mirror of
https://github.com/guanzhi/GmSSL.git
synced 2026-06-30 01:33:39 +08:00
Update TLS 1.2
This commit is contained in:
Zhi Guan
62
src/tlcp.c
62
src/tlcp.c
@@ -68,7 +68,7 @@
|
||||
#include <gmssl/tls.h>
|
||||
|
||||
|
||||
static const int tlcp_ciphers[] = { TLCP_cipher_ecc_sm4_cbc_sm3 };
|
||||
static const int tlcp_ciphers[] = { TLS_cipher_ecc_sm4_cbc_sm3 };
|
||||
static const size_t tlcp_ciphers_count = sizeof(tlcp_ciphers)/sizeof(tlcp_ciphers[0]);
|
||||
|
||||
int tlcp_record_print(FILE *fp, const uint8_t *record, size_t recordlen, int format, int indent)
|
||||
@@ -94,7 +94,7 @@ int tlcp_record_set_handshake_server_key_exchange_pke(uint8_t *record, size_t *r
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (tls_record_version(record) != TLS_version_tlcp) {
|
||||
if (tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -125,7 +125,7 @@ int tlcp_record_get_handshake_server_key_exchange_pke(const uint8_t *record,
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (tls_record_version(record) != TLS_version_tlcp) {
|
||||
if (tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -168,7 +168,7 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
|
||||
uint8_t client_random[32];
|
||||
uint8_t server_random[32];
|
||||
int version;
|
||||
int protocol;
|
||||
int cipher_suite;
|
||||
const uint8_t *random;
|
||||
const uint8_t *session_id;
|
||||
@@ -206,8 +206,8 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
|
||||
|
||||
// 初始化记录缓冲
|
||||
tls_record_set_version(record, TLS_version_tlcp);
|
||||
tls_record_set_version(finished_record, TLS_version_tlcp);
|
||||
tls_record_set_protocol(record, TLS_protocol_tlcp);
|
||||
tls_record_set_protocol(finished_record, TLS_protocol_tlcp);
|
||||
|
||||
// 准备Finished Context(和ClientVerify)
|
||||
sm3_init(&sm3_ctx);
|
||||
@@ -218,7 +218,7 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
// send ClientHello
|
||||
tls_random_generate(client_random);
|
||||
if (tls_record_set_handshake_client_hello(record, &recordlen,
|
||||
TLS_version_tlcp, client_random, NULL, 0,
|
||||
TLS_protocol_tlcp, client_random, NULL, 0,
|
||||
tlcp_ciphers, tlcp_ciphers_count, NULL, 0) != 1) {
|
||||
error_print();
|
||||
goto end;
|
||||
@@ -241,19 +241,19 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
goto end;
|
||||
}
|
||||
tlcp_record_trace(stderr, record, recordlen, 0, 0);
|
||||
if (tls_record_version(record) != TLS_version_tlcp) {
|
||||
if (tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_protocol_version);
|
||||
goto end;
|
||||
}
|
||||
if (tls_record_get_handshake_server_hello(record,
|
||||
&version, &random, &session_id, &session_id_len, &cipher_suite,
|
||||
&protocol, &random, &session_id, &session_id_len, &cipher_suite,
|
||||
&exts, &exts_len) != 1) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
}
|
||||
if (version != TLS_version_tlcp) {
|
||||
if (protocol != TLS_protocol_tlcp) {
|
||||
tls_send_alert(conn, TLS_alert_protocol_version);
|
||||
error_print();
|
||||
goto end;
|
||||
@@ -278,7 +278,7 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
// recv ServerCertificate
|
||||
tls_trace("recv ServerCertificate\n");
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_version(record) != TLS_version_tlcp) {
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
@@ -306,15 +306,15 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
// recv ServerKeyExchange
|
||||
tls_trace("recv ServerKeyExchange\n");
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_version(record) != TLS_version_tlcp) {
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
}
|
||||
tlcp_record_trace(stderr, record, recordlen, 0, 0);
|
||||
if (tlcp_record_get_handshake_server_key_exchange_pke(record, &sig, &siglen) != 1) {
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
}
|
||||
sm3_update(&sm3_ctx, record + 5, recordlen - 5);
|
||||
@@ -349,7 +349,7 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
|
||||
// recv CertificateRequest or ServerHelloDone
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_version(record) != TLS_version_tlcp
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp
|
||||
|| tls_record_get_handshake(record, &handshake_type, &cp, &len) != 1) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
@@ -386,7 +386,7 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
|
||||
// recv ServerHelloDone
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_version(record) != TLS_version_tlcp) {
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
@@ -427,7 +427,7 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
|
||||
// generate MASTER_SECRET
|
||||
tls_trace("generate secrets\n");
|
||||
if (tls_pre_master_secret_generate(pre_master_secret, TLS_version_tlcp) != 1
|
||||
if (tls_pre_master_secret_generate(pre_master_secret, TLS_protocol_tlcp) != 1
|
||||
|| tls_prf(pre_master_secret, 48, "master secret",
|
||||
client_random, 32, server_random, 32,
|
||||
48, conn->master_secret) != 1
|
||||
@@ -532,7 +532,7 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
// [ChangeCipherSpec]
|
||||
tls_trace("recv [ChangeCipherSpec]\n");
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_version(record) != TLS_version_tlcp) {
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
@@ -547,7 +547,7 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
// Finished
|
||||
tls_trace("recv Finished\n");
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_version(record) != TLS_version_tlcp) {
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
@@ -592,7 +592,7 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
tls_trace("Connection established!\n");
|
||||
|
||||
|
||||
conn->version = TLS_version_tlcp;
|
||||
conn->protocol = TLS_protocol_tlcp;
|
||||
conn->cipher_suite = cipher_suite;
|
||||
|
||||
ret = 1;
|
||||
@@ -612,12 +612,12 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
uint8_t *record = conn->record;
|
||||
uint8_t finished_record[TLS_FINISHED_RECORD_BUF_SIZE]; // 解密可能导致前面的record被覆盖
|
||||
size_t recordlen, finished_record_len;
|
||||
const int server_ciphers[] = { TLCP_cipher_ecc_sm4_cbc_sm3 }; // 未来应该支持GCM/CBC两个套件
|
||||
const int server_ciphers[] = { TLS_cipher_ecc_sm4_cbc_sm3 }; // 未来应该支持GCM/CBC两个套件
|
||||
|
||||
// ClientHello, ServerHello
|
||||
uint8_t client_random[32];
|
||||
uint8_t server_random[32];
|
||||
int version;
|
||||
int protocol;
|
||||
const uint8_t *random;
|
||||
const uint8_t *session_id; // TLCP服务器忽略客户端SessionID,也不主动设置SessionID
|
||||
size_t session_id_len;
|
||||
@@ -678,20 +678,20 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
goto end;
|
||||
}
|
||||
tlcp_record_trace(stderr, record, recordlen, 0, 0);
|
||||
if (tls_record_version(record) != TLS_version_tlcp) {
|
||||
if (tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_protocol_version);
|
||||
goto end;
|
||||
}
|
||||
if (tls_record_get_handshake_client_hello(record,
|
||||
&version, &random, &session_id, &session_id_len,
|
||||
&protocol, &random, &session_id, &session_id_len,
|
||||
&client_ciphers, &client_ciphers_len,
|
||||
&exts, &exts_len) != 1) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
}
|
||||
if (version != TLS_version_tlcp) {
|
||||
if (protocol != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_protocol_version);
|
||||
goto end;
|
||||
@@ -719,7 +719,7 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
tls_trace("send ServerHello\n");
|
||||
tls_random_generate(server_random);
|
||||
if (tls_record_set_handshake_server_hello(record, &recordlen,
|
||||
TLS_version_tlcp, server_random, NULL, 0,
|
||||
TLS_protocol_tlcp, server_random, NULL, 0,
|
||||
conn->cipher_suite, NULL, 0) != 1) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_internal_error);
|
||||
@@ -827,7 +827,7 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
if (conn->ca_certs_len) {
|
||||
tls_trace("recv ClientCertificate\n");
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_version(record) != TLS_version_tlcp) {
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
@@ -851,7 +851,7 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
// ClientKeyExchange
|
||||
tls_trace("recv ClientKeyExchange\n");
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_version(record) != TLS_version_tlcp) {
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
@@ -881,7 +881,7 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
if (client_verify) {
|
||||
tls_trace("recv CertificateVerify\n");
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_version(record) != TLS_version_tlcp) {
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
error_print();
|
||||
goto end;
|
||||
@@ -932,7 +932,7 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
// recv [ChangeCipherSpec]
|
||||
tls_trace("recv [ChangeCipherSpec]\n");
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_version(record) != TLS_version_tlcp) {
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
@@ -947,7 +947,7 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
// recv ClientFinished
|
||||
tls_trace("recv Finished\n");
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_version(record) != TLS_version_tlcp) {
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
goto end;
|
||||
@@ -1035,7 +1035,7 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
goto end;
|
||||
}
|
||||
|
||||
conn->version = TLS_version_tlcp;
|
||||
conn->protocol = TLS_protocol_tlcp;
|
||||
|
||||
tls_trace("Connection Established!\n\n");
|
||||
ret = 1;
|
||||
|
||||
95
src/tls.c
95
src/tls.c
@@ -268,14 +268,14 @@ int tls_record_set_type(uint8_t *record, int type)
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls_record_set_version(uint8_t *record, int version)
|
||||
int tls_record_set_protocol(uint8_t *record, int protocol)
|
||||
{
|
||||
if (!tls_version_text(version)) {
|
||||
if (!tls_protocol_name(protocol)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
record[1] = version >> 8;
|
||||
record[2] = version;
|
||||
record[1] = protocol >> 8;
|
||||
record[2] = protocol;
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -528,14 +528,14 @@ int tls_prf(const uint8_t *secret, size_t secretlen, const char *label,
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls_pre_master_secret_generate(uint8_t pre_master_secret[48], int version)
|
||||
int tls_pre_master_secret_generate(uint8_t pre_master_secret[48], int protocol)
|
||||
{
|
||||
if (!tls_version_text(version)) {
|
||||
if (!tls_protocol_name(protocol)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
pre_master_secret[0] = version >> 8;
|
||||
pre_master_secret[1] = version;
|
||||
pre_master_secret[0] = protocol >> 8;
|
||||
pre_master_secret[1] = protocol;
|
||||
if (rand_bytes(pre_master_secret + 2, 46) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
@@ -566,6 +566,7 @@ int tls_cert_type_from_oid(int oid)
|
||||
return 0;
|
||||
}
|
||||
|
||||
// 这两个函数没有对应的TLCP版本
|
||||
int tls_sign_server_ecdh_params(const SM2_KEY *server_sign_key,
|
||||
const uint8_t client_random[32], const uint8_t server_random[32],
|
||||
int curve, const SM2_POINT *point, uint8_t *sig, size_t *siglen)
|
||||
@@ -637,7 +638,7 @@ int tls_record_set_handshake(uint8_t *record, size_t *recordlen,
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!tls_version_text(tls_record_version(record))) {
|
||||
if (!tls_protocol_name(tls_record_protocol(record))) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -671,7 +672,7 @@ int tls_record_get_handshake(const uint8_t *record,
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (!tls_version_text(tls_record_version(record))) {
|
||||
if (!tls_protocol_name(tls_record_protocol(record))) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -718,7 +719,7 @@ int tls_record_get_handshake(const uint8_t *record,
|
||||
}
|
||||
|
||||
int tls_record_set_handshake_client_hello(uint8_t *record, size_t *recordlen,
|
||||
int version, const uint8_t random[32],
|
||||
int protocol, const uint8_t random[32],
|
||||
const uint8_t *session_id, size_t session_id_len,
|
||||
const int *cipher_suites, size_t cipher_suites_count,
|
||||
const uint8_t *exts, size_t exts_len)
|
||||
@@ -752,11 +753,11 @@ int tls_record_set_handshake_client_hello(uint8_t *record, size_t *recordlen,
|
||||
p = tls_handshake_data(tls_record_data(record));
|
||||
len = 0;
|
||||
|
||||
if (!tls_version_text(version)) {
|
||||
if (!tls_protocol_name(protocol)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
tls_uint16_to_bytes((uint16_t)version, &p, &len);
|
||||
tls_uint16_to_bytes((uint16_t)protocol, &p, &len);
|
||||
tls_array_to_bytes(random, 32, &p, &len);
|
||||
tls_uint8array_to_bytes(session_id, session_id_len, &p, &len);
|
||||
tls_uint16_to_bytes(cipher_suites_count * 2, &p, &len);
|
||||
@@ -772,7 +773,7 @@ int tls_record_set_handshake_client_hello(uint8_t *record, size_t *recordlen,
|
||||
tls_uint8_to_bytes((uint8_t)TLS_compression_null, &p, &len);
|
||||
if (exts) {
|
||||
size_t tmp_len = len;
|
||||
if (version < TLS_version_tls12) {
|
||||
if (protocol < TLS_protocol_tls12) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -791,7 +792,7 @@ int tls_record_set_handshake_client_hello(uint8_t *record, size_t *recordlen,
|
||||
}
|
||||
|
||||
int tls_record_get_handshake_client_hello(const uint8_t *record,
|
||||
int *version, const uint8_t **random,
|
||||
int *protocol, const uint8_t **random,
|
||||
const uint8_t **session_id, size_t *session_id_len,
|
||||
const uint8_t **cipher_suites, size_t *cipher_suites_len,
|
||||
const uint8_t **exts, size_t *exts_len)
|
||||
@@ -803,7 +804,7 @@ int tls_record_get_handshake_client_hello(const uint8_t *record,
|
||||
const uint8_t *comp_meths;
|
||||
size_t comp_meths_len;
|
||||
|
||||
if (!record || !version || !random
|
||||
if (!record || !protocol || !random
|
||||
|| !session_id || !session_id_len
|
||||
|| !cipher_suites || !cipher_suites_len
|
||||
|| !exts || !exts_len) {
|
||||
@@ -827,11 +828,11 @@ int tls_record_get_handshake_client_hello(const uint8_t *record,
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!tls_version_text(ver)) {
|
||||
if (!tls_protocol_name(ver)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
*version = ver;
|
||||
*protocol = ver;
|
||||
|
||||
if (*session_id) {
|
||||
if (*session_id_len == 0
|
||||
@@ -872,7 +873,7 @@ int tls_record_get_handshake_client_hello(const uint8_t *record,
|
||||
}
|
||||
|
||||
int tls_record_set_handshake_server_hello(uint8_t *record, size_t *recordlen,
|
||||
int version, const uint8_t random[32],
|
||||
int protocol, const uint8_t random[32],
|
||||
const uint8_t *session_id, size_t session_id_len, int cipher_suite,
|
||||
const uint8_t *exts, size_t exts_len)
|
||||
{
|
||||
@@ -892,7 +893,7 @@ int tls_record_set_handshake_server_hello(uint8_t *record, size_t *recordlen,
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
if (!tls_version_text(version)) {
|
||||
if (!tls_protocol_name(protocol)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -904,13 +905,13 @@ int tls_record_set_handshake_server_hello(uint8_t *record, size_t *recordlen,
|
||||
p = tls_handshake_data(tls_record_data(record));
|
||||
len = 0;
|
||||
|
||||
tls_uint16_to_bytes((uint16_t)version, &p, &len);
|
||||
tls_uint16_to_bytes((uint16_t)protocol, &p, &len);
|
||||
tls_array_to_bytes(random, 32, &p, &len);
|
||||
tls_uint8array_to_bytes(session_id, session_id_len, &p, &len);
|
||||
tls_uint16_to_bytes((uint16_t)cipher_suite, &p, &len);
|
||||
tls_uint8_to_bytes((uint8_t)TLS_compression_null, &p, &len);
|
||||
if (exts) {
|
||||
if (version < TLS_version_tls12) {
|
||||
if (protocol < TLS_protocol_tls12) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -924,7 +925,7 @@ int tls_record_set_handshake_server_hello(uint8_t *record, size_t *recordlen,
|
||||
}
|
||||
|
||||
int tls_record_get_handshake_server_hello(const uint8_t *record,
|
||||
int *version, const uint8_t **random, const uint8_t **session_id, size_t *session_id_len,
|
||||
int *protocol, const uint8_t **random, const uint8_t **session_id, size_t *session_id_len,
|
||||
int *cipher_suite, const uint8_t **exts, size_t *exts_len)
|
||||
{
|
||||
int type;
|
||||
@@ -934,7 +935,7 @@ int tls_record_get_handshake_server_hello(const uint8_t *record,
|
||||
uint16_t cipher;
|
||||
uint8_t comp_meth;
|
||||
|
||||
if (!record || !version || !random || !session_id || !session_id_len
|
||||
if (!record || !protocol || !random || !session_id || !session_id_len
|
||||
|| !cipher_suite || !exts || !exts_len) {
|
||||
error_print();
|
||||
return -1;
|
||||
@@ -956,15 +957,15 @@ int tls_record_get_handshake_server_hello(const uint8_t *record,
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!tls_version_text(ver)) {
|
||||
if (!tls_protocol_name(ver)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (ver < tls_record_version(record)) {
|
||||
if (ver < tls_record_protocol(record)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
*version = ver;
|
||||
*protocol = ver;
|
||||
|
||||
if (*session_id) {
|
||||
if (*session_id == 0
|
||||
@@ -1522,7 +1523,7 @@ int tls_record_do_recv(uint8_t *record, size_t *recordlen, int sock)
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (!tls_version_text(tls_record_version(record))) {
|
||||
if (!tls_protocol_name(tls_record_protocol(record))) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -1571,7 +1572,7 @@ retry:
|
||||
uint8_t alert_record[TLS_ALERT_RECORD_SIZE];
|
||||
size_t alert_record_len;
|
||||
tls_record_set_type(alert_record, TLS_record_alert);
|
||||
tls_record_set_version(alert_record, tls_record_version(record));
|
||||
tls_record_set_protocol(alert_record, tls_record_protocol(record));
|
||||
tls_record_set_alert(alert_record, &alert_record_len, TLS_alert_level_fatal, TLS_alert_close_notify);
|
||||
|
||||
tls_trace("send Alert close_notifiy\n");
|
||||
@@ -1619,7 +1620,7 @@ int tls_send_alert(TLS_CONNECT *conn, int alert)
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
tls_record_set_version(record, conn->version);
|
||||
tls_record_set_protocol(record, conn->protocol);
|
||||
tls_record_set_alert(record, &recordlen, TLS_alert_level_fatal, alert);
|
||||
|
||||
if (tls_record_send(record, sizeof(record), conn->sock) != 1) {
|
||||
@@ -1661,7 +1662,7 @@ int tls_send_warning(TLS_CONNECT *conn, int alert)
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
tls_record_set_version(record, conn->version);
|
||||
tls_record_set_protocol(record, conn->protocol);
|
||||
tls_record_set_alert(record, &recordlen, TLS_alert_level_warning, alert);
|
||||
|
||||
if (tls_record_send(record, sizeof(record), conn->sock) != 1) {
|
||||
@@ -1709,7 +1710,7 @@ int tls_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentlen
|
||||
tls_trace("send ApplicationData\n");
|
||||
|
||||
if (tls_record_set_type(record, TLS_record_application_data) != 1
|
||||
|| tls_record_set_version(record, conn->version) != 1
|
||||
|| tls_record_set_protocol(record, conn->protocol) != 1
|
||||
|| tls_record_set_length(record, inlen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
@@ -2021,7 +2022,7 @@ void tls_ctx_cleanup(TLS_CTX *ctx)
|
||||
}
|
||||
}
|
||||
|
||||
int tls_ctx_init(TLS_CTX *ctx, int protocol_version, int is_client)
|
||||
int tls_ctx_init(TLS_CTX *ctx, int protocol, int is_client)
|
||||
{
|
||||
if (!ctx) {
|
||||
error_print();
|
||||
@@ -2029,11 +2030,11 @@ int tls_ctx_init(TLS_CTX *ctx, int protocol_version, int is_client)
|
||||
}
|
||||
memset(ctx, 0, sizeof(*ctx));
|
||||
|
||||
switch (protocol_version) {
|
||||
case TLS_version_tlcp:
|
||||
case TLS_version_tls12:
|
||||
case TLS_version_tls13:
|
||||
ctx->protocol_version = protocol_version;
|
||||
switch (protocol) {
|
||||
case TLS_protocol_tlcp:
|
||||
case TLS_protocol_tls12:
|
||||
case TLS_protocol_tls13:
|
||||
ctx->protocol = protocol;
|
||||
break;
|
||||
default:
|
||||
error_print();
|
||||
@@ -2078,7 +2079,7 @@ int tls_ctx_set_ca_certificates(TLS_CTX *ctx, const char *cacertsfile, int depth
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (!tls_version_text(ctx->protocol_version)) {
|
||||
if (!tls_protocol_name(ctx->protocol)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -2115,7 +2116,7 @@ int tls_ctx_set_certificate_and_key(TLS_CTX *ctx, const char *chainfile,
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (!tls_version_text(ctx->protocol_version)) {
|
||||
if (!tls_protocol_name(ctx->protocol)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -2178,7 +2179,7 @@ int tls_ctx_set_tlcp_server_certificate_and_keys(TLS_CTX *ctx, const char *chain
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (!tls_version_text(ctx->protocol_version)) {
|
||||
if (!tls_protocol_name(ctx->protocol)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -2243,7 +2244,7 @@ int tls_init(TLS_CONNECT *conn, const TLS_CTX *ctx)
|
||||
size_t i;
|
||||
memset(conn, 0, sizeof(*conn));
|
||||
|
||||
conn->version = ctx->protocol_version;
|
||||
conn->protocol = ctx->protocol;
|
||||
conn->is_client = ctx->is_client;
|
||||
for (i = 0; i < ctx->cipher_suites_cnt; i++) {
|
||||
conn->cipher_suites[i] = ctx->cipher_suites[i];
|
||||
@@ -2302,15 +2303,15 @@ int tls_set_socket(TLS_CONNECT *conn, int sock)
|
||||
|
||||
int tls_do_handshake(TLS_CONNECT *conn)
|
||||
{
|
||||
switch (conn->version) {
|
||||
case TLS_version_tlcp:
|
||||
switch (conn->protocol) {
|
||||
case TLS_protocol_tlcp:
|
||||
if (conn->is_client) return tlcp_do_connect(conn);
|
||||
else return tlcp_do_accept(conn);
|
||||
/*
|
||||
case TLS_version_tls12:
|
||||
case TLS_protocol_tls12:
|
||||
if (conn->is_client) return tls12_do_connect(conn);
|
||||
else return tls12_do_accept(conn);
|
||||
case TLS_version_tls13:
|
||||
/*
|
||||
case TLS_protocol_tls13:
|
||||
if (conn->is_client) return tls13_do_connect(conn);
|
||||
else return tls13_do_accept(conn);
|
||||
*/
|
||||
|
||||
1110
src/tls12.c
1110
src/tls12.c
File diff suppressed because it is too large
Load Diff
470
src/tls_ext.c
Normal file
470
src/tls_ext.c
Normal file
@@ -0,0 +1,470 @@
|
||||
/*
|
||||
* Copyright (c) 2021 - 2021 The GmSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this
|
||||
* software must display the following acknowledgment:
|
||||
* "This product includes software developed by the GmSSL Project.
|
||||
* (http://gmssl.org/)"
|
||||
*
|
||||
* 4. The name "GmSSL Project" must not be used to endorse or promote
|
||||
* products derived from this software without prior written
|
||||
* permission. For written permission, please contact
|
||||
* guanzhi1980@gmail.com.
|
||||
*
|
||||
* 5. Products derived from this software may not be called "GmSSL"
|
||||
* nor may "GmSSL" appear in their names without prior written
|
||||
* permission of the GmSSL Project.
|
||||
*
|
||||
* 6. Redistributions of any form whatsoever must retain the following
|
||||
* acknowledgment:
|
||||
* "This product includes software developed by the GmSSL Project
|
||||
* (http://gmssl.org/)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
|
||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
|
||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
|
||||
#include <time.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <sys/types.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <gmssl/rand.h>
|
||||
#include <gmssl/x509.h>
|
||||
#include <gmssl/error.h>
|
||||
#include <gmssl/sm2.h>
|
||||
#include <gmssl/sm3.h>
|
||||
#include <gmssl/sm4.h>
|
||||
#include <gmssl/pem.h>
|
||||
#include <gmssl/tls.h>
|
||||
|
||||
|
||||
#define TLS_EXTENSION_HEADER_SIZE 4
|
||||
|
||||
#if 0
|
||||
|
||||
int tls_exts_add(uint8_t *exts, size_t *extslen, size_t maxlen,
|
||||
int type, const uint8_t *data, size_t datalen)
|
||||
{
|
||||
if (!exts || !extslen) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (datalen > TLS_MAX_PLAINTEXT_SIZE
|
||||
|| *extslen + TLS_EXTENSION_HEADER_SIZE + datalen > maxlen) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
exts += *extslen;
|
||||
tls_uint16_to_bytes(type, &exts, extslen);
|
||||
tls_uint16array_to_bytes(data, datalen, &exts, extslen);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
int tls_exts_add_ec_point_formats(uint8_t *exts, size_t *extslen, size_t maxlen,
|
||||
const int *formats, size_t formats_cnt)
|
||||
{
|
||||
int type = TLS_extension_ec_point_formats;
|
||||
size_t datalen = tls_uint8_size() + tls_uint8_size() * formats_cnt;
|
||||
size_t i;
|
||||
|
||||
if (!exts || !extslen || !formats || !formats_cnt) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (formats_cnt > 256) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (*extslen + TLS_EXTENSION_HEADER_SIZE + datalen > maxlen) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
exts += *extslen;
|
||||
tls_uint16_to_bytes(type, &exts, extslen);
|
||||
tls_uint16_to_bytes(datalen, &exts, extslen);
|
||||
tls_uint8_to_bytes(tls_uint8_size() * formats_cnt, &exts, extslen);
|
||||
for (i = 0; i < formats_cnt; i++) {
|
||||
if (!tls_ec_point_format_name(formats[i])) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
tls_uint8_to_bytes(formats[i], &exts, extslen);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
#define TLS_MAX_SUPPORTED_GROUPS_COUNT 64
|
||||
|
||||
int tls_exts_add_supported_groups(uint8_t *exts, size_t *extslen, size_t maxlen,
|
||||
const int *curves, size_t curves_cnt)
|
||||
{
|
||||
int type = TLS_extension_supported_groups;
|
||||
size_t datalen = tls_uint16_size() + tls_uint16_size() * curves_cnt;
|
||||
size_t i;
|
||||
|
||||
if (!exts || !extslen || !curves || !curves_cnt) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (curves_cnt > TLS_MAX_SUPPORTED_GROUPS_COUNT) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (*extslen + TLS_EXTENSION_HEADER_SIZE + datalen > maxlen) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
exts += *extslen;
|
||||
tls_uint16_to_bytes(type, &exts, extslen);
|
||||
tls_uint16_to_bytes(datalen, &exts, extslen);
|
||||
tls_uint16_to_bytes(tls_uint16_size() * curves_cnt, &exts, extslen);
|
||||
for (i = 0; i < curves_cnt; i++) {
|
||||
tls_uint16_to_bytes(curves[i], &exts, extslen);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
#define TLS_MAX_SIGNATURE_ALGORS_COUNT 64
|
||||
|
||||
int tls_exts_add_signature_algors(uint8_t *exts, size_t *extslen, size_t maxlen,
|
||||
const int *algs, size_t algs_cnt)
|
||||
{
|
||||
int type = TLS_extension_signature_algorithms;
|
||||
size_t datalen = tls_uint16_size() + tls_uint16_size() * algs_cnt;
|
||||
size_t i;
|
||||
|
||||
if (!exts || !extslen || !algs || !algs_cnt) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (algs_cnt > TLS_MAX_SIGNATURE_ALGORS_COUNT) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (*extslen + TLS_EXTENSION_HEADER_SIZE + datalen > maxlen) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
exts += *extslen;
|
||||
tls_uint16_to_bytes(type, &exts, extslen);
|
||||
tls_uint16_to_bytes(datalen, &exts, extslen);
|
||||
tls_uint16_to_bytes(tls_uint16_size() * algs_cnt, &exts, extslen);
|
||||
for (i = 0; i < algs_cnt; i++) {
|
||||
tls_uint16_to_bytes(algs[i], &exts, extslen);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls_process_client_ec_point_formats(const uint8_t *data, size_t datalen,
|
||||
uint8_t *exts, size_t *extslen, size_t maxlen)
|
||||
{
|
||||
int shared_formats[] = { TLS_point_uncompressed };
|
||||
size_t shared_formats_cnt = 0;
|
||||
const uint8_t *p;
|
||||
size_t len;
|
||||
|
||||
if (!data || !datalen || !exts || !extslen) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (tls_uint8array_from_bytes(&p, &len, &data, &datalen) != 1
|
||||
|| tls_length_is_zero(datalen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
while (len) {
|
||||
uint8_t format;
|
||||
if (tls_uint8_from_bytes(&format, &p, &len) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (!tls_ec_point_format_name(format)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (format == shared_formats[0]) {
|
||||
shared_formats_cnt = 1;
|
||||
}
|
||||
}
|
||||
if (tls_exts_add_ec_point_formats(exts, extslen, maxlen, shared_formats, shared_formats_cnt) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls_process_server_ec_point_formats(const uint8_t *data, size_t datalen)
|
||||
{
|
||||
const uint8_t *p;
|
||||
size_t len;
|
||||
uint8_t format;
|
||||
|
||||
if (tls_uint8array_from_bytes(&p, &len, &data, &datalen) != 1
|
||||
|| tls_length_is_zero(datalen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (tls_uint8_from_bytes(&format, &p, &len) != 1
|
||||
|| tls_length_is_zero(len) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (format != TLS_point_uncompressed) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls_process_client_signature_algors(const uint8_t *data, size_t datalen,
|
||||
uint8_t *exts, size_t *extslen, size_t maxlen)
|
||||
{
|
||||
int shared_algs[1] = { TLS_sig_sm2sig_sm3 };
|
||||
size_t shared_algs_cnt = 0;
|
||||
const uint8_t *p;
|
||||
size_t len;
|
||||
|
||||
if (!data || !datalen || !exts || !extslen) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (tls_uint16array_from_bytes(&p, &len, &data, &datalen) != 1
|
||||
|| tls_length_is_zero(datalen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
while (len) {
|
||||
uint16_t alg;
|
||||
if (tls_uint16_from_bytes(&alg, &p, &len) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (!tls_signature_scheme_name(alg)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (alg == shared_algs[0]) {
|
||||
shared_algs_cnt = 1;
|
||||
}
|
||||
}
|
||||
if (tls_exts_add_signature_algors(exts, extslen, maxlen, shared_algs, shared_algs_cnt) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls_process_server_signature_algors(const uint8_t *data, size_t datalen)
|
||||
{
|
||||
const uint8_t *p;
|
||||
size_t len;
|
||||
uint16_t alg;
|
||||
|
||||
if (tls_uint16array_from_bytes(&p, &len, &data, &datalen) != 1
|
||||
|| tls_length_is_zero(datalen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (tls_uint16_from_bytes(&alg, &p, &len) != 1
|
||||
|| tls_length_is_zero(len) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (alg != TLS_sig_sm2sig_sm3) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls_process_client_supported_groups(const uint8_t *data, size_t datalen, uint8_t *exts, size_t *extslen, size_t maxlen)
|
||||
{
|
||||
int shared_curves[1] = { TLS_curve_sm2p256v1 };
|
||||
size_t shared_curves_cnt = 0;
|
||||
const uint8_t *p;
|
||||
size_t len;
|
||||
|
||||
if (!data || !datalen || !exts || !extslen) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (tls_uint16array_from_bytes(&p, &len, &data, &datalen) != 1
|
||||
|| tls_length_is_zero(datalen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
while (len) {
|
||||
uint16_t curve;
|
||||
if (tls_uint16_from_bytes(&curve, &p, &len) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (!tls_named_curve_name(curve)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (curve == shared_curves[0]) {
|
||||
shared_curves_cnt = 1;
|
||||
}
|
||||
}
|
||||
if (tls_exts_add_supported_groups(exts, extslen, maxlen, shared_curves, shared_curves_cnt) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls_process_server_supported_groups(const uint8_t *data, size_t datalen)
|
||||
{
|
||||
const uint8_t *p;
|
||||
size_t len;
|
||||
uint16_t curve;
|
||||
|
||||
if (tls_uint16array_from_bytes(&p, &len, &data, &datalen) != 1
|
||||
|| tls_length_is_zero(datalen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (tls_uint16_from_bytes(&curve, &p, &len) != 1
|
||||
|| tls_length_is_zero(len) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (curve != TLS_curve_sm2p256v1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls_ext_from_bytes(int *type, const uint8_t **data, size_t *datalen, const uint8_t **in, size_t *inlen)
|
||||
{
|
||||
uint16_t ext_type;
|
||||
if (tls_uint16_from_bytes(&ext_type, in, inlen) != 1
|
||||
|| tls_uint16array_from_bytes(data, datalen, in, inlen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
*type = ext_type;
|
||||
if (!tls_extension_name(ext_type)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls_process_client_exts(const uint8_t *exts, size_t extslen, uint8_t *out, size_t *outlen, size_t maxlen)
|
||||
{
|
||||
int type;
|
||||
const uint8_t *data;
|
||||
size_t datalen;
|
||||
|
||||
while (extslen) {
|
||||
if (tls_ext_from_bytes(&type, &data, &datalen, &exts, &extslen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
switch (type) {
|
||||
case TLS_extension_ec_point_formats:
|
||||
if (tls_process_client_ec_point_formats(data, datalen, out, outlen, maxlen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case TLS_extension_signature_algorithms:
|
||||
if (tls_process_client_signature_algors(data, datalen, out, outlen, maxlen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case TLS_extension_supported_groups:
|
||||
if (tls_process_client_supported_groups(data, datalen, out, outlen, maxlen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls_process_server_exts(const uint8_t *exts, size_t extslen,
|
||||
int *ec_point_format, int *supported_group, int *signature_algor)
|
||||
{
|
||||
int type;
|
||||
const uint8_t *data;
|
||||
size_t datalen;
|
||||
|
||||
*ec_point_format = -1;
|
||||
*supported_group = -1;
|
||||
*signature_algor = -1;
|
||||
|
||||
while (extslen) {
|
||||
if (tls_ext_from_bytes(&type, &data, &datalen, &exts, &extslen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
switch (type) {
|
||||
case TLS_extension_ec_point_formats:
|
||||
if (tls_process_server_ec_point_formats(data, datalen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
*ec_point_format = TLS_point_uncompressed;
|
||||
break;
|
||||
case TLS_extension_signature_algorithms:
|
||||
if (tls_process_server_signature_algors(data, datalen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
*supported_group = TLS_curve_sm2p256v1;
|
||||
break;
|
||||
case TLS_extension_supported_groups:
|
||||
if (tls_process_server_supported_groups(data, datalen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
*signature_algor = TLS_sig_sm2sig_sm3;
|
||||
break;
|
||||
default:
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
109
src/tls_trace.c
109
src/tls_trace.c
@@ -67,18 +67,18 @@ const char *tls_record_type_name(int type)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const char *tls_version_text(int version)
|
||||
const char *tls_protocol_name(int protocol)
|
||||
{
|
||||
switch(version) {
|
||||
case TLS_version_tlcp: return "TLCP";
|
||||
case TLS_version_ssl2: return "SSL 2.0";
|
||||
case TLS_version_ssl3: return "SSL 3.0";
|
||||
case TLS_version_tls1: return "TLS 1.0";
|
||||
case TLS_version_tls11: return "TLS 1.1";
|
||||
case TLS_version_tls12: return "TLS 1.2";
|
||||
case TLS_version_tls13: return "TLS 1.3";
|
||||
case TLS_version_dtls1: return "DTLS 1.0";
|
||||
case TLS_version_dtls12: return "DTLS 1.2";
|
||||
switch(protocol) {
|
||||
case TLS_protocol_tlcp: return "TLCP";
|
||||
case TLS_protocol_ssl2: return "SSL2.0";
|
||||
case TLS_protocol_ssl3: return "SSL3.0";
|
||||
case TLS_protocol_tls1: return "TLS1.0";
|
||||
case TLS_protocol_tls11: return "TLS1.1";
|
||||
case TLS_protocol_tls12: return "TLS1.2";
|
||||
case TLS_protocol_tls13: return "TLS1.3";
|
||||
case TLS_protocol_dtls1: return "DTLS1.0";
|
||||
case TLS_protocol_dtls12: return "DTLS1.2";
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
@@ -86,23 +86,19 @@ const char *tls_version_text(int version)
|
||||
const char *tls_cipher_suite_name(int cipher)
|
||||
{
|
||||
switch (cipher) {
|
||||
case TLCP_cipher_ecdhe_sm4_cbc_sm3: return "TLCP_ECDHE_SM4_CBC_SM3";
|
||||
case TLCP_cipher_ecdhe_sm4_gcm_sm3: return "TLCP_ECDHE_SM4_GCM_SM3";
|
||||
case TLCP_cipher_ecc_sm4_cbc_sm3: return "TLCP_ECC_SM4_CBC_SM3";
|
||||
case TLCP_cipher_ecc_sm4_gcm_sm3: return "TLCP_ECC_SM4_GCM_SM3";
|
||||
case TLCP_cipher_ibsdh_sm4_cbc_sm3: return "TLCP_IBSDH_SM4_CBC_SM3";
|
||||
case TLCP_cipher_ibsdh_sm4_gcm_sm3: return "TLCP_IBSDH_SM4_GCM_SM3";
|
||||
case TLCP_cipher_ibc_sm4_cbc_sm3: return "TLCP_IBC_SM4_CBC_SM3";
|
||||
case TLCP_cipher_ibc_sm4_gcm_sm3: return "TLCP_IBC_SM4_GCM_SM3";
|
||||
case TLCP_cipher_rsa_sm4_cbc_sm3: return "TLCP_RSA_SM4_CBC_SM3";
|
||||
case TLCP_cipher_rsa_sm4_gcm_sm3: return "TLCP_RSA_SM4_GCM_SM3";
|
||||
case TLCP_cipher_rsa_sm4_cbc_sha256: return "TLCP_RSA_SM4_CBC_SHA256";
|
||||
case TLCP_cipher_rsa_sm4_gcm_sha256: return "TLCP_RSA_SM4_GCM_SHA256";
|
||||
case GMSSL_cipher_ecdhe_sm2_with_sm4_sm3: return "GMSSL_ECDHE_SM2_WITH_SM4_SM3";
|
||||
case GMSSL_cipher_ecdhe_sm2_with_sm4_gcm_sm3: return "GMSSL_ECDHE_SM2_WITH_SM4_GCM_SM3";
|
||||
case GMSSL_cipher_ecdhe_sm2_with_sm4_ccm_sm3: return "GMSSL_ECDHE_SM2_WITH_SM4_CCM_SM3";
|
||||
case GMSSL_cipher_ecdhe_sm2_with_zuc_sm3: return "GMSSL_ECDHE_SM2_WITH_ZUC_SM3";
|
||||
case TLS_cipher_empty_renegotiation_info_scsv: return "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";
|
||||
case TLS_cipher_ecdhe_sm4_cbc_sm3: return "ECDHE_SM4_CBC_SM3";
|
||||
case TLS_cipher_ecdhe_sm4_gcm_sm3: return "ECDHE_SM4_GCM_SM3";
|
||||
case TLS_cipher_ecc_sm4_cbc_sm3: return "ECC_SM4_CBC_SM3";
|
||||
case TLS_cipher_ecc_sm4_gcm_sm3: return "ECC_SM4_GCM_SM3";
|
||||
case TLS_cipher_ibsdh_sm4_cbc_sm3: return "IBSDH_SM4_CBC_SM3";
|
||||
case TLS_cipher_ibsdh_sm4_gcm_sm3: return "IBSDH_SM4_GCM_SM3";
|
||||
case TLS_cipher_ibc_sm4_cbc_sm3: return "IBC_SM4_CBC_SM3";
|
||||
case TLS_cipher_ibc_sm4_gcm_sm3: return "IBC_SM4_GCM_SM3";
|
||||
case TLS_cipher_rsa_sm4_cbc_sm3: return "RSA_SM4_CBC_SM3";
|
||||
case TLS_cipher_rsa_sm4_gcm_sm3: return "RSA_SM4_GCM_SM3";
|
||||
case TLS_cipher_rsa_sm4_cbc_sha256: return "RSA_SM4_CBC_SHA256";
|
||||
case TLS_cipher_rsa_sm4_gcm_sha256: return "RSA_SM4_GCM_SHA256";
|
||||
case TLS_cipher_empty_renegotiation_info_scsv: return "EMPTY_RENEGOTIATION_INFO_SCSV";
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
@@ -160,7 +156,7 @@ const char *tls_extension_name(int ext)
|
||||
case TLS_extension_supported_ekt_ciphers: return "supported_ekt_ciphers";
|
||||
case TLS_extension_pre_shared_key: return "pre_shared_key";
|
||||
case TLS_extension_early_data: return "early_data";
|
||||
case TLS_extension_supported_versions: return "supported_versions";
|
||||
case TLS_extension_supported_protocols: return "supported_protocols";
|
||||
case TLS_extension_cookie: return "cookie";
|
||||
case TLS_extension_psk_key_exchange_modes: return "psk_key_exchange_modes";
|
||||
case TLS_extension_certificate_authorities: return "certificate_authorities";
|
||||
@@ -362,10 +358,10 @@ int tls_random_print(FILE *fp, const uint8_t random[32], int format, int indent)
|
||||
|
||||
int tls_pre_master_secret_print(FILE *fp, const uint8_t pre_master_secret[48], int format, int indent)
|
||||
{
|
||||
int version = ((int)pre_master_secret[0] << 8) | pre_master_secret[1];
|
||||
int protocol = ((int)pre_master_secret[0] << 8) | pre_master_secret[1];
|
||||
format_print(fp, format, indent, "PreMasterSecret\n");
|
||||
indent += 4;
|
||||
format_print(fp, format, indent, "version : %s\n", tls_version_text(version));
|
||||
format_print(fp, format, indent, "protocol : %s\n", tls_protocol_name(protocol));
|
||||
format_bytes(fp, format, indent, "pre_master_secret", pre_master_secret, 48);
|
||||
return 1;
|
||||
}
|
||||
@@ -389,7 +385,7 @@ int tls_extension_print(FILE *fp, int type, const uint8_t *data, size_t datalen,
|
||||
while (len) {
|
||||
uint16_t curve;
|
||||
tls_uint16_from_bytes(&curve, &p, &len);
|
||||
format_print(fp, format, indent, "%s (0x%04x)\n",
|
||||
format_print(fp, format, indent, "%s (%d)\n",
|
||||
tls_named_curve_name(curve), curve);
|
||||
}
|
||||
break;
|
||||
@@ -436,7 +432,7 @@ int tls_extension_print(FILE *fp, int type, const uint8_t *data, size_t datalen,
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
format_print(fp, format, indent, "group: %s\n", tls_named_curve_name(group));
|
||||
format_print(fp, format, indent, "group: %s (%d)\n", tls_named_curve_name(group), group);
|
||||
format_bytes(fp, format, indent, "key_exchange", key_exch, key_exch_len);
|
||||
}
|
||||
break;
|
||||
@@ -483,7 +479,7 @@ int tls_hello_request_print(FILE *fp, const uint8_t *data, size_t datalen, int f
|
||||
int tls_client_hello_print(FILE *fp, const uint8_t *data, size_t datalen, int format, int indent)
|
||||
{
|
||||
int ret = -1;
|
||||
uint16_t version;
|
||||
uint16_t protocol;
|
||||
const uint8_t *random;
|
||||
const uint8_t *session_id;
|
||||
const uint8_t *cipher_suites;
|
||||
@@ -493,9 +489,9 @@ int tls_client_hello_print(FILE *fp, const uint8_t *data, size_t datalen, int fo
|
||||
size_t i;
|
||||
|
||||
format_print(fp, format, indent, "ClientHello\n"); indent += 4;
|
||||
if (tls_uint16_from_bytes((uint16_t *)&version, &data, &datalen) != 1) goto end;
|
||||
if (tls_uint16_from_bytes((uint16_t *)&protocol, &data, &datalen) != 1) goto end;
|
||||
format_print(fp, format, indent, "Version: %s (%d.%d)\n",
|
||||
tls_version_text(version), version >> 8, version & 0xff);
|
||||
tls_protocol_name(protocol), protocol >> 8, protocol & 0xff);
|
||||
if (tls_array_from_bytes(&random, 32, &data, &datalen) != 1) goto end;
|
||||
tls_random_print(fp, random, format, indent);
|
||||
if (tls_uint8array_from_bytes(&session_id, &session_id_len, &data, &datalen) != 1) goto end;
|
||||
@@ -534,7 +530,7 @@ end:
|
||||
int tls_server_hello_print(FILE *fp, const uint8_t *data, size_t datalen, int format, int indent)
|
||||
{
|
||||
int ret = -1;
|
||||
uint16_t version;
|
||||
uint16_t protocol;
|
||||
const uint8_t *random;
|
||||
const uint8_t *session_id;
|
||||
uint16_t cipher_suite;
|
||||
@@ -544,9 +540,9 @@ int tls_server_hello_print(FILE *fp, const uint8_t *data, size_t datalen, int fo
|
||||
size_t i;
|
||||
|
||||
format_print(fp, format, indent, "ServerHello\n"); indent += 4;
|
||||
if (tls_uint16_from_bytes(&version, &data, &datalen) != 1) goto bad;
|
||||
if (tls_uint16_from_bytes(&protocol, &data, &datalen) != 1) goto bad;
|
||||
format_print(fp, format, indent, "Version: %s (%d.%d)\n",
|
||||
tls_version_text(version), version >> 8, version & 0xff);
|
||||
tls_protocol_name(protocol), protocol >> 8, protocol & 0xff);
|
||||
if (tls_array_from_bytes(&random, 32, &data, &datalen) != 1) goto bad;
|
||||
tls_random_print(fp, random, format, indent);
|
||||
if (tls_uint8array_from_bytes(&session_id, &session_id_len, &data, &datalen) != 1) goto bad;
|
||||
@@ -617,7 +613,7 @@ int tls_server_key_exchange_ecdhe_print(FILE *fp, const uint8_t *data, size_t da
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
format_print(fp, format, indent + 8, "named_curve: %s (04%04x)\n",
|
||||
format_print(fp, format, indent + 8, "named_curve: %s (%d)\n",
|
||||
tls_named_curve_name(curve), curve);
|
||||
if (tls_uint8array_from_bytes(&octets, &octetslen, &data, &datalen) != 1) {
|
||||
error_print();
|
||||
@@ -628,7 +624,7 @@ int tls_server_key_exchange_ecdhe_print(FILE *fp, const uint8_t *data, size_t da
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
format_print(fp, format, indent, "SignatureScheme: %s (04%04x)\n",
|
||||
format_print(fp, format, indent, "SignatureScheme: %s (0x%04x)\n",
|
||||
tls_signature_scheme_name(sig_alg), sig_alg);
|
||||
if (tls_uint16array_from_bytes(&sig, &siglen, &data, &datalen) != 1) {
|
||||
error_print();
|
||||
@@ -647,18 +643,15 @@ int tls_server_key_exchange_print(FILE *fp, const uint8_t *data, size_t datalen,
|
||||
int cipher_suite = (format >> 8) & 0xffff;
|
||||
|
||||
switch (cipher_suite) {
|
||||
case TLCP_cipher_ecc_sm4_cbc_sm3:
|
||||
case TLCP_cipher_ecc_sm4_gcm_sm3:
|
||||
case TLS_cipher_ecc_sm4_cbc_sm3:
|
||||
case TLS_cipher_ecc_sm4_gcm_sm3:
|
||||
if (tlcp_server_key_exchange_pke_print(fp, data, datalen, format, indent) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case TLCP_cipher_ecdhe_sm4_cbc_sm3:
|
||||
case TLCP_cipher_ecdhe_sm4_gcm_sm3:
|
||||
case GMSSL_cipher_ecdhe_sm2_with_sm4_sm3:
|
||||
case GMSSL_cipher_ecdhe_sm2_with_sm4_gcm_sm3:
|
||||
case GMSSL_cipher_ecdhe_sm2_with_sm4_ccm_sm3:
|
||||
case TLS_cipher_ecdhe_sm4_cbc_sm3:
|
||||
case TLS_cipher_ecdhe_sm4_gcm_sm3:
|
||||
if (tls_server_key_exchange_ecdhe_print(fp, data, datalen, format, indent) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
@@ -707,7 +700,8 @@ int tls_certificate_request_print(FILE *fp, const uint8_t *data, size_t datalen,
|
||||
if (tls_uint8array_from_bytes(&cert_types, &cert_types_len, &data, &datalen) != 1) goto bad;
|
||||
format_print(fp, format, indent, "cert_types\n");
|
||||
while (cert_types_len--) {
|
||||
format_print(fp, format, indent + 4, "%s\n", tls_cert_type_name(*cert_types++));
|
||||
int cert_type = *cert_types++;
|
||||
format_print(fp, format, indent + 4, "%s (%d)\n", tls_cert_type_name(cert_type), cert_type);
|
||||
}
|
||||
if (tls_uint16array_from_bytes(&ca_names, &ca_names_len, &data, &datalen) != 1) goto bad;
|
||||
tls_certificate_subjects_print(fp, format, indent, "CAnames", ca_names, ca_names_len);
|
||||
@@ -764,18 +758,15 @@ int tls_client_key_exchange_print(FILE *fp, const uint8_t *data, size_t datalen,
|
||||
{
|
||||
int cipher_suite = (format >> 8) & 0xffff;
|
||||
switch (cipher_suite) {
|
||||
case TLCP_cipher_ecc_sm4_cbc_sm3:
|
||||
case TLCP_cipher_ecc_sm4_gcm_sm3:
|
||||
case TLS_cipher_ecc_sm4_cbc_sm3:
|
||||
case TLS_cipher_ecc_sm4_gcm_sm3:
|
||||
if (tls_client_key_exchange_pke_print(fp, data, datalen, format, indent) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case TLCP_cipher_ecdhe_sm4_cbc_sm3:
|
||||
case TLCP_cipher_ecdhe_sm4_gcm_sm3:
|
||||
case GMSSL_cipher_ecdhe_sm2_with_sm4_sm3:
|
||||
case GMSSL_cipher_ecdhe_sm2_with_sm4_gcm_sm3:
|
||||
case GMSSL_cipher_ecdhe_sm2_with_sm4_ccm_sm3:
|
||||
case TLS_cipher_ecdhe_sm4_cbc_sm3:
|
||||
case TLS_cipher_ecdhe_sm4_gcm_sm3:
|
||||
if (tls_client_key_exchange_ecdhe_print(fp, data, datalen, format, indent) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
@@ -904,16 +895,16 @@ int tls_record_print(FILE *fp, const uint8_t *record, size_t recordlen, int for
|
||||
{
|
||||
const uint8_t *data;
|
||||
size_t datalen;
|
||||
int version;
|
||||
int protocol;
|
||||
|
||||
if (!fp || !record || recordlen < 5) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
version = tls_record_version(record);
|
||||
protocol = tls_record_protocol(record);
|
||||
format_print(fp, format, indent, "Record\n"); indent += 4;
|
||||
format_print(fp, format, indent, "ContentType: %s (%d)\n", tls_record_type_name(record[0]), record[0]);
|
||||
format_print(fp, format, indent, "Version: %s (%d.%d)\n", tls_version_text(version), version >> 8, version & 0xff);
|
||||
format_print(fp, format, indent, "Version: %s (%d.%d)\n", tls_protocol_name(protocol), protocol >> 8, protocol & 0xff);
|
||||
format_print(fp, format, indent, "Length: %d\n", tls_record_data_length(record));
|
||||
|
||||
data = tls_record_data(record);
|
||||
|
||||
Reference in New Issue
Block a user