abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-06-19 19:33:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update TLS command tools

Browse Source
This commit is contained in:
Zhi Guan
2026-06-11 22:54:59 +08:00
parent 5c34316d3d
commit 0951d4c764
5 changed files with 126 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/tls12.c
View File

@@ -847,6 +847,14 @@ int tls_send_client_hello(TLS_CONNECT *conn)
} }
} }
// server_name
if (conn->server_name) {
if (tls_server_name_ext_to_bytes(conn->host_name, conn->host_name_len, &pexts, &extslen) != 1) {
error_print();
return -1;
}
}
if (tls_record_set_handshake_client_hello(conn->record, &conn->recordlen, if (tls_record_set_handshake_client_hello(conn->record, &conn->recordlen,
conn->protocol, conn->client_random, NULL, 0, conn->protocol, conn->client_random, NULL, 0,
conn->ctx->cipher_suites, conn->ctx->cipher_suites_cnt, conn->ctx->cipher_suites, conn->ctx->cipher_suites_cnt,
@@ -1527,6 +1535,14 @@ int tls_send_server_hello(TLS_CONNECT *conn)
} }
} }
// server_name
if (conn->server_name) {
if (tls_ext_to_bytes(TLS_extension_server_name, NULL, 0, &pexts, &extslen) != 1) {
error_print();
return -1;
}
}
if (tls_record_set_handshake_server_hello(conn->record, &conn->recordlen, if (tls_record_set_handshake_server_hello(conn->record, &conn->recordlen,
conn->protocol, conn->server_random, NULL, 0, conn->protocol, conn->server_random, NULL, 0,
conn->cipher_suite, conn->cipher_suite,
@@ -1574,6 +1590,7 @@ int tls_recv_server_hello(TLS_CONNECT *conn)
const uint8_t *ec_point_formats = NULL; const uint8_t *ec_point_formats = NULL;
size_t ec_point_formats_len = 0; size_t ec_point_formats_len = 0;
int server_name = 0;
tls_trace("recv ServerHello\n"); tls_trace("recv ServerHello\n");
@@ -1657,6 +1674,14 @@ int tls_recv_server_hello(TLS_CONNECT *conn)
ec_point_formats = ext_data; ec_point_formats = ext_data;
ec_point_formats_len = ext_datalen; ec_point_formats_len = ext_datalen;
break; break;
case TLS_extension_server_name:
if (!conn->server_name || server_name || ext_datalen) {
error_print();
tls_send_alert(conn, TLS_alert_illegal_parameter);
return -1;
}
server_name = 1;
break;
default: default:
error_print(); error_print();
tls_send_alert(conn, TLS_alert_illegal_parameter); tls_send_alert(conn, TLS_alert_illegal_parameter);

15
tools/tls12_client.c
View File

@@ -39,7 +39,7 @@ static const char *help =
" -key file Client's encrypted private key in PEM format\n" " -key file Client's encrypted private key in PEM format\n"
" -pass str Password to decrypt private key\n" " -pass str Password to decrypt private key\n"
" -client_cert_optional Allow client send empty Certificate\n" " -client_cert_optional Allow client send empty Certificate\n"
" -server_name Send server_name (SNI) request\n" " -server_name str Send server_name (SNI) request\n"
" -status_request Send status_request (OCSP Stapling) request\n" " -status_request Send status_request (OCSP Stapling) request\n"
"\n" "\n"
#include "tls12_help.h" #include "tls12_help.h"
@@ -63,6 +63,7 @@ int tls12_client_main(int argc, char *argv[])
char *keyfile = NULL; char *keyfile = NULL;
char *pass = NULL; char *pass = NULL;
int client_cert_optional = 0; int client_cert_optional = 0;
char *server_name = NULL;
TLS_CTX ctx; TLS_CTX ctx;
TLS_CONNECT conn; TLS_CONNECT conn;
struct hostent *hp; struct hostent *hp;
@@ -151,6 +152,9 @@ int tls12_client_main(int argc, char *argv[])
} else if (!strcmp(*argv, "-pass")) { } else if (!strcmp(*argv, "-pass")) {
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
pass = *(++argv); pass = *(++argv);
} else if (!strcmp(*argv, "-server_name")) {
if (--argc < 1) goto bad;
server_name = *(++argv);
} else if (!strcmp(*argv, "-client_cert_optional")) { } else if (!strcmp(*argv, "-client_cert_optional")) {
client_cert_optional = 1; client_cert_optional = 1;
} else { } else {
@@ -158,7 +162,7 @@ int tls12_client_main(int argc, char *argv[])
return 1; return 1;
bad: bad:
fprintf(stderr, "%s: option '%s' argument required\n", prog, *argv); fprintf(stderr, "%s: option '%s' argument required\n", prog, *argv);
return 0; return 1;
} }
argc--; argc--;
argv++; argv++;
@@ -230,6 +234,13 @@ bad:
goto end; goto end;
} }
if (server_name) {
if (tls_set_server_name(&conn, (uint8_t *)server_name, strlen(server_name)) != 1) {
error_print();
goto end;
}
}
if (tls_socket_create(&sock, AF_INET, SOCK_STREAM, 0) != 1) { if (tls_socket_create(&sock, AF_INET, SOCK_STREAM, 0) != 1) {
fprintf(stderr, "%s: faild to open socket\n", prog); fprintf(stderr, "%s: faild to open socket\n", prog);
goto end; goto end;

93
tools/tls12_help.h
View File

@@ -9,24 +9,85 @@
"Examples\n" "Examples\n"
"\n" "\n"
" gmssl sm2keygen -pass 1234 -out rootcakey.pem\n" "Build with TLS 1.2, AES, and P-256 enabled\n"
" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n" "\n"
" -key rootcakey.pem -pass 1234 -out rootcacert.pem \\\n" " cmake -S . -B build -DENABLE_TLS=ON -DENABLE_AES=ON -DENABLE_SECP256R1=ON\n"
" cmake --build build\n"
"\n"
"Generate SM2 certificates for sm2.example.com\n"
"\n"
" gmssl sm2keygen -pass 1234 -out sm2rootcakey.pem\n"
" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN SM2ROOTCA -days 3650 \\\n"
" -key sm2rootcakey.pem -pass 1234 -out sm2rootcacert.pem \\\n"
" -key_usage keyCertSign -key_usage cRLSign -ca\n" " -key_usage keyCertSign -key_usage cRLSign -ca\n"
"\n" "\n"
" gmssl sm2keygen -pass 1234 -out cakey.pem\n" " gmssl sm2keygen -pass 1234 -out sm2cakey.pem\n"
" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" \\\n" " gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"SM2 Sub CA\" \\\n"
" -key cakey.pem -pass 1234 -out careq.pem\n" " -key sm2cakey.pem -pass 1234 -out sm2careq.pem\n"
" gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -cacert rootcacert.pem -key rootcakey.pem -pass 1234 \\\n" " gmssl reqsign -in sm2careq.pem -days 365 -key_usage keyCertSign \\\n"
" -out cacert.pem -ca -path_len_constraint 0\n" " -cacert sm2rootcacert.pem -key sm2rootcakey.pem -pass 1234 \\\n"
" -ca -path_len_constraint 0 -out sm2cacert.pem\n"
"\n" "\n"
" gmssl sm2keygen -pass 1234 -out signkey.pem\n" " gmssl sm2keygen -pass 1234 -out sm2signkey.pem\n"
" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem\n" " gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN sm2.example.com \\\n"
" gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem\n" " -key sm2signkey.pem -pass 1234 -out sm2signreq.pem\n"
" gmssl reqsign -in sm2signreq.pem -days 365 -key_usage digitalSignature \\\n"
" -cacert sm2cacert.pem -key sm2cakey.pem -pass 1234 \\\n"
" -subject_dns_name sm2.example.com -out sm2signcert.pem\n"
"\n" "\n"
" cat signcert.pem > certs.pem\n" " cat sm2signcert.pem > sm2certs.pem\n"
" cat cacert.pem >> certs.pem\n" " cat sm2cacert.pem >> sm2certs.pem\n"
"\n"
"Generate P-256 certificates for p256.example.com\n"
"\n"
" gmssl p256keygen -pass 1234 -out p256rootcakey.pem -export p256rootcakey.exp\n"
" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN P256ROOTCA -days 3650 \\\n"
" -key p256rootcakey.pem -pass 1234 -out p256rootcacert.pem \\\n"
" -key_usage keyCertSign -key_usage cRLSign -ca\n"
"\n"
" gmssl p256keygen -pass 1234 -out p256cakey.pem -export p256cakey.exp\n"
" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"P256 Sub CA\" \\\n"
" -key p256cakey.pem -pass 1234 -out p256careq.pem\n"
" gmssl reqsign -in p256careq.pem -days 365 -key_usage keyCertSign \\\n"
" -cacert p256rootcacert.pem -key p256rootcakey.pem -pass 1234 \\\n"
" -ca -path_len_constraint 0 -out p256cacert.pem\n"
"\n"
" gmssl p256keygen -pass 1234 -out p256signkey.pem -export p256signkey.exp\n"
" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN p256.example.com \\\n"
" -key p256signkey.pem -pass 1234 -out p256signreq.pem\n"
" gmssl reqsign -in p256signreq.pem -days 365 -key_usage digitalSignature \\\n"
" -cacert p256cacert.pem -key p256cakey.pem -pass 1234 \\\n"
" -subject_dns_name p256.example.com -out p256signcert.pem\n"
"\n"
" cat p256signcert.pem > p256certs.pem\n"
" cat p256cacert.pem >> p256certs.pem\n"
"\n"
" cat sm2rootcacert.pem > rootcacerts.pem\n"
" cat p256rootcacert.pem >> rootcacerts.pem\n"
"\n"
"TLS 1.2 server with two certificate chains selected by SNI\n"
"\n"
" gmssl tls12_server -port 4430 \\\n"
" -cipher_suite TLS_ECDHE_SM4_CBC_SM3 \\\n"
" -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \\\n"
" -supported_group sm2p256v1 -supported_group prime256v1 \\\n"
" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n"
" -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n"
" -cert p256certs.pem -key p256signkey.pem -pass 1234\n"
"\n"
"TLS 1.2 clients with SNI\n"
"\n"
" gmssl tls12_client -host 127.0.0.1 -port 4430 -server_name sm2.example.com \\\n"
" -cipher_suite TLS_ECDHE_SM4_CBC_SM3 \\\n"
" -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \\\n"
" -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n"
" -cacert rootcacerts.pem\n"
"\n"
" gmssl tls12_client -host 127.0.0.1 -port 4430 -server_name p256.example.com \\\n"
" -cipher_suite TLS_ECDHE_SM4_CBC_SM3 \\\n"
" -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \\\n"
" -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n"
" -cacert rootcacerts.pem\n"
"\n" "\n"
" gmssl tls12_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234\n"
" gmssl tls12_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -cacert rootcacert.pem\n"

11
tools/tls13_client.c
View File

@@ -44,7 +44,7 @@ static const char *help =
" -cert file Client's certificate chain in PEM format\n" " -cert file Client's certificate chain in PEM format\n"
" -key file Client's encrypted private key in PEM format\n" " -key file Client's encrypted private key in PEM format\n"
" -pass str Password to decrypt private key\n" " -pass str Password to decrypt private key\n"
" -server_name Send server_name (SNI) request\n" " -server_name str Send server_name (SNI) request\n"
" -signature_algorithms_cert Send signature_algorithms_cert extension\n" " -signature_algorithms_cert Send signature_algorithms_cert extension\n"
" -certificate_authorities Send certificate_authorities extension\n" " -certificate_authorities Send certificate_authorities extension\n"
" -status_request Send status_request (OCSP Stapling) request\n" " -status_request Send status_request (OCSP Stapling) request\n"
@@ -112,7 +112,7 @@ int tls13_client_main(int argc, char *argv[])
size_t sig_algs_cnt = 0; size_t sig_algs_cnt = 0;
// server_name // server_name
int server_name = 0; char *server_name = NULL;
// certificate_authorities // certificate_authorities
int certificate_authorities = 0; int certificate_authorities = 0;
@@ -213,7 +213,8 @@ int tls13_client_main(int argc, char *argv[])
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
pass = *(++argv); pass = *(++argv);
} else if (!strcmp(*argv, "-server_name")) { } else if (!strcmp(*argv, "-server_name")) {
server_name = 1; if (--argc < 1) goto bad;
server_name = *(++argv);
} else if (!strcmp(*argv, "-signature_algorithms_cert")) { } else if (!strcmp(*argv, "-signature_algorithms_cert")) {
signature_algorithms_cert = 1; signature_algorithms_cert = 1;
} else if (!strcmp(*argv, "-certificate_authorities")) { } else if (!strcmp(*argv, "-certificate_authorities")) {
@@ -326,7 +327,7 @@ int tls13_client_main(int argc, char *argv[])
return 1; return 1;
bad: bad:
fprintf(stderr, "%s: option '%s' argument required\n", prog, *argv); fprintf(stderr, "%s: option '%s' argument required\n", prog, *argv);
return 0; return 1;
} }
argc--; argc--;
argv++; argv++;
@@ -463,7 +464,7 @@ bad:
} }
if (server_name) { if (server_name) {
if (tls_set_server_name(&conn, (uint8_t *)host, strlen(host)) != 1) { if (tls_set_server_name(&conn, (uint8_t *)server_name, strlen(server_name)) != 1) {
error_print(); error_print();
goto end; goto end;
} }

10
tools/tls13_help.h
View File

@@ -98,13 +98,13 @@
" gmssl tls13_server -port 4430 \\\n" " gmssl tls13_server -port 4430 \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" " -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n"
" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256\n" " -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n"
" -cert p256certs.pem -key p256signkey.pem -pass 1234 \\\n" " -cert p256certs.pem -key p256signkey.pem -pass 1234\n"
"\n" "\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256\n" " -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n"
" -server_name\n" " -server_name 127.0.0.1\n"
"\n" "\n"
"HelloRetryRequest\n" "HelloRetryRequest\n"
"\n" "\n"
@@ -130,7 +130,7 @@
" -supported_group sm2p256v1 -supported_group prime256v1 \\\n" " -supported_group sm2p256v1 -supported_group prime256v1 \\\n"
" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n" " -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n"
" -max_key_exchanges 2 \\\n" " -max_key_exchanges 2 \\\n"
" -server_name \\\n" " -server_name 127.0.0.1 \\\n"
" -signature_algorithms_cert \\\n" " -signature_algorithms_cert \\\n"
" -status_request \\\n" " -status_request \\\n"
" -post_handshake_auth \\\n" " -post_handshake_auth \\\n"