Skip to content

Commit

Permalink
add SM2 and SM3 support
Browse files Browse the repository at this point in the history
  • Loading branch information
gotthardp committed Dec 15, 2024
1 parent ac3f5c9 commit 211279b
Show file tree
Hide file tree
Showing 9 changed files with 14 additions and 8 deletions.
3 changes: 2 additions & 1 deletion .cirrus.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ task:
TPM2TOOLS_TCTI: "tabrmd:bus_name=com.intel.tss2.Tabrmd"
TPM2OPENSSL_TCTI: ${TPM2TOOLS_TCTI}
IBMSWTPM_VER: rev183-2024-08-02
TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"

install_packages_script: |
pkg install -y bash wget gmake libtool pkgconf automake autoconf autoconf-archive \
Expand All @@ -25,6 +25,7 @@ task:
wget --no-verbose https://github.com/kgoldman/ibmswtpm2/archive/refs/tags/$IBMSWTPM_VER.tar.gz
tar xfz rev183-2024-08-02.tar.gz
cd ibmswtpm2-$IBMSWTPM_VER/src
sed -i '' -e 's/-DTPM_NUVOTON/-DTPM_NUVOTON -DALG_SM3_256=1/g' makefile
sed -i '' -e 's/gcc/clang/g' makefile
sed -i '' -e 's/-Wall //g' makefile
sed -i '' -e 's/-Werror //g' makefile
Expand Down
5 changes: 3 additions & 2 deletions .github/workflows/clang-asan-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ on:
env:
IBMSWTPM_VER: rev183-2024-08-02
# sha1 is not tested by default because Fedora 41+ does not support it
TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"

jobs:
build:
Expand All @@ -26,6 +26,7 @@ jobs:
run: |
curl -Ls https://github.com/kgoldman/ibmswtpm2/archive/refs/tags/$IBMSWTPM_VER.tar.gz | tar xz
cd ibmswtpm2-$IBMSWTPM_VER/src
sed -i 's/#define ALG_SM3_256.*/#define ALG_SM3_256 ALG_YES/' TpmProfile.h
make
- name: Build openssl
Expand All @@ -40,7 +41,7 @@ jobs:
no-filenames no-fips no-fips-securitychecks no-gost no-idea \
no-ktls no-makedepend no-md4 no-multiblock \
no-ocb no-poly1305 no-psk no-rc2 no-rc4 no-rfc3779 \
no-rmd160 no-seed no-siphash no-siv no-sm3 no-sm4 \
no-rmd160 no-seed no-siphash no-siv no-sm4 \
no-srtp no-ssl3-method no-tests no-ts no-whirlpool
make build_sw
sudo make install_sw install_ssldirs
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/gcc-distcheck.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ on:
env:
IBMSWTPM_VER: rev183-2024-08-02
# sha1 is not tested by default because Fedora 41+ does not support it
TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"

jobs:
build:
Expand All @@ -19,6 +19,7 @@ jobs:
run: |
curl -Ls https://github.com/kgoldman/ibmswtpm2/archive/refs/tags/$IBMSWTPM_VER.tar.gz | tar xz
cd ibmswtpm2-$IBMSWTPM_VER/src
sed -i 's/#define ALG_SM3_256.*/#define ALG_SM3_256 ALG_YES/' TpmProfile.h
make
- name: Configure tpm2-openssl
Expand Down
1 change: 1 addition & 0 deletions docs/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
## [1.3.0] - 2024-xx-yy
### Added
- Added support for RSA-OAEP decryption.
- Added support for SM2 curves and SM3 hashes.
- Added Parent to textual information printed by 'openssl pkey -text'.
### Fixed
- Fixed multi-threaded operation, preventing the 'Esys called in bad sequence'
Expand Down
2 changes: 2 additions & 0 deletions src/tpm2-provider-types.c
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ static const hash_names_t hashes[] = {
{ "SHA512", TPM2_ALG_SHA512 },
{ "SHA-512", TPM2_ALG_SHA512 },
{ "SHA2-512", TPM2_ALG_SHA512 },
{ "SM3", TPM2_ALG_SM3_256 },
{ NULL, TPM2_ALG_ERROR }
};

Expand Down Expand Up @@ -126,6 +127,7 @@ static const curve_nids_t curves[] = {
{ NID_X9_62_prime256v1, TPM2_ECC_NIST_P256 },
{ NID_secp384r1, TPM2_ECC_NIST_P384 },
{ NID_secp521r1, TPM2_ECC_NIST_P521 },
{ NID_sm2, TPM2_ECC_SM2_P256 },
{ NID_undef, TPM2_ECC_NONE }
};

Expand Down
2 changes: 1 addition & 1 deletion test/digest.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ set -eufx

echo -n "abcde12345abcde12345" > testdata

for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
# skip unsupported algorithms
tpm2_getcap algorithms | grep $HASH || continue

Expand Down
2 changes: 1 addition & 1 deletion test/ecdsa_genpkey_sign_rawin.sh
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -out testkey.p
openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub

# check various digests
for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
# skip unsupported algorithms
tpm2_getcap algorithms | grep $HASH || continue

Expand Down
2 changes: 1 addition & 1 deletion test/rsa_genpkey_sign_rawin.sh
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm RSA -pkeyopt bits:1024 -out testkey.pr
openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub

# check default scheme with various digests
for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
# skip unsupported algorithms
tpm2_getcap algorithms | grep $HASH || continue

Expand Down
2 changes: 1 addition & 1 deletion test/rsapss_genpkey_sign_rawin.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ set -eufx
echo -n "abcde12345abcde12345" > testdata

# check default scheme with various digests
for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
# skip unsupported algorithms
tpm2_getcap algorithms | grep $HASH || continue

Expand Down

0 comments on commit 211279b

Please sign in to comment.