update gmapi

crypto/objects/objects.txt

@@ -1611,5 +1611,3 @@ ibcs1 3 4		: r-ate-pairing
 sm-scheme 1000		: cpk
 sm-scheme 1001		: paillier
 
-
-

crypto/saf/saf_app.c

@@ -98,6 +98,7 @@ int SAF_Finalize(
 
 	if (app->engine) {
 		ENGINE_finish(app->engine);
+		ENGINE_free(app->engine);
 	}
 
 	OPENSSL_free(app);

crypto/saf/saf_cert.c

@@ -54,7 +54,7 @@
 #include <openssl/conf.h>
 #include <openssl/gmsaf.h>
 #include "saf_lcl.h"
-
+#include "../../apps/apps.h"
 
 /* 7.2.2 */
 int SAF_AddTrustedRootCaCertificate(
@@ -62,7 +62,42 @@ int SAF_AddTrustedRootCaCertificate(
 	unsigned char *pucCertificate,
 	unsigned int uiCertificateLen)
 {
-	return SAR_NotSupportYetErr;
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+	X509 *x509 = NULL;
+	BIO *bio = NULL;
+
+	if (!hAppHandle || !pucCertificate) {
+		SAFerr(SAF_F_SAF_ADDTRUSTEDROOTCACERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (uiCertificateLen <= 0 || uiCertificateLen > INT_MAX) {
+		SAFerr(SAF_F_SAF_ADDTRUSTEDROOTCACERTIFICATE, SAF_R_INVALID_INPUT_LENGTH);
+		return SAR_IndataLenErr;
+	}
+
+	if (!(bio = BIO_new_file(app->rootcacerts, "a"))) {
+		SAFerr(SAF_F_SAF_ADDTRUSTEDROOTCACERTIFICATE, ERR_R_BIO_LIB);
+		goto end;
+	}
+
+	if (!(x509 = d2i_X509(NULL, &pucCertificate, uiCertificateLen))) {
+		SAFerr(SAF_F_SAF_ADDTRUSTEDROOTCACERTIFICATE, SAF_R_LOAD_CERTS_FAILURE);
+		goto end;
+	}
+
+	if (!PEM_write_bio_X509(bio, x509)) {
+		SAFerr(SAF_F_SAF_ADDTRUSTEDROOTCACERTIFICATE, ERR_R_PEM_LIB);
+		goto end;
+	}
+
+	ret = SAR_Ok;
+
+end:
+	X509_free(x509);
+	BIO_free(bio);
+	return ret;
 }
 
 /* 7.2.3 */
@@ -70,8 +105,26 @@ int SAF_GetRootCaCertificateCount(
 	void *hAppHandle,
 	unsigned int *puiCount)
 {
-	*puiCount = 0;
+	int ret = SAR_UnknownErr;
-	return SAR_Ok;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+	STACK_OF(X509) *certs = NULL;
+
+	if (!hAppHandle || !puiCount) {
+		SAFerr(SAF_F_SAF_GETROOTCACERTIFICATECOUNT, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (!load_certs(app->rootcacerts, &certs, FORMAT_PEM, NULL, "root ca certificates")) {
+		SAFerr(SAF_F_SAF_GETROOTCACERTIFICATECOUNT, SAF_R_LOAD_CERTS_FAILURE);
+		goto end;
+	}
+
+	*puiCount = sk_X509_num(certs);
+	ret = SAR_Ok;
+
+end:
+	sk_X509_free(certs);
+	return ret;
 }
 
 /* 7.2.4 */
@@ -81,7 +134,44 @@ int SAF_GetRootCaCertificate(
 	unsigned char *pucCertificate,
 	unsigned int *puiCertificateLen)
 {
-	return SAR_NotSupportYetErr;
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+	STACK_OF(X509) *certs = NULL;
+	X509 *x509;
+	int len;
+
+	if (!hAppHandle || !pucCertificate || !puiCertificateLen) {
+		SAFerr(SAF_F_SAF_GETROOTCACERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (!load_certs(app->rootcacerts, &certs, FORMAT_PEM, NULL,
+		"root ca certificates")) {
+		SAFerr(SAF_F_SAF_GETROOTCACERTIFICATE, SAF_R_LOAD_CERTS_FAILURE);
+		goto end;
+	}
+
+	if (!(x509 = sk_X509_value(certs, uiIndex))) {
+		SAFerr(SAF_F_SAF_GETROOTCACERTIFICATE, SAF_R_INVALID_INDEX);
+		goto end;
+	}
+
+	if (*puiCertificateLen < i2d_X509(x509, NULL)) {
+		SAFerr(SAF_F_SAF_GETROOTCACERTIFICATE, SAF_R_BUFFER_TOO_SMALL);
+		ret = SAR_IndataLenErr;
+		goto end;
+	}
+
+	if ((len = i2d_X509(x509, pucCertificate)) <= 0) {
+		SAFerr(SAF_F_SAF_GETROOTCACERTIFICATE, ERR_R_X509_LIB);
+		goto end;
+	}
+
+	*puiCertificateLen = len;
+	ret = SAR_Ok;
+end:
+	sk_X509_free(certs);
+	return ret;
 }
 
 /* 7.2.5 */
@@ -89,16 +179,91 @@ int SAF_RemoveRootCaCertificate(
 	void *hAppHandle,
 	unsigned int uiIndex)
 {
-	return SAR_NotSupportYetErr;
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+	STACK_OF(X509) *certs = NULL;
+	X509 *x509 = NULL;
+	BIO *bio = NULL;
+	int i, err = 0;
+
+	if (!hAppHandle) {
+		SAFerr(SAF_F_SAF_REMOVEROOTCACERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (!load_certs(app->rootcacerts, &certs, FORMAT_PEM, NULL, "root ca certificates")) {
+		SAFerr(SAF_F_SAF_REMOVEROOTCACERTIFICATE, SAF_R_LOAD_CERTS_FAILURE);
+		goto end;
+	}
+
+	if (!(bio = BIO_new_file(app->rootcacerts, "w"))) {
+		SAFerr(SAF_F_SAF_REMOVEROOTCACERTIFICATE, ERR_R_BIO_LIB);
+		goto end;
+	}
+
+	if (!(x509 = sk_X509_delete(certs, uiIndex))) {
+		SAFerr(SAF_F_SAF_REMOVEROOTCACERTIFICATE, SAF_R_INVALID_INDEX);
+		goto end;
+	}
+
+	for (i = 0; i < sk_X509_num(certs); i++) {
+		if (!PEM_write_bio_X509(bio, sk_X509_value(certs, i))) {
+			SAFerr(SAF_F_SAF_REMOVEROOTCACERTIFICATE, ERR_R_PEM_LIB);
+			err++;
+		}
+	}
+
+	ret = SAR_Ok;
+
+end:
+	X509_free(x509);
+	sk_X509_free(certs);
+	BIO_free(bio);
+	return ret;
 }
 
 /* 7.2.6 */
 int SAF_AddCaCertificate(
 	void *hAppHandle,
 	unsigned char *pucCertificate,
-	unsigned int *puiCertificateLen)
+	unsigned int uiCertificateLen)
 {
-	return SAR_NotSupportYetErr;
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+	X509 *x509 = NULL;
+	BIO *bio = NULL;
+
+	if (!hAppHandle || !pucCertificate) {
+		SAFerr(SAF_F_SAF_ADDCACERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (uiCertificateLen <= 0 || uiCertificateLen > INT_MAX) {
+		SAFerr(SAF_F_SAF_ADDCACERTIFICATE, SAF_R_INVALID_INPUT_LENGTH);
+		return SAR_IndataLenErr;
+	}
+
+	if (!(bio = BIO_new_file(app->cacerts, "a"))) {
+		SAFerr(SAF_F_SAF_ADDCACERTIFICATE, ERR_R_BIO_LIB);
+		goto end;
+	}
+
+	if (!(x509 = d2i_X509(NULL, &pucCertificate, uiCertificateLen))) {
+		SAFerr(SAF_F_SAF_ADDCACERTIFICATE, SAF_R_LOAD_CERTS_FAILURE);
+		goto end;
+	}
+
+	if (!PEM_write_bio_X509(bio, x509)) {
+		SAFerr(SAF_F_SAF_ADDCACERTIFICATE, ERR_R_PEM_LIB);
+		goto end;
+	}
+
+	ret = SAR_Ok;
+
+end:
+	X509_free(x509);
+	BIO_free(bio);
+	return ret;
 }
 
 /* 7.2.7 */
@@ -106,7 +271,26 @@ int SAF_GetCaCertificateCount(
 	void *hAppHandle,
 	unsigned int *puiCount)
 {
-	return SAR_NotSupportYetErr;
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+	STACK_OF(X509) *certs = NULL;
+
+	if (!hAppHandle || !puiCount) {
+		SAFerr(SAF_F_SAF_GETCACERTIFICATECOUNT, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (!load_certs(app->cacerts, &certs, FORMAT_PEM, NULL, "ca certificates")) {
+		SAFerr(SAF_F_SAF_GETCACERTIFICATECOUNT, SAF_R_LOAD_CERTS_FAILURE);
+		goto end;
+	}
+
+	*puiCount = sk_X509_num(certs);
+	ret = SAR_Ok;
+
+end:
+	sk_X509_free(certs);
+	return ret;
 }
 
 /* 7.2.8 */
@@ -116,7 +300,43 @@ int SAF_GetCaCertificate(
 	unsigned char *pucCertificate,
 	unsigned int *puiCertificateLen)
 {
-	return SAR_NotSupportYetErr;
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+	STACK_OF(X509) *certs = NULL;
+	X509 *x509;
+	int len;
+
+	if (!hAppHandle || !pucCertificate || !puiCertificateLen) {
+		SAFerr(SAF_F_SAF_GETCACERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (!load_certs(app->cacerts, &certs, FORMAT_PEM, NULL, "ca certificates")) {
+		SAFerr(SAF_F_SAF_GETCACERTIFICATE, SAF_R_LOAD_CERTS_FAILURE);
+		goto end;
+	}
+
+	if (!(x509 = sk_X509_value(certs, uiIndex))) {
+		SAFerr(SAF_F_SAF_GETCACERTIFICATE, SAF_R_INVALID_INDEX);
+		goto end;
+	}
+
+	if (*puiCertificateLen < i2d_X509(x509, NULL)) {
+		SAFerr(SAF_F_SAF_GETCACERTIFICATE, SAF_R_BUFFER_TOO_SMALL);
+		ret = SAR_IndataLenErr;
+		goto end;
+	}
+
+	if ((len = i2d_X509(x509, pucCertificate)) <= 0) {
+		SAFerr(SAF_F_SAF_GETCACERTIFICATE, ERR_R_X509_LIB);
+		goto end;
+	}
+
+	*puiCertificateLen = len;
+	ret = SAR_Ok;
+end:
+	sk_X509_free(certs);
+	return ret;
 }
 
 /* 7.2.9 */
@@ -124,7 +344,47 @@ int SAF_RemoveCaCertificate(
 	void *hAppHandle,
 	unsigned int uiIndex)
 {
-	return SAR_NotSupportYetErr;
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+	STACK_OF(X509) *certs = NULL;
+	X509 *x509 = NULL;
+	BIO *bio = NULL;
+	int i, err = 0;
+
+	if (!hAppHandle) {
+		SAFerr(SAF_F_SAF_REMOVECACERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (!load_certs(app->cacerts, &certs, FORMAT_PEM, NULL, "ca certificates")) {
+		SAFerr(SAF_F_SAF_REMOVECACERTIFICATE, SAF_R_LOAD_CERTS_FAILURE);
+		goto end;
+	}
+
+	if (!(bio = BIO_new_file(app->rootcacerts, "w"))) {
+		SAFerr(SAF_F_SAF_REMOVECACERTIFICATE, ERR_R_BIO_LIB);
+		goto end;
+	}
+
+	if (!(x509 = sk_X509_delete(certs, uiIndex))) {
+		SAFerr(SAF_F_SAF_REMOVECACERTIFICATE, SAF_R_INVALID_INDEX);
+		goto end;
+	}
+
+	for (i = 0; i < sk_X509_num(certs); i++) {
+		if (!PEM_write_bio_X509(bio, sk_X509_value(certs, i))) {
+			SAFerr(SAF_F_SAF_REMOVECACERTIFICATE, ERR_R_PEM_LIB);
+			err++;
+		}
+	}
+
+	ret = SAR_Ok;
+
+end:
+	X509_free(x509);
+	sk_X509_free(certs);
+	BIO_free(bio);
+	return ret;
 }
 
 /* 7.2.10 */
@@ -133,6 +393,8 @@ int SAF_AddCrl(
 	unsigned char *pucDerCrl,
 	unsigned int uiDerCrlLen)
 {
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }
 
@@ -142,6 +404,8 @@ int SAF_VerifyCertificate(
 	unsigned char *pucUsrCertificate,
 	unsigned int uiUsrCertificateLen)
 {
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }
 
@@ -153,6 +417,8 @@ int SAF_VerifyCertificateByCrl(
 	unsigned char *pucDerCrl,
 	unsigned int uiDerCrlLen)
 {
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }
 
@@ -179,6 +445,8 @@ int SAF_GetCertFromLdap(
 	unsigned char *pucOutCert,
 	unsigned int *puiOutCertLen)
 {
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }
 
@@ -204,6 +472,8 @@ int SAF_GetCertificateInfo(
 	unsigned char *pucInfo,
 	unsigned int *puiInfoLen)
 {
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }
 
@@ -218,6 +488,8 @@ int SAF_GetExtTypeInfo(
 	unsigned char *pucInfo,
 	unsigned int *puiInfoLen)
 {
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }
 
@@ -226,6 +498,8 @@ int SAF_EnumCertificates(
 	void *hAppHandle,
 	SGD_USR_CERT_ENUMLIST *usrCerts)
 {
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }
 
@@ -234,6 +508,8 @@ int SAF_EnumKeyContainerInfo(
 	void *hAppHandle,
 	SGD_KEYCONTAINERINFO_ENUMLIST *keyContainerInfo)
 {
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }
 
@@ -242,6 +518,8 @@ int SAF_EnumCertificatesFree(
 	void *hAppHandle,
 	SGD_USR_CERT_ENUMLIST *usrCerts)
 {
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }
 
@@ -250,5 +528,7 @@ int SAF_EnumKeyContainerInfoFree(
 	void *hAppHandle,
 	SGD_KEYCONTAINERINFO_ENUMLIST *keyContainerInfo)
 {
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }

crypto/saf/saf_err.c

@@ -19,6 +19,9 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_SAF,0,reason)
 
 static ERR_STRING_DATA SAF_str_functs[] = {
+    {ERR_FUNC(SAF_F_SAF_ADDCACERTIFICATE), "SAF_AddCaCertificate"},
+    {ERR_FUNC(SAF_F_SAF_ADDTRUSTEDROOTCACERTIFICATE),
+     "SAF_AddTrustedRootCaCertificate"},
     {ERR_FUNC(SAF_F_SAF_BASE64_CREATEBASE64OBJ),
      "SAF_Base64_CreateBase64Obj"},
     {ERR_FUNC(SAF_F_SAF_BASE64_DECODE), "SAF_Base64_Decode"},
@@ -28,7 +31,9 @@ static ERR_STRING_DATA SAF_str_functs[] = {
     {ERR_FUNC(SAF_F_SAF_BASE64_ENCODEFINAL), "SAF_Base64_EncodeFinal"},
     {ERR_FUNC(SAF_F_SAF_BASE64_ENCODEUPDATE), "SAF_Base64_EncodeUpdate"},
     {ERR_FUNC(SAF_F_SAF_CHANGEPIN), "SAF_ChangePin"},
+    {ERR_FUNC(SAF_F_SAF_CREATEHASHOBJ), "SAF_CreateHashObj"},
     {ERR_FUNC(SAF_F_SAF_CREATESYMMKEYOBJ), "SAF_CreateSymmKeyObj"},
+    {ERR_FUNC(SAF_F_SAF_DESTROYHASHOBJ), "SAF_DestroyHashObj"},
     {ERR_FUNC(SAF_F_SAF_ECCPUBLICKEYENC), "SAF_EccPublicKeyEnc"},
     {ERR_FUNC(SAF_F_SAF_ECCPUBLICKEYENCBYCERT), "SAF_EccPublicKeyEncByCert"},
     {ERR_FUNC(SAF_F_SAF_ECCSIGN), "SAF_EccSign"},
@@ -38,23 +43,35 @@ static ERR_STRING_DATA SAF_str_functs[] = {
     {ERR_FUNC(SAF_F_SAF_GENERATEKEYWITHEPK), "SAF_GenerateKeyWithEPK"},
     {ERR_FUNC(SAF_F_SAF_GENRANDOM), "SAF_GenRandom"},
     {ERR_FUNC(SAF_F_SAF_GENRSAKEYPAIR), "SAF_GenRsaKeyPair"},
+    {ERR_FUNC(SAF_F_SAF_GETCACERTIFICATE), "SAF_GetCaCertificate"},
+    {ERR_FUNC(SAF_F_SAF_GETCACERTIFICATECOUNT), "SAF_GetCaCertificateCount"},
     {ERR_FUNC(SAF_F_SAF_GETECCPUBLICKEY), "SAF_GetEccPublicKey"},
+    {ERR_FUNC(SAF_F_SAF_GETROOTCACERTIFICATE), "SAF_GetRootCaCertificate"},
+    {ERR_FUNC(SAF_F_SAF_GETROOTCACERTIFICATECOUNT),
+     "SAF_GetRootCaCertificateCount"},
     {ERR_FUNC(SAF_F_SAF_GETRSAPUBLICKEY), "SAF_GetRsaPublicKey"},
     {ERR_FUNC(SAF_F_SAF_GETVERSION), "SAF_GetVersion"},
-    {ERR_FUNC(SAF_F_SAF_IMPORTENCEDKEY), "SAF_ImportEncedKey"},
+    {ERR_FUNC(SAF_F_SAF_HASH), "SAF_Hash"},
+    {ERR_FUNC(SAF_F_SAF_HASHFINAL), "SAF_HashFinal"},
+    {ERR_FUNC(SAF_F_SAF_HASHUPDATE), "SAF_HashUpdate"},
     {ERR_FUNC(SAF_F_SAF_INITIALIZE), "SAF_Initialize"},
+    {ERR_FUNC(SAF_F_SAF_KEY_NEW), "SAF_KEY_new"},
     {ERR_FUNC(SAF_F_SAF_LOGIN), "SAF_Login"},
     {ERR_FUNC(SAF_F_SAF_LOGOUT), "SAF_Logout"},
     {ERR_FUNC(SAF_F_SAF_MACFINAL), "SAF_MacFinal"},
     {ERR_FUNC(SAF_F_SAF_MACUPDATE), "SAF_MacUpdate"},
     {ERR_FUNC(SAF_F_SAF_PKCS7_ENCODEENVELOPEDDATA),
      "SAF_Pkcs7_EncodeEnvelopedData"},
+    {ERR_FUNC(SAF_F_SAF_REMOVECACERTIFICATE), "SAF_RemoveCaCertificate"},
+    {ERR_FUNC(SAF_F_SAF_REMOVEROOTCACERTIFICATE),
+     "SAF_RemoveRootCaCertificate"},
     {ERR_FUNC(SAF_F_SAF_RSASIGN), "SAF_RsaSign"},
     {ERR_FUNC(SAF_F_SAF_RSAVERIFYSIGN), "SAF_RsaVerifySign"},
     {ERR_FUNC(SAF_F_SAF_SYMMDECRYPTFINAL), "SAF_SymmDecryptFinal"},
     {ERR_FUNC(SAF_F_SAF_SYMMDECRYPTUPDATE), "SAF_SymmDecryptUpdate"},
     {ERR_FUNC(SAF_F_SAF_SYMMENCRYPTFINAL), "SAF_SymmEncryptFinal"},
     {ERR_FUNC(SAF_F_SAF_SYMMENCRYPTUPDATE), "SAF_SymmEncryptUpdate"},
+    {ERR_FUNC(SAF_F_SAF_SYMMKEYOBJ_DUP), "SAF_SYMMKEYOBJ_dup"},
     {ERR_FUNC(SAF_F_SAF_VERIFYSIGNBYCERT), "SAF_VerifySignByCert"},
     {0, NULL}
 };
@@ -65,18 +82,19 @@ static ERR_STRING_DATA SAF_str_reasons[] = {
     {ERR_REASON(SAF_R_DECRYPT_NOT_INITIALIZED), "decrypt not initialized"},
     {ERR_REASON(SAF_R_ENCRYPT_KEY_FAILURE), "encrypt key failure"},
     {ERR_REASON(SAF_R_ENCRYPT_NOT_INITIALIED), "encrypt not initialied"},
-    {ERR_REASON(SAF_R_GEN_RANDOM), "gen random"},
     {ERR_REASON(SAF_R_GEN_RANDOM_FAILURE), "gen random failure"},
     {ERR_REASON(SAF_R_INT_OVERFLOW), "int overflow"},
     {ERR_REASON(SAF_R_INVALID_ALGOR), "invalid algor"},
     {ERR_REASON(SAF_R_INVALID_CERTIFICATE), "invalid certificate"},
-    {ERR_REASON(SAF_R_INVALID_CONTEXT), "invalid context"},
     {ERR_REASON(SAF_R_INVALID_HANDLE), "invalid handle"},
+    {ERR_REASON(SAF_R_INVALID_INDEX), "invalid index"},
     {ERR_REASON(SAF_R_INVALID_INPUT_LENGTH), "invalid input length"},
     {ERR_REASON(SAF_R_INVALID_KEY_HANDLE), "invalid key handle"},
     {ERR_REASON(SAF_R_INVALID_KEY_LENGTH), "invalid key length"},
     {ERR_REASON(SAF_R_INVALID_KEY_USAGE), "invalid key usage"},
     {ERR_REASON(SAF_R_INVALID_LENGTH), "invalid length"},
+    {ERR_REASON(SAF_R_INVALID_PUBLIC_KEY), "invalid public key"},
+    {ERR_REASON(SAF_R_LOAD_CERTS_FAILURE), "load certs failure"},
     {ERR_REASON(SAF_R_MAC_FAILURE), "mac failure"},
     {ERR_REASON(SAF_R_NOT_SUPPORTED), "not supported"},
     {ERR_REASON(SAF_R_OPERATION_NOT_INITIALIZED),

crypto/saf/saf_hash.c

@@ -52,6 +52,7 @@
 #include <stdlib.h>
 #include <openssl/evp.h>
 #include <openssl/gmsaf.h>
+#include <openssl/gmapi.h>
 #include "saf_lcl.h"
 
 /* 7.3.12 */
@@ -60,31 +61,84 @@ int SAF_CreateHashObj(void **phHashObj,
 	unsigned char *pucPublicKey,
 	unsigned int uiPublicKeyLen,
 	unsigned char *pucID,
-	unsigned int ulIDLen)
+	unsigned int uiIDLen)
 {
 	int ret = SAR_UnknownErr;
 	const EVP_MD *md;
 	EVP_MD_CTX *ctx = NULL;
+	EVP_PKEY *pkey = NULL;
+
+	if (!phHashObj) {
+		SAFerr(SAF_F_SAF_CREATEHASHOBJ, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
 
 	if (!(md = EVP_get_digestbysgd(uiAlgoType))) {
+		SAFerr(SAF_F_SAF_CREATEHASHOBJ, SAF_R_INVALID_ALGOR);
 		return SAR_AlgoTypeErr;
 	}
 
 	if (!(ctx = EVP_MD_CTX_new())) {
-		return 0;
+		SAFerr(SAF_F_SAF_CREATEHASHOBJ, ERR_R_MALLOC_FAILURE);
+		goto end;
 	}
 
-	if (!EVP_DigestInit(ctx, md)) {
+	/* limitation of the SAF hashing:
-		return 0;
+	 * can not specify an engine, only use the default implementation
+	 */
+	if (!EVP_DigestInit_ex(ctx, md, NULL)) {
+		SAFerr(SAF_F_SAF_CREATEHASHOBJ, ERR_R_EVP_LIB);
+		goto end;
+	}
+
+	if (pucPublicKey) {
+		unsigned char dgst[EVP_MAX_MD_SIZE];
+		size_t dgstlen = sizeof(dgst);
+
+		if (!pucID) {
+			SAFerr(SAF_F_SAF_CREATEHASHOBJ, ERR_R_PASSED_NULL_PARAMETER);
+			ret = SAR_IndataErr;
+			goto end;
+		}
+
+		if (uiIDLen <= 0 || uiIDLen > SM2_MAX_ID_LENGTH
+			|| strlen((char *)pucID) != uiIDLen
+			|| uiPublicKeyLen <= 0 || uiPublicKeyLen > INT_MAX) {
+			SAFerr(SAF_F_SAF_CREATEHASHOBJ, SAF_R_INVALID_INPUT_LENGTH);
+			ret = SAR_IndataLenErr;
+			goto end;
+		}
+
+		if (!(pkey = d2i_PUBKEY(NULL, (const unsigned char **)&pucPublicKey, (long)uiPublicKeyLen))
+			|| EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
+			SAFerr(SAF_F_SAF_CREATEHASHOBJ, SAF_R_INVALID_PUBLIC_KEY);
+			ret = SAR_IndataErr;
+			goto end;
+		}
+
+		if (!SM2_compute_id_digest(md, (char *)pucID, uiIDLen, dgst, &dgstlen,
+			EVP_PKEY_get0_EC_KEY(pkey))) {
+			SAFerr(SAF_F_SAF_CREATEHASHOBJ, ERR_R_EC_LIB);
+			goto end;
+		}
+
+		if (!EVP_DigestUpdate(ctx, dgst, dgstlen)) {
+			SAFerr(SAF_F_SAF_CREATEHASHOBJ, ERR_R_EVP_LIB);
+			goto end;
+		}
 	}
 
 	*phHashObj = ctx;
+	ctx = NULL;
+
+	ret = SAR_Ok;
 
 end:
 	if (ret != SAR_Ok) {
-		EVP_MD_CTX_free(ctx);
 		*phHashObj = NULL;
 	}
+	EVP_MD_CTX_free(ctx);
+	EVP_PKEY_free(pkey);
 	return ret;
 }
 
@@ -92,6 +146,10 @@ end:
 int SAF_DestroyHashObj(
 	void *phHashObj)
 {
+	if (!phHashObj) {
+		SAFerr(SAF_F_SAF_DESTROYHASHOBJ, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
 	EVP_MD_CTX_free((EVP_MD_CTX *)phHashObj);
 	return SAR_Ok;
 }
@@ -102,9 +160,21 @@ int SAF_HashUpdate(
 	const unsigned char *pucInData,
 	unsigned int uiInDataLen)
 {
-	if (!EVP_DigestUpdate((EVP_MD_CTX *)phHashObj, pucInData, (size_t)uiInDataLen)) {
+	if (!phHashObj || pucInData) {
+		SAFerr(SAF_F_SAF_HASHUPDATE, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (uiInDataLen <= 0 || uiInDataLen > INT_MAX) {
+		SAFerr(SAF_F_SAF_HASHUPDATE, SAF_R_INVALID_INPUT_LENGTH);
+		return SAR_IndataLenErr;
+	}
+
+	if (!EVP_DigestUpdate((EVP_MD_CTX *)phHashObj, pucInData, uiInDataLen)) {
+		SAFerr(SAF_F_SAF_HASHUPDATE, ERR_R_EVP_LIB);
 		return SAR_HashErr;
 	}
+
 	return SAR_Ok;
 }
 
@@ -113,9 +183,21 @@ int SAF_HashFinal(void *phHashObj,
 	unsigned char *pucOutData,
 	unsigned int *uiOutDataLen)
 {
-	if (!EVP_DigestFinal((EVP_MD_CTX *)phHashObj, pucOutData, uiOutDataLen)) {
+	if (!phHashObj || !pucOutData || !uiOutDataLen) {
+		SAFerr(SAF_F_SAF_HASHFINAL, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (*uiOutDataLen < EVP_MAX_MD_SIZE) {
+		SAFerr(SAF_F_SAF_HASHFINAL, SAF_R_BUFFER_TOO_SMALL);
+		return SAR_IndataLenErr;
+	}
+
+	if (!EVP_DigestFinal_ex((EVP_MD_CTX *)phHashObj, pucOutData, uiOutDataLen)) {
+		SAFerr(SAF_F_SAF_HASHFINAL, ERR_R_EVP_LIB);
 		return SAR_HashErr;
 	}
+
 	return SAR_Ok;
 }
 
@@ -127,21 +209,50 @@ int SAF_Hash(
 	unsigned char *pucPublicKey,
 	unsigned int uiPublicKeyLen,
 	unsigned char *pubID,
-	unsigned int ulIDLen,
+	unsigned int uiIDLen,
 	unsigned char *pucOutData,
 	unsigned int *puiOutDataLen)
 {
-	const EVP_MD *md;
+	int ret;
-	size_t siz;
+	void *hHashObj = NULL;
 
-	if (!(md = EVP_get_digestbysgd(uiAlgoType))) {
+	if ((ret = SAF_CreateHashObj(
-		return SAR_AlgoTypeErr;
+		&hHashObj,
+		uiAlgoType,
+		pucPublicKey,
+		uiPublicKeyLen,
+		pubID,
+		uiIDLen)) != SAR_Ok) {
+		SAFerr(SAF_F_SAF_HASH, ERR_R_SAF_LIB);
+		return ret;
 	}
 
-	siz = (size_t)uiInDataLen;
+	if ((ret = SAF_HashUpdate(
-	if (!EVP_Digest(pucInData, siz, pucOutData, puiOutDataLen, md, NULL)) {
+		hHashObj,
-		return SAR_HashErr;
+		pucInData,
+		uiInDataLen)) != SAR_Ok) {
+		SAFerr(SAF_F_SAF_HASH, ERR_R_SAF_LIB);
+		goto err;
+	}
+
+	if ((ret = SAF_HashFinal(
+		hHashObj,
+		pucOutData,
+		puiOutDataLen)) != SAR_Ok) {
+		SAFerr(SAF_F_SAF_HASH, ERR_R_SAF_LIB);
+		goto err;
+	}
+
+	if ((ret = SAF_DestroyHashObj(
+		hHashObj)) != SAR_Ok) {
+		SAFerr(SAF_F_SAF_HASH, ERR_R_SAF_LIB);
+		return ret;
 	}
 
 	return SAR_Ok;
+
+err:
+	/* keep the first error */
+	(void)SAF_DestroyHashObj(hHashObj);
+	return ret;
 }

crypto/saf/saf_keyhandle.c

@@ -51,6 +51,7 @@
 #include <openssl/evp.h>
 #include <openssl/gmsaf.h>
 #include <openssl/gmapi.h>
+#include <openssl/crypto.h>
 #include "saf_lcl.h"
 
 /* 7.3.31 */
@@ -82,26 +83,6 @@ int SAF_GenerateKeyWithEPK(
 		return SAR_IndataLenErr;
 	}
 
-/*
- 65 typedef struct {
- 66         SAF_APP *app;
- 67         unsigned char *pucContainerName;
- 68         unsigned int uiContainerLen;
- 69         unsigned char *pucIV;
- 70         unsigned int uiIVLen;
- 71         unsigned int uiEncOrDec;
- 72         unsigned int uiCryptoAlgID;
- 73 } SAF_SYMMKEYOBJ;
- 74 
- 75 typedef struct {
- 76         SAF_SYMMKEYOBJ *hSymmKeyObj;
- 77         unsigned char key[64];
- 78         int keylen;
- 79         EVP_CIPHER_CTX *cipher_ctx;
- 80         CMAC_CTX *cmac_ctx;
- 81 } SAF_KEY;
-*/
-
 	outlen = (size_t)*puiSymmKeyLen;
 	if (!(cipher = EVP_get_cipherbysgd(obj->uiCryptoAlgID))
 		|| !RAND_bytes(keybuf, EVP_CIPHER_key_length(cipher))
@@ -128,6 +109,87 @@ end:
 	return ret;
 }
 
+/*
+ 65 typedef struct {
+ 66         SAF_APP *app;
+ 67         unsigned char *pucContainerName;
+ 68         unsigned int uiContainerLen;
+ 69         unsigned char *pucIV;
+ 70         unsigned int uiIVLen;
+ 71         unsigned int uiEncOrDec;
+ 72         unsigned int uiCryptoAlgID;
+ 73 } SAF_SYMMKEYOBJ;
+ 74 
+ 75 typedef struct {
+ 76         SAF_SYMMKEYOBJ *hSymmKeyObj;
+ 77         unsigned char key[64];
+ 78         int keylen;
+ 79         EVP_CIPHER_CTX *cipher_ctx;
+ 80         CMAC_CTX *cmac_ctx;
+ 81 } SAF_KEY;
+*/
+
+SAF_KEY *SAF_KEY_new(const SAF_SYMMKEYOBJ *hSymmKeyObj)
+{
+	SAF_KEY *ret = NULL;
+	SAF_KEY *key = NULL;
+
+	if (!(key = OPENSSL_zalloc(sizeof(*key)))
+		|| !(key->hSymmKeyObj = SAF_SYMMKEYOBJ_dup(hSymmKeyObj))) {
+		SAFerr(SAF_F_SAF_KEY_NEW, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+
+	ret = key;
+	key = NULL;
+
+end:
+	SAF_KEY_free(key);
+	return ret;
+}
+
+void SAF_KEY_free(SAF_KEY *key)
+{
+	if (key) {
+		SAF_SYMMKEYOBJ_free(key->hSymmKeyObj);
+	}
+	OPENSSL_clear_free(key, sizeof(*key));
+}
+
+SAF_SYMMKEYOBJ *SAF_SYMMKEYOBJ_dup(const SAF_SYMMKEYOBJ *a)
+{
+	SAF_SYMMKEYOBJ *ret = NULL;
+	SAF_SYMMKEYOBJ *obj = NULL;
+
+	if (!(obj = OPENSSL_zalloc(sizeof(*obj)))
+		|| !(obj->pucContainerName = OPENSSL_memdup(a->pucContainerName, a->uiContainerLen))
+		|| !(obj->pucIV = OPENSSL_memdup(a->pucIV, a->uiIVLen))) {
+		SAFerr(SAF_F_SAF_SYMMKEYOBJ_DUP, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+
+	obj->uiContainerLen = a->uiContainerLen;
+	obj->uiIVLen = a->uiIVLen;
+	obj->uiEncOrDec = a->uiEncOrDec;
+	obj->uiCryptoAlgID = a->uiCryptoAlgID;
+
+	ret = obj;
+	obj = NULL;
+
+end:
+	SAF_SYMMKEYOBJ_free(obj);
+	return ret;
+}
+
+void SAF_SYMMKEYOBJ_free(SAF_SYMMKEYOBJ *obj)
+{
+	if (obj) {
+		OPENSSL_free(obj->pucContainerName);
+		OPENSSL_free(obj->pucIV);
+		OPENSSL_free(obj);
+	}
+}
+
 /* 7.3.32 */
 int SAF_ImportEncedKey(
 	void *hSymmKeyObj,
@@ -135,8 +197,23 @@ int SAF_ImportEncedKey(
 	unsigned int uiSymmKeyLen,
 	void **phKeyHandle)
 {
-	SAFerr(SAF_F_SAF_IMPORTENCEDKEY, SAF_R_NOT_SUPPORTED);
+	SAF_KEY *hkey = NULL;
-	return SAR_NotSupportYetErr;
+	SAF_SYMMKEYOBJ *hobj = (SAF_SYMMKEYOBJ *)hSymmKeyObj;
+	EVP_PKEY *pkey = NULL;
+	EVP_PKEY_CTX *pctx = NULL;
+	char key_id[1024];
+
+	snprintf(key_id, sizeof(key_id), "%s.enc", hobj->pucContainerName);
+
+	if (!(pkey = ENGINE_load_private_key(hobj->app->engine, key_id, NULL, NULL))
+		|| !(pctx = EVP_PKEY_CTX_new(pkey, hobj->app->engine))
+		|| EVP_PKEY_decrypt_init(pctx) <= 0
+		|| EVP_PKEY_decrypt(pctx, hkey->key, &hkey->keylen, pucSymmKey, uiSymmKeyLen) <= 0) {
+		goto end;
+	}
+
+end:
+	return 0;
 }
 
 /* 7.3.37 */

crypto/saf/saf_lcl.h

@@ -55,6 +55,8 @@
 
 typedef struct saf_app_st {
 	ENGINE *engine;
+	char *rootcacerts;
+	char *cacerts;
 } SAF_APP;
 
 typedef struct {
@@ -80,5 +82,8 @@ typedef struct {
 	CMAC_CTX *cmac_ctx;
 } SAF_KEY;
 
+SAF_KEY *SAF_KEY_new(const SAF_SYMMKEYOBJ *obj);
+void SAF_KEY_free(SAF_KEY *key);
+
 SAF_SYMMKEYOBJ *SAF_SYMMKEYOBJ_dup(const SAF_SYMMKEYOBJ *a);
 void SAF_SYMMKEYOBJ_free(SAF_SYMMKEYOBJ *a);

crypto/sdf/sdf_meth.c

@@ -56,8 +56,6 @@ SDF_METHOD *SDF_METHOD_load_library(const char *so_path)
 	SDF_METHOD *ret = NULL;
 	SDF_METHOD *sdf = NULL;
 	DSO *dso = NULL;
-	void *func;
-	int i;
 
 	if (!(dso = DSO_load(NULL, so_path, NULL, 0))) {
 		goto end;

crypto/skf/skf_lib.c

@@ -67,6 +67,7 @@ ULONG SKF_LoadLibrary(const char *so_path)
 ULONG SKF_UnloadLibrary(void)
 {
 	skf_method = NULL;
+	return 0;
 }
 
 

crypto/sms4/sms4_enc_avx2.c

@@ -0,0 +1,149 @@
+/* ====================================================================
+ * Copyright (c) 2014 - 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+
+#include <immintrin.h>
+#include <openssl/sms4.h>
+#include "sms4_lcl.h"
+
+static __m256i mask_ffff;
+static __m256i vindex_0s;
+static __m256i vindex_4i;
+static __m256i vindex_swap;
+static __m256i vindex_read;
+
+
+void sms4_avx2_encrypt_init(sms4_key_t *key)
+{
+	mask_ffff = _mm256_set1_epi32(0xffff);
+	vindex_0s = _mm256_set1_epi32(0);
+	vindex_4i = _mm256_setr_epi32(0,4,8,12,16,20,24,28);
+	vindex_read = _mm256_setr_epi32(0,8,16,24,1,9,17,25);
+	vindex_swap = _mm256_setr_epi8(
+		3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12,
+		3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12
+	);
+	sms4_init_sbox32();
+}
+
+#define GET_BLKS(x0, x1, x2, x3, in)					\
+	t0 = _mm256_i32gather_epi32((int *)(in+4*0), vindex_4i, 4);	\
+	t1 = _mm256_i32gather_epi32((int *)(in+4*1), vindex_4i, 4);	\
+	t2 = _mm256_i32gather_epi32((int *)(in+4*2), vindex_4i, 4);	\
+	t3 = _mm256_i32gather_epi32((int *)(in+4*3), vindex_4i, 4);	\
+	x0 = _mm256_shuffle_epi8(t0, vindex_swap);			\
+	x1 = _mm256_shuffle_epi8(t1, vindex_swap);			\
+	x2 = _mm256_shuffle_epi8(t2, vindex_swap);			\
+	x3 = _mm256_shuffle_epi8(t3, vindex_swap)
+
+#define PUT_BLKS(out, x0, x1, x2, x3)					\
+	t0 = _mm256_shuffle_epi8(x0, vindex_swap);			\
+	t1 = _mm256_shuffle_epi8(x1, vindex_swap);			\
+	t2 = _mm256_shuffle_epi8(x2, vindex_swap);			\
+	t3 = _mm256_shuffle_epi8(x3, vindex_swap);			\
+	_mm256_storeu_si256((__m256i *)(out+32*0), t0);			\
+	_mm256_storeu_si256((__m256i *)(out+32*1), t1);			\
+	_mm256_storeu_si256((__m256i *)(out+32*2), t2);			\
+	_mm256_storeu_si256((__m256i *)(out+32*3), t3);			\
+	x0 = _mm256_i32gather_epi32((int *)(in+32*0), vindex_read, 4);	\
+	x1 = _mm256_i32gather_epi32((int *)(in+32*1), vindex_read, 4);	\
+	x2 = _mm256_i32gather_epi32((int *)(in+32*2), vindex_read, 4);	\
+	x3 = _mm256_i32gather_epi32((int *)(in+32*3), vindex_read, 4);	\
+	_mm256_storeu_si256((__m256i *)(out+2*0), x0);			\
+	_mm256_storeu_si256((__m256i *)(out+2*1), x1);			\
+	_mm256_storeu_si256((__m256i *)(out+2*2), x2);			\
+	_mm256_storeu_si256((__m256i *)(out+2*3), x3)
+
+#define S(x0, t0, t1, t2)					\
+	t0 = _mm256_and_si256(x0, mask_ffff);			\
+	t1 = _mm256_i32gather_epi32(SBOX32L, t0, 4);		\
+	t0 = _mm256_srli_epi32(x0, 16);				\
+	t2 = _mm256_i32gather_epi32(SBOX32H, t0, 4);		\
+	x0 = _mm256_xor_si256(t1, t2)
+
+#define ROT(r0, x0, i, t0, t1)					\
+	t0 = _mm256_slli_epi32(x0, i);				\
+	t1 = _mm256_srli_epi32(x0,32-i);			\
+	r0 = _mm256_xor_si256(t0, t1)
+
+#define L(x0, t0, t1, t2, t3, t4)				\
+	ROT(t0, x0,  2, t2, t3);				\
+	ROT(t1, x0, 10, t2, t3);				\
+	t4 = _mm256_xor_si256(t0, t1);				\
+	ROT(t0, x0, 18, t2, t3);				\
+	ROT(t1, x0, 24, t2, t3);				\
+	t3 = _mm256_xor_si256(t0, t1);				\
+	t2 = _mm256_xor_si256(x0, t3);				\
+	x0 = _mm256_xor_si256(t2, t4)
+
+#define ROUND(x0, x1, x2, x3, x4, i)				\
+	t0 = _mm256_i32gather_epi32(rk+i, vindex_0s, 4);	\
+	t1 = _mm256_xor_si256(x1, x2);				\
+	t2 = _mm256_xor_si256(x3, t0);				\
+	t0 = _mm256_xor_si256(t1, t2);				\
+	S(t0, x4, t1, t2);					\
+	L(t0, x4, t1, t2, t3, t4);				\
+	x4 = _mm256_xor_si256(x0, t0);
+
+
+void sms4_avx2_encrypt_8blocks(const unsigned char *in, unsigned char *out, const sms4_key_t *key)
+{
+	const int *rk = (int *)key->rk;
+	__m256i x0, x1, x2, x3, x4;
+	__m256i t0, t1, t2, t3, t4;
+	GET_BLKS(x0, x1, x2, x3, in);
+	ROUNDS(x0, x1, x2, x3, x4);
+	PUT_BLKS(out, x0, x4, x3, x2);
+}
+
+void sms4_avx2_encrypt_16blocks(const unsigned char *in, unsigned char *out, const sms4_key_t *key)
+{
+	sms4_encrypt_8blocks(key, in, out);
+	sms4_encrypt_8blocks(key, in + 16*8, out + 16*8);
+}

crypto/sms4/sms4_enc_knc.c

@@ -0,0 +1,159 @@
+/* ====================================================================
+ * Copyright (c) 2014 - 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+
+#include <stdint.h>
+#include <zmmintrin.h>
+#include <openssl/sms4.h>
+#include "sms4_lcl.h"
+
+
+static __m512i mask_ff00;
+static __m512i mask_ffff;
+static __m512i mask_ff0000;
+static __m512i vindex_0s;
+static __m512i vindex_4i;
+
+
+void sms4_knc_encrypt_init(sms4_key_t *key)
+{
+	uint64_t value[sizeof(__m512i)/sizeof(uint64_t)];
+	int *p = (int *)value;
+
+	for (i = 0; i < 16; i++)
+		p[i] = 0xff00;
+	mask_ff00 = _mm512_load_epi32(value);
+
+	for (i = 0; i < 16; i++)
+		p[i] = 0xffff;
+	mask_ffff = _mm512_load_epi32(value);
+
+	for (i = 0; i < 16; i++)
+		p[i] = 0xff0000;
+	mask_ff0000 = _mm512_load_epi32(value);
+
+	for (i = 0; i < 16; i++)
+		p[i] = 0;
+	vindex_0s = _mm512_load_epi32(value);
+
+	for (i = 0; i < 16; i++)
+		p[i] = 4 * i;
+	vindex_4i = _mm512_load_epi32(value);
+
+	sms4_init_sbox32();
+}
+
+#define SWAP32(x)						\
+	t0 = _mm512_slli_epi32(x, 24);				\
+	t1 = _mm512_srli_epi32(x, 24);				\
+	t2 = _mm512_or_epi32(t0, t1);				\
+	t0 = _mm512_slli_epi32(x, 8);				\
+	t1 = _mm512_and_epi32(t0, mask_ff0000);			\
+	t0 = _mm512_or_epi32(t2, t1);				\
+	t1 = _mm512_srli_epi32(x, 8);				\
+	t2 = _mm512_and_epi32(t1, mask_ff00);			\
+	x  = _mm512_or_epi32(t0, t2)
+
+#define GET_BLKS(x0, x1, x2, x3, in)				\
+	x0 = _mm512_i32gather_epi32(vindex_4i, in+4*0, 4);	\
+	x1 = _mm512_i32gather_epi32(vindex_4i, in+4*1, 4);	\
+	x2 = _mm512_i32gather_epi32(vindex_4i, in+4*2, 4);	\
+	x3 = _mm512_i32gather_epi32(vindex_4i, in+4*3, 4);	\
+	SWAP32(x0); SWAP32(x1); SWAP32(x2); SWAP32(x3)
+
+#define PUT_BLKS(out, x0, x1, x2, x3)				\
+	SWAP32(x0); SWAP32(x1); SWAP32(x2); SWAP32(x3);		\
+	_mm512_i32scatter_epi32(out+4*0, vindex_4i, x0, 4);	\
+	_mm512_i32scatter_epi32(out+4*1, vindex_4i, x1, 4);	\
+	_mm512_i32scatter_epi32(out+4*2, vindex_4i, x2, 4);	\
+	_mm512_i32scatter_epi32(out+4*3, vindex_4i, x3, 4)
+
+#define S(x0, t0, t1, t2)					\
+	t0 = _mm512_and_epi32(x0, mask_ffff);			\
+	t1 = _mm512_i32gather_epi32(t0, SBOX32L, 4);		\
+	t0 = _mm512_srli_epi32(x0, 16);				\
+	t2 = _mm512_i32gather_epi32(t0, SBOX32H, 4);		\
+	x0 = _mm512_xor_epi32(t1, t2)
+
+#define ROT(r0, x0, i, t0, t1)					\
+	t0 = _mm512_slli_epi32(x0, i);				\
+	t1 = _mm512_srli_epi32(x0, 32-i);			\
+	r0 = _mm512_xor_epi32(t0, t1)
+
+#define L(x0, t0, t1, t2, t3, t4)				\
+	ROT(t0, x0,  2, t2, t3);				\
+	ROT(t1, x0, 10, t2, t3);				\
+	t4 = _mm512_xor_epi32(t0, t1);				\
+	ROT(t0, x0, 18, t2, t3);				\
+	ROT(t1, x0, 24, t2, t3);				\
+	t3 = _mm512_xor_epi32(t0, t1);				\
+	t2 = _mm512_xor_epi32(x0, t3);				\
+	x0 = _mm512_xor_epi32(t2, t4)
+
+#define ROUND(x0, x1, x2, x3, x4, i)				\
+	t0 = _mm512_i32gather_epi32(vindex_0s, rk+i*4, 4);	\
+	t1 = _mm512_xor_epi32(x1, x2);				\
+	t2 = _mm512_xor_epi32(x3, t0);				\
+	t0 = _mm512_xor_epi32(t1, t2);				\
+	S(t0, x4, t1, t2);					\
+	L(t0, x4, t1, t2, t3, t4);				\
+	x4 = _mm512_xor_epi32(x0, t0)
+
+
+void sms4_knc_encrypt_16blocks(sms4_key_t *key, const unsigned char *in, unsigned char *out)
+{
+	int *rk = (int *)key->rk;
+	__m512i x0, x1, x2, x3, x4;
+	__m512i t0, t1, t2, t3, t4;
+
+	GET_BLKS(x0, x1, x2, x3, in);
+	ROUNDS(x0, x1, x2, x3, x4, ROUND);
+	PUT_BLKS(out, x2, x3, x4, x0);
+}
+

engines/e_avx2.c

@@ -57,22 +57,12 @@
 static const char *avx2_id = "avx2";
 static const char *avx2_name = "ENGINE with Intel AVX2 Intructions";
 
-#define SDF_CMD_STRING		ENGINE_CMD_BASE
+#define SDF_CMD_CPUID		ENGINE_CMD_BASE
-#define SDF_CMD_NUMERIC		(ENGINE_CMD_BASE + 1)
-#define SDF_CMD_NO_INPUT	(ENGINE_CMD_BASE + 2)
 
 static const ENGINE_CMD_DEFN avx2_cmd_defns[] = {
-	{SDF_CMD_STRING,
+	{SDF_CMD_CPUID,
-	 "STRING",
+	 "CPUID",
-	 "Specifies the path to the vendor's SDF shared library",
+	 "Show CPUID",
-	 ENGINE_CMD_FLAG_STRING},
-	{SDF_CMD_NUMERIC,
-	 "NUMERIC",
-	 "Connect SKF device with device name",
-	 ENGINE_CMD_FLAG_NUMERIC},
-	{SDF_CMD_NO_INPUT,
-	 "NO_INPUT",
-	 "Example NO_INPUT",
 	 ENGINE_CMD_FLAG_NO_INPUT},
 	{0, NULL, NULL, 0},
 };
@@ -80,14 +70,8 @@ static const ENGINE_CMD_DEFN avx2_cmd_defns[] = {
 static int avx2_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
 {
 	switch (cmd) {
-	case SDF_CMD_STRING:
+	case SDF_CMD_CPUID:
-		printf("cmd = %s\n", (char *)p);
+		printf("not implemented\n");
-		break;
-	case SDF_CMD_NUMERIC:
-		printf("cmd = %d\n", (int)i);
-		break;
-	case SDF_CMD_NO_INPUT:
-		printf("cmd = (null)\n");
 		break;
 	default:
 		printf("unknown cmd\n");

engines/e_sdf.c

@@ -0,0 +1,299 @@
+/* ====================================================================
+ * Copyright (c) 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+#include <openssl/engine.h>
+
+
+static const SDF_METHOD *sdf_meth;
+
+static const char *sdf_id = "sdf";
+static const char *sdf_name = "ENGINE connect to SDF Devices";
+
+#define SDF_CMD_SO_PATH		ENGINE_CMD_BASE
+
+static const ENGINE_CMD_DEFN sdf_cmd_defns[] = {
+	{SDF_CMD_SO_PATH,
+	 "SO_PATH",
+	 "Specifies the path to the vendor's SDF shared library",
+	 ENGINE_CMD_FLAG_STRING},
+	{0, NULL, NULL, 0},
+};
+
+static int sdf_load_library(const char *so_path)
+{
+	sdf_meth = SDF_METHOD_load_library(so_path);
+	return 1;
+}
+
+static int sdf_open_device()
+{
+	int rv;
+	if ((rv = sdf_meth->OpenDevice(&hDevice)) != SDR_OK) {
+		ESDFerr(ESDF_F_SDF_OPEN_DEVICE, ESDF_R_OPEN_DEVICE_FAILURE);
+		fprintf(stderr, "so_path: %s\n", SDF_GetErrorString(rv));
+		return 0;
+	}
+	if ((rv = sdf_meth->OpenSession(hDevice, &hSession)) != SDR_OK) {
+		ESDFerr(ESDF_F_SDF_OPEN_DEVICE, ESDF_R_OPEN_SESSION_FAILURE);
+		fprintf(stderr, "so_path: %s\n", SDF_GetErrorString(rv));
+		return 0;
+	}
+
+	return 1;
+}
+
+static int sdf_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+{
+	switch (cmd) {
+	case SDF_CMD_SO_PATH:
+		so_path = (char *)p;
+		sdf_load_library(so_path);
+		break;
+	default:
+		printf("unknown cmd\n");
+		return 0;
+	}
+	return 1;
+}
+
+static int sdf_ec_idx = -1;
+static const EC_KEY_METHOD *sdf_ec_method = NULL;
+
+static ECDSA_SIG *sdf_ec_sign_sig(const unsigned char *dgst, int dgstlen,
+	const BIGNUM *kinv, const BIGNUM *r,
+	EC_KEY *ec_key)
+{
+	unsigned int key_index;
+	ECCSignature sigbuf;
+
+	rv = sdf_meth->InternalSign_ECC(
+		hSession,
+		key_index,
+		dgst,
+		dgstlen,
+		&sigbuf);
+
+	return ret;
+}
+
+const EC_KEY_METHOD *sdf_get_ec_method(void)
+{
+	EC_KEY_METHOD *ret = NULL;
+
+	if (sdf_ec_method) {
+		return sdf_ec_method;
+	}
+
+	if (!(ret = EC_KEY_METHOD_new(EC_KEY_OpenSSL()))) {
+		return NULL;
+	}
+
+	EC_KEY_METHOD_set_sign(ret, NULL, NULL, sdf_ec_sign_sig);
+
+	sdf_ec_method = ret;
+	return ret;
+}
+
+static EVP_PKEY *sdf_load_privkey(ENGINE *e, const char *key_id,
+	UI_METHOD *ui_method, void *callback_data)
+{
+	UI *ui = NULL;
+	char buf1[256];
+	char buf2[256];
+	int r;
+	char *password;
+	ECCrefPublicKey keybuf;
+
+	ui = UI_new_method(ui_method);
+
+	if ((r = UI_add_input_string(ui, "> ", 0, buf1, 0, sizeof(buf1)-1)) < 0) {
+		goto end;
+	}
+	if (UI_process(ui) < 0) {
+	}
+
+	password = UI_get0_result(ui, 0);
+
+
+	sdf_meth->GetPrivateKeyAccessRight(
+		hSession,
+		key_index,
+		password,
+		strlen(password));
+
+	sdf_meth->ExportSignPublicKey_ECC(
+		hSession,
+		key_index,
+		&keybuf);
+
+	ec_key = EC_KEY_new_by_ECCrefPublicKey(&keybuf);
+
+	EVP_PKEY_set0_EC(ret, ec_key);
+
+	return NULL;
+}
+
+static EVP_PKEY *sdf_load_pubkey(ENGINE *e, const char *key_id,
+	UI_METHOD *ui_method, void *callback_data)
+{
+	EVP_PKEY *ret = NULL;
+	int rv;
+
+	unsigned int index;
+	int is_sign_key;
+	RSArefPublicKey publicKey;
+
+	parse_key_id(key_id, &index, &is_sign_key);
+
+	rv = SDF_OpenSession(hDevice, &hSession);
+
+	if (is_sign_key) {
+		rv = SDF_ExportSignPublicKey_RSA(hSession, index, &publicKey);
+	} else {
+		rv = SDF_ExportEncPublicKey_RSA(hSession, index, &publicKey);
+	}
+
+	return NULL;
+}
+
+static int sdf_destroy(ENGINE *e)
+{
+	return 1;
+}
+
+static void *hDevice = NULL;
+static void *hSession = NULL;
+
+static int sdf_init(ENGINE *e)
+{
+	sdf_meth = NULL;
+	return 1;
+}
+
+static int sdf_finish(ENGINE *e)
+{
+	if (hSession) {
+		sdf_meth->CloseSession(hSession);
+		hSession = NULL;
+	}
+
+	if (hDevice) {
+		sdf_meth->CloseDevice(hDevice);
+	}
+	return 1;
+}
+
+static int bind_sdf(ENGINE *e)
+{
+	if (!ENGINE_set_id(e, sdf_id)
+		|| !ENGINE_set_name(e, sdf_name)
+		|| !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)
+		|| !ENGINE_set_cmd_defns(e, sdf_cmd_defns)
+		|| !ENGINE_set_ctrl_function(e, sdf_ctrl)
+		|| !ENGINE_set_init_function(e, sdf_init)
+		|| !ENGINE_set_finish_function(e, sdf_finish)
+		|| !ENGINE_set_destroy_function(e, sdf_destroy)
+		|| !ENGINE_set_load_privkey_function(e, sdf_load_privkey)
+		|| !ENGINE_set_load_pubkey_function(e, sdf_load_pubkey)
+		|| !ENGINE_set_EC(e, sdf_get_ec_method())) {
+		return 0;
+	}
+
+	return 1;
+}
+
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+static int bind_helper(ENGINE *e, const char *id)
+{
+	if (id && strcmp(id, sdf_id) != 0) {
+		return 0;
+	}
+	if (!bind_sdf(e)) {
+		return 0;
+	}
+	return 1;
+}
+
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
+
+#else
+
+static ENGINE *engine_sdf(void)
+{
+	ENGINE *ret = NULL;
+	if (!(ret = ENGINE_new())) {
+		return NULL;
+	}
+	if (!bind_sdf(ret)) {
+		ENGINE_free(ret);
+		return NULL;
+	}
+	return ret;
+}
+
+void engine_load_sdf_int(void)
+{
+	ENGINE *eng = NULL;
+	if (!(eng = engine_sdf())) {
+		return;
+	}
+	ENGINE_add(eng);
+	ENGINE_free(eng);
+	ERR_clear_error();
+}
+#endif /* OPENSSL_NO_DYNAMIC_ENGINE */

engines/e_sdf.ec

@@ -0,0 +1 @@
+L       ESDF    e_sdf_err.h e_sdf_err.c

engines/e_sdf_err.c

@@ -0,0 +1,86 @@
+/*
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "e_sdf_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+# define ERR_FUNC(func) ERR_PACK(0,func,0)
+# define ERR_REASON(reason) ERR_PACK(0,0,reason)
+
+static ERR_STRING_DATA ESDF_str_functs[] = {
+    {ERR_FUNC(ESDF_F_SDF_OPEN_DEVICE), "sdf_open_device"},
+    {ERR_FUNC(ESDF_F_SDF_RAND_BYTES), "sdf_rand_bytes"},
+    {0, NULL}
+};
+
+static ERR_STRING_DATA ESDF_str_reasons[] = {
+    {ERR_REASON(ESDF_R_OPEN_DEVICE_FAILURE), "open device failure"},
+    {ERR_REASON(ESDF_R_OPEN_SESSION_FAILURE), "open session failure"},
+    {ERR_REASON(ESDF_R_OPERATION_FAILURE), "operation failure"},
+    {0, NULL}
+};
+
+#endif
+
+#ifdef ESDF_LIB_NAME
+static ERR_STRING_DATA ESDF_lib_name[] = {
+    {0, ESDF_LIB_NAME},
+    {0, NULL}
+};
+#endif
+
+static int ESDF_lib_error_code = 0;
+static int ESDF_error_init = 1;
+
+static int ERR_load_ESDF_strings(void)
+{
+    if (ESDF_lib_error_code == 0)
+        ESDF_lib_error_code = ERR_get_next_error_library();
+
+    if (ESDF_error_init) {
+        ESDF_error_init = 0;
+#ifndef OPENSSL_NO_ERR
+        ERR_load_strings(ESDF_lib_error_code, ESDF_str_functs);
+        ERR_load_strings(ESDF_lib_error_code, ESDF_str_reasons);
+#endif
+
+#ifdef ESDF_LIB_NAME
+        ESDF_lib_name->error = ERR_PACK(ESDF_lib_error_code, 0, 0);
+        ERR_load_strings(0, ESDF_lib_name);
+#endif
+    }
+    return 1;
+}
+
+static void ERR_unload_ESDF_strings(void)
+{
+    if (ESDF_error_init == 0) {
+#ifndef OPENSSL_NO_ERR
+        ERR_unload_strings(ESDF_lib_error_code, ESDF_str_functs);
+        ERR_unload_strings(ESDF_lib_error_code, ESDF_str_reasons);
+#endif
+
+#ifdef ESDF_LIB_NAME
+        ERR_unload_strings(0, ESDF_lib_name);
+#endif
+        ESDF_error_init = 1;
+    }
+}
+
+static void ERR_ESDF_error(int function, int reason, char *file, int line)
+{
+    if (ESDF_lib_error_code == 0)
+        ESDF_lib_error_code = ERR_get_next_error_library();
+    ERR_PUT_error(ESDF_lib_error_code, function, reason, file, line);
+}

engines/e_sdf_err.h

@@ -0,0 +1,42 @@
+/*
+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_ESDF_ERR_H
+# define HEADER_ESDF_ERR_H
+
+# ifdef  __cplusplus
+extern "C" {
+# endif
+
+/* BEGIN ERROR CODES */
+/*
+ * The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+static int ERR_load_ESDF_strings(void);
+static void ERR_unload_ESDF_strings(void);
+static void ERR_ESDF_error(int function, int reason, char *file, int line);
+# define ESDFerr(f,r) ERR_ESDF_error((f),(r),OPENSSL_FILE,OPENSSL_LINE)
+
+/* Error codes for the ESDF functions. */
+
+/* Function codes. */
+# define ESDF_F_SDF_OPEN_DEVICE                           100
+# define ESDF_F_SDF_RAND_BYTES                            101
+
+/* Reason codes. */
+# define ESDF_R_OPEN_DEVICE_FAILURE                       100
+# define ESDF_R_OPEN_SESSION_FAILURE                      101
+# define ESDF_R_OPERATION_FAILURE                         102
+
+# ifdef  __cplusplus
+}
+# endif
+#endif

engines/e_skf.c

@@ -0,0 +1,293 @@
+/* ====================================================================
+ * Copyright (c) 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+#include <openssl/engine.h>
+
+
+static const SDF_METHOD *sdf_meth;
+
+static const char *sdf_id = "sdf";
+static const char *sdf_name = "ENGINE connect to SDF Devices";
+
+#define SDF_CMD_SO_PATH		ENGINE_CMD_BASE
+
+static const ENGINE_CMD_DEFN sdf_cmd_defns[] = {
+	{SDF_CMD_SO_PATH,
+	 "SO_PATH",
+	 "Specifies the path to the vendor's SDF shared library",
+	 ENGINE_CMD_FLAG_STRING},
+	{0, NULL, NULL, 0},
+};
+
+static int sdf_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+{
+	switch (cmd) {
+	case SDF_CMD_SO_PATH:
+		so_path = (char *)p;
+		sdf_load_library(so_path);
+		break;
+	default:
+		printf("unknown cmd\n");
+		return 0;
+	}
+	return 1;
+}
+
+static int sdf_rand_bytes(unsigned char *out, int outlen)
+{
+	if (sdf_meth->GenerateRandom) {
+		if ((sdf_meth->GenerateRandom(hSession, out, outlen)) != SDR_OK) {
+			ESDFerr(ESDF_F_SDF_RAND_BYTES, ESDF_R_OPERATION_FAILURE);
+			return 0;
+		}
+	}
+	return 1;
+}
+
+static int sdf_rand_status(void)
+{
+	return 1;
+}
+
+static RAND_METHOD sdf_rand_method = {
+	NULL,
+	sdf_rand_bytes,
+	NULL,
+	NULL,
+	sdf_rand_bytes,
+	sdf_rand_status,
+};
+
+const RAND_METHOD *sdf_get_rand_method(void)
+{
+	return &sdf_rand_method;
+}
+
+static int sdf_ec_idx = -1;
+static const EC_KEY_METHOD *sdf_ec_method = NULL;
+
+static int sdf_ec_sign(int type, const unsigned char *dgst, int dgstlen,
+	unsigned char *sig, unsigned int *siglen,
+	const BIGNUM *kinv, const BIGNUM *r,
+	EC_KEY *ec_key)
+{
+	printf(" call %s()\n", __func__);
+	return 1;
+}
+
+static int sdf_ec_sign_setup(EC_KEY *ec_key, BN_CTX *ctx,
+	BIGNUM **kinvp, BIGNUM **rp)
+{
+	printf(" call %s()\n", __func__);
+	return 1;
+}
+
+static ECDSA_SIG *sdf_ec_sign_sig(const unsigned char *dgst, int dgstlen,
+	const BIGNUM *kinv, const BIGNUM *r,
+	EC_KEY *ec_key)
+{
+	ECDSA_SIG *ret = ECDSA_SIG_new();
+	printf(" call %s()\n", __func__);
+	return ret;
+}
+
+const EC_KEY_METHOD *sdf_get_ec_method(void)
+{
+	EC_KEY_METHOD *ret = NULL;
+
+	if (sdf_ec_method) {
+		return sdf_ec_method;
+	}
+
+	if (!(ret = EC_KEY_METHOD_new(EC_KEY_OpenSSL()))) {
+		return NULL;
+	}
+
+	EC_KEY_METHOD_set_sign(ret, sdf_ec_sign, sdf_ec_sign_setup, sdf_ec_sign_sig);
+
+	sdf_ec_method = ret;
+	return ret;
+}
+
+static EVP_PKEY *sdf_load_privkey(ENGINE *e, const char *key_id,
+	UI_METHOD *ui_method, void *callback_data)
+{
+	UI *ui = NULL;
+	char buf1[256];
+	char buf2[256];
+	int r;
+
+	ui = UI_new_method(ui_method);
+
+	r = UI_add_input_string(ui, "> ", 0, buf1, 0, sizeof(buf1)-1);
+	assert(r >= 0);
+	r = UI_process(ui);
+	assert(r >= 0);
+
+	printf("password = %s\n", UI_get0_result(ui, 0));
+
+	printf("%s\n", __func__);
+	return NULL;
+}
+
+static EVP_PKEY *sdf_load_pubkey(ENGINE *e, const char *key_id,
+	UI_METHOD *ui_method, void *callback_data)
+{
+	unsigned int index;
+	int is_sign_key;
+	RSArefPublicKey publicKey;
+
+	parse_key_id(key_id, &index, &is_sign_key);
+
+	rv = SDF_OpenSession(hDevice, &hSession);
+
+	if (is_sign_key) {
+		rv = SDF_ExportSignPublicKey_RSA(hSession, index, &publicKey);
+	} else {
+		rv = SDF_ExportEncPublicKey_RSA(hSession, index, &publicKey);
+	}
+
+	printf("%s\n", __func__);
+	return NULL;
+}
+
+/****************************************************************************/
+
+static int sdf_destroy(ENGINE *e)
+{
+	return 1;
+}
+
+static void *hDevice = NULL;
+static void *hSession = NULL;
+
+static int sdf_init(ENGINE *e)
+{
+	int rv;
+	rv = sdf_meth->OpenDevice(&hDevice);
+	rv = sdf_meth->OpenSession(hDevice, &hSession);
+	return 1;
+}
+
+static int sdf_finish(ENGINE *e)
+{
+	sdf_meth->CloseSession(hSession);
+	sdf_meth->CloseDevice(hDevice);
+	return 1;
+}
+
+static int bind_sdf(ENGINE *e)
+{
+	if (!ENGINE_set_id(e, sdf_id)
+		|| !ENGINE_set_name(e, sdf_name)
+		|| !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)
+		|| !ENGINE_set_cmd_defns(e, sdf_cmd_defns)
+		|| !ENGINE_set_ctrl_function(e, sdf_ctrl)
+		|| !ENGINE_set_init_function(e, sdf_init)
+		|| !ENGINE_set_finish_function(e, sdf_finish)
+		|| !ENGINE_set_destroy_function(e, sdf_destroy)
+		|| !ENGINE_set_load_privkey_function(e, sdf_load_privkey)
+		|| !ENGINE_set_load_pubkey_function(e, sdf_load_pubkey)
+		|| !ENGINE_set_RAND(e, sdf_get_rand_method())
+		|| !ENGINE_set_EC(e, sdf_get_ec_method())) {
+		return 0;
+	}
+
+	return 1;
+}
+
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+static int bind_helper(ENGINE *e, const char *id)
+{
+	if (id && strcmp(id, sdf_id) != 0) {
+		return 0;
+	}
+	if (!bind_sdf(e)) {
+		return 0;
+	}
+	return 1;
+}
+
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
+
+#else
+
+static ENGINE *engine_sdf(void)
+{
+	ENGINE *ret = NULL;
+	if (!(ret = ENGINE_new())) {
+		return NULL;
+	}
+	if (!bind_sdf(ret)) {
+		ENGINE_free(ret);
+		return NULL;
+	}
+	return ret;
+}
+
+void engine_load_sdf_int(void)
+{
+	ENGINE *eng = NULL;
+	if (!(eng = engine_sdf())) {
+		return;
+	}
+	ENGINE_add(eng);
+	ENGINE_free(eng);
+	ERR_clear_error();
+}
+#endif /* OPENSSL_NO_DYNAMIC_ENGINE */

engines/e_skf.ec

@@ -0,0 +1 @@
+L       ESKF    e_skf_err.h e_skf_err.c

include/openssl/gmsaf.h

@@ -73,64 +73,79 @@ int ERR_load_SAF_strings(void);
 /* Error codes for the SAF functions. */
 
 /* Function codes. */
-# define SAF_F_SAF_BASE64_CREATEBASE64OBJ                 100
+# define SAF_F_SAF_ADDCACERTIFICATE                       100
-# define SAF_F_SAF_BASE64_DECODE                          101
+# define SAF_F_SAF_ADDTRUSTEDROOTCACERTIFICATE            101
-# define SAF_F_SAF_BASE64_DECODEFINAL                     102
+# define SAF_F_SAF_BASE64_CREATEBASE64OBJ                 102
-# define SAF_F_SAF_BASE64_DECODEUPDATE                    103
+# define SAF_F_SAF_BASE64_DECODE                          103
-# define SAF_F_SAF_BASE64_ENCODE                          104
+# define SAF_F_SAF_BASE64_DECODEFINAL                     104
-# define SAF_F_SAF_BASE64_ENCODEFINAL                     105
+# define SAF_F_SAF_BASE64_DECODEUPDATE                    105
-# define SAF_F_SAF_BASE64_ENCODEUPDATE                    106
+# define SAF_F_SAF_BASE64_ENCODE                          106
-# define SAF_F_SAF_CHANGEPIN                              107
+# define SAF_F_SAF_BASE64_ENCODEFINAL                     107
-# define SAF_F_SAF_CREATESYMMKEYOBJ                       108
+# define SAF_F_SAF_BASE64_ENCODEUPDATE                    108
-# define SAF_F_SAF_ECCPUBLICKEYENC                        109
+# define SAF_F_SAF_CHANGEPIN                              109
-# define SAF_F_SAF_ECCPUBLICKEYENCBYCERT                  110
+# define SAF_F_SAF_CREATEHASHOBJ                          110
-# define SAF_F_SAF_ECCSIGN                                111
+# define SAF_F_SAF_CREATESYMMKEYOBJ                       111
-# define SAF_F_SAF_ECCVERIFYSIGN                          112
+# define SAF_F_SAF_DESTROYHASHOBJ                         112
-# define SAF_F_SAF_ECCVERIFYSIGNBYCERT                    113
+# define SAF_F_SAF_ECCPUBLICKEYENC                        113
-# define SAF_F_SAF_GENECCKEYPAIR                          114
+# define SAF_F_SAF_ECCPUBLICKEYENCBYCERT                  114
-# define SAF_F_SAF_GENERATEKEYWITHEPK                     115
+# define SAF_F_SAF_ECCSIGN                                115
-# define SAF_F_SAF_GENRANDOM                              116
+# define SAF_F_SAF_ECCVERIFYSIGN                          116
-# define SAF_F_SAF_GENRSAKEYPAIR                          117
+# define SAF_F_SAF_ECCVERIFYSIGNBYCERT                    117
-# define SAF_F_SAF_GETECCPUBLICKEY                        118
+# define SAF_F_SAF_GENECCKEYPAIR                          118
-# define SAF_F_SAF_GETRSAPUBLICKEY                        119
+# define SAF_F_SAF_GENERATEKEYWITHEPK                     119
-# define SAF_F_SAF_GETVERSION                             120
+# define SAF_F_SAF_GENRANDOM                              120
-# define SAF_F_SAF_IMPORTENCEDKEY                         121
+# define SAF_F_SAF_GENRSAKEYPAIR                          121
-# define SAF_F_SAF_INITIALIZE                             122
+# define SAF_F_SAF_GETCACERTIFICATE                       122
-# define SAF_F_SAF_LOGIN                                  123
+# define SAF_F_SAF_GETCACERTIFICATECOUNT                  123
-# define SAF_F_SAF_LOGOUT                                 124
+# define SAF_F_SAF_GETECCPUBLICKEY                        124
-# define SAF_F_SAF_MACFINAL                               125
+# define SAF_F_SAF_GETROOTCACERTIFICATE                   125
-# define SAF_F_SAF_MACUPDATE                              126
+# define SAF_F_SAF_GETROOTCACERTIFICATECOUNT              126
-# define SAF_F_SAF_PKCS7_ENCODEENVELOPEDDATA              127
+# define SAF_F_SAF_GETRSAPUBLICKEY                        127
-# define SAF_F_SAF_RSASIGN                                128
+# define SAF_F_SAF_GETVERSION                             128
-# define SAF_F_SAF_RSAVERIFYSIGN                          129
+# define SAF_F_SAF_HASH                                   129
-# define SAF_F_SAF_SYMMDECRYPTFINAL                       133
+# define SAF_F_SAF_HASHFINAL                              130
-# define SAF_F_SAF_SYMMDECRYPTUPDATE                      130
+# define SAF_F_SAF_HASHUPDATE                             131
-# define SAF_F_SAF_SYMMENCRYPTFINAL                       134
+# define SAF_F_SAF_INITIALIZE                             132
-# define SAF_F_SAF_SYMMENCRYPTUPDATE                      131
+# define SAF_F_SAF_KEY_NEW                                133
-# define SAF_F_SAF_VERIFYSIGNBYCERT                       132
+# define SAF_F_SAF_LOGIN                                  134
+# define SAF_F_SAF_LOGOUT                                 135
+# define SAF_F_SAF_MACFINAL                               136
+# define SAF_F_SAF_MACUPDATE                              137
+# define SAF_F_SAF_PKCS7_ENCODEENVELOPEDDATA              138
+# define SAF_F_SAF_REMOVECACERTIFICATE                    139
+# define SAF_F_SAF_REMOVEROOTCACERTIFICATE                140
+# define SAF_F_SAF_RSASIGN                                141
+# define SAF_F_SAF_RSAVERIFYSIGN                          142
+# define SAF_F_SAF_SYMMDECRYPTFINAL                       143
+# define SAF_F_SAF_SYMMDECRYPTUPDATE                      144
+# define SAF_F_SAF_SYMMENCRYPTFINAL                       145
+# define SAF_F_SAF_SYMMENCRYPTUPDATE                      146
+# define SAF_F_SAF_SYMMKEYOBJ_DUP                         147
+# define SAF_F_SAF_VERIFYSIGNBYCERT                       148
 
 /* Reason codes. */
 # define SAF_R_BUFFER_TOO_SMALL                           100
 # define SAF_R_CMAC_FAILURE                               101
-# define SAF_R_DECRYPT_NOT_INITIALIZED                    118
+# define SAF_R_DECRYPT_NOT_INITIALIZED                    102
-# define SAF_R_ENCRYPT_KEY_FAILURE                        102
+# define SAF_R_ENCRYPT_KEY_FAILURE                        103
-# define SAF_R_ENCRYPT_NOT_INITIALIED                     119
+# define SAF_R_ENCRYPT_NOT_INITIALIED                     104
-# define SAF_R_GEN_RANDOM                                 103
+# define SAF_R_GEN_RANDOM_FAILURE                         105
-# define SAF_R_GEN_RANDOM_FAILURE                         104
+# define SAF_R_INT_OVERFLOW                               106
-# define SAF_R_INT_OVERFLOW                               105
+# define SAF_R_INVALID_ALGOR                              107
-# define SAF_R_INVALID_ALGOR                              106
+# define SAF_R_INVALID_CERTIFICATE                        108
-# define SAF_R_INVALID_CERTIFICATE                        107
-# define SAF_R_INVALID_CONTEXT                            108
 # define SAF_R_INVALID_HANDLE                             109
-# define SAF_R_INVALID_INPUT_LENGTH                       110
+# define SAF_R_INVALID_INDEX                              110
-# define SAF_R_INVALID_KEY_HANDLE                         120
+# define SAF_R_INVALID_INPUT_LENGTH                       111
-# define SAF_R_INVALID_KEY_LENGTH                         111
+# define SAF_R_INVALID_KEY_HANDLE                         112
-# define SAF_R_INVALID_KEY_USAGE                          112
+# define SAF_R_INVALID_KEY_LENGTH                         113
-# define SAF_R_INVALID_LENGTH                             113
+# define SAF_R_INVALID_KEY_USAGE                          114
-# define SAF_R_MAC_FAILURE                                114
+# define SAF_R_INVALID_LENGTH                             115
-# define SAF_R_NOT_SUPPORTED                              115
+# define SAF_R_INVALID_PUBLIC_KEY                         116
-# define SAF_R_OPERATION_NOT_INITIALIZED                  116
+# define SAF_R_LOAD_CERTS_FAILURE                         117
-# define SAF_R_UNSUPPORTED_ALGOR                          117
+# define SAF_R_MAC_FAILURE                                118
+# define SAF_R_NOT_SUPPORTED                              119
+# define SAF_R_OPERATION_NOT_INITIALIZED                  120
+# define SAF_R_UNSUPPORTED_ALGOR                          121
 
 # ifdef  __cplusplus
 }

include/openssl/saf.h

@@ -155,7 +155,7 @@ int SAF_RemoveRootCaCertificate(
 int SAF_AddCaCertificate(
 	void *hAppHandle,
 	unsigned char *pucCertificate,
-	unsigned int *puiCertificateLen);
+	unsigned int uiCertificateLen);
 
 int SAF_GetCaCertificateCount(
 	void *hAppHandle,

include/openssl/sms4.h

@@ -98,6 +98,14 @@ int sms4_unwrap_key(sms4_key_t *key, const unsigned char *iv,
 	unsigned char *out, const unsigned char *in, unsigned int inlen);
 
 
+void sms4_avx2_encrypt_init(sms4_key_t *key);
+void sms4_avx2_encrypt_8blocks(const unsigned char *in, unsigned char *out, const sms4_key_t *key);
+void sms4_avx2_encrypt_16blocks(const unsigned char *in, unsigned char *out, const sms4_key_t *key);
+
+void sms4_knc_encrypt_init(sms4_key_t *key);
+void sms4_knc_encrypt_8blocks(const unsigned char *in, unsigned char *out, const sms4_key_t *key);
+void sms4_knc_encrypt_16blocks(const unsigned char *in, unsigned char *out, const sms4_key_t *key);
+
 
 #define SMS4_EDE_KEY_LENGTH	32