diff --git a/CMakeLists.txt b/CMakeLists.txt
index 03f07782..0446ed94 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -818,7 +818,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1072")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1073")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/cmake/tlcp_commands.cmake b/cmake/tlcp_commands.cmake
index c0a1239e..64b757e0 100644
--- a/cmake/tlcp_commands.cmake
+++ b/cmake/tlcp_commands.cmake
@@ -26,6 +26,7 @@ gmssl_run_tls_command_test(
 SERVER_ARGS
 tlcp_server
 -port ${TEST_PORT}
+ -cipher_suite ${TEST_CIPHER_SUITE}
 -cert tlcp_server_certs.pem
 -key tlcp_server_keys.pem
 -pass P@ssw0rd
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index 24ce0517..45f56397 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 #define GMSSL_VERSION_NUM 30200
-#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1072"
+#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1073"
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/tools/tlcp_help.h b/tools/tlcp_help.h
index c45fb3da..b90bc8b4 100644
--- a/tools/tlcp_help.h
+++ b/tools/tlcp_help.h
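Review bot: The new `-cipher_suite ${TEST_CIPHER_SUITE}` argument in tlcp_commands.cmake depends on a variable this commit does not define anywhere in the diff. If TEST_CIPHER_SUITE is unset, the unquoted expansion presumably yields no argument, so the server would be started with `-cipher_suite -cert ...` and the new parser in tlcp_server.c would reject `-cert` as an invalid suite name. Defining a default next to TEST_PORT, e.g. `set(TEST_CIPHER_SUITE TLS_ECC_SM4_CBC_SM3)`, or quoting the expansion would make the test fail with a clearer message if the variable is missing.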
@@ -38,6 +38,6 @@
 " gmssl tlcp_server -port 4431 -cert tlcpcert.pem -key tlcpkey.pem -pass 1234 -cipher_suite TLS_ECC_SM4_CBC_SM3\n"
 " gmssl tlcp_client -port 4431 -host 127.0.0.1 -cacert sm2rootcacert.pem -cipher_suite TLS_ECC_SM4_CBC_SM3\n"
 "\n"
-" gmssl tlcp_server -port 4431 -cert tlcpcert.pem -key tlcpkey.pem -pass 1234 -cacert sm2cacert.pem -verbose\n"
+" gmssl tlcp_server -port 4431 -cert tlcpcert.pem -key tlcpkey.pem -pass 1234 -cacert sm2cacert.pem -cipher_suite TLS_ECC_SM4_CBC_SM3 -cert_request -verbose\n"
 " gmssl tlcp_client -port 4431 -host 127.0.0.1 -cacert sm2rootcacert.pem -cipher_suite TLS_ECC_SM4_CBC_SM3 -cert sm2signcert.pem -key sm2signkey.pem -pass 1234 -verbose\n"
 "\n"
diff --git a/tools/tlcp_server.c b/tools/tlcp_server.c
index fad9acc0..c55f6fa5 100644
--- a/tools/tlcp_server.c
+++ b/tools/tlcp_server.c
@@ -17,7 +17,7 @@
 #include
-static const char *options = "[-port num] -cert pem -key pem -pass str [-alpn str] [-cacert pem] [-verbose]";
+static const char *options = "[-port num] -cert pem -key pem -pass str [-cipher_suite str] [-alpn str] [-cert_request] [-cacert pem] [-verbose]";
 static const char *help =
@@ -27,7 +27,9 @@ static const char *help =
 " -cert pem Server's certificate chain in PEM format, may appear multiple times\n"
 " -key pem Server's signing and encryption private keys in PEM format: signing key first, encryption key second, may appear multiple times\n"
 " -pass str Password to decrypt both private keys in the same -key PEM, may appear multiple times\n"
+" -cipher_suite str Supported cipher suites, may appear multiple times, higher priority first\n"
 " -alpn str Application protocol name, may appear multiple times, higher priority first\n"
+" -cert_request Client certificate request\n"
 " -cacert pem CA certificate for client certificate verification\n"
 " -verbose Print TLS handshake messages\n"
 "\n"
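Review bot: The new `options` string lists `[-cipher_suite str]` in brackets, i.e. optional, but the later check in this same commit exits with "'-cipher_suite' option required" when none is given, so the usage line and the runtime contract disagree. The bracket should go, `static const char *options = "[-port num] -cert pem -key pem -pass str -cipher_suite str [-alpn str] [-cert_request] [-cacert pem] [-verbose]";`, and the help entry should say the option is mandatory now that the former built-in default list (ECC_SM4_GCM_SM3 then ECC_SM4_CBC_SM3) has been removed, e.g. `" -cipher_suite str Supported cipher suites (required), may appear multiple times, higher priority first\n"`. The `-cert_request` help text could also state that it requires `-cacert`, which the code enforces further down.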
@@ -128,6 +130,8 @@ int tlcp_server_main(int argc , char **argv)
 int ret = 1;
 char *prog = argv[0];
 int port = 443;
+ int cipher_suites[4];
+ size_t cipher_suites_cnt = 0;
 char *certfiles[4];
 size_t certfiles_cnt = 0;
 char *signkeyfiles[sizeof(certfiles)/sizeof(certfiles[0])];
@@ -136,14 +140,10 @@ int tlcp_server_main(int argc , char **argv)
 size_t signpasses_cnt = 0;
 char *alpn_protocols[4];
 size_t alpn_protocols_cnt = 0;
+ int cert_request = 0;
 char *cacertfile = NULL;
 int verbose = 0;
- int server_ciphers[] = {
- TLS_cipher_ecc_sm4_gcm_sm3,
- TLS_cipher_ecc_sm4_cbc_sm3,
- };
-
 TLS_CTX ctx;
 TLS_CONNECT conn;
 char buf[1600] = {0};
@@ -192,13 +192,29 @@ int tlcp_server_main(int argc , char **argv)
 }
 if (--argc < 1) goto bad;
 signpasses[signpasses_cnt++] = *(++argv);
-} else if (!strcmp(*argv, "-alpn")) {
+} else if (!strcmp(*argv, "-cipher_suite")) {
+ char *cipher_suite_name;
+ int cipher_suite;
+ if (cipher_suites_cnt >= sizeof(cipher_suites)/sizeof(cipher_suites[0])) {
+ fprintf(stderr, "%s: too many -cipher_suite options\n", prog);
+ return -1;
+ }
+ if (--argc < 1) goto bad;
+ cipher_suite_name = *(++argv);
+ if ((cipher_suite = tls_cipher_suite_from_name(cipher_suite_name)) == 0) {
+ fprintf(stderr, "%s: invalid -cipher_suite '%s' value\n", prog, cipher_suite_name);
+ return -1;
+ }
+ cipher_suites[cipher_suites_cnt++] = cipher_suite;
+} else if (!strcmp(*argv, "-alpn")) {
 if (alpn_protocols_cnt >= sizeof(alpn_protocols)/sizeof(alpn_protocols[0])) {
 fprintf(stderr, "%s: too many -alpn options\n", prog);
 return -1;
 }
 if (--argc < 1) goto bad;
 alpn_protocols[alpn_protocols_cnt++] = *(++argv);
+} else if (!strcmp(*argv, "-cert_request")) {
+ cert_request = 1;
 } else if (!strcmp(*argv, "-cacert")) {
 if (--argc < 1) goto bad;
 cacertfile = *(++argv);
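Review bot: The two new `-cipher_suite` failure paths in the option loop `return -1`, while the required-option check this commit adds after the loop and the existing `bad:` path `return 1`, so the same class of usage error yields two different results from tlcp_server_main; `return 1;` in both new branches would keep the commit self-consistent (the `-alpn` branch they were modelled on has the same inconsistency, but that is pre-existing). The branch also relies on `tls_cipher_suite_from_name` returning 0 for an unknown name, which looks like its contract but is not visible here, and it does not reject a suite named twice, so whether duplicates are tolerated depends on `tls_ctx_set_cipher_suites`, which is likewise outside the hunk; a one-line comment such as `/* 0 means unknown name; duplicates are passed through to tls_ctx_set_cipher_suites */` would record both assumptions. The body of tlcp_server_main continues beyond this hunk.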
@@ -231,11 +247,16 @@ bad:
 return 1;
 }
+ if (!cipher_suites_cnt) {
+ fprintf(stderr, "%s: '-cipher_suite' option required\n", prog);
+ return 1;
+ }
+
 memset(&ctx, 0, sizeof(ctx));
 memset(&conn, 0, sizeof(conn));
 if (tls_ctx_init(&ctx, TLS_protocol_tlcp, TLS_server_mode) != 1
- || tls_ctx_set_cipher_suites(&ctx, server_ciphers, sizeof(server_ciphers)/sizeof(int)) != 1) {
+ || tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
 error_print();
 return -1;
 }
@@ -262,6 +283,12 @@ bad:
 error_print();
 return -1;
 }
+ }
+ if (cert_request) {
+ if (!cacertfile) {
+ fprintf(stderr, "%s: -cacert required by -cert_request\n", prog);
+ return 1;
+ }
 if (tls_ctx_enable_certificate_request(&ctx, 1) != 1) {
 error_print();
 return -1;
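Review bot: In the second hunk the call to `tls_ctx_enable_certificate_request` is moved out of the `-cacert` block (the `+ }` at the top appears to close it; the block itself starts outside the hunk) and behind the new `cert_request` flag, so an operator who passes `-cacert` alone, which previously turned on client certificate verification, now gets a server that loads the CA but never requests a client certificate, and nothing tells them. The reverse case is checked (`-cacert required by -cert_request`), but this one should be at least reported, e.g. `if (cacertfile && !cert_request) fprintf(stderr, "%s: -cacert has no effect without -cert_request\n", prog);`, and the `-cacert` help entry should read `" -cacert pem CA certificate for client certificate verification, used only with -cert_request\n"`. The example in tlcp_help.h already adds `-cert_request` to the mutual-auth invocation, which suggests the author is aware of the change, but the help and usage text do not say so.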