Update TLS 1.2

2026-05-07 00:46:17 +08:00 · 2022-06-13 22:17:53 +08:00
parent 79182e93eb
commit 48e0178837
13 changed files with 1572 additions and 854 deletions
--- a/tools/gmssl.c
+++ b/tools/gmssl.c
@@ -222,11 +222,11 @@ int main(int argc, char **argv)
 			return tlcp_client_main(argc, argv);
 		} else if (!strcmp(*argv, "tlcp_server")) {
 			return tlcp_server_main(argc, argv);
-/*
 		} else if (!strcmp(*argv, "tls12_client")) {
 			return tls12_client_main(argc, argv);
 		} else if (!strcmp(*argv, "tls12_server")) {
 			return tls12_server_main(argc, argv);
+/*
 		} else if (!strcmp(*argv, "tls13_client")) {
 			return tls13_client_main(argc, argv);
 		} else if (!strcmp(*argv, "tls13_server")) {
--- a/tools/tlcp_client.c
+++ b/tools/tlcp_client.c
@@ -60,7 +60,7 @@
 #include <gmssl/error.h>


-static int client_ciphers[] = { TLCP_cipher_ecc_sm4_cbc_sm3, };
+static int client_ciphers[] = { TLS_cipher_ecc_sm4_cbc_sm3, };

 static const char *http_get =
 	"GET / HTTP/1.1\r\n"
@@ -149,7 +149,7 @@ bad:
 		goto end;
 	}

-	if (tls_ctx_init(&ctx, TLS_version_tlcp, TLS_client_mode) != 1
+	if (tls_ctx_init(&ctx, TLS_protocol_tlcp, TLS_client_mode) != 1
 		|| tls_ctx_set_cipher_suites(&ctx, client_ciphers, sizeof(client_ciphers)/sizeof(client_ciphers[0])) != 1
 		|| tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1
 		|| tls_ctx_set_certificate_and_key(&ctx, certfile, keyfile, pass) != 1) {
--- a/tools/tlcp_server.c
+++ b/tools/tlcp_server.c
@@ -75,7 +75,7 @@ int tlcp_server_main(int argc , char **argv)
 	char *encpass = NULL;
 	char *cacertfile = NULL;

-	int server_ciphers[] = { TLCP_cipher_ecc_sm4_cbc_sm3, };
+	int server_ciphers[] = { TLS_cipher_ecc_sm4_cbc_sm3, };
 	uint8_t verify_buf[4096];

 	TLS_CTX ctx;
@@ -157,7 +157,7 @@ bad:
 	memset(&ctx, 0, sizeof(ctx));
 	memset(&conn, 0, sizeof(conn));

-	if (tls_ctx_init(&ctx, TLS_version_tlcp, TLS_server_mode) != 1
+	if (tls_ctx_init(&ctx, TLS_protocol_tlcp, TLS_server_mode) != 1
 		|| tls_ctx_set_cipher_suites(&ctx, server_ciphers, sizeof(server_ciphers)/sizeof(int)) != 1
 		|| tls_ctx_set_tlcp_server_certificate_and_keys(&ctx, certfile, signkeyfile, signpass, enckeyfile, encpass) != 1) {
 		error_print();
--- a/tools/tls12_client.c
+++ b/tools/tls12_client.c
@@ -47,23 +47,33 @@
 */

 #include <stdio.h>
+#include <errno.h>
 #include <string.h>
 #include <stdlib.h>
+
 #include <unistd.h>
+#include <sys/types.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
 #include <gmssl/tls.h>
 #include <gmssl/error.h>


-const char *http_get =
+// TLSv1.2客户单和TLCP客户端可能没有什么区别
+
+static int client_ciphers[] = { TLS_cipher_ecdhe_sm4_cbc_sm3 };
+
+static const char *http_get =
 	"GET / HTTP/1.1\r\n"
 	"Hostname: aaa\r\n"
 	"\r\n\r\n";

+static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file -pass str]";

-static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file [-pass str]]";
-
-int tls12_client_main(int argc , char *argv[])
+int tls12_client_main(int argc, char *argv[])
 {
+	int ret = -1;
 	char *prog = argv[0];
 	char *host = NULL;
 	int port = 443;
@@ -71,24 +81,22 @@ int tls12_client_main(int argc , char *argv[])
 	char *certfile = NULL;
 	char *keyfile = NULL;
 	char *pass = NULL;
-
-	FILE *cacertfp = NULL;
-	FILE *certfp = NULL;
-	FILE *keyfp = NULL;
-	SM2_KEY sm2_key;
-
+	struct sockaddr_in server;
+	int sock;
+	TLS_CTX ctx;
 	TLS_CONNECT conn;
 	char buf[100] = {0};
 	size_t len = sizeof(buf);
-
-	if (argc < 2) {
-		fprintf(stderr, "usage: %s %s\n", prog, options);
-		return 1;
-	}
+	char send_buf[1024] = {0};
+	size_t send_len;

 	argc--;
 	argv++;
-	while (argc > 0) {
+	if (argc < 1) {
+		fprintf(stderr, "usage: %s %s\n", prog, options);
+		return 1;
+	}
+	while (argc >= 1) {
 		if (!strcmp(*argv, "-help")) {
 			printf("usage: %s %s\n", prog, options);
 			return 0;
@@ -122,62 +130,73 @@ bad:
 	}

 	if (!host) {
-		error_print();
-		return 1;
-	}
-
-	if (cacertfile) {
-		if (!(cacertfp = fopen(cacertfile, "r"))) {
-			error_print();
-			return 1;
-		}
-	}
-
-	if (certfile) {
-		if (!(certfp = fopen(certfile, "r"))) {
-			error_print();
-			return 1;
-		}
-		if (!pass) {
-			pass = getpass("Password : ");
-		}
-		if (!keyfile) {
-			error_print();
-			return 1;
-		}
-		if (!(keyfp = fopen(keyfile, "r"))) {
-			error_print();
-			return -1;
-		}
-		if (sm2_private_key_info_decrypt_from_pem(&sm2_key, pass, keyfp) != 1) {
-			error_print();
-			return -1;
-		}
+		fprintf(stderr, "%s: '-in' option required\n", prog);
+		return -1;
 	}

+	memset(&ctx, 0, sizeof(ctx));
 	memset(&conn, 0, sizeof(conn));

-	if (tls12_connect(&conn, host, port, cacertfp, certfp, &sm2_key) != 1) {
-		error_print();
-		return -1;
+	server.sin_addr.s_addr = inet_addr(host);
+	server.sin_family = AF_INET;
+	server.sin_port = htons(port);
+
+
+	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+		fprintf(stderr, "%s: open socket error : %s\n", prog, strerror(errno));
+		goto end;
+	}
+	if (connect(sock, (struct sockaddr *)&server , sizeof(server)) < 0) {
+		fprintf(stderr, "%s: connect error : %s\n", prog, strerror(errno));
+		goto end;
 	}

-	if (tls_send(&conn, (uint8_t *)"12345\n", 6) != 1) {
-		error_print();
-		return -1;
+	if (tls_ctx_init(&ctx, TLS_protocol_tls12, TLS_client_mode) != 1
+		|| tls_ctx_set_cipher_suites(&ctx, client_ciphers, sizeof(client_ciphers)/sizeof(client_ciphers[0])) != 1
+		|| tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1
+		|| tls_ctx_set_certificate_and_key(&ctx, certfile, keyfile, pass) != 1) {
+		fprintf(stderr, "%s: context init error\n", prog);
+		goto end;
+	}
+	if (tls_init(&conn, &ctx) != 1
+		|| tls_set_socket(&conn, sock) != 1
+		|| tls_do_handshake(&conn) != 1) {
+		fprintf(stderr, "%s: error\n", prog);
+		goto end;
 	}

 	for (;;) {
-		memset(buf, 0, sizeof(buf));
-		len = sizeof(buf);
-		if (tls_recv(&conn, (uint8_t *)buf, &len) != 1) {
-			error_print();
-			return -1;
+		size_t sentlen;
+
+		memset(send_buf, 0, sizeof(send_buf));
+		if (!fgets(send_buf, sizeof(send_buf), stdin)) {
+			if (feof(stdin)) {
+				tls_shutdown(&conn);
+				goto end;
+			} else {
+				continue;
+			}
 		}
-		if (len > 0) {
+		if (tls_send(&conn, (uint8_t *)send_buf, strlen(send_buf), &sentlen) != 1) {
+			fprintf(stderr, "%s: send error\n", prog);
+			goto end;
+		}
+
+		{
+			memset(buf, 0, sizeof(buf));
+			len = sizeof(buf);
+			if (tls_recv(&conn, (uint8_t *)buf, sizeof(len), &len) != 1) {
+				goto end;
+			}
+			buf[len] = 0;
 			printf("%s\n", buf);
-			break;
 		}
 	}
+
+
+end:
+	close(sock);
+	tls_ctx_cleanup(&ctx);
+	tls_cleanup(&conn);
 	return 0;
 }
--- a/tools/tls12_server.c
+++ b/tools/tls12_server.c
@@ -1,4 +1,4 @@
-/*
+/*
 * Copyright (c) 2021 - 2021 The GmSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -47,48 +47,56 @@
 */

 #include <stdio.h>
+#include <errno.h>
 #include <string.h>
 #include <stdlib.h>
 #include <unistd.h>
+#include <sys/types.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <gmssl/mem.h>
 #include <gmssl/sm2.h>
 #include <gmssl/tls.h>
 #include <gmssl/error.h>

-// [-cacert file] 如果服务器需要客户端提供证书，那么自己必须准备可以验证客户端证书的CA证书
-// 因此如果提供了CA证书，那么等同于要求客户端验证
-static const char *options = " [-port num] -cert file -key file [-pass str] [-cacert file]";

-int tls12_server_main(int argc , char *argv[])
+static const char *options = "[-port num] -cert file -key file -pass str [-cacert file]";
+
+int tls12_server_main(int argc , char **argv)
 {
-	int ret = -1;
+	int ret = 1;
 	char *prog = argv[0];
-
 	int port = 443;
 	char *certfile = NULL;
 	char *keyfile = NULL;
 	char *pass = NULL;
 	char *cacertfile = NULL;

-	FILE *certfp = NULL;
-	FILE *keyfp = NULL;
-	FILE *cacertfp = NULL;
-	SM2_KEY sm2_key;
-
+	int server_ciphers[] = { TLS_cipher_ecdhe_sm4_cbc_sm3, };
 	uint8_t verify_buf[4096];

-
+	TLS_CTX ctx;
 	TLS_CONNECT conn;
 	char buf[1600] = {0};
 	size_t len = sizeof(buf);

-	if (argc < 2) {
+	int sock;
+	struct sockaddr_in server_addr;
+	struct sockaddr_in client_addr;
+	socklen_t client_addrlen;
+	int conn_sock;
+
+
+	argc--;
+	argv++;
+
+	if (argc < 1) {
 		fprintf(stderr, "usage: %s %s\n", prog, options);
 		return 1;
 	}

-	argc--;
-	argv++;
-	while (argc >= 1) {
+	while (argc > 0) {
 		if (!strcmp(*argv, "-help")) {
 			printf("usage: %s %s\n", prog, options);
 			return 0;
@@ -117,65 +125,98 @@ bad:
 		argc--;
 		argv++;
 	}
-
-	if (!certfile || !keyfile) {
-		error_print();
+	if (!certfile) {
+		fprintf(stderr, "%s: '-cert' option required\n", prog);
+		return 1;
+	}
+	if (!keyfile) {
+		fprintf(stderr, "%s: '-key' option required\n", prog);
+		return 1;
+	}
+	if (!pass) {
+		fprintf(stderr, "%s: '-pass' option required\n", prog);
 		return 1;
 	}

+	memset(&ctx, 0, sizeof(ctx));
+	memset(&conn, 0, sizeof(conn));
+
+	if (tls_ctx_init(&ctx, TLS_protocol_tls12, TLS_server_mode) != 1
+		|| tls_ctx_set_cipher_suites(&ctx, server_ciphers, sizeof(server_ciphers)/sizeof(int)) != 1
+		|| tls_ctx_set_certificate_and_key(&ctx, certfile, keyfile, pass) != 1) {
+		error_print();
+		return -1;
+	}
 	if (cacertfile) {
-		if (!(cacertfp = fopen(cacertfile, "r"))) {
+		if (tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1) {
 			error_print();
 			return -1;
 		}
 	}

-	if (!(certfp = fopen(certfile, "r"))) {
+	// Socket
+	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+		error_print();
+		return 1;
+	}
+	server_addr.sin_family = AF_INET;
+	server_addr.sin_addr.s_addr = INADDR_ANY;
+	server_addr.sin_port = htons(port);
+	if (bind(sock, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
+		error_print();
+		perror("tlcp_accept: bind: ");
+		goto end;
+	}
+	puts("start listen ...\n");
+	listen(sock, 1);
+
+
+
+restart:
+
+	client_addrlen = sizeof(client_addr);
+	if ((conn_sock = accept(sock, (struct sockaddr *)&client_addr, &client_addrlen)) < 0) {
+		error_print();
+		goto end;
+	}
+	puts("socket connected\n");
+
+	if (tls_init(&conn, &ctx) != 1
+		|| tls_set_socket(&conn, conn_sock) != 1) {
 		error_print();
 		return -1;
 	}

-	if (!pass) {
-		pass = getpass("Password : ");
-	}
-	if (!(keyfp = fopen(keyfile, "r"))) {
-		error_print();
-		return -1;
-	}
-	if (sm2_private_key_info_decrypt_from_pem(&sm2_key, pass, keyfp) != 1) {
-		error_print();
+	if (tls_do_handshake(&conn) != 1) {
+		error_print(); // 为什么这个会触发呢？
 		return -1;
 	}

-	memset(&conn, 0, sizeof(conn));
-	if (tls12_accept(&conn, port, certfp, &sm2_key, cacertfp, verify_buf, 4096) != 1) {
-	//if (tls12_accept(&conn, port, certfp, &sm2_key, NULL, NULL, 0) != 1) {
-		error_print();
-		return -1;
-	}
-
-	// 我要做一个反射的服务器，接收到用户的输入之后，再反射回去
 	for (;;) {

-		// 接收一个消息
-		// 按道理说第二次执行的时候是不可能成功的了，因此客户端没有数据发过来
+		int rv;
+		size_t sentlen;
+
 		do {
 			len = sizeof(buf);
-			if (tls_recv(&conn, (uint8_t *)buf, &len) != 1) {
-				error_print();
-				return -1;
+			if ((rv = tls_recv(&conn, (uint8_t *)buf, sizeof(buf), &len)) != 1) {
+				if (rv < 0) fprintf(stderr, "%s: recv failure\n", prog);
+				else fprintf(stderr, "%s: Disconnected by remote\n", prog);
+
+				//close(conn.sock);
+				tls_cleanup(&conn);
+				goto restart;
 			}
 		} while (!len);

-
-		// 把这个消息再发回去
-		if (tls_send(&conn, (uint8_t *)buf, len) != 1) {
-			error_print();
-			return -1;
+		if (tls_send(&conn, (uint8_t *)buf, len, &sentlen) != 1) {
+			fprintf(stderr, "%s: send failure, close connection\n", prog);
+			close(conn.sock);
+			goto end;
 		}
-
-		fprintf(stderr, "-----------------\n\n\n\n\n\n");
-
 	}
-	return 0;
+
+
+end:
+	return ret;
 }