SMTC integrates with crypto card based on atf-slibce engine;add sdf, …

…TSAPI and etc.

DRBG set reseed interval and reseed_time_interval according to GM/T 0105-2021.

Modify of the integrity verification mechanism to SM2 signature.

App rand supports getting entropy from specified source.

Rename entropy rtc1 to rtcode, rtc2 to rtmem.

Add rtsock entropy source.

Support requesting entropy from specified entropy source.

Support atf-slibce engine.

Add sdf framework and partial APIs.

Add sdf app.

App speed add keygen for SM2 and GenerateKey with SDF.

Add TSAPI, mainly includes functions such as random number,

signature verification, encryption and decryption, etc.

.github/workflows/ci.yml

@@ -209,7 +209,7 @@ jobs:
     - name: modprobe tls
       run: sudo modprobe tls
     - name: config
-      run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips enable-ntls enable-optimize-chacha-choose enable-status enable-crypto-mdebug-count enable-cert-compression enable-delegated-credential enable-bn-method --with-rand-seed=getrandom,rtc && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips enable-ntls enable-optimize-chacha-choose enable-status enable-crypto-mdebug-count enable-cert-compression enable-delegated-credential enable-bn-method --with-rand-seed=rtcode,rtmem,rtsock && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: make test

.github/workflows/compiler-zoo.yml

@@ -76,8 +76,7 @@ jobs:
     - name: config
       run: |
         CC=${{ matrix.zoo.cc }} ./config --banner=Configured no-shared \
-            -Wall -Werror enable-ntls enable-smtc enable-smtc-debug \
-            --strict-warnings
+            -Wall -Werror enable-ntls --strict-warnings
 
     - name: config dump
       run: ./configdata.pm --dump

.github/workflows/run-checker-ci.yml

@@ -32,8 +32,6 @@ jobs:
           no-tls1_3,
           enable-trace enable-fips,
           enable-ntls,
-          enable-smtc enable-smtc-debug,
-          enable-ntls enable-smtc enable-smtc-debug,
           no-ts,
           no-ui,
         ]

.github/workflows/run-checker-daily.yml

@@ -114,8 +114,6 @@ jobs:
           enable-zlib-dynamic,
           no-zlib-dynamic,
           enable-ntls,
-          enable-smtc enable-smtc-debug,
-          enable-ntls enable-smtc enable-smtc-debug,
           enable-ec_elgamal enable-twisted_ec_elgamal,
           enable-bulletproofs,
           enable-bulletproofs enable-nizk enable-zkp-gadget enable-ec_elgamal enable-twisted_ec_elgamal,

.github/workflows/run-checker-merge.yml

@@ -27,8 +27,6 @@ jobs:
           enable-weak-ssl-ciphers,
           enable-zlib,
           enable-ntls,
-          enable-smtc enable-smtc-debug,
-          enable-ntls enable-smtc enable-smtc-debug,
         ]
     runs-on: ubuntu-latest
     steps:

Configurations/00-base-templates.conf

@@ -50,13 +50,19 @@ my %targets=(
                 my @defs = ( 'OPENSSL_BUILDING_OPENSSL' );
                 push @defs, "ZLIB" unless $disabled{zlib};
                 push @defs, "ZLIB_SHARED" unless $disabled{"zlib-dynamic"};
+
+                push @defs, "SDF_LIB" unless $disabled{"sdf-lib"};
+                push @defs, "SDF_LIB_SHARED" unless $disabled{"sdf-lib-dynamic"};
                 return [ @defs ];
             },
         includes        =>
             sub {
                 my @incs = ();
                 push @incs, $withargs{zlib_include}
                     if !$disabled{zlib} && $withargs{zlib_include};
+
+                push @incs, $withargs{sdf_include}
+                    if !$disabled{sdf_lib} && $withargs{sdf_include};
                 return [ @incs ];
             },
     },

Configure

@@ -271,9 +271,14 @@ $config{builddir} = abs2rel($blddir, $blddir);
 # echo -n 'holy hand grenade of antioch' | openssl sha256
 $config{FIPSKEY} =
     'f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813';
-# echo -n "Tongsuo in hand, no worries about compliance" | tongsuo sm3
-$config{SMTCKEY} =
-    '5b3d9ad84fd72961e63f27a3d5da2bb663e2ed9c7b761b8ad6d041ebc68f5098';
+$config{SMTCPASSWD} = 'Tongsuo123';
+$config{SMTCPUBKEY} =
+'-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAERjiZ5ubxrnOZnjhvqvuJ5UcdRI64
+sBEVwF0UztQK9eYzqOsFEm0PKkCjoYkdmiZ+Und0agHk94eFKhtUYsu0bw==
+-----END PUBLIC KEY-----';
+$config{SMTCPUBKEY} =~ s|\n|\\n|g;
+
 
 # Collect reconfiguration information if needed
 my @argvcopy=@ARGV;
@@ -355,8 +360,6 @@ $config{tongsuo_prerelease} =
 $config{tongsuo_version} = "$config{tongsuo_major}.$config{tongsuo_minor}.$config{tongsuo_patch}";
 $config{tongsuo_full_version} = "$config{tongsuo_version}$config{tongsuo_prerelease}";
 
-$config{tongsuo_smtc_info} = $version{TONGSUO_SMTC_INFO};
-
 die "erroneous version information in VERSION.dat: ",
     "$config{version}, $config{shlib_version}\n"
     unless (defined $version{MAJOR}
@@ -404,6 +407,7 @@ my @dtls = qw(dtls1 dtls1_2);
 my @disablables = (
     "acvp-tests",
     "afalgeng",
+    "atf_slibce",
     "asan",
     "asm",
     "async",
@@ -474,6 +478,8 @@ my @disablables = (
     "smtc-debug",
     "scrypt",
     "sctp",
+    "sdf-lib",
+    "sdf-lib-dynamic",
     "secure-memory",
     "shared",
     "siphash",
@@ -588,8 +594,11 @@ our %disabled = ( # "what"         => "comment"
                   "zkp-gadget"          => "default",
                   "zkp-transcript"      => "default",
                   "bn-method"           => "default",
-                  "smtc"                 => "default",
-                  "smtc-debug"           => "default",
+                  "smtc"                => "default",
+                  "smtc-debug"          => "default",
+                  "atf_slibce"          => "default",
+                  "sdf-lib"             => "default",
+                  "sdf-lib-dynamic"     => "default",
                 );
 
 # Note: => pair form used for aesthetics, not to truly make a hash table
@@ -679,6 +688,7 @@ my @disable_cascades = (
     # SMTC does not support ct for now
     # SMTC only support builtin module for now
     sub { !$disabled{"smtc"}} => [ "ct", "module" ],
+    "sdf-lib"           => [ "sdf-lib-dynamic" ],
     );
 
 # Avoid protocol support holes.  Also disable all versions below N, if version
@@ -796,7 +806,7 @@ my %cmdvars = ();               # Stores FOO='blah' type arguments
 my %unsupported_options = ();
 my %deprecated_options = ();
 # If you change this, update apps/version.c
-my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtc);
+my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtcode rtmem rtsock);
 my @seed_sources = ();
 while (@argvcopy)
         {
@@ -914,6 +924,10 @@ while (@argvcopy)
                         {
                         delete $disabled{"zlib"};
                         }
+                elsif ($1 eq "sdf-lib-dynamic")
+                        {
+                        delete $disabled{"sdf-lib"};
+                        }
                 my $algo = $1;
                 delete $disabled{$algo};
 
@@ -1011,6 +1025,18 @@ while (@argvcopy)
                             push @seed_sources, $x;
                             }
                         }
+                elsif (/^--with-atf_slibce-lib=(.*)$/)
+                        {
+                        $withargs{atf_slibce_lib}=$1;
+                        }
+                elsif (/^--with-sdf-lib=(.*)$/)
+                        {
+                        $withargs{sdf_lib}=$1;
+                        }
+                elsif (/^--with-sdf-include=(.*)$/)
+                        {
+                        $withargs{sdf_include}=$1;
+                        }
                 elsif (/^--fips-key=(.*)$/)
                         {
                         $user{FIPSKEY}=lc($1);
@@ -1021,15 +1047,25 @@ while (@argvcopy)
                         die "FIPS key too long (64 bytes max)\n"
                            if length $1 > 64;
                         }
-                elsif (/^--smtc-key=(.*)$/)
+                elsif (/^--smtc-pubkey=(.*)$/)
                         {
-                        $user{SMTCKEY}=lc($1);
-                        die "Non-hex character in SMTC key\n"
-                           if $user{SMTCKEY} =~ /[^a-f0-9]/;
-                        die "SMTC key must have even number of characters\n"
-                           if length $1 & 1;
-                        die "SMTC key too long (64 bytes max)\n"
-                           if length $1 > 64;
+                        open my $fh, "<", $1 or die "Can't open $1: $!\n";
+                        $user{SMTCPUBKEY} = do { local $/; <$fh> };
+                        close $fh;
+                        chomp $user{SMTCPUBKEY};
+                        $user{SMTCPUBKEY} =~ s|\n|\\n|g;
+                        }
+                elsif (/^--smtc-passwd=(.*)$/)
+                        {
+                        $user{SMTCPASSWD} = $1;
+                        die "Invalid character in SMTC password (A-Z, a-z, 0-9)\n"
+                           if $user{SMTCPASSWD} =~ /[^A-Za-z0-9]/;
+                        die "Invalid SMTC password length (8 ~ 64 bytes)\n"
+                           if length $1 < 8 or length $1 > 64;
+                        }
+                elsif (/^--smtc-info=(.*)$/)
+                        {
+                        $config{tongsuo_smtc_info} = $1;
                         }
                 elsif (/^--banner=(.*)$/)
                         {

VERSION.dat

@@ -8,5 +8,4 @@ SHLIB_VERSION=3
 TONGSUO_MAJOR=8
 TONGSUO_MINOR=5
 TONGSUO_PATCH=0
-TONGSUO_PRE_RELEASE_TAG=dev
-TONGSUO_SMTC_INFO=
+TONGSUO_PRE_RELEASE_TAG=dev

apps/build.info

@@ -85,6 +85,10 @@ IF[{- !$disabled{apps} -}]
     DEFINE[openssl]=SMTC_MODULE
   ENDIF
 
+  IF[{- !$disabled{'sdf_lib'} -}]
+    $OPENSSLSRC=$OPENSSLSRC sdf.c
+  ENDIF
+
   # The nocheck attribute is picked up by progs.pl as a signal not to look
   # at that file; some systems may have locked it as the output file, and
   # therefore don't allow it to be read at the same time, making progs.pl

apps/enc.c

@@ -534,6 +534,7 @@ int enc_main(int argc, char **argv)
             BIO_printf(bio_err, "iv undefined\n");
             goto end;
         }
+
         if (hkey != NULL) {
             if (!set_hex(hkey, key, EVP_CIPHER_get_key_length(cipher))) {
                 BIO_printf(bio_err, "invalid hex key value\n");