From 5312311bf3469b7fd13a812dcc99e21f818739c1 Mon Sep 17 00:00:00 2001 From: Zhi Guan Date: Sun, 14 Jun 2026 14:46:41 +0800 Subject: [PATCH] Clean TLS code --- src/tls.c | 178 +++++++++++----------------------------------------- src/tls12.c | 53 +++------------- 2 files changed, 44 insertions(+), 187 deletions(-) diff --git a/src/tls.c b/src/tls.c index 4234d833..9150c845 100644 --- a/src/tls.c +++ b/src/tls.c @@ -809,6 +809,42 @@ int tls_pre_master_secret_generate(uint8_t pre_master_secret[48], int protocol) return 1; } +int tls_compute_verify_data(const DIGEST *digest, const uint8_t master_secret[48], + const char *label, const DIGEST_CTX *dgst_ctx, uint8_t verify_data[12]) +{ + const size_t master_secret_len = 48; + const size_t verify_data_len = 12; + DIGEST_CTX tmp_ctx; + uint8_t dgst[DIGEST_MAX_SIZE]; + size_t dgstlen; + + if (!digest || !master_secret || !label || !dgst_ctx || !verify_data) { + error_print(); + return -1; + } + if (strcmp(label, "client finished") && strcmp(label, "server finished")) { + error_print(); + return -1; + } + + tmp_ctx = *dgst_ctx; + + if (digest_finish(&tmp_ctx, dgst, &dgstlen) != 1) { + error_print(); + return -1; + } + if (tls_prf(digest, master_secret, master_secret_len, + label, dgst, dgstlen, NULL, 0, + verify_data_len, verify_data) != 1) { + error_print(); + return -1; + } + return 1; +} + + + + // 用于设置CertificateRequest int tls_cert_type_from_oid(int oid) { 
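Review bot: The relocated `tls_compute_verify_data` has no header comment, and the property callers depend on is not stated anywhere: `tmp_ctx = *dgst_ctx` finalises a copy, so the connection's running handshake hash is left intact. I would add above the function `/* Compute the 12-byte Finished verify_data = PRF(master_secret, label, Hash(handshake_messages)); finalises a copy of dgst_ctx, so the caller's context is not consumed. */`. This matters because the server-side call sites in src/tls12.c (`tls_send_server_finished`, `tls_recv_server_finished`) previously called `digest_finish(&conn->dgst_ctx, ...)` in place, so switching them to the helper changes the state `conn->dgst_ctx` is left in. The by-value copy also presumes `DIGEST_CTX` holds no owned pointers, which is not visible in this hunk.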
@@ -832,63 +868,6 @@ int tls_cert_type_from_oid(int oid) return 0; } -// 这两个函数没有对应的TLCP版本, 这个现在已经有了ex版本了 -int tls_sign_server_ecdh_params(const SM2_KEY *server_sign_key, - const uint8_t client_random[32], const uint8_t server_random[32], - int curve, const SM2_Z256_POINT *point, uint8_t *sig, size_t *siglen) -{ - uint8_t server_ecdh_params[69]; - SM2_SIGN_CTX sign_ctx; - - if (!server_sign_key || !client_random || !server_random - || curve != TLS_curve_sm2p256v1 || !point || !sig || !siglen) { - error_print(); - return -1; - } - server_ecdh_params[0] = TLS_curve_type_named_curve; - server_ecdh_params[1] = (uint8_t)(curve >> 8); - server_ecdh_params[2] = (uint8_t)curve; - server_ecdh_params[3] = 65; - sm2_z256_point_to_uncompressed_octets(point, server_ecdh_params + 4); - - sm2_sign_init(&sign_ctx, server_sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH); - sm2_sign_update(&sign_ctx, client_random, 32); - sm2_sign_update(&sign_ctx, server_random, 32); - sm2_sign_update(&sign_ctx, server_ecdh_params, 69); - sm2_sign_finish(&sign_ctx, sig, siglen); - - return 1; -} - -int tls_verify_server_ecdh_params(const SM2_KEY *server_sign_key, - const uint8_t client_random[32], const uint8_t server_random[32], - int curve, const SM2_Z256_POINT *point, const uint8_t *sig, size_t siglen) -{ - int ret; - uint8_t server_ecdh_params[69]; - SM2_VERIFY_CTX verify_ctx; - - if (!server_sign_key || !client_random || !server_random - || curve != TLS_curve_sm2p256v1 || !point || !sig || !siglen - || siglen > SM2_MAX_SIGNATURE_SIZE) { - error_print(); - return -1; - } - server_ecdh_params[0] = TLS_curve_type_named_curve; - server_ecdh_params[1] = (uint8_t)(curve >> 8); - server_ecdh_params[2] = (uint8_t)(curve); - server_ecdh_params[3] = 65; - sm2_z256_point_to_uncompressed_octets(point, server_ecdh_params + 4); - - sm2_verify_init(&verify_ctx, server_sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH); - sm2_verify_update(&verify_ctx, client_random, 32); - sm2_verify_update(&verify_ctx, 
server_random, 32); - sm2_verify_update(&verify_ctx, server_ecdh_params, 69); - ret = sm2_verify_finish(&verify_ctx, sig, siglen); - if (ret != 1) error_print(); - return ret; -} - int tls_record_set_handshake(uint8_t *record, size_t *recordlen, int type, const uint8_t *data, size_t datalen) { @@ -1770,62 +1749,6 @@ int tls_type_is_in_list(int type, const int *list, size_t list_count) } return 0; } - - - -static const int tlcp_ciphers[] = { - TLS_cipher_ecc_sm4_cbc_sm3, - TLS_cipher_ecc_sm4_gcm_sm3, - TLS_cipher_ibc_sm4_cbc_sm3, - TLS_cipher_ibc_sm4_gcm_sm3, -}; - -static const int tls12_ciphers[] = { - TLS_cipher_ecdhe_sm4_cbc_sm3, - TLS_cipher_ecdhe_sm4_gcm_sm3, - TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256, - TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256, -#ifdef ENABLE_AES_CCM - TLS_cipher_aes_128_ccm_sha256, -#endif -}; - -static const int tls13_ciphers[] = { - TLS_cipher_sm4_gcm_sm3, -#ifdef ENABLE_SM4_CCM - TLS_cipher_sm4_ccm_sm3, -#endif - TLS_cipher_aes_128_gcm_sha256, -#ifdef ENABLE_AES_CCM - TLS_cipher_aes_128_ccm_sha256, -#endif -}; - -int tls_cipher_suite_match_protocol(int cipher, int protocol) -{ - switch (protocol) { - case TLS_protocol_tlcp: - if (!tls_type_is_in_list(cipher, tlcp_ciphers, sizeof(tlcp_ciphers)/sizeof(tlcp_ciphers[0]))) { - return 0; - } - break; - case TLS_protocol_tls12: - if (!tls_type_is_in_list(cipher, tls12_ciphers, sizeof(tls12_ciphers)/sizeof(tls12_ciphers[0]))) { - return 0; - } - break; - case TLS_protocol_tls13: - if (!tls_type_is_in_list(cipher, tls13_ciphers, sizeof(tls13_ciphers)/sizeof(tls13_ciphers[0]))) { - return 0; - } - break; - default: - error_print(); - return -1; - } - return 1; -} - /* 尽可能的发送数据,直到发送完整的报文,或者send 返回错误 如果send 返回EAGAIN,那么向上层返回WANT_WRITE 
@@ -3949,32 +3872,3 @@ int tls_handshake_digest_print(FILE *fp, int fmt, int ind, const char *label, co return 1; } - -int tls_compute_verify_data(const DIGEST *digest, const uint8_t master_secret[48], - const char *label, const DIGEST_CTX *dgst_ctx, uint8_t verify_data[12]) -{ - const size_t master_secret_len = 48; - const size_t verify_data_len = 12; - DIGEST_CTX tmp_ctx; - uint8_t dgst[64]; - size_t dgstlen; - - if (!digest || !master_secret || !dgst_ctx || !verify_data) { - error_print(); - return -1; - } - tmp_ctx = *dgst_ctx; - - if (digest_finish(&tmp_ctx, dgst, &dgstlen) != 1) { - error_print(); - return -1; - } - if (tls_prf(digest, master_secret, master_secret_len, - label, // "client finished" or "server finished", - dgst, dgstlen, NULL, 0, - verify_data_len, verify_data) != 1) { - error_print(); - return -1; - } - return 1; -} diff --git a/src/tls12.c b/src/tls12.c index 3d59a6de..b3931e79 100644 --- a/src/tls12.c +++ b/src/tls12.c @@ -3136,19 +3136,8 @@ int tls_send_client_finished(TLS_CONNECT *conn) uint8_t local_verify_data[12]; - - DIGEST_CTX tmp_ctx; - uint8_t dgst[32]; - size_t dgstlen; - - tmp_ctx = conn->dgst_ctx; - - digest_finish(&tmp_ctx, dgst, &dgstlen); - - if (tls_prf(conn->digest, - conn->master_secret, 48, - "client finished", dgst, dgstlen, NULL, 0, - sizeof(local_verify_data), local_verify_data) != 1) { + if (tls_compute_verify_data(conn->digest, conn->master_secret, + "client finished", &conn->dgst_ctx, local_verify_data) != 1) { error_print(); tls_send_alert(conn, TLS_alert_internal_error); return -1; 
@@ -3205,19 +3194,8 @@ int tls_recv_client_finished(TLS_CONNECT *conn) size_t verify_data_len; uint8_t local_verify_data[12]; - DIGEST_CTX tmp_ctx; - uint8_t dgst[32]; - size_t dgstlen; - - - tmp_ctx = conn->dgst_ctx; - - if (digest_finish(&tmp_ctx, dgst, &dgstlen) != 1) { - error_print(); - return -1; - } - if (tls_prf(conn->digest, conn->master_secret, 48, "client finished", dgst, dgstlen, NULL, 0, - sizeof(local_verify_data), local_verify_data) != 1) { + if (tls_compute_verify_data(conn->digest, conn->master_secret, "client finished", + &conn->dgst_ctx, local_verify_data) != 1) { error_print(); tls_send_alert(conn, TLS_alert_internal_error); return -1; @@ -3312,13 +3290,8 @@ int tls_send_server_finished(TLS_CONNECT *conn) if (conn->recordlen == 0) { if(conn->verbose) tls_trace("send server Finished\n"); - uint8_t dgst[32]; - size_t dgstlen; - - digest_finish(&conn->dgst_ctx, dgst, &dgstlen); - - if (tls_prf(conn->digest, conn->master_secret, 48, "server finished", dgst, dgstlen, NULL, 0, - sizeof(local_verify_data), local_verify_data) != 1) { + if (tls_compute_verify_data(conn->digest, conn->master_secret, + "server finished", &conn->dgst_ctx, local_verify_data) != 1) { error_print(); return -1; } @@ -3363,22 +3336,12 @@ int tls_recv_server_finished(TLS_CONNECT *conn) uint8_t finished_record[TLS_FINISHED_RECORD_BUF_SIZE]; size_t finished_record_len; - uint8_t dgst[32]; - size_t dgstlen; - const uint8_t *verify_data; size_t verify_data_len; uint8_t local_verify_data[12]; - - - if (digest_finish(&conn->dgst_ctx, dgst, &dgstlen) != 1) { - error_print(); - return -1; - } - if (tls_prf(conn->digest, conn->master_secret, 48, "server finished", - dgst, dgstlen, NULL, 0, - sizeof(local_verify_data), local_verify_data) != 1) { + if (tls_compute_verify_data(conn->digest, conn->master_secret, + "server finished", &conn->dgst_ctx, local_verify_data) != 1) { error_print(); tls_send_alert(conn, TLS_alert_internal_error); return -1;
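Review bot: The failure branch after the `tls_compute_verify_data` call in `tls_send_server_finished` returns without alerting the peer. The other three Finished call sites touched by this patch (`tls_send_client_finished`, `tls_recv_client_finished`, `tls_recv_server_finished`) all call `tls_send_alert(conn, TLS_alert_internal_error);` before `return -1;`. Unless the omission is deliberate, add that line after `error_print();` here so the four handlers fail the same way. The function body starts and ends outside the hunk, so an alert may already be sent by code not shown.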