Update tls12, tlcp

src/tls.c

@@ -2678,19 +2678,12 @@ int tls_ctx_set_key_update_seq_num_limit(TLS_CTX *ctx, size_t max_seq_num)
 }
 
 
-
-
-
-
-
 int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx)
 {
 	size_t i;
 
-
 	memset(conn, 0, sizeof(*conn));
 
-
 	conn->protocol = ctx->protocol;
 
 	/*
@@ -2700,7 +2693,6 @@ int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx)
 	conn->cipher_suites_cnt = ctx->cipher_suites_cnt;
 	*/
 
-
 	if (ctx->certslen > TLS_MAX_CERTIFICATES_SIZE) {
 		error_print();
 		return -1;
@@ -2722,15 +2714,12 @@ int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx)
 	conn->ca_certs_len = ctx->cacertslen;
 	*/
 
-
 	conn->sign_key = ctx->signkey;
 	conn->kenc_key = ctx->kenckey;
-
 	conn->ctx = ctx;
 
 	conn->key_exchanges_cnt = ctx->key_exchanges_cnt;
 
-
 	conn->new_session_ticket = ctx->new_session_ticket;
 
 
@@ -2739,16 +2728,21 @@ int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx)
 	if (ctx->supported_groups_cnt && ctx->signature_algorithms_cnt) {
 		conn->key_exchange_modes |= TLS_KE_CERT_DHE;
 	}
-	if (!conn->key_exchange_modes) {
-		error_print();
-		return -1;
+
+	if (ctx->protocol == TLS_protocol_tls13) {
+		if (!conn->key_exchange_modes) {
+			error_print();
+			return -1;
+		}
+
+		fprintf(stderr, "%s %d: conn->key_exchange_modes = %d\n", __FILE__, __LINE__, conn->key_exchange_modes);
+
+		if (conn->key_exchange_modes & (TLS_KE_CERT_DHE|TLS_KE_PSK_DHE)) {
+			conn->key_share = 1;
+		}
+
 	}
 
-	fprintf(stderr, "%s %d: conn->key_exchange_modes = %d\n", __FILE__, __LINE__, conn->key_exchange_modes);
-
-	if (conn->key_exchange_modes & (TLS_KE_CERT_DHE|TLS_KE_PSK_DHE)) {
-		conn->key_share = 1;
-	}
 
 	conn->signed_certificate_timestamp = ctx->signed_certificate_timestamp;
 
@@ -2761,7 +2755,6 @@ int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx)
 		conn->pre_shared_key = 1;
 	}
 
-
 	return 1;
 }
 

tools/tlcp_client.c

@@ -41,34 +41,7 @@ static const char *help =
 "    -outcerts file         Save server certificates to a PEM file\n"
 "    -quiet                 Without printing any status message\n"
 "\n"
-"Examples\n"
-"\n"
-"  gmssl tlcp_client -host www.pbc.gov.cn -get / -outcerts certs.pem\n"
-"\n"
-"  gmssl tlcp_client -host www.pbc.gov.cn -port 443\n"
-"\n"
-"Examples\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out rootcakey.pem\n"
-"    gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca\n"
-"    gmssl sm2keygen -pass 1234 -out cakey.pem\n"
-"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" -key cakey.pem -pass 1234 -out careq.pem\n"
-"    gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -ca -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out signkey.pem\n"
-"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem\n"
-"    gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out enckey.pem\n"
-"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass 1234 -out encreq.pem\n"
-"    gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem\n"
-"\n"
-"    cat signcert.pem > double_certs.pem\n"
-"    cat enccert.pem >> double_certs.pem\n"
-"    cat cacert.pem >> double_certs.pem\n"
-"\n"
-"    sudo gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234\n"
-"    gmssl tlcp_client -host 127.0.0.1 -cacert rootcacert.pem\n"
+#include "tlcp_help.h"
 "\n";
 
 

tools/tlcp_help.h

@@ -0,0 +1,38 @@
+/*
+ *  Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+"Examples\n"
+"\n"
+"  gmssl tlcp_client -host www.pbc.gov.cn -get / -outcerts certs.pem\n"
+"\n"
+"  gmssl tlcp_client -host www.pbc.gov.cn -port 443\n"
+"\n"
+"Examples\n"
+"\n"
+"    gmssl sm2keygen -pass 1234 -out rootcakey.pem\n"
+"    gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca\n"
+"    gmssl sm2keygen -pass 1234 -out cakey.pem\n"
+"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" -key cakey.pem -pass 1234 -out careq.pem\n"
+"    gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -ca -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem\n"
+"\n"
+"    gmssl sm2keygen -pass 1234 -out signkey.pem\n"
+"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem\n"
+"    gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem\n"
+"\n"
+"    gmssl sm2keygen -pass 1234 -out enckey.pem\n"
+"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass 1234 -out encreq.pem\n"
+"    gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem\n"
+"\n"
+"    cat signcert.pem > double_certs.pem\n"
+"    cat enccert.pem >> double_certs.pem\n"
+"    cat cacert.pem >> double_certs.pem\n"
+"\n"
+"    gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234\n"
+"    gmssl tlcp_client -host 127.0.0.1 -cacert rootcacert.pem\n"
+

tools/tlcp_server.c

@@ -30,28 +30,7 @@ static const char *help =
 "    -pass str              Password to decrypt private key\n"
 "    -cacert file           CA certificate for client certificate verification\n"
 "\n"
-"Examples\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out rootcakey.pem\n"
-"    gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca\n"
-"    gmssl sm2keygen -pass 1234 -out cakey.pem\n"
-"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" -key cakey.pem -pass 1234 -out careq.pem\n"
-"    gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -ca -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out signkey.pem\n"
-"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem\n"
-"    gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out enckey.pem\n"
-"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass 1234 -out encreq.pem\n"
-"    gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem\n"
-"\n"
-"    cat signcert.pem > double_certs.pem\n"
-"    cat enccert.pem >> double_certs.pem\n"
-"    cat cacert.pem >> double_certs.pem\n"
-"\n"
-"    sudo gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234\n"
-"    gmssl tlcp_client -host 127.0.0.1 -cacert rootcacert.pem\n"
+#include "tlcp_help.h"
 "\n";
 
 int tlcp_server_main(int argc , char **argv)

tools/tls12_client.c

@@ -35,28 +35,7 @@ static const char *help =
 "    -key file              Client's encrypted private key in PEM format\n"
 "    -pass str              Password to decrypt private key\n"
 "\n"
-"Examples\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out rootcakey.pem\n"
-"    gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n"
-"            -key rootcakey.pem -pass 1234 -out rootcacert.pem \\\n"
-"            -key_usage keyCertSign -key_usage cRLSign -ca\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out cakey.pem\n"
-"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" \\\n"
-"            -key cakey.pem -pass 1234 -out careq.pem\n"
-"    gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -cacert rootcacert.pem -key rootcakey.pem -pass 1234 \\\n"
-"            -out cacert.pem -ca -path_len_constraint 0\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out signkey.pem\n"
-"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem\n"
-"    gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem\n"
-"\n"
-"    cat signcert.pem > certs.pem\n"
-"    cat cacert.pem >> certs.pem\n"
-"\n"
-"    sudo gmssl tls12_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234\n"
-"    gmssl tls12_client -host 127.0.0.1 -port 4430 -cacert rootcacert.pem\n"
+#include "tls12_help.h"
 "\n";
 
 int tls12_client_main(int argc, char *argv[])

tools/tls12_help.h

@@ -0,0 +1,32 @@
+/*
+ *  Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+"Examples\n"
+"\n"
+"    gmssl sm2keygen -pass 1234 -out rootcakey.pem\n"
+"    gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n"
+"            -key rootcakey.pem -pass 1234 -out rootcacert.pem \\\n"
+"            -key_usage keyCertSign -key_usage cRLSign -ca\n"
+"\n"
+"    gmssl sm2keygen -pass 1234 -out cakey.pem\n"
+"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" \\\n"
+"            -key cakey.pem -pass 1234 -out careq.pem\n"
+"    gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -cacert rootcacert.pem -key rootcakey.pem -pass 1234 \\\n"
+"            -out cacert.pem -ca -path_len_constraint 0\n"
+"\n"
+"    gmssl sm2keygen -pass 1234 -out signkey.pem\n"
+"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem\n"
+"    gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem\n"
+"\n"
+"    cat signcert.pem > certs.pem\n"
+"    cat cacert.pem >> certs.pem\n"
+"\n"
+"    gmssl tls12_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234\n"
+"    gmssl tls12_client -host 127.0.0.1 -port 4430 -cacert rootcacert.pem\n"
+

tools/tls12_server.c

@@ -29,28 +29,7 @@ static const char *help =
 "    -pass str              Password to decrypt private key\n"
 "    -cacert file           CA certificate for client certificate verification\n"
 "\n"
-"Examples\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out rootcakey.pem\n"
-"    gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n"
-"            -key rootcakey.pem -pass 1234 -out rootcacert.pem \\\n"
-"            -key_usage keyCertSign -key_usage cRLSign -ca\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out cakey.pem\n"
-"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" \\\n"
-"            -key cakey.pem -pass 1234 -out careq.pem\n"
-"    gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -cacert rootcacert.pem -key rootcakey.pem -pass 1234 \\\n"
-"            -out cacert.pem -ca -path_len_constraint 0\n"
-"\n"
-"    gmssl sm2keygen -pass 1234 -out signkey.pem\n"
-"    gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem\n"
-"    gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem\n"
-"\n"
-"    cat signcert.pem > certs.pem\n"
-"    cat cacert.pem >> certs.pem\n"
-"\n"
-"    sudo gmssl tls12_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234\n"
-"    gmssl tls12_client -host 127.0.0.1 -port 4430 -cacert rootcacert.pem\n"
+#include "tls12_help.h"
 "\n";