/*

 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.

 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved

 * Copyright 2005 Nokia. All rights reserved.

 *

 * Licensed under the Apache License 2.0 (the "License").  You may not use

 * this file except in compliance with the License.  You can obtain a copy

 * in the file LICENSE in the source distribution or at

 * https://www.openssl.org/source/license.html

 */

#include "internal/e_os.h"

#include "internal/e_winsock.h"

#include "ssl_local.h"

#include <openssl/err.h>

#include <openssl/objects.h>

#include <openssl/x509v3.h>

#include <openssl/rand.h>

#include <openssl/ocsp.h>

#include <openssl/dh.h>

#include <openssl/async.h>

#include <openssl/ct.h>

#include <openssl/trace.h>

#include <openssl/core_names.h>

#include <openssl/provider.h>

#include "internal/cryptlib.h"

#include "internal/nelem.h"

#include "internal/refcount.h"

#include "internal/thread_once.h"

#include "internal/ktls.h"

#include "internal/to_hex.h"

#include "internal/ssl_unwrap.h"

#include "quic/quic_local.h"

#ifndef OPENSSL_NO_SSLKEYLOG

#include <sys/stat.h>

#include <fcntl.h>

#endif

static int ssl_undefined_function_3(SSL_CONNECTION *sc, unsigned char *r,

    unsigned char *s, size_t t, size_t *u)

{

    return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));

}

static int ssl_undefined_function_4(SSL_CONNECTION *sc, int r)

{

    return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));

}

static size_t ssl_undefined_function_5(SSL_CONNECTION *sc, const char *r,

    size_t s, unsigned char *t)

{

    return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));

}

static int ssl_undefined_function_6(int r)

{

    return ssl_undefined_function(NULL);

}

static int ssl_undefined_function_7(SSL_CONNECTION *sc, unsigned char *r,

    size_t s, const char *t, size_t u,

    const unsigned char *v, size_t w, int x)

{

    return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));

}

static int ssl_undefined_function_8(SSL_CONNECTION *sc)

{

    return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));

}

const SSL3_ENC_METHOD ssl3_undef_enc_method = {

    ssl_undefined_function_8,

    ssl_undefined_function_3,

    ssl_undefined_function_4,

    ssl_undefined_function_5,

    NULL, /* client_finished_label */

    0, /* client_finished_label_len */

    NULL, /* server_finished_label */

    0, /* server_finished_label_len */

    ssl_undefined_function_6,

    ssl_undefined_function_7,

};

struct ssl_async_args {

    SSL *s;

    void *buf;

    size_t num;

    enum { READFUNC,

        WRITEFUNC,

        OTHERFUNC } type;

    union {

        int (*func_read)(SSL *, void *, size_t, size_t *);

        int (*func_write)(SSL *, const void *, size_t, size_t *);

        int (*func_other)(SSL *);

    } f;

};

static const struct {

    uint8_t mtype;

    uint8_t ord;

    int nid;

} dane_mds[] = {

    { DANETLS_MATCHING_FULL, 0, NID_undef },

    { DANETLS_MATCHING_2256, 1, NID_sha256 },

    { DANETLS_MATCHING_2512, 2, NID_sha512 },

};

static int dane_ctx_enable(struct dane_ctx_st *dctx)

{

    const EVP_MD **mdevp;

    uint8_t *mdord;

    uint8_t mdmax = DANETLS_MATCHING_LAST;

    int n = ((int)mdmax) + 1; /* int to handle PrivMatch(255) */

    size_t i;

    if (dctx->mdevp != NULL)

        return 1;

    mdevp = OPENSSL_calloc(n, sizeof(*mdevp));

    mdord = OPENSSL_calloc(n, sizeof(*mdord));

    if (mdord == NULL || mdevp == NULL) {

        OPENSSL_free(mdord);

        OPENSSL_free(mdevp);

        return 0;

    }

    /* Install default entries */

    for (i = 0; i < OSSL_NELEM(dane_mds); ++i) {

        const EVP_MD *md;

        if (dane_mds[i].nid == NID_undef || (md = EVP_get_digestbynid(dane_mds[i].nid)) == NULL)

            continue;

        mdevp[dane_mds[i].mtype] = md;

        mdord[dane_mds[i].mtype] = dane_mds[i].ord;

    }

    dctx->mdevp = mdevp;

    dctx->mdord = mdord;

    dctx->mdmax = mdmax;

    return 1;

}

static void dane_ctx_final(struct dane_ctx_st *dctx)

{

    OPENSSL_free(dctx->mdevp);

    dctx->mdevp = NULL;

    OPENSSL_free(dctx->mdord);

    dctx->mdord = NULL;

    dctx->mdmax = 0;

}

static void tlsa_free(danetls_record *t)

{

    if (t == NULL)

        return;

    OPENSSL_free(t->data);

    EVP_PKEY_free(t->spki);

    OPENSSL_free(t);

}

static void dane_final(SSL_DANE *dane)

{

    sk_danetls_record_pop_free(dane->trecs, tlsa_free);

    dane->trecs = NULL;

    OSSL_STACK_OF_X509_free(dane->certs);

    dane->certs = NULL;

    X509_free(dane->mcert);

    dane->mcert = NULL;

    dane->mtlsa = NULL;

    dane->mdpth = -1;

    dane->pdpth = -1;

}

/*

 * dane_copy - Copy dane configuration, sans verification state.

 */

static int ssl_dane_dup(SSL_CONNECTION *to, SSL_CONNECTION *from)

{

    int num;

    int i;

    if (!DANETLS_ENABLED(&from->dane))

        return 1;

    num = sk_danetls_record_num(from->dane.trecs);

    dane_final(&to->dane);

    to->dane.flags = from->dane.flags;

    to->dane.dctx = &SSL_CONNECTION_GET_CTX(to)->dane;

    to->dane.trecs = sk_danetls_record_new_reserve(NULL, num);

    if (to->dane.trecs == NULL) {

        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);

        return 0;

    }

    for (i = 0; i < num; ++i) {

        danetls_record *t = sk_danetls_record_value(from->dane.trecs, i);

        if (SSL_dane_tlsa_add(SSL_CONNECTION_GET_SSL(to), t->usage,

                t->selector, t->mtype, t->data, t->dlen)

            <= 0)

            return 0;

    }

    return 1;

}

static int dane_mtype_set(struct dane_ctx_st *dctx,

    const EVP_MD *md, uint8_t mtype, uint8_t ord)

{

    int i;

    if (mtype == DANETLS_MATCHING_FULL && md != NULL) {

        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL);

        return 0;

    }

    if (mtype > dctx->mdmax) {

        const EVP_MD **mdevp;

        uint8_t *mdord;

        int n = ((int)mtype) + 1;

        mdevp = OPENSSL_realloc_array(dctx->mdevp, n, sizeof(*mdevp));

        if (mdevp == NULL)

            return -1;

        dctx->mdevp = mdevp;

        mdord = OPENSSL_realloc_array(dctx->mdord, n, sizeof(*mdord));

        if (mdord == NULL)

            return -1;

        dctx->mdord = mdord;

        /* Zero-fill any gaps */

        for (i = dctx->mdmax + 1; i < mtype; ++i) {

            mdevp[i] = NULL;

            mdord[i] = 0;

        }

        dctx->mdmax = mtype;

    }

    dctx->mdevp[mtype] = md;

    /* Coerce ordinal of disabled matching types to 0 */

    dctx->mdord[mtype] = (md == NULL) ? 0 : ord;

    return 1;

}

static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype)

{

    if (mtype > dane->dctx->mdmax)

        return NULL;

    return dane->dctx->mdevp[mtype];

}

static int dane_tlsa_add(SSL_DANE *dane,

    uint8_t usage,

    uint8_t selector,

    uint8_t mtype, const unsigned char *data, size_t dlen)

{

    danetls_record *t;

    const EVP_MD *md = NULL;

    int ilen = (int)dlen;

    int i;

    int num;

    int mdsize;

    if (dane->trecs == NULL) {

        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_NOT_ENABLED);

        return -1;

    }

    if (ilen < 0 || dlen != (size_t)ilen) {

        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DATA_LENGTH);

        return 0;

    }

    if (usage > DANETLS_USAGE_LAST) {

        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE);

        return 0;

    }

    if (selector > DANETLS_SELECTOR_LAST) {

        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_SELECTOR);

        return 0;

    }

    if (mtype != DANETLS_MATCHING_FULL) {

        md = tlsa_md_get(dane, mtype);

        if (md == NULL) {

            ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE);

            return 0;

        }

    }

    if (md != NULL) {

        mdsize = EVP_MD_get_size(md);

        if (mdsize <= 0 || dlen != (size_t)mdsize) {

            ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH);

            return 0;

        }

    }

    if (!data) {

        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_NULL_DATA);

        return 0;

    }

    if ((t = OPENSSL_zalloc(sizeof(*t))) == NULL)

        return -1;

    t->usage = usage;

    t->selector = selector;

    t->mtype = mtype;

    t->data = OPENSSL_malloc(dlen);

    if (t->data == NULL) {

        tlsa_free(t);

        return -1;

    }

    memcpy(t->data, data, dlen);

    t->dlen = dlen;

    /* Validate and cache full certificate or public key */

    if (mtype == DANETLS_MATCHING_FULL) {

        const unsigned char *p = data;

        X509 *cert = NULL;

        EVP_PKEY *pkey = NULL;

        switch (selector) {

        case DANETLS_SELECTOR_CERT:

            if (!d2i_X509(&cert, &p, ilen) || p < data || dlen != (size_t)(p - data)) {

                X509_free(cert);

                tlsa_free(t);

                ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);

                return 0;

            }

            if (X509_get0_pubkey(cert) == NULL) {

                X509_free(cert);

                tlsa_free(t);

                ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);

                return 0;

            }

            if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {

                /*

                 * The Full(0) certificate decodes to a seemingly valid X.509

                 * object with a plausible key, so the TLSA record is well

                 * formed.  However, we don't actually need the certificate for

                 * usages PKIX-EE(1) or DANE-EE(3), because at least the EE

                 * certificate is always presented by the peer.  We discard the

                 * certificate, and just use the TLSA data as an opaque blob

                 * for matching the raw presented DER octets.

                 *

                 * DO NOT FREE `t` here, it will be added to the TLSA record

                 * list below!

                 */

                X509_free(cert);

                break;

            }

            /*

             * For usage DANE-TA(2), we support authentication via "2 0 0" TLSA

             * records that contain full certificates of trust-anchors that are

             * not present in the wire chain.  For usage PKIX-TA(0), we augment

             * the chain with untrusted Full(0) certificates from DNS, in case

             * they are missing from the chain.

             */

            if ((dane->certs == NULL && (dane->certs = sk_X509_new_null()) == NULL) || !sk_X509_push(dane->certs, cert)) {

                ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);

                X509_free(cert);

                tlsa_free(t);

                return -1;

            }

            break;

        case DANETLS_SELECTOR_SPKI:

            if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data || dlen != (size_t)(p - data)) {

                EVP_PKEY_free(pkey);

                tlsa_free(t);

                ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY);

                return 0;

            }

            /*

             * For usage DANE-TA(2), we support authentication via "2 1 0" TLSA

             * records that contain full bare keys of trust-anchors that are

             * not present in the wire chain.

             */

            if (usage == DANETLS_USAGE_DANE_TA)

                t->spki = pkey;

            else

                EVP_PKEY_free(pkey);

            break;

        }

    }

    /*-

     * Find the right insertion point for the new record.

     *

     * See crypto/x509/x509_vfy.c.  We sort DANE-EE(3) records first, so that

     * they can be processed first, as they require no chain building, and no

     * expiration or hostname checks.  Because DANE-EE(3) is numerically

     * largest, this is accomplished via descending sort by "usage".

     *

     * We also sort in descending order by matching ordinal to simplify

     * the implementation of digest agility in the verification code.

     *

     * The choice of order for the selector is not significant, so we

     * use the same descending order for consistency.

     */

    num = sk_danetls_record_num(dane->trecs);

    for (i = 0; i < num; ++i) {

        danetls_record *rec = sk_danetls_record_value(dane->trecs, i);

        if (rec->usage > usage)

            continue;

        if (rec->usage < usage)

            break;

        if (rec->selector > selector)

            continue;

        if (rec->selector < selector)

            break;

        if (dane->dctx->mdord[rec->mtype] > dane->dctx->mdord[mtype])

            continue;

        break;

    }

    if (!sk_danetls_record_insert(dane->trecs, t, i)) {

        tlsa_free(t);

        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);

        return -1;

    }

    dane->umask |= DANETLS_USAGE_BIT(usage);

    return 1;

}

/*

 * Return 0 if there is only one version configured and it was disabled

 * at configure time.  Return 1 otherwise.

 */

static int ssl_check_allowed_versions(int min_version, int max_version)

{

    int minisdtls = 0, maxisdtls = 0;

    /* Figure out if we're doing DTLS versions or TLS versions */

    if (min_version == DTLS1_BAD_VER

        || min_version >> 8 == DTLS1_VERSION_MAJOR)

        minisdtls = 1;

    if (max_version == DTLS1_BAD_VER

        || max_version >> 8 == DTLS1_VERSION_MAJOR)

        maxisdtls = 1;

    /* A wildcard version of 0 could be DTLS or TLS. */

    if ((minisdtls && !maxisdtls && max_version != 0)

        || (maxisdtls && !minisdtls && min_version != 0)) {

        /* Mixing DTLS and TLS versions will lead to sadness; deny it. */

        return 0;

    }

    if (minisdtls || maxisdtls) {

        /* Do DTLS version checks. */

        if (min_version == 0)

            /* Ignore DTLS1_BAD_VER */

            min_version = DTLS1_VERSION;

        if (max_version == 0)

            max_version = DTLS1_2_VERSION;

#ifdef OPENSSL_NO_DTLS1_2

        if (max_version == DTLS1_2_VERSION)

            max_version = DTLS1_VERSION;

#endif

#ifdef OPENSSL_NO_DTLS1

        if (min_version == DTLS1_VERSION)

            min_version = DTLS1_2_VERSION;

#endif

        /* Done massaging versions; do the check. */

        if (0

#ifdef OPENSSL_NO_DTLS1

            || (DTLS_VERSION_GE(min_version, DTLS1_VERSION)

                && DTLS_VERSION_GE(DTLS1_VERSION, max_version))

#endif

#ifdef OPENSSL_NO_DTLS1_2

            || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION)

                && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version))

#endif

        )

            return 0;

    } else {

        /* Regular TLS version checks. */

        if (min_version == 0)

            min_version = TLS1_VERSION;

        if (max_version == 0)

            max_version = TLS1_3_VERSION;

#ifdef OPENSSL_NO_TLS1_3

        if (max_version == TLS1_3_VERSION)

            max_version = TLS1_2_VERSION;

#endif

#ifdef OPENSSL_NO_TLS1_2

        if (max_version == TLS1_2_VERSION)

            max_version = TLS1_1_VERSION;

#endif

#ifdef OPENSSL_NO_TLS1_1

        if (max_version == TLS1_1_VERSION)

            max_version = TLS1_VERSION;

#endif

#ifdef OPENSSL_NO_TLS1

        if (max_version == TLS1_VERSION)

            max_version = SSL3_VERSION;

#endif

#ifdef OPENSSL_NO_TLS1

        if (min_version == TLS1_VERSION)

            min_version = TLS1_1_VERSION;

#endif

#ifdef OPENSSL_NO_TLS1_1

        if (min_version == TLS1_1_VERSION)

            min_version = TLS1_2_VERSION;

#endif

#ifdef OPENSSL_NO_TLS1_2

        if (min_version == TLS1_2_VERSION)

            min_version = TLS1_3_VERSION;

#endif

        /* Done massaging versions; do the check. */

        if (0

#ifdef OPENSSL_NO_TLS1

            || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version)

#endif

#ifdef OPENSSL_NO_TLS1_1

            || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version)

#endif

#ifdef OPENSSL_NO_TLS1_2

            || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version)

#endif

#ifdef OPENSSL_NO_TLS1_3

            || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version)

#endif

        )

            return 0;

    }

    return 1;

}

#if defined(__TANDEM) && defined(OPENSSL_VPROC)

/*

 * Define a VPROC function for HP NonStop build ssl library.

 * This is used by platform version identification tools.

 * Do not inline this procedure or make it static.

 */

#define OPENSSL_VPROC_STRING_(x) x##_SSL

#define OPENSSL_VPROC_STRING(x) OPENSSL_VPROC_STRING_(x)

#define OPENSSL_VPROC_FUNC OPENSSL_VPROC_STRING(OPENSSL_VPROC)

void OPENSSL_VPROC_FUNC(void) { }

#endif

int SSL_clear(SSL *s)

{

    if (s->method == NULL) {

        ERR_raise(ERR_LIB_SSL, SSL_R_NO_METHOD_SPECIFIED);

        return 0;

    }

    return s->method->ssl_reset(s);

}

int ossl_ssl_connection_reset(SSL *s)

{

    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)

        return 0;

    if (ssl_clear_bad_session(sc)) {

        SSL_SESSION_free(sc->session);

        sc->session = NULL;

    }

    SSL_SESSION_free(sc->psksession);

    sc->psksession = NULL;

    OPENSSL_free(sc->psksession_id);

    sc->psksession_id = NULL;

    sc->psksession_id_len = 0;

    sc->hello_retry_request = SSL_HRR_NONE;

    sc->sent_tickets = 0;

    sc->error = 0;

    sc->hit = 0;

    sc->shutdown = 0;

    if (sc->renegotiate) {

        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);

        return 0;

    }

    ossl_statem_clear(sc);

    sc->version = s->method->version;

    sc->client_version = sc->version;

    sc->rwstate = SSL_NOTHING;

    BUF_MEM_free(sc->init_buf);

    sc->init_buf = NULL;

    sc->first_packet = 0;

    sc->key_update = SSL_KEY_UPDATE_NONE;

    memset(sc->ext.compress_certificate_from_peer, 0,

        sizeof(sc->ext.compress_certificate_from_peer));

    sc->ext.compress_certificate_sent = 0;

    EVP_MD_CTX_free(sc->pha_dgst);

    sc->pha_dgst = NULL;

    /* Reset DANE verification result state */

    sc->dane.mdpth = -1;

    sc->dane.pdpth = -1;

    X509_free(sc->dane.mcert);

    sc->dane.mcert = NULL;

    sc->dane.mtlsa = NULL;

    /* Clear the verification result peername */

    X509_VERIFY_PARAM_move_peername(sc->param, NULL);

    /* Clear any shared connection state */

    OPENSSL_free(sc->shared_sigalgs);

    sc->shared_sigalgs = NULL;

    sc->shared_sigalgslen = 0;

    /*

     * Check to see if we were changed into a different method, if so, revert

     * back.

     */

    if (s->method != s->defltmeth) {

        s->method->ssl_deinit(s);

        s->method = s->defltmeth;

        if (!s->method->ssl_init(s))

            return 0;

    } else {

        if (!s->method->ssl_clear(s))

            return 0;

    }

    ossl_quic_tls_clear(sc->qtls);

    if (!RECORD_LAYER_reset(&sc->rlayer))

        return 0;

    return 1;

}

#ifndef OPENSSL_NO_DEPRECATED_3_0

/** Used to change an SSL_CTXs default SSL method type */

int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)

{

    STACK_OF(SSL_CIPHER) *sk;

    if (IS_QUIC_CTX(ctx)) {

        ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);

        return 0;

    }

    ctx->method = meth;

    if (!SSL_CTX_set_ciphersuites(ctx, OSSL_default_ciphersuites())) {

        ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);

        return 0;

    }

    sk = ssl_create_cipher_list(ctx,

        ctx->tls13_ciphersuites,

        &(ctx->cipher_list),

        &(ctx->cipher_list_by_id),

        OSSL_default_cipher_list(), ctx->cert);

    if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {

        ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);

        return 0;

    }

    return 1;

}

#endif

SSL *SSL_new(SSL_CTX *ctx)

{

    if (ctx == NULL) {

        ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_CTX);

        return NULL;

    }

    if (ctx->method == NULL) {

        ERR_raise(ERR_LIB_SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);

        return NULL;

    }

    return ctx->method->ssl_new(ctx);

}

int ossl_ssl_init(SSL *ssl, SSL_CTX *ctx, const SSL_METHOD *method, int type)

{

    if (!SSL_CTX_up_ref(ctx))

        return 0;

    ssl->lock = CRYPTO_THREAD_lock_new();

    if (ssl->lock == NULL || !CRYPTO_NEW_REF(&ssl->references, 1))

        goto err;

    if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, ssl, &ssl->ex_data)) {

        CRYPTO_FREE_REF(&ssl->references);

        goto err;

    }

    ssl->ctx = ctx;

    ssl->type = type;

    ssl->defltmeth = ssl->method = method;

    return 1;

err:

    CRYPTO_THREAD_lock_free(ssl->lock);

    ssl->lock = NULL;

    SSL_CTX_free(ctx);

    return 0;

}

SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, SSL *user_ssl,

    const SSL_METHOD *method)

{

    SSL_CONNECTION *s;

    SSL *ssl;

    s = OPENSSL_zalloc(sizeof(*s));

    if (s == NULL)

        return NULL;

    ssl = &s->ssl;

    s->user_ssl = (user_ssl == NULL) ? ssl : user_ssl;

    if (!ossl_ssl_init(ssl, ctx, method, SSL_TYPE_SSL_CONNECTION)) {

        OPENSSL_free(s);

        s = NULL;

        ssl = NULL;

        goto sslerr;

    }

    RECORD_LAYER_init(&s->rlayer, s);

    s->options = ctx->options;

    s->dane.flags = ctx->dane.flags;

    if (method->version == ctx->method->version) {

        s->min_proto_version = ctx->min_proto_version;

        s->max_proto_version = ctx->max_proto_version;

    }

    s->mode = ctx->mode;

    s->max_cert_list = ctx->max_cert_list;

    s->max_early_data = ctx->max_early_data;

    s->recv_max_early_data = ctx->recv_max_early_data;

    s->num_tickets = ctx->num_tickets;

    s->pha_enabled = ctx->pha_enabled;

    /* Shallow copy of the ciphersuites stack */

    s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites);

    if (s->tls13_ciphersuites == NULL)

        goto cerr;

    /*

     * Earlier library versions used to copy the pointer to the CERT, not

     * its contents; only when setting new parameters for the per-SSL

     * copy, ssl_cert_new would be called (and the direct reference to

     * the per-SSL_CTX settings would be lost, but those still were

     * indirectly accessed for various purposes, and for that reason they

     * used to be known as s->ctx->default_cert). Now we don't look at the

     * SSL_CTX's CERT after having duplicated it once.

     */

    s->cert = ssl_cert_dup(ctx->cert);

    if (s->cert == NULL)

        goto sslerr;

    RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->read_ahead);

    s->msg_callback = ctx->msg_callback;

    s->msg_callback_arg = ctx->msg_callback_arg;

    s->verify_mode = ctx->verify_mode;

    s->not_resumable_session_cb = ctx->not_resumable_session_cb;

    s->rlayer.record_padding_cb = ctx->record_padding_cb;

    s->rlayer.record_padding_arg = ctx->record_padding_arg;

    s->rlayer.block_padding = ctx->block_padding;

    s->rlayer.hs_padding = ctx->hs_padding;

    s->sid_ctx_length = ctx->sid_ctx_length;

    if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx)))

        goto err;

    memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));

    s->verify_callback = ctx->default_verify_callback;

    s->generate_session_id = ctx->generate_session_id;

    s->param = X509_VERIFY_PARAM_new();

    if (s->param == NULL)

        goto asn1err;

    X509_VERIFY_PARAM_inherit(s->param, ctx->param);

    s->quiet_shutdown = IS_QUIC_CTX(ctx) ? 0 : ctx->quiet_shutdown;

    if (!IS_QUIC_CTX(ctx))

        s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode;

    s->max_send_fragment = ctx->max_send_fragment;

    s->split_send_fragment = ctx->split_send_fragment;

    s->max_pipelines = ctx->max_pipelines;

    s->rlayer.default_read_buf_len = ctx->default_read_buf_len;

    s->ext.debug_cb = 0;

    s->ext.debug_arg = NULL;

    s->ext.ticket_expected = 0;

    s->ext.status_type = ctx->ext.status_type;

    s->ext.status_expected = 0;

    s->ext.ocsp.ids = NULL;

    s->ext.ocsp.exts = NULL;

    s->ext.ocsp.resp = NULL;

    s->ext.ocsp.resp_len = 0;

    s->ext.ocsp.resp_ex = NULL;

    if (!SSL_CTX_up_ref(ctx))

        goto err;

    s->session_ctx = ctx;

    if (ctx->ext.ecpointformats != NULL) {

        s->ext.ecpointformats = OPENSSL_memdup(ctx->ext.ecpointformats,

            ctx->ext.ecpointformats_len);

        if (s->ext.ecpointformats == NULL) {

            s->ext.ecpointformats_len = 0;

            goto err;

        }

        s->ext.ecpointformats_len = ctx->ext.ecpointformats_len;

    }

    if (ctx->ext.supportedgroups != NULL) {

        size_t add = 0;

        if (ctx->ext.supportedgroups_len == 0)

            /* Add 1 so allocation won't fail */

            add = 1;

        s->ext.supportedgroups = OPENSSL_memdup(ctx->ext.supportedgroups,

            (ctx->ext.supportedgroups_len + add)

                * sizeof(*ctx->ext.supportedgroups));

        if (s->ext.supportedgroups == NULL) {

            s->ext.supportedgroups_len = 0;

            goto err;

        }

        s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;

    }

    if (ctx->ext.keyshares != NULL) {

        size_t add = 0;

        if (ctx->ext.keyshares_len == 0)

            /* Add 1 so allocation won't fail */

            add = 1;

        s->ext.keyshares = OPENSSL_memdup(ctx->ext.keyshares,

            (ctx->ext.keyshares_len + add)

                * sizeof(*ctx->ext.keyshares));

        if (s->ext.keyshares == NULL) {

            s->ext.keyshares_len = 0;

            goto err;

        }

        s->ext.keyshares_len = ctx->ext.keyshares_len;

    }

    if (ctx->ext.tuples != NULL) {

        size_t add = 0;

        if (ctx->ext.tuples_len == 0)

            /* Add 1 so allocation won't fail */

            add = 1;

        s->ext.tuples = OPENSSL_memdup(ctx->ext.tuples,

            (ctx->ext.tuples_len + add)

                * sizeof(*ctx->ext.tuples));

        if (s->ext.tuples == NULL) {

            s->ext.tuples_len = 0;

            goto err;

        }

        s->ext.tuples_len = ctx->ext.tuples_len;

    }

#ifndef OPENSSL_NO_NEXTPROTONEG

    s->ext.npn = NULL;

#endif

    if (ctx->ext.alpn != NULL) {

        s->ext.alpn = OPENSSL_malloc(ctx->ext.alpn_len);

        if (s->ext.alpn == NULL) {

            s->ext.alpn_len = 0;

            goto err;