Unify TLS capabilities

CMakeLists.txt

@@ -768,7 +768,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1017")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1018")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)

include/gmssl/version.h

@@ -19,7 +19,7 @@ extern "C" {
 
 // Also update CPACK_PACKAGE_VERSION in CMakeLists.txt
 #define GMSSL_VERSION_NUM	30200
-#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1017"
+#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1018"
 
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);

src/tlcp.c

@@ -24,19 +24,31 @@
 #include <gmssl/tls.h>
 
 
+const int tlcp_supported_groups[] = {
+	TLS_curve_sm2p256v1,
+};
+const size_t tlcp_supported_groups_cnt =
+	sizeof(tlcp_supported_groups)/sizeof(tlcp_supported_groups[0]);
 
-static const int tlcp_ciphers[] = {
+const int tlcp_signature_algorithms[] = {
+	TLS_sig_sm2sig_sm3,
+};
+const size_t tlcp_signature_algorithms_cnt =
+	sizeof(tlcp_signature_algorithms)/sizeof(tlcp_signature_algorithms[0]);
+
+const int tlcp_cipher_suites[] = {
 	TLS_cipher_ecc_sm4_cbc_sm3,
 	TLS_cipher_ecc_sm4_gcm_sm3,
 };
-static const size_t tlcp_ciphers_count = sizeof(tlcp_ciphers)/sizeof(tlcp_ciphers[0]);
+const size_t tlcp_cipher_suites_cnt =
+	sizeof(tlcp_cipher_suites)/sizeof(tlcp_cipher_suites[0]);
 
 
 int tlcp_record_print(FILE *fp, int format, int indent, const uint8_t *record, size_t recordlen)
 {
 	// 目前只支持TLCP的ECC公钥加密套件，因此不论用CBC/GCM哪个套件解析都是一样的
 	// 如果未来支持ECDHE套件，可以将函数改为宏，直接传入 (conn->cipher_suite << 8)
-	format |= tlcp_ciphers[0] << 8;
+	format |= tlcp_cipher_suites[0] << 8;
 	return tls_record_print(fp, record, recordlen, format, indent);
 }
 

src/tls.c

@@ -27,6 +27,26 @@
 #include <gmssl/pem.h>
 #include <gmssl/tls.h>
 
+extern const int tlcp_supported_groups[];
+extern const size_t tlcp_supported_groups_cnt;
+extern const int tlcp_signature_algorithms[];
+extern const size_t tlcp_signature_algorithms_cnt;
+extern const int tlcp_cipher_suites[];
+extern const size_t tlcp_cipher_suites_cnt;
+
+extern const int tls12_supported_groups[];
+extern const size_t tls12_supported_groups_cnt;
+extern const int tls12_signature_algorithms[];
+extern const size_t tls12_signature_algorithms_cnt;
+extern const int tls12_cipher_suites[];
+extern const size_t tls12_cipher_suites_cnt;
+
+extern const int tls13_supported_groups[];
+extern const size_t tls13_supported_groups_cnt;
+extern const int tls13_signature_algorithms[];
+extern const size_t tls13_signature_algorithms_cnt;
+extern const int tls13_cipher_suites[];
+extern const size_t tls13_cipher_suites_cnt;
 
 void tls_uint8_to_bytes(uint8_t a, uint8_t **out, size_t *outlen)
 {
@@ -2530,6 +2550,8 @@ int tls_ctx_set_supported_versions(TLS_CTX *ctx, const int *versions, size_t ver
 
 int tls_ctx_set_cipher_suites(TLS_CTX *ctx, const int *cipher_suites, size_t cipher_suites_cnt)
 {
+	const int *supported_cipher_suites;
+	size_t supported_cipher_suites_cnt;
 	size_t i;
 
 	if (!ctx || !cipher_suites || !cipher_suites_cnt) {
@@ -2541,13 +2563,32 @@ int tls_ctx_set_cipher_suites(TLS_CTX *ctx, const int *cipher_suites, size_t cip
 		return -1;
 	}
 
+	switch (ctx->protocol) {
+	case TLS_protocol_tlcp:
+		supported_cipher_suites = tlcp_cipher_suites;
+		supported_cipher_suites_cnt = tlcp_cipher_suites_cnt;
+		break;
+	case TLS_protocol_tls12:
+		supported_cipher_suites = tls12_cipher_suites;
+		supported_cipher_suites_cnt = tls12_cipher_suites_cnt;
+		break;
+	case TLS_protocol_tls13:
+		supported_cipher_suites = tls13_cipher_suites;
+		supported_cipher_suites_cnt = tls13_cipher_suites_cnt;
+		break;
+	default:
+		error_print();
+		return -1;
+	}
+
 	for (i = 0; i < cipher_suites_cnt; i++) {
-		if (!tls_cipher_suite_name(cipher_suites[i])) {
+		if (!tls_type_is_in_list(cipher_suites[i], supported_cipher_suites, supported_cipher_suites_cnt)) {
 			error_print();
 			return -1;
 		}
-		ctx->cipher_suites[i] = cipher_suites[i];
 	}
+
+	memcpy(ctx->cipher_suites, cipher_suites, cipher_suites_cnt * sizeof(cipher_suites[0]));
 	ctx->cipher_suites_cnt = cipher_suites_cnt;
 
 	return 1;
@@ -2915,6 +2956,8 @@ int tls_ctx_set_tlcp_server_certificate_and_keys(TLS_CTX *ctx, const char *chain
 
 int tls_ctx_set_supported_groups(TLS_CTX *ctx, const int *groups, size_t groups_cnt)
 {
+	const int *supported_groups;
+	size_t supported_groups_cnt;
 	size_t i;
 
 	if (!ctx || !groups || !groups_cnt) {
@@ -2926,17 +2969,32 @@ int tls_ctx_set_supported_groups(TLS_CTX *ctx, const int *groups, size_t groups_
 		return -1;
 	}
 
+	switch (ctx->protocol) {
+	case TLS_protocol_tlcp:
+		supported_groups = tlcp_supported_groups;
+		supported_groups_cnt = tlcp_supported_groups_cnt;
+		break;
+	case TLS_protocol_tls12:
+		supported_groups = tls12_supported_groups;
+		supported_groups_cnt = tls12_supported_groups_cnt;
+		break;
+	case TLS_protocol_tls13:
+		supported_groups = tls13_supported_groups;
+		supported_groups_cnt = tls13_supported_groups_cnt;
+		break;
+	default:
+		error_print();
+		return -1;
+	}
+
 	for (i = 0; i < groups_cnt; i++) {
-		switch (groups[i]) {
-		case TLS_curve_sm2p256v1:
-		case TLS_curve_secp256r1:
-			break;
-		default:
+		if (!tls_type_is_in_list(groups[i], supported_groups, supported_groups_cnt)) {
 			error_print();
 			return -1;
 		}
-		ctx->supported_groups[i] = groups[i];
 	}
+
+	memcpy(ctx->supported_groups, groups, groups_cnt * sizeof(groups[0]));
 	ctx->supported_groups_cnt = groups_cnt;
 
 	return 1;
@@ -2946,6 +3004,8 @@ int tls_ctx_set_supported_groups(TLS_CTX *ctx, const int *groups, size_t groups_
 
 int tls_ctx_set_signature_algorithms(TLS_CTX *ctx, const int *sig_algs, size_t sig_algs_cnt)
 {
+	const int *supported_sig_algs;
+	size_t supported_sig_algs_cnt;
 	size_t i;
 
 	if (!ctx || !sig_algs || !sig_algs_cnt) {
@@ -2957,17 +3017,32 @@ int tls_ctx_set_signature_algorithms(TLS_CTX *ctx, const int *sig_algs, size_t s
 		return -1;
 	}
 
+	switch (ctx->protocol) {
+	case TLS_protocol_tlcp:
+		supported_sig_algs = tlcp_signature_algorithms;
+		supported_sig_algs_cnt = tlcp_signature_algorithms_cnt;
+		break;
+	case TLS_protocol_tls12:
+		supported_sig_algs = tls12_signature_algorithms;
+		supported_sig_algs_cnt = tls12_signature_algorithms_cnt;
+		break;
+	case TLS_protocol_tls13:
+		supported_sig_algs = tls13_signature_algorithms;
+		supported_sig_algs_cnt = tls13_signature_algorithms_cnt;
+		break;
+	default:
+		error_print();
+		return -1;
+	}
+
 	for (i = 0; i < sig_algs_cnt; i++) {
-		switch (sig_algs[i]) {
-		case TLS_sig_sm2sig_sm3:
-		case TLS_sig_ecdsa_secp256r1_sha256:
-			break;
-		default:
+		if (!tls_type_is_in_list(sig_algs[i], supported_sig_algs, supported_sig_algs_cnt)) {
 			error_print();
 			return -1;
 		}
-		ctx->signature_algorithms[i] = sig_algs[i];
 	}
+
+	memcpy(ctx->signature_algorithms, sig_algs, sig_algs_cnt * sizeof(sig_algs[0]));
 	ctx->signature_algorithms_cnt = sig_algs_cnt;
 
 	return 1;

src/tls12.c

@@ -26,19 +26,41 @@
 
 
 
-static const int tls12_ciphers[] = {
+const int tls12_supported_groups[] = {
+	TLS_curve_sm2p256v1,
+#ifdef ENABLE_SECP256R1
+	TLS_curve_secp256r1,
+#endif
+};
+const size_t tls12_supported_groups_cnt =
+	sizeof(tls12_supported_groups)/sizeof(tls12_supported_groups[0]);
+
+const int tls12_signature_algorithms[] = {
+	TLS_sig_sm2sig_sm3,
+#if defined(ENABLE_SECP256R1) && defined(ENABLE_SHA2)
+	TLS_sig_ecdsa_secp256r1_sha256,
+#endif
+};
+const size_t tls12_signature_algorithms_cnt =
+	sizeof(tls12_signature_algorithms)/sizeof(tls12_signature_algorithms[0]);
+
+const int tls12_cipher_suites[] = {
 	TLS_cipher_ecdhe_sm4_cbc_sm3,
 	TLS_cipher_ecdhe_sm4_gcm_sm3,
+#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1)
 	TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256,
 	TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256,
+#endif
 };
+const size_t tls12_cipher_suites_cnt =
+	sizeof(tls12_cipher_suites)/sizeof(tls12_cipher_suites[0]);
 
 
 int tls12_record_print(FILE *fp, const uint8_t *record,  size_t recordlen, int format, int indent)
 {
 	// 目前只支持TLCP的ECC公钥加密套件，因此不论用哪个套件解析都是一样的
 	// 如果未来支持ECDHE套件，可以将函数改为宏，直接传入 (conn->cipher_suite << 8)
-	format |= tls12_ciphers[0] << 8; // 应该是KeyExchange需要这个参数			
+	format |= tls12_cipher_suites[0] << 8; // 应该是KeyExchange需要这个参数			
 	return tls_record_print(fp, record, recordlen, format, indent);
 }
 
@@ -428,24 +450,6 @@ int tls_named_curve_from_oid(int oid)
 
 
 
-// 这个是必选的
-
-// 服务器通常推荐返回这个值
-const int supported_groups[] = {
-	TLS_curve_sm2p256v1,
-	TLS_curve_secp256r1,
-};
-size_t supported_groups_cnt = sizeof(supported_groups)/sizeof(supported_groups[0]);
-
-// 仍旧是不可设置的
-const int signature_algors[] = {
-	TLS_sig_sm2sig_sm3,
-	TLS_sig_ecdsa_secp256r1_sha256,
-};
-size_t signature_algors_cnt = sizeof(signature_algors)/sizeof(signature_algors[0]);
-
-
-
 int tls_record_set_handshake_server_key_exchange(uint8_t *record, size_t *recordlen,
 	const uint8_t *server_ecdh_params, size_t server_ecdh_params_len,
 	uint16_t sig_alg, const uint8_t *sig, size_t siglen)
@@ -951,11 +955,13 @@ static int tls12_cipher_suite_get(int cipher_suite, const BLOCK_CIPHER **cipher,
 		*cipher = BLOCK_CIPHER_sm4();
 		*digest = DIGEST_sm3();
 		break;
+#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1)
 	case TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256:
 	case TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256:
 		*cipher = BLOCK_CIPHER_aes128();
 		*digest = DIGEST_sha256();
 		break;
+#endif
 	default:
 		error_print();
 		return -1;
@@ -969,9 +975,11 @@ static int tls12_cipher_suite_match_cert_group(int cipher_suite, int cert_group)
 	case TLS_cipher_ecdhe_sm4_cbc_sm3:
 	case TLS_cipher_ecdhe_sm4_gcm_sm3:
 		return cert_group == TLS_curve_sm2p256v1;
+#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1)
 	case TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256:
 	case TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256:
 		return cert_group == TLS_curve_secp256r1;
+#endif
 	default:
 		return 0;
 	}
@@ -993,11 +1001,13 @@ static int tls12_signature_scheme_match_cipher_suite(int sig_alg, int cipher_sui
 		}
 		break;
 	case TLS_sig_ecdsa_secp256r1_sha256:
+#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1)
 		switch (cipher_suite) {
 		case TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256:
 		case TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256:
 			return 1;
 		}
+#endif
 		break;
 	}
 	return 0;
@@ -1009,9 +1019,11 @@ static int tls12_key_exchange_group_match_cipher_suite(int group, int cipher_sui
 	case TLS_cipher_ecdhe_sm4_cbc_sm3:
 	case TLS_cipher_ecdhe_sm4_gcm_sm3:
 		return group == TLS_curve_sm2p256v1;
+#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1)
 	case TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256:
 	case TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256:
 		return group == TLS_curve_secp256r1;
+#endif
 	default:
 		return 0;
 	}

src/tls13.c

@@ -28,6 +28,34 @@
 #include <gmssl/endian.h>
 
 
+const int tls13_supported_groups[] = {
+	TLS_curve_sm2p256v1,
+#ifdef ENABLE_SECP256R1
+	TLS_curve_secp256r1,
+#endif
+};
+const size_t tls13_supported_groups_cnt =
+	sizeof(tls13_supported_groups)/sizeof(tls13_supported_groups[0]);
+
+const int tls13_signature_algorithms[] = {
+	TLS_sig_sm2sig_sm3,
+#if defined(ENABLE_SECP256R1) && defined(ENABLE_SHA2)
+	TLS_sig_ecdsa_secp256r1_sha256,
+#endif
+};
+const size_t tls13_signature_algorithms_cnt =
+	sizeof(tls13_signature_algorithms)/sizeof(tls13_signature_algorithms[0]);
+
+const int tls13_cipher_suites[] = {
+	TLS_cipher_sm4_gcm_sm3,
+#if defined(ENABLE_AES) && defined(ENABLE_SHA2)
+	TLS_cipher_aes_128_gcm_sha256,
+#endif
+};
+const size_t tls13_cipher_suites_cnt =
+	sizeof(tls13_cipher_suites)/sizeof(tls13_cipher_suites[0]);
+
+
 
 
 int tls13_random_generate(uint8_t random[32])