This commit is contained in:
Zhi Guan
2017-04-14 15:31:35 +08:00
parent 7fa961cd6f
commit eb21e9d572
76 changed files with 3249 additions and 2961 deletions

266
ssl/methods_gmtls.c Normal file
View File

@@ -0,0 +1,266 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include <openssl/objects.h>
#include "ssl_locl.h"
/*-
* TLS/SSLv3 methods
*/
IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
TLS_method,
ossl_statem_accept,
ossl_statem_connect, TLSv1_2_enc_data)
#ifndef OPENSSL_NO_TLS1_2_METHOD
IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
tlsv1_2_method,
ossl_statem_accept,
ossl_statem_connect, TLSv1_2_enc_data)
#endif
#ifndef OPENSSL_NO_TLS1_1_METHOD
IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
tlsv1_1_method,
ossl_statem_accept,
ossl_statem_connect, TLSv1_1_enc_data)
#endif
#ifndef OPENSSL_NO_TLS1_METHOD
IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
tlsv1_method,
ossl_statem_accept, ossl_statem_connect, TLSv1_enc_data)
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
IMPLEMENT_ssl3_meth_func(sslv3_method, ossl_statem_accept, ossl_statem_connect)
#endif
/*-
* TLS/SSLv3 server methods
*/
IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
TLS_server_method,
ossl_statem_accept,
ssl_undefined_function, TLSv1_2_enc_data)
#ifndef OPENSSL_NO_TLS1_2_METHOD
IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
tlsv1_2_server_method,
ossl_statem_accept,
ssl_undefined_function, TLSv1_2_enc_data)
#endif
#ifndef OPENSSL_NO_TLS1_1_METHOD
IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
tlsv1_1_server_method,
ossl_statem_accept,
ssl_undefined_function, TLSv1_1_enc_data)
#endif
#ifndef OPENSSL_NO_TLS1_METHOD
IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
tlsv1_server_method,
ossl_statem_accept,
ssl_undefined_function, TLSv1_enc_data)
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
IMPLEMENT_ssl3_meth_func(sslv3_server_method,
ossl_statem_accept, ssl_undefined_function)
#endif
/*-
* TLS/SSLv3 client methods
*/
IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
TLS_client_method,
ssl_undefined_function,
ossl_statem_connect, TLSv1_2_enc_data)
#ifndef OPENSSL_NO_TLS1_2_METHOD
IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
tlsv1_2_client_method,
ssl_undefined_function,
ossl_statem_connect, TLSv1_2_enc_data)
#endif
#ifndef OPENSSL_NO_TLS1_1_METHOD
IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
tlsv1_1_client_method,
ssl_undefined_function,
ossl_statem_connect, TLSv1_1_enc_data)
#endif
#ifndef OPENSSL_NO_TLS1_METHOD
IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
tlsv1_client_method,
ssl_undefined_function,
ossl_statem_connect, TLSv1_enc_data)
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
IMPLEMENT_ssl3_meth_func(sslv3_client_method,
ssl_undefined_function, ossl_statem_connect)
#endif
/*-
* DTLS methods
*/
#ifndef OPENSSL_NO_DTLS1_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
dtlsv1_method,
ossl_statem_accept,
ossl_statem_connect, DTLSv1_enc_data)
#endif
#ifndef OPENSSL_NO_DTLS1_2_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
dtlsv1_2_method,
ossl_statem_accept,
ossl_statem_connect, DTLSv1_2_enc_data)
#endif
IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
DTLS_method,
ossl_statem_accept,
ossl_statem_connect, DTLSv1_2_enc_data)
/*-
* DTLS server methods
*/
#ifndef OPENSSL_NO_DTLS1_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
dtlsv1_server_method,
ossl_statem_accept,
ssl_undefined_function, DTLSv1_enc_data)
#endif
#ifndef OPENSSL_NO_DTLS1_2_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
dtlsv1_2_server_method,
ossl_statem_accept,
ssl_undefined_function, DTLSv1_2_enc_data)
#endif
IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
DTLS_server_method,
ossl_statem_accept,
ssl_undefined_function, DTLSv1_2_enc_data)
/*-
* DTLS client methods
*/
#ifndef OPENSSL_NO_DTLS1_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
dtlsv1_client_method,
ssl_undefined_function,
ossl_statem_connect, DTLSv1_enc_data)
IMPLEMENT_dtls1_meth_func(DTLS1_BAD_VER, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
dtls_bad_ver_client_method,
ssl_undefined_function,
ossl_statem_connect, DTLSv1_enc_data)
#endif
#ifndef OPENSSL_NO_DTLS1_2_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
dtlsv1_2_client_method,
ssl_undefined_function,
ossl_statem_connect, DTLSv1_2_enc_data)
#endif
IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
DTLS_client_method,
ssl_undefined_function,
ossl_statem_connect, DTLSv1_2_enc_data)
#if OPENSSL_API_COMPAT < 0x10100000L
# ifndef OPENSSL_NO_TLS1_2_METHOD
const SSL_METHOD *TLSv1_2_method(void)
{
return tlsv1_2_method();
}
const SSL_METHOD *TLSv1_2_server_method(void)
{
return tlsv1_2_server_method();
}
const SSL_METHOD *TLSv1_2_client_method(void)
{
return tlsv1_2_client_method();
}
# endif
# ifndef OPENSSL_NO_TLS1_1_METHOD
const SSL_METHOD *TLSv1_1_method(void)
{
return tlsv1_1_method();
}
const SSL_METHOD *TLSv1_1_server_method(void)
{
return tlsv1_1_server_method();
}
const SSL_METHOD *TLSv1_1_client_method(void)
{
return tlsv1_1_client_method();
}
# endif
# ifndef OPENSSL_NO_TLS1_METHOD
const SSL_METHOD *TLSv1_method(void)
{
return tlsv1_method();
}
const SSL_METHOD *TLSv1_server_method(void)
{
return tlsv1_server_method();
}
const SSL_METHOD *TLSv1_client_method(void)
{
return tlsv1_client_method();
}
# endif
# ifndef OPENSSL_NO_SSL3_METHOD
const SSL_METHOD *SSLv3_method(void)
{
return sslv3_method();
}
const SSL_METHOD *SSLv3_server_method(void)
{
return sslv3_server_method();
}
const SSL_METHOD *SSLv3_client_method(void)
{
return sslv3_client_method();
}
# endif
# ifndef OPENSSL_NO_DTLS1_2_METHOD
const SSL_METHOD *DTLSv1_2_method(void)
{
return dtlsv1_2_method();
}
const SSL_METHOD *DTLSv1_2_server_method(void)
{
return dtlsv1_2_server_method();
}
const SSL_METHOD *DTLSv1_2_client_method(void)
{
return dtlsv1_2_client_method();
}
# endif
# ifndef OPENSSL_NO_DTLS1_METHOD
const SSL_METHOD *DTLSv1_method(void)
{
return dtlsv1_method();
}
const SSL_METHOD *DTLSv1_server_method(void)
{
return dtlsv1_server_method();
}
const SSL_METHOD *DTLSv1_client_method(void)
{
return dtlsv1_client_method();
}
# endif
#endif

View File

@@ -68,7 +68,15 @@
#define SSL_ENC_AES256CCM8_IDX 17
#define SSL_ENC_GOST8912_IDX 18
#define SSL_ENC_CHACHA_IDX 19
#define SSL_ENC_NUM_IDX 20
#define SSL_ENC_SMS4_IDX 20
#define SSL_ENC_SMS4GCM_IDX 21
#define SSL_ENC_SMS4CCM_IDX 22
#define SSL_ENC_SMS4CCM8_IDX 23
#define SSL_ENC_ZUC_IDX 24
#define SSL_ENC_SM1_IDX 25
#define SSL_ENC_SSF33_IDX 26
#define SSL_ENC_NUM_IDX 27
/* NB: make sure indices in these tables match values above */
@@ -97,13 +105,20 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
{SSL_AES256CCM, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM_IDX 15 */
{SSL_AES128CCM8, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM8_IDX 16 */
{SSL_AES256CCM8, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM8_IDX 17 */
{SSL_eGOST2814789CNT12, NID_gost89_cnt_12}, /* SSL_ENC_GOST8912_IDX */
{SSL_CHACHA20POLY1305, NID_chacha20_poly1305},
{SSL_eGOST2814789CNT12, NID_gost89_cnt_12}, /* SSL_ENC_GOST8912_IDX 18 */
{SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */
{SSL_SMS4, NID_sms4_cbc}, /* SSL_ENC_SMS4_IDX 20 */
{SSL_SMS4GCM, NID_sms4_gcm}, /* SSL_ENC_SMS4GCM_IDX 21 */
{SSL_SMS4CCM, NID_sms4_ccm}, /* SSL_ENC_SMS4CCM_IDX 22 */
{SSL_SMS4CCM8, NID_sms4_ccm}, /* SSL_ENC_SMS4CCM8_IDX 23 */
{SSL_ZUC, NID_zuc}, /* SSL_ENC_ZUC_IDX 24 */
{SSL_SM1, NID_sm1_cbc}, /* SSL_ENC_SM1_IDX 25 */
{SSL_SSF33, NID_ssf33_cbc}, /* SSL_ENC_SSF33_IDX 26 */
};
static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
};
#define SSL_COMP_NULL_IDX 0
@@ -136,11 +151,13 @@ static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
{SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */
{0, NID_md5_sha1}, /* SSL_MD_MD5_SHA1_IDX 9 */
{0, NID_sha224}, /* SSL_MD_SHA224_IDX 10 */
{0, NID_sha512} /* SSL_MD_SHA512_IDX 11 */
{0, NID_sha512}, /* SSL_MD_SHA512_IDX 11 */
{SSL_SM3, NID_sm3}, /* SSL_MD_SM3_IDX 12 */
};
static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL
};
/* *INDENT-OFF* */
@@ -153,7 +170,8 @@ static const ssl_cipher_table ssl_cipher_table_kx[] = {
{SSL_kRSAPSK, NID_kx_rsa_psk},
{SSL_kPSK, NID_kx_psk},
{SSL_kSRP, NID_kx_srp},
{SSL_kGOST, NID_kx_gost}
{SSL_kGOST, NID_kx_gost},
{SSL_kSM2, NID_kx_sm2},
};
static const ssl_cipher_table ssl_cipher_table_auth[] = {
@@ -164,7 +182,8 @@ static const ssl_cipher_table ssl_cipher_table_auth[] = {
{SSL_aGOST01, NID_auth_gost01},
{SSL_aGOST12, NID_auth_gost12},
{SSL_aSRP, NID_auth_srp},
{SSL_aNULL, NID_auth_null}
{SSL_aNULL, NID_auth_null},
{SSL_aSM2, NID_auth_sm2},
};
/* *INDENT-ON* */
@@ -195,6 +214,8 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
/* GOST2012_512 */
EVP_PKEY_HMAC,
/* SM3 */
EVP_PKEY_HMAC,
};
static int ssl_mac_secret_size[SSL_MD_NUM_IDX];
@@ -404,9 +425,10 @@ void ssl_load_ciphers(void)
}
}
/* Make sure we can access MD5 and SHA1 */
OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL);
disabled_mkey_mask = 0;
disabled_auth_mask = 0;
@@ -423,6 +445,9 @@ void ssl_load_ciphers(void)
#ifdef OPENSSL_NO_EC
disabled_mkey_mask |= SSL_kECDHEPSK;
disabled_auth_mask |= SSL_aECDSA;
# ifdef OPENSSL_NO_GMTLS
/* do something */
# endif
#endif
#ifdef OPENSSL_NO_PSK
disabled_mkey_mask |= SSL_PSK;
@@ -1573,6 +1598,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
case SSL_kGOST:
kx = "GOST";
break;
case SSL_kSM2:
kx = "SM2";
break;
default:
kx = "unknown";
}
@@ -1603,6 +1631,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
case (SSL_aGOST12 | SSL_aGOST01):
au = "GOST12";
break;
case SSL_aSM2:
au = "SM2";
break;
default:
au = "unknown";
break;
@@ -1667,6 +1698,27 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
case SSL_CHACHA20POLY1305:
enc = "CHACHA20/POLY1305(256)";
break;
case SSL_SMS4:
enc = "SMS4(128)";
break;
case SSL_SMS4GCM:
enc = "SMS4GCM(128)";
break;
case SSL_SMS4CCM:
enc = "SMS4CCM(128)";
break;
case SSL_SMS4CCM8:
enc = "SMS4CCM8(128)";
break;
case SSL_ZUC:
enc = "ZUC(128)";
break;
case SSL_SM1:
enc = "SM1(128)";
break;
case SSL_SSF33:
enc = "SSF33(128)";
break;
default:
enc = "unknown";
break;
@@ -1699,6 +1751,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
case SSL_GOST12_512:
mac = "GOST2012";
break;
case SSL_SM3:
mac = "SM3";
break;
default:
mac = "unknown";
break;
@@ -1714,7 +1769,7 @@ const char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
if (c == NULL)
return "(NONE)";
/*
/*
* Backwards-compatibility crutch. In almost all contexts we report TLS
* 1.0 as "TLSv1", but for ciphers we report "TLSv1.0".
*/
@@ -1903,6 +1958,8 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
return SSL_PKEY_GOST_EC;
else if (alg_a & SSL_aGOST01)
return SSL_PKEY_GOST01;
else if (alg_a & SSL_aSM2)
return SSL_PKEY_ECC;
return -1;
}

View File

@@ -223,10 +223,12 @@
# define SSL_kRSAPSK 0x00000040U
# define SSL_kECDHEPSK 0x00000080U
# define SSL_kDHEPSK 0x00000100U
# define SSL_kSM2 0x00000200U
# define SSL_kSM2PSK 0x00000400U
/* all PSK */
# define SSL_PSK (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK)
# define SSL_PSK (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK | SSL_kSM2PSK)
/* Bits for algorithm_auth (server authentication) */
/* RSA auth */
@@ -245,6 +247,8 @@
# define SSL_aSRP 0x00000040U
/* GOST R 34.10-2012 signature auth */
# define SSL_aGOST12 0x00000080U
/* SM2 */
# define SSL_aSM2 0x00000100U
/* Bits for algorithm_enc (symmetric encryption) */
# define SSL_DES 0x00000001U
@@ -267,19 +271,27 @@
# define SSL_AES256CCM8 0x00020000U
# define SSL_eGOST2814789CNT12 0x00040000U
# define SSL_CHACHA20POLY1305 0x00080000U
# define SSL_SMS4 0x00100000U
# define SSL_SMS4GCM 0x00200000U
# define SSL_SMS4CCM 0x00400000U
# define SSL_SMS4CCM8 0x00800000U
# define SSL_ZUC 0x01000000U
# define SSL_SM1 0x02000000U
# define SSL_SSF33 0x04000000U
# define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM)
# define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM)
# define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
# define SSL_CHACHA20 (SSL_CHACHA20POLY1305)
# define SSL_SMS4ALL (SSL_SMS4 | SSL_SMS4GCM | SSL_SMS4CCM | SSL_SMS4CCM8)
/* Bits for algorithm_mac (symmetric authentication) */
# define SSL_MD5 0x00000001U
# define SSL_SHA1 0x00000002U
# define SSL_GOST94 0x00000004U
# define SSL_GOST89MAC 0x00000008U
# define SSL_GOST94 0x00000004U
# define SSL_GOST89MAC 0x00000008U
# define SSL_SHA256 0x00000010U
# define SSL_SHA384 0x00000020U
/* Not a real MAC, just an indication it is part of cipher */
@@ -287,6 +299,7 @@
# define SSL_GOST12_256 0x00000080U
# define SSL_GOST89MAC12 0x00000100U
# define SSL_GOST12_512 0x00000200U
# define SSL_SM3 0x00000400U
/*
* When adding new digest in the ssl_ciph.c and increment SSL_MD_NUM_IDX make
@@ -305,7 +318,8 @@
# define SSL_MD_MD5_SHA1_IDX 9
# define SSL_MD_SHA224_IDX 10
# define SSL_MD_SHA512_IDX 11
# define SSL_MAX_DIGEST 12
# define SSL_MD_SM3_IDX 12
# define SSL_MAX_DIGEST 13
/* Bits for algorithm2 (handshake digests and other extra flags) */
@@ -317,7 +331,8 @@
# define SSL_HANDSHAKE_MAC_GOST94 SSL_MD_GOST94_IDX
# define SSL_HANDSHAKE_MAC_GOST12_256 SSL_MD_GOST12_256_IDX
# define SSL_HANDSHAKE_MAC_GOST12_512 SSL_MD_GOST12_512_IDX
# define SSL_HANDSHAKE_MAC_DEFAULT SSL_HANDSHAKE_MAC_MD5_SHA1
# define SSL_HANDSHAKE_MAC_SM3 SSL_MD_SM3_IDX
# define SSL_HANDSHAKE_MAC_DEFAULT SSL_HANDSHAKE_MAC_MD5_SHA1
/* Bits 8-15 bits are PRF */
# define TLS1_PRF_DGST_SHIFT 8
@@ -327,6 +342,7 @@
# define TLS1_PRF_GOST94 (SSL_MD_GOST94_IDX << TLS1_PRF_DGST_SHIFT)
# define TLS1_PRF_GOST12_256 (SSL_MD_GOST12_256_IDX << TLS1_PRF_DGST_SHIFT)
# define TLS1_PRF_GOST12_512 (SSL_MD_GOST12_512_IDX << TLS1_PRF_DGST_SHIFT)
# define TLS1_PRF_SM3 (SSL_MD_SM3_IDX << TLS1_PRF_DGST_SHIFT)
# define TLS1_PRF (SSL_MD_MD5_SHA1_IDX << TLS1_PRF_DGST_SHIFT)
/*

View File

@@ -0,0 +1 @@

View File

@@ -639,6 +639,13 @@ typedef struct {
#endif
static const version_info tls_version_table[] = {
/*
#ifndef OPENSSL_NO_GMTLS
{GMTLS_VERSION, gmtls_client_method, gmtls_server_method},
#else
{GMTLS_VERSION, NULL, NULL},
#endif
*/
#ifndef OPENSSL_NO_TLS1_2
{TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
#else
@@ -667,6 +674,13 @@ static const version_info tls_version_table[] = {
#endif
static const version_info dtls_version_table[] = {
/*
#ifndef OPENSSL_NO_GMTLS
{GMTLS_VERSION, gmdtls_client_method, gmdtls_server_method},
#else
{GMTLS_VERSION, NULL, NULL},
#endif
*/
#ifndef OPENSSL_NO_DTLS1_2
{DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
#else