Fix hostname verify bug

Zhi Guan
2026-06-19 17:38:57 +08:00
parent f4abd90fba
commit bf80df075f
14 changed files with 55 additions and 15 deletions


@@ -821,7 +821,7 @@ endif()
# #
set(CPACK_PACKAGE_NAME "GmSSL") set(CPACK_PACKAGE_NAME "GmSSL")
set(CPACK_PACKAGE_VENDOR "GmSSL develop team") set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
set(CPACK_PACKAGE_VERSION "3.2.0-dev.1105") set(CPACK_PACKAGE_VERSION "3.2.0-dev.1106")
set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md) set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
set(CPACK_NSIS_MODIFY_PATH ON) set(CPACK_NSIS_MODIFY_PATH ON)
include(CPack) include(CPack)


@@ -92,7 +92,7 @@ if(NOT EXISTS signreq.pem)
endif() endif()
execute_process( execute_process(
COMMAND bin/gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -out signcert.pem COMMAND bin/gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -subject_dns_name localhost -out signcert.pem
RESULT_VARIABLE TEST_RESULT RESULT_VARIABLE TEST_RESULT
ERROR_VARIABLE TEST_STDERR ERROR_VARIABLE TEST_STDERR
) )
@@ -128,7 +128,7 @@ if(NOT EXISTS encreq.pem)
endif() endif()
execute_process( execute_process(
COMMAND bin/gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -out enccert.pem COMMAND bin/gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -subject_dns_name localhost -out enccert.pem
RESULT_VARIABLE TEST_RESULT RESULT_VARIABLE TEST_RESULT
ERROR_VARIABLE TEST_STDERR ERROR_VARIABLE TEST_STDERR
) )


@@ -34,6 +34,7 @@ gmssl_run_tls_command_test(
tlcp_client tlcp_client
-host 127.0.0.1 -host 127.0.0.1
-port ${TEST_PORT} -port ${TEST_PORT}
-server_name localhost
-cacert rootcacert.pem -cacert rootcacert.pem
-cipher_suite ${TEST_CIPHER_SUITE} -cipher_suite ${TEST_CIPHER_SUITE}
-in ${TEST_NAME}_message.txt -in ${TEST_NAME}_message.txt
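Review bot: Adding `-server_name localhost` next to `-host 127.0.0.1` means this test only exercises the path where the verification name is supplied explicitly; the new client default (verifying the certificate against the `-host` value when `-server_name` is absent) is left untested. A second invocation using `-host localhost` with no `-server_name` would cover that default against the same `localhost` dNSName certificate the certs script now issues. The tls12 and tls13 test sections make the identical change and have the same gap. The `gmssl_run_tls_command_test(` call starts before this hunk.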


@@ -36,6 +36,7 @@ gmssl_run_tls_command_test(
tls12_client tls12_client
-host 127.0.0.1 -host 127.0.0.1
-port ${TEST_PORT} -port ${TEST_PORT}
-server_name localhost
-cacert rootcacert.pem -cacert rootcacert.pem
-cipher_suite ${TEST_CIPHER_SUITE} -cipher_suite ${TEST_CIPHER_SUITE}
-supported_group sm2p256v1 -supported_group sm2p256v1


@@ -27,6 +27,7 @@ if(TEST_CASE STREQUAL tls13_sm4_gcm)
tls13_client tls13_client
-host 127.0.0.1 -host 127.0.0.1
-port 4433 -port 4433
-server_name localhost
-cacert rootcacert.pem -cacert rootcacert.pem
-cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_SM4_GCM_SM3
-supported_group sm2p256v1 -supported_group sm2p256v1
@@ -52,6 +53,7 @@ elseif(TEST_CASE STREQUAL tls13_hrr_sm4_gcm)
tls13_client tls13_client
-host 127.0.0.1 -host 127.0.0.1
-port 4460 -port 4460
-server_name localhost
-cacert rootcacert.pem -cacert rootcacert.pem
-cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_SM4_GCM_SM3
-supported_group prime256v1 -supported_group prime256v1


@@ -1235,7 +1235,7 @@ typedef struct {
// 0. server_name // 0. server_name
int server_name; int server_name;
// ClientHello.server_name // Hostname used for certificate name verification and ClientHello.server_name
uint8_t host_name[256]; uint8_t host_name[256];
size_t host_name_len; size_t host_name_len;
// EncryptedExtensions.server_name (emtpy) // EncryptedExtensions.server_name (emtpy)
@@ -1914,7 +1914,7 @@ int tls_ctx_enable_certificate_request(TLS_CTX *ctx, int enable);
// 0. server_name (SNI): in ClientHello, EncryptedExtensions // 0. server_name (SNI): in ClientHello, EncryptedExtensions
int tls_set_server_name(TLS_CONNECT *conn, const uint8_t *host_name, size_t host_name_len); // client only int tls_set_server_name(TLS_CONNECT *conn); // client only
int tls_server_name_ext_to_bytes(const uint8_t *host_name, size_t host_name_len, uint8_t **out, size_t *outlen); int tls_server_name_ext_to_bytes(const uint8_t *host_name, size_t host_name_len, uint8_t **out, size_t *outlen);
int tls_server_name_from_bytes(const uint8_t **host_name, size_t *host_name_len, int tls_server_name_from_bytes(const uint8_t **host_name, size_t *host_name_len,
const uint8_t *ext_data, size_t ext_datalen); const uint8_t *ext_data, size_t ext_datalen);
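Review bot: The hunk replaces the `tls_set_server_name` prototype but no declaration of the new `tls_set_hostname` (defined in tls_ext.c and called from all three client programs) appears in the visible header hunks; if it is not declared elsewhere in this header, those callers compile against an undeclared function. Suggest adding, next to the changed line, `int tls_set_hostname(TLS_CONNECT *conn, const char *host_name); // client only; name used for server certificate verification, call before tls_set_server_name()`. The comment on `tls_set_server_name` could also say that it now only enables sending the already-configured name as SNI, since the three-argument form callers may expect no longer exists.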


@@ -18,7 +18,7 @@ extern "C" {
#define GMSSL_VERSION_NUM 30200 #define GMSSL_VERSION_NUM 30200
#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1105" #define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1106"
int gmssl_version_num(void); int gmssl_version_num(void);
const char *gmssl_version_str(void); const char *gmssl_version_str(void);


@@ -791,7 +791,7 @@ int tlcp_recv_server_certificate(TLS_CONNECT *conn)
tls_send_alert(conn, TLS_alert_bad_certificate); tls_send_alert(conn, TLS_alert_bad_certificate);
return -1; return -1;
} }
if (conn->server_name) { if (conn->host_name_len) {
if ((ret = tls_cert_match_server_name(server_cert, server_cert_len, if ((ret = tls_cert_match_server_name(server_cert, server_cert_len,
conn->host_name, conn->host_name_len)) < 0) { conn->host_name, conn->host_name_len)) < 0) {
error_print(); error_print();


@@ -1259,8 +1259,8 @@ int tls_recv_server_certificate(TLS_CONNECT *conn)
} }
} }
// check server certificate matches ClientHello.server_name // check server certificate matches configured hostname
if (conn->server_name) { if (conn->host_name_len) {
if ((ret = tls_cert_match_server_name(server_cert, server_cert_len, if ((ret = tls_cert_match_server_name(server_cert, server_cert_len,
conn->host_name, conn->host_name_len)) < 0) { conn->host_name, conn->host_name_len)) < 0) {
error_print(); error_print();
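Review bot: With the condition now `if (conn->host_name_len)`, a connection on which `tls_set_hostname()` was never called skips the certificate name match entirely and silently; the CLI clients in this commit always set a hostname, but a library caller that does not gets chain validation with no identity binding and no diagnostic. Worth stating that at the check, e.g. `// host_name_len == 0: no hostname configured, so the certificate is not bound to any name` (or emitting a diagnostic in that branch) so the contract is visible to callers. The same condition change appears in tlcp_recv_server_certificate and tls13_recv_server_certificate. The enclosing function body extends outside this hunk.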


@@ -6237,7 +6237,7 @@ int tls13_recv_server_certificate(TLS_CONNECT *conn)
ca_names = conn->ctx->ca_names; ca_names = conn->ctx->ca_names;
ca_names_len = conn->ctx->ca_names_len; ca_names_len = conn->ctx->ca_names_len;
} }
if (conn->server_name) { if (conn->host_name_len) {
host_name = conn->host_name; host_name = conn->host_name;
host_name_len = conn->host_name_len; host_name_len = conn->host_name_len;
} }


@@ -108,9 +108,11 @@ int tls_server_name_from_bytes(const uint8_t **host_name, size_t *host_name_len,
return 1; return 1;
} }
int tls_set_server_name(TLS_CONNECT *conn, const uint8_t *host_name, size_t host_name_len) int tls_set_hostname(TLS_CONNECT *conn, const char *host_name)
{ {
if (!conn || !host_name || !host_name_len) { size_t host_name_len;
if (!conn || !host_name) {
error_print(); error_print();
return -1; return -1;
} }
@@ -118,6 +120,11 @@ int tls_set_server_name(TLS_CONNECT *conn, const uint8_t *host_name, size_t host
error_print(); error_print();
return -1; return -1;
} }
host_name_len = strlen(host_name);
if (!host_name_len) {
error_print();
return -1;
}
if (host_name_len >= sizeof(conn->host_name)) { if (host_name_len >= sizeof(conn->host_name)) {
error_print(); error_print();
return -1; return -1;
@@ -125,6 +132,23 @@ int tls_set_server_name(TLS_CONNECT *conn, const uint8_t *host_name, size_t host
memcpy(conn->host_name, host_name, host_name_len); memcpy(conn->host_name, host_name, host_name_len);
conn->host_name[host_name_len] = 0; conn->host_name[host_name_len] = 0;
conn->host_name_len = host_name_len; conn->host_name_len = host_name_len;
return 1;
}
int tls_set_server_name(TLS_CONNECT *conn)
{
if (!conn) {
error_print();
return -1;
}
if (!conn->is_client) {
error_print();
return -1;
}
if (!conn->host_name_len) {
error_print();
return -1;
}
conn->server_name = 1; conn->server_name = 1;
return 1; return 1;
} }
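Review bot: `tls_set_server_name` now depends on `tls_set_hostname` having run first — it fails when `conn->host_name_len` is zero — but neither function carries a comment stating the ordering, so a caller porting from the old three-argument form has no hint why the new call fails. Suggest `// Store the name used for server certificate verification (and, if later enabled, for SNI); must precede tls_set_server_name().` above `tls_set_hostname`, and `// Enable ClientHello.server_name using the name set by tls_set_hostname(); fails if none is configured.` above `tls_set_server_name`. The checks between the first and second hunks of this file are not visible here.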


@@ -461,8 +461,12 @@ bad:
error_print(); error_print();
goto end; goto end;
} }
if (tls_set_hostname(&conn, server_name ? server_name : host) != 1) {
error_print();
goto end;
}
if (server_name) { if (server_name) {
if (tls_set_server_name(&conn, (uint8_t *)server_name, strlen(server_name)) != 1) { if (tls_set_server_name(&conn) != 1) {
error_print(); error_print();
goto end; goto end;
} }
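Review bot: When `-server_name` is absent the verification name falls back to `host`, which may be an IP literal (the tests use `127.0.0.1`); whether `tls_cert_match_server_name` matches iPAddress SANs or only dNSName entries is not visible here, so if it is dNSName-only, an invocation by IP without `-server_name` will fail verification even against a certificate that carries that address. A comment at the call would make the behaviour explicit, e.g. `// name checked against the server certificate: explicit -server_name, else the -host value (possibly an IP literal)`. The same four lines are duplicated in the other two client hunks; a shared helper would keep them in step. The enclosing function starts before this hunk.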


@@ -447,8 +447,12 @@ bad:
goto end; goto end;
} }
if (tls_set_hostname(&conn, server_name ? server_name : host) != 1) {
error_print();
goto end;
}
if (server_name) { if (server_name) {
if (tls_set_server_name(&conn, (uint8_t *)server_name, strlen(server_name)) != 1) { if (tls_set_server_name(&conn) != 1) {
error_print(); error_print();
goto end; goto end;
} }


@@ -636,8 +636,12 @@ bad:
} }
} }
if (tls_set_hostname(&conn, server_name ? server_name : host) != 1) {
error_print();
goto end;
}
if (server_name) { if (server_name) {
if (tls_set_server_name(&conn, (uint8_t *)server_name, strlen(server_name)) != 1) { if (tls_set_server_name(&conn) != 1) {
error_print(); error_print();
goto end; goto end;
} }