packages/openhitls
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update patch

Browse Source 
Signed-off-by: xuhuiyue <xuhuiyue@huawei.com>
(cherry picked from commit 1cae02f84d65c32a283141bf1a44c04e2df97c3b)
This commit is contained in:
xuhuiyue 2024-12-11 20:36:28 +08:00 committed by openeuler-sync-bot
parent 92f26b3b65
commit 695a980c9f
12 changed files with 5518 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
0001-provider_revise.patch Normal file
View File

@ -0,0 +1,107 @@
From c6d38fb0fed60a8203afce7e90fdb9434d1d728e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=A6=BB=E6=A0=87=E9=87=8F?= <875922464@qq.com>
Date: Thu, 28 Nov 2024 17:56:09 +0800
Subject: [PATCH 01/10] provider_revise
---
crypto/provider/src/mgr/crypt_provider.c | 2 +-
testcode/sdv/testcase/bsl/sal/test_suite_sdv_sal_dl.data | 2 +-
testcode/testdata/provider/provider_load_test1.c | 2 +-
testcode/testdata/provider/provider_load_test2.c | 2 +-
testcode/testdata/provider/provider_load_test_no_fullfunc.c | 2 +-
testcode/testdata/provider/provider_load_test_providerNoFree.c | 2 +-
testcode/testdata/provider/provider_load_test_providerNoInit.c | 2 +-
7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/crypto/provider/src/mgr/crypt_provider.c b/crypto/provider/src/mgr/crypt_provider.c
index 29f7983..a1184dd 100644
--- a/crypto/provider/src/mgr/crypt_provider.c
+++ b/crypto/provider/src/mgr/crypt_provider.c
@@ -29,7 +29,7 @@
#include "crypt_provider.h"
// Name of the dl initialization function
-#define PROVIDER_INIT_FUNC "CRYPT_EAL_ProviderInitcb"
+#define PROVIDER_INIT_FUNC "CRYPT_EAL_ProviderInit"
// Maximum length of search path
#define DEFAULT_PROVIDER_PATH_LEN_MAX 4095
diff --git a/testcode/sdv/testcase/bsl/sal/test_suite_sdv_sal_dl.data b/testcode/sdv/testcase/bsl/sal/test_suite_sdv_sal_dl.data
index ac72427..a89ed9e 100644
--- a/testcode/sdv/testcase/bsl/sal/test_suite_sdv_sal_dl.data
+++ b/testcode/sdv/testcase/bsl/sal/test_suite_sdv_sal_dl.data
@@ -1,5 +1,5 @@
SDV_BSL_SAL_DL_FUNC_TC001
-SDV_BSL_SAL_DL_FUNC_TC001:"../testdata/provider/path1/libprovider_load_test1.so":"../testdata/provider/path1/libprovider_load_test2.so":"../testdata/provider/path1/libprovider_load_test_no_init.so":"CRYPT_EAL_ProviderInitcb"
+SDV_BSL_SAL_DL_FUNC_TC001:"../testdata/provider/path1/libprovider_load_test1.so":"../testdata/provider/path1/libprovider_load_test2.so":"../testdata/provider/path1/libprovider_load_test_no_init.so":"CRYPT_EAL_ProviderInit"
SDV_BSL_SAL_CONVERTER_NAME_TC001 #1
SDV_BSL_SAL_CONVERTER_NAME_TC001:"provider_load_test1":1:"provider_load_test1.so"
diff --git a/testcode/testdata/provider/provider_load_test1.c b/testcode/testdata/provider/provider_load_test1.c
index 3f2792e..395b746 100644
--- a/testcode/testdata/provider/provider_load_test1.c
+++ b/testcode/testdata/provider/provider_load_test1.c
@@ -200,7 +200,7 @@ static CRYPT_EAL_Func defProvOutFuncs[] = {
CRYPT_EAL_FUNC_END
};
-int32_t CRYPT_EAL_ProviderInitcb(CRYPT_EAL_ProvMgrCtx *mgrCtx,
+int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx,
BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx)
{
CRYPT_RandSeedMethod entroy = {0};
diff --git a/testcode/testdata/provider/provider_load_test2.c b/testcode/testdata/provider/provider_load_test2.c
index 2e29649..1aeb53c 100644
--- a/testcode/testdata/provider/provider_load_test2.c
+++ b/testcode/testdata/provider/provider_load_test2.c
@@ -99,7 +99,7 @@ static CRYPT_EAL_Func defProvOutFuncs[] = {
CRYPT_EAL_FUNC_END
};
-int32_t CRYPT_EAL_ProviderInitcb(CRYPT_EAL_ProvMgrCtx *mgrCtx,
+int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx,
BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx)
{
*outFuncs = defProvOutFuncs;
diff --git a/testcode/testdata/provider/provider_load_test_no_fullfunc.c b/testcode/testdata/provider/provider_load_test_no_fullfunc.c
index c1cd9d4..b081d76 100644
--- a/testcode/testdata/provider/provider_load_test_no_fullfunc.c
+++ b/testcode/testdata/provider/provider_load_test_no_fullfunc.c
@@ -58,7 +58,7 @@ int32_t CRYPT_EAL_ProvCtrlCb(void *provCtx, int32_t cmd, void *val, uint32_t val
return 0;
}
-int32_t CRYPT_EAL_ProviderInitcb(CRYPT_EAL_ProvMgrCtx *mgrCtx,
+int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx,
BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx)
{
return 0;
diff --git a/testcode/testdata/provider/provider_load_test_providerNoFree.c b/testcode/testdata/provider/provider_load_test_providerNoFree.c
index dc3e68a..972e309 100644
--- a/testcode/testdata/provider/provider_load_test_providerNoFree.c
+++ b/testcode/testdata/provider/provider_load_test_providerNoFree.c
@@ -200,7 +200,7 @@ static CRYPT_EAL_Func defProvOutFuncs[] = {
CRYPT_EAL_FUNC_END
};
-int32_t CRYPT_EAL_ProviderInitcb(CRYPT_EAL_ProvMgrCtx *mgrCtx,
+int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx,
BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx)
{
*outFuncs = defProvOutFuncs;
diff --git a/testcode/testdata/provider/provider_load_test_providerNoInit.c b/testcode/testdata/provider/provider_load_test_providerNoInit.c
index e60d8d0..6588ec2 100644
--- a/testcode/testdata/provider/provider_load_test_providerNoInit.c
+++ b/testcode/testdata/provider/provider_load_test_providerNoInit.c
@@ -200,7 +200,7 @@ static CRYPT_EAL_Func defProvOutFuncs[] = {
CRYPT_EAL_FUNC_END
};
-int32_t CRYPT_EAL_ProviderInitcb(CRYPT_EAL_ProvMgrCtx *mgrCtx,
+int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx,
BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx)
{
*outFuncs = defProvOutFuncs;
--
2.42.0.windows.2

27
0002-param_revise.patch Normal file
View File

@ -0,0 +1,27 @@
From bf7eaa89d82947e1ebf8920d9a3a14555386e875 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=A6=BB=E6=A0=87=E9=87=8F?= <875922464@qq.com>
Date: Thu, 28 Nov 2024 19:59:31 +0800
Subject: [PATCH 02/10] param_revise
---
include/crypto/crypt_params_key.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/crypto/crypt_params_key.h b/include/crypto/crypt_params_key.h
index 417a919..d99cfe6 100644
--- a/include/crypto/crypt_params_key.h
+++ b/include/crypto/crypt_params_key.h
@@ -99,8 +99,8 @@ extern "C" {
#define CRYPT_PARAM_RAND_SEED_CLEANNONCE (CRYPT_PARAM_RAND_BASE + 6)
#define CRYPT_PARAM_CURVE25519_BASE 700
-#define CRYPT_PARAM_CURVE25519_PUBKEY (CRYPT_PARAM_RAND_BASE + 1)
-#define CRYPT_PARAM_CURVE25519_PRVKEY (CRYPT_PARAM_RAND_BASE + 2)
+#define CRYPT_PARAM_CURVE25519_PUBKEY (CRYPT_PARAM_CURVE25519_BASE + 1)
+#define CRYPT_PARAM_CURVE25519_PRVKEY (CRYPT_PARAM_CURVE25519_BASE + 2)
#ifdef __cplusplus
}
--
2.42.0.windows.2

45
0003-add-default-user-id-using-tlcp.patch Normal file
View File

@ -0,0 +1,45 @@
From 5430cec97c1adae56b6b6c696f6c861ad4234cbb Mon Sep 17 00:00:00 2001
From: JerryDevis <liudan144@huawei.com>
Date: Fri, 29 Nov 2024 15:45:39 +0800
Subject: [PATCH 03/10] add default user id using tlcp
---
tls/cert/hitls_x509_adapt/hitls_x509_crypto.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tls/cert/hitls_x509_adapt/hitls_x509_crypto.c b/tls/cert/hitls_x509_adapt/hitls_x509_crypto.c
index 1755a37..11430ec 100644
--- a/tls/cert/hitls_x509_adapt/hitls_x509_crypto.c
+++ b/tls/cert/hitls_x509_adapt/hitls_x509_crypto.c
@@ -52,7 +52,7 @@ CRYPT_MD_AlgId GetCryptHashAlgFromCertHashAlg(HITLS_HashAlgo hashAlgo)
return CRYPT_MD_MAX;
}
-static int32_t SetRsaEmsa(CRYPT_EAL_PkeyCtx *ctx, HITLS_SignAlgo signAlgo, CRYPT_MD_AlgId mdAlgId)
+static int32_t SetPkeySignParam(CRYPT_EAL_PkeyCtx *ctx, HITLS_SignAlgo signAlgo, CRYPT_MD_AlgId mdAlgId)
{
if (signAlgo == HITLS_SIGN_RSA_PKCS1_V15) {
int32_t pad = mdAlgId;
@@ -65,6 +65,10 @@ static int32_t SetRsaEmsa(CRYPT_EAL_PkeyCtx *ctx, HITLS_SignAlgo signAlgo, CRYPT
{CRYPT_PARAM_RSA_SALTLEN, BSL_PARAM_TYPE_INT32, &saltLen, sizeof(saltLen), 0},
BSL_PARAM_END};
return CRYPT_EAL_PkeyCtrl(ctx, CRYPT_CTRL_SET_RSA_EMSA_PSS, pssParam, 0);
+ } else if (signAlgo == HITLS_SIGN_SM2) {
+ /* The default user id as specified in GM/T 0009-2012 */
+ char sm2DefaultUserid[] = "1234567812345678";
+ return CRYPT_EAL_PkeyCtrl(ctx, CRYPT_CTRL_SET_SM2_USER_ID, sm2DefaultUserid, strlen(sm2DefaultUserid));
}
return HITLS_SUCCESS;
@@ -78,7 +82,7 @@ static int32_t SignOrVerifySignPre(CRYPT_EAL_PkeyCtx *ctx, HITLS_SignAlgo signAl
BSL_ERR_PUSH_ERROR(HITLS_X509_ADAPT_ERR);
return HITLS_X509_ADAPT_ERR;
}
- return SetRsaEmsa(ctx, signAlgo, *mdAlgId);
+ return SetPkeySignParam(ctx, signAlgo, *mdAlgId);
}
int32_t HITLS_X509_Adapt_CreateSign(HITLS_Ctx *ctx, HITLS_CERT_Key *key, HITLS_SignAlgo signAlgo,
--
2.42.0.windows.2

607
0004-init-add-const.patch Normal file
View File

@ -0,0 +1,607 @@
From 2c5f84885c9f107f943da46e1372bd9e4539e87d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=A6=BB=E6=A0=87=E9=87=8F?= <875922464@qq.com>
Date: Sat, 30 Nov 2024 18:15:19 +0800
Subject: [PATCH 04/10] init add const
---
crypto/hmac/include/crypt_hmac.h | 2 +-
crypto/hmac/src/hmac.c | 2 +-
crypto/include/crypt_local_types.h | 6 +++---
crypto/md5/include/crypt_md5.h | 2 +-
crypto/md5/src/md5.c | 2 +-
crypto/modes/include/crypt_modes_cbc.h | 2 +-
crypto/modes/include/crypt_modes_ccm.h | 2 +-
crypto/modes/include/crypt_modes_cfb.h | 2 +-
crypto/modes/include/crypt_modes_chacha20poly1305.h | 2 +-
crypto/modes/include/crypt_modes_ctr.h | 2 +-
crypto/modes/include/crypt_modes_ecb.h | 2 +-
crypto/modes/include/crypt_modes_gcm.h | 2 +-
crypto/modes/include/crypt_modes_ofb.h | 2 +-
crypto/modes/include/crypt_modes_xts.h | 2 +-
crypto/modes/src/modes_cbc.c | 2 +-
crypto/modes/src/modes_ccm.c | 2 +-
crypto/modes/src/modes_cfb.c | 2 +-
crypto/modes/src/modes_chacha20_poly1305.c | 2 +-
crypto/modes/src/modes_ctr.c | 2 +-
crypto/modes/src/modes_ecb.c | 2 +-
crypto/modes/src/modes_gcm.c | 2 +-
crypto/modes/src/modes_ofb.c | 2 +-
crypto/modes/src/modes_xts.c | 2 +-
crypto/sha1/include/crypt_sha1.h | 2 +-
crypto/sha1/src/sha1.c | 2 +-
crypto/sha2/include/crypt_sha2.h | 8 ++++----
crypto/sha2/src/sha2_256.c | 4 ++--
crypto/sha2/src/sha2_512.c | 4 ++--
crypto/sha3/include/crypt_sha3.h | 12 ++++++------
crypto/sha3/src/sha3.c | 12 ++++++------
crypto/sm3/include/crypt_sm3.h | 2 +-
crypto/sm3/src/sm3_public.c | 2 +-
include/crypto/crypt_eal_implprovider.h | 6 +++---
33 files changed, 52 insertions(+), 52 deletions(-)
diff --git a/crypto/hmac/include/crypt_hmac.h b/crypto/hmac/include/crypt_hmac.h
index 22e68dd..ecddd3c 100644
--- a/crypto/hmac/include/crypt_hmac.h
+++ b/crypto/hmac/include/crypt_hmac.h
@@ -33,7 +33,7 @@ extern "C" {
typedef struct HMAC_Ctx CRYPT_HMAC_Ctx;
CRYPT_HMAC_Ctx *CRYPT_HMAC_NewCtx(CRYPT_MAC_AlgId id);
-int32_t CRYPT_HMAC_Init(CRYPT_HMAC_Ctx *ctx, const uint8_t *key, uint32_t len, BSL_Param *param);
+int32_t CRYPT_HMAC_Init(CRYPT_HMAC_Ctx *ctx, const uint8_t *key, uint32_t len, const BSL_Param *param);
int32_t CRYPT_HMAC_Update(CRYPT_HMAC_Ctx *ctx, const uint8_t *in, uint32_t len);
int32_t CRYPT_HMAC_Final(CRYPT_HMAC_Ctx *ctx, uint8_t *out, uint32_t *len);
void CRYPT_HMAC_Reinit(CRYPT_HMAC_Ctx *ctx);
diff --git a/crypto/hmac/src/hmac.c b/crypto/hmac/src/hmac.c
index e626659..10b294f 100644
--- a/crypto/hmac/src/hmac.c
+++ b/crypto/hmac/src/hmac.c
@@ -93,7 +93,7 @@ static void HmacCleanseData(uint8_t *tmp, uint32_t tmpLen, uint8_t *ipad, uint32
BSL_SAL_CleanseData(opad, opadLen);
}
-int32_t CRYPT_HMAC_Init(CRYPT_HMAC_Ctx *ctx, const uint8_t *key, uint32_t len, BSL_Param *param)
+int32_t CRYPT_HMAC_Init(CRYPT_HMAC_Ctx *ctx, const uint8_t *key, uint32_t len, const BSL_Param *param)
{
if (ctx == NULL || ctx->method == NULL || (key == NULL && len != 0)) {
BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT);
diff --git a/crypto/include/crypt_local_types.h b/crypto/include/crypt_local_types.h
index d4e1352..1ed48a1 100644
--- a/crypto/include/crypt_local_types.h
+++ b/crypto/include/crypt_local_types.h
@@ -31,7 +31,7 @@ typedef int32_t (*GetLenFunc)(const void *ctx);
/* Prototype of the MD algorithm operation functions */
typedef void* (*MdNewCtx)(void);
typedef void* (*MdProvNewCtx)(void *provCtx, int32_t algId);
-typedef int32_t (*MdInit)(void *data, BSL_Param *param);
+typedef int32_t (*MdInit)(void *data, const BSL_Param *param);
typedef int32_t (*MdUpdate)(void *data, const uint8_t *input, uint32_t len);
typedef int32_t (*MdFinal)(void *data, uint8_t *out, uint32_t *len);
typedef void (*MdDeinit)(void *data);
@@ -180,7 +180,7 @@ typedef enum {
typedef void *(*CipherNewCtx)(int32_t alg);
typedef void *(*CipherProvNewCtx)(void *provCtx, int32_t alg);
typedef int32_t (*CipherInitCtx)(void *ctx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc);
+ uint32_t ivLen, const BSL_Param *param, bool enc);
typedef int32_t (*CipherDeInitCtx)(void *ctx);
typedef int32_t (*CipherUpdate)(void *ctx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen);
typedef int32_t (*CipherFinal)(void *ctx, uint8_t *out, uint32_t *outLen);
@@ -233,7 +233,7 @@ typedef struct {
typedef void* (*MacNewCtx)(CRYPT_MAC_AlgId id);
typedef void* (*MacProvNewCtx)(void *provCtx, int32_t algId);
// Complete key initialization.
-typedef int32_t (*MacInit)(void *ctx, const uint8_t *key, uint32_t len, BSL_Param *param);
+typedef int32_t (*MacInit)(void *ctx, const uint8_t *key, uint32_t len, const BSL_Param *param);
typedef int32_t (*MacUpdate)(void *ctx, const uint8_t *in, uint32_t len);
typedef int32_t (*MacFinal)(void *ctx, const uint8_t *out, uint32_t *len);
typedef void (*MacDeinit)(void *ctx);
diff --git a/crypto/md5/include/crypt_md5.h b/crypto/md5/include/crypt_md5.h
index 5c2b438..a206349 100644
--- a/crypto/md5/include/crypt_md5.h
+++ b/crypto/md5/include/crypt_md5.h
@@ -58,7 +58,7 @@ void CRYPT_MD5_FreeCtx(CRYPT_MD5_Ctx *ctx);
* @retval #CRYPT_SUCCESS Initialization succeeded.
* @retval #CRYPT_NULL_INPUT Pointer ctx is NULL
*/
-int32_t CRYPT_MD5_Init(CRYPT_MD5_Ctx *ctx, BSL_Param *param);
+int32_t CRYPT_MD5_Init(CRYPT_MD5_Ctx *ctx, const BSL_Param *param);
/**
* @ingroup MD5
diff --git a/crypto/md5/src/md5.c b/crypto/md5/src/md5.c
index 22c51f0..a28fc01 100644
--- a/crypto/md5/src/md5.c
+++ b/crypto/md5/src/md5.c
@@ -55,7 +55,7 @@ void CRYPT_MD5_FreeCtx(CRYPT_MD5_Ctx *ctx)
BSL_SAL_ClearFree(ctx, sizeof(CRYPT_MD5_Ctx));
}
-int32_t CRYPT_MD5_Init(CRYPT_MD5_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_MD5_Init(CRYPT_MD5_Ctx *ctx, const BSL_Param *param)
{
if (ctx == NULL) {
BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT);
diff --git a/crypto/modes/include/crypt_modes_cbc.h b/crypto/modes/include/crypt_modes_cbc.h
index bf9890a..9bead46 100644
--- a/crypto/modes/include/crypt_modes_cbc.h
+++ b/crypto/modes/include/crypt_modes_cbc.h
@@ -53,7 +53,7 @@ int32_t SM4_CBC_InitCtx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t k
int32_t MODES_CBC_UpdateEx(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen);
int32_t MODES_CBC_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc);
+ uint32_t ivLen, const BSL_Param *param, bool enc);
int32_t MODES_CBC_FinalEx(MODES_CipherCtx *modeCtx, uint8_t *out, uint32_t *outLen);
#ifdef __cplusplus
}
diff --git a/crypto/modes/include/crypt_modes_ccm.h b/crypto/modes/include/crypt_modes_ccm.h
index 43eff90..00b3db5 100644
--- a/crypto/modes/include/crypt_modes_ccm.h
+++ b/crypto/modes/include/crypt_modes_ccm.h
@@ -32,7 +32,7 @@ typedef struct ModesCcmCtx MODES_CCM_Ctx;
// CCM mode universal implementation
MODES_CCM_Ctx *MODES_CCM_NewCtx(int32_t algId);
int32_t MODES_CCM_InitCtx(MODES_CCM_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc);
+ uint32_t ivLen, const BSL_Param *param, bool enc);
int32_t MODES_CCM_Update(MODES_CCM_Ctx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen);
int32_t MODES_CCM_Final(MODES_CCM_Ctx *modeCtx, uint8_t *out, uint32_t *outLen);
diff --git a/crypto/modes/include/crypt_modes_cfb.h b/crypto/modes/include/crypt_modes_cfb.h
index 8ff6f99..e421a57 100644
--- a/crypto/modes/include/crypt_modes_cfb.h
+++ b/crypto/modes/include/crypt_modes_cfb.h
@@ -50,7 +50,7 @@ int32_t SM4_CFB_Update(MODES_CFB_Ctx *modeCtx, const uint8_t *in, uint32_t inLen
int32_t MODES_CFB_InitCtxEx(MODES_CFB_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc);
+ uint32_t ivLen, const BSL_Param *param, bool enc);
int32_t MODES_CFB_UpdateEx(MODES_CFB_Ctx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen);
#ifdef __cplusplus
diff --git a/crypto/modes/include/crypt_modes_chacha20poly1305.h b/crypto/modes/include/crypt_modes_chacha20poly1305.h
index 8841c93..42ff76c 100644
--- a/crypto/modes/include/crypt_modes_chacha20poly1305.h
+++ b/crypto/modes/include/crypt_modes_chacha20poly1305.h
@@ -32,7 +32,7 @@ typedef struct ModesChaChaCtx MODES_CHACHAPOLY_Ctx;
MODES_CHACHAPOLY_Ctx *MODES_CHACHA20POLY1305_NewCtx(int32_t algId);
int32_t MODES_CHACHA20POLY1305_InitCtx(MODES_CHACHAPOLY_Ctx *modeCtx, const uint8_t *key,
- uint32_t keyLen, const uint8_t *iv, uint32_t ivLen, BSL_Param *param, bool enc);
+ uint32_t keyLen, const uint8_t *iv, uint32_t ivLen, const BSL_Param *param, bool enc);
int32_t MODES_CHACHA20POLY1305_Update(MODES_CHACHAPOLY_Ctx *modeCtx, const uint8_t *in, uint32_t inLen,
uint8_t *out, uint32_t *outLen);
diff --git a/crypto/modes/include/crypt_modes_ctr.h b/crypto/modes/include/crypt_modes_ctr.h
index 989044f..5f64239 100644
--- a/crypto/modes/include/crypt_modes_ctr.h
+++ b/crypto/modes/include/crypt_modes_ctr.h
@@ -48,7 +48,7 @@ int32_t SM4_CTR_InitCtx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t k
uint32_t ivLen, bool enc);
int32_t MODES_CTR_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc);
+ uint32_t ivLen, const BSL_Param *param, bool enc);
int32_t MODES_CTR_UpdateEx(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen);
diff --git a/crypto/modes/include/crypt_modes_ecb.h b/crypto/modes/include/crypt_modes_ecb.h
index b906d25..a41d8dd 100644
--- a/crypto/modes/include/crypt_modes_ecb.h
+++ b/crypto/modes/include/crypt_modes_ecb.h
@@ -50,7 +50,7 @@ int32_t SM4_ECB_Update(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inL
int32_t SM4_ECB_Final(MODES_CipherCtx *modeCtx, uint8_t *out, uint32_t *outLen);
int32_t MODES_ECB_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc);
+ uint32_t ivLen, const BSL_Param *param, bool enc);
int32_t MODES_ECB_UpdateEx(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen);
int32_t MODES_ECB_FinalEx(MODES_CipherCtx *modeCtx, uint8_t *out, uint32_t *outLen);
diff --git a/crypto/modes/include/crypt_modes_gcm.h b/crypto/modes/include/crypt_modes_gcm.h
index f3aa95f..5212cb5 100644
--- a/crypto/modes/include/crypt_modes_gcm.h
+++ b/crypto/modes/include/crypt_modes_gcm.h
@@ -49,7 +49,7 @@ int32_t SM4_GCM_InitCtx(MODES_GCM_Ctx *modeCtx, const uint8_t *key, uint32_t key
int32_t SM4_GCM_Update(MODES_GCM_Ctx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen);
int32_t MODES_GCM_InitCtxEx(MODES_GCM_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc);
+ uint32_t ivLen, const BSL_Param *param, bool enc);
int32_t MODES_GCM_UpdateEx(MODES_GCM_Ctx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen);
diff --git a/crypto/modes/include/crypt_modes_ofb.h b/crypto/modes/include/crypt_modes_ofb.h
index b346522..43ebfbf 100644
--- a/crypto/modes/include/crypt_modes_ofb.h
+++ b/crypto/modes/include/crypt_modes_ofb.h
@@ -46,7 +46,7 @@ int32_t SM4_OFB_InitCtx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t k
int32_t SM4_OFB_Update(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen);
int32_t MODES_OFB_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc);
+ uint32_t ivLen, const BSL_Param *param, bool enc);
int32_t MODES_OFB_UpdateEx(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen);
diff --git a/crypto/modes/include/crypt_modes_xts.h b/crypto/modes/include/crypt_modes_xts.h
index d310048..9281262 100644
--- a/crypto/modes/include/crypt_modes_xts.h
+++ b/crypto/modes/include/crypt_modes_xts.h
@@ -46,7 +46,7 @@ int32_t SM4_XTS_InitCtx(MODES_XTS_Ctx *modeCtx, const uint8_t *key, uint32_t key
uint32_t ivLen, bool enc);
int32_t MODES_XTS_InitCtxEx(MODES_XTS_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc);
+ uint32_t ivLen, const BSL_Param *param, bool enc);
int32_t MODES_XTS_UpdateEx(MODES_XTS_Ctx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen);
#ifdef __cplusplus
diff --git a/crypto/modes/src/modes_cbc.c b/crypto/modes/src/modes_cbc.c
index c4b2ba5..94a8cb2 100644
--- a/crypto/modes/src/modes_cbc.c
+++ b/crypto/modes/src/modes_cbc.c
@@ -207,7 +207,7 @@ int32_t MODES_CBC_UpdateEx(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t
}
}
int32_t MODES_CBC_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc)
+ uint32_t ivLen, const BSL_Param *param, bool enc)
{
(void)param;
if (modeCtx == NULL) {
diff --git a/crypto/modes/src/modes_ccm.c b/crypto/modes/src/modes_ccm.c
index dcc8e19..26320d9 100644
--- a/crypto/modes/src/modes_ccm.c
+++ b/crypto/modes/src/modes_ccm.c
@@ -536,7 +536,7 @@ MODES_CCM_Ctx *MODES_CCM_NewCtx(int32_t algId)
}
int32_t MODES_CCM_InitCtx(MODES_CCM_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc)
+ uint32_t ivLen, const BSL_Param *param, bool enc)
{
(void)param;
if (modeCtx == NULL) {
diff --git a/crypto/modes/src/modes_cfb.c b/crypto/modes/src/modes_cfb.c
index 87a95dd..8b14251 100644
--- a/crypto/modes/src/modes_cfb.c
+++ b/crypto/modes/src/modes_cfb.c
@@ -404,7 +404,7 @@ void MODES_CFB_FreeCtx(MODES_CFB_Ctx *modeCtx)
}
int32_t MODES_CFB_InitCtxEx(MODES_CFB_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc)
+ uint32_t ivLen, const BSL_Param *param, bool enc)
{
(void) param;
if (modeCtx == NULL) {
diff --git a/crypto/modes/src/modes_chacha20_poly1305.c b/crypto/modes/src/modes_chacha20_poly1305.c
index 3f12ffd..0ca6913 100644
--- a/crypto/modes/src/modes_chacha20_poly1305.c
+++ b/crypto/modes/src/modes_chacha20_poly1305.c
@@ -346,7 +346,7 @@ MODES_CHACHAPOLY_Ctx *MODES_CHACHA20POLY1305_NewCtx(int32_t algId)
}
int32_t MODES_CHACHA20POLY1305_InitCtx(MODES_CHACHAPOLY_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen,
- const uint8_t *iv, uint32_t ivLen, BSL_Param *param, bool enc)
+ const uint8_t *iv, uint32_t ivLen, const BSL_Param *param, bool enc)
{
(void)param;
if (modeCtx == NULL) {
diff --git a/crypto/modes/src/modes_ctr.c b/crypto/modes/src/modes_ctr.c
index 0841bc0..a6f72cb 100644
--- a/crypto/modes/src/modes_ctr.c
+++ b/crypto/modes/src/modes_ctr.c
@@ -148,7 +148,7 @@ void MODES_CTR_FreeCtx(MODES_CipherCtx *modeCtx)
}
int32_t MODES_CTR_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc)
+ uint32_t ivLen, const BSL_Param *param, bool enc)
{
(void)param;
if (modeCtx == NULL) {
diff --git a/crypto/modes/src/modes_ecb.c b/crypto/modes/src/modes_ecb.c
index 8129bc6..b7d23a0 100644
--- a/crypto/modes/src/modes_ecb.c
+++ b/crypto/modes/src/modes_ecb.c
@@ -147,7 +147,7 @@ void MODES_ECB_FreeCtx(MODES_CipherCtx *modeCtx)
}
int32_t MODES_ECB_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc)
+ uint32_t ivLen, const BSL_Param *param, bool enc)
{
(void)param;
if (modeCtx == NULL) {
diff --git a/crypto/modes/src/modes_gcm.c b/crypto/modes/src/modes_gcm.c
index 79664b3..128fb50 100644
--- a/crypto/modes/src/modes_gcm.c
+++ b/crypto/modes/src/modes_gcm.c
@@ -523,7 +523,7 @@ void MODES_GCM_FreeCtx(MODES_GCM_Ctx *modeCtx)
int32_t MODES_GCM_InitCtxEx(MODES_GCM_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc)
+ uint32_t ivLen, const BSL_Param *param, bool enc)
{
(void)param;
if (modeCtx == NULL) {
diff --git a/crypto/modes/src/modes_ofb.c b/crypto/modes/src/modes_ofb.c
index 5e9caff..c3131b2 100644
--- a/crypto/modes/src/modes_ofb.c
+++ b/crypto/modes/src/modes_ofb.c
@@ -137,7 +137,7 @@ void MODES_OFB_FreeCtx(MODES_CipherCtx *modeCtx)
}
int32_t MODES_OFB_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc)
+ uint32_t ivLen, const BSL_Param *param, bool enc)
{
(void) param;
if (modeCtx == NULL) {
diff --git a/crypto/modes/src/modes_xts.c b/crypto/modes/src/modes_xts.c
index 5e52196..0b55dd6 100644
--- a/crypto/modes/src/modes_xts.c
+++ b/crypto/modes/src/modes_xts.c
@@ -438,7 +438,7 @@ void MODES_XTS_FreeCtx(MODES_XTS_Ctx *modeCtx)
int32_t MODES_XTS_InitCtxEx(MODES_XTS_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv,
- uint32_t ivLen, BSL_Param *param, bool enc)
+ uint32_t ivLen, const BSL_Param *param, bool enc)
{
(void) param;
if (modeCtx == NULL) {
diff --git a/crypto/sha1/include/crypt_sha1.h b/crypto/sha1/include/crypt_sha1.h
index 1360d03..e5a89ff 100644
--- a/crypto/sha1/include/crypt_sha1.h
+++ b/crypto/sha1/include/crypt_sha1.h
@@ -62,7 +62,7 @@ void CRYPT_SHA1_FreeCtx(CRYPT_SHA1_Ctx *ctx);
* @retval #CRYPT_SUCCESS initialization succeeded.
* @retval #CRYPT_NULL_INPUT Pointer ctx is NULL
*/
-int32_t CRYPT_SHA1_Init(CRYPT_SHA1_Ctx *ctx, BSL_Param *param);
+int32_t CRYPT_SHA1_Init(CRYPT_SHA1_Ctx *ctx, const BSL_Param *param);
/**
* @ingroup SHA1
diff --git a/crypto/sha1/src/sha1.c b/crypto/sha1/src/sha1.c
index fc619ee..265fab7 100644
--- a/crypto/sha1/src/sha1.c
+++ b/crypto/sha1/src/sha1.c
@@ -57,7 +57,7 @@ void CRYPT_SHA1_FreeCtx(CRYPT_SHA1_Ctx *ctx)
/* e767 is because H is defined in SHA1 and MD5.
But the both the macros are different. So masked
this error */
-int32_t CRYPT_SHA1_Init(CRYPT_SHA1_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SHA1_Init(CRYPT_SHA1_Ctx *ctx, const BSL_Param *param)
{
if (ctx == NULL) {
BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT);
diff --git a/crypto/sha2/include/crypt_sha2.h b/crypto/sha2/include/crypt_sha2.h
index 7ebc447..20c476a 100644
--- a/crypto/sha2/include/crypt_sha2.h
+++ b/crypto/sha2/include/crypt_sha2.h
@@ -94,7 +94,7 @@ void CRYPT_SHA2_224_FreeCtx(CRYPT_SHA2_224_Ctx *ctx);
* @retval #CRYPT_SUCCESS ctx is initialized
* @retval #CRYPT_NULL_INPUT ctx is NULL
*/
-int32_t CRYPT_SHA2_224_Init(CRYPT_SHA2_224_Ctx *ctx, BSL_Param *param);
+int32_t CRYPT_SHA2_224_Init(CRYPT_SHA2_224_Ctx *ctx, const BSL_Param *param);
/**
* @defgroup CRYPT_SHA2_224_Update
@@ -196,7 +196,7 @@ void CRYPT_SHA2_256_FreeCtx(CRYPT_SHA2_256_Ctx *ctx);
* @retval #CRYPT_SUCCESS ctx is initialized
* @retval #CRYPT_NULL_INPUT ctx is NULL
*/
-int32_t CRYPT_SHA2_256_Init(CRYPT_SHA2_256_Ctx *ctx, BSL_Param *param);
+int32_t CRYPT_SHA2_256_Init(CRYPT_SHA2_256_Ctx *ctx, const BSL_Param *param);
/**
* @defgroup CRYPT_SHA2_256_Update
@@ -299,7 +299,7 @@ void CRYPT_SHA2_384_FreeCtx(CRYPT_SHA2_384_Ctx *ctx);
* @retval #CRYPT_SUCCESS ctx is initialized
* @retval #CRYPT_NULL_INPUT ctx is NULL
*/
-int32_t CRYPT_SHA2_384_Init(CRYPT_SHA2_384_Ctx *ctx, BSL_Param *param);
+int32_t CRYPT_SHA2_384_Init(CRYPT_SHA2_384_Ctx *ctx, const BSL_Param *param);
/**
* @ingroup LLF Low Level Functions
@@ -397,7 +397,7 @@ void CRYPT_SHA2_512_FreeCtx(CRYPT_SHA2_512_Ctx *ctx);
* @retval #CRYPT_SUCCESS ctx is initialized
* @retval #CRYPT_NULL_INPUT ctx is NULL
*/
-int32_t CRYPT_SHA2_512_Init(CRYPT_SHA2_512_Ctx *ctx, BSL_Param *param);
+int32_t CRYPT_SHA2_512_Init(CRYPT_SHA2_512_Ctx *ctx, const BSL_Param *param);
/**
* @ingroup LLF Low Level Functions
diff --git a/crypto/sha2/src/sha2_256.c b/crypto/sha2/src/sha2_256.c
index 729e44a..db55f88 100644
--- a/crypto/sha2/src/sha2_256.c
+++ b/crypto/sha2/src/sha2_256.c
@@ -48,7 +48,7 @@ void CRYPT_SHA2_256_FreeCtx(CRYPT_SHA2_256_Ctx *ctx)
BSL_SAL_ClearFree(ctx, sizeof(CRYPT_SHA2_256_Ctx));
}
-int32_t CRYPT_SHA2_256_Init(CRYPT_SHA2_256_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SHA2_256_Init(CRYPT_SHA2_256_Ctx *ctx, const BSL_Param *param)
{
if (ctx == NULL) {
BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT);
@@ -286,7 +286,7 @@ void CRYPT_SHA2_224_FreeCtx(CRYPT_SHA2_224_Ctx *ctx)
BSL_SAL_ClearFree(ctx, sizeof(CRYPT_SHA2_224_Ctx));
}
-int32_t CRYPT_SHA2_224_Init(CRYPT_SHA2_224_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SHA2_224_Init(CRYPT_SHA2_224_Ctx *ctx, const BSL_Param *param)
{
if (ctx == NULL) {
BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT);
diff --git a/crypto/sha2/src/sha2_512.c b/crypto/sha2/src/sha2_512.c
index d7db263..30379f1 100644
--- a/crypto/sha2/src/sha2_512.c
+++ b/crypto/sha2/src/sha2_512.c
@@ -87,7 +87,7 @@ void CRYPT_SHA2_512_FreeCtx(CRYPT_SHA2_512_Ctx *ctx)
BSL_SAL_ClearFree(ctx, sizeof(CRYPT_SHA2_512_Ctx));
}
-int32_t CRYPT_SHA2_512_Init(CRYPT_SHA2_512_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SHA2_512_Init(CRYPT_SHA2_512_Ctx *ctx, const BSL_Param *param)
{
if (ctx == NULL) {
BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT);
@@ -284,7 +284,7 @@ void CRYPT_SHA2_384_FreeCtx(CRYPT_SHA2_384_Ctx *ctx)
BSL_SAL_ClearFree(ctx, sizeof(CRYPT_SHA2_384_Ctx));
}
-int32_t CRYPT_SHA2_384_Init(CRYPT_SHA2_384_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SHA2_384_Init(CRYPT_SHA2_384_Ctx *ctx, const BSL_Param *param)
{
if (ctx == NULL) {
BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT);
diff --git a/crypto/sha3/include/crypt_sha3.h b/crypto/sha3/include/crypt_sha3.h
index 7306a59..997de83 100644
--- a/crypto/sha3/include/crypt_sha3.h
+++ b/crypto/sha3/include/crypt_sha3.h
@@ -87,15 +87,15 @@ void CRYPT_SHAKE256_FreeCtx(CRYPT_SHAKE256_Ctx* ctx);
// free context
// Initialize the context
-int32_t CRYPT_SHA3_224_Init(CRYPT_SHA3_224_Ctx *ctx, BSL_Param *param);
+int32_t CRYPT_SHA3_224_Init(CRYPT_SHA3_224_Ctx *ctx, const BSL_Param *param);
-int32_t CRYPT_SHA3_256_Init(CRYPT_SHA3_256_Ctx *ctx, BSL_Param *param);
+int32_t CRYPT_SHA3_256_Init(CRYPT_SHA3_256_Ctx *ctx, const BSL_Param *param);
-int32_t CRYPT_SHA3_384_Init(CRYPT_SHA3_384_Ctx *ctx, BSL_Param *param);
+int32_t CRYPT_SHA3_384_Init(CRYPT_SHA3_384_Ctx *ctx, const BSL_Param *param);
-int32_t CRYPT_SHA3_512_Init(CRYPT_SHA3_512_Ctx *ctx, BSL_Param *param);
-int32_t CRYPT_SHAKE128_Init(CRYPT_SHAKE128_Ctx *ctx, BSL_Param *param);
-int32_t CRYPT_SHAKE256_Init(CRYPT_SHAKE256_Ctx *ctx, BSL_Param *param);
+int32_t CRYPT_SHA3_512_Init(CRYPT_SHA3_512_Ctx *ctx, const BSL_Param *param);
+int32_t CRYPT_SHAKE128_Init(CRYPT_SHAKE128_Ctx *ctx, const BSL_Param *param);
+int32_t CRYPT_SHAKE256_Init(CRYPT_SHAKE256_Ctx *ctx, const BSL_Param *param);
// Data update API
int32_t CRYPT_SHA3_224_Update(CRYPT_SHA3_224_Ctx *ctx, const uint8_t *in, uint32_t len);
diff --git a/crypto/sha3/src/sha3.c b/crypto/sha3/src/sha3.c
index aecddd2..b408be9 100644
--- a/crypto/sha3/src/sha3.c
+++ b/crypto/sha3/src/sha3.c
@@ -214,42 +214,42 @@ void CRYPT_SHAKE256_FreeCtx(CRYPT_SHAKE256_Ctx* ctx)
CRYPT_SHA3_FreeCtx(ctx);
}
-int32_t CRYPT_SHA3_224_Init(CRYPT_SHA3_224_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SHA3_224_Init(CRYPT_SHA3_224_Ctx *ctx, const BSL_Param *param)
{
(void) param;
// 0x06 is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html
return CRYPT_SHA3_Init(ctx, CRYPT_SHA3_224_DIGESTSIZE, CRYPT_SHA3_224_BLOCKSIZE, 0x06);
}
-int32_t CRYPT_SHA3_256_Init(CRYPT_SHA3_256_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SHA3_256_Init(CRYPT_SHA3_256_Ctx *ctx, const BSL_Param *param)
{
(void) param;
// 0x06 is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html
return CRYPT_SHA3_Init(ctx, CRYPT_SHA3_256_DIGESTSIZE, CRYPT_SHA3_256_BLOCKSIZE, 0x06);
}
-int32_t CRYPT_SHA3_384_Init(CRYPT_SHA3_384_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SHA3_384_Init(CRYPT_SHA3_384_Ctx *ctx, const BSL_Param *param)
{
(void) param;
// 0x06 is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html
return CRYPT_SHA3_Init(ctx, CRYPT_SHA3_384_DIGESTSIZE, CRYPT_SHA3_384_BLOCKSIZE, 0x06);
}
-int32_t CRYPT_SHA3_512_Init(CRYPT_SHA3_512_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SHA3_512_Init(CRYPT_SHA3_512_Ctx *ctx, const BSL_Param *param)
{
(void) param;
// 0x06 is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html
return CRYPT_SHA3_Init(ctx, CRYPT_SHA3_512_DIGESTSIZE, CRYPT_SHA3_512_BLOCKSIZE, 0x06);
}
-int32_t CRYPT_SHAKE128_Init(CRYPT_SHAKE128_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SHAKE128_Init(CRYPT_SHAKE128_Ctx *ctx, const BSL_Param *param)
{
(void) param;
// 0x1f is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html
return CRYPT_SHA3_Init(ctx, 0, CRYPT_SHAKE128_BLOCKSIZE, 0x1F);
}
-int32_t CRYPT_SHAKE256_Init(CRYPT_SHAKE256_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SHAKE256_Init(CRYPT_SHAKE256_Ctx *ctx, const BSL_Param *param)
{
(void) param;
// 0x1f is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html
diff --git a/crypto/sm3/include/crypt_sm3.h b/crypto/sm3/include/crypt_sm3.h
index 2a173c1..3c1f6ee 100644
--- a/crypto/sm3/include/crypt_sm3.h
+++ b/crypto/sm3/include/crypt_sm3.h
@@ -60,7 +60,7 @@ void CRYPT_SM3_FreeCtx(CRYPT_SM3_Ctx *ctx);
* @retval #CRYPT_SUCCESS initialization succeeded.
* @retval #CRYPT_NULL_INPUT Pointer ctx is NULL
*/
-int32_t CRYPT_SM3_Init(CRYPT_SM3_Ctx *ctx, BSL_Param *param);
+int32_t CRYPT_SM3_Init(CRYPT_SM3_Ctx *ctx, const BSL_Param *param);
/**
* @ingroup SM3
diff --git a/crypto/sm3/src/sm3_public.c b/crypto/sm3/src/sm3_public.c
index 169f4b8..5a18820 100644
--- a/crypto/sm3/src/sm3_public.c
+++ b/crypto/sm3/src/sm3_public.c
@@ -49,7 +49,7 @@ void CRYPT_SM3_FreeCtx(CRYPT_SM3_Ctx *ctx)
BSL_SAL_ClearFree(ctx, sizeof(CRYPT_SM3_Ctx));
}
-int32_t CRYPT_SM3_Init(CRYPT_SM3_Ctx *ctx, BSL_Param *param)
+int32_t CRYPT_SM3_Init(CRYPT_SM3_Ctx *ctx, const BSL_Param *param)
{
if (ctx == NULL) {
BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT);
diff --git a/include/crypto/crypt_eal_implprovider.h b/include/crypto/crypt_eal_implprovider.h
index d99c1c3..6d0377b 100644
--- a/include/crypto/crypt_eal_implprovider.h
+++ b/include/crypto/crypt_eal_implprovider.h
@@ -109,7 +109,7 @@ typedef int32_t (*CRYPT_EAL_ImplProviderInit)(CRYPT_EAL_ProvMgrCtx *mgrCtx, BSL_
typedef void *(*CRYPT_EAL_ImplCipherNewCtx)(void *provCtx, int32_t algId);
typedef int32_t (*CRYPT_EAL_ImplCipherInitCtx)(void *ctx, const uint8_t *key, uint32_t keyLen,
- const uint8_t *iv, uint32_t ivLen, BSL_Param *param, bool enc);
+ const uint8_t *iv, uint32_t ivLen, const BSL_Param *param, bool enc);
typedef int32_t (*CRYPT_EAL_ImplCipherUpdate)(void *ctx, const uint8_t *in, uint32_t inLen,
uint8_t *out, uint32_t *outLen);
typedef int32_t (*CRYPT_EAL_ImplCipherFinal)(void *ctx, const uint8_t *in, uint32_t inLen,
@@ -198,7 +198,7 @@ typedef int32_t (*CRYPT_EAL_ImplPkeyExchCtrl)(void *ctx, int32_t cmd, void *val,
#define CRYPT_EAL_IMPLMD_FREECTX 8
typedef void *(*CRYPT_EAL_ImplMdNewCtx)(void *provCtx, int32_t algId);
-typedef int32_t (*CRYPT_EAL_ImplMdInitCtx)(void *ctx, BSL_Param *param);
+typedef int32_t (*CRYPT_EAL_ImplMdInitCtx)(void *ctx, const BSL_Param *param);
typedef int32_t (*CRYPT_EAL_ImplMdUpdate)(const void *ctx, const uint8_t *input, uint32_t len);
typedef int32_t (*CRYPT_EAL_ImplMdFinal)(const void *ctx, uint8_t *out, uint32_t *outLen);
typedef int32_t (*CRYPT_EAL_ImplMdDeInitCtx)(void *ctx);
@@ -217,7 +217,7 @@ typedef void (*CRYPT_EAL_ImplMdFreeCtx)(void *ctx);
#define CRYPT_EAL_IMPLMAC_FREECTX 8
typedef void *(*CRYPT_EAL_ImplMacNewCtx)(void *provCtx, int32_t algId);
-typedef int32_t (*CRYPT_EAL_ImplMacInit)(void *ctx, const uint8_t *key, uint32_t len, BSL_Param *param);
+typedef int32_t (*CRYPT_EAL_ImplMacInit)(void *ctx, const uint8_t *key, uint32_t len, const BSL_Param *param);
typedef int32_t (*CRYPT_EAL_ImplMacUpdate)(const void *ctx, const uint8_t *input, uint32_t len);
typedef int32_t (*CRYPT_EAL_ImplMacFinal)(const void *ctx, uint8_t *out, uint32_t *outLen);
typedef int32_t (*CRYPT_EAL_ImplMacDeInitCtx)(void *ctx);
--
2.42.0.windows.2

25
0005-add-uio_mem-comment.patch Normal file
View File

@ -0,0 +1,25 @@
From 1534ca08d8b6e909604f9c71781bc7c28a4d95b5 Mon Sep 17 00:00:00 2001
From: baoyi84930 <zhangcheng170@huawei.com>
Date: Mon, 2 Dec 2024 17:32:06 +0800
Subject: [PATCH 05/10] add uio_mem comment
Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/90
---
config/macro_config/hitls_config_layer_bsl.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/config/macro_config/hitls_config_layer_bsl.h b/config/macro_config/hitls_config_layer_bsl.h
index ad8fbe8..5a20447 100644
--- a/config/macro_config/hitls_config_layer_bsl.h
+++ b/config/macro_config/hitls_config_layer_bsl.h
@@ -54,6 +54,7 @@
#endif
#endif
+/* Derive the child-features of uio mem. */
#if defined(HITLS_BSL_UIO_MEM)
#ifndef HITLS_BSL_SAL_MEM
#define HITLS_BSL_UIO_MEM
--
2.42.0.windows.2

1243
0006-Rename-Refactor-some-code.patch Normal file
View File

File diff suppressed because it is too large Load Diff

966
0007-provider-document.patch Normal file
View File

@ -0,0 +1,966 @@
From e8a6c4a6fce7409cd48433ed6441e000a4d0c5c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=A6=BB=E6=A0=87=E9=87=8F?= <875922464@qq.com>
Date: Fri, 6 Dec 2024 17:00:59 +0800
Subject: [PATCH 07/10] provider document
Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/92
---
.../4_provider Development Guide.md | 463 ++++++++++++++++++
docs/index/index.md | 5 +-
...00\345\217\221\346\214\207\345\215\227.md" | 458 +++++++++++++++++
3 files changed, 924 insertions(+), 2 deletions(-)
create mode 100644 docs/en/5_Developer Guide/4_provider Development Guide.md
create mode 100644 "docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md"
diff --git a/docs/en/5_Developer Guide/4_provider Development Guide.md b/docs/en/5_Developer Guide/4_provider Development Guide.md
new file mode 100644
index 0000000..f750a4d
--- /dev/null
+++ b/docs/en/5_Developer Guide/4_provider Development Guide.md
@@ -0,0 +1,463 @@
+# Provider Development Guide
+
+This document serves as a development guide for OpenHiTLS providers, providing developers with interface introductions, key feature descriptions, and comprehensive usage examples.
+
+## 1. Overview
+
+The provider management framework in OpenHiTLS supports dynamic loading, management, and usage of cryptographic providers. Each "Provider" encapsulates a specific set of cryptographic operations and exposes them to external users through standardized interfaces.
+
+### Core Concepts:
+- **Library Context (`CRYPT_EAL_LibCtx`)**: Manages the lifecycle and resources of all loaded providers.
+- **Provider Manager Context (`CRYPT_EAL_ProvMgrCtx`)**: Represents a single provider, including its loaded library handle and implemented functionalities.
+- **Functional Interfaces**: Standardized functions used for querying and invoking specific operations of providers.
+
+---
+
+## 2. Interface Introduction
+
+### 2.1 Library Context Management
+
+#### **`CRYPT_EAL_LibCtxNew`**
+- **Description**: Creates a new library context for managing providers.
+- **Function Prototype**:
+ ```c
+ CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNew(void);
+ ```
+- **Return Value**: A pointer to the newly created library context.
+
+#### **`CRYPT_EAL_LibCtxFree`**
+- **Description**: Frees the library context and releases all associated resources.
+- **Function Prototype**:
+ ```c
+ void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx);
+ ```
+- **Parameters**:
+ - `libCtx`: The library context to be freed.
+
+---
+
+### 2.2 Path Configuration
+
+#### **`CRYPT_EAL_ProviderSetLoadPath`**
+- **Description**: Configures the path for loading providers.
+- **Function Prototype**:
+ ```c
+ int32_t CRYPT_EAL_ProviderSetLoadPath(
+ CRYPT_EAL_LibCtx *libCtx,
+ const char *searchPath
+ );
+ ```
+- **Parameters**:
+ - `libCtx`: The library context.
+ - `searchPath`: The search path for providers.
+- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
+
+---
+
+### 2.3 Provider Loading and Unloading
+
+#### **`CRYPT_EAL_ProviderLoad`**
+- **Description**: Dynamically loads a provider and initializes it.
+- **Function Prototype**:
+ ```c
+ int32_t CRYPT_EAL_ProviderLoad(
+ CRYPT_EAL_LibCtx *libCtx,
+ BSL_SAL_ConverterCmd cmd,
+ const char *providerName,
+ BSL_Param *param,
+ CRYPT_EAL_ProvMgrCtx **mgrCtx
+ );
+ ```
+- **Parameters**:
+ - `libCtx`: The library context.
+ - `cmd`: The command specifying the library format (e.g., `.so`, `lib*.so`).
+ - `providerName`: The name of the provider to load.
+ - `param`: Additional parameters for provider initialization.
+ - `mgrCtx`: Output pointer to the provider manager context. If not `NULL`, the manager context of the loaded provider will be returned upon successful loading.
+- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
+
+#### **`CRYPT_EAL_ProviderUnload`**
+- **Description**: Unloads the specified provider and releases associated resources.
+- **Function Prototype**:
+ ```c
+ int32_t CRYPT_EAL_ProviderUnload(
+ CRYPT_EAL_LibCtx *libCtx,
+ BSL_SAL_ConverterCmd cmd,
+ const char *providerName
+ );
+ ```
+- **Parameters**:
+ - `libCtx`: The library context.
+ - `cmd`: The command specifying the library format.
+ - `providerName`: The name of the provider to unload.
+- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
+
+---
+
+### 2.4 Algorithm Query and Invocation
+
+**EAL Layer Wrapper Interfaces**:
+
+These interfaces wrap the provider's exposed APIs, automatically initializing algorithms after querying suitable algorithms. See the corresponding headers for each algorithm for more details.
+
+- **Symmetric Interface: `CRYPT_EAL_ProviderCipherNewCtx`**
+- **Asymmetric Interface: `CRYPT_EAL_ProviderPkeyNewCtx`**
+- **KDF Interface: `CRYPT_EAL_ProviderKdfNewCtx`**
+- **MAC Interface: `CRYPT_EAL_ProviderMacNewCtx`**
+- **Message Digest Interface: `CRYPT_EAL_ProviderMdNewCtx`**
+- **Random Number Interfaces: `CRYPT_EAL_ProviderRandInitCtx`, `CRYPT_EAL_ProviderDrbgInitCtx`**
+
+**Provider Layer Exposed Interfaces**:
+
+#### **`CRYPT_EAL_ProviderGetFuncs`**
+- **Description**: Queries algorithms matching the criteria from all loaded providers.
+- **Function Prototype**:
+ ```c
+ int32_t CRYPT_EAL_ProviderGetFuncs(
+ CRYPT_EAL_LibCtx *libCtx,
+ int32_t operaId,
+ int32_t algId,
+ const char *attribute,
+ const CRYPT_EAL_Func **funcs,
+ void **provCtx
+ );
+ ```
+- **Parameters**:
+ - `libCtx`: The library context.
+ - `operaId`: Algorithm category ID (see "crypt_eal_implprovider.h").
+ - `algId`: Algorithm ID (see "crypt_eal_implprovider.h").
+ - `attribute`: Attribute string for filtering providers.
+ - `funcs`: Output pointer to an array of algorithms.
+ - `provCtx`: Optional parameter. If not `NULL`, it retrieves the `provCtx` from the provider manager context where the algorithm resides.
+- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
+
+#### **`CRYPT_EAL_ProviderCtrl`**
+- **Description**: Controls the `provCtx` in the provider manager context.
+- **Function Prototype**:
+ ```c
+ int32_t CRYPT_EAL_ProviderCtrl(
+ CRYPT_EAL_ProvMgrCtx *ctx,
+ int32_t cmd,
+ void *val,
+ uint32_t valLen
+ );
+ ```
+- **Parameters**:
+ - `ctx`: Provider manager context.
+ - `cmd`: Control command.
+ - `val`: The value associated with the command.
+ - `valLen`: The length of the value.
+
+---
+
+## 3. Provider Management Module Usage Instructions
+
+### 3.1 Loading and Unloading
+
+- **Feature Descriptions**:
+ - Providers are uniquely identified by their names. Different providers must have unique names. Providers with the same name but located in different paths are treated as the same provider.
+ - The framework supports repeated loading and unloading of providers. Repeated loading does not create additional provider manager contexts. To remove a provider manager context from the library context, the number of unloads must match the number of loads.
+ - When releasing the library context, all loaded providers are automatically unloaded.
+ - The default provider loading path is empty. If no path is set, the framework searches for providers in various locations based on the runtime environment and the behavior of the `dlopen` function.
+ - Currently, OpenHiTLS's built-in algorithm library is loaded into a globally initialized library context during startup. If `libCtx` is `NULL` during provider loading, unloading, or searching, this global library context is used.
+
+- **Usage Example**:
+ ```c
+ ...
+ // Create a library context
+ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew();
+ assert(libCtx != NULL);
+
+ // Set the provider loading path
+ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers");
+ assert(ret == CRYPT_SUCCESS);
+
+ // Load a provider
+ CRYPT_EAL_ProvMgrCtx *mgrCtx = NULL;
+ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_SO, "provider_name", NULL, &mgrCtx);
+ assert(ret == CRYPT_SUCCESS);
+
+ ...
+
+ // Unload the provider
+ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name");
+ assert(ret == CRYPT_SUCCESS);
+
+ // Free the library context
+ CRYPT_EAL_LibCtxFree(libCtx);
+ ...
+ ```
+
+---
+
+### 3.2 Attribute Query and Provider Scoring Mechanism
+
+- **Attribute Mechanism**:
+ When querying algorithms, the framework first searches for algorithms matching the algorithm ID. If the search string is not `NULL`, it further selects the best-matching algorithm from all loaded providers based on the search string.
+ Provider algorithm attributes are composed of a `name` and a `value`, separated by `=`. Multiple attributes are separated by `,`. Within a provider, each algorithm can define one or more sets of attributes based on its implementation purpose. Even the same algorithm can have different implementations distinguished by attributes.
+
+- **Provider Scoring Mechanism**:
+ Queries can consist of multiple query statements, separated by `,`. Within a statement, `name` and `value` are separated by the following **comparison characters**:
+ - `=`: Must be equal (mandatory condition).
+ - `!=`: Must not be equal (mandatory condition).
+ - `?`: Optional condition. If `value` matches, it is prioritized. Each match adds +1 to the score.
+
+ Mandatory conditions must be satisfied. Among providers that meet the mandatory conditions, the framework selects the best match based on optional conditions. If there are multiple best matches, one is randomly selected.
+ Repeated conditions are allowed within query statements:
+ - Repeated mandatory conditions have no effect.
+ - Repeated optional conditions increase the score proportionally.
+
+- **Usage Example**:
+ ```c
+ ...
+ // Query with a NULL attribute string, searching by algorithm ID
+ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx);
+ assert(ret == CRYPT_SUCCESS);
+ ...
+ // Query with a non-NULL attribute string, matching based on rules
+ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,type=hash,version=1.0", &funcs, &provCtx);
+ assert(ret == CRYPT_SUCCESS);
+ ...
+ // Query with provider scoring mechanism
+ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,feature?attr_good,feature?attr_good,feature?attr_bad", &funcs, &provCtx);
+ assert(ret == CRYPT_SUCCESS);
+ ...
+ // For actual use, it is recommended to use EAL layer wrapping interfaces for each algorithm,
+ // which automatically locate and initialize the algorithm.
+ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_MD5, "provider=no_hitls,type=hash");
+ assert(ctx != NULL);
+ ...
+ ```
+
+---
+
+## 4. Provider Construction Instructions
+
+This section describes the commands and function prototypes, which are fully defined in the `crypt_eal_implprovider.h` header file.
+
+### 4.1 Initialization Function
+
+For each provider, an initialization function named `CRYPT_EAL_ProviderInit` must be implemented. This function is called when loading the provider:
+- **Function Prototype**:
+ ```c
+ int32_t CRYPT_EAL_ProviderInit(
+ CRYPT_EAL_ProvMgrCtx *mgrCtx,
+ BSL_Param *param,
+ CRYPT_EAL_Func *capFuncs,
+ CRYPT_EAL_Func **outFuncs,
+ void **provCtx
+ );
+ ```
+ - **Parameters**:
+ - `mgrCtx`: [in] Provider manager context.
+ - `param`: [in] Additional parameters for provider initialization.
+ - `capFuncs`: [in] Algorithm array pointer provided by the management framework, allowing users to optionally use HITLS's default entropy source.
+ - `outFuncs`: [out] Array pointer for algorithms exposed by the provider. Details are described below.
+ - `provCtx`: [out] Provider-specific structure. If needed, private data can be saved in the provider manager context. Details on its operation are below (optional).
+ - **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
+
+- **Description of the `outFuncs` Array**:
+ This array is used to pass the three types of algorithm arrays provided by the provider. **The algorithm query function must be returned**, while the other two functions are optional:
+ - **Algorithm Query Function**: Used to retrieve the algorithm array provided by the provider based on the algorithm category during a search:
+ **`typedef int32_t (*)(void *provCtx, int32_t operaId, CRYPT_EAL_AlgInfo **algInfos);`**
+ - **Parameters**:
+ - `provCtx`: [in] Provider-specific structure (optional).
+ - `operaId`: [in] Algorithm category ID.
+ - `algInfos`: [out] Pointer to the array of all algorithms under the category. The array ends when the algorithm ID is 0.
+ - **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
+ - **`provCtx` Control Function**: If the provider uses `provCtx`, this function is used for its control. It can be invoked using the `CRYPT_EAL_ProviderCtrl` function.
+ **`typedef int32_t (*)(void *provCtx, int32_t cmd, void *val, uint32_t valLen);`**
+ - **Parameters**: Omitted.
+ - **Return Value**: Omitted.
+ - **`provCtx` Release Function**: If the provider uses `provCtx`, this function releases `provCtx`. It is called during resource release.
+ **`typedef void (*)(void *provCtx);`**
+ - **Parameters**:
+ - `provCtx`: [in] Provider-specific structure.
+ - **Return Value**: None.
+
+---
+
+### 4.2 Provider Construction Example
+
+- **Initialization Function Example**:
+```c
+static CRYPT_EAL_Func defProvOutFuncs[] = {
+ {CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery},
+ {CRYPT_EAL_PROVCB_FREE, NULL},
+ {CRYPT_EAL_PROVCB_CTRL, NULL},
+ CRYPT_EAL_FUNC_END
+};
+
+int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx,
+ BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx)
+{
+ CRYPT_RandSeedMethod entroy = {0};
+ CRYPT_EAL_ProvMgrCtrlCb mgrCtrl = NULL;
+ int32_t index = 0;
+ while (capFuncs[index].id != 0) {
+ switch (capFuncs[index].id) {
+ case CRYPT_EAL_CAP_GETENTROPY:
+ entroy.getEntropy = capFuncs[index].func;
+ break;
+ case CRYPT_EAL_CAP_CLEANENTROPY:
+ entroy.cleanEntropy = capFuncs[index].func;
+ break;
+ case CRYPT_EAL_CAP_GETNONCE:
+ entroy.getNonce = capFuncs[index].func;
+ break;
+ case CRYPT_EAL_CAP_CLEANNONCE:
+ entroy.cleanNonce = capFuncs[index].func;
+ break;
+ case CRYPT_EAL_CAP_MGRCTXCTRL:
+ mgrCtrl = capFuncs[index].func;
+ break;
+ default:
+ return CRYPT_PROVIDER_ERR_UNEXPECTED_IMPL;
+ }
+ index++;
+ }
+ void *seedCtx = NULL;
+ void *libCtx = NULL;
+ if (entroy.getEntropy == NULL || entroy.cleanEntropy == NULL || entroy.getNonce == NULL ||
+ entroy.cleanNonce == NULL || mgrCtrl == NULL) {
+ return CRYPT_NULL_INPUT;
+ }
+ int32_t ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETSEEDCTX, &seedCtx, 0);
+ if (ret != CRYPT_SUCCESS) {
+ return ret;
+ }
+ ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETLIBCTX, &libCtx, 0);
+ if (ret != CRYPT_SUCCESS) {
+ return ret;
+ }
+ CRYPT_Data entropy = {NULL, 0};
+ CRYPT_Range entropyRange = {32, 2147483632};
+ ret = entroy.getEntropy(seedCtx, &entropy, 256, &entropyRange);
+ if (ret != CRYPT_SUCCESS) {
+ return CRYPT_DRBG_FAIL_GET_ENTROPY;
+ }
+ entroy.cleanEntropy(seedCtx, &entropy);
+ // check libCtx
+ if (param != NULL) {
+ if (param[0].value != libCtx) {
+ return CRYPT_INVALID_ARG;
+ }
+ }
+ *outFuncs = defProvOutFuncs;
+ return 0;
+}
+```
+- **Algorithm query function example**:
+```c
+const CRYPT_EAL_Func defMdMd5[] = {
+ {CRYPT_EAL_IMPLMD_NEWCTX, ...},
+ {CRYPT_EAL_IMPLMD_INITCTX, ...},
+ {CRYPT_EAL_IMPLMD_UPDATE, ...},
+ {CRYPT_EAL_IMPLMD_FINAL, ...},
+ {CRYPT_EAL_IMPLMD_DEINITCTX, ...},
+ {CRYPT_EAL_IMPLMD_DUPCTX, ...},
+ {CRYPT_EAL_IMPLMD_CTRL, ...},
+ {CRYPT_EAL_IMPLMD_FREECTX, ...},
+ CRYPT_EAL_FUNC_END,
+};
+
+static const CRYPT_EAL_AlgInfo defMds[] = {
+ ...
+ {CRYPT_MD_MD5, defMdMd5, "attr1=temp_attr1,attr2=temp_attr2"},
+ ...
+ CRYPT_EAL_ALGINFO_END
+};
+
+static int32_t CRYPT_EAL_DefaultProvQuery(void *provCtx, int32_t operaId, const CRYPT_EAL_AlgInfo **algInfos)
+{
+ (void) provCtx;
+ int32_t ret = CRYPT_SUCCESS;
+ switch (operaId) {
+ ...
+ case CRYPT_EAL_OPERAID_HASH:
+ *algInfos = defMds;
+ break;
+ ...
+ default:
+ ret = CRYPT_NOT_SUPPORT;
+ break;
+ }
+ return ret;
+}
+```
+
+---
+
+## 5. Comprehensive Usage Example
+
+```c
+#include "bsl_sal.h"
+#include "crypt_eal_provider.h"
+#include "crypt_eal_implprovider.h"
+#include "crypt_eal_md.h"
+
+/* Using the SM3 algorithm */
+
+int main() {
+
+------------------------------------------------------------------------------------------------------
+
+// Using the built-in HITLS algorithm library:
+ // Step 1: Directly initialize using EAL layer MD interface
+ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "provider=default");
+ ASSERT_TRUE(ctx != NULL);
+
+-----------------------------------------------
+
+// Searching and initializing with a matching algorithm library in a third-party provider:
+ // Step 1: Create a library context
+ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew();
+ ASSERT_TRUE(libCtx != NULL);
+
+ // Step 2: Set the provider loading path
+ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers");
+ ASSERT_TRUE(ret == CRYPT_SUCCESS);
+
+ // Step 3: Load the provider
+ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL);
+ ASSERT_TRUE(ret == CRYPT_SUCCESS);
+
+ // Step 4: Directly initialize using EAL layer MD interface
+ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2");
+ ASSERT_TRUE(ctx != NULL);
+
+-----------------------------------------------
+
+// Mixed usage of third-party providers and HITLS libraries:
+ // Step 1: Set the provider loading path
+ int ret = CRYPT_EAL_ProviderSetLoadPath(NULL, "/path/to/providers");
+ ASSERT_TRUE(ret == CRYPT_SUCCESS);
+
+ // Step 2: Load the provider
+ ret = CRYPT_EAL_ProviderLoad(NULL, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL);
+ ASSERT_TRUE(ret == CRYPT_SUCCESS);
+
+ // Step 3: Directly initialize using EAL layer MD interface
+ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2");
+ ASSERT_TRUE(ctx != NULL);
+
+------------------------------------------------------------------------------------------------------
+
+// After initialization, a series of algorithm operations can be performed:
+ ASSERT_EQ(CRYPT_EAL_MdInit(ctx), CRYPT_SUCCESS);
+ ASSERT_EQ(CRYPT_EAL_MdUpdate(ctx, msg->x, msg->len), CRYPT_SUCCESS);
+ ASSERT_EQ(CRYPT_EAL_MdFinal(ctx, output, &outLen), CRYPT_SUCCESS);
+
+------------------------------------------------------------------------------------------------------
+
+// If a library context was created or a third-party provider was loaded during initialization, they need to be released:
+ // Unload the provider
+ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name");
+ ASSERT_TRUE(ret == CRYPT_SUCCESS);
+
+ // Free the library context
+ CRYPT_EAL_LibCtxFree(libCtx);
+
+ return 0;
+}
+```
\ No newline at end of file
diff --git a/docs/index/index.md b/docs/index/index.md
index 28ea2ae..412be81 100644
--- a/docs/index/index.md
+++ b/docs/index/index.md
@@ -11,6 +11,7 @@
| 7 | [加密完保应用开发指南](../zh/5_开发指南/1_加密完保应用开发指南.md) | [Encryption and Integrity Protection Application Development Guide](../en/5_Developer%20Guide/1_Encryption%20and%20Integrity%20Protection%20Application%20Development%20Guide.md) |
| 8 | [安全通信应用开发指南](../zh/5_开发指南/2_安全通信应用开发指南.md) | [Secure Communication Application Development Guide](../en/5_Developer%20Guide/2_Secure%20Communication%20Application%20Development%20Guide.md) |
| 9 | [API参考](../zh/5_开发指南/3_API参考.md) | [API Reference](../en/5_Developer%20Guide/3_API%20Reference.md) |
-| 10 | [术语列表](../zh/6_附录/1_术语列表.md) | [Terms](../en/6_Appendix/1_Terms.md) |
-| 11 | [修订记录](../zh/6_附录/2_修订记录.md) | [Change History](../en/6_Appendix/2_Change%20History.md) |
+| 10 | [provider开发指南](../zh/5_开发指南/4_provider开发指南.md) | [provider Development Guide](../en/5_Developer%20Guide/4_provider%20Development%20Guide.md) |
+| 11 | [术语列表](../zh/6_附录/1_术语列表.md) | [Terms](../en/6_Appendix/1_Terms.md) |
+| 12 | [修订记录](../zh/6_附录/2_修订记录.md) | [Change History](../en/6_Appendix/2_Change%20History.md) |
diff --git "a/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" "b/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md"
new file mode 100644
index 0000000..4ae2b56
--- /dev/null
+++ "b/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md"
@@ -0,0 +1,458 @@
+# Provider 开发指南
+
+本文档是 OpenHiTLS Provider 的开发指南,为开发人员提供接口介绍、关键特性说明以及综合使用示例。
+
+## 1. 概述
+
+OpenHiTLS 的 Provider 管理框架支持动态加载、管理和使用加密 Provider。每个 "Provider" 封装了一组特定的加密操作,通过标准化接口向外部用户暴露。
+
+### 核心概念:
+- **库上下文Library Context`CRYPT_EAL_LibCtx`**:用于管理所有加载的 Provider 的生命周期和资源。
+- **Provider 管理上下文Provider Manager Context`CRYPT_EAL_ProvMgrCtx`**:表示单个 Provider包括其加载库句柄和功能实现。
+- **功能接口Functional Interfaces**:标准化的函数,用于查询和调用 Provider 的具体操作。
+
+---
+
+## 2. 接口介绍
+
+### 2.1 库上下文管理
+
+#### **`CRYPT_EAL_LibCtxNew`**
+- **描述**:创建一个新的库上下文,用于管理 Provider。
+- **函数原型**
+ ```c
+ CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNew(void);
+ ```
+- **返回值**:指向新创建的库上下文的指针。
+
+#### **`CRYPT_EAL_LibCtxFree`**
+- **描述**:释放库上下文,并释放所有相关资源。
+- **函数原型**
+ ```c
+ void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx);
+ ```
+- **参数**
+ - `libCtx`:需要释放的库上下文。
+
+---
+
+### 2.2 路径配置
+
+#### **`CRYPT_EAL_ProviderSetLoadPath`**
+- **描述**:配置加载 Provider 的路径。
+- **函数原型**
+ ```c
+ int32_t CRYPT_EAL_ProviderSetLoadPath(
+ CRYPT_EAL_LibCtx *libCtx,
+ const char *searchPath
+ );
+ ```
+- **参数**
+ - `libCtx`:库上下文。
+ - `searchPath`Provider 的搜索路径。
+- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
+
+---
+
+### 2.3 Provider 加载与卸载
+
+#### **`CRYPT_EAL_ProviderLoad`**
+- **描述**:动态加载一个 Provider并完成初始化。
+- **函数原型**
+ ```c
+ int32_t CRYPT_EAL_ProviderLoad(
+ CRYPT_EAL_LibCtx *libCtx,
+ BSL_SAL_ConverterCmd cmd,
+ const char *providerName,
+ BSL_Param *param,
+ CRYPT_EAL_ProvMgrCtx **mgrCtx
+ );
+ ```
+- **参数**
+ - `libCtx`:库上下文。
+ - `cmd`:指定库格式的命令(例如 `.so` 或 `lib*.so`)。
+ - `providerName`:要加载的 Provider 名称。
+ - `param`:初始化 Provider 时的附加参数。
+ - `mgrCtx`:输出的 Provider 管理上下文指针如果不为NULL那么将会在加载成功后返回对应provider的管理上下文CRYPT_EAL_ProvMgrCtx
+- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
+
+#### **`CRYPT_EAL_ProviderUnload`**
+- **描述**:卸载指定的 Provider并释放相关资源。
+- **函数原型**
+ ```c
+ int32_t CRYPT_EAL_ProviderUnload(
+ CRYPT_EAL_LibCtx *libCtx,
+ BSL_SAL_ConverterCmd cmd,
+ const char *providerName
+ );
+ ```
+- **参数**
+ - `libCtx`:库上下文。
+ - `cmd`:指定库格式的命令。
+ - `providerName`:要卸载的 Provider 名称。
+- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
+
+---
+
+### 2.4 算法查询与调用
+
+**eal层对外包装接口**
+
+该部分接口会包装provider对外接口在查询到适配的算法后自动调用算法进行初始化工作详见各类算法的对外头文件。
+
+- **对称接口:`CRYPT_EAL_ProviderCipherNewCtx`**
+- **非对称接口:`CRYPT_EAL_ProviderPkeyNewCtx`**
+- **kdf接口`CRYPT_EAL_ProviderKdfNewCtx`**
+- **mac接口`CRYPT_EAL_ProviderMacNewCtx`**
+- **md接口`CRYPT_EAL_ProviderMdNewCtx`**
+- **随机数接口:`CRYPT_EAL_ProviderRandInitCtx`、`CRYPT_EAL_ProviderDrbgInitCtx`**
+
+
+**provider底层对外接口**
+
+#### **`CRYPT_EAL_ProviderGetFuncs`**
+- **描述**从所有加载的provider中查询符合要求的算法。
+- **函数原型**
+ ```c
+ int32_t CRYPT_EAL_ProviderGetFuncs(
+ CRYPT_EAL_LibCtx *libCtx,
+ int32_t operaId,
+ int32_t algId,
+ const char *attribute,
+ const CRYPT_EAL_Func **funcs,
+ void **provCtx
+ );
+ ```
+- **参数**
+ - `libCtx`:库上下文。
+ - `operaId`:算法类别 ID详见”crypt_eal_implprovider.h“文件
+ - `algId`:算法 ID 详见”crypt_eal_implprovider.h“文件
+ - `attribute`:用于筛选 Provider 的属性字符串。
+ - `funcs`:输出的算法数组指针。
+ - `provCtx`可选参数如果不为NULL会获得该算法所在provider管理上下文中的provCtx。
+- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
+
+#### **`CRYPT_EAL_ProviderCtrl`**
+- **描述**:控制 Provider 管理上下文中的provCtx。
+- **函数原型**
+ ```c
+ int32_t CRYPT_EAL_ProviderCtrl(
+ CRYPT_EAL_ProvMgrCtx *ctx,
+ int32_t cmd,
+ void *val,
+ uint32_t valLen
+ );
+ ```
+- **参数**
+ - `ctx`Provider 管理上下文。
+ - `cmd`:控制命令。
+ - `val`:与命令相关的值。
+ - `valLen`:值的长度。
+
+---
+
+## 3. provider管理模块使用说明
+
+### 3.1 加载与卸载
+
+- **特性说明**
+ - provider以名称为唯一标识符不同的provider要求具有不同的名称不同路径相同名称的provider会被视为相同的provider。
+ - 支持重复加载和卸载provider重复加载时并不会额外创建provider管理上下文卸载的次数需要与加载的次数相同才能将库上下文中的provider管理上下文删除。
+ - 在释放库上下文时会自动卸载所有加载的provider。
+ - 加载provider的路径默认为空如果没有设置加载路径那么将会根据运行环境中dlopen函数的当前特性从各个位置依次检索搜索provider。
+ - 目前openhitls自带的算法库会被加载进一个启动时初始化的全局库上下文中当加载、卸载以及查找provider时如果传入的libCtx为NULL那么会使用该全局库上下文。
+- **使用示例**
+ ```c
+ ...
+ // 创建库上下文
+ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew();
+ assert(libCtx != NULL);
+
+ // 设置 Provider 加载路径
+ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers");
+ assert(ret == CRYPT_SUCCESS);
+
+ // 加载 Provider
+ CRYPT_EAL_ProvMgrCtx *mgrCtx = NULL;
+ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_SO, "provider_name", NULL, &mgrCtx);
+ assert(ret == CRYPT_SUCCESS);
+
+ ...
+
+ // 卸载 Provider
+ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name");
+ assert(ret == CRYPT_SUCCESS);
+
+ // 释放库上下文
+ CRYPT_EAL_LibCtxFree(libCtx);
+ ...
+ ```
+
+---
+
+### 3.2 属性查询和provider打分机制
+
+- **属性机制**
+ 在查询算法时首先会查找符合算法ID的算法数组如果用户输入的查找字符串不为NULL则还会根据查找字符串选择所有加载provider中最匹配的算法。
+ 供查找的provider算法属性值由name和value组成name和value之间用`=`分隔,多组属性之间用`,`分隔。在provider中每个算法可以根据实现目的定义一组或多组属性甚至同一个算法可以有不同实现通过属性区分
+- **provider打分机制**
+ 查询可以由多个查询语句组成,每个语句中之间用`,`分隔语句中的name和value之间用以下`判断字符`分隔:
+ - `=`: 必须相等,属于强制条件。
+ - `!=`: 必须不相等,属于强制条件。
+ - ``: 可选条件如果value匹配优先选择每满足一个问号得分会+1。
+
+ 查询时强制条件必须满足,在此基础上,根据可选条件选择最匹配的,如果最匹配实现有多个选择,随机返回一个。
+ 查询时允许各组语句重复强制条件重复对结果无影响。可选条件重复相当于满足该条件的得分由1分变为重复个数的分数。
+- **使用示例**
+ ```c
+ ...
+ // 属性字符串可以为NILL会根据算法ID查找
+ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx);
+ assert(ret == CRYPT_SUCCESS);
+ ...
+ // 属性字符串不为NULL时根据匹配规则查找
+ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,type=hash,version=1.0", &funcs, &provCtx);
+ assert(ret == CRYPT_SUCCESS);
+ ...
+ // 属性字符串涉及provider打分机制
+ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,feature?attr_good,feature?attr_good,feature?attr_bad", &funcs, &provCtx);
+ assert(ret == CRYPT_SUCCESS);
+ ...
+ // 实际使用时推荐使用eal层各类算法对外的包装接口,会自动进行查找算法并调用算法进行初始化等工作。
+ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_MD5, "provider=no_hitls,type=hash");
+ assert(ctx != NULL);
+ ...
+ ```
+
+---
+
+## 4. provider构建说明
+
+该部分涉及的各类命令以及函数原型的完整内容定义在`crypt_eal_implprovider.h`头文件中。
+
+### 4.1 初始化函数
+
+对每个provider需要实现名为`CRYPT_EAL_ProviderInit`的初始化函数该初始化函数会在加载provider时被调用
+- **函数原型**
+ ```c
+ int32_t CRYPT_EAL_ProviderInit(
+ CRYPT_EAL_ProvMgrCtx *mgrCtx,
+ BSL_Param *param,
+ CRYPT_EAL_Func *capFuncs,
+ CRYPT_EAL_Func **outFuncs,
+ void **provCtx
+ );
+ ```
+ - **参数**
+ - `mgrCtx`[in] Provider 管理上下文。
+ - `param`[in] 初始化 Provider 时的附加参数。
+ - `capFuncs`[in] 由管理框架输入的算法数组指针目前支持让用户可以选择使用HITLS提供的默认熵源。
+ - `outFuncs`[out] provider对外提供的算法数组指针详情见下文。
+ - `provCtx`[out] provider私有结构体如需要可用于在provider管理上下文中保存一些私有数据操作详情见下文可选。
+ - **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
+
+- **`outFuncs`数组说明**
+该数组用于传出provider对外提供的三种算法数组其中**算法查询函数必须返回**,其他两个函数可选:
+ - **算法查询函数**该函数用于在查找算法时根据传入的算法类别获取provider对外提供的整个算法类别的方法数组:
+ **`typedef int32_t (*)(void *provCtx, int32_t operaId, CRYPT_EAL_AlgInfo **algInfos);`**
+ - **参数**
+ - `provCtx`[in] provider私有结构体可选。
+ - `operaId`[in] 算法类别ID。
+ - `algInfos`[out] 该算法类别下所有算法的数组指针数组中当算法ID为0时表示结束。
+ - **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
+ - **provCtx控制函数**如果provider使用了provCtx,则该函数用于对其进行控制,该函数可以通过`CRYPT_EAL_ProviderCtrl`函数进行调用。
+ **`typedef int32_t (*)(void *provCtx, int32_t cmd, void *val, uint32_t valLen);`**
+ - **参数**:略
+ - **返回值**:略
+ - **provCtx释放函数**如果provider使用了provCtx,则该函数用于释放provCtx该函数会在释放资源时被调用。
+ **`typedef void (*)(void *provCtx);`**
+ - **参数**
+ - ·`provCtx`[in] provider私有结构体。
+ - **返回值**:无。
+
+---
+
+### 4.2 provider构建示例
+
+- **初始化函数示例**
+```c
+static CRYPT_EAL_Func defProvOutFuncs[] = {
+ {CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery},
+ {CRYPT_EAL_PROVCB_FREE, NULL},
+ {CRYPT_EAL_PROVCB_CTRL, NULL},
+ CRYPT_EAL_FUNC_END
+};
+
+int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx,
+ BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx)
+{
+ CRYPT_RandSeedMethod entroy = {0};
+ CRYPT_EAL_ProvMgrCtrlCb mgrCtrl = NULL;
+ int32_t index = 0;
+ while (capFuncs[index].id != 0) {
+ switch (capFuncs[index].id) {
+ case CRYPT_EAL_CAP_GETENTROPY:
+ entroy.getEntropy = capFuncs[index].func;
+ break;
+ case CRYPT_EAL_CAP_CLEANENTROPY:
+ entroy.cleanEntropy = capFuncs[index].func;
+ break;
+ case CRYPT_EAL_CAP_GETNONCE:
+ entroy.getNonce = capFuncs[index].func;
+ break;
+ case CRYPT_EAL_CAP_CLEANNONCE:
+ entroy.cleanNonce = capFuncs[index].func;
+ break;
+ case CRYPT_EAL_CAP_MGRCTXCTRL:
+ mgrCtrl = capFuncs[index].func;
+ break;
+ default:
+ return CRYPT_PROVIDER_ERR_UNEXPECTED_IMPL;
+ }
+ index++;
+ }
+ void *seedCtx = NULL;
+ void *libCtx = NULL;
+ if (entroy.getEntropy == NULL || entroy.cleanEntropy == NULL || entroy.getNonce == NULL ||
+ entroy.cleanNonce == NULL || mgrCtrl == NULL) {
+ return CRYPT_NULL_INPUT;
+ }
+ int32_t ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETSEEDCTX, &seedCtx, 0);
+ if (ret != CRYPT_SUCCESS) {
+ return ret;
+ }
+ ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETLIBCTX, &libCtx, 0);
+ if (ret != CRYPT_SUCCESS) {
+ return ret;
+ }
+ CRYPT_Data entropy = {NULL, 0};
+ CRYPT_Range entropyRange = {32, 2147483632};
+ ret = entroy.getEntropy(seedCtx, &entropy, 256, &entropyRange);
+ if (ret != CRYPT_SUCCESS) {
+ return CRYPT_DRBG_FAIL_GET_ENTROPY;
+ }
+ entroy.cleanEntropy(seedCtx, &entropy);
+ // check libCtx
+ if (param != NULL) {
+ if (param[0].value != libCtx) {
+ return CRYPT_INVALID_ARG;
+ }
+ }
+ *outFuncs = defProvOutFuncs;
+ return 0;
+}
+```
+- **算法查询函数示例**
+```c
+const CRYPT_EAL_Func defMdMd5[] = {
+ {CRYPT_EAL_IMPLMD_NEWCTX, ...},
+ {CRYPT_EAL_IMPLMD_INITCTX, ...},
+ {CRYPT_EAL_IMPLMD_UPDATE, ...},
+ {CRYPT_EAL_IMPLMD_FINAL, ...},
+ {CRYPT_EAL_IMPLMD_DEINITCTX, ...},
+ {CRYPT_EAL_IMPLMD_DUPCTX, ...},
+ {CRYPT_EAL_IMPLMD_CTRL, ...},
+ {CRYPT_EAL_IMPLMD_FREECTX, ...},
+ CRYPT_EAL_FUNC_END,
+};
+
+static const CRYPT_EAL_AlgInfo defMds[] = {
+ ...
+ {CRYPT_MD_MD5, defMdMd5, "attr1=temp_attr1,attr2=temp_attr2"},
+ ...
+ CRYPT_EAL_ALGINFO_END
+};
+
+static int32_t CRYPT_EAL_DefaultProvQuery(void *provCtx, int32_t operaId, const CRYPT_EAL_AlgInfo **algInfos)
+{
+ (void) provCtx;
+ int32_t ret = CRYPT_SUCCESS;
+ switch (operaId) {
+ ...
+ case CRYPT_EAL_OPERAID_HASH:
+ *algInfos = defMds;
+ break;
+ ...
+ default:
+ ret = CRYPT_NOT_SUPPORT;
+ break;
+ }
+ return ret;
+}
+```
+
+---
+
+## 5. 综合使用示例
+
+```c
+#include "bsl_sal.h"
+#include "crypt_eal_provider.h"
+#include "crypt_eal_implprovider.h"
+#include "crypt_eal_md.h"
+
+/* 调用SM3 算法 */
+
+int main() {
+
+------------------------------------------------------------------------------------------------------
+
+// 调用hitls自带的算法库初始化方式
+ // 步骤 1调用eal层的md对外接口直接进行初始化
+ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "provider=default");
+ ASSERT_TRUE(ctx != NULL);
+
+-----------------------------------------------
+
+// 在第三方provider中寻找匹配的算法库并初始化方式
+ // 步骤 1创建库上下文
+ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew();
+ ASSERT_TRUE(libCtx != NULL);
+
+ // 步骤 2设置 Provider 加载路径
+ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers");
+ ASSERT_TRUE(ret == CRYPT_SUCCESS);
+
+ // 步骤 3加载 Provider
+ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL);
+ ASSERT_TRUE(ret == CRYPT_SUCCESS);
+
+ // 步骤 4调用eal层的md对外接口直接进行初始化
+ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2");
+ ASSERT_TRUE(ctx != NULL);
+
+-----------------------------------------------
+
+// 第三方provider和hitls提供的算法库混合使用的场景寻找匹配的算法库并初始化方式
+ // 步骤 1设置 Provider 加载路径
+ int ret = CRYPT_EAL_ProviderSetLoadPath(NULL, "/path/to/providers");
+ ASSERT_TRUE(ret == CRYPT_SUCCESS);
+
+ // 步骤 2加载 Provider
+ ret = CRYPT_EAL_ProviderLoad(NULL, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL);
+ ASSERT_TRUE(ret == CRYPT_SUCCESS);
+
+ // 步骤 3调用eal层的md对外接口直接进行初始化
+ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2");
+ ASSERT_TRUE(ctx != NULL);
+
+------------------------------------------------------------------------------------------------------
+
+// 初始化后可进行一系列的算法操作:
+ ASSERT_EQ(CRYPT_EAL_MdInit(ctx), CRYPT_SUCCESS);
+ ASSERT_EQ(CRYPT_EAL_MdUpdate(ctx, msg->x, msg->len), CRYPT_SUCCESS);
+ ASSERT_EQ(CRYPT_EAL_MdFinal(ctx, output, &outLen), CRYPT_SUCCESS);
+
+------------------------------------------------------------------------------------------------------
+
+// 如果初始化时创建了库上下文或者加载了第三方provider,则需要进行释放
+ // 卸载 Provider
+ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name");
+ ASSERT_TRUE(ret == CRYPT_SUCCESS);
+
+ // 释放库上下文
+ CRYPT_EAL_LibCtxFree(libCtx);
+
+ return 0;
+}
+```
\ No newline at end of file
--
2.42.0.windows.2

987
0008-fix-some-bugs.patch Normal file
View File

@ -0,0 +1,987 @@
From 9139271bb2bf8d77bdf211ed57156c7794d5bb41 Mon Sep 17 00:00:00 2001
From: zhengzeyang <zhengzeyang@huawei.com>
Date: Fri, 6 Dec 2024 18:08:18 +0800
Subject: [PATCH 08/10] fix some bugs.
Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/93
---
crypto/eal/src/eal_md.c | 2 +
.../4_provider Development Guide.md | 463 ------------------
docs/index/index.md | 5 +-
...00\345\217\221\346\214\207\345\215\227.md" | 458 -----------------
4 files changed, 4 insertions(+), 924 deletions(-)
delete mode 100644 docs/en/5_Developer Guide/4_provider Development Guide.md
delete mode 100644 "docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md"
diff --git a/crypto/eal/src/eal_md.c b/crypto/eal/src/eal_md.c
index 7eb61d6..12ecf5f 100644
--- a/crypto/eal/src/eal_md.c
+++ b/crypto/eal/src/eal_md.c
@@ -232,6 +232,7 @@ int32_t CRYPT_EAL_MdCopyCtx(CRYPT_EAL_MdCTX *to, const CRYPT_EAL_MdCTX *from)
EAL_ERR_REPORT(CRYPT_EVENT_ERR, CRYPT_ALGO_MD, from->id, CRYPT_MEM_ALLOC_FAIL);
return CRYPT_MEM_ALLOC_FAIL;
}
+ to->isProvider = from->isProvider;
*(EAL_MdUnitaryMethod *)to->method = *from->method;
to->data = data;
to->state = from->state;
@@ -269,6 +270,7 @@ CRYPT_EAL_MdCTX *CRYPT_EAL_MdDupCtx(const CRYPT_EAL_MdCTX *ctx)
BSL_SAL_FREE(newCtx);
return NULL;
}
+ newCtx->isProvider = ctx->isProvider;
newCtx->method = method;
newCtx->state = ctx->state;
newCtx->id = ctx->id;
diff --git a/docs/en/5_Developer Guide/4_provider Development Guide.md b/docs/en/5_Developer Guide/4_provider Development Guide.md
deleted file mode 100644
index f750a4d..0000000
--- a/docs/en/5_Developer Guide/4_provider Development Guide.md
+++ /dev/null
@@ -1,463 +0,0 @@
-# Provider Development Guide
-
-This document serves as a development guide for OpenHiTLS providers, providing developers with interface introductions, key feature descriptions, and comprehensive usage examples.
-
-## 1. Overview
-
-The provider management framework in OpenHiTLS supports dynamic loading, management, and usage of cryptographic providers. Each "Provider" encapsulates a specific set of cryptographic operations and exposes them to external users through standardized interfaces.
-
-### Core Concepts:
-- **Library Context (`CRYPT_EAL_LibCtx`)**: Manages the lifecycle and resources of all loaded providers.
-- **Provider Manager Context (`CRYPT_EAL_ProvMgrCtx`)**: Represents a single provider, including its loaded library handle and implemented functionalities.
-- **Functional Interfaces**: Standardized functions used for querying and invoking specific operations of providers.
-
----
-
-## 2. Interface Introduction
-
-### 2.1 Library Context Management
-
-#### **`CRYPT_EAL_LibCtxNew`**
-- **Description**: Creates a new library context for managing providers.
-- **Function Prototype**:
- ```c
- CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNew(void);
- ```
-- **Return Value**: A pointer to the newly created library context.
-
-#### **`CRYPT_EAL_LibCtxFree`**
-- **Description**: Frees the library context and releases all associated resources.
-- **Function Prototype**:
- ```c
- void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx);
- ```
-- **Parameters**:
- - `libCtx`: The library context to be freed.
-
----
-
-### 2.2 Path Configuration
-
-#### **`CRYPT_EAL_ProviderSetLoadPath`**
-- **Description**: Configures the path for loading providers.
-- **Function Prototype**:
- ```c
- int32_t CRYPT_EAL_ProviderSetLoadPath(
- CRYPT_EAL_LibCtx *libCtx,
- const char *searchPath
- );
- ```
-- **Parameters**:
- - `libCtx`: The library context.
- - `searchPath`: The search path for providers.
-- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
-
----
-
-### 2.3 Provider Loading and Unloading
-
-#### **`CRYPT_EAL_ProviderLoad`**
-- **Description**: Dynamically loads a provider and initializes it.
-- **Function Prototype**:
- ```c
- int32_t CRYPT_EAL_ProviderLoad(
- CRYPT_EAL_LibCtx *libCtx,
- BSL_SAL_ConverterCmd cmd,
- const char *providerName,
- BSL_Param *param,
- CRYPT_EAL_ProvMgrCtx **mgrCtx
- );
- ```
-- **Parameters**:
- - `libCtx`: The library context.
- - `cmd`: The command specifying the library format (e.g., `.so`, `lib*.so`).
- - `providerName`: The name of the provider to load.
- - `param`: Additional parameters for provider initialization.
- - `mgrCtx`: Output pointer to the provider manager context. If not `NULL`, the manager context of the loaded provider will be returned upon successful loading.
-- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
-
-#### **`CRYPT_EAL_ProviderUnload`**
-- **Description**: Unloads the specified provider and releases associated resources.
-- **Function Prototype**:
- ```c
- int32_t CRYPT_EAL_ProviderUnload(
- CRYPT_EAL_LibCtx *libCtx,
- BSL_SAL_ConverterCmd cmd,
- const char *providerName
- );
- ```
-- **Parameters**:
- - `libCtx`: The library context.
- - `cmd`: The command specifying the library format.
- - `providerName`: The name of the provider to unload.
-- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
-
----
-
-### 2.4 Algorithm Query and Invocation
-
-**EAL Layer Wrapper Interfaces**:
-
-These interfaces wrap the provider's exposed APIs, automatically initializing algorithms after querying suitable algorithms. See the corresponding headers for each algorithm for more details.
-
-- **Symmetric Interface: `CRYPT_EAL_ProviderCipherNewCtx`**
-- **Asymmetric Interface: `CRYPT_EAL_ProviderPkeyNewCtx`**
-- **KDF Interface: `CRYPT_EAL_ProviderKdfNewCtx`**
-- **MAC Interface: `CRYPT_EAL_ProviderMacNewCtx`**
-- **Message Digest Interface: `CRYPT_EAL_ProviderMdNewCtx`**
-- **Random Number Interfaces: `CRYPT_EAL_ProviderRandInitCtx`, `CRYPT_EAL_ProviderDrbgInitCtx`**
-
-**Provider Layer Exposed Interfaces**:
-
-#### **`CRYPT_EAL_ProviderGetFuncs`**
-- **Description**: Queries algorithms matching the criteria from all loaded providers.
-- **Function Prototype**:
- ```c
- int32_t CRYPT_EAL_ProviderGetFuncs(
- CRYPT_EAL_LibCtx *libCtx,
- int32_t operaId,
- int32_t algId,
- const char *attribute,
- const CRYPT_EAL_Func **funcs,
- void **provCtx
- );
- ```
-- **Parameters**:
- - `libCtx`: The library context.
- - `operaId`: Algorithm category ID (see "crypt_eal_implprovider.h").
- - `algId`: Algorithm ID (see "crypt_eal_implprovider.h").
- - `attribute`: Attribute string for filtering providers.
- - `funcs`: Output pointer to an array of algorithms.
- - `provCtx`: Optional parameter. If not `NULL`, it retrieves the `provCtx` from the provider manager context where the algorithm resides.
-- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
-
-#### **`CRYPT_EAL_ProviderCtrl`**
-- **Description**: Controls the `provCtx` in the provider manager context.
-- **Function Prototype**:
- ```c
- int32_t CRYPT_EAL_ProviderCtrl(
- CRYPT_EAL_ProvMgrCtx *ctx,
- int32_t cmd,
- void *val,
- uint32_t valLen
- );
- ```
-- **Parameters**:
- - `ctx`: Provider manager context.
- - `cmd`: Control command.
- - `val`: The value associated with the command.
- - `valLen`: The length of the value.
-
----
-
-## 3. Provider Management Module Usage Instructions
-
-### 3.1 Loading and Unloading
-
-- **Feature Descriptions**:
- - Providers are uniquely identified by their names. Different providers must have unique names. Providers with the same name but located in different paths are treated as the same provider.
- - The framework supports repeated loading and unloading of providers. Repeated loading does not create additional provider manager contexts. To remove a provider manager context from the library context, the number of unloads must match the number of loads.
- - When releasing the library context, all loaded providers are automatically unloaded.
- - The default provider loading path is empty. If no path is set, the framework searches for providers in various locations based on the runtime environment and the behavior of the `dlopen` function.
- - Currently, OpenHiTLS's built-in algorithm library is loaded into a globally initialized library context during startup. If `libCtx` is `NULL` during provider loading, unloading, or searching, this global library context is used.
-
-- **Usage Example**:
- ```c
- ...
- // Create a library context
- CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew();
- assert(libCtx != NULL);
-
- // Set the provider loading path
- int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers");
- assert(ret == CRYPT_SUCCESS);
-
- // Load a provider
- CRYPT_EAL_ProvMgrCtx *mgrCtx = NULL;
- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_SO, "provider_name", NULL, &mgrCtx);
- assert(ret == CRYPT_SUCCESS);
-
- ...
-
- // Unload the provider
- ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name");
- assert(ret == CRYPT_SUCCESS);
-
- // Free the library context
- CRYPT_EAL_LibCtxFree(libCtx);
- ...
- ```
-
----
-
-### 3.2 Attribute Query and Provider Scoring Mechanism
-
-- **Attribute Mechanism**:
- When querying algorithms, the framework first searches for algorithms matching the algorithm ID. If the search string is not `NULL`, it further selects the best-matching algorithm from all loaded providers based on the search string.
- Provider algorithm attributes are composed of a `name` and a `value`, separated by `=`. Multiple attributes are separated by `,`. Within a provider, each algorithm can define one or more sets of attributes based on its implementation purpose. Even the same algorithm can have different implementations distinguished by attributes.
-
-- **Provider Scoring Mechanism**:
- Queries can consist of multiple query statements, separated by `,`. Within a statement, `name` and `value` are separated by the following **comparison characters**:
- - `=`: Must be equal (mandatory condition).
- - `!=`: Must not be equal (mandatory condition).
- - `?`: Optional condition. If `value` matches, it is prioritized. Each match adds +1 to the score.
-
- Mandatory conditions must be satisfied. Among providers that meet the mandatory conditions, the framework selects the best match based on optional conditions. If there are multiple best matches, one is randomly selected.
- Repeated conditions are allowed within query statements:
- - Repeated mandatory conditions have no effect.
- - Repeated optional conditions increase the score proportionally.
-
-- **Usage Example**:
- ```c
- ...
- // Query with a NULL attribute string, searching by algorithm ID
- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx);
- assert(ret == CRYPT_SUCCESS);
- ...
- // Query with a non-NULL attribute string, matching based on rules
- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,type=hash,version=1.0", &funcs, &provCtx);
- assert(ret == CRYPT_SUCCESS);
- ...
- // Query with provider scoring mechanism
- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,feature?attr_good,feature?attr_good,feature?attr_bad", &funcs, &provCtx);
- assert(ret == CRYPT_SUCCESS);
- ...
- // For actual use, it is recommended to use EAL layer wrapping interfaces for each algorithm,
- // which automatically locate and initialize the algorithm.
- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_MD5, "provider=no_hitls,type=hash");
- assert(ctx != NULL);
- ...
- ```
-
----
-
-## 4. Provider Construction Instructions
-
-This section describes the commands and function prototypes, which are fully defined in the `crypt_eal_implprovider.h` header file.
-
-### 4.1 Initialization Function
-
-For each provider, an initialization function named `CRYPT_EAL_ProviderInit` must be implemented. This function is called when loading the provider:
-- **Function Prototype**:
- ```c
- int32_t CRYPT_EAL_ProviderInit(
- CRYPT_EAL_ProvMgrCtx *mgrCtx,
- BSL_Param *param,
- CRYPT_EAL_Func *capFuncs,
- CRYPT_EAL_Func **outFuncs,
- void **provCtx
- );
- ```
- - **Parameters**:
- - `mgrCtx`: [in] Provider manager context.
- - `param`: [in] Additional parameters for provider initialization.
- - `capFuncs`: [in] Algorithm array pointer provided by the management framework, allowing users to optionally use HITLS's default entropy source.
- - `outFuncs`: [out] Array pointer for algorithms exposed by the provider. Details are described below.
- - `provCtx`: [out] Provider-specific structure. If needed, private data can be saved in the provider manager context. Details on its operation are below (optional).
- - **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
-
-- **Description of the `outFuncs` Array**:
- This array is used to pass the three types of algorithm arrays provided by the provider. **The algorithm query function must be returned**, while the other two functions are optional:
- - **Algorithm Query Function**: Used to retrieve the algorithm array provided by the provider based on the algorithm category during a search:
- **`typedef int32_t (*)(void *provCtx, int32_t operaId, CRYPT_EAL_AlgInfo **algInfos);`**
- - **Parameters**:
- - `provCtx`: [in] Provider-specific structure (optional).
- - `operaId`: [in] Algorithm category ID.
- - `algInfos`: [out] Pointer to the array of all algorithms under the category. The array ends when the algorithm ID is 0.
- - **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code.
- - **`provCtx` Control Function**: If the provider uses `provCtx`, this function is used for its control. It can be invoked using the `CRYPT_EAL_ProviderCtrl` function.
- **`typedef int32_t (*)(void *provCtx, int32_t cmd, void *val, uint32_t valLen);`**
- - **Parameters**: Omitted.
- - **Return Value**: Omitted.
- - **`provCtx` Release Function**: If the provider uses `provCtx`, this function releases `provCtx`. It is called during resource release.
- **`typedef void (*)(void *provCtx);`**
- - **Parameters**:
- - `provCtx`: [in] Provider-specific structure.
- - **Return Value**: None.
-
----
-
-### 4.2 Provider Construction Example
-
-- **Initialization Function Example**:
-```c
-static CRYPT_EAL_Func defProvOutFuncs[] = {
- {CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery},
- {CRYPT_EAL_PROVCB_FREE, NULL},
- {CRYPT_EAL_PROVCB_CTRL, NULL},
- CRYPT_EAL_FUNC_END
-};
-
-int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx,
- BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx)
-{
- CRYPT_RandSeedMethod entroy = {0};
- CRYPT_EAL_ProvMgrCtrlCb mgrCtrl = NULL;
- int32_t index = 0;
- while (capFuncs[index].id != 0) {
- switch (capFuncs[index].id) {
- case CRYPT_EAL_CAP_GETENTROPY:
- entroy.getEntropy = capFuncs[index].func;
- break;
- case CRYPT_EAL_CAP_CLEANENTROPY:
- entroy.cleanEntropy = capFuncs[index].func;
- break;
- case CRYPT_EAL_CAP_GETNONCE:
- entroy.getNonce = capFuncs[index].func;
- break;
- case CRYPT_EAL_CAP_CLEANNONCE:
- entroy.cleanNonce = capFuncs[index].func;
- break;
- case CRYPT_EAL_CAP_MGRCTXCTRL:
- mgrCtrl = capFuncs[index].func;
- break;
- default:
- return CRYPT_PROVIDER_ERR_UNEXPECTED_IMPL;
- }
- index++;
- }
- void *seedCtx = NULL;
- void *libCtx = NULL;
- if (entroy.getEntropy == NULL || entroy.cleanEntropy == NULL || entroy.getNonce == NULL ||
- entroy.cleanNonce == NULL || mgrCtrl == NULL) {
- return CRYPT_NULL_INPUT;
- }
- int32_t ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETSEEDCTX, &seedCtx, 0);
- if (ret != CRYPT_SUCCESS) {
- return ret;
- }
- ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETLIBCTX, &libCtx, 0);
- if (ret != CRYPT_SUCCESS) {
- return ret;
- }
- CRYPT_Data entropy = {NULL, 0};
- CRYPT_Range entropyRange = {32, 2147483632};
- ret = entroy.getEntropy(seedCtx, &entropy, 256, &entropyRange);
- if (ret != CRYPT_SUCCESS) {
- return CRYPT_DRBG_FAIL_GET_ENTROPY;
- }
- entroy.cleanEntropy(seedCtx, &entropy);
- // check libCtx
- if (param != NULL) {
- if (param[0].value != libCtx) {
- return CRYPT_INVALID_ARG;
- }
- }
- *outFuncs = defProvOutFuncs;
- return 0;
-}
-```
-- **Algorithm query function example**:
-```c
-const CRYPT_EAL_Func defMdMd5[] = {
- {CRYPT_EAL_IMPLMD_NEWCTX, ...},
- {CRYPT_EAL_IMPLMD_INITCTX, ...},
- {CRYPT_EAL_IMPLMD_UPDATE, ...},
- {CRYPT_EAL_IMPLMD_FINAL, ...},
- {CRYPT_EAL_IMPLMD_DEINITCTX, ...},
- {CRYPT_EAL_IMPLMD_DUPCTX, ...},
- {CRYPT_EAL_IMPLMD_CTRL, ...},
- {CRYPT_EAL_IMPLMD_FREECTX, ...},
- CRYPT_EAL_FUNC_END,
-};
-
-static const CRYPT_EAL_AlgInfo defMds[] = {
- ...
- {CRYPT_MD_MD5, defMdMd5, "attr1=temp_attr1,attr2=temp_attr2"},
- ...
- CRYPT_EAL_ALGINFO_END
-};
-
-static int32_t CRYPT_EAL_DefaultProvQuery(void *provCtx, int32_t operaId, const CRYPT_EAL_AlgInfo **algInfos)
-{
- (void) provCtx;
- int32_t ret = CRYPT_SUCCESS;
- switch (operaId) {
- ...
- case CRYPT_EAL_OPERAID_HASH:
- *algInfos = defMds;
- break;
- ...
- default:
- ret = CRYPT_NOT_SUPPORT;
- break;
- }
- return ret;
-}
-```
-
----
-
-## 5. Comprehensive Usage Example
-
-```c
-#include "bsl_sal.h"
-#include "crypt_eal_provider.h"
-#include "crypt_eal_implprovider.h"
-#include "crypt_eal_md.h"
-
-/* Using the SM3 algorithm */
-
-int main() {
-
-------------------------------------------------------------------------------------------------------
-
-// Using the built-in HITLS algorithm library:
- // Step 1: Directly initialize using EAL layer MD interface
- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "provider=default");
- ASSERT_TRUE(ctx != NULL);
-
------------------------------------------------
-
-// Searching and initializing with a matching algorithm library in a third-party provider:
- // Step 1: Create a library context
- CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew();
- ASSERT_TRUE(libCtx != NULL);
-
- // Step 2: Set the provider loading path
- int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers");
- ASSERT_TRUE(ret == CRYPT_SUCCESS);
-
- // Step 3: Load the provider
- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL);
- ASSERT_TRUE(ret == CRYPT_SUCCESS);
-
- // Step 4: Directly initialize using EAL layer MD interface
- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2");
- ASSERT_TRUE(ctx != NULL);
-
------------------------------------------------
-
-// Mixed usage of third-party providers and HITLS libraries:
- // Step 1: Set the provider loading path
- int ret = CRYPT_EAL_ProviderSetLoadPath(NULL, "/path/to/providers");
- ASSERT_TRUE(ret == CRYPT_SUCCESS);
-
- // Step 2: Load the provider
- ret = CRYPT_EAL_ProviderLoad(NULL, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL);
- ASSERT_TRUE(ret == CRYPT_SUCCESS);
-
- // Step 3: Directly initialize using EAL layer MD interface
- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2");
- ASSERT_TRUE(ctx != NULL);
-
-------------------------------------------------------------------------------------------------------
-
-// After initialization, a series of algorithm operations can be performed:
- ASSERT_EQ(CRYPT_EAL_MdInit(ctx), CRYPT_SUCCESS);
- ASSERT_EQ(CRYPT_EAL_MdUpdate(ctx, msg->x, msg->len), CRYPT_SUCCESS);
- ASSERT_EQ(CRYPT_EAL_MdFinal(ctx, output, &outLen), CRYPT_SUCCESS);
-
-------------------------------------------------------------------------------------------------------
-
-// If a library context was created or a third-party provider was loaded during initialization, they need to be released:
- // Unload the provider
- ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name");
- ASSERT_TRUE(ret == CRYPT_SUCCESS);
-
- // Free the library context
- CRYPT_EAL_LibCtxFree(libCtx);
-
- return 0;
-}
-```
\ No newline at end of file
diff --git a/docs/index/index.md b/docs/index/index.md
index 412be81..28ea2ae 100644
--- a/docs/index/index.md
+++ b/docs/index/index.md
@@ -11,7 +11,6 @@
| 7 | [加密完保应用开发指南](../zh/5_开发指南/1_加密完保应用开发指南.md) | [Encryption and Integrity Protection Application Development Guide](../en/5_Developer%20Guide/1_Encryption%20and%20Integrity%20Protection%20Application%20Development%20Guide.md) |
| 8 | [安全通信应用开发指南](../zh/5_开发指南/2_安全通信应用开发指南.md) | [Secure Communication Application Development Guide](../en/5_Developer%20Guide/2_Secure%20Communication%20Application%20Development%20Guide.md) |
| 9 | [API参考](../zh/5_开发指南/3_API参考.md) | [API Reference](../en/5_Developer%20Guide/3_API%20Reference.md) |
-| 10 | [provider开发指南](../zh/5_开发指南/4_provider开发指南.md) | [provider Development Guide](../en/5_Developer%20Guide/4_provider%20Development%20Guide.md) |
-| 11 | [术语列表](../zh/6_附录/1_术语列表.md) | [Terms](../en/6_Appendix/1_Terms.md) |
-| 12 | [修订记录](../zh/6_附录/2_修订记录.md) | [Change History](../en/6_Appendix/2_Change%20History.md) |
+| 10 | [术语列表](../zh/6_附录/1_术语列表.md) | [Terms](../en/6_Appendix/1_Terms.md) |
+| 11 | [修订记录](../zh/6_附录/2_修订记录.md) | [Change History](../en/6_Appendix/2_Change%20History.md) |
diff --git "a/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" "b/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md"
deleted file mode 100644
index 4ae2b56..0000000
--- "a/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md"
+++ /dev/null
@@ -1,458 +0,0 @@
-# Provider 开发指南
-
-本文档是 OpenHiTLS Provider 的开发指南,为开发人员提供接口介绍、关键特性说明以及综合使用示例。
-
-## 1. 概述
-
-OpenHiTLS 的 Provider 管理框架支持动态加载、管理和使用加密 Provider。每个 "Provider" 封装了一组特定的加密操作,通过标准化接口向外部用户暴露。
-
-### 核心概念:
-- **库上下文Library Context`CRYPT_EAL_LibCtx`**:用于管理所有加载的 Provider 的生命周期和资源。
-- **Provider 管理上下文Provider Manager Context`CRYPT_EAL_ProvMgrCtx`**:表示单个 Provider包括其加载库句柄和功能实现。
-- **功能接口Functional Interfaces**:标准化的函数,用于查询和调用 Provider 的具体操作。
-
----
-
-## 2. 接口介绍
-
-### 2.1 库上下文管理
-
-#### **`CRYPT_EAL_LibCtxNew`**
-- **描述**:创建一个新的库上下文,用于管理 Provider。
-- **函数原型**
- ```c
- CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNew(void);
- ```
-- **返回值**:指向新创建的库上下文的指针。
-
-#### **`CRYPT_EAL_LibCtxFree`**
-- **描述**:释放库上下文,并释放所有相关资源。
-- **函数原型**
- ```c
- void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx);
- ```
-- **参数**
- - `libCtx`:需要释放的库上下文。
-
----
-
-### 2.2 路径配置
-
-#### **`CRYPT_EAL_ProviderSetLoadPath`**
-- **描述**:配置加载 Provider 的路径。
-- **函数原型**
- ```c
- int32_t CRYPT_EAL_ProviderSetLoadPath(
- CRYPT_EAL_LibCtx *libCtx,
- const char *searchPath
- );
- ```
-- **参数**
- - `libCtx`:库上下文。
- - `searchPath`Provider 的搜索路径。
-- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
-
----
-
-### 2.3 Provider 加载与卸载
-
-#### **`CRYPT_EAL_ProviderLoad`**
-- **描述**:动态加载一个 Provider并完成初始化。
-- **函数原型**
- ```c
- int32_t CRYPT_EAL_ProviderLoad(
- CRYPT_EAL_LibCtx *libCtx,
- BSL_SAL_ConverterCmd cmd,
- const char *providerName,
- BSL_Param *param,
- CRYPT_EAL_ProvMgrCtx **mgrCtx
- );
- ```
-- **参数**
- - `libCtx`:库上下文。
- - `cmd`:指定库格式的命令(例如 `.so` 或 `lib*.so`)。
- - `providerName`:要加载的 Provider 名称。
- - `param`:初始化 Provider 时的附加参数。
- - `mgrCtx`:输出的 Provider 管理上下文指针如果不为NULL那么将会在加载成功后返回对应provider的管理上下文CRYPT_EAL_ProvMgrCtx
-- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
-
-#### **`CRYPT_EAL_ProviderUnload`**
-- **描述**:卸载指定的 Provider并释放相关资源。
-- **函数原型**
- ```c
- int32_t CRYPT_EAL_ProviderUnload(
- CRYPT_EAL_LibCtx *libCtx,
- BSL_SAL_ConverterCmd cmd,
- const char *providerName
- );
- ```
-- **参数**
- - `libCtx`:库上下文。
- - `cmd`:指定库格式的命令。
- - `providerName`:要卸载的 Provider 名称。
-- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
-
----
-
-### 2.4 算法查询与调用
-
-**eal层对外包装接口**
-
-该部分接口会包装provider对外接口在查询到适配的算法后自动调用算法进行初始化工作详见各类算法的对外头文件。
-
-- **对称接口:`CRYPT_EAL_ProviderCipherNewCtx`**
-- **非对称接口:`CRYPT_EAL_ProviderPkeyNewCtx`**
-- **kdf接口`CRYPT_EAL_ProviderKdfNewCtx`**
-- **mac接口`CRYPT_EAL_ProviderMacNewCtx`**
-- **md接口`CRYPT_EAL_ProviderMdNewCtx`**
-- **随机数接口:`CRYPT_EAL_ProviderRandInitCtx`、`CRYPT_EAL_ProviderDrbgInitCtx`**
-
-
-**provider底层对外接口**
-
-#### **`CRYPT_EAL_ProviderGetFuncs`**
-- **描述**从所有加载的provider中查询符合要求的算法。
-- **函数原型**
- ```c
- int32_t CRYPT_EAL_ProviderGetFuncs(
- CRYPT_EAL_LibCtx *libCtx,
- int32_t operaId,
- int32_t algId,
- const char *attribute,
- const CRYPT_EAL_Func **funcs,
- void **provCtx
- );
- ```
-- **参数**
- - `libCtx`:库上下文。
- - `operaId`:算法类别 ID详见”crypt_eal_implprovider.h“文件
- - `algId`:算法 ID 详见”crypt_eal_implprovider.h“文件
- - `attribute`:用于筛选 Provider 的属性字符串。
- - `funcs`:输出的算法数组指针。
- - `provCtx`可选参数如果不为NULL会获得该算法所在provider管理上下文中的provCtx。
-- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
-
-#### **`CRYPT_EAL_ProviderCtrl`**
-- **描述**:控制 Provider 管理上下文中的provCtx。
-- **函数原型**
- ```c
- int32_t CRYPT_EAL_ProviderCtrl(
- CRYPT_EAL_ProvMgrCtx *ctx,
- int32_t cmd,
- void *val,
- uint32_t valLen
- );
- ```
-- **参数**
- - `ctx`Provider 管理上下文。
- - `cmd`:控制命令。
- - `val`:与命令相关的值。
- - `valLen`:值的长度。
-
----
-
-## 3. provider管理模块使用说明
-
-### 3.1 加载与卸载
-
-- **特性说明**
- - provider以名称为唯一标识符不同的provider要求具有不同的名称不同路径相同名称的provider会被视为相同的provider。
- - 支持重复加载和卸载provider重复加载时并不会额外创建provider管理上下文卸载的次数需要与加载的次数相同才能将库上下文中的provider管理上下文删除。
- - 在释放库上下文时会自动卸载所有加载的provider。
- - 加载provider的路径默认为空如果没有设置加载路径那么将会根据运行环境中dlopen函数的当前特性从各个位置依次检索搜索provider。
- - 目前openhitls自带的算法库会被加载进一个启动时初始化的全局库上下文中当加载、卸载以及查找provider时如果传入的libCtx为NULL那么会使用该全局库上下文。
-- **使用示例**
- ```c
- ...
- // 创建库上下文
- CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew();
- assert(libCtx != NULL);
-
- // 设置 Provider 加载路径
- int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers");
- assert(ret == CRYPT_SUCCESS);
-
- // 加载 Provider
- CRYPT_EAL_ProvMgrCtx *mgrCtx = NULL;
- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_SO, "provider_name", NULL, &mgrCtx);
- assert(ret == CRYPT_SUCCESS);
-
- ...
-
- // 卸载 Provider
- ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name");
- assert(ret == CRYPT_SUCCESS);
-
- // 释放库上下文
- CRYPT_EAL_LibCtxFree(libCtx);
- ...
- ```
-
----
-
-### 3.2 属性查询和provider打分机制
-
-- **属性机制**
- 在查询算法时首先会查找符合算法ID的算法数组如果用户输入的查找字符串不为NULL则还会根据查找字符串选择所有加载provider中最匹配的算法。
- 供查找的provider算法属性值由name和value组成name和value之间用`=`分隔,多组属性之间用`,`分隔。在provider中每个算法可以根据实现目的定义一组或多组属性甚至同一个算法可以有不同实现通过属性区分
-- **provider打分机制**
- 查询可以由多个查询语句组成,每个语句中之间用`,`分隔语句中的name和value之间用以下`判断字符`分隔:
- - `=`: 必须相等,属于强制条件。
- - `!=`: 必须不相等,属于强制条件。
- - ``: 可选条件如果value匹配优先选择每满足一个问号得分会+1。
-
- 查询时强制条件必须满足,在此基础上,根据可选条件选择最匹配的,如果最匹配实现有多个选择,随机返回一个。
- 查询时允许各组语句重复强制条件重复对结果无影响。可选条件重复相当于满足该条件的得分由1分变为重复个数的分数。
-- **使用示例**
- ```c
- ...
- // 属性字符串可以为NILL会根据算法ID查找
- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx);
- assert(ret == CRYPT_SUCCESS);
- ...
- // 属性字符串不为NULL时根据匹配规则查找
- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,type=hash,version=1.0", &funcs, &provCtx);
- assert(ret == CRYPT_SUCCESS);
- ...
- // 属性字符串涉及provider打分机制
- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,feature?attr_good,feature?attr_good,feature?attr_bad", &funcs, &provCtx);
- assert(ret == CRYPT_SUCCESS);
- ...
- // 实际使用时推荐使用eal层各类算法对外的包装接口,会自动进行查找算法并调用算法进行初始化等工作。
- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_MD5, "provider=no_hitls,type=hash");
- assert(ctx != NULL);
- ...
- ```
-
----
-
-## 4. provider构建说明
-
-该部分涉及的各类命令以及函数原型的完整内容定义在`crypt_eal_implprovider.h`头文件中。
-
-### 4.1 初始化函数
-
-对每个provider需要实现名为`CRYPT_EAL_ProviderInit`的初始化函数该初始化函数会在加载provider时被调用
-- **函数原型**
- ```c
- int32_t CRYPT_EAL_ProviderInit(
- CRYPT_EAL_ProvMgrCtx *mgrCtx,
- BSL_Param *param,
- CRYPT_EAL_Func *capFuncs,
- CRYPT_EAL_Func **outFuncs,
- void **provCtx
- );
- ```
- - **参数**
- - `mgrCtx`[in] Provider 管理上下文。
- - `param`[in] 初始化 Provider 时的附加参数。
- - `capFuncs`[in] 由管理框架输入的算法数组指针目前支持让用户可以选择使用HITLS提供的默认熵源。
- - `outFuncs`[out] provider对外提供的算法数组指针详情见下文。
- - `provCtx`[out] provider私有结构体如需要可用于在provider管理上下文中保存一些私有数据操作详情见下文可选。
- - **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
-
-- **`outFuncs`数组说明**
-该数组用于传出provider对外提供的三种算法数组其中**算法查询函数必须返回**,其他两个函数可选:
- - **算法查询函数**该函数用于在查找算法时根据传入的算法类别获取provider对外提供的整个算法类别的方法数组:
- **`typedef int32_t (*)(void *provCtx, int32_t operaId, CRYPT_EAL_AlgInfo **algInfos);`**
- - **参数**
- - `provCtx`[in] provider私有结构体可选。
- - `operaId`[in] 算法类别ID。
- - `algInfos`[out] 该算法类别下所有算法的数组指针数组中当算法ID为0时表示结束。
- - **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。
- - **provCtx控制函数**如果provider使用了provCtx,则该函数用于对其进行控制,该函数可以通过`CRYPT_EAL_ProviderCtrl`函数进行调用。
- **`typedef int32_t (*)(void *provCtx, int32_t cmd, void *val, uint32_t valLen);`**
- - **参数**:略
- - **返回值**:略
- - **provCtx释放函数**如果provider使用了provCtx,则该函数用于释放provCtx该函数会在释放资源时被调用。
- **`typedef void (*)(void *provCtx);`**
- - **参数**
- - ·`provCtx`[in] provider私有结构体。
- - **返回值**:无。
-
----
-
-### 4.2 provider构建示例
-
-- **初始化函数示例**
-```c
-static CRYPT_EAL_Func defProvOutFuncs[] = {
- {CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery},
- {CRYPT_EAL_PROVCB_FREE, NULL},
- {CRYPT_EAL_PROVCB_CTRL, NULL},
- CRYPT_EAL_FUNC_END
-};
-
-int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx,
- BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx)
-{
- CRYPT_RandSeedMethod entroy = {0};
- CRYPT_EAL_ProvMgrCtrlCb mgrCtrl = NULL;
- int32_t index = 0;
- while (capFuncs[index].id != 0) {
- switch (capFuncs[index].id) {
- case CRYPT_EAL_CAP_GETENTROPY:
- entroy.getEntropy = capFuncs[index].func;
- break;
- case CRYPT_EAL_CAP_CLEANENTROPY:
- entroy.cleanEntropy = capFuncs[index].func;
- break;
- case CRYPT_EAL_CAP_GETNONCE:
- entroy.getNonce = capFuncs[index].func;
- break;
- case CRYPT_EAL_CAP_CLEANNONCE:
- entroy.cleanNonce = capFuncs[index].func;
- break;
- case CRYPT_EAL_CAP_MGRCTXCTRL:
- mgrCtrl = capFuncs[index].func;
- break;
- default:
- return CRYPT_PROVIDER_ERR_UNEXPECTED_IMPL;
- }
- index++;
- }
- void *seedCtx = NULL;
- void *libCtx = NULL;
- if (entroy.getEntropy == NULL || entroy.cleanEntropy == NULL || entroy.getNonce == NULL ||
- entroy.cleanNonce == NULL || mgrCtrl == NULL) {
- return CRYPT_NULL_INPUT;
- }
- int32_t ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETSEEDCTX, &seedCtx, 0);
- if (ret != CRYPT_SUCCESS) {
- return ret;
- }
- ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETLIBCTX, &libCtx, 0);
- if (ret != CRYPT_SUCCESS) {
- return ret;
- }
- CRYPT_Data entropy = {NULL, 0};
- CRYPT_Range entropyRange = {32, 2147483632};
- ret = entroy.getEntropy(seedCtx, &entropy, 256, &entropyRange);
- if (ret != CRYPT_SUCCESS) {
- return CRYPT_DRBG_FAIL_GET_ENTROPY;
- }
- entroy.cleanEntropy(seedCtx, &entropy);
- // check libCtx
- if (param != NULL) {
- if (param[0].value != libCtx) {
- return CRYPT_INVALID_ARG;
- }
- }
- *outFuncs = defProvOutFuncs;
- return 0;
-}
-```
-- **算法查询函数示例**
-```c
-const CRYPT_EAL_Func defMdMd5[] = {
- {CRYPT_EAL_IMPLMD_NEWCTX, ...},
- {CRYPT_EAL_IMPLMD_INITCTX, ...},
- {CRYPT_EAL_IMPLMD_UPDATE, ...},
- {CRYPT_EAL_IMPLMD_FINAL, ...},
- {CRYPT_EAL_IMPLMD_DEINITCTX, ...},
- {CRYPT_EAL_IMPLMD_DUPCTX, ...},
- {CRYPT_EAL_IMPLMD_CTRL, ...},
- {CRYPT_EAL_IMPLMD_FREECTX, ...},
- CRYPT_EAL_FUNC_END,
-};
-
-static const CRYPT_EAL_AlgInfo defMds[] = {
- ...
- {CRYPT_MD_MD5, defMdMd5, "attr1=temp_attr1,attr2=temp_attr2"},
- ...
- CRYPT_EAL_ALGINFO_END
-};
-
-static int32_t CRYPT_EAL_DefaultProvQuery(void *provCtx, int32_t operaId, const CRYPT_EAL_AlgInfo **algInfos)
-{
- (void) provCtx;
- int32_t ret = CRYPT_SUCCESS;
- switch (operaId) {
- ...
- case CRYPT_EAL_OPERAID_HASH:
- *algInfos = defMds;
- break;
- ...
- default:
- ret = CRYPT_NOT_SUPPORT;
- break;
- }
- return ret;
-}
-```
-
----
-
-## 5. 综合使用示例
-
-```c
-#include "bsl_sal.h"
-#include "crypt_eal_provider.h"
-#include "crypt_eal_implprovider.h"
-#include "crypt_eal_md.h"
-
-/* 调用SM3 算法 */
-
-int main() {
-
-------------------------------------------------------------------------------------------------------
-
-// 调用hitls自带的算法库初始化方式
- // 步骤 1调用eal层的md对外接口直接进行初始化
- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "provider=default");
- ASSERT_TRUE(ctx != NULL);
-
------------------------------------------------
-
-// 在第三方provider中寻找匹配的算法库并初始化方式
- // 步骤 1创建库上下文
- CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew();
- ASSERT_TRUE(libCtx != NULL);
-
- // 步骤 2设置 Provider 加载路径
- int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers");
- ASSERT_TRUE(ret == CRYPT_SUCCESS);
-
- // 步骤 3加载 Provider
- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL);
- ASSERT_TRUE(ret == CRYPT_SUCCESS);
-
- // 步骤 4调用eal层的md对外接口直接进行初始化
- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2");
- ASSERT_TRUE(ctx != NULL);
-
------------------------------------------------
-
-// 第三方provider和hitls提供的算法库混合使用的场景寻找匹配的算法库并初始化方式
- // 步骤 1设置 Provider 加载路径
- int ret = CRYPT_EAL_ProviderSetLoadPath(NULL, "/path/to/providers");
- ASSERT_TRUE(ret == CRYPT_SUCCESS);
-
- // 步骤 2加载 Provider
- ret = CRYPT_EAL_ProviderLoad(NULL, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL);
- ASSERT_TRUE(ret == CRYPT_SUCCESS);
-
- // 步骤 3调用eal层的md对外接口直接进行初始化
- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2");
- ASSERT_TRUE(ctx != NULL);
-
-------------------------------------------------------------------------------------------------------
-
-// 初始化后可进行一系列的算法操作:
- ASSERT_EQ(CRYPT_EAL_MdInit(ctx), CRYPT_SUCCESS);
- ASSERT_EQ(CRYPT_EAL_MdUpdate(ctx, msg->x, msg->len), CRYPT_SUCCESS);
- ASSERT_EQ(CRYPT_EAL_MdFinal(ctx, output, &outLen), CRYPT_SUCCESS);
-
-------------------------------------------------------------------------------------------------------
-
-// 如果初始化时创建了库上下文或者加载了第三方provider,则需要进行释放
- // 卸载 Provider
- ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name");
- ASSERT_TRUE(ret == CRYPT_SUCCESS);
-
- // 释放库上下文
- CRYPT_EAL_LibCtxFree(libCtx);
-
- return 0;
-}
-```
\ No newline at end of file
--
2.42.0.windows.2

1001
0009-add-github-action-for-openhitls-0.1-branch.patch Normal file
View File

File diff suppressed because it is too large Load Diff

120
0010-Rename-get-time-cmd.patch Normal file
View File

@ -0,0 +1,120 @@
From 8c5c5defbf0f4b7536abfb41d6b1b6a24577672a Mon Sep 17 00:00:00 2001
From: Ooohui <zhanghui160@huawei.com>
Date: Tue, 10 Dec 2024 20:39:42 +0800
Subject: [PATCH 10/10] Rename get time cmd
Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/97
---
include/pki/hitls_pki.h | 22 ++++++++++---------
pki/x509_cert/src/hitls_x509_cert.c | 4 ++--
.../pki/cert/test_suite_sdv_x509_cert.c | 4 ++--
.../pki/common/test_suite_sdv_common.c | 4 ++--
4 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/include/pki/hitls_pki.h b/include/pki/hitls_pki.h
index a570e6d..de21f07 100644
--- a/include/pki/hitls_pki.h
+++ b/include/pki/hitls_pki.h
@@ -77,8 +77,8 @@ typedef enum {
HITLS_X509_GET_SUBJECT_DN_STR, /** Get the subject distinguished name as a formatted string */
HITLS_X509_GET_ISSUER_DN_STR, /** Get the issuer distinguished name as a formatted string */
HITLS_X509_GET_SERIALNUM_STR, /** Get the serial number as a string */
- HITLS_X509_GET_BEFORE_TIME, /** Get the validity start time as a string */
- HITLS_X509_GET_AFTER_TIME, /** Get the validity end time as a string */
+ HITLS_X509_GET_BEFORE_TIME_STR, /** Get the validity start time as a string */
+ HITLS_X509_GET_AFTER_TIME_STR, /** Get the validity end time as a string */
HITLS_X509_GET_SUBJECT_DN, /** Get the list of subject distinguished name components.
Note: The list is read-only and should not be modified. */
HITLS_X509_GET_ISSUER_DN, /** Get the list of issuer distinguished name components.
@@ -86,6 +86,8 @@ typedef enum {
HITLS_X509_GET_VERSION, /** Get the version from cert or crl. */
HITLS_X509_GET_REVOKELIST, /** Get the certficate revoke list from the crl. */
HITLS_X509_GET_SERIALNUM, /** Get the serial number of the cert. */
+ HITLS_X509_GET_BEFORE_TIME, /** Get the validity start time */
+ HITLS_X509_GET_AFTER_TIME, /** Get the validity end time */
HITLS_X509_SET_VERSION = 0x0200, /** Set the version for the cert. */
HITLS_X509_SET_SERIALNUM, /** Set the serial number for the cert, the length range is 1 to 20. */
@@ -93,7 +95,7 @@ typedef enum {
HITLS_X509_SET_AFTER_TIME, /** Set the after time for the cert. */
HITLS_X509_SET_PUBKEY, /** Set the public key for the cert/csr. */
HITLS_X509_SET_SUBJECT_DN, /** Set the subject name list. */
- HITLS_X509_SET_ISSUER_DN, /** Set the issuer name list. */
+ HITLS_X509_SET_ISSUER_DN, /** Set the issuer name list. */
HITLS_X509_SET_CSR_EXT, /** Replace the cert's ext with csr's */
HITLS_X509_ADD_SUBJECT_NAME, /** Add the subject name for the cert/csr. */
HITLS_X509_CRL_ADD_REVOKED_CERT, /** Add the revoke cert to crl. */
@@ -103,13 +105,13 @@ typedef enum {
HITLS_X509_EXT_KU_CERTSIGN, /** Check if certificate signing usage is set in key usage extension */
HITLS_X509_EXT_KU_KEYAGREEMENT, /** Check if key agreement usage is set in key usage extension */
- HITLS_X509_EXT_SET_SKI = 0x0400, /** Set the subject key identifier extension. */
- HITLS_X509_EXT_SET_AKI, /** Set the authority key identifier extension. */
- HITLS_X509_EXT_SET_KUSAGE, /** Set the key usage extension. */
- HITLS_X509_EXT_SET_SAN, /** Set the subject alternative name extension. */
- HITLS_X509_EXT_SET_BCONS, /** Set the basic constraints extension. */
- HITLS_X509_EXT_SET_EXKUSAGE, /** Set the extended key usage extension. */
- HITLS_X509_EXT_SET_CRLNUMBER, /** Set the crlnumber extension. */
+ HITLS_X509_EXT_SET_SKI = 0x0400, /** Set the subject key identifier extension. */
+ HITLS_X509_EXT_SET_AKI, /** Set the authority key identifier extension. */
+ HITLS_X509_EXT_SET_KUSAGE, /** Set the key usage extension. */
+ HITLS_X509_EXT_SET_SAN, /** Set the subject alternative name extension. */
+ HITLS_X509_EXT_SET_BCONS, /** Set the basic constraints extension. */
+ HITLS_X509_EXT_SET_EXKUSAGE, /** Set the extended key usage extension. */
+ HITLS_X509_EXT_SET_CRLNUMBER, /** Set the crlnumber extension. */
HITLS_X509_EXT_GET_SKI = 0x0500, /** Get Subject Key Identifier from extensions.
Note: Kid is a shallow copy. */
diff --git a/pki/x509_cert/src/hitls_x509_cert.c b/pki/x509_cert/src/hitls_x509_cert.c
index 707341b..38316c5 100644
--- a/pki/x509_cert/src/hitls_x509_cert.c
+++ b/pki/x509_cert/src/hitls_x509_cert.c
@@ -616,9 +616,9 @@ static int32_t X509_CertGetCtrl(HITLS_X509_Cert *cert, int32_t cmd, void *val, i
return X509_GetSerialNumStr(cert, val);
case HITLS_X509_GET_SERIALNUM:
return HITLS_X509_GetSerial(&cert->tbs.serialNum, val, valLen);
- case HITLS_X509_GET_BEFORE_TIME:
+ case HITLS_X509_GET_BEFORE_TIME_STR:
return X509_GetAsn1BslTimeStr(cert, val, HITLS_X509_BEFORE_TIME);
- case HITLS_X509_GET_AFTER_TIME:
+ case HITLS_X509_GET_AFTER_TIME_STR:
return X509_GetAsn1BslTimeStr(cert, val, HITLS_X509_AFTER_TIME);
default:
BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
diff --git a/testcode/sdv/testcase/pki/cert/test_suite_sdv_x509_cert.c b/testcode/sdv/testcase/pki/cert/test_suite_sdv_x509_cert.c
index 51ae228..3d9dd6a 100644
--- a/testcode/sdv/testcase/pki/cert/test_suite_sdv_x509_cert.c
+++ b/testcode/sdv/testcase/pki/cert/test_suite_sdv_x509_cert.c
@@ -483,12 +483,12 @@ void SDV_X509_CERT_CTRL_FUNC_TC002(char *path, char *expectedSerialNum, char *ex
ASSERT_EQ(serialNum.dataLen, strlen(expectedSerialNum));
ASSERT_EQ(strcmp((char *)serialNum.data, expectedSerialNum), 0);
- ASSERT_EQ(HITLS_X509_CertCtrl(cert, HITLS_X509_GET_BEFORE_TIME, &beforeTime, sizeof(BSL_Buffer)), 0);
+ ASSERT_EQ(HITLS_X509_CertCtrl(cert, HITLS_X509_GET_BEFORE_TIME_STR, &beforeTime, sizeof(BSL_Buffer)), 0);
ASSERT_NE(beforeTime.data, NULL);
ASSERT_EQ(beforeTime.dataLen, strlen(expectedBeforeTime));
ASSERT_EQ(strcmp((char *)beforeTime.data, expectedBeforeTime), 0);
- ASSERT_EQ(HITLS_X509_CertCtrl(cert, HITLS_X509_GET_AFTER_TIME, &afterTime, sizeof(BSL_Buffer)), 0);
+ ASSERT_EQ(HITLS_X509_CertCtrl(cert, HITLS_X509_GET_AFTER_TIME_STR, &afterTime, sizeof(BSL_Buffer)), 0);
ASSERT_NE(afterTime.data, NULL);
ASSERT_EQ (afterTime.dataLen, strlen(expectedAfterTime));
ASSERT_EQ(strcmp((char *)afterTime.data, expectedAfterTime), 0);
diff --git a/testcode/sdv/testcase/pki/common/test_suite_sdv_common.c b/testcode/sdv/testcase/pki/common/test_suite_sdv_common.c
index 792ab2d..e741064 100644
--- a/testcode/sdv/testcase/pki/common/test_suite_sdv_common.c
+++ b/testcode/sdv/testcase/pki/common/test_suite_sdv_common.c
@@ -194,8 +194,8 @@ void SDV_HITLS_X509_CtrlCert_TC001(void)
ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_SUBJECT_DN_STR, NULL, 0), HITLS_X509_ERR_INVALID_PARAM);
ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_ISSUER_DN_STR, NULL, 0), HITLS_X509_ERR_INVALID_PARAM);
ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_SERIALNUM, NULL, 0), HITLS_X509_ERR_INVALID_PARAM);
- ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_BEFORE_TIME, NULL, 0), HITLS_X509_ERR_INVALID_PARAM);
- ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_AFTER_TIME, NULL, 0), HITLS_X509_ERR_INVALID_PARAM);
+ ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_BEFORE_TIME_STR, NULL, 0), HITLS_X509_ERR_INVALID_PARAM);
+ ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_AFTER_TIME_STR, NULL, 0), HITLS_X509_ERR_INVALID_PARAM);
exit:
BSL_GLOBAL_DeInit();
}
--
2.42.0.windows.2

374
0011-fix-the-possible-CBC-Padding-Oracle-vulnerability.patch Normal file
View File

@ -0,0 +1,374 @@
From 24bd3dc68ea74c196b308e5407e662e70e5e9183 Mon Sep 17 00:00:00 2001
From: Liu-Ermeng <liuermeng2@huawei.com>
Date: Mon, 9 Dec 2024 22:28:12 -0800
Subject: [PATCH] fix the possible CBC Padding Oracle vulnerability
Let the padding check and the cacluation to be constant-time, when
using CBC ciphersuite and using MtE(Mac-then-Encrypted) mode, to
resist possible time side channel attacks.
references:
https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/
https://www.isg.rhul.ac.uk/tls/TLStiming.pdf
https://www.imperialviolet.org/2013/02/04/luckythirteen.html
Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/95
---
bsl/include/bsl_bytes.h | 27 +++-
tls/record/src/rec_crypto_cbc.c | 227 ++++++++++++++++++++++++++------
2 files changed, 206 insertions(+), 48 deletions(-)
diff --git a/bsl/include/bsl_bytes.h b/bsl/include/bsl_bytes.h
index 378c84e..aea84dd 100644
--- a/bsl/include/bsl_bytes.h
+++ b/bsl/include/bsl_bytes.h
@@ -201,20 +201,20 @@ static inline void BSL_Uint64ToByte(uint64_t num, uint8_t *data)
}
// if a's MSB is 0, output 0
-// else if a' MSB is 1 output x00ffffffff
+// else if a' MSB is 1 output 0xffffffff
static inline uint32_t Uint32ConstTimeMsb(uint32_t a)
{
// 31 == (4 * 8 - 1)
return 0u - (a >> 31);
}
-// if a is 0, output x00ffffffff, else output 0
+// if a is 0, output 0xffffffff, else output 0
static inline uint32_t Uint32ConstTimeIsZero(uint32_t a)
{
return Uint32ConstTimeMsb(~a & (a - 1));
}
-// if a == b, output x00ffffffff, else output 0
+// if a == b, output 0xffffffff, else output 0
static inline uint32_t Uint32ConstTimeEqual(uint32_t a, uint32_t b)
{
return Uint32ConstTimeIsZero(a ^ b);
@@ -232,24 +232,39 @@ static inline uint32_t Uint8ConstTimeSelect(uint32_t mask, uint8_t a, uint8_t b)
return (((mask) & a) | ((~mask) & b)) & 0xff;
}
-// if a < b, output x00ffffffff, else output 0
+// if a < b, output 0xffffffff, else output 0
static inline uint32_t Uint32ConstTimeLt(uint32_t a, uint32_t b)
{
return Uint32ConstTimeMsb(a ^ ((a ^ b) | ((a - b) ^ a)));
}
-// if a >= b, output x00ffffffff, else output 0
+// if a >= b, output 0xffffffff, else output 0
static inline uint32_t Uint32ConstTimeGe(uint32_t a, uint32_t b)
{
return ~Uint32ConstTimeLt(a, b);
}
-// if a > b, output x00ffffffff, else output 0
+// if a > b, output 0xffffffff, else output 0
static inline uint32_t Uint32ConstTimeGt(uint32_t a, uint32_t b)
{
return Uint32ConstTimeLt(b, a);
}
+static inline uint32_t Uint32ConstTimeLe(uint32_t a, uint32_t b)
+{
+ return Uint32ConstTimeGe(b, a);
+}
+
+// if a == b, return 0xffffffff, else return 0
+static inline uint32_t ConstTimeMemcmp(uint8_t *a, uint8_t *b, uint32_t l)
+{
+ uint8_t r = 0;
+ for (uint32_t i = 0; i < l; i++) {
+ r |= a[i] ^ b[i];
+ }
+ return Uint32ConstTimeIsZero(r);
+}
+
#ifdef __cplusplus
}
#endif /* __cplusplus */
diff --git a/tls/record/src/rec_crypto_cbc.c b/tls/record/src/rec_crypto_cbc.c
index 18931b3..891bbd9 100644
--- a/tls/record/src/rec_crypto_cbc.c
+++ b/tls/record/src/rec_crypto_cbc.c
@@ -27,6 +27,7 @@
#include "rec_crypto_cbc.h"
#define CBC_PADDING_LEN_TAG_SIZE 1u
+#define HMAC_MAX_BLEN 144
uint8_t RecConnGetCbcPaddingLen(uint8_t blockLen, uint32_t plaintextLen)
{
@@ -102,53 +103,200 @@ static int32_t RecConnCbcCheckCryptMsg(TLS_Ctx *ctx, const RecConnState *state,
return HITLS_SUCCESS;
}
-static int32_t RecConnCbcCheckDecryptPadding(TLS_Ctx *ctx, const REC_TextInput *cryptMsg, uint8_t *data,
- uint32_t plaintextLen, uint32_t offset)
+static int32_t RecConnCbcDecCheckPaddingEtM(TLS_Ctx *ctx, const REC_TextInput *cryptMsg, uint8_t *plain,
+ uint32_t plainLen, uint32_t offset)
{
const RecConnState *state = ctx->recCtx->readStates.currentState;
- uint8_t mac[MAX_DIGEST_SIZE] = {0};
- uint32_t macLen = MAX_DIGEST_SIZE;
- uint8_t paddingLen = data[plaintextLen - 1];
+ uint8_t padLen = plain[plainLen - 1];
-#ifdef HITLS_TLS_FEATURE_ETM
- if (cryptMsg->isEncryptThenMac && (plaintextLen < paddingLen + CBC_PADDING_LEN_TAG_SIZE)) {
+ if (cryptMsg->isEncryptThenMac && (plainLen < padLen + CBC_PADDING_LEN_TAG_SIZE)) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15399, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"record cbc mode decrypt error: ciphertext len = %u, plaintext len = %u, mac len = %u, padding len = %u.",
- cryptMsg->textLen - offset - state->suiteInfo->macLen, plaintextLen, state->suiteInfo->macLen, paddingLen);
- return RecordSendAlertMsg(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_RECORD_MAC);
- }
-#endif
- if ((plaintextLen < state->suiteInfo->macLen + paddingLen + CBC_PADDING_LEN_TAG_SIZE)
-#ifdef HITLS_TLS_FEATURE_ETM
- && !cryptMsg->isEncryptThenMac
-#endif
- ) {
- BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15928, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
- "record cbc mode decrypt error: ciphertext len = %u, plaintext len = %u, mac len = %u, padding len = %u.",
- cryptMsg->textLen - offset, plaintextLen, state->suiteInfo->macLen, paddingLen);
- /* Anti-side channel attack: Calculate the MAC address even if the padding is incorrect */
- (void)RecConnGenerateMac(state->suiteInfo, cryptMsg, mac, &macLen);
+ cryptMsg->textLen - offset - state->suiteInfo->macLen, plainLen, state->suiteInfo->macLen, padLen);
return RecordSendAlertMsg(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_RECORD_MAC);
}
- for (uint32_t i = 1; i <= paddingLen; i++) {
- if (data[plaintextLen - 1 - i] != paddingLen) {
+ for (uint32_t i = 1; i <= padLen; i++) {
+ if (plain[plainLen - 1 - i] != padLen) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15400, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"record cbc mode decrypt error: padding len = %u, %u-to-last padding data = %u.",
- paddingLen, i, data[plaintextLen - 1 - i], 0);
- /* Anti-side channel attack: Calculate the MAC address even if the padding is incorrect */
-#ifdef HITLS_TLS_FEATURE_ETM
- if (!cryptMsg->isEncryptThenMac)
-#endif
- {
- (void)RecConnGenerateMac(state->suiteInfo, cryptMsg, mac, &macLen);
- }
+ padLen, i, plain[plainLen - 1 - i], 0);
return RecordSendAlertMsg(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_RECORD_MAC);
}
}
return HITLS_SUCCESS;
}
+static uint32_t GetHashOfMac(HITLS_MacAlgo macAlgo)
+{
+ switch (macAlgo) {
+ case HITLS_MAC_1:
+ return HITLS_HASH_SHA1;
+ case HITLS_MAC_256:
+ return HITLS_HASH_SHA_256;
+ case HITLS_MAC_224:
+ return HITLS_HASH_SHA_224;
+ case HITLS_MAC_384:
+ return HITLS_HASH_SHA_384;
+ case HITLS_MAC_512:
+ return HITLS_HASH_SHA_512;
+#ifdef HITLS_TLS_PROTO_TLCP11
+ case HITLS_MAC_SM3:
+ return HITLS_HASH_SM3;
+#endif
+ default:
+ BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15388, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
+ "CBC encrypt error: unsupport MAC algorithm = %u.", macAlgo, 0, 0, 0);
+ break;
+ }
+ return HITLS_HASH_BUTT;
+}
+
+static uint32_t GetHmacBLen(HITLS_MacAlgo macAlgo)
+{
+ switch (macAlgo) {
+ case HITLS_MAC_1:
+ case HITLS_MAC_224:
+ case HITLS_MAC_256:
+ case HITLS_MAC_SM3:
+ return 64; // Blen of upper hmac is 64.
+ case HITLS_MAC_384:
+ case HITLS_MAC_512:
+ return 128; // Blen of upper hmac is 128.
+ default:
+ // should never be here.
+ return 0;
+ }
+}
+
+/**
+ * a constant-time implemenation of HMAC to prevent side-channel attacks
+ * reference: https://datatracker.ietf.org/doc/html/rfc2104#autoid-2
+ */
+
+static int32_t ConstTimeHmac(RecConnSuitInfo *suiteInfo, HITLS_HASH_Ctx **hashCtx, uint32_t good,
+ const REC_TextInput *cryptMsg, uint8_t *data, uint32_t dataLen, uint8_t *mac, uint32_t *macLen)
+{
+ HITLS_HASH_Ctx *obCtx = hashCtx[2];
+ uint32_t padLen = data[dataLen - 1];
+ padLen = Uint32ConstTimeSelect(good, padLen, 0);
+ uint32_t plainLen = dataLen - (suiteInfo->macLen + padLen + 1);
+ plainLen = Uint32ConstTimeSelect(good, plainLen, 0);
+
+ uint32_t blen = GetHmacBLen(suiteInfo->macAlg);
+ uint8_t ipad[HMAC_MAX_BLEN] = {0};
+ uint8_t opad[HMAC_MAX_BLEN * 2] = {0};
+ uint8_t key[HMAC_MAX_BLEN] = {0};
+ uint8_t ihash[MAX_DIGEST_SIZE] = {0};
+ uint32_t ihashLen = sizeof(ihash);
+ (void)memcpy_s(key, sizeof(key), suiteInfo->macKey, suiteInfo->macKeyLen);
+ for (uint32_t i = 0; i < blen; i++) {
+ ipad[i] = key[i] ^ 0x36;
+ opad[i] = key[i] ^ 0x5c;
+ }
+
+ // update K xor ipad
+ (void)SAL_CRYPT_DigestUpdate(hashCtx[0], ipad, blen);
+ // update the obscureHashCtx simultaneously
+ (void)SAL_CRYPT_DigestUpdate(obCtx, ipad, blen);
+
+ /**
+ * constant-time update plaintext to resist lucky13
+ * ref: https://www.isg.rhul.ac.uk/tls/TLStiming.pdf
+ */
+ uint8_t header[13] = {0}; // seq + record type
+ uint32_t pos = 0;
+ (void)memcpy_s(header, sizeof(header), cryptMsg->seq, REC_CONN_SEQ_SIZE);
+ pos += REC_CONN_SEQ_SIZE;
+ header[pos++] = cryptMsg->type;
+ BSL_Uint16ToByte(cryptMsg->version, header + pos);
+ pos += sizeof(uint16_t);
+ BSL_Uint16ToByte((uint16_t)plainLen, header + pos);
+ (void)SAL_CRYPT_DigestUpdate(hashCtx[0], header, sizeof(header));
+ (void)SAL_CRYPT_DigestUpdate(obCtx, header, sizeof(header));
+
+ uint32_t maxLen = dataLen - (suiteInfo->macLen + 1);
+ maxLen = Uint32ConstTimeSelect(good, maxLen, dataLen);
+ uint32_t flag = Uint32ConstTimeGt(maxLen, 256); // the value of 1 byte is up to 256
+ uint32_t minLen = Uint32ConstTimeSelect(flag, maxLen - 256, 0);
+ pos = 0;
+ (void)SAL_CRYPT_DigestUpdate(hashCtx[0], data, minLen);
+ (void)SAL_CRYPT_DigestUpdate(obCtx, data, minLen);
+ pos += minLen;
+ for (uint32_t i = minLen; i < maxLen; i++) {
+ if (i < plainLen) {
+ SAL_CRYPT_DigestUpdate(hashCtx[0], data + i, 1);
+ } else {
+ SAL_CRYPT_DigestUpdate(obCtx, data + i, 1);
+ }
+ }
+ (void)SAL_CRYPT_DigestFinal(hashCtx[0], ihash, &ihashLen);
+ (void)memcpy_s(opad + blen, MAX_DIGEST_SIZE, ihash, ihashLen);
+
+ // update (K xor opad) + ihash
+ (void)SAL_CRYPT_DigestUpdate(hashCtx[1], opad, blen + ihashLen);
+ (void)SAL_CRYPT_DigestFinal(hashCtx[1], mac, macLen);
+
+ BSL_SAL_CleanseData(ipad, sizeof(ipad));
+ BSL_SAL_CleanseData(opad, sizeof(opad));
+ BSL_SAL_CleanseData(key, sizeof(key));
+
+ return HITLS_SUCCESS;
+}
+
+static inline uint32_t ConstTimeSelectMemcmp(uint32_t good, uint8_t *a, uint8_t *b, uint32_t l)
+{
+ uint8_t *t = (good == 0) ? b : a;
+ return ConstTimeMemcmp(t, b, l);
+}
+
+static int32_t RecConnCbcDecMtECheckMacTls(TLS_Ctx *ctx, const REC_TextInput *cryptMsg,
+ uint8_t *plain, uint32_t plainLen)
+{
+ const RecConnState *state = ctx->recCtx->readStates.currentState;
+ uint32_t hashAlg = GetHashOfMac(state->suiteInfo->macAlg);
+ if (hashAlg == HITLS_HASH_BUTT) {
+ return HITLS_CRYPT_ERR_HMAC;
+ }
+
+ HITLS_HASH_Ctx *ihashCtx = NULL;
+ HITLS_HASH_Ctx *ohashCtx = NULL;
+ HITLS_HASH_Ctx *obscureHashCtx = NULL;
+ ihashCtx = SAL_CRYPT_DigestInit(hashAlg);
+ ohashCtx = SAL_CRYPT_DigestCopy(ihashCtx);
+ obscureHashCtx = SAL_CRYPT_DigestCopy(ihashCtx);
+ if (ihashCtx == NULL || ohashCtx == NULL || obscureHashCtx == NULL) {
+ SAL_CRYPT_DigestFree(ihashCtx);
+ SAL_CRYPT_DigestFree(ohashCtx);
+ SAL_CRYPT_DigestFree(obscureHashCtx);
+ return HITLS_REC_ERR_GENERATE_MAC;
+ }
+
+ uint8_t mac[MAX_DIGEST_SIZE] = {0};
+ uint32_t macLen = sizeof(mac);
+ uint8_t padLen = plain[plainLen - 1];
+
+ uint32_t good = Uint32ConstTimeGe(plainLen, state->suiteInfo->macLen + padLen + 1);
+
+ // constant-time check padding bytes
+ for (uint32_t i = 1; i <= 255; i++) {
+ uint32_t mask = good & Uint32ConstTimeLe(i, padLen);
+ good &= Uint32ConstTimeEqual(plain[plainLen - 1 - (i & mask)], padLen);
+ }
+
+ HITLS_HASH_Ctx *hashCtxs[3] = {ihashCtx, ohashCtx, obscureHashCtx};
+ ConstTimeHmac(state->suiteInfo, hashCtxs, good, cryptMsg, plain, plainLen, mac, &macLen);
+
+ // check mac
+ padLen = Uint32ConstTimeSelect(good, padLen, 0);
+ plainLen -= state->suiteInfo->macLen + padLen + 1;
+ good &= ConstTimeSelectMemcmp(good, &plain[plainLen], mac, macLen);
+ SAL_CRYPT_DigestFree(ihashCtx);
+ SAL_CRYPT_DigestFree(ohashCtx);
+ SAL_CRYPT_DigestFree(obscureHashCtx);
+ return ~good;
+}
+
static int32_t RecConnCbcDecryptByMacThenEncrypt(TLS_Ctx *ctx, const RecConnState *state, const REC_TextInput *cryptMsg,
uint8_t *data, uint32_t *dataLen)
{
@@ -180,18 +328,13 @@ static int32_t RecConnCbcDecryptByMacThenEncrypt(TLS_Ctx *ctx, const RecConnStat
}
/* Check padding and padding length */
- ret = RecConnCbcCheckDecryptPadding(ctx, cryptMsg, data, plaintextLen, offset);
+ ret = RecConnCbcDecMtECheckMacTls(ctx, cryptMsg, data, plaintextLen);
if (ret != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17244, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
- "RecConnCbcCheckDecryptPadding fail", 0, 0, 0, 0);
- return ret;
+ "RecConnCbcDecMtECheckMacTls fail", 0, 0, 0, 0);
+ return RecordSendAlertMsg(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_RECORD_MAC);
}
- plaintextLen -= data[plaintextLen - 1] + CBC_PADDING_LEN_TAG_SIZE;
-
- /* Check MAC */
- ret = RecConnCheckMac(ctx, state->suiteInfo, cryptMsg, data, plaintextLen);
- plaintextLen -= state->suiteInfo->macLen;
- *dataLen = plaintextLen;
+ *dataLen = plaintextLen - (state->suiteInfo->macLen + data[plaintextLen - 1] + CBC_PADDING_LEN_TAG_SIZE);
return ret;
}
@@ -237,10 +380,10 @@ static int32_t RecConnCbcDecryptByEncryptThenMac(TLS_Ctx *ctx, const RecConnStat
/* Check padding and padding length */
uint8_t paddingLen = data[plaintextLen - 1];
- ret = RecConnCbcCheckDecryptPadding(ctx, cryptMsg, data, plaintextLen, offset);
+ ret = RecConnCbcDecCheckPaddingEtM(ctx, cryptMsg, data, plaintextLen, offset);
if (ret != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17247, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
- "RecConnCbcCheckDecryptPadding fail", 0, 0, 0, 0);
+ "RecConnCbcDecCheckPaddingEtM fail", 0, 0, 0, 0);
return ret;
}
*dataLen = plaintextLen - paddingLen - CBC_PADDING_LEN_TAG_SIZE;
--
2.42.0.windows.2

17
openhitls.spec
View File

@ -5,10 +5,22 @@
Name: openhitls Name: openhitls
Summary: Cryptography and SSL/TLS Toolkit Summary: Cryptography and SSL/TLS Toolkit
Version: 0.1.0 Version: 0.1.0
Release: 2 Release: 3
License: Mulan PSL V2 License: Mulan PSL V2
URL: https://www.openhitls.net/ URL: https://www.openhitls.net/
Source0: https://raw.gitcode.com/openHiTLS/openHiTLS/archive/refs/heads/%{name}-%{version}.tar.gz Source0: https://raw.gitcode.com/openHiTLS/openHiTLS/archive/refs/heads/%{name}-%{version}.tar.gz
# Add all patch files in order
Patch0: 0001-provider_revise.patch
Patch1: 0002-param_revise.patch
Patch2: 0003-add-default-user-id-using-tlcp.patch
Patch3: 0004-init-add-const.patch
Patch4: 0005-add-uio_mem-comment.patch
Patch5: 0006-Rename-Refactor-some-code.patch
Patch6: 0007-provider-document.patch
Patch7: 0008-fix-some-bugs.patch
Patch8: 0009-add-github-action-for-openhitls-0.1-branch.patch
Patch9: 0010-Rename-get-time-cmd.patch
Patch10: 0011-fix-the-possible-CBC-Padding-Oracle-vulnerability.patch
BuildRoot: %{_tmppath}/%{name}-v%{release}-build BuildRoot: %{_tmppath}/%{name}-v%{release}-build
BuildRequires: gcc cmake make rpm libboundscheck BuildRequires: gcc cmake make rpm libboundscheck
@ -95,6 +107,9 @@ sleep 1
%doc README-zh.md %doc README-zh.md
%changelog %changelog
* Wed Dec 11 2024 xuhuiyue <xuhuiyue@huawei.com> - 0.1.0-3
- Package update
* Wed Nov 27 2024 xuhuiyue <xuhuiyue@huawei.com> - 0.1.0-2 * Wed Nov 27 2024 xuhuiyue <xuhuiyue@huawei.com> - 0.1.0-2
- Package update - Package update