../deps/openssl/openssl/ssl/statem/statem

Bug Summary

File:	out/../deps/openssl/openssl/ssl/statem/statem_lib.c
Warning:	line 2142, column 24 Although the value stored to 'single' is used in the enclosing expression, the value is never actually read from 'single'

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name statem_lib.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/maurizio/node-v18.6.0/out -resource-dir /usr/local/lib/clang/16.0.0 -D V8_DEPRECATION_WARNINGS -D V8_IMMINENT_DEPRECATION_WARNINGS -D _GLIBCXX_USE_CXX11_ABI=1 -D NODE_OPENSSL_CONF_NAME=nodejs_conf -D NODE_OPENSSL_HAS_QUIC -D __STDC_FORMAT_MACROS -D OPENSSL_NO_PINSHARED -D OPENSSL_THREADS -D OPENSSL_NO_HW -D OPENSSL_API_COMPAT=0x10100001L -D STATIC_LEGACY -D NDEBUG -D OPENSSL_USE_NODELETE -D L_ENDIAN -D OPENSSL_BUILDING_OPENSSL -D AES_ASM -D BSAES_ASM -D CMLL_ASM -D ECP_NISTZ256_ASM -D GHASH_ASM -D KECCAK1600_ASM -D MD5_ASM -D OPENSSL_BN_ASM_GF2m -D OPENSSL_BN_ASM_MONT -D OPENSSL_BN_ASM_MONT5 -D OPENSSL_CPUID_OBJ -D OPENSSL_IA32_SSE2 -D PADLOCK_ASM -D POLY1305_ASM -D SHA1_ASM -D SHA256_ASM -D SHA512_ASM -D VPAES_ASM -D WHIRLPOOL_ASM -D X25519_ASM -D OPENSSL_PIC -D MODULESDIR="/home/maurizio/node-v18.6.0/out/Release/obj.target/deps/openssl/lib/openssl-modules" -D OPENSSLDIR="/home/maurizio/node-v18.6.0/out/Release/obj.target/deps/openssl" -D OPENSSLDIR="/etc/ssl" -D ENGINESDIR="/dev/null" -D TERMIOS -I ../deps/openssl/openssl -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/openssl/crypto/modes -I ../deps/openssl/openssl/crypto/ec/curve448 -I ../deps/openssl/openssl/crypto/ec/curve448/arch_32 -I ../deps/openssl/openssl/providers/common/include -I ../deps/openssl/openssl/providers/implementations/include -I ../deps/openssl/config -I ../deps/openssl/config/archs/linux-x86_64/asm -I ../deps/openssl/config/archs/linux-x86_64/asm/include -I ../deps/openssl/config/archs/linux-x86_64/asm/crypto -I ../deps/openssl/config/archs/linux-x86_64/asm/crypto/include/internal -I ../deps/openssl/config/archs/linux-x86_64/asm/providers/common/include -internal-isystem /usr/local/lib/clang/16.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/8/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wno-unused-parameter -Wno-missing-field-initializers -Wno-old-style-declaration -fdebug-compilation-dir=/home/maurizio/node-v18.6.0/out -ferror-limit 19 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2022-08-22-142216-507842-1 -x c ../deps/openssl/openssl/ssl/statem/statem_lib.c

1	/*
2	* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3	* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4	*
5	* Licensed under the Apache License 2.0 (the "License"). You may not use
6	* this file except in compliance with the License. You can obtain a copy
7	* in the file LICENSE in the source distribution or at
8	* https://www.openssl.org/source/license.html
9	*/
10
11	#include <limits.h>
12	#include <string.h>
13	#include <stdio.h>
14	#include "../ssl_local.h"
15	#include "statem_local.h"
16	#include "internal/cryptlib.h"
17	#include <openssl/buffer.h>
18	#include <openssl/objects.h>
19	#include <openssl/evp.h>
20	#include <openssl/rsa.h>
21	#include <openssl/x509.h>
22	#include <openssl/trace.h>
23
24	/*
25	* Map error codes to TLS/SSL alart types.
26	*/
27	typedef struct x509err2alert_st {
28	int x509err;
29	int alert;
30	} X509ERR2ALERT;
31
32	/* Fixed value used in the ServerHello random field to identify an HRR */
33	const unsigned char hrrrandom[] = {
34	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35	0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37	};
38
39	/*
40	* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41	* SSL3_RT_CHANGE_CIPHER_SPEC)
42	*/
43	int ssl3_do_write(SSL *s, int type)
44	{
45	int ret;
46	size_t written = 0;
47
48	#ifndef OPENSSL_NO_QUIC
49	if (SSL_IS_QUIC(s)(s->quic_method != ((void*)0))) {
50	if (type == SSL3_RT_HANDSHAKE22) {
51	ret = s->quic_method->add_handshake_data(s, s->quic_write_level,
52	(const uint8_t*)&s->init_buf->data[s->init_off],
53	s->init_num);
54	if (!ret) {
55	ret = -1;
56	/* QUIC can't sent anything out sice the above failed */
57	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" ,57,__func__), ERR_set_error)((20),((259\|((0x1 << 18L)\| (0x2 << 18L)))),((void*)0));
58	} else {
59	written = s->init_num;
60	}
61	} else {
62	/* QUIC doesn't use ChangeCipherSpec */
63	ret = -1;
64	ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" ,64,__func__), ERR_set_error)((20),((257\|((0x1 << 18L)\| (0x2 << 18L)))),((void*)0));
65	}
66	} else
67	#endif
68	ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
69	s->init_num, &written);
70	if (ret < 0)
71	return -1;
72	if (type == SSL3_RT_HANDSHAKE22)
73	/*
74	* should not be done for 'Hello Request's, but in that case we'll
75	* ignore the result anyway
76	* TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
77	*/
78	if (!SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) \|\| (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
79	&& s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
80	&& s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
81	if (!ssl3_finish_mac(s,
82	(unsigned char *)&s->init_buf->data[s->init_off],
83	written))
84	return -1;
85	if (written == s->init_num) {
86	if (s->msg_callback)
87	s->msg_callback(1, s->version, type, s->init_buf->data,
88	(size_t)(s->init_off + s->init_num), s,
89	s->msg_callback_arg);
90	return 1;
91	}
92	s->init_off += written;
93	s->init_num -= written;
94	return 0;
95	}
96
97	int tls_close_construct_packet(SSL s, WPACKET pkt, int htype)
98	{
99	size_t msglen;
100
101	if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC0x0101 && !WPACKET_close(pkt))
102	\|\| !WPACKET_get_length(pkt, &msglen)
103	\|\| msglen > INT_MAX2147483647)
104	return 0;
105	s->init_num = (int)msglen;
106	s->init_off = 0;
107
108	return 1;
109	}
110
111	int tls_setup_handshake(SSL *s)
112	{
113	int ver_min, ver_max, ok;
114
115	if (!ssl3_init_finished_mac(s)) {
116	/* SSLfatal() already called */
117	return 0;
118	}
119
120	/* Reset any extension flags */
121	memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
122
123	if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL((void*)0)) != 0) {
124	SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 124, __func__), ossl_statem_fatal)((s), (70), (191), ((void *)0));
125	return 0;
126	}
127
128	/* Sanity check that we have MD5-SHA1 if we need it */
129	if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX9] == NULL((void*)0)) {
130	int md5sha1_needed = 0;
131
132	/* We don't have MD5-SHA1 - do we need it? */
133	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
134	if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION)((((ver_max) == 0x0100) ? 0xff00 : (ver_max)) >= (((0xFEFF ) == 0x0100) ? 0xff00 : (0xFEFF))))
135	md5sha1_needed = 1;
136	} else {
137	if (ver_max <= TLS1_1_VERSION0x0302)
138	md5sha1_needed = 1;
139	}
140	if (md5sha1_needed) {
141	SSLfatal_data(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 141, __func__), ossl_statem_fatal)(s, SSL_AD_HANDSHAKE_FAILURE40,
142	SSL_R_NO_SUITABLE_DIGEST_ALGORITHM297,
143	"The max supported SSL/TLS version needs the"
144	" MD5-SHA1 digest but it is not available"
145	" in the loaded providers. Use (D)TLSv1.2 or"
146	" above, or load different providers");
147	return 0;
148	}
149
150	ok = 1;
151	/* Don't allow TLSv1.1 or below to be negotiated */
152	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
153	if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION)((((ver_min) == 0x0100) ? 0xff00 : (ver_min)) > (((0xFEFD) == 0x0100) ? 0xff00 : (0xFEFD))))
154	ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION)SSL_ctrl(s, 123, 0xFEFD, ((void*)0));
155	} else {
156	if (ver_min < TLS1_2_VERSION0x0303)
157	ok = SSL_set_min_proto_version(s, TLS1_2_VERSION)SSL_ctrl(s, 123, 0x0303, ((void*)0));
158	}
159	if (!ok) {
160	/* Shouldn't happen */
161	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 161, __func__), ossl_statem_fatal)((s), (40), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
162	return 0;
163	}
164	}
165
166	ok = 0;
167	if (s->server) {
168	STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *ciphers = SSL_get_ciphers(s);
169	int i;
170
171	/*
172	* Sanity check that the maximum version we accept has ciphers
173	* enabled. For clients we do this check during construction of the
174	* ClientHello.
175	*/
176	for (i = 0; i < sk_SSL_CIPHER_num(ciphers)OPENSSL_sk_num(ossl_check_const_SSL_CIPHER_sk_type(ciphers)); i++) {
177	const SSL_CIPHER c = sk_SSL_CIPHER_value(ciphers, i)((const SSL_CIPHER )OPENSSL_sk_value(ossl_check_const_SSL_CIPHER_sk_type (ciphers), (i)));
178
179	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
180	if (DTLS_VERSION_GE(ver_max, c->min_dtls)((((ver_max) == 0x0100) ? 0xff00 : (ver_max)) <= (((c-> min_dtls) == 0x0100) ? 0xff00 : (c->min_dtls))) &&
181	DTLS_VERSION_LE(ver_max, c->max_dtls)((((ver_max) == 0x0100) ? 0xff00 : (ver_max)) >= (((c-> max_dtls) == 0x0100) ? 0xff00 : (c->max_dtls))))
182	ok = 1;
183	} else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
184	ok = 1;
185	}
186	if (ok)
187	break;
188	}
189	if (!ok) {
190	SSLfatal_data(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 190, __func__), ossl_statem_fatal)(s, SSL_AD_HANDSHAKE_FAILURE40,
191	SSL_R_NO_CIPHERS_AVAILABLE181,
192	"No ciphers enabled for max supported "
193	"SSL/TLS version");
194	return 0;
195	}
196	if (SSL_IS_FIRST_HANDSHAKE(s)((s)->s3.tmp.finish_md_len == 0 \|\| (s)->s3.tmp.peer_finish_md_len == 0)) {
197	/* N.B. s->session_ctx == s->ctx here */
198	ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
199	} else {
200	/* N.B. s->ctx may not equal s->session_ctx */
201	ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_renegotiate);
202
203	s->s3.tmp.cert_request = 0;
204	}
205	} else {
206	if (SSL_IS_FIRST_HANDSHAKE(s)((s)->s3.tmp.finish_md_len == 0 \|\| (s)->s3.tmp.peer_finish_md_len == 0))
207	ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
208	else
209	ssl_tsan_counter(s->session_ctx,
210	&s->session_ctx->stats.sess_connect_renegotiate);
211
212	/* mark client_random uninitialized */
213	memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
214	s->hit = 0;
215
216	s->s3.tmp.cert_req = 0;
217
218	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8))
219	s->statem.use_timer = 1;
220	}
221
222	return 1;
223	}
224
225	/*
226	* Size of the to-be-signed TLS13 data, without the hash size itself:
227	* 64 bytes of value 32, 33 context bytes, 1 byte separator
228	*/
229	#define TLS13_TBS_START_SIZE64 64
230	#define TLS13_TBS_PREAMBLE_SIZE(64 + 33 + 1) (TLS13_TBS_START_SIZE64 + 33 + 1)
231
232	static int get_cert_verify_tbs_data(SSL s, unsigned char tls13tbs,
233	void *hdata, size_t hdatalen)
234	{
235	#ifdef CHARSET_EBCDIC
236	static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
237	0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
238	0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
239	0x69, 0x66, 0x79, 0x00 };
240	static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
241	0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
242	0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
243	0x69, 0x66, 0x79, 0x00 };
244	#else
245	static const char servercontext[] = "TLS 1.3, server CertificateVerify";
246	static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
247	#endif
248	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
249	size_t hashlen;
250
251	/* Set the first 64 bytes of to-be-signed data to octet 32 */
252	memset(tls13tbs, 32, TLS13_TBS_START_SIZE64);
253	/* This copies the 33 bytes of context plus the 0 separator byte */
254	if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
255	\|\| s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
256	strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE64, servercontext);
257	else
258	strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE64, clientcontext);
259
260	/*
261	* If we're currently reading then we need to use the saved handshake
262	* hash value. We can't use the current handshake hash state because
263	* that includes the CertVerify itself.
264	*/
265	if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
266	\|\| s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
267	memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE(64 + 33 + 1), s->cert_verify_hash,
268	s->cert_verify_hash_len);
269	hashlen = s->cert_verify_hash_len;
270	} else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE(64 + 33 + 1),
271	EVP_MAX_MD_SIZE64, &hashlen)) {
272	/* SSLfatal() already called */
273	return 0;
274	}
275
276	*hdata = tls13tbs;
277	*hdatalen = TLS13_TBS_PREAMBLE_SIZE(64 + 33 + 1) + hashlen;
278	} else {
279	size_t retlen;
280	long retlen_l;
281
282	retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata)BIO_ctrl(s->s3.handshake_buffer,3,0,(char *)(hdata));
283	if (retlen_l <= 0) {
284	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 284, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
285	return 0;
286	}
287	*hdatalen = retlen;
288	}
289
290	return 1;
291	}
292
293	int tls_construct_cert_verify(SSL s, WPACKET pkt)
294	{
295	EVP_PKEY pkey = NULL((void)0);
296	const EVP_MD md = NULL((void)0);
297	EVP_MD_CTX mctx = NULL((void)0);
298	EVP_PKEY_CTX pctx = NULL((void)0);
299	size_t hdatalen = 0, siglen = 0;
300	void *hdata;
301	unsigned char sig = NULL((void)0);
302	unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE(64 + 33 + 1) + EVP_MAX_MD_SIZE64];
303	const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
304
305	if (lu == NULL((void)0) \|\| s->s3.tmp.cert == NULL((void)0)) {
306	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 306, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
307	goto err;
308	}
309	pkey = s->s3.tmp.cert->privatekey;
310
311	if (pkey == NULL((void*)0) \|\| !tls1_lookup_md(s->ctx, lu, &md)) {
312	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 312, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
313	goto err;
314	}
315
316	mctx = EVP_MD_CTX_new();
317	if (mctx == NULL((void*)0)) {
318	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 318, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
319	goto err;
320	}
321
322	/* Get the data to be signed */
323	if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
324	/* SSLfatal() already called */
325	goto err;
326	}
327
328	if (SSL_USE_SIGALGS(s)(s->method->ssl3_enc->enc_flags & 0x2) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)WPACKET_put_bytes__((pkt), (lu->sigalg), 2)) {
329	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 329, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
330	goto err;
331	}
332
333	if (EVP_DigestSignInit_ex(mctx, &pctx,
334	md == NULL((void)0) ? NULL((void)0) : EVP_MD_get0_name(md),
335	s->ctx->libctx, s->ctx->propq, pkey,
336	NULL((void*)0)) <= 0) {
337	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 337, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
338	goto err;
339	}
340
341	if (lu->sig == EVP_PKEY_RSA_PSS912) {
342	if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING6) <= 0
343	\|\| EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
344	RSA_PSS_SALTLEN_DIGEST-1) <= 0) {
345	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 345, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
346	goto err;
347	}
348	}
349	if (s->version == SSL3_VERSION0x0300) {
350	/*
351	* Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
352	* in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
353	*/
354	if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
355	\|\| EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET0x1d,
356	(int)s->session->master_key_length,
357	s->session->master_key) <= 0
358	\|\| EVP_DigestSignFinal(mctx, NULL((void*)0), &siglen) <= 0) {
359
360	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 360, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
361	goto err;
362	}
363	sig = OPENSSL_malloc(siglen)CRYPTO_malloc(siglen, "../deps/openssl/openssl/ssl/statem/statem_lib.c" , 363);
364	if (sig == NULL((void*)0)
365	\|\| EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
366	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 366, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
367	goto err;
368	}
369	} else {
370	/*
371	* Here we must use EVP_DigestSign() because Ed25519/Ed448 does not
372	* support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
373	*/
374	if (EVP_DigestSign(mctx, NULL((void*)0), &siglen, hdata, hdatalen) <= 0) {
375	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 375, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
376	goto err;
377	}
378	sig = OPENSSL_malloc(siglen)CRYPTO_malloc(siglen, "../deps/openssl/openssl/ssl/statem/statem_lib.c" , 378);
379	if (sig == NULL((void*)0)
380	\|\| EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
381	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 381, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
382	goto err;
383	}
384	}
385
386	#ifndef OPENSSL_NO_GOST
387	{
388	int pktype = lu->sig;
389
390	if (pktype == NID_id_GostR3410_2001811
391	\|\| pktype == NID_id_GostR3410_2012_256979
392	\|\| pktype == NID_id_GostR3410_2012_512980)
393	BUF_reverse(sig, NULL((void*)0), siglen);
394	}
395	#endif
396
397	if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)WPACKET_sub_memcpy__((pkt), (sig), (siglen), 2)) {
398	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 398, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
399	goto err;
400	}
401
402	/* Digest cached records and discard handshake buffer */
403	if (!ssl3_digest_cached_records(s, 0)) {
404	/* SSLfatal() already called */
405	goto err;
406	}
407
408	OPENSSL_free(sig)CRYPTO_free(sig, "../deps/openssl/openssl/ssl/statem/statem_lib.c" , 408);
409	EVP_MD_CTX_free(mctx);
410	return 1;
411	err:
412	OPENSSL_free(sig)CRYPTO_free(sig, "../deps/openssl/openssl/ssl/statem/statem_lib.c" , 412);
413	EVP_MD_CTX_free(mctx);
414	return 0;
415	}
416
417	MSG_PROCESS_RETURN tls_process_cert_verify(SSL s, PACKET pkt)
418	{
419	EVP_PKEY pkey = NULL((void)0);
420	const unsigned char *data;
421	#ifndef OPENSSL_NO_GOST
422	unsigned char gost_data = NULL((void)0);
423	#endif
424	MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
425	int j;
426	unsigned int len;
427	X509 *peer;
428	const EVP_MD md = NULL((void)0);
429	size_t hdatalen = 0;
430	void *hdata;
431	unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE(64 + 33 + 1) + EVP_MAX_MD_SIZE64];
432	EVP_MD_CTX *mctx = EVP_MD_CTX_new();
433	EVP_PKEY_CTX pctx = NULL((void)0);
434
435	if (mctx == NULL((void*)0)) {
436	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 436, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
437	goto err;
438	}
439
440	peer = s->session->peer;
441	pkey = X509_get0_pubkey(peer);
442	if (pkey == NULL((void*)0)) {
443	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 443, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
444	goto err;
445	}
446
447	if (ssl_cert_lookup_by_pkey(pkey, NULL((void)0)) == NULL((void)0)) {
448	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 449, __func__), ossl_statem_fatal)((s), (47), (220), ((void *)0))
449	SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 449, __func__), ossl_statem_fatal)((s), (47), (220), ((void *)0));
450	goto err;
451	}
452
453	if (SSL_USE_SIGALGS(s)(s->method->ssl3_enc->enc_flags & 0x2)) {
454	unsigned int sigalg;
455
456	if (!PACKET_get_net_2(pkt, &sigalg)) {
457	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 457, __func__), ossl_statem_fatal)((s), (50), (240), ((void *)0));
458	goto err;
459	}
460	if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
461	/* SSLfatal() already called */
462	goto err;
463	}
464	} else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
465	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 465, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
466	goto err;
467	}
468
469	if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
470	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 470, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
471	goto err;
472	}
473
474	if (SSL_USE_SIGALGS(s)(s->method->ssl3_enc->enc_flags & 0x2))
475	OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",((void)0)
476	md == NULL ? "n/a" : EVP_MD_get0_name(md))((void)0);
477
478	/* Check for broken implementations of GOST ciphersuites */
479	/*
480	* If key is GOST and len is exactly 64 or 128, it is signature without
481	* length field (CryptoPro implementations at least till TLS 1.2)
482	*/
483	#ifndef OPENSSL_NO_GOST
484	if (!SSL_USE_SIGALGS(s)(s->method->ssl3_enc->enc_flags & 0x2)
485	&& ((PACKET_remaining(pkt) == 64
486	&& (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001811
487	\|\| EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256979))
488	\|\| (PACKET_remaining(pkt) == 128
489	&& EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512980))) {
490	len = PACKET_remaining(pkt);
491	} else
492	#endif
493	if (!PACKET_get_net_2(pkt, &len)) {
494	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 494, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
495	goto err;
496	}
497
498	if (!PACKET_get_bytes(pkt, &data, len)) {
499	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 499, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
500	goto err;
501	}
502
503	if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
504	/* SSLfatal() already called */
505	goto err;
506	}
507
508	OSSL_TRACE1(TLS, "Using client verify alg %s\n",((void)0)
509	md == NULL ? "n/a" : EVP_MD_get0_name(md))((void)0);
510
511	if (EVP_DigestVerifyInit_ex(mctx, &pctx,
512	md == NULL((void)0) ? NULL((void)0) : EVP_MD_get0_name(md),
513	s->ctx->libctx, s->ctx->propq, pkey,
514	NULL((void*)0)) <= 0) {
515	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 515, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
516	goto err;
517	}
518	#ifndef OPENSSL_NO_GOST
519	{
520	int pktype = EVP_PKEY_get_id(pkey);
521	if (pktype == NID_id_GostR3410_2001811
522	\|\| pktype == NID_id_GostR3410_2012_256979
523	\|\| pktype == NID_id_GostR3410_2012_512980) {
524	if ((gost_data = OPENSSL_malloc(len)CRYPTO_malloc(len, "../deps/openssl/openssl/ssl/statem/statem_lib.c" , 524)) == NULL((void*)0)) {
525	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 525, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
526	goto err;
527	}
528	BUF_reverse(gost_data, data, len);
529	data = gost_data;
530	}
531	}
532	#endif
533
534	if (SSL_USE_PSS(s)(s->s3.tmp.peer_sigalg != ((void*)0) && s->s3.tmp .peer_sigalg->sig == 912)) {
535	if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING6) <= 0
536	\|\| EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
537	RSA_PSS_SALTLEN_DIGEST-1) <= 0) {
538	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 538, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
539	goto err;
540	}
541	}
542	if (s->version == SSL3_VERSION0x0300) {
543	if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
544	\|\| EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET0x1d,
545	(int)s->session->master_key_length,
546	s->session->master_key) <= 0) {
547	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 547, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
548	goto err;
549	}
550	if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
551	SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 551, __func__), ossl_statem_fatal)((s), (51), (123), ((void *)0));
552	goto err;
553	}
554	} else {
555	j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
556	if (j <= 0) {
557	SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 557, __func__), ossl_statem_fatal)((s), (51), (123), ((void *)0));
558	goto err;
559	}
560	}
561
562	/*
563	* In TLSv1.3 on the client side we make sure we prepare the client
564	* certificate after the CertVerify instead of when we get the
565	* CertificateRequest. This is because in TLSv1.3 the CertificateRequest
566	* comes before the Certificate message. In TLSv1.2 it comes after. We
567	* want to make sure that SSL_get1_peer_certificate() will return the actual
568	* server certificate from the client_cert_cb callback.
569	*/
570	if (!s->server && SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) && s->s3.tmp.cert_req == 1)
571	ret = MSG_PROCESS_CONTINUE_PROCESSING;
572	else
573	ret = MSG_PROCESS_CONTINUE_READING;
574	err:
575	BIO_free(s->s3.handshake_buffer);
576	s->s3.handshake_buffer = NULL((void*)0);
577	EVP_MD_CTX_free(mctx);
578	#ifndef OPENSSL_NO_GOST
579	OPENSSL_free(gost_data)CRYPTO_free(gost_data, "../deps/openssl/openssl/ssl/statem/statem_lib.c" , 579);
580	#endif
581	return ret;
582	}
583
584	int tls_construct_finished(SSL s, WPACKET pkt)
585	{
586	size_t finish_md_len;
587	const char *sender;
588	size_t slen;
589
590	/* This is a real handshake so make sure we clean it up at the end */
591	if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
592	s->statem.cleanuphand = 1;
593
594	/*
595	* We only change the keys if we didn't already do this when we sent the
596	* client certificate
597	*/
598	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)
599	&& !s->server
600	&& s->s3.tmp.cert_req == 0
601	&& (!s->method->ssl3_enc->change_cipher_state(s,
602	SSL3_CC_HANDSHAKE0x080 \| SSL3_CHANGE_CIPHER_CLIENT_WRITE(0x010\|0x002)))) {;
603	/* SSLfatal() already called */
604	return 0;
605	}
606
607	if (s->server) {
608	sender = s->method->ssl3_enc->server_finished_label;
609	slen = s->method->ssl3_enc->server_finished_label_len;
610	} else {
611	sender = s->method->ssl3_enc->client_finished_label;
612	slen = s->method->ssl3_enc->client_finished_label_len;
613	}
614
615	finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
616	sender, slen,
617	s->s3.tmp.finish_md);
618	if (finish_md_len == 0) {
619	/* SSLfatal() already called */
620	return 0;
621	}
622
623	s->s3.tmp.finish_md_len = finish_md_len;
624
625	if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
626	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 626, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
627	return 0;
628	}
629
630	/*
631	* Log the master secret, if logging is enabled. We don't log it for
632	* TLSv1.3: there's a different key schedule for that.
633	*/
634	if (!SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) && !ssl_log_secret(s, MASTER_SECRET_LABEL"CLIENT_RANDOM",
635	s->session->master_key,
636	s->session->master_key_length)) {
637	/* SSLfatal() already called */
638	return 0;
639	}
640
641	/*
642	* Copy the finished so we can use it for renegotiation checks
643	*/
644	if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)((finish_md_len <= 64) != 0)) {
645	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 645, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
646	return 0;
647	}
648	if (!s->server) {
649	memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
650	finish_md_len);
651	s->s3.previous_client_finished_len = finish_md_len;
652	} else {
653	memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
654	finish_md_len);
655	s->s3.previous_server_finished_len = finish_md_len;
656	}
657
658	return 1;
659	}
660
661	int tls_construct_key_update(SSL s, WPACKET pkt)
662	{
663	#ifndef OPENSSL_NO_QUIC
664	if (SSL_is_quic(s)) {
665	/* TLS KeyUpdate is not used for QUIC, so this is an error. */
666	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 666, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
667	return 0;
668	}
669	#endif
670	if (!WPACKET_put_bytes_u8(pkt, s->key_update)WPACKET_put_bytes__((pkt), (s->key_update), 1)) {
671	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 671, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
672	return 0;
673	}
674
675	s->key_update = SSL_KEY_UPDATE_NONE-1;
676	return 1;
677	}
678
679	MSG_PROCESS_RETURN tls_process_key_update(SSL s, PACKET pkt)
680	{
681	unsigned int updatetype;
682
683	/*
684	* A KeyUpdate message signals a key change so the end of the message must
685	* be on a record boundary.
686	*/
687	if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
688	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 688, __func__), ossl_statem_fatal)((s), (10), (182), ((void *)0));
689	return MSG_PROCESS_ERROR;
690	}
691
692	#ifndef OPENSSL_NO_QUIC
693	if (SSL_is_quic(s)) {
694	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 694, __func__), ossl_statem_fatal)((s), (10), (244), ((void *)0));
695	return MSG_PROCESS_ERROR;
696	}
697	#endif
698
699	if (!PACKET_get_1(pkt, &updatetype)
700	\|\| PACKET_remaining(pkt) != 0) {
701	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 701, __func__), ossl_statem_fatal)((s), (50), (122), ((void *)0));
702	return MSG_PROCESS_ERROR;
703	}
704
705	/*
706	* There are only two defined key update types. Fail if we get a value we
707	* didn't recognise.
708	*/
709	if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED0
710	&& updatetype != SSL_KEY_UPDATE_REQUESTED1) {
711	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 711, __func__), ossl_statem_fatal)((s), (47), (122), ((void *)0));
712	return MSG_PROCESS_ERROR;
713	}
714
715	/*
716	* If we get a request for us to update our sending keys too then, we need
717	* to additionally send a KeyUpdate message. However that message should
718	* not also request an update (otherwise we get into an infinite loop).
719	*/
720	if (updatetype == SSL_KEY_UPDATE_REQUESTED1)
721	s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED0;
722
723	if (!tls13_update_key(s, 0)) {
724	/* SSLfatal() already called */
725	return MSG_PROCESS_ERROR;
726	}
727
728	return MSG_PROCESS_FINISHED_READING;
729	}
730
731	/*
732	* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
733	* to far.
734	*/
735	int ssl3_take_mac(SSL *s)
736	{
737	const char *sender;
738	size_t slen;
739
740	if (!s->server) {
741	sender = s->method->ssl3_enc->server_finished_label;
742	slen = s->method->ssl3_enc->server_finished_label_len;
743	} else {
744	sender = s->method->ssl3_enc->client_finished_label;
745	slen = s->method->ssl3_enc->client_finished_label_len;
746	}
747
748	s->s3.tmp.peer_finish_md_len =
749	s->method->ssl3_enc->final_finish_mac(s, sender, slen,
750	s->s3.tmp.peer_finish_md);
751
752	if (s->s3.tmp.peer_finish_md_len == 0) {
753	/* SSLfatal() already called */
754	return 0;
755	}
756
757	return 1;
758	}
759
760	MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL s, PACKET pkt)
761	{
762	size_t remain;
763
764	remain = PACKET_remaining(pkt);
765	/*
766	* 'Change Cipher Spec' is just a single byte, which should already have
767	* been consumed by ssl_get_message() so there should be no bytes left,
768	* unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
769	*/
770	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
771	if ((s->version == DTLS1_BAD_VER0x0100
772	&& remain != DTLS1_CCS_HEADER_LENGTH1 + 1)
773	\|\| (s->version != DTLS1_BAD_VER0x0100
774	&& remain != DTLS1_CCS_HEADER_LENGTH1 - 1)) {
775	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 775, __func__), ossl_statem_fatal)((s), (50), (103), ((void *)0));
776	return MSG_PROCESS_ERROR;
777	}
778	} else {
779	if (remain != 0) {
780	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 780, __func__), ossl_statem_fatal)((s), (50), (103), ((void *)0));
781	return MSG_PROCESS_ERROR;
782	}
783	}
784
785	/* Check we have a cipher to change to */
786	if (s->s3.tmp.new_cipher == NULL((void*)0)) {
787	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 787, __func__), ossl_statem_fatal)((s), (10), (133), ((void *)0));
788	return MSG_PROCESS_ERROR;
789	}
790
791	s->s3.change_cipher_spec = 1;
792	if (!ssl3_do_change_cipher_spec(s)) {
793	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 793, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
794	return MSG_PROCESS_ERROR;
795	}
796
797	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
798	dtls1_reset_seq_numbers(s, SSL3_CC_READ0x001);
799
800	if (s->version == DTLS1_BAD_VER0x0100)
801	s->d1->handshake_read_seq++;
802
803	#ifndef OPENSSL_NO_SCTP
804	/*
805	* Remember that a CCS has been received, so that an old key of
806	* SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
807	* SCTP is used
808	*/
809	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL((void*)0));
810	#endif
811	}
812
813	return MSG_PROCESS_CONTINUE_READING;
814	}
815
816	MSG_PROCESS_RETURN tls_process_finished(SSL s, PACKET pkt)
817	{
818	size_t md_len;
819
820
821	/* This is a real handshake so make sure we clean it up at the end */
822	if (s->server) {
823	/*
824	* To get this far we must have read encrypted data from the client. We
825	* no longer tolerate unencrypted alerts. This value is ignored if less
826	* than TLSv1.3
827	*/
828	s->statem.enc_read_state = ENC_READ_STATE_VALID;
829	if (s->post_handshake_auth != SSL_PHA_REQUESTED)
830	s->statem.cleanuphand = 1;
831	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) && !tls13_save_handshake_digest_for_pha(s)) {
832	/* SSLfatal() already called */
833	return MSG_PROCESS_ERROR;
834	}
835	}
836
837	/*
838	* In TLSv1.3 a Finished message signals a key change so the end of the
839	* message must be on a record boundary.
840	*/
841	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
842	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 842, __func__), ossl_statem_fatal)((s), (10), (182), ((void *)0));
843	return MSG_PROCESS_ERROR;
844	}
845
846	/* If this occurs, we have missed a message */
847	if (!SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) && !s->s3.change_cipher_spec) {
848	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 848, __func__), ossl_statem_fatal)((s), (10), (154), ((void *)0));
849	return MSG_PROCESS_ERROR;
850	}
851	s->s3.change_cipher_spec = 0;
852
853	md_len = s->s3.tmp.peer_finish_md_len;
854
855	if (md_len != PACKET_remaining(pkt)) {
856	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 856, __func__), ossl_statem_fatal)((s), (50), (111), ((void *)0));
857	return MSG_PROCESS_ERROR;
858	}
859
860	if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
861	md_len) != 0) {
862	SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 862, __func__), ossl_statem_fatal)((s), (51), (149), ((void *)0));
863	return MSG_PROCESS_ERROR;
864	}
865
866	/*
867	* Copy the finished so we can use it for renegotiation checks
868	*/
869	if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)((md_len <= 64) != 0)) {
870	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 870, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
871	return MSG_PROCESS_ERROR;
872	}
873	if (s->server) {
874	memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
875	md_len);
876	s->s3.previous_client_finished_len = md_len;
877	} else {
878	memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
879	md_len);
880	s->s3.previous_server_finished_len = md_len;
881	}
882
883	/*
884	* In TLS1.3 we also have to change cipher state and do any final processing
885	* of the initial server flight (if we are a client)
886	*/
887	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
888	if (s->server) {
889	if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
890	!s->method->ssl3_enc->change_cipher_state(s,
891	SSL3_CC_APPLICATION0x100 \| SSL3_CHANGE_CIPHER_SERVER_READ(0x020\|0x001))) {
892	/* SSLfatal() already called */
893	return MSG_PROCESS_ERROR;
894	}
895	} else {
896	/* TLS 1.3 gets the secret size from the handshake md */
897	size_t dummy;
898	if (!s->method->ssl3_enc->generate_master_secret(s,
899	s->master_secret, s->handshake_secret, 0,
900	&dummy)) {
901	/* SSLfatal() already called */
902	return MSG_PROCESS_ERROR;
903	}
904	if (!s->method->ssl3_enc->change_cipher_state(s,
905	SSL3_CC_APPLICATION0x100 \| SSL3_CHANGE_CIPHER_CLIENT_READ(0x010\|0x001))) {
906	/* SSLfatal() already called */
907	return MSG_PROCESS_ERROR;
908	}
909	if (!tls_process_initial_server_flight(s)) {
910	/* SSLfatal() already called */
911	return MSG_PROCESS_ERROR;
912	}
913	}
914	}
915
916	return MSG_PROCESS_FINISHED_READING;
917	}
918
919	int tls_construct_change_cipher_spec(SSL s, WPACKET pkt)
920	{
921	if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)WPACKET_put_bytes__((pkt), (1), 1)) {
922	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 922, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
923	return 0;
924	}
925
926	return 1;
927	}
928
929	/* Add a certificate to the WPACKET */
930	static int ssl_add_cert_to_wpacket(SSL s, WPACKET pkt, X509 *x, int chain)
931	{
932	int len;
933	unsigned char *outbytes;
934
935	len = i2d_X509(x, NULL((void*)0));
936	if (len < 0) {
937	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 937, __func__), ossl_statem_fatal)((s), (80), ((7 \| (0x2 << 18L))), ((void*)0));
938	return 0;
939	}
940	if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)WPACKET_sub_allocate_bytes__((pkt), (len), (&outbytes), 3 )
941	\|\| i2d_X509(x, &outbytes) != len) {
942	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 942, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
943	return 0;
944	}
945
946	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)
947	&& !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE0x1000, x,
948	chain)) {
949	/* SSLfatal() already called */
950	return 0;
951	}
952
953	return 1;
954	}
955
956	/* Add certificate chain to provided WPACKET */
957	static int ssl_add_cert_chain(SSL s, WPACKET pkt, CERT_PKEY *cpk)
958	{
959	int i, chain_count;
960	X509 *x;
961	STACK_OF(X509)struct stack_st_X509 *extra_certs;
962	STACK_OF(X509)struct stack_st_X509 chain = NULL((void)0);
963	X509_STORE *chain_store;
964
965	if (cpk == NULL((void)0) \|\| cpk->x509 == NULL((void)0))
966	return 1;
967
968	x = cpk->x509;
969
970	/*
971	* If we have a certificate specific chain use it, else use parent ctx.
972	*/
973	if (cpk->chain != NULL((void*)0))
974	extra_certs = cpk->chain;
975	else
976	extra_certs = s->ctx->extra_certs;
977
978	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN0x00000008U) \|\| extra_certs)
979	chain_store = NULL((void*)0);
980	else if (s->cert->chain_store)
981	chain_store = s->cert->chain_store;
982	else
983	chain_store = s->ctx->cert_store;
984
985	if (chain_store != NULL((void*)0)) {
986	X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
987	s->ctx->propq);
988
989	if (xs_ctx == NULL((void*)0)) {
990	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 990, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
991	return 0;
992	}
993	if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL((void*)0))) {
994	X509_STORE_CTX_free(xs_ctx);
995	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 995, __func__), ossl_statem_fatal)((s), (80), ((11 \| (0x2 << 18L))), ((void*)0));
996	return 0;
997	}
998	/*
999	* It is valid for the chain not to be complete (because normally we
1000	* don't include the root cert in the chain). Therefore we deliberately
1001	* ignore the error return from this call. We're not actually verifying
1002	* the cert - we're just building as much of the chain as we can
1003	*/
1004	(void)X509_verify_cert(xs_ctx);
1005	/* Don't leave errors in the queue */
1006	ERR_clear_error();
1007	chain = X509_STORE_CTX_get0_chain(xs_ctx);
1008	i = ssl_security_cert_chain(s, chain, NULL((void*)0), 0);
1009	if (i != 1) {
1010	#if 0
1011	/* Dummy error calls so mkerr generates them */
1012	ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" ,1012,__func__), ERR_set_error)((20),(399),((void*)0));
1013	ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" ,1013,__func__), ERR_set_error)((20),(397),((void*)0));
1014	ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" ,1014,__func__), ERR_set_error)((20),(398),((void*)0));
1015	#endif
1016	X509_STORE_CTX_free(xs_ctx);
1017	SSLfatal(s, SSL_AD_INTERNAL_ERROR, i)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1017, __func__), ossl_statem_fatal)((s), (80), (i), ((void* )0));
1018	return 0;
1019	}
1020	chain_count = sk_X509_num(chain)OPENSSL_sk_num(ossl_check_const_X509_sk_type(chain));
1021	for (i = 0; i < chain_count; i++) {
1022	x = sk_X509_value(chain, i)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(chain ), (i)));
1023
1024	if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
1025	/* SSLfatal() already called */
1026	X509_STORE_CTX_free(xs_ctx);
1027	return 0;
1028	}
1029	}
1030	X509_STORE_CTX_free(xs_ctx);
1031	} else {
1032	i = ssl_security_cert_chain(s, extra_certs, x, 0);
1033	if (i != 1) {
1034	SSLfatal(s, SSL_AD_INTERNAL_ERROR, i)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1034, __func__), ossl_statem_fatal)((s), (80), (i), ((void* )0));
1035	return 0;
1036	}
1037	if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1038	/* SSLfatal() already called */
1039	return 0;
1040	}
1041	for (i = 0; i < sk_X509_num(extra_certs)OPENSSL_sk_num(ossl_check_const_X509_sk_type(extra_certs)); i++) {
1042	x = sk_X509_value(extra_certs, i)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(extra_certs ), (i)));
1043	if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1044	/* SSLfatal() already called */
1045	return 0;
1046	}
1047	}
1048	}
1049	return 1;
1050	}
1051
1052	unsigned long ssl3_output_cert_chain(SSL s, WPACKET pkt, CERT_PKEY *cpk)
1053	{
1054	if (!WPACKET_start_sub_packet_u24(pkt)WPACKET_start_sub_packet_len__((pkt), 3)) {
1055	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1055, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1056	return 0;
1057	}
1058
1059	if (!ssl_add_cert_chain(s, pkt, cpk))
1060	return 0;
1061
1062	if (!WPACKET_close(pkt)) {
1063	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1063, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1064	return 0;
1065	}
1066
1067	return 1;
1068	}
1069
1070	/*
1071	* Tidy up after the end of a handshake. In the case of SCTP this may result
1072	* in NBIO events. If \|clearbufs\| is set then init_buf and the wbio buffer is
1073	* freed up as well.
1074	*/
1075	WORK_STATE tls_finish_handshake(SSL *s, ossl_unused__attribute__((unused)) WORK_STATE wst,
1076	int clearbufs, int stop)
1077	{
1078	void (cb) (const SSL ssl, int type, int val) = NULL((void*)0);
1079	int cleanuphand = s->statem.cleanuphand;
1080
1081	if (clearbufs) {
1082	if (!SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)
1083	#ifndef OPENSSL_NO_SCTP
1084	/*
1085	* RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1086	* messages that require it. Therefore, DTLS procedures for retransmissions
1087	* MUST NOT be used.
1088	* Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1089	*/
1090	\|\| BIO_dgram_is_sctp(SSL_get_wbio(s))
1091	#endif
1092	) {
1093	/*
1094	* We don't do this in DTLS over UDP because we may still need the init_buf
1095	* in case there are any unexpected retransmits
1096	*/
1097	BUF_MEM_free(s->init_buf);
1098	s->init_buf = NULL((void*)0);
1099	}
1100
1101	if (!ssl_free_wbio_buffer(s)) {
1102	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1102, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1103	return WORK_ERROR;
1104	}
1105	s->init_num = 0;
1106	}
1107
1108	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) && !s->server
1109	&& s->post_handshake_auth == SSL_PHA_REQUESTED)
1110	s->post_handshake_auth = SSL_PHA_EXT_SENT;
1111
1112	/*
1113	* Only set if there was a Finished message and this isn't after a TLSv1.3
1114	* post handshake exchange
1115	*/
1116	if (cleanuphand) {
1117	/* skipped if we just sent a HelloRequest */
1118	s->renegotiate = 0;
1119	s->new_session = 0;
1120	s->statem.cleanuphand = 0;
1121	s->ext.ticket_expected = 0;
1122
1123	ssl3_cleanup_key_block(s);
1124
1125	if (s->server) {
1126	/*
1127	* In TLSv1.3 we update the cache as part of constructing the
1128	* NewSessionTicket
1129	*/
1130	if (!SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000))
1131	ssl_update_cache(s, SSL_SESS_CACHE_SERVER0x0002);
1132
1133	/* N.B. s->ctx may not equal s->session_ctx */
1134	ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_good);
1135	s->handshake_func = ossl_statem_accept;
1136	} else {
1137	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
1138	/*
1139	* We encourage applications to only use TLSv1.3 tickets once,
1140	* so we remove this one from the cache.
1141	*/
1142	if ((s->session_ctx->session_cache_mode
1143	& SSL_SESS_CACHE_CLIENT0x0001) != 0)
1144	SSL_CTX_remove_session(s->session_ctx, s->session);
1145	} else {
1146	/*
1147	* In TLSv1.3 we update the cache as part of processing the
1148	* NewSessionTicket
1149	*/
1150	ssl_update_cache(s, SSL_SESS_CACHE_CLIENT0x0001);
1151	}
1152	if (s->hit)
1153	ssl_tsan_counter(s->session_ctx,
1154	&s->session_ctx->stats.sess_hit);
1155
1156	s->handshake_func = ossl_statem_connect;
1157	ssl_tsan_counter(s->session_ctx,
1158	&s->session_ctx->stats.sess_connect_good);
1159	}
1160
1161	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
1162	/* done with handshaking */
1163	s->d1->handshake_read_seq = 0;
1164	s->d1->handshake_write_seq = 0;
1165	s->d1->next_handshake_write_seq = 0;
1166	dtls1_clear_received_buffer(s);
1167	}
1168	}
1169
1170	if (s->info_callback != NULL((void*)0))
1171	cb = s->info_callback;
1172	else if (s->ctx->info_callback != NULL((void*)0))
1173	cb = s->ctx->info_callback;
1174
1175	/* The callback may expect us to not be in init at handshake done */
1176	ossl_statem_set_in_init(s, 0);
1177
1178	if (cb != NULL((void*)0)) {
1179	if (cleanuphand
1180	\|\| !SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)
1181	\|\| SSL_IS_FIRST_HANDSHAKE(s)((s)->s3.tmp.finish_md_len == 0 \|\| (s)->s3.tmp.peer_finish_md_len == 0))
1182	cb(s, SSL_CB_HANDSHAKE_DONE0x20, 1);
1183	}
1184
1185	if (!stop) {
1186	/* If we've got more work to do we go back into init */
1187	ossl_statem_set_in_init(s, 1);
1188	return WORK_FINISHED_CONTINUE;
1189	}
1190
1191	return WORK_FINISHED_STOP;
1192	}
1193
1194	int tls_get_message_header(SSL s, int mt)
1195	{
1196	/* s->init_num < SSL3_HM_HEADER_LENGTH */
1197	int skip_message, i, recvd_type;
1198	unsigned char *p;
1199	size_t l, readbytes;
1200
1201	p = (unsigned char *)s->init_buf->data;
1202
1203	do {
1204	while (s->init_num < SSL3_HM_HEADER_LENGTH4) {
1205	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE22, &recvd_type,
1206	&p[s->init_num],
1207	SSL3_HM_HEADER_LENGTH4 - s->init_num,
1208	0, &readbytes);
1209	if (i <= 0) {
1210	s->rwstate = SSL_READING3;
1211	return 0;
1212	}
1213	if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC20) {
1214	/*
1215	* A ChangeCipherSpec must be a single byte and may not occur
1216	* in the middle of a handshake message.
1217	*/
1218	if (s->init_num != 0 \|\| readbytes != 1 \|\| p[0] != SSL3_MT_CCS1) {
1219	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1220, __func__), ossl_statem_fatal)((s), (10), (103), ((void *)0))
1220	SSL_R_BAD_CHANGE_CIPHER_SPEC)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1220, __func__), ossl_statem_fatal)((s), (10), (103), ((void *)0));
1221	return 0;
1222	}
1223	if (s->statem.hand_state == TLS_ST_BEFORE
1224	&& (s->s3.flags & TLS1_FLAGS_STATELESS0x0800) != 0) {
1225	/*
1226	* We are stateless and we received a CCS. Probably this is
1227	* from a client between the first and second ClientHellos.
1228	* We should ignore this, but return an error because we do
1229	* not return success until we see the second ClientHello
1230	* with a valid cookie.
1231	*/
1232	return 0;
1233	}
1234	s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC0x0101;
1235	s->init_num = readbytes - 1;
1236	s->init_msg = s->init_buf->data;
1237	s->s3.tmp.message_size = readbytes;
1238	return 1;
1239	} else if (recvd_type != SSL3_RT_HANDSHAKE22) {
1240	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1241, __func__), ossl_statem_fatal)((s), (10), (133), ((void *)0))
1241	SSL_R_CCS_RECEIVED_EARLY)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1241, __func__), ossl_statem_fatal)((s), (10), (133), ((void *)0));
1242	return 0;
1243	}
1244	s->init_num += readbytes;
1245	}
1246
1247	skip_message = 0;
1248	if (!s->server)
1249	if (s->statem.hand_state != TLS_ST_OK
1250	&& p[0] == SSL3_MT_HELLO_REQUEST0)
1251	/*
1252	* The server may always send 'Hello Request' messages --
1253	* we are doing a handshake anyway now, so ignore them if
1254	* their format is correct. Does not count for 'Finished'
1255	* MAC.
1256	*/
1257	if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1258	s->init_num = 0;
1259	skip_message = 1;
1260
1261	if (s->msg_callback)
1262	s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE22,
1263	p, SSL3_HM_HEADER_LENGTH4, s,
1264	s->msg_callback_arg);
1265	}
1266	} while (skip_message);
1267	/* s->init_num == SSL3_HM_HEADER_LENGTH */
1268
1269	mt = p;
1270	s->s3.tmp.message_type = *(p++);
1271
1272	if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1273	/*
1274	* Only happens with SSLv3+ in an SSLv2 backward compatible
1275	* ClientHello
1276	*
1277	* Total message size is the remaining record bytes to read
1278	* plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1279	*/
1280	l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1281	+ SSL3_HM_HEADER_LENGTH4;
1282	s->s3.tmp.message_size = l;
1283
1284	s->init_msg = s->init_buf->data;
1285	s->init_num = SSL3_HM_HEADER_LENGTH4;
1286	} else {
1287	n2l3(p, l)((l =(((unsigned long)((p)[0]))<<16)\| (((unsigned long) ((p)[1]))<< 8)\| (((unsigned long)((p)[2])) )),(p)+=3);
1288	/* BUF_MEM_grow takes an 'int' parameter */
1289	if (l > (INT_MAX2147483647 - SSL3_HM_HEADER_LENGTH4)) {
1290	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1291, __func__), ossl_statem_fatal)((s), (47), (152), ((void *)0))
1291	SSL_R_EXCESSIVE_MESSAGE_SIZE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1291, __func__), ossl_statem_fatal)((s), (47), (152), ((void *)0));
1292	return 0;
1293	}
1294	s->s3.tmp.message_size = l;
1295
1296	s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH4;
1297	s->init_num = 0;
1298	}
1299
1300	return 1;
1301	}
1302
1303	int tls_get_message_body(SSL s, size_t len)
1304	{
1305	size_t n, readbytes;
1306	unsigned char *p;
1307	int i;
1308
1309	if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC0x0101) {
1310	/* We've already read everything in */
1311	*len = (unsigned long)s->init_num;
1312	return 1;
1313	}
1314
1315	p = s->init_msg;
1316	n = s->s3.tmp.message_size - s->init_num;
1317	while (n > 0) {
1318	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE22, NULL((void*)0),
1319	&p[s->init_num], n, 0, &readbytes);
1320	if (i <= 0) {
1321	s->rwstate = SSL_READING3;
1322	*len = 0;
1323	return 0;
1324	}
1325	s->init_num += readbytes;
1326	n -= readbytes;
1327	}
1328
1329	/*
1330	* If receiving Finished, record MAC of prior handshake messages for
1331	* Finished verification.
1332	*/
1333	if (*(s->init_buf->data) == SSL3_MT_FINISHED20 && !ssl3_take_mac(s)) {
1334	/* SSLfatal() already called */
1335	*len = 0;
1336	return 0;
1337	}
1338
1339	/* Feed this message into MAC computation. */
1340	if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1341	if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1342	s->init_num)) {
1343	/* SSLfatal() already called */
1344	*len = 0;
1345	return 0;
1346	}
1347	if (s->msg_callback)
1348	s->msg_callback(0, SSL2_VERSION0x0002, 0, s->init_buf->data,
1349	(size_t)s->init_num, s, s->msg_callback_arg);
1350	} else {
1351	/*
1352	* We defer feeding in the HRR until later. We'll do it as part of
1353	* processing the message
1354	* The TLsv1.3 handshake transcript stops at the ClientFinished
1355	* message.
1356	*/
1357	#define SERVER_HELLO_RANDOM_OFFSET(4 + 2) (SSL3_HM_HEADER_LENGTH4 + 2)
1358	/* KeyUpdate and NewSessionTicket do not need to be added */
1359	if (!SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) \|\| (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET4
1360	&& s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE24)) {
1361	if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO2
1362	\|\| s->init_num < SERVER_HELLO_RANDOM_OFFSET(4 + 2) + SSL3_RANDOM_SIZE32
1363	\|\| memcmp(hrrrandom,
1364	s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET(4 + 2),
1365	SSL3_RANDOM_SIZE32) != 0) {
1366	if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1367	s->init_num + SSL3_HM_HEADER_LENGTH4)) {
1368	/* SSLfatal() already called */
1369	*len = 0;
1370	return 0;
1371	}
1372	}
1373	}
1374	if (s->msg_callback)
1375	s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE22, s->init_buf->data,
1376	(size_t)s->init_num + SSL3_HM_HEADER_LENGTH4, s,
1377	s->msg_callback_arg);
1378	}
1379
1380	*len = s->init_num;
1381	return 1;
1382	}
1383
1384	static const X509ERR2ALERT x509table[] = {
1385	{X509_V_ERR_APPLICATION_VERIFICATION50, SSL_AD_HANDSHAKE_FAILURE40},
1386	{X509_V_ERR_CA_KEY_TOO_SMALL67, SSL_AD_BAD_CERTIFICATE42},
1387	{X509_V_ERR_EC_KEY_EXPLICIT_PARAMS94, SSL_AD_BAD_CERTIFICATE42},
1388	{X509_V_ERR_CA_MD_TOO_WEAK68, SSL_AD_BAD_CERTIFICATE42},
1389	{X509_V_ERR_CERT_CHAIN_TOO_LONG22, SSL_AD_UNKNOWN_CA48},
1390	{X509_V_ERR_CERT_HAS_EXPIRED10, SSL_AD_CERTIFICATE_EXPIRED45},
1391	{X509_V_ERR_CERT_NOT_YET_VALID9, SSL_AD_BAD_CERTIFICATE42},
1392	{X509_V_ERR_CERT_REJECTED28, SSL_AD_BAD_CERTIFICATE42},
1393	{X509_V_ERR_CERT_REVOKED23, SSL_AD_CERTIFICATE_REVOKED44},
1394	{X509_V_ERR_CERT_SIGNATURE_FAILURE7, SSL_AD_DECRYPT_ERROR51},
1395	{X509_V_ERR_CERT_UNTRUSTED27, SSL_AD_BAD_CERTIFICATE42},
1396	{X509_V_ERR_CRL_HAS_EXPIRED12, SSL_AD_CERTIFICATE_EXPIRED45},
1397	{X509_V_ERR_CRL_NOT_YET_VALID11, SSL_AD_BAD_CERTIFICATE42},
1398	{X509_V_ERR_CRL_SIGNATURE_FAILURE8, SSL_AD_DECRYPT_ERROR51},
1399	{X509_V_ERR_DANE_NO_MATCH65, SSL_AD_BAD_CERTIFICATE42},
1400	{X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT18, SSL_AD_UNKNOWN_CA48},
1401	{X509_V_ERR_EE_KEY_TOO_SMALL66, SSL_AD_BAD_CERTIFICATE42},
1402	{X509_V_ERR_EMAIL_MISMATCH63, SSL_AD_BAD_CERTIFICATE42},
1403	{X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD14, SSL_AD_BAD_CERTIFICATE42},
1404	{X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD13, SSL_AD_BAD_CERTIFICATE42},
1405	{X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD15, SSL_AD_BAD_CERTIFICATE42},
1406	{X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD16, SSL_AD_BAD_CERTIFICATE42},
1407	{X509_V_ERR_HOSTNAME_MISMATCH62, SSL_AD_BAD_CERTIFICATE42},
1408	{X509_V_ERR_INVALID_CA79, SSL_AD_UNKNOWN_CA48},
1409	{X509_V_ERR_INVALID_CALL69, SSL_AD_INTERNAL_ERROR80},
1410	{X509_V_ERR_INVALID_PURPOSE26, SSL_AD_UNSUPPORTED_CERTIFICATE43},
1411	{X509_V_ERR_IP_ADDRESS_MISMATCH64, SSL_AD_BAD_CERTIFICATE42},
1412	{X509_V_ERR_OUT_OF_MEM17, SSL_AD_INTERNAL_ERROR80},
1413	{X509_V_ERR_PATH_LENGTH_EXCEEDED25, SSL_AD_UNKNOWN_CA48},
1414	{X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN19, SSL_AD_UNKNOWN_CA48},
1415	{X509_V_ERR_STORE_LOOKUP70, SSL_AD_INTERNAL_ERROR80},
1416	{X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY6, SSL_AD_BAD_CERTIFICATE42},
1417	{X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE4, SSL_AD_BAD_CERTIFICATE42},
1418	{X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE5, SSL_AD_BAD_CERTIFICATE42},
1419	{X509_V_ERR_UNABLE_TO_GET_CRL3, SSL_AD_UNKNOWN_CA48},
1420	{X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER33, SSL_AD_UNKNOWN_CA48},
1421	{X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT2, SSL_AD_UNKNOWN_CA48},
1422	{X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY20, SSL_AD_UNKNOWN_CA48},
1423	{X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE21, SSL_AD_UNKNOWN_CA48},
1424	{X509_V_ERR_UNSPECIFIED1, SSL_AD_INTERNAL_ERROR80},
1425
1426	/* Last entry; return this if we don't find the value above. */
1427	{X509_V_OK0, SSL_AD_CERTIFICATE_UNKNOWN46}
1428	};
1429
1430	int ssl_x509err2alert(int x509err)
1431	{
1432	const X509ERR2ALERT *tp;
1433
1434	for (tp = x509table; tp->x509err != X509_V_OK0; ++tp)
1435	if (tp->x509err == x509err)
1436	break;
1437	return tp->alert;
1438	}
1439
1440	int ssl_allow_compression(SSL *s)
1441	{
1442	if (s->options & SSL_OP_NO_COMPRESSION((uint64_t)1 << (uint64_t)17))
1443	return 0;
1444	return ssl_security(s, SSL_SECOP_COMPRESSION(15 \| 0), 0, 0, NULL((void*)0));
1445	}
1446
1447	static int version_cmp(const SSL *s, int a, int b)
1448	{
1449	int dtls = SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8);
1450
1451	if (a == b)
1452	return 0;
1453	if (!dtls)
1454	return a < b ? -1 : 1;
1455	return DTLS_VERSION_LT(a, b)((((a) == 0x0100) ? 0xff00 : (a)) > (((b) == 0x0100) ? 0xff00 : (b))) ? -1 : 1;
1456	}
1457
1458	typedef struct {
1459	int version;
1460	const SSL_METHOD (cmeth) (void);
1461	const SSL_METHOD (smeth) (void);
1462	} version_info;
1463
1464	#if TLS_MAX_VERSION_INTERNAL0x0304 != TLS1_3_VERSION0x0304
1465	# error Code needs update for TLS_method() support beyond TLS1_3_VERSION0x0304.
1466	#endif
1467
1468	/* Must be in order high to low */
1469	static const version_info tls_version_table[] = {
1470	#ifndef OPENSSL_NO_TLS1_3
1471	{TLS1_3_VERSION0x0304, tlsv1_3_client_method, tlsv1_3_server_method},
1472	#else
1473	{TLS1_3_VERSION0x0304, NULL((void)0), NULL((void)0)},
1474	#endif
1475	#ifndef OPENSSL_NO_TLS1_2
1476	{TLS1_2_VERSION0x0303, tlsv1_2_client_method, tlsv1_2_server_method},
1477	#else
1478	{TLS1_2_VERSION0x0303, NULL((void)0), NULL((void)0)},
1479	#endif
1480	#ifndef OPENSSL_NO_TLS1_1
1481	{TLS1_1_VERSION0x0302, tlsv1_1_client_method, tlsv1_1_server_method},
1482	#else
1483	{TLS1_1_VERSION0x0302, NULL((void)0), NULL((void)0)},
1484	#endif
1485	#ifndef OPENSSL_NO_TLS1
1486	{TLS1_VERSION0x0301, tlsv1_client_method, tlsv1_server_method},
1487	#else
1488	{TLS1_VERSION0x0301, NULL((void)0), NULL((void)0)},
1489	#endif
1490	#ifndef OPENSSL_NO_SSL3
1491	{SSL3_VERSION0x0300, sslv3_client_method, sslv3_server_method},
1492	#else
1493	{SSL3_VERSION0x0300, NULL((void)0), NULL((void)0)},
1494	#endif
1495	{0, NULL((void)0), NULL((void)0)},
1496	};
1497
1498	#if DTLS_MAX_VERSION_INTERNAL0xFEFD != DTLS1_2_VERSION0xFEFD
1499	# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION0xFEFD.
1500	#endif
1501
1502	/* Must be in order high to low */
1503	static const version_info dtls_version_table[] = {
1504	#ifndef OPENSSL_NO_DTLS1_2
1505	{DTLS1_2_VERSION0xFEFD, dtlsv1_2_client_method, dtlsv1_2_server_method},
1506	#else
1507	{DTLS1_2_VERSION0xFEFD, NULL((void)0), NULL((void)0)},
1508	#endif
1509	#ifndef OPENSSL_NO_DTLS1
1510	{DTLS1_VERSION0xFEFF, dtlsv1_client_method, dtlsv1_server_method},
1511	{DTLS1_BAD_VER0x0100, dtls_bad_ver_client_method, NULL((void*)0)},
1512	#else
1513	{DTLS1_VERSION0xFEFF, NULL((void)0), NULL((void)0)},
1514	{DTLS1_BAD_VER0x0100, NULL((void)0), NULL((void)0)},
1515	#endif
1516	{0, NULL((void)0), NULL((void)0)},
1517	};
1518
1519	/*
1520	* ssl_method_error - Check whether an SSL_METHOD is enabled.
1521	*
1522	* @s: The SSL handle for the candidate method
1523	* @method: the intended method.
1524	*
1525	* Returns 0 on success, or an SSL error reason on failure.
1526	*/
1527	static int ssl_method_error(const SSL s, const SSL_METHOD method)
1528	{
1529	int version = method->version;
1530
1531	if ((s->min_proto_version != 0 &&
1532	version_cmp(s, version, s->min_proto_version) < 0) \|\|
1533	ssl_security(s, SSL_SECOP_VERSION(9 \| 0), 0, version, NULL((void*)0)) == 0)
1534	return SSL_R_VERSION_TOO_LOW396;
1535
1536	if (s->max_proto_version != 0 &&
1537	version_cmp(s, version, s->max_proto_version) > 0)
1538	return SSL_R_VERSION_TOO_HIGH166;
1539
1540	if ((s->options & method->mask) != 0)
1541	return SSL_R_UNSUPPORTED_PROTOCOL258;
1542	if ((method->flags & SSL_METHOD_NO_SUITEB(1U<<1)) != 0 && tls1_suiteb(s)(s->cert->cert_flags & 0x30000))
1543	return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE158;
1544
1545	return 0;
1546	}
1547
1548	/*
1549	* Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1550	* certificate type, or has PSK or a certificate callback configured, or has
1551	* a servername callback configure. Otherwise returns 0.
1552	*/
1553	static int is_tls13_capable(const SSL *s)
1554	{
1555	int i;
1556	int curve;
1557
1558	if (!ossl_assert(s->ctx != NULL)((s->ctx != ((void)0)) != 0) \|\| !ossl_assert(s->session_ctx != NULL)((s->session_ctx != ((void)0)) != 0))
1559	return 0;
1560
1561	/*
1562	* A servername callback can change the available certs, so if a servername
1563	* cb is set then we just assume TLSv1.3 will be ok
1564	*/
1565	if (s->ctx->ext.servername_cb != NULL((void*)0)
1566	\|\| s->session_ctx->ext.servername_cb != NULL((void*)0))
1567	return 1;
1568
1569	#ifndef OPENSSL_NO_PSK
1570	if (s->psk_server_callback != NULL((void*)0))
1571	return 1;
1572	#endif
1573
1574	if (s->psk_find_session_cb != NULL((void)0) \|\| s->cert->cert_cb != NULL((void)0))
1575	return 1;
1576
1577	for (i = 0; i < SSL_PKEY_NUM9; i++) {
1578	/* Skip over certs disallowed for TLSv1.3 */
1579	switch (i) {
1580	case SSL_PKEY_DSA_SIGN2:
1581	case SSL_PKEY_GOST014:
1582	case SSL_PKEY_GOST12_2565:
1583	case SSL_PKEY_GOST12_5126:
1584	continue;
1585	default:
1586	break;
1587	}
1588	if (!ssl_has_cert(s, i))
1589	continue;
1590	if (i != SSL_PKEY_ECC3)
1591	return 1;
1592	/*
1593	* Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1594	* more restrictive so check that our sig algs are consistent with this
1595	* EC cert. See section 4.2.3 of RFC8446.
1596	*/
1597	curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC3].privatekey);
1598	if (tls_check_sigalg_curve(s, curve))
1599	return 1;
1600	}
1601
1602	return 0;
1603	}
1604
1605	/*
1606	* ssl_version_supported - Check that the specified `version` is supported by
1607	* `SSL *` instance
1608	*
1609	* @s: The SSL handle for the candidate method
1610	* @version: Protocol version to test against
1611	*
1612	* Returns 1 when supported, otherwise 0
1613	*/
1614	int ssl_version_supported(const SSL s, int version, const SSL_METHOD *meth)
1615	{
1616	const version_info *vent;
1617	const version_info *table;
1618
1619	switch (s->method->version) {
1620	default:
1621	/* Version should match method version for non-ANY method */
1622	return version_cmp(s, version, s->version) == 0;
1623	case TLS_ANY_VERSION0x10000:
1624	table = tls_version_table;
1625	break;
1626	case DTLS_ANY_VERSION0x1FFFF:
1627	table = dtls_version_table;
1628	break;
1629	}
1630
1631	for (vent = table;
1632	vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1633	++vent) {
1634	if (vent->cmeth != NULL((void*)0)
1635	&& version_cmp(s, version, vent->version) == 0
1636	&& ssl_method_error(s, vent->cmeth()) == 0
1637	&& (!s->server
1638	\|\| version != TLS1_3_VERSION0x0304
1639	\|\| is_tls13_capable(s))) {
1640	if (meth != NULL((void*)0))
1641	*meth = vent->cmeth();
1642	return 1;
1643	}
1644	}
1645	return 0;
1646	}
1647
1648	/*
1649	* ssl_check_version_downgrade - In response to RFC7507 SCSV version
1650	* fallback indication from a client check whether we're using the highest
1651	* supported protocol version.
1652	*
1653	* @s server SSL handle.
1654	*
1655	* Returns 1 when using the highest enabled version, 0 otherwise.
1656	*/
1657	int ssl_check_version_downgrade(SSL *s)
1658	{
1659	const version_info *vent;
1660	const version_info *table;
1661
1662	/*
1663	* Check that the current protocol is the highest enabled version
1664	* (according to s->ctx->method, as version negotiation may have changed
1665	* s->method).
1666	*/
1667	if (s->version == s->ctx->method->version)
1668	return 1;
1669
1670	/*
1671	* Apparently we're using a version-flexible SSL_METHOD (not at its
1672	* highest protocol version).
1673	*/
1674	if (s->ctx->method->version == TLS_method()->version)
1675	table = tls_version_table;
1676	else if (s->ctx->method->version == DTLS_method()->version)
1677	table = dtls_version_table;
1678	else {
1679	/* Unexpected state; fail closed. */
1680	return 0;
1681	}
1682
1683	for (vent = table; vent->version != 0; ++vent) {
1684	if (vent->smeth != NULL((void*)0) && ssl_method_error(s, vent->smeth()) == 0)
1685	return s->version == vent->version;
1686	}
1687	return 0;
1688	}
1689
1690	/*
1691	* ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1692	* protocols, provided the initial (D)TLS method is version-flexible. This
1693	* function sanity-checks the proposed value and makes sure the method is
1694	* version-flexible, then sets the limit if all is well.
1695	*
1696	* @method_version: The version of the current SSL_METHOD.
1697	* @version: the intended limit.
1698	* @bound: pointer to limit to be updated.
1699	*
1700	* Returns 1 on success, 0 on failure.
1701	*/
1702	int ssl_set_version_bound(int method_version, int version, int *bound)
1703	{
1704	int valid_tls;
1705	int valid_dtls;
1706
1707	if (version == 0) {
1708	*bound = version;
1709	return 1;
1710	}
1711
1712	valid_tls = version >= SSL3_VERSION0x0300 && version <= TLS_MAX_VERSION_INTERNAL0x0304;
1713	valid_dtls =
1714	DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL)((((version) == 0x0100) ? 0xff00 : (version)) >= (((0xFEFD ) == 0x0100) ? 0xff00 : (0xFEFD))) &&
1715	DTLS_VERSION_GE(version, DTLS1_BAD_VER)((((version) == 0x0100) ? 0xff00 : (version)) <= (((0x0100 ) == 0x0100) ? 0xff00 : (0x0100)));
1716
1717	if (!valid_tls && !valid_dtls)
1718	return 0;
1719
1720	/*-
1721	* Restrict TLS methods to TLS protocol versions.
1722	* Restrict DTLS methods to DTLS protocol versions.
1723	* Note, DTLS version numbers are decreasing, use comparison macros.
1724	*
1725	* Note that for both lower-bounds we use explicit versions, not
1726	* (D)TLS_MIN_VERSION. This is because we don't want to break user
1727	* configurations. If the MIN (supported) version ever rises, the user's
1728	* "floor" remains valid even if no longer available. We don't expect the
1729	* MAX ceiling to ever get lower, so making that variable makes sense.
1730	*
1731	* We ignore attempts to set bounds on version-inflexible methods,
1732	* returning success.
1733	*/
1734	switch (method_version) {
1735	default:
1736	break;
1737
1738	case TLS_ANY_VERSION0x10000:
1739	if (valid_tls)
1740	*bound = version;
1741	break;
1742
1743	case DTLS_ANY_VERSION0x1FFFF:
1744	if (valid_dtls)
1745	*bound = version;
1746	break;
1747	}
1748	return 1;
1749	}
1750
1751	static void check_for_downgrade(SSL s, int vers, DOWNGRADE dgrd)
1752	{
1753	if (vers == TLS1_2_VERSION0x0303
1754	&& ssl_version_supported(s, TLS1_3_VERSION0x0304, NULL((void*)0))) {
1755	*dgrd = DOWNGRADE_TO_1_2;
1756	} else if (!SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)
1757	&& vers < TLS1_2_VERSION0x0303
1758	/*
1759	* We need to ensure that a server that disables TLSv1.2
1760	* (creating a hole between TLSv1.3 and TLSv1.1) can still
1761	* complete handshakes with clients that support TLSv1.2 and
1762	* below. Therefore we do not enable the sentinel if TLSv1.3 is
1763	* enabled and TLSv1.2 is not.
1764	*/
1765	&& ssl_version_supported(s, TLS1_2_VERSION0x0303, NULL((void*)0))) {
1766	*dgrd = DOWNGRADE_TO_1_1;
1767	} else {
1768	*dgrd = DOWNGRADE_NONE;
1769	}
1770	}
1771
1772	/*
1773	* ssl_choose_server_version - Choose server (D)TLS version. Called when the
1774	* client HELLO is received to select the final server protocol version and
1775	* the version specific method.
1776	*
1777	* @s: server SSL handle.
1778	*
1779	* Returns 0 on success or an SSL error reason number on failure.
1780	*/
1781	int ssl_choose_server_version(SSL s, CLIENTHELLO_MSG hello, DOWNGRADE *dgrd)
1782	{
1783	/*-
1784	* With version-flexible methods we have an initial state with:
1785	*
1786	* s->method->version == (D)TLS_ANY_VERSION,
1787	* s->version == (D)TLS_MAX_VERSION_INTERNAL.
1788	*
1789	* So we detect version-flexible methods via the method version, not the
1790	* handle version.
1791	*/
1792	int server_version = s->method->version;
1793	int client_version = hello->legacy_version;
1794	const version_info *vent;
1795	const version_info *table;
1796	int disabled = 0;
1797	RAW_EXTENSION *suppversions;
1798
1799	s->client_version = client_version;
1800
1801	switch (server_version) {
1802	default:
1803	if (!SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
1804	if (version_cmp(s, client_version, s->version) < 0)
1805	return SSL_R_WRONG_SSL_VERSION266;
1806	*dgrd = DOWNGRADE_NONE;
1807	/*
1808	* If this SSL handle is not from a version flexible method we don't
1809	* (and never did) check min/max FIPS or Suite B constraints. Hope
1810	* that's OK. It is up to the caller to not choose fixed protocol
1811	* versions they don't want. If not, then easy to fix, just return
1812	* ssl_method_error(s, s->method)
1813	*/
1814	return 0;
1815	}
1816	/*
1817	* Fall through if we are TLSv1.3 already (this means we must be after
1818	* a HelloRetryRequest
1819	*/
1820	/* fall thru */
1821	case TLS_ANY_VERSION0x10000:
1822	table = tls_version_table;
1823	break;
1824	case DTLS_ANY_VERSION0x1FFFF:
1825	table = dtls_version_table;
1826	break;
1827	}
1828
1829	suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1830
1831	/* If we did an HRR then supported versions is mandatory */
1832	if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1833	return SSL_R_UNSUPPORTED_PROTOCOL258;
1834
1835	if (suppversions->present && !SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
1836	unsigned int candidate_vers = 0;
1837	unsigned int best_vers = 0;
1838	const SSL_METHOD best_method = NULL((void)0);
1839	PACKET versionslist;
1840
1841	suppversions->parsed = 1;
1842
1843	if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1844	/* Trailing or invalid data? */
1845	return SSL_R_LENGTH_MISMATCH159;
1846	}
1847
1848	/*
1849	* The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1850	* The spec only requires servers to check that it isn't SSLv3:
1851	* "Any endpoint receiving a Hello message with
1852	* ClientHello.legacy_version or ServerHello.legacy_version set to
1853	* 0x0300 MUST abort the handshake with a "protocol_version" alert."
1854	* We are slightly stricter and require that it isn't SSLv3 or lower.
1855	* We tolerate TLSv1 and TLSv1.1.
1856	*/
1857	if (client_version <= SSL3_VERSION0x0300)
1858	return SSL_R_BAD_LEGACY_VERSION292;
1859
1860	while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1861	if (version_cmp(s, candidate_vers, best_vers) <= 0)
1862	continue;
1863	if (ssl_version_supported(s, candidate_vers, &best_method))
1864	best_vers = candidate_vers;
1865	}
1866	if (PACKET_remaining(&versionslist) != 0) {
1867	/* Trailing data? */
1868	return SSL_R_LENGTH_MISMATCH159;
1869	}
1870
1871	if (best_vers > 0) {
1872	if (s->hello_retry_request != SSL_HRR_NONE) {
1873	/*
1874	* This is after a HelloRetryRequest so we better check that we
1875	* negotiated TLSv1.3
1876	*/
1877	if (best_vers != TLS1_3_VERSION0x0304)
1878	return SSL_R_UNSUPPORTED_PROTOCOL258;
1879	return 0;
1880	}
1881	check_for_downgrade(s, best_vers, dgrd);
1882	s->version = best_vers;
1883	s->method = best_method;
1884	return 0;
1885	}
1886	return SSL_R_UNSUPPORTED_PROTOCOL258;
1887	}
1888
1889	/*
1890	* If the supported versions extension isn't present, then the highest
1891	* version we can negotiate is TLSv1.2
1892	*/
1893	if (version_cmp(s, client_version, TLS1_3_VERSION0x0304) >= 0)
1894	client_version = TLS1_2_VERSION0x0303;
1895
1896	/*
1897	* No supported versions extension, so we just use the version supplied in
1898	* the ClientHello.
1899	*/
1900	for (vent = table; vent->version != 0; ++vent) {
1901	const SSL_METHOD *method;
1902
1903	if (vent->smeth == NULL((void*)0) \|\|
1904	version_cmp(s, client_version, vent->version) < 0)
1905	continue;
1906	method = vent->smeth();
1907	if (ssl_method_error(s, method) == 0) {
1908	check_for_downgrade(s, vent->version, dgrd);
1909	s->version = vent->version;
1910	s->method = method;
1911	return 0;
1912	}
1913	disabled = 1;
1914	}
1915	return disabled ? SSL_R_UNSUPPORTED_PROTOCOL258 : SSL_R_VERSION_TOO_LOW396;
1916	}
1917
1918	/*
1919	* ssl_choose_client_version - Choose client (D)TLS version. Called when the
1920	* server HELLO is received to select the final client protocol version and
1921	* the version specific method.
1922	*
1923	* @s: client SSL handle.
1924	* @version: The proposed version from the server's HELLO.
1925	* @extensions: The extensions received
1926	*
1927	* Returns 1 on success or 0 on error.
1928	*/
1929	int ssl_choose_client_version(SSL s, int version, RAW_EXTENSION extensions)
1930	{
1931	const version_info *vent;
1932	const version_info *table;
1933	int ret, ver_min, ver_max, real_max, origv;
1934
1935	origv = s->version;
1936	s->version = version;
1937
1938	/* This will overwrite s->version if the extension is present */
1939	if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1940	SSL_EXT_TLS1_2_SERVER_HELLO0x0100
1941	\| SSL_EXT_TLS1_3_SERVER_HELLO0x0200, extensions,
1942	NULL((void*)0), 0)) {
1943	s->version = origv;
1944	return 0;
1945	}
1946
1947	if (s->hello_retry_request != SSL_HRR_NONE
1948	&& s->version != TLS1_3_VERSION0x0304) {
1949	s->version = origv;
1950	SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1950, __func__), ossl_statem_fatal)((s), (70), (266), ((void *)0));
1951	return 0;
1952	}
1953
1954	switch (s->method->version) {
1955	default:
1956	if (s->version != s->method->version) {
1957	s->version = origv;
1958	SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1958, __func__), ossl_statem_fatal)((s), (70), (266), ((void *)0));
1959	return 0;
1960	}
1961	/*
1962	* If this SSL handle is not from a version flexible method we don't
1963	* (and never did) check min/max, FIPS or Suite B constraints. Hope
1964	* that's OK. It is up to the caller to not choose fixed protocol
1965	* versions they don't want. If not, then easy to fix, just return
1966	* ssl_method_error(s, s->method)
1967	*/
1968	return 1;
1969	case TLS_ANY_VERSION0x10000:
1970	table = tls_version_table;
1971	break;
1972	case DTLS_ANY_VERSION0x1FFFF:
1973	table = dtls_version_table;
1974	break;
1975	}
1976
1977	ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1978	if (ret != 0) {
1979	s->version = origv;
1980	SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1980, __func__), ossl_statem_fatal)((s), (70), (ret), ((void *)0));
1981	return 0;
1982	}
1983	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) ? DTLS_VERSION_LT(s->version, ver_min)((((s->version) == 0x0100) ? 0xff00 : (s->version)) > (((ver_min) == 0x0100) ? 0xff00 : (ver_min)))
1984	: s->version < ver_min) {
1985	s->version = origv;
1986	SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1986, __func__), ossl_statem_fatal)((s), (70), (258), ((void *)0));
1987	return 0;
1988	} else if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) ? DTLS_VERSION_GT(s->version, ver_max)((((s->version) == 0x0100) ? 0xff00 : (s->version)) < (((ver_max) == 0x0100) ? 0xff00 : (ver_max)))
1989	: s->version > ver_max) {
1990	s->version = origv;
1991	SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 1991, __func__), ossl_statem_fatal)((s), (70), (258), ((void *)0));
1992	return 0;
1993	}
1994
1995	if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV0x00000080U) == 0)
1996	real_max = ver_max;
1997
1998	/* Check for downgrades */
1999	if (s->version == TLS1_2_VERSION0x0303 && real_max > s->version) {
2000	if (memcmp(tls12downgrade,
2001	s->s3.server_random + SSL3_RANDOM_SIZE32
2002	- sizeof(tls12downgrade),
2003	sizeof(tls12downgrade)) == 0) {
2004	s->version = origv;
2005	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2006, __func__), ossl_statem_fatal)((s), (47), (373), ((void *)0))
2006	SSL_R_INAPPROPRIATE_FALLBACK)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2006, __func__), ossl_statem_fatal)((s), (47), (373), ((void *)0));
2007	return 0;
2008	}
2009	} else if (!SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)
2010	&& s->version < TLS1_2_VERSION0x0303
2011	&& real_max > s->version) {
2012	if (memcmp(tls11downgrade,
2013	s->s3.server_random + SSL3_RANDOM_SIZE32
2014	- sizeof(tls11downgrade),
2015	sizeof(tls11downgrade)) == 0) {
2016	s->version = origv;
2017	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2018, __func__), ossl_statem_fatal)((s), (47), (373), ((void *)0))
2018	SSL_R_INAPPROPRIATE_FALLBACK)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2018, __func__), ossl_statem_fatal)((s), (47), (373), ((void *)0));
2019	return 0;
2020	}
2021	}
2022
2023	for (vent = table; vent->version != 0; ++vent) {
2024	if (vent->cmeth == NULL((void*)0) \|\| s->version != vent->version)
2025	continue;
2026
2027	s->method = vent->cmeth();
2028	return 1;
2029	}
2030
2031	s->version = origv;
2032	SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2032, __func__), ossl_statem_fatal)((s), (70), (258), ((void *)0));
2033	return 0;
2034	}
2035
2036	/*
2037	* ssl_get_min_max_version - get minimum and maximum protocol version
2038	* @s: The SSL connection
2039	* @min_version: The minimum supported version
2040	* @max_version: The maximum supported version
2041	* @real_max: The highest version below the lowest compile time version hole
2042	* where that hole lies above at least one run-time enabled
2043	* protocol.
2044	*
2045	* Work out what version we should be using for the initial ClientHello if the
2046	* version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2047	* options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2048	* constraints and any floor imposed by the security level here,
2049	* so we don't advertise the wrong protocol version to only reject the outcome later.
2050	*
2051	* Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2052	* TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2053	* only allow TLS 1.2, we want to advertise TLS1.2, not TLS1.
2054	*
2055	* Returns 0 on success or an SSL error reason number on failure. On failure
2056	* min_version and max_version will also be set to 0.
2057	*/
2058	int ssl_get_min_max_version(const SSL s, int min_version, int *max_version,
2059	int *real_max)
2060	{
2061	int version, tmp_real_max;
2062	int hole;
2063	const SSL_METHOD single = NULL((void)0);
2064	const SSL_METHOD *method;
2065	const version_info *table;
2066	const version_info *vent;
2067
2068	switch (s->method->version) {
2069	default:
2070	/*
2071	* If this SSL handle is not from a version flexible method we don't
2072	* (and never did) check min/max FIPS or Suite B constraints. Hope
2073	* that's OK. It is up to the caller to not choose fixed protocol
2074	* versions they don't want. If not, then easy to fix, just return
2075	* ssl_method_error(s, s->method)
2076	*/
2077	min_version = max_version = s->version;
2078	/*
2079	* Providing a real_max only makes sense where we're using a version
2080	* flexible method.
2081	*/
2082	if (!ossl_assert(real_max == NULL)((real_max == ((void*)0)) != 0))
2083	return ERR_R_INTERNAL_ERROR(259\|((0x1 << 18L)\|(0x2 << 18L)));
2084	return 0;
2085	case TLS_ANY_VERSION0x10000:
2086	table = tls_version_table;
2087	break;
2088	case DTLS_ANY_VERSION0x1FFFF:
2089	table = dtls_version_table;
2090	break;
2091	}
2092
2093	/*
2094	* SSL_OP_NO_X disables all protocols above X if there are some protocols
2095	* below X enabled. This is required in order to maintain the "version
2096	* capability" vector contiguous. Any versions with a NULL client method
2097	* (protocol version client is disabled at compile-time) is also a "hole".
2098	*
2099	* Our initial state is hole == 1, version == 0. That is, versions above
2100	* the first version in the method table are disabled (a "hole" above
2101	* the valid protocol entries) and we don't have a selected version yet.
2102	*
2103	* Whenever "hole == 1", and we hit an enabled method, its version becomes
2104	* the selected version, and the method becomes a candidate "single"
2105	* method. We're no longer in a hole, so "hole" becomes 0.
2106	*
2107	* If "hole == 0" and we hit an enabled method, then "single" is cleared,
2108	* as we support a contiguous range of at least two methods. If we hit
2109	* a disabled method, then hole becomes true again, but nothing else
2110	* changes yet, because all the remaining methods may be disabled too.
2111	* If we again hit an enabled method after the new hole, it becomes
2112	* selected, as we start from scratch.
2113	*/
2114	*min_version = version = 0;
2115	hole = 1;
2116	if (real_max != NULL((void*)0))
2117	*real_max = 0;
2118	tmp_real_max = 0;
2119	for (vent = table; vent->version != 0; ++vent) {
2120	/*
2121	* A table entry with a NULL client method is still a hole in the
2122	* "version capability" vector.
2123	*/
2124	if (vent->cmeth == NULL((void*)0)) {
2125	hole = 1;
2126	tmp_real_max = 0;
2127	continue;
2128	}
2129	method = vent->cmeth();
2130
2131	if (hole == 1 && tmp_real_max == 0)
2132	tmp_real_max = vent->version;
2133
2134	if (ssl_method_error(s, method) != 0) {
2135	hole = 1;
2136	} else if (!hole) {
2137	single = NULL((void*)0);
2138	*min_version = method->version;
2139	} else {
2140	if (real_max != NULL((void*)0) && tmp_real_max != 0)
2141	*real_max = tmp_real_max;
2142	version = (single = method)->version;
	Although the value stored to 'single' is used in the enclosing expression, the value is never actually read from 'single'
2143	*min_version = version;
2144	hole = 0;
2145	}
2146	}
2147
2148	*max_version = version;
2149
2150	/* Fail if everything is disabled */
2151	if (version == 0)
2152	return SSL_R_NO_PROTOCOLS_AVAILABLE191;
2153
2154	return 0;
2155	}
2156
2157	/*
2158	* ssl_set_client_hello_version - Work out what version we should be using for
2159	* the initial ClientHello.legacy_version field.
2160	*
2161	* @s: client SSL handle.
2162	*
2163	* Returns 0 on success or an SSL error reason number on failure.
2164	*/
2165	int ssl_set_client_hello_version(SSL *s)
2166	{
2167	int ver_min, ver_max, ret;
2168
2169	/*
2170	* In a renegotiation we always send the same client_version that we sent
2171	* last time, regardless of which version we eventually negotiated.
2172	*/
2173	if (!SSL_IS_FIRST_HANDSHAKE(s)((s)->s3.tmp.finish_md_len == 0 \|\| (s)->s3.tmp.peer_finish_md_len == 0))
2174	return 0;
2175
2176	ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL((void*)0));
2177
2178	if (ret != 0)
2179	return ret;
2180
2181	s->version = ver_max;
2182
2183	/* TLS1.3 always uses TLS1.2 in the legacy_version field */
2184	if (!SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && ver_max > TLS1_2_VERSION0x0303)
2185	ver_max = TLS1_2_VERSION0x0303;
2186
2187	s->client_version = ver_max;
2188	return 0;
2189	}
2190
2191	/*
2192	* Checks a list of \|groups\| to determine if the \|group_id\| is in it. If it is
2193	* and \|checkallow\| is 1 then additionally check if the group is allowed to be
2194	* used. Returns 1 if the group is in the list (and allowed if \|checkallow\| is
2195	* 1) or 0 otherwise.
2196	*/
2197	int check_in_list(SSL s, uint16_t group_id, const uint16_t groups,
2198	size_t num_groups, int checkallow)
2199	{
2200	size_t i;
2201
2202	if (groups == NULL((void*)0) \|\| num_groups == 0)
2203	return 0;
2204
2205	for (i = 0; i < num_groups; i++) {
2206	uint16_t group = groups[i];
2207
2208	if (group_id == group
2209	&& (!checkallow
2210	\|\| tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK(6 \| (2 << 16))))) {
2211	return 1;
2212	}
2213	}
2214
2215	return 0;
2216	}
2217
2218	/* Replace ClientHello1 in the transcript hash with a synthetic message */
2219	int create_synthetic_message_hash(SSL s, const unsigned char hashval,
2220	size_t hashlen, const unsigned char *hrr,
2221	size_t hrrlen)
2222	{
2223	unsigned char hashvaltmp[EVP_MAX_MD_SIZE64];
2224	unsigned char msghdr[SSL3_HM_HEADER_LENGTH4];
2225
2226	memset(msghdr, 0, sizeof(msghdr));
2227
2228	if (hashval == NULL((void*)0)) {
2229	hashval = hashvaltmp;
2230	hashlen = 0;
2231	/* Get the hash of the initial ClientHello */
2232	if (!ssl3_digest_cached_records(s, 0)
2233	\|\| !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2234	&hashlen)) {
2235	/* SSLfatal() already called */
2236	return 0;
2237	}
2238	}
2239
2240	/* Reinitialise the transcript hash */
2241	if (!ssl3_init_finished_mac(s)) {
2242	/* SSLfatal() already called */
2243	return 0;
2244	}
2245
2246	/* Inject the synthetic message_hash message */
2247	msghdr[0] = SSL3_MT_MESSAGE_HASH254;
2248	msghdr[SSL3_HM_HEADER_LENGTH4 - 1] = (unsigned char)hashlen;
2249	if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH4)
2250	\|\| !ssl3_finish_mac(s, hashval, hashlen)) {
2251	/* SSLfatal() already called */
2252	return 0;
2253	}
2254
2255	/*
2256	* Now re-inject the HRR and current message if appropriate (we just deleted
2257	* it when we reinitialised the transcript hash above). Only necessary after
2258	* receiving a ClientHello2 with a cookie.
2259	*/
2260	if (hrr != NULL((void*)0)
2261	&& (!ssl3_finish_mac(s, hrr, hrrlen)
2262	\|\| !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2263	s->s3.tmp.message_size
2264	+ SSL3_HM_HEADER_LENGTH4))) {
2265	/* SSLfatal() already called */
2266	return 0;
2267	}
2268
2269	return 1;
2270	}
2271
2272	static int ca_dn_cmp(const X509_NAME const a, const X509_NAME const b)
2273	{
2274	return X509_NAME_cmp(a, b);
2275	}
2276
2277	int parse_ca_names(SSL s, PACKET pkt)
2278	{
2279	STACK_OF(X509_NAME)struct stack_st_X509_NAME ca_sk = sk_X509_NAME_new(ca_dn_cmp)((struct stack_st_X509_NAME )OPENSSL_sk_new(ossl_check_X509_NAME_compfunc_type (ca_dn_cmp)));
2280	X509_NAME xn = NULL((void)0);
2281	PACKET cadns;
2282
2283	if (ca_sk == NULL((void*)0)) {
2284	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2284, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2285	goto err;
2286	}
2287	/* get the CA RDNs */
2288	if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2289	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2289, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2290	goto err;
2291	}
2292
2293	while (PACKET_remaining(&cadns)) {
2294	const unsigned char namestart, namebytes;
2295	unsigned int name_len;
2296
2297	if (!PACKET_get_net_2(&cadns, &name_len)
2298	\|\| !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2299	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2299, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2300	goto err;
2301	}
2302
2303	namestart = namebytes;
2304	if ((xn = d2i_X509_NAME(NULL((void)0), &namebytes, name_len)) == NULL((void)0)) {
2305	SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2305, __func__), ossl_statem_fatal)((s), (50), ((13 \| (0x2 << 18L))), ((void*)0));
2306	goto err;
2307	}
2308	if (namebytes != (namestart + name_len)) {
2309	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2309, __func__), ossl_statem_fatal)((s), (50), (131), ((void *)0));
2310	goto err;
2311	}
2312
2313	if (!sk_X509_NAME_push(ca_sk, xn)OPENSSL_sk_push(ossl_check_X509_NAME_sk_type(ca_sk), ossl_check_X509_NAME_type (xn))) {
2314	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2314, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2315	goto err;
2316	}
2317	xn = NULL((void*)0);
2318	}
2319
2320	sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free)OPENSSL_sk_pop_free(ossl_check_X509_NAME_sk_type(s->s3.tmp .peer_ca_names),ossl_check_X509_NAME_freefunc_type(X509_NAME_free ));
2321	s->s3.tmp.peer_ca_names = ca_sk;
2322
2323	return 1;
2324
2325	err:
2326	sk_X509_NAME_pop_free(ca_sk, X509_NAME_free)OPENSSL_sk_pop_free(ossl_check_X509_NAME_sk_type(ca_sk),ossl_check_X509_NAME_freefunc_type (X509_NAME_free));
2327	X509_NAME_free(xn);
2328	return 0;
2329	}
2330
2331	const STACK_OF(X509_NAME)struct stack_st_X509_NAME get_ca_names(SSL s)
2332	{
2333	const STACK_OF(X509_NAME)struct stack_st_X509_NAME ca_sk = NULL((void)0);;
2334
2335	if (s->server) {
2336	ca_sk = SSL_get_client_CA_list(s);
2337	if (ca_sk != NULL((void*)0) && sk_X509_NAME_num(ca_sk)OPENSSL_sk_num(ossl_check_const_X509_NAME_sk_type(ca_sk)) == 0)
2338	ca_sk = NULL((void*)0);
2339	}
2340
2341	if (ca_sk == NULL((void*)0))
2342	ca_sk = SSL_get0_CA_list(s);
2343
2344	return ca_sk;
2345	}
2346
2347	int construct_ca_names(SSL s, const STACK_OF(X509_NAME)struct stack_st_X509_NAME ca_sk, WPACKET *pkt)
2348	{
2349	/* Start sub-packet for client CA list */
2350	if (!WPACKET_start_sub_packet_u16(pkt)WPACKET_start_sub_packet_len__((pkt), 2)) {
2351	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2351, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2352	return 0;
2353	}
2354
2355	if ((ca_sk != NULL((void*)0)) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES((uint64_t)1 << (uint64_t)9))) {
2356	int i;
2357
2358	for (i = 0; i < sk_X509_NAME_num(ca_sk)OPENSSL_sk_num(ossl_check_const_X509_NAME_sk_type(ca_sk)); i++) {
2359	unsigned char *namebytes;
2360	X509_NAME name = sk_X509_NAME_value(ca_sk, i)((X509_NAME )OPENSSL_sk_value(ossl_check_const_X509_NAME_sk_type (ca_sk), (i)));
2361	int namelen;
2362
2363	if (name == NULL((void*)0)
2364	\|\| (namelen = i2d_X509_NAME(name, NULL((void*)0))) < 0
2365	\|\| !WPACKET_sub_allocate_bytes_u16(pkt, namelen,WPACKET_sub_allocate_bytes__((pkt), (namelen), (&namebytes ), 2)
2366	&namebytes)WPACKET_sub_allocate_bytes__((pkt), (namelen), (&namebytes ), 2)
2367	\|\| i2d_X509_NAME(name, &namebytes) != namelen) {
2368	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2368, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2369	return 0;
2370	}
2371	}
2372	}
2373
2374	if (!WPACKET_close(pkt)) {
2375	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2375, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2376	return 0;
2377	}
2378
2379	return 1;
2380	}
2381
2382	/* Create a buffer containing data to be signed for server key exchange */
2383	size_t construct_key_exchange_tbs(SSL s, unsigned char *ptbs,
2384	const void *param, size_t paramlen)
2385	{
2386	size_t tbslen = 2 * SSL3_RANDOM_SIZE32 + paramlen;
2387	unsigned char *tbs = OPENSSL_malloc(tbslen)CRYPTO_malloc(tbslen, "../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2387);
2388
2389	if (tbs == NULL((void*)0)) {
2390	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2390, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2391	return 0;
2392	}
2393	memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE32);
2394	memcpy(tbs + SSL3_RANDOM_SIZE32, s->s3.server_random, SSL3_RANDOM_SIZE32);
2395
2396	memcpy(tbs + SSL3_RANDOM_SIZE32 * 2, param, paramlen);
2397
2398	*ptbs = tbs;
2399	return tbslen;
2400	}
2401
2402	/*
2403	* Saves the current handshake digest for Post-Handshake Auth,
2404	* Done after ClientFinished is processed, done exactly once
2405	*/
2406	int tls13_save_handshake_digest_for_pha(SSL *s)
2407	{
2408	if (s->pha_dgst == NULL((void*)0)) {
2409	if (!ssl3_digest_cached_records(s, 1))
2410	/* SSLfatal() already called */
2411	return 0;
2412
2413	s->pha_dgst = EVP_MD_CTX_new();
2414	if (s->pha_dgst == NULL((void*)0)) {
2415	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2415, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2416	return 0;
2417	}
2418	if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2419	s->s3.handshake_dgst)) {
2420	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2420, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2421	EVP_MD_CTX_free(s->pha_dgst);
2422	s->pha_dgst = NULL((void*)0);
2423	return 0;
2424	}
2425	}
2426	return 1;
2427	}
2428
2429	/*
2430	* Restores the Post-Handshake Auth handshake digest
2431	* Done just before sending/processing the Cert Request
2432	*/
2433	int tls13_restore_handshake_digest_for_pha(SSL *s)
2434	{
2435	if (s->pha_dgst == NULL((void*)0)) {
2436	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2436, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2437	return 0;
2438	}
2439	if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2440	s->pha_dgst)) {
2441	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_lib.c" , 2441, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2442	return 0;
2443	}
2444	return 1;
2445	}