自学教程：C++ CBS_init函数代码示例

EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out, const uint8_t **inp,                         long len) {  if (len < 0) {    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);    return NULL;  }  // Parse with the legacy format.  CBS cbs;  CBS_init(&cbs, *inp, (size_t)len);  EVP_PKEY *ret = old_priv_decode(&cbs, type);  if (ret == NULL) {    // Try again with PKCS#8.    ERR_clear_error();    CBS_init(&cbs, *inp, (size_t)len);    ret = EVP_parse_private_key(&cbs);    if (ret == NULL) {      return NULL;    }    if (ret->type != type) {      OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_KEY_TYPES);      EVP_PKEY_free(ret);      return NULL;    }  }  if (out != NULL) {    EVP_PKEY_free(*out);    *out = ret;  }  *inp = CBS_data(&cbs);  return ret;}

/* pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7 * SignedData blob from |cbs| and sets |*out| to point to the rest of the * input. If the input is in BER format, then |*der_bytes| will be set to a * pointer that needs to be freed by the caller once they have finished * processing |*out| (which will be pointing into |*der_bytes|). * * It returns one on success or zero on error. On error, |*der_bytes| is * NULL. */static int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {  size_t der_len;  CBS in, content_info, content_type, wrapped_signed_data, signed_data;  uint64_t version;  /* The input may be in BER format. */  *der_bytes = NULL;  if (!CBS_asn1_ber_to_der(cbs, der_bytes, &der_len)) {    return 0;  }  if (*der_bytes != NULL) {    CBS_init(&in, *der_bytes, der_len);  } else {    CBS_init(&in, CBS_data(cbs), CBS_len(cbs));  }  /* See https://tools.ietf.org/html/rfc2315#section-7 */  if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE) ||      !CBS_get_asn1(&content_info, &content_type, CBS_ASN1_OBJECT)) {    goto err;  }  if (OBJ_cbs2nid(&content_type) != NID_pkcs7_signed) {    OPENSSL_PUT_ERROR(X509, pkcs7_parse_header,                      X509_R_NOT_PKCS7_SIGNED_DATA);    goto err;  }  /* See https://tools.ietf.org/html/rfc2315#section-9.1 */  if (!CBS_get_asn1(&content_info, &wrapped_signed_data,                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||      !CBS_get_asn1(&wrapped_signed_data, &signed_data, CBS_ASN1_SEQUENCE) ||      !CBS_get_asn1_uint64(&signed_data, &version) ||      !CBS_get_asn1(&signed_data, NULL /* digests */, CBS_ASN1_SET) ||      !CBS_get_asn1(&signed_data, NULL /* content */, CBS_ASN1_SEQUENCE)) {    goto err;  }  if (version < 1) {    OPENSSL_PUT_ERROR(X509, pkcs7_parse_header,                      X509_R_BAD_PKCS7_VERSION);    goto err;  }  CBS_init(out, CBS_data(&signed_data), CBS_len(&signed_data));  return 1;err:  if (*der_bytes) {    OPENSSL_free(*der_bytes);    *der_bytes = NULL;  }  return 0;}

static int test_asn1_uint64(void) {  size_t i;  for (i = 0; i < sizeof(kAsn1Uint64Tests) / sizeof(kAsn1Uint64Tests[0]); i++) {    const ASN1_UINT64_TEST *test = &kAsn1Uint64Tests[i];    CBS cbs;    uint64_t value;    CBB cbb;    uint8_t *out;    size_t len;    CBS_init(&cbs, (const uint8_t *)test->encoding, test->encoding_len);    if (!CBS_get_asn1_uint64(&cbs, &value) ||        CBS_len(&cbs) != 0 ||        value != test->value) {      return 0;    }    if (!CBB_init(&cbb, 0)) {      return 0;    }    if (!CBB_add_asn1_uint64(&cbb, test->value) ||        !CBB_finish(&cbb, &out, &len)) {      CBB_cleanup(&cbb);      return 0;    }    if (len != test->encoding_len || memcmp(out, test->encoding, len) != 0) {      free(out);      return 0;    }    free(out);  }  for (i = 0;       i < sizeof(kAsn1InvalidUint64Tests) / sizeof(kAsn1InvalidUint64Tests[0]);       i++) {    const ASN1_INVALID_UINT64_TEST *test = &kAsn1InvalidUint64Tests[i];    CBS cbs;    uint64_t value;    CBS_init(&cbs, (const uint8_t *)test->encoding, test->encoding_len);    if (CBS_get_asn1_uint64(&cbs, &value)) {      return 0;    }  }  return 1;}

int tls13_process_new_session_ticket(SSL *ssl) {  SSL_SESSION *session =      SSL_SESSION_dup(ssl->s3->established_session,                      SSL_SESSION_INCLUDE_NONAUTH);  if (session == NULL) {    return 0;  }  CBS cbs, extensions, ticket;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!CBS_get_u32(&cbs, &session->tlsext_tick_lifetime_hint) ||      !CBS_get_u32(&cbs, &session->ticket_flags) ||      !CBS_get_u32(&cbs, &session->ticket_age_add) ||      !CBS_get_u16_length_prefixed(&cbs, &extensions) ||      !CBS_get_u16_length_prefixed(&cbs, &ticket) ||      !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||      CBS_len(&cbs) != 0) {    SSL_SESSION_free(session);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    return 0;  }  session->ticket_age_add_valid = 1;  session->not_resumable = 0;  if (ssl->ctx->new_session_cb != NULL &&      ssl->ctx->new_session_cb(ssl, session)) {    /* |new_session_cb|'s return value signals that it took ownership. */    return 1;  }  SSL_SESSION_free(session);  return 1;}

static int do_ber_convert(const char *name,                          const uint8_t *der_expected, size_t der_len,                          const uint8_t *ber, size_t ber_len) {  CBS in;  uint8_t *out;  size_t out_len;  CBS_init(&in, ber, ber_len);  if (!CBS_asn1_ber_to_der(&in, &out, &out_len)) {    fprintf(stderr, "%s: CBS_asn1_ber_to_der failed./n", name);    return 0;  }  if (out == NULL) {    if (ber_len != der_len ||        memcmp(der_expected, ber, ber_len) != 0) {      fprintf(stderr, "%s: incorrect unconverted result./n", name);      return 0;    }    return 1;  }  if (out_len != der_len ||      memcmp(out, der_expected, der_len) != 0) {    fprintf(stderr, "%s: incorrect converted result./n", name);    return 0;  }  free(out);  return 1;}

static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL *ssl,                                                          SSL_HANDSHAKE *hs) {  if (!tls13_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {    return ssl_hs_error;  }  CBS cbs;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!ssl_parse_serverhello_tlsext(ssl, &cbs)) {    OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);    return ssl_hs_error;  }  if (CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    return ssl_hs_error;  }  if (!ssl->method->hash_current_message(ssl)) {    return ssl_hs_error;  }  hs->state = state_process_certificate_request;  return ssl_hs_read_message;}

/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found| * depending on whether an indefinite length element was found. The value of * |in| is not changed. It returns one on success (i.e. |*ber_found| was set) * and zero on error. */static int cbs_find_ber(CBS *orig_in, char *ber_found, unsigned depth) {  CBS in;  if (depth > kMaxDepth) {    return 0;  }  CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in));  *ber_found = 0;  while (CBS_len(&in) > 0) {    CBS contents;    unsigned tag;    size_t header_len;    if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len)) {      return 0;    }    if (CBS_len(&contents) == header_len &&        header_len > 0 &&        CBS_data(&contents)[header_len-1] == 0x80) {      *ber_found = 1;      return 1;    }    if (tag & CBS_ASN1_CONSTRUCTED) {      if (!CBS_skip(&contents, header_len) ||          !cbs_find_ber(&contents, ber_found, depth + 1)) {        return 0;      }    }  }  return 1;}

int ssl3_get_finished(SSL *s, int a, int b){    int al, ok, md_len;    long n;    CBS cbs;    n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64,                                   /* should actually be 36+4 :-) */ &ok);    if (!ok)        return ((int)n);    /* If this occurs, we have missed a message */    if (!s->s3->change_cipher_spec) {        al = SSL_AD_UNEXPECTED_MESSAGE;        SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS);        goto f_err;    }    s->s3->change_cipher_spec = 0;    md_len = s->s3->tmp.peer_finish_md_len;    if (n < 0) {        al = SSL_AD_DECODE_ERROR;        SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);        goto f_err;    }    CBS_init(&cbs, s->init_msg, n);    if (s->s3->tmp.peer_finish_md_len != md_len || (int)CBS_len(&cbs) != md_len) {        al = SSL_AD_DECODE_ERROR;        SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);        goto f_err;    }    if (!CBS_mem_equal(&cbs, s->s3->tmp.peer_finish_md, CBS_len(&cbs))) {        al = SSL_AD_DECRYPT_ERROR;        SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED);        goto f_err;    }    /* Copy the finished so we can use it for       renegotiation checks */    if (s->type == SSL_ST_ACCEPT) {        OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);        memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, md_len);        s->s3->previous_client_finished_len = md_len;    } else {        OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);        memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, md_len);        s->s3->previous_server_finished_len = md_len;    }    return (1);f_err:    ssl3_send_alert(s, SSL3_AL_FATAL, al);    return (0);}

int tls13_process_certificate_verify(SSL *ssl) {  int ret = 0;  X509 *peer = ssl->s3->new_session->peer;  EVP_PKEY *pkey = NULL;  uint8_t *msg = NULL;  size_t msg_len;  /* Filter out unsupported certificate types. */  pkey = X509_get_pubkey(peer);  if (pkey == NULL) {    goto err;  }  CBS cbs, signature;  uint16_t signature_algorithm;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!CBS_get_u16(&cbs, &signature_algorithm) ||      !CBS_get_u16_length_prefixed(&cbs, &signature) ||      CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    goto err;  }  int al;  if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, al);    goto err;  }  ssl->s3->tmp.peer_signature_algorithm = signature_algorithm;  if (!tls13_get_cert_verify_signature_input(          ssl, &msg, &msg_len,          ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);    goto err;  }  int sig_ok =      ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),                            signature_algorithm, pkey, msg, msg_len);#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)  sig_ok = 1;  ERR_clear_error();#endif  if (!sig_ok) {    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);    goto err;  }  ret = 1;err:  EVP_PKEY_free(pkey);  OPENSSL_free(msg);  return ret;}

static int test_EVP_DigestVerifyInitFromAlgorithm(void) {  int ret = 0;  CBS cert, cert_body, tbs_cert, algorithm, signature;  uint8_t padding;  X509_ALGOR *algor = NULL;  const uint8_t *derp;  EVP_PKEY *pkey = NULL;  EVP_MD_CTX md_ctx;  EVP_MD_CTX_init(&md_ctx);  CBS_init(&cert, kExamplePSSCert, sizeof(kExamplePSSCert));  if (!CBS_get_asn1(&cert, &cert_body, CBS_ASN1_SEQUENCE) ||      CBS_len(&cert) != 0 ||      !CBS_get_any_asn1_element(&cert_body, &tbs_cert, NULL, NULL) ||      !CBS_get_asn1_element(&cert_body, &algorithm, CBS_ASN1_SEQUENCE) ||      !CBS_get_asn1(&cert_body, &signature, CBS_ASN1_BITSTRING) ||      CBS_len(&cert_body) != 0) {    fprintf(stderr, "Failed to parse certificate/n");    goto out;  }  /* Signatures are BIT STRINGs, but they have are multiple of 8 bytes, so the     leading phase byte is just a zero. */  if (!CBS_get_u8(&signature, &padding) || padding != 0) {    fprintf(stderr, "Invalid signature padding/n");    goto out;  }  derp = CBS_data(&algorithm);  if (!d2i_X509_ALGOR(&algor, &derp, CBS_len(&algorithm)) ||      derp != CBS_data(&algorithm) + CBS_len(&algorithm)) {    fprintf(stderr, "Failed to parse algorithm/n");  }  pkey = load_example_rsa_key();  if (pkey == NULL ||      !EVP_DigestVerifyInitFromAlgorithm(&md_ctx, algor, pkey) ||      !EVP_DigestVerifyUpdate(&md_ctx, CBS_data(&tbs_cert),                              CBS_len(&tbs_cert)) ||      !EVP_DigestVerifyFinal(&md_ctx, CBS_data(&signature),                             CBS_len(&signature))) {    goto out;  }  ret = 1;out:  if (!ret) {    BIO_print_errors_fp(stderr);  }  EVP_MD_CTX_cleanup(&md_ctx);  if (pkey) {    EVP_PKEY_free(pkey);  }  return ret;}

static enum ssl_hs_wait_t do_process_hello_retry_request(SSL *ssl,                                                         SSL_HANDSHAKE *hs) {  if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {    hs->state = state_process_server_hello;    return ssl_hs_ok;  }  CBS cbs, extensions;  uint16_t server_wire_version, cipher_suite, group_id;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!CBS_get_u16(&cbs, &server_wire_version) ||      !CBS_get_u16(&cbs, &cipher_suite) ||      !CBS_get_u16(&cbs, &group_id) ||      /* We do not currently parse any HelloRetryRequest extensions. */      !CBS_get_u16_length_prefixed(&cbs, &extensions) ||      CBS_len(&cbs) != 0) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    return ssl_hs_error;  }  /* TODO(svaldez): Don't do early_data on HelloRetryRequest. */  const uint16_t *groups;  size_t groups_len;  tls1_get_grouplist(ssl, 0 /* local groups */, &groups, &groups_len);  int found = 0;  for (size_t i = 0; i < groups_len; i++) {    if (groups[i] == group_id) {      found = 1;      break;    }  }  if (!found) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);    OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);    return ssl_hs_error;  }  for (size_t i = 0; i < ssl->s3->hs->groups_len; i++) {    /* Check that the HelloRetryRequest does not request a key share that was     * provided in the initial ClientHello.     *     * TODO(svaldez): Don't enforce this check when the HelloRetryRequest is due     * to a cookie. */    if (SSL_ECDH_CTX_get_id(&ssl->s3->hs->groups[i]) == group_id) {      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);      OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);      return ssl_hs_error;    }  }  ssl_handshake_clear_groups(ssl->s3->hs);  ssl->s3->hs->retry_group = group_id;  hs->state = state_send_second_client_hello;  return ssl_hs_ok;}

static enum ssl_hs_wait_t do_process_certificate_request(SSL *ssl,                                                         SSL_HANDSHAKE *hs) {  ssl->s3->tmp.cert_request = 0;  /* CertificateRequest may only be sent in certificate-based ciphers. */  if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {    hs->state = state_process_server_finished;    return ssl_hs_ok;  }  /* CertificateRequest is optional. */  if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {    hs->state = state_process_server_certificate;    return ssl_hs_ok;  }  CBS cbs, context, supported_signature_algorithms;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!CBS_get_u8_length_prefixed(&cbs, &context) ||      /* The request context is always empty during the handshake. */      CBS_len(&context) != 0 ||      !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||      CBS_len(&supported_signature_algorithms) == 0 ||      !tls1_parse_peer_sigalgs(ssl, &supported_signature_algorithms)) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    return ssl_hs_error;  }  uint8_t alert;  STACK_OF(X509_NAME) *ca_sk = ssl_parse_client_CA_list(ssl, &alert, &cbs);  if (ca_sk == NULL) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);    return ssl_hs_error;  }  /* Ignore extensions. */  CBS extensions;  if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||      CBS_len(&cbs) != 0) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    return ssl_hs_error;  }  ssl->s3->tmp.cert_request = 1;  sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free);  ssl->s3->tmp.ca_names = ca_sk;  if (!ssl->method->hash_current_message(ssl)) {    return ssl_hs_error;  }  hs->state = state_process_server_certificate;  return ssl_hs_read_message;}

intdtls1_get_hello_verify(SSL *s){	long n;	int al, ok = 0;	size_t cookie_len;	uint16_t ssl_version;	CBS hello_verify_request, cookie;	n = s->method->internal->ssl_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,	    DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list, &ok);	if (!ok)		return ((int)n);	if (S3I(s)->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {		D1I(s)->send_cookie = 0;		S3I(s)->tmp.reuse_message = 1;		return (1);	}	if (n < 0)		goto truncated;	CBS_init(&hello_verify_request, s->internal->init_msg, n);	if (!CBS_get_u16(&hello_verify_request, &ssl_version))		goto truncated;	if (ssl_version != s->version) {		SSLerror(s, SSL_R_WRONG_SSL_VERSION);		s->version = (s->version & 0xff00) | (ssl_version & 0xff);		al = SSL_AD_PROTOCOL_VERSION;		goto f_err;	}	if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie))		goto truncated;	if (!CBS_write_bytes(&cookie, D1I(s)->cookie,	    sizeof(D1I(s)->cookie), &cookie_len)) {		D1I(s)->cookie_len = 0;		al = SSL_AD_ILLEGAL_PARAMETER;		goto f_err;	}	D1I(s)->cookie_len = cookie_len;	D1I(s)->send_cookie = 1;	return 1;truncated:	al = SSL_AD_DECODE_ERROR;f_err:	ssl3_send_alert(s, SSL3_AL_FATAL, al);	return -1;}

ECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in, size_t in_len) {  CBS cbs;  CBS_init(&cbs, in, in_len);  ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);  if (ret == NULL || CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);    ECDSA_SIG_free(ret);    return NULL;  }  return ret;}

int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) {  SSL *const ssl = hs->ssl;  int ret = 0;  uint8_t *msg = NULL;  size_t msg_len;  if (hs->peer_pubkey == NULL) {    goto err;  }  CBS cbs, signature;  uint16_t signature_algorithm;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!CBS_get_u16(&cbs, &signature_algorithm) ||      !CBS_get_u16_length_prefixed(&cbs, &signature) ||      CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    goto err;  }  int al;  if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, al);    goto err;  }  ssl->s3->new_session->peer_signature_algorithm = signature_algorithm;  if (!tls13_get_cert_verify_signature_input(          ssl, &msg, &msg_len,          ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);    goto err;  }  int sig_ok =      ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),                            signature_algorithm, hs->peer_pubkey, msg, msg_len);#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)  sig_ok = 1;  ERR_clear_error();#endif  if (!sig_ok) {    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);    goto err;  }  ret = 1;err:  OPENSSL_free(msg);  return ret;}

RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) {  CBS cbs;  CBS_init(&cbs, in, in_len);  RSA *ret = RSA_parse_private_key(&cbs);  if (ret == NULL || CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);    RSA_free(ret);    return NULL;  }  return ret;}

static int test_skip(void) {  static const uint8_t kData[] = {1, 2, 3};  CBS data;  CBS_init(&data, kData, sizeof(kData));  return CBS_len(&data) == 3 &&      CBS_skip(&data, 1) &&      CBS_len(&data) == 2 &&      CBS_skip(&data, 2) &&      CBS_len(&data) == 0 &&      !CBS_skip(&data, 1);}

static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list,                                           size_t list_len) {  CBS sct_list;  CBS_init(&sct_list, list, list_len);  if (!ssl_is_sct_list_valid(&sct_list)) {    OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SCT_LIST);    return 0;  }  CRYPTO_BUFFER_free(cert->signed_cert_timestamp_list);  cert->signed_cert_timestamp_list =      CRYPTO_BUFFER_new(CBS_data(&sct_list), CBS_len(&sct_list), NULL);  return cert->signed_cert_timestamp_list != NULL;}

static int test_get_prefixed_bad(void) {  static const uint8_t kData1[] = {2, 1};  static const uint8_t kData2[] = {0, 2, 1};  static const uint8_t kData3[] = {0, 0, 2, 1};  CBS data, prefixed;  CBS_init(&data, kData1, sizeof(kData1));  if (CBS_get_u8_length_prefixed(&data, &prefixed)) {    return 0;  }  CBS_init(&data, kData2, sizeof(kData2));  if (CBS_get_u16_length_prefixed(&data, &prefixed)) {    return 0;  }  CBS_init(&data, kData3, sizeof(kData3));  if (CBS_get_u24_length_prefixed(&data, &prefixed)) {    return 0;  }  return 1;}

SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in, size_t in_len,                                    const SSL_CTX *ctx) {  CBS cbs;  CBS_init(&cbs, in, in_len);  SSL_SESSION *ret = SSL_SESSION_parse(&cbs, ctx->x509_method, ctx->pool);  if (ret == NULL) {    return NULL;  }  if (CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);    SSL_SESSION_free(ret);    return NULL;  }  return ret;}

static int test_get_optional_asn1_bool(void) {  CBS data;  int val;  static const uint8_t kTrue[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0xff};  static const uint8_t kFalse[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0x00};  static const uint8_t kInvalid[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0x01};  CBS_init(&data, NULL, 0);  val = 2;  if (!CBS_get_optional_asn1_bool(&data, &val, 0x0a, 0) ||      val != 0) {    return 0;  }  CBS_init(&data, kTrue, sizeof(kTrue));  val = 2;  if (!CBS_get_optional_asn1_bool(&data, &val, 0x0a, 0) ||      val != 1) {    return 0;  }  CBS_init(&data, kFalse, sizeof(kFalse));  val = 2;  if (!CBS_get_optional_asn1_bool(&data, &val, 0x0a, 1) ||      val != 0) {    return 0;  }  CBS_init(&data, kInvalid, sizeof(kInvalid));  if (CBS_get_optional_asn1_bool(&data, &val, 0x0a, 1)) {    return 0;  }  return 1;}

static int dtls1_get_hello_verify(SSL *s) {  long n;  int al, ok = 0;  CBS hello_verify_request, cookie;  uint16_t server_version;  n = s->method->ssl_get_message(      s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,      -1,      /* Use the same maximum size as ssl3_get_server_hello. */      20000, ssl_hash_message, &ok);  if (!ok) {    return n;  }  if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {    s->d1->send_cookie = 0;    s->s3->tmp.reuse_message = 1;    return 1;  }  CBS_init(&hello_verify_request, s->init_msg, n);  if (!CBS_get_u16(&hello_verify_request, &server_version) ||      !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||      CBS_len(&hello_verify_request) != 0) {    al = SSL_AD_DECODE_ERROR;    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    goto f_err;  }  if (CBS_len(&cookie) > sizeof(s->d1->cookie)) {    al = SSL_AD_ILLEGAL_PARAMETER;    goto f_err;  }  memcpy(s->d1->cookie, CBS_data(&cookie), CBS_len(&cookie));  s->d1->cookie_len = CBS_len(&cookie);  s->d1->send_cookie = 1;  return 1;f_err:  ssl3_send_alert(s, SSL3_AL_FATAL, al);  return -1;}

static int tls13_receive_key_update(SSL *ssl) {  CBS cbs;  uint8_t key_update_request;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!CBS_get_u8(&cbs, &key_update_request) ||      CBS_len(&cbs) != 0 ||      (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED &&       key_update_request != SSL_KEY_UPDATE_REQUESTED)) {    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    return 0;  }  /* TODO(svaldez): Send KeyUpdate if |key_update_request| is   * |SSL_KEY_UPDATE_REQUESTED|. */  return tls13_rotate_traffic_key(ssl, evp_aead_open);}

DSA *d2i_DSAparams(DSA **out, const uint8_t **inp, long len) {  if (len < 0) {    return NULL;  }  CBS cbs;  CBS_init(&cbs, *inp, (size_t)len);  DSA *ret = DSA_parse_parameters(&cbs);  if (ret == NULL) {    return NULL;  }  if (out != NULL) {    DSA_free(*out);    *out = ret;  }  *inp = CBS_data(&cbs);  return ret;}

static const SSL_CIPHER *choose_tls13_cipher(    const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) {  if (client_hello->cipher_suites_len % 2 != 0) {    return NULL;  }  CBS cipher_suites;  CBS_init(&cipher_suites, client_hello->cipher_suites,           client_hello->cipher_suites_len);  const int aes_is_fine = EVP_has_aes_hardware();  const uint16_t version = ssl3_protocol_version(ssl);  const SSL_CIPHER *best = NULL;  while (CBS_len(&cipher_suites) > 0) {    uint16_t cipher_suite;    if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {      return NULL;    }    /* Limit to TLS 1.3 ciphers we know about. */    const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);    if (candidate == NULL ||        SSL_CIPHER_get_min_version(candidate) > version ||        SSL_CIPHER_get_max_version(candidate) < version) {      continue;    }    /* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer     * ChaCha20 if we do not have AES hardware. */    if (aes_is_fine) {      return candidate;    }    if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {      return candidate;    }    if (best == NULL) {      best = candidate;    }  }  return best;}

static int test_get_u(void) {  static const uint8_t kData[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};  uint8_t u8;  uint16_t u16;  uint32_t u32;  CBS data;  CBS_init(&data, kData, sizeof(kData));  return CBS_get_u8(&data, &u8) &&    u8 == 1 &&    CBS_get_u16(&data, &u16) &&    u16 == 0x203 &&    CBS_get_u24(&data, &u32) &&    u32 == 0x40506 &&    CBS_get_u32(&data, &u32) &&    u32 == 0x708090a &&    !CBS_get_u8(&data, &u8);}