first step of v2 final release

2026-06-29 17:23:38 +08:00 · 2017-11-05 21:00:36 +08:00
parent 480b9e8d88
commit 27bde477a5
395 changed files with 26341 additions and 31364 deletions
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -50,8 +50,12 @@
 #include <stdio.h>
 #include <openssl/objects.h>
 #include "ssl_locl.h"
-#include <openssl/md5.h>
-#include <openssl/dh.h>
+#ifndef OPENSSL_NO_MD5
+# include <openssl/md5.h>
+#endif
+#ifndef OPENSSL_NO_DH
+# include <openssl/dh.h>
+#endif
 #include <openssl/rand.h>

 #define SSL3_NUM_CIPHERS        OSSL_NELEM(ssl3_ciphers)
@@ -97,6 +101,284 @@ static SSL_CIPHER ssl3_ciphers[] = {
     0,
     0,
     },
+#ifndef OPENSSL_NO_GMTLS
+    /* GM/T 0024 ciphersuites
+     * SM2(ENC) and SM9(ENC) only allowed in GMTLS 1.1
+     */
+    {
+     1,
+     GMTLS_TXT_SM2DHE_WITH_SM1_SM3,
+     GMTLS_CK_SM2DHE_WITH_SM1_SM3,
+     SSL_kSM2DHE,
+     SSL_aSM2,
+     SSL_SM1,
+     SSL_SM3,
+     GMTLS_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_SM2_WITH_SM1_SM3,
+     GMTLS_CK_SM2_WITH_SM1_SM3,
+     SSL_kSM2,
+     SSL_aSM2,
+     SSL_SM1,
+     SSL_SM3,
+     GMTLS_VERSION, GMTLS_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_SM9DHE_WITH_SM1_SM3,
+     GMTLS_CK_SM9DHE_WITH_SM1_SM3,
+     SSL_kSM9DHE,
+     SSL_aSM9,
+     SSL_SM1,
+     SSL_SM3,
+     GMTLS_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_SM9_WITH_SM1_SM3,
+     GMTLS_CK_SM9_WITH_SM1_SM3,
+     SSL_kSM9,
+     SSL_aSM9,
+     SSL_SM1,
+     SSL_SM3,
+     GMTLS_VERSION, GMTLS_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_RSA_WITH_SM1_SM3,
+     GMTLS_CK_RSA_WITH_SM1_SM3,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_SM1,
+     SSL_SM3,
+     GMTLS_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_RSA_WITH_SM1_SHA1,
+     GMTLS_CK_RSA_WITH_SM1_SHA1,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_SM1,
+     SSL_SHA1,
+     GMTLS_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_SM2DHE_WITH_SMS4_SM3,
+     GMTLS_CK_SM2DHE_WITH_SMS4_SM3,
+     SSL_kSM2DHE,
+     SSL_aSM2,
+     SSL_SMS4,
+     SSL_SM3,
+     GMTLS_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_SM2_WITH_SMS4_SM3,
+     GMTLS_CK_SM2_WITH_SMS4_SM3,
+     SSL_kSM2,
+     SSL_aSM2,
+     SSL_SMS4,
+     SSL_SM3,
+     GMTLS_VERSION, GMTLS_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_SM9DHE_WITH_SMS4_SM3,
+     GMTLS_CK_SM9DHE_WITH_SMS4_SM3,
+     SSL_kSM9DHE,
+     SSL_aSM9,
+     SSL_SMS4,
+     SSL_SM3,
+     GMTLS_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_SM9_WITH_SMS4_SM3,
+     GMTLS_CK_SM9_WITH_SMS4_SM3,
+     SSL_kSM9,
+     SSL_aSM9,
+     SSL_SMS4,
+     SSL_SM3,
+     GMTLS_VERSION, GMTLS_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_RSA_WITH_SMS4_SM3,
+     GMTLS_CK_RSA_WITH_SMS4_SM3,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_SMS4,
+     SSL_SM3,
+     GMTLS_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_RSA_WITH_SMS4_SHA1,
+     GMTLS_CK_RSA_WITH_SMS4_SHA1,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_SMS4,
+     SSL_SHA1,
+     GMTLS_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+
+    /* ECDHE-SM2-[SM1|SMS4|SSF33]-[SM3|SHA256] */
+    {
+     1,
+     GMTLS_TXT_ECDHE_SM2_WITH_SM1_SM3,
+     GMTLS_CK_ECDHE_SM2_WITH_SM1_SM3,
+     SSL_kECDHE,
+     SSL_aSM2,
+     SSL_SM1,
+     SSL_SM3,
+     TLS1_2_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_ECDHE_SM2_WITH_SMS4_SM3,
+     GMTLS_CK_ECDHE_SM2_WITH_SMS4_SM3,
+     SSL_kECDHE,
+     SSL_aSM2,
+     SSL_SMS4,
+     SSL_SM3,
+     TLS1_2_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_ECDHE_SM2_WITH_SSF33_SM3,
+     GMTLS_CK_ECDHE_SM2_WITH_SSF33_SM3,
+     SSL_kECDHE,
+     SSL_aSM2,
+     SSL_SSF33,
+     SSL_SM3,
+     TLS1_2_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_ECDHE_SM2_WITH_SM1_SHA256,
+     GMTLS_CK_ECDHE_SM2_WITH_SM1_SHA256,
+     SSL_kECDHE,
+     SSL_aSM2,
+     SSL_SM1,
+     SSL_SHA256,
+     TLS1_2_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_ECDHE_SM2_WITH_SMS4_SHA256,
+     GMTLS_CK_ECDHE_SM2_WITH_SMS4_SHA256,
+     SSL_kECDHE,
+     SSL_aSM2,
+     SSL_SMS4,
+     SSL_SHA256,
+     TLS1_2_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+    {
+     1,
+     GMTLS_TXT_ECDHE_SM2_WITH_SSF33_SHA256,
+     GMTLS_CK_ECDHE_SM2_WITH_SSF33_SHA256,
+     SSL_kECDHE,
+     SSL_aSM2,
+     SSL_SSF33,
+     SSL_SHA256,
+     TLS1_2_VERSION, TLS1_2_VERSION,
+     DTLS1_BAD_VER, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+     128,
+     128,
+     },
+
+#endif /* OPENSSL_NO_GMTLS */
 #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
    {
     1,
@@ -2734,6 +3016,7 @@ void ssl_sort_cipher_list(void)
          cipher_compare);
 }

+#ifndef OPENSSL_NO_SSL3_METHOD
 const SSL3_ENC_METHOD SSLv3_enc_data = {
    ssl3_enc,
    n_ssl3_mac,
@@ -2741,7 +3024,7 @@ const SSL3_ENC_METHOD SSLv3_enc_data = {
    ssl3_generate_master_secret,
    ssl3_change_cipher_state,
    ssl3_final_finish_mac,
-    MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
+    16+20,//MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
    SSL3_MD_CLIENT_FINISHED_CONST, 4,
    SSL3_MD_SERVER_FINISHED_CONST, 4,
    ssl3_alert_code,
@@ -2753,6 +3036,7 @@ const SSL3_ENC_METHOD SSLv3_enc_data = {
    ssl3_set_handshake_header,
    ssl3_handshake_write
 };
+#endif

 long ssl3_default_timeout(void)
 {
@@ -4074,6 +4358,10 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey)

    pctx = EVP_PKEY_CTX_new(privkey, NULL);

+#ifndef OPENSSL_NO_GMTLS
+	// if the cipher is kSM2DHE, we need to ctrl
+#endif
+
    if (EVP_PKEY_derive_init(pctx) <= 0
        || EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0
        || EVP_PKEY_derive(pctx, NULL, &pmslen) <= 0) {