Symaptic: os/ossrv/ssl/libssl/src/s2_srvr.c@bde4ae8d615e (annotated)

sl@0	1	/* ssl/s2_srvr.c */
sl@0	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
sl@0	3	* All rights reserved.
sl@0	4	*
sl@0	5	* This package is an SSL implementation written
sl@0	6	* by Eric Young (eay@cryptsoft.com).
sl@0	7	* The implementation was written so as to conform with Netscapes SSL.
sl@0	8	*
sl@0	9	* This library is free for commercial and non-commercial use as long as
sl@0	10	* the following conditions are aheared to. The following conditions
sl@0	11	* apply to all code found in this distribution, be it the RC4, RSA,
sl@0	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
sl@0	13	* included with this distribution is covered by the same copyright terms
sl@0	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
sl@0	15	*
sl@0	16	* Copyright remains Eric Young's, and as such any Copyright notices in
sl@0	17	* the code are not to be removed.
sl@0	18	* If this package is used in a product, Eric Young should be given attribution
sl@0	19	* as the author of the parts of the library used.
sl@0	20	* This can be in the form of a textual message at program startup or
sl@0	21	* in documentation (online or textual) provided with the package.
sl@0	22	*
sl@0	23	* Redistribution and use in source and binary forms, with or without
sl@0	24	* modification, are permitted provided that the following conditions
sl@0	25	* are met:
sl@0	26	* 1. Redistributions of source code must retain the copyright
sl@0	27	* notice, this list of conditions and the following disclaimer.
sl@0	28	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	29	* notice, this list of conditions and the following disclaimer in the
sl@0	30	* documentation and/or other materials provided with the distribution.
sl@0	31	* 3. All advertising materials mentioning features or use of this software
sl@0	32	* must display the following acknowledgement:
sl@0	33	* "This product includes cryptographic software written by
sl@0	34	* Eric Young (eay@cryptsoft.com)"
sl@0	35	* The word 'cryptographic' can be left out if the rouines from the library
sl@0	36	* being used are not cryptographic related :-).
sl@0	37	* 4. If you include any Windows specific code (or a derivative thereof) from
sl@0	38	* the apps directory (application code) you must include an acknowledgement:
sl@0	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
sl@0	40	*
sl@0	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
sl@0	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
sl@0	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
sl@0	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
sl@0	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
sl@0	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
sl@0	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
sl@0	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
sl@0	51	* SUCH DAMAGE.
sl@0	52	*
sl@0	53	* The licence and distribution terms for any publically available version or
sl@0	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
sl@0	55	* copied and put under another distribution licence
sl@0	56	* [including the GNU Public Licence.]
sl@0	57	*/
sl@0	58	/* ====================================================================
sl@0	59	* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
sl@0	60	*
sl@0	61	* Redistribution and use in source and binary forms, with or without
sl@0	62	* modification, are permitted provided that the following conditions
sl@0	63	* are met:
sl@0	64	*
sl@0	65	* 1. Redistributions of source code must retain the above copyright
sl@0	66	* notice, this list of conditions and the following disclaimer.
sl@0	67	*
sl@0	68	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	69	* notice, this list of conditions and the following disclaimer in
sl@0	70	* the documentation and/or other materials provided with the
sl@0	71	* distribution.
sl@0	72	*
sl@0	73	* 3. All advertising materials mentioning features or use of this
sl@0	74	* software must display the following acknowledgment:
sl@0	75	* "This product includes software developed by the OpenSSL Project
sl@0	76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
sl@0	77	*
sl@0	78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0	79	* endorse or promote products derived from this software without
sl@0	80	* prior written permission. For written permission, please contact
sl@0	81	* openssl-core@openssl.org.
sl@0	82	*
sl@0	83	* 5. Products derived from this software may not be called "OpenSSL"
sl@0	84	* nor may "OpenSSL" appear in their names without prior written
sl@0	85	* permission of the OpenSSL Project.
sl@0	86	*
sl@0	87	* 6. Redistributions of any form whatsoever must retain the following
sl@0	88	* acknowledgment:
sl@0	89	* "This product includes software developed by the OpenSSL Project
sl@0	90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
sl@0	91	*
sl@0	92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0	93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0	95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0	96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0	97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0	98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0	99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0	101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0	102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0	103	* OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0	104	* ====================================================================
sl@0	105	*
sl@0	106	* This product includes cryptographic software written by Eric Young
sl@0	107	* (eay@cryptsoft.com). This product includes software written by Tim
sl@0	108	* Hudson (tjh@cryptsoft.com).
sl@0	109	*
sl@0	110	*/
sl@0	111	/*
sl@0	112	© Portions copyright (c) 2006 Nokia Corporation. All rights reserved.
sl@0	113	*/
sl@0	114
sl@0	115	#include "ssl_locl.h"
sl@0	116	#ifndef OPENSSL_NO_SSL2
sl@0	117	#include <stdio.h>
sl@0	118	#include <openssl/bio.h>
sl@0	119	#include <openssl/rand.h>
sl@0	120	#include <openssl/objects.h>
sl@0	121	#include <openssl/evp.h>
sl@0	122
sl@0	123	#if (defined(SYMBIAN) && (defined(__WINSCW__) \|\| defined(__WINS__)))
sl@0	124	#include "libssl_wsd.h"
sl@0	125	#endif
sl@0	126
sl@0	127	#ifdef EMULATOR
sl@0	128
sl@0	129	GET_STATIC_VAR_FROM_TLS(SSLv2_server_method_data,s2_srvr,SSL_METHOD)
sl@0	130
sl@0	131	#define SSLv2_server_method_data (*GET_WSD_VAR_NAME(SSLv2_server_method_data,s2_srvr,s)())
sl@0	132
sl@0	133	#endif
sl@0	134	static SSL_METHOD *ssl2_get_server_method(int ver);
sl@0	135	static int get_client_master_key(SSL *s);
sl@0	136	static int get_client_hello(SSL *s);
sl@0	137	static int server_hello(SSL *s);
sl@0	138	static int get_client_finished(SSL *s);
sl@0	139	static int server_verify(SSL *s);
sl@0	140	static int server_finish(SSL *s);
sl@0	141	static int request_certificate(SSL *s);
sl@0	142	static int ssl_rsa_private_decrypt(CERT c, int len, unsigned char from,
sl@0	143	unsigned char *to,int padding);
sl@0	144	#define BREAK break
sl@0	145
sl@0	146	static SSL_METHOD *ssl2_get_server_method(int ver)
sl@0	147	{
sl@0	148	if (ver == SSL2_VERSION)
sl@0	149	return(SSLv2_server_method());
sl@0	150	else
sl@0	151	return(NULL);
sl@0	152	}
sl@0	153
sl@0	154	EXPORT_C IMPLEMENT_ssl2_meth_func(SSLv2_server_method,
sl@0	155	ssl2_accept,
sl@0	156	ssl_undefined_function,
sl@0	157	ssl2_get_server_method)
sl@0	158
sl@0	159	int ssl2_accept(SSL *s)
sl@0	160	{
sl@0	161	unsigned long l=(unsigned long)time(NULL);
sl@0	162	BUF_MEM *buf=NULL;
sl@0	163	int ret= -1;
sl@0	164	long num1;
sl@0	165	void (cb)(const SSL ssl,int type,int val)=NULL;
sl@0	166	int new_state,state;
sl@0	167
sl@0	168	RAND_add(&l,sizeof(l),0);
sl@0	169	ERR_clear_error();
sl@0	170	clear_sys_error();
sl@0	171
sl@0	172	if (s->info_callback != NULL)
sl@0	173	cb=s->info_callback;
sl@0	174	else if (s->ctx->info_callback != NULL)
sl@0	175	cb=s->ctx->info_callback;
sl@0	176
sl@0	177	/* init things to blank */
sl@0	178	s->in_handshake++;
sl@0	179	if (!SSL_in_init(s) \|\| SSL_in_before(s)) SSL_clear(s);
sl@0	180
sl@0	181	if (s->cert == NULL)
sl@0	182	{
sl@0	183	SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
sl@0	184	return(-1);
sl@0	185	}
sl@0	186
sl@0	187	clear_sys_error();
sl@0	188	for (;;)
sl@0	189	{
sl@0	190	state=s->state;
sl@0	191
sl@0	192	switch (s->state)
sl@0	193	{
sl@0	194	case SSL_ST_BEFORE:
sl@0	195	case SSL_ST_ACCEPT:
sl@0	196	case SSL_ST_BEFORE\|SSL_ST_ACCEPT:
sl@0	197	case SSL_ST_OK\|SSL_ST_ACCEPT:
sl@0	198
sl@0	199	s->server=1;
sl@0	200	if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
sl@0	201
sl@0	202	s->version=SSL2_VERSION;
sl@0	203	s->type=SSL_ST_ACCEPT;
sl@0	204
sl@0	205	buf=s->init_buf;
sl@0	206	if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
sl@0	207	{ ret= -1; goto end; }
sl@0	208	if (!BUF_MEM_grow(buf,(int)
sl@0	209	SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
sl@0	210	{ ret= -1; goto end; }
sl@0	211	s->init_buf=buf;
sl@0	212	s->init_num=0;
sl@0	213	s->ctx->stats.sess_accept++;
sl@0	214	s->handshake_func=ssl2_accept;
sl@0	215	s->state=SSL2_ST_GET_CLIENT_HELLO_A;
sl@0	216	BREAK;
sl@0	217
sl@0	218	case SSL2_ST_GET_CLIENT_HELLO_A:
sl@0	219	case SSL2_ST_GET_CLIENT_HELLO_B:
sl@0	220	case SSL2_ST_GET_CLIENT_HELLO_C:
sl@0	221	s->shutdown=0;
sl@0	222	ret=get_client_hello(s);
sl@0	223	if (ret <= 0) goto end;
sl@0	224	s->init_num=0;
sl@0	225	s->state=SSL2_ST_SEND_SERVER_HELLO_A;
sl@0	226	BREAK;
sl@0	227
sl@0	228	case SSL2_ST_SEND_SERVER_HELLO_A:
sl@0	229	case SSL2_ST_SEND_SERVER_HELLO_B:
sl@0	230	ret=server_hello(s);
sl@0	231	if (ret <= 0) goto end;
sl@0	232	s->init_num=0;
sl@0	233	if (!s->hit)
sl@0	234	{
sl@0	235	s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_A;
sl@0	236	BREAK;
sl@0	237	}
sl@0	238	else
sl@0	239	{
sl@0	240	s->state=SSL2_ST_SERVER_START_ENCRYPTION;
sl@0	241	BREAK;
sl@0	242	}
sl@0	243	case SSL2_ST_GET_CLIENT_MASTER_KEY_A:
sl@0	244	case SSL2_ST_GET_CLIENT_MASTER_KEY_B:
sl@0	245	ret=get_client_master_key(s);
sl@0	246	if (ret <= 0) goto end;
sl@0	247	s->init_num=0;
sl@0	248	s->state=SSL2_ST_SERVER_START_ENCRYPTION;
sl@0	249	BREAK;
sl@0	250
sl@0	251	case SSL2_ST_SERVER_START_ENCRYPTION:
sl@0	252	/* Ok we how have sent all the stuff needed to
sl@0	253	* start encrypting, the next packet back will
sl@0	254	* be encrypted. */
sl@0	255	if (!ssl2_enc_init(s,0))
sl@0	256	{ ret= -1; goto end; }
sl@0	257	s->s2->clear_text=0;
sl@0	258	s->state=SSL2_ST_SEND_SERVER_VERIFY_A;
sl@0	259	BREAK;
sl@0	260
sl@0	261	case SSL2_ST_SEND_SERVER_VERIFY_A:
sl@0	262	case SSL2_ST_SEND_SERVER_VERIFY_B:
sl@0	263	ret=server_verify(s);
sl@0	264	if (ret <= 0) goto end;
sl@0	265	s->init_num=0;
sl@0	266	if (s->hit)
sl@0	267	{
sl@0	268	/* If we are in here, we have been
sl@0	269	* buffering the output, so we need to
sl@0	270	* flush it and remove buffering from
sl@0	271	* future traffic */
sl@0	272	s->state=SSL2_ST_SEND_SERVER_VERIFY_C;
sl@0	273	BREAK;
sl@0	274	}
sl@0	275	else
sl@0	276	{
sl@0	277	s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
sl@0	278	break;
sl@0	279	}
sl@0	280
sl@0	281	case SSL2_ST_SEND_SERVER_VERIFY_C:
sl@0	282	/* get the number of bytes to write */
sl@0	283	num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
sl@0	284	if (num1 != 0)
sl@0	285	{
sl@0	286	s->rwstate=SSL_WRITING;
sl@0	287	num1=BIO_flush(s->wbio);
sl@0	288	if (num1 <= 0) { ret= -1; goto end; }
sl@0	289	s->rwstate=SSL_NOTHING;
sl@0	290	}
sl@0	291
sl@0	292	/* flushed and now remove buffering */
sl@0	293	s->wbio=BIO_pop(s->wbio);
sl@0	294
sl@0	295	s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
sl@0	296	BREAK;
sl@0	297
sl@0	298	case SSL2_ST_GET_CLIENT_FINISHED_A:
sl@0	299	case SSL2_ST_GET_CLIENT_FINISHED_B:
sl@0	300	ret=get_client_finished(s);
sl@0	301	if (ret <= 0)
sl@0	302	goto end;
sl@0	303	s->init_num=0;
sl@0	304	s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_A;
sl@0	305	BREAK;
sl@0	306
sl@0	307	case SSL2_ST_SEND_REQUEST_CERTIFICATE_A:
sl@0	308	case SSL2_ST_SEND_REQUEST_CERTIFICATE_B:
sl@0	309	case SSL2_ST_SEND_REQUEST_CERTIFICATE_C:
sl@0	310	case SSL2_ST_SEND_REQUEST_CERTIFICATE_D:
sl@0	311	/* don't do a 'request certificate' if we
sl@0	312	* don't want to, or we already have one, and
sl@0	313	* we only want to do it once. */
sl@0	314	if (!(s->verify_mode & SSL_VERIFY_PEER) \|\|
sl@0	315	((s->session->peer != NULL) &&
sl@0	316	(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
sl@0	317	{
sl@0	318	s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
sl@0	319	break;
sl@0	320	}
sl@0	321	else
sl@0	322	{
sl@0	323	ret=request_certificate(s);
sl@0	324	if (ret <= 0) goto end;
sl@0	325	s->init_num=0;
sl@0	326	s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
sl@0	327	}
sl@0	328	BREAK;
sl@0	329
sl@0	330	case SSL2_ST_SEND_SERVER_FINISHED_A:
sl@0	331	case SSL2_ST_SEND_SERVER_FINISHED_B:
sl@0	332	ret=server_finish(s);
sl@0	333	if (ret <= 0) goto end;
sl@0	334	s->init_num=0;
sl@0	335	s->state=SSL_ST_OK;
sl@0	336	break;
sl@0	337
sl@0	338	case SSL_ST_OK:
sl@0	339	BUF_MEM_free(s->init_buf);
sl@0	340	ssl_free_wbio_buffer(s);
sl@0	341	s->init_buf=NULL;
sl@0	342	s->init_num=0;
sl@0	343	/* ERR_clear_error();*/
sl@0	344
sl@0	345	ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
sl@0	346
sl@0	347	s->ctx->stats.sess_accept_good++;
sl@0	348	/* s->server=1; */
sl@0	349	ret=1;
sl@0	350
sl@0	351	if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
sl@0	352
sl@0	353	goto end;
sl@0	354	/* BREAK; */
sl@0	355
sl@0	356	default:
sl@0	357	SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_UNKNOWN_STATE);
sl@0	358	ret= -1;
sl@0	359	goto end;
sl@0	360	/* BREAK; */
sl@0	361	}
sl@0	362
sl@0	363	if ((cb != NULL) && (s->state != state))
sl@0	364	{
sl@0	365	new_state=s->state;
sl@0	366	s->state=state;
sl@0	367	cb(s,SSL_CB_ACCEPT_LOOP,1);
sl@0	368	s->state=new_state;
sl@0	369	}
sl@0	370	}
sl@0	371	end:
sl@0	372	s->in_handshake--;
sl@0	373	if (cb != NULL)
sl@0	374	cb(s,SSL_CB_ACCEPT_EXIT,ret);
sl@0	375	return(ret);
sl@0	376	}
sl@0	377
sl@0	378	static int get_client_master_key(SSL *s)
sl@0	379	{
sl@0	380	int is_export,i,n,keya,ek;
sl@0	381	unsigned long len;
sl@0	382	unsigned char *p;
sl@0	383	SSL_CIPHER *cp;
sl@0	384	const EVP_CIPHER *c;
sl@0	385	const EVP_MD *md;
sl@0	386
sl@0	387	p=(unsigned char *)s->init_buf->data;
sl@0	388	if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A)
sl@0	389	{
sl@0	390	i=ssl2_read(s,(char *)&(p[s->init_num]),10-s->init_num);
sl@0	391
sl@0	392	if (i < (10-s->init_num))
sl@0	393	return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
sl@0	394	s->init_num = 10;
sl@0	395
sl@0	396	if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY)
sl@0	397	{
sl@0	398	if (p[-1] != SSL2_MT_ERROR)
sl@0	399	{
sl@0	400	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	401	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_READ_WRONG_PACKET_TYPE);
sl@0	402	}
sl@0	403	else
sl@0	404	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR);
sl@0	405	return(-1);
sl@0	406	}
sl@0	407
sl@0	408	cp=ssl2_get_cipher_by_char(p);
sl@0	409	if (cp == NULL)
sl@0	410	{
sl@0	411	ssl2_return_error(s,SSL2_PE_NO_CIPHER);
sl@0	412	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
sl@0	413	return(-1);
sl@0	414	}
sl@0	415	s->session->cipher= cp;
sl@0	416
sl@0	417	p+=3;
sl@0	418	n2s(p,i); s->s2->tmp.clear=i;
sl@0	419	n2s(p,i); s->s2->tmp.enc=i;
sl@0	420	n2s(p,i); s->session->key_arg_length=i;
sl@0	421	if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
sl@0	422	{
sl@0	423	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	424	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
sl@0	425	return -1;
sl@0	426	}
sl@0	427	s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
sl@0	428	}
sl@0	429
sl@0	430	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
sl@0	431	p=(unsigned char *)s->init_buf->data;
sl@0	432	if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
sl@0	433	{
sl@0	434	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	435	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
sl@0	436	return -1;
sl@0	437	}
sl@0	438	keya=s->session->key_arg_length;
sl@0	439	len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
sl@0	440	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
sl@0	441	{
sl@0	442	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	443	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
sl@0	444	return -1;
sl@0	445	}
sl@0	446	n = (int)len - s->init_num;
sl@0	447	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
sl@0	448	if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
sl@0	449	if (s->msg_callback)
sl@0	450	s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-MASTER-KEY */
sl@0	451	p += 10;
sl@0	452
sl@0	453	memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]),
sl@0	454	(unsigned int)keya);
sl@0	455
sl@0	456	if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)
sl@0	457	{
sl@0	458	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	459	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
sl@0	460	return(-1);
sl@0	461	}
sl@0	462	i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
sl@0	463	&(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
sl@0	464	(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
sl@0	465
sl@0	466	is_export=SSL_C_IS_EXPORT(s->session->cipher);
sl@0	467
sl@0	468	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
sl@0	469	{
sl@0	470	ssl2_return_error(s,SSL2_PE_NO_CIPHER);
sl@0	471	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
sl@0	472	return(0);
sl@0	473	}
sl@0	474
sl@0	475	if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
sl@0	476	{
sl@0	477	is_export=1;
sl@0	478	ek=8;
sl@0	479	}
sl@0	480	else
sl@0	481	ek=5;
sl@0	482
sl@0	483	/* bad decrypt */
sl@0	484	#if 1
sl@0	485	/* If a bad decrypt, continue with protocol but with a
sl@0	486	* random master secret (Bleichenbacher attack) */
sl@0	487	if ((i < 0) \|\|
sl@0	488	((!is_export && (i != EVP_CIPHER_key_length(c)))
sl@0	489	\|\| (is_export && ((i != ek) \|\| (s->s2->tmp.clear+(unsigned int)i !=
sl@0	490	(unsigned int)EVP_CIPHER_key_length(c))))))
sl@0	491	{
sl@0	492	ERR_clear_error();
sl@0	493	if (is_export)
sl@0	494	i=ek;
sl@0	495	else
sl@0	496	i=EVP_CIPHER_key_length(c);
sl@0	497	if (RAND_pseudo_bytes(p,i) <= 0)
sl@0	498	return 0;
sl@0	499	}
sl@0	500	#else
sl@0	501	if (i < 0)
sl@0	502	{
sl@0	503	error=1;
sl@0	504	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_RSA_DECRYPT);
sl@0	505	}
sl@0	506	/* incorrect number of key bytes for non export cipher */
sl@0	507	else if ((!is_export && (i != EVP_CIPHER_key_length(c)))
sl@0	508	\|\| (is_export && ((i != ek) \|\| (s->s2->tmp.clear+i !=
sl@0	509	EVP_CIPHER_key_length(c)))))
sl@0	510	{
sl@0	511	error=1;
sl@0	512	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_WRONG_NUMBER_OF_KEY_BITS);
sl@0	513	}
sl@0	514	if (error)
sl@0	515	{
sl@0	516	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	517	return(-1);
sl@0	518	}
sl@0	519	#endif
sl@0	520
sl@0	521	if (is_export) i+=s->s2->tmp.clear;
sl@0	522
sl@0	523	if (i > SSL_MAX_MASTER_KEY_LENGTH)
sl@0	524	{
sl@0	525	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	526	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
sl@0	527	return -1;
sl@0	528	}
sl@0	529	s->session->master_key_length=i;
sl@0	530	memcpy(s->session->master_key,p,(unsigned int)i);
sl@0	531	return(1);
sl@0	532	}
sl@0	533
sl@0	534	static int get_client_hello(SSL *s)
sl@0	535	{
sl@0	536	int i,n;
sl@0	537	unsigned long len;
sl@0	538	unsigned char *p;
sl@0	539	STACK_OF(SSL_CIPHER) cs; / a stack of SSL_CIPHERS */
sl@0	540	STACK_OF(SSL_CIPHER) cl; / the ones we want to use */
sl@0	541	STACK_OF(SSL_CIPHER) prio, allow;
sl@0	542	int z;
sl@0	543
sl@0	544	/* This is a bit of a hack to check for the correct packet
sl@0	545	* type the first time round. */
sl@0	546	if (s->state == SSL2_ST_GET_CLIENT_HELLO_A)
sl@0	547	{
sl@0	548	s->first_packet=1;
sl@0	549	s->state=SSL2_ST_GET_CLIENT_HELLO_B;
sl@0	550	}
sl@0	551
sl@0	552	p=(unsigned char *)s->init_buf->data;
sl@0	553	if (s->state == SSL2_ST_GET_CLIENT_HELLO_B)
sl@0	554	{
sl@0	555	i=ssl2_read(s,(char *)&(p[s->init_num]),9-s->init_num);
sl@0	556	if (i < (9-s->init_num))
sl@0	557	return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
sl@0	558	s->init_num = 9;
sl@0	559
sl@0	560	if (*(p++) != SSL2_MT_CLIENT_HELLO)
sl@0	561	{
sl@0	562	if (p[-1] != SSL2_MT_ERROR)
sl@0	563	{
sl@0	564	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	565	SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_READ_WRONG_PACKET_TYPE);
sl@0	566	}
sl@0	567	else
sl@0	568	SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_PEER_ERROR);
sl@0	569	return(-1);
sl@0	570	}
sl@0	571	n2s(p,i);
sl@0	572	if (i < s->version) s->version=i;
sl@0	573	n2s(p,i); s->s2->tmp.cipher_spec_length=i;
sl@0	574	n2s(p,i); s->s2->tmp.session_id_length=i;
sl@0	575	n2s(p,i); s->s2->challenge_length=i;
sl@0	576	if ( (i < SSL2_MIN_CHALLENGE_LENGTH) \|\|
sl@0	577	(i > SSL2_MAX_CHALLENGE_LENGTH))
sl@0	578	{
sl@0	579	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	580	SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_INVALID_CHALLENGE_LENGTH);
sl@0	581	return(-1);
sl@0	582	}
sl@0	583	s->state=SSL2_ST_GET_CLIENT_HELLO_C;
sl@0	584	}
sl@0	585
sl@0	586	/* SSL2_ST_GET_CLIENT_HELLO_C */
sl@0	587	p=(unsigned char *)s->init_buf->data;
sl@0	588	len = 9 + (unsigned long)s->s2->tmp.cipher_spec_length + (unsigned long)s->s2->challenge_length + (unsigned long)s->s2->tmp.session_id_length;
sl@0	589	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
sl@0	590	{
sl@0	591	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	592	SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_MESSAGE_TOO_LONG);
sl@0	593	return -1;
sl@0	594	}
sl@0	595	n = (int)len - s->init_num;
sl@0	596	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
sl@0	597	if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
sl@0	598	if (s->msg_callback)
sl@0	599	s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-HELLO */
sl@0	600	p += 9;
sl@0	601
sl@0	602	/* get session-id before cipher stuff so we can get out session
sl@0	603	* structure if it is cached */
sl@0	604	/* session-id */
sl@0	605	if ((s->s2->tmp.session_id_length != 0) &&
sl@0	606	(s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH))
sl@0	607	{
sl@0	608	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	609	SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_BAD_SSL_SESSION_ID_LENGTH);
sl@0	610	return(-1);
sl@0	611	}
sl@0	612
sl@0	613	if (s->s2->tmp.session_id_length == 0)
sl@0	614	{
sl@0	615	if (!ssl_get_new_session(s,1))
sl@0	616	{
sl@0	617	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	618	return(-1);
sl@0	619	}
sl@0	620	}
sl@0	621	else
sl@0	622	{
sl@0	623	i=ssl_get_prev_session(s,&(p[s->s2->tmp.cipher_spec_length]),
sl@0	624	s->s2->tmp.session_id_length, NULL);
sl@0	625	if (i == 1)
sl@0	626	{ /* previous session */
sl@0	627	s->hit=1;
sl@0	628	}
sl@0	629	else if (i == -1)
sl@0	630	{
sl@0	631	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	632	return(-1);
sl@0	633	}
sl@0	634	else
sl@0	635	{
sl@0	636	if (s->cert == NULL)
sl@0	637	{
sl@0	638	ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
sl@0	639	SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_NO_CERTIFICATE_SET);
sl@0	640	return(-1);
sl@0	641	}
sl@0	642
sl@0	643	if (!ssl_get_new_session(s,1))
sl@0	644	{
sl@0	645	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	646	return(-1);
sl@0	647	}
sl@0	648	}
sl@0	649	}
sl@0	650
sl@0	651	if (!s->hit)
sl@0	652	{
sl@0	653	cs=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.cipher_spec_length,
sl@0	654	&s->session->ciphers);
sl@0	655	if (cs == NULL) goto mem_err;
sl@0	656
sl@0	657	cl=SSL_get_ciphers(s);
sl@0	658
sl@0	659	if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
sl@0	660	{
sl@0	661	prio=sk_SSL_CIPHER_dup(cl);
sl@0	662	if (prio == NULL) goto mem_err;
sl@0	663	allow = cs;
sl@0	664	}
sl@0	665	else
sl@0	666	{
sl@0	667	prio = cs;
sl@0	668	allow = cl;
sl@0	669	}
sl@0	670	for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
sl@0	671	{
sl@0	672	if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
sl@0	673	{
sl@0	674	(void)sk_SSL_CIPHER_delete(prio,z);
sl@0	675	z--;
sl@0	676	}
sl@0	677	}
sl@0	678	if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
sl@0	679	{
sl@0	680	sk_SSL_CIPHER_free(s->session->ciphers);
sl@0	681	s->session->ciphers = prio;
sl@0	682	}
sl@0	683	/* s->session->ciphers should now have a list of
sl@0	684	* ciphers that are on both the client and server.
sl@0	685	* This list is ordered by the order the client sent
sl@0	686	* the ciphers or in the order of the server's preference
sl@0	687	* if SSL_OP_CIPHER_SERVER_PREFERENCE was set.
sl@0	688	*/
sl@0	689	}
sl@0	690	p+=s->s2->tmp.cipher_spec_length;
sl@0	691	/* done cipher selection */
sl@0	692
sl@0	693	/* session id extracted already */
sl@0	694	p+=s->s2->tmp.session_id_length;
sl@0	695
sl@0	696	/* challenge */
sl@0	697	if (s->s2->challenge_length > sizeof s->s2->challenge)
sl@0	698	{
sl@0	699	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	700	SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
sl@0	701	return -1;
sl@0	702	}
sl@0	703	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
sl@0	704	return(1);
sl@0	705	mem_err:
sl@0	706	SSLerr(SSL_F_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
sl@0	707	return(0);
sl@0	708	}
sl@0	709
sl@0	710	static int server_hello(SSL *s)
sl@0	711	{
sl@0	712	unsigned char p,d;
sl@0	713	int n,hit;
sl@0	714	STACK_OF(SSL_CIPHER) *sk;
sl@0	715
sl@0	716	p=(unsigned char *)s->init_buf->data;
sl@0	717	if (s->state == SSL2_ST_SEND_SERVER_HELLO_A)
sl@0	718	{
sl@0	719	d=p+11;
sl@0	720	(p++)=SSL2_MT_SERVER_HELLO; / type */
sl@0	721	hit=s->hit;
sl@0	722	*(p++)=(unsigned char)hit;
sl@0	723	#if 1
sl@0	724	if (!hit)
sl@0	725	{
sl@0	726	if (s->session->sess_cert != NULL)
sl@0	727	/* This can't really happen because get_client_hello
sl@0	728	* has called ssl_get_new_session, which does not set
sl@0	729	* sess_cert. */
sl@0	730	ssl_sess_cert_free(s->session->sess_cert);
sl@0	731	s->session->sess_cert = ssl_sess_cert_new();
sl@0	732	if (s->session->sess_cert == NULL)
sl@0	733	{
sl@0	734	SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE);
sl@0	735	return(-1);
sl@0	736	}
sl@0	737	}
sl@0	738	/* If 'hit' is set, then s->sess_cert may be non-NULL or NULL,
sl@0	739	* depending on whether it survived in the internal cache
sl@0	740	* or was retrieved from an external cache.
sl@0	741	* If it is NULL, we cannot put any useful data in it anyway,
sl@0	742	* so we don't touch it.
sl@0	743	*/
sl@0	744
sl@0	745	#else /* That's what used to be done when cert_st and sess_cert_st were
sl@0	746	* the same. */
sl@0	747	if (!hit)
sl@0	748	{ /* else add cert to session */
sl@0	749	CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
sl@0	750	if (s->session->sess_cert != NULL)
sl@0	751	ssl_cert_free(s->session->sess_cert);
sl@0	752	s->session->sess_cert=s->cert;
sl@0	753	}
sl@0	754	else /* We have a session id-cache hit, if the
sl@0	755	* session-id has no certificate listed against
sl@0	756	* the 'cert' structure, grab the 'old' one
sl@0	757	* listed against the SSL connection */
sl@0	758	{
sl@0	759	if (s->session->sess_cert == NULL)
sl@0	760	{
sl@0	761	CRYPTO_add(&s->cert->references,1,
sl@0	762	CRYPTO_LOCK_SSL_CERT);
sl@0	763	s->session->sess_cert=s->cert;
sl@0	764	}
sl@0	765	}
sl@0	766	#endif
sl@0	767
sl@0	768	if (s->cert == NULL)
sl@0	769	{
sl@0	770	ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
sl@0	771	SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED);
sl@0	772	return(-1);
sl@0	773	}
sl@0	774
sl@0	775	if (hit)
sl@0	776	{
sl@0	777	(p++)=0; / no certificate type */
sl@0	778	s2n(s->version,p); /* version */
sl@0	779	s2n(0,p); /* cert len */
sl@0	780	s2n(0,p); /* ciphers len */
sl@0	781	}
sl@0	782	else
sl@0	783	{
sl@0	784	/* EAY EAY */
sl@0	785	/* put certificate type */
sl@0	786	*(p++)=SSL2_CT_X509_CERTIFICATE;
sl@0	787	s2n(s->version,p); /* version */
sl@0	788	n=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
sl@0	789	s2n(n,p); /* certificate length */
sl@0	790	i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&d);
sl@0	791	n=0;
sl@0	792
sl@0	793	/* lets send out the ciphers we like in the
sl@0	794	* prefered order */
sl@0	795	sk= s->session->ciphers;
sl@0	796	n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d,0);
sl@0	797	d+=n;
sl@0	798	s2n(n,p); /* add cipher length */
sl@0	799	}
sl@0	800
sl@0	801	/* make and send conn_id */
sl@0	802	s2n(SSL2_CONNECTION_ID_LENGTH,p); /* add conn_id length */
sl@0	803	s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
sl@0	804	if (RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length) <= 0)
sl@0	805	return -1;
sl@0	806	memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
sl@0	807	d+=SSL2_CONNECTION_ID_LENGTH;
sl@0	808
sl@0	809	s->state=SSL2_ST_SEND_SERVER_HELLO_B;
sl@0	810	s->init_num=d-(unsigned char *)s->init_buf->data;
sl@0	811	s->init_off=0;
sl@0	812	}
sl@0	813	/* SSL2_ST_SEND_SERVER_HELLO_B */
sl@0	814	/* If we are using TCP/IP, the performance is bad if we do 2
sl@0	815	* writes without a read between them. This occurs when
sl@0	816	* Session-id reuse is used, so I will put in a buffering module
sl@0	817	*/
sl@0	818	if (s->hit)
sl@0	819	{
sl@0	820	if (!ssl_init_wbio_buffer(s,1)) return(-1);
sl@0	821	}
sl@0	822
sl@0	823	return(ssl2_do_write(s));
sl@0	824	}
sl@0	825
sl@0	826	static int get_client_finished(SSL *s)
sl@0	827	{
sl@0	828	unsigned char *p;
sl@0	829	int i, n;
sl@0	830	unsigned long len;
sl@0	831
sl@0	832	p=(unsigned char *)s->init_buf->data;
sl@0	833	if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A)
sl@0	834	{
sl@0	835	i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num);
sl@0	836	if (i < 1-s->init_num)
sl@0	837	return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
sl@0	838	s->init_num += i;
sl@0	839
sl@0	840	if (*p != SSL2_MT_CLIENT_FINISHED)
sl@0	841	{
sl@0	842	if (*p != SSL2_MT_ERROR)
sl@0	843	{
sl@0	844	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	845	SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
sl@0	846	}
sl@0	847	else
sl@0	848	{
sl@0	849	SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR);
sl@0	850	/* try to read the error message */
sl@0	851	i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
sl@0	852	return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
sl@0	853	}
sl@0	854	return(-1);
sl@0	855	}
sl@0	856	s->state=SSL2_ST_GET_CLIENT_FINISHED_B;
sl@0	857	}
sl@0	858
sl@0	859	/* SSL2_ST_GET_CLIENT_FINISHED_B */
sl@0	860	if (s->s2->conn_id_length > sizeof s->s2->conn_id)
sl@0	861	{
sl@0	862	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	863	SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
sl@0	864	return -1;
sl@0	865	}
sl@0	866	len = 1 + (unsigned long)s->s2->conn_id_length;
sl@0	867	n = (int)len - s->init_num;
sl@0	868	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
sl@0	869	if (i < n)
sl@0	870	{
sl@0	871	return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
sl@0	872	}
sl@0	873	if (s->msg_callback)
sl@0	874	s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-FINISHED */
sl@0	875	p += 1;
sl@0	876	if (memcmp(p,s->s2->conn_id,s->s2->conn_id_length) != 0)
sl@0	877	{
sl@0	878	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	879	SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT);
sl@0	880	return(-1);
sl@0	881	}
sl@0	882	return(1);
sl@0	883	}
sl@0	884
sl@0	885	static int server_verify(SSL *s)
sl@0	886	{
sl@0	887	unsigned char *p;
sl@0	888
sl@0	889	if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A)
sl@0	890	{
sl@0	891	p=(unsigned char *)s->init_buf->data;
sl@0	892	*(p++)=SSL2_MT_SERVER_VERIFY;
sl@0	893	if (s->s2->challenge_length > sizeof s->s2->challenge)
sl@0	894	{
sl@0	895	SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR);
sl@0	896	return -1;
sl@0	897	}
sl@0	898	memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
sl@0	899	/* p+=s->s2->challenge_length; */
sl@0	900
sl@0	901	s->state=SSL2_ST_SEND_SERVER_VERIFY_B;
sl@0	902	s->init_num=s->s2->challenge_length+1;
sl@0	903	s->init_off=0;
sl@0	904	}
sl@0	905	return(ssl2_do_write(s));
sl@0	906	}
sl@0	907
sl@0	908	static int server_finish(SSL *s)
sl@0	909	{
sl@0	910	unsigned char *p;
sl@0	911
sl@0	912	if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A)
sl@0	913	{
sl@0	914	p=(unsigned char *)s->init_buf->data;
sl@0	915	*(p++)=SSL2_MT_SERVER_FINISHED;
sl@0	916
sl@0	917	if (s->session->session_id_length > sizeof s->session->session_id)
sl@0	918	{
sl@0	919	SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR);
sl@0	920	return -1;
sl@0	921	}
sl@0	922	memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
sl@0	923	/* p+=s->session->session_id_length; */
sl@0	924
sl@0	925	s->state=SSL2_ST_SEND_SERVER_FINISHED_B;
sl@0	926	s->init_num=s->session->session_id_length+1;
sl@0	927	s->init_off=0;
sl@0	928	}
sl@0	929
sl@0	930	/* SSL2_ST_SEND_SERVER_FINISHED_B */
sl@0	931	return(ssl2_do_write(s));
sl@0	932	}
sl@0	933
sl@0	934	/* send the request and check the response */
sl@0	935	static int request_certificate(SSL *s)
sl@0	936	{
sl@0	937	const unsigned char *cp;
sl@0	938	unsigned char p,p2,*buf2;
sl@0	939	unsigned char *ccd;
sl@0	940	int i,j,ctype,ret= -1;
sl@0	941	unsigned long len;
sl@0	942	X509 *x509=NULL;
sl@0	943	STACK_OF(X509) *sk=NULL;
sl@0	944
sl@0	945	ccd=s->s2->tmp.ccl;
sl@0	946	if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A)
sl@0	947	{
sl@0	948	p=(unsigned char *)s->init_buf->data;
sl@0	949	*(p++)=SSL2_MT_REQUEST_CERTIFICATE;
sl@0	950	*(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
sl@0	951	if (RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
sl@0	952	return -1;
sl@0	953	memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
sl@0	954
sl@0	955	s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
sl@0	956	s->init_num=SSL2_MIN_CERT_CHALLENGE_LENGTH+2;
sl@0	957	s->init_off=0;
sl@0	958	}
sl@0	959
sl@0	960	if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B)
sl@0	961	{
sl@0	962	i=ssl2_do_write(s);
sl@0	963	if (i <= 0)
sl@0	964	{
sl@0	965	ret=i;
sl@0	966	goto end;
sl@0	967	}
sl@0	968
sl@0	969	s->init_num=0;
sl@0	970	s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_C;
sl@0	971	}
sl@0	972
sl@0	973	if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C)
sl@0	974	{
sl@0	975	p=(unsigned char *)s->init_buf->data;
sl@0	976	i=ssl2_read(s,(char )&(p[s->init_num]),6-s->init_num); / try to read 6 octets ... */
sl@0	977	if (i < 3-s->init_num) /* ... but don't call ssl2_part_read now if we got at least 3
sl@0	978	* (probably NO-CERTIFICATE-ERROR) */
sl@0	979	{
sl@0	980	ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
sl@0	981	goto end;
sl@0	982	}
sl@0	983	s->init_num += i;
sl@0	984
sl@0	985	if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR))
sl@0	986	{
sl@0	987	n2s(p,i);
sl@0	988	if (i != SSL2_PE_NO_CERTIFICATE)
sl@0	989	{
sl@0	990	/* not the error message we expected -- let ssl2_part_read handle it */
sl@0	991	s->init_num -= 3;
sl@0	992	ret = ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE, 3);
sl@0	993	goto end;
sl@0	994	}
sl@0	995
sl@0	996	if (s->msg_callback)
sl@0	997	s->msg_callback(0, s->version, 0, p, 3, s, s->msg_callback_arg); /* ERROR */
sl@0	998
sl@0	999	/* this is the one place where we can recover from an SSL 2.0 error */
sl@0	1000
sl@0	1001	if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
sl@0	1002	{
sl@0	1003	ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
sl@0	1004	SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
sl@0	1005	goto end;
sl@0	1006	}
sl@0	1007	ret=1;
sl@0	1008	goto end;
sl@0	1009	}
sl@0	1010	if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) \|\| (s->init_num < 6))
sl@0	1011	{
sl@0	1012	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
sl@0	1013	SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_SHORT_READ);
sl@0	1014	goto end;
sl@0	1015	}
sl@0	1016	if (s->init_num != 6)
sl@0	1017	{
sl@0	1018	SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR);
sl@0	1019	goto end;
sl@0	1020	}
sl@0	1021
sl@0	1022	/* ok we have a response */
sl@0	1023	/* certificate type, there is only one right now. */
sl@0	1024	ctype= *(p++);
sl@0	1025	if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION)
sl@0	1026	{
sl@0	1027	ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
sl@0	1028	SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_RESPONSE_ARGUMENT);
sl@0	1029	goto end;
sl@0	1030	}
sl@0	1031	n2s(p,i); s->s2->tmp.clen=i;
sl@0	1032	n2s(p,i); s->s2->tmp.rlen=i;
sl@0	1033	s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_D;
sl@0	1034	}
sl@0	1035
sl@0	1036	/* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */
sl@0	1037	p=(unsigned char *)s->init_buf->data;
sl@0	1038	len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen;
sl@0	1039	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
sl@0	1040	{
sl@0	1041	SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG);
sl@0	1042	goto end;
sl@0	1043	}
sl@0	1044	j = (int)len - s->init_num;
sl@0	1045	i = ssl2_read(s,(char *)&(p[s->init_num]),j);
sl@0	1046	if (i < j)
sl@0	1047	{
sl@0	1048	ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
sl@0	1049	goto end;
sl@0	1050	}
sl@0	1051	if (s->msg_callback)
sl@0	1052	s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */
sl@0	1053	p += 6;
sl@0	1054
sl@0	1055	cp = p;
sl@0	1056	x509=(X509 *)d2i_X509(NULL,&cp,(long)s->s2->tmp.clen);
sl@0	1057	if (x509 == NULL)
sl@0	1058	{
sl@0	1059	SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_X509_LIB);
sl@0	1060	goto msg_end;
sl@0	1061	}
sl@0	1062
sl@0	1063	if (((sk=sk_X509_new_null()) == NULL) \|\| (!sk_X509_push(sk,x509)))
sl@0	1064	{
sl@0	1065	SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
sl@0	1066	goto msg_end;
sl@0	1067	}
sl@0	1068
sl@0	1069	i=ssl_verify_cert_chain(s,sk);
sl@0	1070
sl@0	1071	if (i) /* we like the packet, now check the chksum */
sl@0	1072	{
sl@0	1073	EVP_MD_CTX ctx;
sl@0	1074	EVP_PKEY *pkey=NULL;
sl@0	1075
sl@0	1076	EVP_MD_CTX_init(&ctx);
sl@0	1077	EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL);
sl@0	1078	EVP_VerifyUpdate(&ctx,s->s2->key_material,
sl@0	1079	s->s2->key_material_length);
sl@0	1080	EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
sl@0	1081
sl@0	1082	i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
sl@0	1083	buf2=OPENSSL_malloc((unsigned int)i);
sl@0	1084	if (buf2 == NULL)
sl@0	1085	{
sl@0	1086	SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
sl@0	1087	goto msg_end;
sl@0	1088	}
sl@0	1089	p2=buf2;
sl@0	1090	i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
sl@0	1091	EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i);
sl@0	1092	OPENSSL_free(buf2);
sl@0	1093
sl@0	1094	pkey=X509_get_pubkey(x509);
sl@0	1095	if (pkey == NULL) goto end;
sl@0	1096	i=EVP_VerifyFinal(&ctx,cp,s->s2->tmp.rlen,pkey);
sl@0	1097	EVP_PKEY_free(pkey);
sl@0	1098	EVP_MD_CTX_cleanup(&ctx);
sl@0	1099
sl@0	1100	if (i)
sl@0	1101	{
sl@0	1102	if (s->session->peer != NULL)
sl@0	1103	X509_free(s->session->peer);
sl@0	1104	s->session->peer=x509;
sl@0	1105	CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
sl@0	1106	s->session->verify_result = s->verify_result;
sl@0	1107	ret=1;
sl@0	1108	goto end;
sl@0	1109	}
sl@0	1110	else
sl@0	1111	{
sl@0	1112	SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_CHECKSUM);
sl@0	1113	goto msg_end;
sl@0	1114	}
sl@0	1115	}
sl@0	1116	else
sl@0	1117	{
sl@0	1118	msg_end:
sl@0	1119	ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
sl@0	1120	}
sl@0	1121	end:
sl@0	1122	sk_X509_free(sk);
sl@0	1123	X509_free(x509);
sl@0	1124	return(ret);
sl@0	1125	}
sl@0	1126
sl@0	1127	static int ssl_rsa_private_decrypt(CERT c, int len, unsigned char from,
sl@0	1128	unsigned char *to, int padding)
sl@0	1129	{
sl@0	1130	RSA *rsa;
sl@0	1131	int i;
sl@0	1132
sl@0	1133	if ((c == NULL) \|\| (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL))
sl@0	1134	{
sl@0	1135	SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_NO_PRIVATEKEY);
sl@0	1136	return(-1);
sl@0	1137	}
sl@0	1138	if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA)
sl@0	1139	{
sl@0	1140	SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA);
sl@0	1141	return(-1);
sl@0	1142	}
sl@0	1143	rsa=c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa;
sl@0	1144
sl@0	1145	/* we have the public key */
sl@0	1146	i=RSA_private_decrypt(len,from,to,rsa,padding);
sl@0	1147	if (i < 0)
sl@0	1148	SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB);
sl@0	1149	return(i);
sl@0	1150	}
sl@0	1151	#else /* !OPENSSL_NO_SSL2 */
sl@0	1152
sl@0	1153	# if PEDANTIC
sl@0	1154	static void *dummy=&dummy;
sl@0	1155	# endif
sl@0	1156
sl@0	1157	#endif

author	sl@SLION-WIN7.fritz.box
	Fri, 15 Jun 2012 03:10:57 +0200
changeset 0	bde4ae8d615e
permissions	-rw-r--r--