From 0951d4c764547035ebb57a11d5c1d9a882c7d40a Mon Sep 17 00:00:00 2001 From: Zhi Guan Date: Thu, 11 Jun 2026 22:54:59 +0800 Subject: [PATCH] Update TLS command tools --- src/tls12.c | 25 ++++++++++++ tools/tls12_client.c | 15 ++++++- tools/tls12_help.h | 93 ++++++++++++++++++++++++++++++++++++-------- tools/tls13_client.c | 11 +++--- tools/tls13_help.h | 10 ++--- 5 files changed, 126 insertions(+), 28 deletions(-) diff --git a/src/tls12.c b/src/tls12.c index 2a1756b0..bcdef3ab 100644 --- a/src/tls12.c +++ b/src/tls12.c @@ -847,6 +847,14 @@ int tls_send_client_hello(TLS_CONNECT *conn) } } + // server_name + if (conn->server_name) { + if (tls_server_name_ext_to_bytes(conn->host_name, conn->host_name_len, &pexts, &extslen) != 1) { + error_print(); + return -1; + } + } + if (tls_record_set_handshake_client_hello(conn->record, &conn->recordlen, conn->protocol, conn->client_random, NULL, 0, conn->ctx->cipher_suites, conn->ctx->cipher_suites_cnt, @@ -1527,6 +1535,14 @@ int tls_send_server_hello(TLS_CONNECT *conn) } } + // server_name + if (conn->server_name) { + if (tls_ext_to_bytes(TLS_extension_server_name, NULL, 0, &pexts, &extslen) != 1) { + error_print(); + return -1; + } + } + if (tls_record_set_handshake_server_hello(conn->record, &conn->recordlen, conn->protocol, conn->server_random, NULL, 0, conn->cipher_suite, @@ -1574,6 +1590,7 @@ int tls_recv_server_hello(TLS_CONNECT *conn) const uint8_t *ec_point_formats = NULL; size_t ec_point_formats_len = 0; + int server_name = 0; tls_trace("recv ServerHello\n"); @@ -1657,6 +1674,14 @@ int tls_recv_server_hello(TLS_CONNECT *conn) ec_point_formats = ext_data; ec_point_formats_len = ext_datalen; break; + case TLS_extension_server_name: + if (!conn->server_name || server_name || ext_datalen) { + error_print(); + tls_send_alert(conn, TLS_alert_illegal_parameter); + return -1; + } + server_name = 1; + break; default: error_print(); tls_send_alert(conn, TLS_alert_illegal_parameter); 
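Review bot: The new block in tls_send_client_hello tests `conn->server_name` but serialises `conn->host_name` and `conn->host_name_len`, and nothing in the hunk ties the flag to a populated name. Whether the flag can be set without the name depends on tls_set_server_name, which is not shown; if it can, a NULL pointer or zero length reaches tls_server_name_ext_to_bytes. A guard such as `if (conn->server_name && conn->host_name && conn->host_name_len) {` would make the invariant explicit, or a comment could state it: `// server_name: host_name/host_name_len are set together with the flag by tls_set_server_name()`. The function body continues outside the hunk.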
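Review bot: In tls_send_server_hello the empty server_name reply is keyed on `conn->server_name`, the same field the client side uses to mean that SNI was requested locally. RFC 6066 section 3 lets the server send this extension only when the ClientHello carried server_name, so on the server the flag presumably has to come from ClientHello parsing rather than from configuration; that code is outside the hunk. I would document this at the block: `// server_name: empty acknowledgement, sent only when the ClientHello carried server_name (RFC 6066)`. An unsolicited acknowledgement would be rejected by the check this patch adds to tls_recv_server_hello.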
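Review bot: The new `case TLS_extension_server_name` in tls_recv_server_hello answers three different failures with TLS_alert_illegal_parameter. For the `!conn->server_name` case, RFC 5246 section 7.4.1.4 asks the client to abort with the unsupported_extension alert, because the server returned an extension that was never offered. Splitting that condition out would give the peer and the logs the actual cause. The local `int server_name` declared in the preceding hunk only detects a duplicate extension and is easy to confuse with `conn->server_name`; a name like `server_name_seen` would read better. The switch continues outside the hunk.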
diff --git a/tools/tls12_client.c b/tools/tls12_client.c index 35a9edd6..32b4c78d 100644 --- a/tools/tls12_client.c +++ b/tools/tls12_client.c @@ -39,7 +39,7 @@ static const char *help = " -key file Client's encrypted private key in PEM format\n" " -pass str Password to decrypt private key\n" " -client_cert_optional Allow client send empty Certificate\n" -" -server_name Send server_name (SNI) request\n" +" -server_name str Send server_name (SNI) request\n" " -status_request Send status_request (OCSP Stapling) request\n" "\n" #include "tls12_help.h" @@ -63,6 +63,7 @@ int tls12_client_main(int argc, char *argv[]) char *keyfile = NULL; char *pass = NULL; int client_cert_optional = 0; + char *server_name = NULL; TLS_CTX ctx; TLS_CONNECT conn; struct hostent *hp; @@ -151,6 +152,9 @@ int tls12_client_main(int argc, char *argv[]) } else if (!strcmp(*argv, "-pass")) { if (--argc < 1) goto bad; pass = *(++argv); + } else if (!strcmp(*argv, "-server_name")) { + if (--argc < 1) goto bad; + server_name = *(++argv); } else if (!strcmp(*argv, "-client_cert_optional")) { client_cert_optional = 1; } else { @@ -158,7 +162,7 @@ int tls12_client_main(int argc, char *argv[]) return 1; bad: fprintf(stderr, "%s: option '%s' argument required\n", prog, *argv); - return 0; + return 1; } argc--; argv++; @@ -230,6 +234,13 @@ bad: goto end; } + if (server_name) { + if (tls_set_server_name(&conn, (uint8_t *)server_name, strlen(server_name)) != 1) { + error_print(); + goto end; + } + } + if (tls_socket_create(&sock, AF_INET, SOCK_STREAM, 0) != 1) { fprintf(stderr, "%s: faild to open socket\n", prog); goto end; diff --git a/tools/tls12_help.h b/tools/tls12_help.h index 7974fd86..e4e39a45 100644 --- a/tools/tls12_help.h +++ b/tools/tls12_help.h 
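Review bot: The `-server_name` value goes from argv straight into `tls_set_server_name(&conn, (uint8_t *)server_name, strlen(server_name))` with no check in the tool. As far as this hunk shows, an empty string, an over-long name or an IP literal is accepted. RFC 6066 permits only DNS host names in server_name and excludes literal IPv4 and IPv6 addresses, yet the tls13_help.h examples in this same patch pass `-server_name 127.0.0.1`. Either reject such values before the call or confirm that tls_set_server_name does; the identical call in tools/tls13_client.c (hunk at line 464) has the same gap. The `-server_name str` help line should also say whether the server certificate is verified against this name or against `-host`, since the two can now differ.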
@@ -9,24 +9,85 @@ "Examples\n" "\n" -" gmssl sm2keygen -pass 1234 -out rootcakey.pem\n" -" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n" -" -key rootcakey.pem -pass 1234 -out rootcacert.pem \\\n" +"Build with TLS 1.2, AES, and P-256 enabled\n" +"\n" +" cmake -S . -B build -DENABLE_TLS=ON -DENABLE_AES=ON -DENABLE_SECP256R1=ON\n" +" cmake --build build\n" +"\n" +"Generate SM2 certificates for sm2.example.com\n" +"\n" +" gmssl sm2keygen -pass 1234 -out sm2rootcakey.pem\n" +" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN SM2ROOTCA -days 3650 \\\n" +" -key sm2rootcakey.pem -pass 1234 -out sm2rootcacert.pem \\\n" " -key_usage keyCertSign -key_usage cRLSign -ca\n" "\n" -" gmssl sm2keygen -pass 1234 -out cakey.pem\n" -" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" \\\n" -" -key cakey.pem -pass 1234 -out careq.pem\n" -" gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -cacert rootcacert.pem -key rootcakey.pem -pass 1234 \\\n" -" -out cacert.pem -ca -path_len_constraint 0\n" +" gmssl sm2keygen -pass 1234 -out sm2cakey.pem\n" +" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"SM2 Sub CA\" \\\n" +" -key sm2cakey.pem -pass 1234 -out sm2careq.pem\n" +" gmssl reqsign -in sm2careq.pem -days 365 -key_usage keyCertSign \\\n" +" -cacert sm2rootcacert.pem -key sm2rootcakey.pem -pass 1234 \\\n" +" -ca -path_len_constraint 0 -out sm2cacert.pem\n" "\n" -" gmssl sm2keygen -pass 1234 -out signkey.pem\n" -" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem\n" -" gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem\n" +" gmssl sm2keygen -pass 1234 -out sm2signkey.pem\n" +" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN sm2.example.com \\\n" +" -key sm2signkey.pem -pass 1234 -out sm2signreq.pem\n" +" gmssl reqsign -in sm2signreq.pem 
-days 365 -key_usage digitalSignature \\\n" +" -cacert sm2cacert.pem -key sm2cakey.pem -pass 1234 \\\n" +" -subject_dns_name sm2.example.com -out sm2signcert.pem\n" "\n" -" cat signcert.pem > certs.pem\n" -" cat cacert.pem >> certs.pem\n" +" cat sm2signcert.pem > sm2certs.pem\n" +" cat sm2cacert.pem >> sm2certs.pem\n" +"\n" +"Generate P-256 certificates for p256.example.com\n" +"\n" +" gmssl p256keygen -pass 1234 -out p256rootcakey.pem -export p256rootcakey.exp\n" +" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN P256ROOTCA -days 3650 \\\n" +" -key p256rootcakey.pem -pass 1234 -out p256rootcacert.pem \\\n" +" -key_usage keyCertSign -key_usage cRLSign -ca\n" +"\n" +" gmssl p256keygen -pass 1234 -out p256cakey.pem -export p256cakey.exp\n" +" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"P256 Sub CA\" \\\n" +" -key p256cakey.pem -pass 1234 -out p256careq.pem\n" +" gmssl reqsign -in p256careq.pem -days 365 -key_usage keyCertSign \\\n" +" -cacert p256rootcacert.pem -key p256rootcakey.pem -pass 1234 \\\n" +" -ca -path_len_constraint 0 -out p256cacert.pem\n" +"\n" +" gmssl p256keygen -pass 1234 -out p256signkey.pem -export p256signkey.exp\n" +" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN p256.example.com \\\n" +" -key p256signkey.pem -pass 1234 -out p256signreq.pem\n" +" gmssl reqsign -in p256signreq.pem -days 365 -key_usage digitalSignature \\\n" +" -cacert p256cacert.pem -key p256cakey.pem -pass 1234 \\\n" +" -subject_dns_name p256.example.com -out p256signcert.pem\n" +"\n" +" cat p256signcert.pem > p256certs.pem\n" +" cat p256cacert.pem >> p256certs.pem\n" +"\n" +" cat sm2rootcacert.pem > rootcacerts.pem\n" +" cat p256rootcacert.pem >> rootcacerts.pem\n" +"\n" +"TLS 1.2 server with two certificate chains selected by SNI\n" +"\n" +" gmssl tls12_server -port 4430 \\\n" +" -cipher_suite TLS_ECDHE_SM4_CBC_SM3 \\\n" +" -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \\\n" +" -supported_group sm2p256v1 -supported_group 
prime256v1 \\\n" +" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n" +" -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" +" -cert p256certs.pem -key p256signkey.pem -pass 1234\n" +"\n" +"TLS 1.2 clients with SNI\n" +"\n" +" gmssl tls12_client -host 127.0.0.1 -port 4430 -server_name sm2.example.com \\\n" +" -cipher_suite TLS_ECDHE_SM4_CBC_SM3 \\\n" +" -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \\\n" +" -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" +" -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" +" -cacert rootcacerts.pem\n" +"\n" +" gmssl tls12_client -host 127.0.0.1 -port 4430 -server_name p256.example.com \\\n" +" -cipher_suite TLS_ECDHE_SM4_CBC_SM3 \\\n" +" -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \\\n" +" -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" +" -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" +" -cacert rootcacerts.pem\n" "\n" -" gmssl tls12_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234\n" -" gmssl tls12_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -cacert rootcacert.pem\n" - diff --git a/tools/tls13_client.c b/tools/tls13_client.c index cbb89b17..02261b26 100644 --- a/tools/tls13_client.c +++ b/tools/tls13_client.c @@ -44,7 +44,7 @@ static const char *help = " -cert file Client's certificate chain in PEM format\n" " -key file Client's encrypted private key in PEM format\n" " -pass str Password to decrypt private key\n" -" -server_name Send server_name (SNI) request\n" +" -server_name str Send server_name (SNI) request\n" " -signature_algorithms_cert Send signature_algorithms_cert extension\n" " -certificate_authorities Send certificate_authorities extension\n" " -status_request Send status_request (OCSP Stapling) request\n" 
@@ -112,7 +112,7 @@ int tls13_client_main(int argc, char *argv[]) size_t sig_algs_cnt = 0; // server_name - int server_name = 0; + char *server_name = NULL; // certificate_authorities int certificate_authorities = 0; @@ -213,7 +213,8 @@ int tls13_client_main(int argc, char *argv[]) if (--argc < 1) goto bad; pass = *(++argv); } else if (!strcmp(*argv, "-server_name")) { - server_name = 1; + if (--argc < 1) goto bad; + server_name = *(++argv); } else if (!strcmp(*argv, "-signature_algorithms_cert")) { signature_algorithms_cert = 1; } else if (!strcmp(*argv, "-certificate_authorities")) { @@ -326,7 +327,7 @@ int tls13_client_main(int argc, char *argv[]) return 1; bad: fprintf(stderr, "%s: option '%s' argument required\n", prog, *argv); - return 0; + return 1; } argc--; argv++; @@ -463,7 +464,7 @@ bad: } if (server_name) { - if (tls_set_server_name(&conn, (uint8_t *)host, strlen(host)) != 1) { + if (tls_set_server_name(&conn, (uint8_t *)server_name, strlen(server_name)) != 1) { error_print(); goto end; } diff --git a/tools/tls13_help.h b/tools/tls13_help.h index 26974aec..17be32ae 100644 --- a/tools/tls13_help.h +++ b/tools/tls13_help.h 
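Review bot: `-server_name` was a bare flag and now consumes the next argument, so an existing command line such as `-server_name -signature_algorithms_cert` still parses without error. The following option becomes the SNI value and is never applied, which silently changes what the client negotiates. A host name cannot begin with `-`, so the parser can refuse that case before consuming the value: `if (argc < 2 || argv[1][0] == '-') goto bad;` followed by `argc--; server_name = *(++argv);`. The same parsing branch was added to tools/tls12_client.c and would benefit from the same check. The option loop starts and ends outside the hunk.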
@@ -98,13 +98,13 @@
 " gmssl tls13_server -port 4430 \\\n"
 " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
 " -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n"
-" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256\n"
-" -cert p256certs.pem -key p256signkey.pem -pass 1234 \\\n"
+" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n"
+" -cert p256certs.pem -key p256signkey.pem -pass 1234\n"
 "\n"
 " gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n"
 " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
-" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256\n"
-" -server_name\n"
+" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n"
+" -server_name 127.0.0.1\n"
 "\n"
 "HelloRetryRequest\n"
 "\n"
@@ -130,7 +130,7 @@
 " -supported_group sm2p256v1 -supported_group prime256v1 \\\n"
 " -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n"
 " -max_key_exchanges 2 \\\n"
-" -server_name \\\n"
+" -server_name 127.0.0.1 \\\n"
 " -signature_algorithms_cert \\\n"
 " -status_request \\\n"
 " -post_handshake_auth \\\n"