diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-support/pkcs11-provider/pkcs11-provider_1.0.imx.bb b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-support/pkcs11-provider/pkcs11-provider_1.0.imx.bb new file mode 100644 index 000000000..10e28083e --- /dev/null +++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-support/pkcs11-provider/pkcs11-provider_1.0.imx.bb @@ -0,0 +1,30 @@ +SUMMARY = "An OpenSSL provider that allows direct interfacing with pkcs11 drivers" +DESCRIPTION = "\ +This is an Openssl 3.x provider to access Hardware or Software Tokens using \ +the PKCS#11 Cryptographic Token Interface\ +\ +This code targets version 3.1 of the interface but should be backwards \ +compatible to previous versions as well.\ +" +HOMEPAGE = "https://github.com/latchset/pkcs11-provider" +SECTION = "libs" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://COPYING;md5=b53b787444a60266932bd270d1cf2d45" +DEPENDS = "\ + openssl \ + p11-kit \ +" + +SRC_URI = "${PKCS11_PROVIDER_SRC};branch=${SRCBRANCH}" +PKCS11_PROVIDER_SRC ?= "git://github.com/nxp-imx/${BPN}.git;branch=main;protocol=https" +SRCBRANCH = "lf-6.6.52_2.2.2" +SRCREV = "ededfa20fe2430f33a5e8ea8971af708a2eb65eb" + +S = "${WORKDIR}/git" + +inherit meson pkgconfig + +# Overwrite default pkcs11 module path +#EXTRA_OEMESON += "-Ddefault_pkcs11_module=/path/to/mymodule.so" + +FILES:${PN} += "${libdir}/ossl-modules/pkcs11.so" diff --git a/meta-digi-dey/recipes-connectivity/openssl/openssl/0001-e_devcrypto-add-func-ptr-for-init-do-ctrl.patch b/meta-digi-dey/recipes-connectivity/openssl/openssl/0001-e_devcrypto-add-func-ptr-for-init-do-ctrl.patch new file mode 100644 index 000000000..e016fb5ce --- /dev/null +++ b/meta-digi-dey/recipes-connectivity/openssl/openssl/0001-e_devcrypto-add-func-ptr-for-init-do-ctrl.patch @@ -0,0 +1,104 @@ +From d6c1bf7031cbd96c1d0dec589f318ad942107d23 Mon Sep 17 00:00:00 2001 +From: Pankaj Gupta +Date: Tue, 18 Jan 2022 17:37:37 +0530 +Subject: [PATCH 1/2] e_devcrypto: add func ptr for init, do, ctrl + +In engine "devcrypto", as part prepare_cipher_methods() +- Added function pointer for init, do, ctrl and + variable "flags" such that: +- New cipher can override them to support offloads + to h/w via devcrypto. + +Upstream-Status: Pending [i.MX, Layerscape specific] +Signed-off-by: Pankaj Gupta +--- + engines/e_devcrypto.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c +index fa01317db5..eb56baec19 100644 +--- a/engines/e_devcrypto.c ++++ b/engines/e_devcrypto.c +@@ -408,7 +408,11 @@ static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ + static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; + static int selected_ciphers[OSSL_NELEM(cipher_data)]; + static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)]; +- ++int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc); ++int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl); ++int (*ctrl)(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); + + static int devcrypto_test_cipher(size_t cipher_data_index) + { +@@ -427,6 +431,7 @@ static void prepare_cipher_methods(void) + size_t i; + session_op_t sess; + unsigned long cipher_mode; ++ unsigned long flags; + #ifdef CIOCGSESSION2 + struct crypt_find_op fop; + enum devcrypto_accelerated_t accelerated; +@@ -438,16 +443,26 @@ static void prepare_cipher_methods(void) + + memset(&sess, 0, sizeof(sess)); + sess.key = (void *)"01234567890123456789012345678901234567890123456789"; ++ sess.mackey = (void *)"123456789ABCDEFGHIJKLMNO"; + + for (i = 0, known_cipher_nids_amount = 0; + i < OSSL_NELEM(cipher_data); i++) { + + selected_ciphers[i] = 1; ++ ++ init = cipher_init; ++ ctrl = cipher_ctrl; ++ flags = cipher_data[i].flags ++ | EVP_CIPH_CUSTOM_COPY ++ | EVP_CIPH_CTRL_INIT ++ | EVP_CIPH_FLAG_DEFAULT_ASN1; ++ + /* + * Check that the cipher is usable + */ + sess.cipher = cipher_data[i].devcryptoid; + sess.keylen = cipher_data[i].keylen; ++ + #ifdef CIOCGSESSION2 + /* + * When using CIOCGSESSION2, first try to allocate a hardware +@@ -474,6 +489,10 @@ static void prepare_cipher_methods(void) + + cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; + ++ do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ? ++ ctr_do_cipher : ++ cipher_do_cipher); ++ + if ((known_cipher_methods[i] = + EVP_CIPHER_meth_new(cipher_data[i].nid, + cipher_mode == EVP_CIPH_CTR_MODE ? 1 : +@@ -482,16 +501,11 @@ static void prepare_cipher_methods(void) + || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i], + cipher_data[i].ivlen) + || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i], +- cipher_data[i].flags +- | EVP_CIPH_CUSTOM_COPY +- | EVP_CIPH_CTRL_INIT +- | EVP_CIPH_FLAG_DEFAULT_ASN1) +- || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) ++ flags) ++ || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], init) + || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], +- cipher_mode == EVP_CIPH_CTR_MODE ? +- ctr_do_cipher : +- cipher_do_cipher) +- || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) ++ do_cipher) ++ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], ctrl) + || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], + cipher_cleanup) + || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], +-- +2.17.1 + diff --git a/meta-digi-dey/recipes-connectivity/openssl/openssl/0002-e_devcrypto-add-support-for-TLS1.2-algorithms-offloa.patch b/meta-digi-dey/recipes-connectivity/openssl/openssl/0002-e_devcrypto-add-support-for-TLS1.2-algorithms-offloa.patch new file mode 100644 index 000000000..01ffbd5ea --- /dev/null +++ b/meta-digi-dey/recipes-connectivity/openssl/openssl/0002-e_devcrypto-add-support-for-TLS1.2-algorithms-offloa.patch @@ -0,0 +1,378 @@ +From f674b2f81a18af2146291eda1bbf60d6f71b2935 Mon Sep 17 00:00:00 2001 +From: Pankaj Gupta +Date: Tue, 18 Jan 2022 17:38:11 +0530 +Subject: [PATCH] e_devcrypto: add support for TLS1.2 algorithms offload + + - aes-128-cbc-hmac-sha256 + - aes-256-cbc-hmac-sha256 + +Enabled the support of TLS1.1 algorithms offload + + - aes-128-cbc-hmac-sha1 + - aes-256-cbc-hmac-sha1 + +TLS algorithm support in CAAM Linux kernel driver. + +Fix: Remove the support for TLS1.0. + +Upstream-Status: Pending [i.MX, Layerscape specific] +Signed-off-by: Pankaj Gupta + +--- + engines/e_devcrypto.c | 273 ++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 249 insertions(+), 24 deletions(-) + +diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c +index 02f3abc..8529bac 100644 +--- a/engines/e_devcrypto.c ++++ b/engines/e_devcrypto.c +@@ -28,6 +28,7 @@ + #include "internal/nelem.h" + + /* #define ENGINE_DEVCRYPTO_DEBUG */ ++#define TLS1_1_VERSION 0x0302 + + #if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX + # define CHECK_BSD_STYLE_MACROS +@@ -107,10 +108,14 @@ struct cipher_ctx { + session_op_t sess; + int op; /* COP_ENCRYPT or COP_DECRYPT */ + unsigned long mode; /* EVP_CIPH_*_MODE */ ++ unsigned char *aad; ++ unsigned int aad_len; ++ unsigned int len; + + /* to handle ctr mode being a stream cipher */ + unsigned char partial[EVP_MAX_BLOCK_LENGTH]; + unsigned int blocksize, num; ++ unsigned int tls_ver; + }; + + static const struct cipher_data_st { +@@ -120,49 +125,66 @@ static const struct cipher_data_st { + int ivlen; + int flags; + int devcryptoid; ++ int mackeylen; + } cipher_data[] = { + #ifndef OPENSSL_NO_DES +- { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC }, +- { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC }, ++ { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC, 0 }, ++ { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC, 0 }, + #endif + #ifndef OPENSSL_NO_BF +- { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC }, ++ { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC, 0 }, + #endif + #ifndef OPENSSL_NO_CAST +- { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC }, ++ { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC, 0 }, + #endif +- { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, +- { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, +- { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, ++ { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, ++ { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, ++ { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 }, ++ { NID_aes_128_cbc_hmac_sha1, 16, 16, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 }, ++ { NID_aes_256_cbc_hmac_sha1, 16, 32, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 }, ++ { NID_aes_128_cbc_hmac_sha256, 16, 16, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 }, ++ { NID_aes_256_cbc_hmac_sha256, 16, 32, 16, ++ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, ++ CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 }, + #ifndef OPENSSL_NO_RC4 +- { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 }, ++ { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4, 0 }, + #endif + #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR) +- { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, +- { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, +- { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, ++ { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 }, ++ { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 }, ++ { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 }, + #endif + #if 0 /* Not yet supported */ +- { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, +- { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, ++ { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, 0 }, ++ { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, 0 }, + #endif + #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB) +- { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, +- { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, +- { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, ++ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 }, ++ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 }, ++ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 }, + #endif + #if 0 /* Not yet supported */ +- { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, +- { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, +- { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, ++ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++ { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++#endif ++#ifdef OPENSSL_NXP_CAAM ++ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, ++ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 }, + #endif + #ifndef OPENSSL_NO_CAMELLIA + { NID_camellia_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, ++ CRYPTO_CAMELLIA_CBC, 0 }, + { NID_camellia_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, ++ CRYPTO_CAMELLIA_CBC, 0 }, + { NID_camellia_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, ++ CRYPTO_CAMELLIA_CBC, 0 }, + #endif + }; + +@@ -197,6 +219,193 @@ static const struct cipher_data_st *get_cipher_data(int nid) + return &cipher_data[get_cipher_data_index(nid)]; + } + ++/* ++ * Save the encryption key provided by upper layers. This function is called ++ * by EVP_CipherInit_ex to initialize the algorithm's extra data. We can't do ++ * much here because the mac key is not available. The next call should/will ++ * be to cryptodev_cbc_hmac_sha1_ctrl with parameter ++ * EVP_CTRL_AEAD_SET_MAC_KEY, to set the hmac key. There we call CIOCGSESSION ++ * with both the crypto and hmac keys. ++ */ ++static int cryptodev_init_aead_key(EVP_CIPHER_CTX *ctx, ++ const unsigned char *key, const unsigned char *iv, int enc) ++{ ++ struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx); ++ struct session_op *sess = &state->sess; ++ int cipher = -1, i; ++ ++ for (i = 0; cipher_data[i].devcryptoid; i++) { ++ if (EVP_CIPHER_CTX_nid(ctx) == cipher_data[i].nid && ++ EVP_CIPHER_CTX_iv_length(ctx) <= cipher_data[i].ivlen && ++ EVP_CIPHER_CTX_key_length(ctx) == cipher_data[i].keylen) { ++ cipher = cipher_data[i].devcryptoid; ++ break; ++ } ++ } ++ ++ if (!cipher_data[i].devcryptoid) ++ return (0); ++ ++ memset(sess, 0, sizeof(*sess)); ++ ++ sess->key = (void *) key; ++ sess->keylen = EVP_CIPHER_CTX_key_length(ctx); ++ sess->cipher = cipher; ++ ++ /* for whatever reason, (1) means success */ ++ return 1; ++} ++ ++static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t len) ++{ ++ struct crypt_auth_op cryp; ++ struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx); ++ struct session_op *sess = &state->sess; ++ const void *iiv; ++ unsigned char save_iv[EVP_MAX_IV_LENGTH]; ++ ++ if (cfd < 0) ++ return (0); ++ if (!len) ++ return (1); ++ if ((len % EVP_CIPHER_CTX_block_size(ctx)) != 0) ++ return (0); ++ ++ memset(&cryp, 0, sizeof(cryp)); ++ ++ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { ++ if (!EVP_CIPHER_CTX_encrypting(ctx)) { ++ iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx); ++ memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx)); ++ ++ if (state->tls_ver >= TLS1_1_VERSION) { ++ memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), in, ++ EVP_CIPHER_CTX_iv_length(ctx)); ++ in += EVP_CIPHER_CTX_iv_length(ctx); ++ out += EVP_CIPHER_CTX_iv_length(ctx); ++ len -= EVP_CIPHER_CTX_iv_length(ctx); ++ } ++ } ++ cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx); ++ } else ++ cryp.iv = NULL; ++ ++ /* TODO: make a seamless integration with cryptodev flags */ ++ switch (EVP_CIPHER_CTX_nid(ctx)) { ++ case NID_aes_128_cbc_hmac_sha1: ++ case NID_aes_256_cbc_hmac_sha1: ++ case NID_aes_128_cbc_hmac_sha256: ++ case NID_aes_256_cbc_hmac_sha256: ++ cryp.flags = COP_FLAG_AEAD_TLS_TYPE; ++ } ++ cryp.ses = sess->ses; ++ cryp.len = state->len; ++ cryp.src = (void *) in; ++ cryp.dst = (void *) out; ++ cryp.auth_src = state->aad; ++ cryp.auth_len = state->aad_len; ++ ++ cryp.op = EVP_CIPHER_CTX_encrypting(ctx) ? COP_ENCRYPT : COP_DECRYPT; ++ ++ if (ioctl(cfd, CIOCAUTHCRYPT, &cryp) == -1) { ++ /* ++ * XXX need better errror handling this can fail for a number of ++ * different reasons. ++ */ ++ return 0; ++ } ++ ++ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { ++ if (EVP_CIPHER_CTX_encrypting(ctx)) ++ iiv = out + len - EVP_CIPHER_CTX_iv_length(ctx); ++ else ++ iiv = save_iv; ++ ++ memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iiv, ++ EVP_CIPHER_CTX_iv_length(ctx)); ++ } ++ return 1; ++} ++ ++static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, ++ int arg, void *ptr) ++{ ++ switch (type) { ++ case EVP_CTRL_AEAD_SET_MAC_KEY: ++ { ++ /* TODO: what happens with hmac keys larger than 64 bytes? */ ++ struct cipher_ctx *state = ++ EVP_CIPHER_CTX_get_cipher_data(ctx); ++ struct session_op *sess = &state->sess; ++ ++ /* the rest should have been set in cryptodev_init_aead_key */ ++ sess->mackey = ptr; ++ sess->mackeylen = arg; ++ if (ioctl(cfd, CIOCGSESSION, sess) == -1) ++ return 0; ++ ++ return 1; ++ } ++ case EVP_CTRL_AEAD_TLS1_AAD: ++ { ++ /* ptr points to the associated data buffer of 13 bytes */ ++ struct cipher_ctx *state = ++ EVP_CIPHER_CTX_get_cipher_data(ctx); ++ unsigned char *p = ptr; ++ unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1]; ++ unsigned int maclen; ++ unsigned int blocksize = EVP_CIPHER_CTX_block_size(ctx); ++ int ret; ++ ++ state->tls_ver = p[arg - 4] << 8 | p[arg - 3]; ++ state->aad = ptr; ++ state->aad_len = arg; ++ ++ /* TODO: this should be an extension of EVP_CIPHER struct */ ++ switch (EVP_CIPHER_CTX_nid(ctx)) { ++ case NID_aes_128_cbc_hmac_sha1: ++ case NID_aes_256_cbc_hmac_sha1: ++ maclen = SHA_DIGEST_LENGTH; ++ break; ++ case NID_aes_128_cbc_hmac_sha256: ++ case NID_aes_256_cbc_hmac_sha256: ++ maclen = SHA256_DIGEST_LENGTH; ++ break; ++ default: ++ /* ++ * Only above 4 supported NIDs are used to enter to this ++ * function. If any other NID reaches this function, ++ * there's a grave coding error further down. ++ */ ++ assert("Code that never should be reached" == NULL); ++ return -1; ++ } ++ ++ /* space required for encryption (not only TLS padding) */ ++ if (EVP_CIPHER_CTX_encrypting(ctx)) { ++ if (state->tls_ver >= TLS1_1_VERSION) { ++ p[arg - 2] = (cryptlen - blocksize) >> 8; ++ p[arg - 1] = (cryptlen - blocksize); ++ } ++ ret = (int)(((cryptlen + maclen + ++ blocksize) & -blocksize) - cryptlen); ++ } else { ++ if (state->tls_ver >= TLS1_1_VERSION) { ++ cryptlen -= blocksize; ++ p[arg - 2] = cryptlen >> 8; ++ p[arg - 1] = cryptlen; ++ } ++ ret = maclen; ++ } ++ state->len = cryptlen; ++ return ret; ++ } ++ default: ++ return -1; ++ } ++} ++ + /* + * Following are the three necessary functions to map OpenSSL functionality + * with cryptodev. +@@ -463,6 +672,7 @@ static void prepare_cipher_methods(void) + */ + sess.cipher = cipher_data[i].devcryptoid; + sess.keylen = cipher_data[i].keylen; ++ sess.mackeylen = cipher_data[i].mackeylen; + + #ifdef CIOCGSESSION2 + /* +@@ -494,6 +704,15 @@ static void prepare_cipher_methods(void) + ctr_do_cipher : + cipher_do_cipher); + ++ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256) { ++ init = cryptodev_init_aead_key; ++ do_cipher = cryptodev_aead_cipher; ++ ctrl = cryptodev_cbc_hmac_sha1_ctrl; ++ flags = cipher_data[i].flags; ++ } + if ((known_cipher_methods[i] = + EVP_CIPHER_meth_new(cipher_data[i].nid, + cipher_mode == EVP_CIPH_CTR_MODE ? 1 : +@@ -538,11 +757,17 @@ static void prepare_cipher_methods(void) + } + #endif /* CIOCGSESSINFO */ + } ++ ++ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1 ++ || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256 ++ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256) ++ EVP_add_cipher(known_cipher_methods[i]); ++ + ioctl(cfd, CIOCFSESSION, &sess.ses); +- if (devcrypto_test_cipher(i)) { ++ if (devcrypto_test_cipher(i)) + known_cipher_nids[known_cipher_nids_amount++] = + cipher_data[i].nid; +- } + } + } + diff --git a/meta-digi-dey/recipes-connectivity/openssl/openssl/0003-Set-algorithm-id-before-generating-the-EC-key.patch b/meta-digi-dey/recipes-connectivity/openssl/openssl/0003-Set-algorithm-id-before-generating-the-EC-key.patch new file mode 100644 index 000000000..69cdce7d0 --- /dev/null +++ b/meta-digi-dey/recipes-connectivity/openssl/openssl/0003-Set-algorithm-id-before-generating-the-EC-key.patch @@ -0,0 +1,70 @@ +From 27e4bd35a42287248bd5253836c265dd555b1ee2 Mon Sep 17 00:00:00 2001 +From: Ilie Halip +Date: Wed, 10 Sep 2025 08:46:50 +0200 +Subject: [PATCH] [PATCH] Set "algorithm-id" before generating the EC key. + +Upstream-Status: Pending + +Signed-off-by: Ilie Halip +--- + ssl/s3_lib.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c +index d6ed169f39..68938bb8fb 100644 +--- a/ssl/s3_lib.c ++++ b/ssl/s3_lib.c +@@ -4742,6 +4742,30 @@ int ssl_generate_master_secret(SSL_CONNECTION *s, unsigned char *pms, + return ret; + } + ++void ssl_generate_set_pkey_alg(SSL_CONNECTION *s, EVP_PKEY_CTX *pctx) ++{ ++ const char *alg = NULL; ++ OSSL_PARAM algparams[2] = { 0 }; ++ ++ switch (s->version) { ++ case TLS1_2_VERSION: ++ alg = "tls1.2"; ++ break; ++ case TLS1_3_VERSION: ++ alg = "tls1.3"; ++ break; ++ } ++ ++ if (alg) { ++ algparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_ALGORITHM_ID, ++ (char *)alg, 0); ++ algparams[1] = OSSL_PARAM_construct_end(); ++ ++ /* intentionally ignore the result */ ++ EVP_PKEY_CTX_set_params(pctx, algparams); ++ } ++} ++ + /* Generate a private key from parameters */ + EVP_PKEY *ssl_generate_pkey(SSL_CONNECTION *s, EVP_PKEY *pm) + { +@@ -4756,6 +4780,9 @@ EVP_PKEY *ssl_generate_pkey(SSL_CONNECTION *s, EVP_PKEY *pm) + goto err; + if (EVP_PKEY_keygen_init(pctx) <= 0) + goto err; ++ ++ ssl_generate_set_pkey_alg(s, pctx); ++ + if (EVP_PKEY_keygen(pctx, &pkey) <= 0) { + EVP_PKEY_free(pkey); + pkey = NULL; +@@ -4794,6 +4821,9 @@ EVP_PKEY *ssl_generate_pkey_group(SSL_CONNECTION *s, uint16_t id) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); + goto err; + } ++ ++ ssl_generate_set_pkey_alg(s, pctx); ++ + if (EVP_PKEY_keygen(pctx, &pkey) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); + EVP_PKEY_free(pkey); +-- +2.43.0 + diff --git a/meta-digi-dey/recipes-connectivity/openssl/openssl/0004-Amend-the-design-of-AlgorithmIdentifier-parameter-pa.patch b/meta-digi-dey/recipes-connectivity/openssl/openssl/0004-Amend-the-design-of-AlgorithmIdentifier-parameter-pa.patch new file mode 100644 index 000000000..140e477c2 --- /dev/null +++ b/meta-digi-dey/recipes-connectivity/openssl/openssl/0004-Amend-the-design-of-AlgorithmIdentifier-parameter-pa.patch @@ -0,0 +1,267 @@ +From 284653acb6df4d68e276d4515a45ccd50ff54eab Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Thu, 25 Jul 2024 11:56:13 +0200 +Subject: [PATCH] Amend the design of AlgorithmIdentifier parameter passing + +I realised that any application that passes AlgorithmIdentifier parameters +to and from a provider may also be interested in the full AlgorithmIdentifier +of the implementation invocation. + +Likewise, any application that wants to get the full AlgorithmIdentifier +from an implementation invocation may also want to pass AlgorithmIdentifier +parameters to that same implementation invocation. + +These amendments should be useful to cover all intended uses of the legacy +ctrls for PKCS7 and CMS: + +- EVP_PKEY_CTRL_PKCS7_ENCRYPT +- EVP_PKEY_CTRL_PKCS7_DECRYPT +- EVP_PKEY_CTRL_PKCS7_SIGN +- EVP_PKEY_CTRL_CMS_ENCRYPT +- EVP_PKEY_CTRL_CMS_DECRYPT +- EVP_PKEY_CTRL_CMS_SIGN + +It should also cover a number of other cases that were previously implemented +through EVP_PKEY_ASN1_METHOD, as well as all sorts of other cases where the +application has had to assemble a X509_ALGOR on their own. + +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/0941666728c44d701496004ebd5bf96ac7b715fb] +Reviewed-by: Matt Caswell +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/25000) +--- + .../passing-algorithmidentifier-parameters.md | 65 ++++++++++++------- + doc/man3/EVP_EncryptInit.pod | 19 ++++-- + util/perl/OpenSSL/paramnames.pm | 57 ++++++++++++---- + 3 files changed, 101 insertions(+), 40 deletions(-) + +diff --git a/doc/designs/passing-algorithmidentifier-parameters.md b/doc/designs/passing-algorithmidentifier-parameters.md +index bb3821e337..f33862e45e 100644 +--- a/doc/designs/passing-algorithmidentifier-parameters.md ++++ b/doc/designs/passing-algorithmidentifier-parameters.md +@@ -1,11 +1,13 @@ +-Passing AlgorithmIdentifier parameters to operations +-==================================================== ++Handling AlgorithmIdentifier and its parameters with provider operations ++======================================================================== + + Quick background + ---------------- + + We currently only support passing the AlgorithmIdentifier (`X509_ALGOR`) +-parameter field to symmetric cipher provider implementations. ++parameter field to symmetric cipher provider implementations. We currently ++only support getting full AlgorithmIdentifier (`X509_ALGOR`) from signature ++provider implementations. + + We do support passing them to legacy implementations of other types of + operation algorithms as well, but it's done in a way that can't be supported +@@ -15,18 +17,30 @@ libcrypto and the backend implementation. + For a longer background and explanation, see + [Background / tl;dr](#background-tldr) at the end of this design. + +-Establish an OSSL_PARAM key that any algorithms may become aware of +-------------------------------------------------------------------- ++Establish OSSL_PARAM keys that any algorithms may become aware of ++----------------------------------------------------------------- + +-We already have a parameter key, but it's currently only specified for +-`EVP_CIPHER`, in support of `EVP_CIPHER_param_to_asn1()` and +-`EVP_CIPHER_asn1_to_param()`. ++We already have known parameter keys: + +-"alg_id_param", also known as the macro `OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS` ++- "algor_id_param", also known as the macro `OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS`. + +-This parameter can be used in the exact same manner with other operations, +-with the value of the AlgorithmIdentifier parameter as an octet string, to +-be interpreted by the implementations in whatever way they see fit. ++ This is currently only specified for `EVP_CIPHER`, in support of ++ `EVP_CIPHER_param_to_asn1()` and `EVP_CIPHER_asn1_to_param()` ++ ++- "algorithm-id", also known as the macro `OSSL_SIGNATURE_PARAM_ALGORITHM_ID`. ++ ++This design proposes: ++ ++1. Adding a parameter key "algorithm-id-params", to replace "algor_id_param", ++ and deprecate the latter. ++2. Making both "algorithm-id" and "algorithm-id-params" generically available, ++ rather than only tied to `EVP_SIGNATURE` ("algorithm-id") or `EVP_CIPHER` ++ ("algor_id_param"). ++ ++This way, these parameters can be used in the exact same manner with other ++operations, with the value of the AlgorithmIdentifier as well as its ++parameters as octet strings, to be used and interpreted by applications and ++provider implementations alike in whatever way they see fit. + + Applications can choose to add these in an `OSSL_PARAM` array, to be passed + with the multitude of initialization functions that take such an array, or +@@ -34,7 +48,7 @@ using specific operation `OSSL_PARAM` setters and getters (such as + `EVP_PKEY_CTX_set_params`), or using other available convenience functions + (see below). + +-This parameter will have to be documented in the following files: ++These parameter will have to be documented in the following files: + + - `doc/man7/provider-asym_cipher.pod` + - `doc/man7/provider-cipher.pod` +@@ -67,20 +81,25 @@ such parameter data from them. + * These two would essentially be aliases for EVP_CIPHER_param_to_asn1() + * and EVP_CIPHER_asn1_to_param(). + */ +-EVP_CIPHER_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +-EVP_CIPHER_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); ++EVP_CIPHER_CTX_set_algor_params(EVP_CIPHER_CTX *ctx, const X509_ALGOR *alg); ++EVP_CIPHER_CTX_get_algor_params(EVP_CIPHER_CTX *ctx, X509_ALGOR *alg); ++EVP_CIPHER_CTX_get_algor(EVP_CIPHER_CTX *ctx, X509_ALGOR **alg); + +-EVP_MD_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +-EVP_MD_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); ++EVP_MD_CTX_set_algor_params(EVP_MD_CTX *ctx, const X509_ALGOR *alg); ++EVP_MD_CTX_get_algor_params(EVP_MD_CTX *ctx, X509_ALGOR *alg); ++EVP_MD_CTX_get_algor(EVP_MD_CTX *ctx, X509_ALGOR **alg); + +-EVP_MAC_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +-EVP_MAC_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); ++EVP_MAC_CTX_set_algor_params(EVP_MAC_CTX *ctx, const X509_ALGOR *alg); ++EVP_MAC_CTX_get_algor_params(EVP_MAC_CTX *ctx, X509_ALGOR *alg); ++EVP_MAC_CTX_get_algor(EVP_MAC_CTX *ctx, X509_ALGOR **alg); + +-EVP_KDF_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +-EVP_KDF_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); ++EVP_KDF_CTX_set_algor_params(EVP_KDF_CTX *ctx, const X509_ALGOR *alg); ++EVP_KDF_CTX_get_algor_params(EVP_KDF_CTX *ctx, X509_ALGOR *alg); ++EVP_KDF_CTX_get_algor(EVP_KDF_CTX *ctx, X509_ALGOR **alg); + +-EVP_PKEY_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +-EVP_PKEY_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); ++EVP_PKEY_CTX_set_algor_params(EVP_PKEY_CTX *ctx, const X509_ALGOR *alg); ++EVP_PKEY_CTX_get_algor_params(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); ++EVP_PKEY_CTX_get_algor(EVP_PKEY_CTX *ctx, X509_ALGOR **alg); + ``` + + Note that all might not need to be added immediately, depending on if they +diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod +index 45c3cb062c..648dc60853 100644 +--- a/doc/man3/EVP_EncryptInit.pod ++++ b/doc/man3/EVP_EncryptInit.pod +@@ -770,12 +770,23 @@ The length of the "keybits" parameter should not exceed that of a B. + Gets or sets the number of rounds to be used for a cipher. + This is used by the RC5 cipher. + +-=item "alg_id_param" (B) ++=item "algorithm-id" (B) ++ ++Used to get the DER encoded AlgorithmIdentifier from the cipher ++implementation. Functions like L use this ++parameter. ++ ++=item "algorithm-id-params" (B) + + Used to pass the DER encoded AlgorithmIdentifier parameter to or from +-the cipher implementation. Functions like L +-and L use this parameter for any implementation +-that has the flag B set. ++the cipher implementation. ++Functions like L and ++L use this parameter. ++ ++=item "alg_id_params" (B) ++ ++An deprecated alias for "algorithm-id-params", only used by ++L and L. + + =item "cts_mode" (B) + +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index bfa75f760c..8c70a594b9 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -68,6 +68,16 @@ my %params = ( + 'ALG_PARAM_MAC' => "mac", # utf8_string + 'ALG_PARAM_PROPERTIES' => "properties", # utf8_string + ++ # For any operation that deals with AlgorithmIdentifier, they should ++ # implement both of these. ++ # ALG_PARAM_ALGORITHM_ID is intended to be gettable, and is the ++ # implementation's idea of what its full AlgID should look like. ++ # ALG_PARAM_ALGORITHM_ID_PARAMS is intended to be both settable ++ # and gettable, to allow the calling application to pass or get ++ # AlgID parameters to and from the provided implementation. ++ 'ALG_PARAM_ALGORITHM_ID' => "algorithm-id", # octet_string (DER) ++ 'ALG_PARAM_ALGORITHM_ID_PARAMS' => "algorithm-id-params", # octet_string ++ + # cipher parameters + 'CIPHER_PARAM_PADDING' => "padding", # uint + 'CIPHER_PARAM_USE_BITS' => "use-bits", # uint +@@ -100,8 +110,16 @@ my %params = ( + 'CIPHER_PARAM_RC2_KEYBITS' => "keybits", # size_t + 'CIPHER_PARAM_SPEED' => "speed", # uint + 'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string +-# For passing the AlgorithmIdentifier parameter in DER form +- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string ++ 'CIPHER_PARAM_DECRYPT_ONLY' => "decrypt-only", # int, 0 or 1 ++ 'CIPHER_PARAM_FIPS_ENCRYPT_CHECK' => "encrypt-check", # int ++ 'CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR', ++ 'CIPHER_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID', ++ # Historically, CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD was used. For the ++ # time being, the old libcrypto functions will use both, so old providers ++ # continue to work. ++ # New providers are encouraged to use CIPHER_PARAM_ALGORITHM_ID_PARAMS. ++ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => '*ALG_PARAM_ALGORITHM_ID_PARAMS', ++ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD' => "alg_id_param", # octet_string + 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string + + 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint +@@ -250,6 +268,10 @@ my %params = ( + # it for API stability, but please use ASYM_CIPHER_PARAM_IMPLICIT_REJECTION + # instead. + 'PKEY_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", ++ 'PKEY_PARAM_FIPS_DIGEST_CHECK' => "digest-check", ++ 'PKEY_PARAM_FIPS_KEY_CHECK' => "key-check", ++ 'PKEY_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID', ++ 'PKEY_PARAM_ALGORITHM_ID_PARAMS' => '*ALG_PARAM_ALGORITHM_ID_PARAMS', + + # Diffie-Hellman/DSA Parameters + 'PKEY_PARAM_FFC_P' => "p", +@@ -378,17 +400,26 @@ my %params = ( + 'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm", + + # Signature parameters +- 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id", +- 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE', +- 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', +- 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES', +- 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen", +- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', +- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', +- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', +- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", +- 'SIGNATURE_PARAM_INSTANCE' => "instance", +- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", ++ 'SIGNATURE_PARAM_ALGORITHM_ID' => '*PKEY_PARAM_ALGORITHM_ID', ++ 'SIGNATURE_PARAM_ALGORITHM_ID_PARAMS' => '*PKEY_PARAM_ALGORITHM_ID_PARAMS', ++ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE', ++ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', ++ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES', ++ 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen", ++ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', ++ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', ++ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', ++ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", ++ 'SIGNATURE_PARAM_INSTANCE' => "instance", ++ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", ++ 'SIGNATURE_PARAM_FIPS_DIGEST_CHECK' => '*PKEY_PARAM_FIPS_DIGEST_CHECK', ++ 'SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE' => 'verify-message', ++ 'SIGNATURE_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK', ++ 'SIGNATURE_PARAM_FIPS_SIGN_CHECK' => '*PKEY_PARAM_FIPS_SIGN_CHECK', ++ 'SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK' => "rsa-pss-saltlen-check", ++ 'SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK' => "sign-x931-pad-check", ++ 'SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR', ++ 'SIGNATURE_PARAM_SIGNATURE' => "signature", + + # Asym cipher parameters + 'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', +-- +2.43.0 + diff --git a/meta-digi-dey/recipes-connectivity/openssl/openssl/openssl-3.0-add-Kernel-TLS-configuration.patch b/meta-digi-dey/recipes-connectivity/openssl/openssl/openssl-3.0-add-Kernel-TLS-configuration.patch new file mode 100644 index 000000000..8983db913 --- /dev/null +++ b/meta-digi-dey/recipes-connectivity/openssl/openssl/openssl-3.0-add-Kernel-TLS-configuration.patch @@ -0,0 +1,34 @@ +From 24254454e5f5fc503b5e4cc1fa8c6d9b1a3ae9ba Mon Sep 17 00:00:00 2001 +From: Gaurav Jain +Date: Wed, 19 Jan 2022 15:45:29 +0530 +Subject: [PATCH] openssl 3.0: add Kernel TLS configuration + +Upstream-Status: Inappropriate [i.MX, Layerscape specific] +Signed-off-by: Gaurav Jain +--- + apps/openssl.cnf | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/apps/openssl.cnf b/apps/openssl.cnf +index 03330e0120..ec18df388e 100644 +--- a/apps/openssl.cnf ++++ b/apps/openssl.cnf +@@ -30,6 +30,15 @@ oid_section = new_oids + # (Alternatively, use a configuration file that has only + # X.509v3 extensions in its main [= default] section.) + ++[ openssl_init ] ++ssl_conf = ssl_configuration ++ ++[ ssl_configuration ] ++ktls = ktls_conf ++ ++[ ktls_conf ] ++Options = KTLS ++ + [ new_oids ] + # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. + # Add a simple OID like this: +-- +2.25.1 + diff --git a/meta-digi-dey/recipes-connectivity/openssl/openssl_%.bbappend b/meta-digi-dey/recipes-connectivity/openssl/openssl_%.bbappend index 78a05fbf6..7beba0439 100644 --- a/meta-digi-dey/recipes-connectivity/openssl/openssl_%.bbappend +++ b/meta-digi-dey/recipes-connectivity/openssl/openssl_%.bbappend @@ -1,3 +1,14 @@ -# Copyright (C) 2022, Digi International Inc. +# Copyright (C) 2022,2026 Digi International Inc. +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" + +SRC_URI += "file://openssl-3.0-add-Kernel-TLS-configuration.patch \ + file://0001-e_devcrypto-add-func-ptr-for-init-do-ctrl.patch \ + file://0002-e_devcrypto-add-support-for-TLS1.2-algorithms-offloa.patch \ + file://0003-Set-algorithm-id-before-generating-the-EC-key.patch \ + file://0004-Amend-the-design-of-AlgorithmIdentifier-parameter-pa.patch" + +PACKAGECONFIG:append:imx-nxp-bsp = " cryptodev-linux" + +EXTRA_OECONF:append = " enable-ktls" EXTRA_OECONF:append = " enable-weak-ssl-ciphers"