From 6a6a3f048ddd1f3938748fcf5fd784a1a80bb8e3 Mon Sep 17 00:00:00 2001 From: chench Date: Thu, 28 Dec 2023 21:08:57 +0800 Subject: [PATCH] revert: sm2 sign and verifysignature commit 4b4e075858f36fd52334fd4656fe43ac9f4e5aef upstream. Although tpm2 tools sm2 sign and verifysignature conform to sm2 standard, sm2 only sign and verifysignature the digest in the tpm2. so keep pace with tpm2 and remove the code. Signed-off-by: chench --- ...-revert-sm2-sign-and-verifysignature.patch | 409 ++++++++++++++++++ tpm2-tools.spec | 7 +- 2 files changed, 415 insertions(+), 1 deletion(-) create mode 100644 0001-revert-sm2-sign-and-verifysignature.patch diff --git a/0001-revert-sm2-sign-and-verifysignature.patch b/0001-revert-sm2-sign-and-verifysignature.patch new file mode 100644 index 0000000..b9d080d --- /dev/null +++ b/0001-revert-sm2-sign-and-verifysignature.patch @@ -0,0 +1,409 @@ +From fb1df19b95fe5987a17903b6ae11b02b2e3dd543 Mon Sep 17 00:00:00 2001 +From: mayuanchen <94815698+mayuanchenma@users.noreply.github.com> +Date: Thu, 5 Jan 2023 21:46:55 +0800 +Subject: [PATCH] revert: sm2 sign and verifysignature. + +commit 4b4e075858f36fd52334fd4656fe43ac9f4e5aef upstream. + +Although tpm2 tools sm2 sign and verifysignature conform to sm2 standard, +sm2 only sign and verifysignature the digest in the tpm2. so keep pace +with tpm2 and remove the code. + +Signed-off-by: mayuanchen <94815698+mayuanchenma@users.noreply.github.com> +Change-Id: I574327e7ca0bf7089fc67d14b4bf87db4b555a68 +--- + lib/tpm2_alg_util.c | 93 ------------------------- + lib/tpm2_alg_util.h | 27 -------- + lib/tpm2_hash.c | 127 ----------------------------------- + lib/tpm2_hash.h | 49 -------------- + tools/tpm2_sign.c | 16 +---- + tools/tpm2_verifysignature.c | 16 +---- + 6 files changed, 4 insertions(+), 324 deletions(-) + +diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c +index 9b7f3d7..65739fc 100644 +--- a/lib/tpm2_alg_util.c ++++ b/lib/tpm2_alg_util.c +@@ -1145,96 +1145,3 @@ TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle) { + Esys_Free(name); + return name_alg; + } +- +-tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *id, size_t idlen, TPM2B_DIGEST *result) { +- +- TPMS_ALGORITHM_DETAIL_ECC *parameters = NULL; +- TPM2B_PUBLIC *public = NULL; +- TPM2B *id_input = NULL; +- TPM2B_DIGEST *tmp_digest = NULL; +- +- if (!id || !result) { +- return tool_rc_general_error; +- } +- +- /* 2-byte id length in bits */ +- if (strlen(id) != idlen) { +- LOG_ERR("invalid sm2 id!"); +- return tool_rc_general_error; +- } +- +- if (idlen > SM2_MAX_ID_LENGTH || idlen <= 0) { +- LOG_ERR("invalid id length!"); +- return tool_rc_general_error; +- } +- +- tool_rc rc = tpm2_geteccparameters(ectx, TPM2_ECC_SM2_P256, ¶meters, +- NULL, TPM2_ALG_NULL); +- if (rc != tool_rc_success) { +- LOG_ERR("Could not get ecc parameters!"); +- goto out; +- } +- +- rc = tpm2_readpublic(ectx, handle, &public, NULL, NULL); +- if (rc != tool_rc_success) { +- LOG_ERR("Could not read public!"); +- goto out; +- } +- +- UINT16 key_nbytes = parameters->keySize/8; +- if (public->publicArea.type != TPM2_ALG_ECC || +- public->publicArea.parameters.eccDetail.curveID != TPM2_ECC_SM2_P256 || +- public->publicArea.unique.ecc.x.size != key_nbytes || +- public->publicArea.unique.ecc.y.size != key_nbytes) { +- LOG_ERR("invalid sm2 public key!"); +- rc = tool_rc_general_error; +- goto out; +- } +- +- BYTE idbits[2]; +- idbits[0] = ((idlen * 8) >> 8) % 256; +- idbits[1] = (idlen * 8) % 256; +- +- UINT16 total_size = sizeof(idbits) + idlen + 6 * key_nbytes; +- +- id_input = (TPM2B *) calloc(1, sizeof(TPM2B) + total_size); +- if (id_input == NULL) { +- LOG_ERR("Could not calloc memory!"); +- rc = tool_rc_general_error; +- goto out; +- } +- +- id_input->size = total_size; +- +- UINT16 pos = 0; +- memcpy(id_input->buffer + pos, idbits, sizeof(idbits)); +- pos += sizeof(idbits); +- memcpy(id_input->buffer + pos, id, idlen); +- pos += idlen; +- memcpy(id_input->buffer + pos, parameters->a.buffer, key_nbytes); +- pos += key_nbytes; +- memcpy(id_input->buffer + pos, parameters->b.buffer, key_nbytes); +- pos += key_nbytes; +- memcpy(id_input->buffer + pos, parameters->gX.buffer, key_nbytes); +- pos += key_nbytes; +- memcpy(id_input->buffer + pos, parameters->gY.buffer, key_nbytes); +- pos += key_nbytes; +- memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.x.buffer, key_nbytes); +- pos += key_nbytes; +- memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.y.buffer, key_nbytes); +- +- rc = tpm2_hash_compute_data(ectx, TPM2_ALG_SM3_256, TPM2_RH_OWNER, +- id_input->buffer, id_input->size, &tmp_digest, NULL); +- if (rc != tool_rc_success) { +- goto out; +- } +- +- *result = *tmp_digest; +- +-out: +- free(id_input); +- Esys_Free(public); +- Esys_Free(tmp_digest); +- Esys_Free(parameters); +- return rc; +-} +diff --git a/lib/tpm2_alg_util.h b/lib/tpm2_alg_util.h +index 83cecb1..ae5e3fb 100644 +--- a/lib/tpm2_alg_util.h ++++ b/lib/tpm2_alg_util.h +@@ -239,31 +239,4 @@ bool tpm2_alg_util_is_sm4_size_valid(UINT16 size_in_bytes); + */ + TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle); + +-#define SM2_MAX_ID_BITS 65535 +-#define SM2_MAX_ID_LENGTH (SM2_MAX_ID_BITS/8) +-#define SM2_DEFAULT_ID_GMT09 "1234567812345678" +-#define SM2_DEFAULT_ID SM2_DEFAULT_ID_GMT09 +-#define SM2_DEFAULT_ID_LENGTH (sizeof(SM2_DEFAULT_ID) - 1) +- +-/** +- * Given an ESYS_TR handle to an object, retrieves ecc sm2 parameters +- * with making a geteccparameters call, retrieves the public key with +- * making a readpublic call, and compute id digest. +- * +- * @param ectx +- * The ESAPI context. +- * @param handle +- * The handle of the object to query. +- * @param id +- * sm2 id. +- * @param idlen +- * sm2 id length. +- * @param result +- * sm2 id digest output. +- * @return +- * tool_rc indicating status. +- */ +-tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle, +- const char *id, size_t idlen, TPM2B_DIGEST *result); +- + #endif /* LIB_TPM2_ALG_UTIL_H_ */ +diff --git a/lib/tpm2_hash.c b/lib/tpm2_hash.c +index c0ad2bc..a3c0dd7 100644 +--- a/lib/tpm2_hash.c ++++ b/lib/tpm2_hash.c +@@ -134,130 +134,3 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, + return tpm2_hash_common(ectx, halg, hierarchy, input, NULL, 0, result, + validation); + } +- +-static tool_rc tpm2_sm2_compute_msg_digest(ESYS_CONTEXT *ectx, +- TPMI_ALG_HASH halg, TPMI_RH_HIERARCHY hierarchy, FILE *infilep, +- BYTE *inbuffer, UINT16 inbuffer_len, TPM2B_DIGEST *z_digest, +- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { +- +- /* if we're using infilep, get file size */ +- bool use_left = true; +- unsigned long left = inbuffer_len; +- if (!!infilep) { +- /* Suppress error reporting with NULL path */ +- use_left = files_get_file_size(infilep, &left, NULL); +- } +- +- TPM2B_MAX_BUFFER buffer = {0}; +- if (z_digest->size <= BUFFER_SIZE(typeof(*z_digest), buffer)) { +- buffer.size = z_digest->size; +- memcpy(buffer.buffer, z_digest->buffer, z_digest->size); +- } else { +- return tool_rc_general_error; +- } +- +- /* +- * length is either unknown because the FILE * is a fifo, or it's too +- * big to do in a single hash call. Based on the size figure out the +- * chunks to loop over, if possible. This way we can call Complete with +- * data. +- */ +- TPMI_DH_OBJECT sequence_handle; +- TPM2B_AUTH null_auth = TPM2B_EMPTY_INIT; +- tool_rc rc = tpm2_hash_sequence_start(ectx, &null_auth, halg, &sequence_handle); +- if (rc != tool_rc_success) { +- return rc; +- } +- +- rc = tpm2_sequence_update(ectx, sequence_handle, &buffer); +- if (rc != tool_rc_success) { +- return rc; +- } +- /* If we know the file size, we decrement the amount read and terminate +- * the loop when 1 block is left, else we go till feof. +- */ +- bool done = false; +- if (use_left && left <= TPM2_MAX_DIGEST_BUFFER) { +- done = true; +- } else { +- done = false; +- } +- +- size_t bytes_read; +- while (!done) { +- /* if we're using infilep, read the file. Otherwise, directly +- copy into our local buffer. */ +- buffer.size = BUFFER_SIZE(typeof(buffer), buffer); +- if (!!infilep) { +- bytes_read = fread(buffer.buffer, 1, buffer.size, infilep); +- if (ferror(infilep)) { +- LOG_ERR("Error reading from input file"); +- return tool_rc_general_error; +- } else { +- buffer.size = bytes_read; +- } +- } else { +- memcpy(buffer.buffer, inbuffer, buffer.size); +- inbuffer = inbuffer + buffer.size; +- } +- +- rc = tpm2_sequence_update(ectx, sequence_handle, &buffer); +- if (rc != tool_rc_success) { +- return rc; +- } +- +- if (use_left) { +- left -= buffer.size; +- if (left <= TPM2_MAX_DIGEST_BUFFER) { +- done = true; +- continue; +- } +- } else if (!!infilep && feof(infilep)) { +- done = true; +- } +- } /* end file read/hash update loop */ +- +- /* if there is data left, get the last bit of data from the file or +- buffer or set the size to zero */ +- if (use_left) { +- buffer.size = left; +- if (!!infilep) { +- bool res = files_read_bytes(infilep, buffer.buffer, buffer.size); +- if (!res) { +- LOG_ERR("Error reading from input file."); +- return tool_rc_general_error; +- } +- } else { +- memcpy(buffer.buffer, inbuffer, buffer.size); +- } +- } else { +- buffer.size = 0; +- } +- +- return tpm2_sequence_complete(ectx, sequence_handle, +- &buffer, hierarchy, result, validation); +-} +- +-tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, +- TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length, +- TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { +- +- if (!buffer || !z) { +- return tool_rc_general_error; +- } +- +- return tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, NULL, buffer, length, +- z, result, validation); +-} +- +-tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, +- TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z, +- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { +- +- if (!input || !z) { +- return tool_rc_general_error; +- } +- +- return tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, input, NULL, 0, z, +- result, validation); +-} +diff --git a/lib/tpm2_hash.h b/lib/tpm2_hash.h +index ac4729b..12e8e0b 100644 +--- a/lib/tpm2_hash.h ++++ b/lib/tpm2_hash.h +@@ -53,53 +53,4 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, + TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST **result, + TPMT_TK_HASHCHECK **validation); + +-/** +- * Hashes a BYTE array via the tpm. +- * @param context +- * The esapi context. +- * @param hash_alg +- * The hashing algorithm to use. +- * @param hierarchy +- * The hierarchy. +- * @param buffer +- * The data to hash. +- * @param length +- * The length of the data. +- * @param input +- * The sm2 id digest. +- * @param result +- * The digest result. +- * @param validation +- * The validation ticket. Note that some hierarchies don't produce a +- * validation ticket and thus size will be 0. +- * @return +- * A tool_rc indicating status. +- */ +-tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, +- TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length, +- TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation); +- +-/** +- * Hashes a FILE * object via the tpm. +- * @param context +- * The esapi context. +- * @param hash_alg +- * The hashing algorithm to use. +- * @param hierarchy +- * The hierarchy. +- * @param input +- * The FILE object to hash. +- * @param input +- * The sm2 id digest. +- * @param result +- * The digest result. +- * @param validation +- * The validation ticket. Note that some hierarchies don't produce a +- * validation ticket and thus size will be 0. +- * @return +- * A tool_rc indicating status. +- */ +-tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, +- TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z, +- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation); + #endif /* SRC_TPM_HASH_H_ */ +diff --git a/tools/tpm2_sign.c b/tools/tpm2_sign.c +index 7c7b3ce..77d7c2a 100644 +--- a/tools/tpm2_sign.c ++++ b/tools/tpm2_sign.c +@@ -140,20 +140,8 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { + return tool_rc_general_error; + } + +- if (ctx.in_scheme.scheme == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) { +- TPM2B_DIGEST z_digest; +- rc = tpm2_alg_util_sm2_compute_id_digest(ectx, ctx.signing_key.object.tr_handle, +- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest); +- if (rc != tool_rc_success) { +- LOG_ERR("Sign could not compute id digest"); +- } else { +- rc = tpm2_sm2_compute_msg_digest_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &z_digest, +- &ctx.digest, &temp_validation_ticket); +- } +- } else { +- rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest, +- &temp_validation_ticket); +- } ++ rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest, ++ &temp_validation_ticket); + if (input != stdin) { + fclose(input); + } +diff --git a/tools/tpm2_verifysignature.c b/tools/tpm2_verifysignature.c +index a0f7607..240165d 100644 +--- a/tools/tpm2_verifysignature.c ++++ b/tools/tpm2_verifysignature.c +@@ -158,20 +158,8 @@ static tool_rc init(ESYS_CONTEXT *context) { + goto err; + } + +- if (ctx.signature.sigAlg == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) { +- TPM2B_DIGEST z_digest; +- tmp_rc = tpm2_alg_util_sm2_compute_id_digest(context, ctx.key_context_object.tr_handle, +- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest); +- if (tmp_rc != tool_rc_success) { +- LOG_ERR("Verify could not compute id digest"); +- } else { +- tmp_rc = tpm2_sm2_compute_msg_digest_data(context, ctx.halg, TPM2_RH_NULL, +- msg->buffer, msg->size, &z_digest, &ctx.msg_hash, NULL); +- } +- } else { +- tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL, +- msg->buffer, msg->size, &ctx.msg_hash, NULL); +- } ++ tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL, ++ msg->buffer, msg->size, &ctx.msg_hash, NULL); + if (tmp_rc != tool_rc_success) { + rc = tmp_rc; + LOG_ERR("Compute message hash failed!"); +-- +2.17.1 + diff --git a/tpm2-tools.spec b/tpm2-tools.spec index 005acba..8c63723 100644 --- a/tpm2-tools.spec +++ b/tpm2-tools.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 Name: tpm2-tools Version: 5.5 @@ -9,6 +9,8 @@ License: BSD URL: https://github.com/tpm2-software/tpm2-tools Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz +Patch0: 0001-revert-sm2-sign-and-verifysignature.patch + BuildRequires: make BuildRequires: gcc-c++ BuildRequires: libtool @@ -61,5 +63,8 @@ Doc files for %{name} %doc docs/README.md docs/CHANGELOG.md %changelog +* Thu Dec 28 2023 chench -5.5-2 +- revert sm2 sign and verifysignature from upstream + * Tue Mar 21 2023 Chunmei Xu - 5.5-1 - init from upstream -- Gitee