add gmssl command

tools/README.md

@@ -1,5 +1,10 @@
 # 命令行工具
 
+注意：
+
+* 命令行工具接口在v3版本正式发布前还会有较大调整
+* SM2, SM3, SM4等算法的命令相对比较底层，是对C语言接口的简单封装，命令行的应用开发者需要组合使用这些指令
+
 命令行工具：
 
 * `sm3` 计算SM3杂凑值，支持带公钥和ID的Z值计算
@@ -14,3 +19,23 @@
 * `certparse` 解析打印证书
 * `certverify` 验证证书链
 
+TLS功能
+
+* `tlcp_client`
+* `tlcp_server`
+* `tls12_client`
+* `tls12_server`
+* `tls13_client`
+* `tls13_server`
+
+私钥总是默认以口令加密的方式存储
+SM3/HMAC-SM3 以二进制的格式输出
+签名和SM2Ciphertext以DER编码输出
+
+
+应该提供一个口令导出密钥的算法，由口令导出密钥
+
+SM4加密需要外部提供key, iv
+HMAC-SM3可以用命令行的方式拼合
+因此没必要提供一个单独的SM4-CBC-HMAC-SM3
+

tools/certgen.c

@@ -79,7 +79,7 @@ static const char *options =
 	"[-key_usage str]*";
 
 
-int main(int argc, char **argv)
+int certgen_main(int argc, char **argv)
 {
 	int ret = 1;
 	char *prog = argv[0];

tools/certparse.c

@@ -55,7 +55,7 @@
 
 static const char *options = "[-in file]";
 
-int main(int argc, char **argv)
+int certparse_main(int argc, char **argv)
 {
 	char *prog = argv[0];
 	char *infile = NULL;

tools/certverify.c

@@ -59,7 +59,7 @@
 // 比如最基本的是证书中的签名、有效期、各个扩展等
 // 外部相关的：证书链、CRL等
 
-int main(int argc, char **argv)
+int certverify_main(int argc, char **argv)
 {
 	int ret = 0;
 	char *prog = argv[0];

tools/crlparse.c

@@ -56,7 +56,7 @@
 
 static const char *options = "[-in file]";
 
-int main(int argc, char **argv)
+int crlparse_main(int argc, char **argv)
 {
 	char *prog = argv[0];
 	char *infile = NULL;

tools/gmssl.c

@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 2021 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gmssl/pem.h>
+#include <gmssl/x509.h>
+#include <gmssl/x509_ext.h>
+#include <gmssl/pkcs8.h>
+#include <gmssl/rand.h>
+#include <gmssl/version.h>
+#include <gmssl/error.h>
+
+
+extern int rand_main(int argc, char **argv);
+extern int certgen_main(int argc, char **argv);
+extern int certparse_main(int argc, char **argv);
+extern int certverify_main(int argc, char **argv);
+extern int crlparse_main(int argc, char **argv);
+extern int pbkdf2_main(int argc, char **argv);
+extern int reqgen_main(int argc, char **argv);
+extern int reqparse_main(int argc, char **argv);
+extern int reqsign_main(int argc, char **argv);
+extern int sm2decrypt_main(int argc, char **argv);
+extern int sm2encrypt_main(int argc, char **argv);
+extern int sm2keygen_main(int argc, char **argv);
+extern int sm2sign_main(int argc, char **argv);
+extern int sm2verify_main(int argc, char **argv);
+extern int sm3_main(int argc, char **argv);
+extern int sm3hmac_main(int argc, char **argv);
+extern int sm4_main(int argc, char **argv);
+extern int tlcp_client_main(int argc, char **argv);
+extern int tlcp_server_main(int argc, char **argv);
+extern int tls12_client_main(int argc, char **argv);
+extern int tls12_server_main(int argc, char **argv);
+extern int tls13_client_main(int argc, char **argv);
+extern int tls13_server_main(int argc, char **argv);
+
+
+static const char *options =
+	"  commands:\n"
+	"	help\n"
+	"	version\n"
+	"	rand\n"
+	"	sm2keygen\n"
+	"	sm2sign\n"
+	"	sm2verify\n"
+	"	sm2encrypt\n"
+	"	sm2decrypt\n"
+	"	pbkdf2\n"
+	"	reqgen\n"
+	"	reqsign\n"
+	"	reqparse\n"
+	"	crlparse\n"
+	"	certgen\n"
+	"	certparse\n"
+	"	certverify\n"
+	"	tlcp_client\n"
+	"	tlcp_server\n"
+	"	tls12_client\n"
+	"	tls12_server\n"
+	"	tls13_client\n"
+	"	tls13_server\n";
+
+
+int version_main(int argc, char **argv)
+{
+	printf("%s\n", gmssl_version_str());
+	return 0;
+}
+
+
+int main(int argc, char **argv)
+{
+	int ret = 1;
+	char *prog = argv[0];
+
+
+	if (argc < 2) {
+		printf("usage: %s\n %s\n", prog, options);
+		return 0;
+	}
+
+	argc--;
+	argv++;
+
+	while (argc > 0) {
+		if (!strcmp(*argv, "help")) {
+help:
+			printf("usage: %s\n %s\n", prog, options);
+			return 0;
+		} else if (!strcmp(*argv, "version")) {
+			return version_main(argc, argv);
+		} else if (!strcmp(*argv, "rand")) {
+			return rand_main(argc, argv);
+		} else if (!strcmp(*argv, "certgen")) {
+			return certgen_main(argc, argv);
+		} else if (!strcmp(*argv, "certparse")) {
+			return certparse_main(argc, argv);
+		} else if (!strcmp(*argv, "certverify")) {
+			return certverify_main(argc, argv);
+		} else if (!strcmp(*argv, "reqgen")) {
+			return reqgen_main(argc, argv);
+		} else if (!strcmp(*argv, "reqparse")) {
+			return reqparse_main(argc, argv);
+		} else if (!strcmp(*argv, "reqsign")) {
+			return reqsign_main(argc, argv);
+		} else if (!strcmp(*argv, "pbkdf2")) {
+			return pbkdf2_main(argc, argv);
+		} else if (!strcmp(*argv, "sm2sign")) {
+			return sm2sign_main(argc, argv);
+		} else if (!strcmp(*argv, "sm2verify")) {
+			return sm2verify_main(argc, argv);
+		} else if (!strcmp(*argv, "sm2encrypt")) {
+			return sm2encrypt_main(argc, argv);
+		} else if (!strcmp(*argv, "sm2decrypt")) {
+			return sm2decrypt_main(argc, argv);
+		} else if (!strcmp(*argv, "sm2keygen")) {
+			return sm2keygen_main(argc, argv);
+		} else if (!strcmp(*argv, "tlcp_client")) {
+			return tlcp_client_main(argc, argv);
+		} else if (!strcmp(*argv, "tlcp_server")) {
+			return tlcp_server_main(argc, argv);
+		} else if (!strcmp(*argv, "tls12_client")) {
+			return tls12_client_main(argc, argv);
+		} else if (!strcmp(*argv, "tls12_server")) {
+			return tls12_server_main(argc, argv);
+		} else if (!strcmp(*argv, "tls13_client")) {
+			return tls13_client_main(argc, argv);
+		} else if (!strcmp(*argv, "tls13_server")) {
+			return tls13_server_main(argc, argv);
+		} else {
+bad:
+			fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
+			fprintf(stderr, "usage: %s %s\n", prog, options);
+			return 1;
+		}
+
+		argc--;
+		argv++;
+	}
+
+	return ret;
+}

tools/pbkdf2.c

@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2020 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <gmssl/pbkdf2.h>
+#include <gmssl/hex.h>
+#include <gmssl/error.h>
+
+
+static const char *options = "-salt hex -iter num [-pass str] -outlen num";
+
+int pbkdf2_main(int argc, char **argv)
+{
+	int ret = -1;
+	char *prog = argv[0];
+	char *salthex = NULL;
+	uint8_t salt[PBKDF2_MAX_SALT_SIZE];
+	size_t saltlen;
+	int iter = 0;
+	char *pass = NULL;
+	int outlen = 0;
+	uint8_t outbuf[64];
+	int i;
+
+	argc--;
+	argv++;
+
+	if (argc < 1) {
+		fprintf(stderr, "usage: %s %s\n", prog, options);
+		return 1;
+	}
+
+	while (argc > 0) {
+		if (!strcmp(*argv, "-help")) {
+			fprintf(stderr, "usage: %s %s\n", prog, options);
+			return 1;
+		} else if (!strcmp(*argv, "-salt")) {
+			if (--argc < 1) goto bad;
+			salthex = *(++argv);
+		} else if (!strcmp(*argv, "-iter")) {
+			if (--argc < 1) goto bad;
+			iter = atoi(*(++argv));
+			if (iter < PBKDF2_MIN_ITER || iter > INT_MAX) {
+				error_print();
+				return 1;
+			}
+		} else if (!strcmp(*argv, "-pass")) {
+			if (--argc < 1) goto bad;
+			pass = *(++argv);
+		} else if (!strcmp(*argv, "-outlen")) {
+			if (--argc < 1) goto bad;
+			outlen = atoi(*(++argv));
+			if (outlen < 1 || outlen > sizeof(outbuf)) {
+				error_print();
+				return 1;
+			}
+		} else {
+			fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
+			return 1;
+bad:
+			fprintf(stderr, "%s: invalid option argument\n", prog);
+			return 1;
+		}
+
+		argc--;
+		argv++;
+	}
+
+	if (!salthex) {
+		error_print();
+		return 1;
+	}
+	if (strlen(salthex) > sizeof(salt) * 2) {
+		error_print();
+		return 1;
+	}
+	if (hex_to_bytes(salthex, strlen(salthex), salt, &saltlen) != 1) {
+		error_print();
+		return 1;
+	}
+
+	if (!iter) {
+		error_print();
+		return 1;
+	}
+	if (!outlen) {
+		error_print();
+		return 1;
+	}
+
+
+	if (!pass) {
+		error_print();
+		return -1;
+	}
+
+	if (pbkdf2_hmac_sm3_genkey(pass, strlen(pass), salt, saltlen, iter, outlen, outbuf) != 1) {
+		error_print();
+		return -1;
+	}
+	for (i = 0; i < outlen; i++) {
+		printf("%02X", outbuf[i]);
+	}
+	printf("\n");
+
+
+	return 0;
+}

tools/rand.c

@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2020 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <gmssl/rand.h>
+#include <gmssl/error.h>
+
+
+static const char *options = "[-hex] [-rdrand] -outlen num";
+
+int rand_main(int argc, char **argv)
+{
+	int ret = -1;
+	char *prog = argv[0];
+	int hex = 0;
+	int rdrand = 0;
+	int outlen = 0;
+	uint8_t buf[2048];
+	int i;
+
+	argc--;
+	argv++;
+
+	if (argc < 1) {
+		fprintf(stderr, "usage: %s %s\n", prog, options);
+		return 1;
+	}
+
+	while (argc > 0) {
+		if (!strcmp(*argv, "-help")) {
+			fprintf(stderr, "usage: %s %s\n", prog, options);
+			return 1;
+		} else if (!strcmp(*argv, "-hex")) {
+			hex = 1;
+		} else if (!strcmp(*argv, "-rdrand")) {
+			// rdrand = 1; // FIXME: CMakeList.txt should be updated to support this option
+		} else if (!strcmp(*argv, "-outlen")) {
+			if (--argc < 1) goto bad;
+			outlen = atoi(*(++argv));
+			if (outlen < 1 || outlen > INT_MAX) {
+				error_print();
+				return 1;
+			}
+		} else {
+			fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
+			return 1;
+bad:
+			fprintf(stderr, "%s: invalid option argument\n", prog);
+			return 1;
+		}
+
+		argc--;
+		argv++;
+	}
+
+	if (!outlen) {
+		error_print();
+		return 1;
+	}
+
+	while (outlen) {
+		size_t len = outlen < sizeof(buf) ? outlen : sizeof(buf);
+
+		if (rdrand) {
+/*
+			if (rdrand_bytes(buf, len) != 1) {
+				error_print();
+				return 1;
+			}
+*/
+		} else {
+			if (rand_bytes(buf, len) != 1) {
+				error_print();
+				return -1;
+			}
+		}
+
+		if (hex) {
+			int i;
+			for (i = 0; i < len; i++) {
+				fprintf(stdout, "%02X", buf[i]);
+			}
+		} else {
+			fwrite(buf, 1, len, stdout);
+		}
+
+		outlen -= len;
+	}
+
+	if (hex) {
+		fprintf(stdout, "\n");
+	}
+
+	return 0;
+}

tools/reqgen.c

@@ -66,7 +66,7 @@ static const char *options =
 	"[-C str] [-ST str] [-L str] [-O str] [-OU str] -CN str -days num"
 	" -key file [-pass pass] [-out file]";
 
-int main(int argc, char **argv)
+int reqgen_main(int argc, char **argv)
 {
 	int ret = -1;
 	char *prog = argv[0];

tools/reqparse.c

@@ -55,7 +55,7 @@
 #include <gmssl/error.h>
 
 
-int main(int argc, char **argv)
+int reqparse_main(int argc, char **argv)
 {
 	char *prog = argv[0];
 	char *infile = NULL;

tools/reqsign.c

@@ -75,7 +75,7 @@ static int ext_key_usage_set(int *usages, const char *usage_name)
 
 static const char *usage = "usage: %s [-in file] -days num -cacert file -key file [-pass str] [-out file]\n";
 
-int main(int argc, char **argv)
+int reqsign_main(int argc, char **argv)
 {
 	char *prog = argv[0];
 	char *file;

tools/sm2decrypt.c

@@ -62,7 +62,7 @@
 #endif
 
 
-int main(int argc, char **argv)
+int sm2decrypt_main(int argc, char **argv)
 {
 	char *prog = argv[0];
 	char *keyfile = NULL;

tools/sm2encrypt.c

@@ -58,7 +58,7 @@
 #include <gmssl/error.h>
 
 
-int main(int argc, char **argv)
+int sm2encrypt_main(int argc, char **argv)
 {
 	int ret;
 	char *prog = argv[0];

tools/sm2keygen.c

@@ -59,7 +59,7 @@
 #include <unistd.h>
 #endif
 
-int main(int argc, char **argv)
+int sm2keygen_main(int argc, char **argv)
 {
 	char *prog = argv[0];
 	char *pass = NULL;

tools/sm2sign.c

@@ -64,7 +64,7 @@
 // echo data | sm2sign -id "Alice" -keyfile sm2.pem
 // echo data | sm2verify -id "Alice" -keyfile sm2pub.pem -certfile a -cacertfile b
 
-int main(int argc, char **argv)
+int sm2sign_main(int argc, char **argv)
 {
 	char *prog = argv[0];
 	char *keyfile = NULL;

tools/sm2verify.c

@@ -60,7 +60,7 @@
 
 // sm2verify [-in file] {-pubkey pem | -cert pem} [-id str] -sig file
 
-int main(int argc, char **argv)
+int sm2verify_main(int argc, char **argv)
 {
 	int ret;
 	char *prog = argv[0];

tools/sm3.c

@@ -54,7 +54,7 @@
 #include <gmssl/error.h>
 
 
-int main(int argc, char **argv)
+int sm3_main(int argc, char **argv)
 {
 	char *prog = argv[0];
 	char *pubkeyfile = NULL;

tools/sm3hmac.c

@@ -54,7 +54,7 @@
 #include <gmssl/error.h>
 
 
-int main(int argc, char **argv)
+int sm3hmac_main(int argc, char **argv)
 {
 	int ret = -1;
 	char *prog = argv[0];

tools/sm4.c

@@ -53,10 +53,14 @@
 #include <gmssl/hex.h>
 #include <gmssl/error.h>
 
-static const char *options = "-key hex -iv hex [-in file] [-out file]";
+
+#define SM4_MODE_CBC 1
+#define SM4_MODE_CTR 2
+
+static const char *options = "{-cbc|-ctr} {-encrypt|-decrypt} -key hex -iv hex [-in file] [-out file]";
 
 
-int main(int argc, char **argv)
+int sm4_main(int argc, char **argv)
 {
 	char *prog = argv[0];
 	char *keystr = NULL;
@@ -69,8 +73,10 @@ int main(int argc, char **argv)
 	size_t ivlen = sizeof(iv);
 	FILE *infp = stdin;
 	FILE *outfp = stdout;
+	int mode = 0;
 	int enc = -1;
 	SM4_CBC_CTX cbc_ctx;
+	SM4_CTR_CTX ctr_ctx;
 	uint8_t inbuf[4096];
 	size_t inlen;
 	uint8_t outbuf[4196];
@@ -98,6 +104,12 @@ int main(int argc, char **argv)
 			enc = 1;
 		} else if (!strcmp(*argv, "-decrypt")) {
 			enc = 0;
+		} else if (!strcmp(*argv, "-cbc")) {
+			if (mode) goto bad;
+			mode = SM4_MODE_CBC;
+		} else if (!strcmp(*argv, "-ctr")) {
+			if (mode) goto bad;
+			mode = SM4_MODE_CTR;
 		} else if (!strcmp(*argv, "-in")) {
 			if (--argc < 1) goto bad;
 			infile = *(++argv);
@@ -116,6 +128,10 @@ bad:
 		argv++;
 	}
 
+	if (!mode) {
+		fprintf(stderr, "%s: mode not assigned, -cbc or -ctr option required\n", prog);
+		return 1;
+	}
 
 	if (!keystr) {
 		error_print();
@@ -157,6 +173,36 @@ bad:
 		}
 	}
 
+
+	if (mode == SM4_MODE_CTR) {
+		if (sm4_ctr_encrypt_init(&ctr_ctx, key, iv) != 1) {
+			error_print();
+			return -1;
+		}
+		while ((inlen = fread(inbuf, 1, sizeof(inbuf), infp)) > 0) {
+			if (sm4_ctr_encrypt_update(&ctr_ctx, inbuf, inlen, outbuf, &outlen) != 1) {
+				error_print();
+				return -1;
+			}
+			if (fwrite(outbuf, 1, outlen, outfp) != outlen) {
+				error_print();
+				return -1;
+			}
+		}
+		if (sm4_ctr_encrypt_finish(&ctr_ctx, outbuf, &outlen) != 1) {
+			error_print();
+			return -1;
+		}
+		if (fwrite(outbuf, 1, outlen, outfp) != outlen) {
+			error_print();
+			return -1;
+		}
+
+
+		return 0;
+	}
+
+
 	if (enc < 0) {
 		error_print();
 		return -1;
@@ -186,8 +232,6 @@ bad:
 			return -1;
 		}
 
-
-
 	} else {
 		if (sm4_cbc_decrypt_init(&cbc_ctx, key, iv) != 1) {
 			error_print();

tools/tlcp_client.c

@@ -54,7 +54,7 @@
 #include <gmssl/error.h>
 
 
-const char *http_get =
+static const char *http_get =
 	"GET / HTTP/1.1\r\n"
 	"Hostname: aaa\r\n"
 	"\r\n\r\n";
@@ -63,7 +63,7 @@ const char *http_get =
 // 虽然服务器可以用双证书，但是客户端只能使用一个证书，也就是签名证书
 static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file [-pass str]]";
 
-int main(int argc, char *argv[])
+int tlcp_client_main(int argc, char *argv[])
 {
 	int ret = -1;
 	char *prog = argv[0];

tools/tlcp_server.c

@@ -58,7 +58,7 @@
 
 static const char *options = "[-port num] -cert file -key file [-pass str] -ex_key file [-ex_pass str] [-cacert file]";
 
-int main(int argc , char **argv)
+int tlcp_server_main(int argc , char **argv)
 {
 	int ret = -1;
 	char *prog = argv[0];

tools/tls12_client.c

@@ -62,7 +62,7 @@ const char *http_get =
 
 static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file [-pass str]]";
 
-int main(int argc , char *argv[])
+int tls12_client_main(int argc , char *argv[])
 {
 	char *prog = argv[0];
 	char *host = NULL;

tools/tls12_server.c

@@ -58,7 +58,7 @@
 // 因此如果提供了CA证书，那么等同于要求客户端验证
 static const char *options = " [-port num] -cert file -key file [-pass str] [-cacert file]";
 
-int main(int argc , char *argv[])
+int tls12_server_main(int argc , char *argv[])
 {
 	int ret = -1;
 	char *prog = argv[0];

tools/tls13_client.c

@@ -54,7 +54,7 @@
 #include <gmssl/error.h>
 
 
-const char *http_get =
+static const char *http_get =
 	"GET / HTTP/1.1\r\n"
 	"Hostname: aaa\r\n"
 	"\r\n\r\n";
@@ -69,7 +69,7 @@ void print_usage(const char *prog)
 	printf("  -key <file>\n");
 }
 
-int main(int argc , char *argv[])
+int tls13_client_main(int argc , char *argv[])
 {
 	int ret = -1;
 	char *prog = argv[0];

tools/tls13_server.c

@@ -55,7 +55,7 @@
 #include <gmssl/error.h>
 
 
-void print_usage(const char *prog)
+static void print_usage(const char *prog)
 {
 	printf("Usage: %s [options]\n", prog);
 	printf("  -port <num>\n");
@@ -63,7 +63,7 @@ void print_usage(const char *prog)
 	printf("  -signkey <file>\n");
 }
 
-int main(int argc , char *argv[])
+int tls13_server_main(int argc , char *argv[])
 {
 	int ret = -1;
 	char *prog = argv[0];