diff --git a/CMakeLists.txt b/CMakeLists.txt index 1f9c246b..3b4e5399 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -763,9 +763,11 @@ if(ENABLE_TLS AND NOT WIN32) add_test(NAME tlcp_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake") add_test(NAME tlcp_sm4_cbc_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_cbc_sni -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake") add_test(NAME tlcp_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake") - add_test(NAME tls12_sm4_cbc COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_cbc -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake") - add_test(NAME tls12_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake") - add_test(NAME tls13_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") + add_test(NAME tls12_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake") + add_test(NAME tls12_sm4_cbc_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_cbc_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake") + add_test(NAME tls12_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake") + add_test(NAME tls13_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") + add_test(NAME tls13_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") add_test(NAME tls13_hrr_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_hrr_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") add_test(NAME tls13_psk_dhe_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_psk_dhe_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") add_test(NAME tls13_psk_only_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_psk_only_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") @@ -774,9 +776,11 @@ if(ENABLE_TLS AND NOT WIN32) tlcp_sm4_gcm_sni tlcp_sm4_cbc_sni tlcp_sm4_gcm_client_cert - tls12_sm4_cbc - tls12_sm4_gcm - tls13_sm4_gcm + tls12_sm4_gcm_sni + tls12_sm4_cbc_sni + tls12_sm4_gcm_client_cert + tls13_sm4_gcm_sni + tls13_sm4_gcm_client_cert tls13_hrr_sm4_gcm tls13_psk_dhe_sm4_gcm tls13_psk_only_sm4_gcm @@ -827,7 +831,7 @@ endif() # set(CPACK_PACKAGE_NAME "GmSSL") set(CPACK_PACKAGE_VENDOR "GmSSL develop team") -set(CPACK_PACKAGE_VERSION "3.2.0-dev.1113") +set(CPACK_PACKAGE_VERSION "3.2.0-dev.1114") set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md) set(CPACK_NSIS_MODIFY_PATH ON) include(CPack) diff --git a/cmake/tls12_commands.cmake b/cmake/tls12_commands.cmake index e1690ec8..c33b9bfb 100644 --- a/cmake/tls12_commands.cmake +++ b/cmake/tls12_commands.cmake @@ -3,43 +3,66 @@ include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake") gmssl_require_file(sm2_root_ca_cert.pem) gmssl_require_file(sm2_tls_server_certs.pem) gmssl_require_file(sm2_tls_server_key.pem) +gmssl_require_file(sm2_tls_client_certs.pem) +gmssl_require_file(sm2_tls_client_key.pem) if(NOT DEFINED TEST_CASE) - set(TEST_CASE tls12_sm4_cbc) + set(TEST_CASE tls12_sm4_gcm_sni) endif() -if(TEST_CASE STREQUAL tls12_sm4_cbc) - set(TEST_NAME tls12_sm4_cbc) - set(TEST_PORT 4432) - set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_CBC_SM3) -elseif(TEST_CASE STREQUAL tls12_sm4_gcm) - set(TEST_NAME tls12_sm4_gcm) +if(TEST_CASE STREQUAL tls12_sm4_gcm_sni) + set(TEST_NAME tls12_sm4_gcm_sni) set(TEST_PORT 4434) set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3) + set(TEST_CLIENT_CERT OFF) +elseif(TEST_CASE STREQUAL tls12_sm4_cbc_sni) + set(TEST_NAME tls12_sm4_cbc_sni) + set(TEST_PORT 4432) + set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_CBC_SM3) + set(TEST_CLIENT_CERT OFF) +elseif(TEST_CASE STREQUAL tls12_sm4_gcm_client_cert) + set(TEST_NAME tls12_sm4_gcm_client_cert) + set(TEST_PORT 4438) + set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3) + set(TEST_CLIENT_CERT ON) else() message(FATAL_ERROR "unknown TLS 1.2 test case: ${TEST_CASE}") endif() +set(TEST_SERVER_ARGS + tls12_server + -port ${TEST_PORT} + -cipher_suite ${TEST_CIPHER_SUITE} + -supported_group sm2p256v1 + -sig_alg sm2sig_sm3 + -cert sm2_tls_server_certs.pem + -key sm2_tls_server_key.pem + -pass P@ssw0rd) + +set(TEST_CLIENT_ARGS + tls12_client + -host 127.0.0.1 + -port ${TEST_PORT} + -server_name localhost + -cacert sm2_root_ca_cert.pem + -cipher_suite ${TEST_CIPHER_SUITE} + -supported_group sm2p256v1 + -sig_alg sm2sig_sm3 + -in ${TEST_NAME}_message.txt) + +if(TEST_CLIENT_CERT) + list(APPEND TEST_SERVER_ARGS + -cacert sm2_root_ca_cert.pem + -cert_request) + list(APPEND TEST_CLIENT_ARGS + -cert sm2_tls_client_certs.pem + -key sm2_tls_client_key.pem + -pass P@ssw0rd) +endif() + gmssl_run_tls_command_test( TEST_NAME ${TEST_NAME} PORT ${TEST_PORT} - SERVER_ARGS - tls12_server - -port ${TEST_PORT} - -cert sm2_tls_server_certs.pem - -key sm2_tls_server_key.pem - -pass P@ssw0rd - -cipher_suite ${TEST_CIPHER_SUITE} - -supported_group sm2p256v1 - -sig_alg sm2sig_sm3 - CLIENT_ARGS - tls12_client - -host 127.0.0.1 - -port ${TEST_PORT} - -server_name localhost - -cacert sm2_root_ca_cert.pem - -cipher_suite ${TEST_CIPHER_SUITE} - -supported_group sm2p256v1 - -sig_alg sm2sig_sm3 - -in ${TEST_NAME}_message.txt + SERVER_ARGS ${TEST_SERVER_ARGS} + CLIENT_ARGS ${TEST_CLIENT_ARGS} ) diff --git a/cmake/tls13_commands.cmake b/cmake/tls13_commands.cmake index 7d9ff0ff..3e6c9d24 100644 --- a/cmake/tls13_commands.cmake +++ b/cmake/tls13_commands.cmake @@ -3,36 +3,62 @@ include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake") gmssl_require_file(sm2_root_ca_cert.pem) gmssl_require_file(sm2_tls_server_certs.pem) gmssl_require_file(sm2_tls_server_key.pem) +gmssl_require_file(sm2_tls_client_certs.pem) +gmssl_require_file(sm2_tls_client_key.pem) set(TLS13_PSK 1122334455667788112233445566778811223344556677881122334455667788) if(NOT DEFINED TEST_CASE) - set(TEST_CASE tls13_sm4_gcm) + set(TEST_CASE tls13_sm4_gcm_sni) endif() -if(TEST_CASE STREQUAL tls13_sm4_gcm) - gmssl_run_tls_command_test( - TEST_NAME tls13_sm4_gcm - PORT 4433 - SERVER_ARGS - tls13_server - -port 4433 - -cert sm2_tls_server_certs.pem - -key sm2_tls_server_key.pem - -pass P@ssw0rd - -cipher_suite TLS_SM4_GCM_SM3 - -supported_group sm2p256v1 - -sig_alg sm2sig_sm3 - CLIENT_ARGS - tls13_client - -host 127.0.0.1 - -port 4433 - -server_name localhost +if(TEST_CASE STREQUAL tls13_sm4_gcm_sni) + set(TEST_NAME tls13_sm4_gcm_sni) + set(TEST_PORT 4433) + set(TEST_CLIENT_CERT OFF) +elseif(TEST_CASE STREQUAL tls13_sm4_gcm_client_cert) + set(TEST_NAME tls13_sm4_gcm_client_cert) + set(TEST_PORT 4439) + set(TEST_CLIENT_CERT ON) +endif() + +if(DEFINED TEST_NAME) + set(TEST_SERVER_ARGS + tls13_server + -port ${TEST_PORT} + -cipher_suite TLS_SM4_GCM_SM3 + -supported_group sm2p256v1 + -sig_alg sm2sig_sm3 + -cert sm2_tls_server_certs.pem + -key sm2_tls_server_key.pem + -pass P@ssw0rd) + + set(TEST_CLIENT_ARGS + tls13_client + -host 127.0.0.1 + -port ${TEST_PORT} + -server_name localhost + -cacert sm2_root_ca_cert.pem + -cipher_suite TLS_SM4_GCM_SM3 + -supported_group sm2p256v1 + -sig_alg sm2sig_sm3 + -in ${TEST_NAME}_message.txt) + + if(TEST_CLIENT_CERT) + list(APPEND TEST_SERVER_ARGS -cacert sm2_root_ca_cert.pem - -cipher_suite TLS_SM4_GCM_SM3 - -supported_group sm2p256v1 - -sig_alg sm2sig_sm3 - -in tls13_sm4_gcm_message.txt + -cert_request) + list(APPEND TEST_CLIENT_ARGS + -cert sm2_tls_client_certs.pem + -key sm2_tls_client_key.pem + -pass P@ssw0rd) + endif() + + gmssl_run_tls_command_test( + TEST_NAME ${TEST_NAME} + PORT ${TEST_PORT} + SERVER_ARGS ${TEST_SERVER_ARGS} + CLIENT_ARGS ${TEST_CLIENT_ARGS} ) elseif(TEST_CASE STREQUAL tls13_hrr_sm4_gcm) gmssl_run_tls_command_test( diff --git a/include/gmssl/version.h b/include/gmssl/version.h index 4503fdb6..110e58b3 100644 --- a/include/gmssl/version.h +++ b/include/gmssl/version.h @@ -18,7 +18,7 @@ extern "C" { #define GMSSL_VERSION_NUM 30200 -#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1113" +#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1114" int gmssl_version_num(void); const char *gmssl_version_str(void); diff --git a/tools/tlcp_help.h b/tools/tlcp_help.h index d13022ca..1d458f5c 100644 --- a/tools/tlcp_help.h +++ b/tools/tlcp_help.h @@ -9,8 +9,8 @@ "\n" "Supported cipher suites:\n" -" TLS_ECC_SM4_GCM_SM3\n" " TLS_ECC_SM4_CBC_SM3\n" +" TLS_ECC_SM4_GCM_SM3\n" "\n" "\n" "Examples\n" diff --git a/tools/tls12_help.h b/tools/tls12_help.h index 1c4b5093..dd660680 100644 --- a/tools/tls12_help.h +++ b/tools/tls12_help.h @@ -8,98 +8,63 @@ */ "\n" -" -cipher_suite options\n" -" TLS_ECDHE_SM4_CBC_SM3 TLS 1.2\n" -" TLS_ECDHE_SM4_GCM_SM3 TLS 1.2\n" -" TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS 1.2\n" -" TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS 1.2\n" +"Supported cipher suites:\n" +" TLS_ECDHE_SM4_CBC_SM3\n" +" TLS_ECDHE_SM4_GCM_SM3\n" +#if defined(ENABLE_AES) && defined(ENABLE_SHA2) && defined(ENABLE_SECP256R1) +" TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\n" +" TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n" +#ifdef ENABLE_AES_CCM +" TLS_ECDHE_ECDSA_WITH_AES_128_CCM\n" +#endif +#endif +"\n" "\n" "Examples\n" "\n" -"Build with TLS 1.2, AES, and P-256 enabled\n" +" gmssl sm2keygen -pass P@ssw0rd -out sm2_root_ca_key.pem\n" +" gmssl certgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 Test Root CA\" \\\n" +" -days 3650 -key sm2_root_ca_key.pem -pass P@ssw0rd -out sm2_root_ca_cert.pem \\\n" +" -key_usage keyCertSign -key_usage cRLSign -ca\n" "\n" -" cmake -S . -B build -DENABLE_TLS=ON -DENABLE_AES=ON -DENABLE_SECP256R1=ON\n" -" cmake --build build\n" +" gmssl sm2keygen -pass P@ssw0rd -out sm2_tls_ca_key.pem\n" +" gmssl reqgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 TLS CA\" \\\n" +" -key sm2_tls_ca_key.pem -pass P@ssw0rd -out sm2_tls_ca_req.pem\n" +" gmssl reqsign -in sm2_tls_ca_req.pem -days 1825 -key_usage keyCertSign \\\n" +" -key_usage cRLSign -path_len_constraint 0 -cacert sm2_root_ca_cert.pem \\\n" +" -key sm2_root_ca_key.pem -pass P@ssw0rd -out sm2_tls_ca_cert.pem -ca\n" "\n" -"Generate SM2 certificates for sm2.example.com\n" +" gmssl sm2keygen -pass P@ssw0rd -out sm2_tls_server_key.pem\n" +" gmssl reqgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 TLS Server\" \\\n" +" -key sm2_tls_server_key.pem -pass P@ssw0rd -out sm2_tls_server_req.pem\n" +" gmssl reqsign -in sm2_tls_server_req.pem -days 365 -key_usage digitalSignature \\\n" +" -ext_key_usage serverAuth -subject_dns_name localhost -cacert sm2_tls_ca_cert.pem \\\n" +" -key sm2_tls_ca_key.pem -pass P@ssw0rd -out sm2_tls_server_cert.pem\n" +" cat sm2_tls_server_cert.pem > sm2_tls_server_certs.pem\n" +" cat sm2_tls_ca_cert.pem >> sm2_tls_server_certs.pem\n" "\n" -" gmssl sm2keygen -pass 1234 -out sm2rootcakey.pem\n" -" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN SM2ROOTCA -days 3650 \\\n" -" -key sm2rootcakey.pem -pass 1234 -out sm2rootcacert.pem \\\n" -" -key_usage keyCertSign -key_usage cRLSign -ca\n" +" gmssl sm2keygen -pass P@ssw0rd -out sm2_tls_client_key.pem\n" +" gmssl reqgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 TLS Client\" \\\n" +" -key sm2_tls_client_key.pem -pass P@ssw0rd -out sm2_tls_client_req.pem\n" +" gmssl reqsign -in sm2_tls_client_req.pem -days 365 -key_usage digitalSignature \\\n" +" -ext_key_usage clientAuth -cacert sm2_tls_ca_cert.pem -key sm2_tls_ca_key.pem \\\n" +" -pass P@ssw0rd -out sm2_tls_client_cert.pem\n" +" cat sm2_tls_client_cert.pem > sm2_tls_client_certs.pem\n" +" cat sm2_tls_ca_cert.pem >> sm2_tls_client_certs.pem\n" "\n" -" gmssl sm2keygen -pass 1234 -out sm2cakey.pem\n" -" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"SM2 Sub CA\" \\\n" -" -key sm2cakey.pem -pass 1234 -out sm2careq.pem\n" -" gmssl reqsign -in sm2careq.pem -days 365 -key_usage keyCertSign \\\n" -" -cacert sm2rootcacert.pem -key sm2rootcakey.pem -pass 1234 \\\n" -" -ca -path_len_constraint 0 -out sm2cacert.pem\n" +" printf 'hello tls12\\n' > message.txt\n" "\n" -" gmssl sm2keygen -pass 1234 -out sm2signkey.pem\n" -" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN sm2.example.com \\\n" -" -key sm2signkey.pem -pass 1234 -out sm2signreq.pem\n" -" gmssl reqsign -in sm2signreq.pem -days 365 -key_usage digitalSignature \\\n" -" -cacert sm2cacert.pem -key sm2cakey.pem -pass 1234 \\\n" -" -subject_dns_name sm2.example.com -out sm2signcert.pem\n" +" gmssl tls12_server -port 4432 -cert sm2_tls_server_certs.pem -key sm2_tls_server_key.pem -pass P@ssw0rd \\\n" +" -cipher_suite TLS_ECDHE_SM4_CBC_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n" +" gmssl tls12_client -host 127.0.0.1 -port 4432 -server_name localhost -cacert sm2_root_ca_cert.pem \\\n" +" -cipher_suite TLS_ECDHE_SM4_CBC_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" +" -in message.txt\n" "\n" -" cat sm2signcert.pem > sm2certs.pem\n" -" cat sm2cacert.pem >> sm2certs.pem\n" -"\n" -"Generate P-256 certificates for p256.example.com\n" -"\n" -" gmssl p256keygen -pass 1234 -out p256rootcakey.pem -export p256rootcakey.exp\n" -" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN P256ROOTCA -days 3650 \\\n" -" -key p256rootcakey.pem -pass 1234 -out p256rootcacert.pem \\\n" -" -key_usage keyCertSign -key_usage cRLSign -ca\n" -"\n" -" gmssl p256keygen -pass 1234 -out p256cakey.pem -export p256cakey.exp\n" -" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"P256 Sub CA\" \\\n" -" -key p256cakey.pem -pass 1234 -out p256careq.pem\n" -" gmssl reqsign -in p256careq.pem -days 365 -key_usage keyCertSign \\\n" -" -cacert p256rootcacert.pem -key p256rootcakey.pem -pass 1234 \\\n" -" -ca -path_len_constraint 0 -out p256cacert.pem\n" -"\n" -" gmssl p256keygen -pass 1234 -out p256signkey.pem -export p256signkey.exp\n" -" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN p256.example.com \\\n" -" -key p256signkey.pem -pass 1234 -out p256signreq.pem\n" -" gmssl reqsign -in p256signreq.pem -days 365 -key_usage digitalSignature \\\n" -" -cacert p256cacert.pem -key p256cakey.pem -pass 1234 \\\n" -" -subject_dns_name p256.example.com -out p256signcert.pem\n" -"\n" -" cat p256signcert.pem > p256certs.pem\n" -" cat p256cacert.pem >> p256certs.pem\n" -"\n" -" cat sm2rootcacert.pem > rootcacerts.pem\n" -" cat p256rootcacert.pem >> rootcacerts.pem\n" -"\n" -"TLS 1.2 server with two certificate chains selected by SNI\n" -"\n" -" gmssl tls12_server -port 4430 \\\n" -" -cipher_suite TLS_ECDHE_SM4_CBC_SM3 \\\n" -" -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \\\n" -" -supported_group sm2p256v1 -supported_group prime256v1 \\\n" -" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n" -" -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" -" -cert p256certs.pem -key p256signkey.pem -pass 1234\n" -"\n" -"TLS 1.2 clients with SNI\n" -"\n" -" gmssl tls12_client -host 127.0.0.1 -port 4430 -server_name sm2.example.com \\\n" -" -cipher_suite TLS_ECDHE_SM4_CBC_SM3 \\\n" -" -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \\\n" -" -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" -" -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" -" -cacert rootcacerts.pem\n" -"\n" -" gmssl tls12_client -host 127.0.0.1 -port 4430 -server_name p256.example.com \\\n" -" -cipher_suite TLS_ECDHE_SM4_CBC_SM3 \\\n" -" -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \\\n" -" -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" -" -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" -" -cacert rootcacerts.pem\n" -"\n" -" gmssl tls12_server -port 4430 -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -cert p256certs.pem -key p256signkey.pem -pass 1234 \\\n" -" -cacert p256cacert.pem -verbose -cert_request\n" -" gmssl tls12_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" -" -cert p256signcert.pem -key p256signkey.pem -pass 1234 -cacert p256rootcacert.pem -verbose\n" +" gmssl tls12_server -port 4438 -cert sm2_tls_server_certs.pem -key sm2_tls_server_key.pem -pass P@ssw0rd \\\n" +" -cipher_suite TLS_ECDHE_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" +" -cacert sm2_root_ca_cert.pem -cert_request\n" +" gmssl tls12_client -host 127.0.0.1 -port 4438 -server_name localhost -cacert sm2_root_ca_cert.pem \\\n" +" -cipher_suite TLS_ECDHE_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" +" -cert sm2_tls_client_certs.pem -key sm2_tls_client_key.pem -pass P@ssw0rd \\\n" +" -in message.txt\n" "\n" diff --git a/tools/tls13_help.h b/tools/tls13_help.h index 17be32ae..fd46d6de 100644 --- a/tools/tls13_help.h +++ b/tools/tls13_help.h @@ -1,202 +1,62 @@ "\n" -" -cipher_suite options\n" -" TLS_SM4_GCM_SM3 TLS 1.3\n" -" TLS_AES_128_GCM_SHA256 TLS 1.3\n" -" TLS_ECC_SM4_CBC_SM3 TLCP\n" -" TLS_ECDHE_SM4_CBC_SM3 TLCP TLS 1.2\n" -" TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS 1.2\n" +"Supported cipher suites:\n" +" TLS_SM4_GCM_SM3\n" +#ifdef ENABLE_SM4_CCM +" TLS_SM4_CCM_SM3\n" +#endif +#if defined(ENABLE_AES) && defined(ENABLE_SHA2) +" TLS_AES_128_GCM_SHA256\n" +#ifdef ENABLE_AES_CCM +" TLS_AES_128_CCM_SHA256\n" +#endif +#endif "\n" -" -supported_group options\n" -" sm2p256v1\n" -" prime256v1\n" "\n" -" -sig_alg options\n" -" sm2sig_sm3\n" -" ecdsa_secp256r1_sha256\n" +"Examples\n" "\n" -"Generate SM2 certificates\n" +" gmssl sm2keygen -pass P@ssw0rd -out sm2_root_ca_key.pem\n" +" gmssl certgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 Test Root CA\" \\\n" +" -days 3650 -key sm2_root_ca_key.pem -pass P@ssw0rd -out sm2_root_ca_cert.pem \\\n" +" -key_usage keyCertSign -key_usage cRLSign -ca\n" "\n" -" gmssl sm2keygen -pass 1234 -out sm2rootcakey.pem\n" -" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n" -" -key sm2rootcakey.pem -pass 1234 -out sm2rootcacert.pem \\\n" -" -key_usage keyCertSign -key_usage cRLSign -ca\n" +" gmssl sm2keygen -pass P@ssw0rd -out sm2_tls_ca_key.pem\n" +" gmssl reqgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 TLS CA\" \\\n" +" -key sm2_tls_ca_key.pem -pass P@ssw0rd -out sm2_tls_ca_req.pem\n" +" gmssl reqsign -in sm2_tls_ca_req.pem -days 1825 -key_usage keyCertSign \\\n" +" -key_usage cRLSign -path_len_constraint 0 -cacert sm2_root_ca_cert.pem \\\n" +" -key sm2_root_ca_key.pem -pass P@ssw0rd -out sm2_tls_ca_cert.pem -ca\n" "\n" -" gmssl sm2keygen -pass 1234 -out sm2cakey.pem\n" -" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" \\\n" -" -key sm2cakey.pem -pass 1234 -out sm2careq.pem\n" -" gmssl reqsign -in sm2careq.pem -days 365 -key_usage keyCertSign \\\n" -" -cacert sm2rootcacert.pem -key sm2rootcakey.pem -pass 1234 \\\n" -" -ca -path_len_constraint 0 \\\n" -" -out sm2cacert.pem\n" +" gmssl sm2keygen -pass P@ssw0rd -out sm2_tls_server_key.pem\n" +" gmssl reqgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 TLS Server\" \\\n" +" -key sm2_tls_server_key.pem -pass P@ssw0rd -out sm2_tls_server_req.pem\n" +" gmssl reqsign -in sm2_tls_server_req.pem -days 365 -key_usage digitalSignature \\\n" +" -ext_key_usage serverAuth -subject_dns_name localhost -cacert sm2_tls_ca_cert.pem \\\n" +" -key sm2_tls_ca_key.pem -pass P@ssw0rd -out sm2_tls_server_cert.pem\n" +" cat sm2_tls_server_cert.pem > sm2_tls_server_certs.pem\n" +" cat sm2_tls_ca_cert.pem >> sm2_tls_server_certs.pem\n" "\n" -" gmssl sm2keygen -pass 1234 -out sm2signkey.pem\n" -" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost \\\n" -" -key sm2signkey.pem -pass 1234 -out sm2signreq.pem\n" -" gmssl reqsign -in sm2signreq.pem -days 365 -key_usage digitalSignature \\\n" -" -cacert sm2cacert.pem -key sm2cakey.pem -pass 1234 \\\n" -" -out sm2signcert.pem\n" +" gmssl sm2keygen -pass P@ssw0rd -out sm2_tls_client_key.pem\n" +" gmssl reqgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 TLS Client\" \\\n" +" -key sm2_tls_client_key.pem -pass P@ssw0rd -out sm2_tls_client_req.pem\n" +" gmssl reqsign -in sm2_tls_client_req.pem -days 365 -key_usage digitalSignature \\\n" +" -ext_key_usage clientAuth -cacert sm2_tls_ca_cert.pem -key sm2_tls_ca_key.pem \\\n" +" -pass P@ssw0rd -out sm2_tls_client_cert.pem\n" +" cat sm2_tls_client_cert.pem > sm2_tls_client_certs.pem\n" +" cat sm2_tls_ca_cert.pem >> sm2_tls_client_certs.pem\n" "\n" -" cat sm2signcert.pem > sm2certs.pem\n" -" cat sm2cacert.pem >> sm2certs.pem\n" +" printf 'hello tls13\\n' > message.txt\n" "\n" -"TLS 1.3 with TLS_SM4_GCM_SM3 cipher suite\n" +" gmssl tls13_server -port 4433 -cert sm2_tls_server_certs.pem -key sm2_tls_server_key.pem -pass P@ssw0rd \\\n" +" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n" +" gmssl tls13_client -host 127.0.0.1 -port 4433 -server_name localhost -cacert sm2_root_ca_cert.pem \\\n" +" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" +" -in message.txt\n" "\n" -" gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n" +" gmssl tls13_server -port 4439 -cert sm2_tls_server_certs.pem -key sm2_tls_server_key.pem -pass P@ssw0rd \\\n" +" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" +" -cacert sm2_root_ca_cert.pem -cert_request\n" +" gmssl tls13_client -host 127.0.0.1 -port 4439 -server_name localhost -cacert sm2_root_ca_cert.pem \\\n" +" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" +" -cert sm2_tls_client_certs.pem -key sm2_tls_client_key.pem -pass P@ssw0rd \\\n" +" -in message.txt\n" "\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert sm2rootcacert.pem \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n" -"\n" -"Generate P-256 certificates\n" -"\n" -" gmssl p256keygen -pass 1234 -out p256rootcakey.pem -export p256rootcakey.exp\n" -" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN P256ROOTCA -days 3650 \\\n" -" -key p256rootcakey.pem -pass 1234 -out p256rootcacert.pem \\\n" -" -key_usage keyCertSign -key_usage cRLSign -ca\n" -"\n" -" gmssl p256keygen -pass 1234 -out p256cakey.pem -export p256cakey.exp\n" -" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"P256 Sub CA\" \\\n" -" -key p256cakey.pem -pass 1234 -out p256careq.pem\n" -" gmssl reqsign -in p256careq.pem -days 365 -key_usage keyCertSign \\\n" -" -cacert p256rootcacert.pem -key p256rootcakey.pem -pass 1234 \\\n" -" -ca -path_len_constraint 0 \\\n" -" -out p256cacert.pem\n" -"\n" -" gmssl p256keygen -pass 1234 -out p256signkey.pem -export p256signkey.exp\n" -" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN 127.0.0.1 \\\n" -" -key p256signkey.pem -pass 1234 -out p256signreq.pem\n" -" gmssl reqsign -in p256signreq.pem -days 365 -key_usage digitalSignature \\\n" -" -cacert p256cacert.pem -key p256cakey.pem -pass 1234 \\\n" -" -subject_dns_name 127.0.0.1 \\\n" -" -out p256signcert.pem\n" -"\n" -" cat p256signcert.pem > p256certs.pem\n" -" cat p256cacert.pem >> p256certs.pem\n" -"\n" -" cat sm2rootcacert.pem > rootcacerts.pem\n" -" cat p256rootcacert.pem >> rootcacerts.pem\n" -"\n" -"TLS 1.3 with TLS_AES_128_GCM_SHA256\n" -" gmssl tls13_server -port 4430 \\\n" -" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" -" -cert p256certs.pem -key p256signkey.pem -pass 1234\n" -"\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n" -" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256\n" -"\n" -" add `SSL_CTX_clear_options(ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);` to openssl apps/s_server.c\n" -" add `SSL_CTX_clear_options(ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);` to openssl apps/s_client.c\n" -"\n" -" /usr/local/bin/openssl s_server -accept 4430 -cert p256signcert.pem -cert_chain p256cacert.pem -key p256signkey.exp \\\n" -" -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -named_curve prime256v1 \\\n" -" -trace\n" -"\n" -" /usr/local/bin/openssl s_client -connect 127.0.0.1:4430 -tls1_3 -CAfile p256rootcacert.pem -groups prime256v1 -trace\n" -"\n" -"TLS 1.3 SNI\n" -"\n" -" gmssl tls13_server -port 4430 \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" -" -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" -" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" -" -cert p256certs.pem -key p256signkey.pem -pass 1234\n" -"\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" -" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" -" -server_name 127.0.0.1\n" -"\n" -"HelloRetryRequest\n" -"\n" -" gmssl tls13_server -port 4430 \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" -" -cert sm2certs.pem -key sm2signkey.pem -pass 1234\n" -"\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n" -" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" -" -max_key_exchanges 1 # or -max_key_exchanges 0 \n" -"\n" -"ClientHello with OCSP request, CT, and other extensions\n" -"\n" -" gmssl tls13_server -port 4430 \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \\\n" -" -supported_group sm2p256v1 -supported_group prime256v1 \\\n" -" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n" -" -cert sm2certs.pem -key sm2signkey.pem -pass 1234\n" -"\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \\\n" -" -supported_group sm2p256v1 -supported_group prime256v1 \\\n" -" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n" -" -max_key_exchanges 2 \\\n" -" -server_name 127.0.0.1 \\\n" -" -signature_algorithms_cert \\\n" -" -status_request \\\n" -" -post_handshake_auth \\\n" -" -ct\n" -"\n" -"NewSessionTicket\n" -"\n" -" TICKET_KEY=11223344556677881122334455667788\n" -"\n" -" gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" -" -new_session_ticket 2 -ticket_key $TICKET_KEY\n" -"\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" -" -sess_out session.bin\n" -"\n" -"PSK-DHE from session ticket\n" -"\n" -" gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 \\\n" -" -psk_dhe_ke -ticket_key $TICKET_KEY\n" -"\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 \\\n" -" -psk_dhe_ke -sess_in session.bin\n" -"\n" -"PSK-DHE/PSK from external\n" -"\n" -" PSK=1122334455667788112233445566778811223344556677881122334455667788\n" -"\n" -" gmssl tls13_server -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n" -" -supported_group sm2p256v1 -psk_dhe_ke \\\n" -" -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n" -"\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n" -" -supported_group sm2p256v1 -psk_dhe_ke \\\n" -" -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n" -"\n" -" gmssl tls13_server -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n" -" -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n" -"\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n" -" -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n" -"\n" -"EarlyData (0-RTT)\n" -"\n" -" gmssl tls13_server -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n" -" -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK \\\n" -" -early_data\n" -"\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n" -" -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK \\\n" -" -early_data early_data.txt\n" -"\n" -"CertificateRequest\n" -"\n" -" gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" -" -cert_request -cacert sm2rootcacert.pem\n" -"\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert sm2rootcacert.pem \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" -" -cert sm2certs.pem -key sm2signkey.pem -pass 1234\n" -"\n" -"CertificateRequest without CertificateVerify\n" -"\n" -" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert sm2rootcacert.pem \\\n" -" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n"