SMTC integrates with crypto card based on atf-slibce engine;add sdf, …

…TSAPI and etc.

DRBG set reseed interval and reseed_time_interval according to GM/T 0105-2021.

Modify of the integrity verification mechanism to SM2 signature.

App rand supports getting entropy from specified source.

Rename entropy rtc1 to rtcode, rtc2 to rtmem.

Add rtsock entropy source.

Support requesting entropy from specified entropy source.

Support atf-slibce engine.

Add sdf framework and partial APIs.

Add sdf app.

App speed add keygen for SM2 and GenerateKey with SDF.

Add TSAPI, mainly includes functions such as random number,

signature verification, encryption and decryption, etc.

.github/workflows/ci.yml

@@ -209,7 +209,7 @@ jobs:
     - name: modprobe tls
       run: sudo modprobe tls
     - name: config
-      run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips enable-ntls enable-optimize-chacha-choose enable-status enable-crypto-mdebug-count enable-cert-compression enable-delegated-credential enable-bn-method --with-rand-seed=getrandom,rtc && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips enable-ntls enable-optimize-chacha-choose enable-status enable-crypto-mdebug-count enable-cert-compression enable-delegated-credential enable-bn-method --with-rand-seed=rtcode,rtmem,rtsock && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: make test
@@ -399,8 +399,11 @@ jobs:
         run: ./config enable-ntls enable-smtc enable-smtc-debug --strict-warnings && perl configdata.pm --dump
       - name: make
         run: make -s -j4
-      - name: make test
-        run: make test
+      - name: make test selected cases
+        run: |
+          make test TESTS="test_abort test_sanity test_symbol_presence test_test test_errstr test_internal_context \
+            test_internal_sm3 test_internal_sm4 test_smtc_rand_self_test test_mod test_mod_sm2 test_cli_smtc \
+            test_ntlssni test_tsapi test_sign_sm2 test_ntls"
       - name: make clean
         run: make clean
       - name: check dirty

.github/workflows/compiler-zoo.yml

@@ -76,8 +76,7 @@ jobs:
     - name: config
       run: |
         CC=${{ matrix.zoo.cc }} ./config --banner=Configured no-shared \
-            -Wall -Werror enable-ntls enable-smtc enable-smtc-debug \
-            --strict-warnings
+            -Wall -Werror enable-ntls --strict-warnings
 
     - name: config dump
       run: ./configdata.pm --dump

.github/workflows/run-checker-ci.yml

@@ -32,8 +32,6 @@ jobs:
           no-tls1_3,
           enable-trace enable-fips,
           enable-ntls,
-          enable-smtc enable-smtc-debug,
-          enable-ntls enable-smtc enable-smtc-debug,
           no-ts,
           no-ui,
         ]

.github/workflows/run-checker-daily.yml

@@ -114,8 +114,6 @@ jobs:
           enable-zlib-dynamic,
           no-zlib-dynamic,
           enable-ntls,
-          enable-smtc enable-smtc-debug,
-          enable-ntls enable-smtc enable-smtc-debug,
           enable-ec_elgamal enable-twisted_ec_elgamal,
           enable-bulletproofs,
           enable-bulletproofs enable-nizk enable-zkp-gadget enable-ec_elgamal enable-twisted_ec_elgamal,

.github/workflows/run-checker-merge.yml

@@ -27,8 +27,6 @@ jobs:
           enable-weak-ssl-ciphers,
           enable-zlib,
           enable-ntls,
-          enable-smtc enable-smtc-debug,
-          enable-ntls enable-smtc enable-smtc-debug,
         ]
     runs-on: ubuntu-latest
     steps:

CHANGES

@@ -4,6 +4,16 @@
 
  Changes between 8.4.0 and 8.5.0 [xx XXX xxxx]
 
+  *) SMTC Provider适配蚂蚁密码卡（atf_slibce）
+
+  *) 增加SDF框架和部分功能接口
+
+  *) 随机数熵源增加rtcode、rtmem和rtsock
+
+  *) speed支持测试SM2密钥对生成和SM4密钥对生成（SDF方式）
+
+  *) 增加TSAPI，支持常见密码学算法
+
   *) 修复CVE-2024-4603
 
   *) 修复CVE-2024-2511
@@ -24,8 +34,6 @@
 
   *) 修复CVE-2023-5678
 
-  *) 随机数熵源增加系统时间（RTC）方案
-
   *) 增加商用密码检测和认证Provider，包括身份认证、完整性验证、算法自测试、随机数自检、
      熵源健康测试；增加mod应用，包括生成SMTC配置、自测试功能
 

Configurations/00-base-templates.conf

@@ -50,13 +50,19 @@ my %targets=(
                 my @defs = ( 'OPENSSL_BUILDING_OPENSSL' );
                 push @defs, "ZLIB" unless $disabled{zlib};
                 push @defs, "ZLIB_SHARED" unless $disabled{"zlib-dynamic"};
+
+                push @defs, "SDF_LIB" unless $disabled{"sdf-lib"};
+                push @defs, "SDF_LIB_SHARED" unless $disabled{"sdf-lib-dynamic"};
                 return [ @defs ];
             },
         includes        =>
             sub {
                 my @incs = ();
                 push @incs, $withargs{zlib_include}
                     if !$disabled{zlib} && $withargs{zlib_include};
+
+                push @incs, $withargs{sdf_include}
+                    if !$disabled{sdf_lib} && $withargs{sdf_include};
                 return [ @incs ];
             },
     },

Configure

@@ -271,9 +271,14 @@ $config{builddir} = abs2rel($blddir, $blddir);
 # echo -n 'holy hand grenade of antioch' | openssl sha256
 $config{FIPSKEY} =
     'f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813';
-# echo -n "Tongsuo in hand, no worries about compliance" | tongsuo sm3
-$config{SMTCKEY} =
-    '5b3d9ad84fd72961e63f27a3d5da2bb663e2ed9c7b761b8ad6d041ebc68f5098';
+$config{SMTCPASSWD} = 'Tongsuo123';
+$config{SMTCPUBKEY} =
+'-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAERjiZ5ubxrnOZnjhvqvuJ5UcdRI64
+sBEVwF0UztQK9eYzqOsFEm0PKkCjoYkdmiZ+Und0agHk94eFKhtUYsu0bw==
+-----END PUBLIC KEY-----';
+$config{SMTCPUBKEY} =~ s|\n|\\n|g;
+
 
 # Collect reconfiguration information if needed
 my @argvcopy=@ARGV;
@@ -355,8 +360,6 @@ $config{tongsuo_prerelease} =
 $config{tongsuo_version} = "$config{tongsuo_major}.$config{tongsuo_minor}.$config{tongsuo_patch}";
 $config{tongsuo_full_version} = "$config{tongsuo_version}$config{tongsuo_prerelease}";
 
-$config{tongsuo_smtc_info} = $version{TONGSUO_SMTC_INFO};
-
 die "erroneous version information in VERSION.dat: ",
     "$config{version}, $config{shlib_version}\n"
     unless (defined $version{MAJOR}
@@ -404,6 +407,7 @@ my @dtls = qw(dtls1 dtls1_2);
 my @disablables = (
     "acvp-tests",
     "afalgeng",
+    "atf_slibce",
     "asan",
     "asm",
     "async",
@@ -474,6 +478,8 @@ my @disablables = (
     "smtc-debug",
     "scrypt",
     "sctp",
+    "sdf-lib",
+    "sdf-lib-dynamic",
     "secure-memory",
     "shared",
     "siphash",
@@ -588,8 +594,11 @@ our %disabled = ( # "what"         => "comment"
                   "zkp-gadget"          => "default",
                   "zkp-transcript"      => "default",
                   "bn-method"           => "default",
-                  "smtc"                 => "default",
-                  "smtc-debug"           => "default",
+                  "smtc"                => "default",
+                  "smtc-debug"          => "default",
+                  "atf_slibce"          => "default",
+                  "sdf-lib"             => "default",
+                  "sdf-lib-dynamic"     => "default",
                 );
 
 # Note: => pair form used for aesthetics, not to truly make a hash table
@@ -677,8 +686,8 @@ my @disable_cascades = (
 
     "deprecated-3.0"    => [ "engine", "srp" ],
     # SMTC does not support ct for now
-    # SMTC only support builtin module for now
-    sub { !$disabled{"smtc"}} => [ "ct", "module" ],
+    sub { !$disabled{"smtc"}} => [ "ct" ],
+    "sdf-lib"           => [ "sdf-lib-dynamic" ],
     );
 
 # Avoid protocol support holes.  Also disable all versions below N, if version
@@ -796,7 +805,7 @@ my %cmdvars = ();               # Stores FOO='blah' type arguments
 my %unsupported_options = ();
 my %deprecated_options = ();
 # If you change this, update apps/version.c
-my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtc);
+my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtcode rtmem rtsock);
 my @seed_sources = ();
 while (@argvcopy)
         {
@@ -914,6 +923,10 @@ while (@argvcopy)
                         {
                         delete $disabled{"zlib"};
                         }
+                elsif ($1 eq "sdf-lib-dynamic")
+                        {
+                        delete $disabled{"sdf-lib"};
+                        }
                 my $algo = $1;
                 delete $disabled{$algo};
 
@@ -1011,6 +1024,18 @@ while (@argvcopy)
                             push @seed_sources, $x;
                             }
                         }
+                elsif (/^--with-atf_slibce-lib=(.*)$/)
+                        {
+                        $withargs{atf_slibce_lib}=$1;
+                        }
+                elsif (/^--with-sdf-lib=(.*)$/)
+                        {
+                        $withargs{sdf_lib}=$1;
+                        }
+                elsif (/^--with-sdf-include=(.*)$/)
+                        {
+                        $withargs{sdf_include}=$1;
+                        }
                 elsif (/^--fips-key=(.*)$/)
                         {
                         $user{FIPSKEY}=lc($1);
@@ -1021,15 +1046,25 @@ while (@argvcopy)
                         die "FIPS key too long (64 bytes max)\n"
                            if length $1 > 64;
                         }
-                elsif (/^--smtc-key=(.*)$/)
+                elsif (/^--smtc-pubkey=(.*)$/)
                         {
-                        $user{SMTCKEY}=lc($1);
-                        die "Non-hex character in SMTC key\n"
-                           if $user{SMTCKEY} =~ /[^a-f0-9]/;
-                        die "SMTC key must have even number of characters\n"
-                           if length $1 & 1;
-                        die "SMTC key too long (64 bytes max)\n"
-                           if length $1 > 64;
+                        open my $fh, "<", $1 or die "Can't open $1: $!\n";
+                        $user{SMTCPUBKEY} = do { local $/; <$fh> };
+                        close $fh;
+                        chomp $user{SMTCPUBKEY};
+                        $user{SMTCPUBKEY} =~ s|\n|\\n|g;
+                        }
+                elsif (/^--smtc-passwd=(.*)$/)
+                        {
+                        $user{SMTCPASSWD} = $1;
+                        die "Invalid character in SMTC password (A-Z, a-z, 0-9)\n"
+                           if $user{SMTCPASSWD} =~ /[^A-Za-z0-9]/;
+                        die "Invalid SMTC password length (8 ~ 64 bytes)\n"
+                           if length $1 < 8 or length $1 > 64;
+                        }
+                elsif (/^--smtc-info=(.*)$/)
+                        {
+                        $config{tongsuo_smtc_info} = $1;
                         }
                 elsif (/^--banner=(.*)$/)
                         {

VERSION.dat

@@ -8,5 +8,4 @@ SHLIB_VERSION=3
 TONGSUO_MAJOR=8
 TONGSUO_MINOR=5
 TONGSUO_PATCH=0
-TONGSUO_PRE_RELEASE_TAG=dev
-TONGSUO_SMTC_INFO=
+TONGSUO_PRE_RELEASE_TAG=dev

apps/build.info

@@ -75,6 +75,10 @@ IF[{- !$disabled{'sm2_threshold'} -}]
   $OPENSSLSRC=$OPENSSLSRC sm2_threshold.c
 ENDIF
 
+IF[{- !$disabled{'sdf-lib'} -}]
+  $OPENSSLSRC=$OPENSSLSRC sdf.c
+ENDIF
+
 IF[{- !$disabled{apps} -}]
   PROGRAMS=openssl
   SOURCE[openssl]=$INITSRC $OPENSSLSRC