diff --git a/CMakeLists.txt b/CMakeLists.txt index b18fb3ae..bae0be19 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -831,7 +831,7 @@ endif() # set(CPACK_PACKAGE_NAME "GmSSL") set(CPACK_PACKAGE_VENDOR "GmSSL develop team") -set(CPACK_PACKAGE_VERSION "3.2.0-dev.1117") +set(CPACK_PACKAGE_VERSION "3.2.0-dev.1118") set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md) set(CPACK_NSIS_MODIFY_PATH ON) include(CPack) diff --git a/include/gmssl/tls.h b/include/gmssl/tls.h index a865d9f3..9f83c91c 100644 --- a/include/gmssl/tls.h +++ b/include/gmssl/tls.h @@ -811,7 +811,7 @@ enum { TLS_verbose_print_key = 5, }; -#define TLS_MAX_CIPHER_SUITES_COUNT 64 +#define TLS_MAX_CIPHER_SUITES 16 typedef struct { @@ -836,7 +836,7 @@ typedef struct { int protocol; - int cipher_suites[TLS_MAX_CIPHER_SUITES_COUNT]; + int cipher_suites[TLS_MAX_CIPHER_SUITES]; size_t cipher_suites_cnt; uint8_t cert_chains[8192]; @@ -995,6 +995,9 @@ extern const size_t tls13_signature_algorithms_cnt; extern const int tls13_cipher_suites[]; extern const size_t tls13_cipher_suites_cnt; +extern const int tls_cipher_suites[]; +extern const size_t tls_cipher_suites_cnt; + int tls_ctx_init(TLS_CTX *ctx, int protocol, int is_client); diff --git a/include/gmssl/version.h b/include/gmssl/version.h index f2fcfbc8..a4cbf6fd 100644 --- a/include/gmssl/version.h +++ b/include/gmssl/version.h @@ -18,7 +18,7 @@ extern "C" { #define GMSSL_VERSION_NUM 30200 -#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1117" +#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1118" int gmssl_version_num(void); const char *gmssl_version_str(void); diff --git a/src/tlcp.c b/src/tlcp.c index 341a14ff..7ebbf341 100644 --- a/src/tlcp.c +++ b/src/tlcp.c 
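Review bot: The define in include/gmssl/tls.h is renamed from `TLS_MAX_CIPHER_SUITES_COUNT` to `TLS_MAX_CIPHER_SUITES` and lowered from 64 to 16 without any comment on what the limit covers. This is a public header, and the next hunk sizes the context's `cipher_suites` array with it, so both the name and the capacity change for users of the header. I would add a comment above the define, for example `/* capacity of every cipher-suite array, configured or derived from a peer; must stay >= tls_cipher_suites_cnt */`. If out-of-tree code is expected to build against this header, consider keeping `#define TLS_MAX_CIPHER_SUITES_COUNT TLS_MAX_CIPHER_SUITES` as a deprecated alias.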
@@ -1910,7 +1910,6 @@ int tlcp_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentle conn->record_offset = 0; conn->sentlen = inlen; conn->send_state = TLS_state_send_record; - if(conn->verbose) tls_encrypted_record_trace(stderr, conn->record, recordlen, 0, 0); } ret = tls_send_record(conn); diff --git a/src/tls.c b/src/tls.c index b0ce75b6..80e52b74 100644 --- a/src/tls.c +++ b/src/tls.c @@ -26,6 +26,33 @@ #include +const int tls_cipher_suites[] = { + TLS_cipher_ecc_sm4_cbc_sm3, + TLS_cipher_ecc_sm4_gcm_sm3, + TLS_cipher_ecdhe_sm4_cbc_sm3, + TLS_cipher_ecdhe_sm4_gcm_sm3, +#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1) + TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256, + TLS_cipher_ecdhe_ecdsa_with_aes_128_gcm_sha256, +#ifdef ENABLE_AES_CCM + TLS_cipher_ecdhe_ecdsa_with_aes_128_ccm, +#endif +#endif + TLS_cipher_sm4_gcm_sm3, +#ifdef ENABLE_SM4_CCM + TLS_cipher_sm4_ccm_sm3, +#endif +#if defined(ENABLE_AES) && defined(ENABLE_SHA2) + TLS_cipher_aes_128_gcm_sha256, +#ifdef ENABLE_AES_CCM + TLS_cipher_aes_128_ccm_sha256, +#endif +#endif +}; +const size_t tls_cipher_suites_cnt = + sizeof(tls_cipher_suites)/sizeof(tls_cipher_suites[0]); + + void tls_uint8_to_bytes(uint8_t a, uint8_t **out, size_t *outlen) { if (out && *out) { @@ -1415,7 +1442,7 @@ int tls_record_set_handshake_client_hello(uint8_t *record, size_t *recordlen, return -1; } } - if (cipher_suites_count > TLS_MAX_CIPHER_SUITES_COUNT) { + if (cipher_suites_count > TLS_MAX_CIPHER_SUITES) { error_print(); return -1; } @@ -2356,11 +2383,7 @@ int tls_decrypt_recv(TLS_CONNECT *conn) conn->recv_state = 0; recordlen = conn->recordlen; if (conn->verbose) { - if (conn->protocol == TLS_protocol_tls12) { - tls_encrypted_record_print(stderr, record, recordlen, 0, 0); - } else { - tls_encrypted_record_trace(stderr, record, recordlen, 0, 0); - } + tls_trace("recv {Record}\n"); } if (conn->protocol == TLS_protocol_tls12) { 
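Review bot: Nothing ties the new `tls_cipher_suites[]` table in src/tls.c to `TLS_MAX_CIPHER_SUITES`, which this commit lowers to 16. With every `ENABLE_*` option on, the table already holds 11 entries, so a few more suites would silently outgrow the arrays sized by the macro. A compile-time check after `tls_cipher_suites_cnt` would catch that, assuming the project builds as C11: `_Static_assert(sizeof(tls_cipher_suites)/sizeof(tls_cipher_suites[0]) <= TLS_MAX_CIPHER_SUITES, "tls_cipher_suites exceeds TLS_MAX_CIPHER_SUITES");`. The table also needs a comment saying whether its order is a preference order, since the CBC suites are listed ahead of their GCM counterparts and the last entries look like TLS 1.3 suites mixed into the same list.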
@@ -2452,14 +2475,12 @@ static int tls12_tlcp_recv(TLS_CONNECT *conn, uint8_t *out, size_t outlen, size_ int alert; tls_record_get_alert(conn->databuf, &level, &alert); if (alert == TLS_alert_close_notify) { - if(conn->verbose) tls_trace("recv {Alert.close_notify}\n"); conn->close_notify_received = 1; conn->data = NULL; conn->datalen = 0; tls_clean_record(conn); return 0; } - if(conn->verbose) tls_trace("recv {Alert}\n"); conn->data = NULL; conn->datalen = 0; tls_clean_record(conn); @@ -2527,8 +2548,13 @@ static int tls12_send_close_notify(TLS_CONNECT *conn) if(conn->verbose) tls_trace("send {Alert.close_notify}\n"); + tls_record_set_protocol(conn->plain_record, conn->protocol); tls_record_set_alert(conn->plain_record, &conn->plain_recordlen, TLS_alert_level_warning, TLS_alert_close_notify); + if (conn->verbose) { + tls_record_print(stderr, 0, 0, conn->cipher_suite, + conn->plain_record, conn->plain_recordlen); + } if (tls_record_encrypt(conn->cipher_suite, hmac, key, iv, seq_num, conn->plain_record, conn->plain_recordlen, @@ -2580,8 +2606,13 @@ static int tls13_send_close_notify(TLS_CONNECT *conn) if(conn->verbose) tls_trace("send {Alert.close_notify}\n"); + tls_record_set_protocol(conn->plain_record, TLS_protocol_tls12); tls_record_set_alert(conn->plain_record, &conn->plain_recordlen, TLS_alert_level_warning, TLS_alert_close_notify); + if (conn->verbose) { + tls13_record_print(stderr, 0, 0, + conn->plain_record, conn->plain_recordlen); + } tls13_padding_len_rand(&padding_len); if (tls13_record_encrypt(conn->cipher_suite, key, iv, seq_num, conn->plain_record, conn->plain_recordlen, padding_len, conn->record, &conn->recordlen) != 1) { diff --git a/src/tls12.c b/src/tls12.c index 88d1299e..5783394c 100644 --- a/src/tls12.c +++ b/src/tls12.c 
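Review bot: The added `tls_record_set_protocol()` call in `tls12_send_close_notify` and the `tls_record_set_alert()` call after it both discard their results. If either can fail, the new `tls_record_print` and the following `tls_record_encrypt` would work on whatever `conn->plain_record` and `conn->plain_recordlen` held before. Assuming these helpers follow the `!= 1` convention visible on `tls13_record_encrypt`, I would write `if (tls_record_set_protocol(conn->plain_record, conn->protocol) != 1) { error_print(); return -1; }` and treat `tls_record_set_alert` the same way. The same unchecked pair is added in `tls13_send_close_notify` in the next hunk. Both functions start and end outside their hunks.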
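Review bot: The literal `TLS_protocol_tls12` passed to `tls_record_set_protocol` inside `tls13_send_close_notify` looks like a copy-paste slip without an explanation. If it is the record-layer legacy version that TLS 1.3 keeps on the wire, a one-line comment above the call would make that clear: `/* TLS 1.3 records carry legacy_record_version 0x0303, i.e. TLS 1.2 */`.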
@@ -938,7 +938,7 @@ int tls_send_client_hello(TLS_CONNECT *conn) uint8_t exts[TLS_MAX_EXTENSIONS_SIZE]; uint8_t *pexts = exts; size_t extslen = 0; - int cipher_suites[TLS_MAX_CIPHER_SUITES_COUNT + 1]; + int cipher_suites[TLS_MAX_CIPHER_SUITES + 1]; const int *client_cipher_suites = conn->ctx->cipher_suites; size_t client_cipher_suites_cnt = conn->ctx->cipher_suites_cnt; @@ -1924,9 +1924,6 @@ int tls_recv_server_finished(TLS_CONNECT *conn) } return ret; } - if(conn->verbose) - tls_trace("recv server {Finished}\n"); - if (tls_record_protocol(conn->record) != conn->protocol) { error_print(); tls12_send_alert(conn, TLS_alert_unexpected_message); @@ -2001,7 +1998,7 @@ int tls_recv_client_hello(TLS_CONNECT *conn) const uint8_t *renegotiation_info = NULL; size_t renegotiation_info_len = 0; int empty_renegotiation_info_scsv = 0; - int common_cipher_suites[TLS_MAX_CIPHER_SUITES_COUNT]; + int common_cipher_suites[TLS_MAX_CIPHER_SUITES]; size_t common_cipher_suites_cnt = 0; int common_supported_groups[32]; size_t common_supported_groups_cnt = 0; @@ -2913,16 +2910,12 @@ int tls_recv_client_finished(TLS_CONNECT *conn) return -1; } - // recv ClientFinished - if(conn->verbose) tls_trace("recv client {Finished}\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { error_print(); } return ret; } - //tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, conn->recordlen); - if (tls_record_protocol(conn->record) != conn->protocol) { error_print(); tls_send_alert(conn, TLS_alert_unexpected_message); @@ -3144,6 +3137,7 @@ int tls12_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentl error_print(); return -1; } + if(conn->verbose) tls_trace("send {ApplicationData}\n"); if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->databuf, tls_record_length(conn->databuf)); switch (conn->cipher_suite) { 
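Review bot: The local `cipher_suites[TLS_MAX_CIPHER_SUITES + 1]` in `tls_send_client_hello` reserves one slot more than `tls_record_set_handshake_client_hello` accepts, because the check in src/tls.c rejects `cipher_suites_count > TLS_MAX_CIPHER_SUITES`. The code that fills the array is outside this hunk, so this is inferred: if the extra slot holds an appended signalling value, a context configured with all 16 suites could not build its ClientHello. The cap dropping from 64 to 16 makes that easier to reach. Either let the record builder accept the extra entry or cap the configured list one lower, and say which in a comment beside the declaration.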
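Review bot: `common_cipher_suites` in `tls_recv_client_hello` shrinks from 64 to 16 entries, and the code that fills it from the peer's ClientHello is outside this hunk, so its write bound should be confirmed. That code should take its capacity from the array itself, for example `sizeof(common_cipher_suites)/sizeof(common_cipher_suites[0])`. It should also stop or de-duplicate once the array is full, so that a peer list with repeated entries cannot push `common_cipher_suites_cnt` past the array. The same check applies to `common_cipher_suites[TLS_MAX_CIPHER_SUITES]` in `tls13_recv_client_hello` in src/tls13.c, where the array grows from 4 and any capacity argument still written as a literal would need updating.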
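Review bot: The added `tls_trace` line in `tls12_send` gets its own brace-less `if(conn->verbose)` directly above a second brace-less `if(conn->verbose)`, which is easy to break on the next edit. One braced block is clearer: `if (conn->verbose) { tls_trace("send {ApplicationData}\n"); tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->databuf, tls_record_length(conn->databuf)); }`. The same duplication appears in `tls12_send_alert_ex`, where the new `tls_trace("send {Alert}\n")` block is followed by a second `if (conn->verbose)` block. `conn->databuf` is printed before the cipher-suite switch and so appears to be the unencrypted record; a comment that verbose output contains application data would help operators decide where stderr may go.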
@@ -3195,7 +3189,6 @@ int tls12_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentl conn->record_offset = 0; conn->sentlen = inlen; conn->send_state = TLS_state_send_record; - if(conn->verbose) tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->record, recordlen); } ret = tls_send_record(conn); @@ -3263,6 +3256,9 @@ static int tls12_send_alert_ex(TLS_CONNECT *conn, int level, int alert) error_print(); return -1; } + if (conn->verbose) { + tls_trace("send {Alert}\n"); + } if (conn->verbose) { tls_record_print(stderr, 0, 0, conn->cipher_suite, conn->plain_record, conn->plain_recordlen); } @@ -3278,10 +3274,6 @@ static int tls12_send_alert_ex(TLS_CONNECT *conn, int level, int alert) tls_seq_num_incr(seq_num); conn->record_offset = 0; conn->send_state = TLS_state_send_record; - - if (conn->verbose) { - tls_encrypted_record_print(stderr, conn->record, conn->recordlen, 0, 0); - } } ret = tls_send_record(conn); diff --git a/src/tls13.c b/src/tls13.c index 45a0acb0..992af122 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -1273,7 +1273,7 @@ int tls13_send(TLS_CONNECT *conn, const uint8_t *data, size_t datalen, size_t *s if(conn->verbose) tls_trace("send {ApplicationData}\n"); - tls13_record_print(stderr, 0, 0, conn->record, conn->recordlen); + tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen); } @@ -1511,7 +1511,6 @@ int tls13_do_recv(TLS_CONNECT *conn) return -1; } if (alert_description == TLS_alert_close_notify) { - if(conn->verbose) tls_trace("recv {Alert.close_notify}\n"); conn->close_notify_received = 1; conn->data = NULL; conn->datalen = 0; @@ -7233,7 +7232,7 @@ int tls13_recv_client_hello(TLS_CONNECT *conn) // * [server_name.host_name] // if (common_key_exchange_modes & TLS_KE_CERT_DHE) { - int common_cipher_suites[4]; + int common_cipher_suites[TLS_MAX_CIPHER_SUITES]; size_t common_cipher_suites_cnt; if (!conn->ctx->cert_chains_len) { 
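Review bot: The `if(conn->verbose)` in this `tls13_send` hunk has no braces, so it covers only the `tls_trace(...)` statement. The changed `tls13_record_print` call therefore runs regardless of `conn->verbose`, unless an outer guard exists outside the hunk. The call now prints `conn->plain_record` instead of the encrypted `conn->record`, so application plaintext would be written to stderr on every send. Bracing the pair fixes it: `if (conn->verbose) { tls_trace("send {ApplicationData}\n"); tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen); }`.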
@@ -8831,8 +8830,6 @@ int tls13_send_client_key_update(TLS_CONNECT *conn, int request_update) // xxxxxxxx conn->record_offset = 0; - tls13_record_print(stderr, 0, 0, conn->record, conn->recordlen); - tls13_update_client_application_secret(conn); tls13_generate_client_application_keys(conn); @@ -8881,7 +8878,6 @@ int tls13_send_server_key_update(TLS_CONNECT *conn, int request_update) error_print(); return -1; } - tls13_record_print(stderr, 0, 0, conn->record, conn->recordlen); conn->record_offset = 0; diff --git a/tools/tlcp_client.c b/tools/tlcp_client.c index 71269055..4443e7b8 100644 --- a/tools/tlcp_client.c +++ b/tools/tlcp_client.c @@ -208,7 +208,7 @@ int tlcp_client_main(int argc, char *argv[]) char *host = NULL; int port = 443; - int cipher_suites[4]; + int cipher_suites[TLS_MAX_CIPHER_SUITES]; size_t cipher_suites_cnt = 0; int supported_groups[4]; size_t supported_groups_cnt = 0; diff --git a/tools/tlcp_server.c b/tools/tlcp_server.c index ad86ae9b..df423e28 100644 --- a/tools/tlcp_server.c +++ b/tools/tlcp_server.c @@ -145,7 +145,7 @@ int tlcp_server_main(int argc , char **argv) int ret = 1; char *prog = argv[0]; int port = 443; - int cipher_suites[4]; + int cipher_suites[TLS_MAX_CIPHER_SUITES]; size_t cipher_suites_cnt = 0; char *certfiles[4]; size_t certfiles_cnt = 0; diff --git a/tools/tls12_client.c b/tools/tls12_client.c index d715a437..e43adbac 100644 --- a/tools/tls12_client.c +++ b/tools/tls12_client.c @@ -199,7 +199,7 @@ int tls12_client_main(int argc, char *argv[]) char *prog = argv[0]; char *host = NULL; int port = 443; - int cipher_suites[4]; + int cipher_suites[TLS_MAX_CIPHER_SUITES]; size_t cipher_suites_cnt = 0; int supported_groups[4]; size_t supported_groups_cnt = 0; diff --git a/tools/tls12_server.c b/tools/tls12_server.c index 631c697a..ba46ae0f 100644 --- a/tools/tls12_server.c +++ b/tools/tls12_server.c 
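Review bot: Growing `cipher_suites` from 4 to `TLS_MAX_CIPHER_SUITES` entries in `tlcp_client_main` only helps if the option-parsing code that fills it bounds itself by the array rather than by a literal, and that code is outside this hunk. I would check that it compares `cipher_suites_cnt` against `sizeof(cipher_suites)/sizeof(cipher_suites[0])` before each store and reports an error when the list is full. The same declaration change is made in tools/tlcp_server.c, tools/tls12_client.c, tools/tls12_server.c, tools/tls13_client.c and tools/tls13_server.c. `supported_groups[4]` beside it keeps its literal size, so its bound should stay independent of the cipher-suite one.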
@@ -134,7 +134,7 @@ int tls12_server_main(int argc , char **argv) int ret = 1; char *prog = argv[0]; int port = 443; - int cipher_suites[4]; + int cipher_suites[TLS_MAX_CIPHER_SUITES]; size_t cipher_suites_cnt = 0; int supported_groups[4]; size_t supported_groups_cnt = 0; diff --git a/tools/tls13_client.c b/tools/tls13_client.c index 82669f9f..1632cd43 100644 --- a/tools/tls13_client.c +++ b/tools/tls13_client.c @@ -230,7 +230,7 @@ int tls13_client_main(int argc, char *argv[]) int port = 443; // cipher_suites - int cipher_suites[4]; + int cipher_suites[TLS_MAX_CIPHER_SUITES]; size_t cipher_suites_cnt = 0; // CA certificates diff --git a/tools/tls13_server.c b/tools/tls13_server.c index 044ead3e..a7aec4e4 100644 --- a/tools/tls13_server.c +++ b/tools/tls13_server.c @@ -132,7 +132,7 @@ int tls13_server_main(int argc , char **argv) char buf[1600] = {0}; size_t len = sizeof(buf); - int cipher_suites[4]; + int cipher_suites[TLS_MAX_CIPHER_SUITES]; size_t cipher_suites_cnt = 0;