Failed to obtain the algorithms provided by my provider

[Gabin-Crn]

Hello everyone,

I need some help to try to fix my issue on my provider ! Since few weeks ago, I want to develop my own basic provider. Through the documentation, I can be able to build the below code. I get an active status during the initialization of it, however, when i'm trying to reach algorithms I choose in my provider, no once has been found ... Do you have any clue of this issue ?

Here are the following commands I used :

openssl list -providers

openssl list -provider-path /xxx/Provider/src/BasicProviderBuild_7.so -provider cipherprovider -all-algorithms

As you can see in the "Provided field" no once appears !!

Expected result :

Please, pay no attention to the provider's name

Here is my code :

And please, don't pay attention to my AES crypto functions, I know there aren't correct

#include <stdio.h>
#include <openssl/core.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/evp.h>
#include <openssl/proverr.h>

#define DBG_PRINT(...) fprintf(stderr, __VA_ARGS__)

struct provider_ctx_st {
    const OSSL_CORE_HANDLE *core_handle;
    OSSL_LIB_CTX *libctx;
};

static void provider_ctx_free(struct provider_ctx_st *ctx);

typedef struct {
    EVP_CIPHER_CTX *cipher_ctx;
} MYPROV_CIPHER_CTX;

static OSSL_FUNC_provider_teardown_fn aes_prov_teardown;
static OSSL_FUNC_provider_query_operation_fn aes_prov_query;
static OSSL_FUNC_provider_gettable_params_fn aes_prov_gettable_params;
static OSSL_FUNC_provider_get_params_fn aes_prov_get_params;

static OSSL_FUNC_cipher_newctx_fn aes256cbc_newctx;
static OSSL_FUNC_cipher_freectx_fn aes256cbc_freectx;
static OSSL_FUNC_cipher_update_fn aes256cbc_update;
static OSSL_FUNC_cipher_final_fn aes256cbc_final;

static void *aes256cbc_newctx(void *provctx) {
    MYPROV_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(MYPROV_CIPHER_CTX));
    if (ctx == NULL) {
        return NULL; 
    }
    ctx->cipher_ctx = EVP_CIPHER_CTX_new();
    return ctx;
}

int aes256cbc_encrypt_init(void *ctx, const unsigned char *key, const unsigned char *iv) {    
    MYPROV_CIPHER_CTX *myctx = (MYPROV_CIPHER_CTX *)ctx;
    if (!EVP_EncryptInit_ex(myctx->cipher_ctx, EVP_aes_256_cbc(), NULL, key, iv))
        return 0;
    
    return 1;
}

static int aes256cbc_update(void *ctx, unsigned char *out, size_t *outl, size_t outsize, const unsigned char *in, size_t inl) {
    printf("AES 256 CBC UPDATE LOAD\n");
    MYPROV_CIPHER_CTX *myctx = (MYPROV_CIPHER_CTX *)ctx;

    unsigned char *shifted_in = OPENSSL_malloc(inl);
    if (shifted_in == NULL) 
        return 0;

    for (size_t i = 0; i < inl; i++) {
        shifted_in[i] = in[i] >> 1; // Décalage de 1 bit
    }

    int ret = EVP_EncryptUpdate(myctx->cipher_ctx, out, (int *)outl, shifted_in, (int)inl);
    OPENSSL_free(shifted_in);
    return ret;
}    

static int aes256cbc_final(void *ctx, unsigned char *out, size_t *outl, size_t outsize) {
    MYPROV_CIPHER_CTX *myctx = (MYPROV_CIPHER_CTX *)ctx;
    return EVP_EncryptFinal_ex(myctx->cipher_ctx, out, (int *)outl);
}

static void aes256cbc_freectx(void *ctx) {
    MYPROV_CIPHER_CTX *myctx = (MYPROV_CIPHER_CTX *)ctx;
    EVP_CIPHER_CTX_free(myctx->cipher_ctx);
    OPENSSL_free(myctx);
}

const OSSL_DISPATCH aes256cbc_functions[] = {
    { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))aes256cbc_newctx }, 
    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes256cbc_encrypt_init },
    { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes256cbc_update },
    { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes256cbc_final },
    { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes256cbc_freectx },
    {0, NULL}
};

const OSSL_ALGORITHM aes256cbc_algorithms[] = {
    { "AES-256-CBC", "provider=cipherprovider", aes256cbc_functions },
    { "RSA:rsaEncryption:1.2.840.113549.1.1.1",  "provider=cipherprovider", aes256cbc_functions },
    { NULL, NULL, NULL }
};

const OSSL_ALGORITHM *query_operation(void *provctx, int operation_id, int *no_cache) {
    *no_cache = 0;
    switch (operation_id) {
        case OSSL_OP_CIPHER:
            return aes256cbc_algorithms;
    }
    return NULL;
}

static void aes_prov_teardown(void *provctx) {
    struct provider_ctx_st *pctx = (struct provider_ctx_st *)provctx;

    DBG_PRINT("enter %s\n", __func__);
    if (pctx != NULL) {
        OSSL_LIB_CTX_free(pctx->libctx);
        provider_ctx_free(pctx);
    }
}

static const OSSL_PARAM aes_prov_param_types[] = {
    OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_NAME, NULL, 0),
    OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_VERSION, NULL, 0),
    OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_BUILDINFO, NULL, 0),
    OSSL_PARAM_int(OSSL_PROV_PARAM_STATUS, NULL),
    OSSL_PARAM_END
};

static const OSSL_PARAM *aes_prov_gettable_params(void *provctx) {
    return aes_prov_param_types;
}

static int aes_prov_get_params(void *provctx, OSSL_PARAM params[]) {
    OSSL_PARAM *p;

    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "AES Provider"))
        return 0;
    
    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "1.0"))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "rc0"))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
    if (p != NULL && !OSSL_PARAM_set_int(p, 1))
        return 0;

    return 1;
}

static void provider_ctx_free(struct provider_ctx_st *ctx) {
    OPENSSL_free(ctx);
}

static struct provider_ctx_st *provider_ctx_new(const OSSL_CORE_HANDLE *handle, OSSL_LIB_CTX *libctx) {
    struct provider_ctx_st *ctx;

    if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL) {
        ctx->core_handle = handle;
        ctx->libctx = libctx;
    }

    return ctx;
}

static const OSSL_DISPATCH aes_prov_dispatch[] = {
    { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))aes_prov_teardown }, // Modification
    { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))query_operation }, 
    { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))aes_prov_get_params },
    { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))aes_prov_gettable_params },
    { 0, NULL }
};

int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in, const OSSL_DISPATCH **out, void **provctx) {
    OSSL_LIB_CTX *libctx = NULL;

    if ((libctx = OSSL_LIB_CTX_new()) == NULL) {
        OSSL_LIB_CTX_free(libctx);
        return 0;
    }

    *provctx = provider_ctx_new(handle, libctx);
    if (*provctx == NULL) {
        OSSL_LIB_CTX_free(libctx);
        return 0;
    }

    *out = aes_prov_dispatch;
    return 1;
}

[mattcaswell]

This looks wrong:

    { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))aes_prov_teardown },
    { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))query_operation },

You have two inconsistent definitions for the query function.

[Gabin-Crn]

Oh yes ty ! i didn't see it, however I fixed it but same result :

[t8m]

Try to debug your code. Is the query_operation function called with OSSL_OP_CIPHER?

[Gabin-Crn]

I've been trying to debut it for 3 weeks now, and yes it is as you can see on this picture :

In my code, I displayed the number of OSSL_OL_CIPHER, it was the number 2, and I was seeing in one of openssl's .h files and yes the number 2 matched with OSSL_OP_CIPHER.

[mattcaswell]

There is actually a documentation issue here in OpenSSL.

The provider-cipher(7) man page says this:

A cipher algorithm implementation may not implement all of these functions.
In order to be a consistent set of functions there must at least be a complete
set of "encrypt" functions, or a complete set of "decrypt" functions, or a
single "cipher" function.
In all cases both the OSSL_FUNC_cipher_newctx and OSSL_FUNC_cipher_freectx functions must be
present.
All other functions are optional.

But this is not actually true. It appears there must be a "get_params" function too for the cipher. Otherwise things fail.

Internally, when we construct the EVP_CIPHER object, we attempt to query it in order to cache various constants:

openssl/crypto/evp/evp_enc.c

Lines 1693 to 1697 in 06aa41a

	if (!evp_cipher_cache_constants(cipher)) {
	EVP_CIPHER_free(cipher);
	ERR_raise(ERR_LIB_EVP, EVP_R_CACHE_CONSTANTS_FAILED);
	cipher = NULL;
	}

If the call to evp_cipher_cache_constants fails - then then whole fetch fails. Unfortunately that function returns a failure if the cipher is missing a get_params function.

It's not quite clear to me whether the correct solution is for that function not to fail if there is a missing get_params, or whether we should fix the documentation to specify the additional need for this function to be implemented.

Either way, the solution for you is to implement it.

[mattcaswell]

I've raised a bug report for this in #25801

[Gabin-Crn]

You are amazing !! I've just added this part of code and it's workss !! ty so much !!

static int aes256cbc_get_params(OSSL_PARAM params[]) {
    OSSL_PARAM *p;

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, 32))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, 16)) 
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_BLOCK_SIZE);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, 16)) 
        return 0;

    return 1;
}

[paulidale]

It's a documentation error. I don't think it would be possible to "fix" evp_cipher_cache_constants(), too much code relies on knowing the various lengths for them to not be available.