abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-07 08:56:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

update ssl

Browse Source
This commit is contained in:
Zhi Guan
2017-11-30 00:04:10 +08:00
parent 5bdb3e20ff
commit f53c6b1cfd
7 changed files with 43 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
ssl/ssl_cert.c
View File

@@ -842,6 +842,7 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
x = sk_X509_value(chain, 0);
if (SSL_IS_GMTLS(s)) {
if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
/* FIXME: should we return some errors ? */
X509_STORE_CTX_free(xs_ctx);
return 0;
}
@@ -1062,20 +1063,16 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
if (level >= 2 && c->algorithm_enc == SSL_RC4)
return 0;
/* Level 3: forward secure ciphersuites only */
if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH
#ifndef OPENSSL_NO_GMTLS
| SSL_kSM2DHE | SSL_kSM9DHE
#endif
)))
if (level >= 3 && !(c->algorithm_mkey &
(SSL_kEDH | SSL_kEECDH | SSL_kSM2DHE | SSL_kSM9DHE)))
return 0;
break;
}
case SSL_SECOP_VERSION:
if (!SSL_IS_DTLS(s)) {
#ifndef OPENSSL_NO_GMTLS_METHOD
/* GMTLSv1.1 not allowed at level 3 */
if (nid == GMTLS_VERSION && level >= 3)
return 0;
#endif
/* SSLv3 not allowed at level 2 */
if (nid <= SSL3_VERSION && level >= 2)
return 0;

12
ssl/ssl_ciph.c
View File

@@ -444,10 +444,14 @@ void ssl_load_ciphers(void)
}
}
/* Make sure we can access MD5 and SHA1 */
#ifndef OPENSSL_NO_MD5
/* If we disable TLS 1, MD5 and SHA1 */
OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
#endif
#ifndef OPENSSL_NO_SHA
/* If we disable TLS 1, MD5 and SHA1 */
OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL);
#endif
disabled_mkey_mask = 0;
disabled_auth_mask = 0;
@@ -1999,9 +2003,9 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
else if (alg_a & SSL_aGOST01)
return SSL_PKEY_GOST01;
else if (alg_a & SSL_aSM2)
return SSL_PKEY_SM2_SIGN;
return SSL_PKEY_SM2;
else if (alg_a & SSL_aSM9)
return SSL_PKEY_SM9_SIGN;
return SSL_PKEY_SM9;
return -1;
}

7
ssl/ssl_lib.c
View File

@@ -2660,8 +2660,9 @@ void ssl_set_masks(SSL *s)
have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
#endif
#ifndef OPENSSL_NO_SM2
sm2_enc = pvalid[SSL_PKEY_SM2_ENC] & CERT_PKEY_VALID;
sm2_sign = pvalid[SSL_PKEY_SM2_SIGN] & CERT_PKEY_SIGN;
sm2_sign = pvalid[SSL_PKEY_SM2] & CERT_PKEY_SIGN;
#endif
mask_k = 0;
mask_a = 0;
@@ -2893,8 +2894,8 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher,
idx = SSL_PKEY_ECC;
#ifndef OPENSSL_NO_SM2
else if ((alg_a & SSL_aSM2) &&
(c->pkeys[SSL_PKEY_SM2_SIGN].privatekey != NULL)) {
idx = SSL_PKEY_SM2_SIGN;
(c->pkeys[SSL_PKEY_SM2].privatekey != NULL)) {
idx = SSL_PKEY_SM2;
fprintf(stderr, "%s %d\n", __FILE__, __LINE__);
}
#endif

2
ssl/ssl_locl.h
View File

@@ -427,7 +427,7 @@
# define SSL_PKEY_GOST12_512 6
# define SSL_PKEY_SM2 7
# define SSL_PKEY_SM2_ENC 8
# define SSL_PKEY_SM9_SIGN 9
# define SSL_PKEY_SM9 9
# define SSL_PKEY_NUM 10
/*

15
ssl/ssl_rsa.c
View File

@@ -129,18 +129,9 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
return (0);
}
#ifndef OPENSSL_NO_SM2
/* set private key even without keyUsage in cert */
if (i == SSL_PKEY_SM2_SIGN) {
if (c->pkeys[SSL_PKEY_SM2_ENC].privatekey)
i = SSL_PKEY_SM2_SIGN;
else if (c->pkeys[SSL_PKEY_SM2_SIGN].privatekey)
i = SSL_PKEY_SM2_ENC;
else if (c->pkeys[SSL_PKEY_SM2_ENC].x509)
i = SSL_PKEY_SM2_ENC;
else
i = SSL_PKEY_SM2_SIGN;
}
#ifndef OPENSSL_NO_GMTLS
if (i == SSL_PKEY_SM2 && c->pkeys[SSL_PKEY_SM2_ENC].x509)
i = SSL_PKEY_SM2_ENC;
#endif
if (c->pkeys[i].x509 != NULL) {

2
ssl/statem/statem_clnt.c
View File

@@ -2957,7 +2957,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
#ifndef OPENSSL_NO_EC
idx = s->session->peer_type;
if ((idx == SSL_PKEY_ECC) || (idx == SSL_PKEY_SM2_SIGN)) { /* GMTLS */
if ((idx == SSL_PKEY_ECC) || (idx == SSL_PKEY_SM2)) { /* GMTLS */
if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s) == 0) {
/* check failed */
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);

53
ssl/t1_lib.c
View File

@@ -716,18 +716,20 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
tlsext_sigalg_ecdsa(md)
static const unsigned char tls12_sigalgs[] = {
#ifndef OPENSSL_NO_SM2
TLSEXT_hash_sm3, TLSEXT_signature_sm2sign,
#endif
#ifndef OPENSSL_NO_SHA
tlsext_sigalg(TLSEXT_hash_sha512)
tlsext_sigalg(TLSEXT_hash_sha384)
tlsext_sigalg(TLSEXT_hash_sha256)
tlsext_sigalg(TLSEXT_hash_sha224)
tlsext_sigalg(TLSEXT_hash_sha1)
#endif
#ifndef OPENSSL_NO_GOST
TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512,
#endif
#ifndef OPENSSL_NO_SM2
TLSEXT_hash_sm3, TLSEXT_signature_sm2sign,
#endif
};
@@ -2750,8 +2752,8 @@ void ssl_set_default_md(SSL *s)
#ifndef OPENSSL_NO_EC
pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
#endif
#ifndef OPENSSL_NO_GMTSL
pmd[SSL_PKEY_SM2_SIGN] = ssl_md(SSL_MD_SM3_IDX);
#ifndef OPENSSL_NO_SM2
pmd[SSL_PKEY_SM2] = ssl_md(SSL_MD_SM3_IDX);
pmd[SSL_PKEY_SM2_ENC] = ssl_md(SSL_MD_SM3_IDX);
#endif
#ifndef OPENSSL_NO_GOST
@@ -3253,19 +3255,14 @@ static const tls12_lookup tls12_md[] = {
{NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
{NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
{NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
#ifndef OPENSSL_NO_SM3
{NID_sm3, TLSEXT_hash_sm3},
#endif
};
static const tls12_lookup tls12_sig[] = {
{EVP_PKEY_RSA, TLSEXT_signature_rsa},
{EVP_PKEY_DSA, TLSEXT_signature_dsa},
#ifndef OPENSSL_NO_SM2
{EVP_PKEY_EC, TLSEXT_signature_sm2sign},
#else
{EVP_PKEY_EC, TLSEXT_signature_ecdsa},
#endif
{EVP_PKEY_EC, TLSEXT_signature_sm2sign},
{NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
{NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
{NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
@@ -3302,7 +3299,6 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
sig_id = tls12_get_sigid(pk);
if (sig_id == -1)
return 0;
printf("%s %d: md_id = %d, sig_id = %d\n", __FILE__, __LINE__, md_id, sig_id);
p[0] = (unsigned char)md_id;
p[1] = (unsigned char)sig_id;
return 1;
@@ -3310,6 +3306,12 @@ printf("%s %d: md_id = %d, sig_id = %d\n", __FILE__, __LINE__, md_id, sig_id);
int tls12_get_sigid(const EVP_PKEY *pk)
{
#ifndef OPENSSL_NO_SM2
/* tls12_find_id() can not find TLSEXT_signature_sm2sign with EVP_PKEY_EC */
if (EVP_PKEY_id(pk) == EVP_PKEY_EC && EC_GROUP_get_curve_name(
EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY((EVP_PKEY *)pk))) == NID_sm2p256v1)
return TLSEXT_signature_sm2sign;
#endif
return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
}
@@ -3332,9 +3334,7 @@ static const tls12_hash_info tls12_md_info[] = {
TLSEXT_hash_gostr34112012_256},
{NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
TLSEXT_hash_gostr34112012_512},
#ifndef OPENSSL_NO_SM3
{NID_sm3, 128, SSL_MD_SM3_IDX, TLSEXT_hash_sm3},
#endif
};
static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
@@ -3379,7 +3379,7 @@ static int tls12_get_pkey_idx(unsigned char sig_alg)
#endif
# ifndef OPENSSL_NO_SM2
case TLSEXT_signature_sm2sign:
return SSL_PKEY_SM2_SIGN;
return SSL_PKEY_SM2;
# endif
#ifndef OPENSSL_NO_GOST
case TLSEXT_signature_gostr34102001:
@@ -3444,9 +3444,8 @@ void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
const unsigned char *sigalgs;
size_t i, sigalgslen;
int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
#ifndef OPENSSL_NO_SM2
int have_sm2sign = 0;
#endif
/*
* Now go through all signature algorithms seeing if we support any for
* RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
@@ -3478,7 +3477,6 @@ void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
if (!have_sm2sign && tls12_sigalg_allowed(s, op, sigalgs))
have_sm2sign = 1;
break;
// SM9
#endif
}
}
@@ -3488,10 +3486,8 @@ void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
*pmask_a |= SSL_aDSS;
if (!have_ecdsa)
*pmask_a |= SSL_aECDSA;
#ifndef OPENSSL_NO_SM2
if (!have_sm2sign)
*pmask_a |= SSL_aSM2;
#endif
}
size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
@@ -3642,7 +3638,6 @@ int tls1_process_sigalgs(SSL *s)
*/
#ifndef OPENSSL_NO_DSA
if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
//pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
pmd[SSL_PKEY_DSA_SIGN] = EVP_get_digestbynid(NID_sha1);
#endif
#ifndef OPENSSL_NO_RSA
@@ -3656,8 +3651,8 @@ int tls1_process_sigalgs(SSL *s)
pmd[SSL_PKEY_ECC] = EVP_get_digestbynid(NID_sha1);
#endif
#ifndef OPENSSL_NO_SM2
if (pmd[SSL_PKEY_SM2_SIGN] == NULL)
pmd[SSL_PKEY_SM2_SIGN] = EVP_get_digestbynid(NID_sm3);
if (pmd[SSL_PKEY_SM2] == NULL)
pmd[SSL_PKEY_SM2] = EVP_get_digestbynid(NID_sm3);
#endif
#ifndef OPENSSL_NO_GOST
if (pmd[SSL_PKEY_GOST01] == NULL)
@@ -3951,13 +3946,11 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
break;
#ifndef OPENSSL_NO_SM2
case SSL_PKEY_SM2_ENC:
case SSL_PKEY_SM2_ENC:
rsign = TLSEXT_signature_sm2sign;
default_nid = NID_sm2sign_with_sm3;
break;
#endif
#ifndef OPENSSL_NO_SM2
case SSL_PKEY_SM2_SIGN:
case SSL_PKEY_SM2:
rsign = TLSEXT_signature_sm2sign;
default_nid = NID_sm2sign_with_sm3;
break;
@@ -4139,9 +4132,7 @@ void tls1_set_cert_validity(SSL *s)
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
#ifndef OPENSSL_NO_SM2
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_SM2_SIGN);
#endif
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_SM2);
}
/* User level utiity function to check a chain is suitable */