155714Skris/* ssl/s2_srvr.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8280304Sjkim * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15280304Sjkim * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22280304Sjkim * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37280304Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40280304Sjkim * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52280304Sjkim * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5889840Skris/* ==================================================================== 5989840Skris * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6089840Skris * 6189840Skris * Redistribution and use in source and binary forms, with or without 6289840Skris * modification, are permitted provided that the following conditions 6389840Skris * are met: 6489840Skris * 6589840Skris * 1. Redistributions of source code must retain the above copyright 66280304Sjkim * notice, this list of conditions and the following disclaimer. 6789840Skris * 6889840Skris * 2. Redistributions in binary form must reproduce the above copyright 6989840Skris * notice, this list of conditions and the following disclaimer in 7089840Skris * the documentation and/or other materials provided with the 7189840Skris * distribution. 7289840Skris * 7389840Skris * 3. All advertising materials mentioning features or use of this 7489840Skris * software must display the following acknowledgment: 7589840Skris * "This product includes software developed by the OpenSSL Project 7689840Skris * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7789840Skris * 7889840Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 7989840Skris * endorse or promote products derived from this software without 8089840Skris * prior written permission. For written permission, please contact 8189840Skris * openssl-core@openssl.org. 8289840Skris * 8389840Skris * 5. Products derived from this software may not be called "OpenSSL" 8489840Skris * nor may "OpenSSL" appear in their names without prior written 8589840Skris * permission of the OpenSSL Project. 8689840Skris * 8789840Skris * 6. Redistributions of any form whatsoever must retain the following 8889840Skris * acknowledgment: 8989840Skris * "This product includes software developed by the OpenSSL Project 9089840Skris * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9189840Skris * 9289840Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 9389840Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9489840Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9589840Skris * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9689840Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9789840Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 9889840Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 9989840Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 10089840Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10189840Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10289840Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10389840Skris * OF THE POSSIBILITY OF SUCH DAMAGE. 10489840Skris * ==================================================================== 10589840Skris * 10689840Skris * This product includes cryptographic software written by Eric Young 10789840Skris * (eay@cryptsoft.com). This product includes software written by Tim 10889840Skris * Hudson (tjh@cryptsoft.com). 10989840Skris * 11089840Skris */ 11155714Skris 11259194Skris#include "ssl_locl.h" 113110007Smarkm#ifndef OPENSSL_NO_SSL2 114284285Sjkim#include "../crypto/constant_time_locl.h" 115280304Sjkim# include <stdio.h> 116280304Sjkim# include <openssl/bio.h> 117280304Sjkim# include <openssl/rand.h> 118280304Sjkim# include <openssl/objects.h> 119280304Sjkim# include <openssl/evp.h> 12055714Skris 121238405Sjkimstatic const SSL_METHOD *ssl2_get_server_method(int ver); 12255714Skrisstatic int get_client_master_key(SSL *s); 12355714Skrisstatic int get_client_hello(SSL *s); 124280304Sjkimstatic int server_hello(SSL *s); 12555714Skrisstatic int get_client_finished(SSL *s); 12655714Skrisstatic int server_verify(SSL *s); 12755714Skrisstatic int server_finish(SSL *s); 12855714Skrisstatic int request_certificate(SSL *s); 12955714Skrisstatic int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, 130280304Sjkim unsigned char *to, int padding); 131280304Sjkim# define BREAK break 13255714Skris 133238405Sjkimstatic const SSL_METHOD *ssl2_get_server_method(int ver) 134280304Sjkim{ 135280304Sjkim if (ver == SSL2_VERSION) 136280304Sjkim return (SSLv2_server_method()); 137280304Sjkim else 138280304Sjkim return (NULL); 139280304Sjkim} 14055714Skris 141160817SsimonIMPLEMENT_ssl2_meth_func(SSLv2_server_method, 142280304Sjkim ssl2_accept, 143280304Sjkim ssl_undefined_function, ssl2_get_server_method) 14455714Skris 14555714Skrisint ssl2_accept(SSL *s) 146280304Sjkim{ 147280304Sjkim unsigned long l = (unsigned long)time(NULL); 148280304Sjkim BUF_MEM *buf = NULL; 149280304Sjkim int ret = -1; 150280304Sjkim long num1; 151280304Sjkim void (*cb) (const SSL *ssl, int type, int val) = NULL; 152280304Sjkim int new_state, state; 15355714Skris 154280304Sjkim RAND_add(&l, sizeof(l), 0); 155280304Sjkim ERR_clear_error(); 156280304Sjkim clear_sys_error(); 15755714Skris 158280304Sjkim if (s->info_callback != NULL) 159280304Sjkim cb = s->info_callback; 160280304Sjkim else if (s->ctx->info_callback != NULL) 161280304Sjkim cb = s->ctx->info_callback; 16255714Skris 163280304Sjkim /* init things to blank */ 164280304Sjkim s->in_handshake++; 165280304Sjkim if (!SSL_in_init(s) || SSL_in_before(s)) 166280304Sjkim SSL_clear(s); 16755714Skris 168280304Sjkim if (s->cert == NULL) { 169280304Sjkim SSLerr(SSL_F_SSL2_ACCEPT, SSL_R_NO_CERTIFICATE_SET); 170280304Sjkim return (-1); 171280304Sjkim } 17255714Skris 173280304Sjkim clear_sys_error(); 174280304Sjkim for (;;) { 175280304Sjkim state = s->state; 17655714Skris 177280304Sjkim switch (s->state) { 178280304Sjkim case SSL_ST_BEFORE: 179280304Sjkim case SSL_ST_ACCEPT: 180280304Sjkim case SSL_ST_BEFORE | SSL_ST_ACCEPT: 181280304Sjkim case SSL_ST_OK | SSL_ST_ACCEPT: 18255714Skris 183280304Sjkim s->server = 1; 184280304Sjkim if (cb != NULL) 185280304Sjkim cb(s, SSL_CB_HANDSHAKE_START, 1); 18655714Skris 187280304Sjkim s->version = SSL2_VERSION; 188280304Sjkim s->type = SSL_ST_ACCEPT; 18955714Skris 190280304Sjkim if (s->init_buf == NULL) { 191280304Sjkim if ((buf = BUF_MEM_new()) == NULL) { 192280304Sjkim ret = -1; 193280304Sjkim goto end; 194280304Sjkim } 195280304Sjkim if (!BUF_MEM_grow 196280304Sjkim (buf, (int)SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { 197280304Sjkim BUF_MEM_free(buf); 198280304Sjkim ret = -1; 199280304Sjkim goto end; 200280304Sjkim } 201280304Sjkim s->init_buf = buf; 202280304Sjkim } 203280304Sjkim s->init_num = 0; 204280304Sjkim s->ctx->stats.sess_accept++; 205280304Sjkim s->handshake_func = ssl2_accept; 206280304Sjkim s->state = SSL2_ST_GET_CLIENT_HELLO_A; 207280304Sjkim BREAK; 20855714Skris 209280304Sjkim case SSL2_ST_GET_CLIENT_HELLO_A: 210280304Sjkim case SSL2_ST_GET_CLIENT_HELLO_B: 211280304Sjkim case SSL2_ST_GET_CLIENT_HELLO_C: 212280304Sjkim s->shutdown = 0; 213280304Sjkim ret = get_client_hello(s); 214280304Sjkim if (ret <= 0) 215280304Sjkim goto end; 216280304Sjkim s->init_num = 0; 217280304Sjkim s->state = SSL2_ST_SEND_SERVER_HELLO_A; 218280304Sjkim BREAK; 21955714Skris 220280304Sjkim case SSL2_ST_SEND_SERVER_HELLO_A: 221280304Sjkim case SSL2_ST_SEND_SERVER_HELLO_B: 222280304Sjkim ret = server_hello(s); 223280304Sjkim if (ret <= 0) 224280304Sjkim goto end; 225280304Sjkim s->init_num = 0; 226280304Sjkim if (!s->hit) { 227280304Sjkim s->state = SSL2_ST_GET_CLIENT_MASTER_KEY_A; 228280304Sjkim BREAK; 229280304Sjkim } else { 230280304Sjkim s->state = SSL2_ST_SERVER_START_ENCRYPTION; 231280304Sjkim BREAK; 232280304Sjkim } 233280304Sjkim case SSL2_ST_GET_CLIENT_MASTER_KEY_A: 234280304Sjkim case SSL2_ST_GET_CLIENT_MASTER_KEY_B: 235280304Sjkim ret = get_client_master_key(s); 236280304Sjkim if (ret <= 0) 237280304Sjkim goto end; 238280304Sjkim s->init_num = 0; 239280304Sjkim s->state = SSL2_ST_SERVER_START_ENCRYPTION; 240280304Sjkim BREAK; 24155714Skris 242280304Sjkim case SSL2_ST_SERVER_START_ENCRYPTION: 243280304Sjkim /* 244280304Sjkim * Ok we how have sent all the stuff needed to start encrypting, 245280304Sjkim * the next packet back will be encrypted. 246280304Sjkim */ 247280304Sjkim if (!ssl2_enc_init(s, 0)) { 248280304Sjkim ret = -1; 249280304Sjkim goto end; 250280304Sjkim } 251280304Sjkim s->s2->clear_text = 0; 252280304Sjkim s->state = SSL2_ST_SEND_SERVER_VERIFY_A; 253280304Sjkim BREAK; 25455714Skris 255280304Sjkim case SSL2_ST_SEND_SERVER_VERIFY_A: 256280304Sjkim case SSL2_ST_SEND_SERVER_VERIFY_B: 257280304Sjkim ret = server_verify(s); 258280304Sjkim if (ret <= 0) 259280304Sjkim goto end; 260280304Sjkim s->init_num = 0; 261280304Sjkim if (s->hit) { 262280304Sjkim /* 263280304Sjkim * If we are in here, we have been buffering the output, so 264280304Sjkim * we need to flush it and remove buffering from future 265280304Sjkim * traffic 266280304Sjkim */ 267280304Sjkim s->state = SSL2_ST_SEND_SERVER_VERIFY_C; 268280304Sjkim BREAK; 269280304Sjkim } else { 270280304Sjkim s->state = SSL2_ST_GET_CLIENT_FINISHED_A; 271280304Sjkim break; 272280304Sjkim } 27355714Skris 274280304Sjkim case SSL2_ST_SEND_SERVER_VERIFY_C: 275280304Sjkim /* get the number of bytes to write */ 276280304Sjkim num1 = BIO_ctrl(s->wbio, BIO_CTRL_INFO, 0, NULL); 277280304Sjkim if (num1 > 0) { 278280304Sjkim s->rwstate = SSL_WRITING; 279280304Sjkim num1 = BIO_flush(s->wbio); 280280304Sjkim if (num1 <= 0) { 281280304Sjkim ret = -1; 282280304Sjkim goto end; 283280304Sjkim } 284280304Sjkim s->rwstate = SSL_NOTHING; 285280304Sjkim } 28655714Skris 287280304Sjkim /* flushed and now remove buffering */ 288280304Sjkim s->wbio = BIO_pop(s->wbio); 28955714Skris 290280304Sjkim s->state = SSL2_ST_GET_CLIENT_FINISHED_A; 291280304Sjkim BREAK; 29255714Skris 293280304Sjkim case SSL2_ST_GET_CLIENT_FINISHED_A: 294280304Sjkim case SSL2_ST_GET_CLIENT_FINISHED_B: 295280304Sjkim ret = get_client_finished(s); 296280304Sjkim if (ret <= 0) 297280304Sjkim goto end; 298280304Sjkim s->init_num = 0; 299280304Sjkim s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_A; 300280304Sjkim BREAK; 30155714Skris 302280304Sjkim case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: 303280304Sjkim case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: 304280304Sjkim case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: 305280304Sjkim case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: 306280304Sjkim /* 307280304Sjkim * don't do a 'request certificate' if we don't want to, or we 308280304Sjkim * already have one, and we only want to do it once. 309280304Sjkim */ 310280304Sjkim if (!(s->verify_mode & SSL_VERIFY_PEER) || 311280304Sjkim ((s->session->peer != NULL) && 312280304Sjkim (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))) { 313280304Sjkim s->state = SSL2_ST_SEND_SERVER_FINISHED_A; 314280304Sjkim break; 315280304Sjkim } else { 316280304Sjkim ret = request_certificate(s); 317280304Sjkim if (ret <= 0) 318280304Sjkim goto end; 319280304Sjkim s->init_num = 0; 320280304Sjkim s->state = SSL2_ST_SEND_SERVER_FINISHED_A; 321280304Sjkim } 322280304Sjkim BREAK; 32355714Skris 324280304Sjkim case SSL2_ST_SEND_SERVER_FINISHED_A: 325280304Sjkim case SSL2_ST_SEND_SERVER_FINISHED_B: 326280304Sjkim ret = server_finish(s); 327280304Sjkim if (ret <= 0) 328280304Sjkim goto end; 329280304Sjkim s->init_num = 0; 330280304Sjkim s->state = SSL_ST_OK; 331280304Sjkim break; 33255714Skris 333280304Sjkim case SSL_ST_OK: 334280304Sjkim BUF_MEM_free(s->init_buf); 335280304Sjkim ssl_free_wbio_buffer(s); 336280304Sjkim s->init_buf = NULL; 337280304Sjkim s->init_num = 0; 338280304Sjkim /* ERR_clear_error(); */ 33955714Skris 340280304Sjkim ssl_update_cache(s, SSL_SESS_CACHE_SERVER); 34155714Skris 342280304Sjkim s->ctx->stats.sess_accept_good++; 343280304Sjkim /* s->server=1; */ 344280304Sjkim ret = 1; 34555714Skris 346280304Sjkim if (cb != NULL) 347280304Sjkim cb(s, SSL_CB_HANDSHAKE_DONE, 1); 34855714Skris 349280304Sjkim goto end; 350280304Sjkim /* BREAK; */ 35155714Skris 352280304Sjkim default: 353280304Sjkim SSLerr(SSL_F_SSL2_ACCEPT, SSL_R_UNKNOWN_STATE); 354280304Sjkim ret = -1; 355280304Sjkim goto end; 356280304Sjkim /* BREAK; */ 357280304Sjkim } 35855714Skris 359280304Sjkim if ((cb != NULL) && (s->state != state)) { 360280304Sjkim new_state = s->state; 361280304Sjkim s->state = state; 362280304Sjkim cb(s, SSL_CB_ACCEPT_LOOP, 1); 363280304Sjkim s->state = new_state; 364280304Sjkim } 365280304Sjkim } 366280304Sjkim end: 367280304Sjkim s->in_handshake--; 368280304Sjkim if (cb != NULL) 369280304Sjkim cb(s, SSL_CB_ACCEPT_EXIT, ret); 370280304Sjkim return (ret); 371280304Sjkim} 372280304Sjkim 37355714Skrisstatic int get_client_master_key(SSL *s) 374280304Sjkim{ 375280304Sjkim int is_export, i, n, keya; 376284285Sjkim unsigned int num_encrypted_key_bytes, key_length; 377280304Sjkim unsigned long len; 378280304Sjkim unsigned char *p; 379280304Sjkim const SSL_CIPHER *cp; 380280304Sjkim const EVP_CIPHER *c; 381280304Sjkim const EVP_MD *md; 382284285Sjkim unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; 383284285Sjkim unsigned char decrypt_good; 384284285Sjkim size_t j; 38555714Skris 386280304Sjkim p = (unsigned char *)s->init_buf->data; 387280304Sjkim if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A) { 388280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), 10 - s->init_num); 38955714Skris 390280304Sjkim if (i < (10 - s->init_num)) 391280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_MASTER_KEY, i)); 392280304Sjkim s->init_num = 10; 39389840Skris 394280304Sjkim if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY) { 395280304Sjkim if (p[-1] != SSL2_MT_ERROR) { 396280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 397280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, 398280304Sjkim SSL_R_READ_WRONG_PACKET_TYPE); 399280304Sjkim } else 400280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR); 401280304Sjkim return (-1); 402280304Sjkim } 40355714Skris 404280304Sjkim cp = ssl2_get_cipher_by_char(p); 405295016Sjkim if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) { 406280304Sjkim ssl2_return_error(s, SSL2_PE_NO_CIPHER); 407280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH); 408280304Sjkim return (-1); 409280304Sjkim } 410280304Sjkim s->session->cipher = cp; 41155714Skris 412280304Sjkim p += 3; 413280304Sjkim n2s(p, i); 414280304Sjkim s->s2->tmp.clear = i; 415280304Sjkim n2s(p, i); 416280304Sjkim s->s2->tmp.enc = i; 417280304Sjkim n2s(p, i); 418280304Sjkim if (i > SSL_MAX_KEY_ARG_LENGTH) { 419280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 420280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG); 421280304Sjkim return -1; 422280304Sjkim } 423280304Sjkim s->session->key_arg_length = i; 424280304Sjkim s->state = SSL2_ST_GET_CLIENT_MASTER_KEY_B; 425280304Sjkim } 42655714Skris 427280304Sjkim /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */ 428280304Sjkim p = (unsigned char *)s->init_buf->data; 429280304Sjkim if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { 430280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 431280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); 432280304Sjkim return -1; 433280304Sjkim } 434280304Sjkim keya = s->session->key_arg_length; 435280304Sjkim len = 436280304Sjkim 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + 437280304Sjkim (unsigned long)keya; 438280304Sjkim if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { 439280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 440280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_MESSAGE_TOO_LONG); 441280304Sjkim return -1; 442280304Sjkim } 443280304Sjkim n = (int)len - s->init_num; 444280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), n); 445280304Sjkim if (i != n) 446280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_MASTER_KEY, i)); 447280304Sjkim if (s->msg_callback) { 448280304Sjkim /* CLIENT-MASTER-KEY */ 449280304Sjkim s->msg_callback(0, s->version, 0, p, (size_t)len, s, 450280304Sjkim s->msg_callback_arg); 451280304Sjkim } 452280304Sjkim p += 10; 45355714Skris 454280304Sjkim memcpy(s->session->key_arg, &(p[s->s2->tmp.clear + s->s2->tmp.enc]), 455280304Sjkim (unsigned int)keya); 45655714Skris 457280304Sjkim if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) { 458280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 459280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_PRIVATEKEY); 460280304Sjkim return (-1); 461280304Sjkim } 46255714Skris 463280304Sjkim is_export = SSL_C_IS_EXPORT(s->session->cipher); 46455714Skris 465280304Sjkim if (!ssl_cipher_get_evp(s->session, &c, &md, NULL, NULL, NULL)) { 466280304Sjkim ssl2_return_error(s, SSL2_PE_NO_CIPHER); 467280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, 468280304Sjkim SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); 469280304Sjkim return (0); 470280304Sjkim } 47155714Skris 472280304Sjkim /* 473280304Sjkim * The format of the CLIENT-MASTER-KEY message is 474280304Sjkim * 1 byte message type 475280304Sjkim * 3 bytes cipher 476280304Sjkim * 2-byte clear key length (stored in s->s2->tmp.clear) 477280304Sjkim * 2-byte encrypted key length (stored in s->s2->tmp.enc) 478280304Sjkim * 2-byte key args length (IV etc) 479280304Sjkim * clear key 480280304Sjkim * encrypted key 481280304Sjkim * key args 482280304Sjkim * 483280304Sjkim * If the cipher is an export cipher, then the encrypted key bytes 484280304Sjkim * are a fixed portion of the total key (5 or 8 bytes). The size of 485284285Sjkim * this portion is in |num_encrypted_key_bytes|. If the cipher is not an 486284285Sjkim * export cipher, then the entire key material is encrypted (i.e., clear 487284285Sjkim * key length must be zero). 488280304Sjkim */ 489284285Sjkim key_length = (unsigned int)EVP_CIPHER_key_length(c); 490284285Sjkim if (key_length > SSL_MAX_MASTER_KEY_LENGTH) { 491280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 492284285Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); 493284285Sjkim return -1; 494284285Sjkim } 495284285Sjkim 496284285Sjkim if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) { 497284285Sjkim is_export = 1; 498284285Sjkim num_encrypted_key_bytes = 8; 499284285Sjkim } else if (is_export) { 500284285Sjkim num_encrypted_key_bytes = 5; 501284285Sjkim } else { 502284285Sjkim num_encrypted_key_bytes = key_length; 503284285Sjkim } 504284285Sjkim 505284285Sjkim if (s->s2->tmp.clear + num_encrypted_key_bytes != key_length) { 506284285Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 507280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); 508280304Sjkim return -1; 509280304Sjkim } 510280304Sjkim /* 511280304Sjkim * The encrypted blob must decrypt to the encrypted portion of the key. 512280304Sjkim * Decryption can't be expanding, so if we don't have enough encrypted 513280304Sjkim * bytes to fit the key in the buffer, stop now. 514280304Sjkim */ 515284285Sjkim if (s->s2->tmp.enc < num_encrypted_key_bytes) { 516280304Sjkim ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 517280304Sjkim SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); 518280304Sjkim return -1; 519280304Sjkim } 520280304Sjkim 521284285Sjkim /* 522284285Sjkim * We must not leak whether a decryption failure occurs because of 523284285Sjkim * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, 524284285Sjkim * section 7.4.7.1). The code follows that advice of the TLS RFC and 525284285Sjkim * generates a random premaster secret for the case that the decrypt 526284285Sjkim * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 527284285Sjkim */ 528284285Sjkim 529284285Sjkim /* 530284285Sjkim * should be RAND_bytes, but we cannot work around a failure. 531284285Sjkim */ 532284285Sjkim if (RAND_pseudo_bytes(rand_premaster_secret, 533284285Sjkim (int)num_encrypted_key_bytes) <= 0) 534284285Sjkim return 0; 535284285Sjkim 536280304Sjkim i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, 537280266Sdelphij &(p[s->s2->tmp.clear]), 538280266Sdelphij &(p[s->s2->tmp.clear]), 539280266Sdelphij (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : 540280266Sdelphij RSA_PKCS1_PADDING); 541284285Sjkim ERR_clear_error(); 542280304Sjkim /* 543280304Sjkim * If a bad decrypt, continue with protocol but with a random master 544280304Sjkim * secret (Bleichenbacher attack) 545280304Sjkim */ 546284285Sjkim decrypt_good = constant_time_eq_int_8(i, (int)num_encrypted_key_bytes); 547284285Sjkim for (j = 0; j < num_encrypted_key_bytes; j++) { 548284285Sjkim p[s->s2->tmp.clear + j] = 549284285Sjkim constant_time_select_8(decrypt_good, p[s->s2->tmp.clear + j], 550284285Sjkim rand_premaster_secret[j]); 551280304Sjkim } 55255714Skris 553284285Sjkim s->session->master_key_length = (int)key_length; 554284285Sjkim memcpy(s->session->master_key, p, key_length); 555284285Sjkim OPENSSL_cleanse(p, key_length); 556101621Snectar 557284285Sjkim return 1; 558280304Sjkim} 55955714Skris 56055714Skrisstatic int get_client_hello(SSL *s) 561280304Sjkim{ 562280304Sjkim int i, n; 563280304Sjkim unsigned long len; 564280304Sjkim unsigned char *p; 565280304Sjkim STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */ 566280304Sjkim STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */ 567280304Sjkim STACK_OF(SSL_CIPHER) *prio, *allow; 568280304Sjkim int z; 56955714Skris 570280304Sjkim /* 571280304Sjkim * This is a bit of a hack to check for the correct packet type the first 572280304Sjkim * time round. 573280304Sjkim */ 574280304Sjkim if (s->state == SSL2_ST_GET_CLIENT_HELLO_A) { 575280304Sjkim s->first_packet = 1; 576280304Sjkim s->state = SSL2_ST_GET_CLIENT_HELLO_B; 577280304Sjkim } 57855714Skris 579280304Sjkim p = (unsigned char *)s->init_buf->data; 580280304Sjkim if (s->state == SSL2_ST_GET_CLIENT_HELLO_B) { 581280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), 9 - s->init_num); 582280304Sjkim if (i < (9 - s->init_num)) 583280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_HELLO, i)); 584280304Sjkim s->init_num = 9; 58555714Skris 586280304Sjkim if (*(p++) != SSL2_MT_CLIENT_HELLO) { 587280304Sjkim if (p[-1] != SSL2_MT_ERROR) { 588280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 589280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_READ_WRONG_PACKET_TYPE); 590280304Sjkim } else 591280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_PEER_ERROR); 592280304Sjkim return (-1); 593280304Sjkim } 594280304Sjkim n2s(p, i); 595280304Sjkim if (i < s->version) 596280304Sjkim s->version = i; 597280304Sjkim n2s(p, i); 598280304Sjkim s->s2->tmp.cipher_spec_length = i; 599280304Sjkim n2s(p, i); 600280304Sjkim s->s2->tmp.session_id_length = i; 601295016Sjkim if ((i < 0) || (i > SSL_MAX_SSL_SESSION_ID_LENGTH)) { 602295016Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 603295016Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); 604295016Sjkim return -1; 605295016Sjkim } 606280304Sjkim n2s(p, i); 607280304Sjkim s->s2->challenge_length = i; 608280304Sjkim if ((i < SSL2_MIN_CHALLENGE_LENGTH) || 609280304Sjkim (i > SSL2_MAX_CHALLENGE_LENGTH)) { 610280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 611280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_INVALID_CHALLENGE_LENGTH); 612280304Sjkim return (-1); 613280304Sjkim } 614280304Sjkim s->state = SSL2_ST_GET_CLIENT_HELLO_C; 615280304Sjkim } 61655714Skris 617280304Sjkim /* SSL2_ST_GET_CLIENT_HELLO_C */ 618280304Sjkim p = (unsigned char *)s->init_buf->data; 619280304Sjkim len = 620280304Sjkim 9 + (unsigned long)s->s2->tmp.cipher_spec_length + 621280304Sjkim (unsigned long)s->s2->challenge_length + 622280304Sjkim (unsigned long)s->s2->tmp.session_id_length; 623280304Sjkim if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { 624280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 625280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_MESSAGE_TOO_LONG); 626280304Sjkim return -1; 627280304Sjkim } 628280304Sjkim n = (int)len - s->init_num; 629280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), n); 630280304Sjkim if (i != n) 631280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_HELLO, i)); 632280304Sjkim if (s->msg_callback) { 633280304Sjkim /* CLIENT-HELLO */ 634280304Sjkim s->msg_callback(0, s->version, 0, p, (size_t)len, s, 635280304Sjkim s->msg_callback_arg); 636280304Sjkim } 637280304Sjkim p += 9; 63855714Skris 639280304Sjkim /* 640280304Sjkim * get session-id before cipher stuff so we can get out session structure 641280304Sjkim * if it is cached 642280304Sjkim */ 643280304Sjkim /* session-id */ 644280304Sjkim if ((s->s2->tmp.session_id_length != 0) && 645280304Sjkim (s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH)) { 646280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 647280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_BAD_SSL_SESSION_ID_LENGTH); 648280304Sjkim return (-1); 649280304Sjkim } 65055714Skris 651280304Sjkim if (s->s2->tmp.session_id_length == 0) { 652280304Sjkim if (!ssl_get_new_session(s, 1)) { 653280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 654280304Sjkim return (-1); 655280304Sjkim } 656280304Sjkim } else { 657280304Sjkim i = ssl_get_prev_session(s, &(p[s->s2->tmp.cipher_spec_length]), 658280304Sjkim s->s2->tmp.session_id_length, NULL); 659280304Sjkim if (i == 1) { /* previous session */ 660280304Sjkim s->hit = 1; 661280304Sjkim } else if (i == -1) { 662280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 663280304Sjkim return (-1); 664280304Sjkim } else { 665280304Sjkim if (s->cert == NULL) { 666280304Sjkim ssl2_return_error(s, SSL2_PE_NO_CERTIFICATE); 667280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CERTIFICATE_SET); 668280304Sjkim return (-1); 669280304Sjkim } 67055714Skris 671280304Sjkim if (!ssl_get_new_session(s, 1)) { 672280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 673280304Sjkim return (-1); 674280304Sjkim } 675280304Sjkim } 676280304Sjkim } 67755714Skris 678280304Sjkim if (!s->hit) { 679280304Sjkim cs = ssl_bytes_to_cipher_list(s, p, s->s2->tmp.cipher_spec_length, 680280304Sjkim &s->session->ciphers); 681280304Sjkim if (cs == NULL) 682280304Sjkim goto mem_err; 68355714Skris 684280304Sjkim cl = SSL_get_ciphers(s); 68555714Skris 686280304Sjkim if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 687280304Sjkim prio = sk_SSL_CIPHER_dup(cl); 688280304Sjkim if (prio == NULL) 689280304Sjkim goto mem_err; 690280304Sjkim allow = cs; 691280304Sjkim } else { 692280304Sjkim prio = cs; 693280304Sjkim allow = cl; 694280304Sjkim } 695295016Sjkim 696295016Sjkim /* Generate list of SSLv2 ciphers shared between client and server */ 697280304Sjkim for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) { 698295016Sjkim const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z); 699295016Sjkim if ((cp->algorithm_ssl & SSL_SSLV2) == 0 || 700295016Sjkim sk_SSL_CIPHER_find(allow, cp) < 0) { 701280304Sjkim (void)sk_SSL_CIPHER_delete(prio, z); 702280304Sjkim z--; 703280304Sjkim } 704280304Sjkim } 705280304Sjkim if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 706280304Sjkim sk_SSL_CIPHER_free(s->session->ciphers); 707280304Sjkim s->session->ciphers = prio; 708280304Sjkim } 709295016Sjkim 710295016Sjkim /* Make sure we have at least one cipher in common */ 711295016Sjkim if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) { 712295016Sjkim ssl2_return_error(s, SSL2_PE_NO_CIPHER); 713295016Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH); 714295016Sjkim return -1; 715295016Sjkim } 716280304Sjkim /* 717280304Sjkim * s->session->ciphers should now have a list of ciphers that are on 718280304Sjkim * both the client and server. This list is ordered by the order the 719280304Sjkim * client sent the ciphers or in the order of the server's preference 720280304Sjkim * if SSL_OP_CIPHER_SERVER_PREFERENCE was set. 721280304Sjkim */ 722280304Sjkim } 723280304Sjkim p += s->s2->tmp.cipher_spec_length; 724280304Sjkim /* done cipher selection */ 72555714Skris 726280304Sjkim /* session id extracted already */ 727280304Sjkim p += s->s2->tmp.session_id_length; 72855714Skris 729280304Sjkim /* challenge */ 730280304Sjkim if (s->s2->challenge_length > sizeof s->s2->challenge) { 731280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 732280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 733280304Sjkim return -1; 734280304Sjkim } 735280304Sjkim memcpy(s->s2->challenge, p, (unsigned int)s->s2->challenge_length); 736280304Sjkim return (1); 737280304Sjkim mem_err: 738280304Sjkim SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_MALLOC_FAILURE); 739280304Sjkim return (0); 740280304Sjkim} 741280304Sjkim 74255714Skrisstatic int server_hello(SSL *s) 743280304Sjkim{ 744280304Sjkim unsigned char *p, *d; 745280304Sjkim int n, hit; 74655714Skris 747280304Sjkim p = (unsigned char *)s->init_buf->data; 748280304Sjkim if (s->state == SSL2_ST_SEND_SERVER_HELLO_A) { 749280304Sjkim d = p + 11; 750280304Sjkim *(p++) = SSL2_MT_SERVER_HELLO; /* type */ 751280304Sjkim hit = s->hit; 752280304Sjkim *(p++) = (unsigned char)hit; 753280304Sjkim# if 1 754280304Sjkim if (!hit) { 755280304Sjkim if (s->session->sess_cert != NULL) 756280304Sjkim /* 757280304Sjkim * This can't really happen because get_client_hello has 758280304Sjkim * called ssl_get_new_session, which does not set sess_cert. 759280304Sjkim */ 760280304Sjkim ssl_sess_cert_free(s->session->sess_cert); 761280304Sjkim s->session->sess_cert = ssl_sess_cert_new(); 762280304Sjkim if (s->session->sess_cert == NULL) { 763280304Sjkim SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE); 764280304Sjkim return (-1); 765280304Sjkim } 766280304Sjkim } 767280304Sjkim /* 768280304Sjkim * If 'hit' is set, then s->sess_cert may be non-NULL or NULL, 769280304Sjkim * depending on whether it survived in the internal cache or was 770280304Sjkim * retrieved from an external cache. If it is NULL, we cannot put any 771280304Sjkim * useful data in it anyway, so we don't touch it. 772280304Sjkim */ 77355714Skris 774280304Sjkim# else /* That's what used to be done when cert_st 775280304Sjkim * and sess_cert_st were * the same. */ 776280304Sjkim if (!hit) { /* else add cert to session */ 777280304Sjkim CRYPTO_add(&s->cert->references, 1, CRYPTO_LOCK_SSL_CERT); 778280304Sjkim if (s->session->sess_cert != NULL) 779280304Sjkim ssl_cert_free(s->session->sess_cert); 780280304Sjkim s->session->sess_cert = s->cert; 781280304Sjkim } else { /* We have a session id-cache hit, if the * 782280304Sjkim * session-id has no certificate listed 783280304Sjkim * against * the 'cert' structure, grab the 784280304Sjkim * 'old' one * listed against the SSL 785280304Sjkim * connection */ 786280304Sjkim if (s->session->sess_cert == NULL) { 787280304Sjkim CRYPTO_add(&s->cert->references, 1, CRYPTO_LOCK_SSL_CERT); 788280304Sjkim s->session->sess_cert = s->cert; 789280304Sjkim } 790280304Sjkim } 791280304Sjkim# endif 79255714Skris 793280304Sjkim if (s->cert == NULL) { 794280304Sjkim ssl2_return_error(s, SSL2_PE_NO_CERTIFICATE); 795280304Sjkim SSLerr(SSL_F_SERVER_HELLO, SSL_R_NO_CERTIFICATE_SPECIFIED); 796280304Sjkim return (-1); 797280304Sjkim } 79855714Skris 799280304Sjkim if (hit) { 800280304Sjkim *(p++) = 0; /* no certificate type */ 801280304Sjkim s2n(s->version, p); /* version */ 802280304Sjkim s2n(0, p); /* cert len */ 803280304Sjkim s2n(0, p); /* ciphers len */ 804280304Sjkim } else { 805280304Sjkim /* EAY EAY */ 806280304Sjkim /* put certificate type */ 807280304Sjkim *(p++) = SSL2_CT_X509_CERTIFICATE; 808280304Sjkim s2n(s->version, p); /* version */ 809280304Sjkim n = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, NULL); 810280304Sjkim s2n(n, p); /* certificate length */ 811280304Sjkim i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, &d); 812280304Sjkim n = 0; 81355714Skris 814280304Sjkim /* 815280304Sjkim * lets send out the ciphers we like in the prefered order 816280304Sjkim */ 817280304Sjkim n = ssl_cipher_list_to_bytes(s, s->session->ciphers, d, 0); 818280304Sjkim d += n; 819280304Sjkim s2n(n, p); /* add cipher length */ 820280304Sjkim } 82155714Skris 822280304Sjkim /* make and send conn_id */ 823280304Sjkim s2n(SSL2_CONNECTION_ID_LENGTH, p); /* add conn_id length */ 824280304Sjkim s->s2->conn_id_length = SSL2_CONNECTION_ID_LENGTH; 825280304Sjkim if (RAND_pseudo_bytes(s->s2->conn_id, (int)s->s2->conn_id_length) <= 826280304Sjkim 0) 827280304Sjkim return -1; 828280304Sjkim memcpy(d, s->s2->conn_id, SSL2_CONNECTION_ID_LENGTH); 829280304Sjkim d += SSL2_CONNECTION_ID_LENGTH; 83055714Skris 831280304Sjkim s->state = SSL2_ST_SEND_SERVER_HELLO_B; 832280304Sjkim s->init_num = d - (unsigned char *)s->init_buf->data; 833280304Sjkim s->init_off = 0; 834280304Sjkim } 835280304Sjkim /* SSL2_ST_SEND_SERVER_HELLO_B */ 836280304Sjkim /* 837280304Sjkim * If we are using TCP/IP, the performance is bad if we do 2 writes 838280304Sjkim * without a read between them. This occurs when Session-id reuse is 839280304Sjkim * used, so I will put in a buffering module 840280304Sjkim */ 841280304Sjkim if (s->hit) { 842280304Sjkim if (!ssl_init_wbio_buffer(s, 1)) 843280304Sjkim return (-1); 844280304Sjkim } 845280304Sjkim 846280304Sjkim return (ssl2_do_write(s)); 847280304Sjkim} 848280304Sjkim 84955714Skrisstatic int get_client_finished(SSL *s) 850280304Sjkim{ 851280304Sjkim unsigned char *p; 852280304Sjkim int i, n; 853280304Sjkim unsigned long len; 85455714Skris 855280304Sjkim p = (unsigned char *)s->init_buf->data; 856280304Sjkim if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A) { 857280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), 1 - s->init_num); 858280304Sjkim if (i < 1 - s->init_num) 859280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_FINISHED, i)); 860280304Sjkim s->init_num += i; 86155714Skris 862280304Sjkim if (*p != SSL2_MT_CLIENT_FINISHED) { 863280304Sjkim if (*p != SSL2_MT_ERROR) { 864280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 865280304Sjkim SSLerr(SSL_F_GET_CLIENT_FINISHED, 866280304Sjkim SSL_R_READ_WRONG_PACKET_TYPE); 867280304Sjkim } else { 868280304Sjkim SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_PEER_ERROR); 869280304Sjkim /* try to read the error message */ 870280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), 3 - s->init_num); 871280304Sjkim return ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i); 872280304Sjkim } 873280304Sjkim return (-1); 874280304Sjkim } 875280304Sjkim s->state = SSL2_ST_GET_CLIENT_FINISHED_B; 876280304Sjkim } 87755714Skris 878280304Sjkim /* SSL2_ST_GET_CLIENT_FINISHED_B */ 879280304Sjkim if (s->s2->conn_id_length > sizeof s->s2->conn_id) { 880280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 881280304Sjkim SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR); 882280304Sjkim return -1; 883280304Sjkim } 884280304Sjkim len = 1 + (unsigned long)s->s2->conn_id_length; 885280304Sjkim n = (int)len - s->init_num; 886280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), n); 887280304Sjkim if (i < n) { 888280304Sjkim return (ssl2_part_read(s, SSL_F_GET_CLIENT_FINISHED, i)); 889280304Sjkim } 890280304Sjkim if (s->msg_callback) { 891280304Sjkim /* CLIENT-FINISHED */ 892280304Sjkim s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); 893280304Sjkim } 894280304Sjkim p += 1; 895280304Sjkim if (memcmp(p, s->s2->conn_id, s->s2->conn_id_length) != 0) { 896280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 897280304Sjkim SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_CONNECTION_ID_IS_DIFFERENT); 898280304Sjkim return (-1); 899280304Sjkim } 900280304Sjkim return (1); 901280304Sjkim} 90255714Skris 90355714Skrisstatic int server_verify(SSL *s) 904280304Sjkim{ 905280304Sjkim unsigned char *p; 90655714Skris 907280304Sjkim if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A) { 908280304Sjkim p = (unsigned char *)s->init_buf->data; 909280304Sjkim *(p++) = SSL2_MT_SERVER_VERIFY; 910280304Sjkim if (s->s2->challenge_length > sizeof s->s2->challenge) { 911280304Sjkim SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR); 912280304Sjkim return -1; 913280304Sjkim } 914280304Sjkim memcpy(p, s->s2->challenge, (unsigned int)s->s2->challenge_length); 915280304Sjkim /* p+=s->s2->challenge_length; */ 91655714Skris 917280304Sjkim s->state = SSL2_ST_SEND_SERVER_VERIFY_B; 918280304Sjkim s->init_num = s->s2->challenge_length + 1; 919280304Sjkim s->init_off = 0; 920280304Sjkim } 921280304Sjkim return (ssl2_do_write(s)); 922280304Sjkim} 92355714Skris 92455714Skrisstatic int server_finish(SSL *s) 925280304Sjkim{ 926280304Sjkim unsigned char *p; 92755714Skris 928280304Sjkim if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A) { 929280304Sjkim p = (unsigned char *)s->init_buf->data; 930280304Sjkim *(p++) = SSL2_MT_SERVER_FINISHED; 93155714Skris 932280304Sjkim if (s->session->session_id_length > sizeof s->session->session_id) { 933280304Sjkim SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR); 934280304Sjkim return -1; 935280304Sjkim } 936280304Sjkim memcpy(p, s->session->session_id, 937280304Sjkim (unsigned int)s->session->session_id_length); 938280304Sjkim /* p+=s->session->session_id_length; */ 93955714Skris 940280304Sjkim s->state = SSL2_ST_SEND_SERVER_FINISHED_B; 941280304Sjkim s->init_num = s->session->session_id_length + 1; 942280304Sjkim s->init_off = 0; 943280304Sjkim } 94455714Skris 945280304Sjkim /* SSL2_ST_SEND_SERVER_FINISHED_B */ 946280304Sjkim return (ssl2_do_write(s)); 947280304Sjkim} 94855714Skris 94955714Skris/* send the request and check the response */ 95055714Skrisstatic int request_certificate(SSL *s) 951280304Sjkim{ 952280304Sjkim const unsigned char *cp; 953280304Sjkim unsigned char *p, *p2, *buf2; 954280304Sjkim unsigned char *ccd; 955280304Sjkim int i, j, ctype, ret = -1; 956280304Sjkim unsigned long len; 957280304Sjkim X509 *x509 = NULL; 958280304Sjkim STACK_OF(X509) *sk = NULL; 95955714Skris 960280304Sjkim ccd = s->s2->tmp.ccl; 961280304Sjkim if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A) { 962280304Sjkim p = (unsigned char *)s->init_buf->data; 963280304Sjkim *(p++) = SSL2_MT_REQUEST_CERTIFICATE; 964280304Sjkim *(p++) = SSL2_AT_MD5_WITH_RSA_ENCRYPTION; 965280304Sjkim if (RAND_pseudo_bytes(ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0) 966280304Sjkim return -1; 967280304Sjkim memcpy(p, ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH); 96855714Skris 969280304Sjkim s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_B; 970280304Sjkim s->init_num = SSL2_MIN_CERT_CHALLENGE_LENGTH + 2; 971280304Sjkim s->init_off = 0; 972280304Sjkim } 97355714Skris 974280304Sjkim if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B) { 975280304Sjkim i = ssl2_do_write(s); 976280304Sjkim if (i <= 0) { 977280304Sjkim ret = i; 978280304Sjkim goto end; 979280304Sjkim } 98055714Skris 981280304Sjkim s->init_num = 0; 982280304Sjkim s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_C; 983280304Sjkim } 98455714Skris 985280304Sjkim if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C) { 986280304Sjkim p = (unsigned char *)s->init_buf->data; 987280304Sjkim /* try to read 6 octets ... */ 988280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), 6 - s->init_num); 989280304Sjkim /* 990280304Sjkim * ... but don't call ssl2_part_read now if we got at least 3 991280304Sjkim * (probably NO-CERTIFICATE-ERROR) 992280304Sjkim */ 993280304Sjkim if (i < 3 - s->init_num) { 994280304Sjkim ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, i); 995280304Sjkim goto end; 996280304Sjkim } 997280304Sjkim s->init_num += i; 99855714Skris 999280304Sjkim if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR)) { 1000280304Sjkim n2s(p, i); 1001280304Sjkim if (i != SSL2_PE_NO_CERTIFICATE) { 1002280304Sjkim /* 1003280304Sjkim * not the error message we expected -- let ssl2_part_read 1004280304Sjkim * handle it 1005280304Sjkim */ 1006280304Sjkim s->init_num -= 3; 1007280304Sjkim ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, 3); 1008280304Sjkim goto end; 1009280304Sjkim } 101089840Skris 1011280304Sjkim if (s->msg_callback) { 1012280304Sjkim /* ERROR */ 1013280304Sjkim s->msg_callback(0, s->version, 0, p, 3, s, 1014280304Sjkim s->msg_callback_arg); 1015280304Sjkim } 1016110007Smarkm 1017280304Sjkim /* 1018280304Sjkim * this is the one place where we can recover from an SSL 2.0 1019280304Sjkim * error 1020280304Sjkim */ 102189840Skris 1022280304Sjkim if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { 1023280304Sjkim ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE); 1024280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, 1025280304Sjkim SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 1026280304Sjkim goto end; 1027280304Sjkim } 1028280304Sjkim ret = 1; 1029280304Sjkim goto end; 1030280304Sjkim } 1031280304Sjkim if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6)) { 1032280304Sjkim ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 1033280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_SHORT_READ); 1034280304Sjkim goto end; 1035280304Sjkim } 1036280304Sjkim if (s->init_num != 6) { 1037280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR); 1038280304Sjkim goto end; 1039280304Sjkim } 104055714Skris 1041280304Sjkim /* ok we have a response */ 1042280304Sjkim /* certificate type, there is only one right now. */ 1043280304Sjkim ctype = *(p++); 1044280304Sjkim if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) { 1045280304Sjkim ssl2_return_error(s, SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE); 1046280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_BAD_RESPONSE_ARGUMENT); 1047280304Sjkim goto end; 1048280304Sjkim } 1049280304Sjkim n2s(p, i); 1050280304Sjkim s->s2->tmp.clen = i; 1051280304Sjkim n2s(p, i); 1052280304Sjkim s->s2->tmp.rlen = i; 1053280304Sjkim s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_D; 1054280304Sjkim } 105555714Skris 1056280304Sjkim /* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */ 1057280304Sjkim p = (unsigned char *)s->init_buf->data; 1058280304Sjkim len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen; 1059280304Sjkim if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { 1060280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_MESSAGE_TOO_LONG); 1061280304Sjkim goto end; 1062280304Sjkim } 1063280304Sjkim j = (int)len - s->init_num; 1064280304Sjkim i = ssl2_read(s, (char *)&(p[s->init_num]), j); 1065280304Sjkim if (i < j) { 1066280304Sjkim ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, i); 1067280304Sjkim goto end; 1068280304Sjkim } 1069280304Sjkim if (s->msg_callback) { 1070280304Sjkim /* CLIENT-CERTIFICATE */ 1071280304Sjkim s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); 1072280304Sjkim } 1073280304Sjkim p += 6; 107455714Skris 1075280304Sjkim cp = p; 1076280304Sjkim x509 = (X509 *)d2i_X509(NULL, &cp, (long)s->s2->tmp.clen); 1077280304Sjkim if (x509 == NULL) { 1078280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_X509_LIB); 1079280304Sjkim goto msg_end; 1080280304Sjkim } 108155714Skris 1082280304Sjkim if (((sk = sk_X509_new_null()) == NULL) || (!sk_X509_push(sk, x509))) { 1083280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_MALLOC_FAILURE); 1084280304Sjkim goto msg_end; 1085280304Sjkim } 108655714Skris 1087280304Sjkim i = ssl_verify_cert_chain(s, sk); 108855714Skris 1089280304Sjkim if (i > 0) { /* we like the packet, now check the chksum */ 1090280304Sjkim EVP_MD_CTX ctx; 1091280304Sjkim EVP_PKEY *pkey = NULL; 109255714Skris 1093280304Sjkim EVP_MD_CTX_init(&ctx); 1094280304Sjkim if (!EVP_VerifyInit_ex(&ctx, s->ctx->rsa_md5, NULL) 1095280304Sjkim || !EVP_VerifyUpdate(&ctx, s->s2->key_material, 1096280304Sjkim s->s2->key_material_length) 1097280304Sjkim || !EVP_VerifyUpdate(&ctx, ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH)) 1098280304Sjkim goto msg_end; 109955714Skris 1100280304Sjkim i = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, NULL); 1101280304Sjkim buf2 = OPENSSL_malloc((unsigned int)i); 1102280304Sjkim if (buf2 == NULL) { 1103280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_MALLOC_FAILURE); 1104280304Sjkim goto msg_end; 1105280304Sjkim } 1106280304Sjkim p2 = buf2; 1107280304Sjkim i = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, &p2); 1108280304Sjkim if (!EVP_VerifyUpdate(&ctx, buf2, (unsigned int)i)) { 1109280304Sjkim OPENSSL_free(buf2); 1110280304Sjkim goto msg_end; 1111280304Sjkim } 1112280304Sjkim OPENSSL_free(buf2); 111355714Skris 1114280304Sjkim pkey = X509_get_pubkey(x509); 1115280304Sjkim if (pkey == NULL) 1116280304Sjkim goto end; 1117280304Sjkim i = EVP_VerifyFinal(&ctx, cp, s->s2->tmp.rlen, pkey); 1118280304Sjkim EVP_PKEY_free(pkey); 1119280304Sjkim EVP_MD_CTX_cleanup(&ctx); 112055714Skris 1121280304Sjkim if (i > 0) { 1122280304Sjkim if (s->session->peer != NULL) 1123280304Sjkim X509_free(s->session->peer); 1124280304Sjkim s->session->peer = x509; 1125280304Sjkim CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509); 1126280304Sjkim s->session->verify_result = s->verify_result; 1127280304Sjkim ret = 1; 1128280304Sjkim goto end; 1129280304Sjkim } else { 1130280304Sjkim SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_BAD_CHECKSUM); 1131280304Sjkim goto msg_end; 1132280304Sjkim } 1133280304Sjkim } else { 1134280304Sjkim msg_end: 1135280304Sjkim ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE); 1136280304Sjkim } 1137280304Sjkim end: 1138280304Sjkim sk_X509_free(sk); 1139280304Sjkim X509_free(x509); 1140280304Sjkim return (ret); 1141280304Sjkim} 1142280304Sjkim 114355714Skrisstatic int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, 1144280304Sjkim unsigned char *to, int padding) 1145280304Sjkim{ 1146280304Sjkim RSA *rsa; 1147280304Sjkim int i; 114855714Skris 1149280304Sjkim if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)) { 1150280304Sjkim SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, SSL_R_NO_PRIVATEKEY); 1151280304Sjkim return (-1); 1152280304Sjkim } 1153280304Sjkim if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA) { 1154280304Sjkim SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, SSL_R_PUBLIC_KEY_IS_NOT_RSA); 1155280304Sjkim return (-1); 1156280304Sjkim } 1157280304Sjkim rsa = c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa; 115855714Skris 1159280304Sjkim /* we have the public key */ 1160280304Sjkim i = RSA_private_decrypt(len, from, to, rsa, padding); 1161280304Sjkim if (i < 0) 1162280304Sjkim SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, ERR_R_RSA_LIB); 1163280304Sjkim return (i); 1164280304Sjkim} 1165280304Sjkim#else /* !OPENSSL_NO_SSL2 */ 116659194Skris 116759194Skris# if PEDANTIC 1168280304Sjkimstatic void *dummy = &dummy; 116959194Skris# endif 117059194Skris 117155714Skris#endif 1172