From c47ae26730e93c74bc411b0f56b455672e495675 Mon Sep 17 00:00:00 2001
From: Zhi Guan
Date: Sat, 20 Jun 2026 16:13:41 +0800
Subject: [PATCH] FIX TLS 1.2 renegotiation_info
---
 CMakeLists.txt | 10 +++++++++-
 cmake/openssl_interop_commands.cmake | 24 +++++++++++++++++++++++-
 cmake/tls12_commands.cmake | 16 ++++++++++++++++
 include/gmssl/version.h | 2 +-
 src/tls12.c | 12 ++++++++----
 tools/tls12_server.c | 2 +-
 6 files changed, 58 insertions(+), 8 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index bae0be19..01ce2c4b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -766,6 +766,8 @@ if(ENABLE_TLS AND NOT WIN32)
 add_test(NAME tls12_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
 add_test(NAME tls12_sm4_cbc_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_cbc_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
 add_test(NAME tls12_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
+ add_test(NAME tls12_sm4_gcm_renegotiation_info COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_renegotiation_info -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
+ add_test(NAME tls12_sm4_gcm_renegotiation_info_scsv COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_renegotiation_info_scsv -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
 add_test(NAME tls13_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
 add_test(NAME tls13_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
 add_test(NAME tls13_hrr_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_hrr_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
@@ -779,6 +781,8 @@ if(ENABLE_TLS AND NOT WIN32)
 tls12_sm4_gcm_sni
 tls12_sm4_cbc_sni
 tls12_sm4_gcm_client_cert
+ tls12_sm4_gcm_renegotiation_info
+ tls12_sm4_gcm_renegotiation_info_scsv
 tls13_sm4_gcm_sni
 tls13_sm4_gcm_client_cert
 tls13_hrr_sm4_gcm
@@ -793,6 +797,8 @@ if(ENABLE_TLS AND NOT WIN32)
 PROPERTIES DISABLED TRUE)
 if(OPENSSL_EXECUTABLE AND GMSSL_OPENSSL_INTEROP_ENABLED)
 add_test(NAME tls12_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+ add_test(NAME tls12_openssl_server_renegotiation_info COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server_renegotiation_info -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+ add_test(NAME tls12_openssl_server_renegotiation_info_scsv COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server_renegotiation_info_scsv -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
 add_test(NAME tls12_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
 add_test(NAME tls13_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
 add_test(NAME tls13_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
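Review bot: The new renegotiation_info tests may be registered but never run: in the -779 hunk their names join a test-name list, and the following -793 hunk opens with `PROPERTIES DISABLED TRUE)`, which looks like the tail of the same `set_tests_properties(...)` call. The call's opening line and whatever condition guards it sit between the two hunks and are not visible, so this is inferred rather than shown. Since these are the regression tests for a TLS handshake fix, it is worth confirming that CI builds a configuration where they are enabled, and recording that above the list, e.g. `# Disabled only when <condition>; the RFC 5746 cases must run in CI`.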
@@ -803,6 +809,8 @@ if(ENABLE_TLS AND NOT WIN32)
 add_test(NAME tls13_psk_only_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_psk_only_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
 set_tests_properties(
 tls12_openssl_server
+ tls12_openssl_server_renegotiation_info
+ tls12_openssl_server_renegotiation_info_scsv
 tls12_openssl_client
 tls13_openssl_server
 tls13_openssl_client
@@ -831,7 +839,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1118")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1119")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/cmake/openssl_interop_commands.cmake b/cmake/openssl_interop_commands.cmake
index 027018ee..828c2bd3 100644
--- a/cmake/openssl_interop_commands.cmake
+++ b/cmake/openssl_interop_commands.cmake
@@ -32,10 +32,32 @@ if(TEST_CASE STREQUAL tls12_openssl_server)
 SERVER_COMMAND "${SERVER_COMMAND}"
 CLIENT_COMMAND "${CLIENT_COMMAND}"
 EXPECT_CLIENT_LOG "Connection established")
+elseif(TEST_CASE STREQUAL tls12_openssl_server_renegotiation_info)
+ set(TEST_NAME tls12_openssl_server_renegotiation_info)
+ set(TEST_PORT 4459)
+ set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256_tls_server_cert.pem -cert_chain p256_tls_server_cert_chain.pem -key p256_tls_server_key.exp -tls1_2 -cipher ECDHE-ECDSA-AES128-SHA256 -named_curve prime256v1 -www -naccept 1 -quiet")
+ set(CLIENT_COMMAND "bin/gmssl tls12_client -host 127.0.0.1 -port ${TEST_PORT} -server_name localhost -cacert p256_root_ca_cert.pem -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -renegotiation_info -get /")
+ gmssl_run_command_interop_test(
+ TEST_NAME ${TEST_NAME}
+ PORT ${TEST_PORT}
+ SERVER_COMMAND "${SERVER_COMMAND}"
+ CLIENT_COMMAND "${CLIENT_COMMAND}"
+ EXPECT_CLIENT_LOG "Connection established")
+elseif(TEST_CASE STREQUAL tls12_openssl_server_renegotiation_info_scsv)
+ set(TEST_NAME tls12_openssl_server_renegotiation_info_scsv)
+ set(TEST_PORT 4460)
+ set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256_tls_server_cert.pem -cert_chain p256_tls_server_cert_chain.pem -key p256_tls_server_key.exp -tls1_2 -cipher ECDHE-ECDSA-AES128-SHA256 -named_curve prime256v1 -www -naccept 1 -quiet")
+ set(CLIENT_COMMAND "bin/gmssl tls12_client -host 127.0.0.1 -port ${TEST_PORT} -server_name localhost -cacert p256_root_ca_cert.pem -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -renegotiation_info_scsv -get /")
+ gmssl_run_command_interop_test(
+ TEST_NAME ${TEST_NAME}
+ PORT ${TEST_PORT}
+ SERVER_COMMAND "${SERVER_COMMAND}"
+ CLIENT_COMMAND "${CLIENT_COMMAND}"
+ EXPECT_CLIENT_LOG "Connection established")
 elseif(TEST_CASE STREQUAL tls12_openssl_client)
 set(TEST_NAME tls12_openssl_client)
 set(TEST_PORT 4451)
- set(SERVER_COMMAND "bin/gmssl tls12_server -port ${TEST_PORT} -cert p256_tls_server_certs.pem -key p256_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -renegotiation_info")
+ set(SERVER_COMMAND "bin/gmssl tls12_server -port ${TEST_PORT} -cert p256_tls_server_certs.pem -key p256_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256")
 set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_2 -CAfile p256_root_ca_cert.pem -cipher ECDHE-ECDSA-AES128-SHA256 -groups prime256v1 -servername localhost -brief")
 gmssl_run_command_interop_test(
 TEST_NAME ${TEST_NAME}
diff --git a/cmake/tls12_commands.cmake b/cmake/tls12_commands.cmake
index c33b9bfb..9399afce 100644
--- a/cmake/tls12_commands.cmake
+++ b/cmake/tls12_commands.cmake
@@ -15,6 +15,18 @@ if(TEST_CASE STREQUAL tls12_sm4_gcm_sni)
 set(TEST_PORT 4434)
 set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3)
 set(TEST_CLIENT_CERT OFF)
+elseif(TEST_CASE STREQUAL tls12_sm4_gcm_renegotiation_info)
+ set(TEST_NAME tls12_sm4_gcm_renegotiation_info)
+ set(TEST_PORT 4461)
+ set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3)
+ set(TEST_CLIENT_CERT OFF)
+ set(TEST_RENEGOTIATION_ARG -renegotiation_info)
+elseif(TEST_CASE STREQUAL tls12_sm4_gcm_renegotiation_info_scsv)
+ set(TEST_NAME tls12_sm4_gcm_renegotiation_info_scsv)
+ set(TEST_PORT 4462)
+ set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3)
+ set(TEST_CLIENT_CERT OFF)
+ set(TEST_RENEGOTIATION_ARG -renegotiation_info_scsv)
 elseif(TEST_CASE STREQUAL tls12_sm4_cbc_sni)
 set(TEST_NAME tls12_sm4_cbc_sni)
 set(TEST_PORT 4432)
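Review bot: Both new cases in the -32 hunk of cmake/openssl_interop_commands.cmake assert only `EXPECT_CLIENT_LOG "Connection established"`, the same string as the baseline tls12_openssl_server case in the context lines, so they would still pass if the client never put the renegotiation_info extension or the SCSV on the wire, or if the peer ignored it. The tls12_openssl_client case, whose server command loses `-renegotiation_info` here, is now the interop check for the automatic server response, but its expectations lie below the hunk. Consider matching a log line that appears only when the RFC 5746 signal was sent and acknowledged. Whether gmssl_run_command_interop_test can match more than one string cannot be seen from here, as it is defined outside the hunk. A short comment above the two branches, such as `# RFC 5746: client signals via extension (first case) or SCSV (second case)`, would also make the near-identical blocks easier to tell apart.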
@@ -50,6 +62,10 @@ set(TEST_CLIENT_ARGS -sig_alg sm2sig_sm3 -in ${TEST_NAME}_message.txt) +if(TEST_RENEGOTIATION_ARG) + list(APPEND TEST_CLIENT_ARGS ${TEST_RENEGOTIATION_ARG}) +endif() + if(TEST_CLIENT_CERT) list(APPEND TEST_SERVER_ARGS -cacert sm2_root_ca_cert.pem diff --git a/include/gmssl/version.h b/include/gmssl/version.h index a4cbf6fd..1e9ae0e2 100644 --- a/include/gmssl/version.h +++ b/include/gmssl/version.h @@ -18,7 +18,7 @@ extern "C" { #define GMSSL_VERSION_NUM 30200 -#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1118" +#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1119" int gmssl_version_num(void); const char *gmssl_version_str(void); diff --git a/src/tls12.c b/src/tls12.c index 5783394c..00ef01b1 100644 --- a/src/tls12.c +++ b/src/tls12.c @@ -1660,7 +1660,7 @@ int tls_recv_server_hello_done(TLS_CONNECT *conn) int tls_send_client_certificate(TLS_CONNECT *conn) { int ret; - if(conn->verbose) tls_trace("send ClientCertificate\n"); + if(conn->verbose) tls_trace("send client Certificate\n"); if (conn->client_certs_len == 0) { error_print(); @@ -1917,6 +1917,9 @@ int tls_recv_server_finished(TLS_CONNECT *conn) return -1; } + if (conn->verbose) + tls_trace("recv server {Finished}\n"); + // Finished if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -2177,7 +2180,8 @@ int tls_recv_client_hello(TLS_CONNECT *conn) return -1; } } - if (conn->ctx->renegotiation_info && (renegotiation_info || empty_renegotiation_info_scsv)) { + // RFC 5746 signaling is supported for the initial handshake only. + if (renegotiation_info || empty_renegotiation_info_scsv) { conn->secure_renegotiation = 1; } @@ -2441,7 +2445,7 @@ int tls_send_server_certificate(TLS_CONNECT *conn) { int ret; - if (conn->verbose) tls_trace("send ServerCertificate\n"); + if (conn->verbose) tls_trace("send server Certificate\n"); if (conn->recordlen == 0) { if (tls_record_set_handshake_certificate(conn->record, &conn->recordlen, 
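Review bot: In the -2177 hunk of src/tls12.c, `conn->secure_renegotiation = 1` is now set for every ClientHello that carries the extension or the SCSV, so the RFC 5746 section 3.6 check that `renegotiated_connection` is empty on an initial handshake has to happen in the extension parsing above the hunk, which is not visible here. If that check is missing, a non-empty value would be acknowledged instead of aborting the handshake with handshake_failure. The added comment says signaling covers the initial handshake only; it would be clearer if it also named where that is enforced, for example `// RFC 5746 3.6: initial handshake only; renegotiated_connection must be empty (checked above).` once confirmed. tls_recv_client_hello starts and ends outside the hunk.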
@@ -2662,7 +2666,7 @@ int tls_recv_client_certificate(TLS_CONNECT *conn) int ret; int verify_result = 0; - if(conn->verbose) tls_trace("recv ClientCertificate\n"); + if(conn->verbose) tls_trace("recv client Certificate\n"); if (conn->ctx->cacertslen == 0) { error_print(); diff --git a/tools/tls12_server.c b/tools/tls12_server.c index ba46ae0f..d86a7f93 100644 --- a/tools/tls12_server.c +++ b/tools/tls12_server.c @@ -33,7 +33,7 @@ static const char *help = " -cacert pem CA certificate for client certificate verification\n" " -verify_depth num Certificate verification depth\n" " -client_cert_optional Allow client send empty Certificate\n" -" -renegotiation_info Send renegotiation_info response when client supports RFC 5746\n" +" -renegotiation_info Accepted for compatibility; RFC 5746 response is automatic\n" " -verbose Print TLS handshake messages\n" "\n" #include "tls12_help.h"