Update TLS 1.3
@@ -37,6 +37,10 @@ static const char *help =
|
||||
" -cert file Client's certificate chain in PEM format\n"
|
||||
" -key file Client's encrypted private key in PEM format\n"
|
||||
" -pass str Password to decrypt private key\n"
|
||||
" -server_name Send server_name (SNI) request\n"
|
||||
" -signature_algorithms_cert Send signature_algorithms_cert extension\n"
|
||||
" -status_request Send status_request (OCSP Stapling) request\n"
|
||||
" -ct Send signed_certificate_timestamp (SCT) request\n"
|
||||
" -psk_ke Support PSK-only key exchange\n"
|
||||
" -psk_dhe_ke Support PSK with (EC)DHE key exchange\n"
|
||||
" -psk_identity str PSK Identity\n"
|
||||
@@ -45,6 +49,7 @@ static const char *help =
|
||||
" -sess_in Load server's session ticket file\n"
|
||||
" -sess_out Save server's session ticket file\n"
|
||||
" -early_data file Send early data, -psk_ke and/or -psk_dhe_ke should be set\n"
|
||||
" -post_handshake_auth Support post_handshake_auth\n"
|
||||
"\n"
|
||||
"CipherSuites\n"
|
||||
" TLS_SM4_GCM_SM3 TLS 1.3\n"
|
||||
@@ -138,7 +143,11 @@ int tls13_client_main(int argc, char *argv[])
|
||||
size_t sig_algs_cnt = 0;
|
||||
|
||||
|
||||
|
||||
int server_name = 0;
|
||||
int signature_algorithms_cert = 0;
|
||||
int status_request = 0;
|
||||
int signed_certificate_timestamp = 0;
|
||||
int post_handshake_auth = 0;
|
||||
|
||||
argc--;
|
||||
argv++;
|
||||
@@ -169,6 +178,16 @@ int tls13_client_main(int argc, char *argv[])
|
||||
} else if (!strcmp(*argv, "-pass")) {
|
||||
if (--argc < 1) goto bad;
|
||||
pass = *(++argv);
|
||||
} else if (!strcmp(*argv, "-server_name")) {
|
||||
server_name = 1;
|
||||
} else if (!strcmp(*argv, "-signature_algorithms_cert")) {
|
||||
signature_algorithms_cert = 1;
|
||||
} else if (!strcmp(*argv, "-status_request")) {
|
||||
status_request = 1;
|
||||
} else if (!strcmp(*argv, "-ct")) {
|
||||
signed_certificate_timestamp = 1;
|
||||
} else if (!strcmp(*argv, "-post_handshake_auth")) {
|
||||
post_handshake_auth = 1;
|
||||
} else if (!strcmp(*argv, "-sess_in")) {
|
||||
if (--argc < 1) goto bad;
|
||||
sess_in = *(++argv);
|
||||
@@ -286,29 +305,22 @@ bad:
|
||||
memset(&ctx, 0, sizeof(ctx));
|
||||
memset(&conn, 0, sizeof(conn));
|
||||
|
||||
server.sin_addr = *((struct in_addr *)hp->h_addr_list[0]);
|
||||
server.sin_family = AF_INET;
|
||||
server.sin_port = htons(port);
|
||||
|
||||
if (tls_socket_create(&sock, AF_INET, SOCK_STREAM, 0) != 1) {
|
||||
fprintf(stderr, "%s: socket create error\n", prog);
|
||||
goto end;
|
||||
}
|
||||
if (tls_socket_connect(sock, &server) != 1) {
|
||||
fprintf(stderr, "%s: socket connect error\n", prog);
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
||||
|
||||
if (tls_ctx_init(&ctx, TLS_protocol_tls13, TLS_client_mode) != 1) {
|
||||
fprintf(stderr, "%s: context init error\n", prog);
|
||||
goto end;
|
||||
}
|
||||
|
||||
/*
|
||||
if (!cipher_suites_cnt) {
|
||||
error_print();
|
||||
fprintf(stderr, "%s: option '-cipher_suite' required\n", prog);
|
||||
goto end;
|
||||
}
|
||||
*/
|
||||
|
||||
if (tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
|
||||
fprintf(stderr, "%s: context init error\n", prog);
|
||||
@@ -364,11 +376,39 @@ bad:
|
||||
|
||||
|
||||
|
||||
if (tls_init(&conn, &ctx) != 1) {
|
||||
if (tls13_init(&conn, &ctx) != 1) {
|
||||
fprintf(stderr, "%s: error\n", prog);
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
||||
if (server_name) {
|
||||
if (tls_set_server_name(&conn, (uint8_t *)host, strlen(host)) != 1) {
|
||||
error_print();
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (signature_algorithms_cert) {
|
||||
if (tls_enable_signature_algorithms_cert(&conn) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if (status_request) {
|
||||
if (tls13_set_client_status_request(&conn, NULL, 0, NULL, 0) != 1) {
|
||||
error_print();
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
if (signed_certificate_timestamp) {
|
||||
if (tls_enable_signed_certificate_timestamp(&conn) != 1) {
|
||||
error_print();
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (sess_in) {
|
||||
FILE *sess_infp;
|
||||
int enable_psk = 0;
|
||||
@@ -470,6 +510,23 @@ bad:
|
||||
fclose(early_data_fp);
|
||||
}
|
||||
|
||||
if (post_handshake_auth) {
|
||||
}
|
||||
|
||||
|
||||
|
||||
server.sin_addr = *((struct in_addr *)hp->h_addr_list[0]);
|
||||
server.sin_family = AF_INET;
|
||||
server.sin_port = htons(port);
|
||||
|
||||
if (tls_socket_create(&sock, AF_INET, SOCK_STREAM, 0) != 1) {
|
||||
fprintf(stderr, "%s: socket create error\n", prog);
|
||||
goto end;
|
||||
}
|
||||
if (tls_socket_connect(sock, &server) != 1) {
|
||||
fprintf(stderr, "%s: socket connect error\n", prog);
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
||||
if (tls_set_socket(&conn, sock) != 1
|
||||
|
||||
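Review bot: The new `signature_algorithms_cert` branch in `tls13_client_main` leaves with `return -1` when `tls_enable_signature_algorithms_cert()` fails, while the neighbouring `-server_name`, `-status_request` and `-ct` branches all use `goto end`; the `end:` label is outside the visible hunks, but if it releases the context and connection (which by this point may hold the client's decrypted private key), this path skips that, so `goto end;` is the consistent choice. Separately, `if (post_handshake_auth) { }` has an empty body, so the `-post_handshake_auth` option advertised in the help text is accepted and silently does nothing; until the extension is wired up, either drop the option or add a line such as `fprintf(stderr, "%s: -post_handshake_auth not implemented\n", prog);` so that a user does not assume it is active. The function body continues outside these hunks.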
@@ -77,13 +77,23 @@ static const char *help =
|
||||
" cat signcert.pem > certs.pem\n"
|
||||
" cat cacert.pem >> certs.pem\n"
|
||||
"\n"
|
||||
" sudo gmssl tls13_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234\n"
|
||||
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacert.pem\n"
|
||||
" sudo gmssl tls13_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234 -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n"
|
||||
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacert.pem -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n"
|
||||
"\n"
|
||||
" sudo gmssl tls13_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234 \n"
|
||||
" -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \n"
|
||||
" -supported_group sm2p256v1 -supported_group prime256v1\n"
|
||||
" sudo gmssl tls13_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234 \\\n"
|
||||
" -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \\\n"
|
||||
" -supported_group sm2p256v1 -supported_group prime256v1 \\\n"
|
||||
" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256\n"
|
||||
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacert.pem \\\n"
|
||||
" -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \\\n"
|
||||
" -supported_group sm2p256v1 -supported_group prime256v1 \\\n"
|
||||
" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n"
|
||||
" -max_key_exchanges 2 \\\n"
|
||||
" -server_name \\\n"
|
||||
" -signature_algorithms_cert \\\n"
|
||||
" -status_request \\\n"
|
||||
" -post_handshake_auth \\\n"
|
||||
" -ct\n"
|
||||
"\n"
|
||||
" PSK=1122334455667788112233445566778811223344556677881122334455667788\n"
|
||||
" sudo gmssl tls13_server -port 4430 -cipher_suite TLS_SM4_GCM_SM3 -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n"
|
||||
@@ -276,10 +286,12 @@ bad:
|
||||
argv++;
|
||||
}
|
||||
|
||||
/*
|
||||
if (!cipher_suites_cnt) {
|
||||
error_print();
|
||||
goto end;
|
||||
}
|
||||
*/
|
||||
|
||||
if (tls_socket_lib_init() != 1) {
|
||||
error_print();
|
||||
@@ -398,11 +410,18 @@ bad:
|
||||
fprintf(stderr, "%s: socket bind error\n", prog);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (tls13_init(&conn, &ctx) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
puts("start listen ...\n");
|
||||
tls_socket_listen(sock, 1);
|
||||
|
||||
|
||||
|
||||
|
||||
restart:
|
||||
|
||||
//client_addrlen = sizeof(client_addr);
|
||||
@@ -412,8 +431,7 @@ restart:
|
||||
}
|
||||
puts("socket connected\n");
|
||||
|
||||
if (tls_init(&conn, &ctx) != 1
|
||||
|| tls_set_socket(&conn, conn_sock) != 1) {
|
||||
if (tls_set_socket(&conn, conn_sock) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||