Update TLS 1.2 renegotiation_info

2026-06-27 07:33:41 +08:00 · 2026-06-20 16:47:56 +08:00
parent c47ae26730
commit 0f2f35ab97
9 changed files with 40 additions and 5 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -768,6 +768,8 @@ if(ENABLE_TLS AND NOT WIN32)
 	add_test(NAME tls12_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
 	add_test(NAME tls12_sm4_gcm_renegotiation_info COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_renegotiation_info -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
 	add_test(NAME tls12_sm4_gcm_renegotiation_info_scsv COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_renegotiation_info_scsv -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
+	add_test(NAME tls12_client_reject_renegotiation_info_both
+		COMMAND bash -c "bin/gmssl tls12_client -host 127.0.0.1 -renegotiation_info -renegotiation_info_scsv > tls12_client_reject_renegotiation_info_both.log 2>&1; test $? -ne 0 && grep -q 'should not be used together' tls12_client_reject_renegotiation_info_both.log")
 	add_test(NAME tls13_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
 	add_test(NAME tls13_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
 	add_test(NAME tls13_hrr_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_hrr_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
@@ -839,7 +841,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1119")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1120")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
--- a/cmake/openssl_interop_commands.cmake
+++ b/cmake/openssl_interop_commands.cmake
@@ -57,7 +57,7 @@ elseif(TEST_CASE STREQUAL tls12_openssl_server_renegotiation_info_scsv)
 elseif(TEST_CASE STREQUAL tls12_openssl_client)
 	set(TEST_NAME tls12_openssl_client)
 	set(TEST_PORT 4451)
-	set(SERVER_COMMAND "bin/gmssl tls12_server -port ${TEST_PORT} -cert p256_tls_server_certs.pem -key p256_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256")
+	set(SERVER_COMMAND "bin/gmssl tls12_server -port ${TEST_PORT} -cert p256_tls_server_certs.pem -key p256_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -renegotiation_info")
 	set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_2 -CAfile p256_root_ca_cert.pem -cipher ECDHE-ECDSA-AES128-SHA256 -groups prime256v1 -servername localhost -brief")
 	gmssl_run_command_interop_test(
 		TEST_NAME ${TEST_NAME}
--- a/cmake/tls12_commands.cmake
+++ b/cmake/tls12_commands.cmake
@@ -63,6 +63,7 @@ set(TEST_CLIENT_ARGS
 	-in ${TEST_NAME}_message.txt)

 if(TEST_RENEGOTIATION_ARG)
+	list(APPEND TEST_SERVER_ARGS -renegotiation_info)
 	list(APPEND TEST_CLIENT_ARGS ${TEST_RENEGOTIATION_ARG})
 endif()

--- a/include/gmssl/tls.h
+++ b/include/gmssl/tls.h
@@ -1946,6 +1946,8 @@ int tls_server_name_from_bytes(const uint8_t **host_name, size_t *host_name_len,
 int tls_server_name_print(FILE *fp, int fmt, int ind, const uint8_t *ext_data, size_t ext_datalen);

 // 65281. renegotiation_info (TLS 1.2 only)
+int tls_renegotiation_info_print(FILE *fp, int fmt, int ind,
+	const uint8_t *ext_data, size_t ext_datalen);
 int tls12_ctx_set_renegotiation_info(TLS_CTX *ctx, int enable);
 int tls12_ctx_set_empty_renegotiation_info_scsv(TLS_CTX *ctx, int enable);

--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {


 #define GMSSL_VERSION_NUM	30200
-#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1119"
+#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1120"

 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
--- a/src/tls12.c
+++ b/src/tls12.c
@@ -2181,7 +2181,7 @@ int tls_recv_client_hello(TLS_CONNECT *conn)
 		}
 	}
 	// RFC 5746 signaling is supported for the initial handshake only.
-	if (renegotiation_info || empty_renegotiation_info_scsv) {
+	if (conn->ctx->renegotiation_info && (renegotiation_info || empty_renegotiation_info_scsv)) {
 		conn->secure_renegotiation = 1;
 	}

--- a/src/tls_trace.c
+++ b/src/tls_trace.c
@@ -477,6 +477,26 @@ int tls_pre_master_secret_print(FILE *fp, const uint8_t pre_master_secret[48], i
 	return 1;
 }

+int tls_renegotiation_info_print(FILE *fp, int fmt, int ind,
+	const uint8_t *ext_data, size_t ext_datalen)
+{
+	const uint8_t *renegotiated_connection;
+	size_t renegotiated_connection_len;
+
+	if (tls_uint8array_from_bytes(&renegotiated_connection, &renegotiated_connection_len, &ext_data, &ext_datalen) != 1
+		|| tls_length_is_zero(ext_datalen) != 1) {
+		error_print();
+		return -1;
+	}
+	if (renegotiated_connection_len) {
+		format_bytes(fp, fmt, ind, "renegotiated_connection",
+			renegotiated_connection, renegotiated_connection_len);
+	} else {
+		format_print(fp, fmt, ind, "renegotiated_connection: (empty)\n");
+	}
+	return 1;
+}
+
 /*
 * SupportedVersions Extension (only defined in TLS 1.3)
 *
@@ -575,6 +595,12 @@ int tls_extension_print(FILE *fp, int fmt, int ind, int handshake_type, int type
 			return -1;
 		}
 		break;
+	case TLS_extension_renegotiation_info:
+		if (tls_renegotiation_info_print(fp, fmt, ind, data, datalen) != 1) {
+			error_print();
+			return -1;
+		}
+		break;
 	case TLS_extension_signature_algorithms:
 		if (tls_uint16array_from_bytes(&p, &len, &data, &datalen) != 1
 			|| datalen
--- a/tools/tls12_client.c
+++ b/tools/tls12_client.c
@@ -350,6 +350,10 @@ bad:
 		fprintf(stderr, "%s: '-host' option required\n", prog);
 		return -1;
 	}
+	if (renegotiation_info && empty_renegotiation_info_scsv) {
+		fprintf(stderr, "%s: '-renegotiation_info' and '-renegotiation_info_scsv' should not be used together\n", prog);
+		return -1;
+	}
 	if (get && infile) {
 		fprintf(stderr, "%s: '-get' and '-in' should not be used together\n", prog);
 		return -1;
--- a/tools/tls12_server.c
+++ b/tools/tls12_server.c
@@ -33,7 +33,7 @@ static const char *help =
 "    -cacert pem            CA certificate for client certificate verification\n"
 "    -verify_depth num      Certificate verification depth\n"
 "    -client_cert_optional  Allow client send empty Certificate\n"
-"    -renegotiation_info    Accepted for compatibility; RFC 5746 response is automatic\n"
+"    -renegotiation_info    Enable RFC 5746 renegotiation_info response\n"
 "    -verbose               Print TLS handshake messages\n"
 "\n"
 #include "tls12_help.h"