2 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
70 static int get_client_master_key(SSL
*s
);
71 static int get_client_hello(SSL
*s
);
72 static int server_hello(SSL
*s
);
73 static int get_client_finished(SSL
*s
);
74 static int server_verify(SSL
*s
);
75 static int server_finish(SSL
*s
);
76 static int request_certificate(SSL
*s
);
77 static int ssl_rsa_private_decrypt(CERT
*c
, int len
, unsigned char *from
,
78 unsigned char *to
,int padding
);
80 static int get_client_master_key();
81 static int get_client_hello();
82 static int server_hello();
83 static int get_client_finished();
84 static int server_verify();
85 static int server_finish();
86 static int request_certificate();
87 static int ssl_rsa_private_decrypt();
92 static SSL_METHOD
*ssl2_get_server_method(ver
)
96 return(SSLv2_server_method());
101 SSL_METHOD
*SSLv2_server_method()
104 static SSL_METHOD SSLv2_server_data
;
109 memcpy((char *)&SSLv2_server_data
,(char *)sslv2_base_method(),
111 SSLv2_server_data
.ssl_accept
=ssl2_accept
;
112 SSLv2_server_data
.get_ssl_method
=ssl2_get_server_method
;
114 return(&SSLv2_server_data
);
120 unsigned long l
=time(NULL
);
127 RAND_seed((unsigned char *)&l
,sizeof(l
));
131 if (s
->info_callback
!= NULL
)
133 else if (s
->ctx
->info_callback
!= NULL
)
134 cb
=s
->ctx
->info_callback
;
136 /* init things to blank */
137 if (!SSL_in_init(s
) || SSL_in_before(s
)) SSL_clear(s
);
140 if (((s
->session
== NULL
) || (s
->session
->cert
== NULL
)) &&
143 SSLerr(SSL_F_SSL2_ACCEPT
,SSL_R_NO_CERTIFICATE_SET
);
156 case SSL_ST_BEFORE
|SSL_ST_ACCEPT
:
157 case SSL_ST_OK
|SSL_ST_ACCEPT
:
159 if (cb
!= NULL
) cb(s
,SSL_CB_HANDSHAKE_START
,1);
162 s
->type
=SSL_ST_ACCEPT
;
165 if ((buf
== NULL
) && ((buf
=BUF_MEM_new()) == NULL
))
166 { ret
= -1; goto end
; }
167 if (!BUF_MEM_grow(buf
,(int)
168 SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER
))
169 { ret
= -1; goto end
; }
172 s
->ctx
->sess_accept
++;
173 s
->handshake_func
=ssl2_accept
;
174 s
->state
=SSL2_ST_GET_CLIENT_HELLO_A
;
177 case SSL2_ST_GET_CLIENT_HELLO_A
:
178 case SSL2_ST_GET_CLIENT_HELLO_B
:
179 case SSL2_ST_GET_CLIENT_HELLO_C
:
181 ret
=get_client_hello(s
);
182 if (ret
<= 0) goto end
;
184 s
->state
=SSL2_ST_SEND_SERVER_HELLO_A
;
187 case SSL2_ST_SEND_SERVER_HELLO_A
:
188 case SSL2_ST_SEND_SERVER_HELLO_B
:
190 if (ret
<= 0) goto end
;
194 s
->state
=SSL2_ST_GET_CLIENT_MASTER_KEY_A
;
199 s
->state
=SSL2_ST_SERVER_START_ENCRYPTION
;
202 case SSL2_ST_GET_CLIENT_MASTER_KEY_A
:
203 case SSL2_ST_GET_CLIENT_MASTER_KEY_B
:
204 ret
=get_client_master_key(s
);
205 if (ret
<= 0) goto end
;
207 s
->state
=SSL2_ST_SERVER_START_ENCRYPTION
;
210 case SSL2_ST_SERVER_START_ENCRYPTION
:
211 /* Ok we how have sent all the stuff needed to
212 * start encrypting, the next packet back will
214 if (!ssl2_enc_init(s
,0))
215 { ret
= -1; goto end
; }
217 s
->state
=SSL2_ST_SEND_SERVER_VERIFY_A
;
220 case SSL2_ST_SEND_SERVER_VERIFY_A
:
221 case SSL2_ST_SEND_SERVER_VERIFY_B
:
222 ret
=server_verify(s
);
223 if (ret
<= 0) goto end
;
227 /* If we are in here, we have been
228 * buffering the output, so we need to
229 * flush it and remove buffering from
231 s
->state
=SSL2_ST_SEND_SERVER_VERIFY_C
;
236 s
->state
=SSL2_ST_GET_CLIENT_FINISHED_A
;
240 case SSL2_ST_SEND_SERVER_VERIFY_C
:
241 /* get the number of bytes to write */
242 num1
=BIO_ctrl(s
->wbio
,BIO_CTRL_INFO
,0,NULL
);
245 s
->rwstate
=SSL_WRITING
;
246 num1
=BIO_flush(s
->wbio
);
247 if (num1
<= 0) { ret
= -1; goto end
; }
248 s
->rwstate
=SSL_NOTHING
;
251 /* flushed and now remove buffering */
252 s
->wbio
=BIO_pop(s
->wbio
);
254 s
->state
=SSL2_ST_GET_CLIENT_FINISHED_A
;
257 case SSL2_ST_GET_CLIENT_FINISHED_A
:
258 case SSL2_ST_GET_CLIENT_FINISHED_B
:
259 ret
=get_client_finished(s
);
263 s
->state
=SSL2_ST_SEND_REQUEST_CERTIFICATE_A
;
266 case SSL2_ST_SEND_REQUEST_CERTIFICATE_A
:
267 case SSL2_ST_SEND_REQUEST_CERTIFICATE_B
:
268 case SSL2_ST_SEND_REQUEST_CERTIFICATE_C
:
269 case SSL2_ST_SEND_REQUEST_CERTIFICATE_D
:
270 /* don't do a 'request certificate' if we
271 * don't want to, or we already have one, and
272 * we only want to do it once. */
273 if (!(s
->verify_mode
& SSL_VERIFY_PEER
) ||
274 ((s
->session
->peer
!= NULL
) &&
275 (s
->verify_mode
& SSL_VERIFY_CLIENT_ONCE
)))
277 s
->state
=SSL2_ST_SEND_SERVER_FINISHED_A
;
282 ret
=request_certificate(s
);
283 if (ret
<= 0) goto end
;
285 s
->state
=SSL2_ST_SEND_SERVER_FINISHED_A
;
289 case SSL2_ST_SEND_SERVER_FINISHED_A
:
290 case SSL2_ST_SEND_SERVER_FINISHED_B
:
291 ret
=server_finish(s
);
292 if (ret
<= 0) goto end
;
298 BUF_MEM_free(s
->init_buf
);
301 /* ERR_clear_error();*/
303 ssl_update_cache(s
,SSL_SESS_CACHE_SERVER
);
305 s
->ctx
->sess_accept_good
++;
309 if (cb
!= NULL
) cb(s
,SSL_CB_HANDSHAKE_DONE
,1);
315 SSLerr(SSL_F_SSL2_ACCEPT
,SSL_R_UNKNOWN_STATE
);
321 if ((cb
!= NULL
) && (s
->state
!= state
))
325 cb(s
,SSL_CB_ACCEPT_LOOP
,1);
332 cb(s
,SSL_CB_ACCEPT_EXIT
,ret
);
336 static int get_client_master_key(s
)
339 int export
,i
,n
,keya
,ek
;
345 p
=(unsigned char *)s
->init_buf
->data
;
346 if (s
->state
== SSL2_ST_GET_CLIENT_MASTER_KEY_A
)
348 i
=ssl2_read(s
,(char *)&(p
[s
->init_num
]),10-s
->init_num
);
350 if (i
< (10-s
->init_num
))
351 return(ssl2_part_read(s
,SSL_F_GET_CLIENT_MASTER_KEY
,i
));
352 if (*(p
++) != SSL2_MT_CLIENT_MASTER_KEY
)
354 if (p
[-1] != SSL2_MT_ERROR
)
356 ssl2_return_error(s
,SSL2_PE_UNDEFINED_ERROR
);
357 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY
,SSL_R_READ_WRONG_PACKET_TYPE
);
360 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY
,
365 cp
=ssl2_get_cipher_by_char(p
);
368 ssl2_return_error(s
,SSL2_PE_NO_CIPHER
);
369 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY
,
370 SSL_R_NO_CIPHER_MATCH
);
373 s
->session
->cipher
= cp
;
376 n2s(p
,i
); s
->s2
->tmp
.clear
=i
;
377 n2s(p
,i
); s
->s2
->tmp
.enc
=i
;
378 n2s(p
,i
); s
->session
->key_arg_length
=i
;
379 s
->state
=SSL2_ST_GET_CLIENT_MASTER_KEY_B
;
383 /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
384 p
=(unsigned char *)s
->init_buf
->data
;
385 keya
=s
->session
->key_arg_length
;
386 n
=s
->s2
->tmp
.clear
+s
->s2
->tmp
.enc
+keya
- s
->init_num
;
387 i
=ssl2_read(s
,(char *)&(p
[s
->init_num
]),n
);
388 if (i
!= n
) return(ssl2_part_read(s
,SSL_F_GET_CLIENT_MASTER_KEY
,i
));
390 memcpy(s
->session
->key_arg
,&(p
[s
->s2
->tmp
.clear
+s
->s2
->tmp
.enc
]),
393 if (s
->session
->cert
->key
->privatekey
== NULL
)
395 ssl2_return_error(s
,SSL2_PE_UNDEFINED_ERROR
);
396 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY
,SSL_R_NO_PRIVATEKEY
);
399 i
=ssl_rsa_private_decrypt(s
->cert
,s
->s2
->tmp
.enc
,
400 &(p
[s
->s2
->tmp
.clear
]),&(p
[s
->s2
->tmp
.clear
]),
401 (s
->s2
->ssl2_rollback
)?RSA_SSLV23_PADDING
:RSA_PKCS1_PADDING
);
403 export
=(s
->session
->cipher
->algorithms
& SSL_EXP
)?1:0;
405 if (!ssl_cipher_get_evp(s
->session
->cipher
,&c
,&md
))
407 ssl2_return_error(s
,SSL2_PE_NO_CIPHER
);
408 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY
,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS
);
412 if (s
->session
->cipher
->algorithm2
& SSL2_CF_8_BYTE_ENC
)
422 /* If a bad decrypt, continue with protocol but with a
423 * dud master secret */
425 ((!export
&& (i
!= EVP_CIPHER_key_length(c
)))
426 || ( export
&& ((i
!= ek
) || (s
->s2
->tmp
.clear
+i
!=
427 EVP_CIPHER_key_length(c
))))))
432 i
=EVP_CIPHER_key_length(c
);
439 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY
,SSL_R_BAD_RSA_DECRYPT
);
441 /* incorrect number of key bytes for non export cipher */
442 else if ((!export
&& (i
!= EVP_CIPHER_key_length(c
)))
443 || ( export
&& ((i
!= ek
) || (s
->s2
->tmp
.clear
+i
!=
444 EVP_CIPHER_key_length(c
)))))
447 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY
,SSL_R_WRONG_NUMBER_OF_KEY_BITS
);
451 ssl2_return_error(s
,SSL2_PE_UNDEFINED_ERROR
);
456 if (export
) i
+=s
->s2
->tmp
.clear
;
457 s
->session
->master_key_length
=i
;
458 memcpy(s
->session
->master_key
,p
,(unsigned int)i
);
462 static int get_client_hello(s
)
467 STACK
*cs
; /* a stack of SSL_CIPHERS */
468 STACK
*cl
; /* the ones we want to use */
471 /* This is a bit of a hack to check for the correct packet
472 * type the first time round. */
473 if (s
->state
== SSL2_ST_GET_CLIENT_HELLO_A
)
476 s
->state
=SSL2_ST_GET_CLIENT_HELLO_B
;
479 p
=(unsigned char *)s
->init_buf
->data
;
480 if (s
->state
== SSL2_ST_GET_CLIENT_HELLO_B
)
482 i
=ssl2_read(s
,(char *)&(p
[s
->init_num
]),9-s
->init_num
);
483 if (i
< (9-s
->init_num
))
484 return(ssl2_part_read(s
,SSL_F_GET_CLIENT_HELLO
,i
));
486 if (*(p
++) != SSL2_MT_CLIENT_HELLO
)
488 if (p
[-1] != SSL2_MT_ERROR
)
490 ssl2_return_error(s
,SSL2_PE_UNDEFINED_ERROR
);
491 SSLerr(SSL_F_GET_CLIENT_HELLO
,SSL_R_READ_WRONG_PACKET_TYPE
);
494 SSLerr(SSL_F_GET_CLIENT_HELLO
,SSL_R_PEER_ERROR
);
498 if (i
< s
->version
) s
->version
=i
;
499 n2s(p
,i
); s
->s2
->tmp
.cipher_spec_length
=i
;
500 n2s(p
,i
); s
->s2
->tmp
.session_id_length
=i
;
501 n2s(p
,i
); s
->s2
->challenge_length
=i
;
502 if ( (i
< SSL2_MIN_CHALLENGE_LENGTH
) ||
503 (i
> SSL2_MAX_CHALLENGE_LENGTH
))
505 SSLerr(SSL_F_GET_CLIENT_HELLO
,SSL_R_INVALID_CHALLENGE_LENGTH
);
508 s
->state
=SSL2_ST_GET_CLIENT_HELLO_C
;
512 /* SSL2_ST_GET_CLIENT_HELLO_C */
513 p
=(unsigned char *)s
->init_buf
->data
;
514 n
=s
->s2
->tmp
.cipher_spec_length
+s
->s2
->challenge_length
+
515 s
->s2
->tmp
.session_id_length
-s
->init_num
;
516 i
=ssl2_read(s
,(char *)&(p
[s
->init_num
]),n
);
517 if (i
!= n
) return(ssl2_part_read(s
,SSL_F_GET_CLIENT_HELLO
,i
));
519 /* get session-id before cipher stuff so we can get out session
520 * structure if it is cached */
522 if ((s
->s2
->tmp
.session_id_length
!= 0) &&
523 (s
->s2
->tmp
.session_id_length
!= SSL2_SSL_SESSION_ID_LENGTH
))
525 ssl2_return_error(s
,SSL2_PE_UNDEFINED_ERROR
);
526 SSLerr(SSL_F_GET_CLIENT_HELLO
,SSL_R_BAD_SSL_SESSION_ID_LENGTH
);
530 if (s
->s2
->tmp
.session_id_length
== 0)
532 if (!ssl_get_new_session(s
,1))
534 ssl2_return_error(s
,SSL2_PE_UNDEFINED_ERROR
);
540 i
=ssl_get_prev_session(s
,s
->s2
->tmp
.session_id_length
,
541 &(p
[s
->s2
->tmp
.cipher_spec_length
]));
543 { /* previous session */
548 ssl2_return_error(s
,SSL2_PE_UNDEFINED_ERROR
);
555 ssl2_return_error(s
,SSL2_PE_NO_CERTIFICATE
);
556 SSLerr(SSL_F_GET_CLIENT_HELLO
,SSL_R_NO_CERTIFICATE_SET
);
560 if (!ssl_get_new_session(s
,1))
562 ssl2_return_error(s
,SSL2_PE_UNDEFINED_ERROR
);
570 cs
=ssl_bytes_to_cipher_list(s
,p
,s
->s2
->tmp
.cipher_spec_length
,
571 &s
->session
->ciphers
);
572 if (cs
== NULL
) goto mem_err
;
574 cl
=ssl_get_ciphers_by_id(s
);
576 for (z
=0; z
<sk_num(cs
); z
++)
578 if (sk_find(cl
,sk_value(cs
,z
)) < 0)
585 /* s->session->ciphers should now have a list of
586 * ciphers that are on both the client and server.
587 * This list is ordered by the order the client sent
591 p
+=s
->s2
->tmp
.cipher_spec_length
;
592 /* done cipher selection */
594 /* session id extracted already */
595 p
+=s
->s2
->tmp
.session_id_length
;
598 memcpy(s
->s2
->challenge
,p
,(unsigned int)s
->s2
->challenge_length
);
601 SSLerr(SSL_F_GET_CLIENT_HELLO
,ERR_R_MALLOC_FAILURE
);
605 static int server_hello(s
)
612 p
=(unsigned char *)s
->init_buf
->data
;
613 if (s
->state
== SSL2_ST_SEND_SERVER_HELLO_A
)
616 *(p
++)=SSL2_MT_SERVER_HELLO
; /* type */
618 *(p
++)=(unsigned char)hit
;
620 { /* else add cert to session */
621 CRYPTO_add(&s
->cert
->references
,1,CRYPTO_LOCK_SSL_CERT
);
622 if (s
->session
->cert
!= NULL
)
623 ssl_cert_free(s
->session
->cert
);
624 s
->session
->cert
=s
->cert
;
626 else /* We have a session id-cache hit, if the
627 * session-id has no certificate listed against
628 * the 'cert' structure, grab the 'old' one
629 * listed against the SSL connection */
631 if (s
->session
->cert
== NULL
)
633 CRYPTO_add(&s
->cert
->references
,1,
634 CRYPTO_LOCK_SSL_CERT
);
635 s
->session
->cert
=s
->cert
;
639 if (s
->session
->cert
== NULL
)
641 ssl2_return_error(s
,SSL2_PE_NO_CERTIFICATE
);
642 SSLerr(SSL_F_SERVER_HELLO
,SSL_R_NO_CERTIFICATE_SPECIFIED
);
648 *(p
++)=0; /* no certificate type */
649 s2n(s
->version
,p
); /* version */
650 s2n(0,p
); /* cert len */
651 s2n(0,p
); /* ciphers len */
656 /* put certificate type */
657 *(p
++)=SSL2_CT_X509_CERTIFICATE
;
658 s2n(s
->version
,p
); /* version */
659 n
=i2d_X509(s
->cert
->key
->x509
,NULL
);
660 s2n(n
,p
); /* certificate length */
661 i2d_X509(s
->cert
->key
->x509
,&d
);
664 /* lets send out the ciphers we like in the
666 sk
= s
->session
->ciphers
;
667 n
=ssl_cipher_list_to_bytes(s
,s
->session
->ciphers
,d
);
669 s2n(n
,p
); /* add cipher length */
672 /* make and send conn_id */
673 s2n(SSL2_CONNECTION_ID_LENGTH
,p
); /* add conn_id length */
674 s
->s2
->conn_id_length
=SSL2_CONNECTION_ID_LENGTH
;
675 RAND_bytes(s
->s2
->conn_id
,(int)s
->s2
->conn_id_length
);
676 memcpy(d
,s
->s2
->conn_id
,SSL2_CONNECTION_ID_LENGTH
);
677 d
+=SSL2_CONNECTION_ID_LENGTH
;
679 s
->state
=SSL2_ST_SEND_SERVER_HELLO_B
;
680 s
->init_num
=d
-(unsigned char *)s
->init_buf
->data
;
683 /* SSL2_ST_SEND_SERVER_HELLO_B */
684 /* If we are using TCP/IP, the performace is bad if we do 2
685 * writes without a read between them. This occurs when
686 * Session-id reuse is used, so I will put in a buffering module
694 buf
=BIO_new(BIO_f_buffer());
697 SSLerr(SSL_F_SERVER_HELLO
,ERR_LIB_BUF
);
706 s
->wbio
=BIO_push(buf
,s
->wbio
);
709 return(ssl2_do_write(s
));
712 static int get_client_finished(s
)
718 p
=(unsigned char *)s
->init_buf
->data
;
719 if (s
->state
== SSL2_ST_GET_CLIENT_FINISHED_A
)
721 i
=ssl2_read(s
,(char *)&(p
[s
->init_num
]),1-s
->init_num
);
722 if (i
< 1-s
->init_num
)
723 return(ssl2_part_read(s
,SSL_F_GET_CLIENT_FINISHED
,i
));
725 if (*p
!= SSL2_MT_CLIENT_FINISHED
)
727 if (*p
!= SSL2_MT_ERROR
)
729 ssl2_return_error(s
,SSL2_PE_UNDEFINED_ERROR
);
730 SSLerr(SSL_F_GET_CLIENT_FINISHED
,SSL_R_READ_WRONG_PACKET_TYPE
);
733 SSLerr(SSL_F_GET_CLIENT_FINISHED
,SSL_R_PEER_ERROR
);
737 s
->state
=SSL2_ST_GET_CLIENT_FINISHED_B
;
740 /* SSL2_ST_GET_CLIENT_FINISHED_B */
741 i
=ssl2_read(s
,(char *)&(p
[s
->init_num
]),s
->s2
->conn_id_length
-s
->init_num
);
742 if (i
< (int)s
->s2
->conn_id_length
-s
->init_num
)
744 return(ssl2_part_read(s
,SSL_F_GET_CLIENT_FINISHED
,i
));
746 if (memcmp(p
,s
->s2
->conn_id
,(unsigned int)s
->s2
->conn_id_length
) != 0)
748 ssl2_return_error(s
,SSL2_PE_UNDEFINED_ERROR
);
749 SSLerr(SSL_F_GET_CLIENT_FINISHED
,SSL_R_CONNECTION_ID_IS_DIFFERENT
);
755 static int server_verify(s
)
760 if (s
->state
== SSL2_ST_SEND_SERVER_VERIFY_A
)
762 p
=(unsigned char *)s
->init_buf
->data
;
763 *(p
++)=SSL2_MT_SERVER_VERIFY
;
764 memcpy(p
,s
->s2
->challenge
,(unsigned int)s
->s2
->challenge_length
);
765 /* p+=s->s2->challenge_length; */
767 s
->state
=SSL2_ST_SEND_SERVER_VERIFY_B
;
768 s
->init_num
=s
->s2
->challenge_length
+1;
771 return(ssl2_do_write(s
));
774 static int server_finish(s
)
779 if (s
->state
== SSL2_ST_SEND_SERVER_FINISHED_A
)
781 p
=(unsigned char *)s
->init_buf
->data
;
782 *(p
++)=SSL2_MT_SERVER_FINISHED
;
784 memcpy(p
,s
->session
->session_id
,
785 (unsigned int)s
->session
->session_id_length
);
786 /* p+=s->session->session_id_length; */
788 s
->state
=SSL2_ST_SEND_SERVER_FINISHED_B
;
789 s
->init_num
=s
->session
->session_id_length
+1;
793 /* SSL2_ST_SEND_SERVER_FINISHED_B */
794 return(ssl2_do_write(s
));
797 /* send the request and check the response */
798 static int request_certificate(s
)
801 unsigned char *p
,*p2
,*buf2
;
803 int i
,j
,ctype
,ret
= -1;
808 if (s
->state
== SSL2_ST_SEND_REQUEST_CERTIFICATE_A
)
810 p
=(unsigned char *)s
->init_buf
->data
;
811 *(p
++)=SSL2_MT_REQUEST_CERTIFICATE
;
812 *(p
++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION
;
813 RAND_bytes(ccd
,SSL2_MIN_CERT_CHALLENGE_LENGTH
);
814 memcpy(p
,ccd
,SSL2_MIN_CERT_CHALLENGE_LENGTH
);
816 s
->state
=SSL2_ST_SEND_REQUEST_CERTIFICATE_B
;
817 s
->init_num
=SSL2_MIN_CERT_CHALLENGE_LENGTH
+2;
821 if (s
->state
== SSL2_ST_SEND_REQUEST_CERTIFICATE_B
)
831 s
->state
=SSL2_ST_SEND_REQUEST_CERTIFICATE_C
;
834 if (s
->state
== SSL2_ST_SEND_REQUEST_CERTIFICATE_C
)
836 p
=(unsigned char *)s
->init_buf
->data
;
837 i
=ssl2_read(s
,(char *)&(p
[s
->init_num
]),6-s
->init_num
);
840 ret
=ssl2_part_read(s
,SSL_F_REQUEST_CERTIFICATE
,i
);
844 if ((*p
== SSL2_MT_ERROR
) && (i
>= 3))
847 if (s
->verify_mode
& SSL_VERIFY_FAIL_IF_NO_PEER_CERT
)
849 ssl2_return_error(s
,SSL2_PE_BAD_CERTIFICATE
);
850 SSLerr(SSL_F_REQUEST_CERTIFICATE
,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
);
856 if ((*(p
++) != SSL2_MT_CLIENT_CERTIFICATE
) || (i
< 6))
858 ssl2_return_error(s
,SSL2_PE_UNDEFINED_ERROR
);
859 SSLerr(SSL_F_REQUEST_CERTIFICATE
,SSL_R_SHORT_READ
);
862 /* ok we have a response */
863 /* certificate type, there is only one right now. */
865 if (ctype
!= SSL2_AT_MD5_WITH_RSA_ENCRYPTION
)
867 ssl2_return_error(s
,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE
);
868 SSLerr(SSL_F_REQUEST_CERTIFICATE
,SSL_R_BAD_RESPONSE_ARGUMENT
);
871 n2s(p
,i
); s
->s2
->tmp
.clen
=i
;
872 n2s(p
,i
); s
->s2
->tmp
.rlen
=i
;
873 s
->state
=SSL2_ST_SEND_REQUEST_CERTIFICATE_D
;
877 /* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */
878 p
=(unsigned char *)s
->init_buf
->data
;
879 j
=s
->s2
->tmp
.clen
+s
->s2
->tmp
.rlen
-s
->init_num
;
880 i
=ssl2_read(s
,(char *)&(p
[s
->init_num
]),j
);
883 ret
=ssl2_part_read(s
,SSL_F_REQUEST_CERTIFICATE
,i
);
887 x509
=(X509
*)d2i_X509(NULL
,&p
,(long)s
->s2
->tmp
.clen
);
890 SSLerr(SSL_F_REQUEST_CERTIFICATE
,ERR_R_X509_LIB
);
894 if (((sk
=sk_new_null()) == NULL
) || (!sk_push(sk
,(char *)x509
)))
896 SSLerr(SSL_F_REQUEST_CERTIFICATE
,ERR_R_MALLOC_FAILURE
);
900 i
=ssl_verify_cert_chain(s
,sk
);
902 if (i
) /* we like the packet, now check the chksum */
907 EVP_VerifyInit(&ctx
,EVP_md5());
908 EVP_VerifyUpdate(&ctx
,s
->s2
->key_material
,
909 (unsigned int)s
->s2
->key_material_length
);
910 EVP_VerifyUpdate(&ctx
,ccd
,SSL2_MIN_CERT_CHALLENGE_LENGTH
);
912 i
=i2d_X509(s
->session
->cert
->key
->x509
,NULL
);
913 buf2
=(unsigned char *)Malloc((unsigned int)i
);
916 SSLerr(SSL_F_REQUEST_CERTIFICATE
,ERR_R_MALLOC_FAILURE
);
920 i
=i2d_X509(s
->session
->cert
->key
->x509
,&p2
);
921 EVP_VerifyUpdate(&ctx
,buf2
,(unsigned int)i
);
924 pkey
=X509_get_pubkey(x509
);
925 if (pkey
== NULL
) goto end
;
926 i
=EVP_VerifyFinal(&ctx
,p
,s
->s2
->tmp
.rlen
,pkey
);
927 memset(&ctx
,0,sizeof(ctx
));
931 if (s
->session
->peer
!= NULL
)
932 X509_free(s
->session
->peer
);
933 s
->session
->peer
=x509
;
934 CRYPTO_add(&x509
->references
,1,CRYPTO_LOCK_X509
);
940 SSLerr(SSL_F_REQUEST_CERTIFICATE
,SSL_R_BAD_CHECKSUM
);
947 ssl2_return_error(s
,SSL2_PE_BAD_CERTIFICATE
);
950 if (sk
!= NULL
) sk_free(sk
);
951 if (x509
!= NULL
) X509_free(x509
);
955 static int ssl_rsa_private_decrypt(c
, len
, from
, to
,padding
)
965 if ((c
== NULL
) || (c
->key
->privatekey
== NULL
))
967 SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT
,SSL_R_NO_PRIVATEKEY
);
970 if (c
->key
->privatekey
->type
!= EVP_PKEY_RSA
)
972 SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT
,SSL_R_PUBLIC_KEY_IS_NOT_RSA
);
975 rsa
=c
->key
->privatekey
->pkey
.rsa
;
977 /* we have the public key */
978 i
=RSA_private_decrypt(len
,from
,to
,rsa
,padding
);
980 SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT
,ERR_R_RSA_LIB
);