abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-06 16:36:16 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update TLS 1.3

Browse Source
This commit is contained in:
Zhi Guan
2026-04-28 11:50:15 +08:00
parent 34698ddc6f
commit b548e98d34
12 changed files with 2182 additions and 1301 deletions
Download Patch File Download Diff File Expand all files Collapse all files

257
include/gmssl/tls.h
View File

@@ -744,7 +744,7 @@ typedef struct {
uint8_t cert_chains[8192];
size_t cert_chains_len;
size_t cert_chains_cnt; // 这是一个多余的值,不应该存储多余的值
size_t cert_chain_idx;
// size_t cert_chain_idx; // == 1 mean the first certificate
uint8_t *certs; // 这里应该改为cert_chain我们将certs表示为互相独立的证书
size_t certslen;
@@ -770,12 +770,6 @@ typedef struct {
size_t cacertslen;
int verify_depth;
// NewSessionTicket
int new_session_ticket;
int new_session_ticket_cnt;
@@ -794,10 +788,12 @@ typedef struct {
// server_name is connection only
// 5. status_request
int status_request; // if send in ClientHello, CertificateRequest
// list of (uint24array)CertificateEntry.extensions.status_request.response
uint8_t status_request_ocsp_responses[512];
size_t status_request_ocsp_responses_len;
// 10. supported_gruops
int supported_groups[32];
size_t supported_groups_cnt;
@@ -808,7 +804,7 @@ typedef struct {
// 18. signed_certificate_timestamp
int signed_certificate_timestamp;
uint8_t signed_certificate_timestamp_lists[512];
uint8_t signed_certificate_timestamp_lists[512]; // list of uint16array
size_t signed_certificate_timestamp_lists_len;
// 35. session_ticket
@@ -832,6 +828,23 @@ typedef struct {
// 46. psk_key_exchange_modes
int psk_key_exchange_modes;
// 47. certificate_authorities
//int certificate_authorities;
uint8_t ca_names[512];
size_t ca_names_len;
// 48. oid_filters
// ClientHello, CertificateRequest中是否包含这个扩展
const uint8_t *oid_filters;
size_t oid_filters_len;
// 49. post_handshake_auth
int post_handshake_auth;
// 50. signature_algorithms_cert
int signature_algorithms_cert; // 我方是否在ClientHello, CertificateRequest 中包含这个扩展
// 51. key_share
size_t key_exchanges_cnt;
@@ -839,7 +852,6 @@ typedef struct {
int tls_ctx_init(TLS_CTX *ctx, int protocol, int is_client);
int tls_ctx_set_cipher_suites(TLS_CTX *ctx, const int *cipher_suites, size_t cipher_suites_cnt);
int tls_ctx_set_signature_algorithms(TLS_CTX *ctx, const int *sig_algs, size_t sig_algs_cnt);
@@ -925,8 +937,6 @@ enum {
typedef struct {
int is_client; // 这个在CTX中应该是有的
int quiet;
tls_socket_t sock;
TLS_CTX *ctx;
@@ -974,9 +984,20 @@ typedef struct {
// 己方的证书链指向TLS_CTX中的cert_chains
const uint8_t *cert_chain;
size_t cert_chain_len;
int cert_chain_idx; // 这样就指向了CTX中的密钥
size_t cert_chain_idx;
int sig_alg; // 这个算法是和cert_chain中的end_entity_cert的公钥绑定的并且是从客户端的signature_algorithms中
/*
客户端和服务器端的签名算法是没有关系的
服务器和客户端都是在选择自己的证书链的同时确定了自己的签名算法
这个签名算法是通过CertificateVerify通知给对方的
*/
int sig_alg;
uint8_t peer_cert_chain[TLS_MAX_CERTIFICATES_SIZE];
@@ -1025,8 +1046,6 @@ typedef struct {
SM2_SIGN_CTX sign_ctx;
TLS_CLIENT_VERIFY_CTX client_verify_ctx;
// 所有这些命名为ecdh的都需要替换掉
uint16_t ecdh_named_curve;
X509_KEY ecdh_keys[2];
@@ -1036,75 +1055,74 @@ typedef struct {
size_t peer_ecdh_point_len;
// CertificateRequest.signature_algorithms =
// common(ClientHello.signature_algorithms, ctx->signature_algorithms)
/*
int signature_algorithms[2];
size_t signature_algorithms_cnt;
*/
// handshake messages
// HelloRetryRequest
int hello_retry_request;
// CertificateRequest
int certificate_request;
//int new_session_ticket;
// NewSessionTicket
int new_session_ticket;
int new_session_ticket_cnt;
const char *session_in;
const char *session_out;
// KeyUpdate
size_t client_data_size;
size_t server_data_size;
// extensions
// Extensions
// 0. server_name
// server_name is client only, server should not response server_name ext
int server_name;
// ClientHello.server_name
uint8_t host_name[256];
size_t host_name_len;
// EncryptedExtensions.server_name (emtpy)
// 5. status_request
int status_request;
// ClientHello.status_request set by app
// ClientHello.status_request
const uint8_t *status_request_responder_id_list;
size_t status_request_responder_id_list_len;
const uint8_t *status_request_exts;
size_t status_request_exts_len;
// ServerCertificate.CertificateEntry.status_request
// 在选择好证书之后这些值应该指向ctx->status_request_ocsp_responses
// 但是有可能指针为空或者长度为0
// 如果客户端发送了status_request还需要进一步检查是否匹配如果不匹配需要设置为0
// CertificateRequest.status_request (empty)
// Certificate.CertificateEntry.status_request
const uint8_t *status_request_ocsp_response;
size_t status_request_ocsp_response_len;
// 10. supported_gruops
// 10. supported_groups
// in ClientHello; EncryptedExtensions
int supported_groups[32];
size_t supported_groups_cnt;
// 13. signature_algorithms
// in ClientHello, CertificateRequest;
int signature_algorithms[2];
size_t signature_algorithms_cnt;
// 18. signed_certificate_timestamp
int signed_certificate_timestamp;
// ClientHello.signed_certificate_timestamp (empty)
// CertificateRequest.signed_certificate_timestamp (empty)
// Certificate.CertificateEntry.signed_certificate_timestamp
const uint8_t *signed_certificate_timestamp_list;
size_t signed_certificate_timestamp_list_len;
// 35. session_ticket
// NewSessionTicket
int new_session_ticket;
int new_session_ticket_cnt;
// 35. session_ticket (TLS12_ONLY)
// 41. pre_shared_key
// in ClientHello; ServerHello
int pre_shared_key;
uint8_t psk_identities[512];
uint8_t psk_identities[512]; // list of PskIdentity objects
size_t psk_identities_len;
int psk_cipher_suites[8];
size_t psk_cipher_suites_cnt;
uint8_t psk_keys[32 * 8];
uint8_t psk_keys[32 * 8]; // uint8array
size_t psk_keys_len;
// selected
const uint8_t *psk_identity;
size_t psk_identity_len;
uint8_t psk[32]; // 这应该改为一个指针
@@ -1112,25 +1130,47 @@ typedef struct {
int selected_psk_identity;
// session_ticket
const char *session_in;
const char *session_out;
int client_certificate_verify; // TLS1.2 TLCP需要这个
// 42. early_data
// in NewSessionTicket, ClientHello1; EncryptedExtensions
int early_data;
size_t max_early_data_size;
uint8_t early_data_buf[8192];
size_t early_data_offset;
size_t early_data_len;
// 43. supported_versions
// in ClientHello; ServerHello, HelloRetryRequest
// not optional
// 44. cookie
// in HelloRetryRequest; ClientHello2
int cookie;
uint8_t cookie_buf[256];
size_t cookie_len;
// 46. psk_key_exchange_modes
// in ClientHello;
// 47. certificate_authorities
// in ClientHello, CertificateRequest;
int certificate_authorities;
// 48. oid_filters
int oid_filters;
// 49. post_handshake_auth
int post_handshake_auth;
// in ClientHello;
// 50. signature_algorithms_cert
// in ClientHello, CertificateRequest;
int signature_algorithms_cert;
// 51. key_share
// in ClientHello; HelloRetryRequest, ServerHello
int key_share;
X509_KEY key_exchanges[2];
size_t key_exchanges_cnt;
@@ -1358,7 +1398,8 @@ int tls13_send_new_session_ticket(TLS_CONNECT *conn);
// tls13 client/server
int tls13_send_key_update(TLS_CONNECT *conn, int request_update);
int tls13_send_client_key_update(TLS_CONNECT *conn, int request_update);
int tls13_send_server_key_update(TLS_CONNECT *conn, int request_update);
int tls13_recv_key_update(TLS_CONNECT *conn);
@@ -1384,6 +1425,8 @@ int tls12_do_connect(TLS_CONNECT *conn);
int tls12_do_accept(TLS_CONNECT *conn);
int tls13_init(TLS_CONNECT *conn, TLS_CTX *ctx);
int tls13_do_connect(TLS_CONNECT *conn);
int tls13_do_accept(TLS_CONNECT *conn);
@@ -1598,27 +1641,86 @@ int tls13_process_new_session_ticket(TLS_CONNECT *conn);
int tls_cert_match_signature_algorithms(const uint8_t *cert, size_t certlen,
const int *signature_algorithms, size_t signature_algorithms_cnt,
int *first_matched_sig_alg);
int tls_cert_chain_match_signature_algorithms_cert(
const uint8_t *cert_chain, size_t cert_chain_len,
const int *signature_algorithms_cert, size_t signature_algorithms_cert_cnt);
// if cert has on subject_alt_name to match tls server_name extension
// return error (0) or success (1) to ignore the server_name
#define TLS_CERT_VERIFY_NO_SUBJECT_ALT_NAME 1
int tls_cert_match_server_name(const uint8_t *cert, size_t certlen, const uint8_t *host_name, size_t host_name_len);
int tls_cert_chain_match_extensions(
const uint8_t *cert_chain, size_t cert_chain_len,
const int *signature_algorithms, size_t signature_algorithms_cnt,
const int *signature_algorithms_cert, size_t signature_algorithms_cert_cnt, // optional
const uint8_t *ca_names, size_t ca_names_len, // optional
const uint8_t *oid_filters, size_t oid_filters_len, // optional
const uint8_t *host_name, size_t host_name_len, // optional
int *prefered_sig_alg);
int tls13_cert_chains_select(const uint8_t *cert_chains, size_t cert_chains_len,
const int *signature_algorithms, size_t signature_algorithms_cnt,
const int *signature_algorithms_cert, size_t signature_algorithms_cert_cnt, // optional
const uint8_t *ca_names, size_t ca_names_len, // certificate_authorities optional
const uint8_t *oid_filters, size_t oid_filters_len, // optional, only in CertificateRequest
const uint8_t *host_name, size_t host_name_len, // optional, only in ClientHello
const uint8_t **certs, size_t *certs_len, size_t *certs_idx, // optional
int *prefered_sig_alg);
// Extensions
// 0. server_name (sni)
// 0. server_name (SNI): in ClientHello, EncryptedExtensions
int tls_set_server_name(TLS_CONNECT *conn, const uint8_t *host_name, size_t host_name_len); // client only
int tls_server_name_ext_to_bytes(const uint8_t *host_name, size_t host_name_len, uint8_t **out, size_t *outlen);
int tls_server_name_from_bytes(const uint8_t **host_name, size_t *host_name_len,
const uint8_t *ext_data, size_t ext_datalen);
int tls_server_name_print(FILE *fp, int fmt, int ind, const uint8_t *ext_data, size_t ext_datalen);
int tls_set_server_name(TLS_CONNECT *conn, const uint8_t *host_name, size_t host_name_len);
// 5. status_request (ocsp stapling)
// 5. status_request (OCSP stapling)
enum {
TLS_certificate_status_type_ocsp = 1,
};
// set ClientHello.status_request
// server CertifcateRequest.status_request only if ClientHello.status_request send
int tls13_set_client_status_request(TLS_CONNECT *conn,
const uint8_t *status_request_responder_id_list, size_t status_request_responder_id_list_len, // optional
const uint8_t *status_request_exts, size_t status_request_exts_len); // optional
// ocsp_response is set by tls_ctx_add_certificate_list_and_key()
// status_request in CertificateRequest
// depends on ClientHello.status_request, can not be set explicitly
int ocsp_response_verify(const uint8_t *ocsp_response, size_t ocsp_response_len,
const uint8_t *ca_certs, size_t ca_certs_len);
int tls_ocsp_response_match_status_request(
const uint8_t *status_request_ocsp_response, size_t status_request_ocsp_response_len,
const uint8_t *responder_id_list, size_t responder_id_list_len,
const uint8_t *request_exts, size_t request_exts_len);
// status_request in ClientHello
int tls_ocsp_status_request_to_bytes(
const uint8_t *responder_id_list, size_t responder_id_list_len,
const uint8_t *request_exts, size_t request_exts_len,
@@ -1639,10 +1741,7 @@ int tls_client_status_request_from_bytes(int *status_type,
const uint8_t *ext_data, size_t ext_datalen);
int tls_client_status_request_print(FILE *fp, int fmt, int ind,
const uint8_t *ext_data, size_t ext_datalen);
int tls13_set_client_status_request(TLS_CONNECT *conn,
const uint8_t *status_request_responder_id_list, size_t status_request_responder_id_list_len, // optional
const uint8_t *status_request_exts, size_t status_request_exts_len); // optional
// Certificate 这个命名有问题客户端证书也可以包含status_request应该以client_hello, certificate结尾来标注函数名
int tls_server_status_request_ext_to_bytes(const uint8_t *ocsp_response, size_t ocsp_response_len,
uint8_t **out, size_t *outlen);
int tls_server_status_request_from_bytes(const uint8_t **ocsp_response, size_t *ocsp_response_len,
@@ -1650,10 +1749,10 @@ int tls_server_status_request_from_bytes(const uint8_t **ocsp_response, size_t *
int tls_server_status_request_print(FILE *fp, int fmt, int ind,
const uint8_t *ext_data, size_t ext_datalen);
int tls_ocsp_response_match_status_request(
const uint8_t *status_request_ocsp_response, size_t status_request_ocsp_response_len,
const uint8_t *responder_id_list, size_t responder_id_list_len,
const uint8_t *request_exts, size_t request_exts_len);
// 10. supported_groups
int tls_supported_groups_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_t dlen);
@@ -1675,6 +1774,9 @@ int tls_process_client_ec_point_formats(const uint8_t *ext_data, size_t ext_data
int tls_process_server_ec_point_formats(const uint8_t *ext_data, size_t ext_datalen);
// 13. signature_algorithms
int tls_enable_signature_algorithms_cert(TLS_CONNECT *conn);
int tls_signature_algorithms_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_t dlen);
int tls_signature_algorithms_ext_to_bytes_ex(int ext_type, const int *algs, size_t algs_cnt,
uint8_t **out, size_t *outlen);
@@ -1685,7 +1787,18 @@ int tls_process_signature_algorithms(const uint8_t *ext_data, size_t ext_datalen
const int *local_sig_algs, size_t local_sig_algs_cnt,
int *common_sig_algs, size_t *common_sig_algs_cnt, size_t max_cnt);
// 18. signed_certificate_timestamp (certificate transparency, CT)
// signed_certificate_timestamp response is set by tls_ctx_add_certificate_list_and_key()
int tls_ctx_enable_signed_certificate_timestamp(TLS_CTX *ctx); // 这里enable的是什么是否请求吗
int tls_enable_signed_certificate_timestamp(TLS_CONNECT *conn);
// 客户端需要一组SCT服务器的公钥列表才能够去验证SCT我们假定这个公钥列表在CTX中
int tls13_signed_certificate_timestamp_verify(const uint8_t *sct_list, size_t sct_list_len);
int tls_signed_certificate_timestamp_entry_to_bytes(const uint8_t key_id[32],
uint64_t timestamp, const uint8_t *signature, size_t signature_len,
uint8_t **out, size_t *outlen);
@@ -1698,8 +1811,12 @@ int tls_signed_certificate_timestamp_from_bytes(const uint8_t **sct_list, size_t
const uint8_t **in, size_t *inlen);
int tls_signed_certificate_timestamp_print(FILE *fp, int fmt, int ind,
const char *label, const uint8_t *d, size_t dlen);
int tls_ctx_enable_signed_certificate_timestamp(TLS_CTX *ctx);
int tls_enable_signed_certificate_timestamp(TLS_CONNECT *conn);
// 41. pre_shared_key
int tls13_psk_identity_to_bytes(const uint8_t *ticket, size_t ticketlen, uint32_t obfuscated_ticket_age,
@@ -1797,6 +1914,26 @@ int tls13_psk_key_exchange_modes_print(FILE *fp, int fmt, int ind, const uint8_t
int tls13_ctx_set_psk_key_exchange_modes(TLS_CTX *ctx, int psk_ke, int psk_dhe_ke);
// 47. certificate_authorities
int tls13_enable_certificate_authorities(TLS_CONNECT *conn);
int tls13_certificate_authorities_ext_to_bytes(const uint8_t *ca_names, size_t ca_names_len,
uint8_t **out, size_t *outlen);
int tls13_certificate_authorities_from_bytes(const uint8_t **ca_names, size_t *ca_names_len,
const uint8_t *ext_data, size_t ext_datalen);
int tls13_certificate_authorities_print(FILE *fp, int fmt, int ind,
const uint8_t *ext_data, size_t ext_datalen);
// 48. oid_filters
// 49. post_handshake_auth
int tls13_enable_post_handshake_auth(TLS_CONNECT *conn);
// 50. signature_algorithms_cert
int tls13_signature_algorithms_cert_ext_to_bytes(const int *algs, size_t algs_cnt,
uint8_t **out, size_t *outlen);

19
src/tls.c
View File

@@ -1999,6 +1999,8 @@ int tls_authorities_from_certs(uint8_t *names, size_t *nameslen, size_t maxlen,
return 1;
}
// 这个函数在语义上有问题:
// 首先我们判断的是证书链因此函数名上应该是一个cert_chain
int tls_authorities_issued_certificate(const uint8_t *ca_names, size_t ca_names_len, const uint8_t *certs, size_t certslen)
{
const uint8_t *cert;
@@ -2240,6 +2242,10 @@ int tls_ctx_init(TLS_CTX *ctx, int protocol, int is_client)
ctx->verify_depth = 5;
// 默认就发送一个因为只要发送key_share那么至少有一个group
ctx->key_exchanges_cnt = 1;
return 1;
}
@@ -2343,6 +2349,11 @@ int tls_ctx_set_ca_certificates(TLS_CTX *ctx, const char *cacertsfile, int depth
error_print();
return -1;
}
if (tls_authorities_from_certs(ctx->ca_names, &ctx->ca_names_len, sizeof(ctx->ca_names),
ctx->cacerts, ctx->cacertslen) != 1) {
error_print();
return -1;
}
ctx->verify_depth = depth;
return 1;
@@ -2651,8 +2662,6 @@ int tls_ctx_set_supported_groups(TLS_CTX *ctx, const int *groups, size_t groups_
}
ctx->supported_groups_cnt = groups_cnt;
ctx->key_exchanges_cnt = (groups_cnt >= 2) ? 2 : 1;
return 1;
}
@@ -2716,7 +2725,7 @@ int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx)
conn->is_client = ctx->is_client;
//conn->is_client = ctx->is_client;
conn->protocol = ctx->protocol;
@@ -2753,10 +2762,6 @@ int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx)
conn->sign_key = ctx->signkey;
conn->kenc_key = ctx->kenckey;
conn->quiet = ctx->quiet;
conn->ctx = ctx;
conn->key_exchanges_cnt = ctx->key_exchanges_cnt;

6
src/tls12.c
View File

@@ -172,6 +172,10 @@ int tls_recv_record(TLS_CONNECT *conn)
}
conn->recordlen = conn->record_offset;
// 应该判断是否为Alert这种异常状况
return 1;
}
@@ -2407,7 +2411,7 @@ int tls_recv_server_finished(TLS_CONNECT *conn)
return -1;
}
if (!conn->quiet)
if (!conn->ctx->quiet)
fprintf(stderr, "Connection established!\n");
return 1;

3042
src/tls13.c
View File

File diff suppressed because it is too large Load Diff

21
src/tls_ext.c
View File

@@ -327,7 +327,7 @@ Example:
*/
int tls_signature_algorithms_print_ex(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
int tls_signature_algorithms_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_t dlen)
{
const uint8_t *sig_algs;
size_t sig_algs_len;
@@ -355,6 +355,23 @@ int tls_signature_algorithms_print_ex(FILE *fp, int fmt, int ind, const char *la
return 1;
}
int tls_enable_signature_algorithms_cert(TLS_CONNECT *conn)
{
if (!conn) {
error_print();
return -1;
}
if (!conn->ctx->signature_algorithms_cnt) {
error_print();
return -1;
}
conn->signature_algorithms_cert = 1;
return 1;
}
/*
int tls_signature_algorithms_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_t dlen)
{
if (tls_signature_algorithms_print_ex(fp, fmt, ind, "signature_algorithms", d, dlen) != 1) {
@@ -372,7 +389,7 @@ int tls13_signature_algorithms_cert_print(FILE *fp, int fmt, int ind, const uint
}
return 1;
}
*/

4
src/tls_ocsp.c
View File

@@ -28,7 +28,6 @@
#include <sys/select.h>
/*
status_request(5)
@@ -46,7 +45,6 @@ ClientHello.status_request
} OCSPStatusRequest;
*/
// 如果两个参数都为空的话我们应该提供一个空的request
int tls_ocsp_status_request_to_bytes(
const uint8_t *responder_id_list, size_t responder_id_list_len, // optional
const uint8_t *request_exts, size_t request_exts_len, // optinoal
@@ -302,11 +300,11 @@ int tls13_set_client_status_request(TLS_CONNECT *conn,
error_print();
return -1;
}
conn->status_request = 1;
conn->status_request_responder_id_list = status_request_responder_id_list;
conn->status_request_responder_id_list_len = status_request_responder_id_list_len;
conn->status_request_exts = status_request_exts;
conn->status_request_exts_len = status_request_exts_len;
conn->status_request = 1;
return 1;
}

5
src/tls_psk.c
View File

@@ -735,6 +735,7 @@ int tls13_send_new_session_ticket(TLS_CONNECT *conn)
return 1;
}
// 这个函数是有点问题的还是应该改为recv_new_session_ticket
int tls13_process_new_session_ticket(TLS_CONNECT *conn)
{
int ret;
@@ -756,7 +757,6 @@ int tls13_process_new_session_ticket(TLS_CONNECT *conn)
const uint8_t *cp;
size_t len;
// only cheching encoding
if ((ret = tls13_record_get_handshake_new_session_ticket(conn->plain_record,
&ticket_lifetime, &ticket_age_add, &ticket_nonce, &ticket_nonce_len,
@@ -775,6 +775,9 @@ int tls13_process_new_session_ticket(TLS_CONNECT *conn)
const uint8_t *ext_data;
size_t ext_datalen;
// exts in NST
// * early_data
if (tls_ext_from_bytes(&ext_type, &ext_data, &ext_datalen, &exts, &extslen) != 1) {
error_print();
return -1;

10
src/tls_sct.c
View File

@@ -163,3 +163,13 @@ int tls_ctx_enable_signed_certificate_timestamp(TLS_CTX *ctx)
ctx->signed_certificate_timestamp = 1;
return 1;
}
int tls13_signed_certificate_timestamp_verify(const uint8_t *sct_list, size_t sct_list_len)
{
//error_print();
return 1;
}

2
src/tls_sni.c
View File

@@ -130,7 +130,7 @@ int tls_server_name_print(FILE *fp, int fmt, int ind, const uint8_t *ext_data, s
return -1;
}
format_print(fp, fmt, ind, "name_type: %s (%d)\n", name_type == 0 ? "host_name" : "(unknown)", name_type);
format_bytes(fp, fmt, ind, "host_name", host_name, host_name_len); // TODO: print string
format_string(fp, fmt, ind, "host_name", host_name, host_name_len); // TODO: print string
}
if (ext_datalen) {
error_print();

2
tests/tls13test.c
View File

@@ -448,7 +448,7 @@ static int test_tls13_signature_algorithms_cert_ext(void)
error_print();
return -1;
}
tls13_signature_algorithms_cert_print(stderr, 0, 4, ext_data, ext_datalen);
tls_signature_algorithms_print(stderr, 0, 4, ext_data, ext_datalen);
if (tls_process_signature_algorithms(ext_data, ext_datalen,
server_sig_algs, server_sig_algs_cnt,

83
tools/tls13_client.c
View File

@@ -37,6 +37,10 @@ static const char *help =
" -cert file Client's certificate chain in PEM format\n"
" -key file Client's encrypted private key in PEM format\n"
" -pass str Password to decrypt private key\n"
" -server_name Send server_name (SNI) request\n"
" -signature_algorithms_cert Send signature_algorithms_cert extension\n"
" -status_request Send status_request (OCSP Stapling) request\n"
" -ct Send signed_certificate_timestamp (SCT) request\n"
" -psk_ke Support PSK-only key exchange\n"
" -psk_dhe_ke Support PSK with (EC)DHE key exchange\n"
" -psk_identity str PSK Identity\n"
@@ -45,6 +49,7 @@ static const char *help =
" -sess_in Load server's session ticket file\n"
" -sess_out Save server's session ticket file\n"
" -early_data file Send early data, -psk_ke and/or -psk_dhe_ke should be set\n"
" -post_handshake_auth Support post_handshake_auth\n"
"\n"
"CipherSuites\n"
" TLS_SM4_GCM_SM3 TLS 1.3\n"
@@ -138,7 +143,11 @@ int tls13_client_main(int argc, char *argv[])
size_t sig_algs_cnt = 0;
int server_name = 0;
int signature_algorithms_cert = 0;
int status_request = 0;
int signed_certificate_timestamp = 0;
int post_handshake_auth = 0;
argc--;
argv++;
@@ -169,6 +178,16 @@ int tls13_client_main(int argc, char *argv[])
} else if (!strcmp(*argv, "-pass")) {
if (--argc < 1) goto bad;
pass = *(++argv);
} else if (!strcmp(*argv, "-server_name")) {
server_name = 1;
} else if (!strcmp(*argv, "-signature_algorithms_cert")) {
signature_algorithms_cert = 1;
} else if (!strcmp(*argv, "-status_request")) {
status_request = 1;
} else if (!strcmp(*argv, "-ct")) {
signed_certificate_timestamp = 1;
} else if (!strcmp(*argv, "-post_handshake_auth")) {
post_handshake_auth = 1;
} else if (!strcmp(*argv, "-sess_in")) {
if (--argc < 1) goto bad;
sess_in = *(++argv);
@@ -286,29 +305,22 @@ bad:
memset(&ctx, 0, sizeof(ctx));
memset(&conn, 0, sizeof(conn));
server.sin_addr = *((struct in_addr *)hp->h_addr_list[0]);
server.sin_family = AF_INET;
server.sin_port = htons(port);
if (tls_socket_create(&sock, AF_INET, SOCK_STREAM, 0) != 1) {
fprintf(stderr, "%s: socket create error\n", prog);
goto end;
}
if (tls_socket_connect(sock, &server) != 1) {
fprintf(stderr, "%s: socket connect error\n", prog);
goto end;
}
if (tls_ctx_init(&ctx, TLS_protocol_tls13, TLS_client_mode) != 1) {
fprintf(stderr, "%s: context init error\n", prog);
goto end;
}
/*
if (!cipher_suites_cnt) {
error_print();
fprintf(stderr, "%s: option '-cipher_suite' required\n", prog);
goto end;
}
*/
if (tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
fprintf(stderr, "%s: context init error\n", prog);
@@ -364,11 +376,39 @@ bad:
if (tls_init(&conn, &ctx) != 1) {
if (tls13_init(&conn, &ctx) != 1) {
fprintf(stderr, "%s: error\n", prog);
goto end;
}
if (server_name) {
if (tls_set_server_name(&conn, (uint8_t *)host, strlen(host)) != 1) {
error_print();
goto end;
}
}
if (signature_algorithms_cert) {
if (tls_enable_signature_algorithms_cert(&conn) != 1) {
error_print();
return -1;
}
}
if (status_request) {
if (tls13_set_client_status_request(&conn, NULL, 0, NULL, 0) != 1) {
error_print();
goto end;
}
}
if (signed_certificate_timestamp) {
if (tls_enable_signed_certificate_timestamp(&conn) != 1) {
error_print();
goto end;
}
}
if (sess_in) {
FILE *sess_infp;
int enable_psk = 0;
@@ -470,6 +510,23 @@ bad:
fclose(early_data_fp);
}
if (post_handshake_auth) {
}
server.sin_addr = *((struct in_addr *)hp->h_addr_list[0]);
server.sin_family = AF_INET;
server.sin_port = htons(port);
if (tls_socket_create(&sock, AF_INET, SOCK_STREAM, 0) != 1) {
fprintf(stderr, "%s: socket create error\n", prog);
goto end;
}
if (tls_socket_connect(sock, &server) != 1) {
fprintf(stderr, "%s: socket connect error\n", prog);
goto end;
}
if (tls_set_socket(&conn, sock) != 1

32
tools/tls13_server.c
View File

@@ -77,13 +77,23 @@ static const char *help =
" cat signcert.pem > certs.pem\n"
" cat cacert.pem >> certs.pem\n"
"\n"
" sudo gmssl tls13_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacert.pem\n"
" sudo gmssl tls13_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234 -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacert.pem -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n"
"\n"
" sudo gmssl tls13_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234 \n"
" -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \n"
" -supported_group sm2p256v1 -supported_group prime256v1\n"
" sudo gmssl tls13_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234 \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \\\n"
" -supported_group sm2p256v1 -supported_group prime256v1 \\\n"
" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacert.pem \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \\\n"
" -supported_group sm2p256v1 -supported_group prime256v1 \\\n"
" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n"
" -max_key_exchanges 2 \\\n"
" -server_name \\\n"
" -signature_algorithms_cert \\\n"
" -status_request \\\n"
" -post_handshake_auth \\\n"
" -ct\n"
"\n"
" PSK=1122334455667788112233445566778811223344556677881122334455667788\n"
" sudo gmssl tls13_server -port 4430 -cipher_suite TLS_SM4_GCM_SM3 -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n"
@@ -276,10 +286,12 @@ bad:
argv++;
}
/*
if (!cipher_suites_cnt) {
error_print();
goto end;
}
*/
if (tls_socket_lib_init() != 1) {
error_print();
@@ -398,11 +410,18 @@ bad:
fprintf(stderr, "%s: socket bind error\n", prog);
goto end;
}
if (tls13_init(&conn, &ctx) != 1) {
error_print();
return -1;
}
puts("start listen ...\n");
tls_socket_listen(sock, 1);
restart:
//client_addrlen = sizeof(client_addr);
@@ -412,8 +431,7 @@ restart:
}
puts("socket connected\n");
if (tls_init(&conn, &ctx) != 1
|| tls_set_socket(&conn, conn_sock) != 1) {
if (tls_set_socket(&conn, conn_sock) != 1) {
error_print();
return -1;
}