abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-06-19 19:33:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add trusted_ca_keys to TLS1.2/TLCP

Browse Source
This commit is contained in:
Zhi Guan
2026-06-12 10:24:32 +08:00
parent b1f670c6c6
commit dbbee6dbe0
9 changed files with 555 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
tools/tlcp_client.c
View File

@@ -25,6 +25,7 @@ static const char *usage =
" [-outcerts file]"
" [-get path]"
" [-alpn str]"
" [-trusted_ca_keys]"
" [-quiet]";
static const char *help =
@@ -44,6 +45,7 @@ static const char *help =
" -get path Send a GET request with given path of URI\n"
" -outcerts file Save server certificates to a PEM file\n"
" -server_name str Send server_name (SNI) request\n"
" -trusted_ca_keys Send trusted_ca_keys request\n"
" -alpn str Application protocol name, may appear multiple times, higher priority first\n"
" -status_request Send status_request (OCSP Stapling) request\n"
" -quiet Without printing any status message\n"
@@ -71,6 +73,7 @@ int tlcp_client_main(int argc, char *argv[])
char *keyfile = NULL;
char *pass = NULL;
char *server_name = NULL;
int trusted_ca_keys = 0;
char *alpn_protocols[4];
size_t alpn_protocols_cnt = 0;
int client_cert_optional = 0;
@@ -169,6 +172,8 @@ int tlcp_client_main(int argc, char *argv[])
} else if (!strcmp(*argv, "-server_name")) {
if (--argc < 1) goto bad;
server_name = *(++argv);
} else if (!strcmp(*argv, "-trusted_ca_keys")) {
trusted_ca_keys = 1;
} else if (!strcmp(*argv, "-alpn")) {
if (alpn_protocols_cnt >= sizeof(alpn_protocols)/sizeof(alpn_protocols[0])) {
fprintf(stderr, "%s: too many -alpn options\n", prog);
@@ -224,6 +229,13 @@ bad:
goto end;
}
if (trusted_ca_keys) {
if (tls_ctx_enable_trusted_ca_keys(&ctx, 1) != 1) {
error_print();
goto end;
}
}
if (alpn_protocols_cnt) {
if (tls_ctx_set_application_layer_protocol_negotiation(&ctx,
alpn_protocols, alpn_protocols_cnt) != 1) {

13
tools/tls12_client.c
View File

@@ -23,7 +23,7 @@ static const char *http_get =
"Hostname: aaa\r\n"
"\r\n\r\n";
static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file -pass str]";
static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file -pass str] [-trusted_ca_keys]";
static const char *help =
"Options\n"
@@ -40,6 +40,7 @@ static const char *help =
" -pass str Password to decrypt private key\n"
" -client_cert_optional Allow client send empty Certificate\n"
" -server_name str Send server_name (SNI) request\n"
" -trusted_ca_keys Send trusted_ca_keys request\n"
" -renegotiation_info Send renegotiation_info extension\n"
" -renegotiation_info_scsv\n"
" Send TLS_EMPTY_RENEGOTIATION_INFO_SCSV\n"
@@ -67,6 +68,7 @@ int tls12_client_main(int argc, char *argv[])
char *pass = NULL;
int client_cert_optional = 0;
char *server_name = NULL;
int trusted_ca_keys = 0;
int renegotiation_info = 0;
int empty_renegotiation_info_scsv = 0;
TLS_CTX ctx;
@@ -160,6 +162,8 @@ int tls12_client_main(int argc, char *argv[])
} else if (!strcmp(*argv, "-server_name")) {
if (--argc < 1) goto bad;
server_name = *(++argv);
} else if (!strcmp(*argv, "-trusted_ca_keys")) {
trusted_ca_keys = 1;
} else if (!strcmp(*argv, "-renegotiation_info")) {
renegotiation_info = 1;
} else if (!strcmp(*argv, "-renegotiation_info_scsv")) {
@@ -202,6 +206,13 @@ bad:
goto end;
}
if (trusted_ca_keys) {
if (tls_ctx_enable_trusted_ca_keys(&ctx, 1) != 1) {
error_print();
goto end;
}
}
if (cacertfile) {
if (tls_ctx_set_ca_certificates(&ctx, cacertfile, verify_depth) != 1) {
fprintf(stderr, "%s: failed to load CA certificate\n", prog);