Home | History | Annotate | Download | only in ssl
      1 /* ssl/s2_srvr.c */
      2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      3  * All rights reserved.
      4  *
      5  * This package is an SSL implementation written
      6  * by Eric Young (eay (at) cryptsoft.com).
      7  * The implementation was written so as to conform with Netscapes SSL.
      8  *
      9  * This library is free for commercial and non-commercial use as long as
     10  * the following conditions are aheared to.  The following conditions
     11  * apply to all code found in this distribution, be it the RC4, RSA,
     12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     13  * included with this distribution is covered by the same copyright terms
     14  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     15  *
     16  * Copyright remains Eric Young's, and as such any Copyright notices in
     17  * the code are not to be removed.
     18  * If this package is used in a product, Eric Young should be given attribution
     19  * as the author of the parts of the library used.
     20  * This can be in the form of a textual message at program startup or
     21  * in documentation (online or textual) provided with the package.
     22  *
     23  * Redistribution and use in source and binary forms, with or without
     24  * modification, are permitted provided that the following conditions
     25  * are met:
     26  * 1. Redistributions of source code must retain the copyright
     27  *    notice, this list of conditions and the following disclaimer.
     28  * 2. Redistributions in binary form must reproduce the above copyright
     29  *    notice, this list of conditions and the following disclaimer in the
     30  *    documentation and/or other materials provided with the distribution.
     31  * 3. All advertising materials mentioning features or use of this software
     32  *    must display the following acknowledgement:
     33  *    "This product includes cryptographic software written by
     34  *     Eric Young (eay (at) cryptsoft.com)"
     35  *    The word 'cryptographic' can be left out if the rouines from the library
     36  *    being used are not cryptographic related :-).
     37  * 4. If you include any Windows specific code (or a derivative thereof) from
     38  *    the apps directory (application code) you must include an acknowledgement:
     39  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     40  *
     41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     51  * SUCH DAMAGE.
     52  *
     53  * The licence and distribution terms for any publically available version or
     54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     55  * copied and put under another distribution licence
     56  * [including the GNU Public Licence.]
     57  */
     58 /* ====================================================================
     59  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
     60  *
     61  * Redistribution and use in source and binary forms, with or without
     62  * modification, are permitted provided that the following conditions
     63  * are met:
     64  *
     65  * 1. Redistributions of source code must retain the above copyright
     66  *    notice, this list of conditions and the following disclaimer.
     67  *
     68  * 2. Redistributions in binary form must reproduce the above copyright
     69  *    notice, this list of conditions and the following disclaimer in
     70  *    the documentation and/or other materials provided with the
     71  *    distribution.
     72  *
     73  * 3. All advertising materials mentioning features or use of this
     74  *    software must display the following acknowledgment:
     75  *    "This product includes software developed by the OpenSSL Project
     76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
     77  *
     78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     79  *    endorse or promote products derived from this software without
     80  *    prior written permission. For written permission, please contact
     81  *    openssl-core (at) openssl.org.
     82  *
     83  * 5. Products derived from this software may not be called "OpenSSL"
     84  *    nor may "OpenSSL" appear in their names without prior written
     85  *    permission of the OpenSSL Project.
     86  *
     87  * 6. Redistributions of any form whatsoever must retain the following
     88  *    acknowledgment:
     89  *    "This product includes software developed by the OpenSSL Project
     90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
     91  *
     92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    103  * OF THE POSSIBILITY OF SUCH DAMAGE.
    104  * ====================================================================
    105  *
    106  * This product includes cryptographic software written by Eric Young
    107  * (eay (at) cryptsoft.com).  This product includes software written by Tim
    108  * Hudson (tjh (at) cryptsoft.com).
    109  *
    110  */
    111 
    112 #include "ssl_locl.h"
    113 #ifndef OPENSSL_NO_SSL2
    114 #include <stdio.h>
    115 #include <openssl/bio.h>
    116 #include <openssl/rand.h>
    117 #include <openssl/objects.h>
    118 #include <openssl/evp.h>
    119 
    120 static const SSL_METHOD *ssl2_get_server_method(int ver);
    121 static int get_client_master_key(SSL *s);
    122 static int get_client_hello(SSL *s);
    123 static int server_hello(SSL *s);
    124 static int get_client_finished(SSL *s);
    125 static int server_verify(SSL *s);
    126 static int server_finish(SSL *s);
    127 static int request_certificate(SSL *s);
    128 static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
    129 	unsigned char *to,int padding);
    130 #define BREAK	break
    131 
    132 static const SSL_METHOD *ssl2_get_server_method(int ver)
    133 	{
    134 	if (ver == SSL2_VERSION)
    135 		return(SSLv2_server_method());
    136 	else
    137 		return(NULL);
    138 	}
    139 
    140 IMPLEMENT_ssl2_meth_func(SSLv2_server_method,
    141 			ssl2_accept,
    142 			ssl_undefined_function,
    143 			ssl2_get_server_method)
    144 
    145 int ssl2_accept(SSL *s)
    146 	{
    147 	unsigned long l=(unsigned long)time(NULL);
    148 	BUF_MEM *buf=NULL;
    149 	int ret= -1;
    150 	long num1;
    151 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
    152 	int new_state,state;
    153 
    154 	RAND_add(&l,sizeof(l),0);
    155 	ERR_clear_error();
    156 	clear_sys_error();
    157 
    158 	if (s->info_callback != NULL)
    159 		cb=s->info_callback;
    160 	else if (s->ctx->info_callback != NULL)
    161 		cb=s->ctx->info_callback;
    162 
    163 	/* init things to blank */
    164 	s->in_handshake++;
    165 	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
    166 
    167 	if (s->cert == NULL)
    168 		{
    169 		SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
    170 		return(-1);
    171 		}
    172 
    173 	clear_sys_error();
    174 	for (;;)
    175 		{
    176 		state=s->state;
    177 
    178 		switch (s->state)
    179 			{
    180 		case SSL_ST_BEFORE:
    181 		case SSL_ST_ACCEPT:
    182 		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
    183 		case SSL_ST_OK|SSL_ST_ACCEPT:
    184 
    185 			s->server=1;
    186 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
    187 
    188 			s->version=SSL2_VERSION;
    189 			s->type=SSL_ST_ACCEPT;
    190 
    191 			buf=s->init_buf;
    192 			if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
    193 				{ ret= -1; goto end; }
    194 			if (!BUF_MEM_grow(buf,(int)
    195 				SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
    196 				{ ret= -1; goto end; }
    197 			s->init_buf=buf;
    198 			s->init_num=0;
    199 			s->ctx->stats.sess_accept++;
    200 			s->handshake_func=ssl2_accept;
    201 			s->state=SSL2_ST_GET_CLIENT_HELLO_A;
    202 			BREAK;
    203 
    204 		case SSL2_ST_GET_CLIENT_HELLO_A:
    205 		case SSL2_ST_GET_CLIENT_HELLO_B:
    206 		case SSL2_ST_GET_CLIENT_HELLO_C:
    207 			s->shutdown=0;
    208 			ret=get_client_hello(s);
    209 			if (ret <= 0) goto end;
    210 			s->init_num=0;
    211 			s->state=SSL2_ST_SEND_SERVER_HELLO_A;
    212 			BREAK;
    213 
    214 		case SSL2_ST_SEND_SERVER_HELLO_A:
    215 		case SSL2_ST_SEND_SERVER_HELLO_B:
    216 			ret=server_hello(s);
    217 			if (ret <= 0) goto end;
    218 			s->init_num=0;
    219 			if (!s->hit)
    220 				{
    221 				s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_A;
    222 				BREAK;
    223 				}
    224 			else
    225 				{
    226 				s->state=SSL2_ST_SERVER_START_ENCRYPTION;
    227 				BREAK;
    228 				}
    229 		case SSL2_ST_GET_CLIENT_MASTER_KEY_A:
    230 		case SSL2_ST_GET_CLIENT_MASTER_KEY_B:
    231 			ret=get_client_master_key(s);
    232 			if (ret <= 0) goto end;
    233 			s->init_num=0;
    234 			s->state=SSL2_ST_SERVER_START_ENCRYPTION;
    235 			BREAK;
    236 
    237 		case SSL2_ST_SERVER_START_ENCRYPTION:
    238 			/* Ok we how have sent all the stuff needed to
    239 			 * start encrypting, the next packet back will
    240 			 * be encrypted. */
    241 			if (!ssl2_enc_init(s,0))
    242 				{ ret= -1; goto end; }
    243 			s->s2->clear_text=0;
    244 			s->state=SSL2_ST_SEND_SERVER_VERIFY_A;
    245 			BREAK;
    246 
    247 		case SSL2_ST_SEND_SERVER_VERIFY_A:
    248 		case SSL2_ST_SEND_SERVER_VERIFY_B:
    249 			ret=server_verify(s);
    250 			if (ret <= 0) goto end;
    251 			s->init_num=0;
    252 			if (s->hit)
    253 				{
    254 				/* If we are in here, we have been
    255 				 * buffering the output, so we need to
    256 				 * flush it and remove buffering from
    257 				 * future traffic */
    258 				s->state=SSL2_ST_SEND_SERVER_VERIFY_C;
    259 				BREAK;
    260 				}
    261 			else
    262 				{
    263 				s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
    264 				break;
    265 				}
    266 
    267  		case SSL2_ST_SEND_SERVER_VERIFY_C:
    268  			/* get the number of bytes to write */
    269  			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
    270  			if (num1 > 0)
    271  				{
    272 				s->rwstate=SSL_WRITING;
    273  				num1=BIO_flush(s->wbio);
    274  				if (num1 <= 0) { ret= -1; goto end; }
    275 				s->rwstate=SSL_NOTHING;
    276 				}
    277 
    278  			/* flushed and now remove buffering */
    279  			s->wbio=BIO_pop(s->wbio);
    280 
    281  			s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
    282   			BREAK;
    283 
    284 		case SSL2_ST_GET_CLIENT_FINISHED_A:
    285 		case SSL2_ST_GET_CLIENT_FINISHED_B:
    286 			ret=get_client_finished(s);
    287 			if (ret <= 0)
    288 				goto end;
    289 			s->init_num=0;
    290 			s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_A;
    291 			BREAK;
    292 
    293 		case SSL2_ST_SEND_REQUEST_CERTIFICATE_A:
    294 		case SSL2_ST_SEND_REQUEST_CERTIFICATE_B:
    295 		case SSL2_ST_SEND_REQUEST_CERTIFICATE_C:
    296 		case SSL2_ST_SEND_REQUEST_CERTIFICATE_D:
    297 			/* don't do a 'request certificate' if we
    298 			 * don't want to, or we already have one, and
    299 			 * we only want to do it once. */
    300 			if (!(s->verify_mode & SSL_VERIFY_PEER) ||
    301 				((s->session->peer != NULL) &&
    302 				(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
    303 				{
    304 				s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
    305 				break;
    306 				}
    307 			else
    308 				{
    309 				ret=request_certificate(s);
    310 				if (ret <= 0) goto end;
    311 				s->init_num=0;
    312 				s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
    313 				}
    314 			BREAK;
    315 
    316 		case SSL2_ST_SEND_SERVER_FINISHED_A:
    317 		case SSL2_ST_SEND_SERVER_FINISHED_B:
    318 			ret=server_finish(s);
    319 			if (ret <= 0) goto end;
    320 			s->init_num=0;
    321 			s->state=SSL_ST_OK;
    322 			break;
    323 
    324 		case SSL_ST_OK:
    325 			BUF_MEM_free(s->init_buf);
    326 			ssl_free_wbio_buffer(s);
    327 			s->init_buf=NULL;
    328 			s->init_num=0;
    329 		/*	ERR_clear_error();*/
    330 
    331 			ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
    332 
    333 			s->ctx->stats.sess_accept_good++;
    334 			/* s->server=1; */
    335 			ret=1;
    336 
    337 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
    338 
    339 			goto end;
    340 			/* BREAK; */
    341 
    342 		default:
    343 			SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_UNKNOWN_STATE);
    344 			ret= -1;
    345 			goto end;
    346 			/* BREAK; */
    347 			}
    348 
    349 		if ((cb != NULL) && (s->state != state))
    350 			{
    351 			new_state=s->state;
    352 			s->state=state;
    353 			cb(s,SSL_CB_ACCEPT_LOOP,1);
    354 			s->state=new_state;
    355 			}
    356 		}
    357 end:
    358 	s->in_handshake--;
    359 	if (cb != NULL)
    360 		cb(s,SSL_CB_ACCEPT_EXIT,ret);
    361 	return(ret);
    362 	}
    363 
    364 static int get_client_master_key(SSL *s)
    365 	{
    366 	int is_export,i,n,keya,ek;
    367 	unsigned long len;
    368 	unsigned char *p;
    369 	const SSL_CIPHER *cp;
    370 	const EVP_CIPHER *c;
    371 	const EVP_MD *md;
    372 
    373 	p=(unsigned char *)s->init_buf->data;
    374 	if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A)
    375 		{
    376 		i=ssl2_read(s,(char *)&(p[s->init_num]),10-s->init_num);
    377 
    378 		if (i < (10-s->init_num))
    379 			return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
    380 		s->init_num = 10;
    381 
    382 		if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY)
    383 			{
    384 			if (p[-1] != SSL2_MT_ERROR)
    385 				{
    386 				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    387 				SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_READ_WRONG_PACKET_TYPE);
    388 				}
    389 			else
    390 				SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR);
    391 			return(-1);
    392 			}
    393 
    394 		cp=ssl2_get_cipher_by_char(p);
    395 		if (cp == NULL)
    396 			{
    397 			ssl2_return_error(s,SSL2_PE_NO_CIPHER);
    398 			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
    399 			return(-1);
    400 			}
    401 		s->session->cipher= cp;
    402 
    403 		p+=3;
    404 		n2s(p,i); s->s2->tmp.clear=i;
    405 		n2s(p,i); s->s2->tmp.enc=i;
    406 		n2s(p,i);
    407 		if(i > SSL_MAX_KEY_ARG_LENGTH)
    408 			{
    409 			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    410 			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
    411 			return -1;
    412 			}
    413 		s->session->key_arg_length=i;
    414 		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
    415 		}
    416 
    417 	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
    418 	p=(unsigned char *)s->init_buf->data;
    419 	if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
    420 		{
    421 		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    422 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
    423 		return -1;
    424 		}
    425 	keya=s->session->key_arg_length;
    426 	len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
    427 	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
    428 		{
    429 		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    430 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
    431 		return -1;
    432 		}
    433 	n = (int)len - s->init_num;
    434 	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
    435 	if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
    436 	if (s->msg_callback)
    437 		s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-MASTER-KEY */
    438 	p += 10;
    439 
    440 	memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]),
    441 		(unsigned int)keya);
    442 
    443 	if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)
    444 		{
    445 		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    446 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
    447 		return(-1);
    448 		}
    449 	i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
    450 		&(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
    451 		(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
    452 
    453 	is_export=SSL_C_IS_EXPORT(s->session->cipher);
    454 
    455 	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
    456 		{
    457 		ssl2_return_error(s,SSL2_PE_NO_CIPHER);
    458 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
    459 		return(0);
    460 		}
    461 
    462 	if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
    463 		{
    464 		is_export=1;
    465 		ek=8;
    466 		}
    467 	else
    468 		ek=5;
    469 
    470 	/* bad decrypt */
    471 #if 1
    472 	/* If a bad decrypt, continue with protocol but with a
    473 	 * random master secret (Bleichenbacher attack) */
    474 	if ((i < 0) ||
    475 		((!is_export && (i != EVP_CIPHER_key_length(c)))
    476 		|| (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
    477 			(unsigned int)EVP_CIPHER_key_length(c))))))
    478 		{
    479 		ERR_clear_error();
    480 		if (is_export)
    481 			i=ek;
    482 		else
    483 			i=EVP_CIPHER_key_length(c);
    484 		if (RAND_pseudo_bytes(p,i) <= 0)
    485 			return 0;
    486 		}
    487 #else
    488 	if (i < 0)
    489 		{
    490 		error=1;
    491 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_RSA_DECRYPT);
    492 		}
    493 	/* incorrect number of key bytes for non export cipher */
    494 	else if ((!is_export && (i != EVP_CIPHER_key_length(c)))
    495 		|| (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
    496 			EVP_CIPHER_key_length(c)))))
    497 		{
    498 		error=1;
    499 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_WRONG_NUMBER_OF_KEY_BITS);
    500 		}
    501 	if (error)
    502 		{
    503 		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    504 		return(-1);
    505 		}
    506 #endif
    507 
    508 	if (is_export) i+=s->s2->tmp.clear;
    509 
    510 	if (i > SSL_MAX_MASTER_KEY_LENGTH)
    511 		{
    512 		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    513 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
    514 		return -1;
    515 		}
    516 	s->session->master_key_length=i;
    517 	memcpy(s->session->master_key,p,(unsigned int)i);
    518 	return(1);
    519 	}
    520 
    521 static int get_client_hello(SSL *s)
    522 	{
    523 	int i,n;
    524 	unsigned long len;
    525 	unsigned char *p;
    526 	STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */
    527 	STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */
    528 	STACK_OF(SSL_CIPHER) *prio, *allow;
    529 	int z;
    530 
    531 	/* This is a bit of a hack to check for the correct packet
    532 	 * type the first time round. */
    533 	if (s->state == SSL2_ST_GET_CLIENT_HELLO_A)
    534 		{
    535 		s->first_packet=1;
    536 		s->state=SSL2_ST_GET_CLIENT_HELLO_B;
    537 		}
    538 
    539 	p=(unsigned char *)s->init_buf->data;
    540 	if (s->state == SSL2_ST_GET_CLIENT_HELLO_B)
    541 		{
    542 		i=ssl2_read(s,(char *)&(p[s->init_num]),9-s->init_num);
    543 		if (i < (9-s->init_num))
    544 			return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
    545 		s->init_num = 9;
    546 
    547 		if (*(p++) != SSL2_MT_CLIENT_HELLO)
    548 			{
    549 			if (p[-1] != SSL2_MT_ERROR)
    550 				{
    551 				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    552 				SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_READ_WRONG_PACKET_TYPE);
    553 				}
    554 			else
    555 				SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_PEER_ERROR);
    556 			return(-1);
    557 			}
    558 		n2s(p,i);
    559 		if (i < s->version) s->version=i;
    560 		n2s(p,i); s->s2->tmp.cipher_spec_length=i;
    561 		n2s(p,i); s->s2->tmp.session_id_length=i;
    562 		n2s(p,i); s->s2->challenge_length=i;
    563 		if (	(i < SSL2_MIN_CHALLENGE_LENGTH) ||
    564 			(i > SSL2_MAX_CHALLENGE_LENGTH))
    565 			{
    566 			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    567 			SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_INVALID_CHALLENGE_LENGTH);
    568 			return(-1);
    569 			}
    570 		s->state=SSL2_ST_GET_CLIENT_HELLO_C;
    571 		}
    572 
    573 	/* SSL2_ST_GET_CLIENT_HELLO_C */
    574 	p=(unsigned char *)s->init_buf->data;
    575 	len = 9 + (unsigned long)s->s2->tmp.cipher_spec_length + (unsigned long)s->s2->challenge_length + (unsigned long)s->s2->tmp.session_id_length;
    576 	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
    577 		{
    578 		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    579 		SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_MESSAGE_TOO_LONG);
    580 		return -1;
    581 		}
    582 	n = (int)len - s->init_num;
    583 	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
    584 	if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
    585 	if (s->msg_callback)
    586 		s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-HELLO */
    587 	p += 9;
    588 
    589 	/* get session-id before cipher stuff so we can get out session
    590 	 * structure if it is cached */
    591 	/* session-id */
    592 	if ((s->s2->tmp.session_id_length != 0) &&
    593 		(s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH))
    594 		{
    595 		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    596 		SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_BAD_SSL_SESSION_ID_LENGTH);
    597 		return(-1);
    598 		}
    599 
    600 	if (s->s2->tmp.session_id_length == 0)
    601 		{
    602 		if (!ssl_get_new_session(s,1))
    603 			{
    604 			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    605 			return(-1);
    606 			}
    607 		}
    608 	else
    609 		{
    610 		i=ssl_get_prev_session(s,&(p[s->s2->tmp.cipher_spec_length]),
    611 			s->s2->tmp.session_id_length, NULL);
    612 		if (i == 1)
    613 			{ /* previous session */
    614 			s->hit=1;
    615 			}
    616 		else if (i == -1)
    617 			{
    618 			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    619 			return(-1);
    620 			}
    621 		else
    622 			{
    623 			if (s->cert == NULL)
    624 				{
    625 				ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
    626 				SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_NO_CERTIFICATE_SET);
    627 				return(-1);
    628 				}
    629 
    630 			if (!ssl_get_new_session(s,1))
    631 				{
    632 				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    633 				return(-1);
    634 				}
    635 			}
    636 		}
    637 
    638 	if (!s->hit)
    639 		{
    640 		cs=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.cipher_spec_length,
    641 			&s->session->ciphers);
    642 		if (cs == NULL) goto mem_err;
    643 
    644 		cl=SSL_get_ciphers(s);
    645 
    646 		if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
    647 		    {
    648 		    prio=sk_SSL_CIPHER_dup(cl);
    649 		    if (prio == NULL) goto mem_err;
    650 		    allow = cs;
    651 		    }
    652 		else
    653 		    {
    654 		    prio = cs;
    655 		    allow = cl;
    656 		    }
    657 		for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
    658 			{
    659 			if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
    660 				{
    661 				(void)sk_SSL_CIPHER_delete(prio,z);
    662 				z--;
    663 				}
    664 			}
    665 		if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
    666 		    {
    667 		    sk_SSL_CIPHER_free(s->session->ciphers);
    668 		    s->session->ciphers = prio;
    669 		    }
    670 		/* s->session->ciphers should now have a list of
    671 		 * ciphers that are on both the client and server.
    672 		 * This list is ordered by the order the client sent
    673 		 * the ciphers or in the order of the server's preference
    674 		 * if SSL_OP_CIPHER_SERVER_PREFERENCE was set.
    675 		 */
    676 		}
    677 	p+=s->s2->tmp.cipher_spec_length;
    678 	/* done cipher selection */
    679 
    680 	/* session id extracted already */
    681 	p+=s->s2->tmp.session_id_length;
    682 
    683 	/* challenge */
    684 	if (s->s2->challenge_length > sizeof s->s2->challenge)
    685 		{
    686 		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    687 		SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
    688 		return -1;
    689 		}
    690 	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
    691 	return(1);
    692 mem_err:
    693 	SSLerr(SSL_F_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
    694 	return(0);
    695 	}
    696 
    697 static int server_hello(SSL *s)
    698 	{
    699 	unsigned char *p,*d;
    700 	int n,hit;
    701 
    702 	p=(unsigned char *)s->init_buf->data;
    703 	if (s->state == SSL2_ST_SEND_SERVER_HELLO_A)
    704 		{
    705 		d=p+11;
    706 		*(p++)=SSL2_MT_SERVER_HELLO;		/* type */
    707 		hit=s->hit;
    708 		*(p++)=(unsigned char)hit;
    709 #if 1
    710 		if (!hit)
    711 			{
    712 			if (s->session->sess_cert != NULL)
    713 				/* This can't really happen because get_client_hello
    714 				 * has called ssl_get_new_session, which does not set
    715 				 * sess_cert. */
    716 				ssl_sess_cert_free(s->session->sess_cert);
    717 			s->session->sess_cert = ssl_sess_cert_new();
    718 			if (s->session->sess_cert == NULL)
    719 				{
    720 				SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE);
    721 				return(-1);
    722 				}
    723 			}
    724 		/* If 'hit' is set, then s->sess_cert may be non-NULL or NULL,
    725 		 * depending on whether it survived in the internal cache
    726 		 * or was retrieved from an external cache.
    727 		 * If it is NULL, we cannot put any useful data in it anyway,
    728 		 * so we don't touch it.
    729 		 */
    730 
    731 #else /* That's what used to be done when cert_st and sess_cert_st were
    732 	   * the same. */
    733 		if (!hit)
    734 			{			/* else add cert to session */
    735 			CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
    736 			if (s->session->sess_cert != NULL)
    737 				ssl_cert_free(s->session->sess_cert);
    738 			s->session->sess_cert=s->cert;
    739 			}
    740 		else	/* We have a session id-cache hit, if the
    741 			 * session-id has no certificate listed against
    742 			 * the 'cert' structure, grab the 'old' one
    743 			 * listed against the SSL connection */
    744 			{
    745 			if (s->session->sess_cert == NULL)
    746 				{
    747 				CRYPTO_add(&s->cert->references,1,
    748 					CRYPTO_LOCK_SSL_CERT);
    749 				s->session->sess_cert=s->cert;
    750 				}
    751 			}
    752 #endif
    753 
    754 		if (s->cert == NULL)
    755 			{
    756 			ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
    757 			SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED);
    758 			return(-1);
    759 			}
    760 
    761 		if (hit)
    762 			{
    763 			*(p++)=0;		/* no certificate type */
    764 			s2n(s->version,p);	/* version */
    765 			s2n(0,p);		/* cert len */
    766 			s2n(0,p);		/* ciphers len */
    767 			}
    768 		else
    769 			{
    770 			/* EAY EAY */
    771 			/* put certificate type */
    772 			*(p++)=SSL2_CT_X509_CERTIFICATE;
    773 			s2n(s->version,p);	/* version */
    774 			n=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
    775 			s2n(n,p);		/* certificate length */
    776 			i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&d);
    777 			n=0;
    778 
    779 			/* lets send out the ciphers we like in the
    780 			 * prefered order */
    781 			n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d,0);
    782 			d+=n;
    783 			s2n(n,p);		/* add cipher length */
    784 			}
    785 
    786 		/* make and send conn_id */
    787 		s2n(SSL2_CONNECTION_ID_LENGTH,p);	/* add conn_id length */
    788 		s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
    789 		if (RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length) <= 0)
    790 			return -1;
    791 		memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
    792 		d+=SSL2_CONNECTION_ID_LENGTH;
    793 
    794 		s->state=SSL2_ST_SEND_SERVER_HELLO_B;
    795 		s->init_num=d-(unsigned char *)s->init_buf->data;
    796 		s->init_off=0;
    797 		}
    798 	/* SSL2_ST_SEND_SERVER_HELLO_B */
    799  	/* If we are using TCP/IP, the performance is bad if we do 2
    800  	 * writes without a read between them.  This occurs when
    801  	 * Session-id reuse is used, so I will put in a buffering module
    802  	 */
    803  	if (s->hit)
    804  		{
    805 		if (!ssl_init_wbio_buffer(s,1)) return(-1);
    806  		}
    807 
    808 	return(ssl2_do_write(s));
    809 	}
    810 
    811 static int get_client_finished(SSL *s)
    812 	{
    813 	unsigned char *p;
    814 	int i, n;
    815 	unsigned long len;
    816 
    817 	p=(unsigned char *)s->init_buf->data;
    818 	if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A)
    819 		{
    820 		i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num);
    821 		if (i < 1-s->init_num)
    822 			return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
    823 		s->init_num += i;
    824 
    825 		if (*p != SSL2_MT_CLIENT_FINISHED)
    826 			{
    827 			if (*p != SSL2_MT_ERROR)
    828 				{
    829 				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    830 				SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
    831 				}
    832 			else
    833 				{
    834 				SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR);
    835 				/* try to read the error message */
    836 				i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
    837 				return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
    838 				}
    839 			return(-1);
    840 			}
    841 		s->state=SSL2_ST_GET_CLIENT_FINISHED_B;
    842 		}
    843 
    844 	/* SSL2_ST_GET_CLIENT_FINISHED_B */
    845 	if (s->s2->conn_id_length > sizeof s->s2->conn_id)
    846 		{
    847 		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    848 		SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
    849 		return -1;
    850 		}
    851 	len = 1 + (unsigned long)s->s2->conn_id_length;
    852 	n = (int)len - s->init_num;
    853 	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
    854 	if (i < n)
    855 		{
    856 		return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
    857 		}
    858 	if (s->msg_callback)
    859 		s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-FINISHED */
    860 	p += 1;
    861 	if (memcmp(p,s->s2->conn_id,s->s2->conn_id_length) != 0)
    862 		{
    863 		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    864 		SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT);
    865 		return(-1);
    866 		}
    867 	return(1);
    868 	}
    869 
    870 static int server_verify(SSL *s)
    871 	{
    872 	unsigned char *p;
    873 
    874 	if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A)
    875 		{
    876 		p=(unsigned char *)s->init_buf->data;
    877 		*(p++)=SSL2_MT_SERVER_VERIFY;
    878 		if (s->s2->challenge_length > sizeof s->s2->challenge)
    879 			{
    880 			SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR);
    881 			return -1;
    882 			}
    883 		memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
    884 		/* p+=s->s2->challenge_length; */
    885 
    886 		s->state=SSL2_ST_SEND_SERVER_VERIFY_B;
    887 		s->init_num=s->s2->challenge_length+1;
    888 		s->init_off=0;
    889 		}
    890 	return(ssl2_do_write(s));
    891 	}
    892 
    893 static int server_finish(SSL *s)
    894 	{
    895 	unsigned char *p;
    896 
    897 	if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A)
    898 		{
    899 		p=(unsigned char *)s->init_buf->data;
    900 		*(p++)=SSL2_MT_SERVER_FINISHED;
    901 
    902 		if (s->session->session_id_length > sizeof s->session->session_id)
    903 			{
    904 			SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR);
    905 			return -1;
    906 			}
    907 		memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
    908 		/* p+=s->session->session_id_length; */
    909 
    910 		s->state=SSL2_ST_SEND_SERVER_FINISHED_B;
    911 		s->init_num=s->session->session_id_length+1;
    912 		s->init_off=0;
    913 		}
    914 
    915 	/* SSL2_ST_SEND_SERVER_FINISHED_B */
    916 	return(ssl2_do_write(s));
    917 	}
    918 
    919 /* send the request and check the response */
    920 static int request_certificate(SSL *s)
    921 	{
    922 	const unsigned char *cp;
    923 	unsigned char *p,*p2,*buf2;
    924 	unsigned char *ccd;
    925 	int i,j,ctype,ret= -1;
    926 	unsigned long len;
    927 	X509 *x509=NULL;
    928 	STACK_OF(X509) *sk=NULL;
    929 
    930 	ccd=s->s2->tmp.ccl;
    931 	if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A)
    932 		{
    933 		p=(unsigned char *)s->init_buf->data;
    934 		*(p++)=SSL2_MT_REQUEST_CERTIFICATE;
    935 		*(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
    936 		if (RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
    937 			return -1;
    938 		memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
    939 
    940 		s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
    941 		s->init_num=SSL2_MIN_CERT_CHALLENGE_LENGTH+2;
    942 		s->init_off=0;
    943 		}
    944 
    945 	if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B)
    946 		{
    947 		i=ssl2_do_write(s);
    948 		if (i <= 0)
    949 			{
    950 			ret=i;
    951 			goto end;
    952 			}
    953 
    954 		s->init_num=0;
    955 		s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_C;
    956 		}
    957 
    958 	if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C)
    959 		{
    960 		p=(unsigned char *)s->init_buf->data;
    961 		i=ssl2_read(s,(char *)&(p[s->init_num]),6-s->init_num); /* try to read 6 octets ... */
    962 		if (i < 3-s->init_num) /* ... but don't call ssl2_part_read now if we got at least 3
    963 		                        * (probably NO-CERTIFICATE-ERROR) */
    964 			{
    965 			ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
    966 			goto end;
    967 			}
    968 		s->init_num += i;
    969 
    970 		if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR))
    971 			{
    972 			n2s(p,i);
    973 			if (i != SSL2_PE_NO_CERTIFICATE)
    974 				{
    975 				/* not the error message we expected -- let ssl2_part_read handle it */
    976 				s->init_num -= 3;
    977 				ret = ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE, 3);
    978 				goto end;
    979 				}
    980 
    981 			if (s->msg_callback)
    982 				s->msg_callback(0, s->version, 0, p, 3, s, s->msg_callback_arg); /* ERROR */
    983 
    984 			/* this is the one place where we can recover from an SSL 2.0 error */
    985 
    986 			if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
    987 				{
    988 				ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
    989 				SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
    990 				goto end;
    991 				}
    992 			ret=1;
    993 			goto end;
    994 			}
    995 		if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6))
    996 			{
    997 			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
    998 			SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_SHORT_READ);
    999 			goto end;
   1000 			}
   1001 		if (s->init_num != 6)
   1002 			{
   1003 			SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR);
   1004 			goto end;
   1005 			}
   1006 
   1007 		/* ok we have a response */
   1008 		/* certificate type, there is only one right now. */
   1009 		ctype= *(p++);
   1010 		if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION)
   1011 			{
   1012 			ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
   1013 			SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_RESPONSE_ARGUMENT);
   1014 			goto end;
   1015 			}
   1016 		n2s(p,i); s->s2->tmp.clen=i;
   1017 		n2s(p,i); s->s2->tmp.rlen=i;
   1018 		s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_D;
   1019 		}
   1020 
   1021 	/* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */
   1022 	p=(unsigned char *)s->init_buf->data;
   1023 	len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen;
   1024 	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
   1025 		{
   1026 		SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG);
   1027 		goto end;
   1028 		}
   1029 	j = (int)len - s->init_num;
   1030 	i = ssl2_read(s,(char *)&(p[s->init_num]),j);
   1031 	if (i < j)
   1032 		{
   1033 		ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
   1034 		goto end;
   1035 		}
   1036 	if (s->msg_callback)
   1037 		s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */
   1038 	p += 6;
   1039 
   1040 	cp = p;
   1041 	x509=(X509 *)d2i_X509(NULL,&cp,(long)s->s2->tmp.clen);
   1042 	if (x509 == NULL)
   1043 		{
   1044 		SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_X509_LIB);
   1045 		goto msg_end;
   1046 		}
   1047 
   1048 	if (((sk=sk_X509_new_null()) == NULL) || (!sk_X509_push(sk,x509)))
   1049 		{
   1050 		SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
   1051 		goto msg_end;
   1052 		}
   1053 
   1054 	i=ssl_verify_cert_chain(s,sk);
   1055 
   1056 	if (i > 0)	/* we like the packet, now check the chksum */
   1057 		{
   1058 		EVP_MD_CTX ctx;
   1059 		EVP_PKEY *pkey=NULL;
   1060 
   1061 		EVP_MD_CTX_init(&ctx);
   1062 		EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL);
   1063 		EVP_VerifyUpdate(&ctx,s->s2->key_material,
   1064 				 s->s2->key_material_length);
   1065 		EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
   1066 
   1067 		i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
   1068 		buf2=OPENSSL_malloc((unsigned int)i);
   1069 		if (buf2 == NULL)
   1070 			{
   1071 			SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
   1072 			goto msg_end;
   1073 			}
   1074 		p2=buf2;
   1075 		i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
   1076 		EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i);
   1077 		OPENSSL_free(buf2);
   1078 
   1079 		pkey=X509_get_pubkey(x509);
   1080 		if (pkey == NULL) goto end;
   1081 		i=EVP_VerifyFinal(&ctx,cp,s->s2->tmp.rlen,pkey);
   1082 		EVP_PKEY_free(pkey);
   1083 		EVP_MD_CTX_cleanup(&ctx);
   1084 
   1085 		if (i > 0)
   1086 			{
   1087 			if (s->session->peer != NULL)
   1088 				X509_free(s->session->peer);
   1089 			s->session->peer=x509;
   1090 			CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
   1091 			s->session->verify_result = s->verify_result;
   1092 			ret=1;
   1093 			goto end;
   1094 			}
   1095 		else
   1096 			{
   1097 			SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_CHECKSUM);
   1098 			goto msg_end;
   1099 			}
   1100 		}
   1101 	else
   1102 		{
   1103 msg_end:
   1104 		ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
   1105 		}
   1106 end:
   1107 	sk_X509_free(sk);
   1108 	X509_free(x509);
   1109 	return(ret);
   1110 	}
   1111 
   1112 static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
   1113 	     unsigned char *to, int padding)
   1114 	{
   1115 	RSA *rsa;
   1116 	int i;
   1117 
   1118 	if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL))
   1119 		{
   1120 		SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_NO_PRIVATEKEY);
   1121 		return(-1);
   1122 		}
   1123 	if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA)
   1124 		{
   1125 		SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA);
   1126 		return(-1);
   1127 		}
   1128 	rsa=c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa;
   1129 
   1130 	/* we have the public key */
   1131 	i=RSA_private_decrypt(len,from,to,rsa,padding);
   1132 	if (i < 0)
   1133 		SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB);
   1134 	return(i);
   1135 	}
   1136 #else /* !OPENSSL_NO_SSL2 */
   1137 
   1138 # if PEDANTIC
   1139 static void *dummy=&dummy;
   1140 # endif
   1141 
   1142 #endif
   1143