SMTC integrates with crypto card based on atf-slibce engine;add sdf, …
…TSAPI and etc.

DRBG set reseed interval and reseed_time_interval according to GM/T 0105-2021.

Change the integrity verification mechanism to SM2 signature.

App rand supports getting entropy from specified source.

Rename entropy rtc1 to rtcode, rtc2 to rtmem.

Add rtsock entropy source.

Support requesting entropy from specified entropy source.

Support atf-slibce engine.

Add sdf framework and partial APIs.

Add sdf app.

App speed add keygen for SM2 and GenerateKey with SDF.

Add TSAPI, mainly includes functions such as random number,

signature verification, encryption and decryption, etc.
dongbeiouba committed Jun 11, 2024
1 parent 45a8a9d commit e2ba232
Showing 78 changed files with 6,260 additions and 762 deletions.
6 changes: 6 additions & 0 deletions Configurations/00-base-templates.conf
Expand Up @@ -50,13 +50,19 @@ my %targets=(
my @defs = ( 'OPENSSL_BUILDING_OPENSSL' );
push @defs, "ZLIB" unless $disabled{zlib};
push @defs, "ZLIB_SHARED" unless $disabled{"zlib-dynamic"};

push @defs, "SDF_LIB" unless $disabled{"sdf-lib"};
push @defs, "SDF_LIB_SHARED" unless $disabled{"sdf-lib-dynamic"};
return [ @defs ];
},
includes =>
sub {
my @incs = ();
push @incs, $withargs{zlib_include}
if !$disabled{zlib} && $withargs{zlib_include};

push @incs, $withargs{sdf_include}
if !$disabled{sdf_lib} && $withargs{sdf_include};
return [ @incs ];
},
},
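Review bot: The new include guard tests `$disabled{sdf_lib}` (underscore), but the option is registered and tested everywhere else as `sdf-lib`: see `$disabled{"sdf-lib"}` in the `defines` sub just above and the `@disablables` entry in Configure. Since no `sdf_lib` key appears to be set anywhere on this page, `!$disabled{sdf_lib}` is always true and `$withargs{sdf_include}` is added to the include path even when sdf-lib is disabled. The condition should read `if !$disabled{"sdf-lib"} && $withargs{sdf_include};`. The enclosing `%targets` definition starts and ends outside this hunk.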
68 changes: 52 additions & 16 deletions Configure
Expand Up @@ -271,9 +271,14 @@ $config{builddir} = abs2rel($blddir, $blddir);
# echo -n 'holy hand grenade of antioch' | openssl sha256
$config{FIPSKEY} =
'f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813';
# echo -n "Tongsuo in hand, no worries about compliance" | tongsuo sm3
$config{SMTCKEY} =
'5b3d9ad84fd72961e63f27a3d5da2bb663e2ed9c7b761b8ad6d041ebc68f5098';
$config{SMTCPASSWD} = 'Tongsuo123';
$config{SMTCPUBKEY} =
'-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAERjiZ5ubxrnOZnjhvqvuJ5UcdRI64
sBEVwF0UztQK9eYzqOsFEm0PKkCjoYkdmiZ+Und0agHk94eFKhtUYsu0bw==
-----END PUBLIC KEY-----';
$config{SMTCPUBKEY} =~ s|\n|\\n|g;


# Collect reconfiguration information if needed
my @argvcopy=@ARGV;
Expand Down Expand Up @@ -355,8 +360,6 @@ $config{tongsuo_prerelease} =
$config{tongsuo_version} = "$config{tongsuo_major}.$config{tongsuo_minor}.$config{tongsuo_patch}";
$config{tongsuo_full_version} = "$config{tongsuo_version}$config{tongsuo_prerelease}";

$config{tongsuo_smtc_info} = $version{TONGSUO_SMTC_INFO};

die "erroneous version information in VERSION.dat: ",
"$config{version}, $config{shlib_version}\n"
unless (defined $version{MAJOR}
Expand Down Expand Up @@ -404,6 +407,7 @@ my @dtls = qw(dtls1 dtls1_2);
my @disablables = (
"acvp-tests",
"afalgeng",
"atf_slibce",
"asan",
"asm",
"async",
Expand Down Expand Up @@ -474,6 +478,8 @@ my @disablables = (
"smtc-debug",
"scrypt",
"sctp",
"sdf-lib",
"sdf-lib-dynamic",
"secure-memory",
"shared",
"siphash",
Expand Down Expand Up @@ -588,8 +594,11 @@ our %disabled = ( # "what" => "comment"
"zkp-gadget" => "default",
"zkp-transcript" => "default",
"bn-method" => "default",
"smtc" => "default",
"smtc-debug" => "default",
"smtc" => "default",
"smtc-debug" => "default",
"atf_slibce" => "default",
"sdf-lib" => "default",
"sdf-lib-dynamic" => "default",
);

# Note: => pair form used for aesthetics, not to truly make a hash table
Expand Down Expand Up @@ -679,6 +688,7 @@ my @disable_cascades = (
# SMTC does not support ct for now
# SMTC only support builtin module for now
sub { !$disabled{"smtc"}} => [ "ct", "module" ],
"sdf-lib" => [ "sdf-lib-dynamic" ],
);

# Avoid protocol support holes. Also disable all versions below N, if version
Expand Down Expand Up @@ -796,7 +806,7 @@ my %cmdvars = (); # Stores FOO='blah' type arguments
my %unsupported_options = ();
my %deprecated_options = ();
# If you change this, update apps/version.c
my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtc);
my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtcode rtmem rtsock);
my @seed_sources = ();
while (@argvcopy)
{
Expand Down Expand Up @@ -914,6 +924,10 @@ while (@argvcopy)
{
delete $disabled{"zlib"};
}
elsif ($1 eq "sdf-lib-dynamic")
{
delete $disabled{"sdf-lib"};
}
my $algo = $1;
delete $disabled{$algo};

Expand Down Expand Up @@ -1011,6 +1025,18 @@ while (@argvcopy)
push @seed_sources, $x;
}
}
elsif (/^--with-atf_slibce-lib=(.*)$/)
{
$withargs{atf_slibce_lib}=$1;
}
elsif (/^--with-sdf-lib=(.*)$/)
{
$withargs{sdf_lib}=$1;
}
elsif (/^--with-sdf-include=(.*)$/)
{
$withargs{sdf_include}=$1;
}
elsif (/^--fips-key=(.*)$/)
{
$user{FIPSKEY}=lc($1);
Expand All @@ -1021,15 +1047,25 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
elsif (/^--smtc-key=(.*)$/)
elsif (/^--smtc-pubkey=(.*)$/)
{
$user{SMTCKEY}=lc($1);
die "Non-hex character in SMTC key\n"
if $user{SMTCKEY} =~ /[^a-f0-9]/;
die "SMTC key must have even number of characters\n"
if length $1 & 1;
die "SMTC key too long (64 bytes max)\n"
if length $1 > 64;
open my $fh, "<", $1 or die "Can't open $1: $!\n";
$user{SMTCPUBKEY} = do { local $/; <$fh> };
close $fh;
chomp $user{SMTCPUBKEY};
$user{SMTCPUBKEY} =~ s|\n|\\n|g;
}
elsif (/^--smtc-passwd=(.*)$/)
{
$user{SMTCPASSWD} = $1;
die "Invalid character in SMTC password (A-Z, a-z, 0-9)\n"
if $user{SMTCPASSWD} =~ /[^A-Za-z0-9]/;
die "Invalid SMTC password length (8 ~ 64 bytes)\n"
if length $1 < 8 or length $1 > 64;
}
elsif (/^--smtc-info=(.*)$/)
{
$config{tongsuo_smtc_info} = $1;
}
elsif (/^--banner=(.*)$/)
{
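Review bot: The new defaults `$config{SMTCPASSWD} = 'Tongsuo123';` and the built-in `$config{SMTCPUBKEY}` in the first hunk mean that any SMTC build configured without `--smtc-passwd` and `--smtc-pubkey` carries a password and verification key that are published in the source tree. How these values are consumed is not visible here, but if the password guards the module and the key verifies its integrity signature, a default build is only as protected as a public repository. Consider leaving both unset and failing after option parsing when SMTC is enabled, e.g. `die "enable-smtc requires --smtc-passwd and --smtc-pubkey\n" if !$disabled{smtc} && !(defined $user{SMTCPASSWD} && defined $user{SMTCPUBKEY});`, or at least warning that test credentials are in use. The `--smtc-pubkey` handler also embeds the file content after escaping only `\n`, so it may be worth checking that the file looks like a PEM public key (and normalising `\r\n`) before accepting it.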
3 changes: 1 addition & 2 deletions VERSION.dat
Expand Up @@ -8,5 +8,4 @@ SHLIB_VERSION=3
TONGSUO_MAJOR=8
TONGSUO_MINOR=5
TONGSUO_PATCH=0
TONGSUO_PRE_RELEASE_TAG=dev
TONGSUO_SMTC_INFO=
TONGSUO_PRE_RELEASE_TAG=dev
2 changes: 1 addition & 1 deletion apps/build.info
Expand Up @@ -15,7 +15,7 @@ $OPENSSLSRC=\
pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \
s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \
spkac.c verify.c version.c x509.c rehash.c storeutl.c \
list.c info.c fipsinstall.c pkcs12.c
list.c info.c fipsinstall.c pkcs12.c sdf.c
IF[{- !$disabled{'ec'} -}]
$OPENSSLSRC=$OPENSSLSRC ec.c ecparam.c
ENDIF
130 changes: 128 additions & 2 deletions apps/enc.c
Expand Up @@ -20,6 +20,7 @@
#include <openssl/x509.h>
#include <openssl/rand.h>
#include <openssl/pem.h>
#include <openssl/tsapi.h>
#ifndef OPENSSL_NO_COMP
# include <openssl/comp.h>
#endif
Expand All @@ -32,6 +33,11 @@

static int set_hex(const char *in, unsigned char *out, int size);
static void show_ciphers(const OBJ_NAME *name, void *bio_);
#ifdef NDEBUG
static int do_crypt_with_isk(const EVP_CIPHER *cipher, int enc,
const char *hkey, const char *hiv, const char *isk,
BIO *rbio, BIO *wbio);
#endif

struct doall_enc_ciphers {
BIO *bio;
Expand All @@ -44,7 +50,7 @@ typedef enum OPTION_choice {
OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER,
OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER, OPT_ISK,
OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;

Expand All @@ -62,6 +68,7 @@ const OPTIONS enc_options[] = {
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
{"isk", OPT_ISK, 's', "Internal private key, possibly in a hardware device"},

OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
Expand Down Expand Up @@ -112,7 +119,7 @@ int enc_main(int argc, char **argv)
EVP_CIPHER *cipher = NULL;
EVP_MD *dgst = NULL;
const char *digestname = NULL;
char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p;
char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p, *isk = NULL;
char *infile = NULL, *outfile = NULL, *prog;
char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL;
const char *ciphername = NULL;
Expand Down Expand Up @@ -253,6 +260,9 @@ int enc_main(int argc, char **argv)
case OPT_UPPER_K:
hkey = opt_arg();
break;
case OPT_ISK:
isk = opt_arg();
break;
case OPT_UPPER_S:
hsalt = opt_arg();
break;
Expand Down Expand Up @@ -534,6 +544,55 @@ int enc_main(int argc, char **argv)
BIO_printf(bio_err, "iv undefined\n");
goto end;
}

if (isk != NULL) {
#ifndef NDEBUG
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *pisk = NULL;
size_t outlen;
char path[512];
BIO *bio_isk = NULL;
unsigned char *kk = NULL, *key1 = NULL;
char *hbuf = NULL;
long keylen;
snprintf(path, sizeof(path), "/tmp/.keys/%s.key", isk);

if ((bio_isk = BIO_new(BIO_s_file())) == NULL
|| BIO_read_filename(bio_isk, path) <= 0) {
BIO_printf(bio_err, "Error reading internal private key\n");
goto end;
}

pisk = PEM_read_bio_PrivateKey(bio_isk, NULL, NULL, NULL);
if (pisk == NULL)
goto end;

key1 = OPENSSL_hexstr2buf(hkey, &keylen);
if (key1 == NULL)
goto end;

pctx = EVP_PKEY_CTX_new(pisk, NULL);
if (EVP_PKEY_decrypt_init(pctx) <= 0
|| EVP_PKEY_decrypt(pctx, NULL, &outlen, key1, keylen) <= 0)
goto end;

kk = OPENSSL_malloc(outlen);
if (EVP_PKEY_decrypt(pctx, kk, &outlen, key1, keylen) <= 0)
goto end;

hbuf = OPENSSL_zalloc(outlen * 2 + 1);
if (!OPENSSL_buf2hexstr_ex(hbuf, outlen * 2 + 1, NULL, kk, outlen, '\0'))
goto end;
hkey = hbuf;
OPENSSL_free(kk);
#else
if (do_crypt_with_isk(cipher, enc, hkey, hiv, isk, rbio, wbio) == 1)
ret = 0;

goto end;
#endif
}

if (hkey != NULL) {
if (!set_hex(hkey, key, EVP_CIPHER_get_key_length(cipher))) {
BIO_printf(bio_err, "invalid hex key value\n");
Expand Down Expand Up @@ -696,3 +755,70 @@ static int set_hex(const char *in, unsigned char *out, int size)
}
return 1;
}

#ifdef NDEBUG
static int do_crypt_with_isk(const EVP_CIPHER *cipher, int enc,
const char *hkey, const char *hiv, const char *isk,
BIO *rbio, BIO *wbio)
{
int ok = 0, inl;
unsigned char *keybuf = NULL, *ivbuf = NULL;
long keylen, ivlen;
unsigned char inbuf[EVP_MAX_BLOCK_LENGTH];
unsigned char outbuf[EVP_MAX_BLOCK_LENGTH];
int blocksize = EVP_CIPHER_block_size(cipher);
size_t outlen;

if (hkey == NULL) {
BIO_printf(bio_err, "No hex key found\n");
goto end;
}

keybuf = OPENSSL_hexstr2buf(hkey, &keylen);
if (keybuf == NULL) {
BIO_printf(bio_err, "invalid hex key value\n");
goto end;
}

if (hiv == NULL) {
BIO_printf(bio_err, "No hex iv found\n");
goto end;
}

ivbuf = OPENSSL_hexstr2buf(hiv, &ivlen);
if (ivbuf == NULL) {
BIO_printf(bio_err, "invalid hex iv value\n");
goto end;
}

while (BIO_pending(rbio) || !BIO_eof(rbio)) {
inl = BIO_read(rbio, (char *)inbuf, blocksize);
if (inl <= 0)
break;

if (enc) {
if (TSAPI_encrypt_with_isk(EVP_CIPHER_get0_name(cipher), keybuf,
keylen, ivbuf, ivlen, isk, inbuf, inl,
outbuf, &outlen) != 1)
goto end;
} else {
if (TSAPI_decrypt_with_isk(EVP_CIPHER_get0_name(cipher), keybuf,
keylen, ivbuf, ivlen, isk, inbuf, inl,
outbuf, &outlen) != 1)
goto end;
}

if (BIO_write(wbio, (char *)outbuf, outlen) != (int)outlen) {
BIO_printf(bio_err, "error writing output file\n");
goto end;
}
}

ok = 1;
end:
OPENSSL_free(keybuf);
OPENSSL_free(ivbuf);

return ok;
}
#endif
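Review bot: In `do_crypt_with_isk` the read loop passes each chunk of at most `blocksize` bytes to `TSAPI_encrypt_with_isk`/`TSAPI_decrypt_with_isk` with the same `keybuf` and `ivbuf`, and no context argument that could carry cipher state from one call to the next. Unless TSAPI keeps that state internally (not visible on this page), every chunk is an independent operation under one key/IV pair: identical plaintext blocks would yield identical ciphertext in CBC, and counter or stream modes would reuse keystream. `BIO_read` may also return a short chunk before end of input, and `outbuf` is only `EVP_MAX_BLOCK_LENGTH` bytes with no capacity passed to the callee, so any per-call padding has to fit there. I would either buffer the whole input and make one call, or use a streaming interface that keeps chaining state across chunks, and add a comment above the loop such as `/* one TSAPI call per chunk: callee must chain the IV across calls */` if that is the intended contract.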