void hot_function1(unsigned char *in, unsigned char *out, long length,
BF_KEY *schedule, unsigned char *ivec, int *num, int encrypt){
register BF_LONG v0,v1,t;
register int n= *num;
register long l=length;
BF_LONG ti[2];
unsigned char *iv,c,cc;
iv=(unsigned char *)ivec;
if (encrypt)
{
while (l--)
{
if (n == 0)
{
n2l(iv,v0); ti[0]=v0;
n2l(iv,v1); ti[1]=v1;
BF_encrypt((unsigned long *)ti,schedule,BF_ENCRYPT);
iv=(unsigned char *)ivec;
t=ti[0]; l2n(t,iv);
t=ti[1]; l2n(t,iv);
iv=(unsigned char *)ivec;
}
c= *(in++)^iv[n];
*(out++)=c;
iv[n]=c;
n=(n+1)&0x07;
}
}
else
{
while (l--)
{
if (n == 0)
{
n2l(iv,v0); ti[0]=v0;
n2l(iv,v1); ti[1]=v1;
BF_encrypt((unsigned long *)ti,schedule,BF_ENCRYPT);
iv=(unsigned char *)ivec;
t=ti[0]; l2n(t,iv);
t=ti[1]; l2n(t,iv);
iv=(unsigned char *)ivec;
}
cc= *(in++);
c=iv[n];
iv[n]=cc;
*(out++)=c^cc;
n=(n+1)&0x07;
}
}
v0=v1=ti[0]=ti[1]=t=c=cc=0;
*num=n;
}
void BF_ecb_encrypt(const unsigned char *in,unsigned char *out,BF_KEY *ks,int encrypt)
{
BF_LONG l,d[2];
n2l(in,l); d[0]=l;
n2l(in,l); d[1]=l;
if (encrypt)
BF_encrypt(d,ks);
else
BF_decrypt(d,ks);
l=d[0]; l2n(l,out);
l=d[1]; l2n(l,out);
l=d[0]=d[1]=0;
}
void CAST_ecb_encrypt(const uint8_t *in, uint8_t *out, const CAST_KEY *ks,
int enc) {
uint32_t d[2];
n2l(in, d[0]);
n2l(in, d[1]);
if (enc) {
CAST_encrypt(d, ks);
} else {
CAST_decrypt(d, ks);
}
l2n(d[0], out);
l2n(d[1], out);
}
void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out,
CAST_KEY *ks, int enc)
{
CAST_LONG l,d[2];
n2l(in,l); d[0]=l;
n2l(in,l); d[1]=l;
if (enc)
CAST_encrypt(d,ks);
else
CAST_decrypt(d,ks);
l=d[0]; l2n(l,out);
l=d[1]; l2n(l,out);
l=d[0]=d[1]=0;
}
void idea_ecb_encrypt (const unsigned char *in, unsigned char *out, IDEA_KEY_SCHEDULE * ks)
{
unsigned long l0, l1, d[2];
n2l (in, l0);
d[0] = l0;
n2l (in, l1);
d[1] = l1;
idea_encrypt (d, ks);
l0 = d[0];
l2n (l0, out);
l1 = d[1];
l2n (l1, out);
l0 = l1 = d[0] = d[1] = 0;
}
void ssl2_mac(SSL *s, unsigned char *md, int send)
{
EVP_MD_CTX c;
unsigned char sequence[4], *p, *sec, *act;
unsigned long seq;
unsigned int len;
if (send) {
seq = s->s2->write_sequence;
sec = s->s2->write_key;
len = s->s2->wact_data_length;
act = s->s2->wact_data;
} else {
seq = s->s2->read_sequence;
sec = s->s2->read_key;
len = s->s2->ract_data_length;
act = s->s2->ract_data;
}
p = &(sequence[0]);
l2n(seq, p);
/* There has to be a MAC algorithm. */
EVP_MD_CTX_init(&c);
EVP_MD_CTX_copy(&c, s->read_hash);
EVP_DigestUpdate(&c, sec, EVP_CIPHER_CTX_key_length(s->enc_read_ctx));
EVP_DigestUpdate(&c, act, len);
/* the above line also does the pad data */
EVP_DigestUpdate(&c, sequence, 4);
EVP_DigestFinal_ex(&c, md, NULL);
EVP_MD_CTX_cleanup(&c);
}
/*
* Fill a ClientRandom or ServerRandom field of length len.
* Returns <= 0 on failure, 1 on success.
*/
int ssl_fill_hello_random(SSL *s, uint8_t *result, int len)
{
int send_time = 0;
if (len < 4)
return 0;
if (s->server)
send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
else
send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
if (send_time) {
unsigned long Time = time(NULL);
uint8_t *p = result;
l2n(Time, p);
return RAND_bytes(p, len - 4);
} else
return RAND_bytes(result, len);
}
/* The input and output encrypted as though 64bit ofb mode is being
* used. The extra state information to record how much of the
* 64bit block we have used is contained in *num;
*/
void BF_ofb64_encrypt (const unsigned char *in, unsigned char *out, long length,
const BF_KEY * schedule, unsigned char *ivec, int *num)
{
register BF_LONG v0, v1, t;
register int n = *num;
register long l = length;
unsigned char d[8];
register char *dp;
BF_LONG ti[2];
unsigned char *iv;
int save = 0;
iv = (unsigned char *) ivec;
n2l (iv, v0);
n2l (iv, v1);
ti[0] = v0;
ti[1] = v1;
dp = (char *) d;
l2n (v0, dp);
l2n (v1, dp);
while (l--)
{
if (n == 0)
{
BF_encrypt ((BF_LONG *) ti, schedule);
dp = (char *) d;
t = ti[0];
l2n (t, dp);
t = ti[1];
l2n (t, dp);
save++;
}
*(out++) = *(in++) ^ d[n];
n = (n + 1) & 0x07;
}
if (save)
{
v0 = ti[0];
v1 = ti[1];
iv = (unsigned char *) ivec;
l2n (v0, iv);
l2n (v1, iv);
}
t = v0 = v1 = ti[0] = ti[1] = 0;
*num = n;
}
/* The input and output encrypted as though 64bit ofb mode is being
* used. The extra state information to record how much of the
* 64bit block we have used is contained in *num;
*/
void idea_ofb64_encrypt(const unsigned char *in, unsigned char *out,
long length, IDEA_KEY_SCHEDULE *schedule,
unsigned char *ivec, int *num)
{
unsigned long v0,v1,t;
int n= *num;
long l=length;
unsigned char d[8];
char *dp;
unsigned long ti[2];
unsigned char *iv;
int save=0;
iv=(unsigned char *)ivec;
n2l(iv,v0);
n2l(iv,v1);
ti[0]=v0;
ti[1]=v1;
dp=(char *)d;
l2n(v0,dp);
l2n(v1,dp);
while (l--)
{
if (n == 0)
{
idea_encrypt((unsigned long *)ti,schedule);
dp=(char *)d;
t=ti[0];
l2n(t,dp);
t=ti[1];
l2n(t,dp);
save++;
}
*(out++)= *(in++)^d[n];
n=(n+1)&0x07;
}
if (save)
{
v0=ti[0];
v1=ti[1];
iv=(unsigned char *)ivec;
l2n(v0,iv);
l2n(v1,iv);
}
t=v0=v1=ti[0]=ti[1]=0;
*num=n;
}
/* The input and output encrypted as though 64bit ofb mode is being
* used. The extra state information to record how much of the
* 64bit block we have used is contained in *num;
*/
void BF_ofb64_encrypt(unsigned char *in, unsigned char *out, long length, BF_KEY *schedule,
unsigned char *ivec, int *num)
{
register unsigned long v0,v1,t;
register int n= *num;
register long l=length;
unsigned char d[8];
register unsigned char *dp;
unsigned long ti[2];
unsigned char *iv;
int save=0;
iv=(unsigned char *)ivec;
n2l(iv,v0);
n2l(iv,v1);
ti[0]=v0;
ti[1]=v1;
dp=(unsigned char *)d;
l2n(v0,dp);
l2n(v1,dp);
while (l-- != 0)
{
if (n == 0)
{
BF_encrypt((unsigned long *)ti,schedule,BF_ENCRYPT);
dp=(unsigned char *)d;
t=ti[0]; l2n(t,dp);
t=ti[1]; l2n(t,dp);
save++;
}
*(out++)= (unsigned char)(*(in++)^d[n]);
n=(n+1)&0x07;
}
if (save != 0)
{
v0=ti[0];
v1=ti[1];
iv=(unsigned char *)ivec;
l2n(v0,iv);
l2n(v1,iv);
}
t=v0=v1=ti[0]=ti[1]=0;
*num=n;
}
static int ssl23_client_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p,*d;
int i,ch_len;
unsigned long Time,l;
int ssl2_compat;
int version = 0, version_major, version_minor;
#ifndef OPENSSL_NO_COMP
int j;
SSL_COMP *comp;
#endif
int ret;
unsigned long mask, options = s->options;
ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1;
if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
ssl2_compat = 0;
/*
* SSL_OP_NO_X disables all protocols above X *if* there are
* some protocols below X enabled. This is required in order
* to maintain "version capability" vector contiguous. So
* that if application wants to disable TLS1.0 in favour of
* TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
* answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
*/
mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1
#if !defined(OPENSSL_NO_SSL3)
|SSL_OP_NO_SSLv3
#endif
#if !defined(OPENSSL_NO_SSL2)
|(ssl2_compat?SSL_OP_NO_SSLv2:0)
#endif
;
#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
version = TLS1_2_VERSION;
if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
version = TLS1_1_VERSION;
#else
version = TLS1_1_VERSION;
#endif
mask &= ~SSL_OP_NO_TLSv1_1;
if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
version = TLS1_VERSION;
mask &= ~SSL_OP_NO_TLSv1;
#if !defined(OPENSSL_NO_SSL3)
if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
version = SSL3_VERSION;
mask &= ~SSL_OP_NO_SSLv3;
#endif
#if !defined(OPENSSL_NO_SSL2)
if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask)
version = SSL2_VERSION;
#endif
#ifndef OPENSSL_NO_TLSEXT
if (version != SSL2_VERSION)
{
/* have to disable SSL 2.0 compatibility if we need TLS extensions */
if (s->tlsext_hostname != NULL)
ssl2_compat = 0;
if (s->tlsext_status_type != -1)
ssl2_compat = 0;
#ifdef TLSEXT_TYPE_opaque_prf_input
if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
ssl2_compat = 0;
#endif
}
#endif
buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
{
#if 0
/* don't reuse session-id's */
if (!ssl_get_new_session(s,0))
{
return(-1);
}
#endif
p=s->s3->client_random;
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
return -1;
if (version == TLS1_2_VERSION)
{
version_major = TLS1_2_VERSION_MAJOR;
version_minor = TLS1_2_VERSION_MINOR;
}
else if (version == TLS1_1_VERSION)
{
version_major = TLS1_1_VERSION_MAJOR;
version_minor = TLS1_1_VERSION_MINOR;
}
else if (version == TLS1_VERSION)
{
version_major = TLS1_VERSION_MAJOR;
version_minor = TLS1_VERSION_MINOR;
}
#ifdef OPENSSL_FIPS
else if(FIPS_mode())
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
return -1;
}
#endif
else if (version == SSL3_VERSION)
{
version_major = SSL3_VERSION_MAJOR;
version_minor = SSL3_VERSION_MINOR;
}
else if (version == SSL2_VERSION)
{
version_major = SSL2_VERSION_MAJOR;
version_minor = SSL2_VERSION_MINOR;
}
else
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_PROTOCOLS_AVAILABLE);
return(-1);
}
s->client_version = version;
if (ssl2_compat)
{
/* create SSL 2.0 compatible Client Hello */
/* two byte record header will be written last */
d = &(buf[2]);
p = d + 9; /* leave space for message type, version, individual length fields */
*(d++) = SSL2_MT_CLIENT_HELLO;
*(d++) = version_major;
*(d++) = version_minor;
/* Ciphers supported */
i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p,0);
if (i == 0)
{
/* no ciphers */
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
return -1;
}
s2n(i,d);
p+=i;
/* put in the session-id length (zero since there is no reuse) */
#if 0
s->session->session_id_length=0;
#endif
s2n(0,d);
if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
ch_len=SSL2_CHALLENGE_LENGTH;
else
ch_len=SSL2_MAX_CHALLENGE_LENGTH;
/* write out sslv2 challenge */
/* Note that ch_len must be <= SSL3_RANDOM_SIZE (32),
because it is one of SSL2_MAX_CHALLENGE_LENGTH (32)
or SSL2_MAX_CHALLENGE_LENGTH (16), but leave the
check in for futurproofing */
if (SSL3_RANDOM_SIZE < ch_len)
i=SSL3_RANDOM_SIZE;
else
i=ch_len;
s2n(i,d);
memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
if (RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
return -1;
memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
p+=i;
i= p- &(buf[2]);
buf[0]=((i>>8)&0xff)|0x80;
buf[1]=(i&0xff);
/* number of bytes to write */
s->init_num=i+2;
s->init_off=0;
ssl3_finish_mac(s,&(buf[2]),i);
}
else
{
/* create Client Hello in SSL 3.0/TLS 1.0 format */
/* do the record header (5 bytes) and handshake message
* header (4 bytes) last. Note: the final argument to
* ssl_add_clienthello_tlsext below depends on the size
* of this prefix. */
d = p = &(buf[9]);
*(p++) = version_major;
*(p++) = version_minor;
/* Random stuff */
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
/* Session ID (zero since there is no reuse) */
*(p++) = 0;
/* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char);
if (i == 0)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
return -1;
}
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
/* Some servers hang if client hello > 256 bytes
* as hack workaround chop number of supported ciphers
* to keep it well below this if we use TLS v1.2
*/
if (TLS1_get_version(s) >= TLS1_2_VERSION
&& i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
#endif
s2n(i,p);
p+=i;
/* COMPRESSION */
#ifdef OPENSSL_NO_COMP
*(p++)=1;
#else
if ((s->options & SSL_OP_NO_COMPRESSION)
|| !s->ctx->comp_methods)
j=0;
else
j=sk_SSL_COMP_num(s->ctx->comp_methods);
*(p++)=1+j;
for (i=0; i<j; i++)
{
comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
*(p++)=comp->id;
}
#endif
*(p++)=0; /* Add the NULL method */
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (ssl_prepare_clienthello_tlsext(s) <= 0)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
return -1;
}
/* The buffer includes the 5 byte record header, so
* subtract it to compute hlen for
* ssl_add_clienthello_tlsext. */
if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, p-buf-5)) == NULL)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
return -1;
}
#endif
l = p-d;
/* fill in 4-byte handshake header */
d=&(buf[5]);
*(d++)=SSL3_MT_CLIENT_HELLO;
l2n3(l,d);
l += 4;
if (l > SSL3_RT_MAX_PLAIN_LENGTH)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
return -1;
}
/* fill in 5-byte record header */
d=buf;
*(d++) = SSL3_RT_HANDSHAKE;
*(d++) = version_major;
/* Some servers hang if we use long client hellos
* and a record number > TLS 1.0.
*/
if (TLS1_get_client_version(s) > TLS1_VERSION)
*(d++) = 1;
else
*(d++) = version_minor;
s2n((int)l,d);
/* number of bytes to write */
s->init_num=p-buf;
s->init_off=0;
ssl3_finish_mac(s,&(buf[5]), s->init_num - 5);
}
s->state=SSL23_ST_CW_CLNT_HELLO_B;
s->init_off=0;
}
int DES_enc_write(int fd, const void *_buf, int len,
DES_key_schedule *sched, DES_cblock *iv)
{
#if defined(OPENSSL_NO_POSIX_IO)
return (-1);
#else
# ifdef _LIBC
extern unsigned long time();
extern int write();
# endif
const unsigned char *buf = _buf;
long rnum;
int i, j, k, outnum;
static unsigned char *outbuf = NULL;
unsigned char shortbuf[8];
unsigned char *p;
const unsigned char *cp;
static int start = 1;
if (len < 0)
return -1;
if (outbuf == NULL) {
outbuf = OPENSSL_malloc(BSIZE + HDRSIZE);
if (outbuf == NULL)
return (-1);
}
/*
* If we are sending less than 8 bytes, the same char will look the same
* if we don't pad it out with random bytes
*/
if (start) {
start = 0;
}
/* lets recurse if we want to send the data in small chunks */
if (len > MAXWRITE) {
j = 0;
for (i = 0; i < len; i += k) {
k = DES_enc_write(fd, &(buf[i]),
((len - i) > MAXWRITE) ? MAXWRITE : (len - i),
sched, iv);
if (k < 0)
return (k);
else
j += k;
}
return (j);
}
/* write length first */
p = outbuf;
l2n(len, p);
/* pad short strings */
if (len < 8) {
cp = shortbuf;
memcpy(shortbuf, buf, len);
if (RAND_bytes(shortbuf + len, 8 - len) <= 0)
return -1;
rnum = 8;
} else {
cp = buf;
rnum = ((len + 7) / 8 * 8); /* round up to nearest eight */
}
if (DES_rw_mode & DES_PCBC_MODE)
DES_pcbc_encrypt(cp, &(outbuf[HDRSIZE]), (len < 8) ? 8 : len, sched,
iv, DES_ENCRYPT);
else
DES_cbc_encrypt(cp, &(outbuf[HDRSIZE]), (len < 8) ? 8 : len, sched,
iv, DES_ENCRYPT);
/* output */
outnum = rnum + HDRSIZE;
for (j = 0; j < outnum; j += i) {
/*
* eay 26/08/92 I was not doing writing from where we got up to.
*/
# ifndef _WIN32
i = write(fd, (void *)&(outbuf[j]), outnum - j);
# else
i = _write(fd, (void *)&(outbuf[j]), outnum - j);
# endif
if (i == -1) {
# ifdef EINTR
if (errno == EINTR)
i = 0;
else
# endif
/*
* This is really a bad error - very bad It will stuff-up
* both ends.
*/
return (-1);
}
}
return (len);
#endif /* OPENSSL_NO_POSIX_IO */
}
static int ssl23_client_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p,*d;
int i,ch_len;
unsigned long Time,l;
int ssl2_compat;
int version = 0, version_major, version_minor;
#ifndef OPENSSL_NO_COMP
int j;
SSL_COMP *comp;
#endif
int ret;
ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
ssl2_compat = 0;
if (!(s->options & SSL_OP_NO_TLSv1))
{
version = TLS1_VERSION;
}
else if (!(s->options & SSL_OP_NO_SSLv3))
{
version = SSL3_VERSION;
}
else if (!(s->options & SSL_OP_NO_SSLv2))
{
version = SSL2_VERSION;
}
#ifndef OPENSSL_NO_TLSEXT
if (version != SSL2_VERSION)
{
/* have to disable SSL 2.0 compatibility if we need TLS extensions */
if (s->tlsext_hostname != NULL)
ssl2_compat = 0;
if (s->tlsext_status_type != -1)
ssl2_compat = 0;
#ifdef TLSEXT_TYPE_opaque_prf_input
if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
ssl2_compat = 0;
#endif
}
#endif
buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
{
#if 0
/* don't reuse session-id's */
if (!ssl_get_new_session(s,0))
{
return(-1);
}
#endif
p=s->s3->client_random;
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
return -1;
if (version == TLS1_VERSION)
{
version_major = TLS1_VERSION_MAJOR;
version_minor = TLS1_VERSION_MINOR;
}
else if (version == SSL3_VERSION)
{
version_major = SSL3_VERSION_MAJOR;
version_minor = SSL3_VERSION_MINOR;
}
else if (version == SSL2_VERSION)
{
version_major = SSL2_VERSION_MAJOR;
version_minor = SSL2_VERSION_MINOR;
}
else
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_PROTOCOLS_AVAILABLE);
return(-1);
}
s->client_version = version;
if (ssl2_compat)
{
/* create SSL 2.0 compatible Client Hello */
/* two byte record header will be written last */
d = &(buf[2]);
p = d + 9; /* leave space for message type, version, individual length fields */
*(d++) = SSL2_MT_CLIENT_HELLO;
*(d++) = version_major;
*(d++) = version_minor;
/* Ciphers supported */
i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p,0);
if (i == 0)
{
/* no ciphers */
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
return -1;
}
s2n(i,d);
p+=i;
/* put in the session-id length (zero since there is no reuse) */
#if 0
s->session->session_id_length=0;
#endif
s2n(0,d);
if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
ch_len=SSL2_CHALLENGE_LENGTH;
else
ch_len=SSL2_MAX_CHALLENGE_LENGTH;
/* write out sslv2 challenge */
/* Note that ch_len must be <= SSL3_RANDOM_SIZE (32),
because it is one of SSL2_MAX_CHALLENGE_LENGTH (32)
or SSL2_MAX_CHALLENGE_LENGTH (16), but leave the
check in for futurproofing */
if (SSL3_RANDOM_SIZE < ch_len)
i=SSL3_RANDOM_SIZE;
else
i=ch_len;
s2n(i,d);
memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
if (RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
return -1;
memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
p+=i;
i= p- &(buf[2]);
buf[0]=((i>>8)&0xff)|0x80;
buf[1]=(i&0xff);
/* number of bytes to write */
s->init_num=i+2;
s->init_off=0;
ssl3_finish_mac(s,&(buf[2]),i);
}
else
{
/* create Client Hello in SSL 3.0/TLS 1.0 format */
/* do the record header (5 bytes) and handshake message header (4 bytes) last */
d = p = &(buf[9]);
*(p++) = version_major;
*(p++) = version_minor;
/* Random stuff */
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
/* Session ID (zero since there is no reuse) */
*(p++) = 0;
/* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char);
if (i == 0)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
return -1;
}
s2n(i,p);
p+=i;
/* COMPRESSION */
#ifdef OPENSSL_NO_COMP
*(p++)=1;
#else
if ((s->options & SSL_OP_NO_COMPRESSION)
|| !s->ctx->comp_methods)
j=0;
else
j=sk_SSL_COMP_num(s->ctx->comp_methods);
*(p++)=1+j;
for (i=0; i<j; i++)
{
comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
*(p++)=comp->id;
}
#endif
*(p++)=0; /* Add the NULL method */
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (ssl_prepare_clienthello_tlsext(s) <= 0)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
return -1;
}
if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
return -1;
}
#endif
l = p-d;
/* fill in 4-byte handshake header */
d=&(buf[5]);
*(d++)=SSL3_MT_CLIENT_HELLO;
l2n3(l,d);
l += 4;
if (l > SSL3_RT_MAX_PLAIN_LENGTH)
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
return -1;
}
/* fill in 5-byte record header */
d=buf;
*(d++) = SSL3_RT_HANDSHAKE;
*(d++) = version_major;
*(d++) = version_minor; /* arguably we should send the *lowest* suported version here
* (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */
s2n((int)l,d);
/* number of bytes to write */
s->init_num=p-buf;
s->init_off=0;
ssl3_finish_mac(s,&(buf[5]), s->init_num - 5);
}
s->state=SSL23_ST_CW_CLNT_HELLO_B;
s->init_off=0;
}
void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
const BF_KEY *schedule, unsigned char *ivec, int encrypt)
{
register BF_LONG tin0, tin1;
register BF_LONG tout0, tout1, xor0, xor1;
register long l = length;
BF_LONG tin[2];
if (encrypt) {
n2l(ivec, tout0);
n2l(ivec, tout1);
ivec -= 8;
for (l -= 8; l >= 0; l -= 8) {
n2l(in, tin0);
n2l(in, tin1);
tin0 ^= tout0;
tin1 ^= tout1;
tin[0] = tin0;
tin[1] = tin1;
BF_encrypt(tin, schedule);
tout0 = tin[0];
tout1 = tin[1];
l2n(tout0, out);
l2n(tout1, out);
}
if (l != -8) {
n2ln(in, tin0, tin1, l + 8);
tin0 ^= tout0;
tin1 ^= tout1;
tin[0] = tin0;
tin[1] = tin1;
BF_encrypt(tin, schedule);
tout0 = tin[0];
tout1 = tin[1];
l2n(tout0, out);
l2n(tout1, out);
}
l2n(tout0, ivec);
l2n(tout1, ivec);
} else {
n2l(ivec, xor0);
n2l(ivec, xor1);
ivec -= 8;
for (l -= 8; l >= 0; l -= 8) {
n2l(in, tin0);
n2l(in, tin1);
tin[0] = tin0;
tin[1] = tin1;
BF_decrypt(tin, schedule);
tout0 = tin[0] ^ xor0;
tout1 = tin[1] ^ xor1;
l2n(tout0, out);
l2n(tout1, out);
xor0 = tin0;
xor1 = tin1;
}
if (l != -8) {
n2l(in, tin0);
n2l(in, tin1);
tin[0] = tin0;
tin[1] = tin1;
BF_decrypt(tin, schedule);
tout0 = tin[0] ^ xor0;
tout1 = tin[1] ^ xor1;
l2nn(tout0, tout1, out, l + 8);
xor0 = tin0;
xor1 = tin1;
}
l2n(xor0, ivec);
l2n(xor1, ivec);
}
tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
tin[0] = tin[1] = 0;
}
void idea_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
IDEA_KEY_SCHEDULE *ks, unsigned char *iv, int encrypt)
{
register unsigned long tin0,tin1;
register unsigned long tout0,tout1,xor0,xor1;
register long l=length;
unsigned long tin[2];
if (encrypt)
{
n2l(iv,tout0);
n2l(iv,tout1);
iv-=8;
for (l-=8; l>=0; l-=8)
{
n2l(in,tin0);
n2l(in,tin1);
tin0^=tout0;
tin1^=tout1;
tin[0]=tin0;
tin[1]=tin1;
idea_encrypt(tin,ks);
tout0=tin[0]; l2n(tout0,out);
tout1=tin[1]; l2n(tout1,out);
}
if (l != -8)
{
n2ln(in,tin0,tin1,l+8);
tin0^=tout0;
tin1^=tout1;
tin[0]=tin0;
tin[1]=tin1;
idea_encrypt(tin,ks);
tout0=tin[0]; l2n(tout0,out);
tout1=tin[1]; l2n(tout1,out);
}
l2n(tout0,iv);
l2n(tout1,iv);
}
else
{
n2l(iv,xor0);
n2l(iv,xor1);
iv-=8;
for (l-=8; l>=0; l-=8)
{
n2l(in,tin0); tin[0]=tin0;
n2l(in,tin1); tin[1]=tin1;
idea_encrypt(tin,ks);
tout0=tin[0]^xor0;
tout1=tin[1]^xor1;
l2n(tout0,out);
l2n(tout1,out);
xor0=tin0;
xor1=tin1;
}
if (l != -8)
{
n2l(in,tin0); tin[0]=tin0;
n2l(in,tin1); tin[1]=tin1;
idea_encrypt(tin,ks);
tout0=tin[0]^xor0;
tout1=tin[1]^xor1;
l2nn(tout0,tout1,out,l+8);
xor0=tin0;
xor1=tin1;
}
l2n(xor0,iv);
l2n(xor1,iv);
}
tin0=tin1=tout0=tout1=xor0=xor1=0;
tin[0]=tin[1]=0;
}
void idea_cfb64_encrypt(const unsigned char *in, unsigned char *out,
long length, IDEA_KEY_SCHEDULE *schedule,
unsigned char *ivec, int *num, int encrypt)
{
register unsigned long v0,v1,t;
register int n= *num;
register long l=length;
unsigned long ti[2];
unsigned char *iv,c,cc;
iv=(unsigned char *)ivec;
if (encrypt)
{
while (l--)
{
if (n == 0)
{
n2l(iv,v0);
ti[0]=v0;
n2l(iv,v1);
ti[1]=v1;
idea_encrypt((unsigned long *)ti,schedule);
iv=(unsigned char *)ivec;
t=ti[0];
l2n(t,iv);
t=ti[1];
l2n(t,iv);
iv=(unsigned char *)ivec;
}
c= *(in++)^iv[n];
*(out++)=c;
iv[n]=c;
n=(n+1)&0x07;
}
}
else
{
while (l--)
{
if (n == 0)
{
n2l(iv,v0);
ti[0]=v0;
n2l(iv,v1);
ti[1]=v1;
idea_encrypt((unsigned long *)ti,schedule);
iv=(unsigned char *)ivec;
t=ti[0];
l2n(t,iv);
t=ti[1];
l2n(t,iv);
iv=(unsigned char *)ivec;
}
cc= *(in++);
c=iv[n];
iv[n]=cc;
*(out++)=c^cc;
n=(n+1)&0x07;
}
}
v0=v1=ti[0]=ti[1]=t=c=cc=0;
*num=n;
}
