From 695a980c9fe1b085dd4f63f5a6552c2104455761 Mon Sep 17 00:00:00 2001 From: xuhuiyue Date: Wed, 11 Dec 2024 20:36:28 +0800 Subject: [PATCH] Update patch Signed-off-by: xuhuiyue (cherry picked from commit 1cae02f84d65c32a283141bf1a44c04e2df97c3b) --- 0001-provider_revise.patch | 107 ++ 0002-param_revise.patch | 27 + 0003-add-default-user-id-using-tlcp.patch | 45 + 0004-init-add-const.patch | 607 ++++++++ 0005-add-uio_mem-comment.patch | 25 + 0006-Rename-Refactor-some-code.patch | 1243 +++++++++++++++++ 0007-provider-document.patch | 966 +++++++++++++ 0008-fix-some-bugs.patch | 987 +++++++++++++ ...thub-action-for-openhitls-0.1-branch.patch | 1001 +++++++++++++ 0010-Rename-get-time-cmd.patch | 120 ++ ...ble-CBC-Padding-Oracle-vulnerability.patch | 374 +++++ openhitls.spec | 17 +- 12 files changed, 5518 insertions(+), 1 deletion(-) create mode 100644 0001-provider_revise.patch create mode 100644 0002-param_revise.patch create mode 100644 0003-add-default-user-id-using-tlcp.patch create mode 100644 0004-init-add-const.patch create mode 100644 0005-add-uio_mem-comment.patch create mode 100644 0006-Rename-Refactor-some-code.patch create mode 100644 0007-provider-document.patch create mode 100644 0008-fix-some-bugs.patch create mode 100644 0009-add-github-action-for-openhitls-0.1-branch.patch create mode 100644 0010-Rename-get-time-cmd.patch create mode 100644 0011-fix-the-possible-CBC-Padding-Oracle-vulnerability.patch diff --git a/0001-provider_revise.patch b/0001-provider_revise.patch new file mode 100644 index 0000000..36b3ba1 --- /dev/null +++ b/0001-provider_revise.patch @@ -0,0 +1,107 @@ +From c6d38fb0fed60a8203afce7e90fdb9434d1d728e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E7=A6=BB=E6=A0=87=E9=87=8F?= <875922464@qq.com> +Date: Thu, 28 Nov 2024 17:56:09 +0800 +Subject: [PATCH 01/10] provider_revise + +--- + crypto/provider/src/mgr/crypt_provider.c | 2 +- + testcode/sdv/testcase/bsl/sal/test_suite_sdv_sal_dl.data | 2 +- + testcode/testdata/provider/provider_load_test1.c | 2 +- + testcode/testdata/provider/provider_load_test2.c | 2 +- + testcode/testdata/provider/provider_load_test_no_fullfunc.c | 2 +- + testcode/testdata/provider/provider_load_test_providerNoFree.c | 2 +- + testcode/testdata/provider/provider_load_test_providerNoInit.c | 2 +- + 7 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/crypto/provider/src/mgr/crypt_provider.c b/crypto/provider/src/mgr/crypt_provider.c +index 29f7983..a1184dd 100644 +--- a/crypto/provider/src/mgr/crypt_provider.c ++++ b/crypto/provider/src/mgr/crypt_provider.c +@@ -29,7 +29,7 @@ + #include "crypt_provider.h" + + // Name of the dl initialization function +-#define PROVIDER_INIT_FUNC "CRYPT_EAL_ProviderInitcb" ++#define PROVIDER_INIT_FUNC "CRYPT_EAL_ProviderInit" + + // Maximum length of search path + #define DEFAULT_PROVIDER_PATH_LEN_MAX 4095 +diff --git a/testcode/sdv/testcase/bsl/sal/test_suite_sdv_sal_dl.data b/testcode/sdv/testcase/bsl/sal/test_suite_sdv_sal_dl.data +index ac72427..a89ed9e 100644 +--- a/testcode/sdv/testcase/bsl/sal/test_suite_sdv_sal_dl.data ++++ b/testcode/sdv/testcase/bsl/sal/test_suite_sdv_sal_dl.data +@@ -1,5 +1,5 @@ + SDV_BSL_SAL_DL_FUNC_TC001 +-SDV_BSL_SAL_DL_FUNC_TC001:"../testdata/provider/path1/libprovider_load_test1.so":"../testdata/provider/path1/libprovider_load_test2.so":"../testdata/provider/path1/libprovider_load_test_no_init.so":"CRYPT_EAL_ProviderInitcb" ++SDV_BSL_SAL_DL_FUNC_TC001:"../testdata/provider/path1/libprovider_load_test1.so":"../testdata/provider/path1/libprovider_load_test2.so":"../testdata/provider/path1/libprovider_load_test_no_init.so":"CRYPT_EAL_ProviderInit" + + SDV_BSL_SAL_CONVERTER_NAME_TC001 #1 + SDV_BSL_SAL_CONVERTER_NAME_TC001:"provider_load_test1":1:"provider_load_test1.so" +diff --git a/testcode/testdata/provider/provider_load_test1.c b/testcode/testdata/provider/provider_load_test1.c +index 3f2792e..395b746 100644 +--- a/testcode/testdata/provider/provider_load_test1.c ++++ b/testcode/testdata/provider/provider_load_test1.c +@@ -200,7 +200,7 @@ static CRYPT_EAL_Func defProvOutFuncs[] = { + CRYPT_EAL_FUNC_END + }; + +-int32_t CRYPT_EAL_ProviderInitcb(CRYPT_EAL_ProvMgrCtx *mgrCtx, ++int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, + BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx) + { + CRYPT_RandSeedMethod entroy = {0}; +diff --git a/testcode/testdata/provider/provider_load_test2.c b/testcode/testdata/provider/provider_load_test2.c +index 2e29649..1aeb53c 100644 +--- a/testcode/testdata/provider/provider_load_test2.c ++++ b/testcode/testdata/provider/provider_load_test2.c +@@ -99,7 +99,7 @@ static CRYPT_EAL_Func defProvOutFuncs[] = { + CRYPT_EAL_FUNC_END + }; + +-int32_t CRYPT_EAL_ProviderInitcb(CRYPT_EAL_ProvMgrCtx *mgrCtx, ++int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, + BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx) + { + *outFuncs = defProvOutFuncs; +diff --git a/testcode/testdata/provider/provider_load_test_no_fullfunc.c b/testcode/testdata/provider/provider_load_test_no_fullfunc.c +index c1cd9d4..b081d76 100644 +--- a/testcode/testdata/provider/provider_load_test_no_fullfunc.c ++++ b/testcode/testdata/provider/provider_load_test_no_fullfunc.c +@@ -58,7 +58,7 @@ int32_t CRYPT_EAL_ProvCtrlCb(void *provCtx, int32_t cmd, void *val, uint32_t val + return 0; + } + +-int32_t CRYPT_EAL_ProviderInitcb(CRYPT_EAL_ProvMgrCtx *mgrCtx, ++int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, + BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx) + { + return 0; +diff --git a/testcode/testdata/provider/provider_load_test_providerNoFree.c b/testcode/testdata/provider/provider_load_test_providerNoFree.c +index dc3e68a..972e309 100644 +--- a/testcode/testdata/provider/provider_load_test_providerNoFree.c ++++ b/testcode/testdata/provider/provider_load_test_providerNoFree.c +@@ -200,7 +200,7 @@ static CRYPT_EAL_Func defProvOutFuncs[] = { + CRYPT_EAL_FUNC_END + }; + +-int32_t CRYPT_EAL_ProviderInitcb(CRYPT_EAL_ProvMgrCtx *mgrCtx, ++int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, + BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx) + { + *outFuncs = defProvOutFuncs; +diff --git a/testcode/testdata/provider/provider_load_test_providerNoInit.c b/testcode/testdata/provider/provider_load_test_providerNoInit.c +index e60d8d0..6588ec2 100644 +--- a/testcode/testdata/provider/provider_load_test_providerNoInit.c ++++ b/testcode/testdata/provider/provider_load_test_providerNoInit.c +@@ -200,7 +200,7 @@ static CRYPT_EAL_Func defProvOutFuncs[] = { + CRYPT_EAL_FUNC_END + }; + +-int32_t CRYPT_EAL_ProviderInitcb(CRYPT_EAL_ProvMgrCtx *mgrCtx, ++int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, + BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx) + { + *outFuncs = defProvOutFuncs; +-- +2.42.0.windows.2 + diff --git a/0002-param_revise.patch b/0002-param_revise.patch new file mode 100644 index 0000000..ee438e8 --- /dev/null +++ b/0002-param_revise.patch @@ -0,0 +1,27 @@ +From bf7eaa89d82947e1ebf8920d9a3a14555386e875 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E7=A6=BB=E6=A0=87=E9=87=8F?= <875922464@qq.com> +Date: Thu, 28 Nov 2024 19:59:31 +0800 +Subject: [PATCH 02/10] param_revise + +--- + include/crypto/crypt_params_key.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/crypto/crypt_params_key.h b/include/crypto/crypt_params_key.h +index 417a919..d99cfe6 100644 +--- a/include/crypto/crypt_params_key.h ++++ b/include/crypto/crypt_params_key.h +@@ -99,8 +99,8 @@ extern "C" { + #define CRYPT_PARAM_RAND_SEED_CLEANNONCE (CRYPT_PARAM_RAND_BASE + 6) + + #define CRYPT_PARAM_CURVE25519_BASE 700 +-#define CRYPT_PARAM_CURVE25519_PUBKEY (CRYPT_PARAM_RAND_BASE + 1) +-#define CRYPT_PARAM_CURVE25519_PRVKEY (CRYPT_PARAM_RAND_BASE + 2) ++#define CRYPT_PARAM_CURVE25519_PUBKEY (CRYPT_PARAM_CURVE25519_BASE + 1) ++#define CRYPT_PARAM_CURVE25519_PRVKEY (CRYPT_PARAM_CURVE25519_BASE + 2) + + #ifdef __cplusplus + } +-- +2.42.0.windows.2 + diff --git a/0003-add-default-user-id-using-tlcp.patch b/0003-add-default-user-id-using-tlcp.patch new file mode 100644 index 0000000..8396c5b --- /dev/null +++ b/0003-add-default-user-id-using-tlcp.patch @@ -0,0 +1,45 @@ +From 5430cec97c1adae56b6b6c696f6c861ad4234cbb Mon Sep 17 00:00:00 2001 +From: JerryDevis +Date: Fri, 29 Nov 2024 15:45:39 +0800 +Subject: [PATCH 03/10] add default user id using tlcp + +--- + tls/cert/hitls_x509_adapt/hitls_x509_crypto.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/tls/cert/hitls_x509_adapt/hitls_x509_crypto.c b/tls/cert/hitls_x509_adapt/hitls_x509_crypto.c +index 1755a37..11430ec 100644 +--- a/tls/cert/hitls_x509_adapt/hitls_x509_crypto.c ++++ b/tls/cert/hitls_x509_adapt/hitls_x509_crypto.c +@@ -52,7 +52,7 @@ CRYPT_MD_AlgId GetCryptHashAlgFromCertHashAlg(HITLS_HashAlgo hashAlgo) + return CRYPT_MD_MAX; + } + +-static int32_t SetRsaEmsa(CRYPT_EAL_PkeyCtx *ctx, HITLS_SignAlgo signAlgo, CRYPT_MD_AlgId mdAlgId) ++static int32_t SetPkeySignParam(CRYPT_EAL_PkeyCtx *ctx, HITLS_SignAlgo signAlgo, CRYPT_MD_AlgId mdAlgId) + { + if (signAlgo == HITLS_SIGN_RSA_PKCS1_V15) { + int32_t pad = mdAlgId; +@@ -65,6 +65,10 @@ static int32_t SetRsaEmsa(CRYPT_EAL_PkeyCtx *ctx, HITLS_SignAlgo signAlgo, CRYPT + {CRYPT_PARAM_RSA_SALTLEN, BSL_PARAM_TYPE_INT32, &saltLen, sizeof(saltLen), 0}, + BSL_PARAM_END}; + return CRYPT_EAL_PkeyCtrl(ctx, CRYPT_CTRL_SET_RSA_EMSA_PSS, pssParam, 0); ++ } else if (signAlgo == HITLS_SIGN_SM2) { ++ /* The default user id as specified in GM/T 0009-2012 */ ++ char sm2DefaultUserid[] = "1234567812345678"; ++ return CRYPT_EAL_PkeyCtrl(ctx, CRYPT_CTRL_SET_SM2_USER_ID, sm2DefaultUserid, strlen(sm2DefaultUserid)); + } + + return HITLS_SUCCESS; +@@ -78,7 +82,7 @@ static int32_t SignOrVerifySignPre(CRYPT_EAL_PkeyCtx *ctx, HITLS_SignAlgo signAl + BSL_ERR_PUSH_ERROR(HITLS_X509_ADAPT_ERR); + return HITLS_X509_ADAPT_ERR; + } +- return SetRsaEmsa(ctx, signAlgo, *mdAlgId); ++ return SetPkeySignParam(ctx, signAlgo, *mdAlgId); + } + + int32_t HITLS_X509_Adapt_CreateSign(HITLS_Ctx *ctx, HITLS_CERT_Key *key, HITLS_SignAlgo signAlgo, +-- +2.42.0.windows.2 + diff --git a/0004-init-add-const.patch b/0004-init-add-const.patch new file mode 100644 index 0000000..9e797c0 --- /dev/null +++ b/0004-init-add-const.patch @@ -0,0 +1,607 @@ +From 2c5f84885c9f107f943da46e1372bd9e4539e87d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E7=A6=BB=E6=A0=87=E9=87=8F?= <875922464@qq.com> +Date: Sat, 30 Nov 2024 18:15:19 +0800 +Subject: [PATCH 04/10] init add const + +--- + crypto/hmac/include/crypt_hmac.h | 2 +- + crypto/hmac/src/hmac.c | 2 +- + crypto/include/crypt_local_types.h | 6 +++--- + crypto/md5/include/crypt_md5.h | 2 +- + crypto/md5/src/md5.c | 2 +- + crypto/modes/include/crypt_modes_cbc.h | 2 +- + crypto/modes/include/crypt_modes_ccm.h | 2 +- + crypto/modes/include/crypt_modes_cfb.h | 2 +- + crypto/modes/include/crypt_modes_chacha20poly1305.h | 2 +- + crypto/modes/include/crypt_modes_ctr.h | 2 +- + crypto/modes/include/crypt_modes_ecb.h | 2 +- + crypto/modes/include/crypt_modes_gcm.h | 2 +- + crypto/modes/include/crypt_modes_ofb.h | 2 +- + crypto/modes/include/crypt_modes_xts.h | 2 +- + crypto/modes/src/modes_cbc.c | 2 +- + crypto/modes/src/modes_ccm.c | 2 +- + crypto/modes/src/modes_cfb.c | 2 +- + crypto/modes/src/modes_chacha20_poly1305.c | 2 +- + crypto/modes/src/modes_ctr.c | 2 +- + crypto/modes/src/modes_ecb.c | 2 +- + crypto/modes/src/modes_gcm.c | 2 +- + crypto/modes/src/modes_ofb.c | 2 +- + crypto/modes/src/modes_xts.c | 2 +- + crypto/sha1/include/crypt_sha1.h | 2 +- + crypto/sha1/src/sha1.c | 2 +- + crypto/sha2/include/crypt_sha2.h | 8 ++++---- + crypto/sha2/src/sha2_256.c | 4 ++-- + crypto/sha2/src/sha2_512.c | 4 ++-- + crypto/sha3/include/crypt_sha3.h | 12 ++++++------ + crypto/sha3/src/sha3.c | 12 ++++++------ + crypto/sm3/include/crypt_sm3.h | 2 +- + crypto/sm3/src/sm3_public.c | 2 +- + include/crypto/crypt_eal_implprovider.h | 6 +++--- + 33 files changed, 52 insertions(+), 52 deletions(-) + +diff --git a/crypto/hmac/include/crypt_hmac.h b/crypto/hmac/include/crypt_hmac.h +index 22e68dd..ecddd3c 100644 +--- a/crypto/hmac/include/crypt_hmac.h ++++ b/crypto/hmac/include/crypt_hmac.h +@@ -33,7 +33,7 @@ extern "C" { + typedef struct HMAC_Ctx CRYPT_HMAC_Ctx; + + CRYPT_HMAC_Ctx *CRYPT_HMAC_NewCtx(CRYPT_MAC_AlgId id); +-int32_t CRYPT_HMAC_Init(CRYPT_HMAC_Ctx *ctx, const uint8_t *key, uint32_t len, BSL_Param *param); ++int32_t CRYPT_HMAC_Init(CRYPT_HMAC_Ctx *ctx, const uint8_t *key, uint32_t len, const BSL_Param *param); + int32_t CRYPT_HMAC_Update(CRYPT_HMAC_Ctx *ctx, const uint8_t *in, uint32_t len); + int32_t CRYPT_HMAC_Final(CRYPT_HMAC_Ctx *ctx, uint8_t *out, uint32_t *len); + void CRYPT_HMAC_Reinit(CRYPT_HMAC_Ctx *ctx); +diff --git a/crypto/hmac/src/hmac.c b/crypto/hmac/src/hmac.c +index e626659..10b294f 100644 +--- a/crypto/hmac/src/hmac.c ++++ b/crypto/hmac/src/hmac.c +@@ -93,7 +93,7 @@ static void HmacCleanseData(uint8_t *tmp, uint32_t tmpLen, uint8_t *ipad, uint32 + BSL_SAL_CleanseData(opad, opadLen); + } + +-int32_t CRYPT_HMAC_Init(CRYPT_HMAC_Ctx *ctx, const uint8_t *key, uint32_t len, BSL_Param *param) ++int32_t CRYPT_HMAC_Init(CRYPT_HMAC_Ctx *ctx, const uint8_t *key, uint32_t len, const BSL_Param *param) + { + if (ctx == NULL || ctx->method == NULL || (key == NULL && len != 0)) { + BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT); +diff --git a/crypto/include/crypt_local_types.h b/crypto/include/crypt_local_types.h +index d4e1352..1ed48a1 100644 +--- a/crypto/include/crypt_local_types.h ++++ b/crypto/include/crypt_local_types.h +@@ -31,7 +31,7 @@ typedef int32_t (*GetLenFunc)(const void *ctx); + /* Prototype of the MD algorithm operation functions */ + typedef void* (*MdNewCtx)(void); + typedef void* (*MdProvNewCtx)(void *provCtx, int32_t algId); +-typedef int32_t (*MdInit)(void *data, BSL_Param *param); ++typedef int32_t (*MdInit)(void *data, const BSL_Param *param); + typedef int32_t (*MdUpdate)(void *data, const uint8_t *input, uint32_t len); + typedef int32_t (*MdFinal)(void *data, uint8_t *out, uint32_t *len); + typedef void (*MdDeinit)(void *data); +@@ -180,7 +180,7 @@ typedef enum { + typedef void *(*CipherNewCtx)(int32_t alg); + typedef void *(*CipherProvNewCtx)(void *provCtx, int32_t alg); + typedef int32_t (*CipherInitCtx)(void *ctx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc); ++ uint32_t ivLen, const BSL_Param *param, bool enc); + typedef int32_t (*CipherDeInitCtx)(void *ctx); + typedef int32_t (*CipherUpdate)(void *ctx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen); + typedef int32_t (*CipherFinal)(void *ctx, uint8_t *out, uint32_t *outLen); +@@ -233,7 +233,7 @@ typedef struct { + typedef void* (*MacNewCtx)(CRYPT_MAC_AlgId id); + typedef void* (*MacProvNewCtx)(void *provCtx, int32_t algId); + // Complete key initialization. +-typedef int32_t (*MacInit)(void *ctx, const uint8_t *key, uint32_t len, BSL_Param *param); ++typedef int32_t (*MacInit)(void *ctx, const uint8_t *key, uint32_t len, const BSL_Param *param); + typedef int32_t (*MacUpdate)(void *ctx, const uint8_t *in, uint32_t len); + typedef int32_t (*MacFinal)(void *ctx, const uint8_t *out, uint32_t *len); + typedef void (*MacDeinit)(void *ctx); +diff --git a/crypto/md5/include/crypt_md5.h b/crypto/md5/include/crypt_md5.h +index 5c2b438..a206349 100644 +--- a/crypto/md5/include/crypt_md5.h ++++ b/crypto/md5/include/crypt_md5.h +@@ -58,7 +58,7 @@ void CRYPT_MD5_FreeCtx(CRYPT_MD5_Ctx *ctx); + * @retval #CRYPT_SUCCESS Initialization succeeded. + * @retval #CRYPT_NULL_INPUT Pointer ctx is NULL + */ +-int32_t CRYPT_MD5_Init(CRYPT_MD5_Ctx *ctx, BSL_Param *param); ++int32_t CRYPT_MD5_Init(CRYPT_MD5_Ctx *ctx, const BSL_Param *param); + + /** + * @ingroup MD5 +diff --git a/crypto/md5/src/md5.c b/crypto/md5/src/md5.c +index 22c51f0..a28fc01 100644 +--- a/crypto/md5/src/md5.c ++++ b/crypto/md5/src/md5.c +@@ -55,7 +55,7 @@ void CRYPT_MD5_FreeCtx(CRYPT_MD5_Ctx *ctx) + BSL_SAL_ClearFree(ctx, sizeof(CRYPT_MD5_Ctx)); + } + +-int32_t CRYPT_MD5_Init(CRYPT_MD5_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_MD5_Init(CRYPT_MD5_Ctx *ctx, const BSL_Param *param) + { + if (ctx == NULL) { + BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT); +diff --git a/crypto/modes/include/crypt_modes_cbc.h b/crypto/modes/include/crypt_modes_cbc.h +index bf9890a..9bead46 100644 +--- a/crypto/modes/include/crypt_modes_cbc.h ++++ b/crypto/modes/include/crypt_modes_cbc.h +@@ -53,7 +53,7 @@ int32_t SM4_CBC_InitCtx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t k + + int32_t MODES_CBC_UpdateEx(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen); + int32_t MODES_CBC_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc); ++ uint32_t ivLen, const BSL_Param *param, bool enc); + int32_t MODES_CBC_FinalEx(MODES_CipherCtx *modeCtx, uint8_t *out, uint32_t *outLen); + #ifdef __cplusplus + } +diff --git a/crypto/modes/include/crypt_modes_ccm.h b/crypto/modes/include/crypt_modes_ccm.h +index 43eff90..00b3db5 100644 +--- a/crypto/modes/include/crypt_modes_ccm.h ++++ b/crypto/modes/include/crypt_modes_ccm.h +@@ -32,7 +32,7 @@ typedef struct ModesCcmCtx MODES_CCM_Ctx; + // CCM mode universal implementation + MODES_CCM_Ctx *MODES_CCM_NewCtx(int32_t algId); + int32_t MODES_CCM_InitCtx(MODES_CCM_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc); ++ uint32_t ivLen, const BSL_Param *param, bool enc); + + int32_t MODES_CCM_Update(MODES_CCM_Ctx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen); + int32_t MODES_CCM_Final(MODES_CCM_Ctx *modeCtx, uint8_t *out, uint32_t *outLen); +diff --git a/crypto/modes/include/crypt_modes_cfb.h b/crypto/modes/include/crypt_modes_cfb.h +index 8ff6f99..e421a57 100644 +--- a/crypto/modes/include/crypt_modes_cfb.h ++++ b/crypto/modes/include/crypt_modes_cfb.h +@@ -50,7 +50,7 @@ int32_t SM4_CFB_Update(MODES_CFB_Ctx *modeCtx, const uint8_t *in, uint32_t inLen + + + int32_t MODES_CFB_InitCtxEx(MODES_CFB_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc); ++ uint32_t ivLen, const BSL_Param *param, bool enc); + int32_t MODES_CFB_UpdateEx(MODES_CFB_Ctx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen); + + #ifdef __cplusplus +diff --git a/crypto/modes/include/crypt_modes_chacha20poly1305.h b/crypto/modes/include/crypt_modes_chacha20poly1305.h +index 8841c93..42ff76c 100644 +--- a/crypto/modes/include/crypt_modes_chacha20poly1305.h ++++ b/crypto/modes/include/crypt_modes_chacha20poly1305.h +@@ -32,7 +32,7 @@ typedef struct ModesChaChaCtx MODES_CHACHAPOLY_Ctx; + + MODES_CHACHAPOLY_Ctx *MODES_CHACHA20POLY1305_NewCtx(int32_t algId); + int32_t MODES_CHACHA20POLY1305_InitCtx(MODES_CHACHAPOLY_Ctx *modeCtx, const uint8_t *key, +- uint32_t keyLen, const uint8_t *iv, uint32_t ivLen, BSL_Param *param, bool enc); ++ uint32_t keyLen, const uint8_t *iv, uint32_t ivLen, const BSL_Param *param, bool enc); + + int32_t MODES_CHACHA20POLY1305_Update(MODES_CHACHAPOLY_Ctx *modeCtx, const uint8_t *in, uint32_t inLen, + uint8_t *out, uint32_t *outLen); +diff --git a/crypto/modes/include/crypt_modes_ctr.h b/crypto/modes/include/crypt_modes_ctr.h +index 989044f..5f64239 100644 +--- a/crypto/modes/include/crypt_modes_ctr.h ++++ b/crypto/modes/include/crypt_modes_ctr.h +@@ -48,7 +48,7 @@ int32_t SM4_CTR_InitCtx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t k + uint32_t ivLen, bool enc); + + int32_t MODES_CTR_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc); ++ uint32_t ivLen, const BSL_Param *param, bool enc); + + int32_t MODES_CTR_UpdateEx(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen); + +diff --git a/crypto/modes/include/crypt_modes_ecb.h b/crypto/modes/include/crypt_modes_ecb.h +index b906d25..a41d8dd 100644 +--- a/crypto/modes/include/crypt_modes_ecb.h ++++ b/crypto/modes/include/crypt_modes_ecb.h +@@ -50,7 +50,7 @@ int32_t SM4_ECB_Update(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inL + int32_t SM4_ECB_Final(MODES_CipherCtx *modeCtx, uint8_t *out, uint32_t *outLen); + + int32_t MODES_ECB_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc); ++ uint32_t ivLen, const BSL_Param *param, bool enc); + + int32_t MODES_ECB_UpdateEx(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen); + int32_t MODES_ECB_FinalEx(MODES_CipherCtx *modeCtx, uint8_t *out, uint32_t *outLen); +diff --git a/crypto/modes/include/crypt_modes_gcm.h b/crypto/modes/include/crypt_modes_gcm.h +index f3aa95f..5212cb5 100644 +--- a/crypto/modes/include/crypt_modes_gcm.h ++++ b/crypto/modes/include/crypt_modes_gcm.h +@@ -49,7 +49,7 @@ int32_t SM4_GCM_InitCtx(MODES_GCM_Ctx *modeCtx, const uint8_t *key, uint32_t key + int32_t SM4_GCM_Update(MODES_GCM_Ctx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen); + + int32_t MODES_GCM_InitCtxEx(MODES_GCM_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc); ++ uint32_t ivLen, const BSL_Param *param, bool enc); + + int32_t MODES_GCM_UpdateEx(MODES_GCM_Ctx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen); + +diff --git a/crypto/modes/include/crypt_modes_ofb.h b/crypto/modes/include/crypt_modes_ofb.h +index b346522..43ebfbf 100644 +--- a/crypto/modes/include/crypt_modes_ofb.h ++++ b/crypto/modes/include/crypt_modes_ofb.h +@@ -46,7 +46,7 @@ int32_t SM4_OFB_InitCtx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t k + int32_t SM4_OFB_Update(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen); + + int32_t MODES_OFB_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc); ++ uint32_t ivLen, const BSL_Param *param, bool enc); + + int32_t MODES_OFB_UpdateEx(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen); + +diff --git a/crypto/modes/include/crypt_modes_xts.h b/crypto/modes/include/crypt_modes_xts.h +index d310048..9281262 100644 +--- a/crypto/modes/include/crypt_modes_xts.h ++++ b/crypto/modes/include/crypt_modes_xts.h +@@ -46,7 +46,7 @@ int32_t SM4_XTS_InitCtx(MODES_XTS_Ctx *modeCtx, const uint8_t *key, uint32_t key + uint32_t ivLen, bool enc); + + int32_t MODES_XTS_InitCtxEx(MODES_XTS_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc); ++ uint32_t ivLen, const BSL_Param *param, bool enc); + + int32_t MODES_XTS_UpdateEx(MODES_XTS_Ctx *modeCtx, const uint8_t *in, uint32_t inLen, uint8_t *out, uint32_t *outLen); + #ifdef __cplusplus +diff --git a/crypto/modes/src/modes_cbc.c b/crypto/modes/src/modes_cbc.c +index c4b2ba5..94a8cb2 100644 +--- a/crypto/modes/src/modes_cbc.c ++++ b/crypto/modes/src/modes_cbc.c +@@ -207,7 +207,7 @@ int32_t MODES_CBC_UpdateEx(MODES_CipherCtx *modeCtx, const uint8_t *in, uint32_t + } + } + int32_t MODES_CBC_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc) ++ uint32_t ivLen, const BSL_Param *param, bool enc) + { + (void)param; + if (modeCtx == NULL) { +diff --git a/crypto/modes/src/modes_ccm.c b/crypto/modes/src/modes_ccm.c +index dcc8e19..26320d9 100644 +--- a/crypto/modes/src/modes_ccm.c ++++ b/crypto/modes/src/modes_ccm.c +@@ -536,7 +536,7 @@ MODES_CCM_Ctx *MODES_CCM_NewCtx(int32_t algId) + } + + int32_t MODES_CCM_InitCtx(MODES_CCM_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc) ++ uint32_t ivLen, const BSL_Param *param, bool enc) + { + (void)param; + if (modeCtx == NULL) { +diff --git a/crypto/modes/src/modes_cfb.c b/crypto/modes/src/modes_cfb.c +index 87a95dd..8b14251 100644 +--- a/crypto/modes/src/modes_cfb.c ++++ b/crypto/modes/src/modes_cfb.c +@@ -404,7 +404,7 @@ void MODES_CFB_FreeCtx(MODES_CFB_Ctx *modeCtx) + } + + int32_t MODES_CFB_InitCtxEx(MODES_CFB_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc) ++ uint32_t ivLen, const BSL_Param *param, bool enc) + { + (void) param; + if (modeCtx == NULL) { +diff --git a/crypto/modes/src/modes_chacha20_poly1305.c b/crypto/modes/src/modes_chacha20_poly1305.c +index 3f12ffd..0ca6913 100644 +--- a/crypto/modes/src/modes_chacha20_poly1305.c ++++ b/crypto/modes/src/modes_chacha20_poly1305.c +@@ -346,7 +346,7 @@ MODES_CHACHAPOLY_Ctx *MODES_CHACHA20POLY1305_NewCtx(int32_t algId) + } + + int32_t MODES_CHACHA20POLY1305_InitCtx(MODES_CHACHAPOLY_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, +- const uint8_t *iv, uint32_t ivLen, BSL_Param *param, bool enc) ++ const uint8_t *iv, uint32_t ivLen, const BSL_Param *param, bool enc) + { + (void)param; + if (modeCtx == NULL) { +diff --git a/crypto/modes/src/modes_ctr.c b/crypto/modes/src/modes_ctr.c +index 0841bc0..a6f72cb 100644 +--- a/crypto/modes/src/modes_ctr.c ++++ b/crypto/modes/src/modes_ctr.c +@@ -148,7 +148,7 @@ void MODES_CTR_FreeCtx(MODES_CipherCtx *modeCtx) + } + + int32_t MODES_CTR_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc) ++ uint32_t ivLen, const BSL_Param *param, bool enc) + { + (void)param; + if (modeCtx == NULL) { +diff --git a/crypto/modes/src/modes_ecb.c b/crypto/modes/src/modes_ecb.c +index 8129bc6..b7d23a0 100644 +--- a/crypto/modes/src/modes_ecb.c ++++ b/crypto/modes/src/modes_ecb.c +@@ -147,7 +147,7 @@ void MODES_ECB_FreeCtx(MODES_CipherCtx *modeCtx) + } + + int32_t MODES_ECB_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc) ++ uint32_t ivLen, const BSL_Param *param, bool enc) + { + (void)param; + if (modeCtx == NULL) { +diff --git a/crypto/modes/src/modes_gcm.c b/crypto/modes/src/modes_gcm.c +index 79664b3..128fb50 100644 +--- a/crypto/modes/src/modes_gcm.c ++++ b/crypto/modes/src/modes_gcm.c +@@ -523,7 +523,7 @@ void MODES_GCM_FreeCtx(MODES_GCM_Ctx *modeCtx) + + + int32_t MODES_GCM_InitCtxEx(MODES_GCM_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc) ++ uint32_t ivLen, const BSL_Param *param, bool enc) + { + (void)param; + if (modeCtx == NULL) { +diff --git a/crypto/modes/src/modes_ofb.c b/crypto/modes/src/modes_ofb.c +index 5e9caff..c3131b2 100644 +--- a/crypto/modes/src/modes_ofb.c ++++ b/crypto/modes/src/modes_ofb.c +@@ -137,7 +137,7 @@ void MODES_OFB_FreeCtx(MODES_CipherCtx *modeCtx) + } + + int32_t MODES_OFB_InitCtxEx(MODES_CipherCtx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc) ++ uint32_t ivLen, const BSL_Param *param, bool enc) + { + (void) param; + if (modeCtx == NULL) { +diff --git a/crypto/modes/src/modes_xts.c b/crypto/modes/src/modes_xts.c +index 5e52196..0b55dd6 100644 +--- a/crypto/modes/src/modes_xts.c ++++ b/crypto/modes/src/modes_xts.c +@@ -438,7 +438,7 @@ void MODES_XTS_FreeCtx(MODES_XTS_Ctx *modeCtx) + + + int32_t MODES_XTS_InitCtxEx(MODES_XTS_Ctx *modeCtx, const uint8_t *key, uint32_t keyLen, const uint8_t *iv, +- uint32_t ivLen, BSL_Param *param, bool enc) ++ uint32_t ivLen, const BSL_Param *param, bool enc) + { + (void) param; + if (modeCtx == NULL) { +diff --git a/crypto/sha1/include/crypt_sha1.h b/crypto/sha1/include/crypt_sha1.h +index 1360d03..e5a89ff 100644 +--- a/crypto/sha1/include/crypt_sha1.h ++++ b/crypto/sha1/include/crypt_sha1.h +@@ -62,7 +62,7 @@ void CRYPT_SHA1_FreeCtx(CRYPT_SHA1_Ctx *ctx); + * @retval #CRYPT_SUCCESS initialization succeeded. + * @retval #CRYPT_NULL_INPUT Pointer ctx is NULL + */ +-int32_t CRYPT_SHA1_Init(CRYPT_SHA1_Ctx *ctx, BSL_Param *param); ++int32_t CRYPT_SHA1_Init(CRYPT_SHA1_Ctx *ctx, const BSL_Param *param); + + /** + * @ingroup SHA1 +diff --git a/crypto/sha1/src/sha1.c b/crypto/sha1/src/sha1.c +index fc619ee..265fab7 100644 +--- a/crypto/sha1/src/sha1.c ++++ b/crypto/sha1/src/sha1.c +@@ -57,7 +57,7 @@ void CRYPT_SHA1_FreeCtx(CRYPT_SHA1_Ctx *ctx) + /* e767 is because H is defined in SHA1 and MD5. + But the both the macros are different. So masked + this error */ +-int32_t CRYPT_SHA1_Init(CRYPT_SHA1_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SHA1_Init(CRYPT_SHA1_Ctx *ctx, const BSL_Param *param) + { + if (ctx == NULL) { + BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT); +diff --git a/crypto/sha2/include/crypt_sha2.h b/crypto/sha2/include/crypt_sha2.h +index 7ebc447..20c476a 100644 +--- a/crypto/sha2/include/crypt_sha2.h ++++ b/crypto/sha2/include/crypt_sha2.h +@@ -94,7 +94,7 @@ void CRYPT_SHA2_224_FreeCtx(CRYPT_SHA2_224_Ctx *ctx); + * @retval #CRYPT_SUCCESS ctx is initialized + * @retval #CRYPT_NULL_INPUT ctx is NULL + */ +-int32_t CRYPT_SHA2_224_Init(CRYPT_SHA2_224_Ctx *ctx, BSL_Param *param); ++int32_t CRYPT_SHA2_224_Init(CRYPT_SHA2_224_Ctx *ctx, const BSL_Param *param); + + /** + * @defgroup CRYPT_SHA2_224_Update +@@ -196,7 +196,7 @@ void CRYPT_SHA2_256_FreeCtx(CRYPT_SHA2_256_Ctx *ctx); + * @retval #CRYPT_SUCCESS ctx is initialized + * @retval #CRYPT_NULL_INPUT ctx is NULL + */ +-int32_t CRYPT_SHA2_256_Init(CRYPT_SHA2_256_Ctx *ctx, BSL_Param *param); ++int32_t CRYPT_SHA2_256_Init(CRYPT_SHA2_256_Ctx *ctx, const BSL_Param *param); + + /** + * @defgroup CRYPT_SHA2_256_Update +@@ -299,7 +299,7 @@ void CRYPT_SHA2_384_FreeCtx(CRYPT_SHA2_384_Ctx *ctx); + * @retval #CRYPT_SUCCESS ctx is initialized + * @retval #CRYPT_NULL_INPUT ctx is NULL + */ +-int32_t CRYPT_SHA2_384_Init(CRYPT_SHA2_384_Ctx *ctx, BSL_Param *param); ++int32_t CRYPT_SHA2_384_Init(CRYPT_SHA2_384_Ctx *ctx, const BSL_Param *param); + + /** + * @ingroup LLF Low Level Functions +@@ -397,7 +397,7 @@ void CRYPT_SHA2_512_FreeCtx(CRYPT_SHA2_512_Ctx *ctx); + * @retval #CRYPT_SUCCESS ctx is initialized + * @retval #CRYPT_NULL_INPUT ctx is NULL + */ +-int32_t CRYPT_SHA2_512_Init(CRYPT_SHA2_512_Ctx *ctx, BSL_Param *param); ++int32_t CRYPT_SHA2_512_Init(CRYPT_SHA2_512_Ctx *ctx, const BSL_Param *param); + + /** + * @ingroup LLF Low Level Functions +diff --git a/crypto/sha2/src/sha2_256.c b/crypto/sha2/src/sha2_256.c +index 729e44a..db55f88 100644 +--- a/crypto/sha2/src/sha2_256.c ++++ b/crypto/sha2/src/sha2_256.c +@@ -48,7 +48,7 @@ void CRYPT_SHA2_256_FreeCtx(CRYPT_SHA2_256_Ctx *ctx) + BSL_SAL_ClearFree(ctx, sizeof(CRYPT_SHA2_256_Ctx)); + } + +-int32_t CRYPT_SHA2_256_Init(CRYPT_SHA2_256_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SHA2_256_Init(CRYPT_SHA2_256_Ctx *ctx, const BSL_Param *param) + { + if (ctx == NULL) { + BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT); +@@ -286,7 +286,7 @@ void CRYPT_SHA2_224_FreeCtx(CRYPT_SHA2_224_Ctx *ctx) + BSL_SAL_ClearFree(ctx, sizeof(CRYPT_SHA2_224_Ctx)); + } + +-int32_t CRYPT_SHA2_224_Init(CRYPT_SHA2_224_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SHA2_224_Init(CRYPT_SHA2_224_Ctx *ctx, const BSL_Param *param) + { + if (ctx == NULL) { + BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT); +diff --git a/crypto/sha2/src/sha2_512.c b/crypto/sha2/src/sha2_512.c +index d7db263..30379f1 100644 +--- a/crypto/sha2/src/sha2_512.c ++++ b/crypto/sha2/src/sha2_512.c +@@ -87,7 +87,7 @@ void CRYPT_SHA2_512_FreeCtx(CRYPT_SHA2_512_Ctx *ctx) + BSL_SAL_ClearFree(ctx, sizeof(CRYPT_SHA2_512_Ctx)); + } + +-int32_t CRYPT_SHA2_512_Init(CRYPT_SHA2_512_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SHA2_512_Init(CRYPT_SHA2_512_Ctx *ctx, const BSL_Param *param) + { + if (ctx == NULL) { + BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT); +@@ -284,7 +284,7 @@ void CRYPT_SHA2_384_FreeCtx(CRYPT_SHA2_384_Ctx *ctx) + BSL_SAL_ClearFree(ctx, sizeof(CRYPT_SHA2_384_Ctx)); + } + +-int32_t CRYPT_SHA2_384_Init(CRYPT_SHA2_384_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SHA2_384_Init(CRYPT_SHA2_384_Ctx *ctx, const BSL_Param *param) + { + if (ctx == NULL) { + BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT); +diff --git a/crypto/sha3/include/crypt_sha3.h b/crypto/sha3/include/crypt_sha3.h +index 7306a59..997de83 100644 +--- a/crypto/sha3/include/crypt_sha3.h ++++ b/crypto/sha3/include/crypt_sha3.h +@@ -87,15 +87,15 @@ void CRYPT_SHAKE256_FreeCtx(CRYPT_SHAKE256_Ctx* ctx); + // free context + + // Initialize the context +-int32_t CRYPT_SHA3_224_Init(CRYPT_SHA3_224_Ctx *ctx, BSL_Param *param); ++int32_t CRYPT_SHA3_224_Init(CRYPT_SHA3_224_Ctx *ctx, const BSL_Param *param); + +-int32_t CRYPT_SHA3_256_Init(CRYPT_SHA3_256_Ctx *ctx, BSL_Param *param); ++int32_t CRYPT_SHA3_256_Init(CRYPT_SHA3_256_Ctx *ctx, const BSL_Param *param); + +-int32_t CRYPT_SHA3_384_Init(CRYPT_SHA3_384_Ctx *ctx, BSL_Param *param); ++int32_t CRYPT_SHA3_384_Init(CRYPT_SHA3_384_Ctx *ctx, const BSL_Param *param); + +-int32_t CRYPT_SHA3_512_Init(CRYPT_SHA3_512_Ctx *ctx, BSL_Param *param); +-int32_t CRYPT_SHAKE128_Init(CRYPT_SHAKE128_Ctx *ctx, BSL_Param *param); +-int32_t CRYPT_SHAKE256_Init(CRYPT_SHAKE256_Ctx *ctx, BSL_Param *param); ++int32_t CRYPT_SHA3_512_Init(CRYPT_SHA3_512_Ctx *ctx, const BSL_Param *param); ++int32_t CRYPT_SHAKE128_Init(CRYPT_SHAKE128_Ctx *ctx, const BSL_Param *param); ++int32_t CRYPT_SHAKE256_Init(CRYPT_SHAKE256_Ctx *ctx, const BSL_Param *param); + + // Data update API + int32_t CRYPT_SHA3_224_Update(CRYPT_SHA3_224_Ctx *ctx, const uint8_t *in, uint32_t len); +diff --git a/crypto/sha3/src/sha3.c b/crypto/sha3/src/sha3.c +index aecddd2..b408be9 100644 +--- a/crypto/sha3/src/sha3.c ++++ b/crypto/sha3/src/sha3.c +@@ -214,42 +214,42 @@ void CRYPT_SHAKE256_FreeCtx(CRYPT_SHAKE256_Ctx* ctx) + CRYPT_SHA3_FreeCtx(ctx); + } + +-int32_t CRYPT_SHA3_224_Init(CRYPT_SHA3_224_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SHA3_224_Init(CRYPT_SHA3_224_Ctx *ctx, const BSL_Param *param) + { + (void) param; + // 0x06 is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html + return CRYPT_SHA3_Init(ctx, CRYPT_SHA3_224_DIGESTSIZE, CRYPT_SHA3_224_BLOCKSIZE, 0x06); + } + +-int32_t CRYPT_SHA3_256_Init(CRYPT_SHA3_256_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SHA3_256_Init(CRYPT_SHA3_256_Ctx *ctx, const BSL_Param *param) + { + (void) param; + // 0x06 is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html + return CRYPT_SHA3_Init(ctx, CRYPT_SHA3_256_DIGESTSIZE, CRYPT_SHA3_256_BLOCKSIZE, 0x06); + } + +-int32_t CRYPT_SHA3_384_Init(CRYPT_SHA3_384_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SHA3_384_Init(CRYPT_SHA3_384_Ctx *ctx, const BSL_Param *param) + { + (void) param; + // 0x06 is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html + return CRYPT_SHA3_Init(ctx, CRYPT_SHA3_384_DIGESTSIZE, CRYPT_SHA3_384_BLOCKSIZE, 0x06); + } + +-int32_t CRYPT_SHA3_512_Init(CRYPT_SHA3_512_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SHA3_512_Init(CRYPT_SHA3_512_Ctx *ctx, const BSL_Param *param) + { + (void) param; + // 0x06 is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html + return CRYPT_SHA3_Init(ctx, CRYPT_SHA3_512_DIGESTSIZE, CRYPT_SHA3_512_BLOCKSIZE, 0x06); + } + +-int32_t CRYPT_SHAKE128_Init(CRYPT_SHAKE128_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SHAKE128_Init(CRYPT_SHAKE128_Ctx *ctx, const BSL_Param *param) + { + (void) param; + // 0x1f is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html + return CRYPT_SHA3_Init(ctx, 0, CRYPT_SHAKE128_BLOCKSIZE, 0x1F); + } + +-int32_t CRYPT_SHAKE256_Init(CRYPT_SHAKE256_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SHAKE256_Init(CRYPT_SHAKE256_Ctx *ctx, const BSL_Param *param) + { + (void) param; + // 0x1f is SHA3 padding character, see https://keccak.team/keccak_specs_summary.html +diff --git a/crypto/sm3/include/crypt_sm3.h b/crypto/sm3/include/crypt_sm3.h +index 2a173c1..3c1f6ee 100644 +--- a/crypto/sm3/include/crypt_sm3.h ++++ b/crypto/sm3/include/crypt_sm3.h +@@ -60,7 +60,7 @@ void CRYPT_SM3_FreeCtx(CRYPT_SM3_Ctx *ctx); + * @retval #CRYPT_SUCCESS initialization succeeded. + * @retval #CRYPT_NULL_INPUT Pointer ctx is NULL + */ +-int32_t CRYPT_SM3_Init(CRYPT_SM3_Ctx *ctx, BSL_Param *param); ++int32_t CRYPT_SM3_Init(CRYPT_SM3_Ctx *ctx, const BSL_Param *param); + + /** + * @ingroup SM3 +diff --git a/crypto/sm3/src/sm3_public.c b/crypto/sm3/src/sm3_public.c +index 169f4b8..5a18820 100644 +--- a/crypto/sm3/src/sm3_public.c ++++ b/crypto/sm3/src/sm3_public.c +@@ -49,7 +49,7 @@ void CRYPT_SM3_FreeCtx(CRYPT_SM3_Ctx *ctx) + BSL_SAL_ClearFree(ctx, sizeof(CRYPT_SM3_Ctx)); + } + +-int32_t CRYPT_SM3_Init(CRYPT_SM3_Ctx *ctx, BSL_Param *param) ++int32_t CRYPT_SM3_Init(CRYPT_SM3_Ctx *ctx, const BSL_Param *param) + { + if (ctx == NULL) { + BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT); +diff --git a/include/crypto/crypt_eal_implprovider.h b/include/crypto/crypt_eal_implprovider.h +index d99c1c3..6d0377b 100644 +--- a/include/crypto/crypt_eal_implprovider.h ++++ b/include/crypto/crypt_eal_implprovider.h +@@ -109,7 +109,7 @@ typedef int32_t (*CRYPT_EAL_ImplProviderInit)(CRYPT_EAL_ProvMgrCtx *mgrCtx, BSL_ + + typedef void *(*CRYPT_EAL_ImplCipherNewCtx)(void *provCtx, int32_t algId); + typedef int32_t (*CRYPT_EAL_ImplCipherInitCtx)(void *ctx, const uint8_t *key, uint32_t keyLen, +- const uint8_t *iv, uint32_t ivLen, BSL_Param *param, bool enc); ++ const uint8_t *iv, uint32_t ivLen, const BSL_Param *param, bool enc); + typedef int32_t (*CRYPT_EAL_ImplCipherUpdate)(void *ctx, const uint8_t *in, uint32_t inLen, + uint8_t *out, uint32_t *outLen); + typedef int32_t (*CRYPT_EAL_ImplCipherFinal)(void *ctx, const uint8_t *in, uint32_t inLen, +@@ -198,7 +198,7 @@ typedef int32_t (*CRYPT_EAL_ImplPkeyExchCtrl)(void *ctx, int32_t cmd, void *val, + #define CRYPT_EAL_IMPLMD_FREECTX 8 + + typedef void *(*CRYPT_EAL_ImplMdNewCtx)(void *provCtx, int32_t algId); +-typedef int32_t (*CRYPT_EAL_ImplMdInitCtx)(void *ctx, BSL_Param *param); ++typedef int32_t (*CRYPT_EAL_ImplMdInitCtx)(void *ctx, const BSL_Param *param); + typedef int32_t (*CRYPT_EAL_ImplMdUpdate)(const void *ctx, const uint8_t *input, uint32_t len); + typedef int32_t (*CRYPT_EAL_ImplMdFinal)(const void *ctx, uint8_t *out, uint32_t *outLen); + typedef int32_t (*CRYPT_EAL_ImplMdDeInitCtx)(void *ctx); +@@ -217,7 +217,7 @@ typedef void (*CRYPT_EAL_ImplMdFreeCtx)(void *ctx); + #define CRYPT_EAL_IMPLMAC_FREECTX 8 + + typedef void *(*CRYPT_EAL_ImplMacNewCtx)(void *provCtx, int32_t algId); +-typedef int32_t (*CRYPT_EAL_ImplMacInit)(void *ctx, const uint8_t *key, uint32_t len, BSL_Param *param); ++typedef int32_t (*CRYPT_EAL_ImplMacInit)(void *ctx, const uint8_t *key, uint32_t len, const BSL_Param *param); + typedef int32_t (*CRYPT_EAL_ImplMacUpdate)(const void *ctx, const uint8_t *input, uint32_t len); + typedef int32_t (*CRYPT_EAL_ImplMacFinal)(const void *ctx, uint8_t *out, uint32_t *outLen); + typedef int32_t (*CRYPT_EAL_ImplMacDeInitCtx)(void *ctx); +-- +2.42.0.windows.2 + diff --git a/0005-add-uio_mem-comment.patch b/0005-add-uio_mem-comment.patch new file mode 100644 index 0000000..a7db27c --- /dev/null +++ b/0005-add-uio_mem-comment.patch @@ -0,0 +1,25 @@ +From 1534ca08d8b6e909604f9c71781bc7c28a4d95b5 Mon Sep 17 00:00:00 2001 +From: baoyi84930 +Date: Mon, 2 Dec 2024 17:32:06 +0800 +Subject: [PATCH 05/10] add uio_mem comment + +Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/90 +--- + config/macro_config/hitls_config_layer_bsl.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/config/macro_config/hitls_config_layer_bsl.h b/config/macro_config/hitls_config_layer_bsl.h +index ad8fbe8..5a20447 100644 +--- a/config/macro_config/hitls_config_layer_bsl.h ++++ b/config/macro_config/hitls_config_layer_bsl.h +@@ -54,6 +54,7 @@ + #endif + #endif + ++/* Derive the child-features of uio mem. */ + #if defined(HITLS_BSL_UIO_MEM) + #ifndef HITLS_BSL_SAL_MEM + #define HITLS_BSL_UIO_MEM +-- +2.42.0.windows.2 + diff --git a/0006-Rename-Refactor-some-code.patch b/0006-Rename-Refactor-some-code.patch new file mode 100644 index 0000000..74d5c2a --- /dev/null +++ b/0006-Rename-Refactor-some-code.patch @@ -0,0 +1,1243 @@ +From e025d7d94583fe2ab83b68358f1399ed5f834c21 Mon Sep 17 00:00:00 2001 +From: Ooohui +Date: Wed, 4 Dec 2024 17:34:42 +0800 +Subject: [PATCH 06/10] Rename/Refactor some code + +--- + bsl/sal/src/sal_dl.c | 14 +++--- + bsl/usrdata/src/usr_data.c | 2 +- + crypto/eal/src/eal_cipher.c | 2 +- + crypto/eal/src/eal_drbg_local.h | 2 +- + crypto/eal/src/eal_kdf.c | 2 +- + crypto/eal/src/eal_mac.c | 2 +- + crypto/eal/src/eal_md.c | 2 +- + crypto/eal/src/eal_pkey_gen.c | 11 ++--- + crypto/eal/src/eal_rand.c | 2 +- + crypto/eal/src/eal_rand_method.c | 2 +- + crypto/include/crypt_local_types.h | 2 - + crypto/provider/include/crypt_provider.h | 4 +- + crypto/provider/src/mgr/crypt_provider.c | 44 ++++++------------- + .../provider/src/mgr/crypt_provider_common.c | 17 ++++--- + .../provider/src/mgr/crypt_provider_compare.c | 7 ++- + .../provider/src/mgr/crypt_provider_local.h | 2 +- + include/bsl/bsl_sal.h | 14 +++--- + include/bsl/bsl_user_data.h | 2 +- + include/crypto/crypt_eal_implprovider.h | 5 +-- + include/crypto/crypt_eal_provider.h | 22 +++++----- + include/pki/hitls_pki.h | 29 ++++++------ + pki/pkcs12/src/hitls_pkcs12_common.c | 4 +- + pki/x509_cert/include/hitls_cert_local.h | 2 +- + pki/x509_cert/src/hitls_x509_cert.c | 4 +- + pki/x509_common/include/hitls_x509_local.h | 4 +- + pki/x509_common/src/hitls_x509_attrs.c | 4 +- + pki/x509_common/src/hitls_x509_common.c | 9 ++-- + pki/x509_common/src/hitls_x509_ctrl.c | 6 +-- + pki/x509_common/src/hitls_x509_ext.c | 3 +- + pki/x509_crl/include/hitls_crl_local.h | 2 +- + pki/x509_crl/src/hitls_x509_crl.c | 6 +-- + pki/x509_csr/src/hitls_x509_csr.c | 6 +-- + pki/x509_verify/src/hitls_x509_verify.c | 18 +++----- + testcode/framework/crypto/crypto_test_util.h | 2 +- + testcode/framework/include/test.h | 2 +- + testcode/framework/stub/stub_replace.h | 2 +- + .../tls/func_wrapper/src/rec_wrapper.c | 2 +- + .../framework/tls/resource/src/channel_res.c | 2 +- + testcode/framework/tls/resource/src/tls_res.c | 4 +- + .../test_suite_sdv_eal_provider_load.c | 30 ++++++------- + .../test_suite_sdv_eal_provider_load.data | 2 +- + .../hitls_x509_adapt/hitls_x509_cert_magr.c | 1 - + 42 files changed, 134 insertions(+), 170 deletions(-) + +diff --git a/bsl/sal/src/sal_dl.c b/bsl/sal/src/sal_dl.c +index b9b4006..876c15e 100644 +--- a/bsl/sal/src/sal_dl.c ++++ b/bsl/sal/src/sal_dl.c +@@ -35,7 +35,7 @@ static BSL_SAL_DlCallback g_dlCallback = {0}; + #define BSL_SAL_PATH_MAX 4095 + #define BSL_SAL_NAME_MAX 255 + +-int32_t BSL_SAL_LibNameFormat(BSL_SAL_ConverterCmd cmd, const char *fileName, char **name) ++int32_t BSL_SAL_LibNameFormat(BSL_SAL_LibFmtCmd cmd, const char *fileName, char **name) + { + if (fileName == NULL || name == NULL) { + BSL_ERR_PUSH_ERROR(BSL_SAL_ERR_BAD_PARAM); +@@ -53,23 +53,23 @@ int32_t BSL_SAL_LibNameFormat(BSL_SAL_ConverterCmd cmd, const char *fileName, ch + return BSL_MALLOC_FAIL; + } + switch (cmd) { +- case BSL_SAL_CONVERTER_SO: ++ case BSL_SAL_LIB_FMT_SO: + ret = snprintf_s(tempName, dlPathLen, dlPathLen, "%s.so", fileName); + break; +- case BSL_SAL_CONVERTER_LIBSO: ++ case BSL_SAL_LIB_FMT_LIBSO: + ret = snprintf_s(tempName, dlPathLen, dlPathLen, "lib%s.so", fileName); + break; +- case BSL_SAL_CONVERTER_LIBDLL: ++ case BSL_SAL_LIB_FMT_LIBDLL: + ret = snprintf_s(tempName, dlPathLen, dlPathLen, "lib%s.dll", fileName); + break; +- case BSL_SAL_CONVERTER_DLL: ++ case BSL_SAL_LIB_FMT_DLL: + ret = snprintf_s(tempName, dlPathLen, dlPathLen, "%s.dll", fileName); + break; +- case BSL_SAL_CONVERTER_OFF: ++ case BSL_SAL_LIB_FMT_OFF: + ret = snprintf_s(tempName, dlPathLen, dlPathLen, "%s", fileName); + break; + default: +- // Default to the first(BSL_SAL_CONVERTER_SO) conversion ++ // Default to the first(BSL_SAL_LIB_FMT_SO) conversion + BSL_SAL_Free(tempName); + BSL_ERR_PUSH_ERROR(BSL_SAL_ERR_BAD_PARAM); + return BSL_SAL_ERR_BAD_PARAM; +diff --git a/bsl/usrdata/src/usr_data.c b/bsl/usrdata/src/usr_data.c +index baa6144..8977819 100644 +--- a/bsl/usrdata/src/usr_data.c ++++ b/bsl/usrdata/src/usr_data.c +@@ -31,7 +31,7 @@ typedef struct { + + BSL_EX_CALLBACK g_exCallBack[BSL_MAX_EX_TYPE][BSL_MAX_EX_DATA]; + +-int BSL_USER_GetExDataNewIndex(int32_t index, int64_t argl, const void *argp, void *newFunc, void *dupFunc, ++int BSL_USER_GetExDataNewIndex(int32_t index, int64_t argl, const void *argp, const void *newFunc, const void *dupFunc, + void *freeFunc) + { + if (index < 0 || index >= BSL_MAX_EX_TYPE) { +diff --git a/crypto/eal/src/eal_cipher.c b/crypto/eal/src/eal_cipher.c +index 4dffd00..d232cfc 100644 +--- a/crypto/eal/src/eal_cipher.c ++++ b/crypto/eal/src/eal_cipher.c +@@ -128,7 +128,7 @@ CRYPT_EAL_CipherCtx *CRYPT_EAL_ProviderCipherNewCtx(CRYPT_EAL_LibCtx *libCtx, in + { + const CRYPT_EAL_Func *funcs = NULL; + void *provCtx = NULL; +- int32_t ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_SYMMCIPHER, algId, attrName, ++ int32_t ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_SYMMCIPHER, algId, attrName, + &funcs, &provCtx); + if (ret != CRYPT_SUCCESS) { + EAL_ERR_REPORT(CRYPT_EVENT_ERR, CRYPT_ALGO_CIPHER, algId, ret); +diff --git a/crypto/eal/src/eal_drbg_local.h b/crypto/eal/src/eal_drbg_local.h +index f4dab74..9476bfa 100644 +--- a/crypto/eal/src/eal_drbg_local.h ++++ b/crypto/eal/src/eal_drbg_local.h +@@ -51,7 +51,7 @@ typedef struct { + + const DrbgIdMap *GetDrbgIdMap(CRYPT_RAND_AlgId id); + +-EAL_RandUnitaryMethod* EAL_RandGetMethod(); ++EAL_RandUnitaryMethod* EAL_RandGetMethod(void); + + int32_t EAL_RandFindMethod(CRYPT_RAND_AlgId id, EAL_RandMethLookup *lu); + +diff --git a/crypto/eal/src/eal_kdf.c b/crypto/eal/src/eal_kdf.c +index 86edcff..5f73d25 100644 +--- a/crypto/eal/src/eal_kdf.c ++++ b/crypto/eal/src/eal_kdf.c +@@ -119,7 +119,7 @@ CRYPT_EAL_KdfCTX *CRYPT_EAL_ProviderKdfNewCtx(CRYPT_EAL_LibCtx *libCtx, int32_t + { + const CRYPT_EAL_Func *funcs = NULL; + void *provCtx = NULL; +- int32_t ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_KDF, algId, attrName, ++ int32_t ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_KDF, algId, attrName, + &funcs, &provCtx); + if (ret != CRYPT_SUCCESS) { + EAL_ERR_REPORT(CRYPT_EVENT_ERR, CRYPT_ALGO_KDF, algId, ret); +diff --git a/crypto/eal/src/eal_mac.c b/crypto/eal/src/eal_mac.c +index 0efaf08..ee4370a 100644 +--- a/crypto/eal/src/eal_mac.c ++++ b/crypto/eal/src/eal_mac.c +@@ -96,7 +96,7 @@ CRYPT_EAL_MacCtx *CRYPT_EAL_ProviderMacNewCtx(CRYPT_EAL_LibCtx *libCtx, int32_t + { + const CRYPT_EAL_Func *funcs = NULL; + void *provCtx = NULL; +- int32_t ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_MAC, algId, attrName, ++ int32_t ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_MAC, algId, attrName, + &funcs, &provCtx); + if (ret != CRYPT_SUCCESS) { + EAL_ERR_REPORT(CRYPT_EVENT_ERR, CRYPT_ALGO_MAC, algId, ret); +diff --git a/crypto/eal/src/eal_md.c b/crypto/eal/src/eal_md.c +index 58fa179..7eb61d6 100644 +--- a/crypto/eal/src/eal_md.c ++++ b/crypto/eal/src/eal_md.c +@@ -144,7 +144,7 @@ CRYPT_EAL_MdCTX *CRYPT_EAL_ProviderMdNewCtx(CRYPT_EAL_LibCtx *libCtx, int32_t al + { + const CRYPT_EAL_Func *funcs = NULL; + void *provCtx = NULL; +- int32_t ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_HASH, algId, attrName, ++ int32_t ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, algId, attrName, + &funcs, &provCtx); + if (ret != CRYPT_SUCCESS) { + BSL_ERR_PUSH_ERROR(ret); +diff --git a/crypto/eal/src/eal_pkey_gen.c b/crypto/eal/src/eal_pkey_gen.c +index 8b1af7c..d13e00f 100644 +--- a/crypto/eal/src/eal_pkey_gen.c ++++ b/crypto/eal/src/eal_pkey_gen.c +@@ -1044,9 +1044,6 @@ static int32_t CRYPT_EAL_SetSignMethod(const CRYPT_EAL_Func *funcSign, EAL_PkeyU + case CRYPT_EAL_IMPLPKEYSIGN_VERIFYDATA: + method->verifyData = funcSign[index].func; + break; +- case CRYPT_EAL_IMPLPKEYSIGN_RECOVER: +- method->recover = funcSign[index].func; +- break; + case CRYPT_EAL_IMPLPKEYSIGN_CTRL: + method->ctrl = funcSign[index].func; + break; +@@ -1106,14 +1103,14 @@ CRYPT_EAL_PkeyCtx *CRYPT_EAL_ProviderPkeyNewCtx(CRYPT_EAL_LibCtx *libCtx, int32_ + const CRYPT_EAL_Func *funcSign = NULL; + void *provCtx = NULL; + int32_t ret; +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_KEYMGMT, algId, attrName, ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_KEYMGMT, algId, attrName, + &funcsKeyMgmt, &provCtx); + if (ret != CRYPT_SUCCESS) { + EAL_ERR_REPORT(CRYPT_EVENT_ERR, CRYPT_ALGO_PKEY, algId, ret); + return NULL; + } + if ((pkeyOperType & CRYPT_EAL_PKEY_CIPHER_OPERATE) == CRYPT_EAL_PKEY_CIPHER_OPERATE) { +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_ASYMCIPHER, algId, attrName, ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_ASYMCIPHER, algId, attrName, + &funcsAsyCipher, &provCtx); + if (ret != CRYPT_SUCCESS) { + EAL_ERR_REPORT(CRYPT_EVENT_ERR, CRYPT_ALGO_PKEY, algId, ret); +@@ -1121,7 +1118,7 @@ CRYPT_EAL_PkeyCtx *CRYPT_EAL_ProviderPkeyNewCtx(CRYPT_EAL_LibCtx *libCtx, int32_ + } + } + if ((pkeyOperType & CRYPT_EAL_PKEY_EXCH_OPERATE) == CRYPT_EAL_PKEY_EXCH_OPERATE) { +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_KEYEXCH, algId, attrName, ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_KEYEXCH, algId, attrName, + &funcsExch, &provCtx); + if (ret != CRYPT_SUCCESS) { + EAL_ERR_REPORT(CRYPT_EVENT_ERR, CRYPT_ALGO_PKEY, algId, ret); +@@ -1129,7 +1126,7 @@ CRYPT_EAL_PkeyCtx *CRYPT_EAL_ProviderPkeyNewCtx(CRYPT_EAL_LibCtx *libCtx, int32_ + } + } + if ((pkeyOperType & CRYPT_EAL_PKEY_SIGN_OPERATE) == CRYPT_EAL_PKEY_SIGN_OPERATE) { +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_SIGN, algId, attrName, ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_SIGN, algId, attrName, + &funcSign, &provCtx); + if (ret != CRYPT_SUCCESS) { + EAL_ERR_REPORT(CRYPT_EVENT_ERR, CRYPT_ALGO_PKEY, algId, ret); +diff --git a/crypto/eal/src/eal_rand.c b/crypto/eal/src/eal_rand.c +index ddc0115..7bd7c5b 100644 +--- a/crypto/eal/src/eal_rand.c ++++ b/crypto/eal/src/eal_rand.c +@@ -357,7 +357,7 @@ static CRYPT_EAL_RndCtx *EAL_ProvRandInitDrbg(CRYPT_EAL_LibCtx *libCtx, CRYPT_RA + { + const CRYPT_EAL_Func *funcs = NULL; + void *provCtx = NULL; +- int32_t ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_RAND, id, attrName, ++ int32_t ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_RAND, id, attrName, + &funcs, &provCtx); + if (ret != CRYPT_SUCCESS) { + EAL_ERR_REPORT(CRYPT_EVENT_ERR, CRYPT_ALGO_RAND, id, ret); +diff --git a/crypto/eal/src/eal_rand_method.c b/crypto/eal/src/eal_rand_method.c +index 41e4439..7cc3fd7 100644 +--- a/crypto/eal/src/eal_rand_method.c ++++ b/crypto/eal/src/eal_rand_method.c +@@ -89,7 +89,7 @@ const DrbgIdMap *GetDrbgIdMap(CRYPT_RAND_AlgId id) + return NULL; + } + +-EAL_RandUnitaryMethod* EAL_RandGetMethod() ++EAL_RandUnitaryMethod* EAL_RandGetMethod(void) + { + return &g_randMethod; + } +diff --git a/crypto/include/crypt_local_types.h b/crypto/include/crypt_local_types.h +index 1ed48a1..63faa45 100644 +--- a/crypto/include/crypt_local_types.h ++++ b/crypto/include/crypt_local_types.h +@@ -109,7 +109,6 @@ typedef int32_t (*PkeyCrypt)(const void *key, const uint8_t *data, uint32_t data + typedef int32_t (*PkeyCheck)(const void *prv, const void *pub); + typedef int32_t (*PkeyCmp)(const void *key1, const void *key2); + typedef int32_t (*PkeyGetSecBits)(const void *key); +-typedef int32_t (*PkeyRecover)(const void *ctx, uint8_t *sign, uint32_t signLen, uint8_t *data, uint32_t *dataLen); + /** + * @ingroup EAL + * +@@ -162,7 +161,6 @@ typedef struct EAL_PkeyUnitaryMethod { + PkeyCrypt decrypt; // Decrypt. + PkeyCheck check; // Check the consistency of the key pair. + PkeyCmp cmp; // Compare keys and parameters. +- PkeyRecover recover; + } EAL_PkeyUnitaryMethod; + /** + * @ingroup sym_algid +diff --git a/crypto/provider/include/crypt_provider.h b/crypto/provider/include/crypt_provider.h +index 2150fa7..5203814 100644 +--- a/crypto/provider/include/crypt_provider.h ++++ b/crypto/provider/include/crypt_provider.h +@@ -30,8 +30,8 @@ extern "C" { + // Maximum length of provider name + #define DEFAULT_PROVIDER_NAME_LEN_MAX 255 + +-int32_t CRYPT_EAL_InitPreDefinedProviders(); +-void CRYPT_EAL_FreePreDefinedProviders(); ++int32_t CRYPT_EAL_InitPreDefinedProviders(void); ++void CRYPT_EAL_FreePreDefinedProviders(void); + + int32_t CRYPT_EAL_DefaultProvInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, BSL_Param *param, + CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx); +diff --git a/crypto/provider/src/mgr/crypt_provider.c b/crypto/provider/src/mgr/crypt_provider.c +index a1184dd..9ba0808 100644 +--- a/crypto/provider/src/mgr/crypt_provider.c ++++ b/crypto/provider/src/mgr/crypt_provider.c +@@ -60,7 +60,6 @@ void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx) + BSL_SAL_Free(libCtx); + } + +- + // Write a function to search for providers according to BSL_LIST_Search requirements, + // comparing the input providerName with the providerName in EAL_ProviderMgrCtx for an exact match + static int32_t ListCompareProvider(const void *a, const void *b) +@@ -109,12 +108,7 @@ static int32_t MountEalProviderMgrCtxParams(CRYPT_EAL_LibCtx *libCtx, void *hand + } + + // Call the initialization function +- ret = CRYPT_EAL_InitProviderMethod(ctx, param, ctx->provInitFunc); +- if (ret != CRYPT_SUCCESS) { +- return ret; +- } +- +- return CRYPT_SUCCESS; ++ return CRYPT_EAL_InitProviderMethod(ctx, param, ctx->provInitFunc); + } + + static int32_t CheckProviderLoaded(CRYPT_EAL_LibCtx *libCtx, +@@ -136,7 +130,7 @@ static int32_t CheckProviderLoaded(CRYPT_EAL_LibCtx *libCtx, + ret = BSL_SAL_AtomicUpReferences(&tempProviderMgr->ref, &tempCount); + if (ret != BSL_SUCCESS) { + BSL_ERR_PUSH_ERROR(ret); +- BSL_SAL_ThreadUnlock(libCtx->lock); ++ (void)BSL_SAL_ThreadUnlock(libCtx->lock); + return ret; + } + } +@@ -158,21 +152,18 @@ static int32_t AddProviderToList(CRYPT_EAL_LibCtx *libCtx, CRYPT_EAL_ProvMgrCtx + } + + ret = BSL_LIST_AddElement(libCtx->providers, providerMgr, BSL_LIST_POS_END); ++ (void)BSL_SAL_ThreadUnlock(libCtx->lock); + if (ret != BSL_SUCCESS) { +- BSL_SAL_ThreadUnlock(libCtx->lock); + BSL_ERR_PUSH_ERROR(ret); +- return ret; + } + +- (void)BSL_SAL_ThreadUnlock(libCtx->lock); +- +- return CRYPT_SUCCESS; ++ return ret; + } + + static bool IsEalPreDefinedProvider(const char *providerName) + { + const char *preProvider[] = {CRYPT_EAL_DEFAULT_PROVIDER}; +- for (size_t i = 0; i < sizeof(preProvider)/sizeof(preProvider[0]); i++) { ++ for (size_t i = 0; i < sizeof(preProvider) / sizeof(preProvider[0]); i++) { + if (strcmp(preProvider[i], providerName) == 0) { + return true; + } +@@ -235,7 +226,7 @@ static int32_t EalProviderMgrCtxNew(CRYPT_EAL_LibCtx *libCtx, char *providerName + } + + // Load provider dynamic library +-int32_t CRYPT_EAL_ProviderLoad(CRYPT_EAL_LibCtx *libCtx, BSL_SAL_ConverterCmd cmd, ++int32_t CRYPT_EAL_ProviderLoad(CRYPT_EAL_LibCtx *libCtx, BSL_SAL_LibFmtCmd cmd, + const char *providerName, BSL_Param *param, CRYPT_EAL_ProvMgrCtx **mgrCtx) + { + if (providerName == NULL) { +@@ -250,11 +241,10 @@ int32_t CRYPT_EAL_ProviderLoad(CRYPT_EAL_LibCtx *libCtx, BSL_SAL_ConverterCmd cm + BSL_ERR_PUSH_ERROR(CRYPT_PROVIDER_INVALID_LIB_CTX); + return CRYPT_PROVIDER_INVALID_LIB_CTX; + } +- +- int32_t ret = CRYPT_SUCCESS; ++ + CRYPT_EAL_ProvMgrCtx *providerMgr = NULL; + char *providerFullName = NULL; +- ret = BSL_SAL_LibNameFormat(cmd, providerName, &providerFullName); ++ int32_t ret = BSL_SAL_LibNameFormat(cmd, providerName, &providerFullName); + if (ret != BSL_SUCCESS) { + BSL_ERR_PUSH_ERROR(ret); + return ret; +@@ -283,21 +273,19 @@ int32_t CRYPT_EAL_ProviderLoad(CRYPT_EAL_LibCtx *libCtx, BSL_SAL_ConverterCmd cm + } + // Create and initialize EAL_ProviderMgrCtx + ret = EalProviderMgrCtxNew(localCtx, providerFullName, param, &providerMgr); ++ BSL_SAL_Free(providerFullName); + if (ret != CRYPT_SUCCESS) { +- BSL_SAL_Free(providerFullName); + return ret; + } + + // Add provider to the list + ret = AddProviderToList(localCtx, providerMgr); + if (ret != CRYPT_SUCCESS) { +- BSL_SAL_Free(providerFullName); + CRYPT_EAL_ProviderMgrCtxFree(providerMgr); + providerMgr = NULL; + return ret; + } + +- BSL_SAL_Free(providerFullName); + if (mgrCtx != NULL) { + *mgrCtx = providerMgr; + } +@@ -319,8 +307,7 @@ static void RemoveAndFreeProvider(BslList *providers, CRYPT_EAL_ProvMgrCtx *prov + } + + // Unload provider +-int32_t CRYPT_EAL_ProviderUnload(CRYPT_EAL_LibCtx *libCtx, BSL_SAL_ConverterCmd cmd, +- const char *providerName) ++int32_t CRYPT_EAL_ProviderUnload(CRYPT_EAL_LibCtx *libCtx, BSL_SAL_LibFmtCmd cmd, const char *providerName) + { + int32_t ret = CRYPT_SUCCESS; + CRYPT_EAL_ProvMgrCtx *providerMgr = NULL; +@@ -353,18 +340,17 @@ int32_t CRYPT_EAL_ProviderUnload(CRYPT_EAL_LibCtx *libCtx, BSL_SAL_ConverterCmd + } + providerMgr = + (CRYPT_EAL_ProvMgrCtx *)BSL_LIST_Search(localCtx->providers, providerFullName, ListCompareProvider, NULL); ++ BSL_SAL_FREE(providerFullName); + if (providerMgr == NULL) { +- BSL_SAL_ThreadUnlock(localCtx->lock); +- BSL_SAL_FREE(providerFullName); ++ (void)BSL_SAL_ThreadUnlock(localCtx->lock); + return CRYPT_SUCCESS; + } + // Decrease reference count + int refCount = 0; + ret = BSL_SAL_AtomicDownReferences(&providerMgr->ref, &refCount); + if (ret != BSL_SUCCESS) { +- BSL_SAL_FREE(providerFullName); + BSL_ERR_PUSH_ERROR(ret); +- BSL_SAL_ThreadUnlock(localCtx->lock); ++ (void)BSL_SAL_ThreadUnlock(localCtx->lock); + return ret; + } + +@@ -372,7 +358,6 @@ int32_t CRYPT_EAL_ProviderUnload(CRYPT_EAL_LibCtx *libCtx, BSL_SAL_ConverterCmd + RemoveAndFreeProvider(localCtx->providers, providerMgr); + } + (void)BSL_SAL_ThreadUnlock(localCtx->lock); +- BSL_SAL_FREE(providerFullName); + return CRYPT_SUCCESS; + } + +@@ -394,8 +379,7 @@ int32_t CRYPT_EAL_ProviderSetLoadPath(CRYPT_EAL_LibCtx *libCtx, const char *sear + + char *tempPath = NULL; + if (searchPath != NULL) { +- tempPath = BSL_SAL_Dump(searchPath, +- BSL_SAL_Strnlen(searchPath, DEFAULT_PROVIDER_PATH_LEN_MAX) + 1); ++ tempPath = BSL_SAL_Dump(searchPath, BSL_SAL_Strnlen(searchPath, DEFAULT_PROVIDER_PATH_LEN_MAX) + 1); + if (tempPath == NULL) { + BSL_ERR_PUSH_ERROR(CRYPT_MEM_ALLOC_FAIL); + return CRYPT_MEM_ALLOC_FAIL; +diff --git a/crypto/provider/src/mgr/crypt_provider_common.c b/crypto/provider/src/mgr/crypt_provider_common.c +index 1bb5d00..f583d7a 100644 +--- a/crypto/provider/src/mgr/crypt_provider_common.c ++++ b/crypto/provider/src/mgr/crypt_provider_common.c +@@ -30,7 +30,7 @@ CRYPT_EAL_LibCtx* CRYPT_EAL_GetGlobalLibCtx(void) + return g_libCtx; + } + +-int32_t CRYPT_EAL_ProviderGetFuncsFrom(CRYPT_EAL_LibCtx *libCtx, int32_t operaId, int32_t algId, ++int32_t CRYPT_EAL_ProviderGetFuncs(CRYPT_EAL_LibCtx *libCtx, int32_t operaId, int32_t algId, + const char *attribute, const CRYPT_EAL_Func **funcs, void **provCtx) + { + if (funcs == NULL) { +@@ -46,11 +46,9 @@ int32_t CRYPT_EAL_ProviderGetFuncsFrom(CRYPT_EAL_LibCtx *libCtx, int32_t operaId + BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT); + return CRYPT_NULL_INPUT; + } +- if (attribute != NULL) { +- if (strlen(attribute) > (INT32_MAX/2)) { +- BSL_ERR_PUSH_ERROR(CRYPT_NULL_INPUT); +- return CRYPT_NULL_INPUT; +- } ++ if (attribute != NULL && strlen(attribute) > (INT32_MAX >> 1)) { ++ BSL_ERR_PUSH_ERROR(CRYPT_INVALID_ARG); ++ return CRYPT_INVALID_ARG; + } + + return CRYPT_EAL_CompareAlgAndAttr(localCtx, operaId, algId, attribute, funcs, provCtx); +@@ -135,7 +133,7 @@ int32_t CRYPT_EAL_InitProviderMethod(CRYPT_EAL_ProvMgrCtx *ctx, BSL_Param *param + return CRYPT_SUCCESS; + } + +-CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNewInternal() ++CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNewInternal(void) + { + CRYPT_EAL_LibCtx *libCtx = (CRYPT_EAL_LibCtx *)BSL_SAL_Calloc(1, sizeof(CRYPT_EAL_LibCtx)); + if (libCtx == NULL) { +@@ -170,6 +168,7 @@ void CRYPT_EAL_ProviderMgrCtxFree(CRYPT_EAL_ProvMgrCtx *ctx) + } + if (ctx->provFreeCb != NULL) { + ctx->provFreeCb(ctx->provCtx); ++ ctx->provCtx = NULL; + } + BSL_SAL_FREE(ctx->providerName); + BSL_SAL_FREE(ctx->providerPath); +@@ -222,7 +221,7 @@ int32_t CRYPT_EAL_LoadPreDefinedProvider(CRYPT_EAL_LibCtx *libCtx, const char* p + return ret; + } + +-int32_t CRYPT_EAL_InitPreDefinedProviders() ++int32_t CRYPT_EAL_InitPreDefinedProviders(void) + { + int32_t ret; + CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNewInternal(); +@@ -241,7 +240,7 @@ int32_t CRYPT_EAL_InitPreDefinedProviders() + return ret; + } + +-void CRYPT_EAL_FreePreDefinedProviders() ++void CRYPT_EAL_FreePreDefinedProviders(void) + { + CRYPT_EAL_LibCtx *libCtx = g_libCtx; + if (libCtx == NULL) { +diff --git a/crypto/provider/src/mgr/crypt_provider_compare.c b/crypto/provider/src/mgr/crypt_provider_compare.c +index 3345b92..3c4b405 100644 +--- a/crypto/provider/src/mgr/crypt_provider_compare.c ++++ b/crypto/provider/src/mgr/crypt_provider_compare.c +@@ -91,8 +91,8 @@ static void *ValueDupFunc(void *ptr, size_t size) + goto ERR; + } + +- newValue->judgeStr = BSL_SAL_Dump(srcValue->judgeStr, BSL_SAL_Strnlen(srcValue->judgeStr, UINT32_MAX)+1); +- newValue->valueStr = BSL_SAL_Dump(srcValue->valueStr, BSL_SAL_Strnlen(srcValue->valueStr, UINT32_MAX)+1); ++ newValue->judgeStr = BSL_SAL_Dump(srcValue->judgeStr, BSL_SAL_Strnlen(srcValue->judgeStr, UINT32_MAX) + 1); ++ newValue->valueStr = BSL_SAL_Dump(srcValue->valueStr, BSL_SAL_Strnlen(srcValue->valueStr, UINT32_MAX) + 1); + + if (newValue->judgeStr == NULL || newValue->valueStr == NULL) { + BSL_ERR_PUSH_ERROR(CRYPT_MEM_ALLOC_FAIL); +@@ -217,14 +217,13 @@ static int32_t GetAttributePositions(const char *attribute, int32_t start, int32 + + static int32_t ParseAttributeValue(const char *attribute, int32_t *startPos, char **key, AttributeValue **value) + { +- int32_t ret; + int32_t start = *startPos; + char *tempKey = NULL; + AttributeValue *tempValue = NULL; + + // Call the sub-function to get key-value pair positions + int32_t keyStart, keyEnd, judgeStart, judgeEnd, valueStart, valueEnd; +- ret = GetAttributePositions(attribute, start, &keyStart, &keyEnd, &judgeStart, &judgeEnd, &valueStart, &valueEnd); ++ int32_t ret = GetAttributePositions(attribute, start, &keyStart, &keyEnd, &judgeStart, &judgeEnd, &valueStart, &valueEnd); + if (ret != CRYPT_SUCCESS) { + return ret; + } +diff --git a/crypto/provider/src/mgr/crypt_provider_local.h b/crypto/provider/src/mgr/crypt_provider_local.h +index 408fc7d..18a370c 100644 +--- a/crypto/provider/src/mgr/crypt_provider_local.h ++++ b/crypto/provider/src/mgr/crypt_provider_local.h +@@ -56,7 +56,7 @@ struct EAL_ProviderMgrCtx { + + int32_t CRYPT_EAL_InitProviderMethod(CRYPT_EAL_ProvMgrCtx *ctx, BSL_Param *param, + CRYPT_EAL_ImplProviderInit providerInit); +-CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNewInternal(); ++CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNewInternal(void); + int32_t CRYPT_EAL_CompareAlgAndAttr(CRYPT_EAL_LibCtx *localCtx, int32_t operaId, + int32_t algId, const char *attribute, const CRYPT_EAL_Func **funcs, void **provCtx); + +diff --git a/include/bsl/bsl_sal.h b/include/bsl/bsl_sal.h +index baf1b34..0a94ec1 100644 +--- a/include/bsl/bsl_sal.h ++++ b/include/bsl/bsl_sal.h +@@ -1246,12 +1246,12 @@ int32_t BSL_SAL_GetFuncAddress(void *handle, const char *funcName, void **func); + + // Define command enumeration + typedef enum { +- BSL_SAL_CONVERTER_OFF = 0, /* Do not enable named conversion */ +- BSL_SAL_CONVERTER_SO = 1, +- BSL_SAL_CONVERTER_LIBSO = 2, +- BSL_SAL_CONVERTER_LIBDLL = 3, +- BSL_SAL_CONVERTER_DLL = 4 +-} BSL_SAL_ConverterCmd; ++ BSL_SAL_LIB_FMT_OFF = 0, /* Do not enable named conversion */ ++ BSL_SAL_LIB_FMT_SO = 1, ++ BSL_SAL_LIB_FMT_LIBSO = 2, ++ BSL_SAL_LIB_FMT_LIBDLL = 3, ++ BSL_SAL_LIB_FMT_DLL = 4 ++} BSL_SAL_LibFmtCmd; + + /** + * @ingroup bsl_sal +@@ -1266,7 +1266,7 @@ typedef enum { + * @retval If the operation is successful, BSL_OK is returned; + * Otherwise, an error code is returned. + */ +-int32_t BSL_SAL_LibNameFormat(BSL_SAL_ConverterCmd cmd, const char *fileName, char **name); ++int32_t BSL_SAL_LibNameFormat(BSL_SAL_LibFmtCmd cmd, const char *fileName, char **name); + + /** + * @ingroup bsl_sal +diff --git a/include/bsl/bsl_user_data.h b/include/bsl/bsl_user_data.h +index 608b0f6..df0d6e2 100644 +--- a/include/bsl/bsl_user_data.h ++++ b/include/bsl/bsl_user_data.h +@@ -55,7 +55,7 @@ int BSL_USER_SetExData(BSL_USER_ExData *ad, int32_t idx, void *val); + + void *BSL_USER_GetExData(const BSL_USER_ExData *ad, int32_t idx); + +-int BSL_USER_GetExDataNewIndex(int32_t index, int64_t argl, const void *argp, void *newFunc, void *dupFunc, ++int BSL_USER_GetExDataNewIndex(int32_t index, int64_t argl, const void *argp, const void *newFunc, const void *dupFunc, + void *freeFunc); + + void BSL_USER_FreeExDataIndex(int32_t index, void *obj, BSL_USER_ExData *ad); +diff --git a/include/crypto/crypt_eal_implprovider.h b/include/crypto/crypt_eal_implprovider.h +index 6d0377b..3cc7ef1 100644 +--- a/include/crypto/crypt_eal_implprovider.h ++++ b/include/crypto/crypt_eal_implprovider.h +@@ -154,8 +154,7 @@ typedef void (*CRYPT_EAL_ImplPkeyMgmtFreeCtx)(void *ctx); + #define CRYPT_EAL_IMPLPKEYSIGN_SIGNDATA 2 + #define CRYPT_EAL_IMPLPKEYSIGN_VERIFY 3 + #define CRYPT_EAL_IMPLPKEYSIGN_VERIFYDATA 4 +-#define CRYPT_EAL_IMPLPKEYSIGN_RECOVER 5 +-#define CRYPT_EAL_IMPLPKEYSIGN_CTRL 6 ++#define CRYPT_EAL_IMPLPKEYSIGN_CTRL 5 + + typedef int32_t (*CRYPT_EAL_ImplPkeySign)(const void *ctx, int32_t mdAlgId, const uint8_t *data, uint32_t dataLen, + uint8_t *sign, uint32_t *signLen); +@@ -165,8 +164,6 @@ typedef int32_t (*CRYPT_EAL_ImplPkeyVerify)(const void *ctx, int32_t mdAlgId, co + uint8_t *sign, uint32_t signLen); + typedef int32_t (*CRYPT_EAL_ImplPkeyVerifyData)(const void *ctx, const uint8_t *data, uint32_t dataLen, + uint8_t *sign, uint32_t signLen); +-typedef int32_t (*CRYPT_EAL_ImplPkeyRecover)(const void *ctx, const uint8_t *sign, uint32_t signLen, +- uint8_t *data, uint32_t *dataLen); + typedef int32_t (*CRYPT_EAL_ImplPkeyCtrl)(void *ctx, int32_t cmd, void *val, uint32_t valLen); + + // CRYPT_EAL_OPERAID_ASYMCIPHER +diff --git a/include/crypto/crypt_eal_provider.h b/include/crypto/crypt_eal_provider.h +index 068ee2f..c8e18bd 100644 +--- a/include/crypto/crypt_eal_provider.h ++++ b/include/crypto/crypt_eal_provider.h +@@ -66,17 +66,17 @@ void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx); + * @param cmd [IN] Command specifying the conversion format for the provider library name. + * This parameter is used to determine how the provider library name should be + * converted or formatted. Possible values are: +- * - BSL_SAL_CONVERTER_SO: Convert to .so format +- * - BSL_SAL_CONVERTER_LIBSO: Convert to lib*.so format +- * - BSL_SAL_CONVERTER_LIBDLL: Convert to lib*.dll format +- * - BSL_SAL_CONVERTER_DLL: Convert to .dll format ++ * - BSL_SAL_LIB_FMT_SO: Convert to .so format ++ * - BSL_SAL_LIB_FMT_LIBSO: Convert to lib*.so format ++ * - BSL_SAL_LIB_FMT_LIBDLL: Convert to lib*.dll format ++ * - BSL_SAL_LIB_FMT_DLL: Convert to .dll format + * The specific conversion is handled by the BSL_SAL_LibNameFormat function. + * @param mgrCtx [OUT] Provider context + * + * @retval #CRYPT_SUCCESS, if success. + * Other error codes see the crypt_errno.h + */ +-int32_t CRYPT_EAL_ProviderLoad(CRYPT_EAL_LibCtx *libCtx, BSL_SAL_ConverterCmd cmd, ++int32_t CRYPT_EAL_ProviderLoad(CRYPT_EAL_LibCtx *libCtx, BSL_SAL_LibFmtCmd cmd, + const char *providerName, BSL_Param *param, CRYPT_EAL_ProvMgrCtx **mgrCtx); + + /** +@@ -101,17 +101,17 @@ int32_t CRYPT_EAL_ProviderCtrl(CRYPT_EAL_ProvMgrCtx *ctx, int32_t cmd, void *val + * @param cmd [IN] Command specifying the conversion format for the provider library name. + * This parameter is used to determine how the provider library name should be + * converted or formatted. Possible values are: +- * - BSL_SAL_CONVERTER_SO: Convert to .so format +- * - BSL_SAL_CONVERTER_LIBSO: Convert to lib*.so format +- * - BSL_SAL_CONVERTER_LIBDLL: Convert to lib*.dll format +- * - BSL_SAL_CONVERTER_DLL: Convert to .dll format ++ * - BSL_SAL_LIB_FMT_SO: Convert to .so format ++ * - BSL_SAL_LIB_FMT_LIBSO: Convert to lib*.so format ++ * - BSL_SAL_LIB_FMT_LIBDLL: Convert to lib*.dll format ++ * - BSL_SAL_LIB_FMT_DLL: Convert to .dll format + * The specific conversion is handled by the BSL_SAL_LibNameFormat function. + * @param providerName [IN] provider name + * + * @retval #CRYPT_SUCCESS, if success. + * Other error codes see the crypt_errno.h + */ +-int32_t CRYPT_EAL_ProviderUnload(CRYPT_EAL_LibCtx *libctx, BSL_SAL_ConverterCmd cmd, const char *providerName); ++int32_t CRYPT_EAL_ProviderUnload(CRYPT_EAL_LibCtx *libctx, BSL_SAL_LibFmtCmd cmd, const char *providerName); + + + /** +@@ -141,7 +141,7 @@ int32_t CRYPT_EAL_ProviderSetLoadPath(CRYPT_EAL_LibCtx *libCtx, const char *sear + * @retval #CRYPT_SUCCESS, if success. + * Other error codes see the crypt_errno.h + */ +-int32_t CRYPT_EAL_ProviderGetFuncsFrom(CRYPT_EAL_LibCtx *libCtx, int32_t operaId, int32_t algId, ++int32_t CRYPT_EAL_ProviderGetFuncs(CRYPT_EAL_LibCtx *libCtx, int32_t operaId, int32_t algId, + const char *attribute, const CRYPT_EAL_Func **funcs, void **provCtx); + + #ifdef __cplusplus +diff --git a/include/pki/hitls_pki.h b/include/pki/hitls_pki.h +index 1235978..a570e6d 100644 +--- a/include/pki/hitls_pki.h ++++ b/include/pki/hitls_pki.h +@@ -417,7 +417,7 @@ void HITLS_X509_ClearAuthorityKeyId(HITLS_X509_ExtAki *aki); + * @return #HITLS_X509_SUCCESS, success. + * Error codes can be found in hitls_pki_errno.h + */ +-int32_t HITLS_X509_CertParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X509_Cert **cert); ++int32_t HITLS_X509_CertParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_Cert **cert); + + /** + * @ingroup pki +@@ -556,7 +556,7 @@ int32_t HITLS_X509_CrlCtrl(HITLS_X509_Crl *crl, int32_t cmd, void *val, int32_t + * @param crl [OUT] CRL after parse. + * @return Error code + */ +-int32_t HITLS_X509_CrlParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X509_Crl **crl); ++int32_t HITLS_X509_CrlParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_Crl **crl); + + /** + * @ingroup pki +@@ -729,16 +729,17 @@ void HITLS_X509_StoreCtxFree(HITLS_X509_StoreCtx *storeCtx); + * @brief Generic function to process StoreCtx. + * + * @param storeCtx [IN] StoreCtx. +- * @param cmd [IN] HITLS_X509_Cmd data type +- * HITLS_X509_STORECTX_SET_PARAM_DEPTH int32_t +- * HITLS_X509_STORECTX_SET_PARAM_FLAGS int64_t +- * HITLS_X509_STORECTX_SET_TIME int64_t +- * HITLS_X509_STORECTX_SET_SECBITS uint32_t +- * HITLS_X509_STORECTX_CLR_PARAM_FLAGS int64_t +- * HITLS_X509_STORECTX_DEEP_COPY_SET_CA HITLS_X509_Cert +- * HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA HITLS_X509_Cert +- * HITLS_X509_STORECTX_SET_CRL HITLS_X509_Crl +- * HITLS_X509_STORECTX_REF_UP int ++ * @param cmd [IN] HITLS_X509_Cmd data type data length ++ * HITLS_X509_STORECTX_SET_PARAM_DEPTH int32_t sizeof(int32_t) ++ * HITLS_X509_STORECTX_SET_PARAM_FLAGS uint64_t sizeof(uint64_t) ++ * HITLS_X509_STORECTX_SET_TIME int64_t sizeof(int64_t) ++ * HITLS_X509_STORECTX_SET_SECBITS uint32_t sizeof(uint32_t) ++ * HITLS_X509_STORECTX_CLR_PARAM_FLAGS uint64_t sizeof(uint64_t) ++ * HITLS_X509_STORECTX_DEEP_COPY_SET_CA HITLS_X509_Cert - ++ * HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA HITLS_X509_Cert - ++ * HITLS_X509_STORECTX_SET_CRL HITLS_X509_Crl - ++ * HITLS_X509_STORECTX_REF_UP int sizeof(int) ++ * HITLS_X509_STORECTX_SET_VEY_SM2_USERID buffer > 0 + * @param val [IN/OUT] input and output value. + * @param valLen [IN] value length. + * @retval #HITLS_X509_SUCCESS, success. +@@ -857,7 +858,7 @@ int32_t HITLS_X509_CsrCtrl(HITLS_X509_Csr *csr, int32_t cmd, void *val, int32_t + * @retval #HITLS_X509_SUCCESS, success. + * Error codes can be found in hitls_pki_errno.h + */ +-int32_t HITLS_X509_CsrParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X509_Csr **csr); ++int32_t HITLS_X509_CsrParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_Csr **csr); + + /** + * @ingroup pki +@@ -1022,7 +1023,7 @@ int32_t HITLS_PKCS12_Ctrl(HITLS_PKCS12 *p12, int32_t cmd, void *val, int32_t val + * @retval #HITLS_X509_SUCCESS, success. + * Error codes can be found in hitls_pki_errno.h + */ +-int32_t HITLS_PKCS12_ParseBuff(int32_t format, BSL_Buffer *encode, const HITLS_PKCS12_PwdParam *pwdParam, ++int32_t HITLS_PKCS12_ParseBuff(int32_t format, const BSL_Buffer *encode, const HITLS_PKCS12_PwdParam *pwdParam, + HITLS_PKCS12 **p12, bool needMacVerify); + + /** +diff --git a/pki/pkcs12/src/hitls_pkcs12_common.c b/pki/pkcs12/src/hitls_pkcs12_common.c +index e748d1c..0f43793 100644 +--- a/pki/pkcs12/src/hitls_pkcs12_common.c ++++ b/pki/pkcs12/src/hitls_pkcs12_common.c +@@ -714,7 +714,7 @@ static int32_t ParseMacDataAndVerify(BSL_Buffer *initData, BSL_Buffer *macData, + return HITLS_X509_SUCCESS; + } + +-static int32_t ParseAsn1PKCS12(BSL_Buffer *encode, const HITLS_PKCS12_PwdParam *pwdParam, ++static int32_t ParseAsn1PKCS12(const BSL_Buffer *encode, const HITLS_PKCS12_PwdParam *pwdParam, + HITLS_PKCS12 *p12, bool needMacVerify) + { + uint32_t version = 0; +@@ -763,7 +763,7 @@ static int32_t ParseAsn1PKCS12(BSL_Buffer *encode, const HITLS_PKCS12_PwdParam * + return HITLS_X509_SUCCESS; + } + +-int32_t HITLS_PKCS12_ParseBuff(int32_t format, BSL_Buffer *encode, const HITLS_PKCS12_PwdParam *pwdParam, ++int32_t HITLS_PKCS12_ParseBuff(int32_t format, const BSL_Buffer *encode, const HITLS_PKCS12_PwdParam *pwdParam, + HITLS_PKCS12 **p12, bool needMacVerify) + { + if (encode == NULL || encode->data == NULL || encode->dataLen == 0 || +diff --git a/pki/x509_cert/include/hitls_cert_local.h b/pki/x509_cert/include/hitls_cert_local.h +index d2f3ed4..fcd3fa6 100644 +--- a/pki/x509_cert/include/hitls_cert_local.h ++++ b/pki/x509_cert/include/hitls_cert_local.h +@@ -64,7 +64,7 @@ typedef struct _HITLS_X509_Cert { + + int32_t HITLS_X509_CheckIssued(HITLS_X509_Cert *issue, HITLS_X509_Cert *subject, bool *res); + bool HITLS_X509_CertIsCA(HITLS_X509_Cert *cert); +-int32_t HITLS_X509_CertMulParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X509_List **certlist); ++int32_t HITLS_X509_CertMulParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_List **certlist); + + #ifdef __cplusplus + } +diff --git a/pki/x509_cert/src/hitls_x509_cert.c b/pki/x509_cert/src/hitls_x509_cert.c +index e09d031..707341b 100644 +--- a/pki/x509_cert/src/hitls_x509_cert.c ++++ b/pki/x509_cert/src/hitls_x509_cert.c +@@ -354,7 +354,7 @@ ERR: + } + + +-int32_t HITLS_X509_CertMulParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X509_List **certlist) ++int32_t HITLS_X509_CertMulParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_List **certlist) + { + int32_t ret; + if (encode == NULL || encode->data == NULL || encode->dataLen == 0 || certlist == NULL) { +@@ -382,7 +382,7 @@ int32_t HITLS_X509_CertMulParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X5 + return ret; + } + +-int32_t HITLS_X509_CertParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X509_Cert **cert) ++int32_t HITLS_X509_CertParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_Cert **cert) + { + HITLS_X509_List *list = NULL; + if (cert == NULL || *cert != NULL) { +diff --git a/pki/x509_common/include/hitls_x509_local.h b/pki/x509_common/include/hitls_x509_local.h +index 8b6bc54..db5aa70 100644 +--- a/pki/x509_common/include/hitls_x509_local.h ++++ b/pki/x509_common/include/hitls_x509_local.h +@@ -201,7 +201,7 @@ int32_t HITLS_X509_AddListItemDefault(void *item, uint32_t len, BSL_ASN1_List *l + + int32_t HITLS_X509_ParseTime(BSL_ASN1_Buffer *before, BSL_ASN1_Buffer *after, HITLS_X509_ValidTime *time); + +-int32_t HITLS_X509_ParseX509(int32_t format, BSL_Buffer *encode, bool isCert, X509_ParseFuncCbk *parsefun, ++int32_t HITLS_X509_ParseX509(int32_t format, const BSL_Buffer *encode, bool isCert, X509_ParseFuncCbk *parsefun, + HITLS_X509_List *list); + int32_t HITLS_X509_CmpNameNode(BSL_ASN1_List *nameOri, BSL_ASN1_List *name); + +@@ -248,7 +248,7 @@ int32_t HITLS_X509_ExtReplace(HITLS_X509_Ext *dest, HITLS_X509_Ext *src); + + int32_t HITLS_X509_SetSerial(BSL_ASN1_Buffer *serial, const void *val, int32_t valLen); + +-int32_t HITLS_X509_GetSerial(BSL_ASN1_Buffer *serial, const void *val, int32_t valLen); ++int32_t HITLS_X509_GetSerial(BSL_ASN1_Buffer *serial, void *val, int32_t valLen); + + typedef int32_t (*EncodeExtCb)(void *, HITLS_X509_ExtEntry *, const void *); + +diff --git a/pki/x509_common/src/hitls_x509_attrs.c b/pki/x509_common/src/hitls_x509_attrs.c +index 221e7c7..94c153b 100644 +--- a/pki/x509_common/src/hitls_x509_attrs.c ++++ b/pki/x509_common/src/hitls_x509_attrs.c +@@ -225,9 +225,7 @@ int32_t HITLS_X509_ParseAttrList(BSL_ASN1_Buffer *attrBuff, HITLS_X509_Attrs *at + static int32_t CmpAttrEntryByCid(const void *attrEntry, const void *cid) + { + const HITLS_X509_AttrEntry *node = attrEntry; +- const BslCid *oid = cid; +- +- return node->cid == *(const BslCid *)oid ? 0 : 1; ++ return node->cid == *(const BslCid *)cid ? 0 : 1; + } + + typedef int32_t (*EncodeAttrCb)(HITLS_X509_Attrs *attributes, void *val, int32_t valLen, BSL_ASN1_Buffer *attrValue); +diff --git a/pki/x509_common/src/hitls_x509_common.c b/pki/x509_common/src/hitls_x509_common.c +index 1730c81..656239a 100644 +--- a/pki/x509_common/src/hitls_x509_common.c ++++ b/pki/x509_common/src/hitls_x509_common.c +@@ -350,7 +350,7 @@ static int32_t X509_ParseAndAddRes(BSL_Buffer *asn1Buf, X509_ParseFuncCbk *parse + return HITLS_X509_SUCCESS; + } + +-static int32_t HITLS_X509_ParseAsn1(BSL_Buffer *encode, X509_ParseFuncCbk *parsefun, HITLS_X509_List *list) ++static int32_t HITLS_X509_ParseAsn1(const BSL_Buffer *encode, X509_ParseFuncCbk *parsefun, HITLS_X509_List *list) + { + uint8_t *data = encode->data; + uint32_t dataLen = encode->dataLen; +@@ -376,7 +376,8 @@ static int32_t HITLS_X509_ParseAsn1(BSL_Buffer *encode, X509_ParseFuncCbk *parse + return HITLS_X509_SUCCESS; + } + +-static int32_t HITLS_X509_ParsePem(BSL_Buffer *encode, bool isCert, X509_ParseFuncCbk *parsefun, HITLS_X509_List *list) ++static int32_t HITLS_X509_ParsePem(const BSL_Buffer *encode, bool isCert, X509_ParseFuncCbk *parsefun, ++ HITLS_X509_List *list) + { + char *nextEncode = (char *)(encode->data); + uint32_t nextEncodeLen = encode->dataLen; +@@ -402,7 +403,7 @@ static int32_t HITLS_X509_ParsePem(BSL_Buffer *encode, bool isCert, X509_ParseFu + return HITLS_X509_SUCCESS; + } + +-static int32_t HITLS_X509_ParseUnknown(BSL_Buffer *encode, bool isCert, X509_ParseFuncCbk *parsefun, ++static int32_t HITLS_X509_ParseUnknown(const BSL_Buffer *encode, bool isCert, X509_ParseFuncCbk *parsefun, + HITLS_X509_List *list) + { + bool isPem = BSL_PEM_IsPemFormat((char *)(encode->data), encode->dataLen); +@@ -413,7 +414,7 @@ static int32_t HITLS_X509_ParseUnknown(BSL_Buffer *encode, bool isCert, X509_Par + } + } + +-int32_t HITLS_X509_ParseX509(int32_t format, BSL_Buffer *encode, bool isCert, X509_ParseFuncCbk *parsefun, ++int32_t HITLS_X509_ParseX509(int32_t format, const BSL_Buffer *encode, bool isCert, X509_ParseFuncCbk *parsefun, + HITLS_X509_List *list) + { + switch (format) { +diff --git a/pki/x509_common/src/hitls_x509_ctrl.c b/pki/x509_common/src/hitls_x509_ctrl.c +index a04fbb8..cb509ef 100644 +--- a/pki/x509_common/src/hitls_x509_ctrl.c ++++ b/pki/x509_common/src/hitls_x509_ctrl.c +@@ -390,7 +390,7 @@ static int32_t X509AddDnNamesToList(BslList *list, BslList *dnNameList) + return ret; + } + +-BslList *HITLS_X509_DnListNew() ++BslList *HITLS_X509_DnListNew(void) + { + return BSL_LIST_New(sizeof(HITLS_X509_NameNode)); + } +@@ -455,7 +455,7 @@ int32_t HITLS_X509_SetSerial(BSL_ASN1_Buffer *serial, const void *val, int32_t v + return HITLS_X509_SUCCESS; + } + +-int32_t HITLS_X509_GetSerial(BSL_ASN1_Buffer *serial, const void *val, int32_t valLen) ++int32_t HITLS_X509_GetSerial(BSL_ASN1_Buffer *serial, void *val, int32_t valLen) + { + if (valLen != sizeof(BSL_Buffer)) { + BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM); +@@ -465,7 +465,7 @@ int32_t HITLS_X509_GetSerial(BSL_ASN1_Buffer *serial, const void *val, int32_t v + BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM); + return HITLS_X509_ERR_INVALID_PARAM; + } +- BSL_Buffer *buff = (BSL_Buffer *)(uintptr_t)val; ++ BSL_Buffer *buff = (BSL_Buffer *)val; + buff->data = serial->buff; + buff->dataLen = serial->len; + return HITLS_X509_SUCCESS; +diff --git a/pki/x509_common/src/hitls_x509_ext.c b/pki/x509_common/src/hitls_x509_ext.c +index f53eb6a..52d06b2 100644 +--- a/pki/x509_common/src/hitls_x509_ext.c ++++ b/pki/x509_common/src/hitls_x509_ext.c +@@ -783,8 +783,7 @@ static int32_t SetExtBCons(HITLS_X509_Ext *ext, HITLS_X509_ExtEntry *entry, cons + * pathLenConstraint INTEGER (0..MAX) OPTIONAL } + */ + BSL_ASN1_Buffer asns[] = { +- {BSL_ASN1_TAG_BOOLEAN, bCons->isCa ? sizeof(bool) : 0, +- bCons->isCa ? (uint8_t *)(uintptr_t)&bCons->isCa : NULL}, ++ {BSL_ASN1_TAG_BOOLEAN, bCons->isCa ? sizeof(bool) : 0, bCons->isCa ? (uint8_t *)(uintptr_t)&bCons->isCa : NULL}, + {BSL_ASN1_TAG_INTEGER, 0, NULL}, + }; + int32_t ret; +diff --git a/pki/x509_crl/include/hitls_crl_local.h b/pki/x509_crl/include/hitls_crl_local.h +index aff64df..90e8250 100644 +--- a/pki/x509_crl/include/hitls_crl_local.h ++++ b/pki/x509_crl/include/hitls_crl_local.h +@@ -72,7 +72,7 @@ typedef struct _HITLS_X509_Crl { + BSL_SAL_RefCount references; + } HITLS_X509_Crl; + +-int32_t HITLS_X509_CrlMulParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X509_List **crllist); ++int32_t HITLS_X509_CrlMulParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_List **crllist); + #ifdef __cplusplus + } + #endif +diff --git a/pki/x509_crl/src/hitls_x509_crl.c b/pki/x509_crl/src/hitls_x509_crl.c +index d7f7e9a..05d39c9 100644 +--- a/pki/x509_crl/src/hitls_x509_crl.c ++++ b/pki/x509_crl/src/hitls_x509_crl.c +@@ -134,7 +134,7 @@ void HITLS_X509_CrlFree(HITLS_X509_Crl *crl) + return; + } + +-HITLS_X509_Crl *HITLS_X509_CrlNew() ++HITLS_X509_Crl *HITLS_X509_CrlNew(void) + { + HITLS_X509_Crl *crl = NULL; + BSL_ASN1_List *issuerName = NULL; +@@ -811,7 +811,7 @@ ERR: + return ret; + } + +-int32_t HITLS_X509_CrlMulParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X509_List **crllist) ++int32_t HITLS_X509_CrlMulParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_List **crllist) + { + if (encode == NULL || encode->data == NULL || encode->dataLen == 0 || crllist == NULL) { + BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM); +@@ -838,7 +838,7 @@ int32_t HITLS_X509_CrlMulParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X50 + return HITLS_X509_SUCCESS; + } + +-int32_t HITLS_X509_CrlParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X509_Crl **crl) ++int32_t HITLS_X509_CrlParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_Crl **crl) + { + HITLS_X509_List *list = NULL; + if (crl == NULL || *crl != NULL) { +diff --git a/pki/x509_csr/src/hitls_x509_csr.c b/pki/x509_csr/src/hitls_x509_csr.c +index f35ced2..4fe7193 100644 +--- a/pki/x509_csr/src/hitls_x509_csr.c ++++ b/pki/x509_csr/src/hitls_x509_csr.c +@@ -245,7 +245,7 @@ ERR: + return ret; + } + +-static int32_t X509CsrAsn1Parse(bool isCopy, BSL_Buffer *encode, HITLS_X509_Csr *csr) ++static int32_t X509CsrAsn1Parse(bool isCopy, const BSL_Buffer *encode, HITLS_X509_Csr *csr) + { + uint8_t *data = encode->data; + uint32_t dataLen = encode->dataLen; +@@ -271,7 +271,7 @@ static int32_t X509CsrAsn1Parse(bool isCopy, BSL_Buffer *encode, HITLS_X509_Csr + return HITLS_X509_SUCCESS; + } + +-static int32_t X509CsrPemParse(BSL_Buffer *encode, HITLS_X509_Csr *csr) ++static int32_t X509CsrPemParse(const BSL_Buffer *encode, HITLS_X509_Csr *csr) + { + uint8_t *tmpBuf = encode->data; + uint32_t tmpBufLen = encode->dataLen; +@@ -292,7 +292,7 @@ static int32_t X509CsrPemParse(BSL_Buffer *encode, HITLS_X509_Csr *csr) + return ret; + } + +-int32_t HITLS_X509_CsrParseBuff(int32_t format, BSL_Buffer *encode, HITLS_X509_Csr **csr) ++int32_t HITLS_X509_CsrParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_Csr **csr) + { + if (encode == NULL || csr == NULL || *csr != NULL || encode->data == NULL || encode->dataLen == 0) { + BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM); +diff --git a/pki/x509_verify/src/hitls_x509_verify.c b/pki/x509_verify/src/hitls_x509_verify.c +index 3710f75..a9e7981 100644 +--- a/pki/x509_verify/src/hitls_x509_verify.c ++++ b/pki/x509_verify/src/hitls_x509_verify.c +@@ -219,12 +219,8 @@ static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *ce + return HITLS_X509_SUCCESS; + } + +-static int32_t X509_SetCA(HITLS_X509_StoreCtx *storeCtx, void *val, int32_t valLen, bool isCopy) ++static int32_t X509_SetCA(HITLS_X509_StoreCtx *storeCtx, void *val, bool isCopy) + { +- if (valLen != sizeof(HITLS_X509_Cert)) { +- BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM); +- return HITLS_X509_ERR_INVALID_PARAM; +- } + int32_t ret = X509_CheckCert(storeCtx, val); + if (ret != HITLS_X509_SUCCESS) { + return ret; +@@ -259,12 +255,8 @@ static int32_t X509_CheckCRL(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Crl *crl) + return HITLS_X509_SUCCESS; + } + +-static int32_t X509_SetCRL(HITLS_X509_StoreCtx *storeCtx, void *val, int32_t valLen) ++static int32_t X509_SetCRL(HITLS_X509_StoreCtx *storeCtx, void *val) + { +- if (valLen != sizeof(HITLS_X509_Crl)) { +- BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM); +- return HITLS_X509_ERR_INVALID_PARAM; +- } + int32_t ret = X509_CheckCRL(storeCtx, val); + if (ret != HITLS_X509_SUCCESS) { + return ret; +@@ -310,11 +302,11 @@ int32_t HITLS_X509_StoreCtxCtrl(HITLS_X509_StoreCtx *storeCtx, int32_t cmd, void + case HITLS_X509_STORECTX_CLR_PARAM_FLAGS: + return X509_ClearParamFlag(storeCtx, val, valLen); + case HITLS_X509_STORECTX_DEEP_COPY_SET_CA: +- return X509_SetCA(storeCtx, val, valLen, true); ++ return X509_SetCA(storeCtx, val, true); + case HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA: +- return X509_SetCA(storeCtx, val, valLen, false); ++ return X509_SetCA(storeCtx, val, false); + case HITLS_X509_STORECTX_SET_CRL: +- return X509_SetCRL(storeCtx, val, valLen); ++ return X509_SetCRL(storeCtx, val); + case HITLS_X509_STORECTX_REF_UP: + return X509_RefUp(storeCtx, val, valLen); + case HITLS_X509_STORECTX_SET_VEY_SM2_USERID: +diff --git a/testcode/framework/crypto/crypto_test_util.h b/testcode/framework/crypto/crypto_test_util.h +index cef149b..3d1383d 100644 +--- a/testcode/framework/crypto/crypto_test_util.h ++++ b/testcode/framework/crypto/crypto_test_util.h +@@ -34,7 +34,7 @@ bool IsDrbgHashAlgDisabled(int id); + + bool IsDrbgHmacAlgDisabled(int id); + +-int GetAvailableRandAlgId(); ++int GetAvailableRandAlgId(void); + + bool IsRandAlgDisabled(int id); + +diff --git a/testcode/framework/include/test.h b/testcode/framework/include/test.h +index 61d2ece..dc00fea 100644 +--- a/testcode/framework/include/test.h ++++ b/testcode/framework/include/test.h +@@ -129,7 +129,7 @@ typedef struct { + return; \ + } while (0) + +-extern int *GetJmpAddress(); ++extern int *GetJmpAddress(void); + #define SUB_PROC 1 + #define SUB_PROC_BEGIN(parentAction) if (fork() > 0) parentAction + #define SUB_PROC_END() *GetJmpAddress() = SUB_PROC; return +diff --git a/testcode/framework/stub/stub_replace.h b/testcode/framework/stub/stub_replace.h +index 2947127..19bcd6e 100644 +--- a/testcode/framework/stub/stub_replace.h ++++ b/testcode/framework/stub/stub_replace.h +@@ -46,7 +46,7 @@ typedef struct { + * Initialize the dynamic stub change function. Invoke the function once. + * return - 0:Success, non-zero:Error code + */ +-int STUB_Init(); ++int STUB_Init(void); + + /* + * Replaces the specified function with the specified stub function. +diff --git a/testcode/framework/tls/func_wrapper/src/rec_wrapper.c b/testcode/framework/tls/func_wrapper/src/rec_wrapper.c +index 8654b34..f1ba0f0 100644 +--- a/testcode/framework/tls/func_wrapper/src/rec_wrapper.c ++++ b/testcode/framework/tls/func_wrapper/src/rec_wrapper.c +@@ -160,7 +160,7 @@ void RegisterWrapper(RecWrapper wrapper) + g_recWrapper = wrapper; + } + +-void ClearWrapper() ++void ClearWrapper(void) + { + STUB_Reset(&g_stubRecFuncs); + g_enableWrapper = false; +diff --git a/testcode/framework/tls/resource/src/channel_res.c b/testcode/framework/tls/resource/src/channel_res.c +index 51bb3c9..e1dda81 100644 +--- a/testcode/framework/tls/resource/src/channel_res.c ++++ b/testcode/framework/tls/resource/src/channel_res.c +@@ -104,7 +104,7 @@ int InitControlChannelRes(char *srcDomainPath, int srcDomainPathLen, char *peerD + return ret; + } + +-ControlChannelRes *GetControlChannelRes() ++ControlChannelRes *GetControlChannelRes(void) + { + return &g_channelRes; + } +diff --git a/testcode/framework/tls/resource/src/tls_res.c b/testcode/framework/tls/resource/src/tls_res.c +index df42814..9a81d6b 100644 +--- a/testcode/framework/tls/resource/src/tls_res.c ++++ b/testcode/framework/tls/resource/src/tls_res.c +@@ -145,12 +145,12 @@ int InsertSslToList(void *ctx, void *ssl) + return InsertResToList(sslList, sslRes); + } + +-ResList *GetCtxList() ++ResList *GetCtxList(void) + { + return &g_ctxList; + } + +-ResList *GetSslList() ++ResList *GetSslList(void) + { + return &g_sslList; + } +diff --git a/testcode/sdv/testcase/crypto/provider/test_suite_sdv_eal_provider_load.c b/testcode/sdv/testcase/crypto/provider/test_suite_sdv_eal_provider_load.c +index dd9d337..f7f4771 100644 +--- a/testcode/sdv/testcase/crypto/provider/test_suite_sdv_eal_provider_load.c ++++ b/testcode/sdv/testcase/crypto/provider/test_suite_sdv_eal_provider_load.c +@@ -67,10 +67,10 @@ void SDV_CRYPTO_PROVIDER_LOAD_TC001(char *path, char *path2, char *test1, char * + ASSERT_EQ(ret, CRYPT_SUCCESS); + + // Test CRYPT_EAL_ProviderLoad +- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_OFF, "default", NULL, NULL); ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_OFF, "default", NULL, NULL); + ASSERT_EQ(ret, CRYPT_SUCCESS); + // Test CRYPT_EAL_ProviderLoad +- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_OFF, "default", NULL, NULL); ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_OFF, "default", NULL, NULL); + ASSERT_EQ(ret, CRYPT_SUCCESS); + + // Test loading the same provider consecutively +@@ -254,7 +254,7 @@ void SDV_CRYPTO_PROVIDER_LOAD_COMPARE_TC001(char *path, char *test1, char *test2 + const CRYPT_EAL_Func *funcs; + void *provCtx; + // Test if the corresponding funcs can be found based on the attribute +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, attribute, &funcs, &provCtx); ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, attribute, &funcs, &provCtx); + ASSERT_EQ(ret, CRYPT_SUCCESS); + ASSERT_TRUE(funcs != NULL); + CRYPT_EAL_ImplMdInitCtx mdInitCtx = (CRYPT_EAL_ImplMdInitCtx)(funcs[1].func); +@@ -305,40 +305,40 @@ void SDV_CRYPTO_PROVIDER_LOAD_COMPARE_TC002(char *path, char *test1, char *test2 + const CRYPT_EAL_Func *funcs; + void *provCtx; + // Demonstrate normal scenario +- ASSERT_EQ(CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "provider=test1", ++ ASSERT_EQ(CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "provider=test1", + &funcs, &provCtx), CRYPT_SUCCESS); + CRYPT_EAL_ImplMdInitCtx mdInitCtx = (CRYPT_EAL_ImplMdInitCtx)(funcs[1].func); + ASSERT_EQ(mdInitCtx(provCtx, NULL), RIGHT_RESULT); +- ASSERT_EQ(CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, ++ ASSERT_EQ(CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, + "provider=test1,provider!=test2", &funcs, &provCtx), CRYPT_SUCCESS); + mdInitCtx = (CRYPT_EAL_ImplMdInitCtx)(funcs[1].func); + ASSERT_EQ(mdInitCtx(provCtx, NULL), RIGHT_RESULT); + + // Test 1: Test when attribute is NULL +- ASSERT_EQ(CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx), ++ ASSERT_EQ(CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx), + CRYPT_SUCCESS); + mdInitCtx = (CRYPT_EAL_ImplMdInitCtx)(funcs[1].func); + ASSERT_EQ(mdInitCtx(provCtx, NULL), result); + funcs = provCtx = NULL; + + // Test 2: Test when no provider can meet the attribute requirements +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "n_atr=test3", &funcs, &provCtx); ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "n_atr=test3", &funcs, &provCtx); + ASSERT_EQ(ret, CRYPT_NOT_SUPPORT); + // Test 3: Test when both operaid and operaid are out of range +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, 0, CRYPT_MD_MD5, "provider=test1", &funcs, &provCtx); ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, 0, CRYPT_MD_MD5, "provider=test1", &funcs, &provCtx); + ASSERT_EQ(ret, CRYPT_NOT_SUPPORT); +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_HASH, 0, "provider=test1", &funcs, &provCtx); ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, 0, "provider=test1", &funcs, &provCtx); + ASSERT_EQ(ret, CRYPT_NOT_SUPPORT); + // Test 4: Test when attribute format is non-standard +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "provider", &funcs, &provCtx); ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "provider", &funcs, &provCtx); + ASSERT_EQ(ret, CRYPT_PROVIDER_ERR_ATTRIBUTE); +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "provider=test1provider!=test2", ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "provider=test1provider!=test2", + &funcs, &provCtx); + ASSERT_EQ(ret, CRYPT_NOT_SUPPORT); +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "provider!test2", ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "provider!test2", + &funcs, &provCtx); + ASSERT_EQ(ret, CRYPT_PROVIDER_ERR_ATTRIBUTE); +- ret = CRYPT_EAL_ProviderGetFuncsFrom(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "!=tesst2", &funcs, &provCtx); ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "!=tesst2", &funcs, &provCtx); + ASSERT_EQ(ret, CRYPT_PROVIDER_ERR_ATTRIBUTE); + + exit: +@@ -455,10 +455,10 @@ void SDV_CRYPTO_PROVIDER_LOAD_DEFAULT_TC001(char *path, char *test1, int cmd, He + ASSERT_EQ(ret, CRYPT_SUCCESS); + + // Test CRYPT_EAL_ProviderLoad +- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_OFF, "default", NULL, NULL); ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_OFF, "default", NULL, NULL); + ASSERT_EQ(ret, CRYPT_SUCCESS); + // Test CRYPT_EAL_ProviderLoad +- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_OFF, "default", NULL, NULL); ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_OFF, "default", NULL, NULL); + ASSERT_EQ(ret, CRYPT_SUCCESS); + + ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_SHA224, "provider=default"); +diff --git a/testcode/sdv/testcase/crypto/provider/test_suite_sdv_eal_provider_load.data b/testcode/sdv/testcase/crypto/provider/test_suite_sdv_eal_provider_load.data +index 660e756..a0186e6 100644 +--- a/testcode/sdv/testcase/crypto/provider/test_suite_sdv_eal_provider_load.data ++++ b/testcode/sdv/testcase/crypto/provider/test_suite_sdv_eal_provider_load.data +@@ -3,7 +3,7 @@ SDV_CRYPTO_PROVIDER_LOAD_TC001:"../testdata/provider/path1":"../testdata/provide + SDV_CRYPTO_PROVIDER_LOAD_TC002 + SDV_CRYPTO_PROVIDER_LOAD_TC002: + SDV_CRYPTO_PROVIDER_LOAD_TC003 +-SDV_CRYPTO_PROVIDER_LOAD_TC003:"../testdata/provider/path1":BSL_SAL_CONVERTER_LIBSO:"provider_load_test1":"provider=test1,compare1=one,cpmpare3=three" ++SDV_CRYPTO_PROVIDER_LOAD_TC003:"../testdata/provider/path1":BSL_SAL_LIB_FMT_LIBSO:"provider_load_test1":"provider=test1,compare1=one,cpmpare3=three" + SDV_CRYPTO_PROVIDER_LOAD_COMPARE_TC001 #1 + SDV_CRYPTO_PROVIDER_LOAD_COMPARE_TC001:"../testdata/provider/path1":"provider_load_test1":"provider_load_test2":2:"provider=test1":1415926 + SDV_CRYPTO_PROVIDER_LOAD_COMPARE_TC001 #2 +diff --git a/tls/cert/hitls_x509_adapt/hitls_x509_cert_magr.c b/tls/cert/hitls_x509_adapt/hitls_x509_cert_magr.c +index ae410a7..a9649c0 100644 +--- a/tls/cert/hitls_x509_adapt/hitls_x509_cert_magr.c ++++ b/tls/cert/hitls_x509_adapt/hitls_x509_cert_magr.c +@@ -21,7 +21,6 @@ + #include "hitls_cert_type.h" + #include "hitls_type.h" + #include "hitls_pki.h" +-#include "hitls_cert_local.h" + #include "hitls_error.h" + #include "bsl_err_internal.h" + +-- +2.42.0.windows.2 + diff --git a/0007-provider-document.patch b/0007-provider-document.patch new file mode 100644 index 0000000..79d77a0 --- /dev/null +++ b/0007-provider-document.patch @@ -0,0 +1,966 @@ +From e8a6c4a6fce7409cd48433ed6441e000a4d0c5c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E7=A6=BB=E6=A0=87=E9=87=8F?= <875922464@qq.com> +Date: Fri, 6 Dec 2024 17:00:59 +0800 +Subject: [PATCH 07/10] provider document + +Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/92 +--- + .../4_provider Development Guide.md | 463 ++++++++++++++++++ + docs/index/index.md | 5 +- + ...00\345\217\221\346\214\207\345\215\227.md" | 458 +++++++++++++++++ + 3 files changed, 924 insertions(+), 2 deletions(-) + create mode 100644 docs/en/5_Developer Guide/4_provider Development Guide.md + create mode 100644 "docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" + +diff --git a/docs/en/5_Developer Guide/4_provider Development Guide.md b/docs/en/5_Developer Guide/4_provider Development Guide.md +new file mode 100644 +index 0000000..f750a4d +--- /dev/null ++++ b/docs/en/5_Developer Guide/4_provider Development Guide.md +@@ -0,0 +1,463 @@ ++# Provider Development Guide ++ ++This document serves as a development guide for OpenHiTLS providers, providing developers with interface introductions, key feature descriptions, and comprehensive usage examples. ++ ++## 1. Overview ++ ++The provider management framework in OpenHiTLS supports dynamic loading, management, and usage of cryptographic providers. Each "Provider" encapsulates a specific set of cryptographic operations and exposes them to external users through standardized interfaces. ++ ++### Core Concepts: ++- **Library Context (`CRYPT_EAL_LibCtx`)**: Manages the lifecycle and resources of all loaded providers. ++- **Provider Manager Context (`CRYPT_EAL_ProvMgrCtx`)**: Represents a single provider, including its loaded library handle and implemented functionalities. ++- **Functional Interfaces**: Standardized functions used for querying and invoking specific operations of providers. ++ ++--- ++ ++## 2. Interface Introduction ++ ++### 2.1 Library Context Management ++ ++#### **`CRYPT_EAL_LibCtxNew`** ++- **Description**: Creates a new library context for managing providers. ++- **Function Prototype**: ++ ```c ++ CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNew(void); ++ ``` ++- **Return Value**: A pointer to the newly created library context. ++ ++#### **`CRYPT_EAL_LibCtxFree`** ++- **Description**: Frees the library context and releases all associated resources. ++- **Function Prototype**: ++ ```c ++ void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx); ++ ``` ++- **Parameters**: ++ - `libCtx`: The library context to be freed. ++ ++--- ++ ++### 2.2 Path Configuration ++ ++#### **`CRYPT_EAL_ProviderSetLoadPath`** ++- **Description**: Configures the path for loading providers. ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderSetLoadPath( ++ CRYPT_EAL_LibCtx *libCtx, ++ const char *searchPath ++ ); ++ ``` ++- **Parameters**: ++ - `libCtx`: The library context. ++ - `searchPath`: The search path for providers. ++- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ ++--- ++ ++### 2.3 Provider Loading and Unloading ++ ++#### **`CRYPT_EAL_ProviderLoad`** ++- **Description**: Dynamically loads a provider and initializes it. ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderLoad( ++ CRYPT_EAL_LibCtx *libCtx, ++ BSL_SAL_ConverterCmd cmd, ++ const char *providerName, ++ BSL_Param *param, ++ CRYPT_EAL_ProvMgrCtx **mgrCtx ++ ); ++ ``` ++- **Parameters**: ++ - `libCtx`: The library context. ++ - `cmd`: The command specifying the library format (e.g., `.so`, `lib*.so`). ++ - `providerName`: The name of the provider to load. ++ - `param`: Additional parameters for provider initialization. ++ - `mgrCtx`: Output pointer to the provider manager context. If not `NULL`, the manager context of the loaded provider will be returned upon successful loading. ++- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ ++#### **`CRYPT_EAL_ProviderUnload`** ++- **Description**: Unloads the specified provider and releases associated resources. ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderUnload( ++ CRYPT_EAL_LibCtx *libCtx, ++ BSL_SAL_ConverterCmd cmd, ++ const char *providerName ++ ); ++ ``` ++- **Parameters**: ++ - `libCtx`: The library context. ++ - `cmd`: The command specifying the library format. ++ - `providerName`: The name of the provider to unload. ++- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ ++--- ++ ++### 2.4 Algorithm Query and Invocation ++ ++**EAL Layer Wrapper Interfaces**: ++ ++These interfaces wrap the provider's exposed APIs, automatically initializing algorithms after querying suitable algorithms. See the corresponding headers for each algorithm for more details. ++ ++- **Symmetric Interface: `CRYPT_EAL_ProviderCipherNewCtx`** ++- **Asymmetric Interface: `CRYPT_EAL_ProviderPkeyNewCtx`** ++- **KDF Interface: `CRYPT_EAL_ProviderKdfNewCtx`** ++- **MAC Interface: `CRYPT_EAL_ProviderMacNewCtx`** ++- **Message Digest Interface: `CRYPT_EAL_ProviderMdNewCtx`** ++- **Random Number Interfaces: `CRYPT_EAL_ProviderRandInitCtx`, `CRYPT_EAL_ProviderDrbgInitCtx`** ++ ++**Provider Layer Exposed Interfaces**: ++ ++#### **`CRYPT_EAL_ProviderGetFuncs`** ++- **Description**: Queries algorithms matching the criteria from all loaded providers. ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderGetFuncs( ++ CRYPT_EAL_LibCtx *libCtx, ++ int32_t operaId, ++ int32_t algId, ++ const char *attribute, ++ const CRYPT_EAL_Func **funcs, ++ void **provCtx ++ ); ++ ``` ++- **Parameters**: ++ - `libCtx`: The library context. ++ - `operaId`: Algorithm category ID (see "crypt_eal_implprovider.h"). ++ - `algId`: Algorithm ID (see "crypt_eal_implprovider.h"). ++ - `attribute`: Attribute string for filtering providers. ++ - `funcs`: Output pointer to an array of algorithms. ++ - `provCtx`: Optional parameter. If not `NULL`, it retrieves the `provCtx` from the provider manager context where the algorithm resides. ++- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ ++#### **`CRYPT_EAL_ProviderCtrl`** ++- **Description**: Controls the `provCtx` in the provider manager context. ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderCtrl( ++ CRYPT_EAL_ProvMgrCtx *ctx, ++ int32_t cmd, ++ void *val, ++ uint32_t valLen ++ ); ++ ``` ++- **Parameters**: ++ - `ctx`: Provider manager context. ++ - `cmd`: Control command. ++ - `val`: The value associated with the command. ++ - `valLen`: The length of the value. ++ ++--- ++ ++## 3. Provider Management Module Usage Instructions ++ ++### 3.1 Loading and Unloading ++ ++- **Feature Descriptions**: ++ - Providers are uniquely identified by their names. Different providers must have unique names. Providers with the same name but located in different paths are treated as the same provider. ++ - The framework supports repeated loading and unloading of providers. Repeated loading does not create additional provider manager contexts. To remove a provider manager context from the library context, the number of unloads must match the number of loads. ++ - When releasing the library context, all loaded providers are automatically unloaded. ++ - The default provider loading path is empty. If no path is set, the framework searches for providers in various locations based on the runtime environment and the behavior of the `dlopen` function. ++ - Currently, OpenHiTLS's built-in algorithm library is loaded into a globally initialized library context during startup. If `libCtx` is `NULL` during provider loading, unloading, or searching, this global library context is used. ++ ++- **Usage Example**: ++ ```c ++ ... ++ // Create a library context ++ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); ++ assert(libCtx != NULL); ++ ++ // Set the provider loading path ++ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); ++ assert(ret == CRYPT_SUCCESS); ++ ++ // Load a provider ++ CRYPT_EAL_ProvMgrCtx *mgrCtx = NULL; ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_SO, "provider_name", NULL, &mgrCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ++ ... ++ ++ // Unload the provider ++ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); ++ assert(ret == CRYPT_SUCCESS); ++ ++ // Free the library context ++ CRYPT_EAL_LibCtxFree(libCtx); ++ ... ++ ``` ++ ++--- ++ ++### 3.2 Attribute Query and Provider Scoring Mechanism ++ ++- **Attribute Mechanism**: ++ When querying algorithms, the framework first searches for algorithms matching the algorithm ID. If the search string is not `NULL`, it further selects the best-matching algorithm from all loaded providers based on the search string. ++ Provider algorithm attributes are composed of a `name` and a `value`, separated by `=`. Multiple attributes are separated by `,`. Within a provider, each algorithm can define one or more sets of attributes based on its implementation purpose. Even the same algorithm can have different implementations distinguished by attributes. ++ ++- **Provider Scoring Mechanism**: ++ Queries can consist of multiple query statements, separated by `,`. Within a statement, `name` and `value` are separated by the following **comparison characters**: ++ - `=`: Must be equal (mandatory condition). ++ - `!=`: Must not be equal (mandatory condition). ++ - `?`: Optional condition. If `value` matches, it is prioritized. Each match adds +1 to the score. ++ ++ Mandatory conditions must be satisfied. Among providers that meet the mandatory conditions, the framework selects the best match based on optional conditions. If there are multiple best matches, one is randomly selected. ++ Repeated conditions are allowed within query statements: ++ - Repeated mandatory conditions have no effect. ++ - Repeated optional conditions increase the score proportionally. ++ ++- **Usage Example**: ++ ```c ++ ... ++ // Query with a NULL attribute string, searching by algorithm ID ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // Query with a non-NULL attribute string, matching based on rules ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,type=hash,version=1.0", &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // Query with provider scoring mechanism ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,feature?attr_good,feature?attr_good,feature?attr_bad", &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // For actual use, it is recommended to use EAL layer wrapping interfaces for each algorithm, ++ // which automatically locate and initialize the algorithm. ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_MD5, "provider=no_hitls,type=hash"); ++ assert(ctx != NULL); ++ ... ++ ``` ++ ++--- ++ ++## 4. Provider Construction Instructions ++ ++This section describes the commands and function prototypes, which are fully defined in the `crypt_eal_implprovider.h` header file. ++ ++### 4.1 Initialization Function ++ ++For each provider, an initialization function named `CRYPT_EAL_ProviderInit` must be implemented. This function is called when loading the provider: ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderInit( ++ CRYPT_EAL_ProvMgrCtx *mgrCtx, ++ BSL_Param *param, ++ CRYPT_EAL_Func *capFuncs, ++ CRYPT_EAL_Func **outFuncs, ++ void **provCtx ++ ); ++ ``` ++ - **Parameters**: ++ - `mgrCtx`: [in] Provider manager context. ++ - `param`: [in] Additional parameters for provider initialization. ++ - `capFuncs`: [in] Algorithm array pointer provided by the management framework, allowing users to optionally use HITLS's default entropy source. ++ - `outFuncs`: [out] Array pointer for algorithms exposed by the provider. Details are described below. ++ - `provCtx`: [out] Provider-specific structure. If needed, private data can be saved in the provider manager context. Details on its operation are below (optional). ++ - **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ ++- **Description of the `outFuncs` Array**: ++ This array is used to pass the three types of algorithm arrays provided by the provider. **The algorithm query function must be returned**, while the other two functions are optional: ++ - **Algorithm Query Function**: Used to retrieve the algorithm array provided by the provider based on the algorithm category during a search: ++ **`typedef int32_t (*)(void *provCtx, int32_t operaId, CRYPT_EAL_AlgInfo **algInfos);`** ++ - **Parameters**: ++ - `provCtx`: [in] Provider-specific structure (optional). ++ - `operaId`: [in] Algorithm category ID. ++ - `algInfos`: [out] Pointer to the array of all algorithms under the category. The array ends when the algorithm ID is 0. ++ - **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ - **`provCtx` Control Function**: If the provider uses `provCtx`, this function is used for its control. It can be invoked using the `CRYPT_EAL_ProviderCtrl` function. ++ **`typedef int32_t (*)(void *provCtx, int32_t cmd, void *val, uint32_t valLen);`** ++ - **Parameters**: Omitted. ++ - **Return Value**: Omitted. ++ - **`provCtx` Release Function**: If the provider uses `provCtx`, this function releases `provCtx`. It is called during resource release. ++ **`typedef void (*)(void *provCtx);`** ++ - **Parameters**: ++ - `provCtx`: [in] Provider-specific structure. ++ - **Return Value**: None. ++ ++--- ++ ++### 4.2 Provider Construction Example ++ ++- **Initialization Function Example**: ++```c ++static CRYPT_EAL_Func defProvOutFuncs[] = { ++ {CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery}, ++ {CRYPT_EAL_PROVCB_FREE, NULL}, ++ {CRYPT_EAL_PROVCB_CTRL, NULL}, ++ CRYPT_EAL_FUNC_END ++}; ++ ++int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, ++ BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx) ++{ ++ CRYPT_RandSeedMethod entroy = {0}; ++ CRYPT_EAL_ProvMgrCtrlCb mgrCtrl = NULL; ++ int32_t index = 0; ++ while (capFuncs[index].id != 0) { ++ switch (capFuncs[index].id) { ++ case CRYPT_EAL_CAP_GETENTROPY: ++ entroy.getEntropy = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_CLEANENTROPY: ++ entroy.cleanEntropy = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_GETNONCE: ++ entroy.getNonce = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_CLEANNONCE: ++ entroy.cleanNonce = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_MGRCTXCTRL: ++ mgrCtrl = capFuncs[index].func; ++ break; ++ default: ++ return CRYPT_PROVIDER_ERR_UNEXPECTED_IMPL; ++ } ++ index++; ++ } ++ void *seedCtx = NULL; ++ void *libCtx = NULL; ++ if (entroy.getEntropy == NULL || entroy.cleanEntropy == NULL || entroy.getNonce == NULL || ++ entroy.cleanNonce == NULL || mgrCtrl == NULL) { ++ return CRYPT_NULL_INPUT; ++ } ++ int32_t ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETSEEDCTX, &seedCtx, 0); ++ if (ret != CRYPT_SUCCESS) { ++ return ret; ++ } ++ ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETLIBCTX, &libCtx, 0); ++ if (ret != CRYPT_SUCCESS) { ++ return ret; ++ } ++ CRYPT_Data entropy = {NULL, 0}; ++ CRYPT_Range entropyRange = {32, 2147483632}; ++ ret = entroy.getEntropy(seedCtx, &entropy, 256, &entropyRange); ++ if (ret != CRYPT_SUCCESS) { ++ return CRYPT_DRBG_FAIL_GET_ENTROPY; ++ } ++ entroy.cleanEntropy(seedCtx, &entropy); ++ // check libCtx ++ if (param != NULL) { ++ if (param[0].value != libCtx) { ++ return CRYPT_INVALID_ARG; ++ } ++ } ++ *outFuncs = defProvOutFuncs; ++ return 0; ++} ++``` ++- **Algorithm query function example**: ++```c ++const CRYPT_EAL_Func defMdMd5[] = { ++ {CRYPT_EAL_IMPLMD_NEWCTX, ...}, ++ {CRYPT_EAL_IMPLMD_INITCTX, ...}, ++ {CRYPT_EAL_IMPLMD_UPDATE, ...}, ++ {CRYPT_EAL_IMPLMD_FINAL, ...}, ++ {CRYPT_EAL_IMPLMD_DEINITCTX, ...}, ++ {CRYPT_EAL_IMPLMD_DUPCTX, ...}, ++ {CRYPT_EAL_IMPLMD_CTRL, ...}, ++ {CRYPT_EAL_IMPLMD_FREECTX, ...}, ++ CRYPT_EAL_FUNC_END, ++}; ++ ++static const CRYPT_EAL_AlgInfo defMds[] = { ++ ... ++ {CRYPT_MD_MD5, defMdMd5, "attr1=temp_attr1,attr2=temp_attr2"}, ++ ... ++ CRYPT_EAL_ALGINFO_END ++}; ++ ++static int32_t CRYPT_EAL_DefaultProvQuery(void *provCtx, int32_t operaId, const CRYPT_EAL_AlgInfo **algInfos) ++{ ++ (void) provCtx; ++ int32_t ret = CRYPT_SUCCESS; ++ switch (operaId) { ++ ... ++ case CRYPT_EAL_OPERAID_HASH: ++ *algInfos = defMds; ++ break; ++ ... ++ default: ++ ret = CRYPT_NOT_SUPPORT; ++ break; ++ } ++ return ret; ++} ++``` ++ ++--- ++ ++## 5. Comprehensive Usage Example ++ ++```c ++#include "bsl_sal.h" ++#include "crypt_eal_provider.h" ++#include "crypt_eal_implprovider.h" ++#include "crypt_eal_md.h" ++ ++/* Using the SM3 algorithm */ ++ ++int main() { ++ ++------------------------------------------------------------------------------------------------------ ++ ++// Using the built-in HITLS algorithm library: ++ // Step 1: Directly initialize using EAL layer MD interface ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "provider=default"); ++ ASSERT_TRUE(ctx != NULL); ++ ++----------------------------------------------- ++ ++// Searching and initializing with a matching algorithm library in a third-party provider: ++ // Step 1: Create a library context ++ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); ++ ASSERT_TRUE(libCtx != NULL); ++ ++ // Step 2: Set the provider loading path ++ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // Step 3: Load the provider ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // Step 4: Directly initialize using EAL layer MD interface ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); ++ ASSERT_TRUE(ctx != NULL); ++ ++----------------------------------------------- ++ ++// Mixed usage of third-party providers and HITLS libraries: ++ // Step 1: Set the provider loading path ++ int ret = CRYPT_EAL_ProviderSetLoadPath(NULL, "/path/to/providers"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // Step 2: Load the provider ++ ret = CRYPT_EAL_ProviderLoad(NULL, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // Step 3: Directly initialize using EAL layer MD interface ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); ++ ASSERT_TRUE(ctx != NULL); ++ ++------------------------------------------------------------------------------------------------------ ++ ++// After initialization, a series of algorithm operations can be performed: ++ ASSERT_EQ(CRYPT_EAL_MdInit(ctx), CRYPT_SUCCESS); ++ ASSERT_EQ(CRYPT_EAL_MdUpdate(ctx, msg->x, msg->len), CRYPT_SUCCESS); ++ ASSERT_EQ(CRYPT_EAL_MdFinal(ctx, output, &outLen), CRYPT_SUCCESS); ++ ++------------------------------------------------------------------------------------------------------ ++ ++// If a library context was created or a third-party provider was loaded during initialization, they need to be released: ++ // Unload the provider ++ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // Free the library context ++ CRYPT_EAL_LibCtxFree(libCtx); ++ ++ return 0; ++} ++``` +\ No newline at end of file +diff --git a/docs/index/index.md b/docs/index/index.md +index 28ea2ae..412be81 100644 +--- a/docs/index/index.md ++++ b/docs/index/index.md +@@ -11,6 +11,7 @@ + | 7 | [加密完保应用开发指南](../zh/5_开发指南/1_加密完保应用开发指南.md) | [Encryption and Integrity Protection Application Development Guide](../en/5_Developer%20Guide/1_Encryption%20and%20Integrity%20Protection%20Application%20Development%20Guide.md) | + | 8 | [安全通信应用开发指南](../zh/5_开发指南/2_安全通信应用开发指南.md) | [Secure Communication Application Development Guide](../en/5_Developer%20Guide/2_Secure%20Communication%20Application%20Development%20Guide.md) | + | 9 | [API参考](../zh/5_开发指南/3_API参考.md) | [API Reference](../en/5_Developer%20Guide/3_API%20Reference.md) | +-| 10 | [术语列表](../zh/6_附录/1_术语列表.md) | [Terms](../en/6_Appendix/1_Terms.md) | +-| 11 | [修订记录](../zh/6_附录/2_修订记录.md) | [Change History](../en/6_Appendix/2_Change%20History.md) | ++| 10 | [provider开发指南](../zh/5_开发指南/4_provider开发指南.md) | [provider Development Guide](../en/5_Developer%20Guide/4_provider%20Development%20Guide.md) | ++| 11 | [术语列表](../zh/6_附录/1_术语列表.md) | [Terms](../en/6_Appendix/1_Terms.md) | ++| 12 | [修订记录](../zh/6_附录/2_修订记录.md) | [Change History](../en/6_Appendix/2_Change%20History.md) | + +diff --git "a/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" "b/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" +new file mode 100644 +index 0000000..4ae2b56 +--- /dev/null ++++ "b/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" +@@ -0,0 +1,458 @@ ++# Provider 开发指南 ++ ++本文档是 OpenHiTLS Provider 的开发指南,为开发人员提供接口介绍、关键特性说明以及综合使用示例。 ++ ++## 1. 概述 ++ ++OpenHiTLS 的 Provider 管理框架支持动态加载、管理和使用加密 Provider。每个 "Provider" 封装了一组特定的加密操作,通过标准化接口向外部用户暴露。 ++ ++### 核心概念: ++- **库上下文(Library Context,`CRYPT_EAL_LibCtx`)**:用于管理所有加载的 Provider 的生命周期和资源。 ++- **Provider 管理上下文(Provider Manager Context,`CRYPT_EAL_ProvMgrCtx`)**:表示单个 Provider,包括其加载库句柄和功能实现。 ++- **功能接口(Functional Interfaces)**:标准化的函数,用于查询和调用 Provider 的具体操作。 ++ ++--- ++ ++## 2. 接口介绍 ++ ++### 2.1 库上下文管理 ++ ++#### **`CRYPT_EAL_LibCtxNew`** ++- **描述**:创建一个新的库上下文,用于管理 Provider。 ++- **函数原型**: ++ ```c ++ CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNew(void); ++ ``` ++- **返回值**:指向新创建的库上下文的指针。 ++ ++#### **`CRYPT_EAL_LibCtxFree`** ++- **描述**:释放库上下文,并释放所有相关资源。 ++- **函数原型**: ++ ```c ++ void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx); ++ ``` ++- **参数**: ++ - `libCtx`:需要释放的库上下文。 ++ ++--- ++ ++### 2.2 路径配置 ++ ++#### **`CRYPT_EAL_ProviderSetLoadPath`** ++- **描述**:配置加载 Provider 的路径。 ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderSetLoadPath( ++ CRYPT_EAL_LibCtx *libCtx, ++ const char *searchPath ++ ); ++ ``` ++- **参数**: ++ - `libCtx`:库上下文。 ++ - `searchPath`:Provider 的搜索路径。 ++- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ ++--- ++ ++### 2.3 Provider 加载与卸载 ++ ++#### **`CRYPT_EAL_ProviderLoad`** ++- **描述**:动态加载一个 Provider,并完成初始化。 ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderLoad( ++ CRYPT_EAL_LibCtx *libCtx, ++ BSL_SAL_ConverterCmd cmd, ++ const char *providerName, ++ BSL_Param *param, ++ CRYPT_EAL_ProvMgrCtx **mgrCtx ++ ); ++ ``` ++- **参数**: ++ - `libCtx`:库上下文。 ++ - `cmd`:指定库格式的命令(例如 `.so` 或 `lib*.so`)。 ++ - `providerName`:要加载的 Provider 名称。 ++ - `param`:初始化 Provider 时的附加参数。 ++ - `mgrCtx`:输出的 Provider 管理上下文指针,如果不为NULL,那么将会在加载成功后返回对应provider的管理上下文(CRYPT_EAL_ProvMgrCtx)。 ++- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ ++#### **`CRYPT_EAL_ProviderUnload`** ++- **描述**:卸载指定的 Provider,并释放相关资源。 ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderUnload( ++ CRYPT_EAL_LibCtx *libCtx, ++ BSL_SAL_ConverterCmd cmd, ++ const char *providerName ++ ); ++ ``` ++- **参数**: ++ - `libCtx`:库上下文。 ++ - `cmd`:指定库格式的命令。 ++ - `providerName`:要卸载的 Provider 名称。 ++- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ ++--- ++ ++### 2.4 算法查询与调用 ++ ++**eal层对外包装接口**: ++ ++该部分接口会包装provider对外接口,在查询到适配的算法后自动调用算法进行初始化工作,详见各类算法的对外头文件。 ++ ++- **对称接口:`CRYPT_EAL_ProviderCipherNewCtx`** ++- **非对称接口:`CRYPT_EAL_ProviderPkeyNewCtx`** ++- **kdf接口:`CRYPT_EAL_ProviderKdfNewCtx`** ++- **mac接口:`CRYPT_EAL_ProviderMacNewCtx`** ++- **md接口:`CRYPT_EAL_ProviderMdNewCtx`** ++- **随机数接口:`CRYPT_EAL_ProviderRandInitCtx`、`CRYPT_EAL_ProviderDrbgInitCtx`** ++ ++ ++**provider底层对外接口**: ++ ++#### **`CRYPT_EAL_ProviderGetFuncs`** ++- **描述**:从所有加载的provider中查询符合要求的算法。 ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderGetFuncs( ++ CRYPT_EAL_LibCtx *libCtx, ++ int32_t operaId, ++ int32_t algId, ++ const char *attribute, ++ const CRYPT_EAL_Func **funcs, ++ void **provCtx ++ ); ++ ``` ++- **参数**: ++ - `libCtx`:库上下文。 ++ - `operaId`:算法类别 ID(详见”crypt_eal_implprovider.h“文件)。 ++ - `algId`:算法 ID (详见”crypt_eal_implprovider.h“文件)。 ++ - `attribute`:用于筛选 Provider 的属性字符串。 ++ - `funcs`:输出的算法数组指针。 ++ - `provCtx`:可选参数,如果不为NULL会获得该算法所在provider管理上下文中的provCtx。 ++- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ ++#### **`CRYPT_EAL_ProviderCtrl`** ++- **描述**:控制 Provider 管理上下文中的provCtx。 ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderCtrl( ++ CRYPT_EAL_ProvMgrCtx *ctx, ++ int32_t cmd, ++ void *val, ++ uint32_t valLen ++ ); ++ ``` ++- **参数**: ++ - `ctx`:Provider 管理上下文。 ++ - `cmd`:控制命令。 ++ - `val`:与命令相关的值。 ++ - `valLen`:值的长度。 ++ ++--- ++ ++## 3. provider管理模块使用说明 ++ ++### 3.1 加载与卸载 ++ ++- **特性说明**: ++ - provider以名称为唯一标识符,不同的provider要求具有不同的名称,不同路径相同名称的provider会被视为相同的provider。 ++ - 支持重复加载和卸载provider,重复加载时并不会额外创建provider管理上下文,卸载的次数需要与加载的次数相同才能将库上下文中的provider管理上下文删除。 ++ - 在释放库上下文时,会自动卸载所有加载的provider。 ++ - 加载provider的路径默认为空,如果没有设置加载路径,那么将会根据运行环境中dlopen函数的当前特性从各个位置依次检索搜索provider。 ++ - 目前openhitls自带的算法库会被加载进一个启动时初始化的全局库上下文中,当加载、卸载以及查找provider时,如果传入的libCtx为NULL,那么会使用该全局库上下文。 ++- **使用示例**: ++ ```c ++ ... ++ // 创建库上下文 ++ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); ++ assert(libCtx != NULL); ++ ++ // 设置 Provider 加载路径 ++ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); ++ assert(ret == CRYPT_SUCCESS); ++ ++ // 加载 Provider ++ CRYPT_EAL_ProvMgrCtx *mgrCtx = NULL; ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_SO, "provider_name", NULL, &mgrCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ++ ... ++ ++ // 卸载 Provider ++ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); ++ assert(ret == CRYPT_SUCCESS); ++ ++ // 释放库上下文 ++ CRYPT_EAL_LibCtxFree(libCtx); ++ ... ++ ``` ++ ++--- ++ ++### 3.2 属性查询和provider打分机制 ++ ++- **属性机制**: ++ 在查询算法时,首先会查找符合算法ID的算法数组,如果用户输入的查找字符串不为NULL,则还会根据查找字符串选择所有加载provider中最匹配的算法。 ++ 供查找的provider算法属性值由name和value组成,name和value之间用`=`分隔,多组属性之间用`,`分隔。在provider中,每个算法可以根据实现目的定义一组或多组属性,甚至同一个算法,可以有不同实现(通过属性区分)。 ++- **provider打分机制**: ++ 查询可以由多个查询语句组成,每个语句中之间用`,`分隔,语句中的name和value之间用以下`判断字符`分隔: ++ - `=`: 必须相等,属于强制条件。 ++ - `!=`: 必须不相等,属于强制条件。 ++ - `?`: 可选条件,如果value匹配,优先选择,每满足一个问号,得分会+1。 ++ ++ 查询时强制条件必须满足,在此基础上,根据可选条件选择最匹配的,如果最匹配实现有多个选择,随机返回一个。 ++ 查询时允许各组语句重复,强制条件重复对结果无影响。可选条件重复,相当于满足该条件的得分由1分变为重复个数的分数。 ++- **使用示例**: ++ ```c ++ ... ++ // 属性字符串可以为NILL,会根据算法ID查找 ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // 属性字符串不为NULL时,根据匹配规则查找 ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,type=hash,version=1.0", &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // 属性字符串涉及provider打分机制 ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,feature?attr_good,feature?attr_good,feature?attr_bad", &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // 实际使用时推荐使用eal层各类算法对外的包装接口,会自动进行查找算法并调用算法进行初始化等工作。 ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_MD5, "provider=no_hitls,type=hash"); ++ assert(ctx != NULL); ++ ... ++ ``` ++ ++--- ++ ++## 4. provider构建说明 ++ ++该部分涉及的各类命令以及函数原型的完整内容定义在`crypt_eal_implprovider.h`头文件中。 ++ ++### 4.1 初始化函数 ++ ++对每个provider,需要实现名为`CRYPT_EAL_ProviderInit`的初始化函数,该初始化函数会在加载provider时被调用: ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderInit( ++ CRYPT_EAL_ProvMgrCtx *mgrCtx, ++ BSL_Param *param, ++ CRYPT_EAL_Func *capFuncs, ++ CRYPT_EAL_Func **outFuncs, ++ void **provCtx ++ ); ++ ``` ++ - **参数**: ++ - `mgrCtx`:[in] Provider 管理上下文。 ++ - `param`:[in] 初始化 Provider 时的附加参数。 ++ - `capFuncs`:[in] 由管理框架输入的算法数组指针,目前支持让用户可以选择使用HITLS提供的默认熵源。 ++ - `outFuncs`:[out] provider对外提供的算法数组指针,详情见下文。 ++ - `provCtx`:[out] provider私有结构体,如需要可用于在provider管理上下文中保存一些私有数据,操作详情见下文,可选。 ++ - **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ ++- **`outFuncs`数组说明**: ++该数组用于传出provider对外提供的三种算法数组,其中**算法查询函数必须返回**,其他两个函数可选: ++ - **算法查询函数**:该函数用于在查找算法时,根据传入的算法类别,获取provider对外提供的整个算法类别的方法数组: ++ **`typedef int32_t (*)(void *provCtx, int32_t operaId, CRYPT_EAL_AlgInfo **algInfos);`** ++ - **参数**: ++ - `provCtx`:[in] provider私有结构体,可选。 ++ - `operaId`:[in] 算法类别ID。 ++ - `algInfos`:[out] 该算法类别下所有算法的数组指针,数组中当算法ID为0时表示结束。 ++ - **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ - **provCtx控制函数**:如果provider使用了provCtx,则该函数用于对其进行控制,该函数可以通过`CRYPT_EAL_ProviderCtrl`函数进行调用。 ++ **`typedef int32_t (*)(void *provCtx, int32_t cmd, void *val, uint32_t valLen);`** ++ - **参数**:略 ++ - **返回值**:略 ++ - **provCtx释放函数**:如果provider使用了provCtx,则该函数用于释放provCtx,该函数会在释放资源时被调用。 ++ **`typedef void (*)(void *provCtx);`** ++ - **参数**: ++ - ·`provCtx`:[in] provider私有结构体。 ++ - **返回值**:无。 ++ ++--- ++ ++### 4.2 provider构建示例 ++ ++- **初始化函数示例**: ++```c ++static CRYPT_EAL_Func defProvOutFuncs[] = { ++ {CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery}, ++ {CRYPT_EAL_PROVCB_FREE, NULL}, ++ {CRYPT_EAL_PROVCB_CTRL, NULL}, ++ CRYPT_EAL_FUNC_END ++}; ++ ++int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, ++ BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx) ++{ ++ CRYPT_RandSeedMethod entroy = {0}; ++ CRYPT_EAL_ProvMgrCtrlCb mgrCtrl = NULL; ++ int32_t index = 0; ++ while (capFuncs[index].id != 0) { ++ switch (capFuncs[index].id) { ++ case CRYPT_EAL_CAP_GETENTROPY: ++ entroy.getEntropy = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_CLEANENTROPY: ++ entroy.cleanEntropy = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_GETNONCE: ++ entroy.getNonce = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_CLEANNONCE: ++ entroy.cleanNonce = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_MGRCTXCTRL: ++ mgrCtrl = capFuncs[index].func; ++ break; ++ default: ++ return CRYPT_PROVIDER_ERR_UNEXPECTED_IMPL; ++ } ++ index++; ++ } ++ void *seedCtx = NULL; ++ void *libCtx = NULL; ++ if (entroy.getEntropy == NULL || entroy.cleanEntropy == NULL || entroy.getNonce == NULL || ++ entroy.cleanNonce == NULL || mgrCtrl == NULL) { ++ return CRYPT_NULL_INPUT; ++ } ++ int32_t ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETSEEDCTX, &seedCtx, 0); ++ if (ret != CRYPT_SUCCESS) { ++ return ret; ++ } ++ ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETLIBCTX, &libCtx, 0); ++ if (ret != CRYPT_SUCCESS) { ++ return ret; ++ } ++ CRYPT_Data entropy = {NULL, 0}; ++ CRYPT_Range entropyRange = {32, 2147483632}; ++ ret = entroy.getEntropy(seedCtx, &entropy, 256, &entropyRange); ++ if (ret != CRYPT_SUCCESS) { ++ return CRYPT_DRBG_FAIL_GET_ENTROPY; ++ } ++ entroy.cleanEntropy(seedCtx, &entropy); ++ // check libCtx ++ if (param != NULL) { ++ if (param[0].value != libCtx) { ++ return CRYPT_INVALID_ARG; ++ } ++ } ++ *outFuncs = defProvOutFuncs; ++ return 0; ++} ++``` ++- **算法查询函数示例**: ++```c ++const CRYPT_EAL_Func defMdMd5[] = { ++ {CRYPT_EAL_IMPLMD_NEWCTX, ...}, ++ {CRYPT_EAL_IMPLMD_INITCTX, ...}, ++ {CRYPT_EAL_IMPLMD_UPDATE, ...}, ++ {CRYPT_EAL_IMPLMD_FINAL, ...}, ++ {CRYPT_EAL_IMPLMD_DEINITCTX, ...}, ++ {CRYPT_EAL_IMPLMD_DUPCTX, ...}, ++ {CRYPT_EAL_IMPLMD_CTRL, ...}, ++ {CRYPT_EAL_IMPLMD_FREECTX, ...}, ++ CRYPT_EAL_FUNC_END, ++}; ++ ++static const CRYPT_EAL_AlgInfo defMds[] = { ++ ... ++ {CRYPT_MD_MD5, defMdMd5, "attr1=temp_attr1,attr2=temp_attr2"}, ++ ... ++ CRYPT_EAL_ALGINFO_END ++}; ++ ++static int32_t CRYPT_EAL_DefaultProvQuery(void *provCtx, int32_t operaId, const CRYPT_EAL_AlgInfo **algInfos) ++{ ++ (void) provCtx; ++ int32_t ret = CRYPT_SUCCESS; ++ switch (operaId) { ++ ... ++ case CRYPT_EAL_OPERAID_HASH: ++ *algInfos = defMds; ++ break; ++ ... ++ default: ++ ret = CRYPT_NOT_SUPPORT; ++ break; ++ } ++ return ret; ++} ++``` ++ ++--- ++ ++## 5. 综合使用示例 ++ ++```c ++#include "bsl_sal.h" ++#include "crypt_eal_provider.h" ++#include "crypt_eal_implprovider.h" ++#include "crypt_eal_md.h" ++ ++/* 调用SM3 算法 */ ++ ++int main() { ++ ++------------------------------------------------------------------------------------------------------ ++ ++// 调用hitls自带的算法库初始化方式: ++ // 步骤 1:调用eal层的md对外接口直接进行初始化 ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "provider=default"); ++ ASSERT_TRUE(ctx != NULL); ++ ++----------------------------------------------- ++ ++// 在第三方provider中寻找匹配的算法库并初始化方式: ++ // 步骤 1:创建库上下文 ++ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); ++ ASSERT_TRUE(libCtx != NULL); ++ ++ // 步骤 2:设置 Provider 加载路径 ++ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // 步骤 3:加载 Provider ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // 步骤 4:调用eal层的md对外接口直接进行初始化 ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); ++ ASSERT_TRUE(ctx != NULL); ++ ++----------------------------------------------- ++ ++// 第三方provider和hitls提供的算法库混合使用的场景,寻找匹配的算法库并初始化方式: ++ // 步骤 1:设置 Provider 加载路径 ++ int ret = CRYPT_EAL_ProviderSetLoadPath(NULL, "/path/to/providers"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // 步骤 2:加载 Provider ++ ret = CRYPT_EAL_ProviderLoad(NULL, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // 步骤 3:调用eal层的md对外接口直接进行初始化 ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); ++ ASSERT_TRUE(ctx != NULL); ++ ++------------------------------------------------------------------------------------------------------ ++ ++// 初始化后可进行一系列的算法操作: ++ ASSERT_EQ(CRYPT_EAL_MdInit(ctx), CRYPT_SUCCESS); ++ ASSERT_EQ(CRYPT_EAL_MdUpdate(ctx, msg->x, msg->len), CRYPT_SUCCESS); ++ ASSERT_EQ(CRYPT_EAL_MdFinal(ctx, output, &outLen), CRYPT_SUCCESS); ++ ++------------------------------------------------------------------------------------------------------ ++ ++// 如果初始化时创建了库上下文或者加载了第三方provider,则需要进行释放 ++ // 卸载 Provider ++ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // 释放库上下文 ++ CRYPT_EAL_LibCtxFree(libCtx); ++ ++ return 0; ++} ++``` +\ No newline at end of file +-- +2.42.0.windows.2 + diff --git a/0008-fix-some-bugs.patch b/0008-fix-some-bugs.patch new file mode 100644 index 0000000..88b6199 --- /dev/null +++ b/0008-fix-some-bugs.patch @@ -0,0 +1,987 @@ +From 9139271bb2bf8d77bdf211ed57156c7794d5bb41 Mon Sep 17 00:00:00 2001 +From: zhengzeyang +Date: Fri, 6 Dec 2024 18:08:18 +0800 +Subject: [PATCH 08/10] fix some bugs. + +Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/93 +--- + crypto/eal/src/eal_md.c | 2 + + .../4_provider Development Guide.md | 463 ------------------ + docs/index/index.md | 5 +- + ...00\345\217\221\346\214\207\345\215\227.md" | 458 ----------------- + 4 files changed, 4 insertions(+), 924 deletions(-) + delete mode 100644 docs/en/5_Developer Guide/4_provider Development Guide.md + delete mode 100644 "docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" + +diff --git a/crypto/eal/src/eal_md.c b/crypto/eal/src/eal_md.c +index 7eb61d6..12ecf5f 100644 +--- a/crypto/eal/src/eal_md.c ++++ b/crypto/eal/src/eal_md.c +@@ -232,6 +232,7 @@ int32_t CRYPT_EAL_MdCopyCtx(CRYPT_EAL_MdCTX *to, const CRYPT_EAL_MdCTX *from) + EAL_ERR_REPORT(CRYPT_EVENT_ERR, CRYPT_ALGO_MD, from->id, CRYPT_MEM_ALLOC_FAIL); + return CRYPT_MEM_ALLOC_FAIL; + } ++ to->isProvider = from->isProvider; + *(EAL_MdUnitaryMethod *)to->method = *from->method; + to->data = data; + to->state = from->state; +@@ -269,6 +270,7 @@ CRYPT_EAL_MdCTX *CRYPT_EAL_MdDupCtx(const CRYPT_EAL_MdCTX *ctx) + BSL_SAL_FREE(newCtx); + return NULL; + } ++ newCtx->isProvider = ctx->isProvider; + newCtx->method = method; + newCtx->state = ctx->state; + newCtx->id = ctx->id; +diff --git a/docs/en/5_Developer Guide/4_provider Development Guide.md b/docs/en/5_Developer Guide/4_provider Development Guide.md +deleted file mode 100644 +index f750a4d..0000000 +--- a/docs/en/5_Developer Guide/4_provider Development Guide.md ++++ /dev/null +@@ -1,463 +0,0 @@ +-# Provider Development Guide +- +-This document serves as a development guide for OpenHiTLS providers, providing developers with interface introductions, key feature descriptions, and comprehensive usage examples. +- +-## 1. Overview +- +-The provider management framework in OpenHiTLS supports dynamic loading, management, and usage of cryptographic providers. Each "Provider" encapsulates a specific set of cryptographic operations and exposes them to external users through standardized interfaces. +- +-### Core Concepts: +-- **Library Context (`CRYPT_EAL_LibCtx`)**: Manages the lifecycle and resources of all loaded providers. +-- **Provider Manager Context (`CRYPT_EAL_ProvMgrCtx`)**: Represents a single provider, including its loaded library handle and implemented functionalities. +-- **Functional Interfaces**: Standardized functions used for querying and invoking specific operations of providers. +- +---- +- +-## 2. Interface Introduction +- +-### 2.1 Library Context Management +- +-#### **`CRYPT_EAL_LibCtxNew`** +-- **Description**: Creates a new library context for managing providers. +-- **Function Prototype**: +- ```c +- CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNew(void); +- ``` +-- **Return Value**: A pointer to the newly created library context. +- +-#### **`CRYPT_EAL_LibCtxFree`** +-- **Description**: Frees the library context and releases all associated resources. +-- **Function Prototype**: +- ```c +- void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx); +- ``` +-- **Parameters**: +- - `libCtx`: The library context to be freed. +- +---- +- +-### 2.2 Path Configuration +- +-#### **`CRYPT_EAL_ProviderSetLoadPath`** +-- **Description**: Configures the path for loading providers. +-- **Function Prototype**: +- ```c +- int32_t CRYPT_EAL_ProviderSetLoadPath( +- CRYPT_EAL_LibCtx *libCtx, +- const char *searchPath +- ); +- ``` +-- **Parameters**: +- - `libCtx`: The library context. +- - `searchPath`: The search path for providers. +-- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. +- +---- +- +-### 2.3 Provider Loading and Unloading +- +-#### **`CRYPT_EAL_ProviderLoad`** +-- **Description**: Dynamically loads a provider and initializes it. +-- **Function Prototype**: +- ```c +- int32_t CRYPT_EAL_ProviderLoad( +- CRYPT_EAL_LibCtx *libCtx, +- BSL_SAL_ConverterCmd cmd, +- const char *providerName, +- BSL_Param *param, +- CRYPT_EAL_ProvMgrCtx **mgrCtx +- ); +- ``` +-- **Parameters**: +- - `libCtx`: The library context. +- - `cmd`: The command specifying the library format (e.g., `.so`, `lib*.so`). +- - `providerName`: The name of the provider to load. +- - `param`: Additional parameters for provider initialization. +- - `mgrCtx`: Output pointer to the provider manager context. If not `NULL`, the manager context of the loaded provider will be returned upon successful loading. +-- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. +- +-#### **`CRYPT_EAL_ProviderUnload`** +-- **Description**: Unloads the specified provider and releases associated resources. +-- **Function Prototype**: +- ```c +- int32_t CRYPT_EAL_ProviderUnload( +- CRYPT_EAL_LibCtx *libCtx, +- BSL_SAL_ConverterCmd cmd, +- const char *providerName +- ); +- ``` +-- **Parameters**: +- - `libCtx`: The library context. +- - `cmd`: The command specifying the library format. +- - `providerName`: The name of the provider to unload. +-- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. +- +---- +- +-### 2.4 Algorithm Query and Invocation +- +-**EAL Layer Wrapper Interfaces**: +- +-These interfaces wrap the provider's exposed APIs, automatically initializing algorithms after querying suitable algorithms. See the corresponding headers for each algorithm for more details. +- +-- **Symmetric Interface: `CRYPT_EAL_ProviderCipherNewCtx`** +-- **Asymmetric Interface: `CRYPT_EAL_ProviderPkeyNewCtx`** +-- **KDF Interface: `CRYPT_EAL_ProviderKdfNewCtx`** +-- **MAC Interface: `CRYPT_EAL_ProviderMacNewCtx`** +-- **Message Digest Interface: `CRYPT_EAL_ProviderMdNewCtx`** +-- **Random Number Interfaces: `CRYPT_EAL_ProviderRandInitCtx`, `CRYPT_EAL_ProviderDrbgInitCtx`** +- +-**Provider Layer Exposed Interfaces**: +- +-#### **`CRYPT_EAL_ProviderGetFuncs`** +-- **Description**: Queries algorithms matching the criteria from all loaded providers. +-- **Function Prototype**: +- ```c +- int32_t CRYPT_EAL_ProviderGetFuncs( +- CRYPT_EAL_LibCtx *libCtx, +- int32_t operaId, +- int32_t algId, +- const char *attribute, +- const CRYPT_EAL_Func **funcs, +- void **provCtx +- ); +- ``` +-- **Parameters**: +- - `libCtx`: The library context. +- - `operaId`: Algorithm category ID (see "crypt_eal_implprovider.h"). +- - `algId`: Algorithm ID (see "crypt_eal_implprovider.h"). +- - `attribute`: Attribute string for filtering providers. +- - `funcs`: Output pointer to an array of algorithms. +- - `provCtx`: Optional parameter. If not `NULL`, it retrieves the `provCtx` from the provider manager context where the algorithm resides. +-- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. +- +-#### **`CRYPT_EAL_ProviderCtrl`** +-- **Description**: Controls the `provCtx` in the provider manager context. +-- **Function Prototype**: +- ```c +- int32_t CRYPT_EAL_ProviderCtrl( +- CRYPT_EAL_ProvMgrCtx *ctx, +- int32_t cmd, +- void *val, +- uint32_t valLen +- ); +- ``` +-- **Parameters**: +- - `ctx`: Provider manager context. +- - `cmd`: Control command. +- - `val`: The value associated with the command. +- - `valLen`: The length of the value. +- +---- +- +-## 3. Provider Management Module Usage Instructions +- +-### 3.1 Loading and Unloading +- +-- **Feature Descriptions**: +- - Providers are uniquely identified by their names. Different providers must have unique names. Providers with the same name but located in different paths are treated as the same provider. +- - The framework supports repeated loading and unloading of providers. Repeated loading does not create additional provider manager contexts. To remove a provider manager context from the library context, the number of unloads must match the number of loads. +- - When releasing the library context, all loaded providers are automatically unloaded. +- - The default provider loading path is empty. If no path is set, the framework searches for providers in various locations based on the runtime environment and the behavior of the `dlopen` function. +- - Currently, OpenHiTLS's built-in algorithm library is loaded into a globally initialized library context during startup. If `libCtx` is `NULL` during provider loading, unloading, or searching, this global library context is used. +- +-- **Usage Example**: +- ```c +- ... +- // Create a library context +- CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); +- assert(libCtx != NULL); +- +- // Set the provider loading path +- int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); +- assert(ret == CRYPT_SUCCESS); +- +- // Load a provider +- CRYPT_EAL_ProvMgrCtx *mgrCtx = NULL; +- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_SO, "provider_name", NULL, &mgrCtx); +- assert(ret == CRYPT_SUCCESS); +- +- ... +- +- // Unload the provider +- ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); +- assert(ret == CRYPT_SUCCESS); +- +- // Free the library context +- CRYPT_EAL_LibCtxFree(libCtx); +- ... +- ``` +- +---- +- +-### 3.2 Attribute Query and Provider Scoring Mechanism +- +-- **Attribute Mechanism**: +- When querying algorithms, the framework first searches for algorithms matching the algorithm ID. If the search string is not `NULL`, it further selects the best-matching algorithm from all loaded providers based on the search string. +- Provider algorithm attributes are composed of a `name` and a `value`, separated by `=`. Multiple attributes are separated by `,`. Within a provider, each algorithm can define one or more sets of attributes based on its implementation purpose. Even the same algorithm can have different implementations distinguished by attributes. +- +-- **Provider Scoring Mechanism**: +- Queries can consist of multiple query statements, separated by `,`. Within a statement, `name` and `value` are separated by the following **comparison characters**: +- - `=`: Must be equal (mandatory condition). +- - `!=`: Must not be equal (mandatory condition). +- - `?`: Optional condition. If `value` matches, it is prioritized. Each match adds +1 to the score. +- +- Mandatory conditions must be satisfied. Among providers that meet the mandatory conditions, the framework selects the best match based on optional conditions. If there are multiple best matches, one is randomly selected. +- Repeated conditions are allowed within query statements: +- - Repeated mandatory conditions have no effect. +- - Repeated optional conditions increase the score proportionally. +- +-- **Usage Example**: +- ```c +- ... +- // Query with a NULL attribute string, searching by algorithm ID +- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx); +- assert(ret == CRYPT_SUCCESS); +- ... +- // Query with a non-NULL attribute string, matching based on rules +- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,type=hash,version=1.0", &funcs, &provCtx); +- assert(ret == CRYPT_SUCCESS); +- ... +- // Query with provider scoring mechanism +- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,feature?attr_good,feature?attr_good,feature?attr_bad", &funcs, &provCtx); +- assert(ret == CRYPT_SUCCESS); +- ... +- // For actual use, it is recommended to use EAL layer wrapping interfaces for each algorithm, +- // which automatically locate and initialize the algorithm. +- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_MD5, "provider=no_hitls,type=hash"); +- assert(ctx != NULL); +- ... +- ``` +- +---- +- +-## 4. Provider Construction Instructions +- +-This section describes the commands and function prototypes, which are fully defined in the `crypt_eal_implprovider.h` header file. +- +-### 4.1 Initialization Function +- +-For each provider, an initialization function named `CRYPT_EAL_ProviderInit` must be implemented. This function is called when loading the provider: +-- **Function Prototype**: +- ```c +- int32_t CRYPT_EAL_ProviderInit( +- CRYPT_EAL_ProvMgrCtx *mgrCtx, +- BSL_Param *param, +- CRYPT_EAL_Func *capFuncs, +- CRYPT_EAL_Func **outFuncs, +- void **provCtx +- ); +- ``` +- - **Parameters**: +- - `mgrCtx`: [in] Provider manager context. +- - `param`: [in] Additional parameters for provider initialization. +- - `capFuncs`: [in] Algorithm array pointer provided by the management framework, allowing users to optionally use HITLS's default entropy source. +- - `outFuncs`: [out] Array pointer for algorithms exposed by the provider. Details are described below. +- - `provCtx`: [out] Provider-specific structure. If needed, private data can be saved in the provider manager context. Details on its operation are below (optional). +- - **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. +- +-- **Description of the `outFuncs` Array**: +- This array is used to pass the three types of algorithm arrays provided by the provider. **The algorithm query function must be returned**, while the other two functions are optional: +- - **Algorithm Query Function**: Used to retrieve the algorithm array provided by the provider based on the algorithm category during a search: +- **`typedef int32_t (*)(void *provCtx, int32_t operaId, CRYPT_EAL_AlgInfo **algInfos);`** +- - **Parameters**: +- - `provCtx`: [in] Provider-specific structure (optional). +- - `operaId`: [in] Algorithm category ID. +- - `algInfos`: [out] Pointer to the array of all algorithms under the category. The array ends when the algorithm ID is 0. +- - **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. +- - **`provCtx` Control Function**: If the provider uses `provCtx`, this function is used for its control. It can be invoked using the `CRYPT_EAL_ProviderCtrl` function. +- **`typedef int32_t (*)(void *provCtx, int32_t cmd, void *val, uint32_t valLen);`** +- - **Parameters**: Omitted. +- - **Return Value**: Omitted. +- - **`provCtx` Release Function**: If the provider uses `provCtx`, this function releases `provCtx`. It is called during resource release. +- **`typedef void (*)(void *provCtx);`** +- - **Parameters**: +- - `provCtx`: [in] Provider-specific structure. +- - **Return Value**: None. +- +---- +- +-### 4.2 Provider Construction Example +- +-- **Initialization Function Example**: +-```c +-static CRYPT_EAL_Func defProvOutFuncs[] = { +- {CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery}, +- {CRYPT_EAL_PROVCB_FREE, NULL}, +- {CRYPT_EAL_PROVCB_CTRL, NULL}, +- CRYPT_EAL_FUNC_END +-}; +- +-int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, +- BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx) +-{ +- CRYPT_RandSeedMethod entroy = {0}; +- CRYPT_EAL_ProvMgrCtrlCb mgrCtrl = NULL; +- int32_t index = 0; +- while (capFuncs[index].id != 0) { +- switch (capFuncs[index].id) { +- case CRYPT_EAL_CAP_GETENTROPY: +- entroy.getEntropy = capFuncs[index].func; +- break; +- case CRYPT_EAL_CAP_CLEANENTROPY: +- entroy.cleanEntropy = capFuncs[index].func; +- break; +- case CRYPT_EAL_CAP_GETNONCE: +- entroy.getNonce = capFuncs[index].func; +- break; +- case CRYPT_EAL_CAP_CLEANNONCE: +- entroy.cleanNonce = capFuncs[index].func; +- break; +- case CRYPT_EAL_CAP_MGRCTXCTRL: +- mgrCtrl = capFuncs[index].func; +- break; +- default: +- return CRYPT_PROVIDER_ERR_UNEXPECTED_IMPL; +- } +- index++; +- } +- void *seedCtx = NULL; +- void *libCtx = NULL; +- if (entroy.getEntropy == NULL || entroy.cleanEntropy == NULL || entroy.getNonce == NULL || +- entroy.cleanNonce == NULL || mgrCtrl == NULL) { +- return CRYPT_NULL_INPUT; +- } +- int32_t ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETSEEDCTX, &seedCtx, 0); +- if (ret != CRYPT_SUCCESS) { +- return ret; +- } +- ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETLIBCTX, &libCtx, 0); +- if (ret != CRYPT_SUCCESS) { +- return ret; +- } +- CRYPT_Data entropy = {NULL, 0}; +- CRYPT_Range entropyRange = {32, 2147483632}; +- ret = entroy.getEntropy(seedCtx, &entropy, 256, &entropyRange); +- if (ret != CRYPT_SUCCESS) { +- return CRYPT_DRBG_FAIL_GET_ENTROPY; +- } +- entroy.cleanEntropy(seedCtx, &entropy); +- // check libCtx +- if (param != NULL) { +- if (param[0].value != libCtx) { +- return CRYPT_INVALID_ARG; +- } +- } +- *outFuncs = defProvOutFuncs; +- return 0; +-} +-``` +-- **Algorithm query function example**: +-```c +-const CRYPT_EAL_Func defMdMd5[] = { +- {CRYPT_EAL_IMPLMD_NEWCTX, ...}, +- {CRYPT_EAL_IMPLMD_INITCTX, ...}, +- {CRYPT_EAL_IMPLMD_UPDATE, ...}, +- {CRYPT_EAL_IMPLMD_FINAL, ...}, +- {CRYPT_EAL_IMPLMD_DEINITCTX, ...}, +- {CRYPT_EAL_IMPLMD_DUPCTX, ...}, +- {CRYPT_EAL_IMPLMD_CTRL, ...}, +- {CRYPT_EAL_IMPLMD_FREECTX, ...}, +- CRYPT_EAL_FUNC_END, +-}; +- +-static const CRYPT_EAL_AlgInfo defMds[] = { +- ... +- {CRYPT_MD_MD5, defMdMd5, "attr1=temp_attr1,attr2=temp_attr2"}, +- ... +- CRYPT_EAL_ALGINFO_END +-}; +- +-static int32_t CRYPT_EAL_DefaultProvQuery(void *provCtx, int32_t operaId, const CRYPT_EAL_AlgInfo **algInfos) +-{ +- (void) provCtx; +- int32_t ret = CRYPT_SUCCESS; +- switch (operaId) { +- ... +- case CRYPT_EAL_OPERAID_HASH: +- *algInfos = defMds; +- break; +- ... +- default: +- ret = CRYPT_NOT_SUPPORT; +- break; +- } +- return ret; +-} +-``` +- +---- +- +-## 5. Comprehensive Usage Example +- +-```c +-#include "bsl_sal.h" +-#include "crypt_eal_provider.h" +-#include "crypt_eal_implprovider.h" +-#include "crypt_eal_md.h" +- +-/* Using the SM3 algorithm */ +- +-int main() { +- +------------------------------------------------------------------------------------------------------- +- +-// Using the built-in HITLS algorithm library: +- // Step 1: Directly initialize using EAL layer MD interface +- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "provider=default"); +- ASSERT_TRUE(ctx != NULL); +- +------------------------------------------------ +- +-// Searching and initializing with a matching algorithm library in a third-party provider: +- // Step 1: Create a library context +- CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); +- ASSERT_TRUE(libCtx != NULL); +- +- // Step 2: Set the provider loading path +- int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); +- ASSERT_TRUE(ret == CRYPT_SUCCESS); +- +- // Step 3: Load the provider +- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); +- ASSERT_TRUE(ret == CRYPT_SUCCESS); +- +- // Step 4: Directly initialize using EAL layer MD interface +- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); +- ASSERT_TRUE(ctx != NULL); +- +------------------------------------------------ +- +-// Mixed usage of third-party providers and HITLS libraries: +- // Step 1: Set the provider loading path +- int ret = CRYPT_EAL_ProviderSetLoadPath(NULL, "/path/to/providers"); +- ASSERT_TRUE(ret == CRYPT_SUCCESS); +- +- // Step 2: Load the provider +- ret = CRYPT_EAL_ProviderLoad(NULL, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); +- ASSERT_TRUE(ret == CRYPT_SUCCESS); +- +- // Step 3: Directly initialize using EAL layer MD interface +- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); +- ASSERT_TRUE(ctx != NULL); +- +------------------------------------------------------------------------------------------------------- +- +-// After initialization, a series of algorithm operations can be performed: +- ASSERT_EQ(CRYPT_EAL_MdInit(ctx), CRYPT_SUCCESS); +- ASSERT_EQ(CRYPT_EAL_MdUpdate(ctx, msg->x, msg->len), CRYPT_SUCCESS); +- ASSERT_EQ(CRYPT_EAL_MdFinal(ctx, output, &outLen), CRYPT_SUCCESS); +- +------------------------------------------------------------------------------------------------------- +- +-// If a library context was created or a third-party provider was loaded during initialization, they need to be released: +- // Unload the provider +- ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); +- ASSERT_TRUE(ret == CRYPT_SUCCESS); +- +- // Free the library context +- CRYPT_EAL_LibCtxFree(libCtx); +- +- return 0; +-} +-``` +\ No newline at end of file +diff --git a/docs/index/index.md b/docs/index/index.md +index 412be81..28ea2ae 100644 +--- a/docs/index/index.md ++++ b/docs/index/index.md +@@ -11,7 +11,6 @@ + | 7 | [加密完保应用开发指南](../zh/5_开发指南/1_加密完保应用开发指南.md) | [Encryption and Integrity Protection Application Development Guide](../en/5_Developer%20Guide/1_Encryption%20and%20Integrity%20Protection%20Application%20Development%20Guide.md) | + | 8 | [安全通信应用开发指南](../zh/5_开发指南/2_安全通信应用开发指南.md) | [Secure Communication Application Development Guide](../en/5_Developer%20Guide/2_Secure%20Communication%20Application%20Development%20Guide.md) | + | 9 | [API参考](../zh/5_开发指南/3_API参考.md) | [API Reference](../en/5_Developer%20Guide/3_API%20Reference.md) | +-| 10 | [provider开发指南](../zh/5_开发指南/4_provider开发指南.md) | [provider Development Guide](../en/5_Developer%20Guide/4_provider%20Development%20Guide.md) | +-| 11 | [术语列表](../zh/6_附录/1_术语列表.md) | [Terms](../en/6_Appendix/1_Terms.md) | +-| 12 | [修订记录](../zh/6_附录/2_修订记录.md) | [Change History](../en/6_Appendix/2_Change%20History.md) | ++| 10 | [术语列表](../zh/6_附录/1_术语列表.md) | [Terms](../en/6_Appendix/1_Terms.md) | ++| 11 | [修订记录](../zh/6_附录/2_修订记录.md) | [Change History](../en/6_Appendix/2_Change%20History.md) | + +diff --git "a/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" "b/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" +deleted file mode 100644 +index 4ae2b56..0000000 +--- "a/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" ++++ /dev/null +@@ -1,458 +0,0 @@ +-# Provider 开发指南 +- +-本文档是 OpenHiTLS Provider 的开发指南,为开发人员提供接口介绍、关键特性说明以及综合使用示例。 +- +-## 1. 概述 +- +-OpenHiTLS 的 Provider 管理框架支持动态加载、管理和使用加密 Provider。每个 "Provider" 封装了一组特定的加密操作,通过标准化接口向外部用户暴露。 +- +-### 核心概念: +-- **库上下文(Library Context,`CRYPT_EAL_LibCtx`)**:用于管理所有加载的 Provider 的生命周期和资源。 +-- **Provider 管理上下文(Provider Manager Context,`CRYPT_EAL_ProvMgrCtx`)**:表示单个 Provider,包括其加载库句柄和功能实现。 +-- **功能接口(Functional Interfaces)**:标准化的函数,用于查询和调用 Provider 的具体操作。 +- +---- +- +-## 2. 接口介绍 +- +-### 2.1 库上下文管理 +- +-#### **`CRYPT_EAL_LibCtxNew`** +-- **描述**:创建一个新的库上下文,用于管理 Provider。 +-- **函数原型**: +- ```c +- CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNew(void); +- ``` +-- **返回值**:指向新创建的库上下文的指针。 +- +-#### **`CRYPT_EAL_LibCtxFree`** +-- **描述**:释放库上下文,并释放所有相关资源。 +-- **函数原型**: +- ```c +- void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx); +- ``` +-- **参数**: +- - `libCtx`:需要释放的库上下文。 +- +---- +- +-### 2.2 路径配置 +- +-#### **`CRYPT_EAL_ProviderSetLoadPath`** +-- **描述**:配置加载 Provider 的路径。 +-- **函数原型**: +- ```c +- int32_t CRYPT_EAL_ProviderSetLoadPath( +- CRYPT_EAL_LibCtx *libCtx, +- const char *searchPath +- ); +- ``` +-- **参数**: +- - `libCtx`:库上下文。 +- - `searchPath`:Provider 的搜索路径。 +-- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 +- +---- +- +-### 2.3 Provider 加载与卸载 +- +-#### **`CRYPT_EAL_ProviderLoad`** +-- **描述**:动态加载一个 Provider,并完成初始化。 +-- **函数原型**: +- ```c +- int32_t CRYPT_EAL_ProviderLoad( +- CRYPT_EAL_LibCtx *libCtx, +- BSL_SAL_ConverterCmd cmd, +- const char *providerName, +- BSL_Param *param, +- CRYPT_EAL_ProvMgrCtx **mgrCtx +- ); +- ``` +-- **参数**: +- - `libCtx`:库上下文。 +- - `cmd`:指定库格式的命令(例如 `.so` 或 `lib*.so`)。 +- - `providerName`:要加载的 Provider 名称。 +- - `param`:初始化 Provider 时的附加参数。 +- - `mgrCtx`:输出的 Provider 管理上下文指针,如果不为NULL,那么将会在加载成功后返回对应provider的管理上下文(CRYPT_EAL_ProvMgrCtx)。 +-- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 +- +-#### **`CRYPT_EAL_ProviderUnload`** +-- **描述**:卸载指定的 Provider,并释放相关资源。 +-- **函数原型**: +- ```c +- int32_t CRYPT_EAL_ProviderUnload( +- CRYPT_EAL_LibCtx *libCtx, +- BSL_SAL_ConverterCmd cmd, +- const char *providerName +- ); +- ``` +-- **参数**: +- - `libCtx`:库上下文。 +- - `cmd`:指定库格式的命令。 +- - `providerName`:要卸载的 Provider 名称。 +-- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 +- +---- +- +-### 2.4 算法查询与调用 +- +-**eal层对外包装接口**: +- +-该部分接口会包装provider对外接口,在查询到适配的算法后自动调用算法进行初始化工作,详见各类算法的对外头文件。 +- +-- **对称接口:`CRYPT_EAL_ProviderCipherNewCtx`** +-- **非对称接口:`CRYPT_EAL_ProviderPkeyNewCtx`** +-- **kdf接口:`CRYPT_EAL_ProviderKdfNewCtx`** +-- **mac接口:`CRYPT_EAL_ProviderMacNewCtx`** +-- **md接口:`CRYPT_EAL_ProviderMdNewCtx`** +-- **随机数接口:`CRYPT_EAL_ProviderRandInitCtx`、`CRYPT_EAL_ProviderDrbgInitCtx`** +- +- +-**provider底层对外接口**: +- +-#### **`CRYPT_EAL_ProviderGetFuncs`** +-- **描述**:从所有加载的provider中查询符合要求的算法。 +-- **函数原型**: +- ```c +- int32_t CRYPT_EAL_ProviderGetFuncs( +- CRYPT_EAL_LibCtx *libCtx, +- int32_t operaId, +- int32_t algId, +- const char *attribute, +- const CRYPT_EAL_Func **funcs, +- void **provCtx +- ); +- ``` +-- **参数**: +- - `libCtx`:库上下文。 +- - `operaId`:算法类别 ID(详见”crypt_eal_implprovider.h“文件)。 +- - `algId`:算法 ID (详见”crypt_eal_implprovider.h“文件)。 +- - `attribute`:用于筛选 Provider 的属性字符串。 +- - `funcs`:输出的算法数组指针。 +- - `provCtx`:可选参数,如果不为NULL会获得该算法所在provider管理上下文中的provCtx。 +-- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 +- +-#### **`CRYPT_EAL_ProviderCtrl`** +-- **描述**:控制 Provider 管理上下文中的provCtx。 +-- **函数原型**: +- ```c +- int32_t CRYPT_EAL_ProviderCtrl( +- CRYPT_EAL_ProvMgrCtx *ctx, +- int32_t cmd, +- void *val, +- uint32_t valLen +- ); +- ``` +-- **参数**: +- - `ctx`:Provider 管理上下文。 +- - `cmd`:控制命令。 +- - `val`:与命令相关的值。 +- - `valLen`:值的长度。 +- +---- +- +-## 3. provider管理模块使用说明 +- +-### 3.1 加载与卸载 +- +-- **特性说明**: +- - provider以名称为唯一标识符,不同的provider要求具有不同的名称,不同路径相同名称的provider会被视为相同的provider。 +- - 支持重复加载和卸载provider,重复加载时并不会额外创建provider管理上下文,卸载的次数需要与加载的次数相同才能将库上下文中的provider管理上下文删除。 +- - 在释放库上下文时,会自动卸载所有加载的provider。 +- - 加载provider的路径默认为空,如果没有设置加载路径,那么将会根据运行环境中dlopen函数的当前特性从各个位置依次检索搜索provider。 +- - 目前openhitls自带的算法库会被加载进一个启动时初始化的全局库上下文中,当加载、卸载以及查找provider时,如果传入的libCtx为NULL,那么会使用该全局库上下文。 +-- **使用示例**: +- ```c +- ... +- // 创建库上下文 +- CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); +- assert(libCtx != NULL); +- +- // 设置 Provider 加载路径 +- int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); +- assert(ret == CRYPT_SUCCESS); +- +- // 加载 Provider +- CRYPT_EAL_ProvMgrCtx *mgrCtx = NULL; +- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_SO, "provider_name", NULL, &mgrCtx); +- assert(ret == CRYPT_SUCCESS); +- +- ... +- +- // 卸载 Provider +- ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); +- assert(ret == CRYPT_SUCCESS); +- +- // 释放库上下文 +- CRYPT_EAL_LibCtxFree(libCtx); +- ... +- ``` +- +---- +- +-### 3.2 属性查询和provider打分机制 +- +-- **属性机制**: +- 在查询算法时,首先会查找符合算法ID的算法数组,如果用户输入的查找字符串不为NULL,则还会根据查找字符串选择所有加载provider中最匹配的算法。 +- 供查找的provider算法属性值由name和value组成,name和value之间用`=`分隔,多组属性之间用`,`分隔。在provider中,每个算法可以根据实现目的定义一组或多组属性,甚至同一个算法,可以有不同实现(通过属性区分)。 +-- **provider打分机制**: +- 查询可以由多个查询语句组成,每个语句中之间用`,`分隔,语句中的name和value之间用以下`判断字符`分隔: +- - `=`: 必须相等,属于强制条件。 +- - `!=`: 必须不相等,属于强制条件。 +- - `?`: 可选条件,如果value匹配,优先选择,每满足一个问号,得分会+1。 +- +- 查询时强制条件必须满足,在此基础上,根据可选条件选择最匹配的,如果最匹配实现有多个选择,随机返回一个。 +- 查询时允许各组语句重复,强制条件重复对结果无影响。可选条件重复,相当于满足该条件的得分由1分变为重复个数的分数。 +-- **使用示例**: +- ```c +- ... +- // 属性字符串可以为NILL,会根据算法ID查找 +- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx); +- assert(ret == CRYPT_SUCCESS); +- ... +- // 属性字符串不为NULL时,根据匹配规则查找 +- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,type=hash,version=1.0", &funcs, &provCtx); +- assert(ret == CRYPT_SUCCESS); +- ... +- // 属性字符串涉及provider打分机制 +- ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,feature?attr_good,feature?attr_good,feature?attr_bad", &funcs, &provCtx); +- assert(ret == CRYPT_SUCCESS); +- ... +- // 实际使用时推荐使用eal层各类算法对外的包装接口,会自动进行查找算法并调用算法进行初始化等工作。 +- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_MD5, "provider=no_hitls,type=hash"); +- assert(ctx != NULL); +- ... +- ``` +- +---- +- +-## 4. provider构建说明 +- +-该部分涉及的各类命令以及函数原型的完整内容定义在`crypt_eal_implprovider.h`头文件中。 +- +-### 4.1 初始化函数 +- +-对每个provider,需要实现名为`CRYPT_EAL_ProviderInit`的初始化函数,该初始化函数会在加载provider时被调用: +-- **函数原型**: +- ```c +- int32_t CRYPT_EAL_ProviderInit( +- CRYPT_EAL_ProvMgrCtx *mgrCtx, +- BSL_Param *param, +- CRYPT_EAL_Func *capFuncs, +- CRYPT_EAL_Func **outFuncs, +- void **provCtx +- ); +- ``` +- - **参数**: +- - `mgrCtx`:[in] Provider 管理上下文。 +- - `param`:[in] 初始化 Provider 时的附加参数。 +- - `capFuncs`:[in] 由管理框架输入的算法数组指针,目前支持让用户可以选择使用HITLS提供的默认熵源。 +- - `outFuncs`:[out] provider对外提供的算法数组指针,详情见下文。 +- - `provCtx`:[out] provider私有结构体,如需要可用于在provider管理上下文中保存一些私有数据,操作详情见下文,可选。 +- - **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 +- +-- **`outFuncs`数组说明**: +-该数组用于传出provider对外提供的三种算法数组,其中**算法查询函数必须返回**,其他两个函数可选: +- - **算法查询函数**:该函数用于在查找算法时,根据传入的算法类别,获取provider对外提供的整个算法类别的方法数组: +- **`typedef int32_t (*)(void *provCtx, int32_t operaId, CRYPT_EAL_AlgInfo **algInfos);`** +- - **参数**: +- - `provCtx`:[in] provider私有结构体,可选。 +- - `operaId`:[in] 算法类别ID。 +- - `algInfos`:[out] 该算法类别下所有算法的数组指针,数组中当算法ID为0时表示结束。 +- - **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 +- - **provCtx控制函数**:如果provider使用了provCtx,则该函数用于对其进行控制,该函数可以通过`CRYPT_EAL_ProviderCtrl`函数进行调用。 +- **`typedef int32_t (*)(void *provCtx, int32_t cmd, void *val, uint32_t valLen);`** +- - **参数**:略 +- - **返回值**:略 +- - **provCtx释放函数**:如果provider使用了provCtx,则该函数用于释放provCtx,该函数会在释放资源时被调用。 +- **`typedef void (*)(void *provCtx);`** +- - **参数**: +- - ·`provCtx`:[in] provider私有结构体。 +- - **返回值**:无。 +- +---- +- +-### 4.2 provider构建示例 +- +-- **初始化函数示例**: +-```c +-static CRYPT_EAL_Func defProvOutFuncs[] = { +- {CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery}, +- {CRYPT_EAL_PROVCB_FREE, NULL}, +- {CRYPT_EAL_PROVCB_CTRL, NULL}, +- CRYPT_EAL_FUNC_END +-}; +- +-int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, +- BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx) +-{ +- CRYPT_RandSeedMethod entroy = {0}; +- CRYPT_EAL_ProvMgrCtrlCb mgrCtrl = NULL; +- int32_t index = 0; +- while (capFuncs[index].id != 0) { +- switch (capFuncs[index].id) { +- case CRYPT_EAL_CAP_GETENTROPY: +- entroy.getEntropy = capFuncs[index].func; +- break; +- case CRYPT_EAL_CAP_CLEANENTROPY: +- entroy.cleanEntropy = capFuncs[index].func; +- break; +- case CRYPT_EAL_CAP_GETNONCE: +- entroy.getNonce = capFuncs[index].func; +- break; +- case CRYPT_EAL_CAP_CLEANNONCE: +- entroy.cleanNonce = capFuncs[index].func; +- break; +- case CRYPT_EAL_CAP_MGRCTXCTRL: +- mgrCtrl = capFuncs[index].func; +- break; +- default: +- return CRYPT_PROVIDER_ERR_UNEXPECTED_IMPL; +- } +- index++; +- } +- void *seedCtx = NULL; +- void *libCtx = NULL; +- if (entroy.getEntropy == NULL || entroy.cleanEntropy == NULL || entroy.getNonce == NULL || +- entroy.cleanNonce == NULL || mgrCtrl == NULL) { +- return CRYPT_NULL_INPUT; +- } +- int32_t ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETSEEDCTX, &seedCtx, 0); +- if (ret != CRYPT_SUCCESS) { +- return ret; +- } +- ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETLIBCTX, &libCtx, 0); +- if (ret != CRYPT_SUCCESS) { +- return ret; +- } +- CRYPT_Data entropy = {NULL, 0}; +- CRYPT_Range entropyRange = {32, 2147483632}; +- ret = entroy.getEntropy(seedCtx, &entropy, 256, &entropyRange); +- if (ret != CRYPT_SUCCESS) { +- return CRYPT_DRBG_FAIL_GET_ENTROPY; +- } +- entroy.cleanEntropy(seedCtx, &entropy); +- // check libCtx +- if (param != NULL) { +- if (param[0].value != libCtx) { +- return CRYPT_INVALID_ARG; +- } +- } +- *outFuncs = defProvOutFuncs; +- return 0; +-} +-``` +-- **算法查询函数示例**: +-```c +-const CRYPT_EAL_Func defMdMd5[] = { +- {CRYPT_EAL_IMPLMD_NEWCTX, ...}, +- {CRYPT_EAL_IMPLMD_INITCTX, ...}, +- {CRYPT_EAL_IMPLMD_UPDATE, ...}, +- {CRYPT_EAL_IMPLMD_FINAL, ...}, +- {CRYPT_EAL_IMPLMD_DEINITCTX, ...}, +- {CRYPT_EAL_IMPLMD_DUPCTX, ...}, +- {CRYPT_EAL_IMPLMD_CTRL, ...}, +- {CRYPT_EAL_IMPLMD_FREECTX, ...}, +- CRYPT_EAL_FUNC_END, +-}; +- +-static const CRYPT_EAL_AlgInfo defMds[] = { +- ... +- {CRYPT_MD_MD5, defMdMd5, "attr1=temp_attr1,attr2=temp_attr2"}, +- ... +- CRYPT_EAL_ALGINFO_END +-}; +- +-static int32_t CRYPT_EAL_DefaultProvQuery(void *provCtx, int32_t operaId, const CRYPT_EAL_AlgInfo **algInfos) +-{ +- (void) provCtx; +- int32_t ret = CRYPT_SUCCESS; +- switch (operaId) { +- ... +- case CRYPT_EAL_OPERAID_HASH: +- *algInfos = defMds; +- break; +- ... +- default: +- ret = CRYPT_NOT_SUPPORT; +- break; +- } +- return ret; +-} +-``` +- +---- +- +-## 5. 综合使用示例 +- +-```c +-#include "bsl_sal.h" +-#include "crypt_eal_provider.h" +-#include "crypt_eal_implprovider.h" +-#include "crypt_eal_md.h" +- +-/* 调用SM3 算法 */ +- +-int main() { +- +------------------------------------------------------------------------------------------------------- +- +-// 调用hitls自带的算法库初始化方式: +- // 步骤 1:调用eal层的md对外接口直接进行初始化 +- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "provider=default"); +- ASSERT_TRUE(ctx != NULL); +- +------------------------------------------------ +- +-// 在第三方provider中寻找匹配的算法库并初始化方式: +- // 步骤 1:创建库上下文 +- CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); +- ASSERT_TRUE(libCtx != NULL); +- +- // 步骤 2:设置 Provider 加载路径 +- int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); +- ASSERT_TRUE(ret == CRYPT_SUCCESS); +- +- // 步骤 3:加载 Provider +- ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); +- ASSERT_TRUE(ret == CRYPT_SUCCESS); +- +- // 步骤 4:调用eal层的md对外接口直接进行初始化 +- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); +- ASSERT_TRUE(ctx != NULL); +- +------------------------------------------------ +- +-// 第三方provider和hitls提供的算法库混合使用的场景,寻找匹配的算法库并初始化方式: +- // 步骤 1:设置 Provider 加载路径 +- int ret = CRYPT_EAL_ProviderSetLoadPath(NULL, "/path/to/providers"); +- ASSERT_TRUE(ret == CRYPT_SUCCESS); +- +- // 步骤 2:加载 Provider +- ret = CRYPT_EAL_ProviderLoad(NULL, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); +- ASSERT_TRUE(ret == CRYPT_SUCCESS); +- +- // 步骤 3:调用eal层的md对外接口直接进行初始化 +- CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); +- ASSERT_TRUE(ctx != NULL); +- +------------------------------------------------------------------------------------------------------- +- +-// 初始化后可进行一系列的算法操作: +- ASSERT_EQ(CRYPT_EAL_MdInit(ctx), CRYPT_SUCCESS); +- ASSERT_EQ(CRYPT_EAL_MdUpdate(ctx, msg->x, msg->len), CRYPT_SUCCESS); +- ASSERT_EQ(CRYPT_EAL_MdFinal(ctx, output, &outLen), CRYPT_SUCCESS); +- +------------------------------------------------------------------------------------------------------- +- +-// 如果初始化时创建了库上下文或者加载了第三方provider,则需要进行释放 +- // 卸载 Provider +- ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); +- ASSERT_TRUE(ret == CRYPT_SUCCESS); +- +- // 释放库上下文 +- CRYPT_EAL_LibCtxFree(libCtx); +- +- return 0; +-} +-``` +\ No newline at end of file +-- +2.42.0.windows.2 + diff --git a/0009-add-github-action-for-openhitls-0.1-branch.patch b/0009-add-github-action-for-openhitls-0.1-branch.patch new file mode 100644 index 0000000..7c16e1f --- /dev/null +++ b/0009-add-github-action-for-openhitls-0.1-branch.patch @@ -0,0 +1,1001 @@ +From c049ec9279dbfdb128d3d5f8dc6755ed9eefb6ce Mon Sep 17 00:00:00 2001 +From: fly2x +Date: Sat, 7 Dec 2024 10:17:23 +0800 +Subject: [PATCH 09/10] add github action for openhitls-0.1 branch + +Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/94 +--- + .github/workflows/cmake-single-platform.yml | 2 +- + crypto/eal/src/eal_md.c | 2 - + .../4_provider Development Guide.md | 463 ++++++++++++++++++ + docs/index/index.md | 5 +- + ...00\345\217\221\346\214\207\345\215\227.md" | 458 +++++++++++++++++ + 5 files changed, 925 insertions(+), 5 deletions(-) + create mode 100644 docs/en/5_Developer Guide/4_provider Development Guide.md + create mode 100644 "docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" + +diff --git a/.github/workflows/cmake-single-platform.yml b/.github/workflows/cmake-single-platform.yml +index 470f3fd..d74295c 100644 +--- a/.github/workflows/cmake-single-platform.yml ++++ b/.github/workflows/cmake-single-platform.yml +@@ -4,7 +4,7 @@ name: CMake on a single platform + + on: + push: +- branches: [ "main" ] ++ branches: [ "main", "openhitls-0.1"] + pull_request: + branches: [ "main" ] + +diff --git a/crypto/eal/src/eal_md.c b/crypto/eal/src/eal_md.c +index 12ecf5f..7eb61d6 100644 +--- a/crypto/eal/src/eal_md.c ++++ b/crypto/eal/src/eal_md.c +@@ -232,7 +232,6 @@ int32_t CRYPT_EAL_MdCopyCtx(CRYPT_EAL_MdCTX *to, const CRYPT_EAL_MdCTX *from) + EAL_ERR_REPORT(CRYPT_EVENT_ERR, CRYPT_ALGO_MD, from->id, CRYPT_MEM_ALLOC_FAIL); + return CRYPT_MEM_ALLOC_FAIL; + } +- to->isProvider = from->isProvider; + *(EAL_MdUnitaryMethod *)to->method = *from->method; + to->data = data; + to->state = from->state; +@@ -270,7 +269,6 @@ CRYPT_EAL_MdCTX *CRYPT_EAL_MdDupCtx(const CRYPT_EAL_MdCTX *ctx) + BSL_SAL_FREE(newCtx); + return NULL; + } +- newCtx->isProvider = ctx->isProvider; + newCtx->method = method; + newCtx->state = ctx->state; + newCtx->id = ctx->id; +diff --git a/docs/en/5_Developer Guide/4_provider Development Guide.md b/docs/en/5_Developer Guide/4_provider Development Guide.md +new file mode 100644 +index 0000000..f750a4d +--- /dev/null ++++ b/docs/en/5_Developer Guide/4_provider Development Guide.md +@@ -0,0 +1,463 @@ ++# Provider Development Guide ++ ++This document serves as a development guide for OpenHiTLS providers, providing developers with interface introductions, key feature descriptions, and comprehensive usage examples. ++ ++## 1. Overview ++ ++The provider management framework in OpenHiTLS supports dynamic loading, management, and usage of cryptographic providers. Each "Provider" encapsulates a specific set of cryptographic operations and exposes them to external users through standardized interfaces. ++ ++### Core Concepts: ++- **Library Context (`CRYPT_EAL_LibCtx`)**: Manages the lifecycle and resources of all loaded providers. ++- **Provider Manager Context (`CRYPT_EAL_ProvMgrCtx`)**: Represents a single provider, including its loaded library handle and implemented functionalities. ++- **Functional Interfaces**: Standardized functions used for querying and invoking specific operations of providers. ++ ++--- ++ ++## 2. Interface Introduction ++ ++### 2.1 Library Context Management ++ ++#### **`CRYPT_EAL_LibCtxNew`** ++- **Description**: Creates a new library context for managing providers. ++- **Function Prototype**: ++ ```c ++ CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNew(void); ++ ``` ++- **Return Value**: A pointer to the newly created library context. ++ ++#### **`CRYPT_EAL_LibCtxFree`** ++- **Description**: Frees the library context and releases all associated resources. ++- **Function Prototype**: ++ ```c ++ void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx); ++ ``` ++- **Parameters**: ++ - `libCtx`: The library context to be freed. ++ ++--- ++ ++### 2.2 Path Configuration ++ ++#### **`CRYPT_EAL_ProviderSetLoadPath`** ++- **Description**: Configures the path for loading providers. ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderSetLoadPath( ++ CRYPT_EAL_LibCtx *libCtx, ++ const char *searchPath ++ ); ++ ``` ++- **Parameters**: ++ - `libCtx`: The library context. ++ - `searchPath`: The search path for providers. ++- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ ++--- ++ ++### 2.3 Provider Loading and Unloading ++ ++#### **`CRYPT_EAL_ProviderLoad`** ++- **Description**: Dynamically loads a provider and initializes it. ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderLoad( ++ CRYPT_EAL_LibCtx *libCtx, ++ BSL_SAL_ConverterCmd cmd, ++ const char *providerName, ++ BSL_Param *param, ++ CRYPT_EAL_ProvMgrCtx **mgrCtx ++ ); ++ ``` ++- **Parameters**: ++ - `libCtx`: The library context. ++ - `cmd`: The command specifying the library format (e.g., `.so`, `lib*.so`). ++ - `providerName`: The name of the provider to load. ++ - `param`: Additional parameters for provider initialization. ++ - `mgrCtx`: Output pointer to the provider manager context. If not `NULL`, the manager context of the loaded provider will be returned upon successful loading. ++- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ ++#### **`CRYPT_EAL_ProviderUnload`** ++- **Description**: Unloads the specified provider and releases associated resources. ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderUnload( ++ CRYPT_EAL_LibCtx *libCtx, ++ BSL_SAL_ConverterCmd cmd, ++ const char *providerName ++ ); ++ ``` ++- **Parameters**: ++ - `libCtx`: The library context. ++ - `cmd`: The command specifying the library format. ++ - `providerName`: The name of the provider to unload. ++- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ ++--- ++ ++### 2.4 Algorithm Query and Invocation ++ ++**EAL Layer Wrapper Interfaces**: ++ ++These interfaces wrap the provider's exposed APIs, automatically initializing algorithms after querying suitable algorithms. See the corresponding headers for each algorithm for more details. ++ ++- **Symmetric Interface: `CRYPT_EAL_ProviderCipherNewCtx`** ++- **Asymmetric Interface: `CRYPT_EAL_ProviderPkeyNewCtx`** ++- **KDF Interface: `CRYPT_EAL_ProviderKdfNewCtx`** ++- **MAC Interface: `CRYPT_EAL_ProviderMacNewCtx`** ++- **Message Digest Interface: `CRYPT_EAL_ProviderMdNewCtx`** ++- **Random Number Interfaces: `CRYPT_EAL_ProviderRandInitCtx`, `CRYPT_EAL_ProviderDrbgInitCtx`** ++ ++**Provider Layer Exposed Interfaces**: ++ ++#### **`CRYPT_EAL_ProviderGetFuncs`** ++- **Description**: Queries algorithms matching the criteria from all loaded providers. ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderGetFuncs( ++ CRYPT_EAL_LibCtx *libCtx, ++ int32_t operaId, ++ int32_t algId, ++ const char *attribute, ++ const CRYPT_EAL_Func **funcs, ++ void **provCtx ++ ); ++ ``` ++- **Parameters**: ++ - `libCtx`: The library context. ++ - `operaId`: Algorithm category ID (see "crypt_eal_implprovider.h"). ++ - `algId`: Algorithm ID (see "crypt_eal_implprovider.h"). ++ - `attribute`: Attribute string for filtering providers. ++ - `funcs`: Output pointer to an array of algorithms. ++ - `provCtx`: Optional parameter. If not `NULL`, it retrieves the `provCtx` from the provider manager context where the algorithm resides. ++- **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ ++#### **`CRYPT_EAL_ProviderCtrl`** ++- **Description**: Controls the `provCtx` in the provider manager context. ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderCtrl( ++ CRYPT_EAL_ProvMgrCtx *ctx, ++ int32_t cmd, ++ void *val, ++ uint32_t valLen ++ ); ++ ``` ++- **Parameters**: ++ - `ctx`: Provider manager context. ++ - `cmd`: Control command. ++ - `val`: The value associated with the command. ++ - `valLen`: The length of the value. ++ ++--- ++ ++## 3. Provider Management Module Usage Instructions ++ ++### 3.1 Loading and Unloading ++ ++- **Feature Descriptions**: ++ - Providers are uniquely identified by their names. Different providers must have unique names. Providers with the same name but located in different paths are treated as the same provider. ++ - The framework supports repeated loading and unloading of providers. Repeated loading does not create additional provider manager contexts. To remove a provider manager context from the library context, the number of unloads must match the number of loads. ++ - When releasing the library context, all loaded providers are automatically unloaded. ++ - The default provider loading path is empty. If no path is set, the framework searches for providers in various locations based on the runtime environment and the behavior of the `dlopen` function. ++ - Currently, OpenHiTLS's built-in algorithm library is loaded into a globally initialized library context during startup. If `libCtx` is `NULL` during provider loading, unloading, or searching, this global library context is used. ++ ++- **Usage Example**: ++ ```c ++ ... ++ // Create a library context ++ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); ++ assert(libCtx != NULL); ++ ++ // Set the provider loading path ++ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); ++ assert(ret == CRYPT_SUCCESS); ++ ++ // Load a provider ++ CRYPT_EAL_ProvMgrCtx *mgrCtx = NULL; ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_SO, "provider_name", NULL, &mgrCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ++ ... ++ ++ // Unload the provider ++ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); ++ assert(ret == CRYPT_SUCCESS); ++ ++ // Free the library context ++ CRYPT_EAL_LibCtxFree(libCtx); ++ ... ++ ``` ++ ++--- ++ ++### 3.2 Attribute Query and Provider Scoring Mechanism ++ ++- **Attribute Mechanism**: ++ When querying algorithms, the framework first searches for algorithms matching the algorithm ID. If the search string is not `NULL`, it further selects the best-matching algorithm from all loaded providers based on the search string. ++ Provider algorithm attributes are composed of a `name` and a `value`, separated by `=`. Multiple attributes are separated by `,`. Within a provider, each algorithm can define one or more sets of attributes based on its implementation purpose. Even the same algorithm can have different implementations distinguished by attributes. ++ ++- **Provider Scoring Mechanism**: ++ Queries can consist of multiple query statements, separated by `,`. Within a statement, `name` and `value` are separated by the following **comparison characters**: ++ - `=`: Must be equal (mandatory condition). ++ - `!=`: Must not be equal (mandatory condition). ++ - `?`: Optional condition. If `value` matches, it is prioritized. Each match adds +1 to the score. ++ ++ Mandatory conditions must be satisfied. Among providers that meet the mandatory conditions, the framework selects the best match based on optional conditions. If there are multiple best matches, one is randomly selected. ++ Repeated conditions are allowed within query statements: ++ - Repeated mandatory conditions have no effect. ++ - Repeated optional conditions increase the score proportionally. ++ ++- **Usage Example**: ++ ```c ++ ... ++ // Query with a NULL attribute string, searching by algorithm ID ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // Query with a non-NULL attribute string, matching based on rules ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,type=hash,version=1.0", &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // Query with provider scoring mechanism ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,feature?attr_good,feature?attr_good,feature?attr_bad", &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // For actual use, it is recommended to use EAL layer wrapping interfaces for each algorithm, ++ // which automatically locate and initialize the algorithm. ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_MD5, "provider=no_hitls,type=hash"); ++ assert(ctx != NULL); ++ ... ++ ``` ++ ++--- ++ ++## 4. Provider Construction Instructions ++ ++This section describes the commands and function prototypes, which are fully defined in the `crypt_eal_implprovider.h` header file. ++ ++### 4.1 Initialization Function ++ ++For each provider, an initialization function named `CRYPT_EAL_ProviderInit` must be implemented. This function is called when loading the provider: ++- **Function Prototype**: ++ ```c ++ int32_t CRYPT_EAL_ProviderInit( ++ CRYPT_EAL_ProvMgrCtx *mgrCtx, ++ BSL_Param *param, ++ CRYPT_EAL_Func *capFuncs, ++ CRYPT_EAL_Func **outFuncs, ++ void **provCtx ++ ); ++ ``` ++ - **Parameters**: ++ - `mgrCtx`: [in] Provider manager context. ++ - `param`: [in] Additional parameters for provider initialization. ++ - `capFuncs`: [in] Algorithm array pointer provided by the management framework, allowing users to optionally use HITLS's default entropy source. ++ - `outFuncs`: [out] Array pointer for algorithms exposed by the provider. Details are described below. ++ - `provCtx`: [out] Provider-specific structure. If needed, private data can be saved in the provider manager context. Details on its operation are below (optional). ++ - **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ ++- **Description of the `outFuncs` Array**: ++ This array is used to pass the three types of algorithm arrays provided by the provider. **The algorithm query function must be returned**, while the other two functions are optional: ++ - **Algorithm Query Function**: Used to retrieve the algorithm array provided by the provider based on the algorithm category during a search: ++ **`typedef int32_t (*)(void *provCtx, int32_t operaId, CRYPT_EAL_AlgInfo **algInfos);`** ++ - **Parameters**: ++ - `provCtx`: [in] Provider-specific structure (optional). ++ - `operaId`: [in] Algorithm category ID. ++ - `algInfos`: [out] Pointer to the array of all algorithms under the category. The array ends when the algorithm ID is 0. ++ - **Return Value**: Returns `CRYPT_SUCCESS` on success, otherwise an error code. ++ - **`provCtx` Control Function**: If the provider uses `provCtx`, this function is used for its control. It can be invoked using the `CRYPT_EAL_ProviderCtrl` function. ++ **`typedef int32_t (*)(void *provCtx, int32_t cmd, void *val, uint32_t valLen);`** ++ - **Parameters**: Omitted. ++ - **Return Value**: Omitted. ++ - **`provCtx` Release Function**: If the provider uses `provCtx`, this function releases `provCtx`. It is called during resource release. ++ **`typedef void (*)(void *provCtx);`** ++ - **Parameters**: ++ - `provCtx`: [in] Provider-specific structure. ++ - **Return Value**: None. ++ ++--- ++ ++### 4.2 Provider Construction Example ++ ++- **Initialization Function Example**: ++```c ++static CRYPT_EAL_Func defProvOutFuncs[] = { ++ {CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery}, ++ {CRYPT_EAL_PROVCB_FREE, NULL}, ++ {CRYPT_EAL_PROVCB_CTRL, NULL}, ++ CRYPT_EAL_FUNC_END ++}; ++ ++int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, ++ BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx) ++{ ++ CRYPT_RandSeedMethod entroy = {0}; ++ CRYPT_EAL_ProvMgrCtrlCb mgrCtrl = NULL; ++ int32_t index = 0; ++ while (capFuncs[index].id != 0) { ++ switch (capFuncs[index].id) { ++ case CRYPT_EAL_CAP_GETENTROPY: ++ entroy.getEntropy = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_CLEANENTROPY: ++ entroy.cleanEntropy = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_GETNONCE: ++ entroy.getNonce = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_CLEANNONCE: ++ entroy.cleanNonce = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_MGRCTXCTRL: ++ mgrCtrl = capFuncs[index].func; ++ break; ++ default: ++ return CRYPT_PROVIDER_ERR_UNEXPECTED_IMPL; ++ } ++ index++; ++ } ++ void *seedCtx = NULL; ++ void *libCtx = NULL; ++ if (entroy.getEntropy == NULL || entroy.cleanEntropy == NULL || entroy.getNonce == NULL || ++ entroy.cleanNonce == NULL || mgrCtrl == NULL) { ++ return CRYPT_NULL_INPUT; ++ } ++ int32_t ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETSEEDCTX, &seedCtx, 0); ++ if (ret != CRYPT_SUCCESS) { ++ return ret; ++ } ++ ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETLIBCTX, &libCtx, 0); ++ if (ret != CRYPT_SUCCESS) { ++ return ret; ++ } ++ CRYPT_Data entropy = {NULL, 0}; ++ CRYPT_Range entropyRange = {32, 2147483632}; ++ ret = entroy.getEntropy(seedCtx, &entropy, 256, &entropyRange); ++ if (ret != CRYPT_SUCCESS) { ++ return CRYPT_DRBG_FAIL_GET_ENTROPY; ++ } ++ entroy.cleanEntropy(seedCtx, &entropy); ++ // check libCtx ++ if (param != NULL) { ++ if (param[0].value != libCtx) { ++ return CRYPT_INVALID_ARG; ++ } ++ } ++ *outFuncs = defProvOutFuncs; ++ return 0; ++} ++``` ++- **Algorithm query function example**: ++```c ++const CRYPT_EAL_Func defMdMd5[] = { ++ {CRYPT_EAL_IMPLMD_NEWCTX, ...}, ++ {CRYPT_EAL_IMPLMD_INITCTX, ...}, ++ {CRYPT_EAL_IMPLMD_UPDATE, ...}, ++ {CRYPT_EAL_IMPLMD_FINAL, ...}, ++ {CRYPT_EAL_IMPLMD_DEINITCTX, ...}, ++ {CRYPT_EAL_IMPLMD_DUPCTX, ...}, ++ {CRYPT_EAL_IMPLMD_CTRL, ...}, ++ {CRYPT_EAL_IMPLMD_FREECTX, ...}, ++ CRYPT_EAL_FUNC_END, ++}; ++ ++static const CRYPT_EAL_AlgInfo defMds[] = { ++ ... ++ {CRYPT_MD_MD5, defMdMd5, "attr1=temp_attr1,attr2=temp_attr2"}, ++ ... ++ CRYPT_EAL_ALGINFO_END ++}; ++ ++static int32_t CRYPT_EAL_DefaultProvQuery(void *provCtx, int32_t operaId, const CRYPT_EAL_AlgInfo **algInfos) ++{ ++ (void) provCtx; ++ int32_t ret = CRYPT_SUCCESS; ++ switch (operaId) { ++ ... ++ case CRYPT_EAL_OPERAID_HASH: ++ *algInfos = defMds; ++ break; ++ ... ++ default: ++ ret = CRYPT_NOT_SUPPORT; ++ break; ++ } ++ return ret; ++} ++``` ++ ++--- ++ ++## 5. Comprehensive Usage Example ++ ++```c ++#include "bsl_sal.h" ++#include "crypt_eal_provider.h" ++#include "crypt_eal_implprovider.h" ++#include "crypt_eal_md.h" ++ ++/* Using the SM3 algorithm */ ++ ++int main() { ++ ++------------------------------------------------------------------------------------------------------ ++ ++// Using the built-in HITLS algorithm library: ++ // Step 1: Directly initialize using EAL layer MD interface ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "provider=default"); ++ ASSERT_TRUE(ctx != NULL); ++ ++----------------------------------------------- ++ ++// Searching and initializing with a matching algorithm library in a third-party provider: ++ // Step 1: Create a library context ++ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); ++ ASSERT_TRUE(libCtx != NULL); ++ ++ // Step 2: Set the provider loading path ++ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // Step 3: Load the provider ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // Step 4: Directly initialize using EAL layer MD interface ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); ++ ASSERT_TRUE(ctx != NULL); ++ ++----------------------------------------------- ++ ++// Mixed usage of third-party providers and HITLS libraries: ++ // Step 1: Set the provider loading path ++ int ret = CRYPT_EAL_ProviderSetLoadPath(NULL, "/path/to/providers"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // Step 2: Load the provider ++ ret = CRYPT_EAL_ProviderLoad(NULL, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // Step 3: Directly initialize using EAL layer MD interface ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); ++ ASSERT_TRUE(ctx != NULL); ++ ++------------------------------------------------------------------------------------------------------ ++ ++// After initialization, a series of algorithm operations can be performed: ++ ASSERT_EQ(CRYPT_EAL_MdInit(ctx), CRYPT_SUCCESS); ++ ASSERT_EQ(CRYPT_EAL_MdUpdate(ctx, msg->x, msg->len), CRYPT_SUCCESS); ++ ASSERT_EQ(CRYPT_EAL_MdFinal(ctx, output, &outLen), CRYPT_SUCCESS); ++ ++------------------------------------------------------------------------------------------------------ ++ ++// If a library context was created or a third-party provider was loaded during initialization, they need to be released: ++ // Unload the provider ++ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // Free the library context ++ CRYPT_EAL_LibCtxFree(libCtx); ++ ++ return 0; ++} ++``` +\ No newline at end of file +diff --git a/docs/index/index.md b/docs/index/index.md +index 28ea2ae..412be81 100644 +--- a/docs/index/index.md ++++ b/docs/index/index.md +@@ -11,6 +11,7 @@ + | 7 | [加密完保应用开发指南](../zh/5_开发指南/1_加密完保应用开发指南.md) | [Encryption and Integrity Protection Application Development Guide](../en/5_Developer%20Guide/1_Encryption%20and%20Integrity%20Protection%20Application%20Development%20Guide.md) | + | 8 | [安全通信应用开发指南](../zh/5_开发指南/2_安全通信应用开发指南.md) | [Secure Communication Application Development Guide](../en/5_Developer%20Guide/2_Secure%20Communication%20Application%20Development%20Guide.md) | + | 9 | [API参考](../zh/5_开发指南/3_API参考.md) | [API Reference](../en/5_Developer%20Guide/3_API%20Reference.md) | +-| 10 | [术语列表](../zh/6_附录/1_术语列表.md) | [Terms](../en/6_Appendix/1_Terms.md) | +-| 11 | [修订记录](../zh/6_附录/2_修订记录.md) | [Change History](../en/6_Appendix/2_Change%20History.md) | ++| 10 | [provider开发指南](../zh/5_开发指南/4_provider开发指南.md) | [provider Development Guide](../en/5_Developer%20Guide/4_provider%20Development%20Guide.md) | ++| 11 | [术语列表](../zh/6_附录/1_术语列表.md) | [Terms](../en/6_Appendix/1_Terms.md) | ++| 12 | [修订记录](../zh/6_附录/2_修订记录.md) | [Change History](../en/6_Appendix/2_Change%20History.md) | + +diff --git "a/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" "b/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" +new file mode 100644 +index 0000000..4ae2b56 +--- /dev/null ++++ "b/docs/zh/5_\345\274\200\345\217\221\346\214\207\345\215\227/4_provider\345\274\200\345\217\221\346\214\207\345\215\227.md" +@@ -0,0 +1,458 @@ ++# Provider 开发指南 ++ ++本文档是 OpenHiTLS Provider 的开发指南,为开发人员提供接口介绍、关键特性说明以及综合使用示例。 ++ ++## 1. 概述 ++ ++OpenHiTLS 的 Provider 管理框架支持动态加载、管理和使用加密 Provider。每个 "Provider" 封装了一组特定的加密操作,通过标准化接口向外部用户暴露。 ++ ++### 核心概念: ++- **库上下文(Library Context,`CRYPT_EAL_LibCtx`)**:用于管理所有加载的 Provider 的生命周期和资源。 ++- **Provider 管理上下文(Provider Manager Context,`CRYPT_EAL_ProvMgrCtx`)**:表示单个 Provider,包括其加载库句柄和功能实现。 ++- **功能接口(Functional Interfaces)**:标准化的函数,用于查询和调用 Provider 的具体操作。 ++ ++--- ++ ++## 2. 接口介绍 ++ ++### 2.1 库上下文管理 ++ ++#### **`CRYPT_EAL_LibCtxNew`** ++- **描述**:创建一个新的库上下文,用于管理 Provider。 ++- **函数原型**: ++ ```c ++ CRYPT_EAL_LibCtx *CRYPT_EAL_LibCtxNew(void); ++ ``` ++- **返回值**:指向新创建的库上下文的指针。 ++ ++#### **`CRYPT_EAL_LibCtxFree`** ++- **描述**:释放库上下文,并释放所有相关资源。 ++- **函数原型**: ++ ```c ++ void CRYPT_EAL_LibCtxFree(CRYPT_EAL_LibCtx *libCtx); ++ ``` ++- **参数**: ++ - `libCtx`:需要释放的库上下文。 ++ ++--- ++ ++### 2.2 路径配置 ++ ++#### **`CRYPT_EAL_ProviderSetLoadPath`** ++- **描述**:配置加载 Provider 的路径。 ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderSetLoadPath( ++ CRYPT_EAL_LibCtx *libCtx, ++ const char *searchPath ++ ); ++ ``` ++- **参数**: ++ - `libCtx`:库上下文。 ++ - `searchPath`:Provider 的搜索路径。 ++- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ ++--- ++ ++### 2.3 Provider 加载与卸载 ++ ++#### **`CRYPT_EAL_ProviderLoad`** ++- **描述**:动态加载一个 Provider,并完成初始化。 ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderLoad( ++ CRYPT_EAL_LibCtx *libCtx, ++ BSL_SAL_ConverterCmd cmd, ++ const char *providerName, ++ BSL_Param *param, ++ CRYPT_EAL_ProvMgrCtx **mgrCtx ++ ); ++ ``` ++- **参数**: ++ - `libCtx`:库上下文。 ++ - `cmd`:指定库格式的命令(例如 `.so` 或 `lib*.so`)。 ++ - `providerName`:要加载的 Provider 名称。 ++ - `param`:初始化 Provider 时的附加参数。 ++ - `mgrCtx`:输出的 Provider 管理上下文指针,如果不为NULL,那么将会在加载成功后返回对应provider的管理上下文(CRYPT_EAL_ProvMgrCtx)。 ++- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ ++#### **`CRYPT_EAL_ProviderUnload`** ++- **描述**:卸载指定的 Provider,并释放相关资源。 ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderUnload( ++ CRYPT_EAL_LibCtx *libCtx, ++ BSL_SAL_ConverterCmd cmd, ++ const char *providerName ++ ); ++ ``` ++- **参数**: ++ - `libCtx`:库上下文。 ++ - `cmd`:指定库格式的命令。 ++ - `providerName`:要卸载的 Provider 名称。 ++- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ ++--- ++ ++### 2.4 算法查询与调用 ++ ++**eal层对外包装接口**: ++ ++该部分接口会包装provider对外接口,在查询到适配的算法后自动调用算法进行初始化工作,详见各类算法的对外头文件。 ++ ++- **对称接口:`CRYPT_EAL_ProviderCipherNewCtx`** ++- **非对称接口:`CRYPT_EAL_ProviderPkeyNewCtx`** ++- **kdf接口:`CRYPT_EAL_ProviderKdfNewCtx`** ++- **mac接口:`CRYPT_EAL_ProviderMacNewCtx`** ++- **md接口:`CRYPT_EAL_ProviderMdNewCtx`** ++- **随机数接口:`CRYPT_EAL_ProviderRandInitCtx`、`CRYPT_EAL_ProviderDrbgInitCtx`** ++ ++ ++**provider底层对外接口**: ++ ++#### **`CRYPT_EAL_ProviderGetFuncs`** ++- **描述**:从所有加载的provider中查询符合要求的算法。 ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderGetFuncs( ++ CRYPT_EAL_LibCtx *libCtx, ++ int32_t operaId, ++ int32_t algId, ++ const char *attribute, ++ const CRYPT_EAL_Func **funcs, ++ void **provCtx ++ ); ++ ``` ++- **参数**: ++ - `libCtx`:库上下文。 ++ - `operaId`:算法类别 ID(详见”crypt_eal_implprovider.h“文件)。 ++ - `algId`:算法 ID (详见”crypt_eal_implprovider.h“文件)。 ++ - `attribute`:用于筛选 Provider 的属性字符串。 ++ - `funcs`:输出的算法数组指针。 ++ - `provCtx`:可选参数,如果不为NULL会获得该算法所在provider管理上下文中的provCtx。 ++- **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ ++#### **`CRYPT_EAL_ProviderCtrl`** ++- **描述**:控制 Provider 管理上下文中的provCtx。 ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderCtrl( ++ CRYPT_EAL_ProvMgrCtx *ctx, ++ int32_t cmd, ++ void *val, ++ uint32_t valLen ++ ); ++ ``` ++- **参数**: ++ - `ctx`:Provider 管理上下文。 ++ - `cmd`:控制命令。 ++ - `val`:与命令相关的值。 ++ - `valLen`:值的长度。 ++ ++--- ++ ++## 3. provider管理模块使用说明 ++ ++### 3.1 加载与卸载 ++ ++- **特性说明**: ++ - provider以名称为唯一标识符,不同的provider要求具有不同的名称,不同路径相同名称的provider会被视为相同的provider。 ++ - 支持重复加载和卸载provider,重复加载时并不会额外创建provider管理上下文,卸载的次数需要与加载的次数相同才能将库上下文中的provider管理上下文删除。 ++ - 在释放库上下文时,会自动卸载所有加载的provider。 ++ - 加载provider的路径默认为空,如果没有设置加载路径,那么将会根据运行环境中dlopen函数的当前特性从各个位置依次检索搜索provider。 ++ - 目前openhitls自带的算法库会被加载进一个启动时初始化的全局库上下文中,当加载、卸载以及查找provider时,如果传入的libCtx为NULL,那么会使用该全局库上下文。 ++- **使用示例**: ++ ```c ++ ... ++ // 创建库上下文 ++ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); ++ assert(libCtx != NULL); ++ ++ // 设置 Provider 加载路径 ++ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); ++ assert(ret == CRYPT_SUCCESS); ++ ++ // 加载 Provider ++ CRYPT_EAL_ProvMgrCtx *mgrCtx = NULL; ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_CONVERTER_SO, "provider_name", NULL, &mgrCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ++ ... ++ ++ // 卸载 Provider ++ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); ++ assert(ret == CRYPT_SUCCESS); ++ ++ // 释放库上下文 ++ CRYPT_EAL_LibCtxFree(libCtx); ++ ... ++ ``` ++ ++--- ++ ++### 3.2 属性查询和provider打分机制 ++ ++- **属性机制**: ++ 在查询算法时,首先会查找符合算法ID的算法数组,如果用户输入的查找字符串不为NULL,则还会根据查找字符串选择所有加载provider中最匹配的算法。 ++ 供查找的provider算法属性值由name和value组成,name和value之间用`=`分隔,多组属性之间用`,`分隔。在provider中,每个算法可以根据实现目的定义一组或多组属性,甚至同一个算法,可以有不同实现(通过属性区分)。 ++- **provider打分机制**: ++ 查询可以由多个查询语句组成,每个语句中之间用`,`分隔,语句中的name和value之间用以下`判断字符`分隔: ++ - `=`: 必须相等,属于强制条件。 ++ - `!=`: 必须不相等,属于强制条件。 ++ - `?`: 可选条件,如果value匹配,优先选择,每满足一个问号,得分会+1。 ++ ++ 查询时强制条件必须满足,在此基础上,根据可选条件选择最匹配的,如果最匹配实现有多个选择,随机返回一个。 ++ 查询时允许各组语句重复,强制条件重复对结果无影响。可选条件重复,相当于满足该条件的得分由1分变为重复个数的分数。 ++- **使用示例**: ++ ```c ++ ... ++ // 属性字符串可以为NILL,会根据算法ID查找 ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, NULL, &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // 属性字符串不为NULL时,根据匹配规则查找 ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,type=hash,version=1.0", &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // 属性字符串涉及provider打分机制 ++ ret = CRYPT_EAL_ProviderGetFuncs(libCtx, CRYPT_EAL_OPERAID_HASH, CRYPT_MD_MD5, "name=md5,feature?attr_good,feature?attr_good,feature?attr_bad", &funcs, &provCtx); ++ assert(ret == CRYPT_SUCCESS); ++ ... ++ // 实际使用时推荐使用eal层各类算法对外的包装接口,会自动进行查找算法并调用算法进行初始化等工作。 ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_MD5, "provider=no_hitls,type=hash"); ++ assert(ctx != NULL); ++ ... ++ ``` ++ ++--- ++ ++## 4. provider构建说明 ++ ++该部分涉及的各类命令以及函数原型的完整内容定义在`crypt_eal_implprovider.h`头文件中。 ++ ++### 4.1 初始化函数 ++ ++对每个provider,需要实现名为`CRYPT_EAL_ProviderInit`的初始化函数,该初始化函数会在加载provider时被调用: ++- **函数原型**: ++ ```c ++ int32_t CRYPT_EAL_ProviderInit( ++ CRYPT_EAL_ProvMgrCtx *mgrCtx, ++ BSL_Param *param, ++ CRYPT_EAL_Func *capFuncs, ++ CRYPT_EAL_Func **outFuncs, ++ void **provCtx ++ ); ++ ``` ++ - **参数**: ++ - `mgrCtx`:[in] Provider 管理上下文。 ++ - `param`:[in] 初始化 Provider 时的附加参数。 ++ - `capFuncs`:[in] 由管理框架输入的算法数组指针,目前支持让用户可以选择使用HITLS提供的默认熵源。 ++ - `outFuncs`:[out] provider对外提供的算法数组指针,详情见下文。 ++ - `provCtx`:[out] provider私有结构体,如需要可用于在provider管理上下文中保存一些私有数据,操作详情见下文,可选。 ++ - **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ ++- **`outFuncs`数组说明**: ++该数组用于传出provider对外提供的三种算法数组,其中**算法查询函数必须返回**,其他两个函数可选: ++ - **算法查询函数**:该函数用于在查找算法时,根据传入的算法类别,获取provider对外提供的整个算法类别的方法数组: ++ **`typedef int32_t (*)(void *provCtx, int32_t operaId, CRYPT_EAL_AlgInfo **algInfos);`** ++ - **参数**: ++ - `provCtx`:[in] provider私有结构体,可选。 ++ - `operaId`:[in] 算法类别ID。 ++ - `algInfos`:[out] 该算法类别下所有算法的数组指针,数组中当算法ID为0时表示结束。 ++ - **返回值**:成功返回 `CRYPT_SUCCESS`,否则返回错误代码。 ++ - **provCtx控制函数**:如果provider使用了provCtx,则该函数用于对其进行控制,该函数可以通过`CRYPT_EAL_ProviderCtrl`函数进行调用。 ++ **`typedef int32_t (*)(void *provCtx, int32_t cmd, void *val, uint32_t valLen);`** ++ - **参数**:略 ++ - **返回值**:略 ++ - **provCtx释放函数**:如果provider使用了provCtx,则该函数用于释放provCtx,该函数会在释放资源时被调用。 ++ **`typedef void (*)(void *provCtx);`** ++ - **参数**: ++ - ·`provCtx`:[in] provider私有结构体。 ++ - **返回值**:无。 ++ ++--- ++ ++### 4.2 provider构建示例 ++ ++- **初始化函数示例**: ++```c ++static CRYPT_EAL_Func defProvOutFuncs[] = { ++ {CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery}, ++ {CRYPT_EAL_PROVCB_FREE, NULL}, ++ {CRYPT_EAL_PROVCB_CTRL, NULL}, ++ CRYPT_EAL_FUNC_END ++}; ++ ++int32_t CRYPT_EAL_ProviderInit(CRYPT_EAL_ProvMgrCtx *mgrCtx, ++ BSL_Param *param, CRYPT_EAL_Func *capFuncs, CRYPT_EAL_Func **outFuncs, void **provCtx) ++{ ++ CRYPT_RandSeedMethod entroy = {0}; ++ CRYPT_EAL_ProvMgrCtrlCb mgrCtrl = NULL; ++ int32_t index = 0; ++ while (capFuncs[index].id != 0) { ++ switch (capFuncs[index].id) { ++ case CRYPT_EAL_CAP_GETENTROPY: ++ entroy.getEntropy = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_CLEANENTROPY: ++ entroy.cleanEntropy = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_GETNONCE: ++ entroy.getNonce = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_CLEANNONCE: ++ entroy.cleanNonce = capFuncs[index].func; ++ break; ++ case CRYPT_EAL_CAP_MGRCTXCTRL: ++ mgrCtrl = capFuncs[index].func; ++ break; ++ default: ++ return CRYPT_PROVIDER_ERR_UNEXPECTED_IMPL; ++ } ++ index++; ++ } ++ void *seedCtx = NULL; ++ void *libCtx = NULL; ++ if (entroy.getEntropy == NULL || entroy.cleanEntropy == NULL || entroy.getNonce == NULL || ++ entroy.cleanNonce == NULL || mgrCtrl == NULL) { ++ return CRYPT_NULL_INPUT; ++ } ++ int32_t ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETSEEDCTX, &seedCtx, 0); ++ if (ret != CRYPT_SUCCESS) { ++ return ret; ++ } ++ ret = mgrCtrl(mgrCtx, CRYPT_EAL_MGR_GETLIBCTX, &libCtx, 0); ++ if (ret != CRYPT_SUCCESS) { ++ return ret; ++ } ++ CRYPT_Data entropy = {NULL, 0}; ++ CRYPT_Range entropyRange = {32, 2147483632}; ++ ret = entroy.getEntropy(seedCtx, &entropy, 256, &entropyRange); ++ if (ret != CRYPT_SUCCESS) { ++ return CRYPT_DRBG_FAIL_GET_ENTROPY; ++ } ++ entroy.cleanEntropy(seedCtx, &entropy); ++ // check libCtx ++ if (param != NULL) { ++ if (param[0].value != libCtx) { ++ return CRYPT_INVALID_ARG; ++ } ++ } ++ *outFuncs = defProvOutFuncs; ++ return 0; ++} ++``` ++- **算法查询函数示例**: ++```c ++const CRYPT_EAL_Func defMdMd5[] = { ++ {CRYPT_EAL_IMPLMD_NEWCTX, ...}, ++ {CRYPT_EAL_IMPLMD_INITCTX, ...}, ++ {CRYPT_EAL_IMPLMD_UPDATE, ...}, ++ {CRYPT_EAL_IMPLMD_FINAL, ...}, ++ {CRYPT_EAL_IMPLMD_DEINITCTX, ...}, ++ {CRYPT_EAL_IMPLMD_DUPCTX, ...}, ++ {CRYPT_EAL_IMPLMD_CTRL, ...}, ++ {CRYPT_EAL_IMPLMD_FREECTX, ...}, ++ CRYPT_EAL_FUNC_END, ++}; ++ ++static const CRYPT_EAL_AlgInfo defMds[] = { ++ ... ++ {CRYPT_MD_MD5, defMdMd5, "attr1=temp_attr1,attr2=temp_attr2"}, ++ ... ++ CRYPT_EAL_ALGINFO_END ++}; ++ ++static int32_t CRYPT_EAL_DefaultProvQuery(void *provCtx, int32_t operaId, const CRYPT_EAL_AlgInfo **algInfos) ++{ ++ (void) provCtx; ++ int32_t ret = CRYPT_SUCCESS; ++ switch (operaId) { ++ ... ++ case CRYPT_EAL_OPERAID_HASH: ++ *algInfos = defMds; ++ break; ++ ... ++ default: ++ ret = CRYPT_NOT_SUPPORT; ++ break; ++ } ++ return ret; ++} ++``` ++ ++--- ++ ++## 5. 综合使用示例 ++ ++```c ++#include "bsl_sal.h" ++#include "crypt_eal_provider.h" ++#include "crypt_eal_implprovider.h" ++#include "crypt_eal_md.h" ++ ++/* 调用SM3 算法 */ ++ ++int main() { ++ ++------------------------------------------------------------------------------------------------------ ++ ++// 调用hitls自带的算法库初始化方式: ++ // 步骤 1:调用eal层的md对外接口直接进行初始化 ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "provider=default"); ++ ASSERT_TRUE(ctx != NULL); ++ ++----------------------------------------------- ++ ++// 在第三方provider中寻找匹配的算法库并初始化方式: ++ // 步骤 1:创建库上下文 ++ CRYPT_EAL_LibCtx *libCtx = CRYPT_EAL_LibCtxNew(); ++ ASSERT_TRUE(libCtx != NULL); ++ ++ // 步骤 2:设置 Provider 加载路径 ++ int ret = CRYPT_EAL_ProviderSetLoadPath(libCtx, "/path/to/providers"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // 步骤 3:加载 Provider ++ ret = CRYPT_EAL_ProviderLoad(libCtx, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // 步骤 4:调用eal层的md对外接口直接进行初始化 ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(libCtx, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); ++ ASSERT_TRUE(ctx != NULL); ++ ++----------------------------------------------- ++ ++// 第三方provider和hitls提供的算法库混合使用的场景,寻找匹配的算法库并初始化方式: ++ // 步骤 1:设置 Provider 加载路径 ++ int ret = CRYPT_EAL_ProviderSetLoadPath(NULL, "/path/to/providers"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // 步骤 2:加载 Provider ++ ret = CRYPT_EAL_ProviderLoad(NULL, BSL_SAL_LIB_FMT_SO, "provider_name", NULL, NULL); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // 步骤 3:调用eal层的md对外接口直接进行初始化 ++ CRYPT_EAL_MdCTX *ctx = CRYPT_EAL_ProviderMdNewCtx(NULL, CRYPT_MD_SM3, "attr1=temp_attr1,attr2=temp_attr2"); ++ ASSERT_TRUE(ctx != NULL); ++ ++------------------------------------------------------------------------------------------------------ ++ ++// 初始化后可进行一系列的算法操作: ++ ASSERT_EQ(CRYPT_EAL_MdInit(ctx), CRYPT_SUCCESS); ++ ASSERT_EQ(CRYPT_EAL_MdUpdate(ctx, msg->x, msg->len), CRYPT_SUCCESS); ++ ASSERT_EQ(CRYPT_EAL_MdFinal(ctx, output, &outLen), CRYPT_SUCCESS); ++ ++------------------------------------------------------------------------------------------------------ ++ ++// 如果初始化时创建了库上下文或者加载了第三方provider,则需要进行释放 ++ // 卸载 Provider ++ ret = CRYPT_EAL_ProviderUnload(libCtx, BSL_SAL_CONVERTER_SO, "provider_name"); ++ ASSERT_TRUE(ret == CRYPT_SUCCESS); ++ ++ // 释放库上下文 ++ CRYPT_EAL_LibCtxFree(libCtx); ++ ++ return 0; ++} ++``` +\ No newline at end of file +-- +2.42.0.windows.2 + diff --git a/0010-Rename-get-time-cmd.patch b/0010-Rename-get-time-cmd.patch new file mode 100644 index 0000000..9fc9104 --- /dev/null +++ b/0010-Rename-get-time-cmd.patch @@ -0,0 +1,120 @@ +From 8c5c5defbf0f4b7536abfb41d6b1b6a24577672a Mon Sep 17 00:00:00 2001 +From: Ooohui +Date: Tue, 10 Dec 2024 20:39:42 +0800 +Subject: [PATCH 10/10] Rename get time cmd + +Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/97 +--- + include/pki/hitls_pki.h | 22 ++++++++++--------- + pki/x509_cert/src/hitls_x509_cert.c | 4 ++-- + .../pki/cert/test_suite_sdv_x509_cert.c | 4 ++-- + .../pki/common/test_suite_sdv_common.c | 4 ++-- + 4 files changed, 18 insertions(+), 16 deletions(-) + +diff --git a/include/pki/hitls_pki.h b/include/pki/hitls_pki.h +index a570e6d..de21f07 100644 +--- a/include/pki/hitls_pki.h ++++ b/include/pki/hitls_pki.h +@@ -77,8 +77,8 @@ typedef enum { + HITLS_X509_GET_SUBJECT_DN_STR, /** Get the subject distinguished name as a formatted string */ + HITLS_X509_GET_ISSUER_DN_STR, /** Get the issuer distinguished name as a formatted string */ + HITLS_X509_GET_SERIALNUM_STR, /** Get the serial number as a string */ +- HITLS_X509_GET_BEFORE_TIME, /** Get the validity start time as a string */ +- HITLS_X509_GET_AFTER_TIME, /** Get the validity end time as a string */ ++ HITLS_X509_GET_BEFORE_TIME_STR, /** Get the validity start time as a string */ ++ HITLS_X509_GET_AFTER_TIME_STR, /** Get the validity end time as a string */ + HITLS_X509_GET_SUBJECT_DN, /** Get the list of subject distinguished name components. + Note: The list is read-only and should not be modified. */ + HITLS_X509_GET_ISSUER_DN, /** Get the list of issuer distinguished name components. +@@ -86,6 +86,8 @@ typedef enum { + HITLS_X509_GET_VERSION, /** Get the version from cert or crl. */ + HITLS_X509_GET_REVOKELIST, /** Get the certficate revoke list from the crl. */ + HITLS_X509_GET_SERIALNUM, /** Get the serial number of the cert. */ ++ HITLS_X509_GET_BEFORE_TIME, /** Get the validity start time */ ++ HITLS_X509_GET_AFTER_TIME, /** Get the validity end time */ + + HITLS_X509_SET_VERSION = 0x0200, /** Set the version for the cert. */ + HITLS_X509_SET_SERIALNUM, /** Set the serial number for the cert, the length range is 1 to 20. */ +@@ -93,7 +95,7 @@ typedef enum { + HITLS_X509_SET_AFTER_TIME, /** Set the after time for the cert. */ + HITLS_X509_SET_PUBKEY, /** Set the public key for the cert/csr. */ + HITLS_X509_SET_SUBJECT_DN, /** Set the subject name list. */ +- HITLS_X509_SET_ISSUER_DN, /** Set the issuer name list. */ ++ HITLS_X509_SET_ISSUER_DN, /** Set the issuer name list. */ + HITLS_X509_SET_CSR_EXT, /** Replace the cert's ext with csr's */ + HITLS_X509_ADD_SUBJECT_NAME, /** Add the subject name for the cert/csr. */ + HITLS_X509_CRL_ADD_REVOKED_CERT, /** Add the revoke cert to crl. */ +@@ -103,13 +105,13 @@ typedef enum { + HITLS_X509_EXT_KU_CERTSIGN, /** Check if certificate signing usage is set in key usage extension */ + HITLS_X509_EXT_KU_KEYAGREEMENT, /** Check if key agreement usage is set in key usage extension */ + +- HITLS_X509_EXT_SET_SKI = 0x0400, /** Set the subject key identifier extension. */ +- HITLS_X509_EXT_SET_AKI, /** Set the authority key identifier extension. */ +- HITLS_X509_EXT_SET_KUSAGE, /** Set the key usage extension. */ +- HITLS_X509_EXT_SET_SAN, /** Set the subject alternative name extension. */ +- HITLS_X509_EXT_SET_BCONS, /** Set the basic constraints extension. */ +- HITLS_X509_EXT_SET_EXKUSAGE, /** Set the extended key usage extension. */ +- HITLS_X509_EXT_SET_CRLNUMBER, /** Set the crlnumber extension. */ ++ HITLS_X509_EXT_SET_SKI = 0x0400, /** Set the subject key identifier extension. */ ++ HITLS_X509_EXT_SET_AKI, /** Set the authority key identifier extension. */ ++ HITLS_X509_EXT_SET_KUSAGE, /** Set the key usage extension. */ ++ HITLS_X509_EXT_SET_SAN, /** Set the subject alternative name extension. */ ++ HITLS_X509_EXT_SET_BCONS, /** Set the basic constraints extension. */ ++ HITLS_X509_EXT_SET_EXKUSAGE, /** Set the extended key usage extension. */ ++ HITLS_X509_EXT_SET_CRLNUMBER, /** Set the crlnumber extension. */ + + HITLS_X509_EXT_GET_SKI = 0x0500, /** Get Subject Key Identifier from extensions. + Note: Kid is a shallow copy. */ +diff --git a/pki/x509_cert/src/hitls_x509_cert.c b/pki/x509_cert/src/hitls_x509_cert.c +index 707341b..38316c5 100644 +--- a/pki/x509_cert/src/hitls_x509_cert.c ++++ b/pki/x509_cert/src/hitls_x509_cert.c +@@ -616,9 +616,9 @@ static int32_t X509_CertGetCtrl(HITLS_X509_Cert *cert, int32_t cmd, void *val, i + return X509_GetSerialNumStr(cert, val); + case HITLS_X509_GET_SERIALNUM: + return HITLS_X509_GetSerial(&cert->tbs.serialNum, val, valLen); +- case HITLS_X509_GET_BEFORE_TIME: ++ case HITLS_X509_GET_BEFORE_TIME_STR: + return X509_GetAsn1BslTimeStr(cert, val, HITLS_X509_BEFORE_TIME); +- case HITLS_X509_GET_AFTER_TIME: ++ case HITLS_X509_GET_AFTER_TIME_STR: + return X509_GetAsn1BslTimeStr(cert, val, HITLS_X509_AFTER_TIME); + default: + BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM); +diff --git a/testcode/sdv/testcase/pki/cert/test_suite_sdv_x509_cert.c b/testcode/sdv/testcase/pki/cert/test_suite_sdv_x509_cert.c +index 51ae228..3d9dd6a 100644 +--- a/testcode/sdv/testcase/pki/cert/test_suite_sdv_x509_cert.c ++++ b/testcode/sdv/testcase/pki/cert/test_suite_sdv_x509_cert.c +@@ -483,12 +483,12 @@ void SDV_X509_CERT_CTRL_FUNC_TC002(char *path, char *expectedSerialNum, char *ex + ASSERT_EQ(serialNum.dataLen, strlen(expectedSerialNum)); + ASSERT_EQ(strcmp((char *)serialNum.data, expectedSerialNum), 0); + +- ASSERT_EQ(HITLS_X509_CertCtrl(cert, HITLS_X509_GET_BEFORE_TIME, &beforeTime, sizeof(BSL_Buffer)), 0); ++ ASSERT_EQ(HITLS_X509_CertCtrl(cert, HITLS_X509_GET_BEFORE_TIME_STR, &beforeTime, sizeof(BSL_Buffer)), 0); + ASSERT_NE(beforeTime.data, NULL); + ASSERT_EQ(beforeTime.dataLen, strlen(expectedBeforeTime)); + ASSERT_EQ(strcmp((char *)beforeTime.data, expectedBeforeTime), 0); + +- ASSERT_EQ(HITLS_X509_CertCtrl(cert, HITLS_X509_GET_AFTER_TIME, &afterTime, sizeof(BSL_Buffer)), 0); ++ ASSERT_EQ(HITLS_X509_CertCtrl(cert, HITLS_X509_GET_AFTER_TIME_STR, &afterTime, sizeof(BSL_Buffer)), 0); + ASSERT_NE(afterTime.data, NULL); + ASSERT_EQ (afterTime.dataLen, strlen(expectedAfterTime)); + ASSERT_EQ(strcmp((char *)afterTime.data, expectedAfterTime), 0); +diff --git a/testcode/sdv/testcase/pki/common/test_suite_sdv_common.c b/testcode/sdv/testcase/pki/common/test_suite_sdv_common.c +index 792ab2d..e741064 100644 +--- a/testcode/sdv/testcase/pki/common/test_suite_sdv_common.c ++++ b/testcode/sdv/testcase/pki/common/test_suite_sdv_common.c +@@ -194,8 +194,8 @@ void SDV_HITLS_X509_CtrlCert_TC001(void) + ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_SUBJECT_DN_STR, NULL, 0), HITLS_X509_ERR_INVALID_PARAM); + ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_ISSUER_DN_STR, NULL, 0), HITLS_X509_ERR_INVALID_PARAM); + ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_SERIALNUM, NULL, 0), HITLS_X509_ERR_INVALID_PARAM); +- ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_BEFORE_TIME, NULL, 0), HITLS_X509_ERR_INVALID_PARAM); +- ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_AFTER_TIME, NULL, 0), HITLS_X509_ERR_INVALID_PARAM); ++ ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_BEFORE_TIME_STR, NULL, 0), HITLS_X509_ERR_INVALID_PARAM); ++ ASSERT_EQ(HITLS_X509_CertCtrl(&cert, HITLS_X509_GET_AFTER_TIME_STR, NULL, 0), HITLS_X509_ERR_INVALID_PARAM); + exit: + BSL_GLOBAL_DeInit(); + } +-- +2.42.0.windows.2 + diff --git a/0011-fix-the-possible-CBC-Padding-Oracle-vulnerability.patch b/0011-fix-the-possible-CBC-Padding-Oracle-vulnerability.patch new file mode 100644 index 0000000..afa9ccb --- /dev/null +++ b/0011-fix-the-possible-CBC-Padding-Oracle-vulnerability.patch @@ -0,0 +1,374 @@ +From 24bd3dc68ea74c196b308e5407e662e70e5e9183 Mon Sep 17 00:00:00 2001 +From: Liu-Ermeng +Date: Mon, 9 Dec 2024 22:28:12 -0800 +Subject: [PATCH] fix the possible CBC Padding Oracle vulnerability + +Let the padding check and the cacluation to be constant-time, when +using CBC ciphersuite and using MtE(Mac-then-Encrypted) mode, to +resist possible time side channel attacks. + +references: +https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/ +https://www.isg.rhul.ac.uk/tls/TLStiming.pdf +https://www.imperialviolet.org/2013/02/04/luckythirteen.html + +Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/95 +--- + bsl/include/bsl_bytes.h | 27 +++- + tls/record/src/rec_crypto_cbc.c | 227 ++++++++++++++++++++++++++------ + 2 files changed, 206 insertions(+), 48 deletions(-) + +diff --git a/bsl/include/bsl_bytes.h b/bsl/include/bsl_bytes.h +index 378c84e..aea84dd 100644 +--- a/bsl/include/bsl_bytes.h ++++ b/bsl/include/bsl_bytes.h +@@ -201,20 +201,20 @@ static inline void BSL_Uint64ToByte(uint64_t num, uint8_t *data) + } + + // if a's MSB is 0, output 0 +-// else if a' MSB is 1 output x00ffffffff ++// else if a' MSB is 1 output 0xffffffff + static inline uint32_t Uint32ConstTimeMsb(uint32_t a) + { + // 31 == (4 * 8 - 1) + return 0u - (a >> 31); + } + +-// if a is 0, output x00ffffffff, else output 0 ++// if a is 0, output 0xffffffff, else output 0 + static inline uint32_t Uint32ConstTimeIsZero(uint32_t a) + { + return Uint32ConstTimeMsb(~a & (a - 1)); + } + +-// if a == b, output x00ffffffff, else output 0 ++// if a == b, output 0xffffffff, else output 0 + static inline uint32_t Uint32ConstTimeEqual(uint32_t a, uint32_t b) + { + return Uint32ConstTimeIsZero(a ^ b); +@@ -232,24 +232,39 @@ static inline uint32_t Uint8ConstTimeSelect(uint32_t mask, uint8_t a, uint8_t b) + return (((mask) & a) | ((~mask) & b)) & 0xff; + } + +-// if a < b, output x00ffffffff, else output 0 ++// if a < b, output 0xffffffff, else output 0 + static inline uint32_t Uint32ConstTimeLt(uint32_t a, uint32_t b) + { + return Uint32ConstTimeMsb(a ^ ((a ^ b) | ((a - b) ^ a))); + } + +-// if a >= b, output x00ffffffff, else output 0 ++// if a >= b, output 0xffffffff, else output 0 + static inline uint32_t Uint32ConstTimeGe(uint32_t a, uint32_t b) + { + return ~Uint32ConstTimeLt(a, b); + } + +-// if a > b, output x00ffffffff, else output 0 ++// if a > b, output 0xffffffff, else output 0 + static inline uint32_t Uint32ConstTimeGt(uint32_t a, uint32_t b) + { + return Uint32ConstTimeLt(b, a); + } + ++static inline uint32_t Uint32ConstTimeLe(uint32_t a, uint32_t b) ++{ ++ return Uint32ConstTimeGe(b, a); ++} ++ ++// if a == b, return 0xffffffff, else return 0 ++static inline uint32_t ConstTimeMemcmp(uint8_t *a, uint8_t *b, uint32_t l) ++{ ++ uint8_t r = 0; ++ for (uint32_t i = 0; i < l; i++) { ++ r |= a[i] ^ b[i]; ++ } ++ return Uint32ConstTimeIsZero(r); ++} ++ + #ifdef __cplusplus + } + #endif /* __cplusplus */ +diff --git a/tls/record/src/rec_crypto_cbc.c b/tls/record/src/rec_crypto_cbc.c +index 18931b3..891bbd9 100644 +--- a/tls/record/src/rec_crypto_cbc.c ++++ b/tls/record/src/rec_crypto_cbc.c +@@ -27,6 +27,7 @@ + #include "rec_crypto_cbc.h" + + #define CBC_PADDING_LEN_TAG_SIZE 1u ++#define HMAC_MAX_BLEN 144 + + uint8_t RecConnGetCbcPaddingLen(uint8_t blockLen, uint32_t plaintextLen) + { +@@ -102,53 +103,200 @@ static int32_t RecConnCbcCheckCryptMsg(TLS_Ctx *ctx, const RecConnState *state, + return HITLS_SUCCESS; + } + +-static int32_t RecConnCbcCheckDecryptPadding(TLS_Ctx *ctx, const REC_TextInput *cryptMsg, uint8_t *data, +- uint32_t plaintextLen, uint32_t offset) ++static int32_t RecConnCbcDecCheckPaddingEtM(TLS_Ctx *ctx, const REC_TextInput *cryptMsg, uint8_t *plain, ++ uint32_t plainLen, uint32_t offset) + { + const RecConnState *state = ctx->recCtx->readStates.currentState; +- uint8_t mac[MAX_DIGEST_SIZE] = {0}; +- uint32_t macLen = MAX_DIGEST_SIZE; +- uint8_t paddingLen = data[plaintextLen - 1]; ++ uint8_t padLen = plain[plainLen - 1]; + +-#ifdef HITLS_TLS_FEATURE_ETM +- if (cryptMsg->isEncryptThenMac && (plaintextLen < paddingLen + CBC_PADDING_LEN_TAG_SIZE)) { ++ if (cryptMsg->isEncryptThenMac && (plainLen < padLen + CBC_PADDING_LEN_TAG_SIZE)) { + BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15399, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, + "record cbc mode decrypt error: ciphertext len = %u, plaintext len = %u, mac len = %u, padding len = %u.", +- cryptMsg->textLen - offset - state->suiteInfo->macLen, plaintextLen, state->suiteInfo->macLen, paddingLen); +- return RecordSendAlertMsg(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_RECORD_MAC); +- } +-#endif +- if ((plaintextLen < state->suiteInfo->macLen + paddingLen + CBC_PADDING_LEN_TAG_SIZE) +-#ifdef HITLS_TLS_FEATURE_ETM +- && !cryptMsg->isEncryptThenMac +-#endif +- ) { +- BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15928, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, +- "record cbc mode decrypt error: ciphertext len = %u, plaintext len = %u, mac len = %u, padding len = %u.", +- cryptMsg->textLen - offset, plaintextLen, state->suiteInfo->macLen, paddingLen); +- /* Anti-side channel attack: Calculate the MAC address even if the padding is incorrect */ +- (void)RecConnGenerateMac(state->suiteInfo, cryptMsg, mac, &macLen); ++ cryptMsg->textLen - offset - state->suiteInfo->macLen, plainLen, state->suiteInfo->macLen, padLen); + return RecordSendAlertMsg(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_RECORD_MAC); + } + +- for (uint32_t i = 1; i <= paddingLen; i++) { +- if (data[plaintextLen - 1 - i] != paddingLen) { ++ for (uint32_t i = 1; i <= padLen; i++) { ++ if (plain[plainLen - 1 - i] != padLen) { + BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15400, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, + "record cbc mode decrypt error: padding len = %u, %u-to-last padding data = %u.", +- paddingLen, i, data[plaintextLen - 1 - i], 0); +- /* Anti-side channel attack: Calculate the MAC address even if the padding is incorrect */ +-#ifdef HITLS_TLS_FEATURE_ETM +- if (!cryptMsg->isEncryptThenMac) +-#endif +- { +- (void)RecConnGenerateMac(state->suiteInfo, cryptMsg, mac, &macLen); +- } ++ padLen, i, plain[plainLen - 1 - i], 0); + return RecordSendAlertMsg(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_RECORD_MAC); + } + } + return HITLS_SUCCESS; + } + ++static uint32_t GetHashOfMac(HITLS_MacAlgo macAlgo) ++{ ++ switch (macAlgo) { ++ case HITLS_MAC_1: ++ return HITLS_HASH_SHA1; ++ case HITLS_MAC_256: ++ return HITLS_HASH_SHA_256; ++ case HITLS_MAC_224: ++ return HITLS_HASH_SHA_224; ++ case HITLS_MAC_384: ++ return HITLS_HASH_SHA_384; ++ case HITLS_MAC_512: ++ return HITLS_HASH_SHA_512; ++#ifdef HITLS_TLS_PROTO_TLCP11 ++ case HITLS_MAC_SM3: ++ return HITLS_HASH_SM3; ++#endif ++ default: ++ BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15388, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, ++ "CBC encrypt error: unsupport MAC algorithm = %u.", macAlgo, 0, 0, 0); ++ break; ++ } ++ return HITLS_HASH_BUTT; ++} ++ ++static uint32_t GetHmacBLen(HITLS_MacAlgo macAlgo) ++{ ++ switch (macAlgo) { ++ case HITLS_MAC_1: ++ case HITLS_MAC_224: ++ case HITLS_MAC_256: ++ case HITLS_MAC_SM3: ++ return 64; // Blen of upper hmac is 64. ++ case HITLS_MAC_384: ++ case HITLS_MAC_512: ++ return 128; // Blen of upper hmac is 128. ++ default: ++ // should never be here. ++ return 0; ++ } ++} ++ ++/** ++ * a constant-time implemenation of HMAC to prevent side-channel attacks ++ * reference: https://datatracker.ietf.org/doc/html/rfc2104#autoid-2 ++ */ ++ ++static int32_t ConstTimeHmac(RecConnSuitInfo *suiteInfo, HITLS_HASH_Ctx **hashCtx, uint32_t good, ++ const REC_TextInput *cryptMsg, uint8_t *data, uint32_t dataLen, uint8_t *mac, uint32_t *macLen) ++{ ++ HITLS_HASH_Ctx *obCtx = hashCtx[2]; ++ uint32_t padLen = data[dataLen - 1]; ++ padLen = Uint32ConstTimeSelect(good, padLen, 0); ++ uint32_t plainLen = dataLen - (suiteInfo->macLen + padLen + 1); ++ plainLen = Uint32ConstTimeSelect(good, plainLen, 0); ++ ++ uint32_t blen = GetHmacBLen(suiteInfo->macAlg); ++ uint8_t ipad[HMAC_MAX_BLEN] = {0}; ++ uint8_t opad[HMAC_MAX_BLEN * 2] = {0}; ++ uint8_t key[HMAC_MAX_BLEN] = {0}; ++ uint8_t ihash[MAX_DIGEST_SIZE] = {0}; ++ uint32_t ihashLen = sizeof(ihash); ++ (void)memcpy_s(key, sizeof(key), suiteInfo->macKey, suiteInfo->macKeyLen); ++ for (uint32_t i = 0; i < blen; i++) { ++ ipad[i] = key[i] ^ 0x36; ++ opad[i] = key[i] ^ 0x5c; ++ } ++ ++ // update K xor ipad ++ (void)SAL_CRYPT_DigestUpdate(hashCtx[0], ipad, blen); ++ // update the obscureHashCtx simultaneously ++ (void)SAL_CRYPT_DigestUpdate(obCtx, ipad, blen); ++ ++ /** ++ * constant-time update plaintext to resist lucky13 ++ * ref: https://www.isg.rhul.ac.uk/tls/TLStiming.pdf ++ */ ++ uint8_t header[13] = {0}; // seq + record type ++ uint32_t pos = 0; ++ (void)memcpy_s(header, sizeof(header), cryptMsg->seq, REC_CONN_SEQ_SIZE); ++ pos += REC_CONN_SEQ_SIZE; ++ header[pos++] = cryptMsg->type; ++ BSL_Uint16ToByte(cryptMsg->version, header + pos); ++ pos += sizeof(uint16_t); ++ BSL_Uint16ToByte((uint16_t)plainLen, header + pos); ++ (void)SAL_CRYPT_DigestUpdate(hashCtx[0], header, sizeof(header)); ++ (void)SAL_CRYPT_DigestUpdate(obCtx, header, sizeof(header)); ++ ++ uint32_t maxLen = dataLen - (suiteInfo->macLen + 1); ++ maxLen = Uint32ConstTimeSelect(good, maxLen, dataLen); ++ uint32_t flag = Uint32ConstTimeGt(maxLen, 256); // the value of 1 byte is up to 256 ++ uint32_t minLen = Uint32ConstTimeSelect(flag, maxLen - 256, 0); ++ pos = 0; ++ (void)SAL_CRYPT_DigestUpdate(hashCtx[0], data, minLen); ++ (void)SAL_CRYPT_DigestUpdate(obCtx, data, minLen); ++ pos += minLen; ++ for (uint32_t i = minLen; i < maxLen; i++) { ++ if (i < plainLen) { ++ SAL_CRYPT_DigestUpdate(hashCtx[0], data + i, 1); ++ } else { ++ SAL_CRYPT_DigestUpdate(obCtx, data + i, 1); ++ } ++ } ++ (void)SAL_CRYPT_DigestFinal(hashCtx[0], ihash, &ihashLen); ++ (void)memcpy_s(opad + blen, MAX_DIGEST_SIZE, ihash, ihashLen); ++ ++ // update (K xor opad) + ihash ++ (void)SAL_CRYPT_DigestUpdate(hashCtx[1], opad, blen + ihashLen); ++ (void)SAL_CRYPT_DigestFinal(hashCtx[1], mac, macLen); ++ ++ BSL_SAL_CleanseData(ipad, sizeof(ipad)); ++ BSL_SAL_CleanseData(opad, sizeof(opad)); ++ BSL_SAL_CleanseData(key, sizeof(key)); ++ ++ return HITLS_SUCCESS; ++} ++ ++static inline uint32_t ConstTimeSelectMemcmp(uint32_t good, uint8_t *a, uint8_t *b, uint32_t l) ++{ ++ uint8_t *t = (good == 0) ? b : a; ++ return ConstTimeMemcmp(t, b, l); ++} ++ ++static int32_t RecConnCbcDecMtECheckMacTls(TLS_Ctx *ctx, const REC_TextInput *cryptMsg, ++ uint8_t *plain, uint32_t plainLen) ++{ ++ const RecConnState *state = ctx->recCtx->readStates.currentState; ++ uint32_t hashAlg = GetHashOfMac(state->suiteInfo->macAlg); ++ if (hashAlg == HITLS_HASH_BUTT) { ++ return HITLS_CRYPT_ERR_HMAC; ++ } ++ ++ HITLS_HASH_Ctx *ihashCtx = NULL; ++ HITLS_HASH_Ctx *ohashCtx = NULL; ++ HITLS_HASH_Ctx *obscureHashCtx = NULL; ++ ihashCtx = SAL_CRYPT_DigestInit(hashAlg); ++ ohashCtx = SAL_CRYPT_DigestCopy(ihashCtx); ++ obscureHashCtx = SAL_CRYPT_DigestCopy(ihashCtx); ++ if (ihashCtx == NULL || ohashCtx == NULL || obscureHashCtx == NULL) { ++ SAL_CRYPT_DigestFree(ihashCtx); ++ SAL_CRYPT_DigestFree(ohashCtx); ++ SAL_CRYPT_DigestFree(obscureHashCtx); ++ return HITLS_REC_ERR_GENERATE_MAC; ++ } ++ ++ uint8_t mac[MAX_DIGEST_SIZE] = {0}; ++ uint32_t macLen = sizeof(mac); ++ uint8_t padLen = plain[plainLen - 1]; ++ ++ uint32_t good = Uint32ConstTimeGe(plainLen, state->suiteInfo->macLen + padLen + 1); ++ ++ // constant-time check padding bytes ++ for (uint32_t i = 1; i <= 255; i++) { ++ uint32_t mask = good & Uint32ConstTimeLe(i, padLen); ++ good &= Uint32ConstTimeEqual(plain[plainLen - 1 - (i & mask)], padLen); ++ } ++ ++ HITLS_HASH_Ctx *hashCtxs[3] = {ihashCtx, ohashCtx, obscureHashCtx}; ++ ConstTimeHmac(state->suiteInfo, hashCtxs, good, cryptMsg, plain, plainLen, mac, &macLen); ++ ++ // check mac ++ padLen = Uint32ConstTimeSelect(good, padLen, 0); ++ plainLen -= state->suiteInfo->macLen + padLen + 1; ++ good &= ConstTimeSelectMemcmp(good, &plain[plainLen], mac, macLen); ++ SAL_CRYPT_DigestFree(ihashCtx); ++ SAL_CRYPT_DigestFree(ohashCtx); ++ SAL_CRYPT_DigestFree(obscureHashCtx); ++ return ~good; ++} ++ + static int32_t RecConnCbcDecryptByMacThenEncrypt(TLS_Ctx *ctx, const RecConnState *state, const REC_TextInput *cryptMsg, + uint8_t *data, uint32_t *dataLen) + { +@@ -180,18 +328,13 @@ static int32_t RecConnCbcDecryptByMacThenEncrypt(TLS_Ctx *ctx, const RecConnStat + } + + /* Check padding and padding length */ +- ret = RecConnCbcCheckDecryptPadding(ctx, cryptMsg, data, plaintextLen, offset); ++ ret = RecConnCbcDecMtECheckMacTls(ctx, cryptMsg, data, plaintextLen); + if (ret != HITLS_SUCCESS) { + BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17244, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, +- "RecConnCbcCheckDecryptPadding fail", 0, 0, 0, 0); +- return ret; ++ "RecConnCbcDecMtECheckMacTls fail", 0, 0, 0, 0); ++ return RecordSendAlertMsg(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_RECORD_MAC); + } +- plaintextLen -= data[plaintextLen - 1] + CBC_PADDING_LEN_TAG_SIZE; +- +- /* Check MAC */ +- ret = RecConnCheckMac(ctx, state->suiteInfo, cryptMsg, data, plaintextLen); +- plaintextLen -= state->suiteInfo->macLen; +- *dataLen = plaintextLen; ++ *dataLen = plaintextLen - (state->suiteInfo->macLen + data[plaintextLen - 1] + CBC_PADDING_LEN_TAG_SIZE); + return ret; + } + +@@ -237,10 +380,10 @@ static int32_t RecConnCbcDecryptByEncryptThenMac(TLS_Ctx *ctx, const RecConnStat + + /* Check padding and padding length */ + uint8_t paddingLen = data[plaintextLen - 1]; +- ret = RecConnCbcCheckDecryptPadding(ctx, cryptMsg, data, plaintextLen, offset); ++ ret = RecConnCbcDecCheckPaddingEtM(ctx, cryptMsg, data, plaintextLen, offset); + if (ret != HITLS_SUCCESS) { + BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17247, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, +- "RecConnCbcCheckDecryptPadding fail", 0, 0, 0, 0); ++ "RecConnCbcDecCheckPaddingEtM fail", 0, 0, 0, 0); + return ret; + } + *dataLen = plaintextLen - paddingLen - CBC_PADDING_LEN_TAG_SIZE; +-- +2.42.0.windows.2 + diff --git a/openhitls.spec b/openhitls.spec index e288f5e..4ae26b7 100644 --- a/openhitls.spec +++ b/openhitls.spec @@ -5,10 +5,22 @@ Name: openhitls Summary: Cryptography and SSL/TLS Toolkit Version: 0.1.0 -Release: 2 +Release: 3 License: Mulan PSL V2 URL: https://www.openhitls.net/ Source0: https://raw.gitcode.com/openHiTLS/openHiTLS/archive/refs/heads/%{name}-%{version}.tar.gz +# Add all patch files in order +Patch0: 0001-provider_revise.patch +Patch1: 0002-param_revise.patch +Patch2: 0003-add-default-user-id-using-tlcp.patch +Patch3: 0004-init-add-const.patch +Patch4: 0005-add-uio_mem-comment.patch +Patch5: 0006-Rename-Refactor-some-code.patch +Patch6: 0007-provider-document.patch +Patch7: 0008-fix-some-bugs.patch +Patch8: 0009-add-github-action-for-openhitls-0.1-branch.patch +Patch9: 0010-Rename-get-time-cmd.patch +Patch10: 0011-fix-the-possible-CBC-Padding-Oracle-vulnerability.patch BuildRoot: %{_tmppath}/%{name}-v%{release}-build BuildRequires: gcc cmake make rpm libboundscheck @@ -95,6 +107,9 @@ sleep 1 %doc README-zh.md %changelog +* Wed Dec 11 2024 xuhuiyue - 0.1.0-3 +- Package update + * Wed Nov 27 2024 xuhuiyue - 0.1.0-2 - Package update -- Gitee