Rewrite TLS 1.2 as a state machine

include/gmssl/lms.h

@@ -226,7 +226,7 @@ typedef struct {
 	LMS_PUBLIC_KEY lms_public_key;
 } HSS_PUBLIC_KEY;
 
-#define HSS_PUBLIC_KEY_SIZE (4 + LMS_PUBLIC_KEY_SIZE)
+#define HSS_PUBLIC_KEY_SIZE (4 + LMS_PUBLIC_KEY_SIZE) // = 60 bytes
 
 typedef struct HSS_KEY_st HSS_KEY;
 

include/gmssl/secp256r1_key.h

@@ -49,6 +49,12 @@ int secp256r1_private_key_info_decrypt_from_der(SECP256R1_KEY *ec_key,
 	const uint8_t **attrs, size_t *attrs_len,
 	const char *pass, const uint8_t **in, size_t *inlen);
 
+int secp256r1_private_key_info_encrypt_to_pem(const SECP256R1_KEY *key, const char *pass, FILE *fp);
+int secp256r1_private_key_info_decrypt_from_pem(SECP256R1_KEY *key, const char *pass, FILE *fp);
+
+int secp256r1_do_ecdh(const SECP256R1_KEY *key, const SECP256R1_KEY *pub, uint8_t out[32]);
+int secp256r1_ecdh(const SECP256R1_KEY *key, const uint8_t uncompressed_point[65], uint8_t out[32]);
+
 
 #ifdef __cplusplus
 }

include/gmssl/sm2.h

@@ -249,9 +249,9 @@ enum {
 int sm2_do_encrypt_fixlen(const SM2_KEY *key, const uint8_t *in, size_t inlen, int point_size, SM2_CIPHERTEXT *out);
 int sm2_encrypt_fixlen(const SM2_KEY *key, const uint8_t *in, size_t inlen, int point_size, uint8_t *out, size_t *outlen);
 
-
-int sm2_do_ecdh(const SM2_KEY *key, const SM2_Z256_POINT *peer_public, SM2_Z256_POINT *out);
-int sm2_ecdh(const SM2_KEY *key, const uint8_t *peer_public, size_t peer_public_len, uint8_t out[64]);
+// ECDH in TLS, SECG SEC1, NIST SP800-56A
+int sm2_do_ecdh(const SM2_KEY *key, const SM2_KEY *peer_key, uint8_t out[32]);
+int sm2_ecdh(const SM2_KEY *key, const uint8_t uncompressed_point[65], uint8_t out[32]);
 
 
 typedef struct {

include/gmssl/sphincs.h

@@ -314,7 +314,7 @@ typedef struct {
 	sphincs_hash128_t root;
 } SPHINCS_PUBLIC_KEY;
 
-#define SPHINCS_PUBLIC_KEY_SIZE sizeof(SPHINCS_PUBLIC_KEY)
+#define SPHINCS_PUBLIC_KEY_SIZE sizeof(SPHINCS_PUBLIC_KEY) // = 32 bytes
 
 typedef struct {
 	SPHINCS_PUBLIC_KEY public_key;
@@ -356,7 +356,8 @@ typedef struct {
 	SPHINCS_KEY key;
 } SPHINCS_SIGN_CTX;
 
-int sphincs_sign_init_ex(SPHINCS_SIGN_CTX *ctx, const SPHINCS_KEY *key, int randomize);
+// when optional_random is NULL, sphincs use public_key.seed, generate deterministic signature
+int sphincs_sign_init_ex(SPHINCS_SIGN_CTX *ctx, const SPHINCS_KEY *key, const sphincs_hash128_t optional_random);
 int sphincs_sign_init(SPHINCS_SIGN_CTX *ctx, const SPHINCS_KEY *key);
 int sphincs_sign_prepare(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
 int sphincs_sign_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);

include/gmssl/tls.h

@@ -20,6 +20,7 @@
 #include <gmssl/digest.h>
 #include <gmssl/block_cipher.h>
 #include <gmssl/socket.h>
+#include <gmssl/x509_key.h>
 
 
 #ifdef __cplusplus
@@ -95,6 +96,8 @@ typedef enum {
 	TLS_cipher_aes_128_ccm_sha256		= 0x1304,
 	TLS_cipher_aes_128_ccm_8_sha256		= 0x1305,
 
+	TLS_cipher_ecdhe_ecdsa_with_aes_128_cbc_sha256 = 0xc023,
+
 	TLS_cipher_empty_renegotiation_info_scsv = 0x00ff,
 } TLS_CIPHER_SUITE;
 
@@ -269,7 +272,8 @@ typedef enum {
 	TLS_curve_sm2p256v1			= 41, // GmSSLv2: 30
 } TLS_NAMED_CURVE;
 
-const char *tls_curve_name(int curve);
+const char *tls_named_curve_name(int named_curve);
+int tls_named_curve_oid(int named_curve);
 
 
 typedef enum {
@@ -299,6 +303,7 @@ typedef enum {
 } TLS_SIGNATURE_SCHEME;
 
 const char *tls_signature_scheme_name(int scheme);
+int tls_signature_scheme_match_cipher_suite(int sig_alg, int cipher_suite); 
 
 
 typedef enum {
@@ -605,6 +610,21 @@ typedef enum {
 	TLS_client_verify_client_key_exchange	= 7,
 } TLS_CLIENT_VERIFY_INDEX;
 
+
+/*
+SM2验签要求首先提供Z值，Z值需要公钥
+而在客户端提供 client_certificate 之前，服务器都不知道客户端的公钥
+因此没有办法获得客户端的公钥
+直到客户端发出client_certificate之后，才能够启动验证
+
+现在的实现缓冲了所有被签名的握手消息
+
+由于除了ClientHello之外，其他所有的消息实际上都是服务器发出的
+因此服务器只需要缓存ClientHello即可
+
+实际上只有SM2签名才需要这么复杂！
+*/
+
 typedef struct {
 	TLS_CLIENT_VERIFY_INDEX index;
 	uint8_t *handshake[8]; // Record data only, no record header
@@ -680,8 +700,10 @@ typedef struct {
 	size_t cacertslen;
 	uint8_t *certs;
 	size_t certslen;
-	SM2_KEY signkey;
-	SM2_KEY kenckey;
+
+	X509_KEY signkey;
+	X509_KEY kenckey;
+
 	int verify_depth;
 
 	int quiet;
@@ -704,9 +726,25 @@ void tls_ctx_cleanup(TLS_CTX *ctx);
 #define TLS_MAX_VERIFY_DEPTH		5
 
 
+
+#define SSL_ERROR_WANT_READ		-1001 // 是否考虑把这两个错误以0的方式返回去
+#define SSL_ERROR_WANT_WRITE		-1002 // 同上
+#define SSL_ERROR_ZERO_RETURN		-1003
+#define SSL_ERROR_SYSCALL		-1004
+
+
+#define TLS_ERROR_RECV_AGAIN		-1000	// SSL_ERROR_WANT_READ
+#define TLS_ERROR_SEND_AGAIN		-1001	// SSL_ERROR_WANT_WRITE
+#define TLS_ERROR_TCP_CLOSED		-1002	// SSL_ERROR_ZERO_RETURN
+#define TLS_ERROR_SYSCALL		-1003	// SSL_ERROR_SYSCALL
+
+
+
 typedef struct {
 	int protocol;
 	int is_client;
+
+
 	int cipher_suites[TLS_MAX_CIPHER_SUITES_COUNT];
 	size_t cipher_suites_cnt;
 	tls_socket_t sock;
@@ -716,6 +754,11 @@ typedef struct {
 
 
 	uint8_t record[TLS_MAX_RECORD_SIZE];
+	size_t record_offset; // offset of processed record
+
+	int record_state;
+
+	size_t recordlen;
 
 	uint8_t databuf[TLS_MAX_RECORD_SIZE];
 	uint8_t *data;
@@ -731,11 +774,10 @@ typedef struct {
 	uint8_t ca_certs[2048];
 	size_t ca_certs_len;
 
-	SM2_KEY sign_key;
-	SM2_KEY kenc_key;
+	X509_KEY sign_key;
+	X509_KEY kenc_key;
 
 	int verify_result;
-
 	uint8_t master_secret[48];
 	uint8_t key_block[96];
 
@@ -753,10 +795,38 @@ typedef struct {
 
 	int quiet;
 
+
 	// handshake state for state machine
 	int state;
 	SM3_CTX sm3_ctx;
 	SM2_SIGN_CTX sign_ctx;
+	TLS_CLIENT_VERIFY_CTX client_verify_ctx;
+	uint8_t client_random[32];
+	uint8_t server_random[32];
+	uint8_t server_exts[512]; // TODO
+	size_t server_exts_len;
+
+
+	// 在TLS中，密钥交换的密钥是不在证书中的？
+	uint16_t sig_alg;
+
+	// TLS中客户端和服务器端可以使用不同的签名算法，但是最好是一致的
+	// 这个算法是由cipher_suite和服务器证书决定的（其中是服务器AUTH算法）
+	// 但是客户端的签名算法不是由cipher_suite决定
+	uint16_t server_sig_alg;
+
+
+
+	uint16_t ecdh_named_curve;
+
+	X509_KEY ecdh_key;
+	uint8_t peer_ecdh_point[65];
+	size_t peer_ecdh_point_len;
+
+	int client_certificate_verify; // 是否验证客户端证书
+
+	int verify_depth; // 这个可能没有被设置				
+
 } TLS_CONNECT;
 
 

include/gmssl/x509_key.h

@@ -19,11 +19,11 @@
 #include <gmssl/oid.h>
 #include <gmssl/asn1.h>
 #include <gmssl/sm2.h>
-#include <gmssl/secp256r1_key.h>
 #include <gmssl/ecdsa.h>
 #include <gmssl/lms.h>
 #include <gmssl/xmss.h>
 #include <gmssl/sphincs.h>
+#include <gmssl/secp256r1_key.h>
 
 
 #ifdef __cplusplus
@@ -31,18 +31,6 @@ extern "C" {
 #endif
 
 
-/*
-   Supported public key type OIDs
-	* OID_ec_public_key
-	* OID_rsa_encryption
-	* OID_lms_hashsig
-	* OID_hss_lms_hashsig
-	* OID_xmss_hashsig
-	* OID_xmssmt_hashsig
-	* OID_sphincs_hashsig
-
-
-*/
 typedef struct {
 	int algor;
 	int algor_param;
@@ -55,67 +43,115 @@ typedef struct {
 		SPHINCS_KEY sphincs_key;
 		SECP256R1_KEY secp256r1_key;
 	} u;
+	const char *signer_id;
+	size_t signer_idlen;
 } X509_KEY;
 
-
 int x509_key_set_sm2_key(X509_KEY *x509_key, const SM2_KEY *sm2_key);
-int x509_key_set_secp256r1_key(X509_KEY *x509_key, const SECP256R1_KEY *secp256r1_key);
 int x509_key_set_lms_key(X509_KEY *x509_key, const LMS_KEY *lms_key);
 int x509_key_set_hss_key(X509_KEY *x509_key, const HSS_KEY *hss_key);
 int x509_key_set_xmss_key(X509_KEY *x509_key, const XMSS_KEY *xmss_key);
 int x509_key_set_xmssmt_key(X509_KEY *x509_key, const XMSSMT_KEY *xmssmt_key);
 int x509_key_set_sphincs_key(X509_KEY *x509_key, const SPHINCS_KEY *sphincs_key);
+int x509_key_set_secp256r1_key(X509_KEY *x509_key, const SECP256R1_KEY *secp256r1_key);
 
+// hss_key_generate need lms_types[] as input, encode lms_types[] into (int)algor_param
+int x509_algor_param_from_lms_types(int *algor_param, const int *lms_types, size_t num);
+int x509_algor_param_to_lms_types(int algor_param, int lms_types[5], size_t *num);
+
+/*
+   algor:			algor_param:
+   -------------------------------------------------------------------------
+   OID_ec_public_key		OID_sm2 or OID_secp256r1
+   OID_lms_hashsig		lms_type
+   OID_hss_lms_hashsig		x509_algor_param_from_lms_types(lms_types[])
+   OID_xmsss_hashsig		xmss_type
+   OID_xmsssmt_hashsig		xmssmt_type
+   OID_sphincs_hashsig		OID_undef
+*/
 int x509_key_generate(X509_KEY *key, int algor, int algor_param);
 int x509_private_key_from_file(X509_KEY *key, int algor, const char *pass, FILE *fp);
-int x509_public_key_digest(const X509_KEY *key, uint8_t dgst[32]);
-int x509_public_key_equ(const X509_KEY *key, const X509_KEY *pub);
-int x509_public_key_equ(const X509_KEY *key, const X509_KEY *pub);
 void x509_key_cleanup(X509_KEY *key);
 
 
-/*
-SubjectPublicKeyInfo  ::=  SEQUENCE  {
-	algorithm            AlgorithmIdentifier,
-	subjectPublicKey     BIT STRING  }
+// SM2_PUBLIC_KEY_SIZE = 65
+// LMS_PUBLIC_KEY_SIZE = 56
+// HSS_PUBLIC_KEY_SIZE = 60
+// XMSS_PUBLIC_KEY_SIZE = 68
+// XMSSMT_PUBLIC_KEY_SIZE = 68
+// SPHINCS_PUBLIC_KEY_SIZE = 32
+// SECP256R1_PUBLIC_KEY_SIZE = 65
+#define X509_PUBLIC_KEY_MAX_SIZE 68
+int x509_public_key_to_bytes(const X509_KEY *key, uint8_t **out, size_t *outlen);
+int x509_public_key_digest(const X509_KEY *key, uint8_t dgst[32]);
+int x509_public_key_equ(const X509_KEY *key, const X509_KEY *pub);
+int x509_public_key_print(FILE *fp, int fmt, int ind, const char *label, const X509_KEY *key);
+int x509_private_key_print(FILE *fp, int fmt, int ind, const char *label, const X509_KEY *key);
 
-algorithm.algorithm = OID_ec_public_key;
-algorithm.parameters = OID_sm2;
-subjectPublicKey = ECPoint
-*/
+// X.509 SubjectPublicKeyInfo
 int x509_public_key_info_to_der(const X509_KEY *key, uint8_t **out, size_t *outlen);
 int x509_public_key_info_from_der(X509_KEY *key, const uint8_t **in, size_t *inlen);
 int x509_public_key_info_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
-int x509_private_key_print(FILE *fp, int fmt, int ind, const char *label, const X509_KEY *key);
-int x509_public_key_print(FILE *fp, int fmt, int ind, const char *label, const X509_KEY *key);
+
+// ECPrivateKey when key->algor == OID_ec_public_key
+int ec_private_key_to_der(const X509_KEY *key, int encode_params, int encode_pubkey, uint8_t **out, size_t *outlen);
+int ec_private_key_from_der(X509_KEY *key, int opt_curve, const uint8_t **in, size_t *inlen);
+
+// 没有打印的函数！
+
+// PKCS #8 PrivateKeyInfo
+// PrivateKeyInfo.algor.parameters has the named_curve
+// so omit the optional ECPrivateKey params(named_curve) a nd omit the public_key
+#define X509_ENCODE_EC_PRIVATE_KEY_PARAMS 1
+#define X509_ENCODE_EC_PRIVATE_KEY_PUBKEY 1
+int x509_private_key_info_to_der(const X509_KEY *key, uint8_t **out, size_t *outlen);
+int x509_private_key_info_from_der(X509_KEY *key, const uint8_t **attrs, size_t *attrslen,
+	const uint8_t **in, size_t *inlen);
+// 没有打印的函数
+
+// PKCS #8 EncryptedPrivateKeyInfo
+#define PKCS8_ENCED_PRIVATE_KEY_INFO_ITER 65536
+int x509_private_key_info_encrypt_to_der(const X509_KEY *x509_key, const char *pass,
+	uint8_t **out, size_t *outlen);
+int x509_private_key_info_decrypt_from_der(X509_KEY *x509_key,
+	const uint8_t **attrs, size_t *attrs_len,
+	const char *pass, const uint8_t **in, size_t *inlen);
+
+// require stdio
+int x509_private_key_info_encrypt_to_pem(const X509_KEY *key, const char *pass, FILE *fp);
+int x509_private_key_info_decrypt_from_pem(X509_KEY *key, const uint8_t **attrs, size_t *attrslen, const char *pass, FILE *fp);
 
 
-typedef union {
-	SM2_POINT sm2;
-	HSS_PUBLIC_KEY hss;
-	XMSS_PUBLIC_KEY xmss;
-	XMSSMT_PUBLIC_KEY xmssmt;
-} X509_PUBLIC_KEY;
-
-#define X509_PUBLIC_KEY_MAX_SIZE sizeof(X509_PUBLIC_KEY)
+// SM2_SIGNATURE_MAX_SIZE = 72
+// LMS_SIGNATURE_MAX_SIZE = 1932
+// HSS_SIGNATURE_MAX_SIZE = ?
+// XMSS_SIGNATURE_MAX_SIZE = 2820
+// XMSSMT_SIGNATURE_MAX_SIZE >= 27688 ?
+// SPHINCS_SIGNATURE_SIZE = ?
+// ECDSA_SIGNATURE_MAX_SIZE = 72
 
 typedef union {
 	uint8_t sm2_sig[SM2_MAX_SIGNATURE_SIZE];
+	LMS_SIGNATURE lms_sig;
 	HSS_SIGNATURE hss_sig;
 	XMSS_SIGNATURE xmss_sig;
 	XMSSMT_SIGNATURE xmssmt_sig;
+	SPHINCS_SIGNATURE sphincs_sig;
+	uint8_t ecdsa_sig[SM2_MAX_SIGNATURE_SIZE];
 } X509_SIGNATURE;
 
+// FIXME: give sizeof to a number
 #define X509_SIGNATURE_MAX_SIZE	sizeof(X509_SIGNATURE)
 
 typedef struct {
 	union {
 		SM2_SIGN_CTX sm2_sign_ctx;
-		ECDSA_SIGN_CTX ecdsa_sign_ctx;
 		SM2_VERIFY_CTX sm2_verify_ctx;
 		HSS_SIGN_CTX hss_sign_ctx;
 		XMSS_SIGN_CTX xmss_sign_ctx;
 		XMSSMT_SIGN_CTX xmssmt_sign_ctx;
+		SPHINCS_SIGN_CTX sphincs_sign_ctx;
+		ECDSA_SIGN_CTX ecdsa_sign_ctx;
 	} u;
 	int sign_algor;
 	uint8_t sig[X509_SIGNATURE_MAX_SIZE];
@@ -123,19 +159,37 @@ typedef struct {
 } X509_SIGN_CTX;
 
 
+/*
+   algor:
+	OID_sm2sign_with_sm3
+	OID_ecdss_with_sha256
+	OID_lms_hashsig
+	OID_hss_lms_hashsig
+	OID_xmss_hashsig
+	OID_xmssmt_hashsig
+	OID_sphincs_hashsig
+*/
 int x509_key_get_sign_algor(const X509_KEY *key, int *algor);
 int x509_key_get_signature_size(const X509_KEY *key, size_t *siglen);
 
-int x509_sign_init(X509_SIGN_CTX *ctx, X509_KEY *key, const char *signer_id, size_t signer_idlen);
+// args, argslen:
+//	sm2	SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH
+//		TLS13_SM2_ID, TLS13_SM2_ID_LENGTH
+//	sphincs	optiona_random, 16
+int x509_sign_init(X509_SIGN_CTX *ctx, X509_KEY *key, const void *args, size_t argslen);
 int x509_sign_update(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
 int x509_sign_finish(X509_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen);
-int x509_verify_init(X509_SIGN_CTX *ctx, const X509_KEY *key,
-	const char *signer_id, size_t signer_idlen, // 这里可能要去掉这个功能
+int x509_verify_init(X509_SIGN_CTX *ctx, const X509_KEY *key, const void *args, size_t argslen,
 	const uint8_t *sig, size_t siglen);
 int x509_verify_update(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
 int x509_verify_finish(X509_SIGN_CTX *ctx);
+void x509_sign_ctx_cleanup(X509_SIGN_CTX *ctx);
 
 
+// ECDH for key->algor == OID_ec_public_key
+int x509_key_do_exchange(const X509_KEY *key, const X509_KEY *peer_pub, uint8_t *out, size_t *outlen);
+int x509_key_exchange(const X509_KEY *key, const uint8_t *peer_pub, size_t peer_publen, uint8_t *out, size_t *outlen);
+
 
 #ifdef __cplusplus
 }