From 6da7e1056a96432e324fed480f988bca7eb8e40b Mon Sep 17 00:00:00 2001 From: Zhi Guan Date: Tue, 16 Jun 2026 18:01:54 +0800 Subject: [PATCH] Clean TLCP code --- CMakeLists.txt | 2 +- include/gmssl/version.h | 2 +- src/tlcp.c | 469 ++-------------------------------------- src/tls12.c | 66 +++--- 4 files changed, 49 insertions(+), 490 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 1d83d5e2..62bb3718 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -818,7 +818,7 @@ endif() # set(CPACK_PACKAGE_NAME "GmSSL") set(CPACK_PACKAGE_VENDOR "GmSSL develop team") -set(CPACK_PACKAGE_VERSION "3.2.0-dev.1061") +set(CPACK_PACKAGE_VERSION "3.2.0-dev.1062") set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md) set(CPACK_NSIS_MODIFY_PATH ON) include(CPack) diff --git a/include/gmssl/version.h b/include/gmssl/version.h index 9ded9e72..94c1da68 100644 --- a/include/gmssl/version.h +++ b/include/gmssl/version.h @@ -18,7 +18,7 @@ extern "C" { #define GMSSL_VERSION_NUM 30200 -#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1061" +#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1062" int gmssl_version_num(void); const char *gmssl_version_str(void); diff --git a/src/tlcp.c b/src/tlcp.c index 4a3d19b5..cce99bfd 100644 --- a/src/tlcp.c +++ b/src/tlcp.c @@ -746,6 +746,8 @@ int tlcp_recv_server_hello(TLS_CONNECT *conn) return 1; } + +// 这个必须要独立的,因为TLCP的是双证书,这个双证书是从对方读取的 int tlcp_recv_server_certificate(TLS_CONNECT *conn) { int ret; @@ -981,92 +983,6 @@ int tlcp_recv_certificate_request(TLS_CONNECT *conn) return 1; } -int tlcp_recv_server_hello_done(TLS_CONNECT *conn) -{ - int ret; - if(conn->verbose) tls_trace("recv ServerHelloDone\n"); - - if ((ret = tls_recv_record(conn)) != 1) { - if (ret != TLS_ERROR_RECV_AGAIN) { - error_print(); - } - return ret; - } - if (tls_record_protocol(conn->record) != TLS_protocol_tlcp) { - error_print(); - tls_send_alert(conn, TLS_alert_unexpected_message); - return -1; - } - if (conn->verbose) - tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen); - - if (tls_record_get_handshake_server_hello_done(conn->record) != 1) { - error_print(); - tls_send_alert(conn, TLS_alert_unexpected_message); - return -1; - } - - if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { - error_print(); - return -1; - } - if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx); - - if (tls_update_transcript(conn, conn->record) != 1) { - error_print(); - return -1; - } - - return 1; -} - -int tlcp_send_client_certificate(TLS_CONNECT *conn) -{ - int ret; - - if (conn->client_certs_len == 0) { - error_print(); - return -1; - } - - if (conn->recordlen == 0) { - - if (conn->verbose) - tls_trace("send client Certificate\n"); - - if (tls_record_set_handshake_certificate(conn->record, &conn->recordlen, - conn->cert_chain, conn->cert_chain_len) != 1) { - error_print(); - tls_send_alert(conn, TLS_alert_internal_error); - return -1; - } - if (conn->verbose) - tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen); - - if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { - error_print(); - return -1; - } - if (conn->verbose) - tls_handshake_digest_print(stderr, 0, 0, "client Certificate", &conn->dgst_ctx); - - if (tls_update_transcript(conn, conn->record) != 1) { - error_print(); - return -1; - } - } - - if ((ret = tls_send_record(conn)) != 1) { - if (ret != TLS_ERROR_SEND_AGAIN) { - error_print(); - } - return ret; - } - - - return 1; -} - int tlcp_send_client_key_exchange(TLS_CONNECT *conn) { int ret; @@ -1137,191 +1053,6 @@ int tlcp_send_client_key_exchange(TLS_CONNECT *conn) return 1; } -int tlcp_send_certificate_verify(TLS_CONNECT *conn) -{ - int ret; - uint8_t sig[SM2_MAX_SIGNATURE_SIZE]; - size_t siglen; - - if (conn->verbose) - tls_trace("send CertificateVerify\n"); - - if (conn->recordlen == 0) { - X509_KEY *sign_key = &conn->ctx->x509_keys[conn->cert_chain_idx - 1]; - X509_SIGN_CTX sign_ctx; - - if (x509_sign_init(&sign_ctx, sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1 - || x509_sign_update(&sign_ctx, conn->transcript, conn->transcript_len) != 1 - || x509_sign_finish(&sign_ctx, sig, &siglen) != 1) { - gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx)); - error_print(); - return -1; - } - gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx)); - - if (tls_record_set_handshake_certificate_verify(conn->record, &conn->recordlen, sig, siglen) != 1) { - error_print(); - tls_send_alert(conn, TLS_alert_internal_error); - return -1; - } - if (conn->verbose) - tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen); - - if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { - error_print(); - return -1; - } - if (conn->verbose) - tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx); - - if (tls_update_transcript(conn, conn->record) != 1) { - error_print(); - return -1; - } - - } - - if ((ret = tls_send_record(conn)) != 1) { - if (ret != TLS_ERROR_SEND_AGAIN) { - error_print(); - } - return ret; - } - - return 1; -} - -int tlcp_send_client_finished(TLS_CONNECT *conn) -{ - int ret; - - if (conn->recordlen == 0) { - uint8_t verify_data[12]; - - if (conn->verbose) - tls_trace("send client {Finished}\n"); - - if (tls_compute_verify_data(conn->digest, conn->master_secret, "client finished", &conn->dgst_ctx, verify_data) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_internal_error); - return -1; - } - - tls_record_set_protocol(conn->plain_record, conn->protocol); - - if (tls_record_set_handshake_finished(conn->plain_record, &conn->plain_recordlen, - verify_data, sizeof(verify_data)) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_internal_error); - return -1; - } - - if (conn->verbose) - tlcp_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen); - - if (digest_update(&conn->dgst_ctx, conn->plain_record + 5, conn->plain_recordlen - 5) != 1) { - error_print(); - return -1; - } - if (conn->verbose) - tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx); - - if (tls_update_transcript(conn, conn->plain_record) != 1) { - error_print(); - return -1; - } - - if (tls_record_encrypt(conn->cipher_suite, - &conn->client_write_mac_ctx, &conn->client_write_key, conn->client_write_iv, - conn->client_seq_num, conn->plain_record, conn->plain_recordlen, - conn->record, &conn->recordlen) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_internal_error); - return -1; - } - tls_seq_num_incr(conn->client_seq_num); - } - - if ((ret = tls_send_record(conn)) != 1) { - if (ret != TLS_ERROR_SEND_AGAIN) { - error_print(); - } - return ret; - } - return 1; -} - -int tlcp_recv_server_finished(TLS_CONNECT *conn) -{ - int ret; - - uint8_t sm3_hash[32]; - - const uint8_t *verify_data; - size_t verify_data_len; - uint8_t local_verify_data[12]; - - - - if ((ret = tls_recv_record(conn)) != 1) { - if (ret != TLS_ERROR_RECV_AGAIN) { - error_print(); - } - return ret; - } - if(conn->verbose) - tls_trace("recv server {Finished}\n"); - - if (conn->verbose) - tls_encrypted_record_print(stderr, conn->record, conn->recordlen, 0, 0); - - if (tls_record_protocol(conn->record) != TLS_protocol_tlcp) { - error_print(); - tls12_send_alert(conn, TLS_alert_unexpected_message); - return -1; - } - - if (tls_record_decrypt(conn->cipher_suite, - &conn->server_write_mac_ctx, &conn->server_write_key, conn->server_write_iv, - conn->server_seq_num, conn->record, conn->recordlen, - conn->plain_record, &conn->plain_recordlen) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_bad_record_mac); - return -1; - } - tls_seq_num_incr(conn->server_seq_num); - - if (conn->verbose) - tlcp_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen); - // no more digest_update - - if (tls_record_get_handshake_finished(conn->plain_record, &verify_data, &verify_data_len) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_unexpected_message); - return -1; - } - if (verify_data_len != sizeof(local_verify_data)) { - error_print(); - tls12_send_alert(conn, TLS_alert_unexpected_message); - return -1; - } - - if (tls_compute_verify_data(conn->digest, conn->master_secret, "server finished", &conn->dgst_ctx, local_verify_data) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_internal_error); - return -1; - } - memset(&conn->dgst_ctx, 0, sizeof(conn->dgst_ctx)); - - if (memcmp(verify_data, local_verify_data, sizeof(local_verify_data)) != 0) { - error_print(); - tls12_send_alert(conn, TLS_alert_decrypt_error); - return -1; - } - - return 1; -} - // Server static int tlcp_cert_chains_select(TLS_CONNECT *conn, @@ -1823,52 +1554,9 @@ int tlcp_send_server_hello(TLS_CONNECT *conn) return 1; } -int tlcp_send_server_certificate(TLS_CONNECT *conn) -{ - int ret; - if(conn->verbose) tls_trace("send ServerCertificate\n"); - - if (conn->recordlen == 0) { - if (!conn->cert_chain || !conn->cert_chain_len) { - error_print(); - tls_send_alert(conn, TLS_alert_internal_error); - return -1; - } - if (tls_record_set_handshake_certificate(conn->record, &conn->recordlen, - conn->cert_chain, conn->cert_chain_len) != 1) { - error_print(); - tls_send_alert(conn, TLS_alert_internal_error); - return -1; - } - if (conn->verbose) - tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen); - - if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { - error_print(); - return -1; - } - if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx); - - if (tls_update_transcript(conn, conn->record) != 1) { - error_print(); - return -1; - } - - } - - if ((ret = tls_send_record(conn)) != 1) { - if (ret != TLS_ERROR_SEND_AGAIN) { - error_print(); - } - return ret; - } - - if (conn->client_certificate_verify) { - tls_client_verify_update(&conn->client_verify_ctx, conn->record + 5, conn->recordlen - 5); - } - return 1; -} +// TLCP的ServerKeyExchange 需要对服务器的证书签名 +// 这是一个明显的不同,因此还是独立比较好 int tlcp_send_server_key_exchange(TLS_CONNECT *conn) { @@ -2024,6 +1712,8 @@ int tlcp_check_pre_master_secret(TLS_CONNECT *conn) return 1; } + + int tlcp_send_certificate_request(TLS_CONNECT *conn) { int ret; @@ -2163,135 +1853,6 @@ int tlcp_recv_client_key_exchange(TLS_CONNECT *conn) return 1; } -int tlcp_recv_certificate_verify(TLS_CONNECT *conn) -{ - int ret; - - if ((ret = tls_recv_certificate_verify(conn)) != 1) { - error_print(); - return ret; - } - return 1; -} - -int tlcp_recv_client_finished(TLS_CONNECT *conn) -{ - int ret; - const uint8_t *verify_data; - size_t verify_data_len; - uint8_t local_verify_data[12]; - - if (tls_compute_verify_data(conn->digest, conn->master_secret, "client finished", - &conn->dgst_ctx, local_verify_data) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_internal_error); - return -1; - } - - if(conn->verbose) tls_trace("recv client {Finished}\n"); - - if ((ret = tls_recv_record(conn)) != 1) { - if (ret != TLS_ERROR_RECV_AGAIN) { - error_print(); - } - return ret; - } - if (tls_record_protocol(conn->record) != conn->protocol) { - error_print(); - tls12_send_alert(conn, TLS_alert_unexpected_message); - return -1; - } - if (tls_record_decrypt(conn->cipher_suite, - &conn->client_write_mac_ctx, &conn->client_write_key, conn->client_write_iv, - conn->client_seq_num, conn->record, conn->recordlen, - conn->plain_record, &conn->plain_recordlen) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_bad_record_mac); - return -1; - } - tls_seq_num_incr(conn->client_seq_num); - - if (tls_update_transcript(conn, conn->record) != 1) { - error_print(); - return -1; - } - - if (conn->verbose) - tlcp_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen); - - if (tls_record_get_handshake_finished(conn->plain_record, &verify_data, &verify_data_len) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_unexpected_message); - return -1; - } - if (verify_data_len != sizeof(local_verify_data) - || memcmp(verify_data, local_verify_data, sizeof(local_verify_data)) != 0) { - error_print(); - tls12_send_alert(conn, TLS_alert_decrypt_error); - return -1; - } - - if (digest_update(&conn->dgst_ctx, conn->plain_record + 5, conn->plain_recordlen - 5) != 1) { - error_print(); - return -1; - } - if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx); - - return 1; -} - -int tlcp_send_server_finished(TLS_CONNECT *conn) -{ - int ret; - uint8_t verify_data[12]; - - if (conn->recordlen == 0) { - if(conn->verbose) tls_trace("send server {Finished}\n"); - - if (tls_compute_verify_data(conn->digest, conn->master_secret, "server finished", - &conn->dgst_ctx, verify_data) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_internal_error); - return -1; - } - - tls_record_set_protocol(conn->plain_record, conn->protocol); - - if (tls_record_set_handshake_finished(conn->plain_record, &conn->plain_recordlen, - verify_data, sizeof(verify_data)) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_internal_error); - return -1; - } - if (conn->verbose) - tlcp_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen); - - if (tls_update_transcript(conn, conn->plain_record) != 1) { - error_print(); - return -1; - } - - if (tls_record_encrypt(conn->cipher_suite, - &conn->server_write_mac_ctx, &conn->server_write_key, conn->server_write_iv, - conn->server_seq_num, conn->plain_record, conn->plain_recordlen, - conn->record, &conn->recordlen) != 1) { - error_print(); - tls12_send_alert(conn, TLS_alert_internal_error); - return -1; - } - tls_seq_num_incr(conn->server_seq_num); - } - - if ((ret = tls_send_record(conn)) != 1) { - if (ret != TLS_ERROR_SEND_AGAIN) { - error_print(); - } - return ret; - } - - return 1; -} - int tlcp_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentlen) { const HMAC_CTX *hmac_ctx; @@ -2459,14 +2020,14 @@ int tlcp_do_client_handshake(TLS_CONNECT *conn) break; case TLS_state_server_hello_done: - ret = tlcp_recv_server_hello_done(conn); + ret = tls_recv_server_hello_done(conn); if (conn->client_certificate_verify) next_state = TLS_state_client_certificate; else next_state = TLS_state_client_key_exchange; break; case TLS_state_client_certificate: - ret = tlcp_send_client_certificate(conn); + ret = tls_send_client_certificate(conn); next_state = TLS_state_client_key_exchange; break; @@ -2478,7 +2039,7 @@ int tlcp_do_client_handshake(TLS_CONNECT *conn) break; case TLS_state_certificate_verify: - ret = tlcp_send_certificate_verify(conn); + ret = tls_send_certificate_verify(conn); next_state = TLS_state_client_change_cipher_spec; break; @@ -2488,7 +2049,7 @@ int tlcp_do_client_handshake(TLS_CONNECT *conn) break; case TLS_state_client_finished: - ret = tlcp_send_client_finished(conn); + ret = tls_send_client_finished(conn); next_state = TLS_state_server_change_cipher_spec; break; @@ -2498,7 +2059,7 @@ int tlcp_do_client_handshake(TLS_CONNECT *conn) break; case TLS_state_server_finished: - ret = tlcp_recv_server_finished(conn); + ret = tls_recv_server_finished(conn); next_state = TLS_state_handshake_over; break; @@ -2543,7 +2104,7 @@ int tlcp_do_server_handshake(TLS_CONNECT *conn) break; case TLS_state_server_certificate: - ret = tlcp_send_server_certificate(conn); + ret = tls_send_server_certificate(conn); next_state = TLS_state_server_key_exchange; break; @@ -2579,7 +2140,7 @@ int tlcp_do_server_handshake(TLS_CONNECT *conn) break; case TLS_state_certificate_verify: - ret = tlcp_recv_certificate_verify(conn); + ret = tls_recv_certificate_verify(conn); next_state = TLS_state_client_change_cipher_spec; break; @@ -2589,7 +2150,7 @@ int tlcp_do_server_handshake(TLS_CONNECT *conn) break; case TLS_state_client_finished: - ret = tlcp_recv_client_finished(conn); + ret = tls_recv_client_finished(conn); next_state = TLS_state_server_change_cipher_spec; break; @@ -2599,7 +2160,7 @@ int tlcp_do_server_handshake(TLS_CONNECT *conn) break; case TLS_state_server_finished: - ret = tlcp_send_server_finished(conn); + ret = tls_send_server_finished(conn); next_state = TLS_state_handshake_over; break; diff --git a/src/tls12.c b/src/tls12.c index 2f6dbeb9..545cbd3f 100644 --- a/src/tls12.c +++ b/src/tls12.c @@ -1553,14 +1553,11 @@ int tls_recv_server_hello(TLS_CONNECT *conn) return 1; } -// TLS12 发送的是常规的证书链 -// TLCP SM2 发送的是SM2的双证书链,但是在数据格式上没有区别 -// TLCP SM9 发送的是服务器的ID和SM9公开参数(这个格式是不同的),但是存储上可能也是一样的 -// 我不确定SM2和SM9的格式是否是相容的 int tls_send_server_certificate(TLS_CONNECT *conn) { int ret; - if(conn->verbose) tls_trace("send ServerCertificate\n"); + + if (conn->verbose) tls_trace("send ServerCertificate\n"); if (conn->recordlen == 0) { if (tls_record_set_handshake_certificate(conn->record, &conn->recordlen, @@ -1569,18 +1566,17 @@ int tls_send_server_certificate(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_internal_error); return -1; } - if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0); + if (conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0); if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { error_print(); return -1; } - if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx); + if (conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx); if (tls_update_transcript(conn, conn->record) != 1) { error_print(); return -1; } - } if ((ret = tls_send_record(conn)) != 1) { @@ -1590,9 +1586,6 @@ int tls_send_server_certificate(TLS_CONNECT *conn) return ret; } - if (conn->client_certificate_verify) { - tls_client_verify_update(&conn->client_verify_ctx, conn->record + 5, conn->recordlen - 5); - } return 1; } @@ -1863,11 +1856,8 @@ int tls_send_server_key_exchange(TLS_CONNECT *conn) error_print(); return -1; } - - } - if ((ret = tls_send_record(conn)) != 1) { if (ret != TLS_ERROR_SEND_AGAIN) { error_print(); @@ -1875,11 +1865,6 @@ int tls_send_server_key_exchange(TLS_CONNECT *conn) return ret; } - //sm3_update(&conn->sm3_ctx, conn->record + 5, conn->recordlen - 5); - if (conn->client_certificate_verify) { - tls_client_verify_update(&conn->client_verify_ctx, conn->record + 5, conn->recordlen - 5); - } - return 1; } @@ -2105,7 +2090,6 @@ int tls_recv_server_key_exchange(TLS_CONNECT *conn) return 1; } - int tls12_send_certificate_request(TLS_CONNECT *conn) { int ret; @@ -2157,9 +2141,6 @@ int tls12_send_certificate_request(TLS_CONNECT *conn) return ret; } - //sm3_update(&conn->sm3_ctx, conn->record + 5, conn->recordlen - 5); - tls_client_verify_update(&conn->client_verify_ctx, conn->record + 5, conn->recordlen - 5); - return 1; } @@ -2551,37 +2532,55 @@ int tls_recv_client_key_exchange(TLS_CONNECT *conn) } - - int tls_send_certificate_verify(TLS_CONNECT *conn) { int ret; uint8_t sig[SM2_MAX_SIGNATURE_SIZE]; size_t siglen; - if(conn->verbose) tls_trace("send CertificateVerify\n"); - - if (!conn->client_certificate_verify) { - error_print(); - return -1; - } + if (conn->verbose) + tls_trace("send CertificateVerify\n"); if (conn->recordlen == 0) { - if (sm2_sign_finish(&conn->sign_ctx, sig, &siglen) != 1) { + X509_KEY *sign_key = &conn->ctx->x509_keys[conn->cert_chain_idx - 1]; + X509_SIGN_CTX sign_ctx; + const uint8_t *signer_id = NULL; + size_t signer_idlen = 0; + + if (sign_key->algor == OID_ec_public_key && sign_key->algor_param == OID_sm2) { + signer_id = (uint8_t *)SM2_DEFAULT_ID; + signer_idlen = SM2_DEFAULT_ID_LENGTH; + } + + if (x509_sign_init(&sign_ctx, sign_key, signer_id, signer_idlen) != 1 + || x509_sign_update(&sign_ctx, conn->transcript, conn->transcript_len) != 1 + || x509_sign_finish(&sign_ctx, sig, &siglen) != 1) { + gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx)); error_print(); return -1; } + gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx)); + if (tls_record_set_handshake_certificate_verify(conn->record, &conn->recordlen, sig, siglen) != 1) { error_print(); tls_send_alert(conn, TLS_alert_internal_error); return -1; } - if(conn->verbose) tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0); + if (conn->verbose) + tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen); + + if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { + error_print(); + return -1; + } + if (conn->verbose) + tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx); if (tls_update_transcript(conn, conn->record) != 1) { error_print(); return -1; } + } if ((ret = tls_send_record(conn)) != 1) { @@ -2591,7 +2590,6 @@ int tls_send_certificate_verify(TLS_CONNECT *conn) return ret; } - //sm3_update(&conn->sm3_ctx, conn->record + 5, conn->recordlen - 5); return 1; }