Update some demos

demos/sdf/README.md

@@ -0,0 +1,14 @@
+# SDF Demos
+
+ - sdf-dev.sh        - open device
+ - sdf-sm1.sh        - encrypt/decrypt with sm1
+ - sdf-sm2enc.sh     - encypt with sm2
+ - sdf-sm2sign.sh    - sm2 sign/verify
+ - sdf-sm3.sh        - sm3 test
+ - sdf-sm4.sh        - sm4
+ - sdf-ssf33.sh      - ssf33
+ - sdf-ssl-server.sh - TLS 1.2 server
+ - sdf-zuc.sh        - zuc
+ - sdf.c             - sdf open device
+ - sdf.cnf           - configuration file for sdf engine
+

demos/sdf/sdf-dev.sh

@@ -0,0 +1,18 @@
+#!/bin/bash -x
+
+
+SO_PATH="./libsdf.so"
+
+echo "[Commands]"
+gmssl engine sdf -vvvv
+echo "[Capabilities]"
+gmssl engine sdf -c
+
+echo "[Change Device Label and Auth key]"
+gmssl engine sdf -pre SO_PATH:$SO_PATH -pre OPEN_DEV
+#gmssl engine sdf -pre SO_PATH:$SO_PATH -pre OPEN_DEV -pre OPEN_CONTAINER:1
+
+echo "[Import/Export File]"
+gmssl engine sdf -pre SO_PATH:$SO_PATH -pre IMPORT_FILE:localhost-signcer.pem
+
+

demos/sdf/sdf-sm1.sh

@@ -0,0 +1,16 @@
+#!/bin/bash -x
+
+#key=00000000000000000000000000000000
+#iv=00000000000000000000000000000000
+
+key=12345678123456781234567812345678
+iv=12345678123456781234567812345678
+plaintext="This is the plaintext message."
+
+# FIXME: sm1/ssf33 is unkonwn to enc command
+ciphertext=`echo $plaintext | sudo gmssl enc -sm1 -engine sdf -K $key -iv $iv -a`
+plaintext=`echo $ciphertext | sudo gmssl enc -sm1 -d -engine sdf -K $key -iv $iv -a`
+
+echo "Ciphertext: $ciphertext"
+echo "Plaintext: $plaintext"
+

demos/sdf/sdf-sm2enc.sh

@@ -0,0 +1,21 @@
+#!/bin/bash -x
+
+echo "######################################################################"
+echo "#                                                                    #"
+echo "#                Default PIN:  11111111                              #"
+echo "#                                                                    #"
+echo "######################################################################"
+
+echo "secret" | \
+  sudo gmssl pkeyutl -encrypt -engine sdf -keyform engine -inkey ecc_1.exch -out sm2ciphertext.der
+
+# export the public key of the default encrypt/keyexchagne SM2 private key
+# the default ID of the key container is `ecc_1.exch`
+sudo gmssl pkey -engine sdf -inform engine -in ecc_1.exch -pubout -out sm2enckey.pem
+
+echo "secret" | \
+  gmssl pkeyutl -encrypt -pkeyopt ec_scheme:sm2 -pkeyopt ec_encrypt_param:sm3 -pubin -inkey sm2enckey.pem -out sm2ciphertext2.der
+
+sudo gmssl pkeyutl -decrypt -engine sdf -keyform engine -inkey ecc_1.exch -in sm2ciphertext.der
+sudo gmssl pkeyutl -decrypt -engine sdf -keyform engine -inkey ecc_1.exch -in sm2ciphertext2.der
+

demos/sdf/sdf-sm2sign.sh

@@ -0,0 +1,20 @@
+#!/bin/bash -x
+#
+# FIXME: if App already exist, this script will fail.
+#
+
+
+VERBOSE=2
+SO_PATH="./libsdf.so"
+LABEL="MySKF"
+APPNAME="MyApp1"
+APPNAME2="MyApp2"
+
+echo "[Sign/Verify with SM2 Container]"
+echo "abc" | gmssl sm3 -binary | sudo gmssl pkeyutl -sign -pkeyopt ec_scheme:sm2 -engine sdf  -keyform engine -inkey ecc_1.sign -out sm2.sig
+echo "abc" | gmssl sm3 -binary | sudo gmssl pkeyutl -verify -pkeyopt ec_scheme:sm2 -engine sdf  -keyform engine -inkey ecc_1.sign -sigfile sm2.sig
+
+echo "[Verify with exported SM2 Verification Public Key]"
+sudo gmssl pkey -engine sdf -inform engine -in ecc_1.sign -pubout -out sm2vkey.pem
+echo "abc" | gmssl sm3 -binary | gmssl pkeyutl -verify -pkeyopt ec_scheme:sm2 -pubin -inkey sm2vkey.pem -sigfile sm2.sig
+

demos/sdf/sdf-sm3.sh

@@ -0,0 +1,3 @@
+#!/bin/bash -x
+
+echo -n abc | sudo gmssl dgst -sm3 -engine sdf -engine_impl # -r

demos/sdf/sdf-sm4.sh

@@ -0,0 +1,14 @@
+#!/bin/bash -x
+
+#key=00000000000000000000000000000000
+#iv=00000000000000000000000000000000
+
+key=12345678123456781234567812345678
+iv=12345678123456781234567812345678
+plaintext="This is the plaintext message."
+
+ciphertext=`echo $plaintext | sudo gmssl sms4 -K $key -iv $iv -a`
+
+echo $ciphertext
+echo $plaintext | sudo gmssl sms4 -engine sdf -K $key -iv $iv -a
+echo $ciphertext | sudo gmssl sms4 -d -engine sdf -K $key -iv $iv -a

demos/sdf/sdf-ssf33.sh

@@ -0,0 +1,16 @@
+#!/bin/bash -x
+
+#key=00000000000000000000000000000000
+#iv=00000000000000000000000000000000
+
+key=12345678123456781234567812345678
+iv=12345678123456781234567812345678
+plaintext="This is the plaintext message."
+
+# FIXME: sm1/ssf33 is unkonwn to enc command
+ciphertext=`echo $plaintext | sudo gmssl enc -sm1 -engine sdf -K $key -iv $iv -a`
+plaintext=`echo $ciphertext | sudo gmssl enc -sm1 -d -engine sdf -K $key -iv $iv -a`
+
+echo "Ciphertext: $ciphertext"
+echo "Plaintext: $plaintext"
+

demos/sdf/sdf-ssl-server.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# `-trace` option require `.config enable-ssl-trace`
+
+#trace="-trace"
+
+#sudo gmssl s_server -tls1_2 -unlink -port 443 -cipher SM2 -engine sdf -keyform ENGINE -key ecc_1.sign -cert localhost-signcer.pem  -msg -rev 
+sudo gmssl s_server -rev $trace -tls1_2 -unlink -port 4433 -cipher SM2  -engine sdf -keyform ENGINE -cert localhost.pem -key ecc_1.sign

demos/sdf/sdf-zuc.sh

@@ -0,0 +1,16 @@
+#!/bin/bash -x
+
+#key=00000000000000000000000000000000
+#iv=00000000000000000000000000000000
+
+key=12345678123456781234567812345678
+iv=12345678123456781234567812345678
+plaintext="This is the plaintext message."
+
+# FIXME: sm1/ssf33 is unkonwn to enc command
+ciphertext=`echo $plaintext | sudo gmssl enc -sm1 -engine sdf -K $key -iv $iv -a`
+plaintext=`echo $ciphertext | sudo gmssl enc -sm1 -d -engine sdf -K $key -iv $iv -a`
+
+echo "Ciphertext: $ciphertext"
+echo "Plaintext: $plaintext"
+

demos/sdf/sdf.cnf

@@ -0,0 +1,16 @@
+# conf file for gmssl sdf engine
+openssl_conf = openssl_init
+
+[openssl_init]
+engines = engine_section
+
+[engine_section]
+sdf = sdf_section
+
+[sdf_section]
+engine_id = sdf
+SO_PATH = ./libswsds.so
+VENDOR = sansec
+OPEN_DEV =
+init = 1
+

demos/sm2/Makefile

@@ -1,15 +1,25 @@
 all:
-	gcc keygen.c -L /usr/local/lib -lcrypto -o keygen
-	gcc keygen.c -DENCRYPT_KEY -DNO_PROMPT -L /usr/local/lib -lcrypto -o keygen-enc
-	gcc keygen.c -DENCRYPT_KEY -L /usr/local/lib -lcrypto -o keygen-enc-prompt
+	gcc sm2-keygen.c -L /usr/local/lib -lcrypto -o sm2-keygen
+	gcc sm2-keygen.c -DENCRYPT_KEY -DNO_PROMPT -L /usr/local/lib -lcrypto -o sm2-keygen-enc
+	gcc sm2-keygen.c -DENCRYPT_KEY -L /usr/local/lib -lcrypto -o sm2-keygen-enc-prompt
+	gcc sm2-sign.c -L /usr/local/lib -lcrypto -o sm2-sign
+	gcc sm2-encrypt.c -L /usr/local/lib -lcrypto -o sm2-encrypt
 
 test:
-	./keygen
-	./keygen-enc
-	./keygen-enc-prompt
+	./sm2-keygen
+	echo
+	./sm2-keygen-enc
+	echo
+	#./sm2-keygen-enc-prompt
+	./sm2-sign
+	echo
+	./sm2-encrypt
+	echo
 
 clean:
 	rm -fr a.out
-	rm -fr keygen
-	rm -fr keygen-enc
-	rm -fr keygen-enc-prompt
+	rm -fr sm2-keygen
+	rm -fr sm2-keygen-enc
+	rm -fr sm2-keygen-enc-prompt
+	rm -fr sm2-sign
+	rm -fr sm2-encrypt

demos/sm2/sm2-encrypt.c

@@ -0,0 +1,75 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <libgen.h>
+#include <openssl/ec.h>
+#include <openssl/sm2.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/is_gmssl.h>
+
+
+int main(int argc, char **argv)
+{
+	int ret = -1;
+	EC_KEY *ec_key = NULL;
+	unsigned char key[64];
+	unsigned char cbuf[1024];
+	unsigned char pbuf[1024] = {0};
+	size_t clen = sizeof(cbuf);
+	size_t plen = sizeof(pbuf);
+	int i;
+
+	/* generate sm2 key pair */
+	if (!(ec_key = EC_KEY_new_by_curve_name(NID_sm2p256v1))
+		|| !EC_KEY_generate_key(ec_key)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+
+	/* generate to be encrypted symmetric key
+	 * Notice: sm2 encrypt should only be used to encrypt short data
+	 */
+	if (!RAND_bytes(key, sizeof(key))) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+
+	printf("M = ");
+	for (i = 0; i < sizeof(key); i++) {
+		printf("%02X", key[i]);
+	}
+	printf("\n");
+
+	/* sm2 encrypt, hash algorithm is required for KDF */
+	if (!SM2_encrypt(NID_sm3, key, sizeof(key), cbuf, &clen, ec_key)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+
+	printf("C = ");
+	for (i = 0; i < clen; i++) {
+		printf("%02X", cbuf[i]);
+	}
+	printf("\n");
+
+	/* sm2 decrypt */
+	if (!SM2_decrypt(NID_sm3, cbuf, clen, pbuf, &plen, ec_key)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+
+	printf("M' = ");
+	for (i = 0; i < plen; i++) {
+		printf("%02X", pbuf[i]);
+	}
+	printf("\n");
+
+	ret = 0;
+
+end:
+	EC_KEY_free(ec_key);
+	return ret;
+}

demos/sm2/sm2-sign.c

@@ -0,0 +1,65 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <libgen.h>
+#include <openssl/ec.h>
+#include <openssl/sm2.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/is_gmssl.h>
+
+
+int main(int argc, char **argv)
+{
+	int ret = -1;
+	EC_KEY *ec_key = NULL;
+	char *id = "Alice";
+	unsigned char msg[] = "This is the message to be signed";
+	unsigned char dgst[EVP_MAX_MD_SIZE];
+	size_t dgstlen = sizeof(dgst);
+	unsigned char sig[256];
+	unsigned int siglen = sizeof(sig);
+	int i;
+
+	if (!(ec_key = EC_KEY_new_by_curve_name(NID_sm2p256v1))
+		|| !EC_KEY_generate_key(ec_key)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+
+	printf("M = %s\n", (char *)msg);
+	printf("ID = %s\n", id);
+
+	if (!SM2_compute_message_digest(EVP_sm3(), EVP_sm3(), msg, sizeof(msg),
+		id, strlen(id), dgst, &dgstlen, ec_key)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+	printf("H(Z||M) = ");
+	for (i = 0; i < dgstlen; i++) {
+		printf("%02X", dgst[i]);
+	}
+	printf("\n");
+
+	if (!SM2_sign(NID_undef, dgst, dgstlen, sig, &siglen, ec_key)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+	printf("Signature = ");
+	for (i = 0; i < siglen; i++) {
+		printf("%02X", sig[i]);
+	}
+	printf("\n");
+
+	if (1 != SM2_verify(NID_undef, dgst, dgstlen, sig, siglen, ec_key)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+	printf("Verification Success!\n");
+
+	ret = 0;
+
+end:
+	EC_KEY_free(ec_key);
+	return ret;
+}

demos/sm4/Makefile

@@ -1,11 +1,14 @@
 all:
 	gcc sms4.c -L /usr/local/lib -lcrypto -o sms4
 	gcc sms4.c -DUSE_RANDOM -L /usr/local/lib -lcrypto -o sms4rnd
+	gcc sms4evp.c -DMSG_LEN=20 -L /usr/local/lib -lcrypto -o sms4evp
 
 test:
 	./sms4
 	./sms4rnd
+	./sms4evp
 
 clean:
 	rm -fr sms4
 	rm -fr sms4rnd
+	rm -fr sms4evp

demos/sm4/sms4.c

@@ -61,6 +61,16 @@
 #include <openssl/is_gmssl.h>
 
 
+static void print_buf(const char *s, const unsigned char *buf, size_t buflen)
+{
+	int i;
+	printf("%s = ", s);
+	for (i = 0; i < buflen; i++) {
+		printf("%02X", buf[i]);
+	}
+	printf("\n");
+}
+
 int main(int argc, char **argv)
 {
 	sms4_key_t sms4;
@@ -76,17 +86,8 @@ int main(int argc, char **argv)
 	}
 #endif
 
-	printf("key              = ");
-	for (i = 0; i < sizeof(key); i++) {
-		printf("%02X", key[i]);
-	}
-	printf("\n");
-
-	printf("plaintext block  = ");
-	for (i = 0; i < sizeof(block); i++) {
-		printf("%02X", block[i]);
-	}
-	printf("\n");
+	print_buf("key", key, sizeof(key));
+	print_buf("plaintext block", block, sizeof(block));
 
 	/* expand key for encryption */
 	sms4_set_encrypt_key(&sms4, key);
@@ -94,11 +95,7 @@ int main(int argc, char **argv)
 	/* encrypt a block */
 	sms4_encrypt(block, block, &sms4);
 
-	printf("ciphertext block = ");
-	for (i = 0; i < sizeof(block); i++) {
-		printf("%02X", block[i]);
-	}
-	printf("\n");
+	print_buf("ciphertext block", block, sizeof(block));
 
 	/* expand key for decryption */
 	sms4_set_decrypt_key(&sms4, key);
@@ -106,11 +103,7 @@ int main(int argc, char **argv)
 	/* decrypt a block */
 	sms4_decrypt(block, block, &sms4);
 
-	printf("decrypted block  = ");
-	for (i = 0; i < sizeof(block); i++) {
-		printf("%02X", block[i]);
-	}
-	printf("\n");
+	print_buf("decrypted block", block, sizeof(block));
 
 	return 0;
 }

demos/sm4/sms4evp.c

@@ -0,0 +1,155 @@
+/* ====================================================================
+ * Copyright (c) 2014 - 2018 The GmSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+/*
+ * This sm4 demo use the EVP API.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <libgen.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/sms4.h>
+#include <openssl/is_gmssl.h>
+
+static void print_buf(const char *s, const unsigned char *buf, size_t buflen)
+{
+	int i;
+	printf("%s = ", s);
+	for (i = 0; i < buflen; i++) {
+		printf("%02X", buf[i]);
+	}
+	printf("\n");
+}
+
+int main(int argc, char **argv)
+{
+	int ret = -1;
+	EVP_CIPHER_CTX *ctx = NULL;
+	const EVP_CIPHER *cipher = EVP_sms4_cbc();
+	unsigned char key[SMS4_KEY_LENGTH] = {0};
+	unsigned char iv[SMS4_IV_LENGTH] = {0};
+	unsigned char msg[MSG_LEN];
+	unsigned char cbuf[sizeof(msg) + SMS4_BLOCK_SIZE];
+	unsigned char pbuf[sizeof(cbuf)];
+	unsigned int clen, plen;
+	int len;
+
+	/* generate random key/iv/msg */
+	if (!RAND_bytes(key, sizeof(key))
+		|| !RAND_bytes(iv, sizeof(iv))
+		|| !RAND_bytes(msg, sizeof(msg))) {
+		ERR_print_errors_fp(stderr);
+		return -1;
+	}
+
+	print_buf("key", key, sizeof(key));
+	print_buf("iv", iv, sizeof(iv));
+	print_buf("msg", msg, sizeof(msg));
+
+	/* create encrypt/decrypt context */
+	if (!(ctx = EVP_CIPHER_CTX_new())) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+
+
+	/* encrypt */
+	if (!EVP_EncryptInit(ctx, cipher, key, iv)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+
+	clen = 0;
+
+	if (!EVP_EncryptUpdate(ctx, cbuf, &len, msg, sizeof(msg))) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+	clen += len;
+
+	if (!EVP_EncryptFinal(ctx, cbuf + len, &len)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+	clen += len;
+
+	print_buf("ciphertext", cbuf, clen);
+
+	/* decrypt */
+	if (!EVP_DecryptInit(ctx, cipher, key, iv)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+
+	plen = 0;
+
+	if (!EVP_DecryptUpdate(ctx, pbuf, &len, cbuf, clen)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+	plen += len;
+
+	if (!EVP_DecryptFinal(ctx, pbuf + len, &len)) {
+		ERR_print_errors_fp(stderr);
+		goto end;
+	}
+	plen += len;
+
+	print_buf("decrypted", pbuf, plen);
+
+	ret = 0;
+
+end:
+	EVP_CIPHER_CTX_free(ctx);
+	return ret;
+}