[Acc] [PATCH 11/16] uadk_provider: adapt uadk_provider with tls 1.3

10 Feb 2026

From: lizhi <lizhi206@huawei.com>

Add support for OSSL_FUNC_PROVIDER_GET_CAPABILITIES to enable
TLS 1.3 compatibility.

Signed-off-by: lizhi <lizhi206@huawei.com>
---
 src/Makefile.am              |   1 +
 src/uadk_prov.h              |   3 +
 src/uadk_prov_capabilities.c | 224 +++++++++++++++++++++++++++++++++++
 src/uadk_prov_ecx.c          |  28 ++---
 src/uadk_prov_init.c         |   2 +-
 5 files changed, 238 insertions(+), 20 deletions(-)
 create mode 100644 src/uadk_prov_capabilities.c

diff --git a/src/Makefile.am b/src/Makefile.am
index 6b035cc..7c1e1c5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -61,6 +61,7 @@ uadk_engine_la_SOURCES+=v1/alg/ciphers/sec_ciphers.c \
 endif #WD_KAE
 
 uadk_provider_la_SOURCES=uadk_prov_init.c uadk_async.c uadk_utils.c \
+			 uadk_prov_capabilities.c\
 			 uadk_prov_digest.c uadk_prov_cipher.c \
 			 uadk_prov_rsa.c uadk_prov_rsa_kmgmt.c \
 			 uadk_prov_rsa_enc.c uadk_prov_rsa_sign.c \
diff --git a/src/uadk_prov.h b/src/uadk_prov.h
index 62a26fe..60031cb 100644
--- a/src/uadk_prov.h
+++ b/src/uadk_prov.h
@@ -17,6 +17,7 @@
  */
 #ifndef UADK_PROV_H
 #define UADK_PROV_H
+#include <openssl/bio.h>
 #include <openssl/core_dispatch.h>
 
 #define FUNC_MAX_NUM			32
@@ -45,6 +46,8 @@
 #define PROV_NAMES_SHA2_512_224 "SHA2-512/224:SHA-512/224:SHA512-224:2.16.840.1.101.3.4.2.5"
 #define PROV_NAMES_SHA2_512_256 "SHA2-512/256:SHA-512/256:SHA512-256:2.16.840.1.101.3.4.2.6"
 
+OSSL_FUNC_provider_get_capabilities_fn uadk_get_capabilities;
+
 enum HW_SYMM_ENC_DEV {
 	HW_SYMM_ENC_INVALID = 0x0,
 	HW_SYMM_ENC_V2 = 0x2,
diff --git a/src/uadk_prov_capabilities.c b/src/uadk_prov_capabilities.c
new file mode 100644
index 0000000..18d2903
--- /dev/null
+++ b/src/uadk_prov_capabilities.c
@@ -0,0 +1,224 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include <assert.h>
+#include <string.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/core_names.h>
+/* For TLS1_VERSION etc */
+#include <openssl/prov_ssl.h>
+#include <openssl/params.h>
+#include "uadk_prov.h"
+
+# define OSSL_TLS_GROUP_ID_sect163k1		0x0001
+# define OSSL_TLS_GROUP_ID_sect163r1		0x0002
+# define OSSL_TLS_GROUP_ID_sect163r2		0x0003
+# define OSSL_TLS_GROUP_ID_sect193r1		0x0004
+# define OSSL_TLS_GROUP_ID_sect193r2		0x0005
+# define OSSL_TLS_GROUP_ID_sect233k1		0x0006
+# define OSSL_TLS_GROUP_ID_sect233r1		0x0007
+# define OSSL_TLS_GROUP_ID_sect239k1		0x0008
+# define OSSL_TLS_GROUP_ID_sect283k1		0x0009
+# define OSSL_TLS_GROUP_ID_sect283r1		0x000A
+# define OSSL_TLS_GROUP_ID_sect409k1		0x000B
+# define OSSL_TLS_GROUP_ID_sect409r1		0x000C
+# define OSSL_TLS_GROUP_ID_sect571k1		0x000D
+# define OSSL_TLS_GROUP_ID_sect571r1		0x000E
+# define OSSL_TLS_GROUP_ID_secp160k1		0x000F
+# define OSSL_TLS_GROUP_ID_secp160r1		0x0010
+# define OSSL_TLS_GROUP_ID_secp160r2		0x0011
+# define OSSL_TLS_GROUP_ID_secp192k1		0x0012
+# define OSSL_TLS_GROUP_ID_secp192r1		0x0013
+# define OSSL_TLS_GROUP_ID_secp224k1		0x0014
+# define OSSL_TLS_GROUP_ID_secp224r1		0x0015
+# define OSSL_TLS_GROUP_ID_secp256k1		0x0016
+# define OSSL_TLS_GROUP_ID_secp256r1		0x0017
+# define OSSL_TLS_GROUP_ID_secp384r1		0x0018
+# define OSSL_TLS_GROUP_ID_secp521r1		0x0019
+# define OSSL_TLS_GROUP_ID_brainpoolP256r1	0x001A
+# define OSSL_TLS_GROUP_ID_brainpoolP384r1	0x001B
+# define OSSL_TLS_GROUP_ID_brainpoolP512r1	0x001C
+# define OSSL_TLS_GROUP_ID_x25519		0x001D
+# define OSSL_TLS_GROUP_ID_x448			0x001E
+# define OSSL_TLS_GROUP_ID_ffdhe2048		0x0100
+# define OSSL_TLS_GROUP_ID_ffdhe3072		0x0101
+# define OSSL_TLS_GROUP_ID_ffdhe4096		0x0102
+# define OSSL_TLS_GROUP_ID_ffdhe6144		0x0103
+# define OSSL_TLS_GROUP_ID_ffdhe8192		0x0104
+# define OSSL_TLS_GROUP_ID_sm2			0x0029
+
+# if !defined(NTLS1_1_VERSION)
+/* NTLS version.
+ * OpenSSL3 doesn't support yet, define to pass the compile.
+ */
+#  define NTLS1_1_VERSION			0x0101
+# endif
+
+#define OSSL_NELEM(x)			(sizeof(x)/sizeof((x)[0]))
+
+struct tls_group_constants_st {
+	/* Group ID */
+	unsigned int group_id;
+	/* Bits of security */
+	unsigned int secbits;
+	/* Minimum TLS version, -1 unsupported */
+	int mintls;
+	/* Maximum TLS version (or 0 for undefined) */
+	int maxtls;
+	/* Minimum DTLS version, -1 unsupported */
+	int mindtls;
+	/* Maximum DTLS version (or 0 for undefined) */
+	int maxdtls;
+};
+
+static const struct tls_group_constants_st group_list[36] = {
+	{ OSSL_TLS_GROUP_ID_sect163k1, 80, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect163r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect163r2, 80, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect193r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect193r2, 80, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect233k1, 112, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect233r1, 112, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect239k1, 112, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect283k1, 128, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect283r1, 128, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect409k1, 192, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect409r1, 192, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect571k1, 256, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_sect571r1, 256, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_secp160k1, 80, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_secp160r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_secp160r2, 80, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_secp192k1, 80, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_secp192r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_secp224k1, 112, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_secp224r1, 112, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_secp256k1, 128, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_secp256r1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
+	{ OSSL_TLS_GROUP_ID_secp384r1, 192, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
+	{ OSSL_TLS_GROUP_ID_secp521r1, 256, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
+	{ OSSL_TLS_GROUP_ID_brainpoolP256r1, 128, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_brainpoolP384r1, 192, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_brainpoolP512r1, 256, TLS1_VERSION, TLS1_2_VERSION,
+	DTLS1_VERSION, DTLS1_2_VERSION },
+	{ OSSL_TLS_GROUP_ID_x25519, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
+	{ OSSL_TLS_GROUP_ID_x448, 224, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
+	/* Security bit values as given by BN_security_bits() */
+	{ OSSL_TLS_GROUP_ID_ffdhe2048, 112, TLS1_3_VERSION, 0, -1, -1 },
+	{ OSSL_TLS_GROUP_ID_ffdhe3072, 128, TLS1_3_VERSION, 0, -1, -1 },
+	{ OSSL_TLS_GROUP_ID_ffdhe4096, 128, TLS1_3_VERSION, 0, -1, -1 },
+	{ OSSL_TLS_GROUP_ID_ffdhe6144, 128, TLS1_3_VERSION, 0, -1, -1 },
+	{ OSSL_TLS_GROUP_ID_ffdhe8192, 192, TLS1_3_VERSION, 0, -1, -1 },
+	{ OSSL_TLS_GROUP_ID_sm2, 128, NTLS1_1_VERSION, 0, -1, -1 },
+};
+
+#define TLS_GROUP_ENTRY_COMMON(tlsname, realname, algorithm, idx) \
+	OSSL_PARAM_utf8_string(OSSL_CAPABILITY_TLS_GROUP_NAME, \
+			tlsname, sizeof(tlsname)), \
+	OSSL_PARAM_utf8_string(OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL, \
+			realname, sizeof(realname)), \
+	OSSL_PARAM_utf8_string(OSSL_CAPABILITY_TLS_GROUP_ALG, \
+			algorithm, sizeof(algorithm)), \
+	OSSL_PARAM_uint(OSSL_CAPABILITY_TLS_GROUP_ID, \
+			(unsigned int *)&group_list[idx].group_id)
+
+#define TLS_GROUP_ENTRY_TLS(idx) \
+	OSSL_PARAM_uint(OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS, \
+			(unsigned int *)&group_list[idx].secbits), \
+	OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MIN_TLS, \
+			(unsigned int *)&group_list[idx].mintls), \
+	OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MAX_TLS, \
+			(unsigned int *)&group_list[idx].maxtls)
+
+#define TLS_GROUP_ENTRY_DTLS(idx) \
+	OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS, \
+			(unsigned int *)&group_list[idx].mindtls), \
+	OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS, \
+			(unsigned int *)&group_list[idx].maxdtls)
+
+#define TLS_GROUP_ENTRY(tlsname, realname, algorithm, idx) \
+{ \
+	TLS_GROUP_ENTRY_COMMON(tlsname, realname, algorithm, idx), \
+	TLS_GROUP_ENTRY_TLS(idx), \
+	TLS_GROUP_ENTRY_DTLS(idx), \
+	OSSL_PARAM_END \
+}
+
+static const OSSL_PARAM param_group_list[][10] = {
+	TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 22),
+	 /* Alias of above */
+	TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 22),
+	TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 23),
+	 /* Alias of above */
+	TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 23),
+	TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 24),
+	 /* Alias of above */
+	TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 24),
+
+	TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
+	TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
+
+	/* Security bit values for FFDHE groups are as per RFC 7919 */
+	TLS_GROUP_ENTRY("ffdhe2048", "ffdhe2048", "DH", 30),
+	TLS_GROUP_ENTRY("ffdhe3072", "ffdhe3072", "DH", 31),
+	TLS_GROUP_ENTRY("ffdhe4096", "ffdhe4096", "DH", 32),
+	/*
+	 * Note: uadk_provider doesn't support DH with 6144/8192-bit width,
+	 * but can fallback to software computation if needed.
+	 */
+	TLS_GROUP_ENTRY("ffdhe6144", "ffdhe6144", "DH", 33),
+	TLS_GROUP_ENTRY("ffdhe8192", "ffdhe8192", "DH", 34),
+
+	TLS_GROUP_ENTRY("curveSM2", "SM2", "SM2", 35),
+};
+
+static int tls_group_capability(OSSL_CALLBACK *cb, void *arg)
+{
+	size_t i;
+
+	for (i = 0; i < OSSL_NELEM(param_group_list); i++)
+		if (!cb(param_group_list[i], arg))
+			return UADK_P_FAIL;
+
+	return UADK_P_SUCCESS;
+}
+
+int uadk_get_capabilities(void *provctx, const char *capability,
+			  OSSL_CALLBACK *cb, void *arg)
+{
+	if (strcasecmp(capability, "TLS-GROUP") == 0)
+		return tls_group_capability(cb, arg);
+
+	/* We don't support this capability */
+	return UADK_P_FAIL;
+}
diff --git a/src/uadk_prov_ecx.c b/src/uadk_prov_ecx.c
index ebdfec4..243b977 100644
--- a/src/uadk_prov_ecx.c
+++ b/src/uadk_prov_ecx.c
@@ -299,18 +299,12 @@ static const OSSL_PARAM *uadk_keymgmt_x448_gen_settable_params(ossl_unused void
 
 static int uadk_keymgmt_x448_gen_set_template(void *genctx, void *templ)
 {
-	if (get_default_x448_keymgmt().gen_set_template == NULL)
-		return UADK_P_FAIL;
-
-	return get_default_x448_keymgmt().gen_set_template(genctx, templ);
+	return UADK_P_SUCCESS;
 }
 
 static const char *uadk_keymgmt_x448_query_operation_name(int operation_id)
 {
-	if (get_default_x448_keymgmt().query_operation_name == NULL)
-		return NULL;
-
-	return get_default_x448_keymgmt().query_operation_name(operation_id);
+	return "X448";
 }
 
 static int ossl_param_build_set_octet_string(OSSL_PARAM_BLD *bld, OSSL_PARAM *p, const char *key,
@@ -780,7 +774,7 @@ static int uadk_prov_ecx_keygen(PROV_ECX_KEYMGMT_CTX *gctx, ECX_KEY **ecx_key)
 		return UADK_P_FAIL;
 
 	*ecx_key = uadk_prov_ecx_create_prikey(gctx);
-	if (*ecx_key == NULL)
+	if (*ecx_key == NULL || !(gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR))
 		return UADK_P_FAIL;
 
 	ret = uadk_prov_ecx_keygen_init_iot(gctx->sess, &req);
@@ -895,7 +889,8 @@ static void *uadk_keymgmt_x448_gen(void *genctx, OSSL_CALLBACK *cb, void *cb_par
 	}
 
 	ret = uadk_prov_ecx_keygen(gctx, &ecx_key);
-	if (ret != UADK_P_SUCCESS) {
+	/* Blank key and UADK_P_FAIL in parameter generation is expected, not an error */
+	if (ret != UADK_P_SUCCESS && (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR)) {
 		UADK_ERR("failed to generate x448 key\n");
 		uadk_prov_ecx_free_sess(gctx->sess);
 		goto exe_soft;
@@ -1466,18 +1461,12 @@ static const OSSL_PARAM *uadk_keymgmt_x25519_gen_settable_params(ossl_unused voi
 
 static int uadk_keymgmt_x25519_gen_set_template(void *genctx, void *templ)
 {
-	if (get_default_x25519_keymgmt().gen_set_template == NULL)
-		return UADK_P_FAIL;
-
-	return get_default_x25519_keymgmt().gen_set_template(genctx, templ);
+	return UADK_P_SUCCESS;
 }
 
 static const char *uadk_keymgmt_x25519_query_operation_name(int operation_id)
 {
-	if (get_default_x25519_keymgmt().query_operation_name == NULL)
-		return NULL;
-
-	return get_default_x25519_keymgmt().query_operation_name(operation_id);
+	return "X25519";
 }
 
 static int uadk_keymgmt_x25519_get_params(void *key, OSSL_PARAM params[])
@@ -1544,7 +1533,8 @@ static void *uadk_keymgmt_x25519_gen(void *genctx, OSSL_CALLBACK *cb, void *cb_p
 	}
 
 	ret = uadk_prov_ecx_keygen(gctx, &ecx_key);
-	if (ret != UADK_P_SUCCESS) {
+	/* Blank key and UADK_P_FAIL in parameter generation is expected, not an error */
+	if (ret != UADK_P_SUCCESS && (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR)) {
 		UADK_ERR("failed to generate x25519 key\n");
 		uadk_prov_ecx_free_sess(gctx->sess);
 		goto exe_soft;
diff --git a/src/uadk_prov_init.c b/src/uadk_prov_init.c
index 92ecc68..03a3485 100644
--- a/src/uadk_prov_init.c
+++ b/src/uadk_prov_init.c
@@ -19,7 +19,6 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/bio.h>
 #include <openssl/core_dispatch.h>
 #include <openssl/core_names.h>
 #include <openssl/crypto.h>
@@ -843,6 +842,7 @@ static const OSSL_DISPATCH uadk_dispatch_table[] = {
 	{ OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))uadk_teardown },
 	{ OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))uadk_get_params },
 	{ OSSL_FUNC_PROVIDER_UNQUERY_OPERATION, (void (*)(void))uadk_unquery },
+	{ OSSL_FUNC_PROVIDER_GET_CAPABILITIES, (void (*)(void))uadk_get_capabilities},
 	{ 0, NULL }
 };
 
-- 
2.43.0

    

[Acc] [PATCH 11/16] uadk_provider: adapt uadk_provider with tls 1.3

ZongYu Wu