summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2017-01-26 05:31:25 +0000
committerjsing <>2017-01-26 05:31:25 +0000
commit7ba6d48018c99e9b4a6d3f810b4c03e4365bdebd (patch)
tree4e54623d2ff33c8bd1295cf166bf8253188d9d34
parentfdf235a2a4a2ffd3c42bc4f501e4a86848af719c (diff)
downloadopenbsd-7ba6d48018c99e9b4a6d3f810b4c03e4365bdebd.tar.gz
openbsd-7ba6d48018c99e9b4a6d3f810b4c03e4365bdebd.tar.bz2
openbsd-7ba6d48018c99e9b4a6d3f810b4c03e4365bdebd.zip
Merge the client/server version negotiation into the existing (currently
fixed version) client/server code. ok beck@
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/Makefile7
-rw-r--r--src/lib/libssl/d1_clnt.c5
-rw-r--r--src/lib/libssl/d1_srvr.c5
-rw-r--r--src/lib/libssl/s23_clnt.c452
-rw-r--r--src/lib/libssl/s23_lib.c132
-rw-r--r--src/lib/libssl/s23_pkt.c116
-rw-r--r--src/lib/libssl/s23_srvr.c466
-rw-r--r--src/lib/libssl/s3_both.c18
-rw-r--r--src/lib/libssl/s3_clnt.c36
-rw-r--r--src/lib/libssl/s3_pkt.c11
-rw-r--r--src/lib/libssl/s3_srvr.c25
-rw-r--r--src/lib/libssl/ssl_locl.h9
-rw-r--r--src/lib/libssl/ssl_packet.c278
-rw-r--r--src/lib/libssl/t1_clnt.c22
-rw-r--r--src/lib/libssl/t1_meth.c20
-rw-r--r--src/lib/libssl/t1_srvr.c22
16 files changed, 395 insertions, 1229 deletions
diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile
index 2e90b02054..7321c0d114 100644
--- a/src/lib/libssl/Makefile
+++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.27 2016/11/05 15:32:19 schwarze Exp $ 1# $OpenBSD: Makefile,v 1.28 2017/01/26 05:31:25 jsing Exp $
2 2
3.include <bsd.own.mk> 3.include <bsd.own.mk>
4.ifndef NOMAN 4.ifndef NOMAN
@@ -23,9 +23,8 @@ LDADD+= -L${BSDOBJDIR}/lib/libcrypto -lcrypto
23VERSION_SCRIPT= Symbols.map 23VERSION_SCRIPT= Symbols.map
24SYMBOL_LIST= ${.CURDIR}/Symbols.list 24SYMBOL_LIST= ${.CURDIR}/Symbols.list
25 25
26SRCS=\ 26SRCS= \
27 s3_srvr.c s3_clnt.c s3_lib.c s3_pkt.c s3_both.c \ 27 s3_srvr.c s3_clnt.c s3_lib.c s3_pkt.c s3_both.c \
28 s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
29 t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \ 28 t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
30 d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \ 29 d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \
31 d1_both.c d1_enc.c d1_srtp.c \ 30 d1_both.c d1_enc.c d1_srtp.c \
@@ -33,7 +32,7 @@ SRCS=\
33 ssl_ciph.c ssl_stat.c ssl_rsa.c \ 32 ssl_ciph.c ssl_stat.c ssl_rsa.c \
34 ssl_asn1.c ssl_txt.c ssl_algs.c \ 33 ssl_asn1.c ssl_txt.c ssl_algs.c \
35 bio_ssl.c ssl_err.c t1_reneg.c \ 34 bio_ssl.c ssl_err.c t1_reneg.c \
36 pqueue.c 35 ssl_packet.c pqueue.c
37SRCS+= s3_cbc.c 36SRCS+= s3_cbc.c
38SRCS+= bs_ber.c bs_cbb.c bs_cbs.c 37SRCS+= bs_ber.c bs_cbb.c bs_cbs.c
39 38
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 6b5510c1e3..5f8b56ebed 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_clnt.c,v 1.69 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: d1_clnt.c,v 1.70 2017/01/26 05:31:25 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -127,7 +127,6 @@
127 127
128#include "bytestring.h" 128#include "bytestring.h"
129 129
130static const SSL_METHOD *dtls1_get_client_method(int ver);
131static int dtls1_get_hello_verify(SSL *s); 130static int dtls1_get_hello_verify(SSL *s);
132 131
133static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = { 132static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = {
@@ -170,7 +169,7 @@ DTLSv1_client_method(void)
170 return &DTLSv1_client_method_data; 169 return &DTLSv1_client_method_data;
171} 170}
172 171
173static const SSL_METHOD * 172const SSL_METHOD *
174dtls1_get_client_method(int ver) 173dtls1_get_client_method(int ver)
175{ 174{
176 if (ver == DTLS1_VERSION) 175 if (ver == DTLS1_VERSION)
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 1787412bf5..1be0e4b596 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.79 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.80 2017/01/26 05:31:25 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -125,7 +125,6 @@
125#include <openssl/objects.h> 125#include <openssl/objects.h>
126#include <openssl/x509.h> 126#include <openssl/x509.h>
127 127
128static const SSL_METHOD *dtls1_get_server_method(int ver);
129static int dtls1_send_hello_verify_request(SSL *s); 128static int dtls1_send_hello_verify_request(SSL *s);
130 129
131static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = { 130static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {
@@ -168,7 +167,7 @@ DTLSv1_server_method(void)
168 return &DTLSv1_server_method_data; 167 return &DTLSv1_server_method_data;
169} 168}
170 169
171static const SSL_METHOD * 170const SSL_METHOD *
172dtls1_get_server_method(int ver) 171dtls1_get_server_method(int ver)
173{ 172{
174 if (ver == DTLS1_VERSION) 173 if (ver == DTLS1_VERSION)
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
deleted file mode 100644
index 4a7641b818..0000000000
--- a/src/lib/libssl/s23_clnt.c
+++ /dev/null
@@ -1,452 +0,0 @@
1/* $OpenBSD: s23_clnt.c,v 1.57 2017/01/25 10:54:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <stdio.h>
113
114#include "ssl_locl.h"
115
116#include <openssl/buffer.h>
117#include <openssl/evp.h>
118#include <openssl/objects.h>
119
120static int ssl23_client_hello(SSL *s);
121static int ssl23_get_server_hello(SSL *s);
122
123int
124ssl23_connect(SSL *s)
125{
126 void (*cb)(const SSL *ssl, int type, int val) = NULL;
127 int ret = -1;
128 int new_state, state;
129
130 ERR_clear_error();
131 errno = 0;
132
133 if (s->internal->info_callback != NULL)
134 cb = s->internal->info_callback;
135 else if (s->ctx->internal->info_callback != NULL)
136 cb = s->ctx->internal->info_callback;
137
138 s->internal->in_handshake++;
139 if (!SSL_in_init(s) || SSL_in_before(s))
140 SSL_clear(s);
141
142 for (;;) {
143 state = s->internal->state;
144
145 switch (s->internal->state) {
146 case SSL_ST_BEFORE:
147 case SSL_ST_CONNECT:
148 case SSL_ST_BEFORE|SSL_ST_CONNECT:
149 case SSL_ST_OK|SSL_ST_CONNECT:
150
151 if (s->session != NULL) {
152 SSLerr(SSL_F_SSL23_CONNECT, SSL_R_SSL23_DOING_SESSION_ID_REUSE);
153 ret = -1;
154 goto end;
155 }
156 s->server = 0;
157 if (cb != NULL)
158 cb(s, SSL_CB_HANDSHAKE_START, 1);
159
160 /* s->version=TLS1_VERSION; */
161 s->internal->type = SSL_ST_CONNECT;
162
163 if (!ssl3_setup_init_buffer(s)) {
164 ret = -1;
165 goto end;
166 }
167 if (!ssl3_setup_buffers(s)) {
168 ret = -1;
169 goto end;
170 }
171 if (!tls1_init_finished_mac(s)) {
172 ret = -1;
173 goto end;
174 }
175
176 s->internal->state = SSL23_ST_CW_CLNT_HELLO_A;
177 s->ctx->internal->stats.sess_connect++;
178 s->internal->init_num = 0;
179 break;
180
181 case SSL23_ST_CW_CLNT_HELLO_A:
182 case SSL23_ST_CW_CLNT_HELLO_B:
183
184 s->internal->shutdown = 0;
185 ret = ssl23_client_hello(s);
186 if (ret <= 0)
187 goto end;
188 s->internal->state = SSL23_ST_CR_SRVR_HELLO_A;
189 s->internal->init_num = 0;
190
191 break;
192
193 case SSL23_ST_CR_SRVR_HELLO_A:
194 case SSL23_ST_CR_SRVR_HELLO_B:
195 ret = ssl23_get_server_hello(s);
196 if (ret >= 0)
197 cb = NULL;
198 goto end;
199 /* break; */
200
201 default:
202 SSLerr(SSL_F_SSL23_CONNECT, SSL_R_UNKNOWN_STATE);
203 ret = -1;
204 goto end;
205 /* break; */
206 }
207
208 if (s->internal->debug) {
209 (void)BIO_flush(s->wbio);
210 }
211
212 if ((cb != NULL) && (s->internal->state != state)) {
213 new_state = s->internal->state;
214 s->internal->state = state;
215 cb(s, SSL_CB_CONNECT_LOOP, 1);
216 s->internal->state = new_state;
217 }
218 }
219
220end:
221 s->internal->in_handshake--;
222 if (cb != NULL)
223 cb(s, SSL_CB_CONNECT_EXIT, ret);
224
225 return (ret);
226}
227
228static int
229ssl23_client_hello(SSL *s)
230{
231 unsigned char *buf;
232 unsigned char *p, *d;
233 unsigned long l;
234 uint16_t version;
235 size_t outlen;
236 int ret;
237
238 buf = (unsigned char *)s->internal->init_buf->data;
239 if (s->internal->state == SSL23_ST_CW_CLNT_HELLO_A) {
240 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
241
242 if (ssl_supported_version_range(s, NULL, &version) != 1) {
243 SSLerr(SSL_F_SSL23_CLIENT_HELLO,
244 SSL_R_NO_PROTOCOLS_AVAILABLE);
245 return (-1);
246 }
247 s->client_version = version;
248
249 /* create Client Hello in SSL 3.0/TLS 1.0 format */
250
251 /*
252 * Do the record header (5 bytes) and handshake
253 * message header (4 bytes) last
254 */
255 d = p = &(buf[SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH]);
256
257 *(p++) = version >> 8;
258 *(p++) = version & 0xff;
259
260 /* Random stuff */
261 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
262 p += SSL3_RANDOM_SIZE;
263
264 /* Session ID (zero since there is no reuse) */
265 *(p++) = 0;
266
267 /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
268 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2],
269 buf - &p[2] + SSL3_RT_MAX_PLAIN_LENGTH, &outlen))
270 return -1;
271 if (outlen == 0) {
272 SSLerr(SSL_F_SSL3_CLIENT_HELLO,
273 SSL_R_NO_CIPHERS_AVAILABLE);
274 return -1;
275 }
276 s2n(outlen, p);
277 p += outlen;
278
279 /* add in (no) COMPRESSION */
280 *(p++) = 1;
281 /* Add the NULL method */
282 *(p++) = 0;
283
284 /* TLS extensions*/
285 if ((p = ssl_add_clienthello_tlsext(s, p,
286 buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
287 SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
288 return -1;
289 }
290
291 l = p - d;
292
293 /* fill in 4-byte handshake header */
294 d = &(buf[SSL3_RT_HEADER_LENGTH]);
295 *(d++) = SSL3_MT_CLIENT_HELLO;
296 l2n3(l, d);
297
298 l += 4;
299
300 if (l > SSL3_RT_MAX_PLAIN_LENGTH) {
301 SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
302 return -1;
303 }
304
305 /* fill in 5-byte record header */
306 d = buf;
307 *(d++) = SSL3_RT_HANDSHAKE;
308 *(d++) = version >> 8;
309
310 /*
311 * Some servers hang if we use long client hellos
312 * and a record number > TLS 1.0.
313 */
314 if (TLS1_get_client_version(s) > TLS1_VERSION)
315 *(d++) = 1;
316 else
317 *(d++) = version & 0xff;
318 s2n((int)l, d);
319
320 /* number of bytes to write */
321 s->internal->init_num = p - buf;
322 s->internal->init_off = 0;
323
324 tls1_finish_mac(s, &(buf[SSL3_RT_HEADER_LENGTH]),
325 s->internal->init_num - SSL3_RT_HEADER_LENGTH);
326
327 s->internal->state = SSL23_ST_CW_CLNT_HELLO_B;
328 s->internal->init_off = 0;
329 }
330
331 /* SSL3_ST_CW_CLNT_HELLO_B */
332 ret = ssl23_write_bytes(s);
333
334 if ((ret >= 2) && s->internal->msg_callback) {
335 /* Client Hello has been sent; tell msg_callback */
336 s->internal->msg_callback(1, s->client_version, SSL3_RT_HANDSHAKE,
337 s->internal->init_buf->data + 5, ret - 5, s, s->internal->msg_callback_arg);
338 }
339
340 return ret;
341}
342
343static int
344ssl23_get_server_hello(SSL *s)
345{
346 char buf[8];
347 unsigned char *p;
348 int i;
349 int n;
350
351 n = ssl23_read_bytes(s, 7);
352
353 if (n != 7)
354 return (n);
355 p = s->internal->packet;
356
357 memcpy(buf, p, n);
358
359 /* Old unsupported sslv2 handshake */
360 if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
361 (p[5] == 0x00) && (p[6] == 0x02)) {
362 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
363 SSL_R_UNSUPPORTED_PROTOCOL);
364 goto err;
365 }
366
367 if (p[1] == SSL3_VERSION_MAJOR &&
368 p[2] <= TLS1_2_VERSION_MINOR &&
369 ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
370 (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) {
371 /* we have sslv3 or tls1 (server hello or alert) */
372
373 if ((p[2] == TLS1_VERSION_MINOR) &&
374 !(s->internal->options & SSL_OP_NO_TLSv1)) {
375 s->version = TLS1_VERSION;
376 s->method = TLSv1_client_method();
377 } else if ((p[2] == TLS1_1_VERSION_MINOR) &&
378 !(s->internal->options & SSL_OP_NO_TLSv1_1)) {
379 s->version = TLS1_1_VERSION;
380 s->method = TLSv1_1_client_method();
381 } else if ((p[2] == TLS1_2_VERSION_MINOR) &&
382 !(s->internal->options & SSL_OP_NO_TLSv1_2)) {
383 s->version = TLS1_2_VERSION;
384 s->method = TLSv1_2_client_method();
385 } else {
386 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
387 SSL_R_UNSUPPORTED_PROTOCOL);
388 goto err;
389 }
390
391 if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) {
392 /* fatal alert */
393 void (*cb)(const SSL *ssl, int type, int val) = NULL;
394 int j;
395
396 if (s->internal->info_callback != NULL)
397 cb = s->internal->info_callback;
398 else if (s->ctx->internal->info_callback != NULL)
399 cb = s->ctx->internal->info_callback;
400
401 i = p[5];
402 if (cb != NULL) {
403 j = (i << 8) | p[6];
404 cb(s, SSL_CB_READ_ALERT, j);
405 }
406
407 if (s->internal->msg_callback)
408 s->internal->msg_callback(0, s->version, SSL3_RT_ALERT,
409 p + 5, 2, s, s->internal->msg_callback_arg);
410
411 s->internal->rwstate = SSL_NOTHING;
412 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
413 SSL_AD_REASON_OFFSET + p[6]);
414 goto err;
415 }
416
417 if (!ssl_init_wbio_buffer(s, 1))
418 goto err;
419
420 /* we are in this state */
421 s->internal->state = SSL3_ST_CR_SRVR_HELLO_A;
422
423 /* put the 7 bytes we have read into the input buffer
424 * for SSLv3 */
425 s->internal->rstate = SSL_ST_READ_HEADER;
426 s->internal->packet_length = n;
427 if (s->s3->rbuf.buf == NULL)
428 if (!ssl3_setup_read_buffer(s))
429 goto err;
430 s->internal->packet = &(s->s3->rbuf.buf[0]);
431 memcpy(s->internal->packet, buf, n);
432 s->s3->rbuf.left = n;
433 s->s3->rbuf.offset = 0;
434
435 s->internal->handshake_func = s->method->internal->ssl_connect;
436 } else {
437 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL);
438 goto err;
439 }
440 s->internal->init_num = 0;
441
442 /*
443 * Since, if we are sending a ssl23 client hello, we are not
444 * reusing a session-id
445 */
446 if (!ssl_get_new_session(s, 0))
447 goto err;
448
449 return (SSL_connect(s));
450err:
451 return (-1);
452}
diff --git a/src/lib/libssl/s23_lib.c b/src/lib/libssl/s23_lib.c
deleted file mode 100644
index 5de30c69e6..0000000000
--- a/src/lib/libssl/s23_lib.c
+++ /dev/null
@@ -1,132 +0,0 @@
1/* $OpenBSD: s23_lib.c,v 1.19 2017/01/23 04:55:26 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60
61#include <openssl/objects.h>
62
63#include "ssl_locl.h"
64
65long
66ssl23_default_timeout(void)
67{
68 return (300);
69}
70
71int
72ssl23_read(SSL *s, void *buf, int len)
73{
74 int n;
75
76 errno = 0;
77 if (SSL_in_init(s) && (!s->internal->in_handshake)) {
78 n = s->internal->handshake_func(s);
79 if (n < 0)
80 return (n);
81 if (n == 0) {
82 SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE);
83 return (-1);
84 }
85 return (SSL_read(s, buf, len));
86 } else {
87 ssl_undefined_function(s);
88 return (-1);
89 }
90}
91
92int
93ssl23_peek(SSL *s, void *buf, int len)
94{
95 int n;
96
97 errno = 0;
98 if (SSL_in_init(s) && (!s->internal->in_handshake)) {
99 n = s->internal->handshake_func(s);
100 if (n < 0)
101 return (n);
102 if (n == 0) {
103 SSLerr(SSL_F_SSL23_PEEK, SSL_R_SSL_HANDSHAKE_FAILURE);
104 return (-1);
105 }
106 return (SSL_peek(s, buf, len));
107 } else {
108 ssl_undefined_function(s);
109 return (-1);
110 }
111}
112
113int
114ssl23_write(SSL *s, const void *buf, int len)
115{
116 int n;
117
118 errno = 0;
119 if (SSL_in_init(s) && (!s->internal->in_handshake)) {
120 n = s->internal->handshake_func(s);
121 if (n < 0)
122 return (n);
123 if (n == 0) {
124 SSLerr(SSL_F_SSL23_WRITE, SSL_R_SSL_HANDSHAKE_FAILURE);
125 return (-1);
126 }
127 return (SSL_write(s, buf, len));
128 } else {
129 ssl_undefined_function(s);
130 return (-1);
131 }
132}
diff --git a/src/lib/libssl/s23_pkt.c b/src/lib/libssl/s23_pkt.c
deleted file mode 100644
index da1ee900ab..0000000000
--- a/src/lib/libssl/s23_pkt.c
+++ /dev/null
@@ -1,116 +0,0 @@
1/* $OpenBSD: s23_pkt.c,v 1.10 2017/01/23 06:45:30 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <errno.h>
60#include <stdio.h>
61
62#include "ssl_locl.h"
63
64#include <openssl/buffer.h>
65#include <openssl/evp.h>
66
67int
68ssl23_write_bytes(SSL *s)
69{
70 int i, num, tot;
71 char *buf;
72
73 buf = s->internal->init_buf->data;
74 tot = s->internal->init_off;
75 num = s->internal->init_num;
76 for (;;) {
77 s->internal->rwstate = SSL_WRITING;
78 i = BIO_write(s->wbio, &(buf[tot]), num);
79 if (i <= 0) {
80 s->internal->init_off = tot;
81 s->internal->init_num = num;
82 return (i);
83 }
84 s->internal->rwstate = SSL_NOTHING;
85 if (i == num)
86 return (tot + i);
87
88 num -= i;
89 tot += i;
90 }
91}
92
93/* return regularly only when we have read (at least) 'n' bytes */
94int
95ssl23_read_bytes(SSL *s, int n)
96{
97 unsigned char *p;
98 int j;
99
100 if (s->internal->packet_length < (unsigned int)n) {
101 p = s->internal->packet;
102
103 for (;;) {
104 s->internal->rwstate = SSL_READING;
105 j = BIO_read(s->rbio, (char *)&(p[s->internal->packet_length]),
106 n - s->internal->packet_length);
107 if (j <= 0)
108 return (j);
109 s->internal->rwstate = SSL_NOTHING;
110 s->internal->packet_length += j;
111 if (s->internal->packet_length >= (unsigned int)n)
112 return (s->internal->packet_length);
113 }
114 }
115 return (n);
116}
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
deleted file mode 100644
index 1cd6721d1f..0000000000
--- a/src/lib/libssl/s23_srvr.c
+++ /dev/null
@@ -1,466 +0,0 @@
1/* $OpenBSD: s23_srvr.c,v 1.57 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <stdio.h>
113
114#include "ssl_locl.h"
115
116#include <openssl/buffer.h>
117#include <openssl/evp.h>
118#include <openssl/objects.h>
119
120static int ssl23_get_client_hello(SSL *s);
121
122int
123ssl23_accept(SSL *s)
124{
125 void (*cb)(const SSL *ssl, int type, int val) = NULL;
126 int ret = -1;
127 int new_state, state;
128
129 ERR_clear_error();
130 errno = 0;
131
132 if (s->internal->info_callback != NULL)
133 cb = s->internal->info_callback;
134 else if (s->ctx->internal->info_callback != NULL)
135 cb = s->ctx->internal->info_callback;
136
137 s->internal->in_handshake++;
138 if (!SSL_in_init(s) || SSL_in_before(s))
139 SSL_clear(s);
140
141 for (;;) {
142 state = s->internal->state;
143
144 switch (s->internal->state) {
145 case SSL_ST_BEFORE:
146 case SSL_ST_ACCEPT:
147 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
148 case SSL_ST_OK|SSL_ST_ACCEPT:
149
150 s->server = 1;
151 if (cb != NULL)
152 cb(s, SSL_CB_HANDSHAKE_START, 1);
153
154 /* s->version=SSL3_VERSION; */
155 s->internal->type = SSL_ST_ACCEPT;
156
157 if (!ssl3_setup_init_buffer(s)) {
158 ret = -1;
159 goto end;
160 }
161 if (!tls1_init_finished_mac(s)) {
162 ret = -1;
163 goto end;
164 }
165
166 s->internal->state = SSL23_ST_SR_CLNT_HELLO_A;
167 s->ctx->internal->stats.sess_accept++;
168 s->internal->init_num = 0;
169 break;
170
171 case SSL23_ST_SR_CLNT_HELLO_A:
172 case SSL23_ST_SR_CLNT_HELLO_B:
173
174 s->internal->shutdown = 0;
175 ret = ssl23_get_client_hello(s);
176 if (ret >= 0)
177 cb = NULL;
178 goto end;
179 /* break; */
180
181 default:
182 SSLerr(SSL_F_SSL23_ACCEPT, SSL_R_UNKNOWN_STATE);
183 ret = -1;
184 goto end;
185 /* break; */
186 }
187
188 if ((cb != NULL) && (s->internal->state != state)) {
189 new_state = s->internal->state;
190 s->internal->state = state;
191 cb(s, SSL_CB_ACCEPT_LOOP, 1);
192 s->internal->state = new_state;
193 }
194 }
195
196end:
197 s->internal->in_handshake--;
198 if (cb != NULL)
199 cb(s, SSL_CB_ACCEPT_EXIT, ret);
200
201 return (ret);
202}
203
204
205int
206ssl23_get_client_hello(SSL *s)
207{
208 char buf[11];
209 /*
210 * sizeof(buf) == 11, because we'll need to request this many bytes in
211 * the initial read.
212 * We can detect SSL 3.0/TLS 1.0 Client Hellos ('type == 3') correctly
213 * only when the following is in a single record, which is not
214 * guaranteed by the protocol specification:
215 * Byte Content
216 * 0 type \
217 * 1/2 version > record header
218 * 3/4 length /
219 * 5 msg_type \
220 * 6-8 length > Client Hello message
221 * 9/10 client_version /
222 */
223 uint16_t client_version = 0;
224 uint16_t shared_version;
225 unsigned char *p, *d, *d_len, *dd;
226 unsigned int i;
227 unsigned int csl, sil, cl;
228 int n = 0, j;
229 int type = 0;
230
231 if (s->internal->state == SSL23_ST_SR_CLNT_HELLO_A) {
232 /* read the initial header */
233 if (!ssl3_setup_buffers(s))
234 return -1;
235
236 n = ssl23_read_bytes(s, sizeof buf);
237 if (n != sizeof buf)
238 return(n);
239
240 p = s->internal->packet;
241
242 memcpy(buf, p, n);
243
244 if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
245 /*
246 * SSLv2 header
247 */
248 client_version = p[3] << 8 | p[4];
249
250 if (!ssl_max_shared_version(s, client_version,
251 &shared_version))
252 goto unsupported;
253
254 s->version = shared_version;
255 s->internal->state = SSL23_ST_SR_CLNT_HELLO_B;
256 } else if ((p[0] == SSL3_RT_HANDSHAKE) &&
257 (p[1] == SSL3_VERSION_MAJOR) &&
258 (p[5] == SSL3_MT_CLIENT_HELLO) &&
259 ((p[3] == 0 && p[4] < 5 /* silly record length? */) ||
260 (p[9] >= p[1]))) {
261 /*
262 * SSLv3 or tls1 header
263 */
264
265 /* We must look at client_version inside the Client Hello message
266 * to get the correct minor version.
267 * However if we have only a pathologically small fragment of the
268 * Client Hello message, this would be difficult, and we'd have
269 * to read more records to find out.
270 * No known SSL 3.0 client fragments ClientHello like this,
271 * so we simply reject such connections to avoid
272 * protocol version downgrade attacks. */
273 if (p[3] == 0 && p[4] < 6) {
274 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
275 SSL_R_RECORD_TOO_SMALL);
276 return -1;
277 }
278 client_version = p[9] << 8 | p[10];
279
280 if (!ssl_max_shared_version(s, client_version,
281 &shared_version)) {
282 if (s->internal->options & SSL_OP_NO_TLSv1)
283 goto unsupported;
284 /*
285 * We won't be able to use TLS of course,
286 * but this will send an appropriate alert.
287 */
288 shared_version = TLS1_VERSION;
289 }
290 s->version = shared_version;
291 type = 3;
292 } else if ((strncmp("GET ", (char *)p, 4) == 0) ||
293 (strncmp("POST ",(char *)p, 5) == 0) ||
294 (strncmp("HEAD ",(char *)p, 5) == 0) ||
295 (strncmp("PUT ", (char *)p, 4) == 0)) {
296 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTP_REQUEST);
297 return -1;
298 } else if (strncmp("CONNECT", (char *)p, 7) == 0) {
299 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTPS_PROXY_REQUEST);
300 return -1;
301 }
302 }
303
304 if (s->internal->state == SSL23_ST_SR_CLNT_HELLO_B) {
305 /* we have SSLv3/TLSv1 in an SSLv2 header
306 * (other cases skip this state) */
307
308 /*
309 * Limit the support of "backward compatible" headers
310 * only to "backward" versions of TLS. If we have moved
311 * on to modernity, just say no.
312 */
313 if (s->internal->options & SSL_OP_NO_TLSv1)
314 goto unsupported;
315
316 type = 2;
317 p = s->internal->packet;
318 client_version = p[3] << 8 | p[4];
319
320 /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
321 * header is sent directly on the wire, not wrapped as a TLS
322 * record. It's format is:
323 * Byte Content
324 * 0-1 msg_length
325 * 2 msg_type
326 * 3-4 version
327 * 5-6 cipher_spec_length
328 * 7-8 session_id_length
329 * 9-10 challenge_length
330 * ... ...
331 */
332 n = ((p[0] & 0x7f) << 8) | p[1];
333 if (n > (1024 * 4)) {
334 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE);
335 return -1;
336 }
337 if (n < 9) {
338 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
339 SSL_R_RECORD_LENGTH_MISMATCH);
340 return -1;
341 }
342
343 j = ssl23_read_bytes(s, n + 2);
344 if (j != n + 2)
345 return -1;
346
347 tls1_finish_mac(s, s->internal->packet + 2, s->internal->packet_length - 2);
348 if (s->internal->msg_callback)
349 s->internal->msg_callback(0, SSL2_VERSION, 0, s->internal->packet + 2,
350 s->internal->packet_length - 2, s, s->internal->msg_callback_arg);
351
352 p = s->internal->packet;
353 p += 5;
354 n2s(p, csl);
355 n2s(p, sil);
356 n2s(p, cl);
357 d = (unsigned char *)s->internal->init_buf->data;
358 if ((csl + sil + cl + 11) != s->internal->packet_length) {
359 /*
360 * We can't have TLS extensions in SSL 2.0 format
361 * Client Hello, can we ? Error condition should be
362 * '>' otherwise
363 */
364 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
365 SSL_R_RECORD_LENGTH_MISMATCH);
366 return -1;
367 }
368
369 /* record header: msg_type ... */
370 *(d++) = SSL3_MT_CLIENT_HELLO;
371 /* ... and length (actual value will be written later) */
372 d_len = d;
373 d += 3;
374
375 /* client_version */
376 *(d++) = client_version >> 8;
377 *(d++) = client_version & 0xff;
378
379 /* lets populate the random area */
380 /* get the challenge_length */
381 i = (cl > SSL3_RANDOM_SIZE) ? SSL3_RANDOM_SIZE : cl;
382 memset(d, 0, SSL3_RANDOM_SIZE);
383 memcpy(&(d[SSL3_RANDOM_SIZE - i]), &(p[csl + sil]), i);
384 d += SSL3_RANDOM_SIZE;
385
386 /* no session-id reuse */
387 *(d++) = 0;
388
389 /* ciphers */
390 j = 0;
391 dd = d;
392 d += 2;
393 for (i = 0; i < csl; i += 3) {
394 if (p[i] != 0)
395 continue;
396 *(d++) = p[i + 1];
397 *(d++) = p[i + 2];
398 j += 2;
399 }
400 s2n(j, dd);
401
402 /* add in (no) COMPRESSION */
403 *(d++) = 1;
404 *(d++) = 0;
405
406 i = (d - (unsigned char *)s->internal->init_buf->data) - 4;
407 l2n3((long)i, d_len);
408
409 /* get the data reused from the init_buf */
410 S3I(s)->tmp.reuse_message = 1;
411 S3I(s)->tmp.message_type = SSL3_MT_CLIENT_HELLO;
412 S3I(s)->tmp.message_size = i;
413 }
414
415 /* imaginary new state (for program structure): */
416 /* s->internal->state = SSL23_SR_CLNT_HELLO_C */
417
418 if (type == 2 || type == 3) {
419 /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
420
421 if (!ssl_init_wbio_buffer(s, 1))
422 return -1;
423
424 /* we are in this state */
425 s->internal->state = SSL3_ST_SR_CLNT_HELLO_A;
426
427 if (type == 3) {
428 /* put the 'n' bytes we have read into the input buffer
429 * for SSLv3 */
430 s->internal->rstate = SSL_ST_READ_HEADER;
431 s->internal->packet_length = n;
432 if (s->s3->rbuf.buf == NULL)
433 if (!ssl3_setup_read_buffer(s))
434 return -1;
435
436 s->internal->packet = &(s->s3->rbuf.buf[0]);
437 memcpy(s->internal->packet, buf, n);
438 s->s3->rbuf.left = n;
439 s->s3->rbuf.offset = 0;
440 } else {
441 s->internal->packet_length = 0;
442 s->s3->rbuf.left = 0;
443 s->s3->rbuf.offset = 0;
444 }
445 if (s->version == TLS1_2_VERSION)
446 s->method = TLSv1_2_server_method();
447 else if (s->version == TLS1_1_VERSION)
448 s->method = TLSv1_1_server_method();
449 else if (s->version == TLS1_VERSION)
450 s->method = TLSv1_server_method();
451 else
452 goto unsupported;
453 s->internal->handshake_func = s->method->internal->ssl_accept;
454 } else {
455 /* bad, very bad */
456 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
457 return -1;
458 }
459 s->internal->init_num = 0;
460
461 return (SSL_accept(s));
462
463 unsupported:
464 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
465 return -1;
466}
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 033831e23d..41b35e5de6 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_both.c,v 1.56 2017/01/23 14:35:42 jsing Exp $ */ 1/* $OpenBSD: s3_both.c,v 1.57 2017/01/26 05:31:25 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -524,11 +524,17 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
524 ssl3_take_mac(s); 524 ssl3_take_mac(s);
525 525
526 /* Feed this message into MAC computation. */ 526 /* Feed this message into MAC computation. */
527 tls1_finish_mac(s, (unsigned char *)s->internal->init_buf->data, s->internal->init_num + 4); 527 if (s->internal->mac_packet) {
528 if (s->internal->msg_callback) 528 tls1_finish_mac(s, (unsigned char *)s->internal->init_buf->data,
529 s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 529 s->internal->init_num + 4);
530 s->internal->init_buf->data, (size_t)s->internal->init_num + 4, s, 530 s->internal->mac_packet = 0;
531 s->internal->msg_callback_arg); 531
532 if (s->internal->msg_callback)
533 s->internal->msg_callback(0, s->version,
534 SSL3_RT_HANDSHAKE, s->internal->init_buf->data,
535 (size_t)s->internal->init_num + 4, s,
536 s->internal->msg_callback_arg);
537 }
532 538
533 *ok = 1; 539 *ok = 1;
534 return (s->internal->init_num); 540 return (s->internal->init_num);
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 0600e7519e..13915c2439 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.174 2017/01/24 15:11:55 jsing Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.175 2017/01/26 05:31:25 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -587,6 +587,7 @@ int
587ssl3_client_hello(SSL *s) 587ssl3_client_hello(SSL *s)
588{ 588{
589 unsigned char *bufend, *p, *d; 589 unsigned char *bufend, *p, *d;
590 uint16_t max_version;
590 size_t outlen; 591 size_t outlen;
591 int i; 592 int i;
592 593
@@ -595,6 +596,13 @@ ssl3_client_hello(SSL *s)
595 if (s->internal->state == SSL3_ST_CW_CLNT_HELLO_A) { 596 if (s->internal->state == SSL3_ST_CW_CLNT_HELLO_A) {
596 SSL_SESSION *sess = s->session; 597 SSL_SESSION *sess = s->session;
597 598
599 if (ssl_supported_version_range(s, NULL, &max_version) != 1) {
600 SSLerr(SSL_F_SSL3_CLIENT_HELLO,
601 SSL_R_NO_PROTOCOLS_AVAILABLE);
602 return (-1);
603 }
604 s->client_version = s->version = max_version;
605
598 if ((sess == NULL) || 606 if ((sess == NULL) ||
599 (sess->ssl_version != s->version) || 607 (sess->ssl_version != s->version) ||
600 (!sess->session_id_length && !sess->tlsext_tick) || 608 (!sess->session_id_length && !sess->tlsext_tick) ||
@@ -644,6 +652,7 @@ ssl3_client_hello(SSL *s)
644 * client_version in client hello and not resetting it to 652 * client_version in client hello and not resetting it to
645 * the negotiated version. 653 * the negotiated version.
646 */ 654 */
655
647 *(p++) = s->client_version >> 8; 656 *(p++) = s->client_version >> 8;
648 *(p++) = s->client_version & 0xff; 657 *(p++) = s->client_version & 0xff;
649 658
@@ -719,20 +728,23 @@ ssl3_get_server_hello(SSL *s)
719{ 728{
720 CBS cbs, server_random, session_id; 729 CBS cbs, server_random, session_id;
721 uint16_t server_version, cipher_suite; 730 uint16_t server_version, cipher_suite;
731 uint16_t min_version, max_version;
722 uint8_t compression_method; 732 uint8_t compression_method;
723 STACK_OF(SSL_CIPHER) *sk; 733 STACK_OF(SSL_CIPHER) *sk;
724 const SSL_CIPHER *cipher; 734 const SSL_CIPHER *cipher;
735 const SSL_METHOD *method;
725 unsigned char *p; 736 unsigned char *p;
726 unsigned long alg_k; 737 unsigned long alg_k;
727 size_t outlen; 738 size_t outlen;
728 int i, al, ok; 739 int i, al, ok;
729 long n; 740 long n;
730 741
742 s->internal->first_packet = 1;
731 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, 743 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
732 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok); 744 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok);
733
734 if (!ok) 745 if (!ok)
735 return ((int)n); 746 return ((int)n);
747 s->internal->first_packet = 0;
736 748
737 if (n < 0) 749 if (n < 0)
738 goto truncated; 750 goto truncated;
@@ -764,12 +776,27 @@ ssl3_get_server_hello(SSL *s)
764 if (!CBS_get_u16(&cbs, &server_version)) 776 if (!CBS_get_u16(&cbs, &server_version))
765 goto truncated; 777 goto truncated;
766 778
767 if (s->version != server_version) { 779 if (ssl_supported_version_range(s, &min_version, &max_version) != 1) {
780 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
781 SSL_R_NO_PROTOCOLS_AVAILABLE);
782 goto err;
783 }
784
785 if (server_version < min_version || server_version > max_version) {
768 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION); 786 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
769 s->version = (s->version & 0xff00) | (server_version & 0xff); 787 s->version = (s->version & 0xff00) | (server_version & 0xff);
770 al = SSL_AD_PROTOCOL_VERSION; 788 al = SSL_AD_PROTOCOL_VERSION;
771 goto f_err; 789 goto f_err;
772 } 790 }
791 s->version = server_version;
792
793 if ((method = tls1_get_client_method(server_version)) == NULL)
794 method = dtls1_get_client_method(server_version);
795 if (method == NULL) {
796 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
797 goto err;
798 }
799 s->method = method;
773 800
774 /* Server random. */ 801 /* Server random. */
775 if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE)) 802 if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE))
@@ -836,6 +863,7 @@ ssl3_get_server_hello(SSL *s)
836 goto f_err; 863 goto f_err;
837 } 864 }
838 } 865 }
866
839 /* 867 /*
840 * XXX - improve the handling for the case where there is a 868 * XXX - improve the handling for the case where there is a
841 * zero length session identifier. 869 * zero length session identifier.
@@ -844,6 +872,8 @@ ssl3_get_server_hello(SSL *s)
844 sizeof(s->session->session_id), &outlen)) 872 sizeof(s->session->session_id), &outlen))
845 goto err; 873 goto err;
846 s->session->session_id_length = outlen; 874 s->session->session_id_length = outlen;
875
876 s->session->ssl_version = s->version;
847 } 877 }
848 878
849 if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) { 879 if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) {
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 152e384a4b..5dadc0654e 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_pkt.c,v 1.69 2017/01/25 06:13:02 jsing Exp $ */ 1/* $OpenBSD: s3_pkt.c,v 1.70 2017/01/26 05:31:25 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -333,9 +333,16 @@ again:
333 if (n <= 0) 333 if (n <= 0)
334 return (n); 334 return (n);
335 335
336 s->internal->mac_packet = 1;
336 s->internal->rstate = SSL_ST_READ_BODY; 337 s->internal->rstate = SSL_ST_READ_BODY;
337 338
338 CBS_init(&header, s->internal->packet, n); 339 if (s->server && s->internal->first_packet) {
340 if ((ret = ssl_server_legacy_first_packet(s)) != 1)
341 return (ret);
342 ret = -1;
343 }
344
345 CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH);
339 346
340 /* Pull apart the header into the SSL3_RECORD */ 347 /* Pull apart the header into the SSL3_RECORD */
341 if (!CBS_get_u8(&header, &type) || 348 if (!CBS_get_u8(&header, &type) ||
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index c6d340026a..28f0fc486a 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.153 2017/01/24 14:57:31 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.154 2017/01/26 05:31:25 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -730,6 +730,8 @@ ssl3_get_client_hello(SSL *s)
730 SSL_CIPHER *c; 730 SSL_CIPHER *c;
731 STACK_OF(SSL_CIPHER) *ciphers = NULL; 731 STACK_OF(SSL_CIPHER) *ciphers = NULL;
732 unsigned long alg_k; 732 unsigned long alg_k;
733 const SSL_METHOD *method;
734 uint16_t shared_version;
733 735
734 /* 736 /*
735 * We do this so that we will respond with our native type. 737 * We do this so that we will respond with our native type.
@@ -741,6 +743,7 @@ ssl3_get_client_hello(SSL *s)
741 if (s->internal->state == SSL3_ST_SR_CLNT_HELLO_A) { 743 if (s->internal->state == SSL3_ST_SR_CLNT_HELLO_A) {
742 s->internal->state = SSL3_ST_SR_CLNT_HELLO_B; 744 s->internal->state = SSL3_ST_SR_CLNT_HELLO_B;
743 } 745 }
746
744 s->internal->first_packet = 1; 747 s->internal->first_packet = 1;
745 n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, 748 n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B,
746 SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO, 749 SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO,
@@ -749,6 +752,7 @@ ssl3_get_client_hello(SSL *s)
749 if (!ok) 752 if (!ok)
750 return ((int)n); 753 return ((int)n);
751 s->internal->first_packet = 0; 754 s->internal->first_packet = 0;
755
752 d = p = (unsigned char *)s->internal->init_msg; 756 d = p = (unsigned char *)s->internal->init_msg;
753 757
754 if (2 > n) 758 if (2 > n)
@@ -760,21 +764,28 @@ ssl3_get_client_hello(SSL *s)
760 s->client_version = (((int)p[0]) << 8)|(int)p[1]; 764 s->client_version = (((int)p[0]) << 8)|(int)p[1];
761 p += 2; 765 p += 2;
762 766
763 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 767 if (ssl_max_shared_version(s, s->client_version, &shared_version) != 1) {
764 (s->version != DTLS1_VERSION && s->client_version < s->version)) { 768 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
765 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
766 SSL_R_WRONG_VERSION_NUMBER);
767 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && 769 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
768 !s->internal->enc_write_ctx && !s->internal->write_hash) { 770 !s->internal->enc_write_ctx && !s->internal->write_hash) {
769 /* 771 /*
770 * Similar to ssl3_get_record, send alert using remote 772 * Similar to ssl3_get_record, send alert using remote
771 * version number 773 * version number.
772 */ 774 */
773 s->version = s->client_version; 775 s->version = s->client_version;
774 } 776 }
775 al = SSL_AD_PROTOCOL_VERSION; 777 al = SSL_AD_PROTOCOL_VERSION;
776 goto f_err; 778 goto f_err;
777 } 779 }
780 s->version = shared_version;
781
782 if ((method = tls1_get_server_method(shared_version)) == NULL)
783 method = dtls1_get_server_method(shared_version);
784 if (method == NULL) {
785 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
786 goto err;
787 }
788 s->method = method;
778 789
779 /* 790 /*
780 * If we require cookies (DTLS) and this ClientHello doesn't 791 * If we require cookies (DTLS) and this ClientHello doesn't
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index b682fc062e..bff28b1772 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.168 2017/01/26 00:42:44 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.169 2017/01/26 05:31:25 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -769,6 +769,7 @@ typedef struct ssl_internal_st {
769 int state; /* where we are */ 769 int state; /* where we are */
770 int rstate; /* where we are when reading */ 770 int rstate; /* where we are when reading */
771 771
772 int mac_packet;
772} SSL_INTERNAL; 773} SSL_INTERNAL;
773 774
774typedef struct ssl3_state_internal_st { 775typedef struct ssl3_state_internal_st {
@@ -1082,6 +1083,11 @@ int ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
1082int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver); 1083int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
1083uint16_t ssl_max_server_version(SSL *s); 1084uint16_t ssl_max_server_version(SSL *s);
1084 1085
1086const SSL_METHOD *dtls1_get_client_method(int ver);
1087const SSL_METHOD *dtls1_get_server_method(int ver);
1088const SSL_METHOD *tls1_get_client_method(int ver);
1089const SSL_METHOD *tls1_get_server_method(int ver);
1090
1085extern SSL3_ENC_METHOD DTLSv1_enc_data; 1091extern SSL3_ENC_METHOD DTLSv1_enc_data;
1086extern SSL3_ENC_METHOD TLSv1_enc_data; 1092extern SSL3_ENC_METHOD TLSv1_enc_data;
1087extern SSL3_ENC_METHOD TLSv1_1_enc_data; 1093extern SSL3_ENC_METHOD TLSv1_1_enc_data;
@@ -1197,6 +1203,7 @@ long tls1_default_timeout(void);
1197int dtls1_do_write(SSL *s, int type); 1203int dtls1_do_write(SSL *s, int type);
1198int ssl3_packet_read(SSL *s, int plen); 1204int ssl3_packet_read(SSL *s, int plen);
1199int ssl3_packet_extend(SSL *s, int plen); 1205int ssl3_packet_extend(SSL *s, int plen);
1206int ssl_server_legacy_first_packet(SSL *s);
1200int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); 1207int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
1201int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, 1208int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
1202 unsigned int len); 1209 unsigned int len);
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
new file mode 100644
index 0000000000..0c5b4c463b
--- /dev/null
+++ b/src/lib/libssl/ssl_packet.c
@@ -0,0 +1,278 @@
1/*
2 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17#include "ssl_locl.h"
18
19#include "bytestring.h"
20
21static int
22ssl_is_sslv2_client_hello(CBS *header)
23{
24 uint16_t record_length;
25 uint8_t message_type;
26 CBS cbs;
27
28 CBS_dup(header, &cbs);
29
30 if (!CBS_get_u16(&cbs, &record_length) ||
31 !CBS_get_u8(&cbs, &message_type))
32 return 0;
33
34 /*
35 * The SSLv2 record length field uses variable length (2 or 3 byte)
36 * encoding. Given the size of a client hello, we expect/require the
37 * 2-byte form which is indicated by a one in the most significant bit.
38 */
39 if ((record_length & 0x8000) == 0)
40 return 0;
41 if ((record_length & ~0x8000) < 3)
42 return 0;
43 if (message_type != SSL2_MT_CLIENT_HELLO)
44 return 0;
45
46 return 1;
47}
48
49static int
50ssl_is_sslv3_handshake(CBS *header)
51{
52 uint16_t record_version;
53 uint8_t record_type;
54 CBS cbs;
55
56 CBS_dup(header, &cbs);
57
58 if (!CBS_get_u8(&cbs, &record_type) ||
59 !CBS_get_u16(&cbs, &record_version))
60 return 0;
61
62 if (record_type != SSL3_RT_HANDSHAKE)
63 return 0;
64 if ((record_version >> 8) != SSL3_VERSION_MAJOR)
65 return 0;
66
67 return 1;
68}
69
70static int
71ssl_convert_sslv2_client_hello(SSL *s)
72{
73 CBB cbb, handshake, client_hello, cipher_suites, compression, session_id;
74 CBS cbs, challenge, cipher_specs, session;
75 uint16_t record_length, client_version, cipher_specs_length;
76 uint16_t session_id_length, challenge_length;
77 unsigned char *client_random, *data = NULL;
78 uint32_t cipher_spec;
79 uint8_t message_type;
80 size_t data_len;
81 int rv = -1;
82 int n;
83
84 memset(&cbb, 0, sizeof(cbb));
85
86 CBS_init(&cbs, s->internal->packet, SSL3_RT_HEADER_LENGTH);
87
88 if (!CBS_get_u16(&cbs, &record_length) ||
89 !CBS_get_u8(&cbs, &message_type) ||
90 !CBS_get_u16(&cbs, &client_version))
91 return -1;
92
93 /*
94 * The SSLv2 record length field uses variable length (2 or 3 byte)
95 * encoding. Given the size of a client hello, we expect/require the
96 * 2-byte form which is indicated by a one in the most significant bit.
97 * Also note that the record length value does not include the bytes
98 * used for the record length field.
99 */
100 if ((record_length & 0x8000) == 0)
101 return -1;
102 record_length &= ~0x8000;
103 if (record_length < SSL3_RT_HEADER_LENGTH - 2)
104 return -1;
105 if (message_type != SSL2_MT_CLIENT_HELLO)
106 return -1;
107
108 if (record_length < 9) {
109 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
110 SSL_R_RECORD_LENGTH_MISMATCH);
111 return -1;
112 }
113 if (record_length > 4096) {
114 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE);
115 return -1;
116 }
117
118 n = ssl3_packet_extend(s, record_length + 2);
119 if (n != record_length + 2)
120 return n;
121
122 tls1_finish_mac(s, s->internal->packet + 2,
123 s->internal->packet_length - 2);
124 s->internal->mac_packet = 0;
125
126 if (s->internal->msg_callback)
127 s->internal->msg_callback(0, SSL2_VERSION, 0,
128 s->internal->packet + 2, s->internal->packet_length - 2, s,
129 s->internal->msg_callback_arg);
130
131 /* Decode the SSLv2 record containing the client hello. */
132 CBS_init(&cbs, s->internal->packet, s->internal->packet_length);
133
134 if (!CBS_get_u16(&cbs, &record_length))
135 return -1;
136 if (!CBS_get_u8(&cbs, &message_type))
137 return -1;
138 if (!CBS_get_u16(&cbs, &client_version))
139 return -1;
140 if (!CBS_get_u16(&cbs, &cipher_specs_length))
141 return -1;
142 if (!CBS_get_u16(&cbs, &session_id_length))
143 return -1;
144 if (!CBS_get_u16(&cbs, &challenge_length))
145 return -1;
146 if (!CBS_get_bytes(&cbs, &cipher_specs, cipher_specs_length))
147 return -1;
148 if (!CBS_get_bytes(&cbs, &session, session_id_length))
149 return -1;
150 if (!CBS_get_bytes(&cbs, &challenge, challenge_length))
151 return -1;
152 if (CBS_len(&cbs) != 0) {
153 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
154 SSL_R_RECORD_LENGTH_MISMATCH);
155 return -1;
156 }
157
158 /* Build SSLv3/TLS record with client hello. */
159 if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH))
160 goto err;
161 if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
162 goto err;
163 if (!CBB_add_u16(&cbb, 0x0301))
164 goto err;
165 if (!CBB_add_u16_length_prefixed(&cbb, &handshake))
166 goto err;
167 if (!CBB_add_u8(&handshake, SSL3_MT_CLIENT_HELLO))
168 goto err;
169 if (!CBB_add_u24_length_prefixed(&handshake, &client_hello))
170 goto err;
171 if (!CBB_add_u16(&client_hello, client_version))
172 goto err;
173 if (!CBB_add_space(&client_hello, &client_random, SSL3_RANDOM_SIZE))
174 goto err;
175 memset(client_random, 0, SSL3_RANDOM_SIZE);
176 if (!CBS_write_bytes(&challenge, client_random, SSL3_RANDOM_SIZE, NULL))
177 goto err;
178 if (!CBB_add_u8_length_prefixed(&client_hello, &session_id))
179 goto err;
180 if (!CBB_add_u16_length_prefixed(&client_hello, &cipher_suites))
181 goto err;
182 while (CBS_len(&cipher_specs) > 0) {
183 if (!CBS_get_u24(&cipher_specs, &cipher_spec))
184 goto err;
185 if ((cipher_spec & 0xff0000) != 0)
186 continue;
187 if (!CBB_add_u16(&cipher_suites, cipher_spec & 0xffff))
188 goto err;
189 }
190 if (!CBB_add_u8_length_prefixed(&client_hello, &compression))
191 goto err;
192 if (!CBB_add_u8(&compression, 0))
193 goto err;
194 if (!CBB_finish(&cbb, &data, &data_len))
195 goto err;
196
197 if (data_len > s->s3->rbuf.len)
198 goto err;
199
200 s->internal->packet = s->s3->rbuf.buf;
201 s->internal->packet_length = data_len;
202 memcpy(s->internal->packet, data, data_len);
203 rv = 1;
204
205 err:
206 CBB_cleanup(&cbb);
207 free(data);
208
209 return (rv);
210}
211
212/*
213 * Potentially do legacy processing on the first packet received by a TLS
214 * server. We return 1 if we want SSLv3/TLS record processing to continue
215 * normally, otherwise we must set an SSLerr and return -1.
216 */
217int
218ssl_server_legacy_first_packet(SSL *s)
219{
220 uint16_t min_version;
221 const char *data;
222 CBS header;
223
224 if (SSL_IS_DTLS(s))
225 return 1;
226
227 CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH);
228
229 if (ssl_is_sslv3_handshake(&header) == 1)
230 return 1;
231
232 /* Only continue if this is not a version locked method. */
233 if (s->method->internal->min_version == s->method->internal->max_version)
234 return 1;
235
236 if (ssl_is_sslv2_client_hello(&header) == 1) {
237 /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */
238 if (ssl_enabled_version_range(s, &min_version, NULL) != 1) {
239 SSLerr(SSL_F_SSL23_CLIENT_HELLO,
240 SSL_R_NO_PROTOCOLS_AVAILABLE);
241 return -1;
242 }
243 if (min_version > TLS1_VERSION)
244 return 1;
245
246 if (ssl_convert_sslv2_client_hello(s) != 1) {
247 SSLerr(SSL_F_SSL23_CLIENT_HELLO,
248 SSL_R_BAD_PACKET_LENGTH);
249 return -1;
250 }
251
252 return 1;
253 }
254
255 /* Ensure that we have SSL3_RT_HEADER_LENGTH (5 bytes) of the packet. */
256 if (CBS_len(&header) != SSL3_RT_HEADER_LENGTH) {
257 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
258 return -1;
259 }
260 data = (const char *)CBS_data(&header);
261
262 /* Is this a cleartext protocol? */
263 if (strncmp("GET ", data, 4) == 0 ||
264 strncmp("POST ", data, 5) == 0 ||
265 strncmp("HEAD ", data, 5) == 0 ||
266 strncmp("PUT ", data, 4) == 0) {
267 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTP_REQUEST);
268 return -1;
269 }
270 if (strncmp("CONNE", data, 5) == 0) {
271 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTPS_PROXY_REQUEST);
272 return -1;
273 }
274
275 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
276
277 return -1;
278}
diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c
index d185df3c79..92b5efb11a 100644
--- a/src/lib/libssl/t1_clnt.c
+++ b/src/lib/libssl/t1_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_clnt.c,v 1.23 2017/01/26 00:42:44 jsing Exp $ */ 1/* $OpenBSD: t1_clnt.c,v 1.24 2017/01/26 05:31:25 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -64,8 +64,6 @@
64#include <openssl/evp.h> 64#include <openssl/evp.h>
65#include <openssl/objects.h> 65#include <openssl/objects.h>
66 66
67static const SSL_METHOD *tls1_get_client_method(int ver);
68
69static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = { 67static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = {
70 .version = TLS1_2_VERSION, 68 .version = TLS1_2_VERSION,
71 .min_version = TLS1_VERSION, 69 .min_version = TLS1_VERSION,
@@ -74,21 +72,21 @@ static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = {
74 .ssl_clear = tls1_clear, 72 .ssl_clear = tls1_clear,
75 .ssl_free = tls1_free, 73 .ssl_free = tls1_free,
76 .ssl_accept = ssl_undefined_function, 74 .ssl_accept = ssl_undefined_function,
77 .ssl_connect = ssl23_connect, 75 .ssl_connect = ssl3_connect,
78 .ssl_read = ssl23_read, 76 .ssl_read = ssl3_read,
79 .ssl_peek = ssl23_peek, 77 .ssl_peek = ssl3_peek,
80 .ssl_write = ssl23_write, 78 .ssl_write = ssl3_write,
81 .ssl_shutdown = ssl_undefined_function, 79 .ssl_shutdown = ssl3_shutdown,
82 .ssl_pending = ssl_undefined_const_function, 80 .ssl_pending = ssl3_pending,
83 .get_ssl_method = tls1_get_client_method, 81 .get_ssl_method = tls1_get_client_method,
84 .get_timeout = ssl23_default_timeout, 82 .get_timeout = tls1_default_timeout,
85 .ssl_version = ssl_undefined_void_function, 83 .ssl_version = ssl_undefined_void_function,
86 .ssl_renegotiate = ssl_undefined_function, 84 .ssl_renegotiate = ssl_undefined_function,
87 .ssl_renegotiate_check = ssl_ok, 85 .ssl_renegotiate_check = ssl_ok,
88 .ssl_get_message = ssl3_get_message, 86 .ssl_get_message = ssl3_get_message,
89 .ssl_read_bytes = ssl3_read_bytes, 87 .ssl_read_bytes = ssl3_read_bytes,
90 .ssl_write_bytes = ssl3_write_bytes, 88 .ssl_write_bytes = ssl3_write_bytes,
91 .ssl3_enc = NULL, 89 .ssl3_enc = &TLSv1_2_enc_data,
92}; 90};
93 91
94static const SSL_METHOD TLS_client_method_data = { 92static const SSL_METHOD TLS_client_method_data = {
@@ -202,7 +200,7 @@ static const SSL_METHOD TLSv1_2_client_method_data = {
202 .internal = &TLSv1_2_client_method_internal_data, 200 .internal = &TLSv1_2_client_method_internal_data,
203}; 201};
204 202
205static const SSL_METHOD * 203const SSL_METHOD *
206tls1_get_client_method(int ver) 204tls1_get_client_method(int ver)
207{ 205{
208 if (ver == TLS1_2_VERSION) 206 if (ver == TLS1_2_VERSION)
diff --git a/src/lib/libssl/t1_meth.c b/src/lib/libssl/t1_meth.c
index d6262e48cd..6a4a243b9d 100644
--- a/src/lib/libssl/t1_meth.c
+++ b/src/lib/libssl/t1_meth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_meth.c,v 1.22 2017/01/26 00:42:44 jsing Exp $ */ 1/* $OpenBSD: t1_meth.c,v 1.23 2017/01/26 05:31:25 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -71,22 +71,22 @@ static const SSL_METHOD_INTERNAL TLS_method_internal_data = {
71 .ssl_new = tls1_new, 71 .ssl_new = tls1_new,
72 .ssl_clear = tls1_clear, 72 .ssl_clear = tls1_clear,
73 .ssl_free = tls1_free, 73 .ssl_free = tls1_free,
74 .ssl_accept = ssl23_accept, 74 .ssl_accept = ssl3_accept,
75 .ssl_connect = ssl23_connect, 75 .ssl_connect = ssl3_connect,
76 .ssl_read = ssl23_read, 76 .ssl_read = ssl3_read,
77 .ssl_peek = ssl23_peek, 77 .ssl_peek = ssl3_peek,
78 .ssl_write = ssl23_write, 78 .ssl_write = ssl3_write,
79 .ssl_shutdown = ssl_undefined_function, 79 .ssl_shutdown = ssl3_shutdown,
80 .ssl_pending = ssl_undefined_const_function, 80 .ssl_pending = ssl3_pending,
81 .get_ssl_method = tls1_get_method, 81 .get_ssl_method = tls1_get_method,
82 .get_timeout = ssl23_default_timeout, 82 .get_timeout = tls1_default_timeout,
83 .ssl_version = ssl_undefined_void_function, 83 .ssl_version = ssl_undefined_void_function,
84 .ssl_renegotiate = ssl_undefined_function, 84 .ssl_renegotiate = ssl_undefined_function,
85 .ssl_renegotiate_check = ssl_ok, 85 .ssl_renegotiate_check = ssl_ok,
86 .ssl_get_message = ssl3_get_message, 86 .ssl_get_message = ssl3_get_message,
87 .ssl_read_bytes = ssl3_read_bytes, 87 .ssl_read_bytes = ssl3_read_bytes,
88 .ssl_write_bytes = ssl3_write_bytes, 88 .ssl_write_bytes = ssl3_write_bytes,
89 .ssl3_enc = NULL, 89 .ssl3_enc = &TLSv1_2_enc_data,
90}; 90};
91 91
92static const SSL_METHOD TLS_method_data = { 92static const SSL_METHOD TLS_method_data = {
diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c
index 69da5cbb67..1fc0ebe6f7 100644
--- a/src/lib/libssl/t1_srvr.c
+++ b/src/lib/libssl/t1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_srvr.c,v 1.24 2017/01/26 00:42:44 jsing Exp $ */ 1/* $OpenBSD: t1_srvr.c,v 1.25 2017/01/26 05:31:25 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -65,8 +65,6 @@
65#include <openssl/objects.h> 65#include <openssl/objects.h>
66#include <openssl/x509.h> 66#include <openssl/x509.h>
67 67
68static const SSL_METHOD *tls1_get_server_method(int ver);
69
70static const SSL_METHOD_INTERNAL TLS_server_method_internal_data = { 68static const SSL_METHOD_INTERNAL TLS_server_method_internal_data = {
71 .version = TLS1_2_VERSION, 69 .version = TLS1_2_VERSION,
72 .min_version = TLS1_VERSION, 70 .min_version = TLS1_VERSION,
@@ -74,22 +72,22 @@ static const SSL_METHOD_INTERNAL TLS_server_method_internal_data = {
74 .ssl_new = tls1_new, 72 .ssl_new = tls1_new,
75 .ssl_clear = tls1_clear, 73 .ssl_clear = tls1_clear,
76 .ssl_free = tls1_free, 74 .ssl_free = tls1_free,
77 .ssl_accept = ssl23_accept, 75 .ssl_accept = ssl3_accept,
78 .ssl_connect = ssl_undefined_function, 76 .ssl_connect = ssl_undefined_function,
79 .ssl_read = ssl23_read, 77 .ssl_read = ssl3_read,
80 .ssl_peek = ssl23_peek, 78 .ssl_peek = ssl3_peek,
81 .ssl_write = ssl23_write, 79 .ssl_write = ssl3_write,
82 .ssl_shutdown = ssl_undefined_function, 80 .ssl_shutdown = ssl3_shutdown,
83 .ssl_pending = ssl_undefined_const_function, 81 .ssl_pending = ssl3_pending,
84 .get_ssl_method = tls1_get_server_method, 82 .get_ssl_method = tls1_get_server_method,
85 .get_timeout = ssl23_default_timeout, 83 .get_timeout = tls1_default_timeout,
86 .ssl_version = ssl_undefined_void_function, 84 .ssl_version = ssl_undefined_void_function,
87 .ssl_renegotiate = ssl_undefined_function, 85 .ssl_renegotiate = ssl_undefined_function,
88 .ssl_renegotiate_check = ssl_ok, 86 .ssl_renegotiate_check = ssl_ok,
89 .ssl_get_message = ssl3_get_message, 87 .ssl_get_message = ssl3_get_message,
90 .ssl_read_bytes = ssl3_read_bytes, 88 .ssl_read_bytes = ssl3_read_bytes,
91 .ssl_write_bytes = ssl3_write_bytes, 89 .ssl_write_bytes = ssl3_write_bytes,
92 .ssl3_enc = NULL, 90 .ssl3_enc = &TLSv1_2_enc_data,
93}; 91};
94 92
95static const SSL_METHOD TLS_server_method_data = { 93static const SSL_METHOD TLS_server_method_data = {
@@ -203,7 +201,7 @@ static const SSL_METHOD TLSv1_2_server_method_data = {
203 .internal = &TLSv1_2_server_method_internal_data, 201 .internal = &TLSv1_2_server_method_internal_data,
204}; 202};
205 203
206static const SSL_METHOD * 204const SSL_METHOD *
207tls1_get_server_method(int ver) 205tls1_get_server_method(int ver)
208{ 206{
209 if (ver == TLS1_2_VERSION) 207 if (ver == TLS1_2_VERSION)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-09 06:48:36 +0000