Merge pull request #567 from dongbeiouba/feature/sm2_threshold

Support SM2 two-party threshold signature

.github/workflows/ci.yml

@@ -391,3 +391,17 @@ jobs:
       - name: check dirty
         run: test $(git status --porcelain | wc -l) -eq "0"
 
+  sm2-threshold-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: config
+        run: CC=clang ./config --strict-warnings --debug -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY enable-sm2_threshold && perl configdata.pm --dump
+      - name: make
+        run: make -s -j4
+      - name: make test
+        run: make test
+      - name: make clean
+        run: make clean
+      - name: check dirty
+        run: test $(git status --porcelain | wc -l) -eq "0"

.github/workflows/coveralls.yml

@@ -22,7 +22,13 @@ jobs:
       run: |
         sudo apt-get -yq install lcov
     - name: config
-      run: CC=gcc ./config --banner=Configured --debug --coverage no-asm enable-rc5 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-ec_sm2p_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION enable-ntls enable-cert-compression enable-delegated-credential enable-status enable-ec_elgamal enable-paillier
+      run: |
+        CC=gcc ./config --banner=Configured --debug --coverage no-asm enable-rc5 enable-ssl3 enable-nextprotoneg \
+            enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-ec_sm2p_64_gcc_128 \
+            no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
+            enable-ntls enable-cert-compression enable-delegated-credential enable-status enable-ec_elgamal \
+            enable-paillier enable-sm2_threshold
+
     - name: config dump
       run: ./configdata.pm --dump
     - name: make

.github/workflows/run-checker-daily.yml

@@ -119,6 +119,7 @@ jobs:
           enable-ec_elgamal enable-twisted_ec_elgamal,
           enable-bulletproofs,
           enable-bulletproofs enable-nizk enable-zkp-gadget enable-ec_elgamal enable-twisted_ec_elgamal,
+          enable-sm2_threshold,
           -DOPENSSL_NO_BUILTIN_OVERFLOW_CHECKING
         ]
     runs-on: ubuntu-latest

.github/workflows/static-analysis.yml

@@ -1,4 +1,11 @@
-# Copyright 2023 The Tongsuo Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# Copyright 2023-2024 The Tongsuo Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -27,7 +34,12 @@ jobs:
              --post-data "token=${{ secrets.COVERITY_TOKEN }}&project=Tongsuo-Project%2FTongsuo" \
              --progress=dot:giga -O coverity_tool.tgz
     - name: config
-      run: CC=gcc ./config --banner=Configured --debug enable-ntls enable-smtc enable-smtc-debug enable-rc5 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests enable-ec_elgamal enable-twisted_ec_elgamal enable-paillier enable-cert-compression enable-delegated-credential enable-bn-method enable-bulletproofs enable-nizk enable-zkp-gadget -DPEDANTIC
+      run: |
+        CC=gcc ./config --banner=Configured --debug enable-ntls enable-smtc enable-smtc-debug enable-rc5 enable-ssl3 \
+        enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared \
+        enable-buildtest-c++ enable-external-tests enable-ec_elgamal enable-twisted_ec_elgamal enable-paillier \
+        enable-cert-compression enable-delegated-credential enable-bn-method enable-bulletproofs enable-nizk \
+        enable-zkp-gadget enable-sm2_threshold -DPEDANTIC
     - name: config dump
       run: ./configdata.pm --dump
     - name: tool install

CHANGES

@@ -4,6 +4,8 @@
 
  Changes between 8.4.0 and 8.5.0 [xx XXX xxxx]
 
+  *) 增加SM2两方门限签名算法 [with work originated from FullyRobert]
+
   *) 修复CVE-2023-4807
 
   *) 修复CVE-2023-5363

Configure

@@ -479,6 +479,7 @@ my @disablables = (
     "siphash",
     "siv",
     "sm2",
+    "sm2_threshold",
     "sm3",
     "sm4",
     "zuc",
@@ -566,6 +567,7 @@ our %disabled = ( # "what"         => "comment"
                   "ntls"                => "default",
                   "rc5"                 => "default",
                   "sctp"                => "default",
+                  "sm2_threshold"       => "default",
                   "ssl3"                => "default",
                   "ssl3-method"         => "default",
                   "trace"               => "default",
@@ -615,6 +617,7 @@ my @disable_cascades = (
     "ssl3-method"       => [ "ssl3" ],
     "zlib"              => [ "zlib-dynamic" ],
     "ec"                => [ "ec2m", "ecdsa", "ecdh", "sm2" ],
+    "sm2"               => [ "sm2_threshold" ],
     "ec_elgamal"        => [ "twisted_ec_elgamal" ],
     "dgram"             => [ "dtls", "sctp" ],
     "sock"              => [ "dgram" ],
@@ -1166,6 +1169,12 @@ if (!defined($disabled{'bn-method'})) {
     $config{api}=$apitable->{"1.1.1"};
 }
 
+if (!defined($disabled{'sm2_threshold'})) {
+    die "sm2_threshold only supports api with 1.1.1\n"
+        if ($config{api} && $config{api} != $apitable->{"1.1.1"});
+    $config{api}=$apitable->{"1.1.1"};
+}
+
 if (keys %deprecated_options)
         {
         warn "***** Deprecated options: ",

apps/build.info

@@ -71,6 +71,10 @@ IF[{- !$disabled{'smtc'} -}]
   $OPENSSLSRC=$OPENSSLSRC mod.c
 ENDIF
 
+IF[{- !$disabled{'sm2_threshold'} -}]
+  $OPENSSLSRC=$OPENSSLSRC sm2_threshold.c
+ENDIF
+
 IF[{- !$disabled{apps} -}]
   PROGRAMS=openssl
   SOURCE[openssl]=$INITSRC $OPENSSLSRC