                  EVP_CIPHER_meth_new(cipher_data[i].nid,
+                                      cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
+@@ -482,16 +501,11 @@ static void prepare_cipher_methods(void)
+             || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
+                                               cipher_data[i].ivlen)
+             || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
+-                                          cipher_data[i].flags
+-                                          | EVP_CIPH_CUSTOM_COPY
+-                                          | EVP_CIPH_CTRL_INIT
+-                                          | EVP_CIPH_FLAG_DEFAULT_ASN1)
+-            || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
++                                          flags)
++            || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], init)
+             || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
+-                                     cipher_mode == EVP_CIPH_CTR_MODE ?
+-                                              ctr_do_cipher :
+-                                              cipher_do_cipher)
+-            || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
++                                              do_cipher)
++            || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], ctrl)
+             || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
+                                             cipher_cleanup)
+             || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
+--
+2.17.1
+

meta-digi-dey/recipes-connectivity/openssl/openssl/0002-e_devcrypto-add-support-for-TLS1.2-algorithms-offloa.patch

@@ -0,0 +1,378 @@
+From f674b2f81a18af2146291eda1bbf60d6f71b2935 Mon Sep 17 00:00:00 2001
+From: Pankaj Gupta <pankaj.gupta@nxp.com>
+Date: Tue, 18 Jan 2022 17:38:11 +0530
+Subject: [PATCH] e_devcrypto: add support for TLS1.2 algorithms offload
+
+    - aes-128-cbc-hmac-sha256
+    - aes-256-cbc-hmac-sha256
+
+Enabled the support of TLS1.1 algorithms offload
+
+    - aes-128-cbc-hmac-sha1
+    - aes-256-cbc-hmac-sha1
+
+TLS algorithm support in CAAM Linux kernel driver.
+
+Fix: Remove the support for TLS1.0.
+
+Upstream-Status: Pending [i.MX, Layerscape specific]
+Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
+
+---
+ engines/e_devcrypto.c | 273 ++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 249 insertions(+), 24 deletions(-)
+
+diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
+index 02f3abc..8529bac 100644
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -28,6 +28,7 @@
+ #include "internal/nelem.h"
+ 
+ /* #define ENGINE_DEVCRYPTO_DEBUG */
++#define TLS1_1_VERSION  0x0302
+ 
+ #if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX
+ # define CHECK_BSD_STYLE_MACROS
+@@ -107,10 +108,14 @@ struct cipher_ctx {
+     session_op_t sess;
+     int op;                      /* COP_ENCRYPT or COP_DECRYPT */
+     unsigned long mode;          /* EVP_CIPH_*_MODE */
++    unsigned char *aad;
++    unsigned int aad_len;
++    unsigned int len;
+ 
+     /* to handle ctr mode being a stream cipher */
+     unsigned char partial[EVP_MAX_BLOCK_LENGTH];
+     unsigned int blocksize, num;
++    unsigned int tls_ver;
+ };
+ 
+ static const struct cipher_data_st {
+@@ -120,49 +125,66 @@ static const struct cipher_data_st {
+     int ivlen;
+     int flags;
+     int devcryptoid;
++    int mackeylen;
+ } cipher_data[] = {
+ #ifndef OPENSSL_NO_DES
+-    { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC },
+-    { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC },
++    { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC, 0 },
++    { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC, 0 },
+ #endif
+ #ifndef OPENSSL_NO_BF
+-    { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC },
++    { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC, 0 },
+ #endif
+ #ifndef OPENSSL_NO_CAST
+-    { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC },
++    { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC, 0 },
+ #endif
+-    { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
+-    { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
+-    { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
++    { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 },
++    { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 },
++    { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 },
++    { NID_aes_128_cbc_hmac_sha1, 16, 16, 16,
++            EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++            CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 },
++    { NID_aes_256_cbc_hmac_sha1, 16, 32, 16,
++            EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++            CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 },
++    { NID_aes_128_cbc_hmac_sha256, 16, 16, 16,
++           EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++           CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 },
++    { NID_aes_256_cbc_hmac_sha256, 16, 32, 16,
++           EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
++           CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 },
+ #ifndef OPENSSL_NO_RC4
+-    { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 },
++    { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4, 0 },
+ #endif
+ #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR)
+-    { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
+-    { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
+-    { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
++    { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 },
++    { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 },
++    { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 },
+ #endif
+ #if 0                            /* Not yet supported */
+-    { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
+-    { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
++    { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, 0 },
++    { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, 0 },
+ #endif
+ #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
+-    { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+-    { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+-    { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
++    { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
++    { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
++    { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
+ #endif
+ #if 0                            /* Not yet supported */
+-    { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
+-    { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
+-    { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
++    { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
++    { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
++    { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
++#endif
++#ifdef OPENSSL_NXP_CAAM
++    { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
++    { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
+ #endif
+ #ifndef OPENSSL_NO_CAMELLIA
+     { NID_camellia_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE,
+-      CRYPTO_CAMELLIA_CBC },
++      CRYPTO_CAMELLIA_CBC, 0 },
+     { NID_camellia_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE,
+-      CRYPTO_CAMELLIA_CBC },
++      CRYPTO_CAMELLIA_CBC, 0 },
+     { NID_camellia_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE,
+-      CRYPTO_CAMELLIA_CBC },
++      CRYPTO_CAMELLIA_CBC, 0 },
+ #endif
+ };
+ 
+@@ -197,6 +219,193 @@ static const struct cipher_data_st *get_cipher_data(int nid)
+     return &cipher_data[get_cipher_data_index(nid)];
+ }
+ 
++/*
++ * Save the encryption key provided by upper layers. This function is called
++ * by EVP_CipherInit_ex to initialize the algorithm's extra data. We can't do
++ * much here because the mac key is not available. The next call should/will
++ * be to cryptodev_cbc_hmac_sha1_ctrl with parameter
++ * EVP_CTRL_AEAD_SET_MAC_KEY, to set the hmac key. There we call CIOCGSESSION
++ * with both the crypto and hmac keys.
++ */
++static int cryptodev_init_aead_key(EVP_CIPHER_CTX *ctx,
++                const unsigned char *key, const unsigned char *iv, int enc)
++{
++    struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx);
++    struct session_op *sess = &state->sess;
++    int cipher = -1, i;
++
++    for (i = 0; cipher_data[i].devcryptoid; i++) {
++        if (EVP_CIPHER_CTX_nid(ctx) == cipher_data[i].nid &&
++            EVP_CIPHER_CTX_iv_length(ctx) <= cipher_data[i].ivlen &&
++            EVP_CIPHER_CTX_key_length(ctx) == cipher_data[i].keylen) {
++            cipher = cipher_data[i].devcryptoid;
++            break;
++        }
++    }
++
++    if (!cipher_data[i].devcryptoid)
++        return (0);
++
++    memset(sess, 0, sizeof(*sess));
++
++    sess->key = (void *) key;
++    sess->keylen = EVP_CIPHER_CTX_key_length(ctx);
++    sess->cipher = cipher;
++
++    /* for whatever reason, (1) means success */
++    return 1;
++}
++
++static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++                                 const unsigned char *in, size_t len)
++{
++    struct crypt_auth_op cryp;
++    struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx);
++    struct session_op *sess = &state->sess;
++    const void *iiv;
++    unsigned char save_iv[EVP_MAX_IV_LENGTH];
++
++    if (cfd < 0)
++        return (0);
++    if (!len)
++        return (1);
++    if ((len % EVP_CIPHER_CTX_block_size(ctx)) != 0)
++        return (0);
++
++    memset(&cryp, 0, sizeof(cryp));
++
++    if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
++        if (!EVP_CIPHER_CTX_encrypting(ctx)) {
++            iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx);
++            memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx));
++
++            if (state->tls_ver >= TLS1_1_VERSION) {
++                memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), in,
++                       EVP_CIPHER_CTX_iv_length(ctx));
++                in += EVP_CIPHER_CTX_iv_length(ctx);
++                out += EVP_CIPHER_CTX_iv_length(ctx);
++                len -= EVP_CIPHER_CTX_iv_length(ctx);
++            }
++        }
++        cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx);
++    } else
++        cryp.iv = NULL;
++
++    /* TODO: make a seamless integration with cryptodev flags */
++    switch (EVP_CIPHER_CTX_nid(ctx)) {
++    case NID_aes_128_cbc_hmac_sha1:
++    case NID_aes_256_cbc_hmac_sha1:
++    case NID_aes_128_cbc_hmac_sha256:
++    case NID_aes_256_cbc_hmac_sha256:
++        cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
++    }
++    cryp.ses = sess->ses;
++    cryp.len = state->len;
++    cryp.src = (void *) in;
++    cryp.dst = (void *) out;
++    cryp.auth_src = state->aad;
++    cryp.auth_len = state->aad_len;
++
++    cryp.op = EVP_CIPHER_CTX_encrypting(ctx) ? COP_ENCRYPT : COP_DECRYPT;
++
++    if (ioctl(cfd, CIOCAUTHCRYPT, &cryp) == -1) {
++        /*
++         * XXX need better errror handling this can fail for a number of
++         * different reasons.
++         */
++        return 0;
++    }
++
++    if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
++        if (EVP_CIPHER_CTX_encrypting(ctx))
++            iiv = out + len - EVP_CIPHER_CTX_iv_length(ctx);
++        else
++            iiv = save_iv;
++
++        memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iiv,
++               EVP_CIPHER_CTX_iv_length(ctx));
++    }
++    return 1;
++}
++
++static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
++                                        int arg, void *ptr)
++{
++    switch (type) {
++    case EVP_CTRL_AEAD_SET_MAC_KEY:
++        {
++        /* TODO: what happens with hmac keys larger than 64 bytes? */
++            struct cipher_ctx *state =
++                EVP_CIPHER_CTX_get_cipher_data(ctx);
++            struct session_op *sess = &state->sess;
++
++            /* the rest should have been set in cryptodev_init_aead_key */
++            sess->mackey = ptr;
++            sess->mackeylen = arg;
++            if (ioctl(cfd, CIOCGSESSION, sess) == -1)
++                return 0;
++
++            return 1;
++        }
++    case EVP_CTRL_AEAD_TLS1_AAD:
++        {
++            /* ptr points to the associated data buffer of 13 bytes */
++            struct cipher_ctx *state =
++                EVP_CIPHER_CTX_get_cipher_data(ctx);
++            unsigned char *p = ptr;
++            unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1];
++            unsigned int maclen;
++            unsigned int blocksize = EVP_CIPHER_CTX_block_size(ctx);
++            int ret;
++
++            state->tls_ver = p[arg - 4] << 8 | p[arg - 3];
++            state->aad = ptr;
++            state->aad_len = arg;
++
++            /* TODO: this should be an extension of EVP_CIPHER struct */
++            switch (EVP_CIPHER_CTX_nid(ctx)) {
++            case NID_aes_128_cbc_hmac_sha1:
++            case NID_aes_256_cbc_hmac_sha1:
++                maclen = SHA_DIGEST_LENGTH;
++                break;
++            case NID_aes_128_cbc_hmac_sha256:
++            case NID_aes_256_cbc_hmac_sha256:
++                maclen = SHA256_DIGEST_LENGTH;
++                break;
++            default:
++            /*
++             * Only above 4 supported NIDs are used to enter to this
++             * function. If any other NID reaches this function,
++             * there's a grave coding error further down.
++             */
++                assert("Code that never should be reached" == NULL);
++                return -1;
++            }
++
++            /* space required for encryption (not only TLS padding) */
++            if (EVP_CIPHER_CTX_encrypting(ctx)) {
++                if (state->tls_ver >= TLS1_1_VERSION) {
++                    p[arg - 2] = (cryptlen - blocksize) >> 8;
++                    p[arg - 1] = (cryptlen - blocksize);
++                }
++                ret = (int)(((cryptlen + maclen +
++                      blocksize) & -blocksize) - cryptlen);
++            } else {
++                if (state->tls_ver >= TLS1_1_VERSION) {
++                    cryptlen -= blocksize;
++                    p[arg - 2] = cryptlen >> 8;
++                    p[arg - 1] = cryptlen;
++                }
++                ret = maclen;
++            }
++            state->len = cryptlen;
++            return ret;
++        }
++    default:
++        return -1;
++    }
++}
++
+ /*
+  * Following are the three necessary functions to map OpenSSL functionality
+  * with cryptodev.
+@@ -463,6 +672,7 @@ static void prepare_cipher_methods(void)
+          */
+         sess.cipher = cipher_data[i].devcryptoid;
+         sess.keylen = cipher_data[i].keylen;
++        sess.mackeylen = cipher_data[i].mackeylen;
+ 
+ #ifdef CIOCGSESSION2
+         /*
+@@ -494,6 +704,15 @@ static void prepare_cipher_methods(void)
+                                               ctr_do_cipher :
+                                               cipher_do_cipher);
+ 
++        if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1
++                || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1
++                || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256
++                || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256) {
++                init = cryptodev_init_aead_key;
++                do_cipher = cryptodev_aead_cipher;
++                ctrl = cryptodev_cbc_hmac_sha1_ctrl;
++                flags = cipher_data[i].flags;
++        }
+         if ((known_cipher_methods[i] =
+                  EVP_CIPHER_meth_new(cipher_data[i].nid,
+                                      cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
+@@ -538,11 +757,17 @@ static void prepare_cipher_methods(void)
+             }
+ #endif /* CIOCGSESSINFO */
+         }
++
++        if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1
++                || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1
++                || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256
++                || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256)
++                EVP_add_cipher(known_cipher_methods[i]);
++
+         ioctl(cfd, CIOCFSESSION, &sess.ses);
+-        if (devcrypto_test_cipher(i)) {
++        if (devcrypto_test_cipher(i))
+             known_cipher_nids[known_cipher_nids_amount++] =
+                 cipher_data[i].nid;
+-        }
+     }
+ }
+ 

meta-digi-dey/recipes-connectivity/openssl/openssl/0003-Set-algorithm-id-before-generating-the-EC-key.patch

@@ -0,0 +1,70 @@
+From 27e4bd35a42287248bd5253836c265dd555b1ee2 Mon Sep 17 00:00:00 2001
+From: Ilie Halip <ilie.halip@nxp.com>
+Date: Wed, 10 Sep 2025 08:46:50 +0200
+Subject: [PATCH] [PATCH] Set "algorithm-id" before generating the EC key.
+
+Upstream-Status: Pending
+
+Signed-off-by: Ilie Halip <ilie.halip@nxp.com>
+---
+ ssl/s3_lib.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index d6ed169f39..68938bb8fb 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -4742,6 +4742,30 @@ int ssl_generate_master_secret(SSL_CONNECTION *s, unsigned char *pms,
+     return ret;
+ }
+ 
++void ssl_generate_set_pkey_alg(SSL_CONNECTION *s, EVP_PKEY_CTX *pctx)
++{
++    const char *alg = NULL;
++    OSSL_PARAM algparams[2] = { 0 };
++
++    switch (s->version) {
++        case TLS1_2_VERSION:
++            alg = "tls1.2";
++            break;
++        case TLS1_3_VERSION:
++            alg = "tls1.3";
++            break;
++    }
++
++    if (alg) {
++        algparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_ALGORITHM_ID,
++            (char *)alg, 0);
++        algparams[1] = OSSL_PARAM_construct_end();
++
++        /* intentionally ignore the result */
++        EVP_PKEY_CTX_set_params(pctx, algparams);
++    }
++}
++
+ /* Generate a private key from parameters */
+ EVP_PKEY *ssl_generate_pkey(SSL_CONNECTION *s, EVP_PKEY *pm)
+ {
+@@ -4756,6 +4780,9 @@ EVP_PKEY *ssl_generate_pkey(SSL_CONNECTION *s, EVP_PKEY *pm)
+         goto err;
+     if (EVP_PKEY_keygen_init(pctx) <= 0)
+         goto err;
++        
++    ssl_generate_set_pkey_alg(s, pctx);
++
+     if (EVP_PKEY_keygen(pctx, &pkey) <= 0) {
+         EVP_PKEY_free(pkey);
+         pkey = NULL;
+@@ -4794,6 +4821,9 @@ EVP_PKEY *ssl_generate_pkey_group(SSL_CONNECTION *s, uint16_t id)
+         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
+         goto err;
+     }
++
++    ssl_generate_set_pkey_alg(s, pctx);
++
+     if (EVP_PKEY_keygen(pctx, &pkey) <= 0) {
+         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
+         EVP_PKEY_free(pkey);
+-- 
+2.43.0
+

meta-digi-dey/recipes-connectivity/openssl/openssl/0004-Amend-the-design-of-AlgorithmIdentifier-parameter-pa.patch

@@ -0,0 +1,267 @@
+From 284653acb6df4d68e276d4515a45ccd50ff54eab Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Thu, 25 Jul 2024 11:56:13 +0200
+Subject: [PATCH] Amend the design of AlgorithmIdentifier parameter passing
+
+I realised that any application that passes AlgorithmIdentifier parameters
+to and from a provider may also be interested in the full AlgorithmIdentifier
+of the implementation invocation.
+
+Likewise, any application that wants to get the full AlgorithmIdentifier
+from an implementation invocation may also want to pass AlgorithmIdentifier
+parameters to that same implementation invocation.
+
+These amendments should be useful to cover all intended uses of the legacy
+ctrls for PKCS7 and CMS:
+
+- EVP_PKEY_CTRL_PKCS7_ENCRYPT
+- EVP_PKEY_CTRL_PKCS7_DECRYPT
+- EVP_PKEY_CTRL_PKCS7_SIGN
+- EVP_PKEY_CTRL_CMS_ENCRYPT
+- EVP_PKEY_CTRL_CMS_DECRYPT
+- EVP_PKEY_CTRL_CMS_SIGN
+
+It should also cover a number of other cases that were previously implemented
+through EVP_PKEY_ASN1_METHOD, as well as all sorts of other cases where the
+application has had to assemble a X509_ALGOR on their own.
+
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/0941666728c44d701496004ebd5bf96ac7b715fb]
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25000)
+---
+ .../passing-algorithmidentifier-parameters.md | 65 ++++++++++++-------
+ doc/man3/EVP_EncryptInit.pod                  | 19 ++++--
+ util/perl/OpenSSL/paramnames.pm               | 57 ++++++++++++----
+ 3 files changed, 101 insertions(+), 40 deletions(-)
+
+diff --git a/doc/designs/passing-algorithmidentifier-parameters.md b/doc/designs/passing-algorithmidentifier-parameters.md
+index bb3821e337..f33862e45e 100644
+--- a/doc/designs/passing-algorithmidentifier-parameters.md
++++ b/doc/designs/passing-algorithmidentifier-parameters.md
+@@ -1,11 +1,13 @@
+-Passing AlgorithmIdentifier parameters to operations
+-====================================================
++Handling AlgorithmIdentifier and its parameters with provider operations
++========================================================================
+ 
+ Quick background
+ ----------------
+ 
+ We currently only support passing the AlgorithmIdentifier (`X509_ALGOR`)
+-parameter field to symmetric cipher provider implementations.
++parameter field to symmetric cipher provider implementations.  We currently
++only support getting full AlgorithmIdentifier (`X509_ALGOR`) from signature
++provider implementations.
+ 
+ We do support passing them to legacy implementations of other types of
+ operation algorithms as well, but it's done in a way that can't be supported
+@@ -15,18 +17,30 @@ libcrypto and the backend implementation.
+ For a longer background and explanation, see
+ [Background / tl;dr](#background-tldr) at the end of this design.
+ 
+-Establish an OSSL_PARAM key that any algorithms may become aware of
+--------------------------------------------------------------------
++Establish OSSL_PARAM keys that any algorithms may become aware of
++-----------------------------------------------------------------
+ 
+-We already have a parameter key, but it's currently only specified for
+-`EVP_CIPHER`, in support of `EVP_CIPHER_param_to_asn1()` and
+-`EVP_CIPHER_asn1_to_param()`.
++We already have known parameter keys:
+ 
+-"alg_id_param", also known as the macro `OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS`
++- "algor_id_param", also known as the macro `OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS`.
+ 
+-This parameter can be used in the exact same manner with other operations,
+-with the value of the AlgorithmIdentifier parameter as an octet string, to
+-be interpreted by the implementations in whatever way they see fit.
++  This is currently only specified for `EVP_CIPHER`, in support of
++  `EVP_CIPHER_param_to_asn1()` and `EVP_CIPHER_asn1_to_param()`
++
++- "algorithm-id", also known as the macro `OSSL_SIGNATURE_PARAM_ALGORITHM_ID`.
++
++This design proposes:
++
++1. Adding a parameter key "algorithm-id-params", to replace "algor_id_param",
++   and deprecate the latter.
++2. Making both "algorithm-id" and "algorithm-id-params" generically available,
++   rather than only tied to `EVP_SIGNATURE` ("algorithm-id") or `EVP_CIPHER`
++   ("algor_id_param").
++
++This way, these parameters can be used in the exact same manner with other
++operations, with the value of the AlgorithmIdentifier as well as its
++parameters as octet strings, to be used and interpreted by applications and
++provider implementations alike in whatever way they see fit.
+ 
+ Applications can choose to add these in an `OSSL_PARAM` array, to be passed
+ with the multitude of initialization functions that take such an array, or
+@@ -34,7 +48,7 @@ using specific operation `OSSL_PARAM` setters and getters (such as
+ `EVP_PKEY_CTX_set_params`), or using other available convenience functions
+ (see below).
+ 
+-This parameter will have to be documented in the following files:
++These parameter will have to be documented in the following files:
+ 
+ - `doc/man7/provider-asym_cipher.pod`
+ - `doc/man7/provider-cipher.pod`
+@@ -67,20 +81,25 @@ such parameter data from them.
+  * These two would essentially be aliases for EVP_CIPHER_param_to_asn1()
+  * and EVP_CIPHER_asn1_to_param().
+  */
+-EVP_CIPHER_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
+-EVP_CIPHER_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
++EVP_CIPHER_CTX_set_algor_params(EVP_CIPHER_CTX *ctx, const X509_ALGOR *alg);
++EVP_CIPHER_CTX_get_algor_params(EVP_CIPHER_CTX *ctx, X509_ALGOR *alg);
++EVP_CIPHER_CTX_get_algor(EVP_CIPHER_CTX *ctx, X509_ALGOR **alg);
+ 
+-EVP_MD_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
+-EVP_MD_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
++EVP_MD_CTX_set_algor_params(EVP_MD_CTX *ctx, const X509_ALGOR *alg);
++EVP_MD_CTX_get_algor_params(EVP_MD_CTX *ctx, X509_ALGOR *alg);
++EVP_MD_CTX_get_algor(EVP_MD_CTX *ctx, X509_ALGOR **alg);
+ 
+-EVP_MAC_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
+-EVP_MAC_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
++EVP_MAC_CTX_set_algor_params(EVP_MAC_CTX *ctx, const X509_ALGOR *alg);
++EVP_MAC_CTX_get_algor_params(EVP_MAC_CTX *ctx, X509_ALGOR *alg);
++EVP_MAC_CTX_get_algor(EVP_MAC_CTX *ctx, X509_ALGOR **alg);
+ 
+-EVP_KDF_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
+-EVP_KDF_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
++EVP_KDF_CTX_set_algor_params(EVP_KDF_CTX *ctx, const X509_ALGOR *alg);
++EVP_KDF_CTX_get_algor_params(EVP_KDF_CTX *ctx, X509_ALGOR *alg);
++EVP_KDF_CTX_get_algor(EVP_KDF_CTX *ctx, X509_ALGOR **alg);
+ 
+-EVP_PKEY_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
+-EVP_PKEY_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
++EVP_PKEY_CTX_set_algor_params(EVP_PKEY_CTX *ctx, const X509_ALGOR *alg);
++EVP_PKEY_CTX_get_algor_params(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
++EVP_PKEY_CTX_get_algor(EVP_PKEY_CTX *ctx, X509_ALGOR **alg);
+ ```
+ 
+ Note that all might not need to be added immediately, depending on if they
+diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
+index 45c3cb062c..648dc60853 100644
+--- a/doc/man3/EVP_EncryptInit.pod
++++ b/doc/man3/EVP_EncryptInit.pod
+@@ -770,12 +770,23 @@ The length of the "keybits" parameter should not exceed that of a B<size_t>.
+ Gets or sets the number of rounds to be used for a cipher.
+ This is used by the RC5 cipher.
+ 
+-=item "alg_id_param" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string>
++=item "algorithm-id" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID>) <octet string>
++
++Used to get the DER encoded AlgorithmIdentifier from the cipher
++implementation.  Functions like L<EVP_PKEY_CTX_get_algor(3)> use this
++parameter.
++
++=item "algorithm-id-params" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string>
+ 
+ Used to pass the DER encoded AlgorithmIdentifier parameter to or from
+-the cipher implementation.  Functions like L<EVP_CIPHER_param_to_asn1(3)>
+-and L<EVP_CIPHER_asn1_to_param(3)> use this parameter for any implementation
+-that has the flag B<EVP_CIPH_FLAG_CUSTOM_ASN1> set.
++the cipher implementation.
++Functions like L<EVP_CIPHER_CTX_set_algor_params(3)> and
++L<EVP_CIPHER_CTX_get_algor_params(3)> use this parameter.
++
++=item "alg_id_params" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD>) <octet string>
++
++An deprecated alias for "algorithm-id-params", only used by
++L<EVP_CIPHER_param_to_asn1(3)> and L<EVP_CIPHER_asn1_to_param(3)>.
+ 
+ =item "cts_mode" (B<OSSL_CIPHER_PARAM_CTS_MODE>) <UTF8 string>
+ 
+diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
+index bfa75f760c..8c70a594b9 100644
+--- a/util/perl/OpenSSL/paramnames.pm
++++ b/util/perl/OpenSSL/paramnames.pm
+@@ -68,6 +68,16 @@ my %params = (
+     'ALG_PARAM_MAC' =>          "mac",          # utf8_string
+     'ALG_PARAM_PROPERTIES' =>   "properties",   # utf8_string
+ 
++    # For any operation that deals with AlgorithmIdentifier, they should
++    # implement both of these.
++    # ALG_PARAM_ALGORITHM_ID is intended to be gettable, and is the
++    # implementation's idea of what its full AlgID should look like.
++    # ALG_PARAM_ALGORITHM_ID_PARAMS is intended to be both settable
++    # and gettable, to allow the calling application to pass or get
++    # AlgID parameters to and from the provided implementation.
++    'ALG_PARAM_ALGORITHM_ID' => "algorithm-id", # octet_string (DER)
++    'ALG_PARAM_ALGORITHM_ID_PARAMS' =>  "algorithm-id-params", # octet_string
++
+ # cipher parameters
+     'CIPHER_PARAM_PADDING' =>              "padding",     # uint
+     'CIPHER_PARAM_USE_BITS' =>             "use-bits",    # uint
+@@ -100,8 +110,16 @@ my %params = (
+     'CIPHER_PARAM_RC2_KEYBITS' =>          "keybits",     # size_t
+     'CIPHER_PARAM_SPEED' =>                "speed",       # uint
+     'CIPHER_PARAM_CTS_MODE' =>             "cts_mode",    # utf8_string
+-# For passing the AlgorithmIdentifier parameter in DER form
+-    'CIPHER_PARAM_ALGORITHM_ID_PARAMS' =>  "alg_id_param",# octet_string
++    'CIPHER_PARAM_DECRYPT_ONLY' =>         "decrypt-only",  # int, 0 or 1
++    'CIPHER_PARAM_FIPS_ENCRYPT_CHECK' =>   "encrypt-check", # int
++    'CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
++    'CIPHER_PARAM_ALGORITHM_ID' =>         '*ALG_PARAM_ALGORITHM_ID',
++    # Historically, CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD was used.  For the
++    # time being, the old libcrypto functions will use both, so old providers
++    # continue to work.
++    # New providers are encouraged to use CIPHER_PARAM_ALGORITHM_ID_PARAMS.
++    'CIPHER_PARAM_ALGORITHM_ID_PARAMS' =>  '*ALG_PARAM_ALGORITHM_ID_PARAMS',
++    'CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD' => "alg_id_param", # octet_string
+     'CIPHER_PARAM_XTS_STANDARD' =>         "xts_standard",# utf8_string
+ 
+     'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' =>  "tls1multi_maxsndfrag",# uint
+@@ -250,6 +268,10 @@ my %params = (
+     # it for API stability, but please use ASYM_CIPHER_PARAM_IMPLICIT_REJECTION
+     # instead.
+     'PKEY_PARAM_IMPLICIT_REJECTION' =>  "implicit-rejection",
++    'PKEY_PARAM_FIPS_DIGEST_CHECK' =>   "digest-check",
++    'PKEY_PARAM_FIPS_KEY_CHECK' =>      "key-check",
++    'PKEY_PARAM_ALGORITHM_ID' =>        '*ALG_PARAM_ALGORITHM_ID',
++    'PKEY_PARAM_ALGORITHM_ID_PARAMS' => '*ALG_PARAM_ALGORITHM_ID_PARAMS',
+ 
+ # Diffie-Hellman/DSA Parameters
+     'PKEY_PARAM_FFC_P' =>               "p",
+@@ -378,17 +400,26 @@ my %params = (
+     'EXCHANGE_PARAM_KDF_UKM' =>               "kdf-ukm",
+ 
+ # Signature parameters
+-    'SIGNATURE_PARAM_ALGORITHM_ID' =>       "algorithm-id",
+-    'SIGNATURE_PARAM_PAD_MODE' =>           '*PKEY_PARAM_PAD_MODE',
+-    'SIGNATURE_PARAM_DIGEST' =>             '*PKEY_PARAM_DIGEST',
+-    'SIGNATURE_PARAM_PROPERTIES' =>         '*PKEY_PARAM_PROPERTIES',
+-    'SIGNATURE_PARAM_PSS_SALTLEN' =>        "saltlen",
+-    'SIGNATURE_PARAM_MGF1_DIGEST' =>        '*PKEY_PARAM_MGF1_DIGEST',
+-    'SIGNATURE_PARAM_MGF1_PROPERTIES' =>    '*PKEY_PARAM_MGF1_PROPERTIES',
+-    'SIGNATURE_PARAM_DIGEST_SIZE' =>        '*PKEY_PARAM_DIGEST_SIZE',
+-    'SIGNATURE_PARAM_NONCE_TYPE' =>         "nonce-type",
+-    'SIGNATURE_PARAM_INSTANCE' =>           "instance",
+-    'SIGNATURE_PARAM_CONTEXT_STRING' =>     "context-string",
++    'SIGNATURE_PARAM_ALGORITHM_ID' =>         '*PKEY_PARAM_ALGORITHM_ID',
++    'SIGNATURE_PARAM_ALGORITHM_ID_PARAMS' =>  '*PKEY_PARAM_ALGORITHM_ID_PARAMS',
++    'SIGNATURE_PARAM_PAD_MODE' =>             '*PKEY_PARAM_PAD_MODE',
++    'SIGNATURE_PARAM_DIGEST' =>               '*PKEY_PARAM_DIGEST',
++    'SIGNATURE_PARAM_PROPERTIES' =>           '*PKEY_PARAM_PROPERTIES',
++    'SIGNATURE_PARAM_PSS_SALTLEN' =>          "saltlen",
++    'SIGNATURE_PARAM_MGF1_DIGEST' =>          '*PKEY_PARAM_MGF1_DIGEST',
++    'SIGNATURE_PARAM_MGF1_PROPERTIES' =>      '*PKEY_PARAM_MGF1_PROPERTIES',
++    'SIGNATURE_PARAM_DIGEST_SIZE' =>          '*PKEY_PARAM_DIGEST_SIZE',
++    'SIGNATURE_PARAM_NONCE_TYPE' =>           "nonce-type",
++    'SIGNATURE_PARAM_INSTANCE' =>             "instance",
++    'SIGNATURE_PARAM_CONTEXT_STRING' =>       "context-string",
++    'SIGNATURE_PARAM_FIPS_DIGEST_CHECK' =>    '*PKEY_PARAM_FIPS_DIGEST_CHECK',
++    'SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE' =>  'verify-message',
++    'SIGNATURE_PARAM_FIPS_KEY_CHECK' =>       '*PKEY_PARAM_FIPS_KEY_CHECK',
++    'SIGNATURE_PARAM_FIPS_SIGN_CHECK' =>      '*PKEY_PARAM_FIPS_SIGN_CHECK',
++    'SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK' => "rsa-pss-saltlen-check",
++    'SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK' => "sign-x931-pad-check",
++    'SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
++    'SIGNATURE_PARAM_SIGNATURE' =>          "signature",
+ 
+ # Asym cipher parameters
+     'ASYM_CIPHER_PARAM_DIGEST' =>                   '*PKEY_PARAM_DIGEST',
+-- 
+2.43.0
+

meta-digi-dey/recipes-connectivity/openssl/openssl/openssl-3.0-add-Kernel-TLS-configuration.patch

@@ -0,0 +1,34 @@
+From 24254454e5f5fc503b5e4cc1fa8c6d9b1a3ae9ba Mon Sep 17 00:00:00 2001
+From: Gaurav Jain <gaurav.jain@nxp.com>
+Date: Wed, 19 Jan 2022 15:45:29 +0530
+Subject: [PATCH] openssl 3.0: add Kernel TLS configuration
+
+Upstream-Status: Inappropriate [i.MX, Layerscape specific]
+Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
+---
+ apps/openssl.cnf | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 03330e0120..ec18df388e 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -30,6 +30,15 @@ oid_section = new_oids
+ # (Alternatively, use a configuration file that has only
+ # X.509v3 extensions in its main [= default] section.)
+ 
++[ openssl_init ]
++ssl_conf = ssl_configuration
++
++[ ssl_configuration ]
++ktls = ktls_conf
++
++[ ktls_conf ]
++Options = KTLS
++
+ [ new_oids ]
+ # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+ # Add a simple OID like this:
+-- 
+2.25.1
+

meta-digi-dey/recipes-connectivity/openssl/openssl_%.bbappend

@@ -1,3 +1,14 @@
-# Copyright (C) 2022, Digi International Inc.
+# Copyright (C) 2022,2026 Digi International Inc.
 
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://openssl-3.0-add-Kernel-TLS-configuration.patch \
+            file://0001-e_devcrypto-add-func-ptr-for-init-do-ctrl.patch \
+            file://0002-e_devcrypto-add-support-for-TLS1.2-algorithms-offloa.patch \
+            file://0003-Set-algorithm-id-before-generating-the-EC-key.patch \
+            file://0004-Amend-the-design-of-AlgorithmIdentifier-parameter-pa.patch"
+
+PACKAGECONFIG:append:imx-nxp-bsp = " cryptodev-linux"
+
+EXTRA_OECONF:append = " enable-ktls"
 EXTRA_OECONF:append = " enable-weak-ssl-ciphers"