mirror of
https://github.com/openharmony/third_party_openhitls.git
synced 2026-07-01 10:05:26 -04:00
feat:minimization for protocol
Signed-off-by: Dongjianwei001 <dongjianwei1@huawei.com>
This commit is contained in:
committed by
Dongjianwei001
parent
546b9f8075
commit
ecf56f0776
@@ -266,7 +266,10 @@
|
||||
"opts": ["proto"]
|
||||
},
|
||||
"callback": {
|
||||
"feature_provider": null,
|
||||
"feature_provider": {
|
||||
"feature_provider_hard_coding":null,
|
||||
"feature_provider_dynamic":null
|
||||
},
|
||||
"callback_sal" :null,
|
||||
"callback_cert": {
|
||||
"deps": ["callback_sal"]
|
||||
@@ -309,7 +312,12 @@
|
||||
},
|
||||
"feature_key_update": null,
|
||||
"feature_flight": null,
|
||||
"feature_cert_mode": null,
|
||||
"feature_cert_mode": {
|
||||
"feature_cert_mode_client_verify": null,
|
||||
"feature_cert_mode_verify_peer": null
|
||||
},
|
||||
"feature_anti_replay": null,
|
||||
"feature_extended_master_secret": null,
|
||||
"feature_record_size_limit": null,
|
||||
"feature_kem": null,
|
||||
"feature_client_hello_cb": null,
|
||||
@@ -326,7 +334,14 @@
|
||||
"opts": [
|
||||
["host", "host_client", "host_server"],
|
||||
["uio_sctp", "uio_tcp", "uio_udp", "uio_plt"]
|
||||
]
|
||||
],
|
||||
"proto_dfx": {
|
||||
"proto_dfx_check": null,
|
||||
"proto_dfx_info": null,
|
||||
"proto_dfx_alert_number": null,
|
||||
"proto_dfx_server_prefer": null
|
||||
},
|
||||
"proto_close_state": null
|
||||
},
|
||||
"config": {
|
||||
"config_manual_dh": null,
|
||||
|
||||
@@ -101,6 +101,27 @@
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
#define HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
#endif
|
||||
#ifndef HITLS_TLS_FEATURE_PROVIDER_HARD_CODING
|
||||
#define HITLS_TLS_FEATURE_PROVIDER_HARD_CODING
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_HARD_CODING
|
||||
#undef HITLS_TLS_FEATURE_PROVIDER_HARD_CODING
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(HITLS_TLS_FEATURE_PROVIDER_DYNAMIC) || defined(HITLS_TLS_FEATURE_PROVIDER_HARD_CODING)
|
||||
#ifndef HITLS_TLS_FEATURE_PROVIDER
|
||||
#define HITLS_TLS_FEATURE_PROVIDER
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(HITLS_TLS_FEATURE_PROVIDER)
|
||||
#ifdef HITLS_TLS_CALLBACK_SAL
|
||||
#undef HITLS_TLS_CALLBACK_SAL
|
||||
@@ -182,6 +203,12 @@
|
||||
#ifndef HITLS_TLS_FEATURE_CUSTOM_EXTENSION
|
||||
#define HITLS_TLS_FEATURE_CUSTOM_EXTENSION
|
||||
#endif
|
||||
#ifndef HITLS_TLS_FEATURE_ANTI_REPLAY
|
||||
#define HITLS_TLS_FEATURE_ANTI_REPLAY
|
||||
#endif
|
||||
#ifndef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
#define HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
#endif
|
||||
#ifndef HITLS_TLS_FEATURE_REC_INBUFFER_SIZE
|
||||
#define HITLS_TLS_FEATURE_REC_INBUFFER_SIZE
|
||||
#endif
|
||||
@@ -206,6 +233,21 @@
|
||||
#define HITLS_PKI_X509_CRT_AUTH
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_SESSION
|
||||
#ifndef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
#define HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
#endif
|
||||
#ifndef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
#define HITLS_TLS_PROTO_CLOSE_STATE
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_BSL_UIO_UDP
|
||||
#ifndef HITLS_TLS_FEATURE_ANTI_REPLAY
|
||||
#define HITLS_TLS_FEATURE_ANTI_REPLAY
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_SESSION
|
||||
#ifndef HITLS_TLS_FEATURE_SESSION_TICKET
|
||||
#define HITLS_TLS_FEATURE_SESSION_TICKET
|
||||
@@ -236,6 +278,26 @@
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifndef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
|
||||
#define HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
|
||||
#endif
|
||||
#ifndef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
#define HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_TLCP11
|
||||
#ifndef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
#define HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if (defined(HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER) || defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) && \
|
||||
!defined(HITLS_TLS_FEATURE_CERT_MODE)
|
||||
#define HITLS_TLS_FEATURE_CERT_MODE
|
||||
#endif
|
||||
|
||||
#if defined(HITLS_TLS_FEATURE_MODE_FALL_BACK_SCSV) || defined(HITLS_TLS_FEATURE_MODE_AUTO_RETRY) || \
|
||||
defined(HITLS_TLS_FEATURE_MODE_ACCEPT_MOVING_WRITE_BUFFER) || defined(HITLS_TLS_FEATURE_MODE_RELEASE_BUFFERS)
|
||||
#ifndef HITLS_TLS_FEATURE_MODE
|
||||
@@ -285,6 +347,30 @@
|
||||
#ifndef HITLS_CRYPTO_EAL
|
||||
#define HITLS_CRYPTO_EAL
|
||||
#endif
|
||||
#ifndef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
#define HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
#endif
|
||||
#ifndef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
#define HITLS_TLS_PROTO_CLOSE_STATE
|
||||
#endif
|
||||
#ifndef HITLS_TLS_PROTO_DFX
|
||||
#define HITLS_TLS_PROTO_DFX
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX
|
||||
#ifndef HITLS_TLS_PROTO_DFX_CHECK
|
||||
#define HITLS_TLS_PROTO_DFX_CHECK
|
||||
#endif
|
||||
#ifndef HITLS_TLS_PROTO_DFX_INFO
|
||||
#define HITLS_TLS_PROTO_DFX_INFO
|
||||
#endif
|
||||
#ifndef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
#define HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
#endif
|
||||
#ifndef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
#define HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
#endif
|
||||
#endif
|
||||
|
||||
// suite_cipher
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
#include "crypt_algid.h"
|
||||
#include "crypt_errno.h"
|
||||
#include "crypt_params_key.h"
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
#include "hitls_crypt_type.h"
|
||||
#include "hitls_cert_type.h"
|
||||
#include "hitls_type.h"
|
||||
@@ -615,7 +615,7 @@ static void CRYPT_EAL_DefaultProvFree(void *provCtx)
|
||||
BSL_SAL_Free(provCtx);
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
#define TLS_GROUP_PARAM_COUNT 11
|
||||
#define TLS_SIGN_SCHEME_PARAM_COUNT 18
|
||||
typedef struct {
|
||||
@@ -1267,13 +1267,13 @@ static int32_t CRYPT_EAL_DefaultProvGetCaps(void *provCtx, int32_t cmd, CRYPT_EA
|
||||
return CRYPT_NOT_SUPPORT;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
|
||||
|
||||
static CRYPT_EAL_Func g_defEalProvOutFuncs[] = {
|
||||
{CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery},
|
||||
{CRYPT_EAL_PROVCB_FREE, CRYPT_EAL_DefaultProvFree},
|
||||
{CRYPT_EAL_PROVCB_CTRL, NULL},
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
{CRYPT_EAL_PROVCB_GETCAPS, CRYPT_EAL_DefaultProvGetCaps},
|
||||
#endif
|
||||
CRYPT_EAL_FUNC_END
|
||||
|
||||
@@ -279,10 +279,8 @@ void BSL_SAL_ClearFree(void *ptr, uint32_t size);
|
||||
|
||||
#define BSL_SAL_FREE(value_) \
|
||||
do { \
|
||||
if ((value_) != NULL) { \
|
||||
BSL_SAL_Free((void *)(value_)); \
|
||||
(value_) = NULL; \
|
||||
} \
|
||||
BSL_SAL_Free((void *)(value_)); \
|
||||
(value_) = NULL; \
|
||||
} while (0)
|
||||
|
||||
/**
|
||||
|
||||
@@ -545,10 +545,7 @@ class FeatureConfigParser:
|
||||
else:
|
||||
is_fea_contained = False
|
||||
while 'parent' in rel:
|
||||
if rel['parent'] in disables:
|
||||
raise Exception("The 'disables' features {} and 'enables' featrues {} conflict".format(fea, disables))
|
||||
|
||||
if rel['parent'] in features:
|
||||
if rel['parent'] in disables or rel['parent'] in features:
|
||||
is_fea_contained = True
|
||||
break
|
||||
rel = feas_info[rel['parent']]
|
||||
|
||||
@@ -149,12 +149,12 @@ static int32_t SetLinkConfig(uint16_t version, HITLS_KeyExchAlgo keyExAlgo, Link
|
||||
HITLS_CFG_SetCheckKeyUsage(linkPara->config, false);
|
||||
#endif /* HITLS_TLS_CONFIG_KEY_USAGE */
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
int32_t ret = HITLS_CFG_SetClientVerifySupport(linkPara->config, true);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE */
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
if (keyExAlgo == HITLS_KEY_EXCH_DHE) {
|
||||
uint16_t cipherSuites[] = {HITLS_DHE_RSA_WITH_AES_128_GCM_SHA256};
|
||||
HITLS_CFG_SetCipherSuites(linkPara->config, cipherSuites, sizeof(cipherSuites) / sizeof(uint16_t));
|
||||
|
||||
@@ -1193,47 +1193,32 @@ static int32_t PackNewSessionTicketMsg(FRAME_Type *type, const FRAME_NewSessionT
|
||||
static int32_t PackHsMsgBody(FRAME_Type *type, const FRAME_Msg *msg,
|
||||
uint8_t *buf, uint32_t bufLen, uint32_t *usedLen)
|
||||
{
|
||||
int32_t ret;
|
||||
|
||||
const FRAME_HsMsg *hsMsg = &(msg->body.hsMsg);
|
||||
|
||||
switch (type->handshakeType) {
|
||||
case CLIENT_HELLO:
|
||||
ret = PackClientHelloMsg(&(hsMsg->body.clientHello), buf, bufLen, usedLen);
|
||||
break;
|
||||
return PackClientHelloMsg(&(hsMsg->body.clientHello), buf, bufLen, usedLen);
|
||||
case SERVER_HELLO:
|
||||
ret = PackServerHelloMsg(&(hsMsg->body.serverHello), buf, bufLen, usedLen);
|
||||
break;
|
||||
return PackServerHelloMsg(&(hsMsg->body.serverHello), buf, bufLen, usedLen);
|
||||
case CERTIFICATE:
|
||||
ret = PackCertificateMsg(type, &(hsMsg->body.certificate), buf, bufLen, usedLen);
|
||||
break;
|
||||
return PackCertificateMsg(type, &(hsMsg->body.certificate), buf, bufLen, usedLen);
|
||||
case SERVER_KEY_EXCHANGE:
|
||||
ret = PackServerKeyExchangeMsg(type, &(hsMsg->body.serverKeyExchange), buf, bufLen, usedLen);
|
||||
break;
|
||||
return PackServerKeyExchangeMsg(type, &(hsMsg->body.serverKeyExchange), buf, bufLen, usedLen);
|
||||
case CERTIFICATE_REQUEST:
|
||||
ret = PackCertificateRequestMsg(type, &(hsMsg->body.certificateReq), buf, bufLen, usedLen);
|
||||
break;
|
||||
return PackCertificateRequestMsg(type, &(hsMsg->body.certificateReq), buf, bufLen, usedLen);
|
||||
case SERVER_HELLO_DONE:
|
||||
ret = PackServerHelloDoneMsg(&(hsMsg->body.serverHelloDone), buf, bufLen, usedLen);
|
||||
break;
|
||||
return PackServerHelloDoneMsg(&(hsMsg->body.serverHelloDone), buf, bufLen, usedLen);
|
||||
case CLIENT_KEY_EXCHANGE:
|
||||
ret = PackClientKeyExchangeMsg(type, &(hsMsg->body.clientKeyExchange), buf, bufLen, usedLen);
|
||||
break;
|
||||
return PackClientKeyExchangeMsg(type, &(hsMsg->body.clientKeyExchange), buf, bufLen, usedLen);
|
||||
case CERTIFICATE_VERIFY:
|
||||
ret = PackCertificateVerifyMsg(type, &(hsMsg->body.certificateVerify), buf, bufLen, usedLen);
|
||||
break;
|
||||
return PackCertificateVerifyMsg(type, &(hsMsg->body.certificateVerify), buf, bufLen, usedLen);
|
||||
case FINISHED:
|
||||
ret = PackFinishedMsg(&(hsMsg->body.finished), buf, bufLen, usedLen);
|
||||
break;
|
||||
return PackFinishedMsg(&(hsMsg->body.finished), buf, bufLen, usedLen);
|
||||
case NEW_SESSION_TICKET:
|
||||
ret = PackNewSessionTicketMsg(type, &(hsMsg->body.newSessionTicket), buf, bufLen, usedLen);
|
||||
break;
|
||||
return PackNewSessionTicketMsg(type, &(hsMsg->body.newSessionTicket), buf, bufLen, usedLen);
|
||||
default:
|
||||
ret = HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG;
|
||||
break;
|
||||
return HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int32_t PackHandShakeMsg(FRAME_Type *type, const FRAME_Msg *msg,
|
||||
|
||||
@@ -510,12 +510,14 @@ int HitlsSetCtx(HITLS_Config *outCfg, HLT_Ctx_Config *inCtxCfg)
|
||||
ret = HITLS_CFG_SetVersion(outCfg, inCtxCfg->minVersion, inCtxCfg->maxVersion);
|
||||
ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetVersion Error ERROR");
|
||||
}
|
||||
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
if (inCtxCfg->SupportType == SERVER_CFG_SET_TRUE) {
|
||||
HITLS_CFG_SetCipherServerPreference(outCfg, true);
|
||||
}
|
||||
if (inCtxCfg->SupportType == SERVER_CFG_SET_FALSE) {
|
||||
HITLS_CFG_SetCipherServerPreference(outCfg, false);
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
// Setting Renegotiation
|
||||
LOG_DEBUG("HiTLS Set Support Renegotiation is %d", inCtxCfg->isSupportRenegotiation);
|
||||
@@ -526,15 +528,16 @@ int HitlsSetCtx(HITLS_Config *outCfg, HLT_Ctx_Config *inCtxCfg)
|
||||
ret = HITLS_CFG_SetClientRenegotiateSupport(outCfg, inCtxCfg->allowClientRenegotiate);
|
||||
ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetClientRenegotiateSupport ERROR");
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
// Whether to enable dual-ended verification
|
||||
LOG_DEBUG("HiTLS Set Support Client Verify is %d", inCtxCfg->isSupportClientVerify);
|
||||
ret = HITLS_CFG_SetClientVerifySupport(outCfg, inCtxCfg->isSupportClientVerify);
|
||||
ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetClientVerifySupport ERROR");
|
||||
#endif
|
||||
LOG_DEBUG("HiTLS Set readAhead is %d", inCtxCfg->readAhead);
|
||||
ret = HITLS_CFG_SetReadAhead(outCfg, inCtxCfg->readAhead);
|
||||
ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetReadAhead ERROR");
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
// Indicates whether to allow empty certificate list on the client.
|
||||
LOG_DEBUG("HiTLS Set Support Not Client Cert is %d", inCtxCfg->isSupportNoClientCert);
|
||||
ret = HITLS_CFG_SetNoClientCertSupport(outCfg, inCtxCfg->isSupportNoClientCert);
|
||||
@@ -721,7 +724,7 @@ int HitlsSetCtx(HITLS_Config *outCfg, HLT_Ctx_Config *inCtxCfg)
|
||||
ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetKeyExchMode ERROR");
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
|
||||
// Set whether to enable isSupportVerifyNone;
|
||||
LOG_DEBUG("HiTLS Set Support pha is %d", inCtxCfg->isSupportVerifyNone);
|
||||
ret = HITLS_CFG_SetVerifyNoneSupport(outCfg, inCtxCfg->isSupportVerifyNone);
|
||||
@@ -811,12 +814,14 @@ const BSL_UIO_Method *GetDefaultMethod(HILT_TransportType type)
|
||||
int HitlsSetSsl(void *ssl, HLT_Ssl_Config *sslConfig)
|
||||
{
|
||||
int ret;
|
||||
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
if (sslConfig->SupportType == SERVER_CTX_SET_TRUE) {
|
||||
HITLS_SetCipherServerPreference((HITLS_Ctx *)ssl, true);
|
||||
}
|
||||
if (sslConfig->SupportType == SERVER_CTX_SET_FALSE) {
|
||||
HITLS_SetCipherServerPreference((HITLS_Ctx *)ssl, false);
|
||||
}
|
||||
#endif
|
||||
HILT_TransportType type = (sslConfig->connType == NONE_TYPE) ? SCTP : sslConfig->connType;
|
||||
|
||||
BSL_UIO *uio = BSL_UIO_New(GetDefaultMethod(type));
|
||||
|
||||
@@ -343,12 +343,14 @@ test_pkey()
|
||||
|
||||
test_tls()
|
||||
{
|
||||
include_path="-I${HITLS_ROOT_DIR}/testcode/script/mini_test_config"
|
||||
NO_LIB=""
|
||||
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=tlcp_feature test=base,asn1,base64,buffer,err,hash,init,list,log,obj,params,pem,tlv,sal,sal_mem,sal_lock,sal_str,sal_file,sal_thread,sal_net,sal_time,aes,bn,chacha20,cmac_aes,drbg_ctr,drbg_hash,ecc,ecdh,ecdsa,entropy,gcm,hkdf,hpke,mlkem,mldsa,sha256,sha384,sha512,slh_dsa,sm2,sm3,sm4,x25519,curve_nistp256,curve_nistp384,curve_nistp521,x509_crl_gen,x509_crl_parse,x509_csr_gen,x509_csr_parse,x509_crt_gen,x509_crt_parse,x509_vfy,tlcp linux add-options="-DHITLS_SEED_DRBG_INIT_RAND_ALG=CRYPT_RAND_SHA256" add-options="-DHITLS_CRYPTO_ENTROPY_DEVRANDOM" add-options="-DHITLS_CRYPTO_MLKEM_CMP" add-options="-DHITLS_CRYPTO_MLDSA_CMP"
|
||||
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=nokem_feature test=base linux
|
||||
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=mtu_feature test=mtu linux
|
||||
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=max_send_fragment_feature test=max_send_fragment linux
|
||||
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=ca_list_feature test=ca_list linux
|
||||
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=no_dfx_feature test=no_dfx compile-config=no_dfx_compile include-path="${include_path}" linux
|
||||
}
|
||||
|
||||
test_pki()
|
||||
|
||||
@@ -43,6 +43,7 @@ ENDIAN="little"
|
||||
ASAN_OPTIONS=""
|
||||
TLS_FLAG=""
|
||||
FEATURE_CONFIG_FILE=""
|
||||
COMPILE_CONFIG_FILE=""
|
||||
INCLUDE_PATH=""
|
||||
|
||||
print_usage() {
|
||||
@@ -129,6 +130,18 @@ parse_option()
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
"compile-config")
|
||||
if [ -n "$ASM_TYPE" ]; then
|
||||
COMPILE_CONFIG_FILE=$(find $HITLS_ROOT_DIR -name "${value}_${ASM_TYPE}.json" -type f | head -n 1)
|
||||
fi
|
||||
if [ -z "$COMPILE_CONFIG_FILE" ]; then
|
||||
COMPILE_CONFIG_FILE=$(find $HITLS_ROOT_DIR -name "${value}.json" -type f | head -n 1)
|
||||
fi
|
||||
if [ -z "$COMPILE_CONFIG_FILE" ]; then
|
||||
echo "Error: Cannot find compile config file '${value}.json' or '${value}.json' under $HITLS_ROOT_DIR"
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
"test")
|
||||
LIB_TYPE="static shared"
|
||||
TEST_FEATURE=$value
|
||||
@@ -247,6 +260,10 @@ mini_config()
|
||||
enables="--feature_config $MODIFIED_CONFIG_FILE"
|
||||
fi
|
||||
|
||||
if [ "$COMPILE_CONFIG_FILE" != "" ]; then
|
||||
enables="$enables --compile_config $COMPILE_CONFIG_FILE"
|
||||
fi
|
||||
|
||||
echo "python3 configure.py --lib_type $LIB_TYPE $enables --endian=$ENDIAN --bits=$BITS"
|
||||
python3 $HITLS_ROOT_DIR/configure.py --lib_type $LIB_TYPE $enables --endian=$ENDIAN --bits=$BITS
|
||||
|
||||
|
||||
@@ -0,0 +1,55 @@
|
||||
/*
|
||||
* This file is part of the openHiTLS project.
|
||||
*
|
||||
* openHiTLS is licensed under the Mulan PSL v2.
|
||||
* You can use this software according to the terms and conditions of the Mulan PSL v2.
|
||||
* You may obtain a copy of Mulan PSL v2 at:
|
||||
*
|
||||
* http://license.coscl.org.cn/MulanPSL2
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
|
||||
* EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
|
||||
* MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
|
||||
* See the Mulan PSL v2 for more details.
|
||||
*/
|
||||
/* Derivation of configuration features.
|
||||
* The derivation type (rule) and sequence are as follows:
|
||||
* 1. Parent features derive child features.
|
||||
* 2. Derive the features of dependencies.
|
||||
* For example, if feature a depends on features b and c, you need to derive features b and c.
|
||||
* 3. Child features derive parent features.
|
||||
* The high-level interfaces of the crypto module is controlled by the parent feature macro,
|
||||
* if there is no parent feature, such interfaces will be unavailable.
|
||||
*/
|
||||
|
||||
#ifndef NODFX_CONFIG_H
|
||||
#define NODFX_CONFIG_H
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
#undef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
#undef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX
|
||||
#undef HITLS_TLS_PROTO_DFX
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_CHECK
|
||||
#undef HITLS_TLS_PROTO_DFX_CHECK
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_INFO
|
||||
#undef HITLS_TLS_PROTO_DFX_INFO
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
#undef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
#undef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
#endif
|
||||
#endif /* NODFX_CONFIG_H */
|
||||
@@ -0,0 +1,135 @@
|
||||
{
|
||||
"compileFlag": {
|
||||
"common": {
|
||||
"CC_OPT_LEVEL": [
|
||||
"-D_FORTIFY_SOURCE=2",
|
||||
"-O2"
|
||||
],
|
||||
"CC_OVERALL_FLAGS": ["-pipe"],
|
||||
"CC_LANGUAGE_FLAGS": ["-fsigned-char"],
|
||||
"CC_CDG_FLAGS": ["-fno-common"],
|
||||
"CC_MD_DEPENDENT_FLAGS": [],
|
||||
"CC_OPT_FLAGS": [
|
||||
"-fno-strict-aliasing",
|
||||
"-fno-omit-frame-pointer"
|
||||
],
|
||||
"CC_SEC_FLAGS": [
|
||||
"-fPIC",
|
||||
"-fstack-protector-strong"
|
||||
],
|
||||
"CC_DEBUG_FLAGS": [],
|
||||
"CC_USER_DEFINE_FLAGS": [
|
||||
"-DHITLS_CONFIG_FILE='<hitls_nodfx_config.h>'",
|
||||
"-I${HiTLS_SOURCE_ROOT_DIR}/testcode/script/mini_test_config/"
|
||||
],
|
||||
"CC_WARN_FLAGS": [
|
||||
"-Werror",
|
||||
"-Wextra",
|
||||
"-Wcast-qual",
|
||||
"-Wall",
|
||||
"-Wfloat-equal",
|
||||
"-Wshadow",
|
||||
"-Wformat=2"
|
||||
],
|
||||
"CC_DEFINE_FLAGS": [
|
||||
"-DHITLS_CRYPTO_EAL_REPORT",
|
||||
"-DHITLS_CRYPTO_NIST_ECC_ACCELERATE",
|
||||
"-DHITLS_CRYPTO_BN_COMBA",
|
||||
"-DHITLS_CRYPTO_AES_PRECALC_TABLES",
|
||||
"-DHITLS_AARCH64_PACIASP",
|
||||
"-DHITLS_CRYPTO_SM2_PRECOMPUTE_512K_TBL"
|
||||
]
|
||||
},
|
||||
"gcc": {
|
||||
"CC_WARN_FLAGS_EXTRA": [
|
||||
"-Wdate-time",
|
||||
"-Wno-stringop-overread"
|
||||
],
|
||||
"CC_SEC_FLAGS_EXTRA": [
|
||||
"--param=ssp-buffer-size=4"
|
||||
]
|
||||
},
|
||||
"clang": {
|
||||
"CC_SEC_FLAGS_EXTRA": [
|
||||
"-Wno-unused-command-line-argument"
|
||||
]
|
||||
},
|
||||
"apple-clang": {
|
||||
"_inherit": "clang",
|
||||
"CC_SEC_FLAGS_REMOVE": [
|
||||
"--param=ssp-buffer-size=4"
|
||||
],
|
||||
"CC_DEFINE_FLAGS_REMOVE": [
|
||||
"-DHITLS_AARCH64_PACIASP"
|
||||
]
|
||||
}
|
||||
},
|
||||
"linkFlag": {
|
||||
"common": {
|
||||
"PUBLIC": [],
|
||||
"SHARED": [],
|
||||
"EXE": []
|
||||
},
|
||||
"gnu-ld": {
|
||||
"PUBLIC": [
|
||||
"-Wl,-z,noexecstack",
|
||||
"-Wl,-z,relro",
|
||||
"-Wl,-z,now",
|
||||
"-Wl,--build-id=none"
|
||||
],
|
||||
"SHARED": [
|
||||
"-shared"
|
||||
],
|
||||
"EXE": [
|
||||
"-pie"
|
||||
]
|
||||
},
|
||||
"ld64": {
|
||||
"PUBLIC": [
|
||||
"-Wl,-dead_strip"
|
||||
],
|
||||
"SHARED": [
|
||||
"-dynamiclib"
|
||||
],
|
||||
"EXE": [
|
||||
"-Wl,-pie"
|
||||
]
|
||||
},
|
||||
"lld": {
|
||||
"PUBLIC": [
|
||||
"-Wl,-z,noexecstack",
|
||||
"-Wl,-z,relro",
|
||||
"-Wl,-z,now",
|
||||
"-Wl,--build-id=none",
|
||||
"-Wl,--as-needed"
|
||||
],
|
||||
"SHARED": [
|
||||
"-shared"
|
||||
],
|
||||
"EXE": [
|
||||
"-pie"
|
||||
]
|
||||
},
|
||||
"gold": {
|
||||
"_inherit": "gnu-ld",
|
||||
"PUBLIC_EXTRA": [
|
||||
"-Wl,--threads",
|
||||
"-Wl,--thread-count=4"
|
||||
]
|
||||
}
|
||||
},
|
||||
"systemDefines": {
|
||||
"common": {},
|
||||
"linux": {
|
||||
"CC_DEFINE_FLAGS_EXTRA": [
|
||||
"-D_GNU_SOURCE"
|
||||
]
|
||||
},
|
||||
"darwin": {
|
||||
"CC_DEFINE_FLAGS_EXTRA": [
|
||||
"-D_DARWIN_C_SOURCE",
|
||||
"-DHITLS_CRYPTO_NO_AUXVAL"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,116 @@
|
||||
{
|
||||
"libType": [
|
||||
"static",
|
||||
"shared"
|
||||
],
|
||||
"libs": {
|
||||
"hitls_bsl": {
|
||||
"c": [
|
||||
"init",
|
||||
"sal",
|
||||
"sal_mem",
|
||||
"sal_lock",
|
||||
"log",
|
||||
"err",
|
||||
"hash",
|
||||
"sal_str",
|
||||
"sal_file",
|
||||
"uio_buffer",
|
||||
"uio_mem",
|
||||
"uio_plt",
|
||||
"uio_udp",
|
||||
"sal_thread",
|
||||
"sal_net",
|
||||
"sal_time",
|
||||
"tlv",
|
||||
"base64",
|
||||
"asn1",
|
||||
"buffer",
|
||||
"list",
|
||||
"obj",
|
||||
"params",
|
||||
"pem"
|
||||
]
|
||||
},
|
||||
"hitls_crypto": {
|
||||
"asm": [
|
||||
"bn",
|
||||
"chacha20",
|
||||
"chacha20poly1305",
|
||||
"aes",
|
||||
"gcm",
|
||||
"sha256",
|
||||
"sha384",
|
||||
"sha512",
|
||||
"bn_rand",
|
||||
"x25519",
|
||||
"curve_nistp256",
|
||||
"curve_nistp384",
|
||||
"curve_nistp521",
|
||||
"ecc",
|
||||
"curve_sm2",
|
||||
"sm3",
|
||||
"sm4"
|
||||
],
|
||||
"c": [
|
||||
"eal",
|
||||
"ealinit",
|
||||
"entropy",
|
||||
"drbg_hash",
|
||||
"sha256",
|
||||
"sha384",
|
||||
"sha512",
|
||||
"hkdf",
|
||||
"aes",
|
||||
"gcm",
|
||||
"chacha20",
|
||||
"hpke",
|
||||
"bn",
|
||||
"x25519",
|
||||
"curve_nistp256",
|
||||
"curve_nistp384",
|
||||
"curve_nistp521",
|
||||
"drbg_ctr",
|
||||
"cmac_aes",
|
||||
"ecdsa",
|
||||
"ecdh",
|
||||
"ecc",
|
||||
"mlkem",
|
||||
"mldsa",
|
||||
"slh_dsa",
|
||||
"cbc",
|
||||
"rsa",
|
||||
"sha1",
|
||||
"cipher",
|
||||
"pkey",
|
||||
"codecskey"
|
||||
]
|
||||
},
|
||||
"hitls_tls": {
|
||||
"c": [
|
||||
"callback_sal",
|
||||
"callback_cert",
|
||||
"callback_crypt",
|
||||
"config",
|
||||
"host",
|
||||
"maintain",
|
||||
"proto",
|
||||
"proto_dtls12",
|
||||
"proto_dtlcp11",
|
||||
"feature_mtu_query",
|
||||
"suite_ecdhe_rsa_with_aes_128_cbc_sha"
|
||||
]
|
||||
},
|
||||
"hitls_pki": {
|
||||
"c": [
|
||||
"info",
|
||||
"pkcs12",
|
||||
"x509"
|
||||
]
|
||||
}
|
||||
},
|
||||
"endian": "little",
|
||||
"bits": 64,
|
||||
"asmType": "no_asm",
|
||||
"system": "linux"
|
||||
}
|
||||
@@ -0,0 +1,133 @@
|
||||
/*
|
||||
* This file is part of the openHiTLS project.
|
||||
*
|
||||
* openHiTLS is licensed under the Mulan PSL v2.
|
||||
* You can use this software according to the terms and conditions of the Mulan PSL v2.
|
||||
* You may obtain a copy of Mulan PSL v2 at:
|
||||
*
|
||||
* http://license.coscl.org.cn/MulanPSL2
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
|
||||
* EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
|
||||
* MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
|
||||
* See the Mulan PSL v2 for more details.
|
||||
*/
|
||||
|
||||
/* BEGIN_HEADER */
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdint.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdlib.h>
|
||||
#include <time.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/types.h>
|
||||
#include <regex.h>
|
||||
#include <pthread.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/un.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <errno.h>
|
||||
#include <sys/select.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include "securec.h"
|
||||
#include "bsl_sal.h"
|
||||
#include "sal_net.h"
|
||||
#include "frame_tls.h"
|
||||
#include "cert_callback.h"
|
||||
#include "hitls_config.h"
|
||||
#include "hitls_error.h"
|
||||
#include "bsl_errno.h"
|
||||
#include "bsl_uio.h"
|
||||
#include "frame_io.h"
|
||||
#include "uio_abstraction.h"
|
||||
#include "tls.h"
|
||||
#include "tls_config.h"
|
||||
#include "logger.h"
|
||||
#include "process.h"
|
||||
#include "hs_ctx.h"
|
||||
#include "hlt.h"
|
||||
#include "stub_utils.h"
|
||||
#include "hitls_type.h"
|
||||
#include "frame_link.h"
|
||||
#include "session_type.h"
|
||||
#include "common_func.h"
|
||||
#include "hitls_func.h"
|
||||
#include "hitls_cert_type.h"
|
||||
#include "parser_frame_msg.h"
|
||||
#include "recv_process.h"
|
||||
#include "simulate_io.h"
|
||||
#include "rec_wrapper.h"
|
||||
#include "cipher_suite.h"
|
||||
#include "alert.h"
|
||||
#include "conn_init.h"
|
||||
#include "pack.h"
|
||||
#include "send_process.h"
|
||||
#include "cert.h"
|
||||
#include "hitls_cert_reg.h"
|
||||
#include "hitls_crypt_type.h"
|
||||
#include "hs.h"
|
||||
#include "hs_state_recv.h"
|
||||
#include "app.h"
|
||||
#include "record.h"
|
||||
#include "rec_conn.h"
|
||||
#include "session.h"
|
||||
#include "frame_msg.h"
|
||||
#include "pack_frame_msg.h"
|
||||
#include "cert_mgr.h"
|
||||
#include "hs_extensions.h"
|
||||
#include "hlt_type.h"
|
||||
#include "sctp_channel.h"
|
||||
#include "hitls_crypt_init.h"
|
||||
#include "hitls_session.h"
|
||||
#include "bsl_log.h"
|
||||
#include "bsl_err.h"
|
||||
#include "hitls_crypt_reg.h"
|
||||
#include "crypt_errno.h"
|
||||
#include "bsl_list.h"
|
||||
#include "hitls_cert.h"
|
||||
#include "parse_extensions_client.c"
|
||||
#include "parse_extensions_server.c"
|
||||
#include "parse_server_hello.c"
|
||||
#include "parse_client_hello.c"
|
||||
/* END_HEADER */
|
||||
|
||||
/** @
|
||||
* @test UT_TLS_CM_NO_DFX_CONNECTION_TC001
|
||||
* @title Test no DFX macro connection.
|
||||
* @precon nan
|
||||
* @brief
|
||||
* 1. Start a TLS connection with out dfx macro. Expected result 1.
|
||||
* @expect 1. HITLS_SUCCES is returned
|
||||
@ */
|
||||
/* BEGIN_CASE */
|
||||
void UT_TLS_CM_NO_DFX_CONNECTION_TC001(void)
|
||||
{
|
||||
FRAME_Init();
|
||||
|
||||
HITLS_Config *config = NULL;
|
||||
FRAME_LinkObj *client = NULL;
|
||||
FRAME_LinkObj *server = NULL;
|
||||
|
||||
// Apply for and initialize the configuration file
|
||||
config = HITLS_CFG_NewDTLS12Config();
|
||||
client = FRAME_CreateLink(config, BSL_UIO_UDP);
|
||||
ASSERT_TRUE(client != NULL);
|
||||
server = FRAME_CreateLink(config, BSL_UIO_UDP);
|
||||
ASSERT_TRUE(server != NULL);
|
||||
HITLS_SetMtu(client->ssl, 16384);
|
||||
HITLS_SetMtu(server->ssl, 16384);
|
||||
|
||||
ASSERT_EQ(FRAME_CreateConnection(client, server, false, HS_STATE_BUTT), HITLS_SUCCESS);
|
||||
EXIT:
|
||||
HITLS_CFG_FreeConfig(config);
|
||||
FRAME_FreeLink(client);
|
||||
FRAME_FreeLink(server);
|
||||
}
|
||||
/* END_CASE */
|
||||
@@ -0,0 +1,2 @@
|
||||
UT_TLS_CM_NO_DFX_CONNECTION_TC001:
|
||||
UT_TLS_CM_NO_DFX_CONNECTION_TC001:
|
||||
@@ -5,13 +5,15 @@
|
||||
"base": ["test_suite_sdv_hlt_base_connect"],
|
||||
"mtu": ["test_suite_sdv_frame_mtu"],
|
||||
"max_send_fragment": ["test_suite_sdv_frame_max_send_fragment"],
|
||||
"ca_list": ["test_suite_sdv_frame_ca_list"]
|
||||
"ca_list": ["test_suite_sdv_frame_ca_list"],
|
||||
"no_dfx": ["test_suite_sdv_frame_no_dfx"]
|
||||
},
|
||||
"testSuiteCases": {
|
||||
"test_suite_sdv_hlt_tlcp_ciphersuite": [],
|
||||
"test_suite_sdv_hlt_base_connect": [],
|
||||
"test_suite_sdv_frame_mtu": [],
|
||||
"test_suite_sdv_frame_max_send_fragment": [],
|
||||
"test_suite_sdv_frame_ca_list": []
|
||||
"test_suite_sdv_frame_ca_list": [],
|
||||
"test_suite_sdv_frame_no_dfx": []
|
||||
}
|
||||
}
|
||||
@@ -251,6 +251,7 @@ int32_t ProcessPlainAlert(TLS_Ctx *ctx, const uint8_t *data, uint32_t dataLen)
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS13 */
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
void ALERT_ClearWarnCount(TLS_Ctx *ctx, uint32_t recordType)
|
||||
{
|
||||
if (recordType != REC_TYPE_ALERT) {
|
||||
@@ -263,6 +264,7 @@ bool ALERT_HaveExceeded(TLS_Ctx *ctx, uint8_t threshold)
|
||||
ctx->alertCtx->warnCount += 1;
|
||||
return ctx->alertCtx->warnCount >= threshold;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_BSL_LOG
|
||||
int32_t ReturnAlertProcess(TLS_Ctx *ctx, int32_t err, uint32_t logId, const void *logStr,
|
||||
|
||||
@@ -61,7 +61,9 @@ static const char *GetStateString(uint32_t state)
|
||||
[CM_STATE_TRANSPORTING] = "Transporting",
|
||||
[CM_STATE_ALERTING] = "Alerting",
|
||||
[CM_STATE_ALERTED] = "Alerted",
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
[CM_STATE_CLOSED] = "Closed",
|
||||
#endif
|
||||
};
|
||||
/* Current status */
|
||||
return stateMachineStr[state];
|
||||
@@ -140,6 +142,7 @@ int32_t CommonEventInAlertingState(HITLS_Ctx *ctx)
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
/* If the close_notify message is sent, the link must be disconnected */
|
||||
if (alertInfo.description == ALERT_CLOSE_NOTIFY) {
|
||||
if (ctx->userShutDown) {
|
||||
@@ -155,6 +158,7 @@ int32_t CommonEventInAlertingState(HITLS_Ctx *ctx)
|
||||
}
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Other warning alerts will not terminate the connection and the status will be restored to the previous status */
|
||||
ctx->state = ctx->preState;
|
||||
@@ -189,7 +193,7 @@ static int32_t AlertRecvProcess(HITLS_Ctx *ctx, const ALERT_Info *alertInfo)
|
||||
/* Other warning alerts will not be processed */
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
ctx->shutdownState |= HITLS_RECEIVED_SHUTDOWN;
|
||||
|
||||
/* In quiet disconnection mode, close_notify does not need to be sent */
|
||||
@@ -218,6 +222,9 @@ static int32_t AlertRecvProcess(HITLS_Ctx *ctx, const ALERT_Info *alertInfo)
|
||||
ChangeConnState(ctx, CM_STATE_ALERTED);
|
||||
}
|
||||
return HITLS_CM_LINK_CLOSED;
|
||||
#else
|
||||
return HITLS_CM_LINK_CLOSED;
|
||||
#endif
|
||||
}
|
||||
|
||||
int32_t AlertEventProcess(HITLS_Ctx *ctx)
|
||||
@@ -259,14 +266,14 @@ int32_t CommonEventInHandshakingState(HITLS_Ctx *ctx)
|
||||
/* The handshake fails, but no alert is received. Return the error code to the user */
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) {
|
||||
/* If there are multiple consecutive alerts, the link is abnormal and needs to be terminated. */
|
||||
ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
|
||||
alertRet = AlertEventProcess(ctx);
|
||||
return (alertRet == HITLS_SUCCESS) ? ret : alertRet;
|
||||
}
|
||||
|
||||
#endif
|
||||
alertRet = AlertEventProcess(ctx);
|
||||
if (alertRet != HITLS_SUCCESS) {
|
||||
/* If the alert message fails to be sent, return the error code to the user */
|
||||
@@ -527,14 +534,19 @@ static uint16_t FindPreference(const HITLS_Ctx *ctx, int32_t nmatch, bool *haveF
|
||||
uint32_t localGroupSize = ctx->config.tlsConfig.groupsSize;
|
||||
uint16_t *peerGroups = ctx->peerInfo.groups;
|
||||
uint16_t *localGroups = ctx->config.tlsConfig.groups;
|
||||
bool chooseServerPre = ctx->config.tlsConfig.isSupportServerPreference;
|
||||
uint16_t intersectionCnt = 0;
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
bool chooseServerPre = ctx->config.tlsConfig.isSupportServerPreference;
|
||||
preferGroupSize = (chooseServerPre == true) ? localGroupSize : peerGroupSize;
|
||||
secondPreferGroupSize = (chooseServerPre == true) ? peerGroupSize : localGroupSize;
|
||||
preferGroups = (chooseServerPre == true) ? localGroups : peerGroups;
|
||||
secondPreferGroups = (chooseServerPre == true) ? peerGroups : localGroups;
|
||||
|
||||
#else
|
||||
preferGroupSize = peerGroupSize;
|
||||
secondPreferGroupSize = localGroupSize;
|
||||
preferGroups = peerGroups;
|
||||
secondPreferGroups = localGroups;
|
||||
#endif
|
||||
for (uint32_t i = 0; i < preferGroupSize; i++) {
|
||||
for (uint32_t j = 0; j < secondPreferGroupSize; j++) {
|
||||
if (preferGroups[i] == secondPreferGroups[j]) {
|
||||
@@ -735,11 +747,12 @@ int32_t CommonEventInRenegotiationState(HITLS_Ctx *ctx)
|
||||
return ret;
|
||||
}
|
||||
InnerRenegotiationProcess(ctx);
|
||||
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) {
|
||||
/* If multiple consecutive alerts exist, the link is abnormal and needs to be terminated */
|
||||
ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
|
||||
}
|
||||
|
||||
#endif
|
||||
int32_t alertRet = AlertEventProcess(ctx);
|
||||
if (alertRet != HITLS_SUCCESS) {
|
||||
if (alertRet != HITLS_CM_LINK_CLOSED) {
|
||||
|
||||
@@ -70,15 +70,16 @@ HITLS_Ctx *HITLS_New(HITLS_Config *config)
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16470, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Calloc fail", 0, 0, 0, 0);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int32_t ret = CheckConfig(config);
|
||||
int32_t ret = HITLS_SUCCESS;
|
||||
#ifdef HITLS_TLS_PROTO_DFX_CHECK
|
||||
ret = CheckConfig(config);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16471, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"CheckConfig fail, ret %d", ret, 0, 0, 0);
|
||||
BSL_SAL_FREE(newCtx);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
#endif
|
||||
ret = DumpConfig(newCtx, config);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16472, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
@@ -666,7 +667,7 @@ int32_t HITLS_ClearChainCerts(HITLS_Ctx *ctx)
|
||||
return HITLS_CFG_ClearChainCerts(&(ctx->config.tlsConfig));
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
int32_t HITLS_SetClientVerifySupport(HITLS_Ctx *ctx, bool support)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
@@ -683,7 +684,7 @@ int32_t HITLS_SetNoClientCertSupport(HITLS_Ctx *ctx, bool support)
|
||||
|
||||
return HITLS_CFG_SetNoClientCertSupport(&(ctx->config.tlsConfig), support);
|
||||
}
|
||||
#endif
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
#ifdef HITLS_TLS_FEATURE_PHA
|
||||
int32_t HITLS_SetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool support)
|
||||
{
|
||||
@@ -694,7 +695,7 @@ int32_t HITLS_SetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool support)
|
||||
return HITLS_CFG_SetPostHandshakeAuthSupport(&(ctx->config.tlsConfig), support);
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
|
||||
int32_t HITLS_SetVerifyNoneSupport(HITLS_Ctx *ctx, bool support)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
@@ -703,8 +704,8 @@ int32_t HITLS_SetVerifyNoneSupport(HITLS_Ctx *ctx, bool support)
|
||||
|
||||
return HITLS_CFG_SetVerifyNoneSupport(&(ctx->config.tlsConfig), support);
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER */
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
int32_t HITLS_SetClientOnceVerifySupport(HITLS_Ctx *ctx, bool support)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
|
||||
+12
-4
@@ -195,6 +195,7 @@ HITLS_CERT_X509 *HITLS_GetPeerCertificate(const HITLS_Ctx *ctx)
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
int32_t HITLS_SetQuietShutdown(HITLS_Ctx *ctx, int32_t mode)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
@@ -222,6 +223,7 @@ int32_t HITLS_GetQuietShutdown(const HITLS_Ctx *ctx, int32_t *mode)
|
||||
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
int32_t HITLS_GetRenegotiationState(const HITLS_Ctx *ctx, bool *isRenegotiationState)
|
||||
{
|
||||
@@ -245,6 +247,8 @@ int32_t HITLS_GetRwstate(const HITLS_Ctx *ctx, uint8_t *rwstate)
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
int32_t HITLS_SetShutdownState(HITLS_Ctx *ctx, uint32_t mode)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
@@ -264,8 +268,9 @@ int32_t HITLS_GetShutdownState(const HITLS_Ctx *ctx, uint32_t *mode)
|
||||
*mode = ctx->shutdownState;
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
int32_t HITLS_GetClientVerifySupport(HITLS_Ctx *ctx, bool *isSupport)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
@@ -283,7 +288,7 @@ int32_t HITLS_GetNoClientCertSupport(HITLS_Ctx *ctx, bool *isSupport)
|
||||
|
||||
return HITLS_CFG_GetNoClientCertSupport(&(ctx->config.tlsConfig), isSupport);
|
||||
}
|
||||
#endif
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_PHA
|
||||
int32_t HITLS_GetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool *isSupport)
|
||||
@@ -295,7 +300,7 @@ int32_t HITLS_GetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool *isSupport)
|
||||
return HITLS_CFG_GetPostHandshakeAuthSupport(&(ctx->config.tlsConfig), isSupport);
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
|
||||
int32_t HITLS_GetVerifyNoneSupport(HITLS_Ctx *ctx, bool *isSupport)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
@@ -306,7 +311,7 @@ int32_t HITLS_GetVerifyNoneSupport(HITLS_Ctx *ctx, bool *isSupport)
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
int32_t HITLS_GetClientOnceVerifySupport(HITLS_Ctx *ctx, bool *isSupport)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
@@ -394,6 +399,8 @@ int32_t HITLS_SetServerName(HITLS_Ctx *ctx, uint8_t *serverName, uint32_t server
|
||||
return HITLS_CFG_SetServerName(&(ctx->config.tlsConfig), serverName, serverNameStrlen);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
int32_t HITLS_SetCipherServerPreference(HITLS_Ctx *ctx, bool isSupport)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
@@ -411,6 +418,7 @@ int32_t HITLS_GetCipherServerPreference(const HITLS_Ctx *ctx, bool *isSupport)
|
||||
|
||||
return HITLS_CFG_GetCipherServerPreference(&(ctx->config.tlsConfig), isSupport);
|
||||
}
|
||||
#endif
|
||||
|
||||
int32_t HITLS_SetRenegotiationSupport(HITLS_Ctx *ctx, bool isSupport)
|
||||
{
|
||||
|
||||
@@ -105,6 +105,7 @@ static int32_t EstablishEventInRenegotiationState(HITLS_Ctx *ctx)
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
static int32_t CloseEventInRenegotiationState(HITLS_Ctx *ctx)
|
||||
{
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
@@ -130,6 +131,7 @@ static int32_t CloseEventInRenegotiationState(HITLS_Ctx *ctx)
|
||||
return HITLS_INTERNAL_EXCEPTION;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
static int32_t EstablishEventInAlertedState(HITLS_Ctx *ctx)
|
||||
{
|
||||
@@ -138,6 +140,7 @@ static int32_t EstablishEventInAlertedState(HITLS_Ctx *ctx)
|
||||
return HITLS_CM_LINK_FATAL_ALERTED;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
static int32_t EstablishEventInClosedState(HITLS_Ctx *ctx)
|
||||
{
|
||||
(void)ctx;
|
||||
@@ -253,6 +256,7 @@ static int32_t CloseEventInClosedState(HITLS_Ctx *ctx)
|
||||
ChangeConnState(ctx, CM_STATE_CLOSED);
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif
|
||||
|
||||
// Check and process the CTX status before HITLS_Connect and HITLS_Accept.
|
||||
int32_t ProcessCtxState(HITLS_Ctx *ctx)
|
||||
@@ -363,7 +367,9 @@ int32_t HITLS_Connect(HITLS_Ctx *ctx)
|
||||
EstablishEventInRenegotiationState,
|
||||
NULL, // The alerting phase has been processed in the ProcessCtxState function
|
||||
EstablishEventInAlertedState,
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
EstablishEventInClosedState
|
||||
#endif
|
||||
};
|
||||
|
||||
ManageEventProcess proc = connectEventProcess[GetConnState(ctx)];
|
||||
@@ -397,7 +403,9 @@ int32_t HITLS_Accept(HITLS_Ctx *ctx)
|
||||
EstablishEventInRenegotiationState,
|
||||
NULL,
|
||||
EstablishEventInAlertedState,
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
EstablishEventInClosedState
|
||||
#endif
|
||||
};
|
||||
|
||||
ManageEventProcess proc = acceptEventProcess[GetConnState(ctx)];
|
||||
@@ -460,6 +468,7 @@ int32_t HITLS_Listen(HITLS_Ctx *ctx, BSL_SAL_SockAddr clientAddr)
|
||||
}
|
||||
#endif /* #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_BSL_UIO_ADDR) */
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
int32_t HITLS_Close(HITLS_Ctx *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
@@ -503,6 +512,13 @@ int32_t HITLS_Close(HITLS_Ctx *ctx)
|
||||
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#else /* HITLS_TLS_PROTO_CLOSE_STATE */
|
||||
int32_t HITLS_Close(HITLS_Ctx *ctx)
|
||||
{
|
||||
ALERT_Send(ctx, ALERT_LEVEL_WARNING, ALERT_CLOSE_NOTIFY);
|
||||
return ALERT_Flush(ctx);
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_CLOSE_STATE */
|
||||
|
||||
int32_t HITLS_GetError(const HITLS_Ctx *ctx, int32_t ret)
|
||||
{
|
||||
@@ -629,7 +645,11 @@ int32_t HITLS_GetHandShakeState(const HITLS_Ctx *ctx, uint32_t *state)
|
||||
}
|
||||
}
|
||||
|
||||
if (ctx->state == CM_STATE_ALERTED || ctx->state == CM_STATE_CLOSED) {
|
||||
if (ctx->state == CM_STATE_ALERTED
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
|| ctx->state == CM_STATE_CLOSED
|
||||
#endif
|
||||
) {
|
||||
if (ctx->preState == CM_STATE_IDLE && ctx->hsCtx == NULL) {
|
||||
hsState = TLS_IDLE;
|
||||
} else if (ctx->hsCtx != NULL) {
|
||||
|
||||
@@ -35,7 +35,9 @@ int32_t ConnUnexpectedMsg(HITLS_Ctx *ctx, uint32_t msgType, const uint8_t *data,
|
||||
BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT);
|
||||
return HITLS_NULL_INPUT;
|
||||
}
|
||||
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
ALERT_ClearWarnCount(ctx, msgType);
|
||||
#endif
|
||||
int32_t ret = HITLS_REC_NORMAL_RECV_UNEXPECT_MSG;
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
if (isPlain) { // tls13
|
||||
@@ -85,7 +87,9 @@ int32_t CONN_Init(TLS_Ctx *ctx)
|
||||
ctx->method.sendCCS = CCS_Send;
|
||||
ctx->method.ctrlCCS = CCS_Ctrl;
|
||||
ctx->method.sendAlert = ALERT_Send;
|
||||
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
ctx->method.clearAlert = ALERT_ClearWarnCount;
|
||||
#endif
|
||||
ctx->method.getAlertFlag = ALERT_GetFlag;
|
||||
ctx->method.unexpectedMsgProcessCb = ConnUnexpectedMsg;
|
||||
#ifdef HITLS_TLS_FEATURE_KEY_UPDATE
|
||||
|
||||
+28
-20
@@ -74,6 +74,7 @@ int32_t RecvUnexpectMsgInTransportingStateProcess(HITLS_Ctx *ctx)
|
||||
}
|
||||
static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type)
|
||||
{
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
/* If the version is TLS1.3, ignore the message */
|
||||
if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16514, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
@@ -81,10 +82,9 @@ static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type)
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
|
||||
return HITLS_MSG_HANDLE_UNEXPECTED_MESSAGE;
|
||||
}
|
||||
|
||||
#endif
|
||||
/* If the message is not a renegotiation request, ignore the message */
|
||||
if ((ctx->isClient && (type == CLIENT_HELLO)) ||
|
||||
(!ctx->isClient && (type == HELLO_REQUEST))) {
|
||||
if ((ctx->isClient && (type == CLIENT_HELLO)) || (!ctx->isClient && (type == HELLO_REQUEST))) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16515, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"ignore the message", 0, 0, 0, 0);
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
|
||||
@@ -111,7 +111,7 @@ static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type)
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
|
||||
REC_RetransmitListClean(ctx->recCtx); /* dtls over udp scenario, the retransmission queue needs to be cleared */
|
||||
#endif
|
||||
@@ -129,9 +129,11 @@ static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type)
|
||||
} else {
|
||||
(void)HS_ChangeState(ctx, TRY_RECV_HELLO_REQUEST);
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_RENEGOTIATION */
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
static int32_t RecvKeyUpdatePreprocess(TLS_Ctx *ctx)
|
||||
{
|
||||
if (ctx->negotiatedInfo.version != HITLS_VERSION_TLS13) {
|
||||
@@ -194,6 +196,7 @@ static int32_t RecvNSTPreprocess(TLS_Ctx *ctx)
|
||||
ChangeConnState(ctx, CM_STATE_HANDSHAKING);
|
||||
return HS_ChangeState(ctx, TRY_RECV_NEW_SESSION_TICKET);
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS13 */
|
||||
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
|
||||
static int32_t RecvPostFinishPreprocess(TLS_Ctx *ctx)
|
||||
@@ -255,32 +258,27 @@ static int32_t PreprocessUnexpectHsMsg(HITLS_Ctx *ctx)
|
||||
switch (hsCtx->msgBuf[0]) {
|
||||
case HELLO_REQUEST:
|
||||
case CLIENT_HELLO:
|
||||
ret = RecvRenegoReqPreprocess(ctx, hsCtx->msgBuf[0]);
|
||||
break;
|
||||
return RecvRenegoReqPreprocess(ctx, hsCtx->msgBuf[0]);
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
case KEY_UPDATE:
|
||||
ret = RecvKeyUpdatePreprocess(ctx);
|
||||
break;
|
||||
return RecvKeyUpdatePreprocess(ctx);
|
||||
case CERTIFICATE_REQUEST:
|
||||
ret = RecvCertReqPreprocess(ctx);
|
||||
break;
|
||||
return RecvCertReqPreprocess(ctx);
|
||||
case CERTIFICATE:
|
||||
ret = RecvCertPreprocess(ctx);
|
||||
break;
|
||||
return RecvCertPreprocess(ctx);
|
||||
case NEW_SESSION_TICKET:
|
||||
ret = RecvNSTPreprocess(ctx);
|
||||
break;
|
||||
return RecvNSTPreprocess(ctx);
|
||||
#endif
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
|
||||
case FINISHED:
|
||||
ret = RecvPostFinishPreprocess(ctx);
|
||||
break;
|
||||
return RecvPostFinishPreprocess(ctx);
|
||||
#endif
|
||||
default:
|
||||
BSL_LOG_BINLOG_VARLEN(BINLOG_ID16529, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"Unexpected %s handshake state message.", HS_GetMsgTypeStr(hsCtx->msgBuf[0]));
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
|
||||
ret = HITLS_MSG_HANDLE_UNEXPECTED_MESSAGE;
|
||||
return HITLS_MSG_HANDLE_UNEXPECTED_MESSAGE;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void ConsumeHandshakeMessage(HITLS_Ctx *ctx)
|
||||
@@ -348,11 +346,12 @@ static int32_t ReadEventInTransportingState(HITLS_Ctx *ctx, uint8_t *data, uint3
|
||||
InnerRenegotiationProcess(ctx);
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) {
|
||||
/* If multiple consecutive alerts exist, the link is abnormal and needs to be disconnected */
|
||||
ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
|
||||
}
|
||||
|
||||
#endif
|
||||
unexpectMsgRet = AlertEventProcess(ctx);
|
||||
if (unexpectMsgRet != HITLS_SUCCESS) {
|
||||
/* If the alert fails to be sent, a response is returned to the user for processing */
|
||||
@@ -360,7 +359,11 @@ static int32_t ReadEventInTransportingState(HITLS_Ctx *ctx, uint8_t *data, uint3
|
||||
}
|
||||
|
||||
/* If fatal alert or close_notify has been processed, the link must be disconnected */
|
||||
if (ctx->state == CM_STATE_ALERTED || ctx->state == CM_STATE_CLOSED) {
|
||||
if (ctx->state == CM_STATE_ALERTED
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
|| ctx->state == CM_STATE_CLOSED
|
||||
#endif
|
||||
) {
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
@@ -432,6 +435,7 @@ static int32_t ReadEventInAlertedState(HITLS_Ctx *ctx, uint8_t *data, uint32_t b
|
||||
return HITLS_CM_LINK_FATAL_ALERTED;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
static int32_t ReadEventInClosedState(HITLS_Ctx *ctx, uint8_t *data, uint32_t bufSize, uint32_t *readLen)
|
||||
{
|
||||
// Non-closed state
|
||||
@@ -459,6 +463,8 @@ static int32_t ReadEventInClosedState(HITLS_Ctx *ctx, uint8_t *data, uint32_t bu
|
||||
// Directly return to link closed.
|
||||
return HITLS_CM_LINK_CLOSED;
|
||||
}
|
||||
#endif
|
||||
|
||||
static int32_t ReadProcess(HITLS_Ctx *ctx, uint8_t *data, uint32_t bufSize, uint32_t *readLen)
|
||||
{
|
||||
ReadEventProcess readEventProcess[CM_STATE_END] = {
|
||||
@@ -468,7 +474,9 @@ static int32_t ReadProcess(HITLS_Ctx *ctx, uint8_t *data, uint32_t bufSize, uint
|
||||
ReadEventInRenegotiationState,
|
||||
NULL,
|
||||
ReadEventInAlertedState,
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
ReadEventInClosedState
|
||||
#endif
|
||||
};
|
||||
|
||||
if ((GetConnState(ctx) >= CM_STATE_END) || (GetConnState(ctx) == CM_STATE_ALERTING)) {
|
||||
|
||||
@@ -68,12 +68,12 @@ static int32_t WriteEventInTransportingState(HITLS_Ctx *ctx, const uint8_t *data
|
||||
/* Failed to send a message but no alert is displayed */
|
||||
break;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) {
|
||||
/* If multiple consecutive alerts exist, the link is abnormal and needs to be disconnected */
|
||||
ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
|
||||
}
|
||||
|
||||
#endif
|
||||
alertRet = AlertEventProcess(ctx);
|
||||
if (alertRet != HITLS_SUCCESS) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16546, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
@@ -149,6 +149,7 @@ static int32_t WriteEventInAlertedState(HITLS_Ctx *ctx, const uint8_t *data, uin
|
||||
return HITLS_CM_LINK_FATAL_ALERTED;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
static int32_t WriteEventInClosedState(HITLS_Ctx *ctx, const uint8_t *data, uint32_t dataLen, uint32_t *writeLen)
|
||||
{
|
||||
if ((ctx->shutdownState & HITLS_SENT_SHUTDOWN) == 0) {
|
||||
@@ -171,6 +172,8 @@ static int32_t WriteEventInClosedState(HITLS_Ctx *ctx, const uint8_t *data, uint
|
||||
// Directly return a message indicating that the link status is abnormal.
|
||||
return HITLS_CM_LINK_CLOSED;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_PHA
|
||||
int32_t CommonCheckPostHandshakeAuth(TLS_Ctx *ctx)
|
||||
{
|
||||
@@ -220,7 +223,9 @@ int32_t HITLS_Write(HITLS_Ctx *ctx, const uint8_t *data, uint32_t dataLen, uint3
|
||||
WriteEventInRenegotiationState,
|
||||
NULL,
|
||||
WriteEventInAlertedState,
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
WriteEventInClosedState
|
||||
#endif
|
||||
};
|
||||
|
||||
if ((GetConnState(ctx) >= CM_STATE_END) || (GetConnState(ctx) == CM_STATE_ALERTING)) {
|
||||
|
||||
@@ -1533,60 +1533,169 @@ static const CipherSuiteInfo g_cipherSuiteList[] = {
|
||||
};
|
||||
|
||||
const CipherSuiteCertType g_cipherSuiteAndCertTypes[] = {
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA
|
||||
{ HITLS_RSA_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA
|
||||
{ HITLS_RSA_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA256
|
||||
{ HITLS_RSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA256
|
||||
{ HITLS_RSA_WITH_AES_256_CBC_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_GCM_SHA256
|
||||
{ HITLS_RSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_GCM_SHA384
|
||||
{ HITLS_RSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
{ HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||
{ HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
{ HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|
||||
{ HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
{ HITLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
{ HITLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
{ HITLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA
|
||||
{ HITLS_DHE_RSA_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA
|
||||
{ HITLS_DHE_RSA_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
{ HITLS_DHE_RSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA256
|
||||
{ HITLS_DHE_RSA_WITH_AES_256_CBC_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
{ HITLS_DHE_RSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
{ HITLS_DHE_RSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CCM
|
||||
{ HITLS_DHE_RSA_WITH_AES_128_CCM, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CCM
|
||||
{ HITLS_DHE_RSA_WITH_AES_256_CCM, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CCM
|
||||
{ HITLS_RSA_WITH_AES_128_CCM, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CCM_8
|
||||
{ HITLS_RSA_WITH_AES_128_CCM_8, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CCM
|
||||
{ HITLS_RSA_WITH_AES_256_CCM, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CCM_8
|
||||
{ HITLS_RSA_WITH_AES_256_CCM_8, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
{ HITLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA
|
||||
{ HITLS_RSA_PSK_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA
|
||||
{ HITLS_RSA_PSK_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_GCM_SHA256
|
||||
{ HITLS_RSA_PSK_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_GCM_SHA384
|
||||
{ HITLS_RSA_PSK_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA256
|
||||
{ HITLS_RSA_PSK_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA384
|
||||
{ HITLS_RSA_PSK_WITH_AES_256_CBC_SHA384, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
|
||||
{ HITLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_RSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
{ HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||
{ HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
||||
{ HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
|
||||
{ HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
{ HITLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||||
{ HITLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
{ HITLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CCM
|
||||
{ HITLS_ECDHE_ECDSA_WITH_AES_128_CCM, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CCM
|
||||
{ HITLS_ECDHE_ECDSA_WITH_AES_256_CCM, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA
|
||||
{ HITLS_DHE_DSS_WITH_AES_128_CBC_SHA, CERT_TYPE_DSS_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA
|
||||
{ HITLS_DHE_DSS_WITH_AES_256_CBC_SHA, CERT_TYPE_DSS_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA256
|
||||
{ HITLS_DHE_DSS_WITH_AES_128_CBC_SHA256, CERT_TYPE_DSS_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA256
|
||||
{ HITLS_DHE_DSS_WITH_AES_256_CBC_SHA256, CERT_TYPE_DSS_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_GCM_SHA256
|
||||
{ HITLS_DHE_DSS_WITH_AES_128_GCM_SHA256, CERT_TYPE_DSS_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_GCM_SHA384
|
||||
{ HITLS_DHE_DSS_WITH_AES_256_GCM_SHA384, CERT_TYPE_DSS_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3
|
||||
{ HITLS_ECDHE_SM4_CBC_SM3, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECC_SM4_CBC_SM3
|
||||
{ HITLS_ECC_SM4_CBC_SM3, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3
|
||||
{ HITLS_ECDHE_SM4_GCM_SM3, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECC_SM4_GCM_SM3
|
||||
{ HITLS_ECC_SM4_GCM_SM3, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_SM4_GCM_SM3
|
||||
{ HITLS_SM4_GCM_SM3, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_SM4_CCM_SM3
|
||||
{ HITLS_SM4_CCM_SM3, CERT_TYPE_ECDSA_SIGN },
|
||||
#endif
|
||||
{ 0, CERT_TYPE_UNKNOWN },
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -1776,6 +1885,7 @@ uint8_t CFG_GetCertTypeByCipherSuite(uint16_t cipherSuite)
|
||||
|
||||
return CERT_TYPE_UNKNOWN;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_CONFIG_CIPHER_SUITE
|
||||
/* Convert the supported version number to the corresponding character string */
|
||||
static const uint8_t* ProtocolToString(uint16_t version)
|
||||
|
||||
+18
-10
@@ -70,7 +70,7 @@ void CFG_CleanConfig(HITLS_Config *config)
|
||||
BSL_SAL_FREE(config->pointFormats);
|
||||
BSL_SAL_FREE(config->groups);
|
||||
BSL_SAL_FREE(config->signAlgorithms);
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
#ifndef HITLS_TLS_CAP_NO_STR
|
||||
for (uint32_t i = 0; i < config->groupInfolen; i++) {
|
||||
BSL_SAL_FREE(config->groupInfo[i].name);
|
||||
@@ -87,7 +87,7 @@ void CFG_CleanConfig(HITLS_Config *config)
|
||||
BSL_SAL_FREE(config->sigSchemeInfo);
|
||||
config->sigSchemeInfoSize = 0;
|
||||
config->sigSchemeInfolen = 0;
|
||||
#endif
|
||||
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
|
||||
|
||||
#if defined(HITLS_TLS_PROTO_TLS12) && defined(HITLS_TLS_FEATURE_PSK)
|
||||
BSL_SAL_FREE(config->pskIdentityHint);
|
||||
@@ -135,8 +135,12 @@ static void ShallowCopy(HITLS_Ctx *ctx, const HITLS_Config *srcConfig)
|
||||
destConfig->attrName = ATTRIBUTE_FROM_CONFIG(srcConfig);
|
||||
destConfig->minVersion = srcConfig->minVersion;
|
||||
destConfig->maxVersion = srcConfig->maxVersion;
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
destConfig->isQuietShutdown = srcConfig->isQuietShutdown;
|
||||
#endif
|
||||
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
destConfig->isSupportServerPreference = srcConfig->isSupportServerPreference;
|
||||
#endif
|
||||
destConfig->maxCertList = srcConfig->maxCertList;
|
||||
destConfig->isSupportExtendedMasterSecret = srcConfig->isSupportExtendedMasterSecret;
|
||||
destConfig->emptyRecordsNum = srcConfig->emptyRecordsNum;
|
||||
@@ -182,17 +186,17 @@ static void ShallowCopy(HITLS_Ctx *ctx, const HITLS_Config *srcConfig)
|
||||
#if defined(HITLS_TLS_FEATURE_RENEGOTIATION) && defined(HITLS_TLS_FEATURE_SESSION)
|
||||
destConfig->isResumptionOnRenego = srcConfig->isResumptionOnRenego;
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
|
||||
destConfig->isSupportVerifyNone = srcConfig->isSupportVerifyNone;
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
destConfig->isSupportClientVerify = srcConfig->isSupportClientVerify;
|
||||
destConfig->isSupportNoClientCert = srcConfig->isSupportNoClientCert;
|
||||
destConfig->isSupportVerifyNone = srcConfig->isSupportVerifyNone;
|
||||
destConfig->isSupportClientOnceVerify = srcConfig->isSupportClientOnceVerify;
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_SESSION_TICKET
|
||||
destConfig->isSupportSessionTicket = srcConfig->isSupportSessionTicket;
|
||||
#endif
|
||||
#if defined(HITLS_TLS_FEATURE_RENEGOTIATION) && defined(HITLS_TLS_FEATURE_CERT_MODE)
|
||||
destConfig->isSupportClientOnceVerify = srcConfig->isSupportClientOnceVerify;
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_PHA
|
||||
destConfig->isSupportPostHandshakeAuth = srcConfig->isSupportPostHandshakeAuth;
|
||||
#endif
|
||||
@@ -273,7 +277,7 @@ static int32_t GroupCfgDeepCopy(HITLS_Config *destConfig, const HITLS_Config *sr
|
||||
}
|
||||
destConfig->groupsSize = srcConfig->groupsSize;
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
if (srcConfig->groupInfo != NULL) {
|
||||
#ifndef HITLS_TLS_CAP_NO_STR
|
||||
for (uint32_t i = 0; i < destConfig->groupInfolen; i++) {
|
||||
@@ -300,7 +304,7 @@ static int32_t GroupCfgDeepCopy(HITLS_Config *destConfig, const HITLS_Config *sr
|
||||
#endif
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -329,7 +333,7 @@ static int32_t SignAlgorithmsCfgDeepCopy(HITLS_Config *destConfig, const HITLS_C
|
||||
}
|
||||
destConfig->signAlgorithmsSize = srcConfig->signAlgorithmsSize;
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
if (srcConfig->sigSchemeInfo != NULL) {
|
||||
for (uint32_t i = 0; i < destConfig->sigSchemeInfolen; i++) {
|
||||
BSL_SAL_FREE(destConfig->sigSchemeInfo[i].name);
|
||||
@@ -1401,6 +1405,7 @@ int32_t HITLS_SetVersionForbid(HITLS_Ctx *ctx, uint32_t noVersion)
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
int32_t HITLS_CFG_SetQuietShutdown(HITLS_Config *config, int32_t mode)
|
||||
{
|
||||
if (config == NULL) {
|
||||
@@ -1432,6 +1437,7 @@ int32_t HITLS_CFG_GetQuietShutdown(const HITLS_Config *config, int32_t *mode)
|
||||
*mode = (int32_t)config->isQuietShutdown;
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif
|
||||
|
||||
int32_t HITLS_CFG_SetEncryptThenMac(HITLS_Config *config, bool encryptThenMacType)
|
||||
{
|
||||
@@ -1465,6 +1471,7 @@ int32_t HITLS_CFG_GetEncryptThenMac(const HITLS_Config *config, bool *encryptThe
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
int32_t HITLS_CFG_SetCipherServerPreference(HITLS_Config *config, bool isSupport)
|
||||
{
|
||||
if (config == NULL) {
|
||||
@@ -1484,6 +1491,7 @@ int32_t HITLS_CFG_GetCipherServerPreference(const HITLS_Config *config, bool *is
|
||||
*isSupport = config->isSupportServerPreference;
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HITLS_TLS_MAINTAIN_KEYLOG
|
||||
int32_t HITLS_CFG_SetKeyLogCb(HITLS_Config *config, HITLS_KeyLogCb callback)
|
||||
|
||||
@@ -714,7 +714,7 @@ int32_t HITLS_CFG_SetCertCb(HITLS_Config *config, HITLS_CertCb certCb, void *arg
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_CB */
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
|
||||
int32_t HITLS_CFG_SetVerifyNoneSupport(HITLS_Config *config, bool support)
|
||||
{
|
||||
if (config == NULL) {
|
||||
@@ -734,7 +734,9 @@ int32_t HITLS_CFG_GetVerifyNoneSupport(HITLS_Config *config, bool *isSupport)
|
||||
*isSupport = config->isSupportVerifyNone;
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER */
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
int32_t HITLS_CFG_GetClientVerifySupport(HITLS_Config *config, bool *isSupport)
|
||||
{
|
||||
if (config == NULL || isSupport == NULL) {
|
||||
@@ -773,7 +775,7 @@ int32_t HITLS_CFG_SetNoClientCertSupport(HITLS_Config *config, bool support)
|
||||
config->isSupportNoClientCert = support;
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES
|
||||
static void HitlsTrustedCANodeFree(void *caNode)
|
||||
|
||||
@@ -44,7 +44,8 @@ static bool CFG_IsValidVersion(uint16_t version)
|
||||
}
|
||||
#endif /* HITLS_TLS_CONFIG_VERSION */
|
||||
|
||||
static bool HaveMatchSignAlg(const TLS_Config *config, HITLS_AuthAlgo authAlg, const uint16_t *signatureAlgorithms,
|
||||
#ifdef HITLS_TLS_PROTO_DFX_CHECK
|
||||
static bool HaveMatchSignAlg(const TLS_Config *config, HITLS_AuthAlgo authAlg, const uint16_t *signatureAlgorithms,
|
||||
uint32_t signatureAlgorithmsSize)
|
||||
{
|
||||
HITLS_SignAlgo signAlg = HITLS_SIGN_BUTT;
|
||||
@@ -193,6 +194,7 @@ static int32_t CheckGroup(const TLS_Config *config)
|
||||
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_DFX_CHECK */
|
||||
|
||||
#ifdef HITLS_TLS_CONFIG_VERSION
|
||||
int32_t CheckVersion(uint16_t minVersion, uint16_t maxVersion)
|
||||
@@ -232,6 +234,7 @@ int32_t CheckVersion(uint16_t minVersion, uint16_t maxVersion)
|
||||
}
|
||||
#endif /* HITLS_TLS_CONFIG_VERSION */
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_CHECK
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
|
||||
static int32_t CheckCallbackFunc(const TLS_Config *config)
|
||||
{
|
||||
@@ -293,3 +296,4 @@ int32_t CheckConfig(const TLS_Config *config)
|
||||
#endif
|
||||
return ret;
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_DFX_CHECK */
|
||||
@@ -43,75 +43,213 @@ uint16_t g_tlcpCipherSuites[] = {
|
||||
#endif
|
||||
|
||||
uint16_t g_tls12CipherSuites[] = {
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||||
HITLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
HITLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_GCM_SHA384
|
||||
HITLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
HITLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
HITLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
HITLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
HITLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
HITLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
HITLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_GCM_SHA256
|
||||
HITLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
HITLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CCM
|
||||
HITLS_ECDHE_ECDSA_WITH_AES_128_CCM,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CCM
|
||||
HITLS_ECDHE_ECDSA_WITH_AES_256_CCM,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
|
||||
HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|
||||
HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CCM
|
||||
HITLS_DHE_RSA_WITH_AES_128_CCM,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CCM
|
||||
HITLS_DHE_RSA_WITH_AES_256_CCM,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA256
|
||||
HITLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA256
|
||||
HITLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
||||
HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
HITLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA256
|
||||
HITLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||
HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||
HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA
|
||||
HITLS_DHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA
|
||||
HITLS_DHE_DSS_WITH_AES_256_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA
|
||||
HITLS_DHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_256_GCM_SHA384
|
||||
HITLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_GCM_SHA384
|
||||
HITLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_GCM_SHA384
|
||||
HITLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
|
||||
HITLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
|
||||
HITLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
|
||||
HITLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA
|
||||
HITLS_DHE_DSS_WITH_AES_128_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_GCM_SHA384
|
||||
HITLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_GCM_SHA384
|
||||
HITLS_PSK_WITH_AES_256_GCM_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_PSK_WITH_CHACHA20_POLY1305_SHA256
|
||||
HITLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_GCM_SHA256
|
||||
HITLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_GCM_SHA256
|
||||
HITLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_GCM_SHA256
|
||||
HITLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_GCM_SHA256
|
||||
HITLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_128_GCM_SHA256
|
||||
HITLS_PSK_WITH_AES_128_GCM_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_CCM
|
||||
HITLS_PSK_WITH_AES_256_CCM,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA256
|
||||
HITLS_RSA_WITH_AES_256_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA256
|
||||
HITLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_CCM_SHA256
|
||||
HITLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_256_CBC_SHA384
|
||||
HITLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_256_CBC_SHA
|
||||
HITLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA384
|
||||
HITLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_CCM
|
||||
HITLS_DHE_PSK_WITH_AES_128_CCM,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_CCM
|
||||
HITLS_DHE_PSK_WITH_AES_256_CCM,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_CBC_SHA384
|
||||
HITLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA
|
||||
HITLS_RSA_PSK_WITH_AES_256_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_CBC_SHA
|
||||
HITLS_DHE_PSK_WITH_AES_256_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA
|
||||
HITLS_RSA_WITH_AES_256_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_CBC_SHA384
|
||||
HITLS_PSK_WITH_AES_256_CBC_SHA384,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_CBC_SHA
|
||||
HITLS_PSK_WITH_AES_256_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_CBC_SHA256
|
||||
HITLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_CBC_SHA
|
||||
HITLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA256
|
||||
HITLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_CBC_SHA256
|
||||
HITLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA
|
||||
HITLS_RSA_PSK_WITH_AES_128_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_CBC_SHA
|
||||
HITLS_DHE_PSK_WITH_AES_128_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA
|
||||
HITLS_RSA_WITH_AES_128_CBC_SHA,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_128_CBC_SHA256
|
||||
HITLS_PSK_WITH_AES_128_CBC_SHA256,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_128_CBC_SHA
|
||||
HITLS_PSK_WITH_AES_128_CBC_SHA,
|
||||
#endif
|
||||
};
|
||||
|
||||
int32_t SetDefaultCipherSuite(HITLS_Config *config, const uint16_t *cipherSuites, uint32_t cipherSuiteSize)
|
||||
@@ -212,19 +350,20 @@ static void InitConfig(HITLS_Config *config)
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
|
||||
config->isSupportDtlsCookieExchange = false;
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
/** Set the certificate verification mode */
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
|
||||
config->isSupportVerifyNone = false;
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
config->isSupportClientVerify = false;
|
||||
config->isSupportNoClientCert = true;
|
||||
config->isSupportVerifyNone = false;
|
||||
config->isSupportClientOnceVerify = false;
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_PHA
|
||||
config->isSupportPostHandshakeAuth = false;
|
||||
#endif
|
||||
#if defined(HITLS_TLS_FEATURE_RENEGOTIATION) && defined(HITLS_TLS_FEATURE_CERT_MODE)
|
||||
config->isSupportClientOnceVerify = false;
|
||||
#endif
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
config->isQuietShutdown = false;
|
||||
#endif
|
||||
config->maxCertList = HITLS_MAX_CERT_LIST_DEFAULT;
|
||||
config->isKeepPeerCert = true;
|
||||
#ifdef HITLS_TLS_FEATURE_SESSION_TICKET
|
||||
|
||||
@@ -472,7 +472,7 @@ int32_t HITLS_CFG_SetSessionRemoveCb(HITLS_Config *config, const HITLS_SessionRe
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_SESSION_CACHE_CB */
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
int32_t HITLS_CFG_SetClientOnceVerifySupport(HITLS_Config *config, bool support)
|
||||
{
|
||||
if (config == NULL) {
|
||||
@@ -491,7 +491,7 @@ int32_t HITLS_CFG_GetClientOnceVerifySupport(HITLS_Config *config, bool *isSuppo
|
||||
*isSupport = config->isSupportClientOnceVerify;
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE */
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_FLIGHT
|
||||
int32_t HITLS_CFG_SetFlightTransmitSwitch(HITLS_Config *config, bool isEnable)
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
#include "hitls_error.h"
|
||||
#include "crypt_algid.h"
|
||||
#include "config.h"
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
#include "securec.h"
|
||||
#include "crypt_eal_provider.h"
|
||||
#include "crypt_params_key.h"
|
||||
@@ -45,12 +45,13 @@ static const uint16_t DEFAULT_GROUP_ID[] = {
|
||||
HITLS_FF_DHE_8192,
|
||||
};
|
||||
|
||||
#ifndef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
#ifndef HITLS_TLS_CAP_NO_STR
|
||||
#define CONST_CAST(str) ((char *)(uintptr_t)(str))
|
||||
#else
|
||||
#define CONST_CAST(str) NULL
|
||||
#endif
|
||||
#endif /* HITLS_TLS_CAP_NO_STR */
|
||||
|
||||
static const TLS_GroupInfo GROUP_INFO[] = {
|
||||
{
|
||||
CONST_CAST("x25519"),
|
||||
@@ -96,6 +97,7 @@ static const TLS_GroupInfo GROUP_INFO[] = {
|
||||
},
|
||||
#endif /* HITLS_TLS_PROTO_TLS13 */
|
||||
#endif /* HITLS_TLS_FEATURE_KEM */
|
||||
#ifdef HITLS_CRYPTO_CURVE_NISTP256
|
||||
{
|
||||
CONST_CAST("secp256r1"),
|
||||
CRYPT_ECC_NISTP256, // CRYPT_ECC_NISTP256
|
||||
@@ -106,6 +108,8 @@ static const TLS_GroupInfo GROUP_INFO[] = {
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK, // versionBits
|
||||
false,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_CURVE_NISTP256 */
|
||||
#ifdef HITLS_CRYPTO_CURVE_NISTP384
|
||||
{
|
||||
CONST_CAST("secp384r1"),
|
||||
CRYPT_ECC_NISTP384, // CRYPT_ECC_NISTP384
|
||||
@@ -116,6 +120,8 @@ static const TLS_GroupInfo GROUP_INFO[] = {
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK, // versionBits
|
||||
false,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_CURVE_NISTP384 */
|
||||
#ifdef HITLS_CRYPTO_CURVE_NISTP521
|
||||
{
|
||||
CONST_CAST("secp521r1"),
|
||||
CRYPT_ECC_NISTP521, // CRYPT_ECC_NISTP521
|
||||
@@ -126,6 +132,8 @@ static const TLS_GroupInfo GROUP_INFO[] = {
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK, // versionBits
|
||||
false,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_CURVE_NISTP521 */
|
||||
#ifdef HITLS_CRYPTO_CURVE_BP256R1
|
||||
{
|
||||
CONST_CAST("brainpoolP256r1"),
|
||||
CRYPT_ECC_BRAINPOOLP256R1, // CRYPT_ECC_BRAINPOOLP256R1
|
||||
@@ -136,6 +144,8 @@ static const TLS_GroupInfo GROUP_INFO[] = {
|
||||
TLS10_VERSION_BIT | TLS11_VERSION_BIT | TLS12_VERSION_BIT | DTLS_VERSION_MASK, // versionBits
|
||||
false,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_CURVE_BP256R1 */
|
||||
#ifdef HITLS_CRYPTO_CURVE_BP384R1
|
||||
{
|
||||
CONST_CAST("brainpoolP384r1"),
|
||||
CRYPT_ECC_BRAINPOOLP384R1, // CRYPT_ECC_BRAINPOOLP384R1
|
||||
@@ -146,6 +156,8 @@ static const TLS_GroupInfo GROUP_INFO[] = {
|
||||
TLS10_VERSION_BIT | TLS11_VERSION_BIT | TLS12_VERSION_BIT | DTLS_VERSION_MASK, // versionBits
|
||||
false,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_CURVE_BP384R1 */
|
||||
#ifdef HITLS_CRYPTO_CURVE_BP512R1
|
||||
{
|
||||
CONST_CAST("brainpoolP512r1"),
|
||||
CRYPT_ECC_BRAINPOOLP512R1, // CRYPT_ECC_BRAINPOOLP512R1
|
||||
@@ -156,6 +168,7 @@ static const TLS_GroupInfo GROUP_INFO[] = {
|
||||
TLS10_VERSION_BIT | TLS11_VERSION_BIT | TLS12_VERSION_BIT | DTLS_VERSION_MASK, // versionBits
|
||||
false,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_CURVE_BP512R1 */
|
||||
#ifdef HITLS_TLS_FEATURE_SM_TLS13
|
||||
{
|
||||
"curveSm2",
|
||||
@@ -180,6 +193,7 @@ static const TLS_GroupInfo GROUP_INFO[] = {
|
||||
false,
|
||||
},
|
||||
#endif
|
||||
#ifdef HITLS_CRYPTO_DH
|
||||
{
|
||||
CONST_CAST("ffdhe8192"),
|
||||
CRYPT_DH_RFC7919_8192, // CRYPT_DH_8192
|
||||
@@ -230,6 +244,7 @@ static const TLS_GroupInfo GROUP_INFO[] = {
|
||||
TLS13_VERSION_BIT, // versionBits
|
||||
false,
|
||||
}
|
||||
#endif /* HITLS_CRYPTO_DH */
|
||||
};
|
||||
|
||||
int32_t ConfigLoadGroupInfo(HITLS_Config *config)
|
||||
@@ -260,7 +275,7 @@ const TLS_GroupInfo *ConfigGetGroupInfoList(const HITLS_Config *config, uint32_t
|
||||
*size = sizeof(GROUP_INFO) / sizeof(GROUP_INFO[0]);
|
||||
return &GROUP_INFO[0];
|
||||
}
|
||||
#else
|
||||
#else /* #ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
|
||||
|
||||
static int32_t ProviderAddGroupInfo(const BSL_Param *params, void *args)
|
||||
{
|
||||
@@ -360,4 +375,4 @@ const TLS_GroupInfo *ConfigGetGroupInfoList(const HITLS_Config *config, uint32_t
|
||||
*size = config->groupInfolen;
|
||||
return config->groupInfo;
|
||||
}
|
||||
#endif
|
||||
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
#include "cipher_suite.h"
|
||||
#include "config.h"
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
#include "securec.h"
|
||||
#include "crypt_eal_provider.h"
|
||||
#include "crypt_params_key.h"
|
||||
@@ -85,81 +85,84 @@ static int32_t UpdateSignAlgorithmsArray(TLS_Config *config)
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
#ifndef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
#ifndef HITLS_TLS_CAP_NO_STR
|
||||
#define CONST_CAST(str) ((char *)(uintptr_t)(str))
|
||||
#else
|
||||
#define CONST_CAST(str) NULL
|
||||
#endif
|
||||
#endif /* HITLS_TLS_CAP_NO_STR */
|
||||
static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
|
||||
#ifdef HITLS_CRYPTO_CURVE_NISTP521
|
||||
{
|
||||
CONST_CAST("ecdsa_secp521r1_sha512"),
|
||||
CERT_SIG_SCHEME_ECDSA_SECP521R1_SHA512,
|
||||
TLS_CERT_KEY_TYPE_ECDSA,
|
||||
CRYPT_ECC_NISTP521,
|
||||
BSL_CID_ECDSAWITHSHA512,
|
||||
HITLS_SIGN_ECDSA,
|
||||
HITLS_HASH_SHA_512,
|
||||
HITLS_SIGN_ECDSA, HITLS_HASH_SHA_512,
|
||||
256,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_CURVE_NISTP521 */
|
||||
#ifdef HITLS_CRYPTO_CURVE_NISTP384
|
||||
{
|
||||
CONST_CAST("ecdsa_secp384r1_sha384"),
|
||||
CERT_SIG_SCHEME_ECDSA_SECP384R1_SHA384,
|
||||
TLS_CERT_KEY_TYPE_ECDSA,
|
||||
CRYPT_ECC_NISTP384,
|
||||
BSL_CID_ECDSAWITHSHA384,
|
||||
HITLS_SIGN_ECDSA,
|
||||
HITLS_HASH_SHA_384,
|
||||
HITLS_SIGN_ECDSA, HITLS_HASH_SHA_384,
|
||||
192,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_CURVE_NISTP384 */
|
||||
{
|
||||
CONST_CAST("ed25519"),
|
||||
CERT_SIG_SCHEME_ED25519,
|
||||
TLS_CERT_KEY_TYPE_ED25519,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_ED25519,
|
||||
HITLS_SIGN_ED25519,
|
||||
HITLS_HASH_SHA_512,
|
||||
HITLS_SIGN_ED25519, HITLS_HASH_SHA_512,
|
||||
128,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
},
|
||||
#ifdef HITLS_CRYPTO_CURVE_NISTP256
|
||||
{
|
||||
CONST_CAST("ecdsa_secp256r1_sha256"),
|
||||
CERT_SIG_SCHEME_ECDSA_SECP256R1_SHA256,
|
||||
TLS_CERT_KEY_TYPE_ECDSA,
|
||||
CRYPT_ECC_NISTP256,
|
||||
BSL_CID_ECDSAWITHSHA256,
|
||||
HITLS_SIGN_ECDSA,
|
||||
HITLS_HASH_SHA_256,
|
||||
HITLS_SIGN_ECDSA, HITLS_HASH_SHA_256,
|
||||
128,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_CURVE_NISTP256 */
|
||||
#ifdef HITLS_CRYPTO_SM2
|
||||
{
|
||||
CONST_CAST("sm2_sm3"),
|
||||
CERT_SIG_SCHEME_SM2_SM3,
|
||||
TLS_CERT_KEY_TYPE_SM2,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_SM2DSAWITHSM3,
|
||||
HITLS_SIGN_SM2,
|
||||
HITLS_HASH_SM3,
|
||||
HITLS_SIGN_SM2, HITLS_HASH_SM3,
|
||||
128,
|
||||
TLCP11_VERSION_BIT | DTLCP11_VERSION_BIT | TLS13_VERSION_BIT,
|
||||
TLCP11_VERSION_BIT | DTLCP11_VERSION_BIT | TLS13_VERSION_BIT,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_SM2 */
|
||||
#ifdef HITLS_CRYPTO_RSA
|
||||
{
|
||||
CONST_CAST("rsa_pss_pss_sha512"),
|
||||
CERT_SIG_SCHEME_RSA_PSS_PSS_SHA512,
|
||||
TLS_CERT_KEY_TYPE_RSA_PSS,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_RSASSAPSS,
|
||||
HITLS_SIGN_RSA_PSS,
|
||||
HITLS_HASH_SHA_512,
|
||||
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_512,
|
||||
256,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
@@ -170,8 +173,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
|
||||
TLS_CERT_KEY_TYPE_RSA_PSS,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_RSASSAPSS,
|
||||
HITLS_SIGN_RSA_PSS,
|
||||
HITLS_HASH_SHA_384,
|
||||
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_384,
|
||||
192,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
@@ -182,8 +184,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
|
||||
TLS_CERT_KEY_TYPE_RSA_PSS,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_RSASSAPSS,
|
||||
HITLS_SIGN_RSA_PSS,
|
||||
HITLS_HASH_SHA_256,
|
||||
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_256,
|
||||
128,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
@@ -194,8 +195,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
|
||||
TLS_CERT_KEY_TYPE_RSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_RSASSAPSS,
|
||||
HITLS_SIGN_RSA_PSS,
|
||||
HITLS_HASH_SHA_512,
|
||||
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_512,
|
||||
256,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
@@ -206,8 +206,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
|
||||
TLS_CERT_KEY_TYPE_RSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_RSASSAPSS,
|
||||
HITLS_SIGN_RSA_PSS,
|
||||
HITLS_HASH_SHA_384,
|
||||
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_384,
|
||||
192,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
@@ -218,8 +217,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
|
||||
TLS_CERT_KEY_TYPE_RSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_RSASSAPSS,
|
||||
HITLS_SIGN_RSA_PSS,
|
||||
HITLS_HASH_SHA_256,
|
||||
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_256,
|
||||
128,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
@@ -230,108 +228,117 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
|
||||
TLS_CERT_KEY_TYPE_RSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_SHA512WITHRSAENCRYPTION,
|
||||
HITLS_SIGN_RSA_PKCS1_V15,
|
||||
HITLS_HASH_SHA_512,
|
||||
HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_512,
|
||||
256,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_RSA */
|
||||
#ifdef HITLS_CRYPTO_DSA
|
||||
{
|
||||
CONST_CAST("dsa_sha512"),
|
||||
CERT_SIG_SCHEME_DSA_SHA512,
|
||||
TLS_CERT_KEY_TYPE_DSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_DSAWITHSHA512,
|
||||
HITLS_SIGN_DSA,
|
||||
HITLS_HASH_SHA_512,
|
||||
HITLS_SIGN_DSA, HITLS_HASH_SHA_512,
|
||||
256,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_DSA */
|
||||
#ifdef HITLS_CRYPTO_RSA
|
||||
{
|
||||
CONST_CAST("rsa_pkcs1_sha384"),
|
||||
CERT_SIG_SCHEME_RSA_PKCS1_SHA384,
|
||||
TLS_CERT_KEY_TYPE_RSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_SHA384WITHRSAENCRYPTION,
|
||||
HITLS_SIGN_RSA_PKCS1_V15,
|
||||
HITLS_HASH_SHA_384,
|
||||
HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_384,
|
||||
192,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_RSA */
|
||||
#ifdef HITLS_CRYPTO_DSA
|
||||
{
|
||||
CONST_CAST("dsa_sha384"),
|
||||
CERT_SIG_SCHEME_DSA_SHA384,
|
||||
TLS_CERT_KEY_TYPE_DSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_DSAWITHSHA384,
|
||||
HITLS_SIGN_DSA,
|
||||
HITLS_HASH_SHA_384,
|
||||
HITLS_SIGN_DSA, HITLS_HASH_SHA_384,
|
||||
192,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_DSA */
|
||||
#ifdef HITLS_CRYPTO_RSA
|
||||
{
|
||||
CONST_CAST("rsa_pkcs1_sha256"),
|
||||
CERT_SIG_SCHEME_RSA_PKCS1_SHA256,
|
||||
TLS_CERT_KEY_TYPE_RSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_SHA256WITHRSAENCRYPTION,
|
||||
HITLS_SIGN_RSA_PKCS1_V15,
|
||||
HITLS_HASH_SHA_256,
|
||||
HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_256,
|
||||
128,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS_VERSION_MASK | DTLS_VERSION_MASK,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_RSA */
|
||||
#ifdef HITLS_CRYPTO_DSA
|
||||
{
|
||||
CONST_CAST("dsa_sha256"),
|
||||
CERT_SIG_SCHEME_DSA_SHA256,
|
||||
TLS_CERT_KEY_TYPE_DSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_DSAWITHSHA256,
|
||||
HITLS_SIGN_DSA,
|
||||
HITLS_HASH_SHA_256,
|
||||
HITLS_SIGN_DSA, HITLS_HASH_SHA_256,
|
||||
128,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_DSA */
|
||||
#ifdef HITLS_CRYPTO_ECDSA
|
||||
{
|
||||
CONST_CAST("ecdsa_sha224"),
|
||||
CERT_SIG_SCHEME_ECDSA_SHA224,
|
||||
TLS_CERT_KEY_TYPE_ECDSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_ECDSAWITHSHA224,
|
||||
HITLS_SIGN_ECDSA,
|
||||
HITLS_HASH_SHA_224,
|
||||
HITLS_SIGN_ECDSA, HITLS_HASH_SHA_224,
|
||||
112,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_ECDSA */
|
||||
#ifdef HITLS_CRYPTO_RSA
|
||||
{
|
||||
CONST_CAST("rsa_pkcs1_sha224"),
|
||||
CERT_SIG_SCHEME_RSA_PKCS1_SHA224,
|
||||
TLS_CERT_KEY_TYPE_RSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_SHA224WITHRSAENCRYPTION,
|
||||
HITLS_SIGN_RSA_PKCS1_V15,
|
||||
HITLS_HASH_SHA_224,
|
||||
HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_224,
|
||||
112,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_RSA */
|
||||
#ifdef HITLS_CRYPTO_DSA
|
||||
{
|
||||
CONST_CAST("dsa_sha224"),
|
||||
CERT_SIG_SCHEME_DSA_SHA224,
|
||||
TLS_CERT_KEY_TYPE_DSA,
|
||||
CRYPT_PKEY_PARAID_MAX,
|
||||
BSL_CID_DSAWITHSHA224,
|
||||
HITLS_SIGN_DSA,
|
||||
HITLS_HASH_SHA_224,
|
||||
HITLS_SIGN_DSA, HITLS_HASH_SHA_224,
|
||||
112,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_DSA */
|
||||
#ifdef HITLS_CRYPTO_ECDSA
|
||||
{
|
||||
CONST_CAST("ecdsa_sha1"),
|
||||
CERT_SIG_SCHEME_ECDSA_SHA1,
|
||||
@@ -344,6 +351,8 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_ECDSA */
|
||||
#ifdef HITLS_CRYPTO_RSA
|
||||
{
|
||||
CONST_CAST("rsa_pkcs1_sha1"),
|
||||
CERT_SIG_SCHEME_RSA_PKCS1_SHA1,
|
||||
@@ -356,6 +365,8 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_RSA */
|
||||
#ifdef HITLS_CRYPTO_DSA
|
||||
{
|
||||
CONST_CAST("dsa_sha1"),
|
||||
CERT_SIG_SCHEME_DSA_SHA1,
|
||||
@@ -368,6 +379,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
|
||||
},
|
||||
#endif /* HITLS_CRYPTO_DSA */
|
||||
};
|
||||
|
||||
int32_t ConfigLoadSignatureSchemeInfo(HITLS_Config *config)
|
||||
@@ -394,7 +406,7 @@ const TLS_SigSchemeInfo *ConfigGetSignatureSchemeInfoList(const HITLS_Config *co
|
||||
return SIGNATURE_SCHEME_INFO;
|
||||
}
|
||||
|
||||
#else // HITLS_TLS_FEATURE_PROVIDER
|
||||
#else /* #ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
|
||||
|
||||
static int32_t PrepareSignSchemeStorage(TLS_Config *config, TLS_SigSchemeInfo **scheme)
|
||||
{
|
||||
@@ -578,4 +590,4 @@ const TLS_SigSchemeInfo *ConfigGetSignatureSchemeInfoList(const HITLS_Config *co
|
||||
return config->sigSchemeInfo;
|
||||
}
|
||||
|
||||
#endif
|
||||
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
|
||||
|
||||
@@ -102,24 +102,61 @@ int32_t HITLS_CRYPT_RegisterBaseMethod(HITLS_CRYPT_BaseMethod *userCryptCallBack
|
||||
BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT);
|
||||
return HITLS_NULL_INPUT;
|
||||
}
|
||||
g_cryptBaseMethod.randBytes = userCryptCallBack->randBytes;
|
||||
g_cryptBaseMethod.hmacSize = userCryptCallBack->hmacSize;
|
||||
g_cryptBaseMethod.hmacInit = userCryptCallBack->hmacInit;
|
||||
g_cryptBaseMethod.hmacReinit = userCryptCallBack->hmacReinit;
|
||||
g_cryptBaseMethod.hmacFree = userCryptCallBack->hmacFree;
|
||||
g_cryptBaseMethod.hmacUpdate = userCryptCallBack->hmacUpdate;
|
||||
g_cryptBaseMethod.hmacFinal = userCryptCallBack->hmacFinal;
|
||||
g_cryptBaseMethod.hmac = userCryptCallBack->hmac;
|
||||
g_cryptBaseMethod.digestSize = userCryptCallBack->digestSize;
|
||||
g_cryptBaseMethod.digestInit = userCryptCallBack->digestInit;
|
||||
g_cryptBaseMethod.digestCopy = userCryptCallBack->digestCopy;
|
||||
g_cryptBaseMethod.digestFree = userCryptCallBack->digestFree;
|
||||
g_cryptBaseMethod.digestUpdate = userCryptCallBack->digestUpdate;
|
||||
g_cryptBaseMethod.digestFinal = userCryptCallBack->digestFinal;
|
||||
g_cryptBaseMethod.digest = userCryptCallBack->digest;
|
||||
g_cryptBaseMethod.encrypt = userCryptCallBack->encrypt;
|
||||
g_cryptBaseMethod.decrypt = userCryptCallBack->decrypt;
|
||||
g_cryptBaseMethod.cipherFree = userCryptCallBack->cipherFree;
|
||||
|
||||
if (userCryptCallBack->randBytes != NULL) {
|
||||
g_cryptBaseMethod.randBytes = userCryptCallBack->randBytes;
|
||||
}
|
||||
if (userCryptCallBack->hmacSize != NULL) {
|
||||
g_cryptBaseMethod.hmacSize = userCryptCallBack->hmacSize;
|
||||
}
|
||||
if (userCryptCallBack->hmacInit != NULL) {
|
||||
g_cryptBaseMethod.hmacInit = userCryptCallBack->hmacInit;
|
||||
}
|
||||
if (userCryptCallBack->hmacReinit != NULL) {
|
||||
g_cryptBaseMethod.hmacReinit = userCryptCallBack->hmacReinit;
|
||||
}
|
||||
if (userCryptCallBack->hmacFree != NULL) {
|
||||
g_cryptBaseMethod.hmacFree = userCryptCallBack->hmacFree;
|
||||
}
|
||||
if (userCryptCallBack->hmacUpdate != NULL) {
|
||||
g_cryptBaseMethod.hmacUpdate = userCryptCallBack->hmacUpdate;
|
||||
}
|
||||
if (userCryptCallBack->hmacFinal != NULL) {
|
||||
g_cryptBaseMethod.hmacFinal = userCryptCallBack->hmacFinal;
|
||||
}
|
||||
if (userCryptCallBack->hmac != NULL) {
|
||||
g_cryptBaseMethod.hmac = userCryptCallBack->hmac;
|
||||
}
|
||||
if (userCryptCallBack->digestSize != NULL) {
|
||||
g_cryptBaseMethod.digestSize = userCryptCallBack->digestSize;
|
||||
}
|
||||
if (userCryptCallBack->digestInit != NULL) {
|
||||
g_cryptBaseMethod.digestInit = userCryptCallBack->digestInit;
|
||||
}
|
||||
if (userCryptCallBack->digestCopy != NULL) {
|
||||
g_cryptBaseMethod.digestCopy = userCryptCallBack->digestCopy;
|
||||
}
|
||||
if (userCryptCallBack->digestFree != NULL) {
|
||||
g_cryptBaseMethod.digestFree = userCryptCallBack->digestFree;
|
||||
}
|
||||
if (userCryptCallBack->digestUpdate != NULL) {
|
||||
g_cryptBaseMethod.digestUpdate = userCryptCallBack->digestUpdate;
|
||||
}
|
||||
if (userCryptCallBack->digestFinal != NULL) {
|
||||
g_cryptBaseMethod.digestFinal = userCryptCallBack->digestFinal;
|
||||
}
|
||||
if (userCryptCallBack->digest != NULL) {
|
||||
g_cryptBaseMethod.digest = userCryptCallBack->digest;
|
||||
}
|
||||
if (userCryptCallBack->encrypt != NULL) {
|
||||
g_cryptBaseMethod.encrypt = userCryptCallBack->encrypt;
|
||||
}
|
||||
if (userCryptCallBack->decrypt != NULL) {
|
||||
g_cryptBaseMethod.decrypt = userCryptCallBack->decrypt;
|
||||
}
|
||||
if (userCryptCallBack->cipherFree != NULL) {
|
||||
g_cryptBaseMethod.cipherFree = userCryptCallBack->cipherFree;
|
||||
}
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
@@ -254,7 +254,6 @@ uint8_t *HS_PrepareSignDataTlcp(const TLS_Ctx *ctx, const uint8_t *partSignData,
|
||||
uint8_t *HS_PrepareSignData(const TLS_Ctx *ctx, const uint8_t *partSignData,
|
||||
uint32_t partSignDataLen, uint32_t *signDataLen)
|
||||
{
|
||||
int32_t ret;
|
||||
/* Signature data: client random number + server random number + key exchange packet data/encryption certificate */
|
||||
uint32_t randomLen = HS_RANDOM_SIZE * 2u;
|
||||
uint32_t dataLen = randomLen + partSignDataLen;
|
||||
@@ -269,13 +268,7 @@ uint8_t *HS_PrepareSignData(const TLS_Ctx *ctx, const uint8_t *partSignData,
|
||||
(void)memcpy_s(data, dataLen, ctx->hsCtx->clientRandom, HS_RANDOM_SIZE);
|
||||
(void)memcpy_s(&data[HS_RANDOM_SIZE], dataLen - HS_RANDOM_SIZE, ctx->hsCtx->serverRandom, HS_RANDOM_SIZE);
|
||||
/* Copy key exchange packet data */
|
||||
ret = memcpy_s(&data[randomLen], dataLen - randomLen, partSignData, partSignDataLen);
|
||||
if (ret != EOK) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16814, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "memcpy fail", 0, 0, 0, 0);
|
||||
BSL_SAL_Free(data);
|
||||
BSL_ERR_PUSH_ERROR(HITLS_INTERNAL_EXCEPTION);
|
||||
return NULL;
|
||||
}
|
||||
(void)memcpy_s(&data[randomLen], dataLen - randomLen, partSignData, partSignDataLen);
|
||||
|
||||
*signDataLen = dataLen;
|
||||
return data;
|
||||
@@ -603,20 +596,16 @@ uint32_t HS_MaxMessageSize(TLS_Ctx *ctx, HS_MsgType type)
|
||||
#endif
|
||||
case SERVER_HELLO:
|
||||
return HITLS_SERVER_HELLO_MAX_SIZE;
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
case ENCRYPTED_EXTENSIONS:
|
||||
return HITLS_ENCRYPTED_EXTENSIONS_MAX_SIZE;
|
||||
case CERTIFICATE:
|
||||
if (ctx->config.tlsConfig.maxCertList == 0) {
|
||||
return HITLS_MAX_CERT_LIST_DEFAULT;
|
||||
}
|
||||
return ctx->config.tlsConfig.maxCertList;
|
||||
#endif
|
||||
case SERVER_KEY_EXCHANGE:
|
||||
return HITLS_SERVER_KEY_EXCH_MAX_SIZE;
|
||||
case CERTIFICATE:
|
||||
case CERTIFICATE_REQUEST:
|
||||
if (ctx->config.tlsConfig.maxCertList == 0) {
|
||||
return HITLS_MAX_CERT_LIST_DEFAULT;
|
||||
}
|
||||
return ctx->config.tlsConfig.maxCertList;
|
||||
return ctx->config.tlsConfig.maxCertList == 0 ? HITLS_MAX_CERT_LIST_DEFAULT
|
||||
: ctx->config.tlsConfig.maxCertList;
|
||||
case SERVER_HELLO_DONE:
|
||||
return HITLS_SERVER_HELLO_DONE_MAX_SIZE;
|
||||
case CLIENT_KEY_EXCHANGE:
|
||||
@@ -624,20 +613,27 @@ uint32_t HS_MaxMessageSize(TLS_Ctx *ctx, HS_MsgType type)
|
||||
case CERTIFICATE_VERIFY:
|
||||
return REC_MAX_PLAIN_LENGTH;
|
||||
case NEW_SESSION_TICKET:
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
if (GET_VERSION_FROM_CTX(ctx) == HITLS_VERSION_TLS13) {
|
||||
return HITLS_SESSION_TICKET_MAX_SIZE_TLS13;
|
||||
}
|
||||
#endif
|
||||
return HITLS_SESSION_TICKET_MAX_SIZE_TLS12;
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
case END_OF_EARLY_DATA:
|
||||
return HITLS_END_OF_EARLY_DATA_MAX_SIZE;
|
||||
#endif
|
||||
case FINISHED:
|
||||
return HITLS_FINISHED_MAX_SIZE;
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
case KEY_UPDATE:
|
||||
return HITLS_KEY_UPDATE_MAX_SIZE;
|
||||
#endif
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
uint32_t HS_GetBinderLen(HITLS_Session *session, HITLS_HashAlgo *hashAlg)
|
||||
{
|
||||
|
||||
@@ -434,22 +434,25 @@ int32_t DeriveMasterSecret(TLS_Ctx *ctx, const uint8_t *preMasterSecret, uint32_
|
||||
{
|
||||
int32_t ret = HITLS_SUCCESS;
|
||||
const uint8_t masterSecretLabel[] = "master secret";
|
||||
const uint8_t exMasterSecretLabel[] = "extended master secret";
|
||||
uint8_t seed[HS_RANDOM_SIZE * 2] = {0}; // seed size is twice the random size
|
||||
uint32_t seedLen = sizeof(seed);
|
||||
bool isExtendedMasterSecret = ctx->negotiatedInfo.isExtendedMasterSecret;
|
||||
|
||||
CRYPT_KeyDeriveParameters deriveInfo;
|
||||
deriveInfo.hashAlgo = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg;
|
||||
deriveInfo.secret = preMasterSecret;
|
||||
deriveInfo.secretLen = len;
|
||||
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
const uint8_t exMasterSecretLabel[] = "extended master secret";
|
||||
bool isExtendedMasterSecret = ctx->negotiatedInfo.isExtendedMasterSecret;
|
||||
if (isExtendedMasterSecret) {
|
||||
deriveInfo.label = exMasterSecretLabel;
|
||||
deriveInfo.labelLen = sizeof(exMasterSecretLabel) - 1u;
|
||||
ret = VERIFY_CalcSessionHash(
|
||||
ctx->hsCtx->verifyCtx, seed, &seedLen); // Use session hash as seed for key deriviation
|
||||
} else {
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
deriveInfo.label = masterSecretLabel;
|
||||
deriveInfo.labelLen = sizeof(masterSecretLabel) - 1u;
|
||||
ret = HS_CombineRandom(ctx->hsCtx->clientRandom, ctx->hsCtx->serverRandom, HS_RANDOM_SIZE, seed, seedLen);
|
||||
@@ -470,8 +473,7 @@ int32_t DeriveMasterSecret(TLS_Ctx *ctx, const uint8_t *preMasterSecret, uint32_
|
||||
return ret;
|
||||
}
|
||||
#ifdef HITLS_TLS_MAINTAIN_KEYLOG
|
||||
if (HITLS_LogSecret(ctx, MASTER_SECRET_LABEL, ctx->hsCtx->masterKey,
|
||||
MASTER_SECRET_LEN) != HITLS_SUCCESS) {
|
||||
if (HITLS_LogSecret(ctx, MASTER_SECRET_LABEL, ctx->hsCtx->masterKey, MASTER_SECRET_LEN) != HITLS_SUCCESS) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15336, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"failed to LogSecret, MASTER_SECRET_LABEL.", 0, 0, 0, 0);
|
||||
}
|
||||
|
||||
@@ -281,6 +281,7 @@ static int32_t CheckCookieWithPreMacKey(TLS_Ctx *ctx, const ClientHelloMsg *clie
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
static int32_t CheckCookieDuringRenegotiation(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *isCookieValid)
|
||||
{
|
||||
uint8_t *cookie = ctx->negotiatedInfo.cookie;
|
||||
@@ -292,6 +293,7 @@ static int32_t CheckCookieDuringRenegotiation(TLS_Ctx *ctx, const ClientHelloMsg
|
||||
}
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif
|
||||
|
||||
int32_t HS_CheckCookie(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *isCookieValid)
|
||||
{
|
||||
@@ -309,10 +311,12 @@ int32_t HS_CheckCookie(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *is
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
/* In the renegotiation scenario, the cookie stored in the negotiatedInfo is used for verification */
|
||||
if (ctx->negotiatedInfo.isRenegotiation) {
|
||||
return CheckCookieDuringRenegotiation(ctx, clientHello, isCookieValid);
|
||||
}
|
||||
#endif
|
||||
|
||||
/* If the user's cookie validation callback is registered, use the user's callback interface */
|
||||
HITLS_AppVerifyCookieCb cookieCb = ctx->globalConfig->appVerifyCookieCb;
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
#if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12)
|
||||
static int32_t PackHsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt)
|
||||
{
|
||||
int32_t ret = HITLS_SUCCESS;
|
||||
int32_t ret = HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG;
|
||||
switch (type) {
|
||||
#ifdef HITLS_TLS_HOST_SERVER
|
||||
case SERVER_HELLO:
|
||||
@@ -47,9 +47,11 @@ static int32_t PackHsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt)
|
||||
case SERVER_KEY_EXCHANGE:
|
||||
ret = PackServerKeyExchange(ctx, pkt);
|
||||
break;
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
case CERTIFICATE_REQUEST:
|
||||
ret = PackCertificateRequest(ctx, pkt);
|
||||
break;
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
case HELLO_REQUEST:
|
||||
case SERVER_HELLO_DONE:
|
||||
return HITLS_SUCCESS;
|
||||
@@ -77,7 +79,6 @@ static int32_t PackHsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt)
|
||||
ret = PackFinished(ctx, pkt);
|
||||
break;
|
||||
default:
|
||||
ret = HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG;
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -105,9 +106,11 @@ static int32_t PackTls13HsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt
|
||||
case ENCRYPTED_EXTENSIONS:
|
||||
ret = PackEncryptedExtensions(ctx, pkt);
|
||||
break;
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
case CERTIFICATE_REQUEST:
|
||||
ret = Tls13PackCertificateRequest(ctx, pkt);
|
||||
break;
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
case NEW_SESSION_TICKET:
|
||||
ret = Tls13PackNewSessionTicket(ctx, pkt);
|
||||
break;
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
* See the Mulan PSL v2 for more details.
|
||||
*/
|
||||
#include "hitls_build.h"
|
||||
#ifdef HITLS_TLS_HOST_SERVER
|
||||
#if defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)
|
||||
#include <stdint.h>
|
||||
#include <stdbool.h>
|
||||
#include "securec.h"
|
||||
@@ -118,6 +118,7 @@ static int32_t PackSignAlgorithms(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
#endif /* HITLS_TLS_PROTO_TLS12 || HITLS_TLS_PROTO_DTLS12 */
|
||||
|
||||
#if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12)
|
||||
#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES
|
||||
static int32_t PackCALists(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
{
|
||||
const TLS_Config *config = &(ctx->config.tlsConfig);
|
||||
@@ -126,7 +127,6 @@ static int32_t PackCALists(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
return PackAppendUint16ToBuf(pkt, 0);
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES
|
||||
uint32_t caListLenPosition = 0u;
|
||||
int32_t ret = PackStartLengthField(pkt, sizeof(uint16_t), &caListLenPosition);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
@@ -141,9 +141,9 @@ static int32_t PackCALists(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
}
|
||||
|
||||
PackCloseUint16Field(pkt, caListLenPosition);
|
||||
#endif /* HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES */
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES */
|
||||
|
||||
int32_t PackCertificateRequest(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
{
|
||||
@@ -161,12 +161,15 @@ int32_t PackCertificateRequest(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES
|
||||
ret = PackCALists(ctx, pkt);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
return HITLS_SUCCESS;
|
||||
#else
|
||||
return PackAppendUint16ToBuf(pkt, 0);
|
||||
#endif /* HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES */
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS_BASIC || HITLS_TLS_PROTO_DTLS12 */
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
@@ -263,7 +266,7 @@ static int32_t PackCertReqExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
int32_t Tls13PackCertReqExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
static int32_t Tls13PackCertReqExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
{
|
||||
/* Start packing extensions length */
|
||||
uint32_t extensionsLenPosition = 0u;
|
||||
@@ -301,4 +304,4 @@ int32_t Tls13PackCertificateRequest(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS13 */
|
||||
#endif /* HITLS_TLS_HOST_SERVER */
|
||||
#endif /* HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
@@ -889,7 +889,9 @@ static int32_t PackClientExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
{ EXTENSION_MSG(HS_EX_TYPE_POST_HS_AUTH, isNeedPha, NULL) },
|
||||
#endif /* HITLS_TLS_FEATURE_PHA */
|
||||
#endif /* HITLS_TLS_PROTO_TLS13 */
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
{ EXTENSION_MSG(HS_EX_TYPE_EXTENDED_MASTER_SECRET, true, NULL) },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_ALPN
|
||||
{ EXTENSION_MSG(HS_EX_TYPE_APP_LAYER_PROTOCOLS, (tlsConfig->alpnList != NULL &&
|
||||
ctx->state == CM_STATE_HANDSHAKING), PackClientAlpnList) },
|
||||
@@ -931,7 +933,9 @@ static int32_t PackClientExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
#ifdef HITLS_TLS_FEATURE_PHA
|
||||
ctx->hsCtx->extFlag.havePostHsAuth = isNeedPha;
|
||||
#endif /* HITLS_TLS_FEATURE_PHA */
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
ctx->hsCtx->extFlag.haveExtendedMasterSecret = true;
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_ETM
|
||||
ctx->hsCtx->extFlag.haveEncryptThenMac = ctx->config.tlsConfig.isEncryptThenMac;
|
||||
#endif /* HITLS_TLS_FEATURE_ETM */
|
||||
@@ -1147,6 +1151,7 @@ static int32_t PackServerPreSharedKey(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
#if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12)
|
||||
static int32_t PackServerSecRenegoInfo(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
{
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
bool isRenegotiation = ctx->negotiatedInfo.isRenegotiation;
|
||||
const uint8_t *clientData = ctx->negotiatedInfo.clientVerifyData;
|
||||
uint32_t clientDataSize = ctx->negotiatedInfo.clientVerifyDataSize;
|
||||
@@ -1174,7 +1179,14 @@ static int32_t PackServerSecRenegoInfo(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
(void)PackAppendDataToBuf(pkt, clientData, clientDataSize);
|
||||
|
||||
(void)PackAppendDataToBuf(pkt, serverData, serverDataSize);
|
||||
|
||||
#else
|
||||
(void)ctx;
|
||||
int32_t ret = PackExtensionHeader(HS_EX_TYPE_RENEGOTIATION_INFO, sizeof(uint8_t), pkt);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
(void)PackAppendUint8ToBuf(pkt, 0);
|
||||
#endif
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif /* defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12) */
|
||||
@@ -1207,7 +1219,6 @@ static bool IsNeedServerPackEncryptThenMac(const TLS_Ctx *ctx)
|
||||
// Pack the empty extension of Server Hello
|
||||
static int32_t PackServerExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
{
|
||||
int32_t ret = HITLS_SUCCESS;
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
uint32_t version = GET_VERSION_FROM_CTX(ctx);
|
||||
bool isHrrKeyshare = IsHrrKeyShare(ctx);
|
||||
@@ -1233,7 +1244,9 @@ static int32_t PackServerExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
{ EXTENSION_MSG(HS_EX_TYPE_SUPPORTED_VERSIONS, isTls13, PackServerSupportedVersion) },
|
||||
#endif /* HITLS_TLS_PROTO_TLS13 */
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
{ EXTENSION_MSG(HS_EX_TYPE_EXTENDED_MASTER_SECRET, negoInfo->isExtendedMasterSecret, NULL) },
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_ALPN
|
||||
{ .exMsgType = HS_EX_TYPE_APP_LAYER_PROTOCOLS,
|
||||
.needPack = (negoInfo->alpnSelected != NULL
|
||||
@@ -1274,19 +1287,14 @@ static int32_t PackServerExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
|
||||
}
|
||||
|
||||
if (IsPackNeedCustomExtensions(CUSTOM_EXT_FROM_CTX(ctx), context)) {
|
||||
ret = PackCustomExtensions(ctx, pkt, context, NULL, 0);
|
||||
int32_t ret = PackCustomExtensions(ctx, pkt, context, NULL, 0);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_CUSTOM_EXTENSION */
|
||||
|
||||
ret = PackExtensions(ctx, pkt, extMsgList, sizeof(extMsgList) / sizeof(extMsgList[0]));
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
return HITLS_SUCCESS;
|
||||
return PackExtensions(ctx, pkt, extMsgList, sizeof(extMsgList) / sizeof(extMsgList[0]));
|
||||
}
|
||||
|
||||
// Pack the Server Hello extension
|
||||
|
||||
@@ -86,13 +86,16 @@ static int32_t CheckServerKeyExchangeType(TLS_Ctx *ctx, const HS_MsgType msgType
|
||||
|
||||
static int32_t CheckCertificateRequestType(TLS_Ctx *ctx, const HS_MsgType msgType)
|
||||
{
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
uint32_t version = GET_VERSION_FROM_CTX(ctx);
|
||||
if (version == HITLS_VERSION_TLS13) {
|
||||
if (msgType == CERTIFICATE) {
|
||||
(void)HS_ChangeState(ctx, TRY_RECV_CERTIFICATE);
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
} else {
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
if (msgType == SERVER_HELLO_DONE) {
|
||||
(void)HS_ChangeState(ctx, TRY_RECV_SERVER_HELLO_DONE);
|
||||
return HITLS_SUCCESS;
|
||||
@@ -110,7 +113,9 @@ static const HsMsgTypeCheck g_checkHsMsgTypeList[] = {
|
||||
#ifdef HITLS_TLS_PROTO_DTLS12
|
||||
[TRY_RECV_HELLO_VERIFY_REQUEST] = {.msgType = HELLO_VERIFY_REQUEST, .checkCb = CheckHelloVerifyRequestType},
|
||||
#endif
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
[TRY_RECV_ENCRYPTED_EXTENSIONS] = {.msgType = ENCRYPTED_EXTENSIONS, .checkCb = NULL},
|
||||
#endif
|
||||
[TRY_RECV_CERTIFICATE] = {.msgType = CERTIFICATE, .checkCb = NULL},
|
||||
[TRY_RECV_SERVER_KEY_EXCHANGE] = {.msgType = SERVER_KEY_EXCHANGE, .checkCb = CheckServerKeyExchangeType},
|
||||
[TRY_RECV_CERTIFICATE_REQUEST] = {.msgType = CERTIFICATE_REQUEST, .checkCb = CheckCertificateRequestType},
|
||||
@@ -119,7 +124,9 @@ static const HsMsgTypeCheck g_checkHsMsgTypeList[] = {
|
||||
[TRY_RECV_CERTIFICATE_VERIFY] = {.msgType = CERTIFICATE_VERIFY, .checkCb = NULL},
|
||||
[TRY_RECV_NEW_SESSION_TICKET] = {.msgType = NEW_SESSION_TICKET, .checkCb = NULL},
|
||||
[TRY_RECV_FINISH] = {.msgType = FINISHED, .checkCb = NULL},
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
[TRY_RECV_KEY_UPDATE] = {.msgType = KEY_UPDATE, .checkCb = NULL},
|
||||
#endif
|
||||
[TRY_RECV_HELLO_REQUEST] = {.msgType = HELLO_REQUEST, .checkCb = NULL},
|
||||
};
|
||||
|
||||
@@ -281,8 +288,10 @@ static int32_t ParseHandShakeMsg(TLS_Ctx *ctx, const uint8_t *data, uint32_t len
|
||||
return ParseCertificate(ctx, data, len, hsMsg);
|
||||
case CLIENT_KEY_EXCHANGE:
|
||||
return ParseClientKeyExchange(ctx, data, len, hsMsg);
|
||||
#if defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)
|
||||
case CERTIFICATE_VERIFY:
|
||||
return ParseCertificateVerify(ctx, data, len, hsMsg);
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_SESSION_TICKET
|
||||
case NEW_SESSION_TICKET:
|
||||
return ParseNewSessionTicket(ctx, data, len, hsMsg);
|
||||
@@ -477,8 +486,11 @@ void HS_CleanMsg(HS_Msg *hsMsg)
|
||||
#endif /* HITLS_TLS_HOST_CLIENT */
|
||||
case CERTIFICATE:
|
||||
return CleanCertificate(&hsMsg->body.certificate);
|
||||
#if (defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) || \
|
||||
defined(HITLS_TLS_PROTO_TLS13)
|
||||
case CERTIFICATE_VERIFY:
|
||||
return CleanCertificateVerify(&hsMsg->body.certificateVerify);
|
||||
#endif
|
||||
case FINISHED:
|
||||
return CleanFinished(&hsMsg->body.finished);
|
||||
case KEY_UPDATE:
|
||||
|
||||
@@ -13,7 +13,8 @@
|
||||
* See the Mulan PSL v2 for more details.
|
||||
*/
|
||||
#include "hitls_build.h"
|
||||
#if defined(HITLS_TLS_HOST_SERVER) || defined(HITLS_TLS_PROTO_TLS13)
|
||||
#if (defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) || \
|
||||
defined(HITLS_TLS_PROTO_TLS13)
|
||||
#include "tls_binlog_id.h"
|
||||
#include "bsl_log.h"
|
||||
#include "bsl_log_internal.h"
|
||||
@@ -230,4 +231,4 @@ void CleanCertificateVerify(CertificateVerifyMsg *msg)
|
||||
|
||||
BSL_SAL_FREE(msg->sign);
|
||||
}
|
||||
#endif /* HITLS_TLS_HOST_CLIENT || HITLS_TLS_PROTO_TLS13 */
|
||||
#endif /* (HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY) || HITLS_TLS_PROTO_TLS13 */
|
||||
@@ -143,6 +143,7 @@ static int32_t ParseServerSupportedVersions(ParsePacket *pkt, ServerHelloMsg *ms
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS13 */
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
// Parses the extended master secret sent by the serve
|
||||
static int32_t ParseServerExtMasterSecret(ParsePacket *pkt, ServerHelloMsg *msg)
|
||||
{
|
||||
@@ -150,6 +151,7 @@ static int32_t ParseServerExtMasterSecret(ParsePacket *pkt, ServerHelloMsg *msg)
|
||||
return ParseEmptyExtension(pkt->ctx, HS_EX_TYPE_EXTENDED_MASTER_SECRET, pkt->bufLen,
|
||||
&msg->haveExtendedMasterSecret);
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_ALPN
|
||||
int32_t ParseServerSelectedAlpnProtocol(
|
||||
ParsePacket *pkt, bool *haveSelectedAlpn, uint8_t **alpnSelected, uint16_t *alpnSelectedSize)
|
||||
@@ -313,8 +315,10 @@ static int32_t ParseServerExBody(TLS_Ctx *ctx, uint16_t extMsgType, const uint8_
|
||||
case HS_EX_TYPE_SERVER_NAME:
|
||||
return ParseServerServerName(&pkt, msg);
|
||||
#endif /* HITLS_TLS_FEATURE_SNI */
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
case HS_EX_TYPE_EXTENDED_MASTER_SECRET:
|
||||
return ParseServerExtMasterSecret(&pkt, msg);
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_ALPN
|
||||
case HS_EX_TYPE_APP_LAYER_PROTOCOLS:
|
||||
return ParseServerSelectedAlpnProtocol(
|
||||
|
||||
@@ -171,11 +171,13 @@ static int32_t ParseClientPointFormats(ParsePacket *pkt, ClientHelloMsg *msg)
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
static int32_t ParseClientExtMasterSecret(ParsePacket *pkt, ClientHelloMsg *msg)
|
||||
{
|
||||
return ParseEmptyExtension(pkt->ctx, HS_EX_TYPE_EXTENDED_MASTER_SECRET, pkt->bufLen,
|
||||
&msg->extension.flag.haveExtendedMasterSecret);
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_SNI
|
||||
static void SetRevMsgExtServernameInfo(ClientHelloMsg *msg, uint8_t serverNameType, uint8_t *serverName,
|
||||
uint16_t serverNameLen)
|
||||
@@ -844,8 +846,9 @@ static int32_t ParseClientExBody(TLS_Ctx *ctx, uint16_t extMsgType, const uint8_
|
||||
#ifdef HITLS_TLS_FEATURE_SNI
|
||||
{ .exMsgType = HS_EX_TYPE_SERVER_NAME, .parseFunc = ParseClientServerName},
|
||||
#endif /* HITLS_TLS_FEATURE_SNI */
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
{ .exMsgType = HS_EX_TYPE_EXTENDED_MASTER_SECRET, .parseFunc = ParseClientExtMasterSecret},
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_ALPN
|
||||
{ .exMsgType = HS_EX_TYPE_APP_LAYER_PROTOCOLS, .parseFunc = ParseClientAlpnProposeList},
|
||||
#endif
|
||||
|
||||
@@ -346,7 +346,9 @@ int32_t ParseDhePara(ParsePacket *pkt, uint16_t *paraLen, uint8_t **para)
|
||||
static int32_t ParseServerDhe(ParsePacket *pkt, ServerKeyExchangeMsg *msg)
|
||||
{
|
||||
ServerDh *dh = &msg->keyEx.dh;
|
||||
#ifdef HITLS_BSL_LOG
|
||||
const char *logStr = BINGLOG_STR("parse dhe param or PubKey fail. ret %d");
|
||||
#endif
|
||||
TLS_Ctx *ctx = pkt->ctx;
|
||||
int32_t ret = ParseDhePara(pkt, &dh->plen, &dh->p);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
|
||||
@@ -99,10 +99,9 @@ static bool IsUnexpectedHandshaking(const TLS_Ctx *ctx)
|
||||
{
|
||||
return (ctx->state == CM_STATE_HANDSHAKING && ctx->preState == CM_STATE_TRANSPORTING);
|
||||
}
|
||||
|
||||
static int32_t ProcessHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg)
|
||||
{
|
||||
uint32_t version = GET_VERSION_FROM_CTX(ctx);
|
||||
(void)version;
|
||||
switch (ctx->hsCtx->state) {
|
||||
#ifdef HITLS_TLS_HOST_SERVER
|
||||
case TRY_RECV_CLIENT_HELLO:
|
||||
@@ -118,8 +117,10 @@ static int32_t ProcessHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg)
|
||||
#endif /* HITLS_TLS_PROTO_TLS_BASIC only for tls13 */
|
||||
case TRY_RECV_CLIENT_KEY_EXCHANGE:
|
||||
return ServerRecvClientKxProcess(ctx, hsMsg);
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
case TRY_RECV_CERTIFICATE_VERIFY:
|
||||
return ServerRecvClientCertVerifyProcess(ctx);
|
||||
#endif
|
||||
#endif /* HITLS_TLS_HOST_SERVER */
|
||||
#ifdef HITLS_TLS_HOST_CLIENT
|
||||
case TRY_RECV_CERTIFICATE_REQUEST:
|
||||
@@ -175,14 +176,17 @@ static int32_t ProcessHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg)
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
|
||||
return HITLS_MSG_HANDLE_STATE_ILLEGAL;
|
||||
}
|
||||
|
||||
static int32_t ProcessReceivedHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg)
|
||||
{
|
||||
if (hsMsg->type == HELLO_REQUEST) {
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
if (ctx->hsCtx->state == TRY_RECV_HELLO_REQUEST) {
|
||||
ctx->negotiatedInfo.isRenegotiation = true; /* Start renegotiation */
|
||||
ctx->negotiatedInfo.renegotiationNum++;
|
||||
return HS_ChangeState(ctx, TRY_SEND_CLIENT_HELLO);
|
||||
}
|
||||
#endif
|
||||
/* The HelloRequest message should be ignored during the handshake. */
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -13,7 +13,8 @@
|
||||
* See the Mulan PSL v2 for more details.
|
||||
*/
|
||||
#include "hitls_build.h"
|
||||
#if defined(HITLS_TLS_HOST_SERVER) || defined(HITLS_TLS_PROTO_TLS13)
|
||||
#if (defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) || \
|
||||
defined(HITLS_TLS_PROTO_TLS13)
|
||||
#include <stdint.h>
|
||||
#include "securec.h"
|
||||
#include "tls_binlog_id.h"
|
||||
@@ -81,4 +82,4 @@ int32_t Tls13RecvCertVerifyProcess(TLS_Ctx *ctx)
|
||||
return HS_ChangeState(ctx, TRY_RECV_FINISH);
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS13 */
|
||||
#endif /* HITLS_TLS_HOST_SERVER || HITLS_TLS_PROTO_TLS13 */
|
||||
#endif /* (HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY) || HITLS_TLS_PROTO_TLS13 */
|
||||
@@ -328,6 +328,7 @@ int32_t RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
* the client MUST send a certificate message containing no certificates.
|
||||
*/
|
||||
if (certs->certCount == 0) {
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
/** Only the server allows the peer certificate to be empty */
|
||||
if ((ctx->isClient == false) &&
|
||||
(ctx->config.tlsConfig.isSupportClientVerify && ctx->config.tlsConfig.isSupportNoClientCert)) {
|
||||
@@ -335,7 +336,7 @@ int32_t RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
"server recv empty cert", 0, 0, 0, 0);
|
||||
return HS_ChangeState(ctx, TRY_RECV_CLIENT_KEY_EXCHANGE);
|
||||
}
|
||||
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE);
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15724, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"peer certificate is needed!", 0, 0, 0, 0);
|
||||
@@ -357,7 +358,11 @@ int32_t RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
* fails to be verified */
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
if (!ctx->config.tlsConfig.isSupportVerifyNone) {
|
||||
#ifdef HITLS_TLS_PROTO_DFX_INFO
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, GetAlertfromX509Err(ctx->peerInfo.verifyResult));
|
||||
#else
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_CERTIFICATE);
|
||||
#endif
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
@@ -402,6 +407,29 @@ static int32_t CertificateReqCtxCheck(TLS_Ctx *ctx, const CertificateMsg *certs)
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
static int32_t ProcessEmptyCert(TLS_Ctx *ctx)
|
||||
{
|
||||
if (ctx->isClient) {
|
||||
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE);
|
||||
return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID16126,
|
||||
"peer certificate is needed!", ALERT_DECODE_ERROR);
|
||||
}
|
||||
/** Only the server allows the peer certificate to be empty */
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
if ((ctx->config.tlsConfig.isSupportClientVerify && ctx->config.tlsConfig.isSupportNoClientCert)) {
|
||||
int32_t ret = VERIFY_Tls13CalcVerifyData(ctx, true);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return RETURN_ALERT_PROCESS(ctx, ret, BINLOG_ID15729,
|
||||
"server calculate client finished data error", ALERT_INTERNAL_ERROR);
|
||||
}
|
||||
return HS_ChangeState(ctx, TRY_RECV_FINISH);
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE);
|
||||
return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID15727,
|
||||
"peer certificate is needed!", ALERT_CERTIFICATE_REQUIRED);
|
||||
}
|
||||
|
||||
int32_t Tls13RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
{
|
||||
const CertificateMsg *certs = &msg->body.certificate;
|
||||
@@ -425,24 +453,7 @@ int32_t Tls13RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
* the client MUST send a certificate message containing no certificates.
|
||||
*/
|
||||
if (certs->certCount == 0) {
|
||||
if (ctx->isClient) {
|
||||
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE);
|
||||
return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID16126,
|
||||
"peer certificate is needed!", ALERT_DECODE_ERROR);
|
||||
}
|
||||
/** Only the server allows the peer certificate to be empty */
|
||||
if ((ctx->config.tlsConfig.isSupportClientVerify && ctx->config.tlsConfig.isSupportNoClientCert)) {
|
||||
ret = VERIFY_Tls13CalcVerifyData(ctx, true);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return RETURN_ALERT_PROCESS(ctx, ret, BINLOG_ID15729,
|
||||
"server calculate client finished data error", ALERT_INTERNAL_ERROR);
|
||||
}
|
||||
return HS_ChangeState(ctx, TRY_RECV_FINISH);
|
||||
}
|
||||
|
||||
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE);
|
||||
return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID15727,
|
||||
"peer certificate is needed!", ALERT_CERTIFICATE_REQUIRED);
|
||||
return ProcessEmptyCert(ctx);
|
||||
}
|
||||
|
||||
/** Process the obtained peer certificate */
|
||||
@@ -459,7 +470,11 @@ int32_t Tls13RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
if (!ctx->config.tlsConfig.isSupportVerifyNone) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17045, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"VerifyCertChain fail, ret = 0x%x.", (uint32_t)ret, 0, 0, 0);
|
||||
#ifdef HITLS_TLS_PROTO_DFX_INFO
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, GetAlertfromX509Err(ctx->peerInfo.verifyResult));
|
||||
#else
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_CERTIFICATE);
|
||||
#endif
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -117,17 +117,21 @@ static uint16_t ServerSelectCurveId(const TLS_Ctx *ctx, const ClientHelloMsg *cl
|
||||
uint32_t normalGroupsSize = 0;
|
||||
uint16_t *perferenceGroups = NULL;
|
||||
uint16_t *normalGroups = NULL;
|
||||
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
if (ctx->config.tlsConfig.isSupportServerPreference) {
|
||||
perferenceGroupsSize = ctx->config.tlsConfig.groupsSize;
|
||||
normalGroupsSize = clientHello->extension.content.supportedGroupsSize;
|
||||
perferenceGroups = ctx->config.tlsConfig.groups;
|
||||
normalGroups = clientHello->extension.content.supportedGroups;
|
||||
} else {
|
||||
#endif
|
||||
perferenceGroupsSize = clientHello->extension.content.supportedGroupsSize;
|
||||
normalGroupsSize = ctx->config.tlsConfig.groupsSize;
|
||||
perferenceGroups = clientHello->extension.content.supportedGroups;
|
||||
normalGroups = ctx->config.tlsConfig.groups;
|
||||
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Find supported curves */
|
||||
for (uint32_t i = 0u; i < perferenceGroupsSize; i++) {
|
||||
@@ -463,23 +467,24 @@ int32_t ServerSelectCipherSuite(TLS_Ctx *ctx, const ClientHelloMsg *clientHello)
|
||||
/* Obtain server information */
|
||||
uint16_t *cfgCipherSuites = ctx->config.tlsConfig.cipherSuites;
|
||||
uint32_t cfgCipherSuitesSize = ctx->config.tlsConfig.cipherSuitesSize;
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
|
||||
cfgCipherSuites = ctx->config.tlsConfig.tls13CipherSuites;
|
||||
cfgCipherSuitesSize = ctx->config.tlsConfig.tls13cipherSuitesSize;
|
||||
}
|
||||
|
||||
#endif
|
||||
const uint16_t *preferenceCipherSuites = clientHello->cipherSuites;
|
||||
uint16_t preferenceCipherSuitesSize = clientHello->cipherSuitesSize;
|
||||
const uint16_t *normalCipherSuites = cfgCipherSuites;
|
||||
uint16_t normalCipherSuitesSize = (uint16_t)cfgCipherSuitesSize;
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
|
||||
if (ctx->config.tlsConfig.isSupportServerPreference) {
|
||||
preferenceCipherSuites = cfgCipherSuites;
|
||||
preferenceCipherSuitesSize = (uint16_t)cfgCipherSuitesSize;
|
||||
normalCipherSuites = clientHello->cipherSuites;
|
||||
normalCipherSuitesSize = clientHello->cipherSuitesSize;
|
||||
}
|
||||
|
||||
#endif
|
||||
bool preferSha256 = false;
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
@@ -1034,10 +1039,12 @@ static int32_t ServerCheckResume(TLS_Ctx *ctx, const ClientHelloMsg *clientHello
|
||||
{
|
||||
ctx->negotiatedInfo.isResume = false;
|
||||
ctx->negotiatedInfo.isTicket = false;
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
/* If session resumption is not allowed in the renegotiation state, return */
|
||||
if (ctx->negotiatedInfo.isRenegotiation && !ctx->config.tlsConfig.isResumptionOnRenego) {
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif
|
||||
/* Create a null session handle */
|
||||
HITLS_Session *sess = NULL;
|
||||
uint32_t ticketBufSize = clientHello->extension.content.ticketSize;
|
||||
@@ -1146,6 +1153,7 @@ static int32_t ServerCheckAndProcessRenegoInfo(TLS_Ctx *ctx, const ClientHelloMs
|
||||
static int32_t ServerCheckEncryptThenMac(TLS_Ctx *ctx, const ClientHelloMsg *clientHello)
|
||||
{
|
||||
bool haveEncryptThenMac = clientHello->extension.flag.haveEncryptThenMac;
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
/* Renegotiation cannot be downgraded from EncryptThenMac to MacThenEncrypt */
|
||||
if (ctx->negotiatedInfo.isRenegotiation && ctx->negotiatedInfo.isEncryptThenMac && !haveEncryptThenMac) {
|
||||
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR);
|
||||
@@ -1154,7 +1162,7 @@ static int32_t ServerCheckEncryptThenMac(TLS_Ctx *ctx, const ClientHelloMsg *cli
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
|
||||
return HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR;
|
||||
}
|
||||
|
||||
#endif
|
||||
/* If EncryptThenMac is not configured, a success message is returned. */
|
||||
if (!ctx->config.tlsConfig.isEncryptThenMac) {
|
||||
return HITLS_SUCCESS;
|
||||
@@ -1197,6 +1205,7 @@ static int32_t ServerSelectCipherSuiteInfo(TLS_Ctx *ctx, const ClientHelloMsg *c
|
||||
|
||||
static int32_t ServerProcessClientHelloExt(TLS_Ctx *ctx, const ClientHelloMsg *clientHello)
|
||||
{
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
int32_t ret = HITLS_SUCCESS;
|
||||
(void)ret;
|
||||
(void)clientHello;
|
||||
@@ -1210,7 +1219,7 @@ static int32_t ServerProcessClientHelloExt(TLS_Ctx *ctx, const ClientHelloMsg *c
|
||||
return HITLS_MSG_HANDLE_INVALID_EXTENDED_MASTER_SECRET;
|
||||
}
|
||||
ctx->negotiatedInfo.isExtendedMasterSecret = clientHello->extension.flag.haveExtendedMasterSecret;
|
||||
|
||||
#endif
|
||||
return ProcessClientHelloExt(ctx, clientHello, false);
|
||||
}
|
||||
|
||||
@@ -1402,10 +1411,12 @@ int32_t Tls12ServerRecvClientHelloProcess(TLS_Ctx *ctx, const HS_Msg *msg, bool
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
if (ctx->state == CM_STATE_RENEGOTIATION && !ctx->userRenego) {
|
||||
ctx->negotiatedInfo.isRenegotiation = true; /* Start renegotiation */
|
||||
ctx->negotiatedInfo.renegotiationNum++;
|
||||
}
|
||||
#endif
|
||||
return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO);
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS_BASIC */
|
||||
@@ -1449,6 +1460,7 @@ static int32_t DtlsServerCheckAndProcessCookie(TLS_Ctx *ctx, const ClientHelloMs
|
||||
}
|
||||
/* If the cookie fails to be verified, send a hello verify request */
|
||||
if (!*isCookieValid) {
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
/* During DTLS renegotiation, if the cookie verification fails, an alert message is sent.
|
||||
If the cookie is empty, the hello verify request is sent */
|
||||
if ((clientHello->cookieLen != 0u) && (ctx->negotiatedInfo.isRenegotiation)) {
|
||||
@@ -1458,6 +1470,7 @@ static int32_t DtlsServerCheckAndProcessCookie(TLS_Ctx *ctx, const ClientHelloMs
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
|
||||
return HITLS_MSG_VERIFY_COOKIE_ERR;
|
||||
}
|
||||
#endif
|
||||
ret = PrepareDtlsCookie(ctx, clientHello);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
@@ -1515,10 +1528,12 @@ int32_t DtlsServerRecvClientHelloProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
if (ctx->state == CM_STATE_RENEGOTIATION && !ctx->userRenego) {
|
||||
ctx->negotiatedInfo.isRenegotiation = true; /* Start renegotiation */
|
||||
ctx->negotiatedInfo.renegotiationNum++;
|
||||
}
|
||||
#endif
|
||||
return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO);
|
||||
}
|
||||
#endif
|
||||
@@ -2344,13 +2359,13 @@ static int32_t Tls13ServerProcessClientHello(TLS_Ctx *ctx, HS_Msg *msg)
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_PHA
|
||||
#if defined(HITLS_TLS_FEATURE_PHA) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)
|
||||
TLS_Config *tlsConfig = &ctx->config.tlsConfig;
|
||||
if (ctx->phaState == PHA_NONE && tlsConfig->isSupportClientVerify &&
|
||||
msg->body.clientHello.extension.flag.havePostHsAuth) {
|
||||
ctx->phaState = PHA_EXTENSION;
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_PHA */
|
||||
#endif /* HITLS_TLS_FEATURE_PHA && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO);
|
||||
}
|
||||
|
||||
|
||||
@@ -215,7 +215,8 @@ int32_t HsSetSessionInfo(TLS_Ctx *ctx)
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_SESSION */
|
||||
|
||||
int32_t CheckFinishedVerifyData(const FinishedMsg *finishedMsg, const uint8_t *verifyData, uint32_t verifyDataSize)
|
||||
static int32_t CheckFinishedVerifyData(const FinishedMsg *finishedMsg, const uint8_t *verifyData,
|
||||
uint32_t verifyDataSize)
|
||||
{
|
||||
if ((finishedMsg->verifyDataSize == 0u) || (verifyDataSize == 0u)) {
|
||||
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_INCORRECT_DIGEST_LEN);
|
||||
@@ -240,20 +241,19 @@ int32_t CheckFinishedVerifyData(const FinishedMsg *finishedMsg, const uint8_t *v
|
||||
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#ifdef HITLS_TLS_HOST_CLIENT
|
||||
int32_t ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
|
||||
static int32_t RecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
{
|
||||
int32_t ret = 0;
|
||||
HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
|
||||
VerifyCtx *verifyCtx = hsCtx->verifyCtx;
|
||||
const FinishedMsg *finished = &msg->body.finished;
|
||||
uint8_t verifyData[MAX_DIGEST_SIZE] = {0};
|
||||
uint32_t verifyDataSize = MAX_DIGEST_SIZE;
|
||||
|
||||
ret = VERIFY_GetVerifyData(verifyCtx, verifyData, &verifyDataSize);
|
||||
int32_t ret = VERIFY_GetVerifyData(verifyCtx, verifyData, &verifyDataSize);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15740, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"client get server finished verify data error.", 0, 0, 0, 0);
|
||||
"Get finished verify data error.", 0, 0, 0, 0);
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
|
||||
return ret;
|
||||
}
|
||||
@@ -261,12 +261,9 @@ int32_t ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
ret = CheckFinishedVerifyData(finished, verifyData, verifyDataSize);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15741, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"client verify server finished data error.", 0, 0, 0, 0);
|
||||
if (ret == HITLS_MSG_HANDLE_INCORRECT_DIGEST_LEN) {
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECODE_ERROR);
|
||||
} else {
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECRYPT_ERROR);
|
||||
}
|
||||
"Verify finished data error.", 0, 0, 0, 0);
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL,
|
||||
(ret == HITLS_MSG_HANDLE_INCORRECT_DIGEST_LEN) ? ALERT_DECODE_ERROR : ALERT_DECRYPT_ERROR);
|
||||
return HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL;
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_SESSION
|
||||
@@ -278,14 +275,17 @@ int32_t ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
return ret;
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_SESSION */
|
||||
/* CCS messages are not allowed to be received later. */
|
||||
ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY);
|
||||
if (ctx->isClient) {
|
||||
/* CCS messages are not allowed to be received later. */
|
||||
ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY);
|
||||
}
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#ifdef HITLS_TLS_HOST_CLIENT
|
||||
#ifdef HITLS_TLS_PROTO_TLS_BASIC
|
||||
int32_t Tls12ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
{
|
||||
int32_t ret = ClientRecvFinishedProcess(ctx, msg);
|
||||
int32_t ret = RecvFinishedProcess(ctx, msg);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
@@ -313,7 +313,7 @@ int32_t DtlsClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
return HS_ChangeState(ctx, TLS_CONNECTED);
|
||||
}
|
||||
#endif /* HITLS_BSL_UIO_UDP */
|
||||
int32_t ret = ClientRecvFinishedProcess(ctx, msg);
|
||||
int32_t ret = RecvFinishedProcess(ctx, msg);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
@@ -332,7 +332,7 @@ int32_t DtlsClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
int32_t Tls13ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
{
|
||||
int32_t ret = ClientRecvFinishedProcess(ctx, msg);
|
||||
int32_t ret = RecvFinishedProcess(ctx, msg);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
@@ -363,51 +363,10 @@ int32_t Tls13ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
#endif /* HITLS_TLS_HOST_CLIENT */
|
||||
|
||||
#ifdef HITLS_TLS_HOST_SERVER
|
||||
|
||||
int32_t ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
{
|
||||
int32_t ret = 0;
|
||||
HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
|
||||
VerifyCtx *verifyCtx = hsCtx->verifyCtx;
|
||||
uint8_t verifyData[MAX_DIGEST_SIZE] = {0};
|
||||
uint32_t verifyDataSize = MAX_DIGEST_SIZE;
|
||||
const FinishedMsg *finished = &msg->body.finished;
|
||||
|
||||
ret = VERIFY_GetVerifyData(verifyCtx, verifyData, &verifyDataSize);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15742, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"server get client finished verify data error.", 0, 0, 0, 0);
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
|
||||
return ret;
|
||||
}
|
||||
|
||||
ret = CheckFinishedVerifyData(finished, verifyData, verifyDataSize);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL);
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15743, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"server verify client finished data error.", 0, 0, 0, 0);
|
||||
if (ret == HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL) {
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECRYPT_ERROR);
|
||||
} else {
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECODE_ERROR);
|
||||
}
|
||||
return HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL;
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_SESSION
|
||||
ret = HsSetSessionInfo(ctx);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15897, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"set session information failed.", 0, 0, 0, 0);
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
|
||||
return ret;
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_SESSION */
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#ifdef HITLS_TLS_PROTO_TLS_BASIC
|
||||
int32_t Tls12ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
{
|
||||
int32_t ret = ServerRecvFinishedProcess(ctx, msg);
|
||||
int32_t ret = RecvFinishedProcess(ctx, msg);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
@@ -438,7 +397,7 @@ int32_t DtlsServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
return HS_ChangeState(ctx, TLS_CONNECTED);
|
||||
}
|
||||
#endif /* HITLS_BSL_UIO_UDP */
|
||||
int32_t ret = ServerRecvFinishedProcess(ctx, msg);
|
||||
int32_t ret = RecvFinishedProcess(ctx, msg);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
@@ -467,7 +426,7 @@ int32_t Tls13ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY);
|
||||
ctx->plainAlertForbid = true;
|
||||
|
||||
int32_t ret = ServerRecvFinishedProcess(ctx, msg);
|
||||
int32_t ret = RecvFinishedProcess(ctx, msg);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
@@ -490,7 +449,7 @@ int32_t Tls13ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_PHA
|
||||
#if defined(HITLS_TLS_FEATURE_PHA) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)
|
||||
if (ctx->phaState == PHA_EXTENSION && ctx->config.tlsConfig.isSupportClientVerify) {
|
||||
SAL_CRYPT_DigestFree(ctx->phaHash);
|
||||
ctx->phaHash = SAL_CRYPT_DigestCopy(ctx->hsCtx->verifyCtx->hashCtx);
|
||||
@@ -501,7 +460,7 @@ int32_t Tls13ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
return HITLS_CRYPT_ERR_DIGEST;
|
||||
}
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_PHA */
|
||||
#endif /* HITLS_TLS_FEATURE_PHA && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_SESSION_TICKET
|
||||
/* When ticketNums is 0, no ticket is sent */
|
||||
|
||||
@@ -124,6 +124,7 @@ static int32_t ClientCheckServerName(TLS_Ctx *ctx, const ServerHelloMsg *serverH
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_SNI */
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
static int32_t ClientCheckExtendedMasterSecret(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
|
||||
{
|
||||
if ((!ctx->hsCtx->extFlag.haveExtendedMasterSecret) && serverHello->haveExtendedMasterSecret) {
|
||||
@@ -171,6 +172,7 @@ static int32_t ClientCheckExtendedMasterSecret(TLS_Ctx *ctx, const ServerHelloMs
|
||||
serverHello->haveExtendedMasterSecret);
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
static int32_t ClientCheckKeyShare(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
|
||||
{
|
||||
@@ -340,7 +342,7 @@ static int32_t ClientCheckEncryptThenMac(TLS_Ctx *ctx, const ServerHelloMsg *ser
|
||||
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
|
||||
return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
/* During renegotiation, EncryptThenMac cannot be converted to MacThenEncrypt */
|
||||
if (ctx->negotiatedInfo.isRenegotiation && ctx->negotiatedInfo.isEncryptThenMac &&
|
||||
!serverHello->haveEncryptThenMac) {
|
||||
@@ -350,7 +352,7 @@ static int32_t ClientCheckEncryptThenMac(TLS_Ctx *ctx, const ServerHelloMsg *ser
|
||||
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR);
|
||||
return HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR;
|
||||
}
|
||||
|
||||
#endif
|
||||
/* This extension does not need to be negotiated for tls1.3 */
|
||||
if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
|
||||
return HITLS_SUCCESS;
|
||||
@@ -413,7 +415,9 @@ static int32_t ClientCheckExtensionsFlag(TLS_Ctx *ctx, const ServerHelloMsg *ser
|
||||
#ifdef HITLS_TLS_FEATURE_SNI
|
||||
ClientCheckServerName,
|
||||
#endif /* HITLS_TLS_FEATURE_SNI */
|
||||
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
|
||||
ClientCheckExtendedMasterSecret,
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_ALPN
|
||||
ClientCheckNegotiatedAlpnOfServerHello,
|
||||
#endif /* HITLS_TLS_FEATURE_ALPN */
|
||||
@@ -899,25 +903,6 @@ static int32_t ClientCheckHrrKeyShareExtension(TLS_Ctx *ctx, const ServerHelloMs
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
/* If an implementation receives an extension
|
||||
* which it recognizes and which is not specified for the message in
|
||||
* which it appears, it MUST abort the handshake with an
|
||||
* "illegal_parameter" alert. */
|
||||
static int32_t ClientCheckHrrExtraExtension(TLS_Ctx *ctx, const ServerHelloMsg *helloRetryRequest)
|
||||
{
|
||||
if (helloRetryRequest->haveServerName || helloRetryRequest->haveExtendedMasterSecret ||
|
||||
helloRetryRequest->havePointFormats || helloRetryRequest->haveSelectedAlpn ||
|
||||
helloRetryRequest->haveSelectedIdentity || helloRetryRequest->haveSecRenego || helloRetryRequest->haveTicket ||
|
||||
helloRetryRequest->haveEncryptThenMac) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17092, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"these extensions are not specified in the hrr message", 0, 0, 0, 0);
|
||||
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
|
||||
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
|
||||
return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
|
||||
}
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
static int32_t ClientCheckHrrCookieExtension(TLS_Ctx *ctx, const ServerHelloMsg *helloRetryRequest)
|
||||
{
|
||||
if (helloRetryRequest->haveCookie == false) {
|
||||
@@ -946,11 +931,6 @@ static int32_t Tls13ClientCheckHrrExtension(TLS_Ctx *ctx, const ServerHelloMsg *
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Check whether there are redundant extensions */
|
||||
ret = ClientCheckHrrExtraExtension(ctx, helloRetryRequest);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Check the key share extension */
|
||||
ret = ClientCheckHrrCookieExtension(ctx, helloRetryRequest);
|
||||
|
||||
@@ -108,8 +108,10 @@ static int32_t ProcessSendHandshakeMsg(TLS_Ctx *ctx)
|
||||
return ServerSendServerHelloProcess(ctx);
|
||||
case TRY_SEND_SERVER_KEY_EXCHANGE:
|
||||
return ServerSendServerKeyExchangeProcess(ctx);
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
case TRY_SEND_CERTIFICATE_REQUEST:
|
||||
return ServerSendCertRequestProcess(ctx);
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
case TRY_SEND_SERVER_HELLO_DONE:
|
||||
return ServerSendServerHelloDoneProcess(ctx);
|
||||
#ifdef HITLS_TLS_FEATURE_SESSION_TICKET
|
||||
@@ -166,8 +168,10 @@ static int32_t Tls13ProcessSendHandshakeMsg(TLS_Ctx *ctx)
|
||||
return Tls13ServerSendServerHelloProcess(ctx);
|
||||
case TRY_SEND_ENCRYPTED_EXTENSIONS:
|
||||
return Tls13ServerSendEncryptedExtensionsProcess(ctx);
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
case TRY_SEND_CERTIFICATE_REQUEST:
|
||||
return Tls13ServerSendCertRequestProcess(ctx);
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
case TRY_SEND_NEW_SESSION_TICKET:
|
||||
return Tls13SendNewSessionTicketProcess(ctx);
|
||||
#endif /* HITLS_TLS_HOST_SERVER */
|
||||
@@ -198,9 +202,8 @@ static int32_t Tls13ProcessSendHandshakeMsg(TLS_Ctx *ctx)
|
||||
return Tls13SendKeyUpdateProcess(ctx);
|
||||
#endif
|
||||
default:
|
||||
break;
|
||||
return RETURN_ERROR_NUMBER_PROCESS(HITLS_MSG_HANDLE_STATE_ILLEGAL, BINLOG_ID17101, "Handshake state error");
|
||||
}
|
||||
return RETURN_ERROR_NUMBER_PROCESS(HITLS_MSG_HANDLE_STATE_ILLEGAL, BINLOG_ID17101, "Handshake state error");
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS13 */
|
||||
int32_t HS_SendMsgProcess(TLS_Ctx *ctx)
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
* See the Mulan PSL v2 for more details.
|
||||
*/
|
||||
#include "hitls_build.h"
|
||||
#ifdef HITLS_TLS_HOST_SERVER
|
||||
#if defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)
|
||||
#include "tls_binlog_id.h"
|
||||
#include "bsl_log_internal.h"
|
||||
#include "bsl_log.h"
|
||||
@@ -110,4 +110,4 @@ int32_t Tls13ServerSendCertRequestProcess(TLS_Ctx *ctx)
|
||||
return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE);
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS13 */
|
||||
#endif /* HITLS_TLS_HOST_SERVER */
|
||||
#endif /* HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
@@ -63,6 +63,7 @@ int32_t SendCertificateProcess(TLS_Ctx *ctx)
|
||||
if (IsNeedServerKeyExchange(ctx) == true) {
|
||||
return HS_ChangeState(ctx, TRY_SEND_SERVER_KEY_EXCHANGE);
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
/* The server sends CertificateRequest only when the isSupportClientVerify mode is enabled */
|
||||
if (ctx->config.tlsConfig.isSupportClientVerify) {
|
||||
/* isSupportClientOnceVerify specifies whether the CR is sent only in the initial handshake phase. */
|
||||
@@ -72,6 +73,7 @@ int32_t SendCertificateProcess(TLS_Ctx *ctx)
|
||||
return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST);
|
||||
}
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO_DONE);
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS_BASIC || HITLS_TLS_PROTO_DTLS12 */
|
||||
|
||||
@@ -43,13 +43,13 @@
|
||||
static int32_t ClientPrepareSession(TLS_Ctx *ctx)
|
||||
{
|
||||
HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
|
||||
/* If the session cannot be resumed during renegotiation, delete the session */
|
||||
if (ctx->negotiatedInfo.isRenegotiation && !ctx->config.tlsConfig.isResumptionOnRenego) {
|
||||
HITLS_SESS_Free(ctx->session);
|
||||
ctx->session = NULL;
|
||||
}
|
||||
|
||||
#endif
|
||||
if (ctx->session != NULL) {
|
||||
uint64_t curTime = (uint64_t)BSL_SAL_CurrentSysTimeGet();
|
||||
if (!SESS_CheckValidity(ctx->session, curTime)) {
|
||||
|
||||
@@ -72,6 +72,7 @@ int32_t Tls13ServerSendEncryptedExtensionsProcess(TLS_Ctx *ctx)
|
||||
if (ctx->hsCtx->kxCtx->pskInfo13.psk != NULL) {
|
||||
return HS_ChangeState(ctx, TRY_SEND_FINISH);
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
/* The server sends a CertificateRequest message only when the VerifyPeer mode is enabled */
|
||||
if (ctx->config.tlsConfig.isSupportClientVerify
|
||||
#ifdef HITLS_TLS_FEATURE_PHA
|
||||
@@ -80,6 +81,7 @@ int32_t Tls13ServerSendEncryptedExtensionsProcess(TLS_Ctx *ctx)
|
||||
) {
|
||||
return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST);
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE);
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS13 && HITLS_TLS_HOST_SERVER */
|
||||
@@ -287,7 +287,7 @@ int32_t ServerSendServerKeyExchangeProcess(TLS_Ctx *ctx)
|
||||
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15750, BSL_LOG_LEVEL_INFO, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"server send keyExchange msg success.", 0, 0, 0, 0);
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
|
||||
/* Update the state machine. If the CertificateRequest message does not need to be sent, the system directly
|
||||
* switches to theSend_SERVER_HELLO_DONE state */
|
||||
if (ctx->negotiatedInfo.cipherSuiteInfo.authAlg != HITLS_AUTH_NULL &&
|
||||
@@ -298,6 +298,7 @@ int32_t ServerSendServerKeyExchangeProcess(TLS_Ctx *ctx)
|
||||
return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST);
|
||||
}
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
|
||||
/* Make sure the client will always send a certificate message, because ECDHE relies on the client's encrypted
|
||||
* certificate, even if the client does not require authentication (isSupportClientVerify equals false). */
|
||||
#ifdef HITLS_TLS_PROTO_TLCP11
|
||||
|
||||
@@ -165,7 +165,6 @@ bool CFG_GetSignParamBySchemes(const HITLS_Ctx *ctx, HITLS_SignHashAlgo scheme,
|
||||
*/
|
||||
uint8_t CFG_GetCertTypeByCipherSuite(uint16_t cipherSuite);
|
||||
|
||||
|
||||
/**
|
||||
* @brief get the group name of the ecdsa
|
||||
*
|
||||
|
||||
@@ -122,7 +122,9 @@ typedef enum {
|
||||
CM_STATE_RENEGOTIATION,
|
||||
CM_STATE_ALERTING,
|
||||
CM_STATE_ALERTED,
|
||||
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|
||||
CM_STATE_CLOSED,
|
||||
#endif
|
||||
CM_STATE_END
|
||||
} CM_State;
|
||||
|
||||
|
||||
@@ -121,7 +121,7 @@ typedef struct TlsConfig {
|
||||
BSL_SAL_RefCount references; /* reference count */
|
||||
HITLS_Lib_Ctx *libCtx; /* library context */
|
||||
const char *attrName; /* attrName */
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
TLS_GroupInfo *groupInfo;
|
||||
uint32_t groupInfolen;
|
||||
uint32_t groupInfoSize;
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
#include "hitls_build.h"
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY)
|
||||
#include "rec_anti_replay.h"
|
||||
|
||||
#define REC_SLID_WINDOW_SIZE 64
|
||||
@@ -66,4 +66,4 @@ void RecAntiReplayUpdate(RecSlidWindow *w, uint64_t seq)
|
||||
w->window |= 1;
|
||||
}
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_DTLS12 && HITLS_BSL_UIO_UDP */
|
||||
#endif /* HITLS_TLS_PROTO_DTLS12 && HITLS_BSL_UIO_UDP && HITLS_TLS_FEATURE_ANTI_REPLAY */
|
||||
@@ -231,8 +231,6 @@ static int32_t RecordUnexpectedMsg(TLS_Ctx *ctx, RecBuf *decryptBuf, REC_Type re
|
||||
case REC_TYPE_APP:
|
||||
ret = RecBufListAddBuffer(ctx->recCtx->appRecList, decryptBuf);
|
||||
break;
|
||||
case REC_TYPE_CHANGE_CIPHER_SPEC:
|
||||
case REC_TYPE_ALERT:
|
||||
default:
|
||||
ret = ctx->method.unexpectedMsgProcessCb(ctx, recordType,
|
||||
decryptBuf->buf, decryptBuf->end, false);
|
||||
@@ -596,7 +594,7 @@ static uint8_t *GetUnprocessedMsg(RecCtx *recordCtx, REC_Type recordType, RecHdr
|
||||
return recordBody;
|
||||
}
|
||||
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY)
|
||||
static int32_t AntiReplay(TLS_Ctx *ctx, RecHdr *hdr)
|
||||
{
|
||||
/* In non-UDP scenarios, anti-replay check is not required */
|
||||
@@ -650,7 +648,7 @@ static int32_t DtlsGetRecord(TLS_Ctx *ctx, REC_Type recordType, RecHdr *hdr, uin
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY)
|
||||
ret = AntiReplay(ctx, hdr);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
BSL_SAL_FREE(*cachRecord);
|
||||
@@ -715,13 +713,15 @@ int32_t DtlsRecordRead(TLS_Ctx *ctx, REC_Type recordType, uint8_t *data, uint32_
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
#if defined(HITLS_BSL_UIO_UDP)
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY)
|
||||
/* In UDP scenarios, update the sliding window flag */
|
||||
if (BSL_UIO_GetUioChainTransportType(ctx->uio, BSL_UIO_UDP)) {
|
||||
RecAntiReplayUpdate(&GetReadConnState(ctx)->window, REC_SEQ_GET(hdr.epochSeq));
|
||||
}
|
||||
#endif
|
||||
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
ctx->method.clearAlert(ctx, cryptMsg.type);
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_MODE_RELEASE_BUFFERS
|
||||
if ((ctx->config.tlsConfig.modeSupport & HITLS_MODE_RELEASE_BUFFERS) != 0 && (recordType == REC_TYPE_APP)) {
|
||||
RecTryFreeRecBuf(ctx, false);
|
||||
@@ -1047,7 +1047,9 @@ int32_t TlsRecordRead(TLS_Ctx *ctx, REC_Type recordType, uint8_t *data, uint32_t
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
|
||||
ctx->method.clearAlert(ctx, encryptedMsg.type);
|
||||
#endif
|
||||
#ifdef HITLS_TLS_FEATURE_MODE_RELEASE_BUFFERS
|
||||
if ((ctx->config.tlsConfig.modeSupport & HITLS_MODE_RELEASE_BUFFERS) != 0 && (recordType == REC_TYPE_APP)) {
|
||||
RecTryFreeRecBuf(ctx, false);
|
||||
|
||||
@@ -114,9 +114,11 @@ static uint32_t RecGetReadBufferSize(const TLS_Ctx *ctx)
|
||||
if (ctx->negotiatedInfo.recordSizeLimit != 0 &&
|
||||
ctx->negotiatedInfo.recordSizeLimit <= REC_MAX_PLAIN_TEXT_LENGTH) {
|
||||
recSize -= REC_MAX_PLAIN_TEXT_LENGTH - ctx->negotiatedInfo.recordSizeLimit;
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
if (GET_VERSION_FROM_CTX(ctx) == HITLS_VERSION_TLS13) {
|
||||
recSize--;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
return recSize;
|
||||
}
|
||||
@@ -134,9 +136,11 @@ static uint32_t RecGetWriteBufferSize(const TLS_Ctx *ctx)
|
||||
recSize -= REC_MAX_PLAIN_TEXT_LENGTH - maxSendFragment;
|
||||
if (ctx->negotiatedInfo.peerRecordSizeLimit != 0 && ctx->negotiatedInfo.peerRecordSizeLimit <= maxSendFragment) {
|
||||
recSize -= maxSendFragment - ctx->negotiatedInfo.peerRecordSizeLimit;
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
|
||||
recSize--;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
|
||||
RecCmpPmtu(ctx, &recSize);
|
||||
@@ -576,7 +580,7 @@ int32_t REC_ActivePendingState(TLS_Ctx *ctx, bool isOut)
|
||||
} else {
|
||||
++recordCtx->readEpoch;
|
||||
RecConnSetEpoch(states->currentState, recordCtx->readEpoch);
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
|
||||
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY)
|
||||
RecAntiReplayReset(&states->currentState->window);
|
||||
#endif
|
||||
}
|
||||
@@ -599,9 +603,11 @@ static uint32_t REC_GetRecordSizeLimitWriteLen(const TLS_Ctx *ctx)
|
||||
#endif
|
||||
if (ctx->negotiatedInfo.recordSizeLimit != 0 && ctx->negotiatedInfo.peerRecordSizeLimit <= defaultLen) {
|
||||
defaultLen = ctx->negotiatedInfo.peerRecordSizeLimit;
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
|
||||
defaultLen--;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
return defaultLen;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user