[thirdparty/openssl.git] / ssl / s23_clnt.c

/* ssl/s23_clnt.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
/* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
#include "ssl_locl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>

static const SSL_METHOD *ssl23_get_client_method(int ver);
static int ssl23_client_hello(SSL *s);
static int ssl23_get_server_hello(SSL *s);
static const SSL_METHOD *ssl23_get_client_method(int ver)
{
#ifndef OPENSSL_NO_SSL3
    if (ver == SSL3_VERSION)
        return (SSLv3_client_method());
#endif
    if (ver == TLS1_VERSION)
        return (TLSv1_client_method());
    else if (ver == TLS1_1_VERSION)
        return (TLSv1_1_client_method());
    else if (ver == TLS1_2_VERSION)
        return (TLSv1_2_client_method());
    else
        return (NULL);
}

IMPLEMENT_ssl23_meth_func(SSLv23_client_method,
                          ssl_undefined_function,
                          ssl23_connect, ssl23_get_client_method)

int ssl23_connect(SSL *s)
{
    BUF_MEM *buf = NULL;
    unsigned long Time = (unsigned long)time(NULL);
    void (*cb) (const SSL *ssl, int type, int val) = NULL;
    int ret = -1;
    int new_state, state;

    RAND_add(&Time, sizeof(Time), 0);
    ERR_clear_error();
    clear_sys_error();

    if (s->info_callback != NULL)
        cb = s->info_callback;
    else if (s->ctx->info_callback != NULL)
        cb = s->ctx->info_callback;

    s->in_handshake++;
    if (!SSL_in_init(s) || SSL_in_before(s)) {
        if (!SSL_clear(s))
            return -1;
    }

    for (;;) {
        state = s->state;

        switch (s->state) {
        case SSL_ST_BEFORE:
        case SSL_ST_CONNECT:
        case SSL_ST_BEFORE | SSL_ST_CONNECT:
        case SSL_ST_OK | SSL_ST_CONNECT:

            if (s->session != NULL) {
                SSLerr(SSL_F_SSL23_CONNECT,
                       SSL_R_SSL23_DOING_SESSION_ID_REUSE);
                ret = -1;
                goto end;
            }
            s->server = 0;
            if (cb != NULL)
                cb(s, SSL_CB_HANDSHAKE_START, 1);

            /* s->version=TLS1_VERSION; */
            s->type = SSL_ST_CONNECT;

            if (s->init_buf == NULL) {
                if ((buf = BUF_MEM_new()) == NULL) {
                    ret = -1;
                    goto end;
                }
                if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
                    ret = -1;
                    goto end;
                }
                s->init_buf = buf;
                buf = NULL;
            }

            if (!ssl3_setup_buffers(s)) {
                ret = -1;
                goto end;
            }

            ssl3_init_finished_mac(s);

            s->state = SSL23_ST_CW_CLNT_HELLO_A;
            s->ctx->stats.sess_connect++;
            s->init_num = 0;
            break;

        case SSL23_ST_CW_CLNT_HELLO_A:
        case SSL23_ST_CW_CLNT_HELLO_B:

            s->shutdown = 0;
            ret = ssl23_client_hello(s);
            if (ret <= 0)
                goto end;
            s->state = SSL23_ST_CR_SRVR_HELLO_A;
            s->init_num = 0;

            break;

        case SSL23_ST_CR_SRVR_HELLO_A:
        case SSL23_ST_CR_SRVR_HELLO_B:
            ret = ssl23_get_server_hello(s);
            if (ret >= 0)
                cb = NULL;
            goto end;
            /* break; */

        default:
            SSLerr(SSL_F_SSL23_CONNECT, SSL_R_UNKNOWN_STATE);
            ret = -1;
            goto end;
            /* break; */
        }

        if (s->debug) {
            (void)BIO_flush(s->wbio);
        }

        if ((cb != NULL) && (s->state != state)) {
            new_state = s->state;
            s->state = state;
            cb(s, SSL_CB_CONNECT_LOOP, 1);
            s->state = new_state;
        }
    }
 end:
    s->in_handshake--;
    if (buf != NULL)
        BUF_MEM_free(buf);
    if (cb != NULL)
        cb(s, SSL_CB_CONNECT_EXIT, ret);
    return (ret);
}

/*
 * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on
 * failure, 1 on success.
 */
int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
{
    int send_time = 0;

    if (len < 4)
        return 0;
    if (server)
        send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
    else
        send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
    if (send_time) {
        unsigned long Time = (unsigned long)time(NULL);
        unsigned char *p = result;
        l2n(Time, p);
        return RAND_bytes(p, len - 4);
    } else
        return RAND_bytes(result, len);
}

static int ssl23_client_hello(SSL *s)
{
    unsigned char *buf;
    unsigned char *p, *d;
    int i;
    unsigned long l;
    int version = 0, version_major, version_minor;
    int al = 0;
#ifndef OPENSSL_NO_COMP
    int j;
    SSL_COMP *comp;
#endif
    int ret;
    unsigned long mask, options = s->options;

    /*
     * SSL_OP_NO_X disables all protocols above X *if* there are
     * some protocols below X enabled. This is required in order
     * to maintain "version capability" vector contiguous. So
     * that if application wants to disable TLS1.0 in favour of
     * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
     * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
     */
    mask = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1
#if !defined(OPENSSL_NO_SSL3)
        | SSL_OP_NO_SSLv3
#endif
        ;
#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
    version = TLS1_2_VERSION;

    if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
        version = TLS1_1_VERSION;
#else
    version = TLS1_1_VERSION;
#endif
    mask &= ~SSL_OP_NO_TLSv1_1;
    if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
        version = TLS1_VERSION;
    mask &= ~SSL_OP_NO_TLSv1;
#if !defined(OPENSSL_NO_SSL3)
    if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
        version = SSL3_VERSION;
    mask &= ~SSL_OP_NO_SSLv3;
#endif

    buf = (unsigned char *)s->init_buf->data;
    if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
        p = s->s3->client_random;
        if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
            return -1;

        if (version == TLS1_2_VERSION) {
            version_major = TLS1_2_VERSION_MAJOR;
            version_minor = TLS1_2_VERSION_MINOR;
        } else if (tls1_suiteb(s)) {
            SSLerr(SSL_F_SSL23_CLIENT_HELLO,
                   SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
            return -1;
        } else if (version == TLS1_1_VERSION) {
            version_major = TLS1_1_VERSION_MAJOR;
            version_minor = TLS1_1_VERSION_MINOR;
        } else if (version == TLS1_VERSION) {
            version_major = TLS1_VERSION_MAJOR;
            version_minor = TLS1_VERSION_MINOR;
        } else if (FIPS_mode()) {
            SSLerr(SSL_F_SSL23_CLIENT_HELLO,
                   SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
            return -1;
        } else if (version == SSL3_VERSION) {
            version_major = SSL3_VERSION_MAJOR;
            version_minor = SSL3_VERSION_MINOR;
        } else {
            SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE);
            return (-1);
        }

        s->client_version = version;

        /* create Client Hello in SSL 3.0/TLS 1.0 format */

        /*
         * do the record header (5 bytes) and handshake message header (4
         * bytes) last
         */
        d = p = &(buf[9]);

        *(p++) = version_major;
        *(p++) = version_minor;

        /* Random stuff */
        memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
        p += SSL3_RANDOM_SIZE;

        /* Session ID (zero since there is no reuse) */
        *(p++) = 0;

        /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
        i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]),
                                     ssl3_put_cipher_by_char);
        if (i == 0) {
            SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
            return -1;
        }
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
        /*
         * Some servers hang if client hello > 256 bytes as hack workaround
         * chop number of supported ciphers to keep it well below this if we
         * use TLS v1.2
         */
        if (TLS1_get_version(s) >= TLS1_2_VERSION
            && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
            i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
#endif
        s2n(i, p);
        p += i;

        /* COMPRESSION */
#ifdef OPENSSL_NO_COMP
        *(p++) = 1;
#else
        if (!ssl_allow_compression(s) || !s->ctx->comp_methods)
            j = 0;
        else
            j = sk_SSL_COMP_num(s->ctx->comp_methods);
        *(p++) = 1 + j;
        for (i = 0; i < j; i++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
            *(p++) = comp->id;
        }
#endif
        *(p++) = 0;             /* Add the NULL method */

#ifndef OPENSSL_NO_TLSEXT
        /* TLS extensions */
        if (ssl_prepare_clienthello_tlsext(s) <= 0) {
            SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
            return -1;
        }
        if ((p =
             ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
                                        &al)) == NULL) {
            ssl3_send_alert(s, SSL3_AL_FATAL, al);
            SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
            return -1;
        }
#endif

        l = p - d;

        /* fill in 4-byte handshake header */
        d = &(buf[5]);
        *(d++) = SSL3_MT_CLIENT_HELLO;
        l2n3(l, d);

        l += 4;

        if (l > SSL3_RT_MAX_PLAIN_LENGTH) {
            SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
            return -1;
        }

        /* fill in 5-byte record header */
        d = buf;
        *(d++) = SSL3_RT_HANDSHAKE;
        *(d++) = version_major;
        /*
         * Some servers hang if we use long client hellos and a record number
         * > TLS 1.0.
         */
        if (TLS1_get_client_version(s) > TLS1_VERSION)
            *(d++) = 1;
        else
            *(d++) = version_minor;
        s2n((int)l, d);

        /* number of bytes to write */
        s->init_num = p - buf;
        s->init_off = 0;

        ssl3_finish_mac(s, &(buf[5]), s->init_num - 5);

        s->state = SSL23_ST_CW_CLNT_HELLO_B;
        s->init_off = 0;
    }

    /* SSL3_ST_CW_CLNT_HELLO_B */
    ret = ssl23_write_bytes(s);

    if ((ret >= 2) && s->msg_callback) {
        /* Client Hello has been sent; tell msg_callback */
        s->msg_callback(1, version, SSL3_RT_HEADER, s->init_buf->data, 5, s,
                        s->msg_callback_arg);
        s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data + 5,
                        ret - 5, s, s->msg_callback_arg);
    }

    return ret;
}

static int ssl23_get_server_hello(SSL *s)
{
    unsigned char buf[8];
    unsigned char *p;
    int i;
    int n;

    n = ssl23_read_bytes(s, 7);

    if (n != 7)
        return (n);
    p = RECORD_LAYER_get_packet(&s->rlayer);

    memcpy(buf, p, n);

    if (p[1] == SSL3_VERSION_MAJOR &&
        p[2] <= TLS1_2_VERSION_MINOR &&
        ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
         (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) {
        /* we have sslv3 or tls1 (server hello or alert) */

#ifndef OPENSSL_NO_SSL3
        if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) {
            if (FIPS_mode()) {
                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
                       SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
                goto err;
            }
            s->version = SSL3_VERSION;
            s->method = SSLv3_client_method();
        } else
#endif
        if ((p[2] == TLS1_VERSION_MINOR) && !(s->options & SSL_OP_NO_TLSv1)) {
            s->version = TLS1_VERSION;
            s->method = TLSv1_client_method();
        } else if ((p[2] == TLS1_1_VERSION_MINOR) &&
                   !(s->options & SSL_OP_NO_TLSv1_1)) {
            s->version = TLS1_1_VERSION;
            s->method = TLSv1_1_client_method();
        } else if ((p[2] == TLS1_2_VERSION_MINOR) &&
                   !(s->options & SSL_OP_NO_TLSv1_2)) {
            s->version = TLS1_2_VERSION;
            s->method = TLSv1_2_client_method();
        } else {
            SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
            goto err;
        }

        /* ensure that TLS_MAX_VERSION is up-to-date */
        OPENSSL_assert(s->version <= TLS_MAX_VERSION);

        if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
            SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_VERSION_TOO_LOW);
            goto err;
        }

        if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) {
            /* fatal alert */

            void (*cb) (const SSL *ssl, int type, int val) = NULL;
            int j;

            if (s->info_callback != NULL)
                cb = s->info_callback;
            else if (s->ctx->info_callback != NULL)
                cb = s->ctx->info_callback;

            i = p[5];
            if (cb != NULL) {
                j = (i << 8) | p[6];
                cb(s, SSL_CB_READ_ALERT, j);
            }

            if (s->msg_callback) {
                s->msg_callback(0, s->version, SSL3_RT_HEADER, p, 5, s,
                                s->msg_callback_arg);
                s->msg_callback(0, s->version, SSL3_RT_ALERT, p + 5, 2, s,
                                s->msg_callback_arg);
            }

            s->rwstate = SSL_NOTHING;
            SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_AD_REASON_OFFSET + p[6]);
            goto err;
        }

        if (!ssl_init_wbio_buffer(s, 1))
            goto err;

        /* we are in this state */
        s->state = SSL3_ST_CR_SRVR_HELLO_A;

        /*
         * put the 7 bytes we have read into the input buffer for SSLv3
         */
        if (!RECORD_LAYER_set_data(&s->rlayer, buf, n))
            goto err;

        s->handshake_func = s->method->ssl_connect;
    } else {
        SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL);
        goto err;
    }
    s->init_num = 0;

    /*
     * Since, if we are sending a ssl23 client hello, we are not reusing a
     * session-id
     */
    if (!ssl_get_new_session(s, 0))
        goto err;

    return (SSL_connect(s));
 err:
    return (-1);
}
Commit	Line	Data
d02b48c6	1	/* ssl/s23_clnt.c */
58964a49	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6 RE	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
0f113f3e	8	*
d02b48c6 RE	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e	15	*
d02b48c6 RE	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
0f113f3e	22	*
d02b48c6 RE	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
0f113f3e	37	* 4. If you include any Windows specific code (or a derivative thereof) from
d02b48c6 RE	38	* the apps directory (application code) you must include an acknowledgement:
d02b48c6 RE	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e	40	*
d02b48c6 RE	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
0f113f3e	52	*
d02b48c6 RE	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
f1fd4544 BM	58	/* ====================================================================
	59	* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
	60	*
	61	* Redistribution and use in source and binary forms, with or without
	62	* modification, are permitted provided that the following conditions
	63	* are met:
	64	*
	65	* 1. Redistributions of source code must retain the above copyright
0f113f3e	66	* notice, this list of conditions and the following disclaimer.
f1fd4544 BM	67	*
	68	* 2. Redistributions in binary form must reproduce the above copyright
	69	* notice, this list of conditions and the following disclaimer in
	70	* the documentation and/or other materials provided with the
	71	* distribution.
	72	*
	73	* 3. All advertising materials mentioning features or use of this
	74	* software must display the following acknowledgment:
	75	* "This product includes software developed by the OpenSSL Project
	76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
	77	*
	78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	79	* endorse or promote products derived from this software without
	80	* prior written permission. For written permission, please contact
	81	* openssl-core@openssl.org.
	82	*
	83	* 5. Products derived from this software may not be called "OpenSSL"
	84	* nor may "OpenSSL" appear in their names without prior written
	85	* permission of the OpenSSL Project.
	86	*
	87	* 6. Redistributions of any form whatsoever must retain the following
	88	* acknowledgment:
	89	* "This product includes software developed by the OpenSSL Project
	90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
	91	*
	92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	103	* OF THE POSSIBILITY OF SUCH DAMAGE.
	104	* ====================================================================
	105	*
	106	* This product includes cryptographic software written by Eric Young
	107	* (eay@cryptsoft.com). This product includes software written by Tim
	108	* Hudson (tjh@cryptsoft.com).
	109	*
	110	*/
d02b48c6 RE	111
d02b48c6 RE	112	#include <stdio.h>
7b63c0fa	113	#include "ssl_locl.h"
ec577822 BM	114	#include <openssl/buffer.h>
	115	#include <openssl/rand.h>
	116	#include <openssl/objects.h>
	117	#include <openssl/evp.h>
d02b48c6	118
4ebb342f	119	static const SSL_METHOD *ssl23_get_client_method(int ver);
d02b48c6 RE	120	static int ssl23_client_hello(SSL *s);
d02b48c6 RE	121	static int ssl23_get_server_hello(SSL *s);
4ebb342f	122	static const SSL_METHOD *ssl23_get_client_method(int ver)
0f113f3e	123	{
62f45cc2	124	#ifndef OPENSSL_NO_SSL3
0f113f3e MC	125	if (ver == SSL3_VERSION)
0f113f3e MC	126	return (SSLv3_client_method());
62f45cc2	127	#endif
0f113f3e MC	128	if (ver == TLS1_VERSION)
	129	return (TLSv1_client_method());
	130	else if (ver == TLS1_1_VERSION)
	131	return (TLSv1_1_client_method());
	132	else if (ver == TLS1_2_VERSION)
	133	return (TLSv1_2_client_method());
	134	else
	135	return (NULL);
	136	}
d02b48c6	137
f3b656b2	138	IMPLEMENT_ssl23_meth_func(SSLv23_client_method,
0f113f3e MC	139	ssl_undefined_function,
0f113f3e MC	140	ssl23_connect, ssl23_get_client_method)
d02b48c6	141
6b691a5c	142	int ssl23_connect(SSL *s)
0f113f3e MC	143	{
	144	BUF_MEM *buf = NULL;
	145	unsigned long Time = (unsigned long)time(NULL);
	146	void (cb) (const SSL ssl, int type, int val) = NULL;
	147	int ret = -1;
	148	int new_state, state;
	149
	150	RAND_add(&Time, sizeof(Time), 0);
	151	ERR_clear_error();
	152	clear_sys_error();
	153
	154	if (s->info_callback != NULL)
	155	cb = s->info_callback;
	156	else if (s->ctx->info_callback != NULL)
	157	cb = s->ctx->info_callback;
	158
	159	s->in_handshake++;
69f68237	160	if (!SSL_in_init(s) \|\| SSL_in_before(s)) {
61986d32	161	if (!SSL_clear(s))
69f68237 MC	162	return -1;
69f68237 MC	163	}
0f113f3e MC	164
	165	for (;;) {
	166	state = s->state;
	167
	168	switch (s->state) {
	169	case SSL_ST_BEFORE:
	170	case SSL_ST_CONNECT:
	171	case SSL_ST_BEFORE \| SSL_ST_CONNECT:
	172	case SSL_ST_OK \| SSL_ST_CONNECT:
	173
	174	if (s->session != NULL) {
	175	SSLerr(SSL_F_SSL23_CONNECT,
	176	SSL_R_SSL23_DOING_SESSION_ID_REUSE);
	177	ret = -1;
	178	goto end;
	179	}
	180	s->server = 0;
	181	if (cb != NULL)
	182	cb(s, SSL_CB_HANDSHAKE_START, 1);
	183
	184	/* s->version=TLS1_VERSION; */
	185	s->type = SSL_ST_CONNECT;
	186
	187	if (s->init_buf == NULL) {
	188	if ((buf = BUF_MEM_new()) == NULL) {
	189	ret = -1;
	190	goto end;
	191	}
	192	if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
	193	ret = -1;
	194	goto end;
	195	}
	196	s->init_buf = buf;
	197	buf = NULL;
	198	}
	199
	200	if (!ssl3_setup_buffers(s)) {
	201	ret = -1;
	202	goto end;
	203	}
	204
	205	ssl3_init_finished_mac(s);
	206
	207	s->state = SSL23_ST_CW_CLNT_HELLO_A;
	208	s->ctx->stats.sess_connect++;
	209	s->init_num = 0;
	210	break;
	211
	212	case SSL23_ST_CW_CLNT_HELLO_A:
	213	case SSL23_ST_CW_CLNT_HELLO_B:
	214
	215	s->shutdown = 0;
	216	ret = ssl23_client_hello(s);
	217	if (ret <= 0)
	218	goto end;
	219	s->state = SSL23_ST_CR_SRVR_HELLO_A;
	220	s->init_num = 0;
	221
	222	break;
	223
	224	case SSL23_ST_CR_SRVR_HELLO_A:
	225	case SSL23_ST_CR_SRVR_HELLO_B:
	226	ret = ssl23_get_server_hello(s);
	227	if (ret >= 0)
228	cb = NULL;
229	goto end;
230	/* break; */
231
232	default:
233	SSLerr(SSL_F_SSL23_CONNECT, SSL_R_UNKNOWN_STATE);
234	ret = -1;
235	goto end;
236	/* break; */
237	}
238
239	if (s->debug) {
240	(void)BIO_flush(s->wbio);
241	}
242
243	if ((cb != NULL) && (s->state != state)) {
244	new_state = s->state;
245	s->state = state;
246	cb(s, SSL_CB_CONNECT_LOOP, 1);
247	s->state = new_state;
248	}
249	}
250	end:
251	s->in_handshake--;
252	if (buf != NULL)
253	BUF_MEM_free(buf);
254	if (cb != NULL)
255	cb(s, SSL_CB_CONNECT_EXIT, ret);
256	return (ret);
257	}
258
259	/*
260	* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on
261	* failure, 1 on success.
262	*/
2016265d	263	int ssl_fill_hello_random(SSL s, int server, unsigned char result, int len)
0f113f3e MC	264	{
0f113f3e MC	265	int send_time = 0;
266483d2	266
0f113f3e MC	267	if (len < 4)
	268	return 0;
	269	if (server)
	270	send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
	271	else
	272	send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
	273	if (send_time) {
	274	unsigned long Time = (unsigned long)time(NULL);
	275	unsigned char *p = result;
	276	l2n(Time, p);
266483d2	277	return RAND_bytes(p, len - 4);
0f113f3e	278	} else
266483d2	279	return RAND_bytes(result, len);
0f113f3e	280	}
2016265d	281
6b691a5c	282	static int ssl23_client_hello(SSL *s)
0f113f3e MC	283	{
	284	unsigned char *buf;
	285	unsigned char p, d;
	286	int i;
	287	unsigned long l;
	288	int version = 0, version_major, version_minor;
	289	int al = 0;
f10f4447	290	#ifndef OPENSSL_NO_COMP
0f113f3e MC	291	int j;
0f113f3e MC	292	SSL_COMP *comp;
f10f4447	293	#endif
0f113f3e MC	294	int ret;
	295	unsigned long mask, options = s->options;
	296
	297	/*
	298	* SSL_OP_NO_X disables all protocols above X if there are
	299	* some protocols below X enabled. This is required in order
	300	* to maintain "version capability" vector contiguous. So
	301	* that if application wants to disable TLS1.0 in favour of
	302	* TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
	303	* answer is SSL_OP_NO_TLSv1\|SSL_OP_NO_SSLv3\|SSL_OP_NO_SSLv2.
	304	*/
	305	mask = SSL_OP_NO_TLSv1_1 \| SSL_OP_NO_TLSv1
f2ad3582	306	#if !defined(OPENSSL_NO_SSL3)
0f113f3e	307	\| SSL_OP_NO_SSLv3
f2ad3582	308	#endif
0f113f3e	309	;
f2ad3582	310	#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
0f113f3e	311	version = TLS1_2_VERSION;
f2ad3582	312
0f113f3e MC	313	if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
0f113f3e MC	314	version = TLS1_1_VERSION;
f2ad3582	315	#else
0f113f3e	316	version = TLS1_1_VERSION;
f2ad3582	317	#endif
0f113f3e MC	318	mask &= ~SSL_OP_NO_TLSv1_1;
	319	if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
	320	version = TLS1_VERSION;
	321	mask &= ~SSL_OP_NO_TLSv1;
f2ad3582	322	#if !defined(OPENSSL_NO_SSL3)
0f113f3e MC	323	if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
	324	version = SSL3_VERSION;
	325	mask &= ~SSL_OP_NO_SSLv3;
f2ad3582	326	#endif
761772d7	327
0f113f3e MC	328	buf = (unsigned char *)s->init_buf->data;
0f113f3e MC	329	if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
0f113f3e MC	330	p = s->s3->client_random;
	331	if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
	332	return -1;
	333
	334	if (version == TLS1_2_VERSION) {
	335	version_major = TLS1_2_VERSION_MAJOR;
	336	version_minor = TLS1_2_VERSION_MINOR;
	337	} else if (tls1_suiteb(s)) {
	338	SSLerr(SSL_F_SSL23_CLIENT_HELLO,
	339	SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
	340	return -1;
	341	} else if (version == TLS1_1_VERSION) {
	342	version_major = TLS1_1_VERSION_MAJOR;
	343	version_minor = TLS1_1_VERSION_MINOR;
	344	} else if (version == TLS1_VERSION) {
	345	version_major = TLS1_VERSION_MAJOR;
	346	version_minor = TLS1_VERSION_MINOR;
	347	} else if (FIPS_mode()) {
	348	SSLerr(SSL_F_SSL23_CLIENT_HELLO,
	349	SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
	350	return -1;
	351	} else if (version == SSL3_VERSION) {
	352	version_major = SSL3_VERSION_MAJOR;
	353	version_minor = SSL3_VERSION_MINOR;
	354	} else {
	355	SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE);
	356	return (-1);
	357	}
	358
	359	s->client_version = version;
	360
	361	/* create Client Hello in SSL 3.0/TLS 1.0 format */
	362
	363	/*
	364	* do the record header (5 bytes) and handshake message header (4
	365	* bytes) last
	366	*/
	367	d = p = &(buf[9]);
	368
	369	*(p++) = version_major;
	370	*(p++) = version_minor;
	371
	372	/* Random stuff */
	373	memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
	374	p += SSL3_RANDOM_SIZE;
	375
	376	/* Session ID (zero since there is no reuse) */
	377	*(p++) = 0;
	378
	379	/* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
	380	i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]),
	381	ssl3_put_cipher_by_char);
	382	if (i == 0) {
	383	SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
	384	return -1;
	385	}
800e1cd9	386	#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
0f113f3e MC	387	/*
	388	* Some servers hang if client hello > 256 bytes as hack workaround
	389	* chop number of supported ciphers to keep it well below this if we
	390	* use TLS v1.2
	391	*/
	392	if (TLS1_get_version(s) >= TLS1_2_VERSION
	393	&& i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
	394	i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
800e1cd9	395	#endif
0f113f3e MC	396	s2n(i, p);
0f113f3e MC	397	p += i;
c6c2e313	398
0f113f3e	399	/* COMPRESSION */
ed3883d2	400	#ifdef OPENSSL_NO_COMP
0f113f3e	401	*(p++) = 1;
ed3883d2	402	#else
0f113f3e MC	403	if (!ssl_allow_compression(s) \|\| !s->ctx->comp_methods)
	404	j = 0;
	405	else
	406	j = sk_SSL_COMP_num(s->ctx->comp_methods);
	407	*(p++) = 1 + j;
	408	for (i = 0; i < j; i++) {
	409	comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
	410	*(p++) = comp->id;
	411	}
ed3883d2	412	#endif
0f113f3e	413	(p++) = 0; / Add the NULL method */
f1fd4544	414
ed3883d2	415	#ifndef OPENSSL_NO_TLSEXT
0f113f3e MC	416	/* TLS extensions */
	417	if (ssl_prepare_clienthello_tlsext(s) <= 0) {
	418	SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
	419	return -1;
	420	}
	421	if ((p =
	422	ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
	423	&al)) == NULL) {
	424	ssl3_send_alert(s, SSL3_AL_FATAL, al);
	425	SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
	426	return -1;
	427	}
ed3883d2	428	#endif
0f113f3e MC	429
	430	l = p - d;
	431
	432	/* fill in 4-byte handshake header */
	433	d = &(buf[5]);
	434	*(d++) = SSL3_MT_CLIENT_HELLO;
	435	l2n3(l, d);
	436
	437	l += 4;
	438
	439	if (l > SSL3_RT_MAX_PLAIN_LENGTH) {
	440	SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
	441	return -1;
	442	}
	443
	444	/* fill in 5-byte record header */
	445	d = buf;
	446	*(d++) = SSL3_RT_HANDSHAKE;
	447	*(d++) = version_major;
	448	/*
	449	* Some servers hang if we use long client hellos and a record number
	450	* > TLS 1.0.
	451	*/
	452	if (TLS1_get_client_version(s) > TLS1_VERSION)
	453	*(d++) = 1;
	454	else
	455	*(d++) = version_minor;
	456	s2n((int)l, d);
	457
	458	/* number of bytes to write */
	459	s->init_num = p - buf;
	460	s->init_off = 0;
	461
	462	ssl3_finish_mac(s, &(buf[5]), s->init_num - 5);
	463
	464	s->state = SSL23_ST_CW_CLNT_HELLO_B;
	465	s->init_off = 0;
	466	}
	467
	468	/* SSL3_ST_CW_CLNT_HELLO_B */
	469	ret = ssl23_write_bytes(s);
	470
	471	if ((ret >= 2) && s->msg_callback) {
	472	/* Client Hello has been sent; tell msg_callback */
	473	s->msg_callback(1, version, SSL3_RT_HEADER, s->init_buf->data, 5, s,
	474	s->msg_callback_arg);
	475	s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data + 5,
	476	ret - 5, s, s->msg_callback_arg);
	477	}
	478
	479	return ret;
	480	}
d02b48c6	481
6b691a5c	482	static int ssl23_get_server_hello(SSL *s)
0f113f3e	483	{
28d59af8	484	unsigned char buf[8];
0f113f3e MC	485	unsigned char *p;
	486	int i;
	487	int n;
d02b48c6	488
0f113f3e	489	n = ssl23_read_bytes(s, 7);
d02b48c6	490
0f113f3e MC	491	if (n != 7)
0f113f3e MC	492	return (n);
7a7048af	493	p = RECORD_LAYER_get_packet(&s->rlayer);
d02b48c6	494
0f113f3e	495	memcpy(buf, p, n);
d02b48c6	496
0f113f3e MC	497	if (p[1] == SSL3_VERSION_MAJOR &&
	498	p[2] <= TLS1_2_VERSION_MINOR &&
	499	((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) \|\|
	500	(p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) {
	501	/* we have sslv3 or tls1 (server hello or alert) */
d02b48c6	502
62f45cc2	503	#ifndef OPENSSL_NO_SSL3
0f113f3e MC	504	if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) {
	505	if (FIPS_mode()) {
	506	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
	507	SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
	508	goto err;
	509	}
	510	s->version = SSL3_VERSION;
	511	s->method = SSLv3_client_method();
	512	} else
62f45cc2	513	#endif
0f113f3e MC	514	if ((p[2] == TLS1_VERSION_MINOR) && !(s->options & SSL_OP_NO_TLSv1)) {
	515	s->version = TLS1_VERSION;
	516	s->method = TLSv1_client_method();
	517	} else if ((p[2] == TLS1_1_VERSION_MINOR) &&
	518	!(s->options & SSL_OP_NO_TLSv1_1)) {
	519	s->version = TLS1_1_VERSION;
	520	s->method = TLSv1_1_client_method();
	521	} else if ((p[2] == TLS1_2_VERSION_MINOR) &&
	522	!(s->options & SSL_OP_NO_TLSv1_2)) {
	523	s->version = TLS1_2_VERSION;
	524	s->method = TLSv1_2_client_method();
	525	} else {
	526	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
	527	goto err;
	528	}
	529
	530	/* ensure that TLS_MAX_VERSION is up-to-date */
	531	OPENSSL_assert(s->version <= TLS_MAX_VERSION);
	532
	533	if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
	534	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_VERSION_TOO_LOW);
	535	goto err;
	536	}
	537
	538	if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) {
	539	/* fatal alert */
	540
	541	void (cb) (const SSL ssl, int type, int val) = NULL;
	542	int j;
	543
	544	if (s->info_callback != NULL)
	545	cb = s->info_callback;
	546	else if (s->ctx->info_callback != NULL)
	547	cb = s->ctx->info_callback;
	548
	549	i = p[5];
	550	if (cb != NULL) {
	551	j = (i << 8) \| p[6];
	552	cb(s, SSL_CB_READ_ALERT, j);
	553	}
	554
	555	if (s->msg_callback) {
	556	s->msg_callback(0, s->version, SSL3_RT_HEADER, p, 5, s,
	557	s->msg_callback_arg);
	558	s->msg_callback(0, s->version, SSL3_RT_ALERT, p + 5, 2, s,
	559	s->msg_callback_arg);
	560	}
	561
	562	s->rwstate = SSL_NOTHING;
	563	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_AD_REASON_OFFSET + p[6]);
	564	goto err;
	565	}
	566
	567	if (!ssl_init_wbio_buffer(s, 1))
	568	goto err;
	569
	570	/* we are in this state */
	571	s->state = SSL3_ST_CR_SRVR_HELLO_A;
	572
	573	/*
	574	* put the 7 bytes we have read into the input buffer for SSLv3
	575	*/
61986d32	576	if (!RECORD_LAYER_set_data(&s->rlayer, buf, n))
bbcd6d7f	577	goto err;
0f113f3e MC	578
	579	s->handshake_func = s->method->ssl_connect;
	580	} else {
	581	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL);
	582	goto err;
	583	}
	584	s->init_num = 0;
	585
	586	/*
	587	* Since, if we are sending a ssl23 client hello, we are not reusing a
	588	* session-id
	589	*/
	590	if (!ssl_get_new_session(s, 0))
	591	goto err;
	592
	593	return (SSL_connect(s));
	594	err:
	595	return (-1);
	596	}