Support tls1.3 and ShangMi cipher suit

Tongsuo-Project · Oct 10, 2024 · 1387544 · 1387544
1 parent 1f31285
commit 1387544
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 53 deletions.
diff --git a/ctx.go b/ctx.go
@@ -81,7 +81,7 @@ const (
 	TLSv1_1 SSLVersion = 0x0302
 	TLSv1_2 SSLVersion = 0x0303
 	TLSv1_3 SSLVersion = 0x0304
-	NTLS    SSLVersion = 0x07
+	NTLS    SSLVersion = 0x0101
 
 	// AnyVersion Make sure to disable SSLv2 and SSLv3 if you use this. SSLv3 is vulnerable
 	// to the "POODLE" attack, and SSLv2 is what, just don't even.
@@ -644,8 +644,10 @@ func (c *Ctx) SetSessionId(session_id []byte) error {
 func (c *Ctx) SetCipherList(list string) error {
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()
+
 	clist := C.CString(list)
 	defer C.free(unsafe.Pointer(clist))
+
 	if int(C.SSL_CTX_set_cipher_list(c.ctx, clist)) == 0 {
 		return crypto.ErrorFromErrorQueue()
 	}
@@ -655,8 +657,10 @@ func (c *Ctx) SetCipherList(list string) error {
 func (c *Ctx) SetCipherSuites(suites string) error {
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()
+
 	csuits := C.CString(suites)
 	defer C.free(unsafe.Pointer(csuits))
+
 	if int(C.SSL_CTX_set_ciphersuites(c.ctx, csuits)) == 0 {
 		return crypto.ErrorFromErrorQueue()
 	}

diff --git a/ntls_test.go b/ntls_test.go
@@ -19,6 +19,7 @@ const (
 	ECCSM2Cipher   = "ECC-SM2-WITH-SM4-SM3"
 	ECDHESM2Cipher = "ECDHE-SM2-WITH-SM4-SM3"
 	TLSSMGCMCipher = "TLS_SM4_GCM_SM3"
+	TLSSMCCMCipher = "TLS_SM4_CCM_SM3"
 	internalServer = true
 	enableSNI      = true
 
@@ -1444,65 +1445,71 @@ func newTLS13Server(t *testing.T, testDir string, options ...func(sslctx *Ctx) e
 }
 
 func TestTLSv13SMCipher(t *testing.T) {
-	cipher := TLSSMGCMCipher
+	ciphers := []string{
+		TLSSMGCMCipher,
+		TLSSMCCMCipher,
+	}
 	testCertDir := "test/certs"
 
-	// Run server
-	server, err := newTLSv13SMCipherServer(t, testCertDir, func(sslctx *Ctx) error {
-		return sslctx.SetCipherSuites(cipher)
-	})
-	if err != nil {
-		t.Error(err)
-		return
-	}
+	for _, cipher := range ciphers {
+		t.Run(cipher, func(t *testing.T) {
+			// Run server
+			server, err := newTLSv13SMCipherServer(t, testCertDir, func(sslctx *Ctx) error {
+				return sslctx.SetCipherSuites(cipher)
+			})
+			if err != nil {
+				t.Error(err)
+				return
+			}
 
-	defer server.Close()
-	go server.Run()
+			defer server.Close()
+			go server.Run()
 
-	// Run client
-	ctx, err := NewCtxWithVersion(TLSv1_3)
-	if err != nil {
-		t.Error(err)
-		return
-	}
+			// Run client
+			ctx, err := NewCtxWithVersion(TLSv1_3)
+			if err != nil {
+				t.Error(err)
+				return
+			}
 
-	if err := ctx.SetCipherSuites(cipher); err != nil {
-		t.Error(err)
-		return
-	}
+			if err := ctx.SetCipherSuites(cipher); err != nil {
+				t.Error(err)
+				return
+			}
 
-	conn, err := DialSession("tcp", "127.0.0.1:4433", ctx, InsecureSkipHostVerification, nil, "")
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	defer conn.Close()
+			conn, err := Dial("tcp", "127.0.0.1:4433", ctx, InsecureSkipHostVerification, "")
+			if err != nil {
+				t.Error(err)
+				return
+			}
+			defer conn.Close()
 
-	cipher, err = conn.CurrentCipher()
-	if err != nil {
-		t.Error(err)
-		return
-	}
+			cipher, err = conn.CurrentCipher()
+			if err != nil {
+				t.Error(err)
+				return
+			}
 
-	t.Log("current cipher", cipher)
+			t.Log("current cipher", cipher)
 
-	request := "hello tongsuo\n"
-	if _, err := conn.Write([]byte(request)); err != nil {
-		t.Error(err)
-		return
-	}
+			request := "hello tongsuo\n"
+			if _, err := conn.Write([]byte(request)); err != nil {
+				t.Error(err)
+				return
+			}
 
-	resp, err := bufio.NewReader(conn).ReadString('\n')
-	if err != nil {
-		t.Error(err)
-		return
-	}
+			resp, err := bufio.NewReader(conn).ReadString('\n')
+			if err != nil {
+				t.Error(err)
+				return
+			}
 
-	if resp != request {
-		t.Error("response data is not expected: ", resp)
-		return
+			if resp != request {
+				t.Error("response data is not expected: ", resp)
+				return
+			}
+		})
 	}
-
 }
 
 func newTLSv13SMCipherServer(t *testing.T, testDir string, options ...func(sslctx *Ctx) error) (*echoServer, error) {

diff --git a/shim.h b/shim.h
@@ -87,11 +87,6 @@ extern int X_SSL_CTX_ticket_key_cb(SSL *s, unsigned char key_name[16],
         EVP_CIPHER_CTX *cctx, HMAC_CTX *hctx, int enc);
 extern int X_SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
 extern int X_SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
-extern const int SSLv3_VERSION;
-extern const int TLSv1_VERSION;
-extern const int TLSv1_1_VERSION;
-extern const int TLSv1_2_VERSION;
-extern const int TLSv1_3_VERSION;
 
 extern int X_X509_add_ref(X509* x509);
 extern int X_sk_X509_num(STACK_OF(X509) *sk);