自学教程：C++ CBS_len函数代码示例

/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found| * depending on whether an indefinite length element was found. The value of * |in| is not changed. It returns one on success (i.e. |*ber_found| was set) * and zero on error. */static int cbs_find_ber(CBS *orig_in, char *ber_found, unsigned depth) {  CBS in;  if (depth > kMaxDepth) {    return 0;  }  CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in));  *ber_found = 0;  while (CBS_len(&in) > 0) {    CBS contents;    unsigned tag;    size_t header_len;    if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len)) {      return 0;    }    if (CBS_len(&contents) == header_len &&        header_len > 0 &&        CBS_data(&contents)[header_len-1] == 0x80) {      *ber_found = 1;      return 1;    }    if (tag & CBS_ASN1_CONSTRUCTED) {      if (!CBS_skip(&contents, header_len) ||          !cbs_find_ber(&contents, ber_found, depth + 1)) {        return 0;      }    }  }  return 1;}

static int eckey_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {  // See RFC 5480, section 2.  // The parameters are a named curve.  EC_POINT *point = NULL;  EC_KEY *eckey = NULL;  EC_GROUP *group = EC_KEY_parse_curve_name(params);  if (group == NULL || CBS_len(params) != 0) {    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);    goto err;  }  eckey = EC_KEY_new();  if (eckey == NULL || !EC_KEY_set_group(eckey, group)) {    goto err;  }  point = EC_POINT_new(group);  if (point == NULL ||      !EC_POINT_oct2point(group, point, CBS_data(key), CBS_len(key), NULL) ||      !EC_KEY_set_public_key(eckey, point)) {    goto err;  }  EC_GROUP_free(group);  EC_POINT_free(point);  EVP_PKEY_assign_EC_KEY(out, eckey);  return 1;err:  EC_GROUP_free(group);  EC_POINT_free(point);  EC_KEY_free(eckey);  return 0;}

/* ssl3_get_record reads a new input record. On success, it places it in * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if * more data is needed. */static int ssl3_get_record(SSL *ssl) {again:  switch (ssl->s3->recv_shutdown) {    case ssl_shutdown_none:      break;    case ssl_shutdown_fatal_alert:      OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);      return -1;    case ssl_shutdown_close_notify:      return 0;  }  CBS body;  uint8_t type, alert;  size_t consumed;  enum ssl_open_record_t open_ret =      tls_open_record(ssl, &type, &body, &consumed, &alert,                      ssl_read_buffer(ssl), ssl_read_buffer_len(ssl));  if (open_ret != ssl_open_record_partial) {    ssl_read_buffer_consume(ssl, consumed);  }  switch (open_ret) {    case ssl_open_record_partial: {      int read_ret = ssl_read_buffer_extend_to(ssl, consumed);      if (read_ret <= 0) {        return read_ret;      }      goto again;    }    case ssl_open_record_success:      if (CBS_len(&body) > 0xffff) {        OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);        return -1;      }      SSL3_RECORD *rr = &ssl->s3->rrec;      rr->type = type;      rr->length = (uint16_t)CBS_len(&body);      rr->data = (uint8_t *)CBS_data(&body);      return 1;    case ssl_open_record_discard:      goto again;    case ssl_open_record_close_notify:      return 0;    case ssl_open_record_fatal_alert:      return -1;    case ssl_open_record_error:      ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);      return -1;  }  assert(0);  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);  return -1;}

int ssl3_get_finished(SSL *s, int a, int b){    int al, ok, md_len;    long n;    CBS cbs;    n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64,                                   /* should actually be 36+4 :-) */ &ok);    if (!ok)        return ((int)n);    /* If this occurs, we have missed a message */    if (!s->s3->change_cipher_spec) {        al = SSL_AD_UNEXPECTED_MESSAGE;        SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS);        goto f_err;    }    s->s3->change_cipher_spec = 0;    md_len = s->s3->tmp.peer_finish_md_len;    if (n < 0) {        al = SSL_AD_DECODE_ERROR;        SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);        goto f_err;    }    CBS_init(&cbs, s->init_msg, n);    if (s->s3->tmp.peer_finish_md_len != md_len || (int)CBS_len(&cbs) != md_len) {        al = SSL_AD_DECODE_ERROR;        SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);        goto f_err;    }    if (!CBS_mem_equal(&cbs, s->s3->tmp.peer_finish_md, CBS_len(&cbs))) {        al = SSL_AD_DECRYPT_ERROR;        SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED);        goto f_err;    }    /* Copy the finished so we can use it for       renegotiation checks */    if (s->type == SSL_ST_ACCEPT) {        OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);        memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, md_len);        s->s3->previous_client_finished_len = md_len;    } else {        OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);        memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, md_len);        s->s3->previous_server_finished_len = md_len;    }    return (1);f_err:    ssl3_send_alert(s, SSL3_AL_FATAL, al);    return (0);}

int tls13_process_certificate_verify(SSL *ssl) {  int ret = 0;  X509 *peer = ssl->s3->new_session->peer;  EVP_PKEY *pkey = NULL;  uint8_t *msg = NULL;  size_t msg_len;  /* Filter out unsupported certificate types. */  pkey = X509_get_pubkey(peer);  if (pkey == NULL) {    goto err;  }  CBS cbs, signature;  uint16_t signature_algorithm;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!CBS_get_u16(&cbs, &signature_algorithm) ||      !CBS_get_u16_length_prefixed(&cbs, &signature) ||      CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    goto err;  }  int al;  if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, al);    goto err;  }  ssl->s3->tmp.peer_signature_algorithm = signature_algorithm;  if (!tls13_get_cert_verify_signature_input(          ssl, &msg, &msg_len,          ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);    goto err;  }  int sig_ok =      ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),                            signature_algorithm, pkey, msg, msg_len);#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)  sig_ok = 1;  ERR_clear_error();#endif  if (!sig_ok) {    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);    goto err;  }  ret = 1;err:  EVP_PKEY_free(pkey);  OPENSSL_free(msg);  return ret;}

static enum ssl_hs_wait_t do_process_certificate_request(SSL *ssl,                                                         SSL_HANDSHAKE *hs) {  ssl->s3->tmp.cert_request = 0;  /* CertificateRequest may only be sent in certificate-based ciphers. */  if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {    hs->state = state_process_server_finished;    return ssl_hs_ok;  }  /* CertificateRequest is optional. */  if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {    hs->state = state_process_server_certificate;    return ssl_hs_ok;  }  CBS cbs, context, supported_signature_algorithms;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!CBS_get_u8_length_prefixed(&cbs, &context) ||      /* The request context is always empty during the handshake. */      CBS_len(&context) != 0 ||      !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||      CBS_len(&supported_signature_algorithms) == 0 ||      !tls1_parse_peer_sigalgs(ssl, &supported_signature_algorithms)) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    return ssl_hs_error;  }  uint8_t alert;  STACK_OF(X509_NAME) *ca_sk = ssl_parse_client_CA_list(ssl, &alert, &cbs);  if (ca_sk == NULL) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);    return ssl_hs_error;  }  /* Ignore extensions. */  CBS extensions;  if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||      CBS_len(&cbs) != 0) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    return ssl_hs_error;  }  ssl->s3->tmp.cert_request = 1;  sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free);  ssl->s3->tmp.ca_names = ca_sk;  if (!ssl->method->hash_current_message(ssl)) {    return ssl_hs_error;  }  hs->state = state_process_server_certificate;  return ssl_hs_read_message;}

/* pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7 * SignedData blob from |cbs| and sets |*out| to point to the rest of the * input. If the input is in BER format, then |*der_bytes| will be set to a * pointer that needs to be freed by the caller once they have finished * processing |*out| (which will be pointing into |*der_bytes|). * * It returns one on success or zero on error. On error, |*der_bytes| is * NULL. */static int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {  size_t der_len;  CBS in, content_info, content_type, wrapped_signed_data, signed_data;  uint64_t version;  /* The input may be in BER format. */  *der_bytes = NULL;  if (!CBS_asn1_ber_to_der(cbs, der_bytes, &der_len)) {    return 0;  }  if (*der_bytes != NULL) {    CBS_init(&in, *der_bytes, der_len);  } else {    CBS_init(&in, CBS_data(cbs), CBS_len(cbs));  }  /* See https://tools.ietf.org/html/rfc2315#section-7 */  if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE) ||      !CBS_get_asn1(&content_info, &content_type, CBS_ASN1_OBJECT)) {    goto err;  }  if (OBJ_cbs2nid(&content_type) != NID_pkcs7_signed) {    OPENSSL_PUT_ERROR(X509, pkcs7_parse_header,                      X509_R_NOT_PKCS7_SIGNED_DATA);    goto err;  }  /* See https://tools.ietf.org/html/rfc2315#section-9.1 */  if (!CBS_get_asn1(&content_info, &wrapped_signed_data,                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||      !CBS_get_asn1(&wrapped_signed_data, &signed_data, CBS_ASN1_SEQUENCE) ||      !CBS_get_asn1_uint64(&signed_data, &version) ||      !CBS_get_asn1(&signed_data, NULL /* digests */, CBS_ASN1_SET) ||      !CBS_get_asn1(&signed_data, NULL /* content */, CBS_ASN1_SEQUENCE)) {    goto err;  }  if (version < 1) {    OPENSSL_PUT_ERROR(X509, pkcs7_parse_header,                      X509_R_BAD_PKCS7_VERSION);    goto err;  }  CBS_init(out, CBS_data(&signed_data), CBS_len(&signed_data));  return 1;err:  if (*der_bytes) {    OPENSSL_free(*der_bytes);    *der_bytes = NULL;  }  return 0;}

int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) {  SSL *const ssl = hs->ssl;  int ret = 0;  uint8_t *msg = NULL;  size_t msg_len;  if (hs->peer_pubkey == NULL) {    goto err;  }  CBS cbs, signature;  uint16_t signature_algorithm;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!CBS_get_u16(&cbs, &signature_algorithm) ||      !CBS_get_u16_length_prefixed(&cbs, &signature) ||      CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    goto err;  }  int al;  if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, al);    goto err;  }  ssl->s3->new_session->peer_signature_algorithm = signature_algorithm;  if (!tls13_get_cert_verify_signature_input(          ssl, &msg, &msg_len,          ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);    goto err;  }  int sig_ok =      ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),                            signature_algorithm, hs->peer_pubkey, msg, msg_len);#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)  sig_ok = 1;  ERR_clear_error();#endif  if (!sig_ok) {    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);    goto err;  }  ret = 1;err:  OPENSSL_free(msg);  return ret;}

static int test_skip(void) {  static const uint8_t kData[] = {1, 2, 3};  CBS data;  CBS_init(&data, kData, sizeof(kData));  return CBS_len(&data) == 3 &&      CBS_skip(&data, 1) &&      CBS_len(&data) == 2 &&      CBS_skip(&data, 2) &&      CBS_len(&data) == 0 &&      !CBS_skip(&data, 1);}

/* SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING * explicitly tagged with |tag| of size at most |max_out|. */static int SSL_SESSION_parse_bounded_octet_string(    CBS *cbs, uint8_t *out, uint8_t *out_len, uint8_t max_out, unsigned tag) {  CBS value;  if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag) ||      CBS_len(&value) > max_out) {    OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);    return 0;  }  OPENSSL_memcpy(out, CBS_data(&value), CBS_len(&value));  *out_len = (uint8_t)CBS_len(&value);  return 1;}

int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,                                     const uint8_t **out_label) {  CBS label;  if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,                         EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) {    return -1;  }  if (CBS_len(&label) > INT_MAX) {    OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_get0_rsa_oaep_label, ERR_R_OVERFLOW);    return -1;  }  *out_label = CBS_data(&label);  return (int)CBS_len(&label);}

int tls13_process_new_session_ticket(SSL *ssl) {  SSL_SESSION *session =      SSL_SESSION_dup(ssl->s3->established_session,                      SSL_SESSION_INCLUDE_NONAUTH);  if (session == NULL) {    return 0;  }  CBS cbs, extensions, ticket;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!CBS_get_u32(&cbs, &session->tlsext_tick_lifetime_hint) ||      !CBS_get_u32(&cbs, &session->ticket_flags) ||      !CBS_get_u32(&cbs, &session->ticket_age_add) ||      !CBS_get_u16_length_prefixed(&cbs, &extensions) ||      !CBS_get_u16_length_prefixed(&cbs, &ticket) ||      !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||      CBS_len(&cbs) != 0) {    SSL_SESSION_free(session);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    return 0;  }  session->ticket_age_add_valid = 1;  session->not_resumable = 0;  if (ssl->ctx->new_session_cb != NULL &&      ssl->ctx->new_session_cb(ssl, session)) {    /* |new_session_cb|'s return value signals that it took ownership. */    return 1;  }  SSL_SESSION_free(session);  return 1;}

static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL *ssl,                                                          SSL_HANDSHAKE *hs) {  if (!tls13_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {    return ssl_hs_error;  }  CBS cbs;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!ssl_parse_serverhello_tlsext(ssl, &cbs)) {    OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);    return ssl_hs_error;  }  if (CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    return ssl_hs_error;  }  if (!ssl->method->hash_current_message(ssl)) {    return ssl_hs_error;  }  hs->state = state_process_certificate_request;  return ssl_hs_read_message;}

int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len) {  CBB cbb;  /* First, do a quick walk to find any indefinite-length elements. Most of the   * time we hope that there aren't any and thus we can quickly return. */  char conversion_needed;  if (!cbs_find_ber(in, &conversion_needed, 0)) {    return 0;  }  if (!conversion_needed) {    *out = NULL;    *out_len = 0;    return 1;  }  if (!CBB_init(&cbb, CBS_len(in)) ||      !cbs_convert_ber(in, &cbb, 0, 0, 0) ||      !CBB_finish(&cbb, out, out_len)) {    CBB_cleanup(&cbb);    return 0;  }  return 1;}

DSA *DSA_parse_private_key(CBS *cbs) {  DSA *ret = DSA_new();  if (ret == NULL) {    return NULL;  }  CBS child;  uint64_t version;  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||      !CBS_get_asn1_uint64(&child, &version)) {    OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);    goto err;  }  if (version != 0) {    OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_VERSION);    goto err;  }  if (!parse_integer(&child, &ret->p) ||      !parse_integer(&child, &ret->q) ||      !parse_integer(&child, &ret->g) ||      !parse_integer(&child, &ret->pub_key) ||      !parse_integer(&child, &ret->priv_key) ||      CBS_len(&child) != 0) {    OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);    goto err;  }  return ret;err:  DSA_free(ret);  return NULL;}

static int dtls1_get_hello_verify(SSL *s) {  long n;  int al, ok = 0;  CBS hello_verify_request, cookie;  uint16_t server_version;  n = s->method->ssl_get_message(      s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,      -1,      /* Use the same maximum size as ssl3_get_server_hello. */      20000, ssl_hash_message, &ok);  if (!ok) {    return n;  }  if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {    s->d1->send_cookie = 0;    s->s3->tmp.reuse_message = 1;    return 1;  }  CBS_init(&hello_verify_request, s->init_msg, n);  if (!CBS_get_u16(&hello_verify_request, &server_version) ||      !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||      CBS_len(&hello_verify_request) != 0) {    al = SSL_AD_DECODE_ERROR;    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    goto f_err;  }  if (CBS_len(&cookie) > sizeof(s->d1->cookie)) {    al = SSL_AD_ILLEGAL_PARAMETER;    goto f_err;  }  memcpy(s->d1->cookie, CBS_data(&cookie), CBS_len(&cookie));  s->d1->cookie_len = CBS_len(&cookie);  s->d1->send_cookie = 1;  return 1;f_err:  ssl3_send_alert(s, SSL3_AL_FATAL, al);  return -1;}

static enum ssl_hs_wait_t do_process_hello_retry_request(SSL *ssl,                                                         SSL_HANDSHAKE *hs) {  if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {    hs->state = state_process_server_hello;    return ssl_hs_ok;  }  CBS cbs, extensions;  uint16_t server_wire_version, cipher_suite, group_id;  CBS_init(&cbs, ssl->init_msg, ssl->init_num);  if (!CBS_get_u16(&cbs, &server_wire_version) ||      !CBS_get_u16(&cbs, &cipher_suite) ||      !CBS_get_u16(&cbs, &group_id) ||      /* We do not currently parse any HelloRetryRequest extensions. */      !CBS_get_u16_length_prefixed(&cbs, &extensions) ||      CBS_len(&cbs) != 0) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);    return ssl_hs_error;  }  /* TODO(svaldez): Don't do early_data on HelloRetryRequest. */  const uint16_t *groups;  size_t groups_len;  tls1_get_grouplist(ssl, 0 /* local groups */, &groups, &groups_len);  int found = 0;  for (size_t i = 0; i < groups_len; i++) {    if (groups[i] == group_id) {      found = 1;      break;    }  }  if (!found) {    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);    OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);    return ssl_hs_error;  }  for (size_t i = 0; i < ssl->s3->hs->groups_len; i++) {    /* Check that the HelloRetryRequest does not request a key share that was     * provided in the initial ClientHello.     *     * TODO(svaldez): Don't enforce this check when the HelloRetryRequest is due     * to a cookie. */    if (SSL_ECDH_CTX_get_id(&ssl->s3->hs->groups[i]) == group_id) {      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);      OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);      return ssl_hs_error;    }  }  ssl_handshake_clear_groups(ssl->s3->hs);  ssl->s3->hs->retry_group = group_id;  hs->state = state_send_second_client_hello;  return ssl_hs_ok;}

int CBS_get_asn1_implicit_string(CBS *in, CBS *out, uint8_t **out_storage,                                 unsigned outer_tag, unsigned inner_tag) {  assert(!(outer_tag & CBS_ASN1_CONSTRUCTED));  assert(!(inner_tag & CBS_ASN1_CONSTRUCTED));  assert(is_string_type(inner_tag));  if (CBS_peek_asn1_tag(in, outer_tag)) {    /* Normal implicitly-tagged string. */    *out_storage = NULL;    return CBS_get_asn1(in, out, outer_tag);  }  /* Otherwise, try to parse an implicitly-tagged constructed string.   * |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep   * of nesting. */  CBB result;  CBS child;  if (!CBB_init(&result, CBS_len(in)) ||      !CBS_get_asn1(in, &child, outer_tag | CBS_ASN1_CONSTRUCTED)) {    goto err;  }  while (CBS_len(&child) > 0) {    CBS chunk;    if (!CBS_get_asn1(&child, &chunk, inner_tag) ||        !CBB_add_bytes(&result, CBS_data(&chunk), CBS_len(&chunk))) {      goto err;    }  }  uint8_t *data;  size_t len;  if (!CBB_finish(&result, &data, &len)) {    goto err;  }  CBS_init(out, data, len);  *out_storage = data;  return 1;err:  CBB_cleanup(&result);  return 0;}

static int rsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {  // Per RFC 3447, A.1, the parameters have type NULL.  CBS null;  if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) ||      CBS_len(&null) != 0 ||      CBS_len(params) != 0) {    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);    return 0;  }  RSA *rsa = RSA_parse_private_key(key);  if (rsa == NULL || CBS_len(key) != 0) {    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);    RSA_free(rsa);    return 0;  }  EVP_PKEY_assign_RSA(out, rsa);  return 1;}

RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) {  CBS cbs;  CBS_init(&cbs, in, in_len);  RSA *ret = RSA_parse_private_key(&cbs);  if (ret == NULL || CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);    RSA_free(ret);    return NULL;  }  return ret;}

static int eckey_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {  // See RFC 5915.  EC_GROUP *group = EC_KEY_parse_parameters(params);  if (group == NULL || CBS_len(params) != 0) {    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);    EC_GROUP_free(group);    return 0;  }  EC_KEY *ec_key = EC_KEY_parse_private_key(key, group);  EC_GROUP_free(group);  if (ec_key == NULL || CBS_len(key) != 0) {    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);    EC_KEY_free(ec_key);    return 0;  }  EVP_PKEY_assign_EC_KEY(out, ec_key);  return 1;}

ECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in, size_t in_len) {  CBS cbs;  CBS_init(&cbs, in, in_len);  ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);  if (ret == NULL || CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);    ECDSA_SIG_free(ret);    return NULL;  }  return ret;}

static int test_get_prefixed(void) {  static const uint8_t kData[] = {1, 2, 0, 2, 3, 4, 0, 0, 3, 3, 2, 1};  uint8_t u8;  uint16_t u16;  uint32_t u32;  CBS data, prefixed;  CBS_init(&data, kData, sizeof(kData));  return CBS_get_u8_length_prefixed(&data, &prefixed) &&    CBS_len(&prefixed) == 1 &&    CBS_get_u8(&prefixed, &u8) &&    u8 == 2 &&    CBS_get_u16_length_prefixed(&data, &prefixed) &&    CBS_len(&prefixed) == 2 &&    CBS_get_u16(&prefixed, &u16) &&    u16 == 0x304 &&    CBS_get_u24_length_prefixed(&data, &prefixed) &&    CBS_len(&prefixed) == 3 &&    CBS_get_u24(&prefixed, &u32) &&    u32 == 0x30201;}

/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found| * depending on whether an indefinite length element or constructed string was * found. The value of |orig_in| is not changed. It returns one on success (i.e. * |*ber_found| was set) and zero on error. */static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {  CBS in;  if (depth > kMaxDepth) {    return 0;  }  CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in));  *ber_found = 0;  while (CBS_len(&in) > 0) {    CBS contents;    unsigned tag;    size_t header_len;    if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len)) {      return 0;    }    if (CBS_len(&contents) == header_len &&        header_len > 0 &&        CBS_data(&contents)[header_len-1] == 0x80) {      /* Found an indefinite-length element. */      *ber_found = 1;      return 1;    }    if (tag & CBS_ASN1_CONSTRUCTED) {      if (is_string_type(tag)) {        /* Constructed strings are only legal in BER and require conversion. */        *ber_found = 1;        return 1;      }      if (!CBS_skip(&contents, header_len) ||          !cbs_find_ber(&contents, ber_found, depth + 1)) {        return 0;      }    }  }  return 1;}

static int rsa_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {  // See RFC 3279, section 2.3.1.  // The parameters must be NULL.  CBS null;  if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) ||      CBS_len(&null) != 0 ||      CBS_len(params) != 0) {    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);    return 0;  }  RSA *rsa = RSA_parse_public_key(key);  if (rsa == NULL || CBS_len(key) != 0) {    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);    RSA_free(rsa);    return 0;  }  EVP_PKEY_assign_RSA(out, rsa);  return 1;}

static int test_EVP_DigestVerifyInitFromAlgorithm(void) {  int ret = 0;  CBS cert, cert_body, tbs_cert, algorithm, signature;  uint8_t padding;  X509_ALGOR *algor = NULL;  const uint8_t *derp;  EVP_PKEY *pkey = NULL;  EVP_MD_CTX md_ctx;  EVP_MD_CTX_init(&md_ctx);  CBS_init(&cert, kExamplePSSCert, sizeof(kExamplePSSCert));  if (!CBS_get_asn1(&cert, &cert_body, CBS_ASN1_SEQUENCE) ||      CBS_len(&cert) != 0 ||      !CBS_get_any_asn1_element(&cert_body, &tbs_cert, NULL, NULL) ||      !CBS_get_asn1_element(&cert_body, &algorithm, CBS_ASN1_SEQUENCE) ||      !CBS_get_asn1(&cert_body, &signature, CBS_ASN1_BITSTRING) ||      CBS_len(&cert_body) != 0) {    fprintf(stderr, "Failed to parse certificate/n");    goto out;  }  /* Signatures are BIT STRINGs, but they have are multiple of 8 bytes, so the     leading phase byte is just a zero. */  if (!CBS_get_u8(&signature, &padding) || padding != 0) {    fprintf(stderr, "Invalid signature padding/n");    goto out;  }  derp = CBS_data(&algorithm);  if (!d2i_X509_ALGOR(&algor, &derp, CBS_len(&algorithm)) ||      derp != CBS_data(&algorithm) + CBS_len(&algorithm)) {    fprintf(stderr, "Failed to parse algorithm/n");  }  pkey = load_example_rsa_key();  if (pkey == NULL ||      !EVP_DigestVerifyInitFromAlgorithm(&md_ctx, algor, pkey) ||      !EVP_DigestVerifyUpdate(&md_ctx, CBS_data(&tbs_cert),                              CBS_len(&tbs_cert)) ||      !EVP_DigestVerifyFinal(&md_ctx, CBS_data(&signature),                             CBS_len(&signature))) {    goto out;  }  ret = 1;out:  if (!ret) {    BIO_print_errors_fp(stderr);  }  EVP_MD_CTX_cleanup(&md_ctx);  if (pkey) {    EVP_PKEY_free(pkey);  }  return ret;}

int BN_cbs2unsigned(CBS *cbs, BIGNUM *ret) {  CBS child;  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_INTEGER) ||      CBS_len(&child) == 0) {    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);    return 0;  }  if (CBS_data(&child)[0] & 0x80) {    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);    return 0;  }  /* INTEGERs must be minimal. */  if (CBS_data(&child)[0] == 0x00 &&      CBS_len(&child) > 1 &&      !(CBS_data(&child)[1] & 0x80)) {    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);    return 0;  }  return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;}

static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list,                                           size_t list_len) {  CBS sct_list;  CBS_init(&sct_list, list, list_len);  if (!ssl_is_sct_list_valid(&sct_list)) {    OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SCT_LIST);    return 0;  }  CRYPTO_BUFFER_free(cert->signed_cert_timestamp_list);  cert->signed_cert_timestamp_list =      CRYPTO_BUFFER_new(CBS_data(&sct_list), CBS_len(&sct_list), NULL);  return cert->signed_cert_timestamp_list != NULL;}

STACK_OF(CRYPTO_BUFFER) *    ssl_parse_client_CA_list(SSL *ssl, uint8_t *out_alert, CBS *cbs) {  CRYPTO_BUFFER_POOL *const pool = ssl->ctx->pool;  STACK_OF(CRYPTO_BUFFER) *ret = sk_CRYPTO_BUFFER_new_null();  if (ret == NULL) {    *out_alert = SSL_AD_INTERNAL_ERROR;    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);    return NULL;  }  CBS child;  if (!CBS_get_u16_length_prefixed(cbs, &child)) {    *out_alert = SSL_AD_DECODE_ERROR;    OPENSSL_PUT_ERROR(SSL, SSL_R_LENGTH_MISMATCH);    goto err;  }  while (CBS_len(&child) > 0) {    CBS distinguished_name;    if (!CBS_get_u16_length_prefixed(&child, &distinguished_name)) {      *out_alert = SSL_AD_DECODE_ERROR;      OPENSSL_PUT_ERROR(SSL, SSL_R_CA_DN_TOO_LONG);      goto err;    }    CRYPTO_BUFFER *buffer =        CRYPTO_BUFFER_new_from_CBS(&distinguished_name, pool);    if (buffer == NULL ||        !sk_CRYPTO_BUFFER_push(ret, buffer)) {      CRYPTO_BUFFER_free(buffer);      *out_alert = SSL_AD_INTERNAL_ERROR;      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);      goto err;    }  }  if (!ssl->ctx->x509_method->check_client_CA_list(ret)) {    *out_alert = SSL_AD_INTERNAL_ERROR;    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);    goto err;  }  return ret;err:  sk_CRYPTO_BUFFER_pop_free(ret, CRYPTO_BUFFER_free);  return NULL;}

SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in, size_t in_len,                                    const SSL_CTX *ctx) {  CBS cbs;  CBS_init(&cbs, in, in_len);  SSL_SESSION *ret = SSL_SESSION_parse(&cbs, ctx->x509_method, ctx->pool);  if (ret == NULL) {    return NULL;  }  if (CBS_len(&cbs) != 0) {    OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);    SSL_SESSION_free(ret);    return NULL;  }  return ret;}