Git Product home page Git Product logo

tongsuo-project / tongsuo Goto Github PK

View Code? Open in Web Editor NEW
1.1K 1.1K 177.0 46.61 MB

铜锁/Tongsuo is a Modern Cryptographic Primitives and Protocols Library

Home Page: https://www.tongsuo.net

License: Apache License 2.0

Perl 20.97% C 78.08% C++ 0.14% Shell 0.16% Assembly 0.42% M4 0.16% eC 0.03% Python 0.01% Dockerfile 0.01% Raku 0.01% Pawn 0.02% SourcePawn 0.01%
chinese-ciphers cryptography pki security tls

tongsuo's People

Contributors

arche8 avatar daipingh avatar daniel-hu-arm avatar dongbeiouba avatar fullyrobert avatar fury-fox avatar hustliyilin avatar infohunter avatar naghaabirami avatar sunny0826 avatar t8m avatar uudiin avatar vtrus avatar wa5i avatar zh-jq avatar zh-jq-b avatar zhsnew avatar zorrorffm avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

ssrwwy xuming0960 infohunter neo-zk anyiniov heshouyong hustliyilin ilibx galfw elitetony acp6 liweitianux auvkone linqigang888 easycoderwei daksan innas guozhidixian kangyupeng wa5i bm-awake tangxiao187 wusy1991 abyzsin apython123 xutao323 0x9527-zhou hk520570 izouxv dongbinghua dongjiang1989 xshandow sizaif zhangli344236745 zzl360 wikijone deedeewood luhuiguo jeff14994 b-xiang lipz31 liuguohua-cn rnshah9 27954741 huihh pangbit joshua-liu leapoo daipingh guozhengit shawn06053324 alexsmind tianyuanzhangnb taikulawo yangboyd yangyangtiantianlonglong xuming shuaiyuan21 nandsky zhsnew djybrandon js2thon yuzhangshlg wangqinghao123 losenineai dut3062796s liyanvip lihq luomor-web c0destarr jyao1 heyuanliu-intel 22826165 lielongxingkong yiming243 xiaoxinxin233333 chainsaid tobysunx dutmsn drinker-in-dream gzcassan flying1008 jasonjieliu johnhelsing zilong-dai arche8 kbfcy fyinte ylbp timonwong zzdboy lys1737 uudiin cleanmgr112 fuminzhang4809 fullyrobert ulvabianca271 kkeenee jhy-3 zdayalster

tongsuo's Issues

BabaSSL为何提供了单独的国密双证书加载API?

BabaSSL实现TLCP协议时,提供了单独的双证书加载API,而不是在原生的SSL_CTX_use_certificate函数做适配。这样做有什么特殊的考虑吗?

如下是BabaSSL新增的API,
SSL_CTX_use_sign_certificate
SSL_CTX_use_enc_certificate
SSL_CTX_use_sign_PrivateKey
SSL_CTX_use_enc_PrivateKey
新增API使得上层应用(例如Nginx)也要适配双证书加载的API。之前GMSSL库是在SSL_CTX_use_certificate函数调用里面做了证书X509v3 Key Usage的判断,这样Nginx可以不用改动代码集成TLCP功能。

国密的HTTPS的库

可以集成Android库吗?封装一个jar包 可以走https的国密SSL的通道

在使用TLS_SM4_GCM_SM3时,KeyShareEntry中没有包含SM2公钥信息

根据RFC8998
3.3.1.1 clientHello中的描述“For the key_share extension, a KeyShareEntry for the "curveSM2" group MUST be included.”
在实际使用https://github.com/BabaSSL/BabaSSL/wiki/TLS1.3---%E5%9B%BD%E5%AF%86%E5%8D%95%E8%AF%81%E4%B9%A6的s_server/s_client命令行进行验证时,仅包含了x25519曲线的信息。
这是因为SM2曲线参数实际上在RFC8998中是无法使用的,所以才这样实现么?

SSLv23_method NTLS_method

请问,SSLv23_method是不是默认对应着TLS算法套件?如果用国密SSL的话,只能是NTLS_method,不能用SSLv23_method?

SSL_set_cipher_list

./Configure --prefix=/tmp/openssl --cross-compile-prefix= linux-armv4 no-asm no-shared -fPIC

配置后,NTLS是默认开启的吗?NTLS_server_method怎么没有定义。

请问如何生成EVP_PKEY_SM2类型的EVP_PKEY

有相关样例吗?
使用如下流程生成的key,总是NULL:
if(!(kctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SM2, NULL))) goto err;
if(!EVP_PKEY_keygen_init(kctx)) goto err;
if (!EVP_PKEY_keygen(kctx, &key)) goto err;

没有校验国密加密证书,严重bug

查看咱们代码,当前咱们应该是没有对国密加密证书进行校验,这似乎是个很严重的bug:加密证书有效时间,以及来源都没校验。请问咱们会进行这块的支持吗?或者是有规范写明无需校验国密加密证书(只需校验国密签名证书)?

iOS如何编译支持NTLS

看了NTLS使用手册,想要在iOS工程中使用NTLS_client_method,SSL_CTX_enable_ntls方法,找不到方法实现。请教在iOS平台下,需要如何才能支持到NTLS的使用

国密SSL如何兼容厂商?

由于SSL VPN规范没有很具体,当前有:
1.证书链构造的顺序
2.sm2 id的来源
3.某些字段的编解码等
...
都无法从协议中获取明确的做法。
阅读了BabaSSL,有自己独特的理解和实现,我想问下怎么去和其他厂家实现的SSL对接呢?比如TASSL。

关于NTLS的测试问题

根据wiki页面的“NTLS使用手册”进行NTLS连接测试时,并没有-enc_cert等相关选项。在编译最新版源码后,openssl s_server -hlep中也找不到NTLS相关的选项设置,请问现在的最新版本是否可以测试NTLS了?

代码中几处问题

  1. https://github.com/BabaSSL/BabaSSL/blob/1ac490549dff8261a17c8278fa8a6afd6834d4f4/ssl/t1_lib.c #L2368
    此处应该是处理TLS1.3逻辑(入口处已有条件限制 (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)),使用 OPENSSL_NO_NTLS 这个宏开关是否合适?相应的赋值是否也有问题(SSL_PKEY_SM2)?

  2. https://github.com/BabaSSL/BabaSSL/blob/1ac490549dff8261a17c8278fa8a6afd6834d4f4/ssl/ssl_ciph.c #L454
    最外层条件是如果定义了宏 OPENSSL_NO_SM2,内层宏条件与上 (!defined OPENSSL_NO_SM2) ,导致这个条件分支无效。

  3. https://github.com/BabaSSL/BabaSSL/blob/1ac490549dff8261a17c8278fa8a6afd6834d4f4/ssl/s3_lib.c #L4391
    选择套件时,tls1_set_cert_validity 和 ssl_set_masks 两个函数已做了相应的判断,此处应该不需要再特殊处理。

  4. 关于公共部分的判断NTLS_VERSION 条件应该增加附加开关条件判断,这样会更严谨。
    if (version == NTLS_VERSION) => if ( s->enable_ntls == 1 && version == NTLS_VERSION )
    开启编译选项 OPENSSL_NO_NTLS 且 使能enable_ntls开关,才会走国密状态机。开关没有开启,走的是标准状态机。
    相关位置如下:
    https://github.com/BabaSSL/BabaSSL/blob/1ac490549dff8261a17c8278fa8a6afd6834d4f4/ssl/record/ssl3_record.c #L325
    https://github.com/BabaSSL/BabaSSL/blob/1ac490549dff8261a17c8278fa8a6afd6834d4f4/ssl/ssl_asn1.c #L301
    https://github.com/BabaSSL/BabaSSL/blob/1ac490549dff8261a17c8278fa8a6afd6834d4f4/ssl/ssl_cert.c #L976
    诸如此类

国密协议使用ECDHE密钥交换算法时,为什么需要双向认证?

ECDHE密钥交换算法相关套件

./.ssl/bin/openssl ciphers -V | column -t | grep SM

0xE0,0x51 - ECDHE-SM2-SM4-GCM-SM3 NTLSv1.1 Kx=SM2DHE Au=SM2 Enc=SM4-GCM(128) Mac=AEAD
0xE0,0x11 - ECDHE-SM2-SM4-CBC-SM3 NTLSv1.1 Kx=SM2DHE Au=SM2 Enc=SM4(128) Mac=SM3
0xE0,0x11 - ECDHE-SM2-WITH-SM4-SM3 NTLSv1.1 Kx=SM2DHE Au=SM2 Enc=SM4(128) Mac=SM3

tls_post_process_client_hello_ntls
...
if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSM2DHE)
s->verify_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
| SSL_VERIFY_CLIENT_ONCE;
...

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.