1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay@cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay@cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57/* ==================================================================== 58 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core@openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay@cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh@cryptsoft.com). */ 108 109#include <stdio.h> 110 111#include <openssl/buf.h> 112#include <openssl/err.h> 113#include <openssl/evp.h> 114#include <openssl/obj.h> 115#include <openssl/rand.h> 116 117#include "ssl_locl.h" 118 119static const SSL_METHOD *ssl23_get_client_method(int ver); 120static int ssl23_client_hello(SSL *s); 121static int ssl23_get_server_hello(SSL *s); 122static const SSL_METHOD *ssl23_get_client_method(int ver) 123 { 124 /* When SSL_set_session is called, do NOT switch to the version-specific 125 * method table. The server may still negotiate a different version when 126 * rejecting the session. 127 * 128 * TODO(davidben): Clean this up. This duplicates logic from the 129 * version-specific tables. https://crbug.com/403378 */ 130 return SSLv23_client_method(); 131 } 132 133IMPLEMENT_ssl23_meth_func(SSLv23_client_method, 134 ssl_undefined_function, 135 ssl23_connect, 136 ssl23_get_client_method) 137 138int ssl23_connect(SSL *s) 139 { 140 BUF_MEM *buf=NULL; 141 void (*cb)(const SSL *ssl,int type,int val)=NULL; 142 int ret= -1; 143 int new_state,state; 144 145 ERR_clear_error(); 146 ERR_clear_system_error(); 147 148 if (s->info_callback != NULL) 149 cb=s->info_callback; 150 else if (s->ctx->info_callback != NULL) 151 cb=s->ctx->info_callback; 152 153 s->in_handshake++; 154 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 155 156 for (;;) 157 { 158 state=s->state; 159 160 switch(s->state) 161 { 162 case SSL_ST_BEFORE: 163 case SSL_ST_CONNECT: 164 case SSL_ST_BEFORE|SSL_ST_CONNECT: 165 case SSL_ST_OK|SSL_ST_CONNECT: 166 167 s->server=0; 168 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 169 170 /* s->version=TLS1_VERSION; */ 171 s->type=SSL_ST_CONNECT; 172 173 if (s->init_buf == NULL) 174 { 175 if ((buf=BUF_MEM_new()) == NULL) 176 { 177 ret= -1; 178 goto end; 179 } 180 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 181 { 182 ret= -1; 183 goto end; 184 } 185 s->init_buf=buf; 186 buf=NULL; 187 } 188 189 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 190 191 ssl3_init_finished_mac(s); 192 193 s->state=SSL23_ST_CW_CLNT_HELLO_A; 194 s->ctx->stats.sess_connect++; 195 s->init_num=0; 196 break; 197 198 case SSL23_ST_CW_CLNT_HELLO_A: 199 case SSL23_ST_CW_CLNT_HELLO_B: 200 201 s->shutdown=0; 202 ret=ssl23_client_hello(s); 203 if (ret <= 0) goto end; 204 s->state=SSL23_ST_CR_SRVR_HELLO_A; 205 s->init_num=0; 206 207 break; 208 209 case SSL23_ST_CR_SRVR_HELLO_A: 210 case SSL23_ST_CR_SRVR_HELLO_B: 211 ret=ssl23_get_server_hello(s); 212 if (ret >= 0) cb=NULL; 213 goto end; 214 /* break; */ 215 216 default: 217 OPENSSL_PUT_ERROR(SSL, ssl23_connect, SSL_R_UNKNOWN_STATE); 218 ret= -1; 219 goto end; 220 /* break; */ 221 } 222 223 if (s->debug) { (void)BIO_flush(s->wbio); } 224 225 if ((cb != NULL) && (s->state != state)) 226 { 227 new_state=s->state; 228 s->state=state; 229 cb(s,SSL_CB_CONNECT_LOOP,1); 230 s->state=new_state; 231 } 232 } 233end: 234 s->in_handshake--; 235 if (buf != NULL) 236 BUF_MEM_free(buf); 237 if (cb != NULL) 238 cb(s,SSL_CB_CONNECT_EXIT,ret); 239 return(ret); 240 } 241 242/* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 243 * on failure, 1 on success. */ 244int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) 245 { 246 int send_time = 0; 247 if (len < 4) 248 return 0; 249 if (server) 250 send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0; 251 else 252 send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0; 253 if (send_time) 254 { 255 unsigned long Time = (unsigned long)time(NULL); 256 unsigned char *p = result; 257 l2n(Time, p); 258 return RAND_pseudo_bytes(p, len-4); 259 } 260 else 261 return RAND_pseudo_bytes(result, len); 262 } 263 264static int ssl23_client_hello(SSL *s) 265 { 266 unsigned char *buf; 267 unsigned char *p,*d; 268 int i; 269 unsigned long l; 270 int version = 0, version_major, version_minor; 271 int ret; 272 unsigned long mask, options = s->options; 273 274 /* 275 * SSL_OP_NO_X disables all protocols above X *if* there are 276 * some protocols below X enabled. This is required in order 277 * to maintain "version capability" vector contiguous. So 278 * that if application wants to disable TLS1.0 in favour of 279 * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the 280 * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. 281 */ 282 mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3; 283 version = TLS1_2_VERSION; 284 if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask) 285 version = TLS1_1_VERSION; 286 mask &= ~SSL_OP_NO_TLSv1_1; 287 if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask) 288 version = TLS1_VERSION; 289 mask &= ~SSL_OP_NO_TLSv1; 290 if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask) 291 version = SSL3_VERSION; 292 mask &= ~SSL_OP_NO_SSLv3; 293 294 buf=(unsigned char *)s->init_buf->data; 295 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 296 { 297 /* Check if the session is resumable. If not, drop it. */ 298 if (s->session != NULL) 299 { 300 if (s->session->ssl_version > version || 301 s->session->session_id_length == 0 || 302 s->session->not_resumable) 303 { 304 SSL_SESSION_free(s->session); 305 s->session = NULL; 306 } 307 } 308 309 p=s->s3->client_random; 310 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) 311 return -1; 312 313 if (version == TLS1_2_VERSION) 314 { 315 version_major = TLS1_2_VERSION_MAJOR; 316 version_minor = TLS1_2_VERSION_MINOR; 317 } 318 else if (version == TLS1_1_VERSION) 319 { 320 version_major = TLS1_1_VERSION_MAJOR; 321 version_minor = TLS1_1_VERSION_MINOR; 322 } 323 else if (version == TLS1_VERSION) 324 { 325 version_major = TLS1_VERSION_MAJOR; 326 version_minor = TLS1_VERSION_MINOR; 327 } 328 else if (version == SSL3_VERSION) 329 { 330 version_major = SSL3_VERSION_MAJOR; 331 version_minor = SSL3_VERSION_MINOR; 332 } 333 else if (version == SSL2_VERSION) 334 { 335 version_major = SSL2_VERSION_MAJOR; 336 version_minor = SSL2_VERSION_MINOR; 337 } 338 else 339 { 340 OPENSSL_PUT_ERROR(SSL, ssl23_client_hello, SSL_R_NO_PROTOCOLS_AVAILABLE); 341 return(-1); 342 } 343 344 s->client_version = version; 345 346 /* create Client Hello in SSL 3.0/TLS 1.0 format */ 347 348 /* do the record header (5 bytes) and handshake message 349 * header (4 bytes) last. Note: the final argument to 350 * ssl_add_clienthello_tlsext below depends on the size 351 * of this prefix. */ 352 d = p = &(buf[9]); 353 354 *(p++) = version_major; 355 *(p++) = version_minor; 356 357 /* Random stuff */ 358 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); 359 p += SSL3_RANDOM_SIZE; 360 361 /* Session ID */ 362 if (s->new_session || s->session == NULL) 363 i=0; 364 else 365 i=s->session->session_id_length; 366 *(p++)=i; 367 if (i != 0) 368 { 369 if (i > (int)sizeof(s->session->session_id)) 370 { 371 OPENSSL_PUT_ERROR(SSL, ssl23_client_hello, ERR_R_INTERNAL_ERROR); 372 return -1; 373 } 374 memcpy(p,s->session->session_id,i); 375 p+=i; 376 } 377 378 /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */ 379 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2]); 380 if (i == 0) 381 { 382 OPENSSL_PUT_ERROR(SSL, ssl23_client_hello, SSL_R_NO_CIPHERS_AVAILABLE); 383 return -1; 384 } 385 s2n(i,p); 386 p+=i; 387 388 /* COMPRESSION */ 389 *(p++)=1; 390 *(p++)=0; /* Add the NULL method */ 391 392 /* TLS extensions*/ 393 if (ssl_prepare_clienthello_tlsext(s) <= 0) 394 { 395 OPENSSL_PUT_ERROR(SSL, ssl23_client_hello, SSL_R_CLIENTHELLO_TLSEXT); 396 return -1; 397 } 398 399 /* The buffer includes the 5 byte record header, so 400 * subtract it to compute hlen for 401 * ssl_add_clienthello_tlsext. */ 402 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, p-buf-5)) == NULL) 403 { 404 OPENSSL_PUT_ERROR(SSL, ssl23_client_hello, ERR_R_INTERNAL_ERROR); 405 return -1; 406 } 407 408 l = p-d; 409 410 /* fill in 4-byte handshake header */ 411 d=&(buf[5]); 412 *(d++)=SSL3_MT_CLIENT_HELLO; 413 l2n3(l,d); 414 415 l += 4; 416 417 if (l > SSL3_RT_MAX_PLAIN_LENGTH) 418 { 419 OPENSSL_PUT_ERROR(SSL, ssl23_client_hello, ERR_R_INTERNAL_ERROR); 420 return -1; 421 } 422 423 /* fill in 5-byte record header */ 424 d=buf; 425 *(d++) = SSL3_RT_HANDSHAKE; 426 *(d++) = version_major; 427 /* Some servers hang if we use long client hellos 428 * and a record number > TLS 1.0. 429 */ 430 if (TLS1_get_client_version(s) > TLS1_VERSION) 431 *(d++) = 1; 432 else 433 *(d++) = version_minor; 434 s2n((int)l,d); 435 436 /* number of bytes to write */ 437 s->init_num=p-buf; 438 s->init_off=0; 439 440 ssl3_finish_mac(s,&(buf[5]), s->init_num - 5); 441 442 s->state=SSL23_ST_CW_CLNT_HELLO_B; 443 s->init_off=0; 444 } 445 446 /* SSL3_ST_CW_CLNT_HELLO_B */ 447 ret = ssl23_write_bytes(s); 448 449 if ((ret >= 2) && s->msg_callback) 450 { 451 /* Client Hello has been sent; tell msg_callback */ 452 453 s->msg_callback(1, version, SSL3_RT_HEADER, s->init_buf->data, 5, s, s->msg_callback_arg); 454 s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data+5, ret-5, s, s->msg_callback_arg); 455 } 456 457 return ret; 458 } 459 460static int ssl23_get_server_hello(SSL *s) 461 { 462 char buf[8]; 463 unsigned char *p; 464 int i; 465 int n; 466 467 n=ssl23_read_bytes(s,7); 468 469 if (n != 7) return(n); 470 p=s->packet; 471 472 memcpy(buf,p,n); 473 474 if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) && 475 (p[5] == 0x00) && (p[6] == 0x02)) 476 { 477 OPENSSL_PUT_ERROR(SSL, ssl23_get_server_hello, SSL_R_UNSUPPORTED_PROTOCOL); 478 goto err; 479 } 480 else if (p[1] == SSL3_VERSION_MAJOR && 481 p[2] <= TLS1_2_VERSION_MINOR && 482 ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) || 483 (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) 484 { 485 /* we have sslv3 or tls1 (server hello or alert) */ 486 487 if ((p[2] == SSL3_VERSION_MINOR) && 488 !(s->options & SSL_OP_NO_SSLv3)) 489 { 490 s->version=SSL3_VERSION; 491 s->method=SSLv3_client_method(); 492 } 493 else if ((p[2] == TLS1_VERSION_MINOR) && 494 !(s->options & SSL_OP_NO_TLSv1)) 495 { 496 s->version=TLS1_VERSION; 497 s->method=TLSv1_client_method(); 498 } 499 else if ((p[2] == TLS1_1_VERSION_MINOR) && 500 !(s->options & SSL_OP_NO_TLSv1_1)) 501 { 502 s->version=TLS1_1_VERSION; 503 s->method=TLSv1_1_client_method(); 504 } 505 else if ((p[2] == TLS1_2_VERSION_MINOR) && 506 !(s->options & SSL_OP_NO_TLSv1_2)) 507 { 508 s->version=TLS1_2_VERSION; 509 s->method=TLSv1_2_client_method(); 510 } 511 else 512 { 513 OPENSSL_PUT_ERROR(SSL, ssl23_get_server_hello, SSL_R_UNSUPPORTED_PROTOCOL); 514 goto err; 515 } 516 517 if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) 518 { 519 /* fatal alert */ 520 521 void (*cb)(const SSL *ssl,int type,int val)=NULL; 522 int j; 523 524 if (s->info_callback != NULL) 525 cb=s->info_callback; 526 else if (s->ctx->info_callback != NULL) 527 cb=s->ctx->info_callback; 528 529 i=p[5]; 530 if (cb != NULL) 531 { 532 j=(i<<8)|p[6]; 533 cb(s,SSL_CB_READ_ALERT,j); 534 } 535 536 if (s->msg_callback) 537 { 538 s->msg_callback(0, s->version, SSL3_RT_HEADER, p, 5, s, s->msg_callback_arg); 539 s->msg_callback(0, s->version, SSL3_RT_ALERT, p+5, 2, s, s->msg_callback_arg); 540 } 541 542 s->rwstate=SSL_NOTHING; 543 OPENSSL_PUT_ERROR(SSL, ssl23_get_server_hello, SSL_AD_REASON_OFFSET + p[6]); 544 goto err; 545 } 546 547 if (!ssl_init_wbio_buffer(s,1)) goto err; 548 549 /* we are in this state */ 550 s->state=SSL3_ST_CR_SRVR_HELLO_A; 551 552 /* put the 7 bytes we have read into the input buffer 553 * for SSLv3 */ 554 s->rstate=SSL_ST_READ_HEADER; 555 s->packet_length=n; 556 if (s->s3->rbuf.buf == NULL) 557 if (!ssl3_setup_read_buffer(s)) 558 goto err; 559 s->packet= &(s->s3->rbuf.buf[0]); 560 memcpy(s->packet,buf,n); 561 s->s3->rbuf.left=n; 562 s->s3->rbuf.offset=0; 563 564 s->handshake_func=s->method->ssl_connect; 565 } 566 else 567 { 568 OPENSSL_PUT_ERROR(SSL, ssl23_get_server_hello, SSL_R_UNKNOWN_PROTOCOL); 569 goto err; 570 } 571 s->init_num=0; 572 573 /* If there was no session to resume, now that the final version is 574 * determined, insert a fresh one. */ 575 if (s->session == NULL && !ssl_get_new_session(s,0)) 576 goto err; 577 578 return(SSL_connect(s)); 579err: 580 return(-1); 581 } 582