Add SM2 signature algorithm to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12536)
author: Paul Yang <kaishen.yy@antfin.com> 2020-03-04 23:49:43 +0800
committer: Matt Caswell <matt@openssl.org> 2020-09-22 08:18:09 +0100
commit: d0b79f8631c0f522c514175be4e4fbe984cf8f6c (patch)
tree: 4606888f35caaf5c2d6646ac4da4d98d75ab5d56 /providers
parent: 7ee511d093758360ed421e420cc29d9aaf11f143 (diff)
11 files changed, 742 insertions, 53 deletions
diff --git a/providers/common/der/SM2.asn1 b/providers/common/der/SM2.asn1
new file mode 100644
index 0000000000..f90e11f04a
--- /dev/null
+++ b/providers/common/der/SM2.asn1
@@ -0,0 +1,11 @@
+oscca  OBJECT IDENTIFIER ::= { iso(1) member-body(2) cn(156) 10197 }
+
+sm-scheme OBJECT IDENTIFIER ::= { oscca 1 }
+
+-- OID for SM2 signatures with SM3
+
+sm2-with-SM3 OBJECT IDENTIFIER ::= { sm-scheme 501 }
+
+-- Named Elliptic Curves of SM2
+
+curveSM2 OBJECT IDENTIFIER ::= { sm-scheme 301 }
diff --git a/providers/common/der/build.info b/providers/common/der/build.info
index 60c0d8e66c..ae5f1612ee 100644
--- a/providers/common/der/build.info
+++ b/providers/common/der/build.info
@@ -74,6 +74,19 @@ DEPEND[${DER_WRAP_GEN/.c/.o}]=$DER_WRAP_H
 GENERATE[$DER_WRAP_H]=der_wrap.h.in
 DEPEND[$DER_WRAP_H]=oids_to_c.pm
 
+#----- SM2
+$DER_SM2_H=../include/prov/der_sm2.h
+$DER_SM2_GEN=der_sm2_gen.c
+$DER_SM2_AUX=der_sm2_key.c der_sm2_sig.c
+
+GENERATE[$DER_SM2_GEN]=der_sm2_gen.c.in
+DEPEND[$DER_SM2_GEN]=oids_to_c.pm
+
+DEPEND[${DER_SM2_AUX/.c/.o}]=$DER_SM2_H $DER_EC_H
+DEPEND[${DER_SM2_GEN/.c/.o}]=$DER_SM2_H
+GENERATE[$DER_SM2_H]=der_sm2.h.in
+DEPEND[$DER_SM2_H]=oids_to_c.pm
+
 #----- Conclusion
 
 # TODO(3.0) $COMMON should go to libcommon.a, but this currently leads
@@ -84,7 +97,8 @@ $COMMON=\
         $DER_DSA_GEN $DER_DSA_AUX \
         $DER_EC_GEN $DER_EC_AUX \
         $DER_DIGESTS_GEN \
-        $DER_WRAP_GEN
+        $DER_WRAP_GEN \
+        $DER_SM2_GEN $DER_SM2_AUX
 
 IF[{- !$disabled{ec} -}]
   $COMMON = $COMMON $DER_ECX_GEN $DER_ECX_AUX
diff --git a/providers/common/der/der_sm2.h.in b/providers/common/der/der_sm2.h.in
new file mode 100644
index 0000000000..406ddf2b16
--- /dev/null
+++ b/providers/common/der/der_sm2.h.in
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/der.h"
+
+/* Well known OIDs precompiled */
+{-
+    $OUT = oids_to_c::process_leaves('providers/common/der/SM2.asn1',
+                                     { dir => $config{sourcedir},
+                                       filter => \&oids_to_c::filter_to_H });
+-}
+
+/* Subject Public Key Info */
+int DER_w_algorithmIdentifier_SM2(WPACKET *pkt, int cont, EC_KEY *ec);
+/* Signature */
+int DER_w_algorithmIdentifier_SM2_with_MD(WPACKET *pkt, int cont,
+                                          EC_KEY *ec, int mdnid);
diff --git a/providers/common/der/der_sm2_gen.c.in b/providers/common/der/der_sm2_gen.c.in
new file mode 100644
index 0000000000..fc3c4461df
--- /dev/null
+++ b/providers/common/der/der_sm2_gen.c.in
@@ -0,0 +1,17 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "prov/der_sm2.h"
+
+/* Well known OIDs precompiled */
+{-
+    $OUT = oids_to_c::process_leaves('providers/common/der/SM2.asn1',
+                                     { dir => $config{sourcedir},
+                                       filter => \&oids_to_c::filter_to_C });
+-}
diff --git a/providers/common/der/der_sm2_key.c b/providers/common/der/der_sm2_key.c
new file mode 100644
index 0000000000..daf2072c9e
--- /dev/null
+++ b/providers/common/der/der_sm2_key.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/obj_mac.h>
+#include "internal/packet.h"
+#include "prov/der_ec.h"
+#include "prov/der_sm2.h"
+
+int DER_w_algorithmIdentifier_SM2(WPACKET *pkt, int cont, EC_KEY *ec)
+{
+    return DER_w_begin_sequence(pkt, cont)
+        /* No parameters (yet?) */
+        /* It seems SM2 identifier is the same to id_ecPublidKey */
+        && DER_w_precompiled(pkt, -1, der_oid_id_ecPublicKey,
+                             sizeof(der_oid_id_ecPublicKey))
+        && DER_w_end_sequence(pkt, cont);
+}
diff --git a/providers/common/der/der_sm2_sig.c b/providers/common/der/der_sm2_sig.c
new file mode 100644
index 0000000000..a35755065e
--- /dev/null
+++ b/providers/common/der/der_sm2_sig.c
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/obj_mac.h>
+#include "internal/packet.h"
+#include "prov/der_sm2.h"
+
+/* Aliases so we can have a uniform MD_CASE */
+#define der_oid_id_sm2_with_sm3   der_oid_sm2_with_SM3
+
+#define MD_CASE(name)                                                   \
+    case NID_##name:                                                    \
+        precompiled = der_oid_id_sm2_with_##name;                     \
+        precompiled_sz = sizeof(der_oid_id_sm2_with_##name);          \
+        break;
+
+int DER_w_algorithmIdentifier_SM2_with_MD(WPACKET *pkt, int cont,
+                                          EC_KEY *ec, int mdnid)
+{
+    const unsigned char *precompiled = NULL;
+    size_t precompiled_sz = 0;
+
+    switch (mdnid) {
+        MD_CASE(sm3);
+    default:
+        return 0;
+    }
+
+    return DER_w_begin_sequence(pkt, cont)
+        /* No parameters (yet?) */
+        && DER_w_precompiled(pkt, -1, precompiled, precompiled_sz)
+        && DER_w_end_sequence(pkt, cont);
+}
diff --git a/providers/defltprov.c b/providers/defltprov.c
index fabb56bfec..8564ddd5ca 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -364,6 +364,9 @@ static const OSSL_ALGORITHM deflt_signature[] = {
     { "ED25519:Ed25519", "provider=default", ed25519_signature_functions },
     { "ED448:Ed448", "provider=default", ed448_signature_functions },
     { "ECDSA", "provider=default", ecdsa_signature_functions },
+# ifndef OPENSSL_NO_SM2
+    { "SM2", "provider=default", sm2_signature_functions },
+# endif
 #endif
     { "HMAC", "provider=default", mac_legacy_hmac_signature_functions },
     { "SIPHASH", "provider=default", mac_legacy_siphash_signature_functions },
@@ -413,6 +416,7 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
 #endif
 #ifndef OPENSSL_NO_CMAC
     { "CMAC", "provider=default", cmac_legacy_keymgmt_functions },
+#endif
 #ifndef OPENSSL_NO_SM2
     { "SM2", "provider=default", sm2_keymgmt_functions },
 #endif
diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h
index 748ccf46fb..b67b4c7361 100644
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -303,6 +303,7 @@ extern const OSSL_DISPATCH mac_legacy_hmac_signature_functions[];
 extern const OSSL_DISPATCH mac_legacy_siphash_signature_functions[];
 extern const OSSL_DISPATCH mac_legacy_poly1305_signature_functions[];
 extern const OSSL_DISPATCH mac_legacy_cmac_signature_functions[];
+extern const OSSL_DISPATCH sm2_signature_functions[];
 
 /* Asym Cipher */
 extern const OSSL_DISPATCH rsa_asym_cipher_functions[];
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 07cba1962e..b57151a084 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -337,7 +337,8 @@ static int ec_match(const void *keydata1, const void *keydata2, int selection)
 }
 
 static
-int ec_import(void *keydata, int selection, const OSSL_PARAM params[])
+int common_import(void *keydata, int selection, const OSSL_PARAM params[],
+                  int sm2_curve)
 {
     EC_KEY *ec = keydata;
     const EC_GROUP *ecg = NULL;
@@ -368,6 +369,14 @@ int ec_import(void *keydata, int selection, const OSSL_PARAM params[])
     if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
         ok = ok && ec_group_fromdata(ec, params);
 
+    /*
+     * sm2_curve: import the keys or domparams only on SM2 Curve
+     * !sm2_curve: import the keys or domparams only not on SM2 Curve
+     */
+    if ((ecg = EC_KEY_get0_group(ec)) == NULL
+            || (sm2_curve ^ (EC_GROUP_get_curve_name(ecg) == NID_sm2)))
+        return 0;
+
     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
         int include_private =
             selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
@@ -380,58 +389,17 @@ int ec_import(void *keydata, int selection, const OSSL_PARAM params[])
     return ok;
 }
 
+static
+int ec_import(void *keydata, int selection, const OSSL_PARAM params[])
+{
+    return common_import(keydata, selection, params, 0);
+}
+
 #ifndef OPENSSL_NO_SM2
 static
 int sm2_import(void *keydata, int selection, const OSSL_PARAM params[])
 {
-    EC_KEY *ec = keydata;
-    const EC_GROUP *ecg = NULL;
-    int ok = 1;
-
-    if (ec == NULL)
-        return 0;
-
-    /*
-     * In this implementation, we can export/import only keydata in the
-     * following combinations:
-     *   - domain parameters only
-     *   - public key with associated domain parameters (+optional other params)
-     *   - private key with associated public key and domain parameters
-     *         (+optional other params)
-     *
-     * This means:
-     *   - domain parameters must always be requested
-     *   - private key must be requested alongside public key
-     *   - other parameters must be requested only alongside a key
-     */
-    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0)
-        return 0;
-    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
-            && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
-        return 0;
-    if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0
-            && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
-        return 0;
-
-    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
-        ok = ok && ec_key_domparams_fromdata(ec, params);
-
-    /* import the keys or domparams only on SM2 Curve */
-    if ((ecg = EC_KEY_get0_group(ec)) == NULL
-            || EC_GROUP_get_curve_name(ecg) != NID_sm2) {
-        return 0;
-    }
-
-    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
-        int include_private =
-            selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
-
-        ok = ok && ec_key_fromdata(ec, params, include_private);
-    }
-    if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
-        ok = ok && ec_key_otherparams_fromdata(ec, params);
-
-    return ok;
+    return common_import(keydata, selection, params, 1);
 }
 #endif
 
@@ -857,7 +825,7 @@ static const OSSL_PARAM sm2_known_gettable_params[] = {
 };
 
 static
-const OSSL_PARAM *sm2_gettable_params(void)
+const OSSL_PARAM *sm2_gettable_params(ossl_unused void *provctx)
 {
     return sm2_known_gettable_params;
 }
@@ -868,7 +836,7 @@ static const OSSL_PARAM sm2_known_settable_params[] = {
 };
 
 static
-const OSSL_PARAM *sm2_settable_params(void)
+const OSSL_PARAM *sm2_settable_params(ossl_unused void *provctx)
 {
     return sm2_known_settable_params;
 }
@@ -1184,8 +1152,21 @@ static void *sm2_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
         || (ec = EC_KEY_new_with_libctx(gctx->libctx, NULL)) == NULL)
         return NULL;
 
+    if (gctx->gen_group == NULL) {
+        if (!ec_gen_set_group_from_params(gctx))
+            goto err;
+    } else {
+        if (gctx->encoding) {
+            int flags = ec_encoding_name2id(gctx->encoding);
+            if (flags < 0)
+                goto err;
+            EC_GROUP_set_asn1_flag(gctx->gen_group, flags);
+        }
+    }
+
     /* We must always assign a group, no matter what */
     ret = ec_gen_assign_group(ec, gctx->gen_group);
+
     /* Whether you want it or not, you get a keypair, not just one half */
     if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
         /*
@@ -1198,7 +1179,9 @@ static void *sm2_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
 
     if (ret)
         return ec;
-
+err:
+    /* Something went wrong, throw the key away */
+    EC_KEY_free(ec);
     return NULL;
 }
 #endif
diff --git a/providers/implementations/signature/build.info b/providers/implementations/signature/build.info
index b06f6e5c79..84c5d905b2 100644
--- a/providers/implementations/signature/build.info
+++ b/providers/implementations/signature/build.info
@@ -3,6 +3,7 @@
 
 $DSA_GOAL=../../libimplementations.a
 $EC_GOAL=../../libimplementations.a
+$SM2SIG_GOAL=../../libimplementations.a
 
 IF[{- !$disabled{dsa} -}]
   SOURCE[$DSA_GOAL]=dsa.c
@@ -12,6 +13,10 @@ IF[{- !$disabled{ec} -}]
   SOURCE[$EC_GOAL]=eddsa.c ecdsa.c
 ENDIF
 
+IF[{- !$disabled{sm2} -}]
+  SOURCE[$SM2SIG_GOAL]=sm2sig.c
+ENDIF
+
 SOURCE[../../libfips.a]=rsa.c
 SOURCE[../../libnonfips.a]=rsa.c
 
@@ -19,6 +24,7 @@ DEPEND[rsa.o]=../../common/include/prov/der_rsa.h
 DEPEND[dsa.o]=../../common/include/prov/der_dsa.h
 DEPEND[ecdsa.o]=../../common/include/prov/der_ec.h
 DEPEND[eddsa.o]=../../common/include/prov/der_ecx.h
+DEPEND[sm2sig.o]=../../common/include/prov/der_sm2.h
 
 SOURCE[../../libfips.a]=mac_legacy.c
 SOURCE[../../libnonfips.a]=mac_legacy.c
diff --git a/providers/implementations/signature/sm2sig.c b/providers/implementations/signature/sm2sig.c
new file mode 100644
index 0000000000..0e35fb4739
--- /dev/null
+++ b/providers/implementations/signature/sm2sig.c
@@ -0,0 +1,568 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * ECDSA low level APIs are deprecated for public use, but still ok for
+ * internal use - SM2 implemetation uses ECDSA_size() function.
+ */
+#include "internal/deprecated.h"
+
+#include <string.h> /* memcpy */
+#include <openssl/crypto.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/core_names.h>
+#include <openssl/dsa.h>
+#include <openssl/params.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include "internal/nelem.h"
+#include "internal/sizes.h"
+#include "internal/cryptlib.h"
+#include "prov/providercommonerr.h"
+#include "prov/implementations.h"
+#include "prov/provider_ctx.h"
+#include "crypto/ec.h"
+#include "crypto/sm2.h"
+#include "prov/der_sm2.h"
+
+static OSSL_FUNC_signature_newctx_fn sm2sig_newctx;
+static OSSL_FUNC_signature_sign_init_fn sm2sig_signature_init;
+static OSSL_FUNC_signature_verify_init_fn sm2sig_signature_init;
+static OSSL_FUNC_signature_sign_fn sm2sig_sign;
+static OSSL_FUNC_signature_verify_fn sm2sig_verify;
+static OSSL_FUNC_signature_digest_sign_init_fn sm2sig_digest_signverify_init;
+static OSSL_FUNC_signature_digest_sign_update_fn sm2sig_digest_signverify_update;
+static OSSL_FUNC_signature_digest_sign_final_fn sm2sig_digest_sign_final;
+static OSSL_FUNC_signature_digest_verify_init_fn sm2sig_digest_signverify_init;
+static OSSL_FUNC_signature_digest_verify_update_fn sm2sig_digest_signverify_update;
+static OSSL_FUNC_signature_digest_verify_final_fn sm2sig_digest_verify_final;
+static OSSL_FUNC_signature_freectx_fn sm2sig_freectx;
+static OSSL_FUNC_signature_dupctx_fn sm2sig_dupctx;
+static OSSL_FUNC_signature_get_ctx_params_fn sm2sig_get_ctx_params;
+static OSSL_FUNC_signature_gettable_ctx_params_fn sm2sig_gettable_ctx_params;
+static OSSL_FUNC_signature_set_ctx_params_fn sm2sig_set_ctx_params;
+static OSSL_FUNC_signature_settable_ctx_params_fn sm2sig_settable_ctx_params;
+static OSSL_FUNC_signature_get_ctx_md_params_fn sm2sig_get_ctx_md_params;
+static OSSL_FUNC_signature_gettable_ctx_md_params_fn sm2sig_gettable_ctx_md_params;
+static OSSL_FUNC_signature_set_ctx_md_params_fn sm2sig_set_ctx_md_params;
+static OSSL_FUNC_signature_settable_ctx_md_params_fn sm2sig_settable_ctx_md_params;
+
+/*
+ * What's passed as an actual key is defined by the KEYMGMT interface.
+ * We happen to know that our KEYMGMT simply passes EC structures, so
+ * we use that here too.
+ */
+typedef struct {
+    OPENSSL_CTX *libctx;
+    char *propq;
+    EC_KEY *ec;
+
+    /*
+     * Flag to determine if the hash function can be changed (1) or not (0)
+     * Because it's dangerous to change during a DigestSign or DigestVerify
+     * operation, this flag is cleared by their Init function, and set again
+     * by their Final function.
+     */
+    unsigned int flag_allow_md : 1;
+    /*
+     * Flag to termine if the 'z' digest needs to be computed and fed to the
+     * hash function.
+     * This flag should be set on initialization and the compuation should
+     * be performed only once, on first update.
+     */
+    unsigned int flag_compute_z_digest : 1;
+
+    char mdname[OSSL_MAX_NAME_SIZE];
+
+    /* The Algorithm Identifier of the combined signature algorithm */
+    unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
+    unsigned char *aid;
+    size_t  aid_len;
+
+    /* main digest */
+    EVP_MD *md;
+    EVP_MD_CTX *mdctx;
+    size_t mdsize;
+
+    /* SM2 ID used for calculating the Z value */
+    unsigned char *id;
+    size_t id_len;
+} PROV_SM2_CTX;
+
+/* TODO: it seems SM2 doesn't need this */
+static int sm2sig_get_md_nid(const EVP_MD *md)
+{
+    /*
+     * Because the EC library deals with NIDs, we need to translate.
+     * We do so using EVP_MD_is_a(), and therefore need a name to NID
+     * map.
+     */
+    static const OSSL_ITEM name_to_nid[] = {
+        { NID_sm3,   OSSL_DIGEST_NAME_SM3 },
+    };
+    size_t i;
+    int mdnid = NID_undef;
+
+    if (md == NULL)
+        goto end;
+
+    for (i = 0; i < OSSL_NELEM(name_to_nid); i++) {
+        if (EVP_MD_is_a(md, name_to_nid[i].ptr)) {
+            mdnid = (int)name_to_nid[i].id;
+            break;
+        }
+    }
+
+    if (mdnid == NID_undef)
+        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
+
+ end:
+    return mdnid;
+}
+
+static void *sm2sig_newctx(void *provctx, const char *propq)
+{
+    PROV_SM2_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_SM2_CTX));
+
+    if (ctx == NULL)
+        return NULL;
+
+    ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
+    if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL) {
+        OPENSSL_free(ctx);
+        ctx = NULL;
+        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+    }
+    /* don't allow to change MD, and in fact there is no such need */
+    ctx->flag_allow_md = 0;
+    return ctx;
+}
+
+static int sm2sig_signature_init(void *vpsm2ctx, void *ec)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+
+    if (psm2ctx == NULL || ec == NULL || !EC_KEY_up_ref(ec))
+        return 0;
+    EC_KEY_free(psm2ctx->ec);
+    psm2ctx->ec = ec;
+    return 1;
+}
+
+static int sm2sig_sign(void *vpsm2ctx, unsigned char *sig, size_t *siglen,
+                       size_t sigsize, const unsigned char *tbs, size_t tbslen)
+{
+    PROV_SM2_CTX *ctx = (PROV_SM2_CTX *)vpsm2ctx;
+    int ret;
+    unsigned int sltmp;
+    /* SM2 uses ECDSA_size as well */
+    size_t ecsize = ECDSA_size(ctx->ec);
+
+    if (sig == NULL) {
+        *siglen = ecsize;
+        return 1;
+    }
+
+    if (sigsize < (size_t)ecsize)
+        return 0;
+
+    if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
+        return 0;
+
+    ret = sm2_internal_sign(tbs, tbslen, sig, &sltmp, ctx->ec);
+    if (ret <= 0)
+        return 0;
+
+    *siglen = sltmp;
+    return 1;
+}
+
+static int sm2sig_verify(void *vpsm2ctx, const unsigned char *sig, size_t siglen,
+                         const unsigned char *tbs, size_t tbslen)
+{
+    PROV_SM2_CTX *ctx = (PROV_SM2_CTX *)vpsm2ctx;
+
+    if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
+        return 0;
+
+    return sm2_internal_verify(tbs, tbslen, sig, siglen, ctx->ec);
+}
+
+static void free_md(PROV_SM2_CTX *ctx)
+{
+    EVP_MD_CTX_free(ctx->mdctx);
+    EVP_MD_free(ctx->md);
+    ctx->mdctx = NULL;
+    ctx->md = NULL;
+    ctx->mdsize = 0;
+}
+
+static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname,
+                                         void *ec)
+{
+    PROV_SM2_CTX *ctx = (PROV_SM2_CTX *)vpsm2ctx;
+    int md_nid = NID_undef;
+    WPACKET pkt;
+    int ret = 0;
+
+    free_md(ctx);
+
+    if (!sm2sig_signature_init(vpsm2ctx, ec))
+        return ret;
+
+    ctx->md = EVP_MD_fetch(ctx->libctx, mdname, ctx->propq);
+    if ((md_nid = sm2sig_get_md_nid(ctx->md)) == NID_undef)
+        goto error;
+
+    ctx->mdsize = EVP_MD_size(ctx->md);
+    ctx->mdctx = EVP_MD_CTX_new();
+    if (ctx->mdctx == NULL)
+        goto error;
+
+    /*
+     * TODO(3.0) Should we care about DER writing errors?
+     * All it really means is that for some reason, there's no
+     * AlgorithmIdentifier to be had, but the operation itself is
+     * still valid, just as long as it's not used to construct
+     * anything that needs an AlgorithmIdentifier.
+     */
+    ctx->aid_len = 0;
+    if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
+        && DER_w_algorithmIdentifier_SM2_with_MD(&pkt, -1, ctx->ec, md_nid)
+        && WPACKET_finish(&pkt)) {
+        WPACKET_get_total_written(&pkt, &ctx->aid_len);
+        ctx->aid = WPACKET_get_curr(&pkt);
+    }
+    WPACKET_cleanup(&pkt);
+
+    if (!EVP_DigestInit_ex(ctx->mdctx, ctx->md, NULL))
+        goto error;
+
+    ctx->flag_compute_z_digest = 1;
+
+    ret = 1;
+
+ error:
+    if (!ret)
+        free_md(ctx);
+    return ret;
+}
+
+static int sm2sig_compute_z_digest(PROV_SM2_CTX *ctx)
+{
+    uint8_t *z = NULL;
+    int ret = 1;
+
+    if (ctx->flag_compute_z_digest) {
+        /* Only do this once */
+        ctx->flag_compute_z_digest = 0;
+
+        if ((z = OPENSSL_zalloc(ctx->mdsize)) == NULL
+            /* get hashed prefix 'z' of tbs message */
+            || !sm2_compute_z_digest(z, ctx->md, ctx->id, ctx->id_len, ctx->ec)
+            || !EVP_DigestUpdate(ctx->mdctx, z, ctx->mdsize))
+            ret = 0;
+        OPENSSL_free(z);
+    }
+
+    return ret;
+}
+
+int sm2sig_digest_signverify_update(void *vpsm2ctx, const unsigned char *data,
+                                    size_t datalen)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+
+    if (psm2ctx == NULL || psm2ctx->mdctx == NULL)
+        return 0;
+
+    return sm2sig_compute_z_digest(psm2ctx)
+        && EVP_DigestUpdate(psm2ctx->mdctx, data, datalen);
+}
+
+int sm2sig_digest_sign_final(void *vpsm2ctx, unsigned char *sig, size_t *siglen,
+                             size_t sigsize)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+    unsigned char digest[EVP_MAX_MD_SIZE];
+    unsigned int dlen = 0;
+
+    if (psm2ctx == NULL || psm2ctx->mdctx == NULL)
+        return 0;
+
+    /*
+     * If sig is NULL then we're just finding out the sig size. Other fields
+     * are ignored. Defer to sm2sig_sign.
+     */
+    if (sig != NULL) {
+        if (!(sm2sig_compute_z_digest(psm2ctx)
+              && EVP_DigestFinal_ex(psm2ctx->mdctx, digest, &dlen)))
+            return 0;
+    }
+
+    return sm2sig_sign(vpsm2ctx, sig, siglen, sigsize, digest, (size_t)dlen);
+}
+
+
+int sm2sig_digest_verify_final(void *vpsm2ctx, const unsigned char *sig,
+                               size_t siglen)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+    unsigned char digest[EVP_MAX_MD_SIZE];
+    unsigned int dlen = 0;
+
+    if (psm2ctx == NULL || psm2ctx->mdctx == NULL)
+        return 0;
+
+    /* SM2 always use SM3 so it's not possible to exceed the limit */
+    if (!(sm2sig_compute_z_digest(psm2ctx)
+          && EVP_DigestFinal_ex(psm2ctx->mdctx, digest, &dlen)))
+        return 0;
+
+    return sm2sig_verify(vpsm2ctx, sig, siglen, digest, (size_t)dlen);
+}
+
+static void sm2sig_freectx(void *vpsm2ctx)
+{
+    PROV_SM2_CTX *ctx = (PROV_SM2_CTX *)vpsm2ctx;
+
+    free_md(ctx);
+    EC_KEY_free(ctx->ec);
+    OPENSSL_free(ctx->id);
+    OPENSSL_free(ctx);
+}
+
+static void *sm2sig_dupctx(void *vpsm2ctx)
+{
+    PROV_SM2_CTX *srcctx = (PROV_SM2_CTX *)vpsm2ctx;
+    PROV_SM2_CTX *dstctx;
+
+    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
+    if (dstctx == NULL)
+        return NULL;
+
+    *dstctx = *srcctx;
+    dstctx->ec = NULL;
+    dstctx->md = NULL;
+    dstctx->mdctx = NULL;
+
+    if (srcctx->ec != NULL && !EC_KEY_up_ref(srcctx->ec))
+        goto err;
+    dstctx->ec = srcctx->ec;
+
+    if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
+        goto err;
+    dstctx->md = srcctx->md;
+
+    if (srcctx->mdctx != NULL) {
+        dstctx->mdctx = EVP_MD_CTX_new();
+        if (dstctx->mdctx == NULL
+                || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
+            goto err;
+    }
+
+    if (srcctx->id != NULL) {
+        dstctx->id = OPENSSL_malloc(srcctx->id_len);
+        if (dstctx->id == NULL)
+            goto err;
+        dstctx->id_len = srcctx->id_len;
+        memcpy(dstctx->id, srcctx->id, srcctx->id_len);
+    }
+
+    return dstctx;
+ err:
+    sm2sig_freectx(dstctx);
+    return NULL;
+}
+
+static int sm2sig_get_ctx_params(void *vpsm2ctx, OSSL_PARAM *params)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+    OSSL_PARAM *p;
+
+    if (psm2ctx == NULL || params == NULL)
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
+    if (p != NULL
+        && !OSSL_PARAM_set_octet_string(p, psm2ctx->aid, psm2ctx->aid_len))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, psm2ctx->mdsize))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
+    if (p != NULL && !OSSL_PARAM_set_utf8_string(p, psm2ctx->md == NULL
+                                                    ? psm2ctx->mdname
+                                                    : EVP_MD_name(psm2ctx->md)))
+        return 0;
+
+    return 1;
+}
+
+static const OSSL_PARAM known_gettable_ctx_params[] = {
+    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
+    OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
+    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
+    OSSL_PARAM_END
+};
+
+static const OSSL_PARAM *sm2sig_gettable_ctx_params(ossl_unused void *provctx)
+{
+    return known_gettable_ctx_params;
+}
+
+static int sm2sig_set_ctx_params(void *vpsm2ctx, const OSSL_PARAM params[])
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+    const OSSL_PARAM *p;
+    char *mdname;
+
+    if (psm2ctx == NULL || params == NULL)
+        return 0;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DIST_ID);
+    if (p != NULL) {
+        void *tmp_id = NULL;
+        size_t tmp_idlen;
+
+        /*
+         * If the 'z' digest has already been computed, the ID is set too late
+         */
+        if (!psm2ctx->flag_compute_z_digest)
+            return 0;
+
+        if (!OSSL_PARAM_get_octet_string(p, &tmp_id, 0, &tmp_idlen))
+            return 0;
+        OPENSSL_free(psm2ctx->id);
+        psm2ctx->id = tmp_id;
+        psm2ctx->id_len = tmp_idlen;
+    }
+
+    if (psm2ctx->md != NULL) {
+        /*
+         * You cannot set the digest name/size when doing a DigestSign or
+         * DigestVerify.
+         */
+        return 1;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
+    if (p != NULL && !OSSL_PARAM_get_size_t(p, &psm2ctx->mdsize))
+        return 0;
+
+    /*
+     * We never actually use the mdname, but we do support getting it later.
+     * This can be useful for applications that want to know the MD that they
+     * previously set.
+     */
+    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
+    mdname = psm2ctx->mdname;
+    if (p != NULL
+            && !OSSL_PARAM_get_utf8_string(p, &mdname, sizeof(psm2ctx->mdname)))
+        return 0;
+
+    return 1;
+}
+
+static const OSSL_PARAM known_settable_ctx_params[] = {
+    OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
+    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_DIST_ID, NULL, 0),
+    OSSL_PARAM_END
+};
+
+static const OSSL_PARAM *sm2sig_settable_ctx_params(ossl_unused void *provctx)
+{
+    /*
+     * TODO(3.0): Should this function return a different set of settable ctx
+     * params if the ctx is being used for a DigestSign/DigestVerify? In that
+     * case it is not allowed to set the digest size/digest name because the
+     * digest is explicitly set as part of the init.
+     */
+    return known_settable_ctx_params;
+}
+
+static int sm2sig_get_ctx_md_params(void *vpsm2ctx, OSSL_PARAM *params)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+
+    if (psm2ctx->mdctx == NULL)
+        return 0;
+
+    return EVP_MD_CTX_get_params(psm2ctx->mdctx, params);
+}
+
+static const OSSL_PARAM *sm2sig_gettable_ctx_md_params(void *vpsm2ctx)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+
+    if (psm2ctx->md == NULL)
+        return 0;
+
+    return EVP_MD_gettable_ctx_params(psm2ctx->md);
+}
+
+static int sm2sig_set_ctx_md_params(void *vpsm2ctx, const OSSL_PARAM params[])
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+
+    if (psm2ctx->mdctx == NULL)
+        return 0;
+
+    return EVP_MD_CTX_set_params(psm2ctx->mdctx, params);
+}
+
+static const OSSL_PARAM *sm2sig_settable_ctx_md_params(void *vpsm2ctx)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+
+    if (psm2ctx->md == NULL)
+        return 0;
+
+    return EVP_MD_settable_ctx_params(psm2ctx->md);
+}
+
+const OSSL_DISPATCH sm2_signature_functions[] = {
+    { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))sm2sig_newctx },
+    { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))sm2sig_signature_init },
+    { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))sm2sig_sign },
+    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))sm2sig_signature_init },
+    { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))sm2sig_verify },
+    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
+      (void (*)(void))sm2sig_
author	Paul Yang <kaishen.yy@antfin.com>	2020-03-04 23:49:43 +0800
committer	Matt Caswell <matt@openssl.org>	2020-09-22 08:18:09 +0100
commit	d0b79f8631c0f522c514175be4e4fbe984cf8f6c (patch)
tree	4606888f35caaf5c2d6646ac4da4d98d75ab5d56 /providers
parent	7ee511d093758360ed421e420cc29d9aaf11f143 (diff)