
Commit 5c315bc

committed
1、解决TLS1.x的ECDH-SM2-SM3-SM4/SM2-SM3-SM4两种套件无法握手成功
2、暂去掉非SM算法的套件。
1 parent c7a611e commit 5c315bc

5 files changed

Lines changed: 55 additions & 36 deletions


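--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1871,6 +1871,12 @@ int ssl3_get_key_exchange(SSL *s)
 pkey =
 X509_get_pubkey(s->session->
 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
+# endif
+# ifndef NO_GMSSL
+else if (alg_a & SSL_aSM2)
+pkey =
+X509_get_pubkey(s->session->
+sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
 # endif
 /* else anonymous ECDH, so no certificate or pkey. */
 EC_KEY_set_public_key(ecdh, srvr_ecpoint);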
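Review bot: The new `else if (alg_a & SSL_aSM2)` branch leaves the result of `X509_get_pubkey()` unchecked, and the comment directly below still reads as if a NULL `pkey` can only mean anonymous ECDH. If the peer certificate slot is empty or its key fails to decode, `pkey` stays NULL for an SM2-authenticated suite, and whether the ServerKeyExchange signature is still required in that case depends on code after the hunk, which is not visible here. I would extend the comment to `/* else anonymous ECDH, so no certificate or pkey; a NULL pkey for aECDSA/aSM2 must be rejected below */` and confirm that the later check also covers `SSL_aSM2`. ssl3_get_key_exchange starts and ends outside the hunk.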

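--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -163,7 +163,40 @@ const char ssl3_version_str[] = "SSLv3" OPENSSL_VERSION_PTEXT;
 
 /* list of available SSLv3 ciphers (sorted by id) */
 OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+# ifndef NO_GMSSL
+/* (GmSSL specific) */
+{
+1,
+GM1_TXT_ECDHE_SM2_SM4_SM3,
+GM1_CK_ECDHE_SM2_SM4_SM3,
+SSL_kEECDH,
+SSL_aSM2,
+SSL_SM4,
+SSL_SM3,
+SSL_TLSV1_2,
+SSL_NOT_EXP|SSL_HIGH,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+128,
+128,
+},
 
+/* (GmSSL Specific) */
+{
+1,
+GM1_TXT_SM2_SM4_SM3,
+GM1_CK_SM2_SM4_SM3,
+SSL_kSM2,
+SSL_aSM2,
+SSL_SM4,
+SSL_SM3,
+SSL_TLSV1_2,
+SSL_NOT_EXP|SSL_HIGH,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+128,
+128,
+}
+# endif
+#if 0
 /* The RSA ciphers */
 /* Cipher 01 */
 {
@@ -2890,42 +2923,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 256,
 256},
 #endif
-
-#ifndef NO_GMSSL
-/* (GmSSL specific) */
-{
-1,
-GM1_TXT_ECDHE_SM2_SM4_SM3,
-GM1_CK_ECDHE_SM2_SM4_SM3,
-SSL_kEECDH,
-SSL_aSM2,
-SSL_SM4,
-SSL_SM3,
-SSL_TLSV1_2,
-SSL_NOT_EXP|SSL_HIGH,
-SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-128,
-128,
-},
-
-/* (GmSSL Specific) */
-{
-1,
-GM1_TXT_SM2_SM4_SM3,
-GM1_CK_SM2_SM4_SM3,
-SSL_kSM2,
-SSL_aSM2,
-SSL_SM4,
-SSL_SM3,
-SSL_TLSV1_2,
-SSL_NOT_EXP|SSL_HIGH,
-SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-128,
-128,
-}
-
 #endif
-
 /* end of list */
 };
 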
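Review bot: The table comment still promises "sorted by id", but the two GmSSL entries now sit at the head of `ssl3_ciphers[]` and every other suite is hidden behind a bare `#if 0` that appears to run to the `#endif` just before `/* end of list */`. The ids behind `GM1_CK_ECDHE_SM2_SM4_SM3` and `GM1_CK_SM2_SM4_SM3` are not visible here, so it cannot be confirmed that the two entries are in ascending order. If lookups into this table depend on that order, they would also break as soon as the disabled block is re-enabled. A build with `NO_GMSSL` defined would be left with an empty initializer, which is not valid C. I would record the intent next to the switch, for example `/* TEMPORARY: non-SM suites disabled; GmSSL entries must stay in id order and move back to their sorted position when this block is re-enabled */`, and replace `#if 0` with a named build option so the restriction is visible in the configuration.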

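--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -2128,7 +2128,12 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
 * chosen.
 */
 return SSL_PKEY_ECC;
-} else if (alg_a & SSL_aECDSA)
+}
+# ifndef NO_GMSSL
+else if (alg_a & SSL_aSM2)
+return SSL_PKEY_ECC;
+# endif
+else if (alg_a & SSL_aECDSA)
 return SSL_PKEY_ECC;
 else if (alg_k & SSL_kDHr)
 return SSL_PKEY_DH_RSA;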
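Review bot: `SSL_aSM2` is mapped to the same `SSL_PKEY_ECC` slot as `SSL_aECDSA`, so this function cannot tell an SM2 certificate from any other EC certificate that happens to be loaded in that slot. Unless a curve or algorithm check exists elsewhere (none is visible in this commit), a certificate on a non-SM2 curve could be selected for an SM2 suite, or the reverse. I would at least state the assumption on the new branch, `/* SM2 certificates share the ECC slot; the curve is not checked here */`, and point to wherever the certificate's curve is validated. ssl_cipher_get_cert_index starts and ends outside the hunk.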

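--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2413,6 +2413,12 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 mask_a |= SSL_aECDSA;
 emask_a |= SSL_aECDSA;
 }
+# endif
+# ifndef NO_GMSSL
+mask_a |= SSL_aSM2;
+emask_a |= SSL_aSM2;
+mask_k |= SSL_kSM2;
+emask_k |= SSL_kSM2;
 # endif
 }
 #endif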
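Review bot: The four `SSL_aSM2` / `SSL_kSM2` mask assignments are placed after the closing `}` of the block that guards the `SSL_aECDSA` lines, so they are not subject to whatever condition that block tests. The enclosing block opens outside the hunk, so the condition that still applies is not visible. As written, though, the SM2 authentication and key-exchange bits look to be enabled without any check that the loaded certificate is an SM2 certificate whose key usage permits signing or key exchange. I would gate the assignments on an explicit check of the certificate, mirroring the ECDSA case, and add a comment such as `/* SM2 suites are offered only when the ECC slot holds a usable SM2 certificate */`. Setting `emask_a` and `emask_k` (presumably the export masks) for suites declared `SSL_NOT_EXP` also deserves a short justification.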

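--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1026,6 +1026,10 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
 tlsext_sigalg_ecdsa(md)
 
 static unsigned char tls12_sigalgs[] = {
+# ifndef NO_GMSSL
+TLSEXT_hash_sm3,
+TLSEXT_signature_sm2sign,
+# endif
 # ifndef OPENSSL_NO_SHA512
 tlsext_sigalg(TLSEXT_hash_sha512)
 tlsext_sigalg(TLSEXT_hash_sha384)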
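Review bot: The SM3/SM2 pair is written as two raw bytes at the head of `tls12_sigalgs[]`, while every neighbouring entry goes through a `tlsext_sigalg*` macro, and nothing documents that the pair is now the first preference. A small macro in the style of `tlsext_sigalg_ecdsa(md)`, or at least a comment such as `/* SM3 + SM2 (GmSSL): hash id, then signature id; listed first so it is preferred */`, would keep the hash-then-signature byte order from being broken by a later edit. The code that maps these ids to a digest and a key type lies outside the hunk, so it should be confirmed that both `TLSEXT_hash_sm3` and `TLSEXT_signature_sm2sign` are handled there; otherwise the pair is advertised but cannot be verified. The array continues past the end of the hunk.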
