From 94559723f692bf31e8901d90b80f49565463a3d5 Mon Sep 17 00:00:00 2001
From: Petr Gotthard
Date: Sun, 15 Dec 2024 14:45:53 +0100
Subject: [PATCH] add SM2 and SM3 support
---
 .cirrus.yml | 2 +-
 .github/workflows/clang-asan-check.yml | 2 +-
 .github/workflows/gcc-distcheck.yml | 2 +-
 docs/CHANGELOG.md | 1 +
 src/tpm2-provider-types.c | 2 ++
 test/digest.sh | 2 +-
 test/ecdsa_genpkey_sign_rawin.sh | 2 +-
 test/rsa_genpkey_sign_rawin.sh | 2 +-
 test/rsapss_genpkey_sign_rawin.sh | 2 +-
 9 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/.cirrus.yml b/.cirrus.yml
index 197a379..8b8c380 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -8,7 +8,7 @@ task:
 TPM2TOOLS_TCTI: "tabrmd:bus_name=com.intel.tss2.Tabrmd"
 TPM2OPENSSL_TCTI: ${TPM2TOOLS_TCTI}
 IBMSWTPM_VER: rev183-2024-08-02
- TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
+ TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"
 install_packages_script: |
 pkg install -y bash wget gmake libtool pkgconf automake autoconf autoconf-archive \
diff --git a/.github/workflows/clang-asan-check.yml b/.github/workflows/clang-asan-check.yml
index 33d4b50..6e3196e 100644
--- a/.github/workflows/clang-asan-check.yml
+++ b/.github/workflows/clang-asan-check.yml
@@ -8,7 +8,7 @@ on:
 env:
 IBMSWTPM_VER: rev183-2024-08-02
 # sha1 is not tested by default because Fedora 41+ does not support it
- TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
+ TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"
 jobs:
 build:
diff --git a/.github/workflows/gcc-distcheck.yml b/.github/workflows/gcc-distcheck.yml
index 4ede0c6..51f3759 100644
--- a/.github/workflows/gcc-distcheck.yml
+++ b/.github/workflows/gcc-distcheck.yml
@@ -4,7 +4,7 @@ on:
 env:
 IBMSWTPM_VER: rev183-2024-08-02
 # sha1 is not tested by default because Fedora 41+ does not support it
- TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
+ TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"
 jobs:
 build:
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 98f3e88..0450e05 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 ## [1.3.0] - 2024-xx-yy
 ### Added
 - Added support for RSA-OAEP decryption.
+- Added support for SM2 curves and SM3 hashes.
 - Added Parent to textual information printed by 'openssl pkey -text'.
 ### Fixed
 - Fixed multi-threaded operation, preventing the 'Esys called in bad sequence'
diff --git a/src/tpm2-provider-types.c b/src/tpm2-provider-types.c
index 22d0e3e..5000c7c 100644
--- a/src/tpm2-provider-types.c
+++ b/src/tpm2-provider-types.c
@@ -30,6 +30,7 @@ static const hash_names_t hashes[] = {
 { "SHA512", TPM2_ALG_SHA512 },
 { "SHA-512", TPM2_ALG_SHA512 },
 { "SHA2-512", TPM2_ALG_SHA512 },
+ { "SM3", TPM2_ALG_SM3_256 },
 { NULL, TPM2_ALG_ERROR }
 };
@@ -126,6 +127,7 @@ static const curve_nids_t curves[] = {
 { NID_X9_62_prime256v1, TPM2_ECC_NIST_P256 },
 { NID_secp384r1, TPM2_ECC_NIST_P384 },
 { NID_secp521r1, TPM2_ECC_NIST_P521 },
+ { NID_sm2, TPM2_ECC_SM2_P256 },
 { NID_undef, TPM2_ECC_NONE }
 };
diff --git a/test/digest.sh b/test/digest.sh
index 9d5a26b..13bd52d 100755
--- a/test/digest.sh
+++ b/test/digest.sh
@@ -4,7 +4,7 @@ set -eufx
 echo -n "abcde12345abcde12345" > testdata
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
 # skip unsupported algorithms
 tpm2_getcap algorithms | grep $HASH || continue
diff --git a/test/ecdsa_genpkey_sign_rawin.sh b/test/ecdsa_genpkey_sign_rawin.sh
index 7266049..cb5602c 100755
--- a/test/ecdsa_genpkey_sign_rawin.sh
+++ b/test/ecdsa_genpkey_sign_rawin.sh
@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -out testkey.p
 openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
 # check various digests
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
 # skip unsupported algorithms
 tpm2_getcap algorithms | grep $HASH || continue
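Review bot: In src/tpm2-provider-types.c, the `{ NID_sm2, TPM2_ECC_SM2_P256 }` entry added to `curves[]` is not covered by any test in this patch: the script changes only extend the digest list, and test/ecdsa_genpkey_sign_rawin.sh still creates its key with `group:P-256`. The SM2 curve is normally paired with the SM2 signature scheme rather than ECDSA, and nothing visible here shows which TPM signing scheme the provider selects for a key on this curve. A test that generates a key on the SM2 group (a variant of the existing genpkey line with the SM2 group in place of `group:P-256`), signs with it, and verifies the signature outside the TPM would confirm the mapping behaves as intended. The `curves[]` initializer begins outside the hunk.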
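Review bot: In test/digest.sh, adding `sm3` to the default list does not guarantee that SM3 is ever exercised, because the guard `tpm2_getcap algorithms | grep $HASH || continue` skips any hash the TPM does not report and the script still exits successfully; the same guard follows the changed line in test/ecdsa_genpkey_sign_rawin.sh, test/rsa_genpkey_sign_rawin.sh and test/rsapss_genpkey_sign_rawin.sh. If the simulator used in CI does not advertise SM3, the new algorithm mapping would ship untested while CI stays green. Reporting the skip, for example `tpm2_getcap algorithms | grep -q "$HASH" || { echo "SKIP $HASH: not reported by TPM"; continue; }`, makes the gap visible in the log, and a CI job could fail when a hash named in TPM2_TEST_HASHES is skipped. The loop body continues outside the hunk.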
diff --git a/test/rsa_genpkey_sign_rawin.sh b/test/rsa_genpkey_sign_rawin.sh
index f2b9a94..98937bc 100755
--- a/test/rsa_genpkey_sign_rawin.sh
+++ b/test/rsa_genpkey_sign_rawin.sh
@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm RSA -pkeyopt bits:1024 -out testkey.pr
 openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
 # check default scheme with various digests
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
 # skip unsupported algorithms
 tpm2_getcap algorithms | grep $HASH || continue
diff --git a/test/rsapss_genpkey_sign_rawin.sh b/test/rsapss_genpkey_sign_rawin.sh
index 99f8d63..4bd0283 100755
--- a/test/rsapss_genpkey_sign_rawin.sh
+++ b/test/rsapss_genpkey_sign_rawin.sh
@@ -5,7 +5,7 @@ set -eufx
 echo -n "abcde12345abcde12345" > testdata
 # check default scheme with various digests
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
 # skip unsupported algorithms
 tpm2_getcap algorithms | grep $HASH || continue