zpcprovider for sign/verify (ecdsa/eddsa)

CMakeLists.txt

@@ -95,6 +95,11 @@ find_package(json-c
     REQUIRED
 )
 
+find_package(OpenSSL
+    3.5.0
+    REQUIRED
+)
+
 add_definitions(
     -D_GNU_SOURCE
 )
@@ -137,6 +142,49 @@ install(
     DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
 )
 
+###########################################################
+# zpcprovider
+
+set(ZPCPROVIDER_SOURCES
+    src/provider.c
+    src/object.c
+)
+
+add_library(zpcprovider MODULE ${ZPCPROVIDER_SOURCES})
+set_target_properties(zpcprovider PROPERTIES PREFIX "")
+
+target_include_directories(zpcprovider PRIVATE src include ${OPENSSL_INCLUDE_DIR})
+target_link_libraries(zpcprovider PRIVATE OpenSSL::Crypto)
+
+install(
+    TARGETS zpcprovider
+    LIBRARY DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
+)
+
+set(OPENSSL_CONF
+    ${CMAKE_BINARY_DIR}/openssl.cnf
+)
+set(OPENSSL_CONF_IN
+    ${CMAKE_SOURCE_DIR}/openssl.cnf.in
+)
+set(ZPCPROVIDER_MODULE
+    ${CMAKE_BINARY_DIR}/zpcprovider.so
+)
+configure_file(${OPENSSL_CONF_IN} ${OPENSSL_CONF} @ONLY)
+
+# install(
+#     FILES ${CMAKE_SOURCE_DIR}/man/zpcprovider.cnf.5
+#     DESTINATION ${CMAKE_INSTALL_MANDIR}/man5
+# )
+#
+# install(
+#     FILES ${CMAKE_SOURCE_DIR}/man/zpcprovider.7
+#     DESTINATION ${CMAKE_INSTALL_MANDIR}/man7
+# )
+
+###########################################################
+# Test
+
 option(BUILD_TEST OFF)
 
 if (BUILD_TEST)
@@ -420,6 +468,14 @@ target_include_directories(runtest PRIVATE include src ${GTEST_INCLUDE_DIR})
 include(GoogleTest)
 gtest_discover_tests(runtest)
 
+set (ZPCPROVIDER_TEST_SOURCES
+    test/tprovider.c
+)
+add_executable(runprovidertest ${ZPCPROVIDER_TEST_SOURCES})
+add_dependencies(runprovidertest zpcprovider)
+target_include_directories(runprovidertest PRIVATE src ${OPENSSL_INCLUDE_DIR})
+target_link_libraries(runprovidertest PRIVATE OpenSSL::Crypto)
+
 endif ()
 
 ###########################################################

CONTRIBUTING.md

@@ -1,30 +1,41 @@
 Contributing {#contrib}
 ===
 
-You can contribute to `libzpc` by submitting issues (feature requests, bug reports) or pull requests (code contributions) to the GitHub repository.
+You can contribute to `libzpc` by submitting issues (feature requests, bug
+reports) or pull requests (code contributions) to the GitHub repository.
 
 
 Bug reports
 ---
 
 When filing a bug report, please include all relevant information.
 
-In all cases include the `libzpc` version, operating system and kernel version used.
+In all cases include the `libzpc` version, operating system and kernel version
+used.
 
-Additionally, if it is a build error, include the toolchain version used. If it is a runtime error, include the crypto adapter config and processor model used.
+Additionally, if it is a build error, include the toolchain version used. If it
+is a runtime error, include the crypto adapter config and processor model used.
 
 Ideally, detailed steps on how to reproduce the issue would be included.
 
 
 Code contributions
 ---
 
-All code contributions are reviewed by the `libzpc` maintainers who reverve the right to accept or reject a pull request.
+All code contributions are reviewed by the `libzpc` maintainers who reverve the
+right to accept or reject a pull request.
 
-Please state clearly if your pull request changes the `libzpc` API or ABI, and if so, whether the changes are backward compatible.
+Please state clearly if your pull request changes the `libzpc` API or ABI, and
+if so, whether the changes are backward compatible.
 
-If your pull request resolves an issue, please put a `"Fixes #<issue number>"` line in the commit message. Ideally, the pull request would add a corresponding regression test.
+If your pull request resolves an issue, please put a `"Fixes #<issue number>"`
+line in the commit message. Ideally, the pull request would add a corresponding
+regression test.
 
 If your pull request adds a new feature, please add a corresponding unit test.
 
-The code base is formatted using the `indent` tool with the options specified in the enclosed `.indent.pro` file. All code contributions must not violate this coding style. When formatting `libzpc` code, you can use `indent` with the prescribed options by copying the file to your home directory or by setting the `INDENT_PROFILE` environment variable's value to name the file.
+The code base is formatted using the `indent` tool with the options specified in
+the enclosed `.indent.pro` file. All code contributions must not violate this
+coding style. When formatting `libzpc` code, you can use `indent` with the
+prescribed options by copying the file to your home directory or by setting the
+`INDENT_PROFILE` environment variable's value to name the file.

include/zpc/ecc_key.h

@@ -125,7 +125,7 @@ int zpc_ec_key_set_apqns(struct zpc_ec_key *key, const char *apqns[]);
  */
 __attribute__((visibility("default")))
 int zpc_ec_key_import(struct zpc_ec_key *key, const unsigned char *seckey,
-					unsigned int seckeylen);
+					size_t seckeylen);
 
 /**
  * Import an EC clear-key pair. At least one of the key parts must be non-NULL.
@@ -150,8 +150,8 @@ int zpc_ec_key_import(struct zpc_ec_key *key, const unsigned char *seckey,
  */
 __attribute__((visibility("default")))
 int zpc_ec_key_import_clear(struct zpc_ec_key *key,
-					const unsigned char *pubkey, unsigned int publen,
-					const unsigned char *privkey, unsigned int privlen);
+					const unsigned char *pubkey, size_t publen,
+					const unsigned char *privkey, size_t privlen);
 
 /**
  * Export an EC secure-key. Depending on the key type (CCA or EP11), the secure
@@ -166,7 +166,7 @@ int zpc_ec_key_import_clear(struct zpc_ec_key *key,
  */
 __attribute__((visibility("default")))
 int zpc_ec_key_export(struct zpc_ec_key *key, unsigned char *seckey,
-					unsigned int *seckeylen);
+					size_t *seckeylen);
 
 /**
  * Export an EC public-key.
@@ -180,7 +180,7 @@ int zpc_ec_key_export(struct zpc_ec_key *key, unsigned char *seckey,
  */
 __attribute__((visibility("default")))
 int zpc_ec_key_export_public(struct zpc_ec_key *key, unsigned char *pubkey,
-					unsigned int *pubkeylen);
+					size_t *pubkeylen);
 
 /**
  * Generate an EC secure-key.

include/zpc/ecdsa_ctx.h

@@ -58,8 +58,8 @@ int zpc_ecdsa_ctx_set_key(struct zpc_ecdsa_ctx *ctx, struct zpc_ec_key *key);
  */
 __attribute__((visibility("default")))
 int zpc_ecdsa_sign(struct zpc_ecdsa_ctx *ctx,
-				const unsigned char *hash, unsigned int hash_len,
-				unsigned char *signature, unsigned int *sig_len);
+				const unsigned char *hash, size_t hash_len,
+				unsigned char *signature, size_t *sig_len);
 
 /**
  * Do an ECDSA verify operation.
@@ -72,8 +72,8 @@ int zpc_ecdsa_sign(struct zpc_ecdsa_ctx *ctx,
  */
 __attribute__((visibility("default")))
 int zpc_ecdsa_verify(struct zpc_ecdsa_ctx *ctx,
-				const unsigned char *hash, unsigned int hash_len,
-				const unsigned char *signature, unsigned int sig_len);
+				const unsigned char *hash, size_t hash_len,
+				const unsigned char *signature, size_t sig_len);
 
 /**
  * Free an ECDSA context.

openssl.cnf.in

@@ -0,0 +1,28 @@
+HOME = .
+
+# Use this in order to automatically load providers.
+openssl_conf = openssl_init
+
+config_diagnostics = 1
+
+[openssl_init]
+providers = provider_sect
+alg_section = evp_properties
+
+[provider_sect]
+default = default_sect
+base = base_sect
+hbkzpc = hbkzpc_sect
+
+[evp_properties]
+
+[base_sect]
+activate = 1
+
+[default_sect]
+activate = 1
+
+[hbkzpc_sect]
+module = @ZPCPROVIDER_MODULE@
+identity = hbkzpc
+activate = 1

s390x-tc-debian.cmake

@@ -1,4 +1,5 @@
 set(CMAKE_SYSTEM_NAME Linux)
+set(CMAKE_SYSTEM_PROCESSOR s390x)
 
 set(CMAKE_C_COMPILER   s390x-linux-gnu-gcc)
 set(CMAKE_CXX_COMPILER s390x-linux-gnu-g++)

src/ecc_key.c

@@ -43,13 +43,13 @@ const u16 curve2pvsecret_type[] = {
 
 static void __ec_key_reset(struct zpc_ec_key *);
 static int ec_key_check_ep11_spki(const struct zpc_ec_key *ec_key,
-						const unsigned char *spki, unsigned int spki_len);
+						const unsigned char *spki, size_t spki_len);
 static void ec_key_use_maced_spki_from_buf(struct zpc_ec_key *ec_key,
-						const unsigned char *spki, unsigned int spki_len);
+						const unsigned char *spki, size_t spki_len);
 static int ec_key_use_raw_spki_from_buf(struct zpc_ec_key *ec_key,
-						const unsigned char *spki, unsigned int spki_len);
+						const unsigned char *spki, size_t spki_len);
 static int ec_key_spki_has_valid_mkvp(const struct zpc_ec_key *ec_key,
-						const unsigned char *spki, unsigned int spki_len);
+						const unsigned char *spki, size_t spki_len);
 static int ec_key_blob_has_valid_mkvp(struct zpc_ec_key *ec_key,
 						const unsigned char *buf);
 static int ec_key_blob_is_pkey_extractable(struct zpc_ec_key *ec_key,
@@ -492,7 +492,7 @@ int zpc_ec_key_set_apqns(struct zpc_ec_key *ec_key, const char *apqns[])
 
 int
 zpc_ec_key_export(struct zpc_ec_key *ec_key, unsigned char *buf,
-				unsigned int *buflen)
+				size_t *buflen)
 {
 	int rc, rv;
 
@@ -558,7 +558,7 @@ zpc_ec_key_export(struct zpc_ec_key *ec_key, unsigned char *buf,
 }
 
 int zpc_ec_key_export_public(struct zpc_ec_key *ec_key,
-						unsigned char *buf, unsigned int *buflen)
+						unsigned char *buf, size_t *buflen)
 {
 	int rc, rv;
 
@@ -613,7 +613,7 @@ int zpc_ec_key_export_public(struct zpc_ec_key *ec_key,
 }
 
 int zpc_ec_key_import(struct zpc_ec_key *ec_key, const unsigned char *buf,
-				unsigned int buflen)
+				size_t buflen)
 {
 	target_t target;
 	int rc, rv, seclen;
@@ -789,8 +789,8 @@ int zpc_ec_key_import(struct zpc_ec_key *ec_key, const unsigned char *buf,
 }
 
 int zpc_ec_key_import_clear(struct zpc_ec_key *ec_key, const unsigned char *pubkey,
-						unsigned int publen, const unsigned char *privkey,
-						unsigned int privlen)
+						size_t publen, const unsigned char *privkey,
+						size_t privlen)
 {
 	unsigned int flags;
 	int rc, rv;
@@ -1057,7 +1057,7 @@ int zpc_ec_key_generate(struct zpc_ec_key *ec_key)
 int zpc_ec_key_reencipher(struct zpc_ec_key *ec_key, unsigned int method)
 {
 	struct ec_key reenc;
-	unsigned int seckeylen;
+	size_t seckeylen;
 	target_t target;
 	int rv, rc = ZPC_ERROR_APQNSNOTSET;
 	size_t i;
@@ -1343,8 +1343,8 @@ int ec_key_pvsec2prot(struct zpc_ec_key *ec_key)
 }
 
 int ec_key_clr2sec(struct zpc_ec_key *ec_key, unsigned int flags,
-			const unsigned char *pubkey, unsigned int publen,
-			const unsigned char *privkey, unsigned int privlen)
+			const unsigned char *pubkey, size_t publen,
+			const unsigned char *privkey, size_t privlen)
 {
 	target_t target;
 	int rv, rc = ZPC_ERROR_APQNSNOTSET;
@@ -1400,7 +1400,7 @@ int ec_key_sec2prot(struct zpc_ec_key *ec_key, enum ec_key_sec sec)
 {
 	struct pkey_kblob2pkey3 io;
 	struct ec_key *key = NULL;
-	unsigned int keybuf_len;
+	size_t keybuf_len;
 	int rc, i;
 
 	assert(sec == EC_KEY_SEC_OLD || sec == EC_KEY_SEC_CUR);
@@ -1442,7 +1442,7 @@ int ec_key_sec2prot(struct zpc_ec_key *ec_key, enum ec_key_sec sec)
 }
 
 int ec_key_clr2prot(struct zpc_ec_key *ec_key, const unsigned char *privkey,
-					unsigned int privlen)
+					size_t privlen)
 {
 	struct pkey_kblob2pkey3 io;
 	unsigned char buf[sizeof(struct clearkeytoken) + 80];
@@ -1529,7 +1529,7 @@ int ec_key_spki_valid_for_pubkey(const struct zpc_ec_key *ec_key,
 }
 
 static int ec_key_check_ep11_spki(const struct zpc_ec_key *ec_key,
-							const unsigned char *spki, unsigned int spki_len)
+							const unsigned char *spki, size_t spki_len)
 {
 	if (spki_len > curve2macedspkilen[ec_key->curve] &&
 		spki_len < curve2rawspkilen[ec_key->curve])
@@ -1550,7 +1550,7 @@ static int ec_key_check_ep11_spki(const struct zpc_ec_key *ec_key,
 }
 
 static void ec_key_use_maced_spki_from_buf(struct zpc_ec_key *ec_key,
-						const unsigned char *spki, unsigned int spki_len)
+						const unsigned char *spki, size_t spki_len)
 {
 	memcpy(ec_key->pub.spki, spki, spki_len);
 	ec_key->pub.spkilen = spki_len;
@@ -1563,7 +1563,7 @@ static void ec_key_use_maced_spki_from_buf(struct zpc_ec_key *ec_key,
 }
 
 static int ec_key_use_raw_spki_from_buf(struct zpc_ec_key *ec_key,
-						const unsigned char *spki, unsigned int spki_len)
+						const unsigned char *spki, size_t spki_len)
 {
 	target_t target;
 	int rc = -EIO, rv;
@@ -1600,7 +1600,7 @@ static int ec_key_use_raw_spki_from_buf(struct zpc_ec_key *ec_key,
 }
 
 static int ec_key_spki_has_valid_mkvp(const struct zpc_ec_key *ec_key,
-						const unsigned char *spki, unsigned int spki_len)
+						const unsigned char *spki, size_t spki_len)
 {
 	(void)spki_len; /* suppress unused parm compiler warning */
 
@@ -1618,7 +1618,7 @@ static int ec_key_spki_has_valid_mkvp(const struct zpc_ec_key *ec_key,
 static int ec_key_blob_has_valid_mkvp(struct zpc_ec_key *ec_key, const unsigned char *buf)
 {
 	const unsigned char *mkvp;
-	unsigned int mkvp_len;
+	size_t mkvp_len;
 
 	if (ec_key->mkvp_set == 0)
 		return 1; /* cannot judge */

src/ecc_key_local.h

@@ -59,10 +59,10 @@ struct zpc_ec_key {
 };
 
 int ec_key_clr2sec(struct zpc_ec_key *ec_key, unsigned int flags,
-			const unsigned char *pubkey, unsigned int publen,
-			const unsigned char *privkey, unsigned int privlen);
+			const unsigned char *pubkey, size_t publen,
+			const unsigned char *privkey, size_t privlen);
 int ec_key_sec2prot(struct zpc_ec_key *, enum ec_key_sec sec);
 int ec_key_check(const struct zpc_ec_key *);
 int ec_key_clr2prot(struct zpc_ec_key *ec_key, const unsigned char *privkey,
-			unsigned int privlen);
+			size_t privlen);
 #endif