Linaro · patch-king · Dec 16, 2025 · Dec 18, 2025 · Dec 18, 2025 · Dec 16, 2025
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -62,8 +62,11 @@ endif #WD_KAE
 
 uadk_provider_la_SOURCES=uadk_prov_init.c uadk_async.c uadk_utils.c \
 			 uadk_prov_digest.c uadk_prov_cipher.c \
-			 uadk_prov_rsa.c uadk_prov_dh.c \
-			 uadk_prov_bio.c uadk_prov_der_writer.c uadk_prov_packet.c \
+			 uadk_prov_rsa.c uadk_prov_rsa_kmgmt.c \
+			 uadk_prov_rsa_enc.c uadk_prov_rsa_sign.c \
+			 uadk_prov_rsa_utils.c \
+			 uadk_prov_dh.c uadk_prov_bio.c \
+			 uadk_prov_der_writer.c uadk_prov_packet.c \
 			 uadk_prov_pkey.c uadk_prov_sm2.c \
 			 uadk_prov_ffc.c uadk_prov_aead.c \
 			 uadk_prov_ec_kmgmt.c uadk_prov_ecdh_exch.c \
@@ -74,3 +77,5 @@ uadk_provider_la_LDFLAGS=-module -version-number $(VERSION)
 uadk_provider_la_LIBADD=$(WD_LIBS) -lpthread
 uadk_provider_la_CFLAGS=$(WD_CFLAGS) $(libcrypto_CFLAGS)
 uadk_provider_la_CFLAGS+=-DOPENSSL_SUPPRESS_DEPRECATED
+uadk_provider_la_CFLAGS+=-fPIC -fPIE -pie -fstack-protector-strong -D_FORTIFY_SOURCE=2 \
+			-O2 -ftrapv -Wl,-z,relro,-z,now -Wl,-s
diff --git a/src/uadk_ecx.c b/src/uadk_ecx.c
@@ -35,11 +35,157 @@
 #define UADK_E_SUCCESS		1
 #define UADK_E_FAIL		0
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+enum ECX_KEY_TYPE {
+	ECX_KEY_TYPE_X25519,
+	ECX_KEY_TYPE_X448,
+	ECX_KEY_TYPE_ED25519,
+	ECX_KEY_TYPE_ED448
+};
+
+struct ecx_key {
+	OSSL_LIB_CTX *libctx;
+	char *propq;
+	unsigned int haspubkey:1;
+	unsigned char pubkey[ECX_MAX_KEYLEN];
+	unsigned char *privkey;
+	size_t keylen;
+	enum ECX_KEY_TYPE type;
+	int references;
+	CRYPTO_RWLOCK *lock;
+};
+
+struct evp_pkey_ctx_st {
+	/* Actual operation */
+	int operation;
+
+	/*
+	 * Library context, property query, keytype and keymgmt associated with
+	 * this context
+	 */
+	OSSL_LIB_CTX *libctx;
+	char *propquery;
+	const char *keytype;
+	/* If |pkey| below is set, this field is always a reference to its keymgmt */
+	EVP_KEYMGMT *keymgmt;
+
+	union {
+		struct {
+			void *genctx;
+		} keymgmt;
+
+		struct {
+			EVP_KEYEXCH *exchange;
+			/*
+			 * Opaque ctx returned from a providers exchange algorithm
+			 * implementation OSSL_FUNC_keyexch_newctx()
+			 */
+			void *algctx;
+		} kex;
+
+		struct {
+			EVP_SIGNATURE *signature;
+			/*
+			 * Opaque ctx returned from a providers signature algorithm
+			 * implementation OSSL_FUNC_signature_newctx()
+			 */
+			void *algctx;
+		} sig;
+
+		struct {
+			EVP_ASYM_CIPHER *cipher;
+			/*
+			 * Opaque ctx returned from a providers asymmetric cipher algorithm
+			 * implementation OSSL_FUNC_asym_cipher_newctx()
+			 */
+			void *algctx;
+		} ciph;
+		struct {
+			EVP_KEM *kem;
+			/*
+			 * Opaque ctx returned from a providers KEM algorithm
+			 * implementation OSSL_FUNC_kem_newctx()
+			 */
+			void *algctx;
+		} encap;
+	} op;
+
+	/*
+	 * Cached parameters. Inits of operations that depend on these should
+	 * call evp_pkey_ctx_use_delayed_data() when the operation has been set
+	 * up properly.
+	 */
+	struct {
+		/* Distinguishing Identifier, ISO/IEC 15946-3, FIPS 196 */
+		char *dist_id_name; /* The name used with EVP_PKEY_CTX_ctrl_str() */
+		void *dist_id;      /* The distinguishing ID itself */
+		size_t dist_id_len; /* The length of the distinguishing ID */
+
+		/* Indicators of what has been set.  Keep them together! */
+		unsigned int dist_id_set : 1;
+	} cached_parameters;
+
+	/* Application specific data, usually used by the callback */
+	void *app_data;
+	/* Keygen callback */
+	EVP_PKEY_gen_cb *pkey_gencb;
+	/* implementation specific keygen data */
+	int *keygen_info;
+	int keygen_info_count;
+
+	/* Legacy fields below */
+
+	/* EVP_PKEY identity */
+	int legacy_keytype;
+	/* Method associated with this operation */
+	const EVP_PKEY_METHOD *pmeth;
+	/* Engine that implements this method or NULL if builtin */
+	ENGINE *engine;
+	/* Key: may be NULL */
+	EVP_PKEY *pkey;
+	/* Peer key for key agreement, may be NULL */
+	EVP_PKEY *peerkey;
+	/* Algorithm specific data */
+	void *data;
+	/* Indicator if digest_custom needs to be called */
+	unsigned int flag_call_digest_custom:1;
+	/*
+	 * Used to support taking custody of memory in the case of a provider being
+	 * used with the deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() API. This
+	 * member should NOT be used for any other purpose and should be removed
+	 * when said deprecated API is excised completely.
+	 */
+	BIGNUM *rsa_pubexp;
+};
+#else
 struct ecx_key {
 	unsigned char pubkey[ECX_MAX_KEYLEN];
 	unsigned char *privkey;
 };
 
+struct evp_pkey_ctx_st {
+	/* Method associated with this operation */
+	const EVP_PKEY_METHOD *pmeth;
+	/* Engine that implements this method or NULL if builtin */
+	ENGINE *engine;
+	/* Key: may be NULL */
+	EVP_PKEY *pkey;
+	/* Peer key for key agreement, may be NULL */
+	EVP_PKEY *peerkey;
+	/* Actual operation */
+	int operation;
+	/* Algorithm specific data */
+	void *data;
+	/* Application specific data */
+	void *app_data;
+	/* Keygen callback */
+	EVP_PKEY_gen_cb *pkey_gencb;
+	/* implementation specific keygen data */
+	int *keygen_info;
+	int keygen_info_count;
+};
+#endif
+
 struct ecx_ctx {
 	handle_t sess;
 	__u32 key_size;
@@ -151,12 +297,12 @@ static int x448_init(EVP_PKEY_CTX *ctx)
 
 static int ecx_get_nid(EVP_PKEY_CTX *ctx)
 {
-	const EVP_PKEY_METHOD **pmeth_from_ctx;
+	const EVP_PKEY_METHOD *pmeth_from_ctx;
 	int nid;
 
-	pmeth_from_ctx = (const EVP_PKEY_METHOD **)ctx;
+	pmeth_from_ctx = (const EVP_PKEY_METHOD *)(ctx->pmeth);
 
-	EVP_PKEY_meth_get0_info(&nid, NULL, *pmeth_from_ctx);
+	EVP_PKEY_meth_get0_info(&nid, NULL, pmeth_from_ctx);
 	if (nid != EVP_PKEY_X25519 && nid != EVP_PKEY_X448)
 		return UADK_E_FAIL;
 

diff --git a/src/uadk_pkey.c b/src/uadk_pkey.c
@@ -34,7 +34,9 @@ static int g_ecc_support_state[ECC_TYPE];
 
 static int pkey_nids[] = {
 	EVP_PKEY_EC,
+#if OPENSSL_VERSION_NUMBER < 0x30000000
 	EVP_PKEY_SM2,
+#endif
 	EVP_PKEY_X25519,
 	EVP_PKEY_X448
 };

diff --git a/src/uadk_pkey.h b/src/uadk_pkey.h
@@ -75,13 +75,10 @@ int uadk_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p,
 int uadk_init_ecc(void);
 const EVP_PKEY_METHOD *get_openssl_pkey_meth(int nid);
 int uadk_sm2_create_pmeth(struct uadk_pkey_meth *pkey_meth);
-void uadk_sm2_delete_pmeth(struct uadk_pkey_meth *pkey_meth);
 int uadk_ec_create_pmeth(struct uadk_pkey_meth *pkey_meth);
 void uadk_ec_delete_meth(void);
 int uadk_x448_create_pmeth(struct uadk_pkey_meth *pkey_meth);
-void uadk_x448_delete_pmeth(struct uadk_pkey_meth *pkey_meth);
 int uadk_x25519_create_pmeth(struct uadk_pkey_meth *pkey_meth);
-void uadk_x25519_delete_pmeth(struct uadk_pkey_meth *pkey_meth);
 int uadk_bind_ec(ENGINE *e);
 int uadk_e_ecc_get_numa_id(void);
 int uadk_e_ecc_get_support_state(int alg_tag);

diff --git a/src/uadk_prov.h b/src/uadk_prov.h
@@ -26,12 +26,13 @@
 #define UADK_INIT_SUCCESS		1
 #define UADK_INIT_FAIL			2
 #define UADK_DEVICE_ERROR		3
-#define HW_SEC_V2			2
-#define HW_SEC_V3			3
 #define POLL_ERROR			(-1)
 #define PROV_SEND_MAX_CNT		90000000
 #define PROV_RECV_MAX_CNT		60000000
 #define PROV_SCH_RECV_MAX_CNT		60000
+#define UADK_P_SUCCESS			1
+#define UADK_P_FAIL			0
+#define UADK_DO_SOFT			(-0xE0)
 
 /* Copy openssl/providers/implementations/include/prov/names.h */
 #define PROV_NAMES_MD5 "MD5:SSL3-MD5:1.2.840.113549.2.5"
@@ -44,6 +45,12 @@
 #define PROV_NAMES_SHA2_512_224 "SHA2-512/224:SHA-512/224:SHA512-224:2.16.840.1.101.3.4.2.5"
 #define PROV_NAMES_SHA2_512_256 "SHA2-512/256:SHA-512/256:SHA512-256:2.16.840.1.101.3.4.2.6"
 
+enum HW_SYMM_ENC_DEV {
+	HW_SYMM_ENC_INVALID = 0x0,
+	HW_SYMM_ENC_V2 = 0x2,
+	HW_SYMM_ENC_V3 = 0x3
+};
+
 typedef int CRYPTO_REF_COUNT;
 
 struct ossl_provider_st {

diff --git a/src/uadk_prov_aead.c b/src/uadk_prov_aead.c
@@ -54,7 +54,6 @@
 #define PROV_CIPHER_FLAG_CUSTOM_IV	0x0002
 #define AEAD_FLAGS			(PROV_CIPHER_FLAG_AEAD | PROV_CIPHER_FLAG_CUSTOM_IV)
 
-#define UADK_DO_SOFT			(-0xE0)
 #define UADK_DO_HW			(-0xF0)
 #define UADK_AEAD_DEF_CTXS		2
 #define UADK_AEAD_OP_NUM		1

diff --git a/src/uadk_prov_cipher.c b/src/uadk_prov_cipher.c
@@ -30,7 +30,6 @@
 #include "uadk_prov.h"
 #include "uadk_utils.h"
 
-#define UADK_DO_SOFT		(-0xE0)
 #define UADK_DO_HW		(-0xF0)
 #define CTX_SYNC_ENC		0
 #define CTX_SYNC_DEC		1
@@ -42,9 +41,6 @@
 #define ALG_NAME_SIZE		128
 #define GENERIC_BLOCK_SIZE	16
 
-#define UADK_P_SUCCESS		1
-#define UADK_P_FAIL		0
-
 /* Internal flags that can be queried */
 #define PROV_CIPHER_FLAG_AEAD			0x0001
 #define PROV_CIPHER_FLAG_CUSTOM_IV		0x0002
@@ -104,6 +100,7 @@ struct cipher_prov {
 	int pid;
 };
 static struct cipher_prov prov;
+static enum HW_SYMM_ENC_DEV g_hw_symm_enc_dev;
 static pthread_mutex_t cipher_mutex = PTHREAD_MUTEX_INITIALIZER;
 
 struct cipher_priv_ctx {
@@ -1342,22 +1339,25 @@ static void uadk_prov_cipher_freectx(void *ctx)
 int uadk_prov_cipher_version(void)
 {
 	struct uacce_dev *dev;
-	int ver;
+
+	if (g_hw_symm_enc_dev != HW_SYMM_ENC_INVALID)
+		return g_hw_symm_enc_dev;
 
 	dev = uadk_get_accel_dev("cipher");
 	if (!dev) {
 		UADK_ERR("no cipher device available!\n");
-		return 0;
+		g_hw_symm_enc_dev = HW_SYMM_ENC_INVALID;
+		return g_hw_symm_enc_dev;
 	}
 
 	if (!strcmp(dev->api, "hisi_qm_v2"))
-		ver = HW_SEC_V2;
+		g_hw_symm_enc_dev = HW_SYMM_ENC_V2;
 	else
-		ver = HW_SEC_V3;
+		g_hw_symm_enc_dev = HW_SYMM_ENC_V3;
 
 	free(dev);
 
-	return ver;
+	return g_hw_symm_enc_dev;
 }
 
 #define UADK_CIPHER_DESCR(nm, blk_size, key_len, iv_len,			\