155714Skris/* ssl/s23_srvr.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 855714Skris * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1555714Skris * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 2255714Skris * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 3755714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4055714Skris * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 5255714Skris * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5889840Skris/* ==================================================================== 59238405Sjkim * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 6089840Skris * 6189840Skris * Redistribution and use in source and binary forms, with or without 6289840Skris * modification, are permitted provided that the following conditions 6389840Skris * are met: 6489840Skris * 6589840Skris * 1. Redistributions of source code must retain the above copyright 6689840Skris * notice, this list of conditions and the following disclaimer. 6789840Skris * 6889840Skris * 2. Redistributions in binary form must reproduce the above copyright 6989840Skris * notice, this list of conditions and the following disclaimer in 7089840Skris * the documentation and/or other materials provided with the 7189840Skris * distribution. 7289840Skris * 7389840Skris * 3. All advertising materials mentioning features or use of this 7489840Skris * software must display the following acknowledgment: 7589840Skris * "This product includes software developed by the OpenSSL Project 7689840Skris * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7789840Skris * 7889840Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 7989840Skris * endorse or promote products derived from this software without 8089840Skris * prior written permission. For written permission, please contact 8189840Skris * openssl-core@openssl.org. 8289840Skris * 8389840Skris * 5. Products derived from this software may not be called "OpenSSL" 8489840Skris * nor may "OpenSSL" appear in their names without prior written 8589840Skris * permission of the OpenSSL Project. 8689840Skris * 8789840Skris * 6. Redistributions of any form whatsoever must retain the following 8889840Skris * acknowledgment: 8989840Skris * "This product includes software developed by the OpenSSL Project 9089840Skris * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9189840Skris * 9289840Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 9389840Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9489840Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9589840Skris * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9689840Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9789840Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 9889840Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 9989840Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 10089840Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10189840Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10289840Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10389840Skris * OF THE POSSIBILITY OF SUCH DAMAGE. 10489840Skris * ==================================================================== 10589840Skris * 10689840Skris * This product includes cryptographic software written by Eric Young 10789840Skris * (eay@cryptsoft.com). This product includes software written by Tim 10889840Skris * Hudson (tjh@cryptsoft.com). 10989840Skris * 11089840Skris */ 11155714Skris 11255714Skris#include <stdio.h> 113110007Smarkm#include "ssl_locl.h" 11455714Skris#include <openssl/buffer.h> 11555714Skris#include <openssl/rand.h> 11655714Skris#include <openssl/objects.h> 11755714Skris#include <openssl/evp.h> 118238405Sjkim#ifdef OPENSSL_FIPS 119238405Sjkim#include <openssl/fips.h> 120238405Sjkim#endif 12155714Skris 122238405Sjkimstatic const SSL_METHOD *ssl23_get_server_method(int ver); 12355714Skrisint ssl23_get_client_hello(SSL *s); 124238405Sjkimstatic const SSL_METHOD *ssl23_get_server_method(int ver) 12555714Skris { 126110007Smarkm#ifndef OPENSSL_NO_SSL2 12755714Skris if (ver == SSL2_VERSION) 12855714Skris return(SSLv2_server_method()); 12955949Skris#endif 130273415Sdelphij#ifndef OPENSSL_NO_SSL3 13155714Skris if (ver == SSL3_VERSION) 13255714Skris return(SSLv3_server_method()); 133273415Sdelphij#endif 134273415Sdelphij if (ver == TLS1_VERSION) 13555714Skris return(TLSv1_server_method()); 136238405Sjkim else if (ver == TLS1_1_VERSION) 137238405Sjkim return(TLSv1_1_server_method()); 138238405Sjkim else if (ver == TLS1_2_VERSION) 139238405Sjkim return(TLSv1_2_server_method()); 14055714Skris else 14155714Skris return(NULL); 14255714Skris } 14355714Skris 144160817SsimonIMPLEMENT_ssl23_meth_func(SSLv23_server_method, 145160817Ssimon ssl23_accept, 146160817Ssimon ssl_undefined_function, 147160817Ssimon ssl23_get_server_method) 14855714Skris 14955714Skrisint ssl23_accept(SSL *s) 15055714Skris { 15155714Skris BUF_MEM *buf; 152160817Ssimon unsigned long Time=(unsigned long)time(NULL); 153110007Smarkm void (*cb)(const SSL *ssl,int type,int val)=NULL; 15455714Skris int ret= -1; 15555714Skris int new_state,state; 15655714Skris 15759194Skris RAND_add(&Time,sizeof(Time),0); 15855714Skris ERR_clear_error(); 15955714Skris clear_sys_error(); 16055714Skris 16155714Skris if (s->info_callback != NULL) 16255714Skris cb=s->info_callback; 16355714Skris else if (s->ctx->info_callback != NULL) 16455714Skris cb=s->ctx->info_callback; 16555714Skris 16689840Skris s->in_handshake++; 16755714Skris if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 16855714Skris 16955714Skris for (;;) 17055714Skris { 17155714Skris state=s->state; 17255714Skris 17355714Skris switch(s->state) 17455714Skris { 17555714Skris case SSL_ST_BEFORE: 17655714Skris case SSL_ST_ACCEPT: 17755714Skris case SSL_ST_BEFORE|SSL_ST_ACCEPT: 17855714Skris case SSL_ST_OK|SSL_ST_ACCEPT: 17955714Skris 18055714Skris s->server=1; 18155714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 18255714Skris 18355714Skris /* s->version=SSL3_VERSION; */ 18455714Skris s->type=SSL_ST_ACCEPT; 18555714Skris 18655714Skris if (s->init_buf == NULL) 18755714Skris { 18855714Skris if ((buf=BUF_MEM_new()) == NULL) 18955714Skris { 19055714Skris ret= -1; 19155714Skris goto end; 19255714Skris } 19355714Skris if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 19455714Skris { 195279264Sdelphij BUF_MEM_free(buf); 19655714Skris ret= -1; 19755714Skris goto end; 19855714Skris } 19955714Skris s->init_buf=buf; 20055714Skris } 20155714Skris 20255714Skris ssl3_init_finished_mac(s); 20355714Skris 20455714Skris s->state=SSL23_ST_SR_CLNT_HELLO_A; 20555714Skris s->ctx->stats.sess_accept++; 20655714Skris s->init_num=0; 20755714Skris break; 20855714Skris 20955714Skris case SSL23_ST_SR_CLNT_HELLO_A: 21055714Skris case SSL23_ST_SR_CLNT_HELLO_B: 21155714Skris 21255714Skris s->shutdown=0; 21355714Skris ret=ssl23_get_client_hello(s); 21455714Skris if (ret >= 0) cb=NULL; 21555714Skris goto end; 21655714Skris /* break; */ 21755714Skris 21855714Skris default: 21955714Skris SSLerr(SSL_F_SSL23_ACCEPT,SSL_R_UNKNOWN_STATE); 22055714Skris ret= -1; 22155714Skris goto end; 22255714Skris /* break; */ 22355714Skris } 22455714Skris 22555714Skris if ((cb != NULL) && (s->state != state)) 22655714Skris { 22755714Skris new_state=s->state; 22855714Skris s->state=state; 22955714Skris cb(s,SSL_CB_ACCEPT_LOOP,1); 23055714Skris s->state=new_state; 23155714Skris } 23255714Skris } 23355714Skrisend: 23489840Skris s->in_handshake--; 23555714Skris if (cb != NULL) 23655714Skris cb(s,SSL_CB_ACCEPT_EXIT,ret); 23755714Skris return(ret); 23855714Skris } 23955714Skris 24055714Skris 24155714Skrisint ssl23_get_client_hello(SSL *s) 24255714Skris { 24359194Skris char buf_space[11]; /* Request this many bytes in initial read. 24459194Skris * We can detect SSL 3.0/TLS 1.0 Client Hellos 24559194Skris * ('type == 3') correctly only when the following 24659194Skris * is in a single record, which is not guaranteed by 24759194Skris * the protocol specification: 24859194Skris * Byte Content 24959194Skris * 0 type \ 25059194Skris * 1/2 version > record header 25159194Skris * 3/4 length / 25259194Skris * 5 msg_type \ 25359194Skris * 6-8 length > Client Hello message 25459194Skris * 9/10 client_version / 25559194Skris */ 25655714Skris char *buf= &(buf_space[0]); 257110007Smarkm unsigned char *p,*d,*d_len,*dd; 25855714Skris unsigned int i; 25955714Skris unsigned int csl,sil,cl; 26059194Skris int n=0,j; 26159194Skris int type=0; 26255714Skris int v[2]; 26355714Skris 26455714Skris if (s->state == SSL23_ST_SR_CLNT_HELLO_A) 26555714Skris { 26659194Skris /* read the initial header */ 26759194Skris v[0]=v[1]=0; 26859194Skris 26955714Skris if (!ssl3_setup_buffers(s)) goto err; 27055714Skris 27159194Skris n=ssl23_read_bytes(s, sizeof buf_space); 27259194Skris if (n != sizeof buf_space) return(n); /* n == -1 || n == 0 */ 27355714Skris 27455714Skris p=s->packet; 27555714Skris 27655714Skris memcpy(buf,p,n); 27755714Skris 27855714Skris if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) 27955714Skris { 28059194Skris /* 28159194Skris * SSLv2 header 28259194Skris */ 28355714Skris if ((p[3] == 0x00) && (p[4] == 0x02)) 28455714Skris { 28555714Skris v[0]=p[3]; v[1]=p[4]; 28655714Skris /* SSLv2 */ 28755714Skris if (!(s->options & SSL_OP_NO_SSLv2)) 28855714Skris type=1; 28955714Skris } 29055714Skris else if (p[3] == SSL3_VERSION_MAJOR) 29155714Skris { 29255714Skris v[0]=p[3]; v[1]=p[4]; 29355714Skris /* SSLv3/TLSv1 */ 29455714Skris if (p[4] >= TLS1_VERSION_MINOR) 29555714Skris { 296238405Sjkim if (p[4] >= TLS1_2_VERSION_MINOR && 297238405Sjkim !(s->options & SSL_OP_NO_TLSv1_2)) 29855714Skris { 299238405Sjkim s->version=TLS1_2_VERSION; 300238405Sjkim s->state=SSL23_ST_SR_CLNT_HELLO_B; 301238405Sjkim } 302238405Sjkim else if (p[4] >= TLS1_1_VERSION_MINOR && 303238405Sjkim !(s->options & SSL_OP_NO_TLSv1_1)) 304238405Sjkim { 305238405Sjkim s->version=TLS1_1_VERSION; 306238405Sjkim /* type=2; */ /* done later to survive restarts */ 307238405Sjkim s->state=SSL23_ST_SR_CLNT_HELLO_B; 308238405Sjkim } 309238405Sjkim else if (!(s->options & SSL_OP_NO_TLSv1)) 310238405Sjkim { 31159194Skris s->version=TLS1_VERSION; 31259194Skris /* type=2; */ /* done later to survive restarts */ 31355714Skris s->state=SSL23_ST_SR_CLNT_HELLO_B; 31455714Skris } 31555714Skris else if (!(s->options & SSL_OP_NO_SSLv3)) 31655714Skris { 31759194Skris s->version=SSL3_VERSION; 31859194Skris /* type=2; */ 31955714Skris s->state=SSL23_ST_SR_CLNT_HELLO_B; 32055714Skris } 32155714Skris else if (!(s->options & SSL_OP_NO_SSLv2)) 32255714Skris { 32355714Skris type=1; 32455714Skris } 32555714Skris } 32655714Skris else if (!(s->options & SSL_OP_NO_SSLv3)) 32759194Skris { 32859194Skris s->version=SSL3_VERSION; 32959194Skris /* type=2; */ 33055714Skris s->state=SSL23_ST_SR_CLNT_HELLO_B; 33159194Skris } 33255714Skris else if (!(s->options & SSL_OP_NO_SSLv2)) 33355714Skris type=1; 33455714Skris 33555714Skris } 33655714Skris } 33755714Skris else if ((p[0] == SSL3_RT_HANDSHAKE) && 33855714Skris (p[1] == SSL3_VERSION_MAJOR) && 33959194Skris (p[5] == SSL3_MT_CLIENT_HELLO) && 34059194Skris ((p[3] == 0 && p[4] < 5 /* silly record length? */) 341205128Ssimon || (p[9] >= p[1]))) 34255714Skris { 34359194Skris /* 34459194Skris * SSLv3 or tls1 header 34559194Skris */ 34659194Skris 34768654Skris v[0]=p[1]; /* major version (= SSL3_VERSION_MAJOR) */ 34859194Skris /* We must look at client_version inside the Client Hello message 34968654Skris * to get the correct minor version. 35068654Skris * However if we have only a pathologically small fragment of the 35189840Skris * Client Hello message, this would be difficult, and we'd have 35289840Skris * to read more records to find out. 35389840Skris * No known SSL 3.0 client fragments ClientHello like this, 354271304Sdelphij * so we simply reject such connections to avoid 355271304Sdelphij * protocol version downgrade attacks. */ 35659194Skris if (p[3] == 0 && p[4] < 6) 35768654Skris { 35868654Skris SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL); 35968654Skris goto err; 36068654Skris } 361205128Ssimon /* if major version number > 3 set minor to a value 362205128Ssimon * which will use the highest version 3 we support. 363205128Ssimon * If TLS 2.0 ever appears we will need to revise 364205128Ssimon * this.... 365205128Ssimon */ 366271304Sdelphij if (p[9] > SSL3_VERSION_MAJOR) 367205128Ssimon v[1]=0xff; 36889840Skris else 36989840Skris v[1]=p[10]; /* minor version according to client_version */ 37059194Skris if (v[1] >= TLS1_VERSION_MINOR) 37155714Skris { 372238405Sjkim if (v[1] >= TLS1_2_VERSION_MINOR && 373238405Sjkim !(s->options & SSL_OP_NO_TLSv1_2)) 37455714Skris { 375238405Sjkim s->version=TLS1_2_VERSION; 376238405Sjkim type=3; 377238405Sjkim } 378238405Sjkim else if (v[1] >= TLS1_1_VERSION_MINOR && 379238405Sjkim !(s->options & SSL_OP_NO_TLSv1_1)) 380238405Sjkim { 381238405Sjkim s->version=TLS1_1_VERSION; 382238405Sjkim type=3; 383238405Sjkim } 384238405Sjkim else if (!(s->options & SSL_OP_NO_TLSv1)) 385238405Sjkim { 38659194Skris s->version=TLS1_VERSION; 38755714Skris type=3; 38855714Skris } 38955714Skris else if (!(s->options & SSL_OP_NO_SSLv3)) 39059194Skris { 39159194Skris s->version=SSL3_VERSION; 39255714Skris type=3; 39359194Skris } 39455714Skris } 39589840Skris else 39659194Skris { 39789840Skris /* client requests SSL 3.0 */ 39889840Skris if (!(s->options & SSL_OP_NO_SSLv3)) 39989840Skris { 40089840Skris s->version=SSL3_VERSION; 40189840Skris type=3; 40289840Skris } 40389840Skris else if (!(s->options & SSL_OP_NO_TLSv1)) 40489840Skris { 40589840Skris /* we won't be able to use TLS of course, 40689840Skris * but this will send an appropriate alert */ 40789840Skris s->version=TLS1_VERSION; 40889840Skris type=3; 40989840Skris } 41059194Skris } 41155714Skris } 41255714Skris else if ((strncmp("GET ", (char *)p,4) == 0) || 41355714Skris (strncmp("POST ",(char *)p,5) == 0) || 41455714Skris (strncmp("HEAD ",(char *)p,5) == 0) || 41555714Skris (strncmp("PUT ", (char *)p,4) == 0)) 41655714Skris { 41755714Skris SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTP_REQUEST); 41855714Skris goto err; 41955714Skris } 42055714Skris else if (strncmp("CONNECT",(char *)p,7) == 0) 42155714Skris { 42255714Skris SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTPS_PROXY_REQUEST); 42355714Skris goto err; 42455714Skris } 42555714Skris } 42655714Skris 427273415Sdelphij /* ensure that TLS_MAX_VERSION is up-to-date */ 428273415Sdelphij OPENSSL_assert(s->version <= TLS_MAX_VERSION); 429273415Sdelphij 430194206Ssimon#ifdef OPENSSL_FIPS 431194206Ssimon if (FIPS_mode() && (s->version < TLS1_VERSION)) 432194206Ssimon { 433194206Ssimon SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, 434194206Ssimon SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); 435194206Ssimon goto err; 436194206Ssimon } 437194206Ssimon#endif 438194206Ssimon 43955714Skris if (s->state == SSL23_ST_SR_CLNT_HELLO_B) 44055714Skris { 44159194Skris /* we have SSLv3/TLSv1 in an SSLv2 header 44259194Skris * (other cases skip this state) */ 44359194Skris 44455714Skris type=2; 44555714Skris p=s->packet; 44659194Skris v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ 44759194Skris v[1] = p[4]; 44859194Skris 449271304Sdelphij /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 450271304Sdelphij * header is sent directly on the wire, not wrapped as a TLS 451271304Sdelphij * record. It's format is: 452271304Sdelphij * Byte Content 453271304Sdelphij * 0-1 msg_length 454271304Sdelphij * 2 msg_type 455271304Sdelphij * 3-4 version 456271304Sdelphij * 5-6 cipher_spec_length 457271304Sdelphij * 7-8 session_id_length 458271304Sdelphij * 9-10 challenge_length 459271304Sdelphij * ... ... 460271304Sdelphij */ 46155714Skris n=((p[0]&0x7f)<<8)|p[1]; 46255714Skris if (n > (1024*4)) 46355714Skris { 46455714Skris SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE); 46555714Skris goto err; 46655714Skris } 467271304Sdelphij if (n < 9) 468271304Sdelphij { 469271304Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH); 470271304Sdelphij goto err; 471271304Sdelphij } 47255714Skris 47355714Skris j=ssl23_read_bytes(s,n+2); 474271304Sdelphij /* We previously read 11 bytes, so if j > 0, we must have 475271304Sdelphij * j == n+2 == s->packet_length. We have at least 11 valid 476271304Sdelphij * packet bytes. */ 47755714Skris if (j <= 0) return(j); 47855714Skris 479110007Smarkm ssl3_finish_mac(s, s->packet+2, s->packet_length-2); 480110007Smarkm if (s->msg_callback) 481110007Smarkm s->msg_callback(0, SSL2_VERSION, 0, s->packet+2, s->packet_length-2, s, s->msg_callback_arg); /* CLIENT-HELLO */ 48255714Skris 48355714Skris p=s->packet; 48455714Skris p+=5; 48555714Skris n2s(p,csl); 48655714Skris n2s(p,sil); 48755714Skris n2s(p,cl); 48855714Skris d=(unsigned char *)s->init_buf->data; 489238405Sjkim if ((csl+sil+cl+11) != s->packet_length) /* We can't have TLS extensions in SSL 2.0 format 490238405Sjkim * Client Hello, can we? Error condition should be 491238405Sjkim * '>' otherweise */ 49255714Skris { 49355714Skris SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH); 49455714Skris goto err; 49555714Skris } 49655714Skris 497110007Smarkm /* record header: msg_type ... */ 498110007Smarkm *(d++) = SSL3_MT_CLIENT_HELLO; 499110007Smarkm /* ... and length (actual value will be written later) */ 500110007Smarkm d_len = d; 501110007Smarkm d += 3; 502110007Smarkm 503110007Smarkm /* client_version */ 50459194Skris *(d++) = SSL3_VERSION_MAJOR; /* == v[0] */ 50559194Skris *(d++) = v[1]; 50655714Skris 50755714Skris /* lets populate the random area */ 50859194Skris /* get the challenge_length */ 50955714Skris i=(cl > SSL3_RANDOM_SIZE)?SSL3_RANDOM_SIZE:cl; 51055714Skris memset(d,0,SSL3_RANDOM_SIZE); 51155714Skris memcpy(&(d[SSL3_RANDOM_SIZE-i]),&(p[csl+sil]),i); 51255714Skris d+=SSL3_RANDOM_SIZE; 51355714Skris 51455714Skris /* no session-id reuse */ 51555714Skris *(d++)=0; 51655714Skris 51755714Skris /* ciphers */ 51855714Skris j=0; 51955714Skris dd=d; 52055714Skris d+=2; 52155714Skris for (i=0; i<csl; i+=3) 52255714Skris { 52355714Skris if (p[i] != 0) continue; 52455714Skris *(d++)=p[i+1]; 52555714Skris *(d++)=p[i+2]; 52655714Skris j+=2; 52755714Skris } 52855714Skris s2n(j,dd); 52955714Skris 53055714Skris /* COMPRESSION */ 53155714Skris *(d++)=1; 53255714Skris *(d++)=0; 53355714Skris 534238405Sjkim#if 0 535238405Sjkim /* copy any remaining data with may be extensions */ 536238405Sjkim p = p+csl+sil+cl; 537238405Sjkim while (p < s->packet+s->packet_length) 538238405Sjkim { 539238405Sjkim *(d++)=*(p++); 540238405Sjkim } 541238405Sjkim#endif 542238405Sjkim 543110007Smarkm i = (d-(unsigned char *)s->init_buf->data) - 4; 544110007Smarkm l2n3((long)i, d_len); 54555714Skris 54655714Skris /* get the data reused from the init_buf */ 54755714Skris s->s3->tmp.reuse_message=1; 54855714Skris s->s3->tmp.message_type=SSL3_MT_CLIENT_HELLO; 54955714Skris s->s3->tmp.message_size=i; 55055714Skris } 55155714Skris 55259194Skris /* imaginary new state (for program structure): */ 55359194Skris /* s->state = SSL23_SR_CLNT_HELLO_C */ 55459194Skris 55555714Skris if (type == 1) 55655714Skris { 557110007Smarkm#ifdef OPENSSL_NO_SSL2 55859194Skris SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); 55959194Skris goto err; 56055949Skris#else 56155714Skris /* we are talking sslv2 */ 56255714Skris /* we need to clean up the SSLv3/TLSv1 setup and put in the 56355714Skris * sslv2 stuff. */ 56455714Skris 56555714Skris if (s->s2 == NULL) 56655714Skris { 56755714Skris if (!ssl2_new(s)) 56855714Skris goto err; 56955714Skris } 57055714Skris else 57155714Skris ssl2_clear(s); 57255714Skris 57355714Skris if (s->s3 != NULL) ssl3_free(s); 57455714Skris 575110007Smarkm if (!BUF_MEM_grow_clean(s->init_buf, 57655714Skris SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) 57755714Skris { 57855714Skris goto err; 57955714Skris } 58055714Skris 58155714Skris s->state=SSL2_ST_GET_CLIENT_HELLO_A; 582151233Scperciva if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3) 58355714Skris s->s2->ssl2_rollback=0; 58455714Skris else 58568654Skris /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0 58668654Skris * (SSL 3.0 draft/RFC 2246, App. E.2) */ 58755714Skris s->s2->ssl2_rollback=1; 58855714Skris 58959194Skris /* setup the n bytes we have read so we get them from 59055714Skris * the sslv2 buffer */ 59155714Skris s->rstate=SSL_ST_READ_HEADER; 59255714Skris s->packet_length=n; 59355714Skris s->packet= &(s->s2->rbuf[0]); 59455714Skris memcpy(s->packet,buf,n); 59555714Skris s->s2->rbuf_left=n; 59655714Skris s->s2->rbuf_offs=0; 59755714Skris 59855714Skris s->method=SSLv2_server_method(); 59955714Skris s->handshake_func=s->method->ssl_accept; 60055949Skris#endif 60155714Skris } 60255714Skris 60355714Skris if ((type == 2) || (type == 3)) 60455714Skris { 60559194Skris /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ 606277195Sdelphij const SSL_METHOD *new_method; 607277195Sdelphij new_method = ssl23_get_server_method(s->version); 608277195Sdelphij if (new_method == NULL) 609273415Sdelphij { 610273415Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); 611273415Sdelphij goto err; 612273415Sdelphij } 613277195Sdelphij s->method = new_method; 61455714Skris 61555714Skris if (!ssl_init_wbio_buffer(s,1)) goto err; 61655714Skris 61755714Skris /* we are in this state */ 61855714Skris s->state=SSL3_ST_SR_CLNT_HELLO_A; 61955714Skris 62055714Skris if (type == 3) 62155714Skris { 62255714Skris /* put the 'n' bytes we have read into the input buffer 62355714Skris * for SSLv3 */ 62455714Skris s->rstate=SSL_ST_READ_HEADER; 62555714Skris s->packet_length=n; 626238405Sjkim if (s->s3->rbuf.buf == NULL) 627238405Sjkim if (!ssl3_setup_read_buffer(s)) 628238405Sjkim goto err; 629238405Sjkim 63055714Skris s->packet= &(s->s3->rbuf.buf[0]); 63155714Skris memcpy(s->packet,buf,n); 63255714Skris s->s3->rbuf.left=n; 63355714Skris s->s3->rbuf.offset=0; 63455714Skris } 63555714Skris else 63655714Skris { 63755714Skris s->packet_length=0; 63855714Skris s->s3->rbuf.left=0; 63955714Skris s->s3->rbuf.offset=0; 64055714Skris } 64159194Skris#if 0 /* ssl3_get_client_hello does this */ 64255714Skris s->client_version=(v[0]<<8)|v[1]; 64359194Skris#endif 64455714Skris s->handshake_func=s->method->ssl_accept; 64555714Skris } 64655714Skris 64755714Skris if ((type < 1) || (type > 3)) 64855714Skris { 64955714Skris /* bad, very bad */ 65055714Skris SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNKNOWN_PROTOCOL); 65155714Skris goto err; 65255714Skris } 65355714Skris s->init_num=0; 65455714Skris 65568654Skris if (buf != buf_space) OPENSSL_free(buf); 65655714Skris return(SSL_accept(s)); 65755714Skriserr: 65868654Skris if (buf != buf_space) OPENSSL_free(buf); 65955714Skris return(-1); 66055714Skris } 661