update ssl

This commit is contained in:
Zhi Guan
2017-11-29 20:01:07 +08:00
parent d249929e81
commit 7be7ce60dc
4 changed files with 47 additions and 33 deletions


@@ -840,13 +840,19 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
/* output the first certificate, for GMTLS it is sign cert */ /* output the first certificate, for GMTLS it is sign cert */
if (chain_count) { if (chain_count) {
x = sk_X509_value(chain, 0); x = sk_X509_value(chain, 0);
if (SSL_IS_GMTLS(s)) {
if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
X509_STORE_CTX_free(xs_ctx);
return 0;
}
}
if (!ssl_add_cert_to_buf(buf, l, x)) { if (!ssl_add_cert_to_buf(buf, l, x)) {
X509_STORE_CTX_free(xs_ctx);
return 0; return 0;
} }
} }
if (s->version == GMTLS_VERSION) { if (SSL_IS_GMTLS(s)) {
/* 我们还应该检查cpk的类型 */ x = s->cert->pkeys[SSL_PKEY_SM2_ENC].x509;
x = s->cert->pkeys[SSL_PKEY_SM2_ENC].x509;
if (!ssl_add_cert_to_buf(buf, l, x)) { if (!ssl_add_cert_to_buf(buf, l, x)) {
return 0; return 0;
} }
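Review bot: The SM2_ENC branch at the end of the hunk still returns 0 without releasing xs_ctx, while the failure path this commit adds for the first certificate now frees it; if xs_ctx is live at that point, as the added free suggests, the encryption-cert path leaks it. The certificate taken from `s->cert->pkeys[SSL_PKEY_SM2_ENC].x509` is also handed to ssl_add_cert_to_buf with no NULL check and, unlike the signing certificate just above, no keyUsage check, so a server configured without an encryption certificate, or with one whose keyUsage has no encipherment bit, is not rejected here. Neither new failure path pushes an SSLerr, so the caller gets a bare 0 with an empty error queue. ssl_add_cert_chain begins and ends outside this hunk.
```c
    if (SSL_IS_GMTLS(s)) {
        x = s->cert->pkeys[SSL_PKEY_SM2_ENC].x509;
        /* mirror the digitalSignature check on the signing cert above */
        if (x == NULL
            || !(X509_get_key_usage(x)
                 & (X509v3_KU_KEY_ENCIPHERMENT | X509v3_KU_DATA_ENCIPHERMENT))
            || !ssl_add_cert_to_buf(buf, l, x)) {
            X509_STORE_CTX_free(xs_ctx);
            return 0;
        }
```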


@@ -2642,7 +2642,7 @@ void ssl_set_masks(SSL *s)
X509 *x = NULL; X509 *x = NULL;
#endif #endif
#ifndef OPENSSL_NO_SM2 #ifndef OPENSSL_NO_SM2
int have_sm2_cert, sm2sign_ok; int sm2_enc, sm2_sign;
#endif #endif
if (c == NULL) if (c == NULL)
return; return;
@@ -2660,7 +2660,8 @@ void ssl_set_masks(SSL *s)
have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
#endif #endif
#ifndef OPENSSL_NO_SM2 #ifndef OPENSSL_NO_SM2
have_sm2_cert = pvalid[SSL_PKEY_SM2_ENC] & CERT_PKEY_VALID; sm2_enc = pvalid[SSL_PKEY_SM2_ENC] & CERT_PKEY_VALID;
sm2_sign = pvalid[SSL_PKEY_SM2_SIGN] & CERT_PKEY_SIGN;
#endif #endif
mask_k = 0; mask_k = 0;
mask_a = 0; mask_a = 0;
@@ -2725,10 +2726,15 @@ fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
} }
#endif #endif
#ifndef OPENSSL_NO_SM2 #ifndef OPENSSL_NO_SM2
//这个现在不好用啊! if (sm2_enc) {
if (have_sm2_cert) { mask_k |= SSL_kSM2;
}
if (sm2_sign) {
mask_a |= SSL_aSM2;
}
/*
{
uint32_t ex_kusage; uint32_t ex_kusage;
fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
cpk = &c->pkeys[SSL_PKEY_SM2_SIGN]; cpk = &c->pkeys[SSL_PKEY_SM2_SIGN];
x = cpk->x509; x = cpk->x509;
OPENSSL_assert(x); OPENSSL_assert(x);
@@ -2739,6 +2745,7 @@ fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
if (sm2sign_ok) if (sm2sign_ok)
mask_a |= SSL_aSM2; mask_a |= SSL_aSM2;
} }
*/
#endif #endif
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
@@ -2886,8 +2893,10 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher,
idx = SSL_PKEY_ECC; idx = SSL_PKEY_ECC;
#ifndef OPENSSL_NO_SM2 #ifndef OPENSSL_NO_SM2
else if ((alg_a & SSL_aSM2) && else if ((alg_a & SSL_aSM2) &&
(c->pkeys[SSL_PKEY_SM2_SIGN].privatekey != NULL)) (c->pkeys[SSL_PKEY_SM2_SIGN].privatekey != NULL)) {
idx = SSL_PKEY_SM2_SIGN; idx = SSL_PKEY_SM2_SIGN;
fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
}
#endif #endif
if (idx == -1) { if (idx == -1) {
SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR);
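Review bot: The new `sm2_sign = pvalid[SSL_PKEY_SM2_SIGN] & CERT_PKEY_SIGN;` in ssl_set_masks and the `c->pkeys[SSL_PKEY_SM2_SIGN]` lookup in ssl_get_sign_pkey use an index that the header hunk of this same commit no longer defines: slot 7 is now `SSL_PKEY_SM2` and slot 8 `SSL_PKEY_SM2_ENC`, and the new ssl_cert_type_ecc files signing certificates under `SSL_PKEY_SM2`. Unless SSL_PKEY_SM2_SIGN is still defined somewhere not shown this does not build, and if it survives as an alias for 8 it would select the encryption certificate for signing. Both sites should read `sm2_sign = pvalid[SSL_PKEY_SM2] & CERT_PKEY_SIGN;` and `(c->pkeys[SSL_PKEY_SM2].privatekey != NULL)) {` followed by `idx = SSL_PKEY_SM2;`. The `fprintf(stderr, "%s %d\n", __FILE__, __LINE__);` added to ssl_get_sign_pkey is debug output that should not ship in a library, and the old keyUsage logic is better deleted than kept inside a `/* ... */` block. Both functions start and end outside the hunks shown.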


@@ -425,8 +425,8 @@
# define SSL_PKEY_GOST01 4 # define SSL_PKEY_GOST01 4
# define SSL_PKEY_GOST12_256 5 # define SSL_PKEY_GOST12_256 5
# define SSL_PKEY_GOST12_512 6 # define SSL_PKEY_GOST12_512 6
# define SSL_PKEY_SM2_ENC 7 # define SSL_PKEY_SM2 7
# define SSL_PKEY_SM2_SIGN 8 # define SSL_PKEY_SM2_ENC 8
# define SSL_PKEY_SM9_SIGN 9 # define SSL_PKEY_SM9_SIGN 9
# define SSL_PKEY_NUM 10 # define SSL_PKEY_NUM 10
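Review bot: Now that the encryption key is also SM2, the bare name `SSL_PKEY_SM2` no longer says which of the two GMTLS certificates slot 7 holds, and moving `SSL_PKEY_SM2_ENC` from 7 to 8 silently changes what any unconverted index-7 access into pkeys/pvalid means. A comment on the pair would make the split explicit, e.g. `/* GMTLS double certificates: SSL_PKEY_SM2 is the SM2 signing cert/key (digitalSignature), SSL_PKEY_SM2_ENC the SM2 encryption cert/key */`.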


@@ -22,9 +22,7 @@
#include <openssl/objects.h> #include <openssl/objects.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/x509.h> #include <openssl/x509.h>
#ifndef OPENSSL_NO_GMTLS
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
#endif
/* /*
* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
@@ -517,6 +515,23 @@ int tls_get_message_body(SSL *s, unsigned long *len)
return 1; return 1;
} }
#ifndef OPENSSL_NO_SM2
static int ssl_cert_type_ecc(const X509 *x, const EVP_PKEY *pk)
{
if (x && X509_get_signature_nid(x) == NID_sm2sign) {
if (X509_get_key_usage((X509 *)x) & X509v3_KU_DIGITAL_SIGNATURE)
return SSL_PKEY_SM2;
else
return SSL_PKEY_SM2_ENC;
}
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
(EC_KEY *)EVP_PKEY_get0(pk))) == NID_sm2p256v1) {
return SSL_PKEY_SM2;
}
return SSL_PKEY_ECC;
}
#endif
int ssl_cert_type(const X509 *x, const EVP_PKEY *pk) int ssl_cert_type(const X509 *x, const EVP_PKEY *pk)
{ {
if (pk == NULL && (pk = X509_get0_pubkey(x)) == NULL) if (pk == NULL && (pk = X509_get0_pubkey(x)) == NULL)
@@ -531,27 +546,11 @@ int ssl_cert_type(const X509 *x, const EVP_PKEY *pk)
return SSL_PKEY_DSA_SIGN; return SSL_PKEY_DSA_SIGN;
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
case EVP_PKEY_EC: case EVP_PKEY_EC:
#ifndef OPENSSL_NO_GMTLS # ifndef OPENSSL_NO_SM2
/* return ssl_cert_type_ecc(x, pk);
在use_cert时调用方提供证书因此可以根据keyUsage选择公钥类型 # else
但是use_key时没有证书因此这个函数只能做一个猜测
如果这两者并不一致时,就出现错误了!
*/
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
(EC_KEY *)EVP_PKEY_get0(pk))) == NID_sm2p256v1) {
if (x) {
if (X509_get_key_usage((X509 *)x) & X509v3_KU_DIGITAL_SIGNATURE) {
return SSL_PKEY_SM2_SIGN;
} else {
return SSL_PKEY_SM2_ENC;
}
} else
{
return SSL_PKEY_SM2_SIGN;
}
}
#endif
return SSL_PKEY_ECC; return SSL_PKEY_ECC;
# endif
#endif #endif
#ifndef OPENSSL_NO_GOST #ifndef OPENSSL_NO_GOST
case NID_id_GostR3410_2001: case NID_id_GostR3410_2001:
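Review bot: ssl_cert_type_ecc decides by the certificate's signature algorithm (`X509_get_signature_nid(x) == NID_sm2sign`) before looking at the subject key, which classifies the wrong thing: that NID says how the issuer signed the certificate, not what key it carries. A P-256 end-entity certificate issued by an SM2 CA is filed as SM2, while an SM2 key whose certificate was signed by an RSA or ECDSA CA falls through to the curve test and lands in `SSL_PKEY_SM2` even when its keyUsage is encryption-only, so the sign/enc split this commit introduces is not enforced for it. `EC_KEY_get0_group` is also called on the result of `EVP_PKEY_get0` with no NULL check. Testing the curve first and then keyUsage, with `x == NULL` (the use_key case) defaulting to the signing slot, is the order the removed code used and keeps its behaviour for certificates.
```c
static int ssl_cert_type_ecc(const X509 *x, const EVP_PKEY *pk)
{
    const EC_KEY *ec = EVP_PKEY_get0(pk);

    if (ec == NULL
        || EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)) != NID_sm2p256v1)
        return SSL_PKEY_ECC;
    /* SM2 key: keyUsage selects the GMTLS slot; no cert (use_key) => signing */
    if (x == NULL
        || (X509_get_key_usage((X509 *)x) & X509v3_KU_DIGITAL_SIGNATURE))
        return SSL_PKEY_SM2;
    return SSL_PKEY_SM2_ENC;
}
```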