mirror of
https://github.com/guanzhi/GmSSL.git
synced 2026-06-13 08:23:50 +08:00
tls12 with sm2 cert
This commit is contained in:
Zhi Guan
18
apps/s_cb.c
18
apps/s_cb.c
@@ -188,9 +188,9 @@ static STRINT_PAIR cert_type_list[] = {
|
|||||||
{"RSA fixed ECDH", TLS_CT_RSA_FIXED_ECDH},
|
{"RSA fixed ECDH", TLS_CT_RSA_FIXED_ECDH},
|
||||||
{"ECDSA fixed ECDH", TLS_CT_ECDSA_FIXED_ECDH},
|
{"ECDSA fixed ECDH", TLS_CT_ECDSA_FIXED_ECDH},
|
||||||
{"GOST01 Sign", TLS_CT_GOST01_SIGN},
|
{"GOST01 Sign", TLS_CT_GOST01_SIGN},
|
||||||
#ifndef OPENSSL_NO_GMTLS
|
|
||||||
{"SM2 sign", TLS_CT_SM2_SIGN},
|
{"SM2 sign", TLS_CT_SM2_SIGN},
|
||||||
#endif
|
{"SM2 fixed key exchange", TLS_CT_SM2_FIXED_EXCH},
|
||||||
|
{"SM2 encrypt", TLS_CT_SM2_ENC},
|
||||||
{NULL}
|
{NULL}
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -250,6 +250,8 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
|
|||||||
sstr = "DSA";
|
sstr = "DSA";
|
||||||
else if (sign_nid == EVP_PKEY_EC)
|
else if (sign_nid == EVP_PKEY_EC)
|
||||||
sstr = "ECDSA";
|
sstr = "ECDSA";
|
||||||
|
else if (sign_nid == NID_sm2sign)
|
||||||
|
sstr = "SM2";
|
||||||
if (sstr)
|
if (sstr)
|
||||||
BIO_printf(out, "%s+", sstr);
|
BIO_printf(out, "%s+", sstr);
|
||||||
else
|
else
|
||||||
@@ -458,6 +460,7 @@ static STRINT_PAIR ssl_versions[] = {
|
|||||||
{"TLS 1.2", TLS1_2_VERSION},
|
{"TLS 1.2", TLS1_2_VERSION},
|
||||||
{"DTLS 1.0", DTLS1_VERSION},
|
{"DTLS 1.0", DTLS1_VERSION},
|
||||||
{"DTLS 1.0 (bad)", DTLS1_BAD_VER},
|
{"DTLS 1.0 (bad)", DTLS1_BAD_VER},
|
||||||
|
{"GMTLS 1.1", GMTLS_VERSION},
|
||||||
{NULL}
|
{NULL}
|
||||||
};
|
};
|
||||||
static STRINT_PAIR alert_types[] = {
|
static STRINT_PAIR alert_types[] = {
|
||||||
@@ -490,6 +493,14 @@ static STRINT_PAIR alert_types[] = {
|
|||||||
{" bad_certificate_status_response", 113},
|
{" bad_certificate_status_response", 113},
|
||||||
{" bad_certificate_hash_value", 114},
|
{" bad_certificate_hash_value", 114},
|
||||||
{" unknown_psk_identity", 115},
|
{" unknown_psk_identity", 115},
|
||||||
|
#ifndef OPENSSL_NO_GMTLS
|
||||||
|
{" unsupported_site2site", 200},
|
||||||
|
{" no_area", 201},
|
||||||
|
{" unsupported_areatype", 202},
|
||||||
|
{" bad_ibcparam", 203},
|
||||||
|
{" unsupported_ibcparam", 204},
|
||||||
|
{"identity_need", 205},
|
||||||
|
#endif
|
||||||
{NULL}
|
{NULL}
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -1307,6 +1318,9 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
|
|||||||
case TLSEXT_signature_ecdsa:
|
case TLSEXT_signature_ecdsa:
|
||||||
sname = "ECDSA";
|
sname = "ECDSA";
|
||||||
break;
|
break;
|
||||||
|
case TLSEXT_signature_sm2sign:
|
||||||
|
sname = "SM2";
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
BIO_puts(sdb->out, OBJ_nid2sn(nid));
|
BIO_puts(sdb->out, OBJ_nid2sn(nid));
|
||||||
|
|||||||
@@ -3267,7 +3267,8 @@ static EC_NIST_NAME nist_curves[] = {
|
|||||||
{"P-224", NID_secp224r1},
|
{"P-224", NID_secp224r1},
|
||||||
{"P-256", NID_X9_62_prime256v1},
|
{"P-256", NID_X9_62_prime256v1},
|
||||||
{"P-384", NID_secp384r1},
|
{"P-384", NID_secp384r1},
|
||||||
{"P-521", NID_secp521r1}
|
{"P-521", NID_secp521r1},
|
||||||
|
{"SM2", NID_sm2p256v1}
|
||||||
};
|
};
|
||||||
|
|
||||||
const char *EC_curve_nid2nist(int nid)
|
const char *EC_curve_nid2nist(int nid)
|
||||||
|
|||||||
@@ -223,7 +223,8 @@ extern "C" {
|
|||||||
|
|
||||||
|
|
||||||
# define TLS_CT_SM2_SIGN 240
|
# define TLS_CT_SM2_SIGN 240
|
||||||
# define TLS_CT_SM2_FIXED_ECDH 241
|
# define TLS_CT_SM2_FIXED_EXCH 241
|
||||||
|
# define TLS_CT_SM2_ENC 242
|
||||||
|
|
||||||
|
|
||||||
/* from GM/T 0024-2014 Table 1 */
|
/* from GM/T 0024-2014 Table 1 */
|
||||||
|
|||||||
@@ -1719,9 +1719,7 @@ MSG_PROCESS_RETURN tls_process_server_key_exchange(SSL *s, PACKET *pkt)
|
|||||||
} else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
|
} else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
|
||||||
if (!tls_process_ske_dhe(s, pkt, &pkey, &al))
|
if (!tls_process_ske_dhe(s, pkt, &pkey, &al))
|
||||||
goto err;
|
goto err;
|
||||||
} else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK |
|
} else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK | SSL_kSM2DHE | SSL_kSM2PSK)) {
|
||||||
SSL_kSM2DHE | SSL_kSM2PSK
|
|
||||||
)) {
|
|
||||||
if (!tls_process_ske_ecdhe(s, pkt, &pkey, &al))
|
if (!tls_process_ske_ecdhe(s, pkt, &pkey, &al))
|
||||||
goto err;
|
goto err;
|
||||||
} else if (alg_k) {
|
} else if (alg_k) {
|
||||||
@@ -1768,11 +1766,17 @@ MSG_PROCESS_RETURN tls_process_server_key_exchange(SSL *s, PACKET *pkt)
|
|||||||
#ifdef SSL_DEBUG
|
#ifdef SSL_DEBUG
|
||||||
fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
|
fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
|
||||||
#endif
|
#endif
|
||||||
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_SHA)
|
#ifndef OPENSSL_NO_RSA
|
||||||
} else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
|
} else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
|
||||||
|
# if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_SHA)
|
||||||
md = EVP_md5_sha1();
|
md = EVP_md5_sha1();
|
||||||
|
# elif !defined(OPENSSL_NO_SM3)
|
||||||
|
md = EVP_sm3();
|
||||||
|
# else
|
||||||
|
should_not_happen!!
|
||||||
# endif
|
# endif
|
||||||
#ifndef OPENSSL_NO_GMTLS_METHOD
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_GMTLS
|
||||||
} else if (s->method->version == GMTLS_VERSION
|
} else if (s->method->version == GMTLS_VERSION
|
||||||
&& s->s3->tmp.new_cipher->algorithm_mac & SSL_SM3) {
|
&& s->s3->tmp.new_cipher->algorithm_mac & SSL_SM3) {
|
||||||
md = EVP_sm3();
|
md = EVP_sm3();
|
||||||
|
|||||||
@@ -106,7 +106,7 @@
|
|||||||
#include <openssl/hmac.h>
|
#include <openssl/hmac.h>
|
||||||
#include <openssl/x509.h>
|
#include <openssl/x509.h>
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
#ifndef OPENSSL_NO_GMTLS
|
#ifndef OPENSSL_NO_SM2
|
||||||
# include <openssl/sm2.h>
|
# include <openssl/sm2.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@@ -2021,7 +2021,7 @@ int tls_construct_server_key_exchange(SSL *s)
|
|||||||
goto f_err;
|
goto f_err;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_GMTLS
|
#ifndef OPENSSL_NO_SM2
|
||||||
if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aSM2) {
|
if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aSM2) {
|
||||||
unsigned char z[EVP_MAX_MD_SIZE];
|
unsigned char z[EVP_MAX_MD_SIZE];
|
||||||
size_t zlen = sizeof(z);
|
size_t zlen = sizeof(z);
|
||||||
|
|||||||
19
ssl/t1_lib.c
19
ssl/t1_lib.c
@@ -3262,12 +3262,14 @@ static const tls12_lookup tls12_sig[] = {
|
|||||||
{EVP_PKEY_RSA, TLSEXT_signature_rsa},
|
{EVP_PKEY_RSA, TLSEXT_signature_rsa},
|
||||||
{EVP_PKEY_DSA, TLSEXT_signature_dsa},
|
{EVP_PKEY_DSA, TLSEXT_signature_dsa},
|
||||||
{EVP_PKEY_EC, TLSEXT_signature_ecdsa},
|
{EVP_PKEY_EC, TLSEXT_signature_ecdsa},
|
||||||
{EVP_PKEY_EC, TLSEXT_signature_sm2sign},
|
{NID_sm2sign, TLSEXT_signature_sm2sign},
|
||||||
|
//{EVP_PKEY_EC, TLSEXT_signature_sm2sign},
|
||||||
{NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
|
{NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
|
||||||
{NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
|
{NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
|
||||||
{NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
|
{NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/* tls12_find_id() not find sm2sign */
|
||||||
static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
|
static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
@@ -3651,8 +3653,10 @@ int tls1_process_sigalgs(SSL *s)
|
|||||||
pmd[SSL_PKEY_ECC] = EVP_get_digestbynid(NID_sha1);
|
pmd[SSL_PKEY_ECC] = EVP_get_digestbynid(NID_sha1);
|
||||||
#endif
|
#endif
|
||||||
#ifndef OPENSSL_NO_SM2
|
#ifndef OPENSSL_NO_SM2
|
||||||
if (pmd[SSL_PKEY_SM2] == NULL)
|
if (pmd[SSL_PKEY_SM2] == NULL) {
|
||||||
pmd[SSL_PKEY_SM2] = EVP_get_digestbynid(NID_sm3);
|
pmd[SSL_PKEY_SM2] = EVP_get_digestbynid(NID_sm3);
|
||||||
|
pmd[SSL_PKEY_SM2_ENC] = EVP_get_digestbynid(NID_sm3);
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
#ifndef OPENSSL_NO_GOST
|
#ifndef OPENSSL_NO_GOST
|
||||||
if (pmd[SSL_PKEY_GOST01] == NULL)
|
if (pmd[SSL_PKEY_GOST01] == NULL)
|
||||||
@@ -3797,6 +3801,10 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
|
|||||||
for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
|
for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
|
||||||
rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
|
rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
|
||||||
rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
|
rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
|
||||||
|
#ifndef OPENSSL_NO_SM2
|
||||||
|
if (rsign == TLSEXT_signature_ecdsa && rhash == TLSEXT_hash_sm3)
|
||||||
|
rsign = TLSEXT_signature_sm2sign;
|
||||||
|
#endif
|
||||||
|
|
||||||
if (rhash == -1 || rsign == -1)
|
if (rhash == -1 || rsign == -1)
|
||||||
goto err;
|
goto err;
|
||||||
@@ -3945,16 +3953,16 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
|
|||||||
default_nid = NID_ecdsa_with_SHA1;
|
default_nid = NID_ecdsa_with_SHA1;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_SM2
|
|
||||||
case SSL_PKEY_SM2_ENC:
|
case SSL_PKEY_SM2_ENC:
|
||||||
rsign = TLSEXT_signature_sm2sign;
|
rsign = TLSEXT_signature_sm2sign;
|
||||||
default_nid = NID_sm2sign_with_sm3;
|
default_nid = NID_sm2sign_with_sm3;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case SSL_PKEY_SM2:
|
case SSL_PKEY_SM2:
|
||||||
rsign = TLSEXT_signature_sm2sign;
|
rsign = TLSEXT_signature_sm2sign;
|
||||||
default_nid = NID_sm2sign_with_sm3;
|
default_nid = NID_sm2sign_with_sm3;
|
||||||
break;
|
break;
|
||||||
#endif
|
|
||||||
case SSL_PKEY_GOST01:
|
case SSL_PKEY_GOST01:
|
||||||
rsign = TLSEXT_signature_gostr34102001;
|
rsign = TLSEXT_signature_gostr34102001;
|
||||||
default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
|
default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
|
||||||
@@ -4047,6 +4055,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
|
|||||||
break;
|
break;
|
||||||
case EVP_PKEY_EC:
|
case EVP_PKEY_EC:
|
||||||
check_type = TLS_CT_ECDSA_SIGN;
|
check_type = TLS_CT_ECDSA_SIGN;
|
||||||
|
//FIXME: do we need to do sth?
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (check_type) {
|
if (check_type) {
|
||||||
@@ -4133,6 +4142,8 @@ void tls1_set_cert_validity(SSL *s)
|
|||||||
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
|
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
|
||||||
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
|
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
|
||||||
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_SM2);
|
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_SM2);
|
||||||
|
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_SM2_ENC);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* User level utiity function to check a chain is suitable */
|
/* User level utiity function to check a chain is suitable */
|
||||||
|
|||||||
Reference in New Issue
Block a user