155714Skris/* ssl/s23_clnt.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8296341Sdelphij * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15296341Sdelphij * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22296341Sdelphij * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37296341Sdelphij * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40296341Sdelphij * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52296341Sdelphij * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 58238405Sjkim/* ==================================================================== 59238405Sjkim * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60238405Sjkim * 61238405Sjkim * Redistribution and use in source and binary forms, with or without 62238405Sjkim * modification, are permitted provided that the following conditions 63238405Sjkim * are met: 64238405Sjkim * 65238405Sjkim * 1. Redistributions of source code must retain the above copyright 66296341Sdelphij * notice, this list of conditions and the following disclaimer. 67238405Sjkim * 68238405Sjkim * 2. Redistributions in binary form must reproduce the above copyright 69238405Sjkim * notice, this list of conditions and the following disclaimer in 70238405Sjkim * the documentation and/or other materials provided with the 71238405Sjkim * distribution. 72238405Sjkim * 73238405Sjkim * 3. All advertising materials mentioning features or use of this 74238405Sjkim * software must display the following acknowledgment: 75238405Sjkim * "This product includes software developed by the OpenSSL Project 76238405Sjkim * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77238405Sjkim * 78238405Sjkim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79238405Sjkim * endorse or promote products derived from this software without 80238405Sjkim * prior written permission. For written permission, please contact 81238405Sjkim * openssl-core@openssl.org. 82238405Sjkim * 83238405Sjkim * 5. Products derived from this software may not be called "OpenSSL" 84238405Sjkim * nor may "OpenSSL" appear in their names without prior written 85238405Sjkim * permission of the OpenSSL Project. 86238405Sjkim * 87238405Sjkim * 6. Redistributions of any form whatsoever must retain the following 88238405Sjkim * acknowledgment: 89238405Sjkim * "This product includes software developed by the OpenSSL Project 90238405Sjkim * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91238405Sjkim * 92238405Sjkim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93238405Sjkim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94238405Sjkim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95238405Sjkim * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96238405Sjkim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97238405Sjkim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98238405Sjkim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99238405Sjkim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100238405Sjkim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101238405Sjkim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102238405Sjkim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103238405Sjkim * OF THE POSSIBILITY OF SUCH DAMAGE. 104238405Sjkim * ==================================================================== 105238405Sjkim * 106238405Sjkim * This product includes cryptographic software written by Eric Young 107238405Sjkim * (eay@cryptsoft.com). This product includes software written by Tim 108238405Sjkim * Hudson (tjh@cryptsoft.com). 109238405Sjkim * 110238405Sjkim */ 11155714Skris 11255714Skris#include <stdio.h> 113110007Smarkm#include "ssl_locl.h" 11455714Skris#include <openssl/buffer.h> 11555714Skris#include <openssl/rand.h> 11655714Skris#include <openssl/objects.h> 11755714Skris#include <openssl/evp.h> 11855714Skris 119238405Sjkimstatic const SSL_METHOD *ssl23_get_client_method(int ver); 12055714Skrisstatic int ssl23_client_hello(SSL *s); 12155714Skrisstatic int ssl23_get_server_hello(SSL *s); 122238405Sjkimstatic const SSL_METHOD *ssl23_get_client_method(int ver) 123296341Sdelphij{ 124110007Smarkm#ifndef OPENSSL_NO_SSL2 125296341Sdelphij if (ver == SSL2_VERSION) 126296341Sdelphij return (SSLv2_client_method()); 12755949Skris#endif 128273399Sdelphij#ifndef OPENSSL_NO_SSL3 129296341Sdelphij if (ver == SSL3_VERSION) 130296341Sdelphij return (SSLv3_client_method()); 131273399Sdelphij#endif 132296341Sdelphij if (ver == TLS1_VERSION) 133296341Sdelphij return (TLSv1_client_method()); 134296341Sdelphij else if (ver == TLS1_1_VERSION) 135296341Sdelphij return (TLSv1_1_client_method()); 136296341Sdelphij else if (ver == TLS1_2_VERSION) 137296341Sdelphij return (TLSv1_2_client_method()); 138296341Sdelphij else 139296341Sdelphij return (NULL); 140296341Sdelphij} 14155714Skris 142160817SsimonIMPLEMENT_ssl23_meth_func(SSLv23_client_method, 143296341Sdelphij ssl_undefined_function, 144296341Sdelphij ssl23_connect, ssl23_get_client_method) 14555714Skris 14655714Skrisint ssl23_connect(SSL *s) 147296341Sdelphij{ 148296341Sdelphij BUF_MEM *buf = NULL; 149296341Sdelphij unsigned long Time = (unsigned long)time(NULL); 150296341Sdelphij void (*cb) (const SSL *ssl, int type, int val) = NULL; 151296341Sdelphij int ret = -1; 152296341Sdelphij int new_state, state; 15355714Skris 154296341Sdelphij RAND_add(&Time, sizeof(Time), 0); 155296341Sdelphij ERR_clear_error(); 156296341Sdelphij clear_sys_error(); 15755714Skris 158296341Sdelphij if (s->info_callback != NULL) 159296341Sdelphij cb = s->info_callback; 160296341Sdelphij else if (s->ctx->info_callback != NULL) 161296341Sdelphij cb = s->ctx->info_callback; 16255714Skris 163296341Sdelphij s->in_handshake++; 164296341Sdelphij if (!SSL_in_init(s) || SSL_in_before(s)) 165296341Sdelphij SSL_clear(s); 16655714Skris 167296341Sdelphij for (;;) { 168296341Sdelphij state = s->state; 16955714Skris 170296341Sdelphij switch (s->state) { 171296341Sdelphij case SSL_ST_BEFORE: 172296341Sdelphij case SSL_ST_CONNECT: 173296341Sdelphij case SSL_ST_BEFORE | SSL_ST_CONNECT: 174296341Sdelphij case SSL_ST_OK | SSL_ST_CONNECT: 17555714Skris 176296341Sdelphij if (s->session != NULL) { 177296341Sdelphij SSLerr(SSL_F_SSL23_CONNECT, 178296341Sdelphij SSL_R_SSL23_DOING_SESSION_ID_REUSE); 179296341Sdelphij ret = -1; 180296341Sdelphij goto end; 181296341Sdelphij } 182296341Sdelphij s->server = 0; 183296341Sdelphij if (cb != NULL) 184296341Sdelphij cb(s, SSL_CB_HANDSHAKE_START, 1); 18555714Skris 186296341Sdelphij /* s->version=TLS1_VERSION; */ 187296341Sdelphij s->type = SSL_ST_CONNECT; 18855714Skris 189296341Sdelphij if (s->init_buf == NULL) { 190296341Sdelphij if ((buf = BUF_MEM_new()) == NULL) { 191296341Sdelphij ret = -1; 192296341Sdelphij goto end; 193296341Sdelphij } 194296341Sdelphij if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 195296341Sdelphij ret = -1; 196296341Sdelphij goto end; 197296341Sdelphij } 198296341Sdelphij s->init_buf = buf; 199296341Sdelphij buf = NULL; 200296341Sdelphij } 20155714Skris 202296341Sdelphij if (!ssl3_setup_buffers(s)) { 203296341Sdelphij ret = -1; 204296341Sdelphij goto end; 205296341Sdelphij } 20655714Skris 207296341Sdelphij ssl3_init_finished_mac(s); 20855714Skris 209296341Sdelphij s->state = SSL23_ST_CW_CLNT_HELLO_A; 210296341Sdelphij s->ctx->stats.sess_connect++; 211296341Sdelphij s->init_num = 0; 212296341Sdelphij break; 21355714Skris 214296341Sdelphij case SSL23_ST_CW_CLNT_HELLO_A: 215296341Sdelphij case SSL23_ST_CW_CLNT_HELLO_B: 21655714Skris 217296341Sdelphij s->shutdown = 0; 218296341Sdelphij ret = ssl23_client_hello(s); 219296341Sdelphij if (ret <= 0) 220296341Sdelphij goto end; 221296341Sdelphij s->state = SSL23_ST_CR_SRVR_HELLO_A; 222296341Sdelphij s->init_num = 0; 22355714Skris 224296341Sdelphij break; 22555714Skris 226296341Sdelphij case SSL23_ST_CR_SRVR_HELLO_A: 227296341Sdelphij case SSL23_ST_CR_SRVR_HELLO_B: 228296341Sdelphij ret = ssl23_get_server_hello(s); 229296341Sdelphij if (ret >= 0) 230296341Sdelphij cb = NULL; 231296341Sdelphij goto end; 232296341Sdelphij /* break; */ 23355714Skris 234296341Sdelphij default: 235296341Sdelphij SSLerr(SSL_F_SSL23_CONNECT, SSL_R_UNKNOWN_STATE); 236296341Sdelphij ret = -1; 237296341Sdelphij goto end; 238296341Sdelphij /* break; */ 239296341Sdelphij } 24055714Skris 241296341Sdelphij if (s->debug) { 242296341Sdelphij (void)BIO_flush(s->wbio); 243296341Sdelphij } 24455714Skris 245296341Sdelphij if ((cb != NULL) && (s->state != state)) { 246296341Sdelphij new_state = s->state; 247296341Sdelphij s->state = state; 248296341Sdelphij cb(s, SSL_CB_CONNECT_LOOP, 1); 249296341Sdelphij s->state = new_state; 250296341Sdelphij } 251296341Sdelphij } 252296341Sdelphij end: 253296341Sdelphij s->in_handshake--; 254296341Sdelphij if (buf != NULL) 255296341Sdelphij BUF_MEM_free(buf); 256296341Sdelphij if (cb != NULL) 257296341Sdelphij cb(s, SSL_CB_CONNECT_EXIT, ret); 258296341Sdelphij return (ret); 259296341Sdelphij} 260296341Sdelphij 261238405Sjkimstatic int ssl23_no_ssl2_ciphers(SSL *s) 262296341Sdelphij{ 263296341Sdelphij SSL_CIPHER *cipher; 264296341Sdelphij STACK_OF(SSL_CIPHER) *ciphers; 265296341Sdelphij int i; 266296341Sdelphij ciphers = SSL_get_ciphers(s); 267296341Sdelphij for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 268296341Sdelphij cipher = sk_SSL_CIPHER_value(ciphers, i); 269296341Sdelphij if (cipher->algorithm_ssl == SSL_SSLV2) 270296341Sdelphij return 0; 271296341Sdelphij } 272296341Sdelphij return 1; 273296341Sdelphij} 27455714Skris 275296341Sdelphij/* 276296341Sdelphij * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on 277296341Sdelphij * failure, 1 on success. 278296341Sdelphij */ 279264331Sjkimint ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) 280296341Sdelphij{ 281296341Sdelphij int send_time = 0; 282264331Sjkim 283296341Sdelphij if (len < 4) 284296341Sdelphij return 0; 285296341Sdelphij if (server) 286296341Sdelphij send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0; 287296341Sdelphij else 288296341Sdelphij send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0; 289296341Sdelphij if (send_time) { 290296341Sdelphij unsigned long Time = (unsigned long)time(NULL); 291296341Sdelphij unsigned char *p = result; 292296341Sdelphij l2n(Time, p); 293296341Sdelphij return RAND_pseudo_bytes(p, len - 4); 294296341Sdelphij } else 295296341Sdelphij return RAND_pseudo_bytes(result, len); 296296341Sdelphij} 297264331Sjkim 29855714Skrisstatic int ssl23_client_hello(SSL *s) 299296341Sdelphij{ 300296341Sdelphij unsigned char *buf; 301296341Sdelphij unsigned char *p, *d; 302296341Sdelphij int i, ch_len; 303296341Sdelphij unsigned long l; 304296341Sdelphij int ssl2_compat; 305296341Sdelphij int version = 0, version_major, version_minor; 306205128Ssimon#ifndef OPENSSL_NO_COMP 307296341Sdelphij int j; 308296341Sdelphij SSL_COMP *comp; 309205128Ssimon#endif 310296341Sdelphij int ret; 311296341Sdelphij unsigned long mask, options = s->options; 31255714Skris 313296341Sdelphij ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1; 314160817Ssimon 315296341Sdelphij if (ssl2_compat && ssl23_no_ssl2_ciphers(s)) 316296341Sdelphij ssl2_compat = 0; 317238405Sjkim 318296341Sdelphij /* 319296341Sdelphij * SSL_OP_NO_X disables all protocols above X *if* there are 320296341Sdelphij * some protocols below X enabled. This is required in order 321296341Sdelphij * to maintain "version capability" vector contiguous. So 322296341Sdelphij * that if application wants to disable TLS1.0 in favour of 323296341Sdelphij * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the 324296341Sdelphij * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. 325296341Sdelphij */ 326296341Sdelphij mask = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1 327238405Sjkim#if !defined(OPENSSL_NO_SSL3) 328296341Sdelphij | SSL_OP_NO_SSLv3 329238405Sjkim#endif 330238405Sjkim#if !defined(OPENSSL_NO_SSL2) 331296341Sdelphij | (ssl2_compat ? SSL_OP_NO_SSLv2 : 0) 332238405Sjkim#endif 333296341Sdelphij ; 334238405Sjkim#if !defined(OPENSSL_NO_TLS1_2_CLIENT) 335296341Sdelphij version = TLS1_2_VERSION; 336238405Sjkim 337296341Sdelphij if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask) 338296341Sdelphij version = TLS1_1_VERSION; 339238405Sjkim#else 340296341Sdelphij version = TLS1_1_VERSION; 341238405Sjkim#endif 342296341Sdelphij mask &= ~SSL_OP_NO_TLSv1_1; 343296341Sdelphij if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask) 344296341Sdelphij version = TLS1_VERSION; 345296341Sdelphij mask &= ~SSL_OP_NO_TLSv1; 346238405Sjkim#if !defined(OPENSSL_NO_SSL3) 347296341Sdelphij if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask) 348296341Sdelphij version = SSL3_VERSION; 349296341Sdelphij mask &= ~SSL_OP_NO_SSLv3; 350238405Sjkim#endif 351238405Sjkim#if !defined(OPENSSL_NO_SSL2) 352296341Sdelphij if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask) 353296341Sdelphij version = SSL2_VERSION; 354238405Sjkim#endif 355238405Sjkim 356238405Sjkim#ifndef OPENSSL_NO_TLSEXT 357296341Sdelphij if (version != SSL2_VERSION) { 358296341Sdelphij /* 359296341Sdelphij * have to disable SSL 2.0 compatibility if we need TLS extensions 360296341Sdelphij */ 361160817Ssimon 362296341Sdelphij if (s->tlsext_hostname != NULL) 363296341Sdelphij ssl2_compat = 0; 364296341Sdelphij if (s->tlsext_status_type != -1) 365296341Sdelphij ssl2_compat = 0; 366296341Sdelphij# ifdef TLSEXT_TYPE_opaque_prf_input 367296341Sdelphij if (s->ctx->tlsext_opaque_prf_input_callback != 0 368296341Sdelphij || s->tlsext_opaque_prf_input != NULL) 369296341Sdelphij ssl2_compat = 0; 370296341Sdelphij# endif 371296341Sdelphij } 372238405Sjkim#endif 373194206Ssimon 374296341Sdelphij buf = (unsigned char *)s->init_buf->data; 375296341Sdelphij if (s->state == SSL23_ST_CW_CLNT_HELLO_A) { 37655714Skris#if 0 377296341Sdelphij /* don't reuse session-id's */ 378296341Sdelphij if (!ssl_get_new_session(s, 0)) { 379296341Sdelphij return (-1); 380296341Sdelphij } 38155714Skris#endif 38255714Skris 383296341Sdelphij p = s->s3->client_random; 384296341Sdelphij if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) 385296341Sdelphij return -1; 38655714Skris 387296341Sdelphij if (version == TLS1_2_VERSION) { 388296341Sdelphij version_major = TLS1_2_VERSION_MAJOR; 389296341Sdelphij version_minor = TLS1_2_VERSION_MINOR; 390296341Sdelphij } else if (version == TLS1_1_VERSION) { 391296341Sdelphij version_major = TLS1_1_VERSION_MAJOR; 392296341Sdelphij version_minor = TLS1_1_VERSION_MINOR; 393296341Sdelphij } else if (version == TLS1_VERSION) { 394296341Sdelphij version_major = TLS1_VERSION_MAJOR; 395296341Sdelphij version_minor = TLS1_VERSION_MINOR; 396296341Sdelphij } 397194206Ssimon#ifdef OPENSSL_FIPS 398296341Sdelphij else if (FIPS_mode()) { 399296341Sdelphij SSLerr(SSL_F_SSL23_CLIENT_HELLO, 400296341Sdelphij SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); 401296341Sdelphij return -1; 402296341Sdelphij } 403194206Ssimon#endif 404296341Sdelphij else if (version == SSL3_VERSION) { 405296341Sdelphij version_major = SSL3_VERSION_MAJOR; 406296341Sdelphij version_minor = SSL3_VERSION_MINOR; 407296341Sdelphij } else if (version == SSL2_VERSION) { 408296341Sdelphij version_major = SSL2_VERSION_MAJOR; 409296341Sdelphij version_minor = SSL2_VERSION_MINOR; 410296341Sdelphij } else { 411296341Sdelphij SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE); 412296341Sdelphij return (-1); 413296341Sdelphij } 41455714Skris 415296341Sdelphij s->client_version = version; 416160817Ssimon 417296341Sdelphij if (ssl2_compat) { 418296341Sdelphij /* create SSL 2.0 compatible Client Hello */ 41955714Skris 420296341Sdelphij /* two byte record header will be written last */ 421296341Sdelphij d = &(buf[2]); 422296341Sdelphij p = d + 9; /* leave space for message type, version, 423296341Sdelphij * individual length fields */ 424160817Ssimon 425296341Sdelphij *(d++) = SSL2_MT_CLIENT_HELLO; 426296341Sdelphij *(d++) = version_major; 427296341Sdelphij *(d++) = version_minor; 428296341Sdelphij 429296341Sdelphij /* Ciphers supported */ 430296341Sdelphij i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), p, 0); 431296341Sdelphij if (i == 0) { 432296341Sdelphij /* no ciphers */ 433296341Sdelphij SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE); 434296341Sdelphij return -1; 435296341Sdelphij } 436296341Sdelphij s2n(i, d); 437296341Sdelphij p += i; 438296341Sdelphij 439296341Sdelphij /* 440296341Sdelphij * put in the session-id length (zero since there is no reuse) 441296341Sdelphij */ 44255714Skris#if 0 443296341Sdelphij s->session->session_id_length = 0; 44455714Skris#endif 445296341Sdelphij s2n(0, d); 44655714Skris 447296341Sdelphij if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG) 448296341Sdelphij ch_len = SSL2_CHALLENGE_LENGTH; 449296341Sdelphij else 450296341Sdelphij ch_len = SSL2_MAX_CHALLENGE_LENGTH; 45155714Skris 452296341Sdelphij /* write out sslv2 challenge */ 453296341Sdelphij /* 454296341Sdelphij * Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because it 455296341Sdelphij * is one of SSL2_MAX_CHALLENGE_LENGTH (32) or 456296341Sdelphij * SSL2_MAX_CHALLENGE_LENGTH (16), but leave the check in for 457296341Sdelphij * futurproofing 458296341Sdelphij */ 459296341Sdelphij if (SSL3_RANDOM_SIZE < ch_len) 460296341Sdelphij i = SSL3_RANDOM_SIZE; 461296341Sdelphij else 462296341Sdelphij i = ch_len; 463296341Sdelphij s2n(i, d); 464296341Sdelphij memset(&(s->s3->client_random[0]), 0, SSL3_RANDOM_SIZE); 465296341Sdelphij if (RAND_pseudo_bytes 466296341Sdelphij (&(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i) <= 0) 467296341Sdelphij return -1; 468160817Ssimon 469296341Sdelphij memcpy(p, &(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i); 470296341Sdelphij p += i; 471160817Ssimon 472296341Sdelphij i = p - &(buf[2]); 473296341Sdelphij buf[0] = ((i >> 8) & 0xff) | 0x80; 474296341Sdelphij buf[1] = (i & 0xff); 475160817Ssimon 476296341Sdelphij /* number of bytes to write */ 477296341Sdelphij s->init_num = i + 2; 478296341Sdelphij s->init_off = 0; 479160817Ssimon 480296341Sdelphij ssl3_finish_mac(s, &(buf[2]), i); 481296341Sdelphij } else { 482296341Sdelphij /* create Client Hello in SSL 3.0/TLS 1.0 format */ 483142428Snectar 484296341Sdelphij /* 485296341Sdelphij * do the record header (5 bytes) and handshake message header (4 486296341Sdelphij * bytes) last 487296341Sdelphij */ 488296341Sdelphij d = p = &(buf[9]); 48955714Skris 490296341Sdelphij *(p++) = version_major; 491296341Sdelphij *(p++) = version_minor; 49255714Skris 493296341Sdelphij /* Random stuff */ 494296341Sdelphij memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); 495296341Sdelphij p += SSL3_RANDOM_SIZE; 496160817Ssimon 497296341Sdelphij /* Session ID (zero since there is no reuse) */ 498296341Sdelphij *(p++) = 0; 499296341Sdelphij 500296341Sdelphij /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */ 501296341Sdelphij i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 502296341Sdelphij ssl3_put_cipher_by_char); 503296341Sdelphij if (i == 0) { 504296341Sdelphij SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE); 505296341Sdelphij return -1; 506296341Sdelphij } 507238405Sjkim#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 508296341Sdelphij /* 509296341Sdelphij * Some servers hang if client hello > 256 bytes as hack 510296341Sdelphij * workaround chop number of supported ciphers to keep it well 511296341Sdelphij * below this if we use TLS v1.2 512296341Sdelphij */ 513296341Sdelphij if (TLS1_get_version(s) >= TLS1_2_VERSION 514296341Sdelphij && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) 515296341Sdelphij i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 516238405Sjkim#endif 517296341Sdelphij s2n(i, p); 518296341Sdelphij p += i; 519238405Sjkim 520296341Sdelphij /* COMPRESSION */ 521215697Ssimon#ifdef OPENSSL_NO_COMP 522296341Sdelphij *(p++) = 1; 523215697Ssimon#else 524296341Sdelphij if ((s->options & SSL_OP_NO_COMPRESSION) 525296341Sdelphij || !s->ctx->comp_methods) 526296341Sdelphij j = 0; 527296341Sdelphij else 528296341Sdelphij j = sk_SSL_COMP_num(s->ctx->comp_methods); 529296341Sdelphij *(p++) = 1 + j; 530296341Sdelphij for (i = 0; i < j; i++) { 531296341Sdelphij comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); 532296341Sdelphij *(p++) = comp->id; 533296341Sdelphij } 534215697Ssimon#endif 535296341Sdelphij *(p++) = 0; /* Add the NULL method */ 536238405Sjkim 537194206Ssimon#ifndef OPENSSL_NO_TLSEXT 538296341Sdelphij /* TLS extensions */ 539296341Sdelphij if (ssl_prepare_clienthello_tlsext(s) <= 0) { 540296341Sdelphij SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 541296341Sdelphij return -1; 542296341Sdelphij } 543296341Sdelphij if ((p = 544296341Sdelphij ssl_add_clienthello_tlsext(s, p, 545296341Sdelphij buf + 546296341Sdelphij SSL3_RT_MAX_PLAIN_LENGTH)) == 547296341Sdelphij NULL) { 548296341Sdelphij SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 549296341Sdelphij return -1; 550296341Sdelphij } 551194206Ssimon#endif 552160817Ssimon 553296341Sdelphij l = p - d; 554160817Ssimon 555296341Sdelphij /* fill in 4-byte handshake header */ 556296341Sdelphij d = &(buf[5]); 557296341Sdelphij *(d++) = SSL3_MT_CLIENT_HELLO; 558296341Sdelphij l2n3(l, d); 559160817Ssimon 560296341Sdelphij l += 4; 561160817Ssimon 562296341Sdelphij if (l > SSL3_RT_MAX_PLAIN_LENGTH) { 563296341Sdelphij SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 564296341Sdelphij return -1; 565296341Sdelphij } 566160817Ssimon 567296341Sdelphij /* fill in 5-byte record header */ 568296341Sdelphij d = buf; 569296341Sdelphij *(d++) = SSL3_RT_HANDSHAKE; 570296341Sdelphij *(d++) = version_major; 571296341Sdelphij /* 572296341Sdelphij * Some servers hang if we use long client hellos and a record 573296341Sdelphij * number > TLS 1.0. 574296341Sdelphij */ 575296341Sdelphij if (TLS1_get_client_version(s) > TLS1_VERSION) 576296341Sdelphij *(d++) = 1; 577296341Sdelphij else 578296341Sdelphij *(d++) = version_minor; 579296341Sdelphij s2n((int)l, d); 580160817Ssimon 581296341Sdelphij /* number of bytes to write */ 582296341Sdelphij s->init_num = p - buf; 583296341Sdelphij s->init_off = 0; 58455714Skris 585296341Sdelphij ssl3_finish_mac(s, &(buf[5]), s->init_num - 5); 586296341Sdelphij } 587160817Ssimon 588296341Sdelphij s->state = SSL23_ST_CW_CLNT_HELLO_B; 589296341Sdelphij s->init_off = 0; 590296341Sdelphij } 591160817Ssimon 592296341Sdelphij /* SSL3_ST_CW_CLNT_HELLO_B */ 593296341Sdelphij ret = ssl23_write_bytes(s); 594160817Ssimon 595296341Sdelphij if ((ret >= 2) && s->msg_callback) { 596296341Sdelphij /* Client Hello has been sent; tell msg_callback */ 59755714Skris 598296341Sdelphij if (ssl2_compat) 599296341Sdelphij s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data + 2, 600296341Sdelphij ret - 2, s, s->msg_callback_arg); 601296341Sdelphij else 602296341Sdelphij s->msg_callback(1, version, SSL3_RT_HANDSHAKE, 603296341Sdelphij s->init_buf->data + 5, ret - 5, s, 604296341Sdelphij s->msg_callback_arg); 605296341Sdelphij } 606296341Sdelphij 607296341Sdelphij return ret; 608296341Sdelphij} 609296341Sdelphij 61055714Skrisstatic int ssl23_get_server_hello(SSL *s) 611296341Sdelphij{ 612296341Sdelphij char buf[8]; 613296341Sdelphij unsigned char *p; 614296341Sdelphij int i; 615296341Sdelphij int n; 61655714Skris 617296341Sdelphij n = ssl23_read_bytes(s, 7); 61855714Skris 619296341Sdelphij if (n != 7) 620296341Sdelphij return (n); 621296341Sdelphij p = s->packet; 62255714Skris 623296341Sdelphij memcpy(buf, p, n); 62455714Skris 625296341Sdelphij if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) && 626296341Sdelphij (p[5] == 0x00) && (p[6] == 0x02)) { 627110007Smarkm#ifdef OPENSSL_NO_SSL2 628296341Sdelphij SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); 629296341Sdelphij goto err; 63055949Skris#else 631296341Sdelphij /* we are talking sslv2 */ 632296341Sdelphij /* 633296341Sdelphij * we need to clean up the SSLv3 setup and put in the sslv2 stuff. 634296341Sdelphij */ 635296341Sdelphij int ch_len; 63655714Skris 637296341Sdelphij if (s->options & SSL_OP_NO_SSLv2) { 638296341Sdelphij SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); 639296341Sdelphij goto err; 640296341Sdelphij } 641296341Sdelphij if (s->s2 == NULL) { 642296341Sdelphij if (!ssl2_new(s)) 643296341Sdelphij goto err; 644296341Sdelphij } else 645296341Sdelphij ssl2_clear(s); 64655714Skris 647296341Sdelphij if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG) 648296341Sdelphij ch_len = SSL2_CHALLENGE_LENGTH; 649296341Sdelphij else 650296341Sdelphij ch_len = SSL2_MAX_CHALLENGE_LENGTH; 65155714Skris 652296341Sdelphij /* write out sslv2 challenge */ 653296341Sdelphij /* 654296341Sdelphij * Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because it is 655296341Sdelphij * one of SSL2_MAX_CHALLENGE_LENGTH (32) or SSL2_MAX_CHALLENGE_LENGTH 656296341Sdelphij * (16), but leave the check in for futurproofing 657296341Sdelphij */ 658296341Sdelphij i = (SSL3_RANDOM_SIZE < ch_len) 659296341Sdelphij ? SSL3_RANDOM_SIZE : ch_len; 660296341Sdelphij s->s2->challenge_length = i; 661296341Sdelphij memcpy(s->s2->challenge, 662296341Sdelphij &(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i); 66355714Skris 664296341Sdelphij if (s->s3 != NULL) 665296341Sdelphij ssl3_free(s); 66655714Skris 667296341Sdelphij if (!BUF_MEM_grow_clean(s->init_buf, 668296341Sdelphij SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { 669296341Sdelphij SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, ERR_R_BUF_LIB); 670296341Sdelphij goto err; 671296341Sdelphij } 67255714Skris 673296341Sdelphij s->state = SSL2_ST_GET_SERVER_HELLO_A; 674296341Sdelphij if (!(s->client_version == SSL2_VERSION)) 675296341Sdelphij /* 676296341Sdelphij * use special padding (SSL 3.0 draft/RFC 2246, App. E.2) 677296341Sdelphij */ 678296341Sdelphij s->s2->ssl2_rollback = 1; 67955714Skris 680296341Sdelphij /* 681296341Sdelphij * setup the 7 bytes we have read so we get them from the sslv2 682296341Sdelphij * buffer 683296341Sdelphij */ 684296341Sdelphij s->rstate = SSL_ST_READ_HEADER; 685296341Sdelphij s->packet_length = n; 686296341Sdelphij s->packet = &(s->s2->rbuf[0]); 687296341Sdelphij memcpy(s->packet, buf, n); 688296341Sdelphij s->s2->rbuf_left = n; 689296341Sdelphij s->s2->rbuf_offs = 0; 69055714Skris 691296341Sdelphij /* we have already written one */ 692296341Sdelphij s->s2->write_sequence = 1; 69355714Skris 694296341Sdelphij s->method = SSLv2_client_method(); 695296341Sdelphij s->handshake_func = s->method->ssl_connect; 69655949Skris#endif 697296341Sdelphij } else if (p[1] == SSL3_VERSION_MAJOR && 698296341Sdelphij p[2] <= TLS1_2_VERSION_MINOR && 699296341Sdelphij ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) || 700296341Sdelphij (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) { 701296341Sdelphij /* we have sslv3 or tls1 (server hello or alert) */ 70255714Skris 703273399Sdelphij#ifndef OPENSSL_NO_SSL3 704296341Sdelphij if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) { 705296341Sdelphij# ifdef OPENSSL_FIPS 706296341Sdelphij if (FIPS_mode()) { 707296341Sdelphij SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, 708296341Sdelphij SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); 709296341Sdelphij goto err; 710296341Sdelphij } 711296341Sdelphij# endif 712296341Sdelphij s->version = SSL3_VERSION; 713296341Sdelphij s->method = SSLv3_client_method(); 714296341Sdelphij } else 715194206Ssimon#endif 716296341Sdelphij if ((p[2] == TLS1_VERSION_MINOR) && !(s->options & SSL_OP_NO_TLSv1)) { 717296341Sdelphij s->version = TLS1_VERSION; 718296341Sdelphij s->method = TLSv1_client_method(); 719296341Sdelphij } else if ((p[2] == TLS1_1_VERSION_MINOR) && 720296341Sdelphij !(s->options & SSL_OP_NO_TLSv1_1)) { 721296341Sdelphij s->version = TLS1_1_VERSION; 722296341Sdelphij s->method = TLSv1_1_client_method(); 723296341Sdelphij } else if ((p[2] == TLS1_2_VERSION_MINOR) && 724296341Sdelphij !(s->options & SSL_OP_NO_TLSv1_2)) { 725296341Sdelphij s->version = TLS1_2_VERSION; 726296341Sdelphij s->method = TLSv1_2_client_method(); 727296341Sdelphij } else { 728296341Sdelphij SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); 729296341Sdelphij goto err; 730296341Sdelphij } 731238405Sjkim 732296341Sdelphij /* ensure that TLS_MAX_VERSION is up-to-date */ 733296341Sdelphij OPENSSL_assert(s->version <= TLS_MAX_VERSION); 734273399Sdelphij 735296341Sdelphij if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) { 736296341Sdelphij /* fatal alert */ 737238405Sjkim 738296341Sdelphij void (*cb) (const SSL *ssl, int type, int val) = NULL; 739296341Sdelphij int j; 740238405Sjkim 741296341Sdelphij if (s->info_callback != NULL) 742296341Sdelphij cb = s->info_callback; 743296341Sdelphij else if (s->ctx->info_callback != NULL) 744296341Sdelphij cb = s->ctx->info_callback; 74555714Skris 746296341Sdelphij i = p[5]; 747296341Sdelphij if (cb != NULL) { 748296341Sdelphij j = (i << 8) | p[6]; 749296341Sdelphij cb(s, SSL_CB_READ_ALERT, j); 750296341Sdelphij } 75155714Skris 752296341Sdelphij if (s->msg_callback) 753296341Sdelphij s->msg_callback(0, s->version, SSL3_RT_ALERT, p + 5, 2, s, 754296341Sdelphij s->msg_callback_arg); 755238405Sjkim 756296341Sdelphij s->rwstate = SSL_NOTHING; 757296341Sdelphij SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_AD_REASON_OFFSET + p[6]); 758296341Sdelphij goto err; 759296341Sdelphij } 760238405Sjkim 761296341Sdelphij if (!ssl_init_wbio_buffer(s, 1)) 762296341Sdelphij goto err; 763238405Sjkim 764296341Sdelphij /* we are in this state */ 765296341Sdelphij s->state = SSL3_ST_CR_SRVR_HELLO_A; 76655714Skris 767296341Sdelphij /* 768296341Sdelphij * put the 7 bytes we have read into the input buffer for SSLv3 769296341Sdelphij */ 770296341Sdelphij s->rstate = SSL_ST_READ_HEADER; 771296341Sdelphij s->packet_length = n; 772296341Sdelphij if (s->s3->rbuf.buf == NULL) 773296341Sdelphij if (!ssl3_setup_read_buffer(s)) 774296341Sdelphij goto err; 775296341Sdelphij s->packet = &(s->s3->rbuf.buf[0]); 776296341Sdelphij memcpy(s->packet, buf, n); 777296341Sdelphij s->s3->rbuf.left = n; 778296341Sdelphij s->s3->rbuf.offset = 0; 77955714Skris 780296341Sdelphij s->handshake_func = s->method->ssl_connect; 781296341Sdelphij } else { 782296341Sdelphij SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL); 783296341Sdelphij goto err; 784296341Sdelphij } 785296341Sdelphij s->init_num = 0; 786296341Sdelphij 787296341Sdelphij /* 788296341Sdelphij * Since, if we are sending a ssl23 client hello, we are not reusing a 789296341Sdelphij * session-id 790296341Sdelphij */ 791296341Sdelphij if (!ssl_get_new_session(s, 0)) 792296341Sdelphij goto err; 793296341Sdelphij 794296341Sdelphij return (SSL_connect(s)); 795296341Sdelphij err: 796296341Sdelphij return (-1); 797296341Sdelphij} 798