dongbeiouba
diff --git a/‎Configurations/00-base-templates.conf
+6 b/‎Configurations/00-base-templates.conf
+6
diff --git a/‎Configure
+52-16 b/‎Configure
+52-16
diff --git a/‎VERSION.dat
+1-2 b/‎VERSION.dat
+1-2
diff --git a/‎apps/build.info
+1-1 b/‎apps/build.info
+1-1
diff --git a/‎apps/enc.c
+128-2 b/‎apps/enc.c
+128-2
@@ -50,13 +50,19 @@ my %targets=(
                 my @defs = ( 'OPENSSL_BUILDING_OPENSSL' );
                 push @defs, "ZLIB" unless $disabled{zlib};
                 push @defs, "ZLIB_SHARED" unless $disabled{"zlib-dynamic"};
+
+                push @defs, "SDF_LIB" unless $disabled{"sdf-lib"};
+                push @defs, "SDF_LIB_SHARED" unless $disabled{"sdf-lib-dynamic"};
                 return [ @defs ];
             },
         includes        =>
             sub {
                 my @incs = ();
                 push @incs, $withargs{zlib_include}
                     if !$disabled{zlib} && $withargs{zlib_include};
+
+                push @incs, $withargs{sdf_include}
+                    if !$disabled{sdf_lib} && $withargs{sdf_include};
                 return [ @incs ];
             },
     },
 
@@ -271,9 +271,14 @@ $config{builddir} = abs2rel($blddir, $blddir);
 # echo -n 'holy hand grenade of antioch' | openssl sha256
 $config{FIPSKEY} =
     'f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813';
-# echo -n "Tongsuo in hand, no worries about compliance" | tongsuo sm3
-$config{SMTCKEY} =
-    '5b3d9ad84fd72961e63f27a3d5da2bb663e2ed9c7b761b8ad6d041ebc68f5098';
+$config{SMTCPASSWD} = 'Tongsuo123';
+$config{SMTCPUBKEY} =
+'-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAERjiZ5ubxrnOZnjhvqvuJ5UcdRI64
+sBEVwF0UztQK9eYzqOsFEm0PKkCjoYkdmiZ+Und0agHk94eFKhtUYsu0bw==
+-----END PUBLIC KEY-----';
+$config{SMTCPUBKEY} =~ s|\n|\\n|g;
+
 
 # Collect reconfiguration information if needed
 my @argvcopy=@ARGV;
@@ -355,8 +360,6 @@ $config{tongsuo_prerelease} =
 $config{tongsuo_version} = "$config{tongsuo_major}.$config{tongsuo_minor}.$config{tongsuo_patch}";
 $config{tongsuo_full_version} = "$config{tongsuo_version}$config{tongsuo_prerelease}";
 
-$config{tongsuo_smtc_info} = $version{TONGSUO_SMTC_INFO};
-
 die "erroneous version information in VERSION.dat: ",
     "$config{version}, $config{shlib_version}\n"
     unless (defined $version{MAJOR}
@@ -404,6 +407,7 @@ my @dtls = qw(dtls1 dtls1_2);
 my @disablables = (
     "acvp-tests",
     "afalgeng",
+    "atf_slibce",
     "asan",
     "asm",
     "async",
@@ -474,6 +478,8 @@ my @disablables = (
     "smtc-debug",
     "scrypt",
     "sctp",
+    "sdf-lib",
+    "sdf-lib-dynamic",
     "secure-memory",
     "shared",
     "siphash",
@@ -588,8 +594,11 @@ our %disabled = ( # "what"         => "comment"
                   "zkp-gadget"          => "default",
                   "zkp-transcript"      => "default",
                   "bn-method"           => "default",
-                  "smtc"                 => "default",
-                  "smtc-debug"           => "default",
+                  "smtc"                => "default",
+                  "smtc-debug"          => "default",
+                  "atf_slibce"          => "default",
+                  "sdf-lib"             => "default",
+                  "sdf-lib-dynamic"     => "default",
                 );
 
 # Note: => pair form used for aesthetics, not to truly make a hash table
@@ -679,6 +688,7 @@ my @disable_cascades = (
     # SMTC does not support ct for now
     # SMTC only support builtin module for now
     sub { !$disabled{"smtc"}} => [ "ct", "module" ],
+    "sdf-lib"           => [ "sdf-lib-dynamic" ],
     );
 
 # Avoid protocol support holes.  Also disable all versions below N, if version
@@ -796,7 +806,7 @@ my %cmdvars = ();               # Stores FOO='blah' type arguments
 my %unsupported_options = ();
 my %deprecated_options = ();
 # If you change this, update apps/version.c
-my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtc);
+my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtcode rtmem rtsock);
 my @seed_sources = ();
 while (@argvcopy)
         {
@@ -914,6 +924,10 @@ while (@argvcopy)
                         {
                         delete $disabled{"zlib"};
                         }
+                elsif ($1 eq "sdf-lib-dynamic")
+                        {
+                        delete $disabled{"sdf-lib"};
+                        }
                 my $algo = $1;
                 delete $disabled{$algo};
 
@@ -1011,6 +1025,18 @@ while (@argvcopy)
                             push @seed_sources, $x;
                             }
                         }
+                elsif (/^--with-atf_slibce-lib=(.*)$/)
+                        {
+                        $withargs{atf_slibce_lib}=$1;
+                        }
+                elsif (/^--with-sdf-lib=(.*)$/)
+                        {
+                        $withargs{sdf_lib}=$1;
+                        }
+                elsif (/^--with-sdf-include=(.*)$/)
+                        {
+                        $withargs{sdf_include}=$1;
+                        }
                 elsif (/^--fips-key=(.*)$/)
                         {
                         $user{FIPSKEY}=lc($1);
@@ -1021,15 +1047,25 @@ while (@argvcopy)
                         die "FIPS key too long (64 bytes max)\n"
                            if length $1 > 64;
                         }
-                elsif (/^--smtc-key=(.*)$/)
+                elsif (/^--smtc-pubkey=(.*)$/)
                         {
-                        $user{SMTCKEY}=lc($1);
-                        die "Non-hex character in SMTC key\n"
-                           if $user{SMTCKEY} =~ /[^a-f0-9]/;
-                        die "SMTC key must have even number of characters\n"
-                           if length $1 & 1;
-                        die "SMTC key too long (64 bytes max)\n"
-                           if length $1 > 64;
+                        open my $fh, "<", $1 or die "Can't open $1: $!\n";
+                        $user{SMTCPUBKEY} = do { local $/; <$fh> };
+                        close $fh;
+                        chomp $user{SMTCPUBKEY};
+                        $user{SMTCPUBKEY} =~ s|\n|\\n|g;
+                        }
+                elsif (/^--smtc-passwd=(.*)$/)
+                        {
+                        $user{SMTCPASSWD} = $1;
+                        die "Invalid character in SMTC password (A-Z, a-z, 0-9)\n"
+                           if $user{SMTCPASSWD} =~ /[^A-Za-z0-9]/;
+                        die "Invalid SMTC password length (8 ~ 64 bytes)\n"
+                           if length $1 < 8 or length $1 > 64;
+                        }
+                elsif (/^--smtc-info=(.*)$/)
+                        {
+                        $config{tongsuo_smtc_info} = $1;
                         }
                 elsif (/^--banner=(.*)$/)
                         {
 
@@ -8,5 +8,4 @@ SHLIB_VERSION=3
 TONGSUO_MAJOR=8
 TONGSUO_MINOR=5
 TONGSUO_PATCH=0
-TONGSUO_PRE_RELEASE_TAG=dev
-TONGSUO_SMTC_INFO=
+TONGSUO_PRE_RELEASE_TAG=dev
@@ -15,7 +15,7 @@ $OPENSSLSRC=\
         pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \
         s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \
         spkac.c verify.c version.c x509.c rehash.c storeutl.c \
-        list.c info.c fipsinstall.c pkcs12.c
+        list.c info.c fipsinstall.c pkcs12.c sdf.c
 IF[{- !$disabled{'ec'} -}]
   $OPENSSLSRC=$OPENSSLSRC ec.c ecparam.c
 ENDIF
 
@@ -20,6 +20,7 @@
 #include <openssl/x509.h>
 #include <openssl/rand.h>
 #include <openssl/pem.h>
+#include <openssl/tsapi.h>
 #ifndef OPENSSL_NO_COMP
 # include <openssl/comp.h>
 #endif
@@ -32,6 +33,11 @@
 
 static int set_hex(const char *in, unsigned char *out, int size);
 static void show_ciphers(const OBJ_NAME *name, void *bio_);
+#ifdef NDEBUG
+static int do_crypt_with_isk(const EVP_CIPHER *cipher, int enc,
+                             const char *hkey, const char *hiv, const char *isk,
+                             BIO *rbio, BIO *wbio);
+#endif
 
 struct doall_enc_ciphers {
     BIO *bio;
@@ -44,7 +50,7 @@ typedef enum OPTION_choice {
     OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
     OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
     OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
-    OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER,
+    OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER, OPT_ISK,
     OPT_R_ENUM, OPT_PROV_ENUM
 } OPTION_CHOICE;
 
@@ -62,6 +68,7 @@ const OPTIONS enc_options[] = {
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
+    {"isk", OPT_ISK, 's', "Internal private key, possibly in a hardware device"},
 
     OPT_SECTION("Input"),
     {"in", OPT_IN, '<', "Input file"},
@@ -112,7 +119,7 @@ int enc_main(int argc, char **argv)
     EVP_CIPHER *cipher = NULL;
     EVP_MD *dgst = NULL;
     const char *digestname = NULL;
-    char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p;
+    char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p, *isk = NULL;
     char *infile = NULL, *outfile = NULL, *prog;
     char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL;
     const char *ciphername = NULL;
@@ -253,6 +260,9 @@ int enc_main(int argc, char **argv)
         case OPT_UPPER_K:
             hkey = opt_arg();
             break;
+        case OPT_ISK:
+            isk = opt_arg();
+            break;
         case OPT_UPPER_S:
             hsalt = opt_arg();
             break;
@@ -534,6 +544,55 @@ int enc_main(int argc, char **argv)
             BIO_printf(bio_err, "iv undefined\n");
             goto end;
         }
+
+        if (isk != NULL) {
+#ifndef NDEBUG
+            EVP_PKEY_CTX *pctx = NULL;
+            EVP_PKEY *pisk = NULL;
+            size_t outlen;
+            char path[512];
+            BIO *bio_isk = NULL;
+            unsigned char *kk = NULL, *key1 = NULL;
+            char *hbuf = NULL;
+            long keylen;
+            snprintf(path, sizeof(path), "/tmp/.keys/%s.key", isk);
+
+            if ((bio_isk = BIO_new(BIO_s_file())) == NULL
+                || BIO_read_filename(bio_isk, path) <= 0) {
+                BIO_printf(bio_err, "Error reading internal private key\n");
+                goto end;
+            }
+
+            pisk = PEM_read_bio_PrivateKey(bio_isk, NULL, NULL, NULL);
+            if (pisk == NULL)
+                goto end;
+            
+            key1 = OPENSSL_hexstr2buf(hkey, &keylen);
+            if (key1 == NULL)
+                goto end;
+
+            pctx = EVP_PKEY_CTX_new(pisk, NULL);
+            if (EVP_PKEY_decrypt_init(pctx) <= 0
+                || EVP_PKEY_decrypt(pctx, NULL, &outlen, key1, keylen) <= 0)
+                goto end;
+            
+            kk = OPENSSL_malloc(outlen);
+            if (EVP_PKEY_decrypt(pctx, kk, &outlen, key1, keylen) <= 0)
+                goto end;
+            
+            hbuf = OPENSSL_zalloc(outlen * 2 + 1);
+            if (!OPENSSL_buf2hexstr_ex(hbuf, outlen * 2 + 1, NULL, kk, outlen, '\0'))
+                goto end;
+            hkey = hbuf;
+            OPENSSL_free(kk);
+#else
+            if (do_crypt_with_isk(cipher, enc, hkey, hiv, isk, rbio, wbio) == 1)
+                ret = 0;
+            
+            goto end;
+#endif
+        }
+
         if (hkey != NULL) {
             if (!set_hex(hkey, key, EVP_CIPHER_get_key_length(cipher))) {
                 BIO_printf(bio_err, "invalid hex key value\n");
@@ -696,3 +755,70 @@ static int set_hex(const char *in, unsigned char *out, int size)
     }
     return 1;
 }
+
+#ifdef NDEBUG
+static int do_crypt_with_isk(const EVP_CIPHER *cipher, int enc,
+                             const char *hkey, const char *hiv, const char *isk,
+                             BIO *rbio, BIO *wbio)
+{
+    int ok = 0, inl;
+    unsigned char *keybuf = NULL, *ivbuf = NULL;
+    long keylen, ivlen;
+    unsigned char inbuf[EVP_MAX_BLOCK_LENGTH];
+    unsigned char outbuf[EVP_MAX_BLOCK_LENGTH];
+    int blocksize = EVP_CIPHER_block_size(cipher);
+    size_t outlen;
+
+    if (hkey == NULL) {
+        BIO_printf(bio_err, "No hex key found\n");
+        goto end;
+    }
+
+    keybuf = OPENSSL_hexstr2buf(hkey, &keylen);
+    if (keybuf == NULL) {
+        BIO_printf(bio_err, "invalid hex key value\n");
+        goto end;
+    }
+
+    if (hiv == NULL) {
+        BIO_printf(bio_err, "No hex iv found\n");
+        goto end;
+    }
+
+    ivbuf = OPENSSL_hexstr2buf(hiv, &ivlen);
+    if (ivbuf == NULL) {
+        BIO_printf(bio_err, "invalid hex iv value\n");
+        goto end;
+    }
+
+    while (BIO_pending(rbio) || !BIO_eof(rbio)) {
+        inl = BIO_read(rbio, (char *)inbuf, blocksize);
+        if (inl <= 0)
+            break;
+
+        if (enc) {
+            if (TSAPI_encrypt_with_isk(EVP_CIPHER_get0_name(cipher), keybuf,
+                                       keylen, ivbuf, ivlen, isk, inbuf, inl,
+                                       outbuf, &outlen) != 1)
+                goto end;
+        } else {
+            if (TSAPI_decrypt_with_isk(EVP_CIPHER_get0_name(cipher), keybuf,
+                                       keylen, ivbuf, ivlen, isk, inbuf, inl,
+                                       outbuf, &outlen) != 1)
+                goto end;
+        }
+
+        if (BIO_write(wbio, (char *)outbuf, outlen) != (int)outlen) {
+            BIO_printf(bio_err, "error writing output file\n");
+            goto end;
+        }
+    }
+
+    ok = 1;
+end:
+    OPENSSL_free(keybuf);
+    OPENSSL_free(ivbuf);
+
+    return ok;
+}
+#endif