155714Skris/* ssl/s2_srvr.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8280304Sjkim * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15280304Sjkim * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22280304Sjkim * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37280304Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40280304Sjkim * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52280304Sjkim * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5889840Skris/* ==================================================================== 5989840Skris * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6089840Skris * 6189840Skris * Redistribution and use in source and binary forms, with or without 6289840Skris * modification, are permitted provided that the following conditions 6389840Skris * are met: 6489840Skris * 6589840Skris * 1. Redistributions of source code must retain the above copyright 66280304Sjkim * notice, this list of conditions and the following disclaimer. 6789840Skris * 6889840Skris * 2. Redistributions in binary form must reproduce the above copyright 6989840Skris * notice, this list of conditions and the following disclaimer in 7089840Skris * the documentation and/or other materials provided with the 7189840Skris * distribution. 7289840Skris * 7389840Skris * 3. All advertising materials mentioning features or use of this 7489840Skris * software must display the following acknowledgment: 7589840Skris * "This product includes software developed by the OpenSSL Project 7689840Skris * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7789840Skris * 7889840Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 7989840Skris * endorse or promote products derived from this software without 8089840Skris * prior written permission. For written permission, please contact 8189840Skris * openssl-core@openssl.org. 8289840Skris * 8389840Skris * 5. Products derived from this software may not be called "OpenSSL" 8489840Skris * nor may "OpenSSL" appear in their names without prior written 8589840Skris * permission of the OpenSSL Project. 8689840Skris * 8789840Skris * 6. Redistributions of any form whatsoever must retain the following 8889840Skris * acknowledgment: 8989840Skris * "This product includes software developed by the OpenSSL Project 9089840Skris * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9189840Skris * 9289840Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 9389840Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9489840Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9589840Skris * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9689840Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9789840Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 9889840Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 9989840Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 10089840Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10189840Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10289840Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10389840Skris * OF THE POSSIBILITY OF SUCH DAMAGE. 10489840Skris * ==================================================================== 10589840Skris * 10689840Skris * This product includes cryptographic software written by Eric Young 10789840Skris * (eay@cryptsoft.com). This product includes software written by Tim 10889840Skris * Hudson (tjh@cryptsoft.com). 10989840Skris * 11089840Skris */ 11155714Skris 11259194Skris#include "ssl_locl.h" 113110007Smarkm#ifndef OPENSSL_NO_SSL2 114284285Sjkim#include "../crypto/constant_time_locl.h" 115280304Sjkim# include <stdio.h> 116280304Sjkim# include <openssl/bio.h> 117280304Sjkim# include <openssl/rand.h> 118280304Sjkim# include <openssl/objects.h> 119280304Sjkim# include <openssl/evp.h> 12055714Skris 121238405Sjkimstatic const SSL_METHOD *ssl2_get_server_method(int ver); 12255714Skrisstatic int get_client_master_key(SSL *s); 12355714Skrisstatic int get_client_hello(SSL *s); 124280304Sjkimstatic int server_hello(SSL *s); 12555714Skrisstatic int get_client_finished(SSL *s); 12655714Skrisstatic int server_verify(SSL *s); 12755714Skrisstatic int server_finish(SSL *s); 12855714Skrisstatic int request_certificate(SSL *s); 12955714Skrisstatic int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, 130280304Sjkim unsigned char *to, int padding); 131280304Sjkim# define BREAK break 13255714Skris 133238405Sjkimstatic const SSL_METHOD *ssl2_get_server_method(int ver) 134280304Sjkim{ 135280304Sjkim if (ver == SSL2_VERSION) 136280304Sjkim return (SSLv2_server_method()); 137280304Sjkim else 138280304Sjkim return (NULL); 139280304Sjkim} 14055714Skris 141160817SsimonIMPLEMENT_ssl2_meth_func(SSLv2_server_method, 142280304Sjkim ssl2_accept, 143280304Sjkim ssl_undefined_function, ssl2_get_server_method) 14455714Skris 14555714Skrisint ssl2_accept(SSL *s) 146280304Sjkim{ 147280304Sjkim unsigned long l = (unsigned long)time(NULL); 148280304Sjkim BUF_MEM *buf = NULL; 149280304Sjkim int ret = -1; 150280304Sjkim long num1; 151280304Sjkim void (*cb) (const SSL *ssl, int type, int val) = NULL; 152280304Sjkim int new_state, state; 15355714Skris 154280304Sjkim RAND_add(&l, sizeof(l), 0); 155280304Sjkim ERR_clear_error(); 156280304Sjkim clear_sys_error(); 15755714Skris 158280304Sjkim if (s->info_callback != NULL) 159280304Sjkim cb = s->info_callback; 160280304Sjkim else if (s->ctx->info_callback != NULL) 161280304Sjkim cb = s->ctx->info_callback; 16255714Skris 163280304Sjkim /* init things to blank */ 164280304Sjkim s->in_handshake++; 165280304Sjkim if (!SSL_in_init(s) || SSL_in_before(s)) 166280304Sjkim SSL_clear(s); 16755714Skris 168280304Sjkim if (s->cert == NULL) { 169280304Sjkim SSLerr(SSL_F_SSL2_ACCEPT, SSL_R_NO_CERTIFICATE_SET); 170280304Sjkim return (-1); 171280304Sjkim } 17255714Skris 173280304Sjkim clear_sys_error(); 174280304Sjkim for (;;) { 175280304Sjkim state = s->state; 17655714Skris 177280304Sjkim switch (s->state) { 178280304Sjkim case SSL_ST_BEFORE: 179280304Sjkim case SSL_ST_ACCEPT: 180280304Sjkim case SSL_ST_BEFORE | SSL_ST_ACCEPT: 181280304Sjkim case SSL_ST_OK | SSL_ST_ACCEPT: 18255714Skris 183280304Sjkim s->server = 1; 184280304Sjkim if (cb != NULL) 185280304Sjkim cb(s, SSL_CB_HANDSHAKE_START, 1); 18655714Skris 187280304Sjkim s->version = SSL2_VERSION; 188280304Sjkim s->type = SSL_ST_ACCEPT; 18955714Skris 190280304Sjkim if (s->init_buf == NULL) { 191280304Sjkim if ((buf = BUF_MEM_new()) == NULL) { 192280304Sjkim ret = -1; 193280304Sjkim goto end; 194280304Sjkim } 195280304Sjkim if (!BUF_MEM_grow 196280304Sjkim (buf, (int)SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { 197280304Sjkim BUF_MEM_free(buf); 198280304Sjkim ret = -1; 199280304Sjkim goto end; 200280304Sjkim } 201280304Sjkim s->init_buf = buf; 202280304Sjkim } 203280304Sjkim s->init_num = 0; 204280304Sjkim s->ctx->stats.sess_accept++; 205280304Sjkim s->handshake_func = ssl2_accept; 206280304Sjkim s->state = SSL2_ST_GET_CLIENT_HELLO_A; 207280304Sjkim BREAK; 20855714Skris 209280304Sjkim case SSL2_ST_GET_CLIENT_HELLO_A: 210280304Sjkim case SSL2_ST_GET_CLIENT_HELLO_B: 211280304Sjkim case SSL2_ST_GET_CLIENT_HELLO_C: 212280304Sjkim s->shutdown = 0; 213280304Sjkim ret = get_client_hello(s); 214280304Sjkim if (ret <= 0) 215280304Sjkim goto end; 216280304Sjkim s->init_num = 0; 217280304Sjkim s->state = SSL2_ST_SEND_SERVER_HELLO_A; 218280304Sjkim BREAK; 21955714Skris 220280304Sjkim case SSL2_ST_SEND_SERVER_HELLO_A: 221280304Sjkim case SSL2_ST_SEND_SERVER_HELLO_B: 222280304Sjkim ret = server_hello(s); 223280304Sjkim if (ret <= 0) 224280304Sjkim goto end; 225280304Sjkim s->init_num = 0; 226280304Sjkim if (!s->hit) { 227280304Sjkim s->state = SSL2_ST_GET_CLIENT_MASTER_KEY_A; 228280304Sjkim BREAK; 229280304Sjkim } else { 230280304Sjkim s->state = SSL2_ST_SERVER_START_ENCRYPTION; 231280304Sjkim BREAK; 232280304Sjkim } 233280304Sjkim case SSL2_ST_GET_CLIENT_MASTER_KEY_A: 234280304Sjkim case SSL2_ST_GET_CLIENT_MASTER_KEY_B: 235280304Sjkim ret = get_client_master_key(s); 236280304Sjkim if (ret <= 0) 237280304Sjkim goto end; 238280304Sjkim s->init_num = 0; 239280304Sjkim s->state = SSL2_ST_SERVER_START_ENCRYPTION; 240280304Sjkim BREAK; 24155714Skris 242280304Sjkim case SSL2_ST_SERVER_START_ENCRYPTION: 243280304Sjkim /* 244280304Sjkim * Ok we how have sent all the stuff needed to start encrypting, 245280304Sjkim * the next packet back will be encrypted. 246280304Sjkim */ 247280304Sjkim if (!ssl2_enc_init(s, 0)) { 248280304Sjkim ret = -1; 249280304Sjkim goto end; 250280304Sjkim } 251280304Sjkim s->s2->clear_text = 0; 252280304Sjkim s->state = SSL2_ST_SEND_SERVER_VERIFY_A; 253280304Sjkim BREAK; 25455714Skris 255280304Sjkim case SSL2_ST_SEND_SERVER_VERIFY_A: 256280304Sjkim case SSL2_ST_SEND_SERVER_VERIFY_B: 257280304Sjkim ret = server_verify(s); 258280304Sjkim if (ret <= 0) 259280304Sjkim goto end; 260280304Sjkim s->init_num = 0; 261280304Sjkim if (s->hit) { 262280304Sjkim /* 263280304Sjkim * If we are in here, we have been buffering the output, so 264280304Sjkim * we need to flush it and remove buffering from future 265280304Sjkim * traffic 266280304Sjkim */ 267280304Sjkim s->state = SSL2_ST_SEND_SERVER_VERIFY_C; 268280304Sjkim BREAK; 269280304Sjkim } else { 270280304Sjkim s->state = SSL2_ST_GET_CLIENT_FINISHED_A; 271280304Sjkim break; 272280304Sjkim } 27355714Skris 274280304Sjkim case SSL2_ST_SEND_SERVER_VERIFY_C: 275280304Sjkim /* get the number of bytes to write */ 276280304Sjkim num1 = BIO_ctrl(s->wbio, BIO_CTRL_INFO, 0, NULL); 277280304Sjkim if (num1 > 0) { 278280304Sjkim s->rwstate = SSL_WRITING; 279280304Sjkim num1 = BIO_flush(s->wbio); 280280304Sjkim if (num1 <= 0) { 281280304Sjkim ret = -1; 282280304Sjkim goto end; 283280304Sjkim } 284280304Sjkim s->rwstate = SSL_NOTHING; 285280304Sjkim } 28655714Skris 287280304Sjkim /* flushed and now remove buffering */ 288280304Sjkim s->wbio = BIO_pop(s->wbio); 28955714Skris 290280304Sjkim s->state = SSL2_ST_GET_CLIENT_FINISHED_A; 291280304Sjkim BREAK; 29255714Skris 293280304Sjkim case SSL2_ST_GET_CLIENT_FINISHED_A: 294280304Sjkim case SSL2_ST_GET_CLIENT_FINISHED_B: 295280304Sjkim ret = get_client_finished(s); 296280304Sjkim if (ret <= 0) 297280304Sjkim goto end; 298280304Sjkim s->init_num = 0; 299280304Sjkim s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_A; 300280304Sjkim BREAK; 30155714Skris 302280304Sjkim case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: 303280304Sjkim case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: 304280304Sjkim case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: 305280304Sjkim case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: 306280304Sjkim /* 307280304Sjkim * don't do a 'request certificate' if we don't want to, or we 308280304Sjkim * already have one, and we only want to do it once. 309280304Sjkim */ 310280304Sjkim if (!(s->verify_mode & SSL_VERIFY_PEER) || 311280304Sjkim ((s->session->peer != NULL) && 312280304Sjkim (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))) { 313280304Sjkim s->state = SSL2_ST_SEND_SERVER_FINISHED_A; 314280304Sjkim break; 315280304Sjkim } else { 316280304Sjkim ret = request_certificate(s); 317280304Sjkim if (ret <= 0) 318280304Sjkim goto end; 319280304Sjkim s->init_num = 0; 320280304Sjkim s->state = SSL2_ST_SEND_SERVER_FINISHED_A; 321280304Sjkim } 322280304Sjkim BREAK; 32355714Skris 324280304Sjkim case SSL2_ST_SEND_SERVER_FINISHED_A: 325280304Sjkim case SSL2_ST_SEND_SERVER_FINISHED_B: 326280304Sjkim ret = server_finish(s); 327280304Sjkim if (ret <= 0) 328280304Sjkim goto end; 329280304Sjkim s->init_num = 0; 330280304Sjkim s->state = SSL_ST_OK; 331280304Sjkim break; 33255714Skris 333280304Sjkim case SSL_ST_OK: 334280304Sjkim BUF_MEM_free(s->init_buf); 335280304Sjkim ssl_free_wbio_buffer(s); 336280304Sjkim s->init_buf = NULL; 337280304Sjkim s->init_num = 0; 338280304Sjkim /* ERR_clear_error(); */ 33955714Skris 340280304Sjkim ssl_update_cache(s, SSL_SESS_CACHE_SERVER); 34155714Skris 342280304Sjkim s->ctx->stats.sess_accept_good++; 343280304Sjkim /* s->server=1; */ 344280304Sjkim ret = 1; 34555714Skris 346280304Sjkim if (cb != NULL) 347280304Sjkim cb(s, SSL_CB_HANDSHAKE_DONE, 1); 34855714Skris 349280304Sjkim goto end; 350280304Sjkim /* BREAK; */ 35155714Skris 352280304Sjkim default: 353280304Sjkim SSLerr(SSL_F_SSL2_ACCEPT, SSL_R_UNKNOWN_STATE); 354280304Sjkim ret = -1; 355280304Sjkim goto end; 356280304Sjkim /* BREAK; */ 357280304Sjkim } 35855714Skris 359280304Sjkim if ((cb != NULL) && (s->state != state)) { 360280304Sjkim new_state = s->state; 361280304Sjkim s->state = state; 362280304Sjkim cb(s, SSL_CB_ACCEPT_LOOP, 1); 363280304Sjkim s->state = new_state; 364280304Sjkim } 365280304Sjkim } 366280304Sjkim end: 367280304Sjkim s->in_handshake--; 368280304Sjkim if (cb != NULL) 369280304Sjkim cb(s, SSL_CB_ACCEPT_EXIT, ret); 370280304Sjkim return (ret); 371280304Sjkim} 372280304Sjkim 37355714Skrisstatic int get_client_master_key(SSL *s) 374280304Sjkim{ 375280304Sjkim int is_export, i, n, keya; 376284285Sjkim unsigned int num_encrypted_key_bytes, key_length; 377280304Sjkim unsigned long len; 378280304Sjkim unsigned char *p; 379280304Sjkim const SSL_CIPHER *cp; 380280304Sjkim const EVP_CIPHER *c; 381280304Sjkim const EVP_MD *md; 382284285Sjkim unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; 383284285Sjkim unsigned char decrypt_good; 384284285Sjkim size_t j; 38555714Skris 386280304Sjkim p = (unsigned char *)s->init_buf->data; 387280304Sjkim if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A) { 388280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), 10 - s->init_num); 38955714Skris 390280304Sjkim if (i < (10 - s->init_num)) 391280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_MASTER_KEY, i)); 392280304Sjkim s->init_num = 10; 39389840Skris 394280304Sjkim if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY) { 395280304Sjkim if (p[-1] != SSL2_MT_ERROR) { 396280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 397280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, 398280304Sjkim SSL_R_READ_WRONG_PACKET_TYPE); 399280304Sjkim } else 400280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR); 401280304Sjkim return (-1); 402280304Sjkim } 40355714Skris 404280304Sjkim cp = ssl2_get_cipher_by_char(p); 405295016Sjkim if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) { 406280304Sjkim ssl2_return_error(s, SSL2_PE_NO_CIPHER); 407280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH); 408280304Sjkim return (-1); 409280304Sjkim } 410280304Sjkim s->session->cipher = cp; 41155714Skris 412280304Sjkim p += 3; 413280304Sjkim n2s(p, i); 414280304Sjkim s->s2->tmp.clear = i; 415280304Sjkim n2s(p, i); 416280304Sjkim s->s2->tmp.enc = i; 417280304Sjkim n2s(p, i); 418280304Sjkim if (i > SSL_MAX_KEY_ARG_LENGTH) { 419280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 420280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG); 421280304Sjkim return -1; 422280304Sjkim } 423280304Sjkim s->session->key_arg_length = i; 424280304Sjkim s->state = SSL2_ST_GET_CLIENT_MASTER_KEY_B; 425280304Sjkim } 42655714Skris 427280304Sjkim /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */ 428280304Sjkim p = (unsigned char *)s->init_buf->data; 429280304Sjkim if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { 430280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 431280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); 432280304Sjkim return -1; 433280304Sjkim } 434280304Sjkim keya = s->session->key_arg_length; 435280304Sjkim len = 436280304Sjkim 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + 437280304Sjkim (unsigned long)keya; 438280304Sjkim if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { 439280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 440280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_MESSAGE_TOO_LONG); 441280304Sjkim return -1; 442280304Sjkim } 443280304Sjkim n = (int)len - s->init_num; 444280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), n); 445280304Sjkim if (i != n) 446280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_MASTER_KEY, i)); 447280304Sjkim if (s->msg_callback) { 448280304Sjkim /* CLIENT-MASTER-KEY */ 449280304Sjkim s->msg_callback(0, s->version, 0, p, (size_t)len, s, 450280304Sjkim s->msg_callback_arg); 451280304Sjkim } 452280304Sjkim p += 10; 45355714Skris 454280304Sjkim memcpy(s->session->key_arg, &(p[s->s2->tmp.clear + s->s2->tmp.enc]), 455280304Sjkim (unsigned int)keya); 45655714Skris 457280304Sjkim if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) { 458280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 459280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_PRIVATEKEY); 460280304Sjkim return (-1); 461280304Sjkim } 46255714Skris 463280304Sjkim is_export = SSL_C_IS_EXPORT(s->session->cipher); 46455714Skris 465280304Sjkim if (!ssl_cipher_get_evp(s->session, &c, &md, NULL, NULL, NULL)) { 466280304Sjkim ssl2_return_error(s, SSL2_PE_NO_CIPHER); 467280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, 468280304Sjkim SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); 469280304Sjkim return (0); 470280304Sjkim } 47155714Skris 472280304Sjkim /* 473280304Sjkim * The format of the CLIENT-MASTER-KEY message is 474280304Sjkim * 1 byte message type 475280304Sjkim * 3 bytes cipher 476280304Sjkim * 2-byte clear key length (stored in s->s2->tmp.clear) 477280304Sjkim * 2-byte encrypted key length (stored in s->s2->tmp.enc) 478280304Sjkim * 2-byte key args length (IV etc) 479280304Sjkim * clear key 480280304Sjkim * encrypted key 481280304Sjkim * key args 482280304Sjkim * 483280304Sjkim * If the cipher is an export cipher, then the encrypted key bytes 484280304Sjkim * are a fixed portion of the total key (5 or 8 bytes). The size of 485284285Sjkim * this portion is in |num_encrypted_key_bytes|. If the cipher is not an 486284285Sjkim * export cipher, then the entire key material is encrypted (i.e., clear 487284285Sjkim * key length must be zero). 488280304Sjkim */ 489284285Sjkim key_length = (unsigned int)EVP_CIPHER_key_length(c); 490284285Sjkim if (key_length > SSL_MAX_MASTER_KEY_LENGTH) { 491280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 492284285Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); 493284285Sjkim return -1; 494284285Sjkim } 495284285Sjkim 496284285Sjkim if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) { 497284285Sjkim is_export = 1; 498284285Sjkim num_encrypted_key_bytes = 8; 499284285Sjkim } else if (is_export) { 500284285Sjkim num_encrypted_key_bytes = 5; 501284285Sjkim } else { 502284285Sjkim num_encrypted_key_bytes = key_length; 503284285Sjkim } 504284285Sjkim 505284285Sjkim if (s->s2->tmp.clear + num_encrypted_key_bytes != key_length) { 506284285Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 507280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); 508280304Sjkim return -1; 509280304Sjkim } 510280304Sjkim /* 511280304Sjkim * The encrypted blob must decrypt to the encrypted portion of the key. 512280304Sjkim * Decryption can't be expanding, so if we don't have enough encrypted 513280304Sjkim * bytes to fit the key in the buffer, stop now. 514280304Sjkim */ 515284285Sjkim if (s->s2->tmp.enc < num_encrypted_key_bytes) { 516280304Sjkim ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 517280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); 518280304Sjkim return -1; 519280304Sjkim } 520280304Sjkim 521284285Sjkim /* 522284285Sjkim * We must not leak whether a decryption failure occurs because of 523284285Sjkim * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, 524284285Sjkim * section 7.4.7.1). The code follows that advice of the TLS RFC and 525284285Sjkim * generates a random premaster secret for the case that the decrypt 526284285Sjkim * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 527284285Sjkim */ 528284285Sjkim 529306196Sjkim if (RAND_bytes(rand_premaster_secret, 530306196Sjkim (int)num_encrypted_key_bytes) <= 0) 531284285Sjkim return 0; 532284285Sjkim 533280304Sjkim i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, 534280266Sdelphij &(p[s->s2->tmp.clear]), 535280266Sdelphij &(p[s->s2->tmp.clear]), 536280266Sdelphij (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : 537280266Sdelphij RSA_PKCS1_PADDING); 538284285Sjkim ERR_clear_error(); 539280304Sjkim /* 540280304Sjkim * If a bad decrypt, continue with protocol but with a random master 541280304Sjkim * secret (Bleichenbacher attack) 542280304Sjkim */ 543284285Sjkim decrypt_good = constant_time_eq_int_8(i, (int)num_encrypted_key_bytes); 544284285Sjkim for (j = 0; j < num_encrypted_key_bytes; j++) { 545284285Sjkim p[s->s2->tmp.clear + j] = 546284285Sjkim constant_time_select_8(decrypt_good, p[s->s2->tmp.clear + j], 547284285Sjkim rand_premaster_secret[j]); 548280304Sjkim } 54955714Skris 550284285Sjkim s->session->master_key_length = (int)key_length; 551284285Sjkim memcpy(s->session->master_key, p, key_length); 552284285Sjkim OPENSSL_cleanse(p, key_length); 553101621Snectar 554284285Sjkim return 1; 555280304Sjkim} 55655714Skris 55755714Skrisstatic int get_client_hello(SSL *s) 558280304Sjkim{ 559280304Sjkim int i, n; 560280304Sjkim unsigned long len; 561280304Sjkim unsigned char *p; 562280304Sjkim STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */ 563280304Sjkim STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */ 564280304Sjkim STACK_OF(SSL_CIPHER) *prio, *allow; 565280304Sjkim int z; 56655714Skris 567280304Sjkim /* 568280304Sjkim * This is a bit of a hack to check for the correct packet type the first 569280304Sjkim * time round. 570280304Sjkim */ 571280304Sjkim if (s->state == SSL2_ST_GET_CLIENT_HELLO_A) { 572280304Sjkim s->first_packet = 1; 573280304Sjkim s->state = SSL2_ST_GET_CLIENT_HELLO_B; 574280304Sjkim } 57555714Skris 576280304Sjkim p = (unsigned char *)s->init_buf->data; 577280304Sjkim if (s->state == SSL2_ST_GET_CLIENT_HELLO_B) { 578280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), 9 - s->init_num); 579280304Sjkim if (i < (9 - s->init_num)) 580280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_HELLO, i)); 581280304Sjkim s->init_num = 9; 58255714Skris 583280304Sjkim if (*(p++) != SSL2_MT_CLIENT_HELLO) { 584280304Sjkim if (p[-1] != SSL2_MT_ERROR) { 585280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 586280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_READ_WRONG_PACKET_TYPE); 587280304Sjkim } else 588280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_PEER_ERROR); 589280304Sjkim return (-1); 590280304Sjkim } 591280304Sjkim n2s(p, i); 592280304Sjkim if (i < s->version) 593280304Sjkim s->version = i; 594280304Sjkim n2s(p, i); 595280304Sjkim s->s2->tmp.cipher_spec_length = i; 596280304Sjkim n2s(p, i); 597280304Sjkim s->s2->tmp.session_id_length = i; 598295016Sjkim if ((i < 0) || (i > SSL_MAX_SSL_SESSION_ID_LENGTH)) { 599295016Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 600295016Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); 601295016Sjkim return -1; 602295016Sjkim } 603280304Sjkim n2s(p, i); 604280304Sjkim s->s2->challenge_length = i; 605280304Sjkim if ((i < SSL2_MIN_CHALLENGE_LENGTH) || 606280304Sjkim (i > SSL2_MAX_CHALLENGE_LENGTH)) { 607280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 608280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_INVALID_CHALLENGE_LENGTH); 609280304Sjkim return (-1); 610280304Sjkim } 611280304Sjkim s->state = SSL2_ST_GET_CLIENT_HELLO_C; 612280304Sjkim } 61355714Skris 614280304Sjkim /* SSL2_ST_GET_CLIENT_HELLO_C */ 615280304Sjkim p = (unsigned char *)s->init_buf->data; 616280304Sjkim len = 617280304Sjkim 9 + (unsigned long)s->s2->tmp.cipher_spec_length + 618280304Sjkim (unsigned long)s->s2->challenge_length + 619280304Sjkim (unsigned long)s->s2->tmp.session_id_length; 620280304Sjkim if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { 621280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 622280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_MESSAGE_TOO_LONG); 623280304Sjkim return -1; 624280304Sjkim } 625280304Sjkim n = (int)len - s->init_num; 626280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), n); 627280304Sjkim if (i != n) 628280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_HELLO, i)); 629280304Sjkim if (s->msg_callback) { 630280304Sjkim /* CLIENT-HELLO */ 631280304Sjkim s->msg_callback(0, s->version, 0, p, (size_t)len, s, 632280304Sjkim s->msg_callback_arg); 633280304Sjkim } 634280304Sjkim p += 9; 63555714Skris 636280304Sjkim /* 637280304Sjkim * get session-id before cipher stuff so we can get out session structure 638280304Sjkim * if it is cached 639280304Sjkim */ 640280304Sjkim /* session-id */ 641280304Sjkim if ((s->s2->tmp.session_id_length != 0) && 642280304Sjkim (s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH)) { 643280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 644280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_BAD_SSL_SESSION_ID_LENGTH); 645280304Sjkim return (-1); 646280304Sjkim } 64755714Skris 648280304Sjkim if (s->s2->tmp.session_id_length == 0) { 649280304Sjkim if (!ssl_get_new_session(s, 1)) { 650280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 651280304Sjkim return (-1); 652280304Sjkim } 653280304Sjkim } else { 654280304Sjkim i = ssl_get_prev_session(s, &(p[s->s2->tmp.cipher_spec_length]), 655280304Sjkim s->s2->tmp.session_id_length, NULL); 656280304Sjkim if (i == 1) { /* previous session */ 657280304Sjkim s->hit = 1; 658280304Sjkim } else if (i == -1) { 659280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 660280304Sjkim return (-1); 661280304Sjkim } else { 662280304Sjkim if (s->cert == NULL) { 663280304Sjkim ssl2_return_error(s, SSL2_PE_NO_CERTIFICATE); 664280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CERTIFICATE_SET); 665280304Sjkim return (-1); 666280304Sjkim } 66755714Skris 668280304Sjkim if (!ssl_get_new_session(s, 1)) { 669280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 670280304Sjkim return (-1); 671280304Sjkim } 672280304Sjkim } 673280304Sjkim } 67455714Skris 675280304Sjkim if (!s->hit) { 676280304Sjkim cs = ssl_bytes_to_cipher_list(s, p, s->s2->tmp.cipher_spec_length, 677280304Sjkim &s->session->ciphers); 678280304Sjkim if (cs == NULL) 679280304Sjkim goto mem_err; 68055714Skris 681280304Sjkim cl = SSL_get_ciphers(s); 68255714Skris 683280304Sjkim if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 684280304Sjkim prio = sk_SSL_CIPHER_dup(cl); 685280304Sjkim if (prio == NULL) 686280304Sjkim goto mem_err; 687280304Sjkim allow = cs; 688280304Sjkim } else { 689280304Sjkim prio = cs; 690280304Sjkim allow = cl; 691280304Sjkim } 692295016Sjkim 693295016Sjkim /* Generate list of SSLv2 ciphers shared between client and server */ 694280304Sjkim for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) { 695295016Sjkim const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z); 696295016Sjkim if ((cp->algorithm_ssl & SSL_SSLV2) == 0 || 697295016Sjkim sk_SSL_CIPHER_find(allow, cp) < 0) { 698280304Sjkim (void)sk_SSL_CIPHER_delete(prio, z); 699280304Sjkim z--; 700280304Sjkim } 701280304Sjkim } 702280304Sjkim if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 703280304Sjkim sk_SSL_CIPHER_free(s->session->ciphers); 704280304Sjkim s->session->ciphers = prio; 705280304Sjkim } 706295016Sjkim 707295016Sjkim /* Make sure we have at least one cipher in common */ 708295016Sjkim if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) { 709295016Sjkim ssl2_return_error(s, SSL2_PE_NO_CIPHER); 710295016Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH); 711295016Sjkim return -1; 712295016Sjkim } 713280304Sjkim /* 714280304Sjkim * s->session->ciphers should now have a list of ciphers that are on 715280304Sjkim * both the client and server. This list is ordered by the order the 716280304Sjkim * client sent the ciphers or in the order of the server's preference 717280304Sjkim * if SSL_OP_CIPHER_SERVER_PREFERENCE was set. 718280304Sjkim */ 719280304Sjkim } 720280304Sjkim p += s->s2->tmp.cipher_spec_length; 721280304Sjkim /* done cipher selection */ 72255714Skris 723280304Sjkim /* session id extracted already */ 724280304Sjkim p += s->s2->tmp.session_id_length; 72555714Skris 726280304Sjkim /* challenge */ 727280304Sjkim if (s->s2->challenge_length > sizeof s->s2->challenge) { 728280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 729280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 730280304Sjkim return -1; 731280304Sjkim } 732280304Sjkim memcpy(s->s2->challenge, p, (unsigned int)s->s2->challenge_length); 733280304Sjkim return (1); 734280304Sjkim mem_err: 735280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_MALLOC_FAILURE); 736280304Sjkim return (0); 737280304Sjkim} 738280304Sjkim 73955714Skrisstatic int server_hello(SSL *s) 740280304Sjkim{ 741280304Sjkim unsigned char *p, *d; 742280304Sjkim int n, hit; 74355714Skris 744280304Sjkim p = (unsigned char *)s->init_buf->data; 745280304Sjkim if (s->state == SSL2_ST_SEND_SERVER_HELLO_A) { 746280304Sjkim d = p + 11; 747280304Sjkim *(p++) = SSL2_MT_SERVER_HELLO; /* type */ 748280304Sjkim hit = s->hit; 749280304Sjkim *(p++) = (unsigned char)hit; 750280304Sjkim# if 1 751280304Sjkim if (!hit) { 752280304Sjkim if (s->session->sess_cert != NULL) 753280304Sjkim /* 754280304Sjkim * This can't really happen because get_client_hello has 755280304Sjkim * called ssl_get_new_session, which does not set sess_cert. 756280304Sjkim */ 757280304Sjkim ssl_sess_cert_free(s->session->sess_cert); 758280304Sjkim s->session->sess_cert = ssl_sess_cert_new(); 759280304Sjkim if (s->session->sess_cert == NULL) { 760280304Sjkim SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE); 761280304Sjkim return (-1); 762280304Sjkim } 763280304Sjkim } 764280304Sjkim /* 765280304Sjkim * If 'hit' is set, then s->sess_cert may be non-NULL or NULL, 766280304Sjkim * depending on whether it survived in the internal cache or was 767280304Sjkim * retrieved from an external cache. If it is NULL, we cannot put any 768280304Sjkim * useful data in it anyway, so we don't touch it. 769280304Sjkim */ 77055714Skris 771280304Sjkim# else /* That's what used to be done when cert_st 772280304Sjkim * and sess_cert_st were * the same. */ 773280304Sjkim if (!hit) { /* else add cert to session */ 774280304Sjkim CRYPTO_add(&s->cert->references, 1, CRYPTO_LOCK_SSL_CERT); 775280304Sjkim if (s->session->sess_cert != NULL) 776280304Sjkim ssl_cert_free(s->session->sess_cert); 777280304Sjkim s->session->sess_cert = s->cert; 778280304Sjkim } else { /* We have a session id-cache hit, if the * 779280304Sjkim * session-id has no certificate listed 780280304Sjkim * against * the 'cert' structure, grab the 781280304Sjkim * 'old' one * listed against the SSL 782280304Sjkim * connection */ 783280304Sjkim if (s->session->sess_cert == NULL) { 784280304Sjkim CRYPTO_add(&s->cert->references, 1, CRYPTO_LOCK_SSL_CERT); 785280304Sjkim s->session->sess_cert = s->cert; 786280304Sjkim } 787280304Sjkim } 788280304Sjkim# endif 78955714Skris 790280304Sjkim if (s->cert == NULL) { 791280304Sjkim ssl2_return_error(s, SSL2_PE_NO_CERTIFICATE); 792280304Sjkim SSLerr(SSL_F_SERVER_HELLO, SSL_R_NO_CERTIFICATE_SPECIFIED); 793280304Sjkim return (-1); 794280304Sjkim } 79555714Skris 796280304Sjkim if (hit) { 797280304Sjkim *(p++) = 0; /* no certificate type */ 798280304Sjkim s2n(s->version, p); /* version */ 799280304Sjkim s2n(0, p); /* cert len */ 800280304Sjkim s2n(0, p); /* ciphers len */ 801280304Sjkim } else { 802280304Sjkim /* EAY EAY */ 803280304Sjkim /* put certificate type */ 804280304Sjkim *(p++) = SSL2_CT_X509_CERTIFICATE; 805280304Sjkim s2n(s->version, p); /* version */ 806280304Sjkim n = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, NULL); 807280304Sjkim s2n(n, p); /* certificate length */ 808280304Sjkim i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, &d); 809280304Sjkim n = 0; 81055714Skris 811280304Sjkim /* 812280304Sjkim * lets send out the ciphers we like in the prefered order 813280304Sjkim */ 814280304Sjkim n = ssl_cipher_list_to_bytes(s, s->session->ciphers, d, 0); 815280304Sjkim d += n; 816280304Sjkim s2n(n, p); /* add cipher length */ 817280304Sjkim } 81855714Skris 819280304Sjkim /* make and send conn_id */ 820280304Sjkim s2n(SSL2_CONNECTION_ID_LENGTH, p); /* add conn_id length */ 821280304Sjkim s->s2->conn_id_length = SSL2_CONNECTION_ID_LENGTH; 822306196Sjkim if (RAND_bytes(s->s2->conn_id, (int)s->s2->conn_id_length) <= 0) 823280304Sjkim return -1; 824280304Sjkim memcpy(d, s->s2->conn_id, SSL2_CONNECTION_ID_LENGTH); 825280304Sjkim d += SSL2_CONNECTION_ID_LENGTH; 82655714Skris 827280304Sjkim s->state = SSL2_ST_SEND_SERVER_HELLO_B; 828280304Sjkim s->init_num = d - (unsigned char *)s->init_buf->data; 829280304Sjkim s->init_off = 0; 830280304Sjkim } 831280304Sjkim /* SSL2_ST_SEND_SERVER_HELLO_B */ 832280304Sjkim /* 833280304Sjkim * If we are using TCP/IP, the performance is bad if we do 2 writes 834280304Sjkim * without a read between them. This occurs when Session-id reuse is 835280304Sjkim * used, so I will put in a buffering module 836280304Sjkim */ 837280304Sjkim if (s->hit) { 838280304Sjkim if (!ssl_init_wbio_buffer(s, 1)) 839280304Sjkim return (-1); 840280304Sjkim } 841280304Sjkim 842280304Sjkim return (ssl2_do_write(s)); 843280304Sjkim} 844280304Sjkim 84555714Skrisstatic int get_client_finished(SSL *s) 846280304Sjkim{ 847280304Sjkim unsigned char *p; 848280304Sjkim int i, n; 849280304Sjkim unsigned long len; 85055714Skris 851280304Sjkim p = (unsigned char *)s->init_buf->data; 852280304Sjkim if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A) { 853280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), 1 - s->init_num); 854280304Sjkim if (i < 1 - s->init_num) 855280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_FINISHED, i)); 856280304Sjkim s->init_num += i; 85755714Skris 858280304Sjkim if (*p != SSL2_MT_CLIENT_FINISHED) { 859280304Sjkim if (*p != SSL2_MT_ERROR) { 860280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 861280304Sjkim SSLerr(SSL_F_GET_CLIENT_FINISHED, 862280304Sjkim SSL_R_READ_WRONG_PACKET_TYPE); 863280304Sjkim } else { 864280304Sjkim SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_PEER_ERROR); 865280304Sjkim /* try to read the error message */ 866280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), 3 - s->init_num); 867280304Sjkim return ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i); 868280304Sjkim } 869280304Sjkim return (-1); 870280304Sjkim } 871280304Sjkim s->state = SSL2_ST_GET_CLIENT_FINISHED_B; 872280304Sjkim } 87355714Skris 874280304Sjkim /* SSL2_ST_GET_CLIENT_FINISHED_B */ 875280304Sjkim if (s->s2->conn_id_length > sizeof s->s2->conn_id) { 876280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 877280304Sjkim SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR); 878280304Sjkim return -1; 879280304Sjkim } 880280304Sjkim len = 1 + (unsigned long)s->s2->conn_id_length; 881280304Sjkim n = (int)len - s->init_num; 882280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), n); 883280304Sjkim if (i < n) { 884280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_FINISHED, i)); 885280304Sjkim } 886280304Sjkim if (s->msg_callback) { 887280304Sjkim /* CLIENT-FINISHED */ 888280304Sjkim s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); 889280304Sjkim } 890280304Sjkim p += 1; 891280304Sjkim if (memcmp(p, s->s2->conn_id, s->s2->conn_id_length) != 0) { 892280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 893280304Sjkim SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_CONNECTION_ID_IS_DIFFERENT); 894280304Sjkim return (-1); 895280304Sjkim } 896280304Sjkim return (1); 897280304Sjkim} 89855714Skris 89955714Skrisstatic int server_verify(SSL *s) 900280304Sjkim{ 901280304Sjkim unsigned char *p; 90255714Skris 903280304Sjkim if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A) { 904280304Sjkim p = (unsigned char *)s->init_buf->data; 905280304Sjkim *(p++) = SSL2_MT_SERVER_VERIFY; 906280304Sjkim if (s->s2->challenge_length > sizeof s->s2->challenge) { 907280304Sjkim SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR); 908280304Sjkim return -1; 909280304Sjkim } 910280304Sjkim memcpy(p, s->s2->challenge, (unsigned int)s->s2->challenge_length); 911280304Sjkim /* p+=s->s2->challenge_length; */ 91255714Skris 913280304Sjkim s->state = SSL2_ST_SEND_SERVER_VERIFY_B; 914280304Sjkim s->init_num = s->s2->challenge_length + 1; 915280304Sjkim s->init_off = 0; 916280304Sjkim } 917280304Sjkim return (ssl2_do_write(s)); 918280304Sjkim} 91955714Skris 92055714Skrisstatic int server_finish(SSL *s) 921280304Sjkim{ 922280304Sjkim unsigned char *p; 92355714Skris 924280304Sjkim if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A) { 925280304Sjkim p = (unsigned char *)s->init_buf->data; 926280304Sjkim *(p++) = SSL2_MT_SERVER_FINISHED; 92755714Skris 928280304Sjkim if (s->session->session_id_length > sizeof s->session->session_id) { 929280304Sjkim SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR); 930280304Sjkim return -1; 931280304Sjkim } 932280304Sjkim memcpy(p, s->session->session_id, 933280304Sjkim (unsigned int)s->session->session_id_length); 934280304Sjkim /* p+=s->session->session_id_length; */ 93555714Skris 936280304Sjkim s->state = SSL2_ST_SEND_SERVER_FINISHED_B; 937280304Sjkim s->init_num = s->session->session_id_length + 1; 938280304Sjkim s->init_off = 0; 939280304Sjkim } 94055714Skris 941280304Sjkim /* SSL2_ST_SEND_SERVER_FINISHED_B */ 942280304Sjkim return (ssl2_do_write(s)); 943280304Sjkim} 94455714Skris 94555714Skris/* send the request and check the response */ 94655714Skrisstatic int request_certificate(SSL *s) 947280304Sjkim{ 948280304Sjkim const unsigned char *cp; 949280304Sjkim unsigned char *p, *p2, *buf2; 950280304Sjkim unsigned char *ccd; 951280304Sjkim int i, j, ctype, ret = -1; 952280304Sjkim unsigned long len; 953280304Sjkim X509 *x509 = NULL; 954280304Sjkim STACK_OF(X509) *sk = NULL; 95555714Skris 956280304Sjkim ccd = s->s2->tmp.ccl; 957280304Sjkim if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A) { 958280304Sjkim p = (unsigned char *)s->init_buf->data; 959280304Sjkim *(p++) = SSL2_MT_REQUEST_CERTIFICATE; 960280304Sjkim *(p++) = SSL2_AT_MD5_WITH_RSA_ENCRYPTION; 961306196Sjkim if (RAND_bytes(ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0) 962280304Sjkim return -1; 963280304Sjkim memcpy(p, ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH); 96455714Skris 965280304Sjkim s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_B; 966280304Sjkim s->init_num = SSL2_MIN_CERT_CHALLENGE_LENGTH + 2; 967280304Sjkim s->init_off = 0; 968280304Sjkim } 96955714Skris 970280304Sjkim if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B) { 971280304Sjkim i = ssl2_do_write(s); 972280304Sjkim if (i <= 0) { 973280304Sjkim ret = i; 974280304Sjkim goto end; 975280304Sjkim } 97655714Skris 977280304Sjkim s->init_num = 0; 978280304Sjkim s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_C; 979280304Sjkim } 98055714Skris 981280304Sjkim if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C) { 982280304Sjkim p = (unsigned char *)s->init_buf->data; 983280304Sjkim /* try to read 6 octets ... */ 984280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), 6 - s->init_num); 985280304Sjkim /* 986280304Sjkim * ... but don't call ssl2_part_read now if we got at least 3 987280304Sjkim * (probably NO-CERTIFICATE-ERROR) 988280304Sjkim */ 989280304Sjkim if (i < 3 - s->init_num) { 990280304Sjkim ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, i); 991280304Sjkim goto end; 992280304Sjkim } 993280304Sjkim s->init_num += i; 99455714Skris 995280304Sjkim if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR)) { 996280304Sjkim n2s(p, i); 997280304Sjkim if (i != SSL2_PE_NO_CERTIFICATE) { 998280304Sjkim /* 999280304Sjkim * not the error message we expected -- let ssl2_part_read 1000280304Sjkim * handle it 1001280304Sjkim */ 1002280304Sjkim s->init_num -= 3; 1003280304Sjkim ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, 3); 1004280304Sjkim goto end; 1005280304Sjkim } 100689840Skris 1007280304Sjkim if (s->msg_callback) { 1008280304Sjkim /* ERROR */ 1009280304Sjkim s->msg_callback(0, s->version, 0, p, 3, s, 1010280304Sjkim s->msg_callback_arg); 1011280304Sjkim } 1012110007Smarkm 1013280304Sjkim /* 1014280304Sjkim * this is the one place where we can recover from an SSL 2.0 1015280304Sjkim * error 1016280304Sjkim */ 101789840Skris 1018280304Sjkim if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { 1019280304Sjkim ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE); 1020280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, 1021280304Sjkim SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 1022280304Sjkim goto end; 1023280304Sjkim } 1024280304Sjkim ret = 1; 1025280304Sjkim goto end; 1026280304Sjkim } 1027280304Sjkim if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6)) { 1028280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 1029280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_SHORT_READ); 1030280304Sjkim goto end; 1031280304Sjkim } 1032280304Sjkim if (s->init_num != 6) { 1033280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR); 1034280304Sjkim goto end; 1035280304Sjkim } 103655714Skris 1037280304Sjkim /* ok we have a response */ 1038280304Sjkim /* certificate type, there is only one right now. */ 1039280304Sjkim ctype = *(p++); 1040280304Sjkim if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) { 1041280304Sjkim ssl2_return_error(s, SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE); 1042280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_BAD_RESPONSE_ARGUMENT); 1043280304Sjkim goto end; 1044280304Sjkim } 1045280304Sjkim n2s(p, i); 1046280304Sjkim s->s2->tmp.clen = i; 1047280304Sjkim n2s(p, i); 1048280304Sjkim s->s2->tmp.rlen = i; 1049280304Sjkim s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_D; 1050280304Sjkim } 105155714Skris 1052280304Sjkim /* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */ 1053280304Sjkim p = (unsigned char *)s->init_buf->data; 1054280304Sjkim len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen; 1055280304Sjkim if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { 1056280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_MESSAGE_TOO_LONG); 1057280304Sjkim goto end; 1058280304Sjkim } 1059280304Sjkim j = (int)len - s->init_num; 1060280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), j); 1061280304Sjkim if (i < j) { 1062280304Sjkim ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, i); 1063280304Sjkim goto end; 1064280304Sjkim } 1065280304Sjkim if (s->msg_callback) { 1066280304Sjkim /* CLIENT-CERTIFICATE */ 1067280304Sjkim s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); 1068280304Sjkim } 1069280304Sjkim p += 6; 107055714Skris 1071280304Sjkim cp = p; 1072280304Sjkim x509 = (X509 *)d2i_X509(NULL, &cp, (long)s->s2->tmp.clen); 1073280304Sjkim if (x509 == NULL) { 1074280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_X509_LIB); 1075280304Sjkim goto msg_end; 1076280304Sjkim } 107755714Skris 1078280304Sjkim if (((sk = sk_X509_new_null()) == NULL) || (!sk_X509_push(sk, x509))) { 1079280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_MALLOC_FAILURE); 1080280304Sjkim goto msg_end; 1081280304Sjkim } 108255714Skris 1083280304Sjkim i = ssl_verify_cert_chain(s, sk); 108455714Skris 1085280304Sjkim if (i > 0) { /* we like the packet, now check the chksum */ 1086280304Sjkim EVP_MD_CTX ctx; 1087280304Sjkim EVP_PKEY *pkey = NULL; 108855714Skris 1089280304Sjkim EVP_MD_CTX_init(&ctx); 1090280304Sjkim if (!EVP_VerifyInit_ex(&ctx, s->ctx->rsa_md5, NULL) 1091280304Sjkim || !EVP_VerifyUpdate(&ctx, s->s2->key_material, 1092280304Sjkim s->s2->key_material_length) 1093280304Sjkim || !EVP_VerifyUpdate(&ctx, ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH)) 1094280304Sjkim goto msg_end; 109555714Skris 1096280304Sjkim i = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, NULL); 1097280304Sjkim buf2 = OPENSSL_malloc((unsigned int)i); 1098280304Sjkim if (buf2 == NULL) { 1099280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_MALLOC_FAILURE); 1100280304Sjkim goto msg_end; 1101280304Sjkim } 1102280304Sjkim p2 = buf2; 1103280304Sjkim i = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, &p2); 1104280304Sjkim if (!EVP_VerifyUpdate(&ctx, buf2, (unsigned int)i)) { 1105280304Sjkim OPENSSL_free(buf2); 1106280304Sjkim goto msg_end; 1107280304Sjkim } 1108280304Sjkim OPENSSL_free(buf2); 110955714Skris 1110280304Sjkim pkey = X509_get_pubkey(x509); 1111280304Sjkim if (pkey == NULL) 1112280304Sjkim goto end; 1113280304Sjkim i = EVP_VerifyFinal(&ctx, cp, s->s2->tmp.rlen, pkey); 1114280304Sjkim EVP_PKEY_free(pkey); 1115280304Sjkim EVP_MD_CTX_cleanup(&ctx); 111655714Skris 1117280304Sjkim if (i > 0) { 1118280304Sjkim if (s->session->peer != NULL) 1119280304Sjkim X509_free(s->session->peer); 1120280304Sjkim s->session->peer = x509; 1121280304Sjkim CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509); 1122280304Sjkim s->session->verify_result = s->verify_result; 1123280304Sjkim ret = 1; 1124280304Sjkim goto end; 1125280304Sjkim } else { 1126280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_BAD_CHECKSUM); 1127280304Sjkim goto msg_end; 1128280304Sjkim } 1129280304Sjkim } else { 1130280304Sjkim msg_end: 1131280304Sjkim ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE); 1132280304Sjkim } 1133280304Sjkim end: 1134280304Sjkim sk_X509_free(sk); 1135280304Sjkim X509_free(x509); 1136280304Sjkim return (ret); 1137280304Sjkim} 1138280304Sjkim 113955714Skrisstatic int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, 1140280304Sjkim unsigned char *to, int padding) 1141280304Sjkim{ 1142280304Sjkim RSA *rsa; 1143280304Sjkim int i; 114455714Skris 1145280304Sjkim if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)) { 1146280304Sjkim SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, SSL_R_NO_PRIVATEKEY); 1147280304Sjkim return (-1); 1148280304Sjkim } 1149280304Sjkim if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA) { 1150280304Sjkim SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, SSL_R_PUBLIC_KEY_IS_NOT_RSA); 1151280304Sjkim return (-1); 1152280304Sjkim } 1153280304Sjkim rsa = c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa; 115455714Skris 1155280304Sjkim /* we have the public key */ 1156280304Sjkim i = RSA_private_decrypt(len, from, to, rsa, padding); 1157280304Sjkim if (i < 0) 1158280304Sjkim SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, ERR_R_RSA_LIB); 1159280304Sjkim return (i); 1160280304Sjkim} 1161280304Sjkim#else /* !OPENSSL_NO_SSL2 */ 116259194Skris 116359194Skris# if PEDANTIC 1164280304Sjkimstatic void *dummy = &dummy; 116559194Skris# endif 116659194Skris 116755714Skris#endif 1168