Update TLS cmake

cmake/cert_commands.cmake

@@ -158,3 +158,111 @@ file(READ signcert.pem CERT_CONTENT)
 file(APPEND tls_server_certs.pem "${CERT_CONTENT}")
 file(READ cacert.pem CERT_CONTENT)
 file(APPEND tls_server_certs.pem "${CERT_CONTENT}")
+
+execute_process(
+	COMMAND bin/gmssl p256keygen -pass P@ssw0rd -out p256rootcakey.pem -export p256rootcakey.exp
+	RESULT_VARIABLE TEST_RESULT
+	ERROR_VARIABLE TEST_STDERR
+)
+if(NOT ${TEST_RESULT} EQUAL 0)
+	message(FATAL_ERROR "stderr: ${TEST_STDERR}")
+endif()
+if(NOT EXISTS p256rootcakey.pem OR NOT EXISTS p256rootcakey.exp)
+	message(FATAL_ERROR "generated file does not exist")
+endif()
+
+execute_process(
+	COMMAND bin/gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN P256ROOTCA -days 3650 -key p256rootcakey.pem -pass P@ssw0rd -out p256rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca
+	RESULT_VARIABLE TEST_RESULT
+	ERROR_VARIABLE TEST_STDERR
+)
+if(NOT ${TEST_RESULT} EQUAL 0)
+	message(FATAL_ERROR "stderr: ${TEST_STDERR}")
+endif()
+if(NOT EXISTS p256rootcacert.pem)
+	message(FATAL_ERROR "generated file does not exist")
+endif()
+
+execute_process(
+	COMMAND bin/gmssl p256keygen -pass P@ssw0rd -out p256cakey.pem -export p256cakey.exp
+	RESULT_VARIABLE TEST_RESULT
+	ERROR_VARIABLE TEST_STDERR
+)
+if(NOT ${TEST_RESULT} EQUAL 0)
+	message(FATAL_ERROR "stderr: ${TEST_STDERR}")
+endif()
+if(NOT EXISTS p256cakey.pem OR NOT EXISTS p256cakey.exp)
+	message(FATAL_ERROR "generated file does not exist")
+endif()
+
+execute_process(
+	COMMAND bin/gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "P256 Sub CA" -key p256cakey.pem -pass P@ssw0rd -out p256careq.pem
+	RESULT_VARIABLE TEST_RESULT
+	ERROR_VARIABLE TEST_STDERR
+)
+if(NOT ${TEST_RESULT} EQUAL 0)
+	message(FATAL_ERROR "stderr: ${TEST_STDERR}")
+endif()
+if(NOT EXISTS p256careq.pem)
+	message(FATAL_ERROR "generated file does not exist")
+endif()
+
+execute_process(
+	COMMAND bin/gmssl reqsign -in p256careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert p256rootcacert.pem -key p256rootcakey.pem -pass P@ssw0rd -out p256cacert.pem -ca
+	RESULT_VARIABLE TEST_RESULT
+	ERROR_VARIABLE TEST_STDERR
+)
+if(NOT ${TEST_RESULT} EQUAL 0)
+	message(FATAL_ERROR "stderr: ${TEST_STDERR}")
+endif()
+if(NOT EXISTS p256cacert.pem)
+	message(FATAL_ERROR "generated file does not exist")
+endif()
+
+execute_process(
+	COMMAND bin/gmssl p256keygen -pass P@ssw0rd -out p256signkey.pem -export p256signkey.exp
+	RESULT_VARIABLE TEST_RESULT
+	ERROR_VARIABLE TEST_STDERR
+)
+if(NOT ${TEST_RESULT} EQUAL 0)
+	message(FATAL_ERROR "stderr: ${TEST_STDERR}")
+endif()
+if(NOT EXISTS p256signkey.pem OR NOT EXISTS p256signkey.exp)
+	message(FATAL_ERROR "generated file does not exist")
+endif()
+
+execute_process(
+	COMMAND bin/gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN 127.0.0.1 -key p256signkey.pem -pass P@ssw0rd -out p256signreq.pem
+	RESULT_VARIABLE TEST_RESULT
+	ERROR_VARIABLE TEST_STDERR
+)
+if(NOT ${TEST_RESULT} EQUAL 0)
+	message(FATAL_ERROR "stderr: ${TEST_STDERR}")
+endif()
+if(NOT EXISTS p256signreq.pem)
+	message(FATAL_ERROR "generated file does not exist")
+endif()
+
+execute_process(
+	COMMAND bin/gmssl reqsign -in p256signreq.pem -days 365 -key_usage digitalSignature -cacert p256cacert.pem -key p256cakey.pem -pass P@ssw0rd -subject_dns_name 127.0.0.1 -out p256signcert.pem
+	RESULT_VARIABLE TEST_RESULT
+	ERROR_VARIABLE TEST_STDERR
+)
+if(NOT ${TEST_RESULT} EQUAL 0)
+	message(FATAL_ERROR "stderr: ${TEST_STDERR}")
+endif()
+if(NOT EXISTS p256signcert.pem)
+	message(FATAL_ERROR "generated file does not exist")
+endif()
+
+file(WRITE p256certs.pem "")
+file(READ p256signcert.pem CERT_CONTENT)
+file(APPEND p256certs.pem "${CERT_CONTENT}")
+file(READ p256cacert.pem CERT_CONTENT)
+file(APPEND p256certs.pem "${CERT_CONTENT}")
+
+file(WRITE rootcacerts.pem "")
+file(READ rootcacert.pem CERT_CONTENT)
+file(APPEND rootcacerts.pem "${CERT_CONTENT}")
+file(READ p256rootcacert.pem CERT_CONTENT)
+file(APPEND rootcacerts.pem "${CERT_CONTENT}")

cmake/openssl_interop_commands.cmake

@@ -0,0 +1,67 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake")
+
+if(NOT DEFINED OPENSSL_EXECUTABLE)
+	find_program(OPENSSL_EXECUTABLE openssl)
+endif()
+if(NOT OPENSSL_EXECUTABLE)
+	message(FATAL_ERROR "openssl executable not found")
+endif()
+
+gmssl_require_file(p256rootcacert.pem)
+gmssl_require_file(p256cacert.pem)
+gmssl_require_file(p256signcert.pem)
+gmssl_require_file(p256certs.pem)
+gmssl_require_file(p256signkey.pem)
+gmssl_require_file(p256signkey.exp)
+
+if(NOT DEFINED TEST_CASE)
+	set(TEST_CASE tls12_openssl_server)
+endif()
+
+if(TEST_CASE STREQUAL tls12_openssl_server)
+	set(TEST_NAME tls12_openssl_server)
+	set(TEST_PORT 4450)
+	set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256signcert.pem -cert_chain p256cacert.pem -key p256signkey.exp -tls1_2 -cipher ECDHE-ECDSA-AES128-SHA256 -named_curve prime256v1 -www -naccept 1 -quiet")
+	set(CLIENT_COMMAND "bin/gmssl tls12_client -host 127.0.0.1 -port ${TEST_PORT} -server_name 127.0.0.1 -cacert p256rootcacert.pem -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -get /")
+	gmssl_run_command_interop_test(
+		TEST_NAME ${TEST_NAME}
+		PORT ${TEST_PORT}
+		SERVER_COMMAND "${SERVER_COMMAND}"
+		CLIENT_COMMAND "${CLIENT_COMMAND}"
+		EXPECT_CLIENT_LOG "Connection established")
+elseif(TEST_CASE STREQUAL tls12_openssl_client)
+	set(TEST_NAME tls12_openssl_client)
+	set(TEST_PORT 4451)
+	set(SERVER_COMMAND "bin/gmssl tls12_server -port ${TEST_PORT} -cert p256certs.pem -key p256signkey.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -renegotiation_info")
+	set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_2 -CAfile p256rootcacert.pem -cipher ECDHE-ECDSA-AES128-SHA256 -groups prime256v1 -servername 127.0.0.1 -brief")
+	gmssl_run_command_interop_test(
+		TEST_NAME ${TEST_NAME}
+		PORT ${TEST_PORT}
+		SERVER_COMMAND "${SERVER_COMMAND}"
+		CLIENT_COMMAND "${CLIENT_COMMAND}"
+		EXPECT_CLIENT_LOG "Verification: OK")
+elseif(TEST_CASE STREQUAL tls13_openssl_server)
+	set(TEST_NAME tls13_openssl_server)
+	set(TEST_PORT 4452)
+	set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256signcert.pem -cert_chain p256cacert.pem -key p256signkey.exp -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -groups prime256v1 -no_middlebox -www -naccept 1 -quiet")
+	set(CLIENT_COMMAND "bin/gmssl tls13_client -host 127.0.0.1 -port ${TEST_PORT} -server_name 127.0.0.1 -cacert p256rootcacert.pem -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -get /")
+	gmssl_run_command_interop_test(
+		TEST_NAME ${TEST_NAME}
+		PORT ${TEST_PORT}
+		SERVER_COMMAND "${SERVER_COMMAND}"
+		CLIENT_COMMAND "${CLIENT_COMMAND}"
+		EXPECT_CLIENT_LOG "Connection established")
+elseif(TEST_CASE STREQUAL tls13_openssl_client)
+	set(TEST_NAME tls13_openssl_client)
+	set(TEST_PORT 4453)
+	set(SERVER_COMMAND "bin/gmssl tls13_server -port ${TEST_PORT} -cert p256certs.pem -key p256signkey.pem -pass P@ssw0rd -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256")
+	set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_3 -CAfile p256rootcacert.pem -ciphersuites TLS_AES_128_GCM_SHA256 -groups prime256v1 -sigalgs ecdsa_secp256r1_sha256 -no_middlebox -brief")
+	gmssl_run_command_interop_test(
+		TEST_NAME ${TEST_NAME}
+		PORT ${TEST_PORT}
+		SERVER_COMMAND "${SERVER_COMMAND}"
+		CLIENT_COMMAND "${CLIENT_COMMAND}"
+		EXPECT_CLIENT_LOG "Verification: OK")
+else()
+	message(FATAL_ERROR "unknown OpenSSL interop test case: ${TEST_CASE}")
+endif()

cmake/tlcp_commands.cmake

@@ -1,93 +1,39 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake")
 
-if(NOT EXISTS rootcacert.pem)
-	message(FATAL_ERROR "file does not exist")
+gmssl_require_file(rootcacert.pem)
+gmssl_require_file(tlcp_server_certs.pem)
+gmssl_require_file(tlcp_server_keys.pem)
+
+if(NOT DEFINED TEST_CASE)
+	set(TEST_CASE tlcp_sm4_cbc)
 endif()
 
-if(NOT EXISTS tlcp_server_certs.pem)
-	message(FATAL_ERROR "file does not exist")
-endif()
-
-if(NOT EXISTS tlcp_server_keys.pem)
-	message(FATAL_ERROR "file does not exist")
-endif()
-
-set(TLCP_TEST_PORT 4431)
-file(REMOVE "tlcp_client.log" "tlcp_server.log")
-
-if(NOT WIN32)
-	execute_process(
-		COMMAND pkill -f "gmssl tlcp_server"
-		OUTPUT_QUIET
-		ERROR_QUIET
-	)
-endif()
-
-if(WIN32)
-	execute_process(
-		COMMAND cmd /c "start /B bin\\gmssl tlcp_server -port ${TLCP_TEST_PORT} -cert tlcp_server_certs.pem -key tlcp_server_keys.pem -pass P@ssw0rd > tlcp_server.log 2>&1"
-		RESULT_VARIABLE SERVER_RESULT
-		TIMEOUT 5
-	)
+if(TEST_CASE STREQUAL tlcp_sm4_cbc)
+	set(TEST_NAME tlcp_sm4_cbc)
+	set(TEST_PORT 4431)
+	set(TEST_CIPHER_SUITE TLS_ECC_SM4_CBC_SM3)
+elseif(TEST_CASE STREQUAL tlcp_sm4_gcm)
+	set(TEST_NAME tlcp_sm4_gcm)
+	set(TEST_PORT 4435)
+	set(TEST_CIPHER_SUITE TLS_ECC_SM4_GCM_SM3)
 else()
-	execute_process(
-		COMMAND bash -c "nohup bin/gmssl tlcp_server -port ${TLCP_TEST_PORT} -cert tlcp_server_certs.pem -key tlcp_server_keys.pem -pass P@ssw0rd > tlcp_server.log 2>&1 &"
-		RESULT_VARIABLE SERVER_RESULT
-		TIMEOUT 5
-	)
-endif()
-if(NOT ${SERVER_RESULT} EQUAL 0)
-	message(FATAL_ERROR "server failed to start")
+	message(FATAL_ERROR "unknown TLCP test case: ${TEST_CASE}")
 endif()
 
-set(FOUND_INDEX -1)
-foreach(i RANGE 1 15)
-	if (WIN32)
-		execute_process(
-			COMMAND cmd /c "start /B bin\\gmssl tlcp_client -host 127.0.0.1 -port ${TLCP_TEST_PORT} -cacert rootcacert.pem -cipher_suite TLS_ECC_SM4_CBC_SM3 > tlcp_client.log 2>&1"
-			RESULT_VARIABLE CLIENT_RESULT
-			TIMEOUT 5
-		)
-	else()
-		execute_process(
-			COMMAND bash -c "bin/gmssl tlcp_client -host 127.0.0.1 -port ${TLCP_TEST_PORT} -cacert rootcacert.pem -cipher_suite TLS_ECC_SM4_CBC_SM3 < /dev/null > tlcp_client.log 2>&1 &"
-			RESULT_VARIABLE CLIENT_RESULT
-			TIMEOUT 5
-		)
-	endif()
-	if(NOT ${CLIENT_RESULT} EQUAL 0)
-		message(FATAL_ERROR "client failed to start")
-	endif()
-	execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1)
-	if(EXISTS "tlcp_client.log")
-		file(READ "tlcp_client.log" CLIENT_LOG_CONTENT)
-		string(FIND "${CLIENT_LOG_CONTENT}" "Connection established" FOUND_INDEX)
-		if(NOT ${FOUND_INDEX} EQUAL -1)
-			break()
-		endif()
-	endif()
-endforeach()
-
-if(NOT WIN32)
-	execute_process(
-		COMMAND pkill -f "gmssl tlcp_server"
-		OUTPUT_QUIET
-		ERROR_QUIET
-	)
-	execute_process(
-		COMMAND pkill -f "gmssl tlcp_client"
-		OUTPUT_QUIET
-		ERROR_QUIET
-	)
-endif()
-
-if(${FOUND_INDEX} EQUAL -1)
-	if(EXISTS "tlcp_server.log")
-		file(READ "tlcp_server.log" SERVER_LOG_CONTENT)
-		message(STATUS "tlcp_server.log:\n${SERVER_LOG_CONTENT}")
-	endif()
-	if(EXISTS "tlcp_client.log")
-		file(READ "tlcp_client.log" CLIENT_LOG_CONTENT)
-		message(STATUS "tlcp_client.log:\n${CLIENT_LOG_CONTENT}")
-	endif()
-	message(FATAL_ERROR "Client did not establish connection with server.")
-endif()
+gmssl_run_tls_command_test(
+	TEST_NAME ${TEST_NAME}
+	PORT ${TEST_PORT}
+	SERVER_ARGS
+		tlcp_server
+		-port ${TEST_PORT}
+		-cert tlcp_server_certs.pem
+		-key tlcp_server_keys.pem
+		-pass P@ssw0rd
+	CLIENT_ARGS
+		tlcp_client
+		-host 127.0.0.1
+		-port ${TEST_PORT}
+		-cacert rootcacert.pem
+		-cipher_suite ${TEST_CIPHER_SUITE}
+		-in ${TEST_NAME}_message.txt
+)

cmake/tls12_commands.cmake

@@ -1,69 +1,44 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake")
 
-if(NOT EXISTS rootcacert.pem)
-	message(FATAL_ERROR "file does not exist")
+gmssl_require_file(rootcacert.pem)
+gmssl_require_file(tls_server_certs.pem)
+gmssl_require_file(signkey.pem)
+
+if(NOT DEFINED TEST_CASE)
+	set(TEST_CASE tls12_sm4_cbc)
 endif()
 
-if(NOT EXISTS tls_server_certs.pem)
-	message(FATAL_ERROR "file does not exist")
+if(TEST_CASE STREQUAL tls12_sm4_cbc)
+	set(TEST_NAME tls12_sm4_cbc)
+	set(TEST_PORT 4432)
+	set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_CBC_SM3)
+elseif(TEST_CASE STREQUAL tls12_sm4_gcm)
+	set(TEST_NAME tls12_sm4_gcm)
+	set(TEST_PORT 4434)
+	set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3)
+else()
+	message(FATAL_ERROR "unknown TLS 1.2 test case: ${TEST_CASE}")
 endif()
 
-if(NOT EXISTS signkey.pem)
-	message(FATAL_ERROR "file does not exist")
-endif()
-
-if(NOT EXISTS enckey.pem)
-	message(FATAL_ERROR "file does not exist")
-endif()
-
-set(TLS12_TEST_PORT 4432)
-file(REMOVE "tls12_client.log" "tls12_server.log")
-
-execute_process(
-	COMMAND pkill -f "gmssl tls12_server"
-	OUTPUT_QUIET
-	ERROR_QUIET
+gmssl_run_tls_command_test(
+	TEST_NAME ${TEST_NAME}
+	PORT ${TEST_PORT}
+	SERVER_ARGS
+		tls12_server
+		-port ${TEST_PORT}
+		-cert tls_server_certs.pem
+		-key signkey.pem
+		-pass P@ssw0rd
+		-cipher_suite ${TEST_CIPHER_SUITE}
+		-supported_group sm2p256v1
+		-sig_alg sm2sig_sm3
+	CLIENT_ARGS
+		tls12_client
+		-host 127.0.0.1
+		-port ${TEST_PORT}
+		-cacert rootcacert.pem
+		-cipher_suite ${TEST_CIPHER_SUITE}
+		-supported_group sm2p256v1
+		-sig_alg sm2sig_sm3
+		-in ${TEST_NAME}_message.txt
 )
-
-execute_process(
-	COMMAND bash -c "nohup bin/gmssl tls12_server -port ${TLS12_TEST_PORT} -cert tls_server_certs.pem -key signkey.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_SM4_CBC_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 > tls12_server.log 2>&1 &"
-	RESULT_VARIABLE SERVER_RESULT
-	TIMEOUT 5
-)
-if(NOT ${SERVER_RESULT} EQUAL 0)
-	message(FATAL_ERROR "server failed to start")
-endif()
-
-execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 2)
-
-execute_process(
-	COMMAND bash -c "bin/gmssl tls12_client -host localhost -port ${TLS12_TEST_PORT} -cacert rootcacert.pem -cipher_suite TLS_ECDHE_SM4_CBC_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 < /dev/null > tls12_client.log 2>&1 &"
-	RESULT_VARIABLE CLIENT_RESULT
-	TIMEOUT 5
-)
-
-set(FOUND_INDEX -1)
-foreach(i RANGE 1 15)
-	if(EXISTS "tls12_client.log")
-		file(READ "tls12_client.log" CLIENT_LOG_CONTENT)
-		string(FIND "${CLIENT_LOG_CONTENT}" "Connection established" FOUND_INDEX)
-		if(NOT ${FOUND_INDEX} EQUAL -1)
-			break()
-		endif()
-	endif()
-	execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1)
-endforeach()
-
-execute_process(
-	COMMAND pkill -f "gmssl tls12_server"
-	OUTPUT_QUIET
-	ERROR_QUIET
-)
-execute_process(
-	COMMAND pkill -f "gmssl tls12_client"
-	OUTPUT_QUIET
-	ERROR_QUIET
-)
-
-if(${FOUND_INDEX} EQUAL -1)
-	message(FATAL_ERROR "Client did not establish connection with server.")
-endif()

cmake/tls13_commands.cmake

@@ -1,65 +1,149 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake")
 
-if(NOT EXISTS rootcacert.pem)
-	message(FATAL_ERROR "file does not exist")
+gmssl_require_file(rootcacert.pem)
+gmssl_require_file(tls_server_certs.pem)
+gmssl_require_file(signkey.pem)
+
+set(TLS13_PSK 1122334455667788112233445566778811223344556677881122334455667788)
+
+if(NOT DEFINED TEST_CASE)
+	set(TEST_CASE tls13_sm4_gcm)
 endif()
 
-if(NOT EXISTS tls_server_certs.pem)
-	message(FATAL_ERROR "file does not exist")
-endif()
-
-if(NOT EXISTS signkey.pem)
-	message(FATAL_ERROR "file does not exist")
-endif()
-
-set(TLS13_TEST_PORT 4433)
-file(REMOVE "tls13_client.log" "tls13_server.log")
-
-execute_process(
-	COMMAND pkill -f "gmssl tls13_server"
-	OUTPUT_QUIET
-	ERROR_QUIET
-)
-
-execute_process(
-	COMMAND bash -c "nohup bin/gmssl tls13_server -port ${TLS13_TEST_PORT} -cert tls_server_certs.pem -key signkey.pem -pass P@ssw0rd -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 > tls13_server.log 2>&1 &"
-	RESULT_VARIABLE SERVER_RESULT
-	TIMEOUT 5
-)
-if(NOT ${SERVER_RESULT} EQUAL 0)
-	message(FATAL_ERROR "server failed to start")
-endif()
-
-execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 2)
-
-execute_process(
-	COMMAND bash -c "bin/gmssl tls13_client -host localhost -port ${TLS13_TEST_PORT} -cacert rootcacert.pem -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 < /dev/null > tls13_client.log 2>&1 &"
-	RESULT_VARIABLE CLIENT_RESULT
-	TIMEOUT 5
-)
-
-set(FOUND_INDEX -1)
-foreach(i RANGE 1 15)
-	if(EXISTS "tls13_client.log")
-		file(READ "tls13_client.log" CLIENT_LOG_CONTENT)
-		string(FIND "${CLIENT_LOG_CONTENT}" "Connection established" FOUND_INDEX)
-		if(NOT ${FOUND_INDEX} EQUAL -1)
-			break()
-		endif()
-	endif()
-	execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1)
-endforeach()
-
-execute_process(
-	COMMAND pkill -f "gmssl tls13_server"
-	OUTPUT_QUIET
-	ERROR_QUIET
-)
-execute_process(
-	COMMAND pkill -f "gmssl tls13_client"
-	OUTPUT_QUIET
-	ERROR_QUIET
-)
-
-if(${FOUND_INDEX} EQUAL -1)
-	message(FATAL_ERROR "Client did not establish connection with server.")
+if(TEST_CASE STREQUAL tls13_sm4_gcm)
+	gmssl_run_tls_command_test(
+		TEST_NAME tls13_sm4_gcm
+		PORT 4433
+		SERVER_ARGS
+			tls13_server
+			-port 4433
+			-cert tls_server_certs.pem
+			-key signkey.pem
+			-pass P@ssw0rd
+			-cipher_suite TLS_SM4_GCM_SM3
+			-supported_group sm2p256v1
+			-sig_alg sm2sig_sm3
+		CLIENT_ARGS
+			tls13_client
+			-host 127.0.0.1
+			-port 4433
+			-cacert rootcacert.pem
+			-cipher_suite TLS_SM4_GCM_SM3
+			-supported_group sm2p256v1
+			-sig_alg sm2sig_sm3
+			-in tls13_sm4_gcm_message.txt
+	)
+elseif(TEST_CASE STREQUAL tls13_hrr_sm4_gcm)
+	gmssl_run_tls_command_test(
+		TEST_NAME tls13_hrr_sm4_gcm
+		PORT 4436
+		EXPECT_CLIENT_LOG "selected_group: sm2p256v1"
+		SERVER_ARGS
+			tls13_server
+			-port 4436
+			-cert tls_server_certs.pem
+			-key signkey.pem
+			-pass P@ssw0rd
+			-cipher_suite TLS_SM4_GCM_SM3
+			-supported_group sm2p256v1
+			-sig_alg sm2sig_sm3
+			-verbose
+		CLIENT_ARGS
+			tls13_client
+			-host 127.0.0.1
+			-port 4436
+			-cacert rootcacert.pem
+			-cipher_suite TLS_SM4_GCM_SM3
+			-supported_group prime256v1
+			-supported_group sm2p256v1
+			-sig_alg sm2sig_sm3
+			-max_key_exchanges 1
+			-in tls13_hrr_sm4_gcm_message.txt
+			-verbose
+	)
+elseif(TEST_CASE STREQUAL tls13_psk_dhe_sm4_gcm)
+	gmssl_run_tls_command_test(
+		TEST_NAME tls13_psk_dhe_sm4_gcm
+		PORT 4437
+		SERVER_ARGS
+			tls13_server
+			-port 4437
+			-cert tls_server_certs.pem
+			-key signkey.pem
+			-pass P@ssw0rd
+			-cipher_suite TLS_SM4_GCM_SM3
+			-supported_group sm2p256v1
+			-psk_dhe_ke
+			-psk_identity 001
+			-psk_cipher_suite TLS_SM4_GCM_SM3
+			-psk_key ${TLS13_PSK}
+		CLIENT_ARGS
+			tls13_client
+			-host 127.0.0.1
+			-port 4437
+			-cipher_suite TLS_SM4_GCM_SM3
+			-supported_group sm2p256v1
+			-psk_dhe_ke
+			-psk_identity 001
+			-psk_cipher_suite TLS_SM4_GCM_SM3
+			-psk_key ${TLS13_PSK}
+			-in tls13_psk_dhe_sm4_gcm_message.txt
+	)
+elseif(TEST_CASE STREQUAL tls13_psk_only_sm4_gcm)
+	gmssl_run_tls_command_test(
+		TEST_NAME tls13_psk_only_sm4_gcm
+		PORT 4438
+		SERVER_ARGS
+			tls13_server
+			-port 4438
+			-cert tls_server_certs.pem
+			-key signkey.pem
+			-pass P@ssw0rd
+			-cipher_suite TLS_SM4_GCM_SM3
+			-psk_ke
+			-psk_identity 001
+			-psk_cipher_suite TLS_SM4_GCM_SM3
+			-psk_key ${TLS13_PSK}
+		CLIENT_ARGS
+			tls13_client
+			-host 127.0.0.1
+			-port 4438
+			-cipher_suite TLS_SM4_GCM_SM3
+			-psk_ke
+			-psk_identity 001
+			-psk_cipher_suite TLS_SM4_GCM_SM3
+			-psk_key ${TLS13_PSK}
+			-in tls13_psk_only_sm4_gcm_message.txt
+	)
+elseif(TEST_CASE STREQUAL tls13_early_data_sm4_gcm)
+	gmssl_run_tls_command_test(
+		TEST_NAME tls13_early_data_sm4_gcm
+		PORT 4439
+		EXPECT_SERVER_LOG "EarlyData"
+		SERVER_ARGS
+			tls13_server
+			-port 4439
+			-cert tls_server_certs.pem
+			-key signkey.pem
+			-pass P@ssw0rd
+			-cipher_suite TLS_SM4_GCM_SM3
+			-psk_ke
+			-psk_identity 001
+			-psk_cipher_suite TLS_SM4_GCM_SM3
+			-psk_key ${TLS13_PSK}
+			-early_data
+		CLIENT_ARGS
+			tls13_client
+			-host 127.0.0.1
+			-port 4439
+			-cipher_suite TLS_SM4_GCM_SM3
+			-psk_ke
+			-psk_identity 001
+			-psk_cipher_suite TLS_SM4_GCM_SM3
+			-psk_key ${TLS13_PSK}
+			-early_data tls13_early_data_sm4_gcm_early_data.txt
+			-in tls13_early_data_sm4_gcm_message.txt
+	)
+else()
+	message(FATAL_ERROR "unknown TLS 1.3 test case: ${TEST_CASE}")
 endif()

cmake/tls_command_test.cmake

@@ -0,0 +1,183 @@
+function(gmssl_require_file file)
+	if(NOT EXISTS "${file}")
+		message(FATAL_ERROR "required file does not exist: ${file}")
+	endif()
+endfunction()
+
+function(gmssl_run_command_interop_test)
+	set(one_value_args TEST_NAME PORT SERVER_COMMAND CLIENT_COMMAND EXPECT_CLIENT_LOG EXPECT_SERVER_LOG)
+	cmake_parse_arguments(TEST "" "${one_value_args}" "" ${ARGN})
+
+	if(NOT TEST_TEST_NAME)
+		message(FATAL_ERROR "TEST_NAME is required")
+	endif()
+	if(NOT TEST_PORT)
+		message(FATAL_ERROR "PORT is required")
+	endif()
+	if(NOT TEST_SERVER_COMMAND)
+		message(FATAL_ERROR "SERVER_COMMAND is required")
+	endif()
+	if(NOT TEST_CLIENT_COMMAND)
+		message(FATAL_ERROR "CLIENT_COMMAND is required")
+	endif()
+
+	set(SERVER_LOG "${TEST_TEST_NAME}_server.log")
+	set(CLIENT_LOG "${TEST_TEST_NAME}_client.log")
+	set(SERVER_PID_FILE "${TEST_TEST_NAME}_server.pid")
+
+	file(REMOVE "${SERVER_LOG}" "${CLIENT_LOG}" "${SERVER_PID_FILE}")
+
+	execute_process(
+		COMMAND bash -c "nohup ${TEST_SERVER_COMMAND} > ${SERVER_LOG} 2>&1 & echo $! > ${SERVER_PID_FILE}"
+		RESULT_VARIABLE SERVER_RESULT
+		TIMEOUT 5
+	)
+	if(NOT ${SERVER_RESULT} EQUAL 0)
+		message(FATAL_ERROR "server failed to start")
+	endif()
+
+	execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1)
+
+	execute_process(
+		COMMAND bash -c "${TEST_CLIENT_COMMAND} > ${CLIENT_LOG} 2>&1"
+		RESULT_VARIABLE CLIENT_RESULT
+		TIMEOUT 30
+	)
+
+	execute_process(
+		COMMAND bash -c "if test -f ${SERVER_PID_FILE}; then kill $(cat ${SERVER_PID_FILE}) 2>/dev/null || true; fi"
+		OUTPUT_QUIET
+		ERROR_QUIET
+	)
+	execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1)
+
+	set(SERVER_LOG_CONTENT "")
+	set(CLIENT_LOG_CONTENT "")
+	if(EXISTS "${SERVER_LOG}")
+		file(READ "${SERVER_LOG}" SERVER_LOG_CONTENT)
+	endif()
+	if(EXISTS "${CLIENT_LOG}")
+		file(READ "${CLIENT_LOG}" CLIENT_LOG_CONTENT)
+	endif()
+
+	if(NOT ${CLIENT_RESULT} EQUAL 0)
+		message(STATUS "${SERVER_LOG}:\n${SERVER_LOG_CONTENT}")
+		message(STATUS "${CLIENT_LOG}:\n${CLIENT_LOG_CONTENT}")
+		message(FATAL_ERROR "client failed with result ${CLIENT_RESULT}")
+	endif()
+
+	if(TEST_EXPECT_CLIENT_LOG)
+		string(FIND "${CLIENT_LOG_CONTENT}" "${TEST_EXPECT_CLIENT_LOG}" FOUND_INDEX)
+		if(${FOUND_INDEX} EQUAL -1)
+			message(STATUS "${CLIENT_LOG}:\n${CLIENT_LOG_CONTENT}")
+			message(FATAL_ERROR "client log does not contain expected text: ${TEST_EXPECT_CLIENT_LOG}")
+		endif()
+	endif()
+
+	if(TEST_EXPECT_SERVER_LOG)
+		string(FIND "${SERVER_LOG_CONTENT}" "${TEST_EXPECT_SERVER_LOG}" FOUND_INDEX)
+		if(${FOUND_INDEX} EQUAL -1)
+			message(STATUS "${SERVER_LOG}:\n${SERVER_LOG_CONTENT}")
+			message(FATAL_ERROR "server log does not contain expected text: ${TEST_EXPECT_SERVER_LOG}")
+		endif()
+	endif()
+endfunction()
+
+function(gmssl_run_tls_command_test)
+	set(one_value_args TEST_NAME PORT EXPECT_CLIENT_LOG EXPECT_SERVER_LOG)
+	set(multi_value_args SERVER_ARGS CLIENT_ARGS)
+	cmake_parse_arguments(TEST "" "${one_value_args}" "${multi_value_args}" ${ARGN})
+
+	if(NOT TEST_TEST_NAME)
+		message(FATAL_ERROR "TEST_NAME is required")
+	endif()
+	if(NOT TEST_PORT)
+		message(FATAL_ERROR "PORT is required")
+	endif()
+	if(NOT TEST_SERVER_ARGS)
+		message(FATAL_ERROR "SERVER_ARGS is required")
+	endif()
+	if(NOT TEST_CLIENT_ARGS)
+		message(FATAL_ERROR "CLIENT_ARGS is required")
+	endif()
+
+	list(GET TEST_SERVER_ARGS 0 SERVER_TOOL)
+	set(SERVER_LOG "${TEST_TEST_NAME}_server.log")
+	set(CLIENT_LOG "${TEST_TEST_NAME}_client.log")
+	set(SERVER_PID_FILE "${TEST_TEST_NAME}_server.pid")
+
+	file(REMOVE "${SERVER_LOG}" "${CLIENT_LOG}" "${SERVER_PID_FILE}")
+	file(WRITE "${TEST_TEST_NAME}_message.txt" "GmSSL ${TEST_TEST_NAME} command test\n")
+	file(WRITE "${TEST_TEST_NAME}_early_data.txt" "GmSSL ${TEST_TEST_NAME} early data\n")
+
+	string(REPLACE ";" " " SERVER_CMD "${TEST_SERVER_ARGS}")
+	string(REPLACE ";" " " CLIENT_CMD "${TEST_CLIENT_ARGS}")
+
+	execute_process(
+		COMMAND pkill -f "gmssl ${SERVER_TOOL} -port ${TEST_PORT}"
+		OUTPUT_QUIET
+		ERROR_QUIET
+	)
+
+	execute_process(
+		COMMAND bash -c "nohup bin/gmssl ${SERVER_CMD} > ${SERVER_LOG} 2>&1 & echo $! > ${SERVER_PID_FILE}"
+		RESULT_VARIABLE SERVER_RESULT
+		TIMEOUT 5
+	)
+	if(NOT ${SERVER_RESULT} EQUAL 0)
+		message(FATAL_ERROR "server failed to start")
+	endif()
+
+	execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1)
+
+	execute_process(
+		COMMAND bash -c "bin/gmssl ${CLIENT_CMD} > ${CLIENT_LOG} 2>&1"
+		RESULT_VARIABLE CLIENT_RESULT
+		TIMEOUT 30
+	)
+
+	execute_process(
+		COMMAND pkill -f "gmssl ${SERVER_TOOL} -port ${TEST_PORT}"
+		OUTPUT_QUIET
+		ERROR_QUIET
+	)
+	execute_process(COMMAND ${CMAKE_COMMAND} -E sleep 1)
+
+	set(SERVER_LOG_CONTENT "")
+	set(CLIENT_LOG_CONTENT "")
+	if(EXISTS "${SERVER_LOG}")
+		file(READ "${SERVER_LOG}" SERVER_LOG_CONTENT)
+	endif()
+	if(EXISTS "${CLIENT_LOG}")
+		file(READ "${CLIENT_LOG}" CLIENT_LOG_CONTENT)
+	endif()
+
+	if(NOT ${CLIENT_RESULT} EQUAL 0)
+		message(STATUS "${SERVER_LOG}:\n${SERVER_LOG_CONTENT}")
+		message(STATUS "${CLIENT_LOG}:\n${CLIENT_LOG_CONTENT}")
+		message(FATAL_ERROR "client failed with result ${CLIENT_RESULT}")
+	endif()
+
+	string(FIND "${CLIENT_LOG_CONTENT}" "Connection established" FOUND_INDEX)
+	if(${FOUND_INDEX} EQUAL -1)
+		message(STATUS "${SERVER_LOG}:\n${SERVER_LOG_CONTENT}")
+		message(STATUS "${CLIENT_LOG}:\n${CLIENT_LOG_CONTENT}")
+		message(FATAL_ERROR "client did not establish connection with server")
+	endif()
+
+	if(TEST_EXPECT_CLIENT_LOG)
+		string(FIND "${CLIENT_LOG_CONTENT}" "${TEST_EXPECT_CLIENT_LOG}" FOUND_INDEX)
+		if(${FOUND_INDEX} EQUAL -1)
+			message(STATUS "${CLIENT_LOG}:\n${CLIENT_LOG_CONTENT}")
+			message(FATAL_ERROR "client log does not contain expected text: ${TEST_EXPECT_CLIENT_LOG}")
+		endif()
+	endif()
+
+	if(TEST_EXPECT_SERVER_LOG)
+		string(FIND "${SERVER_LOG_CONTENT}" "${TEST_EXPECT_SERVER_LOG}" FOUND_INDEX)
+		if(${FOUND_INDEX} EQUAL -1)
+			message(STATUS "${SERVER_LOG}:\n${SERVER_LOG_CONTENT}")
+			message(FATAL_ERROR "server log does not contain expected text: ${TEST_EXPECT_SERVER_LOG}")
+		endif()
+	endif()
+endfunction()