diff --git a/0001-revert-sm2-sign-and-verifysignature.patch b/0001-revert-sm2-sign-and-verifysignature.patch new file mode 100644 index 0000000000000000000000000000000000000000..b9d080dda8719cefafed6f73f2f84a307b15602b --- /dev/null +++ b/0001-revert-sm2-sign-and-verifysignature.patch @@ -0,0 +1,409 @@ +From fb1df19b95fe5987a17903b6ae11b02b2e3dd543 Mon Sep 17 00:00:00 2001 +From: mayuanchen <94815698+mayuanchenma@users.noreply.github.com> +Date: Thu, 5 Jan 2023 21:46:55 +0800 +Subject: [PATCH] revert: sm2 sign and verifysignature. + +commit 4b4e075858f36fd52334fd4656fe43ac9f4e5aef upstream. + +Although tpm2 tools sm2 sign and verifysignature conform to sm2 standard, +sm2 only sign and verifysignature the digest in the tpm2. so keep pace +with tpm2 and remove the code. + +Signed-off-by: mayuanchen <94815698+mayuanchenma@users.noreply.github.com> +Change-Id: I574327e7ca0bf7089fc67d14b4bf87db4b555a68 +--- + lib/tpm2_alg_util.c | 93 ------------------------- + lib/tpm2_alg_util.h | 27 -------- + lib/tpm2_hash.c | 127 ----------------------------------- + lib/tpm2_hash.h | 49 -------------- + tools/tpm2_sign.c | 16 +---- + tools/tpm2_verifysignature.c | 16 +---- + 6 files changed, 4 insertions(+), 324 deletions(-) + +diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c +index 9b7f3d7..65739fc 100644 +--- a/lib/tpm2_alg_util.c ++++ b/lib/tpm2_alg_util.c +@@ -1145,96 +1145,3 @@ TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle) { + Esys_Free(name); + return name_alg; + } +- +-tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *id, size_t idlen, TPM2B_DIGEST *result) { +- +- TPMS_ALGORITHM_DETAIL_ECC *parameters = NULL; +- TPM2B_PUBLIC *public = NULL; +- TPM2B *id_input = NULL; +- TPM2B_DIGEST *tmp_digest = NULL; +- +- if (!id || !result) { +- return tool_rc_general_error; +- } +- +- /* 2-byte id length in bits */ +- if (strlen(id) != idlen) { +- LOG_ERR("invalid sm2 id!"); +- return tool_rc_general_error; +- } +- +- if (idlen > SM2_MAX_ID_LENGTH || idlen <= 0) { +- LOG_ERR("invalid id length!"); +- return tool_rc_general_error; +- } +- +- tool_rc rc = tpm2_geteccparameters(ectx, TPM2_ECC_SM2_P256, ¶meters, +- NULL, TPM2_ALG_NULL); +- if (rc != tool_rc_success) { +- LOG_ERR("Could not get ecc parameters!"); +- goto out; +- } +- +- rc = tpm2_readpublic(ectx, handle, &public, NULL, NULL); +- if (rc != tool_rc_success) { +- LOG_ERR("Could not read public!"); +- goto out; +- } +- +- UINT16 key_nbytes = parameters->keySize/8; +- if (public->publicArea.type != TPM2_ALG_ECC || +- public->publicArea.parameters.eccDetail.curveID != TPM2_ECC_SM2_P256 || +- public->publicArea.unique.ecc.x.size != key_nbytes || +- public->publicArea.unique.ecc.y.size != key_nbytes) { +- LOG_ERR("invalid sm2 public key!"); +- rc = tool_rc_general_error; +- goto out; +- } +- +- BYTE idbits[2]; +- idbits[0] = ((idlen * 8) >> 8) % 256; +- idbits[1] = (idlen * 8) % 256; +- +- UINT16 total_size = sizeof(idbits) + idlen + 6 * key_nbytes; +- +- id_input = (TPM2B *) calloc(1, sizeof(TPM2B) + total_size); +- if (id_input == NULL) { +- LOG_ERR("Could not calloc memory!"); +- rc = tool_rc_general_error; +- goto out; +- } +- +- id_input->size = total_size; +- +- UINT16 pos = 0; +- memcpy(id_input->buffer + pos, idbits, sizeof(idbits)); +- pos += sizeof(idbits); +- memcpy(id_input->buffer + pos, id, idlen); +- pos += idlen; +- memcpy(id_input->buffer + pos, parameters->a.buffer, key_nbytes); +- pos += key_nbytes; +- memcpy(id_input->buffer + pos, parameters->b.buffer, key_nbytes); +- pos += key_nbytes; +- memcpy(id_input->buffer + pos, parameters->gX.buffer, key_nbytes); +- pos += key_nbytes; +- memcpy(id_input->buffer + pos, parameters->gY.buffer, key_nbytes); +- pos += key_nbytes; +- memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.x.buffer, key_nbytes); +- pos += key_nbytes; +- memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.y.buffer, key_nbytes); +- +- rc = tpm2_hash_compute_data(ectx, TPM2_ALG_SM3_256, TPM2_RH_OWNER, +- id_input->buffer, id_input->size, &tmp_digest, NULL); +- if (rc != tool_rc_success) { +- goto out; +- } +- +- *result = *tmp_digest; +- +-out: +- free(id_input); +- Esys_Free(public); +- Esys_Free(tmp_digest); +- Esys_Free(parameters); +- return rc; +-} +diff --git a/lib/tpm2_alg_util.h b/lib/tpm2_alg_util.h +index 83cecb1..ae5e3fb 100644 +--- a/lib/tpm2_alg_util.h ++++ b/lib/tpm2_alg_util.h +@@ -239,31 +239,4 @@ bool tpm2_alg_util_is_sm4_size_valid(UINT16 size_in_bytes); + */ + TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle); + +-#define SM2_MAX_ID_BITS 65535 +-#define SM2_MAX_ID_LENGTH (SM2_MAX_ID_BITS/8) +-#define SM2_DEFAULT_ID_GMT09 "1234567812345678" +-#define SM2_DEFAULT_ID SM2_DEFAULT_ID_GMT09 +-#define SM2_DEFAULT_ID_LENGTH (sizeof(SM2_DEFAULT_ID) - 1) +- +-/** +- * Given an ESYS_TR handle to an object, retrieves ecc sm2 parameters +- * with making a geteccparameters call, retrieves the public key with +- * making a readpublic call, and compute id digest. +- * +- * @param ectx +- * The ESAPI context. +- * @param handle +- * The handle of the object to query. +- * @param id +- * sm2 id. +- * @param idlen +- * sm2 id length. +- * @param result +- * sm2 id digest output. +- * @return +- * tool_rc indicating status. +- */ +-tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle, +- const char *id, size_t idlen, TPM2B_DIGEST *result); +- + #endif /* LIB_TPM2_ALG_UTIL_H_ */ +diff --git a/lib/tpm2_hash.c b/lib/tpm2_hash.c +index c0ad2bc..a3c0dd7 100644 +--- a/lib/tpm2_hash.c ++++ b/lib/tpm2_hash.c +@@ -134,130 +134,3 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, + return tpm2_hash_common(ectx, halg, hierarchy, input, NULL, 0, result, + validation); + } +- +-static tool_rc tpm2_sm2_compute_msg_digest(ESYS_CONTEXT *ectx, +- TPMI_ALG_HASH halg, TPMI_RH_HIERARCHY hierarchy, FILE *infilep, +- BYTE *inbuffer, UINT16 inbuffer_len, TPM2B_DIGEST *z_digest, +- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { +- +- /* if we're using infilep, get file size */ +- bool use_left = true; +- unsigned long left = inbuffer_len; +- if (!!infilep) { +- /* Suppress error reporting with NULL path */ +- use_left = files_get_file_size(infilep, &left, NULL); +- } +- +- TPM2B_MAX_BUFFER buffer = {0}; +- if (z_digest->size <= BUFFER_SIZE(typeof(*z_digest), buffer)) { +- buffer.size = z_digest->size; +- memcpy(buffer.buffer, z_digest->buffer, z_digest->size); +- } else { +- return tool_rc_general_error; +- } +- +- /* +- * length is either unknown because the FILE * is a fifo, or it's too +- * big to do in a single hash call. Based on the size figure out the +- * chunks to loop over, if possible. This way we can call Complete with +- * data. +- */ +- TPMI_DH_OBJECT sequence_handle; +- TPM2B_AUTH null_auth = TPM2B_EMPTY_INIT; +- tool_rc rc = tpm2_hash_sequence_start(ectx, &null_auth, halg, &sequence_handle); +- if (rc != tool_rc_success) { +- return rc; +- } +- +- rc = tpm2_sequence_update(ectx, sequence_handle, &buffer); +- if (rc != tool_rc_success) { +- return rc; +- } +- /* If we know the file size, we decrement the amount read and terminate +- * the loop when 1 block is left, else we go till feof. +- */ +- bool done = false; +- if (use_left && left <= TPM2_MAX_DIGEST_BUFFER) { +- done = true; +- } else { +- done = false; +- } +- +- size_t bytes_read; +- while (!done) { +- /* if we're using infilep, read the file. Otherwise, directly +- copy into our local buffer. */ +- buffer.size = BUFFER_SIZE(typeof(buffer), buffer); +- if (!!infilep) { +- bytes_read = fread(buffer.buffer, 1, buffer.size, infilep); +- if (ferror(infilep)) { +- LOG_ERR("Error reading from input file"); +- return tool_rc_general_error; +- } else { +- buffer.size = bytes_read; +- } +- } else { +- memcpy(buffer.buffer, inbuffer, buffer.size); +- inbuffer = inbuffer + buffer.size; +- } +- +- rc = tpm2_sequence_update(ectx, sequence_handle, &buffer); +- if (rc != tool_rc_success) { +- return rc; +- } +- +- if (use_left) { +- left -= buffer.size; +- if (left <= TPM2_MAX_DIGEST_BUFFER) { +- done = true; +- continue; +- } +- } else if (!!infilep && feof(infilep)) { +- done = true; +- } +- } /* end file read/hash update loop */ +- +- /* if there is data left, get the last bit of data from the file or +- buffer or set the size to zero */ +- if (use_left) { +- buffer.size = left; +- if (!!infilep) { +- bool res = files_read_bytes(infilep, buffer.buffer, buffer.size); +- if (!res) { +- LOG_ERR("Error reading from input file."); +- return tool_rc_general_error; +- } +- } else { +- memcpy(buffer.buffer, inbuffer, buffer.size); +- } +- } else { +- buffer.size = 0; +- } +- +- return tpm2_sequence_complete(ectx, sequence_handle, +- &buffer, hierarchy, result, validation); +-} +- +-tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, +- TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length, +- TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { +- +- if (!buffer || !z) { +- return tool_rc_general_error; +- } +- +- return tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, NULL, buffer, length, +- z, result, validation); +-} +- +-tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, +- TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z, +- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { +- +- if (!input || !z) { +- return tool_rc_general_error; +- } +- +- return tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, input, NULL, 0, z, +- result, validation); +-} +diff --git a/lib/tpm2_hash.h b/lib/tpm2_hash.h +index ac4729b..12e8e0b 100644 +--- a/lib/tpm2_hash.h ++++ b/lib/tpm2_hash.h +@@ -53,53 +53,4 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, + TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST **result, + TPMT_TK_HASHCHECK **validation); + +-/** +- * Hashes a BYTE array via the tpm. +- * @param context +- * The esapi context. +- * @param hash_alg +- * The hashing algorithm to use. +- * @param hierarchy +- * The hierarchy. +- * @param buffer +- * The data to hash. +- * @param length +- * The length of the data. +- * @param input +- * The sm2 id digest. +- * @param result +- * The digest result. +- * @param validation +- * The validation ticket. Note that some hierarchies don't produce a +- * validation ticket and thus size will be 0. +- * @return +- * A tool_rc indicating status. +- */ +-tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, +- TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length, +- TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation); +- +-/** +- * Hashes a FILE * object via the tpm. +- * @param context +- * The esapi context. +- * @param hash_alg +- * The hashing algorithm to use. +- * @param hierarchy +- * The hierarchy. +- * @param input +- * The FILE object to hash. +- * @param input +- * The sm2 id digest. +- * @param result +- * The digest result. +- * @param validation +- * The validation ticket. Note that some hierarchies don't produce a +- * validation ticket and thus size will be 0. +- * @return +- * A tool_rc indicating status. +- */ +-tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, +- TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z, +- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation); + #endif /* SRC_TPM_HASH_H_ */ +diff --git a/tools/tpm2_sign.c b/tools/tpm2_sign.c +index 7c7b3ce..77d7c2a 100644 +--- a/tools/tpm2_sign.c ++++ b/tools/tpm2_sign.c +@@ -140,20 +140,8 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { + return tool_rc_general_error; + } + +- if (ctx.in_scheme.scheme == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) { +- TPM2B_DIGEST z_digest; +- rc = tpm2_alg_util_sm2_compute_id_digest(ectx, ctx.signing_key.object.tr_handle, +- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest); +- if (rc != tool_rc_success) { +- LOG_ERR("Sign could not compute id digest"); +- } else { +- rc = tpm2_sm2_compute_msg_digest_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &z_digest, +- &ctx.digest, &temp_validation_ticket); +- } +- } else { +- rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest, +- &temp_validation_ticket); +- } ++ rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest, ++ &temp_validation_ticket); + if (input != stdin) { + fclose(input); + } +diff --git a/tools/tpm2_verifysignature.c b/tools/tpm2_verifysignature.c +index a0f7607..240165d 100644 +--- a/tools/tpm2_verifysignature.c ++++ b/tools/tpm2_verifysignature.c +@@ -158,20 +158,8 @@ static tool_rc init(ESYS_CONTEXT *context) { + goto err; + } + +- if (ctx.signature.sigAlg == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) { +- TPM2B_DIGEST z_digest; +- tmp_rc = tpm2_alg_util_sm2_compute_id_digest(context, ctx.key_context_object.tr_handle, +- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest); +- if (tmp_rc != tool_rc_success) { +- LOG_ERR("Verify could not compute id digest"); +- } else { +- tmp_rc = tpm2_sm2_compute_msg_digest_data(context, ctx.halg, TPM2_RH_NULL, +- msg->buffer, msg->size, &z_digest, &ctx.msg_hash, NULL); +- } +- } else { +- tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL, +- msg->buffer, msg->size, &ctx.msg_hash, NULL); +- } ++ tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL, ++ msg->buffer, msg->size, &ctx.msg_hash, NULL); + if (tmp_rc != tool_rc_success) { + rc = tmp_rc; + LOG_ERR("Compute message hash failed!"); +-- +2.17.1 + diff --git a/tpm2-tools.spec b/tpm2-tools.spec index 005acba71e4799f1d11c880db2b1d2dcb7f227ed..8c63723d2b574d873bd3aec35e17dc72223977d7 100644 --- a/tpm2-tools.spec +++ b/tpm2-tools.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 Name: tpm2-tools Version: 5.5 @@ -9,6 +9,8 @@ License: BSD URL: https://github.com/tpm2-software/tpm2-tools Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz +Patch0: 0001-revert-sm2-sign-and-verifysignature.patch + BuildRequires: make BuildRequires: gcc-c++ BuildRequires: libtool @@ -61,5 +63,8 @@ Doc files for %{name} %doc docs/README.md docs/CHANGELOG.md %changelog +* Thu Dec 28 2023 chench -5.5-2 +- revert sm2 sign and verifysignature from upstream + * Tue Mar 21 2023 Chunmei Xu - 5.5-1 - init from upstream