From 2e0b145342adf959173f45c762ce513f4d328d11 Mon Sep 17 00:00:00 2001 From: Zhi Guan Date: Sat, 13 Jun 2026 08:04:20 +0800 Subject: [PATCH] Unify TLS capabilities --- CMakeLists.txt | 2 +- include/gmssl/version.h | 2 +- src/tlcp.c | 18 +++++-- src/tls.c | 103 ++++++++++++++++++++++++++++++++++------ src/tls12.c | 52 ++++++++++++-------- src/tls13.c | 28 +++++++++++ 6 files changed, 166 insertions(+), 39 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 35a480be..f5462bde 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -768,7 +768,7 @@ endif() # set(CPACK_PACKAGE_NAME "GmSSL") set(CPACK_PACKAGE_VENDOR "GmSSL develop team") -set(CPACK_PACKAGE_VERSION "3.2.0-dev.1017") +set(CPACK_PACKAGE_VERSION "3.2.0-dev.1018") set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md) set(CPACK_NSIS_MODIFY_PATH ON) include(CPack) diff --git a/include/gmssl/version.h b/include/gmssl/version.h index ef1d88b4..2726e7bb 100644 --- a/include/gmssl/version.h +++ b/include/gmssl/version.h @@ -19,7 +19,7 @@ extern "C" { // Also update CPACK_PACKAGE_VERSION in CMakeLists.txt #define GMSSL_VERSION_NUM 30200 -#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1017" +#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1018" int gmssl_version_num(void); const char *gmssl_version_str(void); diff --git a/src/tlcp.c b/src/tlcp.c index cc8348fe..102582b4 100644 --- a/src/tlcp.c +++ b/src/tlcp.c 
@@ -24,19 +24,31 @@ #include +const int tlcp_supported_groups[] = { + TLS_curve_sm2p256v1, +}; +const size_t tlcp_supported_groups_cnt = + sizeof(tlcp_supported_groups)/sizeof(tlcp_supported_groups[0]); -static const int tlcp_ciphers[] = { +const int tlcp_signature_algorithms[] = { + TLS_sig_sm2sig_sm3, +}; +const size_t tlcp_signature_algorithms_cnt = + sizeof(tlcp_signature_algorithms)/sizeof(tlcp_signature_algorithms[0]); + +const int tlcp_cipher_suites[] = { TLS_cipher_ecc_sm4_cbc_sm3, TLS_cipher_ecc_sm4_gcm_sm3, }; -static const size_t tlcp_ciphers_count = sizeof(tlcp_ciphers)/sizeof(tlcp_ciphers[0]); +const size_t tlcp_cipher_suites_cnt = + sizeof(tlcp_cipher_suites)/sizeof(tlcp_cipher_suites[0]); int tlcp_record_print(FILE *fp, int format, int indent, const uint8_t *record, size_t recordlen) { // 目前只支持TLCP的ECC公钥加密套件,因此不论用CBC/GCM哪个套件解析都是一样的 // 如果未来支持ECDHE套件,可以将函数改为宏,直接传入 (conn->cipher_suite << 8) - format |= tlcp_ciphers[0] << 8; + format |= tlcp_cipher_suites[0] << 8; return tls_record_print(fp, record, recordlen, format, indent); } diff --git a/src/tls.c b/src/tls.c index ca8758bc..e4c6b52a 100644 --- a/src/tls.c +++ b/src/tls.c 
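Review bot: `tlcp_supported_groups`, `tlcp_signature_algorithms`, `tlcp_cipher_suites` and their `_cnt` companions lose `static` and gain external linkage here, but no header declaring them is visible in this hunk. The only declarations this patch shows are the hand-written `extern` lines added at the top of src/tls.c. Since tlcp.c never sees those lines, the compiler cannot catch a type or name drift between definition and use; the same applies to the `tls12_*` and `tls13_*` tables added in src/tls12.c and src/tls13.c. Moving the eighteen `extern` declarations into one internal header that tls.c and the three defining files all include would close that gap. A comment above each table would also help, such as `// capability table: tls_ctx_set_*() in tls.c rejects any value not listed here`.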
@@ -27,6 +27,26 @@ #include #include +extern const int tlcp_supported_groups[]; +extern const size_t tlcp_supported_groups_cnt; +extern const int tlcp_signature_algorithms[]; +extern const size_t tlcp_signature_algorithms_cnt; +extern const int tlcp_cipher_suites[]; +extern const size_t tlcp_cipher_suites_cnt; + +extern const int tls12_supported_groups[]; +extern const size_t tls12_supported_groups_cnt; +extern const int tls12_signature_algorithms[]; +extern const size_t tls12_signature_algorithms_cnt; +extern const int tls12_cipher_suites[]; +extern const size_t tls12_cipher_suites_cnt; + +extern const int tls13_supported_groups[]; +extern const size_t tls13_supported_groups_cnt; +extern const int tls13_signature_algorithms[]; +extern const size_t tls13_signature_algorithms_cnt; +extern const int tls13_cipher_suites[]; +extern const size_t tls13_cipher_suites_cnt; void tls_uint8_to_bytes(uint8_t a, uint8_t **out, size_t *outlen) { @@ -2530,6 +2550,8 @@ int tls_ctx_set_supported_versions(TLS_CTX *ctx, const int *versions, size_t ver int tls_ctx_set_cipher_suites(TLS_CTX *ctx, const int *cipher_suites, size_t cipher_suites_cnt) { + const int *supported_cipher_suites; + size_t supported_cipher_suites_cnt; size_t i; if (!ctx || !cipher_suites || !cipher_suites_cnt) { 
@@ -2541,13 +2563,32 @@ int tls_ctx_set_cipher_suites(TLS_CTX *ctx, const int *cipher_suites, size_t cip return -1; } + switch (ctx->protocol) { + case TLS_protocol_tlcp: + supported_cipher_suites = tlcp_cipher_suites; + supported_cipher_suites_cnt = tlcp_cipher_suites_cnt; + break; + case TLS_protocol_tls12: + supported_cipher_suites = tls12_cipher_suites; + supported_cipher_suites_cnt = tls12_cipher_suites_cnt; + break; + case TLS_protocol_tls13: + supported_cipher_suites = tls13_cipher_suites; + supported_cipher_suites_cnt = tls13_cipher_suites_cnt; + break; + default: + error_print(); + return -1; + } + for (i = 0; i < cipher_suites_cnt; i++) { - if (!tls_cipher_suite_name(cipher_suites[i])) { + if (!tls_type_is_in_list(cipher_suites[i], supported_cipher_suites, supported_cipher_suites_cnt)) { error_print(); return -1; } - ctx->cipher_suites[i] = cipher_suites[i]; } + + memcpy(ctx->cipher_suites, cipher_suites, cipher_suites_cnt * sizeof(cipher_suites[0])); ctx->cipher_suites_cnt = cipher_suites_cnt; return 1; @@ -2915,6 +2956,8 @@ int tls_ctx_set_tlcp_server_certificate_and_keys(TLS_CTX *ctx, const char *chain int tls_ctx_set_supported_groups(TLS_CTX *ctx, const int *groups, size_t groups_cnt) { + const int *supported_groups; + size_t supported_groups_cnt; size_t i; if (!ctx || !groups || !groups_cnt) { 
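Review bot: The added `memcpy(ctx->cipher_suites, cipher_suites, cipher_suites_cnt * sizeof(cipher_suites[0]))` sizes the copy by the caller's element type (`int`), whereas the removed `ctx->cipher_suites[i] = cipher_suites[i];` converted element by element. The declaration of `ctx->cipher_suites` is not part of this patch, so if its element type is not exactly `int` the copy writes the wrong number of bytes. The check that bounds `cipher_suites_cnt` also sits outside the hunk and should be confirmed to compare against the destination array's capacity. Keeping the assignment in a second loop after validation avoids depending on either assumption: `for (i = 0; i < cipher_suites_cnt; i++) ctx->cipher_suites[i] = cipher_suites[i];`. The same `memcpy` pattern is added for `ctx->supported_groups` and `ctx->signature_algorithms` in the next two setters.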
@@ -2926,17 +2969,32 @@ int tls_ctx_set_supported_groups(TLS_CTX *ctx, const int *groups, size_t groups_ return -1; } + switch (ctx->protocol) { + case TLS_protocol_tlcp: + supported_groups = tlcp_supported_groups; + supported_groups_cnt = tlcp_supported_groups_cnt; + break; + case TLS_protocol_tls12: + supported_groups = tls12_supported_groups; + supported_groups_cnt = tls12_supported_groups_cnt; + break; + case TLS_protocol_tls13: + supported_groups = tls13_supported_groups; + supported_groups_cnt = tls13_supported_groups_cnt; + break; + default: + error_print(); + return -1; + } + for (i = 0; i < groups_cnt; i++) { - switch (groups[i]) { - case TLS_curve_sm2p256v1: - case TLS_curve_secp256r1: - break; - default: + if (!tls_type_is_in_list(groups[i], supported_groups, supported_groups_cnt)) { error_print(); return -1; } - ctx->supported_groups[i] = groups[i]; } + + memcpy(ctx->supported_groups, groups, groups_cnt * sizeof(groups[0])); ctx->supported_groups_cnt = groups_cnt; return 1; @@ -2946,6 +3004,8 @@ int tls_ctx_set_supported_groups(TLS_CTX *ctx, const int *groups, size_t groups_ int tls_ctx_set_signature_algorithms(TLS_CTX *ctx, const int *sig_algs, size_t sig_algs_cnt) { + const int *supported_sig_algs; + size_t supported_sig_algs_cnt; size_t i; if (!ctx || !sig_algs || !sig_algs_cnt) { 
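Review bot: The `switch (ctx->protocol)` that selects the per-protocol table is written out three times, here and in `tls_ctx_set_cipher_suites` and `tls_ctx_set_signature_algorithms`, so adding a protocol means editing three switches that must stay in step. One static lookup helper would keep the protocol-to-table mapping in a single place; the sketch below assumes `ctx->protocol` is an `int` like the other TLS type codes, which this patch does not show. Each setter then calls the helper once and validates against the member it needs. The setter's argument checks and its closing lines lie outside the hunk.

```c
/* Capability tables selectable for one protocol version. */
struct tls_capabilities {
	const int *cipher_suites;
	size_t cipher_suites_cnt;
	const int *supported_groups;
	size_t supported_groups_cnt;
	const int *signature_algorithms;
	size_t signature_algorithms_cnt;
};

/* Fill caps for the given protocol; returns 1 on success, -1 if the protocol is unknown. */
static int tls_protocol_capabilities(int protocol, struct tls_capabilities *caps)
{
	switch (protocol) {
	case TLS_protocol_tlcp:
		caps->cipher_suites = tlcp_cipher_suites;
		caps->cipher_suites_cnt = tlcp_cipher_suites_cnt;
		caps->supported_groups = tlcp_supported_groups;
		caps->supported_groups_cnt = tlcp_supported_groups_cnt;
		caps->signature_algorithms = tlcp_signature_algorithms;
		caps->signature_algorithms_cnt = tlcp_signature_algorithms_cnt;
		break;
	case TLS_protocol_tls12:
		caps->cipher_suites = tls12_cipher_suites;
		caps->cipher_suites_cnt = tls12_cipher_suites_cnt;
		caps->supported_groups = tls12_supported_groups;
		caps->supported_groups_cnt = tls12_supported_groups_cnt;
		caps->signature_algorithms = tls12_signature_algorithms;
		caps->signature_algorithms_cnt = tls12_signature_algorithms_cnt;
		break;
	case TLS_protocol_tls13:
		caps->cipher_suites = tls13_cipher_suites;
		caps->cipher_suites_cnt = tls13_cipher_suites_cnt;
		caps->supported_groups = tls13_supported_groups;
		caps->supported_groups_cnt = tls13_supported_groups_cnt;
		caps->signature_algorithms = tls13_signature_algorithms;
		caps->signature_algorithms_cnt = tls13_signature_algorithms_cnt;
		break;
	default:
		return -1;
	}
	return 1;
}

int tls_ctx_set_supported_groups(TLS_CTX *ctx, const int *groups, size_t groups_cnt)
{
	struct tls_capabilities caps;
	size_t i;

	/* … unchanged: argument and count checks … */

	if (tls_protocol_capabilities(ctx->protocol, &caps) != 1) {
		error_print();
		return -1;
	}
	for (i = 0; i < groups_cnt; i++) {
		if (!tls_type_is_in_list(groups[i], caps.supported_groups, caps.supported_groups_cnt)) {
			error_print();
			return -1;
		}
	}
	/* … unchanged: copy into ctx->supported_groups and set the count … */
```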
@@ -2957,17 +3017,32 @@ int tls_ctx_set_signature_algorithms(TLS_CTX *ctx, const int *sig_algs, size_t s return -1; } + switch (ctx->protocol) { + case TLS_protocol_tlcp: + supported_sig_algs = tlcp_signature_algorithms; + supported_sig_algs_cnt = tlcp_signature_algorithms_cnt; + break; + case TLS_protocol_tls12: + supported_sig_algs = tls12_signature_algorithms; + supported_sig_algs_cnt = tls12_signature_algorithms_cnt; + break; + case TLS_protocol_tls13: + supported_sig_algs = tls13_signature_algorithms; + supported_sig_algs_cnt = tls13_signature_algorithms_cnt; + break; + default: + error_print(); + return -1; + } + for (i = 0; i < sig_algs_cnt; i++) { - switch (sig_algs[i]) { - case TLS_sig_sm2sig_sm3: - case TLS_sig_ecdsa_secp256r1_sha256: - break; - default: + if (!tls_type_is_in_list(sig_algs[i], supported_sig_algs, supported_sig_algs_cnt)) { error_print(); return -1; } - ctx->signature_algorithms[i] = sig_algs[i]; } + + memcpy(ctx->signature_algorithms, sig_algs, sig_algs_cnt * sizeof(sig_algs[0])); ctx->signature_algorithms_cnt = sig_algs_cnt; return 1; diff --git a/src/tls12.c b/src/tls12.c index 99fb8c47..e1256b15 100644 --- a/src/tls12.c +++ b/src/tls12.c 
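Review bot: Validation in `tls_ctx_set_signature_algorithms` now depends on the value of `ctx->protocol` at the time of the call. An unset or unknown protocol reaches `default:` and fails with the same bare `error_print(); return -1;` as an unsupported algorithm, so a caller cannot tell the two apart. Nothing visible in this patch re-checks the stored list if the protocol is assigned or changed afterwards, so a list accepted under one protocol could presumably remain in the context under another. A contract comment on this setter, and on `tls_ctx_set_cipher_suites` and `tls_ctx_set_supported_groups`, would make the ordering explicit, for example `// ctx->protocol must be set before calling; the list is checked against that protocol's table only at this point`. The function's opening checks and closing lines lie outside the hunk.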
@@ -26,19 +26,41 @@ -static const int tls12_ciphers[] = { +const int tls12_supported_groups[] = { + TLS_curve_sm2p256v1, +#ifdef ENABLE_SECP256R1 + TLS_curve_secp256r1, +#endif +}; +const size_t tls12_supported_groups_cnt = + sizeof(tls12_supported_groups)/sizeof(tls12_supported_groups[0]); + +const int tls12_signature_algorithms[] = { + TLS_sig_sm2sig_sm3, +#if defined(ENABLE_SECP256R1) && defined(ENABLE_SHA2) + TLS_sig_ecdsa_secp256r1_sha256, +#endif +}; +const size_t tls12_signature_algorithms_cnt = + sizeof(tls12_signature_algorithms)/sizeof(tls12_signature_algorithms[0]); + +const int tls12_cipher_suites[] = { TLS_cipher_ecdhe_sm4_cbc_sm3, TLS_cipher_ecdhe_sm4_gcm_sm3, +#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1) TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256, TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256, +#endif }; +const size_t tls12_cipher_suites_cnt = + sizeof(tls12_cipher_suites)/sizeof(tls12_cipher_suites[0]); int tls12_record_print(FILE *fp, const uint8_t *record, size_t recordlen, int format, int indent) { // 目前只支持TLCP的ECC公钥加密套件,因此不论用哪个套件解析都是一样的 // 如果未来支持ECDHE套件,可以将函数改为宏,直接传入 (conn->cipher_suite << 8) - format |= tls12_ciphers[0] << 8; // 应该是KeyExchange需要这个参数 + format |= tls12_cipher_suites[0] << 8; // 应该是KeyExchange需要这个参数 return tls_record_print(fp, record, recordlen, format, indent); } 
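Review bot: The three TLS 1.2 tables are gated on different build options. `tls12_supported_groups` lists `TLS_curve_secp256r1` under `ENABLE_SECP256R1` alone and `tls12_signature_algorithms` lists `TLS_sig_ecdsa_secp256r1_sha256` under `ENABLE_SECP256R1 && ENABLE_SHA2`, but every suite in `tls12_cipher_suites` that pairs with them also requires `ENABLE_AES`. In a build with SECP256R1 and SHA2 but without AES, the setters in tls.c would therefore accept a group and a signature algorithm that the matching functions guarded later in this file's diff (`tls12_signature_scheme_match_cipher_suite`, `tls12_key_exchange_group_match_cipher_suite`) can never pair with a suite. If that is intentional, for instance so that certificate chains signed with ECDSA can still be verified, a comment above the tables should say so; otherwise the three tables should share one condition.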
@@ -428,24 +450,6 @@ int tls_named_curve_from_oid(int oid) -// 这个是必选的 - -// 服务器通常推荐返回这个值 -const int supported_groups[] = { - TLS_curve_sm2p256v1, - TLS_curve_secp256r1, -}; -size_t supported_groups_cnt = sizeof(supported_groups)/sizeof(supported_groups[0]); - -// 仍旧是不可设置的 -const int signature_algors[] = { - TLS_sig_sm2sig_sm3, - TLS_sig_ecdsa_secp256r1_sha256, -}; -size_t signature_algors_cnt = sizeof(signature_algors)/sizeof(signature_algors[0]); - - - int tls_record_set_handshake_server_key_exchange(uint8_t *record, size_t *recordlen, const uint8_t *server_ecdh_params, size_t server_ecdh_params_len, uint16_t sig_alg, const uint8_t *sig, size_t siglen) @@ -951,11 +955,13 @@ static int tls12_cipher_suite_get(int cipher_suite, const BLOCK_CIPHER **cipher, *cipher = BLOCK_CIPHER_sm4(); *digest = DIGEST_sm3(); break; +#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1) case TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256: case TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256: *cipher = BLOCK_CIPHER_aes128(); *digest = DIGEST_sha256(); break; +#endif default: error_print(); return -1; @@ -969,9 +975,11 @@ static int tls12_cipher_suite_match_cert_group(int cipher_suite, int cert_group) case TLS_cipher_ecdhe_sm4_cbc_sm3: case TLS_cipher_ecdhe_sm4_gcm_sm3: return cert_group == TLS_curve_sm2p256v1; +#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1) case TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256: case TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256: return cert_group == TLS_curve_secp256r1; +#endif default: return 0; } @@ -993,11 +1001,13 @@ static int tls12_signature_scheme_match_cipher_suite(int sig_alg, int cipher_sui } break; case TLS_sig_ecdsa_secp256r1_sha256: +#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1) switch (cipher_suite) { case TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256: case TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256: return 1; } +#endif break; } return 0; 
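Review bot: The condition `defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1)` is now spelled out five times in src/tls12.c: in the `tls12_cipher_suites` table and in `tls12_cipher_suite_get`, `tls12_cipher_suite_match_cert_group`, `tls12_signature_scheme_match_cipher_suite` and `tls12_key_exchange_group_match_cipher_suite` (the last in the following hunk). If one copy drifts, a suite could pass the setter's table check yet fall into `default:` in `tls12_cipher_suite_get`, or the reverse. Deriving one file-local macro near the top of the file and testing only that at each site would prevent this; the name here is only a suggestion: `#define TLS12_HAVE_ECDSA_AES128 1` inside a single `#if` with the three-macro condition, then `#ifdef TLS12_HAVE_ECDSA_AES128` at each use. All four functions begin and end outside their hunks.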
@@ -1009,9 +1019,11 @@ static int tls12_key_exchange_group_match_cipher_suite(int group, int cipher_sui case TLS_cipher_ecdhe_sm4_cbc_sm3: case TLS_cipher_ecdhe_sm4_gcm_sm3: return group == TLS_curve_sm2p256v1; +#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1) case TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256: case TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256: return group == TLS_curve_secp256r1; +#endif default: return 0; } diff --git a/src/tls13.c b/src/tls13.c index ab692c82..a160c9c3 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -28,6 +28,34 @@ #include +const int tls13_supported_groups[] = { + TLS_curve_sm2p256v1, +#ifdef ENABLE_SECP256R1 + TLS_curve_secp256r1, +#endif +}; +const size_t tls13_supported_groups_cnt = + sizeof(tls13_supported_groups)/sizeof(tls13_supported_groups[0]); + +const int tls13_signature_algorithms[] = { + TLS_sig_sm2sig_sm3, +#if defined(ENABLE_SECP256R1) && defined(ENABLE_SHA2) + TLS_sig_ecdsa_secp256r1_sha256, +#endif +}; +const size_t tls13_signature_algorithms_cnt = + sizeof(tls13_signature_algorithms)/sizeof(tls13_signature_algorithms[0]); + +const int tls13_cipher_suites[] = { + TLS_cipher_sm4_gcm_sm3, +#if defined(ENABLE_AES) && defined(ENABLE_SHA2) + TLS_cipher_aes_128_gcm_sha256, +#endif +}; +const size_t tls13_cipher_suites_cnt = + sizeof(tls13_cipher_suites)/sizeof(tls13_cipher_suites[0]); + + int tls13_random_generate(uint8_t random[32])