gmtls

http://www.gmbz.org.cn/main/bzlb.html

 

 

/* GM/T SSL-VPN CipherSuites */
# define GMTLS_CK_SM2DHE_WITH_SM1_SM3 0x0300E001
# define GMTLS_CK_SM2_WITH_SM1_SM3 0x0300E003
# define GMTLS_CK_SM9DHE_WITH_SM1_SM3 0x0300E005
# define GMTLS_CK_SM9_WITH_SM1_SM3 0x0300E007
# define GMTLS_CK_RSA_WITH_SM1_SM3 0x0300E009 /* reserved */
# define GMTLS_CK_RSA_WITH_SM1_SHA1 0x0300E00A /* reserved */
# define GMTLS_CK_SM2DHE_WITH_SMS4_SM3 0x0300E011
# define GMTLS_CK_SM2_WITH_SMS4_SM3 0x0300E013
# define GMTLS_CK_SM9DHE_WITH_SMS4_SM3 0x0300E015
# define GMTLS_CK_SM9_WITH_SMS4_SM3 0x0300E017
# define GMTLS_CK_RSA_WITH_SMS4_SM3 0x0300E019 /* reserved */
# define GMTLS_CK_RSA_WITH_SMS4_SHA1 0x0300E01A /* reserved */

 

/* from GM/T 0024-2014 Table 1 */
#define GMTLS_AD_UNSUPPORTED_SITE2SITE 200 /* fatal */
#define GMTLS_AD_NO_AREA 201
#define GMTLS_AD_UNSUPPORTED_AREATYPE 202
#define GMTLS_AD_BAD_IBCPARAM 203 /* fatal */
#define GMTLS_AD_UNSUPPORTED_IBCPARAM 204 /* fatal */
#define GMTLS_AD_IDENTITY_NEED 205 /* fatal */

 

int tls1_alert_code(int code)
{
switch (code) {
case SSL_AD_CLOSE_NOTIFY:
return (SSL3_AD_CLOSE_NOTIFY);
case SSL_AD_UNEXPECTED_MESSAGE:
return (SSL3_AD_UNEXPECTED_MESSAGE);
case SSL_AD_BAD_RECORD_MAC:
return (SSL3_AD_BAD_RECORD_MAC);
case SSL_AD_DECRYPTION_FAILED:
return (TLS1_AD_DECRYPTION_FAILED);
case SSL_AD_RECORD_OVERFLOW:
return (TLS1_AD_RECORD_OVERFLOW);
case SSL_AD_DECOMPRESSION_FAILURE:
return (SSL3_AD_DECOMPRESSION_FAILURE);
case SSL_AD_HANDSHAKE_FAILURE:
return (SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_NO_CERTIFICATE:
return (-1);
case SSL_AD_BAD_CERTIFICATE:
return (SSL3_AD_BAD_CERTIFICATE);
case SSL_AD_UNSUPPORTED_CERTIFICATE:
return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
case SSL_AD_CERTIFICATE_REVOKED:
return (SSL3_AD_CERTIFICATE_REVOKED);
case SSL_AD_CERTIFICATE_EXPIRED:
return (SSL3_AD_CERTIFICATE_EXPIRED);
case SSL_AD_CERTIFICATE_UNKNOWN:
return (SSL3_AD_CERTIFICATE_UNKNOWN);
case SSL_AD_ILLEGAL_PARAMETER:
return (SSL3_AD_ILLEGAL_PARAMETER);
case SSL_AD_UNKNOWN_CA:
return (TLS1_AD_UNKNOWN_CA);
case SSL_AD_ACCESS_DENIED:
return (TLS1_AD_ACCESS_DENIED);
case SSL_AD_DECODE_ERROR:
return (TLS1_AD_DECODE_ERROR);
case SSL_AD_DECRYPT_ERROR:
return (TLS1_AD_DECRYPT_ERROR);
case SSL_AD_EXPORT_RESTRICTION:
return (TLS1_AD_EXPORT_RESTRICTION);
case SSL_AD_PROTOCOL_VERSION:
return (TLS1_AD_PROTOCOL_VERSION);
case SSL_AD_INSUFFICIENT_SECURITY:
return (TLS1_AD_INSUFFICIENT_SECURITY);
case SSL_AD_INTERNAL_ERROR:
return (TLS1_AD_INTERNAL_ERROR);
case SSL_AD_USER_CANCELLED:
return (TLS1_AD_USER_CANCELLED);
case SSL_AD_NO_RENEGOTIATION:
return (TLS1_AD_NO_RENEGOTIATION);
case SSL_AD_UNSUPPORTED_EXTENSION:
return (TLS1_AD_UNSUPPORTED_EXTENSION);
case SSL_AD_CERTIFICATE_UNOBTAINABLE:
return (TLS1_AD_CERTIFICATE_UNOBTAINABLE);
case SSL_AD_UNRECOGNIZED_NAME:
return (TLS1_AD_UNRECOGNIZED_NAME);
case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
case SSL_AD_UNKNOWN_PSK_IDENTITY:
return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
case SSL_AD_INAPPROPRIATE_FALLBACK:
return (TLS1_AD_INAPPROPRIATE_FALLBACK);
case SSL_AD_NO_APPLICATION_PROTOCOL:
return (TLS1_AD_NO_APPLICATION_PROTOCOL);
default:
return (-1);
}
}

int gmtls_alert_code(int code)
{
switch (code) {
case SSL_AD_CLOSE_NOTIFY:
return (SSL3_AD_CLOSE_NOTIFY);
case SSL_AD_UNEXPECTED_MESSAGE:
return (SSL3_AD_UNEXPECTED_MESSAGE);
case SSL_AD_BAD_RECORD_MAC:
return (SSL3_AD_BAD_RECORD_MAC);
case SSL_AD_DECRYPTION_FAILED:
return (TLS1_AD_DECRYPTION_FAILED);
case SSL_AD_RECORD_OVERFLOW:
return (TLS1_AD_RECORD_OVERFLOW);
case SSL_AD_DECOMPRESSION_FAILURE:
return (SSL3_AD_DECOMPRESSION_FAILURE);
case SSL_AD_HANDSHAKE_FAILURE:
return (SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_BAD_CERTIFICATE:
return (SSL3_AD_BAD_CERTIFICATE);
case SSL_AD_UNSUPPORTED_CERTIFICATE:
return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
case SSL_AD_CERTIFICATE_REVOKED:
return (SSL3_AD_CERTIFICATE_REVOKED);
case SSL_AD_CERTIFICATE_EXPIRED:
return (SSL3_AD_CERTIFICATE_EXPIRED);
case SSL_AD_CERTIFICATE_UNKNOWN:
return (SSL3_AD_CERTIFICATE_UNKNOWN);
case SSL_AD_ILLEGAL_PARAMETER:
return (SSL3_AD_ILLEGAL_PARAMETER);
case SSL_AD_UNKNOWN_CA:
return (TLS1_AD_UNKNOWN_CA);
case SSL_AD_ACCESS_DENIED:
return (TLS1_AD_ACCESS_DENIED);
case SSL_AD_DECODE_ERROR:
return (TLS1_AD_DECODE_ERROR);
case SSL_AD_DECRYPT_ERROR:
return (TLS1_AD_DECRYPT_ERROR);
case SSL_AD_PROTOCOL_VERSION:
return (TLS1_AD_PROTOCOL_VERSION);
case SSL_AD_INSUFFICIENT_SECURITY:
return (TLS1_AD_INSUFFICIENT_SECURITY);
case SSL_AD_INTERNAL_ERROR:
return (TLS1_AD_INTERNAL_ERROR);
case SSL_AD_USER_CANCELLED:
return (TLS1_AD_USER_CANCELLED);
case SSL_AD_UNSUPPORTED_SITE2SITE:
return (GMTLS_AD_UNSUPPORTED_SITE2SITE);
case SSL_AD_NO_AREA:
return (GMTLS_AD_NO_AREA);
case SSL_AD_UNSUPPORTED_AREATYPE:
return (GMTLS_AD_UNSUPPORTED_AREATYPE);
case SSL_AD_BAD_IBCPARAM:
return (GMTLS_AD_BAD_IBCPARAM);
case SSL_AD_UNSUPPORTED_IBCPARAM:
return (GMTLS_AD_UNSUPPORTED_IBCPARAM);
case SSL_AD_IDENTITY_NEED:
return (GMTLS_AD_IDENTITY_NEED);
default:
return (-1);
}
}

 

 

int ossl_statem_server_construct_message(SSL *s)
{
OSSL_STATEM *st = &s->statem;

switch (st->hand_state) {
case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
return dtls_construct_hello_verify_request(s);

case TLS_ST_SW_HELLO_REQ:
return tls_construct_hello_request(s);

case TLS_ST_SW_SRVR_HELLO:
return tls_construct_server_hello(s);

case TLS_ST_SW_CERT:
#ifndef OPENSSL_NO_GMTLS
if (SSL_IS_GMTLS(s))
return gmtls_construct_server_certificate(s);
#endif
return tls_construct_server_certificate(s);

case TLS_ST_SW_KEY_EXCH:
#ifndef OPENSSL_NO_GMTLS
if (SSL_IS_GMTLS(s))
return gmtls_construct_server_key_exchange(s);
#endif
return tls_construct_server_key_exchange(s);

case TLS_ST_SW_CERT_REQ:
return tls_construct_certificate_request(s);

case TLS_ST_SW_SRVR_DONE:
return tls_construct_server_done(s);

case TLS_ST_SW_SESSION_TICKET:
return tls_construct_new_session_ticket(s);

case TLS_ST_SW_CERT_STATUS:
return tls_construct_cert_status(s);

case TLS_ST_SW_CHANGE:
if (SSL_IS_DTLS(s))
return dtls_construct_change_cipher_spec(s);
else
return tls_construct_change_cipher_spec(s);

case TLS_ST_SW_FINISHED:
return tls_construct_finished(s,
s->method->
ssl3_enc->server_finished_label,
s->method->
ssl3_enc->server_finished_label_len);

default:
/* Shouldn't happen */
break;
}

return 0;
}

 

#define SM2_DEFAULT_ID_GMT09 "1234567812345678"

 

 

/* Bits for algorithm_mkey (key exchange algorithm) */
/* RSA key exchange */
# define SSL_kRSA 0x00000001U
/* tmp DH key no DH cert */
# define SSL_kDHE 0x00000002U
/* synonym */
# define SSL_kEDH SSL_kDHE
/* ephemeral ECDH */
# define SSL_kECDHE 0x00000004U
/* synonym */
# define SSL_kEECDH SSL_kECDHE
/* PSK */
# define SSL_kPSK 0x00000008U
/* GOST key exchange */
# define SSL_kGOST 0x00000010U
/* SRP */
# define SSL_kSRP 0x00000020U

# define SSL_kRSAPSK 0x00000040U
# define SSL_kECDHEPSK 0x00000080U
# define SSL_kDHEPSK 0x00000100U

# define SSL_kSM2 0x00000200U
# define SSL_kSM2DHE 0x00000400U
# define SSL_kSM2PSK 0x00000800U
# define SSL_kSM9 0x00001000U
# define SSL_kSM9DHE 0x00002000U

/* all PSK */

# define SSL_PSK (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK | SSL_kSM2PSK)

/* Bits for algorithm_auth (server authentication) */
/* RSA auth */
# define SSL_aRSA 0x00000001U
/* DSS auth */
# define SSL_aDSS 0x00000002U
/* no auth (i.e. use ADH or AECDH) */
# define SSL_aNULL 0x00000004U
/* ECDSA auth*/
# define SSL_aECDSA 0x00000008U
/* PSK auth */
# define SSL_aPSK 0x00000010U
/* GOST R 34.10-2001 signature auth */
# define SSL_aGOST01 0x00000020U
/* SRP auth */
# define SSL_aSRP 0x00000040U
/* GOST R 34.10-2012 signature auth */
# define SSL_aGOST12 0x00000080U
/* GMTLS */
# define SSL_aSM2 0x00000100U
# define SSL_aSM9 0x00000200U