packages/shim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Bugfix for SM2 certificate chain verify

Browse Source
This commit is contained in:
Huaxin Lu 2022-11-11 12:16:25 +08:00
parent a4a25552fe
commit aa056b2188
3 changed files with 70 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
Feature-shim-cryptlib-support-sm2-signature-verify.patch
View File

@ -1,7 +1,7 @@
From 9137b68d161ccb95b1019c4885d0519ebbf4678a Mon Sep 17 00:00:00 2001
From df8dab733a8795e896acfd459b2b9adc9607e831 Mon Sep 17 00:00:00 2001
From: Huaxin Lu <luhuaxin1@huawei.com>
Date: Mon, 7 Nov 2022 11:46:33 +0800
Subject: [PATCH 4/5] shim cryptlib support sm2 signature verify
Subject: [PATCH 1/2] shim cryptlib support sm2 signature verify
Co-authored-by: Yusong Gao <gaoyusong2@huawei.com>
Signed-off-by: Yusong Gao <gaoyusong2@huawei.com>
@ -12,9 +12,9 @@ Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Cryptlib/Include/openssl/ec.h | 20 ++
Cryptlib/Include/openssl/ecdsa.h | 7 +
Cryptlib/Include/openssl/err.h | 6 +
Cryptlib/Include/openssl/evp.h | 25 +++
Cryptlib/Include/openssl/evp.h | 27 ++-
Cryptlib/Include/openssl/obj_mac.h | 33 +++
Cryptlib/Include/openssl/opensslconf.h | 8 +-
Cryptlib/Include/openssl/opensslconf.h | 7 +-
Cryptlib/Include/openssl/x509.h | 7 +
Cryptlib/Library/BaseCryptLib.h | 111 ++++++++++
Cryptlib/Makefile | 6 +
@ -27,7 +27,7 @@ Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Cryptlib/OpenSSL/crypto/err/err.c | 1 +
Cryptlib/OpenSSL/crypto/evp/c_alld.c | 3 +
Cryptlib/OpenSSL/crypto/evp/digest.c | 62 +++++-
Cryptlib/OpenSSL/crypto/evp/evp_lib.c | 5 +
Cryptlib/OpenSSL/crypto/evp/evp_lib.c | 24 +++
Cryptlib/OpenSSL/crypto/evp/evp_locl.h | 10 +
Cryptlib/OpenSSL/crypto/evp/m_sigver.c | 17 ++
Cryptlib/OpenSSL/crypto/evp/p_lib.c | 44 ++++
@ -37,14 +37,14 @@ Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Cryptlib/OpenSSL/crypto/objects/obj_dat.h | 46 +++-
Cryptlib/OpenSSL/crypto/objects/obj_xref.h | 2 +
Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c | 34 ++-
Cryptlib/OpenSSL/crypto/x509/x_all.c | 142 +++++++++++++
Cryptlib/OpenSSL/crypto/x509/x_all.c | 145 +++++++++++++
Cryptlib/Pk/CryptPkcs7Verify.c | 5 +
32 files changed, 997 insertions(+), 38 deletions(-)
32 files changed, 1020 insertions(+), 38 deletions(-)
create mode 100644 Cryptlib/Hash/CryptSm3.c
diff --git a/Cryptlib/Hash/CryptSm3.c b/Cryptlib/Hash/CryptSm3.c
new file mode 100644
index 0000000..c522365
index 0000000..84d7acc
--- /dev/null
+++ b/Cryptlib/Hash/CryptSm3.c
@@ -0,0 +1,231 @@
@ -271,7 +271,7 @@ index 0000000..c522365
+ //
+ // OpenSSL SM3 Hash Computation.
+ //
+
+
+ SM3_CTX c;
+ sm3_init(&c);
+ sm3_update(&c, Data, DataSize);
@ -433,7 +433,7 @@ index 5a01980..c8286e1 100644
/*
* 99 is the maximum possible ERR_R_... code, higher values are reserved for
diff --git a/Cryptlib/Include/openssl/evp.h b/Cryptlib/Include/openssl/evp.h
index 376f260..4e1d9bb 100644
index 376f260..26e8f04 100644
--- a/Cryptlib/Include/openssl/evp.h
+++ b/Cryptlib/Include/openssl/evp.h
@@ -115,6 +115,7 @@
@ -457,16 +457,17 @@ index 376f260..4e1d9bb 100644
/*
* Type needs to be a bit field Sub-type needs to be for variations on the
* method, as in, can it do arbitrary encryption....
@@ -526,6 +533,8 @@ const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
@@ -526,6 +533,9 @@ const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
# define EVP_MD_CTX_block_size(e) EVP_MD_block_size(EVP_MD_CTX_md(e))
# define EVP_MD_CTX_type(e) EVP_MD_type(EVP_MD_CTX_md(e))
+void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx);
+void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx);
+
int EVP_CIPHER_nid(const EVP_CIPHER *cipher);
# define EVP_CIPHER_name(e) OBJ_nid2sn(EVP_CIPHER_nid(e))
int EVP_CIPHER_block_size(const EVP_CIPHER *cipher);
@@ -583,6 +592,9 @@ int EVP_Cipher(EVP_CIPHER_CTX *c,
@@ -583,6 +593,9 @@ int EVP_Cipher(EVP_CIPHER_CTX *c,
# define EVP_delete_digest_alias(alias) \
OBJ_NAME_remove(alias,OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS);
@ -476,7 +477,7 @@ index 376f260..4e1d9bb 100644
void EVP_MD_CTX_init(EVP_MD_CTX *ctx);
int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
EVP_MD_CTX *EVP_MD_CTX_create(void);
@@ -666,6 +678,10 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -666,6 +679,10 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx,
const unsigned char *sig, size_t siglen);
@ -487,7 +488,7 @@ index 376f260..4e1d9bb 100644
int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
const unsigned char *ek, int ekl, const unsigned char *iv,
EVP_PKEY *priv);
@@ -741,6 +757,9 @@ const EVP_MD *EVP_ripemd160(void);
@@ -741,6 +758,9 @@ const EVP_MD *EVP_ripemd160(void);
# ifndef OPENSSL_NO_WHIRLPOOL
const EVP_MD *EVP_whirlpool(void);
# endif
@ -497,7 +498,7 @@ index 376f260..4e1d9bb 100644
const EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */
# ifndef OPENSSL_NO_DES
const EVP_CIPHER *EVP_des_ecb(void);
@@ -954,10 +973,15 @@ int EVP_PKEY_base_id(const EVP_PKEY *pkey);
@@ -954,10 +974,15 @@ int EVP_PKEY_base_id(const EVP_PKEY *pkey);
int EVP_PKEY_bits(EVP_PKEY *pkey);
int EVP_PKEY_size(EVP_PKEY *pkey);
int EVP_PKEY_set_type(EVP_PKEY *pkey, int type);
@ -513,7 +514,7 @@ index 376f260..4e1d9bb 100644
# ifndef OPENSSL_NO_RSA
struct rsa_st;
int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key);
@@ -976,6 +1000,7 @@ struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
@@ -976,6 +1001,7 @@ struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
# ifndef OPENSSL_NO_EC
struct ec_key_st;
int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, struct ec_key_st *key);
@ -521,6 +522,14 @@ index 376f260..4e1d9bb 100644
struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
# endif
@@ -1268,7 +1294,6 @@ int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
-void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb);
EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx);
int EVP_PKEY_CTX_get_keygen_info(EVP_PKEY_CTX *ctx, int idx);
diff --git a/Cryptlib/Include/openssl/obj_mac.h b/Cryptlib/Include/openssl/obj_mac.h
index 779c309..91b75e0 100644
--- a/Cryptlib/Include/openssl/obj_mac.h
@ -563,18 +572,10 @@ index 779c309..91b75e0 100644
+#define NID_SM2_with_SM3 964
+#define OBJ_SM2_with_SM3 OBJ_sm_scheme,501L
diff --git a/Cryptlib/Include/openssl/opensslconf.h b/Cryptlib/Include/openssl/opensslconf.h
index 4a36e9f..6f19ce6 100644
index 4a36e9f..12ec552 100644
--- a/Cryptlib/Include/openssl/opensslconf.h
+++ b/Cryptlib/Include/openssl/opensslconf.h
@@ -10,7 +10,6 @@ extern "C" {
#endif
#ifndef OPENSSL_DOING_MAKEDEPEND
-
#ifndef OPENSSL_NO_BF
# define OPENSSL_NO_BF
#endif
@@ -41,8 +40,8 @@ extern "C" {
@@ -41,8 +41,8 @@ extern "C" {
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
# define OPENSSL_NO_DYNAMIC_ENGINE
#endif
@ -585,7 +586,7 @@ index 4a36e9f..6f19ce6 100644
#endif
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
# define OPENSSL_NO_EC_NISTP_64_GCC_128
@@ -50,9 +49,6 @@ extern "C" {
@@ -50,9 +50,6 @@ extern "C" {
#ifndef OPENSSL_NO_ECDH
# define OPENSSL_NO_ECDH
#endif
@ -750,7 +751,7 @@ index 2df8bd2..a7fea2c 100644
// MAC (Message Authentication Code) Primitive
//=====================================================================================
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
index 89fd5cd..7885a1a 100644
index 89fd5cd..c95a960 100644
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -66,6 +66,12 @@ OBJS = Hash/CryptMd4Null.o \
@ -767,7 +768,7 @@ index 89fd5cd..7885a1a 100644
libcryptlib.a: $(OBJS)
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
index 795f471..32fb235 100644
index 795f471..4923ac3 100644
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -459,7 +459,43 @@ OBJS = crypto/cryptlib.o \
@ -1074,10 +1075,10 @@ index 4db1796..ffc03ef 100644
}
}
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c
index 7e0bab9..5945494 100644
index 7e0bab9..24da25d 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c
@@ -389,3 +389,8 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags)
@@ -389,3 +389,27 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags)
{
return (ctx->flags & flags);
}
@ -1086,6 +1087,25 @@ index 7e0bab9..5945494 100644
+{
+ return ctx->md_data;
+}
+
+void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx)
+{
+ /*
+ * it's reasonable to set NULL pctx (a.k.a clear the ctx->pctx), so
+ * we have to deal with the cleanup job here.
+ */
+ if (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX))
+ EVP_PKEY_CTX_free(ctx->pctx);
+
+ ctx->pctx = pctx;
+
+ if (pctx != NULL) {
+ /* make sure pctx is not freed when destroying EVP_MD_CTX */
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
+ } else {
+ EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
+ }
+}
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_locl.h b/Cryptlib/OpenSSL/crypto/evp/evp_locl.h
index 2bb709a..1d179ef 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_locl.h
@ -1642,10 +1662,10 @@ index dd6c73f..846fcf8 100644
return (ret);
}
diff --git a/Cryptlib/OpenSSL/crypto/x509/x_all.c b/Cryptlib/OpenSSL/crypto/x509/x_all.c
index 0f26c54..0228582 100644
index 0f26c54..59a41e3 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x_all.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x_all.c
@@ -71,16 +71,158 @@
@@ -71,16 +71,161 @@
# include <openssl/dsa.h>
#endif
@ -1660,7 +1680,7 @@ index 0f26c54..0228582 100644
+{
+ X509 *x = NULL;
+ X509_REQ *r = NULL;
+ EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx = NULL;
+ unsigned char *buf_in = NULL;
+ int ret = -1, inl = 0;
+ size_t inll = 0;
@ -1694,17 +1714,20 @@ index 0f26c54..0228582 100644
+ return -1;
+ }
+
+ EVP_MD_CTX_init(&ctx);
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ /* Check public key OID matches public key type */
+ if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id) {
+ goto err;
+ }
+
+ if (!EVP_PKEY_set_type(pkey, EVP_PKEY_SM2)) {
+ if (!EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)) {
+ ret = 0;
+ goto err;
+ }
+
+ pctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (pctx == NULL) {
+ ret = 0;
@ -1716,9 +1739,9 @@ index 0f26c54..0228582 100644
+ ret = 0;
+ goto err;
+ }
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
+
+ if (!EVP_DigestVerifyInit(&ctx, NULL, type, NULL, pkey)) {
+ EVP_MD_CTX_set_pkey_ctx(ctx, pctx);
+ if (!EVP_DigestVerifyInit(ctx, NULL, type, NULL, pkey)) {
+ ret = 0;
+ goto err;
+ }
@ -1735,7 +1758,7 @@ index 0f26c54..0228582 100644
+ }
+ inll = inl;
+
+ ret = EVP_DigestVerify(&ctx, signature->data,
+ ret = EVP_DigestVerify(ctx, signature->data,
+ (size_t)signature->length, buf_in, inl);
+ if (ret <= 0) {
+ goto err;
@ -1743,7 +1766,7 @@ index 0f26c54..0228582 100644
+ ret = 1;
+ err:
+ OPENSSL_cleanse(buf_in, inll);
+ EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(ctx);
+ EVP_PKEY_CTX_free(pctx);
+ return ret;
+}

6
Feature-shim-support-sm2-and-sm3-algorithm.patch
View File

@ -1,7 +1,7 @@
From 946a1e8e7fc05b8c5bfd522ba806eeea3e0344d6 Mon Sep 17 00:00:00 2001
From e1f5fc87be6581b63550218d991c713ad0f23113 Mon Sep 17 00:00:00 2001
From: Huaxin Lu <luhuaxin1@huawei.com>
Date: Mon, 7 Nov 2022 11:47:42 +0800
Subject: [PATCH] shim support sm2 and sm3 algorithm
Subject: [PATCH 2/2] shim support sm2 and sm3 algorithm
Co-authored-by: Yusong Gao <gaoyusong2@huawei.com>
Signed-off-by: Yusong Gao <gaoyusong2@huawei.com>
@ -104,7 +104,7 @@ index e97b29c..7a4f356 100644
typedef struct {
diff --git a/pe.c b/pe.c
index ba3e2bb..37b08a3 100644
index ba3e2bb..f48d635 100644
--- a/pe.c
+++ b/pe.c
@@ -297,13 +297,24 @@ get_section_vma_by_name (char *name, size_t namesz,

5
shim.spec
View File

@ -22,7 +22,7 @@
Name: shim
Version: 15.6
Release: 5
Release: 6
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 aarch64
License: BSD
@ -144,6 +144,9 @@ cd ..
/usr/src/debug/%{name}-%{version}-%{release}/*
%changelog
* Fri Nov 11 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-6
- Bugfix for SM2 certificate chain verify
* Fri Nov 11 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-5
- Bugfix for SMx feature