abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-14 12:26:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update TLCP client

Browse Source 
set optional CA certs and client keys
tlcp_client can correctly connect  https://ebssec.boc.cn, https://zffw.jxzwfww.gov.cn

Bugs:
send, recv return value.
handle input when connected.
This commit is contained in:
Zhi Guan
2022-07-26 22:36:33 +08:00
parent 43bec77d15
commit bb1dea9160
4 changed files with 28 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/tlcp.c
View File

@@ -296,11 +296,15 @@ int tlcp_do_connect(TLS_CONNECT *conn)
sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
// verify ServerCertificate
if (x509_certs_verify_tlcp(conn->server_certs, conn->server_certs_len,
conn->ca_certs, conn->ca_certs_len, depth, &verify_result) != 1) {
error_print();
tls_send_alert(conn, alert);
goto end;
if (conn->ca_certs_len) {
// 只有提供了CA证书才验证服务器证书链
// FIXME: 逻辑需要再检查
if (x509_certs_verify_tlcp(conn->server_certs, conn->server_certs_len,
conn->ca_certs, conn->ca_certs_len, depth, &verify_result) != 1) {
error_print();
tls_send_alert(conn, alert);
goto end;
}
}
// recv ServerKeyExchange

2
src/tls.c
View File

@@ -1545,6 +1545,8 @@ int tls_record_do_recv(uint8_t *record, size_t *recordlen, int sock)
error_print();
return -1;
} else if (r != len) {
// FIXME: 不一定能够一次读取全部数据需要修正这个bug
fprintf(stderr, "%s %d: r = %zu, len = %zu\n", __FILE__, __LINE__, r, len);
error_print();
return -1;
}

2
src/x509_cer.c
View File

@@ -1472,6 +1472,7 @@ int x509_certs_get_cert_by_subject(const uint8_t *d, size_t dlen,
return 1;
}
}
error_print(); // 可能来自于没有找到对应的CA证书
return 0;
}
@@ -1649,6 +1650,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen,
return -1;
}
if (x509_certs_get_cert_by_subject(rootcerts, rootcertslen, name, namelen, &cacert, &cacertlen) != 1) {
// 当前证书链和提供的CA证书不匹配
error_print();
return -1;
}

18
tools/tlcp_client.c
View File

@@ -150,12 +150,24 @@ bad:
}
if (tls_ctx_init(&ctx, TLS_protocol_tlcp, TLS_client_mode) != 1
|| tls_ctx_set_cipher_suites(&ctx, client_ciphers, sizeof(client_ciphers)/sizeof(client_ciphers[0])) != 1
|| tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1
|| tls_ctx_set_certificate_and_key(&ctx, certfile, keyfile, pass) != 1) {
|| tls_ctx_set_cipher_suites(&ctx, client_ciphers, sizeof(client_ciphers)/sizeof(client_ciphers[0])) != 1) {
fprintf(stderr, "%s: context init error\n", prog);
goto end;
}
if (cacertfile) {
if (tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1) {
fprintf(stderr, "%s: context init error\n", prog);
goto end;
}
}
if (certfile) {
if (tls_ctx_set_certificate_and_key(&ctx, certfile, keyfile, pass) != 1) {
fprintf(stderr, "%s: context init error\n", prog);
goto end;
}
}
if (tls_init(&conn, &ctx) != 1
|| tls_set_socket(&conn, sock) != 1
|| tls_do_handshake(&conn) != 1) {