s23_srvr.c revision 238405 
155714Skris/* ssl/s23_srvr.c */
255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
355714Skris * All rights reserved.
455714Skris *
555714Skris * This package is an SSL implementation written
655714Skris * by Eric Young (eay@cryptsoft.com).
755714Skris * The implementation was written so as to conform with Netscapes SSL.
855714Skris *
955714Skris * This library is free for commercial and non-commercial use as long as
1055714Skris * the following conditions are aheared to.  The following conditions
1155714Skris * apply to all code found in this distribution, be it the RC4, RSA,
1255714Skris * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
1355714Skris * included with this distribution is covered by the same copyright terms
1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1555714Skris *
1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in
1755714Skris * the code are not to be removed.
1855714Skris * If this package is used in a product, Eric Young should be given attribution
1955714Skris * as the author of the parts of the library used.
2055714Skris * This can be in the form of a textual message at program startup or
2155714Skris * in documentation (online or textual) provided with the package.
2255714Skris *
2355714Skris * Redistribution and use in source and binary forms, with or without
2455714Skris * modification, are permitted provided that the following conditions
2555714Skris * are met:
2655714Skris * 1. Redistributions of source code must retain the copyright
2755714Skris *    notice, this list of conditions and the following disclaimer.
2855714Skris * 2. Redistributions in binary form must reproduce the above copyright
2955714Skris *    notice, this list of conditions and the following disclaimer in the
3055714Skris *    documentation and/or other materials provided with the distribution.
3155714Skris * 3. All advertising materials mentioning features or use of this software
3255714Skris *    must display the following acknowledgement:
3355714Skris *    "This product includes cryptographic software written by
3455714Skris *     Eric Young (eay@cryptsoft.com)"
3555714Skris *    The word 'cryptographic' can be left out if the rouines from the library
3655714Skris *    being used are not cryptographic related :-).
3755714Skris * 4. If you include any Windows specific code (or a derivative thereof) from
3855714Skris *    the apps directory (application code) you must include an acknowledgement:
3955714Skris *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
4055714Skris *
4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
4455714Skris * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
5155714Skris * SUCH DAMAGE.
5255714Skris *
5355714Skris * The licence and distribution terms for any publically available version or
5455714Skris * derivative of this code cannot be changed.  i.e. this code cannot simply be
5555714Skris * copied and put under another distribution licence
5655714Skris * [including the GNU Public Licence.]
5755714Skris */
5889840Skris/* ====================================================================
59238405Sjkim * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
6089840Skris *
6189840Skris * Redistribution and use in source and binary forms, with or without
6289840Skris * modification, are permitted provided that the following conditions
6389840Skris * are met:
6489840Skris *
6589840Skris * 1. Redistributions of source code must retain the above copyright
6689840Skris *    notice, this list of conditions and the following disclaimer.
6789840Skris *
6889840Skris * 2. Redistributions in binary form must reproduce the above copyright
6989840Skris *    notice, this list of conditions and the following disclaimer in
7089840Skris *    the documentation and/or other materials provided with the
7189840Skris *    distribution.
7289840Skris *
7389840Skris * 3. All advertising materials mentioning features or use of this
7489840Skris *    software must display the following acknowledgment:
7589840Skris *    "This product includes software developed by the OpenSSL Project
7689840Skris *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
7789840Skris *
7889840Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
7989840Skris *    endorse or promote products derived from this software without
8089840Skris *    prior written permission. For written permission, please contact
8189840Skris *    openssl-core@openssl.org.
8289840Skris *
8389840Skris * 5. Products derived from this software may not be called "OpenSSL"
8489840Skris *    nor may "OpenSSL" appear in their names without prior written
8589840Skris *    permission of the OpenSSL Project.
8689840Skris *
8789840Skris * 6. Redistributions of any form whatsoever must retain the following
8889840Skris *    acknowledgment:
8989840Skris *    "This product includes software developed by the OpenSSL Project
9089840Skris *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
9189840Skris *
9289840Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9389840Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9489840Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9589840Skris * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
9689840Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9789840Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9889840Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9989840Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
10089840Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
10189840Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
10289840Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
10389840Skris * OF THE POSSIBILITY OF SUCH DAMAGE.
10489840Skris * ====================================================================
10589840Skris *
10689840Skris * This product includes cryptographic software written by Eric Young
10789840Skris * (eay@cryptsoft.com).  This product includes software written by Tim
10889840Skris * Hudson (tjh@cryptsoft.com).
10989840Skris *
11089840Skris */
11155714Skris
11255714Skris#include <stdio.h>
113110007Smarkm#include "ssl_locl.h"
11455714Skris#include <openssl/buffer.h>
11555714Skris#include <openssl/rand.h>
11655714Skris#include <openssl/objects.h>
11755714Skris#include <openssl/evp.h>
118238405Sjkim#ifdef OPENSSL_FIPS
119238405Sjkim#include <openssl/fips.h>
120238405Sjkim#endif
12155714Skris
122238405Sjkimstatic const SSL_METHOD *ssl23_get_server_method(int ver);
12355714Skrisint ssl23_get_client_hello(SSL *s);
124238405Sjkimstatic const SSL_METHOD *ssl23_get_server_method(int ver)
12555714Skris	{
126110007Smarkm#ifndef OPENSSL_NO_SSL2
12755714Skris	if (ver == SSL2_VERSION)
12855714Skris		return(SSLv2_server_method());
12955949Skris#endif
13055714Skris	if (ver == SSL3_VERSION)
13155714Skris		return(SSLv3_server_method());
13255714Skris	else if (ver == TLS1_VERSION)
13355714Skris		return(TLSv1_server_method());
134238405Sjkim	else if (ver == TLS1_1_VERSION)
135238405Sjkim		return(TLSv1_1_server_method());
136238405Sjkim	else if (ver == TLS1_2_VERSION)
137238405Sjkim		return(TLSv1_2_server_method());
13855714Skris	else
13955714Skris		return(NULL);
14055714Skris	}
14155714Skris
142160817SsimonIMPLEMENT_ssl23_meth_func(SSLv23_server_method,
143160817Ssimon			ssl23_accept,
144160817Ssimon			ssl_undefined_function,
145160817Ssimon			ssl23_get_server_method)
14655714Skris
14755714Skrisint ssl23_accept(SSL *s)
14855714Skris	{
14955714Skris	BUF_MEM *buf;
150160817Ssimon	unsigned long Time=(unsigned long)time(NULL);
151110007Smarkm	void (*cb)(const SSL *ssl,int type,int val)=NULL;
15255714Skris	int ret= -1;
15355714Skris	int new_state,state;
15455714Skris
15559194Skris	RAND_add(&Time,sizeof(Time),0);
15655714Skris	ERR_clear_error();
15755714Skris	clear_sys_error();
15855714Skris
15955714Skris	if (s->info_callback != NULL)
16055714Skris		cb=s->info_callback;
16155714Skris	else if (s->ctx->info_callback != NULL)
16255714Skris		cb=s->ctx->info_callback;
16355714Skris
16489840Skris	s->in_handshake++;
16555714Skris	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
16655714Skris
16755714Skris	for (;;)
16855714Skris		{
16955714Skris		state=s->state;
17055714Skris
17155714Skris		switch(s->state)
17255714Skris			{
17355714Skris		case SSL_ST_BEFORE:
17455714Skris		case SSL_ST_ACCEPT:
17555714Skris		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
17655714Skris		case SSL_ST_OK|SSL_ST_ACCEPT:
17755714Skris
17855714Skris			s->server=1;
17955714Skris			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
18055714Skris
18155714Skris			/* s->version=SSL3_VERSION; */
18255714Skris			s->type=SSL_ST_ACCEPT;
18355714Skris
18455714Skris			if (s->init_buf == NULL)
18555714Skris				{
18655714Skris				if ((buf=BUF_MEM_new()) == NULL)
18755714Skris					{
18855714Skris					ret= -1;
18955714Skris					goto end;
19055714Skris					}
19155714Skris				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
19255714Skris					{
19355714Skris					ret= -1;
19455714Skris					goto end;
19555714Skris					}
19655714Skris				s->init_buf=buf;
19755714Skris				}
19855714Skris
19955714Skris			ssl3_init_finished_mac(s);
20055714Skris
20155714Skris			s->state=SSL23_ST_SR_CLNT_HELLO_A;
20255714Skris			s->ctx->stats.sess_accept++;
20355714Skris			s->init_num=0;
20455714Skris			break;
20555714Skris
20655714Skris		case SSL23_ST_SR_CLNT_HELLO_A:
20755714Skris		case SSL23_ST_SR_CLNT_HELLO_B:
20855714Skris
20955714Skris			s->shutdown=0;
21055714Skris			ret=ssl23_get_client_hello(s);
21155714Skris			if (ret >= 0) cb=NULL;
21255714Skris			goto end;
21355714Skris			/* break; */
21455714Skris
21555714Skris		default:
21655714Skris			SSLerr(SSL_F_SSL23_ACCEPT,SSL_R_UNKNOWN_STATE);
21755714Skris			ret= -1;
21855714Skris			goto end;
21955714Skris			/* break; */
22055714Skris			}
22155714Skris
22255714Skris		if ((cb != NULL) && (s->state != state))
22355714Skris			{
22455714Skris			new_state=s->state;
22555714Skris			s->state=state;
22655714Skris			cb(s,SSL_CB_ACCEPT_LOOP,1);
22755714Skris			s->state=new_state;
22855714Skris			}
22955714Skris		}
23055714Skrisend:
23189840Skris	s->in_handshake--;
23255714Skris	if (cb != NULL)
23355714Skris		cb(s,SSL_CB_ACCEPT_EXIT,ret);
23455714Skris	return(ret);
23555714Skris	}
23655714Skris
23755714Skris
23855714Skrisint ssl23_get_client_hello(SSL *s)
23955714Skris	{
24059194Skris	char buf_space[11]; /* Request this many bytes in initial read.
24159194Skris	                     * We can detect SSL 3.0/TLS 1.0 Client Hellos
24259194Skris	                     * ('type == 3') correctly only when the following
24359194Skris	                     * is in a single record, which is not guaranteed by
24459194Skris	                     * the protocol specification:
24559194Skris	                     * Byte  Content
24659194Skris	                     *  0     type            \
24759194Skris	                     *  1/2   version          > record header
24859194Skris	                     *  3/4   length          /
24959194Skris	                     *  5     msg_type        \
25059194Skris	                     *  6-8   length           > Client Hello message
25159194Skris	                     *  9/10  client_version  /
25259194Skris	                     */
25355714Skris	char *buf= &(buf_space[0]);
254110007Smarkm	unsigned char *p,*d,*d_len,*dd;
25555714Skris	unsigned int i;
25655714Skris	unsigned int csl,sil,cl;
25759194Skris	int n=0,j;
25859194Skris	int type=0;
25955714Skris	int v[2];
26055714Skris
26155714Skris	if (s->state ==	SSL23_ST_SR_CLNT_HELLO_A)
26255714Skris		{
26359194Skris		/* read the initial header */
26459194Skris		v[0]=v[1]=0;
26559194Skris
26655714Skris		if (!ssl3_setup_buffers(s)) goto err;
26755714Skris
26859194Skris		n=ssl23_read_bytes(s, sizeof buf_space);
26959194Skris		if (n != sizeof buf_space) return(n); /* n == -1 || n == 0 */
27055714Skris
27155714Skris		p=s->packet;
27255714Skris
27355714Skris		memcpy(buf,p,n);
27455714Skris
27555714Skris		if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO))
27655714Skris			{
27759194Skris			/*
27859194Skris			 * SSLv2 header
27959194Skris			 */
28055714Skris			if ((p[3] == 0x00) && (p[4] == 0x02))
28155714Skris				{
28255714Skris				v[0]=p[3]; v[1]=p[4];
28355714Skris				/* SSLv2 */
28455714Skris				if (!(s->options & SSL_OP_NO_SSLv2))
28555714Skris					type=1;
28655714Skris				}
28755714Skris			else if (p[3] == SSL3_VERSION_MAJOR)
28855714Skris				{
28955714Skris				v[0]=p[3]; v[1]=p[4];
29055714Skris				/* SSLv3/TLSv1 */
29155714Skris				if (p[4] >= TLS1_VERSION_MINOR)
29255714Skris					{
293238405Sjkim					if (p[4] >= TLS1_2_VERSION_MINOR &&
294238405Sjkim					   !(s->options & SSL_OP_NO_TLSv1_2))
29555714Skris						{
296238405Sjkim						s->version=TLS1_2_VERSION;
297238405Sjkim						s->state=SSL23_ST_SR_CLNT_HELLO_B;
298238405Sjkim						}
299238405Sjkim					else if (p[4] >= TLS1_1_VERSION_MINOR &&
300238405Sjkim					   !(s->options & SSL_OP_NO_TLSv1_1))
301238405Sjkim						{
302238405Sjkim						s->version=TLS1_1_VERSION;
303238405Sjkim						/* type=2; */ /* done later to survive restarts */
304238405Sjkim						s->state=SSL23_ST_SR_CLNT_HELLO_B;
305238405Sjkim						}
306238405Sjkim					else if (!(s->options & SSL_OP_NO_TLSv1))
307238405Sjkim						{
30859194Skris						s->version=TLS1_VERSION;
30959194Skris						/* type=2; */ /* done later to survive restarts */
31055714Skris						s->state=SSL23_ST_SR_CLNT_HELLO_B;
31155714Skris						}
31255714Skris					else if (!(s->options & SSL_OP_NO_SSLv3))
31355714Skris						{
31459194Skris						s->version=SSL3_VERSION;
31559194Skris						/* type=2; */
31655714Skris						s->state=SSL23_ST_SR_CLNT_HELLO_B;
31755714Skris						}
31855714Skris					else if (!(s->options & SSL_OP_NO_SSLv2))
31955714Skris						{
32055714Skris						type=1;
32155714Skris						}
32255714Skris					}
32355714Skris				else if (!(s->options & SSL_OP_NO_SSLv3))
32459194Skris					{
32559194Skris					s->version=SSL3_VERSION;
32659194Skris					/* type=2; */
32755714Skris					s->state=SSL23_ST_SR_CLNT_HELLO_B;
32859194Skris					}
32955714Skris				else if (!(s->options & SSL_OP_NO_SSLv2))
33055714Skris					type=1;
33155714Skris
33255714Skris				}
33355714Skris			}
33455714Skris		else if ((p[0] == SSL3_RT_HANDSHAKE) &&
33555714Skris			 (p[1] == SSL3_VERSION_MAJOR) &&
33659194Skris			 (p[5] == SSL3_MT_CLIENT_HELLO) &&
33759194Skris			 ((p[3] == 0 && p[4] < 5 /* silly record length? */)
338205128Ssimon				|| (p[9] >= p[1])))
33955714Skris			{
34059194Skris			/*
34159194Skris			 * SSLv3 or tls1 header
34259194Skris			 */
34359194Skris
34468654Skris			v[0]=p[1]; /* major version (= SSL3_VERSION_MAJOR) */
34559194Skris			/* We must look at client_version inside the Client Hello message
34668654Skris			 * to get the correct minor version.
34768654Skris			 * However if we have only a pathologically small fragment of the
34889840Skris			 * Client Hello message, this would be difficult, and we'd have
34989840Skris			 * to read more records to find out.
35089840Skris			 * No known SSL 3.0 client fragments ClientHello like this,
35189840Skris			 * so we simply assume TLS 1.0 to avoid protocol version downgrade
35289840Skris			 * attacks. */
35359194Skris			if (p[3] == 0 && p[4] < 6)
35468654Skris				{
35589840Skris#if 0
35668654Skris				SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
35768654Skris				goto err;
35889840Skris#else
35989840Skris				v[1] = TLS1_VERSION_MINOR;
36089840Skris#endif
36168654Skris				}
362205128Ssimon			/* if major version number > 3 set minor to a value
363205128Ssimon			 * which will use the highest version 3 we support.
364205128Ssimon			 * If TLS 2.0 ever appears we will need to revise
365205128Ssimon			 * this....
366205128Ssimon			 */
367205128Ssimon			else if (p[9] > SSL3_VERSION_MAJOR)
368205128Ssimon				v[1]=0xff;
36989840Skris			else
37089840Skris				v[1]=p[10]; /* minor version according to client_version */
37159194Skris			if (v[1] >= TLS1_VERSION_MINOR)
37255714Skris				{
373238405Sjkim				if (v[1] >= TLS1_2_VERSION_MINOR &&
374238405Sjkim					!(s->options & SSL_OP_NO_TLSv1_2))
37555714Skris					{
376238405Sjkim					s->version=TLS1_2_VERSION;
377238405Sjkim					type=3;
378238405Sjkim					}
379238405Sjkim				else if (v[1] >= TLS1_1_VERSION_MINOR &&
380238405Sjkim					!(s->options & SSL_OP_NO_TLSv1_1))
381238405Sjkim					{
382238405Sjkim					s->version=TLS1_1_VERSION;
383238405Sjkim					type=3;
384238405Sjkim					}
385238405Sjkim				else if (!(s->options & SSL_OP_NO_TLSv1))
386238405Sjkim					{
38759194Skris					s->version=TLS1_VERSION;
38855714Skris					type=3;
38955714Skris					}
39055714Skris				else if (!(s->options & SSL_OP_NO_SSLv3))
39159194Skris					{
39259194Skris					s->version=SSL3_VERSION;
39355714Skris					type=3;
39459194Skris					}
39555714Skris				}
39689840Skris			else
39759194Skris				{
39889840Skris				/* client requests SSL 3.0 */
39989840Skris				if (!(s->options & SSL_OP_NO_SSLv3))
40089840Skris					{
40189840Skris					s->version=SSL3_VERSION;
40289840Skris					type=3;
40389840Skris					}
40489840Skris				else if (!(s->options & SSL_OP_NO_TLSv1))
40589840Skris					{
40689840Skris					/* we won't be able to use TLS of course,
40789840Skris					 * but this will send an appropriate alert */
40889840Skris					s->version=TLS1_VERSION;
40989840Skris					type=3;
41089840Skris					}
41159194Skris				}
41255714Skris			}
41355714Skris		else if ((strncmp("GET ", (char *)p,4) == 0) ||
41455714Skris			 (strncmp("POST ",(char *)p,5) == 0) ||
41555714Skris			 (strncmp("HEAD ",(char *)p,5) == 0) ||
41655714Skris			 (strncmp("PUT ", (char *)p,4) == 0))
41755714Skris			{
41855714Skris			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTP_REQUEST);
41955714Skris			goto err;
42055714Skris			}
42155714Skris		else if (strncmp("CONNECT",(char *)p,7) == 0)
42255714Skris			{
42355714Skris			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTPS_PROXY_REQUEST);
42455714Skris			goto err;
42555714Skris			}
42655714Skris		}
42755714Skris
428194206Ssimon#ifdef OPENSSL_FIPS
429194206Ssimon	if (FIPS_mode() && (s->version < TLS1_VERSION))
430194206Ssimon		{
431194206Ssimon		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
432194206Ssimon					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
433194206Ssimon		goto err;
434194206Ssimon		}
435194206Ssimon#endif
436194206Ssimon
43755714Skris	if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
43855714Skris		{
43959194Skris		/* we have SSLv3/TLSv1 in an SSLv2 header
44059194Skris		 * (other cases skip this state) */
44159194Skris
44255714Skris		type=2;
44355714Skris		p=s->packet;
44459194Skris		v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
44559194Skris		v[1] = p[4];
44659194Skris
44755714Skris		n=((p[0]&0x7f)<<8)|p[1];
44855714Skris		if (n > (1024*4))
44955714Skris			{
45055714Skris			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
45155714Skris			goto err;
45255714Skris			}
45355714Skris
45455714Skris		j=ssl23_read_bytes(s,n+2);
45555714Skris		if (j <= 0) return(j);
45655714Skris
457110007Smarkm		ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
458110007Smarkm		if (s->msg_callback)
459110007Smarkm			s->msg_callback(0, SSL2_VERSION, 0, s->packet+2, s->packet_length-2, s, s->msg_callback_arg); /* CLIENT-HELLO */
46055714Skris
46155714Skris		p=s->packet;
46255714Skris		p+=5;
46355714Skris		n2s(p,csl);
46455714Skris		n2s(p,sil);
46555714Skris		n2s(p,cl);
46655714Skris		d=(unsigned char *)s->init_buf->data;
467238405Sjkim		if ((csl+sil+cl+11) != s->packet_length) /* We can't have TLS extensions in SSL 2.0 format
468238405Sjkim		                                          * Client Hello, can we? Error condition should be
469238405Sjkim		                                          * '>' otherweise */
47055714Skris			{
47155714Skris			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
47255714Skris			goto err;
47355714Skris			}
47455714Skris
475110007Smarkm		/* record header: msg_type ... */
476110007Smarkm		*(d++) = SSL3_MT_CLIENT_HELLO;
477110007Smarkm		/* ... and length (actual value will be written later) */
478110007Smarkm		d_len = d;
479110007Smarkm		d += 3;
480110007Smarkm
481110007Smarkm		/* client_version */
48259194Skris		*(d++) = SSL3_VERSION_MAJOR; /* == v[0] */
48359194Skris		*(d++) = v[1];
48455714Skris
48555714Skris		/* lets populate the random area */
48659194Skris		/* get the challenge_length */
48755714Skris		i=(cl > SSL3_RANDOM_SIZE)?SSL3_RANDOM_SIZE:cl;
48855714Skris		memset(d,0,SSL3_RANDOM_SIZE);
48955714Skris		memcpy(&(d[SSL3_RANDOM_SIZE-i]),&(p[csl+sil]),i);
49055714Skris		d+=SSL3_RANDOM_SIZE;
49155714Skris
49255714Skris		/* no session-id reuse */
49355714Skris		*(d++)=0;
49455714Skris
49555714Skris		/* ciphers */
49655714Skris		j=0;
49755714Skris		dd=d;
49855714Skris		d+=2;
49955714Skris		for (i=0; i<csl; i+=3)
50055714Skris			{
50155714Skris			if (p[i] != 0) continue;
50255714Skris			*(d++)=p[i+1];
50355714Skris			*(d++)=p[i+2];
50455714Skris			j+=2;
50555714Skris			}
50655714Skris		s2n(j,dd);
50755714Skris
50855714Skris		/* COMPRESSION */
50955714Skris		*(d++)=1;
51055714Skris		*(d++)=0;
51155714Skris
512238405Sjkim#if 0
513238405Sjkim                /* copy any remaining data with may be extensions */
514238405Sjkim	        p = p+csl+sil+cl;
515238405Sjkim		while (p <  s->packet+s->packet_length)
516238405Sjkim			{
517238405Sjkim			*(d++)=*(p++);
518238405Sjkim			}
519238405Sjkim#endif
520238405Sjkim
521110007Smarkm		i = (d-(unsigned char *)s->init_buf->data) - 4;
522110007Smarkm		l2n3((long)i, d_len);
52355714Skris
52455714Skris		/* get the data reused from the init_buf */
52555714Skris		s->s3->tmp.reuse_message=1;
52655714Skris		s->s3->tmp.message_type=SSL3_MT_CLIENT_HELLO;
52755714Skris		s->s3->tmp.message_size=i;
52855714Skris		}
52955714Skris
53059194Skris	/* imaginary new state (for program structure): */
53159194Skris	/* s->state = SSL23_SR_CLNT_HELLO_C */
53259194Skris
53355714Skris	if (type == 1)
53455714Skris		{
535110007Smarkm#ifdef OPENSSL_NO_SSL2
53659194Skris		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
53759194Skris		goto err;
53855949Skris#else
53955714Skris		/* we are talking sslv2 */
54055714Skris		/* we need to clean up the SSLv3/TLSv1 setup and put in the
54155714Skris		 * sslv2 stuff. */
54255714Skris
54355714Skris		if (s->s2 == NULL)
54455714Skris			{
54555714Skris			if (!ssl2_new(s))
54655714Skris				goto err;
54755714Skris			}
54855714Skris		else
54955714Skris			ssl2_clear(s);
55055714Skris
55155714Skris		if (s->s3 != NULL) ssl3_free(s);
55255714Skris
553110007Smarkm		if (!BUF_MEM_grow_clean(s->init_buf,
55455714Skris			SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
55555714Skris			{
55655714Skris			goto err;
55755714Skris			}
55855714Skris
55955714Skris		s->state=SSL2_ST_GET_CLIENT_HELLO_A;
560151233Scperciva		if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
56155714Skris			s->s2->ssl2_rollback=0;
56255714Skris		else
56368654Skris			/* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
56468654Skris			 * (SSL 3.0 draft/RFC 2246, App. E.2) */
56555714Skris			s->s2->ssl2_rollback=1;
56655714Skris
56759194Skris		/* setup the n bytes we have read so we get them from
56855714Skris		 * the sslv2 buffer */
56955714Skris		s->rstate=SSL_ST_READ_HEADER;
57055714Skris		s->packet_length=n;
57155714Skris		s->packet= &(s->s2->rbuf[0]);
57255714Skris		memcpy(s->packet,buf,n);
57355714Skris		s->s2->rbuf_left=n;
57455714Skris		s->s2->rbuf_offs=0;
57555714Skris
57655714Skris		s->method=SSLv2_server_method();
57755714Skris		s->handshake_func=s->method->ssl_accept;
57855949Skris#endif
57955714Skris		}
58055714Skris
58155714Skris	if ((type == 2) || (type == 3))
58255714Skris		{
58359194Skris		/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
58455714Skris
58555714Skris		if (!ssl_init_wbio_buffer(s,1)) goto err;
58655714Skris
58755714Skris		/* we are in this state */
58855714Skris		s->state=SSL3_ST_SR_CLNT_HELLO_A;
58955714Skris
59055714Skris		if (type == 3)
59155714Skris			{
59255714Skris			/* put the 'n' bytes we have read into the input buffer
59355714Skris			 * for SSLv3 */
59455714Skris			s->rstate=SSL_ST_READ_HEADER;
59555714Skris			s->packet_length=n;
596238405Sjkim			if (s->s3->rbuf.buf == NULL)
597238405Sjkim				if (!ssl3_setup_read_buffer(s))
598238405Sjkim					goto err;
599238405Sjkim
60055714Skris			s->packet= &(s->s3->rbuf.buf[0]);
60155714Skris			memcpy(s->packet,buf,n);
60255714Skris			s->s3->rbuf.left=n;
60355714Skris			s->s3->rbuf.offset=0;
60455714Skris			}
60555714Skris		else
60655714Skris			{
60755714Skris			s->packet_length=0;
60855714Skris			s->s3->rbuf.left=0;
60955714Skris			s->s3->rbuf.offset=0;
61055714Skris			}
611238405Sjkim		if (s->version == TLS1_2_VERSION)
612238405Sjkim			s->method = TLSv1_2_server_method();
613238405Sjkim		else if (s->version == TLS1_1_VERSION)
614238405Sjkim			s->method = TLSv1_1_server_method();
615238405Sjkim		else if (s->version == TLS1_VERSION)
61659194Skris			s->method = TLSv1_server_method();
61755714Skris		else
61859194Skris			s->method = SSLv3_server_method();
61959194Skris#if 0 /* ssl3_get_client_hello does this */
62055714Skris		s->client_version=(v[0]<<8)|v[1];
62159194Skris#endif
62255714Skris		s->handshake_func=s->method->ssl_accept;
62355714Skris		}
62455714Skris
62555714Skris	if ((type < 1) || (type > 3))
62655714Skris		{
62755714Skris		/* bad, very bad */
62855714Skris		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNKNOWN_PROTOCOL);
62955714Skris		goto err;
63055714Skris		}
63155714Skris	s->init_num=0;
63255714Skris
63368654Skris	if (buf != buf_space) OPENSSL_free(buf);
63455714Skris	return(SSL_accept(s));
63555714Skriserr:
63668654Skris	if (buf != buf_space) OPENSSL_free(buf);
63755714Skris	return(-1);
63855714Skris	}
639