From: lizhi <lizhi206@huawei.com> Add support for OSSL_FUNC_PROVIDER_GET_CAPABILITIES to enable TLS 1.3 compatibility. Signed-off-by: lizhi <lizhi206@huawei.com> --- src/Makefile.am | 1 + src/uadk_prov.h | 3 + src/uadk_prov_capabilities.c | 224 +++++++++++++++++++++++++++++++++++ src/uadk_prov_ecx.c | 28 ++--- src/uadk_prov_init.c | 2 +- 5 files changed, 238 insertions(+), 20 deletions(-) create mode 100644 src/uadk_prov_capabilities.c diff --git a/src/Makefile.am b/src/Makefile.am index 6b035cc..7c1e1c5 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -61,6 +61,7 @@ uadk_engine_la_SOURCES+=v1/alg/ciphers/sec_ciphers.c \ endif #WD_KAE uadk_provider_la_SOURCES=uadk_prov_init.c uadk_async.c uadk_utils.c \ + uadk_prov_capabilities.c\ uadk_prov_digest.c uadk_prov_cipher.c \ uadk_prov_rsa.c uadk_prov_rsa_kmgmt.c \ uadk_prov_rsa_enc.c uadk_prov_rsa_sign.c \ diff --git a/src/uadk_prov.h b/src/uadk_prov.h index 62a26fe..60031cb 100644 --- a/src/uadk_prov.h +++ b/src/uadk_prov.h @@ -17,6 +17,7 @@ */ #ifndef UADK_PROV_H #define UADK_PROV_H +#include <openssl/bio.h> #include <openssl/core_dispatch.h> #define FUNC_MAX_NUM 32 @@ -45,6 +46,8 @@ #define PROV_NAMES_SHA2_512_224 "SHA2-512/224:SHA-512/224:SHA512-224:2.16.840.1.101.3.4.2.5" #define PROV_NAMES_SHA2_512_256 "SHA2-512/256:SHA-512/256:SHA512-256:2.16.840.1.101.3.4.2.6" +OSSL_FUNC_provider_get_capabilities_fn uadk_get_capabilities; + enum HW_SYMM_ENC_DEV { HW_SYMM_ENC_INVALID = 0x0, HW_SYMM_ENC_V2 = 0x2, diff --git a/src/uadk_prov_capabilities.c b/src/uadk_prov_capabilities.c new file mode 100644 index 0000000..18d2903 --- /dev/null +++ b/src/uadk_prov_capabilities.c 
@@ -0,0 +1,224 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include <assert.h>
+#include <string.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/core_names.h>
+/* For TLS1_VERSION etc */
+#include <openssl/prov_ssl.h>
+#include <openssl/params.h>
+#include "uadk_prov.h"
+
+# define OSSL_TLS_GROUP_ID_sect163k1 0x0001
+# define OSSL_TLS_GROUP_ID_sect163r1 0x0002
+# define OSSL_TLS_GROUP_ID_sect163r2 0x0003
+# define OSSL_TLS_GROUP_ID_sect193r1 0x0004
+# define OSSL_TLS_GROUP_ID_sect193r2 0x0005
+# define OSSL_TLS_GROUP_ID_sect233k1 0x0006
+# define OSSL_TLS_GROUP_ID_sect233r1 0x0007
+# define OSSL_TLS_GROUP_ID_sect239k1 0x0008
+# define OSSL_TLS_GROUP_ID_sect283k1 0x0009
+# define OSSL_TLS_GROUP_ID_sect283r1 0x000A
+# define OSSL_TLS_GROUP_ID_sect409k1 0x000B
+# define OSSL_TLS_GROUP_ID_sect409r1 0x000C
+# define OSSL_TLS_GROUP_ID_sect571k1 0x000D
+# define OSSL_TLS_GROUP_ID_sect571r1 0x000E
+# define OSSL_TLS_GROUP_ID_secp160k1 0x000F
+# define OSSL_TLS_GROUP_ID_secp160r1 0x0010
+# define OSSL_TLS_GROUP_ID_secp160r2 0x0011
+# define OSSL_TLS_GROUP_ID_secp192k1 0x0012
+# define OSSL_TLS_GROUP_ID_secp192r1 0x0013
+# define OSSL_TLS_GROUP_ID_secp224k1 0x0014
+# define OSSL_TLS_GROUP_ID_secp224r1 0x0015
+# define OSSL_TLS_GROUP_ID_secp256k1 0x0016
+# define OSSL_TLS_GROUP_ID_secp256r1 0x0017
+# define OSSL_TLS_GROUP_ID_secp384r1 0x0018
+# define OSSL_TLS_GROUP_ID_secp521r1 0x0019
+# define OSSL_TLS_GROUP_ID_brainpoolP256r1 0x001A
+# define OSSL_TLS_GROUP_ID_brainpoolP384r1 0x001B
+# define OSSL_TLS_GROUP_ID_brainpoolP512r1 0x001C
+# define OSSL_TLS_GROUP_ID_x25519 0x001D
+# define OSSL_TLS_GROUP_ID_x448 0x001E
+# define OSSL_TLS_GROUP_ID_ffdhe2048 0x0100
+# define OSSL_TLS_GROUP_ID_ffdhe3072 0x0101
+# define OSSL_TLS_GROUP_ID_ffdhe4096 0x0102
+# define OSSL_TLS_GROUP_ID_ffdhe6144 0x0103
+# define OSSL_TLS_GROUP_ID_ffdhe8192 0x0104
+# define OSSL_TLS_GROUP_ID_sm2 0x0029
+
+# if !defined(NTLS1_1_VERSION)
+/* NTLS version.
+ * OpenSSL3 doesn't support yet, define to pass the compile.
+ */
+# define NTLS1_1_VERSION 0x0101
+# endif
+
+#define OSSL_NELEM(x) (sizeof(x)/sizeof((x)[0]))
+
+struct tls_group_constants_st {
+ /* Group ID */
+ unsigned int group_id;
+ /* Bits of security */
+ unsigned int secbits;
+ /* Minimum TLS version, -1 unsupported */
+ int mintls;
+ /* Maximum TLS version (or 0 for undefined) */
+ int maxtls;
+ /* Minimum DTLS version, -1 unsupported */
+ int mindtls;
+ /* Maximum DTLS version (or 0 for undefined) */
+ int maxdtls;
+};
+
+static const struct tls_group_constants_st group_list[36] = {
+ { OSSL_TLS_GROUP_ID_sect163k1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect163r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect163r2, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect193r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect193r2, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect233k1, 112, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect233r1, 112, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect239k1, 112, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect283k1, 128, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect283r1, 128, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect409k1, 192, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect409r1, 192, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect571k1, 256, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect571r1, 256, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp160k1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp160r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp160r2, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp192k1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp192r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp224k1, 112, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp224r1, 112, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp256k1, 128, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp256r1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
+ { OSSL_TLS_GROUP_ID_secp384r1, 192, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
+ { OSSL_TLS_GROUP_ID_secp521r1, 256, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
+ { OSSL_TLS_GROUP_ID_brainpoolP256r1, 128, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_brainpoolP384r1, 192, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_brainpoolP512r1, 256, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_x25519, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
+ { OSSL_TLS_GROUP_ID_x448, 224, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
+ /* Security bit values as given by BN_security_bits() */
+ { OSSL_TLS_GROUP_ID_ffdhe2048, 112, TLS1_3_VERSION, 0, -1, -1 },
+ { OSSL_TLS_GROUP_ID_ffdhe3072, 128, TLS1_3_VERSION, 0, -1, -1 },
+ { OSSL_TLS_GROUP_ID_ffdhe4096, 128, TLS1_3_VERSION, 0, -1, -1 },
+ { OSSL_TLS_GROUP_ID_ffdhe6144, 128, TLS1_3_VERSION, 0, -1, -1 },
+ { OSSL_TLS_GROUP_ID_ffdhe8192, 192, TLS1_3_VERSION, 0, -1, -1 },
+ { OSSL_TLS_GROUP_ID_sm2, 128, NTLS1_1_VERSION, 0, -1, -1 },
+};
+
+#define TLS_GROUP_ENTRY_COMMON(tlsname, realname, algorithm, idx) \
+ OSSL_PARAM_utf8_string(OSSL_CAPABILITY_TLS_GROUP_NAME, \
+ tlsname, sizeof(tlsname)), \
+ OSSL_PARAM_utf8_string(OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL, \
+ realname, sizeof(realname)), \
+ OSSL_PARAM_utf8_string(OSSL_CAPABILITY_TLS_GROUP_ALG, \
+ algorithm, sizeof(algorithm)), \
+ OSSL_PARAM_uint(OSSL_CAPABILITY_TLS_GROUP_ID, \
+ (unsigned int *)&group_list[idx].group_id)
+
+#define TLS_GROUP_ENTRY_TLS(idx) \
+ OSSL_PARAM_uint(OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS, \
+ (unsigned int *)&group_list[idx].secbits), \
+ OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MIN_TLS, \
+ (unsigned int *)&group_list[idx].mintls), \
+ OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MAX_TLS, \
+ (unsigned int *)&group_list[idx].maxtls)
+
+#define TLS_GROUP_ENTRY_DTLS(idx) \
+ OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS, \
+ (unsigned int *)&group_list[idx].mindtls), \
+ OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS, \
+ (unsigned int *)&group_list[idx].maxdtls)
+
+#define TLS_GROUP_ENTRY(tlsname, realname, algorithm, idx) \
+{ \
+ TLS_GROUP_ENTRY_COMMON(tlsname, realname, algorithm, idx), \
+ TLS_GROUP_ENTRY_TLS(idx), \
+ TLS_GROUP_ENTRY_DTLS(idx), \
+ OSSL_PARAM_END \
+}
+
+static const OSSL_PARAM param_group_list[][10] = {
+ TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 22),
+ /* Alias of above */
+ TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 22),
+ TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 23),
+ /* Alias of above */
+ TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 23),
+ TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 24),
+ /* Alias of above */
+ TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 24),
+
+ TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
+ TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
+
+ /* Security bit values for FFDHE groups are as per RFC 7919 */
+ TLS_GROUP_ENTRY("ffdhe2048", "ffdhe2048", "DH", 30),
+ TLS_GROUP_ENTRY("ffdhe3072", "ffdhe3072", "DH", 31),
+ TLS_GROUP_ENTRY("ffdhe4096", "ffdhe4096", "DH", 32),
+ /*
+ * Note: uadk_provider doesn't support DH with 6144/8192-bit width,
+ * but can fallback to software computation if needed.
+ */
+ TLS_GROUP_ENTRY("ffdhe6144", "ffdhe6144", "DH", 33),
+ TLS_GROUP_ENTRY("ffdhe8192", "ffdhe8192", "DH", 34),
+
+ TLS_GROUP_ENTRY("curveSM2", "SM2", "SM2", 35),
+};
+
+static int tls_group_capability(OSSL_CALLBACK *cb, void *arg)
+{
+ size_t i;
+
+ for (i = 0; i < OSSL_NELEM(param_group_list); i++)
+ if (!cb(param_group_list[i], arg))
+ return UADK_P_FAIL;
+
+ return UADK_P_SUCCESS;
+}
+
+int uadk_get_capabilities(void *provctx, const char *capability,
+ OSSL_CALLBACK *cb, void *arg)
+{
+ if (strcasecmp(capability, "TLS-GROUP") == 0)
+ return tls_group_capability(cb, arg);
+
+ /* We don't support this capability */
+ return UADK_P_FAIL;
+}
diff --git a/src/uadk_prov_ecx.c b/src/uadk_prov_ecx.c
index ebdfec4..243b977 100644
--- a/src/uadk_prov_ecx.c
+++ b/src/uadk_prov_ecx.c
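Review bot: The `param_group_list` rows pick their `group_list` row by bare position (`22`, `28`, `35`, …), so inserting or removing one entry in the 36-element table would silently make a group advertise another group's security bits and TLS/DTLS version range, values libssl presumably uses for security-level and protocol-version filtering. Designated initializers would pin each position, e.g. `[22] = { OSSL_TLS_GROUP_ID_secp256r1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },`, or at least a comment on `group_list` should say that `TLS_GROUP_ENTRY` refers to rows by index. Separately, the `curveSM2` row uses `NTLS1_1_VERSION` (`0x0101`) as `mintls` with `maxtls` 0; on an OpenSSL build without NTLS that value looks numerically lower than every TLS version constant, so the group would likely be treated as valid for all of them, which is worth confirming against the intended policy. `uadk_get_capabilities` also calls `strcasecmp` with only `<string.h>` included; `#include <strings.h>` (or `OPENSSL_strcasecmp`, if the minimum supported OpenSSL provides it) avoids depending on an implicit declaration.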
@@ -299,18 +299,12 @@ static const OSSL_PARAM *uadk_keymgmt_x448_gen_settable_params(ossl_unused void static int uadk_keymgmt_x448_gen_set_template(void *genctx, void *templ) { - if (get_default_x448_keymgmt().gen_set_template == NULL) - return UADK_P_FAIL; - - return get_default_x448_keymgmt().gen_set_template(genctx, templ); + return UADK_P_SUCCESS; } static const char *uadk_keymgmt_x448_query_operation_name(int operation_id) { - if (get_default_x448_keymgmt().query_operation_name == NULL) - return NULL; - - return get_default_x448_keymgmt().query_operation_name(operation_id); + return "X448"; } static int ossl_param_build_set_octet_string(OSSL_PARAM_BLD *bld, OSSL_PARAM *p, const char *key, @@ -780,7 +774,7 @@ static int uadk_prov_ecx_keygen(PROV_ECX_KEYMGMT_CTX *gctx, ECX_KEY **ecx_key) return UADK_P_FAIL; *ecx_key = uadk_prov_ecx_create_prikey(gctx); - if (*ecx_key == NULL) + if (*ecx_key == NULL || !(gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR)) return UADK_P_FAIL; ret = uadk_prov_ecx_keygen_init_iot(gctx->sess, &req); @@ -895,7 +889,8 @@ static void *uadk_keymgmt_x448_gen(void *genctx, OSSL_CALLBACK *cb, void *cb_par } ret = uadk_prov_ecx_keygen(gctx, &ecx_key); - if (ret != UADK_P_SUCCESS) { + /* Blank key and UADK_P_FAIL in parameter generation is expected, not an error */ + if (ret != UADK_P_SUCCESS && (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR)) { UADK_ERR("failed to generate x448 key\n"); uadk_prov_ecx_free_sess(gctx->sess); goto exe_soft; 
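Review bot: `uadk_keymgmt_x448_gen_set_template` now returns `UADK_P_SUCCESS` without looking at `templ`, so a caller that supplies a template key is told it was applied when it was ignored. If that is deliberate (the removed code failed whenever the default provider exposed no `gen_set_template`), say so at the function, e.g. `/* X448 has no parameters to copy from a template; it is accepted and ignored. */`. `uadk_keymgmt_x448_query_operation_name` likewise returns `"X448"` for every `operation_id`, and a one-line comment that the id is intentionally not checked would help the next reader. The x25519 hunk at `@@ -1466` makes the same two changes and needs the same comments.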
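Review bot: Folding the selection test into the `*ecx_key == NULL` check makes `uadk_prov_ecx_keygen` return `UADK_P_FAIL` both for a real failure and for the expected parameter-only case, and the callers in the `@@ -895` and `@@ -1544` hunks then skip error handling for every failure when `OSSL_KEYMGMT_SELECT_KEYPAIR` is not selected. That includes the earlier `return UADK_P_FAIL;` visible just above this check and an allocation failure that leaves `*ecx_key` NULL. Returning success for the parameter-only case keeps real errors visible: `if (*ecx_key == NULL) return UADK_P_FAIL;` followed by `if (!(gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR)) return UADK_P_SUCCESS;`, after which both callers can keep the plain `ret != UADK_P_SUCCESS` test. The function body and both callers continue outside the hunks, so whether `gctx->sess` is released on the parameter-only path should be checked there.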
@@ -1466,18 +1461,12 @@ static const OSSL_PARAM *uadk_keymgmt_x25519_gen_settable_params(ossl_unused voi static int uadk_keymgmt_x25519_gen_set_template(void *genctx, void *templ) { - if (get_default_x25519_keymgmt().gen_set_template == NULL) - return UADK_P_FAIL; - - return get_default_x25519_keymgmt().gen_set_template(genctx, templ); + return UADK_P_SUCCESS; } static const char *uadk_keymgmt_x25519_query_operation_name(int operation_id) { - if (get_default_x25519_keymgmt().query_operation_name == NULL) - return NULL; - - return get_default_x25519_keymgmt().query_operation_name(operation_id); + return "X25519"; } static int uadk_keymgmt_x25519_get_params(void *key, OSSL_PARAM params[]) @@ -1544,7 +1533,8 @@ static void *uadk_keymgmt_x25519_gen(void *genctx, OSSL_CALLBACK *cb, void *cb_p } ret = uadk_prov_ecx_keygen(gctx, &ecx_key); - if (ret != UADK_P_SUCCESS) { + /* Blank key and UADK_P_FAIL in parameter generation is expected, not an error */ + if (ret != UADK_P_SUCCESS && (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR)) { UADK_ERR("failed to generate x25519 key\n"); uadk_prov_ecx_free_sess(gctx->sess); goto exe_soft; diff --git a/src/uadk_prov_init.c b/src/uadk_prov_init.c index 92ecc68..03a3485 100644 --- a/src/uadk_prov_init.c +++ b/src/uadk_prov_init.c @@ -19,7 +19,6 @@ #include <stdio.h> #include <string.h> -#include <openssl/bio.h> #include <openssl/core_dispatch.h> #include <openssl/core_names.h> #include <openssl/crypto.h> @@ -843,6 +842,7 @@ static const OSSL_DISPATCH uadk_dispatch_table[] = { { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))uadk_teardown }, { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))uadk_get_params }, { OSSL_FUNC_PROVIDER_UNQUERY_OPERATION, (void (*)(void))uadk_unquery }, + { OSSL_FUNC_PROVIDER_GET_CAPABILITIES, (void (*)(void))uadk_get_capabilities}, { 0, NULL } }; -- 2.43.0