155714Skris/* ssl/s23_srvr.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8296465Sdelphij * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15296465Sdelphij * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22296465Sdelphij * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37296465Sdelphij * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40296465Sdelphij * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52296465Sdelphij * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5889840Skris/* ==================================================================== 5989840Skris * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6089840Skris * 6189840Skris * Redistribution and use in source and binary forms, with or without 6289840Skris * modification, are permitted provided that the following conditions 6389840Skris * are met: 6489840Skris * 6589840Skris * 1. Redistributions of source code must retain the above copyright 66296465Sdelphij * notice, this list of conditions and the following disclaimer. 6789840Skris * 6889840Skris * 2. Redistributions in binary form must reproduce the above copyright 6989840Skris * notice, this list of conditions and the following disclaimer in 7089840Skris * the documentation and/or other materials provided with the 7189840Skris * distribution. 7289840Skris * 7389840Skris * 3. All advertising materials mentioning features or use of this 7489840Skris * software must display the following acknowledgment: 7589840Skris * "This product includes software developed by the OpenSSL Project 7689840Skris * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7789840Skris * 7889840Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 7989840Skris * endorse or promote products derived from this software without 8089840Skris * prior written permission. For written permission, please contact 8189840Skris * openssl-core@openssl.org. 8289840Skris * 8389840Skris * 5. Products derived from this software may not be called "OpenSSL" 8489840Skris * nor may "OpenSSL" appear in their names without prior written 8589840Skris * permission of the OpenSSL Project. 8689840Skris * 8789840Skris * 6. Redistributions of any form whatsoever must retain the following 8889840Skris * acknowledgment: 8989840Skris * "This product includes software developed by the OpenSSL Project 9089840Skris * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9189840Skris * 9289840Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 9389840Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9489840Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9589840Skris * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9689840Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9789840Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 9889840Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 9989840Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 10089840Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10189840Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10289840Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10389840Skris * OF THE POSSIBILITY OF SUCH DAMAGE. 10489840Skris * ==================================================================== 10589840Skris * 10689840Skris * This product includes cryptographic software written by Eric Young 10789840Skris * (eay@cryptsoft.com). This product includes software written by Tim 10889840Skris * Hudson (tjh@cryptsoft.com). 10989840Skris * 11089840Skris */ 11155714Skris 11255714Skris#include <stdio.h> 113110007Smarkm#include "ssl_locl.h" 11455714Skris#include <openssl/buffer.h> 11555714Skris#include <openssl/rand.h> 11655714Skris#include <openssl/objects.h> 11755714Skris#include <openssl/evp.h> 11855714Skris 11955714Skrisstatic SSL_METHOD *ssl23_get_server_method(int ver); 12055714Skrisint ssl23_get_client_hello(SSL *s); 12155714Skrisstatic SSL_METHOD *ssl23_get_server_method(int ver) 122296465Sdelphij{ 123110007Smarkm#ifndef OPENSSL_NO_SSL2 124296465Sdelphij if (ver == SSL2_VERSION) 125296465Sdelphij return (SSLv2_server_method()); 12655949Skris#endif 127273415Sdelphij#ifndef OPENSSL_NO_SSL3 128296465Sdelphij if (ver == SSL3_VERSION) 129296465Sdelphij return (SSLv3_server_method()); 130273415Sdelphij#endif 131296465Sdelphij if (ver == TLS1_VERSION) 132296465Sdelphij return (TLSv1_server_method()); 133296465Sdelphij else 134296465Sdelphij return (NULL); 135296465Sdelphij} 13655714Skris 137160817SsimonIMPLEMENT_ssl23_meth_func(SSLv23_server_method, 138296465Sdelphij ssl23_accept, 139296465Sdelphij ssl_undefined_function, ssl23_get_server_method) 14055714Skris 14155714Skrisint ssl23_accept(SSL *s) 142296465Sdelphij{ 143296465Sdelphij BUF_MEM *buf; 144296465Sdelphij unsigned long Time = (unsigned long)time(NULL); 145296465Sdelphij void (*cb) (const SSL *ssl, int type, int val) = NULL; 146296465Sdelphij int ret = -1; 147296465Sdelphij int new_state, state; 14855714Skris 149296465Sdelphij RAND_add(&Time, sizeof(Time), 0); 150296465Sdelphij ERR_clear_error(); 151296465Sdelphij clear_sys_error(); 15255714Skris 153296465Sdelphij if (s->info_callback != NULL) 154296465Sdelphij cb = s->info_callback; 155296465Sdelphij else if (s->ctx->info_callback != NULL) 156296465Sdelphij cb = s->ctx->info_callback; 15755714Skris 158296465Sdelphij s->in_handshake++; 159296465Sdelphij if (!SSL_in_init(s) || SSL_in_before(s)) 160296465Sdelphij SSL_clear(s); 16155714Skris 162296465Sdelphij for (;;) { 163296465Sdelphij state = s->state; 16455714Skris 165296465Sdelphij switch (s->state) { 166296465Sdelphij case SSL_ST_BEFORE: 167296465Sdelphij case SSL_ST_ACCEPT: 168296465Sdelphij case SSL_ST_BEFORE | SSL_ST_ACCEPT: 169296465Sdelphij case SSL_ST_OK | SSL_ST_ACCEPT: 17055714Skris 171296465Sdelphij s->server = 1; 172296465Sdelphij if (cb != NULL) 173296465Sdelphij cb(s, SSL_CB_HANDSHAKE_START, 1); 17455714Skris 175296465Sdelphij /* s->version=SSL3_VERSION; */ 176296465Sdelphij s->type = SSL_ST_ACCEPT; 17755714Skris 178296465Sdelphij if (s->init_buf == NULL) { 179296465Sdelphij if ((buf = BUF_MEM_new()) == NULL) { 180296465Sdelphij ret = -1; 181296465Sdelphij goto end; 182296465Sdelphij } 183296465Sdelphij if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 184296465Sdelphij ret = -1; 185296465Sdelphij goto end; 186296465Sdelphij } 187296465Sdelphij s->init_buf = buf; 188296465Sdelphij } 18955714Skris 190296465Sdelphij ssl3_init_finished_mac(s); 19155714Skris 192296465Sdelphij s->state = SSL23_ST_SR_CLNT_HELLO_A; 193296465Sdelphij s->ctx->stats.sess_accept++; 194296465Sdelphij s->init_num = 0; 195296465Sdelphij break; 19655714Skris 197296465Sdelphij case SSL23_ST_SR_CLNT_HELLO_A: 198296465Sdelphij case SSL23_ST_SR_CLNT_HELLO_B: 19955714Skris 200296465Sdelphij s->shutdown = 0; 201296465Sdelphij ret = ssl23_get_client_hello(s); 202296465Sdelphij if (ret >= 0) 203296465Sdelphij cb = NULL; 204296465Sdelphij goto end; 205296465Sdelphij /* break; */ 20655714Skris 207296465Sdelphij default: 208296465Sdelphij SSLerr(SSL_F_SSL23_ACCEPT, SSL_R_UNKNOWN_STATE); 209296465Sdelphij ret = -1; 210296465Sdelphij goto end; 211296465Sdelphij /* break; */ 212296465Sdelphij } 21355714Skris 214296465Sdelphij if ((cb != NULL) && (s->state != state)) { 215296465Sdelphij new_state = s->state; 216296465Sdelphij s->state = state; 217296465Sdelphij cb(s, SSL_CB_ACCEPT_LOOP, 1); 218296465Sdelphij s->state = new_state; 219296465Sdelphij } 220296465Sdelphij } 221296465Sdelphij end: 222296465Sdelphij s->in_handshake--; 223296465Sdelphij if (cb != NULL) 224296465Sdelphij cb(s, SSL_CB_ACCEPT_EXIT, ret); 225296465Sdelphij return (ret); 226296465Sdelphij} 22755714Skris 22855714Skrisint ssl23_get_client_hello(SSL *s) 229296465Sdelphij{ 230296465Sdelphij /*- 231296465Sdelphij * Request this many bytes in initial read. 232296465Sdelphij * We can detect SSL 3.0/TLS 1.0 Client Hellos 233296465Sdelphij * ('type == 3') correctly only when the following 234296465Sdelphij * is in a single record, which is not guaranteed by 235296465Sdelphij * the protocol specification: 236296465Sdelphij * Byte Content 237296465Sdelphij * 0 type \ 238296465Sdelphij * 1/2 version > record header 239296465Sdelphij * 3/4 length / 240296465Sdelphij * 5 msg_type \ 241296465Sdelphij * 6-8 length > Client Hello message 242296465Sdelphij * 9/10 client_version / 243296465Sdelphij */ 244296465Sdelphij char buf_space[11]; 245296465Sdelphij char *buf = &(buf_space[0]); 246296465Sdelphij unsigned char *p, *d, *d_len, *dd; 247296465Sdelphij unsigned int i; 248296465Sdelphij unsigned int csl, sil, cl; 249296465Sdelphij int n = 0, j; 250296465Sdelphij int type = 0; 251296465Sdelphij int v[2]; 25255714Skris 253296465Sdelphij if (s->state == SSL23_ST_SR_CLNT_HELLO_A) { 254296465Sdelphij /* read the initial header */ 255296465Sdelphij v[0] = v[1] = 0; 25659194Skris 257296465Sdelphij if (!ssl3_setup_buffers(s)) 258296465Sdelphij goto err; 25955714Skris 260296465Sdelphij n = ssl23_read_bytes(s, sizeof buf_space); 261296465Sdelphij if (n != sizeof buf_space) 262296465Sdelphij return (n); /* n == -1 || n == 0 */ 26355714Skris 264296465Sdelphij p = s->packet; 26555714Skris 266296465Sdelphij memcpy(buf, p, n); 26755714Skris 268296465Sdelphij if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) { 269296465Sdelphij /* 270296465Sdelphij * SSLv2 header 271296465Sdelphij */ 272296465Sdelphij if ((p[3] == 0x00) && (p[4] == 0x02)) { 273296465Sdelphij v[0] = p[3]; 274296465Sdelphij v[1] = p[4]; 275296465Sdelphij /* SSLv2 */ 276296465Sdelphij if (!(s->options & SSL_OP_NO_SSLv2)) 277296465Sdelphij type = 1; 278296465Sdelphij } else if (p[3] == SSL3_VERSION_MAJOR) { 279296465Sdelphij v[0] = p[3]; 280296465Sdelphij v[1] = p[4]; 281296465Sdelphij /* SSLv3/TLSv1 */ 282296465Sdelphij if (p[4] >= TLS1_VERSION_MINOR) { 283296465Sdelphij if (!(s->options & SSL_OP_NO_TLSv1)) { 284296465Sdelphij s->version = TLS1_VERSION; 285296465Sdelphij /* 286296465Sdelphij * type=2; 287296465Sdelphij *//* 288296465Sdelphij * done later to survive restarts 289296465Sdelphij */ 290296465Sdelphij s->state = SSL23_ST_SR_CLNT_HELLO_B; 291296465Sdelphij } else if (!(s->options & SSL_OP_NO_SSLv3)) { 292296465Sdelphij s->version = SSL3_VERSION; 293296465Sdelphij /* type=2; */ 294296465Sdelphij s->state = SSL23_ST_SR_CLNT_HELLO_B; 295296465Sdelphij } else if (!(s->options & SSL_OP_NO_SSLv2)) { 296296465Sdelphij type = 1; 297296465Sdelphij } 298296465Sdelphij } else if (!(s->options & SSL_OP_NO_SSLv3)) { 299296465Sdelphij s->version = SSL3_VERSION; 300296465Sdelphij /* type=2; */ 301296465Sdelphij s->state = SSL23_ST_SR_CLNT_HELLO_B; 302296465Sdelphij } else if (!(s->options & SSL_OP_NO_SSLv2)) 303296465Sdelphij type = 1; 30455714Skris 305296465Sdelphij } 306296465Sdelphij } 307296465Sdelphij /* p[4] < 5 ... silly record length? */ 308296465Sdelphij else if ((p[0] == SSL3_RT_HANDSHAKE) && 309296465Sdelphij (p[1] == SSL3_VERSION_MAJOR) && 310296465Sdelphij (p[5] == SSL3_MT_CLIENT_HELLO) && ((p[3] == 0 && p[4] < 5) 311296465Sdelphij || (p[9] >= p[1]))) { 312296465Sdelphij /* 313296465Sdelphij * SSLv3 or tls1 header 314296465Sdelphij */ 31555714Skris 316296465Sdelphij v[0] = p[1]; /* major version (= SSL3_VERSION_MAJOR) */ 317296465Sdelphij /* 318296465Sdelphij * We must look at client_version inside the Client Hello message 319296465Sdelphij * to get the correct minor version. However if we have only a 320296465Sdelphij * pathologically small fragment of the Client Hello message, this 321296465Sdelphij * would be difficult, and we'd have to read more records to find 322296465Sdelphij * out. No known SSL 3.0 client fragments ClientHello like this, 323296465Sdelphij * so we simply reject such connections to avoid protocol version 324296465Sdelphij * downgrade attacks. 325296465Sdelphij */ 326296465Sdelphij if (p[3] == 0 && p[4] < 6) { 327296465Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_SMALL); 328296465Sdelphij goto err; 329296465Sdelphij } 330296465Sdelphij /* 331296465Sdelphij * if major version number > 3 set minor to a value which will 332296465Sdelphij * use the highest version 3 we support. If TLS 2.0 ever appears 333296465Sdelphij * we will need to revise this.... 334296465Sdelphij */ 335296465Sdelphij if (p[9] > SSL3_VERSION_MAJOR) 336296465Sdelphij v[1] = 0xff; 337296465Sdelphij else 338296465Sdelphij v[1] = p[10]; /* minor version according to client_version */ 339296465Sdelphij if (v[1] >= TLS1_VERSION_MINOR) { 340296465Sdelphij if (!(s->options & SSL_OP_NO_TLSv1)) { 341296465Sdelphij s->version = TLS1_VERSION; 342296465Sdelphij type = 3; 343296465Sdelphij } else if (!(s->options & SSL_OP_NO_SSLv3)) { 344296465Sdelphij s->version = SSL3_VERSION; 345296465Sdelphij type = 3; 346296465Sdelphij } 347296465Sdelphij } else { 348296465Sdelphij /* client requests SSL 3.0 */ 349296465Sdelphij if (!(s->options & SSL_OP_NO_SSLv3)) { 350296465Sdelphij s->version = SSL3_VERSION; 351296465Sdelphij type = 3; 352296465Sdelphij } else if (!(s->options & SSL_OP_NO_TLSv1)) { 353296465Sdelphij /* 354296465Sdelphij * we won't be able to use TLS of course, but this will 355296465Sdelphij * send an appropriate alert 356296465Sdelphij */ 357296465Sdelphij s->version = TLS1_VERSION; 358296465Sdelphij type = 3; 359296465Sdelphij } 360296465Sdelphij } 361296465Sdelphij } else if ((strncmp("GET ", (char *)p, 4) == 0) || 362296465Sdelphij (strncmp("POST ", (char *)p, 5) == 0) || 363296465Sdelphij (strncmp("HEAD ", (char *)p, 5) == 0) || 364296465Sdelphij (strncmp("PUT ", (char *)p, 4) == 0)) { 365296465Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTP_REQUEST); 366296465Sdelphij goto err; 367296465Sdelphij } else if (strncmp("CONNECT", (char *)p, 7) == 0) { 368296465Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTPS_PROXY_REQUEST); 369296465Sdelphij goto err; 370296465Sdelphij } 371296465Sdelphij } 372194206Ssimon#ifdef OPENSSL_FIPS 373296465Sdelphij if (FIPS_mode() && (s->version < TLS1_VERSION)) { 374296465Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, 375296465Sdelphij SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); 376296465Sdelphij goto err; 377296465Sdelphij } 378194206Ssimon#endif 379194206Ssimon 380296465Sdelphij /* ensure that TLS_MAX_VERSION is up-to-date */ 381296465Sdelphij OPENSSL_assert(s->version <= TLS_MAX_VERSION); 382273415Sdelphij 383296465Sdelphij if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { 384296465Sdelphij /* 385296465Sdelphij * we have SSLv3/TLSv1 in an SSLv2 header (other cases skip this 386296465Sdelphij * state) 387296465Sdelphij */ 38859194Skris 389296465Sdelphij type = 2; 390296465Sdelphij p = s->packet; 391296465Sdelphij v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ 392296465Sdelphij v[1] = p[4]; 39359194Skris 394296465Sdelphij /*- 395296465Sdelphij * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 396296465Sdelphij * header is sent directly on the wire, not wrapped as a TLS 397296465Sdelphij * record. It's format is: 398296465Sdelphij * Byte Content 399296465Sdelphij * 0-1 msg_length 400296465Sdelphij * 2 msg_type 401296465Sdelphij * 3-4 version 402296465Sdelphij * 5-6 cipher_spec_length 403296465Sdelphij * 7-8 session_id_length 404296465Sdelphij * 9-10 challenge_length 405296465Sdelphij * ... ... 406296465Sdelphij */ 407296465Sdelphij n = ((p[0] & 0x7f) << 8) | p[1]; 408296465Sdelphij if (n > (1024 * 4)) { 409296465Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE); 410296465Sdelphij goto err; 411296465Sdelphij } 412296465Sdelphij if (n < 9) { 413296465Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, 414296465Sdelphij SSL_R_RECORD_LENGTH_MISMATCH); 415296465Sdelphij goto err; 416296465Sdelphij } 41755714Skris 418296465Sdelphij j = ssl23_read_bytes(s, n + 2); 419296465Sdelphij /* 420296465Sdelphij * We previously read 11 bytes, so if j > 0, we must have j == n+2 == 421296465Sdelphij * s->packet_length. We have at least 11 valid packet bytes. 422296465Sdelphij */ 423296465Sdelphij if (j <= 0) 424296465Sdelphij return (j); 42555714Skris 426296465Sdelphij ssl3_finish_mac(s, s->packet + 2, s->packet_length - 2); 42755714Skris 428296465Sdelphij /* CLIENT-HELLO */ 429296465Sdelphij if (s->msg_callback) 430296465Sdelphij s->msg_callback(0, SSL2_VERSION, 0, s->packet + 2, 431296465Sdelphij s->packet_length - 2, s, s->msg_callback_arg); 43255714Skris 433296465Sdelphij p = s->packet; 434296465Sdelphij p += 5; 435296465Sdelphij n2s(p, csl); 436296465Sdelphij n2s(p, sil); 437296465Sdelphij n2s(p, cl); 438296465Sdelphij d = (unsigned char *)s->init_buf->data; 439296465Sdelphij if ((csl + sil + cl + 11) != s->packet_length) { 440296465Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, 441296465Sdelphij SSL_R_RECORD_LENGTH_MISMATCH); 442296465Sdelphij goto err; 443296465Sdelphij } 444110007Smarkm 445296465Sdelphij /* record header: msg_type ... */ 446296465Sdelphij *(d++) = SSL3_MT_CLIENT_HELLO; 447296465Sdelphij /* ... and length (actual value will be written later) */ 448296465Sdelphij d_len = d; 449296465Sdelphij d += 3; 45055714Skris 451296465Sdelphij /* client_version */ 452296465Sdelphij *(d++) = SSL3_VERSION_MAJOR; /* == v[0] */ 453296465Sdelphij *(d++) = v[1]; 45455714Skris 455296465Sdelphij /* lets populate the random area */ 456296465Sdelphij /* get the challenge_length */ 457296465Sdelphij i = (cl > SSL3_RANDOM_SIZE) ? SSL3_RANDOM_SIZE : cl; 458296465Sdelphij memset(d, 0, SSL3_RANDOM_SIZE); 459296465Sdelphij memcpy(&(d[SSL3_RANDOM_SIZE - i]), &(p[csl + sil]), i); 460296465Sdelphij d += SSL3_RANDOM_SIZE; 46155714Skris 462296465Sdelphij /* no session-id reuse */ 463296465Sdelphij *(d++) = 0; 46455714Skris 465296465Sdelphij /* ciphers */ 466296465Sdelphij j = 0; 467296465Sdelphij dd = d; 468296465Sdelphij d += 2; 469296465Sdelphij for (i = 0; i < csl; i += 3) { 470296465Sdelphij if (p[i] != 0) 471296465Sdelphij continue; 472296465Sdelphij *(d++) = p[i + 1]; 473296465Sdelphij *(d++) = p[i + 2]; 474296465Sdelphij j += 2; 475296465Sdelphij } 476296465Sdelphij s2n(j, dd); 47755714Skris 478296465Sdelphij /* COMPRESSION */ 479296465Sdelphij *(d++) = 1; 480296465Sdelphij *(d++) = 0; 48155714Skris 482296465Sdelphij i = (d - (unsigned char *)s->init_buf->data) - 4; 483296465Sdelphij l2n3((long)i, d_len); 48459194Skris 485296465Sdelphij /* get the data reused from the init_buf */ 486296465Sdelphij s->s3->tmp.reuse_message = 1; 487296465Sdelphij s->s3->tmp.message_type = SSL3_MT_CLIENT_HELLO; 488296465Sdelphij s->s3->tmp.message_size = i; 489296465Sdelphij } 490296465Sdelphij 491296465Sdelphij /* imaginary new state (for program structure): */ 492296465Sdelphij /* s->state = SSL23_SR_CLNT_HELLO_C */ 493296465Sdelphij 494296465Sdelphij if (type == 1) { 495110007Smarkm#ifdef OPENSSL_NO_SSL2 496296465Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); 497296465Sdelphij goto err; 49855949Skris#else 499296465Sdelphij /* we are talking sslv2 */ 500296465Sdelphij /* 501296465Sdelphij * we need to clean up the SSLv3/TLSv1 setup and put in the sslv2 502296465Sdelphij * stuff. 503296465Sdelphij */ 50455714Skris 505296465Sdelphij if (s->s2 == NULL) { 506296465Sdelphij if (!ssl2_new(s)) 507296465Sdelphij goto err; 508296465Sdelphij } else 509296465Sdelphij ssl2_clear(s); 51055714Skris 511296465Sdelphij if (s->s3 != NULL) 512296465Sdelphij ssl3_free(s); 51355714Skris 514296465Sdelphij if (!BUF_MEM_grow_clean(s->init_buf, 515296465Sdelphij SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { 516296465Sdelphij goto err; 517296465Sdelphij } 51855714Skris 519296465Sdelphij s->state = SSL2_ST_GET_CLIENT_HELLO_A; 520296465Sdelphij if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3) 521296465Sdelphij s->s2->ssl2_rollback = 0; 522296465Sdelphij else 523296465Sdelphij /* 524296465Sdelphij * reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0 525296465Sdelphij * (SSL 3.0 draft/RFC 2246, App. E.2) 526296465Sdelphij */ 527296465Sdelphij s->s2->ssl2_rollback = 1; 52855714Skris 529296465Sdelphij /* 530296465Sdelphij * setup the n bytes we have read so we get them from the sslv2 531296465Sdelphij * buffer 532296465Sdelphij */ 533296465Sdelphij s->rstate = SSL_ST_READ_HEADER; 534296465Sdelphij s->packet_length = n; 535296465Sdelphij s->packet = &(s->s2->rbuf[0]); 536296465Sdelphij memcpy(s->packet, buf, n); 537296465Sdelphij s->s2->rbuf_left = n; 538296465Sdelphij s->s2->rbuf_offs = 0; 53955714Skris 540296465Sdelphij s->method = SSLv2_server_method(); 541296465Sdelphij s->handshake_func = s->method->ssl_accept; 54255949Skris#endif 543296465Sdelphij } 54455714Skris 545296465Sdelphij if ((type == 2) || (type == 3)) { 546296465Sdelphij /* 547296465Sdelphij * we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) 548296465Sdelphij */ 549296465Sdelphij SSL_METHOD *new_method; 550296465Sdelphij new_method = ssl23_get_server_method(s->version); 551296465Sdelphij if (new_method == NULL) { 552296465Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); 553296465Sdelphij goto err; 554296465Sdelphij } 555296465Sdelphij s->method = new_method; 55655714Skris 557296465Sdelphij if (!ssl_init_wbio_buffer(s, 1)) 558296465Sdelphij goto err; 55955714Skris 560296465Sdelphij /* we are in this state */ 561296465Sdelphij s->state = SSL3_ST_SR_CLNT_HELLO_A; 56255714Skris 563296465Sdelphij if (type == 3) { 564296465Sdelphij /* 565296465Sdelphij * put the 'n' bytes we have read into the input buffer for SSLv3 566296465Sdelphij */ 567296465Sdelphij s->rstate = SSL_ST_READ_HEADER; 568296465Sdelphij s->packet_length = n; 569296465Sdelphij s->packet = &(s->s3->rbuf.buf[0]); 570296465Sdelphij memcpy(s->packet, buf, n); 571296465Sdelphij s->s3->rbuf.left = n; 572296465Sdelphij s->s3->rbuf.offset = 0; 573296465Sdelphij } else { 574296465Sdelphij s->packet_length = 0; 575296465Sdelphij s->s3->rbuf.left = 0; 576296465Sdelphij s->s3->rbuf.offset = 0; 577296465Sdelphij } 578296465Sdelphij#if 0 /* ssl3_get_client_hello does this */ 579296465Sdelphij s->client_version = (v[0] << 8) | v[1]; 58059194Skris#endif 581296465Sdelphij s->handshake_func = s->method->ssl_accept; 582296465Sdelphij } 58355714Skris 584296465Sdelphij if ((type < 1) || (type > 3)) { 585296465Sdelphij /* bad, very bad */ 586296465Sdelphij SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); 587296465Sdelphij goto err; 588296465Sdelphij } 589296465Sdelphij s->init_num = 0; 590296465Sdelphij 591296465Sdelphij if (buf != buf_space) 592296465Sdelphij OPENSSL_free(buf); 593296465Sdelphij return (SSL_accept(s)); 594296465Sdelphij err: 595296465Sdelphij if (buf != buf_space) 596296465Sdelphij OPENSSL_free(buf); 597296465Sdelphij return (-1); 598296465Sdelphij} 599