From c23e1175373fe73f3cb5e3172bde57320fdc4d66 Mon Sep 17 00:00:00 2001 From: Zhi Guan Date: Thu, 30 Apr 2026 11:23:49 +0800 Subject: [PATCH] Update TLS 1.3 Full handshake is ok --- CMakeLists.txt | 1 + include/gmssl/tls.h | 2 +- src/tls13.c | 19 +++++-- src/tls_ocsp.c | 115 +++++++++++++++++++++----------------- src/tls_sct.c | 3 +- tests/tls_ocsptest.c | 130 +++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 212 insertions(+), 58 deletions(-) create mode 100644 tests/tls_ocsptest.c diff --git a/CMakeLists.txt b/CMakeLists.txt index 48eaee55..9f87028c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -227,6 +227,7 @@ set(tests cms tls tls13 + tls_ocsp ) diff --git a/include/gmssl/tls.h b/include/gmssl/tls.h index 0032889f..86fb53f6 100644 --- a/include/gmssl/tls.h +++ b/include/gmssl/tls.h @@ -1810,7 +1810,7 @@ int tls_signed_certificate_timestamp_ext_to_bytes(const uint8_t *sct_list, size_ int tls_signed_certificate_timestamp_from_bytes(const uint8_t **sct_list, size_t *sct_list_len, const uint8_t **in, size_t *inlen); int tls_signed_certificate_timestamp_print(FILE *fp, int fmt, int ind, - const char *label, const uint8_t *d, size_t dlen); + const uint8_t *d, size_t dlen); diff --git a/src/tls13.c b/src/tls13.c index 4a46937c..3d98325c 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -1789,10 +1789,9 @@ int tls13_client_hello_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_ tls_server_name_print(fp, fmt, ind + 4, ext_data, ext_datalen); break; case TLS_extension_status_request: - // tls_client_status_request_print(fp, fmt, ind + 4, ext_data, ext_datalen); + tls_client_status_request_print(fp, fmt, ind + 4, ext_data, ext_datalen); break; case TLS_extension_signed_certificate_timestamp: - format_print(fp, fmt, ind + 4, "signed_certificate_timestamp\n"); format_bytes(fp, fmt, ind + 4, "data", ext_data, ext_datalen); // should be empty break; case TLS_extension_supported_groups: @@ -1828,7 +1827,7 @@ int tls13_client_hello_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_ break; default: format_bytes(fp, fmt, ind + 4, "data", ext_data, ext_datalen); - //error_print(); + error_print(); //return -1; } } @@ -1917,6 +1916,7 @@ int tls13_server_hello_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_ break; default: format_bytes(fp, fmt, ind + 4, "raw_data", ext_data, ext_datalen); + error_print(); return -1; } } @@ -2176,8 +2176,11 @@ int tls13_encrypted_extensions_print(FILE *fp, int fmt, int ind, const uint8_t * case TLS_extension_heartbeat: case TLS_extension_application_layer_protocol_negotiation: case TLS_extension_record_size_limit: + format_bytes(fp, fmt, ind + 4, "data", ext_data, ext_datalen); + break; default: - format_bytes(fp, fmt, ind, "raw_data", ext_data, ext_datalen); + format_bytes(fp, fmt, ind + 4, "data", ext_data, ext_datalen); + error_print(); } } if (dlen) { @@ -2247,13 +2250,19 @@ int tls13_certificate_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_t switch (ext_type) { case TLS_extension_status_request: + tls_server_status_request_print(fp, fmt, ind + 4, ext_data, ext_datalen); + break; case TLS_extension_signed_certificate_timestamp: + tls_signed_certificate_timestamp_print(fp, fmt, ind + 4, ext_data, ext_datalen); + break; case TLS_extension_server_certificate_type: case TLS_extension_client_certificate_type: + format_bytes(fp, fmt, ind, "data", ext_data, ext_datalen); break; default: + format_bytes(fp, fmt, ind, "data", ext_data, ext_datalen); error_print(); - return -1; + //return -1; } } } diff --git a/src/tls_ocsp.c b/src/tls_ocsp.c index b3da111e..901e31fd 100644 --- a/src/tls_ocsp.c +++ b/src/tls_ocsp.c @@ -50,18 +50,12 @@ int tls_ocsp_status_request_to_bytes( const uint8_t *request_exts, size_t request_exts_len, // optinoal uint8_t **out, size_t *outlen) { - uint8_t **pp = out; - size_t request_len = 0; - size_t len; - if (!outlen) { error_print(); return -1; } - tls_uint16_to_bytes(0, out, &len); - tls_uint16array_to_bytes(responder_id_list, responder_id_list_len, out, &request_len); - tls_uint16array_to_bytes(request_exts, request_exts_len, out, &request_len); - tls_uint16array_to_bytes(NULL, request_len, pp, outlen); + tls_uint16array_to_bytes(responder_id_list, responder_id_list_len, out, outlen); + tls_uint16array_to_bytes(request_exts, request_exts_len, out, outlen); return 1; } @@ -73,35 +67,20 @@ int tls_ocsp_status_request_from_bytes( const uint8_t *request; size_t request_len; - if (!responder_id_list || !responder_id_list_len || !request_exts || !request_exts_len - || !in || !(*in) || !inlen) { + if (!in || !(*in) || !inlen) { error_print(); return -1; } - if (tls_uint16array_from_bytes(&request, &request_len, in, inlen) != 1) { - error_print(); - return -1; - } - if (!request) { - *responder_id_list = NULL; - *responder_id_list_len = 0; - *request_exts = NULL; - *request_exts_len = 0; - return 1; - } - if (tls_uint16array_from_bytes(responder_id_list, responder_id_list_len, &request, &request_len) != 1 - || tls_uint16array_from_bytes(request_exts, request_exts_len, &request, &request_len) != 1 - || tls_length_is_zero(request_len) != 1) { + if (tls_uint16array_from_bytes(responder_id_list, responder_id_list_len, in, inlen) != 1 + || tls_uint16array_from_bytes(request_exts, request_exts_len, in, inlen) != 1) { error_print(); return -1; } return 1; } -int tls_ocsp_status_request_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *ext_data, size_t ext_datalen) +int tls_ocsp_status_request_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *request, size_t request_len) { - const uint8_t *request; - size_t request_len; const uint8_t *responder_id_list; size_t responder_id_list_len; const uint8_t *request_exts; @@ -110,16 +89,8 @@ int tls_ocsp_status_request_print(FILE *fp, int fmt, int ind, const char *label, format_print(fp, fmt, ind, "%s\n", label); ind += 4; - if (tls_uint16array_from_bytes(&request, &request_len, &ext_data, &ext_datalen) != 1) { - error_print(); - return -1; - } if (!request) { format_print(fp, fmt, ind, "(null)\n"); - if (ext_datalen) { - format_print(fp, fmt, ind, "error: left %zu bytes\n", ext_datalen); - return -1; - } return 1; } @@ -148,7 +119,7 @@ int tls_ocsp_status_request_print(FILE *fp, int fmt, int ind, const char *label, error_print(); return -1; } - // print + // TODO: print } return 1; } @@ -160,9 +131,13 @@ int tls_client_status_request_ext_to_bytes(int status_type, { int ext_type = TLS_extension_status_request; size_t ext_datalen = 0; - uint8_t **pp = out; + uint8_t request[256]; + size_t request_len = 0; + uint8_t *p; + uint8_t **pp = NULL; size_t len; + if (!outlen) { error_print(); return -1; @@ -171,10 +146,36 @@ int tls_client_status_request_ext_to_bytes(int status_type, error_print(); return -1; } + + if (responder_id_list && responder_id_list_len + && request_exts && request_exts_len) { + if (tls_ocsp_status_request_to_bytes( + responder_id_list, responder_id_list_len, + request_exts, request_exts_len, NULL, &request_len) != 1) { + error_print(); + return -1; + } + if (request_len > sizeof(request)) { + error_print(); + return -1; + } + p = request; + request_len = 0; + if (tls_ocsp_status_request_to_bytes( + responder_id_list, responder_id_list_len, + request_exts, request_exts_len, &p, &request_len) != 1) { + error_print(); + return -1; + } + } + + if (out) { + p = *out; + pp = &p; + } tls_ext_to_bytes(ext_type, NULL, 0, out, &len); tls_uint8_to_bytes(status_type, out, &ext_datalen); - tls_ocsp_status_request_to_bytes(responder_id_list, responder_id_list_len, - request_exts, request_exts_len, out, &ext_datalen); + tls_uint16array_to_bytes(request, request_len, out, &ext_datalen); tls_ext_to_bytes(ext_type, NULL, ext_datalen, pp, outlen); return 1; } @@ -185,13 +186,21 @@ int tls_client_status_request_from_bytes(int *status_type, const uint8_t *ext_data, size_t ext_datalen) { uint8_t status; + const uint8_t *request; + size_t request_len; if (!status_type || !responder_id_list || !responder_id_list_len - || !request_exts || !request_exts_len || !ext_data || !ext_datalen) { + || !request_exts || !request_exts_len) { error_print(); return -1; } - if (tls_uint8_from_bytes(&status, &ext_data, &ext_datalen) != 1) { + if (!ext_data || !ext_datalen) { + error_print(); + return -1; + } + if (tls_uint8_from_bytes(&status, &ext_data, &ext_datalen) != 1 + || tls_uint16array_from_bytes(&request, &request_len, &ext_data, &ext_datalen) != 1 + || tls_length_is_zero(ext_datalen) != 1) { error_print(); return -1; } @@ -200,11 +209,18 @@ int tls_client_status_request_from_bytes(int *status_type, return -1; } *status_type = status; - if (tls_ocsp_status_request_from_bytes(responder_id_list, responder_id_list_len, - request_exts, request_exts_len, &ext_data, &ext_datalen) != 1 - || tls_length_is_zero(ext_datalen) != 1) { - error_print(); - return -1; + *responder_id_list = NULL; + *responder_id_list_len = 0; + *request_exts = NULL; + *request_exts_len = 0; + if (request) { + if (tls_ocsp_status_request_from_bytes( + responder_id_list, responder_id_list_len, + request_exts, request_exts_len, &request, &request_len) != 1 + || tls_length_is_zero(request_len) != 1) { + error_print(); + return -1; + } } return 1; } @@ -221,11 +237,10 @@ int tls_client_status_request_print(FILE *fp, int fmt, int ind, const uint8_t *e return -1; } format_print(fp, fmt, ind, "status_type: %s (%d)\n", status_type == TLS_certificate_status_type_ocsp ? "ocsp" : NULL, status_type); - - request -= tls_uint16_size(); - request_len += tls_uint16_size(); tls_ocsp_status_request_print(fp, fmt, ind, "request", request, request_len); - + if (ext_datalen) { + format_print(fp, fmt, ind, "left: %zu bytes\n", ext_datalen); + } return 1; } diff --git a/src/tls_sct.c b/src/tls_sct.c index a8b7b0ee..1d1908d0 100644 --- a/src/tls_sct.c +++ b/src/tls_sct.c @@ -101,8 +101,7 @@ int tls_signed_certificate_timestamp_from_bytes(const uint8_t **sct_list, size_t return 1; } -int tls_signed_certificate_timestamp_print(FILE *fp, int fmt, int ind, - const char *label, const uint8_t *d, size_t dlen) +int tls_signed_certificate_timestamp_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_t dlen) { const uint8_t *sct_list; size_t sct_list_len; diff --git a/tests/tls_ocsptest.c b/tests/tls_ocsptest.c new file mode 100644 index 00000000..f4d5ea5a --- /dev/null +++ b/tests/tls_ocsptest.c @@ -0,0 +1,130 @@ +/* + * Copyright 2014-2026 The GmSSL Project. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the License); you may + * not use this file except in compliance with the License. + * + * http://www.apache.org/licenses/LICENSE-2.0 + */ + + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static int test_tls_ocsp_status_request(void) +{ + uint8_t buf[256]; + uint8_t *p = buf; + const uint8_t *cp = buf; + size_t len = 0; + + const uint8_t *responder_id_list = NULL; + size_t responder_id_list_len = 0; + const uint8_t *request_exts = NULL; + size_t request_exts_len = 0; + + + if (tls_ocsp_status_request_to_bytes(responder_id_list, responder_id_list_len, + request_exts, request_exts_len, NULL, &len) != 1) { + error_print(); + return -1; + } + format_print(stderr, 0, 4, "ocsp_status_request_len = %zu\n", len); + len = 0; + + if (tls_ocsp_status_request_to_bytes(responder_id_list, responder_id_list_len, + request_exts, request_exts_len, &p, &len) != 1) { + error_print(); + return -1; + } + format_bytes(stderr, 0, 4, "ocsp_status_request", buf, len); + + tls_ocsp_status_request_print(stderr, 0, 0, "ocsp_status_request", buf, len); + + if (tls_ocsp_status_request_from_bytes(&responder_id_list, &responder_id_list_len, + &request_exts, &request_exts_len, &cp, &len) != 1 + || tls_length_is_zero(len) != 1) { + error_print(); + return -1; + } + //format_bytes(stderr, 0, 4, "responder_id_list", responder_id_list, responder_id_list_len); + //format_bytes(stderr, 0, 4, "request_exts", request_exts, request_exts_len); + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + +static int test_tls_client_status_request_ext(void) +{ + uint8_t buf[256]; + uint8_t *p = buf; + const uint8_t *cp = buf; + size_t len = 0; + + int ext_type; + const uint8_t *ext_data; + size_t ext_datalen; + + int status_type = 0; + const uint8_t *responder_id_list = NULL; + size_t responder_id_list_len = 0; + const uint8_t *request_exts = NULL; + size_t request_exts_len = 0; + + if (tls_client_status_request_ext_to_bytes(TLS_certificate_status_type_ocsp, + responder_id_list, responder_id_list_len, + request_exts, request_exts_len, NULL, &len) != 1) { + error_print(); + return -1; + } + format_print(stderr, 0, 4, "tls_client_status_request_ext_len = %zu\n", len); + len = 0; + + if (tls_client_status_request_ext_to_bytes(TLS_certificate_status_type_ocsp, + responder_id_list, responder_id_list_len, + request_exts, request_exts_len, &p, &len) != 1) { + error_print(); + return -1; + } + format_bytes(stderr, 0, 0, "status_request_ext", buf, len); + + if (tls_ext_from_bytes(&ext_type, &ext_data, &ext_datalen, &cp, &len) != 1 + || tls_length_is_zero(len) != 1) { + error_print(); + return -1; + } + if (ext_type != TLS_extension_status_request) { + error_print(); + return -1; + } + tls_client_status_request_print(stderr, 0, 4, ext_data, ext_datalen); + + if (tls_client_status_request_from_bytes(&status_type, + &responder_id_list, &responder_id_list_len, + &request_exts, &request_exts_len, ext_data, ext_datalen) != 1) { + error_print(); + return -1; + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + +int main(void) +{ + if (test_tls_ocsp_status_request() != 1) goto err; + if (test_tls_client_status_request_ext() != 1) goto err; + printf("%s all tests passed\n", __FILE__); + return 0; +err: + error_print(); + return -1; +}