From ef7d3f72d94fa5b11b8f6c1a7862eeee0278267f Mon Sep 17 00:00:00 2001 From: cliven Date: Mon, 21 Feb 2022 22:16:36 +0800 Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E4=BA=86=E8=B7=B3=E8=BF=87?= =?UTF-8?q?=E8=AF=81=E4=B9=A6=E5=9F=9F=E5=90=8D=E5=8C=B9=E9=85=8D=E7=9A=84?= =?UTF-8?q?=E9=A2=9D=E5=A4=96=E9=85=8D=E7=BD=AE=20=E5=A2=9E=E5=8A=A0?= =?UTF-8?q?=E4=BA=86=E6=8A=A5=E8=AD=A6=E5=8D=8F=E8=AE=AE=E4=B8=AD=E6=96=87?= =?UTF-8?q?=20=E4=BF=AE=E5=A4=8D=E4=BA=86=E5=9B=BD=E5=AF=86SM2=E6=83=85?= =?UTF-8?q?=E5=86=B5=E4=B8=8B=E9=80=9A=E8=BF=87=E6=9E=84=E9=80=A0=E6=96=B9?= =?UTF-8?q?=E6=B3=95=E6=8F=90=E4=BE=9B=E8=AF=81=E4=B9=A6=20=E5=A2=9E?= =?UTF-8?q?=E5=8A=A0=E4=BA=86=E5=AF=B9=E4=BA=8E=E8=AF=B7=E6=B1=82=E7=9A=84?= =?UTF-8?q?=E7=89=88=E6=9C=AC=E5=8F=B7=E7=9A=84=E6=A3=80=E6=9F=A5=EF=BC=8C?= =?UTF-8?q?=E5=9C=A8=E8=AF=BB=E5=8F=96clientHello=E6=97=B6=E5=A4=84?= =?UTF-8?q?=E7=90=86=E5=B9=B6=E6=8A=A5=E9=94=99=20=E5=A2=9E=E5=8A=A0?= =?UTF-8?q?=E4=BA=86=E6=8F=A1=E6=89=8B=E4=BD=BF=E7=94=A8=E7=9A=84=E6=97=B6?= =?UTF-8?q?=E9=92=9F=E6=B7=BB=E5=8A=A0=E7=89=88=E6=9C=AC=E5=8F=B7=20?= =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E4=BA=86GMSSL=E6=A8=A1=E5=BC=8F=E4=B8=8B?= =?UTF-8?q?=E6=95=B0=E6=8D=AE=E5=86=99=E5=85=A5=E5=88=86=E7=89=871?= =?UTF-8?q?=E5=AD=97=E8=8A=82=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- gmtls/alert.go | 65 +++++++++++++++++++++++------ gmtls/auto_handshake_server.go | 15 ++++--- gmtls/common.go | 4 ++ gmtls/conn.go | 2 +- gmtls/gm_handshake_client_double.go | 4 ++ gmtls/gm_handshake_server_double.go | 31 +++++++++++--- gmtls/handshake_client.go | 3 ++ 7 files changed, 97 insertions(+), 27 deletions(-) diff --git a/gmtls/alert.go b/gmtls/alert.go index 5ca584f1..9a475518 100644 --- a/gmtls/alert.go +++ b/gmtls/alert.go 
@@ -51,12 +51,12 @@ const ( alertNoRenegotiation alert = 100 alertNoApplicationProtocol alert = 120 //GMT0024 - alertUnspporttedSite2Site alert = 200 - alertNoArea alert = 201 - alertUnspportedAreaType alert = 202 - alertBadIBCParam alert = 203 - alertUnspportedIBCParam alert = 204 - alertIdentityNeed alert = 205 + alertUnspporttedSite2Site alert = 200 + alertNoArea alert = 201 + alertUnspportedAreaType alert = 202 + alertBadIBCParam alert = 203 + alertUnspportedIBCParam alert = 204 + alertIdentityNeed alert = 205 ) var alertText = map[alert]string{ 
@@ -85,12 +85,44 @@ var alertText = map[alert]string{ alertNoRenegotiation: "no renegotiation", alertNoApplicationProtocol: "no application protocol", //GMT0024 - alertUnspporttedSite2Site: "不支持site2site", - alertNoArea : "没有保护域", - alertUnspportedAreaType : "不支持的保护域类型", - alertBadIBCParam : "接收到一个无效的ibc公共参数", - alertUnspportedIBCParam : "不支持ibc参数中定义的信息", - alertIdentityNeed : "缺少对方的ibc标识", + alertUnspporttedSite2Site: "不支持site2site", + alertNoArea: "没有保护域", + alertUnspportedAreaType: "不支持的保护域类型", + alertBadIBCParam: "接收到一个无效的ibc公共参数", + alertUnspportedIBCParam: "不支持ibc参数中定义的信息", + alertIdentityNeed: "缺少对方的ibc标识", +} + +// 错误中文描述 +var alertText_CN = map[alert]string{ + alertCloseNotify: "关闭通知", + alertUnexpectedMessage: "接收到一个不符合上下文关系的消息", + alertBadRecordMAC: "MAC校验错误或解密错误", + alertDecryptionFailed: "解密失败", + alertRecordOverflow: "报文过长", + alertDecompressionFailure: "解压缩失败", + alertHandshakeFailure: "协商失败", + alertBadCertificate: "证书破坏", + alertUnsupportedCertificate: "不支持证书类型", + alertCertificateRevoked: "证书被撤销", + alertCertificateExpired: "证书过期或未生效", + alertCertificateUnknown: "未知证书错误", + alertIllegalParameter: "非法参数", + alertUnknownCA: "根证书不可信", + alertAccessDenied: "拒绝访问", + alertDecodeError: "消息解码失败", + alertDecryptError: "消息解密失败", + alertProtocolVersion: "版本不匹配", + alertInsufficientSecurity: "安全性不足", + alertInternalError: "内部错误", + alertUserCanceled: "用户取消操作", + alertNoRenegotiation: "拒绝重新协商", + alertUnspporttedSite2Site: "不支持 site2site", + alertNoArea: "没有保护域", + alertUnspportedAreaType: "不支持的保护域类型", + alertBadIBCParam: "接收到一个无效的ibc公共参数", + alertUnspportedIBCParam: "不支持ibc公共参数中定义的信息", + alertIdentityNeed: "缺少对方的ibc标识", } func (e alert) String() string { @@ -104,3 +136,12 @@ func (e alert) String() string { func (e alert) Error() string { return e.String() } + +// AlertDespCN 报警消息中文意义 +func AlertDespCN(e uint8) string { + s, ok := alertText_CN[alert(e)] + if ok { + return s + } + return "报警(" + strconv.Itoa(int(e)) + ")" +} 
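Review bot: `alertText_CN` has no entry for `alertNoApplicationProtocol`, which `alertText` directly above does map, so `AlertDespCN(120)` from the last hunk of this file falls through to the generic `报警(120)` string. Add an `alertNoApplicationProtocol:` entry to the new map. Alerts declared above the visible part of the const block could not be checked from here, so compare the two maps key by key. The identifier also breaks Go's MixedCaps convention; `alertTextCN` would match the rest of the file.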
diff --git a/gmtls/auto_handshake_server.go b/gmtls/auto_handshake_server.go index eac3ab12..3a3dd8fc 100644 --- a/gmtls/auto_handshake_server.go +++ b/gmtls/auto_handshake_server.go @@ -121,7 +121,7 @@ func processClientHelloGM(c *Conn, hs *serverHandshakeStateGM) (isResume bool, e } // Edit: 根据 GMT 0024 6.4.4.1.1 Client Hello 消息 b) random 描述 // 客户端产生的随机信息,其内容包括时钟和随机数。 - gmtRandom(&(hs.hello.random)) + gmtRandom(hs.hello.random) if len(hs.clientHello.secureRenegotiation) != 0 { _ = c.sendAlert(alertHandshakeFailure) @@ -158,7 +158,7 @@ func processClientHelloGM(c *Conn, hs *serverHandshakeStateGM) (isResume bool, e _ = c.sendAlert(alertInternalError) return false, err } - encCert, err := c.config.GetKECertificate(hs.clientHelloInfo()) + encCert, err := c.config.getEKCertificate(hs.clientHelloInfo()) if err != nil { _ = c.sendAlert(alertInternalError) return false, err @@ -522,12 +522,11 @@ func runServerHandshake(c *Conn, hs *serverHandshakeState, isResume bool) error } // 国密类型的随机数 4 byte unix time 28 byte random -func gmtRandom(raw *[]byte) uint32 { - rd := *raw +func gmtRandom(raw []byte) uint32 { unixTime := time.Now().Unix() - rd[0] = uint8(unixTime >> 24) - rd[1] = uint8(unixTime >> 16) - rd[2] = uint8(unixTime >> 8) - rd[3] = uint8(unixTime) + raw[0] = uint8(unixTime >> 24) + raw[1] = uint8(unixTime >> 16) + raw[2] = uint8(unixTime >> 8) + raw[3] = uint8(unixTime) return uint32(unixTime) } diff --git a/gmtls/common.go b/gmtls/common.go index f02c243a..fdc5333b 100644 --- a/gmtls/common.go +++ b/gmtls/common.go @@ -476,6 +476,9 @@ type Config struct { // This should be used only for testing. InsecureSkipVerify bool + // 跳过证书与域名的验证 + SkipServerNameVerify bool + // CipherSuites is a list of supported cipher suites. If CipherSuites // is nil, TLS uses a list of suites supported by the implementation. CipherSuites []uint16 
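Review bot: `gmtRandom` writes `raw[0]` through `raw[3]` without checking the slice length, so a caller that passes fewer than four bytes panics in the middle of a handshake. Now that the parameter is a plain `[]byte`, the contract should be stated in the doc comment, for example `// raw must be the 32-byte hello random; its first 4 bytes are overwritten with the big-endian Unix time`. The four shifts could also be written as `binary.BigEndian.PutUint32(raw, uint32(unixTime))` if `encoding/binary` is acceptable in this file.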
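Review bot: The comment on `SkipServerNameVerify` in `Config` does not say what is given up when the flag is set. The `doFullHandshake` hunks in gm_handshake_client_double.go and handshake_client.go clear `opts.DNSName` when it is true, so a certificate issued for any name is accepted as long as it chains to a trusted root. The field sits directly under `InsecureSkipVerify`, whose comment ends with "This should be used only for testing", and it deserves an equally explicit comment such as `// SkipServerNameVerify disables the check that the server certificate matches ServerName. Any certificate from a trusted CA is then accepted for any host; use only for testing.` An `Insecure` prefix on the name would also make the risk visible at call sites.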
@@ -613,6 +616,7 @@ func (c *Config) Clone() *Config { Renegotiation: c.Renegotiation, KeyLogWriter: c.KeyLogWriter, sessionTicketKeys: sessionTicketKeys, + SkipServerNameVerify: c.SkipServerNameVerify, } } diff --git a/gmtls/conn.go b/gmtls/conn.go index ac3f99a5..4731b92d 100644 --- a/gmtls/conn.go +++ b/gmtls/conn.go @@ -1080,7 +1080,7 @@ func (c *Conn) Write(b []byte) (int, error) { // https://www.imperialviolet.org/2012/01/15/beastfollowup.html var m int - if len(b) > 1 && c.vers <= VersionTLS10 { + if len(b) > 1 && c.vers <= VersionTLS10 && c.vers != VersionGMSSL { if _, ok := c.out.cipher.(cipher.BlockMode); ok { n, err := c.writeRecordLocked(recordTypeApplicationData, b[:1]) if err != nil { diff --git a/gmtls/gm_handshake_client_double.go b/gmtls/gm_handshake_client_double.go index 0346e7b5..1fce139c 100644 --- a/gmtls/gm_handshake_client_double.go +++ b/gmtls/gm_handshake_client_double.go @@ -231,6 +231,10 @@ func (hs *clientHandshakeStateGM) doFullHandshake() error { DNSName: c.config.ServerName, Intermediates: x509.NewCertPool(), } + if c.config.SkipServerNameVerify { + opts.DNSName = "" + } + if opts.Roots == nil { opts.Roots = x509.NewCertPool() } diff --git a/gmtls/gm_handshake_server_double.go b/gmtls/gm_handshake_server_double.go index 52341537..0f00dad2 100644 --- a/gmtls/gm_handshake_server_double.go +++ b/gmtls/gm_handshake_server_double.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build !single_cert // +build !single_cert package gmtls 
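Review bot: The added `c.vers != VersionGMSSL` condition in `Write` turns off the 1/n-1 record split for GMSSL connections, which is the BEAST countermeasure the comment above links to, and nothing in the hunk says why that is safe. It is safe only if the GMSSL CBC record path uses a fresh explicit IV for every record instead of chaining from the previous ciphertext block. That code is not part of this diff, so it needs to be confirmed. A comment next to the condition would record the reasoning, e.g. `// GMSSL records carry an explicit per-record IV, so the 1/n-1 split is unnecessary`. `Write` starts and ends outside the hunk.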
@@ -135,11 +136,12 @@ func (hs *serverHandshakeStateGM) readClientHello() (isResume bool, err error) { } } - c.vers, ok = c.config.mutualVersion(hs.clientHello.vers) - if !ok { + c.vers = hs.clientHello.vers + if hs.clientHello.vers != VersionGMSSL { c.sendAlert(alertProtocolVersion) - return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers) + return false, fmt.Errorf("tlcp: only support tclp version 0x0101,but get protocol version of %x", hs.clientHello.vers) } + c.haveVers = true hs.hello = new(serverHelloMsg) @@ -165,6 +167,8 @@ func (hs *serverHandshakeStateGM) readClientHello() (isResume bool, err error) { c.sendAlert(alertInternalError) return false, err } + // 客户端产生的随机信息,其内容包括时钟和随机数。 + gmtRandom(hs.hello.random) if len(hs.clientHello.secureRenegotiation) != 0 { c.sendAlert(alertHandshakeFailure) @@ -193,9 +197,24 @@ func (hs *serverHandshakeStateGM) readClientHello() (isResume bool, err error) { } } - // just for test - c.config.getCertificate(hs.clientHelloInfo()) - hs.cert = c.config.Certificates + if len(c.config.Certificates) < 2 { + var sigCert, encCert *Certificate + // 当证书数量不足时,通过配置提供的证书获取方法获取密钥对 + sigCert, err = c.config.getCertificate(hs.clientHelloInfo()) + if err != nil { + _ = c.sendAlert(alertInternalError) + return false, err + } + encCert, err = c.config.getEKCertificate(hs.clientHelloInfo()) + if err != nil { + _ = c.sendAlert(alertInternalError) + return false, err + } + // 第1张证书为 签名证书、第2张为加密证书(用于密钥交换) + hs.cert = []Certificate{*sigCert, *encCert} + } else { + hs.cert = c.config.Certificates + } // GMT0024 if len(hs.cert) < 2 { diff --git a/gmtls/handshake_client.go b/gmtls/handshake_client.go index 414878a2..d4a3de11 100644 --- a/gmtls/handshake_client.go +++ b/gmtls/handshake_client.go 
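Review bot: `c.vers = hs.clientHello.vers` stores the client-supplied version before it is validated, so on the rejection path the connection holds an arbitrary version while `c.sendAlert(alertProtocolVersion)` runs. Test first and assign afterwards, i.e. keep the `if hs.clientHello.vers != VersionGMSSL` block and follow it with `c.vers = VersionGMSSL`. The error text has typos ("tclp", "get") and could read `"tlcp: only protocol version 0x0101 is supported, got %x"`. The equality test also replaces `c.config.mutualVersion`, so version limits set in the config no longer affect this path, and a comment should say so if that is intended. `readClientHello` continues outside the hunk.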
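Review bot: `hs.cert = []Certificate{*sigCert, *encCert}` dereferences both results without a nil check, so if either getter can return a nil certificate together with a nil error the server panics while processing a ClientHello. The bodies of `getCertificate` and `getEKCertificate` are not in this diff; unless both guarantee a non-nil result, add `if sigCert == nil || encCert == nil` and return after an internal-error alert before the slice is built. The branch is also taken when exactly one certificate is configured, and a comment should state whether the two getters can then hand back the same certificate for signing and for encryption. The new lines use `_ = c.sendAlert(...)` while the rest of `readClientHello` calls `c.sendAlert(...)` bare, so one form should be chosen for the function.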
@@ -363,6 +363,9 @@ func (hs *clientHandshakeState) doFullHandshake() error { DNSName: c.config.ServerName, Intermediates: x509.NewCertPool(), } + if c.config.SkipServerNameVerify { + opts.DNSName = "" + } for i, cert := range certs { if i == 0 {