
SMTC改进
根据GM/T 0105-2021设置参数值.
完整性验证机制采用SM2签名.
dongbeiouba committed Mar 12, 2024
1 parent 8ad48a8 commit 1dbbec0
Showing 21 changed files with 467 additions and 293 deletions.
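--- a/Configure
+++ b/Configure
@@ -271,9 +271,13 @@ $config{builddir} = abs2rel($blddir, $blddir);
 # echo -n 'holy hand grenade of antioch' | openssl sha256
 $config{FIPSKEY} =
 'f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813';
-# echo -n "Tongsuo in hand, no worries about compliance" | tongsuo sm3
-$config{SMTCKEY} =
-'5b3d9ad84fd72961e63f27a3d5da2bb663e2ed9c7b761b8ad6d041ebc68f5098';
+$config{SMTCPUBKEY} =
+'-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAERjiZ5ubxrnOZnjhvqvuJ5UcdRI64
+sBEVwF0UztQK9eYzqOsFEm0PKkCjoYkdmiZ+Und0agHk94eFKhtUYsu0bw==
+-----END PUBLIC KEY-----';
+$config{SMTCPUBKEY} =~ s|\n|\\n|g;
 
+
 # Collect reconfiguration information if needed
 my @argvcopy=@ARGV;
@@ -1021,15 +1025,13 @@ while (@argvcopy)
 die "FIPS key too long (64 bytes max)\n"
 if length $1 > 64;
 }
-elsif (/^--smtc-key=(.*)$/)
+elsif (/^--smtc-pubkey=(.*)$/)
 {
-$user{SMTCKEY}=lc($1);
-die "Non-hex character in SMTC key\n"
-if $user{SMTCKEY} =~ /[^a-f0-9]/;
-die "SMTC key must have even number of characters\n"
-if length $1 & 1;
-die "SMTC key too long (64 bytes max)\n"
-if length $1 > 64;
+open my $fh, "<", $1 or die "Can't open $1: $!\n";
+$user{SMTCPUBKEY} = <$fh>;
+close $fh;
+chomp $user{SMTCPUBKEY};
+$user{SMTCPUBKEY} =~ s|\n|\\n|g;
 }
 elsif (/^--banner=(.*)$/)
 {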
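Review bot: In the `--smtc-pubkey=` branch of the second hunk, `$user{SMTCPUBKEY} = <$fh>;` reads the handle in scalar context, so only the first line of the file (`-----BEGIN PUBLIC KEY-----`) is captured and the following `chomp` and `s|\n|\\n|g` have nothing to flatten; the actual key material never reaches the build. Slurp the whole file instead, `$user{SMTCPUBKEY} = do { local $/; <$fh> };`, which also makes the newline-escaping consistent with the built-in default set in the first hunk. It would also be worth rejecting a file that is not a PEM public key before it is baked into the provider, e.g. `die "SMTC public key must be PEM encoded\n" unless $user{SMTCPUBKEY} =~ /\A-----BEGIN PUBLIC KEY-----/;`. The enclosing `while (@argvcopy)` loop starts and ends outside the hunk.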
223 changes: 82 additions & 141 deletions apps/mod.c
Expand Up @@ -27,14 +27,11 @@
typedef struct {
const char *section;
const char *module_path;
#ifndef OPENSSL_NO_SMTC_DEBUG
int verify_pass;
#endif
int show_selftest;
unsigned char admin_salt[SM3_DIGEST_LENGTH];
unsigned char admin_pass[SM3_DIGEST_LENGTH];
unsigned char module_mac[EVP_MAX_MD_SIZE];
size_t module_mac_len;
unsigned char *sig;
size_t siglen;
} SMTC_CONF;

typedef enum OPTION_choice {
Expand All @@ -45,11 +42,11 @@ typedef enum OPTION_choice {
OPT_MODULE,
OPT_PROV_NAME,
OPT_SECTION_NAME,
OPT_OUT,
OPT_SIGFILE,
OPT_NEW,
OPT_CONFIG,
OPT_SHOW_SELFTEST,
#ifndef OPENSSL_NO_SMTC_DEBUG
OPT_NO_PASS,
#endif
OPT_PASS,
OPT_R_ENUM
} OPTION_CHOICE;

Expand All @@ -63,12 +60,13 @@ const OPTIONS mod_options[] = {
OPT_SECTION_NAME,
's',
"SMTC Provider config section name (optional)"},
{"show_selftest", OPT_SHOW_SELFTEST, '-', "Show self test"},
#ifndef OPENSSL_NO_SMTC_DEBUG
{"no_pass", OPT_NO_PASS, '-', "Do not setup password"},
#endif
{"show_selftest", OPT_SHOW_SELFTEST, '-', "Show self test"},
{"pass", OPT_PASS, '-', "Setup password"},
OPT_SECTION("Input"),
{"config", OPT_CONFIG, '>', "Config file"},
{"sigfile", OPT_SIGFILE, '<', "Signature file"},
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output config file, used when generating"},
{"new", OPT_NEW, '>', "Output config file, used when generating"},

{NULL}};

Expand Down Expand Up @@ -97,29 +95,6 @@ static int setup_password(unsigned char *admin_salt, unsigned char *admin_pass)
return ret;
}

static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in,
unsigned char *out, size_t *out_len)
{
int ret = 0;
int i;
size_t outsz = *out_len;

if (!EVP_MAC_init(ctx, NULL, 0, NULL))
goto err;
if (EVP_MAC_CTX_get_mac_size(ctx) > outsz)
goto end;
while ((i = BIO_read(in, (char *)tmp, BUFSIZE)) != 0) {
if (i < 0 || !EVP_MAC_update(ctx, tmp, i))
goto err;
}
end:
if (!EVP_MAC_final(ctx, out, out_len, outsz))
goto err;
ret = 1;
err:
return ret;
}

static int write_config_header(BIO *out, const char *prov_name,
const char *section)
{
Expand Down Expand Up @@ -156,8 +131,8 @@ static int write_config_smtc_section(BIO *out, SMTC_CONF *sc)
|| BIO_printf(out, "activate = 1\n") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_SMTC_PARAM_MODULE_PATH,
sc->module_path) <= 0
|| !print_hex(out, OSSL_PROV_SMTC_PARAM_MODULE_MAC, sc->module_mac,
sc->module_mac_len))
|| !print_hex(out, OSSL_PROV_SMTC_PARAM_MODULE_SIG, sc->sig,
sc->siglen))
goto end;

if (sc->show_selftest) {
Expand All @@ -170,21 +145,11 @@ static int write_config_smtc_section(BIO *out, SMTC_CONF *sc)
goto end;
}

#ifndef OPENSSL_NO_SMTC_DEBUG
if (sc->verify_pass == 0) {
if (BIO_printf(out, "%s = 0\n", OSSL_PROV_SMTC_PARAM_MODULE_VERIFY_PASS)
<= 0)
goto end;
} else {
#endif
if (!print_hex(out, OSSL_PROV_SMTC_PARAM_ADMIN_SALT, sc->admin_salt,
sizeof(sc->admin_salt))
|| !print_hex(out, OSSL_PROV_SMTC_PARAM_ADMIN_PASS,
sc->admin_pass, sizeof(sc->admin_pass)))
if (!print_hex(out, OSSL_PROV_SMTC_PARAM_ADMIN_SALT, sc->admin_salt,
sizeof(sc->admin_salt))
|| !print_hex(out, OSSL_PROV_SMTC_PARAM_ADMIN_PASS,
sc->admin_pass, sizeof(sc->admin_pass)))
goto end;
#ifndef OPENSSL_NO_SMTC_DEBUG
}
#endif

ret = 1;
end:
Expand Down Expand Up @@ -220,32 +185,24 @@ static CONF *generate_config_and_load(const char *prov_name, SMTC_CONF *sc)
int mod_main(int argc, char **argv)
{
int ret = 1;
#ifndef OPENSSL_NO_SMTC_DEBUG
int no_pass = 0;
#endif
int new = 0, pass = 0;
char *prog;
unsigned char *sig = NULL;
size_t siglen = 0;
const char *sigfile = NULL;
OPTION_CHOICE o;
int self_test = 0;
BIO *module_bio = NULL, *fout = NULL;
char *out_fname = NULL;
EVP_MAC *mac = NULL;
const char *mac_name = "HMAC";
const char *prov_name = "smtc";
const char *prov_name = "smtc", *conf_file = NULL;
SMTC_CONF sc = {
.section = "smtc_sect",
.show_selftest = 0,
#ifndef OPENSSL_NO_SMTC_DEBUG
.verify_pass = 1,
#endif
.admin_salt = SMTC_ADMIN_DEFAULT_SALT,
.admin_pass = SMTC_ADMIN_DEFAULT_PASS_HASH
};
STACK_OF(OPENSSL_STRING) *opts = NULL;
unsigned char *read_buffer = NULL;
EVP_MAC_CTX *ctx = NULL, *ctx2 = NULL;
CONF *conf = NULL;

if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;

prog = opt_init(argc, argv, mod_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
Expand Down Expand Up @@ -273,13 +230,17 @@ int mod_main(int argc, char **argv)
case OPT_SHOW_SELFTEST:
sc.show_selftest = 1;
break;
#ifndef OPENSSL_NO_SMTC_DEBUG
case OPT_NO_PASS:
no_pass = 1;
sc.verify_pass = 0;
case OPT_PASS:
pass = 1;
break;
#endif
case OPT_OUT:
case OPT_SIGFILE:
sigfile = opt_arg();
break;
case OPT_CONFIG:
conf_file = opt_arg();
break;
case OPT_NEW:
new = 1;
out_fname = opt_arg();
break;
case OPT_R_CASES:
Expand Down Expand Up @@ -315,98 +276,78 @@ int mod_main(int argc, char **argv)
}
}

#ifndef OPENSSL_NO_SMTC_DEBUG
if (!no_pass)
#endif
if (!setup_password(sc.admin_salt, sc.admin_pass))
if (new) {
if (sigfile == NULL) {
BIO_printf(bio_err, "No signature file specified\n");
goto end;
}

if (sc.module_path == NULL)
goto opthelp;

if (!sk_OPENSSL_STRING_push(opts, "digest:SM3"))
goto end;
if (!sk_OPENSSL_STRING_push(opts, "hexkey:" SMTC_KEY_STRING))
goto end;

module_bio = bio_open_default(sc.module_path, 'r', FORMAT_BINARY);
if (module_bio == NULL) {
BIO_printf(bio_err, "Failed to open module file\n");
goto end;
}

read_buffer = app_malloc(BUFSIZE, "I/O buffer");
if (read_buffer == NULL)
goto end;
BIO *sigbio = BIO_new_file(sigfile, "rb");

mac = EVP_MAC_fetch(app_get0_libctx(), mac_name, app_get0_propq());
if (mac == NULL) {
BIO_printf(bio_err, "Unable to get MAC of type %s\n", mac_name);
goto end;
}

ctx = EVP_MAC_CTX_new(mac);
if (ctx == NULL) {
BIO_printf(bio_err, "Unable to create MAC CTX for module check\n");
goto end;
}
if (sigbio == NULL) {
BIO_printf(bio_err, "Can't open signature file %s\n", sigfile);
goto end;
}
siglen = bio_to_mem(&sig, 4096, sigbio);
BIO_free(sigbio);
if (siglen < 0) {
BIO_printf(bio_err, "Error reading signature data\n");
goto end;
}
sc.sig = sig;
sc.siglen = siglen;

if (opts != NULL) {
int ok = 1;
OSSL_PARAM *params
= app_params_new_from_opts(opts, EVP_MAC_settable_ctx_params(mac));
if (sc.module_path == NULL)
goto opthelp;

if (params == NULL)
conf = generate_config_and_load(prov_name, &sc);
if (conf == NULL)
goto end;

if (!EVP_MAC_CTX_set_params(ctx, params)) {
BIO_printf(bio_err, "MAC parameter error\n");
ERR_print_errors(bio_err);
ok = 0;
fout = out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
: bio_open_default(out_fname, 'w', FORMAT_TEXT);
if (fout == NULL) {
BIO_printf(bio_err, "Failed to open file\n");
goto end;
}
app_params_free(params);
if (!ok)
if (!write_config_smtc_section(fout, &sc))
goto end;
}

ctx2 = EVP_MAC_CTX_dup(ctx);
if (ctx2 == NULL) {
BIO_printf(bio_err, "Unable to create MAC CTX for install indicator\n");
BIO_printf(bio_err, "INSTALL PASSED\n");

ret = 0;
goto end;
}

sc.module_mac_len = sizeof(sc.module_mac);
if (!do_mac(ctx, read_buffer, module_bio, sc.module_mac, &sc.module_mac_len))
goto end;
if (conf_file != NULL) {
fout = bio_open_default(conf_file, 'a', FORMAT_TEXT);
if (fout == NULL) {
BIO_printf(bio_err, "Failed to open config %s\n", conf_file);
goto end;
}

conf = generate_config_and_load(prov_name, &sc);
if (conf == NULL)
goto end;
if (pass) {
if (!setup_password(sc.admin_salt, sc.admin_pass))
goto end;

fout = out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
: bio_open_default(out_fname, 'w', FORMAT_TEXT);
if (fout == NULL) {
BIO_printf(bio_err, "Failed to open file\n");
goto end;
if (!print_hex(fout, OSSL_PROV_SMTC_PARAM_ADMIN_SALT,
sc.admin_salt,
sizeof(sc.admin_salt))
|| !print_hex(fout, OSSL_PROV_SMTC_PARAM_ADMIN_PASS,
sc.admin_pass, sizeof(sc.admin_pass)))
goto end;
}
}
if (!write_config_smtc_section(fout, &sc))
goto end;

BIO_printf(bio_err, "INSTALL PASSED\n");

ret = 0;
end:
if (ret == 1)
ERR_print_errors(bio_err);

cleanup:
OPENSSL_free(sig);
BIO_free(fout);
BIO_free(module_bio);
sk_OPENSSL_STRING_free(opts);
EVP_MAC_free(mac);
EVP_MAC_CTX_free(ctx2);
EVP_MAC_CTX_free(ctx);
OPENSSL_free(read_buffer);
if (conf != NULL) {
NCONF_free(conf);
CONF_modules_unload(1);
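Review bot: In the `new` branch of the last hunk, `siglen` is declared as `size_t siglen = 0;`, so the `if (siglen < 0)` check after `siglen = bio_to_mem(&sig, 4096, sigbio);` can never be true and a negative (error) return is silently stored in `sc.siglen` as a huge length. Keep the return value signed and convert only after the check: `int siglen = 0;` at the declaration and `sc.siglen = (size_t)siglen;` when storing it. Separately, `BIO *sigbio = BIO_new_file(sigfile, "rb");` is declared after statements, unlike every other local in `mod_main`, which this file declares at the top of the block. Note too that the `new` path now writes the config with the default `admin_salt`/`admin_pass` values unless `-config ... -pass` is run afterwards, whereas the removed code always called `setup_password`; if that split is intended, the `-new` option help should say so. `mod_main` continues past the end of the hunk.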
