155714Skris/* ssl/s23_srvr.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8280304Sjkim * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15280304Sjkim * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22280304Sjkim * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37280304Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40280304Sjkim * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52280304Sjkim * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5889840Skris/* ==================================================================== 59238405Sjkim * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 6089840Skris * 6189840Skris * Redistribution and use in source and binary forms, with or without 6289840Skris * modification, are permitted provided that the following conditions 6389840Skris * are met: 6489840Skris * 6589840Skris * 1. Redistributions of source code must retain the above copyright 66280304Sjkim * notice, this list of conditions and the following disclaimer. 6789840Skris * 6889840Skris * 2. Redistributions in binary form must reproduce the above copyright 6989840Skris * notice, this list of conditions and the following disclaimer in 7089840Skris * the documentation and/or other materials provided with the 7189840Skris * distribution. 7289840Skris * 7389840Skris * 3. All advertising materials mentioning features or use of this 7489840Skris * software must display the following acknowledgment: 7589840Skris * "This product includes software developed by the OpenSSL Project 7689840Skris * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7789840Skris * 7889840Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 7989840Skris * endorse or promote products derived from this software without 8089840Skris * prior written permission. For written permission, please contact 8189840Skris * openssl-core@openssl.org. 8289840Skris * 8389840Skris * 5. Products derived from this software may not be called "OpenSSL" 8489840Skris * nor may "OpenSSL" appear in their names without prior written 8589840Skris * permission of the OpenSSL Project. 8689840Skris * 8789840Skris * 6. Redistributions of any form whatsoever must retain the following 8889840Skris * acknowledgment: 8989840Skris * "This product includes software developed by the OpenSSL Project 9089840Skris * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9189840Skris * 9289840Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 9389840Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9489840Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9589840Skris * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9689840Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9789840Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 9889840Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 9989840Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 10089840Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10189840Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10289840Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10389840Skris * OF THE POSSIBILITY OF SUCH DAMAGE. 10489840Skris * ==================================================================== 10589840Skris * 10689840Skris * This product includes cryptographic software written by Eric Young 10789840Skris * (eay@cryptsoft.com). This product includes software written by Tim 10889840Skris * Hudson (tjh@cryptsoft.com). 10989840Skris * 11089840Skris */ 11155714Skris 11255714Skris#include <stdio.h> 113110007Smarkm#include "ssl_locl.h" 11455714Skris#include <openssl/buffer.h> 11555714Skris#include <openssl/rand.h> 11655714Skris#include <openssl/objects.h> 11755714Skris#include <openssl/evp.h> 118238405Sjkim#ifdef OPENSSL_FIPS 119280304Sjkim# include <openssl/fips.h> 120238405Sjkim#endif 12155714Skris 122238405Sjkimstatic const SSL_METHOD *ssl23_get_server_method(int ver); 12355714Skrisint ssl23_get_client_hello(SSL *s); 124238405Sjkimstatic const SSL_METHOD *ssl23_get_server_method(int ver) 125280304Sjkim{ 126110007Smarkm#ifndef OPENSSL_NO_SSL2 127280304Sjkim if (ver == SSL2_VERSION) 128280304Sjkim return (SSLv2_server_method()); 12955949Skris#endif 130273149Sjkim#ifndef OPENSSL_NO_SSL3 131280304Sjkim if (ver == SSL3_VERSION) 132280304Sjkim return (SSLv3_server_method()); 133273149Sjkim#endif 134280304Sjkim if (ver == TLS1_VERSION) 135280304Sjkim return (TLSv1_server_method()); 136280304Sjkim else if (ver == TLS1_1_VERSION) 137280304Sjkim return (TLSv1_1_server_method()); 138280304Sjkim else if (ver == TLS1_2_VERSION) 139280304Sjkim return (TLSv1_2_server_method()); 140280304Sjkim else 141280304Sjkim return (NULL); 142280304Sjkim} 14355714Skris 144160817SsimonIMPLEMENT_ssl23_meth_func(SSLv23_server_method, 145280304Sjkim ssl23_accept, 146280304Sjkim ssl_undefined_function, ssl23_get_server_method) 14755714Skris 14855714Skrisint ssl23_accept(SSL *s) 149280304Sjkim{ 150280304Sjkim BUF_MEM *buf; 151280304Sjkim unsigned long Time = (unsigned long)time(NULL); 152280304Sjkim void (*cb) (const SSL *ssl, int type, int val) = NULL; 153280304Sjkim int ret = -1; 154280304Sjkim int new_state, state; 15555714Skris 156280304Sjkim RAND_add(&Time, sizeof(Time), 0); 157280304Sjkim ERR_clear_error(); 158280304Sjkim clear_sys_error(); 15955714Skris 160280304Sjkim if (s->info_callback != NULL) 161280304Sjkim cb = s->info_callback; 162280304Sjkim else if (s->ctx->info_callback != NULL) 163280304Sjkim cb = s->ctx->info_callback; 16455714Skris 165280304Sjkim s->in_handshake++; 166280304Sjkim if (!SSL_in_init(s) || SSL_in_before(s)) 167280304Sjkim SSL_clear(s); 16855714Skris 169280304Sjkim for (;;) { 170280304Sjkim state = s->state; 17155714Skris 172280304Sjkim switch (s->state) { 173280304Sjkim case SSL_ST_BEFORE: 174280304Sjkim case SSL_ST_ACCEPT: 175280304Sjkim case SSL_ST_BEFORE | SSL_ST_ACCEPT: 176280304Sjkim case SSL_ST_OK | SSL_ST_ACCEPT: 17755714Skris 178280304Sjkim s->server = 1; 179280304Sjkim if (cb != NULL) 180280304Sjkim cb(s, SSL_CB_HANDSHAKE_START, 1); 18155714Skris 182280304Sjkim /* s->version=SSL3_VERSION; */ 183280304Sjkim s->type = SSL_ST_ACCEPT; 18455714Skris 185280304Sjkim if (s->init_buf == NULL) { 186280304Sjkim if ((buf = BUF_MEM_new()) == NULL) { 187280304Sjkim ret = -1; 188280304Sjkim goto end; 189280304Sjkim } 190280304Sjkim if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 191280304Sjkim BUF_MEM_free(buf); 192280304Sjkim ret = -1; 193280304Sjkim goto end; 194280304Sjkim } 195280304Sjkim s->init_buf = buf; 196280304Sjkim } 19755714Skris 198280304Sjkim ssl3_init_finished_mac(s); 19955714Skris 200280304Sjkim s->state = SSL23_ST_SR_CLNT_HELLO_A; 201280304Sjkim s->ctx->stats.sess_accept++; 202280304Sjkim s->init_num = 0; 203280304Sjkim break; 20455714Skris 205280304Sjkim case SSL23_ST_SR_CLNT_HELLO_A: 206280304Sjkim case SSL23_ST_SR_CLNT_HELLO_B: 20755714Skris 208280304Sjkim s->shutdown = 0; 209280304Sjkim ret = ssl23_get_client_hello(s); 210280304Sjkim if (ret >= 0) 211280304Sjkim cb = NULL; 212280304Sjkim goto end; 213280304Sjkim /* break; */ 21455714Skris 215280304Sjkim default: 216280304Sjkim SSLerr(SSL_F_SSL23_ACCEPT, SSL_R_UNKNOWN_STATE); 217280304Sjkim ret = -1; 218280304Sjkim goto end; 219280304Sjkim /* break; */ 220280304Sjkim } 22155714Skris 222280304Sjkim if ((cb != NULL) && (s->state != state)) { 223280304Sjkim new_state = s->state; 224280304Sjkim s->state = state; 225280304Sjkim cb(s, SSL_CB_ACCEPT_LOOP, 1); 226280304Sjkim s->state = new_state; 227280304Sjkim } 228280304Sjkim } 229280304Sjkim end: 230280304Sjkim s->in_handshake--; 231280304Sjkim if (cb != NULL) 232280304Sjkim cb(s, SSL_CB_ACCEPT_EXIT, ret); 233280304Sjkim return (ret); 234280304Sjkim} 23555714Skris 23655714Skrisint ssl23_get_client_hello(SSL *s) 237280304Sjkim{ 238280304Sjkim /*- 239280304Sjkim * Request this many bytes in initial read. 240280304Sjkim * We can detect SSL 3.0/TLS 1.0 Client Hellos 241280304Sjkim * ('type == 3') correctly only when the following 242280304Sjkim * is in a single record, which is not guaranteed by 243280304Sjkim * the protocol specification: 244280304Sjkim * Byte Content 245280304Sjkim * 0 type \ 246280304Sjkim * 1/2 version > record header 247280304Sjkim * 3/4 length / 248280304Sjkim * 5 msg_type \ 249280304Sjkim * 6-8 length > Client Hello message 250280304Sjkim * 9/10 client_version / 251280304Sjkim */ 252280304Sjkim char buf_space[11]; 253280304Sjkim char *buf = &(buf_space[0]); 254280304Sjkim unsigned char *p, *d, *d_len, *dd; 255280304Sjkim unsigned int i; 256280304Sjkim unsigned int csl, sil, cl; 257280304Sjkim int n = 0, j; 258280304Sjkim int type = 0; 259280304Sjkim int v[2]; 26055714Skris 261280304Sjkim if (s->state == SSL23_ST_SR_CLNT_HELLO_A) { 262280304Sjkim /* read the initial header */ 263280304Sjkim v[0] = v[1] = 0; 26459194Skris 265280304Sjkim if (!ssl3_setup_buffers(s)) 266280304Sjkim goto err; 26755714Skris 268280304Sjkim n = ssl23_read_bytes(s, sizeof buf_space); 269280304Sjkim if (n != sizeof buf_space) 270280304Sjkim return (n); /* n == -1 || n == 0 */ 27155714Skris 272280304Sjkim p = s->packet; 27355714Skris 274280304Sjkim memcpy(buf, p, n); 27555714Skris 276280304Sjkim if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) { 277280304Sjkim /* 278280304Sjkim * SSLv2 header 279280304Sjkim */ 280280304Sjkim if ((p[3] == 0x00) && (p[4] == 0x02)) { 281280304Sjkim v[0] = p[3]; 282280304Sjkim v[1] = p[4]; 283280304Sjkim /* SSLv2 */ 284280304Sjkim if (!(s->options & SSL_OP_NO_SSLv2)) 285280304Sjkim type = 1; 286280304Sjkim } else if (p[3] == SSL3_VERSION_MAJOR) { 287280304Sjkim v[0] = p[3]; 288280304Sjkim v[1] = p[4]; 289280304Sjkim /* SSLv3/TLSv1 */ 290280304Sjkim if (p[4] >= TLS1_VERSION_MINOR) { 291280304Sjkim if (p[4] >= TLS1_2_VERSION_MINOR && 292280304Sjkim !(s->options & SSL_OP_NO_TLSv1_2)) { 293280304Sjkim s->version = TLS1_2_VERSION; 294280304Sjkim s->state = SSL23_ST_SR_CLNT_HELLO_B; 295280304Sjkim } else if (p[4] >= TLS1_1_VERSION_MINOR && 296280304Sjkim !(s->options & SSL_OP_NO_TLSv1_1)) { 297280304Sjkim s->version = TLS1_1_VERSION; 298280304Sjkim /* 299280304Sjkim * type=2; 300280304Sjkim *//* 301280304Sjkim * done later to survive restarts 302280304Sjkim */ 303280304Sjkim s->state = SSL23_ST_SR_CLNT_HELLO_B; 304280304Sjkim } else if (!(s->options & SSL_OP_NO_TLSv1)) { 305280304Sjkim s->version = TLS1_VERSION; 306280304Sjkim /* 307280304Sjkim * type=2; 308280304Sjkim *//* 309280304Sjkim * done later to survive restarts 310280304Sjkim */ 311280304Sjkim s->state = SSL23_ST_SR_CLNT_HELLO_B; 312280304Sjkim } else if (!(s->options & SSL_OP_NO_SSLv3)) { 313280304Sjkim s->version = SSL3_VERSION; 314280304Sjkim /* type=2; */ 315280304Sjkim s->state = SSL23_ST_SR_CLNT_HELLO_B; 316280304Sjkim } else if (!(s->options & SSL_OP_NO_SSLv2)) { 317280304Sjkim type = 1; 318280304Sjkim } 319280304Sjkim } else if (!(s->options & SSL_OP_NO_SSLv3)) { 320280304Sjkim s->version = SSL3_VERSION; 321280304Sjkim /* type=2; */ 322280304Sjkim s->state = SSL23_ST_SR_CLNT_HELLO_B; 323280304Sjkim } else if (!(s->options & SSL_OP_NO_SSLv2)) 324280304Sjkim type = 1; 32555714Skris 326280304Sjkim } 327280304Sjkim } 328280304Sjkim /* p[4] < 5 ... silly record length? */ 329280304Sjkim else if ((p[0] == SSL3_RT_HANDSHAKE) && 330280304Sjkim (p[1] == SSL3_VERSION_MAJOR) && 331280304Sjkim (p[5] == SSL3_MT_CLIENT_HELLO) && ((p[3] == 0 && p[4] < 5) 332280304Sjkim || (p[9] >= p[1]))) { 333280304Sjkim /* 334280304Sjkim * SSLv3 or tls1 header 335280304Sjkim */ 33655714Skris 337280304Sjkim v[0] = p[1]; /* major version (= SSL3_VERSION_MAJOR) */ 338280304Sjkim /* 339280304Sjkim * We must look at client_version inside the Client Hello message 340280304Sjkim * to get the correct minor version. However if we have only a 341280304Sjkim * pathologically small fragment of the Client Hello message, this 342280304Sjkim * would be difficult, and we'd have to read more records to find 343280304Sjkim * out. No known SSL 3.0 client fragments ClientHello like this, 344280304Sjkim * so we simply reject such connections to avoid protocol version 345280304Sjkim * downgrade attacks. 346280304Sjkim */ 347280304Sjkim if (p[3] == 0 && p[4] < 6) { 348280304Sjkim SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_SMALL); 349280304Sjkim goto err; 350280304Sjkim } 351280304Sjkim /* 352280304Sjkim * if major version number > 3 set minor to a value which will 353280304Sjkim * use the highest version 3 we support. If TLS 2.0 ever appears 354280304Sjkim * we will need to revise this.... 355280304Sjkim */ 356280304Sjkim if (p[9] > SSL3_VERSION_MAJOR) 357280304Sjkim v[1] = 0xff; 358280304Sjkim else 359280304Sjkim v[1] = p[10]; /* minor version according to client_version */ 360280304Sjkim if (v[1] >= TLS1_VERSION_MINOR) { 361280304Sjkim if (v[1] >= TLS1_2_VERSION_MINOR && 362280304Sjkim !(s->options & SSL_OP_NO_TLSv1_2)) { 363280304Sjkim s->version = TLS1_2_VERSION; 364280304Sjkim type = 3; 365280304Sjkim } else if (v[1] >= TLS1_1_VERSION_MINOR && 366280304Sjkim !(s->options & SSL_OP_NO_TLSv1_1)) { 367280304Sjkim s->version = TLS1_1_VERSION; 368280304Sjkim type = 3; 369280304Sjkim } else if (!(s->options & SSL_OP_NO_TLSv1)) { 370280304Sjkim s->version = TLS1_VERSION; 371280304Sjkim type = 3; 372280304Sjkim } else if (!(s->options & SSL_OP_NO_SSLv3)) { 373280304Sjkim s->version = SSL3_VERSION; 374280304Sjkim type = 3; 375280304Sjkim } 376280304Sjkim } else { 377280304Sjkim /* client requests SSL 3.0 */ 378280304Sjkim if (!(s->options & SSL_OP_NO_SSLv3)) { 379280304Sjkim s->version = SSL3_VERSION; 380280304Sjkim type = 3; 381280304Sjkim } else if (!(s->options & SSL_OP_NO_TLSv1)) { 382280304Sjkim /* 383280304Sjkim * we won't be able to use TLS of course, but this will 384280304Sjkim * send an appropriate alert 385280304Sjkim */ 386280304Sjkim s->version = TLS1_VERSION; 387280304Sjkim type = 3; 388280304Sjkim } 389280304Sjkim } 390280304Sjkim } else if ((strncmp("GET ", (char *)p, 4) == 0) || 391280304Sjkim (strncmp("POST ", (char *)p, 5) == 0) || 392280304Sjkim (strncmp("HEAD ", (char *)p, 5) == 0) || 393280304Sjkim (strncmp("PUT ", (char *)p, 4) == 0)) { 394280304Sjkim SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTP_REQUEST); 395280304Sjkim goto err; 396280304Sjkim } else if (strncmp("CONNECT", (char *)p, 7) == 0) { 397280304Sjkim SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTPS_PROXY_REQUEST); 398280304Sjkim goto err; 399280304Sjkim } 400280304Sjkim } 401273149Sjkim 402280304Sjkim /* ensure that TLS_MAX_VERSION is up-to-date */ 403280304Sjkim OPENSSL_assert(s->version <= TLS_MAX_VERSION); 404280304Sjkim 405194206Ssimon#ifdef OPENSSL_FIPS 406280304Sjkim if (FIPS_mode() && (s->version < TLS1_VERSION)) { 407280304Sjkim SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, 408280304Sjkim SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); 409280304Sjkim goto err; 410280304Sjkim } 411194206Ssimon#endif 412194206Ssimon 413280304Sjkim if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { 414280304Sjkim /* 415280304Sjkim * we have SSLv3/TLSv1 in an SSLv2 header (other cases skip this 416280304Sjkim * state) 417280304Sjkim */ 41859194Skris 419280304Sjkim type = 2; 420280304Sjkim p = s->packet; 421280304Sjkim v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ 422280304Sjkim v[1] = p[4]; 42359194Skris 424280304Sjkim /*- 425280304Sjkim * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 426280304Sjkim * header is sent directly on the wire, not wrapped as a TLS 427280304Sjkim * record. It's format is: 428280304Sjkim * Byte Content 429280304Sjkim * 0-1 msg_length 430280304Sjkim * 2 msg_type 431280304Sjkim * 3-4 version 432280304Sjkim * 5-6 cipher_spec_length 433280304Sjkim * 7-8 session_id_length 434280304Sjkim * 9-10 challenge_length 435280304Sjkim * ... ... 436280304Sjkim */ 437280304Sjkim n = ((p[0] & 0x7f) << 8) | p[1]; 438280304Sjkim if (n > (1024 * 4)) { 439280304Sjkim SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE); 440280304Sjkim goto err; 441280304Sjkim } 442280304Sjkim if (n < 9) { 443280304Sjkim SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, 444280304Sjkim SSL_R_RECORD_LENGTH_MISMATCH); 445280304Sjkim goto err; 446280304Sjkim } 44755714Skris 448280304Sjkim j = ssl23_read_bytes(s, n + 2); 449280304Sjkim /* 450280304Sjkim * We previously read 11 bytes, so if j > 0, we must have j == n+2 == 451280304Sjkim * s->packet_length. We have at least 11 valid packet bytes. 452280304Sjkim */ 453280304Sjkim if (j <= 0) 454280304Sjkim return (j); 45555714Skris 456280304Sjkim ssl3_finish_mac(s, s->packet + 2, s->packet_length - 2); 45755714Skris 458280304Sjkim /* CLIENT-HELLO */ 459280304Sjkim if (s->msg_callback) 460280304Sjkim s->msg_callback(0, SSL2_VERSION, 0, s->packet + 2, 461280304Sjkim s->packet_length - 2, s, s->msg_callback_arg); 46255714Skris 463280304Sjkim p = s->packet; 464280304Sjkim p += 5; 465280304Sjkim n2s(p, csl); 466280304Sjkim n2s(p, sil); 467280304Sjkim n2s(p, cl); 468280304Sjkim d = (unsigned char *)s->init_buf->data; 469280304Sjkim if ((csl + sil + cl + 11) != s->packet_length) { /* We can't have TLS 470280304Sjkim * extensions in SSL 471280304Sjkim * 2.0 format * 472280304Sjkim * Client Hello, can 473280304Sjkim * we? Error 474280304Sjkim * condition should 475280304Sjkim * be * '>' 476280304Sjkim * otherweise */ 477280304Sjkim SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, 478280304Sjkim SSL_R_RECORD_LENGTH_MISMATCH); 479280304Sjkim goto err; 480280304Sjkim } 481110007Smarkm 482280304Sjkim /* record header: msg_type ... */ 483280304Sjkim *(d++) = SSL3_MT_CLIENT_HELLO; 484280304Sjkim /* ... and length (actual value will be written later) */ 485280304Sjkim d_len = d; 486280304Sjkim d += 3; 48755714Skris 488280304Sjkim /* client_version */ 489280304Sjkim *(d++) = SSL3_VERSION_MAJOR; /* == v[0] */ 490280304Sjkim *(d++) = v[1]; 49155714Skris 492280304Sjkim /* lets populate the random area */ 493280304Sjkim /* get the challenge_length */ 494280304Sjkim i = (cl > SSL3_RANDOM_SIZE) ? SSL3_RANDOM_SIZE : cl; 495280304Sjkim memset(d, 0, SSL3_RANDOM_SIZE); 496280304Sjkim memcpy(&(d[SSL3_RANDOM_SIZE - i]), &(p[csl + sil]), i); 497280304Sjkim d += SSL3_RANDOM_SIZE; 49855714Skris 499280304Sjkim /* no session-id reuse */ 500280304Sjkim *(d++) = 0; 50155714Skris 502280304Sjkim /* ciphers */ 503280304Sjkim j = 0; 504280304Sjkim dd = d; 505280304Sjkim d += 2; 506280304Sjkim for (i = 0; i < csl; i += 3) { 507280304Sjkim if (p[i] != 0) 508280304Sjkim continue; 509280304Sjkim *(d++) = p[i + 1]; 510280304Sjkim *(d++) = p[i + 2]; 511280304Sjkim j += 2; 512280304Sjkim } 513280304Sjkim s2n(j, dd); 514280304Sjkim 515280304Sjkim /* COMPRESSION */ 516280304Sjkim *(d++) = 1; 517280304Sjkim *(d++) = 0; 518280304Sjkim 519238405Sjkim#if 0 520280304Sjkim /* copy any remaining data with may be extensions */ 521280304Sjkim p = p + csl + sil + cl; 522280304Sjkim while (p < s->packet + s->packet_length) { 523280304Sjkim *(d++) = *(p++); 524280304Sjkim } 525238405Sjkim#endif 526238405Sjkim 527280304Sjkim i = (d - (unsigned char *)s->init_buf->data) - 4; 528280304Sjkim l2n3((long)i, d_len); 52955714Skris 530280304Sjkim /* get the data reused from the init_buf */ 531280304Sjkim s->s3->tmp.reuse_message = 1; 532280304Sjkim s->s3->tmp.message_type = SSL3_MT_CLIENT_HELLO; 533280304Sjkim s->s3->tmp.message_size = i; 534280304Sjkim } 53555714Skris 536280304Sjkim /* imaginary new state (for program structure): */ 537280304Sjkim /* s->state = SSL23_SR_CLNT_HELLO_C */ 53859194Skris 539280304Sjkim if (type == 1) { 540110007Smarkm#ifdef OPENSSL_NO_SSL2 541280304Sjkim SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); 542280304Sjkim goto err; 54355949Skris#else 544280304Sjkim /* we are talking sslv2 */ 545280304Sjkim /* 546280304Sjkim * we need to clean up the SSLv3/TLSv1 setup and put in the sslv2 547280304Sjkim * stuff. 548280304Sjkim */ 54955714Skris 550280304Sjkim if (s->s2 == NULL) { 551280304Sjkim if (!ssl2_new(s)) 552280304Sjkim goto err; 553280304Sjkim } else 554280304Sjkim ssl2_clear(s); 55555714Skris 556280304Sjkim if (s->s3 != NULL) 557280304Sjkim ssl3_free(s); 55855714Skris 559280304Sjkim if (!BUF_MEM_grow_clean(s->init_buf, 560280304Sjkim SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { 561280304Sjkim goto err; 562280304Sjkim } 56355714Skris 564280304Sjkim s->state = SSL2_ST_GET_CLIENT_HELLO_A; 565280304Sjkim if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3) 566280304Sjkim s->s2->ssl2_rollback = 0; 567280304Sjkim else 568280304Sjkim /* 569280304Sjkim * reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0 570280304Sjkim * (SSL 3.0 draft/RFC 2246, App. E.2) 571280304Sjkim */ 572280304Sjkim s->s2->ssl2_rollback = 1; 57355714Skris 574280304Sjkim /* 575280304Sjkim * setup the n bytes we have read so we get them from the sslv2 576280304Sjkim * buffer 577280304Sjkim */ 578280304Sjkim s->rstate = SSL_ST_READ_HEADER; 579280304Sjkim s->packet_length = n; 580280304Sjkim s->packet = &(s->s2->rbuf[0]); 581280304Sjkim memcpy(s->packet, buf, n); 582280304Sjkim s->s2->rbuf_left = n; 583280304Sjkim s->s2->rbuf_offs = 0; 58455714Skris 585280304Sjkim s->method = SSLv2_server_method(); 586280304Sjkim s->handshake_func = s->method->ssl_accept; 58755949Skris#endif 588280304Sjkim } 58955714Skris 590280304Sjkim if ((type == 2) || (type == 3)) { 591280304Sjkim /* 592280304Sjkim * we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) 593280304Sjkim */ 594280304Sjkim const SSL_METHOD *new_method; 595280304Sjkim new_method = ssl23_get_server_method(s->version); 596280304Sjkim if (new_method == NULL) { 597280304Sjkim SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); 598280304Sjkim goto err; 599280304Sjkim } 600280304Sjkim s->method = new_method; 60155714Skris 602280304Sjkim if (!ssl_init_wbio_buffer(s, 1)) 603280304Sjkim goto err; 60455714Skris 605280304Sjkim /* we are in this state */ 606280304Sjkim s->state = SSL3_ST_SR_CLNT_HELLO_A; 60755714Skris 608280304Sjkim if (type == 3) { 609280304Sjkim /* 610280304Sjkim * put the 'n' bytes we have read into the input buffer for SSLv3 611280304Sjkim */ 612280304Sjkim s->rstate = SSL_ST_READ_HEADER; 613280304Sjkim s->packet_length = n; 614280304Sjkim if (s->s3->rbuf.buf == NULL) 615280304Sjkim if (!ssl3_setup_read_buffer(s)) 616280304Sjkim goto err; 617238405Sjkim 618280304Sjkim s->packet = &(s->s3->rbuf.buf[0]); 619280304Sjkim memcpy(s->packet, buf, n); 620280304Sjkim s->s3->rbuf.left = n; 621280304Sjkim s->s3->rbuf.offset = 0; 622280304Sjkim } else { 623280304Sjkim s->packet_length = 0; 624280304Sjkim s->s3->rbuf.left = 0; 625280304Sjkim s->s3->rbuf.offset = 0; 626280304Sjkim } 627280304Sjkim#if 0 /* ssl3_get_client_hello does this */ 628280304Sjkim s->client_version = (v[0] << 8) | v[1]; 62959194Skris#endif 630280304Sjkim s->handshake_func = s->method->ssl_accept; 631280304Sjkim } 63255714Skris 633280304Sjkim if ((type < 1) || (type > 3)) { 634280304Sjkim /* bad, very bad */ 635280304Sjkim SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); 636280304Sjkim goto err; 637280304Sjkim } 638280304Sjkim s->init_num = 0; 639280304Sjkim 640280304Sjkim if (buf != buf_space) 641280304Sjkim OPENSSL_free(buf); 642280304Sjkim return (SSL_accept(s)); 643280304Sjkim err: 644280304Sjkim if (buf != buf_space) 645280304Sjkim OPENSSL_free(buf); 646280304Sjkim return (-1); 647280304Sjkim} 648