Support tls1.3 and ShangMi cipher suit

Author: ZBCccc

ctx.go

@@ -76,11 +76,12 @@ func newCtx(method *C.SSL_METHOD) (*Ctx, error) {
 type SSLVersion int
 
 const (
-	SSLv3   SSLVersion = 0x02 // Vulnerable to "POODLE" attack.
-	TLSv1   SSLVersion = 0x03
-	TLSv1_1 SSLVersion = 0x04
-	TLSv1_2 SSLVersion = 0x05
-	NTLS    SSLVersion = 0x06
+	SSLv3   SSLVersion = 0x0300 // Vulnerable to "POODLE" attack.
+	TLSv1   SSLVersion = 0x0301
+	TLSv1_1 SSLVersion = 0x0302
+	TLSv1_2 SSLVersion = 0x0303
+	TLSv1_3 SSLVersion = 0x0304
+	NTLS    SSLVersion = 0x0101
 
 	// AnyVersion Make sure to disable SSLv2 and SSLv3 if you use this. SSLv3 is vulnerable
 	// to the "POODLE" attack, and SSLv2 is what, just don't even.
@@ -92,20 +93,11 @@ const (
 func NewCtxWithVersion(version SSLVersion) (*Ctx, error) {
 	var enableNTLS bool
 	var method *C.SSL_METHOD
-	switch version {
-	case SSLv3:
-		method = C.X_SSLv3_method()
-	case TLSv1:
-		method = C.X_TLSv1_method()
-	case TLSv1_1:
-		method = C.X_TLSv1_1_method()
-	case TLSv1_2:
-		method = C.X_TLSv1_2_method()
-	case NTLS:
+	if version == NTLS {
 		method = C.X_NTLS_method()
 		enableNTLS = true
-	case AnyVersion:
-		method = C.X_SSLv23_method()
+	} else {
+		method = C.TLS_method()
 	}
 	if method == nil {
 		return nil, errors.New("unknown ssl/tls version")
@@ -118,6 +110,12 @@ func NewCtxWithVersion(version SSLVersion) (*Ctx, error) {
 
 	if enableNTLS {
 		C.X_SSL_CTX_enable_ntls(c.ctx)
+	} else if version == AnyVersion {
+		C.X_SSL_CTX_set_min_proto_version(c.ctx, C.int(TLSv1))
+		C.X_SSL_CTX_set_max_proto_version(c.ctx, C.int(TLSv1_3))
+	} else {
+		C.X_SSL_CTX_set_min_proto_version(c.ctx, C.int(version))
+		C.X_SSL_CTX_set_max_proto_version(c.ctx, C.int(version))
 	}
 
 	return c, nil
@@ -646,14 +644,29 @@ func (c *Ctx) SetSessionId(session_id []byte) error {
 func (c *Ctx) SetCipherList(list string) error {
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()
+
 	clist := C.CString(list)
 	defer C.free(unsafe.Pointer(clist))
+
 	if int(C.SSL_CTX_set_cipher_list(c.ctx, clist)) == 0 {
 		return crypto.ErrorFromErrorQueue()
 	}
 	return nil
 }
 
+func (c *Ctx) SetCipherSuites(suites string) error {
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	csuits := C.CString(suites)
+	defer C.free(unsafe.Pointer(csuits))
+
+	if int(C.SSL_CTX_set_ciphersuites(c.ctx, csuits)) == 0 {
+		return crypto.ErrorFromErrorQueue()
+	}
+	return nil
+}
+
 type SessionCacheModes int
 
 const (

examples/tlcp_client/main.go

@@ -28,7 +28,7 @@ func main() {
 	connAddr := ""
 	serverName := ""
 	alpnProtocols := []string{"h2", "http/1.1"}
-
+	tlsVersion := ""
 	flag.StringVar(&connAddr, "conn", "127.0.0.1:4438", "host:port")
 	flag.StringVar(&cipherSuite, "cipher", "ECC-SM2-SM4-CBC-SM3", "cipher suite")
 	flag.StringVar(&signCertFile, "sign_cert", "test/certs/sm2/client_sign.crt", "sign certificate file")
@@ -38,12 +38,27 @@ func main() {
 	flag.StringVar(&caFile, "CAfile", "test/certs/sm2/chain-ca.crt", "CA certificate file")
 	flag.StringVar(&serverName, "servername", "", "server name")
 	flag.Var((*stringSlice)(&alpnProtocols), "alpn", "ALPN protocols")
-
+	flag.StringVar(&tlsVersion, "version", "NTLS", "TLS version")
 	flag.Parse()
 
-	ctx, err := ts.NewCtxWithVersion(ts.NTLS)
+	var version ts.SSLVersion
+	switch tlsVersion {
+	case "TLSv1.3":
+		version = ts.TLSv1_3
+	case "TLSv1.2":
+		version = ts.TLSv1_2
+	case "TLSv1.1":
+		version = ts.TLSv1_1
+	case "TLSv1":
+		version = ts.TLSv1
+	case "NTLS":
+		version = ts.NTLS
+	default:
+		version = ts.NTLS
+	}
+	ctx, err := ts.NewCtxWithVersion(version)
 	if err != nil {
-		panic(err)
+		panic("NewCtxWithVersion failed: " + err.Error())
 	}
 
 	if err := ctx.SetClientALPNProtos(alpnProtocols); err != nil {
@@ -123,7 +138,7 @@ func main() {
 
 	conn, err := ts.Dial("tcp", connAddr, ctx, ts.InsecureSkipHostVerification, serverName)
 	if err != nil {
-		panic(err)
+		panic("connected failed" + err.Error())
 	}
 	defer conn.Close()
 

examples/tlcp_server/main.go

@@ -11,13 +11,14 @@ import (
 	"bufio"
 	"flag"
 	"fmt"
-	ts "github.com/tongsuo-project/tongsuo-go-sdk"
-	"github.com/tongsuo-project/tongsuo-go-sdk/crypto"
 	"log"
 	"net"
 	"os"
 	"path/filepath"
 	"strings"
+
+	ts "github.com/tongsuo-project/tongsuo-go-sdk"
+	"github.com/tongsuo-project/tongsuo-go-sdk/crypto"
 )
 
 func ReadCertificateFiles(dirPath string) (map[string]crypto.GMDoubleCertKey, error) {
@@ -89,14 +90,33 @@ func handleConn(conn net.Conn) {
 	log.Println("Close connection")
 }
 
-func newNTLSServer(acceptAddr string, certKeyPairs map[string]crypto.GMDoubleCertKey, cafile string, alpnProtocols []string) (net.Listener, error) {
-
-	ctx, err := ts.NewCtxWithVersion(ts.NTLS)
+func newTLSServer(acceptAddr string, certKeyPairs map[string]crypto.GMDoubleCertKey, cafile string, alpnProtocols []string, tlsVersion string) (net.Listener, error) {
+	var version ts.SSLVersion
+	switch tlsVersion {
+	case "TLSv1.3":
+		version = ts.TLSv1_3
+	case "TLSv1.2":
+		version = ts.TLSv1_2
+	case "TLSv1.1":
+		version = ts.TLSv1_1
+	case "TLSv1":
+		version = ts.TLSv1
+	case "NTLS":
+		version = ts.NTLS
+	default:
+		version = ts.TLSv1_3
+	}
+	ctx, err := ts.NewCtxWithVersion(version)
 	if err != nil {
 		log.Println(err)
 		return nil, err
 	}
 
+	err = ctx.SetCipherList("ECC-SM2-SM4-CBC-SM3")
+	if err != nil {
+		return nil, err
+	}
+
 	if err := ctx.LoadVerifyLocations(cafile, ""); err != nil {
 		log.Println(err)
 		return nil, err
@@ -286,6 +306,7 @@ func main() {
 	caFile := ""
 	acceptAddr := ""
 	alpnProtocols := []string{"h2", "http/1.1"}
+	tlsVersion := ""
 
 	flag.StringVar(&acceptAddr, "accept", "127.0.0.1:4438", "host:port")
 	flag.StringVar(&signCertFile, "sign_cert", "test/certs/sm2/server_sign.crt", "sign certificate file")
@@ -294,7 +315,7 @@ func main() {
 	flag.StringVar(&encKeyFile, "enc_key", "test/certs/sm2/server_enc.key", "encrypt private key file")
 	flag.StringVar(&caFile, "CAfile", "test/certs/sm2/chain-ca.crt", "CA certificate file")
 	flag.Var((*stringSlice)(&alpnProtocols), "alpn", "ALPN protocols")
-
+	flag.StringVar(&tlsVersion, "version", "NTLS", "TLS version")
 	flag.Parse()
 
 	certFiles, err := ReadCertificateFiles("test/sni_certs")
@@ -303,7 +324,7 @@ func main() {
 		return
 	}
 
-	server, err := newNTLSServer(acceptAddr, certFiles, caFile, alpnProtocols)
+	server, err := newTLSServer(acceptAddr, certFiles, caFile, alpnProtocols, tlsVersion)
 	if err != nil {
 		return
 	}