2
0

s2_srvr.c 31 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143
  1. /* ssl/s2_srvr.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #include "ssl_locl.h"
  112. #ifndef OPENSSL_NO_SSL2
  113. #include <stdio.h>
  114. #include <openssl/bio.h>
  115. #include <openssl/rand.h>
  116. #include <openssl/objects.h>
  117. #include <openssl/evp.h>
  118. static const SSL_METHOD *ssl2_get_server_method(int ver);
  119. static int get_client_master_key(SSL *s);
  120. static int get_client_hello(SSL *s);
  121. static int server_hello(SSL *s);
  122. static int get_client_finished(SSL *s);
  123. static int server_verify(SSL *s);
  124. static int server_finish(SSL *s);
  125. static int request_certificate(SSL *s);
  126. static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
  127. unsigned char *to,int padding);
  128. #define BREAK break
  129. static const SSL_METHOD *ssl2_get_server_method(int ver)
  130. {
  131. if (ver == SSL2_VERSION)
  132. return(SSLv2_server_method());
  133. else
  134. return(NULL);
  135. }
  136. IMPLEMENT_ssl2_meth_func(SSLv2_server_method,
  137. ssl2_accept,
  138. ssl_undefined_function,
  139. ssl2_get_server_method)
  140. int ssl2_accept(SSL *s)
  141. {
  142. unsigned long l=(unsigned long)time(NULL);
  143. BUF_MEM *buf=NULL;
  144. int ret= -1;
  145. long num1;
  146. void (*cb)(const SSL *ssl,int type,int val)=NULL;
  147. int new_state,state;
  148. RAND_add(&l,sizeof(l),0);
  149. ERR_clear_error();
  150. clear_sys_error();
  151. if (s->info_callback != NULL)
  152. cb=s->info_callback;
  153. else if (s->ctx->info_callback != NULL)
  154. cb=s->ctx->info_callback;
  155. /* init things to blank */
  156. s->in_handshake++;
  157. if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
  158. if (s->cert == NULL)
  159. {
  160. SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
  161. return(-1);
  162. }
  163. clear_sys_error();
  164. for (;;)
  165. {
  166. state=s->state;
  167. switch (s->state)
  168. {
  169. case SSL_ST_BEFORE:
  170. case SSL_ST_ACCEPT:
  171. case SSL_ST_BEFORE|SSL_ST_ACCEPT:
  172. case SSL_ST_OK|SSL_ST_ACCEPT:
  173. s->server=1;
  174. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
  175. s->version=SSL2_VERSION;
  176. s->type=SSL_ST_ACCEPT;
  177. buf=s->init_buf;
  178. if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
  179. { ret= -1; goto end; }
  180. if (!BUF_MEM_grow(buf,(int)
  181. SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
  182. { ret= -1; goto end; }
  183. s->init_buf=buf;
  184. s->init_num=0;
  185. s->ctx->stats.sess_accept++;
  186. s->handshake_func=ssl2_accept;
  187. s->state=SSL2_ST_GET_CLIENT_HELLO_A;
  188. BREAK;
  189. case SSL2_ST_GET_CLIENT_HELLO_A:
  190. case SSL2_ST_GET_CLIENT_HELLO_B:
  191. case SSL2_ST_GET_CLIENT_HELLO_C:
  192. s->shutdown=0;
  193. ret=get_client_hello(s);
  194. if (ret <= 0) goto end;
  195. s->init_num=0;
  196. s->state=SSL2_ST_SEND_SERVER_HELLO_A;
  197. BREAK;
  198. case SSL2_ST_SEND_SERVER_HELLO_A:
  199. case SSL2_ST_SEND_SERVER_HELLO_B:
  200. ret=server_hello(s);
  201. if (ret <= 0) goto end;
  202. s->init_num=0;
  203. if (!s->hit)
  204. {
  205. s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_A;
  206. BREAK;
  207. }
  208. else
  209. {
  210. s->state=SSL2_ST_SERVER_START_ENCRYPTION;
  211. BREAK;
  212. }
  213. case SSL2_ST_GET_CLIENT_MASTER_KEY_A:
  214. case SSL2_ST_GET_CLIENT_MASTER_KEY_B:
  215. ret=get_client_master_key(s);
  216. if (ret <= 0) goto end;
  217. s->init_num=0;
  218. s->state=SSL2_ST_SERVER_START_ENCRYPTION;
  219. BREAK;
  220. case SSL2_ST_SERVER_START_ENCRYPTION:
  221. /* Ok we how have sent all the stuff needed to
  222. * start encrypting, the next packet back will
  223. * be encrypted. */
  224. if (!ssl2_enc_init(s,0))
  225. { ret= -1; goto end; }
  226. s->s2->clear_text=0;
  227. s->state=SSL2_ST_SEND_SERVER_VERIFY_A;
  228. BREAK;
  229. case SSL2_ST_SEND_SERVER_VERIFY_A:
  230. case SSL2_ST_SEND_SERVER_VERIFY_B:
  231. ret=server_verify(s);
  232. if (ret <= 0) goto end;
  233. s->init_num=0;
  234. if (s->hit)
  235. {
  236. /* If we are in here, we have been
  237. * buffering the output, so we need to
  238. * flush it and remove buffering from
  239. * future traffic */
  240. s->state=SSL2_ST_SEND_SERVER_VERIFY_C;
  241. BREAK;
  242. }
  243. else
  244. {
  245. s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
  246. break;
  247. }
  248. case SSL2_ST_SEND_SERVER_VERIFY_C:
  249. /* get the number of bytes to write */
  250. num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
  251. if (num1 != 0)
  252. {
  253. s->rwstate=SSL_WRITING;
  254. num1=BIO_flush(s->wbio);
  255. if (num1 <= 0) { ret= -1; goto end; }
  256. s->rwstate=SSL_NOTHING;
  257. }
  258. /* flushed and now remove buffering */
  259. s->wbio=BIO_pop(s->wbio);
  260. s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
  261. BREAK;
  262. case SSL2_ST_GET_CLIENT_FINISHED_A:
  263. case SSL2_ST_GET_CLIENT_FINISHED_B:
  264. ret=get_client_finished(s);
  265. if (ret <= 0)
  266. goto end;
  267. s->init_num=0;
  268. s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_A;
  269. BREAK;
  270. case SSL2_ST_SEND_REQUEST_CERTIFICATE_A:
  271. case SSL2_ST_SEND_REQUEST_CERTIFICATE_B:
  272. case SSL2_ST_SEND_REQUEST_CERTIFICATE_C:
  273. case SSL2_ST_SEND_REQUEST_CERTIFICATE_D:
  274. /* don't do a 'request certificate' if we
  275. * don't want to, or we already have one, and
  276. * we only want to do it once. */
  277. if (!(s->verify_mode & SSL_VERIFY_PEER) ||
  278. ((s->session->peer != NULL) &&
  279. (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
  280. {
  281. s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
  282. break;
  283. }
  284. else
  285. {
  286. ret=request_certificate(s);
  287. if (ret <= 0) goto end;
  288. s->init_num=0;
  289. s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
  290. }
  291. BREAK;
  292. case SSL2_ST_SEND_SERVER_FINISHED_A:
  293. case SSL2_ST_SEND_SERVER_FINISHED_B:
  294. ret=server_finish(s);
  295. if (ret <= 0) goto end;
  296. s->init_num=0;
  297. s->state=SSL_ST_OK;
  298. break;
  299. case SSL_ST_OK:
  300. BUF_MEM_free(s->init_buf);
  301. ssl_free_wbio_buffer(s);
  302. s->init_buf=NULL;
  303. s->init_num=0;
  304. /* ERR_clear_error();*/
  305. ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
  306. s->ctx->stats.sess_accept_good++;
  307. /* s->server=1; */
  308. ret=1;
  309. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
  310. goto end;
  311. /* BREAK; */
  312. default:
  313. SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_UNKNOWN_STATE);
  314. ret= -1;
  315. goto end;
  316. /* BREAK; */
  317. }
  318. if ((cb != NULL) && (s->state != state))
  319. {
  320. new_state=s->state;
  321. s->state=state;
  322. cb(s,SSL_CB_ACCEPT_LOOP,1);
  323. s->state=new_state;
  324. }
  325. }
  326. end:
  327. s->in_handshake--;
  328. if (cb != NULL)
  329. cb(s,SSL_CB_ACCEPT_EXIT,ret);
  330. return(ret);
  331. }
  332. static int get_client_master_key(SSL *s)
  333. {
  334. int is_export,i,n,keya,ek;
  335. unsigned long len;
  336. unsigned char *p;
  337. SSL_CIPHER *cp;
  338. const EVP_CIPHER *c;
  339. const EVP_MD *md;
  340. p=(unsigned char *)s->init_buf->data;
  341. if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A)
  342. {
  343. i=ssl2_read(s,(char *)&(p[s->init_num]),10-s->init_num);
  344. if (i < (10-s->init_num))
  345. return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
  346. s->init_num = 10;
  347. if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY)
  348. {
  349. if (p[-1] != SSL2_MT_ERROR)
  350. {
  351. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  352. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_READ_WRONG_PACKET_TYPE);
  353. }
  354. else
  355. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR);
  356. return(-1);
  357. }
  358. cp=ssl2_get_cipher_by_char(p);
  359. if (cp == NULL)
  360. {
  361. ssl2_return_error(s,SSL2_PE_NO_CIPHER);
  362. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
  363. return(-1);
  364. }
  365. s->session->cipher= cp;
  366. p+=3;
  367. n2s(p,i); s->s2->tmp.clear=i;
  368. n2s(p,i); s->s2->tmp.enc=i;
  369. n2s(p,i); s->session->key_arg_length=i;
  370. if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
  371. {
  372. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  373. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
  374. return -1;
  375. }
  376. s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
  377. }
  378. /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
  379. p=(unsigned char *)s->init_buf->data;
  380. if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
  381. {
  382. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  383. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
  384. return -1;
  385. }
  386. keya=s->session->key_arg_length;
  387. len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
  388. if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
  389. {
  390. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  391. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
  392. return -1;
  393. }
  394. n = (int)len - s->init_num;
  395. i = ssl2_read(s,(char *)&(p[s->init_num]),n);
  396. if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
  397. if (s->msg_callback)
  398. s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-MASTER-KEY */
  399. p += 10;
  400. memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]),
  401. (unsigned int)keya);
  402. if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)
  403. {
  404. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  405. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
  406. return(-1);
  407. }
  408. i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
  409. &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
  410. (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
  411. is_export=SSL_C_IS_EXPORT(s->session->cipher);
  412. if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
  413. {
  414. ssl2_return_error(s,SSL2_PE_NO_CIPHER);
  415. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
  416. return(0);
  417. }
  418. if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
  419. {
  420. is_export=1;
  421. ek=8;
  422. }
  423. else
  424. ek=5;
  425. /* bad decrypt */
  426. #if 1
  427. /* If a bad decrypt, continue with protocol but with a
  428. * random master secret (Bleichenbacher attack) */
  429. if ((i < 0) ||
  430. ((!is_export && (i != EVP_CIPHER_key_length(c)))
  431. || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
  432. (unsigned int)EVP_CIPHER_key_length(c))))))
  433. {
  434. ERR_clear_error();
  435. if (is_export)
  436. i=ek;
  437. else
  438. i=EVP_CIPHER_key_length(c);
  439. if (RAND_pseudo_bytes(p,i) <= 0)
  440. return 0;
  441. }
  442. #else
  443. if (i < 0)
  444. {
  445. error=1;
  446. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_RSA_DECRYPT);
  447. }
  448. /* incorrect number of key bytes for non export cipher */
  449. else if ((!is_export && (i != EVP_CIPHER_key_length(c)))
  450. || (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
  451. EVP_CIPHER_key_length(c)))))
  452. {
  453. error=1;
  454. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_WRONG_NUMBER_OF_KEY_BITS);
  455. }
  456. if (error)
  457. {
  458. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  459. return(-1);
  460. }
  461. #endif
  462. if (is_export) i+=s->s2->tmp.clear;
  463. if (i > SSL_MAX_MASTER_KEY_LENGTH)
  464. {
  465. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  466. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
  467. return -1;
  468. }
  469. s->session->master_key_length=i;
  470. memcpy(s->session->master_key,p,(unsigned int)i);
  471. return(1);
  472. }
  473. static int get_client_hello(SSL *s)
  474. {
  475. int i,n;
  476. unsigned long len;
  477. unsigned char *p;
  478. STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */
  479. STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */
  480. STACK_OF(SSL_CIPHER) *prio, *allow;
  481. int z;
  482. /* This is a bit of a hack to check for the correct packet
  483. * type the first time round. */
  484. if (s->state == SSL2_ST_GET_CLIENT_HELLO_A)
  485. {
  486. s->first_packet=1;
  487. s->state=SSL2_ST_GET_CLIENT_HELLO_B;
  488. }
  489. p=(unsigned char *)s->init_buf->data;
  490. if (s->state == SSL2_ST_GET_CLIENT_HELLO_B)
  491. {
  492. i=ssl2_read(s,(char *)&(p[s->init_num]),9-s->init_num);
  493. if (i < (9-s->init_num))
  494. return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
  495. s->init_num = 9;
  496. if (*(p++) != SSL2_MT_CLIENT_HELLO)
  497. {
  498. if (p[-1] != SSL2_MT_ERROR)
  499. {
  500. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  501. SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_READ_WRONG_PACKET_TYPE);
  502. }
  503. else
  504. SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_PEER_ERROR);
  505. return(-1);
  506. }
  507. n2s(p,i);
  508. if (i < s->version) s->version=i;
  509. n2s(p,i); s->s2->tmp.cipher_spec_length=i;
  510. n2s(p,i); s->s2->tmp.session_id_length=i;
  511. n2s(p,i); s->s2->challenge_length=i;
  512. if ( (i < SSL2_MIN_CHALLENGE_LENGTH) ||
  513. (i > SSL2_MAX_CHALLENGE_LENGTH))
  514. {
  515. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  516. SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_INVALID_CHALLENGE_LENGTH);
  517. return(-1);
  518. }
  519. s->state=SSL2_ST_GET_CLIENT_HELLO_C;
  520. }
  521. /* SSL2_ST_GET_CLIENT_HELLO_C */
  522. p=(unsigned char *)s->init_buf->data;
  523. len = 9 + (unsigned long)s->s2->tmp.cipher_spec_length + (unsigned long)s->s2->challenge_length + (unsigned long)s->s2->tmp.session_id_length;
  524. if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
  525. {
  526. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  527. SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_MESSAGE_TOO_LONG);
  528. return -1;
  529. }
  530. n = (int)len - s->init_num;
  531. i = ssl2_read(s,(char *)&(p[s->init_num]),n);
  532. if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
  533. if (s->msg_callback)
  534. s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-HELLO */
  535. p += 9;
  536. /* get session-id before cipher stuff so we can get out session
  537. * structure if it is cached */
  538. /* session-id */
  539. if ((s->s2->tmp.session_id_length != 0) &&
  540. (s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH))
  541. {
  542. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  543. SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_BAD_SSL_SESSION_ID_LENGTH);
  544. return(-1);
  545. }
  546. if (s->s2->tmp.session_id_length == 0)
  547. {
  548. if (!ssl_get_new_session(s,1))
  549. {
  550. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  551. return(-1);
  552. }
  553. }
  554. else
  555. {
  556. i=ssl_get_prev_session(s,&(p[s->s2->tmp.cipher_spec_length]),
  557. s->s2->tmp.session_id_length);
  558. if (i == 1)
  559. { /* previous session */
  560. s->hit=1;
  561. }
  562. else if (i == -1)
  563. {
  564. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  565. return(-1);
  566. }
  567. else
  568. {
  569. if (s->cert == NULL)
  570. {
  571. ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
  572. SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_NO_CERTIFICATE_SET);
  573. return(-1);
  574. }
  575. if (!ssl_get_new_session(s,1))
  576. {
  577. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  578. return(-1);
  579. }
  580. }
  581. }
  582. if (!s->hit)
  583. {
  584. cs=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.cipher_spec_length,
  585. &s->session->ciphers);
  586. if (cs == NULL) goto mem_err;
  587. cl=SSL_get_ciphers(s);
  588. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
  589. {
  590. prio=sk_SSL_CIPHER_dup(cl);
  591. if (prio == NULL) goto mem_err;
  592. allow = cs;
  593. }
  594. else
  595. {
  596. prio = cs;
  597. allow = cl;
  598. }
  599. for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
  600. {
  601. if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
  602. {
  603. sk_SSL_CIPHER_delete(prio,z);
  604. z--;
  605. }
  606. }
  607. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
  608. {
  609. sk_SSL_CIPHER_free(s->session->ciphers);
  610. s->session->ciphers = prio;
  611. }
  612. /* s->session->ciphers should now have a list of
  613. * ciphers that are on both the client and server.
  614. * This list is ordered by the order the client sent
  615. * the ciphers or in the order of the server's preference
  616. * if SSL_OP_CIPHER_SERVER_PREFERENCE was set.
  617. */
  618. }
  619. p+=s->s2->tmp.cipher_spec_length;
  620. /* done cipher selection */
  621. /* session id extracted already */
  622. p+=s->s2->tmp.session_id_length;
  623. /* challenge */
  624. if (s->s2->challenge_length > sizeof s->s2->challenge)
  625. {
  626. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  627. SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  628. return -1;
  629. }
  630. memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
  631. return(1);
  632. mem_err:
  633. SSLerr(SSL_F_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
  634. return(0);
  635. }
  636. static int server_hello(SSL *s)
  637. {
  638. unsigned char *p,*d;
  639. int n,hit;
  640. STACK_OF(SSL_CIPHER) *sk;
  641. p=(unsigned char *)s->init_buf->data;
  642. if (s->state == SSL2_ST_SEND_SERVER_HELLO_A)
  643. {
  644. d=p+11;
  645. *(p++)=SSL2_MT_SERVER_HELLO; /* type */
  646. hit=s->hit;
  647. *(p++)=(unsigned char)hit;
  648. #if 1
  649. if (!hit)
  650. {
  651. if (s->session->sess_cert != NULL)
  652. /* This can't really happen because get_client_hello
  653. * has called ssl_get_new_session, which does not set
  654. * sess_cert. */
  655. ssl_sess_cert_free(s->session->sess_cert);
  656. s->session->sess_cert = ssl_sess_cert_new();
  657. if (s->session->sess_cert == NULL)
  658. {
  659. SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE);
  660. return(-1);
  661. }
  662. }
  663. /* If 'hit' is set, then s->sess_cert may be non-NULL or NULL,
  664. * depending on whether it survived in the internal cache
  665. * or was retrieved from an external cache.
  666. * If it is NULL, we cannot put any useful data in it anyway,
  667. * so we don't touch it.
  668. */
  669. #else /* That's what used to be done when cert_st and sess_cert_st were
  670. * the same. */
  671. if (!hit)
  672. { /* else add cert to session */
  673. CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
  674. if (s->session->sess_cert != NULL)
  675. ssl_cert_free(s->session->sess_cert);
  676. s->session->sess_cert=s->cert;
  677. }
  678. else /* We have a session id-cache hit, if the
  679. * session-id has no certificate listed against
  680. * the 'cert' structure, grab the 'old' one
  681. * listed against the SSL connection */
  682. {
  683. if (s->session->sess_cert == NULL)
  684. {
  685. CRYPTO_add(&s->cert->references,1,
  686. CRYPTO_LOCK_SSL_CERT);
  687. s->session->sess_cert=s->cert;
  688. }
  689. }
  690. #endif
  691. if (s->cert == NULL)
  692. {
  693. ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
  694. SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED);
  695. return(-1);
  696. }
  697. if (hit)
  698. {
  699. *(p++)=0; /* no certificate type */
  700. s2n(s->version,p); /* version */
  701. s2n(0,p); /* cert len */
  702. s2n(0,p); /* ciphers len */
  703. }
  704. else
  705. {
  706. /* EAY EAY */
  707. /* put certificate type */
  708. *(p++)=SSL2_CT_X509_CERTIFICATE;
  709. s2n(s->version,p); /* version */
  710. n=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
  711. s2n(n,p); /* certificate length */
  712. i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&d);
  713. n=0;
  714. /* lets send out the ciphers we like in the
  715. * prefered order */
  716. sk= s->session->ciphers;
  717. n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d,0);
  718. d+=n;
  719. s2n(n,p); /* add cipher length */
  720. }
  721. /* make and send conn_id */
  722. s2n(SSL2_CONNECTION_ID_LENGTH,p); /* add conn_id length */
  723. s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
  724. if (RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length) <= 0)
  725. return -1;
  726. memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
  727. d+=SSL2_CONNECTION_ID_LENGTH;
  728. s->state=SSL2_ST_SEND_SERVER_HELLO_B;
  729. s->init_num=d-(unsigned char *)s->init_buf->data;
  730. s->init_off=0;
  731. }
  732. /* SSL2_ST_SEND_SERVER_HELLO_B */
  733. /* If we are using TCP/IP, the performance is bad if we do 2
  734. * writes without a read between them. This occurs when
  735. * Session-id reuse is used, so I will put in a buffering module
  736. */
  737. if (s->hit)
  738. {
  739. if (!ssl_init_wbio_buffer(s,1)) return(-1);
  740. }
  741. return(ssl2_do_write(s));
  742. }
  743. static int get_client_finished(SSL *s)
  744. {
  745. unsigned char *p;
  746. int i, n;
  747. unsigned long len;
  748. p=(unsigned char *)s->init_buf->data;
  749. if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A)
  750. {
  751. i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num);
  752. if (i < 1-s->init_num)
  753. return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
  754. s->init_num += i;
  755. if (*p != SSL2_MT_CLIENT_FINISHED)
  756. {
  757. if (*p != SSL2_MT_ERROR)
  758. {
  759. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  760. SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
  761. }
  762. else
  763. {
  764. SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR);
  765. /* try to read the error message */
  766. i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
  767. return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
  768. }
  769. return(-1);
  770. }
  771. s->state=SSL2_ST_GET_CLIENT_FINISHED_B;
  772. }
  773. /* SSL2_ST_GET_CLIENT_FINISHED_B */
  774. if (s->s2->conn_id_length > sizeof s->s2->conn_id)
  775. {
  776. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  777. SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
  778. return -1;
  779. }
  780. len = 1 + (unsigned long)s->s2->conn_id_length;
  781. n = (int)len - s->init_num;
  782. i = ssl2_read(s,(char *)&(p[s->init_num]),n);
  783. if (i < n)
  784. {
  785. return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
  786. }
  787. if (s->msg_callback)
  788. s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-FINISHED */
  789. p += 1;
  790. if (memcmp(p,s->s2->conn_id,s->s2->conn_id_length) != 0)
  791. {
  792. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  793. SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT);
  794. return(-1);
  795. }
  796. return(1);
  797. }
  798. static int server_verify(SSL *s)
  799. {
  800. unsigned char *p;
  801. if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A)
  802. {
  803. p=(unsigned char *)s->init_buf->data;
  804. *(p++)=SSL2_MT_SERVER_VERIFY;
  805. if (s->s2->challenge_length > sizeof s->s2->challenge)
  806. {
  807. SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR);
  808. return -1;
  809. }
  810. memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
  811. /* p+=s->s2->challenge_length; */
  812. s->state=SSL2_ST_SEND_SERVER_VERIFY_B;
  813. s->init_num=s->s2->challenge_length+1;
  814. s->init_off=0;
  815. }
  816. return(ssl2_do_write(s));
  817. }
  818. static int server_finish(SSL *s)
  819. {
  820. unsigned char *p;
  821. if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A)
  822. {
  823. p=(unsigned char *)s->init_buf->data;
  824. *(p++)=SSL2_MT_SERVER_FINISHED;
  825. if (s->session->session_id_length > sizeof s->session->session_id)
  826. {
  827. SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR);
  828. return -1;
  829. }
  830. memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
  831. /* p+=s->session->session_id_length; */
  832. s->state=SSL2_ST_SEND_SERVER_FINISHED_B;
  833. s->init_num=s->session->session_id_length+1;
  834. s->init_off=0;
  835. }
  836. /* SSL2_ST_SEND_SERVER_FINISHED_B */
  837. return(ssl2_do_write(s));
  838. }
  839. /* send the request and check the response */
  840. static int request_certificate(SSL *s)
  841. {
  842. const unsigned char *cp;
  843. unsigned char *p,*p2,*buf2;
  844. unsigned char *ccd;
  845. int i,j,ctype,ret= -1;
  846. unsigned long len;
  847. X509 *x509=NULL;
  848. STACK_OF(X509) *sk=NULL;
  849. ccd=s->s2->tmp.ccl;
  850. if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A)
  851. {
  852. p=(unsigned char *)s->init_buf->data;
  853. *(p++)=SSL2_MT_REQUEST_CERTIFICATE;
  854. *(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
  855. if (RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
  856. return -1;
  857. memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
  858. s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
  859. s->init_num=SSL2_MIN_CERT_CHALLENGE_LENGTH+2;
  860. s->init_off=0;
  861. }
  862. if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B)
  863. {
  864. i=ssl2_do_write(s);
  865. if (i <= 0)
  866. {
  867. ret=i;
  868. goto end;
  869. }
  870. s->init_num=0;
  871. s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_C;
  872. }
  873. if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C)
  874. {
  875. p=(unsigned char *)s->init_buf->data;
  876. i=ssl2_read(s,(char *)&(p[s->init_num]),6-s->init_num); /* try to read 6 octets ... */
  877. if (i < 3-s->init_num) /* ... but don't call ssl2_part_read now if we got at least 3
  878. * (probably NO-CERTIFICATE-ERROR) */
  879. {
  880. ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
  881. goto end;
  882. }
  883. s->init_num += i;
  884. if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR))
  885. {
  886. n2s(p,i);
  887. if (i != SSL2_PE_NO_CERTIFICATE)
  888. {
  889. /* not the error message we expected -- let ssl2_part_read handle it */
  890. s->init_num -= 3;
  891. ret = ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE, 3);
  892. goto end;
  893. }
  894. if (s->msg_callback)
  895. s->msg_callback(0, s->version, 0, p, 3, s, s->msg_callback_arg); /* ERROR */
  896. /* this is the one place where we can recover from an SSL 2.0 error */
  897. if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
  898. {
  899. ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
  900. SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  901. goto end;
  902. }
  903. ret=1;
  904. goto end;
  905. }
  906. if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6))
  907. {
  908. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  909. SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_SHORT_READ);
  910. goto end;
  911. }
  912. if (s->init_num != 6)
  913. {
  914. SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR);
  915. goto end;
  916. }
  917. /* ok we have a response */
  918. /* certificate type, there is only one right now. */
  919. ctype= *(p++);
  920. if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION)
  921. {
  922. ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
  923. SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_RESPONSE_ARGUMENT);
  924. goto end;
  925. }
  926. n2s(p,i); s->s2->tmp.clen=i;
  927. n2s(p,i); s->s2->tmp.rlen=i;
  928. s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_D;
  929. }
  930. /* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */
  931. p=(unsigned char *)s->init_buf->data;
  932. len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen;
  933. if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
  934. {
  935. SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG);
  936. goto end;
  937. }
  938. j = (int)len - s->init_num;
  939. i = ssl2_read(s,(char *)&(p[s->init_num]),j);
  940. if (i < j)
  941. {
  942. ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
  943. goto end;
  944. }
  945. if (s->msg_callback)
  946. s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */
  947. p += 6;
  948. cp = p;
  949. x509=(X509 *)d2i_X509(NULL,&cp,(long)s->s2->tmp.clen);
  950. if (x509 == NULL)
  951. {
  952. SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_X509_LIB);
  953. goto msg_end;
  954. }
  955. if (((sk=sk_X509_new_null()) == NULL) || (!sk_X509_push(sk,x509)))
  956. {
  957. SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
  958. goto msg_end;
  959. }
  960. i=ssl_verify_cert_chain(s,sk);
  961. if (i) /* we like the packet, now check the chksum */
  962. {
  963. EVP_MD_CTX ctx;
  964. EVP_PKEY *pkey=NULL;
  965. EVP_MD_CTX_init(&ctx);
  966. EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL);
  967. EVP_VerifyUpdate(&ctx,s->s2->key_material,
  968. s->s2->key_material_length);
  969. EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
  970. i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
  971. buf2=OPENSSL_malloc((unsigned int)i);
  972. if (buf2 == NULL)
  973. {
  974. SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
  975. goto msg_end;
  976. }
  977. p2=buf2;
  978. i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
  979. EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i);
  980. OPENSSL_free(buf2);
  981. pkey=X509_get_pubkey(x509);
  982. if (pkey == NULL) goto end;
  983. i=EVP_VerifyFinal(&ctx,cp,s->s2->tmp.rlen,pkey);
  984. EVP_PKEY_free(pkey);
  985. EVP_MD_CTX_cleanup(&ctx);
  986. if (i)
  987. {
  988. if (s->session->peer != NULL)
  989. X509_free(s->session->peer);
  990. s->session->peer=x509;
  991. CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
  992. s->session->verify_result = s->verify_result;
  993. ret=1;
  994. goto end;
  995. }
  996. else
  997. {
  998. SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_CHECKSUM);
  999. goto msg_end;
  1000. }
  1001. }
  1002. else
  1003. {
  1004. msg_end:
  1005. ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
  1006. }
  1007. end:
  1008. sk_X509_free(sk);
  1009. X509_free(x509);
  1010. return(ret);
  1011. }
  1012. static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
  1013. unsigned char *to, int padding)
  1014. {
  1015. RSA *rsa;
  1016. int i;
  1017. if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL))
  1018. {
  1019. SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_NO_PRIVATEKEY);
  1020. return(-1);
  1021. }
  1022. if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA)
  1023. {
  1024. SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA);
  1025. return(-1);
  1026. }
  1027. rsa=c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa;
  1028. /* we have the public key */
  1029. i=RSA_private_decrypt(len,from,to,rsa,padding);
  1030. if (i < 0)
  1031. SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB);
  1032. return(i);
  1033. }
  1034. #else /* !OPENSSL_NO_SSL2 */
  1035. # if PEDANTIC
  1036. static void *dummy=&dummy;
  1037. # endif
  1038. #endif