1、解决TLS1.x的ECDH-SM2-SM3-SM4/SM2-SM3-SM4两种套件无法握手成功

2、暂去掉非SM算法的套件。
2026-05-07 00:46:17 +08:00 · 2016-08-22 17:44:54 +08:00
parent c7a611e916
commit 5c315bca3f
5 changed files with 55 additions and 36 deletions
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1871,6 +1871,12 @@ int ssl3_get_key_exchange(SSL *s)
            pkey =
                X509_get_pubkey(s->session->
                                sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
+# endif
+# ifndef NO_GMSSL
+        else if (alg_a & SSL_aSM2)
+            pkey =
+                X509_get_pubkey(s->session->
+                                sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
 # endif
        /* else anonymous ECDH, so no certificate or pkey. */
        EC_KEY_set_public_key(ecdh, srvr_ecpoint);
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -163,7 +163,40 @@ const char ssl3_version_str[] = "SSLv3" OPENSSL_VERSION_PTEXT;

 /* list of available SSLv3 ciphers (sorted by id) */
 OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+# ifndef NO_GMSSL
+	/* (GmSSL specific) */
+	{
+		1,
+		GM1_TXT_ECDHE_SM2_SM4_SM3,
+		GM1_CK_ECDHE_SM2_SM4_SM3,
+		SSL_kEECDH,
+		SSL_aSM2,
+		SSL_SM4,
+		SSL_SM3,
+		SSL_TLSV1_2,
+		SSL_NOT_EXP|SSL_HIGH,
+		SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+		128,
+		128,
+	},

+	/* (GmSSL Specific) */
+	{
+		1,
+		GM1_TXT_SM2_SM4_SM3,
+		GM1_CK_SM2_SM4_SM3,
+		SSL_kSM2,
+		SSL_aSM2,
+		SSL_SM4,
+		SSL_SM3,
+		SSL_TLSV1_2,
+		SSL_NOT_EXP|SSL_HIGH,
+		SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+		128,
+		128,
+	}
+# endif
+#if 0
 /* The RSA ciphers */
 /* Cipher 01 */
    {
@@ -2890,42 +2923,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     256,
     256},
 #endif
-
-#ifndef NO_GMSSL
-	/* (GmSSL specific) */
-	{
-		1,
-		GM1_TXT_ECDHE_SM2_SM4_SM3,
-		GM1_CK_ECDHE_SM2_SM4_SM3,
-		SSL_kEECDH,
-		SSL_aSM2,
-		SSL_SM4,
-		SSL_SM3,
-		SSL_TLSV1_2,
-		SSL_NOT_EXP|SSL_HIGH,
-		SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		128,
-		128,
-	},
-
-	/* (GmSSL Specific) */
-	{
-		1,
-		GM1_TXT_SM2_SM4_SM3,
-		GM1_CK_SM2_SM4_SM3,
-		SSL_kSM2,
-		SSL_aSM2,
-		SSL_SM4,
-		SSL_SM3,
-		SSL_TLSV1_2,
-		SSL_NOT_EXP|SSL_HIGH,
-		SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		128,
-		128,
-	}
-
 #endif
-
 /* end of list */
 };

--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -2128,7 +2128,12 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
         * chosen.
         */
        return SSL_PKEY_ECC;
-    } else if (alg_a & SSL_aECDSA)
+    } 
+# ifndef NO_GMSSL
+    else if (alg_a & SSL_aSM2)
+        return SSL_PKEY_ECC;
+# endif
+    else if (alg_a & SSL_aECDSA)
        return SSL_PKEY_ECC;
    else if (alg_k & SSL_kDHr)
        return SSL_PKEY_DH_RSA;
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2413,6 +2413,12 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
            mask_a |= SSL_aECDSA;
            emask_a |= SSL_aECDSA;
        }
+# endif
+# ifndef NO_GMSSL
+            mask_a |= SSL_aSM2;
+            emask_a |= SSL_aSM2;
+            mask_k |= SSL_kSM2;
+            emask_k |= SSL_kSM2;	
 # endif
    }
 #endif
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1026,6 +1026,10 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
                tlsext_sigalg_ecdsa(md)

 static unsigned char tls12_sigalgs[] = {
+# ifndef NO_GMSSL
+        TLSEXT_hash_sm3,
+        TLSEXT_signature_sm2sign,
+# endif
 # ifndef OPENSSL_NO_SHA512
    tlsext_sigalg(TLSEXT_hash_sha512)
        tlsext_sigalg(TLSEXT_hash_sha384)