libressl/portable

LibreSSL 3.7.x doesn't have NID_sm2

Closed this issue · 3 comments

orbea commented

When building tpm2-tss it fails since NID_sm2 is not implemented.

https://github.com/tpm2-software/tpm2-tss/blob/3d3c9a81db1354fe75dd27f5a87551c101034b0d/src/tss2-esys/esys_crypto_ossl.c#L924

This is easy to work around by hiding the case.

#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
    case TPM2_ECC_SM2_P256:
        curveId = NID_sm2;
        key_size = 32;
        break;
#endif

Are there good reasons why LibreSSL should implement this in the future?

I made a WIP upstream PR here. tpm2-software/tpm2-tss#2380

SM2 is a digital signature algorithm specified by China:

https://datatracker.ietf.org/doc/html/draft-shen-sm2-ecdsa-02

LibreSSL has code to support this, however it needs further work before it could be enabled (and unfortunately that is currently low on the list of priorities).

Instead of using OPENSSL_VERSION_NUMBER or LIBRESSL_VERSION_NUMBER, I would suggest that code use `#ifdef NID_sm2` - that way it will automatically start working if/when LibreSSL exposes the algorithm (and stops if OpenSSL/LibreSSL removes it for some reason).
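The per-NID guard suggested above, as an added example that is neither tpm2-tss nor LibreSSL code: a curve lookup where each case is compiled only if the linked libcrypto defines that NID, so a missing SM2 becomes a clean "unsupported" return instead of the build failure the version check causes on LibreSSL. The `__has_include` guard is an assumption so the file also builds with no libcrypto headers installed; the TPM2_ECC_* values are taken from the TPM 2.0 Library spec, Part 2.

```c
/* Added example (not tpm2-tss or LibreSSL code): map TPM2 curve IDs to
 * libcrypto NIDs with per-NID feature tests instead of version checks, so a
 * curve the linked library lacks is refused at run time, not at build time. */
#include <stddef.h>
#include <stdint.h>

/* Use the real NID definitions when a libcrypto header is present; the
 * __has_include guard is an assumption so the file also builds without
 * OpenSSL/LibreSSL installed (every guarded case then drops out). */
#if defined(__has_include)
#  if __has_include(<openssl/obj_mac.h>)
#    include <openssl/obj_mac.h>
#  endif
#endif

/* TPM2_ECC_CURVE values from the TPM 2.0 Library spec, Part 2 (Structures). */
#define TPM2_ECC_NIST_P256 0x0003
#define TPM2_ECC_NIST_P384 0x0004
#define TPM2_ECC_SM2_P256  0x0020

/* Returns 0 with *nid/*key_size set, or -1 if the curve is unknown or the
 * linked libcrypto does not define its NID. */
int tpm2_curve_to_nid(uint16_t curve, int *nid, size_t *key_size)
{
    switch (curve) {
#ifdef NID_X9_62_prime256v1
    case TPM2_ECC_NIST_P256: *nid = NID_X9_62_prime256v1; *key_size = 32; return 0;
#endif
#ifdef NID_secp384r1
    case TPM2_ECC_NIST_P384: *nid = NID_secp384r1; *key_size = 48; return 0;
#endif
#ifdef NID_sm2 /* OpenSSL >= 1.1.1 defines it; LibreSSL 3.7 does not */
    case TPM2_ECC_SM2_P256: *nid = NID_sm2; *key_size = 32; return 0;
#endif
    default:
        return -1;
    }
}
/* What this particular build actually knows about, for callers and tests. */
int tpm2_curve_supported(uint16_t curve)
{
    int nid; size_t ks;
    return tpm2_curve_to_nid(curve, &nid, &ks) == 0;
}
int tpm2_sm2_supported(void)
{
#ifdef NID_sm2
    return 1;
#else
    return 0;
#endif
}
```

Whether SM2 is reported as supported depends only on the headers the file was compiled against, which is exactly the property the `#ifdef` approach buys over a version comparison.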

orbea commented

Thanks for the information and suggestion. I made a new PR for tpm2-tss with just this change. tpm2-software/tpm2-tss#2602

I will leave this issue open for now as a way to track the SM2 support, but I am fine with it being a low priority.

Issue #635 already exists for this purpose. As such, I'll close this issue.