SMTC改进
根据GM/T 0105-2021设置参数值.
完整性验证机制采用SM2签名.
SMTC随机数获取熵后,使用扩展函数sm3_df().
rand app supports get entropy from specified source.
Rename rtc1 to rtcode, rtc2 to rtmem.
Support acquiring entropy from specified entropy source.
Improve self_test_drbg, test instantiate, reseed and generate.
Support atf-slibce engine.
Add sdf framework and few APIs.
Add sdf app.
Speed app add Keygen(SM2) and SDF(GenerateKey).
Add TSAPI.
dongbeiouba committed Jun 10, 2024
1 parent 8ad48a8 commit feae4bc
Showing 78 changed files with 6,028 additions and 761 deletions.
6 changes: 6 additions & 0 deletions Configurations/00-base-templates.conf
@@ -50,13 +50,19 @@ my %targets=(
my @defs = ( 'OPENSSL_BUILDING_OPENSSL' );
push @defs, "ZLIB" unless $disabled{zlib};
push @defs, "ZLIB_SHARED" unless $disabled{"zlib-dynamic"};

push @defs, "SDF_LIB" unless $disabled{"sdf-lib"};
push @defs, "SDF_LIB_SHARED" unless $disabled{"sdf-lib-dynamic"};
return [ @defs ];
},
includes =>
sub {
my @incs = ();
push @incs, $withargs{zlib_include}
if !$disabled{zlib} && $withargs{zlib_include};

push @incs, $withargs{sdf_include}
if !$disabled{sdf_lib} && $withargs{sdf_include};
return [ @incs ];
},
},
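Review bot: The `includes` sub tests `$disabled{sdf_lib}` (underscore), but the option is registered and tested everywhere else as `"sdf-lib"` (see `$disabled{"sdf-lib"}` in the `defines` sub above and the `@disablables` entry in Configure), so that key never exists and the guard is always true. As written, `--with-sdf-include` adds its directory to the include path even when sdf-lib is disabled; the condition should read `if !$disabled{"sdf-lib"} && $withargs{sdf_include};`. The enclosing `%targets` entry starts and ends outside this hunk.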
68 changes: 52 additions & 16 deletions Configure
@@ -271,9 +271,14 @@ $config{builddir} = abs2rel($blddir, $blddir);
# echo -n 'holy hand grenade of antioch' | openssl sha256
$config{FIPSKEY} =
'f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813';
# echo -n "Tongsuo in hand, no worries about compliance" | tongsuo sm3
$config{SMTCKEY} =
'5b3d9ad84fd72961e63f27a3d5da2bb663e2ed9c7b761b8ad6d041ebc68f5098';
$config{SMTCPASSWD} = 'Tongsuo123';
$config{SMTCPUBKEY} =
'-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAERjiZ5ubxrnOZnjhvqvuJ5UcdRI64
sBEVwF0UztQK9eYzqOsFEm0PKkCjoYkdmiZ+Und0agHk94eFKhtUYsu0bw==
-----END PUBLIC KEY-----';
$config{SMTCPUBKEY} =~ s|\n|\\n|g;


# Collect reconfiguration information if needed
my @argvcopy=@ARGV;
@@ -355,8 +360,6 @@ $config{tongsuo_prerelease} =
$config{tongsuo_version} = "$config{tongsuo_major}.$config{tongsuo_minor}.$config{tongsuo_patch}";
$config{tongsuo_full_version} = "$config{tongsuo_version}$config{tongsuo_prerelease}";

$config{tongsuo_smtc_info} = $version{TONGSUO_SMTC_INFO};

die "erroneous version information in VERSION.dat: ",
"$config{version}, $config{shlib_version}\n"
unless (defined $version{MAJOR}
@@ -404,6 +407,7 @@ my @dtls = qw(dtls1 dtls1_2);
my @disablables = (
"acvp-tests",
"afalgeng",
"atf_slibce",
"asan",
"asm",
"async",
@@ -474,6 +478,8 @@ my @disablables = (
"smtc-debug",
"scrypt",
"sctp",
"sdf-lib",
"sdf-lib-dynamic",
"secure-memory",
"shared",
"siphash",
@@ -588,8 +594,11 @@ our %disabled = ( # "what" => "comment"
"zkp-gadget" => "default",
"zkp-transcript" => "default",
"bn-method" => "default",
"smtc" => "default",
"smtc-debug" => "default",
"smtc" => "default",
"smtc-debug" => "default",
"atf_slibce" => "default",
"sdf-lib" => "default",
"sdf-lib-dynamic" => "default",
);

# Note: => pair form used for aesthetics, not to truly make a hash table
@@ -679,6 +688,7 @@ my @disable_cascades = (
# SMTC does not support ct for now
# SMTC only support builtin module for now
sub { !$disabled{"smtc"}} => [ "ct", "module" ],
"sdf-lib" => [ "sdf-lib-dynamic" ],
);

# Avoid protocol support holes. Also disable all versions below N, if version
@@ -796,7 +806,7 @@ my %cmdvars = (); # Stores FOO='blah' type arguments
my %unsupported_options = ();
my %deprecated_options = ();
# If you change this, update apps/version.c
my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtc);
my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtcode rtmem rtsock);
my @seed_sources = ();
while (@argvcopy)
{
@@ -914,6 +924,10 @@ while (@argvcopy)
{
delete $disabled{"zlib"};
}
elsif ($1 eq "sdf-lib-dynamic")
{
delete $disabled{"sdf-lib"};
}
my $algo = $1;
delete $disabled{$algo};

@@ -1011,6 +1025,18 @@ while (@argvcopy)
push @seed_sources, $x;
}
}
elsif (/^--with-atf_slibce-lib=(.*)$/)
{
$withargs{atf_slibce_lib}=$1;
}
elsif (/^--with-sdf-lib=(.*)$/)
{
$withargs{sdf_lib}=$1;
}
elsif (/^--with-sdf-include=(.*)$/)
{
$withargs{sdf_include}=$1;
}
elsif (/^--fips-key=(.*)$/)
{
$user{FIPSKEY}=lc($1);
@@ -1021,15 +1047,25 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
elsif (/^--smtc-key=(.*)$/)
elsif (/^--smtc-pubkey=(.*)$/)
{
$user{SMTCKEY}=lc($1);
die "Non-hex character in SMTC key\n"
if $user{SMTCKEY} =~ /[^a-f0-9]/;
die "SMTC key must have even number of characters\n"
if length $1 & 1;
die "SMTC key too long (64 bytes max)\n"
if length $1 > 64;
open my $fh, "<", $1 or die "Can't open $1: $!\n";
$user{SMTCPUBKEY} = do { local $/; <$fh> };
close $fh;
chomp $user{SMTCPUBKEY};
$user{SMTCPUBKEY} =~ s|\n|\\n|g;
}
elsif (/^--smtc-passwd=(.*)$/)
{
$user{SMTCPASSWD} = $1;
die "Invalid character in SMTC password (A-Z, a-z, 0-9)\n"
if $user{SMTCPASSWD} =~ /[^A-Za-z0-9]/;
die "Invalid SMTC password length (8 ~ 64 bytes)\n"
if length $1 < 8 or length $1 > 64;
}
elsif (/^--smtc-info=(.*)$/)
{
$config{tongsuo_smtc_info} = $1;
}
elsif (/^--banner=(.*)$/)
{
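Review bot: `$config{SMTCPASSWD} = 'Tongsuo123'` in the first hunk bakes a published default password into every build that does not pass `--smtc-passwd`, so all such builds share a credential anyone can read from the source. The default should be dropped and Configure should stop when SMTC is enabled without one, for example `die "--smtc-passwd is required with enable-smtc\n" if !$disabled{smtc} && !defined $user{SMTCPASSWD};` after option parsing; where `%user` is merged into `%config` is outside the visible hunks, so the exact placement needs checking. The default `SMTCPUBKEY` deserves the same scrutiny: if the matching private key is distributed as well, signature-based integrity verification only protects builds whose owner supplied `--smtc-pubkey`. Passing the password as `--smtc-passwd=...` also puts it on the command line, where it is visible in process listings and is probably kept with the saved Configure arguments (`@argvcopy`).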
3 changes: 1 addition & 2 deletions VERSION.dat
@@ -8,5 +8,4 @@ SHLIB_VERSION=3
TONGSUO_MAJOR=8
TONGSUO_MINOR=5
TONGSUO_PATCH=0
TONGSUO_PRE_RELEASE_TAG=dev
TONGSUO_SMTC_INFO=
TONGSUO_PRE_RELEASE_TAG=dev
2 changes: 1 addition & 1 deletion apps/build.info
@@ -15,7 +15,7 @@ $OPENSSLSRC=\
pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \
s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \
spkac.c verify.c version.c x509.c rehash.c storeutl.c \
list.c info.c fipsinstall.c pkcs12.c
list.c info.c fipsinstall.c pkcs12.c sdf.c
IF[{- !$disabled{'ec'} -}]
$OPENSSLSRC=$OPENSSLSRC ec.c ecparam.c
ENDIF
130 changes: 128 additions & 2 deletions apps/enc.c
@@ -20,6 +20,7 @@
#include <openssl/x509.h>
#include <openssl/rand.h>
#include <openssl/pem.h>
#include <openssl/tsapi.h>
#ifndef OPENSSL_NO_COMP
# include <openssl/comp.h>
#endif
@@ -32,6 +33,11 @@

static int set_hex(const char *in, unsigned char *out, int size);
static void show_ciphers(const OBJ_NAME *name, void *bio_);
#ifdef NDEBUG
static int do_crypt_with_isk(const EVP_CIPHER *cipher, int enc,
const char *hkey, const char *hiv, const char *isk,
BIO *rbio, BIO *wbio);
#endif

struct doall_enc_ciphers {
BIO *bio;
@@ -44,7 +50,7 @@ typedef enum OPTION_choice {
OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER,
OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER, OPT_ISK,
OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;

@@ -62,6 +68,7 @@ const OPTIONS enc_options[] = {
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
{"isk", OPT_ISK, 's', "Internal private key, possibly in a hardware device"},

OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
@@ -112,7 +119,7 @@ int enc_main(int argc, char **argv)
EVP_CIPHER *cipher = NULL;
EVP_MD *dgst = NULL;
const char *digestname = NULL;
char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p;
char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p, *isk = NULL;
char *infile = NULL, *outfile = NULL, *prog;
char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL;
const char *ciphername = NULL;
@@ -253,6 +260,9 @@ int enc_main(int argc, char **argv)
case OPT_UPPER_K:
hkey = opt_arg();
break;
case OPT_ISK:
isk = opt_arg();
break;
case OPT_UPPER_S:
hsalt = opt_arg();
break;
@@ -534,6 +544,55 @@ int enc_main(int argc, char **argv)
BIO_printf(bio_err, "iv undefined\n");
goto end;
}

if (isk != NULL) {
#ifndef NDEBUG
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *pisk = NULL;
size_t outlen;
char path[512];
BIO *bio_isk = NULL;
unsigned char *kk = NULL, *key1 = NULL;
char *hbuf = NULL;
long keylen;
snprintf(path, sizeof(path), "/tmp/.keys/%s.key", isk);

if ((bio_isk = BIO_new(BIO_s_file())) == NULL
|| BIO_read_filename(bio_isk, path) <= 0) {
BIO_printf(bio_err, "Error reading internal private key\n");
goto end;
}

pisk = PEM_read_bio_PrivateKey(bio_isk, NULL, NULL, NULL);
if (pisk == NULL)
goto end;

key1 = OPENSSL_hexstr2buf(hkey, &keylen);
if (key1 == NULL)
goto end;

pctx = EVP_PKEY_CTX_new(pisk, NULL);
if (EVP_PKEY_decrypt_init(pctx) <= 0
|| EVP_PKEY_decrypt(pctx, NULL, &outlen, key1, keylen) <= 0)
goto end;

kk = OPENSSL_malloc(outlen);
if (EVP_PKEY_decrypt(pctx, kk, &outlen, key1, keylen) <= 0)
goto end;

hbuf = OPENSSL_zalloc(outlen * 2 + 1);
if (!OPENSSL_buf2hexstr_ex(hbuf, outlen * 2 + 1, NULL, kk, outlen, '\0'))
goto end;
hkey = hbuf;
OPENSSL_free(kk);
#else
if (do_crypt_with_isk(cipher, enc, hkey, hiv, isk, rbio, wbio) == 1)
ret = 0;

goto end;
#endif
}

if (hkey != NULL) {
if (!set_hex(hkey, key, EVP_CIPHER_get_key_length(cipher))) {
BIO_printf(bio_err, "invalid hex key value\n");
@@ -696,3 +755,70 @@ static int set_hex(const char *in, unsigned char *out, int size)
}
return 1;
}

#ifdef NDEBUG
static int do_crypt_with_isk(const EVP_CIPHER *cipher, int enc,
const char *hkey, const char *hiv, const char *isk,
BIO *rbio, BIO *wbio)
{
int ok = 0, inl;
unsigned char *keybuf = NULL, *ivbuf = NULL;
long keylen, ivlen;
unsigned char inbuf[EVP_MAX_BLOCK_LENGTH];
unsigned char outbuf[EVP_MAX_BLOCK_LENGTH];
int blocksize = EVP_CIPHER_block_size(cipher);
size_t outlen;

if (hkey == NULL) {
BIO_printf(bio_err, "No hex key found\n");
goto end;
}

keybuf = OPENSSL_hexstr2buf(hkey, &keylen);
if (keybuf == NULL) {
BIO_printf(bio_err, "invalid hex key value\n");
goto end;
}

if (hiv == NULL) {
BIO_printf(bio_err, "No hex iv found\n");
goto end;
}

ivbuf = OPENSSL_hexstr2buf(hiv, &ivlen);
if (ivbuf == NULL) {
BIO_printf(bio_err, "invalid hex iv value\n");
goto end;
}

while (BIO_pending(rbio) || !BIO_eof(rbio)) {
inl = BIO_read(rbio, (char *)inbuf, blocksize);
if (inl <= 0)
break;

if (enc) {
if (TSAPI_encrypt_with_isk(EVP_CIPHER_get0_name(cipher), keybuf,
keylen, ivbuf, ivlen, isk, inbuf, inl,
outbuf, &outlen) != 1)
goto end;
} else {
if (TSAPI_decrypt_with_isk(EVP_CIPHER_get0_name(cipher), keybuf,
keylen, ivbuf, ivlen, isk, inbuf, inl,
outbuf, &outlen) != 1)
goto end;
}

if (BIO_write(wbio, (char *)outbuf, outlen) != (int)outlen) {
BIO_printf(bio_err, "error writing output file\n");
goto end;
}
}

ok = 1;
end:
OPENSSL_free(keybuf);
OPENSSL_free(ivbuf);

return ok;
}
#endif
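Review bot: The `#ifndef NDEBUG` branch of the `isk != NULL` block in enc_main can dereference NULL and leaks on every path: `hkey` is passed to `OPENSSL_hexstr2buf` without a NULL check (the release helper `do_crypt_with_isk` does check it), the results of `EVP_PKEY_CTX_new` and `OPENSSL_malloc` are used unchecked, and `pctx`, `pisk`, `bio_isk`, `key1` and, on error paths, `kk` are never freed. The unwrapped key in `kk` is released with `OPENSSL_free` rather than `OPENSSL_clear_free`, so key material stays in freed heap memory. The key file is read from `/tmp/.keys/<isk>.key`, a predictable location under a world-writable directory, and `isk` goes into the path unvalidated, so a value containing `/` can select a file outside that directory; the `snprintf` result is also not checked for truncation. The sketch below keeps the same flow with a single cleanup point; `hbuf` still has to be cleansed and freed at `end`, which lies outside this hunk, and the `/tmp/.keys` location itself would be better taken from configuration.

```c
    if (isk != NULL) {
#ifndef NDEBUG
        EVP_PKEY_CTX *pctx = NULL;
        EVP_PKEY *pisk = NULL;
        BIO *bio_isk = NULL;
        unsigned char *kk = NULL, *key1 = NULL;
        char *hbuf = NULL;
        size_t outlen = 0, kklen = 0;
        long keylen = 0;
        char path[512];
        int n, isk_ok = 0;

        /* The wrapped key comes from -K; without it there is nothing to unwrap. */
        if (hkey == NULL) {
            BIO_printf(bio_err, "No hex key found\n");
            goto end;
        }

        /* isk becomes a file name: keep it inside the key directory. */
        n = snprintf(path, sizeof(path), "/tmp/.keys/%s.key", isk);
        if (strchr(isk, '/') != NULL || n < 0 || (size_t)n >= sizeof(path)) {
            BIO_printf(bio_err, "Invalid internal private key name\n");
            goto end;
        }

        if ((bio_isk = BIO_new(BIO_s_file())) == NULL
            || BIO_read_filename(bio_isk, path) <= 0) {
            BIO_printf(bio_err, "Error reading internal private key\n");
            goto isk_done;
        }

        if ((pisk = PEM_read_bio_PrivateKey(bio_isk, NULL, NULL, NULL)) == NULL
            || (key1 = OPENSSL_hexstr2buf(hkey, &keylen)) == NULL
            || (pctx = EVP_PKEY_CTX_new(pisk, NULL)) == NULL
            || EVP_PKEY_decrypt_init(pctx) <= 0
            || EVP_PKEY_decrypt(pctx, NULL, &outlen, key1, keylen) <= 0)
            goto isk_done;

        kklen = outlen;             /* allocated size, needed for the cleanse */
        if ((kk = OPENSSL_malloc(kklen)) == NULL
            || EVP_PKEY_decrypt(pctx, kk, &outlen, key1, keylen) <= 0
            || (hbuf = OPENSSL_zalloc(outlen * 2 + 1)) == NULL
            || !OPENSSL_buf2hexstr_ex(hbuf, outlen * 2 + 1, NULL, kk, outlen, '\0'))
            goto isk_done;

        hkey = hbuf;                /* holds key hex: cleanse and free at end */
        isk_ok = 1;
 isk_done:
        OPENSSL_clear_free(kk, kklen);
        OPENSSL_free(key1);
        EVP_PKEY_CTX_free(pctx);
        EVP_PKEY_free(pisk);
        BIO_free(bio_isk);
        if (!isk_ok) {
            OPENSSL_clear_free(hbuf, outlen * 2 + 1);
            goto end;
        }
        /* … unchanged: #else branch calling do_crypt_with_isk … */
```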