Implement msg_callback for SSL 2.0.
Important SSL 2.0 bugfixes (bugs found while implementing msg_callback).
This commit is contained in:
Bodo Möller
123
ssl/s2_clnt.c
123
ssl/s2_clnt.c
@@ -55,6 +55,59 @@
|
||||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this
|
||||
* software must display the following acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
||||
*
|
||||
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* prior written permission. For written permission, please contact
|
||||
* openssl-core@openssl.org.
|
||||
*
|
||||
* 5. Products derived from this software may not be called "OpenSSL"
|
||||
* nor may "OpenSSL" appear in their names without prior written
|
||||
* permission of the OpenSSL Project.
|
||||
*
|
||||
* 6. Redistributions of any form whatsoever must retain the following
|
||||
* acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* ====================================================================
|
||||
*
|
||||
* This product includes cryptographic software written by Eric Young
|
||||
* (eay@cryptsoft.com). This product includes software written by Tim
|
||||
* Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
*/
|
||||
|
||||
#include "ssl_locl.h"
|
||||
#ifndef OPENSSL_NO_SSL2
|
||||
@@ -287,6 +340,7 @@ static int get_server_hello(SSL *s)
|
||||
unsigned char *buf;
|
||||
unsigned char *p;
|
||||
int i,j;
|
||||
unsigned long len;
|
||||
STACK_OF(SSL_CIPHER) *sk=NULL,*cl, *prio, *allow;
|
||||
|
||||
buf=(unsigned char *)s->init_buf->data;
|
||||
@@ -296,6 +350,7 @@ static int get_server_hello(SSL *s)
|
||||
i=ssl2_read(s,(char *)&(buf[s->init_num]),11-s->init_num);
|
||||
if (i < (11-s->init_num))
|
||||
return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
|
||||
s->init_num = 11;
|
||||
|
||||
if (*(p++) != SSL2_MT_SERVER_HELLO)
|
||||
{
|
||||
@@ -324,18 +379,24 @@ static int get_server_hello(SSL *s)
|
||||
n2s(p,i); s->s2->tmp.csl=i;
|
||||
n2s(p,i); s->s2->tmp.conn_id_length=i;
|
||||
s->state=SSL2_ST_GET_SERVER_HELLO_B;
|
||||
s->init_num=0;
|
||||
}
|
||||
|
||||
/* SSL2_ST_GET_SERVER_HELLO_B */
|
||||
j=s->s2->tmp.cert_length+s->s2->tmp.csl+s->s2->tmp.conn_id_length
|
||||
- s->init_num;
|
||||
i=ssl2_read(s,(char *)&(buf[s->init_num]),j);
|
||||
len = 11 + (unsigned long)s->s2->tmp.cert_length + (unsigned long)s->s2->tmp.csl + (unsigned long)s->s2->tmp.conn_id_length;
|
||||
if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
|
||||
{
|
||||
SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_MESSAGE_TOO_LONG);
|
||||
return -1;
|
||||
}
|
||||
j = (int)len - s->init_num;
|
||||
i = ssl2_read(s,(char *)&(buf[s->init_num]),j);
|
||||
if (i != j) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
|
||||
if (s->msg_callback)
|
||||
s->msg_callback(0, s->version, 0, buf, (size_t)len, s, s->msg_callback_arg); /* SERVER-HELLO */
|
||||
|
||||
/* things are looking good */
|
||||
|
||||
p=buf;
|
||||
p = buf + 11;
|
||||
if (s->hit)
|
||||
{
|
||||
if (s->s2->tmp.cert_length != 0)
|
||||
@@ -661,11 +722,10 @@ static int client_certificate(SSL *s)
|
||||
unsigned char *p,*d;
|
||||
int i;
|
||||
unsigned int n;
|
||||
int cert_ch_len=0;
|
||||
int cert_ch_len;
|
||||
unsigned char *cert_ch;
|
||||
|
||||
buf=(unsigned char *)s->init_buf->data;
|
||||
cert_ch= &(buf[2]);
|
||||
|
||||
/* We have a cert associated with the SSL, so attach it to
|
||||
* the session if it does not have one */
|
||||
@@ -676,6 +736,9 @@ static int client_certificate(SSL *s)
|
||||
SSL2_MAX_CERT_CHALLENGE_LENGTH+1-s->init_num);
|
||||
if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+1-s->init_num))
|
||||
return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i));
|
||||
s->init_num += i;
|
||||
if (s->msg_callback)
|
||||
s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* REQUEST-CERTIFICATE */
|
||||
|
||||
/* type=buf[0]; */
|
||||
/* type eq x509 */
|
||||
@@ -685,7 +748,6 @@ static int client_certificate(SSL *s)
|
||||
SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_AUTHENTICATION_TYPE);
|
||||
return(-1);
|
||||
}
|
||||
cert_ch_len=i-1;
|
||||
|
||||
if ((s->cert == NULL) ||
|
||||
(s->cert->key->x509 == NULL) ||
|
||||
@@ -697,6 +759,9 @@ static int client_certificate(SSL *s)
|
||||
s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C;
|
||||
}
|
||||
|
||||
cert_ch = buf + 2;
|
||||
cert_ch_len = s->init_num - 2;
|
||||
|
||||
if (s->state == SSL2_ST_X509_GET_CLIENT_CERTIFICATE)
|
||||
{
|
||||
X509 *x509=NULL;
|
||||
@@ -803,17 +868,17 @@ static int client_certificate(SSL *s)
|
||||
static int get_server_verify(SSL *s)
|
||||
{
|
||||
unsigned char *p;
|
||||
int i;
|
||||
int i, n, len;
|
||||
|
||||
p=(unsigned char *)s->init_buf->data;
|
||||
if (s->state == SSL2_ST_GET_SERVER_VERIFY_A)
|
||||
{
|
||||
i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num);
|
||||
if (i < (1-s->init_num))
|
||||
i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
|
||||
if (i < (3-s->init_num))
|
||||
return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
|
||||
s->init_num += i;
|
||||
|
||||
s->state= SSL2_ST_GET_SERVER_VERIFY_B;
|
||||
s->init_num=0;
|
||||
if (*p != SSL2_MT_SERVER_VERIFY)
|
||||
{
|
||||
if (p[0] != SSL2_MT_ERROR)
|
||||
@@ -830,10 +895,15 @@ static int get_server_verify(SSL *s)
|
||||
}
|
||||
|
||||
p=(unsigned char *)s->init_buf->data;
|
||||
i=ssl2_read(s,(char *)&(p[s->init_num]),
|
||||
(unsigned int)s->s2->challenge_length-s->init_num);
|
||||
if (i < ((int)s->s2->challenge_length-s->init_num))
|
||||
len = 1 + s->s2->challenge_length;
|
||||
n = len - s->init_num;
|
||||
i = ssl2_read(s,(char *)&(p[s->init_num]),n);
|
||||
if (i < n)
|
||||
return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
|
||||
if (s->msg_callback)
|
||||
s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
|
||||
p += 1;
|
||||
|
||||
if (memcmp(p,s->s2->challenge,(unsigned int)s->s2->challenge_length) != 0)
|
||||
{
|
||||
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
|
||||
@@ -847,16 +917,17 @@ static int get_server_finished(SSL *s)
|
||||
{
|
||||
unsigned char *buf;
|
||||
unsigned char *p;
|
||||
int i;
|
||||
int i, n, len;
|
||||
|
||||
buf=(unsigned char *)s->init_buf->data;
|
||||
p=buf;
|
||||
if (s->state == SSL2_ST_GET_SERVER_FINISHED_A)
|
||||
{
|
||||
i=ssl2_read(s,(char *)&(buf[s->init_num]),1-s->init_num);
|
||||
if (i < (1-s->init_num))
|
||||
i=ssl2_read(s,(char *)&(buf[s->init_num]),3-s->init_num);
|
||||
if (i < (3-s->init_num))
|
||||
return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
|
||||
s->init_num=i;
|
||||
s->init_num += i;
|
||||
|
||||
if (*p == SSL2_MT_REQUEST_CERTIFICATE)
|
||||
{
|
||||
s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_A;
|
||||
@@ -873,14 +944,17 @@ static int get_server_finished(SSL *s)
|
||||
SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_PEER_ERROR);
|
||||
return(-1);
|
||||
}
|
||||
s->state=SSL_ST_OK;
|
||||
s->init_num=0;
|
||||
s->state=SSL2_ST_GET_SERVER_FINISHED_B;
|
||||
}
|
||||
|
||||
i=ssl2_read(s,(char *)&(buf[s->init_num]),
|
||||
SSL2_SSL_SESSION_ID_LENGTH-s->init_num);
|
||||
if (i < (SSL2_SSL_SESSION_ID_LENGTH-s->init_num))
|
||||
len = 1 + SSL2_SSL_SESSION_ID_LENGTH;
|
||||
n = len - s->init_num;
|
||||
i = ssl2_read(s,(char *)&(buf[s->init_num]), n);
|
||||
if (i < n) /* XXX could be shorter than SSL2_SSL_SESSION_ID_LENGTH, that's the maximum */
|
||||
return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
|
||||
s->init_num += i;
|
||||
if (s->msg_callback)
|
||||
s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* SERVER-FINISHED */
|
||||
|
||||
if (!s->hit) /* new session */
|
||||
{
|
||||
@@ -904,6 +978,7 @@ static int get_server_finished(SSL *s)
|
||||
}
|
||||
}
|
||||
}
|
||||
s->state = SSL_ST_OK;
|
||||
return(1);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user