From bb1dea91604dfb4275ac73ab89f146763a40f900 Mon Sep 17 00:00:00 2001
From: Zhi Guan
Date: Tue, 26 Jul 2022 22:36:33 +0800
Subject: [PATCH] Update TLCP client set optional CA certs and client keys
tlcp_client can correctly connect https://ebssec.boc.cn, https://zffw.jxzwfww.gov.cn Bugs: send, recv return value. handle input when connected.
---
 src/tlcp.c | 14 +++++++++-----
 src/tls.c | 2 ++
 src/x509_cer.c | 2 ++
 tools/tlcp_client.c | 18 +++++++++++++++---
 4 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/src/tlcp.c b/src/tlcp.c
index 743549a9..82a2378c 100644
--- a/src/tlcp.c
+++ b/src/tlcp.c
@@ -296,11 +296,15 @@ int tlcp_do_connect(TLS_CONNECT *conn)
 	sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
 
 	// verify ServerCertificate
-	if (x509_certs_verify_tlcp(conn->server_certs, conn->server_certs_len,
-		conn->ca_certs, conn->ca_certs_len, depth, &verify_result) != 1) {
-		error_print();
-		tls_send_alert(conn, alert);
-		goto end;
+	if (conn->ca_certs_len) {
+		// 只有提供了CA证书才验证服务器证书链
+		// FIXME: 逻辑需要再检查
+		if (x509_certs_verify_tlcp(conn->server_certs, conn->server_certs_len,
+			conn->ca_certs, conn->ca_certs_len, depth, &verify_result) != 1) {
+			error_print();
+			tls_send_alert(conn, alert);
+			goto end;
+		}
 	}
 
 	// recv ServerKeyExchange
diff --git a/src/tls.c b/src/tls.c
index 9f002fa3..41a0f2c4 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -1545,6 +1545,8 @@ int tls_record_do_recv(uint8_t *record, size_t *recordlen, int sock)
 		error_print();
 		return -1;
 	} else if (r != len) {
+		// FIXME: 不一定能够一次读取全部数据,需要修正这个bug
+		fprintf(stderr, "%s %d: r = %zu, len = %zu\n", __FILE__, __LINE__, r, len);
 		error_print();
 		return -1;
 	}
diff --git a/src/x509_cer.c b/src/x509_cer.c
index d11be327..0101c3fb 100644
--- a/src/x509_cer.c
+++ b/src/x509_cer.c
@@ -1472,6 +1472,7 @@ int x509_certs_get_cert_by_subject(const uint8_t *d, size_t dlen,
 			return 1;
 		}
 	}
+	error_print(); // 可能来自于没有找到对应的CA证书
 	return 0;
 }
 
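Review bot: The new `if (conn->ca_certs_len)` guard in tlcp_do_connect turns an empty trust store into "accept any server certificate": a client that never loaded CA certificates now completes the handshake with the server identity unverified and with no diagnostic, and the added FIXME admits the logic is unsettled. I'd make skipping an explicit opt-in state rather than the default for an empty list, and make the unverified case visible, e.g. an else branch with `error_print(); // no trust anchors loaded: server certificate NOT verified` so the log shows when authentication was skipped (what verify_result holds after the skip is not visible here and should be checked by the caller). The two added comments are in Chinese while the neighbouring `// verify ServerCertificate` is English; `// only verify the server chain when CA certs were provided` reads consistently. tlcp_do_connect's body continues on both sides of the hunk.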
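Review bot: In tls_record_do_recv the `r != len` branch still fails the whole record on a short read, which is a normal TCP condition and not an error; the added fprintf only diagnoses it, and the FIXME concedes that. The fix is to loop until `len` bytes have arrived or the peer closes, as sketched below (the receive call and the destination offset sit above the hunk, so the fence assumes a plain `recv()` on `sock` into the record body — confirm against that code). Separately, if `r` is a `ssize_t` as recv() returns, `%zu` is the wrong specifier for it (`%zd`), and a `__FILE__`/`__LINE__` trace to stderr is debugging output that should not ship in the library. The function begins and ends outside the hunk.
```c
	// … unchanged: record header read and len computation …
	uint8_t *dst = record + 5; // constructed: assumes the 5-byte header is already in record; confirm above the hunk
	size_t got = 0;
	while (got < len) {
		ssize_t r = recv(sock, dst + got, len - got, 0);
		if (r < 0) {
			error_print();
			return -1;
		}
		if (r == 0) {
			error_print(); // peer closed mid-record
			return -1;
		}
		got += (size_t)r;
	}
	// … unchanged: recordlen bookkeeping and return …
```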
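Review bot: `error_print()` in front of `return 0` in x509_certs_get_cert_by_subject reports a plain "subject not found" miss as an error, although the function already distinguishes 0 (not found) from -1 (failure), and the caller in x509_certs_verify_tlcp (the next hunk) prints at the point where it treats the miss as fatal; any caller that merely probes for a certificate will now emit a spurious error line. I'd drop this line and keep the diagnostic in the caller. The comments added here and in the x509_certs_verify_tlcp hunk are in Chinese; `// no CA certificate with this subject` and `// server chain does not chain to any provided CA certificate` would say the same in the file's language.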
@@ -1649,6 +1650,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen,
 		return -1;
 	}
 	if (x509_certs_get_cert_by_subject(rootcerts, rootcertslen, name, namelen, &cacert, &cacertlen) != 1) {
+		// 当前证书链和提供的CA证书不匹配
 		error_print();
 		return -1;
 	}
diff --git a/tools/tlcp_client.c b/tools/tlcp_client.c
index c715e4aa..8925b62d 100644
--- a/tools/tlcp_client.c
+++ b/tools/tlcp_client.c
@@ -150,12 +150,24 @@ bad:
 	}
 
 	if (tls_ctx_init(&ctx, TLS_protocol_tlcp, TLS_client_mode) != 1
-		|| tls_ctx_set_cipher_suites(&ctx, client_ciphers, sizeof(client_ciphers)/sizeof(client_ciphers[0])) != 1
-		|| tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1
-		|| tls_ctx_set_certificate_and_key(&ctx, certfile, keyfile, pass) != 1) {
+		|| tls_ctx_set_cipher_suites(&ctx, client_ciphers, sizeof(client_ciphers)/sizeof(client_ciphers[0])) != 1) {
 		fprintf(stderr, "%s: context init error\n", prog);
 		goto end;
 	}
+	if (cacertfile) {
+		if (tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1) {
+			fprintf(stderr, "%s: context init error\n", prog);
+			goto end;
+		}
+	}
+	if (certfile) {
+		if (tls_ctx_set_certificate_and_key(&ctx, certfile, keyfile, pass) != 1) {
+			fprintf(stderr, "%s: context init error\n", prog);
+			goto end;
+		}
+	}
+
+
 	if (tls_init(&conn, &ctx) != 1
 		|| tls_set_socket(&conn, sock) != 1
 		|| tls_do_handshake(&conn) != 1) {
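Review bot: When `cacertfile` is NULL the client now builds a context with no trust anchors and, together with the tlcp.c change in this commit, completes the handshake without verifying the server, yet the user is told nothing; an else branch such as `fprintf(stderr, "%s: warning: no CA certificates given, server certificate will not be verified\n", prog);` keeps the unauthenticated mode visible. The three identical `"%s: context init error\n"` messages also no longer say which step failed now that the calls are separate; naming the step (`"%s: set CA certificates error\n"`, `"%s: set certificate and key error\n"`) costs nothing. If the option parser above the hunk allows `certfile` without `keyfile`, the `if (certfile)` branch passes a NULL key path through; a `if (certfile && !keyfile)` check with a usage error would catch that earlier — confirm against the parsing code. The enclosing function, with its `bad:` and `end:` labels, lies outside the hunk.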