s2_srvr.c revision 295061
155714Skris/* ssl/s2_srvr.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 855714Skris * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1555714Skris * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 2255714Skris * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 3755714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4055714Skris * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 5255714Skris * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5889840Skris/* ==================================================================== 5989840Skris * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6089840Skris * 6189840Skris * Redistribution and use in source and binary forms, with or without 6289840Skris * modification, are permitted provided that the following conditions 6389840Skris * are met: 6489840Skris * 6589840Skris * 1. Redistributions of source code must retain the above copyright 6689840Skris * notice, this list of conditions and the following disclaimer. 6789840Skris * 6889840Skris * 2. Redistributions in binary form must reproduce the above copyright 6989840Skris * notice, this list of conditions and the following disclaimer in 7089840Skris * the documentation and/or other materials provided with the 7189840Skris * distribution. 7289840Skris * 7389840Skris * 3. All advertising materials mentioning features or use of this 7489840Skris * software must display the following acknowledgment: 7589840Skris * "This product includes software developed by the OpenSSL Project 7689840Skris * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7789840Skris * 7889840Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 7989840Skris * endorse or promote products derived from this software without 8089840Skris * prior written permission. For written permission, please contact 8189840Skris * openssl-core@openssl.org. 8289840Skris * 8389840Skris * 5. Products derived from this software may not be called "OpenSSL" 8489840Skris * nor may "OpenSSL" appear in their names without prior written 8589840Skris * permission of the OpenSSL Project. 8689840Skris * 8789840Skris * 6. Redistributions of any form whatsoever must retain the following 8889840Skris * acknowledgment: 8989840Skris * "This product includes software developed by the OpenSSL Project 9089840Skris * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9189840Skris * 9289840Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 9389840Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9489840Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9589840Skris * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9689840Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9789840Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 9889840Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 9989840Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 10089840Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10189840Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10289840Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10389840Skris * OF THE POSSIBILITY OF SUCH DAMAGE. 10489840Skris * ==================================================================== 10589840Skris * 10689840Skris * This product includes cryptographic software written by Eric Young 10789840Skris * (eay@cryptsoft.com). This product includes software written by Tim 10889840Skris * Hudson (tjh@cryptsoft.com). 10989840Skris * 11089840Skris */ 11155714Skris 11259194Skris#include "ssl_locl.h" 113110007Smarkm#ifndef OPENSSL_NO_SSL2 11455714Skris#include <stdio.h> 11555714Skris#include <openssl/bio.h> 11655714Skris#include <openssl/rand.h> 11755714Skris#include <openssl/objects.h> 11855714Skris#include <openssl/evp.h> 11955714Skris 12055714Skrisstatic SSL_METHOD *ssl2_get_server_method(int ver); 12155714Skrisstatic int get_client_master_key(SSL *s); 12255714Skrisstatic int get_client_hello(SSL *s); 12355714Skrisstatic int server_hello(SSL *s); 12455714Skrisstatic int get_client_finished(SSL *s); 12555714Skrisstatic int server_verify(SSL *s); 12655714Skrisstatic int server_finish(SSL *s); 12755714Skrisstatic int request_certificate(SSL *s); 12855714Skrisstatic int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, 12955714Skris unsigned char *to,int padding); 13055714Skris#define BREAK break 13155714Skris 13255714Skrisstatic SSL_METHOD *ssl2_get_server_method(int ver) 13355714Skris { 13455714Skris if (ver == SSL2_VERSION) 13555714Skris return(SSLv2_server_method()); 13655714Skris else 13755714Skris return(NULL); 13855714Skris } 13955714Skris 140160817SsimonIMPLEMENT_ssl2_meth_func(SSLv2_server_method, 141160817Ssimon ssl2_accept, 142160817Ssimon ssl_undefined_function, 143160817Ssimon ssl2_get_server_method) 14455714Skris 14555714Skrisint ssl2_accept(SSL *s) 14655714Skris { 147160817Ssimon unsigned long l=(unsigned long)time(NULL); 14855714Skris BUF_MEM *buf=NULL; 14955714Skris int ret= -1; 15055714Skris long num1; 151110007Smarkm void (*cb)(const SSL *ssl,int type,int val)=NULL; 15255714Skris int new_state,state; 15355714Skris 15459194Skris RAND_add(&l,sizeof(l),0); 15555714Skris ERR_clear_error(); 15655714Skris clear_sys_error(); 15755714Skris 15855714Skris if (s->info_callback != NULL) 15955714Skris cb=s->info_callback; 16055714Skris else if (s->ctx->info_callback != NULL) 16155714Skris cb=s->ctx->info_callback; 16255714Skris 16355714Skris /* init things to blank */ 16489840Skris s->in_handshake++; 16555714Skris if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 16655714Skris 16755714Skris if (s->cert == NULL) 16855714Skris { 16955714Skris SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 17055714Skris return(-1); 17155714Skris } 17255714Skris 17355714Skris clear_sys_error(); 17455714Skris for (;;) 17555714Skris { 17655714Skris state=s->state; 17755714Skris 17855714Skris switch (s->state) 17955714Skris { 18055714Skris case SSL_ST_BEFORE: 18155714Skris case SSL_ST_ACCEPT: 18255714Skris case SSL_ST_BEFORE|SSL_ST_ACCEPT: 18355714Skris case SSL_ST_OK|SSL_ST_ACCEPT: 18455714Skris 18555714Skris s->server=1; 18655714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 18755714Skris 18855714Skris s->version=SSL2_VERSION; 18955714Skris s->type=SSL_ST_ACCEPT; 19055714Skris 19155714Skris buf=s->init_buf; 19255714Skris if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL)) 19355714Skris { ret= -1; goto end; } 19455714Skris if (!BUF_MEM_grow(buf,(int) 19555714Skris SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) 19655714Skris { ret= -1; goto end; } 19755714Skris s->init_buf=buf; 19855714Skris s->init_num=0; 19955714Skris s->ctx->stats.sess_accept++; 20055714Skris s->handshake_func=ssl2_accept; 20155714Skris s->state=SSL2_ST_GET_CLIENT_HELLO_A; 20255714Skris BREAK; 20355714Skris 20455714Skris case SSL2_ST_GET_CLIENT_HELLO_A: 20555714Skris case SSL2_ST_GET_CLIENT_HELLO_B: 20655714Skris case SSL2_ST_GET_CLIENT_HELLO_C: 20755714Skris s->shutdown=0; 20855714Skris ret=get_client_hello(s); 20955714Skris if (ret <= 0) goto end; 21055714Skris s->init_num=0; 21155714Skris s->state=SSL2_ST_SEND_SERVER_HELLO_A; 21255714Skris BREAK; 21355714Skris 21455714Skris case SSL2_ST_SEND_SERVER_HELLO_A: 21555714Skris case SSL2_ST_SEND_SERVER_HELLO_B: 21655714Skris ret=server_hello(s); 21755714Skris if (ret <= 0) goto end; 21855714Skris s->init_num=0; 21955714Skris if (!s->hit) 22055714Skris { 22155714Skris s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_A; 22255714Skris BREAK; 22355714Skris } 22455714Skris else 22555714Skris { 22655714Skris s->state=SSL2_ST_SERVER_START_ENCRYPTION; 22755714Skris BREAK; 22855714Skris } 22955714Skris case SSL2_ST_GET_CLIENT_MASTER_KEY_A: 23055714Skris case SSL2_ST_GET_CLIENT_MASTER_KEY_B: 23155714Skris ret=get_client_master_key(s); 23255714Skris if (ret <= 0) goto end; 23355714Skris s->init_num=0; 23455714Skris s->state=SSL2_ST_SERVER_START_ENCRYPTION; 23555714Skris BREAK; 23655714Skris 23755714Skris case SSL2_ST_SERVER_START_ENCRYPTION: 23855714Skris /* Ok we how have sent all the stuff needed to 23955714Skris * start encrypting, the next packet back will 24055714Skris * be encrypted. */ 24155714Skris if (!ssl2_enc_init(s,0)) 24255714Skris { ret= -1; goto end; } 24355714Skris s->s2->clear_text=0; 24455714Skris s->state=SSL2_ST_SEND_SERVER_VERIFY_A; 24555714Skris BREAK; 24655714Skris 24755714Skris case SSL2_ST_SEND_SERVER_VERIFY_A: 24855714Skris case SSL2_ST_SEND_SERVER_VERIFY_B: 24955714Skris ret=server_verify(s); 25055714Skris if (ret <= 0) goto end; 25155714Skris s->init_num=0; 25255714Skris if (s->hit) 25355714Skris { 25455714Skris /* If we are in here, we have been 25555714Skris * buffering the output, so we need to 25655714Skris * flush it and remove buffering from 25755714Skris * future traffic */ 25855714Skris s->state=SSL2_ST_SEND_SERVER_VERIFY_C; 25955714Skris BREAK; 26055714Skris } 26155714Skris else 26255714Skris { 26355714Skris s->state=SSL2_ST_GET_CLIENT_FINISHED_A; 26455714Skris break; 26555714Skris } 26655714Skris 26755714Skris case SSL2_ST_SEND_SERVER_VERIFY_C: 26855714Skris /* get the number of bytes to write */ 26955714Skris num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); 270205128Ssimon if (num1 > 0) 27155714Skris { 27255714Skris s->rwstate=SSL_WRITING; 27355714Skris num1=BIO_flush(s->wbio); 27455714Skris if (num1 <= 0) { ret= -1; goto end; } 27555714Skris s->rwstate=SSL_NOTHING; 27655714Skris } 27755714Skris 27855714Skris /* flushed and now remove buffering */ 27955714Skris s->wbio=BIO_pop(s->wbio); 28055714Skris 28155714Skris s->state=SSL2_ST_GET_CLIENT_FINISHED_A; 28255714Skris BREAK; 28355714Skris 28455714Skris case SSL2_ST_GET_CLIENT_FINISHED_A: 28555714Skris case SSL2_ST_GET_CLIENT_FINISHED_B: 28655714Skris ret=get_client_finished(s); 28755714Skris if (ret <= 0) 28855714Skris goto end; 28955714Skris s->init_num=0; 29055714Skris s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_A; 29155714Skris BREAK; 29255714Skris 29355714Skris case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: 29455714Skris case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: 29555714Skris case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: 29655714Skris case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: 29755714Skris /* don't do a 'request certificate' if we 29855714Skris * don't want to, or we already have one, and 29955714Skris * we only want to do it once. */ 30055714Skris if (!(s->verify_mode & SSL_VERIFY_PEER) || 30155714Skris ((s->session->peer != NULL) && 30255714Skris (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))) 30355714Skris { 30455714Skris s->state=SSL2_ST_SEND_SERVER_FINISHED_A; 30555714Skris break; 30655714Skris } 30755714Skris else 30855714Skris { 30955714Skris ret=request_certificate(s); 31055714Skris if (ret <= 0) goto end; 31155714Skris s->init_num=0; 31255714Skris s->state=SSL2_ST_SEND_SERVER_FINISHED_A; 31355714Skris } 31455714Skris BREAK; 31555714Skris 31655714Skris case SSL2_ST_SEND_SERVER_FINISHED_A: 31755714Skris case SSL2_ST_SEND_SERVER_FINISHED_B: 31855714Skris ret=server_finish(s); 31955714Skris if (ret <= 0) goto end; 32055714Skris s->init_num=0; 32155714Skris s->state=SSL_ST_OK; 32255714Skris break; 32355714Skris 32455714Skris case SSL_ST_OK: 32555714Skris BUF_MEM_free(s->init_buf); 32655714Skris ssl_free_wbio_buffer(s); 32755714Skris s->init_buf=NULL; 32855714Skris s->init_num=0; 32955714Skris /* ERR_clear_error();*/ 33055714Skris 33155714Skris ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 33255714Skris 33355714Skris s->ctx->stats.sess_accept_good++; 33455714Skris /* s->server=1; */ 33555714Skris ret=1; 33655714Skris 33755714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 33855714Skris 33955714Skris goto end; 34055714Skris /* BREAK; */ 34155714Skris 34255714Skris default: 34355714Skris SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_UNKNOWN_STATE); 34455714Skris ret= -1; 34555714Skris goto end; 34655714Skris /* BREAK; */ 34755714Skris } 34855714Skris 34955714Skris if ((cb != NULL) && (s->state != state)) 35055714Skris { 35155714Skris new_state=s->state; 35255714Skris s->state=state; 35355714Skris cb(s,SSL_CB_ACCEPT_LOOP,1); 35455714Skris s->state=new_state; 35555714Skris } 35655714Skris } 35755714Skrisend: 35855714Skris s->in_handshake--; 35955714Skris if (cb != NULL) 36055714Skris cb(s,SSL_CB_ACCEPT_EXIT,ret); 36155714Skris return(ret); 36255714Skris } 36355714Skris 36455714Skrisstatic int get_client_master_key(SSL *s) 36555714Skris { 36655714Skris int is_export,i,n,keya,ek; 36789840Skris unsigned long len; 36855714Skris unsigned char *p; 36955714Skris SSL_CIPHER *cp; 37055714Skris const EVP_CIPHER *c; 37155714Skris const EVP_MD *md; 37255714Skris 37355714Skris p=(unsigned char *)s->init_buf->data; 37455714Skris if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A) 37555714Skris { 37655714Skris i=ssl2_read(s,(char *)&(p[s->init_num]),10-s->init_num); 37755714Skris 37855714Skris if (i < (10-s->init_num)) 37955714Skris return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i)); 38089840Skris s->init_num = 10; 38189840Skris 38255714Skris if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY) 38355714Skris { 38455714Skris if (p[-1] != SSL2_MT_ERROR) 38555714Skris { 38655714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 38755714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_READ_WRONG_PACKET_TYPE); 38855714Skris } 38955714Skris else 390101621Snectar SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR); 39155714Skris return(-1); 39255714Skris } 39355714Skris 39455714Skris cp=ssl2_get_cipher_by_char(p); 395295061Sdelphij if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) 39655714Skris { 39755714Skris ssl2_return_error(s,SSL2_PE_NO_CIPHER); 398101621Snectar SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH); 39955714Skris return(-1); 40055714Skris } 40155714Skris s->session->cipher= cp; 40255714Skris 40355714Skris p+=3; 40455714Skris n2s(p,i); s->s2->tmp.clear=i; 40555714Skris n2s(p,i); s->s2->tmp.enc=i; 406237998Sjkim n2s(p,i); 407237998Sjkim if(i > SSL_MAX_KEY_ARG_LENGTH) 408100943Snectar { 409101621Snectar ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 410101621Snectar SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG); 411100943Snectar return -1; 412100943Snectar } 413237998Sjkim s->session->key_arg_length=i; 41455714Skris s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B; 41555714Skris } 41655714Skris 41755714Skris /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */ 41855714Skris p=(unsigned char *)s->init_buf->data; 419101621Snectar if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) 420101621Snectar { 421101621Snectar ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 422110007Smarkm SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); 423101621Snectar return -1; 424101621Snectar } 42555714Skris keya=s->session->key_arg_length; 42689840Skris len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya; 42789840Skris if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) 42889840Skris { 429101621Snectar ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 43089840Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG); 43189840Skris return -1; 43289840Skris } 43389840Skris n = (int)len - s->init_num; 43489840Skris i = ssl2_read(s,(char *)&(p[s->init_num]),n); 43555714Skris if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i)); 436110007Smarkm if (s->msg_callback) 437110007Smarkm s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-MASTER-KEY */ 43889840Skris p += 10; 43955714Skris 44055714Skris memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]), 44155714Skris (unsigned int)keya); 44255714Skris 44355714Skris if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) 44455714Skris { 44555714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 44655714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY); 44755714Skris return(-1); 44855714Skris } 44955714Skris 45055714Skris is_export=SSL_C_IS_EXPORT(s->session->cipher); 45155714Skris 45255714Skris if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) 45355714Skris { 45455714Skris ssl2_return_error(s,SSL2_PE_NO_CIPHER); 45555714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); 45655714Skris return(0); 45755714Skris } 45855714Skris 45955714Skris if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) 46055714Skris { 46155714Skris is_export=1; 46255714Skris ek=8; 46355714Skris } 46455714Skris else 46555714Skris ek=5; 46655714Skris 467280268Sdelphij /* 468280268Sdelphij * The format of the CLIENT-MASTER-KEY message is 469280268Sdelphij * 1 byte message type 470280268Sdelphij * 3 bytes cipher 471280268Sdelphij * 2-byte clear key length (stored in s->s2->tmp.clear) 472280268Sdelphij * 2-byte encrypted key length (stored in s->s2->tmp.enc) 473280268Sdelphij * 2-byte key args length (IV etc) 474280268Sdelphij * clear key 475280268Sdelphij * encrypted key 476280268Sdelphij * key args 477280268Sdelphij * 478280268Sdelphij * If the cipher is an export cipher, then the encrypted key bytes 479280268Sdelphij * are a fixed portion of the total key (5 or 8 bytes). The size of 480280268Sdelphij * this portion is in |ek|. If the cipher is not an export cipher, 481280268Sdelphij * then the entire key material is encrypted (i.e., clear key length 482280268Sdelphij * must be zero). 483280268Sdelphij */ 484280268Sdelphij if ((!is_export && s->s2->tmp.clear != 0) || 485280268Sdelphij (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) { 486280268Sdelphij ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 487280268Sdelphij SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); 488280268Sdelphij return -1; 489280268Sdelphij } 490280268Sdelphij /* 491280268Sdelphij * The encrypted blob must decrypt to the encrypted portion of the key. 492280268Sdelphij * Decryption can't be expanding, so if we don't have enough encrypted 493280268Sdelphij * bytes to fit the key in the buffer, stop now. 494280268Sdelphij */ 495280268Sdelphij if ((is_export && s->s2->tmp.enc < ek) || 496280268Sdelphij (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) { 497280268Sdelphij ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 498280268Sdelphij SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); 499280268Sdelphij return -1; 500280268Sdelphij } 501280268Sdelphij 502280268Sdelphij i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, 503280268Sdelphij &(p[s->s2->tmp.clear]), 504280268Sdelphij &(p[s->s2->tmp.clear]), 505280268Sdelphij (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : 506280268Sdelphij RSA_PKCS1_PADDING); 507280268Sdelphij 50855714Skris /* bad decrypt */ 50955714Skris#if 1 51055714Skris /* If a bad decrypt, continue with protocol but with a 51180001Skris * random master secret (Bleichenbacher attack) */ 512280268Sdelphij if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c)) 513280268Sdelphij || (is_export && i != ek))) { 51480001Skris ERR_clear_error(); 51555714Skris if (is_export) 51655714Skris i=ek; 51755714Skris else 51855714Skris i=EVP_CIPHER_key_length(c); 519280268Sdelphij if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0) 520160817Ssimon return 0; 521280268Sdelphij } 52255714Skris#else 52355714Skris if (i < 0) 52455714Skris { 52555714Skris error=1; 52655714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_RSA_DECRYPT); 52755714Skris } 52855714Skris /* incorrect number of key bytes for non export cipher */ 52955714Skris else if ((!is_export && (i != EVP_CIPHER_key_length(c))) 53055714Skris || (is_export && ((i != ek) || (s->s2->tmp.clear+i != 53155714Skris EVP_CIPHER_key_length(c))))) 53255714Skris { 53355714Skris error=1; 53455714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_WRONG_NUMBER_OF_KEY_BITS); 53555714Skris } 53655714Skris if (error) 53755714Skris { 53855714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 53955714Skris return(-1); 54055714Skris } 54155714Skris#endif 54255714Skris 543280268Sdelphij if (is_export) 544280268Sdelphij i = EVP_CIPHER_key_length(c); 545101621Snectar 546101621Snectar if (i > SSL_MAX_MASTER_KEY_LENGTH) 547101621Snectar { 548101621Snectar ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 549110007Smarkm SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); 550101621Snectar return -1; 551101621Snectar } 55255714Skris s->session->master_key_length=i; 55355714Skris memcpy(s->session->master_key,p,(unsigned int)i); 55455714Skris return(1); 55555714Skris } 55655714Skris 55755714Skrisstatic int get_client_hello(SSL *s) 55855714Skris { 55955714Skris int i,n; 56089840Skris unsigned long len; 56155714Skris unsigned char *p; 56255714Skris STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */ 56355714Skris STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */ 564110007Smarkm STACK_OF(SSL_CIPHER) *prio, *allow; 56555714Skris int z; 56655714Skris 56755714Skris /* This is a bit of a hack to check for the correct packet 56855714Skris * type the first time round. */ 56955714Skris if (s->state == SSL2_ST_GET_CLIENT_HELLO_A) 57055714Skris { 57155714Skris s->first_packet=1; 57255714Skris s->state=SSL2_ST_GET_CLIENT_HELLO_B; 57355714Skris } 57455714Skris 57555714Skris p=(unsigned char *)s->init_buf->data; 57655714Skris if (s->state == SSL2_ST_GET_CLIENT_HELLO_B) 57755714Skris { 57855714Skris i=ssl2_read(s,(char *)&(p[s->init_num]),9-s->init_num); 57955714Skris if (i < (9-s->init_num)) 58055714Skris return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i)); 58189840Skris s->init_num = 9; 58255714Skris 58355714Skris if (*(p++) != SSL2_MT_CLIENT_HELLO) 58455714Skris { 58555714Skris if (p[-1] != SSL2_MT_ERROR) 58655714Skris { 58755714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 58855714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_READ_WRONG_PACKET_TYPE); 58955714Skris } 59055714Skris else 59155714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_PEER_ERROR); 59255714Skris return(-1); 59355714Skris } 59455714Skris n2s(p,i); 59555714Skris if (i < s->version) s->version=i; 59655714Skris n2s(p,i); s->s2->tmp.cipher_spec_length=i; 59755714Skris n2s(p,i); s->s2->tmp.session_id_length=i; 59855714Skris n2s(p,i); s->s2->challenge_length=i; 59955714Skris if ( (i < SSL2_MIN_CHALLENGE_LENGTH) || 60055714Skris (i > SSL2_MAX_CHALLENGE_LENGTH)) 60155714Skris { 602101621Snectar ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 60355714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_INVALID_CHALLENGE_LENGTH); 60455714Skris return(-1); 60555714Skris } 60655714Skris s->state=SSL2_ST_GET_CLIENT_HELLO_C; 60755714Skris } 60855714Skris 60955714Skris /* SSL2_ST_GET_CLIENT_HELLO_C */ 61055714Skris p=(unsigned char *)s->init_buf->data; 61189840Skris len = 9 + (unsigned long)s->s2->tmp.cipher_spec_length + (unsigned long)s->s2->challenge_length + (unsigned long)s->s2->tmp.session_id_length; 61289840Skris if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) 61389840Skris { 614101621Snectar ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 61589840Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_MESSAGE_TOO_LONG); 61689840Skris return -1; 61789840Skris } 61889840Skris n = (int)len - s->init_num; 61989840Skris i = ssl2_read(s,(char *)&(p[s->init_num]),n); 62055714Skris if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i)); 621110007Smarkm if (s->msg_callback) 622110007Smarkm s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-HELLO */ 62389840Skris p += 9; 62455714Skris 62555714Skris /* get session-id before cipher stuff so we can get out session 62655714Skris * structure if it is cached */ 62755714Skris /* session-id */ 62855714Skris if ((s->s2->tmp.session_id_length != 0) && 62955714Skris (s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH)) 63055714Skris { 63155714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 63255714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_BAD_SSL_SESSION_ID_LENGTH); 63355714Skris return(-1); 63455714Skris } 63555714Skris 63655714Skris if (s->s2->tmp.session_id_length == 0) 63755714Skris { 63855714Skris if (!ssl_get_new_session(s,1)) 63955714Skris { 64055714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 64155714Skris return(-1); 64255714Skris } 64355714Skris } 64455714Skris else 64555714Skris { 64655714Skris i=ssl_get_prev_session(s,&(p[s->s2->tmp.cipher_spec_length]), 647194206Ssimon s->s2->tmp.session_id_length, NULL); 64855714Skris if (i == 1) 64955714Skris { /* previous session */ 65055714Skris s->hit=1; 65155714Skris } 65255714Skris else if (i == -1) 65355714Skris { 65455714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 65555714Skris return(-1); 65655714Skris } 65755714Skris else 65855714Skris { 65955714Skris if (s->cert == NULL) 66055714Skris { 66155714Skris ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE); 66255714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_NO_CERTIFICATE_SET); 66355714Skris return(-1); 66455714Skris } 66555714Skris 66655714Skris if (!ssl_get_new_session(s,1)) 66755714Skris { 66855714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 66955714Skris return(-1); 67055714Skris } 67155714Skris } 67255714Skris } 67355714Skris 67455714Skris if (!s->hit) 67555714Skris { 67655714Skris cs=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.cipher_spec_length, 67755714Skris &s->session->ciphers); 67855714Skris if (cs == NULL) goto mem_err; 67955714Skris 680110007Smarkm cl=SSL_get_ciphers(s); 68155714Skris 682110007Smarkm if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) 683110007Smarkm { 684110007Smarkm prio=sk_SSL_CIPHER_dup(cl); 685110007Smarkm if (prio == NULL) goto mem_err; 686110007Smarkm allow = cs; 687110007Smarkm } 688110007Smarkm else 689110007Smarkm { 690110007Smarkm prio = cs; 691110007Smarkm allow = cl; 692110007Smarkm } 693295061Sdelphij /* Generate list of SSLv2 ciphers shared between client and server */ 694295061Sdelphij for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) 69555714Skris { 696295061Sdelphij const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z); 697295061Sdelphij if ((cp->algorithms & SSL_SSLV2) == 0 || 698295061Sdelphij sk_SSL_CIPHER_find(allow, cp) < 0) 69955714Skris { 700194206Ssimon (void)sk_SSL_CIPHER_delete(prio,z); 70155714Skris z--; 70255714Skris } 70355714Skris } 704110007Smarkm if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) 705110007Smarkm { 706110007Smarkm sk_SSL_CIPHER_free(s->session->ciphers); 707110007Smarkm s->session->ciphers = prio; 708110007Smarkm } 709295061Sdelphij 710295061Sdelphij /* Make sure we have at least one cipher in common */ 711295061Sdelphij if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) 712295061Sdelphij { 713295061Sdelphij ssl2_return_error(s, SSL2_PE_NO_CIPHER); 714295061Sdelphij SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH); 715295061Sdelphij return -1; 716295061Sdelphij } 71755714Skris /* s->session->ciphers should now have a list of 71855714Skris * ciphers that are on both the client and server. 71955714Skris * This list is ordered by the order the client sent 720110007Smarkm * the ciphers or in the order of the server's preference 721110007Smarkm * if SSL_OP_CIPHER_SERVER_PREFERENCE was set. 72255714Skris */ 72355714Skris } 72455714Skris p+=s->s2->tmp.cipher_spec_length; 72555714Skris /* done cipher selection */ 72655714Skris 72755714Skris /* session id extracted already */ 72855714Skris p+=s->s2->tmp.session_id_length; 72955714Skris 73055714Skris /* challenge */ 731101621Snectar if (s->s2->challenge_length > sizeof s->s2->challenge) 732101621Snectar { 733101621Snectar ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 734110007Smarkm SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 735101621Snectar return -1; 736101621Snectar } 73755714Skris memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length); 73855714Skris return(1); 73955714Skrismem_err: 74055714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE); 74155714Skris return(0); 74255714Skris } 74355714Skris 74455714Skrisstatic int server_hello(SSL *s) 74555714Skris { 74655714Skris unsigned char *p,*d; 74755714Skris int n,hit; 74855714Skris 74955714Skris p=(unsigned char *)s->init_buf->data; 75055714Skris if (s->state == SSL2_ST_SEND_SERVER_HELLO_A) 75155714Skris { 75255714Skris d=p+11; 75355714Skris *(p++)=SSL2_MT_SERVER_HELLO; /* type */ 75455714Skris hit=s->hit; 75555714Skris *(p++)=(unsigned char)hit; 75655714Skris#if 1 75755714Skris if (!hit) 75855714Skris { 75955714Skris if (s->session->sess_cert != NULL) 76055714Skris /* This can't really happen because get_client_hello 76155714Skris * has called ssl_get_new_session, which does not set 76255714Skris * sess_cert. */ 76355714Skris ssl_sess_cert_free(s->session->sess_cert); 76455714Skris s->session->sess_cert = ssl_sess_cert_new(); 76555714Skris if (s->session->sess_cert == NULL) 76655714Skris { 76755714Skris SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE); 76855714Skris return(-1); 76955714Skris } 77055714Skris } 77155714Skris /* If 'hit' is set, then s->sess_cert may be non-NULL or NULL, 77255714Skris * depending on whether it survived in the internal cache 77355714Skris * or was retrieved from an external cache. 77455714Skris * If it is NULL, we cannot put any useful data in it anyway, 77555714Skris * so we don't touch it. 77655714Skris */ 77755714Skris 77855714Skris#else /* That's what used to be done when cert_st and sess_cert_st were 77955714Skris * the same. */ 78055714Skris if (!hit) 78155714Skris { /* else add cert to session */ 78255714Skris CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT); 78355714Skris if (s->session->sess_cert != NULL) 78455714Skris ssl_cert_free(s->session->sess_cert); 78555714Skris s->session->sess_cert=s->cert; 78655714Skris } 78755714Skris else /* We have a session id-cache hit, if the 78855714Skris * session-id has no certificate listed against 78955714Skris * the 'cert' structure, grab the 'old' one 79055714Skris * listed against the SSL connection */ 79155714Skris { 79255714Skris if (s->session->sess_cert == NULL) 79355714Skris { 79455714Skris CRYPTO_add(&s->cert->references,1, 79555714Skris CRYPTO_LOCK_SSL_CERT); 79655714Skris s->session->sess_cert=s->cert; 79755714Skris } 79855714Skris } 79955714Skris#endif 80055714Skris 80155714Skris if (s->cert == NULL) 80255714Skris { 80355714Skris ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE); 80455714Skris SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED); 80555714Skris return(-1); 80655714Skris } 80755714Skris 80855714Skris if (hit) 80955714Skris { 81055714Skris *(p++)=0; /* no certificate type */ 81155714Skris s2n(s->version,p); /* version */ 81255714Skris s2n(0,p); /* cert len */ 81355714Skris s2n(0,p); /* ciphers len */ 81455714Skris } 81555714Skris else 81655714Skris { 81755714Skris /* EAY EAY */ 81855714Skris /* put certificate type */ 81955714Skris *(p++)=SSL2_CT_X509_CERTIFICATE; 82055714Skris s2n(s->version,p); /* version */ 82155714Skris n=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL); 82255714Skris s2n(n,p); /* certificate length */ 82355714Skris i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&d); 82455714Skris n=0; 82555714Skris 82655714Skris /* lets send out the ciphers we like in the 82755714Skris * prefered order */ 828160817Ssimon n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d,0); 82955714Skris d+=n; 83055714Skris s2n(n,p); /* add cipher length */ 83155714Skris } 83255714Skris 83355714Skris /* make and send conn_id */ 83455714Skris s2n(SSL2_CONNECTION_ID_LENGTH,p); /* add conn_id length */ 83555714Skris s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH; 836160817Ssimon if (RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length) <= 0) 837160817Ssimon return -1; 83855714Skris memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH); 83955714Skris d+=SSL2_CONNECTION_ID_LENGTH; 84055714Skris 84155714Skris s->state=SSL2_ST_SEND_SERVER_HELLO_B; 84255714Skris s->init_num=d-(unsigned char *)s->init_buf->data; 84355714Skris s->init_off=0; 84455714Skris } 84555714Skris /* SSL2_ST_SEND_SERVER_HELLO_B */ 84659194Skris /* If we are using TCP/IP, the performance is bad if we do 2 84755714Skris * writes without a read between them. This occurs when 84855714Skris * Session-id reuse is used, so I will put in a buffering module 84955714Skris */ 85055714Skris if (s->hit) 85155714Skris { 85255714Skris if (!ssl_init_wbio_buffer(s,1)) return(-1); 85355714Skris } 85455714Skris 85555714Skris return(ssl2_do_write(s)); 85655714Skris } 85755714Skris 85855714Skrisstatic int get_client_finished(SSL *s) 85955714Skris { 86055714Skris unsigned char *p; 86189840Skris int i, n; 86289840Skris unsigned long len; 86355714Skris 86455714Skris p=(unsigned char *)s->init_buf->data; 86555714Skris if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A) 86655714Skris { 86755714Skris i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num); 86855714Skris if (i < 1-s->init_num) 86955714Skris return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i)); 87089840Skris s->init_num += i; 87155714Skris 87255714Skris if (*p != SSL2_MT_CLIENT_FINISHED) 87355714Skris { 87455714Skris if (*p != SSL2_MT_ERROR) 87555714Skris { 87655714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 87755714Skris SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE); 87855714Skris } 87955714Skris else 880110007Smarkm { 88155714Skris SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR); 882110007Smarkm /* try to read the error message */ 883110007Smarkm i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num); 884110007Smarkm return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i); 885110007Smarkm } 88655714Skris return(-1); 88755714Skris } 88855714Skris s->state=SSL2_ST_GET_CLIENT_FINISHED_B; 88955714Skris } 89055714Skris 89155714Skris /* SSL2_ST_GET_CLIENT_FINISHED_B */ 892101621Snectar if (s->s2->conn_id_length > sizeof s->s2->conn_id) 893101621Snectar { 894101621Snectar ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 895110007Smarkm SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR); 896101621Snectar return -1; 897101621Snectar } 89889840Skris len = 1 + (unsigned long)s->s2->conn_id_length; 89989840Skris n = (int)len - s->init_num; 90089840Skris i = ssl2_read(s,(char *)&(p[s->init_num]),n); 90189840Skris if (i < n) 90255714Skris { 90355714Skris return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i)); 90455714Skris } 905110007Smarkm if (s->msg_callback) 906110007Smarkm s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-FINISHED */ 90789840Skris p += 1; 908110007Smarkm if (memcmp(p,s->s2->conn_id,s->s2->conn_id_length) != 0) 90955714Skris { 91055714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 91155714Skris SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT); 91255714Skris return(-1); 91355714Skris } 91455714Skris return(1); 91555714Skris } 91655714Skris 91755714Skrisstatic int server_verify(SSL *s) 91855714Skris { 91955714Skris unsigned char *p; 92055714Skris 92155714Skris if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A) 92255714Skris { 92355714Skris p=(unsigned char *)s->init_buf->data; 92455714Skris *(p++)=SSL2_MT_SERVER_VERIFY; 925101621Snectar if (s->s2->challenge_length > sizeof s->s2->challenge) 926101621Snectar { 927110007Smarkm SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR); 928101621Snectar return -1; 929101621Snectar } 93055714Skris memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length); 93155714Skris /* p+=s->s2->challenge_length; */ 93255714Skris 93355714Skris s->state=SSL2_ST_SEND_SERVER_VERIFY_B; 93455714Skris s->init_num=s->s2->challenge_length+1; 93555714Skris s->init_off=0; 93655714Skris } 93755714Skris return(ssl2_do_write(s)); 93855714Skris } 93955714Skris 94055714Skrisstatic int server_finish(SSL *s) 94155714Skris { 94255714Skris unsigned char *p; 94355714Skris 94455714Skris if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A) 94555714Skris { 94655714Skris p=(unsigned char *)s->init_buf->data; 94755714Skris *(p++)=SSL2_MT_SERVER_FINISHED; 94855714Skris 949101621Snectar if (s->session->session_id_length > sizeof s->session->session_id) 950101621Snectar { 951110007Smarkm SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR); 952101621Snectar return -1; 953101621Snectar } 954101621Snectar memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length); 95555714Skris /* p+=s->session->session_id_length; */ 95655714Skris 95755714Skris s->state=SSL2_ST_SEND_SERVER_FINISHED_B; 95855714Skris s->init_num=s->session->session_id_length+1; 95955714Skris s->init_off=0; 96055714Skris } 96155714Skris 96255714Skris /* SSL2_ST_SEND_SERVER_FINISHED_B */ 96355714Skris return(ssl2_do_write(s)); 96455714Skris } 96555714Skris 96655714Skris/* send the request and check the response */ 96755714Skrisstatic int request_certificate(SSL *s) 96855714Skris { 969160817Ssimon const unsigned char *cp; 97055714Skris unsigned char *p,*p2,*buf2; 97155714Skris unsigned char *ccd; 97255714Skris int i,j,ctype,ret= -1; 97389840Skris unsigned long len; 97455714Skris X509 *x509=NULL; 97555714Skris STACK_OF(X509) *sk=NULL; 97655714Skris 97755714Skris ccd=s->s2->tmp.ccl; 97855714Skris if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A) 97955714Skris { 98055714Skris p=(unsigned char *)s->init_buf->data; 98155714Skris *(p++)=SSL2_MT_REQUEST_CERTIFICATE; 98255714Skris *(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION; 983160817Ssimon if (RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0) 984142428Snectar return -1; 98555714Skris memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); 98655714Skris 98755714Skris s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B; 98855714Skris s->init_num=SSL2_MIN_CERT_CHALLENGE_LENGTH+2; 98955714Skris s->init_off=0; 99055714Skris } 99155714Skris 99255714Skris if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B) 99355714Skris { 99455714Skris i=ssl2_do_write(s); 99555714Skris if (i <= 0) 99655714Skris { 99755714Skris ret=i; 99855714Skris goto end; 99955714Skris } 100055714Skris 100155714Skris s->init_num=0; 100255714Skris s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_C; 100355714Skris } 100455714Skris 100555714Skris if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C) 100655714Skris { 100755714Skris p=(unsigned char *)s->init_buf->data; 100889840Skris i=ssl2_read(s,(char *)&(p[s->init_num]),6-s->init_num); /* try to read 6 octets ... */ 100989840Skris if (i < 3-s->init_num) /* ... but don't call ssl2_part_read now if we got at least 3 101089840Skris * (probably NO-CERTIFICATE-ERROR) */ 101155714Skris { 101255714Skris ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i); 101355714Skris goto end; 101455714Skris } 101589840Skris s->init_num += i; 101655714Skris 101789840Skris if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR)) 101855714Skris { 101955714Skris n2s(p,i); 102089840Skris if (i != SSL2_PE_NO_CERTIFICATE) 102189840Skris { 102289840Skris /* not the error message we expected -- let ssl2_part_read handle it */ 102389840Skris s->init_num -= 3; 102489840Skris ret = ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE, 3); 102589840Skris goto end; 102689840Skris } 102789840Skris 1028110007Smarkm if (s->msg_callback) 1029110007Smarkm s->msg_callback(0, s->version, 0, p, 3, s, s->msg_callback_arg); /* ERROR */ 1030110007Smarkm 103189840Skris /* this is the one place where we can recover from an SSL 2.0 error */ 103289840Skris 103355714Skris if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) 103455714Skris { 103555714Skris ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE); 103655714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 103755714Skris goto end; 103855714Skris } 103955714Skris ret=1; 104055714Skris goto end; 104155714Skris } 104289840Skris if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6)) 104355714Skris { 104455714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 104555714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_SHORT_READ); 104655714Skris goto end; 104755714Skris } 104889840Skris if (s->init_num != 6) 104989840Skris { 1050110007Smarkm SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR); 105189840Skris goto end; 105289840Skris } 105389840Skris 105455714Skris /* ok we have a response */ 105555714Skris /* certificate type, there is only one right now. */ 105655714Skris ctype= *(p++); 105755714Skris if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) 105855714Skris { 105955714Skris ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE); 106055714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_RESPONSE_ARGUMENT); 106155714Skris goto end; 106255714Skris } 106355714Skris n2s(p,i); s->s2->tmp.clen=i; 106455714Skris n2s(p,i); s->s2->tmp.rlen=i; 106555714Skris s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_D; 106655714Skris } 106755714Skris 106855714Skris /* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */ 106955714Skris p=(unsigned char *)s->init_buf->data; 107089840Skris len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen; 107189840Skris if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) 107289840Skris { 1073110007Smarkm SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG); 107489840Skris goto end; 107589840Skris } 107689840Skris j = (int)len - s->init_num; 107789840Skris i = ssl2_read(s,(char *)&(p[s->init_num]),j); 107855714Skris if (i < j) 107955714Skris { 108055714Skris ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i); 108155714Skris goto end; 108255714Skris } 1083110007Smarkm if (s->msg_callback) 1084110007Smarkm s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */ 108589840Skris p += 6; 108655714Skris 1087160817Ssimon cp = p; 1088160817Ssimon x509=(X509 *)d2i_X509(NULL,&cp,(long)s->s2->tmp.clen); 108955714Skris if (x509 == NULL) 109055714Skris { 109155714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_X509_LIB); 109255714Skris goto msg_end; 109355714Skris } 109455714Skris 109555714Skris if (((sk=sk_X509_new_null()) == NULL) || (!sk_X509_push(sk,x509))) 109655714Skris { 109755714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE); 109855714Skris goto msg_end; 109955714Skris } 110055714Skris 110155714Skris i=ssl_verify_cert_chain(s,sk); 110255714Skris 1103186872Ssimon if (i > 0) /* we like the packet, now check the chksum */ 110455714Skris { 110555714Skris EVP_MD_CTX ctx; 110655714Skris EVP_PKEY *pkey=NULL; 110755714Skris 1108110007Smarkm EVP_MD_CTX_init(&ctx); 1109110007Smarkm EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL); 111055714Skris EVP_VerifyUpdate(&ctx,s->s2->key_material, 1111110007Smarkm s->s2->key_material_length); 111255714Skris EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); 111355714Skris 111455714Skris i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL); 111568654Skris buf2=OPENSSL_malloc((unsigned int)i); 111655714Skris if (buf2 == NULL) 111755714Skris { 111855714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE); 111955714Skris goto msg_end; 112055714Skris } 112155714Skris p2=buf2; 112255714Skris i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2); 112355714Skris EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i); 112468654Skris OPENSSL_free(buf2); 112555714Skris 112655714Skris pkey=X509_get_pubkey(x509); 112755714Skris if (pkey == NULL) goto end; 1128160817Ssimon i=EVP_VerifyFinal(&ctx,cp,s->s2->tmp.rlen,pkey); 112955714Skris EVP_PKEY_free(pkey); 1130110007Smarkm EVP_MD_CTX_cleanup(&ctx); 113155714Skris 1132194206Ssimon if (i > 0) 113355714Skris { 113455714Skris if (s->session->peer != NULL) 113555714Skris X509_free(s->session->peer); 113655714Skris s->session->peer=x509; 113755714Skris CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509); 113859194Skris s->session->verify_result = s->verify_result; 113955714Skris ret=1; 114055714Skris goto end; 114155714Skris } 114255714Skris else 114355714Skris { 114455714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_CHECKSUM); 114555714Skris goto msg_end; 114655714Skris } 114755714Skris } 114855714Skris else 114955714Skris { 115055714Skrismsg_end: 115155714Skris ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE); 115255714Skris } 115355714Skrisend: 115455714Skris sk_X509_free(sk); 115555714Skris X509_free(x509); 115655714Skris return(ret); 115755714Skris } 115855714Skris 115955714Skrisstatic int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, 116055714Skris unsigned char *to, int padding) 116155714Skris { 116255714Skris RSA *rsa; 116355714Skris int i; 116455714Skris 116555714Skris if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)) 116655714Skris { 116755714Skris SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_NO_PRIVATEKEY); 116855714Skris return(-1); 116955714Skris } 117055714Skris if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA) 117155714Skris { 117255714Skris SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA); 117355714Skris return(-1); 117455714Skris } 117555714Skris rsa=c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa; 117655714Skris 117755714Skris /* we have the public key */ 117855714Skris i=RSA_private_decrypt(len,from,to,rsa,padding); 117955714Skris if (i < 0) 118055714Skris SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB); 118155714Skris return(i); 118255714Skris } 1183110007Smarkm#else /* !OPENSSL_NO_SSL2 */ 118459194Skris 118559194Skris# if PEDANTIC 118659194Skrisstatic void *dummy=&dummy; 118759194Skris# endif 118859194Skris 118955714Skris#endif 1190