Fix SM9 bugs

CMakeLists.txt

@@ -818,7 +818,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1071")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1072")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)

include/gmssl/version.h

@@ -18,7 +18,7 @@ extern "C" {
 
 
 #define GMSSL_VERSION_NUM	30200
-#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1071"
+#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1072"
 
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);

src/sm9_enc.c

@@ -78,6 +78,10 @@ int sm9_kem_decrypt(const SM9_ENC_KEY *key, const char *id, size_t idlen, const
 	SM3_KDF_CTX kdf_ctx;
 
 	// B1: check C in G1
+	if (sm9_z256_point_is_on_curve(C) != 1) {
+		error_print();
+		return -1;
+	}
 	sm9_z256_point_to_uncompressed_octets(C, cbuf);
 
 	// B2: w = e(C, de);
@@ -111,6 +115,15 @@ int sm9_do_encrypt(const SM9_ENC_MASTER_KEY *mpk, const char *id, size_t idlen,
 	SM3_HMAC_CTX hmac_ctx;
 	uint8_t K[SM9_MAX_PLAINTEXT_SIZE + 32];
 
+	if (!mpk || !id || !idlen || !C1 || !c2 || !c3) {
+		error_print();
+		return -1;
+	}
+	if (inlen > SM9_MAX_PLAINTEXT_SIZE) {
+		error_print();
+		return -1;
+	}
+
 	if (sm9_kem_encrypt(mpk, id, idlen, sizeof(K), K, C1) != 1) {
 		error_print();
 		return -1;
@@ -245,6 +258,11 @@ int sm9_encrypt(const SM9_ENC_MASTER_KEY *mpk, const char *id, size_t idlen,
 	uint8_t c2[SM9_MAX_PLAINTEXT_SIZE];
 	uint8_t c3[SM3_HMAC_SIZE];
 
+	// FIXME: 检查应该放在哪一层？还是全检查？
+	if (!mpk || !id || !idlen  || !out || !outlen) {
+		error_print();
+		return -1;
+	}
 	if (inlen > SM9_MAX_PLAINTEXT_SIZE) {
 		error_print();
 		return -1;
@@ -270,6 +288,11 @@ int sm9_decrypt(const SM9_ENC_KEY *key, const char *id, size_t idlen,
 	size_t c2len;
 	const uint8_t *c3;
 
+	if (!key || !id || !idlen || !in || !inlen || !out || !outlen) {
+		error_print();
+		return -1;
+	}
+
 	if (sm9_ciphertext_from_der(&C1, &c2, &c2len, &c3, &in, &inlen) != 1
 		|| asn1_length_is_zero(inlen) != 1) {
 		error_print();

src/sm9_exch.c

@@ -32,8 +32,6 @@ int sm9_exch_step_1A(const SM9_EXCH_MASTER_KEY *mpk, const char *idB, size_t idB
 		error_print();
 		return -1;
 	}
-	// Only for testing
-	sm9_z256_from_hex(rA, "00005879DD1D51E175946F23B1B41E93BA31C584AE59A426EC1046A4D03B06C8");
 
 	// A3: RA = rA * Q
 	sm9_z256_point_mul(RA, rA, RA);
@@ -58,13 +56,12 @@ int sm9_exch_step_1B(const SM9_EXCH_MASTER_KEY *mpk, const char *idA, size_t idA
 
 	do {
 		// B2: rand rB in [1, N-1]
-		// FIXME: check rb != 0			
+		do {
-		if (sm9_z256_rand_range(rB, sm9_z256_order()) != 1) {
+			if (sm9_z256_rand_range(rB, sm9_z256_order()) != 1) {
-			error_print();
+				error_print();
-			return -1;
+				return -1;
-		}
+			}
-		// Only for testing
+		} while (sm9_z256_is_zero(rB));
-		sm9_z256_from_hex(rB, "00018B98C44BEF9F8537FB7D071B2C928B3BC65BD3D69E1EEE213564905634FE");
 
 		// B3: RB = rB * Q
 		sm9_z256_point_mul(RB, rB, RB);

src/sm9_sign.c

@@ -78,6 +78,10 @@ int sm9_signature_from_der(SM9_SIGNATURE *sig, const uint8_t **in, size_t *inlen
 int sm9_sign_init(SM9_SIGN_CTX *ctx)
 {
 	const uint8_t prefix[1] = { SM9_HASH2_PREFIX };
+	if (!ctx) {
+		error_print();
+		return -1;
+	}
 	sm3_init(&ctx->sm3_ctx);
 	sm3_update(&ctx->sm3_ctx, prefix, sizeof(prefix));
 	return 1;
@@ -85,6 +89,13 @@ int sm9_sign_init(SM9_SIGN_CTX *ctx)
 
 int sm9_sign_update(SM9_SIGN_CTX *ctx, const uint8_t *data, size_t datalen)
 {
+	if (!ctx || (!data && datalen)) {
+		error_print();
+		return -1;
+	}
+	if (!data || !datalen) {
+		return 1;
+	}
 	sm3_update(&ctx->sm3_ctx, data, datalen);
 	return 1;
 }
@@ -93,6 +104,11 @@ int sm9_sign_finish(SM9_SIGN_CTX *ctx, const SM9_SIGN_KEY *key, uint8_t *sig, si
 {
 	SM9_SIGNATURE signature;
 
+	if (!ctx || !key || !sig || !siglen) {
+		error_print();
+		return -1;
+	}
+
 	if (sm9_do_sign(key, &ctx->sm3_ctx, &signature) != 1) {
 		error_print();
 		return -1;
@@ -125,9 +141,6 @@ int sm9_do_sign(const SM9_SIGN_KEY *key, const SM3_CTX *sm3_ctx, SM9_SIGNATURE *
 			error_print();
 			return -1;
 		}
-		
-		// Only for testing
-		//sm9_z256_from_hex(r, "00033C8616B06704813203DFD00965022ED15975C662337AED648835DC4B1CBE");
 
 		// A3: w = g^r
 		sm9_z256_fp12_pow(g, g, r);
@@ -162,6 +175,10 @@ int sm9_do_sign(const SM9_SIGN_KEY *key, const SM3_CTX *sm3_ctx, SM9_SIGNATURE *
 int sm9_verify_init(SM9_SIGN_CTX *ctx)
 {
 	const uint8_t prefix[1] = { SM9_HASH2_PREFIX };
+	if (!ctx) {
+		error_print();
+		return -1;
+	}
 	sm3_init(&ctx->sm3_ctx);
 	sm3_update(&ctx->sm3_ctx, prefix, sizeof(prefix));
 	return 1;
@@ -169,6 +186,13 @@ int sm9_verify_init(SM9_SIGN_CTX *ctx)
 
 int sm9_verify_update(SM9_SIGN_CTX *ctx, const uint8_t *data, size_t datalen)
 {
+	if (!ctx || (!data && datalen)) {
+		error_print();
+		return -1;
+	}
+	if (!data || !datalen) {
+		return 1;
+	}
 	sm3_update(&ctx->sm3_ctx, data, datalen);
 	return 1;
 }
@@ -179,6 +203,11 @@ int sm9_verify_finish(SM9_SIGN_CTX *ctx, const uint8_t *sig, size_t siglen,
 	int ret;
 	SM9_SIGNATURE signature;
 
+	if (!ctx || !sig | !siglen || !mpk || !id || !idlen) {
+		error_print();
+		return -1;
+	}
+
 	if (sm9_signature_from_der(&signature, &sig, &siglen) != 1
 		|| asn1_length_is_zero(siglen) != 1) {
 		error_print();
@@ -210,8 +239,16 @@ int sm9_do_verify(const SM9_SIGN_MASTER_KEY *mpk, const char *id, size_t idlen,
 	uint8_t Ha[64];
 
 	// B1: check h in [1, N-1]
+	if (sm9_z256_is_zero(sig->h) || sm9_z256_cmp(sig->h, sm9_z256_order()) >= 0) {
+		error_print();
+		return -1;
+	}
 
 	// B2: check S in G1
+	if (sm9_z256_point_is_on_curve(&sig->S) != 1) {
+		error_print();
+		return -1;
+	}
 
 	// B3: g = e(P1, Ppubs)
 	sm9_z256_pairing(g, &mpk->Ppubs, sm9_z256_generator());

src/x509_key.c

@@ -25,6 +25,14 @@
 #include <gmssl/x509_key.h>
 
 
+/*
+TODO:
+	x509_sign_init/update/finish
+	x509_verify_init/update/finish
+	当使用ECDSA算法时，需要可选多个哈希函数
+	特别是很多CA证书，如icloud.com的证书链，其中CA证书使用的是ecdsa_secp256r1_sha384
+	因此需要x509_sign/verify_init接口中增加一个表示算法的参数
+*/
 
 int x509_key_set_sm2_key(X509_KEY *x509_key, const SM2_KEY *sm2_key)
 {