diff --git a/.gitignore b/.gitignore index 679bc697..ee055abf 100644 --- a/.gitignore +++ b/.gitignore @@ -189,4 +189,12 @@ apps/gmssl /engines/e_sdf* /engines/e_gmi* +# apps +/apps/sm2.c +/apps/sdf.c +/apps/skf.c + include/openssl/srp.h + +/build.sh + diff --git a/Configure b/Configure index 4907c68f..8f29a087 100755 --- a/Configure +++ b/Configure @@ -482,6 +482,7 @@ our %disabled = ( # "what" => "comment" "skfeng" => "default", "sdfeng" => "default", "gmtls" => "default", + "java" => "default", #"engine" => "default", #"sm9" => "default", #"bfibe" => "default", diff --git a/apps/apps.h b/apps/apps.h index 926a6d62..e708b87d 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -320,6 +320,7 @@ typedef struct string_int_pair_st { # define OPT_FMT_TEXT (1L << 8) # define OPT_FMT_HTTP (1L << 9) # define OPT_FMT_PVK (1L << 10) +# define OPT_FMT_BINARY (1L << 11) # define OPT_FMT_PDE (OPT_FMT_PEMDER | OPT_FMT_ENGINE) # define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME) # define OPT_FMT_ANY ( \ diff --git a/apps/opt.c b/apps/opt.c index f72ac64e..c0d98cd5 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -214,6 +214,12 @@ int opt_format(const char *s, unsigned long flags, int *result) return opt_format_error(s, flags); *result = FORMAT_TEXT; break; + case 'B': + case 'b': + if ((flags & OPT_FMT_BINARY) == 0) + return opt_format_error(s, flags); + *result = FORMAT_BINARY; + break; case 'N': case 'n': if ((flags & OPT_FMT_NSS) == 0) diff --git a/apps/s_server.c b/apps/s_server.c index f749b103..df781c64 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1338,13 +1338,13 @@ int s_server_main(int argc, char *argv[]) min_version = TLS1_VERSION; max_version = TLS1_VERSION; break; -#ifndef OPENSSL_NO_GMTLS case OPT_GMTLS: +#ifndef OPENSSL_NO_GMTLS meth = GMTLS_server_method(); //min_version = GMTLS_VERSION; //max_version = GMTLS_VERSION; - break; #endif + break; case OPT_DTLS: #ifndef OPENSSL_NO_DTLS meth = DTLS_server_method(); 
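Review bot: In the first apps/s_server.c hunk, moving `case OPT_GMTLS:` above `#ifndef OPENSSL_NO_GMTLS` turns the option into a silent no-op when GMTLS is compiled out: the case falls straight through to `break` and `meth` keeps its previous value. The Configure hunk in this commit shows `"gmtls" => "default"` in `%disabled`, so this looks like the default build. If the option table still exposes the flag there (not visible here), an operator who asks for GMTLS gets a different protocol with no diagnostic. An `#else` arm that reports the option as unsupported and takes the existing error exit would make the failure explicit. The switch and the rest of s_server_main lie outside the hunk.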
@@ -1501,11 +1501,8 @@ int s_server_main(int argc, char *argv[]) s_cert = load_cert(s_cert_file, s_cert_format, "server certificate file"); -fprintf(stderr, "%s %d: load_cert: %s\n", __FILE__, __LINE__, s_cert_file); - if (!s_cert) { ERR_print_errors(bio_err); -fprintf(stderr, "%s %d\n", __FILE__, __LINE__); goto end; } if (s_chain_file) { diff --git a/apps/speed.c b/apps/speed.c index d822d8b7..74ec9a8d 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -70,11 +70,10 @@ #ifndef OPENSSL_NO_MD5 # include #endif -#ifndef OPENSSL_NO_SM3 -# include -#endif #include -#include +#ifndef OPENSSL_NO_SHA +# include +#endif #ifndef OPENSSL_NO_RMD160 # include #endif @@ -96,9 +95,6 @@ #ifndef OPENSSL_NO_SEED # include #endif -#ifndef OPENSSL_NO_SMS4 -# include -#endif #ifndef OPENSSL_NO_BF # include #endif @@ -120,6 +116,12 @@ #ifndef OPENSSL_NO_SM2 # include #endif +#ifndef OPENSSL_NO_SM3 +# include +#endif +#ifndef OPENSSL_NO_SMS4 +# include +#endif #include #ifndef HAVE_FORK @@ -146,7 +148,7 @@ #define RSA_NUM 7 #define DSA_NUM 3 -#define EC_NUM 18 +#define EC_NUM 17 #define SM2_NUM 1 #define MAX_ECDH_SIZE 256 #define MISALIGN 64 @@ -184,6 +186,11 @@ typedef struct loopargs_st { #endif #ifndef OPENSSL_NO_SM2 EC_KEY *sm2[SM2_NUM]; + size_t cipherlen; +# if 0 + unsigned char *sm2dh_a; + unsigned char *sm2dh_b; +# endif #endif EVP_CIPHER_CTX *ctx; HMAC_CTX *hctx; @@ -193,7 +200,6 @@ typedef struct loopargs_st { #ifndef OPENSSL_NO_MD2 static int EVP_Digest_MD2_loop(void *args); #endif - #ifndef OPENSSL_NO_MDC2 static int EVP_Digest_MDC2_loop(void *args); #endif @@ -207,9 +213,11 @@ static int HMAC_loop(void *args); #ifndef OPENSSL_NO_SM3 static int SM3_loop(void *args); #endif +#ifndef OPENSSL_NO_SHA static int SHA1_loop(void *args); static int SHA256_loop(void *args); static int SHA512_loop(void *args); +#endif #ifndef OPENSSL_NO_WHIRLPOOL static int WHIRLPOOL_loop(void *args); #endif 
@@ -271,7 +279,8 @@ static const char *names[ALGOR_NUM] = { "aes-128 cbc", "aes-192 cbc", "aes-256 cbc", "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc", "evp", "sha256", "sha512", "whirlpool", - "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash", "sm3", "sms4 cbc" + "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash", + "sm3", "sms4 cbc" }; static double results[ALGOR_NUM][SIZE_NUM]; @@ -509,10 +518,6 @@ static OPT_PAIR doit_choices[] = { {"seed-cbc", D_CBC_SEED}, {"seed", D_CBC_SEED}, #endif -#ifndef OPENSSL_NO_SMS4 - {"sms4-cbc", D_CBC_SMS4}, - {"sms4", D_CBC_SMS4}, -#endif #ifndef OPENSSL_NO_BF {"bf-cbc", D_CBC_BF}, {"blowfish", D_CBC_BF}, @@ -526,6 +531,10 @@ static OPT_PAIR doit_choices[] = { {"ghash", D_GHASH}, #ifndef OPENSSL_NO_SM3 {"sm3", D_SM3}, +#endif +#ifndef OPENSSL_NO_SMS4 + {"sms4-cbc", D_CBC_SMS4}, + {"sms4", D_CBC_SMS4}, #endif {NULL} }; @@ -579,7 +588,6 @@ static OPT_PAIR rsa_choices[] = { #define R_EC_B409 14 #define R_EC_B571 15 #define R_EC_X25519 16 -#define R_EC_PSM2 17 #ifndef OPENSSL_NO_EC static OPT_PAIR ecdsa_choices[] = { {"ecdsap160", R_EC_P160}, @@ -598,7 +606,6 @@ static OPT_PAIR ecdsa_choices[] = { {"ecdsab283", R_EC_B283}, {"ecdsab409", R_EC_B409}, {"ecdsab571", R_EC_B571}, - {"ecdsapsm2", R_EC_PSM2}, {NULL} }; @@ -619,19 +626,20 @@ static OPT_PAIR ecdh_choices[] = { {"ecdhb283", R_EC_B283}, {"ecdhb409", R_EC_B409}, {"ecdhb571", R_EC_B571}, - {"ecdhpsm2", R_EC_PSM2}, {"ecdhx25519", R_EC_X25519}, {NULL} }; #endif + +#define R_SM2_P256 0 #ifndef OPENSSL_NO_SM2 static OPT_PAIR sm2sign_choices[] = { - {"sm2sign", R_EC_PSM2}, + {"sm2sign", R_SM2_P256}, {NULL} }; static OPT_PAIR sm2enc_choices[] = { - {"sm2enc", R_EC_PSM2}, + {"sm2enc", R_SM2_P256}, {NULL} }; #endif 
@@ -1072,17 +1080,17 @@ static int DSA_verify_loop(void *args) #ifndef OPENSSL_NO_SM2 static long sm2sign_c[SM2_NUM][2]; + static int SM2_sign_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **)args; unsigned char *buf = tempargs->buf; - EC_KEY **ecdsa = tempargs->ecdsa; - unsigned char *ecdsasig = tempargs->buf2; - unsigned int *ecdsasiglen = &tempargs->siglen; + EC_KEY **sm2 = tempargs->sm2; + unsigned char *sm2sig = tempargs->buf2; + unsigned int *sm2siglen = &tempargs->siglen; int ret, count; for (count = 0; COND(sm2sign_c[testnum][0]); count++) { - ret = SM2_sign(0, buf, 20, - ecdsasig, ecdsasiglen, ecdsa[testnum]); + ret = SM2_sign(0, buf, 32, sm2sig, sm2siglen, sm2[testnum]); if (ret == 0) { BIO_printf(bio_err, "SM2 sign failure\n"); ERR_print_errors(bio_err); @@ -1097,13 +1105,12 @@ static int SM2_verify_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **)args; unsigned char *buf = tempargs->buf; - EC_KEY **ecdsa = tempargs->ecdsa; - unsigned char *ecdsasig = tempargs->buf2; - unsigned int ecdsasiglen = tempargs->siglen; + EC_KEY **sm2 = tempargs->sm2; + unsigned char *sm2sig = tempargs->buf2; + unsigned int sm2siglen = tempargs->siglen; int ret, count; for (count = 0; COND(sm2sign_c[testnum][1]); count++) { - ret = SM2_verify(0, buf, 20, ecdsasig, ecdsasiglen, - ecdsa[testnum]); + ret = SM2_verify(0, buf, 32, sm2sig, sm2siglen, sm2[testnum]); if (ret != 1) { BIO_printf(bio_err, "SM2 verify failure\n"); ERR_print_errors(bio_err); 
@@ -1114,16 +1121,49 @@ static int SM2_verify_loop(void *args) return count; } +static long sm2enc_c[SM2_NUM][2]; static int SM2_encrypt_loop(void *args) { - return 0; + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + EC_KEY **sm2 = tempargs->sm2; + unsigned char *sm2cipher = tempargs->buf2; + size_t *sm2cipherlen = &tempargs->cipherlen; + int ret, count; + for (count = 0; COND(sm2enc_c[testnum][0]); count++) { + ret = SM2_encrypt(NID_sm3, buf, 32, sm2cipher, + sm2cipherlen, sm2[testnum]); + if (ret == 0) { + BIO_printf(bio_err, "SM2 sign failure\n"); + ERR_print_errors(bio_err); + count = -1; + break; + } + } + return count; } static int SM2_decrypt_loop(void *args) { - return 0; + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + EC_KEY **sm2 = tempargs->sm2; + unsigned char *sm2cipher = tempargs->buf2; + size_t sm2cipherlen = tempargs->cipherlen; + int ret, count; + for (count = 0; COND(sm2enc_c[testnum][0]); count++) { + size_t len = sm2cipherlen; + ret = SM2_decrypt(NID_sm3, sm2cipher, sm2cipherlen, + buf, &len, sm2[testnum]); + if (ret == 0) { + BIO_printf(bio_err, "SM2 decrypt failure\n"); + ERR_print_errors(bio_err); + count = -1; + break; + } + } + return count; } - #endif #ifndef OPENSSL_NO_EC @@ -1165,7 +1205,7 @@ static int ECDSA_verify_loop(void *args) ERR_print_errors(bio_err); count = -1; break; - } + } } return count; } @@ -1195,11 +1235,15 @@ static const size_t KDF1_SHA1_len = 20; static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen) { +# ifndef OPENSSL_NO_SHA if (*outlen < SHA_DIGEST_LENGTH) return NULL; *outlen = SHA_DIGEST_LENGTH; -# ifndef OPENSSL_NO_SHA return SHA1(in, inlen, out); +# else + *outlen = 20; + memcpy(out, in, 20); + return in; # endif } #endif /* OPENSSL_NO_EC */ 
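Review bot: SM2_decrypt_loop bounds its iterations with `COND(sm2enc_c[testnum][0])`, which is the encrypt counter. The sign/verify pair uses index 1 for the second operation and speed_main prints `sm2enc_c[testnum][1]` for decrypt, so the loop should read `COND(sm2enc_c[testnum][1])`. SM2_encrypt_loop reports `"SM2 sign failure\n"` when encryption fails; that string should be `"SM2 encrypt failure\n"`. Both loops pass `tempargs->buf2` and `tempargs->buf` to the library without a meaningful capacity, so they depend on those buffers being larger than the ciphertext of a 32-byte message; a comment stating that assumption belongs above each call.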
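Review bot: The new `#else` arm of KDF1_SHA1 runs `memcpy(out, in, 20)` without looking at `inlen` or `*outlen`, because the `*outlen < SHA_DIGEST_LENGTH` guard was moved inside `#ifndef OPENSSL_NO_SHA` and the no-SHA build is left with no length check at all. It then returns `in`, which drops the `const` qualifier of the parameter and hands back the input pointer, whereas the SHA1 arm returns the output buffer. Suggested: `if (*outlen < KDF1_SHA1_len || inlen < KDF1_SHA1_len) return NULL;` before the copy and `return out;` after it, with a comment that this arm is a benchmark placeholder and not a key-derivation function.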
@@ -1322,8 +1366,8 @@ static int run_benchmark(int async_jobs, continue; #endif - ret = ASYNC_start_job(&loopargs[i].inprogress_job, - loopargs[i].wait_ctx, &job_op_count, loop_function, + ret = ASYNC_start_job(&loopargs[i].inprogress_job, + loopargs[i].wait_ctx, &job_op_count, loop_function, (void *)(loopargs + i), sizeof(loopargs_t)); switch (ret) { case ASYNC_PAUSE: @@ -1459,16 +1503,6 @@ int speed_main(int argc, char **argv) static const unsigned int dsa_bits[DSA_NUM] = { 512, 1024, 2048 }; int dsa_doit[DSA_NUM] = { 0 }; #endif -#ifndef OPENSSL_NO_SM2 - static const unsigned int test_sm2_curves[SM2_NUM] = { - NID_sm2p256v1, - }; - static const char *test_sm2_curves_names[SM2_NUM] = { - "sm2p256v1", - }; - int sm2sign_doit[EC_NUM] = { 0 }; - int sm2enc_doit[EC_NUM] = { 0 }; -#endif #ifndef OPENSSL_NO_EC /* * We only test over the following curves as they are representative, To @@ -1485,8 +1519,7 @@ int speed_main(int argc, char **argv) NID_sect233r1, NID_sect283r1, NID_sect409r1, NID_sect571r1, /* Other */ - NID_sm2p256v1, - NID_X25519 + NID_X25519, }; static const char *test_curves_names[EC_NUM] = { /* Prime Curves */ @@ -1498,8 +1531,7 @@ int speed_main(int argc, char **argv) "nistb233", "nistb283", "nistb409", "nistb571", /* Other */ - "sm2p256v1", - "X25519" + "X25519", }; static const int test_curves_bits[EC_NUM] = { 160, 192, 224, 
@@ -1507,12 +1539,25 @@ int speed_main(int argc, char **argv) 163, 233, 283, 409, 571, 163, 233, 283, 409, - 571, 256, 253 /* X25519 */ + 571, 253 /* X25519 */, }; int ecdsa_doit[EC_NUM] = { 0 }; int ecdh_doit[EC_NUM] = { 0 }; -#endif /* ndef OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_EC */ +#ifndef OPENSSL_NO_SM2 + static const unsigned int test_sm2_curves[SM2_NUM] = { + NID_sm2p256v1, + }; + static const char *test_sm2_curves_names[SM2_NUM] = { + "sm2p256v1", + }; + static const int test_sm2_curves_bits[SM2_NUM] = { + 256, + }; + int sm2sign_doit[SM2_NUM] = { 0 }; + int sm2enc_doit[SM2_NUM] = { 0 }; +#endif prog = opt_init(argc, argv, speed_options); while ((o = opt_next()) != OPT_EOF) { @@ -1677,8 +1722,13 @@ int speed_main(int argc, char **argv) } #endif #ifndef OPENSSL_NO_SM2 + if (strcmp(*argv, "sm2") == 0) { + for (i = 0; i < SM2_NUM; i++) + sm2sign_doit[i] = sm2enc_doit[i] = 1; + continue; + } if (strcmp(*argv, "sm2sign") == 0) { - for (i = 0; i < EC_NUM; i++) + for (i = 0; i < SM2_NUM; i++) sm2sign_doit[i] = 1; continue; } @@ -1686,17 +1736,15 @@ int speed_main(int argc, char **argv) sm2sign_doit[i] = 2; continue; } - /* - if (strcmp(*argv, "ecdh") == 0) { - for (i = 0; i < EC_NUM; i++) - ecdh_doit[i] = 1; + if (strcmp(*argv, "sm2enc") == 0) { + for (i = 0; i < SM2_NUM; i++) + sm2enc_doit[i] = 1; continue; } - if (found(*argv, ecdh_choices, &i)) { - ecdh_doit[i] = 2; + if (found(*argv, sm2enc_choices, &i)) { + sm2enc_doit[i] = 2; continue; } - */ #endif BIO_printf(bio_err, "%s: Unknown algorithm %s\n", prog, *argv); goto end; 
@@ -1733,12 +1781,12 @@ int speed_main(int argc, char **argv) loopargs[i].secret_a = app_malloc(MAX_ECDH_SIZE, "ECDH secret a"); loopargs[i].secret_b = app_malloc(MAX_ECDH_SIZE, "ECDH secret b"); #endif -/* #ifndef OPENSSL_NO_SM2 - loopargs[i].secret_a = app_malloc(MAX_ECDH_SIZE, "ECDH secret a"); - loopargs[i].secret_b = app_malloc(MAX_ECDH_SIZE, "ECDH secret b"); -#endif +/* + loopargs[i].sm2dh_a = app_malloc(MAX_ECDH_SIZE, "SM2DH secret a"); + loopargs[i].sm2dh_b = app_malloc(MAX_ECDH_SIZE, "SM2DH secret b"); */ +#endif } #ifndef NO_FORK @@ -1967,6 +2015,12 @@ int speed_main(int argc, char **argv) } # endif +# ifndef OPENSSL_NO_SM2 + sm2sign_c[R_SM2_P256][0] = count / 1000 / 8; + sm2sign_c[R_SM2_P256][1] = count / 1000 / 8 / 2; + sm2enc_c[R_SM2_P256][0] = count / 1000 / 8; + sm2enc_c[R_SM2_P256][1] = count / 1000 / 8; +# endif # ifndef OPENSSL_NO_EC ecdsa_c[R_EC_P160][0] = count / 1000; ecdsa_c[R_EC_P160][1] = count / 1000 / 2; 
@@ -2876,6 +2930,180 @@ int speed_main(int argc, char **argv) } } #endif /* OPENSSL_NO_EC */ +#ifndef OPENSSL_NO_SM2 + + if (RAND_status() != 1) { + RAND_seed(rnd_seed, sizeof rnd_seed); + } + for (testnum = 0; testnum < SM2_NUM; testnum++) { + int st = 1; + + if (!sm2sign_doit[testnum]) + continue; /* Ignore Curve */ + for (i = 0; i < loopargs_len; i++) { + loopargs[i].sm2[testnum] = EC_KEY_new_by_curve_name(test_sm2_curves[testnum]); + if (loopargs[i].sm2[testnum] == NULL) { + st = 0; + break; + } + } + if (st == 0) { + BIO_printf(bio_err, "SM2 failure.\n"); + ERR_print_errors(bio_err); + rsa_count = 1; + } else { + for (i = 0; i < loopargs_len; i++) { + EC_KEY_precompute_mult(loopargs[i].sm2[testnum], NULL); + /* Perform SM2 signature test */ + EC_KEY_generate_key(loopargs[i].sm2[testnum]); + st = SM2_sign(0, loopargs[i].buf, 32, loopargs[i].buf2, + &loopargs[i].siglen, loopargs[i].sm2[testnum]); + if (st == 0) + break; + } + if (st == 0) { + BIO_printf(bio_err, + "SM2 sign failure. No SM2 sign will be done.\n"); + ERR_print_errors(bio_err); + rsa_count = 1; + } else { + pkey_print_message("sign", "sm2", + sm2sign_c[testnum][0], + test_sm2_curves_bits[testnum], ECDSA_SECONDS); + Time_F(START); + count = run_benchmark(async_jobs, SM2_sign_loop, loopargs); + d = Time_F(STOP); + + BIO_printf(bio_err, + mr ? "+R7:%ld:%d:%.2f\n" : + "%ld %d bit SM2 signs in %.2fs \n", + count, test_sm2_curves_bits[testnum], d); + sm2sign_results[testnum][0] = d / (double)count; + rsa_count = count; + } + + /* Perform SM2 verification test */ + for (i = 0; i < loopargs_len; i++) { + st = SM2_verify(0, loopargs[i].buf, 32, loopargs[i].buf2, + loopargs[i].siglen, loopargs[i].sm2[testnum]); + if (st != 1) + break; + } + if (st != 1) { + BIO_printf(bio_err, + "SM2 verify failure. 
No SM2 verify will be done.\n"); + ERR_print_errors(bio_err); + sm2sign_doit[testnum] = 0; + } else { + pkey_print_message("verify", "sm2", + sm2sign_c[testnum][1], + test_sm2_curves_bits[testnum], ECDSA_SECONDS); + Time_F(START); + count = run_benchmark(async_jobs, SM2_verify_loop, loopargs); + d = Time_F(STOP); + BIO_printf(bio_err, + mr ? "+R8:%ld:%d:%.2f\n" + : "%ld %d bit SM2 verify in %.2fs\n", + count, test_sm2_curves_bits[testnum], d); + sm2sign_results[testnum][1] = d / (double)count; + } + + if (rsa_count <= 1) { + /* if longer than 10s, don't do any more */ + for (testnum++; testnum < SM2_NUM; testnum++) + sm2sign_doit[testnum] = 0; + } + } + } + + + if (RAND_status() != 1) { + RAND_seed(rnd_seed, sizeof rnd_seed); + } + for (testnum = 0; testnum < SM2_NUM; testnum++) { + int st = 1; + + if (!sm2enc_doit[testnum]) + continue; + for (i = 0; i < loopargs_len; i++) { + loopargs[i].sm2[testnum] = EC_KEY_new_by_curve_name( + test_sm2_curves[testnum]); + if (loopargs[i].sm2[testnum] == NULL) { + st = 0; + break; + } + } + if (st == 0) { + BIO_printf(bio_err, "SM2 failure.\n"); + ERR_print_errors(bio_err); + rsa_count = 1; + } else { + for (i = 0; i < loopargs_len; i++) { + EC_KEY_precompute_mult(loopargs[i].sm2[testnum], NULL); + /* Perform SM2 encryption test */ + EC_KEY_generate_key(loopargs[i].sm2[testnum]); + st = SM2_encrypt(NID_sm3, loopargs[i].buf, 32, loopargs[i].buf2, + &loopargs[i].cipherlen, loopargs[i].sm2[testnum]); + if (st == 0) + break; + } + if (st == 0) { + BIO_printf(bio_err, + "SM2 encryption failure. No SM2 encryption will be done.\n"); + ERR_print_errors(bio_err); + rsa_count = 1; + } else { + pkey_print_message("encrypt", "sm2", + sm2enc_c[testnum][0], + test_sm2_curves_bits[testnum], ECDSA_SECONDS); + Time_F(START); + count = run_benchmark(async_jobs, SM2_encrypt_loop, loopargs); + d = Time_F(STOP); + + BIO_printf(bio_err, + mr ? 
"+R7:%ld:%d:%.2f\n" : + "%ld %d bit SM2 encrypt in %.2fs \n", + count, test_sm2_curves_bits[testnum], d); + sm2enc_results[testnum][0] = d / (double)count; + rsa_count = count; + } + + /* Perform SM2 verification test */ + for (i = 0; i < loopargs_len; i++) { + size_t len = loopargs[i].cipherlen; + st = SM2_decrypt(NID_sm3, loopargs[i].buf2, loopargs[i].cipherlen, + loopargs[i].buf, &len, loopargs[i].sm2[testnum]); + if (st == 0) + break; + } + if (st != 1) { + BIO_printf(bio_err, + "SM2 decrypt failure. No SM2 decrypt will be done.\n"); + ERR_print_errors(bio_err); + sm2enc_doit[testnum] = 0; + } else { + pkey_print_message("decrypt", "sm2", + sm2enc_c[testnum][1], + test_sm2_curves_bits[testnum], ECDSA_SECONDS); + Time_F(START); + count = run_benchmark(async_jobs, SM2_decrypt_loop, loopargs); + d = Time_F(STOP); + BIO_printf(bio_err, + mr ? "+R8:%ld:%d:%.2f\n" + : "%ld %d bit SM2 decrypt in %.2fs\n", + count, test_sm2_curves_bits[testnum], d); + sm2enc_results[testnum][1] = d / (double)count; + } + + if (rsa_count <= 1) { + /* if longer than 10s, don't do any more */ + for (testnum++; testnum < SM2_NUM; testnum++) + sm2sign_doit[testnum] = 0; + } + } + } + +#endif /* OPENSSL_NO_SM2 */ #ifndef NO_FORK show_res: #endif @@ -2901,6 +3129,12 @@ int speed_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_BF printf("%s ", BF_options()); +#endif +#ifndef OPENSSL_NO_SM3 + //printf("%s ", SM3_options()); +#endif +#ifndef OPENSSL_NO_SMS4 + //printf("%s ", SMS4_options()); #endif printf("\n%s\n", OpenSSL_version(OPENSSL_CFLAGS)); } 
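Review bot: The SM2 encryption block in speed_main ends its "longer than 10s" loop with `sm2sign_doit[testnum] = 0`, copied from the signing block; it should clear `sm2enc_doit[testnum]`. Both blocks store a fresh `EC_KEY_new_by_curve_name()` result in `loopargs[i].sm2[testnum]`, so when sign and encrypt are both selected (the new `sm2` keyword sets both arrays) the signing key is overwritten without `EC_KEY_free()` and leaks; free it first or reuse the key that is already there. The return value of `EC_KEY_generate_key()` is ignored in both blocks, so a failed key generation only shows up as a later sign or encrypt error. The encrypt and decrypt lines also reuse the `+R7:`/`+R8:` machine-readable tags of sign and verify, which makes the two streams indistinguishable to a parser. speed_main begins and ends outside this hunk.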
@@ -3010,6 +3244,50 @@ int speed_main(int argc, char **argv) test_curves_names[k], ecdh_results[k][0], 1.0 / ecdh_results[k][0]); } +#endif +#ifndef OPENSSL_NO_SM2 + testnum = 1; + for (k = 0; k < SM2_NUM; k++) { + if (!sm2sign_doit[k]) + continue; + if (testnum && !mr) { + printf("%30ssign verify sign/s verify/s\n", " "); + testnum = 0; + } + + if (mr) + printf("+F6:%u:%u:%f:%f\n", + k, test_sm2_curves_bits[k], + sm2sign_results[k][0], sm2sign_results[k][1]); + else + printf("%4u bit sm2 (%s) %8.4fs %8.4fs %8.1f %8.1f\n", + test_sm2_curves_bits[k], + test_sm2_curves_names[k], + sm2sign_results[k][0], sm2sign_results[k][1], + 1.0 / sm2sign_results[k][0], 1.0 / sm2sign_results[k][1]); + } + + testnum = 1; + for (k = 0; k < SM2_NUM; k++) { + if (!sm2enc_doit[k]) + continue; + if (testnum && !mr) { + printf("%30sencrypt decrypt enc/s dec/s\n", " "); + testnum = 0; + } + + if (mr) + printf("+F6:%u:%u:%f:%f\n", + k, test_sm2_curves_bits[k], + sm2enc_results[k][0], sm2enc_results[k][1]); + else + printf("%4u bit sm2 (%s) %8.4fs %8.4fs %8.1f %8.1f\n", + test_sm2_curves_bits[k], + test_sm2_curves_names[k], + sm2enc_results[k][0], sm2enc_results[k][1], + 1.0 / sm2enc_results[k][0], 1.0 / sm2enc_results[k][1]); + } + #endif ret = 0; @@ -3041,6 +3319,10 @@ int speed_main(int argc, char **argv) for (k = 0; k < SM2_NUM; k++) { EC_KEY_free(loopargs[i].sm2[k]); } +# if 0 + OPENSSL_free(loopargs[i].sm2dh_a); + OPENSSL_free(loopargs[i].sm2dh_b); +# endif #endif } 
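Review bot: In machine-readable mode the SM2 encryption results are printed with the same `+F6:` tag as the signature results, while the do_multi hunk later in this commit parses encryption results under `+F7:`. As written, the parent would fold the children's encrypt/decrypt timings into `sm2sign_results` and never fill `sm2enc_results`. The second `printf` in this hunk should start with `"+F7:%u:%u:%f:%f\n"`.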
@@ -3273,7 +3555,51 @@ static int do_multi(int multi) } # endif +# ifndef OPENSSL_NO_SM2 + else if (strncmp(buf, "+F6:", 4) == 0) { + int k; + double d; + p = buf + 4; + k = atoi(sstrsep(&p, sep)); + sstrsep(&p, sep); + + d = atof(sstrsep(&p, sep)); + if (n) + sm2sign_results[k][0] = + 1 / (1 / sm2sign_results[k][0] + 1 / d); + else + sm2sign_results[k][0] = d; + + d = atof(sstrsep(&p, sep)); + if (n) + sm2sign_results[k][1] = + 1 / (1 / sm2sign_results[k][1] + 1 / d); + else + sm2sign_results[k][1] = d; + } else if (strncmp(buf, "+F7:", 4) == 0) { + int k; + double d; + + p = buf + 4; + k = atoi(sstrsep(&p, sep)); + sstrsep(&p, sep); + + d = atof(sstrsep(&p, sep)); + if (n) + sm2enc_results[k][0] = + 1 / (1 / sm2enc_results[k][0] + 1 / d); + else + sm2enc_results[k][0] = d; + + d = atof(sstrsep(&p, sep)); + if (n) + sm2enc_results[k][1] = + 1 / (1 / sm2enc_results[k][1] + 1 / d); + else + sm2enc_results[k][1] = d; + } +# endif else if (strncmp(buf, "+H:", 3) == 0) { ; } else diff --git a/crypto/sm2/sm2_asn1.c b/crypto/sm2/sm2_asn1.c index cf88bfe0..f2f512c1 100644 --- a/crypto/sm2/sm2_asn1.c +++ b/crypto/sm2/sm2_asn1.c @@ -71,3 +71,4 @@ int SM2CiphertextValue_size(const EC_GROUP *group, int inlen) { return 1024; } + diff --git a/crypto/sm2/sm2_enc.c b/crypto/sm2/sm2_enc.c index 05e4f7bd..7b5cee27 100644 --- a/crypto/sm2/sm2_enc.c +++ b/crypto/sm2/sm2_enc.c 
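Review bot: In the new `+F6:` and `+F7:` branches of do_multi, `k = atoi(sstrsep(&p, sep))` is used directly as an index into `sm2sign_results[k]` and `sm2enc_results[k]`. `atoi` reports no errors and the text comes off the child pipe, so a malformed or truncated line can write outside arrays that are presumably `SM2_NUM` rows long (their declarations are not in this diff). A range check right after the conversion, `if (k < 0 || k >= SM2_NUM)`, that skips the line would keep the write in bounds; `strtol` with an end-pointer check would also catch non-numeric fields. The enclosing read loop and the rest of do_multi are outside the hunk.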
@@ -230,36 +230,24 @@ end: int SM2_encrypt(int type, const unsigned char *in, size_t inlen, unsigned char *out, size_t *outlen, EC_KEY *ec_key) { - int ret = 0; - SM2CiphertextValue *cv = NULL; const EVP_MD *md; - int len; + SM2CiphertextValue *cv; if (!(md = EVP_get_digestbynid(type))) { SM2err(SM2_F_SM2_ENCRYPT, SM2_R_INVALID_DIGEST_ALGOR); + *outlen = 0; return 0; } + RAND_seed(in, inlen); if (!(cv = SM2_do_encrypt(md, in, inlen, ec_key))) { - SM2err(SM2_F_SM2_ENCRYPT, SM2_R_ENCRYPT_FAILURE); - goto end; + *outlen = 0; + return 0; } - if (!out) { - *outlen = i2d_SM2CiphertextValue(cv, NULL) + 96; - ret = 1; - } else if (*outlen < i2d_SM2CiphertextValue(cv, NULL) + 64) { - SM2err(SM2_F_SM2_ENCRYPT, SM2_R_BUFFER_TOO_SMALL); - ret = 0; - } else { - len = i2d_SM2CiphertextValue(cv, &out); - *outlen = len; - ret = 1; - } - -end: + *outlen = i2d_SM2CiphertextValue(cv, &out); SM2CiphertextValue_free(cv); - return ret; + return 1; } int SM2_decrypt(int type, const unsigned char *in, size_t inlen, @@ -273,14 +261,18 @@ int SM2_decrypt(int type, const unsigned char *in, size_t inlen, /* check arguments */ if (!(md = EVP_get_digestbynid(type))) { SM2err(SM2_F_SM2_DECRYPT, SM2_R_INVALID_DIGEST_ALGOR); + *outlen = 0; return 0; } + if (!in) { SM2err(SM2_F_SM2_DECRYPT, ERR_R_PASSED_NULL_PARAMETER); + *outlen = 0; return 0; } if (inlen <= 0 || inlen > INT_MAX) { SM2err(SM2_F_SM2_DECRYPT, SM2_R_INVALID_INPUT_LENGTH); + *outlen = 0; return 0; } @@ -300,11 +292,14 @@ int SM2_decrypt(int type, const unsigned char *in, size_t inlen, *outlen = ASN1_STRING_length(cv->ciphertext); ret = 1; goto end; - } else if (*outlen < ASN1_STRING_length(cv->ciphertext)) { + } + /* + else if (*outlen < ASN1_STRING_length(cv->ciphertext)) { SM2err(SM2_F_SM2_DECRYPT, SM2_R_BUFFER_TOO_SMALL); ret = 0; goto end; } + */ /* do decrypt */ if (!SM2_do_decrypt(md, cv, out, outlen, ec_key)) { 
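Review bot: The rewritten SM2_encrypt serialises straight into the caller's buffer with `*outlen = i2d_SM2CiphertextValue(cv, &out);` and no longer compares the encoded size with `*outlen`, so a buffer smaller than the ciphertext is overrun; the `out == NULL` length query is gone too (the encoder is handed a NULL `*pp` and whatever it produces never reaches the caller), and a negative i2d return is stored into the `size_t`. The added `RAND_seed(in, inlen)` feeds the plaintext into the global RNG state; the plaintext is not an entropy source and the call should be dropped. The fence restores the size query and the bounds check around one measured encode, and keeps the `SM2_R_ENCRYPT_FAILURE` error the commit removed. Callers such as the apps/speed.c loops in this commit would then have to set `cipherlen` to the capacity of `buf2` before each call.

```c
int SM2_encrypt(int type, const unsigned char *in, size_t inlen,
    unsigned char *out, size_t *outlen, EC_KEY *ec_key)
{
    int ret = 0;
    int len;
    /* ... unchanged: digest lookup ... */

    if (!(cv = SM2_do_encrypt(md, in, inlen, ec_key))) {
        SM2err(SM2_F_SM2_ENCRYPT, SM2_R_ENCRYPT_FAILURE);
        *outlen = 0;
        return 0;
    }

    /* Measure first so nothing is written before the size is known. */
    len = i2d_SM2CiphertextValue(cv, NULL);
    if (len <= 0) {
        SM2err(SM2_F_SM2_ENCRYPT, SM2_R_ENCRYPT_FAILURE);
        *outlen = 0;
    } else if (out == NULL) {
        /* Length query: report the required size only. */
        *outlen = (size_t)len;
        ret = 1;
    } else if (*outlen < (size_t)len) {
        SM2err(SM2_F_SM2_ENCRYPT, SM2_R_BUFFER_TOO_SMALL);
    } else {
        *outlen = (size_t)i2d_SM2CiphertextValue(cv, &out);
        ret = 1;
    }

    SM2CiphertextValue_free(cv);
    return ret;
}
```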
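Review bot: Commenting out the `*outlen < ASN1_STRING_length(cv->ciphertext)` test in SM2_decrypt, and the matching `*outlen < cv->ciphertext->length` test in the SM2_do_decrypt hunk that follows, removes the only visible bound on what is written to `out`. The plaintext length is taken from the parsed ciphertext, which the sender controls, so a caller that passes a fixed-size buffer can have it overrun, assuming the decrypt core writes `cv->ciphertext->length` bytes as the length-query path suggests. Both checks should be restored rather than left in a comment. If they were disabled because some caller does not initialise `*outlen`, the fix belongs in that caller. The remainder of both functions is outside these hunks.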
@@ -374,10 +369,12 @@ int SM2_do_decrypt(const EVP_MD *md, const SM2CiphertextValue *cv, *outlen = cv->ciphertext->length; return 1; } + /* if (*outlen < cv->ciphertext->length) { SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_BUFFER_TOO_SMALL); return 0; } + */ /* malloc */ point = EC_POINT_new(group); diff --git a/include/openssl/bio.h b/include/openssl/bio.h index fd93dc47..a1f52e54 100644 --- a/include/openssl/bio.h +++ b/include/openssl/bio.h @@ -450,22 +450,11 @@ int BIO_read_filename(BIO *b, const char *name); /* defined in evp.h */ /* #define BIO_set_md(b,md) BIO_ctrl(b,BIO_C_SET_MD,1,(char *)md) */ -# ifndef OPENSSL_NO_MACRO # define BIO_get_mem_data(b,pp) BIO_ctrl(b,BIO_CTRL_INFO,0,(char *)pp) # define BIO_set_mem_buf(b,bm,c) BIO_ctrl(b,BIO_C_SET_BUF_MEM,c,(char *)bm) # define BIO_get_mem_ptr(b,pp) BIO_ctrl(b,BIO_C_GET_BUF_MEM_PTR,0,(char *)pp) # define BIO_set_mem_eof_return(b,v) \ BIO_ctrl(b,BIO_C_SET_BUF_MEM_EOF_RETURN,v,NULL) -# else - -long BIO_get_mem_data(BIO *b, char **pp); -long BIO_set_mem_buf(BIO *b, BUF_MEM *bm, int c); -long BIO_get_mem_ptr(BIO *b, BUF_MEM **pp); -long BIO_set_mem_eof_return(BIO *b, int v) - -BIO *BIO_new_mem_buf(const void *buf, int len); - -# endif /* For the BIO_f_buffer() type */ # define BIO_get_buffer_num_lines(b) BIO_ctrl(b,BIO_C_GET_BUFF_NUM_LINES,0,NULL) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 1ff13f6d..32b646fd 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1518,6 +1518,7 @@ __owur int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid SSL *SSL_new(SSL_CTX *ctx); int SSL_up_ref(SSL *s); int SSL_is_dtls(const SSL *s); +int SSL_is_gmtls(const SSL *s); __owur int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, unsigned int sid_ctx_len); diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 7fe94850..4e079034 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c 
@@ -285,7 +285,9 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* OPENSSL_NO_GMTLS */ +#ifndef OPENSSL_NO_SM2 /* ECDHE-SM2-[SM1|SMS4|SSF33]-[SM3|SHA256] */ { 1, @@ -377,8 +379,8 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* OPENSSL_NO_SM2 */ -#endif /* OPENSSL_NO_GMTLS */ #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, @@ -3934,11 +3936,11 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, /* with PSK there must be server callback set */ if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL) continue; -#endif /* OPENSSL_NO_PSK */ +#endif /* OPENSSL_NO_PSK */ ok = (alg_k & mask_k) && (alg_a & mask_a); #ifdef CIPHER_DEBUG - fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, + fprintf(stderr, "%d:[alg_k=%08lX:alg_a=%08lX:mask_k=%08lX:mask_a=%08lX]%p:%s\n", ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name); #endif diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 33ed30d0..7a22c6df 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -64,7 +64,7 @@ typedef struct { ASN1_OCTET_STRING *srp_username; #endif long flags; -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS X509 *peer_extra; #endif } SSL_SESSION_ASN1; @@ -93,7 +93,7 @@ ASN1_SEQUENCE(SSL_SESSION_ASN1) = { ASN1_EXP_OPT(SSL_SESSION_ASN1, srp_username, ASN1_OCTET_STRING, 12), #endif ASN1_EXP_OPT(SSL_SESSION_ASN1, flags, ZLONG, 13), -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS ASN1_EXP_OPT(SSL_SESSION_ASN1, peer_extra, X509, 14) #endif } static_ASN1_SEQUENCE_END(SSL_SESSION_ASN1) @@ -207,7 +207,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) as.flags = in->flags; -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS as.peer_extra = in->peer_extra; #endif 
@@ -365,7 +365,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, /* Flags defaults to zero which is fine */ ret->flags = as->flags; -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS X509_free(ret->peer_extra); ret->peer_extra = as->peer_extra; as->peer_extra = NULL; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index b6b11645..4baecacb 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -504,7 +504,8 @@ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) { if (!s->server) { /* we are in the client */ - if (((s->version >> 8) == SSL3_VERSION_MAJOR) && (s->s3 != NULL)) + if (((s->version >> 8) == SSL3_VERSION_MAJOR || SSL_IS_GMTLS(s)) + && (s->s3 != NULL)) return (s->s3->tmp.ca_names); else return (NULL); 
@@ -765,45 +766,6 @@ int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) return 1; } -/* 输出双证书及CA证书链 */ -/* -static int ssl_add_sm2_certs(SSL *s, unsigned long *l) -{ - BUF_MEM *buf = s->init_buf; - CERT_PKEY *sign_cpk = &s->cert->pkeys[SSL_PKEY_SM2_SIGN]; - CERT_PKEY *enc_cpk = &s->cert->pkeys[SSL_PKEY_SM2_ENC]; - STACK_OF(X509) *extra_certs; - int i; - - if (!BUF_MEM_grow_clean(buf, 10)) { - fprintf(stderr, "----- %s() %s %d\n", __func__, __FILE__, __LINE__); - return 0; - } - if (sign_cpk->chain) - extra_certs = sign_cpk->chain; - else - extra_certs = s->ctx->extra_certs; - - if (!ssl_add_cert_to_buf(buf, l, sign_cpk->x509)) { - fprintf(stderr, "----- %s() %s %d\n", __func__, __FILE__, __LINE__); - return 0; - } - if (!ssl_add_cert_to_buf(buf, l, enc_cpk->x509)) { - fprintf(stderr, "----- %s() %s %d\n", __func__, __FILE__, __LINE__); - return 0; - } - - for (i = 0; i < sk_X509_num(extra_certs); i++) { - if (!ssl_add_cert_to_buf(buf, 1, sk_X509_value(extra_certs, i))) { - fprintf(stderr, "----- %s() %s %d\n", __func__, __FILE__, __LINE__); - return 0; - } - } - - return 1; -} -*/ - /* Add certificate chain to internal SSL BUF_MEM structure */ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) { diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 59e7a82b..efbd0e72 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -219,10 +219,8 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = { EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef, /* GOST2012_512 */ EVP_PKEY_HMAC, -#ifndef OPENSSL_NO_GMTLS_METHOD /* MD5_SHA1, SHA224, SHA512, SM3 */ NID_undef, NID_undef, NID_undef, EVP_PKEY_HMAC -#endif }; static int ssl_mac_secret_size[SSL_MD_NUM_IDX]; 
@@ -466,9 +464,10 @@ void ssl_load_ciphers(void) #ifdef OPENSSL_NO_EC disabled_mkey_mask |= SSL_kECDHEPSK; disabled_auth_mask |= SSL_aECDSA; -# ifdef OPENSSL_NO_GMTLS_METHOD - /* do something */ -# endif +#endif +#ifdef OPENSSL_NO_SM2 + disabled_mkey_mask |= SSL_kSM2DHEPSK; + disabled_auth_mask |= SSL_aSM2; #endif #ifdef OPENSSL_NO_PSK disabled_mkey_mask |= SSL_PSK; @@ -667,9 +666,8 @@ const EVP_MD *ssl_handshake_md(SSL *s) const EVP_MD *ssl_prf_md(SSL *s) { -#ifndef OPENSSL_NO_GMTLS_METHOD - /* In GM/T 0024, PRF always use SM3 */ - if (s->version == GMTLS_VERSION) +#ifndef OPENSSL_NO_GMTLS + if (SSL_IS_GMTLS(s)) return EVP_sm3(); #endif return ssl_md(ssl_get_algorithm2(s) >> TLS1_PRF_DGST_SHIFT); @@ -1580,11 +1578,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) const char *ver; const char *kx, *au, *enc, *mac; uint32_t alg_mkey, alg_auth, alg_enc, alg_mac; -#ifndef OPENSSL_NO_GMTLS static const char *format = "%-30s %-10s Kx=%-8s Au=%-6s Enc=%-23s Mac=%-4s\n"; -#else - static const char *format = "%-23s %s Kx=%-4s Au=%-4s Enc=%-8s Mac=%-4s\n"; -#endif if (buf == NULL) { len = 128; @@ -1629,7 +1623,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kGOST: kx = "GOST"; break; -#ifndef OPENSSL_NO_GMTLS_METHOD case SSL_kSM2: kx = "SM2"; break; @@ -1645,7 +1638,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kSM9DHE: kx = "SM9DHE"; break; -#endif default: kx = "unknown"; } @@ -1676,14 +1668,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case (SSL_aGOST12 | SSL_aGOST01): au = "GOST12"; break; -#ifndef OPENSSL_NO_GMTLS_METHOD case SSL_aSM2: au = "SM2"; break; case SSL_aSM9: au = "SM9"; break; -#endif default: au = "unknown"; break; 
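Review bot: The new `#ifdef OPENSSL_NO_SM2` block in ssl_load_ciphers masks `SSL_kSM2DHEPSK`, but the key-exchange bits defined in this commit's ssl_locl.h hunk are `SSL_kSM2`, `SSL_kSM2DHE`, `SSL_kSM2PSK`, `SSL_kSM9` and `SSL_kSM9DHE`. Unless `SSL_kSM2DHEPSK` is defined somewhere outside the visible lines, a no-SM2 build will not compile. Even if it exists, the SM2 key-exchange bits themselves stay enabled, so a suite that pairs an SM2 key exchange with an authentication bit other than `SSL_aSM2` would not be filtered. Suggested: `disabled_mkey_mask |= SSL_kSM2 | SSL_kSM2DHE | SSL_kSM2PSK;`.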
@@ -1748,7 +1738,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_CHACHA20POLY1305: enc = "CHACHA20/POLY1305(256)"; break; -#ifndef OPENSSL_NO_GMTLS_METHOD case SSL_SMS4: enc = "SMS4(128)"; break; @@ -1770,7 +1759,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_SSF33: enc = "SSF33(128)"; break; -#endif default: enc = "unknown"; break; @@ -1803,11 +1791,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_GOST12_512: mac = "GOST2012"; break; -#ifndef OPENSSL_NO_GMTLS_METHOD case SSL_SM3: mac = "SM3"; break; -#endif default: mac = "unknown"; break; @@ -2012,12 +1998,10 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c) return SSL_PKEY_GOST_EC; else if (alg_a & SSL_aGOST01) return SSL_PKEY_GOST01; -#ifndef OPENSSL_NO_GMTLS_METHOD else if (alg_a & SSL_aSM2) return SSL_PKEY_SM2_SIGN; else if (alg_a & SSL_aSM9) - return -1; -#endif + return SSL_PKEY_SM9_SIGN; return -1; } diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index b6916807..ab43f4d2 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -282,11 +282,9 @@ static int protocol_from_string(const char *value) {"TLSv1", TLS1_VERSION}, {"TLSv1.1", TLS1_1_VERSION}, {"TLSv1.2", TLS1_2_VERSION}, -#ifndef OPENSSL_NO_GMTLS_VERSION - {"GMTLS", GMTLS_VERSION}, -#endif {"DTLSv1", DTLS1_VERSION}, - {"DTLSv1.2", DTLS1_2_VERSION} + {"DTLSv1.2", DTLS1_2_VERSION}, + {"GMTLS", GMTLS_VERSION} }; size_t i; size_t n = OSSL_NELEM(versions); @@ -529,9 +527,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_SWITCH("no_tls1", 0), SSL_CONF_CMD_SWITCH("no_tls1_1", 0), SSL_CONF_CMD_SWITCH("no_tls1_2", 0), -#ifndef OPENSSL_NO_GMTLS SSL_CONF_CMD_SWITCH("no_gmtls", 0), -#endif SSL_CONF_CMD_SWITCH("bugs", 0), SSL_CONF_CMD_SWITCH("no_comp", 0), SSL_CONF_CMD_SWITCH("comp", 0), 
@@ -589,9 +585,7 @@ static const ssl_switch_tbl ssl_cmd_switches[] = { {SSL_OP_NO_TLSv1, 0}, /* no_tls1 */ {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */ {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */ -#ifndef OPENSSL_NO_GMTLS_METHOD {SSL_OP_NO_GMTLS, 0}, /* no_gmtls */ -#endif {SSL_OP_ALL, 0}, /* bugs */ {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */ {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */ diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 8e3a2b74..67a50d0a 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -678,6 +678,11 @@ int SSL_is_dtls(const SSL *s) return SSL_IS_DTLS(s) ? 1 : 0; } +int SSL_is_gmtls(const SSL *s) +{ + return SSL_IS_GMTLS(s) ? 1 : 0; +} + int SSL_up_ref(SSL *s) { int i; @@ -2655,7 +2660,7 @@ void ssl_set_masks(SSL *s) have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; #endif #ifndef OPENSSL_NO_SM2 - have_sm2_cert = pvalid[SSL_PKEY_SM2_SIGN] & CERT_PKEY_VALID; + have_sm2_cert = pvalid[SSL_PKEY_SM2_ENC] & CERT_PKEY_VALID; #endif mask_k = 0; mask_a = 0; @@ -2712,13 +2717,18 @@ void ssl_set_masks(SSL *s) ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE; if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN)) ecdsa_ok = 0; - if (ecdsa_ok) + if (ecdsa_ok) { +fprintf(stderr, "%s %d\n", __FILE__, __LINE__); mask_a |= SSL_aECDSA; + mask_a |= SSL_aSM2;//先将就一下 + } } #endif #ifndef OPENSSL_NO_SM2 + //这个现在不好用啊! if (have_sm2_cert) { uint32_t ex_kusage; +fprintf(stderr, "%s %d\n", __FILE__, __LINE__); cpk = &c->pkeys[SSL_PKEY_SM2_SIGN]; x = cpk->x509; OPENSSL_assert(x); @@ -2874,7 +2884,7 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, } else if ((alg_a & SSL_aECDSA) && (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) idx = SSL_PKEY_ECC; -#ifndef OPENSSL_NO_GMTLS_SM2 +#ifndef OPENSSL_NO_SM2 else if ((alg_a & SSL_aSM2) && (c->pkeys[SSL_PKEY_SM2_SIGN].privatekey != NULL)) idx = SSL_PKEY_SM2_SIGN; 
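Review bot: `have_sm2_cert` in ssl_set_masks is now taken from `pvalid[SSL_PKEY_SM2_ENC]`, but the SM2 block in the following hunk still loads `cpk = &c->pkeys[SSL_PKEY_SM2_SIGN]` and runs `OPENSSL_assert(x)` on that slot's certificate. A server configured with a valid encryption certificate and no signing certificate would reach the assert and abort the process. Either keep the test on the signing slot or make the block check the slot it dereferences, for example `if (have_sm2_cert && c->pkeys[SSL_PKEY_SM2_SIGN].x509 != NULL) {`. The function continues outside both hunks, so other uses of `have_sm2_cert` should be checked against the same change.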
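Review bot: The `ecdsa_ok` branch of ssl_set_masks now also sets `mask_a |= SSL_aSM2` (its comment translates roughly as "make do for now"), so any usable ECDSA certificate advertises SM2 authentication even when no SM2 signing key is loaded. ssl_get_sign_pkey in the later hunk only returns the SM2 slot when its private key is non-NULL, so an SM2 suite chosen on this basis would presumably fail at signing time instead of being filtered out during negotiation. I would drop that line and let the SM2 block below set the bit from the SM2 certificate's own key usage. The two `fprintf(stderr, "%s %d\n", __FILE__, __LINE__);` lines added here write to the application's stderr from library code and should be removed before merge.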
@@ -3156,10 +3166,8 @@ const char *ssl_protocol_to_string(int version) return "DTLSv1"; else if (version == DTLS1_2_VERSION) return "DTLSv1.2"; -#ifndef OPENSSL_NO_GMTLS_METHOD else if (version == GMTLS_VERSION) return "GMTLSv1.1"; -#endif else return ("unknown"); } diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index b37828f3..bee160fe 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -231,13 +231,11 @@ # define SSL_kECDHEPSK 0x00000080U # define SSL_kDHEPSK 0x00000100U -# ifndef OPENSSL_NO_GMTLS_METHOD -# define SSL_kSM2 0x00000200U -# define SSL_kSM2DHE 0x00000400U -# define SSL_kSM2PSK 0x00000800U -# define SSL_kSM9 0x00001000U -# define SSL_kSM9DHE 0x00002000U -# endif +# define SSL_kSM2 0x00000200U +# define SSL_kSM2DHE 0x00000400U +# define SSL_kSM2PSK 0x00000800U +# define SSL_kSM9 0x00001000U +# define SSL_kSM9DHE 0x00002000U /* all PSK */ @@ -260,11 +258,9 @@ # define SSL_aSRP 0x00000040U /* GOST R 34.10-2012 signature auth */ # define SSL_aGOST12 0x00000080U -# ifndef OPENSSL_NO_GMTLS_METHOD -/* SM2 */ +/* GMTLS */ # define SSL_aSM2 0x00000100U # define SSL_aSM9 0x00000200U -# endif /* Bits for algorithm_enc (symmetric encryption) */ # define SSL_DES 0x00000001U 
@@ -287,24 +283,20 @@ # define SSL_AES256CCM8 0x00020000U # define SSL_eGOST2814789CNT12 0x00040000U # define SSL_CHACHA20POLY1305 0x00080000U -# ifndef OPENSSL_NO_GMTLS_METHOD -# define SSL_SMS4 0x00100000U -# define SSL_SMS4GCM 0x00200000U -# define SSL_SMS4CCM 0x00400000U -# define SSL_SMS4CCM8 0x00800000U -# define SSL_ZUC 0x01000000U -# define SSL_SM1 0x02000000U -# define SSL_SSF33 0x04000000U -# endif +# define SSL_SMS4 0x00100000U +# define SSL_SMS4GCM 0x00200000U +# define SSL_SMS4CCM 0x00400000U +# define SSL_SMS4CCM8 0x00800000U +# define SSL_ZUC 0x01000000U +# define SSL_SM1 0x02000000U +# define SSL_SSF33 0x04000000U # define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM) # define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8) # define SSL_AES (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM) # define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) # define SSL_CHACHA20 (SSL_CHACHA20POLY1305) -# ifndef OPENSSL_NO_GMTLS_METHOD -# define SSL_SMS4ALL (SSL_SMS4 | SSL_SMS4GCM | SSL_SMS4CCM | SSL_SMS4CCM8) -# endif +# define SSL_SMS4ALL (SSL_SMS4 | SSL_SMS4GCM | SSL_SMS4CCM | SSL_SMS4CCM8) /* Bits for algorithm_mac (symmetric authentication) */ @@ -319,9 +311,7 @@ # define SSL_GOST12_256 0x00000080U # define SSL_GOST89MAC12 0x00000100U # define SSL_GOST12_512 0x00000200U -# ifndef OPENSSL_NO_GMTLS_METHOD -# define SSL_SM3 0x00000400U -# endif +# define SSL_SM3 0x00000400U /* * When adding new digest in the ssl_ciph.c and increment SSL_MD_NUM_IDX make @@ -340,12 +330,8 @@ # define SSL_MD_MD5_SHA1_IDX 9 # define SSL_MD_SHA224_IDX 10 # define SSL_MD_SHA512_IDX 11 -# ifndef OPENSSL_NO_GMTLS_METHOD -# define SSL_MD_SM3_IDX 12 -# define SSL_MAX_DIGEST 13 -# else -# define SSL_MAX_DIGEST 12 -# endif +# define SSL_MD_SM3_IDX 12 +# define SSL_MAX_DIGEST 13 /* Bits for algorithm2 (handshake digests and other extra flags) */ 
@@ -358,9 +344,7 @@ # define SSL_HANDSHAKE_MAC_GOST12_256 SSL_MD_GOST12_256_IDX # define SSL_HANDSHAKE_MAC_GOST12_512 SSL_MD_GOST12_512_IDX # define SSL_HANDSHAKE_MAC_DEFAULT SSL_HANDSHAKE_MAC_MD5_SHA1 -# ifndef OPENSSL_NO_GMTLS_METHOD -# define SSL_HANDSHAKE_MAC_SM3 SSL_MD_SM3_IDX -# endif +# define SSL_HANDSHAKE_MAC_SM3 SSL_MD_SM3_IDX /* Bits 8-15 bits are PRF */ # define TLS1_PRF_DGST_SHIFT 8 @@ -370,10 +354,8 @@ # define TLS1_PRF_GOST94 (SSL_MD_GOST94_IDX << TLS1_PRF_DGST_SHIFT) # define TLS1_PRF_GOST12_256 (SSL_MD_GOST12_256_IDX << TLS1_PRF_DGST_SHIFT) # define TLS1_PRF_GOST12_512 (SSL_MD_GOST12_512_IDX << TLS1_PRF_DGST_SHIFT) -# define TLS1_PRF (SSL_MD_MD5_SHA1_IDX << TLS1_PRF_DGST_SHIFT) -# ifndef OPENSSL_NO_GMTLS_METHOD -# define TLS1_PRF_SM3 (SSL_MD_SM3_IDX << TLS1_PRF_DGST_SHIFT) -# endif +# define TLS1_PRF (SSL_MD_MD5_SHA1_IDX << TLS1_PRF_DGST_SHIFT) +# define TLS1_PRF_SM3 (SSL_MD_SM3_IDX << TLS1_PRF_DGST_SHIFT) /* * Stream MAC for GOST ciphersuites from cryptopro draft (currently this also @@ -443,14 +425,10 @@ # define SSL_PKEY_GOST01 4 # define SSL_PKEY_GOST12_256 5 # define SSL_PKEY_GOST12_512 6 -# ifndef OPENSSL_NO_GMTLS_METHOD -# define SSL_PKEY_SM2_ENC 7 -# define SSL_PKEY_SM2_SIGN 8 -# define SSL_PKEY_SM9 9 -# define SSL_PKEY_NUM 10 -# else -# define SSL_PKEY_NUM 7 -# endif +# define SSL_PKEY_SM2_ENC 7 +# define SSL_PKEY_SM2_SIGN 8 +# define SSL_PKEY_SM9_SIGN 9 +# define SSL_PKEY_NUM 10 /* * Pseudo-constant. GOST cipher suites can use different certs for 1 @@ -591,7 +569,7 @@ struct ssl_session_st { int not_resumable; /* This is the cert and type for the other end. */ X509 *peer; -# ifndef OPENSSL_NO_GMTLS_METHOD +# ifndef OPENSSL_NO_GMTLS X509 *peer_extra; char *peer_identity; CERT_SM9 ibe; 
@@ -1726,12 +1704,9 @@ __owur const SSL_METHOD *dtls_bad_ver_client_method(void); __owur const SSL_METHOD *dtlsv1_2_method(void); __owur const SSL_METHOD *dtlsv1_2_server_method(void); __owur const SSL_METHOD *dtlsv1_2_client_method(void); -#ifndef OPENSSL_NO_GMTLS_METHOD __owur const SSL_METHOD *gmtls_method(void); __owur const SSL_METHOD *gmtls_server_method(void); __owur const SSL_METHOD *gmtls_client_method(void); -#endif - extern const SSL3_ENC_METHOD TLSv1_enc_data; extern const SSL3_ENC_METHOD TLSv1_1_enc_data; @@ -1739,9 +1714,7 @@ extern const SSL3_ENC_METHOD TLSv1_2_enc_data; extern const SSL3_ENC_METHOD SSLv3_enc_data; extern const SSL3_ENC_METHOD DTLSv1_enc_data; extern const SSL3_ENC_METHOD DTLSv1_2_enc_data; -# ifndef OPENSSL_NO_GMTLS_METHOD extern const SSL3_ENC_METHOD GMTLS_enc_data; -# endif /* * Flags for SSL methods @@ -1750,9 +1723,8 @@ extern const SSL3_ENC_METHOD GMTLS_enc_data; # define SSL_METHOD_NO_SUITEB (1U<<1) -# ifndef OPENSSL_NO_GMTLS_METHOD -# define IMPLEMENT_gmtls_meth_func(flags, mask, func_name, s_accept, \ - s_connect, enc_data) \ +# define IMPLEMENT_gmtls_meth_func(flags, mask, func_name, s_accept, \ + s_connect, enc_data) \ const SSL_METHOD *func_name(void) \ { \ static const SSL_METHOD func_name##_data= { \ @@ -1788,7 +1760,6 @@ const SSL_METHOD *func_name(void) \ }; \ return &func_name##_data; \ } -# endif /* OPENSSL_NO_GMTLS_METHOD */ # define IMPLEMENT_tls_meth_func(version, flags, mask, func_name, s_accept, \ s_connect, enc_data) \ @@ -1828,15 +1799,6 @@ const SSL_METHOD *func_name(void) \ return &func_name##_data; \ } - - - - - - - - - # define IMPLEMENT_ssl3_meth_func(func_name, s_accept, s_connect) \ const SSL_METHOD *func_name(void) \ { \ 
@@ -2114,9 +2076,7 @@ __owur int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, int use_context); __owur int tls1_alert_code(int code); __owur int ssl3_alert_code(int code); -# ifndef OPENSSL_NO_GMTLS_METHOD __owur int gmtls_alert_code(int code); -# endif __owur int ssl_ok(SSL *s); # ifndef OPENSSL_NO_EC diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 140a0543..c1a01bd9 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -129,6 +129,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) return (0); } +#ifndef OPENSSL_NO_SM2 /* set private key even without keyUsage in cert */ if (i == SSL_PKEY_SM2_SIGN) { if (c->pkeys[SSL_PKEY_SM2_ENC].privatekey) @@ -140,6 +141,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) else i = SSL_PKEY_SM2_SIGN; } +#endif if (c->pkeys[i].x509 != NULL) { EVP_PKEY *pktmp; @@ -159,8 +161,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) /* * Don't check the public/private key, this is mostly for smart * cards. - * SM2和EC也可能是智能卡! - * */ if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ; diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 6518c8b6..f6e64065 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -153,7 +153,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) if (src->peer != NULL) X509_up_ref(src->peer); -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS if (src->peer_extra != NULL) X509_up_ref(src->peer_extra); #endif @@ -764,7 +764,7 @@ void SSL_SESSION_free(SSL_SESSION *ss) OPENSSL_cleanse(ss->master_key, sizeof ss->master_key); OPENSSL_cleanse(ss->session_id, sizeof ss->session_id); X509_free(ss->peer); -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS X509_free(ss->peer_extra); #endif sk_X509_pop_free(ss->peer_chain, X509_free); 
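Review bot: Only `peer_extra` is handled in the guarded block of ssl_session_dup, while the session struct in ssl_locl.h carries `peer_identity` and `ibe` under the same `OPENSSL_NO_GMTLS` guard. If the duplicate starts as a byte copy of `src` (the body is outside this hunk, so this needs confirming), both sessions would share one `peer_identity` pointer. The SSL_SESSION_free hunk likewise releases only `peer_extra`. I would duplicate the string on the dup side with a failure check and add `OPENSSL_free(ss->peer_identity);` next to `X509_free(ss->peer_extra);`, unless ownership of that field is documented to lie elsewhere.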
@@ -899,7 +899,7 @@ X509 *SSL_SESSION_get0_peer(SSL_SESSION *s) return s->peer; } -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS X509 *SSL_SESSION_get0_peer_extra(SSL_SESSION *s) { return s->peer_extra; diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c index 81db3fe1..1548c26d 100644 --- a/ssl/ssl_stat.c +++ b/ssl/ssl_stat.c @@ -286,7 +286,7 @@ const char *SSL_alert_desc_string(int value) return "BH"; case TLS1_AD_UNKNOWN_PSK_IDENTITY: return "UP"; -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS case GMTLS_AD_UNSUPPORTED_SITE2SITE: return "U2"; case GMTLS_AD_NO_AREA: @@ -370,7 +370,7 @@ const char *SSL_alert_desc_string_long(int value) return "unknown PSK identity"; case TLS1_AD_NO_APPLICATION_PROTOCOL: return "no application protocol"; -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS case GMTLS_AD_UNSUPPORTED_SITE2SITE: return "unsupported site2site"; case GMTLS_AD_NO_AREA: diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 07bc6438..9905692d 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c 
@@ -1,3 +1,51 @@ +/* ==================================================================== + * Copyright (c) 2014 - 2017 The GmSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the GmSSL Project. + * (http://gmssl.org/)" + * + * 4. The name "GmSSL Project" must not be used to endorse or promote + * products derived from this software without prior written + * permission. For written permission, please contact + * guanzhi1980@gmail.com. + * + * 5. Products derived from this software may not be called "GmSSL" + * nor may "GmSSL" appear in their names without prior written + * permission of the GmSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the GmSSL Project + * (http://gmssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE GmSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ /* * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * @@ -60,13 +108,13 @@ #ifndef OPENSSL_NO_DH # include #endif +#ifndef OPENSSL_NO_SM2 +# include +#endif #include #ifndef OPENSSL_NO_ENGINE # include #endif -#ifndef OPENSSL_NO_SM2 -# include -#endif static ossl_inline int cert_req_allowed(SSL *s); static int key_exchange_expected(SSL *s); @@ -89,7 +137,6 @@ static ossl_inline int cert_req_allowed(SSL *s) || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK))) return 0; - /* gmtls ciphers always allow req */ return 1; } @@ -104,11 +151,10 @@ static int key_exchange_expected(SSL *s) { long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; -#ifndef OPENSSL_NO_GMTLS_METHOD - if (s->version == GMTLS_VERSION) +#ifndef OPENSSL_NO_GMTLS + if (SSL_IS_GMTLS(s)) return 1; #endif - /* * Can't skip server key exchange if this is an ephemeral * ciphersuite or for SRP @@ -649,9 +695,8 @@ MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) #ifndef OPENSSL_NO_GMTLS if (SSL_IS_GMTLS(s)) return tls_process_server_certificate(s, pkt); - else #endif - return tls_process_server_certificate(s, pkt); + return tls_process_server_certificate(s, pkt); case TLS_ST_CR_CERT_STATUS: return tls_process_cert_status(s, pkt); 
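Review bot: In ossl_statem_client_process_message the GMTLS branch for the server certificate and the fall-through both call `tls_process_server_certificate(s, pkt)`, so the `#ifndef OPENSSL_NO_GMTLS` / `if (SSL_IS_GMTLS(s))` lines are dead weight after the `else` was removed. If GM/T 0024's two-certificate message is meant to get its own handler, a placeholder comment such as `/* TODO: GMTLS sends signing + encryption certificates; dedicated parser pending */` would say so; otherwise the three guarded lines can go and the single `return tls_process_server_certificate(s, pkt);` stays. The same duplicated branch appears in the certificate cases of ossl_statem_server_construct_message and ossl_statem_server_process_message in statem_srvr.c. The enclosing switch starts and ends outside the hunk.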
@@ -660,9 +705,8 @@ MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) #ifndef OPENSSL_NO_GMTLS if (SSL_IS_GMTLS(s)) return gmtls_process_server_key_exchange(s, pkt); - else #endif - return tls_process_server_key_exchange(s, pkt); + return tls_process_server_key_exchange(s, pkt); case TLS_ST_CR_CERT_REQ: return tls_process_certificate_request(s, pkt); @@ -1544,11 +1588,6 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) #endif } -//这个函数实际上就是从packet里面读取曲线参数,对方临时公钥 -//把这个临时公钥设置到s->s3->peer_tmp (在哪儿处理的?) -//然后再根据认证算法(s->s3->tmp.new_cipher->algorithm_auth 确定对方的签名算法(应该是证书中拿到的) -//最后从s->session->peer中取出对方的签名公钥,从pkey参数返回 -//这个函数并不去处理签名值,而是留给后续处理,因此sm2的话不提取任何数据,这个函数是无效的 static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) { #ifndef OPENSSL_NO_EC @@ -1633,10 +1672,9 @@ static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) * ECParameters in the server key exchange message. We do support RSA * and ECDSA. */ - // 这里的s->session->peer 应该是在处理证书消息的时候设定的,要看看具体在哪儿 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA) *pkey = X509_get0_pubkey(s->session->peer); -#ifndef OPENSSL_NO_GMTLS +#ifndef OPENSSL_NO_SM2 else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aSM2) *pkey = X509_get0_pubkey(s->session->peer); #endif @@ -2292,13 +2330,9 @@ static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al) } q = *p; - /* Fix buf for TLS and beyond */ - if (s->version > SSL3_VERSION) + /* Fix buf for TLS, GMTLS and beyond */ + if (s->version > SSL3_VERSION || SSL_IS_GMTLS(s)) *p += 2; -#ifndef OPENSSL_NO_GMTLS_METHOD - if (s->version == GMTLS_VERSION) - *p += 2; -#endif pctx = EVP_PKEY_CTX_new(pkey, NULL); if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) { 
@@ -2317,21 +2351,13 @@ static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al) (*p)[1]++; if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0] = 0x70; - - // tmp_buf 没有定义,可能出现了编辑错误! # endif /* Fix buf for TLS and beyond */ - if (s->version > SSL3_VERSION) { + if (s->version > SSL3_VERSION || SSL_IS_GMTLS(s)) { s2n(*len, q); *len += 2; } -#ifndef OPENSSL_NO_GMTLS_METHOD - if (s->version == GMTLS_VERSION) { - s2n(*len, q); - *len += 2; - } -#endif s->s3->tmp.pms = pms; s->s3->tmp.pmslen = pmslen; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index dfb18caf..77edc054 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c 
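Review bot: This hunk of tls_construct_cke_rsa deletes the comment that flagged `tmp_buf` as undeclared but keeps the statement `tmp_buf[0] = 0x70;` in the conditional block closed by the `# endif`. If that comment was accurate, the block still cannot compile once its macro is defined, and the only warning about it is now gone. I would either remove the stale block or leave an English note in its place, e.g. `/* FIXME: tmp_buf is not declared in this function; this block does not build if enabled */`. The opening of the conditional and the start of the function are outside the hunk.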
@@ -1,3 +1,51 @@ +/* ==================================================================== + * Copyright (c) 2014 - 2017 The GmSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the GmSSL Project. + * (http://gmssl.org/)" + * + * 4. The name "GmSSL Project" must not be used to endorse or promote + * products derived from this software without prior written + * permission. For written permission, please contact + * guanzhi1980@gmail.com. + * + * 5. Products derived from this software may not be called "GmSSL" + * nor may "GmSSL" appear in their names without prior written + * permission of the GmSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the GmSSL Project + * (http://gmssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE GmSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ /* * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * @@ -230,8 +278,8 @@ static int send_server_key_exchange(SSL *s) { unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; -#ifndef OPENSSL_NO_GMTLS_METHOD - if (s->method->version == GMTLS_VERSION) +#ifndef OPENSSL_NO_GMTLS + if (SSL_IS_GMTLS(s)) return 1; #endif @@ -643,17 +691,15 @@ int ossl_statem_server_construct_message(SSL *s) #ifndef OPENSSL_NO_GMTLS if (SSL_IS_GMTLS(s)) return tls_construct_server_certificate(s) - else #endif - return tls_construct_server_certificate(s); + return tls_construct_server_certificate(s); case TLS_ST_SW_KEY_EXCH: #ifndef OPENSSL_NO_GMTLS if (SSL_IS_GMTLS(s)) return gmtls_construct_server_key_exchange(s) - else #endif - return tls_construct_server_key_exchange(s); + return tls_construct_server_key_exchange(s); case TLS_ST_SW_CERT_REQ: return tls_construct_certificate_request(s); 
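Review bot: Both GMTLS returns in ossl_statem_server_construct_message are missing their terminating semicolon: `return tls_construct_server_certificate(s)` and `return gmtls_construct_server_key_exchange(s)`. With the `else` lines removed, each is followed directly by another `return`, so any build with GMTLS enabled fails to compile here. The lines should read `return tls_construct_server_certificate(s);` and `return gmtls_construct_server_key_exchange(s);`. The switch they belong to starts and ends outside the hunk.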
@@ -760,20 +806,18 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) return tls_process_client_hello(s, pkt); case TLS_ST_SR_CERT: -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS if (SSL_IS_GMTLS(s)) return tls_process_client_certificate(s, pkt); - else #endif - return tls_process_client_certificate(s, pkt); + return tls_process_client_certificate(s, pkt); case TLS_ST_SR_KEY_EXCH: #ifndef OPENSSL_NO_GMTLS if (SSL_IS_GMTLS(s)) return gmtls_process_client_key_exchange(s, pkt); - else #endif - return tls_process_client_key_exchange(s, pkt); + return tls_process_client_key_exchange(s, pkt); case TLS_ST_SR_CERT_VRFY: return tls_process_cert_verify(s, pkt); @@ -984,7 +1028,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) { /* SSLv3/TLS */ s->client_version = version; -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS } else if (version == GMTLS_VERSION) { s->client_version = version; #endif @@ -1273,7 +1317,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } } -#ifndef OPENSSL_NO_GMTLS_METHOD +#ifndef OPENSSL_NO_GMTLS if (!s->hit && (s->version == GMTLS_VERSION || s->version >= TLS1_VERSION) && s->tls_session_secret_cb) { #else @@ -1668,7 +1712,7 @@ int tls_construct_server_key_exchange(SSL *s) BUF_MEM *buf; EVP_MD_CTX *md_ctx = NULL; - if (!(md_ctx == EVP_MD_CTX_new())) { + if (!(md_ctx = EVP_MD_CTX_new())) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); al = SSL_AD_INTERNAL_ERROR; goto f_err; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 5cd94ecc..8f0bcba5 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -84,7 +84,6 @@ SSL3_ENC_METHOD const TLSv1_2_enc_data = { ssl3_handshake_write }; -#ifndef OPENSSL_NO_GMTLS_METHOD SSL3_ENC_METHOD const GMTLS_enc_data = { tls1_enc, tls1_mac, 
@@ -102,7 +101,6 @@ SSL3_ENC_METHOD const GMTLS_enc_data = { ssl3_set_handshake_header, ssl3_handshake_write }; -#endif long tls1_default_timeout(void) { @@ -179,9 +177,7 @@ static const tls_curve_info nid_list[] = { {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */ {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */ -#ifndef OPENSSL_NO_GMTLS {NID_sm2p256v1, 128, TLS_CURVE_PRIME}, /* sm2p256v1 (30) */ -#endif }; static const unsigned char ecformats_default[] = { @@ -192,9 +188,7 @@ static const unsigned char ecformats_default[] = { /* The default curves */ static const unsigned char eccurves_default[] = { -#ifndef OPENSSL_NO_GMTLS - 0, 30, /* sm2p256v1 (30) */ -#endif + 0, 30, /* sm2p256v1 (30) */ 0, 29, /* X25519 (29) */ 0, 23, /* secp256r1 (23) */ 0, 25, /* secp521r1 (25) */ @@ -345,8 +339,8 @@ int tls1_shared_curve(SSL *s, int nmatch) size_t num_pref, num_supp, i, j; int k; -#ifndef OPENSSL_NO_GMTLS_METHOD - if (s->method->version == GMTLS_VERSION) +#ifndef OPENSSL_NO_GMTLS + if (SSL_IS_GMTLS(s)) return NID_sm2p256v1; #endif @@ -3005,13 +2999,8 @@ int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext, * If tickets disabled behave as if no ticket present to permit stateful * resumption. */ -#ifndef OPENSSL_NO_GMTLS_METHOD if ((s->version <= SSL3_VERSION) && (s->version != GMTLS_VERSION)) return 0; -#else - if ((s->version <= SSL3_VERSION)) - return 0; -#endif if (!PACKET_get_net_2(&local_ext, &i)) { retv = 0; diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 4e334f69..7be41762 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c 
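Review bot: Curve identifier 30, which `nid_list` now binds to `NID_sm2p256v1` in every build, is the value the IANA supported-groups registry assigns to x448 (RFC 8422). The `eccurves_default` hunk also puts `0, 30` first in the default list without a guard, so ordinary TLS handshakes from this build advertise it as the preferred group. A standards-following peer will read that as x448, and a build without SM2 would advertise a curve it may not implement. I would keep both entries conditional, e.g. `#ifndef OPENSSL_NO_SM2` around the `nid_list` row and the `0, 30,` line, and offer the curve only on GMTLS connections rather than by default.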
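Review bot: The early `return NID_sm2p256v1;` in tls1_shared_curve answers before the peer's curve list or `nmatch` is consulted. A GMTLS handshake therefore reports SM2 as shared even if the client never offered it, and a caller that uses `nmatch` to ask for anything other than a curve NID still gets a NID back. If GM/T 0024 fixes the curve, this may be intended, but the code should say so, for instance `/* GMTLS: curve is fixed to sm2p256v1; the client's list is not consulted */`. The rest of the function lies outside the hunk, so the meaning of `nmatch` should be confirmed there.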
@@ -61,12 +61,10 @@ static ssl_trace_tbl ssl_version_tbl[] = { {TLS1_VERSION, "TLS 1.0"}, {TLS1_1_VERSION, "TLS 1.1"}, {TLS1_2_VERSION, "TLS 1.2"}, -#ifndef OPENSSL_NO_GMTLS_VERSION - {GMTLS_VERSION, "GMTLS 1.1"}, -#endif {DTLS1_VERSION, "DTLS 1.0"}, {DTLS1_2_VERSION, "DTLS 1.2"}, - {DTLS1_BAD_VER, "DTLS 1.0 (bad)"} + {DTLS1_BAD_VER, "DTLS 1.0 (bad)"}, + {GMTLS_VERSION, "GMTLS 1.1"} }; static ssl_trace_tbl ssl_content_tbl[] = { @@ -425,8 +423,7 @@ static ssl_trace_tbl ssl_ciphers_tbl[] = { {0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305"}, {0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305"}, {0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305"}, -#ifndef OPENSSL_NO_GMTLS_METHOD -# if 1 /* GM/T 0024 official names */ +# if 0 /* GM/T 0024 official names */ {0xE001, "GMT_ECDHE_SM1_SM3"}, {0xE003, "GMT_ECC_SM1_SM3"}, {0xE005, "GMT_IBSDH_SM1_SM3"}, @@ -468,7 +465,6 @@ static ssl_trace_tbl ssl_ciphers_tbl[] = { {0xE10A, "GMTLS_ECDHE_SM2_WITH_SMS4_GCM_SHA256"}, {0xE10B, "GMTLS_ECDHE_SM2_WITH_SMS4_CCM_SHA256"}, {0xE10C, "GMTLS_ECDHE_SM2_WITH_SMS4_CCM_8_SHA256"}, -#endif {0xFEFE, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"}, @@ -539,9 +535,7 @@ static ssl_trace_tbl ssl_curve_tbl[] = { {27, "brainpoolP384r1"}, {28, "brainpoolP512r1"}, {29, "ecdh_x25519"}, -#ifndef OPENSSL_NO_GMTLS_METHOD - {30, "sm2p256v1"}, -#endif + {30, "sm2p256v1"}, {0xFF01, "arbitrary_explicit_prime_curves"}, {0xFF02, "arbitrary_explicit_char2_curves"} }; @@ -560,9 +554,7 @@ static ssl_trace_tbl ssl_md_tbl[] = { {TLSEXT_hash_sha256, "sha256"}, {TLSEXT_hash_sha384, "sha384"}, {TLSEXT_hash_sha512, "sha512"}, -#ifndef OPENSSL_NO_GMTLS_METHOD {TLSEXT_hash_sm3, "sm3"}, -#endif {TLSEXT_hash_gostr3411, "md_gost94"}, {TLSEXT_hash_gostr34112012_256, "md_gost2012_256"}, {TLSEXT_hash_gostr34112012_512, "md_gost2012_512"} 
@@ -573,9 +565,7 @@ static ssl_trace_tbl ssl_sig_tbl[] = { {TLSEXT_signature_rsa, "rsa"}, {TLSEXT_signature_dsa, "dsa"}, {TLSEXT_signature_ecdsa, "ecdsa"}, -#ifndef OPENSSL_NO_GMTLS_METHOD {TLSEXT_signature_sm2sign, "sm2sign"}, -#endif {TLSEXT_signature_gostr34102001, "gost2001"}, {TLSEXT_signature_gostr34102012_256, "gost2012_256"}, {TLSEXT_signature_gostr34102012_512, "gost2012_512"} @@ -599,9 +589,7 @@ static ssl_trace_tbl ssl_ctype_tbl[] = { {5, "rsa_ephemeral_dh"}, {6, "dss_ephemeral_dh"}, {20, "fortezza_dms"}, -#ifndef OPENSSL_NO_GMTLS_METHOD {7, "sm2_sign"}, -#endif {64, "ecdsa_sign"}, {65, "rsa_fixed_ecdh"}, {66, "ecdsa_fixed_ecdh"} @@ -958,7 +946,6 @@ static int ssl_get_keyex(const char **pname, SSL *ssl) *pname = "GOST"; return SSL_kGOST; } -#ifndef OPENSSL_NO_GMTLS if (alg_k & SSL_kSM2) { *pname = "SM2"; return SSL_kSM2; @@ -979,7 +966,6 @@ static int ssl_get_keyex(const char **pname, SSL *ssl) *pname = "SM9DHE"; return SSL_kSM9DHE; } -#endif *pname = "UNKNOWN"; return 0; } @@ -1023,7 +1009,6 @@ static int ssl_print_client_keyex(BIO *bio, int indent, SSL *ssl, return 0; break; -#ifndef OPENSSL_NO_GMTLS case SSL_kSM2: case SSL_kSM9: if (!ssl_print_hexbuf(bio, indent + 2, @@ -1041,7 +1026,6 @@ static int ssl_print_client_keyex(BIO *bio, int indent, SSL *ssl, if (!ssl_print_hexbuf(bio, indent + 2, "sm9_Yc", 1, &msg, &msglen)) return 0; break; -#endif } return !msglen; @@ -1083,10 +1067,8 @@ static int ssl_print_server_keyex(BIO *bio, int indent, SSL *ssl, # ifndef OPENSSL_NO_EC case SSL_kECDHE: case SSL_kECDHEPSK: -# ifndef OPENSSL_NO_GMTLS case SSL_kSM2DHE: case SSL_kSM2PSK: -# endif if (msglen < 1) return 0; BIO_indent(bio, indent + 2, 80);