Merge fc7a05443a into 39ea2b6865

test-ec: Skip SM2 key import test if SM2 is disabled
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28106) (cherry picked from commit 981d6776a3)
2025-07-31 06:49:55 +01:00 · 2025-07-28 13:22:53 +02:00 · 2025-07-26 11:36:28 +02:00 · 2025-07-26 11:36:26 +02:00 · 2025-07-25 12:07:52 +02:00 · 2025-07-25 09:46:27 +10:00
20 changed files with 107 additions and 31 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -0,0 +1 @@
+/.github/workflows/ @quarckster
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -114,7 +114,7 @@ jobs:
    steps:
    - uses: actions/checkout@v4
    - name: config
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
      with:
        operating_system: freebsd
        version: "13.4"
@ -123,21 +123,21 @@ jobs:
          sudo pkg install -y gcc perl5
          ./config enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
    - name: config dump
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
      with:
        operating_system: freebsd
        version: "13.4"
        shutdown_vm: false
        run: ./configdata.pm --dump
    - name: make
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
      with:
        operating_system: freebsd
        version: "13.4"
        shutdown_vm: false
        run: make -j4
    - name: make test
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
      with:
        operating_system: freebsd
        version: "13.4"
@ -388,7 +388,7 @@ jobs:
        sudo apt-get update
        sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy
    - name: install cpanm and Test2::V0 for gost_engine testing
-      uses: perl-actions/install-with-cpanm@stable
+      uses: perl-actions/install-with-cpanm@10d60f00b4073f484fc29d45bfbe2f776397ab3d # v1.7
      with:
        install: Test2::V0
    - name: setup hostname workaround
@ -422,7 +422,7 @@ jobs:
      uses: actions/setup-python@v5.3.0
      with:
        python-version: ${{ matrix.PYTHON }}
-    - uses: dtolnay/rust-toolchain@master
+    - uses: dtolnay/rust-toolchain@fcf085fcb4b4b8f63f96906cd713eb52181b5ea4
      with:
        toolchain: ${{ matrix.RUST }}
    - name: test external pyca
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@ -37,7 +37,7 @@ jobs:
    - name: generate coverage info
      run: lcov -d . -c -o ./lcov.info
    - name: Coveralls upload
-      uses: coverallsapp/github-action@v2.3.2
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b #v2.3.6
      with:
        github-token: ${{ secrets.github_token }}
        path-to-lcov: ./lcov.info
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@ -28,14 +28,14 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v4
-    - uses: ilammy/msvc-dev-cmd@v1
+    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 #v1.13.0
      with:
        arch: ${{ matrix.platform.arch }}
    - name: install nasm
      run: |
        choco install nasm ${{ matrix.platform.arch == 'win32' && '--x86' || '' }}
        "C:\Program Files${{ matrix.platform.arch == 'win32' && ' (x86)' || '' }}\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
-    - uses: shogo82148/actions-setup-perl@v1
+    - uses: shogo82148/actions-setup-perl@49c14f24551d2de3bf56fb107a869c3760b1875e #v1.33.0
    - name: prepare the build directory
      run: mkdir _build
    - name: config
@ -65,8 +65,8 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v4
-    - uses: ilammy/msvc-dev-cmd@v1
-    - uses: shogo82148/actions-setup-perl@v1
+    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 #v1.13.0
+    - uses: shogo82148/actions-setup-perl@49c14f24551d2de3bf56fb107a869c3760b1875e #v1.33.0
    - name: prepare the build directory
      run: mkdir _build
    - name: config
@ -89,8 +89,8 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v4
-    - uses: ilammy/msvc-dev-cmd@v1
-    - uses: shogo82148/actions-setup-perl@v1
+    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 #v1.13.0
+    - uses: shogo82148/actions-setup-perl@49c14f24551d2de3bf56fb107a869c3760b1875e #v1.33.0
    - name: prepare the build directory
      run: mkdir _build
    - name: config
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@ -243,9 +243,17 @@ int ecparam_main(int argc, char **argv)
            goto end;
        }
    } else {
-        params_key = load_keyparams(infile, informat, 1, "EC", "EC parameters");
-        if (params_key == NULL || !EVP_PKEY_is_a(params_key, "EC"))
+        params_key = load_keyparams_suppress(infile, informat, 1, "EC",
+                                             "EC parameters", 1);
+        if (params_key == NULL)
+            params_key = load_keyparams_suppress(infile, informat, 1, "SM2",
+                                                 "SM2 parameters", 1);
+
+        if (params_key == NULL) {
+            BIO_printf(bio_err, "Unable to load parameters from %s\n", infile);
            goto end;
+        }
+
        if (point_format
            && !EVP_PKEY_set_utf8_string_param(
                    params_key, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
--- a/crypto/sm2/sm2_sign.c
+++ b/crypto/sm2/sm2_sign.c
@ -217,6 +217,10 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e)
    BIGNUM *tmp = NULL;
    OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);

+    if (dA == NULL) {
+        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_PRIVATE_KEY);
+        goto done;
+    }
    kG = EC_POINT_new(group);
    ctx = BN_CTX_new_ex(libctx);
    if (kG == NULL || ctx == NULL) {
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@ -410,12 +410,6 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx)
    if (ctx->loader != NULL)
        OSSL_TRACE(STORE, "Loading next object\n");

-    if (ctx->cached_info != NULL
-        && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {
-        sk_OSSL_STORE_INFO_free(ctx->cached_info);
-        ctx->cached_info = NULL;
-    }
-
    if (ctx->cached_info != NULL) {
        v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
    } else {
@ -491,14 +485,23 @@ int OSSL_STORE_error(OSSL_STORE_CTX *ctx)

 int OSSL_STORE_eof(OSSL_STORE_CTX *ctx)
 {
-    int ret = 1;
+    int ret = 0;

-    if (ctx->fetched_loader != NULL)
-        ret = ctx->loader->p_eof(ctx->loader_ctx);
+    if (ctx->cached_info != NULL
+        && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {
+        sk_OSSL_STORE_INFO_free(ctx->cached_info);
+        ctx->cached_info = NULL;
+    }
+
+    if (ctx->cached_info == NULL) {
+        ret = 1;
+        if (ctx->fetched_loader != NULL)
+            ret = ctx->loader->p_eof(ctx->loader_ctx);
 #ifndef OPENSSL_NO_DEPRECATED_3_0
-    if (ctx->fetched_loader == NULL)
-        ret = ctx->loader->eof(ctx->loader_ctx);
+        if (ctx->fetched_loader == NULL)
+            ret = ctx->loader->eof(ctx->loader_ctx);
 #endif
+    }
    return ret != 0;
 }

--- a/include/openssl/pem.h
+++ b/include/openssl/pem.h
@ -54,6 +54,8 @@ extern "C" {
 # define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY"
 # define PEM_STRING_PARAMETERS   "PARAMETERS"
 # define PEM_STRING_CMS          "CMS"
+# define PEM_STRING_SM2PRIVATEKEY "SM2 PRIVATE KEY"
+# define PEM_STRING_SM2PARAMETERS "SM2 PARAMETERS"

 # define PEM_TYPE_ENCRYPTED      10
 # define PEM_TYPE_MIC_ONLY       20
--- a/providers/decoders.inc
+++ b/providers/decoders.inc
@ -69,6 +69,7 @@ DECODER_w_structure("X448", der, SubjectPublicKeyInfo, x448, yes),
 # ifndef OPENSSL_NO_SM2
 DECODER_w_structure("SM2", der, PrivateKeyInfo, sm2, no),
 DECODER_w_structure("SM2", der, SubjectPublicKeyInfo, sm2, no),
+DECODER_w_structure("SM2", der, type_specific_no_pub, sm2, no),
 # endif
 #endif
 DECODER_w_structure("RSA", der, PrivateKeyInfo, rsa, yes),
--- a/providers/implementations/encode_decode/decode_der2key.c
+++ b/providers/implementations/encode_decode/decode_der2key.c
@ -806,6 +806,7 @@ MAKE_DECODER("ED448", ed448, ecx, SubjectPublicKeyInfo);
 # ifndef OPENSSL_NO_SM2
 MAKE_DECODER("SM2", sm2, ec, PrivateKeyInfo);
 MAKE_DECODER("SM2", sm2, ec, SubjectPublicKeyInfo);
+MAKE_DECODER("SM2", sm2, sm2, type_specific_no_pub);
 # endif
 #endif
 MAKE_DECODER("RSA", rsa, rsa, PrivateKeyInfo);
--- a/providers/implementations/encode_decode/decode_pem2der.c
+++ b/providers/implementations/encode_decode/decode_pem2der.c
@ -119,6 +119,8 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
        { PEM_STRING_DSAPARAMS, OSSL_OBJECT_PKEY, "DSA", "type-specific" },
        { PEM_STRING_ECPRIVATEKEY, OSSL_OBJECT_PKEY, "EC", "type-specific" },
        { PEM_STRING_ECPARAMETERS, OSSL_OBJECT_PKEY, "EC", "type-specific" },
+        { PEM_STRING_SM2PRIVATEKEY, OSSL_OBJECT_PKEY, "SM2", "type-specific" },
+        { PEM_STRING_SM2PARAMETERS, OSSL_OBJECT_PKEY, "SM2", "type-specific" },
        { PEM_STRING_RSA, OSSL_OBJECT_PKEY, "RSA", "type-specific" },
        { PEM_STRING_RSA_PUBLIC, OSSL_OBJECT_PKEY, "RSA", "type-specific" },

--- a/providers/implementations/encode_decode/encode_key2text.c
+++ b/providers/implementations/encode_decode/encode_key2text.c
@ -513,7 +513,8 @@ static int ec_to_text(BIO *out, const void *key, int selection)
    else if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
        type_label = "Public-Key";
    else if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
-        type_label = "EC-Parameters";
+        if (EC_GROUP_get_curve_name(group) != NID_sm2)
+            type_label = "EC-Parameters";

    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
        const BIGNUM *priv_key = EC_KEY_get0_private_key(ec);
@ -539,8 +540,9 @@ static int ec_to_text(BIO *out, const void *key, int selection)
            goto err;
    }

-    if (BIO_printf(out, "%s: (%d bit)\n", type_label,
-                   EC_GROUP_order_bits(group)) <= 0)
+    if (type_label != NULL
+        && BIO_printf(out, "%s: (%d bit)\n", type_label,
+                      EC_GROUP_order_bits(group)) <= 0)
        goto err;
    if (priv != NULL
        && !print_labeled_buf(out, "priv:", priv, priv_len))
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@ -498,6 +498,7 @@ extern const OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_ed448_decoder_functi
 #ifndef OPENSSL_NO_SM2
 extern const OSSL_DISPATCH ossl_PrivateKeyInfo_der_to_sm2_decoder_functions[];
 extern const OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_sm2_decoder_functions[];
+extern const OSSL_DISPATCH ossl_type_specific_no_pub_der_to_sm2_decoder_functions[];
 #endif

 extern const OSSL_DISPATCH ossl_PrivateKeyInfo_der_to_rsa_decoder_functions[];
--- a/test/recipes/15-test_ec.t
+++ b/test/recipes/15-test_ec.t
@ -18,7 +18,7 @@ setup("test_ec");

 plan skip_all => 'EC is not supported in this build' if disabled('ec');

-plan tests => 15;
+plan tests => 16;

 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);

@ -33,6 +33,16 @@ subtest 'EC conversions -- private key' => sub {
    tconversion( -type => 'ec', -prefix => 'ec-priv',
                 -in => srctop_file("test","testec-p256.pem") );
 };
+
+SKIP: {
+    skip "SM2 is not supported by this OpenSSL build", 1
+        if disabled("sm2");
+    subtest 'EC conversions -- private key' => sub {
+        tconversion( -type => 'ec', -prefix => 'sm2-priv',
+                     -in => srctop_file("test","testec-sm2.pem") );
+    };
+}
+
 subtest 'EC conversions -- private key PKCS#8' => sub {
    tconversion( -type => 'ec', -prefix => 'ec-pkcs8',
                 -in => srctop_file("test","testec-p256.pem"),
--- a/test/recipes/15-test_ecparam.t
+++ b/test/recipes/15-test_ecparam.t
@ -25,6 +25,10 @@ my @valid = glob(data_file("valid", "*.pem"));
 my @noncanon = glob(data_file("noncanon", "*.pem"));
 my @invalid = glob(data_file("invalid", "*.pem"));

+if (disabled("sm2")) {
+    @valid = grep { !/sm2-.*\.pem/} @valid;
+}
+
 plan tests => 12;

 sub checkload {
--- a/test/recipes/15-test_ecparam_data/valid/sm2-explicit.pem
+++ b/test/recipes/15-test_ecparam_data/valid/sm2-explicit.pem
@ -0,0 +1,7 @@
+-----BEGIN SM2 PARAMETERS-----
+MIHgAgEBMCwGByqGSM49AQECIQD////+/////////////////////wAAAAD/////
+/////zBEBCD////+/////////////////////wAAAAD//////////AQgKOn6np2f
+XjRNWp5Lz2UJp/OXifUVq4+S3by9QU2UDpMEQQQyxK4sHxmBGV+ZBEZqOcmUj+ML
+v/JmC+FxWkWJM0x0x7w3NqL09necWb3O42tpIVPQqYd8xipHQALfMuUhOfCgAiEA
+/////v///////////////3ID32shxgUrU7v0CTnVQSMCAQE=
+-----END SM2 PARAMETERS-----
--- a/test/recipes/15-test_ecparam_data/valid/sm2-named.pem
+++ b/test/recipes/15-test_ecparam_data/valid/sm2-named.pem
@ -0,0 +1,3 @@
+-----BEGIN SM2 PARAMETERS-----
+BggqgRzPVQGCLQ==
+-----END SM2 PARAMETERS-----
--- a/test/recipes/90-test_store_cases.t
+++ b/test/recipes/90-test_store_cases.t
@ -18,9 +18,10 @@ use OpenSSL::Test::Utils;
 my $test_name = "test_store_cases";
 setup($test_name);

-plan tests => 2;
+plan tests => 3;

 my $stderr;
+my @stdout;

 # The case of the garbage PKCS#12 DER file where a passphrase was
 # prompted for.  That should not have happened.
@ -34,3 +35,24 @@ open DATA, $stderr;
 close DATA;
 ok(scalar @match > 0 ? 0 : 1,
   "checking that storeutl didn't ask for a passphrase");
+
+ SKIP: {
+     skip "The objects in test-BER.p12 contain EC keys, which is disabled in this build", 1
+         if disabled("ec");
+     skip "test-BER.p12 has contents encrypted with DES-EDE3-CBC, which is disabled in this build", 1
+         if disabled("des");
+
+     # The case with a BER-encoded PKCS#12 file, using infinite + EOC
+     # constructs.  There was a bug with those in OpenSSL 3.0 and newer,
+     # where OSSL_STORE_load() (and by consequence, 'openssl storeutl')
+     # only extracted the first available object from that file and
+     # ignored the rest.
+     # Our test file has a total of four objects, and this should be
+     # reflected in the total that 'openssl storeutl' outputs
+     @stdout = run(app(['openssl', 'storeutl', '-passin', 'pass:12345',
+                        data_file('test-BER.p12')]),
+                   capture => 1);
+     @stdout = map { my $x = $_; $x =~ s/\R$//; $x } @stdout; # Better chomp
+     ok((grep { $_ eq 'Total found: 4' } @stdout),
+        "Checking that 'openssl storeutl' with test-BER.p12 returns 4 objects");
+}
--- a/test/recipes/90-test_store_cases_data/test-BER.p12
+++ b/test/recipes/90-test_store_cases_data/test-BER.p12
--- a/test/testec-sm2.pem
+++ b/test/testec-sm2.pem
@ -0,0 +1,5 @@
+-----BEGIN SM2 PRIVATE KEY-----
+MHcCAQEEIKPB7gEYKGAwAkz0MfGwQm0BXclgzvSTxQG9bm4RCAxXoAoGCCqBHM9V
+AYItoUQDQgAE+FuibOpfjVfj716O3LglhK4HzjUR82mgn8kTZinQsEafw3FFZzZJ
+vwHIGHUsSKxVTRIEs+BICQDBg99OA3VU/Q==
+-----END SM2 PRIVATE KEY-----