feat:minimization for protocol

Signed-off-by: Dongjianwei001 <dongjianwei1@huawei.com>
This commit is contained in:
longparty
2026-01-09 14:55:11 +08:00
committed by Dongjianwei001
parent 546b9f8075
commit ecf56f0776
62 changed files with 1324 additions and 359 deletions
+18 -3
View File
@@ -266,7 +266,10 @@
"opts": ["proto"]
},
"callback": {
"feature_provider": null,
"feature_provider": {
"feature_provider_hard_coding":null,
"feature_provider_dynamic":null
},
"callback_sal" :null,
"callback_cert": {
"deps": ["callback_sal"]
@@ -309,7 +312,12 @@
},
"feature_key_update": null,
"feature_flight": null,
"feature_cert_mode": null,
"feature_cert_mode": {
"feature_cert_mode_client_verify": null,
"feature_cert_mode_verify_peer": null
},
"feature_anti_replay": null,
"feature_extended_master_secret": null,
"feature_record_size_limit": null,
"feature_kem": null,
"feature_client_hello_cb": null,
@@ -326,7 +334,14 @@
"opts": [
["host", "host_client", "host_server"],
["uio_sctp", "uio_tcp", "uio_udp", "uio_plt"]
]
],
"proto_dfx": {
"proto_dfx_check": null,
"proto_dfx_info": null,
"proto_dfx_alert_number": null,
"proto_dfx_server_prefer": null
},
"proto_close_state": null
},
"config": {
"config_manual_dh": null,
@@ -101,6 +101,27 @@
#endif
#endif
#ifdef HITLS_TLS_FEATURE_PROVIDER
#ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
#define HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
#endif
#ifndef HITLS_TLS_FEATURE_PROVIDER_HARD_CODING
#define HITLS_TLS_FEATURE_PROVIDER_HARD_CODING
#endif
#endif
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
#ifdef HITLS_TLS_FEATURE_PROVIDER_HARD_CODING
#undef HITLS_TLS_FEATURE_PROVIDER_HARD_CODING
#endif
#endif
#if defined(HITLS_TLS_FEATURE_PROVIDER_DYNAMIC) || defined(HITLS_TLS_FEATURE_PROVIDER_HARD_CODING)
#ifndef HITLS_TLS_FEATURE_PROVIDER
#define HITLS_TLS_FEATURE_PROVIDER
#endif
#endif
#if defined(HITLS_TLS_FEATURE_PROVIDER)
#ifdef HITLS_TLS_CALLBACK_SAL
#undef HITLS_TLS_CALLBACK_SAL
@@ -182,6 +203,12 @@
#ifndef HITLS_TLS_FEATURE_CUSTOM_EXTENSION
#define HITLS_TLS_FEATURE_CUSTOM_EXTENSION
#endif
#ifndef HITLS_TLS_FEATURE_ANTI_REPLAY
#define HITLS_TLS_FEATURE_ANTI_REPLAY
#endif
#ifndef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
#define HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
#endif
#ifndef HITLS_TLS_FEATURE_REC_INBUFFER_SIZE
#define HITLS_TLS_FEATURE_REC_INBUFFER_SIZE
#endif
@@ -206,6 +233,21 @@
#define HITLS_PKI_X509_CRT_AUTH
#endif
#ifdef HITLS_TLS_FEATURE_SESSION
#ifndef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
#define HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
#endif
#ifndef HITLS_TLS_PROTO_CLOSE_STATE
#define HITLS_TLS_PROTO_CLOSE_STATE
#endif
#endif
#ifdef HITLS_BSL_UIO_UDP
#ifndef HITLS_TLS_FEATURE_ANTI_REPLAY
#define HITLS_TLS_FEATURE_ANTI_REPLAY
#endif
#endif
#ifdef HITLS_TLS_FEATURE_SESSION
#ifndef HITLS_TLS_FEATURE_SESSION_TICKET
#define HITLS_TLS_FEATURE_SESSION_TICKET
@@ -236,6 +278,26 @@
#endif
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifndef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
#define HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
#endif
#ifndef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
#define HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
#endif
#endif
#ifdef HITLS_TLS_PROTO_TLCP11
#ifndef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
#define HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
#endif
#endif
#if (defined(HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER) || defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) && \
!defined(HITLS_TLS_FEATURE_CERT_MODE)
#define HITLS_TLS_FEATURE_CERT_MODE
#endif
#if defined(HITLS_TLS_FEATURE_MODE_FALL_BACK_SCSV) || defined(HITLS_TLS_FEATURE_MODE_AUTO_RETRY) || \
defined(HITLS_TLS_FEATURE_MODE_ACCEPT_MOVING_WRITE_BUFFER) || defined(HITLS_TLS_FEATURE_MODE_RELEASE_BUFFERS)
#ifndef HITLS_TLS_FEATURE_MODE
@@ -285,6 +347,30 @@
#ifndef HITLS_CRYPTO_EAL
#define HITLS_CRYPTO_EAL
#endif
#ifndef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
#define HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
#endif
#ifndef HITLS_TLS_PROTO_CLOSE_STATE
#define HITLS_TLS_PROTO_CLOSE_STATE
#endif
#ifndef HITLS_TLS_PROTO_DFX
#define HITLS_TLS_PROTO_DFX
#endif
#endif
#ifdef HITLS_TLS_PROTO_DFX
#ifndef HITLS_TLS_PROTO_DFX_CHECK
#define HITLS_TLS_PROTO_DFX_CHECK
#endif
#ifndef HITLS_TLS_PROTO_DFX_INFO
#define HITLS_TLS_PROTO_DFX_INFO
#endif
#ifndef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
#define HITLS_TLS_PROTO_DFX_ALERT_NUMBER
#endif
#ifndef HITLS_TLS_PROTO_DFX_SERVER_PREFER
#define HITLS_TLS_PROTO_DFX_SERVER_PREFER
#endif
#endif
// suite_cipher
@@ -27,7 +27,7 @@
#include "crypt_algid.h"
#include "crypt_errno.h"
#include "crypt_params_key.h"
#ifdef HITLS_TLS_FEATURE_PROVIDER
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
#include "hitls_crypt_type.h"
#include "hitls_cert_type.h"
#include "hitls_type.h"
@@ -615,7 +615,7 @@ static void CRYPT_EAL_DefaultProvFree(void *provCtx)
BSL_SAL_Free(provCtx);
}
#ifdef HITLS_TLS_FEATURE_PROVIDER
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
#define TLS_GROUP_PARAM_COUNT 11
#define TLS_SIGN_SCHEME_PARAM_COUNT 18
typedef struct {
@@ -1267,13 +1267,13 @@ static int32_t CRYPT_EAL_DefaultProvGetCaps(void *provCtx, int32_t cmd, CRYPT_EA
return CRYPT_NOT_SUPPORT;
}
}
#endif
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
static CRYPT_EAL_Func g_defEalProvOutFuncs[] = {
{CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery},
{CRYPT_EAL_PROVCB_FREE, CRYPT_EAL_DefaultProvFree},
{CRYPT_EAL_PROVCB_CTRL, NULL},
#ifdef HITLS_TLS_FEATURE_PROVIDER
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
{CRYPT_EAL_PROVCB_GETCAPS, CRYPT_EAL_DefaultProvGetCaps},
#endif
CRYPT_EAL_FUNC_END
+2 -4
View File
@@ -279,10 +279,8 @@ void BSL_SAL_ClearFree(void *ptr, uint32_t size);
#define BSL_SAL_FREE(value_) \
do { \
if ((value_) != NULL) { \
BSL_SAL_Free((void *)(value_)); \
(value_) = NULL; \
} \
BSL_SAL_Free((void *)(value_)); \
(value_) = NULL; \
} while (0)
/**
+1 -4
View File
@@ -545,10 +545,7 @@ class FeatureConfigParser:
else:
is_fea_contained = False
while 'parent' in rel:
if rel['parent'] in disables:
raise Exception("The 'disables' features {} and 'enables' featrues {} conflict".format(fea, disables))
if rel['parent'] in features:
if rel['parent'] in disables or rel['parent'] in features:
is_fea_contained = True
break
rel = feas_info[rel['parent']]
@@ -149,12 +149,12 @@ static int32_t SetLinkConfig(uint16_t version, HITLS_KeyExchAlgo keyExAlgo, Link
HITLS_CFG_SetCheckKeyUsage(linkPara->config, false);
#endif /* HITLS_TLS_CONFIG_KEY_USAGE */
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
int32_t ret = HITLS_CFG_SetClientVerifySupport(linkPara->config, true);
if (ret != HITLS_SUCCESS) {
return ret;
}
#endif /* HITLS_TLS_FEATURE_CERT_MODE */
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
if (keyExAlgo == HITLS_KEY_EXCH_DHE) {
uint16_t cipherSuites[] = {HITLS_DHE_RSA_WITH_AES_128_GCM_SHA256};
HITLS_CFG_SetCipherSuites(linkPara->config, cipherSuites, sizeof(cipherSuites) / sizeof(uint16_t));
+11 -26
View File
@@ -1193,47 +1193,32 @@ static int32_t PackNewSessionTicketMsg(FRAME_Type *type, const FRAME_NewSessionT
static int32_t PackHsMsgBody(FRAME_Type *type, const FRAME_Msg *msg,
uint8_t *buf, uint32_t bufLen, uint32_t *usedLen)
{
int32_t ret;
const FRAME_HsMsg *hsMsg = &(msg->body.hsMsg);
switch (type->handshakeType) {
case CLIENT_HELLO:
ret = PackClientHelloMsg(&(hsMsg->body.clientHello), buf, bufLen, usedLen);
break;
return PackClientHelloMsg(&(hsMsg->body.clientHello), buf, bufLen, usedLen);
case SERVER_HELLO:
ret = PackServerHelloMsg(&(hsMsg->body.serverHello), buf, bufLen, usedLen);
break;
return PackServerHelloMsg(&(hsMsg->body.serverHello), buf, bufLen, usedLen);
case CERTIFICATE:
ret = PackCertificateMsg(type, &(hsMsg->body.certificate), buf, bufLen, usedLen);
break;
return PackCertificateMsg(type, &(hsMsg->body.certificate), buf, bufLen, usedLen);
case SERVER_KEY_EXCHANGE:
ret = PackServerKeyExchangeMsg(type, &(hsMsg->body.serverKeyExchange), buf, bufLen, usedLen);
break;
return PackServerKeyExchangeMsg(type, &(hsMsg->body.serverKeyExchange), buf, bufLen, usedLen);
case CERTIFICATE_REQUEST:
ret = PackCertificateRequestMsg(type, &(hsMsg->body.certificateReq), buf, bufLen, usedLen);
break;
return PackCertificateRequestMsg(type, &(hsMsg->body.certificateReq), buf, bufLen, usedLen);
case SERVER_HELLO_DONE:
ret = PackServerHelloDoneMsg(&(hsMsg->body.serverHelloDone), buf, bufLen, usedLen);
break;
return PackServerHelloDoneMsg(&(hsMsg->body.serverHelloDone), buf, bufLen, usedLen);
case CLIENT_KEY_EXCHANGE:
ret = PackClientKeyExchangeMsg(type, &(hsMsg->body.clientKeyExchange), buf, bufLen, usedLen);
break;
return PackClientKeyExchangeMsg(type, &(hsMsg->body.clientKeyExchange), buf, bufLen, usedLen);
case CERTIFICATE_VERIFY:
ret = PackCertificateVerifyMsg(type, &(hsMsg->body.certificateVerify), buf, bufLen, usedLen);
break;
return PackCertificateVerifyMsg(type, &(hsMsg->body.certificateVerify), buf, bufLen, usedLen);
case FINISHED:
ret = PackFinishedMsg(&(hsMsg->body.finished), buf, bufLen, usedLen);
break;
return PackFinishedMsg(&(hsMsg->body.finished), buf, bufLen, usedLen);
case NEW_SESSION_TICKET:
ret = PackNewSessionTicketMsg(type, &(hsMsg->body.newSessionTicket), buf, bufLen, usedLen);
break;
return PackNewSessionTicketMsg(type, &(hsMsg->body.newSessionTicket), buf, bufLen, usedLen);
default:
ret = HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG;
break;
return HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG;
}
return ret;
}
static int32_t PackHandShakeMsg(FRAME_Type *type, const FRAME_Msg *msg,
+8 -3
View File
@@ -510,12 +510,14 @@ int HitlsSetCtx(HITLS_Config *outCfg, HLT_Ctx_Config *inCtxCfg)
ret = HITLS_CFG_SetVersion(outCfg, inCtxCfg->minVersion, inCtxCfg->maxVersion);
ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetVersion Error ERROR");
}
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
if (inCtxCfg->SupportType == SERVER_CFG_SET_TRUE) {
HITLS_CFG_SetCipherServerPreference(outCfg, true);
}
if (inCtxCfg->SupportType == SERVER_CFG_SET_FALSE) {
HITLS_CFG_SetCipherServerPreference(outCfg, false);
}
#endif
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
// Setting Renegotiation
LOG_DEBUG("HiTLS Set Support Renegotiation is %d", inCtxCfg->isSupportRenegotiation);
@@ -526,15 +528,16 @@ int HitlsSetCtx(HITLS_Config *outCfg, HLT_Ctx_Config *inCtxCfg)
ret = HITLS_CFG_SetClientRenegotiateSupport(outCfg, inCtxCfg->allowClientRenegotiate);
ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetClientRenegotiateSupport ERROR");
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
// Whether to enable dual-ended verification
LOG_DEBUG("HiTLS Set Support Client Verify is %d", inCtxCfg->isSupportClientVerify);
ret = HITLS_CFG_SetClientVerifySupport(outCfg, inCtxCfg->isSupportClientVerify);
ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetClientVerifySupport ERROR");
#endif
LOG_DEBUG("HiTLS Set readAhead is %d", inCtxCfg->readAhead);
ret = HITLS_CFG_SetReadAhead(outCfg, inCtxCfg->readAhead);
ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetReadAhead ERROR");
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
// Indicates whether to allow empty certificate list on the client.
LOG_DEBUG("HiTLS Set Support Not Client Cert is %d", inCtxCfg->isSupportNoClientCert);
ret = HITLS_CFG_SetNoClientCertSupport(outCfg, inCtxCfg->isSupportNoClientCert);
@@ -721,7 +724,7 @@ int HitlsSetCtx(HITLS_Config *outCfg, HLT_Ctx_Config *inCtxCfg)
ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetKeyExchMode ERROR");
}
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
// Set whether to enable isSupportVerifyNone;
LOG_DEBUG("HiTLS Set Support pha is %d", inCtxCfg->isSupportVerifyNone);
ret = HITLS_CFG_SetVerifyNoneSupport(outCfg, inCtxCfg->isSupportVerifyNone);
@@ -811,12 +814,14 @@ const BSL_UIO_Method *GetDefaultMethod(HILT_TransportType type)
int HitlsSetSsl(void *ssl, HLT_Ssl_Config *sslConfig)
{
int ret;
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
if (sslConfig->SupportType == SERVER_CTX_SET_TRUE) {
HITLS_SetCipherServerPreference((HITLS_Ctx *)ssl, true);
}
if (sslConfig->SupportType == SERVER_CTX_SET_FALSE) {
HITLS_SetCipherServerPreference((HITLS_Ctx *)ssl, false);
}
#endif
HILT_TransportType type = (sslConfig->connType == NONE_TYPE) ? SCTP : sslConfig->connType;
BSL_UIO *uio = BSL_UIO_New(GetDefaultMethod(type));
+2
View File
@@ -343,12 +343,14 @@ test_pkey()
test_tls()
{
include_path="-I${HITLS_ROOT_DIR}/testcode/script/mini_test_config"
NO_LIB=""
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=tlcp_feature test=base,asn1,base64,buffer,err,hash,init,list,log,obj,params,pem,tlv,sal,sal_mem,sal_lock,sal_str,sal_file,sal_thread,sal_net,sal_time,aes,bn,chacha20,cmac_aes,drbg_ctr,drbg_hash,ecc,ecdh,ecdsa,entropy,gcm,hkdf,hpke,mlkem,mldsa,sha256,sha384,sha512,slh_dsa,sm2,sm3,sm4,x25519,curve_nistp256,curve_nistp384,curve_nistp521,x509_crl_gen,x509_crl_parse,x509_csr_gen,x509_csr_parse,x509_crt_gen,x509_crt_parse,x509_vfy,tlcp linux add-options="-DHITLS_SEED_DRBG_INIT_RAND_ALG=CRYPT_RAND_SHA256" add-options="-DHITLS_CRYPTO_ENTROPY_DEVRANDOM" add-options="-DHITLS_CRYPTO_MLKEM_CMP" add-options="-DHITLS_CRYPTO_MLDSA_CMP"
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=nokem_feature test=base linux
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=mtu_feature test=mtu linux
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=max_send_fragment_feature test=max_send_fragment linux
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=ca_list_feature test=ca_list linux
bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=no_dfx_feature test=no_dfx compile-config=no_dfx_compile include-path="${include_path}" linux
}
test_pki()
+17
View File
@@ -43,6 +43,7 @@ ENDIAN="little"
ASAN_OPTIONS=""
TLS_FLAG=""
FEATURE_CONFIG_FILE=""
COMPILE_CONFIG_FILE=""
INCLUDE_PATH=""
print_usage() {
@@ -129,6 +130,18 @@ parse_option()
exit 1
fi
;;
"compile-config")
if [ -n "$ASM_TYPE" ]; then
COMPILE_CONFIG_FILE=$(find $HITLS_ROOT_DIR -name "${value}_${ASM_TYPE}.json" -type f | head -n 1)
fi
if [ -z "$COMPILE_CONFIG_FILE" ]; then
COMPILE_CONFIG_FILE=$(find $HITLS_ROOT_DIR -name "${value}.json" -type f | head -n 1)
fi
if [ -z "$COMPILE_CONFIG_FILE" ]; then
echo "Error: Cannot find compile config file '${value}.json' or '${value}.json' under $HITLS_ROOT_DIR"
exit 1
fi
;;
"test")
LIB_TYPE="static shared"
TEST_FEATURE=$value
@@ -247,6 +260,10 @@ mini_config()
enables="--feature_config $MODIFIED_CONFIG_FILE"
fi
if [ "$COMPILE_CONFIG_FILE" != "" ]; then
enables="$enables --compile_config $COMPILE_CONFIG_FILE"
fi
echo "python3 configure.py --lib_type $LIB_TYPE $enables --endian=$ENDIAN --bits=$BITS"
python3 $HITLS_ROOT_DIR/configure.py --lib_type $LIB_TYPE $enables --endian=$ENDIAN --bits=$BITS
@@ -0,0 +1,55 @@
/*
* This file is part of the openHiTLS project.
*
* openHiTLS is licensed under the Mulan PSL v2.
* You can use this software according to the terms and conditions of the Mulan PSL v2.
* You may obtain a copy of Mulan PSL v2 at:
*
* http://license.coscl.org.cn/MulanPSL2
*
* THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
* EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
* MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
* See the Mulan PSL v2 for more details.
*/
/* Derivation of configuration features.
* The derivation type (rule) and sequence are as follows:
* 1. Parent features derive child features.
* 2. Derive the features of dependencies.
* For example, if feature a depends on features b and c, you need to derive features b and c.
* 3. Child features derive parent features.
* The high-level interfaces of the crypto module is controlled by the parent feature macro,
* if there is no parent feature, such interfaces will be unavailable.
*/
#ifndef NODFX_CONFIG_H
#define NODFX_CONFIG_H
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
#undef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
#endif
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
#undef HITLS_TLS_PROTO_CLOSE_STATE
#endif
#ifdef HITLS_TLS_PROTO_DFX
#undef HITLS_TLS_PROTO_DFX
#endif
#ifdef HITLS_TLS_PROTO_DFX_CHECK
#undef HITLS_TLS_PROTO_DFX_CHECK
#endif
#ifdef HITLS_TLS_PROTO_DFX_INFO
#undef HITLS_TLS_PROTO_DFX_INFO
#endif
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
#undef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
#endif
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
#undef HITLS_TLS_PROTO_DFX_SERVER_PREFER
#endif
#endif /* NODFX_CONFIG_H */
@@ -0,0 +1,135 @@
{
"compileFlag": {
"common": {
"CC_OPT_LEVEL": [
"-D_FORTIFY_SOURCE=2",
"-O2"
],
"CC_OVERALL_FLAGS": ["-pipe"],
"CC_LANGUAGE_FLAGS": ["-fsigned-char"],
"CC_CDG_FLAGS": ["-fno-common"],
"CC_MD_DEPENDENT_FLAGS": [],
"CC_OPT_FLAGS": [
"-fno-strict-aliasing",
"-fno-omit-frame-pointer"
],
"CC_SEC_FLAGS": [
"-fPIC",
"-fstack-protector-strong"
],
"CC_DEBUG_FLAGS": [],
"CC_USER_DEFINE_FLAGS": [
"-DHITLS_CONFIG_FILE='<hitls_nodfx_config.h>'",
"-I${HiTLS_SOURCE_ROOT_DIR}/testcode/script/mini_test_config/"
],
"CC_WARN_FLAGS": [
"-Werror",
"-Wextra",
"-Wcast-qual",
"-Wall",
"-Wfloat-equal",
"-Wshadow",
"-Wformat=2"
],
"CC_DEFINE_FLAGS": [
"-DHITLS_CRYPTO_EAL_REPORT",
"-DHITLS_CRYPTO_NIST_ECC_ACCELERATE",
"-DHITLS_CRYPTO_BN_COMBA",
"-DHITLS_CRYPTO_AES_PRECALC_TABLES",
"-DHITLS_AARCH64_PACIASP",
"-DHITLS_CRYPTO_SM2_PRECOMPUTE_512K_TBL"
]
},
"gcc": {
"CC_WARN_FLAGS_EXTRA": [
"-Wdate-time",
"-Wno-stringop-overread"
],
"CC_SEC_FLAGS_EXTRA": [
"--param=ssp-buffer-size=4"
]
},
"clang": {
"CC_SEC_FLAGS_EXTRA": [
"-Wno-unused-command-line-argument"
]
},
"apple-clang": {
"_inherit": "clang",
"CC_SEC_FLAGS_REMOVE": [
"--param=ssp-buffer-size=4"
],
"CC_DEFINE_FLAGS_REMOVE": [
"-DHITLS_AARCH64_PACIASP"
]
}
},
"linkFlag": {
"common": {
"PUBLIC": [],
"SHARED": [],
"EXE": []
},
"gnu-ld": {
"PUBLIC": [
"-Wl,-z,noexecstack",
"-Wl,-z,relro",
"-Wl,-z,now",
"-Wl,--build-id=none"
],
"SHARED": [
"-shared"
],
"EXE": [
"-pie"
]
},
"ld64": {
"PUBLIC": [
"-Wl,-dead_strip"
],
"SHARED": [
"-dynamiclib"
],
"EXE": [
"-Wl,-pie"
]
},
"lld": {
"PUBLIC": [
"-Wl,-z,noexecstack",
"-Wl,-z,relro",
"-Wl,-z,now",
"-Wl,--build-id=none",
"-Wl,--as-needed"
],
"SHARED": [
"-shared"
],
"EXE": [
"-pie"
]
},
"gold": {
"_inherit": "gnu-ld",
"PUBLIC_EXTRA": [
"-Wl,--threads",
"-Wl,--thread-count=4"
]
}
},
"systemDefines": {
"common": {},
"linux": {
"CC_DEFINE_FLAGS_EXTRA": [
"-D_GNU_SOURCE"
]
},
"darwin": {
"CC_DEFINE_FLAGS_EXTRA": [
"-D_DARWIN_C_SOURCE",
"-DHITLS_CRYPTO_NO_AUXVAL"
]
}
}
}
@@ -0,0 +1,116 @@
{
"libType": [
"static",
"shared"
],
"libs": {
"hitls_bsl": {
"c": [
"init",
"sal",
"sal_mem",
"sal_lock",
"log",
"err",
"hash",
"sal_str",
"sal_file",
"uio_buffer",
"uio_mem",
"uio_plt",
"uio_udp",
"sal_thread",
"sal_net",
"sal_time",
"tlv",
"base64",
"asn1",
"buffer",
"list",
"obj",
"params",
"pem"
]
},
"hitls_crypto": {
"asm": [
"bn",
"chacha20",
"chacha20poly1305",
"aes",
"gcm",
"sha256",
"sha384",
"sha512",
"bn_rand",
"x25519",
"curve_nistp256",
"curve_nistp384",
"curve_nistp521",
"ecc",
"curve_sm2",
"sm3",
"sm4"
],
"c": [
"eal",
"ealinit",
"entropy",
"drbg_hash",
"sha256",
"sha384",
"sha512",
"hkdf",
"aes",
"gcm",
"chacha20",
"hpke",
"bn",
"x25519",
"curve_nistp256",
"curve_nistp384",
"curve_nistp521",
"drbg_ctr",
"cmac_aes",
"ecdsa",
"ecdh",
"ecc",
"mlkem",
"mldsa",
"slh_dsa",
"cbc",
"rsa",
"sha1",
"cipher",
"pkey",
"codecskey"
]
},
"hitls_tls": {
"c": [
"callback_sal",
"callback_cert",
"callback_crypt",
"config",
"host",
"maintain",
"proto",
"proto_dtls12",
"proto_dtlcp11",
"feature_mtu_query",
"suite_ecdhe_rsa_with_aes_128_cbc_sha"
]
},
"hitls_pki": {
"c": [
"info",
"pkcs12",
"x509"
]
}
},
"endian": "little",
"bits": 64,
"asmType": "no_asm",
"system": "linux"
}
@@ -0,0 +1,133 @@
/*
* This file is part of the openHiTLS project.
*
* openHiTLS is licensed under the Mulan PSL v2.
* You can use this software according to the terms and conditions of the Mulan PSL v2.
* You may obtain a copy of Mulan PSL v2 at:
*
* http://license.coscl.org.cn/MulanPSL2
*
* THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
* EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
* MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
* See the Mulan PSL v2 for more details.
*/
/* BEGIN_HEADER */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <time.h>
#include <stddef.h>
#include <sys/types.h>
#include <regex.h>
#include <pthread.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/ioctl.h>
#include "securec.h"
#include "bsl_sal.h"
#include "sal_net.h"
#include "frame_tls.h"
#include "cert_callback.h"
#include "hitls_config.h"
#include "hitls_error.h"
#include "bsl_errno.h"
#include "bsl_uio.h"
#include "frame_io.h"
#include "uio_abstraction.h"
#include "tls.h"
#include "tls_config.h"
#include "logger.h"
#include "process.h"
#include "hs_ctx.h"
#include "hlt.h"
#include "stub_utils.h"
#include "hitls_type.h"
#include "frame_link.h"
#include "session_type.h"
#include "common_func.h"
#include "hitls_func.h"
#include "hitls_cert_type.h"
#include "parser_frame_msg.h"
#include "recv_process.h"
#include "simulate_io.h"
#include "rec_wrapper.h"
#include "cipher_suite.h"
#include "alert.h"
#include "conn_init.h"
#include "pack.h"
#include "send_process.h"
#include "cert.h"
#include "hitls_cert_reg.h"
#include "hitls_crypt_type.h"
#include "hs.h"
#include "hs_state_recv.h"
#include "app.h"
#include "record.h"
#include "rec_conn.h"
#include "session.h"
#include "frame_msg.h"
#include "pack_frame_msg.h"
#include "cert_mgr.h"
#include "hs_extensions.h"
#include "hlt_type.h"
#include "sctp_channel.h"
#include "hitls_crypt_init.h"
#include "hitls_session.h"
#include "bsl_log.h"
#include "bsl_err.h"
#include "hitls_crypt_reg.h"
#include "crypt_errno.h"
#include "bsl_list.h"
#include "hitls_cert.h"
#include "parse_extensions_client.c"
#include "parse_extensions_server.c"
#include "parse_server_hello.c"
#include "parse_client_hello.c"
/* END_HEADER */
/** @
* @test UT_TLS_CM_NO_DFX_CONNECTION_TC001
* @title Test no DFX macro connection.
* @precon nan
* @brief
* 1. Start a TLS connection with out dfx macro. Expected result 1.
* @expect 1. HITLS_SUCCES is returned
@ */
/* BEGIN_CASE */
void UT_TLS_CM_NO_DFX_CONNECTION_TC001(void)
{
FRAME_Init();
HITLS_Config *config = NULL;
FRAME_LinkObj *client = NULL;
FRAME_LinkObj *server = NULL;
// Apply for and initialize the configuration file
config = HITLS_CFG_NewDTLS12Config();
client = FRAME_CreateLink(config, BSL_UIO_UDP);
ASSERT_TRUE(client != NULL);
server = FRAME_CreateLink(config, BSL_UIO_UDP);
ASSERT_TRUE(server != NULL);
HITLS_SetMtu(client->ssl, 16384);
HITLS_SetMtu(server->ssl, 16384);
ASSERT_EQ(FRAME_CreateConnection(client, server, false, HS_STATE_BUTT), HITLS_SUCCESS);
EXIT:
HITLS_CFG_FreeConfig(config);
FRAME_FreeLink(client);
FRAME_FreeLink(server);
}
/* END_CASE */
@@ -0,0 +1,2 @@
UT_TLS_CM_NO_DFX_CONNECTION_TC001:
UT_TLS_CM_NO_DFX_CONNECTION_TC001:
+4 -2
View File
@@ -5,13 +5,15 @@
"base": ["test_suite_sdv_hlt_base_connect"],
"mtu": ["test_suite_sdv_frame_mtu"],
"max_send_fragment": ["test_suite_sdv_frame_max_send_fragment"],
"ca_list": ["test_suite_sdv_frame_ca_list"]
"ca_list": ["test_suite_sdv_frame_ca_list"],
"no_dfx": ["test_suite_sdv_frame_no_dfx"]
},
"testSuiteCases": {
"test_suite_sdv_hlt_tlcp_ciphersuite": [],
"test_suite_sdv_hlt_base_connect": [],
"test_suite_sdv_frame_mtu": [],
"test_suite_sdv_frame_max_send_fragment": [],
"test_suite_sdv_frame_ca_list": []
"test_suite_sdv_frame_ca_list": [],
"test_suite_sdv_frame_no_dfx": []
}
}
+2
View File
@@ -251,6 +251,7 @@ int32_t ProcessPlainAlert(TLS_Ctx *ctx, const uint8_t *data, uint32_t dataLen)
}
#endif /* HITLS_TLS_PROTO_TLS13 */
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
void ALERT_ClearWarnCount(TLS_Ctx *ctx, uint32_t recordType)
{
if (recordType != REC_TYPE_ALERT) {
@@ -263,6 +264,7 @@ bool ALERT_HaveExceeded(TLS_Ctx *ctx, uint8_t threshold)
ctx->alertCtx->warnCount += 1;
return ctx->alertCtx->warnCount >= threshold;
}
#endif
#ifdef HITLS_BSL_LOG
int32_t ReturnAlertProcess(TLS_Ctx *ctx, int32_t err, uint32_t logId, const void *logStr,
+20 -7
View File
@@ -61,7 +61,9 @@ static const char *GetStateString(uint32_t state)
[CM_STATE_TRANSPORTING] = "Transporting",
[CM_STATE_ALERTING] = "Alerting",
[CM_STATE_ALERTED] = "Alerted",
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
[CM_STATE_CLOSED] = "Closed",
#endif
};
/* Current status */
return stateMachineStr[state];
@@ -140,6 +142,7 @@ int32_t CommonEventInAlertingState(HITLS_Ctx *ctx)
return HITLS_SUCCESS;
}
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
/* If the close_notify message is sent, the link must be disconnected */
if (alertInfo.description == ALERT_CLOSE_NOTIFY) {
if (ctx->userShutDown) {
@@ -155,6 +158,7 @@ int32_t CommonEventInAlertingState(HITLS_Ctx *ctx)
}
return HITLS_SUCCESS;
}
#endif
/* Other warning alerts will not terminate the connection and the status will be restored to the previous status */
ctx->state = ctx->preState;
@@ -189,7 +193,7 @@ static int32_t AlertRecvProcess(HITLS_Ctx *ctx, const ALERT_Info *alertInfo)
/* Other warning alerts will not be processed */
return HITLS_SUCCESS;
}
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
ctx->shutdownState |= HITLS_RECEIVED_SHUTDOWN;
/* In quiet disconnection mode, close_notify does not need to be sent */
@@ -218,6 +222,9 @@ static int32_t AlertRecvProcess(HITLS_Ctx *ctx, const ALERT_Info *alertInfo)
ChangeConnState(ctx, CM_STATE_ALERTED);
}
return HITLS_CM_LINK_CLOSED;
#else
return HITLS_CM_LINK_CLOSED;
#endif
}
int32_t AlertEventProcess(HITLS_Ctx *ctx)
@@ -259,14 +266,14 @@ int32_t CommonEventInHandshakingState(HITLS_Ctx *ctx)
/* The handshake fails, but no alert is received. Return the error code to the user */
return ret;
}
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) {
/* If there are multiple consecutive alerts, the link is abnormal and needs to be terminated. */
ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
alertRet = AlertEventProcess(ctx);
return (alertRet == HITLS_SUCCESS) ? ret : alertRet;
}
#endif
alertRet = AlertEventProcess(ctx);
if (alertRet != HITLS_SUCCESS) {
/* If the alert message fails to be sent, return the error code to the user */
@@ -527,14 +534,19 @@ static uint16_t FindPreference(const HITLS_Ctx *ctx, int32_t nmatch, bool *haveF
uint32_t localGroupSize = ctx->config.tlsConfig.groupsSize;
uint16_t *peerGroups = ctx->peerInfo.groups;
uint16_t *localGroups = ctx->config.tlsConfig.groups;
bool chooseServerPre = ctx->config.tlsConfig.isSupportServerPreference;
uint16_t intersectionCnt = 0;
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
bool chooseServerPre = ctx->config.tlsConfig.isSupportServerPreference;
preferGroupSize = (chooseServerPre == true) ? localGroupSize : peerGroupSize;
secondPreferGroupSize = (chooseServerPre == true) ? peerGroupSize : localGroupSize;
preferGroups = (chooseServerPre == true) ? localGroups : peerGroups;
secondPreferGroups = (chooseServerPre == true) ? peerGroups : localGroups;
#else
preferGroupSize = peerGroupSize;
secondPreferGroupSize = localGroupSize;
preferGroups = peerGroups;
secondPreferGroups = localGroups;
#endif
for (uint32_t i = 0; i < preferGroupSize; i++) {
for (uint32_t j = 0; j < secondPreferGroupSize; j++) {
if (preferGroups[i] == secondPreferGroups[j]) {
@@ -735,11 +747,12 @@ int32_t CommonEventInRenegotiationState(HITLS_Ctx *ctx)
return ret;
}
InnerRenegotiationProcess(ctx);
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) {
/* If multiple consecutive alerts exist, the link is abnormal and needs to be terminated */
ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
}
#endif
int32_t alertRet = AlertEventProcess(ctx);
if (alertRet != HITLS_SUCCESS) {
if (alertRet != HITLS_CM_LINK_CLOSED) {
+9 -8
View File
@@ -70,15 +70,16 @@ HITLS_Ctx *HITLS_New(HITLS_Config *config)
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16470, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Calloc fail", 0, 0, 0, 0);
return NULL;
}
int32_t ret = CheckConfig(config);
int32_t ret = HITLS_SUCCESS;
#ifdef HITLS_TLS_PROTO_DFX_CHECK
ret = CheckConfig(config);
if (ret != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16471, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"CheckConfig fail, ret %d", ret, 0, 0, 0);
BSL_SAL_FREE(newCtx);
return NULL;
}
#endif
ret = DumpConfig(newCtx, config);
if (ret != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16472, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
@@ -666,7 +667,7 @@ int32_t HITLS_ClearChainCerts(HITLS_Ctx *ctx)
return HITLS_CFG_ClearChainCerts(&(ctx->config.tlsConfig));
}
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
int32_t HITLS_SetClientVerifySupport(HITLS_Ctx *ctx, bool support)
{
if (ctx == NULL) {
@@ -683,7 +684,7 @@ int32_t HITLS_SetNoClientCertSupport(HITLS_Ctx *ctx, bool support)
return HITLS_CFG_SetNoClientCertSupport(&(ctx->config.tlsConfig), support);
}
#endif
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
#ifdef HITLS_TLS_FEATURE_PHA
int32_t HITLS_SetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool support)
{
@@ -694,7 +695,7 @@ int32_t HITLS_SetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool support)
return HITLS_CFG_SetPostHandshakeAuthSupport(&(ctx->config.tlsConfig), support);
}
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
int32_t HITLS_SetVerifyNoneSupport(HITLS_Ctx *ctx, bool support)
{
if (ctx == NULL) {
@@ -703,8 +704,8 @@ int32_t HITLS_SetVerifyNoneSupport(HITLS_Ctx *ctx, bool support)
return HITLS_CFG_SetVerifyNoneSupport(&(ctx->config.tlsConfig), support);
}
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#endif /* HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER */
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
int32_t HITLS_SetClientOnceVerifySupport(HITLS_Ctx *ctx, bool support)
{
if (ctx == NULL) {
+12 -4
View File
@@ -195,6 +195,7 @@ HITLS_CERT_X509 *HITLS_GetPeerCertificate(const HITLS_Ctx *ctx)
}
#endif
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
int32_t HITLS_SetQuietShutdown(HITLS_Ctx *ctx, int32_t mode)
{
if (ctx == NULL) {
@@ -222,6 +223,7 @@ int32_t HITLS_GetQuietShutdown(const HITLS_Ctx *ctx, int32_t *mode)
return HITLS_SUCCESS;
}
#endif
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
int32_t HITLS_GetRenegotiationState(const HITLS_Ctx *ctx, bool *isRenegotiationState)
{
@@ -245,6 +247,8 @@ int32_t HITLS_GetRwstate(const HITLS_Ctx *ctx, uint8_t *rwstate)
return HITLS_SUCCESS;
}
#endif
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
int32_t HITLS_SetShutdownState(HITLS_Ctx *ctx, uint32_t mode)
{
if (ctx == NULL) {
@@ -264,8 +268,9 @@ int32_t HITLS_GetShutdownState(const HITLS_Ctx *ctx, uint32_t *mode)
*mode = ctx->shutdownState;
return HITLS_SUCCESS;
}
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
int32_t HITLS_GetClientVerifySupport(HITLS_Ctx *ctx, bool *isSupport)
{
if (ctx == NULL) {
@@ -283,7 +288,7 @@ int32_t HITLS_GetNoClientCertSupport(HITLS_Ctx *ctx, bool *isSupport)
return HITLS_CFG_GetNoClientCertSupport(&(ctx->config.tlsConfig), isSupport);
}
#endif
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
#ifdef HITLS_TLS_FEATURE_PHA
int32_t HITLS_GetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool *isSupport)
@@ -295,7 +300,7 @@ int32_t HITLS_GetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool *isSupport)
return HITLS_CFG_GetPostHandshakeAuthSupport(&(ctx->config.tlsConfig), isSupport);
}
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
int32_t HITLS_GetVerifyNoneSupport(HITLS_Ctx *ctx, bool *isSupport)
{
if (ctx == NULL) {
@@ -306,7 +311,7 @@ int32_t HITLS_GetVerifyNoneSupport(HITLS_Ctx *ctx, bool *isSupport)
}
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
int32_t HITLS_GetClientOnceVerifySupport(HITLS_Ctx *ctx, bool *isSupport)
{
if (ctx == NULL) {
@@ -394,6 +399,8 @@ int32_t HITLS_SetServerName(HITLS_Ctx *ctx, uint8_t *serverName, uint32_t server
return HITLS_CFG_SetServerName(&(ctx->config.tlsConfig), serverName, serverNameStrlen);
}
#endif
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
int32_t HITLS_SetCipherServerPreference(HITLS_Ctx *ctx, bool isSupport)
{
if (ctx == NULL) {
@@ -411,6 +418,7 @@ int32_t HITLS_GetCipherServerPreference(const HITLS_Ctx *ctx, bool *isSupport)
return HITLS_CFG_GetCipherServerPreference(&(ctx->config.tlsConfig), isSupport);
}
#endif
int32_t HITLS_SetRenegotiationSupport(HITLS_Ctx *ctx, bool isSupport)
{
+21 -1
View File
@@ -105,6 +105,7 @@ static int32_t EstablishEventInRenegotiationState(HITLS_Ctx *ctx)
#endif
}
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
static int32_t CloseEventInRenegotiationState(HITLS_Ctx *ctx)
{
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
@@ -130,6 +131,7 @@ static int32_t CloseEventInRenegotiationState(HITLS_Ctx *ctx)
return HITLS_INTERNAL_EXCEPTION;
#endif
}
#endif
static int32_t EstablishEventInAlertedState(HITLS_Ctx *ctx)
{
@@ -138,6 +140,7 @@ static int32_t EstablishEventInAlertedState(HITLS_Ctx *ctx)
return HITLS_CM_LINK_FATAL_ALERTED;
}
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
static int32_t EstablishEventInClosedState(HITLS_Ctx *ctx)
{
(void)ctx;
@@ -253,6 +256,7 @@ static int32_t CloseEventInClosedState(HITLS_Ctx *ctx)
ChangeConnState(ctx, CM_STATE_CLOSED);
return HITLS_SUCCESS;
}
#endif
// Check and process the CTX status before HITLS_Connect and HITLS_Accept.
int32_t ProcessCtxState(HITLS_Ctx *ctx)
@@ -363,7 +367,9 @@ int32_t HITLS_Connect(HITLS_Ctx *ctx)
EstablishEventInRenegotiationState,
NULL, // The alerting phase has been processed in the ProcessCtxState function
EstablishEventInAlertedState,
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
EstablishEventInClosedState
#endif
};
ManageEventProcess proc = connectEventProcess[GetConnState(ctx)];
@@ -397,7 +403,9 @@ int32_t HITLS_Accept(HITLS_Ctx *ctx)
EstablishEventInRenegotiationState,
NULL,
EstablishEventInAlertedState,
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
EstablishEventInClosedState
#endif
};
ManageEventProcess proc = acceptEventProcess[GetConnState(ctx)];
@@ -460,6 +468,7 @@ int32_t HITLS_Listen(HITLS_Ctx *ctx, BSL_SAL_SockAddr clientAddr)
}
#endif /* #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_BSL_UIO_ADDR) */
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
int32_t HITLS_Close(HITLS_Ctx *ctx)
{
if (ctx == NULL) {
@@ -503,6 +512,13 @@ int32_t HITLS_Close(HITLS_Ctx *ctx)
return HITLS_SUCCESS;
}
#else /* HITLS_TLS_PROTO_CLOSE_STATE */
int32_t HITLS_Close(HITLS_Ctx *ctx)
{
ALERT_Send(ctx, ALERT_LEVEL_WARNING, ALERT_CLOSE_NOTIFY);
return ALERT_Flush(ctx);
}
#endif /* HITLS_TLS_PROTO_CLOSE_STATE */
int32_t HITLS_GetError(const HITLS_Ctx *ctx, int32_t ret)
{
@@ -629,7 +645,11 @@ int32_t HITLS_GetHandShakeState(const HITLS_Ctx *ctx, uint32_t *state)
}
}
if (ctx->state == CM_STATE_ALERTED || ctx->state == CM_STATE_CLOSED) {
if (ctx->state == CM_STATE_ALERTED
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|| ctx->state == CM_STATE_CLOSED
#endif
) {
if (ctx->preState == CM_STATE_IDLE && ctx->hsCtx == NULL) {
hsState = TLS_IDLE;
} else if (ctx->hsCtx != NULL) {
+4
View File
@@ -35,7 +35,9 @@ int32_t ConnUnexpectedMsg(HITLS_Ctx *ctx, uint32_t msgType, const uint8_t *data,
BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT);
return HITLS_NULL_INPUT;
}
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
ALERT_ClearWarnCount(ctx, msgType);
#endif
int32_t ret = HITLS_REC_NORMAL_RECV_UNEXPECT_MSG;
#ifdef HITLS_TLS_PROTO_TLS13
if (isPlain) { // tls13
@@ -85,7 +87,9 @@ int32_t CONN_Init(TLS_Ctx *ctx)
ctx->method.sendCCS = CCS_Send;
ctx->method.ctrlCCS = CCS_Ctrl;
ctx->method.sendAlert = ALERT_Send;
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
ctx->method.clearAlert = ALERT_ClearWarnCount;
#endif
ctx->method.getAlertFlag = ALERT_GetFlag;
ctx->method.unexpectedMsgProcessCb = ConnUnexpectedMsg;
#ifdef HITLS_TLS_FEATURE_KEY_UPDATE
+28 -20
View File
@@ -74,6 +74,7 @@ int32_t RecvUnexpectMsgInTransportingStateProcess(HITLS_Ctx *ctx)
}
static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type)
{
#ifdef HITLS_TLS_PROTO_TLS13
/* If the version is TLS1.3, ignore the message */
if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16514, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
@@ -81,10 +82,9 @@ static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type)
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
return HITLS_MSG_HANDLE_UNEXPECTED_MESSAGE;
}
#endif
/* If the message is not a renegotiation request, ignore the message */
if ((ctx->isClient && (type == CLIENT_HELLO)) ||
(!ctx->isClient && (type == HELLO_REQUEST))) {
if ((ctx->isClient && (type == CLIENT_HELLO)) || (!ctx->isClient && (type == HELLO_REQUEST))) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16515, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"ignore the message", 0, 0, 0, 0);
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
@@ -111,7 +111,7 @@ static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type)
return HITLS_SUCCESS;
}
}
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
REC_RetransmitListClean(ctx->recCtx); /* dtls over udp scenario, the retransmission queue needs to be cleared */
#endif
@@ -129,9 +129,11 @@ static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type)
} else {
(void)HS_ChangeState(ctx, TRY_RECV_HELLO_REQUEST);
}
#endif /* HITLS_TLS_FEATURE_RENEGOTIATION */
return HITLS_SUCCESS;
}
#ifdef HITLS_TLS_PROTO_TLS13
static int32_t RecvKeyUpdatePreprocess(TLS_Ctx *ctx)
{
if (ctx->negotiatedInfo.version != HITLS_VERSION_TLS13) {
@@ -194,6 +196,7 @@ static int32_t RecvNSTPreprocess(TLS_Ctx *ctx)
ChangeConnState(ctx, CM_STATE_HANDSHAKING);
return HS_ChangeState(ctx, TRY_RECV_NEW_SESSION_TICKET);
}
#endif /* HITLS_TLS_PROTO_TLS13 */
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
static int32_t RecvPostFinishPreprocess(TLS_Ctx *ctx)
@@ -255,32 +258,27 @@ static int32_t PreprocessUnexpectHsMsg(HITLS_Ctx *ctx)
switch (hsCtx->msgBuf[0]) {
case HELLO_REQUEST:
case CLIENT_HELLO:
ret = RecvRenegoReqPreprocess(ctx, hsCtx->msgBuf[0]);
break;
return RecvRenegoReqPreprocess(ctx, hsCtx->msgBuf[0]);
#ifdef HITLS_TLS_PROTO_TLS13
case KEY_UPDATE:
ret = RecvKeyUpdatePreprocess(ctx);
break;
return RecvKeyUpdatePreprocess(ctx);
case CERTIFICATE_REQUEST:
ret = RecvCertReqPreprocess(ctx);
break;
return RecvCertReqPreprocess(ctx);
case CERTIFICATE:
ret = RecvCertPreprocess(ctx);
break;
return RecvCertPreprocess(ctx);
case NEW_SESSION_TICKET:
ret = RecvNSTPreprocess(ctx);
break;
return RecvNSTPreprocess(ctx);
#endif
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
case FINISHED:
ret = RecvPostFinishPreprocess(ctx);
break;
return RecvPostFinishPreprocess(ctx);
#endif
default:
BSL_LOG_BINLOG_VARLEN(BINLOG_ID16529, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"Unexpected %s handshake state message.", HS_GetMsgTypeStr(hsCtx->msgBuf[0]));
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
ret = HITLS_MSG_HANDLE_UNEXPECTED_MESSAGE;
return HITLS_MSG_HANDLE_UNEXPECTED_MESSAGE;
}
return ret;
}
static void ConsumeHandshakeMessage(HITLS_Ctx *ctx)
@@ -348,11 +346,12 @@ static int32_t ReadEventInTransportingState(HITLS_Ctx *ctx, uint8_t *data, uint3
InnerRenegotiationProcess(ctx);
}
#endif
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) {
/* If multiple consecutive alerts exist, the link is abnormal and needs to be disconnected */
ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
}
#endif
unexpectMsgRet = AlertEventProcess(ctx);
if (unexpectMsgRet != HITLS_SUCCESS) {
/* If the alert fails to be sent, a response is returned to the user for processing */
@@ -360,7 +359,11 @@ static int32_t ReadEventInTransportingState(HITLS_Ctx *ctx, uint8_t *data, uint3
}
/* If fatal alert or close_notify has been processed, the link must be disconnected */
if (ctx->state == CM_STATE_ALERTED || ctx->state == CM_STATE_CLOSED) {
if (ctx->state == CM_STATE_ALERTED
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
|| ctx->state == CM_STATE_CLOSED
#endif
) {
return ret;
}
}
@@ -432,6 +435,7 @@ static int32_t ReadEventInAlertedState(HITLS_Ctx *ctx, uint8_t *data, uint32_t b
return HITLS_CM_LINK_FATAL_ALERTED;
}
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
static int32_t ReadEventInClosedState(HITLS_Ctx *ctx, uint8_t *data, uint32_t bufSize, uint32_t *readLen)
{
// Non-closed state
@@ -459,6 +463,8 @@ static int32_t ReadEventInClosedState(HITLS_Ctx *ctx, uint8_t *data, uint32_t bu
// Directly return to link closed.
return HITLS_CM_LINK_CLOSED;
}
#endif
static int32_t ReadProcess(HITLS_Ctx *ctx, uint8_t *data, uint32_t bufSize, uint32_t *readLen)
{
ReadEventProcess readEventProcess[CM_STATE_END] = {
@@ -468,7 +474,9 @@ static int32_t ReadProcess(HITLS_Ctx *ctx, uint8_t *data, uint32_t bufSize, uint
ReadEventInRenegotiationState,
NULL,
ReadEventInAlertedState,
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
ReadEventInClosedState
#endif
};
if ((GetConnState(ctx) >= CM_STATE_END) || (GetConnState(ctx) == CM_STATE_ALERTING)) {
+7 -2
View File
@@ -68,12 +68,12 @@ static int32_t WriteEventInTransportingState(HITLS_Ctx *ctx, const uint8_t *data
/* Failed to send a message but no alert is displayed */
break;
}
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) {
/* If multiple consecutive alerts exist, the link is abnormal and needs to be disconnected */
ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
}
#endif
alertRet = AlertEventProcess(ctx);
if (alertRet != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16546, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
@@ -149,6 +149,7 @@ static int32_t WriteEventInAlertedState(HITLS_Ctx *ctx, const uint8_t *data, uin
return HITLS_CM_LINK_FATAL_ALERTED;
}
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
static int32_t WriteEventInClosedState(HITLS_Ctx *ctx, const uint8_t *data, uint32_t dataLen, uint32_t *writeLen)
{
if ((ctx->shutdownState & HITLS_SENT_SHUTDOWN) == 0) {
@@ -171,6 +172,8 @@ static int32_t WriteEventInClosedState(HITLS_Ctx *ctx, const uint8_t *data, uint
// Directly return a message indicating that the link status is abnormal.
return HITLS_CM_LINK_CLOSED;
}
#endif
#ifdef HITLS_TLS_FEATURE_PHA
int32_t CommonCheckPostHandshakeAuth(TLS_Ctx *ctx)
{
@@ -220,7 +223,9 @@ int32_t HITLS_Write(HITLS_Ctx *ctx, const uint8_t *data, uint32_t dataLen, uint3
WriteEventInRenegotiationState,
NULL,
WriteEventInAlertedState,
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
WriteEventInClosedState
#endif
};
if ((GetConnState(ctx) >= CM_STATE_END) || (GetConnState(ctx) == CM_STATE_ALERTING)) {
+110
View File
@@ -1533,60 +1533,169 @@ static const CipherSuiteInfo g_cipherSuiteList[] = {
};
const CipherSuiteCertType g_cipherSuiteAndCertTypes[] = {
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA
{ HITLS_RSA_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA
{ HITLS_RSA_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA256
{ HITLS_RSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA256
{ HITLS_RSA_WITH_AES_256_CBC_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_GCM_SHA256
{ HITLS_RSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_GCM_SHA384
{ HITLS_RSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA
{ HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA
{ HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA256
{ HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA384
{ HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256
{ HITLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384
{ HITLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
{ HITLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA
{ HITLS_DHE_RSA_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA
{ HITLS_DHE_RSA_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA256
{ HITLS_DHE_RSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA256
{ HITLS_DHE_RSA_WITH_AES_256_CBC_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_GCM_SHA256
{ HITLS_DHE_RSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_GCM_SHA384
{ HITLS_DHE_RSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CCM
{ HITLS_DHE_RSA_WITH_AES_128_CCM, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CCM
{ HITLS_DHE_RSA_WITH_AES_256_CCM, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CCM
{ HITLS_RSA_WITH_AES_128_CCM, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CCM_8
{ HITLS_RSA_WITH_AES_128_CCM_8, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CCM
{ HITLS_RSA_WITH_AES_256_CCM, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CCM_8
{ HITLS_RSA_WITH_AES_256_CCM_8, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
{ HITLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA
{ HITLS_RSA_PSK_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA
{ HITLS_RSA_PSK_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_GCM_SHA256
{ HITLS_RSA_PSK_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_GCM_SHA384
{ HITLS_RSA_PSK_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA256
{ HITLS_RSA_PSK_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA384
{ HITLS_RSA_PSK_WITH_AES_256_CBC_SHA384, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
{ HITLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_RSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
{ HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
{ HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
{ HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
{ HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
{ HITLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
{ HITLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
{ HITLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CCM
{ HITLS_ECDHE_ECDSA_WITH_AES_128_CCM, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CCM
{ HITLS_ECDHE_ECDSA_WITH_AES_256_CCM, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA
{ HITLS_DHE_DSS_WITH_AES_128_CBC_SHA, CERT_TYPE_DSS_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA
{ HITLS_DHE_DSS_WITH_AES_256_CBC_SHA, CERT_TYPE_DSS_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA256
{ HITLS_DHE_DSS_WITH_AES_128_CBC_SHA256, CERT_TYPE_DSS_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA256
{ HITLS_DHE_DSS_WITH_AES_256_CBC_SHA256, CERT_TYPE_DSS_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_GCM_SHA256
{ HITLS_DHE_DSS_WITH_AES_128_GCM_SHA256, CERT_TYPE_DSS_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_GCM_SHA384
{ HITLS_DHE_DSS_WITH_AES_256_GCM_SHA384, CERT_TYPE_DSS_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3
{ HITLS_ECDHE_SM4_CBC_SM3, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECC_SM4_CBC_SM3
{ HITLS_ECC_SM4_CBC_SM3, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3
{ HITLS_ECDHE_SM4_GCM_SM3, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_ECC_SM4_GCM_SM3
{ HITLS_ECC_SM4_GCM_SM3, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_SM4_GCM_SM3
{ HITLS_SM4_GCM_SM3, CERT_TYPE_ECDSA_SIGN },
#endif
#ifdef HITLS_TLS_SUITE_SM4_CCM_SM3
{ HITLS_SM4_CCM_SM3, CERT_TYPE_ECDSA_SIGN },
#endif
{ 0, CERT_TYPE_UNKNOWN },
};
/**
@@ -1776,6 +1885,7 @@ uint8_t CFG_GetCertTypeByCipherSuite(uint16_t cipherSuite)
return CERT_TYPE_UNKNOWN;
}
#ifdef HITLS_TLS_CONFIG_CIPHER_SUITE
/* Convert the supported version number to the corresponding character string */
static const uint8_t* ProtocolToString(uint16_t version)
+18 -10
View File
@@ -70,7 +70,7 @@ void CFG_CleanConfig(HITLS_Config *config)
BSL_SAL_FREE(config->pointFormats);
BSL_SAL_FREE(config->groups);
BSL_SAL_FREE(config->signAlgorithms);
#ifdef HITLS_TLS_FEATURE_PROVIDER
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
#ifndef HITLS_TLS_CAP_NO_STR
for (uint32_t i = 0; i < config->groupInfolen; i++) {
BSL_SAL_FREE(config->groupInfo[i].name);
@@ -87,7 +87,7 @@ void CFG_CleanConfig(HITLS_Config *config)
BSL_SAL_FREE(config->sigSchemeInfo);
config->sigSchemeInfoSize = 0;
config->sigSchemeInfolen = 0;
#endif
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
#if defined(HITLS_TLS_PROTO_TLS12) && defined(HITLS_TLS_FEATURE_PSK)
BSL_SAL_FREE(config->pskIdentityHint);
@@ -135,8 +135,12 @@ static void ShallowCopy(HITLS_Ctx *ctx, const HITLS_Config *srcConfig)
destConfig->attrName = ATTRIBUTE_FROM_CONFIG(srcConfig);
destConfig->minVersion = srcConfig->minVersion;
destConfig->maxVersion = srcConfig->maxVersion;
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
destConfig->isQuietShutdown = srcConfig->isQuietShutdown;
#endif
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
destConfig->isSupportServerPreference = srcConfig->isSupportServerPreference;
#endif
destConfig->maxCertList = srcConfig->maxCertList;
destConfig->isSupportExtendedMasterSecret = srcConfig->isSupportExtendedMasterSecret;
destConfig->emptyRecordsNum = srcConfig->emptyRecordsNum;
@@ -182,17 +186,17 @@ static void ShallowCopy(HITLS_Ctx *ctx, const HITLS_Config *srcConfig)
#if defined(HITLS_TLS_FEATURE_RENEGOTIATION) && defined(HITLS_TLS_FEATURE_SESSION)
destConfig->isResumptionOnRenego = srcConfig->isResumptionOnRenego;
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
destConfig->isSupportVerifyNone = srcConfig->isSupportVerifyNone;
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
destConfig->isSupportClientVerify = srcConfig->isSupportClientVerify;
destConfig->isSupportNoClientCert = srcConfig->isSupportNoClientCert;
destConfig->isSupportVerifyNone = srcConfig->isSupportVerifyNone;
destConfig->isSupportClientOnceVerify = srcConfig->isSupportClientOnceVerify;
#endif
#ifdef HITLS_TLS_FEATURE_SESSION_TICKET
destConfig->isSupportSessionTicket = srcConfig->isSupportSessionTicket;
#endif
#if defined(HITLS_TLS_FEATURE_RENEGOTIATION) && defined(HITLS_TLS_FEATURE_CERT_MODE)
destConfig->isSupportClientOnceVerify = srcConfig->isSupportClientOnceVerify;
#endif
#ifdef HITLS_TLS_FEATURE_PHA
destConfig->isSupportPostHandshakeAuth = srcConfig->isSupportPostHandshakeAuth;
#endif
@@ -273,7 +277,7 @@ static int32_t GroupCfgDeepCopy(HITLS_Config *destConfig, const HITLS_Config *sr
}
destConfig->groupsSize = srcConfig->groupsSize;
}
#ifdef HITLS_TLS_FEATURE_PROVIDER
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
if (srcConfig->groupInfo != NULL) {
#ifndef HITLS_TLS_CAP_NO_STR
for (uint32_t i = 0; i < destConfig->groupInfolen; i++) {
@@ -300,7 +304,7 @@ static int32_t GroupCfgDeepCopy(HITLS_Config *destConfig, const HITLS_Config *sr
#endif
}
}
#endif
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
return HITLS_SUCCESS;
}
@@ -329,7 +333,7 @@ static int32_t SignAlgorithmsCfgDeepCopy(HITLS_Config *destConfig, const HITLS_C
}
destConfig->signAlgorithmsSize = srcConfig->signAlgorithmsSize;
}
#ifdef HITLS_TLS_FEATURE_PROVIDER
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
if (srcConfig->sigSchemeInfo != NULL) {
for (uint32_t i = 0; i < destConfig->sigSchemeInfolen; i++) {
BSL_SAL_FREE(destConfig->sigSchemeInfo[i].name);
@@ -1401,6 +1405,7 @@ int32_t HITLS_SetVersionForbid(HITLS_Ctx *ctx, uint32_t noVersion)
}
#endif
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
int32_t HITLS_CFG_SetQuietShutdown(HITLS_Config *config, int32_t mode)
{
if (config == NULL) {
@@ -1432,6 +1437,7 @@ int32_t HITLS_CFG_GetQuietShutdown(const HITLS_Config *config, int32_t *mode)
*mode = (int32_t)config->isQuietShutdown;
return HITLS_SUCCESS;
}
#endif
int32_t HITLS_CFG_SetEncryptThenMac(HITLS_Config *config, bool encryptThenMacType)
{
@@ -1465,6 +1471,7 @@ int32_t HITLS_CFG_GetEncryptThenMac(const HITLS_Config *config, bool *encryptThe
#endif
}
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
int32_t HITLS_CFG_SetCipherServerPreference(HITLS_Config *config, bool isSupport)
{
if (config == NULL) {
@@ -1484,6 +1491,7 @@ int32_t HITLS_CFG_GetCipherServerPreference(const HITLS_Config *config, bool *is
*isSupport = config->isSupportServerPreference;
return HITLS_SUCCESS;
}
#endif
#ifdef HITLS_TLS_MAINTAIN_KEYLOG
int32_t HITLS_CFG_SetKeyLogCb(HITLS_Config *config, HITLS_KeyLogCb callback)
+4 -2
View File
@@ -714,7 +714,7 @@ int32_t HITLS_CFG_SetCertCb(HITLS_Config *config, HITLS_CertCb certCb, void *arg
}
#endif /* HITLS_TLS_FEATURE_CERT_CB */
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
int32_t HITLS_CFG_SetVerifyNoneSupport(HITLS_Config *config, bool support)
{
if (config == NULL) {
@@ -734,7 +734,9 @@ int32_t HITLS_CFG_GetVerifyNoneSupport(HITLS_Config *config, bool *isSupport)
*isSupport = config->isSupportVerifyNone;
return HITLS_SUCCESS;
}
#endif /* HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER */
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
int32_t HITLS_CFG_GetClientVerifySupport(HITLS_Config *config, bool *isSupport)
{
if (config == NULL || isSupport == NULL) {
@@ -773,7 +775,7 @@ int32_t HITLS_CFG_SetNoClientCertSupport(HITLS_Config *config, bool support)
config->isSupportNoClientCert = support;
return HITLS_SUCCESS;
}
#endif
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES
static void HitlsTrustedCANodeFree(void *caNode)
+5 -1
View File
@@ -44,7 +44,8 @@ static bool CFG_IsValidVersion(uint16_t version)
}
#endif /* HITLS_TLS_CONFIG_VERSION */
static bool HaveMatchSignAlg(const TLS_Config *config, HITLS_AuthAlgo authAlg, const uint16_t *signatureAlgorithms,
#ifdef HITLS_TLS_PROTO_DFX_CHECK
static bool HaveMatchSignAlg(const TLS_Config *config, HITLS_AuthAlgo authAlg, const uint16_t *signatureAlgorithms,
uint32_t signatureAlgorithmsSize)
{
HITLS_SignAlgo signAlg = HITLS_SIGN_BUTT;
@@ -193,6 +194,7 @@ static int32_t CheckGroup(const TLS_Config *config)
return HITLS_SUCCESS;
}
#endif /* HITLS_TLS_PROTO_DFX_CHECK */
#ifdef HITLS_TLS_CONFIG_VERSION
int32_t CheckVersion(uint16_t minVersion, uint16_t maxVersion)
@@ -232,6 +234,7 @@ int32_t CheckVersion(uint16_t minVersion, uint16_t maxVersion)
}
#endif /* HITLS_TLS_CONFIG_VERSION */
#ifdef HITLS_TLS_PROTO_DFX_CHECK
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
static int32_t CheckCallbackFunc(const TLS_Config *config)
{
@@ -293,3 +296,4 @@ int32_t CheckConfig(const TLS_Config *config)
#endif
return ret;
}
#endif /* HITLS_TLS_PROTO_DFX_CHECK */
+145 -6
View File
@@ -43,75 +43,213 @@ uint16_t g_tlcpCipherSuites[] = {
#endif
uint16_t g_tls12CipherSuites[] = {
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
HITLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384
HITLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_GCM_SHA384
HITLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_GCM_SHA384
HITLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
HITLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
HITLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
HITLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
HITLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256
HITLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_GCM_SHA256
HITLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_GCM_SHA256
HITLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CCM
HITLS_ECDHE_ECDSA_WITH_AES_128_CCM,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CCM
HITLS_ECDHE_ECDSA_WITH_AES_256_CCM,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA384
HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CCM
HITLS_DHE_RSA_WITH_AES_128_CCM,
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CCM
HITLS_DHE_RSA_WITH_AES_256_CCM,
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA256
HITLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA256
HITLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA256
HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA256
HITLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA256
HITLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA
HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA
HITLS_DHE_RSA_WITH_AES_256_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA
HITLS_DHE_DSS_WITH_AES_256_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA
HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA
HITLS_DHE_RSA_WITH_AES_128_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_256_GCM_SHA384
HITLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_GCM_SHA384
HITLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_GCM_SHA384
HITLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
HITLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
HITLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
HITLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA
HITLS_DHE_DSS_WITH_AES_128_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_GCM_SHA384
HITLS_RSA_WITH_AES_256_GCM_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_GCM_SHA384
HITLS_PSK_WITH_AES_256_GCM_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_PSK_WITH_CHACHA20_POLY1305_SHA256
HITLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_GCM_SHA256
HITLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_GCM_SHA256
HITLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_GCM_SHA256
HITLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_GCM_SHA256
HITLS_RSA_WITH_AES_128_GCM_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_128_GCM_SHA256
HITLS_PSK_WITH_AES_128_GCM_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_CCM
HITLS_PSK_WITH_AES_256_CCM,
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA256
HITLS_RSA_WITH_AES_256_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA256
HITLS_RSA_WITH_AES_128_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_CCM_SHA256
HITLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_256_CBC_SHA384
HITLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_256_CBC_SHA
HITLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA384
HITLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_CCM
HITLS_DHE_PSK_WITH_AES_128_CCM,
#endif
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_CCM
HITLS_DHE_PSK_WITH_AES_256_CCM,
#endif
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_CBC_SHA384
HITLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA
HITLS_RSA_PSK_WITH_AES_256_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_CBC_SHA
HITLS_DHE_PSK_WITH_AES_256_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA
HITLS_RSA_WITH_AES_256_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_CBC_SHA384
HITLS_PSK_WITH_AES_256_CBC_SHA384,
#endif
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_CBC_SHA
HITLS_PSK_WITH_AES_256_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_CBC_SHA256
HITLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_CBC_SHA
HITLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA256
HITLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_CBC_SHA256
HITLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA
HITLS_RSA_PSK_WITH_AES_128_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_CBC_SHA
HITLS_DHE_PSK_WITH_AES_128_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA
HITLS_RSA_WITH_AES_128_CBC_SHA,
#endif
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_128_CBC_SHA256
HITLS_PSK_WITH_AES_128_CBC_SHA256,
#endif
#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_128_CBC_SHA
HITLS_PSK_WITH_AES_128_CBC_SHA,
#endif
};
int32_t SetDefaultCipherSuite(HITLS_Config *config, const uint16_t *cipherSuites, uint32_t cipherSuiteSize)
@@ -212,19 +350,20 @@ static void InitConfig(HITLS_Config *config)
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
config->isSupportDtlsCookieExchange = false;
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE
/** Set the certificate verification mode */
#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER
config->isSupportVerifyNone = false;
#endif
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
config->isSupportClientVerify = false;
config->isSupportNoClientCert = true;
config->isSupportVerifyNone = false;
config->isSupportClientOnceVerify = false;
#endif
#ifdef HITLS_TLS_FEATURE_PHA
config->isSupportPostHandshakeAuth = false;
#endif
#if defined(HITLS_TLS_FEATURE_RENEGOTIATION) && defined(HITLS_TLS_FEATURE_CERT_MODE)
config->isSupportClientOnceVerify = false;
#endif
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
config->isQuietShutdown = false;
#endif
config->maxCertList = HITLS_MAX_CERT_LIST_DEFAULT;
config->isKeepPeerCert = true;
#ifdef HITLS_TLS_FEATURE_SESSION_TICKET
+2 -2
View File
@@ -472,7 +472,7 @@ int32_t HITLS_CFG_SetSessionRemoveCb(HITLS_Config *config, const HITLS_SessionRe
}
#endif /* HITLS_TLS_FEATURE_SESSION_CACHE_CB */
#ifdef HITLS_TLS_FEATURE_CERT_MODE
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
int32_t HITLS_CFG_SetClientOnceVerifySupport(HITLS_Config *config, bool support)
{
if (config == NULL) {
@@ -491,7 +491,7 @@ int32_t HITLS_CFG_GetClientOnceVerifySupport(HITLS_Config *config, bool *isSuppo
*isSupport = config->isSupportClientOnceVerify;
return HITLS_SUCCESS;
}
#endif /* HITLS_TLS_FEATURE_CERT_MODE */
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
#ifdef HITLS_TLS_FEATURE_FLIGHT
int32_t HITLS_CFG_SetFlightTransmitSwitch(HITLS_Config *config, bool isEnable)
+20 -5
View File
@@ -21,7 +21,7 @@
#include "hitls_error.h"
#include "crypt_algid.h"
#include "config.h"
#ifdef HITLS_TLS_FEATURE_PROVIDER
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
#include "securec.h"
#include "crypt_eal_provider.h"
#include "crypt_params_key.h"
@@ -45,12 +45,13 @@ static const uint16_t DEFAULT_GROUP_ID[] = {
HITLS_FF_DHE_8192,
};
#ifndef HITLS_TLS_FEATURE_PROVIDER
#ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
#ifndef HITLS_TLS_CAP_NO_STR
#define CONST_CAST(str) ((char *)(uintptr_t)(str))
#else
#define CONST_CAST(str) NULL
#endif
#endif /* HITLS_TLS_CAP_NO_STR */
static const TLS_GroupInfo GROUP_INFO[] = {
{
CONST_CAST("x25519"),
@@ -96,6 +97,7 @@ static const TLS_GroupInfo GROUP_INFO[] = {
},
#endif /* HITLS_TLS_PROTO_TLS13 */
#endif /* HITLS_TLS_FEATURE_KEM */
#ifdef HITLS_CRYPTO_CURVE_NISTP256
{
CONST_CAST("secp256r1"),
CRYPT_ECC_NISTP256, // CRYPT_ECC_NISTP256
@@ -106,6 +108,8 @@ static const TLS_GroupInfo GROUP_INFO[] = {
TLS_VERSION_MASK | DTLS_VERSION_MASK, // versionBits
false,
},
#endif /* HITLS_CRYPTO_CURVE_NISTP256 */
#ifdef HITLS_CRYPTO_CURVE_NISTP384
{
CONST_CAST("secp384r1"),
CRYPT_ECC_NISTP384, // CRYPT_ECC_NISTP384
@@ -116,6 +120,8 @@ static const TLS_GroupInfo GROUP_INFO[] = {
TLS_VERSION_MASK | DTLS_VERSION_MASK, // versionBits
false,
},
#endif /* HITLS_CRYPTO_CURVE_NISTP384 */
#ifdef HITLS_CRYPTO_CURVE_NISTP521
{
CONST_CAST("secp521r1"),
CRYPT_ECC_NISTP521, // CRYPT_ECC_NISTP521
@@ -126,6 +132,8 @@ static const TLS_GroupInfo GROUP_INFO[] = {
TLS_VERSION_MASK | DTLS_VERSION_MASK, // versionBits
false,
},
#endif /* HITLS_CRYPTO_CURVE_NISTP521 */
#ifdef HITLS_CRYPTO_CURVE_BP256R1
{
CONST_CAST("brainpoolP256r1"),
CRYPT_ECC_BRAINPOOLP256R1, // CRYPT_ECC_BRAINPOOLP256R1
@@ -136,6 +144,8 @@ static const TLS_GroupInfo GROUP_INFO[] = {
TLS10_VERSION_BIT | TLS11_VERSION_BIT | TLS12_VERSION_BIT | DTLS_VERSION_MASK, // versionBits
false,
},
#endif /* HITLS_CRYPTO_CURVE_BP256R1 */
#ifdef HITLS_CRYPTO_CURVE_BP384R1
{
CONST_CAST("brainpoolP384r1"),
CRYPT_ECC_BRAINPOOLP384R1, // CRYPT_ECC_BRAINPOOLP384R1
@@ -146,6 +156,8 @@ static const TLS_GroupInfo GROUP_INFO[] = {
TLS10_VERSION_BIT | TLS11_VERSION_BIT | TLS12_VERSION_BIT | DTLS_VERSION_MASK, // versionBits
false,
},
#endif /* HITLS_CRYPTO_CURVE_BP384R1 */
#ifdef HITLS_CRYPTO_CURVE_BP512R1
{
CONST_CAST("brainpoolP512r1"),
CRYPT_ECC_BRAINPOOLP512R1, // CRYPT_ECC_BRAINPOOLP512R1
@@ -156,6 +168,7 @@ static const TLS_GroupInfo GROUP_INFO[] = {
TLS10_VERSION_BIT | TLS11_VERSION_BIT | TLS12_VERSION_BIT | DTLS_VERSION_MASK, // versionBits
false,
},
#endif /* HITLS_CRYPTO_CURVE_BP512R1 */
#ifdef HITLS_TLS_FEATURE_SM_TLS13
{
"curveSm2",
@@ -180,6 +193,7 @@ static const TLS_GroupInfo GROUP_INFO[] = {
false,
},
#endif
#ifdef HITLS_CRYPTO_DH
{
CONST_CAST("ffdhe8192"),
CRYPT_DH_RFC7919_8192, // CRYPT_DH_8192
@@ -230,6 +244,7 @@ static const TLS_GroupInfo GROUP_INFO[] = {
TLS13_VERSION_BIT, // versionBits
false,
}
#endif /* HITLS_CRYPTO_DH */
};
int32_t ConfigLoadGroupInfo(HITLS_Config *config)
@@ -260,7 +275,7 @@ const TLS_GroupInfo *ConfigGetGroupInfoList(const HITLS_Config *config, uint32_t
*size = sizeof(GROUP_INFO) / sizeof(GROUP_INFO[0]);
return &GROUP_INFO[0];
}
#else
#else /* #ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
static int32_t ProviderAddGroupInfo(const BSL_Param *params, void *args)
{
@@ -360,4 +375,4 @@ const TLS_GroupInfo *ConfigGetGroupInfoList(const HITLS_Config *config, uint32_t
*size = config->groupInfolen;
return config->groupInfo;
}
#endif
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
+57 -45
View File
@@ -23,7 +23,7 @@
#include "cipher_suite.h"
#include "config.h"
#ifdef HITLS_TLS_FEATURE_PROVIDER
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
#include "securec.h"
#include "crypt_eal_provider.h"
#include "crypt_params_key.h"
@@ -85,81 +85,84 @@ static int32_t UpdateSignAlgorithmsArray(TLS_Config *config)
return HITLS_SUCCESS;
}
#ifndef HITLS_TLS_FEATURE_PROVIDER
#ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
#ifndef HITLS_TLS_CAP_NO_STR
#define CONST_CAST(str) ((char *)(uintptr_t)(str))
#else
#define CONST_CAST(str) NULL
#endif
#endif /* HITLS_TLS_CAP_NO_STR */
static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
#ifdef HITLS_CRYPTO_CURVE_NISTP521
{
CONST_CAST("ecdsa_secp521r1_sha512"),
CERT_SIG_SCHEME_ECDSA_SECP521R1_SHA512,
TLS_CERT_KEY_TYPE_ECDSA,
CRYPT_ECC_NISTP521,
BSL_CID_ECDSAWITHSHA512,
HITLS_SIGN_ECDSA,
HITLS_HASH_SHA_512,
HITLS_SIGN_ECDSA, HITLS_HASH_SHA_512,
256,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
},
#endif /* HITLS_CRYPTO_CURVE_NISTP521 */
#ifdef HITLS_CRYPTO_CURVE_NISTP384
{
CONST_CAST("ecdsa_secp384r1_sha384"),
CERT_SIG_SCHEME_ECDSA_SECP384R1_SHA384,
TLS_CERT_KEY_TYPE_ECDSA,
CRYPT_ECC_NISTP384,
BSL_CID_ECDSAWITHSHA384,
HITLS_SIGN_ECDSA,
HITLS_HASH_SHA_384,
HITLS_SIGN_ECDSA, HITLS_HASH_SHA_384,
192,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
},
#endif /* HITLS_CRYPTO_CURVE_NISTP384 */
{
CONST_CAST("ed25519"),
CERT_SIG_SCHEME_ED25519,
TLS_CERT_KEY_TYPE_ED25519,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_ED25519,
HITLS_SIGN_ED25519,
HITLS_HASH_SHA_512,
HITLS_SIGN_ED25519, HITLS_HASH_SHA_512,
128,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
},
#ifdef HITLS_CRYPTO_CURVE_NISTP256
{
CONST_CAST("ecdsa_secp256r1_sha256"),
CERT_SIG_SCHEME_ECDSA_SECP256R1_SHA256,
TLS_CERT_KEY_TYPE_ECDSA,
CRYPT_ECC_NISTP256,
BSL_CID_ECDSAWITHSHA256,
HITLS_SIGN_ECDSA,
HITLS_HASH_SHA_256,
HITLS_SIGN_ECDSA, HITLS_HASH_SHA_256,
128,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
},
#endif /* HITLS_CRYPTO_CURVE_NISTP256 */
#ifdef HITLS_CRYPTO_SM2
{
CONST_CAST("sm2_sm3"),
CERT_SIG_SCHEME_SM2_SM3,
TLS_CERT_KEY_TYPE_SM2,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_SM2DSAWITHSM3,
HITLS_SIGN_SM2,
HITLS_HASH_SM3,
HITLS_SIGN_SM2, HITLS_HASH_SM3,
128,
TLCP11_VERSION_BIT | DTLCP11_VERSION_BIT | TLS13_VERSION_BIT,
TLCP11_VERSION_BIT | DTLCP11_VERSION_BIT | TLS13_VERSION_BIT,
},
#endif /* HITLS_CRYPTO_SM2 */
#ifdef HITLS_CRYPTO_RSA
{
CONST_CAST("rsa_pss_pss_sha512"),
CERT_SIG_SCHEME_RSA_PSS_PSS_SHA512,
TLS_CERT_KEY_TYPE_RSA_PSS,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_RSASSAPSS,
HITLS_SIGN_RSA_PSS,
HITLS_HASH_SHA_512,
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_512,
256,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
@@ -170,8 +173,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
TLS_CERT_KEY_TYPE_RSA_PSS,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_RSASSAPSS,
HITLS_SIGN_RSA_PSS,
HITLS_HASH_SHA_384,
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_384,
192,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
@@ -182,8 +184,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
TLS_CERT_KEY_TYPE_RSA_PSS,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_RSASSAPSS,
HITLS_SIGN_RSA_PSS,
HITLS_HASH_SHA_256,
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_256,
128,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
@@ -194,8 +195,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
TLS_CERT_KEY_TYPE_RSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_RSASSAPSS,
HITLS_SIGN_RSA_PSS,
HITLS_HASH_SHA_512,
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_512,
256,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
@@ -206,8 +206,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
TLS_CERT_KEY_TYPE_RSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_RSASSAPSS,
HITLS_SIGN_RSA_PSS,
HITLS_HASH_SHA_384,
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_384,
192,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
@@ -218,8 +217,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
TLS_CERT_KEY_TYPE_RSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_RSASSAPSS,
HITLS_SIGN_RSA_PSS,
HITLS_HASH_SHA_256,
HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_256,
128,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
@@ -230,108 +228,117 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
TLS_CERT_KEY_TYPE_RSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_SHA512WITHRSAENCRYPTION,
HITLS_SIGN_RSA_PKCS1_V15,
HITLS_HASH_SHA_512,
HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_512,
256,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
},
#endif /* HITLS_CRYPTO_RSA */
#ifdef HITLS_CRYPTO_DSA
{
CONST_CAST("dsa_sha512"),
CERT_SIG_SCHEME_DSA_SHA512,
TLS_CERT_KEY_TYPE_DSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_DSAWITHSHA512,
HITLS_SIGN_DSA,
HITLS_HASH_SHA_512,
HITLS_SIGN_DSA, HITLS_HASH_SHA_512,
256,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
},
#endif /* HITLS_CRYPTO_DSA */
#ifdef HITLS_CRYPTO_RSA
{
CONST_CAST("rsa_pkcs1_sha384"),
CERT_SIG_SCHEME_RSA_PKCS1_SHA384,
TLS_CERT_KEY_TYPE_RSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_SHA384WITHRSAENCRYPTION,
HITLS_SIGN_RSA_PKCS1_V15,
HITLS_HASH_SHA_384,
HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_384,
192,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
},
#endif /* HITLS_CRYPTO_RSA */
#ifdef HITLS_CRYPTO_DSA
{
CONST_CAST("dsa_sha384"),
CERT_SIG_SCHEME_DSA_SHA384,
TLS_CERT_KEY_TYPE_DSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_DSAWITHSHA384,
HITLS_SIGN_DSA,
HITLS_HASH_SHA_384,
HITLS_SIGN_DSA, HITLS_HASH_SHA_384,
192,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
},
#endif /* HITLS_CRYPTO_DSA */
#ifdef HITLS_CRYPTO_RSA
{
CONST_CAST("rsa_pkcs1_sha256"),
CERT_SIG_SCHEME_RSA_PKCS1_SHA256,
TLS_CERT_KEY_TYPE_RSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_SHA256WITHRSAENCRYPTION,
HITLS_SIGN_RSA_PKCS1_V15,
HITLS_HASH_SHA_256,
HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_256,
128,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS_VERSION_MASK | DTLS_VERSION_MASK,
},
#endif /* HITLS_CRYPTO_RSA */
#ifdef HITLS_CRYPTO_DSA
{
CONST_CAST("dsa_sha256"),
CERT_SIG_SCHEME_DSA_SHA256,
TLS_CERT_KEY_TYPE_DSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_DSAWITHSHA256,
HITLS_SIGN_DSA,
HITLS_HASH_SHA_256,
HITLS_SIGN_DSA, HITLS_HASH_SHA_256,
128,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
},
#endif /* HITLS_CRYPTO_DSA */
#ifdef HITLS_CRYPTO_ECDSA
{
CONST_CAST("ecdsa_sha224"),
CERT_SIG_SCHEME_ECDSA_SHA224,
TLS_CERT_KEY_TYPE_ECDSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_ECDSAWITHSHA224,
HITLS_SIGN_ECDSA,
HITLS_HASH_SHA_224,
HITLS_SIGN_ECDSA, HITLS_HASH_SHA_224,
112,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
},
#endif /* HITLS_CRYPTO_ECDSA */
#ifdef HITLS_CRYPTO_RSA
{
CONST_CAST("rsa_pkcs1_sha224"),
CERT_SIG_SCHEME_RSA_PKCS1_SHA224,
TLS_CERT_KEY_TYPE_RSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_SHA224WITHRSAENCRYPTION,
HITLS_SIGN_RSA_PKCS1_V15,
HITLS_HASH_SHA_224,
HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_224,
112,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
},
#endif /* HITLS_CRYPTO_RSA */
#ifdef HITLS_CRYPTO_DSA
{
CONST_CAST("dsa_sha224"),
CERT_SIG_SCHEME_DSA_SHA224,
TLS_CERT_KEY_TYPE_DSA,
CRYPT_PKEY_PARAID_MAX,
BSL_CID_DSAWITHSHA224,
HITLS_SIGN_DSA,
HITLS_HASH_SHA_224,
HITLS_SIGN_DSA, HITLS_HASH_SHA_224,
112,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
},
#endif /* HITLS_CRYPTO_DSA */
#ifdef HITLS_CRYPTO_ECDSA
{
CONST_CAST("ecdsa_sha1"),
CERT_SIG_SCHEME_ECDSA_SHA1,
@@ -344,6 +351,8 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
},
#endif /* HITLS_CRYPTO_ECDSA */
#ifdef HITLS_CRYPTO_RSA
{
CONST_CAST("rsa_pkcs1_sha1"),
CERT_SIG_SCHEME_RSA_PKCS1_SHA1,
@@ -356,6 +365,8 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
},
#endif /* HITLS_CRYPTO_RSA */
#ifdef HITLS_CRYPTO_DSA
{
CONST_CAST("dsa_sha1"),
CERT_SIG_SCHEME_DSA_SHA1,
@@ -368,6 +379,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = {
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
TLS12_VERSION_BIT | DTLS12_VERSION_BIT,
},
#endif /* HITLS_CRYPTO_DSA */
};
int32_t ConfigLoadSignatureSchemeInfo(HITLS_Config *config)
@@ -394,7 +406,7 @@ const TLS_SigSchemeInfo *ConfigGetSignatureSchemeInfoList(const HITLS_Config *co
return SIGNATURE_SCHEME_INFO;
}
#else // HITLS_TLS_FEATURE_PROVIDER
#else /* #ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
static int32_t PrepareSignSchemeStorage(TLS_Config *config, TLS_SigSchemeInfo **scheme)
{
@@ -578,4 +590,4 @@ const TLS_SigSchemeInfo *ConfigGetSignatureSchemeInfoList(const HITLS_Config *co
return config->sigSchemeInfo;
}
#endif
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
+55 -18
View File
@@ -102,24 +102,61 @@ int32_t HITLS_CRYPT_RegisterBaseMethod(HITLS_CRYPT_BaseMethod *userCryptCallBack
BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT);
return HITLS_NULL_INPUT;
}
g_cryptBaseMethod.randBytes = userCryptCallBack->randBytes;
g_cryptBaseMethod.hmacSize = userCryptCallBack->hmacSize;
g_cryptBaseMethod.hmacInit = userCryptCallBack->hmacInit;
g_cryptBaseMethod.hmacReinit = userCryptCallBack->hmacReinit;
g_cryptBaseMethod.hmacFree = userCryptCallBack->hmacFree;
g_cryptBaseMethod.hmacUpdate = userCryptCallBack->hmacUpdate;
g_cryptBaseMethod.hmacFinal = userCryptCallBack->hmacFinal;
g_cryptBaseMethod.hmac = userCryptCallBack->hmac;
g_cryptBaseMethod.digestSize = userCryptCallBack->digestSize;
g_cryptBaseMethod.digestInit = userCryptCallBack->digestInit;
g_cryptBaseMethod.digestCopy = userCryptCallBack->digestCopy;
g_cryptBaseMethod.digestFree = userCryptCallBack->digestFree;
g_cryptBaseMethod.digestUpdate = userCryptCallBack->digestUpdate;
g_cryptBaseMethod.digestFinal = userCryptCallBack->digestFinal;
g_cryptBaseMethod.digest = userCryptCallBack->digest;
g_cryptBaseMethod.encrypt = userCryptCallBack->encrypt;
g_cryptBaseMethod.decrypt = userCryptCallBack->decrypt;
g_cryptBaseMethod.cipherFree = userCryptCallBack->cipherFree;
if (userCryptCallBack->randBytes != NULL) {
g_cryptBaseMethod.randBytes = userCryptCallBack->randBytes;
}
if (userCryptCallBack->hmacSize != NULL) {
g_cryptBaseMethod.hmacSize = userCryptCallBack->hmacSize;
}
if (userCryptCallBack->hmacInit != NULL) {
g_cryptBaseMethod.hmacInit = userCryptCallBack->hmacInit;
}
if (userCryptCallBack->hmacReinit != NULL) {
g_cryptBaseMethod.hmacReinit = userCryptCallBack->hmacReinit;
}
if (userCryptCallBack->hmacFree != NULL) {
g_cryptBaseMethod.hmacFree = userCryptCallBack->hmacFree;
}
if (userCryptCallBack->hmacUpdate != NULL) {
g_cryptBaseMethod.hmacUpdate = userCryptCallBack->hmacUpdate;
}
if (userCryptCallBack->hmacFinal != NULL) {
g_cryptBaseMethod.hmacFinal = userCryptCallBack->hmacFinal;
}
if (userCryptCallBack->hmac != NULL) {
g_cryptBaseMethod.hmac = userCryptCallBack->hmac;
}
if (userCryptCallBack->digestSize != NULL) {
g_cryptBaseMethod.digestSize = userCryptCallBack->digestSize;
}
if (userCryptCallBack->digestInit != NULL) {
g_cryptBaseMethod.digestInit = userCryptCallBack->digestInit;
}
if (userCryptCallBack->digestCopy != NULL) {
g_cryptBaseMethod.digestCopy = userCryptCallBack->digestCopy;
}
if (userCryptCallBack->digestFree != NULL) {
g_cryptBaseMethod.digestFree = userCryptCallBack->digestFree;
}
if (userCryptCallBack->digestUpdate != NULL) {
g_cryptBaseMethod.digestUpdate = userCryptCallBack->digestUpdate;
}
if (userCryptCallBack->digestFinal != NULL) {
g_cryptBaseMethod.digestFinal = userCryptCallBack->digestFinal;
}
if (userCryptCallBack->digest != NULL) {
g_cryptBaseMethod.digest = userCryptCallBack->digest;
}
if (userCryptCallBack->encrypt != NULL) {
g_cryptBaseMethod.encrypt = userCryptCallBack->encrypt;
}
if (userCryptCallBack->decrypt != NULL) {
g_cryptBaseMethod.decrypt = userCryptCallBack->decrypt;
}
if (userCryptCallBack->cipherFree != NULL) {
g_cryptBaseMethod.cipherFree = userCryptCallBack->cipherFree;
}
return HITLS_SUCCESS;
}
+13 -17
View File
@@ -254,7 +254,6 @@ uint8_t *HS_PrepareSignDataTlcp(const TLS_Ctx *ctx, const uint8_t *partSignData,
uint8_t *HS_PrepareSignData(const TLS_Ctx *ctx, const uint8_t *partSignData,
uint32_t partSignDataLen, uint32_t *signDataLen)
{
int32_t ret;
/* Signature data: client random number + server random number + key exchange packet data/encryption certificate */
uint32_t randomLen = HS_RANDOM_SIZE * 2u;
uint32_t dataLen = randomLen + partSignDataLen;
@@ -269,13 +268,7 @@ uint8_t *HS_PrepareSignData(const TLS_Ctx *ctx, const uint8_t *partSignData,
(void)memcpy_s(data, dataLen, ctx->hsCtx->clientRandom, HS_RANDOM_SIZE);
(void)memcpy_s(&data[HS_RANDOM_SIZE], dataLen - HS_RANDOM_SIZE, ctx->hsCtx->serverRandom, HS_RANDOM_SIZE);
/* Copy key exchange packet data */
ret = memcpy_s(&data[randomLen], dataLen - randomLen, partSignData, partSignDataLen);
if (ret != EOK) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16814, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "memcpy fail", 0, 0, 0, 0);
BSL_SAL_Free(data);
BSL_ERR_PUSH_ERROR(HITLS_INTERNAL_EXCEPTION);
return NULL;
}
(void)memcpy_s(&data[randomLen], dataLen - randomLen, partSignData, partSignDataLen);
*signDataLen = dataLen;
return data;
@@ -603,20 +596,16 @@ uint32_t HS_MaxMessageSize(TLS_Ctx *ctx, HS_MsgType type)
#endif
case SERVER_HELLO:
return HITLS_SERVER_HELLO_MAX_SIZE;
#ifdef HITLS_TLS_PROTO_TLS13
case ENCRYPTED_EXTENSIONS:
return HITLS_ENCRYPTED_EXTENSIONS_MAX_SIZE;
case CERTIFICATE:
if (ctx->config.tlsConfig.maxCertList == 0) {
return HITLS_MAX_CERT_LIST_DEFAULT;
}
return ctx->config.tlsConfig.maxCertList;
#endif
case SERVER_KEY_EXCHANGE:
return HITLS_SERVER_KEY_EXCH_MAX_SIZE;
case CERTIFICATE:
case CERTIFICATE_REQUEST:
if (ctx->config.tlsConfig.maxCertList == 0) {
return HITLS_MAX_CERT_LIST_DEFAULT;
}
return ctx->config.tlsConfig.maxCertList;
return ctx->config.tlsConfig.maxCertList == 0 ? HITLS_MAX_CERT_LIST_DEFAULT
: ctx->config.tlsConfig.maxCertList;
case SERVER_HELLO_DONE:
return HITLS_SERVER_HELLO_DONE_MAX_SIZE;
case CLIENT_KEY_EXCHANGE:
@@ -624,20 +613,27 @@ uint32_t HS_MaxMessageSize(TLS_Ctx *ctx, HS_MsgType type)
case CERTIFICATE_VERIFY:
return REC_MAX_PLAIN_LENGTH;
case NEW_SESSION_TICKET:
#ifdef HITLS_TLS_PROTO_TLS13
if (GET_VERSION_FROM_CTX(ctx) == HITLS_VERSION_TLS13) {
return HITLS_SESSION_TICKET_MAX_SIZE_TLS13;
}
#endif
return HITLS_SESSION_TICKET_MAX_SIZE_TLS12;
#ifdef HITLS_TLS_PROTO_TLS13
case END_OF_EARLY_DATA:
return HITLS_END_OF_EARLY_DATA_MAX_SIZE;
#endif
case FINISHED:
return HITLS_FINISHED_MAX_SIZE;
#ifdef HITLS_TLS_PROTO_TLS13
case KEY_UPDATE:
return HITLS_KEY_UPDATE_MAX_SIZE;
#endif
default:
return 0;
}
}
#ifdef HITLS_TLS_PROTO_TLS13
uint32_t HS_GetBinderLen(HITLS_Session *session, HITLS_HashAlgo *hashAlg)
{
+8 -6
View File
@@ -434,22 +434,25 @@ int32_t DeriveMasterSecret(TLS_Ctx *ctx, const uint8_t *preMasterSecret, uint32_
{
int32_t ret = HITLS_SUCCESS;
const uint8_t masterSecretLabel[] = "master secret";
const uint8_t exMasterSecretLabel[] = "extended master secret";
uint8_t seed[HS_RANDOM_SIZE * 2] = {0}; // seed size is twice the random size
uint32_t seedLen = sizeof(seed);
bool isExtendedMasterSecret = ctx->negotiatedInfo.isExtendedMasterSecret;
CRYPT_KeyDeriveParameters deriveInfo;
deriveInfo.hashAlgo = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg;
deriveInfo.secret = preMasterSecret;
deriveInfo.secretLen = len;
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
const uint8_t exMasterSecretLabel[] = "extended master secret";
bool isExtendedMasterSecret = ctx->negotiatedInfo.isExtendedMasterSecret;
if (isExtendedMasterSecret) {
deriveInfo.label = exMasterSecretLabel;
deriveInfo.labelLen = sizeof(exMasterSecretLabel) - 1u;
ret = VERIFY_CalcSessionHash(
ctx->hsCtx->verifyCtx, seed, &seedLen); // Use session hash as seed for key deriviation
} else {
} else
#endif
{
deriveInfo.label = masterSecretLabel;
deriveInfo.labelLen = sizeof(masterSecretLabel) - 1u;
ret = HS_CombineRandom(ctx->hsCtx->clientRandom, ctx->hsCtx->serverRandom, HS_RANDOM_SIZE, seed, seedLen);
@@ -470,8 +473,7 @@ int32_t DeriveMasterSecret(TLS_Ctx *ctx, const uint8_t *preMasterSecret, uint32_
return ret;
}
#ifdef HITLS_TLS_MAINTAIN_KEYLOG
if (HITLS_LogSecret(ctx, MASTER_SECRET_LABEL, ctx->hsCtx->masterKey,
MASTER_SECRET_LEN) != HITLS_SUCCESS) {
if (HITLS_LogSecret(ctx, MASTER_SECRET_LABEL, ctx->hsCtx->masterKey, MASTER_SECRET_LEN) != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15336, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"failed to LogSecret, MASTER_SECRET_LABEL.", 0, 0, 0, 0);
}
+4
View File
@@ -281,6 +281,7 @@ static int32_t CheckCookieWithPreMacKey(TLS_Ctx *ctx, const ClientHelloMsg *clie
return HITLS_SUCCESS;
}
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
static int32_t CheckCookieDuringRenegotiation(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *isCookieValid)
{
uint8_t *cookie = ctx->negotiatedInfo.cookie;
@@ -292,6 +293,7 @@ static int32_t CheckCookieDuringRenegotiation(TLS_Ctx *ctx, const ClientHelloMsg
}
return HITLS_SUCCESS;
}
#endif
int32_t HS_CheckCookie(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *isCookieValid)
{
@@ -309,10 +311,12 @@ int32_t HS_CheckCookie(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *is
return HITLS_SUCCESS;
}
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
/* In the renegotiation scenario, the cookie stored in the negotiatedInfo is used for verification */
if (ctx->negotiatedInfo.isRenegotiation) {
return CheckCookieDuringRenegotiation(ctx, clientHello, isCookieValid);
}
#endif
/* If the user's cookie validation callback is registered, use the user's callback interface */
HITLS_AppVerifyCookieCb cookieCb = ctx->globalConfig->appVerifyCookieCb;
+5 -2
View File
@@ -33,7 +33,7 @@
#if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12)
static int32_t PackHsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt)
{
int32_t ret = HITLS_SUCCESS;
int32_t ret = HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG;
switch (type) {
#ifdef HITLS_TLS_HOST_SERVER
case SERVER_HELLO:
@@ -47,9 +47,11 @@ static int32_t PackHsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt)
case SERVER_KEY_EXCHANGE:
ret = PackServerKeyExchange(ctx, pkt);
break;
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
case CERTIFICATE_REQUEST:
ret = PackCertificateRequest(ctx, pkt);
break;
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
case HELLO_REQUEST:
case SERVER_HELLO_DONE:
return HITLS_SUCCESS;
@@ -77,7 +79,6 @@ static int32_t PackHsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt)
ret = PackFinished(ctx, pkt);
break;
default:
ret = HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG;
break;
}
@@ -105,9 +106,11 @@ static int32_t PackTls13HsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt
case ENCRYPTED_EXTENSIONS:
ret = PackEncryptedExtensions(ctx, pkt);
break;
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
case CERTIFICATE_REQUEST:
ret = Tls13PackCertificateRequest(ctx, pkt);
break;
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
case NEW_SESSION_TICKET:
ret = Tls13PackNewSessionTicket(ctx, pkt);
break;
@@ -13,7 +13,7 @@
* See the Mulan PSL v2 for more details.
*/
#include "hitls_build.h"
#ifdef HITLS_TLS_HOST_SERVER
#if defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)
#include <stdint.h>
#include <stdbool.h>
#include "securec.h"
@@ -118,6 +118,7 @@ static int32_t PackSignAlgorithms(const TLS_Ctx *ctx, PackPacket *pkt)
#endif /* HITLS_TLS_PROTO_TLS12 || HITLS_TLS_PROTO_DTLS12 */
#if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12)
#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES
static int32_t PackCALists(const TLS_Ctx *ctx, PackPacket *pkt)
{
const TLS_Config *config = &(ctx->config.tlsConfig);
@@ -126,7 +127,6 @@ static int32_t PackCALists(const TLS_Ctx *ctx, PackPacket *pkt)
return PackAppendUint16ToBuf(pkt, 0);
}
#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES
uint32_t caListLenPosition = 0u;
int32_t ret = PackStartLengthField(pkt, sizeof(uint16_t), &caListLenPosition);
if (ret != HITLS_SUCCESS) {
@@ -141,9 +141,9 @@ static int32_t PackCALists(const TLS_Ctx *ctx, PackPacket *pkt)
}
PackCloseUint16Field(pkt, caListLenPosition);
#endif /* HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES */
return HITLS_SUCCESS;
}
#endif /* HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES */
int32_t PackCertificateRequest(const TLS_Ctx *ctx, PackPacket *pkt)
{
@@ -161,12 +161,15 @@ int32_t PackCertificateRequest(const TLS_Ctx *ctx, PackPacket *pkt)
}
}
#endif
#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES
ret = PackCALists(ctx, pkt);
if (ret != HITLS_SUCCESS) {
return ret;
}
return HITLS_SUCCESS;
#else
return PackAppendUint16ToBuf(pkt, 0);
#endif /* HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES */
}
#endif /* HITLS_TLS_PROTO_TLS_BASIC || HITLS_TLS_PROTO_DTLS12 */
#ifdef HITLS_TLS_PROTO_TLS13
@@ -263,7 +266,7 @@ static int32_t PackCertReqExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
return HITLS_SUCCESS;
}
int32_t Tls13PackCertReqExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
static int32_t Tls13PackCertReqExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
{
/* Start packing extensions length */
uint32_t extensionsLenPosition = 0u;
@@ -301,4 +304,4 @@ int32_t Tls13PackCertificateRequest(const TLS_Ctx *ctx, PackPacket *pkt)
return HITLS_SUCCESS;
}
#endif /* HITLS_TLS_PROTO_TLS13 */
#endif /* HITLS_TLS_HOST_SERVER */
#endif /* HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
+17 -9
View File
@@ -889,7 +889,9 @@ static int32_t PackClientExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
{ EXTENSION_MSG(HS_EX_TYPE_POST_HS_AUTH, isNeedPha, NULL) },
#endif /* HITLS_TLS_FEATURE_PHA */
#endif /* HITLS_TLS_PROTO_TLS13 */
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
{ EXTENSION_MSG(HS_EX_TYPE_EXTENDED_MASTER_SECRET, true, NULL) },
#endif
#ifdef HITLS_TLS_FEATURE_ALPN
{ EXTENSION_MSG(HS_EX_TYPE_APP_LAYER_PROTOCOLS, (tlsConfig->alpnList != NULL &&
ctx->state == CM_STATE_HANDSHAKING), PackClientAlpnList) },
@@ -931,7 +933,9 @@ static int32_t PackClientExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
#ifdef HITLS_TLS_FEATURE_PHA
ctx->hsCtx->extFlag.havePostHsAuth = isNeedPha;
#endif /* HITLS_TLS_FEATURE_PHA */
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
ctx->hsCtx->extFlag.haveExtendedMasterSecret = true;
#endif
#ifdef HITLS_TLS_FEATURE_ETM
ctx->hsCtx->extFlag.haveEncryptThenMac = ctx->config.tlsConfig.isEncryptThenMac;
#endif /* HITLS_TLS_FEATURE_ETM */
@@ -1147,6 +1151,7 @@ static int32_t PackServerPreSharedKey(const TLS_Ctx *ctx, PackPacket *pkt)
#if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12)
static int32_t PackServerSecRenegoInfo(const TLS_Ctx *ctx, PackPacket *pkt)
{
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
bool isRenegotiation = ctx->negotiatedInfo.isRenegotiation;
const uint8_t *clientData = ctx->negotiatedInfo.clientVerifyData;
uint32_t clientDataSize = ctx->negotiatedInfo.clientVerifyDataSize;
@@ -1174,7 +1179,14 @@ static int32_t PackServerSecRenegoInfo(const TLS_Ctx *ctx, PackPacket *pkt)
(void)PackAppendDataToBuf(pkt, clientData, clientDataSize);
(void)PackAppendDataToBuf(pkt, serverData, serverDataSize);
#else
(void)ctx;
int32_t ret = PackExtensionHeader(HS_EX_TYPE_RENEGOTIATION_INFO, sizeof(uint8_t), pkt);
if (ret != HITLS_SUCCESS) {
return ret;
}
(void)PackAppendUint8ToBuf(pkt, 0);
#endif
return HITLS_SUCCESS;
}
#endif /* defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12) */
@@ -1207,7 +1219,6 @@ static bool IsNeedServerPackEncryptThenMac(const TLS_Ctx *ctx)
// Pack the empty extension of Server Hello
static int32_t PackServerExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
{
int32_t ret = HITLS_SUCCESS;
#ifdef HITLS_TLS_PROTO_TLS13
uint32_t version = GET_VERSION_FROM_CTX(ctx);
bool isHrrKeyshare = IsHrrKeyShare(ctx);
@@ -1233,7 +1244,9 @@ static int32_t PackServerExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
#ifdef HITLS_TLS_PROTO_TLS13
{ EXTENSION_MSG(HS_EX_TYPE_SUPPORTED_VERSIONS, isTls13, PackServerSupportedVersion) },
#endif /* HITLS_TLS_PROTO_TLS13 */
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
{ EXTENSION_MSG(HS_EX_TYPE_EXTENDED_MASTER_SECRET, negoInfo->isExtendedMasterSecret, NULL) },
#endif
#ifdef HITLS_TLS_FEATURE_ALPN
{ .exMsgType = HS_EX_TYPE_APP_LAYER_PROTOCOLS,
.needPack = (negoInfo->alpnSelected != NULL
@@ -1274,19 +1287,14 @@ static int32_t PackServerExtensions(const TLS_Ctx *ctx, PackPacket *pkt)
}
if (IsPackNeedCustomExtensions(CUSTOM_EXT_FROM_CTX(ctx), context)) {
ret = PackCustomExtensions(ctx, pkt, context, NULL, 0);
int32_t ret = PackCustomExtensions(ctx, pkt, context, NULL, 0);
if (ret != HITLS_SUCCESS) {
return ret;
}
}
#endif /* HITLS_TLS_FEATURE_CUSTOM_EXTENSION */
ret = PackExtensions(ctx, pkt, extMsgList, sizeof(extMsgList) / sizeof(extMsgList[0]));
if (ret != HITLS_SUCCESS) {
return ret;
}
return HITLS_SUCCESS;
return PackExtensions(ctx, pkt, extMsgList, sizeof(extMsgList) / sizeof(extMsgList[0]));
}
// Pack the Server Hello extension
+13 -1
View File
@@ -86,13 +86,16 @@ static int32_t CheckServerKeyExchangeType(TLS_Ctx *ctx, const HS_MsgType msgType
static int32_t CheckCertificateRequestType(TLS_Ctx *ctx, const HS_MsgType msgType)
{
#ifdef HITLS_TLS_PROTO_TLS13
uint32_t version = GET_VERSION_FROM_CTX(ctx);
if (version == HITLS_VERSION_TLS13) {
if (msgType == CERTIFICATE) {
(void)HS_ChangeState(ctx, TRY_RECV_CERTIFICATE);
return HITLS_SUCCESS;
}
} else {
} else
#endif
{
if (msgType == SERVER_HELLO_DONE) {
(void)HS_ChangeState(ctx, TRY_RECV_SERVER_HELLO_DONE);
return HITLS_SUCCESS;
@@ -110,7 +113,9 @@ static const HsMsgTypeCheck g_checkHsMsgTypeList[] = {
#ifdef HITLS_TLS_PROTO_DTLS12
[TRY_RECV_HELLO_VERIFY_REQUEST] = {.msgType = HELLO_VERIFY_REQUEST, .checkCb = CheckHelloVerifyRequestType},
#endif
#ifdef HITLS_TLS_PROTO_TLS13
[TRY_RECV_ENCRYPTED_EXTENSIONS] = {.msgType = ENCRYPTED_EXTENSIONS, .checkCb = NULL},
#endif
[TRY_RECV_CERTIFICATE] = {.msgType = CERTIFICATE, .checkCb = NULL},
[TRY_RECV_SERVER_KEY_EXCHANGE] = {.msgType = SERVER_KEY_EXCHANGE, .checkCb = CheckServerKeyExchangeType},
[TRY_RECV_CERTIFICATE_REQUEST] = {.msgType = CERTIFICATE_REQUEST, .checkCb = CheckCertificateRequestType},
@@ -119,7 +124,9 @@ static const HsMsgTypeCheck g_checkHsMsgTypeList[] = {
[TRY_RECV_CERTIFICATE_VERIFY] = {.msgType = CERTIFICATE_VERIFY, .checkCb = NULL},
[TRY_RECV_NEW_SESSION_TICKET] = {.msgType = NEW_SESSION_TICKET, .checkCb = NULL},
[TRY_RECV_FINISH] = {.msgType = FINISHED, .checkCb = NULL},
#ifdef HITLS_TLS_PROTO_TLS13
[TRY_RECV_KEY_UPDATE] = {.msgType = KEY_UPDATE, .checkCb = NULL},
#endif
[TRY_RECV_HELLO_REQUEST] = {.msgType = HELLO_REQUEST, .checkCb = NULL},
};
@@ -281,8 +288,10 @@ static int32_t ParseHandShakeMsg(TLS_Ctx *ctx, const uint8_t *data, uint32_t len
return ParseCertificate(ctx, data, len, hsMsg);
case CLIENT_KEY_EXCHANGE:
return ParseClientKeyExchange(ctx, data, len, hsMsg);
#if defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)
case CERTIFICATE_VERIFY:
return ParseCertificateVerify(ctx, data, len, hsMsg);
#endif
#ifdef HITLS_TLS_FEATURE_SESSION_TICKET
case NEW_SESSION_TICKET:
return ParseNewSessionTicket(ctx, data, len, hsMsg);
@@ -477,8 +486,11 @@ void HS_CleanMsg(HS_Msg *hsMsg)
#endif /* HITLS_TLS_HOST_CLIENT */
case CERTIFICATE:
return CleanCertificate(&hsMsg->body.certificate);
#if (defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) || \
defined(HITLS_TLS_PROTO_TLS13)
case CERTIFICATE_VERIFY:
return CleanCertificateVerify(&hsMsg->body.certificateVerify);
#endif
case FINISHED:
return CleanFinished(&hsMsg->body.finished);
case KEY_UPDATE:
@@ -13,7 +13,8 @@
* See the Mulan PSL v2 for more details.
*/
#include "hitls_build.h"
#if defined(HITLS_TLS_HOST_SERVER) || defined(HITLS_TLS_PROTO_TLS13)
#if (defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) || \
defined(HITLS_TLS_PROTO_TLS13)
#include "tls_binlog_id.h"
#include "bsl_log.h"
#include "bsl_log_internal.h"
@@ -230,4 +231,4 @@ void CleanCertificateVerify(CertificateVerifyMsg *msg)
BSL_SAL_FREE(msg->sign);
}
#endif /* HITLS_TLS_HOST_CLIENT || HITLS_TLS_PROTO_TLS13 */
#endif /* (HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY) || HITLS_TLS_PROTO_TLS13 */
@@ -143,6 +143,7 @@ static int32_t ParseServerSupportedVersions(ParsePacket *pkt, ServerHelloMsg *ms
}
#endif /* HITLS_TLS_PROTO_TLS13 */
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
// Parses the extended master secret sent by the serve
static int32_t ParseServerExtMasterSecret(ParsePacket *pkt, ServerHelloMsg *msg)
{
@@ -150,6 +151,7 @@ static int32_t ParseServerExtMasterSecret(ParsePacket *pkt, ServerHelloMsg *msg)
return ParseEmptyExtension(pkt->ctx, HS_EX_TYPE_EXTENDED_MASTER_SECRET, pkt->bufLen,
&msg->haveExtendedMasterSecret);
}
#endif
#ifdef HITLS_TLS_FEATURE_ALPN
int32_t ParseServerSelectedAlpnProtocol(
ParsePacket *pkt, bool *haveSelectedAlpn, uint8_t **alpnSelected, uint16_t *alpnSelectedSize)
@@ -313,8 +315,10 @@ static int32_t ParseServerExBody(TLS_Ctx *ctx, uint16_t extMsgType, const uint8_
case HS_EX_TYPE_SERVER_NAME:
return ParseServerServerName(&pkt, msg);
#endif /* HITLS_TLS_FEATURE_SNI */
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
case HS_EX_TYPE_EXTENDED_MASTER_SECRET:
return ParseServerExtMasterSecret(&pkt, msg);
#endif
#ifdef HITLS_TLS_FEATURE_ALPN
case HS_EX_TYPE_APP_LAYER_PROTOCOLS:
return ParseServerSelectedAlpnProtocol(
@@ -171,11 +171,13 @@ static int32_t ParseClientPointFormats(ParsePacket *pkt, ClientHelloMsg *msg)
return HITLS_SUCCESS;
}
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
static int32_t ParseClientExtMasterSecret(ParsePacket *pkt, ClientHelloMsg *msg)
{
return ParseEmptyExtension(pkt->ctx, HS_EX_TYPE_EXTENDED_MASTER_SECRET, pkt->bufLen,
&msg->extension.flag.haveExtendedMasterSecret);
}
#endif
#ifdef HITLS_TLS_FEATURE_SNI
static void SetRevMsgExtServernameInfo(ClientHelloMsg *msg, uint8_t serverNameType, uint8_t *serverName,
uint16_t serverNameLen)
@@ -844,8 +846,9 @@ static int32_t ParseClientExBody(TLS_Ctx *ctx, uint16_t extMsgType, const uint8_
#ifdef HITLS_TLS_FEATURE_SNI
{ .exMsgType = HS_EX_TYPE_SERVER_NAME, .parseFunc = ParseClientServerName},
#endif /* HITLS_TLS_FEATURE_SNI */
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
{ .exMsgType = HS_EX_TYPE_EXTENDED_MASTER_SECRET, .parseFunc = ParseClientExtMasterSecret},
#endif
#ifdef HITLS_TLS_FEATURE_ALPN
{ .exMsgType = HS_EX_TYPE_APP_LAYER_PROTOCOLS, .parseFunc = ParseClientAlpnProposeList},
#endif
@@ -346,7 +346,9 @@ int32_t ParseDhePara(ParsePacket *pkt, uint16_t *paraLen, uint8_t **para)
static int32_t ParseServerDhe(ParsePacket *pkt, ServerKeyExchangeMsg *msg)
{
ServerDh *dh = &msg->keyEx.dh;
#ifdef HITLS_BSL_LOG
const char *logStr = BINGLOG_STR("parse dhe param or PubKey fail. ret %d");
#endif
TLS_Ctx *ctx = pkt->ctx;
int32_t ret = ParseDhePara(pkt, &dh->plen, &dh->p);
if (ret != HITLS_SUCCESS) {
+6 -2
View File
@@ -99,10 +99,9 @@ static bool IsUnexpectedHandshaking(const TLS_Ctx *ctx)
{
return (ctx->state == CM_STATE_HANDSHAKING && ctx->preState == CM_STATE_TRANSPORTING);
}
static int32_t ProcessHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg)
{
uint32_t version = GET_VERSION_FROM_CTX(ctx);
(void)version;
switch (ctx->hsCtx->state) {
#ifdef HITLS_TLS_HOST_SERVER
case TRY_RECV_CLIENT_HELLO:
@@ -118,8 +117,10 @@ static int32_t ProcessHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg)
#endif /* HITLS_TLS_PROTO_TLS_BASIC only for tls13 */
case TRY_RECV_CLIENT_KEY_EXCHANGE:
return ServerRecvClientKxProcess(ctx, hsMsg);
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
case TRY_RECV_CERTIFICATE_VERIFY:
return ServerRecvClientCertVerifyProcess(ctx);
#endif
#endif /* HITLS_TLS_HOST_SERVER */
#ifdef HITLS_TLS_HOST_CLIENT
case TRY_RECV_CERTIFICATE_REQUEST:
@@ -175,14 +176,17 @@ static int32_t ProcessHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg)
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
return HITLS_MSG_HANDLE_STATE_ILLEGAL;
}
static int32_t ProcessReceivedHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg)
{
if (hsMsg->type == HELLO_REQUEST) {
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
if (ctx->hsCtx->state == TRY_RECV_HELLO_REQUEST) {
ctx->negotiatedInfo.isRenegotiation = true; /* Start renegotiation */
ctx->negotiatedInfo.renegotiationNum++;
return HS_ChangeState(ctx, TRY_SEND_CLIENT_HELLO);
}
#endif
/* The HelloRequest message should be ignored during the handshake. */
return HITLS_SUCCESS;
}
+3 -2
View File
@@ -13,7 +13,8 @@
* See the Mulan PSL v2 for more details.
*/
#include "hitls_build.h"
#if defined(HITLS_TLS_HOST_SERVER) || defined(HITLS_TLS_PROTO_TLS13)
#if (defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) || \
defined(HITLS_TLS_PROTO_TLS13)
#include <stdint.h>
#include "securec.h"
#include "tls_binlog_id.h"
@@ -81,4 +82,4 @@ int32_t Tls13RecvCertVerifyProcess(TLS_Ctx *ctx)
return HS_ChangeState(ctx, TRY_RECV_FINISH);
}
#endif /* HITLS_TLS_PROTO_TLS13 */
#endif /* HITLS_TLS_HOST_SERVER || HITLS_TLS_PROTO_TLS13 */
#endif /* (HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY) || HITLS_TLS_PROTO_TLS13 */
+34 -19
View File
@@ -328,6 +328,7 @@ int32_t RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
* the client MUST send a certificate message containing no certificates.
*/
if (certs->certCount == 0) {
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
/** Only the server allows the peer certificate to be empty */
if ((ctx->isClient == false) &&
(ctx->config.tlsConfig.isSupportClientVerify && ctx->config.tlsConfig.isSupportNoClientCert)) {
@@ -335,7 +336,7 @@ int32_t RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
"server recv empty cert", 0, 0, 0, 0);
return HS_ChangeState(ctx, TRY_RECV_CLIENT_KEY_EXCHANGE);
}
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE);
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15724, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"peer certificate is needed!", 0, 0, 0, 0);
@@ -357,7 +358,11 @@ int32_t RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
* fails to be verified */
if (ret != HITLS_SUCCESS) {
if (!ctx->config.tlsConfig.isSupportVerifyNone) {
#ifdef HITLS_TLS_PROTO_DFX_INFO
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, GetAlertfromX509Err(ctx->peerInfo.verifyResult));
#else
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_CERTIFICATE);
#endif
return ret;
}
}
@@ -402,6 +407,29 @@ static int32_t CertificateReqCtxCheck(TLS_Ctx *ctx, const CertificateMsg *certs)
return HITLS_SUCCESS;
}
static int32_t ProcessEmptyCert(TLS_Ctx *ctx)
{
if (ctx->isClient) {
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE);
return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID16126,
"peer certificate is needed!", ALERT_DECODE_ERROR);
}
/** Only the server allows the peer certificate to be empty */
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
if ((ctx->config.tlsConfig.isSupportClientVerify && ctx->config.tlsConfig.isSupportNoClientCert)) {
int32_t ret = VERIFY_Tls13CalcVerifyData(ctx, true);
if (ret != HITLS_SUCCESS) {
return RETURN_ALERT_PROCESS(ctx, ret, BINLOG_ID15729,
"server calculate client finished data error", ALERT_INTERNAL_ERROR);
}
return HS_ChangeState(ctx, TRY_RECV_FINISH);
}
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE);
return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID15727,
"peer certificate is needed!", ALERT_CERTIFICATE_REQUIRED);
}
int32_t Tls13RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
{
const CertificateMsg *certs = &msg->body.certificate;
@@ -425,24 +453,7 @@ int32_t Tls13RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
* the client MUST send a certificate message containing no certificates.
*/
if (certs->certCount == 0) {
if (ctx->isClient) {
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE);
return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID16126,
"peer certificate is needed!", ALERT_DECODE_ERROR);
}
/** Only the server allows the peer certificate to be empty */
if ((ctx->config.tlsConfig.isSupportClientVerify && ctx->config.tlsConfig.isSupportNoClientCert)) {
ret = VERIFY_Tls13CalcVerifyData(ctx, true);
if (ret != HITLS_SUCCESS) {
return RETURN_ALERT_PROCESS(ctx, ret, BINLOG_ID15729,
"server calculate client finished data error", ALERT_INTERNAL_ERROR);
}
return HS_ChangeState(ctx, TRY_RECV_FINISH);
}
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE);
return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID15727,
"peer certificate is needed!", ALERT_CERTIFICATE_REQUIRED);
return ProcessEmptyCert(ctx);
}
/** Process the obtained peer certificate */
@@ -459,7 +470,11 @@ int32_t Tls13RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg)
if (!ctx->config.tlsConfig.isSupportVerifyNone) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17045, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"VerifyCertChain fail, ret = 0x%x.", (uint32_t)ret, 0, 0, 0);
#ifdef HITLS_TLS_PROTO_DFX_INFO
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, GetAlertfromX509Err(ctx->peerInfo.verifyResult));
#else
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_CERTIFICATE);
#endif
return ret;
}
}
+22 -7
View File
@@ -117,17 +117,21 @@ static uint16_t ServerSelectCurveId(const TLS_Ctx *ctx, const ClientHelloMsg *cl
uint32_t normalGroupsSize = 0;
uint16_t *perferenceGroups = NULL;
uint16_t *normalGroups = NULL;
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
if (ctx->config.tlsConfig.isSupportServerPreference) {
perferenceGroupsSize = ctx->config.tlsConfig.groupsSize;
normalGroupsSize = clientHello->extension.content.supportedGroupsSize;
perferenceGroups = ctx->config.tlsConfig.groups;
normalGroups = clientHello->extension.content.supportedGroups;
} else {
#endif
perferenceGroupsSize = clientHello->extension.content.supportedGroupsSize;
normalGroupsSize = ctx->config.tlsConfig.groupsSize;
perferenceGroups = clientHello->extension.content.supportedGroups;
normalGroups = ctx->config.tlsConfig.groups;
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
}
#endif
/* Find supported curves */
for (uint32_t i = 0u; i < perferenceGroupsSize; i++) {
@@ -463,23 +467,24 @@ int32_t ServerSelectCipherSuite(TLS_Ctx *ctx, const ClientHelloMsg *clientHello)
/* Obtain server information */
uint16_t *cfgCipherSuites = ctx->config.tlsConfig.cipherSuites;
uint32_t cfgCipherSuitesSize = ctx->config.tlsConfig.cipherSuitesSize;
#ifdef HITLS_TLS_PROTO_TLS13
if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
cfgCipherSuites = ctx->config.tlsConfig.tls13CipherSuites;
cfgCipherSuitesSize = ctx->config.tlsConfig.tls13cipherSuitesSize;
}
#endif
const uint16_t *preferenceCipherSuites = clientHello->cipherSuites;
uint16_t preferenceCipherSuitesSize = clientHello->cipherSuitesSize;
const uint16_t *normalCipherSuites = cfgCipherSuites;
uint16_t normalCipherSuitesSize = (uint16_t)cfgCipherSuitesSize;
#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER
if (ctx->config.tlsConfig.isSupportServerPreference) {
preferenceCipherSuites = cfgCipherSuites;
preferenceCipherSuitesSize = (uint16_t)cfgCipherSuitesSize;
normalCipherSuites = clientHello->cipherSuites;
normalCipherSuitesSize = clientHello->cipherSuitesSize;
}
#endif
bool preferSha256 = false;
#ifdef HITLS_TLS_PROTO_TLS13
@@ -1034,10 +1039,12 @@ static int32_t ServerCheckResume(TLS_Ctx *ctx, const ClientHelloMsg *clientHello
{
ctx->negotiatedInfo.isResume = false;
ctx->negotiatedInfo.isTicket = false;
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
/* If session resumption is not allowed in the renegotiation state, return */
if (ctx->negotiatedInfo.isRenegotiation && !ctx->config.tlsConfig.isResumptionOnRenego) {
return HITLS_SUCCESS;
}
#endif
/* Create a null session handle */
HITLS_Session *sess = NULL;
uint32_t ticketBufSize = clientHello->extension.content.ticketSize;
@@ -1146,6 +1153,7 @@ static int32_t ServerCheckAndProcessRenegoInfo(TLS_Ctx *ctx, const ClientHelloMs
static int32_t ServerCheckEncryptThenMac(TLS_Ctx *ctx, const ClientHelloMsg *clientHello)
{
bool haveEncryptThenMac = clientHello->extension.flag.haveEncryptThenMac;
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
/* Renegotiation cannot be downgraded from EncryptThenMac to MacThenEncrypt */
if (ctx->negotiatedInfo.isRenegotiation && ctx->negotiatedInfo.isEncryptThenMac && !haveEncryptThenMac) {
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR);
@@ -1154,7 +1162,7 @@ static int32_t ServerCheckEncryptThenMac(TLS_Ctx *ctx, const ClientHelloMsg *cli
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
return HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR;
}
#endif
/* If EncryptThenMac is not configured, a success message is returned. */
if (!ctx->config.tlsConfig.isEncryptThenMac) {
return HITLS_SUCCESS;
@@ -1197,6 +1205,7 @@ static int32_t ServerSelectCipherSuiteInfo(TLS_Ctx *ctx, const ClientHelloMsg *c
static int32_t ServerProcessClientHelloExt(TLS_Ctx *ctx, const ClientHelloMsg *clientHello)
{
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
int32_t ret = HITLS_SUCCESS;
(void)ret;
(void)clientHello;
@@ -1210,7 +1219,7 @@ static int32_t ServerProcessClientHelloExt(TLS_Ctx *ctx, const ClientHelloMsg *c
return HITLS_MSG_HANDLE_INVALID_EXTENDED_MASTER_SECRET;
}
ctx->negotiatedInfo.isExtendedMasterSecret = clientHello->extension.flag.haveExtendedMasterSecret;
#endif
return ProcessClientHelloExt(ctx, clientHello, false);
}
@@ -1402,10 +1411,12 @@ int32_t Tls12ServerRecvClientHelloProcess(TLS_Ctx *ctx, const HS_Msg *msg, bool
return ret;
}
}
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
if (ctx->state == CM_STATE_RENEGOTIATION && !ctx->userRenego) {
ctx->negotiatedInfo.isRenegotiation = true; /* Start renegotiation */
ctx->negotiatedInfo.renegotiationNum++;
}
#endif
return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO);
}
#endif /* HITLS_TLS_PROTO_TLS_BASIC */
@@ -1449,6 +1460,7 @@ static int32_t DtlsServerCheckAndProcessCookie(TLS_Ctx *ctx, const ClientHelloMs
}
/* If the cookie fails to be verified, send a hello verify request */
if (!*isCookieValid) {
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
/* During DTLS renegotiation, if the cookie verification fails, an alert message is sent.
If the cookie is empty, the hello verify request is sent */
if ((clientHello->cookieLen != 0u) && (ctx->negotiatedInfo.isRenegotiation)) {
@@ -1458,6 +1470,7 @@ static int32_t DtlsServerCheckAndProcessCookie(TLS_Ctx *ctx, const ClientHelloMs
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
return HITLS_MSG_VERIFY_COOKIE_ERR;
}
#endif
ret = PrepareDtlsCookie(ctx, clientHello);
if (ret != HITLS_SUCCESS) {
return ret;
@@ -1515,10 +1528,12 @@ int32_t DtlsServerRecvClientHelloProcess(TLS_Ctx *ctx, const HS_Msg *msg)
return ret;
}
}
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
if (ctx->state == CM_STATE_RENEGOTIATION && !ctx->userRenego) {
ctx->negotiatedInfo.isRenegotiation = true; /* Start renegotiation */
ctx->negotiatedInfo.renegotiationNum++;
}
#endif
return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO);
}
#endif
@@ -2344,13 +2359,13 @@ static int32_t Tls13ServerProcessClientHello(TLS_Ctx *ctx, HS_Msg *msg)
return ret;
}
}
#ifdef HITLS_TLS_FEATURE_PHA
#if defined(HITLS_TLS_FEATURE_PHA) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)
TLS_Config *tlsConfig = &ctx->config.tlsConfig;
if (ctx->phaState == PHA_NONE && tlsConfig->isSupportClientVerify &&
msg->body.clientHello.extension.flag.havePostHsAuth) {
ctx->phaState = PHA_EXTENSION;
}
#endif /* HITLS_TLS_FEATURE_PHA */
#endif /* HITLS_TLS_FEATURE_PHA && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO);
}
+22 -63
View File
@@ -215,7 +215,8 @@ int32_t HsSetSessionInfo(TLS_Ctx *ctx)
}
#endif /* HITLS_TLS_FEATURE_SESSION */
int32_t CheckFinishedVerifyData(const FinishedMsg *finishedMsg, const uint8_t *verifyData, uint32_t verifyDataSize)
static int32_t CheckFinishedVerifyData(const FinishedMsg *finishedMsg, const uint8_t *verifyData,
uint32_t verifyDataSize)
{
if ((finishedMsg->verifyDataSize == 0u) || (verifyDataSize == 0u)) {
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_INCORRECT_DIGEST_LEN);
@@ -240,20 +241,19 @@ int32_t CheckFinishedVerifyData(const FinishedMsg *finishedMsg, const uint8_t *v
return HITLS_SUCCESS;
}
#ifdef HITLS_TLS_HOST_CLIENT
int32_t ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
static int32_t RecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
{
int32_t ret = 0;
HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
VerifyCtx *verifyCtx = hsCtx->verifyCtx;
const FinishedMsg *finished = &msg->body.finished;
uint8_t verifyData[MAX_DIGEST_SIZE] = {0};
uint32_t verifyDataSize = MAX_DIGEST_SIZE;
ret = VERIFY_GetVerifyData(verifyCtx, verifyData, &verifyDataSize);
int32_t ret = VERIFY_GetVerifyData(verifyCtx, verifyData, &verifyDataSize);
if (ret != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15740, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"client get server finished verify data error.", 0, 0, 0, 0);
"Get finished verify data error.", 0, 0, 0, 0);
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
return ret;
}
@@ -261,12 +261,9 @@ int32_t ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
ret = CheckFinishedVerifyData(finished, verifyData, verifyDataSize);
if (ret != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15741, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"client verify server finished data error.", 0, 0, 0, 0);
if (ret == HITLS_MSG_HANDLE_INCORRECT_DIGEST_LEN) {
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECODE_ERROR);
} else {
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECRYPT_ERROR);
}
"Verify finished data error.", 0, 0, 0, 0);
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL,
(ret == HITLS_MSG_HANDLE_INCORRECT_DIGEST_LEN) ? ALERT_DECODE_ERROR : ALERT_DECRYPT_ERROR);
return HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL;
}
#ifdef HITLS_TLS_FEATURE_SESSION
@@ -278,14 +275,17 @@ int32_t ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
return ret;
}
#endif /* HITLS_TLS_FEATURE_SESSION */
/* CCS messages are not allowed to be received later. */
ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY);
if (ctx->isClient) {
/* CCS messages are not allowed to be received later. */
ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY);
}
return HITLS_SUCCESS;
}
#ifdef HITLS_TLS_HOST_CLIENT
#ifdef HITLS_TLS_PROTO_TLS_BASIC
int32_t Tls12ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
{
int32_t ret = ClientRecvFinishedProcess(ctx, msg);
int32_t ret = RecvFinishedProcess(ctx, msg);
if (ret != HITLS_SUCCESS) {
return ret;
}
@@ -313,7 +313,7 @@ int32_t DtlsClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
return HS_ChangeState(ctx, TLS_CONNECTED);
}
#endif /* HITLS_BSL_UIO_UDP */
int32_t ret = ClientRecvFinishedProcess(ctx, msg);
int32_t ret = RecvFinishedProcess(ctx, msg);
if (ret != HITLS_SUCCESS) {
return ret;
}
@@ -332,7 +332,7 @@ int32_t DtlsClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
#ifdef HITLS_TLS_PROTO_TLS13
int32_t Tls13ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
{
int32_t ret = ClientRecvFinishedProcess(ctx, msg);
int32_t ret = RecvFinishedProcess(ctx, msg);
if (ret != HITLS_SUCCESS) {
return ret;
}
@@ -363,51 +363,10 @@ int32_t Tls13ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
#endif /* HITLS_TLS_HOST_CLIENT */
#ifdef HITLS_TLS_HOST_SERVER
int32_t ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
{
int32_t ret = 0;
HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
VerifyCtx *verifyCtx = hsCtx->verifyCtx;
uint8_t verifyData[MAX_DIGEST_SIZE] = {0};
uint32_t verifyDataSize = MAX_DIGEST_SIZE;
const FinishedMsg *finished = &msg->body.finished;
ret = VERIFY_GetVerifyData(verifyCtx, verifyData, &verifyDataSize);
if (ret != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15742, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"server get client finished verify data error.", 0, 0, 0, 0);
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
return ret;
}
ret = CheckFinishedVerifyData(finished, verifyData, verifyDataSize);
if (ret != HITLS_SUCCESS) {
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL);
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15743, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"server verify client finished data error.", 0, 0, 0, 0);
if (ret == HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL) {
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECRYPT_ERROR);
} else {
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECODE_ERROR);
}
return HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL;
}
#ifdef HITLS_TLS_FEATURE_SESSION
ret = HsSetSessionInfo(ctx);
if (ret != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15897, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"set session information failed.", 0, 0, 0, 0);
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
return ret;
}
#endif /* HITLS_TLS_FEATURE_SESSION */
return HITLS_SUCCESS;
}
#ifdef HITLS_TLS_PROTO_TLS_BASIC
int32_t Tls12ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
{
int32_t ret = ServerRecvFinishedProcess(ctx, msg);
int32_t ret = RecvFinishedProcess(ctx, msg);
if (ret != HITLS_SUCCESS) {
return ret;
}
@@ -438,7 +397,7 @@ int32_t DtlsServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
return HS_ChangeState(ctx, TLS_CONNECTED);
}
#endif /* HITLS_BSL_UIO_UDP */
int32_t ret = ServerRecvFinishedProcess(ctx, msg);
int32_t ret = RecvFinishedProcess(ctx, msg);
if (ret != HITLS_SUCCESS) {
return ret;
}
@@ -467,7 +426,7 @@ int32_t Tls13ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY);
ctx->plainAlertForbid = true;
int32_t ret = ServerRecvFinishedProcess(ctx, msg);
int32_t ret = RecvFinishedProcess(ctx, msg);
if (ret != HITLS_SUCCESS) {
return ret;
}
@@ -490,7 +449,7 @@ int32_t Tls13ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
if (ret != HITLS_SUCCESS) {
return ret;
}
#ifdef HITLS_TLS_FEATURE_PHA
#if defined(HITLS_TLS_FEATURE_PHA) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)
if (ctx->phaState == PHA_EXTENSION && ctx->config.tlsConfig.isSupportClientVerify) {
SAL_CRYPT_DigestFree(ctx->phaHash);
ctx->phaHash = SAL_CRYPT_DigestCopy(ctx->hsCtx->verifyCtx->hashCtx);
@@ -501,7 +460,7 @@ int32_t Tls13ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
return HITLS_CRYPT_ERR_DIGEST;
}
}
#endif /* HITLS_TLS_FEATURE_PHA */
#endif /* HITLS_TLS_FEATURE_PHA && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
}
#ifdef HITLS_TLS_FEATURE_SESSION_TICKET
/* When ticketNums is 0, no ticket is sent */
+6 -26
View File
@@ -124,6 +124,7 @@ static int32_t ClientCheckServerName(TLS_Ctx *ctx, const ServerHelloMsg *serverH
return HITLS_SUCCESS;
}
#endif /* HITLS_TLS_FEATURE_SNI */
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
static int32_t ClientCheckExtendedMasterSecret(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
{
if ((!ctx->hsCtx->extFlag.haveExtendedMasterSecret) && serverHello->haveExtendedMasterSecret) {
@@ -171,6 +172,7 @@ static int32_t ClientCheckExtendedMasterSecret(TLS_Ctx *ctx, const ServerHelloMs
serverHello->haveExtendedMasterSecret);
return HITLS_SUCCESS;
}
#endif
#ifdef HITLS_TLS_PROTO_TLS13
static int32_t ClientCheckKeyShare(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
{
@@ -340,7 +342,7 @@ static int32_t ClientCheckEncryptThenMac(TLS_Ctx *ctx, const ServerHelloMsg *ser
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
}
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
/* During renegotiation, EncryptThenMac cannot be converted to MacThenEncrypt */
if (ctx->negotiatedInfo.isRenegotiation && ctx->negotiatedInfo.isEncryptThenMac &&
!serverHello->haveEncryptThenMac) {
@@ -350,7 +352,7 @@ static int32_t ClientCheckEncryptThenMac(TLS_Ctx *ctx, const ServerHelloMsg *ser
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR);
return HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR;
}
#endif
/* This extension does not need to be negotiated for tls1.3 */
if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
return HITLS_SUCCESS;
@@ -413,7 +415,9 @@ static int32_t ClientCheckExtensionsFlag(TLS_Ctx *ctx, const ServerHelloMsg *ser
#ifdef HITLS_TLS_FEATURE_SNI
ClientCheckServerName,
#endif /* HITLS_TLS_FEATURE_SNI */
#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET
ClientCheckExtendedMasterSecret,
#endif
#ifdef HITLS_TLS_FEATURE_ALPN
ClientCheckNegotiatedAlpnOfServerHello,
#endif /* HITLS_TLS_FEATURE_ALPN */
@@ -899,25 +903,6 @@ static int32_t ClientCheckHrrKeyShareExtension(TLS_Ctx *ctx, const ServerHelloMs
return HITLS_SUCCESS;
}
/* If an implementation receives an extension
* which it recognizes and which is not specified for the message in
* which it appears, it MUST abort the handshake with an
* "illegal_parameter" alert. */
static int32_t ClientCheckHrrExtraExtension(TLS_Ctx *ctx, const ServerHelloMsg *helloRetryRequest)
{
if (helloRetryRequest->haveServerName || helloRetryRequest->haveExtendedMasterSecret ||
helloRetryRequest->havePointFormats || helloRetryRequest->haveSelectedAlpn ||
helloRetryRequest->haveSelectedIdentity || helloRetryRequest->haveSecRenego || helloRetryRequest->haveTicket ||
helloRetryRequest->haveEncryptThenMac) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17092, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"these extensions are not specified in the hrr message", 0, 0, 0, 0);
ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
}
return HITLS_SUCCESS;
}
static int32_t ClientCheckHrrCookieExtension(TLS_Ctx *ctx, const ServerHelloMsg *helloRetryRequest)
{
if (helloRetryRequest->haveCookie == false) {
@@ -946,11 +931,6 @@ static int32_t Tls13ClientCheckHrrExtension(TLS_Ctx *ctx, const ServerHelloMsg *
return ret;
}
/* Check whether there are redundant extensions */
ret = ClientCheckHrrExtraExtension(ctx, helloRetryRequest);
if (ret != HITLS_SUCCESS) {
return ret;
}
/* Check the key share extension */
ret = ClientCheckHrrCookieExtension(ctx, helloRetryRequest);
+5 -2
View File
@@ -108,8 +108,10 @@ static int32_t ProcessSendHandshakeMsg(TLS_Ctx *ctx)
return ServerSendServerHelloProcess(ctx);
case TRY_SEND_SERVER_KEY_EXCHANGE:
return ServerSendServerKeyExchangeProcess(ctx);
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
case TRY_SEND_CERTIFICATE_REQUEST:
return ServerSendCertRequestProcess(ctx);
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
case TRY_SEND_SERVER_HELLO_DONE:
return ServerSendServerHelloDoneProcess(ctx);
#ifdef HITLS_TLS_FEATURE_SESSION_TICKET
@@ -166,8 +168,10 @@ static int32_t Tls13ProcessSendHandshakeMsg(TLS_Ctx *ctx)
return Tls13ServerSendServerHelloProcess(ctx);
case TRY_SEND_ENCRYPTED_EXTENSIONS:
return Tls13ServerSendEncryptedExtensionsProcess(ctx);
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
case TRY_SEND_CERTIFICATE_REQUEST:
return Tls13ServerSendCertRequestProcess(ctx);
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
case TRY_SEND_NEW_SESSION_TICKET:
return Tls13SendNewSessionTicketProcess(ctx);
#endif /* HITLS_TLS_HOST_SERVER */
@@ -198,9 +202,8 @@ static int32_t Tls13ProcessSendHandshakeMsg(TLS_Ctx *ctx)
return Tls13SendKeyUpdateProcess(ctx);
#endif
default:
break;
return RETURN_ERROR_NUMBER_PROCESS(HITLS_MSG_HANDLE_STATE_ILLEGAL, BINLOG_ID17101, "Handshake state error");
}
return RETURN_ERROR_NUMBER_PROCESS(HITLS_MSG_HANDLE_STATE_ILLEGAL, BINLOG_ID17101, "Handshake state error");
}
#endif /* HITLS_TLS_PROTO_TLS13 */
int32_t HS_SendMsgProcess(TLS_Ctx *ctx)
+2 -2
View File
@@ -13,7 +13,7 @@
* See the Mulan PSL v2 for more details.
*/
#include "hitls_build.h"
#ifdef HITLS_TLS_HOST_SERVER
#if defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)
#include "tls_binlog_id.h"
#include "bsl_log_internal.h"
#include "bsl_log.h"
@@ -110,4 +110,4 @@ int32_t Tls13ServerSendCertRequestProcess(TLS_Ctx *ctx)
return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE);
}
#endif /* HITLS_TLS_PROTO_TLS13 */
#endif /* HITLS_TLS_HOST_SERVER */
#endif /* HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
@@ -63,6 +63,7 @@ int32_t SendCertificateProcess(TLS_Ctx *ctx)
if (IsNeedServerKeyExchange(ctx) == true) {
return HS_ChangeState(ctx, TRY_SEND_SERVER_KEY_EXCHANGE);
}
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
/* The server sends CertificateRequest only when the isSupportClientVerify mode is enabled */
if (ctx->config.tlsConfig.isSupportClientVerify) {
/* isSupportClientOnceVerify specifies whether the CR is sent only in the initial handshake phase. */
@@ -72,6 +73,7 @@ int32_t SendCertificateProcess(TLS_Ctx *ctx)
return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST);
}
}
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO_DONE);
}
#endif /* HITLS_TLS_PROTO_TLS_BASIC || HITLS_TLS_PROTO_DTLS12 */
+2 -2
View File
@@ -43,13 +43,13 @@
static int32_t ClientPrepareSession(TLS_Ctx *ctx)
{
HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
#ifdef HITLS_TLS_FEATURE_RENEGOTIATION
/* If the session cannot be resumed during renegotiation, delete the session */
if (ctx->negotiatedInfo.isRenegotiation && !ctx->config.tlsConfig.isResumptionOnRenego) {
HITLS_SESS_Free(ctx->session);
ctx->session = NULL;
}
#endif
if (ctx->session != NULL) {
uint64_t curTime = (uint64_t)BSL_SAL_CurrentSysTimeGet();
if (!SESS_CheckValidity(ctx->session, curTime)) {
@@ -72,6 +72,7 @@ int32_t Tls13ServerSendEncryptedExtensionsProcess(TLS_Ctx *ctx)
if (ctx->hsCtx->kxCtx->pskInfo13.psk != NULL) {
return HS_ChangeState(ctx, TRY_SEND_FINISH);
}
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
/* The server sends a CertificateRequest message only when the VerifyPeer mode is enabled */
if (ctx->config.tlsConfig.isSupportClientVerify
#ifdef HITLS_TLS_FEATURE_PHA
@@ -80,6 +81,7 @@ int32_t Tls13ServerSendEncryptedExtensionsProcess(TLS_Ctx *ctx)
) {
return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST);
}
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE);
}
#endif /* HITLS_TLS_PROTO_TLS13 && HITLS_TLS_HOST_SERVER */
@@ -287,7 +287,7 @@ int32_t ServerSendServerKeyExchangeProcess(TLS_Ctx *ctx)
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15750, BSL_LOG_LEVEL_INFO, BSL_LOG_BINLOG_TYPE_RUN,
"server send keyExchange msg success.", 0, 0, 0, 0);
#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
/* Update the state machine. If the CertificateRequest message does not need to be sent, the system directly
* switches to theSend_SERVER_HELLO_DONE state */
if (ctx->negotiatedInfo.cipherSuiteInfo.authAlg != HITLS_AUTH_NULL &&
@@ -298,6 +298,7 @@ int32_t ServerSendServerKeyExchangeProcess(TLS_Ctx *ctx)
return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST);
}
}
#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */
/* Make sure the client will always send a certificate message, because ECDHE relies on the client's encrypted
* certificate, even if the client does not require authentication (isSupportClientVerify equals false). */
#ifdef HITLS_TLS_PROTO_TLCP11
-1
View File
@@ -165,7 +165,6 @@ bool CFG_GetSignParamBySchemes(const HITLS_Ctx *ctx, HITLS_SignHashAlgo scheme,
*/
uint8_t CFG_GetCertTypeByCipherSuite(uint16_t cipherSuite);
/**
* @brief get the group name of the ecdsa
*
+2
View File
@@ -122,7 +122,9 @@ typedef enum {
CM_STATE_RENEGOTIATION,
CM_STATE_ALERTING,
CM_STATE_ALERTED,
#ifdef HITLS_TLS_PROTO_CLOSE_STATE
CM_STATE_CLOSED,
#endif
CM_STATE_END
} CM_State;
+1 -1
View File
@@ -121,7 +121,7 @@ typedef struct TlsConfig {
BSL_SAL_RefCount references; /* reference count */
HITLS_Lib_Ctx *libCtx; /* library context */
const char *attrName; /* attrName */
#ifdef HITLS_TLS_FEATURE_PROVIDER
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
TLS_GroupInfo *groupInfo;
uint32_t groupInfolen;
uint32_t groupInfoSize;
+2 -2
View File
@@ -14,7 +14,7 @@
*/
#include "hitls_build.h"
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY)
#include "rec_anti_replay.h"
#define REC_SLID_WINDOW_SIZE 64
@@ -66,4 +66,4 @@ void RecAntiReplayUpdate(RecSlidWindow *w, uint64_t seq)
w->window |= 1;
}
}
#endif /* HITLS_TLS_PROTO_DTLS12 && HITLS_BSL_UIO_UDP */
#endif /* HITLS_TLS_PROTO_DTLS12 && HITLS_BSL_UIO_UDP && HITLS_TLS_FEATURE_ANTI_REPLAY */
+7 -5
View File
@@ -231,8 +231,6 @@ static int32_t RecordUnexpectedMsg(TLS_Ctx *ctx, RecBuf *decryptBuf, REC_Type re
case REC_TYPE_APP:
ret = RecBufListAddBuffer(ctx->recCtx->appRecList, decryptBuf);
break;
case REC_TYPE_CHANGE_CIPHER_SPEC:
case REC_TYPE_ALERT:
default:
ret = ctx->method.unexpectedMsgProcessCb(ctx, recordType,
decryptBuf->buf, decryptBuf->end, false);
@@ -596,7 +594,7 @@ static uint8_t *GetUnprocessedMsg(RecCtx *recordCtx, REC_Type recordType, RecHdr
return recordBody;
}
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY)
static int32_t AntiReplay(TLS_Ctx *ctx, RecHdr *hdr)
{
/* In non-UDP scenarios, anti-replay check is not required */
@@ -650,7 +648,7 @@ static int32_t DtlsGetRecord(TLS_Ctx *ctx, REC_Type recordType, RecHdr *hdr, uin
return ret;
}
}
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY)
ret = AntiReplay(ctx, hdr);
if (ret != HITLS_SUCCESS) {
BSL_SAL_FREE(*cachRecord);
@@ -715,13 +713,15 @@ int32_t DtlsRecordRead(TLS_Ctx *ctx, REC_Type recordType, uint8_t *data, uint32_
if (ret != HITLS_SUCCESS) {
return ret;
}
#if defined(HITLS_BSL_UIO_UDP)
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY)
/* In UDP scenarios, update the sliding window flag */
if (BSL_UIO_GetUioChainTransportType(ctx->uio, BSL_UIO_UDP)) {
RecAntiReplayUpdate(&GetReadConnState(ctx)->window, REC_SEQ_GET(hdr.epochSeq));
}
#endif
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
ctx->method.clearAlert(ctx, cryptMsg.type);
#endif
#ifdef HITLS_TLS_FEATURE_MODE_RELEASE_BUFFERS
if ((ctx->config.tlsConfig.modeSupport & HITLS_MODE_RELEASE_BUFFERS) != 0 && (recordType == REC_TYPE_APP)) {
RecTryFreeRecBuf(ctx, false);
@@ -1047,7 +1047,9 @@ int32_t TlsRecordRead(TLS_Ctx *ctx, REC_Type recordType, uint8_t *data, uint32_t
if (ret != HITLS_SUCCESS) {
return ret;
}
#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER
ctx->method.clearAlert(ctx, encryptedMsg.type);
#endif
#ifdef HITLS_TLS_FEATURE_MODE_RELEASE_BUFFERS
if ((ctx->config.tlsConfig.modeSupport & HITLS_MODE_RELEASE_BUFFERS) != 0 && (recordType == REC_TYPE_APP)) {
RecTryFreeRecBuf(ctx, false);
+7 -1
View File
@@ -114,9 +114,11 @@ static uint32_t RecGetReadBufferSize(const TLS_Ctx *ctx)
if (ctx->negotiatedInfo.recordSizeLimit != 0 &&
ctx->negotiatedInfo.recordSizeLimit <= REC_MAX_PLAIN_TEXT_LENGTH) {
recSize -= REC_MAX_PLAIN_TEXT_LENGTH - ctx->negotiatedInfo.recordSizeLimit;
#ifdef HITLS_TLS_PROTO_TLS13
if (GET_VERSION_FROM_CTX(ctx) == HITLS_VERSION_TLS13) {
recSize--;
}
#endif
}
return recSize;
}
@@ -134,9 +136,11 @@ static uint32_t RecGetWriteBufferSize(const TLS_Ctx *ctx)
recSize -= REC_MAX_PLAIN_TEXT_LENGTH - maxSendFragment;
if (ctx->negotiatedInfo.peerRecordSizeLimit != 0 && ctx->negotiatedInfo.peerRecordSizeLimit <= maxSendFragment) {
recSize -= maxSendFragment - ctx->negotiatedInfo.peerRecordSizeLimit;
#ifdef HITLS_TLS_PROTO_TLS13
if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
recSize--;
}
#endif
}
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
RecCmpPmtu(ctx, &recSize);
@@ -576,7 +580,7 @@ int32_t REC_ActivePendingState(TLS_Ctx *ctx, bool isOut)
} else {
++recordCtx->readEpoch;
RecConnSetEpoch(states->currentState, recordCtx->readEpoch);
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY)
RecAntiReplayReset(&states->currentState->window);
#endif
}
@@ -599,9 +603,11 @@ static uint32_t REC_GetRecordSizeLimitWriteLen(const TLS_Ctx *ctx)
#endif
if (ctx->negotiatedInfo.recordSizeLimit != 0 && ctx->negotiatedInfo.peerRecordSizeLimit <= defaultLen) {
defaultLen = ctx->negotiatedInfo.peerRecordSizeLimit;
#ifdef HITLS_TLS_PROTO_TLS13
if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
defaultLen--;
}
#endif
}
return defaultLen;
}