Merge pull request #510 from dongbeiouba/fix/491

修复TLS 1.3使用商密套件时未严格遵循RFC 8998问题

ssl/ssl_conf.c

@@ -864,6 +864,38 @@ static int cmd_Enable_sign_by_dc(SSL_CONF_CTX *cctx, const char *value)
 }
 #endif
 
+#ifndef OPENSSL_NO_SSL_TRACE
+static void trace_cb(int write_p, int version, int content_type,
+                     const void *buf, size_t msglen, SSL *ssl, void *arg)
+{
+    BIO *bio = NULL;
+    if (arg == NULL) {
+        bio = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
+        if (bio == NULL)
+            return;
+
+        arg = bio;
+    }
+
+    SSL_trace(write_p, version, content_type, buf, msglen, ssl, arg);
+
+    BIO_free(bio);
+}
+
+static int cmd_Trace(SSL_CONF_CTX *cctx, const char *value)
+{
+    if (strcmp(value, "on") == 0) {
+        if (cctx->ctx)
+            SSL_CTX_set_msg_callback(cctx->ctx, trace_cb);
+
+        if (cctx->ssl)
+            SSL_set_msg_callback(cctx->ssl, trace_cb);
+    }
+
+    return 1;
+}
+#endif
+
 typedef struct {
     int (*cmd) (SSL_CONF_CTX *cctx, const char *value);
     const char *str_file;
@@ -986,6 +1018,9 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
     SSL_CONF_CMD_STRING(Enable_verify_peer_by_dc, "Enable_verify_peer_by_dc", 0),
     SSL_CONF_CMD_STRING(Enable_sign_by_dc, "Enable_sign_by_dc", 0),
 #endif
+#ifndef OPENSSL_NO_SSL_TRACE
+    SSL_CONF_CMD_STRING(Trace, "Trace", 0),
+#endif
 };
 
 /* Supported switches: must match order of switches in ssl_conf_cmds */

ssl/t1_lib.c

@@ -1475,6 +1475,25 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
     if (pkeyid == -1)
         return -1;
     if (SSL_IS_TLS13(s)) {
+#ifndef OPENSSL_NO_SM2
+        /*
+         * RFC 8998 requires that if TLS_SM4_GCM_SM3 or TLS_SM4_CCM_SM3 was
+         * choosen, the only valid signature algorithm MUST be "sm2sig_sm3".
+         */
+        if (s->enable_sm_tls13_strict == 1) {
+            const SSL_CIPHER *cipher = s->s3.tmp.new_cipher;
+
+            if (cipher != NULL && (cipher->id == TLS1_3_CK_SM4_GCM_SM3
+                || cipher->id == TLS1_3_CK_SM4_CCM_SM3)) {
+                if (sig != TLSEXT_SIGALG_sm2sig_sm3) {
+                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
+                             SSL_R_WRONG_SIGNATURE_TYPE);
+                    return 0;
+                }
+            }
+        }
+#endif
+
         /* Disallow DSA for TLS 1.3 */
         if (pkeyid == EVP_PKEY_DSA) {
             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
@@ -3192,6 +3211,25 @@ static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
                 || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
             continue;
 
+#ifndef OPENSSL_NO_SM2
+        /*
+         * RFC 8998 requires that
+         * if the server chooses TLS_SM4_GCM_SM3 or TLS_SM4_CCM_SM3,
+         * the only valid signature algorithm present in
+         * "signature_algorithms" extension MUST be "sm2sig_sm3".
+         */
+        if (SSL_IS_TLS13(s) && s->enable_sm_tls13_strict == 1 && s->server) {
+            const SSL_CIPHER *cipher = s->s3.tmp.new_cipher;
+
+            if (cipher != NULL &&
+                (cipher->id == TLS1_3_CK_SM4_GCM_SM3
+                    || cipher->id == TLS1_3_CK_SM4_CCM_SM3)) {
+                if (lu->sigalg != TLSEXT_SIGALG_sm2sig_sm3)
+                    continue;
+            }
+        }
+#endif
+
         tmppkey = (pkey != NULL) ? pkey
                                  : s->cert->pkeys[lu->sig_idx].privatekey;
 

ssl/t1_trce.c

@@ -311,6 +311,8 @@ static const ssl_trace_tbl ssl_ciphers_tbl[] = {
     {0x1305, "TLS_AES_128_CCM_8_SHA256"},
     {0xFEFE, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
     {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
+    {0x00C6, "TLS_SM4_GCM_SM3"},
+    {0x00C7, "TLS_SM4_CCM_SM3"},
 #ifndef OPENSSL_NO_NTLS
     {0xE011, "ECDHE_SM4_CBC_SM3"},
     {0xE051, "ECDHE_SM4_GCM_SM3"},

test/helpers/ssl_test_ctx.c

@@ -163,6 +163,7 @@ static const test_enum ssl_alerts[] = {
     {"NoApplicationProtocol", SSL_AD_NO_APPLICATION_PROTOCOL},
     {"CertificateRequired", SSL_AD_CERTIFICATE_REQUIRED},
     {"CertificateExpired", SSL_AD_CERTIFICATE_EXPIRED},
+    {"IllegalParameter", SSL_AD_ILLEGAL_PARAMETER},
 };
 
 __owur static int parse_alert(int *alert, const char *value)

test/ssl-tests/30-tls13-sm.cnf

@@ -1,6 +1,6 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 21
+num_tests = 23
 
 test-0 = 0-test ciphersuites TLS_SM4_GCM_SM3
 test-1 = 1-test series of ciphersuites includes TLS_SM4_GCM_SM3
@@ -23,6 +23,8 @@ test-17 = 17-test client success when enable sm_tls13_strict with SM2 key_share
 test-18 = 18-test client should fail when enable sm_tls13_strict with ecdsa cert and TLS_SM4_GCM_SM3 cipher
 test-19 = 19-test client auth fail when enable sm_tls13_strict, CertificateRequest with other signature algorithms except sm2sig_sm3
 test-20 = 20-test client auth success when both enable sm_tls13_strict
+test-21 = 21-test sm_tls13_strict server with sm2 and rsa certs, client signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3
+test-22 = 22-test sm_tls13_strict client with sm2 and rsa certs, server signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3
 # ===========================================================
 
 [0-test ciphersuites TLS_SM4_GCM_SM3]
@@ -680,3 +682,85 @@ ExpectedHRR = Yes
 ExpectedResult = Success
 
 
+# ===========================================================
+
+[21-test sm_tls13_strict server with sm2 and rsa certs, client signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3]
+ssl_conf = 21-test sm_tls13_strict server with sm2 and rsa certs, client signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-ssl
+
+[21-test sm_tls13_strict server with sm2 and rsa certs, client signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-ssl]
+server = 21-test sm_tls13_strict server with sm2 and rsa certs, client signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-server
+client = 21-test sm_tls13_strict server with sm2 and rsa certs, client signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-client
+
+[21-test sm_tls13_strict server with sm2 and rsa certs, client signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Ciphersuites = TLS_SM4_GCM_SM3
+Enable_sm_tls13_strict = on
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+RSA.Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+SM2.Certificate = ${ENV::TEST_CERTS_DIR}/sm2-leaf.crt
+SM2.PrivateKey = ${ENV::TEST_CERTS_DIR}/sm2-leaf.key
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/sm2-root-cert.pem
+VerifyMode = Require
+
+[21-test sm_tls13_strict server with sm2 and rsa certs, client signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/sm2-first-crt.pem
+CipherString = DEFAULT
+Ciphersuites = TLS_SM4_GCM_SM3
+Enable_sm_tls13_strict = on
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/sm2-first-key.pem
+SignatureAlgorithms = rsa_pss_rsae_sha256:sm2sig_sm3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/sm2-chain-ca.crt
+VerifyMode = Peer
+
+[test-21]
+ExpectedCipher = TLS_SM4_GCM_SM3
+ExpectedResult = Success
+ExpectedServerCertType = SM2
+
+
+# ===========================================================
+
+[22-test sm_tls13_strict client with sm2 and rsa certs, server signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3]
+ssl_conf = 22-test sm_tls13_strict client with sm2 and rsa certs, server signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-ssl
+
+[22-test sm_tls13_strict client with sm2 and rsa certs, server signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-ssl]
+server = 22-test sm_tls13_strict client with sm2 and rsa certs, server signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-server
+client = 22-test sm_tls13_strict client with sm2 and rsa certs, server signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-client
+
+[22-test sm_tls13_strict client with sm2 and rsa certs, server signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/sm2-leaf.crt
+CipherString = DEFAULT
+Ciphersuites = TLS_SM4_GCM_SM3
+Enable_sm_tls13_strict = off
+Groups = SM2
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/sm2-leaf.key
+SignatureAlgorithms = rsa_pss_rsae_sha256:sm2sig_sm3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/sm2-root-cert.pem
+VerifyMode = Require
+
+[22-test sm_tls13_strict client with sm2 and rsa certs, server signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3-client]
+CipherString = DEFAULT
+Ciphersuites = TLS_SM4_GCM_SM3
+Enable_sm_tls13_strict = on
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+SM2.Certificate = ${ENV::TEST_CERTS_DIR}/sm2-first-crt.pem
+SM2.PrivateKey = ${ENV::TEST_CERTS_DIR}/sm2-first-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/sm2-chain-ca.crt
+VerifyMode = Peer
+
+[test-22]
+ExpectedClientAlert = IllegalParameter
+ExpectedResult = ClientFail
+
+

test/ssl-tests/30-tls13-sm.cnf.in

@@ -475,4 +475,66 @@ our @tests = (
             "ExpectedHRR" => "Yes",
         },
     },
+
+    {
+        name => "test sm_tls13_strict server with sm2 and rsa certs, client signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3",
+        server => {
+            "MinProtocol" => "TLSv1.3",
+            "MaxProtocol" => "TLSv1.3",
+            "Ciphersuites" => "TLS_SM4_GCM_SM3",
+            "SM2.Certificate" => test_pem("sm2-leaf.crt"),
+            "SM2.PrivateKey" => test_pem("sm2-leaf.key"),
+            "RSA.Certificate" => test_pem("servercert.pem"),
+            "RSA.PrivateKey"  => test_pem("serverkey.pem"),
+            "Enable_sm_tls13_strict" => "on",
+            "VerifyMode" => "Require",
+            "VerifyCAFile" => test_pem("sm2-root-cert.pem"),
+        },
+        client => {
+            "MinProtocol" => "TLSv1.3",
+            "MaxProtocol" => "TLSv1.3",
+            "Ciphersuites" => "TLS_SM4_GCM_SM3",
+            "SignatureAlgorithms" => "rsa_pss_rsae_sha256:sm2sig_sm3",
+            "Enable_sm_tls13_strict" => "on",
+            "VerifyCAFile" => test_pem("sm2-chain-ca.crt"),
+            "Certificate" => test_pem("sm2-first-crt.pem"),
+            "PrivateKey" => test_pem("sm2-first-key.pem"),
+        },
+        test   => {
+            "ExpectedResult" => "Success",
+            "ExpectedCipher" => "TLS_SM4_GCM_SM3",
+            "ExpectedServerCertType" =>, "SM2",
+        },
+    },
+
+    {
+        name => "test sm_tls13_strict client with sm2 and rsa certs, server signature_algorithms with rsa_pss_rsae_sha256 and sm2sig_sm3",
+        server => {
+            "MinProtocol" => "TLSv1.3",
+            "MaxProtocol" => "TLSv1.3",
+            "Ciphersuites" => "TLS_SM4_GCM_SM3",
+            "SignatureAlgorithms" => "rsa_pss_rsae_sha256:sm2sig_sm3",
+            "Groups" => "SM2",
+            "Certificate" => test_pem("sm2-leaf.crt"),
+            "PrivateKey" => test_pem("sm2-leaf.key"),
+            "Enable_sm_tls13_strict" => "off",
+            "VerifyMode" => "Require",
+            "VerifyCAFile" => test_pem("sm2-root-cert.pem"),
+        },
+        client => {
+            "MinProtocol" => "TLSv1.3",
+            "MaxProtocol" => "TLSv1.3",
+            "Ciphersuites" => "TLS_SM4_GCM_SM3",
+            "Enable_sm_tls13_strict" => "on",
+            "SM2.Certificate" => test_pem("sm2-first-crt.pem"),
+            "SM2.PrivateKey" => test_pem("sm2-first-key.pem"),
+            "RSA.Certificate" => test_pem("ee-client-chain.pem"),
+            "RSA.PrivateKey"  =>  test_pem("ee-key.pem"),
+            "VerifyCAFile" => test_pem("sm2-chain-ca.crt"),
+        },
+        test   => {
+            "ExpectedResult" => "ClientFail",
+            "ExpectedClientAlert" => "IllegalParameter",
+        },
+    },
 );