s2_clnt.c revision 296341
1/* ssl/s2_clnt.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#include "ssl_locl.h" 113#ifndef OPENSSL_NO_SSL2 114# include <stdio.h> 115# include <openssl/rand.h> 116# include <openssl/buffer.h> 117# include <openssl/objects.h> 118# include <openssl/evp.h> 119 120static const SSL_METHOD *ssl2_get_client_method(int ver); 121static int get_server_finished(SSL *s); 122static int get_server_verify(SSL *s); 123static int get_server_hello(SSL *s); 124static int client_hello(SSL *s); 125static int client_master_key(SSL *s); 126static int client_finished(SSL *s); 127static int client_certificate(SSL *s); 128static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from, 129 unsigned char *to, int padding); 130# define BREAK break 131 132static const SSL_METHOD *ssl2_get_client_method(int ver) 133{ 134 if (ver == SSL2_VERSION) 135 return (SSLv2_client_method()); 136 else 137 return (NULL); 138} 139 140IMPLEMENT_ssl2_meth_func(SSLv2_client_method, 141 ssl_undefined_function, 142 ssl2_connect, ssl2_get_client_method) 143 144int ssl2_connect(SSL *s) 145{ 146 unsigned long l = (unsigned long)time(NULL); 147 BUF_MEM *buf = NULL; 148 int ret = -1; 149 void (*cb) (const SSL *ssl, int type, int val) = NULL; 150 int new_state, state; 151 152 RAND_add(&l, sizeof(l), 0); 153 ERR_clear_error(); 154 clear_sys_error(); 155 156 if (s->info_callback != NULL) 157 cb = s->info_callback; 158 else if (s->ctx->info_callback != NULL) 159 cb = s->ctx->info_callback; 160 161 /* init things to blank */ 162 s->in_handshake++; 163 if (!SSL_in_init(s) || SSL_in_before(s)) 164 SSL_clear(s); 165 166 for (;;) { 167 state = s->state; 168 169 switch (s->state) { 170 case SSL_ST_BEFORE: 171 case SSL_ST_CONNECT: 172 case SSL_ST_BEFORE | SSL_ST_CONNECT: 173 case SSL_ST_OK | SSL_ST_CONNECT: 174 175 s->server = 0; 176 if (cb != NULL) 177 cb(s, SSL_CB_HANDSHAKE_START, 1); 178 179 s->version = SSL2_VERSION; 180 s->type = SSL_ST_CONNECT; 181 182 buf = s->init_buf; 183 if ((buf == NULL) && ((buf = BUF_MEM_new()) == NULL)) { 184 ret = -1; 185 goto end; 186 } 187 if (!BUF_MEM_grow(buf, SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { 188 if (buf == s->init_buf) 189 buf = NULL; 190 ret = -1; 191 goto end; 192 } 193 s->init_buf = buf; 194 buf = NULL; 195 s->init_num = 0; 196 s->state = SSL2_ST_SEND_CLIENT_HELLO_A; 197 s->ctx->stats.sess_connect++; 198 s->handshake_func = ssl2_connect; 199 BREAK; 200 201 case SSL2_ST_SEND_CLIENT_HELLO_A: 202 case SSL2_ST_SEND_CLIENT_HELLO_B: 203 s->shutdown = 0; 204 ret = client_hello(s); 205 if (ret <= 0) 206 goto end; 207 s->init_num = 0; 208 s->state = SSL2_ST_GET_SERVER_HELLO_A; 209 BREAK; 210 211 case SSL2_ST_GET_SERVER_HELLO_A: 212 case SSL2_ST_GET_SERVER_HELLO_B: 213 ret = get_server_hello(s); 214 if (ret <= 0) 215 goto end; 216 s->init_num = 0; 217 if (!s->hit) { /* new session */ 218 s->state = SSL2_ST_SEND_CLIENT_MASTER_KEY_A; 219 BREAK; 220 } else { 221 s->state = SSL2_ST_CLIENT_START_ENCRYPTION; 222 break; 223 } 224 225 case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: 226 case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: 227 ret = client_master_key(s); 228 if (ret <= 0) 229 goto end; 230 s->init_num = 0; 231 s->state = SSL2_ST_CLIENT_START_ENCRYPTION; 232 break; 233 234 case SSL2_ST_CLIENT_START_ENCRYPTION: 235 /* 236 * Ok, we now have all the stuff needed to start encrypting, so 237 * lets fire it up :-) 238 */ 239 if (!ssl2_enc_init(s, 1)) { 240 ret = -1; 241 goto end; 242 } 243 s->s2->clear_text = 0; 244 s->state = SSL2_ST_SEND_CLIENT_FINISHED_A; 245 break; 246 247 case SSL2_ST_SEND_CLIENT_FINISHED_A: 248 case SSL2_ST_SEND_CLIENT_FINISHED_B: 249 ret = client_finished(s); 250 if (ret <= 0) 251 goto end; 252 s->init_num = 0; 253 s->state = SSL2_ST_GET_SERVER_VERIFY_A; 254 break; 255 256 case SSL2_ST_GET_SERVER_VERIFY_A: 257 case SSL2_ST_GET_SERVER_VERIFY_B: 258 ret = get_server_verify(s); 259 if (ret <= 0) 260 goto end; 261 s->init_num = 0; 262 s->state = SSL2_ST_GET_SERVER_FINISHED_A; 263 break; 264 265 case SSL2_ST_GET_SERVER_FINISHED_A: 266 case SSL2_ST_GET_SERVER_FINISHED_B: 267 ret = get_server_finished(s); 268 if (ret <= 0) 269 goto end; 270 break; 271 272 case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: 273 case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: 274 case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: 275 case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: 276 case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: 277 ret = client_certificate(s); 278 if (ret <= 0) 279 goto end; 280 s->init_num = 0; 281 s->state = SSL2_ST_GET_SERVER_FINISHED_A; 282 break; 283 284 case SSL_ST_OK: 285 if (s->init_buf != NULL) { 286 BUF_MEM_free(s->init_buf); 287 s->init_buf = NULL; 288 } 289 s->init_num = 0; 290 /* ERR_clear_error(); */ 291 292 /* 293 * If we want to cache session-ids in the client and we 294 * successfully add the session-id to the cache, and there is a 295 * callback, then pass it out. 26/11/96 - eay - only add if not a 296 * re-used session. 297 */ 298 299 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 300 if (s->hit) 301 s->ctx->stats.sess_hit++; 302 303 ret = 1; 304 /* s->server=0; */ 305 s->ctx->stats.sess_connect_good++; 306 307 if (cb != NULL) 308 cb(s, SSL_CB_HANDSHAKE_DONE, 1); 309 310 goto end; 311 /* break; */ 312 default: 313 SSLerr(SSL_F_SSL2_CONNECT, SSL_R_UNKNOWN_STATE); 314 return (-1); 315 /* break; */ 316 } 317 318 if ((cb != NULL) && (s->state != state)) { 319 new_state = s->state; 320 s->state = state; 321 cb(s, SSL_CB_CONNECT_LOOP, 1); 322 s->state = new_state; 323 } 324 } 325 end: 326 s->in_handshake--; 327 if (buf != NULL) 328 BUF_MEM_free(buf); 329 if (cb != NULL) 330 cb(s, SSL_CB_CONNECT_EXIT, ret); 331 return (ret); 332} 333 334static int get_server_hello(SSL *s) 335{ 336 unsigned char *buf; 337 unsigned char *p; 338 int i, j; 339 unsigned long len; 340 STACK_OF(SSL_CIPHER) *sk = NULL, *cl, *prio, *allow; 341 342 buf = (unsigned char *)s->init_buf->data; 343 p = buf; 344 if (s->state == SSL2_ST_GET_SERVER_HELLO_A) { 345 i = ssl2_read(s, (char *)&(buf[s->init_num]), 11 - s->init_num); 346 if (i < (11 - s->init_num)) 347 return (ssl2_part_read(s, SSL_F_GET_SERVER_HELLO, i)); 348 s->init_num = 11; 349 350 if (*(p++) != SSL2_MT_SERVER_HELLO) { 351 if (p[-1] != SSL2_MT_ERROR) { 352 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 353 SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_READ_WRONG_PACKET_TYPE); 354 } else 355 SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_PEER_ERROR); 356 return (-1); 357 } 358# if 0 359 s->hit = (*(p++)) ? 1 : 0; 360 /* 361 * Some [PPC?] compilers fail to increment p in above statement, e.g. 362 * one provided with Rhapsody 5.5, but most recent example XL C 11.1 363 * for AIX, even without optimization flag... 364 */ 365# else 366 s->hit = (*p) ? 1 : 0; 367 p++; 368# endif 369 s->s2->tmp.cert_type = *(p++); 370 n2s(p, i); 371 if (i < s->version) 372 s->version = i; 373 n2s(p, i); 374 s->s2->tmp.cert_length = i; 375 n2s(p, i); 376 s->s2->tmp.csl = i; 377 n2s(p, i); 378 s->s2->tmp.conn_id_length = i; 379 s->state = SSL2_ST_GET_SERVER_HELLO_B; 380 } 381 382 /* SSL2_ST_GET_SERVER_HELLO_B */ 383 len = 384 11 + (unsigned long)s->s2->tmp.cert_length + 385 (unsigned long)s->s2->tmp.csl + 386 (unsigned long)s->s2->tmp.conn_id_length; 387 if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { 388 SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_MESSAGE_TOO_LONG); 389 return -1; 390 } 391 j = (int)len - s->init_num; 392 i = ssl2_read(s, (char *)&(buf[s->init_num]), j); 393 if (i != j) 394 return (ssl2_part_read(s, SSL_F_GET_SERVER_HELLO, i)); 395 if (s->msg_callback) { 396 /* SERVER-HELLO */ 397 s->msg_callback(0, s->version, 0, buf, (size_t)len, s, 398 s->msg_callback_arg); 399 } 400 401 /* things are looking good */ 402 403 p = buf + 11; 404 if (s->hit) { 405 if (s->s2->tmp.cert_length != 0) { 406 SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_REUSE_CERT_LENGTH_NOT_ZERO); 407 return (-1); 408 } 409 if (s->s2->tmp.cert_type != 0) { 410 if (!(s->options & SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)) { 411 SSLerr(SSL_F_GET_SERVER_HELLO, 412 SSL_R_REUSE_CERT_TYPE_NOT_ZERO); 413 return (-1); 414 } 415 } 416 if (s->s2->tmp.csl != 0) { 417 SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_REUSE_CIPHER_LIST_NOT_ZERO); 418 return (-1); 419 } 420 } else { 421# ifdef undef 422 /* very bad */ 423 memset(s->session->session_id, 0, 424 SSL_MAX_SSL_SESSION_ID_LENGTH_IN_BYTES); 425 s->session->session_id_length = 0; 426 */ 427# endif 428 /* 429 * we need to do this in case we were trying to reuse a client 430 * session but others are already reusing it. If this was a new 431 * 'blank' session ID, the session-id length will still be 0 432 */ 433 if (s->session->session_id_length > 0) { 434 if (!ssl_get_new_session(s, 0)) { 435 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 436 return (-1); 437 } 438 } 439 440 if (ssl2_set_certificate(s, s->s2->tmp.cert_type, 441 s->s2->tmp.cert_length, p) <= 0) { 442 ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE); 443 return (-1); 444 } 445 p += s->s2->tmp.cert_length; 446 447 if (s->s2->tmp.csl == 0) { 448 ssl2_return_error(s, SSL2_PE_NO_CIPHER); 449 SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_NO_CIPHER_LIST); 450 return (-1); 451 } 452 453 /* 454 * We have just received a list of ciphers back from the server. We 455 * need to get the ones that match, then select the one we want the 456 * most :-). 457 */ 458 459 /* load the ciphers */ 460 sk = ssl_bytes_to_cipher_list(s, p, s->s2->tmp.csl, 461 &s->session->ciphers); 462 p += s->s2->tmp.csl; 463 if (sk == NULL) { 464 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 465 SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_MALLOC_FAILURE); 466 return (-1); 467 } 468 469 (void)sk_SSL_CIPHER_set_cmp_func(sk, ssl_cipher_ptr_id_cmp); 470 471 /* get the array of ciphers we will accept */ 472 cl = SSL_get_ciphers(s); 473 (void)sk_SSL_CIPHER_set_cmp_func(cl, ssl_cipher_ptr_id_cmp); 474 475 /* 476 * If server preference flag set, choose the first 477 * (highest priority) cipher the server sends, otherwise 478 * client preference has priority. 479 */ 480 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 481 prio = sk; 482 allow = cl; 483 } else { 484 prio = cl; 485 allow = sk; 486 } 487 /* 488 * In theory we could have ciphers sent back that we don't want to 489 * use but that does not matter since we will check against the list 490 * we originally sent and for performance reasons we should not 491 * bother to match the two lists up just to check. 492 */ 493 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 494 if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, i)) >= 0) 495 break; 496 } 497 498 if (i >= sk_SSL_CIPHER_num(prio)) { 499 ssl2_return_error(s, SSL2_PE_NO_CIPHER); 500 SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_NO_CIPHER_MATCH); 501 return (-1); 502 } 503 s->session->cipher = sk_SSL_CIPHER_value(prio, i); 504 505 if (s->session->peer != NULL) { /* can't happen */ 506 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 507 SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 508 return (-1); 509 } 510 511 s->session->peer = s->session->sess_cert->peer_key->x509; 512 /* peer_key->x509 has been set by ssl2_set_certificate. */ 513 CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509); 514 } 515 516 if (s->session->sess_cert == NULL 517 || s->session->peer != s->session->sess_cert->peer_key->x509) 518 /* can't happen */ 519 { 520 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 521 SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 522 return (-1); 523 } 524 525 s->s2->conn_id_length = s->s2->tmp.conn_id_length; 526 if (s->s2->conn_id_length > sizeof s->s2->conn_id) { 527 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 528 SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_SSL2_CONNECTION_ID_TOO_LONG); 529 return -1; 530 } 531 memcpy(s->s2->conn_id, p, s->s2->tmp.conn_id_length); 532 return (1); 533} 534 535static int client_hello(SSL *s) 536{ 537 unsigned char *buf; 538 unsigned char *p, *d; 539/* CIPHER **cipher;*/ 540 int i, n, j; 541 542 buf = (unsigned char *)s->init_buf->data; 543 if (s->state == SSL2_ST_SEND_CLIENT_HELLO_A) { 544 if ((s->session == NULL) || (s->session->ssl_version != s->version)) { 545 if (!ssl_get_new_session(s, 0)) { 546 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 547 return (-1); 548 } 549 } 550 /* else use the pre-loaded session */ 551 552 p = buf; /* header */ 553 d = p + 9; /* data section */ 554 *(p++) = SSL2_MT_CLIENT_HELLO; /* type */ 555 s2n(SSL2_VERSION, p); /* version */ 556 n = j = 0; 557 558 n = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), d, 0); 559 d += n; 560 561 if (n == 0) { 562 SSLerr(SSL_F_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE); 563 return (-1); 564 } 565 566 s2n(n, p); /* cipher spec num bytes */ 567 568 if ((s->session->session_id_length > 0) && 569 (s->session->session_id_length <= 570 SSL2_MAX_SSL_SESSION_ID_LENGTH)) { 571 i = s->session->session_id_length; 572 s2n(i, p); /* session id length */ 573 memcpy(d, s->session->session_id, (unsigned int)i); 574 d += i; 575 } else { 576 s2n(0, p); 577 } 578 579 s->s2->challenge_length = SSL2_CHALLENGE_LENGTH; 580 s2n(SSL2_CHALLENGE_LENGTH, p); /* challenge length */ 581 /* 582 * challenge id data 583 */ 584 if (RAND_pseudo_bytes(s->s2->challenge, SSL2_CHALLENGE_LENGTH) <= 0) 585 return -1; 586 memcpy(d, s->s2->challenge, SSL2_CHALLENGE_LENGTH); 587 d += SSL2_CHALLENGE_LENGTH; 588 589 s->state = SSL2_ST_SEND_CLIENT_HELLO_B; 590 s->init_num = d - buf; 591 s->init_off = 0; 592 } 593 /* SSL2_ST_SEND_CLIENT_HELLO_B */ 594 return (ssl2_do_write(s)); 595} 596 597static int client_master_key(SSL *s) 598{ 599 unsigned char *buf; 600 unsigned char *p, *d; 601 int clear, enc, karg, i; 602 SSL_SESSION *sess; 603 const EVP_CIPHER *c; 604 const EVP_MD *md; 605 606 buf = (unsigned char *)s->init_buf->data; 607 if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A) { 608 609 if (!ssl_cipher_get_evp(s->session, &c, &md, NULL, NULL, NULL)) { 610 ssl2_return_error(s, SSL2_PE_NO_CIPHER); 611 SSLerr(SSL_F_CLIENT_MASTER_KEY, 612 SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); 613 return (-1); 614 } 615 sess = s->session; 616 p = buf; 617 d = p + 10; 618 *(p++) = SSL2_MT_CLIENT_MASTER_KEY; /* type */ 619 620 i = ssl_put_cipher_by_char(s, sess->cipher, p); 621 p += i; 622 623 /* make key_arg data */ 624 i = EVP_CIPHER_iv_length(c); 625 sess->key_arg_length = i; 626 if (i > SSL_MAX_KEY_ARG_LENGTH) { 627 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 628 SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); 629 return -1; 630 } 631 if (i > 0) 632 if (RAND_pseudo_bytes(sess->key_arg, i) <= 0) 633 return -1; 634 635 /* make a master key */ 636 i = EVP_CIPHER_key_length(c); 637 sess->master_key_length = i; 638 if (i > 0) { 639 if (i > (int)sizeof(sess->master_key)) { 640 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 641 SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); 642 return -1; 643 } 644 if (RAND_bytes(sess->master_key, i) <= 0) { 645 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 646 return (-1); 647 } 648 } 649 650 if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) 651 enc = 8; 652 else if (SSL_C_IS_EXPORT(sess->cipher)) 653 enc = 5; 654 else 655 enc = i; 656 657 if ((int)i < enc) { 658 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 659 SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_CIPHER_TABLE_SRC_ERROR); 660 return (-1); 661 } 662 clear = i - enc; 663 s2n(clear, p); 664 memcpy(d, sess->master_key, (unsigned int)clear); 665 d += clear; 666 667 enc = ssl_rsa_public_encrypt(sess->sess_cert, enc, 668 &(sess->master_key[clear]), d, 669 (s-> 670 s2->ssl2_rollback) ? RSA_SSLV23_PADDING 671 : RSA_PKCS1_PADDING); 672 if (enc <= 0) { 673 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 674 SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_PUBLIC_KEY_ENCRYPT_ERROR); 675 return (-1); 676 } 677# ifdef PKCS1_CHECK 678 if (s->options & SSL_OP_PKCS1_CHECK_1) 679 d[1]++; 680 if (s->options & SSL_OP_PKCS1_CHECK_2) 681 sess->master_key[clear]++; 682# endif 683 s2n(enc, p); 684 d += enc; 685 karg = sess->key_arg_length; 686 s2n(karg, p); /* key arg size */ 687 if (karg > (int)sizeof(sess->key_arg)) { 688 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 689 SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); 690 return -1; 691 } 692 memcpy(d, sess->key_arg, (unsigned int)karg); 693 d += karg; 694 695 s->state = SSL2_ST_SEND_CLIENT_MASTER_KEY_B; 696 s->init_num = d - buf; 697 s->init_off = 0; 698 } 699 700 /* SSL2_ST_SEND_CLIENT_MASTER_KEY_B */ 701 return (ssl2_do_write(s)); 702} 703 704static int client_finished(SSL *s) 705{ 706 unsigned char *p; 707 708 if (s->state == SSL2_ST_SEND_CLIENT_FINISHED_A) { 709 p = (unsigned char *)s->init_buf->data; 710 *(p++) = SSL2_MT_CLIENT_FINISHED; 711 if (s->s2->conn_id_length > sizeof s->s2->conn_id) { 712 SSLerr(SSL_F_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR); 713 return -1; 714 } 715 memcpy(p, s->s2->conn_id, (unsigned int)s->s2->conn_id_length); 716 717 s->state = SSL2_ST_SEND_CLIENT_FINISHED_B; 718 s->init_num = s->s2->conn_id_length + 1; 719 s->init_off = 0; 720 } 721 return (ssl2_do_write(s)); 722} 723 724/* read the data and then respond */ 725static int client_certificate(SSL *s) 726{ 727 unsigned char *buf; 728 unsigned char *p, *d; 729 int i; 730 unsigned int n; 731 int cert_ch_len; 732 unsigned char *cert_ch; 733 734 buf = (unsigned char *)s->init_buf->data; 735 736 /* 737 * We have a cert associated with the SSL, so attach it to the session if 738 * it does not have one 739 */ 740 741 if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A) { 742 i = ssl2_read(s, (char *)&(buf[s->init_num]), 743 SSL2_MAX_CERT_CHALLENGE_LENGTH + 2 - s->init_num); 744 if (i < (SSL2_MIN_CERT_CHALLENGE_LENGTH + 2 - s->init_num)) 745 return (ssl2_part_read(s, SSL_F_CLIENT_CERTIFICATE, i)); 746 s->init_num += i; 747 if (s->msg_callback) { 748 /* REQUEST-CERTIFICATE */ 749 s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, 750 s->msg_callback_arg); 751 } 752 753 /* type=buf[0]; */ 754 /* type eq x509 */ 755 if (buf[1] != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) { 756 ssl2_return_error(s, SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE); 757 SSLerr(SSL_F_CLIENT_CERTIFICATE, SSL_R_BAD_AUTHENTICATION_TYPE); 758 return (-1); 759 } 760 761 if ((s->cert == NULL) || 762 (s->cert->key->x509 == NULL) || 763 (s->cert->key->privatekey == NULL)) { 764 s->state = SSL2_ST_X509_GET_CLIENT_CERTIFICATE; 765 } else 766 s->state = SSL2_ST_SEND_CLIENT_CERTIFICATE_C; 767 } 768 769 cert_ch = buf + 2; 770 cert_ch_len = s->init_num - 2; 771 772 if (s->state == SSL2_ST_X509_GET_CLIENT_CERTIFICATE) { 773 X509 *x509 = NULL; 774 EVP_PKEY *pkey = NULL; 775 776 /* 777 * If we get an error we need to ssl->rwstate=SSL_X509_LOOKUP; 778 * return(error); We should then be retried when things are ok and we 779 * can get a cert or not 780 */ 781 782 i = 0; 783 if (s->ctx->client_cert_cb != NULL) { 784 i = s->ctx->client_cert_cb(s, &(x509), &(pkey)); 785 } 786 787 if (i < 0) { 788 s->rwstate = SSL_X509_LOOKUP; 789 return (-1); 790 } 791 s->rwstate = SSL_NOTHING; 792 793 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 794 s->state = SSL2_ST_SEND_CLIENT_CERTIFICATE_C; 795 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey)) { 796 i = 0; 797 } 798 X509_free(x509); 799 EVP_PKEY_free(pkey); 800 } else if (i == 1) { 801 if (x509 != NULL) 802 X509_free(x509); 803 if (pkey != NULL) 804 EVP_PKEY_free(pkey); 805 SSLerr(SSL_F_CLIENT_CERTIFICATE, 806 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 807 i = 0; 808 } 809 810 if (i == 0) { 811 /* 812 * We have no client certificate to respond with so send the 813 * correct error message back 814 */ 815 s->state = SSL2_ST_SEND_CLIENT_CERTIFICATE_B; 816 p = buf; 817 *(p++) = SSL2_MT_ERROR; 818 s2n(SSL2_PE_NO_CERTIFICATE, p); 819 s->init_off = 0; 820 s->init_num = 3; 821 /* Write is done at the end */ 822 } 823 } 824 825 if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_B) { 826 return (ssl2_do_write(s)); 827 } 828 829 if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_C) { 830 EVP_MD_CTX ctx; 831 832 /* 833 * ok, now we calculate the checksum do it first so we can reuse buf 834 * :-) 835 */ 836 p = buf; 837 EVP_MD_CTX_init(&ctx); 838 EVP_SignInit_ex(&ctx, s->ctx->rsa_md5, NULL); 839 EVP_SignUpdate(&ctx, s->s2->key_material, s->s2->key_material_length); 840 EVP_SignUpdate(&ctx, cert_ch, (unsigned int)cert_ch_len); 841 i = i2d_X509(s->session->sess_cert->peer_key->x509, &p); 842 /* 843 * Don't update the signature if it fails - FIXME: probably should 844 * handle this better 845 */ 846 if (i > 0) 847 EVP_SignUpdate(&ctx, buf, (unsigned int)i); 848 849 p = buf; 850 d = p + 6; 851 *(p++) = SSL2_MT_CLIENT_CERTIFICATE; 852 *(p++) = SSL2_CT_X509_CERTIFICATE; 853 n = i2d_X509(s->cert->key->x509, &d); 854 s2n(n, p); 855 856 if (!EVP_SignFinal(&ctx, d, &n, s->cert->key->privatekey)) { 857 /* 858 * this is not good. If things have failed it means there so 859 * something wrong with the key. We will continue with a 0 length 860 * signature 861 */ 862 } 863 EVP_MD_CTX_cleanup(&ctx); 864 s2n(n, p); 865 d += n; 866 867 s->state = SSL2_ST_SEND_CLIENT_CERTIFICATE_D; 868 s->init_num = d - buf; 869 s->init_off = 0; 870 } 871 /* if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_D) */ 872 return (ssl2_do_write(s)); 873} 874 875static int get_server_verify(SSL *s) 876{ 877 unsigned char *p; 878 int i, n, len; 879 880 p = (unsigned char *)s->init_buf->data; 881 if (s->state == SSL2_ST_GET_SERVER_VERIFY_A) { 882 i = ssl2_read(s, (char *)&(p[s->init_num]), 1 - s->init_num); 883 if (i < (1 - s->init_num)) 884 return (ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i)); 885 s->init_num += i; 886 887 s->state = SSL2_ST_GET_SERVER_VERIFY_B; 888 if (*p != SSL2_MT_SERVER_VERIFY) { 889 if (p[0] != SSL2_MT_ERROR) { 890 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 891 SSLerr(SSL_F_GET_SERVER_VERIFY, SSL_R_READ_WRONG_PACKET_TYPE); 892 } else { 893 SSLerr(SSL_F_GET_SERVER_VERIFY, SSL_R_PEER_ERROR); 894 /* try to read the error message */ 895 i = ssl2_read(s, (char *)&(p[s->init_num]), 3 - s->init_num); 896 return ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i); 897 } 898 return (-1); 899 } 900 } 901 902 p = (unsigned char *)s->init_buf->data; 903 len = 1 + s->s2->challenge_length; 904 n = len - s->init_num; 905 i = ssl2_read(s, (char *)&(p[s->init_num]), n); 906 if (i < n) 907 return (ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i)); 908 if (s->msg_callback) { 909 /* SERVER-VERIFY */ 910 s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); 911 } 912 p += 1; 913 914 if (CRYPTO_memcmp(p, s->s2->challenge, s->s2->challenge_length) != 0) { 915 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 916 SSLerr(SSL_F_GET_SERVER_VERIFY, SSL_R_CHALLENGE_IS_DIFFERENT); 917 return (-1); 918 } 919 return (1); 920} 921 922static int get_server_finished(SSL *s) 923{ 924 unsigned char *buf; 925 unsigned char *p; 926 int i, n, len; 927 928 buf = (unsigned char *)s->init_buf->data; 929 p = buf; 930 if (s->state == SSL2_ST_GET_SERVER_FINISHED_A) { 931 i = ssl2_read(s, (char *)&(buf[s->init_num]), 1 - s->init_num); 932 if (i < (1 - s->init_num)) 933 return (ssl2_part_read(s, SSL_F_GET_SERVER_FINISHED, i)); 934 s->init_num += i; 935 936 if (*p == SSL2_MT_REQUEST_CERTIFICATE) { 937 s->state = SSL2_ST_SEND_CLIENT_CERTIFICATE_A; 938 return (1); 939 } else if (*p != SSL2_MT_SERVER_FINISHED) { 940 if (p[0] != SSL2_MT_ERROR) { 941 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 942 SSLerr(SSL_F_GET_SERVER_FINISHED, 943 SSL_R_READ_WRONG_PACKET_TYPE); 944 } else { 945 SSLerr(SSL_F_GET_SERVER_FINISHED, SSL_R_PEER_ERROR); 946 /* try to read the error message */ 947 i = ssl2_read(s, (char *)&(p[s->init_num]), 3 - s->init_num); 948 return ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i); 949 } 950 return (-1); 951 } 952 s->state = SSL2_ST_GET_SERVER_FINISHED_B; 953 } 954 955 len = 1 + SSL2_SSL_SESSION_ID_LENGTH; 956 n = len - s->init_num; 957 i = ssl2_read(s, (char *)&(buf[s->init_num]), n); 958 if (i < n) { 959 /* 960 * XXX could be shorter than SSL2_SSL_SESSION_ID_LENGTH, 961 * that's the maximum 962 */ 963 return (ssl2_part_read(s, SSL_F_GET_SERVER_FINISHED, i)); 964 } 965 s->init_num += i; 966 if (s->msg_callback) { 967 /* SERVER-FINISHED */ 968 s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, 969 s->msg_callback_arg); 970 } 971 972 if (!s->hit) { /* new session */ 973 /* new session-id */ 974 /* 975 * Make sure we were not trying to re-use an old SSL_SESSION or bad 976 * things can happen 977 */ 978 /* ZZZZZZZZZZZZZ */ 979 s->session->session_id_length = SSL2_SSL_SESSION_ID_LENGTH; 980 memcpy(s->session->session_id, p + 1, SSL2_SSL_SESSION_ID_LENGTH); 981 } else { 982 if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG)) { 983 if ((s->session->session_id_length > 984 sizeof s->session->session_id) 985 || (0 != 986 memcmp(buf + 1, s->session->session_id, 987 (unsigned int)s->session->session_id_length))) { 988 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 989 SSLerr(SSL_F_GET_SERVER_FINISHED, 990 SSL_R_SSL_SESSION_ID_IS_DIFFERENT); 991 return (-1); 992 } 993 } 994 } 995 s->state = SSL_ST_OK; 996 return (1); 997} 998 999/* loads in the certificate from the server */ 1000int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data) 1001{ 1002 STACK_OF(X509) *sk = NULL; 1003 EVP_PKEY *pkey = NULL; 1004 SESS_CERT *sc = NULL; 1005 int i; 1006 X509 *x509 = NULL; 1007 int ret = 0; 1008 1009 x509 = d2i_X509(NULL, &data, (long)len); 1010 if (x509 == NULL) { 1011 SSLerr(SSL_F_SSL2_SET_CERTIFICATE, ERR_R_X509_LIB); 1012 goto err; 1013 } 1014 1015 if ((sk = sk_X509_new_null()) == NULL || !sk_X509_push(sk, x509)) { 1016 SSLerr(SSL_F_SSL2_SET_CERTIFICATE, ERR_R_MALLOC_FAILURE); 1017 goto err; 1018 } 1019 1020 i = ssl_verify_cert_chain(s, sk); 1021 1022 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) { 1023 SSLerr(SSL_F_SSL2_SET_CERTIFICATE, SSL_R_CERTIFICATE_VERIFY_FAILED); 1024 goto err; 1025 } 1026 ERR_clear_error(); /* but we keep s->verify_result */ 1027 s->session->verify_result = s->verify_result; 1028 1029 /* server's cert for this session */ 1030 sc = ssl_sess_cert_new(); 1031 if (sc == NULL) { 1032 ret = -1; 1033 goto err; 1034 } 1035 if (s->session->sess_cert) 1036 ssl_sess_cert_free(s->session->sess_cert); 1037 s->session->sess_cert = sc; 1038 1039 sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509 = x509; 1040 sc->peer_key = &(sc->peer_pkeys[SSL_PKEY_RSA_ENC]); 1041 1042 pkey = X509_get_pubkey(x509); 1043 x509 = NULL; 1044 if (pkey == NULL) { 1045 SSLerr(SSL_F_SSL2_SET_CERTIFICATE, 1046 SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY); 1047 goto err; 1048 } 1049 if (pkey->type != EVP_PKEY_RSA) { 1050 SSLerr(SSL_F_SSL2_SET_CERTIFICATE, SSL_R_PUBLIC_KEY_NOT_RSA); 1051 goto err; 1052 } 1053 1054 if (!ssl_set_peer_cert_type(sc, SSL2_CT_X509_CERTIFICATE)) 1055 goto err; 1056 ret = 1; 1057 err: 1058 sk_X509_free(sk); 1059 X509_free(x509); 1060 EVP_PKEY_free(pkey); 1061 return (ret); 1062} 1063 1064static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from, 1065 unsigned char *to, int padding) 1066{ 1067 EVP_PKEY *pkey = NULL; 1068 int i = -1; 1069 1070 if ((sc == NULL) || (sc->peer_key->x509 == NULL) || 1071 ((pkey = X509_get_pubkey(sc->peer_key->x509)) == NULL)) { 1072 SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT, SSL_R_NO_PUBLICKEY); 1073 return (-1); 1074 } 1075 if (pkey->type != EVP_PKEY_RSA) { 1076 SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT, SSL_R_PUBLIC_KEY_IS_NOT_RSA); 1077 goto end; 1078 } 1079 1080 /* we have the public key */ 1081 i = RSA_public_encrypt(len, from, to, pkey->pkey.rsa, padding); 1082 if (i < 0) 1083 SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT, ERR_R_RSA_LIB); 1084 end: 1085 EVP_PKEY_free(pkey); 1086 return (i); 1087} 1088#else /* !OPENSSL_NO_SSL2 */ 1089 1090# if PEDANTIC 1091static void *dummy = &dummy; 1092# endif 1093 1094#endif 1095