Partial workaround for PR#2771.

[openssl.git] / ssl / s23_clnt.c
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c

index 78c39d9af558bf1137a52017f33aad913cc4cccc..299af0f03a85095f99b0a16c9a4f3424ee89d096 100644 (file)
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -129,6 +129,10 @@ static const SSL_METHOD *ssl23_get_client_method(int ver)
                 return(SSLv3_client_method());
         else if (ver == TLS1_VERSION)
                 return(TLSv1_client_method());
+       else if (ver == TLS1_1_VERSION)
+               return(TLSv1_1_client_method());
+       else if (ver == TLS1_2_VERSION)
+               return(TLSv1_2_client_method());
         else
                 return(NULL);
         }
@@ -250,21 +254,49 @@ end:
         return(ret);
         }
  
+static int ssl23_no_ssl2_ciphers(SSL *s)
+       {
+       SSL_CIPHER *cipher;
+       STACK_OF(SSL_CIPHER) *ciphers;
+       int i;
+       ciphers = SSL_get_ciphers(s);
+       for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++)
+               {
+               cipher = sk_SSL_CIPHER_value(ciphers, i);
+               if (cipher->algorithm_ssl == SSL_SSLV2)
+                       return 0;
+               }
+       return 1;
+       }
  
  static int ssl23_client_hello(SSL *s)
         {
         unsigned char *buf;
         unsigned char *p,*d;
-       int i,j,ch_len;
+       int i,ch_len;
         unsigned long Time,l;
         int ssl2_compat;
         int version = 0, version_major, version_minor;
+#ifndef OPENSSL_NO_COMP
+       int j;
         SSL_COMP *comp;
+#endif
         int ret;
  
         ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
  
-       if (!(s->options & SSL_OP_NO_TLSv1))
+       if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
+               ssl2_compat = 0;
+
+       if (!(s->options & SSL_OP_NO_TLSv1_2))
+               {
+               version = TLS1_2_VERSION;
+               }
+       else if (!(s->options & SSL_OP_NO_TLSv1_1))
+               {
+               version = TLS1_1_VERSION;
+               }
+       else if (!(s->options & SSL_OP_NO_TLSv1))
                 {
                 version = TLS1_VERSION;
                 }
@@ -276,7 +308,7 @@ static int ssl23_client_hello(SSL *s)
                 {
                 version = SSL2_VERSION;
                 }
-
+#ifndef OPENSSL_NO_TLSEXT
         if (version != SSL2_VERSION)
                 {
                 /* have to disable SSL 2.0 compatibility if we need TLS extensions */
@@ -285,12 +317,12 @@ static int ssl23_client_hello(SSL *s)
                         ssl2_compat = 0;
                 if (s->tlsext_status_type != -1)
                         ssl2_compat = 0;
-               
  #ifdef TLSEXT_TYPE_opaque_prf_input
                 if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
                         ssl2_compat = 0;
  #endif
                 }
+#endif
  
         buf=(unsigned char *)s->init_buf->data;
         if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
@@ -309,11 +341,29 @@ static int ssl23_client_hello(SSL *s)
                 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
                         return -1;
  
-               if (version == TLS1_VERSION)
+               if (version == TLS1_2_VERSION)
+                       {
+                       version_major = TLS1_2_VERSION_MAJOR;
+                       version_minor = TLS1_2_VERSION_MINOR;
+                       }
+               else if (version == TLS1_1_VERSION)
+                       {
+                       version_major = TLS1_1_VERSION_MAJOR;
+                       version_minor = TLS1_1_VERSION_MINOR;
+                       }
+               else if (version == TLS1_VERSION)
                         {
                         version_major = TLS1_VERSION_MAJOR;
                         version_minor = TLS1_VERSION_MINOR;
                         }
+#ifdef OPENSSL_FIPS
+               else if(FIPS_mode())
+                       {
+                       SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+                                       SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                       return -1;
+                       }
+#endif
                 else if (version == SSL3_VERSION)
                         {
                         version_major = SSL3_VERSION_MAJOR;
@@ -367,6 +417,10 @@ static int ssl23_client_hello(SSL *s)
                                 ch_len=SSL2_MAX_CHALLENGE_LENGTH;
  
                         /* write out sslv2 challenge */
+                       /* Note that ch_len must be <= SSL3_RANDOM_SIZE (32),
+                          because it is one of SSL2_MAX_CHALLENGE_LENGTH (32)
+                          or SSL2_MAX_CHALLENGE_LENGTH (16), but leave the
+                          check in for futurproofing */
                         if (SSL3_RANDOM_SIZE < ch_len)
                                 i=SSL3_RANDOM_SIZE;
                         else
@@ -467,8 +521,13 @@ static int ssl23_client_hello(SSL *s)
                         d=buf;
                         *(d++) = SSL3_RT_HANDSHAKE;
                         *(d++) = version_major;
-                       *(d++) = version_minor; /* arguably we should send the *lowest* suported version here
-                                                * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */
+                       /* Some servers hang if we use long client hellos
+                        * and a record number > TLS 1.0.
+                        */
+                       if (TLS1_get_client_version(s) > TLS1_VERSION)
+                               *(d++) = 1;
+                       else
+                               *(d++) = version_minor;
                         s2n((int)l,d);
  
                         /* number of bytes to write */
@@ -543,6 +602,10 @@ static int ssl23_get_server_hello(SSL *s)
                         ch_len=SSL2_MAX_CHALLENGE_LENGTH;
  
                 /* write out sslv2 challenge */
+               /* Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because
+                  it is one of SSL2_MAX_CHALLENGE_LENGTH (32) or
+                  SSL2_MAX_CHALLENGE_LENGTH (16), but leave the check in for
+                  futurproofing */
                 i=(SSL3_RANDOM_SIZE < ch_len)
                         ?SSL3_RANDOM_SIZE:ch_len;
                 s->s2->challenge_length=i;
@@ -580,7 +643,7 @@ static int ssl23_get_server_hello(SSL *s)
  #endif
                 }
         else if (p[1] == SSL3_VERSION_MAJOR &&
-                (p[2] == SSL3_VERSION_MINOR || p[2] == TLS1_VERSION_MINOR) &&
+                p[2] <= TLS1_2_VERSION_MINOR &&
                  ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
                   (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2)))
                 {
@@ -589,6 +652,14 @@ static int ssl23_get_server_hello(SSL *s)
                 if ((p[2] == SSL3_VERSION_MINOR) &&
                         !(s->options & SSL_OP_NO_SSLv3))
                         {
+#ifdef OPENSSL_FIPS
+                       if(FIPS_mode())
+                               {
+                               SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+                                       SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                               goto err;
+                               }
+#endif
                         s->version=SSL3_VERSION;
                         s->method=SSLv3_client_method();
                         }
@@ -598,6 +669,18 @@ static int ssl23_get_server_hello(SSL *s)
                         s->version=TLS1_VERSION;
                         s->method=TLSv1_client_method();
                         }
+               else if ((p[2] == TLS1_1_VERSION_MINOR) &&
+                       !(s->options & SSL_OP_NO_TLSv1_1))
+                       {
+                       s->version=TLS1_1_VERSION;
+                       s->method=TLSv1_1_client_method();
+                       }
+               else if ((p[2] == TLS1_2_VERSION_MINOR) &&
+                       !(s->options & SSL_OP_NO_TLSv1_2))
+                       {
+                       s->version=TLS1_2_VERSION;
+                       s->method=TLSv1_2_client_method();
+                       }
                 else
                         {
                         SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
@@ -640,6 +723,9 @@ static int ssl23_get_server_hello(SSL *s)
                  * for SSLv3 */
                 s->rstate=SSL_ST_READ_HEADER;
                 s->packet_length=n;
+               if (s->s3->rbuf.buf == NULL)
+                       if (!ssl3_setup_read_buffer(s))
+                               goto err;
                 s->packet= &(s->s3->rbuf.buf[0]);
                 memcpy(s->packet,buf,n);
                 s->s3->rbuf.left=n;