_ Git - BearSSL/blob - ssl/ssl_hs_client.c

   1 /* Automatically generated code; do not modify directly. */
   2
   3 #include <stddef.h>
   4 #include <stdint.h>
   5
   6 typedef struct {
   7         uint32_t *dp;
   8         uint32_t *rp;
   9         const unsigned char *ip;
  10 } t0_context;
  11
  12 static uint32_t
  13 t0_parse7E_unsigned(const unsigned char **p)
  14 {
  15         uint32_t x;
  16
  17         x = 0;
  18         for (;;) {
  19                 unsigned y;
  20
  21                 y = *(*p) ++;
  22                 x = (x << 7) | (uint32_t)(y & 0x7F);
  23                 if (y < 0x80) {
  24                         return x;
  25                 }
  26         }
  27 }
  28
  29 static int32_t
  30 t0_parse7E_signed(const unsigned char **p)
  31 {
  32         int neg;
  33         uint32_t x;
  34
  35         neg = ((**p) >> 6) & 1;
  36         x = (uint32_t)-neg;
  37         for (;;) {
  38                 unsigned y;
  39
  40                 y = *(*p) ++;
  41                 x = (x << 7) | (uint32_t)(y & 0x7F);
  42                 if (y < 0x80) {
  43                         if (neg) {
  44                                 return -(int32_t)~x - 1;
  45                         } else {
  46                                 return (int32_t)x;
  47                         }
  48                 }
  49         }
  50 }
  51
  52 #define T0_VBYTE(x, n)   (unsigned char)((((uint32_t)(x) >> (n)) & 0x7F) | 0x80)
  53 #define T0_FBYTE(x, n)   (unsigned char)(((uint32_t)(x) >> (n)) & 0x7F)
  54 #define T0_SBYTE(x)      (unsigned char)((((uint32_t)(x) >> 28) + 0xF8) ^ 0xF8)
  55 #define T0_INT1(x)       T0_FBYTE(x, 0)
  56 #define T0_INT2(x)       T0_VBYTE(x, 7), T0_FBYTE(x, 0)
  57 #define T0_INT3(x)       T0_VBYTE(x, 14), T0_VBYTE(x, 7), T0_FBYTE(x, 0)
  58 #define T0_INT4(x)       T0_VBYTE(x, 21), T0_VBYTE(x, 14), T0_VBYTE(x, 7), T0_FBYTE(x, 0)
  59 #define T0_INT5(x)       T0_SBYTE(x), T0_VBYTE(x, 21), T0_VBYTE(x, 14), T0_VBYTE(x, 7), T0_FBYTE(x, 0)
  60
  61 /* static const unsigned char t0_datablock[]; */
  62
  63
  64 void br_ssl_hs_client_init_main(void *t0ctx);
  65
  66 void br_ssl_hs_client_run(void *t0ctx);
  67
  68
  69
  70 #include <stddef.h>
  71 #include <string.h>
  72
  73 #include "inner.h"
  74
  75 /*
  76  * This macro evaluates to a pointer to the current engine context.
  77  */
  78 #define ENG  ((br_ssl_engine_context *)((unsigned char *)t0ctx - offsetof(br_ssl_engine_context, cpu)))
  79
  80
  81
  82
  83
  84 /*
  85  * This macro evaluates to a pointer to the client context, under that
  86  * specific name. It must be noted that since the engine context is the
  87  * first field of the br_ssl_client_context structure ('eng'), then
  88  * pointers values of both types are interchangeable, modulo an
  89  * appropriate cast. This also means that "adresses" computed as offsets
  90  * within the structure work for both kinds of context.
  91  */
  92 #define CTX  ((br_ssl_client_context *)ENG)
  93
  94 /*
  95  * Generate the pre-master secret for RSA key exchange, and encrypt it
  96  * with the server's public key. Returned value is either the encrypted
  97  * data length (in bytes), or -x on error, with 'x' being an error code.
  98  *
  99  * This code assumes that the public key has been already verified (it
 100  * was properly obtained by the X.509 engine, and it has the right type,
 101  * i.e. it is of type RSA and suitable for encryption).
 102  */
 103 static int
 104 make_pms_rsa(br_ssl_client_context *ctx, int prf_id)
 105 {
 106         const br_x509_class **xc;
 107         const br_x509_pkey *pk;
 108         const unsigned char *n;
 109         unsigned char *pms;
 110         size_t nlen, u;
 111
 112         xc = ctx->eng.x509ctx;
 113         pk = (*xc)->get_pkey(xc, NULL);
 114
 115         /*
 116          * Compute actual RSA key length, in case there are leading zeros.
 117          */
 118         n = pk->key.rsa.n;
 119         nlen = pk->key.rsa.nlen;
 120         while (nlen > 0 && *n == 0) {
 121                 n ++;
 122                 nlen --;
 123         }
 124
 125         /*
 126          * We need at least 59 bytes (48 bytes for pre-master secret, and
 127          * 11 bytes for the PKCS#1 type 2 padding). Note that the X.509
 128          * minimal engine normally blocks RSA keys shorter than 128 bytes,
 129          * so this is mostly for public keys provided explicitly by the
 130          * caller.
 131          */
 132         if (nlen < 59) {
 133                 return -BR_ERR_X509_WEAK_PUBLIC_KEY;
 134         }
 135         if (nlen > sizeof ctx->eng.pad) {
 136                 return -BR_ERR_LIMIT_EXCEEDED;
 137         }
 138
 139         /*
 140          * Make PMS.
 141          */
 142         pms = ctx->eng.pad + nlen - 48;
 143         br_enc16be(pms, ctx->eng.version_max);
 144         br_hmac_drbg_generate(&ctx->eng.rng, pms + 2, 46);
 145         br_ssl_engine_compute_master(&ctx->eng, prf_id, pms, 48);
 146
 147         /*
 148          * Apply PKCS#1 type 2 padding.
 149          */
 150         ctx->eng.pad[0] = 0x00;
 151         ctx->eng.pad[1] = 0x02;
 152         ctx->eng.pad[nlen - 49] = 0x00;
 153         br_hmac_drbg_generate(&ctx->eng.rng, ctx->eng.pad + 2, nlen - 51);
 154         for (u = 2; u < nlen - 49; u ++) {
 155                 while (ctx->eng.pad[u] == 0) {
 156                         br_hmac_drbg_generate(&ctx->eng.rng,
 157                                 &ctx->eng.pad[u], 1);
 158                 }
 159         }
 160
 161         /*
 162          * Compute RSA encryption.
 163          */
 164         if (!ctx->irsapub(ctx->eng.pad, nlen, &pk->key.rsa)) {
 165                 return -BR_ERR_LIMIT_EXCEEDED;
 166         }
 167         return (int)nlen;
 168 }
 169
 170 /*
 171  * OID for hash functions in RSA signatures.
 172  */
 173 static const unsigned char HASH_OID_SHA1[] = {
 174         0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A
 175 };
 176
 177 static const unsigned char HASH_OID_SHA224[] = {
 178         0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04
 179 };
 180
 181 static const unsigned char HASH_OID_SHA256[] = {
 182         0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
 183 };
 184
 185 static const unsigned char HASH_OID_SHA384[] = {
 186         0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02
 187 };
 188
 189 static const unsigned char HASH_OID_SHA512[] = {
 190         0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03
 191 };
 192
 193 static const unsigned char *HASH_OID[] = {
 194         HASH_OID_SHA1,
 195         HASH_OID_SHA224,
 196         HASH_OID_SHA256,
 197         HASH_OID_SHA384,
 198         HASH_OID_SHA512
 199 };
 200
 201 /*
 202  * Check the RSA signature on the ServerKeyExchange message.
 203  *
 204  *   hash      hash function ID (2 to 6), or 0 for MD5+SHA-1 (with RSA only)
 205  *   use_rsa   non-zero for RSA signature, zero for ECDSA
 206  *   sig_len   signature length (in bytes); signature value is in the pad
 207  *
 208  * Returned value is 0 on success, or an error code.
 209  */
 210 static int
 211 verify_SKE_sig(br_ssl_client_context *ctx,
 212         int hash, int use_rsa, size_t sig_len)
 213 {
 214         const br_x509_class **xc;
 215         const br_x509_pkey *pk;
 216         br_multihash_context mhc;
 217         unsigned char hv[64], head[4];
 218         size_t hv_len;
 219
 220         xc = ctx->eng.x509ctx;
 221         pk = (*xc)->get_pkey(xc, NULL);
 222         br_multihash_zero(&mhc);
 223         br_multihash_copyimpl(&mhc, &ctx->eng.mhash);
 224         br_multihash_init(&mhc);
 225         br_multihash_update(&mhc,
 226                 ctx->eng.client_random, sizeof ctx->eng.client_random);
 227         br_multihash_update(&mhc,
 228                 ctx->eng.server_random, sizeof ctx->eng.server_random);
 229         head[0] = 3;
 230         head[1] = 0;
 231         head[2] = ctx->eng.ecdhe_curve;
 232         head[3] = ctx->eng.ecdhe_point_len;
 233         br_multihash_update(&mhc, head, sizeof head);
 234         br_multihash_update(&mhc,
 235                 ctx->eng.ecdhe_point, ctx->eng.ecdhe_point_len);
 236         if (hash) {
 237                 hv_len = br_multihash_out(&mhc, hash, hv);
 238                 if (hv_len == 0) {
 239                         return BR_ERR_INVALID_ALGORITHM;
 240                 }
 241         } else {
 242                 if (!br_multihash_out(&mhc, br_md5_ID, hv)
 243                         || !br_multihash_out(&mhc, br_sha1_ID, hv + 16))
 244                 {
 245                         return BR_ERR_INVALID_ALGORITHM;
 246                 }
 247                 hv_len = 36;
 248         }
 249         if (use_rsa) {
 250                 unsigned char tmp[64];
 251                 const unsigned char *hash_oid;
 252
 253                 if (hash) {
 254                         hash_oid = HASH_OID[hash - 2];
 255                 } else {
 256                         hash_oid = NULL;
 257                 }
 258                 if (!ctx->eng.irsavrfy(ctx->eng.pad, sig_len,
 259                         hash_oid, hv_len, &pk->key.rsa, tmp)
 260                         || memcmp(tmp, hv, hv_len) != 0)
 261                 {
 262                         return BR_ERR_BAD_SIGNATURE;
 263                 }
 264         } else {
 265                 if (!ctx->eng.iecdsa(ctx->eng.iec, hv, hv_len, &pk->key.ec,
 266                         ctx->eng.pad, sig_len))
 267                 {
 268                         return BR_ERR_BAD_SIGNATURE;
 269                 }
 270         }
 271         return 0;
 272 }
 273
 274 /*
 275  * Perform client-side ECDH (or ECDHE). The point that should be sent to
 276  * the server is written in the pad; returned value is either the point
 277  * length (in bytes), or -x on error, with 'x' being an error code.
 278  *
 279  * The point _from_ the server is taken from ecdhe_point[] if 'ecdhe'
 280  * is non-zero, or from the X.509 engine context if 'ecdhe' is zero
 281  * (for static ECDH).
 282  */
 283 static int
 284 make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id)
 285 {
 286         int curve;
 287         unsigned char key[66], point[133];
 288         const unsigned char *order, *point_src;
 289         size_t glen, olen, point_len, xoff, xlen;
 290         unsigned char mask;
 291
 292         if (ecdhe) {
 293                 curve = ctx->eng.ecdhe_curve;
 294                 point_src = ctx->eng.ecdhe_point;
 295                 point_len = ctx->eng.ecdhe_point_len;
 296         } else {
 297                 const br_x509_class **xc;
 298                 const br_x509_pkey *pk;
 299
 300                 xc = ctx->eng.x509ctx;
 301                 pk = (*xc)->get_pkey(xc, NULL);
 302                 curve = pk->key.ec.curve;
 303                 point_src = pk->key.ec.q;
 304                 point_len = pk->key.ec.qlen;
 305         }
 306         if ((ctx->eng.iec->supported_curves & ((uint32_t)1 << curve)) == 0) {
 307                 return -BR_ERR_INVALID_ALGORITHM;
 308         }
 309
 310         /*
 311          * We need to generate our key, as a non-zero random value which
 312          * is lower than the curve order, in a "large enough" range. We
 313          * force top bit to 0 and bottom bit to 1, which guarantees that
 314          * the value is in the proper range.
 315          */
 316         order = ctx->eng.iec->order(curve, &olen);
 317         mask = 0xFF;
 318         while (mask >= order[0]) {
 319                 mask >>= 1;
 320         }
 321         br_hmac_drbg_generate(&ctx->eng.rng, key, olen);
 322         key[0] &= mask;
 323         key[olen - 1] |= 0x01;
 324
 325         /*
 326          * Compute the common ECDH point, whose X coordinate is the
 327          * pre-master secret.
 328          */
 329         ctx->eng.iec->generator(curve, &glen);
 330         if (glen != point_len) {
 331                 return -BR_ERR_INVALID_ALGORITHM;
 332         }
 333
 334         memcpy(point, point_src, glen);
 335         if (!ctx->eng.iec->mul(point, glen, key, olen, curve)) {
 336                 return -BR_ERR_INVALID_ALGORITHM;
 337         }
 338
 339         /*
 340          * The pre-master secret is the X coordinate.
 341          */
 342         xoff = ctx->eng.iec->xoff(curve, &xlen);
 343         br_ssl_engine_compute_master(&ctx->eng, prf_id, point + xoff, xlen);
 344
 345         ctx->eng.iec->mulgen(point, key, olen, curve);
 346         memcpy(ctx->eng.pad, point, glen);
 347         return (int)glen;
 348 }
 349
 350 /*
 351  * Perform full static ECDH. This occurs only in the context of client
 352  * authentication with certificates: the server uses an EC public key,
 353  * the cipher suite is of type ECDH (not ECDHE), the server requested a
 354  * client certificate and accepts static ECDH, the client has a
 355  * certificate with an EC public key in the same curve, and accepts
 356  * static ECDH as well.
 357  *
 358  * Returned value is 0 on success, -1 on error.
 359  */
 360 static int
 361 make_pms_static_ecdh(br_ssl_client_context *ctx, int prf_id)
 362 {
 363         unsigned char point[133];
 364         size_t point_len;
 365         const br_x509_class **xc;
 366         const br_x509_pkey *pk;
 367
 368         xc = ctx->eng.x509ctx;
 369         pk = (*xc)->get_pkey(xc, NULL);
 370         point_len = pk->key.ec.qlen;
 371         if (point_len > sizeof point) {
 372                 return -1;
 373         }
 374         memcpy(point, pk->key.ec.q, point_len);
 375         if (!(*ctx->client_auth_vtable)->do_keyx(
 376                 ctx->client_auth_vtable, point, &point_len))
 377         {
 378                 return -1;
 379         }
 380         br_ssl_engine_compute_master(&ctx->eng,
 381                 prf_id, point, point_len);
 382         return 0;
 383 }
 384
 385 /*
 386  * Compute the client-side signature. This is invoked only when a
 387  * signature-based client authentication was selected. The computed
 388  * signature is in the pad; its length (in bytes) is returned. On
 389  * error, 0 is returned.
 390  */
 391 static size_t
 392 make_client_sign(br_ssl_client_context *ctx)
 393 {
 394         size_t hv_len;
 395
 396         /*
 397          * Compute hash of handshake messages so far. This "cannot" fail
 398          * because the list of supported hash functions provided to the
 399          * client certificate handler was trimmed to include only the
 400          * hash functions that the multi-hasher supports.
 401          */
 402         if (ctx->hash_id) {
 403                 hv_len = br_multihash_out(&ctx->eng.mhash,
 404                         ctx->hash_id, ctx->eng.pad);
 405         } else {
 406                 br_multihash_out(&ctx->eng.mhash,
 407                         br_md5_ID, ctx->eng.pad);
 408                 br_multihash_out(&ctx->eng.mhash,
 409                         br_sha1_ID, ctx->eng.pad + 16);
 410                 hv_len = 36;
 411         }
 412         return (*ctx->client_auth_vtable)->do_sign(
 413                 ctx->client_auth_vtable, ctx->hash_id, hv_len,
 414                 ctx->eng.pad, sizeof ctx->eng.pad);
 415 }
 416
 417
 418
 419 static const unsigned char t0_datablock[] = {
 420         0x00, 0x00, 0x0A, 0x00, 0x24, 0x00, 0x2F, 0x01, 0x24, 0x00, 0x35, 0x02,
 421         0x24, 0x00, 0x3C, 0x01, 0x44, 0x00, 0x3D, 0x02, 0x44, 0x00, 0x9C, 0x03,
 422         0x04, 0x00, 0x9D, 0x04, 0x05, 0xC0, 0x03, 0x40, 0x24, 0xC0, 0x04, 0x41,
 423         0x24, 0xC0, 0x05, 0x42, 0x24, 0xC0, 0x08, 0x20, 0x24, 0xC0, 0x09, 0x21,
 424         0x24, 0xC0, 0x0A, 0x22, 0x24, 0xC0, 0x0D, 0x30, 0x24, 0xC0, 0x0E, 0x31,
 425         0x24, 0xC0, 0x0F, 0x32, 0x24, 0xC0, 0x12, 0x10, 0x24, 0xC0, 0x13, 0x11,
 426         0x24, 0xC0, 0x14, 0x12, 0x24, 0xC0, 0x23, 0x21, 0x44, 0xC0, 0x24, 0x22,
 427         0x55, 0xC0, 0x25, 0x41, 0x44, 0xC0, 0x26, 0x42, 0x55, 0xC0, 0x27, 0x11,
 428         0x44, 0xC0, 0x28, 0x12, 0x55, 0xC0, 0x29, 0x31, 0x44, 0xC0, 0x2A, 0x32,
 429         0x55, 0xC0, 0x2B, 0x23, 0x04, 0xC0, 0x2C, 0x24, 0x05, 0xC0, 0x2D, 0x43,
 430         0x04, 0xC0, 0x2E, 0x44, 0x05, 0xC0, 0x2F, 0x13, 0x04, 0xC0, 0x30, 0x14,
 431         0x05, 0xC0, 0x31, 0x33, 0x04, 0xC0, 0x32, 0x34, 0x05, 0xCC, 0xA8, 0x15,
 432         0x04, 0xCC, 0xA9, 0x25, 0x04, 0x00, 0x00
 433 };
 434
 435 static const unsigned char t0_codeblock[] = {
 436         0x00, 0x01, 0x00, 0x0A, 0x00, 0x00, 0x01, 0x00, 0x0D, 0x00, 0x00, 0x01,
 437         0x00, 0x0E, 0x00, 0x00, 0x01, 0x00, 0x0F, 0x00, 0x00, 0x01, 0x01, 0x08,
 438         0x00, 0x00, 0x01, 0x01, 0x09, 0x00, 0x00, 0x01, 0x02, 0x08, 0x00, 0x00,
 439         0x01, 0x02, 0x09, 0x00, 0x00, 0x25, 0x25, 0x00, 0x00, 0x01,
 440         T0_INT1(BR_ERR_BAD_CCS), 0x00, 0x00, 0x01,
 441         T0_INT1(BR_ERR_BAD_CIPHER_SUITE), 0x00, 0x00, 0x01,
 442         T0_INT1(BR_ERR_BAD_COMPRESSION), 0x00, 0x00, 0x01,
 443         T0_INT1(BR_ERR_BAD_FINISHED), 0x00, 0x00, 0x01,
 444         T0_INT1(BR_ERR_BAD_FRAGLEN), 0x00, 0x00, 0x01,
 445         T0_INT1(BR_ERR_BAD_HANDSHAKE), 0x00, 0x00, 0x01,
 446         T0_INT1(BR_ERR_BAD_HELLO_DONE), 0x00, 0x00, 0x01,
 447         T0_INT1(BR_ERR_BAD_PARAM), 0x00, 0x00, 0x01,
 448         T0_INT1(BR_ERR_BAD_SECRENEG), 0x00, 0x00, 0x01,
 449         T0_INT1(BR_ERR_BAD_SNI), 0x00, 0x00, 0x01, T0_INT1(BR_ERR_BAD_VERSION),
 450         0x00, 0x00, 0x01, T0_INT1(BR_ERR_EXTRA_EXTENSION), 0x00, 0x00, 0x01,
 451         T0_INT1(BR_ERR_INVALID_ALGORITHM), 0x00, 0x00, 0x01,
 452         T0_INT1(BR_ERR_LIMIT_EXCEEDED), 0x00, 0x00, 0x01, T0_INT1(BR_ERR_OK),
 453         0x00, 0x00, 0x01, T0_INT1(BR_ERR_OVERSIZED_ID), 0x00, 0x00, 0x01,
 454         T0_INT1(BR_ERR_RESUME_MISMATCH), 0x00, 0x00, 0x01,
 455         T0_INT1(BR_ERR_UNEXPECTED), 0x00, 0x00, 0x01,
 456         T0_INT1(BR_ERR_UNSUPPORTED_VERSION), 0x00, 0x00, 0x01,
 457         T0_INT1(BR_ERR_WRONG_KEY_USAGE), 0x00, 0x00, 0x01,
 458         T0_INT2(offsetof(br_ssl_engine_context, action)), 0x00, 0x00, 0x01,
 459         T0_INT2(offsetof(br_ssl_engine_context, alert)), 0x00, 0x00, 0x01,
 460         T0_INT2(offsetof(br_ssl_engine_context, application_data)), 0x00, 0x00,
 461         0x01, T0_INT2(offsetof(br_ssl_client_context, auth_type)), 0x00, 0x00,
 462         0x01,
 463         T0_INT2(offsetof(br_ssl_engine_context, session) + offsetof(br_ssl_session_parameters, cipher_suite)),
 464         0x00, 0x00, 0x01,
 465         T0_INT2(offsetof(br_ssl_engine_context, client_random)), 0x00, 0x00,
 466         0x01, T0_INT2(offsetof(br_ssl_engine_context, close_received)), 0x00,
 467         0x00, 0x01, T0_INT2(offsetof(br_ssl_engine_context, ecdhe_curve)),
 468         0x00, 0x00, 0x01,
 469         T0_INT2(offsetof(br_ssl_engine_context, ecdhe_point)), 0x00, 0x00,
 470         0x01, T0_INT2(offsetof(br_ssl_engine_context, ecdhe_point_len)), 0x00,
 471         0x00, 0x01, T0_INT2(offsetof(br_ssl_engine_context, flags)), 0x00,
 472         0x00, 0x01, T0_INT2(offsetof(br_ssl_client_context, hash_id)), 0x00,
 473         0x00, 0x01, T0_INT2(offsetof(br_ssl_client_context, hashes)), 0x00,
 474         0x00, 0x01, T0_INT2(offsetof(br_ssl_engine_context, log_max_frag_len)),
 475         0x00, 0x00, 0x01,
 476         T0_INT2(offsetof(br_ssl_client_context, min_clienthello_len)), 0x00,
 477         0x00, 0x01, T0_INT2(offsetof(br_ssl_engine_context, pad)), 0x00, 0x00,
 478         0x01, T0_INT2(offsetof(br_ssl_engine_context, protocol_names_num)),
 479         0x00, 0x00, 0x01,
 480         T0_INT2(offsetof(br_ssl_engine_context, record_type_in)), 0x00, 0x00,
 481         0x01, T0_INT2(offsetof(br_ssl_engine_context, record_type_out)), 0x00,
 482         0x00, 0x01, T0_INT2(offsetof(br_ssl_engine_context, reneg)), 0x00,
 483         0x00, 0x01, T0_INT2(offsetof(br_ssl_engine_context, saved_finished)),
 484         0x00, 0x00, 0x01,
 485         T0_INT2(offsetof(br_ssl_engine_context, selected_protocol)), 0x00,
 486         0x00, 0x01, T0_INT2(offsetof(br_ssl_engine_context, server_name)),
 487         0x00, 0x00, 0x01,
 488         T0_INT2(offsetof(br_ssl_engine_context, server_random)), 0x00, 0x00,
 489         0x01,
 490         T0_INT2(offsetof(br_ssl_engine_context, session) + offsetof(br_ssl_session_parameters, session_id)),
 491         0x00, 0x00, 0x01,
 492         T0_INT2(offsetof(br_ssl_engine_context, session) + offsetof(br_ssl_session_parameters, session_id_len)),
 493         0x00, 0x00, 0x01,
 494         T0_INT2(offsetof(br_ssl_engine_context, shutdown_recv)), 0x00, 0x00,
 495         0x01, T0_INT2(offsetof(br_ssl_engine_context, suites_buf)), 0x00, 0x00,
 496         0x01, T0_INT2(offsetof(br_ssl_engine_context, suites_num)), 0x00, 0x00,
 497         0x01,
 498         T0_INT2(offsetof(br_ssl_engine_context, session) + offsetof(br_ssl_session_parameters, version)),
 499         0x00, 0x00, 0x01, T0_INT2(offsetof(br_ssl_engine_context, version_in)),
 500         0x00, 0x00, 0x01,
 501         T0_INT2(offsetof(br_ssl_engine_context, version_max)), 0x00, 0x00,
 502         0x01, T0_INT2(offsetof(br_ssl_engine_context, version_min)), 0x00,
 503         0x00, 0x01, T0_INT2(offsetof(br_ssl_engine_context, version_out)),
 504         0x00, 0x00, 0x09, 0x26, 0x56, 0x06, 0x02, 0x66, 0x28, 0x00, 0x00, 0x06,
 505         0x08, 0x2C, 0x0E, 0x05, 0x02, 0x6F, 0x28, 0x04, 0x01, 0x3C, 0x00, 0x00,
 506         0x01, 0x01, 0x00, 0x01, 0x03, 0x00, 0x97, 0x26, 0x5C, 0x44, 0x9B, 0x26,
 507         0x05, 0x04, 0x5E, 0x01, 0x00, 0x00, 0x02, 0x00, 0x0E, 0x06, 0x02, 0x9B,
 508         0x00, 0x5C, 0x04, 0x6B, 0x00, 0x06, 0x02, 0x66, 0x28, 0x00, 0x00, 0x26,
 509         0x87, 0x44, 0x05, 0x03, 0x01, 0x0C, 0x08, 0x44, 0x77, 0x2C, 0xA9, 0x1C,
 510         0x82, 0x01, 0x0C, 0x31, 0x00, 0x00, 0x26, 0x1F, 0x01, 0x08, 0x0B, 0x44,
 511         0x5A, 0x1F, 0x08, 0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x75, 0x3E, 0x29,
 512         0x1A, 0x36, 0x06, 0x07, 0x02, 0x00, 0xCC, 0x03, 0x00, 0x04, 0x75, 0x01,
 513         0x00, 0xC3, 0x02, 0x00, 0x26, 0x1A, 0x17, 0x06, 0x02, 0x6D, 0x28, 0xCC,
 514         0x04, 0x76, 0x01, 0x01, 0x00, 0x75, 0x3E, 0x01, 0x16, 0x85, 0x3E, 0x01,
 515         0x00, 0x88, 0x3C, 0x34, 0xD2, 0x29, 0xB2, 0x06, 0x09, 0x01, 0x7F, 0xAD,
 516         0x01, 0x7F, 0xCF, 0x04, 0x80, 0x53, 0xAF, 0x77, 0x2C, 0x9F, 0x01,
 517         T0_INT1(BR_KEYTYPE_SIGN), 0x17, 0x06, 0x01, 0xB3, 0xB6, 0x26, 0x01,
 518         0x0D, 0x0E, 0x06, 0x07, 0x25, 0xB5, 0xB6, 0x01, 0x7F, 0x04, 0x02, 0x01,
 519         0x00, 0x03, 0x00, 0x01, 0x0E, 0x0E, 0x05, 0x02, 0x70, 0x28, 0x06, 0x02,
 520         0x65, 0x28, 0x33, 0x06, 0x02, 0x70, 0x28, 0x02, 0x00, 0x06, 0x1C, 0xD0,
 521         0x7E, 0x2E, 0x01, 0x81, 0x7F, 0x0E, 0x06, 0x0D, 0x25, 0x01, 0x10, 0xDB,
 522         0x01, 0x00, 0xDA, 0x77, 0x2C, 0xA9, 0x24, 0x04, 0x04, 0xD3, 0x06, 0x01,
 523         0xD1, 0x04, 0x01, 0xD3, 0x01, 0x7F, 0xCF, 0x01, 0x7F, 0xAD, 0x01, 0x01,
 524         0x75, 0x3E, 0x01, 0x17, 0x85, 0x3E, 0x00, 0x00, 0x38, 0x38, 0x00, 0x00,
 525         0x98, 0x01, 0x0C, 0x11, 0x01, 0x00, 0x38, 0x0E, 0x06, 0x05, 0x25, 0x01,
 526         T0_INT1(BR_KEYTYPE_RSA | BR_KEYTYPE_KEYX), 0x04, 0x30, 0x01, 0x01,
 527         0x38, 0x0E, 0x06, 0x05, 0x25, 0x01,
 528         T0_INT1(BR_KEYTYPE_RSA | BR_KEYTYPE_SIGN), 0x04, 0x25, 0x01, 0x02,
 529         0x38, 0x0E, 0x06, 0x05, 0x25, 0x01,
 530         T0_INT1(BR_KEYTYPE_EC  | BR_KEYTYPE_SIGN), 0x04, 0x1A, 0x01, 0x03,
 531         0x38, 0x0E, 0x06, 0x05, 0x25, 0x01,
 532         T0_INT1(BR_KEYTYPE_EC  | BR_KEYTYPE_KEYX), 0x04, 0x0F, 0x01, 0x04,
 533         0x38, 0x0E, 0x06, 0x05, 0x25, 0x01,
 534         T0_INT1(BR_KEYTYPE_EC  | BR_KEYTYPE_KEYX), 0x04, 0x04, 0x01, 0x00,
 535         0x44, 0x25, 0x00, 0x00, 0x80, 0x2E, 0x01, 0x0E, 0x0E, 0x06, 0x04, 0x01,
 536         0x00, 0x04, 0x02, 0x01, 0x05, 0x00, 0x00, 0x40, 0x06, 0x04, 0x01, 0x06,
 537         0x04, 0x02, 0x01, 0x00, 0x00, 0x00, 0x86, 0x2E, 0x26, 0x06, 0x08, 0x01,
 538         0x01, 0x09, 0x01, 0x11, 0x07, 0x04, 0x03, 0x25, 0x01, 0x05, 0x00, 0x01,
 539         0x41, 0x03, 0x00, 0x25, 0x01, 0x00, 0x43, 0x06, 0x03, 0x02, 0x00, 0x08,
 540         0x42, 0x06, 0x03, 0x02, 0x00, 0x08, 0x26, 0x06, 0x06, 0x01, 0x01, 0x0B,
 541         0x01, 0x06, 0x08, 0x00, 0x00, 0x89, 0x3F, 0x26, 0x06, 0x03, 0x01, 0x09,
 542         0x08, 0x00, 0x01, 0x40, 0x26, 0x06, 0x1E, 0x01, 0x00, 0x03, 0x00, 0x26,
 543         0x06, 0x0E, 0x26, 0x01, 0x01, 0x17, 0x02, 0x00, 0x08, 0x03, 0x00, 0x01,
 544         0x01, 0x11, 0x04, 0x6F, 0x25, 0x02, 0x00, 0x01, 0x01, 0x0B, 0x01, 0x06,
 545         0x08, 0x00, 0x00, 0x7D, 0x2D, 0x44, 0x11, 0x01, 0x01, 0x17, 0x35, 0x00,
 546         0x00, 0x9D, 0xCB, 0x26, 0x01, 0x07, 0x17, 0x01, 0x00, 0x38, 0x0E, 0x06,
 547         0x09, 0x25, 0x01, 0x10, 0x17, 0x06, 0x01, 0x9D, 0x04, 0x2D, 0x01, 0x01,
 548         0x38, 0x0E, 0x06, 0x24, 0x25, 0x25, 0x01, 0x00, 0x75, 0x3E, 0xB1, 0x86,
 549         0x2E, 0x01, 0x01, 0x0E, 0x01, 0x01, 0xA6, 0x37, 0x06, 0x0F, 0x29, 0x1A,
 550         0x36, 0x06, 0x04, 0xCB, 0x25, 0x04, 0x78, 0x01, 0x80, 0x64, 0xC3, 0x04,
 551         0x01, 0x9D, 0x04, 0x03, 0x70, 0x28, 0x25, 0x04, 0xFF, 0x3C, 0x01, 0x26,
 552         0x03, 0x00, 0x09, 0x26, 0x56, 0x06, 0x02, 0x66, 0x28, 0x02, 0x00, 0x00,
 553         0x00, 0x98, 0x01, 0x0F, 0x17, 0x00, 0x00, 0x74, 0x2E, 0x01, 0x00, 0x38,
 554         0x0E, 0x06, 0x10, 0x25, 0x26, 0x01, 0x01, 0x0D, 0x06, 0x03, 0x25, 0x01,
 555         0x02, 0x74, 0x3E, 0x01, 0x00, 0x04, 0x21, 0x01, 0x01, 0x38, 0x0E, 0x06,
 556         0x14, 0x25, 0x01, 0x00, 0x74, 0x3E, 0x26, 0x01, 0x80, 0x64, 0x0E, 0x06,
 557         0x05, 0x01, 0x82, 0x00, 0x08, 0x28, 0x58, 0x04, 0x07, 0x25, 0x01, 0x82,
 558         0x00, 0x08, 0x28, 0x25, 0x00, 0x00, 0x01, 0x00, 0x2F, 0x06, 0x05, 0x3A,
 559         0xAA, 0x37, 0x04, 0x78, 0x26, 0x06, 0x04, 0x01, 0x01, 0x8D, 0x3E, 0x00,
 560         0x01, 0xBD, 0xA8, 0xBD, 0xA8, 0xBF, 0x82, 0x44, 0x26, 0x03, 0x00, 0xB4,
 561         0x99, 0x99, 0x02, 0x00, 0x4B, 0x26, 0x56, 0x06, 0x0A, 0x01, 0x03, 0xA6,
 562         0x06, 0x02, 0x70, 0x28, 0x25, 0x04, 0x03, 0x5A, 0x88, 0x3C, 0x00, 0x00,
 563         0x2F, 0x06, 0x0B, 0x84, 0x2E, 0x01, 0x14, 0x0D, 0x06, 0x02, 0x70, 0x28,
 564         0x04, 0x11, 0xCB, 0x01, 0x07, 0x17, 0x26, 0x01, 0x02, 0x0D, 0x06, 0x06,
 565         0x06, 0x02, 0x70, 0x28, 0x04, 0x70, 0x25, 0xC0, 0x01, 0x01, 0x0D, 0x33,
 566         0x37, 0x06, 0x02, 0x5F, 0x28, 0x26, 0x01, 0x01, 0xC6, 0x36, 0xB0, 0x00,
 567         0x01, 0xB6, 0x01, 0x0B, 0x0E, 0x05, 0x02, 0x70, 0x28, 0x26, 0x01, 0x03,
 568         0x0E, 0x06, 0x08, 0xBE, 0x06, 0x02, 0x66, 0x28, 0x44, 0x25, 0x00, 0x44,
 569         0x55, 0xBE, 0xA8, 0x26, 0x06, 0x23, 0xBE, 0xA8, 0x26, 0x54, 0x26, 0x06,
 570         0x18, 0x26, 0x01, 0x82, 0x00, 0x0F, 0x06, 0x05, 0x01, 0x82, 0x00, 0x04,
 571         0x01, 0x26, 0x03, 0x00, 0x82, 0x02, 0x00, 0xB4, 0x02, 0x00, 0x51, 0x04,
 572         0x65, 0x99, 0x52, 0x04, 0x5A, 0x99, 0x99, 0x53, 0x26, 0x06, 0x02, 0x35,
 573         0x00, 0x25, 0x2B, 0x00, 0x00, 0x77, 0x2C, 0x9F, 0x01, 0x7F, 0xAE, 0x26,
 574         0x56, 0x06, 0x02, 0x35, 0x28, 0x26, 0x05, 0x02, 0x70, 0x28, 0x38, 0x17,
 575         0x0D, 0x06, 0x02, 0x72, 0x28, 0x3B, 0x00, 0x00, 0x9A, 0xB6, 0x01, 0x14,
 576         0x0D, 0x06, 0x02, 0x70, 0x28, 0x82, 0x01, 0x0C, 0x08, 0x01, 0x0C, 0xB4,
 577         0x99, 0x82, 0x26, 0x01, 0x0C, 0x08, 0x01, 0x0C, 0x30, 0x05, 0x02, 0x62,
 578         0x28, 0x00, 0x00, 0xB7, 0x06, 0x02, 0x70, 0x28, 0x06, 0x02, 0x64, 0x28,
 579         0x00, 0x0A, 0xB6, 0x01, 0x02, 0x0E, 0x05, 0x02, 0x70, 0x28, 0xBD, 0x03,
 580         0x00, 0x02, 0x00, 0x93, 0x2C, 0x0A, 0x02, 0x00, 0x92, 0x2C, 0x0F, 0x37,
 581         0x06, 0x02, 0x71, 0x28, 0x02, 0x00, 0x91, 0x2C, 0x0D, 0x06, 0x02, 0x69,
 582         0x28, 0x02, 0x00, 0x94, 0x3C, 0x8A, 0x01, 0x20, 0xB4, 0x01, 0x00, 0x03,
 583         0x01, 0xBF, 0x03, 0x02, 0x02, 0x02, 0x01, 0x20, 0x0F, 0x06, 0x02, 0x6E,
 584         0x28, 0x82, 0x02, 0x02, 0xB4, 0x02, 0x02, 0x8C, 0x2E, 0x0E, 0x02, 0x02,
 585         0x01, 0x00, 0x0F, 0x17, 0x06, 0x0B, 0x8B, 0x82, 0x02, 0x02, 0x30, 0x06,
 586         0x04, 0x01, 0x7F, 0x03, 0x01, 0x8B, 0x82, 0x02, 0x02, 0x31, 0x02, 0x02,
 587         0x8C, 0x3E, 0x02, 0x00, 0x90, 0x02, 0x01, 0x96, 0xBD, 0x26, 0xC1, 0x56,
 588         0x06, 0x02, 0x60, 0x28, 0x77, 0x02, 0x01, 0x96, 0xBF, 0x06, 0x02, 0x61,
 589         0x28, 0x26, 0x06, 0x81, 0x45, 0xBD, 0xA8, 0xA4, 0x03, 0x03, 0xA2, 0x03,
 590         0x04, 0xA0, 0x03, 0x05, 0xA3, 0x03, 0x06, 0xA5, 0x03, 0x07, 0xA1, 0x03,
 591         0x08, 0x27, 0x03, 0x09, 0x26, 0x06, 0x81, 0x18, 0xBD, 0x01, 0x00, 0x38,
 592         0x0E, 0x06, 0x0F, 0x25, 0x02, 0x03, 0x05, 0x02, 0x6A, 0x28, 0x01, 0x00,
 593         0x03, 0x03, 0xBC, 0x04, 0x80, 0x7F, 0x01, 0x01, 0x38, 0x0E, 0x06, 0x0F,
 594         0x25, 0x02, 0x05, 0x05, 0x02, 0x6A, 0x28, 0x01, 0x00, 0x03, 0x05, 0xBA,
 595         0x04, 0x80, 0x6A, 0x01, 0x83, 0xFE, 0x01, 0x38, 0x0E, 0x06, 0x0F, 0x25,
 596         0x02, 0x04, 0x05, 0x02, 0x6A, 0x28, 0x01, 0x00, 0x03, 0x04, 0xBB, 0x04,
 597         0x80, 0x53, 0x01, 0x0D, 0x38, 0x0E, 0x06, 0x0E, 0x25, 0x02, 0x06, 0x05,
 598         0x02, 0x6A, 0x28, 0x01, 0x00, 0x03, 0x06, 0xB8, 0x04, 0x3F, 0x01, 0x0A,
 599         0x38, 0x0E, 0x06, 0x0E, 0x25, 0x02, 0x07, 0x05, 0x02, 0x6A, 0x28, 0x01,
 600         0x00, 0x03, 0x07, 0xB8, 0x04, 0x2B, 0x01, 0x0B, 0x38, 0x0E, 0x06, 0x0E,
 601         0x25, 0x02, 0x08, 0x05, 0x02, 0x6A, 0x28, 0x01, 0x00, 0x03, 0x08, 0xB8,
 602         0x04, 0x17, 0x01, 0x10, 0x38, 0x0E, 0x06, 0x0E, 0x25, 0x02, 0x09, 0x05,
 603         0x02, 0x6A, 0x28, 0x01, 0x00, 0x03, 0x09, 0xAC, 0x04, 0x03, 0x6A, 0x28,
 604         0x25, 0x04, 0xFE, 0x64, 0x02, 0x04, 0x06, 0x0D, 0x02, 0x04, 0x01, 0x05,
 605         0x0F, 0x06, 0x02, 0x67, 0x28, 0x01, 0x01, 0x86, 0x3E, 0x99, 0x99, 0x02,
 606         0x01, 0x00, 0x04, 0xB6, 0x01, 0x0C, 0x0E, 0x05, 0x02, 0x70, 0x28, 0xBF,
 607         0x01, 0x03, 0x0E, 0x05, 0x02, 0x6B, 0x28, 0xBD, 0x26, 0x7A, 0x3E, 0x26,
 608         0x01, 0x20, 0x10, 0x06, 0x02, 0x6B, 0x28, 0x40, 0x44, 0x11, 0x01, 0x01,
 609         0x17, 0x05, 0x02, 0x6B, 0x28, 0xBF, 0x26, 0x01, 0x81, 0x05, 0x0F, 0x06,
 610         0x02, 0x6B, 0x28, 0x26, 0x7C, 0x3E, 0x7B, 0x44, 0xB4, 0x90, 0x2C, 0x01,
 611         0x86, 0x03, 0x10, 0x03, 0x00, 0x77, 0x2C, 0xC9, 0x03, 0x01, 0x01, 0x02,
 612         0x03, 0x02, 0x02, 0x00, 0x06, 0x21, 0xBF, 0x26, 0x26, 0x01, 0x02, 0x0A,
 613         0x44, 0x01, 0x06, 0x0F, 0x37, 0x06, 0x02, 0x6B, 0x28, 0x03, 0x02, 0xBF,
 614         0x02, 0x01, 0x01, 0x01, 0x0B, 0x01, 0x03, 0x08, 0x0E, 0x05, 0x02, 0x6B,
 615         0x28, 0x04, 0x08, 0x02, 0x01, 0x06, 0x04, 0x01, 0x00, 0x03, 0x02, 0xBD,
 616         0x26, 0x03, 0x03, 0x26, 0x01, 0x84, 0x00, 0x0F, 0x06, 0x02, 0x6C, 0x28,
 617         0x82, 0x44, 0xB4, 0x02, 0x02, 0x02, 0x01, 0x02, 0x03, 0x4E, 0x26, 0x06,
 618         0x01, 0x28, 0x25, 0x99, 0x00, 0x02, 0x03, 0x00, 0x03, 0x01, 0x02, 0x00,
 619         0x95, 0x02, 0x01, 0x02, 0x00, 0x39, 0x26, 0x01, 0x00, 0x0E, 0x06, 0x02,
 620         0x5E, 0x00, 0xCD, 0x04, 0x74, 0x02, 0x01, 0x00, 0x03, 0x00, 0xBF, 0xA8,
 621         0x26, 0x06, 0x80, 0x43, 0xBF, 0x01, 0x01, 0x38, 0x0E, 0x06, 0x06, 0x25,
 622         0x01, 0x81, 0x7F, 0x04, 0x2E, 0x01, 0x80, 0x40, 0x38, 0x0E, 0x06, 0x07,
 623         0x25, 0x01, 0x83, 0xFE, 0x00, 0x04, 0x20, 0x01, 0x80, 0x41, 0x38, 0x0E,
 624         0x06, 0x07, 0x25, 0x01, 0x84, 0x80, 0x00, 0x04, 0x12, 0x01, 0x80, 0x42,
 625         0x38, 0x0E, 0x06, 0x07, 0x25, 0x01, 0x88, 0x80, 0x00, 0x04, 0x04, 0x01,
 626         0x00, 0x44, 0x25, 0x02, 0x00, 0x37, 0x03, 0x00, 0x04, 0xFF, 0x39, 0x99,
 627         0x77, 0x2C, 0xC7, 0x05, 0x09, 0x02, 0x00, 0x01, 0x83, 0xFF, 0x7F, 0x17,
 628         0x03, 0x00, 0x90, 0x2C, 0x01, 0x86, 0x03, 0x10, 0x06, 0x3A, 0xB9, 0x26,
 629         0x7F, 0x3D, 0x41, 0x25, 0x26, 0x01, 0x08, 0x0B, 0x37, 0x01, 0x8C, 0x80,
 630         0x00, 0x37, 0x17, 0x02, 0x00, 0x17, 0x02, 0x00, 0x01, 0x8C, 0x80, 0x00,
 631         0x17, 0x06, 0x19, 0x26, 0x01, 0x81, 0x7F, 0x17, 0x06, 0x05, 0x01, 0x84,
 632         0x80, 0x00, 0x37, 0x26, 0x01, 0x83, 0xFE, 0x00, 0x17, 0x06, 0x05, 0x01,
 633         0x88, 0x80, 0x00, 0x37, 0x03, 0x00, 0x04, 0x09, 0x02, 0x00, 0x01, 0x8C,
 634         0x88, 0x01, 0x17, 0x03, 0x00, 0x16, 0xBD, 0xA8, 0x26, 0x06, 0x23, 0xBD,
 635         0xA8, 0x26, 0x15, 0x26, 0x06, 0x18, 0x26, 0x01, 0x82, 0x00, 0x0F, 0x06,
 636         0x05, 0x01, 0x82, 0x00, 0x04, 0x01, 0x26, 0x03, 0x01, 0x82, 0x02, 0x01,
 637         0xB4, 0x02, 0x01, 0x12, 0x04, 0x65, 0x99, 0x13, 0x04, 0x5A, 0x99, 0x14,
 638         0x99, 0x02, 0x00, 0x2A, 0x00, 0x00, 0xB7, 0x26, 0x58, 0x06, 0x07, 0x25,
 639         0x06, 0x02, 0x64, 0x28, 0x04, 0x74, 0x00, 0x00, 0xC0, 0x01, 0x03, 0xBE,
 640         0x44, 0x25, 0x44, 0x00, 0x00, 0xBD, 0xC4, 0x00, 0x03, 0x01, 0x00, 0x03,
 641         0x00, 0xBD, 0xA8, 0x26, 0x06, 0x80, 0x50, 0xBF, 0x03, 0x01, 0xBF, 0x03,
 642         0x02, 0x02, 0x01, 0x01, 0x08, 0x0E, 0x06, 0x16, 0x02, 0x02, 0x01, 0x0F,
 643         0x0C, 0x06, 0x0D, 0x01, 0x01, 0x02, 0x02, 0x01, 0x10, 0x08, 0x0B, 0x02,
 644         0x00, 0x37, 0x03, 0x00, 0x04, 0x2A, 0x02, 0x01, 0x01, 0x02, 0x10, 0x02,
 645         0x01, 0x01, 0x06, 0x0C, 0x17, 0x02, 0x02, 0x01, 0x01, 0x0E, 0x02, 0x02,
 646         0x01, 0x03, 0x0E, 0x37, 0x17, 0x06, 0x11, 0x02, 0x00, 0x01, 0x01, 0x02,
 647         0x02, 0x5B, 0x01, 0x02, 0x0B, 0x02, 0x01, 0x08, 0x0B, 0x37, 0x03, 0x00,
 648         0x04, 0xFF, 0x2C, 0x99, 0x02, 0x00, 0x00, 0x00, 0xBD, 0x01, 0x01, 0x0E,
 649         0x05, 0x02, 0x63, 0x28, 0xBF, 0x01, 0x08, 0x08, 0x80, 0x2E, 0x0E, 0x05,
 650         0x02, 0x63, 0x28, 0x00, 0x00, 0xBD, 0x86, 0x2E, 0x05, 0x15, 0x01, 0x01,
 651         0x0E, 0x05, 0x02, 0x67, 0x28, 0xBF, 0x01, 0x00, 0x0E, 0x05, 0x02, 0x67,
 652         0x28, 0x01, 0x02, 0x86, 0x3E, 0x04, 0x1C, 0x01, 0x19, 0x0E, 0x05, 0x02,
 653         0x67, 0x28, 0xBF, 0x01, 0x18, 0x0E, 0x05, 0x02, 0x67, 0x28, 0x82, 0x01,
 654         0x18, 0xB4, 0x87, 0x82, 0x01, 0x18, 0x30, 0x05, 0x02, 0x67, 0x28, 0x00,
 655         0x00, 0xBD, 0x06, 0x02, 0x68, 0x28, 0x00, 0x00, 0x01, 0x02, 0x95, 0xC0,
 656         0x01, 0x08, 0x0B, 0xC0, 0x08, 0x00, 0x00, 0x01, 0x03, 0x95, 0xC0, 0x01,
 657         0x08, 0x0B, 0xC0, 0x08, 0x01, 0x08, 0x0B, 0xC0, 0x08, 0x00, 0x00, 0x01,
 658         0x01, 0x95, 0xC0, 0x00, 0x00, 0x3A, 0x26, 0x56, 0x05, 0x01, 0x00, 0x25,
 659         0xCD, 0x04, 0x76, 0x02, 0x03, 0x00, 0x8F, 0x2E, 0x03, 0x01, 0x01, 0x00,
 660         0x26, 0x02, 0x01, 0x0A, 0x06, 0x10, 0x26, 0x01, 0x01, 0x0B, 0x8E, 0x08,
 661         0x2C, 0x02, 0x00, 0x0E, 0x06, 0x01, 0x00, 0x5A, 0x04, 0x6A, 0x25, 0x01,
 662         0x7F, 0x00, 0x00, 0x01, 0x15, 0x85, 0x3E, 0x44, 0x50, 0x25, 0x50, 0x25,
 663         0x29, 0x00, 0x00, 0x01, 0x01, 0x44, 0xC2, 0x00, 0x00, 0x44, 0x38, 0x95,
 664         0x44, 0x26, 0x06, 0x05, 0xC0, 0x25, 0x5B, 0x04, 0x78, 0x25, 0x00, 0x00,
 665         0x26, 0x01, 0x81, 0xAC, 0x00, 0x0E, 0x06, 0x04, 0x25, 0x01, 0x7F, 0x00,
 666         0x98, 0x57, 0x00, 0x02, 0x03, 0x00, 0x77, 0x2C, 0x98, 0x03, 0x01, 0x02,
 667         0x01, 0x01, 0x0F, 0x17, 0x02, 0x01, 0x01, 0x04, 0x11, 0x01, 0x0F, 0x17,
 668         0x02, 0x01, 0x01, 0x08, 0x11, 0x01, 0x0F, 0x17, 0x01, 0x00, 0x38, 0x0E,
 669         0x06, 0x10, 0x25, 0x01, 0x00, 0x01, 0x18, 0x02, 0x00, 0x06, 0x03, 0x47,
 670         0x04, 0x01, 0x48, 0x04, 0x80, 0x68, 0x01, 0x01, 0x38, 0x0E, 0x06, 0x10,
 671         0x25, 0x01, 0x01, 0x01, 0x10, 0x02, 0x00, 0x06, 0x03, 0x47, 0x04, 0x01,
 672         0x48, 0x04, 0x80, 0x52, 0x01, 0x02, 0x38, 0x0E, 0x06, 0x0F, 0x25, 0x01,
 673         0x01, 0x01, 0x20, 0x02, 0x00, 0x06, 0x03, 0x47, 0x04, 0x01, 0x48, 0x04,
 674         0x3D, 0x01, 0x03, 0x38, 0x0E, 0x06, 0x0E, 0x25, 0x25, 0x01, 0x10, 0x02,
 675         0x00, 0x06, 0x03, 0x45, 0x04, 0x01, 0x46, 0x04, 0x29, 0x01, 0x04, 0x38,
 676         0x0E, 0x06, 0x0E, 0x25, 0x25, 0x01, 0x20, 0x02, 0x00, 0x06, 0x03, 0x45,
 677         0x04, 0x01, 0x46, 0x04, 0x15, 0x01, 0x05, 0x38, 0x0E, 0x06, 0x0C, 0x25,
 678         0x25, 0x02, 0x00, 0x06, 0x03, 0x49, 0x04, 0x01, 0x4A, 0x04, 0x03, 0x66,
 679         0x28, 0x25, 0x00, 0x00, 0x98, 0x01, 0x0C, 0x11, 0x01, 0x02, 0x0F, 0x00,
 680         0x00, 0x98, 0x01, 0x0C, 0x11, 0x26, 0x59, 0x44, 0x01, 0x03, 0x0A, 0x17,
 681         0x00, 0x00, 0x98, 0x01, 0x0C, 0x11, 0x01, 0x01, 0x0E, 0x00, 0x00, 0x98,
 682         0x01, 0x0C, 0x11, 0x58, 0x00, 0x00, 0x1B, 0x01, 0x00, 0x73, 0x2E, 0x26,
 683         0x06, 0x1F, 0x01, 0x01, 0x38, 0x0E, 0x06, 0x06, 0x25, 0x01, 0x00, 0x9C,
 684         0x04, 0x11, 0x01, 0x02, 0x38, 0x0E, 0x06, 0x0A, 0x25, 0x75, 0x2E, 0x06,
 685         0x03, 0x01, 0x10, 0x37, 0x04, 0x01, 0x25, 0x04, 0x01, 0x25, 0x79, 0x2E,
 686         0x05, 0x33, 0x2F, 0x06, 0x30, 0x84, 0x2E, 0x01, 0x14, 0x38, 0x0E, 0x06,
 687         0x06, 0x25, 0x01, 0x02, 0x37, 0x04, 0x22, 0x01, 0x15, 0x38, 0x0E, 0x06,
 688         0x09, 0x25, 0xAB, 0x06, 0x03, 0x01, 0x7F, 0x9C, 0x04, 0x13, 0x01, 0x16,
 689         0x38, 0x0E, 0x06, 0x06, 0x25, 0x01, 0x01, 0x37, 0x04, 0x07, 0x25, 0x01,
 690         0x04, 0x37, 0x01, 0x00, 0x25, 0x1A, 0x06, 0x03, 0x01, 0x08, 0x37, 0x00,
 691         0x00, 0x1B, 0x26, 0x05, 0x0F, 0x2F, 0x06, 0x0C, 0x84, 0x2E, 0x01, 0x15,
 692         0x0E, 0x06, 0x04, 0x25, 0xAB, 0x04, 0x01, 0x20, 0x00, 0x00, 0xCB, 0x01,
 693         0x07, 0x17, 0x01, 0x01, 0x0F, 0x06, 0x02, 0x70, 0x28, 0x00, 0x01, 0x03,
 694         0x00, 0x29, 0x1A, 0x06, 0x05, 0x02, 0x00, 0x85, 0x3E, 0x00, 0xCB, 0x25,
 695         0x04, 0x74, 0x00, 0x01, 0x14, 0xCE, 0x01, 0x01, 0xDB, 0x29, 0x26, 0x01,
 696         0x00, 0xC6, 0x01, 0x16, 0xCE, 0xD4, 0x29, 0x00, 0x00, 0x01, 0x0B, 0xDB,
 697         0x4C, 0x26, 0x26, 0x01, 0x03, 0x08, 0xDA, 0xDA, 0x18, 0x26, 0x56, 0x06,
 698         0x02, 0x25, 0x00, 0xDA, 0x1D, 0x26, 0x06, 0x05, 0x82, 0x44, 0xD5, 0x04,
 699         0x77, 0x25, 0x04, 0x6C, 0x00, 0x21, 0x01, 0x0F, 0xDB, 0x26, 0x90, 0x2C,
 700         0x01, 0x86, 0x03, 0x10, 0x06, 0x0C, 0x01, 0x04, 0x08, 0xDA, 0x7E, 0x2E,
 701         0xDB, 0x76, 0x2E, 0xDB, 0x04, 0x02, 0x5C, 0xDA, 0x26, 0xD9, 0x82, 0x44,
 702         0xD5, 0x00, 0x02, 0xA2, 0xA4, 0x08, 0xA0, 0x08, 0xA3, 0x08, 0xA5, 0x08,
 703         0xA1, 0x08, 0x27, 0x08, 0x03, 0x00, 0x01, 0x01, 0xDB, 0x01, 0x27, 0x8C,
 704         0x2E, 0x08, 0x8F, 0x2E, 0x01, 0x01, 0x0B, 0x08, 0x02, 0x00, 0x06, 0x04,
 705         0x5C, 0x02, 0x00, 0x08, 0x81, 0x2C, 0x38, 0x09, 0x26, 0x59, 0x06, 0x24,
 706         0x02, 0x00, 0x05, 0x04, 0x44, 0x5C, 0x44, 0x5D, 0x01, 0x04, 0x09, 0x26,
 707         0x56, 0x06, 0x03, 0x25, 0x01, 0x00, 0x26, 0x01, 0x04, 0x08, 0x02, 0x00,
 708         0x08, 0x03, 0x00, 0x44, 0x01, 0x04, 0x08, 0x38, 0x08, 0x44, 0x04, 0x03,
 709         0x25, 0x01, 0x7F, 0x03, 0x01, 0xDA, 0x92, 0x2C, 0xD9, 0x78, 0x01, 0x04,
 710         0x19, 0x78, 0x01, 0x04, 0x08, 0x01, 0x1C, 0x32, 0x78, 0x01, 0x20, 0xD5,
 711         0x8B, 0x8C, 0x2E, 0xD7, 0x8F, 0x2E, 0x26, 0x01, 0x01, 0x0B, 0xD9, 0x8E,
 712         0x44, 0x26, 0x06, 0x0F, 0x5B, 0x38, 0x2C, 0x26, 0xC5, 0x05, 0x02, 0x60,
 713         0x28, 0xD9, 0x44, 0x5C, 0x44, 0x04, 0x6E, 0x5E, 0x01, 0x01, 0xDB, 0x01,
 714         0x00, 0xDB, 0x02, 0x00, 0x06, 0x81, 0x5A, 0x02, 0x00, 0xD9, 0xA2, 0x06,
 715         0x0E, 0x01, 0x83, 0xFE, 0x01, 0xD9, 0x87, 0xA2, 0x01, 0x04, 0x09, 0x26,
 716         0xD9, 0x5B, 0xD7, 0xA4, 0x06, 0x16, 0x01, 0x00, 0xD9, 0x89, 0xA4, 0x01,
 717         0x04, 0x09, 0x26, 0xD9, 0x01, 0x02, 0x09, 0x26, 0xD9, 0x01, 0x00, 0xDB,
 718         0x01, 0x03, 0x09, 0xD6, 0xA0, 0x06, 0x0C, 0x01, 0x01, 0xD9, 0x01, 0x01,
 719         0xD9, 0x80, 0x2E, 0x01, 0x08, 0x09, 0xDB, 0xA3, 0x06, 0x19, 0x01, 0x0D,
 720         0xD9, 0xA3, 0x01, 0x04, 0x09, 0x26, 0xD9, 0x01, 0x02, 0x09, 0xD9, 0x42,
 721         0x06, 0x03, 0x01, 0x03, 0xD8, 0x43, 0x06, 0x03, 0x01, 0x01, 0xD8, 0xA5,
 722         0x26, 0x06, 0x36, 0x01, 0x0A, 0xD9, 0x01, 0x04, 0x09, 0x26, 0xD9, 0x5D,
 723         0xD9, 0x40, 0x01, 0x00, 0x26, 0x01, 0x82, 0x80, 0x80, 0x80, 0x00, 0x17,
 724         0x06, 0x0A, 0x01, 0xFD, 0xFF, 0xFF, 0xFF, 0x7F, 0x17, 0x01, 0x1D, 0xD9,
 725         0x26, 0x01, 0x20, 0x0A, 0x06, 0x0C, 0x9E, 0x11, 0x01, 0x01, 0x17, 0x06,
 726         0x02, 0x26, 0xD9, 0x5A, 0x04, 0x6E, 0x5E, 0x04, 0x01, 0x25, 0xA1, 0x06,
 727         0x0A, 0x01, 0x0B, 0xD9, 0x01, 0x02, 0xD9, 0x01, 0x82, 0x00, 0xD9, 0x27,
 728         0x26, 0x06, 0x1F, 0x01, 0x10, 0xD9, 0x01, 0x04, 0x09, 0x26, 0xD9, 0x5D,
 729         0xD9, 0x83, 0x2C, 0x01, 0x00, 0x9E, 0x0F, 0x06, 0x0A, 0x26, 0x1E, 0x26,
 730         0xDB, 0x82, 0x44, 0xD5, 0x5A, 0x04, 0x72, 0x5E, 0x04, 0x01, 0x25, 0x02,
 731         0x01, 0x56, 0x05, 0x11, 0x01, 0x15, 0xD9, 0x02, 0x01, 0x26, 0xD9, 0x26,
 732         0x06, 0x06, 0x5B, 0x01, 0x00, 0xDB, 0x04, 0x77, 0x25, 0x00, 0x00, 0x01,
 733         0x10, 0xDB, 0x77, 0x2C, 0x26, 0xCA, 0x06, 0x0C, 0xA9, 0x23, 0x26, 0x5C,
 734         0xDA, 0x26, 0xD9, 0x82, 0x44, 0xD5, 0x04, 0x0D, 0x26, 0xC8, 0x44, 0xA9,
 735         0x22, 0x26, 0x5A, 0xDA, 0x26, 0xDB, 0x82, 0x44, 0xD5, 0x00, 0x00, 0x9A,
 736         0x01, 0x14, 0xDB, 0x01, 0x0C, 0xDA, 0x82, 0x01, 0x0C, 0xD5, 0x00, 0x00,
 737         0x4F, 0x26, 0x01, 0x00, 0x0E, 0x06, 0x02, 0x5E, 0x00, 0xCB, 0x25, 0x04,
 738         0x73, 0x00, 0x26, 0xD9, 0xD5, 0x00, 0x00, 0x26, 0xDB, 0xD5, 0x00, 0x01,
 739         0x03, 0x00, 0x41, 0x25, 0x26, 0x01, 0x10, 0x17, 0x06, 0x06, 0x01, 0x04,
 740         0xDB, 0x02, 0x00, 0xDB, 0x26, 0x01, 0x08, 0x17, 0x06, 0x06, 0x01, 0x03,
 741         0xDB, 0x02, 0x00, 0xDB, 0x26, 0x01, 0x20, 0x17, 0x06, 0x06, 0x01, 0x05,
 742         0xDB, 0x02, 0x00, 0xDB, 0x26, 0x01, 0x80, 0x40, 0x17, 0x06, 0x06, 0x01,
 743         0x06, 0xDB, 0x02, 0x00, 0xDB, 0x01, 0x04, 0x17, 0x06, 0x06, 0x01, 0x02,
 744         0xDB, 0x02, 0x00, 0xDB, 0x00, 0x00, 0x26, 0x01, 0x08, 0x4D, 0xDB, 0xDB,
 745         0x00, 0x00, 0x26, 0x01, 0x10, 0x4D, 0xDB, 0xD9, 0x00, 0x00, 0x26, 0x50,
 746         0x06, 0x02, 0x25, 0x00, 0xCB, 0x25, 0x04, 0x76
 747 };
 748
 749 static const uint16_t t0_caddr[] = {
 750         0,
 751         5,
 752         10,
 753         15,
 754         20,
 755         25,
 756         30,
 757         35,
 758         40,
 759         44,
 760         48,
 761         52,
 762         56,
 763         60,
 764         64,
 765         68,
 766         72,
 767         76,
 768         80,
 769         84,
 770         88,
 771         92,
 772         96,
 773         100,
 774         104,
 775         108,
 776         112,
 777         116,
 778         120,
 779         124,
 780         129,
 781         134,
 782         139,
 783         144,
 784         149,
 785         154,
 786         159,
 787         164,
 788         169,
 789         174,
 790         179,
 791         184,
 792         189,
 793         194,
 794         199,
 795         204,
 796         209,
 797         214,
 798         219,
 799         224,
 800         229,
 801         234,
 802         239,
 803         244,
 804         249,
 805         254,
 806         259,
 807         264,
 808         269,
 809         274,
 810         279,
 811         284,
 812         289,
 813         294,
 814         303,
 815         316,
 816         320,
 817         345,
 818         351,
 819         370,
 820         381,
 821         415,
 822         535,
 823         539,
 824         604,
 825         619,
 826         630,
 827         648,
 828         677,
 829         687,
 830         723,
 831         733,
 832         803,
 833         817,
 834         823,
 835         882,
 836         901,
 837         936,
 838         985,
 839         1061,
 840         1088,
 841         1119,
 842         1130,
 843         1455,
 844         1602,
 845         1626,
 846         1842,
 847         1856,
 848         1865,
 849         1869,
 850         1964,
 851         1985,
 852         2041,
 853         2048,
 854         2059,
 855         2075,
 856         2081,
 857         2092,
 858         2127,
 859         2139,
 860         2145,
 861         2160,
 862         2176,
 863         2332,
 864         2341,
 865         2354,
 866         2363,
 867         2370,
 868         2473,
 869         2494,
 870         2507,
 871         2523,
 872         2541,
 873         2573,
 874         2607,
 875         2975,
 876         3011,
 877         3024,
 878         3038,
 879         3043,
 880         3048,
 881         3114,
 882         3122,
 883         3130
 884 };
 885
 886 #define T0_INTERPRETED   86
 887
 888 #define T0_ENTER(ip, rp, slot)   do { \
 889                 const unsigned char *t0_newip; \
 890                 uint32_t t0_lnum; \
 891                 t0_newip = &t0_codeblock[t0_caddr[(slot) - T0_INTERPRETED]]; \
 892                 t0_lnum = t0_parse7E_unsigned(&t0_newip); \
 893                 (rp) += t0_lnum; \
 894                 *((rp) ++) = (uint32_t)((ip) - &t0_codeblock[0]) + (t0_lnum << 16); \
 895                 (ip) = t0_newip; \
 896         } while (0)
 897
 898 #define T0_DEFENTRY(name, slot) \
 899 void \
 900 name(void *ctx) \
 901 { \
 902         t0_context *t0ctx = ctx; \
 903         t0ctx->ip = &t0_codeblock[0]; \
 904         T0_ENTER(t0ctx->ip, t0ctx->rp, slot); \
 905 }
 906
 907 T0_DEFENTRY(br_ssl_hs_client_init_main, 167)
 908
 909 #define T0_NEXT(t0ipp)   (*(*(t0ipp)) ++)
 910
 911 void
 912 br_ssl_hs_client_run(void *t0ctx)
 913 {
 914         uint32_t *dp, *rp;
 915         const unsigned char *ip;
 916
 917 #define T0_LOCAL(x)    (*(rp - 2 - (x)))
 918 #define T0_POP()       (*-- dp)
 919 #define T0_POPi()      (*(int32_t *)(-- dp))
 920 #define T0_PEEK(x)     (*(dp - 1 - (x)))
 921 #define T0_PEEKi(x)    (*(int32_t *)(dp - 1 - (x)))
 922 #define T0_PUSH(v)     do { *dp = (v); dp ++; } while (0)
 923 #define T0_PUSHi(v)    do { *(int32_t *)dp = (v); dp ++; } while (0)
 924 #define T0_RPOP()      (*-- rp)
 925 #define T0_RPOPi()     (*(int32_t *)(-- rp))
 926 #define T0_RPUSH(v)    do { *rp = (v); rp ++; } while (0)
 927 #define T0_RPUSHi(v)   do { *(int32_t *)rp = (v); rp ++; } while (0)
 928 #define T0_ROLL(x)     do { \
 929         size_t t0len = (size_t)(x); \
 930         uint32_t t0tmp = *(dp - 1 - t0len); \
 931         memmove(dp - t0len - 1, dp - t0len, t0len * sizeof *dp); \
 932         *(dp - 1) = t0tmp; \
 933 } while (0)
 934 #define T0_SWAP()      do { \
 935         uint32_t t0tmp = *(dp - 2); \
 936         *(dp - 2) = *(dp - 1); \
 937         *(dp - 1) = t0tmp; \
 938 } while (0)
 939 #define T0_ROT()       do { \
 940         uint32_t t0tmp = *(dp - 3); \
 941         *(dp - 3) = *(dp - 2); \
 942         *(dp - 2) = *(dp - 1); \
 943         *(dp - 1) = t0tmp; \
 944 } while (0)
 945 #define T0_NROT()       do { \
 946         uint32_t t0tmp = *(dp - 1); \
 947         *(dp - 1) = *(dp - 2); \
 948         *(dp - 2) = *(dp - 3); \
 949         *(dp - 3) = t0tmp; \
 950 } while (0)
 951 #define T0_PICK(x)      do { \
 952         uint32_t t0depth = (x); \
 953         T0_PUSH(T0_PEEK(t0depth)); \
 954 } while (0)
 955 #define T0_CO()         do { \
 956         goto t0_exit; \
 957 } while (0)
 958 #define T0_RET()        goto t0_next
 959
 960         dp = ((t0_context *)t0ctx)->dp;
 961         rp = ((t0_context *)t0ctx)->rp;
 962         ip = ((t0_context *)t0ctx)->ip;
 963         goto t0_next;
 964         for (;;) {
 965                 uint32_t t0x;
 966
 967         t0_next:
 968                 t0x = T0_NEXT(&ip);
 969                 if (t0x < T0_INTERPRETED) {
 970                         switch (t0x) {
 971                                 int32_t t0off;
 972
 973                         case 0: /* ret */
 974                                 t0x = T0_RPOP();
 975                                 rp -= (t0x >> 16);
 976                                 t0x &= 0xFFFF;
 977                                 if (t0x == 0) {
 978                                         ip = NULL;
 979                                         goto t0_exit;
 980                                 }
 981                                 ip = &t0_codeblock[t0x];
 982                                 break;
 983                         case 1: /* literal constant */
 984                                 T0_PUSHi(t0_parse7E_signed(&ip));
 985                                 break;
 986                         case 2: /* read local */
 987                                 T0_PUSH(T0_LOCAL(t0_parse7E_unsigned(&ip)));
 988                                 break;
 989                         case 3: /* write local */
 990                                 T0_LOCAL(t0_parse7E_unsigned(&ip)) = T0_POP();
 991                                 break;
 992                         case 4: /* jump */
 993                                 t0off = t0_parse7E_signed(&ip);
 994                                 ip += t0off;
 995                                 break;
 996                         case 5: /* jump if */
 997                                 t0off = t0_parse7E_signed(&ip);
 998                                 if (T0_POP()) {
 999                                         ip += t0off;
1000                                 }
1001                                 break;
1002                         case 6: /* jump if not */
1003                                 t0off = t0_parse7E_signed(&ip);
1004                                 if (!T0_POP()) {
1005                                         ip += t0off;
1006                                 }
1007                                 break;
1008                         case 7: {
1009                                 /* * */
1010
1011         uint32_t b = T0_POP();
1012         uint32_t a = T0_POP();
1013         T0_PUSH(a * b);
1014
1015                                 }
1016                                 break;
1017                         case 8: {
1018                                 /* + */
1019
1020         uint32_t b = T0_POP();
1021         uint32_t a = T0_POP();
1022         T0_PUSH(a + b);
1023
1024                                 }
1025                                 break;
1026                         case 9: {
1027                                 /* - */
1028
1029         uint32_t b = T0_POP();
1030         uint32_t a = T0_POP();
1031         T0_PUSH(a - b);
1032
1033                                 }
1034                                 break;
1035                         case 10: {
1036                                 /* < */
1037
1038         int32_t b = T0_POPi();
1039         int32_t a = T0_POPi();
1040         T0_PUSH(-(uint32_t)(a < b));
1041
1042                                 }
1043                                 break;
1044                         case 11: {
1045                                 /* << */
1046
1047         int c = (int)T0_POPi();
1048         uint32_t x = T0_POP();
1049         T0_PUSH(x << c);
1050
1051                                 }
1052                                 break;
1053                         case 12: {
1054                                 /* <= */
1055
1056         int32_t b = T0_POPi();
1057         int32_t a = T0_POPi();
1058         T0_PUSH(-(uint32_t)(a <= b));
1059
1060                                 }
1061                                 break;
1062                         case 13: {
1063                                 /* <> */
1064
1065         uint32_t b = T0_POP();
1066         uint32_t a = T0_POP();
1067         T0_PUSH(-(uint32_t)(a != b));
1068
1069                                 }
1070                                 break;
1071                         case 14: {
1072                                 /* = */
1073
1074         uint32_t b = T0_POP();
1075         uint32_t a = T0_POP();
1076         T0_PUSH(-(uint32_t)(a == b));
1077
1078                                 }
1079                                 break;
1080                         case 15: {
1081                                 /* > */
1082
1083         int32_t b = T0_POPi();
1084         int32_t a = T0_POPi();
1085         T0_PUSH(-(uint32_t)(a > b));
1086
1087                                 }
1088                                 break;
1089                         case 16: {
1090                                 /* >= */
1091
1092         int32_t b = T0_POPi();
1093         int32_t a = T0_POPi();
1094         T0_PUSH(-(uint32_t)(a >= b));
1095
1096                                 }
1097                                 break;
1098                         case 17: {
1099                                 /* >> */
1100
1101         int c = (int)T0_POPi();
1102         int32_t x = T0_POPi();
1103         T0_PUSHi(x >> c);
1104
1105                                 }
1106                                 break;
1107                         case 18: {
1108                                 /* anchor-dn-append-name */
1109
1110         size_t len;
1111
1112         len = T0_POP();
1113         if (CTX->client_auth_vtable != NULL) {
1114                 (*CTX->client_auth_vtable)->append_name(
1115                         CTX->client_auth_vtable, ENG->pad, len);
1116         }
1117
1118                                 }
1119                                 break;
1120                         case 19: {
1121                                 /* anchor-dn-end-name */
1122
1123         if (CTX->client_auth_vtable != NULL) {
1124                 (*CTX->client_auth_vtable)->end_name(
1125                         CTX->client_auth_vtable);
1126         }
1127
1128                                 }
1129                                 break;
1130                         case 20: {
1131                                 /* anchor-dn-end-name-list */
1132
1133         if (CTX->client_auth_vtable != NULL) {
1134                 (*CTX->client_auth_vtable)->end_name_list(
1135                         CTX->client_auth_vtable);
1136         }
1137
1138                                 }
1139                                 break;
1140                         case 21: {
1141                                 /* anchor-dn-start-name */
1142
1143         size_t len;
1144
1145         len = T0_POP();
1146         if (CTX->client_auth_vtable != NULL) {
1147                 (*CTX->client_auth_vtable)->start_name(
1148                         CTX->client_auth_vtable, len);
1149         }
1150
1151                                 }
1152                                 break;
1153                         case 22: {
1154                                 /* anchor-dn-start-name-list */
1155
1156         if (CTX->client_auth_vtable != NULL) {
1157                 (*CTX->client_auth_vtable)->start_name_list(
1158                         CTX->client_auth_vtable);
1159         }
1160
1161                                 }
1162                                 break;
1163                         case 23: {
1164                                 /* and */
1165
1166         uint32_t b = T0_POP();
1167         uint32_t a = T0_POP();
1168         T0_PUSH(a & b);
1169
1170                                 }
1171                                 break;
1172                         case 24: {
1173                                 /* begin-cert */
1174
1175         if (ENG->chain_len == 0) {
1176                 T0_PUSHi(-1);
1177         } else {
1178                 ENG->cert_cur = ENG->chain->data;
1179                 ENG->cert_len = ENG->chain->data_len;
1180                 ENG->chain ++;
1181                 ENG->chain_len --;
1182                 T0_PUSH(ENG->cert_len);
1183         }
1184
1185                                 }
1186                                 break;
1187                         case 25: {
1188                                 /* bzero */
1189
1190         size_t len = (size_t)T0_POP();
1191         void *addr = (unsigned char *)ENG + (size_t)T0_POP();
1192         memset(addr, 0, len);
1193
1194                                 }
1195                                 break;
1196                         case 26: {
1197                                 /* can-output? */
1198
1199         T0_PUSHi(-(ENG->hlen_out > 0));
1200
1201                                 }
1202                                 break;
1203                         case 27: {
1204                                 /* co */
1205  T0_CO();
1206                                 }
1207                                 break;
1208                         case 28: {
1209                                 /* compute-Finished-inner */
1210
1211         int prf_id = T0_POP();
1212         int from_client = T0_POPi();
1213         unsigned char seed[48];
1214         size_t seed_len;
1215
1216         br_tls_prf_impl prf = br_ssl_engine_get_PRF(ENG, prf_id);
1217         if (ENG->session.version >= BR_TLS12) {
1218                 seed_len = br_multihash_out(&ENG->mhash, prf_id, seed);
1219         } else {
1220                 br_multihash_out(&ENG->mhash, br_md5_ID, seed);
1221                 br_multihash_out(&ENG->mhash, br_sha1_ID, seed + 16);
1222                 seed_len = 36;
1223         }
1224         prf(ENG->pad, 12, ENG->session.master_secret,
1225                 sizeof ENG->session.master_secret,
1226                 from_client ? "client finished" : "server finished",
1227                 seed, seed_len);
1228
1229                                 }
1230                                 break;
1231                         case 29: {
1232                                 /* copy-cert-chunk */
1233
1234         size_t clen;
1235
1236         clen = ENG->cert_len;
1237         if (clen > sizeof ENG->pad) {
1238                 clen = sizeof ENG->pad;
1239         }
1240         memcpy(ENG->pad, ENG->cert_cur, clen);
1241         ENG->cert_cur += clen;
1242         ENG->cert_len -= clen;
1243         T0_PUSH(clen);
1244
1245                                 }
1246                                 break;
1247                         case 30: {
1248                                 /* copy-protocol-name */
1249
1250         size_t idx = T0_POP();
1251         size_t len = strlen(ENG->protocol_names[idx]);
1252         memcpy(ENG->pad, ENG->protocol_names[idx], len);
1253         T0_PUSH(len);
1254
1255                                 }
1256                                 break;
1257                         case 31: {
1258                                 /* data-get8 */
1259
1260         size_t addr = T0_POP();
1261         T0_PUSH(t0_datablock[addr]);
1262
1263                                 }
1264                                 break;
1265                         case 32: {
1266                                 /* discard-input */
1267
1268         ENG->hlen_in = 0;
1269
1270                                 }
1271                                 break;
1272                         case 33: {
1273                                 /* do-client-sign */
1274
1275         size_t sig_len;
1276
1277         sig_len = make_client_sign(CTX);
1278         if (sig_len == 0) {
1279                 br_ssl_engine_fail(ENG, BR_ERR_INVALID_ALGORITHM);
1280                 T0_CO();
1281         }
1282         T0_PUSH(sig_len);
1283
1284                                 }
1285                                 break;
1286                         case 34: {
1287                                 /* do-ecdh */
1288
1289         unsigned prf_id = T0_POP();
1290         unsigned ecdhe = T0_POP();
1291         int x;
1292
1293         x = make_pms_ecdh(CTX, ecdhe, prf_id);
1294         if (x < 0) {
1295                 br_ssl_engine_fail(ENG, -x);
1296                 T0_CO();
1297         } else {
1298                 T0_PUSH(x);
1299         }
1300
1301                                 }
1302                                 break;
1303                         case 35: {
1304                                 /* do-rsa-encrypt */
1305
1306         int x;
1307
1308         x = make_pms_rsa(CTX, T0_POP());
1309         if (x < 0) {
1310                 br_ssl_engine_fail(ENG, -x);
1311                 T0_CO();
1312         } else {
1313                 T0_PUSH(x);
1314         }
1315
1316                                 }
1317                                 break;
1318                         case 36: {
1319                                 /* do-static-ecdh */
1320
1321         unsigned prf_id = T0_POP();
1322
1323         if (make_pms_static_ecdh(CTX, prf_id) < 0) {
1324                 br_ssl_engine_fail(ENG, BR_ERR_INVALID_ALGORITHM);
1325                 T0_CO();
1326         }
1327
1328                                 }
1329                                 break;
1330                         case 37: {
1331                                 /* drop */
1332  (void)T0_POP();
1333                                 }
1334                                 break;
1335                         case 38: {
1336                                 /* dup */
1337  T0_PUSH(T0_PEEK(0));
1338                                 }
1339                                 break;
1340                         case 39: {
1341                                 /* ext-ALPN-length */
1342
1343         size_t u, len;
1344
1345         if (ENG->protocol_names_num == 0) {
1346                 T0_PUSH(0);
1347                 T0_RET();
1348         }
1349         len = 6;
1350         for (u = 0; u < ENG->protocol_names_num; u ++) {
1351                 len += 1 + strlen(ENG->protocol_names[u]);
1352         }
1353         T0_PUSH(len);
1354
1355                                 }
1356                                 break;
1357                         case 40: {
1358                                 /* fail */
1359
1360         br_ssl_engine_fail(ENG, (int)T0_POPi());
1361         T0_CO();
1362
1363                                 }
1364                                 break;
1365                         case 41: {
1366                                 /* flush-record */
1367
1368         br_ssl_engine_flush_record(ENG);
1369
1370                                 }
1371                                 break;
1372                         case 42: {
1373                                 /* get-client-chain */
1374
1375         uint32_t auth_types;
1376
1377         auth_types = T0_POP();
1378         if (CTX->client_auth_vtable != NULL) {
1379                 br_ssl_client_certificate ux;
1380
1381                 (*CTX->client_auth_vtable)->choose(CTX->client_auth_vtable,
1382                         CTX, auth_types, &ux);
1383                 CTX->auth_type = (unsigned char)ux.auth_type;
1384                 CTX->hash_id = (unsigned char)ux.hash_id;
1385                 ENG->chain = ux.chain;
1386                 ENG->chain_len = ux.chain_len;
1387         } else {
1388                 CTX->hash_id = 0;
1389                 ENG->chain_len = 0;
1390         }
1391
1392                                 }
1393                                 break;
1394                         case 43: {
1395                                 /* get-key-type-usages */
1396
1397         const br_x509_class *xc;
1398         const br_x509_pkey *pk;
1399         unsigned usages;
1400
1401         xc = *(ENG->x509ctx);
1402         pk = xc->get_pkey(ENG->x509ctx, &usages);
1403         if (pk == NULL) {
1404                 T0_PUSH(0);
1405         } else {
1406                 T0_PUSH(pk->key_type | usages);
1407         }
1408
1409                                 }
1410                                 break;
1411                         case 44: {
1412                                 /* get16 */
1413
1414         size_t addr = (size_t)T0_POP();
1415         T0_PUSH(*(uint16_t *)((unsigned char *)ENG + addr));
1416
1417                                 }
1418                                 break;
1419                         case 45: {
1420                                 /* get32 */
1421
1422         size_t addr = (size_t)T0_POP();
1423         T0_PUSH(*(uint32_t *)((unsigned char *)ENG + addr));
1424
1425                                 }
1426                                 break;
1427                         case 46: {
1428                                 /* get8 */
1429
1430         size_t addr = (size_t)T0_POP();
1431         T0_PUSH(*((unsigned char *)ENG + addr));
1432
1433                                 }
1434                                 break;
1435                         case 47: {
1436                                 /* has-input? */
1437
1438         T0_PUSHi(-(ENG->hlen_in != 0));
1439
1440                                 }
1441                                 break;
1442                         case 48: {
1443                                 /* memcmp */
1444
1445         size_t len = (size_t)T0_POP();
1446         void *addr2 = (unsigned char *)ENG + (size_t)T0_POP();
1447         void *addr1 = (unsigned char *)ENG + (size_t)T0_POP();
1448         int x = memcmp(addr1, addr2, len);
1449         T0_PUSH((uint32_t)-(x == 0));
1450
1451                                 }
1452                                 break;
1453                         case 49: {
1454                                 /* memcpy */
1455
1456         size_t len = (size_t)T0_POP();
1457         void *src = (unsigned char *)ENG + (size_t)T0_POP();
1458         void *dst = (unsigned char *)ENG + (size_t)T0_POP();
1459         memcpy(dst, src, len);
1460
1461                                 }
1462                                 break;
1463                         case 50: {
1464                                 /* mkrand */
1465
1466         size_t len = (size_t)T0_POP();
1467         void *addr = (unsigned char *)ENG + (size_t)T0_POP();
1468         br_hmac_drbg_generate(&ENG->rng, addr, len);
1469
1470                                 }
1471                                 break;
1472                         case 51: {
1473                                 /* more-incoming-bytes? */
1474
1475         T0_PUSHi(ENG->hlen_in != 0 || !br_ssl_engine_recvrec_finished(ENG));
1476
1477                                 }
1478                                 break;
1479                         case 52: {
1480                                 /* multihash-init */
1481
1482         br_multihash_init(&ENG->mhash);
1483
1484                                 }
1485                                 break;
1486                         case 53: {
1487                                 /* neg */
1488
1489         uint32_t a = T0_POP();
1490         T0_PUSH(-a);
1491
1492                                 }
1493                                 break;
1494                         case 54: {
1495                                 /* not */
1496
1497         uint32_t a = T0_POP();
1498         T0_PUSH(~a);
1499
1500                                 }
1501                                 break;
1502                         case 55: {
1503                                 /* or */
1504
1505         uint32_t b = T0_POP();
1506         uint32_t a = T0_POP();
1507         T0_PUSH(a | b);
1508
1509                                 }
1510                                 break;
1511                         case 56: {
1512                                 /* over */
1513  T0_PUSH(T0_PEEK(1));
1514                                 }
1515                                 break;
1516                         case 57: {
1517                                 /* read-chunk-native */
1518
1519         size_t clen = ENG->hlen_in;
1520         if (clen > 0) {
1521                 uint32_t addr, len;
1522
1523                 len = T0_POP();
1524                 addr = T0_POP();
1525                 if ((size_t)len < clen) {
1526                         clen = (size_t)len;
1527                 }
1528                 memcpy((unsigned char *)ENG + addr, ENG->hbuf_in, clen);
1529                 if (ENG->record_type_in == BR_SSL_HANDSHAKE) {
1530                         br_multihash_update(&ENG->mhash, ENG->hbuf_in, clen);
1531                 }
1532                 T0_PUSH(addr + (uint32_t)clen);
1533                 T0_PUSH(len - (uint32_t)clen);
1534                 ENG->hbuf_in += clen;
1535                 ENG->hlen_in -= clen;
1536         }
1537
1538                                 }
1539                                 break;
1540                         case 58: {
1541                                 /* read8-native */
1542
1543         if (ENG->hlen_in > 0) {
1544                 unsigned char x;
1545
1546                 x = *ENG->hbuf_in ++;
1547                 if (ENG->record_type_in == BR_SSL_HANDSHAKE) {
1548                         br_multihash_update(&ENG->mhash, &x, 1);
1549                 }
1550                 T0_PUSH(x);
1551                 ENG->hlen_in --;
1552         } else {
1553                 T0_PUSHi(-1);
1554         }
1555
1556                                 }
1557                                 break;
1558                         case 59: {
1559                                 /* set-server-curve */
1560
1561         const br_x509_class *xc;
1562         const br_x509_pkey *pk;
1563
1564         xc = *(ENG->x509ctx);
1565         pk = xc->get_pkey(ENG->x509ctx, NULL);
1566         CTX->server_curve =
1567                 (pk->key_type == BR_KEYTYPE_EC) ? pk->key.ec.curve : 0;
1568
1569                                 }
1570                                 break;
1571                         case 60: {
1572                                 /* set16 */
1573
1574         size_t addr = (size_t)T0_POP();
1575         *(uint16_t *)((unsigned char *)ENG + addr) = (uint16_t)T0_POP();
1576
1577                                 }
1578                                 break;
1579                         case 61: {
1580                                 /* set32 */
1581
1582         size_t addr = (size_t)T0_POP();
1583         *(uint32_t *)((unsigned char *)ENG + addr) = (uint32_t)T0_POP();
1584
1585                                 }
1586                                 break;
1587                         case 62: {
1588                                 /* set8 */
1589
1590         size_t addr = (size_t)T0_POP();
1591         *((unsigned char *)ENG + addr) = (unsigned char)T0_POP();
1592
1593                                 }
1594                                 break;
1595                         case 63: {
1596                                 /* strlen */
1597
1598         void *str = (unsigned char *)ENG + (size_t)T0_POP();
1599         T0_PUSH((uint32_t)strlen(str));
1600
1601                                 }
1602                                 break;
1603                         case 64: {
1604                                 /* supported-curves */
1605
1606         uint32_t x = ENG->iec == NULL ? 0 : ENG->iec->supported_curves;
1607         T0_PUSH(x);
1608
1609                                 }
1610                                 break;
1611                         case 65: {
1612                                 /* supported-hash-functions */
1613
1614         int i;
1615         unsigned x, num;
1616
1617         x = 0;
1618         num = 0;
1619         for (i = br_sha1_ID; i <= br_sha512_ID; i ++) {
1620                 if (br_multihash_getimpl(&ENG->mhash, i)) {
1621                         x |= 1U << i;
1622                         num ++;
1623                 }
1624         }
1625         T0_PUSH(x);
1626         T0_PUSH(num);
1627
1628                                 }
1629                                 break;
1630                         case 66: {
1631                                 /* supports-ecdsa? */
1632
1633         T0_PUSHi(-(ENG->iecdsa != 0));
1634
1635                                 }
1636                                 break;
1637                         case 67: {
1638                                 /* supports-rsa-sign? */
1639
1640         T0_PUSHi(-(ENG->irsavrfy != 0));
1641
1642                                 }
1643                                 break;
1644                         case 68: {
1645                                 /* swap */
1646  T0_SWAP();
1647                                 }
1648                                 break;
1649                         case 69: {
1650                                 /* switch-aesgcm-in */
1651
1652         int is_client, prf_id;
1653         unsigned cipher_key_len;
1654
1655         cipher_key_len = T0_POP();
1656         prf_id = T0_POP();
1657         is_client = T0_POP();
1658         br_ssl_engine_switch_gcm_in(ENG, is_client, prf_id,
1659                 ENG->iaes_ctr, cipher_key_len);
1660
1661                                 }
1662                                 break;
1663                         case 70: {
1664                                 /* switch-aesgcm-out */
1665
1666         int is_client, prf_id;
1667         unsigned cipher_key_len;
1668
1669         cipher_key_len = T0_POP();
1670         prf_id = T0_POP();
1671         is_client = T0_POP();
1672         br_ssl_engine_switch_gcm_out(ENG, is_client, prf_id,
1673                 ENG->iaes_ctr, cipher_key_len);
1674
1675                                 }
1676                                 break;
1677                         case 71: {
1678                                 /* switch-cbc-in */
1679
1680         int is_client, prf_id, mac_id, aes;
1681         unsigned cipher_key_len;
1682
1683         cipher_key_len = T0_POP();
1684         aes = T0_POP();
1685         mac_id = T0_POP();
1686         prf_id = T0_POP();
1687         is_client = T0_POP();
1688         br_ssl_engine_switch_cbc_in(ENG, is_client, prf_id, mac_id,
1689                 aes ? ENG->iaes_cbcdec : ENG->ides_cbcdec, cipher_key_len);
1690
1691                                 }
1692                                 break;
1693                         case 72: {
1694                                 /* switch-cbc-out */
1695
1696         int is_client, prf_id, mac_id, aes;
1697         unsigned cipher_key_len;
1698
1699         cipher_key_len = T0_POP();
1700         aes = T0_POP();
1701         mac_id = T0_POP();
1702         prf_id = T0_POP();
1703         is_client = T0_POP();
1704         br_ssl_engine_switch_cbc_out(ENG, is_client, prf_id, mac_id,
1705                 aes ? ENG->iaes_cbcenc : ENG->ides_cbcenc, cipher_key_len);
1706
1707                                 }
1708                                 break;
1709                         case 73: {
1710                                 /* switch-chapol-in */
1711
1712         int is_client, prf_id;
1713
1714         prf_id = T0_POP();
1715         is_client = T0_POP();
1716         br_ssl_engine_switch_chapol_in(ENG, is_client, prf_id);
1717
1718                                 }
1719                                 break;
1720                         case 74: {
1721                                 /* switch-chapol-out */
1722
1723         int is_client, prf_id;
1724
1725         prf_id = T0_POP();
1726         is_client = T0_POP();
1727         br_ssl_engine_switch_chapol_out(ENG, is_client, prf_id);
1728
1729                                 }
1730                                 break;
1731                         case 75: {
1732                                 /* test-protocol-name */
1733
1734         size_t len = T0_POP();
1735         size_t u;
1736
1737         for (u = 0; u < ENG->protocol_names_num; u ++) {
1738                 const char *name;
1739
1740                 name = ENG->protocol_names[u];
1741                 if (len == strlen(name) && memcmp(ENG->pad, name, len) == 0) {
1742                         T0_PUSH(u);
1743                         T0_RET();
1744                 }
1745         }
1746         T0_PUSHi(-1);
1747
1748                                 }
1749                                 break;
1750                         case 76: {
1751                                 /* total-chain-length */
1752
1753         size_t u;
1754         uint32_t total;
1755
1756         total = 0;
1757         for (u = 0; u < ENG->chain_len; u ++) {
1758                 total += 3 + (uint32_t)ENG->chain[u].data_len;
1759         }
1760         T0_PUSH(total);
1761
1762                                 }
1763                                 break;
1764                         case 77: {
1765                                 /* u>> */
1766
1767         int c = (int)T0_POPi();
1768         uint32_t x = T0_POP();
1769         T0_PUSH(x >> c);
1770
1771                                 }
1772                                 break;
1773                         case 78: {
1774                                 /* verify-SKE-sig */
1775
1776         size_t sig_len = T0_POP();
1777         int use_rsa = T0_POPi();
1778         int hash = T0_POPi();
1779
1780         T0_PUSH(verify_SKE_sig(CTX, hash, use_rsa, sig_len));
1781
1782                                 }
1783                                 break;
1784                         case 79: {
1785                                 /* write-blob-chunk */
1786
1787         size_t clen = ENG->hlen_out;
1788         if (clen > 0) {
1789                 uint32_t addr, len;
1790
1791                 len = T0_POP();
1792                 addr = T0_POP();
1793                 if ((size_t)len < clen) {
1794                         clen = (size_t)len;
1795                 }
1796                 memcpy(ENG->hbuf_out, (unsigned char *)ENG + addr, clen);
1797                 if (ENG->record_type_out == BR_SSL_HANDSHAKE) {
1798                         br_multihash_update(&ENG->mhash, ENG->hbuf_out, clen);
1799                 }
1800                 T0_PUSH(addr + (uint32_t)clen);
1801                 T0_PUSH(len - (uint32_t)clen);
1802                 ENG->hbuf_out += clen;
1803                 ENG->hlen_out -= clen;
1804         }
1805
1806                                 }
1807                                 break;
1808                         case 80: {
1809                                 /* write8-native */
1810
1811         unsigned char x;
1812
1813         x = (unsigned char)T0_POP();
1814         if (ENG->hlen_out > 0) {
1815                 if (ENG->record_type_out == BR_SSL_HANDSHAKE) {
1816                         br_multihash_update(&ENG->mhash, &x, 1);
1817                 }
1818                 *ENG->hbuf_out ++ = x;
1819                 ENG->hlen_out --;
1820                 T0_PUSHi(-1);
1821         } else {
1822                 T0_PUSHi(0);
1823         }
1824
1825                                 }
1826                                 break;
1827                         case 81: {
1828                                 /* x509-append */
1829
1830         const br_x509_class *xc;
1831         size_t len;
1832
1833         xc = *(ENG->x509ctx);
1834         len = T0_POP();
1835         xc->append(ENG->x509ctx, ENG->pad, len);
1836
1837                                 }
1838                                 break;
1839                         case 82: {
1840                                 /* x509-end-cert */
1841
1842         const br_x509_class *xc;
1843
1844         xc = *(ENG->x509ctx);
1845         xc->end_cert(ENG->x509ctx);
1846
1847                                 }
1848                                 break;
1849                         case 83: {
1850                                 /* x509-end-chain */
1851
1852         const br_x509_class *xc;
1853
1854         xc = *(ENG->x509ctx);
1855         T0_PUSH(xc->end_chain(ENG->x509ctx));
1856
1857                                 }
1858                                 break;
1859                         case 84: {
1860                                 /* x509-start-cert */
1861
1862         const br_x509_class *xc;
1863
1864         xc = *(ENG->x509ctx);
1865         xc->start_cert(ENG->x509ctx, T0_POP());
1866
1867                                 }
1868                                 break;
1869                         case 85: {
1870                                 /* x509-start-chain */
1871
1872         const br_x509_class *xc;
1873         uint32_t bc;
1874
1875         bc = T0_POP();
1876         xc = *(ENG->x509ctx);
1877         xc->start_chain(ENG->x509ctx, bc ? ENG->server_name : NULL);
1878
1879                                 }
1880                                 break;
1881                         }
1882
1883                 } else {
1884                         T0_ENTER(ip, rp, t0x);
1885                 }
1886         }
1887 t0_exit:
1888         ((t0_context *)t0ctx)->dp = dp;
1889         ((t0_context *)t0ctx)->rp = rp;
1890         ((t0_context *)t0ctx)->ip = ip;
1891 }