Merge branch 'Tongsuo-Project:master' into master

Tongsuo-Project · Nov 23, 2023 · 1b4e242 · 1b4e242
2 parents 5778598 + 35ae1cc
commit 1b4e242
Show file tree

Hide file tree

Showing 25 changed files with 400 additions and 101 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -185,7 +185,7 @@ jobs:
     - name: modprobe tls
       run: sudo modprobe tls
     - name: config
-      run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips enable-ntls enable-optimize-chacha-choose enable-status enable-crypto-mdebug-count enable-cert-compression enable-delegated-credential enable-bn-method && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips enable-ntls enable-optimize-chacha-choose enable-status enable-crypto-mdebug-count enable-cert-compression enable-delegated-credential enable-bn-method --with-rand-seed=getrandom,rtc && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: make test
@@ -256,7 +256,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: config
-        run: CC=clang ./config --strict-warnings enable-ssl-trace enable-zlib enable-zlib-dynamic enable-fips enable-ec_elgamal enable-twisted_ec_elgamal enable-paillier && perl configdata.pm --dump
+        run: CC=clang ./config --strict-warnings enable-ssl-trace enable-zlib enable-zlib-dynamic enable-ec_elgamal enable-twisted_ec_elgamal enable-paillier && perl configdata.pm --dump
       - name: make
         run: make -s -j4
       - name: make test
@@ -378,16 +378,14 @@ jobs:
       - name: check dirty
         run: test $(git status --porcelain | wc -l) -eq "0"
 
-  zkp-test:
+  zkp-build-test:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
       - name: config
         run: CC=clang ./config --strict-warnings --debug -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY enable-ec_elgamal enable-twisted_ec_elgamal enable-bulletproofs enable-nizk enable-zkp-gadget && perl configdata.pm --dump
       - name: make
         run: make -s -j4
-      - name: make test
-        run: make test
       - name: make clean
         run: make clean
       - name: check dirty

diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
@@ -116,6 +116,9 @@ jobs:
           enable-ntls,
           enable-smtc enable-smtc-debug,
           enable-ntls enable-smtc enable-smtc-debug,
+          enable-ec_elgamal enable-twisted_ec_elgamal,
+          enable-bulletproofs,
+          enable-bulletproofs enable-nizk enable-zkp-gadget enable-ec_elgamal enable-twisted_ec_elgamal,
           -DOPENSSL_NO_BUILTIN_OVERFLOW_CHECKING
         ]
     runs-on: ubuntu-latest

diff --git a/CHANGES b/CHANGES
@@ -4,6 +4,8 @@
 
  Changes between 8.4.0 and 8.5.0 [xx XXX xxxx]
 
+  *) 随机数熵源增加系统时间（RTC）方案
+
   *) 增加商用密码检测和认证Provider，包括身份认证、完整性验证、算法自测试、随机数自检、
      熵源健康测试；增加mod应用，包括生成SMTC配置、自测试功能
 

diff --git a/Configure b/Configure
@@ -793,7 +793,7 @@ my %cmdvars = ();               # Stores FOO='blah' type arguments
 my %unsupported_options = ();
 my %deprecated_options = ();
 # If you change this, update apps/version.c
-my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom);
+my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom rtc);
 my @seed_sources = ();
 while (@argvcopy)
         {
@@ -1125,6 +1125,13 @@ if (!defined($disabled{'ec_elgamal'})) {
     $config{api}=$apitable->{"1.1.1"};
 }
 
+if (!defined($disabled{'twisted_ec_elgamal'})) {
+    die "twisted_ec_elgamal only supports api with 1.1.1\n"
+        if ($config{api} && $config{api} != $apitable->{"1.1.1"});
+    die "twisted_ec_elgamal depends on ec_elgamal\n"
+        if (defined($disabled{'ec_elgamal'}));
+}
+
 if (!defined($disabled{'bulletproofs'})) {
     die "bulletproofs only supports api with 1.1.1\n"
         if ($config{api} && $config{api} != $apitable->{"1.1.1"});

diff --git a/README.md b/README.md
@@ -47,6 +47,8 @@
 * [Angie](https://angie.software/en/), Angie是一个可以替换掉NGINX的新型Web服务器，我们建议使用铜锁的用户优先选择Angie (We highly recommend you to replace NGINX with Angie to enable Tongsuo's functionality)
 * Apache APISIX
 * Tengine
+* [g3proxy](https://github.com/bytedance/g3/tree/master/g3proxy)，正向代理&基础反向代理
+* [g3bench](https://github.com/bytedance/g3/tree/master/g3bench)，HTTPS/H2/TLS握手等压测
 
 商业应用 (Commercial Application)
 

diff --git a/crypto/ec/ec_elgamal_crypt.c b/crypto/ec/ec_elgamal_crypt.c
@@ -9,66 +9,11 @@
 
 #include "ec_elgamal.h"
 #include <openssl/err.h>
-#include <openssl/sha.h>
 #include <string.h>
 
 DEFINE_STACK_OF(EC_KEY)
 DEFINE_STACK_OF(EC_POINT)
 
-#define HASH_TO_EC_POINT_TRY_COUNT  1000
-
-/*
- * Functions for convert string to ec_point on the elliptic curve.
- * This implementation belongs to the ad-hoc method, but it is also the
- * recommended implementation in the mcl library, the google open source project
- * and the cryptography conference paper.
- *  \param  group   underlying EC_GROUP object
- *  \param  r       EC_POINT object for the result
- *  \param  str     string pointer
- *  \param  len     length of the string
- *  \return 1 on success and 0 if an error occurred
- */
-int EC_POINT_from_string(const EC_GROUP *group, EC_POINT *r,
-                         const unsigned char *str, size_t len)
-{
-    int ret = 0, i = 0;
-    unsigned char hash_res[SHA256_DIGEST_LENGTH];
-    unsigned char *p = (unsigned char *)str;
-    BN_CTX *bn_ctx = NULL;
-    BIGNUM *x;
-
-    memset(hash_res, 0, sizeof(hash_res));
-
-    if ((bn_ctx = BN_CTX_new_ex(group->libctx)) == NULL)
-        goto end;
-
-    BN_CTX_start(bn_ctx);
-    if ((x = BN_CTX_get(bn_ctx)) == NULL)
-        goto end;
-
-    do {
-        if (!SHA256(p, len, hash_res))
-            goto end;
-
-        BN_bin2bn(hash_res, SHA256_DIGEST_LENGTH, x);
-
-        p  = &hash_res[0];
-        len = sizeof(hash_res);
-
-        if(EC_POINT_set_compressed_coordinates(group, r, x, 0, bn_ctx) == 1) {
-            ret = 1;
-            break;
-        }
-
-        ERR_clear_error();
-    } while (i++ < HASH_TO_EC_POINT_TRY_COUNT);
-
-end:
-    BN_CTX_end(bn_ctx);
-    BN_CTX_free(bn_ctx);
-    return ret;
-}
-
 /** Creates a new EC_ELGAMAL_CTX object
  *  \param  key      EC_KEY to use
  *  \param  h        EC_POINT object pointer

diff --git a/crypto/ec/ec_elgamal_encode.c b/crypto/ec/ec_elgamal_encode.c
@@ -492,7 +492,7 @@ size_t EC_ELGAMAL_MR_CIPHERTEXT_encode(EC_ELGAMAL_MR_CTX *ctx, unsigned char *ou
 int EC_ELGAMAL_MR_CIPHERTEXT_decode(EC_ELGAMAL_MR_CTX *ctx, EC_ELGAMAL_MR_CIPHERTEXT *r,
                                     unsigned char *in, size_t size)
 {
-    int ret = 0, len;
+    int ret = 0, len = 0;
     size_t point_len;
     unsigned char *p = in, zero[128];
     BN_CTX *bn_ctx = NULL;

diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
@@ -24,6 +24,8 @@
 #include "internal/nelem.h"
 #include "ec_local.h"
 
+#define HASH_TO_EC_POINT_TRY_COUNT  1000
+
 /* functions for EC_GROUP objects */
 
 EC_GROUP *ossl_ec_group_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
@@ -978,6 +980,60 @@ EC_POINT *EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group)
     return t;
 }
 
+#ifndef FIPS_MODULE
+/*
+ * Functions for convert string to ec_point on the elliptic curve.
+ * This implementation belongs to the ad-hoc method, but it is also the
+ * recommended implementation in the mcl library, the google open source project
+ * and the cryptography conference paper.
+ *  \param  group   underlying EC_GROUP object
+ *  \param  r       EC_POINT object for the result
+ *  \param  str     string pointer
+ *  \param  len     length of the string
+ *  \return 1 on success and 0 if an error occurred
+ */
+int EC_POINT_from_string(const EC_GROUP *group, EC_POINT *r,
+                         const unsigned char *str, size_t len)
+{
+    int ret = 0, i = 0;
+    unsigned char hash_res[SHA256_DIGEST_LENGTH];
+    unsigned char *p = (unsigned char *)str;
+    BN_CTX *bn_ctx = NULL;
+    BIGNUM *x;
+
+    memset(hash_res, 0, sizeof(hash_res));
+
+    if ((bn_ctx = BN_CTX_new_ex(group->libctx)) == NULL)
+        goto end;
+
+    BN_CTX_start(bn_ctx);
+    if ((x = BN_CTX_get(bn_ctx)) == NULL)
+        goto end;
+
+    do {
+        if (!SHA256(p, len, hash_res))
+            goto end;
+
+        BN_bin2bn(hash_res, SHA256_DIGEST_LENGTH, x);
+
+        p  = &hash_res[0];
+        len = sizeof(hash_res);
+
+        if(EC_POINT_set_compressed_coordinates(group, r, x, 0, bn_ctx) == 1) {
+            ret = 1;
+            break;
+        }
+
+        ERR_clear_error();
+    } while (i++ < HASH_TO_EC_POINT_TRY_COUNT);
+
+end:
+    BN_CTX_end(bn_ctx);
+    BN_CTX_free(bn_ctx);
+    return ret;
+}
+#endif
+
 #ifndef OPENSSL_NO_DEPRECATED_3_0
 const EC_METHOD *EC_POINT_method_of(const EC_POINT *point)
 {

diff --git a/crypto/info.c b/crypto/info.c
@@ -151,6 +151,9 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings)
 #endif
 #ifdef OPENSSL_RAND_SEED_OS
         add_seeds_string("os-specific");
+#endif
+#ifdef OPENSSL_RAND_SEED_RTC
+        add_seeds_string("real-time-clock");
 #endif
         seed_sources = seeds;
     }

diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -810,7 +810,7 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name,
 {
     BIO *tmp = *header;
     char *linebuf, *p;
-    int len, line, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0;
+    int len, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0;
     /* 0 if not seen (yet), 1 if reading header, 2 if finished header */
     enum header_status got_header = MAYBE_HEADER;
     unsigned int flags_mask;
@@ -824,7 +824,7 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name,
         return 0;
     }
 
-    for (line = 0; ; line++) {
+    while(1) {
         flags_mask = ~0u;
         len = BIO_gets(bp, linebuf, LINESIZE);
         if (len <= 0) {

diff --git a/crypto/txt_db/txt_db.c b/crypto/txt_db/txt_db.c
@@ -21,7 +21,6 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
 {
     TXT_DB *ret = NULL;
     int esc = 0;
-    long ln = 0;
     int i, add, n;
     int size = BUFSIZE;
     int offset = 0;
@@ -61,7 +60,6 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
         }
         buf->data[offset] = '\0';
         BIO_gets(in, &(buf->data[offset]), size - offset);
-        ln++;
         if (buf->data[offset] == '\0')
             break;
         if ((offset == 0) && (buf->data[0] == '#'))
@@ -80,7 +78,6 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
         p += add;
         n = 0;
         pp[n++] = p;
-        i = 0;
         f = buf->data;
 
         esc = 0;

diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -499,9 +499,7 @@ int X509_NAME_set(X509_NAME **xn, const X509_NAME *name)
 int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase)
 {
     char *s, *c, *b;
-    int l, i;
-
-    l = 80 - 2 - obase;
+    int i;
 
     b = X509_NAME_oneline(name, NULL, 0);
     if (b == NULL)
@@ -527,12 +525,10 @@ int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase)
                 if (BIO_write(bp, ", ", 2) != 2)
                     goto err;
             }
-            l--;
         }
         if (*s == '\0')
             break;
         s++;
-        l--;
     }
 
     OPENSSL_free(b);

diff --git a/crypto/zkp/common/zkp_util.h b/crypto/zkp/common/zkp_util.h
@@ -117,5 +117,3 @@ STACK_OF(EC_POINT) *zkp_stack_of_point_decode(const unsigned char *in, int *len,
 # endif
 
 #endif
-
-
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
@@ -661,6 +661,19 @@ int EC_POINT_copy(EC_POINT *dst, const EC_POINT *src);
  */
 EC_POINT *EC_POINT_dup(const EC_POINT *src, const EC_GROUP *group);
 
+#ifndef FIPS_MODULE
+/*
+ * Functions for convert string to ec_point on the elliptic curve.
+ *  \param  group   underlying EC_GROUP object
+ *  \param  r       EC_POINT object for the result
+ *  \param  str     string pointer
+ *  \param  len     length of the string
+ *  \return 1 on success and 0 if an error occurred
+ */
+int EC_POINT_from_string(const EC_GROUP *group, EC_POINT *r,
+                         const unsigned char *str, size_t len);
+#endif
+
 /** Sets a point to infinity (neutral element)
  *  \param  group  underlying EC_GROUP object
  *  \param  point  EC_POINT to set to infinity
@@ -2050,17 +2063,6 @@ size_t EC_ELGAMAL_MR_CIPHERTEXT_encode(EC_ELGAMAL_MR_CTX *ctx, unsigned char *ou
 int EC_ELGAMAL_MR_CIPHERTEXT_decode(EC_ELGAMAL_MR_CTX *ctx, EC_ELGAMAL_MR_CIPHERTEXT *r,
                                     unsigned char *in, size_t size);
 
-/*
- * Functions for convert string to ec_point on the elliptic curve.
- *  \param  group   underlying EC_GROUP object
- *  \param  r       EC_POINT object for the result
- *  \param  str     string pointer
- *  \param  len     length of the string
- *  \return 1 on success and 0 if an error occurred
- */
-int EC_POINT_from_string(const EC_GROUP *group, EC_POINT *r,
-                         const unsigned char *str, size_t len);
-
 #  endif
 
 # endif
Original file line number	Diff line number	Diff line change
Expand Up		@@ -117,5 +117,3 @@ STACK_OF(EC_POINT) zkp_stack_of_point_decode(const unsigned char in, int *len,
		# endif

		#endif