mirror of
https://github.com/guanzhi/GmSSL.git
synced 2026-05-07 00:46:17 +08:00
Fix last commit bug in TLS cert_verify
@@ -71,6 +71,12 @@ set(src
|
||||
src/tls13.c
|
||||
)
|
||||
|
||||
option(ENABLE_TLS_DEBUG "Enable TLS and TLCP print debug message" OFF)
|
||||
if (ENABLE_TLS_DEBUG)
|
||||
add_definitions(-DTLS_DEBUG)
|
||||
endif()
|
||||
|
||||
|
||||
option(ENABLE_SM3_AVX_BMI2 "Enable SM3 AVX+BMI2 assembly implementation" OFF)
|
||||
if (ENABLE_SM3_AVX_BMI2)
|
||||
enable_language(ASM)
|
||||
|
||||
42
src/tlcp.c
42
src/tlcp.c
@@ -427,24 +427,19 @@ int tlcp_do_connect(TLS_CONNECT *conn)
|
||||
// send CertificateVerify
|
||||
if (conn->client_certs_len) {
|
||||
tls_trace("send CertificateVerify\n");
|
||||
uint8_t sigbuf[2 + SM2_MAX_SIGNATURE_SIZE];
|
||||
memset(sigbuf, 0, 2 + SM2_MAX_SIGNATURE_SIZE);
|
||||
SM3_CTX cert_verify_ctx;
|
||||
uint8_t cert_verify_hash[SM3_DIGEST_SIZE] = {0};
|
||||
memset(&cert_verify_ctx, 0, sizeof(SM3_CTX));
|
||||
memset(cert_verify_hash, 0, SM3_DIGEST_SIZE);
|
||||
memcpy(&cert_verify_ctx, &sm3_ctx, sizeof(sm3_ctx));
|
||||
sm3_finish(&cert_verify_ctx, cert_verify_hash);
|
||||
sm2_sign_init(&sign_ctx, &conn->sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH);
|
||||
sm2_sign_update(&sign_ctx, cert_verify_hash, SM3_DIGEST_SIZE);
|
||||
if (sm2_sign_finish(&sign_ctx, sigbuf+2, &siglen) != 1) {
|
||||
|
||||
SM3_CTX cert_verify_sm3_ctx = sm3_ctx;
|
||||
uint8_t cert_verify_hash[SM3_DIGEST_SIZE];
|
||||
uint8_t sigbuf[SM2_MAX_SIGNATURE_SIZE];
|
||||
|
||||
sm3_finish(&cert_verify_sm3_ctx, cert_verify_hash);
|
||||
if (sm2_sign_init(&sign_ctx, &conn->sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1
|
||||
|| sm2_sign_update(&sign_ctx, cert_verify_hash, SM3_DIGEST_SIZE) != 1
|
||||
|| sm2_sign_finish(&sign_ctx, sigbuf, &siglen) != 1) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_internal_error);
|
||||
goto end;
|
||||
}
|
||||
sigbuf[0] = siglen >> 8;
|
||||
sigbuf[1] = siglen ;
|
||||
siglen += 2;
|
||||
if (tls_record_set_handshake_certificate_verify(record, &recordlen, sigbuf, siglen) != 1) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_internal_error);
|
||||
@@ -608,6 +603,7 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
|
||||
// ClientCertificate, CertificateVerify
|
||||
SM2_KEY client_sign_key;
|
||||
SM2_SIGN_CTX verify_ctx;
|
||||
const uint8_t *sig;
|
||||
const int verify_depth = 5;
|
||||
int verify_result;
|
||||
@@ -834,6 +830,9 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
// recv CertificateVerify
|
||||
if (client_verify) {
|
||||
tls_trace("recv CertificateVerify\n");
|
||||
SM3_CTX cert_verify_sm3_ctx = sm3_ctx;
|
||||
uint8_t cert_verify_hash[SM3_DIGEST_SIZE];
|
||||
|
||||
if (tls_record_recv(record, &recordlen, conn->sock) != 1
|
||||
|| tls_record_protocol(record) != TLS_protocol_tlcp) {
|
||||
tls_send_alert(conn, TLS_alert_unexpected_message);
|
||||
@@ -852,16 +851,11 @@ int tlcp_do_accept(TLS_CONNECT *conn)
|
||||
tls_send_alert(conn, TLS_alert_bad_certificate);
|
||||
goto end;
|
||||
}
|
||||
SM3_CTX cert_verify_ctx;
|
||||
SM2_SIGN_CTX sm2_ctx;
|
||||
uint8_t cert_verify_hash[SM3_DIGEST_SIZE] = {0};
|
||||
memset(&cert_verify_ctx, 0, sizeof(SM3_CTX));
|
||||
memset(cert_verify_hash, 0, SM3_DIGEST_SIZE);
|
||||
memcpy(&cert_verify_ctx, &sm3_ctx, sizeof(sm3_ctx));
|
||||
sm3_finish(&cert_verify_ctx, cert_verify_hash);
|
||||
sm2_verify_init(&sm2_ctx, &client_sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH);
|
||||
sm2_verify_update(&sm2_ctx, cert_verify_hash, SM3_DIGEST_SIZE);
|
||||
if (sm2_verify_finish(&sm2_ctx, sig+2, siglen-2) != 1) {
|
||||
|
||||
sm3_finish(&cert_verify_sm3_ctx, cert_verify_hash);
|
||||
if (sm2_verify_init(&verify_ctx, &client_sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1
|
||||
|| sm2_verify_update(&verify_ctx, cert_verify_hash, SM3_DIGEST_SIZE) != 1
|
||||
|| sm2_verify_finish(&verify_ctx, sig, siglen) != 1) {
|
||||
error_print();
|
||||
tls_send_alert(conn, TLS_alert_decrypt_error);
|
||||
goto end;
|
||||
|
||||
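Review bot: In `tlcp_do_accept`, the `SM3_CTX cert_verify_sm3_ctx = sm3_ctx;` snapshot at the top of the `if (client_verify)` block is order-sensitive, and nothing in the code says so. The hash checked by `sm2_verify_finish` has to cover the handshake messages up to but not including CertificateVerify, so the copy must stay ahead of whatever code feeds the received record into `sm3_ctx`; that code lies between the hunks and is not shown here. I would add `/* snapshot the transcript before CertificateVerify is hashed: the signature covers every handshake message up to, not including, this one */` above the declaration, and a matching one-line comment above the copy in `tlcp_do_connect`. Both function bodies start and end outside the hunks.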
17
src/tls.c
17
src/tls.c
@@ -1227,6 +1227,8 @@ int tls_record_set_handshake_certificate_verify(uint8_t *record, size_t *recordl
|
||||
const uint8_t *sig, size_t siglen)
|
||||
{
|
||||
int type = TLS_handshake_certificate_verify;
|
||||
uint8_t *p;
|
||||
size_t len = 0;
|
||||
|
||||
if (!record || !recordlen || !sig || !siglen) {
|
||||
error_print();
|
||||
@@ -1236,7 +1238,9 @@ int tls_record_set_handshake_certificate_verify(uint8_t *record, size_t *recordl
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
tls_record_set_handshake(record, recordlen, type, sig, siglen);
|
||||
p = tls_handshake_data(tls_record_data(record));
|
||||
tls_uint16array_to_bytes(sig, siglen, &p, &len);
|
||||
tls_record_set_handshake(record, recordlen, type, NULL, len);
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -1244,12 +1248,14 @@ int tls_record_get_handshake_certificate_verify(const uint8_t *record,
|
||||
const uint8_t **sig, size_t *siglen)
|
||||
{
|
||||
int type;
|
||||
const uint8_t *cp;
|
||||
size_t len;
|
||||
|
||||
if (!record || !sig || !siglen) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (tls_record_get_handshake(record, &type, sig, siglen) != 1) {
|
||||
if (tls_record_get_handshake(record, &type, &cp, &len) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -1257,11 +1263,8 @@ int tls_record_get_handshake_certificate_verify(const uint8_t *record,
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (*sig == NULL || *siglen == 0) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (*siglen > TLS_MAX_SIGNATURE_SIZE) {
|
||||
if (tls_uint16array_from_bytes(sig, siglen, &cp, &len) != 1
|
||||
|| tls_length_is_zero(len) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
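Review bot: `tls_record_get_handshake_certificate_verify` no longer bounds the peer-supplied signature length itself. Going by the `-1257,11 +1263,8` counts in the last hunk header, the `*sig == NULL || *siglen == 0` and `*siglen > TLS_MAX_SIGNATURE_SIZE` checks are on the removed side, leaving only `tls_uint16array_from_bytes` and `tls_length_is_zero(len)`. The caller in `tlcp_do_accept` now passes `sig, siglen` straight to `sm2_verify_finish`, so an empty or oversized signature field is left for the verifier to reject. I would keep an explicit guard right after the parse, `if (*sig == NULL || *siglen == 0 || *siglen > TLS_MAX_SIGNATURE_SIZE) { error_print(); return -1; }`. Separately, the new `tls_record_set_handshake(record, recordlen, type, NULL, len);` line in the setter discards whatever that call returns before `return 1;`; the getter's body continues outside the hunk.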