155714Skris/* ssl/s23_clnt.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8280304Sjkim * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15280304Sjkim * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22280304Sjkim * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37280304Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40280304Sjkim * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52280304Sjkim * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 58238405Sjkim/* ==================================================================== 59238405Sjkim * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60238405Sjkim * 61238405Sjkim * Redistribution and use in source and binary forms, with or without 62238405Sjkim * modification, are permitted provided that the following conditions 63238405Sjkim * are met: 64238405Sjkim * 65238405Sjkim * 1. Redistributions of source code must retain the above copyright 66280304Sjkim * notice, this list of conditions and the following disclaimer. 67238405Sjkim * 68238405Sjkim * 2. Redistributions in binary form must reproduce the above copyright 69238405Sjkim * notice, this list of conditions and the following disclaimer in 70238405Sjkim * the documentation and/or other materials provided with the 71238405Sjkim * distribution. 72238405Sjkim * 73238405Sjkim * 3. All advertising materials mentioning features or use of this 74238405Sjkim * software must display the following acknowledgment: 75238405Sjkim * "This product includes software developed by the OpenSSL Project 76238405Sjkim * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77238405Sjkim * 78238405Sjkim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79238405Sjkim * endorse or promote products derived from this software without 80238405Sjkim * prior written permission. For written permission, please contact 81238405Sjkim * openssl-core@openssl.org. 82238405Sjkim * 83238405Sjkim * 5. Products derived from this software may not be called "OpenSSL" 84238405Sjkim * nor may "OpenSSL" appear in their names without prior written 85238405Sjkim * permission of the OpenSSL Project. 86238405Sjkim * 87238405Sjkim * 6. Redistributions of any form whatsoever must retain the following 88238405Sjkim * acknowledgment: 89238405Sjkim * "This product includes software developed by the OpenSSL Project 90238405Sjkim * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91238405Sjkim * 92238405Sjkim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93238405Sjkim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94238405Sjkim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95238405Sjkim * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96238405Sjkim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97238405Sjkim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98238405Sjkim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99238405Sjkim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100238405Sjkim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101238405Sjkim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102238405Sjkim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103238405Sjkim * OF THE POSSIBILITY OF SUCH DAMAGE. 104238405Sjkim * ==================================================================== 105238405Sjkim * 106238405Sjkim * This product includes cryptographic software written by Eric Young 107238405Sjkim * (eay@cryptsoft.com). This product includes software written by Tim 108238405Sjkim * Hudson (tjh@cryptsoft.com). 109238405Sjkim * 110238405Sjkim */ 11155714Skris 11255714Skris#include <stdio.h> 113110007Smarkm#include "ssl_locl.h" 11455714Skris#include <openssl/buffer.h> 11555714Skris#include <openssl/rand.h> 11655714Skris#include <openssl/objects.h> 11755714Skris#include <openssl/evp.h> 11855714Skris 119238405Sjkimstatic const SSL_METHOD *ssl23_get_client_method(int ver); 12055714Skrisstatic int ssl23_client_hello(SSL *s); 12155714Skrisstatic int ssl23_get_server_hello(SSL *s); 122238405Sjkimstatic const SSL_METHOD *ssl23_get_client_method(int ver) 123280304Sjkim{ 124110007Smarkm#ifndef OPENSSL_NO_SSL2 125280304Sjkim if (ver == SSL2_VERSION) 126280304Sjkim return (SSLv2_client_method()); 12755949Skris#endif 128273149Sjkim#ifndef OPENSSL_NO_SSL3 129280304Sjkim if (ver == SSL3_VERSION) 130280304Sjkim return (SSLv3_client_method()); 131273149Sjkim#endif 132280304Sjkim if (ver == TLS1_VERSION) 133280304Sjkim return (TLSv1_client_method()); 134280304Sjkim else if (ver == TLS1_1_VERSION) 135280304Sjkim return (TLSv1_1_client_method()); 136280304Sjkim else if (ver == TLS1_2_VERSION) 137280304Sjkim return (TLSv1_2_client_method()); 138280304Sjkim else 139280304Sjkim return (NULL); 140280304Sjkim} 14155714Skris 142160817SsimonIMPLEMENT_ssl23_meth_func(SSLv23_client_method, 143280304Sjkim ssl_undefined_function, 144280304Sjkim ssl23_connect, ssl23_get_client_method) 14555714Skris 14655714Skrisint ssl23_connect(SSL *s) 147280304Sjkim{ 148280304Sjkim BUF_MEM *buf = NULL; 149280304Sjkim unsigned long Time = (unsigned long)time(NULL); 150280304Sjkim void (*cb) (const SSL *ssl, int type, int val) = NULL; 151280304Sjkim int ret = -1; 152280304Sjkim int new_state, state; 15355714Skris 154280304Sjkim RAND_add(&Time, sizeof(Time), 0); 155280304Sjkim ERR_clear_error(); 156280304Sjkim clear_sys_error(); 15755714Skris 158280304Sjkim if (s->info_callback != NULL) 159280304Sjkim cb = s->info_callback; 160280304Sjkim else if (s->ctx->info_callback != NULL) 161280304Sjkim cb = s->ctx->info_callback; 16255714Skris 163280304Sjkim s->in_handshake++; 164280304Sjkim if (!SSL_in_init(s) || SSL_in_before(s)) 165280304Sjkim SSL_clear(s); 16655714Skris 167280304Sjkim for (;;) { 168280304Sjkim state = s->state; 16955714Skris 170280304Sjkim switch (s->state) { 171280304Sjkim case SSL_ST_BEFORE: 172280304Sjkim case SSL_ST_CONNECT: 173280304Sjkim case SSL_ST_BEFORE | SSL_ST_CONNECT: 174280304Sjkim case SSL_ST_OK | SSL_ST_CONNECT: 17555714Skris 176280304Sjkim if (s->session != NULL) { 177280304Sjkim SSLerr(SSL_F_SSL23_CONNECT, 178280304Sjkim SSL_R_SSL23_DOING_SESSION_ID_REUSE); 179280304Sjkim ret = -1; 180280304Sjkim goto end; 181280304Sjkim } 182280304Sjkim s->server = 0; 183280304Sjkim if (cb != NULL) 184280304Sjkim cb(s, SSL_CB_HANDSHAKE_START, 1); 18555714Skris 186280304Sjkim /* s->version=TLS1_VERSION; */ 187280304Sjkim s->type = SSL_ST_CONNECT; 18855714Skris 189280304Sjkim if (s->init_buf == NULL) { 190280304Sjkim if ((buf = BUF_MEM_new()) == NULL) { 191280304Sjkim ret = -1; 192280304Sjkim goto end; 193280304Sjkim } 194280304Sjkim if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 195280304Sjkim ret = -1; 196280304Sjkim goto end; 197280304Sjkim } 198280304Sjkim s->init_buf = buf; 199280304Sjkim buf = NULL; 200280304Sjkim } 20155714Skris 202280304Sjkim if (!ssl3_setup_buffers(s)) { 203280304Sjkim ret = -1; 204280304Sjkim goto end; 205280304Sjkim } 20655714Skris 207280304Sjkim ssl3_init_finished_mac(s); 20855714Skris 209280304Sjkim s->state = SSL23_ST_CW_CLNT_HELLO_A; 210280304Sjkim s->ctx->stats.sess_connect++; 211280304Sjkim s->init_num = 0; 212280304Sjkim break; 21355714Skris 214280304Sjkim case SSL23_ST_CW_CLNT_HELLO_A: 215280304Sjkim case SSL23_ST_CW_CLNT_HELLO_B: 21655714Skris 217280304Sjkim s->shutdown = 0; 218280304Sjkim ret = ssl23_client_hello(s); 219280304Sjkim if (ret <= 0) 220280304Sjkim goto end; 221280304Sjkim s->state = SSL23_ST_CR_SRVR_HELLO_A; 222280304Sjkim s->init_num = 0; 22355714Skris 224280304Sjkim break; 22555714Skris 226280304Sjkim case SSL23_ST_CR_SRVR_HELLO_A: 227280304Sjkim case SSL23_ST_CR_SRVR_HELLO_B: 228280304Sjkim ret = ssl23_get_server_hello(s); 229280304Sjkim if (ret >= 0) 230280304Sjkim cb = NULL; 231280304Sjkim goto end; 232280304Sjkim /* break; */ 23355714Skris 234280304Sjkim default: 235280304Sjkim SSLerr(SSL_F_SSL23_CONNECT, SSL_R_UNKNOWN_STATE); 236280304Sjkim ret = -1; 237280304Sjkim goto end; 238280304Sjkim /* break; */ 239280304Sjkim } 24055714Skris 241280304Sjkim if (s->debug) { 242280304Sjkim (void)BIO_flush(s->wbio); 243280304Sjkim } 24455714Skris 245280304Sjkim if ((cb != NULL) && (s->state != state)) { 246280304Sjkim new_state = s->state; 247280304Sjkim s->state = state; 248280304Sjkim cb(s, SSL_CB_CONNECT_LOOP, 1); 249280304Sjkim s->state = new_state; 250280304Sjkim } 251280304Sjkim } 252280304Sjkim end: 253280304Sjkim s->in_handshake--; 254280304Sjkim if (buf != NULL) 255280304Sjkim BUF_MEM_free(buf); 256280304Sjkim if (cb != NULL) 257280304Sjkim cb(s, SSL_CB_CONNECT_EXIT, ret); 258280304Sjkim return (ret); 259280304Sjkim} 260280304Sjkim 261238405Sjkimstatic int ssl23_no_ssl2_ciphers(SSL *s) 262280304Sjkim{ 263280304Sjkim SSL_CIPHER *cipher; 264280304Sjkim STACK_OF(SSL_CIPHER) *ciphers; 265280304Sjkim int i; 266280304Sjkim ciphers = SSL_get_ciphers(s); 267280304Sjkim for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 268280304Sjkim cipher = sk_SSL_CIPHER_value(ciphers, i); 269280304Sjkim if (cipher->algorithm_ssl == SSL_SSLV2) 270280304Sjkim return 0; 271280304Sjkim } 272280304Sjkim return 1; 273280304Sjkim} 27455714Skris 275280304Sjkim/* 276280304Sjkim * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on 277280304Sjkim * failure, 1 on success. 278280304Sjkim */ 279264331Sjkimint ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) 280280304Sjkim{ 281280304Sjkim int send_time = 0; 282264331Sjkim 283280304Sjkim if (len < 4) 284280304Sjkim return 0; 285280304Sjkim if (server) 286280304Sjkim send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0; 287280304Sjkim else 288280304Sjkim send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0; 289280304Sjkim if (send_time) { 290280304Sjkim unsigned long Time = (unsigned long)time(NULL); 291280304Sjkim unsigned char *p = result; 292280304Sjkim l2n(Time, p); 293306196Sjkim return RAND_bytes(p, len - 4); 294280304Sjkim } else 295306196Sjkim return RAND_bytes(result, len); 296280304Sjkim} 297264331Sjkim 29855714Skrisstatic int ssl23_client_hello(SSL *s) 299280304Sjkim{ 300280304Sjkim unsigned char *buf; 301280304Sjkim unsigned char *p, *d; 302280304Sjkim int i, ch_len; 303280304Sjkim unsigned long l; 304280304Sjkim int ssl2_compat; 305280304Sjkim int version = 0, version_major, version_minor; 306205128Ssimon#ifndef OPENSSL_NO_COMP 307280304Sjkim int j; 308280304Sjkim SSL_COMP *comp; 309205128Ssimon#endif 310280304Sjkim int ret; 311280304Sjkim unsigned long mask, options = s->options; 31255714Skris 313280304Sjkim ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1; 314160817Ssimon 315280304Sjkim if (ssl2_compat && ssl23_no_ssl2_ciphers(s)) 316280304Sjkim ssl2_compat = 0; 317238405Sjkim 318280304Sjkim /* 319280304Sjkim * SSL_OP_NO_X disables all protocols above X *if* there are 320280304Sjkim * some protocols below X enabled. This is required in order 321280304Sjkim * to maintain "version capability" vector contiguous. So 322280304Sjkim * that if application wants to disable TLS1.0 in favour of 323280304Sjkim * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the 324280304Sjkim * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. 325280304Sjkim */ 326280304Sjkim mask = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1 327238405Sjkim#if !defined(OPENSSL_NO_SSL3) 328280304Sjkim | SSL_OP_NO_SSLv3 329238405Sjkim#endif 330238405Sjkim#if !defined(OPENSSL_NO_SSL2) 331280304Sjkim | (ssl2_compat ? SSL_OP_NO_SSLv2 : 0) 332238405Sjkim#endif 333280304Sjkim ; 334238405Sjkim#if !defined(OPENSSL_NO_TLS1_2_CLIENT) 335280304Sjkim version = TLS1_2_VERSION; 336238405Sjkim 337280304Sjkim if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask) 338280304Sjkim version = TLS1_1_VERSION; 339238405Sjkim#else 340280304Sjkim version = TLS1_1_VERSION; 341238405Sjkim#endif 342280304Sjkim mask &= ~SSL_OP_NO_TLSv1_1; 343280304Sjkim if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask) 344280304Sjkim version = TLS1_VERSION; 345280304Sjkim mask &= ~SSL_OP_NO_TLSv1; 346238405Sjkim#if !defined(OPENSSL_NO_SSL3) 347280304Sjkim if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask) 348280304Sjkim version = SSL3_VERSION; 349280304Sjkim mask &= ~SSL_OP_NO_SSLv3; 350238405Sjkim#endif 351238405Sjkim#if !defined(OPENSSL_NO_SSL2) 352280304Sjkim if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask) 353280304Sjkim version = SSL2_VERSION; 354238405Sjkim#endif 355238405Sjkim 356238405Sjkim#ifndef OPENSSL_NO_TLSEXT 357280304Sjkim if (version != SSL2_VERSION) { 358280304Sjkim /* 359280304Sjkim * have to disable SSL 2.0 compatibility if we need TLS extensions 360280304Sjkim */ 361160817Ssimon 362280304Sjkim if (s->tlsext_hostname != NULL) 363280304Sjkim ssl2_compat = 0; 364280304Sjkim if (s->tlsext_status_type != -1) 365280304Sjkim ssl2_compat = 0; 366280304Sjkim# ifdef TLSEXT_TYPE_opaque_prf_input 367280304Sjkim if (s->ctx->tlsext_opaque_prf_input_callback != 0 368280304Sjkim || s->tlsext_opaque_prf_input != NULL) 369280304Sjkim ssl2_compat = 0; 370280304Sjkim# endif 371280304Sjkim } 372238405Sjkim#endif 373194206Ssimon 374280304Sjkim buf = (unsigned char *)s->init_buf->data; 375280304Sjkim if (s->state == SSL23_ST_CW_CLNT_HELLO_A) { 376291721Sjkim /* 377291721Sjkim * Since we're sending s23 client hello, we're not reusing a session, as 378291721Sjkim * we'd be using the method from the saved session instead 379291721Sjkim */ 380280304Sjkim if (!ssl_get_new_session(s, 0)) { 381291721Sjkim return -1; 382280304Sjkim } 38355714Skris 384280304Sjkim p = s->s3->client_random; 385280304Sjkim if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) 386280304Sjkim return -1; 38755714Skris 388280304Sjkim if (version == TLS1_2_VERSION) { 389280304Sjkim version_major = TLS1_2_VERSION_MAJOR; 390280304Sjkim version_minor = TLS1_2_VERSION_MINOR; 391280304Sjkim } else if (version == TLS1_1_VERSION) { 392280304Sjkim version_major = TLS1_1_VERSION_MAJOR; 393280304Sjkim version_minor = TLS1_1_VERSION_MINOR; 394280304Sjkim } else if (version == TLS1_VERSION) { 395280304Sjkim version_major = TLS1_VERSION_MAJOR; 396280304Sjkim version_minor = TLS1_VERSION_MINOR; 397280304Sjkim } 398194206Ssimon#ifdef OPENSSL_FIPS 399280304Sjkim else if (FIPS_mode()) { 400280304Sjkim SSLerr(SSL_F_SSL23_CLIENT_HELLO, 401280304Sjkim SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); 402280304Sjkim return -1; 403280304Sjkim } 404194206Ssimon#endif 405280304Sjkim else if (version == SSL3_VERSION) { 406280304Sjkim version_major = SSL3_VERSION_MAJOR; 407280304Sjkim version_minor = SSL3_VERSION_MINOR; 408280304Sjkim } else if (version == SSL2_VERSION) { 409280304Sjkim version_major = SSL2_VERSION_MAJOR; 410280304Sjkim version_minor = SSL2_VERSION_MINOR; 411280304Sjkim } else { 412280304Sjkim SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE); 413280304Sjkim return (-1); 414280304Sjkim } 41555714Skris 416280304Sjkim s->client_version = version; 417160817Ssimon 418280304Sjkim if (ssl2_compat) { 419280304Sjkim /* create SSL 2.0 compatible Client Hello */ 42055714Skris 421280304Sjkim /* two byte record header will be written last */ 422280304Sjkim d = &(buf[2]); 423280304Sjkim p = d + 9; /* leave space for message type, version, 424280304Sjkim * individual length fields */ 425160817Ssimon 426280304Sjkim *(d++) = SSL2_MT_CLIENT_HELLO; 427280304Sjkim *(d++) = version_major; 428280304Sjkim *(d++) = version_minor; 429280304Sjkim 430280304Sjkim /* Ciphers supported */ 431280304Sjkim i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), p, 0); 432280304Sjkim if (i == 0) { 433280304Sjkim /* no ciphers */ 434280304Sjkim SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE); 435280304Sjkim return -1; 436280304Sjkim } 437280304Sjkim s2n(i, d); 438280304Sjkim p += i; 439280304Sjkim 440280304Sjkim /* 441280304Sjkim * put in the session-id length (zero since there is no reuse) 442280304Sjkim */ 443280304Sjkim s2n(0, d); 44455714Skris 445280304Sjkim if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG) 446280304Sjkim ch_len = SSL2_CHALLENGE_LENGTH; 447280304Sjkim else 448280304Sjkim ch_len = SSL2_MAX_CHALLENGE_LENGTH; 44955714Skris 450280304Sjkim /* write out sslv2 challenge */ 451280304Sjkim /* 452280304Sjkim * Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because it 453280304Sjkim * is one of SSL2_MAX_CHALLENGE_LENGTH (32) or 454280304Sjkim * SSL2_MAX_CHALLENGE_LENGTH (16), but leave the check in for 455280304Sjkim * futurproofing 456280304Sjkim */ 457280304Sjkim if (SSL3_RANDOM_SIZE < ch_len) 458280304Sjkim i = SSL3_RANDOM_SIZE; 459280304Sjkim else 460280304Sjkim i = ch_len; 461280304Sjkim s2n(i, d); 462280304Sjkim memset(&(s->s3->client_random[0]), 0, SSL3_RANDOM_SIZE); 463306196Sjkim if (RAND_bytes (&(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i) 464306196Sjkim <= 0) 465280304Sjkim return -1; 466160817Ssimon 467280304Sjkim memcpy(p, &(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i); 468280304Sjkim p += i; 469160817Ssimon 470280304Sjkim i = p - &(buf[2]); 471280304Sjkim buf[0] = ((i >> 8) & 0xff) | 0x80; 472280304Sjkim buf[1] = (i & 0xff); 473160817Ssimon 474280304Sjkim /* number of bytes to write */ 475280304Sjkim s->init_num = i + 2; 476280304Sjkim s->init_off = 0; 477160817Ssimon 478280304Sjkim ssl3_finish_mac(s, &(buf[2]), i); 479280304Sjkim } else { 480280304Sjkim /* create Client Hello in SSL 3.0/TLS 1.0 format */ 481142428Snectar 482280304Sjkim /* 483280304Sjkim * do the record header (5 bytes) and handshake message header (4 484280304Sjkim * bytes) last 485280304Sjkim */ 486280304Sjkim d = p = &(buf[9]); 48755714Skris 488280304Sjkim *(p++) = version_major; 489280304Sjkim *(p++) = version_minor; 49055714Skris 491280304Sjkim /* Random stuff */ 492280304Sjkim memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); 493280304Sjkim p += SSL3_RANDOM_SIZE; 494160817Ssimon 495280304Sjkim /* Session ID (zero since there is no reuse) */ 496280304Sjkim *(p++) = 0; 497280304Sjkim 498280304Sjkim /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */ 499280304Sjkim i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 500280304Sjkim ssl3_put_cipher_by_char); 501280304Sjkim if (i == 0) { 502280304Sjkim SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE); 503280304Sjkim return -1; 504280304Sjkim } 505238405Sjkim#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 506280304Sjkim /* 507280304Sjkim * Some servers hang if client hello > 256 bytes as hack 508280304Sjkim * workaround chop number of supported ciphers to keep it well 509280304Sjkim * below this if we use TLS v1.2 510280304Sjkim */ 511280304Sjkim if (TLS1_get_version(s) >= TLS1_2_VERSION 512280304Sjkim && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) 513280304Sjkim i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 514238405Sjkim#endif 515280304Sjkim s2n(i, p); 516280304Sjkim p += i; 517238405Sjkim 518280304Sjkim /* COMPRESSION */ 519215697Ssimon#ifdef OPENSSL_NO_COMP 520280304Sjkim *(p++) = 1; 521215697Ssimon#else 522280304Sjkim if ((s->options & SSL_OP_NO_COMPRESSION) 523280304Sjkim || !s->ctx->comp_methods) 524280304Sjkim j = 0; 525280304Sjkim else 526280304Sjkim j = sk_SSL_COMP_num(s->ctx->comp_methods); 527280304Sjkim *(p++) = 1 + j; 528280304Sjkim for (i = 0; i < j; i++) { 529280304Sjkim comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); 530280304Sjkim *(p++) = comp->id; 531280304Sjkim } 532215697Ssimon#endif 533280304Sjkim *(p++) = 0; /* Add the NULL method */ 534238405Sjkim 535194206Ssimon#ifndef OPENSSL_NO_TLSEXT 536280304Sjkim /* TLS extensions */ 537280304Sjkim if (ssl_prepare_clienthello_tlsext(s) <= 0) { 538280304Sjkim SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 539280304Sjkim return -1; 540280304Sjkim } 541280304Sjkim if ((p = 542280304Sjkim ssl_add_clienthello_tlsext(s, p, 543280304Sjkim buf + 544280304Sjkim SSL3_RT_MAX_PLAIN_LENGTH)) == 545280304Sjkim NULL) { 546280304Sjkim SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 547280304Sjkim return -1; 548280304Sjkim } 549194206Ssimon#endif 550160817Ssimon 551280304Sjkim l = p - d; 552160817Ssimon 553280304Sjkim /* fill in 4-byte handshake header */ 554280304Sjkim d = &(buf[5]); 555280304Sjkim *(d++) = SSL3_MT_CLIENT_HELLO; 556280304Sjkim l2n3(l, d); 557160817Ssimon 558280304Sjkim l += 4; 559160817Ssimon 560280304Sjkim if (l > SSL3_RT_MAX_PLAIN_LENGTH) { 561280304Sjkim SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 562280304Sjkim return -1; 563280304Sjkim } 564160817Ssimon 565280304Sjkim /* fill in 5-byte record header */ 566280304Sjkim d = buf; 567280304Sjkim *(d++) = SSL3_RT_HANDSHAKE; 568280304Sjkim *(d++) = version_major; 569280304Sjkim /* 570280304Sjkim * Some servers hang if we use long client hellos and a record 571280304Sjkim * number > TLS 1.0. 572280304Sjkim */ 573280304Sjkim if (TLS1_get_client_version(s) > TLS1_VERSION) 574280304Sjkim *(d++) = 1; 575280304Sjkim else 576280304Sjkim *(d++) = version_minor; 577280304Sjkim s2n((int)l, d); 578160817Ssimon 579280304Sjkim /* number of bytes to write */ 580280304Sjkim s->init_num = p - buf; 581280304Sjkim s->init_off = 0; 58255714Skris 583280304Sjkim ssl3_finish_mac(s, &(buf[5]), s->init_num - 5); 584280304Sjkim } 585160817Ssimon 586280304Sjkim s->state = SSL23_ST_CW_CLNT_HELLO_B; 587280304Sjkim s->init_off = 0; 588280304Sjkim } 589160817Ssimon 590280304Sjkim /* SSL3_ST_CW_CLNT_HELLO_B */ 591280304Sjkim ret = ssl23_write_bytes(s); 592160817Ssimon 593280304Sjkim if ((ret >= 2) && s->msg_callback) { 594280304Sjkim /* Client Hello has been sent; tell msg_callback */ 59555714Skris 596280304Sjkim if (ssl2_compat) 597280304Sjkim s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data + 2, 598280304Sjkim ret - 2, s, s->msg_callback_arg); 599280304Sjkim else 600280304Sjkim s->msg_callback(1, version, SSL3_RT_HANDSHAKE, 601280304Sjkim s->init_buf->data + 5, ret - 5, s, 602280304Sjkim s->msg_callback_arg); 603280304Sjkim } 604280304Sjkim 605280304Sjkim return ret; 606280304Sjkim} 607280304Sjkim 60855714Skrisstatic int ssl23_get_server_hello(SSL *s) 609280304Sjkim{ 610280304Sjkim char buf[8]; 611280304Sjkim unsigned char *p; 612280304Sjkim int i; 613280304Sjkim int n; 61455714Skris 615280304Sjkim n = ssl23_read_bytes(s, 7); 61655714Skris 617280304Sjkim if (n != 7) 618280304Sjkim return (n); 619280304Sjkim p = s->packet; 62055714Skris 621280304Sjkim memcpy(buf, p, n); 62255714Skris 623280304Sjkim if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) && 624280304Sjkim (p[5] == 0x00) && (p[6] == 0x02)) { 625110007Smarkm#ifdef OPENSSL_NO_SSL2 626280304Sjkim SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); 627280304Sjkim goto err; 62855949Skris#else 629280304Sjkim /* we are talking sslv2 */ 630280304Sjkim /* 631280304Sjkim * we need to clean up the SSLv3 setup and put in the sslv2 stuff. 632280304Sjkim */ 633280304Sjkim int ch_len; 63455714Skris 635280304Sjkim if (s->options & SSL_OP_NO_SSLv2) { 636280304Sjkim SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); 637280304Sjkim goto err; 638280304Sjkim } 639280304Sjkim if (s->s2 == NULL) { 640280304Sjkim if (!ssl2_new(s)) 641280304Sjkim goto err; 642280304Sjkim } else 643280304Sjkim ssl2_clear(s); 64455714Skris 645280304Sjkim if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG) 646280304Sjkim ch_len = SSL2_CHALLENGE_LENGTH; 647280304Sjkim else 648280304Sjkim ch_len = SSL2_MAX_CHALLENGE_LENGTH; 64955714Skris 650280304Sjkim /* write out sslv2 challenge */ 651280304Sjkim /* 652280304Sjkim * Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because it is 653280304Sjkim * one of SSL2_MAX_CHALLENGE_LENGTH (32) or SSL2_MAX_CHALLENGE_LENGTH 654280304Sjkim * (16), but leave the check in for futurproofing 655280304Sjkim */ 656280304Sjkim i = (SSL3_RANDOM_SIZE < ch_len) 657280304Sjkim ? SSL3_RANDOM_SIZE : ch_len; 658280304Sjkim s->s2->challenge_length = i; 659280304Sjkim memcpy(s->s2->challenge, 660280304Sjkim &(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i); 66155714Skris 662280304Sjkim if (s->s3 != NULL) 663280304Sjkim ssl3_free(s); 66455714Skris 665280304Sjkim if (!BUF_MEM_grow_clean(s->init_buf, 666280304Sjkim SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { 667280304Sjkim SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, ERR_R_BUF_LIB); 668280304Sjkim goto err; 669280304Sjkim } 67055714Skris 671280304Sjkim s->state = SSL2_ST_GET_SERVER_HELLO_A; 672280304Sjkim if (!(s->client_version == SSL2_VERSION)) 673280304Sjkim /* 674280304Sjkim * use special padding (SSL 3.0 draft/RFC 2246, App. E.2) 675280304Sjkim */ 676280304Sjkim s->s2->ssl2_rollback = 1; 67755714Skris 678280304Sjkim /* 679280304Sjkim * setup the 7 bytes we have read so we get them from the sslv2 680280304Sjkim * buffer 681280304Sjkim */ 682280304Sjkim s->rstate = SSL_ST_READ_HEADER; 683280304Sjkim s->packet_length = n; 684280304Sjkim s->packet = &(s->s2->rbuf[0]); 685280304Sjkim memcpy(s->packet, buf, n); 686280304Sjkim s->s2->rbuf_left = n; 687280304Sjkim s->s2->rbuf_offs = 0; 68855714Skris 689280304Sjkim /* we have already written one */ 690280304Sjkim s->s2->write_sequence = 1; 69155714Skris 692280304Sjkim s->method = SSLv2_client_method(); 693280304Sjkim s->handshake_func = s->method->ssl_connect; 69455949Skris#endif 695280304Sjkim } else if (p[1] == SSL3_VERSION_MAJOR && 696280304Sjkim p[2] <= TLS1_2_VERSION_MINOR && 697280304Sjkim ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) || 698280304Sjkim (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) { 699280304Sjkim /* we have sslv3 or tls1 (server hello or alert) */ 70055714Skris 701273149Sjkim#ifndef OPENSSL_NO_SSL3 702280304Sjkim if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) { 703280304Sjkim# ifdef OPENSSL_FIPS 704280304Sjkim if (FIPS_mode()) { 705280304Sjkim SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, 706280304Sjkim SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); 707280304Sjkim goto err; 708280304Sjkim } 709280304Sjkim# endif 710280304Sjkim s->version = SSL3_VERSION; 711280304Sjkim s->method = SSLv3_client_method(); 712280304Sjkim } else 713194206Ssimon#endif 714280304Sjkim if ((p[2] == TLS1_VERSION_MINOR) && !(s->options & SSL_OP_NO_TLSv1)) { 715280304Sjkim s->version = TLS1_VERSION; 716280304Sjkim s->method = TLSv1_client_method(); 717280304Sjkim } else if ((p[2] == TLS1_1_VERSION_MINOR) && 718280304Sjkim !(s->options & SSL_OP_NO_TLSv1_1)) { 719280304Sjkim s->version = TLS1_1_VERSION; 720280304Sjkim s->method = TLSv1_1_client_method(); 721280304Sjkim } else if ((p[2] == TLS1_2_VERSION_MINOR) && 722280304Sjkim !(s->options & SSL_OP_NO_TLSv1_2)) { 723280304Sjkim s->version = TLS1_2_VERSION; 724280304Sjkim s->method = TLSv1_2_client_method(); 725280304Sjkim } else { 726280304Sjkim SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); 727280304Sjkim goto err; 728280304Sjkim } 729238405Sjkim 730291721Sjkim s->session->ssl_version = s->version; 731291721Sjkim 732280304Sjkim /* ensure that TLS_MAX_VERSION is up-to-date */ 733280304Sjkim OPENSSL_assert(s->version <= TLS_MAX_VERSION); 734273149Sjkim 735280304Sjkim if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) { 736280304Sjkim /* fatal alert */ 737238405Sjkim 738280304Sjkim void (*cb) (const SSL *ssl, int type, int val) = NULL; 739280304Sjkim int j; 740238405Sjkim 741280304Sjkim if (s->info_callback != NULL) 742280304Sjkim cb = s->info_callback; 743280304Sjkim else if (s->ctx->info_callback != NULL) 744280304Sjkim cb = s->ctx->info_callback; 74555714Skris 746280304Sjkim i = p[5]; 747280304Sjkim if (cb != NULL) { 748280304Sjkim j = (i << 8) | p[6]; 749280304Sjkim cb(s, SSL_CB_READ_ALERT, j); 750280304Sjkim } 75155714Skris 752280304Sjkim if (s->msg_callback) 753280304Sjkim s->msg_callback(0, s->version, SSL3_RT_ALERT, p + 5, 2, s, 754280304Sjkim s->msg_callback_arg); 755238405Sjkim 756280304Sjkim s->rwstate = SSL_NOTHING; 757280304Sjkim SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_AD_REASON_OFFSET + p[6]); 758280304Sjkim goto err; 759280304Sjkim } 760238405Sjkim 761280304Sjkim if (!ssl_init_wbio_buffer(s, 1)) 762280304Sjkim goto err; 763238405Sjkim 764280304Sjkim /* we are in this state */ 765280304Sjkim s->state = SSL3_ST_CR_SRVR_HELLO_A; 76655714Skris 767280304Sjkim /* 768280304Sjkim * put the 7 bytes we have read into the input buffer for SSLv3 769280304Sjkim */ 770280304Sjkim s->rstate = SSL_ST_READ_HEADER; 771280304Sjkim s->packet_length = n; 772280304Sjkim if (s->s3->rbuf.buf == NULL) 773280304Sjkim if (!ssl3_setup_read_buffer(s)) 774280304Sjkim goto err; 775280304Sjkim s->packet = &(s->s3->rbuf.buf[0]); 776280304Sjkim memcpy(s->packet, buf, n); 777280304Sjkim s->s3->rbuf.left = n; 778280304Sjkim s->s3->rbuf.offset = 0; 77955714Skris 780280304Sjkim s->handshake_func = s->method->ssl_connect; 781280304Sjkim } else { 782280304Sjkim SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL); 783280304Sjkim goto err; 784280304Sjkim } 785280304Sjkim s->init_num = 0; 786280304Sjkim 787280304Sjkim return (SSL_connect(s)); 788280304Sjkim err: 789280304Sjkim return (-1); 790280304Sjkim} 791