diff --git a/CMakeLists.txt b/CMakeLists.txt
index 10a2a46e..4ed48051 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -818,7 +818,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1064")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1065")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index c0d7deb8..50ddfa4c 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 #define GMSSL_VERSION_NUM 30200
-#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1064"
+#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1065"
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/src/tlcp.c b/src/tlcp.c
index a318525a..a6591e4c 100644
--- a/src/tlcp.c
+++ b/src/tlcp.c
@@ -1773,6 +1773,8 @@ int tlcp_recv_client_key_exchange(TLS_CONNECT *conn)
 int ret;
 const uint8_t *enced_pms;
 size_t enced_pms_len;
+ uint8_t pre_master_secret[SM2_MAX_PLAINTEXT_SIZE];
+ size_t pre_master_secret_len;
 X509_KEY *enc_key;
 if ((ret = tls_recv_record(conn)) != 1) {
@@ -1828,11 +1830,21 @@ int tlcp_recv_client_key_exchange(TLS_CONNECT *conn)
 return -1;
 }
 if (sm2_decrypt(&enc_key->u.sm2_key, enced_pms, enced_pms_len,
- conn->pre_master_secret, &conn->pre_master_secret_len) != 1) {
+ pre_master_secret, &pre_master_secret_len) != 1) {
 error_print();
 tls_send_alert(conn, TLS_alert_decrypt_error);
 return -1;
 }
+ if (pre_master_secret_len != 48) {
+ gmssl_secure_clear(pre_master_secret, pre_master_secret_len);
+ error_print();
+ tls_send_alert(conn, TLS_alert_illegal_parameter);
+ return -1;
+ }
+ memcpy(conn->pre_master_secret, pre_master_secret, pre_master_secret_len);
+ conn->pre_master_secret_len = pre_master_secret_len;
+ gmssl_secure_clear(pre_master_secret, pre_master_secret_len);
+
 if (tlcp_check_pre_master_secret(conn) != 1) {
 error_print();
 tls_send_alert(conn, TLS_alert_illegal_parameter);
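Review bot: The `sm2_decrypt` failure branch returns without wiping the new stack buffer, while the length-mismatch and success paths both call `gmssl_secure_clear`; whether `sm2_decrypt` can leave partial plaintext in its output on failure is not visible here, so that branch should clear as well. Because `pre_master_secret_len` may be unset when decryption fails, wipe the whole array there: `gmssl_secure_clear(pre_master_secret, sizeof(pre_master_secret));` placed before `error_print();`. The literal `48` in the length check would also be safer tied to the destination, e.g. `if (pre_master_secret_len != sizeof(conn->pre_master_secret))`, assuming that field is a 48-byte array (its declaration is outside this diff). `tlcp_recv_client_key_exchange` starts before and continues past this hunk.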