From cf9b04c735c6e2b1d300db0fa2cc0ff25d3e695b Mon Sep 17 00:00:00 2001 From: "tassl@tass.com.cn" Date: Sun, 7 Jun 2020 13:35:14 +0800 Subject: [PATCH] update to tassl-1.1.1b_v1.3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit update by TASS Gujq, 璇﹁tassl_demo/README. --- README | 3 + apps/apps.h | 4 + apps/opt.c | 6 + apps/pkcs7.c | 594 +++++++++++++++++++++++++++++++++++- crypto/asn1/charmap.h | 2 +- crypto/ec/ec_curve.c | 2 +- crypto/ec/ec_pmeth.c | 18 +- crypto/engine/eng_err.c | 2 + crypto/engine/eng_int.h | 1 + crypto/engine/eng_pkey.c | 31 ++ crypto/err/openssl.txt | 1 + crypto/objects/obj_dat.h | 53 +++- crypto/objects/obj_mac.num | 11 + crypto/objects/objects.txt | 22 +- include/openssl/engine.h | 6 +- include/openssl/engineerr.h | 1 + include/openssl/obj_mac.h | 39 +++ include/openssl/opensslv.h | 2 +- ssl/s3_lib.c | 22 +- ssl/statem/statem_clnt.c | 65 +++- ssl/statem/statem_lib.c | 9 +- ssl/t1_lib.c | 6 + tassl_demo/README.txt | 7 + util/libcrypto.num | 2 + 24 files changed, 874 insertions(+), 35 deletions(-) diff --git a/README b/README index d002322..ad4d2e5 100644 --- a/README +++ b/README @@ -91,3 +91,6 @@ are potentially subject to such restrictions you should seek competent professional legal advice before attempting to develop or distribute cryptographic code. + + + ./Configure linux-x86_64 --prefix=/root/tasshsm_engine/tassl --shared diff --git a/apps/apps.h b/apps/apps.h index d9eb650..b697ad9 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -594,6 +594,10 @@ void store_setup_crl_download(X509_STORE *st); # define FORMAT_HTTP 13 /* Download using HTTP */ # define FORMAT_NSS 14 /* NSS keylog format */ +#ifndef OPENSSL_NO_CNSM +# define FORMAT_BASE64_GM009_7_4 20 /* GM009-2014 7.4 sm2 base64 format */ +#endif + # define EXT_COPY_NONE 0 # define EXT_COPY_ADD 1 # define EXT_COPY_ALL 2 diff --git a/apps/opt.c b/apps/opt.c index 6668565..e3a25b2 100644 --- a/apps/opt.c +++ b/apps/opt.c 
@@ -199,6 +199,12 @@ int opt_format(const char *s, unsigned long flags, int *result) switch (*s) { default: return 0; + + case 'G': + case 'g': + *result = FORMAT_BASE64_GM009_7_4; + return 1; + case 'D': case 'd': if ((flags & OPT_FMT_PEMDER) == 0) diff --git a/apps/pkcs7.c b/apps/pkcs7.c index c3e9f5c..a35794d 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -22,7 +22,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, - OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_IN_SIGN_KEY, OPT_IN_SIGN_KEY_INDEX, OPT_IN_ENC_KEY_INDEX, OPT_NOOUT, OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_ENGINE } OPTION_CHOICE; @@ -30,6 +30,9 @@ const OPTIONS pkcs7_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, {"in", OPT_IN, '<', "Input file"}, + {"in_sign_key", OPT_IN_SIGN_KEY, '<', "Input the SM2 signature private key file generated by tasscard engine"}, + {"in_sign_key_index", OPT_IN_SIGN_KEY_INDEX, 's', "Input the SM2 signature private key index generated by tasscard engine"}, + {"in_enc_key_index", OPT_IN_ENC_KEY_INDEX, 's', "Input the SM2 encrypt private key index imported to store in tasscard engine"}, {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, {"out", OPT_OUT, '>', "Output file"}, {"noout", OPT_NOOUT, '-', "Don't output encoded data"}, 
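Review bot: The new `case 'G'` / `case 'g'` branch in opt_format() returns success without looking at `flags`, unlike the `'D'` case directly below it, which tests `OPT_FMT_PEMDER` first. Every command that parses a format option will therefore accept "G" and receive `FORMAT_BASE64_GM009_7_4`, even if it only handles PEM or DER. The macro is also defined in apps/apps.h only inside `#ifndef OPENSSL_NO_CNSM`, so the two case labels need the same guard or the build breaks when CNSM is disabled. I would add a dedicated format flag bit, set only by the pkcs7 options, and test it here before assigning `*result`. The body of opt_format() continues outside the hunk.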
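Review bot: `-in_sign_key_index` and `-in_enc_key_index` are declared with value type `'s'`, yet later in this patch they are converted with `atoi()` and range-checked against 0..64. `atoi()` returns 0 for any non-numeric string, so a mistyped argument silently selects key index 0 on the card. Declaring both with the numeric value type, e.g. `{"in_sign_key_index", OPT_IN_SIGN_KEY_INDEX, 'n', ...}`, makes the option parser reject non-numbers before pkcs7_main sees them. The `atoi(in_sign_key_index)` calls also appear to run when only `-in_sign_key` was given; the variable's initial value is not visible here, so confirm it cannot be NULL at that point.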
@@ -43,11 +46,389 @@ const OPTIONS pkcs7_options[] = { {NULL} }; +#ifndef OPENSSL_NO_CNSM +int derlen_to_bytenum(int der_len, unsigned char A[5]) +{ + int bytenum = 5; + + if( (der_len / 65536) > 255) + { + bytenum = 5; + A[0] = 0x84; + A[1] = (unsigned char)(der_len / (65536 * 256)); + A[2] = (unsigned char)( (der_len % (65536 * 256)) / 65535); + A[3] = (unsigned char)( (der_len % 66536) / 256); + A[4] = (unsigned char)( (der_len % 65536) % 256); + } + else if( (der_len / 256) > 255) + { + bytenum = 4; + A[0] = 0x83; + A[1] = (unsigned char)(der_len / 65536); + A[2] = (unsigned char)( (der_len % 65536) / 256); + A[3] = (unsigned char)( (der_len % 65536) % 256); + } + else if(der_len > 255) + { + bytenum = 3; + A[0] = 0x82; + A[1] = (unsigned char)(der_len / 256); + A[2] = (unsigned char)(der_len % 256); + } + else if(der_len > 127) + { + bytenum = 2; + A[0] = 0x81; + A[1] = (unsigned char)(der_len); + } + else + { + bytenum = 1; + A[0] = (unsigned char)(der_len); + } + return(bytenum); +} + + + +int bytenum_to_derlen(unsigned char *bytes, int *lenlength, int *len) +{ + if(bytes[0] > 0x84) + return -2; + + switch(bytes[0]) + { + case 0x81: + *lenlength = 2; + *len = bytes[1]; + break; + + case 0x82: + *lenlength = 3; + *len = bytes[1] * 256 + bytes[2]; + break; + + default: + *lenlength = 1; + *len = bytes[0]; + } + return 0; +} + + +int static dder_integer(unsigned char *der, unsigned char **ppinteger, int *contentlen, int *totallen) +{ + int lencodelen, offset, integerlen, dr; + + if(der[0] != 0x02) + return -1; + dr = bytenum_to_derlen(der + 1, &lencodelen, &integerlen); + if(dr != 0) + return dr; + offset = 1 + lencodelen; + *totallen = 1 + lencodelen + integerlen; + if(der[offset] == 0x00) + { + integerlen--; + offset++; + } + *ppinteger = der + offset; + *contentlen = integerlen; + return 0; +} + + +//解字符串Der +int static dder_strstr(unsigned char *der, unsigned char **ppoctstr, int *contentlen, int *totallen) +{ + int lencodelen, offset, octectstrlen, dr; + + 
if(der[0] != 0x04 && der[0] != 0x80 && der[0] != 0x06 && der[0] != 0x05 && der[0] != 0x03) + return -1; + dr = bytenum_to_derlen(der+1,&lencodelen,&octectstrlen); + if(dr != 0) + return dr; + offset = 1+lencodelen; + *totallen = 1+lencodelen+octectstrlen; + *ppoctstr = der+offset; + *contentlen = octectstrlen; + return 0; +} + +EC_KEY *calculate_sm2_key(const char *privkey_bin_string) +{ + EC_KEY *ec_key = NULL; + EC_POINT *pubkey = NULL; + BIGNUM *privkey = NULL; + EC_GROUP *group = NULL; + + group = EC_GROUP_new_by_curve_name(NID_sm2); + if (group == NULL) + { + BIO_printf(bio_err, "Error Of Create curve of SM2\n"); + goto err; + } + + if((privkey = BN_bin2bn((const unsigned char*)privkey_bin_string, 32, NULL)) == NULL){ + BIO_printf(bio_err, "bin2bn fail!\n"); + goto err; + } + if ((pubkey = EC_POINT_new(group)) == NULL) goto err; + if (!ec_key) + { + ec_key = EC_KEY_new(); + if (!ec_key) goto err; + if (!EC_KEY_set_group(ec_key, group)) + { + EC_KEY_free(ec_key); + ec_key = NULL; + goto err; + } + } + + if (!EC_POINT_mul(group, pubkey, privkey, NULL, NULL, NULL)) + { + EC_KEY_free(ec_key); + ec_key = NULL; + goto err; + } + + if (!EC_KEY_set_private_key(ec_key, privkey) || !EC_KEY_set_public_key(ec_key, pubkey)) + { + EC_KEY_free(ec_key); + ec_key = NULL; + goto err; + } + +err: + if (privkey) BN_free(privkey); + if (pubkey) EC_POINT_free(pubkey); + if(group) EC_GROUP_free(group); + + return ec_key; +} + + + +//解析国密SM2双证私钥文件 +int DDer_SM2Prikey_ByDoubleFile( unsigned char *DerBuf, int DerBufLen, int *iAlgflg, unsigned char **pucSymkeyCiph, int *iSymLen, unsigned char **pucSM2keyCiph, int *iEccLen ) +{ + unsigned char *p = DerBuf, *tmp = NULL; + int rv; + unsigned char pucSm2EncOid[] = {0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x82, 0x2D, 0x03}; + unsigned char pucSm1Oid[] = {0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x66}; + + + int lencodelen, len, unitlen, iTmpLen; + + 
/****************************************************************总集合****************************************/ + if( p[0] != 0x30 ) + return 1; + p += 1; + //解析总编码长度并校验 + rv = bytenum_to_derlen( p, &lencodelen, &len); + if(rv != 0) + return rv; + if(1 + lencodelen + len != DerBufLen ) + return 2; + p += lencodelen; + + //版本号 - 仅解析不存储 + rv = dder_integer( p, &tmp, &iTmpLen, &unitlen ); + if( rv ) + return rv; + p += unitlen; + + /*********************对称密钥密文集合*****************/ + //二级集合长度 + if( p[0] != 0x31 ) + return 3; + p += 1; + rv = bytenum_to_derlen( p, &lencodelen, &len); + if(rv != 0) + return rv; + p += lencodelen; + + //三级集合长度 + if( p[0] != 0x30 ) + return 4; + p += 1; + rv = bytenum_to_derlen( p, &lencodelen, &len); + if(rv != 0) + return rv; + p += lencodelen; + + //版本号 - 仅解析不存储 + tmp = NULL; + rv = dder_integer( p, &tmp, &iTmpLen, &unitlen ); + if( rv ) + return rv; + p += unitlen; + + //跳过不处理 + if( p[0] != 0x30 ) + return 5; + p += 1; + rv = bytenum_to_derlen( p, &lencodelen, &len); + if(rv != 0) + return rv; + p += lencodelen+len; + + //SM2加密OID + if( p[0] != 0x30 ) + return 6; + p += 1; + rv = bytenum_to_derlen( p, &lencodelen, &len); + if(rv != 0) + return rv; + p += lencodelen; + + //比对sm2encrypt-oid: 1.2.156.10197.1.301.3 + tmp = NULL; + rv = dder_strstr( p, &tmp, &iTmpLen, &unitlen ); + if( rv != 0 ) + return rv; + + if( memcmp( pucSm2EncOid, tmp, iTmpLen ) ) + { + printf("SM2 Enc OID Is Failed."); + return 7; + } + + p += unitlen; + /* Log_Trace1("tmp", tmp, iTmpLen); */ + + //对称密钥密文 + rv = dder_strstr( p, pucSymkeyCiph, iSymLen, &unitlen ); + if( rv != 0 ) + return rv; + p += unitlen; + + /********************************** 忽略该集合 ****************************/ + if( p[0] != 0x31 ) + return 9; + rv = bytenum_to_derlen( &p[1], &lencodelen, &len); + if(rv != 0) + return rv; + p += lencodelen+len+1; + + /******************************** SM2私钥密文 ***************************/ + if( p[0] != 0x30 ) + return 10; + p += 1; + rv = bytenum_to_derlen( p, 
&lencodelen, &len); + if(rv != 0) + return rv; + p += lencodelen; + + //oid忽略 + tmp = NULL; + rv = dder_strstr( p, &tmp, &iTmpLen, &unitlen ); + if( rv != 0 ) + return rv; + p += unitlen; + + if( p[0] != 0x30 ) + return 11; + p += 1; + rv = bytenum_to_derlen( p, &lencodelen, &len); + if(rv != 0) + return rv; + p += lencodelen; + + //比对对称加密算法OID + tmp = NULL; + rv = dder_strstr( p, &tmp, &iTmpLen, &unitlen ); + if( rv != 0 ) + return rv; + + /* unsigned char pucSm4Oid[] = {0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x66} */ + if( memcmp( tmp, pucSm1Oid, iTmpLen ) == 0 ) + { + *iAlgflg = 1; + } + else{ + *iAlgflg = 2; + } + + p += unitlen; + + //sm2私钥密文 + rv = dder_strstr( p, pucSM2keyCiph, iEccLen, &unitlen ); + if( rv != 0 ) + return rv; + p += unitlen; + + /**************************************该集合忽略***********************************/ + if( p[0] != 0xA0 ) + return 12; + p += 1; + rv = bytenum_to_derlen( p, &lencodelen, &len); + if(rv != 0) + return rv; + p += lencodelen + len; + + /**************************************该集合忽略***********************************/ + if( p[0] != 0x31 ) + return 13; + p += 1; + rv = bytenum_to_derlen( p, &lencodelen, &len); + if(rv != 0) + return rv; + p += lencodelen + len; + + if( (int)(p-DerBuf) != DerBufLen ) + return 14; + + return 0; +} + +int b2s(char *bin, char *outs) +{ + int i = 0; + char tmpbuf[4]; + int iRet = 0; + char *ptr = bin; + for(i = 0; i=0 && atoi(in_sign_key_index) <=64){ + printf("do nothing, use the card ENGINE_convert_private_key do all the parse!\n"); + }else{ + memcpy(t_buf, in_buf+15, 2); //3079 + iSymLen = *(unsigned char *)(t_buf+1); //the t_buf[1] bytes len, like 0x79. 
+ memcpy(t_buf+2, in_buf+15+2, iSymLen); + + iSymLen += 2; //add the head of 0x3079 + pucSymkeyCiph = t_buf; + + iEccLen = 64; + pucSM2keyCiph = (unsigned char *)in_buf + in_len - 64; //get the last 64 bytes as the ciphered enc private key + } + + }else{ + in_len -= 20; //jump the header of sequence: 3082049D 060A2A811CCF550601040204 A082048D + + if( 0 != DDer_SM2Prikey_ByDoubleFile((unsigned char *)in_buf + 20, in_len, &iAlgflg, &pucSymkeyCiph, &iSymLen, &pucSM2keyCiph, &iEccLen )){ + BIO_printf(bio_err, "DDer_SM2Prikey_ByDoubleFile fail!\n"); + goto end; + } + } + if(atoi(in_sign_key_index)>=0 && atoi(in_sign_key_index) <=64){ + + }else{ + /* 11111-Parse the ciphered sm4 key by the sm2 sign private key */ + if(infile_sign_key != NULL){ + in_sign_key = bio_open_default(infile_sign_key, 'r', informat); + if (in_sign_key == NULL) + goto end; + pkey_dec = PEM_read_bio_PrivateKey(in_sign_key, NULL, NULL, NULL); + }else if(in_sign_key_index != NULL){ + pkey_dec = ENGINE_load_private_key(e, in_sign_key_index, NULL, NULL); + } + + pctx_dec = EVP_PKEY_CTX_new_pkey_id(pkey_dec, NID_sm2, NULL); + if (!pctx_dec) + { + BIO_printf(bio_err, "Create EVP_PKEY_CTX dec Error.\n"); + goto end; + } + + if (EVP_PKEY_decrypt_init(pctx_dec) != 1) + { + BIO_printf(bio_err, "Error Of EVP_PKEY_decrypt_init dec.\n"); + goto end; + } + + /*Calculate Cipher Text Length*/ + if (EVP_PKEY_decrypt(pctx_dec, NULL, &outlen_dec, pucSymkeyCiph, iSymLen) != 1) + { + BIO_printf(bio_err, "Error Of len EVP_PKEY_decrypt use the sign key to dec the symkeycipher.\n"); + goto end; + } + + out_dec = OPENSSL_malloc(outlen_dec+1); + if (!out_dec) + { + BIO_printf(bio_err, "Error Of Alloc dec memory.\n"); + goto end; + } + + if (EVP_PKEY_decrypt(pctx_dec, out_dec, &outlen_dec, pucSymkeyCiph, iSymLen) != 1) + { + BIO_printf(bio_err, "Error Of EVP_PKEY_decrypt use the sign key to dec the symkeycipher.\n"); + goto end; + } + out_dec[outlen_dec] = '\0'; + + + /* 22222-Use the plain sm4 key to dec the sm2 enc key */ 
+ //unsigned char key[] = "0123456789"; + if((ctx = EVP_CIPHER_CTX_new()) == NULL){ + BIO_printf(bio_err, "ctx new fail!\n"); + goto end; + } + + + EVP_CIPHER_CTX_init(ctx); + EVP_CipherInit_ex(ctx, EVP_sm4_ecb(), NULL, out_dec, NULL, 0); + + EVP_CIPHER_CTX_set_padding(ctx, 0); + + if(!EVP_CipherUpdate(ctx, ucSM2key_enc, &outlen, pucSM2keyCiph, iEccLen)) + { + BIO_printf(bio_err, "EVP_CipherUpdate fail!\n"); + goto end; + } + + if(!EVP_DecryptFinal_ex(ctx, ucSM2key_enc + outlen, &tmplen)) + { + BIO_printf(bio_err, "EVP_EncryptFinal_ex fail!\n"); + goto end; + } + outlen += tmplen; + + + EVP_CIPHER_CTX_cleanup(ctx); + } + + + /* 33333-write the enc key to outfile*/ + if(e){ + if(atoi(in_enc_key_index)>=0 && atoi(in_enc_key_index) <=64){ //input the enc key index, import the enc key to tasscard + //use the in_buf[in_len] store the in_sign_key_index + in_buf[in_len] = atoi(in_sign_key_index); + ENGINE_convert_private_key(e, (const char *)in_buf, in_len, NULL, in_enc_key_index); + }else{ + ENGINE_convert_private_key(e, (const char *)ucSM2key_enc+32, 32, (unsigned char *)outfile, NULL); + } + } + + else{ + EC_KEY *ec_key = NULL; + BIO *mem_b = NULL; + ec_key = calculate_sm2_key((const char *)ucSM2key_enc+32); + if(ec_key == NULL){ + BIO_printf(bio_err,"calculate_sm2_key fail, may be you forget specifies the -engine when using a signed key generated by tasscard engine!\n", outfile); + goto end; + } + + if(outfile != NULL){ + mem_b=BIO_new_file(outfile,"w"); + if(mem_b == NULL){ + BIO_printf(bio_err,"open key_outfile %s fail!\n", outfile); + goto end; + } + }else{ + mem_b= BIO_new_fp(stdout, BIO_NOCLOSE); + if(mem_b == NULL){ + BIO_printf(bio_err,"open stderr fail!\n"); + goto end; + } + } + + ret= PEM_write_bio_ECPrivateKey(mem_b, ec_key, NULL, NULL, 0, NULL, NULL); + if(ret!=1) + { + goto end; + } + if(mem_b) BIO_free(mem_b); + if(ec_key) EC_KEY_free(ec_key); + } + + ret = 0; + goto end; + + + } +#endif + if (informat == FORMAT_ASN1) p7 = d2i_PKCS7_bio(in, NULL); else 
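Review bot: The hand-written DER helpers in this hunk never compare a decoded length with the bytes actually left in the buffer. `DDer_SM2Prikey_ByDoubleFile` advances `p` by `lencodelen + len` taken from the key file and only tests `(int)(p-DerBuf) != DerBufLen` after all reads have happened, so a malformed file can cause reads past the end of `DerBuf`. `bytenum_to_derlen` lets 0x80, 0x83 and 0x84 fall into `default:` and reports them as one-byte lengths, and `memcmp( pucSm2EncOid, tmp, iTmpLen )` trusts the parsed `iTmpLen` instead of requiring it to equal `sizeof(pucSm2EncOid)`, so a zero length passes the OID check and a large one reads past the array. Each step should check the remaining length before dereferencing or advancing `p`, and the length decoder should reject the forms it does not implement, as sketched below. Separately, `derlen_to_bytenum` uses `65535` and `66536` in its five-byte branch where `65536` is evidently meant.

```c
int bytenum_to_derlen(unsigned char *bytes, int *lenlength, int *len)
{
    /* Short form: a single byte carrying a length of 0..127. */
    if (bytes[0] < 0x80) {
        *lenlength = 1;
        *len = bytes[0];
        return 0;
    }

    /*
     * Long form: only one and two length bytes are implemented here.
     * Indefinite length (0x80) and wider encodings (0x83, 0x84, ...) are
     * rejected instead of being read as a short-form length.
     */
    switch (bytes[0]) {
    case 0x81:
        *lenlength = 2;
        *len = bytes[1];
        return 0;
    case 0x82:
        *lenlength = 3;
        *len = bytes[1] * 256 + bytes[2];
        return 0;
    default:
        return -2;
    }
}
```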
@@ -128,12 +699,14 @@ int pkcs7_main(int argc, char **argv) i = OBJ_obj2nid(p7->type); switch (i) { case NID_pkcs7_signed: + case NID_pkcs7_sm2_signed: if (p7->d.sign != NULL) { certs = p7->d.sign->cert; crls = p7->d.sign->crl; } break; case NID_pkcs7_signedAndEnveloped: + case NID_pkcs7_sm2_signedAndEnveloped: if (p7->d.signed_and_enveloped != NULL) { certs = p7->d.signed_and_enveloped->cert; crls = p7->d.signed_and_enveloped->crl; @@ -189,10 +762,25 @@ int pkcs7_main(int argc, char **argv) } } ret = 0; - end: + +end: PKCS7_free(p7); release_engine(e); +#ifndef OPENSSL_NO_CNSM + if(b64) + BIO_free(b64); + BIO_free(in_sign_key); + if(pctx_dec) + EVP_PKEY_CTX_free(pctx_dec); + if(ctx) + EVP_CIPHER_CTX_free(ctx); + if(out_dec) + OPENSSL_free(out_dec); + if(pkey_dec) + EVP_PKEY_free(pkey_dec); +#endif BIO_free(in); BIO_free_all(out); + return ret; } diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h index f15d72d..cac354c 100644 --- a/crypto/asn1/charmap.h +++ b/crypto/asn1/charmap.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/asn1/charmap.pl * - * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index bb1ce19..0936c7b 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -3119,7 +3119,7 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid) size_t i; EC_GROUP *ret = NULL; - if (nid <= 0) + if (nid < 0) return NULL; for (i = 0; i < curve_list_length; i++) diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index 123fb70..6a631ce 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c 
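Review bot: The cleanup added under `end:` releases `out_dec` with plain `OPENSSL_free(out_dec)`, although that buffer holds the SM4 key recovered by `EVP_PKEY_decrypt` earlier in this patch, so the key stays readable in freed heap memory. Use `OPENSSL_clear_free(out_dec, outlen_dec);` instead. The buffer that receives the decrypted SM2 private key should be wiped as well, e.g. `OPENSSL_cleanse(ucSM2key_enc, sizeof(ucSM2key_enc));`, assuming it is an array; its declaration is not visible here. The `if(...)` guards in front of the free calls can go, since these free functions accept NULL. pkcs7_main starts outside this hunk.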
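Review bot: Relaxing the guard in EC_GROUP_new_by_curve_name() to `if (nid < 0)` lets `NID_undef` (0) reach the curve-list search, and nothing in the visible hunk or the commit message says which caller needs that. If some caller in this patch passes 0 because a NID lookup failed, that caller should be fixed rather than this check loosened. Otherwise keep `if (nid <= 0)`, or add a comment above the test stating why 0 must be accepted. The function body continues outside the hunk.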
@@ -236,13 +236,22 @@ static int pkey_ec_sm2dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, } outlen = *keylen; -#ifdef TASSL_DEBUG +#ifdef GU_DEBUG unsigned char *self_pub = NULL; + unsigned char self_priv[64] = {0}; unsigned char *self_tmp_pub = NULL; + unsigned char self_tmp_priv[64] = {0}; unsigned char *peer_pub = NULL; unsigned char *peer_tmp_pub = NULL; int i = 0; + printf("self_priv:"); + EC_KEY_priv2oct(ctx->pkey->pkey.ec, self_priv, 64); + for(i=0; i<32; i++){ + printf("%02X", *(self_priv+i)); + } + printf("\n"); + printf("self_pub:"); EC_KEY_key2buf(ctx->pkey->pkey.ec, EC_KEY_get_conv_form(ctx->pkey->pkey.ec), &self_pub, NULL); for(i=0; i<65; i++){ @@ -250,6 +259,13 @@ static int pkey_ec_sm2dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, } printf("\n"); + printf("self_tmp_priv:"); + EC_KEY_priv2oct(dctx->self_ecdhe_key, self_tmp_priv, 64); + for(i=0; i<32; i++){ + printf("%02X", *(self_tmp_priv+i)); + } + printf("\n"); + printf("self_tmp_pub:"); EC_KEY_key2buf(dctx->self_ecdhe_key, EC_KEY_get_conv_form(dctx->self_ecdhe_key), &self_tmp_pub, NULL); for(i=0; i<65; i++){ diff --git a/crypto/engine/eng_err.c b/crypto/engine/eng_err.c index 2a1ed32..0ff7434 100644 --- a/crypto/engine/eng_err.c +++ b/crypto/engine/eng_err.c @@ -25,6 +25,8 @@ static const ERR_STRING_DATA ENGINE_str_functs[] = { {ERR_PACK(ERR_LIB_ENGINE, ENGINE_F_ENGINE_BY_ID, 0), "ENGINE_by_id"}, {ERR_PACK(ERR_LIB_ENGINE, ENGINE_F_ENGINE_CMD_IS_EXECUTABLE, 0), "ENGINE_cmd_is_executable"}, + {ERR_PACK(ERR_LIB_ENGINE, ENGINE_F_ENGINE_CONVERT_PRIVATE_KEY, 0), + "ENGINE_convert_private_key"}, {ERR_PACK(ERR_LIB_ENGINE, ENGINE_F_ENGINE_CTRL, 0), "ENGINE_ctrl"}, {ERR_PACK(ERR_LIB_ENGINE, ENGINE_F_ENGINE_CTRL_CMD, 0), "ENGINE_ctrl_cmd"}, {ERR_PACK(ERR_LIB_ENGINE, ENGINE_F_ENGINE_CTRL_CMD_STRING, 0), diff --git a/crypto/engine/eng_int.h b/crypto/engine/eng_int.h index e6a7517..ee4d3b9 100644 --- a/crypto/engine/eng_int.h +++ b/crypto/engine/eng_int.h 
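Review bot: The debug block now writes the long-term private key (`self_priv`) to stdout with `printf`, and the next hunk (@@ -250,6 +259,13) does the same for the ephemeral private key (`self_tmp_priv`). Any build with `GU_DEBUG` defined will put key material into terminal scrollback and captured logs. The return values of `EC_KEY_priv2oct` are ignored while the loops print a fixed 32 bytes, and the 64-byte stack buffers are never wiped. I would drop the private-key dumps and keep only the public values; if they must stay, check the returned length and call `OPENSSL_cleanse(self_priv, sizeof(self_priv));` and the equivalent for `self_tmp_priv` after printing. pkey_ec_sm2dh_derive starts and ends outside these hunks.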
@@ -149,6 +149,7 @@ struct engine_st { int tass_flags; //0=plain premaster key input 1=cipher premasterkey input ENGINE_SSL_GEN_MASTER_PTR ssl_generate_master_secret; ENGINE_TLS1_GEN_KEY_BLOCK_PTR tls1_generate_key_block; + ENGINE_CONVERT_KEY_PTR convert_privkey; #endif const ENGINE_CMD_DEFN *cmd_defns; int flags; diff --git a/crypto/engine/eng_pkey.c b/crypto/engine/eng_pkey.c index 893f479..05d1213 100644 --- a/crypto/engine/eng_pkey.c +++ b/crypto/engine/eng_pkey.c @@ -48,6 +48,13 @@ int ENGINE_set_tls1_generate_key_block_function(ENGINE *e, e->tls1_generate_key_block = tls1_gen_key_block_f; return 1; } + +int ENGINE_set_convert_privkey_function(ENGINE *e, + ENGINE_CONVERT_KEY_PTR convertpriv_f) +{ + e->convert_privkey = convertpriv_f; + return 1; +} #endif ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e) @@ -206,4 +213,28 @@ int ENGINE_tls1_generate_key_block(ENGINE *e, SSL *s, unsigned char *km, size_t return e->tls1_generate_key_block(e, s, km, num); } +int ENGINE_convert_private_key(ENGINE *e, const char *pri, size_t pri_len, unsigned char *out_file, void *callback_data) +{ + + if (e == NULL) { + ENGINEerr(ENGINE_F_ENGINE_CONVERT_PRIVATE_KEY, + ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + /*CRYPTO_THREAD_write_lock(global_engine_lock); + if (e->funct_ref == 0) { + CRYPTO_THREAD_unlock(global_engine_lock); + ENGINEerr(ENGINE_F_ENGINE_CONVERT_PRIVATE_KEY, + ENGINE_R_NOT_INITIALISED); + return 0; + } + CRYPTO_THREAD_unlock(global_engine_lock);*/ + if (!e->convert_privkey) { + ENGINEerr(ENGINE_F_ENGINE_CONVERT_PRIVATE_KEY, + ENGINE_R_NO_LOAD_FUNCTION); + return 0; + } + return e->convert_privkey(e, pri, pri_len, out_file, callback_data); +} + #endif \ No newline at end of file diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 07dc680..485f36f 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt 
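Review bot: ENGINE_convert_private_key() is added with its `funct_ref` check commented out, so it calls `e->convert_privkey` even when the engine has no functional reference, i.e. has not been initialised. Either restore the `global_engine_lock` / `ENGINE_R_NOT_INITIALISED` block or delete it and put a comment in its place explaining why this entry point may run on an uninitialised engine. The function also needs a short header comment: `pri` is typed `const char *`, but the caller in apps/pkcs7.c passes raw key bytes with an explicit length, and `out_file` is a file name carried in an `unsigned char *`. Something like `/* pri: pri_len raw bytes, not NUL-terminated; out_file: output path or NULL; callback_data: engine-specific, may be NULL */` would do.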
@@ -681,6 +681,7 @@ ENGINE_F_DYNAMIC_SET_DATA_CTX:183:dynamic_set_data_ctx ENGINE_F_ENGINE_ADD:105:ENGINE_add ENGINE_F_ENGINE_BY_ID:106:ENGINE_by_id ENGINE_F_ENGINE_CMD_IS_EXECUTABLE:170:ENGINE_cmd_is_executable +ENGINE_F_ENGINE_CONVERT_PRIVATE_KEY:203:ENGINE_convert_private_key ENGINE_F_ENGINE_CTRL:142:ENGINE_ctrl ENGINE_F_ENGINE_CTRL_CMD:178:ENGINE_ctrl_cmd ENGINE_F_ENGINE_CTRL_CMD_STRING:171:ENGINE_ctrl_cmd_string diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index ba71ce6..31fa631 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -10,7 +10,7 @@ */ /* Serialized OID's */ -static const unsigned char so[7770] = { +static const unsigned char so[7845] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ 
@@ -1077,9 +1077,17 @@ static const unsigned char so[7770] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0C, /* [ 7745] OBJ_hmacWithSHA512_224 */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ 0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x75, /* [ 7761] OBJ_sm3WithSM2Sign */ + 0x2A,0x81,0x1C,0xCF,0x55,0x06, /* [ 7769] OBJ_sm_pkcs */ + 0x2A,0x81,0x1C,0xCF,0x55,0x06,0x01,0x04,0x02, /* [ 7775] OBJ_sm_pkcs7 */ + 0x2A,0x81,0x1C,0xCF,0x55,0x06,0x01,0x04,0x02,0x01, /* [ 7784] OBJ_pkcs7_sm2_data */ + 0x2A,0x81,0x1C,0xCF,0x55,0x06,0x01,0x04,0x02,0x02, /* [ 7794] OBJ_pkcs7_sm2_signed */ + 0x2A,0x81,0x1C,0xCF,0x55,0x06,0x01,0x04,0x02,0x03, /* [ 7804] OBJ_pkcs7_sm2_enveloped */ + 0x2A,0x81,0x1C,0xCF,0x55,0x06,0x01,0x04,0x02,0x04, /* [ 7814] OBJ_pkcs7_sm2_signedAndEnveloped */ + 0x2A,0x81,0x1C,0xCF,0x55,0x06,0x01,0x04,0x02,0x05, /* [ 7824] OBJ_pkcs7_sm2_encryptedData */ + 0x2A,0x81,0x1C,0xCF,0x55,0x06,0x01,0x04,0x02,0x06, /* [ 7834] OBJ_pkcs7_sm2_keyAgreementInfo */ }; -#define NUM_NID 1196 +#define NUM_NID 1207 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, 
@@ -2277,9 +2285,20 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, {"SM2-SM3", "sm3WithSM2Sign", NID_sm3WithSM2Sign, 8, &so[7761]}, + {"sm-pkcs", "sm-pkcs", NID_sm_pkcs, 6, &so[7769]}, + {"sm-pkcs7", "china pkcs7 series", NID_sm_pkcs7, 9, &so[7775]}, + {"pkcs7_sm2_data", "pkcs7_sm2_data", NID_pkcs7_sm2_data, 10, &so[7784]}, + {"pkcs7_sm2_signed", "pkcs7_sm2_signed", NID_pkcs7_sm2_signed, 10, &so[7794]}, + {"pkcs7_sm2_enveloped", "pkcs7_sm2_enveloped", NID_pkcs7_sm2_enveloped, 10, &so[7804]}, + { NULL, NULL, NID_undef }, + { NULL, NULL, NID_undef }, + { NULL, NULL, NID_undef }, + {"pkcs7_sm2_signedAndEnveloped", "pkcs7_sm2_signedAndEnveloped", NID_pkcs7_sm2_signedAndEnveloped, 10, &so[7814]}, + {"pkcs7_sm2_encryptedData", "pkcs7_sm2_encryptedData", NID_pkcs7_sm2_encryptedData, 10, &so[7824]}, + {"pkcs7_sm2_keyAgreementInfo", "pkcs7_sm2_keyAgreementInfo", NID_pkcs7_sm2_keyAgreementInfo, 10, &so[7834]}, }; -#define NUM_SN 1187 +#define NUM_SN 1195 static const unsigned int sn_objs[NUM_SN] = { 364, /* "AD_DVCS" */ 419, /* "AES-128-CBC" */ @@ -3184,6 +3203,12 @@ static const unsigned int sn_objs[NUM_SN] = { 23, /* "pkcs7-envelopedData" */ 24, /* "pkcs7-signedAndEnvelopedData" */ 22, /* "pkcs7-signedData" */ + 1198, /* "pkcs7_sm2_data" */ + 1205, /* "pkcs7_sm2_encryptedData" */ + 1200, /* "pkcs7_sm2_enveloped" */ + 1206, /* "pkcs7_sm2_keyAgreementInfo" */ + 1199, /* "pkcs7_sm2_signed" */ + 1204, /* "pkcs7_sm2_signedAndEnveloped" */ 151, /* "pkcs8ShroudedKeyBag" */ 47, /* "pkcs9" */ 401, /* "policyConstraints" */ @@ -3406,6 +3431,8 @@ static const unsigned int sn_objs[NUM_SN] = { 52, /* "signingTime" */ 454, /* "simpleSecurityObject" */ 496, /* "singleLevelQuality" */ + 1196, /* "sm-pkcs" */ + 1197, /* "sm-pkcs7" */ 1142, /* "sm-scheme" */ 387, /* "snmpv2" */ 660, /* "street" */ 
@@ -3470,7 +3497,7 @@ static const unsigned int sn_objs[NUM_SN] = { 1093, /* "x509ExtAdmission" */ }; -#define NUM_LN 1187 +#define NUM_LN 1195 static const unsigned int ln_objs[NUM_LN] = { 363, /* "AD Time Stamping" */ 405, /* "ANSI X9.62" */ @@ -3851,6 +3878,7 @@ static const unsigned int ln_objs[NUM_LN] = { 1018, /* "chacha20-poly1305" */ 54, /* "challengePassword" */ 407, /* "characteristic-two-field" */ + 1197, /* "china pkcs7 series" */ 395, /* "clearance" */ 633, /* "cleartext track 2" */ 894, /* "cmac" */ @@ -4359,6 +4387,12 @@ static const unsigned int ln_objs[NUM_LN] = { 23, /* "pkcs7-envelopedData" */ 24, /* "pkcs7-signedAndEnvelopedData" */ 22, /* "pkcs7-signedData" */ + 1198, /* "pkcs7_sm2_data" */ + 1205, /* "pkcs7_sm2_encryptedData" */ + 1200, /* "pkcs7_sm2_enveloped" */ + 1206, /* "pkcs7_sm2_keyAgreementInfo" */ + 1199, /* "pkcs7_sm2_signed" */ + 1204, /* "pkcs7_sm2_signedAndEnveloped" */ 151, /* "pkcs8ShroudedKeyBag" */ 47, /* "pkcs9" */ 1061, /* "poly1305" */ @@ -4601,6 +4635,7 @@ static const unsigned int ln_objs[NUM_LN] = { 454, /* "simpleSecurityObject" */ 496, /* "singleLevelQuality" */ 1062, /* "siphash" */ + 1196, /* "sm-pkcs" */ 1142, /* "sm-scheme" */ 1172, /* "sm2" */ 1143, /* "sm3" */ @@ -4661,7 +4696,7 @@ static const unsigned int ln_objs[NUM_LN] = { 125, /* "zlib compression" */ }; -#define NUM_OBJ 1072 +#define NUM_OBJ 1080 static const unsigned int obj_objs[NUM_OBJ] = { 0, /* OBJ_undef 0 */ 181, /* OBJ_iso 1 */ @@ -4990,6 +5025,7 @@ static const unsigned int obj_objs[NUM_OBJ] = { 745, /* OBJ_wap_wsg_idm_ecid_wtls12 2 23 43 1 4 12 */ 804, /* OBJ_whirlpool 1 0 10118 3 0 55 */ 1142, /* OBJ_sm_scheme 1 2 156 10197 1 */ + 1196, /* OBJ_sm_pkcs 1 2 156 10197 6 */ 773, /* OBJ_kisa 1 2 410 200004 */ 807, /* OBJ_id_GostR3411_94_with_GostR3410_2001 1 2 643 2 2 3 */ 808, /* OBJ_id_GostR3411_94_with_GostR3410_94 1 2 643 2 2 4 */ 
@@ -5343,6 +5379,7 @@ static const unsigned int obj_objs[NUM_OBJ] = { 439, /* OBJ_pilotAttributeSyntax 0 9 2342 19200300 100 3 */ 440, /* OBJ_pilotObjectClass 0 9 2342 19200300 100 4 */ 441, /* OBJ_pilotGroups 0 9 2342 19200300 100 10 */ + 1197, /* OBJ_sm_pkcs7 1 2 156 10197 6 1 4 2 */ 1065, /* OBJ_aria_128_ecb 1 2 410 200046 1 1 1 */ 1066, /* OBJ_aria_128_cbc 1 2 410 200046 1 1 2 */ 1067, /* OBJ_aria_128_cfb128 1 2 410 200046 1 1 3 */ @@ -5602,6 +5639,12 @@ static const unsigned int obj_objs[NUM_OBJ] = { 455, /* OBJ_pilotOrganization 0 9 2342 19200300 100 4 20 */ 456, /* OBJ_pilotDSA 0 9 2342 19200300 100 4 21 */ 457, /* OBJ_qualityLabelledData 0 9 2342 19200300 100 4 22 */ + 1198, /* OBJ_pkcs7_sm2_data 1 2 156 10197 6 1 4 2 1 */ + 1199, /* OBJ_pkcs7_sm2_signed 1 2 156 10197 6 1 4 2 2 */ + 1200, /* OBJ_pkcs7_sm2_enveloped 1 2 156 10197 6 1 4 2 3 */ + 1204, /* OBJ_pkcs7_sm2_signedAndEnveloped 1 2 156 10197 6 1 4 2 4 */ + 1205, /* OBJ_pkcs7_sm2_encryptedData 1 2 156 10197 6 1 4 2 5 */ + 1206, /* OBJ_pkcs7_sm2_keyAgreementInfo 1 2 156 10197 6 1 4 2 6 */ 1152, /* OBJ_dstu28147 1 2 804 2 1 1 1 1 1 1 */ 1156, /* OBJ_hmacWithDstu34311 1 2 804 2 1 1 1 1 1 2 */ 1157, /* OBJ_dstu34311 1 2 804 2 1 1 1 1 2 1 */ diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index c470e5a..d09ac4b 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -1193,3 +1193,14 @@ magma_mac 1192 hmacWithSHA512_224 1193 hmacWithSHA512_256 1194 sm3WithSM2Sign 1195 +sm_pkcs 1196 +sm_pkcs7 1197 +pkcs7_sm2_data 1198 +pkcs7_sm2_signed 1199 +pkcs7_sm2_enveloped 1200 +pkcs7_sm2_signedandenveloped 1201 +pkcs7_sm2_encrypteddata 1202 +pkcs7_sm2_keyagreementinfo 1203 +pkcs7_sm2_signedAndEnveloped 1204 +pkcs7_sm2_encryptedData 1205 +pkcs7_sm2_keyAgreementInfo 1206 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index df2a9ec..ed5ee28 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt 
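Review bot: The lowercase entries `pkcs7_sm2_signedandenveloped 1201`, `pkcs7_sm2_encrypteddata 1202` and `pkcs7_sm2_keyagreementinfo 1203` in obj_mac.num look like leftovers from an earlier generator run. The obj_mac.h and obj_dat.h hunks on this page assign 1204 to 1206 to the mixed-case names and fill 1201 to 1203 with `{ NULL, NULL, NID_undef }` placeholders. NID numbers are effectively permanent once a release ships, so I would remove the three stale lines and regenerate before publishing, which gives the new objects the contiguous range 1196 to 1203 and removes the holes from `nid_objs`.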
@@ -39,6 +39,8 @@ X9-57 4 : X9cm : X9.57 CM ? member-body 156 : ISO-CN : ISO CN Member Body ISO-CN 10197 : oscca oscca 1 : sm-scheme +oscca 6 : sm-pkcs + !Cname dsa X9cm 1 : DSA : dsaEncryption @@ -380,13 +382,23 @@ rsadsi 2 5 : MD5 : md5 rsadsi 2 6 : : hmacWithMD5 rsadsi 2 7 : : hmacWithSHA1 -sm-scheme 301 : SM2 : sm2 +sm-scheme 301 : SM2 : sm2 + +sm-scheme 401 : SM3 : sm3 +sm-scheme 501 : SM2-SM3 : sm3WithSM2Sign +sm-scheme 504 : RSA-SM3 : sm3WithRSAEncryption + + +sm-pkcs 1 4 2 : sm-pkcs7 : china pkcs7 series + +sm-pkcs7 1 : pkcs7_sm2_data : pkcs7_sm2_data +sm-pkcs7 2 : pkcs7_sm2_signed : pkcs7_sm2_signed +sm-pkcs7 3 : pkcs7_sm2_enveloped : pkcs7_sm2_enveloped +sm-pkcs7 4 : pkcs7_sm2_signedAndEnveloped : pkcs7_sm2_signedAndEnveloped +sm-pkcs7 5 : pkcs7_sm2_encryptedData : pkcs7_sm2_encryptedData +sm-pkcs7 6 : pkcs7_sm2_keyAgreementInfo : pkcs7_sm2_keyAgreementInfo -sm-scheme 401 : SM3 : sm3 -sm-scheme 501 : SM2-SM3 : sm3WithSM2Sign -sm-scheme 504 : RSA-SM3 : sm3WithRSAEncryption -# From RFC4231 rsadsi 2 8 : : hmacWithSHA224 rsadsi 2 9 : : hmacWithSHA256 rsadsi 2 10 : : hmacWithSHA384 diff --git a/include/openssl/engine.h b/include/openssl/engine.h index 698bc09..b3cb34b 100644 --- a/include/openssl/engine.h +++ b/include/openssl/engine.h @@ -275,6 +275,7 @@ typedef int (*ENGINE_SSL_CLIENT_CERT_PTR) (ENGINE *, SSL *ssl, #ifndef OPENSSL_NO_CNSM typedef int (*ENGINE_SSL_GEN_MASTER_PTR) (ENGINE *e, SSL *s, unsigned char *pms, size_t pmslen, int free_pms); typedef int (*ENGINE_TLS1_GEN_KEY_BLOCK_PTR) (ENGINE *e, SSL *s, unsigned char *km, size_t num); +typedef int (*ENGINE_CONVERT_KEY_PTR)(ENGINE *e, const char *pri_32_hex, size_t pri_32_hex_len, unsigned char *out_cipher_priv_key_file, void *callback_data); #endif /*- 
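Review bot: The new `ENGINE_CONVERT_KEY_PTR` typedef in engine.h has no comment describing its contract, and the parameter names do not match how the patch calls it. `pri_32_hex` suggests a hex string, but apps/pkcs7.c passes either 32 raw key bytes or the whole input buffer, and `out_cipher_priv_key_file` is an `unsigned char *` that receives a file name. I would add a comment above the typedef stating that the key argument is binary data of the given length, that the output argument is a path or NULL, what `callback_data` carries (a key index string in the pkcs7 caller), and what the return value means. Renaming the first two parameters to something neutral such as `pri` and `pri_len`, as the public prototype already does, would remove the ambiguity.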
@@ -487,7 +488,9 @@ int ENGINE_set_load_privkey_function(ENGINE *e, int ENGINE_set_ssl_generate_master_secret_function(ENGINE *e, ENGINE_SSL_GEN_MASTER_PTR genmaster_f); int ENGINE_set_tls1_generate_key_block_function(ENGINE *e, - ENGINE_TLS1_GEN_KEY_BLOCK_PTR genkeyblk_f); + ENGINE_TLS1_GEN_KEY_BLOCK_PTR genkeyblk_f); +int ENGINE_set_convert_privkey_function(ENGINE *e, + ENGINE_CONVERT_KEY_PTR convertpriv_f); #endif int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f); @@ -605,6 +608,7 @@ int ENGINE_load_ssl_client_cert(ENGINE *e, SSL *s, #ifndef OPENSSL_NO_CNSM int ENGINE_ssl_generate_master_secret(ENGINE *e, SSL *s, unsigned char *pms, size_t pmslen, int free_pms); int ENGINE_tls1_generate_key_block(ENGINE *e, SSL *s, unsigned char *km, size_t num); +int ENGINE_convert_private_key(ENGINE *e, const char *pri, size_t pri_len, unsigned char *out_file, void *callback_data); #endif /* diff --git a/include/openssl/engineerr.h b/include/openssl/engineerr.h index 2fb7c30..3425d94 100644 --- a/include/openssl/engineerr.h +++ b/include/openssl/engineerr.h @@ -31,6 +31,7 @@ int ERR_load_ENGINE_strings(void); # define ENGINE_F_ENGINE_ADD 105 # define ENGINE_F_ENGINE_BY_ID 106 # define ENGINE_F_ENGINE_CMD_IS_EXECUTABLE 170 +# define ENGINE_F_ENGINE_CONVERT_PRIVATE_KEY 203 # define ENGINE_F_ENGINE_CTRL 142 # define ENGINE_F_ENGINE_CTRL_CMD 178 # define ENGINE_F_ENGINE_CTRL_CMD_STRING 171 diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 4d620f4..af2c2a1 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -122,6 +122,10 @@ #define NID_sm_scheme 1142 #define OBJ_sm_scheme OBJ_oscca,1L +#define SN_sm_pkcs "sm-pkcs" +#define NID_sm_pkcs 1196 +#define OBJ_sm_pkcs OBJ_oscca,6L + #define SN_dsa "DSA" #define LN_dsa "dsaEncryption" #define NID_dsa 116 
@@ -1184,6 +1188,41 @@ #define NID_sm3WithRSAEncryption 1144 #define OBJ_sm3WithRSAEncryption OBJ_sm_scheme,504L +#define SN_sm_pkcs7 "sm-pkcs7" +#define LN_sm_pkcs7 "china pkcs7 series" +#define NID_sm_pkcs7 1197 +#define OBJ_sm_pkcs7 OBJ_sm_pkcs,1L,4L,2L + +#define SN_pkcs7_sm2_data "pkcs7_sm2_data" +#define LN_pkcs7_sm2_data "pkcs7_sm2_data" +#define NID_pkcs7_sm2_data 1198 +#define OBJ_pkcs7_sm2_data OBJ_sm_pkcs7,1L + +#define SN_pkcs7_sm2_signed "pkcs7_sm2_signed" +#define LN_pkcs7_sm2_signed "pkcs7_sm2_signed" +#define NID_pkcs7_sm2_signed 1199 +#define OBJ_pkcs7_sm2_signed OBJ_sm_pkcs7,2L + +#define SN_pkcs7_sm2_enveloped "pkcs7_sm2_enveloped" +#define LN_pkcs7_sm2_enveloped "pkcs7_sm2_enveloped" +#define NID_pkcs7_sm2_enveloped 1200 +#define OBJ_pkcs7_sm2_enveloped OBJ_sm_pkcs7,3L + +#define SN_pkcs7_sm2_signedAndEnveloped "pkcs7_sm2_signedAndEnveloped" +#define LN_pkcs7_sm2_signedAndEnveloped "pkcs7_sm2_signedAndEnveloped" +#define NID_pkcs7_sm2_signedAndEnveloped 1204 +#define OBJ_pkcs7_sm2_signedAndEnveloped OBJ_sm_pkcs7,4L + +#define SN_pkcs7_sm2_encryptedData "pkcs7_sm2_encryptedData" +#define LN_pkcs7_sm2_encryptedData "pkcs7_sm2_encryptedData" +#define NID_pkcs7_sm2_encryptedData 1205 +#define OBJ_pkcs7_sm2_encryptedData OBJ_sm_pkcs7,5L + +#define SN_pkcs7_sm2_keyAgreementInfo "pkcs7_sm2_keyAgreementInfo" +#define LN_pkcs7_sm2_keyAgreementInfo "pkcs7_sm2_keyAgreementInfo" +#define NID_pkcs7_sm2_keyAgreementInfo 1206 +#define OBJ_pkcs7_sm2_keyAgreementInfo OBJ_sm_pkcs7,6L + #define LN_hmacWithSHA224 "hmacWithSHA224" #define NID_hmacWithSHA224 798 #define OBJ_hmacWithSHA224 OBJ_rsadsi,2L,8L diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index b5b012f..191444b 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h 
@@ -40,7 +40,7 @@ extern "C" { * major minor fix final patch/beta) */ # define OPENSSL_VERSION_NUMBER 0x1010102fL -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1b Tassl 1.2 28 Mar 2020" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1b Tassl 1.3 25 May 2020" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 678a6d3..55d263e 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -19,6 +19,9 @@ #include #include #include "internal/cryptlib.h" +#ifndef OPENSSL_NO_CNSM +#include +#endif #define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers) #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) @@ -5010,7 +5013,7 @@ struct evp_pkey_ctx_st { int ssl_derive_SM2(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) { - int rv = 0; + int rv = 0,i= 0; unsigned char *pms = NULL; size_t pmslen = 0; EVP_PKEY_CTX *pctx = NULL; @@ -5031,8 +5034,14 @@ int ssl_derive_SM2(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) ERR_R_INTERNAL_ERROR); goto err; } - - srvr_pub_pkey = X509_get_pubkey(sk_X509_value(s->session->peer_chain, sk_X509_num(s->session->peer_chain)-1)); + + /*查找第一个数据加密功能的证书,作为加密证书使用,跟排列顺序无关*/ + for(i=0; isession->peer_chain); i++){ + if((X509_get_extension_flags(sk_X509_value(s->session->peer_chain, i)) & EXFLAG_KUSAGE) && (X509_get_key_usage(sk_X509_value(s->session->peer_chain, i)) & X509v3_KU_DATA_ENCIPHERMENT)) + break; + } + + srvr_pub_pkey = X509_get_pubkey(sk_X509_value(s->session->peer_chain, i)); if ((srvr_pub_pkey == NULL) || (EVP_PKEY_id(srvr_pub_pkey) != EVP_PKEY_EC) || (EVP_PKEY_get0_EC_KEY(srvr_pub_pkey) == NULL)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE_SM2, 
@@ -5046,7 +5055,12 @@ int ssl_derive_SM2(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) dctx = (EC_PKEY_CTX *)EVP_PKEY_CTX_get_data(pctx); /* First : Set the server tag */ - dctx->server = s->server; +#ifdef STD_ZAZB + dctx->server = s->server; //国密标准定义ZAZB +#else + dctx->server = !s->server; //国密局默认顺序ZBZA +#endif + dctx->peer_ecdhe_key = EVP_PKEY_get0_EC_KEY(pubkey); dctx->self_ecdhe_key = EVP_PKEY_get0_EC_KEY(privkey); dctx->kdf_md = md; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 750c388..fe84ced 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -23,6 +23,7 @@ #include #include #include +#include static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt); static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt); @@ -2219,6 +2220,8 @@ static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) SSL_R_LENGTH_TOO_SHORT); return 0; } + if(curve_id == 0) + curve_id = 249; //if none curve id ,set it to sm2 249 defined by tass /* * Check curve is named curve type and one of our preferences, if not * server has sent an invalid curve. @@ -2271,6 +2274,9 @@ static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) { +#ifndef OPENSSL_NO_CNSM + int i = 0; +#endif long alg_k; EVP_PKEY *pkey = NULL; EVP_MD_CTX *md_ctx = NULL; 
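Review bot: The added `if(curve_id == 0) curve_id = 249;` in `tls_process_ske_ecdhe` is outside any `#ifndef OPENSSL_NO_CNSM` guard and does not look at the negotiated suite, so a ServerKeyExchange carrying group id 0 is rewritten to the SM2 group for every ECDHE handshake, not only the GM one. I would scope it, e.g. `if (curve_id == 0 && s->s3->tmp.new_cipher->id == TLS1_CK_ECDHE_WITH_SM4_SM3)` inside the CNSM guard, and replace the literal 249 with a named constant shared with the `return 249;` added to `tls1_shared_group` in ssl/t1_lib.c. The function body starts and ends outside this hunk, so the later group check is only partly visible here.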
@@ -2340,7 +2346,15 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) if (!sm2_certs) goto err; sm2_certs_len = 0; - if (!ssl_add_cert_to_buf(sm2_certs, &sm2_certs_len, sk_X509_value(s->session->peer_chain, sk_X509_num(s->session->peer_chain)-1))) + + /*查找第一个数据加密功能的证书,作为加密证书使用,跟排列顺序无关*/ + for(i=0; isession->peer_chain); i++){ + + if((X509_get_extension_flags(sk_X509_value(s->session->peer_chain, i)) & EXFLAG_KUSAGE) && (X509_get_key_usage(sk_X509_value(s->session->peer_chain, i)) & X509v3_KU_DATA_ENCIPHERMENT)) + break; + } + + if (!ssl_add_cert_to_buf(sm2_certs, &sm2_certs_len, sk_X509_value(s->session->peer_chain, i))) goto err; #endif } else if (alg_k) { @@ -3144,6 +3158,7 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt) #ifndef OPENSSL_NO_CNSM static int tls_construct_cke_sm2ecc(SSL *s, WPACKET *pkt) { + int i = 0; unsigned char *encdata = NULL; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *pctx = NULL; @@ -3159,8 +3174,14 @@ static int tls_construct_cke_sm2ecc(SSL *s, WPACKET *pkt) ERR_R_INTERNAL_ERROR); return 0; } - - pkey = X509_get0_pubkey(sk_X509_value(s->session->peer_chain, sk_X509_num(s->session->peer_chain)-1)); //get the cert_chain last one ,the enc cert in the last of cert_chain + + /*查找第一个数据加密功能的证书,作为加密证书使用,跟排列顺序无关*/ + for(i=0; isession->peer_chain); i++){ + if((X509_get_extension_flags(sk_X509_value(s->session->peer_chain, i)) & EXFLAG_KUSAGE) && (X509_get_key_usage(sk_X509_value(s->session->peer_chain, i)) & X509v3_KU_DATA_ENCIPHERMENT)) + break; + } + + pkey = X509_get0_pubkey(sk_X509_value(s->session->peer_chain, i)); //get the cert_chain last one ,the enc cert in the last of cert_chain if (EVP_PKEY_get0_EC_KEY(pkey) == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SM2ECC, ERR_R_INTERNAL_ERROR); 
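Review bot: None of the three new key-usage loops handles the case where no certificate in `peer_chain` carries dataEncipherment: `i` then equals the stack size and `sk_X509_value(..., i)` yields NULL. In `tls_construct_cke_sm2ecc` that NULL goes through `X509_get0_pubkey` and the result is passed unchecked to `EVP_PKEY_get0_EC_KEY(pkey)`, which as far as I can tell dereferences its argument, so a peer that sends such a chain could crash the client; in `tls_process_key_exchange` the NULL is handed to `ssl_add_cert_to_buf`, whose handling of it is not visible here. `ssl_derive_SM2` in ssl/s3_lib.c has the same loop, but its existing `srvr_pub_pkey == NULL` test catches the case. Add `if (i >= sk_X509_num(s->session->peer_chain))` followed by the function's existing `SSLfatal(...)` failure path directly after each loop, and update the trailing comment in `tls_construct_cke_sm2ecc`, which still says the last certificate of the chain is used.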
@@ -3248,6 +3269,8 @@ static int tls_construct_cke_sm2dh(SSL *s, WPACKET *pkt) EVP_PKEY *ckey = NULL, *skey = NULL; int ret = 0; uint16_t curve_id = 0; + ENGINE *e_tmp = NULL; + EVP_PKEY_CTX *pctx = NULL; skey = s->s3->peer_tmp; if (skey == NULL) { @@ -3255,11 +3278,26 @@ static int tls_construct_cke_sm2dh(SSL *s, WPACKET *pkt) ERR_R_INTERNAL_ERROR); return 0; } - - ckey = ssl_generate_pkey(skey); - if (ckey == NULL) { + /*签名私钥使用引擎时,使用引擎产生临时秘钥对*/ + if(s->cert->pkeys[SSL_PKEY_ECC].privatekey) + e_tmp = EVP_PKEY_pmeth_engine(s->cert->pkeys[SSL_PKEY_ECC].privatekey); + else{ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SM2DH, - ERR_R_MALLOC_FAILURE); + ERR_R_INTERNAL_ERROR); + goto err; + } + + ckey = EVP_PKEY_new(); + pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SM2, e_tmp); + + EVP_PKEY_keygen_init(pctx); + EVP_PKEY_CTX_set_sm2_paramgen_curve_nid(pctx, NID_sm2); + EVP_PKEY_CTX_set_ec_param_enc(pctx, OPENSSL_EC_NAMED_CURVE); + + if(!EVP_PKEY_keygen(pctx, &ckey)) + { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SM2DH, + ERR_R_INTERNAL_ERROR); goto err; } @@ -3276,8 +3314,13 @@ static int tls_construct_cke_sm2dh(SSL *s, WPACKET *pkt) ERR_R_EC_LIB); goto err; } - - curve_id = tls1_nid2group_id(NID_sm2); + + /* 国密局检测用的是00,有的厂商用的也是00,所以默认用00 */ +#ifdef STD_CURVE_ID + curve_id = tls1_nid2group_id(NID_sm2); +#else + curve_id = 0; +#endif if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE) || !WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_put_bytes_u8(pkt, curve_id) 
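Review bot: `if(!EVP_PKEY_keygen(pctx, &ckey))` in `tls_construct_cke_sm2dh` only catches a return of 0, while the EVP keygen calls report failure with zero or a negative value, so a negative result would be treated as a generated key. The results of `EVP_PKEY_new`, `EVP_PKEY_CTX_new_id` and `EVP_PKEY_keygen_init` are not checked at all. `pctx` is not released anywhere in this hunk; the `err:` label is outside it, so confirm that both the error path and the success path call `EVP_PKEY_CTX_free(pctx)`. A checked version of the added lines is sketched below.

```c
    ckey = EVP_PKEY_new();
    pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SM2, e_tmp);
    if (ckey == NULL || pctx == NULL || EVP_PKEY_keygen_init(pctx) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SM2DH,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }
    /* … unchanged: curve NID and parameter-encoding setup … */
    if (EVP_PKEY_keygen(pctx, &ckey) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SM2DH,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }
```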
@@ -3639,13 +3682,13 @@ int tls_client_key_exchange_post_work(SSL *s) goto err; } #ifndef OPENSSL_NO_CNSM - //濡傛灉姝sl鐨勭閽ュ姞杞戒簡sm4寮曟搸锛屽垯浣跨敤寮曟搸杩涜masterkey璁$畻 + //如果此ssl的私钥加载了sm4引擎,则使用引擎进行masterkey计算 local_evp_ptr = s->cert->pkeys[SSL_PKEY_ECC_ENC].privatekey; if(local_evp_ptr) local_e_sm2 = EVP_PKEY_pmeth_engine(local_evp_ptr); local_e_sm4 = ENGINE_get_cipher_engine(NID_sm4_cbc); if(local_evp_ptr && local_e_sm4){ - if(s->s3 && s->s3->tmp.new_cipher && s->s3->tmp.new_cipher->id == TLS1_CK_ECDHE_WITH_SM4_SM3){ //ECDHE-SM4-SM2濂椾欢骞朵笖鍔犺浇浜哠M2寮曟搸锛屽垯浣跨敤瀵嗘枃premasterkey浣滀负杈撳叆 + if(s->s3 && s->s3->tmp.new_cipher && s->s3->tmp.new_cipher->id == TLS1_CK_ECDHE_WITH_SM4_SM3){ //ECDHE-SM4-SM2套件并且加载了SM2引擎,则使用密文premasterkey作为输入 if(local_e_sm2) ENGINE_set_tass_flags(local_e_sm4, TASS_FLAG_PRE_MASTER_KEY_CIPHER); } diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 8bb5a03..1bb2195 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -265,8 +265,9 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) #ifndef OPENSSL_NO_CNSM - md_ctx = EVP_MD_CTX_new(); + if(s->s3->tmp.new_cipher->id == TLS1_CK_ECC_WITH_SM4_SM3 || s->s3->tmp.new_cipher->id == TLS1_CK_ECDHE_WITH_SM4_SM3 ){ + md_ctx = EVP_MD_CTX_new(); EVP_DigestInit(md_ctx, EVP_sm3()); EVP_DigestUpdate(md_ctx, (const void *)hdata, hdatalen); EVP_DigestFinal(md_ctx, cert_verify_md, (unsigned int *)&hdatalen); @@ -490,10 +491,11 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) #ifndef OPENSSL_NO_CNSM - md_ctx = EVP_MD_CTX_new(); + if(s->s3->tmp.new_cipher->id == TLS1_CK_ECC_WITH_SM4_SM3 || s->s3->tmp.new_cipher->id == TLS1_CK_ECDHE_WITH_SM4_SM3){ + md_ctx = EVP_MD_CTX_new(); EVP_DigestInit(md_ctx, EVP_sm3()); EVP_DigestUpdate(md_ctx, (const void *)hdata, hdatalen); EVP_DigestFinal(md_ctx, cert_verify_md, (unsigned int *)&hdatalen); 
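Review bot: In `tls_construct_cert_verify` the SM3 pre-hash ignores every return value: `EVP_MD_CTX_new()` can return NULL and `EVP_DigestInit`/`EVP_DigestUpdate`/`EVP_DigestFinal` can fail, in which case `cert_verify_md` is used without having been written. The same lines appear in the `tls_process_cert_verify` hunk (@@ -490). Guard them with something like `if (md_ctx == NULL || EVP_DigestInit(md_ctx, EVP_sm3()) <= 0 || EVP_DigestUpdate(md_ctx, hdata, hdatalen) <= 0)` and take the function's failure path, and check how `hdatalen` is declared, because `(unsigned int *)&hdatalen` is only safe if it really is an `unsigned int`. Both functions continue outside their hunks, so whether `md_ctx` is freed on every path, now that it is allocated only in the GM branch, cannot be confirmed from here.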
@@ -1893,6 +1895,9 @@ static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd) *dgrd = DOWNGRADE_TO_1_2; } else if (!SSL_IS_DTLS(s) && vers < TLS1_2_VERSION +#ifndef OPENSSL_NO_CNSM + && vers != SM1_1_VERSION +#endif /* * We need to ensure that a server that disables TLSv1.2 * (creating a hole between TLSv1.3 and TLSv1.1) can still diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index d59369c..95f9aa9 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -617,6 +617,12 @@ uint16_t tls1_shared_group(SSL *s, int nmatch) return reserve_sm2_curve_id; #endif +#ifndef OPENSSL_NO_CNSM + if(num_pref == 0 && s->s3 && s->s3->tmp.new_cipher && s->s3->tmp.new_cipher->id == TLS1_CK_ECDHE_WITH_SM4_SM3){ //鏈夋椂妫娴嬪鎴风鏍规湰涓嶅彂閫佹敮鎸佺殑鏇茬嚎鏍囪瘑锛屾鏃堕粯璁ょ敤249浣滀负SM2鏇茬嚎浣滀负鍏变韩鏇茬嚎 + return 249; + } +#endif + if (nmatch == -1) return k; /* Out of range (nmatch > k). */ diff --git a/tassl_demo/README.txt b/tassl_demo/README.txt index 39ed55b..2bcc0cb 100644 --- a/tassl_demo/README.txt +++ b/tassl_demo/README.txt @@ -1,5 +1,12 @@ +20200526_V_1.3: +1:浼樺寲鍙栧姞瀵嗚瘉涔︾殑閫昏緫锛屽湪璇佷功鏍堜腑鏌ユ壘绗竴涓叿鏈夋暟鎹姞瀵嗙殑鐢ㄩ旂殑璇佷功浣滀负鍔犲瘑璇佷功銆 +2:灞忚斀鎺夊綋鍥藉瘑鐗堟湰涓0x0101鏃讹紝涓嶈杩涜downgrade锛岄槻姝sl_fill_hello_random()闅忔満鏁扮殑鏈鍚8瀛楄妭琚~鍏呬负鍥哄畾鍊笺 +3:榛樿鐨剆m2 curve_id涓00锛 濡傛灉鐢249鍒欐潯浠剁紪璇 -DSTD_CURVE_ID; 榛樿鐨剆m2绉橀挜鍗忓晢鐢╖B+ZA鐨勯『搴忥紝濡傛灉闇瑕侀鍊掞紝鏉′欢缂栬瘧-DSTD_ZAZB. +4.淇敼tls_construct_cke_sm2dh()涓紝浣跨敤绛惧悕绉侀挜鐨勫紩鎿庢潵浜х敓涓存椂绉橀挜瀵癸紝濡傛灉涓嶅瓨鍦紝鍒欎娇鐢ㄨ蒋绠楁硶浜х敓銆 + 20200328_V_1.2: 1:璋冩暣鍙橀噺澹版槑浣嶇疆锛屾敮鎸乄indows涓64浣嶇紪璇戙 +2:鏀寔鍥藉瘑淇″皝杞崲鍒板崱鍔犲瘑鐨勫瘑鏂囩閽ヨ緭鍑. 20200315_V_1.1: 1:璺熸柊鍏充簬tasscard_engine鐨勮皟鐢ㄩ昏緫锛屾敮鎸佸崟鐙皟鐢╯m2鍜宻m4绯诲垪绠楁硶銆 diff --git a/util/libcrypto.num b/util/libcrypto.num index ebe65ef..fdd7662 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
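Review bot: The new `&& vers != SM1_1_VERSION` condition in `check_for_downgrade` exempts the GM protocol version from the downgrade marker, and nothing next to the condition says why. An exception to a downgrade protection deserves a comment in the code, for example `/* SM1_1_VERSION is the GM protocol, not a downgrade from TLS 1.2+: do not request the downgrade marker in the hello random */`. It is also worth confirming that a peer offering both TLS 1.2 or later and the GM version cannot be steered to the GM version unnoticed because of this exemption. The function continues outside the hunk.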
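Review bot: The early `return 249;` added to `tls1_shared_group` runs before the `if (nmatch == -1) return k;` line, so a caller asking for the number of shared groups would get 249 back as a count whenever `num_pref == 0` on the ECDHE-SM4-SM3 suite. Restrict the shortcut to an actual lookup, e.g. add `&& nmatch == 0` to the condition, and return a named constant instead of the literal, the same one that should replace the 249 in `tls_process_ske_ecdhe`. The function starts outside the hunk, so how `num_pref` and `k` are computed is not visible here.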
@@ -4604,3 +4604,5 @@ ENGINE_tls1_generate_key_block 4557 1_1_1b EXIST::FUNCTION:CNSM,ENGINE ENGINE_set_tls1_generate_key_block_function 4558 1_1_1b EXIST::FUNCTION:CNSM,ENGINE ENGINE_set_tass_flags 4559 1_1_1b EXIST::FUNCTION:CNSM,ENGINE ENGINE_get_tass_flags 4560 1_1_1b EXIST::FUNCTION:CNSM,ENGINE +ENGINE_convert_private_key 4561 1_1_1b EXIST::FUNCTION:CNSM,ENGINE +ENGINE_set_convert_privkey_function 4562 1_1_1b EXIST::FUNCTION:CNSM,ENGINE