add CBC-MAC and GM OTP, not tested

2026-06-30 01:33:39 +08:00 · 2016-05-15 20:21:51 +02:00
parent 8c0439e7d6
commit 60d14da0cc
81 changed files with 2789 additions and 1401 deletions
--- a/ssl/Makefile
+++ b/ssl/Makefile
@@ -26,7 +26,8 @@ LIBSRC=	\
 	s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c          s23_pkt.c \
 	t1_meth.c   t1_srvr.c t1_clnt.c  t1_lib.c  t1_enc.c t1_ext.c \
 	d1_meth.c   d1_srvr.c d1_clnt.c  d1_lib.c  d1_pkt.c \
-	d1_both.c d1_srtp.c \
+	d1_both.c   d1_srtp.c \
+	gm_meth.c   gm_srvr.c gm_clnt.c  gm_lib.c  gm_enc.c \
 	ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
 	ssl_ciph.c ssl_stat.c ssl_rsa.c \
 	ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \
@@ -35,9 +36,10 @@ LIBOBJ= \
 	s2_meth.o  s2_srvr.o  s2_clnt.o  s2_lib.o  s2_enc.o s2_pkt.o \
 	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
 	s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o          s23_pkt.o \
-	t1_meth.o   t1_srvr.o t1_clnt.o  t1_lib.o  t1_enc.o t1_ext.o \
-	d1_meth.o   d1_srvr.o d1_clnt.o  d1_lib.o  d1_pkt.o \
-	d1_both.o d1_srtp.o\
+	t1_meth.o  t1_srvr.o t1_clnt.o  t1_lib.o  t1_enc.o t1_ext.o \
+	d1_meth.o  d1_srvr.o d1_clnt.o  d1_lib.o  d1_pkt.o \
+	d1_both.o  d1_srtp.o\
+	gm_meth.o  gm_srvr.o gm_clnt.o  gm_lib.o  gm_enc.o \
 	ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
 	ssl_ciph.o ssl_stat.o ssl_rsa.o \
 	ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \
@@ -45,7 +47,7 @@ LIBOBJ= \

 SRC= $(LIBSRC)

-EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h kssl.h srtp.h
+EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h gmssl1.h kssl.h srtp.h
 HEADER=	$(EXHEADER) ssl_locl.h kssl_lcl.h

 ALL=    $(GENERAL) $(SRC) $(HEADER)
--- a/ssl/gm_clnt.c
+++ b/ssl/gm_clnt.c
@@ -55,19 +55,17 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include <openssl/gmssl.h>
+#include <openssl/gmssl1.h>

-static const SSL_METHOD *gmssl_get_client_method(int ver)
+static const SSL_METHOD *gm1_get_client_method(int ver)
 {
-	if (ver == GMSSL1_1_VERSION) {
-		return GMSSLv1_1_client_method();
+	if (ver == GM1_VERSION) {
+		return GMSSLv1_client_method();
 	}
 	return NULL;
 }

-IMPLEMENT_gmssl_meth_func(GMSSL1_1_VERSION, GMSSLv1_1_client_method,
-                        ssl_undefined_function,
-                        ssl3_connect,
-                        gmssl_get_client_method, GMSSLv1_1_enc_data)
-
+IMPLEMENT_gm1_meth_func(GMSSLv1_client_method,
+			ssl_undefined_function,ssl3_connect,
+			gm1_get_client_method)

--- a/ssl/gm_enc.c
+++ b/ssl/gm_enc.c
@@ -57,9 +57,9 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include <openssl/gmssl.h>
-
+#include <openssl/gmssl1.h>

+/* convert error code to some byte can be encode */
 int gmssl_alert_code(int code)
 {
 	return tls1_alert_code(code);
--- a/ssl/gm_lib.c
+++ b/ssl/gm_lib.c
@@ -57,32 +57,103 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include <openssl/gmssl.h>
+#include <openssl/gmssl1.h>

-const char gmssl1_version_str[] - "GMSSLv1" OPENSSL_VERSION_PTEXT;
+const char gm1_version_str[] = "GMSSLv1" OPENSSL_VERSION_PTEXT;

 #define GM1_NUM_CIPHERS		(sizeof(gm1_ciphers)/sizeof(SSL_CIPHER))


-SSL3_ENC_METHOD GMSSLv1_1_enc_data = {
-	gmssl_enc,
-	gmssl_mac,
-	gmssl_setup_key_block,
-	gmssl_generate_master_secret,
-	gmssl_change_cipher_state,
-	gmssl_final_finish_mac,
-	GMSSL_FINISH_MAC_LENGTH,
-	gmssl_cert_verify_mac,
+SSL3_ENC_METHOD GMSSLv1_enc_data = {
+	tls1_enc,
+	tls1_mac,
+	tls1_setup_key_block,
+	tls1_generate_master_secret,
+	tls1_change_cipher_state,
+	tls1_final_finish_mac,
+	TLS1_FINISH_MAC_LENGTH,
+	tls1_cert_verify_mac,
 	TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
 	TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
-	tls1_alert_code,
+	tls1_alert_code, //FIXME: GMSSL has some extra code
 	tls1_export_keying_material,
-	0,
+	SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS /* | SSL_ENC_FLAG_SM3_PRF */
+		/* | SSL_ENC_FLAGS_GM1_CIPHERS */,
 	SSL3_HM_HEADER_LENGTH,
 	ssl3_set_handshake_header,
 	ssl3_handshake_write
 };

+/*
+struct {
+	ECParameters curve_params;
+	ECPoint pubkey;
+} ServerECDHEParams;
+
+IBCEncryptionKey: derived from server ID
+
+struct {
+	switch (KeyExchangeAlgorithm):
+	case ECDHE:
+		ServerECDHEParams params;
+		signed struct {
+			uint8 client_random[32];
+			uint8 server_random[32];
+			ServerECDHEParams params;
+		} signed_params;
+	case ECC:
+		signed struct {
+			uint8 client_random[32];
+			uint8 server_random[32];
+			uint8 server_enc_cert[];
+		} signed_params;
+	case IBSDH:
+		ServerIBSDHParams params;
+		signed struct {
+			uint8 client_random[32];
+			uint8 server_random[32];
+			ServerIBSDHParams params;
+		} signed_params;
+	case IBC:
+		ServerIBCParams params;
+		signed struct {
+			uint8 client_random[32];
+			uint8 server_random[32];
+			ServerIBCParams params;
+			uint8 IBCEncryptionKey[1024];
+		} signed_params;
+	case RSA:
+		signed struct {
+			uint8 client_random[32];
+			uint8 server_random[32];
+			uint8 server_enc_cert[];
+		} signed_params;
+	}
+} ServerKeyExchange;
+
+struct {
+	switch (KeyExchangeAlgorithm):
+	case ECDHE:
+		uint8 ClientECDHEParams[];
+	case IBSDH:
+		uint8 ClientIBSDHParams[];
+	case ECC:
+		uint8 ECCEncryptedPreMasterSecret[];
+	case IBE:
+		uint8 IBCEncryptedPreMasterSecret[];
+	case RSA:
+		uint8 RSAEncryptedPreMasterSecret[];
+	} exchangeKeys;
+} ClientKeyExchange;
+*/
+
+
+	
+
+
+
+
+

 /*
 * ECDHE_XXX is the same as ECDHE_ECDSA_XXX in TLS
@@ -90,13 +161,13 @@ SSL3_ENC_METHOD GMSSLv1_1_enc_data = {
 *	except that the ServerKeyExchange format is not null.
 */
 OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = {
-
+#if 1
 	/* Cipher 1 */
 	{
 		1,
 		GM1_TXT_ECDHE_SM1_SM3,
 		GM1_CK_ECDHE_SM1_SM3,
-		SSL_kEECDH,
+		SSL_kECDHE2,
 		SSL_aSM2,
 		SSL_SM1,
 		SSL_SM3,
@@ -112,8 +183,8 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = {
 		1,
 		GM1_TXT_ECC_SM1_SM3,
 		GM1_CK_ECC_SM1_SM3,
-		SSL_kECDHs,
-		SSL_aECDH,
+		SSL_kSM2,
+		SSL_aSM2,
 		SSL_SM1,
 		SSL_SM3,
 		SSL_GMV1,
@@ -129,7 +200,7 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = {
 		GM1_TXT_IBSDH_SM1_SM3,
 		GM1_CK_IBSDH_SM1_SM3,
 		SSL_kEECDH,
-		SSL_aSM9,
+		SSL_aSM2,
 		SSL_SM1,
 		SSL_SM3,
 		SSL_GMV1,
@@ -142,8 +213,8 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = {
 	/* Cipher 4 */
 	{
 		1,
-		GM1_TXT_IBC_SM1_SHA1,
-		GM1_CK_IBC_SM1_SHA1,
+		GM1_TXT_IBC_SM1_SM3,
+		GM1_CK_IBC_SM1_SM3,
 		SSL_kECDHe,
 		SSL_aSM2,
 		SSL_SM1,
@@ -186,7 +257,7 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = {
 		128,
 		128,
 	},
-
+#endif

 	/* Cipher 7 */
 	{
@@ -220,14 +291,14 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = {
 		128,
 	},

-
+#if 1
 	/* Cipher 9 */
 	{
 		1,
 		GM1_TXT_IBSDH_SM4_SM3,
 		GM1_CK_IBSDH_SM4_SM3,
-		SSL_kEECDH,	/* ephemeral ECDH key exchange algorithm bits */
-		SSL_aSM2,	/* auth algor bits */
+		SSL_kIBSDH,
+		SSL_aSM2,
 		SSL_SM4,
 		SSL_SM3,
 		SSL_GMV1,
@@ -242,8 +313,8 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = {
 		1,
 		GM1_TXT_IBC_SM4_SM3,
 		GM1_CK_IBC_SM4_SM3,
-		SSL_kECDHe,	/* fixed ECDH key exchange algorithm bits */
-		SSL_aSM2,	/* auth algor bits */
+		SSL_kIBC,
+		SSL_aSM2,
 		SSL_SM4,
 		SSL_SM3,
 		SSL_GMV1,
@@ -252,7 +323,7 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = {
 		128,
 		128,
 	},
-
+#endif
 	/* Cipher 11 */
 	{
 		1,
@@ -274,8 +345,8 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = {
 		1,
 		GM1_TXT_RSA_SM4_SHA1,
 		GM1_CK_RSA_SM4_SHA1,
-		SSL_kEECDH,	/* ephemeral ECDH key exchange algorithm bits */
-		SSL_aSM2,	/* auth algor bits */
+		SSL_kEECDH,
+		SSL_aSM2,
 		SSL_SM4,
 		SSL_SM3,
 		SSL_GMV1,
@@ -285,5 +356,52 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = {
 		128,
 	},

+	/* Cipher 13 (GmSSL specific) */
+	{
+		1,
+		GM1_TXT_ECDHE_SM2_SM4_SM3,
+		GM1_CK_ECDHE_SM2_SM4_SM3,
+		SSL_kEECDH,
+		SSL_aSM2,
+		SSL_SM4,
+		SSL_SM3,
+		SSL_GMV1,
+		SSL_NOT_EXP|SSL_HIGH,
+		SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+		128,
+		128,
+	},
+
+	/* Cipher 14, (GmSSL Specific) */
+	{
+		1,
+		GM1_TXT_SM2_SM4_SM3,
+		GM1_CK_SM2_SM4_SM3,
+		SSL_kSM2,
+		SSL_aSM2,
+		SSL_SM4,
+		SSL_SM3,
+		SSL_GMV1,
+		SSL_NOT_EXP|SSL_HIGH,
+		SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+		128,
+		128,
+	}
+
 };

+int gm1_num_ciphers(void)
+{
+	return GM1_NUM_CIPHERS;
+}
+
+const SSL_CIPHER *gm1_get_cipher(unsigned int u)
+{
+	if (u < GM1_NUM_CIPHERS)
+		return (&(gm1_ciphers[GM1_NUM_CIPHERS - 1 - u]));
+	else
+		return NULL;
+}
+
+
+
--- a/ssl/gm_meth.c
+++ b/ssl/gm_meth.c
@@ -54,19 +54,17 @@
 #include <stdio.h>
 #include <openssl/objects.h>
 #include "ssl_locl.h"
-#include <openssl/gmssl.h>
+#include <openssl/gmssl1.h>

-static const SSL_METHOD *gmssl_get_method(int ver)
+static const SSL_METHOD *gm1_get_method(int ver)
 {
-	if (ver == GMSSL1_1_VERSION) {
-		return GMSSLv1_1_method();
+	if (ver == GM1_VERSION) {
+		return GMSSLv1_method();
 	}
 	return NULL;
 }

-IMPLEMENT_gmssl_meth_func(GMSSL1_1_VERSION, GMSSLv1_1_method,
-                        ssl3_accept,
-                        ssl3_connect,
-                        gmssl_get_method, GMSSLv1_1_enc_data)
-
+IMPLEMENT_gm1_meth_func(GMSSLv1_method,
+			ssl3_accept,ssl3_connect,
+			gm1_get_method)

--- a/ssl/gm_srvr.c
+++ b/ssl/gm_srvr.c
@@ -57,57 +57,17 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include <openssl/gmssl.h>
+#include <openssl/gmssl1.h>

-static const SSL_METHOD *gmssl_get_server_method(int ver)
+static const SSL_METHOD *gm1_get_server_method(int ver)
 {
-	if (ver == GMSSL1_1_VERSION) {
-		return GMSSLv1_1_server_method();
+	if (ver == GM1_VERSION) {
+		return GMSSLv1_server_method();
 	}
 	return NULL;
 }

-IMPLEMENT_gmssl_meth_func(GMSSL1_1_VERSION, GMSSLv1_1_server_method,
-                        ssl3_accept,
-                        ssl_undefined_function,
-                        gmssl_get_server_method, GMSSLv1_1_enc_data)
+IMPLEMENT_gm1_meth_func(GMSSLv1_server_method,
+			ssl3_accept,ssl_undefined_function,
+			gm1_get_server_method)

-int gm1_send_server_certificate(SSL *s)
-{
-
-    CERT_PKEY *cpk;
-
-    if (s->state == SSL3_ST_SW_CERT_A) {
-        cpk = ssl_get_server_send_pkey(s);
-        if (cpk == NULL) {
-            /* VRS: allow null cert if auth == KRB5 */
-            if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
-                (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
-                       ERR_R_INTERNAL_ERROR);
-                s->state = SSL_ST_ERR;
-                return (0);
-            }
-        }
-
-        if (!ssl3_output_cert_chain(s, cpk)) {
-            SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
-            s->state = SSL_ST_ERR;
-            return (0);
-        }
-        s->state = SSL3_ST_SW_CERT_B;
-    }
-
-    /* SSL3_ST_SW_CERT_B */
-    return ssl_do_write(s);
-}
-
-/*
-
-s3_srvr.c:s3_send_server_certificate
-	ssl_get_server_send_pkey
-	ssl3_output_cert_chain
-		ssl_add_cert_chain
-		ssl_set_handshake_header
-	ssl_do_write
-*/
--- a/ssl/gmssl1.h
+++ b/ssl/gmssl1.h
@@ -58,13 +58,15 @@
 extern "C" {
 #endif

-
+#if 0
 #define GM1_VERSION		0x0101
 #define GM1_VERSION_MAJOR	0x01
 #define GM1_VERSION_MINOR	0x01
-
-#define GMSSL1_1_VERSION	0x0101
-
+#else
+#define GM1_VERSION		0x0401
+#define GM1_VERSION_MAJOR	0x04
+#define GM1_VERSION_MINOR	0x01
+#endif

 #define GM1_get_version(s) \
 	((s->version >> 8) == GM1_VERSION_MAJOR ? s->version : 0)
@@ -74,31 +76,39 @@ extern "C" {


 /* from GM/T 0024-2014 Table 2 */
-#define GM1_CK_ECDHE_SM1_SM3	0x0300E001
-#define GM1_CK_ECC_SM1_SM3	0x0300E003
-#define GM1_CK_IBSDH_SM1_SM3	0x0300E005
-#define GM1_CK_IBC_SM1_SM3	0x0300E007
-#define GM1_CK_RSA_SM1_SM3	0x0300E009
-#define GM1_CK_RSA_SM1_SHA1	0x0300E00A
-#define GM1_CK_ECDHE_SM4_SM3	0x0300E011
-#define GM1_CK_ECC_SM4_SM3	0x0300E013
-#define GM1_CK_IBSDH_SM4_SM3	0x0300E015
-#define GM1_CK_IBC_SM4_SM3	0x0300E017
-#define GM1_CK_RSA_SM4_SM3	0x0300E019
-#define GM1_CK_RSA_SM4_SHA1	0x0300E01A
+#define GM1_CK_ECDHE_SM1_SM3		0x0300E001
+#define GM1_CK_ECC_SM1_SM3		0x0300E003
+#define GM1_CK_IBSDH_SM1_SM3		0x0300E005
+#define GM1_CK_IBC_SM1_SM3		0x0300E007
+#define GM1_CK_RSA_SM1_SM3		0x0300E009
+#define GM1_CK_RSA_SM1_SHA1		0x0300E00A
+#define GM1_CK_ECDHE_SM4_SM3		0x0300E011
+#define GM1_CK_ECC_SM4_SM3		0x0300E013
+#define GM1_CK_IBSDH_SM4_SM3		0x0300E015
+#define GM1_CK_IBC_SM4_SM3		0x0300E017
+#define GM1_CK_RSA_SM4_SM3		0x0300E019
+#define GM1_CK_RSA_SM4_SHA1		0x0300E01A
+/* GmSSL specific */
+#define GM1_CK_ECDHE_SM2_SM4_SM3 	0x0300E031
+#define GM1_CK_SM2_SM4_SM3		0x0300E033
+
+
+#define GM1_TXT_ECDHE_SM1_SM3		"ECDHE-SM1-SM3"
+#define GM1_TXT_ECC_SM1_SM3		"ECC-SM1-SM3"
+#define GM1_TXT_IBSDH_SM1_SM3		"IBSDH-SM1-SM3"
+#define GM1_TXT_IBC_SM1_SM3		"IBC-SM1-SM3"
+#define GM1_TXT_RSA_SM1_SM3		"RSA-SM1-SM3"
+#define GM1_TXT_RSA_SM1_SHA1		"RSA-SM1-SHA1"
+#define GM1_TXT_ECDHE_SM4_SM3		"ECDHE-SM4-SM3"
+#define GM1_TXT_ECC_SM4_SM3		"ECC-SM4-SM3"
+#define GM1_TXT_IBSDH_SM4_SM3		"IBSDH-SM4-SM3"
+#define GM1_TXT_IBC_SM4_SM3		"IBC-SM4-SM3"
+#define GM1_TXT_RSA_SM4_SM3		"RSA-SM4-SM3"
+#define GM1_TXT_RSA_SM4_SHA1		"RSA-SM4-SHA1"
+/* GmSSL specific */
+#define GM1_TXT_ECDHE_SM2_SM4_SM3	"ECDHE-SM2-SM4-SM3"
+#define GM1_TXT_SM2_SM4_SM3		"SM2-SM4-SM3"

-#define GM1_TXT_ECDHE_SM1_SM3	"ECDHE-SM1-SM3"
-#define GM1_TXT_ECC_SM1_SM3	"ECC-SM1-SM3"
-#define GM1_TXT_IBSDH_SM1_SM3	"IBSDH-SM1-SM3"
-#define GM1_TXT_IBC_SM1_SM3	"IBC-SM1-SM3"
-#define GM1_TXT_RSA_SM1_SM3	"RSA-SM1-SM3"
-#define GM1_TXT_RSA_SM1_SHA1	"RSA-SM1-SHA1"
-#define GM1_TXT_ECDHE_SM4_SM3	"ECDHE-SM4-SM3"
-#define GM1_TXT_ECC_SM4_SM3	"ECC-SM4-SM3"
-#define GM1_TXT_IBSDH_SM4_SM3	"IBSDH-SM4-SM3"
-#define GM1_TXT_IBC_SM4_SM3	"IBC-SM4-SM3"
-#define GM1_TXT_RSA_SM4_SM3	"RSA-SM4-SM3"
-#define GM1_TXT_RSA_SM4_SHA1	"RSA-SM4-SHA1"

 /* from GM/T 0024-2014 Table 1 */
 #define GM1_AD_UNSUPPORTED_SITE2SITE	200 /* fatal */
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1356,6 +1356,7 @@ int ssl3_get_server_certificate(SSL *s)
    return (ret);
 }

+//TODO: GMSSL modified server_send_key_exchange, so we need to check client_get_...
 int ssl3_get_key_exchange(SSL *s)
 {
 #ifndef OPENSSL_NO_RSA
@@ -2477,6 +2478,7 @@ int ssl3_send_client_key_exchange(SSL *s)

            q = p;
            /* Fix buf for TLS and beyond */
+//TODO: GMSSL version problem?
            if (s->version > SSL3_VERSION)
                p += 2;
            n = RSA_public_encrypt(sizeof tmp_buf,
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1699,10 +1699,9 @@ struct ssl_st {
 # include <openssl/dtls1.h>     /* Datagram TLS */
 # include <openssl/ssl23.h>
 # include <openssl/srtp.h>      /* Support for the use_srtp extension */
-
-#ifndef OPENSSL_NO_GMSSL
-#include <openssl/gmssl.h>
-#endif
+# ifndef OPENSSL_NO_GMSSL
+# include <openssl/gmssl1.h>
+# endif


 #ifdef  __cplusplus
@@ -2393,6 +2392,12 @@ const SSL_METHOD *DTLS_method(void); /* DTLS 1.0 and 1.2 */
 const SSL_METHOD *DTLS_server_method(void); /* DTLS 1.0 and 1.2 */
 const SSL_METHOD *DTLS_client_method(void); /* DTLS 1.0 and 1.2 */

+#ifndef OPENSSL_NO_GMSSL
+const SSL_METHOD *GMSSLv1_method(void);
+const SSL_METHOD *GMSSLv1_server_method(void);
+const SSL_METHOD *GMSSLv1_client_method(void);
+#endif
+
 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);

 int SSL_do_handshake(SSL *s);
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -232,7 +232,7 @@ static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX] = {
    SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
    SSL_HANDSHAKE_MAC_SHA384,
 #ifndef OPENSSL_NO_GMSSL
-    SSL_HANDSHAKE_MAC_SM3
+    SSL_HANDSHAKE_MAC_SM3,
 #endif
 };

@@ -485,8 +485,7 @@ void ssl_load_ciphers(void)
 #ifndef OPENSSL_NO_GMSSL
    ssl_cipher_methods[SSL_ENC_SM4_IDX] = EVP_get_cipherbyname(SN_sms4_cbc);
    ssl_digest_methods[SSL_MD_SM3_IDX] = EVP_get_digestbyname(SN_sm3);
-    ssl_mac_secret_size[SSL_MD_SM3_IDX] =
-        EVP_MD_size(ssl_digest_methods[SSL_MD_SM3_IDX]);
+    ssl_mac_secret_size[SSL_MD_SM3_IDX] = EVP_MD_size(ssl_digest_methods[SSL_MD_SM3_IDX]);
 #endif
 }

@@ -1746,6 +1745,10 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        ver = "SSLv3";
    else if (alg_ssl & SSL_TLSV1_2)
        ver = "TLSv1.2";
+#ifndef OPENSSL_NO_GMSSL
+	else if (alg_ssl & SSL_GMV1)
+		ver = "GMSSLv1.1";
+#endif
    else
        ver = "unknown";

@@ -1783,6 +1786,23 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
    case SSL_kGOST:
        kx = "GOST";
        break;
+#ifndef OPENSSL_NO_GMSSL
+    case SSL_kECDHE2:
+        kx = "ECDHE2";
+        break;
+    case SSL_kECC:
+        kx = "ECC";
+        break;
+    case SSL_kIBSDH:
+        kx = "IBSDH";
+        break;
+    case SSL_kIBC:
+        kx = "GOST";
+        break;
+    case SSL_kSM2:
+        kx = "SM2";
+        break;
+#endif
    default:
        kx = "unknown";
    }
@@ -1821,6 +1841,11 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
    case SSL_aGOST01:
        au = "GOST01";
        break;
+#ifndef OPENSSL_NO_GMSSL
+    case SSL_aSM2:
+        au = "SM2";
+        break;
+#endif
    default:
        au = "unknown";
        break;
@@ -1903,9 +1928,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        mac = "GOST94";
        break;
 #ifndef OPENSSL_NO_GMSSL
-	case SSL_SM3:
-		mac = "SM3";
-		break;
+    case SSL_SM3:
+        mac = "SM3";
+        break;
 #endif
    default:
        mac = "unknown";
@@ -1942,8 +1967,8 @@ char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
    else if (i == 2)
        return ("SSLv2");
 #ifndef OPENSSL_NO_GMSSL
-	else if (i == 1)
-		return ("GMSSLv1");
+    else if (i == 1)
+        return ("GMSSLv1");
 #endif
    else
        return ("unknown");
@@ -2085,6 +2110,7 @@ const char *SSL_COMP_get_name(const COMP_METHOD *comp)
 }
 #endif
 /* For a cipher return the index corresponding to the certificate type */
+//FIXME: GMSSL: do we need change this?
 int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
 {
    unsigned long alg_k, alg_a;
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -263,6 +263,7 @@ int SSL_clear(SSL *s)
 }

 /** Used to change an SSL_CTXs default SSL method type */
+//TODO: GMSSL
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
 {
    STACK_OF(SSL_CIPHER) *sk;
@@ -874,6 +875,7 @@ int SSL_pending(const SSL *s)
    return (s->method->ssl_pending(s));
 }

+//FIXME: GMSSL: do we need more API for GMSSLv1.1?
 X509 *SSL_get_peer_certificate(const SSL *s)
 {
    X509 *r;
@@ -891,6 +893,7 @@ X509 *SSL_get_peer_certificate(const SSL *s)
    return (r);
 }

+//FIXME: GMSSL: do we need more API for GMSSLv1.1?
 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
 {
    STACK_OF(X509) *r;
@@ -941,6 +944,7 @@ void SSL_copy_session_id(SSL *t, const SSL *f)
 }

 /* Fix this so it checks all the valid key/cert options */
+//FIXME: GMSSL: do we need more API for GMSSLv1.1?
 int SSL_CTX_check_private_key(const SSL_CTX *ctx)
 {
    if ((ctx == NULL) ||
@@ -959,6 +963,7 @@ int SSL_CTX_check_private_key(const SSL_CTX *ctx)
 }

 /* Fix this function so that it takes an optional type parameter */
+//FIXME: GMSSL: do we need more API for GMSSLv1.1?
 int SSL_check_private_key(const SSL *ssl)
 {
    if (ssl == NULL) {
@@ -1095,6 +1100,7 @@ int SSL_renegotiate_pending(SSL *s)
    return (s->renegotiate != 0);
 }

+//FIXME: GMSSL: add GMSSLv1.1 specific functions here?
 long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
 {
    long l;
@@ -1173,6 +1179,8 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
    return ctx->sessions;
 }

+//FIXME: GMSSL: add GMSSLv1.1 specific functions here?
+//The double cert should be added here, we might add the extra cert
 long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 {
    long l;
@@ -2842,6 +2850,10 @@ const char *SSL_get_version(const SSL *s)
        return ("DTLSv1");
    else if (s->version == DTLS1_2_VERSION)
        return ("DTLSv1.2");
+#ifndef OPENSSL_NO_GMSSL
+    else if (s->version == GM1_VERSION)
+        return ("GMSSLv1.1");
+#endif
    else
        return ("unknown");
 }
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -311,9 +311,21 @@
 /* PSK */
 # define SSL_kPSK                0x00000100L
 /* GOST key exchange */
-# define SSL_kGOST       0x00000200L
+# define SSL_kGOST               0x00000200L
 /* SRP */
-# define SSL_kSRP        0x00000400L
+# define SSL_kSRP                0x00000400L
+# ifndef OPENSSL_NO_GMSSL
+/* GM/T 0024 ECDHE */
+# define SSL_kECDHE2             0x00000800L
+/* GM/T 0024 ECC */
+# define SSL_kECC                0x00001000L
+/* GM/T 0024 IBSDH */
+# define SSL_kIBSDH              0x00002000L
+/* GM/T 0024 IBC */
+# define SSL_kIBC                0x00004000L
+/* sm2encrypt cert */
+# define SSL_kSM2                0x00008000L
+# endif

 /* Bits for algorithm_auth (server authentication) */
 /* RSA auth */
@@ -333,11 +345,16 @@
 /* PSK auth */
 # define SSL_aPSK                0x00000080L
 /* GOST R 34.10-94 signature auth */
-# define SSL_aGOST94                             0x00000100L
+# define SSL_aGOST94             0x00000100L
 /* GOST R 34.10-2001 signature auth */
-# define SSL_aGOST01                     0x00000200L
+# define SSL_aGOST01             0x00000200L
 /* SRP auth */
 # define SSL_aSRP                0x00000400L
+# ifndef OPENSSL_NO_GMSSL
+/* GM/T 0024 ECDHE, ECC, IBSDH, IBC */
+# define SSL_aSM2                0x00000800L
+# endif
+

 /* Bits for algorithm_enc (symmetric encryption) */
 # define SSL_DES                 0x00000001L
@@ -355,7 +372,8 @@
 # define SSL_AES128GCM           0x00001000L
 # define SSL_AES256GCM           0x00002000L
 # ifndef OPENSSL_NO_GMSSL
-#  define SSL_SM4                0x00004000L
+# define SSL_SM4                 0x00004000L
+# define SSL_SM1                 0x00008000L
 # endif

 # define SSL_AES                 (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
@@ -372,7 +390,7 @@
 /* Not a real MAC, just an indication it is part of cipher */
 # define SSL_AEAD                0x00000040L
 # ifndef OPENSSL_NO_GMSSL
-#  define SSL_SM3                 0x00000080L
+# define SSL_SM3                 0x00000080L
 # endif

 /* Bits for algorithm_ssl (protocol version) */
@@ -381,7 +399,7 @@
 # define SSL_TLSV1               SSL_SSLV3/* for now */
 # define SSL_TLSV1_2             0x00000004UL
 # ifndef OPENSSL_NO_GMSSL
-// #define SSL_GMV1              0x00000008UL
+# define SSL_GMV1                0x00000008UL
 # endif

 /* Bits for algorithm2 (handshake digests and other extra flags) */
@@ -391,9 +409,9 @@
 # define SSL_HANDSHAKE_MAC_GOST94 0x40
 # define SSL_HANDSHAKE_MAC_SHA256 0x80
 # define SSL_HANDSHAKE_MAC_SHA384 0x100
-#ifndef OPENSSL_NO_GMSSL
+# ifndef OPENSSL_NO_GMSSL
 # define SSL_HANDSHAKE_MAC_SM3 0x200
-#endif
+# endif
 # define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)

 /*
@@ -516,7 +534,12 @@
 # define SSL_PKEY_ECC            5
 # define SSL_PKEY_GOST94         6
 # define SSL_PKEY_GOST01         7
+# ifndef OPENSSL_NO_GMSSL
+# define SSL_PKEY_SM9            8
+# define SSL_PKEY_NUM            9
+# else
 # define SSL_PKEY_NUM            8
+# endif

 /*-
 * SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
@@ -863,14 +886,17 @@ extern SSL3_ENC_METHOD TLSv1_2_enc_data;
 extern SSL3_ENC_METHOD SSLv3_enc_data;
 extern SSL3_ENC_METHOD DTLSv1_enc_data;
 extern SSL3_ENC_METHOD DTLSv1_2_enc_data;
+# ifndef OPENSSL_NO_GMSSL
+extern SSL3_ENC_METHOD GMSSLv1_enc_data;
+# endif

-#ifndef OPENSSL_NO_GMSSL
-#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
-                                s_get_meth, enc_data) \
+# ifndef OPENSSL_NO_GMSSL
+# define IMPLEMENT_gm1_meth_func(func_name, s_accept, s_connect, \
+                                 s_get_meth) \
 const SSL_METHOD *func_name(void)  \
        { \
        static const SSL_METHOD func_name##_data= { \
-                version, \
+                GM1_VERSION, \
                tls1_new, \
                tls1_clear, \
                tls1_free, \
@@ -891,18 +917,18 @@ const SSL_METHOD *func_name(void)  \
                ssl3_get_cipher_by_char, \
                ssl3_put_cipher_by_char, \
                ssl3_pending, \
-                ssl3_num_ciphers, \
-                ssl3_get_cipher, \
+                gm1_num_ciphers, \
+                gm1_get_cipher, \
                s_get_meth, \
                tls1_default_timeout, \
-                &enc_data, \
+                &GMSSLv1_enc_data, \
                ssl_undefined_void_function, \
                ssl3_callback_ctrl, \
                ssl3_ctx_callback_ctrl, \
        }; \
        return &func_name##_data; \
        }
-#endif
+# endif /* GMSSL */

 # define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
                                s_get_meth, enc_data) \
@@ -1359,6 +1385,11 @@ void tls1_clear(SSL *s);
 long tls1_ctrl(SSL *s, int cmd, long larg, void *parg);
 long tls1_callback_ctrl(SSL *s, int cmd, void (*fp) (void));

+# ifndef OPENSSL_NO_GMSSL
+int gm1_num_ciphers(void);
+const SSL_CIPHER *gm1_get_cipher(unsigned int u);
+# endif
+
 int dtls1_new(SSL *s);
 int dtls1_accept(SSL *s);
 int dtls1_connect(SSL *s);
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -448,8 +448,8 @@ int ssl_get_new_session(SSL *s, int session)
            ss->ssl_version = DTLS1_2_VERSION;
            ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
 #ifndef OPENSSL_NO_GMSSL
-        } else if (s->version == GMSSL1_1_VERSION) {
-            ss->ssl_version = GMSSL1_1_VERSION;
+        } else if (s->version == GM1_VERSION) {
+            ss->ssl_version = GM1_VERSION;
            ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
 #endif
        } else {
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -129,7 +129,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
    else if (x->ssl_version == DTLS1_BAD_VER)
        s = "DTLSv1-bad";
 #ifndef OPENSSL_NO_GMSSL
-    else if (x->ssl_version == GMSSL1_1_VERSION)
+    else if (x->ssl_version == GM1_VERSION)
        s = "GMSSLv1.1";
 #endif
    else