Use SM2 and SM3 algorithms in TLS 1.3 as required in RFC 8998

Check signature_algorithms, signature_algorithms_cert and key_share
extensions according to RFC 8998.
Replace draft-yang-tls-tls13-sm-suites-* to RFC 8998.

Author: dongbeiouba

CHANGES.BabaSSL

@@ -35,7 +35,7 @@
 
   *) Fix up problems of CVE-2019-1551
 
-  *) Support TLS1.3-GM ciphersuite, see https://datatracker.ietf.org/doc/draft-yang-tls-tls13-sm-suites/ for more information
+  *) Support TLS1.3-GM cipher suite, see https://datatracker.ietf.org/doc/html/rfc8998 for more information
 
   *) Support global session cache, asynchronous session lookup
 

apps/speed.c

@@ -3381,7 +3381,7 @@ int speed_main(int argc, char **argv)
             }
             /*
              * No need to allow user to set an explicit ID here, just use
-             * the one defined in the 'draft-yang-tls-tl13-sm-suites' I-D.
+             * the one defined in the RFC 8998.
              */
             if (EVP_PKEY_CTX_set1_id(sm2_pctx, SM2_ID, SM2_ID_LEN) != 1) {
                 st = 0;

crypto/err/openssl.txt

@@ -1,4 +1,4 @@
-# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -2982,6 +2982,8 @@ SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE:143:\
 	at least TLS 1.0 needed in FIPS mode
 SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE:158:\
 	at least (D)TLS 1.2 needed in Suite B mode
+SSL_R_BAD_CERTIFICATE_SIGNATURE_TYPE:295:bad certificate signature type
+SSL_R_BAD_CERTIFICATE_USAGE:296:bad certificate usage
 SSL_R_BAD_CHANGE_CIPHER_SPEC:103:bad change cipher spec
 SSL_R_BAD_CIPHER:186:bad cipher
 SSL_R_BAD_DATA:390:bad data

crypto/evp/evp_err.c

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -247,10 +247,10 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
     "operation not supported for this keytype"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
     "operaton not initialized"},
-    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
-    "parameter too large"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),
     "output would overflow"},
+    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
+    "parameter too large"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
     "partially overlapping buffers"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},

include/openssl/evperr.h

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -184,8 +184,8 @@ int ERR_load_EVP_strings(void);
 # define EVP_R_ONLY_ONESHOT_SUPPORTED                     177
 # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE   150
 # define EVP_R_OPERATON_NOT_INITIALIZED                   151
-# define EVP_R_PARAMETER_TOO_LARGE                        187
 # define EVP_R_OUTPUT_WOULD_OVERFLOW                      184
+# define EVP_R_PARAMETER_TOO_LARGE                        187
 # define EVP_R_PARTIALLY_OVERLAPPING                      162
 # define EVP_R_PBKDF2_ERROR                               181
 # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179

include/openssl/kdferr.h

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -22,11 +22,11 @@ int ERR_load_KDF_strings(void);
  * KDF function codes.
  */
 # define KDF_F_HKDF_EXTRACT                               112
-# define KDF_F_KDF_CIPHER2CTRL                            134
 # define KDF_F_KBKDF_CTRL                                 144
 # define KDF_F_KBKDF_CTRL_STR                             145
 # define KDF_F_KBKDF_DERIVE                               146
 # define KDF_F_KBKDF_NEW                                  147
+# define KDF_F_KDF_CIPHER2CTRL                            134
 # define KDF_F_KDF_HKDF_DERIVE                            113
 # define KDF_F_KDF_HKDF_NEW                               114
 # define KDF_F_KDF_HKDF_SIZE                              115

include/openssl/sslerr.h

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -699,6 +699,8 @@ int ERR_load_SSL_strings(void);
 # define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
 # define SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE       143
 # define SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE     158
+# define SSL_R_BAD_CERTIFICATE_SIGNATURE_TYPE             295
+# define SSL_R_BAD_CERTIFICATE_USAGE                      296
 # define SSL_R_BAD_CHANGE_CIPHER_SPEC                     103
 # define SSL_R_BAD_CIPHER                                 186
 # define SSL_R_BAD_DATA                                   390

include/openssl/tls1.h

@@ -223,7 +223,7 @@ extern "C" {
 # define TLSEXT_curve_P_256                              23
 # define TLSEXT_curve_P_384                              24
 
-/* define in draft-yang-tls-tls13-sm-suites-01 */
+/* defined in RFC 8998 */
 # ifndef OPENSSL_NO_SM2
 #  define TLSEXT_curve_SM2                               41
 # endif

ssl/s3_lib.c

@@ -114,7 +114,7 @@ static SSL_CIPHER tls13_ciphers[] = {
     },
 #if (!defined OPENSSL_NO_SM2) && (!defined OPENSSL_NO_SM3) \
     && (!defined OPENSSL_NO_SM4)
- /* Cipher 0x00C6 and 0x00C7, Reference to draft-yang-tls-sm-suites-01*/
+ /* Cipher 0x00C6 and 0x00C7, Reference to RFC 8998 */
        {
         1,
         TLS1_3_RFC_SM4_GCM_SM3,
@@ -4120,7 +4120,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 
 #ifndef OPENSSL_NO_SM2
         /*
-         * draft-yang-tls-tls13-sm-suites-02 demand that server can use
+         * RFC 8998 demand that server can use
          * "TLS_SM4_GCM_SM3" and "TLS_SM4_CCM_SM3" with sm2 cert only
          */
         if (s->enable_sm_tls13_strict) {

ssl/ssl_err.c

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -289,6 +289,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_WRITE_BYTES, 0), "ssl3_write_bytes"},
     {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_WRITE_PENDING, 0), "ssl3_write_pending"},
     {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_CERT_CHAIN, 0), "ssl_add_cert_chain"},
+    {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_CERT_CHAIN_NTLS, 0),
+     "ssl_add_cert_chain_ntls"},
     {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_CERT_COMPRESSION_ALG, 0),
      "SSL_add_cert_compression_alg"},
     {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_CERT_TO_BUF, 0), ""},
@@ -1205,6 +1207,10 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
     "at least TLS 1.0 needed in FIPS mode"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE),
     "at least (D)TLS 1.2 needed in Suite B mode"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CERTIFICATE_SIGNATURE_TYPE),
+    "bad certificate signature type"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CERTIFICATE_USAGE),
+    "bad certificate usage"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CHANGE_CIPHER_SPEC),
     "bad change cipher spec"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CIPHER), "bad cipher"},

ssl/ssl_local.h

@@ -1136,7 +1136,7 @@ struct ssl_ctx_st {
 
 #ifndef OPENSSL_NO_SM2
     /*
-     * tag of determining whether we should strict follow draft-yang-tls-tls13-sm-suites,
+     * tag of determining whether we should strict follow RFC 8998,
      * when this tag set to 1, we will reject "TLS_SM4_GCM_SM3" and "TLS_SM4_CCM_SM3"
      * without sm2 cert at server. This tag set to 0 default
      */
@@ -1619,7 +1619,7 @@ struct ssl_st {
 
 #ifndef OPENSSL_NO_SM2
     /*
-     * tag of determining whether we should strict follow draft-yang-tls-tls13-sm-suites,
+     * tag of determining whether we should strict follow RFC 8998,
      * when this tag set to 1, we will reject "TLS_SM4_GCM_SM3" and "TLS_SM4_CCM_SM3"
      * without sm2 cert at server. This tag set to 0 default
      */

ssl/statem/statem_clnt.c

@@ -22,6 +22,7 @@
 #include <openssl/dh.h>
 #include <openssl/bn.h>
 #include <openssl/engine.h>
+#include <openssl/x509v3.h>
 #include <internal/cryptlib.h>
 
 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
@@ -1728,6 +1729,28 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
         goto err;
     }
 
+#ifndef OPENSSL_NO_SM2
+    /*
+     * To use the cipher suites TLS_SM4_GCM_SM3 and TLS_SM4_CCM_SM3,
+     * RFC 8998 demand that:
+     * For the key_share extension, a KeyShareEntry with SM2-related
+     * values MUST be added.
+     */
+    if (SSL_IS_TLS13(s) && s->enable_sm_tls13_strict == 1) {
+        const SSL_CIPHER *cipher = s->s3->tmp.new_cipher;
+
+        if (cipher->id == TLS1_3_CK_SM4_GCM_SM3
+            || cipher->id == TLS1_3_CK_SM4_CCM_SM3) {
+            if (s->s3->group_id != TLSEXT_curve_SM2) {
+                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
+                         SSL_F_TLS_PROCESS_SERVER_HELLO,
+                         SSL_R_BAD_KEY_SHARE);
+                goto err;
+            }
+        }
+    }
+#endif
+
 #ifndef OPENSSL_NO_SCTP
     if (SSL_IS_DTLS(s) && s->hit) {
         unsigned char sctpauthkey[64];
@@ -2030,6 +2053,48 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
             goto err;
         }
     }
+
+#ifndef OPENSSL_NO_SM2
+    /*
+     * RFC 8998 requires that
+     * The public key in the certificate MUST be a valid SM2 public key.
+     * The signature algorithm used by the CA to sign the current
+     * certificate MUST be "sm2sig_sm3".
+     * The certificate MUST be capable of signing; e.g., the digitalSignature
+     * bit of X.509's Key Usage extension is set.
+     */
+    if (SSL_IS_TLS13(s) && s->enable_sm_tls13_strict == 1) {
+        const SSL_CIPHER *cipher = s->s3->tmp.new_cipher;
+
+        if (cipher->id == TLS1_3_CK_SM4_GCM_SM3
+            || cipher->id == TLS1_3_CK_SM4_CCM_SM3) {
+            if (EVP_PKEY_id(pkey) != EVP_PKEY_SM2) {
+                x = NULL;
+                SSLfatal(s, SSL_AD_BAD_CERTIFICATE,
+                         SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
+                         SSL_R_WRONG_CERTIFICATE_TYPE);
+                goto err;
+            }
+
+            if (X509_get_signature_nid(x) != NID_SM2_with_SM3) {
+                x = NULL;
+                SSLfatal(s, SSL_AD_BAD_CERTIFICATE,
+                         SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
+                         SSL_R_BAD_CERTIFICATE_SIGNATURE_TYPE);
+                goto err;
+            }
+
+            if ((X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE) == 0) {
+                x = NULL;
+                SSLfatal(s, SSL_AD_BAD_CERTIFICATE,
+                         SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
+                         SSL_R_BAD_CERTIFICATE_USAGE);
+                goto err;
+            }
+        }
+    }
+#endif
+
     s->session->peer_type = certidx;
 
     X509_free(s->session->peer);
@@ -2587,6 +2652,41 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
             return MSG_PROCESS_ERROR;
         }
         OPENSSL_free(rawexts);
+#ifndef OPENSSL_NO_SM2
+        /*
+         * RFC 8998 requires that
+         * if the server chooses TLS_SM4_GCM_SM3 or TLS_SM4_CCM_SM3,
+         * the only valid signature algorithm present in
+         * "signature_algorithms" extension MUST be "sm2sig_sm3".
+         */
+        if (s->enable_sm_tls13_strict == 1) {
+            const SSL_CIPHER *cipher = s->s3->tmp.new_cipher;
+
+            if (cipher->id == TLS1_3_CK_SM4_GCM_SM3
+                || cipher->id == TLS1_3_CK_SM4_CCM_SM3) {
+
+                if (s->s3->tmp.peer_sigalgslen > 0
+                    && (s->s3->tmp.peer_sigalgslen != 1
+                    || s->s3->tmp.peer_sigalgs[0] != TLSEXT_SIGALG_sm2sig_sm3))
+                {
+                    SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
+                             SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
+                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+                    return MSG_PROCESS_ERROR;
+                }
+
+                if (s->s3->tmp.peer_cert_sigalgslen > 0
+                    && (s->s3->tmp.peer_cert_sigalgslen != 1
+                        || s->s3->tmp.peer_cert_sigalgs[0] != TLSEXT_SIGALG_sm2sig_sm3))
+                {
+                    SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
+                             SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
+                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+                    return MSG_PROCESS_ERROR;
+                }
+            }
+        }
+#endif
         if (!tls1_process_sigalgs(s)) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,

ssl/statem/statem_local.h

@@ -34,8 +34,7 @@
 
 #ifndef OPENSSL_NO_SM2
 /*
- *standard handshake sm2-id and cert verify id is defined
- * in IETF draft-yang-tls-tls13-sm-suites-01
+ * standard handshake sm2-id and cert verify id is defined in RFC 8998
  */
 # define HANDSHAKE_SM2_ID "TLSv1.3+GM+Cipher+Suite"
 # define HANDSHAKE_SM2_ID_LEN sizeof(HANDSHAKE_SM2_ID) - 1