From bf80df075f3b100dd62a79579ddd275156162abd Mon Sep 17 00:00:00 2001
From: Zhi Guan
Date: Fri, 19 Jun 2026 17:38:57 +0800
Subject: [PATCH] Fix hostname verify bug

---
 CMakeLists.txt | 2 +-
 cmake/cert_commands.cmake | 4 ++--
 cmake/tlcp_commands.cmake | 1 +
 cmake/tls12_commands.cmake | 1 +
 cmake/tls13_commands.cmake | 2 ++
 include/gmssl/tls.h | 4 ++--
 include/gmssl/version.h | 2 +-
 src/tlcp.c | 2 +-
 src/tls12.c | 4 ++--
 src/tls13.c | 2 +-
 src/tls_sni.c | 28 ++++++++++++++++++++++++++--
 tools/tlcp_client.c | 6 +++++-
 tools/tls12_client.c | 6 +++++-
 tools/tls13_client.c | 6 +++++-
 14 files changed, 55 insertions(+), 15 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 24551a20..afc8fce7 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -821,7 +821,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1105")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1106")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/cmake/cert_commands.cmake b/cmake/cert_commands.cmake
index 3839b2fe..6ed748b6 100644
--- a/cmake/cert_commands.cmake
+++ b/cmake/cert_commands.cmake
@@ -92,7 +92,7 @@ if(NOT EXISTS signreq.pem)
 endif()
 execute_process(
-	COMMAND bin/gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -out signcert.pem
+	COMMAND bin/gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -subject_dns_name localhost -out signcert.pem
 	RESULT_VARIABLE TEST_RESULT
 	ERROR_VARIABLE TEST_STDERR
 )
@@ -128,7 +128,7 @@ if(NOT EXISTS encreq.pem)
 endif()
 execute_process(
-	COMMAND bin/gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -out enccert.pem
+	COMMAND bin/gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -subject_dns_name localhost -out enccert.pem
 	RESULT_VARIABLE TEST_RESULT
 	ERROR_VARIABLE TEST_STDERR
 )
diff --git a/cmake/tlcp_commands.cmake b/cmake/tlcp_commands.cmake
index 64b757e0..58f3ff19 100644
--- a/cmake/tlcp_commands.cmake
+++ b/cmake/tlcp_commands.cmake
@@ -34,6 +34,7 @@ gmssl_run_tls_command_test(
 	tlcp_client
 	-host 127.0.0.1
 	-port ${TEST_PORT}
+	-server_name localhost
 	-cacert rootcacert.pem
 	-cipher_suite ${TEST_CIPHER_SUITE}
 	-in ${TEST_NAME}_message.txt
diff --git a/cmake/tls12_commands.cmake b/cmake/tls12_commands.cmake
index ed2cf1a2..92dabb1f 100644
--- a/cmake/tls12_commands.cmake
+++ b/cmake/tls12_commands.cmake
@@ -36,6 +36,7 @@ gmssl_run_tls_command_test(
 	tls12_client
 	-host 127.0.0.1
 	-port ${TEST_PORT}
+	-server_name localhost
 	-cacert rootcacert.pem
 	-cipher_suite ${TEST_CIPHER_SUITE}
 	-supported_group sm2p256v1
diff --git a/cmake/tls13_commands.cmake b/cmake/tls13_commands.cmake
index e3941895..aa6b7054 100644
--- a/cmake/tls13_commands.cmake
+++ b/cmake/tls13_commands.cmake
@@ -27,6 +27,7 @@ if(TEST_CASE STREQUAL tls13_sm4_gcm)
 	tls13_client
 	-host 127.0.0.1
 	-port 4433
+	-server_name localhost
 	-cacert rootcacert.pem
 	-cipher_suite TLS_SM4_GCM_SM3
 	-supported_group sm2p256v1
@@ -52,6 +53,7 @@ elseif(TEST_CASE STREQUAL tls13_hrr_sm4_gcm)
 	tls13_client
 	-host 127.0.0.1
 	-port 4460
+	-server_name localhost
 	-cacert rootcacert.pem
 	-cipher_suite TLS_SM4_GCM_SM3
 	-supported_group prime256v1
diff --git a/include/gmssl/tls.h b/include/gmssl/tls.h
index e04b1055..55756c4c 100644
--- a/include/gmssl/tls.h
+++ b/include/gmssl/tls.h
@@ -1235,7 +1235,7 @@ typedef struct {
 	// 0. server_name
 	int server_name;
-	// ClientHello.server_name
+	// Hostname used for certificate name verification and ClientHello.server_name
 	uint8_t host_name[256];
 	size_t host_name_len;
 	// EncryptedExtensions.server_name (emtpy)
@@ -1914,7 +1914,7 @@ int tls_ctx_enable_certificate_request(TLS_CTX *ctx, int enable);
 // 0. server_name (SNI): in ClientHello, EncryptedExtensions
-int tls_set_server_name(TLS_CONNECT *conn, const uint8_t *host_name, size_t host_name_len); // client only
+int tls_set_server_name(TLS_CONNECT *conn); // client only
 int tls_server_name_ext_to_bytes(const uint8_t *host_name, size_t host_name_len, uint8_t **out, size_t *outlen);
 int tls_server_name_from_bytes(const uint8_t **host_name, size_t *host_name_len, const uint8_t *ext_data, size_t ext_datalen);
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index af5c3500..2131887c 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 #define GMSSL_VERSION_NUM 30200
-#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1105"
+#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1106"
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/src/tlcp.c b/src/tlcp.c
index 5df11fed..056d82aa 100644
--- a/src/tlcp.c
+++ b/src/tlcp.c
@@ -791,7 +791,7 @@ int tlcp_recv_server_certificate(TLS_CONNECT *conn)
 		tls_send_alert(conn, TLS_alert_bad_certificate);
 		return -1;
 	}
-	if (conn->server_name) {
+	if (conn->host_name_len) {
 		if ((ret = tls_cert_match_server_name(server_cert, server_cert_len,
 			conn->host_name, conn->host_name_len)) < 0) {
 			error_print();
diff --git a/src/tls12.c b/src/tls12.c
index 1ef878af..a3ae7b97 100644
--- a/src/tls12.c
+++ b/src/tls12.c
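Review bot: `tls_set_hostname` gets no prototype in tls.h — the diffstat gives tls.h two insertions and both are visible here (the field comment and the reworked `tls_set_server_name` line), yet tools/tlcp_client.c, tls12_client.c and tls13_client.c all call the new function, so unless it is declared in a header outside this patch they build against an implicit declaration (invalid since C99 and a hard error in recent GCC/Clang defaults). Add it next to the SNI prototypes: `int tls_set_hostname(TLS_CONNECT *conn, const char *host_name); // must precede tls_set_server_name()`. The trailing `// client only` on `tls_set_server_name` would also say more as `// client only; sends the hostname set by tls_set_hostname() as SNI`, since the name argument is gone and the dependency is no longer visible from the signature.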
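Review bot: With the condition changed to `conn->host_name_len`, the certificate name check in `tlcp_recv_server_certificate` is still skipped silently whenever no hostname was configured, and the same applies to `tls_recv_server_certificate` in tls12.c and `tls13_recv_server_certificate` in tls13.c. The three bundled clients now always call `tls_set_hostname`, but any other library user who only installs a CA gets chain validation with no name binding and no indication of it. If fail-open is intended for the library API, say so at the check, e.g. `// no hostname configured: chain is validated but the certificate name is not checked`; otherwise a TLS_CTX-level option that turns an empty `host_name_len` into a hard error on the client side would close the gap. The enclosing function continues past this hunk.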
@@ -1259,8 +1259,8 @@ int tls_recv_server_certificate(TLS_CONNECT *conn)
 		}
 	}
-	// check server certificate matches ClientHello.server_name
-	if (conn->server_name) {
+	// check server certificate matches configured hostname
+	if (conn->host_name_len) {
 		if ((ret = tls_cert_match_server_name(server_cert, server_cert_len,
 			conn->host_name, conn->host_name_len)) < 0) {
 			error_print();
diff --git a/src/tls13.c b/src/tls13.c
index 66d0fed1..beba8130 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -6237,7 +6237,7 @@ int tls13_recv_server_certificate(TLS_CONNECT *conn)
 		ca_names = conn->ctx->ca_names;
 		ca_names_len = conn->ctx->ca_names_len;
 	}
-	if (conn->server_name) {
+	if (conn->host_name_len) {
 		host_name = conn->host_name;
 		host_name_len = conn->host_name_len;
 	}
diff --git a/src/tls_sni.c b/src/tls_sni.c
index ec1879c5..b2768b25 100644
--- a/src/tls_sni.c
+++ b/src/tls_sni.c
@@ -108,9 +108,11 @@ int tls_server_name_from_bytes(const uint8_t **host_name, size_t *host_name_len,
 	return 1;
 }
 
-int tls_set_server_name(TLS_CONNECT *conn, const uint8_t *host_name, size_t host_name_len)
+int tls_set_hostname(TLS_CONNECT *conn, const char *host_name)
 {
-	if (!conn || !host_name || !host_name_len) {
+	size_t host_name_len;
+
+	if (!conn || !host_name) {
 		error_print();
 		return -1;
 	}
@@ -118,6 +120,11 @@ int tls_set_server_name(TLS_CONNECT *conn, const uint8_t *host_name, size_t host
 		error_print();
 		return -1;
 	}
+	host_name_len = strlen(host_name);
+	if (!host_name_len) {
+		error_print();
+		return -1;
+	}
 	if (host_name_len >= sizeof(conn->host_name)) {
 		error_print();
 		return -1;
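Review bot: `tls_set_hostname` is a new public entry point with no header comment, and its contract (copy semantics, size limit, what the stored name is used for) can only be pieced together from the three tls_sni.c hunks. Suggested comment above the definition: `// Record the peer hostname: a NUL-terminated string of at most 255 bytes, copied into conn->host_name and matched against the server certificate; tls_set_server_name() later sends it as SNI. Returns 1 on success, -1 on error.` The 255-byte bound follows from the `>= sizeof(conn->host_name)` rejection and the `uint8_t host_name[256]` field in tls.h. The check between this hunk and the next (old lines 117–120) is not visible; if it is the client-only test, state "client only" in the comment as well.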
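Review bot: `strlen(host_name)` only bounds the length; the bytes are stored verbatim, and once `tls_set_server_name()` is called the same buffer is emitted as ClientHello.server_name, which RFC 6066 restricts to an ASCII host name (no IP literal, no trailing dot). A character check ahead of the size test keeps malformed input away from both the SNI encoder and `tls_cert_match_server_name`: `for (size_t i = 0; i < host_name_len; i++) if ((unsigned char)host_name[i] <= ' ' || (unsigned char)host_name[i] >= 0x7f) { error_print(); return -1; }`. Whether IP literals should be accepted for certificate matching at all is decided by `tls_cert_match_server_name`, which is outside this patch and worth stating in the function's documentation either way.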
@@ -125,6 +132,23 @@ int tls_set_server_name(TLS_CONNECT *conn, const uint8_t *host_name, size_t host
 	memcpy(conn->host_name, host_name, host_name_len);
 	conn->host_name[host_name_len] = 0;
 	conn->host_name_len = host_name_len;
+	return 1;
+}
+
+int tls_set_server_name(TLS_CONNECT *conn)
+{
+	if (!conn) {
+		error_print();
+		return -1;
+	}
+	if (!conn->is_client) {
+		error_print();
+		return -1;
+	}
+	if (!conn->host_name_len) {
+		error_print();
+		return -1;
+	}
 	conn->server_name = 1;
 	return 1;
 }
diff --git a/tools/tlcp_client.c b/tools/tlcp_client.c
index 10b2b5fe..a64c1467 100644
--- a/tools/tlcp_client.c
+++ b/tools/tlcp_client.c
@@ -461,8 +461,12 @@ bad:
 		error_print();
 		goto end;
 	}
+	if (tls_set_hostname(&conn, server_name ? server_name : host) != 1) {
+		error_print();
+		goto end;
+	}
 	if (server_name) {
-		if (tls_set_server_name(&conn, (uint8_t *)server_name, strlen(server_name)) != 1) {
+		if (tls_set_server_name(&conn) != 1) {
 			error_print();
 			goto end;
 		}
diff --git a/tools/tls12_client.c b/tools/tls12_client.c
index 22a592a1..37ee33b7 100644
--- a/tools/tls12_client.c
+++ b/tools/tls12_client.c
@@ -447,8 +447,12 @@ bad:
 		goto end;
 	}
+	if (tls_set_hostname(&conn, server_name ? server_name : host) != 1) {
+		error_print();
+		goto end;
+	}
 	if (server_name) {
-		if (tls_set_server_name(&conn, (uint8_t *)server_name, strlen(server_name)) != 1) {
+		if (tls_set_server_name(&conn) != 1) {
 			error_print();
 			goto end;
 		}
diff --git a/tools/tls13_client.c b/tools/tls13_client.c
index 969756bf..56b75e7c 100644
--- a/tools/tls13_client.c
+++ b/tools/tls13_client.c
@@ -636,8 +636,12 @@ bad:
 		}
 	}
+	if (tls_set_hostname(&conn, server_name ? server_name : host) != 1) {
+		error_print();
+		goto end;
+	}
 	if (server_name) {
-		if (tls_set_server_name(&conn, (uint8_t *)server_name, strlen(server_name)) != 1) {
+		if (tls_set_server_name(&conn) != 1) {
 			error_print();
 			goto end;
 		}
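Review bot: The new `tls_set_server_name` depends on state left behind by `tls_set_hostname`, and that ordering is enforced only by the `!conn->host_name_len` guard; nothing above the definition tells a caller. Suggested comment above it: `// Enable the SNI extension using the hostname previously set by tls_set_hostname(); fails if no hostname is set or conn is not a client.` Since the old function also copied the name (the `memcpy` context lines above), a one-line note that the copy now lives in `tls_set_hostname` would save the next reader a trip through the other hunks.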
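Review bot: `server_name ? server_name : host` means that without `-server_name` the certificate is now matched against whatever `-host` holds — `127.0.0.1` in the bundled cmake tests, which is why those gained `-server_name localhost` — and the same expression is added in tls12_client.c and tls13_client.c. How an IP literal is matched (iPAddress SAN versus dNSName) is decided in `tls_cert_match_server_name`, outside this patch; if it compares DNS names only, connecting by address without `-server_name` now fails verification, which is the safe direction but should be visible in the usage text, e.g. `-server_name str  hostname for SNI and certificate verification (defaults to -host)`. The hunk does not show whether `host` can still be NULL here; if `-host` is optional, `tls_set_hostname` rejects it and the client exits through `end` with only `error_print()` as explanation. The enclosing function starts before this hunk.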