Update TLCP client
Set optional CA certs and client keys; tlcp_client can now correctly connect to https://ebssec.boc.cn and https://zffw.jxzwfww.gov.cn. Known bugs: send and recv return values; handling of input once connected.
14
src/tlcp.c
14
src/tlcp.c
@@ -296,11 +296,15 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
|||||||
sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
|
sm2_sign_update(&sign_ctx, record + 5, recordlen - 5);
|
||||||
|
|
||||||
// verify ServerCertificate
|
// verify ServerCertificate
|
||||||
if (x509_certs_verify_tlcp(conn->server_certs, conn->server_certs_len,
|
if (conn->ca_certs_len) {
|
||||||
conn->ca_certs, conn->ca_certs_len, depth, &verify_result) != 1) {
|
// 只有提供了CA证书才验证服务器证书链
|
||||||
error_print();
|
// FIXME: 逻辑需要再检查
|
||||||
tls_send_alert(conn, alert);
|
if (x509_certs_verify_tlcp(conn->server_certs, conn->server_certs_len,
|
||||||
goto end;
|
conn->ca_certs, conn->ca_certs_len, depth, &verify_result) != 1) {
|
||||||
|
error_print();
|
||||||
|
tls_send_alert(conn, alert);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// recv ServerKeyExchange
|
// recv ServerKeyExchange
|
||||||
|
|||||||
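Review bot: When conn->ca_certs_len is zero the new `if (conn->ca_certs_len) {` branch skips x509_certs_verify_tlcp entirely, so a client that has loaded no CA certificates finishes the handshake without authenticating the server, and nothing is logged or signalled. If an unverified connection is meant to be allowed it should be an explicit opt-in on the context rather than a side effect of an empty CA list, and the skip should at least be visible, e.g. an `else` branch with `fprintf(stderr, "%s %d: ServerCertificate not verified, no CA certificates set\n", __FILE__, __LINE__);`. The remaining `// FIXME: 逻辑需要再检查` says the logic is still to be checked, so the commit ships a known-open question on the authentication path. tlcp_do_connect's body starts and ends outside the hunk.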
@@ -1545,6 +1545,8 @@ int tls_record_do_recv(uint8_t *record, size_t *recordlen, int sock)
|
|||||||
error_print();
|
error_print();
|
||||||
return -1;
|
return -1;
|
||||||
} else if (r != len) {
|
} else if (r != len) {
|
||||||
|
// FIXME: 不一定能够一次读取全部数据,需要修正这个bug
|
||||||
|
fprintf(stderr, "%s %d: r = %zu, len = %zu\n", __FILE__, __LINE__, r, len);
|
||||||
error_print();
|
error_print();
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|||||||
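Review bot: The new FIXME in the `} else if (r != len) {` branch records the real defect but leaves it in place: on a stream socket a single read may legitimately return fewer than len bytes, so a record that arrives in pieces is reported as a fatal error instead of being completed. The read that produces r is above the hunk and not visible here; it should accumulate into the buffer until len bytes have been received, treating only a zero or negative return as failure, after which this `r != len` branch becomes unreachable and can be dropped. The added fprintf duplicates error_print() and prints r with `%zu`; if r holds a raw read/recv return it is signed and the specifier should be `%zd` — worth confirming against the declaration above the hunk. tls_record_do_recv's body continues outside the hunk on both sides.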
@@ -1472,6 +1472,7 @@ int x509_certs_get_cert_by_subject(const uint8_t *d, size_t dlen,
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
error_print(); // 可能来自于没有找到对应的CA证书
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
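Review bot: The comment added before `return 0;` is in Chinese, while the existing comments in the files touched by this commit (`// verify ServerCertificate`, `// recv ServerKeyExchange`) are in English; the same applies to the comments added in the tlcp_do_connect, tls_record_do_recv and x509_certs_verify_tlcp hunks. A consistent wording here would be `// not found: no supplied CA certificate has this subject`. Note also that 0 from this function is the not-found result rather than an error, so the error_print() means every lookup miss is logged even where a caller treats a miss as expected; if that is intended the comment should say so. The function's start is outside the hunk.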
@@ -1649,6 +1650,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
if (x509_certs_get_cert_by_subject(rootcerts, rootcertslen, name, namelen, &cacert, &cacertlen) != 1) {
|
if (x509_certs_get_cert_by_subject(rootcerts, rootcertslen, name, namelen, &cacert, &cacertlen) != 1) {
|
||||||
|
// 当前证书链和提供的CA证书不匹配
|
||||||
error_print();
|
error_print();
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -150,12 +150,24 @@ bad:
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (tls_ctx_init(&ctx, TLS_protocol_tlcp, TLS_client_mode) != 1
|
if (tls_ctx_init(&ctx, TLS_protocol_tlcp, TLS_client_mode) != 1
|
||||||
|| tls_ctx_set_cipher_suites(&ctx, client_ciphers, sizeof(client_ciphers)/sizeof(client_ciphers[0])) != 1
|
|| tls_ctx_set_cipher_suites(&ctx, client_ciphers, sizeof(client_ciphers)/sizeof(client_ciphers[0])) != 1) {
|
||||||
|| tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1
|
|
||||||
|| tls_ctx_set_certificate_and_key(&ctx, certfile, keyfile, pass) != 1) {
|
|
||||||
fprintf(stderr, "%s: context init error\n", prog);
|
fprintf(stderr, "%s: context init error\n", prog);
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
|
if (cacertfile) {
|
||||||
|
if (tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1) {
|
||||||
|
fprintf(stderr, "%s: context init error\n", prog);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (certfile) {
|
||||||
|
if (tls_ctx_set_certificate_and_key(&ctx, certfile, keyfile, pass) != 1) {
|
||||||
|
fprintf(stderr, "%s: context init error\n", prog);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
if (tls_init(&conn, &ctx) != 1
|
if (tls_init(&conn, &ctx) != 1
|
||||||
|| tls_set_socket(&conn, sock) != 1
|
|| tls_set_socket(&conn, sock) != 1
|
||||||
|| tls_do_handshake(&conn) != 1) {
|
|| tls_do_handshake(&conn) != 1) {
|
||||||
|
|||||||
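Review bot: Making cacertfile optional here, combined with the tlcp_do_connect change that skips chain verification when no CA certificates are loaded, means running tlcp_client without a CA certificate file now yields an unauthenticated connection with no indication to the user. The no-CA case should at least warn, e.g. an `else` on the `if (cacertfile)` block with `fprintf(stderr, "%s: warning: no CA certificates given, server certificate will not be verified\n", prog);`. The `if (certfile)` branch also passes keyfile without checking it was supplied, so a certificate without a key reaches tls_ctx_set_certificate_and_key with a NULL keyfile — whether that function rejects it is not visible here, and a check like `if (certfile && !keyfile) { fprintf(stderr, "%s: key file required with certificate\n", prog); goto end; }` would make the failure explicit. The three identical "context init error" messages could name the step that failed. main's body starts and ends outside the hunk.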