TLS, SM2: fixes to get SM handshakes working

Pass around the algorithm id from the private key so that the WOLFSSL or
WOLFSSL_CTX get the correct key format set.
Use different verification context when self-signed certificate with SM2
and SM3 signature but public key OID is ECC.

Author: SparkiDev

src/ssl_load.c

@@ -116,13 +116,14 @@
  * @param [in, out] info    Info for encryption.
  * @param [in]      heap    Dynamic memory allocation hint.
  * @param [out]     der     Holds DER encoded data.
+ * @param [out]     algId   Algorithm identifier for private keys.
  * @return  0 on success.
  * @return  NOT_COMPILED_IN when format is PEM and PEM not supported.
  * @return  ASN_PARSE_E when format is ASN.1 and invalid DER encoding.
  * @return  MEMORY_E when dynamic memory allocation fails.
  */
 static int DataToDerBuffer(const unsigned char* buff, word32 len, int format,
-    int type, EncryptedInfo* info, void* heap, DerBuffer** der)
+    int type, EncryptedInfo* info, void* heap, DerBuffer** der, int* algId)
 {
     int ret;
 
@@ -131,7 +132,7 @@ static int DataToDerBuffer(const unsigned char* buff, word32 len, int format,
     /* Data in buffer has PEM format - extract DER data. */
     if (format == WOLFSSL_FILETYPE_PEM) {
     #ifdef WOLFSSL_PEM_TO_DER
-        ret = PemToDer(buff, len, type, der, heap, info, NULL);
+        ret = PemToDer(buff, len, type, der, heap, info, algId);
         if (ret != 0) {
             FreeDer(der);
         }
@@ -341,7 +342,7 @@ static int ProcessUserChain(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
 
             /* Get a certificate as DER. */
             ret = DataToDerBuffer(buff + consumed, (word32)(sz - consumed),
-                format, type, info, heap, &part);
+                format, type, info, heap, &part, NULL);
             if (ret == 0) {
                 /* Process the user certificate. */
                 ret = ProcessUserCert(ctx->cm, &part, type, verify,
@@ -604,6 +605,12 @@ static int ProcessBufferTryDecodeEcc(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
             idx = 0;
             ret = wc_EccPublicKeyDecode(der->buffer, &idx, key, der->length);
         }
+    #endif
+    #ifdef WOLFSSL_SM2
+        if (*keyFormat == SM2k) {
+            ret = wc_ecc_set_curve(key, WOLFSSL_SM2_KEY_BITS / 8,
+                ECC_SM2P256V1);
+        }
     #endif
         if (ret == 0) {
             /* Get the minimum ECC key size from SSL or SSL context object. */
@@ -1317,52 +1324,53 @@ static void ProcessBufferPrivKeyHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
  * @param [in]      heap    Dynamic memory allocation hint.
  * @param [in]      type    Type of data:
  *                            PRIVATEKEY_TYPE or ALT_PRIVATEKEY_TYPE.
+ * @param [in]      algId   Algorithm id of key.
  * @return  0 on success.
  * @return  WOLFSSL_BAD_FILE when not able to decode.
  */
 static int ProcessBufferPrivateKey(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
-    DerBuffer* der, int format, EncryptedInfo* info, void* heap, int type)
+    DerBuffer* der, int format, EncryptedInfo* info, void* heap, int type,
+    int algId)
 {
     int ret;
-    int keyFormat = 0;
 #if (defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED)) || \
      defined(HAVE_PKCS8)
-    word32 algId = 0;
+    word32 p8AlgId = 0;
 #endif
 
     (void)info;
     (void)format;
 
 #ifdef HAVE_PKCS8
     /* Try and remove PKCS8 header and get algorithm id. */
-    ret = ToTraditional_ex(der->buffer, der->length, &algId);
+    ret = ToTraditional_ex(der->buffer, der->length, &p8AlgId);
     if (ret > 0) {
         /* Header stripped inline. */
         der->length = ret;
-        keyFormat = algId;
+        algId = p8AlgId;
     }
 #endif
 
     /* Put the data into the SSL or SSL context object. */
     ProcessBufferPrivKeyHandleDer(ctx, ssl, &der, type);
     /* Try to decode the DER data. */
-    ret = ProcessBufferTryDecode(ctx, ssl, der, &keyFormat, heap, type);
+    ret = ProcessBufferTryDecode(ctx, ssl, der, &algId, heap, type);
 
 #if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED)
     /* If private key type PKCS8 header wasn't already removed (algId == 0). */
-    if (((ret != 0) || (keyFormat == 0)) && (format != WOLFSSL_FILETYPE_PEM) &&
+    if (((ret != 0) || (algId == 0)) && (format != WOLFSSL_FILETYPE_PEM) &&
             (info->passwd_cb != NULL) && (algId == 0)) {
         /* Try to decrypt DER data as a PKCS#8 private key. */
         ret = ProcessBufferPrivPkcs8Dec(info, der, heap);
         if (ret >= 0) {
             /* Try to decode decrypted data.  */
-            ret = ProcessBufferTryDecode(ctx, ssl, der, &keyFormat, heap, type);
+            ret = ProcessBufferTryDecode(ctx, ssl, der, &algId, heap, type);
         }
     }
 #endif /* WOLFSSL_ENCRYPTED_KEYS && !NO_PWDBASED */
 
-    /* Check if we were able to determine key format. */
-    if ((ret == 0) && (keyFormat == 0)) {
+    /* Check if we were able to determine algorithm id. */
+    if ((ret == 0) && (algId == 0)) {
     #ifdef OPENSSL_EXTRA
         /* Decryption password is probably wrong. */
         if (info->passwd_cb) {
@@ -2265,6 +2273,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz,
 #else
     EncryptedInfo  info[1];
 #endif
+    int           algId = 0;
 
     WOLFSSL_ENTER("ProcessBuffer");
 
@@ -2306,7 +2315,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz,
     #endif
 
         /* Get the DER data for a private key or certificate. */
-        ret = DataToDerBuffer(buff, (word32)sz, format, type, info, heap, &der);
+        ret = DataToDerBuffer(buff, (word32)sz, format, type, info, heap, &der,
+            &algId);
         if (used != NULL) {
             /* Update to amount used/consumed. */
             *used = info->consumed;
@@ -2321,7 +2331,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz,
 
     if ((ret == 0) && IS_PRIVKEY_TYPE(type)) {
         /* Process the private key. */
-        ret = ProcessBufferPrivateKey(ctx, ssl, der, format, info, heap, type);
+        ret = ProcessBufferPrivateKey(ctx, ssl, der, format, info, heap, type,
+            algId);
     #ifdef WOLFSSL_SMALL_STACK
         /* Info no longer needed - keep max memory usage down. */
         XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO);

wolfcrypt/benchmark/benchmark.c

@@ -5536,7 +5536,7 @@ void bench_sm4_gcm(void)
 #endif
 
 #ifdef WOLFSSL_SM4_CCM
-void bench_sm4_ccm()
+void bench_sm4_ccm(void)
 {
     wc_Sm4 enc;
     double start;

wolfcrypt/src/asn.c

@@ -23790,13 +23790,19 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
         if (cert->ca) {
             if (verify == VERIFY || verify == VERIFY_OCSP ||
                                                  verify == VERIFY_SKIP_DATE) {
+                word32 keyOID = cert->ca->keyOID;
+            #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
+                if (cert->selfSigned && (cert->signatureOID == CTC_SM3wSM2)) {
+                    keyOID = SM2k;
+                }
+            #endif
                 /* try to confirm/verify signature */
                 if ((ret = ConfirmSignature(&cert->sigCtx,
                         cert->source + cert->certBegin,
                         cert->sigIndex - cert->certBegin,
                         cert->ca->publicKey, cert->ca->pubKeySize,
-                        cert->ca->keyOID, cert->signature,
-                        cert->sigLength, cert->signatureOID,
+                        keyOID, cert->signature, cert->sigLength,
+                        cert->signatureOID,
                     #ifdef WC_RSA_PSS
                         cert->source + cert->sigParamsIndex,
                         cert->sigParamsLength,

wolfcrypt/src/port/arm/armv8-aes.c

@@ -1532,6 +1532,7 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c,
         "USHR v7.2d, v7.2d, #56 \n"
 
         "# AAD \n"
+        "CBZ %[a], 20f \n"
         "CBZ %w[aSz], 20f \n"
         "MOV w12, %w[aSz] \n"
 
@@ -1702,6 +1703,7 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c,
 
         "20: \n"
         "# Cipher Text \n"
+        "CBZ %[c], 120f \n"
         "CBZ %w[cSz], 120f \n"
         "MOV w12, %w[cSz] \n"
 

wolfcrypt/test/test.c

@@ -29740,21 +29740,19 @@ static wc_test_ret_t ecc_test_custom_curves(WC_RNG* rng)
 #ifdef WOLFSSL_SM2
 #ifdef HAVE_ECC_VERIFY
 #if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_CUSTOM_CURVES)
-    #ifdef WOLFSSL_SM2
-        #ifdef HAVE_OID_ENCODING
-            #define CODED_SM2P256V1    {1,2,156,10197,1,301}
-            #define CODED_SM2P256V1_SZ 6
-        #else
-            #define CODED_SM2P256V1 {0x06,0x08,0x2A,0x81,0x1C,0xCF,0x55,0x01,0x82,0x2D}
-            #define CODED_SM2P256V1_SZ 10
-        #endif
-        #ifndef WOLFSSL_ECC_CURVE_STATIC
-            static const ecc_oid_t ecc_oid_sm2p256v1[] = CODED_SM2P256V1;
-        #else
-            #define ecc_oid_sm2p256v1 CODED_SM2P256V1
-        #endif
-        #define ecc_oid_sm2p256v1_sz CODED_SM2P256V1_SZ
-    #endif /* WOLFSSL_SM2 */
+    #ifdef HAVE_OID_ENCODING
+        #define CODED_SM2P256V1    {1,2,156,10197,1,301}
+        #define CODED_SM2P256V1_SZ 6
+    #else
+        #define CODED_SM2P256V1 {0x06,0x08,0x2A,0x81,0x1C,0xCF,0x55,0x01,0x82,0x2D}
+        #define CODED_SM2P256V1_SZ 10
+    #endif
+    #ifndef WOLFSSL_ECC_CURVE_STATIC
+        static const ecc_oid_t ecc_oid_sm2p256v1[] = CODED_SM2P256V1;
+    #else
+        #define ecc_oid_sm2p256v1 CODED_SM2P256V1
+    #endif
+    #define ecc_oid_sm2p256v1_sz CODED_SM2P256V1_SZ
     #define ECC_SM2P256V1_TEST 102
 static int test_sm2_verify_caseA2(void)
 {
@@ -29931,9 +29929,7 @@ static int ecc_sm2_test_curve(WC_RNG* rng, int testVerifyCount)
     WC_DECLARE_VAR(sig, byte, ECC_SIG_SIZE, HEAP_HINT);
     WC_DECLARE_VAR(digest, byte, ECC_DIGEST_SIZE, HEAP_HINT);
     int     i;
-#ifdef HAVE_ECC_VERIFY
     int     verify;
-#endif /* HAVE_ECC_VERIFY */
 #endif /* HAVE_ECC_SIGN */
     int     ret;
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
@@ -30129,7 +30125,6 @@ static int ecc_sm2_test_curve(WC_RNG* rng, int testVerifyCount)
     if (ret != 0)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
 
-#ifdef HAVE_ECC_VERIFY
     for (i = 0; i < testVerifyCount; i++) {
         verify = 0;
         ret = wc_ecc_sm2_verify_hash(sig, x, digest, ECC_DIGEST_SIZE, &verify,
@@ -30139,7 +30134,6 @@ static int ecc_sm2_test_curve(WC_RNG* rng, int testVerifyCount)
         if (verify != 1)
             ERROR_OUT(WC_TEST_RET_ENC_NC, done);
     }
-#endif /* HAVE_ECC_VERIFY */
 #endif /* ECC_SHAMIR */
 
     /* test DSA sign hash with sequence (0,1,2,3,4,...) */
@@ -30152,7 +30146,6 @@ static int ecc_sm2_test_curve(WC_RNG* rng, int testVerifyCount)
     if (ret != 0)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
 
-#ifdef HAVE_ECC_VERIFY
     for (i = 0; i < testVerifyCount; i++) {
         verify = 0;
         ret = wc_ecc_sm2_verify_hash(sig, x, digest, ECC_DIGEST_SIZE, &verify,
@@ -30162,7 +30155,6 @@ static int ecc_sm2_test_curve(WC_RNG* rng, int testVerifyCount)
         if (verify != 1)
             ERROR_OUT(WC_TEST_RET_ENC_NC, done);
     }
-#endif /* HAVE_ECC_VERIFY */
 #endif /* HAVE_ECC_SIGN */
 #endif /* !ECC_TIMING_RESISTANT || (ECC_TIMING_RESISTANT && !WC_NO_RNG) */