From 83c5ff2ffb81efd45e60cdadbb6c3e63570f0da3 Mon Sep 17 00:00:00 2001 From: cliven Date: Thu, 4 Jun 2020 14:33:19 +0800 Subject: [PATCH 1/2] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E4=BA=86ECC=5FSM4=5FSM3?= =?UTF-8?q?=E5=A5=97=E4=BB=B6=E5=9C=A8=E7=A7=98=E9=92=A5=E4=BA=A4=E6=8D=A2?= =?UTF-8?q?=E8=BF=87=E7=A8=8B=E4=B8=AD=E7=9A=84=E9=94=99=E8=AF=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. 签名使用SM2默认ID:1234567812345678,而不是证书使用者。 2. 修复了被签名的加密证书长度问题,证书有一个3Byte用于容纳长度的空间。在服务端的秘钥交换过程少了3Byte。 --- ssl/statem/statem_gmtls.c | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/ssl/statem/statem_gmtls.c b/ssl/statem/statem_gmtls.c index 513bd5b7..b9944eb9 100644 --- a/ssl/statem/statem_gmtls.c +++ b/ssl/statem/statem_gmtls.c @@ -281,7 +281,7 @@ static int gmtls_process_sm9_params(SSL *s, PACKET *pkt, int *al, int ibe) if (!(sm9->params = d2i_SM9PublicParameters(NULL, &p, PACKET_remaining(¶ms)))) { *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_GMTLS_PROCESS_SM9_PARAMS, ERR_R_INTERNAL_ERROR);// rename this error + SSLerr(SSL_F_GMTLS_PROCESS_SM9_PARAMS, ERR_R_INTERNAL_ERROR);// rename this error return 0; } /* check there is no remaining data */ @@ -525,8 +525,8 @@ static int gmtls_construct_ske_sm2dhe(SSL *s, unsigned char **p, int *l, int *al s2n(siglen, d); d += siglen; - *l += d - *p; - *p = d; + *l += d - *p; + *p = d; *al = -1; ret = 1; @@ -599,7 +599,7 @@ static int gmtls_process_ske_sm2dhe(SSL *s, PACKET *pkt, int *al) } // s->s3->peer_tmp need to be free-ed when error happed? - + /* get ECDHEParams length */ paramslen = PACKET_data(pkt) - ecparams; 
@@ -745,10 +745,11 @@ static int gmtls_construct_ske_sm2(SSL *s, unsigned char **p, int *l, int *al) SSLerr(SSL_F_GMTLS_CONSTRUCT_SKE_SM2, ERR_R_EVP_LIB); goto end; } - if (!(id = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0))) { - SSLerr(SSL_F_GMTLS_CONSTRUCT_SKE_SM2, ERR_R_EVP_LIB); - goto end; - } +// if (!(id = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0))) { +// SSLerr(SSL_F_GMTLS_CONSTRUCT_SKE_SM2, ERR_R_EVP_LIB); +// goto end; +// } + id = SM2_DEFAULT_ID; zlen = sizeof(z); if (!SM2_compute_id_digest(EVP_sm3(), id, strlen(id), z, &zlen, EVP_PKEY_get0_EC_KEY(pkey))) { @@ -776,7 +777,7 @@ static int gmtls_construct_ske_sm2(SSL *s, unsigned char **p, int *l, int *al) SSL3_RANDOM_SIZE) <= 0 || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE) <= 0 - || EVP_SignUpdate(md_ctx, buf, n) <= 0) { + || EVP_SignUpdate(md_ctx, buf, n+3) <= 0) { SSLerr(SSL_F_GMTLS_CONSTRUCT_SKE_SM2, ERR_R_EVP_LIB); goto end; } @@ -802,7 +803,7 @@ static int gmtls_construct_ske_sm2(SSL *s, unsigned char **p, int *l, int *al) end: OPENSSL_free(buf); EVP_MD_CTX_free(md_ctx); - OPENSSL_free(id); + // OPENSSL_free(id); return ret; } @@ -865,10 +866,11 @@ static int gmtls_process_ske_sm2(SSL *s, PACKET *pkt, int *al) } /* prepare sm2 z value */ - if (!(id = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0))) { - SSLerr(SSL_F_GMTLS_PROCESS_SKE_SM2, ERR_R_EVP_LIB); - goto end; - } +// if (!(id = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0))) { +// SSLerr(SSL_F_GMTLS_PROCESS_SKE_SM2, ERR_R_EVP_LIB); +// goto end; +// } + id = SM2_DEFAULT_ID; zlen = sizeof(z); if (!SM2_compute_id_digest(EVP_sm3(), id, strlen(id), z, &zlen, EVP_PKEY_get0_EC_KEY(pkey))) { 
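Review bot: In gmtls_construct_ske_sm2, `id = SM2_DEFAULT_ID;` turns `id` from an owned heap string into a pointer to a constant, yet the old lookup is left behind as `//` comments and the cleanup is only disabled with `// OPENSSL_free(id);`. The same applies to the -802, -865 and -903 hunks. A later reader who uncomments that free would hand a non-heap pointer to the allocator, so the dead lines should be deleted rather than commented out. The declaration of `id` is outside these hunks; if it is still `char *id`, change it to `const char *id = SM2_DEFAULT_ID;` so the compiler warns about any free. A one-line comment at the assignment would record the intent, for example `/* Z uses the fixed SM2 default ID, not the certificate subject; id is not heap-allocated */`.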
@@ -885,7 +887,7 @@ static int gmtls_process_ske_sm2(SSL *s, PACKET *pkt, int *al) SSL3_RANDOM_SIZE) <= 0 || EVP_VerifyUpdate(md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE) <= 0 - || EVP_VerifyUpdate(md_ctx, buf, n) <= 0) { + || EVP_VerifyUpdate(md_ctx, buf, n+3) <= 0) { SSLerr(SSL_F_GMTLS_PROCESS_SKE_SM2, ERR_R_EVP_LIB); goto end; } @@ -903,7 +905,7 @@ static int gmtls_process_ske_sm2(SSL *s, PACKET *pkt, int *al) end: OPENSSL_free(buf); EVP_MD_CTX_free(md_ctx); - OPENSSL_free(id); + // OPENSSL_free(id); return ret; } @@ -2185,8 +2187,8 @@ int gmtls_construct_client_key_exchange(SSL *s) err: if (al != -1) ssl3_send_alert(s, SSL3_AL_FATAL, al); - OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); - s->s3->tmp.pms = NULL; + OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); + s->s3->tmp.pms = NULL; ossl_statem_set_error(s); return 0; } From 1d495efebbdfcb557b9cdca20ed85a9aaf984549 Mon Sep 17 00:00:00 2001 From: cliven Date: Thu, 4 Jun 2020 15:55:11 +0800 Subject: [PATCH 2/2] =?UTF-8?q?=E4=BB=8EBUG=E7=9A=84=E5=8F=91=E7=94=9F?= =?UTF-8?q?=E5=A4=84=E4=BF=AE=E6=94=B9=E4=BA=86=E8=AF=81=E4=B9=A6=E9=95=BF?= =?UTF-8?q?=E5=BA=A6=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ssl/statem/statem_gmtls.c | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/ssl/statem/statem_gmtls.c b/ssl/statem/statem_gmtls.c index b9944eb9..ee853457 100644 --- a/ssl/statem/statem_gmtls.c +++ b/ssl/statem/statem_gmtls.c 
@@ -492,10 +492,11 @@ static int gmtls_construct_ske_sm2dhe(SSL *s, unsigned char **p, int *l, int *al SSLerr(SSL_F_GMTLS_CONSTRUCT_SKE_SM2DHE, ERR_R_EVP_LIB); goto end; } - if (!(id = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0))) { - SSLerr(SSL_F_GMTLS_CONSTRUCT_SKE_SM2DHE, ERR_R_EVP_LIB); - goto end; - } +// if (!(id = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0))) { +// SSLerr(SSL_F_GMTLS_CONSTRUCT_SKE_SM2DHE, ERR_R_EVP_LIB); +// goto end; +// } + id = SM2_DEFAULT_ID; zlen = sizeof(z); if (!SM2_compute_id_digest(EVP_sm3(), id, strlen(id), z, &zlen, EVP_PKEY_get0_EC_KEY(pkey))) { @@ -626,11 +627,12 @@ static int gmtls_process_ske_sm2dhe(SSL *s, PACKET *pkt, int *al) } /* prepare sm2 z value */ - if (!(id = X509_NAME_oneline( - X509_get_subject_name(s->session->peer), NULL, 0))) { - SSLerr(SSL_F_GMTLS_PROCESS_SKE_SM2DHE, ERR_R_EVP_LIB); - goto end; - } +// if (!(id = X509_NAME_oneline( +// X509_get_subject_name(s->session->peer), NULL, 0))) { +// SSLerr(SSL_F_GMTLS_PROCESS_SKE_SM2DHE, ERR_R_EVP_LIB); +// goto end; +// } + id = SM2_DEFAULT_ID; zlen = sizeof(z); if (!SM2_compute_id_digest(EVP_sm3(), id, strlen(id), z, &zlen, EVP_PKEY_get0_EC_KEY(pkey))) { @@ -696,7 +698,7 @@ static unsigned char *gmtls_new_cert_packet(X509 *x, int *l) p = ret; l2n3(n, p); - *l = n; + *l = n+3; end: return ret; @@ -777,7 +779,7 @@ static int gmtls_construct_ske_sm2(SSL *s, unsigned char **p, int *l, int *al) SSL3_RANDOM_SIZE) <= 0 || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE) <= 0 - || EVP_SignUpdate(md_ctx, buf, n+3) <= 0) { + || EVP_SignUpdate(md_ctx, buf, n) <= 0) { SSLerr(SSL_F_GMTLS_CONSTRUCT_SKE_SM2, ERR_R_EVP_LIB); goto end; } 
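Review bot: `id = SM2_DEFAULT_ID;` in gmtls_construct_ske_sm2dhe, and again in the -626 hunk for gmtls_process_ske_sm2dhe, has no matching change to the cleanup path, unlike the sm2 functions in patch 1/2 where `OPENSSL_free(id);` was disabled. Both functions' `end:` blocks lie outside these hunks, so this cannot be confirmed from the diff. If they still call `OPENSSL_free(id)` as the sm2 variants did, every exit from these handshake paths passes a constant to the allocator's free, which is undefined behaviour and in practice heap corruption or an abort. Drop the free in both functions, declare `const char *id`, and delete the commented-out `X509_NAME_oneline` block instead of keeping it.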
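Review bot: `*l = n+3;` in gmtls_new_cert_packet changes what the out-parameter means, from the DER length to the length including the 3-byte prefix written by `l2n3`, and nothing in the function records that. The two callers touched in this patch (-777 and -887) were switched back to `n`, but any other caller that still adds the prefix itself would now process 3 bytes past the end of the encoded certificate. Callers are outside this diff, so that needs a grep. I would add a comment above the assignment, `/* *l covers the 3-byte length prefix plus the DER certificate */`, and give the prefix size a name instead of the bare `3`. The function starts and ends outside the hunk.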
@@ -887,7 +889,7 @@ static int gmtls_process_ske_sm2(SSL *s, PACKET *pkt, int *al) SSL3_RANDOM_SIZE) <= 0 || EVP_VerifyUpdate(md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE) <= 0 - || EVP_VerifyUpdate(md_ctx, buf, n+3) <= 0) { + || EVP_VerifyUpdate(md_ctx, buf, n) <= 0) { SSLerr(SSL_F_GMTLS_PROCESS_SKE_SM2, ERR_R_EVP_LIB); goto end; }