Merge pull request #640 from dongbeiouba/improve/smtc

SMTC integrates with atf-slibce engine,add sdf,TSAPI and etc

.github/workflows/ci.yml

@@ -209,7 +209,7 @@ jobs:
     - name: modprobe tls
       run: sudo modprobe tls
     - name: config
-      run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips enable-ntls enable-optimize-chacha-choose enable-status enable-crypto-mdebug-count enable-cert-compression enable-delegated-credential enable-bn-method --with-rand-seed=getrandom,rtc && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips enable-ntls enable-optimize-chacha-choose enable-status enable-crypto-mdebug-count enable-cert-compression enable-delegated-credential enable-bn-method --with-rand-seed=rtcode,rtmem,rtsock && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: make test
@@ -399,8 +399,11 @@ jobs:
         run: ./config enable-ntls enable-smtc enable-smtc-debug --strict-warnings && perl configdata.pm --dump
       - name: make
         run: make -s -j4
-      - name: make test
-        run: make test
+      - name: make test selected cases
+        run: |
+          make test TESTS="test_abort test_sanity test_symbol_presence test_test test_errstr test_internal_context \
+            test_internal_sm3 test_internal_sm4 test_smtc_rand_self_test test_mod test_mod_sm2 test_cli_smtc \
+            test_ntlssni test_tsapi test_sign_sm2 test_ntls"
       - name: make clean
         run: make clean
       - name: check dirty

.github/workflows/compiler-zoo.yml

@@ -76,8 +76,7 @@ jobs:
     - name: config
       run: |
         CC=${{ matrix.zoo.cc }} ./config --banner=Configured no-shared \
-            -Wall -Werror enable-ntls enable-smtc enable-smtc-debug \
-            --strict-warnings
+            -Wall -Werror enable-ntls --strict-warnings
 
     - name: config dump
       run: ./configdata.pm --dump

.github/workflows/run-checker-ci.yml

@@ -32,8 +32,6 @@ jobs:
           no-tls1_3,
           enable-trace enable-fips,
           enable-ntls,
-          enable-smtc enable-smtc-debug,
-          enable-ntls enable-smtc enable-smtc-debug,
           no-ts,
           no-ui,
         ]

.github/workflows/run-checker-daily.yml

@@ -114,8 +114,6 @@ jobs:
           enable-zlib-dynamic,
           no-zlib-dynamic,
           enable-ntls,
-          enable-smtc enable-smtc-debug,
-          enable-ntls enable-smtc enable-smtc-debug,
           enable-ec_elgamal enable-twisted_ec_elgamal,
           enable-bulletproofs,
           enable-bulletproofs enable-nizk enable-zkp-gadget enable-ec_elgamal enable-twisted_ec_elgamal,

.github/workflows/run-checker-merge.yml

@@ -27,8 +27,6 @@ jobs:
           enable-weak-ssl-ciphers,
           enable-zlib,
           enable-ntls,
-          enable-smtc enable-smtc-debug,
-          enable-ntls enable-smtc enable-smtc-debug,
         ]
     runs-on: ubuntu-latest
     steps:

CHANGES

@@ -4,6 +4,16 @@
 
  Changes between 8.4.0 and 8.5.0 [xx XXX xxxx]
 
+  *) SMTC Provider适配蚂蚁密码卡（atf_slibce）
+
+  *) 增加SDF框架和部分功能接口
+
+  *) 随机数熵源增加rtcode、rtmem和rtsock
+
+  *) speed支持测试SM2密钥对生成和SM4密钥对生成（SDF方式）
+
+  *) 增加TSAPI，支持常见密码学算法
+
   *) 修复CVE-2024-5535
 
   *) 修复CVE-2024-4741
@@ -28,8 +38,6 @@
 
   *) 修复CVE-2023-5678
 
-  *) 随机数熵源增加系统时间（RTC）方案
-
   *) 增加商用密码检测和认证Provider，包括身份认证、完整性验证、算法自测试、随机数自检、
      熵源健康测试；增加mod应用，包括生成SMTC配置、自测试功能
 

Configurations/00-base-templates.conf

@@ -50,13 +50,19 @@ my %targets=(
                 my @defs = ( 'OPENSSL_BUILDING_OPENSSL' );
                 push @defs, "ZLIB" unless $disabled{zlib};
                 push @defs, "ZLIB_SHARED" unless $disabled{"zlib-dynamic"};
+
+                push @defs, "SDF_LIB" unless $disabled{"sdf-lib"};
+                push @defs, "SDF_LIB_SHARED" unless $disabled{"sdf-lib-dynamic"};
                 return [ @defs ];
             },
         includes        =>
             sub {
                 my @incs = ();
                 push @incs, $withargs{zlib_include}
                     if !$disabled{zlib} && $withargs{zlib_include};
+
+                push @incs, $withargs{sdf_include}
+                    if !$disabled{sdf_lib} && $withargs{sdf_include};
                 return [ @incs ];
             },
     },

Configure

@@ -271,9 +271,14 @@ $config{builddir} = abs2rel($blddir, $blddir);
 # echo -n 'holy hand grenade of antioch' | openssl sha256
 $config{FIPSKEY} =
     'f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813';
-# echo -n "Tongsuo in hand, no worries about compliance" | tongsuo sm3
-$config{SMTCKEY} =
-    '5b3d9ad84fd72961e63f27a3d5da2bb663e2ed9c7b761b8ad6d041ebc68f5098';
+$config{SMTCPASSWD} = 'Tongsuo123';
+$config{SMTCPUBKEY} =
+'-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAERjiZ5ubxrnOZnjhvqvuJ5UcdRI64
+sBEVwF0UztQK9eYzqOsFEm0PKkCjoYkdmiZ+Und0agHk94eFKhtUYsu0bw==
+-----END PUBLIC KEY-----';
+$config{SMTCPUBKEY} =~ s|\n|\\n|g;
+
 
 # Collect reconfiguration information if needed
 my @argvcopy=@ARGV;
@@ -355,8 +360,6 @@ $config{tongsuo_prerelease} =
 $config{tongsuo_version} = "$config{tongsuo_major}.$config{tongsuo_minor}.$config{tongsuo_patch}";
 $config{tongsuo_full_version} = "$config{tongsuo_version}$config{tongsuo_prerelease}";
 
-$config{tongsuo_smtc_info} = $version{TONGSUO_SMTC_INFO};
-
 die "erroneous version information in VERSION.dat: ",
     "$config{version}, $config{shlib_version}\n"
     unless (defined $version{MAJOR}
@@ -404,6 +407,7 @@ my @dtls = qw(dtls1 dtls1_2);
 my @disablables = (
     "acvp-tests",
     "afalgeng",
+    "atf_slibce",
     "asan",
     "asm",
     "async",
@@ -474,6 +478,8 @@ my @disablables = (
     "smtc-debug",
     "scrypt",
     "sctp",
+    "sdf-lib",
+    "sdf-lib-dynamic",
     "secure-memory",
     "shared",
     "siphash",
@@ -605,6 +611,9 @@ our %disabled = ( # "what"         => "comment"
                   "ripemd"              => "default", # RIPEMD has been removed
                   "seed"                => "default", # SEED has been removed
                   "whirlpool"           => "default", # Whirlpool has been removed
+                  "atf_slibce"          => "default",
+                  "sdf-lib"             => "default",
+                  "sdf-lib-dynamic"     => "default",
                 );
 
 # Note: => pair form used for aesthetics, not to truly make a hash table
@@ -692,8 +701,8 @@ my @disable_cascades = (
 
     "deprecated-3.0"    => [ "engine", "srp" ],
     # SMTC does not support ct for now
-    # SMTC only support builtin module for now
-    sub { !$disabled{"smtc"}} => [ "ct", "module" ],
+    sub { !$disabled{"smtc"}} => [ "ct" ],
+    "sdf-lib"           => [ "sdf-lib-dynamic" ],
     );
 
 # Avoid protocol support holes.  Also disable all versions below N, if version
@@ -811,7 +820,7 @@ my %cmdvars = ();               # Stores FOO='blah' type arguments
 my %unsupported_options = ();
 my %deprecated_options = ();
 # If you change this, update apps/version.c
-my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtc);
+my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtcode rtmem rtsock);
 my @seed_sources = ();
 while (@argvcopy)
         {
@@ -929,6 +938,10 @@ while (@argvcopy)
                         {
                         delete $disabled{"zlib"};
                         }
+                elsif ($1 eq "sdf-lib-dynamic")
+                        {
+                        delete $disabled{"sdf-lib"};
+                        }
                 my $algo = $1;
                 delete $disabled{$algo};
 
@@ -1026,6 +1039,18 @@ while (@argvcopy)
                             push @seed_sources, $x;
                             }
                         }
+                elsif (/^--with-atf_slibce-lib=(.*)$/)
+                        {
+                        $withargs{atf_slibce_lib}=$1;
+                        }
+                elsif (/^--with-sdf-lib=(.*)$/)
+                        {
+                        $withargs{sdf_lib}=$1;
+                        }
+                elsif (/^--with-sdf-include=(.*)$/)
+                        {
+                        $withargs{sdf_include}=$1;
+                        }
                 elsif (/^--fips-key=(.*)$/)
                         {
                         $user{FIPSKEY}=lc($1);
@@ -1036,15 +1061,25 @@ while (@argvcopy)
                         die "FIPS key too long (64 bytes max)\n"
                            if length $1 > 64;
                         }
-                elsif (/^--smtc-key=(.*)$/)
+                elsif (/^--smtc-pubkey=(.*)$/)
                         {
-                        $user{SMTCKEY}=lc($1);
-                        die "Non-hex character in SMTC key\n"
-                           if $user{SMTCKEY} =~ /[^a-f0-9]/;
-                        die "SMTC key must have even number of characters\n"
-                           if length $1 & 1;
-                        die "SMTC key too long (64 bytes max)\n"
-                           if length $1 > 64;
+                        open my $fh, "<", $1 or die "Can't open $1: $!\n";
+                        $user{SMTCPUBKEY} = do { local $/; <$fh> };
+                        close $fh;
+                        chomp $user{SMTCPUBKEY};
+                        $user{SMTCPUBKEY} =~ s|\n|\\n|g;
+                        }
+                elsif (/^--smtc-passwd=(.*)$/)
+                        {
+                        $user{SMTCPASSWD} = $1;
+                        die "Invalid character in SMTC password (A-Z, a-z, 0-9)\n"
+                           if $user{SMTCPASSWD} =~ /[^A-Za-z0-9]/;
+                        die "Invalid SMTC password length (8 ~ 64 bytes)\n"
+                           if length $1 < 8 or length $1 > 64;
+                        }
+                elsif (/^--smtc-info=(.*)$/)
+                        {
+                        $config{tongsuo_smtc_info} = $1;
                         }
                 elsif (/^--banner=(.*)$/)
                         {

VERSION.dat

@@ -8,5 +8,4 @@ SHLIB_VERSION=3
 TONGSUO_MAJOR=8
 TONGSUO_MINOR=5
 TONGSUO_PATCH=0
-TONGSUO_PRE_RELEASE_TAG=dev
-TONGSUO_SMTC_INFO=
+TONGSUO_PRE_RELEASE_TAG=dev

apps/build.info

@@ -75,6 +75,10 @@ IF[{- !$disabled{'sm2_threshold'} -}]
   $OPENSSLSRC=$OPENSSLSRC sm2_threshold.c
 ENDIF
 
+IF[{- !$disabled{'sdf-lib'} -}]
+  $OPENSSLSRC=$OPENSSLSRC sdf.c
+ENDIF
+
 IF[{- !$disabled{apps} -}]
   PROGRAMS=openssl
   SOURCE[openssl]=$INITSRC $OPENSSLSRC