Support TLSv1.3 and ShangMi Ciphersuites.

Tongsuo-Project · Oct 10, 2024 · df80e34 · df80e34
1 parent 72a24dd
commit df80e34
Show file tree

Hide file tree

Showing 2 changed files with 120 additions and 64 deletions.
diff --git a/examples/tlcp_client/main.go b/examples/tlcp_client/main.go
@@ -18,6 +18,8 @@ import (
 	"github.com/tongsuo-project/tongsuo-go-sdk/crypto"
 )
 
+var cipherSuites = ""
+
 func main() {
 	cipherSuite := ""
 	signCertFile := ""
@@ -29,6 +31,7 @@ func main() {
 	serverName := ""
 	alpnProtocols := []string{"h2", "http/1.1"}
 	tlsVersion := ""
+
 	flag.StringVar(&connAddr, "conn", "127.0.0.1:4438", "host:port")
 	flag.StringVar(&cipherSuite, "cipher", "ECC-SM2-SM4-CBC-SM3", "cipher suite")
 	flag.StringVar(&signCertFile, "sign_cert", "test/certs/sm2/client_sign.crt", "sign certificate file")
@@ -39,6 +42,7 @@ func main() {
 	flag.StringVar(&serverName, "servername", "", "server name")
 	flag.Var((*stringSlice)(&alpnProtocols), "alpn", "ALPN protocols")
 	flag.StringVar(&tlsVersion, "version", "NTLS", "TLS version")
+	flag.StringVar(&cipherSuites, "ciphersuites", "ECC-SM2-SM4-CBC-SM3", "cipherSuites")
 	flag.Parse()
 
 	var version ts.SSLVersion
@@ -65,74 +69,79 @@ func main() {
 		panic(err)
 	}
 
-	if err := ctx.SetCipherList(cipherSuite); err != nil {
-		panic(err)
-	}
-
-	if signCertFile != "" {
-		signCertPEM, err := os.ReadFile(signCertFile)
-		if err != nil {
-			panic(err)
-		}
-		signCert, err := crypto.LoadCertificateFromPEM(signCertPEM)
-		if err != nil {
+	if cipherSuites == "TLS_SM4_GCM_SM3" || cipherSuites == "TLS_SM4_CCM_SM3" {
+		if err := ctx.SetCipherSuites(cipherSuites); err != nil {
 			panic(err)
 		}
-
-		if err := ctx.UseSignCertificate(signCert); err != nil {
-			panic(err)
-		}
-	}
-
-	if signKeyFile != "" {
-		signKeyPEM, err := os.ReadFile(signKeyFile)
-		if err != nil {
-			panic(err)
-		}
-		signKey, err := crypto.LoadPrivateKeyFromPEM(signKeyPEM)
-		if err != nil {
+	} else {
+		if err := ctx.SetCipherList(cipherSuites); err != nil {
 			panic(err)
 		}
-
-		if err := ctx.UseSignPrivateKey(signKey); err != nil {
-			panic(err)
+		if signCertFile != "" {
+			signCertPEM, err := os.ReadFile(signCertFile)
+			if err != nil {
+				panic(err)
+			}
+			signCert, err := crypto.LoadCertificateFromPEM(signCertPEM)
+			if err != nil {
+				panic(err)
+			}
+
+			if err := ctx.UseSignCertificate(signCert); err != nil {
+				panic(err)
+			}
 		}
-	}
 
-	if encCertFile != "" {
-		encCertPEM, err := os.ReadFile(encCertFile)
-		if err != nil {
-			panic(err)
-		}
-		encCert, err := crypto.LoadCertificateFromPEM(encCertPEM)
-		if err != nil {
-			panic(err)
+		if signKeyFile != "" {
+			signKeyPEM, err := os.ReadFile(signKeyFile)
+			if err != nil {
+				panic(err)
+			}
+			signKey, err := crypto.LoadPrivateKeyFromPEM(signKeyPEM)
+			if err != nil {
+				panic(err)
+			}
+
+			if err := ctx.UseSignPrivateKey(signKey); err != nil {
+				panic(err)
+			}
 		}
 
-		if err := ctx.UseEncryptCertificate(encCert); err != nil {
-			panic(err)
+		if encCertFile != "" {
+			encCertPEM, err := os.ReadFile(encCertFile)
+			if err != nil {
+				panic(err)
+			}
+			encCert, err := crypto.LoadCertificateFromPEM(encCertPEM)
+			if err != nil {
+				panic(err)
+			}
+
+			if err := ctx.UseEncryptCertificate(encCert); err != nil {
+				panic(err)
+			}
 		}
-	}
 
-	if encKeyFile != "" {
-		encKeyPEM, err := os.ReadFile(encKeyFile)
-		if err != nil {
-			panic(err)
-		}
+		if encKeyFile != "" {
+			encKeyPEM, err := os.ReadFile(encKeyFile)
+			if err != nil {
+				panic(err)
+			}
 
-		encKey, err := crypto.LoadPrivateKeyFromPEM(encKeyPEM)
-		if err != nil {
-			panic(err)
-		}
+			encKey, err := crypto.LoadPrivateKeyFromPEM(encKeyPEM)
+			if err != nil {
+				panic(err)
+			}
 
-		if err := ctx.UseEncryptPrivateKey(encKey); err != nil {
-			panic(err)
+			if err := ctx.UseEncryptPrivateKey(encKey); err != nil {
+				panic(err)
+			}
 		}
-	}
 
-	if caFile != "" {
-		if err := ctx.LoadVerifyLocations(caFile, ""); err != nil {
-			panic(err)
+		if caFile != "" {
+			if err := ctx.LoadVerifyLocations(caFile, ""); err != nil {
+				panic(err)
+			}
 		}
 	}
 

diff --git a/examples/tlcp_server/main.go b/examples/tlcp_server/main.go
@@ -21,6 +21,12 @@ import (
 	"github.com/tongsuo-project/tongsuo-go-sdk/crypto"
 )
 
+var (
+	cipherSuites = ""
+	cert         = ""
+	key          = ""
+)
+
 func ReadCertificateFiles(dirPath string) (map[string]crypto.GMDoubleCertKey, error) {
 	certFiles := make(map[string]crypto.GMDoubleCertKey)
 
@@ -112,9 +118,54 @@ func newTLSServer(acceptAddr string, certKeyPairs map[string]crypto.GMDoubleCert
 		return nil, err
 	}
 
-	err = ctx.SetCipherList("ECC-SM2-SM4-CBC-SM3")
-	if err != nil {
-		return nil, err
+	if cipherSuites == "TLS_SM4_GCM_SM3" || cipherSuites == "TLS_SM4_CCM_SM3" {
+		if err := ctx.SetCipherSuites(cipherSuites); err != nil {
+			return nil, err
+		}
+		// Load a default certificate and key for TLSv1.3
+		certPEM, err := os.ReadFile(filepath.Join(cert))
+		if err != nil {
+			log.Println(err)
+			return nil, err
+		}
+
+		cert, err := crypto.LoadCertificateFromPEM(certPEM)
+		if err != nil {
+			log.Println(err)
+			return nil, err
+		}
+
+		if err := ctx.UseCertificate(cert); err != nil {
+			log.Println(err)
+			return nil, err
+		}
+
+		keyPEM, err := os.ReadFile(filepath.Join(key))
+		if err != nil {
+			log.Println(err)
+			return nil, err
+		}
+
+		key, err := crypto.LoadPrivateKeyFromPEM(keyPEM)
+		if err != nil {
+			log.Println(err)
+			return nil, err
+		}
+
+		if err := ctx.UsePrivateKey(key); err != nil {
+			log.Println(err)
+			return nil, err
+		}
+	} else {
+		if err := ctx.SetCipherList(cipherSuites); err != nil {
+			return nil, err
+		}
+		// Load a default certificate and key
+		defaultCertKeyPair := certKeyPairs["default"]
+		if err := loadCertAndKey(ctx, defaultCertKeyPair); err != nil {
+			log.Println(err)
+			return nil, err
+		}
 	}
 
 	if err := ctx.LoadVerifyLocations(cafile, ""); err != nil {
@@ -143,13 +194,6 @@ func newTLSServer(acceptAddr string, certKeyPairs map[string]crypto.GMDoubleCert
 		return ts.SSLTLSExtErrOK
 	})
 
-	// Load a default certificate and key
-	defaultCertKeyPair := certKeyPairs["default"]
-	if err := loadCertAndKey(ctx, defaultCertKeyPair); err != nil {
-		log.Println(err)
-		return nil, err
-	}
-
 	// Listen for incoming connections
 	lis, err := ts.Listen("tcp", acceptAddr, ctx)
 	if err != nil {
@@ -316,6 +360,9 @@ func main() {
 	flag.StringVar(&caFile, "CAfile", "test/certs/sm2/chain-ca.crt", "CA certificate file")
 	flag.Var((*stringSlice)(&alpnProtocols), "alpn", "ALPN protocols")
 	flag.StringVar(&tlsVersion, "version", "NTLS", "TLS version")
+	flag.StringVar(&cipherSuites, "ciphersuites", "ECC-SM2-SM4-CBC-SM3", "cipherSuites")
+	flag.StringVar(&cert, "cert", "test/certs/sm2-cert.pem", "certificate file")
+	flag.StringVar(&key, "key", "test/certs/sm2.key", "private key file")
 	flag.Parse()
 
 	certFiles, err := ReadCertificateFiles("test/sni_certs")