├── .gitignore ├── CMakeLists.txt ├── DEVELOP.md ├── LICENSE ├── README.md ├── include └── openssl │ ├── asn1.h │ ├── bio.h │ ├── bn.h │ ├── conf.h │ ├── crypto.h │ ├── dh.h │ ├── err.h │ ├── evp.h │ ├── hmac.h │ ├── opensslv.h │ ├── pem.h │ ├── rand.h │ ├── rsa.h │ ├── ssl.h │ ├── symhacks.h │ ├── x509.h │ ├── x509_vfy.h │ └── x509v3.h ├── nginx └── nginx.conf ├── src ├── asn1.c ├── bio.c ├── crypto.c ├── dh.c ├── err.c ├── evp.c ├── pem.c ├── rand.c ├── ssl.c ├── x509.c └── x509_vfy.c └── tests └── sm3.c /.gitignore: -------------------------------------------------------------------------------- 1 | CMakeLists.txt.user 2 | CMakeCache.txt 3 | CMakeFiles 4 | CMakeScripts 5 | Testing 6 | Makefile 7 | cmake_install.cmake 8 | install_manifest.txt 9 | compile_commands.json 10 | CTestTestfile.cmake 11 | _deps 12 | build 13 | .DS_Store 14 | *.swp 15 | *.pem 16 | *.txt 17 | 18 | 19 | -------------------------------------------------------------------------------- /CMakeLists.txt: -------------------------------------------------------------------------------- 1 | if (CMAKE_VERSION VERSION_LESS "3.0") 2 | cmake_minimum_required(VERSION 2.8) 3 | else() 4 | cmake_minimum_required(VERSION 3.6) 5 | endif() 6 | 7 | project(OpenSSL-Compatible-Layer C) 8 | 9 | option(BUILD_SHARED_LIBS "Build using shared libraries" ON) 10 | 11 | include_directories(${PROJECT_SOURCE_DIR}/include /usr/local/include) 12 | link_directories(/usr/local/lib) 13 | 14 | set(crypto_src 15 | src/err.c 16 | src/bio.c 17 | src/evp.c 18 | src/rand.c 19 | src/asn1.c 20 | src/x509.c 21 | src/x509_vfy.c 22 | src/crypto.c 23 | src/pem.c 24 | src/dh.c 25 | ) 26 | 27 | add_library(crypto ${crypto_src}) 28 | target_link_libraries(crypto gmssl) 29 | 30 | set(ssl_src src/ssl.c) 31 | 32 | add_library(ssl ${ssl_src}) 33 | target_link_libraries(ssl crypto) 34 | 35 | install(TARGETS crypto ssl DESTINATION lib) 36 | install(DIRECTORY ${PROJECT_SOURCE_DIR}/include/openssl DESTINATION include) 37 | 38 | -------------------------------------------------------------------------------- /DEVELOP.md: -------------------------------------------------------------------------------- 1 | # GmSSL-OCL 开发文档 2 | 3 | ## 基本原则 4 | 5 | * 严格保持宏/函数类型。如果一个接口在OpenSSL是一个宏定义,那么在OCL中也保持宏定义。这是因为OpenSSL的应用可能会通过`#ifdef`判断某个宏是否定义来设置编译期间代码结构,如果将宏改为函数,那么会导致应用无法按照预期的方式编译代码分支。 6 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OpenSSL-Compatibility-Layer 2 | OpenSSL-Compatible-Layer 是 GmSSL 项目下的一个子项目,提供一个将 GmSSL 接口封装为 OpenSSL 兼容接口的层。该项目旨在为需要使用 GmSSL 加密功能但构建于 OpenSSL 之上的应用程序提供无缝集成,可以将基于OpenSSL的程序,在无需修改代码的情况下迁移至GmSSL,并自动调用GmSSL中的国密算法。 3 | 4 | ## 兼容性 5 | 6 | 下面是经过测试的兼容应用(及版本号),操作系统包括Ubuntu Server 22.04 LTS, CentOS 7.9, macOS 14.5 7 | 8 | * Nginx-1.16.1 9 | * Nginx-1.18.0 10 | * Nginx-1.20.2 11 | * Nginx-1.22.1 12 | * Nginx-1.24.0 13 | * Nginx-1.25.3 14 | 15 | ## 编译和安装 16 | 17 | 本项目依赖GmSSL主项目,需要首先安装GmSSL。 18 | 19 | OpenSSL-Compatible-Layer需要预先安装CMake和GCC编译工具链。下载 OpenSSL-Compatible-Layer 源代码并解压,进入源代码目录,执行 20 | 21 | ```bash 22 | mkdir build 23 | cd build 24 | cmake .. 25 | make 26 | sudo make install 27 | ``` 28 | 29 | 在安装完成后,会在`/usr/local/include`目录下创建`openssl`目录并安装OpenSSL同名的头文件,并且在`/usr/local/lib`目录下安装`libcrypto`和`libssl`两个和OpenSSL同名的库文件。 30 | 31 | ## 和Nginx集成 32 | 33 | ### 编译安装Nginx 34 | 35 | 首先应该确保GmSSL和OpenSSL-Compatible-Layer已经安装,并且保证默认的系统路径中的头文件和库文件的确来自OpenSSL-Compatible-Layer。如果默认系统路径是`/usr/local`,那么检查`/usr/local/include/openssl/opensslv.h`是否为OCL的版本,以及检查`/usr/local/lib/libcrypto.so`是否依赖`libgmssl`。 36 | 37 | 进入Nginx源码目录,执行 38 | 39 | ```bash 40 | ./configure --with-http_ssl_module --with-debug --without-http_rewrite_module 41 | ``` 42 | 43 | 注意,必须通过`--with-http_ssl_module`显式指定编译SSL模块。`--with-debug`是可选的,可以方便出现问题后查看打印的错误信息。如果系统默认没有安装PCRE,可以设置`--without-http_rewrite_module`避免配置错误。 44 | 45 | 配置完成后,编译并安装 46 | 47 | ```bash 48 | make 49 | sudo make install 50 | ``` 51 | 52 | Nginx的二进制程序、配置文件、日志文件等默认均安装在`/usr/loca/nginx`目录下,可以执行`sudo /usr/local/nginx/bin/nginx`来启动Nginx。在默认情况下Nginx并没有启用SSL功能,需要修改配置文件,并提供SSL需要的证书、密钥文件。 53 | 54 | ### 修改Nginx配置文件 55 | 56 | 修改Nginx的配置文件`/usr/local/nginx/conf/nginx.conf`,启用SSL 57 | 58 | ``` 59 | server { 60 | listen 4443 ssl; 61 | server_name localhost; 62 | 63 | ssl_certificate /usr/local/nginx/conf/tlcp_server_certs.pem; 64 | ssl_certificate_key /usr/local/nginx/conf/tlcp_server_keys.pem; 65 | ssl_password_file /usr/local/nginx/conf/tlcp_server_password.txt; 66 | ssl_ecdh_curve sm2p256v1; 67 | 68 | location / { 69 | root html; 70 | index index.html index.htm; 71 | } 72 | } 73 | ``` 74 | 75 | 其中`server_tlcp_certs.pem`是一个完整的服务器证书链,`server_tlcp_keys.pem`相对特殊,这里有两个PEM格式的私钥,分别是签名私钥和加密私钥,这两个私钥需要用相同的加密口令,并且口令存储在`server_password.txt`中。 76 | 77 | ### 生成服务器TLCP证书 78 | 79 | TLCP服务器的完整证书链是由服务器终端签名证书、服务器终端加密证书、中间CA证书以及根CA证书构成,在一个标准的证书链PEM文件中,其中的PEM数据是依次按照终端签名证书、终端加密证书、一个或多个中间CA证书的顺序前后排列的。终端签名证书和终端加密证书应该有完全相同的Subject名字,并且通过KeyUsage等属性进行区别。在TLCP协议中,服务器向客户端提供的证书链中不应包含最后的根CA证书。两个终端证书都是由同一个中间CA证书签名的,中间CA证书按顺序排列,前一个中间CA证书由后一个中间CA证书签名。最后一个中间CA证书应该由根CA证书签名。 80 | 81 | 下面的例子生成一个TLCP服务器证书链,这个证书链由服务器终端签名证书、服务器终端加密证书、一个中间CA证书和一个不存储在证书链中的根CA证书构成。按证书链相反的顺序生成。 82 | 83 | 首先,生成根CA证书的私钥,以及自签名的根CA证书。 84 | 85 | ```bash 86 | $ gmssl sm2keygen -pass P@ssw0rd -out rootcakey.pem 87 | $ gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass P@ssw0rd -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca 88 | ``` 89 | 90 | 第二步,生成中间CA的私钥和证书请求文件(REQ),然后用根CA证书私钥对中间CA的REQ进行签名,生成中间CA证书。 91 | 92 | ```bash 93 | $ gmssl sm2keygen -pass P@ssw0rd -out cakey.pem 94 | $ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.pem -pass P@ssw0rd -out careq.pem 95 | $ gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass P@ssw0rd -out cacert.pem -ca 96 | ``` 97 | 98 | 第三步,生成服务器终端签名证书的私钥、证书请求文件(REQ),用中间CA私钥签发终端签名证书。 99 | 100 | ```bash 101 | $ gmssl sm2keygen -pass P@ssw0rd -out signkey.pem 102 | $ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass P@ssw0rd -out signreq.pem 103 | $ gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -out signcert.pem 104 | ``` 105 | 106 | 第四步,按第三步相同的方式生成终端加密证书,注意证书的Subject和签名证书保持一致,但是使用不同的`-key_usage`选项。注意在当前版本的GmSSL-OCL中,需要保证签名和加密私钥使用相同的口令。 107 | 108 | ```bash 109 | $ gmssl sm2keygen -pass P@ssw0rd -out enckey.pem 110 | $ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass P@ssw0rd -out encreq 111 | $ gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -out enccert.pem 112 | ``` 113 | 114 | 第五步,将终端证书和中间CA证书写入服务器证书链PEM文件,将根CA证书提供给TLCP客户端。通过`gmssl certparse`可以打印证书链,检查生成的证书链内容是否正确。 115 | 116 | ```bash 117 | $ cat signcert.pem > tlcp_server_certs.pem 118 | $ cat enccert.pem >> tlcp_server_certs.pem 119 | $ cat cacert.pem >> tlcp_server_certs.pem 120 | $ gmssl certparse -in tlcp_server_certs.pem 121 | ``` 122 | 123 | 第六步,将终端签名私钥和加密私钥按顺序写入私钥PEM文件。 124 | 125 | ```bash 126 | $ cat signkey.pem > tlcp_server_keys.pem 127 | $ cat enckey.pem >> tlcp_server_keys.pem 128 | ``` 129 | 130 | 此时,服务器需要的TLCP证书链文件和私钥文件就准备好了。 131 | 132 | ### 安装服务器证书链和私钥文件 133 | 134 | 在安装完Nginx服务器后,需要将服务器证书链PEM文件、服务器私钥PEM文件和服务器私钥口令分别拷贝到`nginx.conf`配置文件中设置的路径中。其中口令字符串需要写入到`.txt`格式的口令文件中。 135 | 136 | ```bash 137 | $ cp tlcp_server_certs.pem /usr/local/nginx/conf/tlcp_server_certs.pem 138 | $ cp tlcp_server_keys.pem /usr/local/nginx/conf/tlcp_server_keys.pem 139 | $ echo P@ssw0rd > /usr/local/nginx/conf/tlcp_server_password.txt 140 | ``` 141 | 142 | ### 启动服务器并测试HTTPS 143 | 144 | 启动服务器 145 | 146 | ```bash 147 | cd /usr/local/nginx 148 | sudo ./sbin/nginx 149 | ``` 150 | 151 | 注意,如果找不到动态库,在 152 | 153 | 在macOS上,编译安装nginx之后需要执行 154 | 155 | ```bash 156 | sudo install_name_tool -add_rpath /usr/local/lib /usr/local/nginx/sbin/nginx 157 | ``` 158 | 159 | 然后可以用gmssl的命令行客户端进行验证,注意,客户端需要用于验证服务器的根CA证书,客户端证书和私钥,这些文件保存在`client`目录下。 160 | 161 | ```bash 162 | gmssl tlcp_client -get / -host localhost -port 4443 -cacert rootcacert.pem 163 | ``` 164 | 165 | 166 | 167 | ### 设置Nginx验证客户端证书 168 | 169 | 通常来说,公网网站通常是不验证客户端证书的,但是一些内部网站或者网络服务可以通过客户端证书来进行用户的强身份认证。 170 | 171 | 前面的Nginx配置文件中没有启用验证客户端证书功能,通过增加配置选项`ssl_verify_client`可以设置客户端证书验证功能是否启用。修改后的Nginx配置文件如下: 172 | 173 | ``` 174 | server { 175 | listen 4433 ssl; 176 | server_name localhost; 177 | 178 | ssl_certificate /usr/local/nginx/conf/tlcp_server_certs.pem; 179 | ssl_certificate_key /usr/local/nginx/conf/tlcp_server_keys.pem; 180 | ssl_password_file /usr/local/nginx/conf/tlcp_server_password.txt; 181 | ssl_ecdh_curve sm2p256v1; 182 | 183 | ssl_client_certificate /usr/local/nginx/conf/tlcp_client_verify_cacert.pem; 184 | ssl_verify_client on; 185 | ssl_verify_depth 4; 186 | 187 | location / { 188 | root html; 189 | index index.html index.htm; 190 | } 191 | } 192 | ``` 193 | 194 | 其中增加了`ssl_client_certificate`、`ssl_verify_client`和`ssl_verify_depth`选项。 195 | 196 | 其中`ssl_client_certificate`用于设置签发客户端证书的CA证书。 197 | 198 | 注意:这个配置中将端口号设置为`4433`,因为Nginx可以监听多个端口,因此服务器配置中可以分别监听一个无需客户端验证的端口4443,和一个客户端验证的4433。 199 | 200 | ### 生成客户端证书 201 | 202 | Web服务器证书是由知名CA及其下属CA签发的,根CA证书通常被浏览器等客户端终端内置安装。但是SSL的客户端证书不一定是由知名CA签名的,可能是由网站自己的CA签发或者其他CA签名,并且客户端证书的CA和服务器的CA通常不是相同的CA。但是这里为了演示,采用前面生成的中间CA签发客户端证书。 203 | 204 | 下面的例子展示了生成客户端私钥,以及签发客户端证书的过程。 205 | 206 | ```bash 207 | $ gmssl sm2keygen -pass 123456 -out clientkey.pem 208 | $ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN TlcpClient -key clientkey.pem -pass 123456 -out clientreq.pem 209 | $ gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -out clientcert.pem 210 | ``` 211 | 212 | 注意这里客户端证书的CA证书是服务器的中间CA证书`cacert.pem`,需要将这个证书作为客户端验证的CA证书安装到配置文件中指定的路径。 213 | 214 | ```bash 215 | $ sudo cp cacert.pem /usr/local/nginx/conf/tlcp_client_verify_cacert.pem 216 | ``` 217 | 218 | ### 测试带客户端验证的HTTPS 219 | 220 | 执行 221 | 222 | ```bash 223 | $ gmssl tlcp_client -get / -host localhost -port 4433 -cacert rootcacert.pem -cert clientcert.pem -key clientkey.pem -pass 123456 224 | ``` 225 | 226 | ### 手工测试HTTP 227 | 228 | 去掉`tlcp_client`中的`-get /`参数,可以在终端下手动测试HTTP交互 229 | 230 | ``` 231 | $ gmssl tlcp_client -host localhost -port 4433 -cacert rootcacert.pem -cert clientcert.pem -key clientkey.pem -pass 123456 232 | ``` 233 | 234 | 在gmssl命令行连接服务器之后需要发送三行消息 235 | 236 | ``` 237 | GET / HTTP/1.1 238 | Host: localhost 239 | 240 | ``` 241 | 242 | 然后可以看到Nginx返回的index.html。此时连接没有中断,可再次访问。 243 | 244 | 如果gmssl客户端发送的请求格式不正确,例如发送了`GET /`,那么Nginx-1.22仍然返回index.html,但是会shutdown SSL连接。 245 | -------------------------------------------------------------------------------- /include/openssl/asn1.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_ASN1_H 11 | #define OPENSSL_ASN1_H 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #ifdef __cplusplus 19 | extern "C" { 20 | #endif 21 | 22 | 23 | typedef struct { 24 | uint8_t *d; 25 | size_t dlen; 26 | } ASN1_INTEGER; 27 | 28 | int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a); 29 | 30 | 31 | typedef time_t ASN1_TIME; 32 | 33 | int ASN1_TIME_print(BIO *bio, const ASN1_TIME *tm); 34 | 35 | 36 | #ifdef __cplusplus 37 | } 38 | #endif 39 | #endif 40 | -------------------------------------------------------------------------------- /include/openssl/bio.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_BIO_H 11 | #define OPENSSL_BIO_H 12 | 13 | #include 14 | 15 | #ifdef __cplusplus 16 | extern "C" { 17 | #endif 18 | 19 | typedef void BIO_METHOD; 20 | 21 | const BIO_METHOD *BIO_s_mem(void); 22 | 23 | 24 | typedef FILE BIO; 25 | 26 | BIO *BIO_new(const BIO_METHOD *meth); 27 | BIO *BIO_new_mem_buf(const void *buf, int len); 28 | BIO *BIO_new_file(const char *filename, const char *mode); 29 | int BIO_read(BIO *bio, void *buf, int len); 30 | int BIO_write(BIO *bio, const void *buf, int len); 31 | int BIO_pending(BIO *bio); 32 | int BIO_reset(BIO *bio); 33 | int BIO_get_mem_data(BIO *bio, char **pp); 34 | int BIO_free(BIO *bio); 35 | 36 | 37 | #ifdef __cplusplus 38 | } 39 | #endif 40 | #endif 41 | -------------------------------------------------------------------------------- /include/openssl/bn.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_BN_H 11 | #define OPENSSL_BN_H 12 | 13 | 14 | #ifdef __cplusplus 15 | extern "C" { 16 | #endif 17 | 18 | 19 | 20 | #ifdef __cplusplus 21 | } 22 | #endif 23 | #endif 24 | -------------------------------------------------------------------------------- /include/openssl/conf.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_CONF_H 11 | #define OPENSSL_CONF_H 12 | 13 | 14 | #ifdef __cplusplus 15 | extern "C" { 16 | #endif 17 | 18 | 19 | #define OPENSSL_NO_ENGINE 20 | #define OPENSSL_NO_OCSP 21 | 22 | 23 | #ifdef __cplusplus 24 | } 25 | #endif 26 | #endif 27 | -------------------------------------------------------------------------------- /include/openssl/crypto.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_CRYPTO_H 11 | #define OPENSSL_CRYPTO_H 12 | 13 | #include 14 | 15 | #ifdef __cplusplus 16 | extern "C" { 17 | #endif 18 | 19 | 20 | void OPENSSL_free(void *p); 21 | 22 | typedef struct { 23 | const char *appname; 24 | } OPENSSL_INIT_SETTINGS; 25 | 26 | #define OPENSSL_INIT_LOAD_CONFIG (0x00000040L) 27 | 28 | OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void); 29 | int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *init, const char* name); 30 | void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *init); 31 | 32 | 33 | typedef void CRYPTO_EX_DATA; 34 | 35 | typedef void CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp); 36 | typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp); 37 | typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, void **from_d, int idx, long argl, void *argp); 38 | 39 | 40 | #ifdef __cplusplus 41 | } 42 | #endif 43 | #endif 44 | -------------------------------------------------------------------------------- /include/openssl/dh.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_DH_H 11 | #define OPENSSL_DH_H 12 | 13 | 14 | #ifdef __cplusplus 15 | extern "C" { 16 | #endif 17 | 18 | 19 | typedef struct { 20 | int a; 21 | } DH; 22 | 23 | void DH_free(DH *); 24 | 25 | 26 | 27 | #ifdef __cplusplus 28 | } 29 | #endif 30 | #endif 31 | -------------------------------------------------------------------------------- /include/openssl/err.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_ERR_H 11 | #define OPENSSL_ERR_H 12 | 13 | #include 14 | 15 | #ifdef __cplusplus 16 | extern "C" { 17 | #endif 18 | 19 | 20 | unsigned long ERR_get_error(void); 21 | unsigned long ERR_peek_error(void); 22 | unsigned long ERR_peek_last_error(void); 23 | unsigned long ERR_peek_error_data(const char **data, int *flags); 24 | unsigned long ERR_peek_error_line_data(const char **file, int *line, const char **data, int *flags); 25 | void ERR_error_string_n(unsigned long e, char *buf, size_t len); 26 | void ERR_clear_error(void); 27 | 28 | #define PEM_R_NO_START_LINE 1 29 | 30 | // from openssl/err.h 31 | #define ERR_LIB_NONE 1 32 | #define ERR_LIB_PEM 9 33 | 34 | int ERR_GET_LIB(unsigned long e); 35 | int ERR_GET_REASON(unsigned long e); 36 | 37 | // who use this? 38 | # define ERR_TXT_STRING 0x02 39 | 40 | 41 | 42 | #ifdef __cplusplus 43 | } 44 | #endif 45 | #endif 46 | -------------------------------------------------------------------------------- /include/openssl/evp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_EVP_H 11 | #define OPENSSL_EVP_H 12 | 13 | #include 14 | #include 15 | 16 | #ifdef __cplusplus 17 | extern "C" { 18 | #endif 19 | 20 | 21 | typedef void ENGINE; 22 | 23 | 24 | // make `const EVP_MD *` into `const char *` string 25 | typedef char EVP_MD; 26 | 27 | typedef SM3_DIGEST_CTX EVP_MD_CTX; 28 | 29 | 30 | #define EVP_MAX_MD_SIZE 64 31 | 32 | const EVP_MD *EVP_sm3(void); 33 | const EVP_MD *EVP_sha1(void); 34 | const EVP_MD *EVP_sha256(void); 35 | 36 | EVP_MD_CTX *EVP_MD_CTX_new(void); 37 | int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *engine); 38 | int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); 39 | int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md,unsigned int *s); 40 | void EVP_MD_CTX_free(EVP_MD_CTX *ctx); 41 | 42 | #define EVP_MD_CTX_create() EVP_MD_CTX_new() 43 | #define EVP_MD_CTX_destroy(ctx) EVP_MD_CTX_free(ctx); 44 | 45 | 46 | 47 | 48 | typedef struct { 49 | SM2_KEY signkey; 50 | SM2_KEY kenckey; 51 | } EVP_PKEY; 52 | 53 | void EVP_PKEY_free(EVP_PKEY *key); 54 | 55 | 56 | 57 | 58 | #ifdef __cplusplus 59 | } 60 | #endif 61 | #endif 62 | -------------------------------------------------------------------------------- /include/openssl/hmac.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_HMAC_H 11 | #define OPENSSL_HMAC_H 12 | 13 | 14 | #ifdef __cplusplus 15 | extern "C" { 16 | #endif 17 | 18 | 19 | 20 | #ifdef __cplusplus 21 | } 22 | #endif 23 | #endif 24 | -------------------------------------------------------------------------------- /include/openssl/opensslv.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_OPENSSLV_H 11 | #define OPENSSL_OPENSSLV_H 12 | 13 | #include 14 | 15 | #ifdef __cplusplus 16 | extern "C" { 17 | #endif 18 | 19 | 20 | #define GMSSL_OCL_VERSION_STR "GmSSL OCL 0.8.1" 21 | 22 | #define OPENSSL_VERSION_NUMBER 0x30000000L 23 | #define OPENSSL_VERSION_TEXT GMSSL_VERSION_STR 24 | #define OpenSSL_version(num) GMSSL_VERSION_STR 25 | #define SSLeay_version(num) GMSSL_VERSION_STR 26 | 27 | #ifdef __cplusplus 28 | } 29 | #endif 30 | #endif 31 | -------------------------------------------------------------------------------- /include/openssl/pem.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_PEM_H 11 | #define OPENSSL_PEM_H 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #ifdef __cplusplus 19 | extern "C" { 20 | #endif 21 | 22 | 23 | typedef int (pem_password_cb)(char *buf, int size, int rwflag, void *u); 24 | 25 | EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bio, EVP_PKEY **pkey, pem_password_cb *cb, void *pass); 26 | EVP_PKEY *PEM_read_bio_Parameters(BIO *bio, EVP_PKEY **pkey); 27 | 28 | X509 *PEM_read_bio_X509(BIO *bio, X509 **x509, pem_password_cb *cb, void *u); 29 | X509 *PEM_read_bio_X509_AUX(BIO *bio, X509 **x509, pem_password_cb *cb, void *u); 30 | int PEM_write_bio_X509(BIO *bio, X509 *x509); 31 | 32 | DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u); 33 | 34 | 35 | #ifdef __cplusplus 36 | } 37 | #endif 38 | #endif 39 | -------------------------------------------------------------------------------- /include/openssl/rand.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_RAND_H 11 | #define OPENSSL_RAND_H 12 | 13 | 14 | #ifdef __cplusplus 15 | extern "C" { 16 | #endif 17 | 18 | 19 | int RAND_bytes(unsigned char *buf, int nun); 20 | 21 | 22 | #ifdef __cplusplus 23 | } 24 | #endif 25 | #endif 26 | -------------------------------------------------------------------------------- /include/openssl/rsa.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_RSA_H 11 | #define OPENSSL_RSA_H 12 | 13 | 14 | #ifdef __cplusplus 15 | extern "C" { 16 | #endif 17 | 18 | 19 | typedef struct { 20 | int a; 21 | } RSA; 22 | 23 | 24 | #ifdef __cplusplus 25 | } 26 | #endif 27 | #endif 28 | -------------------------------------------------------------------------------- /include/openssl/ssl.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_SSL_H 11 | #define OPENSSL_SSL_H 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #include 21 | 22 | #ifdef __cplusplus 23 | extern "C" { 24 | #endif 25 | 26 | 27 | int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); 28 | 29 | 30 | typedef void SSL_METHOD; 31 | 32 | const SSL_METHOD *SSLv23_method(void); 33 | 34 | 35 | typedef TLS_CTX SSL_CTX; 36 | typedef TLS_CONNECT SSL; 37 | 38 | // init TLS_CTX as 'server' by default 39 | SSL_CTX *SSL_CTX_new(const SSL_METHOD *method); 40 | void SSL_CTX_free(SSL_CTX *ctx); 41 | 42 | int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x509); 43 | 44 | 45 | int _SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *sk); 46 | #define SSL_CTX_set0_chain(ctx,sk) _SSL_CTX_set0_chain(ctx,sk) 47 | 48 | 49 | int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); 50 | long SSL_CTX_get_timeout(SSL_CTX *ctx); 51 | 52 | // the origina `SSL_CTX_set1_group_list` is a macro of `SSL_CTX_ctrl` 53 | int _SSL_CTX_set1_group_list(SSL_CTX *ctx, char *list); 54 | #define SSL_CTX_set1_curves_list(ctx,list) SSL_CTX_set1_group_list(ctx,list) 55 | #define SSL_CTX_set1_group_list(ctx,list) _SSL_CTX_set1_group_list(ctx,list) 56 | 57 | 58 | 59 | // called by ngx_ssl_session_id_context 60 | STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); 61 | 62 | 63 | // nginx-1.18 64 | long _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh); 65 | #define SSL_CTX_set_tmp_dh(ctx,dh) _SSL_CTX_set_tmp_dh(ctx,dh) 66 | 67 | 68 | int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *pkey); // function 69 | 70 | 71 | int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 72 | int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg); 73 | void *SSL_CTX_get_ex_data(const SSL_CTX *d, int idx); 74 | 75 | 76 | typedef int SSL_SESSION; 77 | 78 | #define SSL_SESS_CACHE_OFF 0x0000 79 | #define SSL_SESS_CACHE_CLIENT 0x0001 80 | #define SSL_SESS_CACHE_SERVER 0x0002 81 | #define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER) 82 | #define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080 83 | #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100 84 | #define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200 85 | #define SSL_SESS_CACHE_NO_INTERNAL (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE) 86 | #define SSL_SESS_CACHE_UPDATE_TIME 0x0400 87 | 88 | 89 | int SSL_set_session(SSL *ssl, SSL_SESSION *session); 90 | int SSL_session_reused(const SSL *ssl); 91 | SSL_SESSION *SSL_get1_session(SSL *ssl); 92 | SSL_SESSION *SSL_get0_session(const SSL *ssl); 93 | 94 | 95 | void SSL_SESSION_free(SSL_SESSION *session); 96 | const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len); 97 | int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); 98 | SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length); 99 | 100 | 101 | 102 | 103 | #define SSL_SENT_SHUTDOWN 2 104 | #define SSL_RECEIVED_SHUTDOWN 1 105 | #define SSL_CB_ACCEPT_LOOP 1 106 | 107 | 108 | 109 | SSL *SSL_new(SSL_CTX *ctx); 110 | void SSL_free(SSL *ssl); 111 | int SSL_is_server(const SSL *ssl); 112 | const char *SSL_get_version(const SSL *ssl); 113 | const char *SSL_get_cipher_name(const SSL *s); 114 | char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size); 115 | void SSL_set_connect_state(SSL *ssl); 116 | void SSL_set_accept_state(SSL *ssl); 117 | int SSL_set_fd(SSL *ssl, int fd); 118 | int SSL_do_handshake(SSL *ssl); 119 | int SSL_read(SSL *ssl, void *buf, int num); 120 | int SSL_write(SSL *ssl, const void *buf, int num); 121 | int SSL_in_init(const SSL *ssl); 122 | void SSL_set_quiet_shutdown(SSL *ssl, int mode); 123 | void SSL_set_shutdown(SSL *ssl, int mode); 124 | int SSL_get_shutdown(const SSL *ssl); 125 | int SSL_shutdown(SSL *ssl); 126 | int SSL_get_error(const SSL *ssl, int ret); 127 | 128 | int SSL_get_ex_new_index(long argl, void *argp, 129 | CRYPTO_EX_new *new_func, 130 | CRYPTO_EX_dup *dup_func, 131 | CRYPTO_EX_free *free_func); 132 | int SSL_set_ex_data(SSL *ssl, int idx, void *arg); 133 | void *SSL_get_ex_data(const SSL *ssl, int idx); 134 | 135 | 136 | 137 | # define SSL_ERROR_NONE 0 138 | # define SSL_ERROR_SSL 1 139 | # define SSL_ERROR_WANT_READ 2 140 | # define SSL_ERROR_WANT_WRITE 3 141 | # define SSL_ERROR_WANT_X509_LOOKUP 4 142 | # define SSL_ERROR_SYSCALL 5 143 | # define SSL_ERROR_ZERO_RETURN 6 144 | # define SSL_ERROR_WANT_CONNECT 7 145 | # define SSL_ERROR_WANT_ACCEPT 8 146 | # define SSL_ERROR_WANT_ASYNC 9 147 | # define SSL_ERROR_WANT_ASYNC_JOB 10 148 | # define SSL_ERROR_WANT_CLIENT_HELLO_CB 11 149 | # define SSL_ERROR_WANT_RETRY_VERIFY 12 150 | 151 | 152 | long _SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, long mode); 153 | #define SSL_CTX_set_session_cache_mode(ctx,mode) _SSL_CTX_set_session_cache_mode(ctx,mode) 154 | int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len); // func 155 | void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(SSL *, SSL_SESSION *)); // func 156 | void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*get_session_cb)(SSL *, const unsigned char *, int, int *)); 157 | void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)); 158 | 159 | long _SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, long t); 160 | #define SSL_CTX_sess_set_cache_size(ctx,t) _SSL_CTX_sess_set_cache_size(ctx,t) 161 | 162 | 163 | int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c); 164 | 165 | 166 | // Nginx use `SSL_CTX_set_info_callback` to change the SSL handshake buffer size 167 | // Nginx use SSL_get_rbio(ssl) != SSL_get_wbio(ssl) to check if current state is handshake 168 | // But GmSSL does not use FILE as SSL/TLS bio, nor GmSSL support caller-defined buffer size 169 | // So `SSL_CTX_set_info_callback` and `BIO_set_write_buffer_size` will do nothing 170 | // `SSL_get_rbio` and `SSL_get_wbio` will return NULL 171 | void SSL_CTX_set_info_callback(SSL_CTX *ctx, 172 | void (*callback) (const SSL *ssl, int type, int val)); 173 | BIO *SSL_get_rbio(const SSL *ssl); 174 | BIO *SSL_get_wbio(const SSL *ssl); 175 | long BIO_set_write_buffer_size(BIO *bio, long size); 176 | 177 | 178 | typedef void SSL_CIPHER; 179 | 180 | const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl); 181 | char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size); 182 | 183 | 184 | 185 | 186 | 187 | long SSL_CTX_set_timeout(SSL_CTX *ctx, long timeout_seconds); 188 | int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str); 189 | 190 | 191 | // GmSSL OCL does not support options, only some SSL_OP_ options are listed here to make compile success 192 | #define SSL_OP_NO_COMPRESSION 1 193 | #define SSL_OP_NO_RENEGOTIATION 1 194 | 195 | #define SSL_OP_SINGLE_DH_USE 1 196 | #define SSL_OP_SINGLE_ECDH_USE 1 197 | 198 | #define SSL_OP_NO_SSLv2 1 199 | #define SSL_OP_NO_SSLv3 1 200 | #define SSL_OP_NO_TLSv1 1 201 | #define SSL_OP_NO_SSLv2 1 202 | #define SSL_OP_NO_SSLv3 1 203 | #define SSL_OP_NO_TLSv1 1 204 | 205 | #define SSL_OP_CIPHER_SERVER_PREFERENCE 1 206 | 207 | 208 | uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t options); 209 | uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t options); 210 | uint64_t SSL_set_options(SSL *ssl, uint64_t options); 211 | uint64_t SSL_clear_options(SSL *ssl, uint64_t options); 212 | 213 | long SSL_CTX_set_mode(SSL_CTX *ctx, long mode); 214 | int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version); 215 | int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version); 216 | void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cert_cb)(SSL *ssl, void *arg), void *arg); 217 | 218 | long SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes); 219 | 220 | 221 | // client verify CA 222 | void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth); 223 | int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); 224 | STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); 225 | void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); 226 | 227 | 228 | X509 *SSL_get1_peer_certificate(const SSL *ssl); 229 | #define SSL_get_peer_certificate(ssl) SSL_get1_peer_certificate(ssl) 230 | 231 | 232 | long SSL_get_verify_result(const SSL *ssl); 233 | 234 | 235 | 236 | # define SSL_VERIFY_NONE 0x00 237 | # define SSL_VERIFY_PEER 0x01 238 | # define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 239 | # define SSL_VERIFY_CLIENT_ONCE 0x04 240 | # define SSL_VERIFY_POST_HANDSHAKE 0x08 241 | 242 | int SSL_get_ex_data_X509_STORE_CTX_idx(void); 243 | 244 | 245 | 246 | typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); 247 | 248 | void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb verify_callback); 249 | int SSL_CTX_get_verify_mode(const SSL_CTX *ctx); 250 | 251 | X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx); 252 | 253 | 254 | #undef SSL_R_CERT_CB_ERROR 255 | 256 | int SSL_use_certificate(SSL *ssl, X509 *x509); 257 | int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); 258 | int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *sk); 259 | 260 | 261 | // from 262 | # define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY 291 263 | # define SSL_R_APP_DATA_IN_HANDSHAKE 100 264 | # define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272 265 | # define SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE 158 266 | # define SSL_R_BAD_CHANGE_CIPHER_SPEC 103 267 | # define SSL_R_BAD_CIPHER 186 268 | # define SSL_R_BAD_DATA 390 269 | # define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106 270 | # define SSL_R_BAD_DECOMPRESSION 107 271 | # define SSL_R_BAD_DH_VALUE 102 272 | # define SSL_R_BAD_DIGEST_LENGTH 111 273 | # define SSL_R_BAD_EARLY_DATA 233 274 | # define SSL_R_BAD_ECC_CERT 304 275 | # define SSL_R_BAD_ECPOINT 306 276 | # define SSL_R_BAD_EXTENSION 110 277 | # define SSL_R_BAD_HANDSHAKE_LENGTH 332 278 | # define SSL_R_BAD_HANDSHAKE_STATE 236 279 | # define SSL_R_BAD_HELLO_REQUEST 105 280 | # define SSL_R_BAD_HRR_VERSION 263 281 | # define SSL_R_BAD_KEY_SHARE 108 282 | # define SSL_R_BAD_KEY_UPDATE 122 283 | # define SSL_R_BAD_LEGACY_VERSION 292 284 | # define SSL_R_BAD_LENGTH 271 285 | # define SSL_R_BAD_PACKET 240 286 | # define SSL_R_BAD_PACKET_LENGTH 115 287 | # define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116 288 | # define SSL_R_BAD_PSK 219 289 | # define SSL_R_BAD_PSK_IDENTITY 114 290 | # define SSL_R_BAD_RECORD_TYPE 443 291 | # define SSL_R_BAD_RSA_ENCRYPT 119 292 | # define SSL_R_BAD_SIGNATURE 123 293 | # define SSL_R_BAD_SRP_A_LENGTH 347 294 | # define SSL_R_BAD_SRP_PARAMETERS 371 295 | # define SSL_R_BAD_SRTP_MKI_VALUE 352 296 | # define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 353 297 | # define SSL_R_BAD_SSL_FILETYPE 124 298 | # define SSL_R_BAD_VALUE 384 299 | # define SSL_R_BAD_WRITE_RETRY 127 300 | # define SSL_R_BINDER_DOES_NOT_VERIFY 253 301 | # define SSL_R_BIO_NOT_SET 128 302 | # define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129 303 | # define SSL_R_BN_LIB 130 304 | # define SSL_R_CALLBACK_FAILED 234 305 | # define SSL_R_CANNOT_CHANGE_CIPHER 109 306 | # define SSL_R_CANNOT_GET_GROUP_NAME 299 307 | # define SSL_R_CA_DN_LENGTH_MISMATCH 131 308 | # define SSL_R_CA_KEY_TOO_SMALL 397 309 | # define SSL_R_CA_MD_TOO_WEAK 398 310 | # define SSL_R_CCS_RECEIVED_EARLY 133 311 | # define SSL_R_CERTIFICATE_VERIFY_FAILED 134 312 | # define SSL_R_CERT_CB_ERROR 377 313 | # define SSL_R_CERT_LENGTH_MISMATCH 135 314 | # define SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED 218 315 | # define SSL_R_CIPHER_CODE_WRONG_LENGTH 137 316 | # define SSL_R_CLIENTHELLO_TLSEXT 226 317 | # define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140 318 | # define SSL_R_COMPRESSION_DISABLED 343 319 | # define SSL_R_COMPRESSION_FAILURE 141 320 | # define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307 321 | # define SSL_R_COMPRESSION_LIBRARY_ERROR 142 322 | # define SSL_R_CONNECTION_TYPE_NOT_SET 144 323 | # define SSL_R_CONTEXT_NOT_DANE_ENABLED 167 324 | # define SSL_R_COOKIE_GEN_CALLBACK_FAILURE 400 325 | # define SSL_R_COOKIE_MISMATCH 308 326 | # define SSL_R_COPY_PARAMETERS_FAILED 296 327 | # define SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED 206 328 | # define SSL_R_DANE_ALREADY_ENABLED 172 329 | # define SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL 173 330 | # define SSL_R_DANE_NOT_ENABLED 175 331 | # define SSL_R_DANE_TLSA_BAD_CERTIFICATE 180 332 | # define SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE 184 333 | # define SSL_R_DANE_TLSA_BAD_DATA_LENGTH 189 334 | # define SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH 192 335 | # define SSL_R_DANE_TLSA_BAD_MATCHING_TYPE 200 336 | # define SSL_R_DANE_TLSA_BAD_PUBLIC_KEY 201 337 | # define SSL_R_DANE_TLSA_BAD_SELECTOR 202 338 | # define SSL_R_DANE_TLSA_NULL_DATA 203 339 | # define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145 340 | # define SSL_R_DATA_LENGTH_TOO_LONG 146 341 | # define SSL_R_DECRYPTION_FAILED 147 342 | # define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281 343 | # define SSL_R_DH_KEY_TOO_SMALL 394 344 | # define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 345 | # define SSL_R_DIGEST_CHECK_FAILED 149 346 | # define SSL_R_DTLS_MESSAGE_TOO_BIG 334 347 | # define SSL_R_DUPLICATE_COMPRESSION_ID 309 348 | # define SSL_R_ECC_CERT_NOT_FOR_SIGNING 318 349 | # define SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE 374 350 | # define SSL_R_EE_KEY_TOO_SMALL 399 351 | # define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354 352 | # define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 353 | # define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 354 | # define SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN 204 355 | # define SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE 194 356 | # define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 357 | # define SSL_R_EXTENSION_NOT_RECEIVED 279 358 | # define SSL_R_EXTRA_DATA_IN_MESSAGE 153 359 | # define SSL_R_EXT_LENGTH_MISMATCH 163 360 | # define SSL_R_FAILED_TO_INIT_ASYNC 405 361 | # define SSL_R_FRAGMENTED_CLIENT_HELLO 401 362 | # define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 363 | # define SSL_R_HTTPS_PROXY_REQUEST 155 364 | # define SSL_R_HTTP_REQUEST 156 365 | # define SSL_R_ILLEGAL_POINT_COMPRESSION 162 366 | # define SSL_R_ILLEGAL_SUITEB_DIGEST 380 367 | # define SSL_R_INAPPROPRIATE_FALLBACK 373 368 | # define SSL_R_INCONSISTENT_COMPRESSION 340 369 | # define SSL_R_INCONSISTENT_EARLY_DATA_ALPN 222 370 | # define SSL_R_INCONSISTENT_EARLY_DATA_SNI 231 371 | # define SSL_R_INCONSISTENT_EXTMS 104 372 | # define SSL_R_INSUFFICIENT_SECURITY 241 373 | # define SSL_R_INVALID_ALERT 205 374 | # define SSL_R_INVALID_CCS_MESSAGE 260 375 | # define SSL_R_INVALID_CERTIFICATE_OR_ALG 238 376 | # define SSL_R_INVALID_COMMAND 280 377 | # define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 378 | # define SSL_R_INVALID_CONFIG 283 379 | # define SSL_R_INVALID_CONFIGURATION_NAME 113 380 | # define SSL_R_INVALID_CONTEXT 282 381 | # define SSL_R_INVALID_CT_VALIDATION_TYPE 212 382 | # define SSL_R_INVALID_KEY_UPDATE_TYPE 120 383 | # define SSL_R_INVALID_MAX_EARLY_DATA 174 384 | # define SSL_R_INVALID_NULL_CMD_NAME 385 385 | # define SSL_R_INVALID_SEQUENCE_NUMBER 402 386 | # define SSL_R_INVALID_SERVERINFO_DATA 388 387 | # define SSL_R_INVALID_SESSION_ID 999 388 | # define SSL_R_INVALID_SRP_USERNAME 357 389 | # define SSL_R_INVALID_STATUS_RESPONSE 328 390 | # define SSL_R_INVALID_TICKET_KEYS_LENGTH 325 391 | # define SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED 333 392 | # define SSL_R_LENGTH_MISMATCH 159 393 | # define SSL_R_LENGTH_TOO_LONG 404 394 | # define SSL_R_LENGTH_TOO_SHORT 160 395 | # define SSL_R_LIBRARY_BUG 274 396 | # define SSL_R_LIBRARY_HAS_NO_CIPHERS 161 397 | # define SSL_R_MISSING_DSA_SIGNING_CERT 165 398 | # define SSL_R_MISSING_ECDSA_SIGNING_CERT 381 399 | # define SSL_R_MISSING_FATAL 256 400 | # define SSL_R_MISSING_PARAMETERS 290 401 | # define SSL_R_MISSING_PSK_KEX_MODES_EXTENSION 310 402 | # define SSL_R_MISSING_RSA_CERTIFICATE 168 403 | # define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169 404 | # define SSL_R_MISSING_RSA_SIGNING_CERT 170 405 | # define SSL_R_MISSING_SIGALGS_EXTENSION 112 406 | # define SSL_R_MISSING_SIGNING_CERT 221 407 | # define SSL_R_MISSING_SRP_PARAM 358 408 | # define SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION 209 409 | # define SSL_R_MISSING_TMP_DH_KEY 171 410 | # define SSL_R_MISSING_TMP_ECDH_KEY 311 411 | # define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293 412 | # define SSL_R_NOT_ON_RECORD_BOUNDARY 182 413 | # define SSL_R_NOT_REPLACING_CERTIFICATE 289 414 | # define SSL_R_NOT_SERVER 284 415 | # define SSL_R_NO_APPLICATION_PROTOCOL 235 416 | # define SSL_R_NO_CERTIFICATES_RETURNED 176 417 | # define SSL_R_NO_CERTIFICATE_ASSIGNED 177 418 | # define SSL_R_NO_CERTIFICATE_SET 179 419 | # define SSL_R_NO_CHANGE_FOLLOWING_HRR 214 420 | # define SSL_R_NO_CIPHERS_AVAILABLE 181 421 | # define SSL_R_NO_CIPHERS_SPECIFIED 183 422 | # define SSL_R_NO_CIPHER_MATCH 185 423 | # define SSL_R_NO_CLIENT_CERT_METHOD 331 424 | # define SSL_R_NO_COMPRESSION_SPECIFIED 187 425 | # define SSL_R_NO_COOKIE_CALLBACK_SET 287 426 | # define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330 427 | # define SSL_R_NO_METHOD_SPECIFIED 188 428 | # define SSL_R_NO_PEM_EXTENSIONS 389 429 | # define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 430 | # define SSL_R_NO_PROTOCOLS_AVAILABLE 191 431 | # define SSL_R_NO_RENEGOTIATION 339 432 | # define SSL_R_NO_REQUIRED_DIGEST 324 433 | # define SSL_R_NO_SHARED_CIPHER 193 434 | # define SSL_R_NO_SHARED_GROUPS 410 435 | # define SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS 376 436 | # define SSL_R_NO_SRTP_PROFILES 359 437 | # define SSL_R_NO_SUITABLE_DIGEST_ALGORITHM 297 438 | # define SSL_R_NO_SUITABLE_GROUPS 295 439 | # define SSL_R_NO_SUITABLE_KEY_SHARE 101 440 | # define SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM 118 441 | # define SSL_R_NO_VALID_SCTS 216 442 | # define SSL_R_NO_VERIFY_COOKIE_CALLBACK 403 443 | # define SSL_R_NULL_SSL_CTX 195 444 | # define SSL_R_NULL_SSL_METHOD_PASSED 196 445 | # define SSL_R_OCSP_CALLBACK_FAILURE 305 446 | # define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 447 | # define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344 448 | # define SSL_R_OVERFLOW_ERROR 237 449 | # define SSL_R_PACKET_LENGTH_TOO_LONG 198 450 | # define SSL_R_PARSE_TLSEXT 227 451 | # define SSL_R_PATH_TOO_LONG 270 452 | # define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 453 | # define SSL_R_PEM_NAME_BAD_PREFIX 391 454 | # define SSL_R_PEM_NAME_TOO_SHORT 392 455 | # define SSL_R_PIPELINE_FAILURE 406 456 | # define SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR 278 457 | # define SSL_R_PRIVATE_KEY_MISMATCH 288 458 | # define SSL_R_PROTOCOL_IS_SHUTDOWN 207 459 | # define SSL_R_PSK_IDENTITY_NOT_FOUND 223 460 | # define SSL_R_PSK_NO_CLIENT_CB 224 461 | # define SSL_R_PSK_NO_SERVER_CB 225 462 | # define SSL_R_READ_BIO_NOT_SET 211 463 | # define SSL_R_READ_TIMEOUT_EXPIRED 312 464 | # define SSL_R_RECORD_LENGTH_MISMATCH 213 465 | # define SSL_R_RECORD_TOO_SMALL 298 466 | # define SSL_R_RENEGOTIATE_EXT_TOO_LONG 335 467 | # define SSL_R_RENEGOTIATION_ENCODING_ERR 336 468 | # define SSL_R_RENEGOTIATION_MISMATCH 337 469 | # define SSL_R_REQUEST_PENDING 285 470 | # define SSL_R_REQUEST_SENT 286 471 | # define SSL_R_REQUIRED_CIPHER_MISSING 215 472 | # define SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING 342 473 | # define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345 474 | # define SSL_R_SCT_VERIFICATION_FAILED 208 475 | # define SSL_R_SERVERHELLO_TLSEXT 275 476 | # define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 477 | # define SSL_R_SHUTDOWN_WHILE_IN_INIT 407 478 | # define SSL_R_SIGNATURE_ALGORITHMS_ERROR 360 479 | # define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 480 | # define SSL_R_SRP_A_CALC 361 481 | # define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 362 482 | # define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 363 483 | # define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 364 484 | # define SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH 232 485 | # define SSL_R_SSL3_EXT_INVALID_SERVERNAME 319 486 | # define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 320 487 | # define SSL_R_SSL3_SESSION_ID_TOO_LONG 300 488 | # define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 489 | # define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 490 | # define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 491 | # define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044 492 | # define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046 493 | # define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030 494 | # define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 495 | # define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 496 | # define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 497 | # define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 498 | # define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 499 | # define SSL_R_SSL_COMMAND_SECTION_EMPTY 117 500 | # define SSL_R_SSL_COMMAND_SECTION_NOT_FOUND 125 501 | # define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 502 | # define SSL_R_SSL_HANDSHAKE_FAILURE 229 503 | # define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230 504 | # define SSL_R_SSL_NEGATIVE_LENGTH 372 505 | # define SSL_R_SSL_SECTION_EMPTY 126 506 | # define SSL_R_SSL_SECTION_NOT_FOUND 136 507 | # define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301 508 | # define SSL_R_SSL_SESSION_ID_CONFLICT 302 509 | # define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 510 | # define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303 511 | # define SSL_R_SSL_SESSION_ID_TOO_LONG 408 512 | # define SSL_R_SSL_SESSION_VERSION_MISMATCH 210 513 | # define SSL_R_STILL_IN_INIT 121 514 | # define SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED 1116 515 | # define SSL_R_TLSV13_ALERT_MISSING_EXTENSION 1109 516 | # define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 517 | # define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 518 | # define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 519 | # define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 520 | # define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 521 | # define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 522 | # define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 523 | # define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 524 | # define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 525 | # define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 526 | # define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 527 | # define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 528 | # define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090 529 | # define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114 530 | # define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113 531 | # define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111 532 | # define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 533 | # define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 534 | # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367 535 | # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157 536 | # define SSL_R_TOO_MANY_KEY_UPDATES 132 537 | # define SSL_R_TOO_MANY_WARN_ALERTS 409 538 | # define SSL_R_TOO_MUCH_EARLY_DATA 164 539 | # define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 314 540 | # define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239 541 | # define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242 542 | # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 543 | # define SSL_R_UNEXPECTED_CCS_MESSAGE 262 544 | # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178 545 | # define SSL_R_UNEXPECTED_EOF_WHILE_READING 294 546 | # define SSL_R_UNEXPECTED_MESSAGE 244 547 | # define SSL_R_UNEXPECTED_RECORD 245 548 | # define SSL_R_UNINITIALIZED 276 549 | # define SSL_R_UNKNOWN_ALERT_TYPE 246 550 | # define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247 551 | # define SSL_R_UNKNOWN_CIPHER_RETURNED 248 552 | # define SSL_R_UNKNOWN_CIPHER_TYPE 249 553 | # define SSL_R_UNKNOWN_CMD_NAME 386 554 | # define SSL_R_UNKNOWN_COMMAND 139 555 | # define SSL_R_UNKNOWN_DIGEST 368 556 | # define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250 557 | # define SSL_R_UNKNOWN_PKEY_TYPE 251 558 | # define SSL_R_UNKNOWN_PROTOCOL 252 559 | # define SSL_R_UNKNOWN_SSL_VERSION 254 560 | # define SSL_R_UNKNOWN_STATE 255 561 | # define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338 562 | # define SSL_R_UNSOLICITED_EXTENSION 217 563 | # define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 564 | # define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315 565 | # define SSL_R_UNSUPPORTED_PROTOCOL 258 566 | # define SSL_R_UNSUPPORTED_SSL_VERSION 259 567 | # define SSL_R_UNSUPPORTED_STATUS_TYPE 329 568 | # define SSL_R_USE_SRTP_NOT_NEGOTIATED 369 569 | # define SSL_R_VERSION_TOO_HIGH 166 570 | # define SSL_R_VERSION_TOO_LOW 396 571 | # define SSL_R_WRONG_CERTIFICATE_TYPE 383 572 | # define SSL_R_WRONG_CIPHER_RETURNED 261 573 | # define SSL_R_WRONG_CURVE 378 574 | # define SSL_R_WRONG_SIGNATURE_LENGTH 264 575 | # define SSL_R_WRONG_SIGNATURE_SIZE 265 576 | # define SSL_R_WRONG_SIGNATURE_TYPE 370 577 | # define SSL_R_WRONG_SSL_VERSION 266 578 | # define SSL_R_WRONG_VERSION_NUMBER 267 579 | # define SSL_R_X509_LIB 268 580 | # define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 581 | 582 | 583 | 584 | 585 | #ifdef __cplusplus 586 | } 587 | #endif 588 | #endif 589 | -------------------------------------------------------------------------------- /include/openssl/symhacks.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_SYMHACKS_H 11 | #define OPENSSL_SYMHACKS_H 12 | 13 | 14 | #ifdef __cplusplus 15 | extern "C" { 16 | #endif 17 | 18 | 19 | 20 | #ifdef __cplusplus 21 | } 22 | #endif 23 | #endif 24 | -------------------------------------------------------------------------------- /include/openssl/x509.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_X509_H 11 | #define OPENSSL_X509_H 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #ifdef __cplusplus 20 | extern "C" { 21 | #endif 22 | 23 | 24 | #define X509_MAX_SIZE (64*1024) 25 | 26 | typedef struct { 27 | uint8_t *d; 28 | size_t dlen; 29 | } X509_NAME; 30 | 31 | int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md, unsigned char *dgst, unsigned int *dgstlen); 32 | 33 | 34 | int X509_NAME_print_ex(BIO *bio, const X509_NAME *name, int indent, unsigned long flags); 35 | 36 | 37 | # define XN_FLAG_SEP_MASK (0xf << 16) 38 | # define XN_FLAG_COMPAT 0/* Traditional; use old X509_NAME_print */ 39 | # define XN_FLAG_SEP_COMMA_PLUS (1 << 16)/* RFC2253 ,+ */ 40 | # define XN_FLAG_SEP_CPLUS_SPC (2 << 16)/* ,+ spaced: more readable */ 41 | # define XN_FLAG_SEP_SPLUS_SPC (3 << 16)/* ;+ spaced */ 42 | # define XN_FLAG_SEP_MULTILINE (4 << 16)/* One line per field */ 43 | # define XN_FLAG_DN_REV (1 << 20)/* Reverse DN order */ 44 | # define XN_FLAG_FN_MASK (0x3 << 21) 45 | # define XN_FLAG_FN_SN 0/* Object short name */ 46 | # define XN_FLAG_FN_LN (1 << 21)/* Object long name */ 47 | # define XN_FLAG_FN_OID (2 << 21)/* Always use OIDs */ 48 | # define XN_FLAG_FN_NONE (3 << 21)/* No field names */ 49 | # define XN_FLAG_SPC_EQ (1 << 23)/* Put spaces round '=' */ 50 | # define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24) 51 | # define XN_FLAG_FN_ALIGN (1 << 25)/* Align field names to 20 */ 52 | # define ASN1_STRFLGS_RFC2253 0 53 | # define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \ 54 | XN_FLAG_SEP_COMMA_PLUS | \ 55 | XN_FLAG_DN_REV | \ 56 | XN_FLAG_FN_SN | \ 57 | XN_FLAG_DUMP_UNKNOWN_FIELDS) 58 | # define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | \ 59 | ASN1_STRFLGS_ESC_QUOTE | \ 60 | XN_FLAG_SEP_CPLUS_SPC | \ 61 | XN_FLAG_SPC_EQ | \ 62 | XN_FLAG_FN_SN) 63 | # define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | \ 64 | ASN1_STRFLGS_ESC_MSB | \ 65 | XN_FLAG_SEP_MULTILINE | \ 66 | XN_FLAG_SPC_EQ | \ 67 | XN_FLAG_FN_LN | \ 68 | XN_FLAG_FN_ALIGN) 69 | 70 | 71 | 72 | char *X509_NAME_oneline(const X509_NAME *mame, char *buf, int buflen); 73 | 74 | 75 | #define STACK_OF(TYPE) STACK_OF_##TYPE 76 | 77 | 78 | #define STACK_OF_X509_NAME_MAX_NUM 16 79 | 80 | typedef struct { 81 | X509_NAME values[16]; 82 | int top; 83 | } STACK_OF_X509_NAME; 84 | 85 | int sk_X509_NAME_num(const STACK_OF(X509_NAME) *sk); 86 | X509_NAME *sk_X509_NAME_value(const STACK_OF(X509_NAME) *sk, int idx); 87 | 88 | 89 | typedef struct { 90 | uint8_t *d; 91 | size_t dlen; 92 | ASN1_INTEGER serial; 93 | X509_NAME issuer; 94 | time_t not_before; 95 | time_t not_after; 96 | X509_NAME subject; 97 | } X509; 98 | 99 | X509 *X509_new(void); 100 | void X509_free(X509 *x509); 101 | 102 | // `X509_get_serialNumber` return an internal pointer of `x509` and MUST NOT be freed. 103 | ASN1_INTEGER *X509_get_serialNumber(X509 *x509); 104 | 105 | // `X509_get_subject_name` return an internal pointer of `x509` and MUST NOT be freed. 106 | X509_NAME *X509_get_subject_name(const X509 *x509); 107 | 108 | // `X509_get_issuer_name` return an internal pointer of `x509` and MUST NOT be freed. 109 | X509_NAME *X509_get_issuer_name(const X509 *x509); 110 | 111 | // `X509_get0_notBefore` return an internal pointer of `x509` and MUST NOT be freed. 112 | const ASN1_TIME *X509_get0_notBefore(const X509 *x509); 113 | 114 | // `X509_get0_notAfter` return an internal pointer of `x509` and MUST NOT be freed. 115 | const ASN1_TIME *X509_get0_notAfter(const X509 *x509); 116 | 117 | int X509_check_host(X509 *x509, const char *name, size_t namelen, unsigned int flags, char **peername); 118 | 119 | 120 | int X509_digest(const X509 *x509, const EVP_MD *md, unsigned char *dgst, unsigned int *dgstlen); 121 | 122 | 123 | 124 | #define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x01 125 | 126 | 127 | // Nginx use `ex_data` to save the DER raw_data or filename into `X509` object 128 | int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 129 | int X509_set_ex_data(X509 *x509, int idx, void *arg); 130 | void *X509_get_ex_data(const X509 *x509, int idx); 131 | 132 | 133 | const char *X509_verify_cert_error_string(long n); 134 | 135 | 136 | #define STACK_OF_X509_MAX_NUM 16 137 | 138 | typedef struct { 139 | X509 values[STACK_OF_X509_MAX_NUM]; 140 | int top; 141 | } STACK_OF_X509; 142 | 143 | STACK_OF(X509) *sk_X509_new_null(); 144 | 145 | 146 | 147 | int sk_X509_num(const STACK_OF(X509) *sk); 148 | 149 | int sk_X509_push(STACK_OF(X509) *sk, const X509 *x509); 150 | void sk_X509_pop_free(STACK_OF(X509) *sk, void (*func)(X509 *)); 151 | 152 | 153 | typedef void X509_STORE; 154 | typedef void X509_STORE_CTX; 155 | 156 | // used in ngx_ssl_verify_callback to save the verification info 157 | // If Nginx is not configured `--with-debug`, i.e. define `NGX_DEBUG`, these `X509_STORE_CTX_` functions will not called 158 | void *X509_STORE_CTX_get_ex_data(const X509_STORE_CTX *d, int idx); 159 | X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx); 160 | int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx); 161 | int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx); 162 | 163 | 164 | 165 | #ifdef __cplusplus 166 | } 167 | #endif 168 | #endif 169 | -------------------------------------------------------------------------------- /include/openssl/x509_vfy.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_X509_VFY_H 11 | #define OPENSSL_X509_VFY_H 12 | 13 | #include 14 | 15 | #ifdef __cplusplus 16 | extern "C" { 17 | #endif 18 | 19 | 20 | typedef void X509_LOOKUP_METHOD; 21 | typedef void X509_LOOKUP; 22 | 23 | 24 | // from openssl/x509_vfy.h of openssl-3.1.4 25 | /* Certificate verify flags */ 26 | # ifndef OPENSSL_NO_DEPRECATED_1_1_0 27 | # define X509_V_FLAG_CB_ISSUER_CHECK 0x0 /* Deprecated */ 28 | # endif 29 | /* Use check time instead of current time */ 30 | # define X509_V_FLAG_USE_CHECK_TIME 0x2 31 | /* Lookup CRLs */ 32 | # define X509_V_FLAG_CRL_CHECK 0x4 33 | /* Lookup CRLs for whole chain */ 34 | # define X509_V_FLAG_CRL_CHECK_ALL 0x8 35 | /* Ignore unhandled critical extensions */ 36 | # define X509_V_FLAG_IGNORE_CRITICAL 0x10 37 | /* Disable workarounds for broken certificates */ 38 | # define X509_V_FLAG_X509_STRICT 0x20 39 | /* Enable proxy certificate validation */ 40 | # define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40 41 | /* Enable policy checking */ 42 | # define X509_V_FLAG_POLICY_CHECK 0x80 43 | /* Policy variable require-explicit-policy */ 44 | # define X509_V_FLAG_EXPLICIT_POLICY 0x100 45 | /* Policy variable inhibit-any-policy */ 46 | # define X509_V_FLAG_INHIBIT_ANY 0x200 47 | /* Policy variable inhibit-policy-mapping */ 48 | # define X509_V_FLAG_INHIBIT_MAP 0x400 49 | /* Notify callback that policy is OK */ 50 | # define X509_V_FLAG_NOTIFY_POLICY 0x800 51 | /* Extended CRL features such as indirect CRLs, alternate CRL signing keys */ 52 | # define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000 53 | /* Delta CRL support */ 54 | # define X509_V_FLAG_USE_DELTAS 0x2000 55 | /* Check self-signed CA signature */ 56 | # define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 57 | /* Use trusted store first */ 58 | # define X509_V_FLAG_TRUSTED_FIRST 0x8000 59 | /* Suite B 128 bit only mode: not normally used */ 60 | # define X509_V_FLAG_SUITEB_128_LOS_ONLY 0x10000 61 | /* Suite B 192 bit only mode */ 62 | # define X509_V_FLAG_SUITEB_192_LOS 0x20000 63 | /* Suite B 128 bit mode allowing 192 bit algorithms */ 64 | # define X509_V_FLAG_SUITEB_128_LOS 0x30000 65 | /* Allow partial chains if at least one certificate is in trusted store */ 66 | # define X509_V_FLAG_PARTIAL_CHAIN 0x80000 67 | /* 68 | * If the initial chain is not trusted, do not attempt to build an alternative 69 | * chain. Alternate chain checking was introduced in 1.1.0. Setting this flag 70 | * will force the behaviour to match that of previous versions. 71 | */ 72 | # define X509_V_FLAG_NO_ALT_CHAINS 0x100000 73 | /* Do not check certificate/CRL validity against current time */ 74 | # define X509_V_FLAG_NO_CHECK_TIME 0x200000 75 | 76 | # define X509_VP_FLAG_DEFAULT 0x1 77 | # define X509_VP_FLAG_OVERWRITE 0x2 78 | # define X509_VP_FLAG_RESET_FLAGS 0x4 79 | # define X509_VP_FLAG_LOCKED 0x8 80 | # define X509_VP_FLAG_ONCE 0x10 81 | 82 | /* Internal use: mask of policy related options */ 83 | # define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \ 84 | | X509_V_FLAG_EXPLICIT_POLICY \ 85 | | X509_V_FLAG_INHIBIT_ANY \ 86 | | X509_V_FLAG_INHIBIT_MAP) 87 | 88 | 89 | int X509_STORE_set_flags(X509_STORE *store, unsigned long flags); 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *store, X509_LOOKUP_METHOD *meth); 104 | X509_LOOKUP_METHOD *X509_LOOKUP_file(void); 105 | 106 | 107 | 108 | // `type` : 109 | # define X509_FILETYPE_PEM 1 110 | # define X509_FILETYPE_ASN1 2 111 | # define X509_FILETYPE_DEFAULT 3 112 | int X509_LOOKUP_load_file(X509_LOOKUP *ctx, char *name, long type); 113 | 114 | 115 | 116 | # define X509_V_OK 0 117 | # define X509_V_ERR_UNSPECIFIED 1 118 | # define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 119 | # define X509_V_ERR_UNABLE_TO_GET_CRL 3 120 | # define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 121 | # define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 122 | # define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 123 | # define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 124 | # define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 125 | # define X509_V_ERR_CERT_NOT_YET_VALID 9 126 | # define X509_V_ERR_CERT_HAS_EXPIRED 10 127 | # define X509_V_ERR_CRL_NOT_YET_VALID 11 128 | # define X509_V_ERR_CRL_HAS_EXPIRED 12 129 | # define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 130 | # define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14 131 | # define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 132 | # define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 133 | # define X509_V_ERR_OUT_OF_MEM 17 134 | # define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18 135 | # define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19 136 | # define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 137 | # define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 138 | # define X509_V_ERR_CERT_CHAIN_TOO_LONG 22 139 | # define X509_V_ERR_CERT_REVOKED 23 140 | # define X509_V_ERR_NO_ISSUER_PUBLIC_KEY 24 141 | # define X509_V_ERR_PATH_LENGTH_EXCEEDED 25 142 | # define X509_V_ERR_INVALID_PURPOSE 26 143 | # define X509_V_ERR_CERT_UNTRUSTED 27 144 | # define X509_V_ERR_CERT_REJECTED 28 145 | # define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 146 | # define X509_V_ERR_AKID_SKID_MISMATCH 30 147 | # define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 148 | # define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 149 | # define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 150 | # define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 151 | # define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 152 | # define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 153 | # define X509_V_ERR_INVALID_NON_CA 37 154 | # define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 155 | # define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 156 | # define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 157 | # define X509_V_ERR_INVALID_EXTENSION 41 158 | # define X509_V_ERR_INVALID_POLICY_EXTENSION 42 159 | # define X509_V_ERR_NO_EXPLICIT_POLICY 43 160 | # define X509_V_ERR_DIFFERENT_CRL_SCOPE 44 161 | # define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45 162 | # define X509_V_ERR_UNNESTED_RESOURCE 46 163 | # define X509_V_ERR_PERMITTED_VIOLATION 47 164 | # define X509_V_ERR_EXCLUDED_VIOLATION 48 165 | # define X509_V_ERR_SUBTREE_MINMAX 49 166 | # define X509_V_ERR_APPLICATION_VERIFICATION 50 167 | # define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51 168 | # define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52 169 | # define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53 170 | # define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54 171 | # define X509_V_ERR_PATH_LOOP 55 172 | # define X509_V_ERR_SUITE_B_INVALID_VERSION 56 173 | # define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57 174 | # define X509_V_ERR_SUITE_B_INVALID_CURVE 58 175 | # define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59 176 | # define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60 177 | # define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61 178 | # define X509_V_ERR_HOSTNAME_MISMATCH 62 179 | # define X509_V_ERR_EMAIL_MISMATCH 63 180 | # define X509_V_ERR_IP_ADDRESS_MISMATCH 64 181 | # define X509_V_ERR_DANE_NO_MATCH 65 182 | # define X509_V_ERR_EE_KEY_TOO_SMALL 66 183 | # define X509_V_ERR_CA_KEY_TOO_SMALL 67 184 | # define X509_V_ERR_CA_MD_TOO_WEAK 68 185 | # define X509_V_ERR_INVALID_CALL 69 186 | # define X509_V_ERR_STORE_LOOKUP 70 187 | # define X509_V_ERR_NO_VALID_SCTS 71 188 | # define X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION 72 189 | # define X509_V_ERR_OCSP_VERIFY_NEEDED 73 190 | # define X509_V_ERR_OCSP_VERIFY_FAILED 74 191 | # define X509_V_ERR_OCSP_CERT_UNKNOWN 75 192 | # define X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM 76 193 | # define X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH 77 194 | # define X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY 78 195 | # define X509_V_ERR_INVALID_CA 79 196 | # define X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA 80 197 | # define X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN 81 198 | # define X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA 82 199 | # define X509_V_ERR_ISSUER_NAME_EMPTY 83 200 | # define X509_V_ERR_SUBJECT_NAME_EMPTY 84 201 | # define X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER 85 202 | # define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER 86 203 | # define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME 87 204 | # define X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL 88 205 | # define X509_V_ERR_CA_BCONS_NOT_CRITICAL 89 206 | # define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 90 207 | # define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 91 208 | # define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE 92 209 | # define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 93 210 | # define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS 94 211 | 212 | 213 | #ifdef __cplusplus 214 | } 215 | #endif 216 | #endif 217 | -------------------------------------------------------------------------------- /include/openssl/x509v3.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #ifndef OPENSSL_X509V3_H 11 | #define OPENSSL_X509V3_H 12 | 13 | 14 | #ifdef __cplusplus 15 | extern "C" { 16 | #endif 17 | 18 | 19 | 20 | #ifdef __cplusplus 21 | } 22 | #endif 23 | #endif 24 | -------------------------------------------------------------------------------- /nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | 2 | #user nobody; 3 | worker_processes 1; 4 | 5 | daemon off; 6 | master_process off; 7 | 8 | events { 9 | worker_connections 1024; 10 | } 11 | 12 | 13 | http { 14 | include mime.types; 15 | default_type application/octet-stream; 16 | 17 | log_format detailed_ssl_format 18 | 'ssl_protocol $ssl_protocol\n' 19 | 'ssl_cipher $ssl_cipher\n' 20 | 'ssl_ciphers $ssl_ciphers\n' 21 | # 'ssl_curve $ssl_curve\n' 22 | 'ssl_curves $ssl_curves\n' 23 | 'ssl_client_cert $ssl_client_cert\n' 24 | 'ssl_client_raw_cert $ssl_client_raw_cert\n' 25 | 'ssl_client_escaped_cert $ssl_client_escaped_cert\n' 26 | 'ssl_session_id $ssl_session_id\n' 27 | 'ssl_session_reused $ssl_session_reused\n' 28 | 'ssl_client_s_dn $ssl_client_s_dn\n' 29 | 'ssl_client_i_dn $ssl_client_i_dn\n' 30 | 'ssl_client_s_dn_legacy $ssl_client_s_dn_legacy\n' 31 | 'ssl_client_i_dn_legacy $ssl_client_i_dn_legacy\n' 32 | 'ssl_client_serial $ssl_client_serial\n' 33 | 'ssl_client_fingerprint $ssl_client_fingerprint\n' 34 | 'ssl_client_verify $ssl_client_verify\n' 35 | 'ssl_client_v_start $ssl_client_v_start\n' 36 | 'ssl_client_v_end $ssl_client_v_end\n' 37 | #'ssl_client_v_remain $ssl_client_v_remain\n' # ssl_client_v_remain is not supported by GmSSL! 38 | '\n'; 39 | 40 | access_log /usr/local/nginx/logs/ssl_access.log detailed_ssl_format; 41 | 42 | #access_log logs/access.log main; 43 | error_log /dev/stdout info; 44 | 45 | sendfile on; 46 | #tcp_nopush on; 47 | 48 | #keepalive_timeout 0; 49 | keepalive_timeout 65; 50 | 51 | #gzip on; 52 | 53 | server { 54 | listen 8882; 55 | server_name localhost; 56 | 57 | #charset koi8-r; 58 | 59 | #access_log logs/host.access.log main; 60 | 61 | location / { 62 | root html; 63 | index index.html index.htm; 64 | } 65 | 66 | #error_page 404 /404.html; 67 | 68 | # redirect server error pages to the static page /50x.html 69 | # 70 | error_page 500 502 503 504 /50x.html; 71 | location = /50x.html { 72 | root html; 73 | } 74 | 75 | } 76 | 77 | # HTTPS server 78 | # 79 | server { 80 | listen 4443 ssl; 81 | server_name localhost; 82 | 83 | ssl_certificate /usr/local/nginx/conf/tlcp_server_certs.pem; 84 | ssl_certificate_key /usr/local/nginx/conf/tlcp_server_keys.pem; 85 | ssl_password_file /usr/local/nginx/conf/tlcp_server_password.txt; 86 | ssl_ecdh_curve sm2p256v1; 87 | 88 | location / { 89 | root html; 90 | index index.html index.htm; 91 | } 92 | } 93 | 94 | 95 | server { 96 | listen 4433 ssl; 97 | server_name localhost; 98 | 99 | ssl_certificate /usr/local/nginx/conf/tlcp_server_certs.pem; 100 | ssl_certificate_key /usr/local/nginx/conf/tlcp_server_keys.pem; 101 | ssl_password_file /usr/local/nginx/conf/tlcp_server_password.txt; 102 | ssl_ecdh_curve sm2p256v1; 103 | 104 | ssl_client_certificate /usr/local/nginx/conf/client_verify_cacert.pem; 105 | ssl_verify_client on; 106 | ssl_verify_depth 4; 107 | 108 | location / { 109 | root html; 110 | index index.html index.htm; 111 | } 112 | } 113 | 114 | 115 | 116 | 117 | } 118 | -------------------------------------------------------------------------------- /src/asn1.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | 18 | // `bio` is used as a buffer, caller first print `a` into `bio`, and than read from `bio` into buffer 19 | int i2a_ASN1_INTEGER(BIO *bio, const ASN1_INTEGER *a) 20 | { 21 | size_t i; 22 | 23 | if (!bio || !a) { 24 | error_print(); 25 | return 0; 26 | } 27 | 28 | for (i = 0; i < a->dlen; i++) { 29 | fprintf(bio, "%02x", a->d[i]); 30 | } 31 | return 1; 32 | } 33 | 34 | int ASN1_TIME_print(BIO *bio, const ASN1_TIME *tm) 35 | { 36 | if (!bio || !tm) { 37 | error_print(); 38 | return 0; 39 | } 40 | 41 | fprintf(bio, "%s", ctime(tm)); 42 | return 1; 43 | } 44 | -------------------------------------------------------------------------------- /src/bio.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | 18 | const BIO_METHOD *BIO_s_mem(void) 19 | { 20 | return NULL; 21 | } 22 | 23 | BIO *BIO_new(const BIO_METHOD *meth) 24 | { 25 | FILE *fp; 26 | 27 | if (!(fp = tmpfile())) { 28 | error_print(); 29 | return NULL; 30 | } 31 | return fp; 32 | } 33 | 34 | BIO *BIO_new_mem_buf(const void *buf, int len) 35 | { 36 | FILE *fp; 37 | 38 | if (!(fp = tmpfile())) { 39 | error_print(); 40 | return NULL; 41 | } 42 | return fp; 43 | } 44 | 45 | BIO *BIO_new_file(const char *filename, const char *mode) 46 | { 47 | FILE *fp; 48 | 49 | if (!(fp = fopen(filename, mode))) { 50 | error_print(); 51 | return NULL; 52 | } 53 | return fp; 54 | } 55 | 56 | int BIO_read(BIO *bio, void *buf, int len) 57 | { 58 | size_t n; 59 | 60 | n = fread(buf, 1, len, bio); 61 | 62 | return (int)n; 63 | } 64 | 65 | // BIO_write() returns -2 if the "write" operation is not implemented by the BIO or -1 on other errors. 66 | // Otherwise it returns the number of bytes written. This may be 0 if the BIO b is NULL or dlen <= 0. 67 | int BIO_write(BIO *bio, const void *buf, int len) 68 | { 69 | size_t n; 70 | 71 | n = fwrite(buf, 1, len, bio); 72 | 73 | return (int)n; 74 | } 75 | 76 | // `BIO_pending` return the pending data size in the internal buffer. 77 | // When `bio` is written, the `BIO_pending` result is the written size. 78 | // As `FILE *` in C lang share the same read/write pointer, `fread` can read nothing after `fwrite` 79 | // So this implementation rewind file ptr 80 | int BIO_pending(BIO *bio) 81 | { 82 | int ret; 83 | if (!bio) { 84 | error_print(); 85 | return -1; // from OpenSSL: BIO_pending() and BIO_wpending() return negative value or 0 on error. 86 | } 87 | 88 | ret = (int)ftell(bio); 89 | rewind(bio); 90 | return ret; 91 | } 92 | 93 | int BIO_reset(BIO *bio) 94 | { 95 | if (!bio) { 96 | error_print(); 97 | return 0; 98 | } 99 | rewind(bio); 100 | return 1; 101 | } 102 | 103 | int BIO_free(BIO *bio) 104 | { 105 | if (bio) { 106 | fclose(bio); 107 | } 108 | return 1; 109 | } 110 | 111 | // Nginx call `ASN1_TIME_print` to print not_before, not_after into `bio` 112 | // And then use `BIO_get_mem_data` to get the string ptr, and then parse the string with `ngx_parse_http_time` 113 | // But as in OCL the BIO is a FILE, so it can not return a buffer ptr. 114 | int BIO_get_mem_data(BIO *bio, char **pp) 115 | { 116 | if (!bio || !pp) { 117 | error_print(); 118 | return 0; 119 | } 120 | *(pp) = NULL; 121 | return 1; 122 | } 123 | 124 | -------------------------------------------------------------------------------- /src/crypto.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | #include 14 | 15 | 16 | void OPENSSL_free(void *p) 17 | { 18 | if (p) { 19 | free(p); 20 | } 21 | } 22 | 23 | OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void) 24 | { 25 | OPENSSL_INIT_SETTINGS *init = NULL; 26 | 27 | if (!(init = (OPENSSL_INIT_SETTINGS *)malloc(sizeof(*init)))) { 28 | error_print(); 29 | return NULL; 30 | } 31 | init->appname = NULL; 32 | return init; 33 | } 34 | 35 | int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *init, const char *name) 36 | { 37 | if (!init || !name) { 38 | error_print(); 39 | return 0; 40 | } 41 | 42 | init->appname = name; 43 | return 1; 44 | } 45 | 46 | void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *init) 47 | { 48 | if (init) { 49 | free(init); 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /src/dh.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | 14 | 15 | void DH_free(DH *dh) 16 | { 17 | if (dh) { 18 | free(dh); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /src/err.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | #include 14 | #include "openssl/err.h" 15 | 16 | 17 | // 0 means no error 18 | unsigned long ERR_get_error(void) 19 | { 20 | return 0; 21 | } 22 | 23 | unsigned long ERR_peek_error(void) 24 | { 25 | return 0; 26 | } 27 | 28 | unsigned long ERR_peek_last_error(void) 29 | { 30 | return 0; 31 | } 32 | 33 | unsigned long ERR_peek_error_data(const char **data, int *flags) 34 | { 35 | if (data) *data = NULL; 36 | if (flags) *flags = 0; 37 | return 0; 38 | } 39 | 40 | unsigned long ERR_peek_error_line_data(const char **file, int *line, const char **data, int *flags) 41 | { 42 | if (file) *file = NULL; 43 | if (line) *line = 0; 44 | if (data) *data = NULL; 45 | if (flags) *flags = 0; 46 | return 0; 47 | } 48 | 49 | void ERR_error_string_n(unsigned long e, char *buf, size_t len) 50 | { 51 | buf[0] = 0; 52 | } 53 | 54 | void ERR_clear_error(void) 55 | { 56 | } 57 | 58 | // Nginx `PEM_read_bio_X509`, when `eof(bio)`, check this to clear error 59 | int ERR_GET_LIB(unsigned long e) 60 | { 61 | return ERR_LIB_PEM; 62 | } 63 | 64 | // Nginx `PEM_read_bio_X509`, when `eof(bio)`, check this to clear error 65 | int ERR_GET_REASON(unsigned long e) 66 | { 67 | return PEM_R_NO_START_LINE; 68 | } 69 | -------------------------------------------------------------------------------- /src/evp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | 19 | const EVP_MD *EVP_sha1(void) { 20 | return "sha1"; 21 | } 22 | 23 | const EVP_MD *EVP_sha256(void) { 24 | return "sha256"; 25 | } 26 | 27 | const EVP_MD *EVP_sm3(void) { 28 | return "sm3"; 29 | } 30 | 31 | EVP_MD_CTX *EVP_MD_CTX_new(void) 32 | { 33 | EVP_MD_CTX *md_ctx; 34 | 35 | if (!(md_ctx = (EVP_MD_CTX *)malloc(sizeof(*md_ctx)))) { 36 | error_print(); 37 | return NULL; 38 | } 39 | 40 | return md_ctx; 41 | } 42 | 43 | // Do we need to check if md is SM3 or SHA256? 44 | int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, ENGINE *engine) 45 | { 46 | if (sm3_digest_init(ctx, NULL, 0) != 1) { 47 | error_print(); 48 | return 0; 49 | } 50 | return 1; 51 | } 52 | 53 | int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt) 54 | { 55 | if (sm3_digest_update(ctx, d, cnt) != 1) { 56 | error_print(); 57 | return 0; 58 | } 59 | return 1; 60 | } 61 | 62 | int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *dgst, unsigned int *dgstlen) 63 | { 64 | if (sm3_digest_finish(ctx, dgst) != 1) { 65 | error_print(); 66 | return 0; 67 | } 68 | *dgstlen = 32; 69 | return 1; 70 | } 71 | 72 | void EVP_MD_CTX_free(EVP_MD_CTX *ctx) 73 | { 74 | if (ctx) { 75 | free(ctx); 76 | } 77 | } 78 | 79 | void EVP_PKEY_free(EVP_PKEY *pkey) 80 | { 81 | if (pkey) { 82 | gmssl_secure_clear(pkey, sizeof(EVP_PKEY)); 83 | free(pkey); 84 | } 85 | } 86 | 87 | 88 | 89 | -------------------------------------------------------------------------------- /src/pem.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | 21 | DH *PEM_read_bio_DHparams(BIO *bio, DH **dh, pem_password_cb *cb, void *u) 22 | { 23 | error_print(); 24 | return NULL; 25 | } 26 | 27 | EVP_PKEY *PEM_read_bio_Parameters(BIO *bio, EVP_PKEY **pkey) 28 | { 29 | error_print(); 30 | return NULL; 31 | } 32 | 33 | EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bio, EVP_PKEY **pp, pem_password_cb *cb, void *u) 34 | { 35 | EVP_PKEY *pkey = NULL; 36 | char pass[1024] = {0}; 37 | 38 | if (!bio || !cb || !u) { 39 | error_print(); 40 | return NULL; 41 | } 42 | 43 | cb(pass, sizeof(pass), 0, u); 44 | 45 | if (!(pkey = (EVP_PKEY *)malloc(sizeof(*pkey)))) { 46 | error_print(); 47 | return NULL; 48 | } 49 | 50 | if (sm2_private_key_info_decrypt_from_pem(&pkey->signkey, pass, bio) != 1) { 51 | error_print(); 52 | EVP_PKEY_free(pkey); 53 | return NULL; 54 | } 55 | if (sm2_private_key_info_decrypt_from_pem(&pkey->kenckey, pass, bio) != 1) { 56 | error_print(); 57 | EVP_PKEY_free(pkey); 58 | return NULL; 59 | } 60 | 61 | if (pp) { 62 | if (*pp) { 63 | EVP_PKEY_free(*pp); 64 | } 65 | *pp = pkey; 66 | } 67 | return pkey; 68 | } 69 | 70 | X509 *PEM_read_bio_X509(BIO *bio, X509 **pp, pem_password_cb *cb, void *u) 71 | { 72 | X509 *x509; 73 | int ret; 74 | 75 | if (!bio) { 76 | error_print(); 77 | return NULL; 78 | } 79 | 80 | if (!(x509 = X509_new())) { 81 | error_print(); 82 | return NULL; 83 | } 84 | if ((ret = x509_cert_from_pem(x509->d, &x509->dlen, X509_MAX_SIZE, bio)) != 1) { 85 | if (ret) { 86 | error_print(); 87 | } 88 | X509_free(x509); 89 | return NULL; 90 | } 91 | 92 | if (x509_cert_get_details(x509->d, x509->dlen, 93 | NULL, 94 | (const uint8_t **)&x509->serial.d, &x509->serial.dlen, 95 | NULL, 96 | (const uint8_t **)&x509->issuer.d, &x509->issuer.dlen, 97 | &x509->not_before, &x509->not_after, 98 | (const uint8_t **)&x509->subject.d, &x509->subject.dlen, 99 | NULL, 100 | NULL, NULL, 101 | NULL, NULL, 102 | NULL, NULL, 103 | NULL, 104 | NULL, NULL) != 1) { 105 | X509_free(x509); 106 | error_print(); 107 | return NULL; 108 | } 109 | 110 | if (pp) { 111 | if (*pp) { 112 | X509_free(*pp); 113 | } 114 | *pp = x509; 115 | } 116 | return x509; 117 | } 118 | 119 | // `PEM_read_bio_X509_AUX` do more checks than `PEM_read_bio_X509` 120 | X509 *PEM_read_bio_X509_AUX(BIO *bio, X509 **pp, pem_password_cb *cb, void *u) 121 | { 122 | X509 *x509; 123 | if (!(x509 = PEM_read_bio_X509(bio, pp, cb, u))) { 124 | error_print(); 125 | return NULL; 126 | } 127 | return x509; 128 | } 129 | 130 | int PEM_write_bio_X509(BIO *bio, X509 *x509) 131 | { 132 | if (!bio || !x509) { 133 | error_print(); 134 | return 0; 135 | } 136 | if (x509_cert_to_pem(x509->d, x509->dlen, bio) != 1) { 137 | error_print(); 138 | return 0; 139 | } 140 | return 1; 141 | } 142 | -------------------------------------------------------------------------------- /src/rand.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | 19 | int RAND_bytes(unsigned char *buf, int num) 20 | { 21 | if (!buf) { 22 | error_print(); 23 | return 0; 24 | } 25 | 26 | if (rand_bytes(buf, (size_t)num) != 1) { 27 | error_print(); 28 | return 0; 29 | } 30 | return 1; 31 | } 32 | -------------------------------------------------------------------------------- /src/ssl.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | 20 | int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) 21 | { 22 | return 1; 23 | } 24 | 25 | // The default timeout of OpenSSL is 300s (5 minutes) 26 | // When a `SSL` is timeout, the SESSION data will be removed, client have to do a full Handshake with server. 27 | // GmSSL 3.1 does not support SSL_SESSION and timeout, so timeout is always 0 28 | long SSL_CTX_set_timeout(SSL_CTX *ctx, long timeout_seconds) 29 | { 30 | return 0; 31 | } 32 | 33 | long SSL_CTX_get_timeout(SSL_CTX *ctx) 34 | { 35 | return 0; 36 | } 37 | 38 | // a typical cipher list is ""HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";" 39 | // so we omit the input `str` 40 | int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) 41 | { 42 | const int ciphers[] = { 43 | TLS_cipher_ecdhe_sm4_cbc_sm3, 44 | }; 45 | 46 | if (!ctx || !str) { 47 | error_print(); 48 | return 0; 49 | } 50 | 51 | if (tls_ctx_set_cipher_suites(ctx, ciphers, sizeof(ciphers)/sizeof(ciphers[0])) != 1) { 52 | error_print(); 53 | return 0; 54 | } 55 | 56 | return 1; 57 | } 58 | 59 | // GmSSL does not support options 60 | uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t options) 61 | { 62 | uint64_t bitmask = 0; 63 | return bitmask; 64 | } 65 | 66 | uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t options) 67 | { 68 | uint64_t bitmask = 0; 69 | return bitmask; 70 | } 71 | 72 | uint64_t SSL_set_options(SSL *ssl, uint64_t options) 73 | { 74 | uint64_t bitmask = 0; 75 | return bitmask; 76 | } 77 | 78 | uint64_t SSL_clear_options(SSL *ssl, uint64_t options) 79 | { 80 | uint64_t bitmask = 0; 81 | return bitmask; 82 | } 83 | 84 | // GmSSL does not support different mode (such as SSL_MODE_ENABLE_PARTIAL_WRITE) 85 | long SSL_CTX_set_mode(SSL_CTX *ctx, long mode) 86 | { 87 | return 0; 88 | } 89 | 90 | int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version) 91 | { 92 | return 1; 93 | } 94 | 95 | int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version) 96 | { 97 | return 1; 98 | } 99 | 100 | void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cert_cb)(SSL *ssl, void *arg), void *arg) 101 | { 102 | } 103 | 104 | // `SSL_CTX_set_read_ahead` is useful in DTLS, GmSSL does not support read ahead 105 | long SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) 106 | { 107 | return 1; // How about return 0 ? 108 | } 109 | 110 | void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb verify_callback) 111 | { 112 | } 113 | 114 | void SSL_set_verify(SSL *ssl, int mode, SSL_verify_cb verify_callback) 115 | { 116 | } 117 | 118 | void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) 119 | { 120 | } 121 | 122 | void SSL_set_verify_depth(SSL *ssl, int depth) 123 | { 124 | } 125 | 126 | int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath) 127 | { 128 | int verify_depth = 4; 129 | tls_ctx_set_ca_certificates(ctx, CAfile, verify_depth); 130 | return 1; 131 | } 132 | 133 | STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) 134 | { 135 | return (STACK_OF(X509_NAME) *)"Not implemented"; 136 | } 137 | 138 | void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list) 139 | { 140 | } 141 | 142 | // Nginx use `SSL_get1_peer_certificate` to get client_verify certificate 143 | // `SSL_get1_peer_certificate` works fine when caller is the server. 144 | // But if the caller is the client, `SSL_get1_peer_certificate` only returns the signing cert 145 | X509 *SSL_get1_peer_certificate(const SSL *ssl) 146 | { 147 | const uint8_t *certs; 148 | size_t certslen; 149 | const uint8_t *cert; 150 | size_t certlen; 151 | X509 *x509; 152 | 153 | if (ssl->is_client) { 154 | certs = ssl->server_certs; 155 | certslen = ssl->server_certs_len; 156 | } else { 157 | certs = ssl->client_certs; 158 | certslen = ssl->client_certs_len; 159 | } 160 | 161 | if (x509_cert_from_der(&cert, &certlen, &certs, &certslen) != 1) { 162 | error_print(); 163 | return NULL; 164 | } 165 | if (certlen > X509_MAX_SIZE) { 166 | error_print(); 167 | return NULL; 168 | } 169 | if (!(x509 = X509_new())) { 170 | error_print(); 171 | return NULL; 172 | } 173 | 174 | memcpy(x509->d, cert, certlen); 175 | x509->dlen = certlen; 176 | return x509; 177 | } 178 | 179 | // Sometimes even is handshake is success, `SSL_get_verify_result` still return error for some reasons 180 | // * SSL_CTX_set_verify use `SSL_VERIFY_NONE` 181 | // * The server hostname does not match the certificate subject 182 | // In Ngnix, `SSL_get_verify_result` is typically used with client_verify, so we assume GmSSL will handle 183 | // all the verification. We assume that is handshake is ok, verify result is ok 184 | long SSL_get_verify_result(const SSL *ssl) 185 | { 186 | return X509_V_OK; 187 | } 188 | 189 | const char *X509_verify_cert_error_string(long n) 190 | { 191 | if (n) { 192 | return "error"; 193 | } else { 194 | return "ok"; 195 | } 196 | } 197 | 198 | // TODO: sk_X509_NAME_new, push ... have not been implemented yet! 199 | STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) 200 | { 201 | if (!ctx) { 202 | error_print(); 203 | return NULL; 204 | } 205 | 206 | // TODO: parse ctx->cacerts, ctx->cacertslen to parse every CA certs 207 | // and then get subject, and push into STACK_OF(X509_NAME) 208 | 209 | return NULL; 210 | } 211 | 212 | // GmSSL 3.1 always verify peer's certificate 213 | int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) 214 | { 215 | return SSL_VERIFY_PEER; 216 | } 217 | 218 | const SSL_METHOD *SSLv23_method(void) 219 | { 220 | return NULL; 221 | } 222 | 223 | SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) 224 | { 225 | TLS_CTX *ctx; 226 | const int is_client = 0; 227 | 228 | if (!(ctx = (TLS_CTX *)malloc(sizeof(TLS_CTX)))) { 229 | error_print(); 230 | return NULL; 231 | } 232 | 233 | if (tls_ctx_init(ctx, TLS_protocol_tlcp, is_client) != 1) { 234 | error_print(); 235 | free(ctx); // try do free 236 | return NULL; 237 | } 238 | 239 | return ctx; 240 | } 241 | 242 | void SSL_CTX_free(SSL_CTX *ctx) 243 | { 244 | if (ctx) { 245 | gmssl_secure_clear(ctx, sizeof(*ctx)); 246 | free(ctx); 247 | } 248 | } 249 | 250 | int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x509) 251 | { 252 | if (ctx->certs) { 253 | free(ctx->certs); 254 | } 255 | if (!(ctx->certs = (uint8_t *)malloc(x509->dlen))) { 256 | error_print(); 257 | return 0; 258 | } 259 | memcpy(ctx->certs, x509->d, x509->dlen); 260 | ctx->certslen = x509->dlen; 261 | return 1; 262 | } 263 | 264 | // `SSL_CTX_set0_chain` is a macro of `SSL_CTX_ctrl` in OpenSSL 265 | int _SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *sk) 266 | { 267 | size_t total_len = ctx->certslen; 268 | int i; 269 | 270 | if (!ctx || !sk) { 271 | error_print(); 272 | return 0; 273 | } 274 | 275 | for (i = 0; i < sk->top; i++) { 276 | total_len += sk->values[i].dlen; 277 | } 278 | 279 | if (!(ctx->certs = realloc(ctx->certs, total_len))) { 280 | error_print(); 281 | return 0; 282 | } 283 | 284 | for (i = 0; i < sk->top; i++) { 285 | memcpy(ctx->certs + ctx->certslen, sk->values[i].d, sk->values[i].dlen); 286 | ctx->certslen += sk->values[i].dlen; 287 | } 288 | 289 | return 1; 290 | } 291 | 292 | int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) 293 | { 294 | if (!ctx || !pkey) { 295 | error_print(); 296 | return 0; 297 | } 298 | ctx->signkey = pkey->signkey; 299 | ctx->kenckey = pkey->kenckey; 300 | return 1; 301 | } 302 | 303 | // `SSL_CTX_set1_group_list` is a macro os `SSL_CTX_ctrl` in OpenSSL 304 | int _SSL_CTX_set1_group_list(SSL_CTX *ctx, char *list) 305 | { 306 | if (strcmp(list, "sm2p256v1") != 0) { 307 | error_print(); 308 | return 0; 309 | } 310 | return 1; 311 | } 312 | 313 | // `SSL_CTX_set_tmp_dh` is a macro os `SSL_CTX_ctrl` in OpenSSL 314 | long _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) 315 | { 316 | return 0; 317 | } 318 | 319 | int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey) 320 | { 321 | return 0; 322 | } 323 | 324 | // OpenSSL use `X509_STORE` as the database of CA certificates 325 | X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) 326 | { 327 | return NULL; 328 | } 329 | 330 | int SSL_CTX_get_ex_new_index(long argl, void *argp, 331 | CRYPTO_EX_new *new_func, 332 | CRYPTO_EX_dup *dup_func, 333 | CRYPTO_EX_free *free_func) 334 | { 335 | return 1; 336 | } 337 | 338 | int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg) 339 | { 340 | return 1; 341 | } 342 | 343 | void *SSL_CTX_get_ex_data(const SSL_CTX *d, int idx) 344 | { 345 | return NULL; 346 | } 347 | 348 | long _SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, long mode) 349 | { 350 | return 0; 351 | } 352 | 353 | int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len) 354 | { 355 | return 1; 356 | } 357 | 358 | void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(SSL *, SSL_SESSION *)) 359 | { 360 | } 361 | 362 | long _SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, long t) 363 | { 364 | return 1; 365 | } 366 | 367 | int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c) 368 | { 369 | return 1; 370 | } 371 | 372 | void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, 373 | SSL_SESSION *(*get_session_cb)(SSL *, const unsigned char *, int, int *)) 374 | { 375 | } 376 | 377 | void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, 378 | void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)) 379 | { 380 | } 381 | 382 | int SSL_session_reused(const SSL *ssl) 383 | { 384 | return 0; 385 | } 386 | 387 | int SSL_set_session(SSL *ssl, SSL_SESSION *session) 388 | { 389 | return 1; 390 | } 391 | 392 | SSL_SESSION *SSL_get1_session(SSL *ssl) 393 | { 394 | return NULL; 395 | } 396 | 397 | SSL_SESSION *SSL_get0_session(const SSL *ssl) 398 | { 399 | return NULL; 400 | } 401 | 402 | void SSL_SESSION_free(SSL_SESSION *session) 403 | { 404 | if (session) { 405 | free(session); 406 | } 407 | } 408 | 409 | const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) 410 | { 411 | return NULL; 412 | } 413 | 414 | int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) 415 | { 416 | return 0; 417 | } 418 | 419 | SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) 420 | { 421 | return NULL; 422 | } 423 | 424 | SSL *SSL_new(SSL_CTX *ctx) 425 | { 426 | SSL *ssl; 427 | 428 | if (!(ssl = (SSL *)malloc(sizeof(*ssl)))) { 429 | error_print(); 430 | return NULL; 431 | } 432 | if (tls_init(ssl, ctx) != 1) { 433 | error_print(); 434 | free(ssl); //FIXME 435 | return NULL; 436 | } 437 | return ssl; 438 | } 439 | 440 | void SSL_free(SSL *ssl) 441 | { 442 | if (ssl) { 443 | gmssl_secure_clear(ssl, sizeof(*ssl)); 444 | free(ssl);//FIXME 445 | } 446 | } 447 | 448 | int SSL_is_server(const SSL *ssl) 449 | { 450 | if (ssl->is_client) { 451 | return 0; 452 | } else { 453 | return 1; 454 | } 455 | } 456 | 457 | const char *SSL_get_version(const SSL *ssl) 458 | { 459 | if (!ssl) { 460 | error_print(); 461 | return NULL; 462 | } 463 | return tls_protocol_name(ssl->protocol); 464 | } 465 | 466 | const char *SSL_get_cipher_name(const SSL *ssl) 467 | { 468 | if (!ssl) { 469 | error_print(); 470 | return NULL; 471 | } 472 | return tls_cipher_suite_name(ssl->cipher_suite); 473 | } 474 | 475 | char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int buflen) 476 | { 477 | if (!ssl) { 478 | error_print(); 479 | return NULL; 480 | } 481 | strncpy(buf, tls_cipher_suite_name(TLS_cipher_ecdhe_sm4_cbc_sm3), buflen); 482 | return buf; 483 | } 484 | 485 | void SSL_set_connect_state(SSL *ssl) 486 | { 487 | ssl->is_client = 1; 488 | } 489 | 490 | void SSL_set_accept_state(SSL *ssl) 491 | { 492 | ssl->is_client = 0; 493 | } 494 | 495 | int SSL_set_fd(SSL *ssl, int fd) 496 | { 497 | int opts; 498 | 499 | if (tls_set_socket(ssl, fd) != 1) { 500 | error_print(); 501 | return 0; 502 | } 503 | 504 | opts = fcntl(ssl->sock, F_GETFL, 0); 505 | opts &= ~O_NONBLOCK; 506 | fcntl(ssl->sock, F_SETFL, opts); 507 | 508 | return 1; 509 | } 510 | 511 | int SSL_do_handshake(SSL *ssl) 512 | { 513 | int opts; 514 | 515 | if (tls_do_handshake(ssl) != 1) { 516 | error_print(); 517 | return 0; 518 | } 519 | 520 | opts = fcntl(ssl->sock, F_GETFL, 0); 521 | opts |= O_NONBLOCK; 522 | fcntl(ssl->sock, F_SETFL, opts); 523 | 524 | return 1; 525 | } 526 | 527 | int SSL_read(SSL *ssl, void *buf, int num) 528 | { 529 | int ret; 530 | size_t outlen; 531 | 532 | ret = tls_recv(ssl, buf, num, &outlen); 533 | if (ret > 0) { 534 | return (int)outlen; 535 | } else if (ret == -EAGAIN) { 536 | return -2; 537 | } else { 538 | return ret; 539 | } 540 | } 541 | 542 | int SSL_write(SSL *ssl, const void *buf, int num) 543 | { 544 | int ret; 545 | size_t outlen; 546 | 547 | ret = tls_send(ssl, buf, num, &outlen); 548 | 549 | if (ret > 0) { 550 | return (int)outlen; 551 | } else if (ret == -EAGAIN) { 552 | return -3; 553 | } else { 554 | return ret; 555 | } 556 | } 557 | 558 | int SSL_in_init(const SSL *ssl) 559 | { 560 | return 0; 561 | } 562 | 563 | void SSL_set_quiet_shutdown(SSL *ssl, int mode) 564 | { 565 | } 566 | 567 | void SSL_set_shutdown(SSL *ssl, int mode) 568 | { 569 | } 570 | 571 | int SSL_get_ex_data_X509_STORE_CTX_idx(void) 572 | { 573 | return 0; 574 | } 575 | 576 | // OpenSSL return SSL_SENT_SHUTDOWN, SSL_RECEIVED_SHUTDOWN 577 | int SSL_get_shutdown(const SSL *ssl) 578 | { 579 | return 1; 580 | } 581 | 582 | int SSL_shutdown(SSL *ssl) 583 | { 584 | // when client Ctrl+c close connections, the socket is closed, so server shutdown will not return 1 585 | if (tls_shutdown(ssl) != 1) { 586 | error_print(); 587 | return 0; 588 | } 589 | return 1; 590 | } 591 | 592 | int SSL_get_ex_new_index(long argl, void *argp, 593 | CRYPTO_EX_new *new_func, 594 | CRYPTO_EX_dup *dup_func, 595 | CRYPTO_EX_free *free_func) 596 | { 597 | return 1; 598 | } 599 | 600 | int SSL_set_ex_data(SSL *ssl, int idx, void *arg) 601 | { 602 | return 1; 603 | } 604 | 605 | void *SSL_get_ex_data(const SSL *ssl, int idx) 606 | { 607 | return NULL; 608 | } 609 | 610 | int SSL_get_error(const SSL *ssl, int ret) 611 | { 612 | switch (ret) { 613 | case -2: return SSL_ERROR_WANT_READ; 614 | case -3: return SSL_ERROR_WANT_WRITE; 615 | } 616 | return SSL_ERROR_NONE; 617 | } 618 | 619 | void SSL_CTX_set_info_callback(SSL_CTX *ctx, 620 | void (*callback) (const SSL *ssl, int type, int val)) 621 | { 622 | } 623 | 624 | BIO *SSL_get_rbio(const SSL *ssl) 625 | { 626 | return NULL; 627 | } 628 | 629 | BIO *SSL_get_wbio(const SSL *ssl) 630 | { 631 | return NULL; 632 | } 633 | 634 | long BIO_set_write_buffer_size(BIO *bio, long size) 635 | { 636 | return 1; 637 | } 638 | 639 | const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) 640 | { 641 | return NULL; 642 | } 643 | 644 | char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size) 645 | { 646 | return "SSL_CIPHER_description()"; 647 | } 648 | 649 | int SSL_use_certificate(SSL *ssl, X509 *x509) 650 | { 651 | return 1; 652 | } 653 | 654 | int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) 655 | { 656 | return 1; 657 | } 658 | 659 | int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *sk) 660 | { 661 | return 1; 662 | } 663 | -------------------------------------------------------------------------------- /src/x509.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | 19 | X509 *X509_new(void) 20 | { 21 | X509 *x509; 22 | 23 | if (!(x509 = (X509 *)malloc(sizeof(X509)))) { 24 | error_print(); 25 | return NULL; 26 | } 27 | memset(x509, 0, sizeof(X509)); 28 | 29 | if (!(x509->d = (uint8_t *)malloc(X509_MAX_SIZE))) { 30 | free(x509); 31 | error_print(); 32 | return NULL; 33 | } 34 | return x509; 35 | } 36 | 37 | void X509_free(X509 *x509) 38 | { 39 | if (x509) { 40 | if (x509->d) { 41 | free(x509->d); 42 | } 43 | free(x509); 44 | } 45 | } 46 | 47 | // `X509_get_serialNumber` return an internal pointer of `x509` and MUST NOT be freed. 48 | ASN1_INTEGER *X509_get_serialNumber(X509 *x509) 49 | { 50 | if (!x509) { 51 | error_print(); 52 | return NULL; 53 | } 54 | return &x509->serial; 55 | } 56 | 57 | // `X509_get_subject_name` return an internal pointer of `x509` and MUST NOT be freed. 58 | X509_NAME *X509_get_subject_name(const X509 *x509) 59 | { 60 | if (!x509) { 61 | error_print(); 62 | return NULL; 63 | } 64 | return (X509_NAME *)&x509->subject; 65 | } 66 | 67 | // `X509_get_issuer_name` return an internal pointer of `x509` and MUST NOT be freed. 68 | X509_NAME *X509_get_issuer_name(const X509 *x509) 69 | { 70 | if (!x509) { 71 | error_print(); 72 | return NULL; 73 | } 74 | return (X509_NAME *)&x509->issuer; 75 | } 76 | 77 | // `X509_get0_notBefore` return an internal pointer of `x509` and MUST NOT be freed. 78 | const ASN1_TIME *X509_get0_notBefore(const X509 *x509) 79 | { 80 | if (!x509) { 81 | error_print(); 82 | return NULL; 83 | } 84 | return &x509->not_before; 85 | } 86 | 87 | // `X509_get0_notAfter` return an internal pointer of `x509` and MUST NOT be freed. 88 | const ASN1_TIME *X509_get0_notAfter(const X509 *x509) 89 | { 90 | if (!x509) { 91 | error_print(); 92 | return NULL; 93 | } 94 | return &x509->not_after; 95 | } 96 | 97 | int X509_NAME_print_ex(BIO *bio, const X509_NAME *name, int indent, unsigned long flags) 98 | { 99 | x509_name_print(bio,0, indent, "X509_NAME", name->d, name->dlen); 100 | return 1; 101 | } 102 | 103 | // TODO: 104 | // `X509_NAME_oneline` return a string and might be freed by `OPENSSL_free` 105 | char *X509_NAME_oneline(const X509_NAME *mame, char *buf, int buflen) 106 | { 107 | if (!buf) { 108 | return strdup("X509_NAME_oneline() called"); 109 | } else { 110 | strncpy(buf, "X509_NAME_oneline() called", buflen); 111 | return buf; 112 | } 113 | } 114 | 115 | int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md, unsigned char *dgst, unsigned int *dgstlen) 116 | { 117 | SM3_CTX sm3_ctx; 118 | 119 | if (!name || !dgst || !dgstlen) { 120 | error_print(); 121 | return 0; 122 | } 123 | if (!name->d || !name->dlen) { 124 | error_print(); 125 | return 0; 126 | } 127 | 128 | sm3_init(&sm3_ctx); 129 | sm3_update(&sm3_ctx, name->d, name->dlen); 130 | sm3_finish(&sm3_ctx, dgst); 131 | *dgstlen = 32; 132 | return 1; 133 | } 134 | 135 | void *X509_STORE_CTX_get_ex_data(const X509_STORE_CTX *ctx, int idx) 136 | { 137 | return NULL; 138 | } 139 | 140 | X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx) 141 | { 142 | return NULL; 143 | } 144 | 145 | int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx) 146 | { 147 | return 0; 148 | } 149 | 150 | int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx) 151 | { 152 | return 0; 153 | } 154 | 155 | void *X509_get_ex_data(const X509 *x509, int idx) 156 | { 157 | return NULL; 158 | } 159 | 160 | int X509_check_host(X509 *x509, const char *name, size_t namelen, unsigned int flags, char **peername) 161 | { 162 | return 0; 163 | } 164 | 165 | int X509_digest(const X509 *x509, const EVP_MD *md, unsigned char *dgst, unsigned int *dgstlen) 166 | { 167 | SM3_CTX sm3_ctx; 168 | 169 | if (!x509 || !dgst || !dgstlen) { 170 | error_print(); 171 | return 0; 172 | } 173 | if (!x509->d || !x509->dlen) { 174 | error_print(); 175 | return 0; 176 | } 177 | 178 | sm3_init(&sm3_ctx); 179 | sm3_update(&sm3_ctx, x509->d, x509->dlen); 180 | sm3_finish(&sm3_ctx, dgst); 181 | *dgstlen = 32; 182 | return 1; 183 | } 184 | 185 | int X509_set_ex_data(X509 *d, int idx, void *arg) 186 | { 187 | return 1; 188 | } 189 | 190 | int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 191 | { 192 | return 1; 193 | } 194 | 195 | X509_NAME *sk_X509_NAME_value(const STACK_OF(X509_NAME) *sk, int idx) 196 | { 197 | return NULL; 198 | } 199 | 200 | int sk_X509_NAME_num(const STACK_OF(X509_NAME) *sk) 201 | { 202 | if (!sk) { 203 | error_print(); 204 | return 0; 205 | } 206 | return sk->top; 207 | } 208 | 209 | STACK_OF(X509) *sk_X509_new_null() 210 | { 211 | STACK_OF(X509) *sk; 212 | 213 | if (!(sk = (STACK_OF(X509) *)malloc(sizeof(*sk)))) { 214 | error_print(); 215 | return NULL; 216 | } 217 | 218 | sk->top = 0; 219 | return sk; 220 | } 221 | 222 | int sk_X509_num(const STACK_OF(X509) *sk) 223 | { 224 | if (!sk) { 225 | error_print(); 226 | return 0; 227 | } 228 | return sk->top; 229 | } 230 | 231 | int sk_X509_push(STACK_OF(X509) *sk, const X509 *x509) 232 | { 233 | if (!sk || !x509) { 234 | error_print(); 235 | return 0; 236 | } 237 | if (sk->top >= STACK_OF_X509_MAX_NUM) { 238 | error_print(); 239 | return 0; 240 | } 241 | 242 | sk->values[sk->top] = *x509; 243 | sk->top += 1; 244 | return 1; 245 | } 246 | 247 | void sk_X509_pop_free(STACK_OF(X509) *sk, void (*func)(X509 *)) 248 | { 249 | if (!sk) { 250 | error_print(); 251 | } 252 | if (sk->top > 0) { 253 | sk->top -= 1; 254 | } 255 | } 256 | -------------------------------------------------------------------------------- /src/x509_vfy.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | 18 | X509_LOOKUP_METHOD *X509_LOOKUP_file(void) 19 | { 20 | return NULL; 21 | } 22 | 23 | int X509_LOOKUP_load_file(X509_LOOKUP *ctx, char *name, long type) 24 | { 25 | return 1; 26 | } 27 | 28 | X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *store, X509_LOOKUP_METHOD *meth) 29 | { 30 | return NULL; 31 | } 32 | 33 | int X509_STORE_set_flags(X509_STORE *xs, unsigned long flags) 34 | { 35 | return 1; 36 | } 37 | -------------------------------------------------------------------------------- /tests/sm3.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the License); you may 5 | * not use this file except in compliance with the License. 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | 17 | int main(void) 18 | { 19 | int ret = 1; 20 | EVP_MD_CTX *ctx = NULL; 21 | unsigned char dgst[EVP_MAX_MD_SIZE]; 22 | unsigned int dgstlen, i; 23 | 24 | if (!(ctx = EVP_MD_CTX_create())) { 25 | fprintf(stderr, "%s %d\n", __FILE__, __LINE__); 26 | goto end; 27 | } 28 | 29 | if (EVP_DigestInit_ex(ctx, EVP_sm3(), NULL) != 1) { 30 | goto end; 31 | } 32 | if (EVP_DigestUpdate(ctx, "abc", 3) != 1) { 33 | goto end; 34 | } 35 | if (EVP_DigestFinal_ex(ctx, dgst, &dgstlen) != 1) { 36 | goto end; 37 | } 38 | 39 | for (i = 0; i < dgstlen; i++) { 40 | printf("%02x", dgst[i]); 41 | } 42 | printf("\n"); 43 | 44 | ret = 0; 45 | end: 46 | EVP_MD_CTX_destroy(ctx); 47 | return ret; 48 | } 49 | --------------------------------------------------------------------------------