static int get_server_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p;
int i,j;
unsigned long len;
STACK_OF(SSL_CIPHER) *sk=NULL,*cl, *prio, *allow;
buf=(unsigned char *)s->init_buf->data;
p=buf;
if (s->state == SSL2_ST_GET_SERVER_HELLO_A)
{
i=ssl2_read(s,(char *)&(buf[s->init_num]),11-s->init_num);
if (i < (11-s->init_num))
return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
s->init_num = 11;
if (*(p++) != SSL2_MT_SERVER_HELLO)
{
if (p[-1] != SSL2_MT_ERROR)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_HELLO,
SSL_R_READ_WRONG_PACKET_TYPE);
}
else
SSLerr(SSL_F_GET_SERVER_HELLO,
SSL_R_PEER_ERROR);
return(-1);
}
#ifdef __APPLE_CC__
/* The Rhapsody 5.5 (a.k.a. MacOS X) compiler bug
* workaround. <*****@*****.**> */
s->hit=(i=*(p++))?1:0;
#else
s->hit=(*(p++))?1:0;
#endif
s->s2->tmp.cert_type= *(p++);
n2s(p,i);
if (i < s->version) s->version=i;
n2s(p,i); s->s2->tmp.cert_length=i;
n2s(p,i); s->s2->tmp.csl=i;
n2s(p,i); s->s2->tmp.conn_id_length=i;
s->state=SSL2_ST_GET_SERVER_HELLO_B;
}
/* SSL2_ST_GET_SERVER_HELLO_B */
len = 11 + (unsigned long)s->s2->tmp.cert_length + (unsigned long)s->s2->tmp.csl + (unsigned long)s->s2->tmp.conn_id_length;
if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
{
SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_MESSAGE_TOO_LONG);
return -1;
}
j = (int)len - s->init_num;
i = ssl2_read(s,(char *)&(buf[s->init_num]),j);
if (i != j) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
if (s->msg_callback)
s->msg_callback(0, s->version, 0, buf, (size_t)len, s, s->msg_callback_arg); /* SERVER-HELLO */
/* things are looking good */
p = buf + 11;
if (s->hit)
{
if (s->s2->tmp.cert_length != 0)
{
SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CERT_LENGTH_NOT_ZERO);
return(-1);
}
if (s->s2->tmp.cert_type != 0)
{
if (!(s->options &
SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG))
{
SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CERT_TYPE_NOT_ZERO);
return(-1);
}
}
if (s->s2->tmp.csl != 0)
{
SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CIPHER_LIST_NOT_ZERO);
return(-1);
}
}
else
{
#ifdef undef
/* very bad */
memset(s->session->session_id,0,
SSL_MAX_SSL_SESSION_ID_LENGTH_IN_BYTES);
s->session->session_id_length=0;
*/
#endif
/* we need to do this in case we were trying to reuse a
* client session but others are already reusing it.
* If this was a new 'blank' session ID, the session-id
* length will still be 0 */
if (s->session->session_id_length > 0)
{
if (!ssl_get_new_session(s,0))
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
return(-1);
}
}
if (ssl2_set_certificate(s,s->s2->tmp.cert_type,
s->s2->tmp.cert_length,p) <= 0)
{
ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
return(-1);
}
p+=s->s2->tmp.cert_length;
if (s->s2->tmp.csl == 0)
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_LIST);
return(-1);
}
/* We have just received a list of ciphers back from the
* server. We need to get the ones that match, then select
* the one we want the most :-). */
/* load the ciphers */
sk=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.csl,
&s->session->ciphers);
p+=s->s2->tmp.csl;
if (sk == NULL)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE);
return(-1);
}
(void)sk_SSL_CIPHER_set_cmp_func(sk,ssl_cipher_ptr_id_cmp);
/* get the array of ciphers we will accept */
cl=SSL_get_ciphers(s);
(void)sk_SSL_CIPHER_set_cmp_func(cl,ssl_cipher_ptr_id_cmp);
/*
* If server preference flag set, choose the first
* (highest priority) cipher the server sends, otherwise
* client preference has priority.
*/
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
{
prio = sk;
allow = cl;
}
else
{
prio = cl;
allow = sk;
}
/* In theory we could have ciphers sent back that we
* don't want to use but that does not matter since we
* will check against the list we originally sent and
* for performance reasons we should not bother to match
* the two lists up just to check. */
for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
{
if (sk_SSL_CIPHER_find(allow,
sk_SSL_CIPHER_value(prio,i)) >= 0)
break;
}
if (i >= sk_SSL_CIPHER_num(prio))
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_MATCH);
return(-1);
}
s->session->cipher=sk_SSL_CIPHER_value(prio,i);
if (s->session->peer != NULL) /* can't happen*/
{
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
return(-1);
}
s->session->peer = s->session->sess_cert->peer_key->x509;
/* peer_key->x509 has been set by ssl2_set_certificate. */
CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
}
if (s->session->sess_cert == NULL
|| s->session->peer != s->session->sess_cert->peer_key->x509)
/* can't happen */
{
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
return(-1);
}
s->s2->conn_id_length=s->s2->tmp.conn_id_length;
if (s->s2->conn_id_length > sizeof s->s2->conn_id)
{
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_SSL2_CONNECTION_ID_TOO_LONG);
return -1;
}
memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
return(1);
}
int
dtls1_client_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p, *d;
unsigned int i;
unsigned long l;
buf = (unsigned char *)s->init_buf->data;
if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
SSL_SESSION *sess = s->session;
if ((s->session == NULL) ||
(s->session->ssl_version != s->version) ||
(!sess->session_id_length && !sess->tlsext_tick) ||
(s->session->not_resumable)) {
if (!ssl_get_new_session(s, 0))
goto err;
}
/* else use the pre-loaded session */
p = s->s3->client_random;
/* if client_random is initialized, reuse it, we are
* required to use same upon reply to HelloVerify */
for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)
;
if (i == sizeof(s->s3->client_random))
RAND_pseudo_bytes(p, sizeof(s->s3->client_random));
/* Do the message type and length last */
d = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
*(p++) = s->version >> 8;
*(p++) = s->version&0xff;
s->client_version = s->version;
/* Random stuff */
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
/* Session ID */
if (s->new_session)
i = 0;
else
i = s->session->session_id_length;
*(p++) = i;
if (i != 0) {
if (i > sizeof s->session->session_id) {
SSLerr(SSL_F_DTLS1_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
goto err;
}
memcpy(p, s->session->session_id, i);
p += i;
}
/* cookie stuff */
if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
*(p++) = s->d1->cookie_len;
memcpy(p, s->d1->cookie, s->d1->cookie_len);
p += s->d1->cookie_len;
/* Ciphers supported */
i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0);
if (i == 0) {
SSLerr(SSL_F_DTLS1_CLIENT_HELLO,
SSL_R_NO_CIPHERS_AVAILABLE);
goto err;
}
s2n(i, p);
p += i;
/* add in (no) COMPRESSION */
*(p++) = 1;
*(p++) = 0; /* Add the NULL method */
if ((p = ssl_add_clienthello_tlsext(s, p,
buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
l = (p - d);
d = buf;
d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO,
l, 0, l);
s->state = SSL3_ST_CW_CLNT_HELLO_B;
/* number of bytes to write */
s->init_num = p - buf;
s->init_off = 0;
/* buffer the message to handle re-xmits */
dtls1_buffer_message(s, 0);
}
static int client_hello(SSL *s, int fastopen, struct sockaddr_in sa)
{
unsigned char *buf;
unsigned char *p,*d;
/* CIPHER **cipher;*/
int i,n,j;
buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL2_ST_SEND_CLIENT_HELLO_A)
{
if ((s->session == NULL) ||
(s->session->ssl_version != s->version))
{
if (!ssl_get_new_session(s,0))
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
return(-1);
}
}
/* else use the pre-loaded session */
p=buf; /* header */
d=p+9; /* data section */
*(p++)=SSL2_MT_CLIENT_HELLO; /* type */
s2n(SSL2_VERSION,p); /* version */
n=j=0;
n=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),d,0);
d+=n;
if (n == 0)
{
SSLerr(SSL_F_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
return(-1);
}
s2n(n,p); /* cipher spec num bytes */
if ((s->session->session_id_length > 0) &&
(s->session->session_id_length <=
SSL2_MAX_SSL_SESSION_ID_LENGTH))
{
i=s->session->session_id_length;
s2n(i,p); /* session id length */
memcpy(d,s->session->session_id,(unsigned int)i);
d+=i;
}
else
{
s2n(0,p);
}
s->s2->challenge_length=SSL2_CHALLENGE_LENGTH;
s2n(SSL2_CHALLENGE_LENGTH,p); /* challenge length */
/*challenge id data*/
if (RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH) <= 0)
return -1;
memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH);
d+=SSL2_CHALLENGE_LENGTH;
s->state=SSL2_ST_SEND_CLIENT_HELLO_B;
s->init_num=d-buf;
s->init_off=0;
}
/* SSL2_ST_SEND_CLIENT_HELLO_B */
return(ssl2_do_write(s));
}
//key: 32 bytes
//iv: 16 bytes
//mac_secret: 20 bytes
SSL* get_live_ssl_obj(char *master_key, size_t master_key_len, uint16_t cipher_suite, unsigned char *server_random, unsigned char *client_random)
{
static SSL_CTX *ctx = 0;
// TODO(ewust/SPTelex): probably having a single context is ok?
if (!ctx) {
/* Build our SSL context*/
//ctx=initialize_ctx(KEYFILE,PASSWORD);
SSL_library_init();
SSL_load_error_strings();
//extern BIO *bio_err;
//bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
ctx = SSL_CTX_new(TLSv1_2_server_method());
}
SSL *ssl = SSL_new(ctx);
if (!ssl) {
fprintf(stderr, "could not init ssl...\n");
exit(-1);
}
//ssl->telex_client_random = "hello, worldxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n";
//if (is_server) {
ssl->type = SSL_ST_ACCEPT;
ssl->method = TLSv1_2_server_method();
/*} else {
ssl->type = SSL_ST_CONNECT;
ssl->method = TLSv1_client_method();
} */
ssl->rwstate = SSL_NOTHING;
ssl->in_handshake = 0; /* We're simulating having finished SSL_connect. */
ssl->handshake_func = ssl3_connect;
ssl->server = 0;
ssl->new_session = 0;
ssl->quiet_shutdown = 0;
ssl->shutdown = 0;
ssl->state = SSL_ST_OK;
ssl->rstate = SSL_ST_READ_HEADER;
/* Handshake stuff, we're not doing a handshake. */
ssl->init_buf = ssl->init_msg = NULL;
ssl->init_num = ssl->init_off = 0;
assert(ssl->packet == NULL);
assert(ssl->packet_length == 0);
// Set by SSL_new.
assert(ssl->read_ahead == 0);
assert(ssl->msg_callback == NULL);
// Set by SSL_clear.
assert(ssl->hit == 0);
// Let's not touch ssl->param; it's set by SSL_new.
// Set by SSL_new.
assert(ssl->cipher_list == NULL);
assert(ssl->cipher_list_by_id == NULL);
//assert(ssl->mac_flags == 0);
// Set by SSL clear.
assert(ssl->enc_read_ctx == NULL);
assert(ssl->read_hash == NULL);
assert(ssl->expand == NULL);
assert(ssl->enc_write_ctx == NULL);
assert(ssl->write_hash == NULL);
assert(ssl->compress == NULL);
// Let's leave ssl->cert alone; should be set by SSL_new.
// Let's leave ssl->sid_ctx_length alone; should be set by SSL_new.
if (!ssl_get_new_session(ssl, 0)) {
fprintf(stderr, "Couldn't get session\n");
exit(-1);
}
// verify_mode and verify_callback are set by SSL_new.
assert(ssl->info_callback == NULL); // ?
assert(ssl->error == 0);
assert(ssl->error_code == 0);
//assert(ssl->psk_client_callback == NULL);
//assert(ssl->psk_server_callback == NULL);
assert(ssl->ctx);
ssl->verify_result = X509_V_OK; // Just say the cert's valid.
// ssl->ex_data is a TODO.
// Set by SSL_new (big memset to 0).
assert(ssl->client_CA == NULL);
assert(ssl->references == 1);
//ssl->options is set in SSL_new.
//ssl->mode is set in SSL_new.
//ssl->max_cert_list is set in SSL_new.
// TODO(ewust/SPTelex): would this be TLS 1.0 or TLS 1.2?
ssl->client_version = ssl->version;
// ssl->max_send_fragment is set in SSL_new.
// In SSL_new:
assert(ssl->tlsext_status_type == -1);
assert(ssl->tlsext_status_expected == 0);
assert(ssl->servername_done == 0);
assert(ssl->tlsext_ocsp_resplen == -1);
assert(ssl->tlsext_ticket_expected == 0);
// TODO(ewust/SPTelex): might be needed; but we already have master key?
#if 0
// The elliptic curve stuff below probably isn't necessary if
// we're not using an elliptic curve cipher.
ssl->tlsext_ecpointformatlist_length = 3;
ssl->tlsext_ecpointformatlist = OPENSSL_malloc(3);
memcpy(ssl->tlsext_ecpointformatlist, "\x00\x01\x02", 3);
ssl->tlsext_ellipticcurvelist_length = 50;
ssl->tlsext_ellipticcurvelist = OPENSSL_malloc(50);
memcpy(ssl->tlsext_ellipticcurvelist, "\x00\x01\x00\x02\x00\x03\x00"
"\x04\x00\x05\x00\x06\x00\x07\x00\x08\x00\x09\x00\x0a\x00\x0b\x00"
"\x0c\x00\x0d\x00\x0e\x00\x0f\x00\x10\x00\x11\x00\x12\x00\x13\x00"
"\x14\x00\x15\x00\x16\x00\x17\x00\x18\x00\x19", 50);
#endif
//ssl->tls_opaque_prf_input_len = 0;
ssl->initial_ctx = ssl->ctx;
// This is done by ssl3_new.
//memset(ssl->s3, 0, sizeof(*ssl->s3));
// TODO(SPTelex): don't think 1.2 in GCM needs this
ssl->s3->need_empty_fragments = 1;
//SSL3_BUFFER is {buf, len, offset, left};
//ssl->s3->rbuf.buf = NULL; //TODO these buffers are set up by first call to read
//ssl->s3->rrec = 0x16; //TODO?
//ssl->s3->wbuf.buf = NULL; //TODO same with these for first call to write
//ssl->s3->wrec = 0x16; //TODO?
// swolchok: We don't want to set this stuff, it's for pending writes.
#if 0
ssl->s3->wpend_tot = 16;
ssl->s3->wpend_type = 22;
ssl->s3->wpend_ret = 16;
#endif
ssl->s3->wpend_buf = NULL; //TODO
ssl3_setup_buffers(ssl);
//assert(ssl->s3->handshake_dgst == NULL); //TODO; swolchok: should be free.
ssl->s3->tmp.message_size = 12;
ssl->s3->tmp.message_type = 20;
ssl->s3->tmp.new_cipher = NULL; //TODO
ssl->s3->tmp.next_state = 4576; //hehe
ssl->s3->tmp.new_sym_enc = NULL; //TODO
ssl->s3->tmp.new_hash = NULL; //TODO
//ssl->s3->tmp.new_mac_pkey_type = 855;
//ssl->s3->tmp.new_mac_secret_size = 20;
if (!ssl_get_new_session(ssl, 0)) {
fprintf(stderr, "Couldn't initialize session\n");
exit(-1);
}
#if 0
c = malloc(sizeof(EVP_CIPHER));
//ssl->s3->tmp.new_sym_enc = c;
c->nid = 427;
c->block_size = 16;
c->key_len = 32;
c->iv_len = 16;
c->flags = 2;
//c->init = aes_init_key;
//c->do_cipher = aes_256_cbc_cipher;
c->cleanup = 0;
c->ctx_size = 244;
//c->set_asn1_parameters = EVP_CIPHER_set_asn1_iv;
//c->get_asn1_parameters = EVP_CIPHER_get_asn1_iv;
c->ctrl = 0;
c->app_data = NULL;
#endif
#if 0
memset(ssl->enc_write_ctx, 0, sizeof(EVP_CIPHER_CTX));
ssl->enc_write_ctx->cipher = NULL;
ssl->enc_write_ctx->engine = NULL;
ssl->enc_write_ctx->encrypt = 1;
ssl->enc_write_ctx->buf_len = 0;
ssl->enc_write_ctx->oiv; //TODO
ssl->enc_write_ctx->iv; //TODO
ssl->enc_write_ctx->key_len = 32;
ssl->enc_write_ctx->cipher_data; //TODO
ssl->enc_write_ctx->block_mask = 0x0f;
memset(ssl->enc_read_ctx, 0, sizeof(EVP_CIPHER_CTX));
ssl->enc_read_ctx->cipher = NULL; //they can share, for all i care
ssl->enc_read_ctx->engine = NULL;
ssl->enc_read_ctx->encrypt = 0;
ssl->enc_read_ctx->buf_len = 0;
ssl->enc_read_ctx->oiv; //TODO
ssl->enc_read_ctx->iv; //TODO
ssl->enc_read_ctx->key_len = 32;
ssl->enc_read_ctx->cipher_data; //TODO
ssl->enc_read_ctx->block_mask = 0x0f;
EVP_CipherInit_ex(ssl->enc_write_ctx, c, NULL, &ssl->s3->tmp.key_block[40],
&ssl->s3->tmp.key_block[104], 1);
EVP_CipherInit_ex(ssl->enc_read_ctx, c, NULL, &ssl->s3->tmp.key_block[72],
&ssl->s3->tmp.key_block[120], 0);
#endif
//BIO setup
SSL_set_bio(ssl, BIO_new(BIO_s_mem()), BIO_new(BIO_s_mem()));
#if 0 // Don't need to copy in secrets now, but the layout is handy to know.
memcpy(&ssl->s3->tmp.key_block[0], write->mac_secret, 20);
memcpy(&ssl->s3->tmp.key_block[40], write->key, 32);
memcpy(&ssl->s3->tmp.key_block[104], write->iv, 16);
memcpy(&ssl->s3->tmp.key_block[20], read->mac_secret, 20);
memcpy(&ssl->s3->tmp.key_block[72], read->key, 32);
memcpy(&ssl->s3->tmp.key_block[120], read->iv, 16);
#endif
// TODO(ewust/SPTelex)
memcpy(ssl->s3->client_random, client_random, 32);
memcpy(ssl->s3->server_random, server_random, 32);
if (!switch_to_telex_crypto(ssl, master_key,
master_key_len, cipher_suite)) {
fprintf(stderr, "Couldn't change to telex crypto!\n");
exit(-1);
}
return ssl;
}
static int ssl23_client_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p,*d;
int i,j,ch_len;
unsigned long Time,l;
int ssl2_compat;
int version = 0, version_major, version_minor;
SSL_COMP *comp;
int ret;
ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
if (!(s->options & SSL_OP_NO_TLSv1))
{
version = TLS1_VERSION;
}
else if (!(s->options & SSL_OP_NO_SSLv3))
{
version = SSL3_VERSION;
}
else if (!(s->options & SSL_OP_NO_SSLv2))
{
version = SSL2_VERSION;
}
buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
{
#if 0
/* don't reuse session-id's */
if (!ssl_get_new_session(s,0))
{
return(-1);
}
#endif
p=s->s3->client_random;
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
return -1;
if (version == TLS1_VERSION)
{
version_major = TLS1_VERSION_MAJOR;
version_minor = TLS1_VERSION_MINOR;
}
else if (version == SSL3_VERSION)
{
version_major = SSL3_VERSION_MAJOR;
version_minor = SSL3_VERSION_MINOR;
}
else if (version == SSL2_VERSION)
{
version_major = SSL2_VERSION_MAJOR;
version_minor = SSL2_VERSION_MINOR;
}
else
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_PROTOCOLS_AVAILABLE);
return(-1);
}
s->client_version = version;
if (ssl2_compat)
{
/* create SSL 2.0 compatible Client Hello */
/* two byte record header will be written last */
d = &(buf[2]);
p = d + 9; /* leave space for message type, version, individual length fields */
*(d++) = SSL2_MT_CLIENT_HELLO;
*(d++) = version_major;
*(d++) = version_minor;
/* Ciphers supported */
i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p,0);
if (i == 0)
{
/* no ciphers */
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
return -1;
}
s2n(i,d);
p+=i;
/* put in the session-id length (zero since there is no reuse) */
#if 0
s->session->session_id_length=0;
#endif
s2n(0,d);
if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
ch_len=SSL2_CHALLENGE_LENGTH;
else
ch_len=SSL2_MAX_CHALLENGE_LENGTH;
/* write out sslv2 challenge */
if (SSL3_RANDOM_SIZE < ch_len)
i=SSL3_RANDOM_SIZE;
else
i=ch_len;
s2n(i,d);
memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
if (RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
return -1;
memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
p+=i;
i= p- &(buf[2]);
buf[0]=((i>>8)&0xff)|0x80;
buf[1]=(i&0xff);
/* number of bytes to write */
s->init_num=i+2;
s->init_off=0;
ssl3_finish_mac(s,&(buf[2]),i);
}
else
{
/* create Client Hello in SSL 3.0/TLS 1.0 format */
/* do the record header (5 bytes) and handshake message header (4 bytes) last */
d = p = &(buf[9]);
*(p++) = version_major;
*(p++) = version_minor;
/* Random stuff */
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
/* Session ID (zero since there is no reuse) */
*(p++) = 0;
/* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char);
if (i == 0)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
return -1;
}
s2n(i,p);
p+=i;
/* COMPRESSION */
if (s->ctx->comp_methods == NULL)
j=0;
else
j=sk_SSL_COMP_num(s->ctx->comp_methods);
*(p++)=1+j;
for (i=0; i<j; i++)
{
comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
*(p++)=comp->id;
}
*(p++)=0; /* Add the NULL method */
l = p-d;
*p = 42;
/* fill in 4-byte handshake header */
d=&(buf[5]);
*(d++)=SSL3_MT_CLIENT_HELLO;
l2n3(l,d);
l += 4;
if (l > SSL3_RT_MAX_PLAIN_LENGTH)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
return -1;
}
/* fill in 5-byte record header */
d=buf;
*(d++) = SSL3_RT_HANDSHAKE;
*(d++) = version_major;
*(d++) = version_minor; /* arguably we should send the *lowest* suported version here
* (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */
s2n((int)l,d);
/* number of bytes to write */
s->init_num=p-buf;
s->init_off=0;
ssl3_finish_mac(s,&(buf[5]), s->init_num - 5);
}
s->state=SSL23_ST_CW_CLNT_HELLO_B;
s->init_off=0;
}
static int ssl23_client_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p,*d;
int i,ch_len;
unsigned long Time,l;
int ssl2_compat;
int version = 0, version_major, version_minor;
#ifndef OPENSSL_NO_COMP
int j;
SSL_COMP *comp;
#endif
int ret;
unsigned long mask, options = s->options;
ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1;
if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
ssl2_compat = 0;
/*
* SSL_OP_NO_X disables all protocols above X *if* there are
* some protocols below X enabled. This is required in order
* to maintain "version capability" vector contiguous. So
* that if application wants to disable TLS1.0 in favour of
* TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
* answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
*/
mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1
#if !defined(OPENSSL_NO_SSL3)
|SSL_OP_NO_SSLv3
#endif
#if !defined(OPENSSL_NO_SSL2)
|(ssl2_compat?SSL_OP_NO_SSLv2:0)
#endif
;
#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
version = TLS1_2_VERSION;
if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
version = TLS1_1_VERSION;
#else
version = TLS1_1_VERSION;
#endif
mask &= ~SSL_OP_NO_TLSv1_1;
if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
version = TLS1_VERSION;
mask &= ~SSL_OP_NO_TLSv1;
#if !defined(OPENSSL_NO_SSL3)
if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
version = SSL3_VERSION;
mask &= ~SSL_OP_NO_SSLv3;
#endif
#if !defined(OPENSSL_NO_SSL2)
if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask)
version = SSL2_VERSION;
#endif
#ifndef OPENSSL_NO_TLSEXT
if (version != SSL2_VERSION)
{
/* have to disable SSL 2.0 compatibility if we need TLS extensions */
if (s->tlsext_hostname != NULL)
ssl2_compat = 0;
if (s->tlsext_status_type != -1)
ssl2_compat = 0;
#ifdef TLSEXT_TYPE_opaque_prf_input
if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
ssl2_compat = 0;
#endif
if (s->ctx->custom_cli_ext_records_count != 0)
ssl2_compat = 0;
if (s->ctx->cli_supp_data_records_count != 0)
ssl2_compat = 0;
}
#endif
buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
{
#if 0
/* don't reuse session-id's */
if (!ssl_get_new_session(s,0))
{
return(-1);
}
#endif
p=s->s3->client_random;
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
return -1;
if (version == TLS1_2_VERSION)
{
version_major = TLS1_2_VERSION_MAJOR;
version_minor = TLS1_2_VERSION_MINOR;
}
else if (tls1_suiteb(s))
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,
SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
return -1;
}
else if (version == TLS1_1_VERSION)
{
version_major = TLS1_1_VERSION_MAJOR;
version_minor = TLS1_1_VERSION_MINOR;
}
else if (version == TLS1_VERSION)
{
version_major = TLS1_VERSION_MAJOR;
version_minor = TLS1_VERSION_MINOR;
}
#ifdef OPENSSL_FIPS
else if(FIPS_mode())
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
return -1;
}
#endif
else if (version == SSL3_VERSION)
{
version_major = SSL3_VERSION_MAJOR;
version_minor = SSL3_VERSION_MINOR;
}
else if (version == SSL2_VERSION)
{
version_major = SSL2_VERSION_MAJOR;
version_minor = SSL2_VERSION_MINOR;
}
else
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_PROTOCOLS_AVAILABLE);
return(-1);
}
s->client_version = version;
if (ssl2_compat)
{
/* create SSL 2.0 compatible Client Hello */
/* two byte record header will be written last */
d = &(buf[2]);
p = d + 9; /* leave space for message type, version, individual length fields */
*(d++) = SSL2_MT_CLIENT_HELLO;
*(d++) = version_major;
*(d++) = version_minor;
/* Ciphers supported */
i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p,0);
if (i == 0)
{
/* no ciphers */
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
return -1;
}
s2n(i,d);
p+=i;
/* put in the session-id length (zero since there is no reuse) */
#if 0
s->session->session_id_length=0;
#endif
s2n(0,d);
if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
ch_len=SSL2_CHALLENGE_LENGTH;
else
ch_len=SSL2_MAX_CHALLENGE_LENGTH;
/* write out sslv2 challenge */
/* Note that ch_len must be <= SSL3_RANDOM_SIZE (32),
because it is one of SSL2_MAX_CHALLENGE_LENGTH (32)
or SSL2_MAX_CHALLENGE_LENGTH (16), but leave the
check in for futurproofing */
if (SSL3_RANDOM_SIZE < ch_len)
i=SSL3_RANDOM_SIZE;
else
i=ch_len;
s2n(i,d);
memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
if (RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
return -1;
memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
p+=i;
i= p- &(buf[2]);
buf[0]=((i>>8)&0xff)|0x80;
buf[1]=(i&0xff);
/* number of bytes to write */
s->init_num=i+2;
s->init_off=0;
ssl3_finish_mac(s,&(buf[2]),i);
}
else
{
/* create Client Hello in SSL 3.0/TLS 1.0 format */
/* do the record header (5 bytes) and handshake message header (4 bytes) last */
d = p = &(buf[9]);
*(p++) = version_major;
*(p++) = version_minor;
/* Random stuff */
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
/* Session ID (zero since there is no reuse) */
*(p++) = 0;
/* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char);
if (i == 0)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
return -1;
}
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
/* Some servers hang if client hello > 256 bytes
* as hack workaround chop number of supported ciphers
* to keep it well below this if we use TLS v1.2
*/
if (TLS1_get_version(s) >= TLS1_2_VERSION
&& i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
#endif
s2n(i,p);
p+=i;
/* COMPRESSION */
#ifdef OPENSSL_NO_COMP
*(p++)=1;
#else
if ((s->options & SSL_OP_NO_COMPRESSION)
|| !s->ctx->comp_methods)
j=0;
else
j=sk_SSL_COMP_num(s->ctx->comp_methods);
*(p++)=1+j;
for (i=0; i<j; i++)
{
comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
*(p++)=comp->id;
}
#endif
*(p++)=0; /* Add the NULL method */
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (ssl_prepare_clienthello_tlsext(s) <= 0)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
return -1;
}
if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
return -1;
}
#endif
l = p-d;
/* fill in 4-byte handshake header */
d=&(buf[5]);
*(d++)=SSL3_MT_CLIENT_HELLO;
l2n3(l,d);
l += 4;
if (l > SSL3_RT_MAX_PLAIN_LENGTH)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
return -1;
}
/* fill in 5-byte record header */
d=buf;
*(d++) = SSL3_RT_HANDSHAKE;
*(d++) = version_major;
/* Some servers hang if we use long client hellos
* and a record number > TLS 1.0.
*/
if (TLS1_get_client_version(s) > TLS1_VERSION)
*(d++) = 1;
else
*(d++) = version_minor;
s2n((int)l,d);
/* number of bytes to write */
s->init_num=p-buf;
s->init_off=0;
ssl3_finish_mac(s,&(buf[5]), s->init_num - 5);
}
s->state=SSL23_ST_CW_CLNT_HELLO_B;
s->init_off=0;
}
static int ssl23_get_server_hello(SSL *s)
{
char buf[8];
unsigned char *p;
int i;
int n;
n=ssl23_read_bytes(s,7);
if (n != 7) return(n);
p=s->packet;
memcpy(buf,p,n);
if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
(p[5] == 0x00) && (p[6] == 0x02))
{
OPENSSL_PUT_ERROR(SSL, ssl23_get_server_hello, SSL_R_UNSUPPORTED_PROTOCOL);
goto err;
}
else if (p[1] == SSL3_VERSION_MAJOR &&
p[2] <= TLS1_2_VERSION_MINOR &&
((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
(p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2)))
{
/* we have sslv3 or tls1 (server hello or alert) */
if ((p[2] == SSL3_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_SSLv3))
{
s->version=SSL3_VERSION;
s->method=SSLv3_client_method();
}
else if ((p[2] == TLS1_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_TLSv1))
{
s->version=TLS1_VERSION;
s->method=TLSv1_client_method();
}
else if ((p[2] == TLS1_1_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_TLSv1_1))
{
s->version=TLS1_1_VERSION;
s->method=TLSv1_1_client_method();
}
else if ((p[2] == TLS1_2_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_TLSv1_2))
{
s->version=TLS1_2_VERSION;
s->method=TLSv1_2_client_method();
}
else
{
OPENSSL_PUT_ERROR(SSL, ssl23_get_server_hello, SSL_R_UNSUPPORTED_PROTOCOL);
goto err;
}
if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
{
/* fatal alert */
void (*cb)(const SSL *ssl,int type,int val)=NULL;
int j;
if (s->info_callback != NULL)
cb=s->info_callback;
else if (s->ctx->info_callback != NULL)
cb=s->ctx->info_callback;
i=p[5];
if (cb != NULL)
{
j=(i<<8)|p[6];
cb(s,SSL_CB_READ_ALERT,j);
}
if (s->msg_callback)
{
s->msg_callback(0, s->version, SSL3_RT_HEADER, p, 5, s, s->msg_callback_arg);
s->msg_callback(0, s->version, SSL3_RT_ALERT, p+5, 2, s, s->msg_callback_arg);
}
s->rwstate=SSL_NOTHING;
OPENSSL_PUT_ERROR(SSL, ssl23_get_server_hello, SSL_AD_REASON_OFFSET + p[6]);
goto err;
}
if (!ssl_init_wbio_buffer(s,1)) goto err;
/* we are in this state */
s->state=SSL3_ST_CR_SRVR_HELLO_A;
/* put the 7 bytes we have read into the input buffer
* for SSLv3 */
s->rstate=SSL_ST_READ_HEADER;
s->packet_length=n;
if (s->s3->rbuf.buf == NULL)
if (!ssl3_setup_read_buffer(s))
goto err;
s->packet= &(s->s3->rbuf.buf[0]);
memcpy(s->packet,buf,n);
s->s3->rbuf.left=n;
s->s3->rbuf.offset=0;
s->handshake_func=s->method->ssl_connect;
}
else
{
OPENSSL_PUT_ERROR(SSL, ssl23_get_server_hello, SSL_R_UNKNOWN_PROTOCOL);
goto err;
}
s->init_num=0;
/* If there was no session to resume, now that the final version is
* determined, insert a fresh one. */
if (s->session == NULL && !ssl_get_new_session(s,0))
goto err;
return(SSL_connect(s));
err:
return(-1);
}
static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
/* The short record header extension is incompatible with early data. */
if (ssl->s3->skip_early_data && ssl->s3->short_header) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
return ssl_hs_error;
}
SSL_CLIENT_HELLO client_hello;
if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
ssl->init_num)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return ssl_hs_error;
}
/* Negotiate the cipher suite. */
ssl->s3->tmp.new_cipher = choose_tls13_cipher(ssl, &client_hello);
if (ssl->s3->tmp.new_cipher == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return ssl_hs_error;
}
/* Decode the ticket if we agree on a PSK key exchange mode. */
uint8_t alert = SSL_AD_DECODE_ERROR;
SSL_SESSION *session = NULL;
CBS pre_shared_key, binders;
if (hs->accept_psk_mode &&
ssl_client_hello_get_extension(&client_hello, &pre_shared_key,
TLSEXT_TYPE_pre_shared_key)) {
/* Verify that the pre_shared_key extension is the last extension in
* ClientHello. */
if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
client_hello.extensions + client_hello.extensions_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}
if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &session, &binders,
&alert, &pre_shared_key)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
}
if (session != NULL &&
!ssl_session_is_resumable(ssl, session)) {
SSL_SESSION_free(session);
session = NULL;
}
/* Set up the new session, either using the original one as a template or
* creating a fresh one. */
if (session == NULL) {
if (!ssl_get_new_session(hs, 1 /* server */)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
ssl->s3->new_session->cipher = ssl->s3->tmp.new_cipher;
/* On new sessions, stash the SNI value in the session. */
if (hs->hostname != NULL) {
OPENSSL_free(ssl->s3->new_session->tlsext_hostname);
ssl->s3->new_session->tlsext_hostname = BUF_strdup(hs->hostname);
if (ssl->s3->new_session->tlsext_hostname == NULL) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
}
} else {
/* Check the PSK binder. */
if (!tls13_verify_psk_binder(ssl, session, &binders)) {
SSL_SESSION_free(session);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
return ssl_hs_error;
}
/* Only authentication information carries over in TLS 1.3. */
ssl->s3->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
if (ssl->s3->new_session == NULL) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
ssl->s3->session_reused = 1;
SSL_SESSION_free(session);
/* Resumption incorporates fresh key material, so refresh the timeout. */
ssl_session_renew_timeout(ssl, ssl->s3->new_session,
ssl->initial_ctx->session_psk_dhe_timeout);
}
if (ssl->ctx->dos_protection_cb != NULL &&
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
/* Connection rejected for DOS reasons. */
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
* deferred. Complete it now. */
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
/* The PRF hash is now known. Set up the key schedule and hash the
* ClientHello. */
size_t hash_len =
EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
if (!tls13_init_key_schedule(hs) ||
!ssl_hash_current_message(ssl)) {
return ssl_hs_error;
}
/* Incorporate the PSK into the running secret. */
if (ssl->s3->session_reused) {
if (!tls13_advance_key_schedule(hs, ssl->s3->new_session->master_key,
ssl->s3->new_session->master_key_length)) {
return ssl_hs_error;
}
} else if (!tls13_advance_key_schedule(hs, kZeroes, hash_len)) {
return ssl_hs_error;
}
ssl->method->received_flight(ssl);
/* Resolve ECDHE and incorporate it into the secret. */
int need_retry;
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
if (need_retry) {
hs->tls13_state = state_send_hello_retry_request;
return ssl_hs_ok;
}
return ssl_hs_error;
}
hs->tls13_state = state_send_server_hello;
return ssl_hs_ok;
}
static int ssl23_get_server_hello(SSL *s)
{
unsigned char buf[8];
unsigned char *p;
int i;
int n;
n = ssl23_read_bytes(s, 7);
if (n != 7)
return (n);
p = RECORD_LAYER_get_packet(&s->rlayer);
memcpy(buf, p, n);
if (p[1] == SSL3_VERSION_MAJOR &&
p[2] <= TLS1_2_VERSION_MINOR &&
((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
(p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) {
/* we have sslv3 or tls1 (server hello or alert) */
#ifndef OPENSSL_NO_SSL3
if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) {
if (FIPS_mode()) {
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
goto err;
}
s->version = SSL3_VERSION;
s->method = SSLv3_client_method();
} else
#endif
if ((p[2] == TLS1_VERSION_MINOR) && !(s->options & SSL_OP_NO_TLSv1)) {
s->version = TLS1_VERSION;
s->method = TLSv1_client_method();
} else if ((p[2] == TLS1_1_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_TLSv1_1)) {
s->version = TLS1_1_VERSION;
s->method = TLSv1_1_client_method();
} else if ((p[2] == TLS1_2_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_TLSv1_2)) {
s->version = TLS1_2_VERSION;
s->method = TLSv1_2_client_method();
} else {
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
goto err;
}
/* ensure that TLS_MAX_VERSION is up-to-date */
OPENSSL_assert(s->version <= TLS_MAX_VERSION);
if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_VERSION_TOO_LOW);
goto err;
}
if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) {
/* fatal alert */
void (*cb) (const SSL *ssl, int type, int val) = NULL;
int j;
if (s->info_callback != NULL)
cb = s->info_callback;
else if (s->ctx->info_callback != NULL)
cb = s->ctx->info_callback;
i = p[5];
if (cb != NULL) {
j = (i << 8) | p[6];
cb(s, SSL_CB_READ_ALERT, j);
}
if (s->msg_callback) {
s->msg_callback(0, s->version, SSL3_RT_HEADER, p, 5, s,
s->msg_callback_arg);
s->msg_callback(0, s->version, SSL3_RT_ALERT, p + 5, 2, s,
s->msg_callback_arg);
}
s->rwstate = SSL_NOTHING;
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_AD_REASON_OFFSET + p[6]);
goto err;
}
if (!ssl_init_wbio_buffer(s, 1))
goto err;
/* we are in this state */
s->state = SSL3_ST_CR_SRVR_HELLO_A;
/*
* put the 7 bytes we have read into the input buffer for SSLv3
*/
if (!RECORD_LAYER_set_data(&s->rlayer, buf, n))
goto err;
s->handshake_func = s->method->ssl_connect;
} else {
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL);
goto err;
}
s->init_num = 0;
/*
* Since, if we are sending a ssl23 client hello, we are not reusing a
* session-id
*/
if (!ssl_get_new_session(s, 0))
goto err;
return (SSL_connect(s));
err:
return (-1);
}
static int ssl23_client_hello(SSL *s)
{
uint8_t *buf;
uint8_t *p, *d;
unsigned long l;
int version = 0, version_major, version_minor;
int ret, al;
unsigned long mask, options = s->options;
size_t outlen;
/*
* SSL_OP_NO_X disables all protocols above X *if* there are
* some protocols below X enabled. This is required in order
* to maintain "version capability" vector contiguous. So
* that if application wants to disable TLS1.0 in favour of
* TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
* answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
*/
mask = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1 | SSL_OP_NO_SSLv3;
version = TLS1_2_VERSION;
if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
version = TLS1_1_VERSION;
mask &= ~SSL_OP_NO_TLSv1_1;
if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
version = TLS1_VERSION;
mask &= ~SSL_OP_NO_TLSv1;
buf = (uint8_t *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
/*
* Since we're sending s23 client hello, we're not reusing a session, as
* we'd be using the method from the saved session instead
*/
if (!ssl_get_new_session(s, 0)) {
return -1;
}
p = s->s3->client_random;
if (ssl_fill_hello_random(s, p, SSL3_RANDOM_SIZE) <= 0) {
SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
}
if (version == TLS1_2_VERSION) {
version_major = TLS1_2_VERSION_MAJOR;
version_minor = TLS1_2_VERSION_MINOR;
} else if (tls1_suiteb(s)) {
SSLerr(SSL_F_SSL23_CLIENT_HELLO,
SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
return -1;
} else if (version == TLS1_1_VERSION) {
version_major = TLS1_1_VERSION_MAJOR;
version_minor = TLS1_1_VERSION_MINOR;
} else if (version == TLS1_VERSION) {
version_major = TLS1_VERSION_MAJOR;
version_minor = TLS1_VERSION_MINOR;
} else {
SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE);
return (-1);
}
s->client_version = version;
/* create Client Hello in SSL 3.0/TLS 1.0 format */
/*
* Do the record header (5 bytes) and handshake
* message header (4 bytes) last
*/
d = p = &(buf[SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH]);
*(p++) = version_major;
*(p++) = version_minor;
/* Random stuff */
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
/* Session ID (zero since there is no reuse) */
*(p++) = 0;
/* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2],
buf - &p[2] + SSL3_RT_MAX_PLAIN_LENGTH,
&outlen))
return -1;
if (outlen == 0) {
SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
return -1;
}
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
/*
* Some servers hang if client hello > 256 bytes
* as hack workaround chop number of supported ciphers
* to keep it well below this if we use TLS v1.2
*/
if (TLS1_get_version(s) >= TLS1_2_VERSION && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
#endif
s2n(outlen, p);
p += outlen;
/* add in (no) COMPRESSION */
*(p++) = 1;
/* Add the NULL method */
*(p++) = 0;
/* TLS extensions*/
if (ssl_prepare_clienthello_tlsext(s) <= 0) {
SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
return -1;
}
p = ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
&al);
if (p == NULL) {
ssl3_send_alert(s, SSL3_AL_FATAL, al);
SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
}
l = p - d;
/* fill in 4-byte handshake header */
d = &(buf[SSL3_RT_HEADER_LENGTH]);
*(d++) = SSL3_MT_CLIENT_HELLO;
l2n3(l, d);
l += 4;
if (l > SSL3_RT_MAX_PLAIN_LENGTH) {
SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
}
/* fill in 5-byte record header */
d = buf;
*(d++) = SSL3_RT_HANDSHAKE;
*(d++) = version_major;
/*
* Some servers hang if we use long client hellos
* and a record number > TLS 1.0.
*/
if (TLS1_get_client_version(s) > TLS1_VERSION)
*(d++) = 1;
else
*(d++) = version_minor;
s2n((int)l, d);
/* number of bytes to write */
s->init_num = p - buf;
s->init_off = 0;
tls1_finish_mac(s, &(buf[SSL3_RT_HEADER_LENGTH]),
s->init_num - SSL3_RT_HEADER_LENGTH);
s->state = SSL23_ST_CW_CLNT_HELLO_B;
s->init_off = 0;
}
/* SSL3_ST_CW_CLNT_HELLO_B */
ret = ssl23_write_bytes(s);
if ((ret >= 2) && s->msg_callback) {
/* Client Hello has been sent; tell msg_callback */
s->msg_callback(1, version, SSL3_RT_HEADER, s->init_buf->data, 5, s,
s->msg_callback_arg);
s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data + 5,
ret - 5, s, s->msg_callback_arg);
}
return ret;
}
static enum ssl_hs_wait_t do_process_client_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
return ssl_hs_error;
}
struct ssl_early_callback_ctx client_hello;
if (!ssl_early_callback_init(ssl, &client_hello, ssl->init_msg,
ssl->init_num)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return ssl_hs_error;
}
assert(ssl->s3->have_version);
/* Load the client random. */
if (client_hello.random_len != SSL3_RANDOM_SIZE) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return -1;
}
memcpy(ssl->s3->client_random, client_hello.random, client_hello.random_len);
uint8_t alert = SSL_AD_DECODE_ERROR;
SSL_SESSION *session = NULL;
CBS pre_shared_key;
if (ssl_early_callback_get_extension(&client_hello, &pre_shared_key,
TLSEXT_TYPE_pre_shared_key) &&
!ssl_ext_pre_shared_key_parse_clienthello(ssl, &session, &alert,
&pre_shared_key)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return 0;
}
uint16_t resumption_cipher;
if (session != NULL &&
/* We currently only support ECDHE-PSK resumption. */
((session->ticket_flags & SSL_TICKET_ALLOW_DHE_RESUMPTION) == 0 ||
/* Only resume if the session's version matches. */
session->ssl_version != ssl->version ||
!ssl_cipher_get_ecdhe_psk_cipher(session->cipher, &resumption_cipher) ||
!ssl_client_cipher_list_contains_cipher(&client_hello,
resumption_cipher))) {
SSL_SESSION_free(session);
session = NULL;
}
if (session == NULL) {
if (!ssl_get_new_session(ssl, 1 /* server */)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
} else {
/* Only authentication information carries over in TLS 1.3. */
ssl->s3->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
if (ssl->s3->new_session == NULL) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
ssl->s3->session_reused = 1;
SSL_SESSION_free(session);
}
if (ssl->ctx->dos_protection_cb != NULL &&
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
/* Connection rejected for DOS reasons. */
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
/* TLS 1.3 requires the peer only advertise the null compression. */
if (client_hello.compression_methods_len != 1 ||
client_hello.compression_methods[0] != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}
/* TLS extensions. */
if (!ssl_parse_clienthello_tlsext(ssl, &client_hello)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
return ssl_hs_error;
}
hs->state = state_select_parameters;
return ssl_hs_ok;
}
static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
SSL_CLIENT_HELLO client_hello;
if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
ssl->init_num)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return ssl_hs_error;
}
uint8_t alert = SSL_AD_DECODE_ERROR;
SSL_SESSION *session = NULL;
switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew,
&client_hello)) {
case ssl_ticket_aead_ignore_ticket:
assert(session == NULL);
if (!ssl_get_new_session(hs, 1 /* server */)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
break;
case ssl_ticket_aead_success:
/* Carry over authentication information from the previous handshake into
* a fresh session. */
hs->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
if (/* Early data must be acceptable for this ticket. */
ssl->cert->enable_early_data &&
session->ticket_max_early_data != 0 &&
/* The client must have offered early data. */
hs->early_data_offered &&
/* Channel ID is incompatible with 0-RTT. */
!ssl->s3->tlsext_channel_id_valid &&
/* The negotiated ALPN must match the one in the ticket. */
ssl->s3->alpn_selected_len == session->early_alpn_len &&
OPENSSL_memcmp(ssl->s3->alpn_selected, session->early_alpn,
ssl->s3->alpn_selected_len) == 0) {
ssl->early_data_accepted = 1;
}
SSL_SESSION_free(session);
if (hs->new_session == NULL) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
ssl->s3->session_reused = 1;
/* Resumption incorporates fresh key material, so refresh the timeout. */
ssl_session_renew_timeout(ssl, hs->new_session,
ssl->session_ctx->session_psk_dhe_timeout);
break;
case ssl_ticket_aead_error:
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
case ssl_ticket_aead_retry:
hs->tls13_state = state_select_session;
return ssl_hs_pending_ticket;
}
/* Record connection properties in the new session. */
hs->new_session->cipher = hs->new_cipher;
if (hs->hostname != NULL) {
OPENSSL_free(hs->new_session->tlsext_hostname);
hs->new_session->tlsext_hostname = BUF_strdup(hs->hostname);
if (hs->new_session->tlsext_hostname == NULL) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
}
/* Store the initial negotiated ALPN in the session. */
if (ssl->s3->alpn_selected != NULL) {
hs->new_session->early_alpn =
BUF_memdup(ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
if (hs->new_session->early_alpn == NULL) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len;
}
if (ssl->ctx->dos_protection_cb != NULL &&
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
/* Connection rejected for DOS reasons. */
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
/* Incorporate the PSK into the running secret. */
if (ssl->s3->session_reused) {
if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
hs->new_session->master_key_length)) {
return ssl_hs_error;
}
} else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) {
return ssl_hs_error;
}
if (ssl->early_data_accepted) {
if (!tls13_derive_early_secrets(hs)) {
return ssl_hs_error;
}
} else if (hs->early_data_offered) {
ssl->s3->skip_early_data = 1;
}
ssl->method->received_flight(ssl);
/* Resolve ECDHE and incorporate it into the secret. */
int need_retry;
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
if (need_retry) {
ssl->early_data_accepted = 0;
ssl->s3->skip_early_data = 1;
hs->tls13_state = state_send_hello_retry_request;
return ssl_hs_ok;
}
return ssl_hs_error;
}
hs->tls13_state = state_send_server_hello;
return ssl_hs_ok;
}
static int
ssl23_client_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p, *d;
int i;
unsigned long l;
int version = 0, version_major, version_minor;
#ifndef OPENSSL_NO_COMP
int j;
SSL_COMP *comp;
#endif
int ret;
unsigned long mask, options = s->options;
/*
* SSL_OP_NO_X disables all protocols above X *if* there are
* some protocols below X enabled. This is required in order
* to maintain "version capability" vector contiguous. So
* that if application wants to disable TLS1.0 in favour of
* TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
* answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
*/
mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3;
#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
version = TLS1_2_VERSION;
if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
version = TLS1_1_VERSION;
#else
version = TLS1_1_VERSION;
#endif
mask &= ~SSL_OP_NO_TLSv1_1;
if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
version = TLS1_VERSION;
mask &= ~SSL_OP_NO_TLSv1;
if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
version = SSL3_VERSION;
mask &= ~SSL_OP_NO_SSLv3;
buf = (unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
#if 0
/* don't reuse session-id's */
if (!ssl_get_new_session(s, 0)) {
return (-1);
}
#endif
p = s->s3->client_random;
if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
return -1;
if (version == TLS1_2_VERSION) {
version_major = TLS1_2_VERSION_MAJOR;
version_minor = TLS1_2_VERSION_MINOR;
} else if (version == TLS1_1_VERSION) {
version_major = TLS1_1_VERSION_MAJOR;
version_minor = TLS1_1_VERSION_MINOR;
} else if (version == TLS1_VERSION) {
version_major = TLS1_VERSION_MAJOR;
version_minor = TLS1_VERSION_MINOR;
} else if (version == SSL3_VERSION) {
version_major = SSL3_VERSION_MAJOR;
version_minor = SSL3_VERSION_MINOR;
} else {
SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE);
return (-1);
}
s->client_version = version;
/* create Client Hello in SSL 3.0/TLS 1.0 format */
/*
* Do the record header (5 bytes) and handshake
* message header (4 bytes) last
*/
d = p = &(buf[9]);
*(p++) = version_major;
*(p++) = version_minor;
/* Random stuff */
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
/* Session ID (zero since there is no reuse) */
*(p++) = 0;
/* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]),
ssl3_put_cipher_by_char);
if (i == 0) {
SSLerr(SSL_F_SSL23_CLIENT_HELLO,
SSL_R_NO_CIPHERS_AVAILABLE);
return -1;
}
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
/*
* Some servers hang if client hello > 256 bytes
* as hack workaround chop number of supported ciphers
* to keep it well below this if we use TLS v1.2
*/
if (TLS1_get_version(s) >= TLS1_2_VERSION &&
i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
#endif
s2n(i, p);
p += i;
/* COMPRESSION */
#ifdef OPENSSL_NO_COMP
*(p++) = 1;
#else
if ((s->options & SSL_OP_NO_COMPRESSION) ||
!s->ctx->comp_methods)
j = 0;
else
j = sk_SSL_COMP_num(s->ctx->comp_methods);
*(p++) = 1 + j;
for (i = 0; i < j; i++) {
comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
*(p++) = comp->id;
}
#endif
/* Add the NULL method */
*(p++) = 0;
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (ssl_prepare_clienthello_tlsext(s) <= 0) {
SSLerr(SSL_F_SSL23_CLIENT_HELLO,
SSL_R_CLIENTHELLO_TLSEXT);
return -1;
}
if ((p = ssl_add_clienthello_tlsext(s, p,
buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
}
#endif
l = p - d;
/* fill in 4-byte handshake header */
d = &(buf[5]);
*(d++) = SSL3_MT_CLIENT_HELLO;
l2n3(l, d);
l += 4;
if (l > SSL3_RT_MAX_PLAIN_LENGTH) {
SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
}
/* fill in 5-byte record header */
d = buf;
*(d++) = SSL3_RT_HANDSHAKE;
*(d++) = version_major;
/*
* Some servers hang if we use long client hellos
* and a record number > TLS 1.0.
*/
if (TLS1_get_client_version(s) > TLS1_VERSION)
*(d++) = 1;
else
*(d++) = version_minor;
s2n((int)l, d);
/* number of bytes to write */
s->init_num = p - buf;
s->init_off = 0;
ssl3_finish_mac(s, &(buf[5]), s->init_num - 5);
s->state = SSL23_ST_CW_CLNT_HELLO_B;
s->init_off = 0;
}
/* SSL3_ST_CW_CLNT_HELLO_B */
ret = ssl23_write_bytes(s);
if ((ret >= 2) && s->msg_callback) {
/* Client Hello has been sent; tell msg_callback */
s->msg_callback(1, version, SSL3_RT_HANDSHAKE,
s->init_buf->data + 5, ret - 5, s, s->msg_callback_arg);
}
return ret;
}
int
dtls1_client_hello(SSL *s)
{
unsigned char *bufend, *d, *p;
unsigned int i;
if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
SSL_SESSION *sess = s->session;
if ((s->session == NULL) ||
(s->session->ssl_version != s->version) ||
(!sess->session_id_length && !sess->tlsext_tick) ||
(s->session->not_resumable)) {
if (!ssl_get_new_session(s, 0))
goto err;
}
/* else use the pre-loaded session */
p = s->s3->client_random;
/* if client_random is initialized, reuse it, we are
* required to use same upon reply to HelloVerify */
for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)
;
if (i == sizeof(s->s3->client_random))
arc4random_buf(p, sizeof(s->s3->client_random));
d = p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_HELLO);
*(p++) = s->version >> 8;
*(p++) = s->version&0xff;
s->client_version = s->version;
/* Random stuff */
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
/* Session ID */
if (s->new_session)
i = 0;
else
i = s->session->session_id_length;
*(p++) = i;
if (i != 0) {
if (i > sizeof s->session->session_id) {
SSLerr(SSL_F_DTLS1_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
goto err;
}
memcpy(p, s->session->session_id, i);
p += i;
}
/* cookie stuff */
if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
*(p++) = s->d1->cookie_len;
memcpy(p, s->d1->cookie, s->d1->cookie_len);
p += s->d1->cookie_len;
/* Ciphers supported */
i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2]);
if (i == 0) {
SSLerr(SSL_F_DTLS1_CLIENT_HELLO,
SSL_R_NO_CIPHERS_AVAILABLE);
goto err;
}
s2n(i, p);
p += i;
/* add in (no) COMPRESSION */
*(p++) = 1;
*(p++) = 0; /* Add the NULL method */
bufend = (unsigned char *)s->init_buf->data +
SSL3_RT_MAX_PLAIN_LENGTH;
if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) {
SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
ssl3_handshake_msg_finish(s, p - d);
s->state = SSL3_ST_CW_CLNT_HELLO_B;
}
