/src/openssl/ssl/s23_srvr.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* ssl/s23_srvr.c */ |
2 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | | * All rights reserved. |
4 | | * |
5 | | * This package is an SSL implementation written |
6 | | * by Eric Young (eay@cryptsoft.com). |
7 | | * The implementation was written so as to conform with Netscapes SSL. |
8 | | * |
9 | | * This library is free for commercial and non-commercial use as long as |
10 | | * the following conditions are aheared to. The following conditions |
11 | | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | | * included with this distribution is covered by the same copyright terms |
14 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | | * |
16 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | | * the code are not to be removed. |
18 | | * If this package is used in a product, Eric Young should be given attribution |
19 | | * as the author of the parts of the library used. |
20 | | * This can be in the form of a textual message at program startup or |
21 | | * in documentation (online or textual) provided with the package. |
22 | | * |
23 | | * Redistribution and use in source and binary forms, with or without |
24 | | * modification, are permitted provided that the following conditions |
25 | | * are met: |
26 | | * 1. Redistributions of source code must retain the copyright |
27 | | * notice, this list of conditions and the following disclaimer. |
28 | | * 2. Redistributions in binary form must reproduce the above copyright |
29 | | * notice, this list of conditions and the following disclaimer in the |
30 | | * documentation and/or other materials provided with the distribution. |
31 | | * 3. All advertising materials mentioning features or use of this software |
32 | | * must display the following acknowledgement: |
33 | | * "This product includes cryptographic software written by |
34 | | * Eric Young (eay@cryptsoft.com)" |
35 | | * The word 'cryptographic' can be left out if the rouines from the library |
36 | | * being used are not cryptographic related :-). |
37 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | | * the apps directory (application code) you must include an acknowledgement: |
39 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | | * |
41 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | | * SUCH DAMAGE. |
52 | | * |
53 | | * The licence and distribution terms for any publically available version or |
54 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | | * copied and put under another distribution licence |
56 | | * [including the GNU Public Licence.] |
57 | | */ |
58 | | /* ==================================================================== |
59 | | * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. |
60 | | * |
61 | | * Redistribution and use in source and binary forms, with or without |
62 | | * modification, are permitted provided that the following conditions |
63 | | * are met: |
64 | | * |
65 | | * 1. Redistributions of source code must retain the above copyright |
66 | | * notice, this list of conditions and the following disclaimer. |
67 | | * |
68 | | * 2. Redistributions in binary form must reproduce the above copyright |
69 | | * notice, this list of conditions and the following disclaimer in |
70 | | * the documentation and/or other materials provided with the |
71 | | * distribution. |
72 | | * |
73 | | * 3. All advertising materials mentioning features or use of this |
74 | | * software must display the following acknowledgment: |
75 | | * "This product includes software developed by the OpenSSL Project |
76 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
77 | | * |
78 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
79 | | * endorse or promote products derived from this software without |
80 | | * prior written permission. For written permission, please contact |
81 | | * openssl-core@openssl.org. |
82 | | * |
83 | | * 5. Products derived from this software may not be called "OpenSSL" |
84 | | * nor may "OpenSSL" appear in their names without prior written |
85 | | * permission of the OpenSSL Project. |
86 | | * |
87 | | * 6. Redistributions of any form whatsoever must retain the following |
88 | | * acknowledgment: |
89 | | * "This product includes software developed by the OpenSSL Project |
90 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
91 | | * |
92 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
93 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
94 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
95 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
96 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
97 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
98 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
99 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
100 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
101 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
102 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
103 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
104 | | * ==================================================================== |
105 | | * |
106 | | * This product includes cryptographic software written by Eric Young |
107 | | * (eay@cryptsoft.com). This product includes software written by Tim |
108 | | * Hudson (tjh@cryptsoft.com). |
109 | | * |
110 | | */ |
111 | | |
112 | | #include <stdio.h> |
113 | | #include "ssl_locl.h" |
114 | | #include <openssl/buffer.h> |
115 | | #include <openssl/rand.h> |
116 | | #include <openssl/objects.h> |
117 | | #include <openssl/evp.h> |
118 | | #ifdef OPENSSL_FIPS |
119 | | # include <openssl/fips.h> |
120 | | #endif |
121 | | |
122 | | static const SSL_METHOD *ssl23_get_server_method(int ver); |
123 | | int ssl23_get_client_hello(SSL *s); |
124 | | static const SSL_METHOD *ssl23_get_server_method(int ver) |
125 | 0 | { |
126 | | #ifndef OPENSSL_NO_SSL2 |
127 | | if (ver == SSL2_VERSION) |
128 | | return (SSLv2_server_method()); |
129 | | #endif |
130 | 0 | #ifndef OPENSSL_NO_SSL3 |
131 | 0 | if (ver == SSL3_VERSION) |
132 | 0 | return (SSLv3_server_method()); |
133 | 0 | #endif |
134 | 0 | if (ver == TLS1_VERSION) |
135 | 0 | return (TLSv1_server_method()); |
136 | 0 | else if (ver == TLS1_1_VERSION) |
137 | 0 | return (TLSv1_1_server_method()); |
138 | 0 | else if (ver == TLS1_2_VERSION) |
139 | 0 | return (TLSv1_2_server_method()); |
140 | 0 | else |
141 | 0 | return (NULL); |
142 | 0 | } |
143 | | |
144 | | IMPLEMENT_ssl23_meth_func(SSLv23_server_method, |
145 | | ssl23_accept, |
146 | | ssl_undefined_function, ssl23_get_server_method) |
147 | | |
148 | | int ssl23_accept(SSL *s) |
149 | 0 | { |
150 | 0 | BUF_MEM *buf; |
151 | 0 | unsigned long Time = (unsigned long)time(NULL); |
152 | 0 | void (*cb) (const SSL *ssl, int type, int val) = NULL; |
153 | 0 | int ret = -1; |
154 | 0 | int new_state, state; |
155 | |
|
156 | 0 | RAND_add(&Time, sizeof(Time), 0); |
157 | 0 | ERR_clear_error(); |
158 | 0 | clear_sys_error(); |
159 | |
|
160 | 0 | if (s->info_callback != NULL) |
161 | 0 | cb = s->info_callback; |
162 | 0 | else if (s->ctx->info_callback != NULL) |
163 | 0 | cb = s->ctx->info_callback; |
164 | |
|
165 | 0 | s->in_handshake++; |
166 | 0 | if (!SSL_in_init(s) || SSL_in_before(s)) |
167 | 0 | SSL_clear(s); |
168 | |
|
169 | 0 | for (;;) { |
170 | 0 | state = s->state; |
171 | |
|
172 | 0 | switch (s->state) { |
173 | 0 | case SSL_ST_BEFORE: |
174 | 0 | case SSL_ST_ACCEPT: |
175 | 0 | case SSL_ST_BEFORE | SSL_ST_ACCEPT: |
176 | 0 | case SSL_ST_OK | SSL_ST_ACCEPT: |
177 | |
|
178 | 0 | s->server = 1; |
179 | 0 | if (cb != NULL) |
180 | 0 | cb(s, SSL_CB_HANDSHAKE_START, 1); |
181 | | |
182 | | /* s->version=SSL3_VERSION; */ |
183 | 0 | s->type = SSL_ST_ACCEPT; |
184 | |
|
185 | 0 | if (s->init_buf == NULL) { |
186 | 0 | if ((buf = BUF_MEM_new()) == NULL) { |
187 | 0 | ret = -1; |
188 | 0 | goto end; |
189 | 0 | } |
190 | 0 | if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { |
191 | 0 | BUF_MEM_free(buf); |
192 | 0 | ret = -1; |
193 | 0 | goto end; |
194 | 0 | } |
195 | 0 | s->init_buf = buf; |
196 | 0 | } |
197 | | |
198 | 0 | if (!ssl3_init_finished_mac(s)) { |
199 | 0 | ret = -1; |
200 | 0 | goto end; |
201 | 0 | } |
202 | | |
203 | 0 | s->state = SSL23_ST_SR_CLNT_HELLO_A; |
204 | 0 | s->ctx->stats.sess_accept++; |
205 | 0 | s->init_num = 0; |
206 | 0 | break; |
207 | | |
208 | 0 | case SSL23_ST_SR_CLNT_HELLO_A: |
209 | 0 | case SSL23_ST_SR_CLNT_HELLO_B: |
210 | |
|
211 | 0 | s->shutdown = 0; |
212 | 0 | ret = ssl23_get_client_hello(s); |
213 | 0 | if (ret >= 0) |
214 | 0 | cb = NULL; |
215 | 0 | goto end; |
216 | | /* break; */ |
217 | | |
218 | 0 | default: |
219 | 0 | SSLerr(SSL_F_SSL23_ACCEPT, SSL_R_UNKNOWN_STATE); |
220 | 0 | ret = -1; |
221 | 0 | goto end; |
222 | | /* break; */ |
223 | 0 | } |
224 | | |
225 | 0 | if ((cb != NULL) && (s->state != state)) { |
226 | 0 | new_state = s->state; |
227 | 0 | s->state = state; |
228 | 0 | cb(s, SSL_CB_ACCEPT_LOOP, 1); |
229 | 0 | s->state = new_state; |
230 | 0 | } |
231 | 0 | } |
232 | 0 | end: |
233 | 0 | s->in_handshake--; |
234 | 0 | if (cb != NULL) |
235 | 0 | cb(s, SSL_CB_ACCEPT_EXIT, ret); |
236 | 0 | return (ret); |
237 | 0 | } |
238 | | |
239 | | int ssl23_get_client_hello(SSL *s) |
240 | 0 | { |
241 | | /*- |
242 | | * Request this many bytes in initial read. |
243 | | * We can detect SSL 3.0/TLS 1.0 Client Hellos |
244 | | * ('type == 3') correctly only when the following |
245 | | * is in a single record, which is not guaranteed by |
246 | | * the protocol specification: |
247 | | * Byte Content |
248 | | * 0 type \ |
249 | | * 1/2 version > record header |
250 | | * 3/4 length / |
251 | | * 5 msg_type \ |
252 | | * 6-8 length > Client Hello message |
253 | | * 9/10 client_version / |
254 | | */ |
255 | 0 | char buf_space[11]; |
256 | 0 | char *buf = &(buf_space[0]); |
257 | 0 | unsigned char *p, *d, *d_len, *dd; |
258 | 0 | unsigned int i; |
259 | 0 | unsigned int csl, sil, cl; |
260 | 0 | int n = 0, j; |
261 | 0 | int type = 0; |
262 | 0 | int v[2]; |
263 | |
|
264 | 0 | if (s->state == SSL23_ST_SR_CLNT_HELLO_A) { |
265 | | /* read the initial header */ |
266 | 0 | v[0] = v[1] = 0; |
267 | |
|
268 | 0 | if (!ssl3_setup_buffers(s)) |
269 | 0 | goto err; |
270 | | |
271 | 0 | n = ssl23_read_bytes(s, sizeof buf_space); |
272 | 0 | if (n != sizeof buf_space) |
273 | 0 | return (n); /* n == -1 || n == 0 */ |
274 | | |
275 | 0 | p = s->packet; |
276 | |
|
277 | 0 | memcpy(buf, p, n); |
278 | |
|
279 | 0 | if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) { |
280 | | /* |
281 | | * SSLv2 header |
282 | | */ |
283 | 0 | if ((p[3] == 0x00) && (p[4] == 0x02)) { |
284 | 0 | v[0] = p[3]; |
285 | 0 | v[1] = p[4]; |
286 | | /* SSLv2 */ |
287 | 0 | if (!(s->options & SSL_OP_NO_SSLv2)) |
288 | 0 | type = 1; |
289 | 0 | } else if (p[3] == SSL3_VERSION_MAJOR) { |
290 | 0 | v[0] = p[3]; |
291 | 0 | v[1] = p[4]; |
292 | | /* SSLv3/TLSv1 */ |
293 | 0 | if (p[4] >= TLS1_VERSION_MINOR) { |
294 | 0 | if (p[4] >= TLS1_2_VERSION_MINOR && |
295 | 0 | !(s->options & SSL_OP_NO_TLSv1_2)) { |
296 | 0 | s->version = TLS1_2_VERSION; |
297 | 0 | s->state = SSL23_ST_SR_CLNT_HELLO_B; |
298 | 0 | } else if (p[4] >= TLS1_1_VERSION_MINOR && |
299 | 0 | !(s->options & SSL_OP_NO_TLSv1_1)) { |
300 | 0 | s->version = TLS1_1_VERSION; |
301 | | /* |
302 | | * type=2; |
303 | | *//* |
304 | | * done later to survive restarts |
305 | | */ |
306 | 0 | s->state = SSL23_ST_SR_CLNT_HELLO_B; |
307 | 0 | } else if (!(s->options & SSL_OP_NO_TLSv1)) { |
308 | 0 | s->version = TLS1_VERSION; |
309 | | /* |
310 | | * type=2; |
311 | | *//* |
312 | | * done later to survive restarts |
313 | | */ |
314 | 0 | s->state = SSL23_ST_SR_CLNT_HELLO_B; |
315 | 0 | } else if (!(s->options & SSL_OP_NO_SSLv3)) { |
316 | 0 | s->version = SSL3_VERSION; |
317 | | /* type=2; */ |
318 | 0 | s->state = SSL23_ST_SR_CLNT_HELLO_B; |
319 | 0 | } else if (!(s->options & SSL_OP_NO_SSLv2)) { |
320 | 0 | type = 1; |
321 | 0 | } |
322 | 0 | } else if (!(s->options & SSL_OP_NO_SSLv3)) { |
323 | 0 | s->version = SSL3_VERSION; |
324 | | /* type=2; */ |
325 | 0 | s->state = SSL23_ST_SR_CLNT_HELLO_B; |
326 | 0 | } else if (!(s->options & SSL_OP_NO_SSLv2)) |
327 | 0 | type = 1; |
328 | |
|
329 | 0 | } |
330 | 0 | } |
331 | | /* p[4] < 5 ... silly record length? */ |
332 | 0 | else if ((p[0] == SSL3_RT_HANDSHAKE) && |
333 | 0 | (p[1] == SSL3_VERSION_MAJOR) && |
334 | 0 | (p[5] == SSL3_MT_CLIENT_HELLO) && ((p[3] == 0 && p[4] < 5) |
335 | 0 | || (p[9] >= p[1]))) { |
336 | | /* |
337 | | * SSLv3 or tls1 header |
338 | | */ |
339 | |
|
340 | 0 | v[0] = p[1]; /* major version (= SSL3_VERSION_MAJOR) */ |
341 | | /* |
342 | | * We must look at client_version inside the Client Hello message |
343 | | * to get the correct minor version. However if we have only a |
344 | | * pathologically small fragment of the Client Hello message, this |
345 | | * would be difficult, and we'd have to read more records to find |
346 | | * out. No known SSL 3.0 client fragments ClientHello like this, |
347 | | * so we simply reject such connections to avoid protocol version |
348 | | * downgrade attacks. |
349 | | */ |
350 | 0 | if (p[3] == 0 && p[4] < 6) { |
351 | 0 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_SMALL); |
352 | 0 | goto err; |
353 | 0 | } |
354 | | /* |
355 | | * if major version number > 3 set minor to a value which will |
356 | | * use the highest version 3 we support. If TLS 2.0 ever appears |
357 | | * we will need to revise this.... |
358 | | */ |
359 | 0 | if (p[9] > SSL3_VERSION_MAJOR) |
360 | 0 | v[1] = 0xff; |
361 | 0 | else |
362 | 0 | v[1] = p[10]; /* minor version according to client_version */ |
363 | 0 | if (v[1] >= TLS1_VERSION_MINOR) { |
364 | 0 | if (v[1] >= TLS1_2_VERSION_MINOR && |
365 | 0 | !(s->options & SSL_OP_NO_TLSv1_2)) { |
366 | 0 | s->version = TLS1_2_VERSION; |
367 | 0 | type = 3; |
368 | 0 | } else if (v[1] >= TLS1_1_VERSION_MINOR && |
369 | 0 | !(s->options & SSL_OP_NO_TLSv1_1)) { |
370 | 0 | s->version = TLS1_1_VERSION; |
371 | 0 | type = 3; |
372 | 0 | } else if (!(s->options & SSL_OP_NO_TLSv1)) { |
373 | 0 | s->version = TLS1_VERSION; |
374 | 0 | type = 3; |
375 | 0 | } else if (!(s->options & SSL_OP_NO_SSLv3)) { |
376 | 0 | s->version = SSL3_VERSION; |
377 | 0 | type = 3; |
378 | 0 | } |
379 | 0 | } else { |
380 | | /* client requests SSL 3.0 */ |
381 | 0 | if (!(s->options & SSL_OP_NO_SSLv3)) { |
382 | 0 | s->version = SSL3_VERSION; |
383 | 0 | type = 3; |
384 | 0 | } else if (!(s->options & SSL_OP_NO_TLSv1)) { |
385 | | /* |
386 | | * we won't be able to use TLS of course, but this will |
387 | | * send an appropriate alert |
388 | | */ |
389 | 0 | s->version = TLS1_VERSION; |
390 | 0 | type = 3; |
391 | 0 | } |
392 | 0 | } |
393 | 0 | } else if ((strncmp("GET ", (char *)p, 4) == 0) || |
394 | 0 | (strncmp("POST ", (char *)p, 5) == 0) || |
395 | 0 | (strncmp("HEAD ", (char *)p, 5) == 0) || |
396 | 0 | (strncmp("PUT ", (char *)p, 4) == 0)) { |
397 | 0 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTP_REQUEST); |
398 | 0 | goto err; |
399 | 0 | } else if (strncmp("CONNECT", (char *)p, 7) == 0) { |
400 | 0 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTPS_PROXY_REQUEST); |
401 | 0 | goto err; |
402 | 0 | } |
403 | 0 | } |
404 | | |
405 | | /* ensure that TLS_MAX_VERSION is up-to-date */ |
406 | 0 | OPENSSL_assert(s->version <= TLS_MAX_VERSION); |
407 | |
|
408 | 0 | if (s->version < TLS1_2_VERSION && tls1_suiteb(s)) { |
409 | 0 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, |
410 | 0 | SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE); |
411 | 0 | goto err; |
412 | 0 | } |
413 | | #ifdef OPENSSL_FIPS |
414 | | if (FIPS_mode() && (s->version < TLS1_VERSION)) { |
415 | | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, |
416 | | SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); |
417 | | goto err; |
418 | | } |
419 | | #endif |
420 | | |
421 | 0 | if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { |
422 | | /* |
423 | | * we have SSLv3/TLSv1 in an SSLv2 header (other cases skip this |
424 | | * state) |
425 | | */ |
426 | |
|
427 | 0 | type = 2; |
428 | 0 | p = s->packet; |
429 | 0 | v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ |
430 | 0 | v[1] = p[4]; |
431 | | |
432 | | /*- |
433 | | * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 |
434 | | * header is sent directly on the wire, not wrapped as a TLS |
435 | | * record. It's format is: |
436 | | * Byte Content |
437 | | * 0-1 msg_length |
438 | | * 2 msg_type |
439 | | * 3-4 version |
440 | | * 5-6 cipher_spec_length |
441 | | * 7-8 session_id_length |
442 | | * 9-10 challenge_length |
443 | | * ... ... |
444 | | */ |
445 | 0 | n = ((p[0] & 0x7f) << 8) | p[1]; |
446 | 0 | if (n > (1024 * 4)) { |
447 | 0 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE); |
448 | 0 | goto err; |
449 | 0 | } |
450 | 0 | if (n < 9) { |
451 | 0 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, |
452 | 0 | SSL_R_RECORD_LENGTH_MISMATCH); |
453 | 0 | goto err; |
454 | 0 | } |
455 | | |
456 | 0 | j = ssl23_read_bytes(s, n + 2); |
457 | | /* |
458 | | * We previously read 11 bytes, so if j > 0, we must have j == n+2 == |
459 | | * s->packet_length. We have at least 11 valid packet bytes. |
460 | | */ |
461 | 0 | if (j <= 0) |
462 | 0 | return (j); |
463 | | |
464 | 0 | ssl3_finish_mac(s, s->packet + 2, s->packet_length - 2); |
465 | | |
466 | | /* CLIENT-HELLO */ |
467 | 0 | if (s->msg_callback) |
468 | 0 | s->msg_callback(0, SSL2_VERSION, 0, s->packet + 2, |
469 | 0 | s->packet_length - 2, s, s->msg_callback_arg); |
470 | |
|
471 | 0 | p = s->packet; |
472 | 0 | p += 5; |
473 | 0 | n2s(p, csl); |
474 | 0 | n2s(p, sil); |
475 | 0 | n2s(p, cl); |
476 | 0 | d = (unsigned char *)s->init_buf->data; |
477 | 0 | if ((csl + sil + cl + 11) != s->packet_length) { /* We can't have TLS |
478 | | * extensions in SSL |
479 | | * 2.0 format * |
480 | | * Client Hello, can |
481 | | * we? Error |
482 | | * condition should |
483 | | * be * '>' |
484 | | * otherweise */ |
485 | 0 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, |
486 | 0 | SSL_R_RECORD_LENGTH_MISMATCH); |
487 | 0 | goto err; |
488 | 0 | } |
489 | | |
490 | | /* record header: msg_type ... */ |
491 | 0 | *(d++) = SSL3_MT_CLIENT_HELLO; |
492 | | /* ... and length (actual value will be written later) */ |
493 | 0 | d_len = d; |
494 | 0 | d += 3; |
495 | | |
496 | | /* client_version */ |
497 | 0 | *(d++) = SSL3_VERSION_MAJOR; /* == v[0] */ |
498 | 0 | *(d++) = v[1]; |
499 | | |
500 | | /* lets populate the random area */ |
501 | | /* get the challenge_length */ |
502 | 0 | i = (cl > SSL3_RANDOM_SIZE) ? SSL3_RANDOM_SIZE : cl; |
503 | 0 | memset(d, 0, SSL3_RANDOM_SIZE); |
504 | 0 | memcpy(&(d[SSL3_RANDOM_SIZE - i]), &(p[csl + sil]), i); |
505 | 0 | d += SSL3_RANDOM_SIZE; |
506 | | |
507 | | /* no session-id reuse */ |
508 | 0 | *(d++) = 0; |
509 | | |
510 | | /* ciphers */ |
511 | 0 | j = 0; |
512 | 0 | dd = d; |
513 | 0 | d += 2; |
514 | 0 | for (i = 0; i < csl; i += 3) { |
515 | 0 | if (p[i] != 0) |
516 | 0 | continue; |
517 | 0 | *(d++) = p[i + 1]; |
518 | 0 | *(d++) = p[i + 2]; |
519 | 0 | j += 2; |
520 | 0 | } |
521 | 0 | s2n(j, dd); |
522 | | |
523 | | /* COMPRESSION */ |
524 | 0 | *(d++) = 1; |
525 | 0 | *(d++) = 0; |
526 | |
|
527 | | #if 0 |
528 | | /* copy any remaining data with may be extensions */ |
529 | | p = p + csl + sil + cl; |
530 | | while (p < s->packet + s->packet_length) { |
531 | | *(d++) = *(p++); |
532 | | } |
533 | | #endif |
534 | |
|
535 | 0 | i = (d - (unsigned char *)s->init_buf->data) - 4; |
536 | 0 | l2n3((long)i, d_len); |
537 | | |
538 | | /* get the data reused from the init_buf */ |
539 | 0 | s->s3->tmp.reuse_message = 1; |
540 | 0 | s->s3->tmp.message_type = SSL3_MT_CLIENT_HELLO; |
541 | 0 | s->s3->tmp.message_size = i; |
542 | 0 | } |
543 | | |
544 | | /* imaginary new state (for program structure): */ |
545 | | /* s->state = SSL23_SR_CLNT_HELLO_C */ |
546 | | |
547 | 0 | if (type == 1) { |
548 | 0 | #ifdef OPENSSL_NO_SSL2 |
549 | 0 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); |
550 | 0 | goto err; |
551 | | #else |
552 | | /* we are talking sslv2 */ |
553 | | /* |
554 | | * we need to clean up the SSLv3/TLSv1 setup and put in the sslv2 |
555 | | * stuff. |
556 | | */ |
557 | | |
558 | | if (s->s2 == NULL) { |
559 | | if (!ssl2_new(s)) |
560 | | goto err; |
561 | | } else |
562 | | ssl2_clear(s); |
563 | | |
564 | | if (s->s3 != NULL) |
565 | | ssl3_free(s); |
566 | | |
567 | | if (!BUF_MEM_grow_clean(s->init_buf, |
568 | | SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { |
569 | | goto err; |
570 | | } |
571 | | |
572 | | s->state = SSL2_ST_GET_CLIENT_HELLO_A; |
573 | | if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3) |
574 | | s->s2->ssl2_rollback = 0; |
575 | | else |
576 | | /* |
577 | | * reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0 |
578 | | * (SSL 3.0 draft/RFC 2246, App. E.2) |
579 | | */ |
580 | | s->s2->ssl2_rollback = 1; |
581 | | |
582 | | /* |
583 | | * setup the n bytes we have read so we get them from the sslv2 |
584 | | * buffer |
585 | | */ |
586 | | s->rstate = SSL_ST_READ_HEADER; |
587 | | s->packet_length = n; |
588 | | s->packet = &(s->s2->rbuf[0]); |
589 | | memcpy(s->packet, buf, n); |
590 | | s->s2->rbuf_left = n; |
591 | | s->s2->rbuf_offs = 0; |
592 | | |
593 | | s->method = SSLv2_server_method(); |
594 | | s->handshake_func = s->method->ssl_accept; |
595 | | #endif |
596 | 0 | } |
597 | | |
598 | 0 | if ((type == 2) || (type == 3)) { |
599 | | /* |
600 | | * we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) |
601 | | */ |
602 | 0 | const SSL_METHOD *new_method; |
603 | 0 | new_method = ssl23_get_server_method(s->version); |
604 | 0 | if (new_method == NULL) { |
605 | 0 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); |
606 | 0 | goto err; |
607 | 0 | } |
608 | 0 | s->method = new_method; |
609 | |
|
610 | 0 | if (!ssl_init_wbio_buffer(s, 1)) |
611 | 0 | goto err; |
612 | | |
613 | | /* we are in this state */ |
614 | 0 | s->state = SSL3_ST_SR_CLNT_HELLO_A; |
615 | |
|
616 | 0 | if (type == 3) { |
617 | | /* |
618 | | * put the 'n' bytes we have read into the input buffer for SSLv3 |
619 | | */ |
620 | 0 | s->rstate = SSL_ST_READ_HEADER; |
621 | 0 | s->packet_length = n; |
622 | 0 | if (s->s3->rbuf.buf == NULL) |
623 | 0 | if (!ssl3_setup_read_buffer(s)) |
624 | 0 | goto err; |
625 | | |
626 | 0 | s->packet = &(s->s3->rbuf.buf[0]); |
627 | 0 | memcpy(s->packet, buf, n); |
628 | 0 | s->s3->rbuf.left = n; |
629 | 0 | s->s3->rbuf.offset = 0; |
630 | 0 | } else { |
631 | 0 | s->packet_length = 0; |
632 | 0 | s->s3->rbuf.left = 0; |
633 | 0 | s->s3->rbuf.offset = 0; |
634 | 0 | } |
635 | | #if 0 /* ssl3_get_client_hello does this */ |
636 | | s->client_version = (v[0] << 8) | v[1]; |
637 | | #endif |
638 | 0 | s->handshake_func = s->method->ssl_accept; |
639 | 0 | } |
640 | | |
641 | 0 | if ((type < 1) || (type > 3)) { |
642 | | /* bad, very bad */ |
643 | 0 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); |
644 | 0 | goto err; |
645 | 0 | } |
646 | 0 | s->init_num = 0; |
647 | |
|
648 | 0 | if (buf != buf_space) |
649 | 0 | OPENSSL_free(buf); |
650 | 0 | return (SSL_accept(s)); |
651 | 0 | err: |
652 | 0 | if (buf != buf_space) |
653 | 0 | OPENSSL_free(buf); |
654 | 0 | return (-1); |
655 | 0 | } |