diff --git a/crypto/ffx/Makefile b/crypto/ffx/Makefile
new file mode 100644
index 00000000..bcbf92a2
--- /dev/null
+++ b/crypto/ffx/Makefile
@@ -0,0 +1,76 @@
+#
+# OpenSSL/crypto/ffx/Makefile
+#
+
+DIR= ffx
+TOP= ../..
+CC= cc
+INCLUDES=
+CFLAG=-g
+MAKEFILE= Makefile
+AR= ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=ffx.c
+LIBOBJ=ffx.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= ffx.h
+HEADER= ../../include/openssl/modes.h $(EXHEADER)
+
+ALL= $(GENERAL) $(SRC) $(HEADER)
+
+top:
+ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all: lib
+
+lib: $(LIBOBJ)
+ $(AR) $(LIB) $(LIBOBJ)
+ $(RANLIB) $(LIB) || echo Never mind.
+ @touch lib
+
+files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+links:
+ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
+ do \
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+
+tags:
+ ctags $(SRC)
+
+tests:
+
+lint:
+ lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
+ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+ mv -f Makefile.new $(MAKEFILE)
+
+clean:
+ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
diff --git a/crypto/ffx/ffx.c b/crypto/ffx/ffx.c
new file mode 100644
index 00000000..0b332af2
--- /dev/null
+++ b/crypto/ffx/ffx.c
@@ -0,0 +1,347 @@ +/* ==================================================================== + * Copyright (c) 2015 The GmSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the GmSSL Project. + * (http://gmssl.org/)" + * + * 4. The name "GmSSL Project" must not be used to endorse or promote + * products derived from this software without prior written + * permission. For written permission, please contact + * guanzhi1980@gmail.com. + * + * 5. Products derived from this software may not be called "GmSSL" + * nor may "GmSSL" appear in their names without prior written + * permission of the GmSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the GmSSL Project + * (http://gmssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE GmSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + */ +/* + * Format-Preserve Encryption + * implementation of NIST 800-38G FF1 schemes + * + * FPE is used to encrypt strings such as credit card numbers and phone numbers + * the ciphertext is still in valid format, for example: + * FPE_encrypt("13810631266") == "98723498792" + * the output is still 11 digits + */ + + +#include +#include +#include +#include +#include +#include +#include +#include "ffx.h" + +#define FFX_MIN_DIGITS 6 +#define FFX_MAX_DIGITS 18 +#define FFX_MIN_TWEAKLEN 4 +#define FFX_MAX_TWEAKLEN 11 +#define FFX_NUM_ROUNDS 10 + + +static uint32_t modulo[] = { + 1, + 10, + 100, + 1000, + 10000, + 100000, + 1000000, + 10000000, + 100000000, + 1000000000, + 1000000000, +}; + +int FFX_init(FFX_CTX *ctx, int flag, const unsigned char *key, int keybits) +{ + ctx->flag = flag; + + if (AES_set_encrypt_key(key, keybits, &ctx->key) < 0) { + fprintf(stderr, "error: %s: %s: %d\n", __FUNCTION__, __FILE__, __LINE__); + return -1; + } + + return 0; +} + +void FFX_cleanup(FFX_CTX *ctx) +{ + memset(ctx, 0, sizeof(*ctx)); +} + +int FFX_encrypt(FFX_CTX *ctx, const char *in, size_t inlen, + const unsigned char *tweak, size_t tweaklen, char *out) +{ + int llen, rlen; + uint32_t lval, rval; + unsigned char pblock[16] = { + 0x01, 0x02, 0x01, 0x0a, 0x00, 0x00, 0x0a, 0xff, + 0xff, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00}; + unsigned char qblock[16]; + char 
lbuf[FFX_MAX_DIGITS/2 + 2]; + uint64_t yval; + int i; + + assert(out); + assert(in); + assert(tweak); + + if (inlen > strlen(in) || + inlen < FFX_MIN_DIGITS || inlen > FFX_MAX_DIGITS) { + fprintf(stderr, "%s: invalid digits length\n", __FUNCTION__); + return -1; + } + for (i = 0; i < inlen; i++) { + if (!isdigit(in[i])) { + fprintf(stderr, "%s: invalid digits format\n", __FUNCTION__); + return -1; + } + } + llen = inlen / 2; + rlen = inlen - llen; + + + if (tweaklen < FFX_MIN_TWEAKLEN || tweaklen > FFX_MAX_TWEAKLEN) { + fprintf(stderr, "%s: invalid tweak length\n", __FUNCTION__); + return -1; + } + + memcpy(lbuf, in, llen); + lbuf[llen] = 0; + lval = atoi(lbuf); + rval = atoi(in + llen); + + pblock[7] = llen & 0xff; + pblock[8] = inlen & 0xff; + pblock[12] = tweaklen & 0xff; + + AES_encrypt(pblock, pblock, &ctx->key); + + memset(qblock, 0, sizeof(qblock)); + memcpy(qblock, tweak, tweaklen); + + for (i = 0; i < FFX_NUM_ROUNDS; i += 2) { + + unsigned char rblock[16]; + int j; + + qblock[11] = i & 0xff; + memcpy(qblock + 12, &rval, sizeof(rval)); + for (j = 0; j < sizeof(rblock); j++) { + rblock[j] = pblock[j] ^ qblock[j]; + } + AES_encrypt(rblock, rblock, &ctx->key); + yval = *((uint64_t *)rblock) % modulo[llen]; + lval = (lval + yval) % modulo[llen]; + + qblock[11] = (i + 1) & 0xff; + memcpy(qblock + 12, &lval, sizeof(lval)); + for (j = 0; j < sizeof(rblock); j++) { + rblock[j] = pblock[j] ^ qblock[j]; + } + AES_encrypt(rblock, rblock, &ctx->key); + yval = *((uint64_t *)rblock) % modulo[rlen]; + rval = (rval + yval) % modulo[rlen]; + } + + memset(out, '0', inlen); + sprintf(lbuf, "%d", rval); + memcpy(out + rlen - strlen(lbuf), lbuf, strlen(lbuf)); + sprintf(lbuf, "%d", lval); + strcpy(out + inlen - strlen(lbuf), lbuf); + + return 0; +} + +int FFX_decrypt(FFX_CTX *ctx, const char *in, size_t inlen, + const unsigned char *tweak, size_t tweaklen, char *out) +{ + int llen, rlen; + uint32_t lval, rval; + unsigned char pblock[16] = { + 0x01, 0x02, 0x01, 0x0a, 0x00, 0x00, 
0x0a, 0xff, + 0xff, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00}; + unsigned char qblock[16]; + char lbuf[FFX_MAX_DIGITS/2 + 2]; + uint64_t yval; + int i; + + assert(out); + assert(in); + assert(tweak); + + if (inlen > strlen(in) || + inlen < FFX_MIN_DIGITS || inlen > FFX_MAX_DIGITS) { + fprintf(stderr, "%s: invalid digits length\n", __FUNCTION__); + return -1; + } + for (i = 0; i < inlen; i++) { + if (!isdigit(in[i])) { + fprintf(stderr, "%s: invalid digits format\n", __FUNCTION__); + return -1; + } + } + rlen = inlen / 2; + llen = inlen - rlen; + + if (tweaklen < FFX_MIN_TWEAKLEN || tweaklen > FFX_MAX_TWEAKLEN) { + fprintf(stderr, "%s: invalid tweak length\n", __FUNCTION__); + return -1; + } + + memcpy(lbuf, in, llen); + lbuf[llen] = 0; + lval = atoi(lbuf); + rval = atoi(in + llen); + + pblock[7] = rlen & 0xff; + pblock[8] = inlen & 0xff; + pblock[12] = tweaklen & 0xff; + + AES_encrypt(pblock, pblock, &ctx->key); + + memset(qblock, 0, sizeof(qblock)); + memcpy(qblock, tweak, tweaklen); + + for (i = FFX_NUM_ROUNDS - 1; i > 0; i -= 2) { + + unsigned char rblock[16]; + int j; + + qblock[11] = i & 0xff; + memcpy(qblock + 12, &rval, sizeof(rval)); + for (j = 0; j < sizeof(rblock); j++) { + rblock[j] = pblock[j] ^ qblock[j]; + } + AES_encrypt(rblock, rblock, &ctx->key); + yval = *((uint64_t *)rblock) % modulo[llen]; + lval = (lval >= yval) ? (lval - yval) : lval + modulo[llen] - yval; + + qblock[11] = (i - 1) & 0xff; + memcpy(qblock + 12, &lval, sizeof(lval)); + for (j = 0; j < sizeof(rblock); j++) { + rblock[j] = pblock[j] ^ qblock[j]; + } + AES_encrypt(rblock, rblock, &ctx->key); + yval = *((uint64_t *)rblock) % modulo[rlen]; + rval = (rval >= yval) ? 
(rval - yval) : rval + modulo[rlen] - yval; + } + + memset(out, '0', inlen); + sprintf(lbuf, "%d", rval); + memcpy(out + rlen - strlen(lbuf), lbuf, strlen(lbuf)); + sprintf(lbuf, "%d", lval); + strcpy(out + inlen - strlen(lbuf), lbuf); + + return 0; +} + +static int test() +{ + char buf[100]; + char buf2[100]; + unsigned char key[32] = {0}; + unsigned char tweak[8] = { 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38 }; + FFX_CTX ctx; + int r; + + ERR_load_crypto_strings(); + + if (FFX_init(&ctx, 0, key, sizeof(key) * 8) < 0) { + ERR_print_errors_fp(stderr); + fprintf(stderr, "%s: %d\n", __FILE__, __LINE__); + return -1; + } + + char *in = "99999999999999999"; + r = FFX_encrypt(&ctx, in, strlen(in), tweak, sizeof(tweak), buf); + + if (r < 0) { + printf("failed\n"); + return -1; + } + + printf("%s\n", buf); + printf("\n"); + + r = FFX_decrypt(&ctx, buf, strlen(buf), tweak, sizeof(tweak), buf2); + printf("%s\n", buf2); + + return 0; +} + +static int luhn_table[10] = {0, 2, 4, 6, 8, 1, 3, 5, 7, 9}; + +/* + * 7992739871, checksum = 3 + */ + +int FFX_compute_luhn(const char *in, size_t inlen) +{ + int r = 0; + int i; + + for (i = inlen - 1; i >= 0; i--) { + int a; + if (!isdigit(in[i])) { + fprintf(stderr, "%s: invalid digit string\n", __FUNCTION__); + return -2; + } + a = in[i] - '0'; + if (i % 2 != inlen % 2) + a = luhn_table[a]; + r += a; + } + + r = ((r * 9) % 10) + '0'; + return r; +} + +#if 0 +int luhn_test() +{ + char *digits = "7992739871"; + int r = compute_luhn(digits, strlen(digits)); + printf("%c", r); + return 0; +} +#endif + + + diff --git a/crypto/ffx/ffx.h b/crypto/ffx/ffx.h new file mode 100644 index 00000000..6c3f9d84 --- /dev/null +++ b/crypto/ffx/ffx.h 
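Review bot: In FFX_encrypt and FFX_decrypt the right half is parsed with `rval = atoi(in + llen)`, which reads to the terminating NUL instead of stopping at `inlen`, while the guard only rejects `inlen > strlen(in)`; a caller that passes a longer digit string therefore gets a right half with more than `rlen` digits. In FFX_decrypt the round update never reduces `rval` modulo `modulo[rlen]`, so the final `out + rlen - strlen(lbuf)` can point before `out`; the parse should be bounded like the left half, e.g. `memcpy(rbuf, in + llen, rlen); rbuf[rlen] = 0; rval = atoi(rbuf);` with `rbuf` sized like `lbuf`. `FFX_cleanup` wipes the expanded AES key with plain `memset`, which a compiler may remove as a dead store; `OPENSSL_cleanse(ctx, sizeof(*ctx));` is the call for that. `*((uint64_t *)rblock)` and `memcpy(qblock + 12, &rval, sizeof(rval))` make the ciphertext depend on host byte order and alignment, and `isdigit(in[i])` needs an `(unsigned char)` cast. The header comment says NIST 800-38G FF1, but the round function shown (a single AES block over `pblock ^ qblock`) does not look like FF1's PRF, so I would not call the output FF1-conformant without the published test vectors.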
@@ -0,0 +1,79 @@ +/* crypto/ffx/ffx.h */ +/* ==================================================================== + * Copyright (c) 2015 The GmSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the GmSSL Project. + * (http://gmssl.org/)" + * + * 4. The name "GmSSL Project" must not be used to endorse or promote + * products derived from this software without prior written + * permission. For written permission, please contact + * guanzhi1980@gmail.com. + * + * 5. Products derived from this software may not be called "GmSSL" + * nor may "GmSSL" appear in their names without prior written + * permission of the GmSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the GmSSL Project + * (http://gmssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE GmSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + */ + +#ifndef HEADER_FFX_H +#define HEADER_FFX_H + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +typedef struct { + int flag; + AES_KEY key; +} FFX_CTX; + +int FFX_init(FFX_CTX *ctx, int flag, const unsigned char *key, int keybits); +void FFX_cleanup(FFX_CTX *ctx); +int FFX_encrypt(FFX_CTX *ctx, const char *in, size_t inlen, + const unsigned char *tweak, size_t tweaklen, char *out); +int FFX_decrypt(FFX_CTX *ctx, const char *in, size_t inlen, + const unsigned char *tweak, size_t tweaklen, char *out); +int FFX_compute_luhn(const char *in, size_t inlen); + +#ifdef __cplusplus +} +#endif +#endif + diff --git a/doc/gmssl/sm2.pdf b/doc/gmssl/sm2.pdf new file mode 100644 index 00000000..2b9b4616 Binary files /dev/null and b/doc/gmssl/sm2.pdf differ diff --git a/engines/skf/e_skf.c b/engines/e_skf.c similarity index 99% rename from engines/skf/e_skf.c rename to engines/e_skf.c index aef1fcf2..8c5e44eb 100644 --- a/engines/skf/e_skf.c +++ b/engines/e_skf.c @@ -5,11 +5,12 @@ #include #include #include +#include #include #include #include #include -#include +#include #include "skf.h" #include "e_skf_err.h" diff --git a/engines/skf/e_skf.ec b/engines/e_skf.ec similarity index 100% rename from engines/skf/e_skf.ec rename to engines/e_skf.ec 
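Review bot: The FFX prototypes are exported without stating the contract that ffx.c enforces or relies on: `in` must be 6 to 18 ASCII digits, `tweaklen` must be 4 to 11 bytes, and `out` must have room for `inlen + 1` bytes because the implementation finishes with a `strcpy` into `out`. I would add a comment block above `FFX_encrypt`/`FFX_decrypt` giving those limits and the `0`/`-1` return convention, and a comment on `FFX_CTX` saying that it holds an expanded AES key and must be passed to `FFX_cleanup` when done. `FFX_compute_luhn` should likewise document that it returns the check digit as an ASCII character and `-2` on a non-digit input.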
diff --git a/engines/skf/e_skf.h b/engines/e_skf.h similarity index 100% rename from engines/skf/e_skf.h rename to engines/e_skf.h diff --git a/engines/skf/e_skf_err.c b/engines/e_skf_err.c similarity index 100% rename from engines/skf/e_skf_err.c rename to engines/e_skf_err.c diff --git a/engines/skf/e_skf_err.h b/engines/e_skf_err.h similarity index 100% rename from engines/skf/e_skf_err.h rename to engines/e_skf_err.h diff --git a/engines/skf/skf.h b/engines/skf/skf.h index 53eaf8d5..c0d39e32 100644 --- a/engines/skf/skf.h +++ b/engines/skf/skf.h @@ -73,7 +73,7 @@ typedef HANDLE HCONTAINER; #endif #ifndef USER_TYPE -#define USER_TYPE 1 +#define USER_TYPE 1 #endif #define MAX_RSA_MODULUS_LEN 256 @@ -215,10 +215,10 @@ ULONG DEVAPI SKF_LockDev(DEVHANDLE hDev, ULONG ulTimeOut); ULONG DEVAPI SKF_UnlockDev(DEVHANDLE hDev); ULONG DEVAPI SKF_Transmit(DEVHANDLE hDev, - BYTE* pbCommand, + BYTE *pbCommand, ULONG ulCommandLen, - BYTE* pbData, - ULONG* pulDataLen); + BYTE *pbData, + ULONG *pulDataLen); ULONG DEVAPI SKF_ChangeDevAuthKey(DEVHANDLE hDev, BYTE *pbKeyValue, ULONG ulKeyLen); @@ -276,11 +276,11 @@ ULONG DEVAPI SKF_ReadFile(HAPPLICATION hApplication, LPSTR szFileName, ULONG ulOffset, ULONG ulSize, - BYTE * pbOutData, + BYTE *pbOutData, ULONG *pulOutLen); ULONG DEVAPI SKF_WriteFile(HAPPLICATION hApplication, LPSTR szFileName, - ULONG ulOffset, + ULONG ulOffset, BYTE *pbData, ULONG ulSize); @@ -300,11 +300,11 @@ ULONG DEVAPI SKF_GetContainerType(HCONTAINER hContainer, ULONG *pulContainerType); ULONG DEVAPI SKF_ImportCertificate(HCONTAINER hContainer, BOOL bSignFlag, - BYTE* pbCert, + BYTE *pbCert, ULONG ulCertLen); ULONG DEVAPI SKF_ExportCertificate(HCONTAINER hContainer, BOOL bSignFlag, - BYTE* pbCert, + BYTE *pbCert, ULONG *pulCertLen); ULONG DEVAPI SKF_GenRandom(DEVHANDLE hDev, 
@@ -324,33 +324,33 @@ ULONG DEVAPI SKF_ImportRSAKeyPair(HCONTAINER hContainer, ULONG ulEncryptedDataLen); ULONG DEVAPI SKF_RSASignData(HCONTAINER hContainer, BYTE *pbData, - ULONG ulDataLen, - BYTE *pbSignature, + ULONG ulDataLen, + BYTE *pbSignature, ULONG *pulSignLen); ULONG DEVAPI SKF_RSAVerify(DEVHANDLE hDev, - RSAPUBLICKEYBLOB* pRSAPubKeyBlob, - BYTE *pbData, - ULONG ulDataLen, + RSAPUBLICKEYBLOB *pRSAPubKeyBlob, + BYTE *pbData, + ULONG ulDataLen, BYTE *pbSignature, ULONG ulSignLen); ULONG DEVAPI SKF_RSAExportSessionKey(HCONTAINER hContainer, ULONG ulAlgId, RSAPUBLICKEYBLOB *pPubKey, BYTE *pbData, - ULONG *pulDataLen, + ULONG *pulDataLen, HANDLE *phSessionKey); ULONG DEVAPI SKF_ExtRSAPubKeyOperation(DEVHANDLE hDev, - RSAPUBLICKEYBLOB* pRSAPubKeyBlob, - BYTE* pbInput, + RSAPUBLICKEYBLOB *pRSAPubKeyBlob, + BYTE *pbInput, ULONG ulInputLen, - BYTE* pbOutput, - ULONG* pulOutputLen); + BYTE *pbOutput, + ULONG *pulOutputLen); ULONG DEVAPI SKF_ExtRSAPriKeyOperation(DEVHANDLE hDev, - RSAPRIVATEKEYBLOB* pRSAPriKeyBlob, - BYTE* pbInput, + RSAPRIVATEKEYBLOB *pRSAPriKeyBlob, + BYTE *pbInput, ULONG ulInputLen, - BYTE* pbOutput, - ULONG* pulOutputLen); + BYTE *pbOutput, + ULONG *pulOutputLen); ULONG DEVAPI SKF_GenECCKeyPair(HCONTAINER hContainer, ULONG ulAlgId, ECCPUBLICKEYBLOB *pBlob); @@ -358,13 +358,13 @@ ULONG DEVAPI SKF_ImportECCKeyPair(HCONTAINER hContainer, PENVELOPEDKEYBLOB pEnvelopedKeyBlob); ULONG DEVAPI SKF_ECCSignData(HCONTAINER hContainer, BYTE *pbData, - ULONG ulDataLen, + ULONG ulDataLen, PECCSIGNATUREBLOB pSignature); ULONG DEVAPI SKF_ECCVerify(DEVHANDLE hDev, ECCPUBLICKEYBLOB* pECCPubKeyBlob, BYTE *pbData, - ULONG ulDataLen, + ULONG ulDataLen, PECCSIGNATUREBLOB pSignature); ULONG DEVAPI SKF_ECCExportSessionKey(HCONTAINER hContainer, ULONG ulAlgId, 
@@ -372,61 +372,61 @@ ULONG DEVAPI SKF_ECCExportSessionKey(HCONTAINER hContainer, PECCCIPHERBLOB pData, HANDLE *phSessionKey); ULONG DEVAPI SKF_ExtECCEncrypt(DEVHANDLE hDev, - ECCPUBLICKEYBLOB* pECCPubKeyBlob, - BYTE* pbPlainText, - ULONG ulPlainTextLen, + ECCPUBLICKEYBLOB *pECCPubKeyBlob, + BYTE *pbPlainText, + ULONG ulPlainTextLen, PECCCIPHERBLOB pCipherText); ULONG DEVAPI SKF_ExtECCDecrypt(DEVHANDLE hDev, - ECCPRIVATEKEYBLOB* pECCPriKeyBlob, - PECCCIPHERBLOB pCipherText, - BYTE* pbPlainText, - ULONG* pulPlainTextLen); + ECCPRIVATEKEYBLOB *pECCPriKeyBlob, + PECCCIPHERBLOB pCipherText, + BYTE *pbPlainText, + ULONG *pulPlainTextLen); ULONG DEVAPI SKF_ExtECCSign(DEVHANDLE hDev, - ECCPRIVATEKEYBLOB* pECCPriKeyBlob, - BYTE* pbData, - ULONG ulDataLen, + ECCPRIVATEKEYBLOB *pECCPriKeyBlob, + BYTE *pbData, + ULONG ulDataLen, PECCSIGNATUREBLOB pSignature); ULONG DEVAPI SKF_ExtECCVerify(DEVHANDLE hDev, - ECCPUBLICKEYBLOB* pECCPubKeyBlob, - BYTE* pbData, - ULONG ulDataLen, + ECCPUBLICKEYBLOB *pECCPubKeyBlob, + BYTE *pbData, + ULONG ulDataLen, PECCSIGNATUREBLOB pSignature); ULONG DEVAPI SKF_GenerateAgreementDataWithECC(HCONTAINER hContainer, ULONG ulAlgId, - ECCPUBLICKEYBLOB* pTempECCPubKeyBlob, - BYTE* pbID, + ECCPUBLICKEYBLOB *pTempECCPubKeyBlob, + BYTE *pbID, ULONG ulIDLen, HANDLE *phAgreementHandle); ULONG DEVAPI SKF_GenerateAgreementDataAndKeyWithECC(HANDLE hContainer, ULONG ulAlgId, - ECCPUBLICKEYBLOB* pSponsorECCPubKeyBlob, - ECCPUBLICKEYBLOB* pSponsorTempECCPubKeyBlob, - ECCPUBLICKEYBLOB* pTempECCPubKeyBlob, - BYTE* pbID, - ULONG ulIDLen, - BYTE *pbSponsorID, + ECCPUBLICKEYBLOB *pSponsorECCPubKeyBlob, + ECCPUBLICKEYBLOB *pSponsorTempECCPubKeyBlob, + ECCPUBLICKEYBLOB *pTempECCPubKeyBlob, + BYTE *pbID, + ULONG ulIDLen, + BYTE *pbSponsorID, ULONG ulSponsorIDLen, HANDLE *phKeyHandle); ULONG DEVAPI SKF_GenerateKeyWithECC(HANDLE hAgreementHandle, - ECCPUBLICKEYBLOB* pECCPubKeyBlob, - ECCPUBLICKEYBLOB* pTempECCPubKeyBlob, - BYTE* pbID, - ULONG ulIDLen, + ECCPUBLICKEYBLOB 
*pECCPubKeyBlob, + ECCPUBLICKEYBLOB *pTempECCPubKeyBlob, + BYTE *pbID, + ULONG ulIDLen, HANDLE *phKeyHandle); ULONG DEVAPI SKF_ExportPublicKey(HCONTAINER hContainer, BOOL bSignFlag, - BYTE* pbBlob, - ULONG* pulBlobLen); + BYTE *pbBlob, + ULONG *pulBlobLen); ULONG DEVAPI SKF_ImportSessionKey(HCONTAINER hContainer, ULONG ulAlgId, BYTE *pbWrapedData, ULONG ulWrapedLen, HANDLE *phKey); ULONG DEVAPI SKF_SetSymmKey(DEVHANDLE hDev, - BYTE* pbKey, - ULONG ulAlgID, - HANDLE* phKey); -ULONG DEVAPI SKF_EncryptInit(HANDLE hKey, + BYTE *pbKey, + ULONG ulAlgID, + HANDLE *phKey); +ULONG DEVAPI SKF_EncryptInit(HANDLE hKey, BLOCKCIPHERPARAM EncryptParam); ULONG DEVAPI SKF_Encrypt(HANDLE hKey, BYTE *pbData, @@ -434,9 +434,9 @@ ULONG DEVAPI SKF_Encrypt(HANDLE hKey, BYTE *pbEncryptedData, ULONG *pulEncryptedLen); ULONG DEVAPI SKF_EncryptUpdate(HANDLE hKey, - BYTE * pbData, - ULONG ulDataLen, - BYTE *pbEncryptedData, + BYTE *pbData, + ULONG ulDataLen, + BYTE *pbEncryptedData, ULONG *pulEncryptedLen); ULONG DEVAPI SKF_EncryptFinal(HANDLE hKey, BYTE *pbEncryptedData, 
@@ -444,45 +444,45 @@ ULONG DEVAPI SKF_EncryptFinal(HANDLE hKey, ULONG DEVAPI SKF_DecryptInit(HANDLE hKey, BLOCKCIPHERPARAM DecryptParam); ULONG DEVAPI SKF_Decrypt(HANDLE hKey, - BYTE * pbEncryptedData, - ULONG ulEncryptedLen, - BYTE * pbData, - ULONG * pulDataLen); + BYTE *pbEncryptedData, + ULONG ulEncryptedLen, + BYTE *pbData, + ULONG *pulDataLen); ULONG DEVAPI SKF_DecryptUpdate(HANDLE hKey, - BYTE * pbEncryptedData, - ULONG ulEncryptedLen, - BYTE * pbData, - ULONG * pulDataLen); + BYTE *pbEncryptedData, + ULONG ulEncryptedLen, + BYTE *pbData, + ULONG *pulDataLen); ULONG DEVAPI SKF_DecryptFinal(HANDLE hKey, BYTE *pbDecryptedData, ULONG *pulDecryptedDataLen); ULONG DEVAPI SKF_DigestInit(DEVHANDLE hDev, ULONG ulAlgID, - ECCPUBLICKEYBLOB *pPubKey, - unsigned char *pucID, - ULONG ulIDLen, + ECCPUBLICKEYBLOB *pPubKey, + unsigned char *pucID, + ULONG ulIDLen, HANDLE *phHash); ULONG DEVAPI SKF_Digest(HANDLE hHash, BYTE *pbData, - ULONG ulDataLen, + ULONG ulDataLen, BYTE *pbHashData, ULONG *pulHashLen); ULONG DEVAPI SKF_DigestUpdate(HANDLE hHash, BYTE *pbData, - ULONG ulDataLen); + ULONG ulDataLen); ULONG DEVAPI SKF_DigestFinal(HANDLE hHash, BYTE *pHashData, - ULONG *pulHashLen); -ULONG DEVAPI SKF_MacInit(HANDLE hKey, - BLOCKCIPHERPARAM* pMacParam, + ULONG *pulHashLen); +ULONG DEVAPI SKF_MacInit(HANDLE hKey, + BLOCKCIPHERPARAM *pMacParam, HANDLE *phMac); ULONG DEVAPI SKF_Mac(HANDLE hMac, - BYTE* pbData, - ULONG ulDataLen, - BYTE *pbMacData, + BYTE *pbData, + ULONG ulDataLen, + BYTE *pbMacData, ULONG *pulMacLen); ULONG DEVAPI SKF_MacUpdate(HANDLE hMac, - BYTE * pbData, + BYTE *pbData, ULONG ulDataLen); ULONG DEVAPI SKF_MacFinal(HANDLE hMac, BYTE *pbMacData, diff --git a/engines/skf/skf_impl.c b/engines/skf/skf_impl.c index ba17ece5..704288f0 100644 --- a/engines/skf/skf_impl.c +++ b/engines/skf/skf_impl.c @@ -1,3 +1,4 @@ +#include #include #include "skf.h" 
diff --git a/engines/skf/skf_impl.o b/engines/skf/skf_impl.o new file mode 100644 index 00000000..890bb3e5 Binary files /dev/null and b/engines/skf/skf_impl.o differ diff --git a/ssl/gm_lib.c b/ssl/gm_lib.c index dba05bfa..563d9da8 100644 --- a/ssl/gm_lib.c +++ b/ssl/gm_lib.c @@ -59,6 +59,11 @@ #include #include +const char gmssl1_version_str[] - "GMSSLv1" OPENSSL_VERSION_PTEXT; + +#define GM1_NUM_CIPHERS (sizeof(gm1_ciphers)/sizeof(SSL_CIPHER)) + + SSL3_ENC_METHOD GMSSLv1_1_enc_data = { gmssl_enc, gmssl_mac, @@ -78,6 +83,12 @@ SSL3_ENC_METHOD GMSSLv1_1_enc_data = { ssl3_handshake_write }; + +/* + * ECDHE_XXX is the same as ECDHE_ECDSA_XXX in TLS + * ECC_XXX and RSA_XXX is similar with ECDH_ECDSA_XXX, ECDH_RSA_XXX, + * except that the ServerKeyExchange format is not null. + */ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { /* Cipher 1 */ @@ -85,15 +96,15 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { 1, GM1_TXT_ECDHE_SM1_SM3, GM1_CK_ECDHE_SM1_SM3, - SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ - SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_kEECDH, + SSL_aSM2, + SSL_SM1, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, /* Cipher 2 */ 
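Review bot: As shown in the first ssl/gm_lib.c hunk, the new declaration reads `const char gmssl1_version_str[] - "GMSSLv1" OPENSSL_VERSION_PTEXT;`, with `-` where the initializer needs `=`, which would not compile; it should be `const char gmssl1_version_str[] = "GMSSLv1" OPENSSL_VERSION_PTEXT;`. `GM1_NUM_CIPHERS` is defined in the same hunk but none of the visible hunks use it, so it is worth confirming that the cipher lookup code that needs it exists elsewhere in the file.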
@@ -101,15 +112,15 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { 1, GM1_TXT_ECC_SM1_SM3, GM1_CK_ECC_SM1_SM3, - SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ - SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_kECDHs, + SSL_aECDH, + SSL_SM1, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, /* Cipher 3 */ @@ -117,15 +128,15 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { 1, GM1_TXT_IBSDH_SM1_SM3, GM1_CK_IBSDH_SM1_SM3, - SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ - SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_kEECDH, + SSL_aSM9, + SSL_SM1, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, /* Cipher 4 */ 
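Review bot: The SM1 and SM4 variants of the same suite family end up with different key-exchange and authentication bits: Cipher 2 (`GM1_TXT_ECC_SM1_SM3`) is set to `SSL_kECDHs`/`SSL_aECDH` here, while Cipher 8 (`GM1_TXT_ECC_SM4_SM3`, hunk at -198) gets `SSL_kECDHe`/`SSL_aSM2`; Cipher 3 (IBSDH with SM1) gets `SSL_aSM9`, while Cipher 9 (IBSDH with SM4, hunk at -217) keeps `SSL_aSM2`. These fields feed cipher-list filtering and key/certificate selection, so two suites that differ only in the bulk cipher should presumably carry the same `algorithm_mkey` and `algorithm_auth` values. `SSL_kECDHs` and `SSL_aSM9` are not defined anywhere in this diff, so please confirm they exist in ssl_locl.h.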
@@ -133,15 +144,15 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { 1, GM1_TXT_IBC_SM1_SHA1, GM1_CK_IBC_SM1_SHA1, - SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ - SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_kECDHe, + SSL_aSM2, + SSL_SM1, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, /* Cipher 5 */ @@ -149,15 +160,15 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { 1, GM1_TXT_RSA_SM1_SM3, GM1_CK_RSA_SM1_SM3, - SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ - SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_kEECDH, + SSL_aSM2, + SSL_SM1, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, /* Cipher 6 */ 
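Review bot: Several entries carry algorithm fields that contradict the suite name: Cipher 4 (`GM1_TXT_IBC_SM1_SHA1`), Cipher 6 (`GM1_TXT_RSA_SM1_SHA1`, hunk at -165) and Cipher 12 (`GM1_CK_RSA_SM4_SHA1`, hunk at -266) all set the MAC to `SSL_SM3`, and the RSA-named Ciphers 5, 6 and 12 keep `SSL_kEECDH`/`SSL_aSM2` while Cipher 11 (`GM1_TXT_RSA_SM4_SM3`) is changed to `SSL_kRSA`/`SSL_aRSA`. A peer that implements a suite according to its name would compute a different MAC and key exchange, and cipher-string policies that exclude SHA1 or select by key exchange would match the wrong entries. For the SHA1 suites the MAC field should be `SSL_SHA1`, and the RSA suites should use `SSL_kRSA, SSL_aRSA` as Cipher 11 now does. All twelve entries are also marked `SSL_HIGH` with 128/128 bits; that is worth a short comment giving the basis for the SM1 entries.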
@@ -165,15 +176,15 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { 1, GM1_TXT_RSA_SM1_SHA1, GM1_CK_RSA_SM1_SHA1, - SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ - SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_kEECDH, + SSL_aSM2, + SSL_SM1, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, @@ -182,15 +193,15 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { 1, GM1_TXT_ECDHE_SM4_SM3, GM1_CK_ECDHE_SM4_SM3, - SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ - SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_kEECDH, + SSL_aSM2, + SSL_SM4, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, /* Cipher 8 */ 
@@ -198,15 +209,15 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { 1, GM1_TXT_ECC_SM4_SM3, GM1_CK_ECC_SM4_SM3, - SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ + SSL_kECDHe, SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_SM4, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, @@ -217,13 +228,13 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { GM1_CK_IBSDH_SM4_SM3, SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_SM4, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, /* Cipher 10 */ 
@@ -231,32 +242,31 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { 1, GM1_TXT_IBC_SM4_SM3, GM1_CK_IBC_SM4_SM3, - SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ + SSL_kECDHe, /* fixed ECDH key exchange algorithm bits */ SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_SM4, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, - /* Cipher 11 */ { 1, GM1_TXT_RSA_SM4_SM3, GM1_CK_RSA_SM4_SM3, - SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ - SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_kRSA, + SSL_aRSA, + SSL_SM4, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, /* Cipher 12 */ @@ -266,16 +276,14 @@ OPENSSL_GLOBAL SSL_CIPHER gm1_ciphers[] = { GM1_CK_RSA_SM4_SHA1, SSL_kEECDH, /* ephemeral ECDH key exchange algorithm bits */ SSL_aSM2, /* auth algor bits */ - SSL_SM1, /* symmetric encryption */ - SSL_SM3, /* symmetric authentication */ - SSL_GMV1_1, /* (major) protocol version */ - SSL_NOT_EXP | SSL_STRONG_NONE, /* strength and export flags */ - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, /* extra flags */ - 0, /* number of bits really used */ - 0, /* number of bits for algorithm */ + SSL_SM4, + SSL_SM3, + SSL_GMV1, + SSL_NOT_EXP | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, }; - - 
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index 999cb923..45fc7dec 100644 --- a/ssl/ssl_algs.c +++ b/ssl/ssl_algs.c @@ -61,7 +61,7 @@ #include #include "ssl_locl.h" -static int _SSL_library_init(void) +int SSL_library_init(void) { #ifndef OPENSSL_NO_DES @@ -137,6 +137,10 @@ static int _SSL_library_init(void) #ifndef OPENSSL_NO_ECDSA EVP_add_digest(EVP_ecdsa()); #endif +#ifndef OPENSSL_NO_GMSSL + EVP_add_cipher(EVP_sms4_cbc()); + EVP_add_digest(EVP_sm3()); +#endif /* If you want support for phased out ciphers, add the following */ #if 0 @@ -155,11 +159,3 @@ static int _SSL_library_init(void) return (1); } -int SSL_library_init(void) -{ - - EVP_add_cipher(EVP_sms4_cbc()); - EVP_add_digest(EVP_sm3()); - - return _SSL_library_init(); -} diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 13b2841f..cddc7cf1 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -214,11 +214,17 @@ static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = { */ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = { EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef, - EVP_PKEY_HMAC, EVP_PKEY_HMAC + EVP_PKEY_HMAC, EVP_PKEY_HMAC, +#ifndef OPENSSL_NO_GMSSL + EVP_PKEY_HMAC +#endif }; static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = { - 0, 0, 0, 0, 0, 0 + 0, 0, 0, 0, 0, 0, +#ifndef OPENSSL_NO_GMSSL + 0 +#endif }; static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX] = { @@ -477,10 +483,11 @@ void ssl_load_ciphers(void) EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]); #ifndef OPENSSL_NO_GMSSL - ssl_cipher_methods[SSL_ENC_SM4_IDX] = EVP_get_cipherbyname(SN_sms4_cbc); - ssl_digest_methods[SSL_MD_SM3_IDX] = EVP_get_digestbyname(SN_sm3); + ssl_cipher_methods[SSL_ENC_SM4_IDX] = EVP_get_cipherbyname(SN_sms4_cbc); + ssl_digest_methods[SSL_MD_SM3_IDX] = EVP_get_digestbyname(SN_sm3); + ssl_mac_secret_size[SSL_MD_SM3_IDX] = + EVP_MD_size(ssl_digest_methods[SSL_MD_SM3_IDX]); #endif - } #ifndef OPENSSL_NO_COMP 
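Review bot: In the ssl_load_ciphers hunk, the result of `EVP_get_digestbyname(SN_sm3)` is passed straight to `EVP_MD_size()` with no NULL check. If SM3 has not been registered the lookup returns NULL, and depending on the EVP_MD_size implementation the call either dereferences NULL or stores a negative value in `ssl_mac_secret_size[SSL_MD_SM3_IDX]`. Guard the assignment with `if (ssl_digest_methods[SSL_MD_SM3_IDX] != NULL)` and leave the size at its initial 0 otherwise. The function body starts outside the hunk.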
@@ -604,9 +611,9 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, i = SSL_ENC_AES256GCM_IDX; break; #ifndef OPENSSL_NO_GMSSL - case SSL_SM4: - i = SSL_ENC_SM4_IDX; - break; + case SSL_SM4: + i = SSL_ENC_SM4_IDX; + break; #endif default: i = -1; @@ -642,9 +649,9 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, i = SSL_MD_GOST89MAC_IDX; break; #ifndef OPENSSL_NO_GMSSL - case SSL_SM3: - i = SSL_MD_SM3_IDX; - break; + case SSL_SM3: + i = SSL_MD_SM3_IDX; + break; #endif default: i = -1; @@ -701,10 +708,10 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256"))) *enc = evp, *md = NULL; #ifndef OPENSSL_NO_GMSSL - else if (c->algorithm_enc == SSL_SM4 && - c->algorithm_mac == SSL_SM3 && - (evp = EVP_get_cipherbyname("SM4-CBC-HMAC_SM3"))) - *enc = evp, *md = NULL; + else if (c->algorithm_enc == SSL_SM4 && + c->algorithm_mac == SSL_SM3 && + (evp = EVP_get_cipherbyname("SM4-CBC-HMAC-SM3"))) + *enc = evp, *md = NULL; #endif return (1); } else diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 074aefeb..9c694de3 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -354,9 +354,9 @@ # define SSL_SEED 0x00000800L # define SSL_AES128GCM 0x00001000L # define SSL_AES256GCM 0x00002000L -#ifndef OPENSSL_NO_GMSSL -# define SSL_SM4 0x00004000L -#endif +# ifndef OPENSSL_NO_GMSSL +# define SSL_SM4 0x00004000L +# endif # define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM) # define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) 
@@ -371,15 +371,18 @@ # define SSL_SHA384 0x00000020L /* Not a real MAC, just an indication it is part of cipher */ # define SSL_AEAD 0x00000040L -#ifndef OPENSSL_NO_GMSSL -# define SSL_SM3 0x00000080L -#endif +# ifndef OPENSSL_NO_GMSSL +# define SSL_SM3 0x00000080L +# endif /* Bits for algorithm_ssl (protocol version) */ # define SSL_SSLV2 0x00000001UL # define SSL_SSLV3 0x00000002UL # define SSL_TLSV1 SSL_SSLV3/* for now */ # define SSL_TLSV1_2 0x00000004UL +# ifndef OPENSSL_NO_GMSSL +// #define SSL_GMV1 0x00000008UL +# endif /* Bits for algorithm2 (handshake digests and other extra flags) */ diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 07e7379a..aa021444 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -447,6 +447,12 @@ int ssl_get_new_session(SSL *s, int session) } else if (s->version == DTLS1_2_VERSION) { ss->ssl_version = DTLS1_2_VERSION; ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; +#ifndef OPENSSL_NO_GMSSL + } else if (s->version == GMSSL1_1_VERSION) { + ss->ssl_version = GMSSL1_1_VERSION; + ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; + } +#endif } else { SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_UNSUPPORTED_SSL_VERSION); SSL_SESSION_free(ss); diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c index 1343d021..3507cb5c 100644 --- a/ssl/ssl_stat.c +++ b/ssl/ssl_stat.c @@ -951,6 +951,26 @@ const char *SSL_alert_desc_string(int value) case TLS1_AD_UNKNOWN_PSK_IDENTITY: str = "UP"; break; +#ifndef OPENSSL_NO_GMSSL + case GM1_AD_UNSUPPORTED_SITE2SITE: + str = "U2"; + break; + case GM1_AD_NO_AREA: + str = "NA"; + break; + case GM1_AD_UNSUPPORTED_AREATYPE: + str = "AT"; + break; + case GM1_AD_BAD_IBCPARAM: + str = "BI"; + break; + case GM1_AD_UNSUPPORTED_IBCPARAM: + str = "UI"; + break; + case GM1_AD_IDENTITY_NEED: + str = "IN"; + break; +#endif default: str = "UK"; break; 
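Review bot: The added `# ifndef OPENSSL_NO_GMSSL` block under the protocol-version bits contains only a commented-out `// #define SSL_GMV1 0x00000008UL`, yet the gm1_ciphers[] hunks in this same commit switch every entry to `SSL_GMV1`. Unless SSL_GMV1 is defined in a header not shown here, the cipher table will not compile. Either enable the line as `# define SSL_GMV1 0x00000008UL`, or drop the empty conditional and leave a `/* SSL_GMV1 is defined in ... */` comment naming the header that owns it. The `//` comment also departs from the `/* */` style used throughout this header.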
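Review bot: The added GMSSL branch in ssl_get_new_session ends with a `}` just before `#endif`, and the next context line is `} else {`, so with GMSSL enabled the chain has one closing brace too many. That either breaks the build or re-attaches the `SSL_R_UNSUPPORTED_SSL_VERSION` error branch to an enclosing `if`; the enclosing structure is outside the hunk, so which one applies cannot be confirmed from here. Delete the lone `}` line so the added block ends with `ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;` followed by `#endif`, and let the existing `} else {` close the branch.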
@@ -1054,24 +1074,24 @@ const char *SSL_alert_desc_string_long(int value) str = "unknown PSK identity"; break; #ifndef OPENSSL_NO_GMSSL - case GM1_AD_UNSUPPORTED_SITE2SITE: - str = "unsupported site2site"; - break; - case GM1_AD_NO_AREA: - str = "no area"; - break; - case GM1_AD_UNSUPPORTED_AREATYPE: - str = "unsupported areatype"; - break; - case GM1_AD_BAD_IBCPARAM: - str = "bad ibc parameters"; - break; - case GM1_AD_UNSUPPORTED_IBCPARAM: - str = "unsupported ibcparam"; - break; - case GM1_AD_IDENTITY_NEED: - str = "identity need"; - break; + case GM1_AD_UNSUPPORTED_SITE2SITE: + str = "unsupported site2site"; + break; + case GM1_AD_NO_AREA: + str = "no area"; + break; + case GM1_AD_UNSUPPORTED_AREATYPE: + str = "unsupported areatype"; + break; + case GM1_AD_BAD_IBCPARAM: + str = "bad ibc parameters"; + break; + case GM1_AD_UNSUPPORTED_IBCPARAM: + str = "unsupported ibc parameters"; + break; + case GM1_AD_IDENTITY_NEED: + str = "identity need"; + break; #endif default: str = "unknown"; diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 331bde8c..9a8a93ae 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -129,8 +129,8 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) else if (x->ssl_version == DTLS1_BAD_VER) s = "DTLSv1-bad"; #ifndef OPENSSL_NO_GMSSL - else if (x->ssl_version == GMSSL1_1_VERSION) - s = "GMSSLv1.1"; + else if (x->ssl_version == GMSSL1_1_VERSION) + s = "GMSSLv1.1"; #endif else s = "unknown";