../deps/openssl/openssl/ssl/statem/statem

Bug Summary

File:	out/../deps/openssl/openssl/ssl/statem/statem_clnt.c
Warning:	line 3368, column 5 Value stored to 'pmslen' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name statem_clnt.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/maurizio/node-v18.6.0/out -resource-dir /usr/local/lib/clang/16.0.0 -D V8_DEPRECATION_WARNINGS -D V8_IMMINENT_DEPRECATION_WARNINGS -D _GLIBCXX_USE_CXX11_ABI=1 -D NODE_OPENSSL_CONF_NAME=nodejs_conf -D NODE_OPENSSL_HAS_QUIC -D __STDC_FORMAT_MACROS -D OPENSSL_NO_PINSHARED -D OPENSSL_THREADS -D OPENSSL_NO_HW -D OPENSSL_API_COMPAT=0x10100001L -D STATIC_LEGACY -D NDEBUG -D OPENSSL_USE_NODELETE -D L_ENDIAN -D OPENSSL_BUILDING_OPENSSL -D AES_ASM -D BSAES_ASM -D CMLL_ASM -D ECP_NISTZ256_ASM -D GHASH_ASM -D KECCAK1600_ASM -D MD5_ASM -D OPENSSL_BN_ASM_GF2m -D OPENSSL_BN_ASM_MONT -D OPENSSL_BN_ASM_MONT5 -D OPENSSL_CPUID_OBJ -D OPENSSL_IA32_SSE2 -D PADLOCK_ASM -D POLY1305_ASM -D SHA1_ASM -D SHA256_ASM -D SHA512_ASM -D VPAES_ASM -D WHIRLPOOL_ASM -D X25519_ASM -D OPENSSL_PIC -D MODULESDIR="/home/maurizio/node-v18.6.0/out/Release/obj.target/deps/openssl/lib/openssl-modules" -D OPENSSLDIR="/home/maurizio/node-v18.6.0/out/Release/obj.target/deps/openssl" -D OPENSSLDIR="/etc/ssl" -D ENGINESDIR="/dev/null" -D TERMIOS -I ../deps/openssl/openssl -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/openssl/crypto/modes -I ../deps/openssl/openssl/crypto/ec/curve448 -I ../deps/openssl/openssl/crypto/ec/curve448/arch_32 -I ../deps/openssl/openssl/providers/common/include -I ../deps/openssl/openssl/providers/implementations/include -I ../deps/openssl/config -I ../deps/openssl/config/archs/linux-x86_64/asm -I ../deps/openssl/config/archs/linux-x86_64/asm/include -I ../deps/openssl/config/archs/linux-x86_64/asm/crypto -I ../deps/openssl/config/archs/linux-x86_64/asm/crypto/include/internal -I ../deps/openssl/config/archs/linux-x86_64/asm/providers/common/include -internal-isystem /usr/local/lib/clang/16.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/8/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wno-unused-parameter -Wno-missing-field-initializers -Wno-old-style-declaration -fdebug-compilation-dir=/home/maurizio/node-v18.6.0/out -ferror-limit 19 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2022-08-22-142216-507842-1 -x c ../deps/openssl/openssl/ssl/statem/statem_clnt.c

1	/*
2	* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3	* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4	* Copyright 2005 Nokia. All rights reserved.
5	*
6	* Licensed under the Apache License 2.0 (the "License"). You may not use
7	* this file except in compliance with the License. You can obtain a copy
8	* in the file LICENSE in the source distribution or at
9	* https://www.openssl.org/source/license.html
10	*/
11
12	#include <stdio.h>
13	#include <time.h>
14	#include <assert.h>
15	#include "../ssl_local.h"
16	#include "statem_local.h"
17	#include <openssl/buffer.h>
18	#include <openssl/rand.h>
19	#include <openssl/objects.h>
20	#include <openssl/evp.h>
21	#include <openssl/md5.h>
22	#include <openssl/dh.h>
23	#include <openssl/rsa.h>
24	#include <openssl/bn.h>
25	#include <openssl/engine.h>
26	#include <openssl/trace.h>
27	#include <openssl/core_names.h>
28	#include <openssl/param_build.h>
29	#include "internal/cryptlib.h"
30
31	static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL s, PACKET pkt);
32	static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL s, PACKET pkt);
33
34	static ossl_inlineinline int cert_req_allowed(SSL *s);
35	static int key_exchange_expected(SSL *s);
36	static int ssl_cipher_list_to_bytes(SSL s, STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER sk,
37	WPACKET *pkt);
38
39	/*
40	* Is a CertificateRequest message allowed at the moment or not?
41	*
42	* Return values are:
43	* 1: Yes
44	* 0: No
45	*/
46	static ossl_inlineinline int cert_req_allowed(SSL *s)
47	{
48	/* TLS does not like anon-DH with client cert */
49	if ((s->version > SSL3_VERSION0x0300
50	&& (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL0x00000004U))
51	\|\| (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP0x00000040U \| SSL_aPSK0x00000010U)))
52	return 0;
53
54	return 1;
55	}
56
57	/*
58	* Should we expect the ServerKeyExchange message or not?
59	*
60	* Return values are:
61	* 1: Yes
62	* 0: No
63	*/
64	static int key_exchange_expected(SSL *s)
65	{
66	long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
67
68	/*
69	* Can't skip server key exchange if this is an ephemeral
70	* ciphersuite or for SRP
71	*/
72	if (alg_k & (SSL_kDHE0x00000002U \| SSL_kECDHE0x00000004U \| SSL_kDHEPSK0x00000100U \| SSL_kECDHEPSK0x00000080U
73	\| SSL_kSRP0x00000020U)) {
74	return 1;
75	}
76
77	return 0;
78	}
79
80	/*
81	* ossl_statem_client_read_transition() encapsulates the logic for the allowed
82	* handshake state transitions when a TLS1.3 client is reading messages from the
83	* server. The message type that the server has sent is provided in \|mt\|. The
84	* current state is in \|s->statem.hand_state\|.
85	*
86	* Return values are 1 for success (transition allowed) and 0 on error
87	* (transition not allowed)
88	*/
89	static int ossl_statem_client13_read_transition(SSL *s, int mt)
90	{
91	OSSL_STATEM *st = &s->statem;
92
93	/*
94	* Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
95	* yet negotiated TLSv1.3 at that point so that is handled by
96	* ossl_statem_client_read_transition()
97	*/
98
99	switch (st->hand_state) {
100	default:
101	break;
102
103	case TLS_ST_CW_CLNT_HELLO:
104	/*
105	* This must a ClientHello following a HelloRetryRequest, so the only
106	* thing we can get now is a ServerHello.
107	*/
108	if (mt == SSL3_MT_SERVER_HELLO2) {
109	st->hand_state = TLS_ST_CR_SRVR_HELLO;
110	return 1;
111	}
112	break;
113
114	case TLS_ST_CR_SRVR_HELLO:
115	if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS8) {
116	st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS;
117	return 1;
118	}
119	break;
120
121	case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
122	if (s->hit) {
123	if (mt == SSL3_MT_FINISHED20) {
124	st->hand_state = TLS_ST_CR_FINISHED;
125	return 1;
126	}
127	} else {
128	if (mt == SSL3_MT_CERTIFICATE_REQUEST13) {
129	st->hand_state = TLS_ST_CR_CERT_REQ;
130	return 1;
131	}
132	if (mt == SSL3_MT_CERTIFICATE11) {
133	st->hand_state = TLS_ST_CR_CERT;
134	return 1;
135	}
136	}
137	break;
138
139	case TLS_ST_CR_CERT_REQ:
140	if (mt == SSL3_MT_CERTIFICATE11) {
141	st->hand_state = TLS_ST_CR_CERT;
142	return 1;
143	}
144	break;
145
146	case TLS_ST_CR_CERT:
147	if (mt == SSL3_MT_CERTIFICATE_VERIFY15) {
148	st->hand_state = TLS_ST_CR_CERT_VRFY;
149	return 1;
150	}
151	break;
152
153	case TLS_ST_CR_CERT_VRFY:
154	if (mt == SSL3_MT_FINISHED20) {
155	st->hand_state = TLS_ST_CR_FINISHED;
156	return 1;
157	}
158	break;
159
160	case TLS_ST_OK:
161	if (mt == SSL3_MT_NEWSESSION_TICKET4) {
162	st->hand_state = TLS_ST_CR_SESSION_TICKET;
163	return 1;
164	}
165	if (mt == SSL3_MT_KEY_UPDATE24) {
166	st->hand_state = TLS_ST_CR_KEY_UPDATE;
167	return 1;
168	}
169	if (mt == SSL3_MT_CERTIFICATE_REQUEST13) {
170	#if DTLS_MAX_VERSION_INTERNAL0xFEFD != DTLS1_2_VERSION0xFEFD
171	/* Restore digest for PHA before adding message.*/
172	# error Internal DTLS version error
173	#endif
174	if (!SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && s->post_handshake_auth == SSL_PHA_EXT_SENT) {
175	s->post_handshake_auth = SSL_PHA_REQUESTED;
176	/*
177	* In TLS, this is called before the message is added to the
178	* digest. In DTLS, this is expected to be called after adding
179	* to the digest. Either move the digest restore, or add the
180	* message here after the swap, or do it after the clientFinished?
181	*/
182	if (!tls13_restore_handshake_digest_for_pha(s)) {
183	/* SSLfatal() already called */
184	return 0;
185	}
186	st->hand_state = TLS_ST_CR_CERT_REQ;
187	return 1;
188	}
189	}
190	break;
191	}
192
193	/* No valid transition found */
194	return 0;
195	}
196
197	/*
198	* ossl_statem_client_read_transition() encapsulates the logic for the allowed
199	* handshake state transitions when the client is reading messages from the
200	* server. The message type that the server has sent is provided in \|mt\|. The
201	* current state is in \|s->statem.hand_state\|.
202	*
203	* Return values are 1 for success (transition allowed) and 0 on error
204	* (transition not allowed)
205	*/
206	int ossl_statem_client_read_transition(SSL *s, int mt)
207	{
208	OSSL_STATEM *st = &s->statem;
209	int ske_expected;
210
211	/*
212	* Note that after writing the first ClientHello we don't know what version
213	* we are going to negotiate yet, so we don't take this branch until later.
214	*/
215	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
216	if (!ossl_statem_client13_read_transition(s, mt))
217	goto err;
218	return 1;
219	}
220
221	switch (st->hand_state) {
222	default:
223	break;
224
225	case TLS_ST_CW_CLNT_HELLO:
226	if (mt == SSL3_MT_SERVER_HELLO2) {
227	st->hand_state = TLS_ST_CR_SRVR_HELLO;
228	return 1;
229	}
230
231	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
232	if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST3) {
233	st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
234	return 1;
235	}
236	}
237	break;
238
239	case TLS_ST_EARLY_DATA:
240	/*
241	* We've not actually selected TLSv1.3 yet, but we have sent early
242	* data. The only thing allowed now is a ServerHello or a
243	* HelloRetryRequest.
244	*/
245	if (mt == SSL3_MT_SERVER_HELLO2) {
246	st->hand_state = TLS_ST_CR_SRVR_HELLO;
247	return 1;
248	}
249	break;
250
251	case TLS_ST_CR_SRVR_HELLO:
252	if (s->hit) {
253	if (s->ext.ticket_expected) {
254	if (mt == SSL3_MT_NEWSESSION_TICKET4) {
255	st->hand_state = TLS_ST_CR_SESSION_TICKET;
256	return 1;
257	}
258	} else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC0x0101) {
259	st->hand_state = TLS_ST_CR_CHANGE;
260	return 1;
261	}
262	} else {
263	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST3) {
264	st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
265	return 1;
266	} else if (s->version >= TLS1_VERSION0x0301
267	&& s->ext.session_secret_cb != NULL((void*)0)
268	&& s->session->ext.tick != NULL((void*)0)
269	&& mt == SSL3_MT_CHANGE_CIPHER_SPEC0x0101) {
270	/*
271	* Normally, we can tell if the server is resuming the session
272	* from the session ID. EAP-FAST (RFC 4851), however, relies on
273	* the next server message after the ServerHello to determine if
274	* the server is resuming.
275	*/
276	s->hit = 1;
277	st->hand_state = TLS_ST_CR_CHANGE;
278	return 1;
279	} else if (!(s->s3.tmp.new_cipher->algorithm_auth
280	& (SSL_aNULL0x00000004U \| SSL_aSRP0x00000040U \| SSL_aPSK0x00000010U))) {
281	if (mt == SSL3_MT_CERTIFICATE11) {
282	st->hand_state = TLS_ST_CR_CERT;
283	return 1;
284	}
285	} else {
286	ske_expected = key_exchange_expected(s);
287	/* SKE is optional for some PSK ciphersuites */
288	if (ske_expected
289	\|\| ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK(0x00000008U \| 0x00000040U \| 0x00000080U \| 0x00000100U))
290	&& mt == SSL3_MT_SERVER_KEY_EXCHANGE12)) {
291	if (mt == SSL3_MT_SERVER_KEY_EXCHANGE12) {
292	st->hand_state = TLS_ST_CR_KEY_EXCH;
293	return 1;
294	}
295	} else if (mt == SSL3_MT_CERTIFICATE_REQUEST13
296	&& cert_req_allowed(s)) {
297	st->hand_state = TLS_ST_CR_CERT_REQ;
298	return 1;
299	} else if (mt == SSL3_MT_SERVER_DONE14) {
300	st->hand_state = TLS_ST_CR_SRVR_DONE;
301	return 1;
302	}
303	}
304	}
305	break;
306
307	case TLS_ST_CR_CERT:
308	/*
309	* The CertificateStatus message is optional even if
310	* \|ext.status_expected\| is set
311	*/
312	if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS22) {
313	st->hand_state = TLS_ST_CR_CERT_STATUS;
314	return 1;
315	}
316	/* Fall through */
317
318	case TLS_ST_CR_CERT_STATUS:
319	ske_expected = key_exchange_expected(s);
320	/* SKE is optional for some PSK ciphersuites */
321	if (ske_expected \|\| ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK(0x00000008U \| 0x00000040U \| 0x00000080U \| 0x00000100U))
322	&& mt == SSL3_MT_SERVER_KEY_EXCHANGE12)) {
323	if (mt == SSL3_MT_SERVER_KEY_EXCHANGE12) {
324	st->hand_state = TLS_ST_CR_KEY_EXCH;
325	return 1;
326	}
327	goto err;
328	}
329	/* Fall through */
330
331	case TLS_ST_CR_KEY_EXCH:
332	if (mt == SSL3_MT_CERTIFICATE_REQUEST13) {
333	if (cert_req_allowed(s)) {
334	st->hand_state = TLS_ST_CR_CERT_REQ;
335	return 1;
336	}
337	goto err;
338	}
339	/* Fall through */
340
341	case TLS_ST_CR_CERT_REQ:
342	if (mt == SSL3_MT_SERVER_DONE14) {
343	st->hand_state = TLS_ST_CR_SRVR_DONE;
344	return 1;
345	}
346	break;
347
348	case TLS_ST_CW_FINISHED:
349	if (s->ext.ticket_expected) {
350	if (mt == SSL3_MT_NEWSESSION_TICKET4) {
351	st->hand_state = TLS_ST_CR_SESSION_TICKET;
352	return 1;
353	}
354	} else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC0x0101) {
355	st->hand_state = TLS_ST_CR_CHANGE;
356	return 1;
357	}
358	break;
359
360	case TLS_ST_CR_SESSION_TICKET:
361	if (mt == SSL3_MT_CHANGE_CIPHER_SPEC0x0101) {
362	st->hand_state = TLS_ST_CR_CHANGE;
363	return 1;
364	}
365	break;
366
367	case TLS_ST_CR_CHANGE:
368	if (mt == SSL3_MT_FINISHED20) {
369	st->hand_state = TLS_ST_CR_FINISHED;
370	return 1;
371	}
372	break;
373
374	case TLS_ST_OK:
375	if (mt == SSL3_MT_HELLO_REQUEST0) {
376	st->hand_state = TLS_ST_CR_HELLO_REQ;
377	return 1;
378	}
379	break;
380	}
381
382	err:
383	/* No valid transition found */
384	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && mt == SSL3_MT_CHANGE_CIPHER_SPEC0x0101) {
385	BIO *rbio;
386
387	/*
388	* CCS messages don't have a message sequence number so this is probably
389	* because of an out-of-order CCS. We'll just drop it.
390	*/
391	s->init_num = 0;
392	s->rwstate = SSL_READING3;
393	rbio = SSL_get_rbio(s);
394	BIO_clear_retry_flags(rbio)BIO_clear_flags(rbio, ((0x01\|0x02\|0x04)\|0x08));
395	BIO_set_retry_read(rbio)BIO_set_flags(rbio, (0x01\|0x08));
396	return 0;
397	}
398	SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 398, __func__), ossl_statem_fatal)((s), (10), (244), ((void *)0));
399	return 0;
400	}
401
402	/*
403	* ossl_statem_client13_write_transition() works out what handshake state to
404	* move to next when the TLSv1.3 client is writing messages to be sent to the
405	* server.
406	*/
407	static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
408	{
409	OSSL_STATEM *st = &s->statem;
410
411	/*
412	* Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated
413	* TLSv1.3 yet at that point. They are handled by
414	* ossl_statem_client_write_transition().
415	*/
416	switch (st->hand_state) {
417	default:
418	/* Shouldn't happen */
419	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 419, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
420	return WRITE_TRAN_ERROR;
421
422	case TLS_ST_CR_CERT_REQ:
423	if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
424	st->hand_state = TLS_ST_CW_CERT;
425	return WRITE_TRAN_CONTINUE;
426	}
427	/*
428	* We should only get here if we received a CertificateRequest after
429	* we already sent close_notify
430	*/
431	if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)(((s->shutdown & 1) != 0) != 0)) {
432	/* Shouldn't happen - same as default case */
433	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 433, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
434	return WRITE_TRAN_ERROR;
435	}
436	st->hand_state = TLS_ST_OK;
437	return WRITE_TRAN_CONTINUE;
438
439	case TLS_ST_CR_FINISHED:
440	if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY
441	\|\| s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING)
442	st->hand_state = TLS_ST_PENDING_EARLY_DATA_END;
443	else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT((uint64_t)1 << (uint64_t)20)) != 0
444	&& s->hello_retry_request == SSL_HRR_NONE)
445	st->hand_state = TLS_ST_CW_CHANGE;
446	else
447	st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT
448	: TLS_ST_CW_FINISHED;
449	return WRITE_TRAN_CONTINUE;
450
451	case TLS_ST_PENDING_EARLY_DATA_END:
452	if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED2) {
453	st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA;
454	return WRITE_TRAN_CONTINUE;
455	}
456	/* Fall through */
457
458	case TLS_ST_CW_END_OF_EARLY_DATA:
459	case TLS_ST_CW_CHANGE:
460	st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT
461	: TLS_ST_CW_FINISHED;
462	return WRITE_TRAN_CONTINUE;
463
464	case TLS_ST_CW_CERT:
465	/* If a non-empty Certificate we also send CertificateVerify */
466	st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
467	: TLS_ST_CW_FINISHED;
468	return WRITE_TRAN_CONTINUE;
469
470	case TLS_ST_CW_CERT_VRFY:
471	st->hand_state = TLS_ST_CW_FINISHED;
472	return WRITE_TRAN_CONTINUE;
473
474	case TLS_ST_CR_KEY_UPDATE:
475	case TLS_ST_CW_KEY_UPDATE:
476	case TLS_ST_CR_SESSION_TICKET:
477	case TLS_ST_CW_FINISHED:
478	st->hand_state = TLS_ST_OK;
479	return WRITE_TRAN_CONTINUE;
480
481	case TLS_ST_OK:
482	if (s->key_update != SSL_KEY_UPDATE_NONE-1) {
483	st->hand_state = TLS_ST_CW_KEY_UPDATE;
484	return WRITE_TRAN_CONTINUE;
485	}
486
487	/* Try to read from the server instead */
488	return WRITE_TRAN_FINISHED;
489	}
490	}
491
492	/*
493	* ossl_statem_client_write_transition() works out what handshake state to
494	* move to next when the client is writing messages to be sent to the server.
495	*/
496	WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
497	{
498	OSSL_STATEM *st = &s->statem;
499
500	/*
501	* Note that immediately before/after a ClientHello we don't know what
502	* version we are going to negotiate yet, so we don't take this branch until
503	* later
504	*/
505	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000))
506	return ossl_statem_client13_write_transition(s);
507
508	switch (st->hand_state) {
509	default:
510	/* Shouldn't happen */
511	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 511, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
512	return WRITE_TRAN_ERROR;
513
514	case TLS_ST_OK:
515	if (!s->renegotiate) {
516	/*
517	* We haven't requested a renegotiation ourselves so we must have
518	* received a message from the server. Better read it.
519	*/
520	return WRITE_TRAN_FINISHED;
521	}
522	/* Renegotiation */
523	/* fall thru */
524	case TLS_ST_BEFORE:
525	st->hand_state = TLS_ST_CW_CLNT_HELLO;
526	return WRITE_TRAN_CONTINUE;
527
528	case TLS_ST_CW_CLNT_HELLO:
529	if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
530	/*
531	* We are assuming this is a TLSv1.3 connection, although we haven't
532	* actually selected a version yet.
533	*/
534	if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT((uint64_t)1 << (uint64_t)20)) != 0)
535	st->hand_state = TLS_ST_CW_CHANGE;
536	else
537	st->hand_state = TLS_ST_EARLY_DATA;
538	return WRITE_TRAN_CONTINUE;
539	}
540	/*
541	* No transition at the end of writing because we don't know what
542	* we will be sent
543	*/
544	return WRITE_TRAN_FINISHED;
545
546	case TLS_ST_CR_SRVR_HELLO:
547	/*
548	* We only get here in TLSv1.3. We just received an HRR, so issue a
549	* CCS unless middlebox compat mode is off, or we already issued one
550	* because we did early data.
551	*/
552	if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT((uint64_t)1 << (uint64_t)20)) != 0
553	&& s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
554	st->hand_state = TLS_ST_CW_CHANGE;
555	else
556	st->hand_state = TLS_ST_CW_CLNT_HELLO;
557	return WRITE_TRAN_CONTINUE;
558
559	case TLS_ST_EARLY_DATA:
560	return WRITE_TRAN_FINISHED;
561
562	case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
563	st->hand_state = TLS_ST_CW_CLNT_HELLO;
564	return WRITE_TRAN_CONTINUE;
565
566	case TLS_ST_CR_SRVR_DONE:
567	if (s->s3.tmp.cert_req)
568	st->hand_state = TLS_ST_CW_CERT;
569	else
570	st->hand_state = TLS_ST_CW_KEY_EXCH;
571	return WRITE_TRAN_CONTINUE;
572
573	case TLS_ST_CW_CERT:
574	st->hand_state = TLS_ST_CW_KEY_EXCH;
575	return WRITE_TRAN_CONTINUE;
576
577	case TLS_ST_CW_KEY_EXCH:
578	/*
579	* For TLS, cert_req is set to 2, so a cert chain of nothing is
580	* sent, but no verify packet is sent
581	*/
582	/*
583	* XXX: For now, we do not support client authentication in ECDH
584	* cipher suites with ECDH (rather than ECDSA) certificates. We
585	* need to skip the certificate verify message when client's
586	* ECDH public key is sent inside the client certificate.
587	*/
588	if (s->s3.tmp.cert_req == 1) {
589	st->hand_state = TLS_ST_CW_CERT_VRFY;
590	} else {
591	st->hand_state = TLS_ST_CW_CHANGE;
592	}
593	if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY0x0010) {
594	st->hand_state = TLS_ST_CW_CHANGE;
595	}
596	return WRITE_TRAN_CONTINUE;
597
598	case TLS_ST_CW_CERT_VRFY:
599	st->hand_state = TLS_ST_CW_CHANGE;
600	return WRITE_TRAN_CONTINUE;
601
602	case TLS_ST_CW_CHANGE:
603	if (s->hello_retry_request == SSL_HRR_PENDING) {
604	st->hand_state = TLS_ST_CW_CLNT_HELLO;
605	} else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
606	st->hand_state = TLS_ST_EARLY_DATA;
607	} else {
608	#if defined(OPENSSL_NO_NEXTPROTONEG)
609	st->hand_state = TLS_ST_CW_FINISHED;
610	#else
611	if (!SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && s->s3.npn_seen)
612	st->hand_state = TLS_ST_CW_NEXT_PROTO;
613	else
614	st->hand_state = TLS_ST_CW_FINISHED;
615	#endif
616	}
617	return WRITE_TRAN_CONTINUE;
618
619	#if !defined(OPENSSL_NO_NEXTPROTONEG)
620	case TLS_ST_CW_NEXT_PROTO:
621	st->hand_state = TLS_ST_CW_FINISHED;
622	return WRITE_TRAN_CONTINUE;
623	#endif
624
625	case TLS_ST_CW_FINISHED:
626	if (s->hit) {
627	st->hand_state = TLS_ST_OK;
628	return WRITE_TRAN_CONTINUE;
629	} else {
630	return WRITE_TRAN_FINISHED;
631	}
632
633	case TLS_ST_CR_FINISHED:
634	if (s->hit) {
635	st->hand_state = TLS_ST_CW_CHANGE;
636	return WRITE_TRAN_CONTINUE;
637	} else {
638	st->hand_state = TLS_ST_OK;
639	return WRITE_TRAN_CONTINUE;
640	}
641
642	case TLS_ST_CR_HELLO_REQ:
643	/*
644	* If we can renegotiate now then do so, otherwise wait for a more
645	* convenient time.
646	*/
647	if (ssl3_renegotiate_check(s, 1)) {
648	if (!tls_setup_handshake(s)) {
649	/* SSLfatal() already called */
650	return WRITE_TRAN_ERROR;
651	}
652	st->hand_state = TLS_ST_CW_CLNT_HELLO;
653	return WRITE_TRAN_CONTINUE;
654	}
655	st->hand_state = TLS_ST_OK;
656	return WRITE_TRAN_CONTINUE;
657	}
658	}
659
660	/*
661	* Perform any pre work that needs to be done prior to sending a message from
662	* the client to the server.
663	*/
664	WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
665	{
666	OSSL_STATEM *st = &s->statem;
667
668	switch (st->hand_state) {
669	default:
670	/* No pre work to be done */
671	break;
672
673	case TLS_ST_CW_CLNT_HELLO:
674	s->shutdown = 0;
675	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
676	/* every DTLS ClientHello resets Finished MAC */
677	if (!ssl3_init_finished_mac(s)) {
678	/* SSLfatal() already called */
679	return WORK_ERROR;
680	}
681	}
682	break;
683
684	case TLS_ST_CW_CHANGE:
685	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
686	if (s->hit) {
687	/*
688	* We're into the last flight so we don't retransmit these
689	* messages unless we need to.
690	*/
691	st->use_timer = 0;
692	}
693	#ifndef OPENSSL_NO_SCTP
694	if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
695	/* Calls SSLfatal() as required */
696	return dtls_wait_for_dry(s);
697	}
698	#endif
699	}
700	break;
701
702	case TLS_ST_PENDING_EARLY_DATA_END:
703	/*
704	* If we've been called by SSL_do_handshake()/SSL_write(), or we did not
705	* attempt to write early data before calling SSL_read() then we press
706	* on with the handshake. Otherwise we pause here.
707	*/
708	if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING
709	\|\| s->early_data_state == SSL_EARLY_DATA_NONE)
710	return WORK_FINISHED_CONTINUE;
711	/* Fall through */
712
713	case TLS_ST_EARLY_DATA:
714	return tls_finish_handshake(s, wst, 0, 1);
715
716	case TLS_ST_OK:
717	/* Calls SSLfatal() as required */
718	return tls_finish_handshake(s, wst, 1, 1);
719	}
720
721	return WORK_FINISHED_CONTINUE;
722	}
723
724	/*
725	* Perform any work that needs to be done after sending a message from the
726	* client to the server.
727	*/
728	WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
729	{
730	OSSL_STATEM *st = &s->statem;
731
732	s->init_num = 0;
733
734	switch (st->hand_state) {
735	default:
736	/* No post work to be done */
737	break;
738
739	case TLS_ST_CW_CLNT_HELLO:
740	if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
741	&& s->max_early_data > 0) {
742	/*
743	* We haven't selected TLSv1.3 yet so we don't call the change
744	* cipher state function associated with the SSL_METHOD. Instead
745	* we call tls13_change_cipher_state() directly.
746	*/
747	if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT((uint64_t)1 << (uint64_t)20)) == 0) {
748	if (!tls13_change_cipher_state(s,
749	SSL3_CC_EARLY0x040 \| SSL3_CHANGE_CIPHER_CLIENT_WRITE(0x010\|0x002))) {
750	/* SSLfatal() already called */
751	return WORK_ERROR;
752	}
753	}
754	/* else we're in compat mode so we delay flushing until after CCS */
755	} else if (!statem_flush(s)) {
756	return WORK_MORE_A;
757	}
758
759	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
760	/* Treat the next message as the first packet */
761	s->first_packet = 1;
762	}
763	break;
764
765	case TLS_ST_CW_END_OF_EARLY_DATA:
766	/*
767	* We set the enc_write_ctx back to NULL because we may end up writing
768	* in cleartext again if we get a HelloRetryRequest from the server.
769	*/
770	EVP_CIPHER_CTX_free(s->enc_write_ctx);
771	s->enc_write_ctx = NULL((void*)0);
772	break;
773
774	case TLS_ST_CW_KEY_EXCH:
775	if (tls_client_key_exchange_post_work(s) == 0) {
776	/* SSLfatal() already called */
777	return WORK_ERROR;
778	}
779	break;
780
781	case TLS_ST_CW_CHANGE:
782	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) \|\| s->hello_retry_request == SSL_HRR_PENDING)
783	break;
784	if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
785	&& s->max_early_data > 0) {
786	/*
787	* We haven't selected TLSv1.3 yet so we don't call the change
788	* cipher state function associated with the SSL_METHOD. Instead
789	* we call tls13_change_cipher_state() directly.
790	*/
791	if (!tls13_change_cipher_state(s,
792	SSL3_CC_EARLY0x040 \| SSL3_CHANGE_CIPHER_CLIENT_WRITE(0x010\|0x002)))
793	return WORK_ERROR;
794	break;
795	}
796	s->session->cipher = s->s3.tmp.new_cipher;
797	#ifdef OPENSSL_NO_COMP
798	s->session->compress_meth = 0;
799	#else
800	if (s->s3.tmp.new_compression == NULL((void*)0))
801	s->session->compress_meth = 0;
802	else
803	s->session->compress_meth = s->s3.tmp.new_compression->id;
804	#endif
805	if (!s->method->ssl3_enc->setup_key_block(s)) {
806	/* SSLfatal() already called */
807	return WORK_ERROR;
808	}
809
810	if (!s->method->ssl3_enc->change_cipher_state(s,
811	SSL3_CHANGE_CIPHER_CLIENT_WRITE(0x010\|0x002))) {
812	/* SSLfatal() already called */
813	return WORK_ERROR;
814	}
815
816	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
817	#ifndef OPENSSL_NO_SCTP
818	if (s->hit) {
819	/*
820	* Change to new shared key of SCTP-Auth, will be ignored if
821	* no SCTP used.
822	*/
823	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
824	0, NULL((void*)0));
825	}
826	#endif
827
828	dtls1_reset_seq_numbers(s, SSL3_CC_WRITE0x002);
829	}
830	break;
831
832	case TLS_ST_CW_FINISHED:
833	#ifndef OPENSSL_NO_SCTP
834	if (wst == WORK_MORE_A && SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && s->hit == 0) {
835	/*
836	* Change to new shared key of SCTP-Auth, will be ignored if
837	* no SCTP used.
838	*/
839	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
840	0, NULL((void*)0));
841	}
842	#endif
843	if (statem_flush(s) != 1)
844	return WORK_MORE_B;
845
846	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
847	if (!tls13_save_handshake_digest_for_pha(s)) {
848	/* SSLfatal() already called */
849	return WORK_ERROR;
850	}
851	if (s->post_handshake_auth != SSL_PHA_REQUESTED) {
852	if (!s->method->ssl3_enc->change_cipher_state(s,
853	SSL3_CC_APPLICATION0x100 \| SSL3_CHANGE_CIPHER_CLIENT_WRITE(0x010\|0x002))) {
854	/* SSLfatal() already called */
855	return WORK_ERROR;
856	}
857	}
858	}
859	break;
860
861	case TLS_ST_CW_KEY_UPDATE:
862	if (statem_flush(s) != 1)
863	return WORK_MORE_A;
864	if (!tls13_update_key(s, 1)) {
865	/* SSLfatal() already called */
866	return WORK_ERROR;
867	}
868	break;
869	}
870
871	return WORK_FINISHED_CONTINUE;
872	}
873
874	/*
875	* Get the message construction function and message type for sending from the
876	* client
877	*
878	* Valid return values are:
879	* 1: Success
880	* 0: Error
881	*/
882	int ossl_statem_client_construct_message(SSL s, WPACKET pkt,
883	confunc_f confunc, int mt)
884	{
885	OSSL_STATEM *st = &s->statem;
886
887	switch (st->hand_state) {
888	default:
889	/* Shouldn't happen */
890	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 890, __func__), ossl_statem_fatal)((s), (80), (236), ((void *)0));
891	return 0;
892
893	case TLS_ST_CW_CHANGE:
894	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8))
895	*confunc = dtls_construct_change_cipher_spec;
896	else
897	*confunc = tls_construct_change_cipher_spec;
898	*mt = SSL3_MT_CHANGE_CIPHER_SPEC0x0101;
899	break;
900
901	case TLS_ST_CW_CLNT_HELLO:
902	*confunc = tls_construct_client_hello;
903	*mt = SSL3_MT_CLIENT_HELLO1;
904	break;
905
906	case TLS_ST_CW_END_OF_EARLY_DATA:
907	#ifndef OPENSSL_NO_QUIC
908	/* QUIC does not send EndOfEarlyData, RFC9001 S8.3 */
909	if (SSL_IS_QUIC(s)(s->quic_method != ((void*)0))) {
910	confunc = NULL((void)0);
911	*mt = SSL3_MT_DUMMY-1;
912	break;
913	}
914	#endif
915	*confunc = tls_construct_end_of_early_data;
916	*mt = SSL3_MT_END_OF_EARLY_DATA5;
917	break;
918
919	case TLS_ST_PENDING_EARLY_DATA_END:
920	confunc = NULL((void)0);
921	*mt = SSL3_MT_DUMMY-1;
922	break;
923
924	case TLS_ST_CW_CERT:
925	*confunc = tls_construct_client_certificate;
926	*mt = SSL3_MT_CERTIFICATE11;
927	break;
928
929	case TLS_ST_CW_KEY_EXCH:
930	*confunc = tls_construct_client_key_exchange;
931	*mt = SSL3_MT_CLIENT_KEY_EXCHANGE16;
932	break;
933
934	case TLS_ST_CW_CERT_VRFY:
935	*confunc = tls_construct_cert_verify;
936	*mt = SSL3_MT_CERTIFICATE_VERIFY15;
937	break;
938
939	#if !defined(OPENSSL_NO_NEXTPROTONEG)
940	case TLS_ST_CW_NEXT_PROTO:
941	*confunc = tls_construct_next_proto;
942	*mt = SSL3_MT_NEXT_PROTO67;
943	break;
944	#endif
945	case TLS_ST_CW_FINISHED:
946	*confunc = tls_construct_finished;
947	*mt = SSL3_MT_FINISHED20;
948	break;
949
950	case TLS_ST_CW_KEY_UPDATE:
951	*confunc = tls_construct_key_update;
952	*mt = SSL3_MT_KEY_UPDATE24;
953	break;
954	}
955
956	return 1;
957	}
958
959	/*
960	* Returns the maximum allowed length for the current message that we are
961	* reading. Excludes the message header.
962	*/
963	size_t ossl_statem_client_max_message_size(SSL *s)
964	{
965	OSSL_STATEM *st = &s->statem;
966
967	switch (st->hand_state) {
968	default:
969	/* Shouldn't happen */
970	return 0;
971
972	case TLS_ST_CR_SRVR_HELLO:
973	return SERVER_HELLO_MAX_LENGTH65607;
974
975	case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
976	return HELLO_VERIFY_REQUEST_MAX_LENGTH258;
977
978	case TLS_ST_CR_CERT:
979	return s->max_cert_list;
980
981	case TLS_ST_CR_CERT_VRFY:
982	return SSL3_RT_MAX_PLAIN_LENGTH16384;
983
984	case TLS_ST_CR_CERT_STATUS:
985	return SSL3_RT_MAX_PLAIN_LENGTH16384;
986
987	case TLS_ST_CR_KEY_EXCH:
988	return SERVER_KEY_EXCH_MAX_LENGTH102400;
989
990	case TLS_ST_CR_CERT_REQ:
991	/*
992	* Set to s->max_cert_list for compatibility with previous releases. In
993	* practice these messages can get quite long if servers are configured
994	* to provide a long list of acceptable CAs
995	*/
996	return s->max_cert_list;
997
998	case TLS_ST_CR_SRVR_DONE:
999	return SERVER_HELLO_DONE_MAX_LENGTH0;
1000
1001	case TLS_ST_CR_CHANGE:
1002	if (s->version == DTLS1_BAD_VER0x0100)
1003	return 3;
1004	return CCS_MAX_LENGTH1;
1005
1006	case TLS_ST_CR_SESSION_TICKET:
1007	return (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) ? SESSION_TICKET_MAX_LENGTH_TLS13131338
1008	: SESSION_TICKET_MAX_LENGTH_TLS1265541;
1009
1010	case TLS_ST_CR_FINISHED:
1011	return FINISHED_MAX_LENGTH64;
1012
1013	case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
1014	return ENCRYPTED_EXTENSIONS_MAX_LENGTH20000;
1015
1016	case TLS_ST_CR_KEY_UPDATE:
1017	return KEY_UPDATE_MAX_LENGTH1;
1018	}
1019	}
1020
1021	/*
1022	* Process a message that the client has received from the server.
1023	*/
1024	MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL s, PACKET pkt)
1025	{
1026	OSSL_STATEM *st = &s->statem;
1027
1028	switch (st->hand_state) {
1029	default:
1030	/* Shouldn't happen */
1031	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1031, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1032	return MSG_PROCESS_ERROR;
1033
1034	case TLS_ST_CR_SRVR_HELLO:
1035	return tls_process_server_hello(s, pkt);
1036
1037	case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
1038	return dtls_process_hello_verify(s, pkt);
1039
1040	case TLS_ST_CR_CERT:
1041	return tls_process_server_certificate(s, pkt);
1042
1043	case TLS_ST_CR_CERT_VRFY:
1044	return tls_process_cert_verify(s, pkt);
1045
1046	case TLS_ST_CR_CERT_STATUS:
1047	return tls_process_cert_status(s, pkt);
1048
1049	case TLS_ST_CR_KEY_EXCH:
1050	return tls_process_key_exchange(s, pkt);
1051
1052	case TLS_ST_CR_CERT_REQ:
1053	return tls_process_certificate_request(s, pkt);
1054
1055	case TLS_ST_CR_SRVR_DONE:
1056	return tls_process_server_done(s, pkt);
1057
1058	case TLS_ST_CR_CHANGE:
1059	return tls_process_change_cipher_spec(s, pkt);
1060
1061	case TLS_ST_CR_SESSION_TICKET:
1062	return tls_process_new_session_ticket(s, pkt);
1063
1064	case TLS_ST_CR_FINISHED:
1065	return tls_process_finished(s, pkt);
1066
1067	case TLS_ST_CR_HELLO_REQ:
1068	return tls_process_hello_req(s, pkt);
1069
1070	case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
1071	return tls_process_encrypted_extensions(s, pkt);
1072
1073	case TLS_ST_CR_KEY_UPDATE:
1074	return tls_process_key_update(s, pkt);
1075	}
1076	}
1077
1078	/*
1079	* Perform any further processing required following the receipt of a message
1080	* from the server
1081	*/
1082	WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
1083	{
1084	OSSL_STATEM *st = &s->statem;
1085
1086	switch (st->hand_state) {
1087	default:
1088	/* Shouldn't happen */
1089	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1089, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1090	return WORK_ERROR;
1091
1092	case TLS_ST_CR_CERT:
1093	return tls_post_process_server_certificate(s, wst);
1094
1095	case TLS_ST_CR_CERT_VRFY:
1096	case TLS_ST_CR_CERT_REQ:
1097	return tls_prepare_client_certificate(s, wst);
1098	}
1099	}
1100
1101	int tls_construct_client_hello(SSL s, WPACKET pkt)
1102	{
1103	unsigned char *p;
1104	size_t sess_id_len;
1105	int i, protverr;
1106	#ifndef OPENSSL_NO_COMP
1107	SSL_COMP *comp;
1108	#endif
1109	SSL_SESSION *sess = s->session;
1110	unsigned char *session_id;
1111
1112	/* Work out what SSL/TLS/DTLS version to use */
1113	protverr = ssl_set_client_hello_version(s);
1114	if (protverr != 0) {
1115	SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1115, __func__), ossl_statem_fatal)((s), (80), (protverr), ( (void*)0));
1116	return 0;
1117	}
1118
1119	if (sess == NULL((void*)0)
1120	\|\| !ssl_version_supported(s, sess->ssl_version, NULL((void*)0))
1121	\|\| !SSL_SESSION_is_resumable(sess)) {
1122	if (s->hello_retry_request == SSL_HRR_NONE
1123	&& !ssl_get_new_session(s, 0)) {
1124	/* SSLfatal() already called */
1125	return 0;
1126	}
1127	}
1128	/* else use the pre-loaded session */
1129
1130	p = s->s3.client_random;
1131
1132	/*
1133	* for DTLS if client_random is initialized, reuse it, we are
1134	* required to use same upon reply to HelloVerify
1135	*/
1136	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
1137	size_t idx;
1138	i = 1;
1139	for (idx = 0; idx < sizeof(s->s3.client_random); idx++) {
1140	if (p[idx]) {
1141	i = 0;
1142	break;
1143	}
1144	}
1145	} else {
1146	i = (s->hello_retry_request == SSL_HRR_NONE);
1147	}
1148
1149	if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random),
1150	DOWNGRADE_NONE) <= 0) {
1151	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1151, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1152	return 0;
1153	}
1154
1155	/*-
1156	* version indicates the negotiated version: for example from
1157	* an SSLv2/v3 compatible client hello). The client_version
1158	* field is the maximum version we permit and it is also
1159	* used in RSA encrypted premaster secrets. Some servers can
1160	* choke if we initially report a higher version then
1161	* renegotiate to a lower one in the premaster secret. This
1162	* didn't happen with TLS 1.0 as most servers supported it
1163	* but it can with TLS 1.1 or later if the server only supports
1164	* 1.0.
1165	*
1166	* Possible scenario with previous logic:
1167	* 1. Client hello indicates TLS 1.2
1168	* 2. Server hello says TLS 1.0
1169	* 3. RSA encrypted premaster secret uses 1.2.
1170	* 4. Handshake proceeds using TLS 1.0.
1171	* 5. Server sends hello request to renegotiate.
1172	* 6. Client hello indicates TLS v1.0 as we now
1173	* know that is maximum server supports.
1174	* 7. Server chokes on RSA encrypted premaster secret
1175	* containing version 1.0.
1176	*
1177	* For interoperability it should be OK to always use the
1178	* maximum version we support in client hello and then rely
1179	* on the checking of version to ensure the servers isn't
1180	* being inconsistent: for example initially negotiating with
1181	* TLS 1.0 and renegotiating with TLS 1.2. We do this by using
1182	* client_version in client hello and not resetting it to
1183	* the negotiated version.
1184	*
1185	* For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
1186	* supported_versions extension for the real supported versions.
1187	*/
1188	if (!WPACKET_put_bytes_u16(pkt, s->client_version)WPACKET_put_bytes__((pkt), (s->client_version), 2)
1189	\|\| !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE32)) {
1190	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1190, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1191	return 0;
1192	}
1193
1194	/* Session ID */
1195	session_id = s->session->session_id;
1196	if (s->new_session \|\| s->session->ssl_version == TLS1_3_VERSION0x0304) {
1197	if (s->version == TLS1_3_VERSION0x0304
1198	&& (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT((uint64_t)1 << (uint64_t)20)) != 0) {
1199	sess_id_len = sizeof(s->tmp_session_id);
1200	s->tmp_session_id_len = sess_id_len;
1201	session_id = s->tmp_session_id;
1202	if (s->hello_retry_request == SSL_HRR_NONE
1203	&& RAND_bytes_ex(s->ctx->libctx, s->tmp_session_id,
1204	sess_id_len, 0) <= 0) {
1205	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1205, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1206	return 0;
1207	}
1208	} else {
1209	sess_id_len = 0;
1210	}
1211	} else {
1212	assert(s->session->session_id_length <= sizeof(s->session->session_id))((void) (0));
1213	sess_id_len = s->session->session_id_length;
1214	if (s->version == TLS1_3_VERSION0x0304) {
1215	s->tmp_session_id_len = sess_id_len;
1216	memcpy(s->tmp_session_id, s->session->session_id, sess_id_len);
1217	}
1218	}
1219	if (!WPACKET_start_sub_packet_u8(pkt)WPACKET_start_sub_packet_len__((pkt), 1)
1220	\|\| (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id,
1221	sess_id_len))
1222	\|\| !WPACKET_close(pkt)) {
1223	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1223, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1224	return 0;
1225	}
1226
1227	/* cookie stuff for DTLS */
1228	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
1229	if (s->d1->cookie_len > sizeof(s->d1->cookie)
1230	\|\| !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,WPACKET_sub_memcpy__((pkt), (s->d1->cookie), (s->d1-> cookie_len), 1)
1231	s->d1->cookie_len)WPACKET_sub_memcpy__((pkt), (s->d1->cookie), (s->d1-> cookie_len), 1)) {
1232	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1232, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1233	return 0;
1234	}
1235	}
1236
1237	/* Ciphers supported */
1238	if (!WPACKET_start_sub_packet_u16(pkt)WPACKET_start_sub_packet_len__((pkt), 2)) {
1239	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1239, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1240	return 0;
1241	}
1242
1243	if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) {
1244	/* SSLfatal() already called */
1245	return 0;
1246	}
1247	if (!WPACKET_close(pkt)) {
1248	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1248, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1249	return 0;
1250	}
1251
1252	/* COMPRESSION */
1253	if (!WPACKET_start_sub_packet_u8(pkt)WPACKET_start_sub_packet_len__((pkt), 1)) {
1254	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1254, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1255	return 0;
1256	}
1257	#ifndef OPENSSL_NO_COMP
1258	if (ssl_allow_compression(s)
1259	&& s->ctx->comp_methods
1260	&& (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) \|\| s->s3.tmp.max_ver < TLS1_3_VERSION0x0304)) {
1261	int compnum = sk_SSL_COMP_num(s->ctx->comp_methods)OPENSSL_sk_num(ossl_check_const_SSL_COMP_sk_type(s->ctx-> comp_methods));
1262	for (i = 0; i < compnum; i++) {
1263	comp = sk_SSL_COMP_value(s->ctx->comp_methods, i)((SSL_COMP *)OPENSSL_sk_value(ossl_check_const_SSL_COMP_sk_type (s->ctx->comp_methods), (i)));
1264	if (!WPACKET_put_bytes_u8(pkt, comp->id)WPACKET_put_bytes__((pkt), (comp->id), 1)) {
1265	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1265, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1266	return 0;
1267	}
1268	}
1269	}
1270	#endif
1271	/* Add the NULL method */
1272	if (!WPACKET_put_bytes_u8(pkt, 0)WPACKET_put_bytes__((pkt), (0), 1) \|\| !WPACKET_close(pkt)) {
1273	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1273, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1274	return 0;
1275	}
1276
1277	/* TLS extensions */
1278	if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO0x0080, NULL((void*)0), 0)) {
1279	/* SSLfatal() already called */
1280	return 0;
1281	}
1282
1283	return 1;
1284	}
1285
1286	MSG_PROCESS_RETURN dtls_process_hello_verify(SSL s, PACKET pkt)
1287	{
1288	size_t cookie_len;
1289	PACKET cookiepkt;
1290
1291	if (!PACKET_forward(pkt, 2)
1292	\|\| !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
1293	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1293, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
1294	return MSG_PROCESS_ERROR;
1295	}
1296
1297	cookie_len = PACKET_remaining(&cookiepkt);
1298	if (cookie_len > sizeof(s->d1->cookie)) {
1299	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1299, __func__), ossl_statem_fatal)((s), (47), (404), ((void *)0));
1300	return MSG_PROCESS_ERROR;
1301	}
1302
1303	if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
1304	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1304, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
1305	return MSG_PROCESS_ERROR;
1306	}
1307	s->d1->cookie_len = cookie_len;
1308
1309	return MSG_PROCESS_FINISHED_READING;
1310	}
1311
1312	static int set_client_ciphersuite(SSL s, const unsigned char cipherchars)
1313	{
1314	STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *sk;
1315	const SSL_CIPHER *c;
1316	int i;
1317
1318	c = ssl_get_cipher_by_char(s, cipherchars, 0);
1319	if (c == NULL((void*)0)) {
1320	/* unknown cipher */
1321	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1321, __func__), ossl_statem_fatal)((s), (47), (248), ((void *)0));
1322	return 0;
1323	}
1324	/*
1325	* If it is a disabled cipher we either didn't send it in client hello,
1326	* or it's not allowed for the selected protocol. So we return an error.
1327	*/
1328	if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK(3 \| (1 << 16)), 1)) {
1329	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1329, __func__), ossl_statem_fatal)((s), (47), (261), ((void *)0));
1330	return 0;
1331	}
1332
1333	sk = ssl_get_ciphers_by_id(s);
1334	i = sk_SSL_CIPHER_find(sk, c)OPENSSL_sk_find(ossl_check_SSL_CIPHER_sk_type(sk), ossl_check_SSL_CIPHER_type (c));
1335	if (i < 0) {
1336	/* we did not say we would use this cipher */
1337	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1337, __func__), ossl_statem_fatal)((s), (47), (261), ((void *)0));
1338	return 0;
1339	}
1340
1341	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) && s->s3.tmp.new_cipher != NULL((void*)0)
1342	&& s->s3.tmp.new_cipher->id != c->id) {
1343	/* ServerHello selected a different ciphersuite to that in the HRR */
1344	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1344, __func__), ossl_statem_fatal)((s), (47), (261), ((void *)0));
1345	return 0;
1346	}
1347
1348	/*
1349	* Depending on the session caching (internal/external), the cipher
1350	* and/or cipher_id values may not be set. Make sure that cipher_id is
1351	* set and use it for comparison.
1352	*/
1353	if (s->session->cipher != NULL((void*)0))
1354	s->session->cipher_id = s->session->cipher->id;
1355	if (s->hit && (s->session->cipher_id != c->id)) {
1356	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
1357	/*
1358	* In TLSv1.3 it is valid for the server to select a different
1359	* ciphersuite as long as the hash is the same.
1360	*/
1361	if (ssl_md(s->ctx, c->algorithm2)
1362	!= ssl_md(s->ctx, s->session->cipher->algorithm2)) {
1363	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1364, __func__), ossl_statem_fatal)((s), (47), (218), ((void *)0))
1364	SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1364, __func__), ossl_statem_fatal)((s), (47), (218), ((void *)0));
1365	return 0;
1366	}
1367	} else {
1368	/*
1369	* Prior to TLSv1.3 resuming a session always meant using the same
1370	* ciphersuite.
1371	*/
1372	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1373, __func__), ossl_statem_fatal)((s), (47), (197), ((void *)0))
1373	SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1373, __func__), ossl_statem_fatal)((s), (47), (197), ((void *)0));
1374	return 0;
1375	}
1376	}
1377	s->s3.tmp.new_cipher = c;
1378
1379	return 1;
1380	}
1381
1382	MSG_PROCESS_RETURN tls_process_server_hello(SSL s, PACKET pkt)
1383	{
1384	PACKET session_id, extpkt;
1385	size_t session_id_len;
1386	const unsigned char *cipherchars;
1387	int hrr = 0;
1388	unsigned int compression;
1389	unsigned int sversion;
1390	unsigned int context;
1391	RAW_EXTENSION extensions = NULL((void)0);
1392	#ifndef OPENSSL_NO_COMP
1393	SSL_COMP *comp;
1394	#endif
1395
1396	if (!PACKET_get_net_2(pkt, &sversion)) {
1397	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1397, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
1398	goto err;
1399	}
1400
1401	/* load the server random */
1402	if (s->version == TLS1_3_VERSION0x0304
1403	&& sversion == TLS1_2_VERSION0x0303
1404	&& PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE32
1405	&& memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE32) == 0) {
1406	if (s->hello_retry_request != SSL_HRR_NONE) {
1407	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1407, __func__), ossl_statem_fatal)((s), (10), (244), ((void *)0));
1408	goto err;
1409	}
1410	s->hello_retry_request = SSL_HRR_PENDING;
1411	hrr = 1;
1412	if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE32)) {
1413	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1413, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
1414	goto err;
1415	}
1416	} else {
1417	if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE32)) {
1418	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1418, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
1419	goto err;
1420	}
1421	}
1422
1423	/* Get the session-id. */
1424	if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
1425	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1425, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
1426	goto err;
1427	}
1428	session_id_len = PACKET_remaining(&session_id);
1429	if (session_id_len > sizeof(s->session->session_id)
1430	\|\| session_id_len > SSL3_SESSION_ID_SIZE32) {
1431	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1431, __func__), ossl_statem_fatal)((s), (47), (300), ((void *)0));
1432	goto err;
1433	}
1434
1435	if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN2)) {
1436	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1436, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
1437	goto err;
1438	}
1439
1440	if (!PACKET_get_1(pkt, &compression)) {
1441	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1441, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
1442	goto err;
1443	}
1444
1445	/* TLS extensions */
1446	if (PACKET_remaining(pkt) == 0 && !hrr) {
1447	PACKET_null_init(&extpkt);
1448	} else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
1449	\|\| PACKET_remaining(pkt) != 0) {
1450	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1450, __func__), ossl_statem_fatal)((s), (50), (271), ((void *)0));
1451	goto err;
1452	}
1453
1454	if (!hrr) {
1455	if (!tls_collect_extensions(s, &extpkt,
1456	SSL_EXT_TLS1_2_SERVER_HELLO0x0100
1457	\| SSL_EXT_TLS1_3_SERVER_HELLO0x0200,
1458	&extensions, NULL((void*)0), 1)) {
1459	/* SSLfatal() already called */
1460	goto err;
1461	}
1462
1463	if (!ssl_choose_client_version(s, sversion, extensions)) {
1464	/* SSLfatal() already called */
1465	goto err;
1466	}
1467	}
1468
1469	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) \|\| hrr) {
1470	if (compression != 0) {
1471	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1472, __func__), ossl_statem_fatal)((s), (47), (341), ((void *)0))
1472	SSL_R_INVALID_COMPRESSION_ALGORITHM)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1472, __func__), ossl_statem_fatal)((s), (47), (341), ((void *)0));
1473	goto err;
1474	}
1475
1476	if (session_id_len != s->tmp_session_id_len
1477	\|\| memcmp(PACKET_data(&session_id), s->tmp_session_id,
1478	session_id_len) != 0) {
1479	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1479, __func__), ossl_statem_fatal)((s), (47), (999), ((void *)0));
1480	goto err;
1481	}
1482	}
1483
1484	if (hrr) {
1485	if (!set_client_ciphersuite(s, cipherchars)) {
1486	/* SSLfatal() already called */
1487	goto err;
1488	}
1489
1490	return tls_process_as_hello_retry_request(s, &extpkt);
1491	}
1492
1493	/*
1494	* Now we have chosen the version we need to check again that the extensions
1495	* are appropriate for this version.
1496	*/
1497	context = SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) ? SSL_EXT_TLS1_3_SERVER_HELLO0x0200
1498	: SSL_EXT_TLS1_2_SERVER_HELLO0x0100;
1499	if (!tls_validate_all_contexts(s, context, extensions)) {
1500	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1500, __func__), ossl_statem_fatal)((s), (47), (110), ((void *)0));
1501	goto err;
1502	}
1503
1504	s->hit = 0;
1505
1506	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
1507	/*
1508	* In TLSv1.3 a ServerHello message signals a key change so the end of
1509	* the message must be on a record boundary.
1510	*/
1511	if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
1512	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1513, __func__), ossl_statem_fatal)((s), (10), (182), ((void *)0))
1513	SSL_R_NOT_ON_RECORD_BOUNDARY)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1513, __func__), ossl_statem_fatal)((s), (10), (182), ((void *)0));
1514	goto err;
1515	}
1516
1517	/* This will set s->hit if we are resuming */
1518	if (!tls_parse_extension(s, TLSEXT_IDX_psk,
1519	SSL_EXT_TLS1_3_SERVER_HELLO0x0200,
1520	extensions, NULL((void*)0), 0)) {
1521	/* SSLfatal() already called */
1522	goto err;
1523	}
1524	} else {
1525	/*
1526	* Check if we can resume the session based on external pre-shared
1527	* secret. EAP-FAST (RFC 4851) supports two types of session resumption.
1528	* Resumption based on server-side state works with session IDs.
1529	* Resumption based on pre-shared Protected Access Credentials (PACs)
1530	* works by overriding the SessionTicket extension at the application
1531	* layer, and does not send a session ID. (We do not know whether
1532	* EAP-FAST servers would honour the session ID.) Therefore, the session
1533	* ID alone is not a reliable indicator of session resumption, so we
1534	* first check if we can resume, and later peek at the next handshake
1535	* message to see if the server wants to resume.
1536	*/
1537	if (s->version >= TLS1_VERSION0x0301
1538	&& s->ext.session_secret_cb != NULL((void*)0) && s->session->ext.tick) {
1539	const SSL_CIPHER pref_cipher = NULL((void)0);
1540	/*
1541	* s->session->master_key_length is a size_t, but this is an int for
1542	* backwards compat reasons
1543	*/
1544	int master_key_length;
1545	master_key_length = sizeof(s->session->master_key);
1546	if (s->ext.session_secret_cb(s, s->session->master_key,
1547	&master_key_length,
1548	NULL((void*)0), &pref_cipher,
1549	s->ext.session_secret_cb_arg)
1550	&& master_key_length > 0) {
1551	s->session->master_key_length = master_key_length;
1552	s->session->cipher = pref_cipher ?
1553	pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
1554	} else {
1555	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1555, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1556	goto err;
1557	}
1558	}
1559
1560	if (session_id_len != 0
1561	&& session_id_len == s->session->session_id_length
1562	&& memcmp(PACKET_data(&session_id), s->session->session_id,
1563	session_id_len) == 0)
1564	s->hit = 1;
1565	}
1566
1567	if (s->hit) {
1568	if (s->sid_ctx_length != s->session->sid_ctx_length
1569	\|\| memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
1570	/* actually a client application bug */
1571	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1572, __func__), ossl_statem_fatal)((s), (47), (272), ((void *)0))
1572	SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1572, __func__), ossl_statem_fatal)((s), (47), (272), ((void *)0));
1573	goto err;
1574	}
1575	} else {
1576	/*
1577	* If we were trying for session-id reuse but the server
1578	* didn't resume, make a new SSL_SESSION.
1579	* In the case of EAP-FAST and PAC, we do not send a session ID,
1580	* so the PAC-based session secret is always preserved. It'll be
1581	* overwritten if the server refuses resumption.
1582	*/
1583	if (s->session->session_id_length > 0) {
1584	ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss);
1585	if (!ssl_get_new_session(s, 0)) {
1586	/* SSLfatal() already called */
1587	goto err;
1588	}
1589	}
1590
1591	s->session->ssl_version = s->version;
1592	/*
1593	* In TLSv1.2 and below we save the session id we were sent so we can
1594	* resume it later. In TLSv1.3 the session id we were sent is just an
1595	* echo of what we originally sent in the ClientHello and should not be
1596	* used for resumption.
1597	*/
1598	if (!SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
1599	s->session->session_id_length = session_id_len;
1600	/* session_id_len could be 0 */
1601	if (session_id_len > 0)
1602	memcpy(s->session->session_id, PACKET_data(&session_id),
1603	session_id_len);
1604	}
1605	}
1606
1607	/* Session version and negotiated protocol version should match */
1608	if (s->version != s->session->ssl_version) {
1609	SSLfatal(s, SSL_AD_PROTOCOL_VERSION,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1610, __func__), ossl_statem_fatal)((s), (70), (210), ((void *)0))
1610	SSL_R_SSL_SESSION_VERSION_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1610, __func__), ossl_statem_fatal)((s), (70), (210), ((void *)0));
1611	goto err;
1612	}
1613	/*
1614	* Now that we know the version, update the check to see if it's an allowed
1615	* version.
1616	*/
1617	s->s3.tmp.min_ver = s->version;
1618	s->s3.tmp.max_ver = s->version;
1619
1620	if (!set_client_ciphersuite(s, cipherchars)) {
1621	/* SSLfatal() already called */
1622	goto err;
1623	}
1624
1625	#ifdef OPENSSL_NO_COMP
1626	if (compression != 0) {
1627	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1628, __func__), ossl_statem_fatal)((s), (47), (257), ((void *)0))
1628	SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1628, __func__), ossl_statem_fatal)((s), (47), (257), ((void *)0));
1629	goto err;
1630	}
1631	/*
1632	* If compression is disabled we'd better not try to resume a session
1633	* using compression.
1634	*/
1635	if (s->session->compress_meth != 0) {
1636	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1636, __func__), ossl_statem_fatal)((s), (40), (340), ((void *)0));
1637	goto err;
1638	}
1639	#else
1640	if (s->hit && compression != s->session->compress_meth) {
1641	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1642, __func__), ossl_statem_fatal)((s), (47), (344), ((void *)0))
1642	SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1642, __func__), ossl_statem_fatal)((s), (47), (344), ((void *)0));
1643	goto err;
1644	}
1645	if (compression == 0)
1646	comp = NULL((void*)0);
1647	else if (!ssl_allow_compression(s)) {
1648	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1648, __func__), ossl_statem_fatal)((s), (47), (343), ((void *)0));
1649	goto err;
1650	} else {
1651	comp = ssl3_comp_find(s->ctx->comp_methods, compression);
1652	}
1653
1654	if (compression != 0 && comp == NULL((void*)0)) {
1655	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1656, __func__), ossl_statem_fatal)((s), (47), (257), ((void *)0))
1656	SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1656, __func__), ossl_statem_fatal)((s), (47), (257), ((void *)0));
1657	goto err;
1658	} else {
1659	s->s3.tmp.new_compression = comp;
1660	}
1661	#endif
1662
1663	if (!tls_parse_all_extensions(s, context, extensions, NULL((void*)0), 0, 1)) {
1664	/* SSLfatal() already called */
1665	goto err;
1666	}
1667
1668	#ifndef OPENSSL_NO_SCTP
1669	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && s->hit) {
1670	unsigned char sctpauthkey[64];
1671	char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
1672	size_t labellen;
1673
1674	/*
1675	* Add new shared key for SCTP-Auth, will be ignored if
1676	* no SCTP used.
1677	*/
1678	memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
1679	sizeof(DTLS1_SCTP_AUTH_LABEL));
1680
1681	/* Don't include the terminating zero. */
1682	labellen = sizeof(labelbuffer) - 1;
1683	if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG0x00000400U)
1684	labellen += 1;
1685
1686	if (SSL_export_keying_material(s, sctpauthkey,
1687	sizeof(sctpauthkey),
1688	labelbuffer,
1689	labellen, NULL((void*)0), 0, 0) <= 0) {
1690	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1690, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1691	goto err;
1692	}
1693
1694	BIO_ctrl(SSL_get_wbio(s),
1695	BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
1696	sizeof(sctpauthkey), sctpauthkey);
1697	}
1698	#endif
1699
1700	/*
1701	* In TLSv1.3 we have some post-processing to change cipher state, otherwise
1702	* we're done with this message
1703	*/
1704	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)
1705	&& (!s->method->ssl3_enc->setup_key_block(s)
1706	\|\| !s->method->ssl3_enc->change_cipher_state(s,
1707	SSL3_CC_HANDSHAKE0x080 \| SSL3_CHANGE_CIPHER_CLIENT_READ(0x010\|0x001)))) {
1708	/* SSLfatal() already called */
1709	goto err;
1710	}
1711
1712	OPENSSL_free(extensions)CRYPTO_free(extensions, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1712);
1713	return MSG_PROCESS_CONTINUE_READING;
1714	err:
1715	OPENSSL_free(extensions)CRYPTO_free(extensions, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1715);
1716	return MSG_PROCESS_ERROR;
1717	}
1718
1719	static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s,
1720	PACKET *extpkt)
1721	{
1722	RAW_EXTENSION extensions = NULL((void)0);
1723
1724	/*
1725	* If we were sending early_data then the enc_write_ctx is now invalid and
1726	* should not be used.
1727	*/
1728	EVP_CIPHER_CTX_free(s->enc_write_ctx);
1729	s->enc_write_ctx = NULL((void*)0);
1730
1731	if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST0x0800,
1732	&extensions, NULL((void*)0), 1)
1733	\|\| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST0x0800,
1734	extensions, NULL((void*)0), 0, 1)) {
1735	/* SSLfatal() already called */
1736	goto err;
1737	}
1738
1739	OPENSSL_free(extensions)CRYPTO_free(extensions, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1739);
1740	extensions = NULL((void*)0);
1741
1742	if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL((void*)0)) {
1743	/*
1744	* We didn't receive a cookie or a new key_share so the next
1745	* ClientHello will not change
1746	*/
1747	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1747, __func__), ossl_statem_fatal)((s), (47), (214), ((void *)0));
1748	goto err;
1749	}
1750
1751	/*
1752	* Re-initialise the Transcript Hash. We're going to prepopulate it with
1753	* a synthetic message_hash in place of ClientHello1.
1754	*/
1755	if (!create_synthetic_message_hash(s, NULL((void)0), 0, NULL((void)0), 0)) {
1756	/* SSLfatal() already called */
1757	goto err;
1758	}
1759
1760	/*
1761	* Add this message to the Transcript Hash. Normally this is done
1762	* automatically prior to the message processing stage. However due to the
1763	* need to create the synthetic message hash, we defer that step until now
1764	* for HRR messages.
1765	*/
1766	if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1767	s->init_num + SSL3_HM_HEADER_LENGTH4)) {
1768	/* SSLfatal() already called */
1769	goto err;
1770	}
1771
1772	return MSG_PROCESS_FINISHED_READING;
1773	err:
1774	OPENSSL_free(extensions)CRYPTO_free(extensions, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1774);
1775	return MSG_PROCESS_ERROR;
1776	}
1777
1778	/* prepare server cert verification by setting s->session->peer_chain from pkt */
1779	MSG_PROCESS_RETURN tls_process_server_certificate(SSL s, PACKET pkt)
1780	{
1781	unsigned long cert_list_len, cert_len;
1782	X509 x = NULL((void)0);
1783	const unsigned char certstart, certbytes;
1784	size_t chainidx;
1785	unsigned int context = 0;
1786
1787	if ((s->session->peer_chain = sk_X509_new_null()((struct stack_st_X509 )OPENSSL_sk_new_null())) == NULL((void)0)) {
1788	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1788, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1789	goto err;
1790	}
1791
1792	if ((SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) && !PACKET_get_1(pkt, &context))
1793	\|\| context != 0
1794	\|\| !PACKET_get_net_3(pkt, &cert_list_len)
1795	\|\| PACKET_remaining(pkt) != cert_list_len
1796	\|\| PACKET_remaining(pkt) == 0) {
1797	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1797, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
1798	goto err;
1799	}
1800	for (chainidx = 0; PACKET_remaining(pkt); chainidx++) {
1801	if (!PACKET_get_net_3(pkt, &cert_len)
1802	\|\| !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
1803	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1803, __func__), ossl_statem_fatal)((s), (50), (135), ((void *)0));
1804	goto err;
1805	}
1806
1807	certstart = certbytes;
1808	x = X509_new_ex(s->ctx->libctx, s->ctx->propq);
1809	if (x == NULL((void*)0)) {
1810	SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1810, __func__), ossl_statem_fatal)((s), (50), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1811	ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" ,1811,__func__), ERR_set_error)((20),((256\|((0x1 << 18L )\|(0x2 << 18L)))),((void*)0));
1812	goto err;
1813	}
1814	if (d2i_X509(&x, (const unsigned char **)&certbytes,
1815	cert_len) == NULL((void*)0)) {
1816	SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1816, __func__), ossl_statem_fatal)((s), (42), ((13 \| (0x2 << 18L))), ((void*)0));
1817	goto err;
1818	}
1819
1820	if (certbytes != (certstart + cert_len)) {
1821	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1821, __func__), ossl_statem_fatal)((s), (50), (135), ((void *)0));
1822	goto err;
1823	}
1824
1825	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
1826	RAW_EXTENSION rawexts = NULL((void)0);
1827	PACKET extensions;
1828
1829	if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
1830	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1830, __func__), ossl_statem_fatal)((s), (50), (271), ((void *)0));
1831	goto err;
1832	}
1833	if (!tls_collect_extensions(s, &extensions,
1834	SSL_EXT_TLS1_3_CERTIFICATE0x1000, &rawexts,
1835	NULL((void*)0), chainidx == 0)
1836	\|\| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE0x1000,
1837	rawexts, x, chainidx,
1838	PACKET_remaining(pkt) == 0)) {
1839	OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1839);
1840	/* SSLfatal already called */
1841	goto err;
1842	}
1843	OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1843);
1844	}
1845
1846	if (!sk_X509_push(s->session->peer_chain, x)OPENSSL_sk_push(ossl_check_X509_sk_type(s->session->peer_chain ), ossl_check_X509_type(x))) {
1847	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1847, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1848	goto err;
1849	}
1850	x = NULL((void*)0);
1851	}
1852	return MSG_PROCESS_CONTINUE_PROCESSING;
1853
1854	err:
1855	X509_free(x);
1856	sk_X509_pop_free(s->session->peer_chain, X509_free)OPENSSL_sk_pop_free(ossl_check_X509_sk_type(s->session-> peer_chain),ossl_check_X509_freefunc_type(X509_free));
1857	s->session->peer_chain = NULL((void*)0);
1858	return MSG_PROCESS_ERROR;
1859	}
1860
1861	/*
1862	* Verify the s->session->peer_chain and check server cert type.
1863	* On success set s->session->peer and s->session->verify_result.
1864	* Else the peer certificate verification callback may request retry.
1865	*/
1866	WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst)
1867	{
1868	X509 *x;
1869	EVP_PKEY pkey = NULL((void)0);
1870	const SSL_CERT_LOOKUP *clu;
1871	size_t certidx;
1872	int i;
1873
1874	if (s->rwstate == SSL_RETRY_VERIFY8)
1875	s->rwstate = SSL_NOTHING1;
1876	i = ssl_verify_cert_chain(s, s->session->peer_chain);
1877	if (i > 0 && s->rwstate == SSL_RETRY_VERIFY8) {
1878	return WORK_MORE_A;
1879	}
1880	/*
1881	* The documented interface is that SSL_VERIFY_PEER should be set in order
1882	* for client side verification of the server certificate to take place.
1883	* However, historically the code has only checked that any flag is set
1884	* to cause server verification to take place. Use of the other flags makes
1885	* no sense in client mode. An attempt to clean up the semantics was
1886	* reverted because at least one application only set
1887	* SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
1888	* server verification to take place, after the clean up it silently did
1889	* nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
1890	* sent to them because they are void functions. Therefore, we now use the
1891	* (less clean) historic behaviour of performing validation if any flag is
1892	* set. The documented interface remains the same.
1893	*/
1894	if (s->verify_mode != SSL_VERIFY_NONE0x00 && i <= 0) {
1895	SSLfatal(s, ssl_x509err2alert(s->verify_result),(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1896, __func__), ossl_statem_fatal)((s), (ssl_x509err2alert (s->verify_result)), (134), ((void*)0))
1896	SSL_R_CERTIFICATE_VERIFY_FAILED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1896, __func__), ossl_statem_fatal)((s), (ssl_x509err2alert (s->verify_result)), (134), ((void*)0));
1897	return WORK_ERROR;
1898	}
1899	ERR_clear_error(); /* but we keep s->verify_result */
1900
1901	/*
1902	* Inconsistency alert: cert_chain does include the peer's certificate,
1903	* which we don't include in statem_srvr.c
1904	*/
1905	x = sk_X509_value(s->session->peer_chain, 0)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(s-> session->peer_chain), (0)));
1906
1907	pkey = X509_get0_pubkey(x);
1908
1909	if (pkey == NULL((void*)0) \|\| EVP_PKEY_missing_parameters(pkey)) {
1910	SSLfatal(s, SSL_AD_INTERNAL_ERROR,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1911, __func__), ossl_statem_fatal)((s), (80), (239), ((void *)0))
1911	SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1911, __func__), ossl_statem_fatal)((s), (80), (239), ((void *)0));
1912	return WORK_ERROR;
1913	}
1914
1915	if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL((void*)0)) {
1916	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1916, __func__), ossl_statem_fatal)((s), (47), (247), ((void *)0));
1917	return WORK_ERROR;
1918	}
1919	/*
1920	* Check certificate type is consistent with ciphersuite. For TLS 1.3
1921	* skip check since TLS 1.3 ciphersuites can be used with any certificate
1922	* type.
1923	*/
1924	if (!SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
1925	if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) {
1926	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1926, __func__), ossl_statem_fatal)((s), (47), (383), ((void *)0));
1927	return WORK_ERROR;
1928	}
1929	}
1930
1931	X509_free(s->session->peer);
1932	X509_up_ref(x);
1933	s->session->peer = x;
1934	s->session->verify_result = s->verify_result;
1935
1936	/* Save the current hash state for when we receive the CertificateVerify */
1937	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)
1938	&& !ssl_handshake_hash(s, s->cert_verify_hash,
1939	sizeof(s->cert_verify_hash),
1940	&s->cert_verify_hash_len)) {
1941	/* SSLfatal() already called */;
1942	return WORK_ERROR;
1943	}
1944	return WORK_FINISHED_CONTINUE;
1945	}
1946
1947	static int tls_process_ske_psk_preamble(SSL s, PACKET pkt)
1948	{
1949	#ifndef OPENSSL_NO_PSK
1950	PACKET psk_identity_hint;
1951
1952	/* PSK ciphersuites are preceded by an identity hint */
1953
1954	if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
1955	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1955, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
1956	return 0;
1957	}
1958
1959	/*
1960	* Store PSK identity hint for later use, hint is used in
1961	* tls_construct_client_key_exchange. Assume that the maximum length of
1962	* a PSK identity hint can be as long as the maximum length of a PSK
1963	* identity.
1964	*/
1965	if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN256) {
1966	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1966, __func__), ossl_statem_fatal)((s), (40), (146), ((void *)0));
1967	return 0;
1968	}
1969
1970	if (PACKET_remaining(&psk_identity_hint) == 0) {
1971	OPENSSL_free(s->session->psk_identity_hint)CRYPTO_free(s->session->psk_identity_hint, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1971);
1972	s->session->psk_identity_hint = NULL((void*)0);
1973	} else if (!PACKET_strndup(&psk_identity_hint,
1974	&s->session->psk_identity_hint)) {
1975	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1975, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1976	return 0;
1977	}
1978
1979	return 1;
1980	#else
1981	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1981, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
1982	return 0;
1983	#endif
1984	}
1985
1986	static int tls_process_ske_srp(SSL s, PACKET pkt, EVP_PKEY **pkey)
1987	{
1988	#ifndef OPENSSL_NO_SRP
1989	PACKET prime, generator, salt, server_pub;
1990
1991	if (!PACKET_get_length_prefixed_2(pkt, &prime)
1992	\|\| !PACKET_get_length_prefixed_2(pkt, &generator)
1993	\|\| !PACKET_get_length_prefixed_1(pkt, &salt)
1994	\|\| !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
1995	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 1995, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
1996	return 0;
1997	}
1998
1999	if ((s->srp_ctx.N =
2000	BN_bin2bn(PACKET_data(&prime),
2001	(int)PACKET_remaining(&prime), NULL((void)0))) == NULL((void)0)
2002	\|\| (s->srp_ctx.g =
2003	BN_bin2bn(PACKET_data(&generator),
2004	(int)PACKET_remaining(&generator), NULL((void)0))) == NULL((void)0)
2005	\|\| (s->srp_ctx.s =
2006	BN_bin2bn(PACKET_data(&salt),
2007	(int)PACKET_remaining(&salt), NULL((void)0))) == NULL((void)0)
2008	\|\| (s->srp_ctx.B =
2009	BN_bin2bn(PACKET_data(&server_pub),
2010	(int)PACKET_remaining(&server_pub), NULL((void)0))) == NULL((void)0)) {
2011	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2011, __func__), ossl_statem_fatal)((s), (80), ((3 \| (0x2 << 18L))), ((void*)0));
2012	return 0;
2013	}
2014
2015	if (!srp_verify_server_param(s)) {
2016	/* SSLfatal() already called */
2017	return 0;
2018	}
2019
2020	/* We must check if there is a certificate */
2021	if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA0x00000001U \| SSL_aDSS0x00000002U))
2022	*pkey = X509_get0_pubkey(s->session->peer);
2023
2024	return 1;
2025	#else
2026	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2026, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2027	return 0;
2028	#endif
2029	}
2030
2031	static int tls_process_ske_dhe(SSL s, PACKET pkt, EVP_PKEY **pkey)
2032	{
2033	PACKET prime, generator, pub_key;
2034	EVP_PKEY peer_tmp = NULL((void)0);
2035	BIGNUM p = NULL((void)0), g = NULL((void)0), bnpub_key = NULL((void)0);
2036	EVP_PKEY_CTX pctx = NULL((void)0);
2037	OSSL_PARAM params = NULL((void)0);
2038	OSSL_PARAM_BLD tmpl = NULL((void)0);
2039	int ret = 0;
2040
2041	if (!PACKET_get_length_prefixed_2(pkt, &prime)
2042	\|\| !PACKET_get_length_prefixed_2(pkt, &generator)
2043	\|\| !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
2044	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2044, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2045	return 0;
2046	}
2047
2048	p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL((void*)0));
2049	g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
2050	NULL((void*)0));
2051	bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
2052	(int)PACKET_remaining(&pub_key), NULL((void*)0));
2053	if (p == NULL((void)0) \|\| g == NULL((void)0) \|\| bnpub_key == NULL((void*)0)) {
2054	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2054, __func__), ossl_statem_fatal)((s), (80), ((3 \| (0x2 << 18L))), ((void*)0));
2055	goto err;
2056	}
2057
2058	tmpl = OSSL_PARAM_BLD_new();
2059	if (tmpl == NULL((void*)0)
2060	\|\| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P"p", p)
2061	\|\| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G"g", g)
2062	\|\| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY"pub",
2063	bnpub_key)
2064	\|\| (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL((void*)0)) {
2065	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2065, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2066	goto err;
2067	}
2068
2069	pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq);
2070	if (pctx == NULL((void*)0)) {
2071	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2071, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2072	goto err;
2073	}
2074	if (EVP_PKEY_fromdata_init(pctx) <= 0
2075	\|\| EVP_PKEY_fromdata(pctx, &peer_tmp, EVP_PKEY_KEYPAIR( ( ( ( 0x04 \| 0x80) ) \| 0x02 ) \| 0x01 ), params) <= 0) {
2076	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2076, __func__), ossl_statem_fatal)((s), (80), (102), ((void *)0));
2077	goto err;
2078	}
2079
2080	EVP_PKEY_CTX_free(pctx);
2081	pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, peer_tmp, s->ctx->propq);
2082	if (pctx == NULL((void*)0)
2083	/*
2084	* EVP_PKEY_param_check() will verify that the DH params are using
2085	* a safe prime. In this context, because we're using ephemeral DH,
2086	* we're ok with it not being a safe prime.
2087	* EVP_PKEY_param_check_quick() skips the safe prime check.
2088	*/
2089	\|\| EVP_PKEY_param_check_quick(pctx) != 1
2090	\|\| EVP_PKEY_public_check(pctx) != 1) {
2091	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2091, __func__), ossl_statem_fatal)((s), (47), (102), ((void *)0));
2092	goto err;
2093	}
2094
2095	if (!ssl_security(s, SSL_SECOP_TMP_DH(7 \| (4 << 16)),
2096	EVP_PKEY_get_security_bits(peer_tmp),
2097	0, peer_tmp)) {
2098	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2098, __func__), ossl_statem_fatal)((s), (40), (394), ((void *)0));
2099	goto err;
2100	}
2101
2102	s->s3.peer_tmp = peer_tmp;
2103	peer_tmp = NULL((void*)0);
2104
2105	/*
2106	* FIXME: This makes assumptions about which ciphersuites come with
2107	* public keys. We should have a less ad-hoc way of doing this
2108	*/
2109	if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA0x00000001U \| SSL_aDSS0x00000002U))
2110	*pkey = X509_get0_pubkey(s->session->peer);
2111	/* else anonymous DH, so no certificate or pkey. */
2112
2113	ret = 1;
2114
2115	err:
2116	OSSL_PARAM_BLD_free(tmpl);
2117	OSSL_PARAM_free(params);
2118	EVP_PKEY_free(peer_tmp);
2119	EVP_PKEY_CTX_free(pctx);
2120	BN_free(p);
2121	BN_free(g);
2122	BN_free(bnpub_key);
2123
2124	return ret;
2125	}
2126
2127	static int tls_process_ske_ecdhe(SSL s, PACKET pkt, EVP_PKEY **pkey)
2128	{
2129	PACKET encoded_pt;
2130	unsigned int curve_type, curve_id;
2131
2132	/*
2133	* Extract elliptic curve parameters and the server's ephemeral ECDH
2134	* public key. We only support named (not generic) curves and
2135	* ECParameters in this case is just three bytes.
2136	*/
2137	if (!PACKET_get_1(pkt, &curve_type) \|\| !PACKET_get_net_2(pkt, &curve_id)) {
2138	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2138, __func__), ossl_statem_fatal)((s), (50), (160), ((void *)0));
2139	return 0;
2140	}
2141	/*
2142	* Check curve is named curve type and one of our preferences, if not
2143	* server has sent an invalid curve.
2144	*/
2145	if (curve_type != NAMED_CURVE_TYPE3
2146	\|\| !tls1_check_group_id(s, curve_id, 1)) {
2147	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2147, __func__), ossl_statem_fatal)((s), (47), (378), ((void *)0));
2148	return 0;
2149	}
2150
2151	if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL((void*)0)) {
2152	SSLfatal(s, SSL_AD_INTERNAL_ERROR,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2153, __func__), ossl_statem_fatal)((s), (80), (314), ((void *)0))
2153	SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2153, __func__), ossl_statem_fatal)((s), (80), (314), ((void *)0));
2154	return 0;
2155	}
2156
2157	if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
2158	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2158, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2159	return 0;
2160	}
2161
2162	if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
2163	PACKET_data(&encoded_pt),
2164	PACKET_remaining(&encoded_pt)) <= 0) {
2165	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2165, __func__), ossl_statem_fatal)((s), (47), (306), ((void *)0));
2166	return 0;
2167	}
2168
2169	/*
2170	* The ECC/TLS specification does not mention the use of DSA to sign
2171	* ECParameters in the server key exchange message. We do support RSA
2172	* and ECDSA.
2173	*/
2174	if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA0x00000008U)
2175	*pkey = X509_get0_pubkey(s->session->peer);
2176	else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA0x00000001U)
2177	*pkey = X509_get0_pubkey(s->session->peer);
2178	/* else anonymous ECDH, so no certificate or pkey. */
2179
2180	/* Cache the agreed upon group in the SSL_SESSION */
2181	s->session->kex_group = curve_id;
2182	return 1;
2183	}
2184
2185	MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
2186	{
2187	long alg_k;
2188	EVP_PKEY pkey = NULL((void)0);
2189	EVP_MD_CTX md_ctx = NULL((void)0);
2190	EVP_PKEY_CTX pctx = NULL((void)0);
2191	PACKET save_param_start, signature;
2192
2193	alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
2194
2195	save_param_start = *pkt;
2196
2197	EVP_PKEY_free(s->s3.peer_tmp);
2198	s->s3.peer_tmp = NULL((void*)0);
2199
2200	if (alg_k & SSL_PSK(0x00000008U \| 0x00000040U \| 0x00000080U \| 0x00000100U)) {
2201	if (!tls_process_ske_psk_preamble(s, pkt)) {
2202	/* SSLfatal() already called */
2203	goto err;
2204	}
2205	}
2206
2207	/* Nothing else to do for plain PSK or RSAPSK */
2208	if (alg_k & (SSL_kPSK0x00000008U \| SSL_kRSAPSK0x00000040U)) {
2209	} else if (alg_k & SSL_kSRP0x00000020U) {
2210	if (!tls_process_ske_srp(s, pkt, &pkey)) {
2211	/* SSLfatal() already called */
2212	goto err;
2213	}
2214	} else if (alg_k & (SSL_kDHE0x00000002U \| SSL_kDHEPSK0x00000100U)) {
2215	if (!tls_process_ske_dhe(s, pkt, &pkey)) {
2216	/* SSLfatal() already called */
2217	goto err;
2218	}
2219	} else if (alg_k & (SSL_kECDHE0x00000004U \| SSL_kECDHEPSK0x00000080U)) {
2220	if (!tls_process_ske_ecdhe(s, pkt, &pkey)) {
2221	/* SSLfatal() already called */
2222	goto err;
2223	}
2224	} else if (alg_k) {
2225	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2225, __func__), ossl_statem_fatal)((s), (10), (244), ((void *)0));
2226	goto err;
2227	}
2228
2229	/* if it was signed, check the signature */
2230	if (pkey != NULL((void*)0)) {
2231	PACKET params;
2232	const EVP_MD md = NULL((void)0);
2233	unsigned char *tbs;
2234	size_t tbslen;
2235	int rv;
2236
2237	/*
2238	* \|pkt\| now points to the beginning of the signature, so the difference
2239	* equals the length of the parameters.
2240	*/
2241	if (!PACKET_get_sub_packet(&save_param_start, &params,
2242	PACKET_remaining(&save_param_start) -
2243	PACKET_remaining(pkt))) {
2244	SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2244, __func__), ossl_statem_fatal)((s), (50), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2245	goto err;
2246	}
2247
2248	if (SSL_USE_SIGALGS(s)(s->method->ssl3_enc->enc_flags & 0x2)) {
2249	unsigned int sigalg;
2250
2251	if (!PACKET_get_net_2(pkt, &sigalg)) {
2252	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2252, __func__), ossl_statem_fatal)((s), (50), (160), ((void *)0));
2253	goto err;
2254	}
2255	if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) {
2256	/* SSLfatal() already called */
2257	goto err;
2258	}
2259	} else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
2260	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2260, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2261	goto err;
2262	}
2263
2264	if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
2265	SSLfatal(s, SSL_AD_INTERNAL_ERROR,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2266, __func__), ossl_statem_fatal)((s), (80), (297), ((void *)0))
2266	SSL_R_NO_SUITABLE_DIGEST_ALGORITHM)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2266, __func__), ossl_statem_fatal)((s), (80), (297), ((void *)0));
2267	goto err;
2268	}
2269	if (SSL_USE_SIGALGS(s)(s->method->ssl3_enc->enc_flags & 0x2))
2270	OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",((void)0)
2271	md == NULL ? "n/a" : EVP_MD_get0_name(md))((void)0);
2272
2273	if (!PACKET_get_length_prefixed_2(pkt, &signature)
2274	\|\| PACKET_remaining(pkt) != 0) {
2275	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2275, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2276	goto err;
2277	}
2278
2279	md_ctx = EVP_MD_CTX_new();
2280	if (md_ctx == NULL((void*)0)) {
2281	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2281, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2282	goto err;
2283	}
2284
2285	if (EVP_DigestVerifyInit_ex(md_ctx, &pctx,
2286	md == NULL((void)0) ? NULL((void)0) : EVP_MD_get0_name(md),
2287	s->ctx->libctx, s->ctx->propq, pkey,
2288	NULL((void*)0)) <= 0) {
2289	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2289, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
2290	goto err;
2291	}
2292	if (SSL_USE_PSS(s)(s->s3.tmp.peer_sigalg != ((void*)0) && s->s3.tmp .peer_sigalg->sig == 912)) {
2293	if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING6) <= 0
2294	\|\| EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
2295	RSA_PSS_SALTLEN_DIGEST-1) <= 0) {
2296	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2296, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
2297	goto err;
2298	}
2299	}
2300	tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params),
2301	PACKET_remaining(&params));
2302	if (tbslen == 0) {
2303	/* SSLfatal() already called */
2304	goto err;
2305	}
2306
2307	rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature),
2308	PACKET_remaining(&signature), tbs, tbslen);
2309	OPENSSL_free(tbs)CRYPTO_free(tbs, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2309);
2310	if (rv <= 0) {
2311	SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2311, __func__), ossl_statem_fatal)((s), (51), (123), ((void *)0));
2312	goto err;
2313	}
2314	EVP_MD_CTX_free(md_ctx);
2315	md_ctx = NULL((void*)0);
2316	} else {
2317	/* aNULL, aSRP or PSK do not need public keys */
2318	if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL0x00000004U \| SSL_aSRP0x00000040U))
2319	&& !(alg_k & SSL_PSK(0x00000008U \| 0x00000040U \| 0x00000080U \| 0x00000100U))) {
2320	/* Might be wrong key type, check it */
2321	if (ssl3_check_cert_and_algorithm(s)) {
2322	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2322, __func__), ossl_statem_fatal)((s), (50), (390), ((void *)0));
2323	}
2324	/* else this shouldn't happen, SSLfatal() already called */
2325	goto err;
2326	}
2327	/* still data left over */
2328	if (PACKET_remaining(pkt) != 0) {
2329	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2329, __func__), ossl_statem_fatal)((s), (50), (153), ((void *)0));
2330	goto err;
2331	}
2332	}
2333
2334	return MSG_PROCESS_CONTINUE_READING;
2335	err:
2336	EVP_MD_CTX_free(md_ctx);
2337	return MSG_PROCESS_ERROR;
2338	}
2339
2340	MSG_PROCESS_RETURN tls_process_certificate_request(SSL s, PACKET pkt)
2341	{
2342	size_t i;
2343
2344	/* Clear certificate validity flags */
2345	for (i = 0; i < SSL_PKEY_NUM9; i++)
2346	s->s3.tmp.valid_flags[i] = 0;
2347
2348	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
2349	PACKET reqctx, extensions;
2350	RAW_EXTENSION rawexts = NULL((void)0);
2351
2352	if ((s->shutdown & SSL_SENT_SHUTDOWN1) != 0) {
2353	/*
2354	* We already sent close_notify. This can only happen in TLSv1.3
2355	* post-handshake messages. We can't reasonably respond to this, so
2356	* we just ignore it
2357	*/
2358	return MSG_PROCESS_FINISHED_READING;
2359	}
2360
2361	/* Free and zero certificate types: it is not present in TLS 1.3 */
2362	OPENSSL_free(s->s3.tmp.ctype)CRYPTO_free(s->s3.tmp.ctype, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2362);
2363	s->s3.tmp.ctype = NULL((void*)0);
2364	s->s3.tmp.ctype_len = 0;
2365	OPENSSL_free(s->pha_context)CRYPTO_free(s->pha_context, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2365);
2366	s->pha_context = NULL((void*)0);
2367	s->pha_context_len = 0;
2368
2369	if (!PACKET_get_length_prefixed_1(pkt, &reqctx) \|\|
2370	!PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) {
2371	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2371, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2372	return MSG_PROCESS_ERROR;
2373	}
2374
2375	if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
2376	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2376, __func__), ossl_statem_fatal)((s), (50), (271), ((void *)0));
2377	return MSG_PROCESS_ERROR;
2378	}
2379	if (!tls_collect_extensions(s, &extensions,
2380	SSL_EXT_TLS1_3_CERTIFICATE_REQUEST0x4000,
2381	&rawexts, NULL((void*)0), 1)
2382	\|\| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST0x4000,
2383	rawexts, NULL((void*)0), 0, 1)) {
2384	/* SSLfatal() already called */
2385	OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2385);
2386	return MSG_PROCESS_ERROR;
2387	}
2388	OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2388);
2389	if (!tls1_process_sigalgs(s)) {
2390	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2390, __func__), ossl_statem_fatal)((s), (80), (271), ((void *)0));
2391	return MSG_PROCESS_ERROR;
2392	}
2393	} else {
2394	PACKET ctypes;
2395
2396	/* get the certificate types */
2397	if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) {
2398	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2398, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2399	return MSG_PROCESS_ERROR;
2400	}
2401
2402	if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) {
2403	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2403, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2404	return MSG_PROCESS_ERROR;
2405	}
2406
2407	if (SSL_USE_SIGALGS(s)(s->method->ssl3_enc->enc_flags & 0x2)) {
2408	PACKET sigalgs;
2409
2410	if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) {
2411	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2411, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2412	return MSG_PROCESS_ERROR;
2413	}
2414
2415	/*
2416	* Despite this being for certificates, preserve compatibility
2417	* with pre-TLS 1.3 and use the regular sigalgs field.
2418	*/
2419	if (!tls1_save_sigalgs(s, &sigalgs, 0)) {
2420	SSLfatal(s, SSL_AD_INTERNAL_ERROR,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2421, __func__), ossl_statem_fatal)((s), (80), (360), ((void *)0))
2421	SSL_R_SIGNATURE_ALGORITHMS_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2421, __func__), ossl_statem_fatal)((s), (80), (360), ((void *)0));
2422	return MSG_PROCESS_ERROR;
2423	}
2424	if (!tls1_process_sigalgs(s)) {
2425	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2425, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2426	return MSG_PROCESS_ERROR;
2427	}
2428	}
2429
2430	/* get the CA RDNs */
2431	if (!parse_ca_names(s, pkt)) {
2432	/* SSLfatal() already called */
2433	return MSG_PROCESS_ERROR;
2434	}
2435	}
2436
2437	if (PACKET_remaining(pkt) != 0) {
2438	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2438, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2439	return MSG_PROCESS_ERROR;
2440	}
2441
2442	/* we should setup a certificate to return.... */
2443	s->s3.tmp.cert_req = 1;
2444
2445	/*
2446	* In TLSv1.3 we don't prepare the client certificate yet. We wait until
2447	* after the CertificateVerify message has been received. This is because
2448	* in TLSv1.3 the CertificateRequest arrives before the Certificate message
2449	* but in TLSv1.2 it is the other way around. We want to make sure that
2450	* SSL_get1_peer_certificate() returns something sensible in
2451	* client_cert_cb.
2452	*/
2453	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) && s->post_handshake_auth != SSL_PHA_REQUESTED)
2454	return MSG_PROCESS_CONTINUE_READING;
2455
2456	return MSG_PROCESS_CONTINUE_PROCESSING;
2457	}
2458
2459	MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL s, PACKET pkt)
2460	{
2461	unsigned int ticklen;
2462	unsigned long ticket_lifetime_hint, age_add = 0;
2463	unsigned int sess_len;
2464	RAW_EXTENSION exts = NULL((void)0);
2465	PACKET nonce;
2466	EVP_MD sha256 = NULL((void)0);
2467
2468	PACKET_null_init(&nonce);
2469
2470	if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
2471	\|\| (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)
2472	&& (!PACKET_get_net_4(pkt, &age_add)
2473	\|\| !PACKET_get_length_prefixed_1(pkt, &nonce)))
2474	\|\| !PACKET_get_net_2(pkt, &ticklen)
2475	\|\| (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) ? (ticklen == 0 \|\| PACKET_remaining(pkt) < ticklen)
2476	: PACKET_remaining(pkt) != ticklen)) {
2477	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2477, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2478	goto err;
2479	}
2480
2481	/*
2482	* Server is allowed to change its mind (in <=TLSv1.2) and send an empty
2483	* ticket. We already checked this TLSv1.3 case above, so it should never
2484	* be 0 here in that instance
2485	*/
2486	if (ticklen == 0)
2487	return MSG_PROCESS_CONTINUE_READING;
2488
2489	/*
2490	* Sessions must be immutable once they go into the session cache. Otherwise
2491	* we can get multi-thread problems. Therefore we don't "update" sessions,
2492	* we replace them with a duplicate. In TLSv1.3 we need to do this every
2493	* time a NewSessionTicket arrives because those messages arrive
2494	* post-handshake and the session may have already gone into the session
2495	* cache.
2496	*/
2497	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000) \|\| s->session->session_id_length > 0) {
2498	SSL_SESSION *new_sess;
2499
2500	/*
2501	* We reused an existing session, so we need to replace it with a new
2502	* one
2503	*/
2504	if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
2505	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2505, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2506	goto err;
2507	}
2508
2509	if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT0x0001) != 0
2510	&& !SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
2511	/*
2512	* In TLSv1.2 and below the arrival of a new tickets signals that
2513	* any old ticket we were using is now out of date, so we remove the
2514	* old session from the cache. We carry on if this fails
2515	*/
2516	SSL_CTX_remove_session(s->session_ctx, s->session);
2517	}
2518
2519	SSL_SESSION_free(s->session);
2520	s->session = new_sess;
2521	}
2522
2523	s->session->time = time(NULL((void*)0));
2524	ssl_session_calculate_timeout(s->session);
2525
2526	OPENSSL_free(s->session->ext.tick)CRYPTO_free(s->session->ext.tick, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2526);
2527	s->session->ext.tick = NULL((void*)0);
2528	s->session->ext.ticklen = 0;
2529
2530	s->session->ext.tick = OPENSSL_malloc(ticklen)CRYPTO_malloc(ticklen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2530);
2531	if (s->session->ext.tick == NULL((void*)0)) {
2532	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2532, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2533	goto err;
2534	}
2535	if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
2536	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2536, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2537	goto err;
2538	}
2539
2540	s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
2541	s->session->ext.tick_age_add = age_add;
2542	s->session->ext.ticklen = ticklen;
2543
2544	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
2545	PACKET extpkt;
2546
2547	if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
2548	\|\| PACKET_remaining(pkt) != 0) {
2549	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2549, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2550	goto err;
2551	}
2552
2553	if (!tls_collect_extensions(s, &extpkt,
2554	SSL_EXT_TLS1_3_NEW_SESSION_TICKET0x2000, &exts,
2555	NULL((void*)0), 1)
2556	\|\| !tls_parse_all_extensions(s,
2557	SSL_EXT_TLS1_3_NEW_SESSION_TICKET0x2000,
2558	exts, NULL((void*)0), 0, 1)) {
2559	/* SSLfatal() already called */
2560	goto err;
2561	}
2562	}
2563
2564	/*
2565	* There are two ways to detect a resumed ticket session. One is to set
2566	* an appropriate session ID and then the server must return a match in
2567	* ServerHello. This allows the normal client session ID matching to work
2568	* and we know much earlier that the ticket has been accepted. The
2569	* other way is to set zero length session ID when the ticket is
2570	* presented and rely on the handshake to determine session resumption.
2571	* We choose the former approach because this fits in with assumptions
2572	* elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the
2573	* ticket.
2574	*/
2575	sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq);
2576	if (sha256 == NULL((void*)0)) {
2577	/* Error is already recorded */
2578	SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR)ossl_statem_send_fatal((s), (80));
2579	goto err;
2580	}
2581	/*
2582	* We use sess_len here because EVP_Digest expects an int
2583	* but s->session->session_id_length is a size_t
2584	*/
2585	if (!EVP_Digest(s->session->ext.tick, ticklen,
2586	s->session->session_id, &sess_len,
2587	sha256, NULL((void*)0))) {
2588	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2588, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
2589	goto err;
2590	}
2591	EVP_MD_free(sha256);
2592	sha256 = NULL((void*)0);
2593	s->session->session_id_length = sess_len;
2594	s->session->not_resumable = 0;
2595
2596	/* This is a standalone message in TLSv1.3, so there is no more to read */
2597	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
2598	const EVP_MD *md = ssl_handshake_md(s);
2599	int hashleni = EVP_MD_get_size(md);
2600	size_t hashlen;
2601	static const unsigned char nonce_label[] = "resumption";
2602
2603	/* Ensure cast to size_t is safe */
2604	if (!ossl_assert(hashleni >= 0)((hashleni >= 0) != 0)) {
2605	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2605, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2606	goto err;
2607	}
2608	hashlen = (size_t)hashleni;
2609
2610	if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
2611	nonce_label,
2612	sizeof(nonce_label) - 1,
2613	PACKET_data(&nonce),
2614	PACKET_remaining(&nonce),
2615	s->session->master_key,
2616	hashlen, 1)) {
2617	/* SSLfatal() already called */
2618	goto err;
2619	}
2620	s->session->master_key_length = hashlen;
2621
2622	OPENSSL_free(exts)CRYPTO_free(exts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2622);
2623	ssl_update_cache(s, SSL_SESS_CACHE_CLIENT0x0001);
2624	return MSG_PROCESS_FINISHED_READING;
2625	}
2626
2627	return MSG_PROCESS_CONTINUE_READING;
2628	err:
2629	EVP_MD_free(sha256);
2630	OPENSSL_free(exts)CRYPTO_free(exts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2630);
2631	return MSG_PROCESS_ERROR;
2632	}
2633
2634	/*
2635	* In TLSv1.3 this is called from the extensions code, otherwise it is used to
2636	* parse a separate message. Returns 1 on success or 0 on failure
2637	*/
2638	int tls_process_cert_status_body(SSL s, PACKET pkt)
2639	{
2640	size_t resplen;
2641	unsigned int type;
2642
2643	if (!PACKET_get_1(pkt, &type)
2644	\|\| type != TLSEXT_STATUSTYPE_ocsp1) {
2645	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2645, __func__), ossl_statem_fatal)((s), (50), (329), ((void *)0));
2646	return 0;
2647	}
2648	if (!PACKET_get_net_3_len(pkt, &resplen)
2649	\|\| PACKET_remaining(pkt) != resplen) {
2650	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2650, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2651	return 0;
2652	}
2653	s->ext.ocsp.resp = OPENSSL_malloc(resplen)CRYPTO_malloc(resplen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2653);
2654	if (s->ext.ocsp.resp == NULL((void*)0)) {
2655	s->ext.ocsp.resp_len = 0;
2656	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2656, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2657	return 0;
2658	}
2659	s->ext.ocsp.resp_len = resplen;
2660	if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
2661	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2661, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2662	return 0;
2663	}
2664
2665	return 1;
2666	}
2667
2668
2669	MSG_PROCESS_RETURN tls_process_cert_status(SSL s, PACKET pkt)
2670	{
2671	if (!tls_process_cert_status_body(s, pkt)) {
2672	/* SSLfatal() already called */
2673	return MSG_PROCESS_ERROR;
2674	}
2675
2676	return MSG_PROCESS_CONTINUE_READING;
2677	}
2678
2679	/*
2680	* Perform miscellaneous checks and processing after we have received the
2681	* server's initial flight. In TLS1.3 this is after the Server Finished message.
2682	* In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
2683	* on failure.
2684	*/
2685	int tls_process_initial_server_flight(SSL *s)
2686	{
2687	/*
2688	* at this point we check that we have the required stuff from
2689	* the server
2690	*/
2691	if (!ssl3_check_cert_and_algorithm(s)) {
2692	/* SSLfatal() already called */
2693	return 0;
2694	}
2695
2696	/*
2697	* Call the ocsp status callback if needed. The \|ext.ocsp.resp\| and
2698	* \|ext.ocsp.resp_len\| values will be set if we actually received a status
2699	* message, or NULL and -1 otherwise
2700	*/
2701	if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing-1
2702	&& s->ctx->ext.status_cb != NULL((void*)0)) {
2703	int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
2704
2705	if (ret == 0) {
2706	SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2707, __func__), ossl_statem_fatal)((s), (113), (328), ((void *)0))
2707	SSL_R_INVALID_STATUS_RESPONSE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2707, __func__), ossl_statem_fatal)((s), (113), (328), ((void *)0));
2708	return 0;
2709	}
2710	if (ret < 0) {
2711	SSLfatal(s, SSL_AD_INTERNAL_ERROR,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2712, __func__), ossl_statem_fatal)((s), (80), (305), ((void *)0))
2712	SSL_R_OCSP_CALLBACK_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2712, __func__), ossl_statem_fatal)((s), (80), (305), ((void *)0));
2713	return 0;
2714	}
2715	}
2716	#ifndef OPENSSL_NO_CT
2717	if (s->ct_validation_callback != NULL((void*)0)) {
2718	/* Note we validate the SCTs whether or not we abort on error */
2719	if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER0x01)) {
2720	/* SSLfatal() already called */
2721	return 0;
2722	}
2723	}
2724	#endif
2725
2726	return 1;
2727	}
2728
2729	MSG_PROCESS_RETURN tls_process_server_done(SSL s, PACKET pkt)
2730	{
2731	if (PACKET_remaining(pkt) > 0) {
2732	/* should contain no data */
2733	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2733, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
2734	return MSG_PROCESS_ERROR;
2735	}
2736	#ifndef OPENSSL_NO_SRP
2737	if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP0x00000020U) {
2738	if (ssl_srp_calc_a_param_intern(s) <= 0) {
2739	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2739, __func__), ossl_statem_fatal)((s), (80), (361), ((void *)0));
2740	return MSG_PROCESS_ERROR;
2741	}
2742	}
2743	#endif
2744
2745	if (!tls_process_initial_server_flight(s)) {
2746	/* SSLfatal() already called */
2747	return MSG_PROCESS_ERROR;
2748	}
2749
2750	return MSG_PROCESS_FINISHED_READING;
2751	}
2752
2753	static int tls_construct_cke_psk_preamble(SSL s, WPACKET pkt)
2754	{
2755	#ifndef OPENSSL_NO_PSK
2756	int ret = 0;
2757	/*
2758	* The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
2759	* \0-terminated identity. The last byte is for us for simulating
2760	* strnlen.
2761	*/
2762	char identity[PSK_MAX_IDENTITY_LEN256 + 1];
2763	size_t identitylen = 0;
2764	unsigned char psk[PSK_MAX_PSK_LEN512];
2765	unsigned char tmppsk = NULL((void)0);
2766	char tmpidentity = NULL((void)0);
2767	size_t psklen = 0;
2768
2769	if (s->psk_client_callback == NULL((void*)0)) {
2770	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2770, __func__), ossl_statem_fatal)((s), (80), (224), ((void *)0));
2771	goto err;
2772	}
2773
2774	memset(identity, 0, sizeof(identity));
2775
2776	psklen = s->psk_client_callback(s, s->session->psk_identity_hint,
2777	identity, sizeof(identity) - 1,
2778	psk, sizeof(psk));
2779
2780	if (psklen > PSK_MAX_PSK_LEN512) {
2781	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2781, __func__), ossl_statem_fatal)((s), (40), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2782	psklen = PSK_MAX_PSK_LEN512; /* Avoid overrunning the array on cleanse */
2783	goto err;
2784	} else if (psklen == 0) {
2785	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2785, __func__), ossl_statem_fatal)((s), (40), (223), ((void *)0));
2786	goto err;
2787	}
2788
2789	identitylen = strlen(identity);
2790	if (identitylen > PSK_MAX_IDENTITY_LEN256) {
2791	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2791, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2792	goto err;
2793	}
2794
2795	tmppsk = OPENSSL_memdup(psk, psklen)CRYPTO_memdup((psk), psklen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2795);
2796	tmpidentity = OPENSSL_strdup(identity)CRYPTO_strdup(identity, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2796);
2797	if (tmppsk == NULL((void)0) \|\| tmpidentity == NULL((void)0)) {
2798	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2798, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2799	goto err;
2800	}
2801
2802	OPENSSL_free(s->s3.tmp.psk)CRYPTO_free(s->s3.tmp.psk, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2802);
2803	s->s3.tmp.psk = tmppsk;
2804	s->s3.tmp.psklen = psklen;
2805	tmppsk = NULL((void*)0);
2806	OPENSSL_free(s->session->psk_identity)CRYPTO_free(s->session->psk_identity, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2806);
2807	s->session->psk_identity = tmpidentity;
2808	tmpidentity = NULL((void*)0);
2809
2810	if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)WPACKET_sub_memcpy__((pkt), (identity), (identitylen), 2)) {
2811	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2811, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2812	goto err;
2813	}
2814
2815	ret = 1;
2816
2817	err:
2818	OPENSSL_cleanse(psk, psklen);
2819	OPENSSL_cleanse(identity, sizeof(identity));
2820	OPENSSL_clear_free(tmppsk, psklen)CRYPTO_clear_free(tmppsk, psklen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2820);
2821	OPENSSL_clear_free(tmpidentity, identitylen)CRYPTO_clear_free(tmpidentity, identitylen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2821);
2822
2823	return ret;
2824	#else
2825	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2825, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2826	return 0;
2827	#endif
2828	}
2829
2830	static int tls_construct_cke_rsa(SSL s, WPACKET pkt)
2831	{
2832	unsigned char encdata = NULL((void)0);
2833	EVP_PKEY pkey = NULL((void)0);
2834	EVP_PKEY_CTX pctx = NULL((void)0);
2835	size_t enclen;
2836	unsigned char pms = NULL((void)0);
2837	size_t pmslen = 0;
2838
2839	if (s->session->peer == NULL((void*)0)) {
2840	/*
2841	* We should always have a server certificate with SSL_kRSA.
2842	*/
2843	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2843, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2844	return 0;
2845	}
2846
2847	pkey = X509_get0_pubkey(s->session->peer);
2848	if (!EVP_PKEY_is_a(pkey, "RSA")) {
2849	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2849, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2850	return 0;
2851	}
2852
2853	pmslen = SSL_MAX_MASTER_KEY_LENGTH48;
2854	pms = OPENSSL_malloc(pmslen)CRYPTO_malloc(pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2854);
2855	if (pms == NULL((void*)0)) {
2856	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2856, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2857	return 0;
2858	}
2859
2860	pms[0] = s->client_version >> 8;
2861	pms[1] = s->client_version & 0xff;
2862	if (RAND_bytes_ex(s->ctx->libctx, pms + 2, pmslen - 2, 0) <= 0) {
2863	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2863, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2864	goto err;
2865	}
2866
2867	/* Fix buf for TLS and beyond */
2868	if (s->version > SSL3_VERSION0x0300 && !WPACKET_start_sub_packet_u16(pkt)WPACKET_start_sub_packet_len__((pkt), 2)) {
2869	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2869, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2870	goto err;
2871	}
2872
2873	pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pkey, s->ctx->propq);
2874	if (pctx == NULL((void*)0) \|\| EVP_PKEY_encrypt_init(pctx) <= 0
2875	\|\| EVP_PKEY_encrypt(pctx, NULL((void*)0), &enclen, pms, pmslen) <= 0) {
2876	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2876, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
2877	goto err;
2878	}
2879	if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
2880	\|\| EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
2881	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2881, __func__), ossl_statem_fatal)((s), (80), (119), ((void *)0));
2882	goto err;
2883	}
2884	EVP_PKEY_CTX_free(pctx);
2885	pctx = NULL((void*)0);
2886
2887	/* Fix buf for TLS and beyond */
2888	if (s->version > SSL3_VERSION0x0300 && !WPACKET_close(pkt)) {
2889	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2889, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2890	goto err;
2891	}
2892
2893	/* Log the premaster secret, if logging is enabled. */
2894	if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) {
2895	/* SSLfatal() already called */
2896	goto err;
2897	}
2898
2899	s->s3.tmp.pms = pms;
2900	s->s3.tmp.pmslen = pmslen;
2901
2902	return 1;
2903	err:
2904	OPENSSL_clear_free(pms, pmslen)CRYPTO_clear_free(pms, pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2904);
2905	EVP_PKEY_CTX_free(pctx);
2906
2907	return 0;
2908	}
2909
2910	static int tls_construct_cke_dhe(SSL s, WPACKET pkt)
2911	{
2912	EVP_PKEY ckey = NULL((void)0), skey = NULL((void)0);
2913	unsigned char keybytes = NULL((void)0);
2914	int prime_len;
2915	unsigned char encoded_pub = NULL((void)0);
2916	size_t encoded_pub_len, pad_len;
2917	int ret = 0;
2918
2919	skey = s->s3.peer_tmp;
2920	if (skey == NULL((void*)0)) {
2921	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2921, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2922	goto err;
2923	}
2924
2925	ckey = ssl_generate_pkey(s, skey);
2926	if (ckey == NULL((void*)0)) {
2927	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2927, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2928	goto err;
2929	}
2930
2931	if (ssl_derive(s, ckey, skey, 0) == 0) {
2932	/* SSLfatal() already called */
2933	goto err;
2934	}
2935
2936	/* send off the data */
2937
2938	/* Generate encoding of server key */
2939	encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, &encoded_pub);
2940	if (encoded_pub_len == 0) {
2941	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2941, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2942	EVP_PKEY_free(ckey);
2943	return EXT_RETURN_FAIL;
2944	}
2945
2946	/*
2947	* For interoperability with some versions of the Microsoft TLS
2948	* stack, we need to zero pad the DHE pub key to the same length
2949	* as the prime.
2950	*/
2951	prime_len = EVP_PKEY_get_size(ckey);
2952	pad_len = prime_len - encoded_pub_len;
2953	if (pad_len > 0) {
2954	if (!WPACKET_sub_allocate_bytes_u16(pkt, pad_len, &keybytes)WPACKET_sub_allocate_bytes__((pkt), (pad_len), (&keybytes ), 2)) {
2955	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2955, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2956	goto err;
2957	}
2958	memset(keybytes, 0, pad_len);
2959	}
2960
2961	if (!WPACKET_sub_memcpy_u16(pkt, encoded_pub, encoded_pub_len)WPACKET_sub_memcpy__((pkt), (encoded_pub), (encoded_pub_len), 2)) {
2962	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2962, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2963	goto err;
2964	}
2965
2966	ret = 1;
2967	err:
2968	OPENSSL_free(encoded_pub)CRYPTO_free(encoded_pub, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2968);
2969	EVP_PKEY_free(ckey);
2970	return ret;
2971	}
2972
2973	static int tls_construct_cke_ecdhe(SSL s, WPACKET pkt)
2974	{
2975	unsigned char encodedPoint = NULL((void)0);
2976	size_t encoded_pt_len = 0;
2977	EVP_PKEY ckey = NULL((void)0), skey = NULL((void)0);
2978	int ret = 0;
2979
2980	skey = s->s3.peer_tmp;
2981	if (skey == NULL((void*)0)) {
2982	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2982, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2983	return 0;
2984	}
2985
2986	ckey = ssl_generate_pkey(s, skey);
2987	if (ckey == NULL((void*)0)) {
2988	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 2988, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
2989	goto err;
2990	}
2991
2992	if (ssl_derive(s, ckey, skey, 0) == 0) {
2993	/* SSLfatal() already called */
2994	goto err;
2995	}
2996
2997	/* Generate encoding of client key */
2998	encoded_pt_len = EVP_PKEY_get1_encoded_public_key(ckey, &encodedPoint);
2999
3000	if (encoded_pt_len == 0) {
3001	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3001, __func__), ossl_statem_fatal)((s), (80), ((16 \| (0x2 << 18L))), ((void*)0));
3002	goto err;
3003	}
3004
3005	if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)WPACKET_sub_memcpy__((pkt), (encodedPoint), (encoded_pt_len), 1)) {
3006	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3006, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3007	goto err;
3008	}
3009
3010	ret = 1;
3011	err:
3012	OPENSSL_free(encodedPoint)CRYPTO_free(encodedPoint, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3012);
3013	EVP_PKEY_free(ckey);
3014	return ret;
3015	}
3016
3017	static int tls_construct_cke_gost(SSL s, WPACKET pkt)
3018	{
3019	#ifndef OPENSSL_NO_GOST
3020	/* GOST key exchange message creation */
3021	EVP_PKEY_CTX pkey_ctx = NULL((void)0);
3022	X509 *peer_cert;
3023	size_t msglen;
3024	unsigned int md_len;
3025	unsigned char shared_ukm[32], tmp[256];
3026	EVP_MD_CTX ukm_hash = NULL((void)0);
3027	int dgst_nid = NID_id_GostR3411_94809;
3028	unsigned char pms = NULL((void)0);
3029	size_t pmslen = 0;
3030
3031	if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST120x00000080U) != 0)
3032	dgst_nid = NID_id_GostR3411_2012_256982;
3033
3034	/*
3035	* Get server certificate PKEY and create ctx from it
3036	*/
3037	peer_cert = s->session->peer;
3038	if (peer_cert == NULL((void*)0)) {
3039	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3040, __func__), ossl_statem_fatal)((s), (40), (330), ((void *)0))
3040	SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3040, __func__), ossl_statem_fatal)((s), (40), (330), ((void *)0));
3041	return 0;
3042	}
3043
3044	pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx,
3045	X509_get0_pubkey(peer_cert),
3046	s->ctx->propq);
3047	if (pkey_ctx == NULL((void*)0)) {
3048	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3048, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3049	return 0;
3050	}
3051	/*
3052	* If we have send a certificate, and certificate key
3053	* parameters match those of server certificate, use
3054	* certificate key for key exchange
3055	*/
3056
3057	/* Otherwise, generate ephemeral key pair */
3058	pmslen = 32;
3059	pms = OPENSSL_malloc(pmslen)CRYPTO_malloc(pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3059);
3060	if (pms == NULL((void*)0)) {
3061	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3061, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3062	goto err;
3063	}
3064
3065	if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
3066	/* Generate session key
3067	*/
3068	\|\| RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) {
3069	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3069, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3070	goto err;
3071	};
3072	/*
3073	* Compute shared IV and store it in algorithm-specific context
3074	* data
3075	*/
3076	ukm_hash = EVP_MD_CTX_new();
3077	if (ukm_hash == NULL((void*)0)
3078	\|\| EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)EVP_get_digestbyname(OBJ_nid2sn(dgst_nid))) <= 0
3079	\|\| EVP_DigestUpdate(ukm_hash, s->s3.client_random,
3080	SSL3_RANDOM_SIZE32) <= 0
3081	\|\| EVP_DigestUpdate(ukm_hash, s->s3.server_random,
3082	SSL3_RANDOM_SIZE32) <= 0
3083	\|\| EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
3084	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3084, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3085	goto err;
3086	}
3087	EVP_MD_CTX_free(ukm_hash);
3088	ukm_hash = NULL((void*)0);
3089	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT(1<<9),
3090	EVP_PKEY_CTRL_SET_IV8, 8, shared_ukm) <= 0) {
3091	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3091, __func__), ossl_statem_fatal)((s), (80), (274), ((void *)0));
3092	goto err;
3093	}
3094	/* Make GOST keytransport blob message */
3095	/*
3096	* Encapsulate it into sequence
3097	*/
3098	msglen = 255;
3099	if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
3100	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3100, __func__), ossl_statem_fatal)((s), (80), (274), ((void *)0));
3101	goto err;
3102	}
3103
3104	if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE \| V_ASN1_CONSTRUCTED)WPACKET_put_bytes__((pkt), (16 \| 0x20), 1)
3105	\|\| (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81)WPACKET_put_bytes__((pkt), (0x81), 1))
3106	\|\| !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)WPACKET_sub_memcpy__((pkt), (tmp), (msglen), 1)) {
3107	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3107, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3108	goto err;
3109	}
3110
3111	EVP_PKEY_CTX_free(pkey_ctx);
3112	s->s3.tmp.pms = pms;
3113	s->s3.tmp.pmslen = pmslen;
3114
3115	return 1;
3116	err:
3117	EVP_PKEY_CTX_free(pkey_ctx);
3118	OPENSSL_clear_free(pms, pmslen)CRYPTO_clear_free(pms, pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3118);
3119	EVP_MD_CTX_free(ukm_hash);
3120	return 0;
3121	#else
3122	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3122, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3123	return 0;
3124	#endif
3125	}
3126
3127	#ifndef OPENSSL_NO_GOST
3128	int ossl_gost18_cke_cipher_nid(const SSL *s)
3129	{
3130	if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA0x00400000U) != 0)
3131	return NID_magma_ctr1188;
3132	else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK0x00800000U) != 0)
3133	return NID_kuznyechik_ctr1013;
3134
3135	return NID_undef0;
3136	}
3137
3138	int ossl_gost_ukm(const SSL s, unsigned char dgst_buf)
3139	{
3140	EVP_MD_CTX * hash = NULL((void*)0);
3141	unsigned int md_len;
3142	const EVP_MD *md = ssl_evp_md_fetch(s->ctx->libctx, NID_id_GostR3411_2012_256982, s->ctx->propq);
3143
3144	if (md == NULL((void*)0))
3145	return 0;
3146
3147	if ((hash = EVP_MD_CTX_new()) == NULL((void*)0)
3148	\|\| EVP_DigestInit(hash, md) <= 0
3149	\|\| EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE32) <= 0
3150	\|\| EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE32) <= 0
3151	\|\| EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) {
3152	EVP_MD_CTX_free(hash);
3153	ssl_evp_md_free(md);
3154	return 0;
3155	}
3156
3157	EVP_MD_CTX_free(hash);
3158	ssl_evp_md_free(md);
3159	return 1;
3160	}
3161	#endif
3162
3163	static int tls_construct_cke_gost18(SSL s, WPACKET pkt)
3164	{
3165	#ifndef OPENSSL_NO_GOST
3166	/* GOST 2018 key exchange message creation */
3167	unsigned char rnd_dgst[32];
3168	unsigned char encdata = NULL((void)0);
3169	EVP_PKEY_CTX pkey_ctx = NULL((void)0);
3170	X509 *peer_cert;
3171	unsigned char pms = NULL((void)0);
3172	size_t pmslen = 0;
3173	size_t msglen;
3174	int cipher_nid = ossl_gost18_cke_cipher_nid(s);
3175
3176	if (cipher_nid == NID_undef0) {
3177	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3177, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3178	return 0;
3179	}
3180
3181	if (ossl_gost_ukm(s, rnd_dgst) <= 0) {
3182	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3182, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3183	goto err;
3184	}
3185
3186	/* Pre-master secret - random bytes */
3187	pmslen = 32;
3188	pms = OPENSSL_malloc(pmslen)CRYPTO_malloc(pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3188);
3189	if (pms == NULL((void*)0)) {
3190	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3190, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3191	goto err;
3192	}
3193
3194	if (RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) {
3195	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3195, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3196	goto err;
3197	}
3198
3199	/* Get server certificate PKEY and create ctx from it */
3200	peer_cert = s->session->peer;
3201	if (peer_cert == NULL((void*)0)) {
3202	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3203, __func__), ossl_statem_fatal)((s), (40), (330), ((void *)0))
3203	SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3203, __func__), ossl_statem_fatal)((s), (40), (330), ((void *)0));
3204	goto err;
3205	}
3206
3207	pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx,
3208	X509_get0_pubkey(peer_cert),
3209	s->ctx->propq);
3210	if (pkey_ctx == NULL((void*)0)) {
3211	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3211, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3212	goto err;
3213	}
3214
3215	if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 ) {
3216	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3216, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3217	goto err;
3218	};
3219
3220	/* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */
3221	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT(1<<9),
3222	EVP_PKEY_CTRL_SET_IV8, 32, rnd_dgst) <= 0) {
3223	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3223, __func__), ossl_statem_fatal)((s), (80), (274), ((void *)0));
3224	goto err;
3225	}
3226
3227	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT(1<<9),
3228	EVP_PKEY_CTRL_CIPHER12, cipher_nid, NULL((void*)0)) <= 0) {
3229	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3229, __func__), ossl_statem_fatal)((s), (80), (274), ((void *)0));
3230	goto err;
3231	}
3232
3233	if (EVP_PKEY_encrypt(pkey_ctx, NULL((void*)0), &msglen, pms, pmslen) <= 0) {
3234	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3234, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
3235	goto err;
3236	}
3237
3238	if (!WPACKET_allocate_bytes(pkt, msglen, &encdata)
3239	\|\| EVP_PKEY_encrypt(pkey_ctx, encdata, &msglen, pms, pmslen) <= 0) {
3240	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3240, __func__), ossl_statem_fatal)((s), (80), ((6 \| (0x2 << 18L))), ((void*)0));
3241	goto err;
3242	}
3243
3244	EVP_PKEY_CTX_free(pkey_ctx);
3245	pkey_ctx = NULL((void*)0);
3246	s->s3.tmp.pms = pms;
3247	s->s3.tmp.pmslen = pmslen;
3248
3249	return 1;
3250	err:
3251	EVP_PKEY_CTX_free(pkey_ctx);
3252	OPENSSL_clear_free(pms, pmslen)CRYPTO_clear_free(pms, pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3252);
3253	return 0;
3254	#else
3255	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3255, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3256	return 0;
3257	#endif
3258	}
3259
3260	static int tls_construct_cke_srp(SSL s, WPACKET pkt)
3261	{
3262	#ifndef OPENSSL_NO_SRP
3263	unsigned char abytes = NULL((void)0);
3264
3265	if (s->srp_ctx.A == NULL((void*)0)
3266	\|\| !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),WPACKET_sub_allocate_bytes__((pkt), (((BN_num_bits(s->srp_ctx .A)+7)/8)), (&abytes), 2)
3267	&abytes)WPACKET_sub_allocate_bytes__((pkt), (((BN_num_bits(s->srp_ctx .A)+7)/8)), (&abytes), 2)) {
3268	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3268, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3269	return 0;
3270	}
3271	BN_bn2bin(s->srp_ctx.A, abytes);
3272
3273	OPENSSL_free(s->session->srp_username)CRYPTO_free(s->session->srp_username, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3273);
3274	s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login)CRYPTO_strdup(s->srp_ctx.login, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3274);
3275	if (s->session->srp_username == NULL((void*)0)) {
3276	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3276, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3277	return 0;
3278	}
3279
3280	return 1;
3281	#else
3282	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3282, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3283	return 0;
3284	#endif
3285	}
3286
3287	int tls_construct_client_key_exchange(SSL s, WPACKET pkt)
3288	{
3289	unsigned long alg_k;
3290
3291	alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
3292
3293	/*
3294	* All of the construct functions below call SSLfatal() if necessary so
3295	* no need to do so here.
3296	*/
3297	if ((alg_k & SSL_PSK(0x00000008U \| 0x00000040U \| 0x00000080U \| 0x00000100U))
3298	&& !tls_construct_cke_psk_preamble(s, pkt))
3299	goto err;
3300
3301	if (alg_k & (SSL_kRSA0x00000001U \| SSL_kRSAPSK0x00000040U)) {
3302	if (!tls_construct_cke_rsa(s, pkt))
3303	goto err;
3304	} else if (alg_k & (SSL_kDHE0x00000002U \| SSL_kDHEPSK0x00000100U)) {
3305	if (!tls_construct_cke_dhe(s, pkt))
3306	goto err;
3307	} else if (alg_k & (SSL_kECDHE0x00000004U \| SSL_kECDHEPSK0x00000080U)) {
3308	if (!tls_construct_cke_ecdhe(s, pkt))
3309	goto err;
3310	} else if (alg_k & SSL_kGOST0x00000010U) {
3311	if (!tls_construct_cke_gost(s, pkt))
3312	goto err;
3313	} else if (alg_k & SSL_kGOST180x00000200U) {
3314	if (!tls_construct_cke_gost18(s, pkt))
3315	goto err;
3316	} else if (alg_k & SSL_kSRP0x00000020U) {
3317	if (!tls_construct_cke_srp(s, pkt))
3318	goto err;
3319	} else if (!(alg_k & SSL_kPSK0x00000008U)) {
3320	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3320, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3321	goto err;
3322	}
3323
3324	return 1;
3325	err:
3326	OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen)CRYPTO_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3326);
3327	s->s3.tmp.pms = NULL((void*)0);
3328	s->s3.tmp.pmslen = 0;
3329	#ifndef OPENSSL_NO_PSK
3330	OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen)CRYPTO_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3330);
3331	s->s3.tmp.psk = NULL((void*)0);
3332	s->s3.tmp.psklen = 0;
3333	#endif
3334	return 0;
3335	}
3336
3337	int tls_client_key_exchange_post_work(SSL *s)
3338	{
3339	unsigned char pms = NULL((void)0);
3340	size_t pmslen = 0;
3341
3342	pms = s->s3.tmp.pms;
3343	pmslen = s->s3.tmp.pmslen;
3344
3345	#ifndef OPENSSL_NO_SRP
3346	/* Check for SRP */
3347	if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP0x00000020U) {
3348	if (!srp_generate_client_master_secret(s)) {
3349	/* SSLfatal() already called */
3350	goto err;
3351	}
3352	return 1;
3353	}
3354	#endif
3355
3356	if (pms == NULL((void*)0) && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK0x00000008U)) {
3357	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3357, __func__), ossl_statem_fatal)((s), (80), ((256\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3358	goto err;
3359	}
3360	if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
3361	/* SSLfatal() already called */
3362	/* ssl_generate_master_secret frees the pms even on error */
3363	pms = NULL((void*)0);
3364	pmslen = 0;
3365	goto err;
3366	}
3367	pms = NULL((void*)0);
3368	pmslen = 0;
	Value stored to 'pmslen' is never read
3369
3370	#ifndef OPENSSL_NO_SCTP
3371	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
3372	unsigned char sctpauthkey[64];
3373	char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
3374	size_t labellen;
3375
3376	/*
3377	* Add new shared key for SCTP-Auth, will be ignored if no SCTP
3378	* used.
3379	*/
3380	memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
3381	sizeof(DTLS1_SCTP_AUTH_LABEL));
3382
3383	/* Don't include the terminating zero. */
3384	labellen = sizeof(labelbuffer) - 1;
3385	if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG0x00000400U)
3386	labellen += 1;
3387
3388	if (SSL_export_keying_material(s, sctpauthkey,
3389	sizeof(sctpauthkey), labelbuffer,
3390	labellen, NULL((void*)0), 0, 0) <= 0) {
3391	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3391, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3392	goto err;
3393	}
3394
3395	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
3396	sizeof(sctpauthkey), sctpauthkey);
3397	}
3398	#endif
3399
3400	return 1;
3401	err:
3402	OPENSSL_clear_free(pms, pmslen)CRYPTO_clear_free(pms, pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3402);
3403	s->s3.tmp.pms = NULL((void*)0);
3404	s->s3.tmp.pmslen = 0;
3405	return 0;
3406	}
3407
3408	/*
3409	* Check a certificate can be used for client authentication. Currently check
3410	* cert exists, if we have a suitable digest for TLS 1.2 if static DH client
3411	* certificates can be used and optionally checks suitability for Suite B.
3412	*/
3413	static int ssl3_check_client_certificate(SSL *s)
3414	{
3415	/* If no suitable signature algorithm can't use certificate */
3416	if (!tls_choose_sigalg(s, 0) \|\| s->s3.tmp.sigalg == NULL((void*)0))
3417	return 0;
3418	/*
3419	* If strict mode check suitability of chain before using it. This also
3420	* adjusts suite B digest if necessary.
3421	*/
3422	if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT(0x30000\|0x00000001U) &&
3423	!tls1_check_chain(s, NULL((void)0), NULL((void)0), NULL((void*)0), -2))
3424	return 0;
3425	return 1;
3426	}
3427
3428	WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
3429	{
3430	X509 x509 = NULL((void)0);
3431	EVP_PKEY pkey = NULL((void)0);
3432	int i;
3433
3434	if (wst == WORK_MORE_A) {
3435	/* Let cert callback update client certificates if required */
3436	if (s->cert->cert_cb) {
3437	i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
3438	if (i < 0) {
3439	s->rwstate = SSL_X509_LOOKUP4;
3440	return WORK_MORE_A;
3441	}
3442	if (i == 0) {
3443	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3443, __func__), ossl_statem_fatal)((s), (80), (234), ((void *)0));
3444	return WORK_ERROR;
3445	}
3446	s->rwstate = SSL_NOTHING1;
3447	}
3448	if (ssl3_check_client_certificate(s)) {
3449	if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
3450	return WORK_FINISHED_STOP;
3451	}
3452	return WORK_FINISHED_CONTINUE;
3453	}
3454
3455	/* Fall through to WORK_MORE_B */
3456	wst = WORK_MORE_B;
3457	}
3458
3459	/* We need to get a client cert */
3460	if (wst == WORK_MORE_B) {
3461	/*
3462	* If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
3463	* return(-1); We then get retied later
3464	*/
3465	i = ssl_do_client_cert_cb(s, &x509, &pkey);
3466	if (i < 0) {
3467	s->rwstate = SSL_X509_LOOKUP4;
3468	return WORK_MORE_B;
3469	}
3470	s->rwstate = SSL_NOTHING1;
3471	if ((i == 1) && (pkey != NULL((void)0)) && (x509 != NULL((void)0))) {
3472	if (!SSL_use_certificate(s, x509) \|\| !SSL_use_PrivateKey(s, pkey))
3473	i = 0;
3474	} else if (i == 1) {
3475	i = 0;
3476	ERR_raise(ERR_LIB_SSL, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" ,3476,__func__), ERR_set_error)((20),(106),((void*)0));
3477	}
3478
3479	X509_free(x509);
3480	EVP_PKEY_free(pkey);
3481	if (i && !ssl3_check_client_certificate(s))
3482	i = 0;
3483	if (i == 0) {
3484	if (s->version == SSL3_VERSION0x0300) {
3485	s->s3.tmp.cert_req = 0;
3486	ssl3_send_alert(s, SSL3_AL_WARNING1, SSL_AD_NO_CERTIFICATE41);
3487	return WORK_FINISHED_CONTINUE;
3488	} else {
3489	s->s3.tmp.cert_req = 2;
3490	if (!ssl3_digest_cached_records(s, 0)) {
3491	/* SSLfatal() already called */
3492	return WORK_ERROR;
3493	}
3494	}
3495	}
3496
3497	if (s->post_handshake_auth == SSL_PHA_REQUESTED)
3498	return WORK_FINISHED_STOP;
3499	return WORK_FINISHED_CONTINUE;
3500	}
3501
3502	/* Shouldn't ever get here */
3503	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3503, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3504	return WORK_ERROR;
3505	}
3506
3507	int tls_construct_client_certificate(SSL s, WPACKET pkt)
3508	{
3509	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)) {
3510	if (s->pha_context == NULL((void*)0)) {
3511	/* no context available, add 0-length context */
3512	if (!WPACKET_put_bytes_u8(pkt, 0)WPACKET_put_bytes__((pkt), (0), 1)) {
3513	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3513, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3514	return 0;
3515	}
3516	} else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)WPACKET_sub_memcpy__((pkt), (s->pha_context), (s->pha_context_len ), 1)) {
3517	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3517, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3518	return 0;
3519	}
3520	}
3521	if (!ssl3_output_cert_chain(s, pkt,
3522	(s->s3.tmp.cert_req == 2) ? NULL((void*)0)
3523	: s->cert->key)) {
3524	/* SSLfatal() already called */
3525	return 0;
3526	}
3527
3528	if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) && (s)->method->version >= 0x0304 && (s)->method ->version != 0x10000)
3529	&& SSL_IS_FIRST_HANDSHAKE(s)((s)->s3.tmp.finish_md_len == 0 \|\| (s)->s3.tmp.peer_finish_md_len == 0)
3530	&& (!s->method->ssl3_enc->change_cipher_state(s,
3531	SSL3_CC_HANDSHAKE0x080 \| SSL3_CHANGE_CIPHER_CLIENT_WRITE(0x010\|0x002)))) {
3532	/*
3533	* This is a fatal error, which leaves enc_write_ctx in an inconsistent
3534	* state and thus ssl3_send_alert may crash.
3535	*/
3536	SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3536, __func__), ossl_statem_fatal)((s), (-1), (109), ((void *)0));
3537	return 0;
3538	}
3539
3540	return 1;
3541	}
3542
3543	int ssl3_check_cert_and_algorithm(SSL *s)
3544	{
3545	const SSL_CERT_LOOKUP *clu;
3546	size_t idx;
3547	long alg_k, alg_a;
3548
3549	alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
3550	alg_a = s->s3.tmp.new_cipher->algorithm_auth;
3551
3552	/* we don't have a certificate */
3553	if (!(alg_a & SSL_aCERT(0x00000001U \| 0x00000002U \| 0x00000008U \| 0x00000020U \| 0x00000080U )))
3554	return 1;
3555
3556	/* This is the passed certificate */
3557	clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx);
3558
3559	/* Check certificate is recognised and suitable for cipher */
3560	if (clu == NULL((void*)0) \|\| (alg_a & clu->amask) == 0) {
3561	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3561, __func__), ossl_statem_fatal)((s), (40), (221), ((void *)0));
3562	return 0;
3563	}
3564
3565	if (clu->amask & SSL_aECDSA0x00000008U) {
3566	if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s))
3567	return 1;
3568	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3568, __func__), ossl_statem_fatal)((s), (40), (304), ((void *)0));
3569	return 0;
3570	}
3571
3572	if (alg_k & (SSL_kRSA0x00000001U \| SSL_kRSAPSK0x00000040U) && idx != SSL_PKEY_RSA0) {
3573	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3574, __func__), ossl_statem_fatal)((s), (40), (169), ((void *)0))
3574	SSL_R_MISSING_RSA_ENCRYPTING_CERT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3574, __func__), ossl_statem_fatal)((s), (40), (169), ((void *)0));
3575	return 0;
3576	}
3577
3578	if ((alg_k & SSL_kDHE0x00000002U) && (s->s3.peer_tmp == NULL((void*)0))) {
3579	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3579, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3580	return 0;
3581	}
3582
3583	return 1;
3584	}
3585
3586	#ifndef OPENSSL_NO_NEXTPROTONEG
3587	int tls_construct_next_proto(SSL s, WPACKET pkt)
3588	{
3589	size_t len, padding_len;
3590	unsigned char padding = NULL((void)0);
3591
3592	len = s->ext.npn_len;
3593	padding_len = 32 - ((len + 2) % 32);
3594
3595	if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)WPACKET_sub_memcpy__((pkt), (s->ext.npn), (len), 1)
3596	\|\| !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)WPACKET_sub_allocate_bytes__((pkt), (padding_len), (&padding ), 1)) {
3597	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3597, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3598	return 0;
3599	}
3600
3601	memset(padding, 0, padding_len);
3602
3603	return 1;
3604	}
3605	#endif
3606
3607	MSG_PROCESS_RETURN tls_process_hello_req(SSL s, PACKET pkt)
3608	{
3609	if (PACKET_remaining(pkt) > 0) {
3610	/* should contain no data */
3611	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3611, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
3612	return MSG_PROCESS_ERROR;
3613	}
3614
3615	if ((s->options & SSL_OP_NO_RENEGOTIATION((uint64_t)1 << (uint64_t)30))) {
3616	ssl3_send_alert(s, SSL3_AL_WARNING1, SSL_AD_NO_RENEGOTIATION100);
3617	return MSG_PROCESS_FINISHED_READING;
3618	}
3619
3620	/*
3621	* This is a historical discrepancy (not in the RFC) maintained for
3622	* compatibility reasons. If a TLS client receives a HelloRequest it will
3623	* attempt an abbreviated handshake. However if a DTLS client receives a
3624	* HelloRequest it will do a full handshake. Either behaviour is reasonable
3625	* but doing one for TLS and another for DTLS is odd.
3626	*/
3627	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8))
3628	SSL_renegotiate(s);
3629	else
3630	SSL_renegotiate_abbreviated(s);
3631
3632	return MSG_PROCESS_FINISHED_READING;
3633	}
3634
3635	static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL s, PACKET pkt)
3636	{
3637	PACKET extensions;
3638	RAW_EXTENSION rawexts = NULL((void)0);
3639
3640	if (!PACKET_as_length_prefixed_2(pkt, &extensions)
3641	\|\| PACKET_remaining(pkt) != 0) {
3642	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3642, __func__), ossl_statem_fatal)((s), (50), (159), ((void *)0));
3643	goto err;
3644	}
3645
3646	if (!tls_collect_extensions(s, &extensions,
3647	SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS0x0400, &rawexts,
3648	NULL((void*)0), 1)
3649	\|\| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS0x0400,
3650	rawexts, NULL((void*)0), 0, 1)) {
3651	/* SSLfatal() already called */
3652	goto err;
3653	}
3654
3655	OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3655);
3656	return MSG_PROCESS_CONTINUE_READING;
3657
3658	err:
3659	OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3659);
3660	return MSG_PROCESS_ERROR;
3661	}
3662
3663	int ssl_do_client_cert_cb(SSL s, X509 px509, EVP_PKEY *ppkey)
3664	{
3665	int i = 0;
3666	#ifndef OPENSSL_NO_ENGINE
3667	if (s->ctx->client_cert_engine) {
3668	i = tls_engine_load_ssl_client_cert(s, px509, ppkey);
3669	if (i != 0)
3670	return i;
3671	}
3672	#endif
3673	if (s->ctx->client_cert_cb)
3674	i = s->ctx->client_cert_cb(s, px509, ppkey);
3675	return i;
3676	}
3677
3678	int ssl_cipher_list_to_bytes(SSL s, STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER sk, WPACKET *pkt)
3679	{
3680	int i;
3681	size_t totlen = 0, len, maxlen, maxverok = 0;
3682	int empty_reneg_info_scsv = !s->renegotiate;
3683
3684	/* Set disabled masks for this session */
3685	if (!ssl_set_client_disabled(s)) {
3686	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3686, __func__), ossl_statem_fatal)((s), (80), (191), ((void *)0));
3687	return 0;
3688	}
3689
3690	if (sk == NULL((void*)0)) {
3691	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3691, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3692	return 0;
3693	}
3694
3695	#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
3696	# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
3697	# error Max cipher length too short
3698	# endif
3699	/*
3700	* Some servers hang if client hello > 256 bytes as hack workaround
3701	* chop number of supported ciphers to keep it well below this if we
3702	* use TLS v1.2
3703	*/
3704	if (TLS1_get_version(s)((SSL_version(s) >> 8) == 0x03 ? SSL_version(s) : 0) >= TLS1_2_VERSION0x0303)
3705	maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
3706	else
3707	#endif
3708	/* Maximum length that can be stored in 2 bytes. Length must be even */
3709	maxlen = 0xfffe;
3710
3711	if (empty_reneg_info_scsv)
3712	maxlen -= 2;
3713	if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV0x00000080U)
3714	maxlen -= 2;
3715
3716	for (i = 0; i < sk_SSL_CIPHER_num(sk)OPENSSL_sk_num(ossl_check_const_SSL_CIPHER_sk_type(sk)) && totlen < maxlen; i++) {
3717	const SSL_CIPHER *c;
3718
3719	c = sk_SSL_CIPHER_value(sk, i)((const SSL_CIPHER *)OPENSSL_sk_value(ossl_check_const_SSL_CIPHER_sk_type (sk), (i)));
3720	/* Skip disabled ciphers */
3721	if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED(1 \| (1 << 16)), 0))
3722	continue;
3723
3724	if (!s->method->put_cipher_by_char(c, pkt, &len)) {
3725	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3725, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3726	return 0;
3727	}
3728
3729	/* Sanity check that the maximum version we offer has ciphers enabled */
3730	if (!maxverok) {
3731	if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
3732	if (DTLS_VERSION_GE(c->max_dtls, s->s3.tmp.max_ver)((((c->max_dtls) == 0x0100) ? 0xff00 : (c->max_dtls)) <= (((s->s3.tmp.max_ver) == 0x0100) ? 0xff00 : (s->s3.tmp .max_ver)))
3733	&& DTLS_VERSION_LE(c->min_dtls, s->s3.tmp.max_ver)((((c->min_dtls) == 0x0100) ? 0xff00 : (c->min_dtls)) >= (((s->s3.tmp.max_ver) == 0x0100) ? 0xff00 : (s->s3.tmp .max_ver))))
3734	maxverok = 1;
3735	} else {
3736	if (c->max_tls >= s->s3.tmp.max_ver
3737	&& c->min_tls <= s->s3.tmp.max_ver)
3738	maxverok = 1;
3739	}
3740	}
3741
3742	totlen += len;
3743	}
3744
3745	if (totlen == 0 \|\| !maxverok) {
3746	const char *maxvertext =
3747	!maxverok
3748	? "No ciphers enabled for max supported SSL/TLS version"
3749	: NULL((void*)0);
3750
3751	SSLfatal_data(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3751, __func__), ossl_statem_fatal)(s, SSL_AD_INTERNAL_ERROR80, SSL_R_NO_CIPHERS_AVAILABLE181,
3752	maxvertext);
3753	return 0;
3754	}
3755
3756	if (totlen != 0) {
3757	if (empty_reneg_info_scsv) {
3758	static SSL_CIPHER scsv = {
3759	0, NULL((void)0), NULL((void)0), SSL3_CK_SCSV0x030000FF, 0, 0, 0, 0, 0, 0, 0, 0, 0
3760	};
3761	if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3762	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3762, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3763	return 0;
3764	}
3765	}
3766	if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV0x00000080U) {
3767	static SSL_CIPHER scsv = {
3768	0, NULL((void)0), NULL((void)0), SSL3_CK_FALLBACK_SCSV0x03005600, 0, 0, 0, 0, 0, 0, 0, 0, 0
3769	};
3770	if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3771	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3771, __func__), ossl_statem_fatal)((s), (80), ((259\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3772	return 0;
3773	}
3774	}
3775	}
3776
3777	return 1;
3778	}
3779
3780	int tls_construct_end_of_early_data(SSL s, WPACKET pkt)
3781	{
3782	if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
3783	&& s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) {
3784	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c" , 3784, __func__), ossl_statem_fatal)((s), (80), ((257\|((0x1 << 18L)\|(0x2 << 18L)))), ((void*)0));
3785	return 0;
3786	}
3787
3788	s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
3789	return 1;
3790	}