s2_srvr.c 40 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167
  1. /* ssl/s2_srvr.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #include "ssl_locl.h"
  112. #ifndef OPENSSL_NO_SSL2
  113. #include "../crypto/constant_time_locl.h"
  114. # include <stdio.h>
  115. # include <openssl/bio.h>
  116. # include <openssl/rand.h>
  117. # include <openssl/objects.h>
  118. # include <openssl/evp.h>
  119. static const SSL_METHOD *ssl2_get_server_method(int ver);
  120. static int get_client_master_key(SSL *s);
  121. static int get_client_hello(SSL *s);
  122. static int server_hello(SSL *s);
  123. static int get_client_finished(SSL *s);
  124. static int server_verify(SSL *s);
  125. static int server_finish(SSL *s);
  126. static int request_certificate(SSL *s);
  127. static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
  128. unsigned char *to, int padding);
  129. # define BREAK break
  130. static const SSL_METHOD *ssl2_get_server_method(int ver)
  131. {
  132. if (ver == SSL2_VERSION)
  133. return (SSLv2_server_method());
  134. else
  135. return (NULL);
  136. }
  137. IMPLEMENT_ssl2_meth_func(SSLv2_server_method,
  138. ssl2_accept,
  139. ssl_undefined_function, ssl2_get_server_method)
  140. int ssl2_accept(SSL *s)
  141. {
  142. unsigned long l = (unsigned long)time(NULL);
  143. BUF_MEM *buf = NULL;
  144. int ret = -1;
  145. long num1;
  146. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  147. int new_state, state;
  148. RAND_add(&l, sizeof(l), 0);
  149. ERR_clear_error();
  150. clear_sys_error();
  151. if (s->info_callback != NULL)
  152. cb = s->info_callback;
  153. else if (s->ctx->info_callback != NULL)
  154. cb = s->ctx->info_callback;
  155. /* init things to blank */
  156. s->in_handshake++;
  157. if (!SSL_in_init(s) || SSL_in_before(s))
  158. SSL_clear(s);
  159. if (s->cert == NULL) {
  160. SSLerr(SSL_F_SSL2_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
  161. return (-1);
  162. }
  163. clear_sys_error();
  164. for (;;) {
  165. state = s->state;
  166. switch (s->state) {
  167. case SSL_ST_BEFORE:
  168. case SSL_ST_ACCEPT:
  169. case SSL_ST_BEFORE | SSL_ST_ACCEPT:
  170. case SSL_ST_OK | SSL_ST_ACCEPT:
  171. s->server = 1;
  172. if (cb != NULL)
  173. cb(s, SSL_CB_HANDSHAKE_START, 1);
  174. s->version = SSL2_VERSION;
  175. s->type = SSL_ST_ACCEPT;
  176. if (s->init_buf == NULL) {
  177. if ((buf = BUF_MEM_new()) == NULL) {
  178. ret = -1;
  179. goto end;
  180. }
  181. if (!BUF_MEM_grow
  182. (buf, (int)SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) {
  183. BUF_MEM_free(buf);
  184. ret = -1;
  185. goto end;
  186. }
  187. s->init_buf = buf;
  188. }
  189. s->init_num = 0;
  190. s->ctx->stats.sess_accept++;
  191. s->handshake_func = ssl2_accept;
  192. s->state = SSL2_ST_GET_CLIENT_HELLO_A;
  193. BREAK;
  194. case SSL2_ST_GET_CLIENT_HELLO_A:
  195. case SSL2_ST_GET_CLIENT_HELLO_B:
  196. case SSL2_ST_GET_CLIENT_HELLO_C:
  197. s->shutdown = 0;
  198. ret = get_client_hello(s);
  199. if (ret <= 0)
  200. goto end;
  201. s->init_num = 0;
  202. s->state = SSL2_ST_SEND_SERVER_HELLO_A;
  203. BREAK;
  204. case SSL2_ST_SEND_SERVER_HELLO_A:
  205. case SSL2_ST_SEND_SERVER_HELLO_B:
  206. ret = server_hello(s);
  207. if (ret <= 0)
  208. goto end;
  209. s->init_num = 0;
  210. if (!s->hit) {
  211. s->state = SSL2_ST_GET_CLIENT_MASTER_KEY_A;
  212. BREAK;
  213. } else {
  214. s->state = SSL2_ST_SERVER_START_ENCRYPTION;
  215. BREAK;
  216. }
  217. case SSL2_ST_GET_CLIENT_MASTER_KEY_A:
  218. case SSL2_ST_GET_CLIENT_MASTER_KEY_B:
  219. ret = get_client_master_key(s);
  220. if (ret <= 0)
  221. goto end;
  222. s->init_num = 0;
  223. s->state = SSL2_ST_SERVER_START_ENCRYPTION;
  224. BREAK;
  225. case SSL2_ST_SERVER_START_ENCRYPTION:
  226. /*
  227. * Ok we how have sent all the stuff needed to start encrypting,
  228. * the next packet back will be encrypted.
  229. */
  230. if (!ssl2_enc_init(s, 0)) {
  231. ret = -1;
  232. goto end;
  233. }
  234. s->s2->clear_text = 0;
  235. s->state = SSL2_ST_SEND_SERVER_VERIFY_A;
  236. BREAK;
  237. case SSL2_ST_SEND_SERVER_VERIFY_A:
  238. case SSL2_ST_SEND_SERVER_VERIFY_B:
  239. ret = server_verify(s);
  240. if (ret <= 0)
  241. goto end;
  242. s->init_num = 0;
  243. if (s->hit) {
  244. /*
  245. * If we are in here, we have been buffering the output, so
  246. * we need to flush it and remove buffering from future
  247. * traffic
  248. */
  249. s->state = SSL2_ST_SEND_SERVER_VERIFY_C;
  250. BREAK;
  251. } else {
  252. s->state = SSL2_ST_GET_CLIENT_FINISHED_A;
  253. break;
  254. }
  255. case SSL2_ST_SEND_SERVER_VERIFY_C:
  256. /* get the number of bytes to write */
  257. num1 = BIO_ctrl(s->wbio, BIO_CTRL_INFO, 0, NULL);
  258. if (num1 > 0) {
  259. s->rwstate = SSL_WRITING;
  260. num1 = BIO_flush(s->wbio);
  261. if (num1 <= 0) {
  262. ret = -1;
  263. goto end;
  264. }
  265. s->rwstate = SSL_NOTHING;
  266. }
  267. /* flushed and now remove buffering */
  268. s->wbio = BIO_pop(s->wbio);
  269. s->state = SSL2_ST_GET_CLIENT_FINISHED_A;
  270. BREAK;
  271. case SSL2_ST_GET_CLIENT_FINISHED_A:
  272. case SSL2_ST_GET_CLIENT_FINISHED_B:
  273. ret = get_client_finished(s);
  274. if (ret <= 0)
  275. goto end;
  276. s->init_num = 0;
  277. s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_A;
  278. BREAK;
  279. case SSL2_ST_SEND_REQUEST_CERTIFICATE_A:
  280. case SSL2_ST_SEND_REQUEST_CERTIFICATE_B:
  281. case SSL2_ST_SEND_REQUEST_CERTIFICATE_C:
  282. case SSL2_ST_SEND_REQUEST_CERTIFICATE_D:
  283. /*
  284. * don't do a 'request certificate' if we don't want to, or we
  285. * already have one, and we only want to do it once.
  286. */
  287. if (!(s->verify_mode & SSL_VERIFY_PEER) ||
  288. ((s->session->peer != NULL) &&
  289. (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))) {
  290. s->state = SSL2_ST_SEND_SERVER_FINISHED_A;
  291. break;
  292. } else {
  293. ret = request_certificate(s);
  294. if (ret <= 0)
  295. goto end;
  296. s->init_num = 0;
  297. s->state = SSL2_ST_SEND_SERVER_FINISHED_A;
  298. }
  299. BREAK;
  300. case SSL2_ST_SEND_SERVER_FINISHED_A:
  301. case SSL2_ST_SEND_SERVER_FINISHED_B:
  302. ret = server_finish(s);
  303. if (ret <= 0)
  304. goto end;
  305. s->init_num = 0;
  306. s->state = SSL_ST_OK;
  307. break;
  308. case SSL_ST_OK:
  309. BUF_MEM_free(s->init_buf);
  310. ssl_free_wbio_buffer(s);
  311. s->init_buf = NULL;
  312. s->init_num = 0;
  313. /* ERR_clear_error(); */
  314. ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
  315. s->ctx->stats.sess_accept_good++;
  316. /* s->server=1; */
  317. ret = 1;
  318. if (cb != NULL)
  319. cb(s, SSL_CB_HANDSHAKE_DONE, 1);
  320. goto end;
  321. /* BREAK; */
  322. default:
  323. SSLerr(SSL_F_SSL2_ACCEPT, SSL_R_UNKNOWN_STATE);
  324. ret = -1;
  325. goto end;
  326. /* BREAK; */
  327. }
  328. if ((cb != NULL) && (s->state != state)) {
  329. new_state = s->state;
  330. s->state = state;
  331. cb(s, SSL_CB_ACCEPT_LOOP, 1);
  332. s->state = new_state;
  333. }
  334. }
  335. end:
  336. s->in_handshake--;
  337. if (cb != NULL)
  338. cb(s, SSL_CB_ACCEPT_EXIT, ret);
  339. return (ret);
  340. }
  341. static int get_client_master_key(SSL *s)
  342. {
  343. int is_export, i, n, keya;
  344. unsigned int num_encrypted_key_bytes, key_length;
  345. unsigned long len;
  346. unsigned char *p;
  347. const SSL_CIPHER *cp;
  348. const EVP_CIPHER *c;
  349. const EVP_MD *md;
  350. unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
  351. unsigned char decrypt_good;
  352. size_t j;
  353. p = (unsigned char *)s->init_buf->data;
  354. if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A) {
  355. i = ssl2_read(s, (char *)&(p[s->init_num]), 10 - s->init_num);
  356. if (i < (10 - s->init_num))
  357. return (ssl2_part_read(s, SSL_F_GET_CLIENT_MASTER_KEY, i));
  358. s->init_num = 10;
  359. if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY) {
  360. if (p[-1] != SSL2_MT_ERROR) {
  361. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  362. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
  363. SSL_R_READ_WRONG_PACKET_TYPE);
  364. } else
  365. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR);
  366. return (-1);
  367. }
  368. cp = ssl2_get_cipher_by_char(p);
  369. if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
  370. ssl2_return_error(s, SSL2_PE_NO_CIPHER);
  371. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
  372. return (-1);
  373. }
  374. s->session->cipher = cp;
  375. p += 3;
  376. n2s(p, i);
  377. s->s2->tmp.clear = i;
  378. n2s(p, i);
  379. s->s2->tmp.enc = i;
  380. n2s(p, i);
  381. if (i > SSL_MAX_KEY_ARG_LENGTH) {
  382. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  383. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
  384. return -1;
  385. }
  386. s->session->key_arg_length = i;
  387. s->state = SSL2_ST_GET_CLIENT_MASTER_KEY_B;
  388. }
  389. /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
  390. p = (unsigned char *)s->init_buf->data;
  391. if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
  392. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  393. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
  394. return -1;
  395. }
  396. keya = s->session->key_arg_length;
  397. len =
  398. 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc +
  399. (unsigned long)keya;
  400. if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
  401. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  402. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_MESSAGE_TOO_LONG);
  403. return -1;
  404. }
  405. n = (int)len - s->init_num;
  406. i = ssl2_read(s, (char *)&(p[s->init_num]), n);
  407. if (i != n)
  408. return (ssl2_part_read(s, SSL_F_GET_CLIENT_MASTER_KEY, i));
  409. if (s->msg_callback) {
  410. /* CLIENT-MASTER-KEY */
  411. s->msg_callback(0, s->version, 0, p, (size_t)len, s,
  412. s->msg_callback_arg);
  413. }
  414. p += 10;
  415. memcpy(s->session->key_arg, &(p[s->s2->tmp.clear + s->s2->tmp.enc]),
  416. (unsigned int)keya);
  417. if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) {
  418. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  419. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_PRIVATEKEY);
  420. return (-1);
  421. }
  422. is_export = SSL_C_IS_EXPORT(s->session->cipher);
  423. if (!ssl_cipher_get_evp(s->session, &c, &md, NULL, NULL, NULL)) {
  424. ssl2_return_error(s, SSL2_PE_NO_CIPHER);
  425. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
  426. SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
  427. return (0);
  428. }
  429. /*
  430. * The format of the CLIENT-MASTER-KEY message is
  431. * 1 byte message type
  432. * 3 bytes cipher
  433. * 2-byte clear key length (stored in s->s2->tmp.clear)
  434. * 2-byte encrypted key length (stored in s->s2->tmp.enc)
  435. * 2-byte key args length (IV etc)
  436. * clear key
  437. * encrypted key
  438. * key args
  439. *
  440. * If the cipher is an export cipher, then the encrypted key bytes
  441. * are a fixed portion of the total key (5 or 8 bytes). The size of
  442. * this portion is in |num_encrypted_key_bytes|. If the cipher is not an
  443. * export cipher, then the entire key material is encrypted (i.e., clear
  444. * key length must be zero).
  445. */
  446. key_length = (unsigned int)EVP_CIPHER_key_length(c);
  447. if (key_length > SSL_MAX_MASTER_KEY_LENGTH) {
  448. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  449. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
  450. return -1;
  451. }
  452. if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) {
  453. is_export = 1;
  454. num_encrypted_key_bytes = 8;
  455. } else if (is_export) {
  456. num_encrypted_key_bytes = 5;
  457. } else {
  458. num_encrypted_key_bytes = key_length;
  459. }
  460. if (s->s2->tmp.clear + num_encrypted_key_bytes != key_length) {
  461. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  462. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
  463. return -1;
  464. }
  465. /*
  466. * The encrypted blob must decrypt to the encrypted portion of the key.
  467. * Decryption can't be expanding, so if we don't have enough encrypted
  468. * bytes to fit the key in the buffer, stop now.
  469. */
  470. if (s->s2->tmp.enc < num_encrypted_key_bytes) {
  471. ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
  472. SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
  473. return -1;
  474. }
  475. /*
  476. * We must not leak whether a decryption failure occurs because of
  477. * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
  478. * section 7.4.7.1). The code follows that advice of the TLS RFC and
  479. * generates a random premaster secret for the case that the decrypt
  480. * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
  481. */
  482. if (RAND_bytes(rand_premaster_secret,
  483. (int)num_encrypted_key_bytes) <= 0)
  484. return 0;
  485. i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
  486. &(p[s->s2->tmp.clear]),
  487. &(p[s->s2->tmp.clear]),
  488. (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
  489. RSA_PKCS1_PADDING);
  490. ERR_clear_error();
  491. /*
  492. * If a bad decrypt, continue with protocol but with a random master
  493. * secret (Bleichenbacher attack)
  494. */
  495. decrypt_good = constant_time_eq_int_8(i, (int)num_encrypted_key_bytes);
  496. for (j = 0; j < num_encrypted_key_bytes; j++) {
  497. p[s->s2->tmp.clear + j] =
  498. constant_time_select_8(decrypt_good, p[s->s2->tmp.clear + j],
  499. rand_premaster_secret[j]);
  500. }
  501. s->session->master_key_length = (int)key_length;
  502. memcpy(s->session->master_key, p, key_length);
  503. OPENSSL_cleanse(p, key_length);
  504. return 1;
  505. }
  506. static int get_client_hello(SSL *s)
  507. {
  508. int i, n;
  509. unsigned long len;
  510. unsigned char *p;
  511. STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */
  512. STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */
  513. STACK_OF(SSL_CIPHER) *prio, *allow;
  514. int z;
  515. /*
  516. * This is a bit of a hack to check for the correct packet type the first
  517. * time round.
  518. */
  519. if (s->state == SSL2_ST_GET_CLIENT_HELLO_A) {
  520. s->first_packet = 1;
  521. s->state = SSL2_ST_GET_CLIENT_HELLO_B;
  522. }
  523. p = (unsigned char *)s->init_buf->data;
  524. if (s->state == SSL2_ST_GET_CLIENT_HELLO_B) {
  525. i = ssl2_read(s, (char *)&(p[s->init_num]), 9 - s->init_num);
  526. if (i < (9 - s->init_num))
  527. return (ssl2_part_read(s, SSL_F_GET_CLIENT_HELLO, i));
  528. s->init_num = 9;
  529. if (*(p++) != SSL2_MT_CLIENT_HELLO) {
  530. if (p[-1] != SSL2_MT_ERROR) {
  531. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  532. SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_READ_WRONG_PACKET_TYPE);
  533. } else
  534. SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_PEER_ERROR);
  535. return (-1);
  536. }
  537. n2s(p, i);
  538. if (i < s->version)
  539. s->version = i;
  540. n2s(p, i);
  541. s->s2->tmp.cipher_spec_length = i;
  542. n2s(p, i);
  543. s->s2->tmp.session_id_length = i;
  544. if ((i < 0) || (i > SSL_MAX_SSL_SESSION_ID_LENGTH)) {
  545. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  546. SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
  547. return -1;
  548. }
  549. n2s(p, i);
  550. s->s2->challenge_length = i;
  551. if ((i < SSL2_MIN_CHALLENGE_LENGTH) ||
  552. (i > SSL2_MAX_CHALLENGE_LENGTH)) {
  553. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  554. SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_INVALID_CHALLENGE_LENGTH);
  555. return (-1);
  556. }
  557. s->state = SSL2_ST_GET_CLIENT_HELLO_C;
  558. }
  559. /* SSL2_ST_GET_CLIENT_HELLO_C */
  560. p = (unsigned char *)s->init_buf->data;
  561. len =
  562. 9 + (unsigned long)s->s2->tmp.cipher_spec_length +
  563. (unsigned long)s->s2->challenge_length +
  564. (unsigned long)s->s2->tmp.session_id_length;
  565. if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
  566. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  567. SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_MESSAGE_TOO_LONG);
  568. return -1;
  569. }
  570. n = (int)len - s->init_num;
  571. i = ssl2_read(s, (char *)&(p[s->init_num]), n);
  572. if (i != n)
  573. return (ssl2_part_read(s, SSL_F_GET_CLIENT_HELLO, i));
  574. if (s->msg_callback) {
  575. /* CLIENT-HELLO */
  576. s->msg_callback(0, s->version, 0, p, (size_t)len, s,
  577. s->msg_callback_arg);
  578. }
  579. p += 9;
  580. /*
  581. * get session-id before cipher stuff so we can get out session structure
  582. * if it is cached
  583. */
  584. /* session-id */
  585. if ((s->s2->tmp.session_id_length != 0) &&
  586. (s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH)) {
  587. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  588. SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_BAD_SSL_SESSION_ID_LENGTH);
  589. return (-1);
  590. }
  591. if (s->s2->tmp.session_id_length == 0) {
  592. if (!ssl_get_new_session(s, 1)) {
  593. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  594. return (-1);
  595. }
  596. } else {
  597. i = ssl_get_prev_session(s, &(p[s->s2->tmp.cipher_spec_length]),
  598. s->s2->tmp.session_id_length, NULL);
  599. if (i == 1) { /* previous session */
  600. s->hit = 1;
  601. } else if (i == -1) {
  602. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  603. return (-1);
  604. } else {
  605. if (s->cert == NULL) {
  606. ssl2_return_error(s, SSL2_PE_NO_CERTIFICATE);
  607. SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CERTIFICATE_SET);
  608. return (-1);
  609. }
  610. if (!ssl_get_new_session(s, 1)) {
  611. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  612. return (-1);
  613. }
  614. }
  615. }
  616. if (!s->hit) {
  617. cs = ssl_bytes_to_cipher_list(s, p, s->s2->tmp.cipher_spec_length,
  618. &s->session->ciphers);
  619. if (cs == NULL)
  620. goto mem_err;
  621. cl = SSL_get_ciphers(s);
  622. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
  623. prio = sk_SSL_CIPHER_dup(cl);
  624. if (prio == NULL)
  625. goto mem_err;
  626. allow = cs;
  627. } else {
  628. prio = cs;
  629. allow = cl;
  630. }
  631. /* Generate list of SSLv2 ciphers shared between client and server */
  632. for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
  633. const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
  634. if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
  635. sk_SSL_CIPHER_find(allow, cp) < 0) {
  636. (void)sk_SSL_CIPHER_delete(prio, z);
  637. z--;
  638. }
  639. }
  640. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
  641. sk_SSL_CIPHER_free(s->session->ciphers);
  642. s->session->ciphers = prio;
  643. }
  644. /* Make sure we have at least one cipher in common */
  645. if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
  646. ssl2_return_error(s, SSL2_PE_NO_CIPHER);
  647. SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
  648. return -1;
  649. }
  650. /*
  651. * s->session->ciphers should now have a list of ciphers that are on
  652. * both the client and server. This list is ordered by the order the
  653. * client sent the ciphers or in the order of the server's preference
  654. * if SSL_OP_CIPHER_SERVER_PREFERENCE was set.
  655. */
  656. }
  657. p += s->s2->tmp.cipher_spec_length;
  658. /* done cipher selection */
  659. /* session id extracted already */
  660. p += s->s2->tmp.session_id_length;
  661. /* challenge */
  662. if (s->s2->challenge_length > sizeof s->s2->challenge) {
  663. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  664. SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  665. return -1;
  666. }
  667. memcpy(s->s2->challenge, p, (unsigned int)s->s2->challenge_length);
  668. return (1);
  669. mem_err:
  670. SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_MALLOC_FAILURE);
  671. return (0);
  672. }
  673. static int server_hello(SSL *s)
  674. {
  675. unsigned char *p, *d;
  676. int n, hit;
  677. p = (unsigned char *)s->init_buf->data;
  678. if (s->state == SSL2_ST_SEND_SERVER_HELLO_A) {
  679. d = p + 11;
  680. *(p++) = SSL2_MT_SERVER_HELLO; /* type */
  681. hit = s->hit;
  682. *(p++) = (unsigned char)hit;
  683. # if 1
  684. if (!hit) {
  685. if (s->session->sess_cert != NULL)
  686. /*
  687. * This can't really happen because get_client_hello has
  688. * called ssl_get_new_session, which does not set sess_cert.
  689. */
  690. ssl_sess_cert_free(s->session->sess_cert);
  691. s->session->sess_cert = ssl_sess_cert_new();
  692. if (s->session->sess_cert == NULL) {
  693. SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE);
  694. return (-1);
  695. }
  696. }
  697. /*
  698. * If 'hit' is set, then s->sess_cert may be non-NULL or NULL,
  699. * depending on whether it survived in the internal cache or was
  700. * retrieved from an external cache. If it is NULL, we cannot put any
  701. * useful data in it anyway, so we don't touch it.
  702. */
  703. # else /* That's what used to be done when cert_st
  704. * and sess_cert_st were * the same. */
  705. if (!hit) { /* else add cert to session */
  706. CRYPTO_add(&s->cert->references, 1, CRYPTO_LOCK_SSL_CERT);
  707. if (s->session->sess_cert != NULL)
  708. ssl_cert_free(s->session->sess_cert);
  709. s->session->sess_cert = s->cert;
  710. } else { /* We have a session id-cache hit, if the *
  711. * session-id has no certificate listed
  712. * against * the 'cert' structure, grab the
  713. * 'old' one * listed against the SSL
  714. * connection */
  715. if (s->session->sess_cert == NULL) {
  716. CRYPTO_add(&s->cert->references, 1, CRYPTO_LOCK_SSL_CERT);
  717. s->session->sess_cert = s->cert;
  718. }
  719. }
  720. # endif
  721. if (s->cert == NULL) {
  722. ssl2_return_error(s, SSL2_PE_NO_CERTIFICATE);
  723. SSLerr(SSL_F_SERVER_HELLO, SSL_R_NO_CERTIFICATE_SPECIFIED);
  724. return (-1);
  725. }
  726. if (hit) {
  727. *(p++) = 0; /* no certificate type */
  728. s2n(s->version, p); /* version */
  729. s2n(0, p); /* cert len */
  730. s2n(0, p); /* ciphers len */
  731. } else {
  732. /* EAY EAY */
  733. /* put certificate type */
  734. *(p++) = SSL2_CT_X509_CERTIFICATE;
  735. s2n(s->version, p); /* version */
  736. n = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, NULL);
  737. s2n(n, p); /* certificate length */
  738. i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, &d);
  739. n = 0;
  740. /*
  741. * lets send out the ciphers we like in the prefered order
  742. */
  743. n = ssl_cipher_list_to_bytes(s, s->session->ciphers, d, 0);
  744. d += n;
  745. s2n(n, p); /* add cipher length */
  746. }
  747. /* make and send conn_id */
  748. s2n(SSL2_CONNECTION_ID_LENGTH, p); /* add conn_id length */
  749. s->s2->conn_id_length = SSL2_CONNECTION_ID_LENGTH;
  750. if (RAND_bytes(s->s2->conn_id, (int)s->s2->conn_id_length) <= 0)
  751. return -1;
  752. memcpy(d, s->s2->conn_id, SSL2_CONNECTION_ID_LENGTH);
  753. d += SSL2_CONNECTION_ID_LENGTH;
  754. s->state = SSL2_ST_SEND_SERVER_HELLO_B;
  755. s->init_num = d - (unsigned char *)s->init_buf->data;
  756. s->init_off = 0;
  757. }
  758. /* SSL2_ST_SEND_SERVER_HELLO_B */
  759. /*
  760. * If we are using TCP/IP, the performance is bad if we do 2 writes
  761. * without a read between them. This occurs when Session-id reuse is
  762. * used, so I will put in a buffering module
  763. */
  764. if (s->hit) {
  765. if (!ssl_init_wbio_buffer(s, 1))
  766. return (-1);
  767. }
  768. return (ssl2_do_write(s));
  769. }
  770. static int get_client_finished(SSL *s)
  771. {
  772. unsigned char *p;
  773. int i, n;
  774. unsigned long len;
  775. p = (unsigned char *)s->init_buf->data;
  776. if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A) {
  777. i = ssl2_read(s, (char *)&(p[s->init_num]), 1 - s->init_num);
  778. if (i < 1 - s->init_num)
  779. return (ssl2_part_read(s, SSL_F_GET_CLIENT_FINISHED, i));
  780. s->init_num += i;
  781. if (*p != SSL2_MT_CLIENT_FINISHED) {
  782. if (*p != SSL2_MT_ERROR) {
  783. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  784. SSLerr(SSL_F_GET_CLIENT_FINISHED,
  785. SSL_R_READ_WRONG_PACKET_TYPE);
  786. } else {
  787. SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_PEER_ERROR);
  788. /* try to read the error message */
  789. i = ssl2_read(s, (char *)&(p[s->init_num]), 3 - s->init_num);
  790. return ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i);
  791. }
  792. return (-1);
  793. }
  794. s->state = SSL2_ST_GET_CLIENT_FINISHED_B;
  795. }
  796. /* SSL2_ST_GET_CLIENT_FINISHED_B */
  797. if (s->s2->conn_id_length > sizeof s->s2->conn_id) {
  798. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  799. SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
  800. return -1;
  801. }
  802. len = 1 + (unsigned long)s->s2->conn_id_length;
  803. n = (int)len - s->init_num;
  804. i = ssl2_read(s, (char *)&(p[s->init_num]), n);
  805. if (i < n) {
  806. return (ssl2_part_read(s, SSL_F_GET_CLIENT_FINISHED, i));
  807. }
  808. if (s->msg_callback) {
  809. /* CLIENT-FINISHED */
  810. s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg);
  811. }
  812. p += 1;
  813. if (memcmp(p, s->s2->conn_id, s->s2->conn_id_length) != 0) {
  814. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  815. SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_CONNECTION_ID_IS_DIFFERENT);
  816. return (-1);
  817. }
  818. return (1);
  819. }
  820. static int server_verify(SSL *s)
  821. {
  822. unsigned char *p;
  823. if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A) {
  824. p = (unsigned char *)s->init_buf->data;
  825. *(p++) = SSL2_MT_SERVER_VERIFY;
  826. if (s->s2->challenge_length > sizeof s->s2->challenge) {
  827. SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR);
  828. return -1;
  829. }
  830. memcpy(p, s->s2->challenge, (unsigned int)s->s2->challenge_length);
  831. /* p+=s->s2->challenge_length; */
  832. s->state = SSL2_ST_SEND_SERVER_VERIFY_B;
  833. s->init_num = s->s2->challenge_length + 1;
  834. s->init_off = 0;
  835. }
  836. return (ssl2_do_write(s));
  837. }
  838. static int server_finish(SSL *s)
  839. {
  840. unsigned char *p;
  841. if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A) {
  842. p = (unsigned char *)s->init_buf->data;
  843. *(p++) = SSL2_MT_SERVER_FINISHED;
  844. if (s->session->session_id_length > sizeof s->session->session_id) {
  845. SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR);
  846. return -1;
  847. }
  848. memcpy(p, s->session->session_id,
  849. (unsigned int)s->session->session_id_length);
  850. /* p+=s->session->session_id_length; */
  851. s->state = SSL2_ST_SEND_SERVER_FINISHED_B;
  852. s->init_num = s->session->session_id_length + 1;
  853. s->init_off = 0;
  854. }
  855. /* SSL2_ST_SEND_SERVER_FINISHED_B */
  856. return (ssl2_do_write(s));
  857. }
  858. /* send the request and check the response */
  859. static int request_certificate(SSL *s)
  860. {
  861. const unsigned char *cp;
  862. unsigned char *p, *p2, *buf2;
  863. unsigned char *ccd;
  864. int i, j, ctype, ret = -1;
  865. unsigned long len;
  866. X509 *x509 = NULL;
  867. STACK_OF(X509) *sk = NULL;
  868. ccd = s->s2->tmp.ccl;
  869. if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A) {
  870. p = (unsigned char *)s->init_buf->data;
  871. *(p++) = SSL2_MT_REQUEST_CERTIFICATE;
  872. *(p++) = SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
  873. if (RAND_bytes(ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
  874. return -1;
  875. memcpy(p, ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH);
  876. s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
  877. s->init_num = SSL2_MIN_CERT_CHALLENGE_LENGTH + 2;
  878. s->init_off = 0;
  879. }
  880. if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B) {
  881. i = ssl2_do_write(s);
  882. if (i <= 0) {
  883. ret = i;
  884. goto end;
  885. }
  886. s->init_num = 0;
  887. s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_C;
  888. }
  889. if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C) {
  890. p = (unsigned char *)s->init_buf->data;
  891. /* try to read 6 octets ... */
  892. i = ssl2_read(s, (char *)&(p[s->init_num]), 6 - s->init_num);
  893. /*
  894. * ... but don't call ssl2_part_read now if we got at least 3
  895. * (probably NO-CERTIFICATE-ERROR)
  896. */
  897. if (i < 3 - s->init_num) {
  898. ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, i);
  899. goto end;
  900. }
  901. s->init_num += i;
  902. if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR)) {
  903. n2s(p, i);
  904. if (i != SSL2_PE_NO_CERTIFICATE) {
  905. /*
  906. * not the error message we expected -- let ssl2_part_read
  907. * handle it
  908. */
  909. s->init_num -= 3;
  910. ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, 3);
  911. goto end;
  912. }
  913. if (s->msg_callback) {
  914. /* ERROR */
  915. s->msg_callback(0, s->version, 0, p, 3, s,
  916. s->msg_callback_arg);
  917. }
  918. /*
  919. * this is the one place where we can recover from an SSL 2.0
  920. * error
  921. */
  922. if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
  923. ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE);
  924. SSLerr(SSL_F_REQUEST_CERTIFICATE,
  925. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  926. goto end;
  927. }
  928. ret = 1;
  929. goto end;
  930. }
  931. if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6)) {
  932. ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
  933. SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_SHORT_READ);
  934. goto end;
  935. }
  936. if (s->init_num != 6) {
  937. SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR);
  938. goto end;
  939. }
  940. /* ok we have a response */
  941. /* certificate type, there is only one right now. */
  942. ctype = *(p++);
  943. if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) {
  944. ssl2_return_error(s, SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
  945. SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_BAD_RESPONSE_ARGUMENT);
  946. goto end;
  947. }
  948. n2s(p, i);
  949. s->s2->tmp.clen = i;
  950. n2s(p, i);
  951. s->s2->tmp.rlen = i;
  952. s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_D;
  953. }
  954. /* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */
  955. p = (unsigned char *)s->init_buf->data;
  956. len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen;
  957. if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
  958. SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_MESSAGE_TOO_LONG);
  959. goto end;
  960. }
  961. j = (int)len - s->init_num;
  962. i = ssl2_read(s, (char *)&(p[s->init_num]), j);
  963. if (i < j) {
  964. ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, i);
  965. goto end;
  966. }
  967. if (s->msg_callback) {
  968. /* CLIENT-CERTIFICATE */
  969. s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg);
  970. }
  971. p += 6;
  972. cp = p;
  973. x509 = (X509 *)d2i_X509(NULL, &cp, (long)s->s2->tmp.clen);
  974. if (x509 == NULL) {
  975. SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_X509_LIB);
  976. goto msg_end;
  977. }
  978. if (((sk = sk_X509_new_null()) == NULL) || (!sk_X509_push(sk, x509))) {
  979. SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_MALLOC_FAILURE);
  980. goto msg_end;
  981. }
  982. i = ssl_verify_cert_chain(s, sk);
  983. if (i > 0) { /* we like the packet, now check the chksum */
  984. EVP_MD_CTX ctx;
  985. EVP_PKEY *pkey = NULL;
  986. EVP_MD_CTX_init(&ctx);
  987. if (!EVP_VerifyInit_ex(&ctx, s->ctx->rsa_md5, NULL)
  988. || !EVP_VerifyUpdate(&ctx, s->s2->key_material,
  989. s->s2->key_material_length)
  990. || !EVP_VerifyUpdate(&ctx, ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH))
  991. goto msg_end;
  992. i = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, NULL);
  993. buf2 = OPENSSL_malloc((unsigned int)i);
  994. if (buf2 == NULL) {
  995. SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_MALLOC_FAILURE);
  996. goto msg_end;
  997. }
  998. p2 = buf2;
  999. i = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, &p2);
  1000. if (!EVP_VerifyUpdate(&ctx, buf2, (unsigned int)i)) {
  1001. OPENSSL_free(buf2);
  1002. goto msg_end;
  1003. }
  1004. OPENSSL_free(buf2);
  1005. pkey = X509_get_pubkey(x509);
  1006. if (pkey == NULL)
  1007. goto end;
  1008. i = EVP_VerifyFinal(&ctx, cp, s->s2->tmp.rlen, pkey);
  1009. EVP_PKEY_free(pkey);
  1010. EVP_MD_CTX_cleanup(&ctx);
  1011. if (i > 0) {
  1012. if (s->session->peer != NULL)
  1013. X509_free(s->session->peer);
  1014. s->session->peer = x509;
  1015. CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
  1016. s->session->verify_result = s->verify_result;
  1017. ret = 1;
  1018. goto end;
  1019. } else {
  1020. SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_BAD_CHECKSUM);
  1021. goto msg_end;
  1022. }
  1023. } else {
  1024. msg_end:
  1025. ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE);
  1026. }
  1027. end:
  1028. sk_X509_free(sk);
  1029. X509_free(x509);
  1030. return (ret);
  1031. }
  1032. static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
  1033. unsigned char *to, int padding)
  1034. {
  1035. RSA *rsa;
  1036. int i;
  1037. if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)) {
  1038. SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, SSL_R_NO_PRIVATEKEY);
  1039. return (-1);
  1040. }
  1041. if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA) {
  1042. SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, SSL_R_PUBLIC_KEY_IS_NOT_RSA);
  1043. return (-1);
  1044. }
  1045. rsa = c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa;
  1046. /* we have the public key */
  1047. i = RSA_private_decrypt(len, from, to, rsa, padding);
  1048. if (i < 0)
  1049. SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, ERR_R_RSA_LIB);
  1050. return (i);
  1051. }
  1052. #else /* !OPENSSL_NO_SSL2 */
  1053. # if PEDANTIC
  1054. static void *dummy = &dummy;
  1055. # endif
  1056. #endif