abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-06-19 19:33:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

Clean TLCP code

Browse Source
This commit is contained in:
Zhi Guan
2026-06-16 18:01:54 +08:00
parent 171c88bb4c
commit 6da7e1056a
4 changed files with 49 additions and 490 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CMakeLists.txt
View File

@@ -818,7 +818,7 @@ endif()
#
set(CPACK_PACKAGE_NAME "GmSSL")
set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
set(CPACK_PACKAGE_VERSION "3.2.0-dev.1061")
set(CPACK_PACKAGE_VERSION "3.2.0-dev.1062")
set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
set(CPACK_NSIS_MODIFY_PATH ON)
include(CPack)

2
include/gmssl/version.h
View File

@@ -18,7 +18,7 @@ extern "C" {
#define GMSSL_VERSION_NUM 30200
#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1061"
#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1062"
int gmssl_version_num(void);
const char *gmssl_version_str(void);

469
src/tlcp.c
View File

@@ -746,6 +746,8 @@ int tlcp_recv_server_hello(TLS_CONNECT *conn)
return 1;
}
// 这个必须要独立的因为TLCP的是双证书这个双证书是从对方读取的
int tlcp_recv_server_certificate(TLS_CONNECT *conn)
{
int ret;
@@ -981,92 +983,6 @@ int tlcp_recv_certificate_request(TLS_CONNECT *conn)
return 1;
}
int tlcp_recv_server_hello_done(TLS_CONNECT *conn)
{
int ret;
if(conn->verbose) tls_trace("recv ServerHelloDone\n");
if ((ret = tls_recv_record(conn)) != 1) {
if (ret != TLS_ERROR_RECV_AGAIN) {
error_print();
}
return ret;
}
if (tls_record_protocol(conn->record) != TLS_protocol_tlcp) {
error_print();
tls_send_alert(conn, TLS_alert_unexpected_message);
return -1;
}
if (conn->verbose)
tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
if (tls_record_get_handshake_server_hello_done(conn->record) != 1) {
error_print();
tls_send_alert(conn, TLS_alert_unexpected_message);
return -1;
}
if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
error_print();
return -1;
}
if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx);
if (tls_update_transcript(conn, conn->record) != 1) {
error_print();
return -1;
}
return 1;
}
int tlcp_send_client_certificate(TLS_CONNECT *conn)
{
int ret;
if (conn->client_certs_len == 0) {
error_print();
return -1;
}
if (conn->recordlen == 0) {
if (conn->verbose)
tls_trace("send client Certificate\n");
if (tls_record_set_handshake_certificate(conn->record, &conn->recordlen,
conn->cert_chain, conn->cert_chain_len) != 1) {
error_print();
tls_send_alert(conn, TLS_alert_internal_error);
return -1;
}
if (conn->verbose)
tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
error_print();
return -1;
}
if (conn->verbose)
tls_handshake_digest_print(stderr, 0, 0, "client Certificate", &conn->dgst_ctx);
if (tls_update_transcript(conn, conn->record) != 1) {
error_print();
return -1;
}
}
if ((ret = tls_send_record(conn)) != 1) {
if (ret != TLS_ERROR_SEND_AGAIN) {
error_print();
}
return ret;
}
return 1;
}
int tlcp_send_client_key_exchange(TLS_CONNECT *conn)
{
int ret;
@@ -1137,191 +1053,6 @@ int tlcp_send_client_key_exchange(TLS_CONNECT *conn)
return 1;
}
int tlcp_send_certificate_verify(TLS_CONNECT *conn)
{
int ret;
uint8_t sig[SM2_MAX_SIGNATURE_SIZE];
size_t siglen;
if (conn->verbose)
tls_trace("send CertificateVerify\n");
if (conn->recordlen == 0) {
X509_KEY *sign_key = &conn->ctx->x509_keys[conn->cert_chain_idx - 1];
X509_SIGN_CTX sign_ctx;
if (x509_sign_init(&sign_ctx, sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1
|| x509_sign_update(&sign_ctx, conn->transcript, conn->transcript_len) != 1
|| x509_sign_finish(&sign_ctx, sig, &siglen) != 1) {
gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
error_print();
return -1;
}
gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
if (tls_record_set_handshake_certificate_verify(conn->record, &conn->recordlen, sig, siglen) != 1) {
error_print();
tls_send_alert(conn, TLS_alert_internal_error);
return -1;
}
if (conn->verbose)
tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
error_print();
return -1;
}
if (conn->verbose)
tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx);
if (tls_update_transcript(conn, conn->record) != 1) {
error_print();
return -1;
}
}
if ((ret = tls_send_record(conn)) != 1) {
if (ret != TLS_ERROR_SEND_AGAIN) {
error_print();
}
return ret;
}
return 1;
}
int tlcp_send_client_finished(TLS_CONNECT *conn)
{
int ret;
if (conn->recordlen == 0) {
uint8_t verify_data[12];
if (conn->verbose)
tls_trace("send client {Finished}\n");
if (tls_compute_verify_data(conn->digest, conn->master_secret, "client finished", &conn->dgst_ctx, verify_data) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_internal_error);
return -1;
}
tls_record_set_protocol(conn->plain_record, conn->protocol);
if (tls_record_set_handshake_finished(conn->plain_record, &conn->plain_recordlen,
verify_data, sizeof(verify_data)) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_internal_error);
return -1;
}
if (conn->verbose)
tlcp_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
if (digest_update(&conn->dgst_ctx, conn->plain_record + 5, conn->plain_recordlen - 5) != 1) {
error_print();
return -1;
}
if (conn->verbose)
tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx);
if (tls_update_transcript(conn, conn->plain_record) != 1) {
error_print();
return -1;
}
if (tls_record_encrypt(conn->cipher_suite,
&conn->client_write_mac_ctx, &conn->client_write_key, conn->client_write_iv,
conn->client_seq_num, conn->plain_record, conn->plain_recordlen,
conn->record, &conn->recordlen) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_internal_error);
return -1;
}
tls_seq_num_incr(conn->client_seq_num);
}
if ((ret = tls_send_record(conn)) != 1) {
if (ret != TLS_ERROR_SEND_AGAIN) {
error_print();
}
return ret;
}
return 1;
}
int tlcp_recv_server_finished(TLS_CONNECT *conn)
{
int ret;
uint8_t sm3_hash[32];
const uint8_t *verify_data;
size_t verify_data_len;
uint8_t local_verify_data[12];
if ((ret = tls_recv_record(conn)) != 1) {
if (ret != TLS_ERROR_RECV_AGAIN) {
error_print();
}
return ret;
}
if(conn->verbose)
tls_trace("recv server {Finished}\n");
if (conn->verbose)
tls_encrypted_record_print(stderr, conn->record, conn->recordlen, 0, 0);
if (tls_record_protocol(conn->record) != TLS_protocol_tlcp) {
error_print();
tls12_send_alert(conn, TLS_alert_unexpected_message);
return -1;
}
if (tls_record_decrypt(conn->cipher_suite,
&conn->server_write_mac_ctx, &conn->server_write_key, conn->server_write_iv,
conn->server_seq_num, conn->record, conn->recordlen,
conn->plain_record, &conn->plain_recordlen) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_bad_record_mac);
return -1;
}
tls_seq_num_incr(conn->server_seq_num);
if (conn->verbose)
tlcp_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
// no more digest_update
if (tls_record_get_handshake_finished(conn->plain_record, &verify_data, &verify_data_len) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_unexpected_message);
return -1;
}
if (verify_data_len != sizeof(local_verify_data)) {
error_print();
tls12_send_alert(conn, TLS_alert_unexpected_message);
return -1;
}
if (tls_compute_verify_data(conn->digest, conn->master_secret, "server finished", &conn->dgst_ctx, local_verify_data) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_internal_error);
return -1;
}
memset(&conn->dgst_ctx, 0, sizeof(conn->dgst_ctx));
if (memcmp(verify_data, local_verify_data, sizeof(local_verify_data)) != 0) {
error_print();
tls12_send_alert(conn, TLS_alert_decrypt_error);
return -1;
}
return 1;
}
// Server
static int tlcp_cert_chains_select(TLS_CONNECT *conn,
@@ -1823,52 +1554,9 @@ int tlcp_send_server_hello(TLS_CONNECT *conn)
return 1;
}
int tlcp_send_server_certificate(TLS_CONNECT *conn)
{
int ret;
if(conn->verbose) tls_trace("send ServerCertificate\n");
if (conn->recordlen == 0) {
if (!conn->cert_chain || !conn->cert_chain_len) {
error_print();
tls_send_alert(conn, TLS_alert_internal_error);
return -1;
}
if (tls_record_set_handshake_certificate(conn->record, &conn->recordlen,
conn->cert_chain, conn->cert_chain_len) != 1) {
error_print();
tls_send_alert(conn, TLS_alert_internal_error);
return -1;
}
if (conn->verbose)
tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
error_print();
return -1;
}
if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx);
if (tls_update_transcript(conn, conn->record) != 1) {
error_print();
return -1;
}
}
if ((ret = tls_send_record(conn)) != 1) {
if (ret != TLS_ERROR_SEND_AGAIN) {
error_print();
}
return ret;
}
if (conn->client_certificate_verify) {
tls_client_verify_update(&conn->client_verify_ctx, conn->record + 5, conn->recordlen - 5);
}
return 1;
}
// TLCP的ServerKeyExchange 需要对服务器的证书签名
// 这是一个明显的不同,因此还是独立比较好
int tlcp_send_server_key_exchange(TLS_CONNECT *conn)
{
@@ -2024,6 +1712,8 @@ int tlcp_check_pre_master_secret(TLS_CONNECT *conn)
return 1;
}
int tlcp_send_certificate_request(TLS_CONNECT *conn)
{
int ret;
@@ -2163,135 +1853,6 @@ int tlcp_recv_client_key_exchange(TLS_CONNECT *conn)
return 1;
}
int tlcp_recv_certificate_verify(TLS_CONNECT *conn)
{
int ret;
if ((ret = tls_recv_certificate_verify(conn)) != 1) {
error_print();
return ret;
}
return 1;
}
int tlcp_recv_client_finished(TLS_CONNECT *conn)
{
int ret;
const uint8_t *verify_data;
size_t verify_data_len;
uint8_t local_verify_data[12];
if (tls_compute_verify_data(conn->digest, conn->master_secret, "client finished",
&conn->dgst_ctx, local_verify_data) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_internal_error);
return -1;
}
if(conn->verbose) tls_trace("recv client {Finished}\n");
if ((ret = tls_recv_record(conn)) != 1) {
if (ret != TLS_ERROR_RECV_AGAIN) {
error_print();
}
return ret;
}
if (tls_record_protocol(conn->record) != conn->protocol) {
error_print();
tls12_send_alert(conn, TLS_alert_unexpected_message);
return -1;
}
if (tls_record_decrypt(conn->cipher_suite,
&conn->client_write_mac_ctx, &conn->client_write_key, conn->client_write_iv,
conn->client_seq_num, conn->record, conn->recordlen,
conn->plain_record, &conn->plain_recordlen) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_bad_record_mac);
return -1;
}
tls_seq_num_incr(conn->client_seq_num);
if (tls_update_transcript(conn, conn->record) != 1) {
error_print();
return -1;
}
if (conn->verbose)
tlcp_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
if (tls_record_get_handshake_finished(conn->plain_record, &verify_data, &verify_data_len) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_unexpected_message);
return -1;
}
if (verify_data_len != sizeof(local_verify_data)
|| memcmp(verify_data, local_verify_data, sizeof(local_verify_data)) != 0) {
error_print();
tls12_send_alert(conn, TLS_alert_decrypt_error);
return -1;
}
if (digest_update(&conn->dgst_ctx, conn->plain_record + 5, conn->plain_recordlen - 5) != 1) {
error_print();
return -1;
}
if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx);
return 1;
}
int tlcp_send_server_finished(TLS_CONNECT *conn)
{
int ret;
uint8_t verify_data[12];
if (conn->recordlen == 0) {
if(conn->verbose) tls_trace("send server {Finished}\n");
if (tls_compute_verify_data(conn->digest, conn->master_secret, "server finished",
&conn->dgst_ctx, verify_data) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_internal_error);
return -1;
}
tls_record_set_protocol(conn->plain_record, conn->protocol);
if (tls_record_set_handshake_finished(conn->plain_record, &conn->plain_recordlen,
verify_data, sizeof(verify_data)) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_internal_error);
return -1;
}
if (conn->verbose)
tlcp_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
if (tls_update_transcript(conn, conn->plain_record) != 1) {
error_print();
return -1;
}
if (tls_record_encrypt(conn->cipher_suite,
&conn->server_write_mac_ctx, &conn->server_write_key, conn->server_write_iv,
conn->server_seq_num, conn->plain_record, conn->plain_recordlen,
conn->record, &conn->recordlen) != 1) {
error_print();
tls12_send_alert(conn, TLS_alert_internal_error);
return -1;
}
tls_seq_num_incr(conn->server_seq_num);
}
if ((ret = tls_send_record(conn)) != 1) {
if (ret != TLS_ERROR_SEND_AGAIN) {
error_print();
}
return ret;
}
return 1;
}
int tlcp_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentlen)
{
const HMAC_CTX *hmac_ctx;
@@ -2459,14 +2020,14 @@ int tlcp_do_client_handshake(TLS_CONNECT *conn)
break;
case TLS_state_server_hello_done:
ret = tlcp_recv_server_hello_done(conn);
ret = tls_recv_server_hello_done(conn);
if (conn->client_certificate_verify)
next_state = TLS_state_client_certificate;
else next_state = TLS_state_client_key_exchange;
break;
case TLS_state_client_certificate:
ret = tlcp_send_client_certificate(conn);
ret = tls_send_client_certificate(conn);
next_state = TLS_state_client_key_exchange;
break;
@@ -2478,7 +2039,7 @@ int tlcp_do_client_handshake(TLS_CONNECT *conn)
break;
case TLS_state_certificate_verify:
ret = tlcp_send_certificate_verify(conn);
ret = tls_send_certificate_verify(conn);
next_state = TLS_state_client_change_cipher_spec;
break;
@@ -2488,7 +2049,7 @@ int tlcp_do_client_handshake(TLS_CONNECT *conn)
break;
case TLS_state_client_finished:
ret = tlcp_send_client_finished(conn);
ret = tls_send_client_finished(conn);
next_state = TLS_state_server_change_cipher_spec;
break;
@@ -2498,7 +2059,7 @@ int tlcp_do_client_handshake(TLS_CONNECT *conn)
break;
case TLS_state_server_finished:
ret = tlcp_recv_server_finished(conn);
ret = tls_recv_server_finished(conn);
next_state = TLS_state_handshake_over;
break;
@@ -2543,7 +2104,7 @@ int tlcp_do_server_handshake(TLS_CONNECT *conn)
break;
case TLS_state_server_certificate:
ret = tlcp_send_server_certificate(conn);
ret = tls_send_server_certificate(conn);
next_state = TLS_state_server_key_exchange;
break;
@@ -2579,7 +2140,7 @@ int tlcp_do_server_handshake(TLS_CONNECT *conn)
break;
case TLS_state_certificate_verify:
ret = tlcp_recv_certificate_verify(conn);
ret = tls_recv_certificate_verify(conn);
next_state = TLS_state_client_change_cipher_spec;
break;
@@ -2589,7 +2150,7 @@ int tlcp_do_server_handshake(TLS_CONNECT *conn)
break;
case TLS_state_client_finished:
ret = tlcp_recv_client_finished(conn);
ret = tls_recv_client_finished(conn);
next_state = TLS_state_server_change_cipher_spec;
break;
@@ -2599,7 +2160,7 @@ int tlcp_do_server_handshake(TLS_CONNECT *conn)
break;
case TLS_state_server_finished:
ret = tlcp_send_server_finished(conn);
ret = tls_send_server_finished(conn);
next_state = TLS_state_handshake_over;
break;

66
src/tls12.c
View File

@@ -1553,14 +1553,11 @@ int tls_recv_server_hello(TLS_CONNECT *conn)
return 1;
}
// TLS12 发送的是常规的证书链
// TLCP SM2 发送的是SM2的双证书链但是在数据格式上没有区别
// TLCP SM9 发送的是服务器的ID和SM9公开参数这个格式是不同的但是存储上可能也是一样的
// 我不确定SM2和SM9的格式是否是相容的
int tls_send_server_certificate(TLS_CONNECT *conn)
{
int ret;
if(conn->verbose) tls_trace("send ServerCertificate\n");
if (conn->verbose) tls_trace("send ServerCertificate\n");
if (conn->recordlen == 0) {
if (tls_record_set_handshake_certificate(conn->record, &conn->recordlen,
@@ -1569,18 +1566,17 @@ int tls_send_server_certificate(TLS_CONNECT *conn)
tls_send_alert(conn, TLS_alert_internal_error);
return -1;
}
if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
if (conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
error_print();
return -1;
}
if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx);
if (conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx);
if (tls_update_transcript(conn, conn->record) != 1) {
error_print();
return -1;
}
}
if ((ret = tls_send_record(conn)) != 1) {
@@ -1590,9 +1586,6 @@ int tls_send_server_certificate(TLS_CONNECT *conn)
return ret;
}
if (conn->client_certificate_verify) {
tls_client_verify_update(&conn->client_verify_ctx, conn->record + 5, conn->recordlen - 5);
}
return 1;
}
@@ -1863,11 +1856,8 @@ int tls_send_server_key_exchange(TLS_CONNECT *conn)
error_print();
return -1;
}
}
if ((ret = tls_send_record(conn)) != 1) {
if (ret != TLS_ERROR_SEND_AGAIN) {
error_print();
@@ -1875,11 +1865,6 @@ int tls_send_server_key_exchange(TLS_CONNECT *conn)
return ret;
}
//sm3_update(&conn->sm3_ctx, conn->record + 5, conn->recordlen - 5);
if (conn->client_certificate_verify) {
tls_client_verify_update(&conn->client_verify_ctx, conn->record + 5, conn->recordlen - 5);
}
return 1;
}
@@ -2105,7 +2090,6 @@ int tls_recv_server_key_exchange(TLS_CONNECT *conn)
return 1;
}
int tls12_send_certificate_request(TLS_CONNECT *conn)
{
int ret;
@@ -2157,9 +2141,6 @@ int tls12_send_certificate_request(TLS_CONNECT *conn)
return ret;
}
//sm3_update(&conn->sm3_ctx, conn->record + 5, conn->recordlen - 5);
tls_client_verify_update(&conn->client_verify_ctx, conn->record + 5, conn->recordlen - 5);
return 1;
}
@@ -2551,37 +2532,55 @@ int tls_recv_client_key_exchange(TLS_CONNECT *conn)
}
int tls_send_certificate_verify(TLS_CONNECT *conn)
{
int ret;
uint8_t sig[SM2_MAX_SIGNATURE_SIZE];
size_t siglen;
if(conn->verbose) tls_trace("send CertificateVerify\n");
if (!conn->client_certificate_verify) {
error_print();
return -1;
}
if (conn->verbose)
tls_trace("send CertificateVerify\n");
if (conn->recordlen == 0) {
if (sm2_sign_finish(&conn->sign_ctx, sig, &siglen) != 1) {
X509_KEY *sign_key = &conn->ctx->x509_keys[conn->cert_chain_idx - 1];
X509_SIGN_CTX sign_ctx;
const uint8_t *signer_id = NULL;
size_t signer_idlen = 0;
if (sign_key->algor == OID_ec_public_key && sign_key->algor_param == OID_sm2) {
signer_id = (uint8_t *)SM2_DEFAULT_ID;
signer_idlen = SM2_DEFAULT_ID_LENGTH;
}
if (x509_sign_init(&sign_ctx, sign_key, signer_id, signer_idlen) != 1
|| x509_sign_update(&sign_ctx, conn->transcript, conn->transcript_len) != 1
|| x509_sign_finish(&sign_ctx, sig, &siglen) != 1) {
gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
error_print();
return -1;
}
gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
if (tls_record_set_handshake_certificate_verify(conn->record, &conn->recordlen, sig, siglen) != 1) {
error_print();
tls_send_alert(conn, TLS_alert_internal_error);
return -1;
}
if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
if (conn->verbose)
tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
error_print();
return -1;
}
if (conn->verbose)
tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx);
if (tls_update_transcript(conn, conn->record) != 1) {
error_print();
return -1;
}
}
if ((ret = tls_send_record(conn)) != 1) {
@@ -2591,7 +2590,6 @@ int tls_send_certificate_verify(TLS_CONNECT *conn)
return ret;
}
//sm3_update(&conn->sm3_ctx, conn->record + 5, conn->recordlen - 5);
return 1;
}