s2_srvr.c revision 89840
155714Skris/* ssl/s2_srvr.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 855714Skris * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1555714Skris * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 2255714Skris * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 3755714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4055714Skris * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 5255714Skris * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755949Skris * 5855949Skris * $FreeBSD: head/crypto/openssl/ssl/s2_srvr.c 89840 2002-01-27 03:17:13Z kris $ 5955714Skris */ 6089840Skris/* ==================================================================== 6189840Skris * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6289840Skris * 6389840Skris * Redistribution and use in source and binary forms, with or without 6489840Skris * modification, are permitted provided that the following conditions 6589840Skris * are met: 6689840Skris * 6789840Skris * 1. Redistributions of source code must retain the above copyright 6889840Skris * notice, this list of conditions and the following disclaimer. 6989840Skris * 7089840Skris * 2. Redistributions in binary form must reproduce the above copyright 7189840Skris * notice, this list of conditions and the following disclaimer in 7289840Skris * the documentation and/or other materials provided with the 7389840Skris * distribution. 7489840Skris * 7589840Skris * 3. All advertising materials mentioning features or use of this 7689840Skris * software must display the following acknowledgment: 7789840Skris * "This product includes software developed by the OpenSSL Project 7889840Skris * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7989840Skris * 8089840Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 8189840Skris * endorse or promote products derived from this software without 8289840Skris * prior written permission. For written permission, please contact 8389840Skris * openssl-core@openssl.org. 8489840Skris * 8589840Skris * 5. Products derived from this software may not be called "OpenSSL" 8689840Skris * nor may "OpenSSL" appear in their names without prior written 8789840Skris * permission of the OpenSSL Project. 8889840Skris * 8989840Skris * 6. Redistributions of any form whatsoever must retain the following 9089840Skris * acknowledgment: 9189840Skris * "This product includes software developed by the OpenSSL Project 9289840Skris * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9389840Skris * 9489840Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 9589840Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9689840Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9789840Skris * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9889840Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9989840Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 10089840Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 10189840Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 10289840Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10389840Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10489840Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10589840Skris * OF THE POSSIBILITY OF SUCH DAMAGE. 10689840Skris * ==================================================================== 10789840Skris * 10889840Skris * This product includes cryptographic software written by Eric Young 10989840Skris * (eay@cryptsoft.com). This product includes software written by Tim 11089840Skris * Hudson (tjh@cryptsoft.com). 11189840Skris * 11289840Skris */ 11355714Skris 11459194Skris#include "ssl_locl.h" 11555949Skris#ifndef NO_SSL2 11655714Skris#include <stdio.h> 11755714Skris#include <openssl/bio.h> 11855714Skris#include <openssl/rand.h> 11955714Skris#include <openssl/objects.h> 12055714Skris#include <openssl/evp.h> 12155714Skris 12255714Skrisstatic SSL_METHOD *ssl2_get_server_method(int ver); 12355714Skrisstatic int get_client_master_key(SSL *s); 12455714Skrisstatic int get_client_hello(SSL *s); 12555714Skrisstatic int server_hello(SSL *s); 12655714Skrisstatic int get_client_finished(SSL *s); 12755714Skrisstatic int server_verify(SSL *s); 12855714Skrisstatic int server_finish(SSL *s); 12955714Skrisstatic int request_certificate(SSL *s); 13055714Skrisstatic int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, 13155714Skris unsigned char *to,int padding); 13255714Skris#define BREAK break 13355714Skris 13455714Skrisstatic SSL_METHOD *ssl2_get_server_method(int ver) 13555714Skris { 13655714Skris if (ver == SSL2_VERSION) 13755714Skris return(SSLv2_server_method()); 13855714Skris else 13955714Skris return(NULL); 14055714Skris } 14155714Skris 14255714SkrisSSL_METHOD *SSLv2_server_method(void) 14355714Skris { 14455714Skris static int init=1; 14555714Skris static SSL_METHOD SSLv2_server_data; 14655714Skris 14755714Skris if (init) 14855714Skris { 14955714Skris memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(), 15055714Skris sizeof(SSL_METHOD)); 15155714Skris SSLv2_server_data.ssl_accept=ssl2_accept; 15255714Skris SSLv2_server_data.get_ssl_method=ssl2_get_server_method; 15355714Skris init=0; 15455714Skris } 15555714Skris return(&SSLv2_server_data); 15655714Skris } 15755714Skris 15855714Skrisint ssl2_accept(SSL *s) 15955714Skris { 16055714Skris unsigned long l=time(NULL); 16155714Skris BUF_MEM *buf=NULL; 16255714Skris int ret= -1; 16355714Skris long num1; 16455714Skris void (*cb)()=NULL; 16555714Skris int new_state,state; 16655714Skris 16759194Skris RAND_add(&l,sizeof(l),0); 16855714Skris ERR_clear_error(); 16955714Skris clear_sys_error(); 17055714Skris 17155714Skris if (s->info_callback != NULL) 17255714Skris cb=s->info_callback; 17355714Skris else if (s->ctx->info_callback != NULL) 17455714Skris cb=s->ctx->info_callback; 17555714Skris 17655714Skris /* init things to blank */ 17789840Skris s->in_handshake++; 17855714Skris if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 17955714Skris 18055714Skris if (s->cert == NULL) 18155714Skris { 18255714Skris SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 18355714Skris return(-1); 18455714Skris } 18555714Skris 18655714Skris clear_sys_error(); 18755714Skris for (;;) 18855714Skris { 18955714Skris state=s->state; 19055714Skris 19155714Skris switch (s->state) 19255714Skris { 19355714Skris case SSL_ST_BEFORE: 19455714Skris case SSL_ST_ACCEPT: 19555714Skris case SSL_ST_BEFORE|SSL_ST_ACCEPT: 19655714Skris case SSL_ST_OK|SSL_ST_ACCEPT: 19755714Skris 19855714Skris s->server=1; 19955714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 20055714Skris 20155714Skris s->version=SSL2_VERSION; 20255714Skris s->type=SSL_ST_ACCEPT; 20355714Skris 20455714Skris buf=s->init_buf; 20555714Skris if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL)) 20655714Skris { ret= -1; goto end; } 20755714Skris if (!BUF_MEM_grow(buf,(int) 20855714Skris SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) 20955714Skris { ret= -1; goto end; } 21055714Skris s->init_buf=buf; 21155714Skris s->init_num=0; 21255714Skris s->ctx->stats.sess_accept++; 21355714Skris s->handshake_func=ssl2_accept; 21455714Skris s->state=SSL2_ST_GET_CLIENT_HELLO_A; 21555714Skris BREAK; 21655714Skris 21755714Skris case SSL2_ST_GET_CLIENT_HELLO_A: 21855714Skris case SSL2_ST_GET_CLIENT_HELLO_B: 21955714Skris case SSL2_ST_GET_CLIENT_HELLO_C: 22055714Skris s->shutdown=0; 22155714Skris ret=get_client_hello(s); 22255714Skris if (ret <= 0) goto end; 22355714Skris s->init_num=0; 22455714Skris s->state=SSL2_ST_SEND_SERVER_HELLO_A; 22555714Skris BREAK; 22655714Skris 22755714Skris case SSL2_ST_SEND_SERVER_HELLO_A: 22855714Skris case SSL2_ST_SEND_SERVER_HELLO_B: 22955714Skris ret=server_hello(s); 23055714Skris if (ret <= 0) goto end; 23155714Skris s->init_num=0; 23255714Skris if (!s->hit) 23355714Skris { 23455714Skris s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_A; 23555714Skris BREAK; 23655714Skris } 23755714Skris else 23855714Skris { 23955714Skris s->state=SSL2_ST_SERVER_START_ENCRYPTION; 24055714Skris BREAK; 24155714Skris } 24255714Skris case SSL2_ST_GET_CLIENT_MASTER_KEY_A: 24355714Skris case SSL2_ST_GET_CLIENT_MASTER_KEY_B: 24455714Skris ret=get_client_master_key(s); 24555714Skris if (ret <= 0) goto end; 24655714Skris s->init_num=0; 24755714Skris s->state=SSL2_ST_SERVER_START_ENCRYPTION; 24855714Skris BREAK; 24955714Skris 25055714Skris case SSL2_ST_SERVER_START_ENCRYPTION: 25155714Skris /* Ok we how have sent all the stuff needed to 25255714Skris * start encrypting, the next packet back will 25355714Skris * be encrypted. */ 25455714Skris if (!ssl2_enc_init(s,0)) 25555714Skris { ret= -1; goto end; } 25655714Skris s->s2->clear_text=0; 25755714Skris s->state=SSL2_ST_SEND_SERVER_VERIFY_A; 25855714Skris BREAK; 25955714Skris 26055714Skris case SSL2_ST_SEND_SERVER_VERIFY_A: 26155714Skris case SSL2_ST_SEND_SERVER_VERIFY_B: 26255714Skris ret=server_verify(s); 26355714Skris if (ret <= 0) goto end; 26455714Skris s->init_num=0; 26555714Skris if (s->hit) 26655714Skris { 26755714Skris /* If we are in here, we have been 26855714Skris * buffering the output, so we need to 26955714Skris * flush it and remove buffering from 27055714Skris * future traffic */ 27155714Skris s->state=SSL2_ST_SEND_SERVER_VERIFY_C; 27255714Skris BREAK; 27355714Skris } 27455714Skris else 27555714Skris { 27655714Skris s->state=SSL2_ST_GET_CLIENT_FINISHED_A; 27755714Skris break; 27855714Skris } 27955714Skris 28055714Skris case SSL2_ST_SEND_SERVER_VERIFY_C: 28155714Skris /* get the number of bytes to write */ 28255714Skris num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); 28355714Skris if (num1 != 0) 28455714Skris { 28555714Skris s->rwstate=SSL_WRITING; 28655714Skris num1=BIO_flush(s->wbio); 28755714Skris if (num1 <= 0) { ret= -1; goto end; } 28855714Skris s->rwstate=SSL_NOTHING; 28955714Skris } 29055714Skris 29155714Skris /* flushed and now remove buffering */ 29255714Skris s->wbio=BIO_pop(s->wbio); 29355714Skris 29455714Skris s->state=SSL2_ST_GET_CLIENT_FINISHED_A; 29555714Skris BREAK; 29655714Skris 29755714Skris case SSL2_ST_GET_CLIENT_FINISHED_A: 29855714Skris case SSL2_ST_GET_CLIENT_FINISHED_B: 29955714Skris ret=get_client_finished(s); 30055714Skris if (ret <= 0) 30155714Skris goto end; 30255714Skris s->init_num=0; 30355714Skris s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_A; 30455714Skris BREAK; 30555714Skris 30655714Skris case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: 30755714Skris case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: 30855714Skris case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: 30955714Skris case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: 31055714Skris /* don't do a 'request certificate' if we 31155714Skris * don't want to, or we already have one, and 31255714Skris * we only want to do it once. */ 31355714Skris if (!(s->verify_mode & SSL_VERIFY_PEER) || 31455714Skris ((s->session->peer != NULL) && 31555714Skris (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))) 31655714Skris { 31755714Skris s->state=SSL2_ST_SEND_SERVER_FINISHED_A; 31855714Skris break; 31955714Skris } 32055714Skris else 32155714Skris { 32255714Skris ret=request_certificate(s); 32355714Skris if (ret <= 0) goto end; 32455714Skris s->init_num=0; 32555714Skris s->state=SSL2_ST_SEND_SERVER_FINISHED_A; 32655714Skris } 32755714Skris BREAK; 32855714Skris 32955714Skris case SSL2_ST_SEND_SERVER_FINISHED_A: 33055714Skris case SSL2_ST_SEND_SERVER_FINISHED_B: 33155714Skris ret=server_finish(s); 33255714Skris if (ret <= 0) goto end; 33355714Skris s->init_num=0; 33455714Skris s->state=SSL_ST_OK; 33555714Skris break; 33655714Skris 33755714Skris case SSL_ST_OK: 33855714Skris BUF_MEM_free(s->init_buf); 33955714Skris ssl_free_wbio_buffer(s); 34055714Skris s->init_buf=NULL; 34155714Skris s->init_num=0; 34255714Skris /* ERR_clear_error();*/ 34355714Skris 34455714Skris ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 34555714Skris 34655714Skris s->ctx->stats.sess_accept_good++; 34755714Skris /* s->server=1; */ 34855714Skris ret=1; 34955714Skris 35055714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 35155714Skris 35255714Skris goto end; 35355714Skris /* BREAK; */ 35455714Skris 35555714Skris default: 35655714Skris SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_UNKNOWN_STATE); 35755714Skris ret= -1; 35855714Skris goto end; 35955714Skris /* BREAK; */ 36055714Skris } 36155714Skris 36255714Skris if ((cb != NULL) && (s->state != state)) 36355714Skris { 36455714Skris new_state=s->state; 36555714Skris s->state=state; 36655714Skris cb(s,SSL_CB_ACCEPT_LOOP,1); 36755714Skris s->state=new_state; 36855714Skris } 36955714Skris } 37055714Skrisend: 37155714Skris s->in_handshake--; 37255714Skris if (cb != NULL) 37355714Skris cb(s,SSL_CB_ACCEPT_EXIT,ret); 37455714Skris return(ret); 37555714Skris } 37655714Skris 37755714Skrisstatic int get_client_master_key(SSL *s) 37855714Skris { 37955714Skris int is_export,i,n,keya,ek; 38089840Skris unsigned long len; 38155714Skris unsigned char *p; 38255714Skris SSL_CIPHER *cp; 38355714Skris const EVP_CIPHER *c; 38455714Skris const EVP_MD *md; 38555714Skris 38655714Skris p=(unsigned char *)s->init_buf->data; 38755714Skris if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A) 38855714Skris { 38955714Skris i=ssl2_read(s,(char *)&(p[s->init_num]),10-s->init_num); 39055714Skris 39155714Skris if (i < (10-s->init_num)) 39255714Skris return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i)); 39389840Skris s->init_num = 10; 39489840Skris 39555714Skris if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY) 39655714Skris { 39755714Skris if (p[-1] != SSL2_MT_ERROR) 39855714Skris { 39955714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 40055714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_READ_WRONG_PACKET_TYPE); 40155714Skris } 40255714Skris else 40355714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, 40455714Skris SSL_R_PEER_ERROR); 40555714Skris return(-1); 40655714Skris } 40755714Skris 40855714Skris cp=ssl2_get_cipher_by_char(p); 40955714Skris if (cp == NULL) 41055714Skris { 41155714Skris ssl2_return_error(s,SSL2_PE_NO_CIPHER); 41255714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, 41355714Skris SSL_R_NO_CIPHER_MATCH); 41455714Skris return(-1); 41555714Skris } 41655714Skris s->session->cipher= cp; 41755714Skris 41855714Skris p+=3; 41955714Skris n2s(p,i); s->s2->tmp.clear=i; 42055714Skris n2s(p,i); s->s2->tmp.enc=i; 42155714Skris n2s(p,i); s->session->key_arg_length=i; 42255714Skris s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B; 42355714Skris } 42455714Skris 42555714Skris /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */ 42655714Skris p=(unsigned char *)s->init_buf->data; 42755714Skris keya=s->session->key_arg_length; 42889840Skris len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya; 42989840Skris if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) 43089840Skris { 43189840Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG); 43289840Skris return -1; 43389840Skris } 43489840Skris n = (int)len - s->init_num; 43589840Skris i = ssl2_read(s,(char *)&(p[s->init_num]),n); 43655714Skris if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i)); 43789840Skris p += 10; 43855714Skris 43955714Skris memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]), 44055714Skris (unsigned int)keya); 44155714Skris 44255714Skris if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) 44355714Skris { 44455714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 44555714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY); 44655714Skris return(-1); 44755714Skris } 44855714Skris i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc, 44955714Skris &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]), 45055714Skris (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING); 45155714Skris 45255714Skris is_export=SSL_C_IS_EXPORT(s->session->cipher); 45355714Skris 45455714Skris if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) 45555714Skris { 45655714Skris ssl2_return_error(s,SSL2_PE_NO_CIPHER); 45755714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); 45855714Skris return(0); 45955714Skris } 46055714Skris 46155714Skris if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) 46255714Skris { 46355714Skris is_export=1; 46455714Skris ek=8; 46555714Skris } 46655714Skris else 46755714Skris ek=5; 46855714Skris 46955714Skris /* bad decrypt */ 47055714Skris#if 1 47155714Skris /* If a bad decrypt, continue with protocol but with a 47280001Skris * random master secret (Bleichenbacher attack) */ 47355714Skris if ((i < 0) || 47455714Skris ((!is_export && (i != EVP_CIPHER_key_length(c))) 47589840Skris || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i != 47689840Skris (unsigned int)EVP_CIPHER_key_length(c)))))) 47755714Skris { 47880001Skris ERR_clear_error(); 47955714Skris if (is_export) 48055714Skris i=ek; 48155714Skris else 48255714Skris i=EVP_CIPHER_key_length(c); 48359194Skris RAND_pseudo_bytes(p,i); 48455714Skris } 48555714Skris#else 48655714Skris if (i < 0) 48755714Skris { 48855714Skris error=1; 48955714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_RSA_DECRYPT); 49055714Skris } 49155714Skris /* incorrect number of key bytes for non export cipher */ 49255714Skris else if ((!is_export && (i != EVP_CIPHER_key_length(c))) 49355714Skris || (is_export && ((i != ek) || (s->s2->tmp.clear+i != 49455714Skris EVP_CIPHER_key_length(c))))) 49555714Skris { 49655714Skris error=1; 49755714Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_WRONG_NUMBER_OF_KEY_BITS); 49855714Skris } 49955714Skris if (error) 50055714Skris { 50155714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 50255714Skris return(-1); 50355714Skris } 50455714Skris#endif 50555714Skris 50655714Skris if (is_export) i+=s->s2->tmp.clear; 50755714Skris s->session->master_key_length=i; 50855714Skris memcpy(s->session->master_key,p,(unsigned int)i); 50955714Skris return(1); 51055714Skris } 51155714Skris 51255714Skrisstatic int get_client_hello(SSL *s) 51355714Skris { 51455714Skris int i,n; 51589840Skris unsigned long len; 51655714Skris unsigned char *p; 51755714Skris STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */ 51855714Skris STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */ 51955714Skris int z; 52055714Skris 52155714Skris /* This is a bit of a hack to check for the correct packet 52255714Skris * type the first time round. */ 52355714Skris if (s->state == SSL2_ST_GET_CLIENT_HELLO_A) 52455714Skris { 52555714Skris s->first_packet=1; 52655714Skris s->state=SSL2_ST_GET_CLIENT_HELLO_B; 52755714Skris } 52855714Skris 52955714Skris p=(unsigned char *)s->init_buf->data; 53055714Skris if (s->state == SSL2_ST_GET_CLIENT_HELLO_B) 53155714Skris { 53255714Skris i=ssl2_read(s,(char *)&(p[s->init_num]),9-s->init_num); 53355714Skris if (i < (9-s->init_num)) 53455714Skris return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i)); 53589840Skris s->init_num = 9; 53655714Skris 53755714Skris if (*(p++) != SSL2_MT_CLIENT_HELLO) 53855714Skris { 53955714Skris if (p[-1] != SSL2_MT_ERROR) 54055714Skris { 54155714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 54255714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_READ_WRONG_PACKET_TYPE); 54355714Skris } 54455714Skris else 54555714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_PEER_ERROR); 54655714Skris return(-1); 54755714Skris } 54855714Skris n2s(p,i); 54955714Skris if (i < s->version) s->version=i; 55055714Skris n2s(p,i); s->s2->tmp.cipher_spec_length=i; 55155714Skris n2s(p,i); s->s2->tmp.session_id_length=i; 55255714Skris n2s(p,i); s->s2->challenge_length=i; 55355714Skris if ( (i < SSL2_MIN_CHALLENGE_LENGTH) || 55455714Skris (i > SSL2_MAX_CHALLENGE_LENGTH)) 55555714Skris { 55655714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_INVALID_CHALLENGE_LENGTH); 55755714Skris return(-1); 55855714Skris } 55955714Skris s->state=SSL2_ST_GET_CLIENT_HELLO_C; 56055714Skris } 56155714Skris 56255714Skris /* SSL2_ST_GET_CLIENT_HELLO_C */ 56355714Skris p=(unsigned char *)s->init_buf->data; 56489840Skris len = 9 + (unsigned long)s->s2->tmp.cipher_spec_length + (unsigned long)s->s2->challenge_length + (unsigned long)s->s2->tmp.session_id_length; 56589840Skris if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) 56689840Skris { 56789840Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_MESSAGE_TOO_LONG); 56889840Skris return -1; 56989840Skris } 57089840Skris n = (int)len - s->init_num; 57189840Skris i = ssl2_read(s,(char *)&(p[s->init_num]),n); 57255714Skris if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i)); 57389840Skris p += 9; 57455714Skris 57555714Skris /* get session-id before cipher stuff so we can get out session 57655714Skris * structure if it is cached */ 57755714Skris /* session-id */ 57855714Skris if ((s->s2->tmp.session_id_length != 0) && 57955714Skris (s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH)) 58055714Skris { 58155714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 58255714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_BAD_SSL_SESSION_ID_LENGTH); 58355714Skris return(-1); 58455714Skris } 58555714Skris 58655714Skris if (s->s2->tmp.session_id_length == 0) 58755714Skris { 58855714Skris if (!ssl_get_new_session(s,1)) 58955714Skris { 59055714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 59155714Skris return(-1); 59255714Skris } 59355714Skris } 59455714Skris else 59555714Skris { 59655714Skris i=ssl_get_prev_session(s,&(p[s->s2->tmp.cipher_spec_length]), 59755714Skris s->s2->tmp.session_id_length); 59855714Skris if (i == 1) 59955714Skris { /* previous session */ 60055714Skris s->hit=1; 60155714Skris } 60255714Skris else if (i == -1) 60355714Skris { 60455714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 60555714Skris return(-1); 60655714Skris } 60755714Skris else 60855714Skris { 60955714Skris if (s->cert == NULL) 61055714Skris { 61155714Skris ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE); 61255714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_NO_CERTIFICATE_SET); 61355714Skris return(-1); 61455714Skris } 61555714Skris 61655714Skris if (!ssl_get_new_session(s,1)) 61755714Skris { 61855714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 61955714Skris return(-1); 62055714Skris } 62155714Skris } 62255714Skris } 62355714Skris 62455714Skris if (!s->hit) 62555714Skris { 62655714Skris cs=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.cipher_spec_length, 62755714Skris &s->session->ciphers); 62855714Skris if (cs == NULL) goto mem_err; 62955714Skris 63055714Skris cl=ssl_get_ciphers_by_id(s); 63155714Skris 63255714Skris for (z=0; z<sk_SSL_CIPHER_num(cs); z++) 63355714Skris { 63455714Skris if (sk_SSL_CIPHER_find(cl,sk_SSL_CIPHER_value(cs,z)) < 0) 63555714Skris { 63655714Skris sk_SSL_CIPHER_delete(cs,z); 63755714Skris z--; 63855714Skris } 63955714Skris } 64055714Skris 64155714Skris /* s->session->ciphers should now have a list of 64255714Skris * ciphers that are on both the client and server. 64355714Skris * This list is ordered by the order the client sent 64455714Skris * the ciphers. 64555714Skris */ 64655714Skris } 64755714Skris p+=s->s2->tmp.cipher_spec_length; 64855714Skris /* done cipher selection */ 64955714Skris 65055714Skris /* session id extracted already */ 65155714Skris p+=s->s2->tmp.session_id_length; 65255714Skris 65355714Skris /* challenge */ 65455714Skris memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length); 65555714Skris return(1); 65655714Skrismem_err: 65755714Skris SSLerr(SSL_F_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE); 65855714Skris return(0); 65955714Skris } 66055714Skris 66155714Skrisstatic int server_hello(SSL *s) 66255714Skris { 66355714Skris unsigned char *p,*d; 66455714Skris int n,hit; 66555714Skris STACK_OF(SSL_CIPHER) *sk; 66655714Skris 66755714Skris p=(unsigned char *)s->init_buf->data; 66855714Skris if (s->state == SSL2_ST_SEND_SERVER_HELLO_A) 66955714Skris { 67055714Skris d=p+11; 67155714Skris *(p++)=SSL2_MT_SERVER_HELLO; /* type */ 67255714Skris hit=s->hit; 67355714Skris *(p++)=(unsigned char)hit; 67455714Skris#if 1 67555714Skris if (!hit) 67655714Skris { 67755714Skris if (s->session->sess_cert != NULL) 67855714Skris /* This can't really happen because get_client_hello 67955714Skris * has called ssl_get_new_session, which does not set 68055714Skris * sess_cert. */ 68155714Skris ssl_sess_cert_free(s->session->sess_cert); 68255714Skris s->session->sess_cert = ssl_sess_cert_new(); 68355714Skris if (s->session->sess_cert == NULL) 68455714Skris { 68555714Skris SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE); 68655714Skris return(-1); 68755714Skris } 68855714Skris } 68955714Skris /* If 'hit' is set, then s->sess_cert may be non-NULL or NULL, 69055714Skris * depending on whether it survived in the internal cache 69155714Skris * or was retrieved from an external cache. 69255714Skris * If it is NULL, we cannot put any useful data in it anyway, 69355714Skris * so we don't touch it. 69455714Skris */ 69555714Skris 69655714Skris#else /* That's what used to be done when cert_st and sess_cert_st were 69755714Skris * the same. */ 69855714Skris if (!hit) 69955714Skris { /* else add cert to session */ 70055714Skris CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT); 70155714Skris if (s->session->sess_cert != NULL) 70255714Skris ssl_cert_free(s->session->sess_cert); 70355714Skris s->session->sess_cert=s->cert; 70455714Skris } 70555714Skris else /* We have a session id-cache hit, if the 70655714Skris * session-id has no certificate listed against 70755714Skris * the 'cert' structure, grab the 'old' one 70855714Skris * listed against the SSL connection */ 70955714Skris { 71055714Skris if (s->session->sess_cert == NULL) 71155714Skris { 71255714Skris CRYPTO_add(&s->cert->references,1, 71355714Skris CRYPTO_LOCK_SSL_CERT); 71455714Skris s->session->sess_cert=s->cert; 71555714Skris } 71655714Skris } 71755714Skris#endif 71855714Skris 71955714Skris if (s->cert == NULL) 72055714Skris { 72155714Skris ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE); 72255714Skris SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED); 72355714Skris return(-1); 72455714Skris } 72555714Skris 72655714Skris if (hit) 72755714Skris { 72855714Skris *(p++)=0; /* no certificate type */ 72955714Skris s2n(s->version,p); /* version */ 73055714Skris s2n(0,p); /* cert len */ 73155714Skris s2n(0,p); /* ciphers len */ 73255714Skris } 73355714Skris else 73455714Skris { 73555714Skris /* EAY EAY */ 73655714Skris /* put certificate type */ 73755714Skris *(p++)=SSL2_CT_X509_CERTIFICATE; 73855714Skris s2n(s->version,p); /* version */ 73955714Skris n=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL); 74055714Skris s2n(n,p); /* certificate length */ 74155714Skris i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&d); 74255714Skris n=0; 74355714Skris 74455714Skris /* lets send out the ciphers we like in the 74555714Skris * prefered order */ 74655714Skris sk= s->session->ciphers; 74755714Skris n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d); 74855714Skris d+=n; 74955714Skris s2n(n,p); /* add cipher length */ 75055714Skris } 75155714Skris 75255714Skris /* make and send conn_id */ 75355714Skris s2n(SSL2_CONNECTION_ID_LENGTH,p); /* add conn_id length */ 75455714Skris s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH; 75559194Skris RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length); 75655714Skris memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH); 75755714Skris d+=SSL2_CONNECTION_ID_LENGTH; 75855714Skris 75955714Skris s->state=SSL2_ST_SEND_SERVER_HELLO_B; 76055714Skris s->init_num=d-(unsigned char *)s->init_buf->data; 76155714Skris s->init_off=0; 76255714Skris } 76355714Skris /* SSL2_ST_SEND_SERVER_HELLO_B */ 76459194Skris /* If we are using TCP/IP, the performance is bad if we do 2 76555714Skris * writes without a read between them. This occurs when 76655714Skris * Session-id reuse is used, so I will put in a buffering module 76755714Skris */ 76855714Skris if (s->hit) 76955714Skris { 77055714Skris if (!ssl_init_wbio_buffer(s,1)) return(-1); 77155714Skris } 77255714Skris 77355714Skris return(ssl2_do_write(s)); 77455714Skris } 77555714Skris 77655714Skrisstatic int get_client_finished(SSL *s) 77755714Skris { 77855714Skris unsigned char *p; 77989840Skris int i, n; 78089840Skris unsigned long len; 78155714Skris 78255714Skris p=(unsigned char *)s->init_buf->data; 78355714Skris if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A) 78455714Skris { 78555714Skris i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num); 78655714Skris if (i < 1-s->init_num) 78755714Skris return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i)); 78889840Skris s->init_num += i; 78955714Skris 79055714Skris if (*p != SSL2_MT_CLIENT_FINISHED) 79155714Skris { 79255714Skris if (*p != SSL2_MT_ERROR) 79355714Skris { 79455714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 79555714Skris SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE); 79655714Skris } 79755714Skris else 79855714Skris SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR); 79955714Skris return(-1); 80055714Skris } 80155714Skris s->state=SSL2_ST_GET_CLIENT_FINISHED_B; 80255714Skris } 80355714Skris 80455714Skris /* SSL2_ST_GET_CLIENT_FINISHED_B */ 80589840Skris len = 1 + (unsigned long)s->s2->conn_id_length; 80689840Skris n = (int)len - s->init_num; 80789840Skris i = ssl2_read(s,(char *)&(p[s->init_num]),n); 80889840Skris if (i < n) 80955714Skris { 81055714Skris return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i)); 81155714Skris } 81289840Skris p += 1; 81355714Skris if (memcmp(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length) != 0) 81455714Skris { 81555714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 81655714Skris SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT); 81755714Skris return(-1); 81855714Skris } 81955714Skris return(1); 82055714Skris } 82155714Skris 82255714Skrisstatic int server_verify(SSL *s) 82355714Skris { 82455714Skris unsigned char *p; 82555714Skris 82655714Skris if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A) 82755714Skris { 82855714Skris p=(unsigned char *)s->init_buf->data; 82955714Skris *(p++)=SSL2_MT_SERVER_VERIFY; 83055714Skris memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length); 83155714Skris /* p+=s->s2->challenge_length; */ 83255714Skris 83355714Skris s->state=SSL2_ST_SEND_SERVER_VERIFY_B; 83455714Skris s->init_num=s->s2->challenge_length+1; 83555714Skris s->init_off=0; 83655714Skris } 83755714Skris return(ssl2_do_write(s)); 83855714Skris } 83955714Skris 84055714Skrisstatic int server_finish(SSL *s) 84155714Skris { 84255714Skris unsigned char *p; 84355714Skris 84455714Skris if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A) 84555714Skris { 84655714Skris p=(unsigned char *)s->init_buf->data; 84755714Skris *(p++)=SSL2_MT_SERVER_FINISHED; 84855714Skris 84955714Skris memcpy(p,s->session->session_id, 85055714Skris (unsigned int)s->session->session_id_length); 85155714Skris /* p+=s->session->session_id_length; */ 85255714Skris 85355714Skris s->state=SSL2_ST_SEND_SERVER_FINISHED_B; 85455714Skris s->init_num=s->session->session_id_length+1; 85555714Skris s->init_off=0; 85655714Skris } 85755714Skris 85855714Skris /* SSL2_ST_SEND_SERVER_FINISHED_B */ 85955714Skris return(ssl2_do_write(s)); 86055714Skris } 86155714Skris 86255714Skris/* send the request and check the response */ 86355714Skrisstatic int request_certificate(SSL *s) 86455714Skris { 86555714Skris unsigned char *p,*p2,*buf2; 86655714Skris unsigned char *ccd; 86755714Skris int i,j,ctype,ret= -1; 86889840Skris unsigned long len; 86955714Skris X509 *x509=NULL; 87055714Skris STACK_OF(X509) *sk=NULL; 87155714Skris 87255714Skris ccd=s->s2->tmp.ccl; 87355714Skris if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A) 87455714Skris { 87555714Skris p=(unsigned char *)s->init_buf->data; 87655714Skris *(p++)=SSL2_MT_REQUEST_CERTIFICATE; 87755714Skris *(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION; 87859194Skris RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); 87955714Skris memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); 88055714Skris 88155714Skris s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B; 88255714Skris s->init_num=SSL2_MIN_CERT_CHALLENGE_LENGTH+2; 88355714Skris s->init_off=0; 88455714Skris } 88555714Skris 88655714Skris if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B) 88755714Skris { 88855714Skris i=ssl2_do_write(s); 88955714Skris if (i <= 0) 89055714Skris { 89155714Skris ret=i; 89255714Skris goto end; 89355714Skris } 89455714Skris 89555714Skris s->init_num=0; 89655714Skris s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_C; 89755714Skris } 89855714Skris 89955714Skris if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C) 90055714Skris { 90155714Skris p=(unsigned char *)s->init_buf->data; 90289840Skris i=ssl2_read(s,(char *)&(p[s->init_num]),6-s->init_num); /* try to read 6 octets ... */ 90389840Skris if (i < 3-s->init_num) /* ... but don't call ssl2_part_read now if we got at least 3 90489840Skris * (probably NO-CERTIFICATE-ERROR) */ 90555714Skris { 90655714Skris ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i); 90755714Skris goto end; 90855714Skris } 90989840Skris s->init_num += i; 91055714Skris 91189840Skris if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR)) 91255714Skris { 91355714Skris n2s(p,i); 91489840Skris if (i != SSL2_PE_NO_CERTIFICATE) 91589840Skris { 91689840Skris /* not the error message we expected -- let ssl2_part_read handle it */ 91789840Skris s->init_num -= 3; 91889840Skris ret = ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE, 3); 91989840Skris goto end; 92089840Skris } 92189840Skris 92289840Skris /* this is the one place where we can recover from an SSL 2.0 error */ 92389840Skris 92455714Skris if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) 92555714Skris { 92655714Skris ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE); 92755714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 92855714Skris goto end; 92955714Skris } 93055714Skris ret=1; 93155714Skris goto end; 93255714Skris } 93389840Skris if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6)) 93455714Skris { 93555714Skris ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); 93655714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_SHORT_READ); 93755714Skris goto end; 93855714Skris } 93989840Skris if (s->init_num != 6) 94089840Skris { 94189840Skris SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_INTERNAL_ERROR); 94289840Skris goto end; 94389840Skris } 94489840Skris 94555714Skris /* ok we have a response */ 94655714Skris /* certificate type, there is only one right now. */ 94755714Skris ctype= *(p++); 94855714Skris if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) 94955714Skris { 95055714Skris ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE); 95155714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_RESPONSE_ARGUMENT); 95255714Skris goto end; 95355714Skris } 95455714Skris n2s(p,i); s->s2->tmp.clen=i; 95555714Skris n2s(p,i); s->s2->tmp.rlen=i; 95655714Skris s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_D; 95755714Skris } 95855714Skris 95955714Skris /* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */ 96055714Skris p=(unsigned char *)s->init_buf->data; 96189840Skris len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen; 96289840Skris if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) 96389840Skris { 96489840Skris SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG); 96589840Skris goto end; 96689840Skris } 96789840Skris j = (int)len - s->init_num; 96889840Skris i = ssl2_read(s,(char *)&(p[s->init_num]),j); 96955714Skris if (i < j) 97055714Skris { 97155714Skris ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i); 97255714Skris goto end; 97355714Skris } 97489840Skris p += 6; 97555714Skris 97655714Skris x509=(X509 *)d2i_X509(NULL,&p,(long)s->s2->tmp.clen); 97755714Skris if (x509 == NULL) 97855714Skris { 97955714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_X509_LIB); 98055714Skris goto msg_end; 98155714Skris } 98255714Skris 98355714Skris if (((sk=sk_X509_new_null()) == NULL) || (!sk_X509_push(sk,x509))) 98455714Skris { 98555714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE); 98655714Skris goto msg_end; 98755714Skris } 98855714Skris 98955714Skris i=ssl_verify_cert_chain(s,sk); 99055714Skris 99155714Skris if (i) /* we like the packet, now check the chksum */ 99255714Skris { 99355714Skris EVP_MD_CTX ctx; 99455714Skris EVP_PKEY *pkey=NULL; 99555714Skris 99655714Skris EVP_VerifyInit(&ctx,s->ctx->rsa_md5); 99755714Skris EVP_VerifyUpdate(&ctx,s->s2->key_material, 99855714Skris (unsigned int)s->s2->key_material_length); 99955714Skris EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); 100055714Skris 100155714Skris i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL); 100268654Skris buf2=OPENSSL_malloc((unsigned int)i); 100355714Skris if (buf2 == NULL) 100455714Skris { 100555714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE); 100655714Skris goto msg_end; 100755714Skris } 100855714Skris p2=buf2; 100955714Skris i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2); 101055714Skris EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i); 101168654Skris OPENSSL_free(buf2); 101255714Skris 101355714Skris pkey=X509_get_pubkey(x509); 101455714Skris if (pkey == NULL) goto end; 101555714Skris i=EVP_VerifyFinal(&ctx,p,s->s2->tmp.rlen,pkey); 101655714Skris EVP_PKEY_free(pkey); 101755714Skris memset(&ctx,0,sizeof(ctx)); 101855714Skris 101955714Skris if (i) 102055714Skris { 102155714Skris if (s->session->peer != NULL) 102255714Skris X509_free(s->session->peer); 102355714Skris s->session->peer=x509; 102455714Skris CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509); 102559194Skris s->session->verify_result = s->verify_result; 102655714Skris ret=1; 102755714Skris goto end; 102855714Skris } 102955714Skris else 103055714Skris { 103155714Skris SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_CHECKSUM); 103255714Skris goto msg_end; 103355714Skris } 103455714Skris } 103555714Skris else 103655714Skris { 103755714Skrismsg_end: 103855714Skris ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE); 103955714Skris } 104055714Skrisend: 104155714Skris sk_X509_free(sk); 104255714Skris X509_free(x509); 104355714Skris return(ret); 104455714Skris } 104555714Skris 104655714Skrisstatic int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, 104755714Skris unsigned char *to, int padding) 104855714Skris { 104955714Skris RSA *rsa; 105055714Skris int i; 105155714Skris 105255714Skris if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)) 105355714Skris { 105455714Skris SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_NO_PRIVATEKEY); 105555714Skris return(-1); 105655714Skris } 105755714Skris if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA) 105855714Skris { 105955714Skris SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA); 106055714Skris return(-1); 106155714Skris } 106255714Skris rsa=c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa; 106355714Skris 106455714Skris /* we have the public key */ 106555714Skris i=RSA_private_decrypt(len,from,to,rsa,padding); 106655714Skris if (i < 0) 106755714Skris SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB); 106855714Skris return(i); 106955714Skris } 107059194Skris#else /* !NO_SSL2 */ 107159194Skris 107259194Skris# if PEDANTIC 107359194Skrisstatic void *dummy=&dummy; 107459194Skris# endif 107559194Skris 107655714Skris#endif 1077