update ssl

2026-06-13 16:33:50 +08:00 · 2017-11-29 20:01:07 +08:00
parent d249929e81
commit 7be7ce60dc
4 changed files with 47 additions and 33 deletions
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -840,12 +840,18 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
        /* output the first certificate, for GMTLS it is sign cert */
        if (chain_count) {
            x = sk_X509_value(chain, 0);
+            if (SSL_IS_GMTLS(s)) {
+                if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
+                    X509_STORE_CTX_free(xs_ctx);
+                    return 0;
+                }
+            }
            if (!ssl_add_cert_to_buf(buf, l, x)) {
+                X509_STORE_CTX_free(xs_ctx);
                return 0;
            }
        }
-        if (s->version == GMTLS_VERSION) {
-            /* 我们还应该检查cpk的类型 */
+        if (SSL_IS_GMTLS(s)) {
            x = s->cert->pkeys[SSL_PKEY_SM2_ENC].x509;
            if (!ssl_add_cert_to_buf(buf, l, x)) {
                return 0;
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2642,7 +2642,7 @@ void ssl_set_masks(SSL *s)
    X509 *x = NULL;
 #endif
 #ifndef OPENSSL_NO_SM2
-    int have_sm2_cert, sm2sign_ok;
+    int sm2_enc, sm2_sign;
 #endif
    if (c == NULL)
        return;
@@ -2660,7 +2660,8 @@ void ssl_set_masks(SSL *s)
    have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
 #endif
 #ifndef OPENSSL_NO_SM2
-    have_sm2_cert = pvalid[SSL_PKEY_SM2_ENC] & CERT_PKEY_VALID;
+    sm2_enc = pvalid[SSL_PKEY_SM2_ENC] & CERT_PKEY_VALID;
+    sm2_sign = pvalid[SSL_PKEY_SM2_SIGN] & CERT_PKEY_SIGN;
 #endif
    mask_k = 0;
    mask_a = 0;
@@ -2725,10 +2726,15 @@ fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
    }
 #endif
 #ifndef OPENSSL_NO_SM2
-    //这个现在不好用啊！
-    if (have_sm2_cert) {
+    if (sm2_enc) {
+        mask_k |= SSL_kSM2;
+    }
+    if (sm2_sign) {
+        mask_a |= SSL_aSM2;
+    }
+/*
+    {
        uint32_t ex_kusage;
-fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
        cpk = &c->pkeys[SSL_PKEY_SM2_SIGN];
        x = cpk->x509;
 	OPENSSL_assert(x);
@@ -2739,6 +2745,7 @@ fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
        if (sm2sign_ok)
            mask_a |= SSL_aSM2;
    }
+*/
 #endif

 #ifndef OPENSSL_NO_EC
@@ -2886,8 +2893,10 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher,
        idx = SSL_PKEY_ECC;
 #ifndef OPENSSL_NO_SM2
    else if ((alg_a & SSL_aSM2) &&
-              (c->pkeys[SSL_PKEY_SM2_SIGN].privatekey != NULL))
+              (c->pkeys[SSL_PKEY_SM2_SIGN].privatekey != NULL)) {
        idx = SSL_PKEY_SM2_SIGN;
+fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
+    }
 #endif
    if (idx == -1) {
        SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR);
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -425,8 +425,8 @@
 # define SSL_PKEY_GOST01         4
 # define SSL_PKEY_GOST12_256     5
 # define SSL_PKEY_GOST12_512     6
-# define SSL_PKEY_SM2_ENC        7
-# define SSL_PKEY_SM2_SIGN       8
+# define SSL_PKEY_SM2            7
+# define SSL_PKEY_SM2_ENC        8
 # define SSL_PKEY_SM9_SIGN       9
 # define SSL_PKEY_NUM           10

--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -22,9 +22,7 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#ifndef OPENSSL_NO_GMTLS
 #include <openssl/x509v3.h>
-#endif

 /*
 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
@@ -517,6 +515,23 @@ int tls_get_message_body(SSL *s, unsigned long *len)
    return 1;
 }

+#ifndef OPENSSL_NO_SM2
+static int ssl_cert_type_ecc(const X509 *x, const EVP_PKEY *pk)
+{
+    if (x && X509_get_signature_nid(x) == NID_sm2sign) {
+        if (X509_get_key_usage((X509 *)x) & X509v3_KU_DIGITAL_SIGNATURE)
+            return SSL_PKEY_SM2;
+        else
+            return SSL_PKEY_SM2_ENC;
+    }
+    if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
+        (EC_KEY *)EVP_PKEY_get0(pk))) == NID_sm2p256v1) {
+        return SSL_PKEY_SM2;
+    }
+    return SSL_PKEY_ECC;
+}
+#endif
+
 int ssl_cert_type(const X509 *x, const EVP_PKEY *pk)
 {
    if (pk == NULL && (pk = X509_get0_pubkey(x)) == NULL)
@@ -531,27 +546,11 @@ int ssl_cert_type(const X509 *x, const EVP_PKEY *pk)
        return SSL_PKEY_DSA_SIGN;
 #ifndef OPENSSL_NO_EC
    case EVP_PKEY_EC:
-#ifndef OPENSSL_NO_GMTLS
-/*			
-在use_cert时，调用方提供证书，因此可以根据keyUsage选择公钥类型
-但是use_key时，没有证书，因此这个函数只能做一个猜测
-如果这两者并不一致时，就出现错误了！
-*/
-        if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
-            (EC_KEY *)EVP_PKEY_get0(pk))) == NID_sm2p256v1) {
-            if (x) {
-                if (X509_get_key_usage((X509 *)x) & X509v3_KU_DIGITAL_SIGNATURE) {
-                    return SSL_PKEY_SM2_SIGN;
-                } else {
-                    return SSL_PKEY_SM2_ENC;
-                }
-            } else
-            {
-                return SSL_PKEY_SM2_SIGN;
-            }
-        }
-#endif
+# ifndef OPENSSL_NO_SM2
+        return ssl_cert_type_ecc(x, pk);
+# else
        return SSL_PKEY_ECC;
+# endif
 #endif
 #ifndef OPENSSL_NO_GOST
    case NID_id_GostR3410_2001: