/** @file | |
UEFI Openssl provider implementation. | |
Copyright (c) 2022, Intel Corporation. All rights reserved.<BR> | |
SPDX-License-Identifier: BSD-2-Clause-Patent | |
**/ | |
#include <string.h> | |
#include <stdio.h> | |
#include <openssl/opensslconf.h> | |
#include <openssl/core.h> | |
#include <openssl/core_dispatch.h> | |
#include <openssl/core_names.h> | |
#include <openssl/params.h> | |
#include "prov/bio.h" | |
#include "prov/provider_ctx.h" | |
#include "prov/providercommon.h" | |
#include "prov/implementations.h" | |
#include "prov/names.h" | |
#include "prov/provider_util.h" | |
#include "prov/seeding.h" | |
#include "internal/nelem.h" | |
#include "provider_local.h" | |
OSSL_provider_init_fn ossl_uefi_provider_init; | |
const OSSL_PROVIDER_INFO ossl_predefined_providers[] = { | |
{ "default", NULL, ossl_uefi_provider_init, NULL, 1 }, | |
{ NULL, NULL, NULL, NULL, 0 } | |
}; | |
/* | |
* Forward declarations to ensure that interface functions are correctly | |
* defined. | |
*/ | |
static OSSL_FUNC_provider_gettable_params_fn deflt_gettable_params; | |
static OSSL_FUNC_provider_get_params_fn deflt_get_params; | |
static OSSL_FUNC_provider_query_operation_fn deflt_query; | |
#define ALGC(NAMES, FUNC, CHECK) { { NAMES, "provider=default", FUNC }, CHECK } | |
#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) | |
/* Functions provided by the core */ | |
static OSSL_FUNC_core_gettable_params_fn *c_gettable_params = NULL; | |
static OSSL_FUNC_core_get_params_fn *c_get_params = NULL; | |
/* Parameters we provide to the core */ | |
static const OSSL_PARAM deflt_param_types[] = { | |
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0), | |
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0), | |
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), | |
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), | |
OSSL_PARAM_END | |
}; | |
static const OSSL_PARAM *deflt_gettable_params(void *provctx) | |
{ | |
return deflt_param_types; | |
} | |
static int deflt_get_params(void *provctx, OSSL_PARAM params[]) | |
{ | |
OSSL_PARAM *p; | |
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); | |
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL Default Provider")) | |
return 0; | |
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); | |
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) | |
return 0; | |
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO); | |
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR)) | |
return 0; | |
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); | |
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) | |
return 0; | |
return 1; | |
} | |
/* | |
* For the algorithm names, we use the following formula for our primary | |
* names: | |
* | |
* ALGNAME[VERSION?][-SUBNAME[VERSION?]?][-SIZE?][-MODE?] | |
* | |
* VERSION is only present if there are multiple versions of | |
* an alg (MD2, MD4, MD5). It may be omitted if there is only | |
* one version (if a subsequent version is released in the future, | |
* we can always change the canonical name, and add the old name | |
* as an alias). | |
* | |
* SUBNAME may be present where we are combining multiple | |
* algorithms together, e.g. MD5-SHA1. | |
* | |
* SIZE is only present if multiple versions of an algorithm exist | |
* with different sizes (e.g. AES-128-CBC, AES-256-CBC) | |
* | |
* MODE is only present where applicable. | |
* | |
* We add diverse other names where applicable, such as the names that | |
* NIST uses, or that are used for ASN.1 OBJECT IDENTIFIERs, or names | |
* we have used historically. | |
* | |
* Algorithm names are case insensitive, but we use all caps in our "canonical" | |
* names for consistency. | |
*/ | |
static const OSSL_ALGORITHM deflt_digests[] = { | |
/* Our primary name:NIST name[:our older names] */ | |
{ PROV_NAMES_SHA1, "provider=default", ossl_sha1_functions }, | |
{ PROV_NAMES_SHA2_224, "provider=default", ossl_sha224_functions }, | |
{ PROV_NAMES_SHA2_256, "provider=default", ossl_sha256_functions }, | |
{ PROV_NAMES_SHA2_384, "provider=default", ossl_sha384_functions }, | |
{ PROV_NAMES_SHA2_512, "provider=default", ossl_sha512_functions }, | |
#ifndef OPENSSL_NO_SM3 | |
{ PROV_NAMES_SM3, "provider=default", ossl_sm3_functions }, | |
#endif /* OPENSSL_NO_SM3 */ | |
#ifndef OPENSSL_NO_MD5 | |
{ PROV_NAMES_MD5, "provider=default", ossl_md5_functions }, | |
#endif /* OPENSSL_NO_MD5 */ | |
{ PROV_NAMES_NULL, "provider=default", ossl_nullmd_functions }, | |
{ NULL, NULL, NULL } | |
}; | |
static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = { | |
ALG(PROV_NAMES_NULL, ossl_null_functions), | |
ALG(PROV_NAMES_AES_256_ECB, ossl_aes256ecb_functions), | |
ALG(PROV_NAMES_AES_192_ECB, ossl_aes192ecb_functions), | |
ALG(PROV_NAMES_AES_128_ECB, ossl_aes128ecb_functions), | |
ALG(PROV_NAMES_AES_256_CBC, ossl_aes256cbc_functions), | |
ALG(PROV_NAMES_AES_192_CBC, ossl_aes192cbc_functions), | |
ALG(PROV_NAMES_AES_128_CBC, ossl_aes128cbc_functions), | |
ALG(PROV_NAMES_AES_256_CTR, ossl_aes256ctr_functions), | |
ALG(PROV_NAMES_AES_192_CTR, ossl_aes192ctr_functions), | |
ALG(PROV_NAMES_AES_128_CTR, ossl_aes128ctr_functions), | |
ALG(PROV_NAMES_AES_256_GCM, ossl_aes256gcm_functions), | |
ALG(PROV_NAMES_AES_192_GCM, ossl_aes192gcm_functions), | |
ALG(PROV_NAMES_AES_128_GCM, ossl_aes128gcm_functions), | |
ALGC ( | |
PROV_NAMES_AES_128_CBC_HMAC_SHA256, | |
ossl_aes128cbc_hmac_sha256_functions, | |
ossl_cipher_capable_aes_cbc_hmac_sha256 | |
), | |
ALGC ( | |
PROV_NAMES_AES_256_CBC_HMAC_SHA256, | |
ossl_aes256cbc_hmac_sha256_functions, | |
ossl_cipher_capable_aes_cbc_hmac_sha256 | |
), | |
{ { NULL, NULL, NULL }, NULL } | |
}; | |
static OSSL_ALGORITHM exported_ciphers[OSSL_NELEM(deflt_ciphers)]; | |
static const OSSL_ALGORITHM deflt_macs[] = { | |
{ PROV_NAMES_HMAC, "provider=default", ossl_hmac_functions }, | |
{ NULL, NULL, NULL } | |
}; | |
static const OSSL_ALGORITHM deflt_kdfs[] = { | |
{ PROV_NAMES_HKDF, "provider=default", ossl_kdf_hkdf_functions }, | |
{ PROV_NAMES_SSKDF, "provider=default", ossl_kdf_sskdf_functions }, | |
{ PROV_NAMES_PBKDF2, "provider=default", ossl_kdf_pbkdf2_functions }, | |
{ PROV_NAMES_SSHKDF, "provider=default", ossl_kdf_sshkdf_functions }, | |
{ PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_functions }, | |
{ NULL, NULL, NULL } | |
}; | |
static const OSSL_ALGORITHM deflt_keyexch[] = { | |
#ifndef OPENSSL_NO_DH | |
{ PROV_NAMES_DH, "provider=default", ossl_dh_keyexch_functions }, | |
#endif | |
#ifndef OPENSSL_NO_EC | |
{ PROV_NAMES_ECDH, "provider=default", ossl_ecdh_keyexch_functions }, | |
#endif | |
{ PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_keyexch_functions }, | |
{ PROV_NAMES_HKDF, "provider=default", ossl_kdf_hkdf_keyexch_functions }, | |
{ NULL, NULL, NULL } | |
}; | |
static const OSSL_ALGORITHM deflt_rands[] = { | |
{ PROV_NAMES_CTR_DRBG, "provider=default", ossl_drbg_ctr_functions }, | |
{ PROV_NAMES_HASH_DRBG, "provider=default", ossl_drbg_hash_functions }, | |
{ NULL, NULL, NULL } | |
}; | |
static const OSSL_ALGORITHM deflt_signature[] = { | |
{ PROV_NAMES_RSA, "provider=default", ossl_rsa_signature_functions }, | |
#ifndef OPENSSL_NO_EC | |
{ PROV_NAMES_ECDSA, "provider=default", ossl_ecdsa_signature_functions }, | |
#endif | |
{ NULL, NULL, NULL } | |
}; | |
static const OSSL_ALGORITHM deflt_asym_cipher[] = { | |
{ PROV_NAMES_RSA, "provider=default", ossl_rsa_asym_cipher_functions }, | |
{ NULL, NULL, NULL } | |
}; | |
static const OSSL_ALGORITHM deflt_keymgmt[] = { | |
#ifndef OPENSSL_NO_DH | |
{ PROV_NAMES_DH, "provider=default", ossl_dh_keymgmt_functions, | |
PROV_DESCS_DH }, | |
{ PROV_NAMES_DHX, "provider=default", ossl_dhx_keymgmt_functions, | |
PROV_DESCS_DHX }, | |
#endif | |
{ PROV_NAMES_RSA, "provider=default", ossl_rsa_keymgmt_functions, | |
PROV_DESCS_RSA }, | |
{ PROV_NAMES_RSA_PSS, "provider=default", ossl_rsapss_keymgmt_functions, | |
PROV_DESCS_RSA_PSS }, | |
#ifndef OPENSSL_NO_EC | |
{ PROV_NAMES_EC, "provider=default", ossl_ec_keymgmt_functions, | |
PROV_DESCS_EC }, | |
#endif | |
{ PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_keymgmt_functions, | |
PROV_DESCS_TLS1_PRF_SIGN }, | |
{ PROV_NAMES_HKDF, "provider=default", ossl_kdf_keymgmt_functions, | |
PROV_DESCS_HKDF_SIGN }, | |
{ NULL, NULL, NULL } | |
}; | |
static const OSSL_ALGORITHM deflt_decoder[] = { | |
#define DECODER_PROVIDER "default" | |
#include "decoders.inc" | |
{ NULL, NULL, NULL } | |
#undef DECODER_PROVIDER | |
}; | |
static const OSSL_ALGORITHM *deflt_query(void *provctx, int operation_id, | |
int *no_cache) | |
{ | |
*no_cache = 0; | |
switch (operation_id) { | |
case OSSL_OP_DIGEST: | |
return deflt_digests; | |
case OSSL_OP_CIPHER: | |
return exported_ciphers; | |
case OSSL_OP_MAC: | |
return deflt_macs; | |
case OSSL_OP_KDF: | |
return deflt_kdfs; | |
case OSSL_OP_RAND: | |
return deflt_rands; | |
case OSSL_OP_KEYMGMT: | |
return deflt_keymgmt; | |
case OSSL_OP_KEYEXCH: | |
return deflt_keyexch; | |
case OSSL_OP_SIGNATURE: | |
return deflt_signature; | |
case OSSL_OP_ASYM_CIPHER: | |
return deflt_asym_cipher; | |
case OSSL_OP_DECODER: | |
return deflt_decoder; | |
} | |
return NULL; | |
} | |
static void deflt_teardown(void *provctx) | |
{ | |
BIO_meth_free(ossl_prov_ctx_get0_core_bio_method(provctx)); | |
ossl_prov_ctx_free(provctx); | |
} | |
/* Functions we provide to the core */ | |
static const OSSL_DISPATCH deflt_dispatch_table[] = { | |
{ OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))deflt_teardown }, | |
{ OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))deflt_gettable_params }, | |
{ OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))deflt_get_params }, | |
{ OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))deflt_query }, | |
{ OSSL_FUNC_PROVIDER_GET_CAPABILITIES, | |
(void (*)(void))ossl_prov_get_capabilities }, | |
{ 0, NULL } | |
}; | |
OSSL_provider_init_fn ossl_uefi_provider_init; | |
int ossl_uefi_provider_init(const OSSL_CORE_HANDLE *handle, | |
const OSSL_DISPATCH *in, | |
const OSSL_DISPATCH **out, | |
void **provctx) | |
{ | |
OSSL_FUNC_core_get_libctx_fn *c_get_libctx = NULL; | |
BIO_METHOD *corebiometh; | |
if (!ossl_prov_bio_from_dispatch(in) | |
|| !ossl_prov_seeding_from_dispatch(in)) | |
return 0; | |
for (; in->function_id != 0; in++) { | |
switch (in->function_id) { | |
case OSSL_FUNC_CORE_GETTABLE_PARAMS: | |
c_gettable_params = OSSL_FUNC_core_gettable_params(in); | |
break; | |
case OSSL_FUNC_CORE_GET_PARAMS: | |
c_get_params = OSSL_FUNC_core_get_params(in); | |
break; | |
case OSSL_FUNC_CORE_GET_LIBCTX: | |
c_get_libctx = OSSL_FUNC_core_get_libctx(in); | |
break; | |
default: | |
/* Just ignore anything we don't understand */ | |
break; | |
} | |
} | |
if (c_get_libctx == NULL) | |
return 0; | |
/* | |
* We want to make sure that all calls from this provider that requires | |
* a library context use the same context as the one used to call our | |
* functions. We do that by passing it along in the provider context. | |
* | |
* This only works for built-in providers. Most providers should | |
* create their own library context. | |
*/ | |
if ((*provctx = ossl_prov_ctx_new()) == NULL | |
|| (corebiometh = ossl_bio_prov_init_bio_method()) == NULL) { | |
ossl_prov_ctx_free(*provctx); | |
*provctx = NULL; | |
return 0; | |
} | |
ossl_prov_ctx_set0_libctx(*provctx, | |
(OSSL_LIB_CTX *)c_get_libctx(handle)); | |
ossl_prov_ctx_set0_handle(*provctx, handle); | |
ossl_prov_ctx_set0_core_bio_method(*provctx, corebiometh); | |
*out = deflt_dispatch_table; | |
ossl_prov_cache_exported_algorithms(deflt_ciphers, exported_ciphers); | |
return 1; | |
} |