/usr/src/lib/libssl/ssl

Bug Summary

File:	src/lib/libssl/ssl_clnt.c
Warning:	line 1605, column 2 Value stored to 'ret' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name ssl_clnt.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libssl/obj -resource-dir /usr/local/lib/clang/13.0.0 -D LIBRESSL_INTERNAL -I /usr/src/lib/libssl -D PIC -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libssl/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/lib/libssl/ssl_clnt.c

1	/* $OpenBSD: ssl_clnt.c,v 1.137 2022/01/11 19:03:15 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.
4	*
5	* This package is an SSL implementation written
6	* by Eric Young (eay@cryptsoft.com).
7	* The implementation was written so as to conform with Netscapes SSL.
8	*
9	* This library is free for commercial and non-commercial use as long as
10	* the following conditions are aheared to. The following conditions
11	* apply to all code found in this distribution, be it the RC4, RSA,
12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13	* included with this distribution is covered by the same copyright terms
14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
15	*
16	* Copyright remains Eric Young's, and as such any Copyright notices in
17	* the code are not to be removed.
18	* If this package is used in a product, Eric Young should be given attribution
19	* as the author of the parts of the library used.
20	* This can be in the form of a textual message at program startup or
21	* in documentation (online or textual) provided with the package.
22	*
23	* Redistribution and use in source and binary forms, with or without
24	* modification, are permitted provided that the following conditions
25	* are met:
26	* 1. Redistributions of source code must retain the copyright
27	* notice, this list of conditions and the following disclaimer.
28	* 2. Redistributions in binary form must reproduce the above copyright
29	* notice, this list of conditions and the following disclaimer in the
30	* documentation and/or other materials provided with the distribution.
31	* 3. All advertising materials mentioning features or use of this software
32	* must display the following acknowledgement:
33	* "This product includes cryptographic software written by
34	* Eric Young (eay@cryptsoft.com)"
35	* The word 'cryptographic' can be left out if the rouines from the library
36	* being used are not cryptographic related :-).
37	* 4. If you include any Windows specific code (or a derivative thereof) from
38	* the apps directory (application code) you must include an acknowledgement:
39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40	*
41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51	* SUCH DAMAGE.
52	*
53	* The licence and distribution terms for any publically available version or
54	* derivative of this code cannot be changed. i.e. this code cannot simply be
55	* copied and put under another distribution licence
56	* [including the GNU Public Licence.]
57	*/
58	/* ====================================================================
59	* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60	*
61	* Redistribution and use in source and binary forms, with or without
62	* modification, are permitted provided that the following conditions
63	* are met:
64	*
65	* 1. Redistributions of source code must retain the above copyright
66	* notice, this list of conditions and the following disclaimer.
67	*
68	* 2. Redistributions in binary form must reproduce the above copyright
69	* notice, this list of conditions and the following disclaimer in
70	* the documentation and/or other materials provided with the
71	* distribution.
72	*
73	* 3. All advertising materials mentioning features or use of this
74	* software must display the following acknowledgment:
75	* "This product includes software developed by the OpenSSL Project
76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77	*
78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79	* endorse or promote products derived from this software without
80	* prior written permission. For written permission, please contact
81	* openssl-core@openssl.org.
82	*
83	* 5. Products derived from this software may not be called "OpenSSL"
84	* nor may "OpenSSL" appear in their names without prior written
85	* permission of the OpenSSL Project.
86	*
87	* 6. Redistributions of any form whatsoever must retain the following
88	* acknowledgment:
89	* "This product includes software developed by the OpenSSL Project
90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91	*
92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103	* OF THE POSSIBILITY OF SUCH DAMAGE.
104	* ====================================================================
105	*
106	* This product includes cryptographic software written by Eric Young
107	* (eay@cryptsoft.com). This product includes software written by Tim
108	* Hudson (tjh@cryptsoft.com).
109	*
110	*/
111	/* ====================================================================
112	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113	*
114	* Portions of the attached software ("Contribution") are developed by
115	* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116	*
117	* The Contribution is licensed pursuant to the OpenSSL open source
118	* license provided above.
119	*
120	* ECC cipher suite support in OpenSSL originally written by
121	* Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122	*
123	*/
124	/* ====================================================================
125	* Copyright 2005 Nokia. All rights reserved.
126	*
127	* The portions of the attached software ("Contribution") is developed by
128	* Nokia Corporation and is licensed pursuant to the OpenSSL open source
129	* license.
130	*
131	* The Contribution, originally written by Mika Kousa and Pasi Eronen of
132	* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133	* support (see RFC 4279) to OpenSSL.
134	*
135	* No patent licenses or other rights except those expressly stated in
136	* the OpenSSL open source license shall be deemed granted or received
137	* expressly, by implication, estoppel, or otherwise.
138	*
139	* No assurances are provided by Nokia that the Contribution does not
140	* infringe the patent or other intellectual property rights of any third
141	* party or that the license provides you with all the necessary rights
142	* to make use of the Contribution.
143	*
144	* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145	* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146	* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147	* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148	* OTHERWISE.
149	*/
150
151	#include <limits.h>
152	#include <stdint.h>
153	#include <stdio.h>
154
155	#include <openssl/bn.h>
156	#include <openssl/buffer.h>
157	#include <openssl/curve25519.h>
158	#include <openssl/dh.h>
159	#include <openssl/evp.h>
160	#include <openssl/md5.h>
161	#include <openssl/objects.h>
162	#include <openssl/opensslconf.h>
163
164	#ifndef OPENSSL_NO_ENGINE
165	#include <openssl/engine.h>
166	#endif
167	#ifndef OPENSSL_NO_GOST
168	#include <openssl/gost.h>
169	#endif
170
171	#include "bytestring.h"
172	#include "dtls_locl.h"
173	#include "ssl_locl.h"
174	#include "ssl_sigalgs.h"
175	#include "ssl_tlsext.h"
176
177	static int ca_dn_cmp(const X509_NAME * const a, const X509_NAME const *b);
178
179	int
180	ssl3_connect(SSL *s)
181	{
182	int new_state, state, skip = 0;
183	int ret = -1;
184
185	ERR_clear_error();
186	errno(*__errno()) = 0;
187
188	s->internal->in_handshake++;
189	if (!SSL_in_init(s)(SSL_state((s))&(0x1000\|0x2000)) \|\| SSL_in_before(s)(SSL_state((s))&0x4000))
190	SSL_clear(s);
191
192	for (;;) {
193	state = S3I(s)(s->s3->internal)->hs.state;
194
195	switch (S3I(s)(s->s3->internal)->hs.state) {
196	case SSL_ST_RENEGOTIATE(0x04\|(0x1000\|0x2000)):
197	s->internal->renegotiate = 1;
198	S3I(s)(s->s3->internal)->hs.state = SSL_ST_CONNECT0x1000;
199	s->ctx->internal->stats.sess_connect_renegotiate++;
200	/* break */
201	case SSL_ST_BEFORE0x4000:
202	case SSL_ST_CONNECT0x1000:
203	case SSL_ST_BEFORE0x4000\|SSL_ST_CONNECT0x1000:
204	case SSL_ST_OK0x03\|SSL_ST_CONNECT0x1000:
205
206	s->server = 0;
207
208	ssl_info_callback(s, SSL_CB_HANDSHAKE_START0x10, 1);
209
210	if (!ssl_legacy_stack_version(s, s->version)) {
211	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 211);
212	ret = -1;
213	goto end;
214	}
215
216	if (!ssl_supported_tls_version_range(s,
217	&S3I(s)(s->s3->internal)->hs.our_min_tls_version,
218	&S3I(s)(s->s3->internal)->hs.our_max_tls_version)) {
219	SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE)SSL_error_internal(s, 191, "/usr/src/lib/libssl/ssl_clnt.c", 219 );
220	ret = -1;
221	goto end;
222	}
223
224	if (!ssl3_setup_init_buffer(s)) {
225	ret = -1;
226	goto end;
227	}
228	if (!ssl3_setup_buffers(s)) {
229	ret = -1;
230	goto end;
231	}
232	if (!ssl_init_wbio_buffer(s, 0)) {
233	ret = -1;
234	goto end;
235	}
236
237	/* don't push the buffering BIO quite yet */
238
239	if (!tls1_transcript_init(s)) {
240	ret = -1;
241	goto end;
242	}
243
244	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CLNT_HELLO_A(0x110\|0x1000);
245	s->ctx->internal->stats.sess_connect++;
246	s->internal->init_num = 0;
247
248	if (SSL_is_dtls(s)) {
249	/* mark client_random uninitialized */
250	memset(s->s3->client_random, 0,
251	sizeof(s->s3->client_random));
252	s->d1->send_cookie = 0;
253	s->internal->hit = 0;
254	}
255	break;
256
257	case SSL3_ST_CW_CLNT_HELLO_A(0x110\|0x1000):
258	case SSL3_ST_CW_CLNT_HELLO_B(0x111\|0x1000):
259	s->internal->shutdown = 0;
260
261	if (SSL_is_dtls(s)) {
262	/* every DTLS ClientHello resets Finished MAC */
263	tls1_transcript_reset(s);
264
265	dtls1_start_timer(s);
266	}
267
268	ret = ssl3_send_client_hello(s);
269	if (ret <= 0)
270	goto end;
271
272	if (SSL_is_dtls(s) && s->d1->send_cookie) {
273	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_FLUSH(0x100\|0x1000);
274	S3I(s)(s->s3->internal)->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A(0x120\|0x1000);
275	} else
276	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_SRVR_HELLO_A(0x120\|0x1000);
277
278	s->internal->init_num = 0;
279
280	/* turn on buffering for the next lot of output */
281	if (s->bbio != s->wbio)
282	s->wbio = BIO_push(s->bbio, s->wbio);
283
284	break;
285
286	case SSL3_ST_CR_SRVR_HELLO_A(0x120\|0x1000):
287	case SSL3_ST_CR_SRVR_HELLO_B(0x121\|0x1000):
288	ret = ssl3_get_server_hello(s);
289	if (ret <= 0)
290	goto end;
291
292	if (s->internal->hit) {
293	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_FINISHED_A(0x1D0\|0x1000);
294	if (!SSL_is_dtls(s)) {
295	if (s->internal->tlsext_ticket_expected) {
296	/* receive renewed session ticket */
297	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_SESSION_TICKET_A(0x1E0\|0x1000);
298	}
299
300	/* No client certificate verification. */
301	tls1_transcript_free(s);
302	}
303	} else if (SSL_is_dtls(s)) {
304	S3I(s)(s->s3->internal)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A(0x126\|0x1000);
305	} else {
306	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_CERT_A(0x130\|0x1000);
307	}
308	s->internal->init_num = 0;
309	break;
310
311	case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A(0x126\|0x1000):
312	case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B(0x127\|0x1000):
313	ret = ssl3_get_dtls_hello_verify(s);
314	if (ret <= 0)
315	goto end;
316	dtls1_stop_timer(s);
317	if (s->d1->send_cookie) /* start again, with a cookie */
318	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CLNT_HELLO_A(0x110\|0x1000);
319	else
320	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_CERT_A(0x130\|0x1000);
321	s->internal->init_num = 0;
322	break;
323
324	case SSL3_ST_CR_CERT_A(0x130\|0x1000):
325	case SSL3_ST_CR_CERT_B(0x131\|0x1000):
326	ret = ssl3_check_finished(s);
327	if (ret <= 0)
328	goto end;
329	if (ret == 2) {
330	s->internal->hit = 1;
331	if (s->internal->tlsext_ticket_expected)
332	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_SESSION_TICKET_A(0x1E0\|0x1000);
333	else
334	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_FINISHED_A(0x1D0\|0x1000);
335	s->internal->init_num = 0;
336	break;
337	}
338	/* Check if it is anon DH/ECDH. */
339	if (!(S3I(s)(s->s3->internal)->hs.cipher->algorithm_auth &
340	SSL_aNULL0x00000004L)) {
341	ret = ssl3_get_server_certificate(s);
342	if (ret <= 0)
343	goto end;
344	if (s->internal->tlsext_status_expected)
345	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_CERT_STATUS_A(0x1F0\|0x1000);
346	else
347	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_KEY_EXCH_A(0x140\|0x1000);
348	} else {
349	skip = 1;
350	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_KEY_EXCH_A(0x140\|0x1000);
351	}
352	s->internal->init_num = 0;
353	break;
354
355	case SSL3_ST_CR_KEY_EXCH_A(0x140\|0x1000):
356	case SSL3_ST_CR_KEY_EXCH_B(0x141\|0x1000):
357	ret = ssl3_get_server_key_exchange(s);
358	if (ret <= 0)
359	goto end;
360	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_CERT_REQ_A(0x150\|0x1000);
361	s->internal->init_num = 0;
362
363	/*
364	* At this point we check that we have the
365	* required stuff from the server.
366	*/
367	if (!ssl3_check_cert_and_algorithm(s)) {
368	ret = -1;
369	goto end;
370	}
371	break;
372
373	case SSL3_ST_CR_CERT_REQ_A(0x150\|0x1000):
374	case SSL3_ST_CR_CERT_REQ_B(0x151\|0x1000):
375	ret = ssl3_get_certificate_request(s);
376	if (ret <= 0)
377	goto end;
378	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_SRVR_DONE_A(0x160\|0x1000);
379	s->internal->init_num = 0;
380	break;
381
382	case SSL3_ST_CR_SRVR_DONE_A(0x160\|0x1000):
383	case SSL3_ST_CR_SRVR_DONE_B(0x161\|0x1000):
384	ret = ssl3_get_server_done(s);
385	if (ret <= 0)
386	goto end;
387	if (SSL_is_dtls(s))
388	dtls1_stop_timer(s);
389	if (S3I(s)(s->s3->internal)->hs.tls12.cert_request)
390	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CERT_A(0x170\|0x1000);
391	else
392	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_KEY_EXCH_A(0x180\|0x1000);
393	s->internal->init_num = 0;
394
395	break;
396
397	case SSL3_ST_CW_CERT_A(0x170\|0x1000):
398	case SSL3_ST_CW_CERT_B(0x171\|0x1000):
399	case SSL3_ST_CW_CERT_C(0x172\|0x1000):
400	case SSL3_ST_CW_CERT_D(0x173\|0x1000):
401	if (SSL_is_dtls(s))
402	dtls1_start_timer(s);
403	ret = ssl3_send_client_certificate(s);
404	if (ret <= 0)
405	goto end;
406	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_KEY_EXCH_A(0x180\|0x1000);
407	s->internal->init_num = 0;
408	break;
409
410	case SSL3_ST_CW_KEY_EXCH_A(0x180\|0x1000):
411	case SSL3_ST_CW_KEY_EXCH_B(0x181\|0x1000):
412	if (SSL_is_dtls(s))
413	dtls1_start_timer(s);
414	ret = ssl3_send_client_key_exchange(s);
415	if (ret <= 0)
416	goto end;
417	/*
418	* EAY EAY EAY need to check for DH fix cert
419	* sent back
420	*/
421	/*
422	* For TLS, cert_req is set to 2, so a cert chain
423	* of nothing is sent, but no verify packet is sent
424	*/
425	/*
426	* XXX: For now, we do not support client
427	* authentication in ECDH cipher suites with
428	* ECDH (rather than ECDSA) certificates.
429	* We need to skip the certificate verify
430	* message when client's ECDH public key is sent
431	* inside the client certificate.
432	*/
433	if (S3I(s)(s->s3->internal)->hs.tls12.cert_request == 1) {
434	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CERT_VRFY_A(0x190\|0x1000);
435	} else {
436	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CHANGE_A(0x1A0\|0x1000);
437	S3I(s)(s->s3->internal)->change_cipher_spec = 0;
438	}
439	if (!SSL_is_dtls(s)) {
440	if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY0x0010) {
441	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CHANGE_A(0x1A0\|0x1000);
442	S3I(s)(s->s3->internal)->change_cipher_spec = 0;
443	}
444	}
445
446	s->internal->init_num = 0;
447	break;
448
449	case SSL3_ST_CW_CERT_VRFY_A(0x190\|0x1000):
450	case SSL3_ST_CW_CERT_VRFY_B(0x191\|0x1000):
451	if (SSL_is_dtls(s))
452	dtls1_start_timer(s);
453	ret = ssl3_send_client_verify(s);
454	if (ret <= 0)
455	goto end;
456	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CHANGE_A(0x1A0\|0x1000);
457	s->internal->init_num = 0;
458	S3I(s)(s->s3->internal)->change_cipher_spec = 0;
459	break;
460
461	case SSL3_ST_CW_CHANGE_A(0x1A0\|0x1000):
462	case SSL3_ST_CW_CHANGE_B(0x1A1\|0x1000):
463	if (SSL_is_dtls(s) && !s->internal->hit)
464	dtls1_start_timer(s);
465	ret = ssl3_send_change_cipher_spec(s,
466	SSL3_ST_CW_CHANGE_A(0x1A0\|0x1000), SSL3_ST_CW_CHANGE_B(0x1A1\|0x1000));
467	if (ret <= 0)
468	goto end;
469
470	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_FINISHED_A(0x1B0\|0x1000);
471	s->internal->init_num = 0;
472	s->session->cipher = S3I(s)(s->s3->internal)->hs.cipher;
473
474	if (!tls1_setup_key_block(s)) {
475	ret = -1;
476	goto end;
477	}
478	if (!tls1_change_write_cipher_state(s)) {
479	ret = -1;
480	goto end;
481	}
482	break;
483
484	case SSL3_ST_CW_FINISHED_A(0x1B0\|0x1000):
485	case SSL3_ST_CW_FINISHED_B(0x1B1\|0x1000):
486	if (SSL_is_dtls(s) && !s->internal->hit)
487	dtls1_start_timer(s);
488	ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A(0x1B0\|0x1000),
489	SSL3_ST_CW_FINISHED_B(0x1B1\|0x1000));
490	if (ret <= 0)
491	goto end;
492	if (!SSL_is_dtls(s))
493	s->s3->flags \|= SSL3_FLAGS_CCS_OK0x0080;
494	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_FLUSH(0x100\|0x1000);
495
496	/* clear flags */
497	if (s->internal->hit) {
498	S3I(s)(s->s3->internal)->hs.tls12.next_state = SSL_ST_OK0x03;
499	} else {
500	/* Allow NewSessionTicket if ticket expected */
501	if (s->internal->tlsext_ticket_expected)
502	S3I(s)(s->s3->internal)->hs.tls12.next_state =
503	SSL3_ST_CR_SESSION_TICKET_A(0x1E0\|0x1000);
504	else
505	S3I(s)(s->s3->internal)->hs.tls12.next_state =
506	SSL3_ST_CR_FINISHED_A(0x1D0\|0x1000);
507	}
508	s->internal->init_num = 0;
509	break;
510
511	case SSL3_ST_CR_SESSION_TICKET_A(0x1E0\|0x1000):
512	case SSL3_ST_CR_SESSION_TICKET_B(0x1E1\|0x1000):
513	ret = ssl3_get_new_session_ticket(s);
514	if (ret <= 0)
515	goto end;
516	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_FINISHED_A(0x1D0\|0x1000);
517	s->internal->init_num = 0;
518	break;
519
520	case SSL3_ST_CR_CERT_STATUS_A(0x1F0\|0x1000):
521	case SSL3_ST_CR_CERT_STATUS_B(0x1F1\|0x1000):
522	ret = ssl3_get_cert_status(s);
523	if (ret <= 0)
524	goto end;
525	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CR_KEY_EXCH_A(0x140\|0x1000);
526	s->internal->init_num = 0;
527	break;
528
529	case SSL3_ST_CR_FINISHED_A(0x1D0\|0x1000):
530	case SSL3_ST_CR_FINISHED_B(0x1D1\|0x1000):
531	if (SSL_is_dtls(s))
532	s->d1->change_cipher_spec_ok = 1;
533	else
534	s->s3->flags \|= SSL3_FLAGS_CCS_OK0x0080;
535	ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A(0x1D0\|0x1000),
536	SSL3_ST_CR_FINISHED_B(0x1D1\|0x1000));
537	if (ret <= 0)
538	goto end;
539	if (SSL_is_dtls(s))
540	dtls1_stop_timer(s);
541
542	if (s->internal->hit)
543	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CHANGE_A(0x1A0\|0x1000);
544	else
545	S3I(s)(s->s3->internal)->hs.state = SSL_ST_OK0x03;
546	s->internal->init_num = 0;
547	break;
548
549	case SSL3_ST_CW_FLUSH(0x100\|0x1000):
550	s->internal->rwstate = SSL_WRITING2;
551	if (BIO_flush(s->wbio)(int)BIO_ctrl(s->wbio,11,0,((void*)0)) <= 0) {
552	if (SSL_is_dtls(s)) {
553	/* If the write error was fatal, stop trying */
554	if (!BIO_should_retry(s->wbio)BIO_test_flags(s->wbio, 0x08)) {
555	s->internal->rwstate = SSL_NOTHING1;
556	S3I(s)(s->s3->internal)->hs.state = S3I(s)(s->s3->internal)->hs.tls12.next_state;
557	}
558	}
559	ret = -1;
560	goto end;
561	}
562	s->internal->rwstate = SSL_NOTHING1;
563	S3I(s)(s->s3->internal)->hs.state = S3I(s)(s->s3->internal)->hs.tls12.next_state;
564	break;
565
566	case SSL_ST_OK0x03:
567	/* clean a few things up */
568	tls1_cleanup_key_block(s);
569
570	if (S3I(s)(s->s3->internal)->handshake_transcript != NULL((void*)0)) {
571	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 571);
572	ret = -1;
573	goto end;
574	}
575
576	if (!SSL_is_dtls(s))
577	ssl3_release_init_buffer(s);
578
579	ssl_free_wbio_buffer(s);
580
581	s->internal->init_num = 0;
582	s->internal->renegotiate = 0;
583	s->internal->new_session = 0;
584
585	ssl_update_cache(s, SSL_SESS_CACHE_CLIENT0x0001);
586	if (s->internal->hit)
587	s->ctx->internal->stats.sess_hit++;
588
589	ret = 1;
590	/* s->server=0; */
591	s->internal->handshake_func = ssl3_connect;
592	s->ctx->internal->stats.sess_connect_good++;
593
594	ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE0x20, 1);
595
596	if (SSL_is_dtls(s)) {
597	/* done with handshaking */
598	s->d1->handshake_read_seq = 0;
599	s->d1->next_handshake_write_seq = 0;
600	}
601
602	goto end;
603	/* break; */
604
605	default:
606	SSLerror(s, SSL_R_UNKNOWN_STATE)SSL_error_internal(s, 255, "/usr/src/lib/libssl/ssl_clnt.c", 606 );
607	ret = -1;
608	goto end;
609	/* break; */
610	}
611
612	/* did we do anything */
613	if (!S3I(s)(s->s3->internal)->hs.tls12.reuse_message && !skip) {
614	if (s->internal->debug) {
615	if ((ret = BIO_flush(s->wbio)(int)BIO_ctrl(s->wbio,11,0,((void*)0))) <= 0)
616	goto end;
617	}
618
619	if (S3I(s)(s->s3->internal)->hs.state != state) {
620	new_state = S3I(s)(s->s3->internal)->hs.state;
621	S3I(s)(s->s3->internal)->hs.state = state;
622	ssl_info_callback(s, SSL_CB_CONNECT_LOOP(0x1000\|0x01), 1);
623	S3I(s)(s->s3->internal)->hs.state = new_state;
624	}
625	}
626	skip = 0;
627	}
628
629	end:
630	s->internal->in_handshake--;
631	ssl_info_callback(s, SSL_CB_CONNECT_EXIT(0x1000\|0x02), ret);
632
633	return (ret);
634	}
635
636	int
637	ssl3_send_client_hello(SSL *s)
638	{
639	CBB cbb, client_hello, session_id, cookie, cipher_suites;
640	CBB compression_methods;
641	uint16_t max_version;
642	size_t sl;
643
644	memset(&cbb, 0, sizeof(cbb));
645
646	if (S3I(s)(s->s3->internal)->hs.state == SSL3_ST_CW_CLNT_HELLO_A(0x110\|0x1000)) {
647	SSL_SESSION *sess = s->session;
648
649	if (!ssl_max_supported_version(s, &max_version)) {
650	SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE)SSL_error_internal(s, 191, "/usr/src/lib/libssl/ssl_clnt.c", 650 );
651	return (-1);
652	}
653	s->version = max_version;
654
655	if (sess == NULL((void*)0) \|\|
656	sess->ssl_version != s->version \|\|
657	(!sess->session_id_length && !sess->tlsext_tick) \|\|
658	sess->not_resumable) {
659	if (!ssl_get_new_session(s, 0))
660	goto err;
661	}
662	/* else use the pre-loaded session */
663
664	/*
665	* If a DTLS ClientHello message is being resent after a
666	* HelloVerifyRequest, we must retain the original client
667	* random value.
668	*/
669	if (!SSL_is_dtls(s) \|\| s->d1->send_cookie == 0)
670	arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE32);
671
672	if (!ssl3_handshake_msg_start(s, &cbb, &client_hello,
673	SSL3_MT_CLIENT_HELLO1))
674	goto err;
675
676	if (!CBB_add_u16(&client_hello, s->version))
677	goto err;
678
679	/* Random stuff */
680	if (!CBB_add_bytes(&client_hello, s->s3->client_random,
681	sizeof(s->s3->client_random)))
682	goto err;
683
684	/* Session ID */
685	if (!CBB_add_u8_length_prefixed(&client_hello, &session_id))
686	goto err;
687	if (!s->internal->new_session &&
688	s->session->session_id_length > 0) {
689	sl = s->session->session_id_length;
690	if (sl > sizeof(s->session->session_id)) {
691	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 691);
692	goto err;
693	}
694	if (!CBB_add_bytes(&session_id,
695	s->session->session_id, sl))
696	goto err;
697	}
698
699	/* DTLS Cookie. */
700	if (SSL_is_dtls(s)) {
701	if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
702	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 702);
703	goto err;
704	}
705	if (!CBB_add_u8_length_prefixed(&client_hello, &cookie))
706	goto err;
707	if (!CBB_add_bytes(&cookie, s->d1->cookie,
708	s->d1->cookie_len))
709	goto err;
710	}
711
712	/* Ciphers supported */
713	if (!CBB_add_u16_length_prefixed(&client_hello, &cipher_suites))
714	return 0;
715	if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s),
716	&cipher_suites)) {
717	SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE)SSL_error_internal(s, 181, "/usr/src/lib/libssl/ssl_clnt.c", 717 );
718	goto err;
719	}
720
721	/* Add in compression methods (null) */
722	if (!CBB_add_u8_length_prefixed(&client_hello,
723	&compression_methods))
724	goto err;
725	if (!CBB_add_u8(&compression_methods, 0))
726	goto err;
727
728	/* TLS extensions */
729	if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH0x0001, &client_hello)) {
730	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 730);
731	goto err;
732	}
733
734	if (!ssl3_handshake_msg_finish(s, &cbb))
735	goto err;
736
737	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CLNT_HELLO_B(0x111\|0x1000);
738	}
739
740	/* SSL3_ST_CW_CLNT_HELLO_B */
741	return (ssl3_handshake_write(s));
742
743	err:
744	CBB_cleanup(&cbb);
745
746	return (-1);
747	}
748
749	int
750	ssl3_get_dtls_hello_verify(SSL *s)
751	{
752	CBS hello_verify_request, cookie;
753	size_t cookie_len;
754	uint16_t ssl_version;
755	int al, ret;
756
757	if ((ret = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A(0x126\|0x1000),
758	DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B(0x127\|0x1000), -1, s->internal->max_cert_list)) <= 0)
759	return ret;
760
761	if (S3I(s)(s->s3->internal)->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST3) {
762	s->d1->send_cookie = 0;
763	S3I(s)(s->s3->internal)->hs.tls12.reuse_message = 1;
764	return (1);
765	}
766
767	if (s->internal->init_num < 0)
768	goto decode_err;
769
770	CBS_init(&hello_verify_request, s->internal->init_msg,
771	s->internal->init_num);
772
773	if (!CBS_get_u16(&hello_verify_request, &ssl_version))
774	goto decode_err;
775	if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie))
776	goto decode_err;
777	if (CBS_len(&hello_verify_request) != 0)
778	goto decode_err;
779
780	/*
781	* Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always
782	* contain DTLSv1.0 the version that is going to be negotiated.
783	* Tolerate DTLSv1.2 just in case.
784	*/
785	if (ssl_version != DTLS1_VERSION0xFEFF && ssl_version != DTLS1_2_VERSION0xFEFD) {
786	SSLerror(s, SSL_R_WRONG_SSL_VERSION)SSL_error_internal(s, 266, "/usr/src/lib/libssl/ssl_clnt.c", 786 );
787	s->version = (s->version & 0xff00) \| (ssl_version & 0xff);
788	al = SSL_AD_PROTOCOL_VERSION70;
789	goto fatal_err;
790	}
791
792	if (!CBS_write_bytes(&cookie, s->d1->cookie,
793	sizeof(s->d1->cookie), &cookie_len)) {
794	s->d1->cookie_len = 0;
795	al = SSL_AD_ILLEGAL_PARAMETER47;
796	goto fatal_err;
797	}
798	s->d1->cookie_len = cookie_len;
799	s->d1->send_cookie = 1;
800
801	return 1;
802
803	decode_err:
804	al = SSL_AD_DECODE_ERROR50;
805	fatal_err:
806	ssl3_send_alert(s, SSL3_AL_FATAL2, al);
807	return -1;
808	}
809
810	int
811	ssl3_get_server_hello(SSL *s)
812	{
813	CBS cbs, server_random, session_id;
814	uint16_t server_version, cipher_suite;
815	uint8_t compression_method;
816	const SSL_CIPHER *cipher;
817	const SSL_METHOD *method;
818	unsigned long alg_k;
819	size_t outlen;
820	int al, ret;
821
822	s->internal->first_packet = 1;
823	if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A(0x120\|0x1000),
824	SSL3_ST_CR_SRVR_HELLO_B(0x121\|0x1000), -1, 20000 /* ?? */)) <= 0)
825	return ret;
826	s->internal->first_packet = 0;
827
828	if (s->internal->init_num < 0)
829	goto decode_err;
830
831	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
832
833	if (SSL_is_dtls(s)) {
834	if (S3I(s)(s->s3->internal)->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST3) {
835	if (s->d1->send_cookie == 0) {
836	S3I(s)(s->s3->internal)->hs.tls12.reuse_message = 1;
837	return (1);
838	} else {
839	/* Already sent a cookie. */
840	al = SSL_AD_UNEXPECTED_MESSAGE10;
841	SSLerror(s, SSL_R_BAD_MESSAGE_TYPE)SSL_error_internal(s, 114, "/usr/src/lib/libssl/ssl_clnt.c", 841 );
842	goto fatal_err;
843	}
844	}
845	}
846
847	if (S3I(s)(s->s3->internal)->hs.tls12.message_type != SSL3_MT_SERVER_HELLO2) {
848	al = SSL_AD_UNEXPECTED_MESSAGE10;
849	SSLerror(s, SSL_R_BAD_MESSAGE_TYPE)SSL_error_internal(s, 114, "/usr/src/lib/libssl/ssl_clnt.c", 849 );
850	goto fatal_err;
851	}
852
853	if (!CBS_get_u16(&cbs, &server_version))
854	goto decode_err;
855
856	if (!ssl_check_version_from_server(s, server_version)) {
857	SSLerror(s, SSL_R_WRONG_SSL_VERSION)SSL_error_internal(s, 266, "/usr/src/lib/libssl/ssl_clnt.c", 857 );
858	s->version = (s->version & 0xff00) \| (server_version & 0xff);
859	al = SSL_AD_PROTOCOL_VERSION70;
860	goto fatal_err;
861	}
862	S3I(s)(s->s3->internal)->hs.peer_legacy_version = server_version;
863	s->version = server_version;
864
865	S3I(s)(s->s3->internal)->hs.negotiated_tls_version = ssl_tls_version(server_version);
866	if (S3I(s)(s->s3->internal)->hs.negotiated_tls_version == 0) {
867	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 867);
868	goto err;
869	}
870
871	if ((method = ssl_get_method(server_version)) == NULL((void*)0)) {
872	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 872);
873	goto err;
874	}
875	s->method = method;
876
877	/* Server random. */
878	if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE32))
879	goto decode_err;
880	if (!CBS_write_bytes(&server_random, s->s3->server_random,
881	sizeof(s->s3->server_random), NULL((void*)0)))
882	goto err;
883
884	if (S3I(s)(s->s3->internal)->hs.our_max_tls_version >= TLS1_2_VERSION0x0303 &&
885	S3I(s)(s->s3->internal)->hs.negotiated_tls_version < S3I(s)(s->s3->internal)->hs.our_max_tls_version) {
886	/*
887	* RFC 8446 section 4.1.3. We must not downgrade if the server
888	* random value contains the TLS 1.2 or TLS 1.1 magical value.
889	*/
890	if (!CBS_skip(&server_random,
891	CBS_len(&server_random) - sizeof(tls13_downgrade_12)))
892	goto err;
893	if (S3I(s)(s->s3->internal)->hs.negotiated_tls_version == TLS1_2_VERSION0x0303 &&
894	CBS_mem_equal(&server_random, tls13_downgrade_12,
895	sizeof(tls13_downgrade_12))) {
896	al = SSL_AD_ILLEGAL_PARAMETER47;
897	SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK)SSL_error_internal(s, 373, "/usr/src/lib/libssl/ssl_clnt.c", 897 );
898	goto fatal_err;
899	}
900	if (CBS_mem_equal(&server_random, tls13_downgrade_11,
901	sizeof(tls13_downgrade_11))) {
902	al = SSL_AD_ILLEGAL_PARAMETER47;
903	SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK)SSL_error_internal(s, 373, "/usr/src/lib/libssl/ssl_clnt.c", 903 );
904	goto fatal_err;
905	}
906	}
907
908	/* Session ID. */
909	if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
910	goto decode_err;
911
912	if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE32) {
913	al = SSL_AD_ILLEGAL_PARAMETER47;
914	SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG)SSL_error_internal(s, 300, "/usr/src/lib/libssl/ssl_clnt.c", 914 );
915	goto fatal_err;
916	}
917
918	/* Cipher suite. */
919	if (!CBS_get_u16(&cbs, &cipher_suite))
920	goto decode_err;
921
922	/*
923	* Check if we want to resume the session based on external
924	* pre-shared secret.
925	*/
926	if (s->internal->tls_session_secret_cb) {
927	SSL_CIPHER pref_cipher = NULL((void)0);
928	s->session->master_key_length = sizeof(s->session->master_key);
929	if (s->internal->tls_session_secret_cb(s, s->session->master_key,
930	&s->session->master_key_length, NULL((void*)0), &pref_cipher,
931	s->internal->tls_session_secret_cb_arg)) {
932	s->session->cipher = pref_cipher ? pref_cipher :
933	ssl3_get_cipher_by_value(cipher_suite);
934	s->s3->flags \|= SSL3_FLAGS_CCS_OK0x0080;
935	}
936	}
937
938	if (s->session->session_id_length != 0 &&
939	CBS_mem_equal(&session_id, s->session->session_id,
940	s->session->session_id_length)) {
941	if (s->sid_ctx_length != s->session->sid_ctx_length \|\|
942	timingsafe_memcmp(s->session->sid_ctx,
943	s->sid_ctx, s->sid_ctx_length) != 0) {
944	/* actually a client application bug */
945	al = SSL_AD_ILLEGAL_PARAMETER47;
946	SSLerror(s, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT)SSL_error_internal(s, 272, "/usr/src/lib/libssl/ssl_clnt.c", 946 );
947	goto fatal_err;
948	}
949	s->s3->flags \|= SSL3_FLAGS_CCS_OK0x0080;
950	s->internal->hit = 1;
951	} else {
952	/* a miss or crap from the other end */
953
954	/* If we were trying for session-id reuse, make a new
955	* SSL_SESSION so we don't stuff up other people */
956	s->internal->hit = 0;
957	if (s->session->session_id_length > 0) {
958	if (!ssl_get_new_session(s, 0)) {
959	al = SSL_AD_INTERNAL_ERROR80;
960	goto fatal_err;
961	}
962	}
963
964	/*
965	* XXX - improve the handling for the case where there is a
966	* zero length session identifier.
967	*/
968	if (!CBS_write_bytes(&session_id, s->session->session_id,
969	sizeof(s->session->session_id), &outlen))
970	goto err;
971	s->session->session_id_length = outlen;
972
973	s->session->ssl_version = s->version;
974	}
975
976	if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL((void*)0)) {
977	al = SSL_AD_ILLEGAL_PARAMETER47;
978	SSLerror(s, SSL_R_UNKNOWN_CIPHER_RETURNED)SSL_error_internal(s, 248, "/usr/src/lib/libssl/ssl_clnt.c", 978 );
979	goto fatal_err;
980	}
981
982	/* TLS v1.2 only ciphersuites require v1.2 or later. */
983	if ((cipher->algorithm_ssl & SSL_TLSV1_20x00000004L) &&
984	S3I(s)(s->s3->internal)->hs.negotiated_tls_version < TLS1_2_VERSION0x0303) {
985	al = SSL_AD_ILLEGAL_PARAMETER47;
986	SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED)SSL_error_internal(s, 261, "/usr/src/lib/libssl/ssl_clnt.c", 986 );
987	goto fatal_err;
988	}
989
990	if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) {
991	/* we did not say we would use this cipher */
992	al = SSL_AD_ILLEGAL_PARAMETER47;
993	SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED)SSL_error_internal(s, 261, "/usr/src/lib/libssl/ssl_clnt.c", 993 );
994	goto fatal_err;
995	}
996
997	/*
998	* Depending on the session caching (internal/external), the cipher
999	* and/or cipher_id values may not be set. Make sure that
1000	* cipher_id is set and use it for comparison.
1001	*/
1002	if (s->session->cipher)
1003	s->session->cipher_id = s->session->cipher->id;
1004	if (s->internal->hit && (s->session->cipher_id != cipher->id)) {
1005	al = SSL_AD_ILLEGAL_PARAMETER47;
1006	SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED)SSL_error_internal(s, 197, "/usr/src/lib/libssl/ssl_clnt.c", 1006 );
1007	goto fatal_err;
1008	}
1009	S3I(s)(s->s3->internal)->hs.cipher = cipher;
1010
1011	if (!tls1_transcript_hash_init(s))
1012	goto err;
1013
1014	/*
1015	* Don't digest cached records if no sigalgs: we may need them for
1016	* client authentication.
1017	*/
1018	alg_k = S3I(s)(s->s3->internal)->hs.cipher->algorithm_mkey;
1019	if (!(SSL_USE_SIGALGS(s)(s->method->enc_flags & (1 << 1)) \|\| (alg_k & SSL_kGOST0x00000200L)))
1020	tls1_transcript_free(s);
1021
1022	if (!CBS_get_u8(&cbs, &compression_method))
1023	goto decode_err;
1024
1025	if (compression_method != 0) {
1026	al = SSL_AD_ILLEGAL_PARAMETER47;
1027	SSLerror(s, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM)SSL_error_internal(s, 257, "/usr/src/lib/libssl/ssl_clnt.c", 1027 );
1028	goto fatal_err;
1029	}
1030
1031	if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH0x0002, &cbs, &al)) {
1032	SSLerror(s, SSL_R_PARSE_TLSEXT)SSL_error_internal(s, 227, "/usr/src/lib/libssl/ssl_clnt.c", 1032 );
1033	goto fatal_err;
1034	}
1035
1036	if (CBS_len(&cbs) != 0)
1037	goto decode_err;
1038
1039	/*
1040	* Determine if we need to see RI. Strictly speaking if we want to
1041	* avoid an attack we should always see RI even on initial server
1042	* hello because the client doesn't see any renegotiation during an
1043	* attack. However this would mean we could not connect to any server
1044	* which doesn't support RI so for the immediate future tolerate RI
1045	* absence on initial connect only.
1046	*/
1047	if (!S3I(s)(s->s3->internal)->renegotiate_seen &&
1048	!(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT0x00000004L)) {
1049	al = SSL_AD_HANDSHAKE_FAILURE40;
1050	SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED)SSL_error_internal(s, 338, "/usr/src/lib/libssl/ssl_clnt.c", 1050 );
1051	goto fatal_err;
1052	}
1053
1054	if (ssl_check_serverhello_tlsext(s) <= 0) {
1055	SSLerror(s, SSL_R_SERVERHELLO_TLSEXT)SSL_error_internal(s, 275, "/usr/src/lib/libssl/ssl_clnt.c", 1055 );
1056	goto err;
1057	}
1058
1059	return (1);
1060
1061	decode_err:
1062	/* wrong packet length */
1063	al = SSL_AD_DECODE_ERROR50;
1064	SSLerror(s, SSL_R_BAD_PACKET_LENGTH)SSL_error_internal(s, 115, "/usr/src/lib/libssl/ssl_clnt.c", 1064 );
1065	fatal_err:
1066	ssl3_send_alert(s, SSL3_AL_FATAL2, al);
1067	err:
1068	return (-1);
1069	}
1070
1071	int
1072	ssl3_get_server_certificate(SSL *s)
1073	{
1074	CBS cbs, cert_list;
1075	X509 x = NULL((void)0);
1076	const unsigned char *q;
1077	STACK_OF(X509)struct stack_st_X509 sk = NULL((void)0);
1078	EVP_PKEY *pkey;
1079	int cert_type;
1080	int al, ret;
1081
1082	if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A(0x130\|0x1000),
1083	SSL3_ST_CR_CERT_B(0x131\|0x1000), -1, s->internal->max_cert_list)) <= 0)
1084	return ret;
1085
1086	ret = -1;
1087
1088	if (S3I(s)(s->s3->internal)->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE12) {
1089	S3I(s)(s->s3->internal)->hs.tls12.reuse_message = 1;
1090	return (1);
1091	}
1092
1093	if (S3I(s)(s->s3->internal)->hs.tls12.message_type != SSL3_MT_CERTIFICATE11) {
1094	al = SSL_AD_UNEXPECTED_MESSAGE10;
1095	SSLerror(s, SSL_R_BAD_MESSAGE_TYPE)SSL_error_internal(s, 114, "/usr/src/lib/libssl/ssl_clnt.c", 1095 );
1096	goto fatal_err;
1097	}
1098
1099	if ((sk = sk_X509_new_null()((struct stack_st_X509 )sk_new_null())) == NULL((void)0)) {
1100	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1100);
1101	goto err;
1102	}
1103
1104	if (s->internal->init_num < 0)
1105	goto decode_err;
1106
1107	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
1108	if (CBS_len(&cbs) < 3)
1109	goto decode_err;
1110
1111	if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) \|\|
1112	CBS_len(&cbs) != 0) {
1113	al = SSL_AD_DECODE_ERROR50;
1114	SSLerror(s, SSL_R_LENGTH_MISMATCH)SSL_error_internal(s, 159, "/usr/src/lib/libssl/ssl_clnt.c", 1114 );
1115	goto fatal_err;
1116	}
1117
1118	while (CBS_len(&cert_list) > 0) {
1119	CBS cert;
1120
1121	if (CBS_len(&cert_list) < 3)
1122	goto decode_err;
1123	if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) {
1124	al = SSL_AD_DECODE_ERROR50;
1125	SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH)SSL_error_internal(s, 135, "/usr/src/lib/libssl/ssl_clnt.c", 1125 );
1126	goto fatal_err;
1127	}
1128
1129	q = CBS_data(&cert);
1130	x = d2i_X509(NULL((void*)0), &q, CBS_len(&cert));
1131	if (x == NULL((void*)0)) {
1132	al = SSL_AD_BAD_CERTIFICATE42;
1133	SSLerror(s, ERR_R_ASN1_LIB)SSL_error_internal(s, 13, "/usr/src/lib/libssl/ssl_clnt.c", 1133 );
1134	goto fatal_err;
1135	}
1136	if (q != CBS_data(&cert) + CBS_len(&cert)) {
1137	al = SSL_AD_DECODE_ERROR50;
1138	SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH)SSL_error_internal(s, 135, "/usr/src/lib/libssl/ssl_clnt.c", 1138 );
1139	goto fatal_err;
1140	}
1141	if (!sk_X509_push(sk, x)sk_push(((_STACK) (1 ? (sk) : (struct stack_st_X509)0)), (( void) (1 ? (x) : (X509)0)))) {
1142	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1142);
1143	goto err;
1144	}
1145	x = NULL((void*)0);
1146	}
1147
1148	if (ssl_verify_cert_chain(s, sk) <= 0 &&
1149	s->verify_mode != SSL_VERIFY_NONE0x00) {
1150	al = ssl_verify_alarm_type(s->verify_result);
1151	SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED)SSL_error_internal(s, 134, "/usr/src/lib/libssl/ssl_clnt.c", 1151 );
1152	goto fatal_err;
1153	}
1154	ERR_clear_error(); /* but we keep s->verify_result */
1155
1156	/*
1157	* Inconsistency alert: cert_chain does include the peer's
1158	* certificate, which we don't include in s3_srvr.c
1159	*/
1160	x = sk_X509_value(sk, 0)((X509 )sk_value(((_STACK) (1 ? (sk) : (struct stack_st_X509 *)0)), (0)));
1161
1162	if ((pkey = X509_get0_pubkey(x)) == NULL((void*)0) \|\|
1163	EVP_PKEY_missing_parameters(pkey)) {
1164	x = NULL((void*)0);
1165	al = SSL3_AL_FATAL2;
1166	SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS)SSL_error_internal(s, 239, "/usr/src/lib/libssl/ssl_clnt.c", 1166 );
1167	goto fatal_err;
1168	}
1169	if ((cert_type = ssl_cert_type(x, pkey)) < 0) {
1170	x = NULL((void*)0);
1171	al = SSL3_AL_FATAL2;
1172	SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE)SSL_error_internal(s, 247, "/usr/src/lib/libssl/ssl_clnt.c", 1172 );
1173	goto fatal_err;
1174	}
1175
1176	X509_up_ref(x);
1177	X509_free(s->session->peer_cert);
1178	s->session->peer_cert = x;
1179	s->session->peer_cert_type = cert_type;
1180
1181	s->session->verify_result = s->verify_result;
1182
1183	sk_X509_pop_free(s->session->cert_chain, X509_free)sk_pop_free(((_STACK) (1 ? (s->session->cert_chain) : ( struct stack_st_X509)0)), ((void ()(void )) ((1 ? (X509_free ) : (void ()(X509 ))0))));
1184	s->session->cert_chain = sk;
1185	sk = NULL((void*)0);
1186
1187	x = NULL((void*)0);
1188	ret = 1;
1189
1190	if (0) {
1191	decode_err:
1192	/* wrong packet length */
1193	al = SSL_AD_DECODE_ERROR50;
1194	SSLerror(s, SSL_R_BAD_PACKET_LENGTH)SSL_error_internal(s, 115, "/usr/src/lib/libssl/ssl_clnt.c", 1194 );
1195	fatal_err:
1196	ssl3_send_alert(s, SSL3_AL_FATAL2, al);
1197	}
1198	err:
1199	X509_free(x);
1200	sk_X509_pop_free(sk, X509_free)sk_pop_free(((_STACK) (1 ? (sk) : (struct stack_st_X509)0)) , ((void ()(void )) ((1 ? (X509_free) : (void ()(X509 ))0 ))));
1201
1202	return (ret);
1203	}
1204
1205	static int
1206	ssl3_get_server_kex_dhe(SSL s, CBS cbs)
1207	{
1208	int decode_error, invalid_params, invalid_key;
1209	int nid = NID_dhKeyAgreement28;
1210
1211	tls_key_share_free(S3I(s)(s->s3->internal)->hs.key_share);
1212	if ((S3I(s)(s->s3->internal)->hs.key_share = tls_key_share_new_nid(nid)) == NULL((void*)0))
1213	goto err;
1214
1215	if (!tls_key_share_peer_params(S3I(s)(s->s3->internal)->hs.key_share, cbs,
1216	&decode_error, &invalid_params)) {
1217	if (decode_error) {
1218	SSLerror(s, SSL_R_BAD_PACKET_LENGTH)SSL_error_internal(s, 115, "/usr/src/lib/libssl/ssl_clnt.c", 1218 );
1219	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_DECODE_ERROR50);
1220	}
1221	goto err;
1222	}
1223	if (!tls_key_share_peer_public(S3I(s)(s->s3->internal)->hs.key_share, cbs,
1224	&decode_error, &invalid_key)) {
1225	if (decode_error) {
1226	SSLerror(s, SSL_R_BAD_PACKET_LENGTH)SSL_error_internal(s, 115, "/usr/src/lib/libssl/ssl_clnt.c", 1226 );
1227	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_DECODE_ERROR50);
1228	}
1229	goto err;
1230	}
1231
1232	if (invalid_params) {
1233	SSLerror(s, SSL_R_BAD_DH_P_LENGTH)SSL_error_internal(s, 110, "/usr/src/lib/libssl/ssl_clnt.c", 1233 );
1234	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_ILLEGAL_PARAMETER47);
1235	goto err;
1236	}
1237	if (invalid_key) {
1238	SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH)SSL_error_internal(s, 109, "/usr/src/lib/libssl/ssl_clnt.c", 1238 );
1239	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_ILLEGAL_PARAMETER47);
1240	goto err;
1241	}
1242
1243	return 1;
1244
1245	err:
1246	return 0;
1247	}
1248
1249	static int
1250	ssl3_get_server_kex_ecdhe(SSL s, CBS cbs)
1251	{
1252	uint8_t curve_type;
1253	uint16_t curve_id;
1254	int decode_error;
1255	CBS public;
1256
1257	if (!CBS_get_u8(cbs, &curve_type))
1258	goto decode_err;
1259	if (!CBS_get_u16(cbs, &curve_id))
1260	goto decode_err;
1261
1262	/* Only named curves are supported. */
1263	if (curve_type != NAMED_CURVE_TYPE3) {
1264	SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE)SSL_error_internal(s, 315, "/usr/src/lib/libssl/ssl_clnt.c", 1264 );
1265	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_HANDSHAKE_FAILURE40);
1266	goto err;
1267	}
1268
1269	if (!CBS_get_u8_length_prefixed(cbs, &public))
1270	goto decode_err;
1271
1272	/*
1273	* Check that the curve is one of our preferences - if it is not,
1274	* the server has sent us an invalid curve.
1275	*/
1276	if (!tls1_check_curve(s, curve_id)) {
1277	SSLerror(s, SSL_R_WRONG_CURVE)SSL_error_internal(s, 378, "/usr/src/lib/libssl/ssl_clnt.c", 1277 );
1278	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_ILLEGAL_PARAMETER47);
1279	goto err;
1280	}
1281
1282	tls_key_share_free(S3I(s)(s->s3->internal)->hs.key_share);
1283	if ((S3I(s)(s->s3->internal)->hs.key_share = tls_key_share_new(curve_id)) == NULL((void*)0))
1284	goto err;
1285
1286	if (!tls_key_share_peer_public(S3I(s)(s->s3->internal)->hs.key_share, &public,
1287	&decode_error, NULL((void*)0))) {
1288	if (decode_error)
1289	goto decode_err;
1290	goto err;
1291	}
1292
1293	return 1;
1294
1295	decode_err:
1296	SSLerror(s, SSL_R_BAD_PACKET_LENGTH)SSL_error_internal(s, 115, "/usr/src/lib/libssl/ssl_clnt.c", 1296 );
1297	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_DECODE_ERROR50);
1298	err:
1299	return 0;
1300	}
1301
1302	int
1303	ssl3_get_server_key_exchange(SSL *s)
1304	{
1305	CBS cbs, signature;
1306	EVP_MD_CTX *md_ctx;
1307	const unsigned char *param;
1308	size_t param_len;
1309	long alg_k, alg_a;
1310	int al, ret;
1311
1312	alg_k = S3I(s)(s->s3->internal)->hs.cipher->algorithm_mkey;
1313	alg_a = S3I(s)(s->s3->internal)->hs.cipher->algorithm_auth;
1314
1315	/*
1316	* Use same message size as in ssl3_get_certificate_request()
1317	* as ServerKeyExchange message may be skipped.
1318	*/
1319	if ((ret = ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A(0x140\|0x1000),
1320	SSL3_ST_CR_KEY_EXCH_B(0x141\|0x1000), -1, s->internal->max_cert_list)) <= 0)
1321	return ret;
1322
1323	if ((md_ctx = EVP_MD_CTX_new()) == NULL((void*)0))
1324	goto err;
1325
1326	if (s->internal->init_num < 0)
1327	goto err;
1328
1329	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
1330
1331	if (S3I(s)(s->s3->internal)->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE12) {
1332	/*
1333	* Do not skip server key exchange if this cipher suite uses
1334	* ephemeral keys.
1335	*/
1336	if (alg_k & (SSL_kDHE0x00000008L\|SSL_kECDHE0x00000080L)) {
1337	SSLerror(s, SSL_R_UNEXPECTED_MESSAGE)SSL_error_internal(s, 244, "/usr/src/lib/libssl/ssl_clnt.c", 1337 );
1338	al = SSL_AD_UNEXPECTED_MESSAGE10;
1339	goto fatal_err;
1340	}
1341
1342	S3I(s)(s->s3->internal)->hs.tls12.reuse_message = 1;
1343	EVP_MD_CTX_free(md_ctx);
1344	return (1);
1345	}
1346
1347	param = CBS_data(&cbs);
1348	param_len = CBS_len(&cbs);
1349
1350	if (alg_k & SSL_kDHE0x00000008L) {
1351	if (!ssl3_get_server_kex_dhe(s, &cbs))
1352	goto err;
1353	} else if (alg_k & SSL_kECDHE0x00000080L) {
1354	if (!ssl3_get_server_kex_ecdhe(s, &cbs))
1355	goto err;
1356	} else if (alg_k != 0) {
1357	al = SSL_AD_UNEXPECTED_MESSAGE10;
1358	SSLerror(s, SSL_R_UNEXPECTED_MESSAGE)SSL_error_internal(s, 244, "/usr/src/lib/libssl/ssl_clnt.c", 1358 );
1359	goto fatal_err;
1360	}
1361
1362	param_len -= CBS_len(&cbs);
1363
1364	/* if it was signed, check the signature */
1365	if ((alg_a & SSL_aNULL0x00000004L) == 0) {
1366	uint16_t sigalg_value = SIGALG_NONE0x0000;
1367	const struct ssl_sigalg *sigalg;
1368	EVP_PKEY_CTX *pctx;
1369	EVP_PKEY pkey = NULL((void)0);
1370
1371	if ((alg_a & SSL_aRSA0x00000001L) != 0 &&
1372	s->session->peer_cert_type == SSL_PKEY_RSA0) {
1373	pkey = X509_get0_pubkey(s->session->peer_cert);
1374	} else if ((alg_a & SSL_aECDSA0x00000040L) != 0 &&
1375	s->session->peer_cert_type == SSL_PKEY_ECC1) {
1376	pkey = X509_get0_pubkey(s->session->peer_cert);
1377	}
1378	if (pkey == NULL((void*)0)) {
1379	al = SSL_AD_ILLEGAL_PARAMETER47;
1380	SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE)SSL_error_internal(s, 247, "/usr/src/lib/libssl/ssl_clnt.c", 1380 );
1381	goto err;
1382	}
1383
1384	if (SSL_USE_SIGALGS(s)(s->method->enc_flags & (1 << 1))) {
1385	if (!CBS_get_u16(&cbs, &sigalg_value))
1386	goto decode_err;
1387	}
1388	if (!CBS_get_u16_length_prefixed(&cbs, &signature))
1389	goto decode_err;
1390	if (CBS_len(&signature) > EVP_PKEY_size(pkey)) {
1391	al = SSL_AD_DECODE_ERROR50;
1392	SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH)SSL_error_internal(s, 264, "/usr/src/lib/libssl/ssl_clnt.c", 1392 );
1393	goto fatal_err;
1394	}
1395
1396	if ((sigalg = ssl_sigalg_for_peer(s, pkey,
1397	sigalg_value)) == NULL((void*)0)) {
1398	al = SSL_AD_DECODE_ERROR50;
1399	goto fatal_err;
1400	}
1401	S3I(s)(s->s3->internal)->hs.peer_sigalg = sigalg;
1402
1403	if (!EVP_DigestVerifyInit(md_ctx, &pctx, sigalg->md(),
1404	NULL((void*)0), pkey))
1405	goto err;
1406	if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->client_random,EVP_DigestUpdate(md_ctx,s->s3->client_random,32)
1407	SSL3_RANDOM_SIZE)EVP_DigestUpdate(md_ctx,s->s3->client_random,32))
1408	goto err;
1409	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS0x00000001) &&
1410	(!EVP_PKEY_CTX_set_rsa_padding(pctx,RSA_pkey_ctx_ctrl(pctx, -1, (0x1000 + 1), 6, ((void*)0))
1411	RSA_PKCS1_PSS_PADDING)RSA_pkey_ctx_ctrl(pctx, -1, (0x1000 + 1), 6, ((void*)0)) \|\|
1412	!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)RSA_pkey_ctx_ctrl(pctx, ((1<<3)\|(1<<4)), (0x1000 + 2), -1, ((void*)0))))
1413	goto err;
1414	if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->server_random,EVP_DigestUpdate(md_ctx,s->s3->server_random,32)
1415	SSL3_RANDOM_SIZE)EVP_DigestUpdate(md_ctx,s->s3->server_random,32))
1416	goto err;
1417	if (!EVP_DigestVerifyUpdate(md_ctx, param, param_len)EVP_DigestUpdate(md_ctx,param,param_len))
1418	goto err;
1419	if (EVP_DigestVerifyFinal(md_ctx, CBS_data(&signature),
1420	CBS_len(&signature)) <= 0) {
1421	al = SSL_AD_DECRYPT_ERROR51;
1422	SSLerror(s, SSL_R_BAD_SIGNATURE)SSL_error_internal(s, 123, "/usr/src/lib/libssl/ssl_clnt.c", 1422 );
1423	goto fatal_err;
1424	}
1425	}
1426
1427	if (CBS_len(&cbs) != 0) {
1428	al = SSL_AD_DECODE_ERROR50;
1429	SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE)SSL_error_internal(s, 153, "/usr/src/lib/libssl/ssl_clnt.c", 1429 );
1430	goto fatal_err;
1431	}
1432
1433	EVP_MD_CTX_free(md_ctx);
1434
1435	return (1);
1436
1437	decode_err:
1438	al = SSL_AD_DECODE_ERROR50;
1439	SSLerror(s, SSL_R_BAD_PACKET_LENGTH)SSL_error_internal(s, 115, "/usr/src/lib/libssl/ssl_clnt.c", 1439 );
1440
1441	fatal_err:
1442	ssl3_send_alert(s, SSL3_AL_FATAL2, al);
1443
1444	err:
1445	EVP_MD_CTX_free(md_ctx);
1446
1447	return (-1);
1448	}
1449
1450	int
1451	ssl3_get_certificate_request(SSL *s)
1452	{
1453	CBS cert_request, cert_types, rdn_list;
1454	X509_NAME xn = NULL((void)0);
1455	const unsigned char *q;
1456	STACK_OF(X509_NAME)struct stack_st_X509_NAME ca_sk = NULL((void)0);
1457	int ret;
1458
1459	if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A(0x150\|0x1000),
1460	SSL3_ST_CR_CERT_REQ_B(0x151\|0x1000), -1, s->internal->max_cert_list)) <= 0)
1461	return ret;
1462
1463	ret = 0;
1464
1465	S3I(s)(s->s3->internal)->hs.tls12.cert_request = 0;
1466
1467	if (S3I(s)(s->s3->internal)->hs.tls12.message_type == SSL3_MT_SERVER_DONE14) {
1468	S3I(s)(s->s3->internal)->hs.tls12.reuse_message = 1;
1469	/*
1470	* If we get here we don't need any cached handshake records
1471	* as we wont be doing client auth.
1472	*/
1473	tls1_transcript_free(s);
1474	return (1);
1475	}
1476
1477	if (S3I(s)(s->s3->internal)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_REQUEST13) {
1478	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_UNEXPECTED_MESSAGE10);
1479	SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE)SSL_error_internal(s, 262, "/usr/src/lib/libssl/ssl_clnt.c", 1479 );
1480	goto err;
1481	}
1482
1483	/* TLS does not like anon-DH with client cert */
1484	if (S3I(s)(s->s3->internal)->hs.cipher->algorithm_auth & SSL_aNULL0x00000004L) {
1485	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_UNEXPECTED_MESSAGE10);
1486	SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER)SSL_error_internal(s, 232, "/usr/src/lib/libssl/ssl_clnt.c", 1486 );
1487	goto err;
1488	}
1489
1490	if (s->internal->init_num < 0)
1491	goto decode_err;
1492	CBS_init(&cert_request, s->internal->init_msg, s->internal->init_num);
1493
1494	if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)((struct stack_st_X509_NAME )sk_new(((int ()(const void , const void )) ((1 ? (ca_dn_cmp) : (int ()(const X509_NAME const , const X509_NAME const ))0)))))) == NULL((void)0)) {
1495	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1495);
1496	goto err;
1497	}
1498
1499	if (!CBS_get_u8_length_prefixed(&cert_request, &cert_types))
1500	goto decode_err;
1501
1502	if (SSL_USE_SIGALGS(s)(s->method->enc_flags & (1 << 1))) {
1503	CBS sigalgs;
1504
1505	if (CBS_len(&cert_request) < 2) {
1506	SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG)SSL_error_internal(s, 146, "/usr/src/lib/libssl/ssl_clnt.c", 1506 );
1507	goto err;
1508	}
1509	if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) {
1510	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_DECODE_ERROR50);
1511	SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG)SSL_error_internal(s, 146, "/usr/src/lib/libssl/ssl_clnt.c", 1511 );
1512	goto err;
1513	}
1514	if (CBS_len(&sigalgs) % 2 != 0 \|\| CBS_len(&sigalgs) > 64) {
1515	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_DECODE_ERROR50);
1516	SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR)SSL_error_internal(s, 360, "/usr/src/lib/libssl/ssl_clnt.c", 1516 );
1517	goto err;
1518	}
1519	if (!CBS_stow(&sigalgs, &S3I(s)(s->s3->internal)->hs.sigalgs,
1520	&S3I(s)(s->s3->internal)->hs.sigalgs_len))
1521	goto err;
1522	}
1523
1524	/* get the CA RDNs */
1525	if (CBS_len(&cert_request) < 2) {
1526	SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG)SSL_error_internal(s, 146, "/usr/src/lib/libssl/ssl_clnt.c", 1526 );
1527	goto err;
1528	}
1529
1530	if (!CBS_get_u16_length_prefixed(&cert_request, &rdn_list) \|\|
1531	CBS_len(&cert_request) != 0) {
1532	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_DECODE_ERROR50);
1533	SSLerror(s, SSL_R_LENGTH_MISMATCH)SSL_error_internal(s, 159, "/usr/src/lib/libssl/ssl_clnt.c", 1533 );
1534	goto err;
1535	}
1536
1537	while (CBS_len(&rdn_list) > 0) {
1538	CBS rdn;
1539
1540	if (CBS_len(&rdn_list) < 2) {
1541	SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG)SSL_error_internal(s, 146, "/usr/src/lib/libssl/ssl_clnt.c", 1541 );
1542	goto err;
1543	}
1544
1545	if (!CBS_get_u16_length_prefixed(&rdn_list, &rdn)) {
1546	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_DECODE_ERROR50);
1547	SSLerror(s, SSL_R_CA_DN_TOO_LONG)SSL_error_internal(s, 132, "/usr/src/lib/libssl/ssl_clnt.c", 1547 );
1548	goto err;
1549	}
1550
1551	q = CBS_data(&rdn);
1552	if ((xn = d2i_X509_NAME(NULL((void)0), &q, CBS_len(&rdn))) == NULL((void)0)) {
1553	ssl3_send_alert(s, SSL3_AL_FATAL2,
1554	SSL_AD_DECODE_ERROR50);
1555	SSLerror(s, ERR_R_ASN1_LIB)SSL_error_internal(s, 13, "/usr/src/lib/libssl/ssl_clnt.c", 1555 );
1556	goto err;
1557	}
1558
1559	if (q != CBS_data(&rdn) + CBS_len(&rdn)) {
1560	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_DECODE_ERROR50);
1561	SSLerror(s, SSL_R_CA_DN_LENGTH_MISMATCH)SSL_error_internal(s, 131, "/usr/src/lib/libssl/ssl_clnt.c", 1561 );
1562	goto err;
1563	}
1564	if (!sk_X509_NAME_push(ca_sk, xn)sk_push(((_STACK) (1 ? (ca_sk) : (struct stack_st_X509_NAME )0)), ((void) (1 ? (xn) : (X509_NAME)0)))) {
1565	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1565);
1566	goto err;
1567	}
1568	xn = NULL((void)0); / avoid free in err block */
1569	}
1570
1571	/* we should setup a certificate to return.... */
1572	S3I(s)(s->s3->internal)->hs.tls12.cert_request = 1;
1573	sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free)sk_pop_free(((_STACK) (1 ? ((s->s3->internal)->hs.tls12 .ca_names) : (struct stack_st_X509_NAME)0)), ((void ()(void )) ((1 ? (X509_NAME_free) : (void ()(X509_NAME ))0))));
1574	S3I(s)(s->s3->internal)->hs.tls12.ca_names = ca_sk;
1575	ca_sk = NULL((void*)0);
1576
1577	ret = 1;
1578	if (0) {
1579	decode_err:
1580	SSLerror(s, SSL_R_BAD_PACKET_LENGTH)SSL_error_internal(s, 115, "/usr/src/lib/libssl/ssl_clnt.c", 1580 );
1581	}
1582	err:
1583	X509_NAME_free(xn);
1584	sk_X509_NAME_pop_free(ca_sk, X509_NAME_free)sk_pop_free(((_STACK) (1 ? (ca_sk) : (struct stack_st_X509_NAME )0)), ((void ()(void )) ((1 ? (X509_NAME_free) : (void () (X509_NAME ))0))));
1585	return (ret);
1586	}
1587
1588	static int
1589	ca_dn_cmp(const X509_NAME * const a, const X509_NAME const *b)
1590	{
1591	return (X509_NAME_cmp(a, b));
1592	}
1593
1594	int
1595	ssl3_get_new_session_ticket(SSL *s)
1596	{
1597	uint32_t lifetime_hint;
1598	CBS cbs, session_ticket;
1599	int al, ret;
1600
1601	if ((ret = ssl3_get_message(s, SSL3_ST_CR_SESSION_TICKET_A(0x1E0\|0x1000),
1602	SSL3_ST_CR_SESSION_TICKET_B(0x1E1\|0x1000), -1, 16384)) <= 0)
1603	return ret;
1604
1605	ret = 0;
	Value stored to 'ret' is never read
1606
1607	if (S3I(s)(s->s3->internal)->hs.tls12.message_type == SSL3_MT_FINISHED20) {
1608	S3I(s)(s->s3->internal)->hs.tls12.reuse_message = 1;
1609	return (1);
1610	}
1611	if (S3I(s)(s->s3->internal)->hs.tls12.message_type != SSL3_MT_NEWSESSION_TICKET4) {
1612	al = SSL_AD_UNEXPECTED_MESSAGE10;
1613	SSLerror(s, SSL_R_BAD_MESSAGE_TYPE)SSL_error_internal(s, 114, "/usr/src/lib/libssl/ssl_clnt.c", 1613 );
1614	goto fatal_err;
1615	}
1616
1617	if (s->internal->init_num < 0) {
1618	al = SSL_AD_DECODE_ERROR50;
1619	SSLerror(s, SSL_R_LENGTH_MISMATCH)SSL_error_internal(s, 159, "/usr/src/lib/libssl/ssl_clnt.c", 1619 );
1620	goto fatal_err;
1621	}
1622
1623	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
1624	if (!CBS_get_u32(&cbs, &lifetime_hint) \|\|
1625	!CBS_get_u16_length_prefixed(&cbs, &session_ticket) \|\|
1626	CBS_len(&cbs) != 0) {
1627	al = SSL_AD_DECODE_ERROR50;
1628	SSLerror(s, SSL_R_LENGTH_MISMATCH)SSL_error_internal(s, 159, "/usr/src/lib/libssl/ssl_clnt.c", 1628 );
1629	goto fatal_err;
1630	}
1631	s->session->tlsext_tick_lifetime_hint = lifetime_hint;
1632
1633	if (!CBS_stow(&session_ticket, &s->session->tlsext_tick,
1634	&s->session->tlsext_ticklen)) {
1635	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1635);
1636	goto err;
1637	}
1638
1639	/*
1640	* There are two ways to detect a resumed ticket sesion.
1641	* One is to set an appropriate session ID and then the server
1642	* must return a match in ServerHello. This allows the normal
1643	* client session ID matching to work and we know much
1644	* earlier that the ticket has been accepted.
1645	*
1646	* The other way is to set zero length session ID when the
1647	* ticket is presented and rely on the handshake to determine
1648	* session resumption.
1649	*
1650	* We choose the former approach because this fits in with
1651	* assumptions elsewhere in OpenSSL. The session ID is set
1652	* to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
1653	* ticket.
1654	*/
1655	EVP_Digest(CBS_data(&session_ticket), CBS_len(&session_ticket),
1656	s->session->session_id, &s->session->session_id_length,
1657	EVP_sha256(), NULL((void*)0));
1658	ret = 1;
1659	return (ret);
1660	fatal_err:
1661	ssl3_send_alert(s, SSL3_AL_FATAL2, al);
1662	err:
1663	return (-1);
1664	}
1665
1666	int
1667	ssl3_get_cert_status(SSL *s)
1668	{
1669	CBS cert_status, response;
1670	uint8_t status_type;
1671	int al, ret;
1672
1673	if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_STATUS_A(0x1F0\|0x1000),
1674	SSL3_ST_CR_CERT_STATUS_B(0x1F1\|0x1000), -1, 16384)) <= 0)
1675	return ret;
1676
1677	if (S3I(s)(s->s3->internal)->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE12) {
1678	/*
1679	* Tell the callback the server did not send us an OSCP
1680	* response, and has decided to head directly to key exchange.
1681	*/
1682	if (s->ctx->internal->tlsext_status_cb) {
1683	free(s->internal->tlsext_ocsp_resp);
1684	s->internal->tlsext_ocsp_resp = NULL((void*)0);
1685	s->internal->tlsext_ocsp_resp_len = 0;
1686
1687	ret = s->ctx->internal->tlsext_status_cb(s,
1688	s->ctx->internal->tlsext_status_arg);
1689	if (ret == 0) {
1690	al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE113;
1691	SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE)SSL_error_internal(s, 328, "/usr/src/lib/libssl/ssl_clnt.c", 1691 );
1692	goto fatal_err;
1693	}
1694	if (ret < 0) {
1695	al = SSL_AD_INTERNAL_ERROR80;
1696	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1696);
1697	goto fatal_err;
1698	}
1699	}
1700	S3I(s)(s->s3->internal)->hs.tls12.reuse_message = 1;
1701	return (1);
1702	}
1703
1704	if (S3I(s)(s->s3->internal)->hs.tls12.message_type != SSL3_MT_CERTIFICATE11 &&
1705	S3I(s)(s->s3->internal)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS22) {
1706	al = SSL_AD_UNEXPECTED_MESSAGE10;
1707	SSLerror(s, SSL_R_BAD_MESSAGE_TYPE)SSL_error_internal(s, 114, "/usr/src/lib/libssl/ssl_clnt.c", 1707 );
1708	goto fatal_err;
1709	}
1710
1711	if (s->internal->init_num < 0) {
1712	/* need at least status type + length */
1713	al = SSL_AD_DECODE_ERROR50;
1714	SSLerror(s, SSL_R_LENGTH_MISMATCH)SSL_error_internal(s, 159, "/usr/src/lib/libssl/ssl_clnt.c", 1714 );
1715	goto fatal_err;
1716	}
1717
1718	CBS_init(&cert_status, s->internal->init_msg, s->internal->init_num);
1719	if (!CBS_get_u8(&cert_status, &status_type) \|\|
1720	CBS_len(&cert_status) < 3) {
1721	/* need at least status type + length */
1722	al = SSL_AD_DECODE_ERROR50;
1723	SSLerror(s, SSL_R_LENGTH_MISMATCH)SSL_error_internal(s, 159, "/usr/src/lib/libssl/ssl_clnt.c", 1723 );
1724	goto fatal_err;
1725	}
1726
1727	if (status_type != TLSEXT_STATUSTYPE_ocsp1) {
1728	al = SSL_AD_DECODE_ERROR50;
1729	SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE)SSL_error_internal(s, 329, "/usr/src/lib/libssl/ssl_clnt.c", 1729 );
1730	goto fatal_err;
1731	}
1732
1733	if (!CBS_get_u24_length_prefixed(&cert_status, &response) \|\|
1734	CBS_len(&cert_status) != 0) {
1735	al = SSL_AD_DECODE_ERROR50;
1736	SSLerror(s, SSL_R_LENGTH_MISMATCH)SSL_error_internal(s, 159, "/usr/src/lib/libssl/ssl_clnt.c", 1736 );
1737	goto fatal_err;
1738	}
1739
1740	if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
1741	&s->internal->tlsext_ocsp_resp_len)) {
1742	al = SSL_AD_INTERNAL_ERROR80;
1743	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1743);
1744	goto fatal_err;
1745	}
1746
1747	if (s->ctx->internal->tlsext_status_cb) {
1748	int ret;
1749	ret = s->ctx->internal->tlsext_status_cb(s,
1750	s->ctx->internal->tlsext_status_arg);
1751	if (ret == 0) {
1752	al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE113;
1753	SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE)SSL_error_internal(s, 328, "/usr/src/lib/libssl/ssl_clnt.c", 1753 );
1754	goto fatal_err;
1755	}
1756	if (ret < 0) {
1757	al = SSL_AD_INTERNAL_ERROR80;
1758	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1758);
1759	goto fatal_err;
1760	}
1761	}
1762	return (1);
1763	fatal_err:
1764	ssl3_send_alert(s, SSL3_AL_FATAL2, al);
1765	return (-1);
1766	}
1767
1768	int
1769	ssl3_get_server_done(SSL *s)
1770	{
1771	int ret;
1772
1773	if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_DONE_A(0x160\|0x1000),
1774	SSL3_ST_CR_SRVR_DONE_B(0x161\|0x1000), SSL3_MT_SERVER_DONE14,
1775	30 /* should be very small, like 0 :-) */)) <= 0)
1776	return ret;
1777
1778	if (s->internal->init_num != 0) {
1779	/* should contain no data */
1780	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_DECODE_ERROR50);
1781	SSLerror(s, SSL_R_LENGTH_MISMATCH)SSL_error_internal(s, 159, "/usr/src/lib/libssl/ssl_clnt.c", 1781 );
1782	return -1;
1783	}
1784
1785	return 1;
1786	}
1787
1788	static int
1789	ssl3_send_client_kex_rsa(SSL s, CBB cbb)
1790	{
1791	unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH48];
1792	unsigned char enc_pms = NULL((void)0);
1793	uint16_t max_legacy_version;
1794	EVP_PKEY *pkey;
1795	RSA *rsa;
1796	int ret = 0;
1797	int enc_len;
1798	CBB epms;
1799
1800	/*
1801	* RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1.
1802	*/
1803
1804	pkey = X509_get0_pubkey(s->session->peer_cert);
1805	if (pkey == NULL((void)0) \|\| (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL((void)0)) {
1806	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1806);
1807	goto err;
1808	}
1809
1810	/*
1811	* Our maximum legacy protocol version - while RFC 5246 section 7.4.7.1
1812	* says "The latest (newest) version supported by the client", if we're
1813	* doing RSA key exchange then we have to presume that we're talking to
1814	* a server that does not understand the supported versions extension
1815	* and therefore our maximum version is that sent in the ClientHello.
1816	*/
1817	if (!ssl_max_legacy_version(s, &max_legacy_version))
1818	goto err;
1819	pms[0] = max_legacy_version >> 8;
1820	pms[1] = max_legacy_version & 0xff;
1821	arc4random_buf(&pms[2], sizeof(pms) - 2);
1822
1823	if ((enc_pms = malloc(RSA_size(rsa))) == NULL((void*)0)) {
1824	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1824);
1825	goto err;
1826	}
1827
1828	enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, rsa,
1829	RSA_PKCS1_PADDING1);
1830	if (enc_len <= 0) {
1831	SSLerror(s, SSL_R_BAD_RSA_ENCRYPT)SSL_error_internal(s, 119, "/usr/src/lib/libssl/ssl_clnt.c", 1831 );
1832	goto err;
1833	}
1834
1835	if (!CBB_add_u16_length_prefixed(cbb, &epms))
1836	goto err;
1837	if (!CBB_add_bytes(&epms, enc_pms, enc_len))
1838	goto err;
1839	if (!CBB_flush(cbb))
1840	goto err;
1841
1842	if (!tls12_derive_master_secret(s, pms, sizeof(pms)))
1843	goto err;
1844
1845	ret = 1;
1846
1847	err:
1848	explicit_bzero(pms, sizeof(pms));
1849	free(enc_pms);
1850
1851	return ret;
1852	}
1853
1854	static int
1855	ssl3_send_client_kex_dhe(SSL s, CBB cbb)
1856	{
1857	uint8_t key = NULL((void)0);
1858	size_t key_len = 0;
1859	int ret = 0;
1860
1861	/* Ensure that we have an ephemeral key from the server for DHE. */
1862	if (S3I(s)(s->s3->internal)->hs.key_share == NULL((void*)0)) {
1863	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_HANDSHAKE_FAILURE40);
1864	SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS)SSL_error_internal(s, 238, "/usr/src/lib/libssl/ssl_clnt.c", 1864 );
1865	goto err;
1866	}
1867
1868	if (!tls_key_share_generate(S3I(s)(s->s3->internal)->hs.key_share))
1869	goto err;
1870	if (!tls_key_share_public(S3I(s)(s->s3->internal)->hs.key_share, cbb))
1871	goto err;
1872	if (!tls_key_share_derive(S3I(s)(s->s3->internal)->hs.key_share, &key, &key_len))
1873	goto err;
1874
1875	if (!tls12_derive_master_secret(s, key, key_len))
1876	goto err;
1877
1878	ret = 1;
1879
1880	err:
1881	freezero(key, key_len);
1882
1883	return ret;
1884	}
1885
1886	static int
1887	ssl3_send_client_kex_ecdhe(SSL s, CBB cbb)
1888	{
1889	uint8_t key = NULL((void)0);
1890	size_t key_len = 0;
1891	CBB public;
1892	int ret = 0;
1893
1894	/* Ensure that we have an ephemeral key for ECDHE. */
1895	if (S3I(s)(s->s3->internal)->hs.key_share == NULL((void*)0)) {
1896	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_HANDSHAKE_FAILURE40);
1897	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1897);
1898	goto err;
1899	}
1900
1901	if (!tls_key_share_generate(S3I(s)(s->s3->internal)->hs.key_share))
1902	goto err;
1903
1904	if (!CBB_add_u8_length_prefixed(cbb, &public))
1905	return 0;
1906	if (!tls_key_share_public(S3I(s)(s->s3->internal)->hs.key_share, &public))
1907	goto err;
1908	if (!CBB_flush(cbb))
1909	goto err;
1910
1911	if (!tls_key_share_derive(S3I(s)(s->s3->internal)->hs.key_share, &key, &key_len))
1912	goto err;
1913
1914	if (!tls12_derive_master_secret(s, key, key_len))
1915	goto err;
1916
1917	ret = 1;
1918
1919	err:
1920	freezero(key, key_len);
1921
1922	return ret;
1923	}
1924
1925	static int
1926	ssl3_send_client_kex_gost(SSL s, CBB cbb)
1927	{
1928	unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
1929	EVP_PKEY_CTX pkey_ctx = NULL((void)0);
1930	EVP_MD_CTX ukm_hash = NULL((void)0);
1931	EVP_PKEY *pkey;
1932	size_t msglen;
1933	unsigned int md_len;
1934	CBB gostblob;
1935	int nid;
1936	int ret = 0;
1937
1938	/* Get server sertificate PKEY and create ctx from it */
1939	pkey = X509_get0_pubkey(s->session->peer_cert);
1940	if (pkey == NULL((void*)0) \|\| s->session->peer_cert_type != SSL_PKEY_GOST012) {
1941	SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER)SSL_error_internal(s, 330, "/usr/src/lib/libssl/ssl_clnt.c", 1941 );
1942	goto err;
1943	}
1944	if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL((void)0))) == NULL((void)0)) {
1945	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1945);
1946	goto err;
1947	}
1948
1949	/*
1950	* If we have send a certificate, and certificate key parameters match
1951	* those of server certificate, use certificate key for key exchange.
1952	* Otherwise, generate ephemeral key pair.
1953	*/
1954	if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0)
1955	goto err;
1956
1957	/* Generate session key. */
1958	arc4random_buf(premaster_secret, sizeof(premaster_secret));
1959
1960	/*
1961	* If we have client certificate, use its secret as peer key.
1962	* XXX - this presumably lacks PFS.
1963	*/
1964	if (S3I(s)(s->s3->internal)->hs.tls12.cert_request != 0 &&
1965	s->cert->key->privatekey != NULL((void*)0)) {
1966	if (EVP_PKEY_derive_set_peer(pkey_ctx,
1967	s->cert->key->privatekey) <=0) {
1968	/*
1969	* If there was an error - just ignore it.
1970	* Ephemeral key would be used.
1971	*/
1972	ERR_clear_error();
1973	}
1974	}
1975
1976	/*
1977	* Compute shared IV and store it in algorithm-specific context data.
1978	*/
1979	if ((ukm_hash = EVP_MD_CTX_new()) == NULL((void*)0)) {
1980	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 1980);
1981	goto err;
1982	}
1983
1984	/* XXX check handshake hash instead. */
1985	if (S3I(s)(s->s3->internal)->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST940x040)
1986	nid = NID_id_GostR3411_94809;
1987	else
1988	nid = NID_id_tc26_gost3411_2012_256941;
1989	if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid)EVP_get_digestbyname(OBJ_nid2sn(nid))))
1990	goto err;
1991	if (!EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE32))
1992	goto err;
1993	if (!EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE32))
1994	goto err;
1995	if (!EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len))
1996	goto err;
1997	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT(1<<8),
1998	EVP_PKEY_CTRL_SET_IV8, 8, shared_ukm) < 0) {
1999	SSLerror(s, SSL_R_LIBRARY_BUG)SSL_error_internal(s, 274, "/usr/src/lib/libssl/ssl_clnt.c", 1999 );
2000	goto err;
2001	}
2002
2003	/*
2004	* Make GOST keytransport blob message, encapsulate it into sequence.
2005	*/
2006	msglen = 255;
2007	if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret,
2008	sizeof(premaster_secret)) < 0) {
2009	SSLerror(s, SSL_R_LIBRARY_BUG)SSL_error_internal(s, 274, "/usr/src/lib/libssl/ssl_clnt.c", 2009 );
2010	goto err;
2011	}
2012
2013	if (!CBB_add_asn1(cbb, &gostblob, CBS_ASN1_SEQUENCE(0x00 \| 0x20 \| 0x10)))
2014	goto err;
2015	if (!CBB_add_bytes(&gostblob, tmp, msglen))
2016	goto err;
2017	if (!CBB_flush(cbb))
2018	goto err;
2019
2020	/* Check if pubkey from client certificate was used. */
2021	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY2, 2,
2022	NULL((void*)0)) > 0)
2023	s->s3->flags \|= TLS1_FLAGS_SKIP_CERT_VERIFY0x0010;
2024
2025	if (!tls12_derive_master_secret(s, premaster_secret, 32))
2026	goto err;
2027
2028	ret = 1;
2029
2030	err:
2031	explicit_bzero(premaster_secret, sizeof(premaster_secret));
2032	EVP_PKEY_CTX_free(pkey_ctx);
2033	EVP_MD_CTX_free(ukm_hash);
2034
2035	return ret;
2036	}
2037
2038	int
2039	ssl3_send_client_key_exchange(SSL *s)
2040	{
2041	unsigned long alg_k;
2042	CBB cbb, kex;
2043
2044	memset(&cbb, 0, sizeof(cbb));
2045
2046	if (S3I(s)(s->s3->internal)->hs.state == SSL3_ST_CW_KEY_EXCH_A(0x180\|0x1000)) {
2047	alg_k = S3I(s)(s->s3->internal)->hs.cipher->algorithm_mkey;
2048
2049	if (!ssl3_handshake_msg_start(s, &cbb, &kex,
2050	SSL3_MT_CLIENT_KEY_EXCHANGE16))
2051	goto err;
2052
2053	if (alg_k & SSL_kRSA0x00000001L) {
2054	if (!ssl3_send_client_kex_rsa(s, &kex))
2055	goto err;
2056	} else if (alg_k & SSL_kDHE0x00000008L) {
2057	if (!ssl3_send_client_kex_dhe(s, &kex))
2058	goto err;
2059	} else if (alg_k & SSL_kECDHE0x00000080L) {
2060	if (!ssl3_send_client_kex_ecdhe(s, &kex))
2061	goto err;
2062	} else if (alg_k & SSL_kGOST0x00000200L) {
2063	if (!ssl3_send_client_kex_gost(s, &kex))
2064	goto err;
2065	} else {
2066	ssl3_send_alert(s, SSL3_AL_FATAL2,
2067	SSL_AD_HANDSHAKE_FAILURE40);
2068	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 2068);
2069	goto err;
2070	}
2071
2072	if (!ssl3_handshake_msg_finish(s, &cbb))
2073	goto err;
2074
2075	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_KEY_EXCH_B(0x181\|0x1000);
2076	}
2077
2078	/* SSL3_ST_CW_KEY_EXCH_B */
2079	return (ssl3_handshake_write(s));
2080
2081	err:
2082	CBB_cleanup(&cbb);
2083
2084	return (-1);
2085	}
2086
2087	static int
2088	ssl3_send_client_verify_sigalgs(SSL s, EVP_PKEY pkey,
2089	const struct ssl_sigalg sigalg, CBB cert_verify)
2090	{
2091	CBB cbb_signature;
2092	EVP_PKEY_CTX pctx = NULL((void)0);
2093	EVP_MD_CTX mctx = NULL((void)0);
2094	const unsigned char *hdata;
2095	unsigned char signature = NULL((void)0);
2096	size_t signature_len, hdata_len;
2097	int ret = 0;
2098
2099	if ((mctx = EVP_MD_CTX_new()) == NULL((void*)0))
2100	goto err;
2101
2102	if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
2103	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 2103);
2104	goto err;
2105	}
2106	if (!EVP_DigestSignInit(mctx, &pctx, sigalg->md(), NULL((void*)0), pkey)) {
2107	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2107 );
2108	goto err;
2109	}
2110	if (sigalg->key_type == EVP_PKEY_GOSTR01811 &&
2111	EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN(1<<3),
2112	EVP_PKEY_CTRL_GOST_SIG_FORMAT(0x1000 +2), GOST_SIG_FORMAT_RS_LE1, NULL((void*)0)) <= 0) {
2113	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2113 );
2114	goto err;
2115	}
2116	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS0x00000001) &&
2117	(!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)RSA_pkey_ctx_ctrl(pctx, -1, (0x1000 + 1), 6, ((void*)0)) \|\|
2118	!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)RSA_pkey_ctx_ctrl(pctx, ((1<<3)\|(1<<4)), (0x1000 + 2), -1, ((void*)0)))) {
2119	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2119 );
2120	goto err;
2121	}
2122	if (!EVP_DigestSignUpdate(mctx, hdata, hdata_len)EVP_DigestUpdate(mctx,hdata,hdata_len)) {
2123	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2123 );
2124	goto err;
2125	}
2126	if (!EVP_DigestSignFinal(mctx, NULL((void*)0), &signature_len) \|\|
2127	signature_len == 0) {
2128	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2128 );
2129	goto err;
2130	}
2131	if ((signature = calloc(1, signature_len)) == NULL((void*)0)) {
2132	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 2132);
2133	goto err;
2134	}
2135	if (!EVP_DigestSignFinal(mctx, signature, &signature_len)) {
2136	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2136 );
2137	goto err;
2138	}
2139
2140	if (!CBB_add_u16(cert_verify, sigalg->value))
2141	goto err;
2142	if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2143	goto err;
2144	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2145	goto err;
2146	if (!CBB_flush(cert_verify))
2147	goto err;
2148
2149	ret = 1;
2150
2151	err:
2152	EVP_MD_CTX_free(mctx);
2153	free(signature);
2154	return ret;
2155	}
2156
2157	static int
2158	ssl3_send_client_verify_rsa(SSL s, EVP_PKEY pkey, CBB *cert_verify)
2159	{
2160	CBB cbb_signature;
2161	RSA *rsa;
2162	unsigned char data[EVP_MAX_MD_SIZE64];
2163	unsigned char signature = NULL((void)0);
2164	unsigned int signature_len;
2165	size_t data_len;
2166	int ret = 0;
2167
2168	if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len))
2169	goto err;
2170	if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL((void*)0))
2171	goto err;
2172	if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL((void*)0))
2173	goto err;
2174	if (RSA_sign(NID_md5_sha1114, data, data_len, signature, &signature_len,
2175	rsa) <= 0 ) {
2176	SSLerror(s, ERR_R_RSA_LIB)SSL_error_internal(s, 4, "/usr/src/lib/libssl/ssl_clnt.c", 2176 );
2177	goto err;
2178	}
2179
2180	if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2181	goto err;
2182	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2183	goto err;
2184	if (!CBB_flush(cert_verify))
2185	goto err;
2186
2187	ret = 1;
2188	err:
2189	free(signature);
2190	return ret;
2191	}
2192
2193	static int
2194	ssl3_send_client_verify_ec(SSL s, EVP_PKEY pkey, CBB *cert_verify)
2195	{
2196	CBB cbb_signature;
2197	EC_KEY *eckey;
2198	unsigned char data[EVP_MAX_MD_SIZE64];
2199	unsigned char signature = NULL((void)0);
2200	unsigned int signature_len;
2201	int ret = 0;
2202
2203	if (!tls1_transcript_hash_value(s, data, sizeof(data), NULL((void*)0)))
2204	goto err;
2205	if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL((void*)0))
2206	goto err;
2207	if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL((void*)0))
2208	goto err;
2209	if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH16], SHA_DIGEST_LENGTH20,
2210	signature, &signature_len, eckey)) {
2211	SSLerror(s, ERR_R_ECDSA_LIB)SSL_error_internal(s, 42, "/usr/src/lib/libssl/ssl_clnt.c", 2211 );
2212	goto err;
2213	}
2214
2215	if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2216	goto err;
2217	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2218	goto err;
2219	if (!CBB_flush(cert_verify))
2220	goto err;
2221
2222	ret = 1;
2223	err:
2224	free(signature);
2225	return ret;
2226	}
2227
2228	#ifndef OPENSSL_NO_GOST
2229	static int
2230	ssl3_send_client_verify_gost(SSL s, EVP_PKEY pkey, CBB *cert_verify)
2231	{
2232	CBB cbb_signature;
2233	EVP_MD_CTX *mctx;
2234	EVP_PKEY_CTX *pctx;
2235	const EVP_MD *md;
2236	const unsigned char *hdata;
2237	unsigned char signature = NULL((void)0);
2238	size_t signature_len;
2239	size_t hdata_len;
2240	int nid;
2241	int ret = 0;
2242
2243	if ((mctx = EVP_MD_CTX_new()) == NULL((void*)0))
2244	goto err;
2245
2246	if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
2247	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 2247);
2248	goto err;
2249	}
2250	if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) \|\|
2251	(md = EVP_get_digestbynid(nid)EVP_get_digestbyname(OBJ_nid2sn(nid))) == NULL((void*)0)) {
2252	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2252 );
2253	goto err;
2254	}
2255	if (!EVP_DigestSignInit(mctx, &pctx, md, NULL((void*)0), pkey)) {
2256	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2256 );
2257	goto err;
2258	}
2259	if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN(1<<3),
2260	EVP_PKEY_CTRL_GOST_SIG_FORMAT(0x1000 +2), GOST_SIG_FORMAT_RS_LE1, NULL((void*)0)) <= 0) {
2261	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2261 );
2262	goto err;
2263	}
2264	if (!EVP_DigestSignUpdate(mctx, hdata, hdata_len)EVP_DigestUpdate(mctx,hdata,hdata_len)) {
2265	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2265 );
2266	goto err;
2267	}
2268	if (!EVP_DigestSignFinal(mctx, NULL((void*)0), &signature_len) \|\|
2269	signature_len == 0) {
2270	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2270 );
2271	goto err;
2272	}
2273	if ((signature = calloc(1, signature_len)) == NULL((void*)0)) {
2274	SSLerror(s, ERR_R_MALLOC_FAILURE)SSL_error_internal(s, (1\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 2274);
2275	goto err;
2276	}
2277	if (!EVP_DigestSignFinal(mctx, signature, &signature_len)) {
2278	SSLerror(s, ERR_R_EVP_LIB)SSL_error_internal(s, 6, "/usr/src/lib/libssl/ssl_clnt.c", 2278 );
2279	goto err;
2280	}
2281
2282	if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2283	goto err;
2284	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2285	goto err;
2286	if (!CBB_flush(cert_verify))
2287	goto err;
2288
2289	ret = 1;
2290	err:
2291	EVP_MD_CTX_free(mctx);
2292	free(signature);
2293	return ret;
2294	}
2295	#endif
2296
2297	int
2298	ssl3_send_client_verify(SSL *s)
2299	{
2300	const struct ssl_sigalg *sigalg;
2301	CBB cbb, cert_verify;
2302	EVP_PKEY *pkey;
2303
2304	memset(&cbb, 0, sizeof(cbb));
2305
2306	if (S3I(s)(s->s3->internal)->hs.state == SSL3_ST_CW_CERT_VRFY_A(0x190\|0x1000)) {
2307	if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,
2308	SSL3_MT_CERTIFICATE_VERIFY15))
2309	goto err;
2310
2311	pkey = s->cert->key->privatekey;
2312	if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL((void*)0)) {
2313	SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR)SSL_error_internal(s, 360, "/usr/src/lib/libssl/ssl_clnt.c", 2313 );
2314	goto err;
2315	}
2316	S3I(s)(s->s3->internal)->hs.our_sigalg = sigalg;
2317
2318	/*
2319	* For TLS v1.2 send signature algorithm and signature using
2320	* agreed digest and cached handshake records.
2321	*/
2322	if (SSL_USE_SIGALGS(s)(s->method->enc_flags & (1 << 1))) {
2323	if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg,
2324	&cert_verify))
2325	goto err;
2326	} else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA6) {
2327	if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify))
2328	goto err;
2329	} else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC408) {
2330	if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
2331	goto err;
2332	#ifndef OPENSSL_NO_GOST
2333	} else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94812 \|\|
2334	EVP_PKEY_id(pkey) == NID_id_GostR3410_2001811) {
2335	if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify))
2336	goto err;
2337	#endif
2338	} else {
2339	SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4\|64), "/usr/src/lib/libssl/ssl_clnt.c" , 2339);
2340	goto err;
2341	}
2342
2343	tls1_transcript_free(s);
2344
2345	if (!ssl3_handshake_msg_finish(s, &cbb))
2346	goto err;
2347
2348	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CERT_VRFY_B(0x191\|0x1000);
2349	}
2350
2351	return (ssl3_handshake_write(s));
2352
2353	err:
2354	CBB_cleanup(&cbb);
2355
2356	return (-1);
2357	}
2358
2359	int
2360	ssl3_send_client_certificate(SSL *s)
2361	{
2362	EVP_PKEY pkey = NULL((void)0);
2363	X509 x509 = NULL((void)0);
2364	CBB cbb, client_cert;
2365	int i;
2366
2367	memset(&cbb, 0, sizeof(cbb));
2368
2369	if (S3I(s)(s->s3->internal)->hs.state == SSL3_ST_CW_CERT_A(0x170\|0x1000)) {
2370	if (s->cert->key->x509 == NULL((void*)0) \|\|
2371	s->cert->key->privatekey == NULL((void*)0))
2372	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CERT_B(0x171\|0x1000);
2373	else
2374	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CERT_C(0x172\|0x1000);
2375	}
2376
2377	/* We need to get a client cert */
2378	if (S3I(s)(s->s3->internal)->hs.state == SSL3_ST_CW_CERT_B(0x171\|0x1000)) {
2379	/*
2380	* If we get an error, we need to
2381	* ssl->internal->rwstate = SSL_X509_LOOKUP; return(-1);
2382	* We then get retried later.
2383	*/
2384	i = ssl_do_client_cert_cb(s, &x509, &pkey);
2385	if (i < 0) {
2386	s->internal->rwstate = SSL_X509_LOOKUP4;
2387	return (-1);
2388	}
2389	s->internal->rwstate = SSL_NOTHING1;
2390	if ((i == 1) && (pkey != NULL((void)0)) && (x509 != NULL((void)0))) {
2391	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CERT_B(0x171\|0x1000);
2392	if (!SSL_use_certificate(s, x509) \|\|
2393	!SSL_use_PrivateKey(s, pkey))
2394	i = 0;
2395	} else if (i == 1) {
2396	i = 0;
2397	SSLerror(s, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK)SSL_error_internal(s, 106, "/usr/src/lib/libssl/ssl_clnt.c", 2397 );
2398	}
2399
2400	X509_free(x509);
2401	EVP_PKEY_free(pkey);
2402	if (i == 0) {
2403	S3I(s)(s->s3->internal)->hs.tls12.cert_request = 2;
2404
2405	/* There is no client certificate to verify. */
2406	tls1_transcript_free(s);
2407	}
2408
2409	/* Ok, we have a cert */
2410	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CERT_C(0x172\|0x1000);
2411	}
2412
2413	if (S3I(s)(s->s3->internal)->hs.state == SSL3_ST_CW_CERT_C(0x172\|0x1000)) {
2414	if (!ssl3_handshake_msg_start(s, &cbb, &client_cert,
2415	SSL3_MT_CERTIFICATE11))
2416	goto err;
2417	if (!ssl3_output_cert_chain(s, &client_cert,
2418	(S3I(s)(s->s3->internal)->hs.tls12.cert_request == 2) ? NULL((void*)0) : s->cert->key))
2419	goto err;
2420	if (!ssl3_handshake_msg_finish(s, &cbb))
2421	goto err;
2422
2423	S3I(s)(s->s3->internal)->hs.state = SSL3_ST_CW_CERT_D(0x173\|0x1000);
2424	}
2425
2426	/* SSL3_ST_CW_CERT_D */
2427	return (ssl3_handshake_write(s));
2428
2429	err:
2430	CBB_cleanup(&cbb);
2431
2432	return (0);
2433	}
2434
2435	#define has_bits(i,m)(((i)&(m)) == (m)) (((i)&(m)) == (m))
2436
2437	int
2438	ssl3_check_cert_and_algorithm(SSL *s)
2439	{
2440	long alg_k, alg_a;
2441	int nid = NID_undef0;
2442	int i;
2443
2444	alg_k = S3I(s)(s->s3->internal)->hs.cipher->algorithm_mkey;
2445	alg_a = S3I(s)(s->s3->internal)->hs.cipher->algorithm_auth;
2446
2447	/* We don't have a certificate. */
2448	if (alg_a & SSL_aNULL0x00000004L)
2449	return (1);
2450
2451	if (S3I(s)(s->s3->internal)->hs.key_share != NULL((void*)0))
2452	nid = tls_key_share_nid(S3I(s)(s->s3->internal)->hs.key_share);
2453
2454	/* This is the passed certificate. */
2455
2456	if (s->session->peer_cert_type == SSL_PKEY_ECC1) {
2457	if (!ssl_check_srvr_ecc_cert_and_alg(s, s->session->peer_cert)) {
2458	SSLerror(s, SSL_R_BAD_ECC_CERT)SSL_error_internal(s, 304, "/usr/src/lib/libssl/ssl_clnt.c", 2458 );
2459	goto fatal_err;
2460	}
2461	return (1);
2462	}
2463
2464	i = X509_certificate_type(s->session->peer_cert, NULL((void*)0));
2465
2466	/* Check that we have a certificate if we require one. */
2467	if ((alg_a & SSL_aRSA0x00000001L) && !has_bits(i, EVP_PK_RSA\|EVP_PKT_SIGN)(((i)&(0x0001\|0x0010)) == (0x0001\|0x0010))) {
2468	SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT)SSL_error_internal(s, 170, "/usr/src/lib/libssl/ssl_clnt.c", 2468 );
2469	goto fatal_err;
2470	}
2471	if ((alg_k & SSL_kRSA0x00000001L) && !has_bits(i, EVP_PK_RSA\|EVP_PKT_ENC)(((i)&(0x0001\|0x0020)) == (0x0001\|0x0020))) {
2472	SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT)SSL_error_internal(s, 169, "/usr/src/lib/libssl/ssl_clnt.c", 2472 );
2473	goto fatal_err;
2474	}
2475	if ((alg_k & SSL_kDHE0x00000008L) &&
2476	!(has_bits(i, EVP_PK_DH\|EVP_PKT_EXCH)(((i)&(0x0004\|0x0040)) == (0x0004\|0x0040)) \|\| (nid == NID_dhKeyAgreement28))) {
2477	SSLerror(s, SSL_R_MISSING_DH_KEY)SSL_error_internal(s, 163, "/usr/src/lib/libssl/ssl_clnt.c", 2477 );
2478	goto fatal_err;
2479	}
2480
2481	return (1);
2482
2483	fatal_err:
2484	ssl3_send_alert(s, SSL3_AL_FATAL2, SSL_AD_HANDSHAKE_FAILURE40);
2485
2486	return (0);
2487	}
2488
2489	/*
2490	* Check to see if handshake is full or resumed. Usually this is just a
2491	* case of checking to see if a cache hit has occurred. In the case of
2492	* session tickets we have to check the next message to be sure.
2493	*/
2494
2495	int
2496	ssl3_check_finished(SSL *s)
2497	{
2498	int ret;
2499
2500	/* If we have no ticket it cannot be a resumed session. */
2501	if (!s->session->tlsext_tick)
2502	return (1);
2503	/* this function is called when we really expect a Certificate
2504	* message, so permit appropriate message length */
2505	if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A(0x130\|0x1000),
2506	SSL3_ST_CR_CERT_B(0x131\|0x1000), -1, s->internal->max_cert_list)) <= 0)
2507	return ret;
2508
2509	S3I(s)(s->s3->internal)->hs.tls12.reuse_message = 1;
2510	if ((S3I(s)(s->s3->internal)->hs.tls12.message_type == SSL3_MT_FINISHED20) \|\|
2511	(S3I(s)(s->s3->internal)->hs.tls12.message_type == SSL3_MT_NEWSESSION_TICKET4))
2512	return (2);
2513
2514	return (1);
2515	}
2516
2517	int
2518	ssl_do_client_cert_cb(SSL s, X509 px509, EVP_PKEY *ppkey)
2519	{
2520	int i = 0;
2521
2522	#ifndef OPENSSL_NO_ENGINE
2523	if (s->ctx->internal->client_cert_engine) {
2524	i = ENGINE_load_ssl_client_cert(
2525	s->ctx->internal->client_cert_engine, s,
2526	SSL_get_client_CA_list(s), px509, ppkey, NULL((void)0), NULL((void)0), NULL((void*)0));
2527	if (i != 0)
2528	return (i);
2529	}
2530	#endif
2531	if (s->ctx->internal->client_cert_cb)
2532	i = s->ctx->internal->client_cert_cb(s, px509, ppkey);
2533	return (i);
2534	}