/*

 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.

 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved

 * Copyright 2005 Nokia. All rights reserved.

 *

 * Licensed under the Apache License 2.0 (the "License").  You may not use

 * this file except in compliance with the License.  You can obtain a copy

 * in the file LICENSE in the source distribution or at

 * https://www.openssl.org/source/license.html

 */

#ifndef OSSL_SSL_LOCAL_H

# define OSSL_SSL_LOCAL_H

# include <stdlib.h>

# include <time.h>

# include <errno.h>

# include "internal/common.h" /* for HAS_PREFIX */

# include <openssl/buffer.h>

# include <openssl/bio.h>

# include <openssl/comp.h>

# include <openssl/dsa.h>

# include <openssl/err.h>

# include <openssl/ssl.h>

# include <openssl/async.h>

# include <openssl/symhacks.h>

# include <openssl/ct.h>

# include "internal/recordmethod.h"

# include "internal/statem.h"

# include "internal/packet.h"

# include "internal/dane.h"

# include "internal/refcount.h"

# include "internal/tsan_assist.h"

# include "internal/bio.h"

# include "internal/ktls.h"

# include "internal/time.h"

# include "internal/ssl.h"

# include "internal/cryptlib.h"

# include "internal/quic_predef.h"

# include "record/record.h"

# include "internal/quic_predef.h"

# include "internal/quic_tls.h"

# ifdef OPENSSL_BUILD_SHLIBSSL

#  undef OPENSSL_EXTERN

#  define OPENSSL_EXTERN OPENSSL_EXPORT

# endif

# define TLS_MAX_VERSION_INTERNAL TLS1_3_VERSION

# define DTLS_MAX_VERSION_INTERNAL DTLS1_2_VERSION

/*

 * DTLS version numbers are strange because they're inverted. Except for

 * DTLS1_BAD_VER, which should be considered "lower" than the rest.

 */

# define dtls_ver_ordinal(v1) (((v1) == DTLS1_BAD_VER) ? 0xff00 : (v1))

# define DTLS_VERSION_GT(v1, v2) (dtls_ver_ordinal(v1) < dtls_ver_ordinal(v2))

# define DTLS_VERSION_GE(v1, v2) (dtls_ver_ordinal(v1) <= dtls_ver_ordinal(v2))

# define DTLS_VERSION_LT(v1, v2) (dtls_ver_ordinal(v1) > dtls_ver_ordinal(v2))

# define DTLS_VERSION_LE(v1, v2) (dtls_ver_ordinal(v1) >= dtls_ver_ordinal(v2))

# define SSL_AD_NO_ALERT    -1

/*

 * Define the Bitmasks for SSL_CIPHER.algorithms.

 * This bits are used packed as dense as possible. If new methods/ciphers

 * etc will be added, the bits a likely to change, so this information

 * is for internal library use only, even though SSL_CIPHER.algorithms

 * can be publicly accessed.

 * Use the according functions for cipher management instead.

 *

 * The bit mask handling in the selection and sorting scheme in

 * ssl_create_cipher_list() has only limited capabilities, reflecting

 * that the different entities within are mutually exclusive:

 * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.

 */

/* Bits for algorithm_mkey (key exchange algorithm) */

/* RSA key exchange */

# define SSL_kRSA                0x00000001U

/* tmp DH key no DH cert */

# define SSL_kDHE                0x00000002U

/* ephemeral ECDH */

# define SSL_kECDHE              0x00000004U

/* PSK */

# define SSL_kPSK                0x00000008U

/* GOST key exchange */

# define SSL_kGOST               0x00000010U

/* SRP */

# define SSL_kSRP                0x00000020U

# define SSL_kRSAPSK             0x00000040U

# define SSL_kECDHEPSK           0x00000080U

# define SSL_kDHEPSK             0x00000100U

/* GOST KDF key exchange, draft-smyshlyaev-tls12-gost-suites */

# define SSL_kGOST18             0x00000200U

/* all PSK */

# define SSL_PSK     (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK)

/* Any appropriate key exchange algorithm (for TLS 1.3 ciphersuites) */

# define SSL_kANY                0x00000000U

/* Bits for algorithm_auth (server authentication) */

/* RSA auth */

# define SSL_aRSA                0x00000001U

/* DSS auth */

# define SSL_aDSS                0x00000002U

/* no auth (i.e. use ADH or AECDH) */

# define SSL_aNULL               0x00000004U

/* ECDSA auth*/

# define SSL_aECDSA              0x00000008U

/* PSK auth */

# define SSL_aPSK                0x00000010U

/* GOST R 34.10-2001 signature auth */

# define SSL_aGOST01             0x00000020U

/* SRP auth */

# define SSL_aSRP                0x00000040U

/* GOST R 34.10-2012 signature auth */

# define SSL_aGOST12             0x00000080U

/* Any appropriate signature auth (for TLS 1.3 ciphersuites) */

# define SSL_aANY                0x00000000U

/* All bits requiring a certificate */

#define SSL_aCERT \

    (SSL_aRSA | SSL_aDSS | SSL_aECDSA | SSL_aGOST01 | SSL_aGOST12)

/* Bits for algorithm_enc (symmetric encryption) */

# define SSL_DES                 0x00000001U

# define SSL_3DES                0x00000002U

# define SSL_RC4                 0x00000004U

# define SSL_RC2                 0x00000008U

# define SSL_IDEA                0x00000010U

# define SSL_eNULL               0x00000020U

# define SSL_AES128              0x00000040U

# define SSL_AES256              0x00000080U

# define SSL_CAMELLIA128         0x00000100U

# define SSL_CAMELLIA256         0x00000200U

# define SSL_eGOST2814789CNT     0x00000400U

# define SSL_SEED                0x00000800U

# define SSL_AES128GCM           0x00001000U

# define SSL_AES256GCM           0x00002000U

# define SSL_AES128CCM           0x00004000U

# define SSL_AES256CCM           0x00008000U

# define SSL_AES128CCM8          0x00010000U

# define SSL_AES256CCM8          0x00020000U

# define SSL_eGOST2814789CNT12   0x00040000U

# define SSL_CHACHA20POLY1305    0x00080000U

# define SSL_ARIA128GCM          0x00100000U

# define SSL_ARIA256GCM          0x00200000U

# define SSL_MAGMA               0x00400000U

# define SSL_KUZNYECHIK          0x00800000U

# define SSL_AESGCM              (SSL_AES128GCM | SSL_AES256GCM)

# define SSL_AESCCM              (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)

# define SSL_AES                 (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM)

# define SSL_CAMELLIA            (SSL_CAMELLIA128|SSL_CAMELLIA256)

# define SSL_CHACHA20            (SSL_CHACHA20POLY1305)

# define SSL_ARIAGCM             (SSL_ARIA128GCM | SSL_ARIA256GCM)

# define SSL_ARIA                (SSL_ARIAGCM)

# define SSL_CBC                 (SSL_DES | SSL_3DES | SSL_RC2 | SSL_IDEA \

                                  | SSL_AES128 | SSL_AES256 | SSL_CAMELLIA128 \

                                  | SSL_CAMELLIA256 | SSL_SEED)

/* Bits for algorithm_mac (symmetric authentication) */

# define SSL_MD5                 0x00000001U

# define SSL_SHA1                0x00000002U

# define SSL_GOST94      0x00000004U

# define SSL_GOST89MAC   0x00000008U

# define SSL_SHA256              0x00000010U

# define SSL_SHA384              0x00000020U

/* Not a real MAC, just an indication it is part of cipher */

# define SSL_AEAD                0x00000040U

# define SSL_GOST12_256          0x00000080U

# define SSL_GOST89MAC12         0x00000100U

# define SSL_GOST12_512          0x00000200U

# define SSL_MAGMAOMAC           0x00000400U

# define SSL_KUZNYECHIKOMAC      0x00000800U

/*

 * When adding new digest in the ssl_ciph.c and increment SSL_MD_NUM_IDX make

 * sure to update this constant too

 */

# define SSL_MD_MD5_IDX  0

# define SSL_MD_SHA1_IDX 1

# define SSL_MD_GOST94_IDX 2

# define SSL_MD_GOST89MAC_IDX 3

# define SSL_MD_SHA256_IDX 4

# define SSL_MD_SHA384_IDX 5

# define SSL_MD_GOST12_256_IDX  6

# define SSL_MD_GOST89MAC12_IDX 7

# define SSL_MD_GOST12_512_IDX  8

# define SSL_MD_MD5_SHA1_IDX 9

# define SSL_MD_SHA224_IDX 10

# define SSL_MD_SHA512_IDX 11

# define SSL_MD_MAGMAOMAC_IDX 12

# define SSL_MD_KUZNYECHIKOMAC_IDX 13

# define SSL_MAX_DIGEST 14

#define SSL_MD_NUM_IDX  SSL_MAX_DIGEST

/* Bits for algorithm2 (handshake digests and other extra flags) */

/* Bits 0-7 are handshake MAC */

# define SSL_HANDSHAKE_MAC_MASK  0xFF

# define SSL_HANDSHAKE_MAC_MD5_SHA1 SSL_MD_MD5_SHA1_IDX

# define SSL_HANDSHAKE_MAC_SHA256   SSL_MD_SHA256_IDX

# define SSL_HANDSHAKE_MAC_SHA384   SSL_MD_SHA384_IDX

# define SSL_HANDSHAKE_MAC_GOST94 SSL_MD_GOST94_IDX

# define SSL_HANDSHAKE_MAC_GOST12_256 SSL_MD_GOST12_256_IDX

# define SSL_HANDSHAKE_MAC_GOST12_512 SSL_MD_GOST12_512_IDX

# define SSL_HANDSHAKE_MAC_DEFAULT  SSL_HANDSHAKE_MAC_MD5_SHA1

/* Bits 8-15 bits are PRF */

# define TLS1_PRF_DGST_SHIFT 8

# define TLS1_PRF_SHA1_MD5 (SSL_MD_MD5_SHA1_IDX << TLS1_PRF_DGST_SHIFT)

# define TLS1_PRF_SHA256 (SSL_MD_SHA256_IDX << TLS1_PRF_DGST_SHIFT)

# define TLS1_PRF_SHA384 (SSL_MD_SHA384_IDX << TLS1_PRF_DGST_SHIFT)

# define TLS1_PRF_GOST94 (SSL_MD_GOST94_IDX << TLS1_PRF_DGST_SHIFT)

# define TLS1_PRF_GOST12_256 (SSL_MD_GOST12_256_IDX << TLS1_PRF_DGST_SHIFT)

# define TLS1_PRF_GOST12_512 (SSL_MD_GOST12_512_IDX << TLS1_PRF_DGST_SHIFT)

# define TLS1_PRF            (SSL_MD_MD5_SHA1_IDX << TLS1_PRF_DGST_SHIFT)

/*

 * Stream MAC for GOST ciphersuites from cryptopro draft (currently this also

 * goes into algorithm2)

 */

# define TLS1_STREAM_MAC 0x10000

/*

 * TLSTREE cipher/mac key derivation from draft-smyshlyaev-tls12-gost-suites

 * (currently this also  goes into algorithm2)

 */

# define TLS1_TLSTREE 0x20000

/* Ciphersuite supported in QUIC */

# define SSL_QUIC                0x00040000U

# define SSL_STRONG_MASK         0x0000001FU

# define SSL_DEFAULT_MASK        0X00000020U

# define SSL_STRONG_NONE         0x00000001U

# define SSL_LOW                 0x00000002U

# define SSL_MEDIUM              0x00000004U

# define SSL_HIGH                0x00000008U

# define SSL_FIPS                0x00000010U

# define SSL_NOT_DEFAULT         0x00000020U

/* we have used 0000003f - 26 bits left to go */

/* Flag used on OpenSSL ciphersuite ids to indicate they are for SSLv3+ */

# define SSL3_CK_CIPHERSUITE_FLAG                0x03000000

/* Check if an SSL structure is using DTLS */

# define SSL_CONNECTION_IS_DTLS(s) \

    (SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)

/* Check if an SSL_CTX structure is using DTLS */

# define SSL_CTX_IS_DTLS(ctx) \

    (ctx->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)

/* Check if we are using TLSv1.3 */

# define SSL_CONNECTION_IS_TLS13(s) (!SSL_CONNECTION_IS_DTLS(s) \

    && SSL_CONNECTION_GET_SSL(s)->method->version >= TLS1_3_VERSION \

    && SSL_CONNECTION_GET_SSL(s)->method->version != TLS_ANY_VERSION)

# define SSL_CONNECTION_TREAT_AS_TLS13(s) \

    (SSL_CONNECTION_IS_TLS13(s) \

     || (s)->early_data_state == SSL_EARLY_DATA_CONNECTING \

     || (s)->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY \

     || (s)->early_data_state == SSL_EARLY_DATA_WRITING \

     || (s)->early_data_state == SSL_EARLY_DATA_WRITE_RETRY \

     || (s)->hello_retry_request == SSL_HRR_PENDING)

# define SSL_IS_FIRST_HANDSHAKE(s) ((s)->s3.tmp.finish_md_len == 0 \

                                    || (s)->s3.tmp.peer_finish_md_len == 0)

/*

 * See if we use signature algorithms extension and signature algorithm

 * before signatures.

 */

# define SSL_USE_SIGALGS(s)      \

    (SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS)

/*

 * Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2: may

 * apply to others in future.

 */

# define SSL_USE_TLS1_2_CIPHERS(s)       \

    (SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)

# define IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value) \

    (((value) >= TLSEXT_max_fragment_length_512) && \

     ((value) <= TLSEXT_max_fragment_length_4096))

# define USE_MAX_FRAGMENT_LENGTH_EXT(session) \

    IS_MAX_FRAGMENT_LENGTH_EXT_VALID(session->ext.max_fragment_len_mode)

# define GET_MAX_FRAGMENT_LENGTH(session) \

    (512U << (session->ext.max_fragment_len_mode - 1))

# define SSL_READ_ETM(s) (s->s3.flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_READ)

# define SSL_WRITE_ETM(s) (s->s3.flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE)

# define SSL_IS_QUIC_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC) != 0)

# define SSL_IS_QUIC_INT_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC_INTERNAL) != 0)

/* no end of early data */

# define SSL_NO_EOED(s) SSL_IS_QUIC_HANDSHAKE(s)

/* alert_dispatch values */

/* No alert pending */

# define SSL_ALERT_DISPATCH_NONE    0

/* Alert pending */

# define SSL_ALERT_DISPATCH_PENDING 1

/* Pending alert write needs to be retried */

# define SSL_ALERT_DISPATCH_RETRY   2

/* Mostly for SSLv3 */

# define SSL_PKEY_RSA            0

# define SSL_PKEY_RSA_PSS_SIGN   1

# define SSL_PKEY_DSA_SIGN       2

# define SSL_PKEY_ECC            3

# define SSL_PKEY_GOST01         4

# define SSL_PKEY_GOST12_256     5

# define SSL_PKEY_GOST12_512     6

# define SSL_PKEY_ED25519        7

# define SSL_PKEY_ED448          8

# define SSL_PKEY_NUM            9

# define SSL_ENC_DES_IDX         0

# define SSL_ENC_3DES_IDX        1

# define SSL_ENC_RC4_IDX         2

# define SSL_ENC_RC2_IDX         3

# define SSL_ENC_IDEA_IDX        4

# define SSL_ENC_NULL_IDX        5

# define SSL_ENC_AES128_IDX      6

# define SSL_ENC_AES256_IDX      7

# define SSL_ENC_CAMELLIA128_IDX 8

# define SSL_ENC_CAMELLIA256_IDX 9

# define SSL_ENC_GOST89_IDX      10

# define SSL_ENC_SEED_IDX        11

# define SSL_ENC_AES128GCM_IDX   12

# define SSL_ENC_AES256GCM_IDX   13

# define SSL_ENC_AES128CCM_IDX   14

# define SSL_ENC_AES256CCM_IDX   15

# define SSL_ENC_AES128CCM8_IDX  16

# define SSL_ENC_AES256CCM8_IDX  17

# define SSL_ENC_GOST8912_IDX    18

# define SSL_ENC_CHACHA_IDX      19

# define SSL_ENC_ARIA128GCM_IDX  20

# define SSL_ENC_ARIA256GCM_IDX  21

# define SSL_ENC_MAGMA_IDX       22

# define SSL_ENC_KUZNYECHIK_IDX  23

# define SSL_ENC_NUM_IDX         24

/*-

 * SSL_kRSA <- RSA_ENC

 * SSL_kDH  <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)

 * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN

 * SSL_aRSA <- RSA_ENC | RSA_SIGN

 * SSL_aDSS <- DSA_SIGN

 */

/* Certificate Type State */

# define OSSL_CERT_TYPE_CTOS_NONE    0

# define OSSL_CERT_TYPE_CTOS_GOOD    1

# define OSSL_CERT_TYPE_CTOS_ERROR   2

/* Post-Handshake Authentication state */

typedef enum {

    SSL_PHA_NONE = 0,

    SSL_PHA_EXT_SENT,        /* client-side only: extension sent */

    SSL_PHA_EXT_RECEIVED,    /* server-side only: extension received */

    SSL_PHA_REQUEST_PENDING, /* server-side only: request pending */

    SSL_PHA_REQUESTED        /* request received by client, or sent by server */

} SSL_PHA_STATE;

/* CipherSuite length. SSLv3 and all TLS versions. */

# define TLS_CIPHER_LEN 2

/* used to hold info on the particular ciphers used */

struct ssl_cipher_st {

    uint32_t valid;

    const char *name;           /* text name */

    const char *stdname;        /* RFC name */

    uint32_t id;                /* id, 4 bytes, first is version */

    /*

     * changed in 1.0.0: these four used to be portions of a single value

     * 'algorithms'

     */

    uint32_t algorithm_mkey;    /* key exchange algorithm */

    uint32_t algorithm_auth;    /* server authentication */

    uint32_t algorithm_enc;     /* symmetric encryption */

    uint32_t algorithm_mac;     /* symmetric authentication */

    int min_tls;                /* minimum SSL/TLS protocol version */

    int max_tls;                /* maximum SSL/TLS protocol version */

    int min_dtls;               /* minimum DTLS protocol version */

    int max_dtls;               /* maximum DTLS protocol version */

    uint32_t algo_strength;     /* strength and export flags */

    uint32_t algorithm2;        /* Extra flags */

    int32_t strength_bits;      /* Number of bits really used */

    uint32_t alg_bits;          /* Number of bits for algorithm */

};

/* Used to hold SSL/TLS functions */

struct ssl_method_st {

    int version;

    unsigned flags;

    uint64_t mask;

    SSL *(*ssl_new) (SSL_CTX *ctx);

    void (*ssl_free) (SSL *s);

    int (*ssl_reset) (SSL *s);

    int (*ssl_init) (SSL *s);

    int (*ssl_clear) (SSL *s);

    void (*ssl_deinit) (SSL *s);

    int (*ssl_accept) (SSL *s);

    int (*ssl_connect) (SSL *s);

    int (*ssl_read) (SSL *s, void *buf, size_t len, size_t *readbytes);

    int (*ssl_peek) (SSL *s, void *buf, size_t len, size_t *readbytes);

    int (*ssl_write) (SSL *s, const void *buf, size_t len, size_t *written);

    int (*ssl_shutdown) (SSL *s);

    int (*ssl_renegotiate) (SSL *s);

    int (*ssl_renegotiate_check) (SSL *s, int);

    int (*ssl_read_bytes) (SSL *s, uint8_t type, uint8_t *recvd_type,

                           unsigned char *buf, size_t len, int peek,

                           size_t *readbytes);

    int (*ssl_write_bytes) (SSL *s, uint8_t type, const void *buf_, size_t len,

                            size_t *written);

    int (*ssl_dispatch_alert) (SSL *s);

    long (*ssl_ctrl) (SSL *s, int cmd, long larg, void *parg);

    long (*ssl_ctx_ctrl) (SSL_CTX *ctx, int cmd, long larg, void *parg);

    const SSL_CIPHER *(*get_cipher_by_char) (const unsigned char *ptr);

    int (*put_cipher_by_char) (const SSL_CIPHER *cipher, WPACKET *pkt,

                               size_t *len);

    size_t (*ssl_pending) (const SSL *s);

    int (*num_ciphers) (void);

    const SSL_CIPHER *(*get_cipher) (unsigned ncipher);

    OSSL_TIME (*get_timeout) (void);

    const struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */

    int (*ssl_version) (void);

    long (*ssl_callback_ctrl) (SSL *s, int cb_id, void (*fp) (void));

    long (*ssl_ctx_callback_ctrl) (SSL_CTX *s, int cb_id, void (*fp) (void));

};

/*

 * Matches the length of PSK_MAX_PSK_LEN. We keep it the same value for

 * consistency, even in the event of OPENSSL_NO_PSK being defined.

 */

# define TLS13_MAX_RESUMPTION_PSK_LENGTH      512

/*-

 * Lets make this into an ASN.1 type structure as follows

 * SSL_SESSION_ID ::= SEQUENCE {

 *      version                 INTEGER,        -- structure version number

 *      SSLversion              INTEGER,        -- SSL version number

 *      Cipher                  OCTET STRING,   -- the 3 byte cipher ID

 *      Session_ID              OCTET STRING,   -- the Session ID

 *      Master_key              OCTET STRING,   -- the master key

 *      Key_Arg [ 0 ] IMPLICIT  OCTET STRING,   -- the optional Key argument

 *      Time [ 1 ] EXPLICIT     INTEGER,        -- optional Start Time

 *      Timeout [ 2 ] EXPLICIT  INTEGER,        -- optional Timeout ins seconds

 *      Peer [ 3 ] EXPLICIT     X509,           -- optional Peer Certificate

 *      Session_ID_context [ 4 ] EXPLICIT OCTET STRING,   -- the Session ID context

 *      Verify_result [ 5 ] EXPLICIT INTEGER,   -- X509_V_... code for `Peer'

 *      HostName [ 6 ] EXPLICIT OCTET STRING,   -- optional HostName from servername TLS extension

 *      PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint

 *      PSK_identity [ 8 ] EXPLICIT OCTET STRING,  -- optional PSK identity

 *      Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket

 *      Ticket [10]             EXPLICIT OCTET STRING, -- session ticket (clients only)

 *      Compression_meth [11]   EXPLICIT OCTET STRING, -- optional compression method

 *      SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username

 *      flags [ 13 ] EXPLICIT INTEGER -- optional flags

 *      }

 * Look in ssl/ssl_asn1.c for more details

 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).

 */

struct ssl_session_st {

    int ssl_version;            /* what ssl version session info is being kept

                                 * in here? */

    size_t master_key_length;

    /* TLSv1.3 early_secret used for external PSKs */

    unsigned char early_secret[EVP_MAX_MD_SIZE];

    /*

     * For <=TLS1.2 this is the master_key. For TLS1.3 this is the resumption

     * PSK

     */

    unsigned char master_key[TLS13_MAX_RESUMPTION_PSK_LENGTH];

    /* session_id - valid? */

    size_t session_id_length;

    unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];

    /*

     * this is used to determine whether the session is being reused in the

     * appropriate context. It is up to the application to set this, via

     * SSL_new

     */

    size_t sid_ctx_length;

    unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];

# ifndef OPENSSL_NO_PSK

    char *psk_identity_hint;

    char *psk_identity;

# endif

    /*

     * Used to indicate that session resumption is not allowed. Applications

     * can also set this bit for a new session via not_resumable_session_cb

     * to disable session caching and tickets.

     */

    int not_resumable;

    /* Peer raw public key, if available */

    EVP_PKEY *peer_rpk;

    /* This is the cert and type for the other end. */

    X509 *peer;

    /* Certificate chain peer sent. */

    STACK_OF(X509) *peer_chain;

    /*

     * when app_verify_callback accepts a session where the peer's

     * certificate is not ok, we must remember the error for session reuse:

     */

    long verify_result;         /* only for servers */

    OSSL_TIME timeout;

    OSSL_TIME time;

    OSSL_TIME calc_timeout;

    unsigned int compress_meth; /* Need to lookup the method */

    const SSL_CIPHER *cipher;

    unsigned long cipher_id;    /* when ASN.1 loaded, this needs to be used to

                                 * load the 'cipher' structure */

    unsigned int kex_group;      /* TLS group from key exchange */

    CRYPTO_EX_DATA ex_data;     /* application specific data */

    struct {

        char *hostname;

        /* RFC4507 info */

        unsigned char *tick; /* Session ticket */

        size_t ticklen;      /* Session ticket length */

        /* Session lifetime hint in seconds */

        unsigned long tick_lifetime_hint;

        uint32_t tick_age_add;

        /* Max number of bytes that can be sent as early data */

        uint32_t max_early_data;

        /* The ALPN protocol selected for this session */

        unsigned char *alpn_selected;

        size_t alpn_selected_len;

        /*

         * Maximum Fragment Length as per RFC 4366.

         * If this value does not contain RFC 4366 allowed values (1-4) then

         * either the Maximum Fragment Length Negotiation failed or was not

         * performed at all.

         */

        uint8_t max_fragment_len_mode;

    } ext;

# ifndef OPENSSL_NO_SRP

    char *srp_username;

# endif

    unsigned char *ticket_appdata;

    size_t ticket_appdata_len;

    uint32_t flags;

    SSL_CTX *owner;

    /*

     * These are used to make removal of session-ids more efficient and to

     * implement a maximum cache size. Access requires protection of ctx->lock.

     */

    struct ssl_session_st *prev, *next;

    CRYPTO_REF_COUNT references;

};

/* Extended master secret support */

# define SSL_SESS_FLAG_EXTMS             0x1

# ifndef OPENSSL_NO_SRP

typedef struct srp_ctx_st {

    /* param for all the callbacks */

    void *SRP_cb_arg;

    /* set client Hello login callback */

    int (*TLS_ext_srp_username_callback) (SSL *, int *, void *);

    /* set SRP N/g param callback for verification */

    int (*SRP_verify_param_callback) (SSL *, void *);

    /* set SRP client passwd callback */

    char *(*SRP_give_srp_client_pwd_callback) (SSL *, void *);

    char *login;

    BIGNUM *N, *g, *s, *B, *A;

    BIGNUM *a, *b, *v;

    char *info;

    int strength;

    unsigned long srp_Mask;

} SRP_CTX;

# endif

typedef enum {

    SSL_EARLY_DATA_NONE = 0,

    SSL_EARLY_DATA_CONNECT_RETRY,

    SSL_EARLY_DATA_CONNECTING,

    SSL_EARLY_DATA_WRITE_RETRY,

    SSL_EARLY_DATA_WRITING,

    SSL_EARLY_DATA_WRITE_FLUSH,

    SSL_EARLY_DATA_UNAUTH_WRITING,

    SSL_EARLY_DATA_FINISHED_WRITING,

    SSL_EARLY_DATA_ACCEPT_RETRY,

    SSL_EARLY_DATA_ACCEPTING,

    SSL_EARLY_DATA_READ_RETRY,

    SSL_EARLY_DATA_READING,

    SSL_EARLY_DATA_FINISHED_READING

} SSL_EARLY_DATA_STATE;

/*

 * We check that the amount of unreadable early data doesn't exceed

 * max_early_data. max_early_data is given in plaintext bytes. However if it is

 * unreadable then we only know the number of ciphertext bytes. We also don't

 * know how much the overhead should be because it depends on the ciphersuite.

 * We make a small allowance. We assume 5 records of actual data plus the end

 * of early data alert record. Each record has a tag and a content type byte.

 * The longest tag length we know of is EVP_GCM_TLS_TAG_LEN. We don't count the

 * content of the alert record either which is 2 bytes.

 */

# define EARLY_DATA_CIPHERTEXT_OVERHEAD ((6 * (EVP_GCM_TLS_TAG_LEN + 1)) + 2)

/*

 * The allowance we have between the client's calculated ticket age and our own.

 * We allow for 10 seconds. If a ticket is presented and the

 * client's age calculation is different by more than this than our own then we

 * do not allow that ticket for early_data.

 */

# define TICKET_AGE_ALLOWANCE   ossl_seconds2time(10)

#define MAX_COMPRESSIONS_SIZE   255

typedef struct raw_extension_st {

    /* Raw packet data for the extension */

    PACKET data;

    /* Set to 1 if the extension is present or 0 otherwise */

    int present;

    /* Set to 1 if we have already parsed the extension or 0 otherwise */

    int parsed;

    /* The type of this extension, i.e. a TLSEXT_TYPE_* value */

    unsigned int type;

    /* Track what order extensions are received in (0-based). */

    size_t received_order;

} RAW_EXTENSION;

typedef struct {

    unsigned int isv2;

    unsigned int legacy_version;

    unsigned char random[SSL3_RANDOM_SIZE];

    size_t session_id_len;

    unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];

    size_t dtls_cookie_len;

    unsigned char dtls_cookie[DTLS1_COOKIE_LENGTH];

    PACKET ciphersuites;

    size_t compressions_len;

    unsigned char compressions[MAX_COMPRESSIONS_SIZE];

    PACKET extensions;

    size_t pre_proc_exts_len;

    RAW_EXTENSION *pre_proc_exts;

} CLIENTHELLO_MSG;

/*

 * Extension index values NOTE: Any updates to these defines should be mirrored

 * with equivalent updates to ext_defs in extensions.c

 */

typedef enum tlsext_index_en {

    TLSEXT_IDX_renegotiate,

    TLSEXT_IDX_server_name,

    TLSEXT_IDX_max_fragment_length,

    TLSEXT_IDX_srp,

    TLSEXT_IDX_ec_point_formats,

    TLSEXT_IDX_supported_groups,

    TLSEXT_IDX_session_ticket,

    TLSEXT_IDX_status_request,

    TLSEXT_IDX_next_proto_neg,

    TLSEXT_IDX_application_layer_protocol_negotiation,

    TLSEXT_IDX_use_srtp,

    TLSEXT_IDX_encrypt_then_mac,

    TLSEXT_IDX_signed_certificate_timestamp,

    TLSEXT_IDX_extended_master_secret,

    TLSEXT_IDX_signature_algorithms_cert,

    TLSEXT_IDX_post_handshake_auth,

    TLSEXT_IDX_client_cert_type,

    TLSEXT_IDX_server_cert_type,

    TLSEXT_IDX_signature_algorithms,

    TLSEXT_IDX_supported_versions,

    TLSEXT_IDX_psk_kex_modes,

    TLSEXT_IDX_key_share,

    TLSEXT_IDX_cookie,

    TLSEXT_IDX_cryptopro_bug,

    TLSEXT_IDX_compress_certificate,

    TLSEXT_IDX_early_data,

    TLSEXT_IDX_certificate_authorities,

    TLSEXT_IDX_padding,

    TLSEXT_IDX_psk,

    /* Dummy index - must always be the last entry */

    TLSEXT_IDX_num_builtins

} TLSEXT_INDEX;

DEFINE_LHASH_OF_EX(SSL_SESSION);

/* Needed in ssl_cert.c */

DEFINE_LHASH_OF_EX(X509_NAME);

# define TLSEXT_KEYNAME_LENGTH  16

# define TLSEXT_TICK_KEY_LENGTH 32

typedef struct ssl_ctx_ext_secure_st {

    unsigned char tick_hmac_key[TLSEXT_TICK_KEY_LENGTH];

    unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];

} SSL_CTX_EXT_SECURE;

/*

 * Helper function for HMAC

 * The structure should be considered opaque, it will change once the low

 * level deprecated calls are removed.  At that point it can be replaced

 * by EVP_MAC_CTX and most of the functions converted to macros or inlined

 * directly.

 */

typedef struct ssl_hmac_st {

    EVP_MAC_CTX *ctx;

# ifndef OPENSSL_NO_DEPRECATED_3_0

    HMAC_CTX *old_ctx;

# endif

} SSL_HMAC;

SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx);

void ssl_hmac_free(SSL_HMAC *ctx);

# ifndef OPENSSL_NO_DEPRECATED_3_0

HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx);

# endif

EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx);

int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md);

int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len);

int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len,

                   size_t max_size);

size_t ssl_hmac_size(const SSL_HMAC *ctx);

int ssl_get_EC_curve_nid(const EVP_PKEY *pkey);

__owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey,

                                     const unsigned char *enckey,

                                     size_t enckeylen);

typedef struct tls_group_info_st {

    char *tlsname;           /* Curve Name as in TLS specs */

    char *realname;          /* Curve Name according to provider */

    char *algorithm;         /* Algorithm name to fetch */

    unsigned int secbits;    /* Bits of security (from SP800-57) */

    uint16_t group_id;       /* Group ID */

    int mintls;              /* Minimum TLS version, -1 unsupported */

    int maxtls;              /* Maximum TLS version (or 0 for undefined) */

    int mindtls;             /* Minimum DTLS version, -1 unsupported */

    int maxdtls;             /* Maximum DTLS version (or 0 for undefined) */

    char is_kem;             /* Mode for this Group: 0 is KEX, 1 is KEM */

} TLS_GROUP_INFO;

typedef struct tls_sigalg_info_st {

    char *name;              /* name as in IANA TLS specs */

    uint16_t code_point;     /* IANA-specified code point of sigalg-name */

    char *sigalg_name;       /* (combined) sigalg name */

    char *sigalg_oid;        /* (combined) sigalg OID */

    char *sig_name;          /* pure signature algorithm name */

    char *sig_oid;           /* pure signature algorithm OID */

    char *hash_name;         /* hash algorithm name */

    char *hash_oid;          /* hash algorithm OID */

    char *keytype;           /* keytype name */

    char *keytype_oid;       /* keytype OID */

    unsigned int secbits;    /* Bits of security (from SP800-57) */

    int mintls;              /* Minimum TLS version, -1 unsupported */

    int maxtls;              /* Maximum TLS version (or 0 for undefined) */

    int mindtls;             /* Minimum DTLS version, -1 unsupported */

    int maxdtls;             /* Maximum DTLS version (or 0 for undefined) */

} TLS_SIGALG_INFO;

/*

 * Structure containing table entry of certificate info corresponding to

 * CERT_PKEY entries

 */

typedef struct {

    int nid; /* NID of public key algorithm */

    uint32_t amask; /* authmask corresponding to key type */

} SSL_CERT_LOOKUP;

/* flags values */

# define TLS_GROUP_TYPE             0x0000000FU /* Mask for group type */

# define TLS_GROUP_CURVE_PRIME      0x00000001U

# define TLS_GROUP_CURVE_CHAR2      0x00000002U

# define TLS_GROUP_CURVE_CUSTOM     0x00000004U

# define TLS_GROUP_FFDHE            0x00000008U

# define TLS_GROUP_ONLY_FOR_TLS1_3  0x00000010U

# define TLS_GROUP_FFDHE_FOR_TLS1_3 (TLS_GROUP_FFDHE|TLS_GROUP_ONLY_FOR_TLS1_3)

/* We limit the number of key shares sent */

# ifndef OPENSSL_CLIENT_MAX_KEY_SHARES

#  define OPENSSL_CLIENT_MAX_KEY_SHARES 4

# endif

struct ssl_ctx_st {

    OSSL_LIB_CTX *libctx;

    const SSL_METHOD *method;

    STACK_OF(SSL_CIPHER) *cipher_list;

    /* same as above but sorted for lookup */

    STACK_OF(SSL_CIPHER) *cipher_list_by_id;

    /* TLSv1.3 specific ciphersuites */

    STACK_OF(SSL_CIPHER) *tls13_ciphersuites;

    struct x509_store_st /* X509_STORE */ *cert_store;

    LHASH_OF(SSL_SESSION) *sessions;

    /*

     * Most session-ids that will be cached, default is

     * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited.

     */

    size_t session_cache_size;

    struct ssl_session_st *session_cache_head;

    struct ssl_session_st *session_cache_tail;

    /*

     * This can have one of 2 values, ored together, SSL_SESS_CACHE_CLIENT,

     * SSL_SESS_CACHE_SERVER, Default is SSL_SESSION_CACHE_SERVER, which

     * means only SSL_accept will cache SSL_SESSIONS.

     */

    uint32_t session_cache_mode;

    /*

     * If timeout is not 0, it is the default timeout value set when

     * SSL_new() is called.  This has been put in to make life easier to set

     * things up

     */

    OSSL_TIME session_timeout;

    /*

     * If this callback is not null, it will be called each time a session id

     * is added to the cache.  If this function returns 1, it means that the

     * callback will do an SSL_SESSION_free() when it has finished using it.

     * Otherwise, on 0, it means the callback has finished with it. If

     * remove_session_cb is not null, it will be called when a session-id is

     * removed from the cache.  After the call, OpenSSL will

     * SSL_SESSION_free() it.

     */

    int (*new_session_cb) (struct ssl_st *ssl, SSL_SESSION *sess);

    void (*remove_session_cb) (struct ssl_ctx_st *ctx, SSL_SESSION *sess);

    SSL_SESSION *(*get_session_cb) (struct ssl_st *ssl,

                                    const unsigned char *data, int len,

                                    int *copy);

    struct {

        TSAN_QUALIFIER int sess_connect;       /* SSL new conn - started */

        TSAN_QUALIFIER int sess_connect_renegotiate; /* SSL reneg - requested */

        TSAN_QUALIFIER int sess_connect_good;  /* SSL new conne/reneg - finished */

        TSAN_QUALIFIER int sess_accept;        /* SSL new accept - started */

        TSAN_QUALIFIER int sess_accept_renegotiate; /* SSL reneg - requested */

        TSAN_QUALIFIER int sess_accept_good;   /* SSL accept/reneg - finished */

        TSAN_QUALIFIER int sess_miss;          /* session lookup misses */

        TSAN_QUALIFIER int sess_timeout;       /* reuse attempt on timeouted session */

        TSAN_QUALIFIER int sess_cache_full;    /* session removed due to full cache */

        TSAN_QUALIFIER int sess_hit;           /* session reuse actually done */

        TSAN_QUALIFIER int sess_cb_hit;        /* session-id that was not in

                                                * the cache was passed back via

                                                * the callback. This indicates

                                                * that the application is

                                                * supplying session-id's from

                                                * other processes - spooky

                                                * :-) */

    } stats;

#ifdef TSAN_REQUIRES_LOCKING

    CRYPTO_RWLOCK *tsan_lock;

#endif

    CRYPTO_REF_COUNT references;

    /* if defined, these override the X509_verify_cert() calls */

    int (*app_verify_callback) (X509_STORE_CTX *, void *);

    void *app_verify_arg;

    /*

     * before OpenSSL 0.9.7, 'app_verify_arg' was ignored

     * ('app_verify_callback' was called with just one argument)

     */

    /* Default password callback. */

    pem_password_cb *default_passwd_callback;

    /* Default password callback user data. */

    void *default_passwd_callback_userdata;

    /* get client cert callback */

    int (*client_cert_cb) (SSL *ssl, X509 **x509, EVP_PKEY **pkey);

    /* cookie generate callback */

    int (*app_gen_cookie_cb) (SSL *ssl, unsigned char *cookie,

                              unsigned int *cookie_len);

    /* verify cookie callback */

    int (*app_verify_cookie_cb) (SSL *ssl, const unsigned char *cookie,

                                 unsigned int cookie_len);

    /* TLS1.3 app-controlled cookie generate callback */

    int (*gen_stateless_cookie_cb) (SSL *ssl, unsigned char *cookie,

                                    size_t *cookie_len);

    /* TLS1.3 verify app-controlled cookie callback */

    int (*verify_stateless_cookie_cb) (SSL *ssl, const unsigned char *cookie,

                                       size_t cookie_len);

    CRYPTO_EX_DATA ex_data;

    const EVP_MD *md5;          /* For SSLv3/TLSv1 'ssl3-md5' */

    const EVP_MD *sha1;         /* For SSLv3/TLSv1 'ssl3-sha1' */

    STACK_OF(X509) *extra_certs;

    STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */

    /* Default values used when no per-SSL value is defined follow */

    /* used if SSL's info_callback is NULL */

    void (*info_callback) (const SSL *ssl, int type, int val);

    /*

     * What we put in certificate_authorities extension for TLS 1.3

     * (ClientHello and CertificateRequest) or just client cert requests for

     * earlier versions. If client_ca_names is populated then it is only used

     * for client cert requests, and in preference to ca_names.

     */

    STACK_OF(X509_NAME) *ca_names;

    STACK_OF(X509_NAME) *client_ca_names;

    /*

     * Default values to use in SSL structures follow (these are copied by

     * SSL_new)

     */

    uint64_t options;

    uint32_t mode;

    int min_proto_version;

    int max_proto_version;

    size_t max_cert_list;

    struct cert_st /* CERT */ *cert;

    SSL_CERT_LOOKUP *ssl_cert_info;

    int read_ahead;

    /* callback that allows applications to peek at protocol messages */

    ossl_msg_cb msg_callback;

    void *msg_callback_arg;

    uint32_t verify_mode;

    size_t sid_ctx_length;

    unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];

    /* called 'verify_callback' in the SSL */

    int (*default_verify_callback) (int ok, X509_STORE_CTX *ctx);

    /* Default generate session ID callback. */

    GEN_SESSION_CB generate_session_id;

    X509_VERIFY_PARAM *param;

    int quiet_shutdown;

# ifndef OPENSSL_NO_CT

    CTLOG_STORE *ctlog_store;   /* CT Log Store */

    /*

     * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.

     * If they are not, the connection should be aborted.

     */

    ssl_ct_validation_cb ct_validation_callback;

    void *ct_validation_callback_arg;

# endif

    /*

     * If we're using more than one pipeline how should we divide the data

     * up between the pipes?

     */

    size_t split_send_fragment;

    /*

     * Maximum amount of data to send in one fragment. actual record size can

     * be more than this due to padding and MAC overheads.

     */

    size_t max_send_fragment;

    /* Up to how many pipelines should we use? If 0 then 1 is assumed */

    size_t max_pipelines;

    /* The default read buffer length to use (0 means not set) */

    size_t default_read_buf_len;

# ifndef OPENSSL_NO_ENGINE

    /*

     * Engine to pass requests for client certs to

     */

    ENGINE *client_cert_engine;

# endif

    /* ClientHello callback.  Mostly for extensions, but not entirely. */

    SSL_client_hello_cb_fn client_hello_cb;

    void *client_hello_cb_arg;

    /* Callback to announce new pending ssl objects in the accept queue */

    SSL_new_pending_conn_cb_fn new_pending_conn_cb;

    void *new_pending_conn_arg;

    /* TLS extensions. */

    struct {

        /* TLS extensions servername callback */

        int (*servername_cb) (SSL *, int *, void *);

        void *servername_arg;

        /* RFC 4507 session ticket keys */

        unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH];

        SSL_CTX_EXT_SECURE *secure;

# ifndef OPENSSL_NO_DEPRECATED_3_0

        /* Callback to support customisation of ticket key setting */

        int (*ticket_key_cb) (SSL *ssl,

                              unsigned char *name, unsigned char *iv,

                              EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);

#endif

        int (*ticket_key_evp_cb) (SSL *ssl,

                                  unsigned char *name, unsigned char *iv,

                                  EVP_CIPHER_CTX *ectx, EVP_MAC_CTX *hctx,

                                  int enc);

        /* certificate status request info */

        /* Callback for status request */

        int (*status_cb) (SSL *ssl, void *arg);

        void *status_arg;

        /* ext status type used for CSR extension (OCSP Stapling) */

        int status_type;

        /* RFC 4366 Maximum Fragment Length Negotiation */

        uint8_t max_fragment_len_mode;

        /* EC extension values inherited by SSL structure */

        size_t ecpointformats_len;

        unsigned char *ecpointformats;

        size_t supportedgroups_len;

        uint16_t *supportedgroups;

        size_t keyshares_len;

        uint16_t *keyshares;

        size_t tuples_len; /* Number of group tuples */

        size_t *tuples; /* Number of groups in each group tuple */

        /*

         * ALPN information (we are in the process of transitioning from NPN to

         * ALPN.)

         */

        /*-

         * For a server, this contains a callback function that allows the

         * server to select the protocol for the connection.

         *   out: on successful return, this must point to the raw protocol

         *        name (without the length prefix).

         *   outlen: on successful return, this contains the length of |*out|.

         *   in: points to the client's list of supported protocols in

         *       wire-format.

         *   inlen: the length of |in|.

         */

        int (*alpn_select_cb) (SSL *s,

                               const unsigned char **out,

                               unsigned char *outlen,

                               const unsigned char *in,

                               unsigned int inlen, void *arg);

        void *alpn_select_cb_arg;

        /*

         * For a client, this contains the list of supported protocols in wire

         * format.

         */

        unsigned char *alpn;

        size_t alpn_len;

# ifndef OPENSSL_NO_NEXTPROTONEG

        /* Next protocol negotiation information */

        /*

         * For a server, this contains a callback function by which the set of

         * advertised protocols can be provided.

         */

        SSL_CTX_npn_advertised_cb_func npn_advertised_cb;

        void *npn_advertised_cb_arg;

        /*

         * For a client, this contains a callback function that selects the next

         * protocol from the list provided by the server.

         */

        SSL_CTX_npn_select_cb_func npn_select_cb;

        void *npn_select_cb_arg;

# endif