1 /*
2 * Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the License); you may
5 * not use this file except in compliance with the License.
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 */
9
10
11
12 #include <time.h>
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include <unistd.h>
17 #include <sys/types.h>
18 #include <arpa/inet.h>
19 #include <sys/socket.h>
20 #include <netinet/in.h>
21 #include <gmssl/rand.h>
22 #include <gmssl/x509.h>
23 #include <gmssl/error.h>
24 #include <gmssl/sm2.h>
25 #include <gmssl/sm3.h>
26 #include <gmssl/sm4.h>
27 #include <gmssl/pem.h>
28 #include <gmssl/tls.h>
29 #include <gmssl/digest.h>
30 #include <gmssl/gcm.h>
31 #include <gmssl/hmac.h>
32 #include <gmssl/hkdf.h>
33 #include <gmssl/mem.h>
34
35 static const int tls13_ciphers[] = { TLS_cipher_sm4_gcm_sm3 };
36 static size_t tls13_ciphers_count = sizeof(tls13_ciphers)/sizeof(int);
37
38 /*
39 int tls13_record_print(FILE *fp, const uint8_t *record, size_t recordlen, int format, int indent)
40 {
41 // 目前只支持TLCP的ECC公钥加密套件,因此不论用哪个套件解析都是一样的
42 // 如果未来支持ECDHE套件,可以将函数改为宏,直接传入 (conn->cipher_suite << 8)
43 format |= tls13_ciphers[0] << 8;
44 return tls_record_print(fp, record, recordlen, format, indent);
45 }
46 */
47
48 static int tls13_client_hello_exts[] = {
49 TLS_extension_supported_versions,
50 TLS_extension_padding,
51 };
52
53
54 /*
55 struct {
56 opaque content[TLSPlaintext.length];
57 ContentType type;
58 uint8 zeros[length_of_padding];
59 } TLSInnerPlaintext;
60
61 struct {
62 ContentType opaque_type = application_data; // 23
63 ProtocolVersion legacy_record_version = 0x0303; // TLS v1.2
64 uint16 length;
65 opaque encrypted_record[TLSCiphertext.length];
66 } TLSCiphertext;
67 */
tls13_gcm_encrypt(const BLOCK_CIPHER_KEY * key,const uint8_t iv[12],const uint8_t seq_num[8],int record_type,const uint8_t * in,size_t inlen,size_t padding_len,uint8_t * out,size_t * outlen)68 int tls13_gcm_encrypt(const BLOCK_CIPHER_KEY *key, const uint8_t iv[12],
69 const uint8_t seq_num[8], int record_type,
70 const uint8_t *in, size_t inlen, size_t padding_len, // TLSInnerPlaintext.content
71 uint8_t *out, size_t *outlen) // TLSCiphertext.encrypted_record
72 {
73 uint8_t nonce[12];
74 uint8_t aad[5];
75 uint8_t *gmac;
76 uint8_t *mbuf = NULL; // FIXME: update gcm_encrypt API
77 size_t mlen, clen;
78
79 if (!(mbuf = malloc(inlen + 256))) {
80 error_print();
81 return -1;
82 }
83
84 // nonce = (zeros|seq_num) xor (iv)
85 nonce[0] = nonce[1] = nonce[2] = nonce[3] = 0;
86 memcpy(nonce + 4, seq_num, 8);
87 gmssl_memxor(nonce, nonce, iv, 12);
88
89 // TLSInnerPlaintext
90 memcpy(mbuf, in, inlen);
91 mbuf[inlen] = record_type;
92 memset(mbuf + inlen + 1, 0, padding_len);
93 mlen = inlen + 1 + padding_len;
94 clen = mlen + GHASH_SIZE;
95
96 // aad = TLSCiphertext header
97 aad[0] = TLS_record_application_data;
98 aad[1] = 0x03; //TLS_protocol_tls12_major;
99 aad[2] = 0x03; //TLS_protocol_tls12_minor;
100 aad[3] = clen >> 8;
101 aad[4] = clen;
102
103 gmac = out + mlen;
104 if (gcm_encrypt(key, nonce, sizeof(nonce), aad, sizeof(aad), mbuf, mlen, out, 16, gmac) != 1) {
105 error_print();
106 free(mbuf);
107 return -1;
108 }
109 *outlen = clen;
110 free(mbuf);
111
112 return 1;
113 }
114
tls13_gcm_decrypt(const BLOCK_CIPHER_KEY * key,const uint8_t iv[12],const uint8_t seq_num[8],const uint8_t * in,size_t inlen,int * record_type,uint8_t * out,size_t * outlen)115 int tls13_gcm_decrypt(const BLOCK_CIPHER_KEY *key, const uint8_t iv[12],
116 const uint8_t seq_num[8], const uint8_t *in, size_t inlen,
117 int *record_type, uint8_t *out, size_t *outlen)
118 {
119 uint8_t nonce[12];
120 uint8_t aad[5];
121 size_t mlen;
122 const uint8_t *gmac;
123 size_t i;
124
125 // nonce = (zeros|seq_num) xor (iv)
126 nonce[0] = nonce[1] = nonce[2] = nonce[3] = 0;
127 memcpy(nonce + 4, seq_num, 8);
128 gmssl_memxor(nonce, nonce, iv, 12);
129
130 // aad = TLSCiphertext header
131 aad[0] = TLS_record_application_data;
132 aad[1] = 0x03; //TLS_protocol_tls12_major;
133 aad[2] = 0x03; //TLS_protocol_tls12_minor;
134 aad[3] = inlen >> 8;
135 aad[4] = inlen;
136
137 if (inlen < GHASH_SIZE) {
138 error_print();
139 return -1;
140 }
141 mlen = inlen - GHASH_SIZE;
142 gmac = in + mlen;
143
144 if (gcm_decrypt(key, nonce, 12, aad, 5, in, mlen, gmac, GHASH_SIZE, out) != 1) {
145 error_print();
146 return -1;
147 }
148 // remove padding, get record_type
149 *record_type = 0;
150 while (mlen--) {
151 if (out[mlen] != 0) {
152 *record_type = out[mlen];
153 break;
154 }
155 }
156 *outlen = mlen;
157 if (!tls_record_type_name(*record_type)) {
158 error_print();
159 return -1;
160 }
161 return 1;
162 }
163
164 // 这个函数是不对的,在我们的一些情况下,加密的时候并不会组成完整的数据
tls13_record_encrypt(const BLOCK_CIPHER_KEY * key,const uint8_t iv[12],const uint8_t seq_num[8],const uint8_t * record,size_t recordlen,size_t padding_len,uint8_t * enced_record,size_t * enced_recordlen)165 int tls13_record_encrypt(const BLOCK_CIPHER_KEY *key, const uint8_t iv[12],
166 const uint8_t seq_num[8], const uint8_t *record, size_t recordlen, size_t padding_len,
167 uint8_t *enced_record, size_t *enced_recordlen)
168 {
169 // 被加密的是握手消息或者是应用层数据
170
171 if (tls13_gcm_encrypt(key, iv,
172 seq_num, record[0], record + 5, recordlen - 5, padding_len,
173 enced_record + 5, enced_recordlen) != 1) {
174 error_print();
175 return -1;
176 }
177
178 enced_record[0] = TLS_record_application_data; // 显然这个不太对啊
179 enced_record[1] = 0x03; //TLS_protocol_tls12_major;
180 enced_record[2] = 0x03; //TLS_protocol_tls12_minor;
181 enced_record[3] = (*enced_recordlen) >> 8;
182 enced_record[4] = (*enced_recordlen);
183
184 (*enced_recordlen) += 5;
185 return 1;
186 }
187
tls13_record_decrypt(const BLOCK_CIPHER_KEY * key,const uint8_t iv[12],const uint8_t seq_num[8],const uint8_t * enced_record,size_t enced_recordlen,uint8_t * record,size_t * recordlen)188 int tls13_record_decrypt(const BLOCK_CIPHER_KEY *key, const uint8_t iv[12],
189 const uint8_t seq_num[8], const uint8_t *enced_record, size_t enced_recordlen,
190 uint8_t *record, size_t *recordlen)
191 {
192 int record_type;
193
194 if (tls13_gcm_decrypt(key, iv,
195 seq_num, enced_record + 5, enced_recordlen - 5,
196 &record_type, record + 5, recordlen) != 1) {
197 error_print();
198 return -1;
199 }
200 record[0] = record_type;
201 record[1] = 0x03; //TLS_protocol_tls12_major;
202 record[2] = 0x03; //TLS_protocol_tls12_minor;
203 record[3] = (*recordlen) >> 8;
204 record[4] = (*recordlen);
205
206 (*recordlen) += 5;
207 return 1;
208 }
209
tls13_send(TLS_CONNECT * conn,const uint8_t * data,size_t datalen,size_t * sentlen)210 int tls13_send(TLS_CONNECT *conn, const uint8_t *data, size_t datalen, size_t *sentlen)
211 {
212 const BLOCK_CIPHER_KEY *key;
213 const uint8_t *iv;
214 uint8_t *seq_num;
215 uint8_t *record = conn->record;
216 size_t recordlen;
217 size_t padding_len = 0; //FIXME: 在conn中设置是否加随机填充,及设置该值
218
219 tls_trace("send {ApplicationData}\n");
220
221 if (conn->is_client) {
222 key = &conn->client_write_key;
223 iv = conn->client_write_iv;
224 seq_num = conn->client_seq_num;
225 } else {
226 key = &conn->server_write_key;
227 iv = conn->server_write_iv;
228 seq_num = conn->server_seq_num;
229 }
230
231 if (tls13_gcm_encrypt(key, iv,
232 seq_num, TLS_record_application_data, data, datalen, padding_len,
233 record + 5, &recordlen) != 1) {
234 error_print();
235 return -1;
236 }
237
238 record[0] = TLS_record_application_data;
239 record[1] = TLS_protocol_tls12 >> 8;
240 record[2] = TLS_protocol_tls12 & 0xff;
241 record[3] = recordlen >> 8;
242 record[4] = recordlen;
243 recordlen += 5;
244
245 tls_record_send(record, recordlen, conn->sock);
246 tls_record_trace(stderr, record, tls_record_length(record), 0, 0);
247
248 tls_seq_num_incr(seq_num);
249
250 *sentlen = datalen;
251
252 return 1;
253 }
254
255 /*
256 int tls13_recv(TLS_CONNECT *conn, uint8_t *data, size_t *datalen)
257 {
258 int record_type;
259 uint8_t *record = conn->record;
260 size_t recordlen;
261 const BLOCK_CIPHER_KEY *key;
262 const uint8_t *iv;
263 uint8_t *seq_num;
264
265
266 tls_trace("recv {ApplicationData}\n");
267
268 if (conn->is_client) {
269 key = &conn->server_write_key;
270 iv = conn->server_write_iv;
271 seq_num = conn->server_seq_num;
272 } else {
273 key = &conn->client_write_key;
274 iv = conn->client_write_iv;
275 seq_num = conn->client_seq_num;
276 }
277
278 if (tls_record_recv(record, &recordlen, conn->sock) != 1) {
279 error_print();
280 return -1;
281 }
282 if (record[0] != TLS_record_application_data) {
283 error_print();
284 return -1;
285 }
286
287 if (tls13_gcm_decrypt(key, iv,
288 seq_num, record + 5, recordlen - 5,
289 &record_type, data, datalen) != 1) {
290 error_print();
291 return -1;
292 }
293
294 tls_record_trace(stderr, record, tls_record_length(record), 0, 0);
295 tls_seq_num_incr(seq_num);
296
297 if (record_type != TLS_record_application_data) {
298 error_print();
299 return -1;
300 }
301 return 1;
302 }
303 */
304
tls13_do_recv(TLS_CONNECT * conn)305 int tls13_do_recv(TLS_CONNECT *conn)
306 {
307 int ret;
308 const BLOCK_CIPHER_KEY *key;
309 const uint8_t *iv;
310 uint8_t *seq_num;
311 uint8_t *record = conn->record;
312 size_t recordlen;
313 int record_type;
314
315 if (conn->is_client) {
316 key = &conn->server_write_key;
317 iv = conn->server_write_iv;
318 seq_num = conn->server_seq_num;
319 } else {
320 key = &conn->client_write_key;
321 iv = conn->client_write_iv;
322 seq_num = conn->client_seq_num;
323 }
324
325 tls_trace("recv ApplicationData\n");
326 if ((ret = tls_record_recv(record, &recordlen, conn->sock)) != 1) {
327 if (ret < 0) error_print();
328 return ret;
329 }
330 tls_record_trace(stderr, record, recordlen, 0, 0);
331 // TODO: 是否需要检查record_type? record[0] != TLS_record_application_data
332
333 if (tls13_gcm_decrypt(key, iv,
334 seq_num, record + 5, recordlen - 5,
335 &record_type, conn->databuf, &conn->datalen) != 1) {
336 error_print();
337 return -1;
338 }
339 conn->data = conn->databuf;
340 tls_seq_num_incr(seq_num);
341
342 tls_record_set_data(record, conn->data, conn->datalen);
343 tls_trace("decrypt ApplicationData\n");
344 tls_record_trace(stderr, record, tls_record_length(record), 0, 0);
345
346
347 if (record_type != TLS_record_application_data) {
348 error_print();
349 return -1;
350 }
351 return 1;
352 }
353
tls13_recv(TLS_CONNECT * conn,uint8_t * out,size_t outlen,size_t * recvlen)354 int tls13_recv(TLS_CONNECT *conn, uint8_t *out, size_t outlen, size_t *recvlen)
355 {
356 if (!conn || !out || !outlen || !recvlen) {
357 error_print();
358 return -1;
359 }
360 if (conn->datalen == 0) {
361 int ret;
362 if ((ret = tls13_do_recv(conn)) != 1) {
363 if (ret) error_print();
364 return ret;
365 }
366 }
367 *recvlen = outlen <= conn->datalen ? outlen : conn->datalen;
368 memcpy(out, conn->data, *recvlen);
369 conn->data += *recvlen;
370 conn->datalen -= *recvlen;
371 return 1;
372 }
373
374
375
376 /*
377 HKDF-Expand-Label(Secret, Label, Context, Length) =
378 HKDF-Expand(Secret, HkdfLabel, Length);
379
380 HkdfLabel = struct {
381 uint16 length = Length;
382 opaque label<7..255> = "tls13 " + Label;
383 opaque context<0..255> = Context; }
384
385 Derive-Secret(Secret, Label, Messages) =
386 HKDF-Expand-Label(Secret, Label, Hash(Messages), Hash.length)
387
388 */
389
tls13_hkdf_extract(const DIGEST * digest,const uint8_t salt[32],const uint8_t in[32],uint8_t out[32])390 int tls13_hkdf_extract(const DIGEST *digest, const uint8_t salt[32], const uint8_t in[32], uint8_t out[32])
391 {
392 size_t dgstlen;
393
394 if (hkdf_extract(digest, salt, 32, in, 32, out, &dgstlen) != 1
395 || dgstlen != 32) {
396 error_print();
397 return -1;
398 }
399 return 1;
400 }
401
tls13_hkdf_expand_label(const DIGEST * digest,const uint8_t secret[32],const char * label,const uint8_t * context,size_t context_len,size_t outlen,uint8_t * out)402 int tls13_hkdf_expand_label(const DIGEST *digest, const uint8_t secret[32],
403 const char *label, const uint8_t *context, size_t context_len,
404 size_t outlen, uint8_t *out)
405 {
406 uint8_t label_len;
407 uint8_t hkdf_label[2 + 256 + 256];
408 uint8_t *p = hkdf_label;
409 size_t hkdf_label_len = 0;
410
411 label_len = strlen("tls13 ") + strlen(label);
412 tls_uint16_to_bytes((uint16_t)outlen, &p, &hkdf_label_len);
413 tls_uint8_to_bytes(label_len, &p, &hkdf_label_len);
414 tls_array_to_bytes((uint8_t *)"tls13 ", strlen("tls13 "), &p, &hkdf_label_len);
415 tls_array_to_bytes((uint8_t *)label, strlen(label), &p, &hkdf_label_len);
416 tls_uint8array_to_bytes(context, context_len, &p, &hkdf_label_len);
417
418 hkdf_expand(digest, secret, 32, hkdf_label, hkdf_label_len, outlen, out);
419
420 return 1;
421 }
422
tls13_derive_secret(const uint8_t secret[32],const char * label,const DIGEST_CTX * dgst_ctx,uint8_t out[32])423 int tls13_derive_secret(const uint8_t secret[32], const char *label, const DIGEST_CTX *dgst_ctx, uint8_t out[32])
424 {
425 DIGEST_CTX ctx = *dgst_ctx;
426 uint8_t dgst[64];
427 size_t dgstlen;
428
429 if (digest_finish(&ctx, dgst, &dgstlen) != 1
430 || tls13_hkdf_expand_label(dgst_ctx->digest, secret, label, dgst, 32, dgstlen, out) != 1) {
431 error_print();
432 return -1;
433 }
434 return 1;
435 }
436
437 static const uint8_t TLS13_client_context_str_and_zero[] = "TLS 1.3, client CertificateVerify";
438 static const uint8_t TLS13_server_context_str_and_zero[] = "TLS 1.3, server CertificateVerify";
439 static size_t TLS13_client_context_str_and_zero_size = sizeof(TLS13_client_context_str_and_zero);
440 static size_t TLS13_server_context_str_and_zero_size = sizeof(TLS13_server_context_str_and_zero);
441
tls13_sign_certificate_verify(int tls_mode,const SM2_KEY * key,const char * signer_id,size_t signer_id_len,const DIGEST_CTX * tbs_dgst_ctx,uint8_t * sig,size_t * siglen)442 int tls13_sign_certificate_verify(int tls_mode,
443 const SM2_KEY *key, const char *signer_id, size_t signer_id_len,
444 const DIGEST_CTX *tbs_dgst_ctx,
445 uint8_t *sig, size_t *siglen)
446 {
447 SM2_SIGN_CTX sign_ctx;
448 uint8_t prefix[64];
449 const uint8_t *context_str_and_zero;
450 size_t context_str_and_zero_len;
451 DIGEST_CTX dgst_ctx;
452 uint8_t dgst[64];
453 size_t dgstlen;
454
455 memset(prefix, 0x20, 64);
456
457 switch (tls_mode) {
458 case TLS_client_mode:
459 context_str_and_zero = TLS13_client_context_str_and_zero;
460 context_str_and_zero_len = TLS13_client_context_str_and_zero_size;
461 break;
462 case TLS_server_mode:
463 context_str_and_zero = TLS13_server_context_str_and_zero;
464 context_str_and_zero_len = TLS13_server_context_str_and_zero_size;
465 break;
466 default:
467 error_print();
468 return -1;
469 }
470
471 dgst_ctx = *tbs_dgst_ctx;
472 digest_finish(&dgst_ctx, dgst, &dgstlen);
473
474 sm2_sign_init(&sign_ctx, key, signer_id, signer_id_len);
475 sm2_sign_update(&sign_ctx, prefix, 64);
476 sm2_sign_update(&sign_ctx, context_str_and_zero, context_str_and_zero_len);
477 sm2_sign_update(&sign_ctx, dgst, dgstlen);
478 sm2_sign_finish(&sign_ctx, sig, siglen);
479
480 gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
481 return 1;
482 }
483
tls13_verify_certificate_verify(int tls_mode,const SM2_KEY * public_key,const char * signer_id,size_t signer_id_len,const DIGEST_CTX * tbs_dgst_ctx,const uint8_t * sig,size_t siglen)484 int tls13_verify_certificate_verify(int tls_mode,
485 const SM2_KEY *public_key, const char *signer_id, size_t signer_id_len,
486 const DIGEST_CTX *tbs_dgst_ctx, const uint8_t *sig, size_t siglen)
487 {
488 int ret;
489 SM2_SIGN_CTX verify_ctx;
490 uint8_t prefix[64];
491 const uint8_t *context_str_and_zero;
492 size_t context_str_and_zero_len;
493 DIGEST_CTX dgst_ctx;
494 uint8_t dgst[64];
495 size_t dgstlen;
496
497 memset(prefix, 0x20, 64);
498
499 switch (tls_mode) {
500 case TLS_client_mode:
501 context_str_and_zero = TLS13_client_context_str_and_zero;
502 context_str_and_zero_len = TLS13_client_context_str_and_zero_size;
503 break;
504 case TLS_server_mode:
505 context_str_and_zero = TLS13_server_context_str_and_zero;
506 context_str_and_zero_len = TLS13_server_context_str_and_zero_size;
507 break;
508 default:
509 error_print();
510 return -1;
511 }
512
513 dgst_ctx = *tbs_dgst_ctx;
514 digest_finish(&dgst_ctx, dgst, &dgstlen);
515
516 sm2_verify_init(&verify_ctx, public_key, signer_id, signer_id_len);
517 sm2_verify_update(&verify_ctx, prefix, 64);
518 sm2_verify_update(&verify_ctx, context_str_and_zero, context_str_and_zero_len);
519 sm2_verify_update(&verify_ctx, dgst, dgstlen);
520
521 if ((ret = sm2_verify_finish(&verify_ctx, sig, siglen)) < 0) {
522 error_print();
523 return -1;
524 }
525 if (ret != 1) {
526 error_print();
527 }
528 return ret;
529 }
530
531 /*
532 verify_data in Finished
533
534 finished_key =
535 HKDF-Expand-Label(BaseKey, "finished", "", Hash.length)
536 Structure of this message:
537 struct {
538 opaque verify_data[Hash.length];
539 } Finished;
540 The verify_data value is computed as follows:
541 verify_data =
542 HMAC(finished_key,
543 Transcript-Hash(Handshake Context,
544 Certificate*, CertificateVerify*))
545 */
546
tls13_compute_verify_data(const uint8_t * handshake_traffic_secret,const DIGEST_CTX * dgst_ctx,uint8_t * verify_data,size_t * verify_data_len)547 int tls13_compute_verify_data(const uint8_t *handshake_traffic_secret,
548 const DIGEST_CTX *dgst_ctx, uint8_t *verify_data, size_t *verify_data_len)
549 {
550 DIGEST_CTX temp_dgst_ctx;
551 uint8_t dgst[64];
552 size_t dgstlen;
553 uint8_t finished_key[64];
554 size_t finished_key_len;
555
556 temp_dgst_ctx = *dgst_ctx;
557 digest_finish(&temp_dgst_ctx, dgst, &dgstlen);
558 finished_key_len = dgstlen;
559
560 tls13_hkdf_expand_label(dgst_ctx->digest, handshake_traffic_secret,
561 "finished", NULL, 0, finished_key_len, finished_key);
562
563 hmac(dgst_ctx->digest, finished_key, finished_key_len, dgst, dgstlen, verify_data, verify_data_len);
564 return 1;
565 }
566
567 /*
568 Handshakes
569
570 */
571
tls13_client_hello_exts_set(uint8_t * exts,size_t * extslen,size_t maxlen,const SM2_POINT * client_ecdhe_public)572 int tls13_client_hello_exts_set(uint8_t *exts, size_t *extslen, size_t maxlen,
573 const SM2_POINT *client_ecdhe_public)
574 {
575 int protocols[] = { TLS_protocol_tls13 };
576 int supported_groups[] = { TLS_curve_sm2p256v1 };
577 int sig_algs[] = { TLS_sig_sm2sig_sm3 };
578 size_t protocols_cnt = sizeof(protocols)/sizeof(int);
579 size_t supported_groups_cnt = sizeof(supported_groups)/sizeof(int);
580 size_t sig_algs_cnt = sizeof(sig_algs)/sizeof(int);
581
582
583 if (!exts || !extslen || !client_ecdhe_public) {
584 error_print();
585 return -1;
586 }
587
588 *extslen = 0;
589 if (tls13_supported_versions_ext_to_bytes(TLS_client_mode, protocols, protocols_cnt, NULL, extslen) != 1
590 || tls_supported_groups_ext_to_bytes(supported_groups, supported_groups_cnt, NULL, extslen) != 1
591 || tls_signature_algorithms_ext_to_bytes(sig_algs, sig_algs_cnt, NULL, extslen) != 1
592 || tls13_client_key_share_ext_to_bytes(client_ecdhe_public, NULL, extslen) != 1) {
593 error_print();
594 return -1;
595 }
596 if (*extslen > maxlen) {
597 error_print();
598 return -1;
599 }
600 *extslen = 0;
601 tls13_supported_versions_ext_to_bytes(TLS_client_mode, protocols, protocols_cnt, &exts, extslen);
602 tls_supported_groups_ext_to_bytes(supported_groups, supported_groups_cnt, &exts, extslen);
603 tls_signature_algorithms_ext_to_bytes(sig_algs, sig_algs_cnt, &exts, extslen);
604 tls13_client_key_share_ext_to_bytes(client_ecdhe_public, &exts, extslen);
605 return 1;
606 }
607
tls13_process_client_hello_exts(const uint8_t * exts,size_t extslen,const SM2_KEY * server_ecdhe_key,SM2_POINT * client_ecdhe_public,uint8_t * server_exts,size_t * server_exts_len,size_t server_exts_maxlen)608 int tls13_process_client_hello_exts(const uint8_t *exts, size_t extslen,
609 const SM2_KEY *server_ecdhe_key, SM2_POINT *client_ecdhe_public,
610 uint8_t *server_exts, size_t *server_exts_len, size_t server_exts_maxlen)
611 {
612 size_t len = 0;
613 *server_exts_len = 0;
614
615 while (extslen) {
616 uint16_t ext_type;
617 const uint8_t *ext_data;
618 size_t ext_datalen;
619
620 if (tls_uint16_from_bytes(&ext_type, &exts, &extslen) != 1
621 || tls_uint16array_from_bytes(&ext_data, &ext_datalen, &exts, &extslen) != 1) {
622 error_print();
623 return -1;
624 }
625
626 switch (ext_type) {
627 /*
628 // tls13_process_client_hello_exts 的接口需要处理,部分输出要输出到server_exts中
629 case TLS_extension_supported_groups: // 这个应该放在EE里面
630 if (tls_process_client_supported_groups(ext_data, ext_datalen, NULL, &len) != 1
631 || len > server_exts_maxlen) {
632 error_print();
633 return -1;
634 }
635 tls_process_client_supported_groups(ext_data, ext_datalen, &server_exts, server_exts_len);
636 break;
637 case TLS_extension_signature_algorithms: // client单方面通知就可以了,服务器不需要响应
638 if (tls_process_client_signature_algorithms(ext_data, ext_datalen, NULL, &len) != 1
639 || len > server_exts_maxlen) {
640 error_print();
641 return -1;
642 }
643 tls_process_client_signature_algorithms(ext_data, ext_datalen, &server_exts, server_exts_len);
644 break;
645 */
646 case TLS_extension_supported_versions:
647 if (tls13_process_client_supported_versions(ext_data, ext_datalen, NULL, &len) != 1
648 || len > server_exts_maxlen) {
649 error_print();
650 return -1;
651 }
652 tls13_process_client_supported_versions(ext_data, ext_datalen, &server_exts, server_exts_len);
653 break;
654 case TLS_extension_key_share:
655 if (tls13_process_client_key_share(ext_data, ext_datalen, server_ecdhe_key, client_ecdhe_public, &server_exts, server_exts_len) != 1
656 || len > server_exts_maxlen) {
657 error_print();
658 return -1;
659 }
660 break;
661
662 default:
663 ; // server ignore unkonwn extensions
664 }
665 }
666
667 return 1;
668 }
669
tls_client_key_shares_from_bytes(SM2_POINT * sm2_point,const uint8_t ** in,size_t * inlen)670 int tls_client_key_shares_from_bytes(SM2_POINT *sm2_point, const uint8_t **in, size_t *inlen)
671 {
672 const uint8_t *key_shares;
673 size_t key_shares_len;
674
675 tls_uint16array_from_bytes(&key_shares, &key_shares_len, in, inlen);
676
677 while (key_shares_len) {
678 uint16_t group;
679 const uint8_t *key_exch;
680 size_t key_exch_len;
681
682 tls_uint16_from_bytes(&group, &key_shares, &key_shares_len);
683 tls_uint16array_from_bytes(&key_exch, &key_exch_len, &key_shares, &key_shares_len);
684
685 if (key_exch_len != 65) {
686 error_print();
687 return -1;
688 }
689
690 switch (group) {
691 case TLS_curve_sm2p256v1:
692 sm2_point_from_octets(sm2_point, key_exch, key_exch_len);
693 break;
694 default:
695 error_print();
696 return -1;
697 }
698 }
699
700 return 1;
701 }
702
703 // 这个函数不是太正确,应该也是一个process
tls13_server_hello_extensions_get(const uint8_t * exts,size_t extslen,SM2_POINT * sm2_point)704 int tls13_server_hello_extensions_get(const uint8_t *exts, size_t extslen, SM2_POINT *sm2_point)
705 {
706 uint16_t version;
707 while (extslen) {
708 uint16_t ext_type;
709 const uint8_t *ext_data;
710 size_t ext_datalen;
711 const uint8_t *p;
712 size_t len;
713
714 tls_uint16_from_bytes(&ext_type, &exts, &extslen);
715 tls_uint16array_from_bytes(&ext_data, &ext_datalen, &exts, &extslen);
716
717 switch (ext_type) {
718 case TLS_extension_supported_versions:
719 if (tls_uint16_from_bytes(&version, &ext_data, &ext_datalen) != 1
720 || ext_datalen > 0) {
721 error_print();
722 return -1;
723 }
724 if (version != TLS_protocol_tls13) {
725 error_print();
726 return -1;
727 }
728 break;
729 case TLS_extension_key_share:
730 if (tls13_process_server_key_share(ext_data, ext_datalen, sm2_point) != 1) {
731 error_print();
732 return -1;
733 }
734 break;
735 //default:
736 // FIXME: 还有几个扩展没有处理!
737 //error_print();
738 //return -1;
739 }
740 }
741 return 1;
742 }
743
744
745 /*
746 struct {
747 Extension extensions<0..2^16-1>;
748 } EncryptedExtensions;
749 */
750 static int tls13_encrypted_exts[] = {
751 TLS_extension_server_name,
752 TLS_extension_max_fragment_length,
753 TLS_extension_supported_groups,
754 TLS_extension_use_srtp,
755 TLS_extension_heartbeat,
756 TLS_extension_application_layer_protocol_negotiation,
757 TLS_extension_client_certificate_type,
758 TLS_extension_server_certificate_type,
759 TLS_extension_early_data,
760 };
761
tls13_encrypted_extensions_print(FILE * fp,int fmt,int ind,const uint8_t * data,size_t datalen)762 int tls13_encrypted_extensions_print(FILE *fp, int fmt, int ind, const uint8_t *data, size_t datalen)
763 {
764 const uint8_t *exts;
765 size_t extslen;
766
767 format_print(fp, fmt, ind, "EncryptedExtensions\n");
768 ind += 4;
769
770 if (tls_uint16array_from_bytes(&exts, &extslen, &data, &datalen) != 1) {
771 error_print();
772 return -1;
773 }
774 if (exts) {
775 tls13_extensions_print(fp, fmt, ind, TLS_handshake_encrypted_extensions, exts, extslen);
776 }
777 if (tls_length_is_zero(datalen) != 1) {
778 error_print();
779 return -1;
780 }
781 return 1;
782 }
783
tls13_record_set_handshake_encrypted_extensions(uint8_t * record,size_t * recordlen)784 int tls13_record_set_handshake_encrypted_extensions(uint8_t *record, size_t *recordlen)
785 {
786 int type = TLS_handshake_encrypted_extensions;
787 uint8_t *p = record + 5 + 4;
788 size_t len = 0;
789 uint8_t exts[128];
790 size_t extslen = 0;
791 uint8_t *pexts = exts;
792 const int supported_groups[] = { TLS_curve_sm2p256v1 };
793
794 tls_supported_groups_ext_to_bytes(supported_groups, sizeof(supported_groups)/sizeof(int), &pexts, &extslen);
795
796 tls_uint16array_to_bytes(exts, extslen, &p, &len);
797 tls_record_set_handshake(record, recordlen, type, NULL, len);
798
799 return 1;
800 }
801
tls13_record_get_handshake_encrypted_extensions(const uint8_t * record)802 int tls13_record_get_handshake_encrypted_extensions(const uint8_t *record)
803 {
804 int type;
805 const uint8_t *p;
806 size_t len;
807 const uint8_t *exts_data;
808 size_t exts_datalen;
809
810 if (tls_record_get_handshake(record, &type, &p, &len) != 1) {
811 error_print();
812 return -1;
813 }
814 if (tls_uint16array_from_bytes(&exts_data, &exts_datalen, &p, &len) != 1) {
815 error_print();
816 return -1;
817 }
818 // 当前实现不需要在EncryptedExtensions提供扩展
819 if (exts_datalen) {
820 // FIXME: 实际上supported_groups是放在这里的,应该加以处理
821 //error_print();
822 //return -1;
823 }
824 return 1;
825 }
826
827
828 /*
829 ClientHello.Extensions.signature_algorithms 列出客户端支持的签名+哈希算法
830 ServerHello.Extensions.supported_groups 决定了服务器的公钥类型,
831 因此也决定了服务器的签名算法
832 ServerHello.cipher_suite决定了哈希函数
833 */
834
835 /*
836 struct {
837 SignatureScheme algorithm;
838 opaque signature<0..2^16-1>;
839 } CertificateVerify;
840
841 注意:TLS 1.2中只有RAW signature, 也就是没有经过uint16array封装的,这其实不太符合TLS的设计逻辑
842 */
tls13_record_set_handshake_certificate_verify(uint8_t * record,size_t * recordlen,int sign_algor,const uint8_t * sig,size_t siglen)843 int tls13_record_set_handshake_certificate_verify(uint8_t *record, size_t *recordlen,
844 int sign_algor, const uint8_t *sig, size_t siglen)
845 {
846 int type = TLS_handshake_certificate_verify;
847 uint8_t *p = record + 5 + 4;
848 size_t len = 0;
849
850 tls_uint16_to_bytes((uint16_t)sign_algor, &p, &len);
851 tls_uint16array_to_bytes(sig, siglen, &p, &len);
852
853 if (tls_record_set_handshake(record, recordlen, type, NULL, len) != 1) {
854 error_print();
855 return -1;
856 }
857 return 1;
858 }
859
tls13_record_get_handshake_certificate_verify(const uint8_t * record,int * sign_algor,const uint8_t ** sig,size_t * siglen)860 int tls13_record_get_handshake_certificate_verify(const uint8_t *record,
861 int *sign_algor, const uint8_t **sig, size_t *siglen)
862 {
863 int type;
864 const uint8_t *p;
865 size_t len ;
866
867 if (tls_record_get_handshake(record, &type, &p, &len) != 1
868 || type != TLS_handshake_certificate_verify) {
869 error_print();
870 return -1;
871 }
872
873 *sign_algor = 0;
874 tls_uint16_from_bytes((uint16_t *)sign_algor, &p, &len);
875 tls_uint16array_from_bytes(sig, siglen, &p, &len);
876
877 return 1;
878 }
879
880
881 /*
882 struct {
883 opaque certificate_request_context<0..2^8-1>;
884 Extension extensions<2..2^16-1>;
885 } CertificateRequest;
886
887 certificate_request_context 用于 Post-handshake Authentication,否则应该长度为0
888
889 */
890 static int tls13_certificate_request_exts[] = {
891 TLS_extension_signature_algorithms, // 必须包含
892 TLS_extension_status_request,
893 TLS_extension_signed_certificate_timestamp,
894 TLS_extension_certificate_authorities,
895 TLS_extension_oid_filters,
896 TLS_extension_signature_algorithms_cert,
897 };
898
899
900
901
902 /*
903 struct {
904 opaque certificate_request_context<0..2^8-1>;
905 Extension extensions<2..2^16-1>;
906 } CertificateRequest;
907
908 extensiosns:
909 Extension signature_algorithms MUST be specified
910 */
tls13_record_set_handshake_certificate_request(uint8_t * record,size_t * recordlen,const uint8_t * request_context,size_t request_context_len,const uint8_t * exts,size_t extslen)911 int tls13_record_set_handshake_certificate_request(uint8_t *record, size_t *recordlen,
912 const uint8_t *request_context, size_t request_context_len,
913 const uint8_t *exts, size_t extslen)
914 {
915 int type = TLS_handshake_certificate_request;
916 uint8_t *data;
917 size_t datalen = 0;
918
919 if (!record || !recordlen) {
920 error_print();
921 return -1;
922 }
923 data = tls_handshake_data(tls_record_data(record));
924 tls_uint8array_to_bytes(request_context, request_context_len, &data, &datalen);
925 tls_uint16array_to_bytes(exts, extslen, &data, &datalen);
926 tls_record_set_handshake(record, recordlen, type, NULL, datalen);
927 return 1;
928 }
929
tls13_record_set_handshake_certificate_request_default(uint8_t * record,size_t * recordlen)930 int tls13_record_set_handshake_certificate_request_default(uint8_t *record, size_t *recordlen)
931 {
932 int sig_algs[] = { TLS_sig_sm2sig_sm3 };
933 uint8_t exts[256];
934 uint8_t *p = exts;
935 size_t extslen = 0;
936
937 tls_signature_algorithms_ext_to_bytes(sig_algs, sizeof(sig_algs)/sizeof(int), &p, &extslen);
938 tls13_record_set_handshake_certificate_request(record, recordlen, NULL, 0, exts, extslen);
939 return 1;
940 }
941
tls13_record_get_handshake_certificate_request(const uint8_t * record,const uint8_t ** requst_context,size_t * request_context_len,const uint8_t ** exts,size_t * exts_len)942 int tls13_record_get_handshake_certificate_request(const uint8_t *record,
943 const uint8_t **requst_context, size_t *request_context_len,
944 const uint8_t **exts, size_t *exts_len)
945 {
946 int type;
947 const uint8_t *p;
948 size_t len;
949
950 if (tls_record_get_handshake(record, &type, &p, &len) != 1) {
951 error_print();
952 return -1;
953 }
954 if (type != TLS_handshake_certificate_request) {
955 error_print();
956 return -1;
957 }
958 if (tls_uint8array_from_bytes(requst_context, request_context_len, &p, &len) != 1
959 || tls_uint16array_from_bytes(exts, exts_len, &p, &len) != 1
960 || tls_length_is_zero(len) != 1) {
961 error_print();
962 return -1;
963 }
964 return 1;
965 }
966
967 static const int tls13_handshake_certificate_exts[] = {
968 TLS_extension_status_request,
969 TLS_extension_signed_certificate_timestamp,
970 };
971 /*
972 enum { X509(0), RawPublicKey(2), (255) } CertificateType;
973
974 struct {
975 select (certificate_type) {
976 case RawPublicKey: opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; -- TLS 1.3可以只传公钥不传证书
977 case X509: opaque cert_data<1..2^24-1>;
978 };
979 Extension extensions<0..2^16-1>;
980 } CertificateEntry;
981
982 struct {
983 opaque certificate_request_context<0..2^8-1>; -- 用于客户端证书,服务器证书该域长度为0
984 CertificateEntry certificate_list<0..2^24-1>;
985 } Certificate;
986
987 TLS 1.3 Certificate:
988
989 * TLS 1.3 支持发送公钥,可以去掉嵌入式环境的证书传输开销
990 * TLS 1.3 的证书链中增加了 certificate_request_context
991 用于客户端发送证书时标识context,服务器端的证书中该域的长度为0
992 * 证书链中每个证书都有一个独立的扩展域,TLS 1.2 中的证书相关扩展移至此处
993
994 Extensions in client Certificate MUST from ClientHello
995 Extensions in server Certificate MUST from CertificateRequest
996 Entensions apply to entire chain SHOULD be in the first CertificateEntry
997
998 目前CertificateEntry中的扩展主要用于服务器证书的验证
999 客户端在ClientHello中可以包含status_request 和 signed_certificate_timestamp
1000 让服务器提供 OCSP 的状态证明和时间戳信息
1001 服务器则在证书消息的每个证书否面附带这两个扩展,提供相关信息
1002
1003 在 RFC 8446 (TLS 1.3) 中还没有涉及客户端证书的具体扩展
1004 但是客户端在提供客户端证书时,应该响应服务器CertificateRequest消息中的扩展
1005
1006 目前GmSSLv3还不支持这两个证书扩展的生成,但是提供解析和显示
1007
1008 Valid extensions for server certificates:
1009 TLS_extension_status_request (5)
1010 TLS_extension_signed_certificate_timestamp (18)
1011 */
1012
tls13_certificate_print(FILE * fp,int fmt,int ind,const uint8_t * cert,size_t certlen)1013 int tls13_certificate_print(FILE *fp, int fmt, int ind, const uint8_t *cert, size_t certlen)
1014 {
1015 const uint8_t *p;
1016 size_t len;
1017
1018 format_print(fp, fmt, ind, "Certificate\n");
1019 ind += 4;
1020
1021 if (tls_uint8array_from_bytes(&p, &len, &cert, &certlen) != 1) {
1022 error_print();
1023 return -1;
1024 }
1025 format_bytes(fp, fmt, ind, "certificate_request_context", p, len);
1026
1027 format_print(fp, fmt, ind, "certificate_list\n");
1028 ind += 4;
1029 if (tls_uint24array_from_bytes(&p, &len, &cert, &certlen) != 1) {
1030 error_print();
1031 return -1;
1032 }
1033 while (len) {
1034 const uint8_t *cert_data;
1035 size_t cert_data_len;
1036 const uint8_t *exts;
1037 size_t extslen;
1038
1039 if (tls_uint24array_from_bytes(&cert_data, &cert_data_len, &p, &len) != 1
1040 || tls_uint16array_from_bytes(&exts, &extslen, &p, &len) != 1) {
1041 error_print();
1042 return -1;
1043 }
1044 if (!cert_data) {
1045 error_print();
1046 return -1;
1047 }
1048
1049 format_print(fp, fmt, ind, "CertificateEntry\n");
1050 x509_cert_print(fp, fmt, ind + 4, "Certificate", cert_data, cert_data_len);
1051 x509_cert_to_pem(cert_data, cert_data_len, fp);
1052 tls13_extensions_print(fp, fmt, ind + 4, TLS_handshake_certificate, exts, extslen);
1053 }
1054 return 1;
1055 }
1056
tls13_certificate_request_print(FILE * fp,int fmt,int ind,const uint8_t * certreq,size_t certreqlen)1057 int tls13_certificate_request_print(FILE *fp, int fmt, int ind, const uint8_t *certreq, size_t certreqlen)
1058 {
1059 const uint8_t *p;
1060 size_t len;
1061
1062 format_print(fp, fmt, ind, "CertificateRequest\n");
1063 ind += 4;
1064
1065 if (tls_uint8array_from_bytes(&p, &len, &certreq, &certreqlen) != 1) {
1066 error_print();
1067 return -1;
1068 }
1069 format_bytes(fp, fmt, ind, "certificate_request_context", p, len);
1070
1071 if (tls_uint16array_from_bytes(&p, &len, &certreq, &certreqlen) != 1) {
1072 error_print();
1073 return -1;
1074 }
1075 format_bytes(fp, fmt, ind, "extensions", p, len);
1076
1077 if (tls_length_is_zero(certreqlen) != 1) {
1078 error_print();
1079 return -1;
1080 }
1081 return 1;
1082 }
1083
tls13_certificate_verify_print(FILE * fp,int fmt,int ind,const uint8_t * d,size_t dlen)1084 int tls13_certificate_verify_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_t dlen)
1085 {
1086 uint16_t sig_alg;
1087 const uint8_t *sig;
1088 size_t siglen;
1089
1090 format_print(fp, fmt, ind, "CertificateVerify\n");
1091 ind += 4;
1092
1093 if (tls_uint16_from_bytes(&sig_alg, &d, &dlen) != 1) {
1094 error_print();
1095 return -1;
1096 }
1097 format_print(fp, fmt, ind, "algorithm: %s (0x%04x)\n", tls_signature_scheme_name(sig_alg), sig_alg);
1098 if (tls_uint16array_from_bytes(&sig, &siglen, &d, &dlen) != 1) {
1099 error_print();
1100 return -1;
1101 }
1102 format_bytes(fp, fmt, ind, "signature", sig, siglen);
1103 if (tls_length_is_zero(dlen) != 1) {
1104 error_print();
1105 return -1;
1106 }
1107 return 1;
1108 }
1109
tls13_certificate_list_to_bytes(const uint8_t * certs,size_t certslen,uint8_t ** out,size_t * outlen)1110 int tls13_certificate_list_to_bytes(const uint8_t *certs, size_t certslen,
1111 uint8_t **out, size_t *outlen)
1112 {
1113 uint8_t *p = NULL;
1114 size_t cert_list_len = 0;
1115
1116 if (out && *out) {
1117 p = (*out) + tls_uint24_size();
1118 }
1119 while (certslen) {
1120 const uint8_t *cert;
1121 size_t certlen;
1122 const uint8_t *entry_exts = NULL;
1123 size_t entry_exts_len = 0;
1124
1125 if (x509_cert_from_der(&cert, &certlen, &certs, &certslen) != 1) {
1126 error_print();
1127 return -1;
1128 }
1129 tls_uint24array_to_bytes(cert, certlen, &p, &cert_list_len);
1130 tls_uint16array_to_bytes(entry_exts, entry_exts_len, &p, &cert_list_len);
1131
1132 }
1133 tls_uint24array_to_bytes(NULL, cert_list_len, out, outlen);
1134 return 1;
1135 }
1136
tls13_process_certificate_list(const uint8_t * cert_list,size_t cert_list_len,uint8_t * certs,size_t * certs_len)1137 int tls13_process_certificate_list(const uint8_t *cert_list, size_t cert_list_len,
1138 uint8_t *certs, size_t *certs_len)
1139 {
1140 *certs_len = 0;
1141
1142 while (cert_list_len) {
1143 const uint8_t *cert_data;
1144 size_t cert_data_len;
1145 const uint8_t *exts;
1146 size_t exts_len;
1147 const uint8_t *cert;
1148 size_t cert_len;
1149
1150 if (tls_uint24array_from_bytes(&cert_data, &cert_data_len, &cert_list, &cert_list_len) != 1
1151 || tls_uint16array_from_bytes(&exts, &exts_len, &cert_list, &cert_list_len) != 1) {
1152 error_print();
1153 return -1;
1154 }
1155 if (x509_cert_from_der(&cert, &cert_len, &cert_data, &cert_data_len) != 1
1156 || asn1_length_is_zero(cert_data_len) != 1
1157 || x509_cert_to_der(cert, cert_len, &certs, certs_len) != 1) {
1158 error_print();
1159 return -1;
1160 }
1161
1162 while (exts_len) {
1163 int ext_type;
1164 const uint8_t *ext_data;
1165 size_t ext_data_len;
1166
1167 if (tls_ext_from_bytes(&ext_type, &ext_data, &ext_data_len, &exts, &exts_len) != 1) {
1168 error_print();
1169 return -1;
1170 }
1171 switch (ext_type) {
1172 case TLS_extension_status_request:
1173 case TLS_extension_signed_certificate_timestamp:
1174 error_print();
1175 return -1;
1176 default:
1177 error_print();
1178 return -1;
1179 }
1180 }
1181 }
1182 return 1;
1183 }
1184
tls13_record_set_handshake_certificate(uint8_t * record,size_t * recordlen,const uint8_t * request_context,size_t request_context_len,const uint8_t * certs,size_t certslen)1185 int tls13_record_set_handshake_certificate(uint8_t *record, size_t *recordlen,
1186 const uint8_t *request_context, size_t request_context_len,
1187 const uint8_t *certs, size_t certslen)
1188 {
1189 int type = TLS_handshake_certificate;
1190 uint8_t *data;
1191 size_t datalen;
1192
1193 if (!record || !recordlen || !certs || !certslen) {
1194 error_print();
1195 return -1;
1196 }
1197
1198 datalen = 0;
1199 tls_uint8array_to_bytes(request_context, request_context_len, NULL, &datalen);
1200 tls13_certificate_list_to_bytes(certs, certslen, NULL, &datalen);
1201 if (datalen > TLS_MAX_HANDSHAKE_DATA_SIZE) {
1202 error_print();
1203 return -1;
1204 }
1205
1206 data = tls_handshake_data(tls_record_data(record));
1207 datalen = 0;
1208 tls_uint8array_to_bytes(request_context, request_context_len, &data, &datalen);
1209 tls13_certificate_list_to_bytes(certs, certslen, &data, &datalen);
1210 tls_record_set_handshake(record, recordlen, type, NULL, datalen);
1211
1212 return 1;
1213 }
1214
tls13_record_get_handshake_certificate(const uint8_t * record,const uint8_t ** cert_request_context,size_t * cert_request_context_len,const uint8_t ** cert_list,size_t * cert_list_len)1215 int tls13_record_get_handshake_certificate(const uint8_t *record,
1216 const uint8_t **cert_request_context, size_t *cert_request_context_len,
1217 const uint8_t **cert_list, size_t *cert_list_len)
1218 {
1219 int type;
1220 const uint8_t *p;
1221 size_t len;
1222
1223 if (tls_record_get_handshake(record, &type, &p, &len) != 1) {
1224 error_print();
1225 return -1;
1226 }
1227 if (type != TLS_handshake_certificate) {
1228 error_print();
1229 return -1;
1230 }
1231 if (tls_uint8array_from_bytes(cert_request_context, cert_request_context_len, &p, &len) != 1
1232 || tls_uint24array_from_bytes(cert_list, cert_list_len, &p, &len) != 1
1233 || tls_length_is_zero(len) != 1) {
1234 error_print();
1235 return -1;
1236 }
1237 if (*cert_list == NULL) {
1238 error_print();
1239 return -1;
1240 }
1241 return 1;
1242 }
1243
1244
1245
1246 /*
1247 finished_key = HKDF-Expand-Label(BaseKey, "finished", "", Hash.length)
1248
1249 struct {
1250 opaque verify_data[Hash.length];
1251 } Finished;
1252
1253 verify_data = HMAC(finished_key, Hash(Handshake Context, Certificate*, CertificateVerify*))
1254 Hash = SM3, SHA256 or SHA384
1255 */
1256
1257
tls13_record_set_handshake_finished(uint8_t * record,size_t * recordlen,const uint8_t * verify_data,size_t verify_data_len)1258 int tls13_record_set_handshake_finished(uint8_t *record, size_t *recordlen,
1259 const uint8_t *verify_data, size_t verify_data_len)
1260 {
1261 int type = TLS_handshake_finished;
1262 if (!record || !recordlen || !verify_data) {
1263 error_print();
1264 return -1;
1265 }
1266 tls_record_set_handshake(record, recordlen, type, verify_data, verify_data_len);
1267 return 1;
1268 }
1269
tls13_record_get_handshake_finished(const uint8_t * record,const uint8_t ** verify_data,size_t * verify_data_len)1270 int tls13_record_get_handshake_finished(const uint8_t *record,
1271 const uint8_t **verify_data, size_t *verify_data_len)
1272 {
1273 int type;
1274
1275 if (tls_record_get_handshake(record, &type, verify_data, verify_data_len) != 1) {
1276 error_print();
1277 return -1;
1278 }
1279 if (type != TLS_handshake_finished) {
1280 error_print();
1281 return -1;
1282 }
1283 if (*verify_data_len != SM3_DIGEST_SIZE
1284 && *verify_data_len != SHA384_DIGEST_SIZE) {
1285 error_print();
1286 return -1;
1287 }
1288 return 1;
1289 }
1290
1291
tls13_padding_len_rand(size_t * padding_len)1292 int tls13_padding_len_rand(size_t *padding_len)
1293 {
1294 uint8_t val;
1295 rand_bytes(&val, 1);
1296 *padding_len = val % 128;
1297 return 1;
1298 }
1299
1300
1301
tls13_cipher_suite_get(int cipher_suite,const DIGEST ** digest,const BLOCK_CIPHER ** cipher)1302 int tls13_cipher_suite_get(int cipher_suite, const DIGEST **digest, const BLOCK_CIPHER **cipher)
1303 {
1304 switch (cipher_suite) {
1305 case TLS_cipher_sm4_gcm_sm3:
1306 *digest = DIGEST_sm3();
1307 *cipher = BLOCK_CIPHER_sm4();
1308 break;
1309 case TLS_cipher_aes_128_gcm_sha256:
1310 *digest = DIGEST_sha256();
1311 *cipher = BLOCK_CIPHER_aes128();
1312 break;
1313 default:
1314 error_print();
1315 return -1;
1316 }
1317 return 1;
1318 }
1319
1320
1321
1322 /*
1323 Client Server
1324
1325 Key ^ ClientHello
1326 Exch | + key_share*
1327 | + signature_algorithms*
1328 | + psk_key_exchange_modes*
1329 v + pre_shared_key* -------->
1330 ServerHello ^ Key
1331 + key_share* | Exch
1332 + pre_shared_key* v
1333
1334
1335 | ecdhe => handshake_secret |
1336 | handshake_secret => master_secret |
1337 | handshake_secret, client_hello, server_hello |
1338 | => client_handshake_traffic_secret |
1339 | => server_handshake_traffic_secret |
1340
1341
1342 {EncryptedExtensions} ^ Server
1343 {CertificateRequest*} v Params
1344 {Certificate} ^
1345 {CertificateVerify} | Auth
1346 {Finished} v
1347
1348 + master_secret, ClientHello .. server Finished
1349 => server_application_traffic_secret_0
1350
1351 <-------- [Application Data*]
1352
1353 ^ {Certificate*}
1354 Auth | {CertificateVerify*}
1355 v {Finished} -------->
1356
1357
1358 + master_secret, ClientHello .. server Finished
1359 => client_application_traffic_secret_0
1360
1361 [Application Data] <-------> [Application Data]
1362
1363
1364 TLS 1.3的区别:
1365
1366 * 首先在最开始的握手阶段就协商好了密钥,因此握手之后传输的就是加密消息了
1367 * 因此在第二阶段,双方不再发送ServerKeyExchange和ClientKeyExchange
1368 * 服务器先发送CertificateRequest,再发送Certificate
1369 * 没有ChangeCipherSpec了
1370 * 在握手阶段就需要加密,并且Certificate也在其中,因此需要格外的大的密文数据缓冲
1371
1372 0
1373 |
1374 v
1375 [1] PSK -> HKDF-Extract = Early Secret
1376 |
1377 [2] +-----> Derive-Secret(., "ext binder" | "res binder", "")
1378 | = binder_key
1379 |
1380 [3] +-----> Derive-Secret(., "c e traffic", ClientHello)
1381 | = client_early_traffic_secret
1382 |
1383 [4] +-----> Derive-Secret(., "e exp master", ClientHello)
1384 | = early_exporter_master_secret
1385 v
1386 [5] Derive-Secret(., "derived", "")
1387 |
1388 v
1389 [6] (EC)DHE -> HKDF-Extract = Handshake Secret
1390 |
1391 [7] +-----> Derive-Secret(., "c hs traffic",
1392 | ClientHello...ServerHello)
1393 | = client_handshake_traffic_secret
1394 |
1395 [8] +-----> Derive-Secret(., "s hs traffic",
1396 | ClientHello...ServerHello)
1397 | = server_handshake_traffic_secret
1398 v
1399 [9] Derive-Secret(., "derived", "")
1400 |
1401 v
1402 [10] 0 -> HKDF-Extract = Master Secret
1403 |
1404 [11] +-----> Derive-Secret(., "c ap traffic",
1405 | ClientHello...server Finished)
1406 | = client_application_traffic_secret_0
1407 |
1408 [12] +-----> Derive-Secret(., "s ap traffic",
1409 | ClientHello...server Finished)
1410 | = server_application_traffic_secret_0
1411 |
1412 [13] +-----> Derive-Secret(., "exp master",
1413 | ClientHello...server Finished)
1414 | = exporter_master_secret
1415 |
1416 [14] +-----> Derive-Secret(., "res master",
1417 ClientHello...client Finished)
1418 = resumption_master_secret
1419
1420 */
1421
1422
1423
tls13_do_connect(TLS_CONNECT * conn)1424 int tls13_do_connect(TLS_CONNECT *conn)
1425 {
1426 uint8_t *record = conn->record;
1427 uint8_t *enced_record = conn->enced_record;
1428 size_t recordlen;
1429
1430 size_t enced_recordlen;
1431
1432
1433 int type;
1434 const uint8_t *data;
1435 size_t datalen;
1436
1437 int protocol;
1438 uint8_t client_random[32];
1439 uint8_t server_random[32];
1440 int cipher_suite;
1441 const uint8_t *random;
1442 const uint8_t *session_id;
1443 size_t session_id_len;
1444
1445 int protocols[] = { TLS_protocol_tls13 };
1446 int supported_groups[] = { TLS_curve_sm2p256v1 };
1447 int sign_algors[] = { TLS_sig_sm2sig_sm3 };
1448
1449 uint8_t client_exts[TLS_MAX_EXTENSIONS_SIZE];
1450 size_t client_exts_len;
1451 const uint8_t *server_exts;
1452 size_t server_exts_len;
1453
1454 uint8_t sig[TLS_MAX_SIGNATURE_SIZE];
1455 size_t siglen = sizeof(sig);
1456 uint8_t verify_data[32];
1457 size_t verify_data_len;
1458
1459 int server_sign_algor;
1460 const uint8_t *server_sig;
1461 size_t server_siglen;
1462 const uint8_t *server_verify_data;
1463 size_t server_verify_data_len;
1464
1465 SM2_KEY client_ecdhe;
1466 SM2_POINT server_ecdhe_public;
1467 SM2_KEY server_sign_key;
1468
1469 const DIGEST *digest = DIGEST_sm3();
1470 DIGEST_CTX dgst_ctx; // secret generation过程中需要ClientHello等数据输入的
1471 DIGEST_CTX null_dgst_ctx; // secret generation过程中不需要握手数据的
1472 const BLOCK_CIPHER *cipher = NULL;
1473 size_t padding_len;
1474
1475 uint8_t zeros[32] = {0};
1476 uint8_t psk[32] = {0};
1477 uint8_t early_secret[32];
1478 uint8_t handshake_secret[32];
1479 uint8_t master_secret[32];
1480 uint8_t client_handshake_traffic_secret[32];
1481 uint8_t server_handshake_traffic_secret[32];
1482 uint8_t client_application_traffic_secret[32];
1483 uint8_t server_application_traffic_secret[32];
1484 uint8_t client_write_key[16];
1485 uint8_t server_write_key[16];
1486
1487
1488 const uint8_t *request_context;
1489 size_t request_context_len;
1490 const uint8_t *cert_request_exts;
1491 size_t cert_request_extslen;
1492 const uint8_t *cert_list;
1493 size_t cert_list_len;
1494 const uint8_t *cert;
1495 size_t certlen;
1496
1497 uint8_t *p;
1498
1499
1500 conn->is_client = 1;
1501 tls_record_set_protocol(enced_record, TLS_protocol_tls12);
1502
1503 digest_init(&dgst_ctx, digest);
1504 null_dgst_ctx = dgst_ctx;
1505
1506
1507 // send ClientHello
1508 tls_trace("send ClientHello\n");
1509 tls_record_set_protocol(record, TLS_protocol_tls1);
1510 rand_bytes(client_random, 32); // TLS 1.3 Random 不再包含 UNIX Time
1511 sm2_key_generate(&client_ecdhe);
1512 tls13_client_hello_exts_set(client_exts, &client_exts_len, sizeof(client_exts), &(client_ecdhe.public_key));
1513 tls_record_set_handshake_client_hello(record, &recordlen,
1514 TLS_protocol_tls12, client_random, NULL, 0,
1515 tls13_ciphers, sizeof(tls13_ciphers)/sizeof(tls13_ciphers[0]),
1516 client_exts, client_exts_len);
1517 tls13_record_trace(stderr, record, recordlen, 0, 0);
1518 if (tls_record_send(record, recordlen, conn->sock) != 1) {
1519 error_print();
1520 return -1;
1521 }
1522 // 此时尚未确定digest算法,因此无法digest_update
1523
1524
1525 // recv ServerHello
1526 tls_trace("recv ServerHello\n");
1527 if (tls_record_recv(enced_record, &enced_recordlen, conn->sock) != 1) {
1528 error_print();
1529 tls_send_alert(conn, TLS_alert_unexpected_message);
1530 return -1;
1531 }
1532 tls13_record_trace(stderr, enced_record, enced_recordlen, 0, 0);
1533 if (tls_record_get_handshake_server_hello(enced_record,
1534 &protocol, &random, &session_id, &session_id_len,
1535 &cipher_suite, &server_exts, &server_exts_len) != 1) {
1536 error_print();
1537 tls_send_alert(conn, TLS_alert_unexpected_message);
1538 return -1;
1539 }
1540 if (protocol != TLS_protocol_tls12) {
1541 error_print();
1542 tls_send_alert(conn, TLS_alert_protocol_version);
1543 return -1;
1544 }
1545 memcpy(server_random, random, 32);
1546 memcpy(conn->session_id, session_id, session_id_len);
1547 conn->session_id_len = session_id_len;
1548 if (tls_cipher_suite_in_list(cipher_suite,
1549 tls13_ciphers, sizeof(tls13_ciphers)/sizeof(tls13_ciphers[0])) != 1) {
1550 error_print();
1551 tls_send_alert(conn, TLS_alert_handshake_failure);
1552 return -1;
1553 }
1554 conn->cipher_suite = cipher_suite;
1555 if (tls13_server_hello_extensions_get(server_exts, server_exts_len, &server_ecdhe_public) != 1) {
1556 error_print();
1557 tls_send_alert(conn, TLS_alert_handshake_failure);
1558 return -1;
1559 }
1560 conn->protocol = TLS_protocol_tls13;
1561
1562 tls13_cipher_suite_get(conn->cipher_suite, &digest, &cipher);
1563 digest_update(&dgst_ctx, record + 5, recordlen - 5);
1564 digest_update(&dgst_ctx, enced_record + 5, enced_recordlen - 5);
1565
1566
1567 printf("generate handshake secrets\n");
1568 /*
1569 generate handshake keys
1570 uint8_t client_write_key[32]
1571 uint8_t server_write_key[32]
1572 uint8_t client_write_iv[12]
1573 uint8_t server_write_iv[12]
1574 */
1575 sm2_ecdh(&client_ecdhe, &server_ecdhe_public, &server_ecdhe_public);
1576 /* [1] */ tls13_hkdf_extract(digest, zeros, psk, early_secret);
1577 /* [5] */ tls13_derive_secret(early_secret, "derived", &null_dgst_ctx, handshake_secret);
1578 /* [6] */ tls13_hkdf_extract(digest, handshake_secret, (uint8_t *)&server_ecdhe_public, handshake_secret);
1579 /* [7] */ tls13_derive_secret(handshake_secret, "c hs traffic", &dgst_ctx, client_handshake_traffic_secret);
1580 /* [8] */ tls13_derive_secret(handshake_secret, "s hs traffic", &dgst_ctx, server_handshake_traffic_secret);
1581 /* [9] */ tls13_derive_secret(handshake_secret, "derived", &null_dgst_ctx, master_secret);
1582 /* [10] */ tls13_hkdf_extract(digest, master_secret, zeros, master_secret);
1583 //[sender]_write_key = HKDF-Expand-Label(Secret, "key", "", key_length)
1584 //[sender]_write_iv = HKDF-Expand-Label(Secret, "iv", "", iv_length)
1585 //[sender] in {server, client}
1586 tls13_hkdf_expand_label(digest, server_handshake_traffic_secret, "key", NULL, 0, 16, server_write_key);
1587 tls13_hkdf_expand_label(digest, server_handshake_traffic_secret, "iv", NULL, 0, 12, conn->server_write_iv);
1588 block_cipher_set_encrypt_key(&conn->server_write_key, cipher, server_write_key);
1589 memset(conn->server_seq_num, 0, 8);
1590 tls13_hkdf_expand_label(digest, client_handshake_traffic_secret, "key", NULL, 0, 16, client_write_key);
1591 tls13_hkdf_expand_label(digest, client_handshake_traffic_secret, "iv", NULL, 0, 12, conn->client_write_iv);
1592 block_cipher_set_encrypt_key(&conn->client_write_key, cipher, client_write_key);
1593 memset(conn->client_seq_num, 0, 8);
1594 /*
1595 format_bytes(stderr, 0, 4, "client_write_key", client_write_key, 16);
1596 format_bytes(stderr, 0, 4, "server_write_key", server_write_key, 16);
1597 format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
1598 format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, 12);
1599 format_print(stderr, 0, 0, "\n");
1600 */
1601
1602 // recv {EncryptedExtensions}
1603 printf("recv {EncryptedExtensions}\n");
1604 if (tls_record_recv(enced_record, &enced_recordlen, conn->sock) != 1) {
1605 error_print();
1606 tls_send_alert(conn, TLS_alert_handshake_failure);
1607 return -1;
1608 }
1609 if (tls13_record_decrypt(&conn->server_write_key, conn->server_write_iv,
1610 conn->server_seq_num, enced_record, enced_recordlen,
1611 record, &recordlen) != 1) {
1612 error_print();
1613 tls_send_alert(conn, TLS_alert_bad_record_mac);
1614 return -1;
1615 }
1616 tls13_record_trace(stderr, record, recordlen, 0, 0);
1617 if (tls13_record_get_handshake_encrypted_extensions(record) != 1) {
1618 tls_send_alert(conn, TLS_alert_handshake_failure);
1619 error_print();
1620 return -1;
1621 }
1622 digest_update(&dgst_ctx, record + 5, recordlen - 5);
1623 tls_seq_num_incr(conn->server_seq_num);
1624
1625
1626 // recv {CertififcateRequest*} or {Certificate}
1627 if (tls_record_recv(enced_record, &enced_recordlen, conn->sock) != 1) {
1628 error_print();
1629 tls_send_alert(conn, TLS_alert_handshake_failure);
1630 return -1;
1631 }
1632 if (tls13_record_decrypt(&conn->server_write_key, conn->server_write_iv,
1633 conn->server_seq_num, enced_record, enced_recordlen,
1634 record, &recordlen) != 1) {
1635 error_print();
1636 tls_send_alert(conn, TLS_alert_bad_record_mac);
1637 return -1;
1638 }
1639 if (tls_record_get_handshake(record, &type, &data, &datalen) != 1) {
1640 error_print();
1641 tls_send_alert(conn, TLS_alert_handshake_failure);
1642 return -1;
1643 }
1644 if (type == TLS_handshake_certificate_request) {
1645 tls_trace("recv {CertificateRequest*}\n");
1646 tls13_record_trace(stderr, record, recordlen, 0, 0);
1647 if (tls13_record_get_handshake_certificate_request(record,
1648 &request_context, &request_context_len,
1649 &cert_request_exts, &cert_request_extslen) != 1) {
1650 error_print();
1651 tls_send_alert(conn, TLS_alert_handshake_failure);
1652 return -1;
1653 }
1654 // 当前忽略 request_context 和 cert_request_exts
1655 // request_context 应该为空,当前实现中不支持Post-Handshake Auth
1656 digest_update(&dgst_ctx, record + 5, recordlen - 5);
1657 tls_seq_num_incr(conn->server_seq_num);
1658
1659
1660 // recv {Certificate}
1661 if (tls_record_recv(enced_record, &enced_recordlen, conn->sock) != 1) {
1662 error_print();
1663 tls_send_alert(conn, TLS_alert_handshake_failure);
1664 return -1;
1665 }
1666 if (tls13_record_decrypt(&conn->server_write_key, conn->server_write_iv,
1667 conn->server_seq_num, enced_record, enced_recordlen,
1668 record, &recordlen) != 1) {
1669 error_print();
1670 tls_send_alert(conn, TLS_alert_bad_record_mac);
1671 return -1;
1672 }
1673 } else {
1674 conn->client_certs_len = 0;
1675 // 清空客户端签名密钥
1676 }
1677
1678 // recv {Certificate}
1679 tls_trace("recv {Certificate}\n");
1680 tls13_record_trace(stderr, record, recordlen, 0, 0);
1681 if (tls13_record_get_handshake_certificate(record,
1682 &request_context, &request_context_len,
1683 &cert_list, &cert_list_len) != 1) {
1684 error_print();
1685 tls_send_alert(conn, TLS_alert_unexpected_message);
1686 return -1;
1687 }
1688 if (tls13_process_certificate_list(cert_list, cert_list_len, conn->server_certs, &conn->server_certs_len) != 1) {
1689 error_print();
1690 tls_send_alert(conn, TLS_alert_unexpected_message);
1691 return -1;
1692 }
1693 if (x509_certs_get_cert_by_index(conn->server_certs, conn->server_certs_len, 0, &cert, &certlen) != 1
1694 || x509_cert_get_subject_public_key(cert, certlen, &server_sign_key) != 1) {
1695 error_print();
1696 tls_send_alert(conn, TLS_alert_unexpected_message);
1697 return -1;
1698 }
1699 digest_update(&dgst_ctx, record + 5, recordlen - 5);
1700 tls_seq_num_incr(conn->server_seq_num);
1701
1702
1703 // recv {CertificateVerify}
1704 tls_trace("recv {CertificateVerify}\n");
1705 if (tls_record_recv(enced_record, &enced_recordlen, conn->sock) != 1) {
1706 error_print();
1707 tls_send_alert(conn, TLS_alert_unexpected_message);
1708 return -1;
1709 }
1710 if (tls13_record_decrypt(&conn->server_write_key, conn->server_write_iv,
1711 conn->server_seq_num, enced_record, enced_recordlen,
1712 record, &recordlen) != 1) {
1713 error_print();
1714 tls_send_alert(conn, TLS_alert_bad_record_mac);
1715 return -1;
1716 }
1717 tls13_record_trace(stderr, record, recordlen, 0, 0);
1718 if (tls13_record_get_handshake_certificate_verify(record,
1719 &server_sign_algor, &server_sig, &server_siglen) != 1) {
1720 error_print();
1721 tls_send_alert(conn, TLS_alert_unexpected_message);
1722 return -1;
1723 }
1724 if (server_sign_algor != TLS_sig_sm2sig_sm3) {
1725 error_print();
1726 tls_send_alert(conn, TLS_alert_unexpected_message);
1727 return -1;
1728 }
1729 if (tls13_verify_certificate_verify(TLS_server_mode, &server_sign_key, TLS13_SM2_ID, TLS13_SM2_ID_LENGTH, &dgst_ctx, server_sig, server_siglen) != 1) {
1730 error_print();
1731 return -1;
1732 }
1733 digest_update(&dgst_ctx, record + 5, recordlen - 5);
1734 tls_seq_num_incr(conn->server_seq_num);
1735
1736
1737 // use Transcript-Hash(Handshake Context, Certificate*, CertificateVerify*)
1738 tls13_compute_verify_data(server_handshake_traffic_secret,
1739 &dgst_ctx, verify_data, &verify_data_len);
1740
1741
1742 // recv {Finished}
1743 tls_trace("recv {Finished}\n");
1744 if (tls_record_recv(enced_record, &enced_recordlen, conn->sock) != 1) {
1745 error_print();
1746 tls_send_alert(conn, TLS_alert_unexpected_message);
1747 return -1;
1748 }
1749 if (tls13_record_decrypt(&conn->server_write_key, conn->server_write_iv,
1750 conn->server_seq_num, enced_record, enced_recordlen,
1751 record, &recordlen) != 1) {
1752 error_print();
1753 tls_send_alert(conn, TLS_alert_bad_record_mac);
1754 return -1;
1755 }
1756 tls13_record_trace(stderr, record, recordlen, 0, 0);
1757 if (tls13_record_get_handshake_finished(record,
1758 &server_verify_data, &server_verify_data_len) != 1) {
1759 error_print();
1760 tls_send_alert(conn, TLS_alert_unexpected_message);
1761 return -1;
1762 }
1763 if (server_verify_data_len != verify_data_len
1764 || memcmp(server_verify_data, verify_data, verify_data_len) != 0) {
1765 error_print();
1766 tls_send_alert(conn, TLS_alert_unexpected_message);
1767 return -1;
1768 }
1769 digest_update(&dgst_ctx, record + 5, recordlen - 5);
1770 tls_seq_num_incr(conn->server_seq_num);
1771
1772
1773 // generate server_application_traffic_secret
1774 /* [12] */ tls13_derive_secret(master_secret, "s ap traffic", &dgst_ctx, server_application_traffic_secret);
1775 // generate client_application_traffic_secret
1776 /* [11] */ tls13_derive_secret(master_secret, "c ap traffic", &dgst_ctx, client_application_traffic_secret);
1777
1778
1779 if (conn->client_certs_len) {
1780 int client_sign_algor;
1781 uint8_t sig[TLS_MAX_SIGNATURE_SIZE];
1782 size_t siglen;
1783
1784 // send client {Certificate*}
1785 tls_trace("send {Certificate*}\n");
1786 if (tls13_record_set_handshake_certificate(record, &recordlen,
1787 NULL, 0, // certificate_request_context
1788 conn->client_certs, conn->client_certs_len) != 1) {
1789 error_print();
1790 tls_send_alert(conn, TLS_alert_internal_error);
1791 goto end;
1792 }
1793 tls13_record_trace(stderr, record, recordlen, 0, 0);
1794 tls13_padding_len_rand(&padding_len);
1795 if (tls13_record_encrypt(&conn->client_write_key, conn->client_write_iv,
1796 conn->client_seq_num, record, recordlen, padding_len,
1797 enced_record, &enced_recordlen) != 1) {
1798 error_print();
1799 tls_send_alert(conn, TLS_alert_internal_error);
1800 return -1;
1801 }
1802 if (tls_record_send(enced_record, enced_recordlen, conn->sock) != 1) {
1803 error_print();
1804 tls_send_alert(conn, TLS_alert_internal_error);
1805 return -1;
1806 }
1807 digest_update(&dgst_ctx, record + 5, recordlen - 5);
1808 tls_seq_num_incr(conn->client_seq_num);
1809
1810
1811 // send {CertificateVerify*}
1812 tls_trace("send {CertificateVerify*}\n");
1813 client_sign_algor = TLS_sig_sm2sig_sm3; // FIXME: 应该放在conn里面
1814 tls13_sign_certificate_verify(TLS_client_mode, &conn->sign_key, TLS13_SM2_ID, TLS13_SM2_ID_LENGTH, &dgst_ctx, sig, &siglen);
1815 if (tls13_record_set_handshake_certificate_verify(record, &recordlen,
1816 client_sign_algor, sig, siglen) != 1) {
1817 error_print();
1818 tls_send_alert(conn, TLS_alert_internal_error);
1819 return -1;
1820 }
1821 tls13_record_trace(stderr, record, recordlen, 0, 0);
1822 tls13_padding_len_rand(&padding_len);
1823 if (tls13_record_encrypt(&conn->client_write_key, conn->client_write_iv,
1824 conn->client_seq_num, record, recordlen, padding_len,
1825 enced_record, &enced_recordlen) != 1) {
1826 error_print();
1827 tls_send_alert(conn, TLS_alert_internal_error);
1828 return -1;
1829 }
1830 if (tls_record_send(enced_record, enced_recordlen, conn->sock) != 1) {
1831 error_print();
1832 return -1;
1833 }
1834 digest_update(&dgst_ctx, record + 5, recordlen - 5);
1835 tls_seq_num_incr(conn->client_seq_num);
1836 }
1837
1838 // send Client {Finished}
1839 tls_trace("send {Finished}\n");
1840 tls13_compute_verify_data(client_handshake_traffic_secret, &dgst_ctx, verify_data, &verify_data_len);
1841 if (tls_record_set_handshake_finished(record, &recordlen, verify_data, verify_data_len) != 1) {
1842 error_print();
1843 tls_send_alert(conn, TLS_alert_internal_error);
1844 goto end;
1845 }
1846 tls13_record_trace(stderr, record, recordlen, 0, 0);
1847 tls13_padding_len_rand(&padding_len);
1848 if (tls13_record_encrypt(&conn->client_write_key, conn->client_write_iv,
1849 conn->client_seq_num, record, recordlen, padding_len,
1850 enced_record, &enced_recordlen) != 1) {
1851 error_print();
1852 tls_send_alert(conn, TLS_alert_internal_error);
1853 goto end;
1854 }
1855 if (tls_record_send(enced_record, enced_recordlen, conn->sock) != 1) {
1856 error_print();
1857 goto end;
1858 }
1859 digest_update(&dgst_ctx, record + 5, recordlen - 5);
1860 tls_seq_num_incr(conn->client_seq_num);
1861
1862
1863
1864 // update server_write_key, server_write_iv, reset server_seq_num
1865 tls13_hkdf_expand_label(digest, server_application_traffic_secret, "key", NULL, 0, 16, server_write_key);
1866 block_cipher_set_encrypt_key(&conn->server_write_key, cipher, server_write_key);
1867 tls13_hkdf_expand_label(digest, server_application_traffic_secret, "iv", NULL, 0, 12, conn->server_write_iv);
1868 memset(conn->server_seq_num, 0, 8);
1869 /*
1870 format_print(stderr, 0, 0, "update server secrets\n");
1871 format_bytes(stderr, 0, 4, "server_write_key", server_write_key, 16);
1872 format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, 12);
1873 format_print(stderr, 0, 0, "\n");
1874 */
1875
1876 //update client_write_key, client_write_iv, reset client_seq_num
1877 tls13_hkdf_expand_label(digest, client_application_traffic_secret, "key", NULL, 0, 16, client_write_key);
1878 tls13_hkdf_expand_label(digest, client_application_traffic_secret, "iv", NULL, 0, 12, conn->client_write_iv);
1879 block_cipher_set_encrypt_key(&conn->client_write_key, cipher, client_write_key);
1880 memset(conn->client_seq_num, 0, 8);
1881
1882 /*
1883 format_print(stderr, 0, 0, "update client secrets\n");
1884 format_bytes(stderr, 0, 4, "client_write_key", client_write_key, 16);
1885 format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
1886 format_print(stderr, 0, 0, "\n");
1887 */
1888 fprintf(stderr, "Connection established\n");
1889
1890 end:
1891 return 1;
1892 }
1893
tls13_do_accept(TLS_CONNECT * conn)1894 int tls13_do_accept(TLS_CONNECT *conn)
1895 {
1896 uint8_t *record = conn->record;
1897 size_t recordlen;
1898 uint8_t enced_record[25600];
1899 size_t enced_recordlen = sizeof(enced_record);
1900
1901 int server_ciphers[] = { TLS_cipher_sm4_gcm_sm3 };
1902
1903
1904 int protocol;
1905 const uint8_t *random;
1906 const uint8_t *session_id;
1907 size_t session_id_len;
1908 const uint8_t *client_exts;
1909 size_t client_exts_len;
1910
1911 uint8_t client_random[32];
1912 uint8_t server_random[32];
1913 const uint8_t *client_ciphers;
1914 size_t client_ciphers_len;
1915 uint8_t server_exts[TLS_MAX_EXTENSIONS_SIZE];
1916 size_t server_exts_len;
1917
1918 SM2_KEY server_ecdhe;
1919 SM2_POINT client_ecdhe_public;
1920 SM2_KEY client_sign_key;
1921 const BLOCK_CIPHER *cipher;
1922 const DIGEST *digest;
1923 DIGEST_CTX dgst_ctx;
1924 DIGEST_CTX null_dgst_ctx;
1925 size_t padding_len;
1926
1927
1928 uint8_t sig[TLS_MAX_SIGNATURE_SIZE];
1929 size_t siglen = sizeof(sig);
1930
1931 uint8_t verify_data[32];
1932 size_t verify_data_len;
1933
1934 const uint8_t *client_verify_data;
1935 size_t client_verify_data_len;
1936 size_t i;
1937
1938 uint8_t client_write_key[16];
1939 uint8_t server_write_key[16];
1940
1941 uint8_t zeros[32] = {0};
1942 uint8_t psk[32] = {0};
1943 uint8_t early_secret[32];
1944 uint8_t binder_key[32];
1945 uint8_t handshake_secret[32];
1946 uint8_t client_handshake_traffic_secret[32];
1947 uint8_t server_handshake_traffic_secret[32];
1948 uint8_t client_application_traffic_secret[32];
1949 uint8_t server_application_traffic_secret[32];
1950 uint8_t master_secret[32];
1951
1952 const uint8_t *request_context;
1953 size_t request_context_len;
1954 const uint8_t *cert_list;
1955 size_t cert_list_len;
1956 const uint8_t *cert;
1957 size_t certlen;
1958
1959
1960 int client_verify = 0;
1961 if (conn->ca_certs_len)
1962 client_verify = 1;
1963
1964
1965 // 1. Recv ClientHello
1966 tls_trace("recv ClientHello\n");
1967 if (tls_record_recv(record, &recordlen, conn->sock) != 1) {
1968 error_print();
1969 tls_send_alert(conn, TLS_alert_unexpected_message);
1970 return -1;
1971 }
1972 tls13_record_trace(stderr, record, recordlen, 0, 0);
1973 if (tls_record_get_handshake_client_hello(record,
1974 &protocol, &random,
1975 &session_id, &session_id_len, // 不支持SessionID,不做任何处理
1976 &client_ciphers, &client_ciphers_len,
1977 &client_exts, &client_exts_len) != 1) {
1978 error_print();
1979 tls_send_alert(conn, TLS_alert_unexpected_message);
1980 return -1;
1981 }
1982 if (protocol != TLS_protocol_tls12) {
1983 error_print();
1984 tls_send_alert(conn, TLS_alert_protocol_version);
1985 goto end;
1986 }
1987 memcpy(client_random, random, 32);
1988 if (tls_cipher_suites_select(client_ciphers, client_ciphers_len,
1989 server_ciphers, sizeof(server_ciphers)/sizeof(int),
1990 &conn->cipher_suite) != 1) {
1991 error_print();
1992 tls_send_alert(conn, TLS_alert_insufficient_security);
1993 goto end;
1994 }
1995 if (!client_exts) {
1996 error_print();
1997 return -1;
1998 }
1999 tls13_cipher_suite_get(conn->cipher_suite, &digest, &cipher); // 这个函数是否应该放到tls_里面?
2000 digest_init(&dgst_ctx, digest);
2001 null_dgst_ctx = dgst_ctx; // 在密钥导出函数中可能输入的消息为空,因此需要一个空的dgst_ctx,这里不对了,应该在tls13_derive_secret里面直接支持NULL!
2002 digest_update(&dgst_ctx, record + 5, recordlen - 5);
2003
2004
2005 // 2. Send ServerHello
2006 tls_trace("send ServerHello\n");
2007 rand_bytes(server_random, 32);
2008 sm2_key_generate(&server_ecdhe);
2009 if (tls13_process_client_hello_exts(client_exts, client_exts_len,
2010 &server_ecdhe, &client_ecdhe_public,
2011 server_exts, &server_exts_len, sizeof(server_exts)) != 1) {
2012 error_print();
2013 tls_send_alert(conn, TLS_alert_unexpected_message);
2014 return -1;
2015 }
2016 tls_record_set_protocol(record, TLS_protocol_tls12);
2017 if (tls_record_set_handshake_server_hello(record, &recordlen,
2018 TLS_protocol_tls12, server_random,
2019 NULL, 0, // openssl的兼容模式在ClientHello中发送SessionID并检查在ServerHello是否返回,用`-no_middlebox`可关闭兼容模式
2020 conn->cipher_suite, server_exts, server_exts_len) != 1) {
2021 error_print();
2022 tls_send_alert(conn, TLS_alert_unexpected_message);
2023 return -1;
2024 }
2025 tls13_record_trace(stderr, record, recordlen, 0, 0);
2026 if (tls_record_send(record, recordlen, conn->sock) != 1) {
2027 error_print();
2028 return -1;
2029 }
2030 digest_update(&dgst_ctx, record + 5, recordlen - 5);
2031
2032
2033 sm2_ecdh(&server_ecdhe, &client_ecdhe_public, &client_ecdhe_public);
2034 /* 1 */ tls13_hkdf_extract(digest, zeros, psk, early_secret);
2035 /* 5 */ tls13_derive_secret(early_secret, "derived", &null_dgst_ctx, handshake_secret);
2036 /* 6 */ tls13_hkdf_extract(digest, handshake_secret, (uint8_t *)&client_ecdhe_public, handshake_secret);
2037 /* 7 */ tls13_derive_secret(handshake_secret, "c hs traffic", &dgst_ctx, client_handshake_traffic_secret);
2038 /* 8 */ tls13_derive_secret(handshake_secret, "s hs traffic", &dgst_ctx, server_handshake_traffic_secret);
2039 /* 9 */ tls13_derive_secret(handshake_secret, "derived", &null_dgst_ctx, master_secret);
2040 /* 10 */ tls13_hkdf_extract(digest, master_secret, zeros, master_secret);
2041 // generate server_write_key, server_write_iv, reset server_seq_num
2042 tls13_hkdf_expand_label(digest, server_handshake_traffic_secret, "key", NULL, 0, 16, server_write_key);
2043 block_cipher_set_encrypt_key(&conn->server_write_key, cipher, server_write_key);
2044 tls13_hkdf_expand_label(digest, server_handshake_traffic_secret, "iv", NULL, 0, 12, conn->server_write_iv);
2045 memset(conn->server_seq_num, 0, 8);
2046 // generate client_write_key, client_write_iv, reset client_seq_num
2047 tls13_hkdf_expand_label(digest, client_handshake_traffic_secret, "key", NULL, 0, 16, client_write_key);
2048 block_cipher_set_encrypt_key(&conn->client_write_key, cipher, client_write_key);
2049 tls13_hkdf_expand_label(digest, client_handshake_traffic_secret, "iv", NULL, 0, 12, conn->client_write_iv);
2050 memset(conn->client_seq_num, 0, 8);
2051 /*
2052 format_print(stderr, 0, 0, "generate handshake secrets\n");
2053 format_bytes(stderr, 0, 4, "server_write_key", server_write_key, 16);
2054 format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, 12);
2055 format_bytes(stderr, 0, 4, "client_write_key", client_write_key, 16);
2056 format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
2057 format_print(stderr, 0, 0, "\n");
2058 */
2059
2060 // 3. Send {EncryptedExtensions}
2061 tls_trace("send {EncryptedExtensions}\n");
2062 tls_record_set_protocol(record, TLS_protocol_tls12);
2063 tls13_record_set_handshake_encrypted_extensions(record, &recordlen);
2064 tls13_record_trace(stderr, record, recordlen, 0, 0);
2065 tls13_padding_len_rand(&padding_len);
2066 if (tls13_record_encrypt(&conn->server_write_key, conn->server_write_iv,
2067 conn->server_seq_num, record, recordlen, padding_len,
2068 enced_record, &enced_recordlen) != 1) {
2069 error_print();
2070 tls_send_alert(conn, TLS_alert_internal_error);
2071 return -1;
2072 }
2073 // FIXME: tls13_record_encrypt需要支持握手消息
2074 // tls_record_data(enced_record)[0] = TLS_handshake_encrypted_extensions;
2075 if (tls_record_send(enced_record, enced_recordlen, conn->sock) != 1) {
2076 error_print();
2077 return -1;
2078 }
2079 digest_update(&dgst_ctx, record + 5, recordlen - 5);
2080 tls_seq_num_incr(conn->server_seq_num);
2081
2082
2083 // send {CertificateRequest*}
2084 if (client_verify) {
2085 tls_trace("send {CertificateRequest*}\n");
2086
2087 // TODO: 设置certificate_request中的extensions!
2088 if (tls13_record_set_handshake_certificate_request_default(record, &recordlen) != 1) {
2089 error_print();
2090 tls_send_alert(conn, TLS_alert_internal_error);
2091 return -1;
2092 }
2093 tls13_record_trace(stderr, record, recordlen, 0, 0);
2094 tls13_padding_len_rand(&padding_len);
2095 if (tls13_record_encrypt(&conn->server_write_key, conn->server_write_iv,
2096 conn->server_seq_num, record, recordlen, padding_len,
2097 enced_record, &enced_recordlen) != 1) {
2098 error_print();
2099 tls_send_alert(conn, TLS_alert_internal_error);
2100 return -1;
2101 }
2102 if (tls_record_send(enced_record, enced_recordlen, conn->sock) != 1) {
2103 error_print();
2104 return -1;
2105 }
2106 digest_update(&dgst_ctx, record + 5, recordlen - 5);
2107 tls_seq_num_incr(conn->server_seq_num);
2108 }
2109
2110 // send Server {Certificate}
2111 tls_trace("send {Certificate}\n");
2112 if (tls13_record_set_handshake_certificate(record, &recordlen, NULL, 0, conn->server_certs, conn->server_certs_len) != 1) {
2113 error_print();
2114 tls_send_alert(conn, TLS_alert_internal_error);
2115 goto end;
2116 }
2117 tls13_record_trace(stderr, record, recordlen, 0, 0);
2118 tls13_padding_len_rand(&padding_len);
2119 if (tls13_record_encrypt(&conn->server_write_key, conn->server_write_iv,
2120 conn->server_seq_num, record, recordlen, padding_len,
2121 enced_record, &enced_recordlen) != 1) {
2122 error_print();
2123 tls_send_alert(conn, TLS_alert_internal_error);
2124 goto end;
2125 }
2126 if (tls_record_send(enced_record, enced_recordlen, conn->sock) != 1) {
2127 error_print();
2128 goto end;
2129 }
2130 digest_update(&dgst_ctx, record + 5, recordlen - 5);
2131 tls_seq_num_incr(conn->server_seq_num);
2132
2133
2134 // send Server {CertificateVerify}
2135 tls_trace("send {CertificateVerify}\n");
2136 tls13_sign_certificate_verify(TLS_server_mode, &conn->sign_key, TLS13_SM2_ID, TLS13_SM2_ID_LENGTH, &dgst_ctx, sig, &siglen);
2137 if (tls13_record_set_handshake_certificate_verify(record, &recordlen,
2138 TLS_sig_sm2sig_sm3, sig, siglen) != 1) {
2139 error_print();
2140 tls_send_alert(conn, TLS_alert_internal_error);
2141 goto end;
2142 }
2143 tls13_record_trace(stderr, record, recordlen, 0, 0);
2144 tls13_padding_len_rand(&padding_len);
2145 if (tls13_record_encrypt(&conn->server_write_key, conn->server_write_iv,
2146 conn->server_seq_num, record, recordlen, padding_len,
2147 enced_record, &enced_recordlen) != 1) {
2148 error_print();
2149 tls_send_alert(conn, TLS_alert_internal_error);
2150 goto end;
2151 }
2152 if (tls_record_send(enced_record, enced_recordlen, conn->sock) != 1) {
2153 error_print();
2154 goto end;
2155 }
2156 digest_update(&dgst_ctx, record + 5, recordlen - 5);
2157 tls_seq_num_incr(conn->server_seq_num);
2158
2159
2160 // Send Server {Finished}
2161 tls_trace("send {Finished}\n");
2162
2163 // compute server verify_data before digest_update()
2164 tls13_compute_verify_data(server_handshake_traffic_secret,
2165 &dgst_ctx, verify_data, &verify_data_len);
2166 if (tls13_record_set_handshake_finished(record, &recordlen, verify_data, verify_data_len) != 1) {
2167 error_print();
2168 tls_send_alert(conn, TLS_alert_internal_error);
2169 goto end;
2170 }
2171 tls13_record_trace(stderr, record, recordlen, 0, 0);
2172 tls13_padding_len_rand(&padding_len);
2173 if (tls13_record_encrypt(&conn->server_write_key, conn->server_write_iv,
2174 conn->server_seq_num, record, recordlen, padding_len,
2175 enced_record, &enced_recordlen) != 1) {
2176 error_print();
2177 tls_send_alert(conn, TLS_alert_internal_error);
2178 goto end;
2179 }
2180 if (tls_record_send(enced_record, enced_recordlen, conn->sock) != 1) {
2181 error_print();
2182 goto end;
2183 }
2184 digest_update(&dgst_ctx, record + 5, recordlen - 5);
2185 tls_seq_num_incr(conn->server_seq_num);
2186
2187 // generate server_application_traffic_secret
2188 /* 12 */ tls13_derive_secret(master_secret, "s ap traffic", &dgst_ctx, server_application_traffic_secret);
2189 // Generate client_application_traffic_secret
2190 /* 11 */ tls13_derive_secret(master_secret, "c ap traffic", &dgst_ctx, client_application_traffic_secret);
2191 // 因为后面还要解密握手消息,因此client application key, iv 等到握手结束之后再更新
2192
2193 // Recv Client {Certificate*}
2194 if (client_verify) {
2195 tls_trace("recv {Certificate*}\n");
2196 if (tls_record_recv(enced_record, &enced_recordlen, conn->sock) != 1) {
2197 error_print();
2198 tls_send_alert(conn, TLS_alert_unexpected_message);
2199 return -1;
2200 }
2201 if (tls13_record_decrypt(&conn->client_write_key, conn->client_write_iv,
2202 conn->client_seq_num, enced_record, enced_recordlen,
2203 record, &recordlen) != 1) {
2204 error_print();
2205 tls_send_alert(conn, TLS_alert_bad_record_mac);
2206 return -1;
2207 }
2208 tls13_record_trace(stderr, record, recordlen, 0, 0);
2209
2210 if (tls13_record_get_handshake_certificate(record,
2211 &request_context, &request_context_len,
2212 &cert_list, &cert_list_len) != 1) {
2213 error_print();
2214 tls_send_alert(conn, TLS_alert_unexpected_message);
2215 return -1;
2216 }
2217 if (tls13_process_certificate_list(cert_list, cert_list_len, conn->client_certs, &conn->client_certs_len) != 1) {
2218 error_print();
2219 tls_send_alert(conn, TLS_alert_unexpected_message);
2220 return -1;
2221 }
2222 if (x509_certs_get_cert_by_index(conn->client_certs, conn->client_certs_len, 0, &cert, &certlen) != 1) {
2223 error_print();
2224 tls_send_alert(conn, TLS_alert_unexpected_message);
2225 return -1;
2226 }
2227 if (x509_cert_get_subject_public_key(cert, certlen, &client_sign_key) != 1) {
2228 error_print();
2229 tls_send_alert(conn, TLS_alert_unexpected_message);
2230 return -1;
2231 }
2232 digest_update(&dgst_ctx, record + 5, recordlen - 5);
2233 tls_seq_num_incr(conn->client_seq_num);
2234 }
2235
2236 // Recv client {CertificateVerify*}
2237 if (client_verify) {
2238 int client_sign_algor;
2239 const uint8_t *client_sig;
2240 size_t client_siglen;
2241
2242 tls_trace("recv Client {CertificateVerify*}\n");
2243 if (tls_record_recv(enced_record, &enced_recordlen, conn->sock) != 1) {
2244 error_print();
2245 tls_send_alert(conn, TLS_alert_unexpected_message);
2246 return -1;
2247 }
2248 if (tls13_record_decrypt(&conn->client_write_key, conn->client_write_iv,
2249 conn->client_seq_num, enced_record, enced_recordlen, record, &recordlen) != 1) {
2250 error_print();
2251 tls_send_alert(conn, TLS_alert_bad_record_mac);
2252 return -1;
2253 }
2254 tls13_record_trace(stderr, record, recordlen, 0, 0);
2255
2256 if (tls13_record_get_handshake_certificate_verify(record, &client_sign_algor, &client_sig, &client_siglen) != 1) {
2257 error_print();
2258 tls_send_alert(conn, TLS_alert_unexpected_message);
2259 return -1;
2260 }
2261 if (tls13_verify_certificate_verify(TLS_client_mode, &client_sign_key, TLS13_SM2_ID, TLS13_SM2_ID_LENGTH, &dgst_ctx, client_sig, client_siglen) != 1) {
2262 error_print();
2263 tls_send_alert(conn, TLS_alert_decrypt_error);
2264 return -1;
2265 }
2266 digest_update(&dgst_ctx, record + 5, recordlen - 5);
2267 tls_seq_num_incr(conn->client_seq_num);
2268 }
2269
2270 // 12. Recv Client {Finished}
2271
2272 tls_trace("recv {Finished}\n");
2273 if (tls_record_recv(enced_record, &enced_recordlen, conn->sock) != 1) {
2274 error_print();
2275 tls_send_alert(conn, TLS_alert_unexpected_message);
2276 return -1;
2277 }
2278 if (tls13_record_decrypt(&conn->client_write_key, conn->client_write_iv,
2279 conn->client_seq_num, enced_record, enced_recordlen,
2280 record, &recordlen) != 1) {
2281 error_print();
2282 tls_send_alert(conn, TLS_alert_bad_record_mac);
2283 return -1;
2284 }
2285 tls13_record_trace(stderr, record, recordlen, 0, 0);
2286 if (tls13_record_get_handshake_finished(record, &client_verify_data, &client_verify_data_len) != 1) {
2287 error_print();
2288 tls_send_alert(conn, TLS_alert_unexpected_message);
2289 return -1;
2290 }
2291 if (tls13_compute_verify_data(client_handshake_traffic_secret, &dgst_ctx, verify_data, &verify_data_len) != 1) {
2292 error_print();
2293 tls_send_alert(conn, TLS_alert_internal_error);
2294 return -1;
2295 }
2296 if (client_verify_data_len != verify_data_len
2297 || memcmp(client_verify_data, verify_data, verify_data_len) != 0) {
2298 error_print();
2299 tls_send_alert(conn, TLS_alert_bad_record_mac);
2300 return -1;
2301 }
2302 digest_update(&dgst_ctx, record + 5, recordlen - 5);
2303 tls_seq_num_incr(conn->client_seq_num);
2304
2305
2306 // 注意:OpenSSL兼容模式在此处会收发ChangeCipherSpec报文
2307
2308
2309 // update server_write_key, server_write_iv, reset server_seq_num
2310 tls13_hkdf_expand_label(digest, server_application_traffic_secret, "key", NULL, 0, 16, server_write_key);
2311 tls13_hkdf_expand_label(digest, server_application_traffic_secret, "iv", NULL, 0, 12, conn->server_write_iv);
2312 block_cipher_set_encrypt_key(&conn->server_write_key, cipher, server_write_key);
2313 memset(conn->server_seq_num, 0, 8);
2314 /*
2315 format_print(stderr, 0, 0, "update server secrets\n");
2316 format_bytes(stderr, 0, 4, "server_write_key", server_write_key, 16);
2317 format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, 12);
2318 format_print(stderr, 0, 0, "\n");
2319 */
2320
2321 // update client_write_key, client_write_iv
2322 // reset client_seq_num
2323 tls13_hkdf_expand_label(digest, client_application_traffic_secret, "key", NULL, 0, 16, client_write_key);
2324 tls13_hkdf_expand_label(digest, client_application_traffic_secret, "iv", NULL, 0, 12, conn->client_write_iv);
2325 block_cipher_set_encrypt_key(&conn->client_write_key, cipher, client_write_key);
2326 memset(conn->client_seq_num, 0, 8);
2327 /*
2328 format_print(stderr, 0, 0, "update client secrets\n");
2329 format_bytes(stderr, 0, 4, "client_write_key", client_write_key, 16);
2330 format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
2331 format_print(stderr, 0, 0, "\n");
2332 */
2333
2334 fprintf(stderr, "Connection Established!\n\n");
2335
2336 end:
2337 return 1;
2338 }
2339