ssl2Message.cpp   [plain text]


/*
 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */

#include "ssl.h"
#include "ssl2.h"
#include "sslRecord.h"
#include "sslMemory.h"
#include "sslContext.h"
#include "sslAlertMessage.h"
#include "sslHandshake.h"
#include "sslSession.h"
#include "sslDebug.h"
#include "cipherSpecs.h"
#include "appleCdsa.h"
#include "sslUtils.h"

#include <string.h>
#include <assert.h>

OSStatus
SSL2ProcessClientHello(SSLBuffer msg, SSLContext *ctx)
{   OSStatus      		err;
    UInt8               *charPtr, *cipherList;
    unsigned            i, j, cipherKindCount, sessionIDLen, challengeLen;
    SSL2CipherKind      cipherKind;
    SSLCipherSuite      matchingCipher, selectedCipher;
    SSLProtocolVersion  version;
    
    if (msg.length < 27) {
		sslErrorLog("SSL2ProcessClientHello: msg len error 1\n");
        return errSSLProtocol;
    }
    
    charPtr = msg.data;
    
    version = (SSLProtocolVersion)SSLDecodeInt(charPtr, 2);
	if (version > ctx->maxProtocolVersion) {
		version = ctx->maxProtocolVersion;
	}
    /* FIXME - I think this needs work for a SSL_Version_2_0 server, to ensure that
	 * the client isn't establishing a v3 session. */
    if (ctx->negProtocolVersion == SSL_Version_Undetermined)
    {   
		/* FIXME - this ifndef should not be necessary */
		#ifndef	NDEBUG
        sslLogNegotiateDebug("===SSL2 server: negVersion was undetermined; "
			"is %s", protocolVersStr(version));
		#endif
        ctx->negProtocolVersion = version;
		if(version >= TLS_Version_1_0) {
			ctx->sslTslCalls = &Tls1Callouts;
		}
		else {
			/* default from context init */
			assert(ctx->sslTslCalls == &Ssl3Callouts);
		}
    }
    else if (ctx->negProtocolVersion == SSL_Version_3_0_With_2_0_Hello)
    {   if (version < SSL_Version_3_0) {
			sslErrorLog("SSL2ProcessClientHello: version error\n");
            return errSSLProtocol;
        }
		/* FIXME - I don't think path is ever taken - we NEVER set any
		 * protocol var to 	SSL_Version_3_0_With_2_0_Hello... */
        sslLogNegotiateDebug("===SSL2 server: negVersion was "
			"3_0_With_2_0_Hello; is 3_0");
        ctx->negProtocolVersion = version;
    }
    
    charPtr += 2;
    cipherKindCount = SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    if (cipherKindCount % 3 != 0) {
		sslErrorLog("SSL2ProcessClientHello: cipherKindCount error\n");
        return errSSLProtocol;
    }
    cipherKindCount /= 3;
    sessionIDLen = SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    challengeLen = SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    
    if (msg.length != 8 + 3*cipherKindCount + sessionIDLen + challengeLen ||
        (sessionIDLen != 0 && sessionIDLen != 16) ||
        challengeLen < 16 || challengeLen > 32 ) {
		sslErrorLog("SSL2ProcessClientHello: msg len error 2\n");
        return errSSLProtocol;
    }
    cipherList = charPtr;
    selectedCipher = SSL_NO_SUCH_CIPHERSUITE;

    if (ctx->negProtocolVersion >= SSL_Version_3_0) {
		/* If we're negotiating an SSL 3.0 session, use SSL 3.0 suites first */
        for (i = 0; i < cipherKindCount; i++) {
            cipherKind = (SSL2CipherKind)SSLDecodeInt(charPtr, 3);
            charPtr += 3;
            if (selectedCipher != SSL_NO_SUCH_CIPHERSUITE)
                continue;
            if ((((UInt32)cipherKind) & 0xFF0000) != 0)
                continue;       /* Skip SSL 2 suites */
            matchingCipher = (SSLCipherSuite)((UInt32)cipherKind & 0x00FFFF);
            for (j = 0; j<ctx->numValidCipherSpecs; j++) {
                if (ctx->validCipherSpecs[j].cipherSpec == matchingCipher) {
                    selectedCipher = matchingCipher;
                    break;
                }
			}	/* searching thru all our valid ciphers */
        }	/* for each client cipher */
    }	/* v3 or greater */
    
	if(selectedCipher == SSL_NO_SUCH_CIPHERSUITE) {
		/* try again using SSL2 ciphers only */
	    charPtr = cipherList;
		for (i = 0; i < cipherKindCount; i++) {
			cipherKind = (SSL2CipherKind)SSLDecodeInt(charPtr, 3);
			charPtr += 3;
			if (selectedCipher == SSL_NO_SUCH_CIPHERSUITE) {
				/* After we find one, just keep advancing ptr past 
				 * the unused ones */
				if ((((UInt32)cipherKind) & 0xFF0000) != 0) {
					/* If it's a real SSL2 spec, look for it in the list */
					matchingCipher = SSL_NO_SUCH_CIPHERSUITE;
					for (j = 0; j < SSL2CipherMapCount; j++) {
						if (cipherKind == SSL2CipherMap[j].cipherKind) {
							matchingCipher = SSL2CipherMap[j].cipherSuite;
							break;
						}
					}
				}	/* real 3-byte SSL2 suite */
				else {
					/* if the first byte is zero, it's an encoded SSL 3 CipherSuite */
					matchingCipher = (SSLCipherSuite)((UInt32)cipherKind & 0x00FFFF);
					/* 
					* One more restriction - if we've negotiated a v2 session,
					* ignore this matching cipher if it's not in the SSL2 map.
					*/
					if(ctx->negProtocolVersion < SSL_Version_3_0) {
						int isInMap = 0;
						for (j = 0; j < SSL2CipherMapCount; j++) {
							if (matchingCipher == SSL2CipherMap[j].cipherSuite) {
								isInMap = 1;
								break;
							}
						}
						if(!isInMap) {
							/* Sorry, no can do */
							matchingCipher = SSL_NO_SUCH_CIPHERSUITE;
						}
					}	/* SSL2 check */
				}	/* two-byte suite */
				
				/* now see if we are enabled for this cipher */
				if (matchingCipher != SSL_NO_SUCH_CIPHERSUITE) {
					for (j = 0; j < ctx->numValidCipherSpecs; j++) {
						if (ctx->validCipherSpecs[j].cipherSpec == matchingCipher) {
							selectedCipher = matchingCipher;
							break;
						}
					}
				}
			}	/* not ignoring this suite */
		}	/* for each suite in the hello msg */
	}		/* not found in SSL3 ciphersuites */
	
    if (selectedCipher == SSL_NO_SUCH_CIPHERSUITE)
        return errSSLNegotiation;
    
    ctx->selectedCipher = selectedCipher;
    err = FindCipherSpec(ctx);
    if(err != 0) {
        return err;
    }
    if (sessionIDLen > 0 && ctx->peerID.data != 0)
    {   /* Don't die on error; just treat it as an uncacheable session */
        err = SSLAllocBuffer(ctx->sessionID, sessionIDLen, ctx);
        if (err == 0)
            memcpy(ctx->sessionID.data, charPtr, sessionIDLen);
    }
    charPtr += sessionIDLen;
    
    ctx->ssl2ChallengeLength = challengeLen;
    memset(ctx->clientRandom, 0, SSL_CLIENT_SRVR_RAND_SIZE);
    memcpy(ctx->clientRandom + SSL_CLIENT_SRVR_RAND_SIZE - challengeLen, 
		charPtr, challengeLen);
    charPtr += challengeLen;
    assert(charPtr == msg.data + msg.length);
    
    return noErr;
}

/*
 * The SSL v2 spec says that the challenge string sent by the client can be
 * between 16 and 32 bytes. However all Netscape enterprise servers actually
 * require a 16 byte challenge. Q.v. cdnow.com, store.apple.com. 
 * Unfortunately this means that when we're trying to do a 
 * SSL_Version_3_0_With_2_0_Hello negotiation, we have to limit ourself to 
 * a 16-byte clientRandom, which we have to concatenate to 16 bytes of 
 * zeroes if we end up with a 3.0 or 3.1 connection. Thus we lose 16 bytes
 * of entropy.
 */
#define SSL2_CHALLENGE_LEN	16

OSStatus
SSL2EncodeClientHello(SSLBuffer &msg, SSLContext *ctx)
{   OSStatus 	err;
    UInt8 		*charPtr;
    unsigned   	i, j;
	int		 	useSSL3Ciphers = 0;
	int			totalCipherCount;
    int			sessionIDLen;
    UInt16		version;
    SSLBuffer	sessionIdentifier, randomData;
    
    switch (ctx->negProtocolVersion)
    {   case SSL_Version_Undetermined:
        case SSL_Version_3_0_With_2_0_Hello:
        	/* go for it, see if server can handle upgrading */
           	useSSL3Ciphers = 1;
			/* could be SSLv3 or TLSv1 */
            version = ctx->maxProtocolVersion;
            break;
        case SSL_Version_2_0:
            useSSL3Ciphers = 0;
            version = SSL_Version_2_0;
            break;
        case SSL_Version_3_0_Only:
        case SSL_Version_3_0:
        case TLS_Version_1_0_Only:
        case TLS_Version_1_0:
        default:
            assert("Bad protocol version for sending SSL 2 Client Hello");
            return errSSLInternal;
    }
	/* FIXME - this ifndef should not be necessary */
	#ifndef	NDEBUG
	sslLogNegotiateDebug("===SSL client: proclaiming %s capable", 
		protocolVersStr((SSLProtocolVersion)version));
    #endif
	
    if (useSSL3Ciphers != 0)
        totalCipherCount = ctx->numValidCipherSpecs;
    else
        totalCipherCount = 0;
        
    for (i = 0; i < SSL2CipherMapCount; i++)
        for (j = 0; j < ctx->numValidCipherSpecs; j++)
            if (ctx->validCipherSpecs[j].cipherSpec == SSL2CipherMap[i].cipherSuite)
            {   totalCipherCount++;
                break;
            }
    
    sessionIDLen = 0;
    sessionIdentifier.data = 0;
    if (ctx->resumableSession.data != 0)
    {   if ((err = SSLRetrieveSessionID(ctx->resumableSession, &sessionIdentifier, ctx)) != 0)
            return err;
        sessionIDLen = sessionIdentifier.length;
    }
    
	/* msg length = 9 + 3 * totalCipherCount + sessionIDLen + 16 bytes of challenge
	 *  Use exactly 16 bytes of challenge because Netscape products have a bug
	 *  that requires this length
	 */ 
    if ((err = SSLAllocBuffer(msg, 9 + (3*totalCipherCount) + sessionIDLen + 
			SSL2_CHALLENGE_LEN, ctx)) != 0)
    {   SSLFreeBuffer(sessionIdentifier, ctx);
        return err;
    }
    
    charPtr = msg.data;
    *charPtr++ = SSL2_MsgClientHello;
    charPtr = SSLEncodeInt(charPtr, version, 2);
    charPtr = SSLEncodeInt(charPtr, 3*totalCipherCount, 2);
    charPtr = SSLEncodeInt(charPtr, sessionIDLen, 2);
    charPtr = SSLEncodeInt(charPtr, SSL2_CHALLENGE_LEN, 2);
    
	/* If we can send SSL3 ciphers, encode the two-byte cipher specs into three-byte
	 *  CipherKinds which have a leading 0.
	 */
    if (useSSL3Ciphers != 0)
        for (i = 0; i < ctx->numValidCipherSpecs; i++)
            charPtr = SSLEncodeInt(charPtr, ctx->validCipherSpecs[i].cipherSpec, 3);
    
	/* Now send those SSL2 specs for which we have implementations */
    for (i = 0; i < SSL2CipherMapCount; i++)
        for (j = 0; j < ctx->numValidCipherSpecs; j++)
            if (ctx->validCipherSpecs[j].cipherSpec == SSL2CipherMap[i].cipherSuite)
            {   charPtr = SSLEncodeInt(charPtr, SSL2CipherMap[i].cipherKind, 3);
                break;
            }
    
    if (sessionIDLen > 0)
    {   memcpy(charPtr, sessionIdentifier.data, sessionIDLen);
        charPtr += sessionIDLen;
        SSLFreeBuffer(sessionIdentifier, ctx);
    }
    
    randomData.data = charPtr;
    randomData.length = SSL2_CHALLENGE_LEN;
    if ((err = sslRand(ctx, &randomData)) != 0)
    {   SSLFreeBuffer(msg, ctx);
        return err;
    }
    charPtr += SSL2_CHALLENGE_LEN;
    
	/* Zero out the first 16 bytes of clientRandom, and store 
	 * the challenge in the second 16 bytes */
	#if (SSL2_CHALLENGE_LEN == SSL_CLIENT_SRVR_RAND_SIZE)
	/* this path verified to fail with Netscape Enterprise servers 1/16/02 */
    memcpy(ctx->clientRandom, randomData.data, SSL2_CHALLENGE_LEN);
	#else
    memset(ctx->clientRandom, 0, SSL_CLIENT_SRVR_RAND_SIZE - SSL2_CHALLENGE_LEN);
    memcpy(ctx->clientRandom + SSL_CLIENT_SRVR_RAND_SIZE - SSL2_CHALLENGE_LEN, 
			randomData.data, SSL2_CHALLENGE_LEN);
	#endif
    ctx->ssl2ChallengeLength = SSL2_CHALLENGE_LEN;
    
    assert(charPtr == msg.data + msg.length);
    
    return noErr;
}

OSStatus
SSL2ProcessClientMasterKey(SSLBuffer msg, SSLContext *ctx)
{   OSStatus        err;
    SSL2CipherKind  cipherKind;
    SSLBuffer       secretData;
    unsigned        clearLength, encryptedLength, keyArgLength;
    UInt32    		secretLength, localKeyModulusLen;
    UInt8           *charPtr;
    const CSSM_KEY	*decryptKey;
	CSSM_CSP_HANDLE	decryptCspHand;
	
    if (msg.length < 9) {
		sslErrorLog("SSL2ProcessClientMasterKey: msg.length error 1\n");
        return errSSLProtocol;
    }
    assert(ctx->protocolSide == SSL_ServerSide);
    
    charPtr = msg.data;
    cipherKind = (SSL2CipherKind)SSLDecodeInt(charPtr, 3);
    charPtr += 3;
    clearLength = SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    encryptedLength = SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    keyArgLength = SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    
    if (msg.length != 9 + clearLength + encryptedLength + keyArgLength) {
		sslErrorLog("SSL2ProcessClientMasterKey: msg.length error 2\n");
        return errSSLProtocol;
    }
    
	/* Master key == CLEAR_DATA || SECRET_DATA */
    memcpy(ctx->masterSecret, charPtr, clearLength);
    charPtr += clearLength;

	/* 
	 * Just as in SSL2EncodeServerHello, which key we use depends on the
	 * app's config.
	 */ 
	if(ctx->encryptPrivKey) {
		decryptKey = ctx->encryptPrivKey;
		assert(ctx->encryptKeyCsp != 0);
		decryptCspHand = ctx->encryptKeyCsp;
	}
	else if(ctx->signingPrivKey) {
		decryptKey = ctx->signingPrivKey;
		assert(ctx->signingKeyCsp != 0);
		decryptCspHand = ctx->signingKeyCsp;
	}
	else {
		/* really should not happen... */
		sslErrorLog("SSL2ProcessClientMasterKey: No server key!\n");
		return badReqErr;
	}
	localKeyModulusLen = sslKeyLengthInBytes(decryptKey);

    if (encryptedLength != localKeyModulusLen) {
		sslErrorLog("SSL2ProcessClientMasterKey: encryptedLength error 1\n");
        return errSSLProtocol;
	}
	
	/* Allocate enough room to hold any decrypted value */
    if ((err = SSLAllocBuffer(secretData, encryptedLength, ctx)) != 0)
        return err;
    
	err = sslRsaDecrypt(ctx,
		decryptKey,
		decryptCspHand,
		charPtr, 
		encryptedLength,
		secretData.data,
		encryptedLength,	// same length for both...? 
		&secretLength);
	if(err) {
		SSLFreeBuffer(secretData, ctx);
		return err;
	}
    
    charPtr += encryptedLength;
    
    if (clearLength + secretLength != ctx->selectedCipherSpec->cipher->keySize) {
    	sslErrorLog("SSL2ProcessClientMasterKey: length error 3\n");
        return errSSLProtocol;
    }
    memcpy(ctx->masterSecret + clearLength, secretData.data, secretLength);
    if ((err = SSLFreeBuffer(secretData, ctx)) != 0)
        return err;
    
    if (keyArgLength != ctx->selectedCipherSpec->cipher->ivSize) {
    	sslErrorLog("SSL2ProcessClientMasterKey: length error 4\n");
        return errSSLProtocol;
    }
    
	/* Stash the IV after the master key in master secret storage */
    memcpy(ctx->masterSecret + ctx->selectedCipherSpec->cipher->keySize, charPtr, keyArgLength);
    charPtr += keyArgLength;
    assert(charPtr = msg.data + msg.length);
    
    return noErr;
}

OSStatus
SSL2EncodeClientMasterKey(SSLBuffer &msg, SSLContext *ctx)
{   OSStatus            err;
    unsigned            length, i, clearLen;
    UInt32        		outputLen, peerKeyModulusLen;
    SSLBuffer           keyData;
    UInt8               *charPtr;
	
	peerKeyModulusLen = sslKeyLengthInBytes(ctx->peerPubKey);

	/* Length is 10 + clear key size + encrypted output size + iv size */
    length = 10;
    clearLen = ctx->selectedCipherSpec->cipher->keySize - ctx->selectedCipherSpec->cipher->secretKeySize;
    length += clearLen;
    length += peerKeyModulusLen;
    length += ctx->selectedCipherSpec->cipher->ivSize;
    
    if ((err = SSLAllocBuffer(msg, length, ctx)) != 0)
        return err;
    charPtr = msg.data;
    *charPtr++ = SSL2_MsgClientMasterKey;
    for (i = 0; i < SSL2CipherMapCount; i++)
        if (ctx->selectedCipher == SSL2CipherMap[i].cipherSuite)
            break;
    assert(i < SSL2CipherMapCount);
	sslLogNegotiateDebug("===SSL2EncodeClientMasterKey: sending cipherKind 0x%x", 
		SSL2CipherMap[i].cipherKind);
    charPtr = SSLEncodeInt(charPtr, SSL2CipherMap[i].cipherKind, 3);
    charPtr = SSLEncodeInt(charPtr, clearLen, 2);
    charPtr = SSLEncodeInt(charPtr, peerKeyModulusLen, 2);
    charPtr = SSLEncodeInt(charPtr, ctx->selectedCipherSpec->cipher->ivSize, 2);
    
    /* Generate the keying material; we need enough data for the key and IV */
    keyData.data = ctx->masterSecret;
    keyData.length = ctx->selectedCipherSpec->cipher->keySize + ctx->selectedCipherSpec->cipher->ivSize;
    assert(keyData.length <= 48);   /* Must be able to store it in the masterSecret array */
    if ((err = sslRand(ctx, &keyData)) != 0)
        return err;
    
    memcpy(charPtr, ctx->masterSecret, clearLen);
    charPtr += clearLen;
    
	/* Replace this with code to do encryption at lower level & set PKCS1 padding
    for rollback attack */

	/* 
	 * encrypt only the secret key portion of masterSecret, starting at
	 * clearLen bytes
	 */
	err = sslRsaEncrypt(ctx,
		ctx->peerPubKey,
		ctx->peerPubKeyCsp,		// XX - maybe cspHand
		ctx->masterSecret + clearLen,
		ctx->selectedCipherSpec->cipher->keySize - clearLen,
		charPtr, 
		peerKeyModulusLen,
		&outputLen);
	if(err) {
		return err;
	}

    charPtr += outputLen;
        
    /* copy clear IV to msg buf */
    memcpy(charPtr, ctx->masterSecret + ctx->selectedCipherSpec->cipher->keySize,
            ctx->selectedCipherSpec->cipher->ivSize);
    charPtr += ctx->selectedCipherSpec->cipher->ivSize;
    
    assert(charPtr == msg.data + msg.length);
    
    return noErr;
}

OSStatus
SSL2ProcessClientFinished(SSLBuffer msg, SSLContext *ctx)
{   if (msg.length != ctx->sessionID.length) {
    	sslErrorLog("SSL2ProcessClientFinished: length error\n");
        return errSSLProtocol;
    }
    if (memcmp(msg.data, ctx->serverRandom, ctx->ssl2ConnectionIDLength) != 0) {
    	sslErrorLog("SSL2ProcessClientFinished: data compare error\n");
        return errSSLProtocol;
	}    
    return noErr;
}

OSStatus
SSL2EncodeClientFinished(SSLBuffer &msg, SSLContext *ctx)
{   OSStatus      err;
    
    if ((err = SSLAllocBuffer(msg, ctx->ssl2ConnectionIDLength+1, ctx)) != 0)
        return err;
    msg.data[0] = SSL2_MsgClientFinished;
    memcpy(msg.data+1, ctx->serverRandom, ctx->ssl2ConnectionIDLength);
    return noErr;
}

OSStatus
SSL2ProcessServerHello(SSLBuffer msg, SSLContext *ctx)
{   OSStatus            err;
    SSL2CertTypeCode    certType;
    unsigned            sessionIDMatch, certLen, cipherSpecsLen, connectionIDLen;
    unsigned            i, j;
    SSL2CipherKind      cipherKind;
    SSLCertificate      *cert;
    SSLCipherSuite      matchingCipher = 0;		// avoid compiler warning
    SSLCipherSuite      selectedCipher;
    UInt8               *charPtr;
    SSLProtocolVersion  version;
    
    if (msg.length < 10) {
    	sslErrorLog("SSL2ProcessServerHello: length error\n");
        return errSSLProtocol;
    }
    charPtr = msg.data;
    
    sessionIDMatch = *charPtr++;
    certType = (SSL2CertTypeCode)*charPtr++;
    version = (SSLProtocolVersion)SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    if (version != SSL_Version_2_0) {
    	sslErrorLog("SSL2ProcessServerHello: version error\n");
        return errSSLProtocol;
    }
    ctx->negProtocolVersion = version;
    sslLogNegotiateDebug("===SSL2 client: negVersion is 2_0");
    certLen = SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    cipherSpecsLen = SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    connectionIDLen = SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    
    if (connectionIDLen < 16 || connectionIDLen > 32 || cipherSpecsLen % 3 != 0 ||
        (msg.length != 10 + certLen + cipherSpecsLen + connectionIDLen) )
        return errSSLProtocol;
    if (sessionIDMatch != 0)
    {   if (certLen != 0 || cipherSpecsLen != 0 /* || certType != 0 */ )
            return errSSLProtocol;
        ctx->ssl2SessionMatch = 1;
        
        ctx->ssl2ConnectionIDLength = connectionIDLen;
        memcpy(ctx->serverRandom, charPtr, connectionIDLen);
        charPtr += connectionIDLen;
    }
    else
    {   if (certType != SSL2_CertTypeX509)
            return errSSLNegotiation;
        cipherSpecsLen /= 3;
        
 		cert = (SSLCertificate *)sslMalloc(sizeof(SSLCertificate));
		if(cert == NULL) {
			return memFullErr;
		}
        cert->next = 0;
        if ((err = SSLAllocBuffer(cert->derCert, certLen, ctx)) != 0)
        {   
			sslFree(cert);
            return err;
        }
        memcpy(cert->derCert.data, charPtr, certLen);
        charPtr += certLen;
        ctx->peerCert = cert;
    	if((err = sslVerifyCertChain(ctx, *ctx->peerCert)) != 0) {
    		return err;
    	}
        if((err = sslPubKeyFromCert(ctx, 
        	cert->derCert, 
        	&ctx->peerPubKey,
        	&ctx->peerPubKeyCsp)) != 0)
            return err;
        
        selectedCipher = SSL_NO_SUCH_CIPHERSUITE;
        for (i = 0; i < cipherSpecsLen; i++)
        {   cipherKind = (SSL2CipherKind)SSLDecodeInt(charPtr, 3);
            charPtr += 3;
            if (selectedCipher == SSL_NO_SUCH_CIPHERSUITE)  /* After we find one, just keep advancing charPtr past the unused ones */
            {   for (j = 0; j < SSL2CipherMapCount; j++)
                    if (cipherKind == SSL2CipherMap[j].cipherKind)
                    {   matchingCipher = SSL2CipherMap[j].cipherSuite;
                        break;
                    }
                for (j = 0; j < ctx->numValidCipherSpecs; j++)   
                    if (ctx->validCipherSpecs[j].cipherSpec == matchingCipher)
                    {   selectedCipher = matchingCipher;
                        break;
                    }
            }
        }
        if (selectedCipher == SSL_NO_SUCH_CIPHERSUITE)
            return errSSLNegotiation;
		sslLogNegotiateDebug("===SSL2 client: selectedCipher 0x%x", 
			(unsigned)selectedCipher);
        
        ctx->selectedCipher = selectedCipher;
        if ((err = FindCipherSpec(ctx)) != 0) {
            return err;
        }
        ctx->ssl2ConnectionIDLength = connectionIDLen;
        memcpy(ctx->serverRandom, charPtr, connectionIDLen);
        charPtr += connectionIDLen;
    }
    
    assert(charPtr == msg.data + msg.length);
    
    return noErr;
}

OSStatus
SSL2EncodeServerHello(SSLBuffer &msg, SSLContext *ctx)
{   OSStatus            err;
    SSLCertificate      *cert;
    SSLBuffer           randomData;
    UInt8               *charPtr;
    unsigned            i;
    
    /* Create the connection ID */
    ctx->ssl2ConnectionIDLength = SSL2_CONNECTION_ID_LENGTH;
    randomData.data = ctx->serverRandom;
    randomData.length = ctx->ssl2ConnectionIDLength;
    if ((err = sslRand(ctx, &randomData)) != 0)
        return err;
        
    if (ctx->ssl2SessionMatch != 0)
    {   if ((err = SSLAllocBuffer(msg, 11 + ctx->sessionID.length, ctx)) != 0)
            return err;
        charPtr = msg.data;
        *charPtr++ = SSL2_MsgServerHello;
        *charPtr++ = ctx->ssl2SessionMatch;
        *charPtr++ = 0;    /* cert type */
        charPtr = SSLEncodeInt(charPtr, ctx->negProtocolVersion, 2);
        charPtr = SSLEncodeInt(charPtr, 0, 2);    /* cert len */
        charPtr = SSLEncodeInt(charPtr, 0, 2);    /* cipherspecs len */
        charPtr = SSLEncodeInt(charPtr, ctx->ssl2ConnectionIDLength, 2);
        memcpy(charPtr, ctx->serverRandom, ctx->ssl2ConnectionIDLength);
        charPtr += ctx->ssl2ConnectionIDLength;
    }
    else
    {   /* First, find the last cert in the chain; it's the one we'll send */
    
    	/*
    	 * Use encryptCert if we have it, but allow for the case of app 
		 * specifying one cert which can encrypt and sign.
    	 */
    	if(ctx->encryptCert != NULL) {
			cert = ctx->encryptCert;
		}
		else if(ctx->localCert != NULL) {
			cert = ctx->localCert;
		}
		else {
			/* really should not happen... */
    		sslErrorLog("SSL2EncodeServerHello: No server cert!\n");
    		return badReqErr;
    	}
        
        while (cert->next != 0)
            cert = cert->next;
        
        if ((err = SSLAllocBuffer(msg, 11 + cert->derCert.length + 3 + ctx->sessionID.length, ctx)) != 0)
            return err;
        charPtr = msg.data;
        *charPtr++ = SSL2_MsgServerHello;
        *charPtr++ = ctx->ssl2SessionMatch;
        *charPtr++ = SSL2_CertTypeX509; /* cert type */

		/* FIXME - this ifndef should not be necessary */
		#ifndef	NDEBUG
		sslLogNegotiateDebug("===SSL2 server: sending vers info %s", 
			protocolVersStr((SSLProtocolVersion)ctx->negProtocolVersion));
		#endif
		
        charPtr = SSLEncodeInt(charPtr, ctx->negProtocolVersion, 2);
        charPtr = SSLEncodeInt(charPtr, cert->derCert.length, 2);
        charPtr = SSLEncodeInt(charPtr, 3, 2);    /* cipherspecs len */
        charPtr = SSLEncodeInt(charPtr, ctx->ssl2ConnectionIDLength, 2);
        memcpy(charPtr, cert->derCert.data, cert->derCert.length);
        charPtr += cert->derCert.length;
        for (i = 0; i < SSL2CipherMapCount; i++)
            if (ctx->selectedCipher == SSL2CipherMap[i].cipherSuite)
                break;
        assert(i < SSL2CipherMapCount);
        charPtr = SSLEncodeInt(charPtr, SSL2CipherMap[i].cipherKind, 3);
    	sslLogNegotiateDebug("ssl2: server specifying cipherKind 0x%lx", 
     		(UInt32)SSL2CipherMap[i].cipherKind);
        memcpy(charPtr, ctx->serverRandom, ctx->ssl2ConnectionIDLength);
        charPtr += ctx->ssl2ConnectionIDLength;
    }
    
    assert(charPtr == msg.data + msg.length);
    return noErr;
}

OSStatus
SSL2ProcessServerVerify(SSLBuffer msg, SSLContext *ctx)
{   if (msg.length != ctx->ssl2ChallengeLength)
        return errSSLProtocol;
    
    if (memcmp(msg.data, ctx->clientRandom + SSL_CLIENT_SRVR_RAND_SIZE - 
			ctx->ssl2ChallengeLength, ctx->ssl2ChallengeLength) != 0)
        return errSSLProtocol;
    
    return noErr;
}

OSStatus
SSL2EncodeServerVerify(SSLBuffer &msg, SSLContext *ctx)
{   OSStatus      err;
    
    if ((err = SSLAllocBuffer(msg, 1 + ctx->ssl2ChallengeLength, ctx)) != 0)
        return err;
    
    msg.data[0] = SSL2_MsgServerVerify;
    memcpy(msg.data+1, ctx->clientRandom + SSL_CLIENT_SRVR_RAND_SIZE - 
			ctx->ssl2ChallengeLength, ctx->ssl2ChallengeLength);
    
    return noErr;
}

OSStatus
SSL2ProcessServerFinished(SSLBuffer msg, SSLContext *ctx)
{   OSStatus      err;
    
    if ((err = SSLAllocBuffer(ctx->sessionID, msg.length, ctx)) != 0)
        return err;
    memcpy(ctx->sessionID.data, msg.data, msg.length);
    return noErr;
}

OSStatus
SSL2EncodeServerFinished(SSLBuffer &msg, SSLContext *ctx)
{   OSStatus      err;
    
    if ((err = SSLAllocBuffer(msg, 1 + ctx->sessionID.length, ctx)) != 0)
        return err;
    
    msg.data[0] = SSL2_MsgServerFinished;
    memcpy(msg.data+1, ctx->sessionID.data, ctx->sessionID.length);
    
    return noErr;
}