From 3f84d721a679ab102238e5dbf194d54a6e7b00f9 Mon Sep 17 00:00:00 2001 From: Zhi Guan Date: Mon, 15 Jun 2026 15:21:33 +0800 Subject: [PATCH] Update TLS cmake --- CMakeLists.txt | 44 +++++- cmake/cert_commands.cmake | 108 ++++++++++++++ cmake/openssl_interop_commands.cmake | 67 +++++++++ cmake/tlcp_commands.cmake | 120 +++++----------- cmake/tls12_commands.cmake | 101 +++++-------- cmake/tls13_commands.cmake | 206 +++++++++++++++++++-------- cmake/tls_command_test.cmake | 183 ++++++++++++++++++++++++ include/gmssl/version.h | 2 +- 8 files changed, 615 insertions(+), 216 deletions(-) create mode 100644 cmake/openssl_interop_commands.cmake create mode 100644 cmake/tls_command_test.cmake
diff --git a/CMakeLists.txt b/CMakeLists.txt
index afa98f3f..ccf3ad8d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -748,10 +748,46 @@ endif() add_test(NAME sm3_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/sm3_commands.cmake") add_test(NAME sm2_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/sm2_commands.cmake") add_test(NAME cert_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/cert_commands.cmake") +set_tests_properties(cert_commands PROPERTIES FIXTURES_SETUP gmssl_cert_files) if(ENABLE_TLS AND NOT WIN32) - add_test(NAME tlcp_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake") - add_test(NAME tls12_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake") - add_test(NAME tls13_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") + find_program(OPENSSL_EXECUTABLE openssl) + add_test(NAME tlcp_sm4_cbc COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_cbc -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake") + add_test(NAME tlcp_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake") + add_test(NAME tls12_sm4_cbc COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_cbc -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake") + add_test(NAME tls12_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake") + add_test(NAME tls13_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") + add_test(NAME tls13_hrr_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_hrr_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") + add_test(NAME tls13_psk_dhe_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_psk_dhe_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") + add_test(NAME tls13_psk_only_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_psk_only_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") + add_test(NAME tls13_early_data_sm4_gcm COMMAND ${CMAKE_COMMAND} 
-DTEST_CASE=tls13_early_data_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") + set_tests_properties( + tlcp_sm4_cbc + tlcp_sm4_gcm + tls12_sm4_cbc + tls12_sm4_gcm + tls13_sm4_gcm + tls13_hrr_sm4_gcm + tls13_psk_dhe_sm4_gcm + tls13_psk_only_sm4_gcm + tls13_early_data_sm4_gcm + PROPERTIES FIXTURES_REQUIRED gmssl_cert_files) + set_tests_properties( + tls13_hrr_sm4_gcm + tls13_psk_only_sm4_gcm + tls13_early_data_sm4_gcm + PROPERTIES DISABLED TRUE) + if(OPENSSL_EXECUTABLE) + add_test(NAME tls12_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake") + add_test(NAME tls12_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake") + add_test(NAME tls13_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake") + add_test(NAME tls13_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake") + set_tests_properties( + tls12_openssl_server + tls12_openssl_client + tls13_openssl_server + tls13_openssl_client + PROPERTIES FIXTURES_REQUIRED gmssl_cert_files) + endif() endif() # Generate install package with cpack @@ -764,7 +800,7 @@ endif() # set(CPACK_PACKAGE_NAME "GmSSL") set(CPACK_PACKAGE_VENDOR "GmSSL develop team") -set(CPACK_PACKAGE_VERSION "3.2.0-dev.1056") +set(CPACK_PACKAGE_VERSION "3.2.0-dev.1057") set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md) set(CPACK_NSIS_MODIFY_PATH ON) include(CPack) diff --git a/cmake/cert_commands.cmake b/cmake/cert_commands.cmake index aa035ca8..3839b2fe 100644 --- a/cmake/cert_commands.cmake +++ b/cmake/cert_commands.cmake 
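Review bot: The `-DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE}` argument in the four openssl interop `add_test` calls is unquoted, so a `find_program` result containing a space or a semicolon is split into several ctest arguments; write it as `"-DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE}"`. `find_program` also accepts whatever `openssl` is first on PATH, while the TLS 1.3 cases depend on options that only OpenSSL 1.1.1 and later provide (`-no_middlebox`, `-ciphersuites`), so an older binary turns those tests into hard failures rather than skips; consider probing `${OPENSSL_EXECUTABLE} version` at configure time, or giving the interop tests a `SKIP_RETURN_CODE` the script can exit with. The `DISABLED TRUE` block for `tls13_hrr_sm4_gcm`, `tls13_psk_only_sm4_gcm` and `tls13_early_data_sm4_gcm` carries no reason; a one-line comment such as `# disabled: <reason, e.g. not yet passing on CI>` keeps them from silently rotting.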
@@ -158,3 +158,111 @@ file(READ signcert.pem CERT_CONTENT) file(APPEND tls_server_certs.pem "${CERT_CONTENT}") file(READ cacert.pem CERT_CONTENT) file(APPEND tls_server_certs.pem "${CERT_CONTENT}") + +execute_process( + COMMAND bin/gmssl p256keygen -pass P@ssw0rd -out p256rootcakey.pem -export p256rootcakey.exp + RESULT_VARIABLE TEST_RESULT + ERROR_VARIABLE TEST_STDERR +) +if(NOT ${TEST_RESULT} EQUAL 0) + message(FATAL_ERROR "stderr: ${TEST_STDERR}") +endif() +if(NOT EXISTS p256rootcakey.pem OR NOT EXISTS p256rootcakey.exp) + message(FATAL_ERROR "generated file does not exist") +endif() + +execute_process( + COMMAND bin/gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN P256ROOTCA -days 3650 -key p256rootcakey.pem -pass P@ssw0rd -out p256rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca + RESULT_VARIABLE TEST_RESULT + ERROR_VARIABLE TEST_STDERR +) +if(NOT ${TEST_RESULT} EQUAL 0) + message(FATAL_ERROR "stderr: ${TEST_STDERR}") +endif() +if(NOT EXISTS p256rootcacert.pem) + message(FATAL_ERROR "generated file does not exist") +endif() + +execute_process( + COMMAND bin/gmssl p256keygen -pass P@ssw0rd -out p256cakey.pem -export p256cakey.exp + RESULT_VARIABLE TEST_RESULT + ERROR_VARIABLE TEST_STDERR +) +if(NOT ${TEST_RESULT} EQUAL 0) + message(FATAL_ERROR "stderr: ${TEST_STDERR}") +endif() +if(NOT EXISTS p256cakey.pem OR NOT EXISTS p256cakey.exp) + message(FATAL_ERROR "generated file does not exist") +endif() + +execute_process( + COMMAND bin/gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "P256 Sub CA" -key p256cakey.pem -pass P@ssw0rd -out p256careq.pem + RESULT_VARIABLE TEST_RESULT + ERROR_VARIABLE TEST_STDERR +) +if(NOT ${TEST_RESULT} EQUAL 0) + message(FATAL_ERROR "stderr: ${TEST_STDERR}") +endif() +if(NOT EXISTS p256careq.pem) + message(FATAL_ERROR "generated file does not exist") +endif() + +execute_process( + COMMAND bin/gmssl reqsign -in p256careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert 
p256rootcacert.pem -key p256rootcakey.pem -pass P@ssw0rd -out p256cacert.pem -ca + RESULT_VARIABLE TEST_RESULT + ERROR_VARIABLE TEST_STDERR +) +if(NOT ${TEST_RESULT} EQUAL 0) + message(FATAL_ERROR "stderr: ${TEST_STDERR}") +endif() +if(NOT EXISTS p256cacert.pem) + message(FATAL_ERROR "generated file does not exist") +endif() + +execute_process( + COMMAND bin/gmssl p256keygen -pass P@ssw0rd -out p256signkey.pem -export p256signkey.exp + RESULT_VARIABLE TEST_RESULT + ERROR_VARIABLE TEST_STDERR +) +if(NOT ${TEST_RESULT} EQUAL 0) + message(FATAL_ERROR "stderr: ${TEST_STDERR}") +endif() +if(NOT EXISTS p256signkey.pem OR NOT EXISTS p256signkey.exp) + message(FATAL_ERROR "generated file does not exist") +endif() + +execute_process( + COMMAND bin/gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN 127.0.0.1 -key p256signkey.pem -pass P@ssw0rd -out p256signreq.pem + RESULT_VARIABLE TEST_RESULT + ERROR_VARIABLE TEST_STDERR +) +if(NOT ${TEST_RESULT} EQUAL 0) + message(FATAL_ERROR "stderr: ${TEST_STDERR}") +endif() +if(NOT EXISTS p256signreq.pem) + message(FATAL_ERROR "generated file does not exist") +endif() + +execute_process( + COMMAND bin/gmssl reqsign -in p256signreq.pem -days 365 -key_usage digitalSignature -cacert p256cacert.pem -key p256cakey.pem -pass P@ssw0rd -subject_dns_name 127.0.0.1 -out p256signcert.pem + RESULT_VARIABLE TEST_RESULT + ERROR_VARIABLE TEST_STDERR +) +if(NOT ${TEST_RESULT} EQUAL 0) + message(FATAL_ERROR "stderr: ${TEST_STDERR}") +endif() +if(NOT EXISTS p256signcert.pem) + message(FATAL_ERROR "generated file does not exist") +endif() + +file(WRITE p256certs.pem "") +file(READ p256signcert.pem CERT_CONTENT) +file(APPEND p256certs.pem "${CERT_CONTENT}") +file(READ p256cacert.pem CERT_CONTENT) +file(APPEND p256certs.pem "${CERT_CONTENT}") + +file(WRITE rootcacerts.pem "") +file(READ rootcacert.pem CERT_CONTENT) +file(APPEND rootcacerts.pem "${CERT_CONTENT}") +file(READ p256rootcacert.pem CERT_CONTENT) +file(APPEND rootcacerts.pem 
"${CERT_CONTENT}") diff --git a/cmake/openssl_interop_commands.cmake b/cmake/openssl_interop_commands.cmake new file mode 100644 index 00000000..fadfc0fb --- /dev/null +++ b/cmake/openssl_interop_commands.cmake 
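Review bot: Every `if(NOT ${TEST_RESULT} EQUAL 0)` in the new block dereferences the variable before `if()` parses it, and `execute_process` stores a message string rather than a number when the child cannot be launched (or, with `TIMEOUT`, times out), so the very failure path these checks exist for produces a CMake argument error instead of the intended `stderr:` diagnostic; use `if(NOT TEST_RESULT EQUAL 0)` (the quoted form `if(NOT "${TEST_RESULT}" EQUAL 0)` also works). The same pattern is used in the new `tls_command_test.cmake` functions (`SERVER_RESULT`, `CLIENT_RESULT`, `FOUND_INDEX`), where the client `TIMEOUT 30` makes the string case reachable. The eight repeated execute_process/result-check/exists-check stanzas would also read better as one helper that takes the command and the expected output files. Separately, the leaf certificate is issued with `-subject_dns_name 127.0.0.1`, i.e. an IP literal in a dNSName SAN; RFC 5280 places IP addresses in the iPAddress form, so a strictly matching client would not accept this certificate for the address — fine for a fixture, but worth a comment so it is not copied into real issuance.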
@@ -0,0 +1,67 @@ +include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake") + +if(NOT DEFINED OPENSSL_EXECUTABLE) + find_program(OPENSSL_EXECUTABLE openssl) +endif() +if(NOT OPENSSL_EXECUTABLE) + message(FATAL_ERROR "openssl executable not found") +endif() + +gmssl_require_file(p256rootcacert.pem) +gmssl_require_file(p256cacert.pem) +gmssl_require_file(p256signcert.pem) +gmssl_require_file(p256certs.pem) +gmssl_require_file(p256signkey.pem) +gmssl_require_file(p256signkey.exp) + +if(NOT DEFINED TEST_CASE) + set(TEST_CASE tls12_openssl_server) +endif() + +if(TEST_CASE STREQUAL tls12_openssl_server) + set(TEST_NAME tls12_openssl_server) + set(TEST_PORT 4450) + set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256signcert.pem -cert_chain p256cacert.pem -key p256signkey.exp -tls1_2 -cipher ECDHE-ECDSA-AES128-SHA256 -named_curve prime256v1 -www -naccept 1 -quiet") + set(CLIENT_COMMAND "bin/gmssl tls12_client -host 127.0.0.1 -port ${TEST_PORT} -server_name 127.0.0.1 -cacert p256rootcacert.pem -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -get /") + gmssl_run_command_interop_test( + TEST_NAME ${TEST_NAME} + PORT ${TEST_PORT} + SERVER_COMMAND "${SERVER_COMMAND}" + CLIENT_COMMAND "${CLIENT_COMMAND}" + EXPECT_CLIENT_LOG "Connection established") +elseif(TEST_CASE STREQUAL tls12_openssl_client) + set(TEST_NAME tls12_openssl_client) + set(TEST_PORT 4451) + set(SERVER_COMMAND "bin/gmssl tls12_server -port ${TEST_PORT} -cert p256certs.pem -key p256signkey.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -renegotiation_info") + set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_2 -CAfile p256rootcacert.pem -cipher ECDHE-ECDSA-AES128-SHA256 -groups prime256v1 -servername 127.0.0.1 -brief") + gmssl_run_command_interop_test( + 
TEST_NAME ${TEST_NAME} + PORT ${TEST_PORT} + SERVER_COMMAND "${SERVER_COMMAND}" + CLIENT_COMMAND "${CLIENT_COMMAND}" + EXPECT_CLIENT_LOG "Verification: OK") +elseif(TEST_CASE STREQUAL tls13_openssl_server) + set(TEST_NAME tls13_openssl_server) + set(TEST_PORT 4452) + set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256signcert.pem -cert_chain p256cacert.pem -key p256signkey.exp -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -groups prime256v1 -no_middlebox -www -naccept 1 -quiet") + set(CLIENT_COMMAND "bin/gmssl tls13_client -host 127.0.0.1 -port ${TEST_PORT} -server_name 127.0.0.1 -cacert p256rootcacert.pem -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -get /") + gmssl_run_command_interop_test( + TEST_NAME ${TEST_NAME} + PORT ${TEST_PORT} + SERVER_COMMAND "${SERVER_COMMAND}" + CLIENT_COMMAND "${CLIENT_COMMAND}" + EXPECT_CLIENT_LOG "Connection established") +elseif(TEST_CASE STREQUAL tls13_openssl_client) + set(TEST_NAME tls13_openssl_client) + set(TEST_PORT 4453) + set(SERVER_COMMAND "bin/gmssl tls13_server -port ${TEST_PORT} -cert p256certs.pem -key p256signkey.pem -pass P@ssw0rd -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256") + set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_3 -CAfile p256rootcacert.pem -ciphersuites TLS_AES_128_GCM_SHA256 -groups prime256v1 -sigalgs ecdsa_secp256r1_sha256 -no_middlebox -brief") + gmssl_run_command_interop_test( + TEST_NAME ${TEST_NAME} + PORT ${TEST_PORT} + SERVER_COMMAND "${SERVER_COMMAND}" + CLIENT_COMMAND "${CLIENT_COMMAND}" + EXPECT_CLIENT_LOG "Verification: OK") +else() + message(FATAL_ERROR "unknown OpenSSL interop test case: ${TEST_CASE}") +endif() diff --git a/cmake/tlcp_commands.cmake b/cmake/tlcp_commands.cmake index 6b427ec2..c0a1239e 100644 --- a/cmake/tlcp_commands.cmake +++ b/cmake/tlcp_commands.cmake 
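Review bot: `${OPENSSL_EXECUTABLE}` is interpolated bare into `SERVER_COMMAND`/`CLIENT_COMMAND`, which the helper hands to `bash -c`, so a path containing a space is word-split by the shell; wrap it as `\"${OPENSSL_EXECUTABLE}\"` in the four `set()` lines. In the `tls12_openssl_client` and `tls13_openssl_client` cases the `s_client` invocation validates the chain only — `-CAfile` with `-brief` prints `Verification: OK` without any host-name or IP check — so those tests do not exercise name binding; if that is intended, say so in a comment next to `EXPECT_CLIENT_LOG "Verification: OK"`. `TEST_CASE` is compared unquoted (`if(TEST_CASE STREQUAL tls12_openssl_server)`); `if("${TEST_CASE}" STREQUAL "tls12_openssl_server")` avoids the second dereference CMake applies when the value happens to name another variable.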
@@ -1,93 +1,39 @@ +include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake") -if(NOT EXISTS rootcacert.pem) - message(FATAL_ERROR "file does not exist") +gmssl_require_file(rootcacert.pem) +gmssl_require_file(tlcp_server_certs.pem) +gmssl_require_file(tlcp_server_keys.pem) + +if(NOT DEFINED TEST_CASE) + set(TEST_CASE tlcp_sm4_cbc) endif() -if(NOT EXISTS tlcp_server_certs.pem) - message(FATAL_ERROR "file does not exist") -endif() - -if(NOT EXISTS tlcp_server_keys.pem) - message(FATAL_ERROR "file does not exist") -endif() - -set(TLCP_TEST_PORT 4431) -file(REMOVE "tlcp_client.log" "tlcp_server.log") - -if(NOT WIN32) - execute_process( - COMMAND pkill -f "gmssl tlcp_server" - OUTPUT_QUIET - ERROR_QUIET - ) -endif() - -if(WIN32) - execute_process( - COMMAND cmd /c "start /B bin\\gmssl tlcp_server -port ${TLCP_TEST_PORT} -cert tlcp_server_certs.pem -key tlcp_server_keys.pem -pass P@ssw0rd > tlcp_server.log 2>&1" - RESULT_VARIABLE SERVER_RESULT - TIMEOUT 5 - ) +if(TEST_CASE STREQUAL tlcp_sm4_cbc) + set(TEST_NAME tlcp_sm4_cbc) + set(TEST_PORT 4431) + set(TEST_CIPHER_SUITE TLS_ECC_SM4_CBC_SM3) +elseif(TEST_CASE STREQUAL tlcp_sm4_gcm) + set(TEST_NAME tlcp_sm4_gcm) + set(TEST_PORT 4435) + set(TEST_CIPHER_SUITE TLS_ECC_SM4_GCM_SM3) else() - execute_process( - COMMAND bash -c "nohup bin/gmssl tlcp_server -port ${TLCP_TEST_PORT} -cert tlcp_server_certs.pem -key tlcp_server_keys.pem -pass P@ssw0rd > tlcp_server.log 2>&1 &" - RESULT_VARIABLE SERVER_RESULT - TIMEOUT 5 - ) -endif() -if(NOT ${SERVER_RESULT} EQUAL 0) - message(FATAL_ERROR "server failed to start") + message(FATAL_ERROR "unknown TLCP test case: ${TEST_CASE}") endif() -set(FOUND_INDEX -1) -foreach(i RANGE 1 15) - if (WIN32) - execute_process( - COMMAND cmd /c "start /B bin\\gmssl tlcp_client -host 127.0.0.1 -port ${TLCP_TEST_PORT} -cacert rootcacert.pem -cipher_suite TLS_ECC_SM4_CBC_SM3 > tlcp_client.log 2>&1" - RESULT_VARIABLE CLIENT_RESULT - TIMEOUT 5 - ) - else() - execute_process( - COMMAND bash -c "bin/gmssl 
tlcp_client -host 127.0.0.1 -port ${TLCP_TEST_PORT} -cacert rootcacert.pem -cipher_suite TLS_ECC_SM4_CBC_SM3 < /dev/null > tlcp_client.log 2>&1 &" - RESULT_VARIABLE CLIENT_RESULT - TIMEOUT 5 - ) - endif() - if(NOT ${CLIENT_RESULT} EQUAL 0) - message(FATAL_ERROR "client failed to start") - endif() - execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1) - if(EXISTS "tlcp_client.log") - file(READ "tlcp_client.log" CLIENT_LOG_CONTENT) - string(FIND "${CLIENT_LOG_CONTENT}" "Connection established" FOUND_INDEX) - if(NOT ${FOUND_INDEX} EQUAL -1) - break() - endif() - endif() -endforeach() - -if(NOT WIN32) - execute_process( - COMMAND pkill -f "gmssl tlcp_server" - OUTPUT_QUIET - ERROR_QUIET - ) - execute_process( - COMMAND pkill -f "gmssl tlcp_client" - OUTPUT_QUIET - ERROR_QUIET - ) -endif() - -if(${FOUND_INDEX} EQUAL -1) - if(EXISTS "tlcp_server.log") - file(READ "tlcp_server.log" SERVER_LOG_CONTENT) - message(STATUS "tlcp_server.log:\n${SERVER_LOG_CONTENT}") - endif() - if(EXISTS "tlcp_client.log") - file(READ "tlcp_client.log" CLIENT_LOG_CONTENT) - message(STATUS "tlcp_client.log:\n${CLIENT_LOG_CONTENT}") - endif() - message(FATAL_ERROR "Client did not establish connection with server.") -endif() +gmssl_run_tls_command_test( + TEST_NAME ${TEST_NAME} + PORT ${TEST_PORT} + SERVER_ARGS + tlcp_server + -port ${TEST_PORT} + -cert tlcp_server_certs.pem + -key tlcp_server_keys.pem + -pass P@ssw0rd + CLIENT_ARGS + tlcp_client + -host 127.0.0.1 + -port ${TEST_PORT} + -cacert rootcacert.pem + -cipher_suite ${TEST_CIPHER_SUITE} + -in ${TEST_NAME}_message.txt +) diff --git a/cmake/tls12_commands.cmake b/cmake/tls12_commands.cmake index 7849b52e..ed2cf1a2 100644 --- a/cmake/tls12_commands.cmake +++ b/cmake/tls12_commands.cmake 
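Review bot: The two cases differ only in the client's `-cipher_suite`, yet the server is started without any suite restriction and the helper asserts only `Connection established`, so `tlcp_sm4_gcm` would still pass if the server negotiated something other than `TLS_ECC_SM4_GCM_SM3`; if `tlcp_server` accepts a `-cipher_suite` option, pass `-cipher_suite ${TEST_CIPHER_SUITE}` on the server side as `tls12_commands.cmake` does, and if `tlcp_client` logs the negotiated suite, add `EXPECT_CLIENT_LOG ${TEST_CIPHER_SUITE}` so the test pins what its name claims. The same gap exists for the `tls12_sm4_cbc`/`tls12_sm4_gcm` pair, where the server is constrained but the negotiated suite is still never checked. A short header comment stating that the script is run as `cmake -DTEST_CASE=<case> -P cmake/tlcp_commands.cmake` from the build directory, and that `bin/gmssl` and the certificate fixtures are resolved relative to the working directory, would also help the next reader.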
@@ -1,69 +1,44 @@ +include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake") -if(NOT EXISTS rootcacert.pem) - message(FATAL_ERROR "file does not exist") +gmssl_require_file(rootcacert.pem) +gmssl_require_file(tls_server_certs.pem) +gmssl_require_file(signkey.pem) + +if(NOT DEFINED TEST_CASE) + set(TEST_CASE tls12_sm4_cbc) endif() -if(NOT EXISTS tls_server_certs.pem) - message(FATAL_ERROR "file does not exist") +if(TEST_CASE STREQUAL tls12_sm4_cbc) + set(TEST_NAME tls12_sm4_cbc) + set(TEST_PORT 4432) + set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_CBC_SM3) +elseif(TEST_CASE STREQUAL tls12_sm4_gcm) + set(TEST_NAME tls12_sm4_gcm) + set(TEST_PORT 4434) + set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3) +else() + message(FATAL_ERROR "unknown TLS 1.2 test case: ${TEST_CASE}") endif() -if(NOT EXISTS signkey.pem) - message(FATAL_ERROR "file does not exist") -endif() - -if(NOT EXISTS enckey.pem) - message(FATAL_ERROR "file does not exist") -endif() - -set(TLS12_TEST_PORT 4432) -file(REMOVE "tls12_client.log" "tls12_server.log") - -execute_process( - COMMAND pkill -f "gmssl tls12_server" - OUTPUT_QUIET - ERROR_QUIET +gmssl_run_tls_command_test( + TEST_NAME ${TEST_NAME} + PORT ${TEST_PORT} + SERVER_ARGS + tls12_server + -port ${TEST_PORT} + -cert tls_server_certs.pem + -key signkey.pem + -pass P@ssw0rd + -cipher_suite ${TEST_CIPHER_SUITE} + -supported_group sm2p256v1 + -sig_alg sm2sig_sm3 + CLIENT_ARGS + tls12_client + -host 127.0.0.1 + -port ${TEST_PORT} + -cacert rootcacert.pem + -cipher_suite ${TEST_CIPHER_SUITE} + -supported_group sm2p256v1 + -sig_alg sm2sig_sm3 + -in ${TEST_NAME}_message.txt ) - -execute_process( - COMMAND bash -c "nohup bin/gmssl tls12_server -port ${TLS12_TEST_PORT} -cert tls_server_certs.pem -key signkey.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_SM4_CBC_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 > tls12_server.log 2>&1 &" - RESULT_VARIABLE SERVER_RESULT - TIMEOUT 5 -) -if(NOT ${SERVER_RESULT} EQUAL 0) - message(FATAL_ERROR "server failed to start") 
-endif() - -execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 2) - -execute_process( - COMMAND bash -c "bin/gmssl tls12_client -host localhost -port ${TLS12_TEST_PORT} -cacert rootcacert.pem -cipher_suite TLS_ECDHE_SM4_CBC_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 < /dev/null > tls12_client.log 2>&1 &" - RESULT_VARIABLE CLIENT_RESULT - TIMEOUT 5 -) - -set(FOUND_INDEX -1) -foreach(i RANGE 1 15) - if(EXISTS "tls12_client.log") - file(READ "tls12_client.log" CLIENT_LOG_CONTENT) - string(FIND "${CLIENT_LOG_CONTENT}" "Connection established" FOUND_INDEX) - if(NOT ${FOUND_INDEX} EQUAL -1) - break() - endif() - endif() - execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1) -endforeach() - -execute_process( - COMMAND pkill -f "gmssl tls12_server" - OUTPUT_QUIET - ERROR_QUIET -) -execute_process( - COMMAND pkill -f "gmssl tls12_client" - OUTPUT_QUIET - ERROR_QUIET -) - -if(${FOUND_INDEX} EQUAL -1) - message(FATAL_ERROR "Client did not establish connection with server.") -endif() diff --git a/cmake/tls13_commands.cmake b/cmake/tls13_commands.cmake index 7bbb547c..8fa57490 100644 --- a/cmake/tls13_commands.cmake +++ b/cmake/tls13_commands.cmake 
@@ -1,65 +1,149 @@ +include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake") -if(NOT EXISTS rootcacert.pem) - message(FATAL_ERROR "file does not exist") +gmssl_require_file(rootcacert.pem) +gmssl_require_file(tls_server_certs.pem) +gmssl_require_file(signkey.pem) + +set(TLS13_PSK 1122334455667788112233445566778811223344556677881122334455667788) + +if(NOT DEFINED TEST_CASE) + set(TEST_CASE tls13_sm4_gcm) endif() -if(NOT EXISTS tls_server_certs.pem) - message(FATAL_ERROR "file does not exist") -endif() - -if(NOT EXISTS signkey.pem) - message(FATAL_ERROR "file does not exist") -endif() - -set(TLS13_TEST_PORT 4433) -file(REMOVE "tls13_client.log" "tls13_server.log") - -execute_process( - COMMAND pkill -f "gmssl tls13_server" - OUTPUT_QUIET - ERROR_QUIET -) - -execute_process( - COMMAND bash -c "nohup bin/gmssl tls13_server -port ${TLS13_TEST_PORT} -cert tls_server_certs.pem -key signkey.pem -pass P@ssw0rd -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 > tls13_server.log 2>&1 &" - RESULT_VARIABLE SERVER_RESULT - TIMEOUT 5 -) -if(NOT ${SERVER_RESULT} EQUAL 0) - message(FATAL_ERROR "server failed to start") -endif() - -execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 2) - -execute_process( - COMMAND bash -c "bin/gmssl tls13_client -host localhost -port ${TLS13_TEST_PORT} -cacert rootcacert.pem -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 < /dev/null > tls13_client.log 2>&1 &" - RESULT_VARIABLE CLIENT_RESULT - TIMEOUT 5 -) - -set(FOUND_INDEX -1) -foreach(i RANGE 1 15) - if(EXISTS "tls13_client.log") - file(READ "tls13_client.log" CLIENT_LOG_CONTENT) - string(FIND "${CLIENT_LOG_CONTENT}" "Connection established" FOUND_INDEX) - if(NOT ${FOUND_INDEX} EQUAL -1) - break() - endif() - endif() - execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1) -endforeach() - -execute_process( - COMMAND pkill -f "gmssl tls13_server" - OUTPUT_QUIET - ERROR_QUIET -) -execute_process( - COMMAND pkill -f "gmssl tls13_client" - 
OUTPUT_QUIET - ERROR_QUIET -) - -if(${FOUND_INDEX} EQUAL -1) - message(FATAL_ERROR "Client did not establish connection with server.") +if(TEST_CASE STREQUAL tls13_sm4_gcm) + gmssl_run_tls_command_test( + TEST_NAME tls13_sm4_gcm + PORT 4433 + SERVER_ARGS + tls13_server + -port 4433 + -cert tls_server_certs.pem + -key signkey.pem + -pass P@ssw0rd + -cipher_suite TLS_SM4_GCM_SM3 + -supported_group sm2p256v1 + -sig_alg sm2sig_sm3 + CLIENT_ARGS + tls13_client + -host 127.0.0.1 + -port 4433 + -cacert rootcacert.pem + -cipher_suite TLS_SM4_GCM_SM3 + -supported_group sm2p256v1 + -sig_alg sm2sig_sm3 + -in tls13_sm4_gcm_message.txt + ) +elseif(TEST_CASE STREQUAL tls13_hrr_sm4_gcm) + gmssl_run_tls_command_test( + TEST_NAME tls13_hrr_sm4_gcm + PORT 4436 + EXPECT_CLIENT_LOG "selected_group: sm2p256v1" + SERVER_ARGS + tls13_server + -port 4436 + -cert tls_server_certs.pem + -key signkey.pem + -pass P@ssw0rd + -cipher_suite TLS_SM4_GCM_SM3 + -supported_group sm2p256v1 + -sig_alg sm2sig_sm3 + -verbose + CLIENT_ARGS + tls13_client + -host 127.0.0.1 + -port 4436 + -cacert rootcacert.pem + -cipher_suite TLS_SM4_GCM_SM3 + -supported_group prime256v1 + -supported_group sm2p256v1 + -sig_alg sm2sig_sm3 + -max_key_exchanges 1 + -in tls13_hrr_sm4_gcm_message.txt + -verbose + ) +elseif(TEST_CASE STREQUAL tls13_psk_dhe_sm4_gcm) + gmssl_run_tls_command_test( + TEST_NAME tls13_psk_dhe_sm4_gcm + PORT 4437 + SERVER_ARGS + tls13_server + -port 4437 + -cert tls_server_certs.pem + -key signkey.pem + -pass P@ssw0rd + -cipher_suite TLS_SM4_GCM_SM3 + -supported_group sm2p256v1 + -psk_dhe_ke + -psk_identity 001 + -psk_cipher_suite TLS_SM4_GCM_SM3 + -psk_key ${TLS13_PSK} + CLIENT_ARGS + tls13_client + -host 127.0.0.1 + -port 4437 + -cipher_suite TLS_SM4_GCM_SM3 + -supported_group sm2p256v1 + -psk_dhe_ke + -psk_identity 001 + -psk_cipher_suite TLS_SM4_GCM_SM3 + -psk_key ${TLS13_PSK} + -in tls13_psk_dhe_sm4_gcm_message.txt + ) +elseif(TEST_CASE STREQUAL tls13_psk_only_sm4_gcm) + 
gmssl_run_tls_command_test( + TEST_NAME tls13_psk_only_sm4_gcm + PORT 4438 + SERVER_ARGS + tls13_server + -port 4438 + -cert tls_server_certs.pem + -key signkey.pem + -pass P@ssw0rd + -cipher_suite TLS_SM4_GCM_SM3 + -psk_ke + -psk_identity 001 + -psk_cipher_suite TLS_SM4_GCM_SM3 + -psk_key ${TLS13_PSK} + CLIENT_ARGS + tls13_client + -host 127.0.0.1 + -port 4438 + -cipher_suite TLS_SM4_GCM_SM3 + -psk_ke + -psk_identity 001 + -psk_cipher_suite TLS_SM4_GCM_SM3 + -psk_key ${TLS13_PSK} + -in tls13_psk_only_sm4_gcm_message.txt + ) +elseif(TEST_CASE STREQUAL tls13_early_data_sm4_gcm) + gmssl_run_tls_command_test( + TEST_NAME tls13_early_data_sm4_gcm + PORT 4439 + EXPECT_SERVER_LOG "EarlyData" + SERVER_ARGS + tls13_server + -port 4439 + -cert tls_server_certs.pem + -key signkey.pem + -pass P@ssw0rd + -cipher_suite TLS_SM4_GCM_SM3 + -psk_ke + -psk_identity 001 + -psk_cipher_suite TLS_SM4_GCM_SM3 + -psk_key ${TLS13_PSK} + -early_data + CLIENT_ARGS + tls13_client + -host 127.0.0.1 + -port 4439 + -cipher_suite TLS_SM4_GCM_SM3 + -psk_ke + -psk_identity 001 + -psk_cipher_suite TLS_SM4_GCM_SM3 + -psk_key ${TLS13_PSK} + -early_data tls13_early_data_sm4_gcm_early_data.txt + -in tls13_early_data_sm4_gcm_message.txt + ) +else() + message(FATAL_ERROR "unknown TLS 1.3 test case: ${TEST_CASE}") endif() diff --git a/cmake/tls_command_test.cmake b/cmake/tls_command_test.cmake new file mode 100644 index 00000000..6b40cea1 --- /dev/null +++ b/cmake/tls_command_test.cmake 
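Review bot: The port is repeated as a literal three times per case (`PORT 4433`, server `-port 4433`, client `-port 4433`), unlike the sibling `tlcp_commands.cmake`/`tls12_commands.cmake` scripts that set `TEST_PORT` once and pass `${TEST_PORT}`; a typo in one copy would send the client to a different port and fail with a misleading log, so the same variable-first layout is worth adopting here. `TLS13_PSK` is a hard-coded 64-hex-digit value shared by the PSK cases with no explanation; a comment such as `# Fixed test-only PSK (32 bytes, hex); client and server must use the same value` documents the intent and makes clear it is a fixture, not a default. The PSK-only and early-data clients omit `-cacert`, which is consistent with PSK authentication but deserves a one-line comment since every other case relies on it.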
@@ -0,0 +1,183 @@ +function(gmssl_require_file file) + if(NOT EXISTS "${file}") + message(FATAL_ERROR "required file does not exist: ${file}") + endif() +endfunction() + +function(gmssl_run_command_interop_test) + set(one_value_args TEST_NAME PORT SERVER_COMMAND CLIENT_COMMAND EXPECT_CLIENT_LOG EXPECT_SERVER_LOG) + cmake_parse_arguments(TEST "" "${one_value_args}" "" ${ARGN}) + + if(NOT TEST_TEST_NAME) + message(FATAL_ERROR "TEST_NAME is required") + endif() + if(NOT TEST_PORT) + message(FATAL_ERROR "PORT is required") + endif() + if(NOT TEST_SERVER_COMMAND) + message(FATAL_ERROR "SERVER_COMMAND is required") + endif() + if(NOT TEST_CLIENT_COMMAND) + message(FATAL_ERROR "CLIENT_COMMAND is required") + endif() + + set(SERVER_LOG "${TEST_TEST_NAME}_server.log") + set(CLIENT_LOG "${TEST_TEST_NAME}_client.log") + set(SERVER_PID_FILE "${TEST_TEST_NAME}_server.pid") + + file(REMOVE "${SERVER_LOG}" "${CLIENT_LOG}" "${SERVER_PID_FILE}") + + execute_process( + COMMAND bash -c "nohup ${TEST_SERVER_COMMAND} > ${SERVER_LOG} 2>&1 & echo $! 
> ${SERVER_PID_FILE}" + RESULT_VARIABLE SERVER_RESULT + TIMEOUT 5 + ) + if(NOT ${SERVER_RESULT} EQUAL 0) + message(FATAL_ERROR "server failed to start") + endif() + + execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1) + + execute_process( + COMMAND bash -c "${TEST_CLIENT_COMMAND} > ${CLIENT_LOG} 2>&1" + RESULT_VARIABLE CLIENT_RESULT + TIMEOUT 30 + ) + + execute_process( + COMMAND bash -c "if test -f ${SERVER_PID_FILE}; then kill $(cat ${SERVER_PID_FILE}) 2>/dev/null || true; fi" + OUTPUT_QUIET + ERROR_QUIET + ) + execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1) + + set(SERVER_LOG_CONTENT "") + set(CLIENT_LOG_CONTENT "") + if(EXISTS "${SERVER_LOG}") + file(READ "${SERVER_LOG}" SERVER_LOG_CONTENT) + endif() + if(EXISTS "${CLIENT_LOG}") + file(READ "${CLIENT_LOG}" CLIENT_LOG_CONTENT) + endif() + + if(NOT ${CLIENT_RESULT} EQUAL 0) + message(STATUS "${SERVER_LOG}:\n${SERVER_LOG_CONTENT}") + message(STATUS "${CLIENT_LOG}:\n${CLIENT_LOG_CONTENT}") + message(FATAL_ERROR "client failed with result ${CLIENT_RESULT}") + endif() + + if(TEST_EXPECT_CLIENT_LOG) + string(FIND "${CLIENT_LOG_CONTENT}" "${TEST_EXPECT_CLIENT_LOG}" FOUND_INDEX) + if(${FOUND_INDEX} EQUAL -1) + message(STATUS "${CLIENT_LOG}:\n${CLIENT_LOG_CONTENT}") + message(FATAL_ERROR "client log does not contain expected text: ${TEST_EXPECT_CLIENT_LOG}") + endif() + endif() + + if(TEST_EXPECT_SERVER_LOG) + string(FIND "${SERVER_LOG_CONTENT}" "${TEST_EXPECT_SERVER_LOG}" FOUND_INDEX) + if(${FOUND_INDEX} EQUAL -1) + message(STATUS "${SERVER_LOG}:\n${SERVER_LOG_CONTENT}") + message(FATAL_ERROR "server log does not contain expected text: ${TEST_EXPECT_SERVER_LOG}") + endif() + endif() +endfunction() + +function(gmssl_run_tls_command_test) + set(one_value_args TEST_NAME PORT EXPECT_CLIENT_LOG EXPECT_SERVER_LOG) + set(multi_value_args SERVER_ARGS CLIENT_ARGS) + cmake_parse_arguments(TEST "" "${one_value_args}" "${multi_value_args}" ${ARGN}) + + if(NOT TEST_TEST_NAME) + message(FATAL_ERROR "TEST_NAME is required") + 
endif() + if(NOT TEST_PORT) + message(FATAL_ERROR "PORT is required") + endif() + if(NOT TEST_SERVER_ARGS) + message(FATAL_ERROR "SERVER_ARGS is required") + endif() + if(NOT TEST_CLIENT_ARGS) + message(FATAL_ERROR "CLIENT_ARGS is required") + endif() + + list(GET TEST_SERVER_ARGS 0 SERVER_TOOL) + set(SERVER_LOG "${TEST_TEST_NAME}_server.log") + set(CLIENT_LOG "${TEST_TEST_NAME}_client.log") + set(SERVER_PID_FILE "${TEST_TEST_NAME}_server.pid") + + file(REMOVE "${SERVER_LOG}" "${CLIENT_LOG}" "${SERVER_PID_FILE}") + file(WRITE "${TEST_TEST_NAME}_message.txt" "GmSSL ${TEST_TEST_NAME} command test\n") + file(WRITE "${TEST_TEST_NAME}_early_data.txt" "GmSSL ${TEST_TEST_NAME} early data\n") + + string(REPLACE ";" " " SERVER_CMD "${TEST_SERVER_ARGS}") + string(REPLACE ";" " " CLIENT_CMD "${TEST_CLIENT_ARGS}") + + execute_process( + COMMAND pkill -f "gmssl ${SERVER_TOOL} -port ${TEST_PORT}" + OUTPUT_QUIET + ERROR_QUIET + ) + + execute_process( + COMMAND bash -c "nohup bin/gmssl ${SERVER_CMD} > ${SERVER_LOG} 2>&1 & echo $! 
> ${SERVER_PID_FILE}" + RESULT_VARIABLE SERVER_RESULT + TIMEOUT 5 + ) + if(NOT ${SERVER_RESULT} EQUAL 0) + message(FATAL_ERROR "server failed to start") + endif() + + execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1) + + execute_process( + COMMAND bash -c "bin/gmssl ${CLIENT_CMD} > ${CLIENT_LOG} 2>&1" + RESULT_VARIABLE CLIENT_RESULT + TIMEOUT 30 + ) + + execute_process( + COMMAND pkill -f "gmssl ${SERVER_TOOL} -port ${TEST_PORT}" + OUTPUT_QUIET + ERROR_QUIET + ) + execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1) + + set(SERVER_LOG_CONTENT "") + set(CLIENT_LOG_CONTENT "") + if(EXISTS "${SERVER_LOG}") + file(READ "${SERVER_LOG}" SERVER_LOG_CONTENT) + endif() + if(EXISTS "${CLIENT_LOG}") + file(READ "${CLIENT_LOG}" CLIENT_LOG_CONTENT) + endif() + + if(NOT ${CLIENT_RESULT} EQUAL 0) + message(STATUS "${SERVER_LOG}:\n${SERVER_LOG_CONTENT}") + message(STATUS "${CLIENT_LOG}:\n${CLIENT_LOG_CONTENT}") + message(FATAL_ERROR "client failed with result ${CLIENT_RESULT}") + endif() + + string(FIND "${CLIENT_LOG_CONTENT}" "Connection established" FOUND_INDEX) + if(${FOUND_INDEX} EQUAL -1) + message(STATUS "${SERVER_LOG}:\n${SERVER_LOG_CONTENT}") + message(STATUS "${CLIENT_LOG}:\n${CLIENT_LOG_CONTENT}") + message(FATAL_ERROR "client did not establish connection with server") + endif() + + if(TEST_EXPECT_CLIENT_LOG) + string(FIND "${CLIENT_LOG_CONTENT}" "${TEST_EXPECT_CLIENT_LOG}" FOUND_INDEX) + if(${FOUND_INDEX} EQUAL -1) + message(STATUS "${CLIENT_LOG}:\n${CLIENT_LOG_CONTENT}") + message(FATAL_ERROR "client log does not contain expected text: ${TEST_EXPECT_CLIENT_LOG}") + endif() + endif() + + if(TEST_EXPECT_SERVER_LOG) + string(FIND "${SERVER_LOG_CONTENT}" "${TEST_EXPECT_SERVER_LOG}" FOUND_INDEX) + if(${FOUND_INDEX} EQUAL -1) + message(STATUS "${SERVER_LOG}:\n${SERVER_LOG_CONTENT}") + message(FATAL_ERROR "server log does not contain expected text: ${TEST_EXPECT_SERVER_LOG}") + endif() + endif() +endfunction() 
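Review bot: `gmssl_run_tls_command_test` records the server's PID in `SERVER_PID_FILE` but never uses it; both the pre-start cleanup and the teardown go through `pkill -f "gmssl ${SERVER_TOOL} -port ${TEST_PORT}"`, which signals every process on the host whose command line matches — including another user's or a concurrent CI job's server — whereas `gmssl_run_command_interop_test` in the same file kills only its own child via `if test -f ${SERVER_PID_FILE}; then kill $(cat ${SERVER_PID_FILE}) 2>/dev/null || true; fi`. Replace the post-run `pkill` with that pid-file line and drop the pre-start one, or limit any pre-flight cleanup to a pid file left behind by an earlier run. The `SERVER_RESULT` check after `bash -c "nohup ... &"` only confirms that bash returned, not that the server is alive when the client starts (the `TIMEOUT 5` is likewise a no-op for a backgrounded child), so a `kill -0 $(cat ${SERVER_PID_FILE})` probe after the `sleep 1` would report a crashed server as `server exited before client started` instead of a confusing client-side failure. The `${SERVER_RESULT}`, `${CLIENT_RESULT}` and `${FOUND_INDEX}` expansions inside `if()` should be plain variable names, because a launch failure or the 30 s client timeout stores a message string in the variable and the unquoted expansion then breaks the `if()` itself.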
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index 447237c4..cb336ea4 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 #define GMSSL_VERSION_NUM 30200
-#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1056"
+#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1057"
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);