Openssl #93
Openssl #93
Conversation
|
Looks good as far as I can tell. I'd like to go through it once more after all the new commits has been squashed in where they belong. |
|
Same for me. I've also asked Hervé Sibert to check about the licenses of the new added On 31 October 2014 07:42, Jens Wiklander notifications@github.com wrote:
|
|
OK, thanks to you both for the review. I am going to rebase the branch, merging the review patches with the previous ones where they belong. |
|
Yes, testing openssl compilation is good. On 31 October 2014 08:58, Jérôme Forissier notifications@github.com wrote:
|
|
HI, I have looked at the license. It's almost fine, but I see some problems. It’s mainly BSD but it adds some conditions, like “Redistributions of any form whatsoever must retain the following We should not get forced into that because of SW that in fact is not used by default, so I would much prefer that OP-TEE does not have to include OpenSSL SW. Is there a way to keep OP-TEE free from OpenSSL code? (it's not really good advertizing for security SW to include OpenSSL at this time :)) People who would want to replace LTC with OpenSSL and distribute OP-TEE with it would then have to fulfill the OpenSSL license but we, on the OP-TEE repository, would not. Moreover, including OpenSSL in OP-TEE would also raise the question of which OpenSSL version to incorporate, how to manage evolutions (as OpenSSL is evolving frequently), and I don't think we want to do that. And the option of including a given version that probably has many vulnerabilities and leaving it as is is not good either. All in all we should keep only the wrapper layers and the additional OpenSSL-supporting functions in OP-TEE. |
|
I guess one of the problems we have here is that we would like to show The main idea with this work package was to loosen up the hard Hervé's comment about keeping up-to-date with latest OpenSSL is indeed a Regards, |
|
On Fri, Oct 31, 2014 at 1:02 PM, Herve Sibert notifications@github.com
IANAL, but I think it would be enough to keep the LICENSE file in the
|
|
New, consolidated patch series pushed. All review comments have hopefully been addressed. |
|
Hi, I think Joakim's proposal to merge only the first patch is good as it allows to keep the main branch free of OpenSSL stuff.
By doing so, the openSSL branch will stay a proof-of-concept that we do not have to maintain and that can help those who are willing to re-integrate the latest OpenSSL version (or the latest revision of the same version). In the documentation for the main branch, we should just mention the existence of the openssl branch that integrates a given version of the openssl crypto lib instead of LTC, without further details. The details should be in the branch's documentation files so there is no doubt with the license terms. |
|
+1. What about jforissier@befcf6a It could be good to have them in the master branch. Regards, On 1 November 2014 01:08, Herve Sibert notifications@github.com wrote:
|
|
On Mon, Nov 3, 2014 at 8:27 AM, Pascal Brand (dev) <notifications@github.com
Agreed. The first one for instance may be helpful soon, when we make |
|
+1, yes let’s integrate these patches as well. Thank you Jérôme and Pascal ☺ From: Jérôme Forissier [mailto:notifications@github.com] On Mon, Nov 3, 2014 at 8:27 AM, Pascal Brand (dev) <notifications@github.com
Agreed. The first one for instance may be helpful soon, when we make — |
$ md5sum openssl-1.0.1i.tar.gz c8dc151a671b9b92ff3e4c118b174972 openssl-1.0.1i.tar.gz Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
This commit modifies CRYPTO_xts128_encrypt() so that tweak information is saved in the context for the next call. As a result, EVP_EncryptUpdate() or EVP_DecryptUpdate() can be called multiple times with partial buffers.
Prepare for building OpenSSL libcrypto. 1. Add the following to libutils: - isdigit(), isspace(), isalpha(), isalnum(), isxdigit(), isupper(), islower(), toupper(), tolower(): basic ASCII-only implementation - atoi(), sscanf() (stub!), strtoul(), strncmp(), strcpy(), strncpy(), strchr(), strcat() 2. Add abort() and time() to core/kernel. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Set the WITH_CRYPTO build option to 'openssl' to use the OpenSSL libcrypto
library for cryptographic services. When WITH_CRYPTO is not set, or set to
'tomcrypt', LibTomCrypt is used.
Usage example:
$ make CROSS_COMPILE=arm-linux-gnueabihf- \
PLATFORM=vexpress PLATFORM_FLAVOR=fvp \
WITH_CRYPTO=openssl
Tested with xtest (e7cda93) on Foundation_v8 (PLATFORM_FLAVOR=fvp) and QEMU
(PLATFORM_FLAVOR=qemu_virt).
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
|
Rebased on 3d34e12 (i.e., what was merged into master). So here remains only the OpenSSL-specific stuff. |
|
Has been pushed on the branch |
ghost
closed this
This patch series implements the internal layer that allows the use of cryptographic libraries other than the default LibTomCrypt. It adds an OpenSSL implementation.
Add crypto provider internal APIis basically what was reviewed in PR Add crypto provider internal API. #35. It makes a clean separation between the crypto services (tee_svc_cryp.c) and the LibTomCrypt implementation.Import libcrypto source code from OpenSSL 1.0.1ibrings in some OpenSSL code undercore/lib/openssl. The code is committed unmodified, and is not built at this stage This commit can serve as a reference point when merging future versions of OpenSSL.OpenSSL: AES-XTS: allow multiple calls...is an enhancement needed for proper TEE_ALG_AES_XTS operations. It deals with encryption and decryption of partial buffers.libutils: add functions needed by OpenSSL...adds some standard functions that are required to build OpenSSL.Add support for $(lib-use-ld) and $(lib-ldflags)is a small addition to the OP-TEE build system. It is used in the next patch to avoid adding unused functions to the OpenSSL library (and thus reduce the final size of the TEE binary).