mirror of
https://github.com/guanzhi/GmSSL.git
synced 2026-06-27 15:43:42 +08:00
FIX TLS 1.2 renegotiation_info
This commit is contained in:
Zhi Guan
@@ -766,6 +766,8 @@ if(ENABLE_TLS AND NOT WIN32)
|
|||||||
add_test(NAME tls12_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
|
add_test(NAME tls12_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
|
||||||
add_test(NAME tls12_sm4_cbc_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_cbc_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
|
add_test(NAME tls12_sm4_cbc_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_cbc_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
|
||||||
add_test(NAME tls12_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
|
add_test(NAME tls12_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
|
||||||
|
add_test(NAME tls12_sm4_gcm_renegotiation_info COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_renegotiation_info -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
|
||||||
|
add_test(NAME tls12_sm4_gcm_renegotiation_info_scsv COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_renegotiation_info_scsv -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
|
||||||
add_test(NAME tls13_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
|
add_test(NAME tls13_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
|
||||||
add_test(NAME tls13_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
|
add_test(NAME tls13_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
|
||||||
add_test(NAME tls13_hrr_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_hrr_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
|
add_test(NAME tls13_hrr_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_hrr_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
|
||||||
@@ -779,6 +781,8 @@ if(ENABLE_TLS AND NOT WIN32)
|
|||||||
tls12_sm4_gcm_sni
|
tls12_sm4_gcm_sni
|
||||||
tls12_sm4_cbc_sni
|
tls12_sm4_cbc_sni
|
||||||
tls12_sm4_gcm_client_cert
|
tls12_sm4_gcm_client_cert
|
||||||
|
tls12_sm4_gcm_renegotiation_info
|
||||||
|
tls12_sm4_gcm_renegotiation_info_scsv
|
||||||
tls13_sm4_gcm_sni
|
tls13_sm4_gcm_sni
|
||||||
tls13_sm4_gcm_client_cert
|
tls13_sm4_gcm_client_cert
|
||||||
tls13_hrr_sm4_gcm
|
tls13_hrr_sm4_gcm
|
||||||
@@ -793,6 +797,8 @@ if(ENABLE_TLS AND NOT WIN32)
|
|||||||
PROPERTIES DISABLED TRUE)
|
PROPERTIES DISABLED TRUE)
|
||||||
if(OPENSSL_EXECUTABLE AND GMSSL_OPENSSL_INTEROP_ENABLED)
|
if(OPENSSL_EXECUTABLE AND GMSSL_OPENSSL_INTEROP_ENABLED)
|
||||||
add_test(NAME tls12_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
add_test(NAME tls12_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
||||||
|
add_test(NAME tls12_openssl_server_renegotiation_info COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server_renegotiation_info -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
||||||
|
add_test(NAME tls12_openssl_server_renegotiation_info_scsv COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server_renegotiation_info_scsv -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
||||||
add_test(NAME tls12_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
add_test(NAME tls12_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
||||||
add_test(NAME tls13_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
add_test(NAME tls13_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
||||||
add_test(NAME tls13_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
add_test(NAME tls13_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
||||||
@@ -803,6 +809,8 @@ if(ENABLE_TLS AND NOT WIN32)
|
|||||||
add_test(NAME tls13_psk_only_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_psk_only_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
add_test(NAME tls13_psk_only_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_psk_only_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
|
||||||
set_tests_properties(
|
set_tests_properties(
|
||||||
tls12_openssl_server
|
tls12_openssl_server
|
||||||
|
tls12_openssl_server_renegotiation_info
|
||||||
|
tls12_openssl_server_renegotiation_info_scsv
|
||||||
tls12_openssl_client
|
tls12_openssl_client
|
||||||
tls13_openssl_server
|
tls13_openssl_server
|
||||||
tls13_openssl_client
|
tls13_openssl_client
|
||||||
@@ -831,7 +839,7 @@ endif()
|
|||||||
#
|
#
|
||||||
set(CPACK_PACKAGE_NAME "GmSSL")
|
set(CPACK_PACKAGE_NAME "GmSSL")
|
||||||
set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
|
set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
|
||||||
set(CPACK_PACKAGE_VERSION "3.2.0-dev.1118")
|
set(CPACK_PACKAGE_VERSION "3.2.0-dev.1119")
|
||||||
set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
|
set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
|
||||||
set(CPACK_NSIS_MODIFY_PATH ON)
|
set(CPACK_NSIS_MODIFY_PATH ON)
|
||||||
include(CPack)
|
include(CPack)
|
||||||
|
|||||||
@@ -32,10 +32,32 @@ if(TEST_CASE STREQUAL tls12_openssl_server)
|
|||||||
SERVER_COMMAND "${SERVER_COMMAND}"
|
SERVER_COMMAND "${SERVER_COMMAND}"
|
||||||
CLIENT_COMMAND "${CLIENT_COMMAND}"
|
CLIENT_COMMAND "${CLIENT_COMMAND}"
|
||||||
EXPECT_CLIENT_LOG "Connection established")
|
EXPECT_CLIENT_LOG "Connection established")
|
||||||
|
elseif(TEST_CASE STREQUAL tls12_openssl_server_renegotiation_info)
|
||||||
|
set(TEST_NAME tls12_openssl_server_renegotiation_info)
|
||||||
|
set(TEST_PORT 4459)
|
||||||
|
set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256_tls_server_cert.pem -cert_chain p256_tls_server_cert_chain.pem -key p256_tls_server_key.exp -tls1_2 -cipher ECDHE-ECDSA-AES128-SHA256 -named_curve prime256v1 -www -naccept 1 -quiet")
|
||||||
|
set(CLIENT_COMMAND "bin/gmssl tls12_client -host 127.0.0.1 -port ${TEST_PORT} -server_name localhost -cacert p256_root_ca_cert.pem -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -renegotiation_info -get /")
|
||||||
|
gmssl_run_command_interop_test(
|
||||||
|
TEST_NAME ${TEST_NAME}
|
||||||
|
PORT ${TEST_PORT}
|
||||||
|
SERVER_COMMAND "${SERVER_COMMAND}"
|
||||||
|
CLIENT_COMMAND "${CLIENT_COMMAND}"
|
||||||
|
EXPECT_CLIENT_LOG "Connection established")
|
||||||
|
elseif(TEST_CASE STREQUAL tls12_openssl_server_renegotiation_info_scsv)
|
||||||
|
set(TEST_NAME tls12_openssl_server_renegotiation_info_scsv)
|
||||||
|
set(TEST_PORT 4460)
|
||||||
|
set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256_tls_server_cert.pem -cert_chain p256_tls_server_cert_chain.pem -key p256_tls_server_key.exp -tls1_2 -cipher ECDHE-ECDSA-AES128-SHA256 -named_curve prime256v1 -www -naccept 1 -quiet")
|
||||||
|
set(CLIENT_COMMAND "bin/gmssl tls12_client -host 127.0.0.1 -port ${TEST_PORT} -server_name localhost -cacert p256_root_ca_cert.pem -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -renegotiation_info_scsv -get /")
|
||||||
|
gmssl_run_command_interop_test(
|
||||||
|
TEST_NAME ${TEST_NAME}
|
||||||
|
PORT ${TEST_PORT}
|
||||||
|
SERVER_COMMAND "${SERVER_COMMAND}"
|
||||||
|
CLIENT_COMMAND "${CLIENT_COMMAND}"
|
||||||
|
EXPECT_CLIENT_LOG "Connection established")
|
||||||
elseif(TEST_CASE STREQUAL tls12_openssl_client)
|
elseif(TEST_CASE STREQUAL tls12_openssl_client)
|
||||||
set(TEST_NAME tls12_openssl_client)
|
set(TEST_NAME tls12_openssl_client)
|
||||||
set(TEST_PORT 4451)
|
set(TEST_PORT 4451)
|
||||||
set(SERVER_COMMAND "bin/gmssl tls12_server -port ${TEST_PORT} -cert p256_tls_server_certs.pem -key p256_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -renegotiation_info")
|
set(SERVER_COMMAND "bin/gmssl tls12_server -port ${TEST_PORT} -cert p256_tls_server_certs.pem -key p256_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256")
|
||||||
set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_2 -CAfile p256_root_ca_cert.pem -cipher ECDHE-ECDSA-AES128-SHA256 -groups prime256v1 -servername localhost -brief")
|
set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_2 -CAfile p256_root_ca_cert.pem -cipher ECDHE-ECDSA-AES128-SHA256 -groups prime256v1 -servername localhost -brief")
|
||||||
gmssl_run_command_interop_test(
|
gmssl_run_command_interop_test(
|
||||||
TEST_NAME ${TEST_NAME}
|
TEST_NAME ${TEST_NAME}
|
||||||
|
|||||||
@@ -15,6 +15,18 @@ if(TEST_CASE STREQUAL tls12_sm4_gcm_sni)
|
|||||||
set(TEST_PORT 4434)
|
set(TEST_PORT 4434)
|
||||||
set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3)
|
set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3)
|
||||||
set(TEST_CLIENT_CERT OFF)
|
set(TEST_CLIENT_CERT OFF)
|
||||||
|
elseif(TEST_CASE STREQUAL tls12_sm4_gcm_renegotiation_info)
|
||||||
|
set(TEST_NAME tls12_sm4_gcm_renegotiation_info)
|
||||||
|
set(TEST_PORT 4461)
|
||||||
|
set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3)
|
||||||
|
set(TEST_CLIENT_CERT OFF)
|
||||||
|
set(TEST_RENEGOTIATION_ARG -renegotiation_info)
|
||||||
|
elseif(TEST_CASE STREQUAL tls12_sm4_gcm_renegotiation_info_scsv)
|
||||||
|
set(TEST_NAME tls12_sm4_gcm_renegotiation_info_scsv)
|
||||||
|
set(TEST_PORT 4462)
|
||||||
|
set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3)
|
||||||
|
set(TEST_CLIENT_CERT OFF)
|
||||||
|
set(TEST_RENEGOTIATION_ARG -renegotiation_info_scsv)
|
||||||
elseif(TEST_CASE STREQUAL tls12_sm4_cbc_sni)
|
elseif(TEST_CASE STREQUAL tls12_sm4_cbc_sni)
|
||||||
set(TEST_NAME tls12_sm4_cbc_sni)
|
set(TEST_NAME tls12_sm4_cbc_sni)
|
||||||
set(TEST_PORT 4432)
|
set(TEST_PORT 4432)
|
||||||
@@ -50,6 +62,10 @@ set(TEST_CLIENT_ARGS
|
|||||||
-sig_alg sm2sig_sm3
|
-sig_alg sm2sig_sm3
|
||||||
-in ${TEST_NAME}_message.txt)
|
-in ${TEST_NAME}_message.txt)
|
||||||
|
|
||||||
|
if(TEST_RENEGOTIATION_ARG)
|
||||||
|
list(APPEND TEST_CLIENT_ARGS ${TEST_RENEGOTIATION_ARG})
|
||||||
|
endif()
|
||||||
|
|
||||||
if(TEST_CLIENT_CERT)
|
if(TEST_CLIENT_CERT)
|
||||||
list(APPEND TEST_SERVER_ARGS
|
list(APPEND TEST_SERVER_ARGS
|
||||||
-cacert sm2_root_ca_cert.pem
|
-cacert sm2_root_ca_cert.pem
|
||||||
|
|||||||
@@ -18,7 +18,7 @@ extern "C" {
|
|||||||
|
|
||||||
|
|
||||||
#define GMSSL_VERSION_NUM 30200
|
#define GMSSL_VERSION_NUM 30200
|
||||||
#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1118"
|
#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1119"
|
||||||
|
|
||||||
int gmssl_version_num(void);
|
int gmssl_version_num(void);
|
||||||
const char *gmssl_version_str(void);
|
const char *gmssl_version_str(void);
|
||||||
|
|||||||
12
src/tls12.c
12
src/tls12.c
@@ -1660,7 +1660,7 @@ int tls_recv_server_hello_done(TLS_CONNECT *conn)
|
|||||||
int tls_send_client_certificate(TLS_CONNECT *conn)
|
int tls_send_client_certificate(TLS_CONNECT *conn)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
if(conn->verbose) tls_trace("send ClientCertificate\n");
|
if(conn->verbose) tls_trace("send client Certificate\n");
|
||||||
|
|
||||||
if (conn->client_certs_len == 0) {
|
if (conn->client_certs_len == 0) {
|
||||||
error_print();
|
error_print();
|
||||||
@@ -1917,6 +1917,9 @@ int tls_recv_server_finished(TLS_CONNECT *conn)
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (conn->verbose)
|
||||||
|
tls_trace("recv server {Finished}\n");
|
||||||
|
|
||||||
// Finished
|
// Finished
|
||||||
if ((ret = tls_recv_record(conn)) != 1) {
|
if ((ret = tls_recv_record(conn)) != 1) {
|
||||||
if (ret != TLS_ERROR_RECV_AGAIN) {
|
if (ret != TLS_ERROR_RECV_AGAIN) {
|
||||||
@@ -2177,7 +2180,8 @@ int tls_recv_client_hello(TLS_CONNECT *conn)
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (conn->ctx->renegotiation_info && (renegotiation_info || empty_renegotiation_info_scsv)) {
|
// RFC 5746 signaling is supported for the initial handshake only.
|
||||||
|
if (renegotiation_info || empty_renegotiation_info_scsv) {
|
||||||
conn->secure_renegotiation = 1;
|
conn->secure_renegotiation = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2441,7 +2445,7 @@ int tls_send_server_certificate(TLS_CONNECT *conn)
|
|||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
if (conn->verbose) tls_trace("send ServerCertificate\n");
|
if (conn->verbose) tls_trace("send server Certificate\n");
|
||||||
|
|
||||||
if (conn->recordlen == 0) {
|
if (conn->recordlen == 0) {
|
||||||
if (tls_record_set_handshake_certificate(conn->record, &conn->recordlen,
|
if (tls_record_set_handshake_certificate(conn->record, &conn->recordlen,
|
||||||
@@ -2662,7 +2666,7 @@ int tls_recv_client_certificate(TLS_CONNECT *conn)
|
|||||||
int ret;
|
int ret;
|
||||||
int verify_result = 0;
|
int verify_result = 0;
|
||||||
|
|
||||||
if(conn->verbose) tls_trace("recv ClientCertificate\n");
|
if(conn->verbose) tls_trace("recv client Certificate\n");
|
||||||
|
|
||||||
if (conn->ctx->cacertslen == 0) {
|
if (conn->ctx->cacertslen == 0) {
|
||||||
error_print();
|
error_print();
|
||||||
|
|||||||
@@ -33,7 +33,7 @@ static const char *help =
|
|||||||
" -cacert pem CA certificate for client certificate verification\n"
|
" -cacert pem CA certificate for client certificate verification\n"
|
||||||
" -verify_depth num Certificate verification depth\n"
|
" -verify_depth num Certificate verification depth\n"
|
||||||
" -client_cert_optional Allow client send empty Certificate\n"
|
" -client_cert_optional Allow client send empty Certificate\n"
|
||||||
" -renegotiation_info Send renegotiation_info response when client supports RFC 5746\n"
|
" -renegotiation_info Accepted for compatibility; RFC 5746 response is automatic\n"
|
||||||
" -verbose Print TLS handshake messages\n"
|
" -verbose Print TLS handshake messages\n"
|
||||||
"\n"
|
"\n"
|
||||||
#include "tls12_help.h"
|
#include "tls12_help.h"
|
||||||
|
|||||||
Reference in New Issue
Block a user