155714Skris/* ssl/s23_clnt.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 855714Skris * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1555714Skris * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 2255714Skris * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 3755714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4055714Skris * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 5255714Skris * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 58238405Sjkim/* ==================================================================== 59238405Sjkim * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60238405Sjkim * 61238405Sjkim * Redistribution and use in source and binary forms, with or without 62238405Sjkim * modification, are permitted provided that the following conditions 63238405Sjkim * are met: 64238405Sjkim * 65238405Sjkim * 1. Redistributions of source code must retain the above copyright 66238405Sjkim * notice, this list of conditions and the following disclaimer. 67238405Sjkim * 68238405Sjkim * 2. Redistributions in binary form must reproduce the above copyright 69238405Sjkim * notice, this list of conditions and the following disclaimer in 70238405Sjkim * the documentation and/or other materials provided with the 71238405Sjkim * distribution. 72238405Sjkim * 73238405Sjkim * 3. All advertising materials mentioning features or use of this 74238405Sjkim * software must display the following acknowledgment: 75238405Sjkim * "This product includes software developed by the OpenSSL Project 76238405Sjkim * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77238405Sjkim * 78238405Sjkim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79238405Sjkim * endorse or promote products derived from this software without 80238405Sjkim * prior written permission. For written permission, please contact 81238405Sjkim * openssl-core@openssl.org. 82238405Sjkim * 83238405Sjkim * 5. Products derived from this software may not be called "OpenSSL" 84238405Sjkim * nor may "OpenSSL" appear in their names without prior written 85238405Sjkim * permission of the OpenSSL Project. 86238405Sjkim * 87238405Sjkim * 6. Redistributions of any form whatsoever must retain the following 88238405Sjkim * acknowledgment: 89238405Sjkim * "This product includes software developed by the OpenSSL Project 90238405Sjkim * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91238405Sjkim * 92238405Sjkim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93238405Sjkim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94238405Sjkim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95238405Sjkim * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96238405Sjkim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97238405Sjkim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98238405Sjkim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99238405Sjkim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100238405Sjkim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101238405Sjkim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102238405Sjkim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103238405Sjkim * OF THE POSSIBILITY OF SUCH DAMAGE. 104238405Sjkim * ==================================================================== 105238405Sjkim * 106238405Sjkim * This product includes cryptographic software written by Eric Young 107238405Sjkim * (eay@cryptsoft.com). This product includes software written by Tim 108238405Sjkim * Hudson (tjh@cryptsoft.com). 109238405Sjkim * 110238405Sjkim */ 11155714Skris 11255714Skris#include <stdio.h> 113110007Smarkm#include "ssl_locl.h" 11455714Skris#include <openssl/buffer.h> 11555714Skris#include <openssl/rand.h> 11655714Skris#include <openssl/objects.h> 11755714Skris#include <openssl/evp.h> 11855714Skris 119238405Sjkimstatic const SSL_METHOD *ssl23_get_client_method(int ver); 12055714Skrisstatic int ssl23_client_hello(SSL *s); 12155714Skrisstatic int ssl23_get_server_hello(SSL *s); 122238405Sjkimstatic const SSL_METHOD *ssl23_get_client_method(int ver) 12355714Skris { 124110007Smarkm#ifndef OPENSSL_NO_SSL2 12555714Skris if (ver == SSL2_VERSION) 12655714Skris return(SSLv2_client_method()); 12755949Skris#endif 128273415Sdelphij#ifndef OPENSSL_NO_SSL3 12955714Skris if (ver == SSL3_VERSION) 13055714Skris return(SSLv3_client_method()); 131273415Sdelphij#endif 132273415Sdelphij if (ver == TLS1_VERSION) 13355714Skris return(TLSv1_client_method()); 134238405Sjkim else if (ver == TLS1_1_VERSION) 135238405Sjkim return(TLSv1_1_client_method()); 136238405Sjkim else if (ver == TLS1_2_VERSION) 137238405Sjkim return(TLSv1_2_client_method()); 13855714Skris else 13955714Skris return(NULL); 14055714Skris } 14155714Skris 142160817SsimonIMPLEMENT_ssl23_meth_func(SSLv23_client_method, 143160817Ssimon ssl_undefined_function, 144160817Ssimon ssl23_connect, 145160817Ssimon ssl23_get_client_method) 14655714Skris 14755714Skrisint ssl23_connect(SSL *s) 14855714Skris { 149110007Smarkm BUF_MEM *buf=NULL; 150160817Ssimon unsigned long Time=(unsigned long)time(NULL); 151110007Smarkm void (*cb)(const SSL *ssl,int type,int val)=NULL; 15255714Skris int ret= -1; 15355714Skris int new_state,state; 15455714Skris 15559194Skris RAND_add(&Time,sizeof(Time),0); 15655714Skris ERR_clear_error(); 15755714Skris clear_sys_error(); 15855714Skris 15955714Skris if (s->info_callback != NULL) 16055714Skris cb=s->info_callback; 16155714Skris else if (s->ctx->info_callback != NULL) 16255714Skris cb=s->ctx->info_callback; 16355714Skris 16489840Skris s->in_handshake++; 16555714Skris if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 16655714Skris 16755714Skris for (;;) 16855714Skris { 16955714Skris state=s->state; 17055714Skris 17155714Skris switch(s->state) 17255714Skris { 17355714Skris case SSL_ST_BEFORE: 17455714Skris case SSL_ST_CONNECT: 17555714Skris case SSL_ST_BEFORE|SSL_ST_CONNECT: 17655714Skris case SSL_ST_OK|SSL_ST_CONNECT: 17755714Skris 17855714Skris if (s->session != NULL) 17955714Skris { 18055714Skris SSLerr(SSL_F_SSL23_CONNECT,SSL_R_SSL23_DOING_SESSION_ID_REUSE); 18155714Skris ret= -1; 18255714Skris goto end; 18355714Skris } 18455714Skris s->server=0; 18555714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 18655714Skris 18755714Skris /* s->version=TLS1_VERSION; */ 18855714Skris s->type=SSL_ST_CONNECT; 18955714Skris 19055714Skris if (s->init_buf == NULL) 19155714Skris { 19255714Skris if ((buf=BUF_MEM_new()) == NULL) 19355714Skris { 19455714Skris ret= -1; 19555714Skris goto end; 19655714Skris } 19755714Skris if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 19855714Skris { 19955714Skris ret= -1; 20055714Skris goto end; 20155714Skris } 20255714Skris s->init_buf=buf; 203110007Smarkm buf=NULL; 20455714Skris } 20555714Skris 20655714Skris if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 20755714Skris 20855714Skris ssl3_init_finished_mac(s); 20955714Skris 21055714Skris s->state=SSL23_ST_CW_CLNT_HELLO_A; 21155714Skris s->ctx->stats.sess_connect++; 21255714Skris s->init_num=0; 21355714Skris break; 21455714Skris 21555714Skris case SSL23_ST_CW_CLNT_HELLO_A: 21655714Skris case SSL23_ST_CW_CLNT_HELLO_B: 21755714Skris 21855714Skris s->shutdown=0; 21955714Skris ret=ssl23_client_hello(s); 22055714Skris if (ret <= 0) goto end; 22155714Skris s->state=SSL23_ST_CR_SRVR_HELLO_A; 22255714Skris s->init_num=0; 22355714Skris 22455714Skris break; 22555714Skris 22655714Skris case SSL23_ST_CR_SRVR_HELLO_A: 22755714Skris case SSL23_ST_CR_SRVR_HELLO_B: 22855714Skris ret=ssl23_get_server_hello(s); 22955714Skris if (ret >= 0) cb=NULL; 23055714Skris goto end; 23155714Skris /* break; */ 23255714Skris 23355714Skris default: 23455714Skris SSLerr(SSL_F_SSL23_CONNECT,SSL_R_UNKNOWN_STATE); 23555714Skris ret= -1; 23655714Skris goto end; 23755714Skris /* break; */ 23855714Skris } 23955714Skris 24055714Skris if (s->debug) { (void)BIO_flush(s->wbio); } 24155714Skris 24255714Skris if ((cb != NULL) && (s->state != state)) 24355714Skris { 24455714Skris new_state=s->state; 24555714Skris s->state=state; 24655714Skris cb(s,SSL_CB_CONNECT_LOOP,1); 24755714Skris s->state=new_state; 24855714Skris } 24955714Skris } 25055714Skrisend: 25155714Skris s->in_handshake--; 252110007Smarkm if (buf != NULL) 253110007Smarkm BUF_MEM_free(buf); 25455714Skris if (cb != NULL) 25555714Skris cb(s,SSL_CB_CONNECT_EXIT,ret); 25655714Skris return(ret); 25755714Skris } 25855714Skris 259238405Sjkimstatic int ssl23_no_ssl2_ciphers(SSL *s) 260238405Sjkim { 261238405Sjkim SSL_CIPHER *cipher; 262238405Sjkim STACK_OF(SSL_CIPHER) *ciphers; 263238405Sjkim int i; 264238405Sjkim ciphers = SSL_get_ciphers(s); 265238405Sjkim for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) 266238405Sjkim { 267238405Sjkim cipher = sk_SSL_CIPHER_value(ciphers, i); 268238405Sjkim if (cipher->algorithm_ssl == SSL_SSLV2) 269238405Sjkim return 0; 270238405Sjkim } 271238405Sjkim return 1; 272238405Sjkim } 27355714Skris 274279264Sdelphij/* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 275279264Sdelphij * on failure, 1 on success. */ 276279264Sdelphijint ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) 277279264Sdelphij { 278279264Sdelphij int send_time = 0; 279279264Sdelphij 280279264Sdelphij if (len < 4) 281279264Sdelphij return 0; 282279264Sdelphij if (server) 283279264Sdelphij send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0; 284279264Sdelphij else 285279264Sdelphij send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0; 286279264Sdelphij if (send_time) 287279264Sdelphij { 288279264Sdelphij unsigned long Time = (unsigned long)time(NULL); 289279264Sdelphij unsigned char *p = result; 290279264Sdelphij l2n(Time, p); 291279264Sdelphij return RAND_pseudo_bytes(p, len-4); 292279264Sdelphij } 293279264Sdelphij else 294279264Sdelphij return RAND_pseudo_bytes(result, len); 295279264Sdelphij } 296279264Sdelphij 29755714Skrisstatic int ssl23_client_hello(SSL *s) 29855714Skris { 29955714Skris unsigned char *buf; 30055714Skris unsigned char *p,*d; 301205128Ssimon int i,ch_len; 302279264Sdelphij unsigned long l; 303160817Ssimon int ssl2_compat; 304160817Ssimon int version = 0, version_major, version_minor; 305205128Ssimon#ifndef OPENSSL_NO_COMP 306205128Ssimon int j; 307160817Ssimon SSL_COMP *comp; 308205128Ssimon#endif 309110007Smarkm int ret; 310238405Sjkim unsigned long mask, options = s->options; 31155714Skris 312238405Sjkim ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1; 313160817Ssimon 314238405Sjkim if (ssl2_compat && ssl23_no_ssl2_ciphers(s)) 315238405Sjkim ssl2_compat = 0; 316238405Sjkim 317238405Sjkim /* 318238405Sjkim * SSL_OP_NO_X disables all protocols above X *if* there are 319238405Sjkim * some protocols below X enabled. This is required in order 320238405Sjkim * to maintain "version capability" vector contiguous. So 321238405Sjkim * that if application wants to disable TLS1.0 in favour of 322238405Sjkim * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the 323238405Sjkim * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. 324238405Sjkim */ 325238405Sjkim mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1 326238405Sjkim#if !defined(OPENSSL_NO_SSL3) 327238405Sjkim |SSL_OP_NO_SSLv3 328238405Sjkim#endif 329238405Sjkim#if !defined(OPENSSL_NO_SSL2) 330238405Sjkim |(ssl2_compat?SSL_OP_NO_SSLv2:0) 331238405Sjkim#endif 332238405Sjkim ; 333238405Sjkim#if !defined(OPENSSL_NO_TLS1_2_CLIENT) 334238405Sjkim version = TLS1_2_VERSION; 335238405Sjkim 336238405Sjkim if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask) 337238405Sjkim version = TLS1_1_VERSION; 338238405Sjkim#else 339238405Sjkim version = TLS1_1_VERSION; 340238405Sjkim#endif 341238405Sjkim mask &= ~SSL_OP_NO_TLSv1_1; 342238405Sjkim if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask) 343160817Ssimon version = TLS1_VERSION; 344238405Sjkim mask &= ~SSL_OP_NO_TLSv1; 345238405Sjkim#if !defined(OPENSSL_NO_SSL3) 346238405Sjkim if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask) 347160817Ssimon version = SSL3_VERSION; 348238405Sjkim mask &= ~SSL_OP_NO_SSLv3; 349238405Sjkim#endif 350238405Sjkim#if !defined(OPENSSL_NO_SSL2) 351238405Sjkim if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask) 352160817Ssimon version = SSL2_VERSION; 353238405Sjkim#endif 354238405Sjkim 355238405Sjkim#ifndef OPENSSL_NO_TLSEXT 356194206Ssimon if (version != SSL2_VERSION) 357194206Ssimon { 358194206Ssimon /* have to disable SSL 2.0 compatibility if we need TLS extensions */ 359160817Ssimon 360194206Ssimon if (s->tlsext_hostname != NULL) 361194206Ssimon ssl2_compat = 0; 362194206Ssimon if (s->tlsext_status_type != -1) 363194206Ssimon ssl2_compat = 0; 364238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input 365238405Sjkim if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL) 366238405Sjkim ssl2_compat = 0; 367238405Sjkim#endif 368194206Ssimon } 369194206Ssimon#endif 370194206Ssimon 37155714Skris buf=(unsigned char *)s->init_buf->data; 37255714Skris if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 37355714Skris { 37455714Skris#if 0 37555714Skris /* don't reuse session-id's */ 37655714Skris if (!ssl_get_new_session(s,0)) 37755714Skris { 37855714Skris return(-1); 37955714Skris } 38055714Skris#endif 38155714Skris 38255714Skris p=s->s3->client_random; 383279264Sdelphij if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) 384160817Ssimon return -1; 38555714Skris 386238405Sjkim if (version == TLS1_2_VERSION) 38755714Skris { 388238405Sjkim version_major = TLS1_2_VERSION_MAJOR; 389238405Sjkim version_minor = TLS1_2_VERSION_MINOR; 390238405Sjkim } 391238405Sjkim else if (version == TLS1_1_VERSION) 392238405Sjkim { 393238405Sjkim version_major = TLS1_1_VERSION_MAJOR; 394238405Sjkim version_minor = TLS1_1_VERSION_MINOR; 395238405Sjkim } 396238405Sjkim else if (version == TLS1_VERSION) 397238405Sjkim { 398160817Ssimon version_major = TLS1_VERSION_MAJOR; 399160817Ssimon version_minor = TLS1_VERSION_MINOR; 40055714Skris } 401194206Ssimon#ifdef OPENSSL_FIPS 402194206Ssimon else if(FIPS_mode()) 403194206Ssimon { 404194206Ssimon SSLerr(SSL_F_SSL23_CLIENT_HELLO, 405194206Ssimon SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); 406194206Ssimon return -1; 407194206Ssimon } 408194206Ssimon#endif 409160817Ssimon else if (version == SSL3_VERSION) 41055714Skris { 411160817Ssimon version_major = SSL3_VERSION_MAJOR; 412160817Ssimon version_minor = SSL3_VERSION_MINOR; 41355714Skris } 414160817Ssimon else if (version == SSL2_VERSION) 41555714Skris { 416160817Ssimon version_major = SSL2_VERSION_MAJOR; 417160817Ssimon version_minor = SSL2_VERSION_MINOR; 41855714Skris } 41955714Skris else 42055714Skris { 42155714Skris SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_PROTOCOLS_AVAILABLE); 42255714Skris return(-1); 42355714Skris } 42455714Skris 425160817Ssimon s->client_version = version; 426160817Ssimon 427160817Ssimon if (ssl2_compat) 42855714Skris { 429160817Ssimon /* create SSL 2.0 compatible Client Hello */ 43055714Skris 431160817Ssimon /* two byte record header will be written last */ 432160817Ssimon d = &(buf[2]); 433160817Ssimon p = d + 9; /* leave space for message type, version, individual length fields */ 434160817Ssimon 435160817Ssimon *(d++) = SSL2_MT_CLIENT_HELLO; 436160817Ssimon *(d++) = version_major; 437160817Ssimon *(d++) = version_minor; 438160817Ssimon 439160817Ssimon /* Ciphers supported */ 440160817Ssimon i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p,0); 441160817Ssimon if (i == 0) 442160817Ssimon { 443160817Ssimon /* no ciphers */ 444160817Ssimon SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 445160817Ssimon return -1; 446160817Ssimon } 447160817Ssimon s2n(i,d); 448160817Ssimon p+=i; 449160817Ssimon 450160817Ssimon /* put in the session-id length (zero since there is no reuse) */ 45155714Skris#if 0 452160817Ssimon s->session->session_id_length=0; 45355714Skris#endif 454160817Ssimon s2n(0,d); 45555714Skris 456160817Ssimon if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG) 457160817Ssimon ch_len=SSL2_CHALLENGE_LENGTH; 458160817Ssimon else 459160817Ssimon ch_len=SSL2_MAX_CHALLENGE_LENGTH; 46055714Skris 461160817Ssimon /* write out sslv2 challenge */ 462238405Sjkim /* Note that ch_len must be <= SSL3_RANDOM_SIZE (32), 463238405Sjkim because it is one of SSL2_MAX_CHALLENGE_LENGTH (32) 464238405Sjkim or SSL2_MAX_CHALLENGE_LENGTH (16), but leave the 465238405Sjkim check in for futurproofing */ 466160817Ssimon if (SSL3_RANDOM_SIZE < ch_len) 467160817Ssimon i=SSL3_RANDOM_SIZE; 468160817Ssimon else 469160817Ssimon i=ch_len; 470160817Ssimon s2n(i,d); 471160817Ssimon memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE); 472160817Ssimon if (RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0) 473160817Ssimon return -1; 474160817Ssimon 475160817Ssimon memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); 476160817Ssimon p+=i; 477160817Ssimon 478160817Ssimon i= p- &(buf[2]); 479160817Ssimon buf[0]=((i>>8)&0xff)|0x80; 480160817Ssimon buf[1]=(i&0xff); 481160817Ssimon 482160817Ssimon /* number of bytes to write */ 483160817Ssimon s->init_num=i+2; 484160817Ssimon s->init_off=0; 485160817Ssimon 486160817Ssimon ssl3_finish_mac(s,&(buf[2]),i); 487160817Ssimon } 48855714Skris else 489160817Ssimon { 490160817Ssimon /* create Client Hello in SSL 3.0/TLS 1.0 format */ 491142428Snectar 492160817Ssimon /* do the record header (5 bytes) and handshake message header (4 bytes) last */ 493160817Ssimon d = p = &(buf[9]); 494160817Ssimon 495160817Ssimon *(p++) = version_major; 496160817Ssimon *(p++) = version_minor; 49755714Skris 498160817Ssimon /* Random stuff */ 499160817Ssimon memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); 500160817Ssimon p += SSL3_RANDOM_SIZE; 50155714Skris 502160817Ssimon /* Session ID (zero since there is no reuse) */ 503160817Ssimon *(p++) = 0; 504160817Ssimon 505160817Ssimon /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */ 506160817Ssimon i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char); 507160817Ssimon if (i == 0) 508160817Ssimon { 509160817Ssimon SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 510160817Ssimon return -1; 511160817Ssimon } 512238405Sjkim#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 513238405Sjkim /* Some servers hang if client hello > 256 bytes 514238405Sjkim * as hack workaround chop number of supported ciphers 515238405Sjkim * to keep it well below this if we use TLS v1.2 516238405Sjkim */ 517238405Sjkim if (TLS1_get_version(s) >= TLS1_2_VERSION 518238405Sjkim && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) 519238405Sjkim i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 520238405Sjkim#endif 521160817Ssimon s2n(i,p); 522160817Ssimon p+=i; 523238405Sjkim 524238405Sjkim /* COMPRESSION */ 525215697Ssimon#ifdef OPENSSL_NO_COMP 526215697Ssimon *(p++)=1; 527215697Ssimon#else 528238405Sjkim if ((s->options & SSL_OP_NO_COMPRESSION) 529238405Sjkim || !s->ctx->comp_methods) 530160817Ssimon j=0; 531160817Ssimon else 532160817Ssimon j=sk_SSL_COMP_num(s->ctx->comp_methods); 533160817Ssimon *(p++)=1+j; 534160817Ssimon for (i=0; i<j; i++) 535160817Ssimon { 536160817Ssimon comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 537160817Ssimon *(p++)=comp->id; 538160817Ssimon } 539215697Ssimon#endif 540160817Ssimon *(p++)=0; /* Add the NULL method */ 541238405Sjkim 542194206Ssimon#ifndef OPENSSL_NO_TLSEXT 543238405Sjkim /* TLS extensions*/ 544238405Sjkim if (ssl_prepare_clienthello_tlsext(s) <= 0) 545238405Sjkim { 546238405Sjkim SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 547238405Sjkim return -1; 548238405Sjkim } 549194206Ssimon if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 550194206Ssimon { 551194206Ssimon SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); 552194206Ssimon return -1; 553194206Ssimon } 554194206Ssimon#endif 555160817Ssimon 556160817Ssimon l = p-d; 557160817Ssimon 558160817Ssimon /* fill in 4-byte handshake header */ 559160817Ssimon d=&(buf[5]); 560160817Ssimon *(d++)=SSL3_MT_CLIENT_HELLO; 561160817Ssimon l2n3(l,d); 562160817Ssimon 563160817Ssimon l += 4; 564160817Ssimon 565160817Ssimon if (l > SSL3_RT_MAX_PLAIN_LENGTH) 566160817Ssimon { 567160817Ssimon SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); 568160817Ssimon return -1; 569160817Ssimon } 570160817Ssimon 571160817Ssimon /* fill in 5-byte record header */ 572160817Ssimon d=buf; 573160817Ssimon *(d++) = SSL3_RT_HANDSHAKE; 574160817Ssimon *(d++) = version_major; 575238405Sjkim /* Some servers hang if we use long client hellos 576238405Sjkim * and a record number > TLS 1.0. 577238405Sjkim */ 578238405Sjkim if (TLS1_get_client_version(s) > TLS1_VERSION) 579238405Sjkim *(d++) = 1; 580238405Sjkim else 581238405Sjkim *(d++) = version_minor; 582160817Ssimon s2n((int)l,d); 583160817Ssimon 584160817Ssimon /* number of bytes to write */ 585160817Ssimon s->init_num=p-buf; 586160817Ssimon s->init_off=0; 587160817Ssimon 588160817Ssimon ssl3_finish_mac(s,&(buf[5]), s->init_num - 5); 589160817Ssimon } 590160817Ssimon 59155714Skris s->state=SSL23_ST_CW_CLNT_HELLO_B; 59255714Skris s->init_off=0; 59355714Skris } 59455714Skris 59555714Skris /* SSL3_ST_CW_CLNT_HELLO_B */ 596110007Smarkm ret = ssl23_write_bytes(s); 597160817Ssimon 598160817Ssimon if ((ret >= 2) && s->msg_callback) 599160817Ssimon { 600160817Ssimon /* Client Hello has been sent; tell msg_callback */ 601160817Ssimon 602160817Ssimon if (ssl2_compat) 603160817Ssimon s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg); 604160817Ssimon else 605160817Ssimon s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data+5, ret-5, s, s->msg_callback_arg); 606160817Ssimon } 607160817Ssimon 608110007Smarkm return ret; 60955714Skris } 61055714Skris 61155714Skrisstatic int ssl23_get_server_hello(SSL *s) 61255714Skris { 61355714Skris char buf[8]; 61455714Skris unsigned char *p; 61559194Skris int i; 61655714Skris int n; 61755714Skris 61855714Skris n=ssl23_read_bytes(s,7); 61955714Skris 62055714Skris if (n != 7) return(n); 62155714Skris p=s->packet; 62255714Skris 62355714Skris memcpy(buf,p,n); 62455714Skris 62555714Skris if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) && 62655714Skris (p[5] == 0x00) && (p[6] == 0x02)) 62755714Skris { 628110007Smarkm#ifdef OPENSSL_NO_SSL2 62959194Skris SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); 63059194Skris goto err; 63155949Skris#else 63255714Skris /* we are talking sslv2 */ 63355714Skris /* we need to clean up the SSLv3 setup and put in the 63455714Skris * sslv2 stuff. */ 63559194Skris int ch_len; 63655714Skris 63755714Skris if (s->options & SSL_OP_NO_SSLv2) 63855714Skris { 63955714Skris SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); 64055714Skris goto err; 64155714Skris } 64255714Skris if (s->s2 == NULL) 64355714Skris { 64455714Skris if (!ssl2_new(s)) 64555714Skris goto err; 64655714Skris } 64755714Skris else 64855714Skris ssl2_clear(s); 64955714Skris 65055714Skris if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG) 65155714Skris ch_len=SSL2_CHALLENGE_LENGTH; 65255714Skris else 65355714Skris ch_len=SSL2_MAX_CHALLENGE_LENGTH; 65455714Skris 65555714Skris /* write out sslv2 challenge */ 656238405Sjkim /* Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because 657238405Sjkim it is one of SSL2_MAX_CHALLENGE_LENGTH (32) or 658238405Sjkim SSL2_MAX_CHALLENGE_LENGTH (16), but leave the check in for 659238405Sjkim futurproofing */ 66055714Skris i=(SSL3_RANDOM_SIZE < ch_len) 66155714Skris ?SSL3_RANDOM_SIZE:ch_len; 66255714Skris s->s2->challenge_length=i; 66355714Skris memcpy(s->s2->challenge, 66455714Skris &(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); 66555714Skris 66655714Skris if (s->s3 != NULL) ssl3_free(s); 66755714Skris 668110007Smarkm if (!BUF_MEM_grow_clean(s->init_buf, 66955714Skris SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) 67055714Skris { 67155714Skris SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB); 67255714Skris goto err; 67355714Skris } 67455714Skris 67555714Skris s->state=SSL2_ST_GET_SERVER_HELLO_A; 67668654Skris if (!(s->client_version == SSL2_VERSION)) 67768654Skris /* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */ 67868654Skris s->s2->ssl2_rollback=1; 67955714Skris 680238405Sjkim /* setup the 7 bytes we have read so we get them from 68155714Skris * the sslv2 buffer */ 68255714Skris s->rstate=SSL_ST_READ_HEADER; 68355714Skris s->packet_length=n; 68455714Skris s->packet= &(s->s2->rbuf[0]); 68555714Skris memcpy(s->packet,buf,n); 68655714Skris s->s2->rbuf_left=n; 68755714Skris s->s2->rbuf_offs=0; 68855714Skris 68955714Skris /* we have already written one */ 69055714Skris s->s2->write_sequence=1; 69155714Skris 69255714Skris s->method=SSLv2_client_method(); 69355714Skris s->handshake_func=s->method->ssl_connect; 69455949Skris#endif 69555714Skris } 696238405Sjkim else if (p[1] == SSL3_VERSION_MAJOR && 697238405Sjkim p[2] <= TLS1_2_VERSION_MINOR && 698238405Sjkim ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) || 699238405Sjkim (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) 70055714Skris { 701238405Sjkim /* we have sslv3 or tls1 (server hello or alert) */ 70255714Skris 703273415Sdelphij#ifndef OPENSSL_NO_SSL3 70455714Skris if ((p[2] == SSL3_VERSION_MINOR) && 70555714Skris !(s->options & SSL_OP_NO_SSLv3)) 70655714Skris { 707194206Ssimon#ifdef OPENSSL_FIPS 708194206Ssimon if(FIPS_mode()) 709194206Ssimon { 710194206Ssimon SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, 711194206Ssimon SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); 712194206Ssimon goto err; 713194206Ssimon } 714194206Ssimon#endif 71555714Skris s->version=SSL3_VERSION; 71655714Skris s->method=SSLv3_client_method(); 71755714Skris } 718273415Sdelphij else 719273415Sdelphij#endif 720273415Sdelphij if ((p[2] == TLS1_VERSION_MINOR) && 72155714Skris !(s->options & SSL_OP_NO_TLSv1)) 72255714Skris { 72355714Skris s->version=TLS1_VERSION; 72455714Skris s->method=TLSv1_client_method(); 72555714Skris } 726238405Sjkim else if ((p[2] == TLS1_1_VERSION_MINOR) && 727238405Sjkim !(s->options & SSL_OP_NO_TLSv1_1)) 728238405Sjkim { 729238405Sjkim s->version=TLS1_1_VERSION; 730238405Sjkim s->method=TLSv1_1_client_method(); 731238405Sjkim } 732238405Sjkim else if ((p[2] == TLS1_2_VERSION_MINOR) && 733238405Sjkim !(s->options & SSL_OP_NO_TLSv1_2)) 734238405Sjkim { 735238405Sjkim s->version=TLS1_2_VERSION; 736238405Sjkim s->method=TLSv1_2_client_method(); 737238405Sjkim } 73855714Skris else 73955714Skris { 74055714Skris SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); 74155714Skris goto err; 74255714Skris } 743238405Sjkim 744273415Sdelphij /* ensure that TLS_MAX_VERSION is up-to-date */ 745273415Sdelphij OPENSSL_assert(s->version <= TLS_MAX_VERSION); 746273415Sdelphij 747238405Sjkim if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) 748238405Sjkim { 749238405Sjkim /* fatal alert */ 750238405Sjkim 751238405Sjkim void (*cb)(const SSL *ssl,int type,int val)=NULL; 752238405Sjkim int j; 753238405Sjkim 754238405Sjkim if (s->info_callback != NULL) 755238405Sjkim cb=s->info_callback; 756238405Sjkim else if (s->ctx->info_callback != NULL) 757238405Sjkim cb=s->ctx->info_callback; 758238405Sjkim 759238405Sjkim i=p[5]; 760238405Sjkim if (cb != NULL) 761238405Sjkim { 762238405Sjkim j=(i<<8)|p[6]; 763238405Sjkim cb(s,SSL_CB_READ_ALERT,j); 764238405Sjkim } 76555714Skris 766238405Sjkim if (s->msg_callback) 767238405Sjkim s->msg_callback(0, s->version, SSL3_RT_ALERT, p+5, 2, s, s->msg_callback_arg); 76855714Skris 769238405Sjkim s->rwstate=SSL_NOTHING; 770238405Sjkim SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]); 771238405Sjkim goto err; 77255714Skris } 77355714Skris 774238405Sjkim if (!ssl_init_wbio_buffer(s,1)) goto err; 775238405Sjkim 776238405Sjkim /* we are in this state */ 777238405Sjkim s->state=SSL3_ST_CR_SRVR_HELLO_A; 778238405Sjkim 779238405Sjkim /* put the 7 bytes we have read into the input buffer 780238405Sjkim * for SSLv3 */ 781238405Sjkim s->rstate=SSL_ST_READ_HEADER; 782238405Sjkim s->packet_length=n; 783238405Sjkim if (s->s3->rbuf.buf == NULL) 784238405Sjkim if (!ssl3_setup_read_buffer(s)) 785238405Sjkim goto err; 786238405Sjkim s->packet= &(s->s3->rbuf.buf[0]); 787238405Sjkim memcpy(s->packet,buf,n); 788238405Sjkim s->s3->rbuf.left=n; 789238405Sjkim s->s3->rbuf.offset=0; 790238405Sjkim 791238405Sjkim s->handshake_func=s->method->ssl_connect; 79255714Skris } 79355714Skris else 79455714Skris { 79555714Skris SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNKNOWN_PROTOCOL); 79655714Skris goto err; 79755714Skris } 79855714Skris s->init_num=0; 79955714Skris 80055714Skris /* Since, if we are sending a ssl23 client hello, we are not 80155714Skris * reusing a session-id */ 80255714Skris if (!ssl_get_new_session(s,0)) 80355714Skris goto err; 80455714Skris 80555714Skris return(SSL_connect(s)); 80655714Skriserr: 80755714Skris return(-1); 80855714Skris } 809