abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-06-19 19:33:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

Clean TLS code

Browse Source
This commit is contained in:
Zhi Guan
2026-06-14 14:46:41 +08:00
parent ec5705ae29
commit 5312311bf3
2 changed files with 44 additions and 187 deletions
Download Patch File Download Diff File Expand all files Collapse all files

178
src/tls.c
View File

@@ -809,6 +809,42 @@ int tls_pre_master_secret_generate(uint8_t pre_master_secret[48], int protocol)
return 1; return 1;
} }
int tls_compute_verify_data(const DIGEST *digest, const uint8_t master_secret[48],
const char *label, const DIGEST_CTX *dgst_ctx, uint8_t verify_data[12])
{
const size_t master_secret_len = 48;
const size_t verify_data_len = 12;
DIGEST_CTX tmp_ctx;
uint8_t dgst[DIGEST_MAX_SIZE];
size_t dgstlen;
if (!digest || !master_secret || !label || !dgst_ctx || !verify_data) {
error_print();
return -1;
}
if (strcmp(label, "client finished") && strcmp(label, "server finished")) {
error_print();
return -1;
}
tmp_ctx = *dgst_ctx;
if (digest_finish(&tmp_ctx, dgst, &dgstlen) != 1) {
error_print();
return -1;
}
if (tls_prf(digest, master_secret, master_secret_len,
label, dgst, dgstlen, NULL, 0,
verify_data_len, verify_data) != 1) {
error_print();
return -1;
}
return 1;
}
// 用于设置CertificateRequest // 用于设置CertificateRequest
int tls_cert_type_from_oid(int oid) int tls_cert_type_from_oid(int oid)
{ {
@@ -832,63 +868,6 @@ int tls_cert_type_from_oid(int oid)
return 0; return 0;
} }
// 这两个函数没有对应的TLCP版本 这个现在已经有了ex版本了
int tls_sign_server_ecdh_params(const SM2_KEY *server_sign_key,
const uint8_t client_random[32], const uint8_t server_random[32],
int curve, const SM2_Z256_POINT *point, uint8_t *sig, size_t *siglen)
{
uint8_t server_ecdh_params[69];
SM2_SIGN_CTX sign_ctx;
if (!server_sign_key || !client_random || !server_random
|| curve != TLS_curve_sm2p256v1 || !point || !sig || !siglen) {
error_print();
return -1;
}
server_ecdh_params[0] = TLS_curve_type_named_curve;
server_ecdh_params[1] = (uint8_t)(curve >> 8);
server_ecdh_params[2] = (uint8_t)curve;
server_ecdh_params[3] = 65;
sm2_z256_point_to_uncompressed_octets(point, server_ecdh_params + 4);
sm2_sign_init(&sign_ctx, server_sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH);
sm2_sign_update(&sign_ctx, client_random, 32);
sm2_sign_update(&sign_ctx, server_random, 32);
sm2_sign_update(&sign_ctx, server_ecdh_params, 69);
sm2_sign_finish(&sign_ctx, sig, siglen);
return 1;
}
int tls_verify_server_ecdh_params(const SM2_KEY *server_sign_key,
const uint8_t client_random[32], const uint8_t server_random[32],
int curve, const SM2_Z256_POINT *point, const uint8_t *sig, size_t siglen)
{
int ret;
uint8_t server_ecdh_params[69];
SM2_VERIFY_CTX verify_ctx;
if (!server_sign_key || !client_random || !server_random
|| curve != TLS_curve_sm2p256v1 || !point || !sig || !siglen
|| siglen > SM2_MAX_SIGNATURE_SIZE) {
error_print();
return -1;
}
server_ecdh_params[0] = TLS_curve_type_named_curve;
server_ecdh_params[1] = (uint8_t)(curve >> 8);
server_ecdh_params[2] = (uint8_t)(curve);
server_ecdh_params[3] = 65;
sm2_z256_point_to_uncompressed_octets(point, server_ecdh_params + 4);
sm2_verify_init(&verify_ctx, server_sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH);
sm2_verify_update(&verify_ctx, client_random, 32);
sm2_verify_update(&verify_ctx, server_random, 32);
sm2_verify_update(&verify_ctx, server_ecdh_params, 69);
ret = sm2_verify_finish(&verify_ctx, sig, siglen);
if (ret != 1) error_print();
return ret;
}
int tls_record_set_handshake(uint8_t *record, size_t *recordlen, int tls_record_set_handshake(uint8_t *record, size_t *recordlen,
int type, const uint8_t *data, size_t datalen) int type, const uint8_t *data, size_t datalen)
{ {
@@ -1770,62 +1749,6 @@ int tls_type_is_in_list(int type, const int *list, size_t list_count)
} }
return 0; return 0;
} }
static const int tlcp_ciphers[] = {
TLS_cipher_ecc_sm4_cbc_sm3,
TLS_cipher_ecc_sm4_gcm_sm3,
TLS_cipher_ibc_sm4_cbc_sm3,
TLS_cipher_ibc_sm4_gcm_sm3,
};
static const int tls12_ciphers[] = {
TLS_cipher_ecdhe_sm4_cbc_sm3,
TLS_cipher_ecdhe_sm4_gcm_sm3,
TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256,
TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256,
#ifdef ENABLE_AES_CCM
TLS_cipher_aes_128_ccm_sha256,
#endif
};
static const int tls13_ciphers[] = {
TLS_cipher_sm4_gcm_sm3,
#ifdef ENABLE_SM4_CCM
TLS_cipher_sm4_ccm_sm3,
#endif
TLS_cipher_aes_128_gcm_sha256,
#ifdef ENABLE_AES_CCM
TLS_cipher_aes_128_ccm_sha256,
#endif
};
int tls_cipher_suite_match_protocol(int cipher, int protocol)
{
switch (protocol) {
case TLS_protocol_tlcp:
if (!tls_type_is_in_list(cipher, tlcp_ciphers, sizeof(tlcp_ciphers)/sizeof(tlcp_ciphers[0]))) {
return 0;
}
break;
case TLS_protocol_tls12:
if (!tls_type_is_in_list(cipher, tls12_ciphers, sizeof(tls12_ciphers)/sizeof(tls12_ciphers[0]))) {
return 0;
}
break;
case TLS_protocol_tls13:
if (!tls_type_is_in_list(cipher, tls13_ciphers, sizeof(tls13_ciphers)/sizeof(tls13_ciphers[0]))) {
return 0;
}
break;
default:
error_print();
return -1;
}
return 1;
}
/* /*
尽可能的发送数据直到发送完整的报文或者send 返回错误 尽可能的发送数据直到发送完整的报文或者send 返回错误
如果send 返回EAGAIN那么向上层返回WANT_WRITE 如果send 返回EAGAIN那么向上层返回WANT_WRITE
@@ -3949,32 +3872,3 @@ int tls_handshake_digest_print(FILE *fp, int fmt, int ind, const char *label, co
return 1; return 1;
} }
int tls_compute_verify_data(const DIGEST *digest, const uint8_t master_secret[48],
const char *label, const DIGEST_CTX *dgst_ctx, uint8_t verify_data[12])
{
const size_t master_secret_len = 48;
const size_t verify_data_len = 12;
DIGEST_CTX tmp_ctx;
uint8_t dgst[64];
size_t dgstlen;
if (!digest || !master_secret || !dgst_ctx || !verify_data) {
error_print();
return -1;
}
tmp_ctx = *dgst_ctx;
if (digest_finish(&tmp_ctx, dgst, &dgstlen) != 1) {
error_print();
return -1;
}
if (tls_prf(digest, master_secret, master_secret_len,
label, // "client finished" or "server finished",
dgst, dgstlen, NULL, 0,
verify_data_len, verify_data) != 1) {
error_print();
return -1;
}
return 1;
}

53
src/tls12.c
View File

@@ -3136,19 +3136,8 @@ int tls_send_client_finished(TLS_CONNECT *conn)
uint8_t local_verify_data[12]; uint8_t local_verify_data[12];
if (tls_compute_verify_data(conn->digest, conn->master_secret,
DIGEST_CTX tmp_ctx; "client finished", &conn->dgst_ctx, local_verify_data) != 1) {
uint8_t dgst[32];
size_t dgstlen;
tmp_ctx = conn->dgst_ctx;
digest_finish(&tmp_ctx, dgst, &dgstlen);
if (tls_prf(conn->digest,
conn->master_secret, 48,
"client finished", dgst, dgstlen, NULL, 0,
sizeof(local_verify_data), local_verify_data) != 1) {
error_print(); error_print();
tls_send_alert(conn, TLS_alert_internal_error); tls_send_alert(conn, TLS_alert_internal_error);
return -1; return -1;
@@ -3205,19 +3194,8 @@ int tls_recv_client_finished(TLS_CONNECT *conn)
size_t verify_data_len; size_t verify_data_len;
uint8_t local_verify_data[12]; uint8_t local_verify_data[12];
DIGEST_CTX tmp_ctx; if (tls_compute_verify_data(conn->digest, conn->master_secret, "client finished",
uint8_t dgst[32]; &conn->dgst_ctx, local_verify_data) != 1) {
size_t dgstlen;
tmp_ctx = conn->dgst_ctx;
if (digest_finish(&tmp_ctx, dgst, &dgstlen) != 1) {
error_print();
return -1;
}
if (tls_prf(conn->digest, conn->master_secret, 48, "client finished", dgst, dgstlen, NULL, 0,
sizeof(local_verify_data), local_verify_data) != 1) {
error_print(); error_print();
tls_send_alert(conn, TLS_alert_internal_error); tls_send_alert(conn, TLS_alert_internal_error);
return -1; return -1;
@@ -3312,13 +3290,8 @@ int tls_send_server_finished(TLS_CONNECT *conn)
if (conn->recordlen == 0) { if (conn->recordlen == 0) {
if(conn->verbose) tls_trace("send server Finished\n"); if(conn->verbose) tls_trace("send server Finished\n");
uint8_t dgst[32]; if (tls_compute_verify_data(conn->digest, conn->master_secret,
size_t dgstlen; "server finished", &conn->dgst_ctx, local_verify_data) != 1) {
digest_finish(&conn->dgst_ctx, dgst, &dgstlen);
if (tls_prf(conn->digest, conn->master_secret, 48, "server finished", dgst, dgstlen, NULL, 0,
sizeof(local_verify_data), local_verify_data) != 1) {
error_print(); error_print();
return -1; return -1;
} }
@@ -3363,22 +3336,12 @@ int tls_recv_server_finished(TLS_CONNECT *conn)
uint8_t finished_record[TLS_FINISHED_RECORD_BUF_SIZE]; uint8_t finished_record[TLS_FINISHED_RECORD_BUF_SIZE];
size_t finished_record_len; size_t finished_record_len;
uint8_t dgst[32];
size_t dgstlen;
const uint8_t *verify_data; const uint8_t *verify_data;
size_t verify_data_len; size_t verify_data_len;
uint8_t local_verify_data[12]; uint8_t local_verify_data[12];
if (tls_compute_verify_data(conn->digest, conn->master_secret,
"server finished", &conn->dgst_ctx, local_verify_data) != 1) {
if (digest_finish(&conn->dgst_ctx, dgst, &dgstlen) != 1) {
error_print();
return -1;
}
if (tls_prf(conn->digest, conn->master_secret, 48, "server finished",
dgst, dgstlen, NULL, 0,
sizeof(local_verify_data), local_verify_data) != 1) {
error_print(); error_print();
tls_send_alert(conn, TLS_alert_internal_error); tls_send_alert(conn, TLS_alert_internal_error);
return -1; return -1;