212 		state = s->s3->hs.state;  in ssl3_accept()
214 		switch (s->s3->hs.state) {  in ssl3_accept()
234 			    &s->s3->hs.our_min_tls_version,  in ssl3_accept()
235 			    &s->s3->hs.our_max_tls_version)) {  in ssl3_accept()
242 			    s->s3->hs.our_min_tls_version)) {  in ssl3_accept()
259 			if (s->s3->hs.state != SSL_ST_RENEGOTIATE) {  in ssl3_accept()
275 				s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_A;  in ssl3_accept()
277 			} else if (!SSL_is_dtls(s) && !s->s3->send_connection_binding) {  in ssl3_accept()
294 				s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_A;  in ssl3_accept()
309 				s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;  in ssl3_accept()
311 				s->s3->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C;  in ssl3_accept()
312 			s->s3->hs.state = SSL3_ST_SW_FLUSH;  in ssl3_accept()
324 			s->s3->hs.state = SSL_ST_OK;  in ssl3_accept()
339 					s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;  in ssl3_accept()
341 					s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;  in ssl3_accept()
355 				if (listen && s->s3->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {  in ssl3_accept()
375 				s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;  in ssl3_accept()
385 			s->s3->hs.state = SSL3_ST_SW_FLUSH;  in ssl3_accept()
386 			s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;  in ssl3_accept()
403 					s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;  in ssl3_accept()
405 					s->s3->hs.state = SSL3_ST_SW_CHANGE_A;  in ssl3_accept()
407 				s->s3->hs.state = SSL3_ST_SW_CERT_A;  in ssl3_accept()
415 			if (!(s->s3->hs.cipher->algorithm_auth &  in ssl3_accept()
423 					s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_A;  in ssl3_accept()
425 					s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;  in ssl3_accept()
428 				s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;  in ssl3_accept()
435 			alg_k = s->s3->hs.cipher->algorithm_mkey;  in ssl3_accept()
454 			s->s3->hs.state = SSL3_ST_SW_CERT_REQ_A;  in ssl3_accept()
480 			    ((s->s3->hs.cipher->algorithm_auth &  in ssl3_accept()
485 				s->s3->hs.tls12.cert_request = 0;  in ssl3_accept()
486 				s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;  in ssl3_accept()
491 				s->s3->hs.tls12.cert_request = 1;  in ssl3_accept()
497 				s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;  in ssl3_accept()
509 			s->s3->hs.tls12.next_state = SSL3_ST_SR_CERT_A;  in ssl3_accept()
510 			s->s3->hs.state = SSL3_ST_SW_FLUSH;  in ssl3_accept()
531 						s->s3->hs.state = s->s3->hs.tls12.next_state;  in ssl3_accept()
538 			s->s3->hs.state = s->s3->hs.tls12.next_state;  in ssl3_accept()
543 			if (s->s3->hs.tls12.cert_request != 0) {  in ssl3_accept()
549 			s->s3->hs.state = SSL3_ST_SR_KEY_EXCH_A;  in ssl3_accept()
559 				s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;  in ssl3_accept()
563 			alg_k = s->s3->hs.cipher->algorithm_mkey;  in ssl3_accept()
565 				s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;  in ssl3_accept()
575 				s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;  in ssl3_accept()
585 				    s->s3->hs.tls12.cert_verify,  in ssl3_accept()
586 				    sizeof(s->s3->hs.tls12.cert_verify),  in ssl3_accept()
599 				s->s3->flags |= SSL3_FLAGS_CCS_OK;  in ssl3_accept()
605 			s->s3->hs.state = SSL3_ST_SR_FINISHED_A;  in ssl3_accept()
614 				s->s3->flags |= SSL3_FLAGS_CCS_OK;  in ssl3_accept()
621 				s->s3->hs.state = SSL_ST_OK;  in ssl3_accept()
623 				s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;  in ssl3_accept()
625 				s->s3->hs.state = SSL3_ST_SW_CHANGE_A;  in ssl3_accept()
634 			s->s3->hs.state = SSL3_ST_SW_CHANGE_A;  in ssl3_accept()
643 			s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;  in ssl3_accept()
652 			s->s3->hs.state = SSL3_ST_SW_FINISHED_A;  in ssl3_accept()
654 			s->session->cipher_value = s->s3->hs.cipher->value;  in ssl3_accept()
671 			s->s3->hs.state = SSL3_ST_SW_FLUSH;  in ssl3_accept()
673 				s->s3->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A;  in ssl3_accept()
676 				s->s3->hs.tls12.next_state = SSL_ST_OK;  in ssl3_accept()
684 			if (s->s3->handshake_transcript != NULL) {  in ssl3_accept()
731 		if (!s->s3->hs.tls12.reuse_message && !skip) {  in ssl3_accept()
732 			if (s->s3->hs.state != state) {  in ssl3_accept()
733 				new_state = s->s3->hs.state;  in ssl3_accept()
734 				s->s3->hs.state = state;  in ssl3_accept()
736 				s->s3->hs.state = new_state;  in ssl3_accept()
756 	if (s->s3->hs.state == SSL3_ST_SW_HELLO_REQ_A) {  in ssl3_send_hello_request()
763 		s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_B;  in ssl3_send_hello_request()
796 	if (s->s3->hs.state == SSL3_ST_SR_CLNT_HELLO_A)  in ssl3_get_client_hello()
797 		s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_B;  in ssl3_get_client_hello()
851 	s->s3->hs.peer_legacy_version = client_version;  in ssl3_get_client_hello()
854 	s->s3->hs.negotiated_tls_version = ssl_tls_version(shared_version);  in ssl3_get_client_hello()
855 	if (s->s3->hs.negotiated_tls_version == 0) {  in ssl3_get_client_hello()
878 	if (!CBS_write_bytes(&client_random, s->s3->client_random,  in ssl3_get_client_hello()
879 	    sizeof(s->s3->client_random), NULL))  in ssl3_get_client_hello()
1020 	if (!s->s3->renegotiate_seen && s->renegotiate) {  in ssl3_get_client_hello()
1037 	arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);  in ssl3_get_client_hello()
1039 	if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&  in ssl3_get_client_hello()
1040 	    s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {  in ssl3_get_client_hello()
1048 		uint8_t *magic = &s->s3->server_random[index];  in ssl3_get_client_hello()
1049 		if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION) {  in ssl3_get_client_hello()
1079 		sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);  in ssl3_get_client_hello()
1080 		s->s3->hs.client_ciphers = ciphers;  in ssl3_get_client_hello()
1092 			pref_cipher = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,  in ssl3_get_client_hello()
1099 		s->s3->hs.cipher = pref_cipher;  in ssl3_get_client_hello()
1103 		s->cipher_list = sk_SSL_CIPHER_dup(s->s3->hs.client_ciphers);  in ssl3_get_client_hello()
1117 		sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);  in ssl3_get_client_hello()
1118 		s->s3->hs.client_ciphers = ciphers;  in ssl3_get_client_hello()
1121 		if ((c = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,  in ssl3_get_client_hello()
1127 		s->s3->hs.cipher = c;  in ssl3_get_client_hello()
1128 		s->session->cipher_value = s->s3->hs.cipher->value;  in ssl3_get_client_hello()
1130 		s->s3->hs.cipher = ssl3_get_cipher_by_value(s->session->cipher_value);  in ssl3_get_client_hello()
1131 		if (s->s3->hs.cipher == NULL)  in ssl3_get_client_hello()
1181 	if (s->s3->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {  in ssl3_send_dtls_hello_verify_request()
1206 		s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;  in ssl3_send_dtls_hello_verify_request()
1226 	if (s->s3->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {  in ssl3_send_server_hello()
1233 		if (!CBB_add_bytes(&server_hello, s->s3->server_random,  in ssl3_send_server_hello()
1234 		    sizeof(s->s3->server_random)))  in ssl3_send_server_hello()
1270 		if (!CBB_add_u16(&server_hello, s->s3->hs.cipher->value))  in ssl3_send_server_hello()
1303 	if (s->s3->hs.state == SSL3_ST_SW_SRVR_DONE_A) {  in ssl3_send_server_done()
1310 		s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_B;  in ssl3_send_server_done()
1327 	tls_key_share_free(s->s3->hs.key_share);  in ssl3_send_server_kex_dhe()
1328 	if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)  in ssl3_send_server_kex_dhe()
1340 		tls_key_share_set_key_bits(s->s3->hs.key_share,  in ssl3_send_server_kex_dhe()
1347 			    SSL_C_PKEYLENGTH(s->s3->hs.cipher));  in ssl3_send_server_kex_dhe()
1356 		if (!tls_key_share_set_dh_params(s->s3->hs.key_share, dh_params))  in ssl3_send_server_kex_dhe()
1360 	if (!tls_key_share_generate(s->s3->hs.key_share))  in ssl3_send_server_kex_dhe()
1363 	if (!tls_key_share_params(s->s3->hs.key_share, cbb))  in ssl3_send_server_kex_dhe()
1365 	if (!tls_key_share_public(s->s3->hs.key_share, cbb))  in ssl3_send_server_kex_dhe()
1368 	if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {  in ssl3_send_server_kex_dhe()
1392 	tls_key_share_free(s->s3->hs.key_share);  in ssl3_send_server_kex_ecdhe()
1393 	if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)  in ssl3_send_server_kex_ecdhe()
1396 	if (!tls_key_share_generate(s->s3->hs.key_share))  in ssl3_send_server_kex_ecdhe()
1404 	if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))  in ssl3_send_server_kex_ecdhe()
1408 	if (!tls_key_share_public(s->s3->hs.key_share, &public))  in ssl3_send_server_kex_ecdhe()
1442 	if (s->s3->hs.state == SSL3_ST_SW_KEY_EXCH_A) {  in ssl3_send_server_key_exchange()
1451 		if (!CBB_add_bytes(&cbb_signed_params, s->s3->client_random,  in ssl3_send_server_key_exchange()
1456 		if (!CBB_add_bytes(&cbb_signed_params, s->s3->server_random,  in ssl3_send_server_key_exchange()
1462 		type = s->s3->hs.cipher->algorithm_mkey;  in ssl3_send_server_key_exchange()
1488 		if (!(s->s3->hs.cipher->algorithm_auth & SSL_aNULL)) {  in ssl3_send_server_key_exchange()
1489 			if ((pkey = ssl_get_sign_pkey(s, s->s3->hs.cipher,  in ssl3_send_server_key_exchange()
1494 			s->s3->hs.our_sigalg = sigalg;  in ssl3_send_server_key_exchange()
1542 		s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_B;  in ssl3_send_server_key_exchange()
1577 	if (s->s3->hs.state == SSL3_ST_SW_CERT_REQ_A) {  in ssl3_send_certificate_request()
1591 			if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version,  in ssl3_send_certificate_request()
1618 		s->s3->hs.state = SSL3_ST_SW_CERT_REQ_B;  in ssl3_send_certificate_request()
1653 	fakepms[0] = s->s3->hs.peer_legacy_version >> 8;  in ssl3_get_client_kex_rsa()
1654 	fakepms[1] = s->s3->hs.peer_legacy_version & 0xff;  in ssl3_get_client_kex_rsa()
1714 	valid &= crypto_ct_eq_u8(pms[pad_len + 0], s->s3->hs.peer_legacy_version >> 8);  in ssl3_get_client_kex_rsa()
1715 	valid &= crypto_ct_eq_u8(pms[pad_len + 1], s->s3->hs.peer_legacy_version & 0xff);  in ssl3_get_client_kex_rsa()
1741 	if (s->s3->hs.key_share == NULL) {  in ssl3_get_client_kex_dhe()
1747 	if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,  in ssl3_get_client_kex_dhe()
1761 	if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))  in ssl3_get_client_kex_dhe()
1784 	if (s->s3->hs.key_share == NULL) {  in ssl3_get_client_kex_ecdhe()
1795 	if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,  in ssl3_get_client_kex_ecdhe()
1804 	if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))  in ssl3_get_client_kex_ecdhe()
1835 	alg_k = s->s3->hs.cipher->algorithm_mkey;  in ssl3_get_client_key_exchange()
1899 	if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {  in ssl3_get_cert_verify()
1900 		s->s3->hs.tls12.reuse_message = 1;  in ssl3_get_cert_verify()
1922 	if (s->s3->change_cipher_spec) {  in ssl3_get_cert_verify()
1951 	s->s3->hs.peer_sigalg = sigalg;  in ssl3_get_cert_verify()
1988 		verify = RSA_verify(NID_md5_sha1, s->s3->hs.tls12.cert_verify,  in ssl3_get_cert_verify()
2010 		    &(s->s3->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]),  in ssl3_get_cert_verify()
2055 	if (s->s3->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {  in ssl3_get_client_certificate()
2067 		if (s->s3->hs.tls12.cert_request != 0) {  in ssl3_get_client_certificate()
2072 		s->s3->hs.tls12.reuse_message = 1;  in ssl3_get_client_certificate()
2076 	if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {  in ssl3_get_client_certificate()
2170 	if (s->s3->hs.state == SSL3_ST_SW_CERT_A) {  in ssl3_send_server_certificate()
2184 		s->s3->hs.state = SSL3_ST_SW_CERT_B;  in ssl3_send_server_certificate()
2224 	if (s->s3->hs.state == SSL3_ST_SW_SESSION_TICKET_A) {  in ssl3_send_newsession_ticket()
2311 		s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_B;  in ssl3_send_newsession_ticket()
2339 	if (s->s3->hs.state == SSL3_ST_SW_CERT_STATUS_A) {  in ssl3_send_cert_status()
2353 		s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_B;  in ssl3_send_cert_status()
2373 	if (s->s3->hs.state == SSL3_ST_SW_CHANGE_A) {  in ssl3_send_server_change_cipher_spec()
2396 		s->s3->hs.state = SSL3_ST_SW_CHANGE_B;  in ssl3_send_server_change_cipher_spec()
2420 	if (!s->s3->change_cipher_spec) {  in ssl3_get_client_finished()
2425 	s->s3->change_cipher_spec = 0;  in ssl3_get_client_finished()
2437 	if (s->s3->hs.peer_finished_len != md_len ||  in ssl3_get_client_finished()
2444 	if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) {  in ssl3_get_client_finished()
2452 	memcpy(s->s3->previous_client_finished,  in ssl3_get_client_finished()
2453 	    s->s3->hs.peer_finished, md_len);  in ssl3_get_client_finished()
2454 	s->s3->previous_client_finished_len = md_len;  in ssl3_get_client_finished()
2469 	if (s->s3->hs.state == SSL3_ST_SW_FINISHED_A) {  in ssl3_send_server_finished()
2474 		memcpy(s->s3->previous_server_finished,  in ssl3_send_server_finished()
2475 		    s->s3->hs.finished, s->s3->hs.finished_len);  in ssl3_send_server_finished()
2476 		s->s3->previous_server_finished_len = s->s3->hs.finished_len;  in ssl3_send_server_finished()
2481 		if (!CBB_add_bytes(&finished, s->s3->hs.finished,  in ssl3_send_server_finished()
2482 		    s->s3->hs.finished_len))  in ssl3_send_server_finished()
2487 		s->s3->hs.state = SSL3_ST_SW_FINISHED_B;  in ssl3_send_server_finished()