/*

 * Copyright (C) 2000-2016 Free Software Foundation, Inc.

 * Copyright (C) 2015-2018 Red Hat, Inc.

 *

 * Author: Nikos Mavrogiannopoulos

 *

 * This file is part of GnuTLS.

 *

 * The GnuTLS is free software; you can redistribute it and/or

 * modify it under the terms of the GNU Lesser General Public License

 * as published by the Free Software Foundation; either version 2.1 of

 * the License, or (at your option) any later version.

 *

 * This library is distributed in the hope that it will be useful, but

 * WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 * Lesser General Public License for more details.

 *

 * You should have received a copy of the GNU Lesser General Public License

 * along with this program.  If not, see <https://www.gnu.org/licenses/>

 *

 */

/* Functions that relate to the TLS handshake procedure.

 */

#include "gnutls_int.h"

#include "errors.h"

#include "dh.h"

#include "debug.h"

#include "algorithms.h"

#include "cipher.h"

#include "buffers.h"

#include "mbuffers.h"

#include "kx.h"

#include "handshake.h"

#include "num.h"

#include "hash_int.h"

#include "db.h"

#include "hello_ext.h"

#include "supplemental.h"

#include "auth.h"

#include "sslv2_compat.h"

#include "auth/cert.h"

#include "constate.h"

#include "record.h"

#include "state.h"

#include "ext/pre_shared_key.h"

#include "ext/srp.h"

#include "ext/session_ticket.h"

#include "ext/status_request.h"

#include "ext/safe_renegotiation.h"

#include "auth/anon.h" /* for gnutls_anon_server_credentials_t */

#include "auth/psk.h" /* for gnutls_psk_server_credentials_t */

#include "random.h"

#include "dtls.h"

#include "secrets.h"

#include "tls13/early_data.h"

#include "tls13/session_ticket.h"

#include "locks.h"

#include "system/ktls.h"

static int check_if_null_comp_present(gnutls_session_t session, uint8_t *data,

              int datalen);

static int handshake_client(gnutls_session_t session);

static int handshake_server(gnutls_session_t session);

static int read_server_hello(gnutls_session_t session, uint8_t *data,

           int datalen);

static int recv_handshake_final(gnutls_session_t session, int init);

static int send_handshake_final(gnutls_session_t session, int init);

/* Empties but does not free the buffer

 */

inline static void handshake_hash_buffer_reset(gnutls_session_t session)

{

  _gnutls_buffers_log("BUF[HSK]: Emptied buffer\n");

  session->internals.handshake_hash_buffer_client_hello_len = 0;

  session->internals.handshake_hash_buffer_client_kx_len = 0;

  session->internals.handshake_hash_buffer_server_finished_len = 0;

  session->internals.handshake_hash_buffer_client_finished_len = 0;

  session->internals.handshake_hash_buffer_prev_len = 0;

  session->internals.handshake_hash_buffer.length = 0;

  session->internals.full_client_hello.length = 0;

  return;

}

static int handshake_hash_add_recvd(gnutls_session_t session,

            gnutls_handshake_description_t recv_type,

            uint8_t *header, uint16_t header_size,

            uint8_t *dataptr, uint32_t datalen);

static int handshake_hash_add_sent(gnutls_session_t session,

           gnutls_handshake_description_t type,

           uint8_t *dataptr, uint32_t datalen);

static int recv_hello_verify_request(gnutls_session_t session, uint8_t *data,

             int datalen);

/* Clears the handshake hash buffers and handles.

 */

void _gnutls_handshake_hash_buffers_clear(gnutls_session_t session)

{

  handshake_hash_buffer_reset(session);

  _gnutls_buffer_clear(&session->internals.handshake_hash_buffer);

  _gnutls_buffer_clear(&session->internals.full_client_hello);

}

/* Replace handshake message buffer, with the special synthetic message

 * needed by TLS1.3 when HRR is sent. */

int _gnutls13_handshake_hash_buffers_synth(gnutls_session_t session,

             const mac_entry_st *prf,

             unsigned client)

{

  int ret;

  uint8_t hdata[4 + MAX_HASH_SIZE];

  size_t length;

  if (client)

    length = session->internals.handshake_hash_buffer_prev_len;

  else

    length = session->internals.handshake_hash_buffer.length;

  /* calculate hash */

  hdata[0] = 254;

  _gnutls_write_uint24(prf->output_size, &hdata[1]);

  ret = gnutls_hash_fast((gnutls_digest_algorithm_t)prf->id,

             session->internals.handshake_hash_buffer.data,

             length, hdata + 4);

  if (ret < 0)

    return gnutls_assert_val(ret);

  handshake_hash_buffer_reset(session);

  ret = _gnutls_buffer_append_data(

    &session->internals.handshake_hash_buffer, hdata,

    prf->output_size + 4);

  if (ret < 0)

    return gnutls_assert_val(ret);

  _gnutls_buffers_log(

    "BUF[HSK]: Replaced handshake buffer with synth message (%d bytes)\n",

    prf->output_size + 4);

  return 0;

}

/* this will copy the required values for resuming to

 * internals, and to security_parameters.

 * this will keep as less data to security_parameters.

 */

static int tls12_resume_copy_required_vals(gnutls_session_t session,

             unsigned ticket)

{

  int ret;

  /* get the new random values */

  memcpy(session->internals.resumed_security_parameters.server_random,

         session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);

  memcpy(session->internals.resumed_security_parameters.client_random,

         session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);

  /* keep the ciphersuite and compression

   * That is because the client must see these in our

   * hello message.

   */

  ret = _gnutls_set_cipher_suite2(

    session, session->internals.resumed_security_parameters.cs);

  if (ret < 0)

    return gnutls_assert_val(ret);

  /* or write_compression_algorithm

   * they are the same

   */

  session->security_parameters.entity =

    session->internals.resumed_security_parameters.entity;

  if (session->internals.resumed_security_parameters.pversion == NULL)

    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

  if (_gnutls_set_current_version(

        session, session->internals.resumed_security_parameters

             .pversion->id) < 0)

    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);

  session->security_parameters.client_ctype =

    session->internals.resumed_security_parameters.client_ctype;

  session->security_parameters.server_ctype =

    session->internals.resumed_security_parameters.server_ctype;

  if (!ticket) {

    memcpy(session->security_parameters.session_id,

           session->internals.resumed_security_parameters.session_id,

           sizeof(session->security_parameters.session_id));

    session->security_parameters.session_id_size =

      session->internals.resumed_security_parameters

        .session_id_size;

  }

  return 0;

}

void _gnutls_set_client_random(gnutls_session_t session, uint8_t *rnd)

{

  _gnutls_memory_mark_defined(session->security_parameters.client_random,

            GNUTLS_RANDOM_SIZE);

  memcpy(session->security_parameters.client_random, rnd,

         GNUTLS_RANDOM_SIZE);

}

static int _gnutls_gen_client_random(gnutls_session_t session)

{

  int ret;

  /* no random given, we generate. */

  if (session->internals.sc_random_set != 0) {

    _gnutls_memory_mark_defined(

      session->security_parameters.client_random,

      GNUTLS_RANDOM_SIZE);

    memcpy(session->security_parameters.client_random,

           session->internals.resumed_security_parameters

             .client_random,

           GNUTLS_RANDOM_SIZE);

  } else {

    _gnutls_memory_mark_defined(

      session->security_parameters.client_random,

      GNUTLS_RANDOM_SIZE);

    ret = gnutls_rnd(GNUTLS_RND_NONCE,

         session->security_parameters.client_random,

         GNUTLS_RANDOM_SIZE);

    if (ret < 0) {

      _gnutls_memory_mark_undefined(

        session->security_parameters.client_random,

        GNUTLS_RANDOM_SIZE);

      return gnutls_assert_val(ret);

    }

  }

  return 0;

}

static int _gnutls_set_server_random(gnutls_session_t session,

             const version_entry_st *vers, uint8_t *rnd)

{

  const version_entry_st *max;

  _gnutls_memory_mark_defined(session->security_parameters.server_random,

            GNUTLS_RANDOM_SIZE);

  memcpy(session->security_parameters.server_random, rnd,

         GNUTLS_RANDOM_SIZE);

  /* check whether the server random value is set according to

   * to TLS 1.3. p4.1.3 requirements */

  if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2 &&

      have_creds_for_tls13(session)) {

    max = _gnutls_version_max(session);

    if (max->id <= GNUTLS_TLS1_2)

      return 0;

    if (vers->id == GNUTLS_TLS1_2 &&

        memcmp(&session->security_parameters

            .server_random[GNUTLS_RANDOM_SIZE - 8],

         "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8) == 0) {

      _gnutls_audit_log(

        session,

        "Detected downgrade to TLS 1.2 from TLS 1.3\n");

      return gnutls_assert_val(

        GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);

    } else if (vers->id <= GNUTLS_TLS1_1 &&

         memcmp(&session->security_parameters

             .server_random[GNUTLS_RANDOM_SIZE -

                8],

          "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8) == 0) {

      _gnutls_audit_log(

        session,

        "Detected downgrade to TLS 1.1 or earlier from TLS 1.3\n");

      return gnutls_assert_val(

        GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);

    }

  }

  return 0;

}

int _gnutls_gen_server_random(gnutls_session_t session, int version)

{

  int ret;

  const version_entry_st *max;

  if (session->internals.sc_random_set != 0) {

    _gnutls_memory_mark_defined(

      session->security_parameters.server_random,

      GNUTLS_RANDOM_SIZE);

    memcpy(session->security_parameters.server_random,

           session->internals.resumed_security_parameters

             .server_random,

           GNUTLS_RANDOM_SIZE);

    return 0;

  }

  max = _gnutls_version_max(session);

  if (max == NULL)

    return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);

  _gnutls_memory_mark_defined(session->security_parameters.server_random,

            GNUTLS_RANDOM_SIZE);

  if (!IS_DTLS(session) && max->id >= GNUTLS_TLS1_3 &&

      version <= GNUTLS_TLS1_2) {

    if (version == GNUTLS_TLS1_2) {

      memcpy(&session->security_parameters

          .server_random[GNUTLS_RANDOM_SIZE - 8],

             "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8);

    } else {

      memcpy(&session->security_parameters

          .server_random[GNUTLS_RANDOM_SIZE - 8],

             "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8);

    }

    ret = gnutls_rnd(GNUTLS_RND_NONCE,

         session->security_parameters.server_random,

         GNUTLS_RANDOM_SIZE - 8);

  } else {

    ret = gnutls_rnd(GNUTLS_RND_NONCE,

         session->security_parameters.server_random,

         GNUTLS_RANDOM_SIZE);

  }

  if (ret < 0) {

    gnutls_assert();

    _gnutls_memory_mark_undefined(

      session->security_parameters.server_random,

      GNUTLS_RANDOM_SIZE);

    return ret;

  }

  return 0;

}

#ifdef ENABLE_SSL3

/* Calculate The SSL3 Finished message

 */

#define SSL3_CLIENT_MSG "CLNT"

#define SSL3_SERVER_MSG "SRVR"

#define SSL_MSG_LEN 4

static int _gnutls_ssl3_finished(gnutls_session_t session, int type,

         uint8_t *ret, int sending)

{

  digest_hd_st td_md5;

  digest_hd_st td_sha;

  const char *mesg;

  int rc, len;

  if (sending)

    len = session->internals.handshake_hash_buffer.length;

  else

    len = session->internals.handshake_hash_buffer_prev_len;

  rc = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1));

  if (rc < 0)

    return gnutls_assert_val(rc);

  rc = _gnutls_hash_init(&td_md5, hash_to_entry(GNUTLS_DIG_MD5));

  if (rc < 0) {

    _gnutls_hash_deinit(&td_sha, NULL);

    return gnutls_assert_val(rc);

  }

  _gnutls_hash(&td_sha, session->internals.handshake_hash_buffer.data,

         len);

  _gnutls_hash(&td_md5, session->internals.handshake_hash_buffer.data,

         len);

  if (type == GNUTLS_SERVER)

    mesg = SSL3_SERVER_MSG;

  else

    mesg = SSL3_CLIENT_MSG;

  _gnutls_hash(&td_md5, mesg, SSL_MSG_LEN);

  _gnutls_hash(&td_sha, mesg, SSL_MSG_LEN);

  rc = _gnutls_mac_deinit_ssl3_handshake(

    &td_md5, ret, session->security_parameters.master_secret,

    GNUTLS_MASTER_SIZE);

  if (rc < 0) {

    _gnutls_hash_deinit(&td_md5, NULL);

    _gnutls_hash_deinit(&td_sha, NULL);

    return gnutls_assert_val(rc);

  }

  rc = _gnutls_mac_deinit_ssl3_handshake(

    &td_sha, &ret[16], session->security_parameters.master_secret,

    GNUTLS_MASTER_SIZE);

  if (rc < 0) {

    _gnutls_hash_deinit(&td_sha, NULL);

    return gnutls_assert_val(rc);

  }

  return 0;

}

#endif

/* Hash the handshake messages as required by TLS 1.0

 */

#define SERVER_MSG "server finished"

#define CLIENT_MSG "client finished"

#define TLS_MSG_LEN 15

static int _gnutls_finished(gnutls_session_t session, int type, void *ret,

          int sending)

{

  const int siz = TLS_MSG_LEN;

  uint8_t concat[MAX_HASH_SIZE];

  size_t hash_len;

  const char *mesg;

  int rc, len, algorithm;

  if (sending)

    len = session->internals.handshake_hash_buffer.length;

  else

    len = session->internals.handshake_hash_buffer_prev_len;

  algorithm = session->security_parameters.prf->id;

  rc = _gnutls_hash_fast(algorithm,

             session->internals.handshake_hash_buffer.data,

             len, concat);

  if (rc < 0)

    return gnutls_assert_val(rc);

  hash_len = session->security_parameters.prf->output_size;

  if (type == GNUTLS_SERVER) {

    mesg = SERVER_MSG;

  } else {

    mesg = CLIENT_MSG;

  }

  _gnutls_memory_mark_defined(session->security_parameters.master_secret,

            GNUTLS_MASTER_SIZE);

  rc = _gnutls_PRF(session, session->security_parameters.master_secret,

       GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len, 12,

       ret);

  if (rc < 0) {

    _gnutls_memory_mark_undefined(

      session->security_parameters.master_secret,

      GNUTLS_MASTER_SIZE);

  }

  return rc;

}

/* returns the 0 on success or a negative error code.

 */

int _gnutls_negotiate_version(gnutls_session_t session, uint8_t major,

            uint8_t minor, unsigned allow_tls13)

{

  const version_entry_st *vers;

  const version_entry_st *aversion = nversion_to_entry(major, minor);

  /* if we do not support that version, unless that version is TLS 1.2;

   * TLS 1.2 is handled separately because it is always advertised under TLS 1.3 or later */

  if (aversion == NULL ||

      _gnutls_nversion_is_supported(session, major, minor) == 0) {

    if (aversion && aversion->id == GNUTLS_TLS1_2) {

      vers = _gnutls_version_max(session);

      if (unlikely(vers == NULL))

        return gnutls_assert_val(

          GNUTLS_E_NO_CIPHER_SUITES);

      if (vers->id >= GNUTLS_TLS1_2) {

        session->security_parameters.pversion =

          aversion;

        return 0;

      }

    }

    /* if we get an unknown/unsupported version, then fail if the version we

     * got is too low to be supported */

    if (!_gnutls_version_is_too_high(session, major, minor))

      return gnutls_assert_val(

        GNUTLS_E_UNSUPPORTED_VERSION_PACKET);

    /* If he requested something we do not support

     * then we send him the highest we support.

     */

    vers = _gnutls_legacy_version_max(session);

    if (vers == NULL) {

      /* this check is not really needed.

       */

      gnutls_assert();

      return GNUTLS_E_UNKNOWN_CIPHER_SUITE;

    }

    session->security_parameters.pversion = vers;

    return 0;

  } else {

    session->security_parameters.pversion = aversion;

    /* we do not allow TLS1.3 negotiation using this mechanism */

    if (aversion->tls13_sem && !allow_tls13) {

      vers = _gnutls_legacy_version_max(session);

      session->security_parameters.pversion = vers;

    }

    return 0;

  }

}

/* This function returns:

 *  - zero on success

 *  - GNUTLS_E_INT_RET_0 if GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED were returned by the callback

 *  - a negative error code on other error

 */

int _gnutls_user_hello_func(gnutls_session_t session, uint8_t major,

          uint8_t minor)

{

  int ret, sret = 0;

  const version_entry_st *vers, *old_vers;

  const version_entry_st *new_max;

  if (session->internals.user_hello_func != NULL) {

    ret = session->internals.user_hello_func(session);

    if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) {

      gnutls_assert();

      sret = GNUTLS_E_INT_RET_0;

    } else if (ret < 0) {

      gnutls_assert();

      return ret;

    }

    /* This callback is often used to switch the priority string of the

     * server, and that includes switching version which we have already

     * negotiated; note that this doesn't apply when resuming as the version

     * negotiation is already complete. */

    if (!session->internals.resumed) {

      new_max = _gnutls_version_max(session);

      old_vers = get_version(session);

      if (!old_vers->tls13_sem ||

          (new_max && !new_max->tls13_sem)) {

#if GNUTLS_TLS_VERSION_MAX != GNUTLS_TLS1_3

#error "Need to update the following logic"

#endif

        /* Here we need to renegotiate the version since the callee might

         * have disabled some TLS versions. This logic does not cope for

         * protocols later than TLS1.3 if they have the tls13_sem set */

        ret = _gnutls_negotiate_version(session, major,

                minor, 0);

        if (ret < 0)

          return gnutls_assert_val(ret);

        vers = get_version(session);

        if (old_vers != vers) {

          /* at this point we need to regenerate the random value to

           * avoid the peer detecting this session as a rollback

           * attempt. */

          ret = _gnutls_gen_server_random(

            session, vers->id);

          if (ret < 0)

            return gnutls_assert_val(ret);

        }

      }

    }

  }

  return sret;

}

/* Associates the right credential types for the session, and

 * performs sanity checks. */

static int set_auth_types(gnutls_session_t session)

{

  const version_entry_st *ver = get_version(session);

  gnutls_kx_algorithm_t kx;

  /* sanity check:

   * we see TLS1.3 negotiated but no key share was sent */

  if (ver->tls13_sem) {

    if (unlikely(!(session->internals.hsk_flags &

             HSK_PSK_KE_MODE_PSK) &&

           !(session->internals.hsk_flags &

             HSK_KEY_SHARE_RECEIVED))) {

      return gnutls_assert_val(GNUTLS_E_MISSING_EXTENSION);

    }

    /* Under TLS1.3 this returns a KX which matches the negotiated

     * groups from the key shares; if we are resuming then the KX seen

     * here doesn't match the original session. */

    if (!session->internals.resumed) {

      const gnutls_group_entry_st *group = get_group(session);

      if (session->internals.hsk_flags & HSK_PSK_SELECTED) {

        if (group) {

          kx = group->pk == GNUTLS_PK_DH ?

                 GNUTLS_KX_DHE_PSK :

                 GNUTLS_KX_ECDHE_PSK;

        } else {

          kx = GNUTLS_KX_PSK;

        }

      } else if (group) {

        /* Not necessarily be RSA, but just to

         * make _gnutls_map_kx_get_cred below

         * work.

         */

        kx = group->pk == GNUTLS_PK_DH ?

               GNUTLS_KX_DHE_RSA :

               GNUTLS_KX_ECDHE_RSA;

      } else

        kx = GNUTLS_KX_UNKNOWN;

    } else

      kx = GNUTLS_KX_UNKNOWN;

  } else {

    /* TLS1.2 or earlier, kx is associated with ciphersuite */

    kx = session->security_parameters.cs->kx_algorithm;

  }

  if (kx != GNUTLS_KX_UNKNOWN) {

    session->security_parameters.server_auth_type =

      _gnutls_map_kx_get_cred(kx, 1);

    session->security_parameters.client_auth_type =

      _gnutls_map_kx_get_cred(kx, 0);

  } else if (unlikely(!session->internals.resumed)) {

    /* Here we can only arrive if something we received

     * prevented the session from completing. */

    return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);

  }

  return 0;

}

/* Read a client hello packet.

 * A client hello must be a known version client hello

 * or version 2.0 client hello (only for compatibility

 * since SSL version 2.0 is not supported).

 */

static int read_client_hello(gnutls_session_t session, uint8_t *data,

           int datalen)

{

  uint8_t session_id_len;

  int pos = 0, ret;

  uint16_t suite_size, comp_size;

  int ext_size;

  int neg_version, sret = 0;

  int len = datalen;

  uint8_t major, minor;

  uint8_t *suite_ptr, *comp_ptr, *session_id, *ext_ptr;

  const version_entry_st *vers;

  DECR_LEN(len, 2);

  _gnutls_handshake_log("HSK[%p]: Client's version: %d.%d\n", session,

            data[pos], data[pos + 1]);

  major = data[pos];

  minor = data[pos + 1];

  set_adv_version(session, major, minor);

  ret = _gnutls_negotiate_version(session, major, minor, 0);

  if (ret < 0)

    return gnutls_assert_val(ret);

  vers = get_version(session);

  if (vers == NULL)

    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);

  neg_version = vers->id;

  pos += 2;

  /* Read client random value.

   */

  DECR_LEN(len, GNUTLS_RANDOM_SIZE);

  _gnutls_set_client_random(session, &data[pos]);

  pos += GNUTLS_RANDOM_SIZE;

  ret = _gnutls_gen_server_random(session, neg_version);

  if (ret < 0)

    return gnutls_assert_val(ret);

  session->security_parameters.timestamp = gnutls_time(NULL);

  DECR_LEN(len, 1);

  session_id_len = data[pos++];

  /* RESUME SESSION

   */

  if (session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {

    gnutls_assert();

    return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;

  }

  DECR_LEN(len, session_id_len);

  session_id = &data[pos];

  pos += session_id_len;

  if (IS_DTLS(session)) {

    int cookie_size;

    DECR_LEN(len, 1);

    cookie_size = data[pos++];

    DECR_LEN(len, cookie_size);

    pos += cookie_size;

  }

  /* move forward to extensions and store other vals */

  DECR_LEN(len, 2);

  suite_size = _gnutls_read_uint16(&data[pos]);

  pos += 2;

  if (suite_size == 0 || (suite_size % 2) != 0)

    return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);

  suite_ptr = &data[pos];

  DECR_LEN(len, suite_size);

  pos += suite_size;

  DECR_LEN(len, 1);

  comp_size = data[pos++]; /* the number of compression methods */

  if (comp_size == 0)

    return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);

  comp_ptr = &data[pos];

  DECR_LEN(len, comp_size);

  pos += comp_size;

  ext_ptr = &data[pos];

  ext_size = len;

  /* Parse only the mandatory to read extensions for resumption

   * and version negotiation. We don't want to parse any other

   * extensions since  we don't want new extension values to override

   * the resumed ones. */

  ret = _gnutls_parse_hello_extensions(session,

               GNUTLS_EXT_FLAG_CLIENT_HELLO,

               GNUTLS_EXT_VERSION_NEG, ext_ptr,

               ext_size);

  if (ret < 0)

    return gnutls_assert_val(ret);

  ret = _gnutls_parse_hello_extensions(session,

               GNUTLS_EXT_FLAG_CLIENT_HELLO,

               GNUTLS_EXT_MANDATORY, ext_ptr,

               ext_size);

  if (ret < 0)

    return gnutls_assert_val(ret);

  vers = get_version(session);

  if (unlikely(vers == NULL))

    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);

  if (!vers->tls13_sem) {

    ret = _gnutls_server_restore_session(session, session_id,

                 session_id_len);

    if (session_id_len > 0)

      session->internals.resumption_requested = 1;

    if (ret == 0) { /* resumed using default TLS resumption! */

      ret = _gnutls_server_select_suite(session, suite_ptr,

                suite_size, 1);

      if (ret < 0)

        return gnutls_assert_val(ret);

      ret = tls12_resume_copy_required_vals(session, 0);

      if (ret < 0)

        return gnutls_assert_val(ret);

      session->internals.resumed = true;

      return _gnutls_user_hello_func(session, major, minor);

    } else {

      ret = _gnutls_generate_session_id(

        session->security_parameters.session_id,

        &session->security_parameters.session_id_size);

      if (ret < 0)

        return gnutls_assert_val(ret);

      session->internals.resumed = false;

    }

  } else { /* TLS1.3 */

    /* we echo client's session ID - length was checked previously */

    assert(session_id_len <= GNUTLS_MAX_SESSION_ID_SIZE);

    if (session_id_len > 0)

      memcpy(session->security_parameters.session_id,

             session_id, session_id_len);

    session->security_parameters.session_id_size = session_id_len;

  }

  /* Parse the extensions (if any)

   *

   * Unconditionally try to parse extensions; safe renegotiation uses them in

   * sslv3 and higher, even though sslv3 doesn't officially support them.

   */

  ret = _gnutls_parse_hello_extensions(session,

               GNUTLS_EXT_FLAG_CLIENT_HELLO,

               GNUTLS_EXT_APPLICATION, ext_ptr,

               ext_size);

  /* len is the rest of the parsed length */

  if (ret < 0) {

    gnutls_assert();

    return ret;

  }

  /* we cache this error code */

  sret = _gnutls_user_hello_func(session, major, minor);

  if (sret < 0 && sret != GNUTLS_E_INT_RET_0) {

    gnutls_assert();

    return sret;

  }

  /* Session tickets are parsed in this point */

  ret = _gnutls_parse_hello_extensions(session,

               GNUTLS_EXT_FLAG_CLIENT_HELLO,

               GNUTLS_EXT_TLS, ext_ptr, ext_size);

  if (ret < 0) {

    gnutls_assert();

    return ret;

  }

  if (session->internals.hsk_flags & HSK_EARLY_DATA_ACCEPTED) {

    const cipher_entry_st *ce;

    const mac_entry_st *me;

    record_parameters_st *params;

    ce = cipher_to_entry(

      session->internals.resumed_security_parameters.cs

        ->block_algorithm);

    me = mac_to_entry(session->internals.resumed_security_parameters

            .cs->mac_algorithm);

    ret = _gnutls_epoch_get(session, EPOCH_NEXT, &params);

    if (ret < 0) {

      return gnutls_assert_val(ret);

    }

    params->cipher = ce;

    params->mac = me;

    ret = _tls13_read_connection_state_init(session, STAGE_EARLY);

    if (ret < 0) {

      return gnutls_assert_val(ret);

    }

    _gnutls_epoch_bump(session);

    ret = _gnutls_epoch_dup(session, EPOCH_READ_CURRENT);

    if (ret < 0) {

      return gnutls_assert_val(ret);

    }

  }

  /* resumed by session_ticket extension */

  if (!vers->tls13_sem && session->internals.resumed) {

    session->internals.resumed_security_parameters

      .max_record_recv_size =

      session->security_parameters.max_record_recv_size;

    session->internals.resumed_security_parameters

      .max_record_send_size =

      session->security_parameters.max_record_send_size;

    ret = _gnutls_server_select_suite(session, suite_ptr,

              suite_size, 1);

    if (ret < 0)

      return gnutls_assert_val(ret);

    ret = tls12_resume_copy_required_vals(session, 1);

    if (ret < 0)

      return gnutls_assert_val(ret);

    /* to indicate to the client that the current session is resumed */

    memcpy(session->security_parameters.session_id, session_id,

           session_id_len);

    session->security_parameters.session_id_size = session_id_len;

    return 0;

  }

  /* select an appropriate cipher suite (as well as certificate)

   */

  ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 0);

  if (ret < 0) {

    gnutls_assert();

    return ret;

  }

  /* Only at this point we know the version we are actually going to use

   * ("supported_versions" extension is parsed, user_hello_func is called,

   * legacy version negotiation is done). */

  vers = get_version(session);

  if (unlikely(vers == NULL))

    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);

  if (_gnutls_version_priority(session, vers->id) < 0)

    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);

  /* check if EMS is required */

  if (!vers->tls13_sem && vers->id != GNUTLS_SSL3 &&

      vers->id != GNUTLS_DTLS0_9 &&

      session->internals.priorities->force_ext_master_secret ==

        EMS_REQUIRE &&

      !session->security_parameters.ext_master_secret) {

    return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);

  }