From 2758afbddf7d37770a0042a31559be05775aaa3d Mon Sep 17 00:00:00 2001
From: Zhi Guan
Date: Tue, 16 Jun 2026 18:19:07 +0800
Subject: [PATCH] Clean TLS code
---
 CMakeLists.txt | 2 +-
 include/gmssl/version.h | 2 +-
 src/tlcp.c | 25 ++++++---------
 src/tls.c | 18 ++---------
 src/tls12.c | 68 +++++++++++++++++++----------------
 5 files changed, 46 insertions(+), 69 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 62bb3718..d24c5e96 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -818,7 +818,7 @@ endif()
 # set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1062")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1063")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index 94c1da68..32156d86 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 #define GMSSL_VERSION_NUM 30200
-#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1062"
+#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1063"
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/src/tlcp.c b/src/tlcp.c
index cce99bfd..a318525a 100644
--- a/src/tlcp.c
+++ b/src/tlcp.c
@@ -44,11 +44,6 @@ const size_t tlcp_cipher_suites_cnt = sizeof(tlcp_cipher_suites)/sizeof(tlcp_cipher_suites[0]);
-int tlcp_record_print(FILE *fp, int fmt, int ind, const uint8_t *record, size_t recordlen)
-{
- return tls_record_print(fp, fmt, ind, tlcp_cipher_suites[0],
- record, recordlen);
-}
 /* ServerKeyExchange
@@ -495,7 +490,7 @@ int tlcp_send_client_hello(TLS_CONNECT *conn)
 return -1;
 }
 if (conn->verbose)
- tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
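Review bot: `conn->cipher_suite` is handed to `tls_record_print` while tracing the ClientHello in `tlcp_send_client_hello`, but the suite is only negotiated once the ServerHello has been processed, so at this point it is presumably still whatever value connection setup left in it; the deleted `tlcp_record_print` sidestepped this by always decoding with `tlcp_cipher_suites[0]`. If `tls_record_print` rejects an unknown suite, the verbose trace for ClientHello silently vanishes, and the same applies to `tlcp_recv_client_hello`, `tlcp_recv_server_hello`, `tls_send_client_hello`, `tls_recv_client_hello` and `tls_recv_server_hello` in the later hunks, all of which trace the record before it is parsed; if the suite is only needed for key-exchange bodies the change is harmless, which is worth confirming against tls_record_print. A safe fallback is to decode with the protocol's default suite until one is chosen: `int suite = conn->cipher_suite ? conn->cipher_suite : tlcp_cipher_suites[0];` ahead of the call. The definitions of `tlcp_record_print` here and `tls12_record_print` in src/tls12.c are removed while no header other than version.h is touched, so if either was declared in a public header the prototype now dangles and out-of-tree callers lose a symbol with nothing but the dev-number bump to signal it. Both enclosing functions continue outside the hunk.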
@@ -555,7 +550,7 @@ int tlcp_recv_server_hello(TLS_CONNECT *conn)
 if (conn->verbose) tls_trace("recv ServerHello\n");
 if (conn->verbose)
- tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -764,7 +759,7 @@ int tlcp_recv_server_certificate(TLS_CONNECT *conn)
 if (conn->verbose) tls_trace("recv server Certificate\n");
 if (conn->verbose)
- tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -851,7 +846,7 @@ int tlcp_recv_server_key_exchange(TLS_CONNECT *conn)
 if(conn->verbose) tls_trace("recv ServerKeyExchange\n");
 if (conn->verbose)
- tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -940,7 +935,7 @@ int tlcp_recv_certificate_request(TLS_CONNECT *conn)
 if(conn->verbose) tls_trace("recv CertificateRequest\n");
 if (conn->verbose)
- tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (tlcp_record_get_handshake_certificate_request(conn->record, &cert_types, &cert_types_len, &ca_names, &ca_names_len) != 1) {
@@ -1025,7 +1020,7 @@ int tlcp_send_client_key_exchange(TLS_CONNECT *conn)
 return -1;
 }
 if (conn->verbose)
- tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -1169,7 +1164,7 @@ int tlcp_recv_client_hello(TLS_CONNECT *conn)
 return ret;
 }
 if (conn->verbose)
- tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (tls_record_protocol(conn->record) != conn->protocol) {
@@ -1614,7 +1609,7 @@ int tlcp_send_server_key_exchange(TLS_CONNECT *conn)
 return -1;
 }
 if (conn->verbose)
- tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -1746,7 +1741,7 @@ int tlcp_send_certificate_request(TLS_CONNECT *conn)
 return -1;
 }
 if(conn->verbose)
- tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
@@ -1795,7 +1790,7 @@ int tlcp_recv_client_key_exchange(TLS_CONNECT *conn)
 return -1;
 }
 if (conn->verbose)
- tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
diff --git a/src/tls.c b/src/tls.c
index 6e0fe246..4a9f618d 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -2231,11 +2231,7 @@ int tls_send_alert(TLS_CONNECT *conn, int alert)
 return -1;
 }
 if (conn->verbose) {
- if (conn->protocol == TLS_protocol_tls12) {
- tls12_record_print(stderr, record, sizeof(record), 0, 0);
- } else {
- tls_record_trace(stderr, record, sizeof(record), 0, 0);
- }
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, record, sizeof(record));
 }
 return 1;
 }
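Review bot: The protocol dispatch that routed non-TLS1.2 connections to `tls_record_trace` is collapsed into a single `tls_record_print` call in `tls_send_alert`, so whatever `tls_record_trace` formatted differently (presumably the TLS 1.3 path, since src/tls.c is shared by every protocol) now goes through the TLS 1.2/TLCP printer. An alert is also the record most likely to be sent before any suite has been negotiated, for example when the peer's ClientHello fails to parse, so `conn->cipher_suite` here is often still unset; a comment such as `/* cipher_suite may still be unset when an alert is raised during the hello exchange; tls_record_print must tolerate that */` would make the assumption visible, or confirm it in tls_record_print itself. `tls_send_warning` and `tls_decrypt_recv` in the next two hunks have the same shape. The enclosing function starts outside the hunk.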
@@ -2286,11 +2282,7 @@ int tls_send_warning(TLS_CONNECT *conn, int alert)
 return -1;
 }
 if (conn->verbose) {
- if (conn->protocol == TLS_protocol_tls12) {
- tls12_record_print(stderr, record, sizeof(record), 0, 0);
- } else {
- tls_record_trace(stderr, record, sizeof(record), 0, 0);
- }
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, record, sizeof(record));
 }
 return 1;
 }
@@ -2373,11 +2365,7 @@ int tls_decrypt_recv(TLS_CONNECT *conn)
 conn->datalen = tls_record_data_length(conn->databuf);
 if (conn->verbose) {
- if (conn->protocol == TLS_protocol_tls12) {
- tls12_record_print(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0);
- } else {
- tls_record_trace(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0);
- }
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->databuf, tls_record_length(conn->databuf));
 }
 return 1;
diff --git a/src/tls12.c b/src/tls12.c
index 545cbd3f..43217e0d 100644
--- a/src/tls12.c
+++ b/src/tls12.c
@@ -56,12 +56,6 @@ const size_t tls12_cipher_suites_cnt = sizeof(tls12_cipher_suites)/sizeof(tls12_cipher_suites[0]);
-int tls12_record_print(FILE *fp, const uint8_t *record, size_t recordlen, int fmt, int ind)
-{
- return tls_record_print(fp, fmt, ind, tls12_cipher_suites[0],
- record, recordlen);
-}
-
 int tls_named_curve_oid(int named_curve)
 {
 switch (named_curve) {
@@ -393,7 +387,7 @@ int tls_send_client_hello(TLS_CONNECT *conn)
 }
 if (conn->verbose)
- tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 // backup ClientHello
 memcpy(conn->plain_record, conn->record, conn->recordlen);
@@ -943,7 +937,7 @@ int tls_recv_client_hello(TLS_CONNECT *conn)
 }
 return ret;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (tls_record_protocol(conn->record) != TLS_protocol_tls1) {
 error_print();
@@ -1333,7 +1327,7 @@ int tls_send_server_hello(TLS_CONNECT *conn)
 tls_send_alert(conn, TLS_alert_internal_error);
 return -1;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
@@ -1390,7 +1384,7 @@ int tls_recv_server_hello(TLS_CONNECT *conn)
 return ret;
 }
 if (conn->verbose)
- tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (tls_record_protocol(conn->record) != conn->protocol) {
 error_print();
@@ -1566,7 +1560,7 @@ int tls_send_server_certificate(TLS_CONNECT *conn)
 tls_send_alert(conn, TLS_alert_internal_error);
 return -1;
 }
- if (conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if (conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -1613,7 +1607,7 @@ int tls_recv_server_certificate(TLS_CONNECT *conn)
 return ret;
 }
 if(conn->verbose)
- tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (tls_record_protocol(conn->record) != conn->protocol) {
 error_print();
@@ -1844,7 +1838,7 @@ int tls_send_server_key_exchange(TLS_CONNECT *conn)
 tls_send_alert(conn, TLS_alert_internal_error);
 return -1;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -1976,7 +1970,7 @@ int tls_recv_server_key_exchange(TLS_CONNECT *conn)
 tls_send_alert(conn, TLS_alert_unexpected_message);
 return -1;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if ((ret = tls12_record_get_handshake_server_key_exchange(conn->record,
@@ -2121,7 +2115,7 @@ int tls12_send_certificate_request(TLS_CONNECT *conn)
 tls_send_alert(conn, TLS_alert_internal_error);
 return -1;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -2183,7 +2177,7 @@ int tls12_recv_certificate_request(TLS_CONNECT *conn)
 if(conn->verbose) tls_trace(" no CertificateRequest\n");
 return 0; // 表明对方没有发送预期的报文
 }
- if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (tls12_record_get_handshake_certificate_request(conn->record,
@@ -2223,7 +2217,7 @@ int tls_send_server_hello_done(TLS_CONNECT *conn)
 if (conn->recordlen == 0) {
 tls_record_set_handshake_server_hello_done(conn->record, &conn->recordlen);
- if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
@@ -2269,7 +2263,7 @@ int tls_recv_server_hello_done(TLS_CONNECT *conn)
 tls_send_alert(conn, TLS_alert_unexpected_message);
 return -1;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (tls_record_get_handshake_server_hello_done(conn->record) != 1) {
 error_print();
@@ -2313,7 +2307,7 @@ int tls_send_client_certificate(TLS_CONNECT *conn)
 tls_send_alert(conn, TLS_alert_internal_error);
 return -1;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -2366,7 +2360,7 @@ int tls_recv_client_certificate(TLS_CONNECT *conn)
 tls_send_alert(conn, TLS_alert_unexpected_message);
 return -1;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (tls_record_get_handshake_certificate(conn->record, conn->client_certs, &conn->client_certs_len) != 1) {
 error_print();
 tls_send_alert(conn, TLS_alert_unexpected_message);
@@ -2431,7 +2425,7 @@ int tls_send_client_key_exchange(TLS_CONNECT *conn)
 return -1;
 }
 if (conn->verbose)
- tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -2489,7 +2483,7 @@ int tls_recv_client_key_exchange(TLS_CONNECT *conn)
 return -1;
 }
 if (conn->verbose)
- tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -2567,7 +2561,7 @@ int tls_send_certificate_verify(TLS_CONNECT *conn)
 return -1;
 }
 if (conn->verbose)
- tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 error_print();
@@ -2622,7 +2616,7 @@ int tls_recv_certificate_verify(TLS_CONNECT *conn)
 error_print();
 return -1;
 }
- if (conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if (conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 // get signature from certificate_verify
 if (tls_record_get_handshake_certificate_verify(conn->record, &sig, &siglen) != 1) {
@@ -2675,7 +2669,7 @@ int tls_send_change_cipher_spec(TLS_CONNECT *conn)
 tls_send_alert(conn, TLS_alert_internal_error);
 return -1;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 }
 if ((ret = tls_send_record(conn)) != 1) {
 if (ret != TLS_ERROR_SEND_AGAIN) {
@@ -2708,7 +2702,7 @@ int tls_recv_change_cipher_spec(TLS_CONNECT *conn)
 return -1;
 }
 if (conn->verbose)
- tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (tls_record_get_change_cipher_spec(conn->record) != 1) {
 error_print();
@@ -2746,7 +2740,7 @@ int tls_send_client_finished(TLS_CONNECT *conn)
 return -1;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->plain_record, conn->plain_recordlen);
 if (digest_update(&conn->dgst_ctx, conn->plain_record + 5, conn->plain_recordlen - 5) != 1) {
 error_print();
@@ -2812,7 +2806,7 @@ int tls_recv_client_finished(TLS_CONNECT *conn)
 }
 return ret;
 }
- //tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
+ //tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen);
 if (conn->verbose >= 5) {
 format_bytes(stderr, 0, 0, "Finished", conn->record, conn->recordlen);
@@ -2844,7 +2838,7 @@ int tls_recv_client_finished(TLS_CONNECT *conn)
- if(conn->verbose) tls12_record_print(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->plain_record, conn->plain_recordlen);
 if (tls_record_get_handshake_finished(conn->plain_record, &verify_data, &verify_data_len) != 1) {
 error_print();
@@ -2911,7 +2905,7 @@ int tls_send_server_finished(TLS_CONNECT *conn)
 tls12_send_alert(conn, TLS_alert_internal_error);
 return -1;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->plain_record, conn->plain_recordlen);
 if (tls_record_encrypt(conn->cipher_suite, &conn->server_write_mac_ctx, &conn->server_write_key, conn->server_write_iv,
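Review bot: The commented-out call in `tls_recv_client_finished` is kept alive by rewriting it to the new `tls_record_print` signature instead of being deleted; dead code that is maintained through a refactor is the worst of both worlds, since the next signature change will "fix" it again without anyone knowing why it exists. The record it would print is still encrypted at that point (the `format_bytes` dump under `conn->verbose >= 5` right below handles it as raw bytes), and the decrypted Finished is already traced from `conn->plain_record` in the following hunk, so there is no trace to recover. Drop the `//tls_record_print(...)` line altogether. The enclosing function continues outside the hunk.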
@@ -2985,7 +2979,7 @@ int tls_recv_server_finished(TLS_CONNECT *conn)
 return -1;
 }
 if(conn->verbose)
- tls12_record_print(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->plain_record, conn->plain_recordlen);
 tls_seq_num_incr(conn->server_seq_num);
@@ -3067,7 +3061,7 @@ int tls12_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentl
 error_print();
 return -1;
 }
- if(conn->verbose) tls12_record_print(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->databuf, tls_record_length(conn->databuf));
 switch (conn->cipher_suite) {
 case TLS_cipher_ecdhe_sm4_cbc_sm3:
@@ -3118,7 +3112,7 @@ int tls12_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentl
 conn->record_offset = 0;
 conn->sentlen = inlen;
 conn->send_state = TLS_state_send_record;
- if(conn->verbose) tls12_record_print(stderr, conn->record, recordlen, 0, 0);
+ if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, recordlen);
 }
 ret = tls_send_record(conn);
@@ -3135,7 +3129,7 @@ int tls12_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentl
 return 1;
 }
-static int tls12_send_encrypted_alert(TLS_CONNECT *conn, int level, int alert)
+static int tls12_send_alert_ex(TLS_CONNECT *conn, int level, int alert)
 {
 const HMAC_CTX *hmac;
 const BLOCK_CIPHER_KEY *key;
@@ -3187,7 +3181,7 @@ static int tls12_send_encrypted_alert(TLS_CONNECT *conn, int level, int alert)
 return -1;
 }
 if (conn->verbose) {
- tls12_record_print(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+ tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->plain_record, conn->plain_recordlen);
 }
 if (tls_record_encrypt(conn->cipher_suite, hmac, key, iv, seq_num,
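Review bot: Renaming `tls12_send_encrypted_alert` to `tls12_send_alert_ex` drops the one word that distinguished it from `tls_send_alert` in src/tls.c: this path builds the alert in `conn->plain_record`, traces it, and then passes it through `tls_record_encrypt` with the current write keys, whereas the tls.c version writes out a bare `record` array. `_ex` says nothing about that, so a reader of `tls12_send_alert` or `tls12_send_warning` now has to open the body to learn which alerts leave the host protected. A header comment on the static function would preserve the lost information, e.g. `/* Build a level/alert record in plain_record and send it encrypted under the current write keys. */`. Separately, the `tls12_send` trace two hunks up prints `conn->databuf`, the application payload before encryption, to stderr whenever `conn->verbose` is set; that predates this change, but a comment noting that verbose output includes plaintext application data would save an operator from leaving it on outside a lab. The function body continues outside the hunk.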
@@ -3223,12 +3217,12 @@ static int tls12_send_encrypted_alert(TLS_CONNECT *conn, int level, int alert)
 int tls12_send_alert(TLS_CONNECT *conn, int alert)
 {
- return tls12_send_encrypted_alert(conn, TLS_alert_level_fatal, alert);
+ return tls12_send_alert_ex(conn, TLS_alert_level_fatal, alert);
 }
 int tls12_send_warning(TLS_CONNECT *conn, int alert)
 {
- return tls12_send_encrypted_alert(conn, TLS_alert_level_warning, alert);
+ return tls12_send_alert_ex(conn, TLS_alert_level_warning, alert);
 }