Issue 65: Bring patches from amlogic and realtek into secapi2-adapter (rdkcentral#66)

Reason for change: Bring patches to secapi2-adapter, including adding SecCipher_ProcessOpaqueWithMapAndHandle.
Risks: None
Priority: P1

Author: harindhu007

include/sec_security.h

@@ -997,6 +997,9 @@ Sec_Result SecCipher_ProcessOpaqueWithMapAndPattern(Sec_CipherHandle* cipherHand
         SEC_SIZE inputSize, SEC_BOOL lastInput, SEC_MAP* map, SEC_SIZE mapLength, SEC_SIZE numEncryptedBlocks,
         SEC_SIZE numClearBlocks, Sec_OpaqueBufferHandle** opaqueBufferHandle, SEC_SIZE* bytesWritten);
 
+Sec_Result SecCipher_ProcessOpaqueWithMapAndHandle(Sec_CipherHandle* cipherHandle, SEC_BYTE* iv, uint32_t secureBufferHandle,
+        SEC_BYTE* input, SEC_SIZE inputSize, SEC_BOOL lastInput, SEC_MAP* map, SEC_SIZE mapLength, SEC_SIZE* bytesWritten);
+
 #ifdef __cplusplus
 }
 #endif

include/sec_security_datatype.h

@@ -444,6 +444,13 @@ typedef enum {
     SEC_KEYUSAGE_NUM
 } Sec_KeyUsage;
 
+/**
+ * @brief Sample size
+ */
+typedef enum {
+    SEC_SAMPLE_SIZE = 1
+} Sec_SampleSize;
+
 typedef struct {
     char keyId[40];
     SEC_BYTE rights[SEC_KEYOUTPUTRIGHT_NUM];

src/sec_adapter_cipher.c

@@ -988,9 +988,10 @@ Sec_Result SecCipher_ProcessOpaqueWithMap(Sec_CipherHandle* cipherHandle, SEC_BY
     sample.out = &out_buffer;
     sample.in = &in_buffer;
 
-    sa_status status = sa_invoke(cipherHandle->processorHandle, SA_PROCESS_COMMON_ENCRYPTION, (size_t) 1, &sample);
+    sa_status status = sa_invoke(cipherHandle->processorHandle, SA_PROCESS_COMMON_ENCRYPTION, (size_t) SEC_SAMPLE_SIZE, &sample);
     SEC_FREE(subsample_lengths);
     if (status != SA_STATUS_OK) {
+        SEC_LOG_ERROR("Failed process encryption");
         SecOpaqueBuffer_Free(*opaqueBufferHandle);
         *opaqueBufferHandle = NULL;
         *bytesWritten = 0;
@@ -1082,7 +1083,7 @@ Sec_Result SecCipher_ProcessOpaqueWithMapAndPattern(Sec_CipherHandle* cipherHand
     sample.out = &out_buffer;
     sample.in = &in_buffer;
 
-    sa_status status = sa_invoke(cipherHandle->processorHandle, SA_PROCESS_COMMON_ENCRYPTION, (size_t) 1, &sample);
+    sa_status status = sa_invoke(cipherHandle->processorHandle, SA_PROCESS_COMMON_ENCRYPTION, (size_t) SEC_SAMPLE_SIZE, &sample);
     SEC_FREE(subsample_lengths);
     if (status != SA_STATUS_OK) {
         SecOpaqueBuffer_Free(*opaqueBufferHandle);
@@ -1095,6 +1096,111 @@ Sec_Result SecCipher_ProcessOpaqueWithMapAndPattern(Sec_CipherHandle* cipherHand
     return SEC_RESULT_SUCCESS;
 }
 
+Sec_Result SecCipher_ProcessOpaqueWithMapAndHandle(Sec_CipherHandle* cipherHandle, SEC_BYTE* iv, uint32_t secureBufferHandle,
+        SEC_BYTE* input, SEC_SIZE inputSize, SEC_BOOL lastInput, SEC_MAP* map, SEC_SIZE mapLength, SEC_SIZE* bytesWritten) {
+
+    if (cipherHandle == NULL) {
+        SEC_LOG_ERROR("NULL cipherHandle");
+        return SEC_RESULT_FAILURE;
+    }
+
+    if (iv == NULL) {
+        SEC_LOG_ERROR("NULL iv");
+        return SEC_RESULT_FAILURE;
+    }
+
+    if (secureBufferHandle == 0) {
+        SEC_LOG_ERROR("Buffer Handle is 0");
+        return SEC_RESULT_FAILURE;
+    }
+
+    if (map == NULL) {
+        SEC_LOG_ERROR("NULL map");
+        return SEC_RESULT_FAILURE;
+    }
+
+    if (bytesWritten == NULL) {
+        SEC_LOG_ERROR("NULL bytesWritten");
+        return SEC_RESULT_FAILURE;
+    }
+
+    // wrap in a secapi2 adapter buffer
+    Sec_OpaqueBufferHandle* opaqueBufferHandle = NULL;
+    Sec_Result result = SecOpaqueBuffer_Create(&opaqueBufferHandle, (void*)(uintptr_t) secureBufferHandle, inputSize);
+    if (result != SEC_RESULT_SUCCESS) {
+        SEC_LOG_ERROR("SecOpaqueBuffer_Create failed with preallocated memory: %" PRIu32 "", secureBufferHandle);
+        return SEC_RESULT_FAILURE;
+    }
+
+    sa_subsample_length* subsample_lengths = malloc(mapLength * sizeof(sa_subsample_length));
+    for (size_t i = 0; i < mapLength; i++) {
+        subsample_lengths[i].bytes_of_clear_data = map[i].clear;
+        subsample_lengths[i].bytes_of_protected_data = map[i].encrypted;
+    }
+
+    sa_buffer out_buffer;
+    out_buffer.buffer_type = SA_BUFFER_TYPE_SVP;
+    out_buffer.context.svp.offset = 0;
+    out_buffer.context.svp.buffer = get_svp_buffer(cipherHandle->processorHandle, opaqueBufferHandle);
+    if (out_buffer.context.svp.buffer == INVALID_HANDLE) {
+        free(subsample_lengths);
+        SEC_LOG_ERROR("Failed create buffer from handle: %" PRIu32 "", secureBufferHandle);
+
+        // Memory is pre-allocated elsewhere so we don't wan't to free it, just
+        // release our handle to it.
+        Sec_ProtectedMemHandle* h = NULL;
+        SecOpaqueBuffer_Release(opaqueBufferHandle, &h);
+        opaqueBufferHandle = NULL;
+        *bytesWritten = 0;
+        return SEC_RESULT_FAILURE;
+    }
+
+    sa_buffer in_buffer;
+    in_buffer.buffer_type = SA_BUFFER_TYPE_CLEAR;
+    in_buffer.context.clear.buffer = input;
+    in_buffer.context.clear.length = inputSize;
+    in_buffer.context.clear.offset = 0;
+
+    sa_sample sample;
+    sample.iv = iv;
+    sample.iv_length = SEC_AES_BLOCK_SIZE;
+    sample.crypt_byte_block = 0;
+    sample.skip_byte_block = 0;
+    sample.subsample_count = mapLength;
+    sample.subsample_lengths = subsample_lengths;
+    sample.context = cipherHandle->cipher.context;
+    sample.out = &out_buffer;
+    sample.in = &in_buffer;
+
+    sa_status status = sa_invoke(cipherHandle->processorHandle, SA_PROCESS_COMMON_ENCRYPTION, (size_t) SEC_SAMPLE_SIZE, &sample);
+    free(subsample_lengths);
+
+    if (status != SA_STATUS_OK) {
+        SEC_LOG_ERROR("Failed process encryption");
+        // Memory is pre-allocated elsewhere so we don't wan't to free it, just
+        // release our handle to it.
+        Sec_ProtectedMemHandle* h = NULL;
+        SecOpaqueBuffer_Release(opaqueBufferHandle, &h);
+
+        *bytesWritten = 0;
+        CHECK_STATUS(status)
+    }
+    else
+    {
+        // Higher layers will use the pre-allocated memory directly, not our buffer.
+        Sec_ProtectedMemHandle* h = NULL;
+        const Sec_Result r = SecOpaqueBuffer_Release(opaqueBufferHandle, &h);
+
+        if (r != SEC_RESULT_SUCCESS)
+        {
+            SEC_LOG_ERROR("Failed to release buffer from pre-allocated memory");
+        }
+    }
+
+    *bytesWritten = out_buffer.context.svp.offset;
+    return SEC_RESULT_SUCCESS;
+}
+
 Sec_Result get_cipher_algorithm(const Sec_CipherAlgorithm algorithm, SEC_BOOL is_unwrap,
         sa_cipher_algorithm* cipher_algorithm, void** parameters, void* iv, SEC_SIZE key_length, SEC_SIZE key_offset) {
     *parameters = NULL;

src/sec_adapter_engine.c

@@ -1,5 +1,5 @@
 /**
-* Copyright 2020-2023 Comcast Cable Communications Management, LLC
+* Copyright 2020-2025 Comcast Cable Communications Management, LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -29,6 +29,8 @@ static SEC_BOOL g_sec_openssl_inited = SEC_FALSE;
 static RSA_METHOD* rsa_method = NULL;
 #endif
 
+static ENGINE* engine = NULL;
+
 static void Sec_ShutdownOpenSSL() {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
     if (rsa_method != NULL) {
@@ -37,11 +39,10 @@ static void Sec_ShutdownOpenSSL() {
     }
 #endif
 
-    ENGINE* engine = ENGINE_by_id(SECAPI_ENGINE_ID);
     if (engine != NULL) {
-        ENGINE_remove(engine);
         ENGINE_finish(engine);
         ENGINE_free(engine);
+        engine = NULL;
     }
 }
 
@@ -62,7 +63,7 @@ static int Sec_OpenSSLPrivSign(int type, const unsigned char* m, unsigned int m_
             SEC_LOG_ERROR("Unknown type %d", type);
             return -1;
     }
-
+    SEC_PRINT("Calling Sec_OpenSSLPrivSign with %s", OPENSSL_VERSION_TEXT);
     keyHandle = (Sec_KeyHandle*) RSA_get_app_data(rsa);
     if (keyHandle == NULL) {
         SEC_LOG_ERROR("NULL keyHandle encountered");
@@ -96,6 +97,7 @@ static int Sec_OpenSSLPubVerify(int type, const unsigned char* m, unsigned int m
             return -1;
     }
 
+    SEC_PRINT("Calling Sec_OpenSSLPubVerify with %s", OPENSSL_VERSION_TEXT);
     keyHandle = (Sec_KeyHandle*) RSA_get_app_data(rsa);
     if (keyHandle == NULL) {
         SEC_LOG_ERROR("NULL keyHandle encountered");
@@ -129,6 +131,7 @@ static int Sec_OpenSSLPubEncrypt(int flen, const unsigned char* from, unsigned c
             return -1;
     }
 
+    SEC_PRINT("Calling Sec_OpenSSLPubEncrypt with %s", OPENSSL_VERSION_TEXT);
     keyHandle = (Sec_KeyHandle*) RSA_get_app_data(rsa);
     if (keyHandle == NULL) {
         SEC_LOG_ERROR("NULL keyHandle encountered");
@@ -162,6 +165,7 @@ static int Sec_OpenSSLPrivDecrypt(int flen, const unsigned char* from, unsigned
             return -1;
     }
 
+    SEC_PRINT("Calling Sec_OpenSSLPrivDecrypt with %s", OPENSSL_VERSION_TEXT);
     keyHandle = (Sec_KeyHandle*) RSA_get_app_data(rsa);
     if (keyHandle == NULL) {
         SEC_LOG_ERROR("NULL keyHandle encountered");
@@ -199,7 +203,8 @@ static RSA_METHOD g_sec_openssl_rsamethod = {
 #endif
 
 static void ENGINE_load_securityapi(void) {
-    ENGINE* engine = ENGINE_new();
+    engine = ENGINE_new();
+    SEC_PRINT("*****ENGINE_load_securityapi***** \n");
     if (engine == NULL) {
         SEC_LOG_ERROR("ENGINE_new failed");
         return;
@@ -208,28 +213,34 @@ static void ENGINE_load_securityapi(void) {
     if (!ENGINE_set_id(engine, SECAPI_ENGINE_ID)) {
         SEC_LOG_ERROR("ENGINE_set_id failed");
         ENGINE_free(engine);
+        engine = NULL;
         return;
     }
     if (!ENGINE_set_name(engine, "SecurityApi engine")) {
         SEC_LOG_ERROR("ENGINE_set_name failed");
         ENGINE_free(engine);
+        engine = NULL;
         return;
     }
 
     if (!ENGINE_init(engine)) {
         SEC_LOG_ERROR("ENGINE_init failed");
         ENGINE_free(engine);
+        engine = NULL;
         return;
     }
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
+    SEC_PRINT("******Calling ENGINE_set_RSA 1 **** \n");
     if (!ENGINE_set_RSA(engine, &g_sec_openssl_rsamethod)) {
 #else
     if (rsa_method == NULL) {
+        SEC_PRINT("*****Sec_InitOpenSSL creating RSA method****** \n");
         rsa_method = RSA_meth_new("securityapi RSA method", RSA_METHOD_FLAG_NO_CHECK | RSA_FLAG_EXT_PKEY);
         if (rsa_method == NULL) {
             SEC_LOG_ERROR("RSA_meth_new failed");
             ENGINE_free(engine);
+	    engine = NULL;
             return;
         }
 
@@ -238,26 +249,27 @@ static void ENGINE_load_securityapi(void) {
         RSA_meth_set_sign(rsa_method, Sec_OpenSSLPrivSign);
         RSA_meth_set_verify(rsa_method, Sec_OpenSSLPubVerify);
     }
-
+ 
+    SEC_PRINT("*****Calling ENGINE_set_RSA 2***** \n");
     if (!ENGINE_set_RSA(engine, rsa_method)) {
 #endif
-        ENGINE_remove(engine);
         ENGINE_free(engine);
+        engine = NULL;
         return;
     }
 
-    ENGINE_add(engine);
-    ENGINE_free(engine);
     ERR_clear_error();
 }
 
 void Sec_InitOpenSSL() {
     static pthread_mutex_t init_openssl_mutex = PTHREAD_MUTEX_INITIALIZER;
 
     pthread_mutex_lock(&init_openssl_mutex);
+    SEC_PRINT("***** Sec_InitOpenSSL****** \n");
 
     if (g_sec_openssl_inited != SEC_TRUE) {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
+        SEC_PRINT("*****Sec_InitOpenSSL OpenSSL < 1.1.0****** \n");
         ERR_load_crypto_strings();
         OpenSSL_add_all_algorithms();
         OpenSSL_add_all_ciphers();
@@ -276,9 +288,9 @@ void Sec_InitOpenSSL() {
 
             ENGINE_set_default(engine, ENGINE_METHOD_ALL);
             ENGINE_free(engine);
+            engine = NULL;
         }
 
-        ENGINE_load_securityapi();
 
         if (atexit(Sec_ShutdownOpenSSL) != 0) {
             SEC_LOG_ERROR("atexit failed");
@@ -288,6 +300,10 @@ void Sec_InitOpenSSL() {
         g_sec_openssl_inited = SEC_TRUE;
     }
 
+    if (engine == NULL) {
+        ENGINE_load_securityapi();
+    }
+
     pthread_mutex_unlock(&init_openssl_mutex);
 }
 
@@ -300,21 +316,19 @@ RSA* SecKey_ToEngineRSA(Sec_KeyHandle* keyHandle) {
     Sec_RSARawPublicKey pubKey;
     RSA* rsa = NULL;
 
-    ENGINE* engine = ENGINE_by_id(SECAPI_ENGINE_ID);
     if (engine == NULL) {
         SEC_LOG_ERROR("ENGINE_by_id failed");
+        SEC_LOG_ERROR("engine not initialized");
         return NULL;
     }
 
     if (SEC_RESULT_SUCCESS != SecKey_ExtractRSAPublicKey(keyHandle, &pubKey)) {
-        ENGINE_free(engine);
         SEC_LOG_ERROR("SecKey_ExtractRSAPublicKey failed");
         return NULL;
     }
 
     rsa = RSA_new_method(engine);
     if (rsa == NULL) {
-        ENGINE_free(engine);
         SEC_LOG_ERROR("RSA_new_method failed");
         return NULL;
     }
@@ -327,30 +341,27 @@ RSA* SecKey_ToEngineRSA(Sec_KeyHandle* keyHandle) {
             BN_bin2bn(pubKey.e, 4, NULL), NULL);
 #endif
 
+    SEC_PRINT("Calling SecKey_ToEngineRSA with %s", OPENSSL_VERSION_TEXT);
     RSA_set_app_data(rsa, keyHandle);
-    ENGINE_free(engine);
     return rsa;
 }
 
 RSA* SecKey_ToEngineRSAWithCert(Sec_KeyHandle* keyHandle, Sec_CertificateHandle* certificateHandle) {
     Sec_RSARawPublicKey pubKey;
     RSA* rsa = NULL;
 
-    ENGINE* engine = ENGINE_by_id(SECAPI_ENGINE_ID);
     if (engine == NULL) {
         SEC_LOG_ERROR("ENGINE_by_id failed");
         return NULL;
     }
 
     if (SEC_RESULT_SUCCESS != SecCertificate_ExtractRSAPublicKey(certificateHandle, &pubKey)) {
-        ENGINE_free(engine);
         SEC_LOG_ERROR("SecKey_ExtractRSAPublicKey failed");
         return NULL;
     }
 
     rsa = RSA_new_method(engine);
     if (rsa == NULL) {
-        ENGINE_free(engine);
         SEC_LOG_ERROR("RSA_new_method failed");
         return NULL;
     }
@@ -362,9 +373,7 @@ RSA* SecKey_ToEngineRSAWithCert(Sec_KeyHandle* keyHandle, Sec_CertificateHandle*
     RSA_set0_key(rsa, BN_bin2bn(pubKey.n, (int) Sec_BEBytesToUint32(pubKey.modulus_len_be), NULL),
             BN_bin2bn(pubKey.e, 4, NULL), NULL);
 #endif
-
     RSA_set_app_data(rsa, keyHandle);
-    ENGINE_free(engine);
     return rsa;
 }