
Cannot set the SM4GCMSM3 suite with TLS1.3

Open WendyWjt opened this issue 2 years ago • 2 comments

Hello, I used the following code to configure the ctx:

(I modified test\ssl_test_ctx_test.c, which is why the ifdef block is kept.)

#ifdef OPENSSL_NO_SM2
    TEST_note("SM2 is disabled.");
#else
    TEST_note("SM");
    printf("?? %p, %s\n", TLS_DEFAULT_CIPHERSUITES, TLS_DEFAULT_CIPHERSUITES);

    SSL_CTX* ctx = SSL_CTX_new(TLS_client_method());
    /* 0x0304 is TLS1_3_VERSION */
    printf("set version tls13: %ld\n", SSL_CTX_set_max_proto_version(ctx, 0x0304));
    /* SSL_CTX_set_cipher_list() covers TLS 1.2 and below, SSL_CTX_set_ciphersuites() covers TLS 1.3; both return 1 on success and 0 on failure */
    printf("set tls12 and below ciphers: %d\n", SSL_CTX_set_cipher_list(ctx, SM4_CIPHERSUITES));
    printf("set tls13 and below ciphers: %d\n", SSL_CTX_set_ciphersuites(ctx, "TLS_SM4_GCM_SM3"));
    printf("Set SM4 cipher suites: %p, %s\n", SM4_CIPHERSUITES, SM4_CIPHERSUITES);
#endif

The return value is 0:

# SM
?? 0x409ca8, TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_SM4_GCM_SM3:TLS_SM4_CCM_SM3
set version tls13: 1
set tls12 and below ciphers: 0
set tls13 and below ciphers: 0

Setting a breakpoint with gdb, I found that in the ssl3_get_cipher_by_std_name function, the cipher suites in alltabs do not include TLS_SM4_GCM_SM3:

Breakpoint 2, ssl3_get_cipher_by_std_name (stdname=0x7fffffffe0f0 "TLS_SM4_GCM_SM3") at ssl/s3_lib.c:4075
4075	        s2n(pmslen, t);
(gdb) n
4076	        if (alg_k & SSL_kPSK)
(gdb) p c
$1 = (SSL_CIPHER *) 0x0
(gdb) p alltabs
$2 = {0x0, 0x61ef20}
(gdb) s
4077	            memset(t, 0, pmslen);
(gdb) s
4080	        t += pmslen;
(gdb) s
4081	        s2n(psklen, t);
(gdb) p alltabs
$3 = {0x7ffff7dcee80 <tls13_ciphers>, 0x7ffff7dcf020 <ssl3_ciphers>}
(gdb) p alltabs[0][3]->name
$4 = 0x7ffff7ba9a63 "TLS_AES_128_CCM_SHA256"
(gdb) p alltabs[0][3]
$5 = {valid = 1, name = 0x7ffff7ba9a63 "TLS_AES_128_CCM_SHA256", stdname = 0x7ffff7ba9a63 "TLS_AES_128_CCM_SHA256", id = 50336516, algorithm_mkey = 0, algorithm_auth = 0, 
  algorithm_enc = 16384, algorithm_mac = 64, min_tls = 772, max_tls = 772, min_dtls = 0, max_dtls = 0, algo_strength = 40, algorithm2 = 4, strength_bits = 128, alg_bits = 128}
(gdb) p alltabs[0][5]
$6 = {valid = 0, name = 0x0, stdname = 0x1 <error: Cannot access memory at address 0x1>, id = 4156201619, algorithm_mkey = 32767, algorithm_auth = 4156201628, algorithm_enc = 32767, 
  algorithm_mac = 50331649, min_tls = 1, max_tls = 1, min_dtls = 32, max_dtls = 1, algo_strength = 768, algorithm2 = 771, strength_bits = 256, alg_bits = 65277}
(gdb) p alltabs[0][4]
$7 = {valid = 1, name = 0x7ffff7ba9a7a "TLS_AES_128_CCM_8_SHA256", stdname = 0x7ffff7ba9a7a "TLS_AES_128_CCM_8_SHA256", id = 50336517, algorithm_mkey = 0, algorithm_auth = 0, 
  algorithm_enc = 65536, algorithm_mac = 64, min_tls = 772, max_tls = 772, min_dtls = 0, max_dtls = 0, algo_strength = 40, algorithm2 = 4, strength_bits = 128, alg_bits = 128}

The build options were ./config --debug -g -Og

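However, the ifdef block was entered, and the SM-related algorithms were not disabled at build time, so alltabs should include the TLS_SM4_GCM_SM3 suite when it is checked. I also ran the SM (Chinese national cryptography) tests on their own, and they show that SM3 and SM4 are not disabled either. Could you tell me how to set the cipher suite on the ctx?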

WendyWjt avatar Jun 15 '22 07:06 WendyWjt

Ping @dongbeiouba

InfoHunter avatar Jun 15 '22 07:06 InfoHunter

This is my local test result; the suite can be set successfully: image

Also, your ssl3_get_cipher_by_std_name code is different from the master code. Is your code rather old? Try again with the code from the master branch: image image

wa5i avatar Jul 04 '22 15:07 wa5i
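
A way to check from the command line which TLS 1.3 suite names a given build accepts, before stepping through the C code. This is an added example, not part of the original thread or the project's code. `OPENSSL_BIN` and the function names are assumptions; point `OPENSSL_BIN` at the CLI built from the same tree as the libssl being tested.

```shell
#!/bin/sh
# Added example (not from the issue thread).
# OPENSSL_BIN is an assumption: the CLI built from the same source tree as the
# libssl under test (installed as "openssl" or "tongsuo" depending on release).
OPENSSL_BIN="${OPENSSL_BIN:-openssl}"

# Succeeds only if this build accepts NAME as a TLS 1.3 ciphersuite.
# The CLI passes NAME to SSL_CTX_set_ciphersuites(), so a failure here
# corresponds to the 0 return value reported from the C API above.
# Pass one suite name per call so each name is judged on its own.
suite_supported() {
    "$OPENSSL_BIN" ciphers -s -tls1_3 -ciphersuites "$1" >/dev/null 2>&1
}

# Prints "NAME yes" or "NAME no" for every suite name given.
check_suites() {
    for suite_name in "$@"; do
        if suite_supported "$suite_name"; then
            printf '%s yes\n' "$suite_name"
        else
            printf '%s no\n' "$suite_name"
        fi
    done
}

# Prints the build identity first, then the per-suite result. The reply in the
# thread suspects an outdated tree, so the version line is what to compare
# against the master branch.
report() {
    "$OPENSSL_BIN" version -a 2>/dev/null | sed -n '1,2p'
    check_suites "$@"
}

report TLS_AES_128_GCM_SHA256 TLS_SM4_GCM_SM3 TLS_SM4_CCM_SM3
```

A "no" for TLS_SM4_GCM_SM3 next to a "yes" for TLS_AES_128_GCM_SHA256 means the suite is missing from that build's cipher table, so the problem is in the build rather than in the calling code.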