recipes-digi: add cryptoauth-openssl-engine

https://jira.digi.com/browse/DEL-5592 Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
2018-05-07 12:23:36 +02:00 · 2018-05-07 12:23:36 +02:00 · d08f067e12
parent 7f58541f9a
commit d08f067e12
5 changed files with 300 additions and 1 deletions
--- a/meta-digi-arm/conf/machine/ccimx6qpsbc.conf
+++ b/meta-digi-arm/conf/machine/ccimx6qpsbc.conf
@ -11,7 +11,10 @@ WIRELESS_MODULE_append = " ${@base_conditional('HAVE_WIFI', '1', 'kernel-module-
 # Wireless p2p interface
 WLAN_P2P_INTERFACE ?= "p2p0"

-MACHINE_EXTRA_RRECOMMENDS += "cryptoauthlib"
+MACHINE_EXTRA_RRECOMMENDS += " \
+    cryptoauthlib \
+    cryptoauth-openssl-engine \
+"

 # Firmware
 MACHINE_FIRMWARE_append = " ${@base_conditional('HAVE_BT', '1', 'firmware-qualcomm-qca6564-bt', '', d)}"
--- a/meta-digi-arm/conf/machine/include/ccimx6ul.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx6ul.inc
@ -35,6 +35,7 @@ MACHINE_EXTRA_RRECOMMENDS += " \
    ${@bb.utils.contains('DISTRO_FEATURES', 'alsa', 'imx-alsa-plugins', '', d)} \
    cryptoauthlib \
    cryptodev-module \
+    cryptoauth-openssl-engine \
 "

 MACHINE_FEATURES += "wifi bluetooth"
--- a/meta-digi-arm/custom-licenses/MICROCHIP_ENGINE_LICENSE
+++ b/meta-digi-arm/custom-licenses/MICROCHIP_ENGINE_LICENSE
@ -0,0 +1,30 @@
+Copyright (c) 2017 Microchip Technology Inc. and its subsidiaries (Microchip). All rights reserved.
+
+You are permitted to use this software and its derivatives with Microchip
+products. Redistribution and use in source and binary forms, with or without
+modification, is permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+   this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. The name of Microchip may not be used to endorse or promote products derived
+   from this software without specific prior written permission.
+
+4. This software may only be redistributed and used in connection with a
+   Microchip integrated circuit.
+
+THIS SOFTWARE IS PROVIDED BY MICROCHIP "AS IS" AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE
+EXPRESSLY AND SPECIFICALLY DISCLAIMED. IN NO EVENT SHALL MICROCHIP BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
--- a/meta-digi-dey/recipes-digi/cryptoauth-openssl-engine/cryptoauth-openssl-engine/0001-Digi-modifications-to-the-cryptoauth-OpenSSL-engine.patch
+++ b/meta-digi-dey/recipes-digi/cryptoauth-openssl-engine/cryptoauth-openssl-engine/0001-Digi-modifications-to-the-cryptoauth-OpenSSL-engine.patch
@ -0,0 +1,228 @@
+From: Gabriel Valcazar <gabriel.valcazar@digi.com>
+Date: Fri, 27 Apr 2018 13:24:49 +0200
+Subject: [PATCH] Digi modifications to the cryptoauth OpenSSL engine
+
+https://jira.digi.com/browse/DEL-5592
+
+Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
+---
+ Makefile                                      |  1 +
+ cryptoauthlib/Makefile                        | 40 +++++++++++++++------------
+ cryptoauthlib/lib/atca_cfgs.c                 | 16 +++++++++--
+ cryptoauthlib/lib/openssl/eccx08_eckey_meth.c | 16 +++++------
+ cryptoauthlib/lib/openssl/eccx08_engine.h     |  4 +++
+ 5 files changed, 49 insertions(+), 28 deletions(-)
+ create mode 100644 Makefile
+
+diff --git a/Makefile b/Makefile
+new file mode 100644
+index 0000000..3025439
+--- /dev/null
+++ b/Makefile
+@@ -0,0 +1 @@
+include cryptoauthlib/Makefile
+diff --git a/cryptoauthlib/Makefile b/cryptoauthlib/Makefile
+index 399db53..b2596bb 100644
+--- a/cryptoauthlib/Makefile
+++ b/cryptoauthlib/Makefile
+@@ -1,8 +1,11 @@
+ .PHONY: all libcryptoauth libateccssl libpkcs11 dist install clean
+ 
+-OPTIONS := ATCAPRINTF ATCA_HAL_KIT_CDC ENGINE_DYNAMIC_SUPPORT USE_ECCX08 ECC_DEBUG
+OPTIONS := ATCAPRINTF ATCA_HAL_I2C ENGINE_DYNAMIC_SUPPORT USE_ECCX08 ECC_DEBUG
+ 
+-SYSTEM_INCLUDES := /usr/include
+SYSTEM_INCLUDES := $(DESTDIR)/usr/include
+
+TARGET_ARCH = Linux
+TARGET_HAL = I2C
+ 
+ # Check platform
+ ifeq ($(OS),Windows_NT)
+@@ -38,7 +41,7 @@ endif
+ endif
+ 
+ ifeq ($(uname_S),Linux)
+-CFLAGS += -g -O1 -m64 -Wall -fPIC $(addprefix -D,$(OPTIONS))
+CFLAGS += -g -O1 -Wall -fPIC $(addprefix -D,$(OPTIONS))
+ TARGET_ARCH := Linux
+ endif
+ #    ifeq ($(uname_S),Darwin)
+@@ -55,32 +58,32 @@ endif
+ #        CCFLAGS += -D ARM
+ #    endif
+ 
+-OPENSSLDIR = /usr/include/openssl
+OPENSSLDIR = $(DESTDIR)/usr/include/openssl
+ 
+-OUTDIR := $(abspath .build)
+OUTDIR := $(abspath cryptoauthlib/.build)
+ 
+ DEPFLAGS = -MT $@ -MMD -MP -MF $(OUTDIR)/$*.d
+ ARFLAGS = rcs
+ 
+ 
+ # Wildcard all the sources and headers
+-SOURCES := $(call FIND,lib,*.c)
+-INCLUDE := $(sort $(dir $(call FIND, lib, *.h)))
+SOURCES := $(call FIND,cryptoauthlib/lib,*.c)
+INCLUDE := $(sort $(dir $(call FIND, cryptoauthlib/lib, *.h)))
+ 
+ # Gather OpenSSL Engine objects
+-LIBATECCSSL_OBJECTS := $(filter $(abspath lib/openssl)/%, $(SOURCES))
+LIBATECCSSL_OBJECTS := $(filter $(abspath cryptoauthlib/lib/openssl)/%, $(SOURCES))
+ # Example if statically linking in the certificate definition
+ #LIBATECCSSL_OBJECTS += cert_def_1_signer.c cert_def_2_signer.c
+ LIBATECCSSL_OBJECTS := $(addprefix $(OUTDIR)/,$(notdir $(LIBATECCSSL_OBJECTS:.c=.o)))
+ 
+ # Gather PKCS11 Objects
+-LIBPKCS11_OBJECTS := $(filter $(abspath lib/pkcs11)/%, $(SOURCES))
+LIBPKCS11_OBJECTS := $(filter $(abspath cryptoauthlib/lib/pkcs11)/%, $(SOURCES))
+ LIBPKCS11_OBJECTS := $(addprefix $(OUTDIR)/,$(notdir $(LIBPKCS11_OBJECTS:.c=.o)))
+ 
+ # Gather libcryptoauth objects
+-LIBCRYPTOAUTH_OBJECTS := $(filter-out $(abspath lib/hal)/%, $(SOURCES))
+-LIBCRYPTOAUTH_OBJECTS := $(filter-out $(abspath lib/pkcs11)/%, $(LIBCRYPTOAUTH_OBJECTS))
+-LIBCRYPTOAUTH_OBJECTS := $(filter-out $(abspath lib/openssl)/%, $(LIBCRYPTOAUTH_OBJECTS))
+LIBCRYPTOAUTH_OBJECTS := $(filter-out $(abspath cryptoauthlib/lib/hal)/%, $(SOURCES))
+LIBCRYPTOAUTH_OBJECTS := $(filter-out $(abspath cryptoauthlib/lib/pkcs11)/%, $(LIBCRYPTOAUTH_OBJECTS))
+LIBCRYPTOAUTH_OBJECTS := $(filter-out $(abspath cryptoauthlib/lib/openssl)/%, $(LIBCRYPTOAUTH_OBJECTS))
+ LIBCRYPTOAUTH_OBJECTS += atca_hal.c
+ 
+ ifeq ($(TARGET_ARCH),Windows)
+@@ -101,9 +104,9 @@ LIBCRYPTOAUTH_OBJECTS += hal_linux_kit_cdc.c kit_protocol.c
+ endif
+ endif
+ 
+-TEST_SOURCES := $(call FIND,test,*.c)
+TEST_SOURCES := $(call FIND,cryptoauthlib/test,*.c)
+ #TEST_INCLUDE := $(sort $(dir $(call FIND, test, *.h)))
+-TEST_INCLUDE := $(abspath .)
+TEST_INCLUDE := $(abspath cryptoauthlib/.)
+ TEST_OBJECTS := $(addprefix $(OUTDIR)/,$(notdir $(TEST_SOURCES:.c=.o)))
+ 
+ LIBCRYPTOAUTH_OBJECTS := $(addprefix $(OUTDIR)/,$(notdir $(LIBCRYPTOAUTH_OBJECTS:.c=.o)))
+@@ -126,7 +129,7 @@ $(OUTDIR)/libcryptoauth.a: $(LIBCRYPTOAUTH_OBJECTS) | $(OUTDIR)
+ 	$(AR) $(ARFLAGS) $@ $(LIBCRYPTOAUTH_OBJECTS)
+ 
+ $(OUTDIR)/libateccssl.so: $(LIBATECCSSL_OBJECTS) $(LIBCRYPTOAUTH_OBJECTS) | $(OUTDIR)
+-	$(LD) -dll -shared $(LIBATECCSSL_OBJECTS) $(LIBCRYPTOAUTH_OBJECTS) -o $@ -lcrypto -lrt
+	$(CC) -dll -shared $(LIBATECCSSL_OBJECTS) $(LIBCRYPTOAUTH_OBJECTS) -o $@ -lcrypto -lrt
+ 
+ $(OUTDIR)/test: $(OUTDIR)/libateccssl.so $(TEST_OBJECTS) | $(OUTDIR)
+ 	$(CC) -o $@ $(TEST_OBJECTS) -L$(OUTDIR) -lateccssl -lcrypto -lssl
+@@ -142,7 +145,10 @@ libcryptoauth: $(OUTDIR)/libcryptoauth.a | $(OUTDIR)
+ all: $(LIBCRYPTOAUTH_OBJECTS) $(LIBATECCSSL_OBJECTS) $(LIBPKCS11_OBJECTS) | $(OUTDIR)
+ 
+ test: $(OUTDIR)/test | $(OUTDIR)
+-	env LD_LIBRARY_PATH=$(OUTDIR) $(OUTDIR)/test
+
+install: libateccssl | $(OUTDIR)
+	install -d $(DESTDIR)/usr/lib/ssl/engines
+	install -m 0755 $(OUTDIR)/libateccssl.so $(DESTDIR)/usr/lib/ssl/engines
+ 
+ clean:
+-	rm -r $(OUTDIR)
+	rm -rf $(OUTDIR)
+diff --git a/cryptoauthlib/lib/atca_cfgs.c b/cryptoauthlib/lib/atca_cfgs.c
+index a8f6b68..5775f91 100644
+--- a/cryptoauthlib/lib/atca_cfgs.c
+++ b/cryptoauthlib/lib/atca_cfgs.c
+@@ -47,14 +47,24 @@
+ 
+ /* if the number of these configurations grows large, we can #ifdef them based on required device support */
+ 
+/* Default I2C configuration */
+#ifndef ATCA_HAL_I2C_BUS
+#define ATCA_HAL_I2C_BUS 0
+#warning "Using default value for ATCA_HAL_I2C_BUS: 0"
+#endif
+
+#ifndef ATCA_HAL_I2C_SPEED
+#define ATCA_HAL_I2C_SPEED 400000
+#warning "Using default value for ATCA_HAL_I2C_SPEED: 400000"
+#endif
+
+ /** \brief default configuration for an ECCx08A device */
+ ATCAIfaceCfg cfg_ateccx08a_i2c_default = {
+     .iface_type             = ATCA_I2C_IFACE,
+     .devtype                = ATECC508A,
+     .atcai2c.slave_address  = 0xC0,
+-    .atcai2c.bus            = 2,
+-    .atcai2c.baud           = 400000,
+-    //.atcai2c.baud = 100000,
+    .atcai2c.bus            = ATCA_HAL_I2C_BUS,
+    .atcai2c.baud           = ATCA_HAL_I2C_SPEED,
+     .wake_delay             = 1500,
+     .rx_retries             = 20
+ };
+diff --git a/cryptoauthlib/lib/openssl/eccx08_eckey_meth.c b/cryptoauthlib/lib/openssl/eccx08_eckey_meth.c
+index a857a92..f79a98f 100644
+--- a/cryptoauthlib/lib/openssl/eccx08_eckey_meth.c
+++ b/cryptoauthlib/lib/openssl/eccx08_eckey_meth.c
+@@ -818,7 +818,7 @@ int eccx08_pmeth_selector(ENGINE *e, EVP_PKEY_METHOD **pkey_meth,
+ #if ATCA_OPENSSL_OLD_API
+ /* These are from the OpenSSL 1.1.x API */
+ 
+-static void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth, 
+static void ECCX08_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth,
+     int(**pinit) (EVP_PKEY_CTX *ctx))
+ {
+     if (pmeth && pinit)
+@@ -827,7 +827,7 @@ static void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth,
+     }
+ }
+ 
+-static void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth,
+static void ECCX08_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth,
+     int(**pkeygen_init) (EVP_PKEY_CTX *ctx),
+     int(**pkeygen) (EVP_PKEY_CTX *ctx,
+         EVP_PKEY *pkey))
+@@ -845,7 +845,7 @@ static void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth,
+     }
+ }
+ 
+-static void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
+static void ECCX08_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
+     int(**psign_init) (EVP_PKEY_CTX *ctx),
+     int(**psign) (EVP_PKEY_CTX *ctx,
+         unsigned char *sig, size_t *siglen,
+@@ -865,7 +865,7 @@ static void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
+     }
+ }
+ 
+-static void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth,
+static void ECCX08_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth,
+     int(**pderive_init) (EVP_PKEY_CTX *ctx),
+     int(**pderive) (EVP_PKEY_CTX *ctx,
+         unsigned char *key,
+@@ -951,10 +951,10 @@ int eccx08_pkey_meth_init(void)
+     EVP_PKEY_meth_copy(eccx08_pkey_meth, defaults);
+ 
+     /* Retain default methods we'll be replacing */
+-    EVP_PKEY_meth_get_init(defaults, &eccx08_pkey_def_f.init);
+-    EVP_PKEY_meth_get_keygen(defaults, &eccx08_pkey_def_f.keygen_init, &eccx08_pkey_def_f.keygen);
+-    EVP_PKEY_meth_get_sign(defaults, &eccx08_pkey_def_f.sign_init, &eccx08_pkey_def_f.sign);
+-    EVP_PKEY_meth_get_derive(defaults, &eccx08_pkey_def_f.derive_init, &eccx08_pkey_def_f.derive);
+    ECCX08_PKEY_meth_get_init(defaults, &eccx08_pkey_def_f.init);
+    ECCX08_PKEY_meth_get_keygen(defaults, &eccx08_pkey_def_f.keygen_init, &eccx08_pkey_def_f.keygen);
+    ECCX08_PKEY_meth_get_sign(defaults, &eccx08_pkey_def_f.sign_init, &eccx08_pkey_def_f.sign);
+    ECCX08_PKEY_meth_get_derive(defaults, &eccx08_pkey_def_f.derive_init, &eccx08_pkey_def_f.derive);
+ 
+     /* Replace those we need to intercept */
+     EVP_PKEY_meth_set_init(eccx08_pkey_meth, eccx08_pkey_ec_init);
+diff --git a/cryptoauthlib/lib/openssl/eccx08_engine.h b/cryptoauthlib/lib/openssl/eccx08_engine.h
+index 0df331f..90f9673 100644
+--- a/cryptoauthlib/lib/openssl/eccx08_engine.h
+++ b/cryptoauthlib/lib/openssl/eccx08_engine.h
+@@ -52,6 +52,10 @@
+ 
+ /* Configuration options */
+ 
+#define ATCA_OPENSSL_ENGINE_STATIC_CONFIG       (0)
+#define ATCA_OPENSSL_ENGINE_ENABLE_RAND         (1)
+#define ATCA_OPENSSL_ENGINE_ENABLE_SHA256       (1)
+
+ /** \brief Advertize RNG to OpenSSL*/
+ #ifndef ATCA_OPENSSL_ENGINE_ENABLE_RAND
+ #define ATCA_OPENSSL_ENGINE_ENABLE_RAND         (0)
--- a/meta-digi-dey/recipes-digi/cryptoauth-openssl-engine/cryptoauth-openssl-engine_git.bb
+++ b/meta-digi-dey/recipes-digi/cryptoauth-openssl-engine/cryptoauth-openssl-engine_git.bb
@ -0,0 +1,37 @@
+# Copyright (C) 2018 Digi International Inc.
+
+SUMMARY = "Microchip CryptoAuthentication OpenSSL engine"
+SECTION = "libs"
+LICENSE = "MICROCHIP_ENGINE_LICENSE"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3fdaa96f37898a0641820700bbf5f7b8"
+
+SRCBRANCH = "master"
+SRCREV = "a69a4f92af6bee9cb13035c2f859912744796380"
+
+GIT_URI ?= "git://github.com/MicrochipTech/cryptoauth-openssl-engine.git;protocol=git"
+
+SRC_URI = " \
+    ${GIT_URI};nobranch=1 \
+    file://0001-Digi-modifications-to-the-cryptoauth-OpenSSL-engine.patch \
+"
+
+S = "${WORKDIR}/git"
+
+I2C_BUS ?= "0"
+I2C_BUS_ccimx6qpsbc = "1"
+
+I2C_SPEED ?= "100000"
+
+CFLAGS += "-DATCA_HAL_I2C_BUS=${I2C_BUS} -DATCA_HAL_I2C_SPEED=${I2C_SPEED}"
+
+do_install() {
+	oe_runmake DESTDIR=${D} install
+}
+
+DEPENDS += "openssl"
+
+TARGET_CC_ARCH += "${LDFLAGS}"
+FILES_${PN} += "${libdir}/ssl/engines/libateccssl.so"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+COMPATIBLE_MACHINE = "(ccimx6qpsbc|ccimx6ul)"