Acasă Explorează Ajutor
Înregistrare Autentificare
Apq
/
winscp
oglindă de https://github.com/winscp/winscp.git
1
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Arbore: fd6977287e
Ramuri Etichete
winscp
/
libs
/
openssl
/
ssl
/
s2_srvr.c

s2_srvr.c 40 KB
Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167 
  1. /* ssl/s2_srvr.c */
    2. 

  2. /* Copyright (C) 1995-1998 Eric Young ([email protected])
    3. 

  3.  * All rights reserved.
    4. 

  4.  *
    5. 

  5.  * This package is an SSL implementation written
    6. 

  6.  * by Eric Young ([email protected]).
    7. 

  7.  * The implementation was written so as to conform with Netscapes SSL.
    8. 

  8.  *
    9. 

  9.  * This library is free for commercial and non-commercial use as long as
    10. 

  10.  * the following conditions are aheared to.  The following conditions
    11. 

  11.  * apply to all code found in this distribution, be it the RC4, RSA,
    12. 

  12.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
    13. 

  13.  * included with this distribution is covered by the same copyright terms
    14. 

  14.  * except that the holder is Tim Hudson ([email protected]).
    15. 

  15.  *
    16. 

  16.  * Copyright remains Eric Young's, and as such any Copyright notices in
    17. 

  17.  * the code are not to be removed.
    18. 

  18.  * If this package is used in a product, Eric Young should be given attribution
    19. 

  19.  * as the author of the parts of the library used.
    20. 

  20.  * This can be in the form of a textual message at program startup or
    21. 

  21.  * in documentation (online or textual) provided with the package.
    22. 

  22.  *
    23. 

  23.  * Redistribution and use in source and binary forms, with or without
    24. 

  24.  * modification, are permitted provided that the following conditions
    25. 

  25.  * are met:
    26. 

  26.  * 1. Redistributions of source code must retain the copyright
    27. 

  27.  *    notice, this list of conditions and the following disclaimer.
    28. 

  28.  * 2. Redistributions in binary form must reproduce the above copyright
    29. 

  29.  *    notice, this list of conditions and the following disclaimer in the
    30. 

  30.  *    documentation and/or other materials provided with the distribution.
    31. 

  31.  * 3. All advertising materials mentioning features or use of this software
    32. 

  32.  *    must display the following acknowledgement:
    33. 

  33.  *    "This product includes cryptographic software written by
    34. 

  34.  *     Eric Young ([email protected])"
    35. 

  35.  *    The word 'cryptographic' can be left out if the rouines from the library
    36. 

  36.  *    being used are not cryptographic related :-).
    37. 

  37.  * 4. If you include any Windows specific code (or a derivative thereof) from
    38. 

  38.  *    the apps directory (application code) you must include an acknowledgement:
    39. 

  39.  *    "This product includes software written by Tim Hudson ([email protected])"
    40. 

  40.  *
    41. 

  41.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
    42. 

  42.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    43. 

  43.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    44. 

  44.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    45. 

  45.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    46. 

  46.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    47. 

  47.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    48. 

  48.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    49. 

  49.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    50. 

  50.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    51. 

  51.  * SUCH DAMAGE.
    52. 

  52.  *
    53. 

  53.  * The licence and distribution terms for any publically available version or
    54. 

  54.  * derivative of this code cannot be changed.  i.e. this code cannot simply be
    55. 

  55.  * copied and put under another distribution licence
    56. 

  56.  * [including the GNU Public Licence.]
    57. 

  57.  */
    58. 

  58. /* ====================================================================
    59. 

  59.  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
    60. 

  60.  *
    61. 

  61.  * Redistribution and use in source and binary forms, with or without
    62. 

  62.  * modification, are permitted provided that the following conditions
    63. 

  63.  * are met:
    64. 

  64.  *
    65. 

  65.  * 1. Redistributions of source code must retain the above copyright
    66. 

  66.  *    notice, this list of conditions and the following disclaimer.
    67. 

  67.  *
    68. 

  68.  * 2. Redistributions in binary form must reproduce the above copyright
    69. 

  69.  *    notice, this list of conditions and the following disclaimer in
    70. 

  70.  *    the documentation and/or other materials provided with the
    71. 

  71.  *    distribution.
    72. 

  72.  *
    73. 

  73.  * 3. All advertising materials mentioning features or use of this
    74. 

  74.  *    software must display the following acknowledgment:
    75. 

  75.  *    "This product includes software developed by the OpenSSL Project
    76. 

  76.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
    77. 

  77.  *
    78. 

  78.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
    79. 

  79.  *    endorse or promote products derived from this software without
    80. 

  80.  *    prior written permission. For written permission, please contact
    81. 

  81.  *    [email protected].
    82. 

  82.  *
    83. 

  83.  * 5. Products derived from this software may not be called "OpenSSL"
    84. 

  84.  *    nor may "OpenSSL" appear in their names without prior written
    85. 

  85.  *    permission of the OpenSSL Project.
    86. 

  86.  *
    87. 

  87.  * 6. Redistributions of any form whatsoever must retain the following
    88. 

  88.  *    acknowledgment:
    89. 

  89.  *    "This product includes software developed by the OpenSSL Project
    90. 

  90.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
    91. 

  91.  *
    92. 

  92.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
    93. 

  93.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    94. 

  94.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    95. 

  95.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
    96. 

  96.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
    97. 

  97.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
    98. 

  98.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
    99. 

  99.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    100. 

  100.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    101. 

  101.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    102. 

  102.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    103. 

  103.  * OF THE POSSIBILITY OF SUCH DAMAGE.
    104. 

  104.  * ====================================================================
    105. 

  105.  *
    106. 

  106.  * This product includes cryptographic software written by Eric Young
    107. 

  107.  * ([email protected]).  This product includes software written by Tim
    108. 

  108.  * Hudson ([email protected]).
    109. 

  109.  *
    110. 

  110.  */
    111. 

  111. 

  112. #include "ssl_locl.h"
    113. 

  113. #ifndef OPENSSL_NO_SSL2
    114. 

  114. #include "../crypto/constant_time_locl.h"
    115. 

  115. # include <stdio.h>
    116. 

  116. # include <openssl/bio.h>
    117. 

  117. # include <openssl/rand.h>
    118. 

  118. # include <openssl/objects.h>
    119. 

  119. # include <openssl/evp.h>
    120. 

  120. 

  121. static const SSL_METHOD *ssl2_get_server_method(int ver);
    122. 

  122. static int get_client_master_key(SSL *s);
    123. 

  123. static int get_client_hello(SSL *s);
    124. 

  124. static int server_hello(SSL *s);
    125. 

  125. static int get_client_finished(SSL *s);
    126. 

  126. static int server_verify(SSL *s);
    127. 

  127. static int server_finish(SSL *s);
    128. 

  128. static int request_certificate(SSL *s);
    129. 

  129. static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
    130. 

  130.                                    unsigned char *to, int padding);
    131. 

  131. # define BREAK   break
    132. 

  132. 

  133. static const SSL_METHOD *ssl2_get_server_method(int ver)
    134. 

  134. {
    135. 

  135.     if (ver == SSL2_VERSION)
    136. 

  136.         return (SSLv2_server_method());
    137. 

  137.     else
    138. 

  138.         return (NULL);
    139. 

  139. }
    140. 

  140. 

  141. IMPLEMENT_ssl2_meth_func(SSLv2_server_method,
    142. 

  142.                          ssl2_accept,
    143. 

  143.                          ssl_undefined_function, ssl2_get_server_method)
    144. 

  144. 

  145. int ssl2_accept(SSL *s)
    146. 

  146. {
    147. 

  147.     unsigned long l = (unsigned long)time(NULL);
    148. 

  148.     BUF_MEM *buf = NULL;
    149. 

  149.     int ret = -1;
    150. 

  150.     long num1;
    151. 

  151.     void (*cb) (const SSL *ssl, int type, int val) = NULL;
    152. 

  152.     int new_state, state;
    153. 

  153. 

  154.     RAND_add(&l, sizeof(l), 0);
    155. 

  155.     ERR_clear_error();
    156. 

  156.     clear_sys_error();
    157. 

  157. 

  158.     if (s->info_callback != NULL)
    159. 

  159.         cb = s->info_callback;
    160. 

  160.     else if (s->ctx->info_callback != NULL)
    161. 

  161.         cb = s->ctx->info_callback;
    162. 

  162. 

  163.     /* init things to blank */
    164. 

  164.     s->in_handshake++;
    165. 

  165.     if (!SSL_in_init(s) || SSL_in_before(s))
    166. 

  166.         SSL_clear(s);
    167. 

  167. 

  168.     if (s->cert == NULL) {
    169. 

  169.         SSLerr(SSL_F_SSL2_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
    170. 

  170.         return (-1);
    171. 

  171.     }
    172. 

  172. 

  173.     clear_sys_error();
    174. 

  174.     for (;;) {
    175. 

  175.         state = s->state;
    176. 

  176. 

  177.         switch (s->state) {
    178. 

  178.         case SSL_ST_BEFORE:
    179. 

  179.         case SSL_ST_ACCEPT:
    180. 

  180.         case SSL_ST_BEFORE | SSL_ST_ACCEPT:
    181. 

  181.         case SSL_ST_OK | SSL_ST_ACCEPT:
    182. 

  182. 

  183.             s->server = 1;
    184. 

  184.             if (cb != NULL)
    185. 

  185.                 cb(s, SSL_CB_HANDSHAKE_START, 1);
    186. 

  186. 

  187.             s->version = SSL2_VERSION;
    188. 

  188.             s->type = SSL_ST_ACCEPT;
    189. 

  189. 

  190.             if (s->init_buf == NULL) {
    191. 

  191.                 if ((buf = BUF_MEM_new()) == NULL) {
    192. 

  192.                     ret = -1;
    193. 

  193.                     goto end;
    194. 

  194.                 }
    195. 

  195.                 if (!BUF_MEM_grow
    196. 

  196.                     (buf, (int)SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) {
    197. 

  197.                     BUF_MEM_free(buf);
    198. 

  198.                     ret = -1;
    199. 

  199.                     goto end;
    200. 

  200.                 }
    201. 

  201.                 s->init_buf = buf;
    202. 

  202.             }
    203. 

  203.             s->init_num = 0;
    204. 

  204.             s->ctx->stats.sess_accept++;
    205. 

  205.             s->handshake_func = ssl2_accept;
    206. 

  206.             s->state = SSL2_ST_GET_CLIENT_HELLO_A;
    207. 

  207.             BREAK;
    208. 

  208. 

  209.         case SSL2_ST_GET_CLIENT_HELLO_A:
    210. 

  210.         case SSL2_ST_GET_CLIENT_HELLO_B:
    211. 

  211.         case SSL2_ST_GET_CLIENT_HELLO_C:
    212. 

  212.             s->shutdown = 0;
    213. 

  213.             ret = get_client_hello(s);
    214. 

  214.             if (ret <= 0)
    215. 

  215.                 goto end;
    216. 

  216.             s->init_num = 0;
    217. 

  217.             s->state = SSL2_ST_SEND_SERVER_HELLO_A;
    218. 

  218.             BREAK;
    219. 

  219. 

  220.         case SSL2_ST_SEND_SERVER_HELLO_A:
    221. 

  221.         case SSL2_ST_SEND_SERVER_HELLO_B:
    222. 

  222.             ret = server_hello(s);
    223. 

  223.             if (ret <= 0)
    224. 

  224.                 goto end;
    225. 

  225.             s->init_num = 0;
    226. 

  226.             if (!s->hit) {
    227. 

  227.                 s->state = SSL2_ST_GET_CLIENT_MASTER_KEY_A;
    228. 

  228.                 BREAK;
    229. 

  229.             } else {
    230. 

  230.                 s->state = SSL2_ST_SERVER_START_ENCRYPTION;
    231. 

  231.                 BREAK;
    232. 

  232.             }
    233. 

  233.         case SSL2_ST_GET_CLIENT_MASTER_KEY_A:
    234. 

  234.         case SSL2_ST_GET_CLIENT_MASTER_KEY_B:
    235. 

  235.             ret = get_client_master_key(s);
    236. 

  236.             if (ret <= 0)
    237. 

  237.                 goto end;
    238. 

  238.             s->init_num = 0;
    239. 

  239.             s->state = SSL2_ST_SERVER_START_ENCRYPTION;
    240. 

  240.             BREAK;
    241. 

  241. 

  242.         case SSL2_ST_SERVER_START_ENCRYPTION:
    243. 

  243.             /*
    244. 

  244.              * Ok we how have sent all the stuff needed to start encrypting,
    245. 

  245.              * the next packet back will be encrypted.
    246. 

  246.              */
    247. 

  247.             if (!ssl2_enc_init(s, 0)) {
    248. 

  248.                 ret = -1;
    249. 

  249.                 goto end;
    250. 

  250.             }
    251. 

  251.             s->s2->clear_text = 0;
    252. 

  252.             s->state = SSL2_ST_SEND_SERVER_VERIFY_A;
    253. 

  253.             BREAK;
    254. 

  254. 

  255.         case SSL2_ST_SEND_SERVER_VERIFY_A:
    256. 

  256.         case SSL2_ST_SEND_SERVER_VERIFY_B:
    257. 

  257.             ret = server_verify(s);
    258. 

  258.             if (ret <= 0)
    259. 

  259.                 goto end;
    260. 

  260.             s->init_num = 0;
    261. 

  261.             if (s->hit) {
    262. 

  262.                 /*
    263. 

  263.                  * If we are in here, we have been buffering the output, so
    264. 

  264.                  * we need to flush it and remove buffering from future
    265. 

  265.                  * traffic
    266. 

  266.                  */
    267. 

  267.                 s->state = SSL2_ST_SEND_SERVER_VERIFY_C;
    268. 

  268.                 BREAK;
    269. 

  269.             } else {
    270. 

  270.                 s->state = SSL2_ST_GET_CLIENT_FINISHED_A;
    271. 

  271.                 break;
    272. 

  272.             }
    273. 

  273. 

  274.         case SSL2_ST_SEND_SERVER_VERIFY_C:
    275. 

  275.             /* get the number of bytes to write */
    276. 

  276.             num1 = BIO_ctrl(s->wbio, BIO_CTRL_INFO, 0, NULL);
    277. 

  277.             if (num1 > 0) {
    278. 

  278.                 s->rwstate = SSL_WRITING;
    279. 

  279.                 num1 = BIO_flush(s->wbio);
    280. 

  280.                 if (num1 <= 0) {
    281. 

  281.                     ret = -1;
    282. 

  282.                     goto end;
    283. 

  283.                 }
    284. 

  284.                 s->rwstate = SSL_NOTHING;
    285. 

  285.             }
    286. 

  286. 

  287.             /* flushed and now remove buffering */
    288. 

  288.             s->wbio = BIO_pop(s->wbio);
    289. 

  289. 

  290.             s->state = SSL2_ST_GET_CLIENT_FINISHED_A;
    291. 

  291.             BREAK;
    292. 

  292. 

  293.         case SSL2_ST_GET_CLIENT_FINISHED_A:
    294. 

  294.         case SSL2_ST_GET_CLIENT_FINISHED_B:
    295. 

  295.             ret = get_client_finished(s);
    296. 

  296.             if (ret <= 0)
    297. 

  297.                 goto end;
    298. 

  298.             s->init_num = 0;
    299. 

  299.             s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_A;
    300. 

  300.             BREAK;
    301. 

  301. 

  302.         case SSL2_ST_SEND_REQUEST_CERTIFICATE_A:
    303. 

  303.         case SSL2_ST_SEND_REQUEST_CERTIFICATE_B:
    304. 

  304.         case SSL2_ST_SEND_REQUEST_CERTIFICATE_C:
    305. 

  305.         case SSL2_ST_SEND_REQUEST_CERTIFICATE_D:
    306. 

  306.             /*
    307. 

  307.              * don't do a 'request certificate' if we don't want to, or we
    308. 

  308.              * already have one, and we only want to do it once.
    309. 

  309.              */
    310. 

  310.             if (!(s->verify_mode & SSL_VERIFY_PEER) ||
    311. 

  311.                 ((s->session->peer != NULL) &&
    312. 

  312.                  (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))) {
    313. 

  313.                 s->state = SSL2_ST_SEND_SERVER_FINISHED_A;
    314. 

  314.                 break;
    315. 

  315.             } else {
    316. 

  316.                 ret = request_certificate(s);
    317. 

  317.                 if (ret <= 0)
    318. 

  318.                     goto end;
    319. 

  319.                 s->init_num = 0;
    320. 

  320.                 s->state = SSL2_ST_SEND_SERVER_FINISHED_A;
    321. 

  321.             }
    322. 

  322.             BREAK;
    323. 

  323. 

  324.         case SSL2_ST_SEND_SERVER_FINISHED_A:
    325. 

  325.         case SSL2_ST_SEND_SERVER_FINISHED_B:
    326. 

  326.             ret = server_finish(s);
    327. 

  327.             if (ret <= 0)
    328. 

  328.                 goto end;
    329. 

  329.             s->init_num = 0;
    330. 

  330.             s->state = SSL_ST_OK;
    331. 

  331.             break;
    332. 

  332. 

  333.         case SSL_ST_OK:
    334. 

  334.             BUF_MEM_free(s->init_buf);
    335. 

  335.             ssl_free_wbio_buffer(s);
    336. 

  336.             s->init_buf = NULL;
    337. 

  337.             s->init_num = 0;
    338. 

  338.             /*      ERR_clear_error(); */
    339. 

  339. 

  340.             ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
    341. 

  341. 

  342.             s->ctx->stats.sess_accept_good++;
    343. 

  343.             /* s->server=1; */
    344. 

  344.             ret = 1;
    345. 

  345. 

  346.             if (cb != NULL)
    347. 

  347.                 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
    348. 

  348. 

  349.             goto end;
    350. 

  350.             /* BREAK; */
    351. 

  351. 

  352.         default:
    353. 

  353.             SSLerr(SSL_F_SSL2_ACCEPT, SSL_R_UNKNOWN_STATE);
    354. 

  354.             ret = -1;
    355. 

  355.             goto end;
    356. 

  356.             /* BREAK; */
    357. 

  357.         }
    358. 

  358. 

  359.         if ((cb != NULL) && (s->state != state)) {
    360. 

  360.             new_state = s->state;
    361. 

  361.             s->state = state;
    362. 

  362.             cb(s, SSL_CB_ACCEPT_LOOP, 1);
    363. 

  363.             s->state = new_state;
    364. 

  364.         }
    365. 

  365.     }
    366. 

  366.  end:
    367. 

  367.     s->in_handshake--;
    368. 

  368.     if (cb != NULL)
    369. 

  369.         cb(s, SSL_CB_ACCEPT_EXIT, ret);
    370. 

  370.     return (ret);
    371. 

  371. }
    372. 

  372. 

  373. static int get_client_master_key(SSL *s)
    374. 

  374. {
    375. 

  375.     int is_export, i, n, keya;
    376. 

  376.     unsigned int num_encrypted_key_bytes, key_length;
    377. 

  377.     unsigned long len;
    378. 

  378.     unsigned char *p;
    379. 

  379.     const SSL_CIPHER *cp;
    380. 

  380.     const EVP_CIPHER *c;
    381. 

  381.     const EVP_MD *md;
    382. 

  382.     unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
    383. 

  383.     unsigned char decrypt_good;
    384. 

  384.     size_t j;
    385. 

  385. 

  386.     p = (unsigned char *)s->init_buf->data;
    387. 

  387.     if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A) {
    388. 

  388.         i = ssl2_read(s, (char *)&(p[s->init_num]), 10 - s->init_num);
    389. 

  389. 

  390.         if (i < (10 - s->init_num))
    391. 

  391.             return (ssl2_part_read(s, SSL_F_GET_CLIENT_MASTER_KEY, i));
    392. 

  392.         s->init_num = 10;
    393. 

  393. 

  394.         if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY) {
    395. 

  395.             if (p[-1] != SSL2_MT_ERROR) {
    396. 

  396.                 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    397. 

  397.                 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
    398. 

  398.                        SSL_R_READ_WRONG_PACKET_TYPE);
    399. 

  399.             } else
    400. 

  400.                 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR);
    401. 

  401.             return (-1);
    402. 

  402.         }
    403. 

  403. 

  404.         cp = ssl2_get_cipher_by_char(p);
    405. 

  405.         if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
    406. 

  406.             ssl2_return_error(s, SSL2_PE_NO_CIPHER);
    407. 

  407.             SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
    408. 

  408.             return (-1);
    409. 

  409.         }
    410. 

  410.         s->session->cipher = cp;
    411. 

  411. 

  412.         p += 3;
    413. 

  413.         n2s(p, i);
    414. 

  414.         s->s2->tmp.clear = i;
    415. 

  415.         n2s(p, i);
    416. 

  416.         s->s2->tmp.enc = i;
    417. 

  417.         n2s(p, i);
    418. 

  418.         if (i > SSL_MAX_KEY_ARG_LENGTH) {
    419. 

  419.             ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    420. 

  420.             SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
    421. 

  421.             return -1;
    422. 

  422.         }
    423. 

  423.         s->session->key_arg_length = i;
    424. 

  424.         s->state = SSL2_ST_GET_CLIENT_MASTER_KEY_B;
    425. 

  425.     }
    426. 

  426. 

  427.     /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
    428. 

  428.     p = (unsigned char *)s->init_buf->data;
    429. 

  429.     if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
    430. 

  430.         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    431. 

  431.         SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
    432. 

  432.         return -1;
    433. 

  433.     }
    434. 

  434.     keya = s->session->key_arg_length;
    435. 

  435.     len =
    436. 

  436.         10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc +
    437. 

  437.         (unsigned long)keya;
    438. 

  438.     if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
    439. 

  439.         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    440. 

  440.         SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_MESSAGE_TOO_LONG);
    441. 

  441.         return -1;
    442. 

  442.     }
    443. 

  443.     n = (int)len - s->init_num;
    444. 

  444.     i = ssl2_read(s, (char *)&(p[s->init_num]), n);
    445. 

  445.     if (i != n)
    446. 

  446.         return (ssl2_part_read(s, SSL_F_GET_CLIENT_MASTER_KEY, i));
    447. 

  447.     if (s->msg_callback) {
    448. 

  448.         /* CLIENT-MASTER-KEY */
    449. 

  449.         s->msg_callback(0, s->version, 0, p, (size_t)len, s,
    450. 

  450.                         s->msg_callback_arg);
    451. 

  451.     }
    452. 

  452.     p += 10;
    453. 

  453. 

  454.     memcpy(s->session->key_arg, &(p[s->s2->tmp.clear + s->s2->tmp.enc]),
    455. 

  455.            (unsigned int)keya);
    456. 

  456. 

  457.     if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) {
    458. 

  458.         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    459. 

  459.         SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_PRIVATEKEY);
    460. 

  460.         return (-1);
    461. 

  461.     }
    462. 

  462. 

  463.     is_export = SSL_C_IS_EXPORT(s->session->cipher);
    464. 

  464. 

  465.     if (!ssl_cipher_get_evp(s->session, &c, &md, NULL, NULL, NULL)) {
    466. 

  466.         ssl2_return_error(s, SSL2_PE_NO_CIPHER);
    467. 

  467.         SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
    468. 

  468.                SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
    469. 

  469.         return (0);
    470. 

  470.     }
    471. 

  471. 

  472.     /*
    473. 

  473.      * The format of the CLIENT-MASTER-KEY message is
    474. 

  474.      * 1 byte message type
    475. 

  475.      * 3 bytes cipher
    476. 

  476.      * 2-byte clear key length (stored in s->s2->tmp.clear)
    477. 

  477.      * 2-byte encrypted key length (stored in s->s2->tmp.enc)
    478. 

  478.      * 2-byte key args length (IV etc)
    479. 

  479.      * clear key
    480. 

  480.      * encrypted key
    481. 

  481.      * key args
    482. 

  482.      *
    483. 

  483.      * If the cipher is an export cipher, then the encrypted key bytes
    484. 

  484.      * are a fixed portion of the total key (5 or 8 bytes). The size of
    485. 

  485.      * this portion is in |num_encrypted_key_bytes|. If the cipher is not an
    486. 

  486.      * export cipher, then the entire key material is encrypted (i.e., clear
    487. 

  487.      * key length must be zero).
    488. 

  488.      */
    489. 

  489.     key_length = (unsigned int)EVP_CIPHER_key_length(c);
    490. 

  490.     if (key_length > SSL_MAX_MASTER_KEY_LENGTH) {
    491. 

  491.         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    492. 

  492.         SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
    493. 

  493.         return -1;
    494. 

  494.     }
    495. 

  495. 

  496.     if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) {
    497. 

  497.         is_export = 1;
    498. 

  498.         num_encrypted_key_bytes = 8;
    499. 

  499.     } else if (is_export) {
    500. 

  500.         num_encrypted_key_bytes = 5;
    501. 

  501.     } else {
    502. 

  502.         num_encrypted_key_bytes = key_length;
    503. 

  503.     }
    504. 

  504. 

  505.     if (s->s2->tmp.clear + num_encrypted_key_bytes != key_length) {
    506. 

  506.         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    507. 

  507.         SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
    508. 

  508.         return -1;
    509. 

  509.     }
    510. 

  510.     /*
    511. 

  511.      * The encrypted blob must decrypt to the encrypted portion of the key.
    512. 

  512.      * Decryption can't be expanding, so if we don't have enough encrypted
    513. 

  513.      * bytes to fit the key in the buffer, stop now.
    514. 

  514.      */
    515. 

  515.     if (s->s2->tmp.enc < num_encrypted_key_bytes) {
    516. 

  516.         ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    517. 

  517.         SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
    518. 

  518.         return -1;
    519. 

  519.     }
    520. 

  520. 

  521.     /*
    522. 

  522.      * We must not leak whether a decryption failure occurs because of
    523. 

  523.      * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
    524. 

  524.      * section 7.4.7.1). The code follows that advice of the TLS RFC and
    525. 

  525.      * generates a random premaster secret for the case that the decrypt
    526. 

  526.      * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
    527. 

  527.      */
    528. 

  528. 

  529.     if (RAND_bytes(rand_premaster_secret,
    530. 

  530.                   (int)num_encrypted_key_bytes) <= 0)
    531. 

  531.         return 0;
    532. 

  532. 

  533.     i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
    534. 

  534.                                 &(p[s->s2->tmp.clear]),
    535. 

  535.                                 &(p[s->s2->tmp.clear]),
    536. 

  536.                                 (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
    537. 

  537.                                 RSA_PKCS1_PADDING);
    538. 

  538.     ERR_clear_error();
    539. 

  539.     /*
    540. 

  540.      * If a bad decrypt, continue with protocol but with a random master
    541. 

  541.      * secret (Bleichenbacher attack)
    542. 

  542.      */
    543. 

  543.     decrypt_good = constant_time_eq_int_8(i, (int)num_encrypted_key_bytes);
    544. 

  544.     for (j = 0; j < num_encrypted_key_bytes; j++) {
    545. 

  545.         p[s->s2->tmp.clear + j] =
    546. 

  546.                 constant_time_select_8(decrypt_good, p[s->s2->tmp.clear + j],
    547. 

  547.                                        rand_premaster_secret[j]);
    548. 

  548.     }
    549. 

  549. 

  550.     s->session->master_key_length = (int)key_length;
    551. 

  551.     memcpy(s->session->master_key, p, key_length);
    552. 

  552.     OPENSSL_cleanse(p, key_length);
    553. 

  553. 

  554.     return 1;
    555. 

  555. }
    556. 

  556. 

  557. static int get_client_hello(SSL *s)
    558. 

  558. {
    559. 

  559.     int i, n;
    560. 

  560.     unsigned long len;
    561. 

  561.     unsigned char *p;
    562. 

  562.     STACK_OF(SSL_CIPHER) *cs;   /* a stack of SSL_CIPHERS */
    563. 

  563.     STACK_OF(SSL_CIPHER) *cl;   /* the ones we want to use */
    564. 

  564.     STACK_OF(SSL_CIPHER) *prio, *allow;
    565. 

  565.     int z;
    566. 

  566. 

  567.     /*
    568. 

  568.      * This is a bit of a hack to check for the correct packet type the first
    569. 

  569.      * time round.
    570. 

  570.      */
    571. 

  571.     if (s->state == SSL2_ST_GET_CLIENT_HELLO_A) {
    572. 

  572.         s->first_packet = 1;
    573. 

  573.         s->state = SSL2_ST_GET_CLIENT_HELLO_B;
    574. 

  574.     }
    575. 

  575. 

  576.     p = (unsigned char *)s->init_buf->data;
    577. 

  577.     if (s->state == SSL2_ST_GET_CLIENT_HELLO_B) {
    578. 

  578.         i = ssl2_read(s, (char *)&(p[s->init_num]), 9 - s->init_num);
    579. 

  579.         if (i < (9 - s->init_num))
    580. 

  580.             return (ssl2_part_read(s, SSL_F_GET_CLIENT_HELLO, i));
    581. 

  581.         s->init_num = 9;
    582. 

  582. 

  583.         if (*(p++) != SSL2_MT_CLIENT_HELLO) {
    584. 

  584.             if (p[-1] != SSL2_MT_ERROR) {
    585. 

  585.                 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    586. 

  586.                 SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_READ_WRONG_PACKET_TYPE);
    587. 

  587.             } else
    588. 

  588.                 SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_PEER_ERROR);
    589. 

  589.             return (-1);
    590. 

  590.         }
    591. 

  591.         n2s(p, i);
    592. 

  592.         if (i < s->version)
    593. 

  593.             s->version = i;
    594. 

  594.         n2s(p, i);
    595. 

  595.         s->s2->tmp.cipher_spec_length = i;
    596. 

  596.         n2s(p, i);
    597. 

  597.         s->s2->tmp.session_id_length = i;
    598. 

  598.         if ((i < 0) || (i > SSL_MAX_SSL_SESSION_ID_LENGTH)) {
    599. 

  599.             ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    600. 

  600.             SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
    601. 

  601.             return -1;
    602. 

  602.         }
    603. 

  603.         n2s(p, i);
    604. 

  604.         s->s2->challenge_length = i;
    605. 

  605.         if ((i < SSL2_MIN_CHALLENGE_LENGTH) ||
    606. 

  606.             (i > SSL2_MAX_CHALLENGE_LENGTH)) {
    607. 

  607.             ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    608. 

  608.             SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_INVALID_CHALLENGE_LENGTH);
    609. 

  609.             return (-1);
    610. 

  610.         }
    611. 

  611.         s->state = SSL2_ST_GET_CLIENT_HELLO_C;
    612. 

  612.     }
    613. 

  613. 

  614.     /* SSL2_ST_GET_CLIENT_HELLO_C */
    615. 

  615.     p = (unsigned char *)s->init_buf->data;
    616. 

  616.     len =
    617. 

  617.         9 + (unsigned long)s->s2->tmp.cipher_spec_length +
    618. 

  618.         (unsigned long)s->s2->challenge_length +
    619. 

  619.         (unsigned long)s->s2->tmp.session_id_length;
    620. 

  620.     if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
    621. 

  621.         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    622. 

  622.         SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_MESSAGE_TOO_LONG);
    623. 

  623.         return -1;
    624. 

  624.     }
    625. 

  625.     n = (int)len - s->init_num;
    626. 

  626.     i = ssl2_read(s, (char *)&(p[s->init_num]), n);
    627. 

  627.     if (i != n)
    628. 

  628.         return (ssl2_part_read(s, SSL_F_GET_CLIENT_HELLO, i));
    629. 

  629.     if (s->msg_callback) {
    630. 

  630.         /* CLIENT-HELLO */
    631. 

  631.         s->msg_callback(0, s->version, 0, p, (size_t)len, s,
    632. 

  632.                         s->msg_callback_arg);
    633. 

  633.     }
    634. 

  634.     p += 9;
    635. 

  635. 

  636.     /*
    637. 

  637.      * get session-id before cipher stuff so we can get out session structure
    638. 

  638.      * if it is cached
    639. 

  639.      */
    640. 

  640.     /* session-id */
    641. 

  641.     if ((s->s2->tmp.session_id_length != 0) &&
    642. 

  642.         (s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH)) {
    643. 

  643.         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    644. 

  644.         SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_BAD_SSL_SESSION_ID_LENGTH);
    645. 

  645.         return (-1);
    646. 

  646.     }
    647. 

  647. 

  648.     if (s->s2->tmp.session_id_length == 0) {
    649. 

  649.         if (!ssl_get_new_session(s, 1)) {
    650. 

  650.             ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    651. 

  651.             return (-1);
    652. 

  652.         }
    653. 

  653.     } else {
    654. 

  654.         i = ssl_get_prev_session(s, &(p[s->s2->tmp.cipher_spec_length]),
    655. 

  655.                                  s->s2->tmp.session_id_length, NULL);
    656. 

  656.         if (i == 1) {           /* previous session */
    657. 

  657.             s->hit = 1;
    658. 

  658.         } else if (i == -1) {
    659. 

  659.             ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    660. 

  660.             return (-1);
    661. 

  661.         } else {
    662. 

  662.             if (s->cert == NULL) {
    663. 

  663.                 ssl2_return_error(s, SSL2_PE_NO_CERTIFICATE);
    664. 

  664.                 SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CERTIFICATE_SET);
    665. 

  665.                 return (-1);
    666. 

  666.             }
    667. 

  667. 

  668.             if (!ssl_get_new_session(s, 1)) {
    669. 

  669.                 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    670. 

  670.                 return (-1);
    671. 

  671.             }
    672. 

  672.         }
    673. 

  673.     }
    674. 

  674. 

  675.     if (!s->hit) {
    676. 

  676.         cs = ssl_bytes_to_cipher_list(s, p, s->s2->tmp.cipher_spec_length,
    677. 

  677.                                       &s->session->ciphers);
    678. 

  678.         if (cs == NULL)
    679. 

  679.             goto mem_err;
    680. 

  680. 

  681.         cl = SSL_get_ciphers(s);
    682. 

  682. 

  683.         if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
    684. 

  684.             prio = sk_SSL_CIPHER_dup(cl);
    685. 

  685.             if (prio == NULL)
    686. 

  686.                 goto mem_err;
    687. 

  687.             allow = cs;
    688. 

  688.         } else {
    689. 

  689.             prio = cs;
    690. 

  690.             allow = cl;
    691. 

  691.         }
    692. 

  692. 

  693.         /* Generate list of SSLv2 ciphers shared between client and server */
    694. 

  694.         for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
    695. 

  695.             const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
    696. 

  696.             if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
    697. 

  697.                 sk_SSL_CIPHER_find(allow, cp) < 0) {
    698. 

  698.                 (void)sk_SSL_CIPHER_delete(prio, z);
    699. 

  699.                 z--;
    700. 

  700.             }
    701. 

  701.         }
    702. 

  702.         if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
    703. 

  703.             sk_SSL_CIPHER_free(s->session->ciphers);
    704. 

  704.             s->session->ciphers = prio;
    705. 

  705.         }
    706. 

  706. 

  707.         /* Make sure we have at least one cipher in common */
    708. 

  708.         if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
    709. 

  709.             ssl2_return_error(s, SSL2_PE_NO_CIPHER);
    710. 

  710.             SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
    711. 

  711.             return -1;
    712. 

  712.         }
    713. 

  713.         /*
    714. 

  714.          * s->session->ciphers should now have a list of ciphers that are on
    715. 

  715.          * both the client and server. This list is ordered by the order the
    716. 

  716.          * client sent the ciphers or in the order of the server's preference
    717. 

  717.          * if SSL_OP_CIPHER_SERVER_PREFERENCE was set.
    718. 

  718.          */
    719. 

  719.     }
    720. 

  720.     p += s->s2->tmp.cipher_spec_length;
    721. 

  721.     /* done cipher selection */
    722. 

  722. 

  723.     /* session id extracted already */
    724. 

  724.     p += s->s2->tmp.session_id_length;
    725. 

  725. 

  726.     /* challenge */
    727. 

  727.     if (s->s2->challenge_length > sizeof s->s2->challenge) {
    728. 

  728.         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    729. 

  729.         SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
    730. 

  730.         return -1;
    731. 

  731.     }
    732. 

  732.     memcpy(s->s2->challenge, p, (unsigned int)s->s2->challenge_length);
    733. 

  733.     return (1);
    734. 

  734.  mem_err:
    735. 

  735.     SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_MALLOC_FAILURE);
    736. 

  736.     return (0);
    737. 

  737. }
    738. 

  738. 

  739. static int server_hello(SSL *s)
    740. 

  740. {
    741. 

  741.     unsigned char *p, *d;
    742. 

  742.     int n, hit;
    743. 

  743. 

  744.     p = (unsigned char *)s->init_buf->data;
    745. 

  745.     if (s->state == SSL2_ST_SEND_SERVER_HELLO_A) {
    746. 

  746.         d = p + 11;
    747. 

  747.         *(p++) = SSL2_MT_SERVER_HELLO; /* type */
    748. 

  748.         hit = s->hit;
    749. 

  749.         *(p++) = (unsigned char)hit;
    750. 

  750. # if 1
    751. 

  751.         if (!hit) {
    752. 

  752.             if (s->session->sess_cert != NULL)
    753. 

  753.                 /*
    754. 

  754.                  * This can't really happen because get_client_hello has
    755. 

  755.                  * called ssl_get_new_session, which does not set sess_cert.
    756. 

  756.                  */
    757. 

  757.                 ssl_sess_cert_free(s->session->sess_cert);
    758. 

  758.             s->session->sess_cert = ssl_sess_cert_new();
    759. 

  759.             if (s->session->sess_cert == NULL) {
    760. 

  760.                 SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE);
    761. 

  761.                 return (-1);
    762. 

  762.             }
    763. 

  763.         }
    764. 

  764.         /*
    765. 

  765.          * If 'hit' is set, then s->sess_cert may be non-NULL or NULL,
    766. 

  766.          * depending on whether it survived in the internal cache or was
    767. 

  767.          * retrieved from an external cache. If it is NULL, we cannot put any
    768. 

  768.          * useful data in it anyway, so we don't touch it.
    769. 

  769.          */
    770. 

  770. 

  771. # else                          /* That's what used to be done when cert_st
    772. 

  772.                                  * and sess_cert_st were * the same. */
    773. 

  773.         if (!hit) {             /* else add cert to session */
    774. 

  774.             CRYPTO_add(&s->cert->references, 1, CRYPTO_LOCK_SSL_CERT);
    775. 

  775.             if (s->session->sess_cert != NULL)
    776. 

  776.                 ssl_cert_free(s->session->sess_cert);
    777. 

  777.             s->session->sess_cert = s->cert;
    778. 

  778.         } else {                /* We have a session id-cache hit, if the *
    779. 

  779.                                  * session-id has no certificate listed
    780. 

  780.                                  * against * the 'cert' structure, grab the
    781. 

  781.                                  * 'old' one * listed against the SSL
    782. 

  782.                                  * connection */
    783. 

  783.             if (s->session->sess_cert == NULL) {
    784. 

  784.                 CRYPTO_add(&s->cert->references, 1, CRYPTO_LOCK_SSL_CERT);
    785. 

  785.                 s->session->sess_cert = s->cert;
    786. 

  786.             }
    787. 

  787.         }
    788. 

  788. # endif
    789. 

  789. 

  790.         if (s->cert == NULL) {
    791. 

  791.             ssl2_return_error(s, SSL2_PE_NO_CERTIFICATE);
    792. 

  792.             SSLerr(SSL_F_SERVER_HELLO, SSL_R_NO_CERTIFICATE_SPECIFIED);
    793. 

  793.             return (-1);
    794. 

  794.         }
    795. 

  795. 

  796.         if (hit) {
    797. 

  797.             *(p++) = 0;         /* no certificate type */
    798. 

  798.             s2n(s->version, p); /* version */
    799. 

  799.             s2n(0, p);          /* cert len */
    800. 

  800.             s2n(0, p);          /* ciphers len */
    801. 

  801.         } else {
    802. 

  802.             /* EAY EAY */
    803. 

  803.             /* put certificate type */
    804. 

  804.             *(p++) = SSL2_CT_X509_CERTIFICATE;
    805. 

  805.             s2n(s->version, p); /* version */
    806. 

  806.             n = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, NULL);
    807. 

  807.             s2n(n, p);          /* certificate length */
    808. 

  808.             i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, &d);
    809. 

  809.             n = 0;
    810. 

  810. 

  811.             /*
    812. 

  812.              * lets send out the ciphers we like in the prefered order
    813. 

  813.              */
    814. 

  814.             n = ssl_cipher_list_to_bytes(s, s->session->ciphers, d, 0);
    815. 

  815.             d += n;
    816. 

  816.             s2n(n, p);          /* add cipher length */
    817. 

  817.         }
    818. 

  818. 

  819.         /* make and send conn_id */
    820. 

  820.         s2n(SSL2_CONNECTION_ID_LENGTH, p); /* add conn_id length */
    821. 

  821.         s->s2->conn_id_length = SSL2_CONNECTION_ID_LENGTH;
    822. 

  822.         if (RAND_bytes(s->s2->conn_id, (int)s->s2->conn_id_length) <= 0)
    823. 

  823.             return -1;
    824. 

  824.         memcpy(d, s->s2->conn_id, SSL2_CONNECTION_ID_LENGTH);
    825. 

  825.         d += SSL2_CONNECTION_ID_LENGTH;
    826. 

  826. 

  827.         s->state = SSL2_ST_SEND_SERVER_HELLO_B;
    828. 

  828.         s->init_num = d - (unsigned char *)s->init_buf->data;
    829. 

  829.         s->init_off = 0;
    830. 

  830.     }
    831. 

  831.     /* SSL2_ST_SEND_SERVER_HELLO_B */
    832. 

  832.     /*
    833. 

  833.      * If we are using TCP/IP, the performance is bad if we do 2 writes
    834. 

  834.      * without a read between them.  This occurs when Session-id reuse is
    835. 

  835.      * used, so I will put in a buffering module
    836. 

  836.      */
    837. 

  837.     if (s->hit) {
    838. 

  838.         if (!ssl_init_wbio_buffer(s, 1))
    839. 

  839.             return (-1);
    840. 

  840.     }
    841. 

  841. 

  842.     return (ssl2_do_write(s));
    843. 

  843. }
    844. 

  844. 

  845. static int get_client_finished(SSL *s)
    846. 

  846. {
    847. 

  847.     unsigned char *p;
    848. 

  848.     int i, n;
    849. 

  849.     unsigned long len;
    850. 

  850. 

  851.     p = (unsigned char *)s->init_buf->data;
    852. 

  852.     if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A) {
    853. 

  853.         i = ssl2_read(s, (char *)&(p[s->init_num]), 1 - s->init_num);
    854. 

  854.         if (i < 1 - s->init_num)
    855. 

  855.             return (ssl2_part_read(s, SSL_F_GET_CLIENT_FINISHED, i));
    856. 

  856.         s->init_num += i;
    857. 

  857. 

  858.         if (*p != SSL2_MT_CLIENT_FINISHED) {
    859. 

  859.             if (*p != SSL2_MT_ERROR) {
    860. 

  860.                 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    861. 

  861.                 SSLerr(SSL_F_GET_CLIENT_FINISHED,
    862. 

  862.                        SSL_R_READ_WRONG_PACKET_TYPE);
    863. 

  863.             } else {
    864. 

  864.                 SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_PEER_ERROR);
    865. 

  865.                 /* try to read the error message */
    866. 

  866.                 i = ssl2_read(s, (char *)&(p[s->init_num]), 3 - s->init_num);
    867. 

  867.                 return ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i);
    868. 

  868.             }
    869. 

  869.             return (-1);
    870. 

  870.         }
    871. 

  871.         s->state = SSL2_ST_GET_CLIENT_FINISHED_B;
    872. 

  872.     }
    873. 

  873. 

  874.     /* SSL2_ST_GET_CLIENT_FINISHED_B */
    875. 

  875.     if (s->s2->conn_id_length > sizeof s->s2->conn_id) {
    876. 

  876.         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    877. 

  877.         SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
    878. 

  878.         return -1;
    879. 

  879.     }
    880. 

  880.     len = 1 + (unsigned long)s->s2->conn_id_length;
    881. 

  881.     n = (int)len - s->init_num;
    882. 

  882.     i = ssl2_read(s, (char *)&(p[s->init_num]), n);
    883. 

  883.     if (i < n) {
    884. 

  884.         return (ssl2_part_read(s, SSL_F_GET_CLIENT_FINISHED, i));
    885. 

  885.     }
    886. 

  886.     if (s->msg_callback) {
    887. 

  887.         /* CLIENT-FINISHED */
    888. 

  888.         s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg);
    889. 

  889.     }
    890. 

  890.     p += 1;
    891. 

  891.     if (memcmp(p, s->s2->conn_id, s->s2->conn_id_length) != 0) {
    892. 

  892.         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    893. 

  893.         SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_CONNECTION_ID_IS_DIFFERENT);
    894. 

  894.         return (-1);
    895. 

  895.     }
    896. 

  896.     return (1);
    897. 

  897. }
    898. 

  898. 

  899. static int server_verify(SSL *s)
    900. 

  900. {
    901. 

  901.     unsigned char *p;
    902. 

  902. 

  903.     if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A) {
    904. 

  904.         p = (unsigned char *)s->init_buf->data;
    905. 

  905.         *(p++) = SSL2_MT_SERVER_VERIFY;
    906. 

  906.         if (s->s2->challenge_length > sizeof s->s2->challenge) {
    907. 

  907.             SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR);
    908. 

  908.             return -1;
    909. 

  909.         }
    910. 

  910.         memcpy(p, s->s2->challenge, (unsigned int)s->s2->challenge_length);
    911. 

  911.         /* p+=s->s2->challenge_length; */
    912. 

  912. 

  913.         s->state = SSL2_ST_SEND_SERVER_VERIFY_B;
    914. 

  914.         s->init_num = s->s2->challenge_length + 1;
    915. 

  915.         s->init_off = 0;
    916. 

  916.     }
    917. 

  917.     return (ssl2_do_write(s));
    918. 

  918. }
    919. 

  919. 

  920. static int server_finish(SSL *s)
    921. 

  921. {
    922. 

  922.     unsigned char *p;
    923. 

  923. 

  924.     if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A) {
    925. 

  925.         p = (unsigned char *)s->init_buf->data;
    926. 

  926.         *(p++) = SSL2_MT_SERVER_FINISHED;
    927. 

  927. 

  928.         if (s->session->session_id_length > sizeof s->session->session_id) {
    929. 

  929.             SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR);
    930. 

  930.             return -1;
    931. 

  931.         }
    932. 

  932.         memcpy(p, s->session->session_id,
    933. 

  933.                (unsigned int)s->session->session_id_length);
    934. 

  934.         /* p+=s->session->session_id_length; */
    935. 

  935. 

  936.         s->state = SSL2_ST_SEND_SERVER_FINISHED_B;
    937. 

  937.         s->init_num = s->session->session_id_length + 1;
    938. 

  938.         s->init_off = 0;
    939. 

  939.     }
    940. 

  940. 

  941.     /* SSL2_ST_SEND_SERVER_FINISHED_B */
    942. 

  942.     return (ssl2_do_write(s));
    943. 

  943. }
    944. 

  944. 

  945. /* send the request and check the response */
    946. 

  946. static int request_certificate(SSL *s)
    947. 

  947. {
    948. 

  948.     const unsigned char *cp;
    949. 

  949.     unsigned char *p, *p2, *buf2;
    950. 

  950.     unsigned char *ccd;
    951. 

  951.     int i, j, ctype, ret = -1;
    952. 

  952.     unsigned long len;
    953. 

  953.     X509 *x509 = NULL;
    954. 

  954.     STACK_OF(X509) *sk = NULL;
    955. 

  955. 

  956.     ccd = s->s2->tmp.ccl;
    957. 

  957.     if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A) {
    958. 

  958.         p = (unsigned char *)s->init_buf->data;
    959. 

  959.         *(p++) = SSL2_MT_REQUEST_CERTIFICATE;
    960. 

  960.         *(p++) = SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
    961. 

  961.         if (RAND_bytes(ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
    962. 

  962.             return -1;
    963. 

  963.         memcpy(p, ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH);
    964. 

  964. 

  965.         s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
    966. 

  966.         s->init_num = SSL2_MIN_CERT_CHALLENGE_LENGTH + 2;
    967. 

  967.         s->init_off = 0;
    968. 

  968.     }
    969. 

  969. 

  970.     if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B) {
    971. 

  971.         i = ssl2_do_write(s);
    972. 

  972.         if (i <= 0) {
    973. 

  973.             ret = i;
    974. 

  974.             goto end;
    975. 

  975.         }
    976. 

  976. 

  977.         s->init_num = 0;
    978. 

  978.         s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_C;
    979. 

  979.     }
    980. 

  980. 

  981.     if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C) {
    982. 

  982.         p = (unsigned char *)s->init_buf->data;
    983. 

  983.         /* try to read 6 octets ... */
    984. 

  984.         i = ssl2_read(s, (char *)&(p[s->init_num]), 6 - s->init_num);
    985. 

  985.         /*
    986. 

  986.          * ... but don't call ssl2_part_read now if we got at least 3
    987. 

  987.          * (probably NO-CERTIFICATE-ERROR)
    988. 

  988.          */
    989. 

  989.         if (i < 3 - s->init_num) {
    990. 

  990.             ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, i);
    991. 

  991.             goto end;
    992. 

  992.         }
    993. 

  993.         s->init_num += i;
    994. 

  994. 

  995.         if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR)) {
    996. 

  996.             n2s(p, i);
    997. 

  997.             if (i != SSL2_PE_NO_CERTIFICATE) {
    998. 

  998.                 /*
    999. 

  999.                  * not the error message we expected -- let ssl2_part_read
    1000. 

  1000.                  * handle it
    1001. 

  1001.                  */
    1002. 

  1002.                 s->init_num -= 3;
    1003. 

  1003.                 ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, 3);
    1004. 

  1004.                 goto end;
    1005. 

  1005.             }
    1006. 

  1006. 

  1007.             if (s->msg_callback) {
    1008. 

  1008.                 /* ERROR */
    1009. 

  1009.                 s->msg_callback(0, s->version, 0, p, 3, s,
    1010. 

  1010.                                 s->msg_callback_arg);
    1011. 

  1011.             }
    1012. 

  1012. 

  1013.             /*
    1014. 

  1014.              * this is the one place where we can recover from an SSL 2.0
    1015. 

  1015.              * error
    1016. 

  1016.              */
    1017. 

  1017. 

  1018.             if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
    1019. 

  1019.                 ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE);
    1020. 

  1020.                 SSLerr(SSL_F_REQUEST_CERTIFICATE,
    1021. 

  1021.                        SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
    1022. 

  1022.                 goto end;
    1023. 

  1023.             }
    1024. 

  1024.             ret = 1;
    1025. 

  1025.             goto end;
    1026. 

  1026.         }
    1027. 

  1027.         if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6)) {
    1028. 

  1028.             ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
    1029. 

  1029.             SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_SHORT_READ);
    1030. 

  1030.             goto end;
    1031. 

  1031.         }
    1032. 

  1032.         if (s->init_num != 6) {
    1033. 

  1033.             SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR);
    1034. 

  1034.             goto end;
    1035. 

  1035.         }
    1036. 

  1036. 

  1037.         /* ok we have a response */
    1038. 

  1038.         /* certificate type, there is only one right now. */
    1039. 

  1039.         ctype = *(p++);
    1040. 

  1040.         if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) {
    1041. 

  1041.             ssl2_return_error(s, SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
    1042. 

  1042.             SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_BAD_RESPONSE_ARGUMENT);
    1043. 

  1043.             goto end;
    1044. 

  1044.         }
    1045. 

  1045.         n2s(p, i);
    1046. 

  1046.         s->s2->tmp.clen = i;
    1047. 

  1047.         n2s(p, i);
    1048. 

  1048.         s->s2->tmp.rlen = i;
    1049. 

  1049.         s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_D;
    1050. 

  1050.     }
    1051. 

  1051. 

  1052.     /* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */
    1053. 

  1053.     p = (unsigned char *)s->init_buf->data;
    1054. 

  1054.     len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen;
    1055. 

  1055.     if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
    1056. 

  1056.         SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_MESSAGE_TOO_LONG);
    1057. 

  1057.         goto end;
    1058. 

  1058.     }
    1059. 

  1059.     j = (int)len - s->init_num;
    1060. 

  1060.     i = ssl2_read(s, (char *)&(p[s->init_num]), j);
    1061. 

  1061.     if (i < j) {
    1062. 

  1062.         ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, i);
    1063. 

  1063.         goto end;
    1064. 

  1064.     }
    1065. 

  1065.     if (s->msg_callback) {
    1066. 

  1066.         /* CLIENT-CERTIFICATE */
    1067. 

  1067.         s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg);
    1068. 

  1068.     }
    1069. 

  1069.     p += 6;
    1070. 

  1070. 

  1071.     cp = p;
    1072. 

  1072.     x509 = (X509 *)d2i_X509(NULL, &cp, (long)s->s2->tmp.clen);
    1073. 

  1073.     if (x509 == NULL) {
    1074. 

  1074.         SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_X509_LIB);
    1075. 

  1075.         goto msg_end;
    1076. 

  1076.     }
    1077. 

  1077. 

  1078.     if (((sk = sk_X509_new_null()) == NULL) || (!sk_X509_push(sk, x509))) {
    1079. 

  1079.         SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_MALLOC_FAILURE);
    1080. 

  1080.         goto msg_end;
    1081. 

  1081.     }
    1082. 

  1082. 

  1083.     i = ssl_verify_cert_chain(s, sk);
    1084. 

  1084. 

  1085.     if (i > 0) {                /* we like the packet, now check the chksum */
    1086. 

  1086.         EVP_MD_CTX ctx;
    1087. 

  1087.         EVP_PKEY *pkey = NULL;
    1088. 

  1088. 

  1089.         EVP_MD_CTX_init(&ctx);
    1090. 

  1090.         if (!EVP_VerifyInit_ex(&ctx, s->ctx->rsa_md5, NULL)
    1091. 

  1091.             || !EVP_VerifyUpdate(&ctx, s->s2->key_material,
    1092. 

  1092.                                  s->s2->key_material_length)
    1093. 

  1093.             || !EVP_VerifyUpdate(&ctx, ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH))
    1094. 

  1094.             goto msg_end;
    1095. 

  1095. 

  1096.         i = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, NULL);
    1097. 

  1097.         buf2 = OPENSSL_malloc((unsigned int)i);
    1098. 

  1098.         if (buf2 == NULL) {
    1099. 

  1099.             SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_MALLOC_FAILURE);
    1100. 

  1100.             goto msg_end;
    1101. 

  1101.         }
    1102. 

  1102.         p2 = buf2;
    1103. 

  1103.         i = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, &p2);
    1104. 

  1104.         if (!EVP_VerifyUpdate(&ctx, buf2, (unsigned int)i)) {
    1105. 

  1105.             OPENSSL_free(buf2);
    1106. 

  1106.             goto msg_end;
    1107. 

  1107.         }
    1108. 

  1108.         OPENSSL_free(buf2);
    1109. 

  1109. 

  1110.         pkey = X509_get_pubkey(x509);
    1111. 

  1111.         if (pkey == NULL)
    1112. 

  1112.             goto end;
    1113. 

  1113.         i = EVP_VerifyFinal(&ctx, cp, s->s2->tmp.rlen, pkey);
    1114. 

  1114.         EVP_PKEY_free(pkey);
    1115. 

  1115.         EVP_MD_CTX_cleanup(&ctx);
    1116. 

  1116. 

  1117.         if (i > 0) {
    1118. 

  1118.             if (s->session->peer != NULL)
    1119. 

  1119.                 X509_free(s->session->peer);
    1120. 

  1120.             s->session->peer = x509;
    1121. 

  1121.             CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
    1122. 

  1122.             s->session->verify_result = s->verify_result;
    1123. 

  1123.             ret = 1;
    1124. 

  1124.             goto end;
    1125. 

  1125.         } else {
    1126. 

  1126.             SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_BAD_CHECKSUM);
    1127. 

  1127.             goto msg_end;
    1128. 

  1128.         }
    1129. 

  1129.     } else {
    1130. 

  1130.  msg_end:
    1131. 

  1131.         ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE);
    1132. 

  1132.     }
    1133. 

  1133.  end:
    1134. 

  1134.     sk_X509_free(sk);
    1135. 

  1135.     X509_free(x509);
    1136. 

  1136.     return (ret);
    1137. 

  1137. }
    1138. 

  1138. 

  1139. static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
    1140. 

  1140.                                    unsigned char *to, int padding)
    1141. 

  1141. {
    1142. 

  1142.     RSA *rsa;
    1143. 

  1143.     int i;
    1144. 

  1144. 

  1145.     if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)) {
    1146. 

  1146.         SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, SSL_R_NO_PRIVATEKEY);
    1147. 

  1147.         return (-1);
    1148. 

  1148.     }
    1149. 

  1149.     if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA) {
    1150. 

  1150.         SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, SSL_R_PUBLIC_KEY_IS_NOT_RSA);
    1151. 

  1151.         return (-1);
    1152. 

  1152.     }
    1153. 

  1153.     rsa = c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa;
    1154. 

  1154. 

  1155.     /* we have the public key */
    1156. 

  1156.     i = RSA_private_decrypt(len, from, to, rsa, padding);
    1157. 

  1157.     if (i < 0)
    1158. 

  1158.         SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, ERR_R_RSA_LIB);
    1159. 

  1159.     return (i);
    1160. 

  1160. }
    1161. 

  1161. #else                           /* !OPENSSL_NO_SSL2 */
    1162. 

  1162. 

  1163. # if PEDANTIC
    1164. 

  1164. static void *dummy = &dummy;
    1165. 

  1165. # endif
    1166. 

  1166. 

  1167. #endif
    1168.