add SM2 and SM3 support

.cirrus.yml

@@ -8,7 +8,7 @@ task:
     TPM2TOOLS_TCTI: "tabrmd:bus_name=com.intel.tss2.Tabrmd"
     TPM2OPENSSL_TCTI: ${TPM2TOOLS_TCTI}
     IBMSWTPM_VER: rev183-2024-08-02
-    TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
+    TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"
 
   install_packages_script: |
     pkg install -y bash wget gmake libtool pkgconf automake autoconf autoconf-archive \

.github/workflows/clang-asan-check.yml

@@ -8,7 +8,7 @@ on:
 env:
   IBMSWTPM_VER: rev183-2024-08-02
   # sha1 is not tested by default because Fedora 41+ does not support it
-  TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
+  TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"
 
 jobs:
   build:

.github/workflows/gcc-distcheck.yml

@@ -4,7 +4,7 @@ on:
 env:
   IBMSWTPM_VER: rev183-2024-08-02
   # sha1 is not tested by default because Fedora 41+ does not support it
-  TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
+  TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"
 
 jobs:
   build:

docs/CHANGELOG.md

@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 ## [1.3.0] - 2024-xx-yy
 ### Added
 - Added support for RSA-OAEP decryption.
+- Added support for SM2 curves and SM3 hashes.
 - Added Parent to textual information printed by 'openssl pkey -text'.
 ### Fixed
 - Fixed multi-threaded operation, preventing the 'Esys called in bad sequence'

src/tpm2-provider-types.c

@@ -30,6 +30,7 @@ static const hash_names_t hashes[] = {
     { "SHA512", TPM2_ALG_SHA512 },
     { "SHA-512", TPM2_ALG_SHA512 },
     { "SHA2-512", TPM2_ALG_SHA512 },
+    { "SM3", TPM2_ALG_SM3_256 },
     { NULL, TPM2_ALG_ERROR }
 };
 
@@ -126,6 +127,7 @@ static const curve_nids_t curves[] = {
     { NID_X9_62_prime256v1, TPM2_ECC_NIST_P256 },
     { NID_secp384r1, TPM2_ECC_NIST_P384 },
     { NID_secp521r1, TPM2_ECC_NIST_P521 },
+    { NID_sm2, TPM2_ECC_SM2_P256 },
     { NID_undef, TPM2_ECC_NONE }
 };
 

test/digest.sh

@@ -4,7 +4,7 @@ set -eufx
 
 echo -n "abcde12345abcde12345" > testdata
 
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
     # skip unsupported algorithms
     tpm2_getcap algorithms | grep $HASH || continue
 

test/ecdsa_genpkey_sign_rawin.sh

@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -out testkey.p
 openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
 
 # check various digests
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
     # skip unsupported algorithms
     tpm2_getcap algorithms | grep $HASH || continue
 

test/rsa_genpkey_sign_rawin.sh

@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm RSA -pkeyopt bits:1024 -out testkey.pr
 openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
 
 # check default scheme with various digests
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
     # skip unsupported algorithms
     tpm2_getcap algorithms | grep $HASH || continue
 

test/rsapss_genpkey_sign_rawin.sh

@@ -5,7 +5,7 @@ set -eufx
 echo -n "abcde12345abcde12345" > testdata
 
 # check default scheme with various digests
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
     # skip unsupported algorithms
     tpm2_getcap algorithms | grep $HASH || continue