Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

openssl: integrate support for pkcs11-provider NXP fork 

This is the version used in NXP's lf-6.6.52-2.2.2 release.

https://onedigi.atlassian.net/browse/DEL-9905

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit is contained in:
Javier Viguera 2026-01-20 17:55:01 +01:00
parent 618d842d75
commit 4f9f4b113e
7 changed files with 895 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
meta-digi-arm/dynamic-layers/freescale-layer/recipes-support/pkcs11-provider/pkcs11-provider_1.0.imx.bb Normal file
View File

@ -0,0 +1,30 @@
SUMMARY = "An OpenSSL provider that allows direct interfacing with pkcs11 drivers"
DESCRIPTION = "\
This is an Openssl 3.x provider to access Hardware or Software Tokens using \
the PKCS#11 Cryptographic Token Interface\
\
This code targets version 3.1 of the interface but should be backwards \
compatible to previous versions as well.\
"
HOMEPAGE = "https://github.com/latchset/pkcs11-provider"
SECTION = "libs"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=b53b787444a60266932bd270d1cf2d45"
DEPENDS = "\
openssl \
p11-kit \
"
SRC_URI = "${PKCS11_PROVIDER_SRC};branch=${SRCBRANCH}"
PKCS11_PROVIDER_SRC ?= "git://github.com/nxp-imx/${BPN}.git;branch=main;protocol=https"
SRCBRANCH = "lf-6.6.52_2.2.2"
SRCREV = "ededfa20fe2430f33a5e8ea8971af708a2eb65eb"
S = "${WORKDIR}/git"
inherit meson pkgconfig
# Overwrite default pkcs11 module path
#EXTRA_OEMESON += "-Ddefault_pkcs11_module=/path/to/mymodule.so"
FILES:${PN} += "${libdir}/ossl-modules/pkcs11.so"

104
meta-digi-dey/recipes-connectivity/openssl/openssl/0001-e_devcrypto-add-func-ptr-for-init-do-ctrl.patch Normal file
View File

@ -0,0 +1,104 @@
From d6c1bf7031cbd96c1d0dec589f318ad942107d23 Mon Sep 17 00:00:00 2001
From: Pankaj Gupta <pankaj.gupta@nxp.com>
Date: Tue, 18 Jan 2022 17:37:37 +0530
Subject: [PATCH 1/2] e_devcrypto: add func ptr for init, do, ctrl
In engine "devcrypto", as part prepare_cipher_methods()
- Added function pointer for init, do, ctrl and
variable "flags" such that:
- New cipher can override them to support offloads
to h/w via devcrypto.
Upstream-Status: Pending [i.MX, Layerscape specific]
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
---
engines/e_devcrypto.c | 34 ++++++++++++++++++++++++----------
1 file changed, 24 insertions(+), 10 deletions(-)
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
index fa01317db5..eb56baec19 100644
--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -408,7 +408,11 @@ static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */
static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, };
static int selected_ciphers[OSSL_NELEM(cipher_data)];
static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)];
-
+int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ const unsigned char *iv, int enc);
+int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl);
+int (*ctrl)(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
static int devcrypto_test_cipher(size_t cipher_data_index)
{
@@ -427,6 +431,7 @@ static void prepare_cipher_methods(void)
size_t i;
session_op_t sess;
unsigned long cipher_mode;
+ unsigned long flags;
#ifdef CIOCGSESSION2
struct crypt_find_op fop;
enum devcrypto_accelerated_t accelerated;
@@ -438,16 +443,26 @@ static void prepare_cipher_methods(void)
memset(&sess, 0, sizeof(sess));
sess.key = (void *)"01234567890123456789012345678901234567890123456789";
+ sess.mackey = (void *)"123456789ABCDEFGHIJKLMNO";
for (i = 0, known_cipher_nids_amount = 0;
i < OSSL_NELEM(cipher_data); i++) {
selected_ciphers[i] = 1;
+
+ init = cipher_init;
+ ctrl = cipher_ctrl;
+ flags = cipher_data[i].flags
+ | EVP_CIPH_CUSTOM_COPY
+ | EVP_CIPH_CTRL_INIT
+ | EVP_CIPH_FLAG_DEFAULT_ASN1;
+
/*
* Check that the cipher is usable
*/
sess.cipher = cipher_data[i].devcryptoid;
sess.keylen = cipher_data[i].keylen;
+
#ifdef CIOCGSESSION2
/*
* When using CIOCGSESSION2, first try to allocate a hardware
@@ -474,6 +489,10 @@ static void prepare_cipher_methods(void)
cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
+ do_cipher = (cipher_mode == EVP_CIPH_CTR_MODE ?
+ ctr_do_cipher :
+ cipher_do_cipher);
+
if ((known_cipher_methods[i] =
EVP_CIPHER_meth_new(cipher_data[i].nid,
cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
@@ -482,16 +501,11 @@ static void prepare_cipher_methods(void)
|| !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
cipher_data[i].ivlen)
|| !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
- cipher_data[i].flags
- | EVP_CIPH_CUSTOM_COPY
- | EVP_CIPH_CTRL_INIT
- | EVP_CIPH_FLAG_DEFAULT_ASN1)
- || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
+ flags)
+ || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], init)
|| !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
- cipher_mode == EVP_CIPH_CTR_MODE ?
- ctr_do_cipher :
- cipher_do_cipher)
- || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
+ do_cipher)
+ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], ctrl)
|| !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
cipher_cleanup)
|| !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
--
2.17.1

378
meta-digi-dey/recipes-connectivity/openssl/openssl/0002-e_devcrypto-add-support-for-TLS1.2-algorithms-offloa.patch Normal file
View File

@ -0,0 +1,378 @@
From f674b2f81a18af2146291eda1bbf60d6f71b2935 Mon Sep 17 00:00:00 2001
From: Pankaj Gupta <pankaj.gupta@nxp.com>
Date: Tue, 18 Jan 2022 17:38:11 +0530
Subject: [PATCH] e_devcrypto: add support for TLS1.2 algorithms offload
- aes-128-cbc-hmac-sha256
- aes-256-cbc-hmac-sha256
Enabled the support of TLS1.1 algorithms offload
- aes-128-cbc-hmac-sha1
- aes-256-cbc-hmac-sha1
TLS algorithm support in CAAM Linux kernel driver.
Fix: Remove the support for TLS1.0.
Upstream-Status: Pending [i.MX, Layerscape specific]
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
---
engines/e_devcrypto.c | 273 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 249 insertions(+), 24 deletions(-)
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
index 02f3abc..8529bac 100644
--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -28,6 +28,7 @@
#include "internal/nelem.h"
/* #define ENGINE_DEVCRYPTO_DEBUG */
+#define TLS1_1_VERSION 0x0302
#if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX
# define CHECK_BSD_STYLE_MACROS
@@ -107,10 +108,14 @@ struct cipher_ctx {
session_op_t sess;
int op; /* COP_ENCRYPT or COP_DECRYPT */
unsigned long mode; /* EVP_CIPH_*_MODE */
+ unsigned char *aad;
+ unsigned int aad_len;
+ unsigned int len;
/* to handle ctr mode being a stream cipher */
unsigned char partial[EVP_MAX_BLOCK_LENGTH];
unsigned int blocksize, num;
+ unsigned int tls_ver;
};
static const struct cipher_data_st {
@@ -120,49 +125,66 @@ static const struct cipher_data_st {
int ivlen;
int flags;
int devcryptoid;
+ int mackeylen;
} cipher_data[] = {
#ifndef OPENSSL_NO_DES
- { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC },
- { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC },
+ { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC, 0 },
+ { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC, 0 },
#endif
#ifndef OPENSSL_NO_BF
- { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC },
+ { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC, 0 },
#endif
#ifndef OPENSSL_NO_CAST
- { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC },
+ { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC, 0 },
#endif
- { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
- { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
- { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
+ { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 },
+ { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 },
+ { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC, 0 },
+ { NID_aes_128_cbc_hmac_sha1, 16, 16, 16,
+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 },
+ { NID_aes_256_cbc_hmac_sha1, 16, 32, 16,
+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+ CRYPTO_TLS11_AES_CBC_HMAC_SHA1, 20 },
+ { NID_aes_128_cbc_hmac_sha256, 16, 16, 16,
+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+ CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 },
+ { NID_aes_256_cbc_hmac_sha256, 16, 32, 16,
+ EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER,
+ CRYPTO_TLS12_AES_CBC_HMAC_SHA256, 32 },
#ifndef OPENSSL_NO_RC4
- { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 },
+ { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4, 0 },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR)
- { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
- { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
- { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
+ { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 },
+ { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 },
+ { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR, 0 },
#endif
#if 0 /* Not yet supported */
- { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
- { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
+ { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, 0 },
+ { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS, 0 },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
- { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
- { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
- { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
+ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
+ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB, 0 },
#endif
#if 0 /* Not yet supported */
- { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
- { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
- { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
+ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
+ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
+ { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
+#endif
+#ifdef OPENSSL_NXP_CAAM
+ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
+ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM, 0 },
#endif
#ifndef OPENSSL_NO_CAMELLIA
{ NID_camellia_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE,
- CRYPTO_CAMELLIA_CBC },
+ CRYPTO_CAMELLIA_CBC, 0 },
{ NID_camellia_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE,
- CRYPTO_CAMELLIA_CBC },
+ CRYPTO_CAMELLIA_CBC, 0 },
{ NID_camellia_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE,
- CRYPTO_CAMELLIA_CBC },
+ CRYPTO_CAMELLIA_CBC, 0 },
#endif
};
@@ -197,6 +219,193 @@ static const struct cipher_data_st *get_cipher_data(int nid)
return &cipher_data[get_cipher_data_index(nid)];
}
+/*
+ * Save the encryption key provided by upper layers. This function is called
+ * by EVP_CipherInit_ex to initialize the algorithm's extra data. We can't do
+ * much here because the mac key is not available. The next call should/will
+ * be to cryptodev_cbc_hmac_sha1_ctrl with parameter
+ * EVP_CTRL_AEAD_SET_MAC_KEY, to set the hmac key. There we call CIOCGSESSION
+ * with both the crypto and hmac keys.
+ */
+static int cryptodev_init_aead_key(EVP_CIPHER_CTX *ctx,
+ const unsigned char *key, const unsigned char *iv, int enc)
+{
+ struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx);
+ struct session_op *sess = &state->sess;
+ int cipher = -1, i;
+
+ for (i = 0; cipher_data[i].devcryptoid; i++) {
+ if (EVP_CIPHER_CTX_nid(ctx) == cipher_data[i].nid &&
+ EVP_CIPHER_CTX_iv_length(ctx) <= cipher_data[i].ivlen &&
+ EVP_CIPHER_CTX_key_length(ctx) == cipher_data[i].keylen) {
+ cipher = cipher_data[i].devcryptoid;
+ break;
+ }
+ }
+
+ if (!cipher_data[i].devcryptoid)
+ return (0);
+
+ memset(sess, 0, sizeof(*sess));
+
+ sess->key = (void *) key;
+ sess->keylen = EVP_CIPHER_CTX_key_length(ctx);
+ sess->cipher = cipher;
+
+ /* for whatever reason, (1) means success */
+ return 1;
+}
+
+static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ struct crypt_auth_op cryp;
+ struct cipher_ctx *state = EVP_CIPHER_CTX_get_cipher_data(ctx);
+ struct session_op *sess = &state->sess;
+ const void *iiv;
+ unsigned char save_iv[EVP_MAX_IV_LENGTH];
+
+ if (cfd < 0)
+ return (0);
+ if (!len)
+ return (1);
+ if ((len % EVP_CIPHER_CTX_block_size(ctx)) != 0)
+ return (0);
+
+ memset(&cryp, 0, sizeof(cryp));
+
+ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
+ if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+ iiv = in + len - EVP_CIPHER_CTX_iv_length(ctx);
+ memcpy(save_iv, iiv, EVP_CIPHER_CTX_iv_length(ctx));
+
+ if (state->tls_ver >= TLS1_1_VERSION) {
+ memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), in,
+ EVP_CIPHER_CTX_iv_length(ctx));
+ in += EVP_CIPHER_CTX_iv_length(ctx);
+ out += EVP_CIPHER_CTX_iv_length(ctx);
+ len -= EVP_CIPHER_CTX_iv_length(ctx);
+ }
+ }
+ cryp.iv = (void *) EVP_CIPHER_CTX_iv(ctx);
+ } else
+ cryp.iv = NULL;
+
+ /* TODO: make a seamless integration with cryptodev flags */
+ switch (EVP_CIPHER_CTX_nid(ctx)) {
+ case NID_aes_128_cbc_hmac_sha1:
+ case NID_aes_256_cbc_hmac_sha1:
+ case NID_aes_128_cbc_hmac_sha256:
+ case NID_aes_256_cbc_hmac_sha256:
+ cryp.flags = COP_FLAG_AEAD_TLS_TYPE;
+ }
+ cryp.ses = sess->ses;
+ cryp.len = state->len;
+ cryp.src = (void *) in;
+ cryp.dst = (void *) out;
+ cryp.auth_src = state->aad;
+ cryp.auth_len = state->aad_len;
+
+ cryp.op = EVP_CIPHER_CTX_encrypting(ctx) ? COP_ENCRYPT : COP_DECRYPT;
+
+ if (ioctl(cfd, CIOCAUTHCRYPT, &cryp) == -1) {
+ /*
+ * XXX need better errror handling this can fail for a number of
+ * different reasons.
+ */
+ return 0;
+ }
+
+ if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
+ if (EVP_CIPHER_CTX_encrypting(ctx))
+ iiv = out + len - EVP_CIPHER_CTX_iv_length(ctx);
+ else
+ iiv = save_iv;
+
+ memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iiv,
+ EVP_CIPHER_CTX_iv_length(ctx));
+ }
+ return 1;
+}
+
+static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
+ int arg, void *ptr)
+{
+ switch (type) {
+ case EVP_CTRL_AEAD_SET_MAC_KEY:
+ {
+ /* TODO: what happens with hmac keys larger than 64 bytes? */
+ struct cipher_ctx *state =
+ EVP_CIPHER_CTX_get_cipher_data(ctx);
+ struct session_op *sess = &state->sess;
+
+ /* the rest should have been set in cryptodev_init_aead_key */
+ sess->mackey = ptr;
+ sess->mackeylen = arg;
+ if (ioctl(cfd, CIOCGSESSION, sess) == -1)
+ return 0;
+
+ return 1;
+ }
+ case EVP_CTRL_AEAD_TLS1_AAD:
+ {
+ /* ptr points to the associated data buffer of 13 bytes */
+ struct cipher_ctx *state =
+ EVP_CIPHER_CTX_get_cipher_data(ctx);
+ unsigned char *p = ptr;
+ unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1];
+ unsigned int maclen;
+ unsigned int blocksize = EVP_CIPHER_CTX_block_size(ctx);
+ int ret;
+
+ state->tls_ver = p[arg - 4] << 8 | p[arg - 3];
+ state->aad = ptr;
+ state->aad_len = arg;
+
+ /* TODO: this should be an extension of EVP_CIPHER struct */
+ switch (EVP_CIPHER_CTX_nid(ctx)) {
+ case NID_aes_128_cbc_hmac_sha1:
+ case NID_aes_256_cbc_hmac_sha1:
+ maclen = SHA_DIGEST_LENGTH;
+ break;
+ case NID_aes_128_cbc_hmac_sha256:
+ case NID_aes_256_cbc_hmac_sha256:
+ maclen = SHA256_DIGEST_LENGTH;
+ break;
+ default:
+ /*
+ * Only above 4 supported NIDs are used to enter to this
+ * function. If any other NID reaches this function,
+ * there's a grave coding error further down.
+ */
+ assert("Code that never should be reached" == NULL);
+ return -1;
+ }
+
+ /* space required for encryption (not only TLS padding) */
+ if (EVP_CIPHER_CTX_encrypting(ctx)) {
+ if (state->tls_ver >= TLS1_1_VERSION) {
+ p[arg - 2] = (cryptlen - blocksize) >> 8;
+ p[arg - 1] = (cryptlen - blocksize);
+ }
+ ret = (int)(((cryptlen + maclen +
+ blocksize) & -blocksize) - cryptlen);
+ } else {
+ if (state->tls_ver >= TLS1_1_VERSION) {
+ cryptlen -= blocksize;
+ p[arg - 2] = cryptlen >> 8;
+ p[arg - 1] = cryptlen;
+ }
+ ret = maclen;
+ }
+ state->len = cryptlen;
+ return ret;
+ }
+ default:
+ return -1;
+ }
+}
+
/*
* Following are the three necessary functions to map OpenSSL functionality
* with cryptodev.
@@ -463,6 +672,7 @@ static void prepare_cipher_methods(void)
*/
sess.cipher = cipher_data[i].devcryptoid;
sess.keylen = cipher_data[i].keylen;
+ sess.mackeylen = cipher_data[i].mackeylen;
#ifdef CIOCGSESSION2
/*
@@ -494,6 +704,15 @@ static void prepare_cipher_methods(void)
ctr_do_cipher :
cipher_do_cipher);
+ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1
+ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1
+ || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256
+ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256) {
+ init = cryptodev_init_aead_key;
+ do_cipher = cryptodev_aead_cipher;
+ ctrl = cryptodev_cbc_hmac_sha1_ctrl;
+ flags = cipher_data[i].flags;
+ }
if ((known_cipher_methods[i] =
EVP_CIPHER_meth_new(cipher_data[i].nid,
cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
@@ -538,11 +757,17 @@ static void prepare_cipher_methods(void)
}
#endif /* CIOCGSESSINFO */
}
+
+ if (cipher_data[i].nid == NID_aes_128_cbc_hmac_sha1
+ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha1
+ || cipher_data[i].nid == NID_aes_128_cbc_hmac_sha256
+ || cipher_data[i].nid == NID_aes_256_cbc_hmac_sha256)
+ EVP_add_cipher(known_cipher_methods[i]);
+
ioctl(cfd, CIOCFSESSION, &sess.ses);
- if (devcrypto_test_cipher(i)) {
+ if (devcrypto_test_cipher(i))
known_cipher_nids[known_cipher_nids_amount++] =
cipher_data[i].nid;
- }
}
}

70
meta-digi-dey/recipes-connectivity/openssl/openssl/0003-Set-algorithm-id-before-generating-the-EC-key.patch Normal file
View File

@ -0,0 +1,70 @@
From 27e4bd35a42287248bd5253836c265dd555b1ee2 Mon Sep 17 00:00:00 2001
From: Ilie Halip <ilie.halip@nxp.com>
Date: Wed, 10 Sep 2025 08:46:50 +0200
Subject: [PATCH] [PATCH] Set "algorithm-id" before generating the EC key.
Upstream-Status: Pending
Signed-off-by: Ilie Halip <ilie.halip@nxp.com>
---
ssl/s3_lib.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index d6ed169f39..68938bb8fb 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4742,6 +4742,30 @@ int ssl_generate_master_secret(SSL_CONNECTION *s, unsigned char *pms,
return ret;
}
+void ssl_generate_set_pkey_alg(SSL_CONNECTION *s, EVP_PKEY_CTX *pctx)
+{
+ const char *alg = NULL;
+ OSSL_PARAM algparams[2] = { 0 };
+
+ switch (s->version) {
+ case TLS1_2_VERSION:
+ alg = "tls1.2";
+ break;
+ case TLS1_3_VERSION:
+ alg = "tls1.3";
+ break;
+ }
+
+ if (alg) {
+ algparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_ALGORITHM_ID,
+ (char *)alg, 0);
+ algparams[1] = OSSL_PARAM_construct_end();
+
+ /* intentionally ignore the result */
+ EVP_PKEY_CTX_set_params(pctx, algparams);
+ }
+}
+
/* Generate a private key from parameters */
EVP_PKEY *ssl_generate_pkey(SSL_CONNECTION *s, EVP_PKEY *pm)
{
@@ -4756,6 +4780,9 @@ EVP_PKEY *ssl_generate_pkey(SSL_CONNECTION *s, EVP_PKEY *pm)
goto err;
if (EVP_PKEY_keygen_init(pctx) <= 0)
goto err;
+
+ ssl_generate_set_pkey_alg(s, pctx);
+
if (EVP_PKEY_keygen(pctx, &pkey) <= 0) {
EVP_PKEY_free(pkey);
pkey = NULL;
@@ -4794,6 +4821,9 @@ EVP_PKEY *ssl_generate_pkey_group(SSL_CONNECTION *s, uint16_t id)
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
goto err;
}
+
+ ssl_generate_set_pkey_alg(s, pctx);
+
if (EVP_PKEY_keygen(pctx, &pkey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
EVP_PKEY_free(pkey);
--
2.43.0

267
meta-digi-dey/recipes-connectivity/openssl/openssl/0004-Amend-the-design-of-AlgorithmIdentifier-parameter-pa.patch Normal file
View File

@ -0,0 +1,267 @@
From 284653acb6df4d68e276d4515a45ccd50ff54eab Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Thu, 25 Jul 2024 11:56:13 +0200
Subject: [PATCH] Amend the design of AlgorithmIdentifier parameter passing
I realised that any application that passes AlgorithmIdentifier parameters
to and from a provider may also be interested in the full AlgorithmIdentifier
of the implementation invocation.
Likewise, any application that wants to get the full AlgorithmIdentifier
from an implementation invocation may also want to pass AlgorithmIdentifier
parameters to that same implementation invocation.
These amendments should be useful to cover all intended uses of the legacy
ctrls for PKCS7 and CMS:
- EVP_PKEY_CTRL_PKCS7_ENCRYPT
- EVP_PKEY_CTRL_PKCS7_DECRYPT
- EVP_PKEY_CTRL_PKCS7_SIGN
- EVP_PKEY_CTRL_CMS_ENCRYPT
- EVP_PKEY_CTRL_CMS_DECRYPT
- EVP_PKEY_CTRL_CMS_SIGN
It should also cover a number of other cases that were previously implemented
through EVP_PKEY_ASN1_METHOD, as well as all sorts of other cases where the
application has had to assemble a X509_ALGOR on their own.
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/0941666728c44d701496004ebd5bf96ac7b715fb]
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)
---
.../passing-algorithmidentifier-parameters.md | 65 ++++++++++++-------
doc/man3/EVP_EncryptInit.pod | 19 ++++--
util/perl/OpenSSL/paramnames.pm | 57 ++++++++++++----
3 files changed, 101 insertions(+), 40 deletions(-)
diff --git a/doc/designs/passing-algorithmidentifier-parameters.md b/doc/designs/passing-algorithmidentifier-parameters.md
index bb3821e337..f33862e45e 100644
--- a/doc/designs/passing-algorithmidentifier-parameters.md
+++ b/doc/designs/passing-algorithmidentifier-parameters.md
@@ -1,11 +1,13 @@
-Passing AlgorithmIdentifier parameters to operations
-====================================================
+Handling AlgorithmIdentifier and its parameters with provider operations
+========================================================================
Quick background
----------------
We currently only support passing the AlgorithmIdentifier (`X509_ALGOR`)
-parameter field to symmetric cipher provider implementations.
+parameter field to symmetric cipher provider implementations. We currently
+only support getting full AlgorithmIdentifier (`X509_ALGOR`) from signature
+provider implementations.
We do support passing them to legacy implementations of other types of
operation algorithms as well, but it's done in a way that can't be supported
@@ -15,18 +17,30 @@ libcrypto and the backend implementation.
For a longer background and explanation, see
[Background / tl;dr](#background-tldr) at the end of this design.
-Establish an OSSL_PARAM key that any algorithms may become aware of
--------------------------------------------------------------------
+Establish OSSL_PARAM keys that any algorithms may become aware of
+-----------------------------------------------------------------
-We already have a parameter key, but it's currently only specified for
-`EVP_CIPHER`, in support of `EVP_CIPHER_param_to_asn1()` and
-`EVP_CIPHER_asn1_to_param()`.
+We already have known parameter keys:
-"alg_id_param", also known as the macro `OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS`
+- "algor_id_param", also known as the macro `OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS`.
-This parameter can be used in the exact same manner with other operations,
-with the value of the AlgorithmIdentifier parameter as an octet string, to
-be interpreted by the implementations in whatever way they see fit.
+ This is currently only specified for `EVP_CIPHER`, in support of
+ `EVP_CIPHER_param_to_asn1()` and `EVP_CIPHER_asn1_to_param()`
+
+- "algorithm-id", also known as the macro `OSSL_SIGNATURE_PARAM_ALGORITHM_ID`.
+
+This design proposes:
+
+1. Adding a parameter key "algorithm-id-params", to replace "algor_id_param",
+ and deprecate the latter.
+2. Making both "algorithm-id" and "algorithm-id-params" generically available,
+ rather than only tied to `EVP_SIGNATURE` ("algorithm-id") or `EVP_CIPHER`
+ ("algor_id_param").
+
+This way, these parameters can be used in the exact same manner with other
+operations, with the value of the AlgorithmIdentifier as well as its
+parameters as octet strings, to be used and interpreted by applications and
+provider implementations alike in whatever way they see fit.
Applications can choose to add these in an `OSSL_PARAM` array, to be passed
with the multitude of initialization functions that take such an array, or
@@ -34,7 +48,7 @@ using specific operation `OSSL_PARAM` setters and getters (such as
`EVP_PKEY_CTX_set_params`), or using other available convenience functions
(see below).
-This parameter will have to be documented in the following files:
+These parameter will have to be documented in the following files:
- `doc/man7/provider-asym_cipher.pod`
- `doc/man7/provider-cipher.pod`
@@ -67,20 +81,25 @@ such parameter data from them.
* These two would essentially be aliases for EVP_CIPHER_param_to_asn1()
* and EVP_CIPHER_asn1_to_param().
*/
-EVP_CIPHER_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
-EVP_CIPHER_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
+EVP_CIPHER_CTX_set_algor_params(EVP_CIPHER_CTX *ctx, const X509_ALGOR *alg);
+EVP_CIPHER_CTX_get_algor_params(EVP_CIPHER_CTX *ctx, X509_ALGOR *alg);
+EVP_CIPHER_CTX_get_algor(EVP_CIPHER_CTX *ctx, X509_ALGOR **alg);
-EVP_MD_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
-EVP_MD_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
+EVP_MD_CTX_set_algor_params(EVP_MD_CTX *ctx, const X509_ALGOR *alg);
+EVP_MD_CTX_get_algor_params(EVP_MD_CTX *ctx, X509_ALGOR *alg);
+EVP_MD_CTX_get_algor(EVP_MD_CTX *ctx, X509_ALGOR **alg);
-EVP_MAC_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
-EVP_MAC_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
+EVP_MAC_CTX_set_algor_params(EVP_MAC_CTX *ctx, const X509_ALGOR *alg);
+EVP_MAC_CTX_get_algor_params(EVP_MAC_CTX *ctx, X509_ALGOR *alg);
+EVP_MAC_CTX_get_algor(EVP_MAC_CTX *ctx, X509_ALGOR **alg);
-EVP_KDF_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
-EVP_KDF_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
+EVP_KDF_CTX_set_algor_params(EVP_KDF_CTX *ctx, const X509_ALGOR *alg);
+EVP_KDF_CTX_get_algor_params(EVP_KDF_CTX *ctx, X509_ALGOR *alg);
+EVP_KDF_CTX_get_algor(EVP_KDF_CTX *ctx, X509_ALGOR **alg);
-EVP_PKEY_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
-EVP_PKEY_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
+EVP_PKEY_CTX_set_algor_params(EVP_PKEY_CTX *ctx, const X509_ALGOR *alg);
+EVP_PKEY_CTX_get_algor_params(EVP_PKEY_CTX *ctx, X509_ALGOR *alg);
+EVP_PKEY_CTX_get_algor(EVP_PKEY_CTX *ctx, X509_ALGOR **alg);
```
Note that all might not need to be added immediately, depending on if they
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index 45c3cb062c..648dc60853 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -770,12 +770,23 @@ The length of the "keybits" parameter should not exceed that of a B<size_t>.
Gets or sets the number of rounds to be used for a cipher.
This is used by the RC5 cipher.
-=item "alg_id_param" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string>
+=item "algorithm-id" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID>) <octet string>
+
+Used to get the DER encoded AlgorithmIdentifier from the cipher
+implementation. Functions like L<EVP_PKEY_CTX_get_algor(3)> use this
+parameter.
+
+=item "algorithm-id-params" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string>
Used to pass the DER encoded AlgorithmIdentifier parameter to or from
-the cipher implementation. Functions like L<EVP_CIPHER_param_to_asn1(3)>
-and L<EVP_CIPHER_asn1_to_param(3)> use this parameter for any implementation
-that has the flag B<EVP_CIPH_FLAG_CUSTOM_ASN1> set.
+the cipher implementation.
+Functions like L<EVP_CIPHER_CTX_set_algor_params(3)> and
+L<EVP_CIPHER_CTX_get_algor_params(3)> use this parameter.
+
+=item "alg_id_params" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD>) <octet string>
+
+An deprecated alias for "algorithm-id-params", only used by
+L<EVP_CIPHER_param_to_asn1(3)> and L<EVP_CIPHER_asn1_to_param(3)>.
=item "cts_mode" (B<OSSL_CIPHER_PARAM_CTS_MODE>) <UTF8 string>
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index bfa75f760c..8c70a594b9 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -68,6 +68,16 @@ my %params = (
'ALG_PARAM_MAC' => "mac", # utf8_string
'ALG_PARAM_PROPERTIES' => "properties", # utf8_string
+ # For any operation that deals with AlgorithmIdentifier, they should
+ # implement both of these.
+ # ALG_PARAM_ALGORITHM_ID is intended to be gettable, and is the
+ # implementation's idea of what its full AlgID should look like.
+ # ALG_PARAM_ALGORITHM_ID_PARAMS is intended to be both settable
+ # and gettable, to allow the calling application to pass or get
+ # AlgID parameters to and from the provided implementation.
+ 'ALG_PARAM_ALGORITHM_ID' => "algorithm-id", # octet_string (DER)
+ 'ALG_PARAM_ALGORITHM_ID_PARAMS' => "algorithm-id-params", # octet_string
+
# cipher parameters
'CIPHER_PARAM_PADDING' => "padding", # uint
'CIPHER_PARAM_USE_BITS' => "use-bits", # uint
@@ -100,8 +110,16 @@ my %params = (
'CIPHER_PARAM_RC2_KEYBITS' => "keybits", # size_t
'CIPHER_PARAM_SPEED' => "speed", # uint
'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string
-# For passing the AlgorithmIdentifier parameter in DER form
- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
+ 'CIPHER_PARAM_DECRYPT_ONLY' => "decrypt-only", # int, 0 or 1
+ 'CIPHER_PARAM_FIPS_ENCRYPT_CHECK' => "encrypt-check", # int
+ 'CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+ 'CIPHER_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID',
+ # Historically, CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD was used. For the
+ # time being, the old libcrypto functions will use both, so old providers
+ # continue to work.
+ # New providers are encouraged to use CIPHER_PARAM_ALGORITHM_ID_PARAMS.
+ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => '*ALG_PARAM_ALGORITHM_ID_PARAMS',
+ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD' => "alg_id_param", # octet_string
'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint
@@ -250,6 +268,10 @@ my %params = (
# it for API stability, but please use ASYM_CIPHER_PARAM_IMPLICIT_REJECTION
# instead.
'PKEY_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
+ 'PKEY_PARAM_FIPS_DIGEST_CHECK' => "digest-check",
+ 'PKEY_PARAM_FIPS_KEY_CHECK' => "key-check",
+ 'PKEY_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID',
+ 'PKEY_PARAM_ALGORITHM_ID_PARAMS' => '*ALG_PARAM_ALGORITHM_ID_PARAMS',
# Diffie-Hellman/DSA Parameters
'PKEY_PARAM_FFC_P' => "p",
@@ -378,17 +400,26 @@ my %params = (
'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm",
# Signature parameters
- 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id",
- 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
- 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
- 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
- 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
- 'SIGNATURE_PARAM_INSTANCE' => "instance",
- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
+ 'SIGNATURE_PARAM_ALGORITHM_ID' => '*PKEY_PARAM_ALGORITHM_ID',
+ 'SIGNATURE_PARAM_ALGORITHM_ID_PARAMS' => '*PKEY_PARAM_ALGORITHM_ID_PARAMS',
+ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
+ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
+ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
+ 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
+ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
+ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
+ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
+ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
+ 'SIGNATURE_PARAM_INSTANCE' => "instance",
+ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
+ 'SIGNATURE_PARAM_FIPS_DIGEST_CHECK' => '*PKEY_PARAM_FIPS_DIGEST_CHECK',
+ 'SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE' => 'verify-message',
+ 'SIGNATURE_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
+ 'SIGNATURE_PARAM_FIPS_SIGN_CHECK' => '*PKEY_PARAM_FIPS_SIGN_CHECK',
+ 'SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK' => "rsa-pss-saltlen-check",
+ 'SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK' => "sign-x931-pad-check",
+ 'SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+ 'SIGNATURE_PARAM_SIGNATURE' => "signature",
# Asym cipher parameters
'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
--
2.43.0

34
meta-digi-dey/recipes-connectivity/openssl/openssl/openssl-3.0-add-Kernel-TLS-configuration.patch Normal file
View File

@ -0,0 +1,34 @@
From 24254454e5f5fc503b5e4cc1fa8c6d9b1a3ae9ba Mon Sep 17 00:00:00 2001
From: Gaurav Jain <gaurav.jain@nxp.com>
Date: Wed, 19 Jan 2022 15:45:29 +0530
Subject: [PATCH] openssl 3.0: add Kernel TLS configuration
Upstream-Status: Inappropriate [i.MX, Layerscape specific]
Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
---
apps/openssl.cnf | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 03330e0120..ec18df388e 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -30,6 +30,15 @@ oid_section = new_oids
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
+[ openssl_init ]
+ssl_conf = ssl_configuration
+
+[ ssl_configuration ]
+ktls = ktls_conf
+
+[ ktls_conf ]
+Options = KTLS
+
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
--
2.25.1

13
meta-digi-dey/recipes-connectivity/openssl/openssl_%.bbappend
View File

@ -1,3 +1,14 @@
# Copyright (C) 2022, Digi International Inc. # Copyright (C) 2022,2026 Digi International Inc.
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://openssl-3.0-add-Kernel-TLS-configuration.patch \
file://0001-e_devcrypto-add-func-ptr-for-init-do-ctrl.patch \
file://0002-e_devcrypto-add-support-for-TLS1.2-algorithms-offloa.patch \
file://0003-Set-algorithm-id-before-generating-the-EC-key.patch \
file://0004-Amend-the-design-of-AlgorithmIdentifier-parameter-pa.patch"
PACKAGECONFIG:append:imx-nxp-bsp = " cryptodev-linux"
EXTRA_OECONF:append = " enable-ktls"
EXTRA_OECONF:append = " enable-weak-ssl-ciphers" EXTRA_OECONF:append = " enable-weak-ssl-ciphers"