int ssl23_get_client_hello(SSL *s);
static const SSL_METHOD *ssl23_get_server_method(int ver)
{
-#ifndef OPENSSL_NO_SSL2
- if (ver == SSL2_VERSION)
- return(SSLv2_server_method());
-#endif
+#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return(SSLv3_server_method());
- else if (ver == TLS1_VERSION)
+#endif
+ if (ver == TLS1_VERSION)
return(TLSv1_server_method());
else if (ver == TLS1_1_VERSION)
return(TLSv1_1_server_method());
+ else if (ver == TLS1_2_VERSION)
+ return(TLSv1_2_server_method());
else
return(NULL);
}
}
if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
{
+ BUF_MEM_free(buf);
ret= -1;
goto end;
}
return(ret);
}
-
int ssl23_get_client_hello(SSL *s)
{
char buf_space[11]; /* Request this many bytes in initial read.
{
v[0]=p[3]; v[1]=p[4];
/* SSLv2 */
- if (!(s->options & SSL_OP_NO_SSLv2))
- type=1;
}
else if (p[3] == SSL3_VERSION_MAJOR)
{
/* SSLv3/TLSv1 */
if (p[4] >= TLS1_VERSION_MINOR)
{
- if (p[4] >= TLS1_1_VERSION_MINOR &&
+ if (p[4] >= TLS1_2_VERSION_MINOR &&
+ !(s->options & SSL_OP_NO_TLSv1_2))
+ {
+ s->version=TLS1_2_VERSION;
+ s->state=SSL23_ST_SR_CLNT_HELLO_B;
+ }
+ else if (p[4] >= TLS1_1_VERSION_MINOR &&
!(s->options & SSL_OP_NO_TLSv1_1))
{
s->version=TLS1_1_VERSION;
+ /* type=2; */ /* done later to survive restarts */
s->state=SSL23_ST_SR_CLNT_HELLO_B;
}
else if (!(s->options & SSL_OP_NO_TLSv1))
/* type=2; */
s->state=SSL23_ST_SR_CLNT_HELLO_B;
}
- else if (!(s->options & SSL_OP_NO_SSLv2))
- {
- type=1;
- }
}
else if (!(s->options & SSL_OP_NO_SSLv3))
{
/* type=2; */
s->state=SSL23_ST_SR_CLNT_HELLO_B;
}
- else if (!(s->options & SSL_OP_NO_SSLv2))
- type=1;
-
}
}
+ /* p[4] < 5 ... silly record length? */
else if ((p[0] == SSL3_RT_HANDSHAKE) &&
(p[1] == SSL3_VERSION_MAJOR) &&
(p[5] == SSL3_MT_CLIENT_HELLO) &&
- ((p[3] == 0 && p[4] < 5 /* silly record length? */)
+ ((p[3] == 0 && p[4] < 5)
|| (p[9] >= p[1])))
{
/*
* Client Hello message, this would be difficult, and we'd have
* to read more records to find out.
* No known SSL 3.0 client fragments ClientHello like this,
- * so we simply assume TLS 1.0 to avoid protocol version downgrade
- * attacks. */
+ * so we simply reject such connections to avoid
+ * protocol version downgrade attacks. */
if (p[3] == 0 && p[4] < 6)
{
-#if 0
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
goto err;
-#else
- v[1] = TLS1_VERSION_MINOR;
-#endif
}
/* if major version number > 3 set minor to a value
* which will use the highest version 3 we support.
* If TLS 2.0 ever appears we will need to revise
* this....
*/
- else if (p[9] > SSL3_VERSION_MAJOR)
+ if (p[9] > SSL3_VERSION_MAJOR)
v[1]=0xff;
else
v[1]=p[10]; /* minor version according to client_version */
if (v[1] >= TLS1_VERSION_MINOR)
{
- if (v[1] >= TLS1_1_VERSION_MINOR &&
+ if (v[1] >= TLS1_2_VERSION_MINOR &&
+ !(s->options & SSL_OP_NO_TLSv1_2))
+ {
+ s->version=TLS1_2_VERSION;
+ type=3;
+ }
+ else if (v[1] >= TLS1_1_VERSION_MINOR &&
!(s->options & SSL_OP_NO_TLSv1_1))
{
s->version=TLS1_1_VERSION;
}
}
+ /* ensure that TLS_MAX_VERSION is up-to-date */
+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
+
+ if (s->version < TLS1_2_VERSION && tls1_suiteb(s))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
+ goto err;
+ }
+
+ if (FIPS_mode() && (s->version < TLS1_VERSION))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ goto err;
+ }
+
+ if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_VERSION_TOO_LOW);
+ goto err;
+ }
+
if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
{
/* we have SSLv3/TLSv1 in an SSLv2 header
v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
v[1] = p[4];
+ /*-
+ * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
+ * header is sent directly on the wire, not wrapped as a TLS
+ * record. It's format is:
+ * Byte Content
+ * 0-1 msg_length
+ * 2 msg_type
+ * 3-4 version
+ * 5-6 cipher_spec_length
+ * 7-8 session_id_length
+ * 9-10 challenge_length
+ * ... ...
+ */
n=((p[0]&0x7f)<<8)|p[1];
if (n > (1024*4))
{
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
goto err;
}
+ if (n < 9)
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
+ goto err;
+ }
j=ssl23_read_bytes(s,n+2);
+ /* We previously read 11 bytes, so if j > 0, we must have
+ * j == n+2 == s->packet_length. We have at least 11 valid
+ * packet bytes. */
if (j <= 0) return(j);
ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
+
+ /* CLIENT-HELLO */
if (s->msg_callback)
- s->msg_callback(0, SSL2_VERSION, 0, s->packet+2, s->packet_length-2, s, s->msg_callback_arg); /* CLIENT-HELLO */
+ s->msg_callback(0, SSL2_VERSION, 0, s->packet+2, s->packet_length-2, s, s->msg_callback_arg);
p=s->packet;
p+=5;
/* imaginary new state (for program structure): */
/* s->state = SSL23_SR_CLNT_HELLO_C */
- if (type == 1)
+ if ((type == 2) || (type == 3))
{
-#ifdef OPENSSL_NO_SSL2
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
- goto err;
-#else
- if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
- {
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
- goto err;
- }
- /* we are talking sslv2 */
- /* we need to clean up the SSLv3/TLSv1 setup and put in the
- * sslv2 stuff. */
-
- if (s->s2 == NULL)
- {
- if (!ssl2_new(s))
- goto err;
- }
- else
- ssl2_clear(s);
-
- if (s->s3 != NULL) ssl3_free(s);
-
- if (!BUF_MEM_grow_clean(s->init_buf,
- SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
+ /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+ const SSL_METHOD *new_method;
+ new_method = ssl23_get_server_method(s->version);
+ if (new_method == NULL)
{
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
goto err;
}
-
- s->state=SSL2_ST_GET_CLIENT_HELLO_A;
- if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
- s->s2->ssl2_rollback=0;
- else
- /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
- * (SSL 3.0 draft/RFC 2246, App. E.2) */
- s->s2->ssl2_rollback=1;
-
- /* setup the n bytes we have read so we get them from
- * the sslv2 buffer */
- s->rstate=SSL_ST_READ_HEADER;
- s->packet_length=n;
- s->packet= &(s->s2->rbuf[0]);
- memcpy(s->packet,buf,n);
- s->s2->rbuf_left=n;
- s->s2->rbuf_offs=0;
-
- s->method=SSLv2_server_method();
- s->handshake_func=s->method->ssl_accept;
-#endif
- }
-
- if ((type == 2) || (type == 3))
- {
- /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+ s->method = new_method;
if (!ssl_init_wbio_buffer(s,1)) goto err;
s->s3->rbuf.left=0;
s->s3->rbuf.offset=0;
}
-
- if (s->version == TLS1_1_VERSION)
- s->method = TLSv1_1_server_method();
- else if (s->version == TLS1_VERSION)
- s->method = TLSv1_server_method();
- else
- s->method = SSLv3_server_method();
#if 0 /* ssl3_get_client_hello does this */
s->client_version=(v[0]<<8)|v[1];
#endif
s->handshake_func=s->method->ssl_accept;
}
-
- if ((type < 1) || (type > 3))
+ else
{
/* bad, very bad */
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNKNOWN_PROTOCOL);
projects / openssl.git / blobdiff