1// ssl/statem/statem_lib.c
2int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
3{
4 EVP_PKEY *pkey = NULL;
5 const EVP_MD *md = NULL;
6 EVP_MD_CTX *mctx = NULL;
7 EVP_PKEY_CTX *pctx = NULL;
8 size_t hdatalen = 0, siglen = 0;
9 void *hdata;
10 unsigned char *sig = NULL;
11 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
12 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
13
14 if (lu == NULL || s->s3.tmp.cert == NULL) {
15 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
16 goto err;
17 }
18 // 从证书中取私钥用于签名
19 pkey = s->s3.tmp.cert->privatekey;
20
21 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
22 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
23 goto err;
24 }
25
26 mctx = EVP_MD_CTX_new();
27 if (mctx == NULL) {
28 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
29 goto err;
30 }
31
32 /* Get the data to be signed */
33 // 获取要用于签名的数据
34 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
35 /* SSLfatal() already called */
36 goto err;
37 }
38
39 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
40 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
41 goto err;
42 }
43
44 // 做签名的准备
45 if (EVP_DigestSignInit_ex(mctx, &pctx,
46 md == NULL ? NULL : EVP_MD_get0_name(md),
47 s->ctx->libctx, s->ctx->propq, pkey,
48 NULL) <= 0) {
49 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
50 goto err;
51 }
52
53 if (lu->sig == EVP_PKEY_RSA_PSS) {
54 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
55 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
56 RSA_PSS_SALTLEN_DIGEST) <= 0) {
57 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
58 goto err;
59 }
60 }
61
62 // 根据版本做不同的签名信息
63 if (s->version == SSL3_VERSION) {
64 /*
65 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
66 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
67 */
68 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
69 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
70 (int)s->session->master_key_length,
71 s->session->master_key) <= 0
72 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
73
74 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
75 goto err;
76 }
77 sig = OPENSSL_malloc(siglen);
78 if (sig == NULL
79 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
80 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
81 goto err;
82 }
83 } else {
84 /*
85 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
86 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
87 */
88 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
89 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
90 goto err;
91 }
92 sig = OPENSSL_malloc(siglen);
93 if (sig == NULL
94 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
95 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
96 goto err;
97 }
98 }
99
100#ifndef OPENSSL_NO_GOST
101 {
102 int pktype = lu->sig;
103
104 if (pktype == NID_id_GostR3410_2001
105 || pktype == NID_id_GostR3410_2012_256
106 || pktype == NID_id_GostR3410_2012_512)
107 BUF_reverse(sig, NULL, siglen);
108 }
109#endif
110
111 // 把签名信息放到包里面
112 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
113 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
114 goto err;
115 }
116
117 /* Digest cached records and discard handshake buffer */
118 if (!ssl3_digest_cached_records(s, 0)) {
119 /* SSLfatal() already called */
120 goto err;
121 }
122
123 OPENSSL_free(sig);
124 EVP_MD_CTX_free(mctx);
125 return 1;
126 err:
127 OPENSSL_free(sig);
128 EVP_MD_CTX_free(mctx);
129 return 0;
130}
1// ssl/statem/statem_lib.c
2/*
3 * Size of the to-be-signed TLS13 data, without the hash size itself:
4 * 64 bytes of value 32, 33 context bytes, 1 byte separator
5 */
6#define TLS13_TBS_START_SIZE 64
7#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
8
9static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
10 void **hdata, size_t *hdatalen)
11{
12 /* ASCII: "TLS 1.3, server CertificateVerify", in hex for EBCDIC compatibility */
13 static const char servercontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x73\x65\x72"
14 "\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79";
15 /* ASCII: "TLS 1.3, client CertificateVerify", in hex for EBCDIC compatibility */
16 static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69"
17 "\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79";
18
19 if (SSL_IS_TLS13(s)) {
20 size_t hashlen;
21
22 /* Set the first 64 bytes of to-be-signed data to octet 32 */
23 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
24 /* This copies the 33 bytes of context plus the 0 separator byte */
25 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
26 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
27 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
28 else
29 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
30
31 /*
32 * If we're currently reading then we need to use the saved handshake
33 * hash value. We can't use the current handshake hash state because
34 * that includes the CertVerify itself.
35 */
36 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
37 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
38 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
39 s->cert_verify_hash_len);
40 hashlen = s->cert_verify_hash_len;
41 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
42 EVP_MAX_MD_SIZE, &hashlen)) {
43 /* SSLfatal() already called */
44 return 0;
45 }
46
47 *hdata = tls13tbs;
48 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
49 } else {
50 size_t retlen;
51 long retlen_l;
52
53 // tls1.3之前使用握手缓冲区的数据作为要用于签名的数据
54 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
55 if (retlen_l <= 0) {
56 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
57 return 0;
58 }
59 *hdatalen = retlen;
60 }
61
62 return 1;
63}