Update TLS 1.3

Full handshake is ok
2026-05-06 16:36:16 +08:00 · 2026-04-30 11:23:49 +08:00
parent b548e98d34
commit c23e117537
6 changed files with 212 additions and 58 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -227,6 +227,7 @@ set(tests
 	cms
 	tls
 	tls13
+	tls_ocsp
 )


--- a/include/gmssl/tls.h
+++ b/include/gmssl/tls.h
@@ -1810,7 +1810,7 @@ int tls_signed_certificate_timestamp_ext_to_bytes(const uint8_t *sct_list, size_
 int tls_signed_certificate_timestamp_from_bytes(const uint8_t **sct_list, size_t *sct_list_len,
 	const uint8_t **in, size_t *inlen);
 int tls_signed_certificate_timestamp_print(FILE *fp, int fmt, int ind,
-	const char *label, const uint8_t *d, size_t dlen);
+	const uint8_t *d, size_t dlen);



--- a/src/tls13.c
+++ b/src/tls13.c
@@ -1789,10 +1789,9 @@ int tls13_client_hello_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_
 			tls_server_name_print(fp, fmt, ind + 4, ext_data, ext_datalen);
 			break;
 		case TLS_extension_status_request:
-		//	tls_client_status_request_print(fp, fmt, ind + 4, ext_data, ext_datalen);
+			tls_client_status_request_print(fp, fmt, ind + 4, ext_data, ext_datalen);
 			break;
 		case TLS_extension_signed_certificate_timestamp:
-			format_print(fp, fmt, ind + 4, "signed_certificate_timestamp\n");
 			format_bytes(fp, fmt, ind + 4, "data", ext_data, ext_datalen); // should be empty
 			break;
 		case TLS_extension_supported_groups:
@@ -1828,7 +1827,7 @@ int tls13_client_hello_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_
 			break;
 		default:
 			format_bytes(fp, fmt, ind + 4, "data", ext_data, ext_datalen);
-			//error_print();
+			error_print();
 			//return -1;
 		}
 	}
@@ -1917,6 +1916,7 @@ int tls13_server_hello_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_
 			break;
 		default:
 			format_bytes(fp, fmt, ind + 4, "raw_data", ext_data, ext_datalen);
+			error_print();
 			return -1;
 		}
 	}
@@ -2176,8 +2176,11 @@ int tls13_encrypted_extensions_print(FILE *fp, int fmt, int ind, const uint8_t *
 		case TLS_extension_heartbeat:
 		case TLS_extension_application_layer_protocol_negotiation:
 		case TLS_extension_record_size_limit:
+			format_bytes(fp, fmt, ind + 4, "data", ext_data, ext_datalen);
+			break;
 		default:
-			format_bytes(fp, fmt, ind, "raw_data", ext_data, ext_datalen);
+			format_bytes(fp, fmt, ind + 4, "data", ext_data, ext_datalen);
+			error_print();
 		}
 	}
 	if (dlen) {
@@ -2247,13 +2250,19 @@ int tls13_certificate_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_t

 			switch (ext_type) {
 			case TLS_extension_status_request:
+				tls_server_status_request_print(fp, fmt, ind + 4, ext_data, ext_datalen);
+				break;
 			case TLS_extension_signed_certificate_timestamp:
+				tls_signed_certificate_timestamp_print(fp, fmt, ind + 4, ext_data, ext_datalen);
+				break;
 			case TLS_extension_server_certificate_type:
 			case TLS_extension_client_certificate_type:
+				format_bytes(fp, fmt, ind, "data", ext_data, ext_datalen);
 				break;
 			default:
+				format_bytes(fp, fmt, ind, "data", ext_data, ext_datalen);
 				error_print();
-				return -1;
+				//return -1;
 			}
 		}
 	}
--- a/src/tls_ocsp.c
+++ b/src/tls_ocsp.c
@@ -50,18 +50,12 @@ int tls_ocsp_status_request_to_bytes(
 	const uint8_t *request_exts, size_t request_exts_len, // optinoal
 	uint8_t **out, size_t *outlen)
 {
-	uint8_t **pp = out;
-	size_t request_len = 0;
-	size_t len;
-
 	if (!outlen) {
 		error_print();
 		return -1;
 	}
-	tls_uint16_to_bytes(0, out, &len);
-	tls_uint16array_to_bytes(responder_id_list, responder_id_list_len, out, &request_len);
-	tls_uint16array_to_bytes(request_exts, request_exts_len, out, &request_len);
-	tls_uint16array_to_bytes(NULL, request_len, pp, outlen);
+	tls_uint16array_to_bytes(responder_id_list, responder_id_list_len, out, outlen);
+	tls_uint16array_to_bytes(request_exts, request_exts_len, out, outlen);
 	return 1;
 }

@@ -73,35 +67,20 @@ int tls_ocsp_status_request_from_bytes(
 	const uint8_t *request;
 	size_t request_len;

-	if (!responder_id_list || !responder_id_list_len || !request_exts || !request_exts_len
-		|| !in || !(*in) || !inlen) {
+	if (!in || !(*in) || !inlen) {
 		error_print();
 		return -1;
 	}
-	if (tls_uint16array_from_bytes(&request, &request_len, in, inlen) != 1) {
-		error_print();
-		return -1;
-	}
-	if (!request) {
-		*responder_id_list = NULL;
-		*responder_id_list_len = 0;
-		*request_exts = NULL;
-		*request_exts_len = 0;
-		return 1;
-	}
-	if (tls_uint16array_from_bytes(responder_id_list, responder_id_list_len, &request, &request_len) != 1
-		|| tls_uint16array_from_bytes(request_exts, request_exts_len, &request, &request_len) != 1
-		|| tls_length_is_zero(request_len) != 1) {
+	if (tls_uint16array_from_bytes(responder_id_list, responder_id_list_len, in, inlen) != 1
+		|| tls_uint16array_from_bytes(request_exts, request_exts_len, in, inlen) != 1) {
 		error_print();
 		return -1;
 	}
 	return 1;
 }

-int tls_ocsp_status_request_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *ext_data, size_t ext_datalen)
+int tls_ocsp_status_request_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *request, size_t request_len)
 {
-	const uint8_t *request;
-	size_t request_len;
 	const uint8_t *responder_id_list;
 	size_t responder_id_list_len;
 	const uint8_t *request_exts;
@@ -110,16 +89,8 @@ int tls_ocsp_status_request_print(FILE *fp, int fmt, int ind, const char *label,
 	format_print(fp, fmt, ind, "%s\n", label);
 	ind += 4;

-	if (tls_uint16array_from_bytes(&request, &request_len, &ext_data, &ext_datalen) != 1) {
-		error_print();
-		return -1;
-	}
 	if (!request) {
 		format_print(fp, fmt, ind, "(null)\n");
-		if (ext_datalen) {
-			format_print(fp, fmt, ind, "error: left %zu bytes\n", ext_datalen);
-			return -1;
-		}
 		return 1;
 	}

@@ -148,7 +119,7 @@ int tls_ocsp_status_request_print(FILE *fp, int fmt, int ind, const char *label,
 			error_print();
 			return -1;
 		}
-		// print
+		// TODO: print
 	}
 	return 1;
 }
@@ -160,9 +131,13 @@ int tls_client_status_request_ext_to_bytes(int status_type,
 {
 	int ext_type = TLS_extension_status_request;
 	size_t ext_datalen = 0;
-	uint8_t **pp = out;
+	uint8_t request[256];
+	size_t request_len = 0;
+	uint8_t *p;
+	uint8_t **pp = NULL;
 	size_t len;

+
 	if (!outlen) {
 		error_print();
 		return -1;
@@ -171,10 +146,36 @@ int tls_client_status_request_ext_to_bytes(int status_type,
 		error_print();
 		return -1;
 	}
+
+	if (responder_id_list && responder_id_list_len
+		&& request_exts && request_exts_len) {
+		if (tls_ocsp_status_request_to_bytes(
+			responder_id_list, responder_id_list_len,
+			request_exts, request_exts_len, NULL, &request_len) != 1) {
+			error_print();
+			return -1;
+		}
+		if (request_len > sizeof(request)) {
+			error_print();
+			return -1;
+		}
+		p = request;
+		request_len = 0;
+		if (tls_ocsp_status_request_to_bytes(
+			responder_id_list, responder_id_list_len,
+			request_exts, request_exts_len, &p, &request_len) != 1) {
+			error_print();
+			return -1;
+		}
+	}
+
+	if (out) {
+		p = *out;
+		pp = &p;
+	}
 	tls_ext_to_bytes(ext_type, NULL, 0, out, &len);
 	tls_uint8_to_bytes(status_type, out, &ext_datalen);
-	tls_ocsp_status_request_to_bytes(responder_id_list, responder_id_list_len,
-		request_exts, request_exts_len, out, &ext_datalen);
+	tls_uint16array_to_bytes(request, request_len, out, &ext_datalen);
 	tls_ext_to_bytes(ext_type, NULL, ext_datalen, pp, outlen);
 	return 1;
 }
@@ -185,13 +186,21 @@ int tls_client_status_request_from_bytes(int *status_type,
 	const uint8_t *ext_data, size_t ext_datalen)
 {
 	uint8_t status;
+	const uint8_t *request;
+	size_t request_len;

 	if (!status_type || !responder_id_list || !responder_id_list_len
-		|| !request_exts || !request_exts_len || !ext_data || !ext_datalen) {
+		|| !request_exts || !request_exts_len) {
 		error_print();
 		return -1;
 	}
-	if (tls_uint8_from_bytes(&status, &ext_data, &ext_datalen) != 1) {
+	if (!ext_data || !ext_datalen) {
+		error_print();
+		return -1;
+	}
+	if (tls_uint8_from_bytes(&status, &ext_data, &ext_datalen) != 1
+		|| tls_uint16array_from_bytes(&request, &request_len, &ext_data, &ext_datalen) != 1
+		|| tls_length_is_zero(ext_datalen) != 1) {
 		error_print();
 		return -1;
 	}
@@ -200,11 +209,18 @@ int tls_client_status_request_from_bytes(int *status_type,
 		return -1;
 	}
 	*status_type = status;
-	if (tls_ocsp_status_request_from_bytes(responder_id_list, responder_id_list_len,
-		request_exts, request_exts_len, &ext_data, &ext_datalen) != 1
-		|| tls_length_is_zero(ext_datalen) != 1) {
-		error_print();
-		return -1;
+	*responder_id_list = NULL;
+	*responder_id_list_len = 0;
+	*request_exts = NULL;
+	*request_exts_len = 0;
+	if (request) {
+		if (tls_ocsp_status_request_from_bytes(
+			responder_id_list, responder_id_list_len,
+			request_exts, request_exts_len, &request, &request_len) != 1
+			|| tls_length_is_zero(request_len) != 1) {
+			error_print();
+			return -1;
+		}
 	}
 	return 1;
 }
@@ -221,11 +237,10 @@ int tls_client_status_request_print(FILE *fp, int fmt, int ind, const uint8_t *e
 		return -1;
 	}
 	format_print(fp, fmt, ind, "status_type: %s (%d)\n", status_type == TLS_certificate_status_type_ocsp ? "ocsp" : NULL, status_type);
-
-	request -= tls_uint16_size();
-	request_len += tls_uint16_size();
 	tls_ocsp_status_request_print(fp, fmt, ind, "request", request, request_len);
-
+	if (ext_datalen) {
+		format_print(fp, fmt, ind, "left: %zu bytes\n", ext_datalen);
+	}
 	return 1;
 }

--- a/src/tls_sct.c
+++ b/src/tls_sct.c
@@ -101,8 +101,7 @@ int tls_signed_certificate_timestamp_from_bytes(const uint8_t **sct_list, size_t
 	return 1;
 }

-int tls_signed_certificate_timestamp_print(FILE *fp, int fmt, int ind,
-	const char *label, const uint8_t *d, size_t dlen)
+int tls_signed_certificate_timestamp_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_t dlen)
 {
 	const uint8_t *sct_list;
 	size_t sct_list_len;
--- a/tests/tls_ocsptest.c
+++ b/tests/tls_ocsptest.c
@@ -0,0 +1,130 @@
+/*
+ *  Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gmssl/oid.h>
+#include <gmssl/x509.h>
+#include <gmssl/rand.h>
+#include <gmssl/error.h>
+#include <gmssl/tls.h>
+#include <gmssl/sm3.h>
+#include <gmssl/sm4.h>
+
+static int test_tls_ocsp_status_request(void)
+{
+	uint8_t buf[256];
+	uint8_t *p = buf;
+	const uint8_t *cp = buf;
+	size_t len = 0;
+
+	const uint8_t *responder_id_list = NULL;
+	size_t responder_id_list_len = 0;
+	const uint8_t *request_exts = NULL;
+	size_t request_exts_len = 0;
+
+
+	if (tls_ocsp_status_request_to_bytes(responder_id_list, responder_id_list_len,
+		request_exts, request_exts_len, NULL, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	format_print(stderr, 0, 4, "ocsp_status_request_len = %zu\n", len);
+	len = 0;
+
+	if (tls_ocsp_status_request_to_bytes(responder_id_list, responder_id_list_len,
+		request_exts, request_exts_len, &p, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	format_bytes(stderr, 0, 4, "ocsp_status_request", buf, len);
+
+	tls_ocsp_status_request_print(stderr, 0, 0, "ocsp_status_request", buf, len);
+
+	if (tls_ocsp_status_request_from_bytes(&responder_id_list, &responder_id_list_len,
+		&request_exts, &request_exts_len, &cp, &len) != 1
+		|| tls_length_is_zero(len) != 1) {
+		error_print();
+		return -1;
+	}
+	//format_bytes(stderr, 0, 4, "responder_id_list", responder_id_list, responder_id_list_len);
+	//format_bytes(stderr, 0, 4, "request_exts", request_exts, request_exts_len);
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+static int test_tls_client_status_request_ext(void)
+{
+	uint8_t buf[256];
+	uint8_t *p = buf;
+	const uint8_t *cp = buf;
+	size_t len = 0;
+
+	int ext_type;
+	const uint8_t *ext_data;
+	size_t ext_datalen;
+
+	int status_type = 0;
+	const uint8_t *responder_id_list = NULL;
+	size_t responder_id_list_len = 0;
+	const uint8_t *request_exts = NULL;
+	size_t request_exts_len = 0;
+
+	if (tls_client_status_request_ext_to_bytes(TLS_certificate_status_type_ocsp,
+		responder_id_list, responder_id_list_len,
+		request_exts, request_exts_len, NULL, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	format_print(stderr, 0, 4, "tls_client_status_request_ext_len = %zu\n", len);
+	len = 0;
+
+	if (tls_client_status_request_ext_to_bytes(TLS_certificate_status_type_ocsp,
+		responder_id_list, responder_id_list_len,
+		request_exts, request_exts_len, &p, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	format_bytes(stderr, 0, 0, "status_request_ext", buf, len);
+
+	if (tls_ext_from_bytes(&ext_type, &ext_data, &ext_datalen, &cp, &len) != 1
+		|| tls_length_is_zero(len) != 1) {
+		error_print();
+		return -1;
+	}
+	if (ext_type != TLS_extension_status_request) {
+		error_print();
+		return -1;
+	}
+	tls_client_status_request_print(stderr, 0, 4, ext_data, ext_datalen);
+
+	if (tls_client_status_request_from_bytes(&status_type,
+		&responder_id_list, &responder_id_list_len,
+		&request_exts, &request_exts_len, ext_data, ext_datalen) != 1) {
+		error_print();
+		return -1;
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+int main(void)
+{
+	if (test_tls_ocsp_status_request() != 1) goto err;
+	if (test_tls_client_status_request_ext() != 1) goto err;
+	printf("%s all tests passed\n", __FILE__);
+	return 0;
+err:
+	error_print();
+	return -1;
+}