1 /*
2 * Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the License); you may
5 * not use this file except in compliance with the License.
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 */
9
10
11
12 #include <time.h>
13 #include <errno.h>
14 #include <stdio.h>
15 #include <stdlib.h>
16 #include <string.h>
17 #include <unistd.h>
18 #include <sys/types.h>
19 #include <arpa/inet.h>
20 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <gmssl/rand.h>
23 #include <gmssl/x509.h>
24 #include <gmssl/error.h>
25 #include <gmssl/mem.h>
26 #include <gmssl/sm2.h>
27 #include <gmssl/sm3.h>
28 #include <gmssl/sm4.h>
29 #include <gmssl/pem.h>
30 #include <gmssl/tls.h>
31
32
33 static const int tlcp_ciphers[] = { TLS_cipher_ecc_sm4_cbc_sm3 };
34 static const size_t tlcp_ciphers_count = sizeof(tlcp_ciphers)/sizeof(tlcp_ciphers[0]);
35
tlcp_record_print(FILE * fp,const uint8_t * record,size_t recordlen,int format,int indent)36 int tlcp_record_print(FILE *fp, const uint8_t *record, size_t recordlen, int format, int indent)
37 {
38 // 目前只支持TLCP的ECC公钥加密套件,因此不论用哪个套件解析都是一样的
39 // 如果未来支持ECDHE套件,可以将函数改为宏,直接传入 (conn->cipher_suite << 8)
40 format |= tlcp_ciphers[0] << 8;
41 return tls_record_print(fp, record, recordlen, format, indent);
42 }
43
tlcp_record_set_handshake_server_key_exchange_pke(uint8_t * record,size_t * recordlen,const uint8_t * sig,size_t siglen)44 int tlcp_record_set_handshake_server_key_exchange_pke(uint8_t *record, size_t *recordlen,
45 const uint8_t *sig, size_t siglen)
46 {
47 int type = TLS_handshake_server_key_exchange;
48 uint8_t *p;
49 size_t len = 0;
50
51 if (!record || !recordlen || !sig || !siglen) {
52 error_print();
53 return -1;
54 }
55 if (siglen > SM2_MAX_SIGNATURE_SIZE) {
56 error_print();
57 return -1;
58 }
59 if (tls_record_protocol(record) != TLS_protocol_tlcp) {
60 error_print();
61 return -1;
62 }
63 p = tls_handshake_data(tls_record_data(record));
64 // 注意TLCP的ServerKeyExchange中的签名值需要封装在uint16array中
65 // 但是CertificateVerify中直接装载签名值DER
66 tls_uint16array_to_bytes(sig, siglen, &p, &len);
67 tls_record_set_handshake(record, recordlen, type, NULL, len);
68 return 1;
69 }
70
tlcp_record_get_handshake_server_key_exchange_pke(const uint8_t * record,const uint8_t ** sig,size_t * siglen)71 int tlcp_record_get_handshake_server_key_exchange_pke(const uint8_t *record,
72 const uint8_t **sig, size_t *siglen)
73 {
74 int type;
75 const uint8_t *p;
76 size_t len;
77
78 if (!record || !sig || !siglen) {
79 error_print();
80 return -1;
81 }
82 if (tls_record_get_handshake(record, &type, &p, &len) != 1) {
83 error_print();
84 return -1;
85 }
86 if (type != TLS_handshake_server_key_exchange) {
87 error_print();
88 return -1;
89 }
90 if (tls_record_protocol(record) != TLS_protocol_tlcp) {
91 error_print();
92 return -1;
93 }
94 if (tls_uint16array_from_bytes(sig, siglen, &p, &len) != 1) {
95 error_print();
96 return -1;
97 }
98 if (len) {
99 error_print();
100 return -1;
101 }
102 return 1;
103 }
104
tlcp_server_key_exchange_pke_print(FILE * fp,const uint8_t * data,size_t datalen,int format,int indent)105 int tlcp_server_key_exchange_pke_print(FILE *fp, const uint8_t *data, size_t datalen, int format, int indent)
106 {
107 const uint8_t *sig;
108 size_t siglen;
109
110 format_print(fp, format, indent, "ServerKeyExchange\n");
111 indent += 4;
112 if (tls_uint16array_from_bytes(&sig, &siglen, &data, &datalen) != 1) {
113 error_print();
114 return -1;
115 }
116 format_bytes(fp, format, indent, "signature", sig, siglen);
117 if (datalen) {
118 error_print();
119 return -1;
120 }
121 return 1;
122 }
123
tlcp_do_connect(TLS_CONNECT * conn)124 int tlcp_do_connect(TLS_CONNECT *conn)
125 {
126 int ret = -1;
127 uint8_t *record = conn->record;
128 uint8_t finished_record[TLS_FINISHED_RECORD_BUF_SIZE];
129 size_t recordlen, finished_record_len;
130
131 uint8_t client_random[32];
132 uint8_t server_random[32];
133 int protocol;
134 int cipher_suite;
135 const uint8_t *random;
136 const uint8_t *session_id;
137 size_t session_id_len;
138 const uint8_t *exts;
139 size_t exts_len;
140
141 SM2_KEY server_sign_key;
142 SM2_KEY server_enc_key;
143 SM2_SIGN_CTX verify_ctx;
144 SM2_SIGN_CTX sign_ctx;
145 const uint8_t *sig;
146 size_t siglen;
147 uint8_t pre_master_secret[48];
148 uint8_t enced_pre_master_secret[SM2_MAX_CIPHERTEXT_SIZE];
149 size_t enced_pre_master_secret_len;
150 SM3_CTX sm3_ctx;
151 SM3_CTX tmp_sm3_ctx;
152 uint8_t sm3_hash[32];
153 const uint8_t *verify_data;
154 size_t verify_data_len;
155 uint8_t local_verify_data[12];
156
157 int handshake_type;
158 const uint8_t *server_enc_cert;
159 size_t server_enc_cert_len;
160 uint8_t server_enc_cert_lenbuf[3];
161 const uint8_t *cp;
162 uint8_t *p;
163 size_t len;
164
165 int depth = 5;
166 int alert = 0;
167 int verify_result;
168
169
170 // 初始化记录缓冲
171 tls_record_set_protocol(record, TLS_protocol_tlcp);
172 tls_record_set_protocol(finished_record, TLS_protocol_tlcp);
173
174 // 准备Finished Context(和ClientVerify)
175 sm3_init(&sm3_ctx);
176 if (conn->client_certs_len)
177 sm2_sign_init(&sign_ctx, &conn->sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH);
178
179
180 // send ClientHello
181 tls_random_generate(client_random);
182 if (tls_record_set_handshake_client_hello(record, &recordlen,
183 TLS_protocol_tlcp, client_random, NULL, 0,
184 tlcp_ciphers, tlcp_ciphers_count, NULL, 0) != 1) {
185 error_print();
186 goto end;
187 }
188 tls_trace("send ClientHello\n");
189 tlcp_record_trace(stderr, record, recordlen, 0, 0);
190 if (tls_record_send(record, recordlen, conn->sock) != 1) {
191 error_print();
192 goto end;
193 }
194 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
195 if (conn->client_certs_len)
196 sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
197
198 // recv ServerHello
199 tls_trace("recv ServerHello\n");
200 if (tls_record_recv(record, &recordlen, conn->sock) != 1) {
201 error_print();
202 tls_send_alert(conn, TLS_alert_unexpected_message);
203 goto end;
204 }
205 tlcp_record_trace(stderr, record, recordlen, 0, 0);
206 if (tls_record_protocol(record) != TLS_protocol_tlcp) {
207 error_print();
208 tls_send_alert(conn, TLS_alert_protocol_version);
209 goto end;
210 }
211 if (tls_record_get_handshake_server_hello(record,
212 &protocol, &random, &session_id, &session_id_len, &cipher_suite,
213 &exts, &exts_len) != 1) {
214 error_print();
215 tls_send_alert(conn, TLS_alert_unexpected_message);
216 goto end;
217 }
218 if (protocol != TLS_protocol_tlcp) {
219 tls_send_alert(conn, TLS_alert_protocol_version);
220 error_print();
221 goto end;
222 }
223 if (tls_cipher_suite_in_list(cipher_suite, tlcp_ciphers, tlcp_ciphers_count) != 1) {
224 tls_send_alert(conn, TLS_alert_handshake_failure);
225 error_print();
226 goto end;
227 }
228 if (exts) {
229 error_print();
230 tls_send_alert(conn, TLS_alert_unexpected_message);
231 goto end;
232 }
233 memcpy(server_random, random, 32);
234 memcpy(conn->session_id, session_id, session_id_len);
235 conn->cipher_suite = cipher_suite;
236 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
237 if (conn->client_certs_len)
238 sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
239
240 // recv ServerCertificate
241 tls_trace("recv ServerCertificate\n");
242 if (tls_record_recv(record, &recordlen, conn->sock) != 1
243 || tls_record_protocol(record) != TLS_protocol_tlcp) {
244 error_print();
245 tls_send_alert(conn, TLS_alert_unexpected_message);
246 goto end;
247 }
248 tlcp_record_trace(stderr, record, recordlen, 0, 0);
249
250 if (tls_record_get_handshake_certificate(record,
251 conn->server_certs, &conn->server_certs_len) != 1) {
252 error_print();
253 tls_send_alert(conn, TLS_alert_unexpected_message);
254 goto end;
255 }
256 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
257 if (conn->client_certs_len)
258 sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
259
260 // verify ServerCertificate
261 if (conn->ca_certs_len) {
262 // 只有提供了CA证书才验证服务器证书链
263 // FIXME: 逻辑需要再检查
264 if (x509_certs_verify_tlcp(conn->server_certs, conn->server_certs_len,
265 conn->ca_certs, conn->ca_certs_len, depth, &verify_result) != 1) {
266 error_print();
267 tls_send_alert(conn, alert);
268 goto end;
269 }
270 }
271
272 // recv ServerKeyExchange
273 tls_trace("recv ServerKeyExchange\n");
274 if (tls_record_recv(record, &recordlen, conn->sock) != 1
275 || tls_record_protocol(record) != TLS_protocol_tlcp) {
276 error_print();
277 tls_send_alert(conn, TLS_alert_unexpected_message);
278 goto end;
279 }
280 tlcp_record_trace(stderr, record, recordlen, 0, 0);
281 if (tlcp_record_get_handshake_server_key_exchange_pke(record, &sig, &siglen) != 1) {
282 error_print();
283 tls_send_alert(conn, TLS_alert_unexpected_message);
284 goto end;
285 }
286 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
287 if (conn->client_certs_len)
288 sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
289
290 // verify ServerKeyExchange
291 if (x509_certs_get_cert_by_index(conn->server_certs, conn->server_certs_len, 0, &cp, &len) != 1
292 || x509_cert_get_subject_public_key(cp, len, &server_sign_key) != 1
293 || x509_certs_get_cert_by_index(conn->server_certs, conn->server_certs_len, 1, &server_enc_cert, &server_enc_cert_len) != 1
294 || x509_cert_get_subject_public_key(server_enc_cert, server_enc_cert_len, &server_enc_key) != 1) {
295 error_print();
296 tls_send_alert(conn, TLS_alert_bad_certificate);
297 goto end;
298 }
299 p = server_enc_cert_lenbuf; len = 0;
300 tls_uint24_to_bytes(server_enc_cert_len, &p, &len);
301 if (sm2_verify_init(&verify_ctx, &server_sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1
302 || sm2_verify_update(&verify_ctx, client_random, 32) != 1
303 || sm2_verify_update(&verify_ctx, server_random, 32) != 1
304 || sm2_verify_update(&verify_ctx, server_enc_cert_lenbuf, 3) != 1
305 || sm2_verify_update(&verify_ctx, server_enc_cert, server_enc_cert_len) != 1) {
306 error_print();
307 tls_send_alert(conn, TLS_alert_internal_error);
308 goto end;
309 }
310 if (sm2_verify_finish(&verify_ctx, sig, siglen) != 1) {
311 error_print();
312 tls_send_alert(conn, TLS_alert_decrypt_error);
313 goto end;
314 }
315
316 // recv CertificateRequest or ServerHelloDone
317 if (tls_record_recv(record, &recordlen, conn->sock) != 1
318 || tls_record_protocol(record) != TLS_protocol_tlcp
319 || tls_record_get_handshake(record, &handshake_type, &cp, &len) != 1) {
320 error_print();
321 tls_send_alert(conn, TLS_alert_unexpected_message);
322 goto end;
323 }
324 if (handshake_type == TLS_handshake_certificate_request) {
325 const uint8_t *cert_types;
326 size_t cert_types_len;
327 const uint8_t *ca_names;
328 size_t ca_names_len;
329
330 // recv CertificateRequest
331 tls_trace("recv CertificateRequest\n");
332 tlcp_record_trace(stderr, record, recordlen, 0, 0);
333 if (tls_record_get_handshake_certificate_request(record,
334 &cert_types, &cert_types_len, &ca_names, &ca_names_len) != 1) {
335 error_print();
336 tls_send_alert(conn, TLS_alert_unexpected_message);
337 goto end;
338 }
339 if(!conn->client_certs_len) {
340 error_print();
341 tls_send_alert(conn, TLS_alert_internal_error);
342 goto end;
343 }
344 if (tls_cert_types_accepted(cert_types, cert_types_len, conn->client_certs, conn->client_certs_len) != 1
345 || tls_authorities_issued_certificate(ca_names, ca_names_len, conn->client_certs, conn->client_certs_len) != 1) {
346 error_print();
347 tls_send_alert(conn, TLS_alert_unsupported_certificate);
348 goto end;
349 }
350 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
351 sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
352
353 // recv ServerHelloDone
354 if (tls_record_recv(record, &recordlen, conn->sock) != 1
355 || tls_record_protocol(record) != TLS_protocol_tlcp) {
356 error_print();
357 tls_send_alert(conn, TLS_alert_unexpected_message);
358 goto end;
359 }
360 } else {
361 // 这个得处理一下
362 conn->client_certs_len = 0;
363 gmssl_secure_clear(&conn->sign_key, sizeof(SM2_KEY));
364 //client_sign_key = NULL;
365 }
366 tls_trace("recv ServerHelloDone\n");
367 tlcp_record_trace(stderr, record, recordlen, 0, 0);
368 if (tls_record_get_handshake_server_hello_done(record) != 1) {
369 error_print();
370 tls_send_alert(conn, TLS_alert_unexpected_message);
371 goto end;
372 }
373 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
374 if (conn->client_certs_len)
375 sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
376
377 // send ClientCertificate
378 if (conn->client_certs_len) {
379 tls_trace("send ClientCertificate\n");
380 if (tls_record_set_handshake_certificate(record, &recordlen, conn->client_certs, conn->client_certs_len) != 1) {
381 error_print();
382 tls_send_alert(conn, TLS_alert_internal_error);
383 goto end;
384 }
385 tlcp_record_trace(stderr, record, recordlen, 0, 0);
386 if (tls_record_send(record, recordlen, conn->sock) != 1) {
387 error_print();
388 goto end;
389 }
390 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
391 sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
392 }
393
394 // generate MASTER_SECRET
395 tls_trace("generate secrets\n");
396 if (tls_pre_master_secret_generate(pre_master_secret, TLS_protocol_tlcp) != 1
397 || tls_prf(pre_master_secret, 48, "master secret",
398 client_random, 32, server_random, 32,
399 48, conn->master_secret) != 1
400 || tls_prf(conn->master_secret, 48, "key expansion",
401 server_random, 32, client_random, 32,
402 96, conn->key_block) != 1) {
403 error_print();
404 tls_send_alert(conn, TLS_alert_internal_error);
405 goto end;
406 }
407 sm3_hmac_init(&conn->client_write_mac_ctx, conn->key_block, 32);
408 sm3_hmac_init(&conn->server_write_mac_ctx, conn->key_block + 32, 32);
409 sm4_set_encrypt_key(&conn->client_write_enc_key, conn->key_block + 64);
410 sm4_set_decrypt_key(&conn->server_write_enc_key, conn->key_block + 80);
411 /*
412 tls_secrets_print(stderr,
413 pre_master_secret, 48,
414 client_random, server_random,
415 conn->master_secret,
416 conn->key_block, 96,
417 0, 4);
418 */
419
420 // send ClientKeyExchange
421 tls_trace("send ClientKeyExchange\n");
422 if (sm2_encrypt(&server_enc_key, pre_master_secret, 48,
423 enced_pre_master_secret, &enced_pre_master_secret_len) != 1
424 || tls_record_set_handshake_client_key_exchange_pke(record, &recordlen,
425 enced_pre_master_secret, enced_pre_master_secret_len) != 1) {
426 error_print();
427 tls_send_alert(conn, TLS_alert_internal_error);
428 goto end;
429 }
430 tlcp_record_trace(stderr, record, recordlen, 0, 0);
431 if (tls_record_send(record, recordlen, conn->sock) != 1) {
432 error_print();
433 goto end;
434 }
435 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
436 if (conn->client_certs_len)
437 sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
438
439 // send CertificateVerify
440 if (conn->client_certs_len) {
441 tls_trace("send CertificateVerify\n");
442 uint8_t sigbuf[SM2_MAX_SIGNATURE_SIZE];
443 if (sm2_sign_finish(&sign_ctx, sigbuf, &siglen) != 1
444 || tls_record_set_handshake_certificate_verify(record, &recordlen, sigbuf, siglen) != 1) {
445 error_print();
446 tls_send_alert(conn, TLS_alert_internal_error);
447 goto end;
448 }
449 tlcp_record_trace(stderr, record, recordlen, 0, 0);
450 if (tls_record_send(record, recordlen, conn->sock) != 1) {
451 error_print();
452 goto end;
453 }
454 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
455 }
456
457 // send [ChangeCipherSpec]
458 tls_trace("send [ChangeCipherSpec]\n");
459 if (tls_record_set_change_cipher_spec(record, &recordlen) !=1) {
460 error_print();
461 tls_send_alert(conn, TLS_alert_internal_error);
462 goto end;
463 }
464 tlcp_record_trace(stderr, record, recordlen, 0, 0);
465 if (tls_record_send(record, recordlen, conn->sock) != 1) {
466 error_print();
467 goto end;
468 }
469
470 // send Client Finished
471 tls_trace("send Finished\n");
472 memcpy(&tmp_sm3_ctx, &sm3_ctx, sizeof(sm3_ctx));
473 sm3_finish(&tmp_sm3_ctx, sm3_hash);
474 if (tls_prf(conn->master_secret, 48, "client finished",
475 sm3_hash, 32, NULL, 0, sizeof(local_verify_data), local_verify_data) != 1
476 || tls_record_set_handshake_finished(finished_record, &finished_record_len,
477 local_verify_data, sizeof(local_verify_data)) != 1) {
478 error_print();
479 tls_send_alert(conn, TLS_alert_internal_error);
480 goto end;
481 }
482 tlcp_record_trace(stderr, finished_record, finished_record_len, 0, 0);
483 sm3_update(&sm3_ctx, finished_record + 5, finished_record_len - 5);
484
485 // encrypt Client Finished
486 tls_trace("encrypt Finished\n");
487 if (tls_record_encrypt(&conn->client_write_mac_ctx, &conn->client_write_enc_key,
488 conn->client_seq_num, finished_record, finished_record_len, record, &recordlen) != 1) {
489 error_print();
490 tls_send_alert(conn, TLS_alert_internal_error);
491 goto end;
492 }
493 tlcp_record_trace(stderr, record, recordlen, (1<<24), 0); // 强制打印密文原数据
494 tls_seq_num_incr(conn->client_seq_num);
495 if (tls_record_send(record, recordlen, conn->sock) != 1) {
496 error_print();
497 goto end;
498 }
499
500 // [ChangeCipherSpec]
501 tls_trace("recv [ChangeCipherSpec]\n");
502 if (tls_record_recv(record, &recordlen, conn->sock) != 1
503 || tls_record_protocol(record) != TLS_protocol_tlcp) {
504 error_print();
505 tls_send_alert(conn, TLS_alert_unexpected_message);
506 goto end;
507 }
508 tlcp_record_trace(stderr, record, recordlen, 0, 0);
509 if (tls_record_get_change_cipher_spec(record) != 1) {
510 error_print();
511 tls_send_alert(conn, TLS_alert_unexpected_message);
512 goto end;
513 }
514
515 // Finished
516 tls_trace("recv Finished\n");
517 if (tls_record_recv(record, &recordlen, conn->sock) != 1
518 || tls_record_protocol(record) != TLS_protocol_tlcp) {
519 error_print();
520 tls_send_alert(conn, TLS_alert_unexpected_message);
521 goto end;
522 }
523 if (recordlen > sizeof(finished_record)) {
524 error_print(); // 解密可能导致 finished_record 溢出
525 tls_send_alert(conn, TLS_alert_bad_record_mac);
526 goto end;
527 }
528 tlcp_record_trace(stderr, record, recordlen, (1<<24), 0); // 强制打印密文原数据
529 tls_trace("decrypt Finished\n");
530 if (tls_record_decrypt(&conn->server_write_mac_ctx, &conn->server_write_enc_key,
531 conn->server_seq_num, record, recordlen, finished_record, &finished_record_len) != 1) {
532 error_print();
533 tls_send_alert(conn, TLS_alert_bad_record_mac);
534 goto end;
535 }
536 tlcp_record_trace(stderr, finished_record, finished_record_len, 0, 0);
537 tls_seq_num_incr(conn->server_seq_num);
538 if (tls_record_get_handshake_finished(finished_record, &verify_data, &verify_data_len) != 1) {
539 error_print();
540 tls_send_alert(conn, TLS_alert_unexpected_message);
541 goto end;
542 }
543 if (verify_data_len != sizeof(local_verify_data)) {
544 error_print();
545 tls_send_alert(conn, TLS_alert_unexpected_message);
546 goto end;
547 }
548 sm3_finish(&sm3_ctx, sm3_hash);
549 if (tls_prf(conn->master_secret, 48, "server finished",
550 sm3_hash, 32, NULL, 0, sizeof(local_verify_data), local_verify_data) != 1) {
551 error_print();
552 tls_send_alert(conn, TLS_alert_internal_error);
553 goto end;
554 }
555 if (memcmp(verify_data, local_verify_data, sizeof(local_verify_data)) != 0) {
556 error_print();
557 tls_send_alert(conn, TLS_alert_decrypt_error);
558 goto end;
559 }
560 fprintf(stderr, "Connection established!\n");
561
562
563 conn->protocol = TLS_protocol_tlcp;
564 conn->cipher_suite = cipher_suite;
565
566 ret = 1;
567
568 end:
569 gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
570 gmssl_secure_clear(pre_master_secret, sizeof(pre_master_secret));
571 return 1;
572 }
573
tlcp_do_accept(TLS_CONNECT * conn)574 int tlcp_do_accept(TLS_CONNECT *conn)
575 {
576 int ret = -1;
577
578 int client_verify = 0;
579
580 uint8_t *record = conn->record;
581 uint8_t finished_record[TLS_FINISHED_RECORD_BUF_SIZE]; // 解密可能导致前面的record被覆盖
582 size_t recordlen, finished_record_len;
583 const int server_ciphers[] = { TLS_cipher_ecc_sm4_cbc_sm3 }; // 未来应该支持GCM/CBC两个套件
584
585 // ClientHello, ServerHello
586 uint8_t client_random[32];
587 uint8_t server_random[32];
588 int protocol;
589 const uint8_t *random;
590 const uint8_t *session_id; // TLCP服务器忽略客户端SessionID,也不主动设置SessionID
591 size_t session_id_len;
592 const uint8_t *client_ciphers;
593 size_t client_ciphers_len;
594 const uint8_t *exts;
595 size_t exts_len;
596
597 // ServerKeyExchange
598 const uint8_t *server_enc_cert;
599 size_t server_enc_cert_len;
600 uint8_t server_enc_cert_lenbuf[3];
601 SM2_SIGN_CTX sign_ctx;
602 uint8_t sigbuf[SM2_MAX_SIGNATURE_SIZE];
603 size_t siglen;
604
605 // ClientCertificate, CertificateVerify
606 TLS_CLIENT_VERIFY_CTX client_verify_ctx;
607 SM2_KEY client_sign_key;
608 const uint8_t *sig;
609 const int verify_depth = 5;
610 int verify_result;
611
612 // ClientKeyExchange
613 const uint8_t *enced_pms;
614 size_t enced_pms_len;
615 uint8_t pre_master_secret[SM2_MAX_PLAINTEXT_SIZE]; // sm2_decrypt 保证输出不会溢出
616 size_t pre_master_secret_len;
617
618 // Finished
619 SM3_CTX sm3_ctx;
620 SM3_CTX tmp_sm3_ctx;
621 uint8_t sm3_hash[32];
622 uint8_t local_verify_data[12];
623 const uint8_t *verify_data;
624 size_t verify_data_len;
625
626 uint8_t *p;
627 const uint8_t *cp;
628 size_t len;
629
630
631 // 服务器端如果设置了CA
632 if (conn->ca_certs_len)
633 client_verify = 1;
634
635 // 初始化Finished和客户端验证环境
636 sm3_init(&sm3_ctx);
637 if (client_verify)
638 tls_client_verify_init(&client_verify_ctx);
639
640
641 // recv ClientHello
642 tls_trace("recv ClientHello\n");
643 if (tls_record_recv(record, &recordlen, conn->sock) != 1) {
644 error_print();
645 tls_send_alert(conn, TLS_alert_unexpected_message);
646 goto end;
647 }
648 tlcp_record_trace(stderr, record, recordlen, 0, 0);
649 if (tls_record_protocol(record) != TLS_protocol_tlcp) {
650 error_print();
651 tls_send_alert(conn, TLS_alert_protocol_version);
652 goto end;
653 }
654 if (tls_record_get_handshake_client_hello(record,
655 &protocol, &random, &session_id, &session_id_len,
656 &client_ciphers, &client_ciphers_len,
657 &exts, &exts_len) != 1) {
658 error_print();
659 tls_send_alert(conn, TLS_alert_unexpected_message);
660 goto end;
661 }
662 if (protocol != TLS_protocol_tlcp) {
663 error_print();
664 tls_send_alert(conn, TLS_alert_protocol_version);
665 goto end;
666 }
667 memcpy(client_random, random, 32);
668 if (tls_cipher_suites_select(client_ciphers, client_ciphers_len,
669 server_ciphers, sizeof(server_ciphers)/sizeof(server_ciphers[0]),
670 &conn->cipher_suite) != 1) {
671 error_print();
672 tls_send_alert(conn, TLS_alert_insufficient_security);
673 goto end;
674 }
675 if (exts) {
676 // 忽略客户端扩展错误可以兼容错误的TLCP客户端实现
677 error_print();
678 tls_send_alert(conn, TLS_alert_unexpected_message);
679 goto end;
680 }
681 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
682 if (client_verify)
683 tls_client_verify_update(&client_verify_ctx, record + 5, recordlen - 5);
684
685
686 // send ServerHello
687 tls_trace("send ServerHello\n");
688 tls_random_generate(server_random);
689 if (tls_record_set_handshake_server_hello(record, &recordlen,
690 TLS_protocol_tlcp, server_random, NULL, 0,
691 conn->cipher_suite, NULL, 0) != 1) {
692 error_print();
693 tls_send_alert(conn, TLS_alert_internal_error);
694 goto end;
695 }
696 tlcp_record_trace(stderr, record, recordlen, 0, 0);
697 if (tls_record_send(record, recordlen, conn->sock) != 1) {
698 error_print();
699 goto end;
700 }
701 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
702 if (client_verify)
703 tls_client_verify_update(&client_verify_ctx, record + 5, recordlen - 5);
704
705 // send ServerCertificate
706 tls_trace("send ServerCertificate\n");
707 if (tls_record_set_handshake_certificate(record, &recordlen,
708 conn->server_certs, conn->server_certs_len) != 1) {
709 error_print();
710 tls_send_alert(conn, TLS_alert_internal_error);
711 goto end;
712 }
713 tlcp_record_trace(stderr, record, recordlen, 0, 0);
714 if (tls_record_send(record, recordlen, conn->sock) != 1) {
715 error_print();
716 goto end;
717 }
718 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
719 if (client_verify)
720 tls_client_verify_update(&client_verify_ctx, record + 5, recordlen - 5);
721
722 // send ServerKeyExchange
723 tls_trace("send ServerKeyExchange\n");
724 if (x509_certs_get_cert_by_index(conn->server_certs, conn->server_certs_len, 1,
725 &server_enc_cert, &server_enc_cert_len) != 1) {
726 error_print();
727 goto end;
728 }
729 p = server_enc_cert_lenbuf; len = 0;
730 tls_uint24_to_bytes(server_enc_cert_len, &p, &len);
731 if (sm2_sign_init(&sign_ctx, &conn->sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1
732 || sm2_sign_update(&sign_ctx, client_random, 32) != 1
733 || sm2_sign_update(&sign_ctx, server_random, 32) != 1
734 || sm2_sign_update(&sign_ctx, server_enc_cert_lenbuf, 3) != 1
735 || sm2_sign_update(&sign_ctx, server_enc_cert, server_enc_cert_len) != 1
736 || sm2_sign_finish(&sign_ctx, sigbuf, &siglen) != 1) {
737 error_print();
738 tls_send_alert(conn, TLS_alert_internal_error);
739 goto end;
740 }
741 if (tlcp_record_set_handshake_server_key_exchange_pke(record, &recordlen, sigbuf, siglen) != 1) {
742 error_print();
743 tls_send_alert(conn, TLS_alert_internal_error);
744 goto end;
745 }
746 tlcp_record_trace(stderr, record, recordlen, 0, 0);
747 if (tls_record_send(record, recordlen, conn->sock) != 1) {
748 error_print();
749 goto end;
750 }
751 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
752 if (client_verify)
753 tls_client_verify_update(&client_verify_ctx, record + 5, recordlen - 5);
754
755 // send CertificateRequest
756 if (client_verify) {
757 const uint8_t cert_types[] = { TLS_cert_type_ecdsa_sign };
758 uint8_t ca_names[TLS_MAX_CA_NAMES_SIZE] = {0}; // TODO: 根据客户端验证CA证书列计算缓冲大小,或直接输出到record缓冲
759 size_t ca_names_len = 0;
760
761 tls_trace("send CertificateRequest\n");
762 if (tls_authorities_from_certs(ca_names, &ca_names_len, sizeof(ca_names),
763 conn->ca_certs, conn->ca_certs_len) != 1) {
764 error_print();
765 goto end;
766 }
767 if (tls_record_set_handshake_certificate_request(record, &recordlen,
768 cert_types, sizeof(cert_types),
769 ca_names, ca_names_len) != 1) {
770 error_print();
771 goto end;
772 }
773 tlcp_record_trace(stderr, record, recordlen, 0, 0);
774 if (tls_record_send(record, recordlen, conn->sock) != 1) {
775 error_print();
776 goto end;
777 }
778 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
779 tls_client_verify_update(&client_verify_ctx, record + 5, recordlen - 5);
780 }
781
782 // send ServerHelloDone
783 tls_trace("send ServerHelloDone\n");
784 tls_record_set_handshake_server_hello_done(record, &recordlen);
785 tlcp_record_trace(stderr, record, recordlen, 0, 0);
786 if (tls_record_send(record, recordlen, conn->sock) != 1) {
787 error_print();
788 goto end;
789 }
790 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
791 if (client_verify)
792 tls_client_verify_update(&client_verify_ctx, record + 5, recordlen - 5);
793
794 // recv ClientCertificate
795 if (conn->ca_certs_len) {
796 tls_trace("recv ClientCertificate\n");
797 if (tls_record_recv(record, &recordlen, conn->sock) != 1
798 || tls_record_protocol(record) != TLS_protocol_tlcp) {
799 error_print();
800 tls_send_alert(conn, TLS_alert_unexpected_message);
801 goto end;
802 }
803 tlcp_record_trace(stderr, record, recordlen, 0, 0);
804 if (tls_record_get_handshake_certificate(record, conn->client_certs, &conn->client_certs_len) != 1) {
805 error_print();
806 tls_send_alert(conn, TLS_alert_unexpected_message);
807 goto end;
808 }
809 if (x509_certs_verify(conn->client_certs, conn->client_certs_len,
810 conn->ca_certs, conn->ca_certs_len, verify_depth, &verify_result) != 1) {
811 error_print();
812 tls_send_alert(conn, TLS_alert_bad_certificate);
813 goto end;
814 }
815 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
816 tls_client_verify_update(&client_verify_ctx, record + 5, recordlen - 5);
817 }
818
819 // ClientKeyExchange
820 tls_trace("recv ClientKeyExchange\n");
821 if (tls_record_recv(record, &recordlen, conn->sock) != 1
822 || tls_record_protocol(record) != TLS_protocol_tlcp) {
823 error_print();
824 tls_send_alert(conn, TLS_alert_unexpected_message);
825 goto end;
826 }
827 tlcp_record_trace(stderr, record, recordlen, 0, 0);
828 if (tls_record_get_handshake_client_key_exchange_pke(record, &enced_pms, &enced_pms_len) != 1) {
829 error_print();
830 tls_send_alert(conn, TLS_alert_unexpected_message);
831 goto end;
832 }
833 if (sm2_decrypt(&conn->kenc_key, enced_pms, enced_pms_len,
834 pre_master_secret, &pre_master_secret_len) != 1) {
835 error_print();
836 tls_send_alert(conn, TLS_alert_decrypt_error);
837 goto end;
838 }
839 if (pre_master_secret_len != 48) {
840 error_print();
841 tls_send_alert(conn, TLS_alert_decrypt_error);
842 goto end;
843 }
844 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
845 if (client_verify)
846 tls_client_verify_update(&client_verify_ctx, record + 5, recordlen - 5);
847
848 // recv CertificateVerify
849 if (client_verify) {
850 tls_trace("recv CertificateVerify\n");
851 if (tls_record_recv(record, &recordlen, conn->sock) != 1
852 || tls_record_protocol(record) != TLS_protocol_tlcp) {
853 tls_send_alert(conn, TLS_alert_unexpected_message);
854 error_print();
855 goto end;
856 }
857 tlcp_record_trace(stderr, record, recordlen, 0, 0);
858 if (tls_record_get_handshake_certificate_verify(record, &sig, &siglen) != 1) {
859 tls_send_alert(conn, TLS_alert_unexpected_message);
860 error_print();
861 goto end;
862 }
863 if (x509_certs_get_cert_by_index(conn->client_certs, conn->client_certs_len, 0, &cp, &len) != 1
864 || x509_cert_get_subject_public_key(cp, len, &client_sign_key) != 1) {
865 error_print();
866 tls_send_alert(conn, TLS_alert_bad_certificate);
867 goto end;
868 }
869 if (tls_client_verify_finish(&client_verify_ctx, sig, siglen, &client_sign_key) != 1) {
870 error_print();
871 tls_send_alert(conn, TLS_alert_decrypt_error);
872 goto end;
873 }
874 sm3_update(&sm3_ctx, record + 5, recordlen - 5);
875 }
876
877 // generate secrets
878 tls_trace("generate secrets\n");
879 if (tls_prf(pre_master_secret, 48, "master secret",
880 client_random, 32, server_random, 32,
881 48, conn->master_secret) != 1
882 || tls_prf(conn->master_secret, 48, "key expansion",
883 server_random, 32, client_random, 32,
884 96, conn->key_block) != 1) {
885 error_print();
886 tls_send_alert(conn, TLS_alert_internal_error);
887 goto end;
888 }
889 sm3_hmac_init(&conn->client_write_mac_ctx, conn->key_block, 32);
890 sm3_hmac_init(&conn->server_write_mac_ctx, conn->key_block + 32, 32);
891 sm4_set_decrypt_key(&conn->client_write_enc_key, conn->key_block + 64);
892 sm4_set_encrypt_key(&conn->server_write_enc_key, conn->key_block + 80);
893 /*
894 tls_secrets_print(stderr,
895 pre_master_secret, 48,
896 client_random, server_random,
897 conn->master_secret,
898 conn->key_block, 96,
899 0, 4);
900 */
901
902 // recv [ChangeCipherSpec]
903 tls_trace("recv [ChangeCipherSpec]\n");
904 if (tls_record_recv(record, &recordlen, conn->sock) != 1
905 || tls_record_protocol(record) != TLS_protocol_tlcp) {
906 error_print();
907 tls_send_alert(conn, TLS_alert_unexpected_message);
908 goto end;
909 }
910 tlcp_record_trace(stderr, record, recordlen, 0, 0);
911 if (tls_record_get_change_cipher_spec(record) != 1) {
912 error_print();
913 tls_send_alert(conn, TLS_alert_unexpected_message);
914 goto end;
915 }
916
917 // recv ClientFinished
918 tls_trace("recv Finished\n");
919 if (tls_record_recv(record, &recordlen, conn->sock) != 1
920 || tls_record_protocol(record) != TLS_protocol_tlcp) {
921 error_print();
922 tls_send_alert(conn, TLS_alert_unexpected_message);
923 goto end;
924 }
925 if (recordlen > sizeof(finished_record)) {
926 error_print();
927 tls_send_alert(conn, TLS_alert_unexpected_message);
928 goto end;
929 }
930 tlcp_record_trace(stderr, record, recordlen, (1<<24), 0); // 强制打印密文原数据
931
932 // decrypt ClientFinished
933 tls_trace("decrypt Finished\n");
934 if (tls_record_decrypt(&conn->client_write_mac_ctx, &conn->client_write_enc_key,
935 conn->client_seq_num, record, recordlen, finished_record, &finished_record_len) != 1) {
936 error_print();
937 tls_send_alert(conn, TLS_alert_bad_record_mac);
938 goto end;
939 }
940 tlcp_record_trace(stderr, finished_record, finished_record_len, 0, 0);
941 tls_seq_num_incr(conn->client_seq_num);
942 if (tls_record_get_handshake_finished(finished_record, &verify_data, &verify_data_len) != 1) {
943 error_print();
944 tls_send_alert(conn, TLS_alert_bad_record_mac);
945 goto end;
946 }
947 if (verify_data_len != sizeof(local_verify_data)) {
948 error_print();
949 tls_send_alert(conn, TLS_alert_bad_record_mac);
950 goto end;
951 }
952
953 // verify ClientFinished
954 memcpy(&tmp_sm3_ctx, &sm3_ctx, sizeof(SM3_CTX));
955 sm3_update(&sm3_ctx, finished_record + 5, finished_record_len - 5);
956 sm3_finish(&tmp_sm3_ctx, sm3_hash);
957 if (tls_prf(conn->master_secret, 48, "client finished", sm3_hash, 32, NULL, 0,
958 sizeof(local_verify_data), local_verify_data) != 1) {
959 error_print();
960 tls_send_alert(conn, TLS_alert_internal_error);
961 goto end;
962 }
963 if (memcmp(verify_data, local_verify_data, sizeof(local_verify_data)) != 0) {
964 error_puts("client_finished.verify_data verification failure");
965 tls_send_alert(conn, TLS_alert_decrypt_error);
966 goto end;
967 }
968
969 // send [ChangeCipherSpec]
970 tls_trace("send [ChangeCipherSpec]\n");
971 if (tls_record_set_change_cipher_spec(record, &recordlen) != 1) {
972 error_print();
973 tls_send_alert(conn, TLS_alert_internal_error);
974 goto end;
975 }
976 tlcp_record_trace(stderr, record, recordlen, 0, 0);
977 if (tls_record_send(record, recordlen, conn->sock) != 1) {
978 error_print();
979 goto end;
980 }
981
982 // send ServerFinished
983 tls_trace("send Finished\n");
984 sm3_finish(&sm3_ctx, sm3_hash);
985 if (tls_prf(conn->master_secret, 48, "server finished", sm3_hash, 32, NULL, 0,
986 sizeof(local_verify_data), local_verify_data) != 1
987 || tls_record_set_handshake_finished(finished_record, &finished_record_len,
988 local_verify_data, sizeof(local_verify_data)) != 1) {
989 error_print();
990 tls_send_alert(conn, TLS_alert_internal_error);
991 goto end;
992 }
993 tlcp_record_trace(stderr, finished_record, finished_record_len, 0, 0);
994 if (tls_record_encrypt(&conn->server_write_mac_ctx, &conn->server_write_enc_key,
995 conn->server_seq_num, finished_record, finished_record_len, record, &recordlen) != 1) {
996 error_print();
997 tls_send_alert(conn, TLS_alert_internal_error);
998 goto end;
999 }
1000 tls_trace("encrypt Finished\n");
1001 tlcp_record_trace(stderr, record, recordlen, (1<<24), 0); // 强制打印密文原数据
1002 tls_seq_num_incr(conn->server_seq_num);
1003 if (tls_record_send(record, recordlen, conn->sock) != 1) {
1004 error_print();
1005 goto end;
1006 }
1007
1008 conn->protocol = TLS_protocol_tlcp;
1009
1010 fprintf(stderr, "Connection Established!\n\n");
1011 ret = 1;
1012
1013 end:
1014 gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
1015 gmssl_secure_clear(pre_master_secret, sizeof(pre_master_secret));
1016 if (client_verify) tls_client_verify_cleanup(&client_verify_ctx);
1017 return ret;
1018 }
1019