diff --git a/config/json/feature.json b/config/json/feature.json index 4616bdba..10f090b5 100644 --- a/config/json/feature.json +++ b/config/json/feature.json @@ -266,7 +266,10 @@ "opts": ["proto"] }, "callback": { - "feature_provider": null, + "feature_provider": { + "feature_provider_hard_coding":null, + "feature_provider_dynamic":null + }, "callback_sal" :null, "callback_cert": { "deps": ["callback_sal"] @@ -309,7 +312,12 @@ }, "feature_key_update": null, "feature_flight": null, - "feature_cert_mode": null, + "feature_cert_mode": { + "feature_cert_mode_client_verify": null, + "feature_cert_mode_verify_peer": null + }, + "feature_anti_replay": null, + "feature_extended_master_secret": null, "feature_record_size_limit": null, "feature_kem": null, "feature_client_hello_cb": null, @@ -326,7 +334,14 @@ "opts": [ ["host", "host_client", "host_server"], ["uio_sctp", "uio_tcp", "uio_udp", "uio_plt"] - ] + ], + "proto_dfx": { + "proto_dfx_check": null, + "proto_dfx_info": null, + "proto_dfx_alert_number": null, + "proto_dfx_server_prefer": null + }, + "proto_close_state": null }, "config": { "config_manual_dh": null, diff --git a/config/macro_config/hitls_config_layer_tls.h b/config/macro_config/hitls_config_layer_tls.h index 67280492..d13dd986 100644 --- a/config/macro_config/hitls_config_layer_tls.h +++ b/config/macro_config/hitls_config_layer_tls.h @@ -101,6 +101,27 @@ #endif #endif +#ifdef HITLS_TLS_FEATURE_PROVIDER + #ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC + #define HITLS_TLS_FEATURE_PROVIDER_DYNAMIC + #endif + #ifndef HITLS_TLS_FEATURE_PROVIDER_HARD_CODING + #define HITLS_TLS_FEATURE_PROVIDER_HARD_CODING + #endif +#endif + +#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC + #ifdef HITLS_TLS_FEATURE_PROVIDER_HARD_CODING + #undef HITLS_TLS_FEATURE_PROVIDER_HARD_CODING + #endif +#endif + +#if defined(HITLS_TLS_FEATURE_PROVIDER_DYNAMIC) || defined(HITLS_TLS_FEATURE_PROVIDER_HARD_CODING) + #ifndef HITLS_TLS_FEATURE_PROVIDER + #define HITLS_TLS_FEATURE_PROVIDER + #endif +#endif + #if defined(HITLS_TLS_FEATURE_PROVIDER) #ifdef HITLS_TLS_CALLBACK_SAL #undef HITLS_TLS_CALLBACK_SAL @@ -182,6 +203,12 @@ #ifndef HITLS_TLS_FEATURE_CUSTOM_EXTENSION #define HITLS_TLS_FEATURE_CUSTOM_EXTENSION #endif + #ifndef HITLS_TLS_FEATURE_ANTI_REPLAY + #define HITLS_TLS_FEATURE_ANTI_REPLAY + #endif + #ifndef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET + #define HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET + #endif #ifndef HITLS_TLS_FEATURE_REC_INBUFFER_SIZE #define HITLS_TLS_FEATURE_REC_INBUFFER_SIZE #endif @@ -206,6 +233,21 @@ #define HITLS_PKI_X509_CRT_AUTH #endif +#ifdef HITLS_TLS_FEATURE_SESSION + #ifndef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET + #define HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET + #endif + #ifndef HITLS_TLS_PROTO_CLOSE_STATE + #define HITLS_TLS_PROTO_CLOSE_STATE + #endif +#endif + +#ifdef HITLS_BSL_UIO_UDP + #ifndef HITLS_TLS_FEATURE_ANTI_REPLAY + #define HITLS_TLS_FEATURE_ANTI_REPLAY + #endif +#endif + #ifdef HITLS_TLS_FEATURE_SESSION #ifndef HITLS_TLS_FEATURE_SESSION_TICKET #define HITLS_TLS_FEATURE_SESSION_TICKET @@ -236,6 +278,26 @@ #endif #endif +#ifdef HITLS_TLS_FEATURE_CERT_MODE + #ifndef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER + #define HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER + #endif + #ifndef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY + #define HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY + #endif +#endif + +#ifdef HITLS_TLS_PROTO_TLCP11 + #ifndef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY + #define HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY + #endif +#endif + +#if (defined(HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER) || defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) && \ + !defined(HITLS_TLS_FEATURE_CERT_MODE) + #define HITLS_TLS_FEATURE_CERT_MODE +#endif + #if defined(HITLS_TLS_FEATURE_MODE_FALL_BACK_SCSV) || defined(HITLS_TLS_FEATURE_MODE_AUTO_RETRY) || \ defined(HITLS_TLS_FEATURE_MODE_ACCEPT_MOVING_WRITE_BUFFER) || defined(HITLS_TLS_FEATURE_MODE_RELEASE_BUFFERS) #ifndef HITLS_TLS_FEATURE_MODE @@ -285,6 +347,30 @@ #ifndef HITLS_CRYPTO_EAL #define HITLS_CRYPTO_EAL #endif + #ifndef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET + #define HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET + #endif + #ifndef HITLS_TLS_PROTO_CLOSE_STATE + #define HITLS_TLS_PROTO_CLOSE_STATE + #endif + #ifndef HITLS_TLS_PROTO_DFX + #define HITLS_TLS_PROTO_DFX + #endif +#endif + +#ifdef HITLS_TLS_PROTO_DFX + #ifndef HITLS_TLS_PROTO_DFX_CHECK + #define HITLS_TLS_PROTO_DFX_CHECK + #endif + #ifndef HITLS_TLS_PROTO_DFX_INFO + #define HITLS_TLS_PROTO_DFX_INFO + #endif + #ifndef HITLS_TLS_PROTO_DFX_ALERT_NUMBER + #define HITLS_TLS_PROTO_DFX_ALERT_NUMBER + #endif + #ifndef HITLS_TLS_PROTO_DFX_SERVER_PREFER + #define HITLS_TLS_PROTO_DFX_SERVER_PREFER + #endif #endif // suite_cipher diff --git a/crypto/provider/src/default/crypt_default_provider.c b/crypto/provider/src/default/crypt_default_provider.c index c532c4f2..b72b8e48 100644 --- a/crypto/provider/src/default/crypt_default_provider.c +++ b/crypto/provider/src/default/crypt_default_provider.c @@ -27,7 +27,7 @@ #include "crypt_algid.h" #include "crypt_errno.h" #include "crypt_params_key.h" -#ifdef HITLS_TLS_FEATURE_PROVIDER +#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC #include "hitls_crypt_type.h" #include "hitls_cert_type.h" #include "hitls_type.h" @@ -615,7 +615,7 @@ static void CRYPT_EAL_DefaultProvFree(void *provCtx) BSL_SAL_Free(provCtx); } -#ifdef HITLS_TLS_FEATURE_PROVIDER +#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC #define TLS_GROUP_PARAM_COUNT 11 #define TLS_SIGN_SCHEME_PARAM_COUNT 18 typedef struct { @@ -1267,13 +1267,13 @@ static int32_t CRYPT_EAL_DefaultProvGetCaps(void *provCtx, int32_t cmd, CRYPT_EA return CRYPT_NOT_SUPPORT; } } -#endif +#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */ static CRYPT_EAL_Func g_defEalProvOutFuncs[] = { {CRYPT_EAL_PROVCB_QUERY, CRYPT_EAL_DefaultProvQuery}, {CRYPT_EAL_PROVCB_FREE, CRYPT_EAL_DefaultProvFree}, {CRYPT_EAL_PROVCB_CTRL, NULL}, -#ifdef HITLS_TLS_FEATURE_PROVIDER +#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC {CRYPT_EAL_PROVCB_GETCAPS, CRYPT_EAL_DefaultProvGetCaps}, #endif CRYPT_EAL_FUNC_END diff --git a/include/bsl/bsl_sal.h b/include/bsl/bsl_sal.h index 2e24b5a1..014a1de7 100644 --- a/include/bsl/bsl_sal.h +++ b/include/bsl/bsl_sal.h @@ -279,10 +279,8 @@ void BSL_SAL_ClearFree(void *ptr, uint32_t size); #define BSL_SAL_FREE(value_) \ do { \ - if ((value_) != NULL) { \ - BSL_SAL_Free((void *)(value_)); \ - (value_) = NULL; \ - } \ + BSL_SAL_Free((void *)(value_)); \ + (value_) = NULL; \ } while (0) /** diff --git a/script/config_parser.py b/script/config_parser.py index 24b11204..631e0476 100644 --- a/script/config_parser.py +++ b/script/config_parser.py @@ -545,10 +545,7 @@ class FeatureConfigParser: else: is_fea_contained = False while 'parent' in rel: - if rel['parent'] in disables: - raise Exception("The 'disables' features {} and 'enables' featrues {} conflict".format(fea, disables)) - - if rel['parent'] in features: + if rel['parent'] in disables or rel['parent'] in features: is_fea_contained = True break rel = feas_info[rel['parent']] diff --git a/testcode/framework/tls/msg/src/frame_msg_method.c b/testcode/framework/tls/msg/src/frame_msg_method.c index 74cc2ade..06d4c4e5 100644 --- a/testcode/framework/tls/msg/src/frame_msg_method.c +++ b/testcode/framework/tls/msg/src/frame_msg_method.c @@ -149,12 +149,12 @@ static int32_t SetLinkConfig(uint16_t version, HITLS_KeyExchAlgo keyExAlgo, Link HITLS_CFG_SetCheckKeyUsage(linkPara->config, false); #endif /* HITLS_TLS_CONFIG_KEY_USAGE */ -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY int32_t ret = HITLS_CFG_SetClientVerifySupport(linkPara->config, true); if (ret != HITLS_SUCCESS) { return ret; } -#endif /* HITLS_TLS_FEATURE_CERT_MODE */ +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ if (keyExAlgo == HITLS_KEY_EXCH_DHE) { uint16_t cipherSuites[] = {HITLS_DHE_RSA_WITH_AES_128_GCM_SHA256}; HITLS_CFG_SetCipherSuites(linkPara->config, cipherSuites, sizeof(cipherSuites) / sizeof(uint16_t)); diff --git a/testcode/framework/tls/msg/src/frame_pack_msg.c b/testcode/framework/tls/msg/src/frame_pack_msg.c index a38ba438..46a8b8df 100644 --- a/testcode/framework/tls/msg/src/frame_pack_msg.c +++ b/testcode/framework/tls/msg/src/frame_pack_msg.c @@ -1193,47 +1193,32 @@ static int32_t PackNewSessionTicketMsg(FRAME_Type *type, const FRAME_NewSessionT static int32_t PackHsMsgBody(FRAME_Type *type, const FRAME_Msg *msg, uint8_t *buf, uint32_t bufLen, uint32_t *usedLen) { - int32_t ret; - const FRAME_HsMsg *hsMsg = &(msg->body.hsMsg); switch (type->handshakeType) { case CLIENT_HELLO: - ret = PackClientHelloMsg(&(hsMsg->body.clientHello), buf, bufLen, usedLen); - break; + return PackClientHelloMsg(&(hsMsg->body.clientHello), buf, bufLen, usedLen); case SERVER_HELLO: - ret = PackServerHelloMsg(&(hsMsg->body.serverHello), buf, bufLen, usedLen); - break; + return PackServerHelloMsg(&(hsMsg->body.serverHello), buf, bufLen, usedLen); case CERTIFICATE: - ret = PackCertificateMsg(type, &(hsMsg->body.certificate), buf, bufLen, usedLen); - break; + return PackCertificateMsg(type, &(hsMsg->body.certificate), buf, bufLen, usedLen); case SERVER_KEY_EXCHANGE: - ret = PackServerKeyExchangeMsg(type, &(hsMsg->body.serverKeyExchange), buf, bufLen, usedLen); - break; + return PackServerKeyExchangeMsg(type, &(hsMsg->body.serverKeyExchange), buf, bufLen, usedLen); case CERTIFICATE_REQUEST: - ret = PackCertificateRequestMsg(type, &(hsMsg->body.certificateReq), buf, bufLen, usedLen); - break; + return PackCertificateRequestMsg(type, &(hsMsg->body.certificateReq), buf, bufLen, usedLen); case SERVER_HELLO_DONE: - ret = PackServerHelloDoneMsg(&(hsMsg->body.serverHelloDone), buf, bufLen, usedLen); - break; + return PackServerHelloDoneMsg(&(hsMsg->body.serverHelloDone), buf, bufLen, usedLen); case CLIENT_KEY_EXCHANGE: - ret = PackClientKeyExchangeMsg(type, &(hsMsg->body.clientKeyExchange), buf, bufLen, usedLen); - break; + return PackClientKeyExchangeMsg(type, &(hsMsg->body.clientKeyExchange), buf, bufLen, usedLen); case CERTIFICATE_VERIFY: - ret = PackCertificateVerifyMsg(type, &(hsMsg->body.certificateVerify), buf, bufLen, usedLen); - break; + return PackCertificateVerifyMsg(type, &(hsMsg->body.certificateVerify), buf, bufLen, usedLen); case FINISHED: - ret = PackFinishedMsg(&(hsMsg->body.finished), buf, bufLen, usedLen); - break; + return PackFinishedMsg(&(hsMsg->body.finished), buf, bufLen, usedLen); case NEW_SESSION_TICKET: - ret = PackNewSessionTicketMsg(type, &(hsMsg->body.newSessionTicket), buf, bufLen, usedLen); - break; + return PackNewSessionTicketMsg(type, &(hsMsg->body.newSessionTicket), buf, bufLen, usedLen); default: - ret = HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG; - break; + return HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG; } - - return ret; } static int32_t PackHandShakeMsg(FRAME_Type *type, const FRAME_Msg *msg, diff --git a/testcode/framework/tls/rpc/src/hitls_func.c b/testcode/framework/tls/rpc/src/hitls_func.c index 7be68098..f50c09de 100644 --- a/testcode/framework/tls/rpc/src/hitls_func.c +++ b/testcode/framework/tls/rpc/src/hitls_func.c @@ -510,12 +510,14 @@ int HitlsSetCtx(HITLS_Config *outCfg, HLT_Ctx_Config *inCtxCfg) ret = HITLS_CFG_SetVersion(outCfg, inCtxCfg->minVersion, inCtxCfg->maxVersion); ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetVersion Error ERROR"); } +#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER if (inCtxCfg->SupportType == SERVER_CFG_SET_TRUE) { HITLS_CFG_SetCipherServerPreference(outCfg, true); } if (inCtxCfg->SupportType == SERVER_CFG_SET_FALSE) { HITLS_CFG_SetCipherServerPreference(outCfg, false); } +#endif #ifdef HITLS_TLS_FEATURE_RENEGOTIATION // Setting Renegotiation LOG_DEBUG("HiTLS Set Support Renegotiation is %d", inCtxCfg->isSupportRenegotiation); @@ -526,15 +528,16 @@ int HitlsSetCtx(HITLS_Config *outCfg, HLT_Ctx_Config *inCtxCfg) ret = HITLS_CFG_SetClientRenegotiateSupport(outCfg, inCtxCfg->allowClientRenegotiate); ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetClientRenegotiateSupport ERROR"); #endif -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY // Whether to enable dual-ended verification LOG_DEBUG("HiTLS Set Support Client Verify is %d", inCtxCfg->isSupportClientVerify); ret = HITLS_CFG_SetClientVerifySupport(outCfg, inCtxCfg->isSupportClientVerify); ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetClientVerifySupport ERROR"); +#endif LOG_DEBUG("HiTLS Set readAhead is %d", inCtxCfg->readAhead); ret = HITLS_CFG_SetReadAhead(outCfg, inCtxCfg->readAhead); ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetReadAhead ERROR"); - +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY // Indicates whether to allow empty certificate list on the client. LOG_DEBUG("HiTLS Set Support Not Client Cert is %d", inCtxCfg->isSupportNoClientCert); ret = HITLS_CFG_SetNoClientCertSupport(outCfg, inCtxCfg->isSupportNoClientCert); @@ -721,7 +724,7 @@ int HitlsSetCtx(HITLS_Config *outCfg, HLT_Ctx_Config *inCtxCfg) ASSERT_RETURN(ret == SUCCESS, "HITLS_CFG_SetKeyExchMode ERROR"); } #endif -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER // Set whether to enable isSupportVerifyNone; LOG_DEBUG("HiTLS Set Support pha is %d", inCtxCfg->isSupportVerifyNone); ret = HITLS_CFG_SetVerifyNoneSupport(outCfg, inCtxCfg->isSupportVerifyNone); @@ -811,12 +814,14 @@ const BSL_UIO_Method *GetDefaultMethod(HILT_TransportType type) int HitlsSetSsl(void *ssl, HLT_Ssl_Config *sslConfig) { int ret; +#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER if (sslConfig->SupportType == SERVER_CTX_SET_TRUE) { HITLS_SetCipherServerPreference((HITLS_Ctx *)ssl, true); } if (sslConfig->SupportType == SERVER_CTX_SET_FALSE) { HITLS_SetCipherServerPreference((HITLS_Ctx *)ssl, false); } +#endif HILT_TransportType type = (sslConfig->connType == NONE_TYPE) ? SCTP : sslConfig->connType; BSL_UIO *uio = BSL_UIO_New(GetDefaultMethod(type)); diff --git a/testcode/script/all_mini_test.sh b/testcode/script/all_mini_test.sh index f13fd131..b859a18c 100755 --- a/testcode/script/all_mini_test.sh +++ b/testcode/script/all_mini_test.sh @@ -343,12 +343,14 @@ test_pkey() test_tls() { + include_path="-I${HITLS_ROOT_DIR}/testcode/script/mini_test_config" NO_LIB="" bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=tlcp_feature test=base,asn1,base64,buffer,err,hash,init,list,log,obj,params,pem,tlv,sal,sal_mem,sal_lock,sal_str,sal_file,sal_thread,sal_net,sal_time,aes,bn,chacha20,cmac_aes,drbg_ctr,drbg_hash,ecc,ecdh,ecdsa,entropy,gcm,hkdf,hpke,mlkem,mldsa,sha256,sha384,sha512,slh_dsa,sm2,sm3,sm4,x25519,curve_nistp256,curve_nistp384,curve_nistp521,x509_crl_gen,x509_crl_parse,x509_csr_gen,x509_csr_parse,x509_crt_gen,x509_crt_parse,x509_vfy,tlcp linux add-options="-DHITLS_SEED_DRBG_INIT_RAND_ALG=CRYPT_RAND_SHA256" add-options="-DHITLS_CRYPTO_ENTROPY_DEVRANDOM" add-options="-DHITLS_CRYPTO_MLKEM_CMP" add-options="-DHITLS_CRYPTO_MLDSA_CMP" bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=nokem_feature test=base linux bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=mtu_feature test=mtu linux bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=max_send_fragment_feature test=max_send_fragment linux bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=ca_list_feature test=ca_list linux + bash mini_build_test.sh $COMMON_PARAM $NO_LIB feature-config=no_dfx_feature test=no_dfx compile-config=no_dfx_compile include-path="${include_path}" linux } test_pki() diff --git a/testcode/script/mini_build_test.sh b/testcode/script/mini_build_test.sh index 6f2cd65e..eac3ab61 100755 --- a/testcode/script/mini_build_test.sh +++ b/testcode/script/mini_build_test.sh @@ -43,6 +43,7 @@ ENDIAN="little" ASAN_OPTIONS="" TLS_FLAG="" FEATURE_CONFIG_FILE="" +COMPILE_CONFIG_FILE="" INCLUDE_PATH="" print_usage() { @@ -129,6 +130,18 @@ parse_option() exit 1 fi ;; + "compile-config") + if [ -n "$ASM_TYPE" ]; then + COMPILE_CONFIG_FILE=$(find $HITLS_ROOT_DIR -name "${value}_${ASM_TYPE}.json" -type f | head -n 1) + fi + if [ -z "$COMPILE_CONFIG_FILE" ]; then + COMPILE_CONFIG_FILE=$(find $HITLS_ROOT_DIR -name "${value}.json" -type f | head -n 1) + fi + if [ -z "$COMPILE_CONFIG_FILE" ]; then + echo "Error: Cannot find compile config file '${value}.json' or '${value}.json' under $HITLS_ROOT_DIR" + exit 1 + fi + ;; "test") LIB_TYPE="static shared" TEST_FEATURE=$value @@ -247,6 +260,10 @@ mini_config() enables="--feature_config $MODIFIED_CONFIG_FILE" fi + if [ "$COMPILE_CONFIG_FILE" != "" ]; then + enables="$enables --compile_config $COMPILE_CONFIG_FILE" + fi + echo "python3 configure.py --lib_type $LIB_TYPE $enables --endian=$ENDIAN --bits=$BITS" python3 $HITLS_ROOT_DIR/configure.py --lib_type $LIB_TYPE $enables --endian=$ENDIAN --bits=$BITS diff --git a/testcode/script/mini_test_config/hitls_nodfx_config.h b/testcode/script/mini_test_config/hitls_nodfx_config.h new file mode 100644 index 00000000..249acc0b --- /dev/null +++ b/testcode/script/mini_test_config/hitls_nodfx_config.h @@ -0,0 +1,55 @@ +/* + * This file is part of the openHiTLS project. + * + * openHiTLS is licensed under the Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * + * http://license.coscl.org.cn/MulanPSL2 + * + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + */ +/* Derivation of configuration features. + * The derivation type (rule) and sequence are as follows: + * 1. Parent features derive child features. + * 2. Derive the features of dependencies. + * For example, if feature a depends on features b and c, you need to derive features b and c. + * 3. Child features derive parent features. + * The high-level interfaces of the crypto module is controlled by the parent feature macro, + * if there is no parent feature, such interfaces will be unavailable. + */ + +#ifndef NODFX_CONFIG_H +#define NODFX_CONFIG_H + +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET + #undef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET +#endif + +#ifdef HITLS_TLS_PROTO_CLOSE_STATE + #undef HITLS_TLS_PROTO_CLOSE_STATE +#endif + +#ifdef HITLS_TLS_PROTO_DFX + #undef HITLS_TLS_PROTO_DFX +#endif + +#ifdef HITLS_TLS_PROTO_DFX_CHECK + #undef HITLS_TLS_PROTO_DFX_CHECK +#endif + +#ifdef HITLS_TLS_PROTO_DFX_INFO + #undef HITLS_TLS_PROTO_DFX_INFO +#endif + +#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER + #undef HITLS_TLS_PROTO_DFX_ALERT_NUMBER +#endif + +#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER + #undef HITLS_TLS_PROTO_DFX_SERVER_PREFER +#endif +#endif /* NODFX_CONFIG_H */ \ No newline at end of file diff --git a/testcode/script/mini_test_config/no_dfx_compile.json b/testcode/script/mini_test_config/no_dfx_compile.json new file mode 100644 index 00000000..902de656 --- /dev/null +++ b/testcode/script/mini_test_config/no_dfx_compile.json @@ -0,0 +1,135 @@ +{ + "compileFlag": { + "common": { + "CC_OPT_LEVEL": [ + "-D_FORTIFY_SOURCE=2", + "-O2" + ], + "CC_OVERALL_FLAGS": ["-pipe"], + "CC_LANGUAGE_FLAGS": ["-fsigned-char"], + "CC_CDG_FLAGS": ["-fno-common"], + "CC_MD_DEPENDENT_FLAGS": [], + "CC_OPT_FLAGS": [ + "-fno-strict-aliasing", + "-fno-omit-frame-pointer" + ], + "CC_SEC_FLAGS": [ + "-fPIC", + "-fstack-protector-strong" + ], + "CC_DEBUG_FLAGS": [], + "CC_USER_DEFINE_FLAGS": [ + "-DHITLS_CONFIG_FILE=''", + "-I${HiTLS_SOURCE_ROOT_DIR}/testcode/script/mini_test_config/" + ], + "CC_WARN_FLAGS": [ + "-Werror", + "-Wextra", + "-Wcast-qual", + "-Wall", + "-Wfloat-equal", + "-Wshadow", + "-Wformat=2" + ], + "CC_DEFINE_FLAGS": [ + "-DHITLS_CRYPTO_EAL_REPORT", + "-DHITLS_CRYPTO_NIST_ECC_ACCELERATE", + "-DHITLS_CRYPTO_BN_COMBA", + "-DHITLS_CRYPTO_AES_PRECALC_TABLES", + "-DHITLS_AARCH64_PACIASP", + "-DHITLS_CRYPTO_SM2_PRECOMPUTE_512K_TBL" + ] + }, + "gcc": { + "CC_WARN_FLAGS_EXTRA": [ + "-Wdate-time", + "-Wno-stringop-overread" + ], + "CC_SEC_FLAGS_EXTRA": [ + "--param=ssp-buffer-size=4" + ] + }, + "clang": { + "CC_SEC_FLAGS_EXTRA": [ + "-Wno-unused-command-line-argument" + ] + }, + "apple-clang": { + "_inherit": "clang", + "CC_SEC_FLAGS_REMOVE": [ + "--param=ssp-buffer-size=4" + ], + "CC_DEFINE_FLAGS_REMOVE": [ + "-DHITLS_AARCH64_PACIASP" + ] + } + }, + "linkFlag": { + "common": { + "PUBLIC": [], + "SHARED": [], + "EXE": [] + }, + "gnu-ld": { + "PUBLIC": [ + "-Wl,-z,noexecstack", + "-Wl,-z,relro", + "-Wl,-z,now", + "-Wl,--build-id=none" + ], + "SHARED": [ + "-shared" + ], + "EXE": [ + "-pie" + ] + }, + "ld64": { + "PUBLIC": [ + "-Wl,-dead_strip" + ], + "SHARED": [ + "-dynamiclib" + ], + "EXE": [ + "-Wl,-pie" + ] + }, + "lld": { + "PUBLIC": [ + "-Wl,-z,noexecstack", + "-Wl,-z,relro", + "-Wl,-z,now", + "-Wl,--build-id=none", + "-Wl,--as-needed" + ], + "SHARED": [ + "-shared" + ], + "EXE": [ + "-pie" + ] + }, + "gold": { + "_inherit": "gnu-ld", + "PUBLIC_EXTRA": [ + "-Wl,--threads", + "-Wl,--thread-count=4" + ] + } + }, + "systemDefines": { + "common": {}, + "linux": { + "CC_DEFINE_FLAGS_EXTRA": [ + "-D_GNU_SOURCE" + ] + }, + "darwin": { + "CC_DEFINE_FLAGS_EXTRA": [ + "-D_DARWIN_C_SOURCE", + "-DHITLS_CRYPTO_NO_AUXVAL" + ] + } + } +} diff --git a/testcode/script/mini_test_config/no_dfx_feature.json b/testcode/script/mini_test_config/no_dfx_feature.json new file mode 100644 index 00000000..e9e2bf6b --- /dev/null +++ b/testcode/script/mini_test_config/no_dfx_feature.json @@ -0,0 +1,116 @@ +{ + "libType": [ + "static", + "shared" + ], + "libs": { + "hitls_bsl": { + "c": [ + "init", + "sal", + "sal_mem", + "sal_lock", + "log", + "err", + "hash", + "sal_str", + "sal_file", + "uio_buffer", + "uio_mem", + "uio_plt", + "uio_udp", + "sal_thread", + "sal_net", + "sal_time", + "tlv", + "base64", + "asn1", + "buffer", + "list", + "obj", + "params", + "pem" + ] + }, + "hitls_crypto": { + "asm": [ + "bn", + "chacha20", + "chacha20poly1305", + "aes", + "gcm", + "sha256", + "sha384", + "sha512", + "bn_rand", + "x25519", + "curve_nistp256", + "curve_nistp384", + "curve_nistp521", + "ecc", + "curve_sm2", + "sm3", + "sm4" + ], + "c": [ + "eal", + "ealinit", + "entropy", + "drbg_hash", + "sha256", + "sha384", + "sha512", + "hkdf", + "aes", + "gcm", + "chacha20", + "hpke", + "bn", + "x25519", + "curve_nistp256", + "curve_nistp384", + "curve_nistp521", + "drbg_ctr", + "cmac_aes", + "ecdsa", + "ecdh", + "ecc", + "mlkem", + "mldsa", + "slh_dsa", + "cbc", + "rsa", + "sha1", + "cipher", + "pkey", + "codecskey" + ] + }, + "hitls_tls": { + "c": [ + "callback_sal", + "callback_cert", + "callback_crypt", + "config", + "host", + "maintain", + "proto", + "proto_dtls12", + "proto_dtlcp11", + "feature_mtu_query", + "suite_ecdhe_rsa_with_aes_128_cbc_sha" + ] + }, + "hitls_pki": { + "c": [ + "info", + "pkcs12", + "x509" + ] + } + }, + "endian": "little", + "bits": 64, + "asmType": "no_asm", + "system": "linux" +} \ No newline at end of file diff --git a/testcode/sdv/testcase/tls/feature/test_suite_sdv_frame_no_dfx.c b/testcode/sdv/testcase/tls/feature/test_suite_sdv_frame_no_dfx.c new file mode 100644 index 00000000..b17fdecb --- /dev/null +++ b/testcode/sdv/testcase/tls/feature/test_suite_sdv_frame_no_dfx.c @@ -0,0 +1,133 @@ +/* + * This file is part of the openHiTLS project. + * + * openHiTLS is licensed under the Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * + * http://license.coscl.org.cn/MulanPSL2 + * + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + */ + +/* BEGIN_HEADER */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "securec.h" +#include "bsl_sal.h" +#include "sal_net.h" +#include "frame_tls.h" +#include "cert_callback.h" +#include "hitls_config.h" +#include "hitls_error.h" +#include "bsl_errno.h" +#include "bsl_uio.h" +#include "frame_io.h" +#include "uio_abstraction.h" +#include "tls.h" +#include "tls_config.h" +#include "logger.h" +#include "process.h" +#include "hs_ctx.h" +#include "hlt.h" +#include "stub_utils.h" +#include "hitls_type.h" +#include "frame_link.h" +#include "session_type.h" +#include "common_func.h" +#include "hitls_func.h" +#include "hitls_cert_type.h" +#include "parser_frame_msg.h" +#include "recv_process.h" +#include "simulate_io.h" +#include "rec_wrapper.h" +#include "cipher_suite.h" +#include "alert.h" +#include "conn_init.h" +#include "pack.h" +#include "send_process.h" +#include "cert.h" +#include "hitls_cert_reg.h" +#include "hitls_crypt_type.h" +#include "hs.h" +#include "hs_state_recv.h" +#include "app.h" +#include "record.h" +#include "rec_conn.h" +#include "session.h" +#include "frame_msg.h" +#include "pack_frame_msg.h" +#include "cert_mgr.h" +#include "hs_extensions.h" +#include "hlt_type.h" +#include "sctp_channel.h" +#include "hitls_crypt_init.h" +#include "hitls_session.h" +#include "bsl_log.h" +#include "bsl_err.h" +#include "hitls_crypt_reg.h" +#include "crypt_errno.h" +#include "bsl_list.h" +#include "hitls_cert.h" +#include "parse_extensions_client.c" +#include "parse_extensions_server.c" +#include "parse_server_hello.c" +#include "parse_client_hello.c" +/* END_HEADER */ + +/** @ +* @test UT_TLS_CM_NO_DFX_CONNECTION_TC001 +* @title Test no DFX macro connection. +* @precon nan +* @brief +* 1. Start a TLS connection with out dfx macro. Expected result 1. +* @expect 1. HITLS_SUCCES is returned +@ */ +/* BEGIN_CASE */ +void UT_TLS_CM_NO_DFX_CONNECTION_TC001(void) +{ + FRAME_Init(); + + HITLS_Config *config = NULL; + FRAME_LinkObj *client = NULL; + FRAME_LinkObj *server = NULL; + + // Apply for and initialize the configuration file + config = HITLS_CFG_NewDTLS12Config(); + client = FRAME_CreateLink(config, BSL_UIO_UDP); + ASSERT_TRUE(client != NULL); + server = FRAME_CreateLink(config, BSL_UIO_UDP); + ASSERT_TRUE(server != NULL); + HITLS_SetMtu(client->ssl, 16384); + HITLS_SetMtu(server->ssl, 16384); + + ASSERT_EQ(FRAME_CreateConnection(client, server, false, HS_STATE_BUTT), HITLS_SUCCESS); +EXIT: + HITLS_CFG_FreeConfig(config); + FRAME_FreeLink(client); + FRAME_FreeLink(server); +} +/* END_CASE */ \ No newline at end of file diff --git a/testcode/sdv/testcase/tls/feature/test_suite_sdv_frame_no_dfx.data b/testcode/sdv/testcase/tls/feature/test_suite_sdv_frame_no_dfx.data new file mode 100644 index 00000000..e93221a5 --- /dev/null +++ b/testcode/sdv/testcase/tls/feature/test_suite_sdv_frame_no_dfx.data @@ -0,0 +1,2 @@ +UT_TLS_CM_NO_DFX_CONNECTION_TC001: +UT_TLS_CM_NO_DFX_CONNECTION_TC001: \ No newline at end of file diff --git a/testcode/test_config/tls_test_config.json b/testcode/test_config/tls_test_config.json index 58c48827..44ca72ca 100644 --- a/testcode/test_config/tls_test_config.json +++ b/testcode/test_config/tls_test_config.json @@ -5,13 +5,15 @@ "base": ["test_suite_sdv_hlt_base_connect"], "mtu": ["test_suite_sdv_frame_mtu"], "max_send_fragment": ["test_suite_sdv_frame_max_send_fragment"], - "ca_list": ["test_suite_sdv_frame_ca_list"] + "ca_list": ["test_suite_sdv_frame_ca_list"], + "no_dfx": ["test_suite_sdv_frame_no_dfx"] }, "testSuiteCases": { "test_suite_sdv_hlt_tlcp_ciphersuite": [], "test_suite_sdv_hlt_base_connect": [], "test_suite_sdv_frame_mtu": [], "test_suite_sdv_frame_max_send_fragment": [], - "test_suite_sdv_frame_ca_list": [] + "test_suite_sdv_frame_ca_list": [], + "test_suite_sdv_frame_no_dfx": [] } } \ No newline at end of file diff --git a/tls/alert/src/alert.c b/tls/alert/src/alert.c index 922eb3c5..efd97ea8 100644 --- a/tls/alert/src/alert.c +++ b/tls/alert/src/alert.c @@ -251,6 +251,7 @@ int32_t ProcessPlainAlert(TLS_Ctx *ctx, const uint8_t *data, uint32_t dataLen) } #endif /* HITLS_TLS_PROTO_TLS13 */ +#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER void ALERT_ClearWarnCount(TLS_Ctx *ctx, uint32_t recordType) { if (recordType != REC_TYPE_ALERT) { @@ -263,6 +264,7 @@ bool ALERT_HaveExceeded(TLS_Ctx *ctx, uint8_t threshold) ctx->alertCtx->warnCount += 1; return ctx->alertCtx->warnCount >= threshold; } +#endif #ifdef HITLS_BSL_LOG int32_t ReturnAlertProcess(TLS_Ctx *ctx, int32_t err, uint32_t logId, const void *logStr, diff --git a/tls/cm/src/conn_common.c b/tls/cm/src/conn_common.c index 2a6eb2ce..6bd6ab79 100644 --- a/tls/cm/src/conn_common.c +++ b/tls/cm/src/conn_common.c @@ -61,7 +61,9 @@ static const char *GetStateString(uint32_t state) [CM_STATE_TRANSPORTING] = "Transporting", [CM_STATE_ALERTING] = "Alerting", [CM_STATE_ALERTED] = "Alerted", +#ifdef HITLS_TLS_PROTO_CLOSE_STATE [CM_STATE_CLOSED] = "Closed", +#endif }; /* Current status */ return stateMachineStr[state]; @@ -140,6 +142,7 @@ int32_t CommonEventInAlertingState(HITLS_Ctx *ctx) return HITLS_SUCCESS; } +#ifdef HITLS_TLS_PROTO_CLOSE_STATE /* If the close_notify message is sent, the link must be disconnected */ if (alertInfo.description == ALERT_CLOSE_NOTIFY) { if (ctx->userShutDown) { @@ -155,6 +158,7 @@ int32_t CommonEventInAlertingState(HITLS_Ctx *ctx) } return HITLS_SUCCESS; } +#endif /* Other warning alerts will not terminate the connection and the status will be restored to the previous status */ ctx->state = ctx->preState; @@ -189,7 +193,7 @@ static int32_t AlertRecvProcess(HITLS_Ctx *ctx, const ALERT_Info *alertInfo) /* Other warning alerts will not be processed */ return HITLS_SUCCESS; } - +#ifdef HITLS_TLS_PROTO_CLOSE_STATE ctx->shutdownState |= HITLS_RECEIVED_SHUTDOWN; /* In quiet disconnection mode, close_notify does not need to be sent */ @@ -218,6 +222,9 @@ static int32_t AlertRecvProcess(HITLS_Ctx *ctx, const ALERT_Info *alertInfo) ChangeConnState(ctx, CM_STATE_ALERTED); } return HITLS_CM_LINK_CLOSED; +#else + return HITLS_CM_LINK_CLOSED; +#endif } int32_t AlertEventProcess(HITLS_Ctx *ctx) @@ -259,14 +266,14 @@ int32_t CommonEventInHandshakingState(HITLS_Ctx *ctx) /* The handshake fails, but no alert is received. Return the error code to the user */ return ret; } - +#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) { /* If there are multiple consecutive alerts, the link is abnormal and needs to be terminated. */ ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE); alertRet = AlertEventProcess(ctx); return (alertRet == HITLS_SUCCESS) ? ret : alertRet; } - +#endif alertRet = AlertEventProcess(ctx); if (alertRet != HITLS_SUCCESS) { /* If the alert message fails to be sent, return the error code to the user */ @@ -527,14 +534,19 @@ static uint16_t FindPreference(const HITLS_Ctx *ctx, int32_t nmatch, bool *haveF uint32_t localGroupSize = ctx->config.tlsConfig.groupsSize; uint16_t *peerGroups = ctx->peerInfo.groups; uint16_t *localGroups = ctx->config.tlsConfig.groups; - bool chooseServerPre = ctx->config.tlsConfig.isSupportServerPreference; uint16_t intersectionCnt = 0; - +#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER + bool chooseServerPre = ctx->config.tlsConfig.isSupportServerPreference; preferGroupSize = (chooseServerPre == true) ? localGroupSize : peerGroupSize; secondPreferGroupSize = (chooseServerPre == true) ? peerGroupSize : localGroupSize; preferGroups = (chooseServerPre == true) ? localGroups : peerGroups; secondPreferGroups = (chooseServerPre == true) ? peerGroups : localGroups; - +#else + preferGroupSize = peerGroupSize; + secondPreferGroupSize = localGroupSize; + preferGroups = peerGroups; + secondPreferGroups = localGroups; +#endif for (uint32_t i = 0; i < preferGroupSize; i++) { for (uint32_t j = 0; j < secondPreferGroupSize; j++) { if (preferGroups[i] == secondPreferGroups[j]) { @@ -735,11 +747,12 @@ int32_t CommonEventInRenegotiationState(HITLS_Ctx *ctx) return ret; } InnerRenegotiationProcess(ctx); +#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) { /* If multiple consecutive alerts exist, the link is abnormal and needs to be terminated */ ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE); } - +#endif int32_t alertRet = AlertEventProcess(ctx); if (alertRet != HITLS_SUCCESS) { if (alertRet != HITLS_CM_LINK_CLOSED) { diff --git a/tls/cm/src/conn_create.c b/tls/cm/src/conn_create.c index 2b188b4c..cfbdc4c7 100644 --- a/tls/cm/src/conn_create.c +++ b/tls/cm/src/conn_create.c @@ -70,15 +70,16 @@ HITLS_Ctx *HITLS_New(HITLS_Config *config) BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16470, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Calloc fail", 0, 0, 0, 0); return NULL; } - - int32_t ret = CheckConfig(config); + int32_t ret = HITLS_SUCCESS; +#ifdef HITLS_TLS_PROTO_DFX_CHECK + ret = CheckConfig(config); if (ret != HITLS_SUCCESS) { BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16471, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "CheckConfig fail, ret %d", ret, 0, 0, 0); BSL_SAL_FREE(newCtx); return NULL; } - +#endif ret = DumpConfig(newCtx, config); if (ret != HITLS_SUCCESS) { BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16472, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, @@ -666,7 +667,7 @@ int32_t HITLS_ClearChainCerts(HITLS_Ctx *ctx) return HITLS_CFG_ClearChainCerts(&(ctx->config.tlsConfig)); } -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY int32_t HITLS_SetClientVerifySupport(HITLS_Ctx *ctx, bool support) { if (ctx == NULL) { @@ -683,7 +684,7 @@ int32_t HITLS_SetNoClientCertSupport(HITLS_Ctx *ctx, bool support) return HITLS_CFG_SetNoClientCertSupport(&(ctx->config.tlsConfig), support); } -#endif +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ #ifdef HITLS_TLS_FEATURE_PHA int32_t HITLS_SetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool support) { @@ -694,7 +695,7 @@ int32_t HITLS_SetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool support) return HITLS_CFG_SetPostHandshakeAuthSupport(&(ctx->config.tlsConfig), support); } #endif -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER int32_t HITLS_SetVerifyNoneSupport(HITLS_Ctx *ctx, bool support) { if (ctx == NULL) { @@ -703,8 +704,8 @@ int32_t HITLS_SetVerifyNoneSupport(HITLS_Ctx *ctx, bool support) return HITLS_CFG_SetVerifyNoneSupport(&(ctx->config.tlsConfig), support); } -#endif -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#endif /* HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER */ +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY int32_t HITLS_SetClientOnceVerifySupport(HITLS_Ctx *ctx, bool support) { if (ctx == NULL) { diff --git a/tls/cm/src/conn_ctrl.c b/tls/cm/src/conn_ctrl.c index 318700ef..abf3587b 100644 --- a/tls/cm/src/conn_ctrl.c +++ b/tls/cm/src/conn_ctrl.c @@ -195,6 +195,7 @@ HITLS_CERT_X509 *HITLS_GetPeerCertificate(const HITLS_Ctx *ctx) } #endif +#ifdef HITLS_TLS_PROTO_CLOSE_STATE int32_t HITLS_SetQuietShutdown(HITLS_Ctx *ctx, int32_t mode) { if (ctx == NULL) { @@ -222,6 +223,7 @@ int32_t HITLS_GetQuietShutdown(const HITLS_Ctx *ctx, int32_t *mode) return HITLS_SUCCESS; } +#endif #ifdef HITLS_TLS_FEATURE_RENEGOTIATION int32_t HITLS_GetRenegotiationState(const HITLS_Ctx *ctx, bool *isRenegotiationState) { @@ -245,6 +247,8 @@ int32_t HITLS_GetRwstate(const HITLS_Ctx *ctx, uint8_t *rwstate) return HITLS_SUCCESS; } #endif + +#ifdef HITLS_TLS_PROTO_CLOSE_STATE int32_t HITLS_SetShutdownState(HITLS_Ctx *ctx, uint32_t mode) { if (ctx == NULL) { @@ -264,8 +268,9 @@ int32_t HITLS_GetShutdownState(const HITLS_Ctx *ctx, uint32_t *mode) *mode = ctx->shutdownState; return HITLS_SUCCESS; } +#endif -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY int32_t HITLS_GetClientVerifySupport(HITLS_Ctx *ctx, bool *isSupport) { if (ctx == NULL) { @@ -283,7 +288,7 @@ int32_t HITLS_GetNoClientCertSupport(HITLS_Ctx *ctx, bool *isSupport) return HITLS_CFG_GetNoClientCertSupport(&(ctx->config.tlsConfig), isSupport); } -#endif +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ #ifdef HITLS_TLS_FEATURE_PHA int32_t HITLS_GetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool *isSupport) @@ -295,7 +300,7 @@ int32_t HITLS_GetPostHandshakeAuthSupport(HITLS_Ctx *ctx, bool *isSupport) return HITLS_CFG_GetPostHandshakeAuthSupport(&(ctx->config.tlsConfig), isSupport); } #endif -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER int32_t HITLS_GetVerifyNoneSupport(HITLS_Ctx *ctx, bool *isSupport) { if (ctx == NULL) { @@ -306,7 +311,7 @@ int32_t HITLS_GetVerifyNoneSupport(HITLS_Ctx *ctx, bool *isSupport) } #endif -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY int32_t HITLS_GetClientOnceVerifySupport(HITLS_Ctx *ctx, bool *isSupport) { if (ctx == NULL) { @@ -394,6 +399,8 @@ int32_t HITLS_SetServerName(HITLS_Ctx *ctx, uint8_t *serverName, uint32_t server return HITLS_CFG_SetServerName(&(ctx->config.tlsConfig), serverName, serverNameStrlen); } #endif + +#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER int32_t HITLS_SetCipherServerPreference(HITLS_Ctx *ctx, bool isSupport) { if (ctx == NULL) { @@ -411,6 +418,7 @@ int32_t HITLS_GetCipherServerPreference(const HITLS_Ctx *ctx, bool *isSupport) return HITLS_CFG_GetCipherServerPreference(&(ctx->config.tlsConfig), isSupport); } +#endif int32_t HITLS_SetRenegotiationSupport(HITLS_Ctx *ctx, bool isSupport) { diff --git a/tls/cm/src/conn_establish.c b/tls/cm/src/conn_establish.c index 2649252e..11592b39 100644 --- a/tls/cm/src/conn_establish.c +++ b/tls/cm/src/conn_establish.c @@ -105,6 +105,7 @@ static int32_t EstablishEventInRenegotiationState(HITLS_Ctx *ctx) #endif } +#ifdef HITLS_TLS_PROTO_CLOSE_STATE static int32_t CloseEventInRenegotiationState(HITLS_Ctx *ctx) { #ifdef HITLS_TLS_FEATURE_RENEGOTIATION @@ -130,6 +131,7 @@ static int32_t CloseEventInRenegotiationState(HITLS_Ctx *ctx) return HITLS_INTERNAL_EXCEPTION; #endif } +#endif static int32_t EstablishEventInAlertedState(HITLS_Ctx *ctx) { @@ -138,6 +140,7 @@ static int32_t EstablishEventInAlertedState(HITLS_Ctx *ctx) return HITLS_CM_LINK_FATAL_ALERTED; } +#ifdef HITLS_TLS_PROTO_CLOSE_STATE static int32_t EstablishEventInClosedState(HITLS_Ctx *ctx) { (void)ctx; @@ -253,6 +256,7 @@ static int32_t CloseEventInClosedState(HITLS_Ctx *ctx) ChangeConnState(ctx, CM_STATE_CLOSED); return HITLS_SUCCESS; } +#endif // Check and process the CTX status before HITLS_Connect and HITLS_Accept. int32_t ProcessCtxState(HITLS_Ctx *ctx) @@ -363,7 +367,9 @@ int32_t HITLS_Connect(HITLS_Ctx *ctx) EstablishEventInRenegotiationState, NULL, // The alerting phase has been processed in the ProcessCtxState function EstablishEventInAlertedState, +#ifdef HITLS_TLS_PROTO_CLOSE_STATE EstablishEventInClosedState +#endif }; ManageEventProcess proc = connectEventProcess[GetConnState(ctx)]; @@ -397,7 +403,9 @@ int32_t HITLS_Accept(HITLS_Ctx *ctx) EstablishEventInRenegotiationState, NULL, EstablishEventInAlertedState, +#ifdef HITLS_TLS_PROTO_CLOSE_STATE EstablishEventInClosedState +#endif }; ManageEventProcess proc = acceptEventProcess[GetConnState(ctx)]; @@ -460,6 +468,7 @@ int32_t HITLS_Listen(HITLS_Ctx *ctx, BSL_SAL_SockAddr clientAddr) } #endif /* #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_BSL_UIO_ADDR) */ +#ifdef HITLS_TLS_PROTO_CLOSE_STATE int32_t HITLS_Close(HITLS_Ctx *ctx) { if (ctx == NULL) { @@ -503,6 +512,13 @@ int32_t HITLS_Close(HITLS_Ctx *ctx) return HITLS_SUCCESS; } +#else /* HITLS_TLS_PROTO_CLOSE_STATE */ +int32_t HITLS_Close(HITLS_Ctx *ctx) +{ + ALERT_Send(ctx, ALERT_LEVEL_WARNING, ALERT_CLOSE_NOTIFY); + return ALERT_Flush(ctx); +} +#endif /* HITLS_TLS_PROTO_CLOSE_STATE */ int32_t HITLS_GetError(const HITLS_Ctx *ctx, int32_t ret) { @@ -629,7 +645,11 @@ int32_t HITLS_GetHandShakeState(const HITLS_Ctx *ctx, uint32_t *state) } } - if (ctx->state == CM_STATE_ALERTED || ctx->state == CM_STATE_CLOSED) { + if (ctx->state == CM_STATE_ALERTED +#ifdef HITLS_TLS_PROTO_CLOSE_STATE + || ctx->state == CM_STATE_CLOSED +#endif + ) { if (ctx->preState == CM_STATE_IDLE && ctx->hsCtx == NULL) { hsState = TLS_IDLE; } else if (ctx->hsCtx != NULL) { diff --git a/tls/cm/src/conn_init.c b/tls/cm/src/conn_init.c index e9ade211..564b4bdd 100644 --- a/tls/cm/src/conn_init.c +++ b/tls/cm/src/conn_init.c @@ -35,7 +35,9 @@ int32_t ConnUnexpectedMsg(HITLS_Ctx *ctx, uint32_t msgType, const uint8_t *data, BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT); return HITLS_NULL_INPUT; } +#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER ALERT_ClearWarnCount(ctx, msgType); +#endif int32_t ret = HITLS_REC_NORMAL_RECV_UNEXPECT_MSG; #ifdef HITLS_TLS_PROTO_TLS13 if (isPlain) { // tls13 @@ -85,7 +87,9 @@ int32_t CONN_Init(TLS_Ctx *ctx) ctx->method.sendCCS = CCS_Send; ctx->method.ctrlCCS = CCS_Ctrl; ctx->method.sendAlert = ALERT_Send; +#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER ctx->method.clearAlert = ALERT_ClearWarnCount; +#endif ctx->method.getAlertFlag = ALERT_GetFlag; ctx->method.unexpectedMsgProcessCb = ConnUnexpectedMsg; #ifdef HITLS_TLS_FEATURE_KEY_UPDATE diff --git a/tls/cm/src/conn_read.c b/tls/cm/src/conn_read.c index cdd96ad7..809340b9 100644 --- a/tls/cm/src/conn_read.c +++ b/tls/cm/src/conn_read.c @@ -74,6 +74,7 @@ int32_t RecvUnexpectMsgInTransportingStateProcess(HITLS_Ctx *ctx) } static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type) { +#ifdef HITLS_TLS_PROTO_TLS13 /* If the version is TLS1.3, ignore the message */ if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) { BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16514, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, @@ -81,10 +82,9 @@ static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type) ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE); return HITLS_MSG_HANDLE_UNEXPECTED_MESSAGE; } - +#endif /* If the message is not a renegotiation request, ignore the message */ - if ((ctx->isClient && (type == CLIENT_HELLO)) || - (!ctx->isClient && (type == HELLO_REQUEST))) { + if ((ctx->isClient && (type == CLIENT_HELLO)) || (!ctx->isClient && (type == HELLO_REQUEST))) { BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16515, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "ignore the message", 0, 0, 0, 0); ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE); @@ -111,7 +111,7 @@ static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type) return HITLS_SUCCESS; } } - +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) REC_RetransmitListClean(ctx->recCtx); /* dtls over udp scenario, the retransmission queue needs to be cleared */ #endif @@ -129,9 +129,11 @@ static int32_t RecvRenegoReqPreprocess(TLS_Ctx *ctx, uint8_t type) } else { (void)HS_ChangeState(ctx, TRY_RECV_HELLO_REQUEST); } +#endif /* HITLS_TLS_FEATURE_RENEGOTIATION */ return HITLS_SUCCESS; } +#ifdef HITLS_TLS_PROTO_TLS13 static int32_t RecvKeyUpdatePreprocess(TLS_Ctx *ctx) { if (ctx->negotiatedInfo.version != HITLS_VERSION_TLS13) { @@ -194,6 +196,7 @@ static int32_t RecvNSTPreprocess(TLS_Ctx *ctx) ChangeConnState(ctx, CM_STATE_HANDSHAKING); return HS_ChangeState(ctx, TRY_RECV_NEW_SESSION_TICKET); } +#endif /* HITLS_TLS_PROTO_TLS13 */ #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) static int32_t RecvPostFinishPreprocess(TLS_Ctx *ctx) @@ -255,32 +258,27 @@ static int32_t PreprocessUnexpectHsMsg(HITLS_Ctx *ctx) switch (hsCtx->msgBuf[0]) { case HELLO_REQUEST: case CLIENT_HELLO: - ret = RecvRenegoReqPreprocess(ctx, hsCtx->msgBuf[0]); - break; + return RecvRenegoReqPreprocess(ctx, hsCtx->msgBuf[0]); +#ifdef HITLS_TLS_PROTO_TLS13 case KEY_UPDATE: - ret = RecvKeyUpdatePreprocess(ctx); - break; + return RecvKeyUpdatePreprocess(ctx); case CERTIFICATE_REQUEST: - ret = RecvCertReqPreprocess(ctx); - break; + return RecvCertReqPreprocess(ctx); case CERTIFICATE: - ret = RecvCertPreprocess(ctx); - break; + return RecvCertPreprocess(ctx); case NEW_SESSION_TICKET: - ret = RecvNSTPreprocess(ctx); - break; + return RecvNSTPreprocess(ctx); +#endif #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) case FINISHED: - ret = RecvPostFinishPreprocess(ctx); - break; + return RecvPostFinishPreprocess(ctx); #endif default: BSL_LOG_BINLOG_VARLEN(BINLOG_ID16529, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Unexpected %s handshake state message.", HS_GetMsgTypeStr(hsCtx->msgBuf[0])); ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE); - ret = HITLS_MSG_HANDLE_UNEXPECTED_MESSAGE; + return HITLS_MSG_HANDLE_UNEXPECTED_MESSAGE; } - return ret; } static void ConsumeHandshakeMessage(HITLS_Ctx *ctx) @@ -348,11 +346,12 @@ static int32_t ReadEventInTransportingState(HITLS_Ctx *ctx, uint8_t *data, uint3 InnerRenegotiationProcess(ctx); } #endif +#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) { /* If multiple consecutive alerts exist, the link is abnormal and needs to be disconnected */ ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE); } - +#endif unexpectMsgRet = AlertEventProcess(ctx); if (unexpectMsgRet != HITLS_SUCCESS) { /* If the alert fails to be sent, a response is returned to the user for processing */ @@ -360,7 +359,11 @@ static int32_t ReadEventInTransportingState(HITLS_Ctx *ctx, uint8_t *data, uint3 } /* If fatal alert or close_notify has been processed, the link must be disconnected */ - if (ctx->state == CM_STATE_ALERTED || ctx->state == CM_STATE_CLOSED) { + if (ctx->state == CM_STATE_ALERTED +#ifdef HITLS_TLS_PROTO_CLOSE_STATE + || ctx->state == CM_STATE_CLOSED +#endif + ) { return ret; } } @@ -432,6 +435,7 @@ static int32_t ReadEventInAlertedState(HITLS_Ctx *ctx, uint8_t *data, uint32_t b return HITLS_CM_LINK_FATAL_ALERTED; } +#ifdef HITLS_TLS_PROTO_CLOSE_STATE static int32_t ReadEventInClosedState(HITLS_Ctx *ctx, uint8_t *data, uint32_t bufSize, uint32_t *readLen) { // Non-closed state @@ -459,6 +463,8 @@ static int32_t ReadEventInClosedState(HITLS_Ctx *ctx, uint8_t *data, uint32_t bu // Directly return to link closed. return HITLS_CM_LINK_CLOSED; } +#endif + static int32_t ReadProcess(HITLS_Ctx *ctx, uint8_t *data, uint32_t bufSize, uint32_t *readLen) { ReadEventProcess readEventProcess[CM_STATE_END] = { @@ -468,7 +474,9 @@ static int32_t ReadProcess(HITLS_Ctx *ctx, uint8_t *data, uint32_t bufSize, uint ReadEventInRenegotiationState, NULL, ReadEventInAlertedState, +#ifdef HITLS_TLS_PROTO_CLOSE_STATE ReadEventInClosedState +#endif }; if ((GetConnState(ctx) >= CM_STATE_END) || (GetConnState(ctx) == CM_STATE_ALERTING)) { diff --git a/tls/cm/src/conn_write.c b/tls/cm/src/conn_write.c index b513ba00..611c9432 100644 --- a/tls/cm/src/conn_write.c +++ b/tls/cm/src/conn_write.c @@ -68,12 +68,12 @@ static int32_t WriteEventInTransportingState(HITLS_Ctx *ctx, const uint8_t *data /* Failed to send a message but no alert is displayed */ break; } - +#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER if (ALERT_HaveExceeded(ctx, MAX_ALERT_COUNT)) { /* If multiple consecutive alerts exist, the link is abnormal and needs to be disconnected */ ALERT_Send(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE); } - +#endif alertRet = AlertEventProcess(ctx); if (alertRet != HITLS_SUCCESS) { BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16546, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, @@ -149,6 +149,7 @@ static int32_t WriteEventInAlertedState(HITLS_Ctx *ctx, const uint8_t *data, uin return HITLS_CM_LINK_FATAL_ALERTED; } +#ifdef HITLS_TLS_PROTO_CLOSE_STATE static int32_t WriteEventInClosedState(HITLS_Ctx *ctx, const uint8_t *data, uint32_t dataLen, uint32_t *writeLen) { if ((ctx->shutdownState & HITLS_SENT_SHUTDOWN) == 0) { @@ -171,6 +172,8 @@ static int32_t WriteEventInClosedState(HITLS_Ctx *ctx, const uint8_t *data, uint // Directly return a message indicating that the link status is abnormal. return HITLS_CM_LINK_CLOSED; } +#endif + #ifdef HITLS_TLS_FEATURE_PHA int32_t CommonCheckPostHandshakeAuth(TLS_Ctx *ctx) { @@ -220,7 +223,9 @@ int32_t HITLS_Write(HITLS_Ctx *ctx, const uint8_t *data, uint32_t dataLen, uint3 WriteEventInRenegotiationState, NULL, WriteEventInAlertedState, +#ifdef HITLS_TLS_PROTO_CLOSE_STATE WriteEventInClosedState +#endif }; if ((GetConnState(ctx) >= CM_STATE_END) || (GetConnState(ctx) == CM_STATE_ALERTING)) { diff --git a/tls/config/src/cipher_suite.c b/tls/config/src/cipher_suite.c index 33e3d30c..05b77134 100644 --- a/tls/config/src/cipher_suite.c +++ b/tls/config/src/cipher_suite.c @@ -1533,60 +1533,169 @@ static const CipherSuiteInfo g_cipherSuiteList[] = { }; const CipherSuiteCertType g_cipherSuiteAndCertTypes[] = { +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA { HITLS_RSA_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA { HITLS_RSA_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA256 { HITLS_RSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA256 { HITLS_RSA_WITH_AES_256_CBC_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_GCM_SHA256 { HITLS_RSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_GCM_SHA384 { HITLS_RSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA { HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA { HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA256 { HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA384 { HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { HITLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384 { HITLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 { HITLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA { HITLS_DHE_RSA_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA { HITLS_DHE_RSA_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA256 { HITLS_DHE_RSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA256 { HITLS_DHE_RSA_WITH_AES_256_CBC_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_GCM_SHA256 { HITLS_DHE_RSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_GCM_SHA384 { HITLS_DHE_RSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CCM { HITLS_DHE_RSA_WITH_AES_128_CCM, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CCM { HITLS_DHE_RSA_WITH_AES_256_CCM, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CCM { HITLS_RSA_WITH_AES_128_CCM, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CCM_8 { HITLS_RSA_WITH_AES_128_CCM_8, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CCM { HITLS_RSA_WITH_AES_256_CCM, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CCM_8 { HITLS_RSA_WITH_AES_256_CCM_8, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 { HITLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA { HITLS_RSA_PSK_WITH_AES_128_CBC_SHA, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA { HITLS_RSA_PSK_WITH_AES_256_CBC_SHA, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_GCM_SHA256 { HITLS_RSA_PSK_WITH_AES_128_GCM_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_GCM_SHA384 { HITLS_RSA_PSK_WITH_AES_256_GCM_SHA384, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA256 { HITLS_RSA_PSK_WITH_AES_128_CBC_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA384 { HITLS_RSA_PSK_WITH_AES_256_CBC_SHA384, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 { HITLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_RSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA { HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA { HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 { HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 { HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 { HITLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 { HITLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 { HITLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CCM { HITLS_ECDHE_ECDSA_WITH_AES_128_CCM, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CCM { HITLS_ECDHE_ECDSA_WITH_AES_256_CCM, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA { HITLS_DHE_DSS_WITH_AES_128_CBC_SHA, CERT_TYPE_DSS_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA { HITLS_DHE_DSS_WITH_AES_256_CBC_SHA, CERT_TYPE_DSS_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA256 { HITLS_DHE_DSS_WITH_AES_128_CBC_SHA256, CERT_TYPE_DSS_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA256 { HITLS_DHE_DSS_WITH_AES_256_CBC_SHA256, CERT_TYPE_DSS_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_GCM_SHA256 { HITLS_DHE_DSS_WITH_AES_128_GCM_SHA256, CERT_TYPE_DSS_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_GCM_SHA384 { HITLS_DHE_DSS_WITH_AES_256_GCM_SHA384, CERT_TYPE_DSS_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3 { HITLS_ECDHE_SM4_CBC_SM3, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECC_SM4_CBC_SM3 { HITLS_ECC_SM4_CBC_SM3, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3 { HITLS_ECDHE_SM4_GCM_SM3, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_ECC_SM4_GCM_SM3 { HITLS_ECC_SM4_GCM_SM3, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_SM4_GCM_SM3 { HITLS_SM4_GCM_SM3, CERT_TYPE_ECDSA_SIGN }, +#endif +#ifdef HITLS_TLS_SUITE_SM4_CCM_SM3 { HITLS_SM4_CCM_SM3, CERT_TYPE_ECDSA_SIGN }, +#endif + { 0, CERT_TYPE_UNKNOWN }, }; /** @@ -1776,6 +1885,7 @@ uint8_t CFG_GetCertTypeByCipherSuite(uint16_t cipherSuite) return CERT_TYPE_UNKNOWN; } + #ifdef HITLS_TLS_CONFIG_CIPHER_SUITE /* Convert the supported version number to the corresponding character string */ static const uint8_t* ProtocolToString(uint16_t version) diff --git a/tls/config/src/config.c b/tls/config/src/config.c index cc106ea8..dba066fd 100644 --- a/tls/config/src/config.c +++ b/tls/config/src/config.c @@ -70,7 +70,7 @@ void CFG_CleanConfig(HITLS_Config *config) BSL_SAL_FREE(config->pointFormats); BSL_SAL_FREE(config->groups); BSL_SAL_FREE(config->signAlgorithms); -#ifdef HITLS_TLS_FEATURE_PROVIDER +#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC #ifndef HITLS_TLS_CAP_NO_STR for (uint32_t i = 0; i < config->groupInfolen; i++) { BSL_SAL_FREE(config->groupInfo[i].name); @@ -87,7 +87,7 @@ void CFG_CleanConfig(HITLS_Config *config) BSL_SAL_FREE(config->sigSchemeInfo); config->sigSchemeInfoSize = 0; config->sigSchemeInfolen = 0; -#endif +#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */ #if defined(HITLS_TLS_PROTO_TLS12) && defined(HITLS_TLS_FEATURE_PSK) BSL_SAL_FREE(config->pskIdentityHint); @@ -135,8 +135,12 @@ static void ShallowCopy(HITLS_Ctx *ctx, const HITLS_Config *srcConfig) destConfig->attrName = ATTRIBUTE_FROM_CONFIG(srcConfig); destConfig->minVersion = srcConfig->minVersion; destConfig->maxVersion = srcConfig->maxVersion; +#ifdef HITLS_TLS_PROTO_CLOSE_STATE destConfig->isQuietShutdown = srcConfig->isQuietShutdown; +#endif +#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER destConfig->isSupportServerPreference = srcConfig->isSupportServerPreference; +#endif destConfig->maxCertList = srcConfig->maxCertList; destConfig->isSupportExtendedMasterSecret = srcConfig->isSupportExtendedMasterSecret; destConfig->emptyRecordsNum = srcConfig->emptyRecordsNum; @@ -182,17 +186,17 @@ static void ShallowCopy(HITLS_Ctx *ctx, const HITLS_Config *srcConfig) #if defined(HITLS_TLS_FEATURE_RENEGOTIATION) && defined(HITLS_TLS_FEATURE_SESSION) destConfig->isResumptionOnRenego = srcConfig->isResumptionOnRenego; #endif -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER + destConfig->isSupportVerifyNone = srcConfig->isSupportVerifyNone; +#endif +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY destConfig->isSupportClientVerify = srcConfig->isSupportClientVerify; destConfig->isSupportNoClientCert = srcConfig->isSupportNoClientCert; - destConfig->isSupportVerifyNone = srcConfig->isSupportVerifyNone; + destConfig->isSupportClientOnceVerify = srcConfig->isSupportClientOnceVerify; #endif #ifdef HITLS_TLS_FEATURE_SESSION_TICKET destConfig->isSupportSessionTicket = srcConfig->isSupportSessionTicket; #endif -#if defined(HITLS_TLS_FEATURE_RENEGOTIATION) && defined(HITLS_TLS_FEATURE_CERT_MODE) - destConfig->isSupportClientOnceVerify = srcConfig->isSupportClientOnceVerify; -#endif #ifdef HITLS_TLS_FEATURE_PHA destConfig->isSupportPostHandshakeAuth = srcConfig->isSupportPostHandshakeAuth; #endif @@ -273,7 +277,7 @@ static int32_t GroupCfgDeepCopy(HITLS_Config *destConfig, const HITLS_Config *sr } destConfig->groupsSize = srcConfig->groupsSize; } -#ifdef HITLS_TLS_FEATURE_PROVIDER +#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC if (srcConfig->groupInfo != NULL) { #ifndef HITLS_TLS_CAP_NO_STR for (uint32_t i = 0; i < destConfig->groupInfolen; i++) { @@ -300,7 +304,7 @@ static int32_t GroupCfgDeepCopy(HITLS_Config *destConfig, const HITLS_Config *sr #endif } } -#endif +#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */ return HITLS_SUCCESS; } @@ -329,7 +333,7 @@ static int32_t SignAlgorithmsCfgDeepCopy(HITLS_Config *destConfig, const HITLS_C } destConfig->signAlgorithmsSize = srcConfig->signAlgorithmsSize; } -#ifdef HITLS_TLS_FEATURE_PROVIDER +#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC if (srcConfig->sigSchemeInfo != NULL) { for (uint32_t i = 0; i < destConfig->sigSchemeInfolen; i++) { BSL_SAL_FREE(destConfig->sigSchemeInfo[i].name); @@ -1401,6 +1405,7 @@ int32_t HITLS_SetVersionForbid(HITLS_Ctx *ctx, uint32_t noVersion) } #endif +#ifdef HITLS_TLS_PROTO_CLOSE_STATE int32_t HITLS_CFG_SetQuietShutdown(HITLS_Config *config, int32_t mode) { if (config == NULL) { @@ -1432,6 +1437,7 @@ int32_t HITLS_CFG_GetQuietShutdown(const HITLS_Config *config, int32_t *mode) *mode = (int32_t)config->isQuietShutdown; return HITLS_SUCCESS; } +#endif int32_t HITLS_CFG_SetEncryptThenMac(HITLS_Config *config, bool encryptThenMacType) { @@ -1465,6 +1471,7 @@ int32_t HITLS_CFG_GetEncryptThenMac(const HITLS_Config *config, bool *encryptThe #endif } +#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER int32_t HITLS_CFG_SetCipherServerPreference(HITLS_Config *config, bool isSupport) { if (config == NULL) { @@ -1484,6 +1491,7 @@ int32_t HITLS_CFG_GetCipherServerPreference(const HITLS_Config *config, bool *is *isSupport = config->isSupportServerPreference; return HITLS_SUCCESS; } +#endif #ifdef HITLS_TLS_MAINTAIN_KEYLOG int32_t HITLS_CFG_SetKeyLogCb(HITLS_Config *config, HITLS_KeyLogCb callback) diff --git a/tls/config/src/config_cert.c b/tls/config/src/config_cert.c index c321f607..a29590af 100644 --- a/tls/config/src/config_cert.c +++ b/tls/config/src/config_cert.c @@ -714,7 +714,7 @@ int32_t HITLS_CFG_SetCertCb(HITLS_Config *config, HITLS_CertCb certCb, void *arg } #endif /* HITLS_TLS_FEATURE_CERT_CB */ -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER int32_t HITLS_CFG_SetVerifyNoneSupport(HITLS_Config *config, bool support) { if (config == NULL) { @@ -734,7 +734,9 @@ int32_t HITLS_CFG_GetVerifyNoneSupport(HITLS_Config *config, bool *isSupport) *isSupport = config->isSupportVerifyNone; return HITLS_SUCCESS; } +#endif /* HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER */ +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY int32_t HITLS_CFG_GetClientVerifySupport(HITLS_Config *config, bool *isSupport) { if (config == NULL || isSupport == NULL) { @@ -773,7 +775,7 @@ int32_t HITLS_CFG_SetNoClientCertSupport(HITLS_Config *config, bool support) config->isSupportNoClientCert = support; return HITLS_SUCCESS; } -#endif +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ #ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES static void HitlsTrustedCANodeFree(void *caNode) diff --git a/tls/config/src/config_check.c b/tls/config/src/config_check.c index 96aaef8b..38197030 100644 --- a/tls/config/src/config_check.c +++ b/tls/config/src/config_check.c @@ -44,7 +44,8 @@ static bool CFG_IsValidVersion(uint16_t version) } #endif /* HITLS_TLS_CONFIG_VERSION */ -static bool HaveMatchSignAlg(const TLS_Config *config, HITLS_AuthAlgo authAlg, const uint16_t *signatureAlgorithms, +#ifdef HITLS_TLS_PROTO_DFX_CHECK +static bool HaveMatchSignAlg(const TLS_Config *config, HITLS_AuthAlgo authAlg, const uint16_t *signatureAlgorithms, uint32_t signatureAlgorithmsSize) { HITLS_SignAlgo signAlg = HITLS_SIGN_BUTT; @@ -193,6 +194,7 @@ static int32_t CheckGroup(const TLS_Config *config) return HITLS_SUCCESS; } +#endif /* HITLS_TLS_PROTO_DFX_CHECK */ #ifdef HITLS_TLS_CONFIG_VERSION int32_t CheckVersion(uint16_t minVersion, uint16_t maxVersion) @@ -232,6 +234,7 @@ int32_t CheckVersion(uint16_t minVersion, uint16_t maxVersion) } #endif /* HITLS_TLS_CONFIG_VERSION */ +#ifdef HITLS_TLS_PROTO_DFX_CHECK #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) static int32_t CheckCallbackFunc(const TLS_Config *config) { @@ -293,3 +296,4 @@ int32_t CheckConfig(const TLS_Config *config) #endif return ret; } +#endif /* HITLS_TLS_PROTO_DFX_CHECK */ \ No newline at end of file diff --git a/tls/config/src/config_default.c b/tls/config/src/config_default.c index 2af5fdb4..61b88032 100644 --- a/tls/config/src/config_default.c +++ b/tls/config/src/config_default.c @@ -43,75 +43,213 @@ uint16_t g_tlcpCipherSuites[] = { #endif uint16_t g_tls12CipherSuites[] = { +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 HITLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384 HITLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_GCM_SHA384 HITLS_DHE_DSS_WITH_AES_256_GCM_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_GCM_SHA384 HITLS_DHE_RSA_WITH_AES_256_GCM_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 HITLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 HITLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 HITLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 HITLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256 HITLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_GCM_SHA256 HITLS_DHE_DSS_WITH_AES_128_GCM_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_GCM_SHA256 HITLS_DHE_RSA_WITH_AES_128_GCM_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CCM HITLS_ECDHE_ECDSA_WITH_AES_128_CCM, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CCM HITLS_ECDHE_ECDSA_WITH_AES_256_CCM, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA384 HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CCM HITLS_DHE_RSA_WITH_AES_128_CCM, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CCM HITLS_DHE_RSA_WITH_AES_256_CCM, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA256 HITLS_DHE_RSA_WITH_AES_256_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA256 HITLS_DHE_DSS_WITH_AES_256_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA256 HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA256 HITLS_DHE_RSA_WITH_AES_128_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA256 HITLS_DHE_DSS_WITH_AES_128_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA HITLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA HITLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA HITLS_DHE_RSA_WITH_AES_256_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_256_CBC_SHA HITLS_DHE_DSS_WITH_AES_256_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA HITLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA HITLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA HITLS_DHE_RSA_WITH_AES_128_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_256_GCM_SHA384 HITLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_GCM_SHA384 HITLS_RSA_PSK_WITH_AES_256_GCM_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_GCM_SHA384 HITLS_DHE_PSK_WITH_AES_256_GCM_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 HITLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 HITLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 HITLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA HITLS_DHE_DSS_WITH_AES_128_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_GCM_SHA384 HITLS_RSA_WITH_AES_256_GCM_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_GCM_SHA384 HITLS_PSK_WITH_AES_256_GCM_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_PSK_WITH_CHACHA20_POLY1305_SHA256 HITLS_PSK_WITH_CHACHA20_POLY1305_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_GCM_SHA256 HITLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_GCM_SHA256 HITLS_RSA_PSK_WITH_AES_128_GCM_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_GCM_SHA256 HITLS_DHE_PSK_WITH_AES_128_GCM_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_GCM_SHA256 HITLS_RSA_WITH_AES_128_GCM_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_128_GCM_SHA256 HITLS_PSK_WITH_AES_128_GCM_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_CCM HITLS_PSK_WITH_AES_256_CCM, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA256 HITLS_RSA_WITH_AES_256_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA256 HITLS_RSA_WITH_AES_128_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_CCM_SHA256 HITLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_256_CBC_SHA384 HITLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_256_CBC_SHA HITLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA384 HITLS_RSA_PSK_WITH_AES_256_CBC_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_CCM HITLS_DHE_PSK_WITH_AES_128_CCM, +#endif +#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_CCM HITLS_DHE_PSK_WITH_AES_256_CCM, +#endif +#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_CBC_SHA384 HITLS_DHE_PSK_WITH_AES_256_CBC_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA HITLS_RSA_PSK_WITH_AES_256_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_256_CBC_SHA HITLS_DHE_PSK_WITH_AES_256_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_256_CBC_SHA HITLS_RSA_WITH_AES_256_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_CBC_SHA384 HITLS_PSK_WITH_AES_256_CBC_SHA384, +#endif +#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_256_CBC_SHA HITLS_PSK_WITH_AES_256_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_CBC_SHA256 HITLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_ECDHE_PSK_WITH_AES_128_CBC_SHA HITLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA256 HITLS_RSA_PSK_WITH_AES_128_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_CBC_SHA256 HITLS_DHE_PSK_WITH_AES_128_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA HITLS_RSA_PSK_WITH_AES_128_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_DHE_PSK_WITH_AES_128_CBC_SHA HITLS_DHE_PSK_WITH_AES_128_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_RSA_WITH_AES_128_CBC_SHA HITLS_RSA_WITH_AES_128_CBC_SHA, +#endif +#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_128_CBC_SHA256 HITLS_PSK_WITH_AES_128_CBC_SHA256, +#endif +#ifdef HITLS_TLS_SUITE_PSK_WITH_AES_128_CBC_SHA HITLS_PSK_WITH_AES_128_CBC_SHA, +#endif }; int32_t SetDefaultCipherSuite(HITLS_Config *config, const uint16_t *cipherSuites, uint32_t cipherSuiteSize) @@ -212,19 +350,20 @@ static void InitConfig(HITLS_Config *config) #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) config->isSupportDtlsCookieExchange = false; #endif -#ifdef HITLS_TLS_FEATURE_CERT_MODE - /** Set the certificate verification mode */ +#ifdef HITLS_TLS_FEATURE_CERT_MODE_VERIFY_PEER + config->isSupportVerifyNone = false; +#endif +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY config->isSupportClientVerify = false; config->isSupportNoClientCert = true; - config->isSupportVerifyNone = false; + config->isSupportClientOnceVerify = false; #endif #ifdef HITLS_TLS_FEATURE_PHA config->isSupportPostHandshakeAuth = false; #endif -#if defined(HITLS_TLS_FEATURE_RENEGOTIATION) && defined(HITLS_TLS_FEATURE_CERT_MODE) - config->isSupportClientOnceVerify = false; -#endif +#ifdef HITLS_TLS_PROTO_CLOSE_STATE config->isQuietShutdown = false; +#endif config->maxCertList = HITLS_MAX_CERT_LIST_DEFAULT; config->isKeepPeerCert = true; #ifdef HITLS_TLS_FEATURE_SESSION_TICKET diff --git a/tls/config/src/config_feature.c b/tls/config/src/config_feature.c index f53eacdc..b4d59d36 100644 --- a/tls/config/src/config_feature.c +++ b/tls/config/src/config_feature.c @@ -472,7 +472,7 @@ int32_t HITLS_CFG_SetSessionRemoveCb(HITLS_Config *config, const HITLS_SessionRe } #endif /* HITLS_TLS_FEATURE_SESSION_CACHE_CB */ -#ifdef HITLS_TLS_FEATURE_CERT_MODE +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY int32_t HITLS_CFG_SetClientOnceVerifySupport(HITLS_Config *config, bool support) { if (config == NULL) { @@ -491,7 +491,7 @@ int32_t HITLS_CFG_GetClientOnceVerifySupport(HITLS_Config *config, bool *isSuppo *isSupport = config->isSupportClientOnceVerify; return HITLS_SUCCESS; } -#endif /* HITLS_TLS_FEATURE_CERT_MODE */ +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ #ifdef HITLS_TLS_FEATURE_FLIGHT int32_t HITLS_CFG_SetFlightTransmitSwitch(HITLS_Config *config, bool isEnable) diff --git a/tls/config/src/config_group.c b/tls/config/src/config_group.c index 1c3d8c23..eac1e82b 100644 --- a/tls/config/src/config_group.c +++ b/tls/config/src/config_group.c @@ -21,7 +21,7 @@ #include "hitls_error.h" #include "crypt_algid.h" #include "config.h" -#ifdef HITLS_TLS_FEATURE_PROVIDER +#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC #include "securec.h" #include "crypt_eal_provider.h" #include "crypt_params_key.h" @@ -45,12 +45,13 @@ static const uint16_t DEFAULT_GROUP_ID[] = { HITLS_FF_DHE_8192, }; -#ifndef HITLS_TLS_FEATURE_PROVIDER +#ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC #ifndef HITLS_TLS_CAP_NO_STR #define CONST_CAST(str) ((char *)(uintptr_t)(str)) #else #define CONST_CAST(str) NULL -#endif +#endif /* HITLS_TLS_CAP_NO_STR */ + static const TLS_GroupInfo GROUP_INFO[] = { { CONST_CAST("x25519"), @@ -96,6 +97,7 @@ static const TLS_GroupInfo GROUP_INFO[] = { }, #endif /* HITLS_TLS_PROTO_TLS13 */ #endif /* HITLS_TLS_FEATURE_KEM */ +#ifdef HITLS_CRYPTO_CURVE_NISTP256 { CONST_CAST("secp256r1"), CRYPT_ECC_NISTP256, // CRYPT_ECC_NISTP256 @@ -106,6 +108,8 @@ static const TLS_GroupInfo GROUP_INFO[] = { TLS_VERSION_MASK | DTLS_VERSION_MASK, // versionBits false, }, +#endif /* HITLS_CRYPTO_CURVE_NISTP256 */ +#ifdef HITLS_CRYPTO_CURVE_NISTP384 { CONST_CAST("secp384r1"), CRYPT_ECC_NISTP384, // CRYPT_ECC_NISTP384 @@ -116,6 +120,8 @@ static const TLS_GroupInfo GROUP_INFO[] = { TLS_VERSION_MASK | DTLS_VERSION_MASK, // versionBits false, }, +#endif /* HITLS_CRYPTO_CURVE_NISTP384 */ +#ifdef HITLS_CRYPTO_CURVE_NISTP521 { CONST_CAST("secp521r1"), CRYPT_ECC_NISTP521, // CRYPT_ECC_NISTP521 @@ -126,6 +132,8 @@ static const TLS_GroupInfo GROUP_INFO[] = { TLS_VERSION_MASK | DTLS_VERSION_MASK, // versionBits false, }, +#endif /* HITLS_CRYPTO_CURVE_NISTP521 */ +#ifdef HITLS_CRYPTO_CURVE_BP256R1 { CONST_CAST("brainpoolP256r1"), CRYPT_ECC_BRAINPOOLP256R1, // CRYPT_ECC_BRAINPOOLP256R1 @@ -136,6 +144,8 @@ static const TLS_GroupInfo GROUP_INFO[] = { TLS10_VERSION_BIT | TLS11_VERSION_BIT | TLS12_VERSION_BIT | DTLS_VERSION_MASK, // versionBits false, }, +#endif /* HITLS_CRYPTO_CURVE_BP256R1 */ +#ifdef HITLS_CRYPTO_CURVE_BP384R1 { CONST_CAST("brainpoolP384r1"), CRYPT_ECC_BRAINPOOLP384R1, // CRYPT_ECC_BRAINPOOLP384R1 @@ -146,6 +156,8 @@ static const TLS_GroupInfo GROUP_INFO[] = { TLS10_VERSION_BIT | TLS11_VERSION_BIT | TLS12_VERSION_BIT | DTLS_VERSION_MASK, // versionBits false, }, +#endif /* HITLS_CRYPTO_CURVE_BP384R1 */ +#ifdef HITLS_CRYPTO_CURVE_BP512R1 { CONST_CAST("brainpoolP512r1"), CRYPT_ECC_BRAINPOOLP512R1, // CRYPT_ECC_BRAINPOOLP512R1 @@ -156,6 +168,7 @@ static const TLS_GroupInfo GROUP_INFO[] = { TLS10_VERSION_BIT | TLS11_VERSION_BIT | TLS12_VERSION_BIT | DTLS_VERSION_MASK, // versionBits false, }, +#endif /* HITLS_CRYPTO_CURVE_BP512R1 */ #ifdef HITLS_TLS_FEATURE_SM_TLS13 { "curveSm2", @@ -180,6 +193,7 @@ static const TLS_GroupInfo GROUP_INFO[] = { false, }, #endif +#ifdef HITLS_CRYPTO_DH { CONST_CAST("ffdhe8192"), CRYPT_DH_RFC7919_8192, // CRYPT_DH_8192 @@ -230,6 +244,7 @@ static const TLS_GroupInfo GROUP_INFO[] = { TLS13_VERSION_BIT, // versionBits false, } +#endif /* HITLS_CRYPTO_DH */ }; int32_t ConfigLoadGroupInfo(HITLS_Config *config) @@ -260,7 +275,7 @@ const TLS_GroupInfo *ConfigGetGroupInfoList(const HITLS_Config *config, uint32_t *size = sizeof(GROUP_INFO) / sizeof(GROUP_INFO[0]); return &GROUP_INFO[0]; } -#else +#else /* #ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */ static int32_t ProviderAddGroupInfo(const BSL_Param *params, void *args) { @@ -360,4 +375,4 @@ const TLS_GroupInfo *ConfigGetGroupInfoList(const HITLS_Config *config, uint32_t *size = config->groupInfolen; return config->groupInfo; } -#endif +#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */ diff --git a/tls/config/src/config_sign.c b/tls/config/src/config_sign.c index 5408b958..c4f3f37e 100644 --- a/tls/config/src/config_sign.c +++ b/tls/config/src/config_sign.c @@ -23,7 +23,7 @@ #include "cipher_suite.h" #include "config.h" -#ifdef HITLS_TLS_FEATURE_PROVIDER +#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC #include "securec.h" #include "crypt_eal_provider.h" #include "crypt_params_key.h" @@ -85,81 +85,84 @@ static int32_t UpdateSignAlgorithmsArray(TLS_Config *config) return HITLS_SUCCESS; } -#ifndef HITLS_TLS_FEATURE_PROVIDER +#ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC #ifndef HITLS_TLS_CAP_NO_STR #define CONST_CAST(str) ((char *)(uintptr_t)(str)) #else #define CONST_CAST(str) NULL -#endif +#endif /* HITLS_TLS_CAP_NO_STR */ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = { +#ifdef HITLS_CRYPTO_CURVE_NISTP521 { CONST_CAST("ecdsa_secp521r1_sha512"), CERT_SIG_SCHEME_ECDSA_SECP521R1_SHA512, TLS_CERT_KEY_TYPE_ECDSA, CRYPT_ECC_NISTP521, BSL_CID_ECDSAWITHSHA512, - HITLS_SIGN_ECDSA, - HITLS_HASH_SHA_512, + HITLS_SIGN_ECDSA, HITLS_HASH_SHA_512, 256, TLS_VERSION_MASK | DTLS_VERSION_MASK, TLS_VERSION_MASK | DTLS_VERSION_MASK, }, +#endif /* HITLS_CRYPTO_CURVE_NISTP521 */ +#ifdef HITLS_CRYPTO_CURVE_NISTP384 { CONST_CAST("ecdsa_secp384r1_sha384"), CERT_SIG_SCHEME_ECDSA_SECP384R1_SHA384, TLS_CERT_KEY_TYPE_ECDSA, CRYPT_ECC_NISTP384, BSL_CID_ECDSAWITHSHA384, - HITLS_SIGN_ECDSA, - HITLS_HASH_SHA_384, + HITLS_SIGN_ECDSA, HITLS_HASH_SHA_384, 192, TLS_VERSION_MASK | DTLS_VERSION_MASK, TLS_VERSION_MASK | DTLS_VERSION_MASK, }, +#endif /* HITLS_CRYPTO_CURVE_NISTP384 */ { CONST_CAST("ed25519"), CERT_SIG_SCHEME_ED25519, TLS_CERT_KEY_TYPE_ED25519, CRYPT_PKEY_PARAID_MAX, BSL_CID_ED25519, - HITLS_SIGN_ED25519, - HITLS_HASH_SHA_512, + HITLS_SIGN_ED25519, HITLS_HASH_SHA_512, 128, TLS_VERSION_MASK | DTLS_VERSION_MASK, TLS_VERSION_MASK | DTLS_VERSION_MASK, }, +#ifdef HITLS_CRYPTO_CURVE_NISTP256 { CONST_CAST("ecdsa_secp256r1_sha256"), CERT_SIG_SCHEME_ECDSA_SECP256R1_SHA256, TLS_CERT_KEY_TYPE_ECDSA, CRYPT_ECC_NISTP256, BSL_CID_ECDSAWITHSHA256, - HITLS_SIGN_ECDSA, - HITLS_HASH_SHA_256, + HITLS_SIGN_ECDSA, HITLS_HASH_SHA_256, 128, TLS_VERSION_MASK | DTLS_VERSION_MASK, TLS_VERSION_MASK | DTLS_VERSION_MASK, }, +#endif /* HITLS_CRYPTO_CURVE_NISTP256 */ +#ifdef HITLS_CRYPTO_SM2 { CONST_CAST("sm2_sm3"), CERT_SIG_SCHEME_SM2_SM3, TLS_CERT_KEY_TYPE_SM2, CRYPT_PKEY_PARAID_MAX, BSL_CID_SM2DSAWITHSM3, - HITLS_SIGN_SM2, - HITLS_HASH_SM3, + HITLS_SIGN_SM2, HITLS_HASH_SM3, 128, TLCP11_VERSION_BIT | DTLCP11_VERSION_BIT | TLS13_VERSION_BIT, TLCP11_VERSION_BIT | DTLCP11_VERSION_BIT | TLS13_VERSION_BIT, }, +#endif /* HITLS_CRYPTO_SM2 */ +#ifdef HITLS_CRYPTO_RSA { CONST_CAST("rsa_pss_pss_sha512"), CERT_SIG_SCHEME_RSA_PSS_PSS_SHA512, TLS_CERT_KEY_TYPE_RSA_PSS, CRYPT_PKEY_PARAID_MAX, BSL_CID_RSASSAPSS, - HITLS_SIGN_RSA_PSS, - HITLS_HASH_SHA_512, + HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_512, 256, TLS_VERSION_MASK | DTLS_VERSION_MASK, TLS_VERSION_MASK | DTLS_VERSION_MASK, @@ -170,8 +173,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = { TLS_CERT_KEY_TYPE_RSA_PSS, CRYPT_PKEY_PARAID_MAX, BSL_CID_RSASSAPSS, - HITLS_SIGN_RSA_PSS, - HITLS_HASH_SHA_384, + HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_384, 192, TLS_VERSION_MASK | DTLS_VERSION_MASK, TLS_VERSION_MASK | DTLS_VERSION_MASK, @@ -182,8 +184,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = { TLS_CERT_KEY_TYPE_RSA_PSS, CRYPT_PKEY_PARAID_MAX, BSL_CID_RSASSAPSS, - HITLS_SIGN_RSA_PSS, - HITLS_HASH_SHA_256, + HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_256, 128, TLS_VERSION_MASK | DTLS_VERSION_MASK, TLS_VERSION_MASK | DTLS_VERSION_MASK, @@ -194,8 +195,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = { TLS_CERT_KEY_TYPE_RSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_RSASSAPSS, - HITLS_SIGN_RSA_PSS, - HITLS_HASH_SHA_512, + HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_512, 256, TLS_VERSION_MASK | DTLS_VERSION_MASK, TLS_VERSION_MASK | DTLS_VERSION_MASK, @@ -206,8 +206,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = { TLS_CERT_KEY_TYPE_RSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_RSASSAPSS, - HITLS_SIGN_RSA_PSS, - HITLS_HASH_SHA_384, + HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_384, 192, TLS_VERSION_MASK | DTLS_VERSION_MASK, TLS_VERSION_MASK | DTLS_VERSION_MASK, @@ -218,8 +217,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = { TLS_CERT_KEY_TYPE_RSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_RSASSAPSS, - HITLS_SIGN_RSA_PSS, - HITLS_HASH_SHA_256, + HITLS_SIGN_RSA_PSS, HITLS_HASH_SHA_256, 128, TLS_VERSION_MASK | DTLS_VERSION_MASK, TLS_VERSION_MASK | DTLS_VERSION_MASK, @@ -230,108 +228,117 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = { TLS_CERT_KEY_TYPE_RSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_SHA512WITHRSAENCRYPTION, - HITLS_SIGN_RSA_PKCS1_V15, - HITLS_HASH_SHA_512, + HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_512, 256, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS_VERSION_MASK | DTLS_VERSION_MASK, }, +#endif /* HITLS_CRYPTO_RSA */ +#ifdef HITLS_CRYPTO_DSA { CONST_CAST("dsa_sha512"), CERT_SIG_SCHEME_DSA_SHA512, TLS_CERT_KEY_TYPE_DSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_DSAWITHSHA512, - HITLS_SIGN_DSA, - HITLS_HASH_SHA_512, + HITLS_SIGN_DSA, HITLS_HASH_SHA_512, 256, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, }, +#endif /* HITLS_CRYPTO_DSA */ +#ifdef HITLS_CRYPTO_RSA { CONST_CAST("rsa_pkcs1_sha384"), CERT_SIG_SCHEME_RSA_PKCS1_SHA384, TLS_CERT_KEY_TYPE_RSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_SHA384WITHRSAENCRYPTION, - HITLS_SIGN_RSA_PKCS1_V15, - HITLS_HASH_SHA_384, + HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_384, 192, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS_VERSION_MASK | DTLS_VERSION_MASK, }, +#endif /* HITLS_CRYPTO_RSA */ +#ifdef HITLS_CRYPTO_DSA { CONST_CAST("dsa_sha384"), CERT_SIG_SCHEME_DSA_SHA384, TLS_CERT_KEY_TYPE_DSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_DSAWITHSHA384, - HITLS_SIGN_DSA, - HITLS_HASH_SHA_384, + HITLS_SIGN_DSA, HITLS_HASH_SHA_384, 192, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, }, +#endif /* HITLS_CRYPTO_DSA */ +#ifdef HITLS_CRYPTO_RSA { CONST_CAST("rsa_pkcs1_sha256"), CERT_SIG_SCHEME_RSA_PKCS1_SHA256, TLS_CERT_KEY_TYPE_RSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_SHA256WITHRSAENCRYPTION, - HITLS_SIGN_RSA_PKCS1_V15, - HITLS_HASH_SHA_256, + HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_256, 128, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS_VERSION_MASK | DTLS_VERSION_MASK, }, +#endif /* HITLS_CRYPTO_RSA */ +#ifdef HITLS_CRYPTO_DSA { CONST_CAST("dsa_sha256"), CERT_SIG_SCHEME_DSA_SHA256, TLS_CERT_KEY_TYPE_DSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_DSAWITHSHA256, - HITLS_SIGN_DSA, - HITLS_HASH_SHA_256, + HITLS_SIGN_DSA, HITLS_HASH_SHA_256, 128, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, }, +#endif /* HITLS_CRYPTO_DSA */ +#ifdef HITLS_CRYPTO_ECDSA { CONST_CAST("ecdsa_sha224"), CERT_SIG_SCHEME_ECDSA_SHA224, TLS_CERT_KEY_TYPE_ECDSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_ECDSAWITHSHA224, - HITLS_SIGN_ECDSA, - HITLS_HASH_SHA_224, + HITLS_SIGN_ECDSA, HITLS_HASH_SHA_224, 112, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, }, +#endif /* HITLS_CRYPTO_ECDSA */ +#ifdef HITLS_CRYPTO_RSA { CONST_CAST("rsa_pkcs1_sha224"), CERT_SIG_SCHEME_RSA_PKCS1_SHA224, TLS_CERT_KEY_TYPE_RSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_SHA224WITHRSAENCRYPTION, - HITLS_SIGN_RSA_PKCS1_V15, - HITLS_HASH_SHA_224, + HITLS_SIGN_RSA_PKCS1_V15, HITLS_HASH_SHA_224, 112, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, }, +#endif /* HITLS_CRYPTO_RSA */ +#ifdef HITLS_CRYPTO_DSA { CONST_CAST("dsa_sha224"), CERT_SIG_SCHEME_DSA_SHA224, TLS_CERT_KEY_TYPE_DSA, CRYPT_PKEY_PARAID_MAX, BSL_CID_DSAWITHSHA224, - HITLS_SIGN_DSA, - HITLS_HASH_SHA_224, + HITLS_SIGN_DSA, HITLS_HASH_SHA_224, 112, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, }, +#endif /* HITLS_CRYPTO_DSA */ +#ifdef HITLS_CRYPTO_ECDSA { CONST_CAST("ecdsa_sha1"), CERT_SIG_SCHEME_ECDSA_SHA1, @@ -344,6 +351,8 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = { TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, }, +#endif /* HITLS_CRYPTO_ECDSA */ +#ifdef HITLS_CRYPTO_RSA { CONST_CAST("rsa_pkcs1_sha1"), CERT_SIG_SCHEME_RSA_PKCS1_SHA1, @@ -356,6 +365,8 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = { TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, }, +#endif /* HITLS_CRYPTO_RSA */ +#ifdef HITLS_CRYPTO_DSA { CONST_CAST("dsa_sha1"), CERT_SIG_SCHEME_DSA_SHA1, @@ -368,6 +379,7 @@ static const TLS_SigSchemeInfo SIGNATURE_SCHEME_INFO[] = { TLS12_VERSION_BIT | DTLS12_VERSION_BIT, TLS12_VERSION_BIT | DTLS12_VERSION_BIT, }, +#endif /* HITLS_CRYPTO_DSA */ }; int32_t ConfigLoadSignatureSchemeInfo(HITLS_Config *config) @@ -394,7 +406,7 @@ const TLS_SigSchemeInfo *ConfigGetSignatureSchemeInfoList(const HITLS_Config *co return SIGNATURE_SCHEME_INFO; } -#else // HITLS_TLS_FEATURE_PROVIDER +#else /* #ifndef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */ static int32_t PrepareSignSchemeStorage(TLS_Config *config, TLS_SigSchemeInfo **scheme) { @@ -578,4 +590,4 @@ const TLS_SigSchemeInfo *ConfigGetSignatureSchemeInfoList(const HITLS_Config *co return config->sigSchemeInfo; } -#endif +#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */ diff --git a/tls/crypt/crypt_adapt/crypt.c b/tls/crypt/crypt_adapt/crypt.c index 510ed733..968597f9 100644 --- a/tls/crypt/crypt_adapt/crypt.c +++ b/tls/crypt/crypt_adapt/crypt.c @@ -102,24 +102,61 @@ int32_t HITLS_CRYPT_RegisterBaseMethod(HITLS_CRYPT_BaseMethod *userCryptCallBack BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT); return HITLS_NULL_INPUT; } - g_cryptBaseMethod.randBytes = userCryptCallBack->randBytes; - g_cryptBaseMethod.hmacSize = userCryptCallBack->hmacSize; - g_cryptBaseMethod.hmacInit = userCryptCallBack->hmacInit; - g_cryptBaseMethod.hmacReinit = userCryptCallBack->hmacReinit; - g_cryptBaseMethod.hmacFree = userCryptCallBack->hmacFree; - g_cryptBaseMethod.hmacUpdate = userCryptCallBack->hmacUpdate; - g_cryptBaseMethod.hmacFinal = userCryptCallBack->hmacFinal; - g_cryptBaseMethod.hmac = userCryptCallBack->hmac; - g_cryptBaseMethod.digestSize = userCryptCallBack->digestSize; - g_cryptBaseMethod.digestInit = userCryptCallBack->digestInit; - g_cryptBaseMethod.digestCopy = userCryptCallBack->digestCopy; - g_cryptBaseMethod.digestFree = userCryptCallBack->digestFree; - g_cryptBaseMethod.digestUpdate = userCryptCallBack->digestUpdate; - g_cryptBaseMethod.digestFinal = userCryptCallBack->digestFinal; - g_cryptBaseMethod.digest = userCryptCallBack->digest; - g_cryptBaseMethod.encrypt = userCryptCallBack->encrypt; - g_cryptBaseMethod.decrypt = userCryptCallBack->decrypt; - g_cryptBaseMethod.cipherFree = userCryptCallBack->cipherFree; + + if (userCryptCallBack->randBytes != NULL) { + g_cryptBaseMethod.randBytes = userCryptCallBack->randBytes; + } + if (userCryptCallBack->hmacSize != NULL) { + g_cryptBaseMethod.hmacSize = userCryptCallBack->hmacSize; + } + if (userCryptCallBack->hmacInit != NULL) { + g_cryptBaseMethod.hmacInit = userCryptCallBack->hmacInit; + } + if (userCryptCallBack->hmacReinit != NULL) { + g_cryptBaseMethod.hmacReinit = userCryptCallBack->hmacReinit; + } + if (userCryptCallBack->hmacFree != NULL) { + g_cryptBaseMethod.hmacFree = userCryptCallBack->hmacFree; + } + if (userCryptCallBack->hmacUpdate != NULL) { + g_cryptBaseMethod.hmacUpdate = userCryptCallBack->hmacUpdate; + } + if (userCryptCallBack->hmacFinal != NULL) { + g_cryptBaseMethod.hmacFinal = userCryptCallBack->hmacFinal; + } + if (userCryptCallBack->hmac != NULL) { + g_cryptBaseMethod.hmac = userCryptCallBack->hmac; + } + if (userCryptCallBack->digestSize != NULL) { + g_cryptBaseMethod.digestSize = userCryptCallBack->digestSize; + } + if (userCryptCallBack->digestInit != NULL) { + g_cryptBaseMethod.digestInit = userCryptCallBack->digestInit; + } + if (userCryptCallBack->digestCopy != NULL) { + g_cryptBaseMethod.digestCopy = userCryptCallBack->digestCopy; + } + if (userCryptCallBack->digestFree != NULL) { + g_cryptBaseMethod.digestFree = userCryptCallBack->digestFree; + } + if (userCryptCallBack->digestUpdate != NULL) { + g_cryptBaseMethod.digestUpdate = userCryptCallBack->digestUpdate; + } + if (userCryptCallBack->digestFinal != NULL) { + g_cryptBaseMethod.digestFinal = userCryptCallBack->digestFinal; + } + if (userCryptCallBack->digest != NULL) { + g_cryptBaseMethod.digest = userCryptCallBack->digest; + } + if (userCryptCallBack->encrypt != NULL) { + g_cryptBaseMethod.encrypt = userCryptCallBack->encrypt; + } + if (userCryptCallBack->decrypt != NULL) { + g_cryptBaseMethod.decrypt = userCryptCallBack->decrypt; + } + if (userCryptCallBack->cipherFree != NULL) { + g_cryptBaseMethod.cipherFree = userCryptCallBack->cipherFree; + } return HITLS_SUCCESS; } diff --git a/tls/handshake/common/src/hs_common.c b/tls/handshake/common/src/hs_common.c index 26d85265..c4944c30 100644 --- a/tls/handshake/common/src/hs_common.c +++ b/tls/handshake/common/src/hs_common.c @@ -254,7 +254,6 @@ uint8_t *HS_PrepareSignDataTlcp(const TLS_Ctx *ctx, const uint8_t *partSignData, uint8_t *HS_PrepareSignData(const TLS_Ctx *ctx, const uint8_t *partSignData, uint32_t partSignDataLen, uint32_t *signDataLen) { - int32_t ret; /* Signature data: client random number + server random number + key exchange packet data/encryption certificate */ uint32_t randomLen = HS_RANDOM_SIZE * 2u; uint32_t dataLen = randomLen + partSignDataLen; @@ -269,13 +268,7 @@ uint8_t *HS_PrepareSignData(const TLS_Ctx *ctx, const uint8_t *partSignData, (void)memcpy_s(data, dataLen, ctx->hsCtx->clientRandom, HS_RANDOM_SIZE); (void)memcpy_s(&data[HS_RANDOM_SIZE], dataLen - HS_RANDOM_SIZE, ctx->hsCtx->serverRandom, HS_RANDOM_SIZE); /* Copy key exchange packet data */ - ret = memcpy_s(&data[randomLen], dataLen - randomLen, partSignData, partSignDataLen); - if (ret != EOK) { - BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16814, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "memcpy fail", 0, 0, 0, 0); - BSL_SAL_Free(data); - BSL_ERR_PUSH_ERROR(HITLS_INTERNAL_EXCEPTION); - return NULL; - } + (void)memcpy_s(&data[randomLen], dataLen - randomLen, partSignData, partSignDataLen); *signDataLen = dataLen; return data; @@ -603,20 +596,16 @@ uint32_t HS_MaxMessageSize(TLS_Ctx *ctx, HS_MsgType type) #endif case SERVER_HELLO: return HITLS_SERVER_HELLO_MAX_SIZE; +#ifdef HITLS_TLS_PROTO_TLS13 case ENCRYPTED_EXTENSIONS: return HITLS_ENCRYPTED_EXTENSIONS_MAX_SIZE; - case CERTIFICATE: - if (ctx->config.tlsConfig.maxCertList == 0) { - return HITLS_MAX_CERT_LIST_DEFAULT; - } - return ctx->config.tlsConfig.maxCertList; +#endif case SERVER_KEY_EXCHANGE: return HITLS_SERVER_KEY_EXCH_MAX_SIZE; + case CERTIFICATE: case CERTIFICATE_REQUEST: - if (ctx->config.tlsConfig.maxCertList == 0) { - return HITLS_MAX_CERT_LIST_DEFAULT; - } - return ctx->config.tlsConfig.maxCertList; + return ctx->config.tlsConfig.maxCertList == 0 ? HITLS_MAX_CERT_LIST_DEFAULT + : ctx->config.tlsConfig.maxCertList; case SERVER_HELLO_DONE: return HITLS_SERVER_HELLO_DONE_MAX_SIZE; case CLIENT_KEY_EXCHANGE: @@ -624,20 +613,27 @@ uint32_t HS_MaxMessageSize(TLS_Ctx *ctx, HS_MsgType type) case CERTIFICATE_VERIFY: return REC_MAX_PLAIN_LENGTH; case NEW_SESSION_TICKET: +#ifdef HITLS_TLS_PROTO_TLS13 if (GET_VERSION_FROM_CTX(ctx) == HITLS_VERSION_TLS13) { return HITLS_SESSION_TICKET_MAX_SIZE_TLS13; } +#endif return HITLS_SESSION_TICKET_MAX_SIZE_TLS12; +#ifdef HITLS_TLS_PROTO_TLS13 case END_OF_EARLY_DATA: return HITLS_END_OF_EARLY_DATA_MAX_SIZE; +#endif case FINISHED: return HITLS_FINISHED_MAX_SIZE; +#ifdef HITLS_TLS_PROTO_TLS13 case KEY_UPDATE: return HITLS_KEY_UPDATE_MAX_SIZE; +#endif default: return 0; } } + #ifdef HITLS_TLS_PROTO_TLS13 uint32_t HS_GetBinderLen(HITLS_Session *session, HITLS_HashAlgo *hashAlg) { diff --git a/tls/handshake/common/src/hs_kx.c b/tls/handshake/common/src/hs_kx.c index eb49d017..5722426e 100644 --- a/tls/handshake/common/src/hs_kx.c +++ b/tls/handshake/common/src/hs_kx.c @@ -434,22 +434,25 @@ int32_t DeriveMasterSecret(TLS_Ctx *ctx, const uint8_t *preMasterSecret, uint32_ { int32_t ret = HITLS_SUCCESS; const uint8_t masterSecretLabel[] = "master secret"; - const uint8_t exMasterSecretLabel[] = "extended master secret"; uint8_t seed[HS_RANDOM_SIZE * 2] = {0}; // seed size is twice the random size uint32_t seedLen = sizeof(seed); - bool isExtendedMasterSecret = ctx->negotiatedInfo.isExtendedMasterSecret; CRYPT_KeyDeriveParameters deriveInfo; deriveInfo.hashAlgo = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg; deriveInfo.secret = preMasterSecret; deriveInfo.secretLen = len; - + +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET + const uint8_t exMasterSecretLabel[] = "extended master secret"; + bool isExtendedMasterSecret = ctx->negotiatedInfo.isExtendedMasterSecret; if (isExtendedMasterSecret) { deriveInfo.label = exMasterSecretLabel; deriveInfo.labelLen = sizeof(exMasterSecretLabel) - 1u; ret = VERIFY_CalcSessionHash( ctx->hsCtx->verifyCtx, seed, &seedLen); // Use session hash as seed for key deriviation - } else { + } else +#endif + { deriveInfo.label = masterSecretLabel; deriveInfo.labelLen = sizeof(masterSecretLabel) - 1u; ret = HS_CombineRandom(ctx->hsCtx->clientRandom, ctx->hsCtx->serverRandom, HS_RANDOM_SIZE, seed, seedLen); @@ -470,8 +473,7 @@ int32_t DeriveMasterSecret(TLS_Ctx *ctx, const uint8_t *preMasterSecret, uint32_ return ret; } #ifdef HITLS_TLS_MAINTAIN_KEYLOG - if (HITLS_LogSecret(ctx, MASTER_SECRET_LABEL, ctx->hsCtx->masterKey, - MASTER_SECRET_LEN) != HITLS_SUCCESS) { + if (HITLS_LogSecret(ctx, MASTER_SECRET_LABEL, ctx->hsCtx->masterKey, MASTER_SECRET_LEN) != HITLS_SUCCESS) { BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15336, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "failed to LogSecret, MASTER_SECRET_LABEL.", 0, 0, 0, 0); } diff --git a/tls/handshake/cookie/src/hs_cookie.c b/tls/handshake/cookie/src/hs_cookie.c index 951587cb..9ac0f3b7 100644 --- a/tls/handshake/cookie/src/hs_cookie.c +++ b/tls/handshake/cookie/src/hs_cookie.c @@ -281,6 +281,7 @@ static int32_t CheckCookieWithPreMacKey(TLS_Ctx *ctx, const ClientHelloMsg *clie return HITLS_SUCCESS; } +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION static int32_t CheckCookieDuringRenegotiation(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *isCookieValid) { uint8_t *cookie = ctx->negotiatedInfo.cookie; @@ -292,6 +293,7 @@ static int32_t CheckCookieDuringRenegotiation(TLS_Ctx *ctx, const ClientHelloMsg } return HITLS_SUCCESS; } +#endif int32_t HS_CheckCookie(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *isCookieValid) { @@ -309,10 +311,12 @@ int32_t HS_CheckCookie(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *is return HITLS_SUCCESS; } +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION /* In the renegotiation scenario, the cookie stored in the negotiatedInfo is used for verification */ if (ctx->negotiatedInfo.isRenegotiation) { return CheckCookieDuringRenegotiation(ctx, clientHello, isCookieValid); } +#endif /* If the user's cookie validation callback is registered, use the user's callback interface */ HITLS_AppVerifyCookieCb cookieCb = ctx->globalConfig->appVerifyCookieCb; diff --git a/tls/handshake/pack/src/pack.c b/tls/handshake/pack/src/pack.c index 2a4b2de1..46ac185f 100644 --- a/tls/handshake/pack/src/pack.c +++ b/tls/handshake/pack/src/pack.c @@ -33,7 +33,7 @@ #if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12) static int32_t PackHsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt) { - int32_t ret = HITLS_SUCCESS; + int32_t ret = HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG; switch (type) { #ifdef HITLS_TLS_HOST_SERVER case SERVER_HELLO: @@ -47,9 +47,11 @@ static int32_t PackHsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt) case SERVER_KEY_EXCHANGE: ret = PackServerKeyExchange(ctx, pkt); break; +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY case CERTIFICATE_REQUEST: ret = PackCertificateRequest(ctx, pkt); break; +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ case HELLO_REQUEST: case SERVER_HELLO_DONE: return HITLS_SUCCESS; @@ -77,7 +79,6 @@ static int32_t PackHsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt) ret = PackFinished(ctx, pkt); break; default: - ret = HITLS_PACK_UNSUPPORT_HANDSHAKE_MSG; break; } @@ -105,9 +106,11 @@ static int32_t PackTls13HsMsgBody(TLS_Ctx *ctx, HS_MsgType type, PackPacket *pkt case ENCRYPTED_EXTENSIONS: ret = PackEncryptedExtensions(ctx, pkt); break; +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY case CERTIFICATE_REQUEST: ret = Tls13PackCertificateRequest(ctx, pkt); break; +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ case NEW_SESSION_TICKET: ret = Tls13PackNewSessionTicket(ctx, pkt); break; diff --git a/tls/handshake/pack/src/pack_certificate_request.c b/tls/handshake/pack/src/pack_certificate_request.c index e5030329..2b46fd29 100644 --- a/tls/handshake/pack/src/pack_certificate_request.c +++ b/tls/handshake/pack/src/pack_certificate_request.c @@ -13,7 +13,7 @@ * See the Mulan PSL v2 for more details. */ #include "hitls_build.h" -#ifdef HITLS_TLS_HOST_SERVER +#if defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY) #include #include #include "securec.h" @@ -118,6 +118,7 @@ static int32_t PackSignAlgorithms(const TLS_Ctx *ctx, PackPacket *pkt) #endif /* HITLS_TLS_PROTO_TLS12 || HITLS_TLS_PROTO_DTLS12 */ #if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12) +#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES static int32_t PackCALists(const TLS_Ctx *ctx, PackPacket *pkt) { const TLS_Config *config = &(ctx->config.tlsConfig); @@ -126,7 +127,6 @@ static int32_t PackCALists(const TLS_Ctx *ctx, PackPacket *pkt) return PackAppendUint16ToBuf(pkt, 0); } -#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES uint32_t caListLenPosition = 0u; int32_t ret = PackStartLengthField(pkt, sizeof(uint16_t), &caListLenPosition); if (ret != HITLS_SUCCESS) { @@ -141,9 +141,9 @@ static int32_t PackCALists(const TLS_Ctx *ctx, PackPacket *pkt) } PackCloseUint16Field(pkt, caListLenPosition); -#endif /* HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES */ return HITLS_SUCCESS; } +#endif /* HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES */ int32_t PackCertificateRequest(const TLS_Ctx *ctx, PackPacket *pkt) { @@ -161,12 +161,15 @@ int32_t PackCertificateRequest(const TLS_Ctx *ctx, PackPacket *pkt) } } #endif +#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES ret = PackCALists(ctx, pkt); if (ret != HITLS_SUCCESS) { return ret; } - return HITLS_SUCCESS; +#else + return PackAppendUint16ToBuf(pkt, 0); +#endif /* HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES */ } #endif /* HITLS_TLS_PROTO_TLS_BASIC || HITLS_TLS_PROTO_DTLS12 */ #ifdef HITLS_TLS_PROTO_TLS13 @@ -263,7 +266,7 @@ static int32_t PackCertReqExtensions(const TLS_Ctx *ctx, PackPacket *pkt) return HITLS_SUCCESS; } -int32_t Tls13PackCertReqExtensions(const TLS_Ctx *ctx, PackPacket *pkt) +static int32_t Tls13PackCertReqExtensions(const TLS_Ctx *ctx, PackPacket *pkt) { /* Start packing extensions length */ uint32_t extensionsLenPosition = 0u; @@ -301,4 +304,4 @@ int32_t Tls13PackCertificateRequest(const TLS_Ctx *ctx, PackPacket *pkt) return HITLS_SUCCESS; } #endif /* HITLS_TLS_PROTO_TLS13 */ -#endif /* HITLS_TLS_HOST_SERVER */ \ No newline at end of file +#endif /* HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ \ No newline at end of file diff --git a/tls/handshake/pack/src/pack_extensions.c b/tls/handshake/pack/src/pack_extensions.c index fe031546..76466633 100644 --- a/tls/handshake/pack/src/pack_extensions.c +++ b/tls/handshake/pack/src/pack_extensions.c @@ -889,7 +889,9 @@ static int32_t PackClientExtensions(const TLS_Ctx *ctx, PackPacket *pkt) { EXTENSION_MSG(HS_EX_TYPE_POST_HS_AUTH, isNeedPha, NULL) }, #endif /* HITLS_TLS_FEATURE_PHA */ #endif /* HITLS_TLS_PROTO_TLS13 */ +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET { EXTENSION_MSG(HS_EX_TYPE_EXTENDED_MASTER_SECRET, true, NULL) }, +#endif #ifdef HITLS_TLS_FEATURE_ALPN { EXTENSION_MSG(HS_EX_TYPE_APP_LAYER_PROTOCOLS, (tlsConfig->alpnList != NULL && ctx->state == CM_STATE_HANDSHAKING), PackClientAlpnList) }, @@ -931,7 +933,9 @@ static int32_t PackClientExtensions(const TLS_Ctx *ctx, PackPacket *pkt) #ifdef HITLS_TLS_FEATURE_PHA ctx->hsCtx->extFlag.havePostHsAuth = isNeedPha; #endif /* HITLS_TLS_FEATURE_PHA */ +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET ctx->hsCtx->extFlag.haveExtendedMasterSecret = true; +#endif #ifdef HITLS_TLS_FEATURE_ETM ctx->hsCtx->extFlag.haveEncryptThenMac = ctx->config.tlsConfig.isEncryptThenMac; #endif /* HITLS_TLS_FEATURE_ETM */ @@ -1147,6 +1151,7 @@ static int32_t PackServerPreSharedKey(const TLS_Ctx *ctx, PackPacket *pkt) #if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12) static int32_t PackServerSecRenegoInfo(const TLS_Ctx *ctx, PackPacket *pkt) { +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION bool isRenegotiation = ctx->negotiatedInfo.isRenegotiation; const uint8_t *clientData = ctx->negotiatedInfo.clientVerifyData; uint32_t clientDataSize = ctx->negotiatedInfo.clientVerifyDataSize; @@ -1174,7 +1179,14 @@ static int32_t PackServerSecRenegoInfo(const TLS_Ctx *ctx, PackPacket *pkt) (void)PackAppendDataToBuf(pkt, clientData, clientDataSize); (void)PackAppendDataToBuf(pkt, serverData, serverDataSize); - +#else + (void)ctx; + int32_t ret = PackExtensionHeader(HS_EX_TYPE_RENEGOTIATION_INFO, sizeof(uint8_t), pkt); + if (ret != HITLS_SUCCESS) { + return ret; + } + (void)PackAppendUint8ToBuf(pkt, 0); +#endif return HITLS_SUCCESS; } #endif /* defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12) */ @@ -1207,7 +1219,6 @@ static bool IsNeedServerPackEncryptThenMac(const TLS_Ctx *ctx) // Pack the empty extension of Server Hello static int32_t PackServerExtensions(const TLS_Ctx *ctx, PackPacket *pkt) { - int32_t ret = HITLS_SUCCESS; #ifdef HITLS_TLS_PROTO_TLS13 uint32_t version = GET_VERSION_FROM_CTX(ctx); bool isHrrKeyshare = IsHrrKeyShare(ctx); @@ -1233,7 +1244,9 @@ static int32_t PackServerExtensions(const TLS_Ctx *ctx, PackPacket *pkt) #ifdef HITLS_TLS_PROTO_TLS13 { EXTENSION_MSG(HS_EX_TYPE_SUPPORTED_VERSIONS, isTls13, PackServerSupportedVersion) }, #endif /* HITLS_TLS_PROTO_TLS13 */ +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET { EXTENSION_MSG(HS_EX_TYPE_EXTENDED_MASTER_SECRET, negoInfo->isExtendedMasterSecret, NULL) }, +#endif #ifdef HITLS_TLS_FEATURE_ALPN { .exMsgType = HS_EX_TYPE_APP_LAYER_PROTOCOLS, .needPack = (negoInfo->alpnSelected != NULL @@ -1274,19 +1287,14 @@ static int32_t PackServerExtensions(const TLS_Ctx *ctx, PackPacket *pkt) } if (IsPackNeedCustomExtensions(CUSTOM_EXT_FROM_CTX(ctx), context)) { - ret = PackCustomExtensions(ctx, pkt, context, NULL, 0); + int32_t ret = PackCustomExtensions(ctx, pkt, context, NULL, 0); if (ret != HITLS_SUCCESS) { return ret; } } #endif /* HITLS_TLS_FEATURE_CUSTOM_EXTENSION */ - ret = PackExtensions(ctx, pkt, extMsgList, sizeof(extMsgList) / sizeof(extMsgList[0])); - if (ret != HITLS_SUCCESS) { - return ret; - } - - return HITLS_SUCCESS; + return PackExtensions(ctx, pkt, extMsgList, sizeof(extMsgList) / sizeof(extMsgList[0])); } // Pack the Server Hello extension diff --git a/tls/handshake/parse/src/parse.c b/tls/handshake/parse/src/parse.c index 8cc3bae6..40d48ddf 100644 --- a/tls/handshake/parse/src/parse.c +++ b/tls/handshake/parse/src/parse.c @@ -86,13 +86,16 @@ static int32_t CheckServerKeyExchangeType(TLS_Ctx *ctx, const HS_MsgType msgType static int32_t CheckCertificateRequestType(TLS_Ctx *ctx, const HS_MsgType msgType) { +#ifdef HITLS_TLS_PROTO_TLS13 uint32_t version = GET_VERSION_FROM_CTX(ctx); if (version == HITLS_VERSION_TLS13) { if (msgType == CERTIFICATE) { (void)HS_ChangeState(ctx, TRY_RECV_CERTIFICATE); return HITLS_SUCCESS; } - } else { + } else +#endif + { if (msgType == SERVER_HELLO_DONE) { (void)HS_ChangeState(ctx, TRY_RECV_SERVER_HELLO_DONE); return HITLS_SUCCESS; @@ -110,7 +113,9 @@ static const HsMsgTypeCheck g_checkHsMsgTypeList[] = { #ifdef HITLS_TLS_PROTO_DTLS12 [TRY_RECV_HELLO_VERIFY_REQUEST] = {.msgType = HELLO_VERIFY_REQUEST, .checkCb = CheckHelloVerifyRequestType}, #endif +#ifdef HITLS_TLS_PROTO_TLS13 [TRY_RECV_ENCRYPTED_EXTENSIONS] = {.msgType = ENCRYPTED_EXTENSIONS, .checkCb = NULL}, +#endif [TRY_RECV_CERTIFICATE] = {.msgType = CERTIFICATE, .checkCb = NULL}, [TRY_RECV_SERVER_KEY_EXCHANGE] = {.msgType = SERVER_KEY_EXCHANGE, .checkCb = CheckServerKeyExchangeType}, [TRY_RECV_CERTIFICATE_REQUEST] = {.msgType = CERTIFICATE_REQUEST, .checkCb = CheckCertificateRequestType}, @@ -119,7 +124,9 @@ static const HsMsgTypeCheck g_checkHsMsgTypeList[] = { [TRY_RECV_CERTIFICATE_VERIFY] = {.msgType = CERTIFICATE_VERIFY, .checkCb = NULL}, [TRY_RECV_NEW_SESSION_TICKET] = {.msgType = NEW_SESSION_TICKET, .checkCb = NULL}, [TRY_RECV_FINISH] = {.msgType = FINISHED, .checkCb = NULL}, +#ifdef HITLS_TLS_PROTO_TLS13 [TRY_RECV_KEY_UPDATE] = {.msgType = KEY_UPDATE, .checkCb = NULL}, +#endif [TRY_RECV_HELLO_REQUEST] = {.msgType = HELLO_REQUEST, .checkCb = NULL}, }; @@ -281,8 +288,10 @@ static int32_t ParseHandShakeMsg(TLS_Ctx *ctx, const uint8_t *data, uint32_t len return ParseCertificate(ctx, data, len, hsMsg); case CLIENT_KEY_EXCHANGE: return ParseClientKeyExchange(ctx, data, len, hsMsg); +#if defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY) case CERTIFICATE_VERIFY: return ParseCertificateVerify(ctx, data, len, hsMsg); +#endif #ifdef HITLS_TLS_FEATURE_SESSION_TICKET case NEW_SESSION_TICKET: return ParseNewSessionTicket(ctx, data, len, hsMsg); @@ -477,8 +486,11 @@ void HS_CleanMsg(HS_Msg *hsMsg) #endif /* HITLS_TLS_HOST_CLIENT */ case CERTIFICATE: return CleanCertificate(&hsMsg->body.certificate); +#if (defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) || \ + defined(HITLS_TLS_PROTO_TLS13) case CERTIFICATE_VERIFY: return CleanCertificateVerify(&hsMsg->body.certificateVerify); +#endif case FINISHED: return CleanFinished(&hsMsg->body.finished); case KEY_UPDATE: diff --git a/tls/handshake/parse/src/parse_certificate_verify.c b/tls/handshake/parse/src/parse_certificate_verify.c index ca856b20..48817f17 100644 --- a/tls/handshake/parse/src/parse_certificate_verify.c +++ b/tls/handshake/parse/src/parse_certificate_verify.c @@ -13,7 +13,8 @@ * See the Mulan PSL v2 for more details. */ #include "hitls_build.h" -#if defined(HITLS_TLS_HOST_SERVER) || defined(HITLS_TLS_PROTO_TLS13) +#if (defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) || \ + defined(HITLS_TLS_PROTO_TLS13) #include "tls_binlog_id.h" #include "bsl_log.h" #include "bsl_log_internal.h" @@ -230,4 +231,4 @@ void CleanCertificateVerify(CertificateVerifyMsg *msg) BSL_SAL_FREE(msg->sign); } -#endif /* HITLS_TLS_HOST_CLIENT || HITLS_TLS_PROTO_TLS13 */ \ No newline at end of file +#endif /* (HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY) || HITLS_TLS_PROTO_TLS13 */ \ No newline at end of file diff --git a/tls/handshake/parse/src/parse_extensions_client.c b/tls/handshake/parse/src/parse_extensions_client.c index 17fba7ba..0f4597b2 100644 --- a/tls/handshake/parse/src/parse_extensions_client.c +++ b/tls/handshake/parse/src/parse_extensions_client.c @@ -143,6 +143,7 @@ static int32_t ParseServerSupportedVersions(ParsePacket *pkt, ServerHelloMsg *ms } #endif /* HITLS_TLS_PROTO_TLS13 */ +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET // Parses the extended master secret sent by the serve static int32_t ParseServerExtMasterSecret(ParsePacket *pkt, ServerHelloMsg *msg) { @@ -150,6 +151,7 @@ static int32_t ParseServerExtMasterSecret(ParsePacket *pkt, ServerHelloMsg *msg) return ParseEmptyExtension(pkt->ctx, HS_EX_TYPE_EXTENDED_MASTER_SECRET, pkt->bufLen, &msg->haveExtendedMasterSecret); } +#endif #ifdef HITLS_TLS_FEATURE_ALPN int32_t ParseServerSelectedAlpnProtocol( ParsePacket *pkt, bool *haveSelectedAlpn, uint8_t **alpnSelected, uint16_t *alpnSelectedSize) @@ -313,8 +315,10 @@ static int32_t ParseServerExBody(TLS_Ctx *ctx, uint16_t extMsgType, const uint8_ case HS_EX_TYPE_SERVER_NAME: return ParseServerServerName(&pkt, msg); #endif /* HITLS_TLS_FEATURE_SNI */ +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET case HS_EX_TYPE_EXTENDED_MASTER_SECRET: return ParseServerExtMasterSecret(&pkt, msg); +#endif #ifdef HITLS_TLS_FEATURE_ALPN case HS_EX_TYPE_APP_LAYER_PROTOCOLS: return ParseServerSelectedAlpnProtocol( diff --git a/tls/handshake/parse/src/parse_extensions_server.c b/tls/handshake/parse/src/parse_extensions_server.c index 363b7db9..8aacaa4d 100644 --- a/tls/handshake/parse/src/parse_extensions_server.c +++ b/tls/handshake/parse/src/parse_extensions_server.c @@ -171,11 +171,13 @@ static int32_t ParseClientPointFormats(ParsePacket *pkt, ClientHelloMsg *msg) return HITLS_SUCCESS; } +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET static int32_t ParseClientExtMasterSecret(ParsePacket *pkt, ClientHelloMsg *msg) { return ParseEmptyExtension(pkt->ctx, HS_EX_TYPE_EXTENDED_MASTER_SECRET, pkt->bufLen, &msg->extension.flag.haveExtendedMasterSecret); } +#endif #ifdef HITLS_TLS_FEATURE_SNI static void SetRevMsgExtServernameInfo(ClientHelloMsg *msg, uint8_t serverNameType, uint8_t *serverName, uint16_t serverNameLen) @@ -844,8 +846,9 @@ static int32_t ParseClientExBody(TLS_Ctx *ctx, uint16_t extMsgType, const uint8_ #ifdef HITLS_TLS_FEATURE_SNI { .exMsgType = HS_EX_TYPE_SERVER_NAME, .parseFunc = ParseClientServerName}, #endif /* HITLS_TLS_FEATURE_SNI */ - +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET { .exMsgType = HS_EX_TYPE_EXTENDED_MASTER_SECRET, .parseFunc = ParseClientExtMasterSecret}, +#endif #ifdef HITLS_TLS_FEATURE_ALPN { .exMsgType = HS_EX_TYPE_APP_LAYER_PROTOCOLS, .parseFunc = ParseClientAlpnProposeList}, #endif diff --git a/tls/handshake/parse/src/parse_server_key_exchange.c b/tls/handshake/parse/src/parse_server_key_exchange.c index e6d6f78e..0f3c6d70 100644 --- a/tls/handshake/parse/src/parse_server_key_exchange.c +++ b/tls/handshake/parse/src/parse_server_key_exchange.c @@ -346,7 +346,9 @@ int32_t ParseDhePara(ParsePacket *pkt, uint16_t *paraLen, uint8_t **para) static int32_t ParseServerDhe(ParsePacket *pkt, ServerKeyExchangeMsg *msg) { ServerDh *dh = &msg->keyEx.dh; +#ifdef HITLS_BSL_LOG const char *logStr = BINGLOG_STR("parse dhe param or PubKey fail. ret %d"); +#endif TLS_Ctx *ctx = pkt->ctx; int32_t ret = ParseDhePara(pkt, &dh->plen, &dh->p); if (ret != HITLS_SUCCESS) { diff --git a/tls/handshake/recv/src/hs_state_recv.c b/tls/handshake/recv/src/hs_state_recv.c index 39675083..c28a3c02 100644 --- a/tls/handshake/recv/src/hs_state_recv.c +++ b/tls/handshake/recv/src/hs_state_recv.c @@ -99,10 +99,9 @@ static bool IsUnexpectedHandshaking(const TLS_Ctx *ctx) { return (ctx->state == CM_STATE_HANDSHAKING && ctx->preState == CM_STATE_TRANSPORTING); } + static int32_t ProcessHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg) { - uint32_t version = GET_VERSION_FROM_CTX(ctx); - (void)version; switch (ctx->hsCtx->state) { #ifdef HITLS_TLS_HOST_SERVER case TRY_RECV_CLIENT_HELLO: @@ -118,8 +117,10 @@ static int32_t ProcessHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg) #endif /* HITLS_TLS_PROTO_TLS_BASIC only for tls13 */ case TRY_RECV_CLIENT_KEY_EXCHANGE: return ServerRecvClientKxProcess(ctx, hsMsg); +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY case TRY_RECV_CERTIFICATE_VERIFY: return ServerRecvClientCertVerifyProcess(ctx); +#endif #endif /* HITLS_TLS_HOST_SERVER */ #ifdef HITLS_TLS_HOST_CLIENT case TRY_RECV_CERTIFICATE_REQUEST: @@ -175,14 +176,17 @@ static int32_t ProcessHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg) ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR); return HITLS_MSG_HANDLE_STATE_ILLEGAL; } + static int32_t ProcessReceivedHandshakeMsg(TLS_Ctx *ctx, HS_Msg *hsMsg) { if (hsMsg->type == HELLO_REQUEST) { +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION if (ctx->hsCtx->state == TRY_RECV_HELLO_REQUEST) { ctx->negotiatedInfo.isRenegotiation = true; /* Start renegotiation */ ctx->negotiatedInfo.renegotiationNum++; return HS_ChangeState(ctx, TRY_SEND_CLIENT_HELLO); } +#endif /* The HelloRequest message should be ignored during the handshake. */ return HITLS_SUCCESS; } diff --git a/tls/handshake/recv/src/recv_cert_verify.c b/tls/handshake/recv/src/recv_cert_verify.c index 5f3d0e98..52149f8b 100644 --- a/tls/handshake/recv/src/recv_cert_verify.c +++ b/tls/handshake/recv/src/recv_cert_verify.c @@ -13,7 +13,8 @@ * See the Mulan PSL v2 for more details. */ #include "hitls_build.h" -#if defined(HITLS_TLS_HOST_SERVER) || defined(HITLS_TLS_PROTO_TLS13) +#if (defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY)) || \ + defined(HITLS_TLS_PROTO_TLS13) #include #include "securec.h" #include "tls_binlog_id.h" @@ -81,4 +82,4 @@ int32_t Tls13RecvCertVerifyProcess(TLS_Ctx *ctx) return HS_ChangeState(ctx, TRY_RECV_FINISH); } #endif /* HITLS_TLS_PROTO_TLS13 */ -#endif /* HITLS_TLS_HOST_SERVER || HITLS_TLS_PROTO_TLS13 */ \ No newline at end of file +#endif /* (HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY) || HITLS_TLS_PROTO_TLS13 */ \ No newline at end of file diff --git a/tls/handshake/recv/src/recv_certificate.c b/tls/handshake/recv/src/recv_certificate.c index b84ebf3d..1d6d253f 100644 --- a/tls/handshake/recv/src/recv_certificate.c +++ b/tls/handshake/recv/src/recv_certificate.c @@ -328,6 +328,7 @@ int32_t RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg) * the client MUST send a certificate message containing no certificates. */ if (certs->certCount == 0) { +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY /** Only the server allows the peer certificate to be empty */ if ((ctx->isClient == false) && (ctx->config.tlsConfig.isSupportClientVerify && ctx->config.tlsConfig.isSupportNoClientCert)) { @@ -335,7 +336,7 @@ int32_t RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg) "server recv empty cert", 0, 0, 0, 0); return HS_ChangeState(ctx, TRY_RECV_CLIENT_KEY_EXCHANGE); } - +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE); BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15724, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "peer certificate is needed!", 0, 0, 0, 0); @@ -357,7 +358,11 @@ int32_t RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg) * fails to be verified */ if (ret != HITLS_SUCCESS) { if (!ctx->config.tlsConfig.isSupportVerifyNone) { +#ifdef HITLS_TLS_PROTO_DFX_INFO ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, GetAlertfromX509Err(ctx->peerInfo.verifyResult)); +#else + ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_CERTIFICATE); +#endif return ret; } } @@ -402,6 +407,29 @@ static int32_t CertificateReqCtxCheck(TLS_Ctx *ctx, const CertificateMsg *certs) return HITLS_SUCCESS; } +static int32_t ProcessEmptyCert(TLS_Ctx *ctx) +{ + if (ctx->isClient) { + BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE); + return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID16126, + "peer certificate is needed!", ALERT_DECODE_ERROR); + } + /** Only the server allows the peer certificate to be empty */ +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY + if ((ctx->config.tlsConfig.isSupportClientVerify && ctx->config.tlsConfig.isSupportNoClientCert)) { + int32_t ret = VERIFY_Tls13CalcVerifyData(ctx, true); + if (ret != HITLS_SUCCESS) { + return RETURN_ALERT_PROCESS(ctx, ret, BINLOG_ID15729, + "server calculate client finished data error", ALERT_INTERNAL_ERROR); + } + return HS_ChangeState(ctx, TRY_RECV_FINISH); + } +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ + BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE); + return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID15727, + "peer certificate is needed!", ALERT_CERTIFICATE_REQUIRED); +} + int32_t Tls13RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg) { const CertificateMsg *certs = &msg->body.certificate; @@ -425,24 +453,7 @@ int32_t Tls13RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg) * the client MUST send a certificate message containing no certificates. */ if (certs->certCount == 0) { - if (ctx->isClient) { - BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE); - return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID16126, - "peer certificate is needed!", ALERT_DECODE_ERROR); - } - /** Only the server allows the peer certificate to be empty */ - if ((ctx->config.tlsConfig.isSupportClientVerify && ctx->config.tlsConfig.isSupportNoClientCert)) { - ret = VERIFY_Tls13CalcVerifyData(ctx, true); - if (ret != HITLS_SUCCESS) { - return RETURN_ALERT_PROCESS(ctx, ret, BINLOG_ID15729, - "server calculate client finished data error", ALERT_INTERNAL_ERROR); - } - return HS_ChangeState(ctx, TRY_RECV_FINISH); - } - - BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE); - return RETURN_ALERT_PROCESS(ctx, HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE, BINLOG_ID15727, - "peer certificate is needed!", ALERT_CERTIFICATE_REQUIRED); + return ProcessEmptyCert(ctx); } /** Process the obtained peer certificate */ @@ -459,7 +470,11 @@ int32_t Tls13RecvCertificateProcess(TLS_Ctx *ctx, const HS_Msg *msg) if (!ctx->config.tlsConfig.isSupportVerifyNone) { BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17045, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "VerifyCertChain fail, ret = 0x%x.", (uint32_t)ret, 0, 0, 0); +#ifdef HITLS_TLS_PROTO_DFX_INFO ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, GetAlertfromX509Err(ctx->peerInfo.verifyResult)); +#else + ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_BAD_CERTIFICATE); +#endif return ret; } } diff --git a/tls/handshake/recv/src/recv_client_hello.c b/tls/handshake/recv/src/recv_client_hello.c index fb008e3f..53b505f2 100644 --- a/tls/handshake/recv/src/recv_client_hello.c +++ b/tls/handshake/recv/src/recv_client_hello.c @@ -117,17 +117,21 @@ static uint16_t ServerSelectCurveId(const TLS_Ctx *ctx, const ClientHelloMsg *cl uint32_t normalGroupsSize = 0; uint16_t *perferenceGroups = NULL; uint16_t *normalGroups = NULL; +#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER if (ctx->config.tlsConfig.isSupportServerPreference) { perferenceGroupsSize = ctx->config.tlsConfig.groupsSize; normalGroupsSize = clientHello->extension.content.supportedGroupsSize; perferenceGroups = ctx->config.tlsConfig.groups; normalGroups = clientHello->extension.content.supportedGroups; } else { +#endif perferenceGroupsSize = clientHello->extension.content.supportedGroupsSize; normalGroupsSize = ctx->config.tlsConfig.groupsSize; perferenceGroups = clientHello->extension.content.supportedGroups; normalGroups = ctx->config.tlsConfig.groups; +#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER } +#endif /* Find supported curves */ for (uint32_t i = 0u; i < perferenceGroupsSize; i++) { @@ -463,23 +467,24 @@ int32_t ServerSelectCipherSuite(TLS_Ctx *ctx, const ClientHelloMsg *clientHello) /* Obtain server information */ uint16_t *cfgCipherSuites = ctx->config.tlsConfig.cipherSuites; uint32_t cfgCipherSuitesSize = ctx->config.tlsConfig.cipherSuitesSize; +#ifdef HITLS_TLS_PROTO_TLS13 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) { cfgCipherSuites = ctx->config.tlsConfig.tls13CipherSuites; cfgCipherSuitesSize = ctx->config.tlsConfig.tls13cipherSuitesSize; } - +#endif const uint16_t *preferenceCipherSuites = clientHello->cipherSuites; uint16_t preferenceCipherSuitesSize = clientHello->cipherSuitesSize; const uint16_t *normalCipherSuites = cfgCipherSuites; uint16_t normalCipherSuitesSize = (uint16_t)cfgCipherSuitesSize; - +#ifdef HITLS_TLS_PROTO_DFX_SERVER_PREFER if (ctx->config.tlsConfig.isSupportServerPreference) { preferenceCipherSuites = cfgCipherSuites; preferenceCipherSuitesSize = (uint16_t)cfgCipherSuitesSize; normalCipherSuites = clientHello->cipherSuites; normalCipherSuitesSize = clientHello->cipherSuitesSize; } - +#endif bool preferSha256 = false; #ifdef HITLS_TLS_PROTO_TLS13 @@ -1034,10 +1039,12 @@ static int32_t ServerCheckResume(TLS_Ctx *ctx, const ClientHelloMsg *clientHello { ctx->negotiatedInfo.isResume = false; ctx->negotiatedInfo.isTicket = false; +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION /* If session resumption is not allowed in the renegotiation state, return */ if (ctx->negotiatedInfo.isRenegotiation && !ctx->config.tlsConfig.isResumptionOnRenego) { return HITLS_SUCCESS; } +#endif /* Create a null session handle */ HITLS_Session *sess = NULL; uint32_t ticketBufSize = clientHello->extension.content.ticketSize; @@ -1146,6 +1153,7 @@ static int32_t ServerCheckAndProcessRenegoInfo(TLS_Ctx *ctx, const ClientHelloMs static int32_t ServerCheckEncryptThenMac(TLS_Ctx *ctx, const ClientHelloMsg *clientHello) { bool haveEncryptThenMac = clientHello->extension.flag.haveEncryptThenMac; +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION /* Renegotiation cannot be downgraded from EncryptThenMac to MacThenEncrypt */ if (ctx->negotiatedInfo.isRenegotiation && ctx->negotiatedInfo.isEncryptThenMac && !haveEncryptThenMac) { BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR); @@ -1154,7 +1162,7 @@ static int32_t ServerCheckEncryptThenMac(TLS_Ctx *ctx, const ClientHelloMsg *cli ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE); return HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR; } - +#endif /* If EncryptThenMac is not configured, a success message is returned. */ if (!ctx->config.tlsConfig.isEncryptThenMac) { return HITLS_SUCCESS; @@ -1197,6 +1205,7 @@ static int32_t ServerSelectCipherSuiteInfo(TLS_Ctx *ctx, const ClientHelloMsg *c static int32_t ServerProcessClientHelloExt(TLS_Ctx *ctx, const ClientHelloMsg *clientHello) { +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET int32_t ret = HITLS_SUCCESS; (void)ret; (void)clientHello; @@ -1210,7 +1219,7 @@ static int32_t ServerProcessClientHelloExt(TLS_Ctx *ctx, const ClientHelloMsg *c return HITLS_MSG_HANDLE_INVALID_EXTENDED_MASTER_SECRET; } ctx->negotiatedInfo.isExtendedMasterSecret = clientHello->extension.flag.haveExtendedMasterSecret; - +#endif return ProcessClientHelloExt(ctx, clientHello, false); } @@ -1402,10 +1411,12 @@ int32_t Tls12ServerRecvClientHelloProcess(TLS_Ctx *ctx, const HS_Msg *msg, bool return ret; } } +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION if (ctx->state == CM_STATE_RENEGOTIATION && !ctx->userRenego) { ctx->negotiatedInfo.isRenegotiation = true; /* Start renegotiation */ ctx->negotiatedInfo.renegotiationNum++; } +#endif return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO); } #endif /* HITLS_TLS_PROTO_TLS_BASIC */ @@ -1449,6 +1460,7 @@ static int32_t DtlsServerCheckAndProcessCookie(TLS_Ctx *ctx, const ClientHelloMs } /* If the cookie fails to be verified, send a hello verify request */ if (!*isCookieValid) { +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION /* During DTLS renegotiation, if the cookie verification fails, an alert message is sent. If the cookie is empty, the hello verify request is sent */ if ((clientHello->cookieLen != 0u) && (ctx->negotiatedInfo.isRenegotiation)) { @@ -1458,6 +1470,7 @@ static int32_t DtlsServerCheckAndProcessCookie(TLS_Ctx *ctx, const ClientHelloMs ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE); return HITLS_MSG_VERIFY_COOKIE_ERR; } +#endif ret = PrepareDtlsCookie(ctx, clientHello); if (ret != HITLS_SUCCESS) { return ret; @@ -1515,10 +1528,12 @@ int32_t DtlsServerRecvClientHelloProcess(TLS_Ctx *ctx, const HS_Msg *msg) return ret; } } +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION if (ctx->state == CM_STATE_RENEGOTIATION && !ctx->userRenego) { ctx->negotiatedInfo.isRenegotiation = true; /* Start renegotiation */ ctx->negotiatedInfo.renegotiationNum++; } +#endif return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO); } #endif @@ -2344,13 +2359,13 @@ static int32_t Tls13ServerProcessClientHello(TLS_Ctx *ctx, HS_Msg *msg) return ret; } } -#ifdef HITLS_TLS_FEATURE_PHA +#if defined(HITLS_TLS_FEATURE_PHA) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY) TLS_Config *tlsConfig = &ctx->config.tlsConfig; if (ctx->phaState == PHA_NONE && tlsConfig->isSupportClientVerify && msg->body.clientHello.extension.flag.havePostHsAuth) { ctx->phaState = PHA_EXTENSION; } -#endif /* HITLS_TLS_FEATURE_PHA */ +#endif /* HITLS_TLS_FEATURE_PHA && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO); } diff --git a/tls/handshake/recv/src/recv_finished.c b/tls/handshake/recv/src/recv_finished.c index deba8cdd..206d9d35 100644 --- a/tls/handshake/recv/src/recv_finished.c +++ b/tls/handshake/recv/src/recv_finished.c @@ -215,7 +215,8 @@ int32_t HsSetSessionInfo(TLS_Ctx *ctx) } #endif /* HITLS_TLS_FEATURE_SESSION */ -int32_t CheckFinishedVerifyData(const FinishedMsg *finishedMsg, const uint8_t *verifyData, uint32_t verifyDataSize) +static int32_t CheckFinishedVerifyData(const FinishedMsg *finishedMsg, const uint8_t *verifyData, + uint32_t verifyDataSize) { if ((finishedMsg->verifyDataSize == 0u) || (verifyDataSize == 0u)) { BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_INCORRECT_DIGEST_LEN); @@ -240,20 +241,19 @@ int32_t CheckFinishedVerifyData(const FinishedMsg *finishedMsg, const uint8_t *v return HITLS_SUCCESS; } -#ifdef HITLS_TLS_HOST_CLIENT -int32_t ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) + +static int32_t RecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) { - int32_t ret = 0; HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx; VerifyCtx *verifyCtx = hsCtx->verifyCtx; const FinishedMsg *finished = &msg->body.finished; uint8_t verifyData[MAX_DIGEST_SIZE] = {0}; uint32_t verifyDataSize = MAX_DIGEST_SIZE; - ret = VERIFY_GetVerifyData(verifyCtx, verifyData, &verifyDataSize); + int32_t ret = VERIFY_GetVerifyData(verifyCtx, verifyData, &verifyDataSize); if (ret != HITLS_SUCCESS) { BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15740, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, - "client get server finished verify data error.", 0, 0, 0, 0); + "Get finished verify data error.", 0, 0, 0, 0); ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR); return ret; } @@ -261,12 +261,9 @@ int32_t ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) ret = CheckFinishedVerifyData(finished, verifyData, verifyDataSize); if (ret != HITLS_SUCCESS) { BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15741, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, - "client verify server finished data error.", 0, 0, 0, 0); - if (ret == HITLS_MSG_HANDLE_INCORRECT_DIGEST_LEN) { - ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECODE_ERROR); - } else { - ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECRYPT_ERROR); - } + "Verify finished data error.", 0, 0, 0, 0); + ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, + (ret == HITLS_MSG_HANDLE_INCORRECT_DIGEST_LEN) ? ALERT_DECODE_ERROR : ALERT_DECRYPT_ERROR); return HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL; } #ifdef HITLS_TLS_FEATURE_SESSION @@ -278,14 +275,17 @@ int32_t ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) return ret; } #endif /* HITLS_TLS_FEATURE_SESSION */ - /* CCS messages are not allowed to be received later. */ - ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY); + if (ctx->isClient) { + /* CCS messages are not allowed to be received later. */ + ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY); + } return HITLS_SUCCESS; } +#ifdef HITLS_TLS_HOST_CLIENT #ifdef HITLS_TLS_PROTO_TLS_BASIC int32_t Tls12ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) { - int32_t ret = ClientRecvFinishedProcess(ctx, msg); + int32_t ret = RecvFinishedProcess(ctx, msg); if (ret != HITLS_SUCCESS) { return ret; } @@ -313,7 +313,7 @@ int32_t DtlsClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) return HS_ChangeState(ctx, TLS_CONNECTED); } #endif /* HITLS_BSL_UIO_UDP */ - int32_t ret = ClientRecvFinishedProcess(ctx, msg); + int32_t ret = RecvFinishedProcess(ctx, msg); if (ret != HITLS_SUCCESS) { return ret; } @@ -332,7 +332,7 @@ int32_t DtlsClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) #ifdef HITLS_TLS_PROTO_TLS13 int32_t Tls13ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) { - int32_t ret = ClientRecvFinishedProcess(ctx, msg); + int32_t ret = RecvFinishedProcess(ctx, msg); if (ret != HITLS_SUCCESS) { return ret; } @@ -363,51 +363,10 @@ int32_t Tls13ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) #endif /* HITLS_TLS_HOST_CLIENT */ #ifdef HITLS_TLS_HOST_SERVER - -int32_t ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) -{ - int32_t ret = 0; - HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx; - VerifyCtx *verifyCtx = hsCtx->verifyCtx; - uint8_t verifyData[MAX_DIGEST_SIZE] = {0}; - uint32_t verifyDataSize = MAX_DIGEST_SIZE; - const FinishedMsg *finished = &msg->body.finished; - - ret = VERIFY_GetVerifyData(verifyCtx, verifyData, &verifyDataSize); - if (ret != HITLS_SUCCESS) { - BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15742, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, - "server get client finished verify data error.", 0, 0, 0, 0); - ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR); - return ret; - } - - ret = CheckFinishedVerifyData(finished, verifyData, verifyDataSize); - if (ret != HITLS_SUCCESS) { - BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL); - BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15743, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, - "server verify client finished data error.", 0, 0, 0, 0); - if (ret == HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL) { - ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECRYPT_ERROR); - } else { - ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECODE_ERROR); - } - return HITLS_MSG_HANDLE_VERIFY_FINISHED_FAIL; - } -#ifdef HITLS_TLS_FEATURE_SESSION - ret = HsSetSessionInfo(ctx); - if (ret != HITLS_SUCCESS) { - BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15897, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, - "set session information failed.", 0, 0, 0, 0); - ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR); - return ret; - } -#endif /* HITLS_TLS_FEATURE_SESSION */ - return HITLS_SUCCESS; -} #ifdef HITLS_TLS_PROTO_TLS_BASIC int32_t Tls12ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) { - int32_t ret = ServerRecvFinishedProcess(ctx, msg); + int32_t ret = RecvFinishedProcess(ctx, msg); if (ret != HITLS_SUCCESS) { return ret; } @@ -438,7 +397,7 @@ int32_t DtlsServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) return HS_ChangeState(ctx, TLS_CONNECTED); } #endif /* HITLS_BSL_UIO_UDP */ - int32_t ret = ServerRecvFinishedProcess(ctx, msg); + int32_t ret = RecvFinishedProcess(ctx, msg); if (ret != HITLS_SUCCESS) { return ret; } @@ -467,7 +426,7 @@ int32_t Tls13ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY); ctx->plainAlertForbid = true; - int32_t ret = ServerRecvFinishedProcess(ctx, msg); + int32_t ret = RecvFinishedProcess(ctx, msg); if (ret != HITLS_SUCCESS) { return ret; } @@ -490,7 +449,7 @@ int32_t Tls13ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) if (ret != HITLS_SUCCESS) { return ret; } -#ifdef HITLS_TLS_FEATURE_PHA +#if defined(HITLS_TLS_FEATURE_PHA) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY) if (ctx->phaState == PHA_EXTENSION && ctx->config.tlsConfig.isSupportClientVerify) { SAL_CRYPT_DigestFree(ctx->phaHash); ctx->phaHash = SAL_CRYPT_DigestCopy(ctx->hsCtx->verifyCtx->hashCtx); @@ -501,7 +460,7 @@ int32_t Tls13ServerRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg) return HITLS_CRYPT_ERR_DIGEST; } } -#endif /* HITLS_TLS_FEATURE_PHA */ +#endif /* HITLS_TLS_FEATURE_PHA && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ } #ifdef HITLS_TLS_FEATURE_SESSION_TICKET /* When ticketNums is 0, no ticket is sent */ diff --git a/tls/handshake/recv/src/recv_server_hello.c b/tls/handshake/recv/src/recv_server_hello.c index 5f1a61cc..1ed14623 100644 --- a/tls/handshake/recv/src/recv_server_hello.c +++ b/tls/handshake/recv/src/recv_server_hello.c @@ -124,6 +124,7 @@ static int32_t ClientCheckServerName(TLS_Ctx *ctx, const ServerHelloMsg *serverH return HITLS_SUCCESS; } #endif /* HITLS_TLS_FEATURE_SNI */ +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET static int32_t ClientCheckExtendedMasterSecret(TLS_Ctx *ctx, const ServerHelloMsg *serverHello) { if ((!ctx->hsCtx->extFlag.haveExtendedMasterSecret) && serverHello->haveExtendedMasterSecret) { @@ -171,6 +172,7 @@ static int32_t ClientCheckExtendedMasterSecret(TLS_Ctx *ctx, const ServerHelloMs serverHello->haveExtendedMasterSecret); return HITLS_SUCCESS; } +#endif #ifdef HITLS_TLS_PROTO_TLS13 static int32_t ClientCheckKeyShare(TLS_Ctx *ctx, const ServerHelloMsg *serverHello) { @@ -340,7 +342,7 @@ static int32_t ClientCheckEncryptThenMac(TLS_Ctx *ctx, const ServerHelloMsg *ser BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE); return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE; } - +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION /* During renegotiation, EncryptThenMac cannot be converted to MacThenEncrypt */ if (ctx->negotiatedInfo.isRenegotiation && ctx->negotiatedInfo.isEncryptThenMac && !serverHello->haveEncryptThenMac) { @@ -350,7 +352,7 @@ static int32_t ClientCheckEncryptThenMac(TLS_Ctx *ctx, const ServerHelloMsg *ser BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR); return HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR; } - +#endif /* This extension does not need to be negotiated for tls1.3 */ if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) { return HITLS_SUCCESS; @@ -413,7 +415,9 @@ static int32_t ClientCheckExtensionsFlag(TLS_Ctx *ctx, const ServerHelloMsg *ser #ifdef HITLS_TLS_FEATURE_SNI ClientCheckServerName, #endif /* HITLS_TLS_FEATURE_SNI */ +#ifdef HITLS_TLS_FEATURE_EXTENDED_MASTER_SECRET ClientCheckExtendedMasterSecret, +#endif #ifdef HITLS_TLS_FEATURE_ALPN ClientCheckNegotiatedAlpnOfServerHello, #endif /* HITLS_TLS_FEATURE_ALPN */ @@ -899,25 +903,6 @@ static int32_t ClientCheckHrrKeyShareExtension(TLS_Ctx *ctx, const ServerHelloMs return HITLS_SUCCESS; } -/* If an implementation receives an extension - * which it recognizes and which is not specified for the message in - * which it appears, it MUST abort the handshake with an - * "illegal_parameter" alert. */ -static int32_t ClientCheckHrrExtraExtension(TLS_Ctx *ctx, const ServerHelloMsg *helloRetryRequest) -{ - if (helloRetryRequest->haveServerName || helloRetryRequest->haveExtendedMasterSecret || - helloRetryRequest->havePointFormats || helloRetryRequest->haveSelectedAlpn || - helloRetryRequest->haveSelectedIdentity || helloRetryRequest->haveSecRenego || helloRetryRequest->haveTicket || - helloRetryRequest->haveEncryptThenMac) { - BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17092, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, - "these extensions are not specified in the hrr message", 0, 0, 0, 0); - ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER); - BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE); - return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE; - } - return HITLS_SUCCESS; -} - static int32_t ClientCheckHrrCookieExtension(TLS_Ctx *ctx, const ServerHelloMsg *helloRetryRequest) { if (helloRetryRequest->haveCookie == false) { @@ -946,11 +931,6 @@ static int32_t Tls13ClientCheckHrrExtension(TLS_Ctx *ctx, const ServerHelloMsg * return ret; } - /* Check whether there are redundant extensions */ - ret = ClientCheckHrrExtraExtension(ctx, helloRetryRequest); - if (ret != HITLS_SUCCESS) { - return ret; - } /* Check the key share extension */ ret = ClientCheckHrrCookieExtension(ctx, helloRetryRequest); diff --git a/tls/handshake/send/src/hs_state_send.c b/tls/handshake/send/src/hs_state_send.c index 9b7fc876..da1ce5cb 100644 --- a/tls/handshake/send/src/hs_state_send.c +++ b/tls/handshake/send/src/hs_state_send.c @@ -108,8 +108,10 @@ static int32_t ProcessSendHandshakeMsg(TLS_Ctx *ctx) return ServerSendServerHelloProcess(ctx); case TRY_SEND_SERVER_KEY_EXCHANGE: return ServerSendServerKeyExchangeProcess(ctx); +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY case TRY_SEND_CERTIFICATE_REQUEST: return ServerSendCertRequestProcess(ctx); +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ case TRY_SEND_SERVER_HELLO_DONE: return ServerSendServerHelloDoneProcess(ctx); #ifdef HITLS_TLS_FEATURE_SESSION_TICKET @@ -166,8 +168,10 @@ static int32_t Tls13ProcessSendHandshakeMsg(TLS_Ctx *ctx) return Tls13ServerSendServerHelloProcess(ctx); case TRY_SEND_ENCRYPTED_EXTENSIONS: return Tls13ServerSendEncryptedExtensionsProcess(ctx); +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY case TRY_SEND_CERTIFICATE_REQUEST: return Tls13ServerSendCertRequestProcess(ctx); +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ case TRY_SEND_NEW_SESSION_TICKET: return Tls13SendNewSessionTicketProcess(ctx); #endif /* HITLS_TLS_HOST_SERVER */ @@ -198,9 +202,8 @@ static int32_t Tls13ProcessSendHandshakeMsg(TLS_Ctx *ctx) return Tls13SendKeyUpdateProcess(ctx); #endif default: - break; + return RETURN_ERROR_NUMBER_PROCESS(HITLS_MSG_HANDLE_STATE_ILLEGAL, BINLOG_ID17101, "Handshake state error"); } - return RETURN_ERROR_NUMBER_PROCESS(HITLS_MSG_HANDLE_STATE_ILLEGAL, BINLOG_ID17101, "Handshake state error"); } #endif /* HITLS_TLS_PROTO_TLS13 */ int32_t HS_SendMsgProcess(TLS_Ctx *ctx) diff --git a/tls/handshake/send/src/send_cert_request.c b/tls/handshake/send/src/send_cert_request.c index e0ddf0e3..5273d9f7 100644 --- a/tls/handshake/send/src/send_cert_request.c +++ b/tls/handshake/send/src/send_cert_request.c @@ -13,7 +13,7 @@ * See the Mulan PSL v2 for more details. */ #include "hitls_build.h" -#ifdef HITLS_TLS_HOST_SERVER +#if defined(HITLS_TLS_HOST_SERVER) && defined(HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY) #include "tls_binlog_id.h" #include "bsl_log_internal.h" #include "bsl_log.h" @@ -110,4 +110,4 @@ int32_t Tls13ServerSendCertRequestProcess(TLS_Ctx *ctx) return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE); } #endif /* HITLS_TLS_PROTO_TLS13 */ -#endif /* HITLS_TLS_HOST_SERVER */ \ No newline at end of file +#endif /* HITLS_TLS_HOST_SERVER && HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ \ No newline at end of file diff --git a/tls/handshake/send/src/send_certificate.c b/tls/handshake/send/src/send_certificate.c index ddc75e0a..44838e8a 100644 --- a/tls/handshake/send/src/send_certificate.c +++ b/tls/handshake/send/src/send_certificate.c @@ -63,6 +63,7 @@ int32_t SendCertificateProcess(TLS_Ctx *ctx) if (IsNeedServerKeyExchange(ctx) == true) { return HS_ChangeState(ctx, TRY_SEND_SERVER_KEY_EXCHANGE); } +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY /* The server sends CertificateRequest only when the isSupportClientVerify mode is enabled */ if (ctx->config.tlsConfig.isSupportClientVerify) { /* isSupportClientOnceVerify specifies whether the CR is sent only in the initial handshake phase. */ @@ -72,6 +73,7 @@ int32_t SendCertificateProcess(TLS_Ctx *ctx) return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST); } } +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO_DONE); } #endif /* HITLS_TLS_PROTO_TLS_BASIC || HITLS_TLS_PROTO_DTLS12 */ diff --git a/tls/handshake/send/src/send_client_hello.c b/tls/handshake/send/src/send_client_hello.c index 89533932..b4acd8c0 100644 --- a/tls/handshake/send/src/send_client_hello.c +++ b/tls/handshake/send/src/send_client_hello.c @@ -43,13 +43,13 @@ static int32_t ClientPrepareSession(TLS_Ctx *ctx) { HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx; - +#ifdef HITLS_TLS_FEATURE_RENEGOTIATION /* If the session cannot be resumed during renegotiation, delete the session */ if (ctx->negotiatedInfo.isRenegotiation && !ctx->config.tlsConfig.isResumptionOnRenego) { HITLS_SESS_Free(ctx->session); ctx->session = NULL; } - +#endif if (ctx->session != NULL) { uint64_t curTime = (uint64_t)BSL_SAL_CurrentSysTimeGet(); if (!SESS_CheckValidity(ctx->session, curTime)) { diff --git a/tls/handshake/send/src/send_encrypted_extensions.c b/tls/handshake/send/src/send_encrypted_extensions.c index 61957249..ce141e1a 100644 --- a/tls/handshake/send/src/send_encrypted_extensions.c +++ b/tls/handshake/send/src/send_encrypted_extensions.c @@ -72,6 +72,7 @@ int32_t Tls13ServerSendEncryptedExtensionsProcess(TLS_Ctx *ctx) if (ctx->hsCtx->kxCtx->pskInfo13.psk != NULL) { return HS_ChangeState(ctx, TRY_SEND_FINISH); } +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY /* The server sends a CertificateRequest message only when the VerifyPeer mode is enabled */ if (ctx->config.tlsConfig.isSupportClientVerify #ifdef HITLS_TLS_FEATURE_PHA @@ -80,6 +81,7 @@ int32_t Tls13ServerSendEncryptedExtensionsProcess(TLS_Ctx *ctx) ) { return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST); } +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE); } #endif /* HITLS_TLS_PROTO_TLS13 && HITLS_TLS_HOST_SERVER */ \ No newline at end of file diff --git a/tls/handshake/send/src/send_server_key_exchange.c b/tls/handshake/send/src/send_server_key_exchange.c index d243441c..995b10e0 100644 --- a/tls/handshake/send/src/send_server_key_exchange.c +++ b/tls/handshake/send/src/send_server_key_exchange.c @@ -287,7 +287,7 @@ int32_t ServerSendServerKeyExchangeProcess(TLS_Ctx *ctx) BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15750, BSL_LOG_LEVEL_INFO, BSL_LOG_BINLOG_TYPE_RUN, "server send keyExchange msg success.", 0, 0, 0, 0); - +#ifdef HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY /* Update the state machine. If the CertificateRequest message does not need to be sent, the system directly * switches to theSend_SERVER_HELLO_DONE state */ if (ctx->negotiatedInfo.cipherSuiteInfo.authAlg != HITLS_AUTH_NULL && @@ -298,6 +298,7 @@ int32_t ServerSendServerKeyExchangeProcess(TLS_Ctx *ctx) return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST); } } +#endif /* HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY */ /* Make sure the client will always send a certificate message, because ECDHE relies on the client's encrypted * certificate, even if the client does not require authentication (isSupportClientVerify equals false). */ #ifdef HITLS_TLS_PROTO_TLCP11 diff --git a/tls/include/cipher_suite.h b/tls/include/cipher_suite.h index daf3c58f..f5d5f1dd 100644 --- a/tls/include/cipher_suite.h +++ b/tls/include/cipher_suite.h @@ -165,7 +165,6 @@ bool CFG_GetSignParamBySchemes(const HITLS_Ctx *ctx, HITLS_SignHashAlgo scheme, */ uint8_t CFG_GetCertTypeByCipherSuite(uint16_t cipherSuite); - /** * @brief get the group name of the ecdsa * diff --git a/tls/include/tls.h b/tls/include/tls.h index f7d22503..9744c24e 100644 --- a/tls/include/tls.h +++ b/tls/include/tls.h @@ -122,7 +122,9 @@ typedef enum { CM_STATE_RENEGOTIATION, CM_STATE_ALERTING, CM_STATE_ALERTED, +#ifdef HITLS_TLS_PROTO_CLOSE_STATE CM_STATE_CLOSED, +#endif CM_STATE_END } CM_State; diff --git a/tls/include/tls_config.h b/tls/include/tls_config.h index b3a666b1..e8fa673f 100644 --- a/tls/include/tls_config.h +++ b/tls/include/tls_config.h @@ -121,7 +121,7 @@ typedef struct TlsConfig { BSL_SAL_RefCount references; /* reference count */ HITLS_Lib_Ctx *libCtx; /* library context */ const char *attrName; /* attrName */ -#ifdef HITLS_TLS_FEATURE_PROVIDER +#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC TLS_GroupInfo *groupInfo; uint32_t groupInfolen; uint32_t groupInfoSize; diff --git a/tls/record/src/rec_anti_replay.c b/tls/record/src/rec_anti_replay.c index b0220f7d..4bf276a2 100644 --- a/tls/record/src/rec_anti_replay.c +++ b/tls/record/src/rec_anti_replay.c @@ -14,7 +14,7 @@ */ #include "hitls_build.h" -#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) +#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY) #include "rec_anti_replay.h" #define REC_SLID_WINDOW_SIZE 64 @@ -66,4 +66,4 @@ void RecAntiReplayUpdate(RecSlidWindow *w, uint64_t seq) w->window |= 1; } } -#endif /* HITLS_TLS_PROTO_DTLS12 && HITLS_BSL_UIO_UDP */ \ No newline at end of file +#endif /* HITLS_TLS_PROTO_DTLS12 && HITLS_BSL_UIO_UDP && HITLS_TLS_FEATURE_ANTI_REPLAY */ \ No newline at end of file diff --git a/tls/record/src/rec_read.c b/tls/record/src/rec_read.c index c615c95a..008fb827 100644 --- a/tls/record/src/rec_read.c +++ b/tls/record/src/rec_read.c @@ -231,8 +231,6 @@ static int32_t RecordUnexpectedMsg(TLS_Ctx *ctx, RecBuf *decryptBuf, REC_Type re case REC_TYPE_APP: ret = RecBufListAddBuffer(ctx->recCtx->appRecList, decryptBuf); break; - case REC_TYPE_CHANGE_CIPHER_SPEC: - case REC_TYPE_ALERT: default: ret = ctx->method.unexpectedMsgProcessCb(ctx, recordType, decryptBuf->buf, decryptBuf->end, false); @@ -596,7 +594,7 @@ static uint8_t *GetUnprocessedMsg(RecCtx *recordCtx, REC_Type recordType, RecHdr return recordBody; } -#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) +#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY) static int32_t AntiReplay(TLS_Ctx *ctx, RecHdr *hdr) { /* In non-UDP scenarios, anti-replay check is not required */ @@ -650,7 +648,7 @@ static int32_t DtlsGetRecord(TLS_Ctx *ctx, REC_Type recordType, RecHdr *hdr, uin return ret; } } -#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) +#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY) ret = AntiReplay(ctx, hdr); if (ret != HITLS_SUCCESS) { BSL_SAL_FREE(*cachRecord); @@ -715,13 +713,15 @@ int32_t DtlsRecordRead(TLS_Ctx *ctx, REC_Type recordType, uint8_t *data, uint32_ if (ret != HITLS_SUCCESS) { return ret; } -#if defined(HITLS_BSL_UIO_UDP) +#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY) /* In UDP scenarios, update the sliding window flag */ if (BSL_UIO_GetUioChainTransportType(ctx->uio, BSL_UIO_UDP)) { RecAntiReplayUpdate(&GetReadConnState(ctx)->window, REC_SEQ_GET(hdr.epochSeq)); } #endif +#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER ctx->method.clearAlert(ctx, cryptMsg.type); +#endif #ifdef HITLS_TLS_FEATURE_MODE_RELEASE_BUFFERS if ((ctx->config.tlsConfig.modeSupport & HITLS_MODE_RELEASE_BUFFERS) != 0 && (recordType == REC_TYPE_APP)) { RecTryFreeRecBuf(ctx, false); @@ -1047,7 +1047,9 @@ int32_t TlsRecordRead(TLS_Ctx *ctx, REC_Type recordType, uint8_t *data, uint32_t if (ret != HITLS_SUCCESS) { return ret; } +#ifdef HITLS_TLS_PROTO_DFX_ALERT_NUMBER ctx->method.clearAlert(ctx, encryptedMsg.type); +#endif #ifdef HITLS_TLS_FEATURE_MODE_RELEASE_BUFFERS if ((ctx->config.tlsConfig.modeSupport & HITLS_MODE_RELEASE_BUFFERS) != 0 && (recordType == REC_TYPE_APP)) { RecTryFreeRecBuf(ctx, false); diff --git a/tls/record/src/record.c b/tls/record/src/record.c index dd6e9a86..208a786b 100644 --- a/tls/record/src/record.c +++ b/tls/record/src/record.c @@ -114,9 +114,11 @@ static uint32_t RecGetReadBufferSize(const TLS_Ctx *ctx) if (ctx->negotiatedInfo.recordSizeLimit != 0 && ctx->negotiatedInfo.recordSizeLimit <= REC_MAX_PLAIN_TEXT_LENGTH) { recSize -= REC_MAX_PLAIN_TEXT_LENGTH - ctx->negotiatedInfo.recordSizeLimit; +#ifdef HITLS_TLS_PROTO_TLS13 if (GET_VERSION_FROM_CTX(ctx) == HITLS_VERSION_TLS13) { recSize--; } +#endif } return recSize; } @@ -134,9 +136,11 @@ static uint32_t RecGetWriteBufferSize(const TLS_Ctx *ctx) recSize -= REC_MAX_PLAIN_TEXT_LENGTH - maxSendFragment; if (ctx->negotiatedInfo.peerRecordSizeLimit != 0 && ctx->negotiatedInfo.peerRecordSizeLimit <= maxSendFragment) { recSize -= maxSendFragment - ctx->negotiatedInfo.peerRecordSizeLimit; +#ifdef HITLS_TLS_PROTO_TLS13 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) { recSize--; } +#endif } #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) RecCmpPmtu(ctx, &recSize); @@ -576,7 +580,7 @@ int32_t REC_ActivePendingState(TLS_Ctx *ctx, bool isOut) } else { ++recordCtx->readEpoch; RecConnSetEpoch(states->currentState, recordCtx->readEpoch); -#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) +#if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) && defined(HITLS_TLS_FEATURE_ANTI_REPLAY) RecAntiReplayReset(&states->currentState->window); #endif } @@ -599,9 +603,11 @@ static uint32_t REC_GetRecordSizeLimitWriteLen(const TLS_Ctx *ctx) #endif if (ctx->negotiatedInfo.recordSizeLimit != 0 && ctx->negotiatedInfo.peerRecordSizeLimit <= defaultLen) { defaultLen = ctx->negotiatedInfo.peerRecordSizeLimit; +#ifdef HITLS_TLS_PROTO_TLS13 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) { defaultLen--; } +#endif } return defaultLen; }