LCOV - code coverage report
Current view: top level - builds/gnutls/coverage/gnutls-git/lib - handshake.c (source / functions) Hit Total Coverage
Test: GnuTLS-3.6.14 Code Coverage Lines: 1492 1688 88.4 %
Date: 2020-10-30 04:50:48 Functions: 49 49 100.0 %
Legend: Lines: hit not hit

          Line data    Source code
       1             : /*
       2             :  * Copyright (C) 2000-2016 Free Software Foundation, Inc.
       3             :  * Copyright (C) 2015-2018 Red Hat, Inc.
       4             :  *
       5             :  * Author: Nikos Mavrogiannopoulos
       6             :  *
       7             :  * This file is part of GnuTLS.
       8             :  *
       9             :  * The GnuTLS is free software; you can redistribute it and/or
      10             :  * modify it under the terms of the GNU Lesser General Public License
      11             :  * as published by the Free Software Foundation; either version 2.1 of
      12             :  * the License, or (at your option) any later version.
      13             :  *
      14             :  * This library is distributed in the hope that it will be useful, but
      15             :  * WITHOUT ANY WARRANTY; without even the implied warranty of
      16             :  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      17             :  * Lesser General Public License for more details.
      18             :  *
      19             :  * You should have received a copy of the GNU Lesser General Public License
      20             :  * along with this program.  If not, see <https://www.gnu.org/licenses/>
      21             :  *
      22             :  */
      23             : 
      24             : /* Functions that relate to the TLS handshake procedure.
      25             :  */
      26             : 
      27             : #include "gnutls_int.h"
      28             : #include "errors.h"
      29             : #include "dh.h"
      30             : #include "debug.h"
      31             : #include "algorithms.h"
      32             : #include "cipher.h"
      33             : #include "buffers.h"
      34             : #include "mbuffers.h"
      35             : #include "kx.h"
      36             : #include "handshake.h"
      37             : #include "num.h"
      38             : #include "hash_int.h"
      39             : #include "db.h"
      40             : #include "hello_ext.h"
      41             : #include "supplemental.h"
      42             : #include "auth.h"
      43             : #include "sslv2_compat.h"
      44             : #include <auth/cert.h>
      45             : #include "constate.h"
      46             : #include <record.h>
      47             : #include <state.h>
      48             : #include <ext/pre_shared_key.h>
      49             : #include <ext/srp.h>
      50             : #include <ext/session_ticket.h>
      51             : #include <ext/status_request.h>
      52             : #include <ext/safe_renegotiation.h>
      53             : #include <auth/anon.h>            /* for gnutls_anon_server_credentials_t */
      54             : #include <auth/psk.h>             /* for gnutls_psk_server_credentials_t */
      55             : #include <random.h>
      56             : #include <dtls.h>
      57             : #include "secrets.h"
      58             : #include "tls13/session_ticket.h"
      59             : #include "locks.h"
      60             : #ifdef HAVE_VALGRIND_MEMCHECK_H
      61             : #include <valgrind/memcheck.h>
      62             : #endif
      63             : 
      64             : #define TRUE 1
      65             : #define FALSE 0
      66             : 
      67             : static int check_if_null_comp_present(gnutls_session_t session,
      68             :                                              uint8_t * data, int datalen);
      69             : static int handshake_client(gnutls_session_t session);
      70             : static int handshake_server(gnutls_session_t session);
      71             : 
      72             : static int
      73             : read_server_hello(gnutls_session_t session,
      74             :                   uint8_t * data, int datalen);
      75             : 
      76             : static int
      77             : recv_handshake_final(gnutls_session_t session, int init);
      78             : static int
      79             : send_handshake_final(gnutls_session_t session, int init);
      80             : 
      81             : /* Empties but does not free the buffer
      82             :  */
      83             : inline static void
      84       60745 : handshake_hash_buffer_reset(gnutls_session_t session)
      85             : {
      86       60745 :         _gnutls_buffers_log("BUF[HSK]: Emptied buffer\n");
      87             : 
      88       60745 :         session->internals.handshake_hash_buffer_client_hello_len = 0;
      89       60745 :         session->internals.handshake_hash_buffer_client_kx_len = 0;
      90       60745 :         session->internals.handshake_hash_buffer_server_finished_len = 0;
      91       60745 :         session->internals.handshake_hash_buffer_client_finished_len = 0;
      92       60745 :         session->internals.handshake_hash_buffer_prev_len = 0;
      93       60745 :         session->internals.handshake_hash_buffer.length = 0;
      94       60745 :         session->internals.full_client_hello.length = 0;
      95       60745 :         return;
      96             : }
      97             : 
      98             : static int
      99             : handshake_hash_add_recvd(gnutls_session_t session,
     100             :                          gnutls_handshake_description_t recv_type,
     101             :                          uint8_t * header, uint16_t header_size,
     102             :                          uint8_t * dataptr, uint32_t datalen);
     103             : 
     104             : static int
     105             : handshake_hash_add_sent(gnutls_session_t session,
     106             :                         gnutls_handshake_description_t type,
     107             :                         uint8_t * dataptr, uint32_t datalen);
     108             : 
     109             : static int
     110             : recv_hello_verify_request(gnutls_session_t session,
     111             :                           uint8_t * data, int datalen);
     112             : 
     113             : 
     114             : /* Clears the handshake hash buffers and handles.
     115             :  */
     116       60475 : void _gnutls_handshake_hash_buffers_clear(gnutls_session_t session)
     117             : {
     118       60475 :         handshake_hash_buffer_reset(session);
     119       60475 :         _gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
     120       60475 :         _gnutls_buffer_clear(&session->internals.full_client_hello);
     121       60475 : }
     122             : 
     123             : /* Replace handshake message buffer, with the special synthetic message
     124             :  * needed by TLS1.3 when HRR is sent. */
     125         243 : int _gnutls13_handshake_hash_buffers_synth(gnutls_session_t session,
     126             :                                            const mac_entry_st *prf,
     127             :                                            unsigned client)
     128             : {
     129         243 :         int ret;
     130         243 :         uint8_t hdata[4+MAX_HASH_SIZE];
     131         243 :         size_t length;
     132             : 
     133         243 :         if (client)
     134          24 :                 length = session->internals.handshake_hash_buffer_prev_len;
     135             :         else
     136         219 :                 length = session->internals.handshake_hash_buffer.length;
     137             : 
     138             :         /* calculate hash */
     139         243 :         hdata[0] = 254;
     140         243 :         _gnutls_write_uint24(prf->output_size, &hdata[1]);
     141             : 
     142         486 :         ret = gnutls_hash_fast((gnutls_digest_algorithm_t)prf->id,
     143         243 :                                session->internals.handshake_hash_buffer.data,
     144             :                                length, hdata+4);
     145         243 :         if (ret < 0)
     146           0 :                 return gnutls_assert_val(ret);
     147             : 
     148         243 :         handshake_hash_buffer_reset(session);
     149             : 
     150         243 :         ret =
     151         486 :             _gnutls_buffer_append_data(&session->internals.
     152             :                                        handshake_hash_buffer,
     153         243 :                                        hdata, prf->output_size+4);
     154         243 :         if (ret < 0)
     155           0 :                 return gnutls_assert_val(ret);
     156             : 
     157         243 :         _gnutls_buffers_log("BUF[HSK]: Replaced handshake buffer with synth message (%d bytes)\n",
     158             :                             prf->output_size+4);
     159             : 
     160             :         return 0;
     161             : }
     162             : 
     163             : /* this will copy the required values for resuming to
     164             :  * internals, and to security_parameters.
     165             :  * this will keep as less data to security_parameters.
     166             :  */
     167         782 : static int tls12_resume_copy_required_vals(gnutls_session_t session, unsigned ticket)
     168             : {
     169         782 :         int ret;
     170             : 
     171             :         /* get the new random values */
     172         782 :         memcpy(session->internals.resumed_security_parameters.
     173         782 :                server_random, session->security_parameters.server_random,
     174             :                GNUTLS_RANDOM_SIZE);
     175         782 :         memcpy(session->internals.resumed_security_parameters.
     176         782 :                client_random, session->security_parameters.client_random,
     177             :                GNUTLS_RANDOM_SIZE);
     178             : 
     179             :         /* keep the ciphersuite and compression
     180             :          * That is because the client must see these in our
     181             :          * hello message.
     182             :          */
     183        1564 :         ret = _gnutls_set_cipher_suite2(session,
     184             :                                        session->internals.
     185         782 :                                        resumed_security_parameters.
     186             :                                        cs);
     187         782 :         if (ret < 0)
     188           0 :                 return gnutls_assert_val(ret);
     189             : 
     190             :         /* or write_compression_algorithm
     191             :          * they are the same
     192             :          */
     193             : 
     194         782 :         session->security_parameters.entity =
     195         782 :             session->internals.resumed_security_parameters.entity;
     196             : 
     197         782 :         if (session->internals.resumed_security_parameters.pversion ==
     198             :             NULL)
     199           0 :                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     200             : 
     201        1564 :         if (_gnutls_set_current_version(session,
     202             :                                     session->internals.
     203         782 :                                     resumed_security_parameters.pversion->
     204             :                                     id) < 0)
     205           0 :                 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
     206             : 
     207         782 :         session->security_parameters.client_ctype =
     208         782 :             session->internals.resumed_security_parameters.client_ctype;
     209         782 :         session->security_parameters.server_ctype =
     210         782 :             session->internals.resumed_security_parameters.server_ctype;
     211             : 
     212         782 :         if (!ticket) {
     213         487 :                 memcpy(session->security_parameters.session_id,
     214         487 :                        session->internals.resumed_security_parameters.session_id,
     215             :                        sizeof(session->security_parameters.session_id));
     216         487 :                 session->security_parameters.session_id_size =
     217         487 :                     session->internals.resumed_security_parameters.session_id_size;
     218             :         }
     219             : 
     220             :         return 0;
     221             : }
     222             : 
     223       19134 : void _gnutls_set_client_random(gnutls_session_t session, uint8_t * rnd)
     224             : {
     225       19134 :         memcpy(session->security_parameters.client_random, rnd,
     226             :                GNUTLS_RANDOM_SIZE);
     227       19134 : }
     228             : 
     229             : static
     230        3696 : int _gnutls_gen_client_random(gnutls_session_t session)
     231             : {
     232        3696 :         int ret;
     233             : 
     234             :         /* no random given, we generate. */
     235        3696 :         if (session->internals.sc_random_set != 0) {
     236           8 :                 memcpy(session->security_parameters.client_random,
     237             :                        session->internals.
     238           8 :                        resumed_security_parameters.client_random,
     239             :                        GNUTLS_RANDOM_SIZE);
     240             :         } else {
     241        7376 :                 ret = gnutls_rnd(GNUTLS_RND_NONCE,
     242        3688 :                         session->security_parameters.client_random,
     243             :                         GNUTLS_RANDOM_SIZE);
     244        3688 :                 if (ret < 0)
     245           0 :                         return gnutls_assert_val(ret);
     246             :         }
     247             : 
     248             : #ifdef HAVE_VALGRIND_MEMCHECK_H
     249             :         if (RUNNING_ON_VALGRIND)
     250             :                 VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.client_random,
     251             :                                           GNUTLS_RANDOM_SIZE);
     252             : #endif
     253             : 
     254             :         return 0;
     255             : }
     256             : 
     257             : static
     258        2969 : int _gnutls_set_server_random(gnutls_session_t session, const version_entry_st *vers, uint8_t * rnd)
     259             : {
     260        2969 :         const version_entry_st *max;
     261             : 
     262        2969 :         memcpy(session->security_parameters.server_random, rnd,
     263             :                GNUTLS_RANDOM_SIZE);
     264             : 
     265             :         /* check whether the server random value is set according to
     266             :          * to TLS 1.3. p4.1.3 requirements */
     267        2969 :         if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2 && have_creds_for_tls13(session)) {
     268             : 
     269        1874 :                 max = _gnutls_version_max(session);
     270        1874 :                 if (max->id <= GNUTLS_TLS1_2)
     271             :                         return 0;
     272             : 
     273         814 :                 if (vers->id == GNUTLS_TLS1_2 &&
     274         702 :                     memcmp(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
     275             :                     "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8) == 0) {
     276             : 
     277           2 :                         _gnutls_audit_log(session,
     278             :                                   "Detected downgrade to TLS 1.2 from TLS 1.3\n");
     279           2 :                         return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
     280         812 :                 } else if (vers->id <= GNUTLS_TLS1_1 &&
     281         112 :                            memcmp(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
     282             :                            "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8) == 0) {
     283             : 
     284           1 :                         _gnutls_audit_log(session,
     285             :                                   "Detected downgrade to TLS 1.1 or earlier from TLS 1.3\n");
     286           1 :                         return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
     287             :                 }
     288             :         }
     289             : 
     290             :         return 0;
     291             : }
     292             : 
     293       25262 : int _gnutls_gen_server_random(gnutls_session_t session, int version)
     294             : {
     295       25262 :         int ret;
     296       25262 :         const version_entry_st *max;
     297             : 
     298       25262 :         if (session->internals.sc_random_set != 0) {
     299          12 :                 memcpy(session->security_parameters.server_random,
     300             :                        session->internals.
     301          12 :                        resumed_security_parameters.server_random,
     302             :                        GNUTLS_RANDOM_SIZE);
     303          12 :                 return 0;
     304             :         }
     305             : 
     306       25250 :         max = _gnutls_version_max(session);
     307       25250 :         if (max == NULL)
     308           0 :                 return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
     309             : 
     310       25250 :         if (!IS_DTLS(session) && max->id >= GNUTLS_TLS1_3 &&
     311             :             version <= GNUTLS_TLS1_2) {
     312       13262 :                 if (version == GNUTLS_TLS1_2) {
     313       11454 :                         memcpy(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
     314             :                                 "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8);
     315             :                 } else {
     316        1808 :                         memcpy(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
     317             :                                 "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8);
     318             :                 }
     319       13262 :                 ret =
     320       13262 :                     gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE-8);
     321             : 
     322             :         } else {
     323       11988 :                 ret =
     324       11988 :                     gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
     325             :         }
     326             : 
     327       25250 :         if (ret < 0) {
     328           0 :                 gnutls_assert();
     329           0 :                 return ret;
     330             :         }
     331             : 
     332             : #ifdef HAVE_VALGRIND_MEMCHECK_H
     333             :         if (RUNNING_ON_VALGRIND)
     334             :                 VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.server_random,
     335             :                                           GNUTLS_RANDOM_SIZE);
     336             : #endif
     337             : 
     338             :         return 0;
     339             : }
     340             : 
     341             : #ifdef ENABLE_SSL3
     342             : /* Calculate The SSL3 Finished message
     343             :  */
     344             : #define SSL3_CLIENT_MSG "CLNT"
     345             : #define SSL3_SERVER_MSG "SRVR"
     346             : #define SSL_MSG_LEN 4
     347             : static int
     348             : _gnutls_ssl3_finished(gnutls_session_t session, int type, uint8_t * ret,
     349             :                       int sending)
     350             : {
     351             :         digest_hd_st td_md5;
     352             :         digest_hd_st td_sha;
     353             :         const char *mesg;
     354             :         int rc, len;
     355             : 
     356             :         if (sending)
     357             :                 len = session->internals.handshake_hash_buffer.length;
     358             :         else
     359             :                 len = session->internals.handshake_hash_buffer_prev_len;
     360             : 
     361             :         rc = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1));
     362             :         if (rc < 0)
     363             :                 return gnutls_assert_val(rc);
     364             : 
     365             :         rc = _gnutls_hash_init(&td_md5, hash_to_entry(GNUTLS_DIG_MD5));
     366             :         if (rc < 0) {
     367             :                 _gnutls_hash_deinit(&td_sha, NULL);
     368             :                 return gnutls_assert_val(rc);
     369             :         }
     370             : 
     371             :         _gnutls_hash(&td_sha,
     372             :                      session->internals.handshake_hash_buffer.data, len);
     373             :         _gnutls_hash(&td_md5,
     374             :                      session->internals.handshake_hash_buffer.data, len);
     375             : 
     376             :         if (type == GNUTLS_SERVER)
     377             :                 mesg = SSL3_SERVER_MSG;
     378             :         else
     379             :                 mesg = SSL3_CLIENT_MSG;
     380             : 
     381             :         _gnutls_hash(&td_md5, mesg, SSL_MSG_LEN);
     382             :         _gnutls_hash(&td_sha, mesg, SSL_MSG_LEN);
     383             : 
     384             :         rc = _gnutls_mac_deinit_ssl3_handshake(&td_md5, ret,
     385             :                                                session->security_parameters.
     386             :                                                master_secret,
     387             :                                                GNUTLS_MASTER_SIZE);
     388             :         if (rc < 0) {
     389             :                 _gnutls_hash_deinit(&td_md5, NULL);
     390             :                 _gnutls_hash_deinit(&td_sha, NULL);
     391             :                 return gnutls_assert_val(rc);
     392             :         }
     393             : 
     394             :         rc = _gnutls_mac_deinit_ssl3_handshake(&td_sha, &ret[16],
     395             :                                                session->security_parameters.
     396             :                                                master_secret,
     397             :                                                GNUTLS_MASTER_SIZE);
     398             :         if (rc < 0) {
     399             :                 _gnutls_hash_deinit(&td_sha, NULL);
     400             :                 return gnutls_assert_val(rc);
     401             :         }
     402             : 
     403             :         return 0;
     404             : }
     405             : #endif
     406             : 
     407             : /* Hash the handshake messages as required by TLS 1.0
     408             :  */
     409             : #define SERVER_MSG "server finished"
     410             : #define CLIENT_MSG "client finished"
     411             : #define TLS_MSG_LEN 15
     412             : static int
     413       17823 : _gnutls_finished(gnutls_session_t session, int type, void *ret,
     414             :                  int sending)
     415             : {
     416       17823 :         const int siz = TLS_MSG_LEN;
     417       17823 :         uint8_t concat[MAX_HASH_SIZE];
     418       17823 :         size_t hash_len;
     419       17823 :         const char *mesg;
     420       17823 :         int rc, len, algorithm;
     421             : 
     422       17823 :         if (sending)
     423        8980 :                 len = session->internals.handshake_hash_buffer.length;
     424             :         else
     425        8843 :                 len = session->internals.handshake_hash_buffer_prev_len;
     426             : 
     427       17823 :         algorithm = session->security_parameters.prf->id;
     428       35646 :         rc = _gnutls_hash_fast(algorithm,
     429             :                                session->internals.
     430       17823 :                                handshake_hash_buffer.data, len,
     431             :                                concat);
     432       17823 :         if (rc < 0)
     433           0 :                 return gnutls_assert_val(rc);
     434             : 
     435       17823 :         hash_len = session->security_parameters.prf->output_size;
     436             : 
     437       17823 :         if (type == GNUTLS_SERVER) {
     438             :                 mesg = SERVER_MSG;
     439             :         } else {
     440        8987 :                 mesg = CLIENT_MSG;
     441             :         }
     442             : 
     443       17823 :         return _gnutls_PRF(session,
     444       17823 :                            session->security_parameters.master_secret,
     445             :                            GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len,
     446             :                            12, ret);
     447             : }
     448             : 
     449             : 
     450             : /* returns the 0 on success or a negative error code.
     451             :  */
     452             : int
     453       20099 : _gnutls_negotiate_version(gnutls_session_t session,
     454             :                           uint8_t major, uint8_t minor, unsigned allow_tls13)
     455             : {
     456       20099 :         const version_entry_st *vers;
     457       20099 :         const version_entry_st *aversion = nversion_to_entry(major, minor);
     458             : 
     459             :         /* if we do not support that version, unless that version is TLS 1.2;
     460             :          * TLS 1.2 is handled separately because it is always advertized under TLS 1.3 or later */
     461       39532 :         if (aversion == NULL ||
     462       19433 :             _gnutls_nversion_is_supported(session, major, minor) == 0) {
     463             : 
     464        2557 :                 if (aversion && aversion->id == GNUTLS_TLS1_2) {
     465        1851 :                         vers = _gnutls_version_max(session);
     466        1851 :                         if (unlikely(vers == NULL))
     467           2 :                                 return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
     468             : 
     469        1849 :                         if (vers->id >= GNUTLS_TLS1_2) {
     470        1830 :                                 session->security_parameters.pversion = aversion;
     471        1830 :                                 return 0;
     472             :                         }
     473             :                 }
     474             : 
     475             :                 /* if we get an unknown/unsupported version, then fail if the version we
     476             :                  * got is too low to be supported */
     477         725 :                 if (!_gnutls_version_is_too_high(session, major, minor))
     478         116 :                         return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
     479             : 
     480             :                 /* If he requested something we do not support
     481             :                  * then we send him the highest we support.
     482             :                  */
     483         654 :                 vers = _gnutls_legacy_version_max(session);
     484         654 :                 if (vers == NULL) {
     485             :                         /* this check is not really needed.
     486             :                          */
     487           0 :                         gnutls_assert();
     488           0 :                         return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
     489             :                 }
     490             : 
     491         654 :                 session->security_parameters.pversion = vers;
     492             : 
     493         654 :                 return 0;
     494             :         } else {
     495       17542 :                 session->security_parameters.pversion = aversion;
     496             : 
     497             :                 /* we do not allow TLS1.3 negotiation using this mechanism */
     498       17542 :                 if (aversion->tls13_sem && !allow_tls13) {
     499          11 :                         vers = _gnutls_legacy_version_max(session);
     500          11 :                         session->security_parameters.pversion = vers;
     501             :                 }
     502             : 
     503       17542 :                 return 0;
     504             :         }
     505             : }
     506             : 
     507             : /* This function returns:
     508             :  *  - zero on success
     509             :  *  - GNUTLS_E_INT_RET_0 if GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED were returned by the callback
     510             :  *  - a negative error code on other error
     511             :  */
     512             : int
     513       18178 : _gnutls_user_hello_func(gnutls_session_t session,
     514             :                         uint8_t major, uint8_t minor)
     515             : {
     516       18178 :         int ret, sret = 0;
     517       18178 :         const version_entry_st *vers, *old_vers;
     518       18178 :         const version_entry_st *new_max;
     519             : 
     520       18178 :         if (session->internals.user_hello_func != NULL) {
     521         226 :                 ret = session->internals.user_hello_func(session);
     522             : 
     523         226 :                 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) {
     524           3 :                         gnutls_assert();
     525             :                         sret = GNUTLS_E_INT_RET_0;
     526         223 :                 } else if (ret < 0) {
     527           2 :                         gnutls_assert();
     528           2 :                         return ret;
     529             :                 }
     530             : 
     531             :                 /* This callback is often used to switch the priority string of the
     532             :                  * server, and that includes switching version which we have already
     533             :                  * negotiated; note that this doesn't apply when resuming as the version
     534             :                  * negotiation is already complete. */
     535         224 :                 if (session->internals.resumed != RESUME_TRUE) {
     536         115 :                         new_max = _gnutls_version_max(session);
     537         115 :                         old_vers = get_version(session);
     538             : 
     539         115 :                         if (!old_vers->tls13_sem || (new_max && !new_max->tls13_sem)) {
     540             : #if GNUTLS_TLS_VERSION_MAX != GNUTLS_TLS1_3
     541             : # error "Need to update the following logic"
     542             : #endif
     543             :                                 /* Here we need to renegotiate the version since the callee might
     544             :                                  * have disabled some TLS versions. This logic does not cope for
     545             :                                  * protocols later than TLS1.3 if they have the tls13_sem set */
     546          63 :                                 ret = _gnutls_negotiate_version(session, major, minor, 0);
     547          63 :                                 if (ret < 0)
     548           0 :                                         return gnutls_assert_val(ret);
     549             : 
     550          63 :                                 vers = get_version(session);
     551          63 :                                 if (old_vers != vers) {
     552             :                                         /* at this point we need to regenerate the random value to
     553             :                                          * avoid the peer detecting this session as a rollback
     554             :                                          * attempt. */
     555           1 :                                         ret = _gnutls_gen_server_random(session, vers->id);
     556           1 :                                         if (ret < 0)
     557           0 :                                                 return gnutls_assert_val(ret);
     558             :                                 }
     559             :                         }
     560             :                 }
     561             :         }
     562             :         return sret;
     563             : }
     564             : 
     565             : /* Associates the right credential types for the session, and
     566             :  * performs sanity checks. */
     567       17323 : static int set_auth_types(gnutls_session_t session)
     568             : {
     569       17323 :         const version_entry_st *ver = get_version(session);
     570       17323 :         gnutls_kx_algorithm_t kx;
     571             : 
     572             :         /* sanity check:
     573             :          * we see TLS1.3 negotiated but no key share was sent */
     574       17323 :         if (ver->tls13_sem) {
     575        5756 :                 if (unlikely(!(session->internals.hsk_flags & HSK_PSK_KE_MODE_PSK) &&
     576             :                              !(session->internals.hsk_flags & HSK_KEY_SHARE_RECEIVED))) {
     577          55 :                         return gnutls_assert_val(GNUTLS_E_MISSING_EXTENSION);
     578             :                 }
     579             : 
     580             :                 /* Under TLS1.3 this returns a KX which matches the negotiated
     581             :                  * groups from the key shares; if we are resuming then the KX seen
     582             :                  * here doesn't match the original session. */
     583        5702 :                 if (session->internals.resumed == RESUME_FALSE)
     584        5477 :                         kx = gnutls_kx_get(session);
     585             :                 else
     586             :                         kx = GNUTLS_KX_UNKNOWN;
     587             :         } else {
     588             :                 /* TLS1.2 or earlier, kx is associated with ciphersuite */
     589       11567 :                 kx = session->security_parameters.cs->kx_algorithm;
     590             :         }
     591             : 
     592       17044 :         if (kx != GNUTLS_KX_UNKNOWN) {
     593       17044 :                 session->security_parameters.server_auth_type = _gnutls_map_kx_get_cred(kx, 1);
     594       17044 :                 session->security_parameters.client_auth_type = _gnutls_map_kx_get_cred(kx, 0);
     595         225 :         } else if (unlikely(session->internals.resumed == RESUME_FALSE)) {
     596             :                 /* Here we can only arrive if something we received
     597             :                  * prevented the session from completing. */
     598           0 :                 return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
     599             :         }
     600             : 
     601             :         return 0;
     602             : }
     603             : 
     604             : /* Read a client hello packet.
     605             :  * A client hello must be a known version client hello
     606             :  * or version 2.0 client hello (only for compatibility
     607             :  * since SSL version 2.0 is not supported).
     608             :  */
     609             : static int
     610       18659 : read_client_hello(gnutls_session_t session, uint8_t * data,
     611             :                           int datalen)
     612             : {
     613       18659 :         uint8_t session_id_len;
     614       18659 :         int pos = 0, ret;
     615       18659 :         uint16_t suite_size, comp_size;
     616       18659 :         int ext_size;
     617       18659 :         int neg_version, sret = 0;
     618       18659 :         int len = datalen;
     619       18659 :         uint8_t major, minor;
     620       18659 :         uint8_t *suite_ptr, *comp_ptr, *session_id, *ext_ptr;
     621       18659 :         const version_entry_st *vers;
     622             : 
     623       18659 :         DECR_LEN(len, 2);
     624       18653 :         _gnutls_handshake_log("HSK[%p]: Client's version: %d.%d\n",
     625             :                               session, data[pos], data[pos + 1]);
     626             : 
     627       18653 :         major = data[pos];
     628       18653 :         minor = data[pos+1];
     629             : 
     630       18653 :         set_adv_version(session, major, minor);
     631             : 
     632       18653 :         ret = _gnutls_negotiate_version(session, major, minor, 0);
     633       18653 :         if (ret < 0)
     634          44 :                 return gnutls_assert_val(ret);
     635             : 
     636       18619 :         vers = get_version(session);
     637       18619 :         if (vers == NULL)
     638           0 :                 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
     639             : 
     640       18619 :         neg_version = vers->id;
     641             : 
     642       18619 :         pos += 2;
     643             : 
     644             :         /* Read client random value.
     645             :          */
     646       18619 :         DECR_LEN(len, GNUTLS_RANDOM_SIZE);
     647       18613 :         _gnutls_set_client_random(session, &data[pos]);
     648             : 
     649       18613 :         pos += GNUTLS_RANDOM_SIZE;
     650             : 
     651       18613 :         ret = _gnutls_gen_server_random(session, neg_version);
     652       18613 :         if (ret < 0)
     653           0 :                 return gnutls_assert_val(ret);
     654             : 
     655       18613 :         session->security_parameters.timestamp = gnutls_time(NULL);
     656             : 
     657       18613 :         DECR_LEN(len, 1);
     658       18610 :         session_id_len = data[pos++];
     659             : 
     660             :         /* RESUME SESSION
     661             :          */
     662       18610 :         if (session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {
     663           6 :                 gnutls_assert();
     664           6 :                 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
     665             :         }
     666       18604 :         DECR_LEN(len, session_id_len);
     667       18601 :         session_id = &data[pos];
     668       18601 :         pos += session_id_len;
     669             : 
     670       18601 :         if (IS_DTLS(session)) {
     671         303 :                 int cookie_size;
     672             : 
     673         303 :                 DECR_LEN(len, 1);
     674         303 :                 cookie_size = data[pos++];
     675         303 :                 DECR_LEN(len, cookie_size);
     676         303 :                 pos += cookie_size;
     677             :         }
     678             : 
     679             :         /* move forward to extensions and store other vals */
     680       18601 :         DECR_LEN(len, 2);
     681       18596 :         suite_size = _gnutls_read_uint16(&data[pos]);
     682       18596 :         pos += 2;
     683             : 
     684       18596 :         if (suite_size == 0 || (suite_size % 2) != 0)
     685          35 :                 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
     686             : 
     687       18577 :         suite_ptr = &data[pos];
     688       18577 :         DECR_LEN(len, suite_size);
     689       18552 :         pos += suite_size;
     690             : 
     691       18552 :         DECR_LEN(len, 1);
     692       18548 :         comp_size = data[pos++]; /* the number of compression methods */
     693             : 
     694       18548 :         if (comp_size == 0)
     695           3 :                 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
     696             : 
     697       18545 :         comp_ptr = &data[pos];
     698       18545 :         DECR_LEN(len, comp_size);
     699       18540 :         pos += comp_size;
     700             : 
     701       18540 :         ext_ptr = &data[pos];
     702       18540 :         ext_size = len;
     703             : 
     704             :         /* Parse only the mandatory to read extensions for resumption
     705             :          * and version negotiation. We don't want to parse any other
     706             :          * extensions since  we don't want new extension values to override
     707             :          * the resumed ones. */
     708       18540 :         ret =
     709       18540 :             _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
     710             :                                            GNUTLS_EXT_VERSION_NEG,
     711             :                                            ext_ptr, ext_size);
     712       18540 :         if (ret < 0)
     713         726 :                 return gnutls_assert_val(ret);
     714             : 
     715       18107 :         ret =
     716       18107 :             _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
     717             :                                            GNUTLS_EXT_MANDATORY,
     718             :                                            ext_ptr, ext_size);
     719       18107 :         if (ret < 0)
     720         644 :                 return gnutls_assert_val(ret);
     721             : 
     722       17502 :         vers = get_version(session);
     723       17502 :         if (unlikely(vers == NULL))
     724           0 :                 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
     725             : 
     726       17502 :         if (!vers->tls13_sem) {
     727       11403 :                 ret =
     728       11403 :                     _gnutls_server_restore_session(session, session_id,
     729             :                                                    session_id_len);
     730             : 
     731       11403 :                 if (session_id_len > 0)
     732        1771 :                         session->internals.resumption_requested = 1;
     733             : 
     734       11403 :                 if (ret == 0) {         /* resumed using default TLS resumption! */
     735         487 :                         ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 1);
     736         487 :                         if (ret < 0)
     737           0 :                                 return gnutls_assert_val(ret);
     738             : 
     739         487 :                         ret = tls12_resume_copy_required_vals(session, 0);
     740         487 :                         if (ret < 0)
     741           0 :                                 return gnutls_assert_val(ret);
     742             : 
     743         487 :                         session->internals.resumed = RESUME_TRUE;
     744             : 
     745         487 :                         return _gnutls_user_hello_func(session, major, minor);
     746             :                 } else {
     747       10916 :                         ret = _gnutls_generate_session_id(session->security_parameters.
     748             :                                                           session_id,
     749             :                                                           &session->security_parameters.
     750             :                                                           session_id_size);
     751       10916 :                         if (ret < 0)
     752           0 :                                 return gnutls_assert_val(ret);
     753             : 
     754       10916 :                         session->internals.resumed = RESUME_FALSE;
     755             :                 }
     756             :         } else { /* TLS1.3 */
     757             :                 /* we echo client's session ID - length was checked previously */
     758        6099 :                 assert(session_id_len <= GNUTLS_MAX_SESSION_ID_SIZE);
     759        6099 :                 if (session_id_len > 0)
     760        3333 :                         memcpy(session->security_parameters.session_id, session_id, session_id_len);
     761        6099 :                 session->security_parameters.session_id_size = session_id_len;
     762             :         }
     763             : 
     764             :         /* Parse the extensions (if any)
     765             :          *
     766             :          * Unconditionally try to parse extensions; safe renegotiation uses them in
     767             :          * sslv3 and higher, even though sslv3 doesn't officially support them.
     768             :          */
     769       17015 :         ret = _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
     770             :                                              GNUTLS_EXT_APPLICATION,
     771             :                                              ext_ptr, ext_size);
     772             :         /* len is the rest of the parsed length */
     773       17015 :         if (ret < 0) {
     774           3 :                 gnutls_assert();
     775           3 :                 return ret;
     776             :         }
     777             : 
     778             :         /* we cache this error code */
     779       17012 :         sret = _gnutls_user_hello_func(session, major, minor);
     780       17012 :         if (sret < 0 && sret != GNUTLS_E_INT_RET_0) {
     781           2 :                 gnutls_assert();
     782           2 :                 return sret;
     783             :         }
     784             : 
     785             :         /* Session tickets are parsed in this point */
     786       17010 :         ret =
     787       17010 :             _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
     788             :                                            GNUTLS_EXT_TLS, ext_ptr, ext_size);
     789       17010 :         if (ret < 0) {
     790         833 :                 gnutls_assert();
     791         833 :                 return ret;
     792             :         }
     793             : 
     794             :         /* resumed by session_ticket extension */
     795       16177 :         if (!vers->tls13_sem && session->internals.resumed != RESUME_FALSE) {
     796         295 :                 session->internals.resumed_security_parameters.
     797         295 :                     max_record_recv_size =
     798         295 :                     session->security_parameters.max_record_recv_size;
     799         295 :                 session->internals.resumed_security_parameters.
     800         295 :                     max_record_send_size =
     801         295 :                     session->security_parameters.max_record_send_size;
     802             : 
     803         295 :                 ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 1);
     804         295 :                 if (ret < 0)
     805           0 :                         return gnutls_assert_val(ret);
     806             : 
     807         295 :                 ret = tls12_resume_copy_required_vals(session, 1);
     808         295 :                 if (ret < 0)
     809           0 :                         return gnutls_assert_val(ret);
     810             : 
     811             :                 /* to indicate to the client that the current session is resumed */
     812         295 :                 memcpy(session->security_parameters.session_id, session_id, session_id_len);
     813         295 :                 session->security_parameters.session_id_size = session_id_len;
     814             : 
     815         295 :                 return 0;
     816             :         }
     817             : 
     818             :         /* select an appropriate cipher suite (as well as certificate)
     819             :          */
     820       15882 :         ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 0);
     821       15882 :         if (ret < 0) {
     822         836 :                 gnutls_assert();
     823         836 :                 return ret;
     824             :         }
     825             : 
     826             :         /* Only at this point we know the version we are actually going to use
     827             :          * ("supported_versions" extension is parsed, user_hello_func is called,
     828             :          * legacy version negotiation is done). */
     829       15046 :         vers = get_version(session);
     830       15046 :         if (unlikely(vers == NULL))
     831           0 :                 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
     832             : 
     833       15046 :         if (_gnutls_version_priority(session, vers->id) < 0)
     834           1 :                 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
     835             : 
     836       15045 :         _gnutls_handshake_log("HSK[%p]: Selected version %s\n", session, vers->name);
     837             : 
     838             :         /* select appropriate compression method */
     839       15045 :         ret =
     840       15045 :             check_if_null_comp_present(session, comp_ptr,
     841             :                                               comp_size);
     842       15045 :         if (ret < 0) {
     843          17 :                 gnutls_assert();
     844          17 :                 return ret;
     845             :         }
     846             : 
     847             :         /* call extensions that are intended to be parsed after the ciphersuite/cert
     848             :          * are known. */
     849       15028 :         ret =
     850       15028 :             _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
     851             :                                      _GNUTLS_EXT_TLS_POST_CS, ext_ptr, ext_size);
     852       15028 :         if (ret < 0) {
     853         360 :                 gnutls_assert();
     854         360 :                 return ret;
     855             :         }
     856             : 
     857             :         /* Calculate TLS 1.3 Early Secret */
     858       14668 :         if (session->security_parameters.pversion->tls13_sem &&
     859        5158 :             !(session->internals.hsk_flags & HSK_PSK_SELECTED)) {
     860        3698 :                 ret = _tls13_init_secret(session, NULL, 0);
     861        3698 :                 if (ret < 0)
     862           0 :                         return gnutls_assert_val(ret);
     863             :         }
     864             : 
     865       14668 :         ret = set_auth_types(session);
     866       14668 :         if (ret < 0) {
     867          54 :                 gnutls_assert();
     868          54 :                 return ret;
     869             :         }
     870             : 
     871             :         return sret;
     872             : }
     873             : 
     874             : /* This is to be called after sending CHANGE CIPHER SPEC packet
     875             :  * and initializing encryption. This is the first encrypted message
     876             :  * we send.
     877             :  */
     878        9015 : int _gnutls_send_finished(gnutls_session_t session, int again)
     879             : {
     880        9015 :         mbuffer_st *bufel;
     881        9015 :         uint8_t *data;
     882        9015 :         int ret;
     883        9015 :         size_t vdata_size = 0;
     884        9015 :         const version_entry_st *vers;
     885             : 
     886        9015 :         if (again == 0) {
     887        8980 :                 bufel =
     888        8980 :                     _gnutls_handshake_alloc(session,
     889             :                                             MAX_VERIFY_DATA_SIZE);
     890        8980 :                 if (bufel == NULL) {
     891           0 :                         gnutls_assert();
     892           0 :                         return GNUTLS_E_MEMORY_ERROR;
     893             :                 }
     894        8980 :                 data = _mbuffer_get_udata_ptr(bufel);
     895             : 
     896        8980 :                 vers = get_version(session);
     897        8980 :                 if (unlikely(vers == NULL))
     898           0 :                         return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     899             : 
     900             : #ifdef ENABLE_SSL3
     901             :                 if (vers->id == GNUTLS_SSL3) {
     902             :                         ret =
     903             :                             _gnutls_ssl3_finished(session,
     904             :                                                   session->
     905             :                                                   security_parameters.
     906             :                                                   entity, data, 1);
     907             :                         _mbuffer_set_udata_size(bufel, 36);
     908             :                 } else {        /* TLS 1.0+ */
     909             : #endif
     910       17960 :                         ret = _gnutls_finished(session,
     911             :                                                session->
     912        8980 :                                                security_parameters.entity,
     913             :                                                data, 1);
     914        8980 :                         _mbuffer_set_udata_size(bufel, 12);
     915             : #ifdef ENABLE_SSL3
     916             :                 }
     917             : #endif
     918             : 
     919        8980 :                 if (ret < 0) {
     920           0 :                         gnutls_assert();
     921           0 :                         return ret;
     922             :                 }
     923             : 
     924        8980 :                 vdata_size = _mbuffer_get_udata_size(bufel);
     925             : 
     926        8980 :                 ret =
     927        8980 :                     _gnutls_ext_sr_finished(session, data, vdata_size, 0);
     928        8980 :                 if (ret < 0) {
     929           0 :                         gnutls_assert();
     930           0 :                         return ret;
     931             :                 }
     932             : 
     933        8980 :                 if ((session->internals.resumed == RESUME_FALSE
     934        8084 :                      && session->security_parameters.entity ==
     935             :                      GNUTLS_CLIENT)
     936        7510 :                     || (session->internals.resumed != RESUME_FALSE
     937         896 :                         && session->security_parameters.entity ==
     938             :                         GNUTLS_SERVER)) {
     939             :                         /* if we are a client not resuming - or we are a server resuming */
     940        2252 :                         _gnutls_handshake_log
     941             :                             ("HSK[%p]: recording tls-unique CB (send)\n",
     942             :                              session);
     943        2252 :                         memcpy(session->internals.cb_tls_unique, data,
     944             :                                vdata_size);
     945        2252 :                         session->internals.cb_tls_unique_len = vdata_size;
     946             :                 }
     947             : 
     948        8980 :                 ret =
     949        8980 :                     _gnutls_send_handshake(session, bufel,
     950             :                                            GNUTLS_HANDSHAKE_FINISHED);
     951             :         } else {
     952          35 :                 ret =
     953          35 :                     _gnutls_send_handshake(session, NULL,
     954             :                                            GNUTLS_HANDSHAKE_FINISHED);
     955             :         }
     956             : 
     957             :         return ret;
     958             : }
     959             : 
     960             : /* This is to be called after sending our finished message. If everything
     961             :  * went fine we have negotiated a secure connection
     962             :  */
     963        9348 : int _gnutls_recv_finished(gnutls_session_t session)
     964             : {
     965        9348 :         uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
     966        9348 :         gnutls_buffer_st buf;
     967        9348 :         int data_size;
     968        9348 :         int ret;
     969        9348 :         int vrfy_size;
     970        9348 :         const version_entry_st *vers = get_version(session);
     971             : 
     972        9348 :         if (unlikely(vers == NULL))
     973           0 :                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     974             : 
     975        9348 :         ret =
     976        9348 :             _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_FINISHED,
     977             :                                    0, &buf);
     978        9348 :         if (ret < 0) {
     979         503 :                 gnutls_assert();
     980         503 :                 return ret;
     981             :         }
     982             : 
     983        8845 :         vrfy = buf.data;
     984        8845 :         vrfy_size = buf.length;
     985             : 
     986             : #ifdef ENABLE_SSL3
     987             :         if (vers->id == GNUTLS_SSL3)
     988             :                 data_size = 36;
     989             :         else
     990             : #endif
     991        8845 :                 data_size = 12;
     992             : 
     993        8845 :         if (vrfy_size != data_size) {
     994           2 :                 gnutls_assert();
     995           2 :                 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
     996           2 :                 goto cleanup;
     997             :         }
     998             : 
     999             : #ifdef ENABLE_SSL3
    1000             :         if (vers->id == GNUTLS_SSL3) {
    1001             :                 ret =
    1002             :                     _gnutls_ssl3_finished(session,
    1003             :                                           (session->security_parameters.
    1004             :                                            entity + 1) % 2, data, 0);
    1005             :         } else /* TLS 1.0+ */
    1006             : #endif
    1007        8843 :                 ret =
    1008       17686 :                     _gnutls_finished(session,
    1009        8843 :                                      (session->security_parameters.entity +
    1010        8843 :                                       1) % 2, data, 0);
    1011             : 
    1012        8843 :         if (ret < 0) {
    1013           0 :                 gnutls_assert();
    1014           0 :                 goto cleanup;
    1015             :         }
    1016             : 
    1017             : #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
    1018             :         /* When fuzzying allow to proceed without verifying the handshake
    1019             :          * consistency */
    1020             :         (void) vrfy;
    1021             : # warning This is unsafe for production builds
    1022             : 
    1023             : #else
    1024        8843 :         if (memcmp(vrfy, data, data_size) != 0) {
    1025           8 :                 gnutls_assert();
    1026           8 :                 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
    1027           8 :                 goto cleanup;
    1028             :         }
    1029             : #endif
    1030             : 
    1031        8835 :         ret = _gnutls_ext_sr_finished(session, data, data_size, 1);
    1032        8835 :         if (ret < 0) {
    1033           0 :                 gnutls_assert();
    1034           0 :                 goto cleanup;
    1035             :         }
    1036             : 
    1037        8835 :         if ((session->internals.resumed != RESUME_FALSE
    1038         895 :              && session->security_parameters.entity == GNUTLS_CLIENT)
    1039        8721 :             || (session->internals.resumed == RESUME_FALSE
    1040        7940 :                 && session->security_parameters.entity == GNUTLS_SERVER)) {
    1041             :                 /* if we are a client resuming - or we are a server not resuming */
    1042        6728 :                 _gnutls_handshake_log
    1043             :                     ("HSK[%p]: recording tls-unique CB (recv)\n", session);
    1044        6728 :                 memcpy(session->internals.cb_tls_unique, data, data_size);
    1045        6728 :                 session->internals.cb_tls_unique_len = data_size;
    1046             :         }
    1047             : 
    1048             : 
    1049        2107 :       cleanup:
    1050        8845 :         _gnutls_buffer_clear(&buf);
    1051             : 
    1052        8845 :         return ret;
    1053             : }
    1054             : 
    1055             : /* This selects the best supported ciphersuite from the given ones. Then
    1056             :  * it adds the suite to the session and performs some checks.
    1057             :  *
    1058             :  * When @scsv_only is non-zero only the available SCSVs are parsed
    1059             :  * and acted upon.
    1060             :  */
    1061             : int
    1062       17337 : _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
    1063             :                             unsigned int datalen, unsigned scsv_only)
    1064             : {
    1065       17337 :         int ret;
    1066       17337 :         unsigned int i;
    1067       17337 :         ciphersuite_list_st peer_clist;
    1068       17337 :         const gnutls_cipher_suite_entry_st *selected;
    1069       17337 :         gnutls_kx_algorithm_t kx;
    1070       17337 :         int retval;
    1071       17337 :         const version_entry_st *vers = get_version(session);
    1072             : 
    1073       17337 :         peer_clist.size = 0;
    1074             : 
    1075      229347 :         for (i = 0; i < datalen; i += 2) {
    1076             :                 /* we support the TLS renegotiation SCSV, even if we are
    1077             :                  * not under SSL 3.0, because openssl sends this SCSV
    1078             :                  * on resumption unconditionally. */
    1079             :                 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
    1080      212044 :                 if (session->internals.priorities->sr != SR_DISABLED &&
    1081      211251 :                     data[i] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
    1082       54702 :                     data[i + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) {
    1083        8399 :                         _gnutls_handshake_log
    1084             :                             ("HSK[%p]: Received safe renegotiation CS\n",
    1085             :                              session);
    1086        8399 :                         retval = _gnutls_ext_sr_recv_cs(session);
    1087        8399 :                         if (retval < 0) {
    1088           0 :                                 gnutls_assert();
    1089           0 :                                 return retval;
    1090             :                         }
    1091             :                 }
    1092             : 
    1093             :                 /* TLS_FALLBACK_SCSV */
    1094      212044 :                 if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR &&
    1095        2098 :                     data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) {
    1096        1160 :                         const version_entry_st *max = _gnutls_version_max(session);
    1097             : 
    1098        1160 :                         _gnutls_handshake_log
    1099             :                             ("HSK[%p]: Received fallback CS\n",
    1100             :                              session);
    1101             : 
    1102        1160 :                         if (vers != max)
    1103          53 :                                 return gnutls_assert_val(GNUTLS_E_INAPPROPRIATE_FALLBACK);
    1104      210884 :                 } else if (!scsv_only) {
    1105      203489 :                         if (peer_clist.size < MAX_CIPHERSUITE_SIZE) {
    1106      203239 :                                 peer_clist.entry[peer_clist.size] = ciphersuite_to_entry(&data[i]);
    1107      203239 :                                 if (peer_clist.entry[peer_clist.size] != NULL)
    1108       97754 :                                         peer_clist.size++;
    1109             :                         }
    1110             :                 }
    1111             :         }
    1112             : 
    1113       17303 :         if (scsv_only)
    1114             :                 return 0;
    1115             : 
    1116       16521 :         ret = _gnutls_figure_common_ciphersuite(session, &peer_clist, &selected);
    1117       16521 :         if (ret < 0) {
    1118        1094 :                 return gnutls_assert_val(ret);
    1119             :         }
    1120             : 
    1121       15608 :         _gnutls_handshake_log
    1122             :                     ("HSK[%p]: Selected cipher suite: %s\n", session, selected->name);
    1123             : 
    1124       15608 :         ret = _gnutls_set_cipher_suite2(session, selected);
    1125       15608 :         if (ret < 0) {
    1126           1 :                 gnutls_assert();
    1127           1 :                 return ret;
    1128             :         }
    1129             : 
    1130       15607 :         if (!vers->tls13_sem) {
    1131             :                 /* check if the credentials (username, public key etc.) are ok
    1132             :                  */
    1133       10142 :                 kx = selected->kx_algorithm;
    1134       10142 :                 if (_gnutls_get_kx_cred(session, kx) == NULL) {
    1135          31 :                         gnutls_assert();
    1136          31 :                         return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
    1137             :                 }
    1138             : 
    1139             :                 /* set the mod_auth_st to the appropriate struct
    1140             :                  * according to the KX algorithm. This is needed since all the
    1141             :                  * handshake functions are read from there;
    1142             :                  */
    1143       10111 :                 session->internals.auth_struct = _gnutls_kx_auth_struct(kx);
    1144       10111 :                 if (session->internals.auth_struct == NULL) {
    1145           0 :                         _gnutls_handshake_log
    1146             :                             ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
    1147             :                              session);
    1148           0 :                         gnutls_assert();
    1149           0 :                         return GNUTLS_E_INTERNAL_ERROR;
    1150             :                 }
    1151             :         }
    1152             : 
    1153             :         return 0;
    1154             : 
    1155             : }
    1156             : 
    1157             : 
    1158             : /* This checks whether the null compression method is present.
    1159             :  */
    1160             : static int
    1161       15045 : check_if_null_comp_present(gnutls_session_t session,
    1162             :                           uint8_t * data, int datalen)
    1163             : {
    1164       15045 :         int j;
    1165             : 
    1166       16677 :         for (j = 0; j < datalen; j++) {
    1167       16660 :                 if (data[j] == 0)
    1168             :                         return 0;
    1169             :         }
    1170             : 
    1171             :         /* we were not able to find a the NULL compression
    1172             :          * algorithm
    1173             :          */
    1174          17 :         gnutls_assert();
    1175             :         return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
    1176             : 
    1177             : }
    1178             : 
    1179             : /* This function sends an empty handshake packet. (like hello request).
    1180             :  * If the previous _gnutls_send_empty_handshake() returned
    1181             :  * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
    1182             :  * (until it returns ok), with NULL parameters.
    1183             :  */
    1184             : static int
    1185     6989030 : _gnutls_send_empty_handshake(gnutls_session_t session,
    1186             :                              gnutls_handshake_description_t type,
    1187             :                              int again)
    1188             : {
    1189     6989030 :         mbuffer_st *bufel;
    1190             : 
    1191     6989030 :         if (again == 0) {
    1192       10028 :                 bufel = _gnutls_handshake_alloc(session, 0);
    1193       10028 :                 if (bufel == NULL) {
    1194           0 :                         gnutls_assert();
    1195           0 :                         return GNUTLS_E_MEMORY_ERROR;
    1196             :                 }
    1197             :         } else
    1198             :                 bufel = NULL;
    1199             : 
    1200     6989030 :         return _gnutls_send_handshake(session, bufel, type);
    1201             : }
    1202             : 
    1203      302371 : int _gnutls_call_hook_func(gnutls_session_t session,
    1204             :                            gnutls_handshake_description_t type,
    1205             :                            int post, unsigned incoming,
    1206             :                            const uint8_t *data, unsigned data_size)
    1207             : {
    1208      302371 :         gnutls_datum_t msg = {(void*)data, data_size};
    1209             : 
    1210      302371 :         if (session->internals.h_hook != NULL) {
    1211        3618 :                 if ((session->internals.h_type == type
    1212        3422 :                      || session->internals.h_type == GNUTLS_HANDSHAKE_ANY)
    1213        1914 :                     && (session->internals.h_post == post
    1214        1486 :                         || session->internals.h_post == GNUTLS_HOOK_BOTH)) {
    1215             : 
    1216             :                         /* internal API for testing: when we are expected to
    1217             :                          * wait for GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, we
    1218             :                          * do so, but not when doing for all messages. The
    1219             :                          * reason is that change cipher specs are not handshake
    1220             :                          * messages, and we don't support waiting for them
    1221             :                          * consistently (only sending is tracked, not receiving).
    1222             :                          */
    1223        1486 :                         if (type == GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC &&
    1224             :                             session->internals.h_type != GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC)
    1225             :                                 return 0;
    1226             : 
    1227        1342 :                         return session->internals.h_hook(session, type,
    1228             :                                                          post, incoming, &msg);
    1229             :                 }
    1230             :         }
    1231             :         return 0;
    1232             : }
    1233             : 
    1234             : /* Note that the "New session ticket" handshake packet behaves differently under
    1235             :  * TLS 1.2 or 1.3. In 1.2 it is included in the handshake process, while in 1.3
    1236             :  * it is sent asynchronously */
    1237             : #define IS_ASYNC(t, v) \
    1238             :         (t == GNUTLS_HANDSHAKE_HELLO_REQUEST || t == GNUTLS_HANDSHAKE_KEY_UPDATE || \
    1239             :          (t == GNUTLS_HANDSHAKE_NEW_SESSION_TICKET && v->tls13_sem))
    1240             : 
    1241             : int
    1242    74912000 : _gnutls_send_handshake(gnutls_session_t session, mbuffer_st * bufel,
    1243             :                        gnutls_handshake_description_t type)
    1244             : {
    1245    74912000 :         return _gnutls_send_handshake2(session, bufel, type, 0);
    1246             : }
    1247             : 
    1248             : /* This function sends a handshake message of type 'type' containing the
    1249             :  * data specified here. If the previous _gnutls_send_handshake() returned
    1250             :  * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
    1251             :  * (until it returns ok), with NULL parameters.
    1252             :  */
    1253             : int
    1254    74918800 : _gnutls_send_handshake2(gnutls_session_t session, mbuffer_st * bufel,
    1255             :                         gnutls_handshake_description_t type, unsigned queue_only)
    1256             : {
    1257    74918800 :         int ret;
    1258    74918800 :         uint8_t *data;
    1259    74918800 :         uint32_t datasize, i_datasize;
    1260    74918800 :         int pos = 0;
    1261    74918800 :         const version_entry_st *vers = get_version(session);
    1262             : 
    1263    74918800 :         if (bufel == NULL) {
    1264             :                 /* we are resuming a previously interrupted
    1265             :                  * send.
    1266             :                  */
    1267    74836000 :                 ret = _gnutls_handshake_io_write_flush(session);
    1268    74836000 :                 return ret;
    1269             : 
    1270             :         }
    1271             : 
    1272             :         /* first run */
    1273       82803 :         data = _mbuffer_get_uhead_ptr(bufel);
    1274       82803 :         i_datasize = _mbuffer_get_udata_size(bufel);
    1275       82803 :         datasize = i_datasize + _mbuffer_get_uhead_size(bufel);
    1276             : 
    1277       82803 :         data[pos++] = (uint8_t) REAL_HSK_TYPE(type);
    1278       82803 :         _gnutls_write_uint24(_mbuffer_get_udata_size(bufel), &data[pos]);
    1279       82803 :         pos += 3;
    1280             : 
    1281             :         /* Add DTLS handshake fragment headers.  The message will be
    1282             :          * fragmented later by the fragmentation sub-layer. All fields must
    1283             :          * be set properly for HMAC. The HMAC requires we pretend that the
    1284             :          * message was sent in a single fragment. */
    1285       82803 :         if (IS_DTLS(session)) {
    1286        2382 :                 _gnutls_write_uint16(session->internals.dtls.
    1287        2382 :                                      hsk_write_seq++, &data[pos]);
    1288        2382 :                 pos += 2;
    1289             : 
    1290             :                 /* Fragment offset */
    1291        2382 :                 _gnutls_write_uint24(0, &data[pos]);
    1292        2382 :                 pos += 3;
    1293             : 
    1294             :                 /* Fragment length */
    1295        2382 :                 _gnutls_write_uint24(i_datasize, &data[pos]);
    1296             :                 /* pos += 3; */
    1297             :         }
    1298             : 
    1299      127092 :         _gnutls_handshake_log("HSK[%p]: %s was queued [%ld bytes]\n",
    1300             :                               session, _gnutls_handshake2str(type),
    1301             :                               (long) datasize);
    1302             : 
    1303             :         /* Here we keep the handshake messages in order to hash them...
    1304             :          */
    1305       82803 :         if (!IS_ASYNC(type, vers)) {
    1306      151686 :                 if ((ret =
    1307       75843 :                      handshake_hash_add_sent(session, type, data,
    1308             :                                                      datasize)) < 0) {
    1309           0 :                         gnutls_assert();
    1310           0 :                         _mbuffer_xfree(&bufel);
    1311           0 :                         return ret;
    1312             :                 }
    1313             :                 /* If we are sending a PSK, generate early secrets here.
    1314             :                  * This cannot be done in pre_shared_key.c, because it
    1315             :                  * relies on transcript hash of a Client Hello. */
    1316       75843 :                 if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO &&
    1317        3747 :                     session->key.binders[0].prf != NULL) {
    1318         506 :                         ret = _gnutls_generate_early_secrets_for_psk(session);
    1319         506 :                         if (ret < 0) {
    1320           0 :                                 gnutls_assert();
    1321           0 :                                 _mbuffer_xfree(&bufel);
    1322           0 :                                 return ret;
    1323             :                         }
    1324             :                 }
    1325             :         }
    1326             : 
    1327      165606 :         ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_PRE, 0,
    1328       82803 :                                      _mbuffer_get_udata_ptr(bufel), _mbuffer_get_udata_size(bufel));
    1329       82803 :         if (ret < 0) {
    1330           0 :                 gnutls_assert();
    1331           0 :                 _mbuffer_xfree(&bufel);
    1332           0 :                 return ret;
    1333             :         }
    1334             : 
    1335       82803 :         session->internals.last_handshake_out = type;
    1336             : 
    1337       82803 :         ret = _gnutls_handshake_io_cache_int(session, type, bufel);
    1338       82803 :         if (ret < 0) {
    1339           0 :                 _mbuffer_xfree(&bufel);
    1340           0 :                 gnutls_assert();
    1341           0 :                 return ret;
    1342             :         }
    1343             : 
    1344      165606 :         ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_POST, 0,
    1345       82803 :                                       _mbuffer_get_udata_ptr(bufel), _mbuffer_get_udata_size(bufel));
    1346       82803 :         if (ret < 0) {
    1347          14 :                 gnutls_assert();
    1348          14 :                 return ret;
    1349             :         }
    1350             : 
    1351       82789 :         if (queue_only)
    1352             :                 return 0;
    1353             : 
    1354             :         /* Decide when to cache and when to send */
    1355       75934 :         if (vers && vers->tls13_sem) {
    1356             : 
    1357       23683 :                 if (session->internals.initial_negotiation_completed) {
    1358             :                         /* we are under TLS1.3 in a re-authentication phase.
    1359             :                          * we don't attempt to cache any messages */
    1360          80 :                         goto force_send;
    1361             :                 }
    1362             : 
    1363             :                 /* The messages which are followed by another are not sent by default
    1364             :                  * but are cached instead */
    1365       23603 :                 switch (type) {
    1366             :                 case GNUTLS_HANDSHAKE_SERVER_HELLO:     /* always followed by something */
    1367             :                 case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS: /* followed by finished or cert */
    1368             :                 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:  /* followed by certificate */
    1369             :                 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:  /* this one is followed by cert verify */
    1370             :                 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: /* followed by finished */
    1371             :                         ret = 0; /* cache */
    1372             :                         break;
    1373        5749 :                 default:
    1374             :                         /* send this and any cached messages */
    1375        5749 :                         goto force_send;
    1376             :                 }
    1377             :         } else {
    1378             :                 /* The messages which are followed by another are not sent by default
    1379             :                  * but are cached instead */
    1380       52251 :                 switch (type) {
    1381             :                 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:  /* this one is followed by ServerHelloDone
    1382             :                                                          * or ClientKeyExchange always.
    1383             :                                                          */
    1384             :                 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
    1385             :                 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:      /* as above */
    1386             :                 case GNUTLS_HANDSHAKE_SERVER_HELLO:     /* as above */
    1387             :                 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:      /* as above */
    1388             :                 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:       /* followed by ChangeCipherSpec */
    1389             : 
    1390             :                         /* now for client Certificate, ClientKeyExchange and
    1391             :                          * CertificateVerify are always followed by ChangeCipherSpec
    1392             :                          */
    1393             :                 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
    1394             :                 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
    1395             :                         ret = 0;
    1396             :                         break;
    1397       22761 :                 default:
    1398             :                         /* send this and any cached messages */
    1399       22761 :                         goto force_send;
    1400             :                 }
    1401             :         }
    1402             : 
    1403             :         return ret;
    1404             : 
    1405       28590 :  force_send:
    1406       28590 :         return _gnutls_handshake_io_write_flush(session);
    1407             : }
    1408             : 
    1409             : #define CHECK_SIZE(ll) \
    1410             :   if ((session->internals.max_handshake_data_buffer_size > 0) && \
    1411             :       (((ll) + session->internals.handshake_hash_buffer.length) > \
    1412             :        session->internals.max_handshake_data_buffer_size)) { \
    1413             :     _gnutls_debug_log("Handshake buffer length is %u (max: %u)\n", (unsigned)((ll) + session->internals.handshake_hash_buffer.length), (unsigned)session->internals.max_handshake_data_buffer_size); \
    1414             :     return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE); \
    1415             :     }
    1416             : 
    1417             : 
    1418             : /* This function add the handshake headers and the
    1419             :  * handshake data to the handshake hash buffers. Needed
    1420             :  * for the finished messages calculations.
    1421             :  */
    1422             : static int
    1423       55256 : handshake_hash_add_recvd(gnutls_session_t session,
    1424             :                                  gnutls_handshake_description_t recv_type,
    1425             :                                  uint8_t * header, uint16_t header_size,
    1426             :                                  uint8_t * dataptr, uint32_t datalen)
    1427             : {
    1428       55256 :         int ret;
    1429       55256 :         const version_entry_st *vers = get_version(session);
    1430             : 
    1431       55256 :         if (unlikely(vers == NULL))
    1432           0 :                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
    1433             : 
    1434       55256 :         if ((vers->id != GNUTLS_DTLS0_9 &&
    1435       55229 :              recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST) ||
    1436       55229 :              IS_ASYNC(recv_type, vers))
    1437             :                 return 0;
    1438             : 
    1439       55230 :         CHECK_SIZE(header_size + datalen);
    1440             : 
    1441       55222 :         session->internals.handshake_hash_buffer_prev_len =
    1442       55222 :             session->internals.handshake_hash_buffer.length;
    1443             : 
    1444       55222 :         if (vers->id != GNUTLS_DTLS0_9) {
    1445       55205 :                 ret =
    1446       55205 :                     _gnutls_buffer_append_data(&session->internals.
    1447             :                                                handshake_hash_buffer,
    1448             :                                                header, header_size);
    1449       55205 :                 if (ret < 0)
    1450           0 :                         return gnutls_assert_val(ret);
    1451             :         }
    1452       55222 :         if (datalen > 0) {
    1453       53710 :                 ret =
    1454       53710 :                     _gnutls_buffer_append_data(&session->internals.
    1455             :                                                handshake_hash_buffer,
    1456             :                                                dataptr, datalen);
    1457       53710 :                 if (ret < 0)
    1458           0 :                         return gnutls_assert_val(ret);
    1459             :         }
    1460             : 
    1461             :         /* save the size until client KX. That is because the TLS
    1462             :          * session hash is calculated up to this message.
    1463             :          */
    1464       55222 :         if (recv_type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
    1465       18659 :                 session->internals.handshake_hash_buffer_client_hello_len =
    1466       18659 :                         session->internals.handshake_hash_buffer.length;
    1467       55222 :         if (recv_type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
    1468        7762 :                 session->internals.handshake_hash_buffer_client_kx_len =
    1469        7762 :                         session->internals.handshake_hash_buffer.length;
    1470       55222 :         if (recv_type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_CLIENT)
    1471        2009 :                 session->internals.handshake_hash_buffer_server_finished_len =
    1472        2009 :                         session->internals.handshake_hash_buffer.length;
    1473       55222 :         if (recv_type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_SERVER)
    1474       12423 :                 session->internals.handshake_hash_buffer_client_finished_len =
    1475       12423 :                         session->internals.handshake_hash_buffer.length;
    1476             : 
    1477             :         return 0;
    1478             : }
    1479             : 
    1480             : /* This function will store the handshake message we sent.
    1481             :  */
    1482             : static int
    1483       75843 : handshake_hash_add_sent(gnutls_session_t session,
    1484             :                                 gnutls_handshake_description_t type,
    1485             :                                 uint8_t * dataptr, uint32_t datalen)
    1486             : {
    1487       75843 :         int ret;
    1488       75843 :         const version_entry_st *vers = get_version(session);
    1489             : 
    1490       75843 :         if (unlikely(vers == NULL))
    1491           0 :                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
    1492             : 
    1493       75843 :         if (IS_ASYNC(type, vers))
    1494             :                 return 0;
    1495             : 
    1496       75843 :         CHECK_SIZE(datalen);
    1497             : 
    1498       75843 :         if (vers->id == GNUTLS_DTLS0_9) {
    1499             :                 /* Old DTLS doesn't include the header in the MAC */
    1500          17 :                 if (datalen < 12) {
    1501           0 :                         gnutls_assert();
    1502           0 :                         return GNUTLS_E_INTERNAL_ERROR;
    1503             :                 }
    1504          17 :                 dataptr += 12;
    1505          17 :                 datalen -= 12;
    1506             : 
    1507          17 :                 if (datalen == 0)
    1508             :                         return 0;
    1509             :         }
    1510             : 
    1511       75842 :         ret =
    1512       75842 :             _gnutls_buffer_append_data(&session->internals.
    1513             :                                        handshake_hash_buffer,
    1514             :                                        dataptr, datalen);
    1515       75842 :         if (ret < 0)
    1516           0 :                 return gnutls_assert_val(ret);
    1517             : 
    1518       75842 :         if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
    1519        3747 :                 session->internals.handshake_hash_buffer_client_hello_len =
    1520        3747 :                         session->internals.handshake_hash_buffer.length;
    1521       75842 :         if (type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
    1522        1473 :                 session->internals.handshake_hash_buffer_client_kx_len =
    1523        1473 :                         session->internals.handshake_hash_buffer.length;
    1524       75842 :         if (type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_SERVER)
    1525       12486 :                 session->internals.handshake_hash_buffer_server_finished_len =
    1526       12486 :                         session->internals.handshake_hash_buffer.length;
    1527       75842 :         if (type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_CLIENT)
    1528        2154 :                 session->internals.handshake_hash_buffer_client_finished_len =
    1529        2154 :                         session->internals.handshake_hash_buffer.length;
    1530             : 
    1531             :         return 0;
    1532             : }
    1533             : 
    1534             : /* This function will receive handshake messages of the given types,
    1535             :  * and will pass the message to the right place in order to be processed.
    1536             :  * E.g. for the SERVER_HELLO message (if it is expected), it will be
    1537             :  * passed to _gnutls_recv_hello().
    1538             :  */
    1539             : int
    1540    19836700 : _gnutls_recv_handshake(gnutls_session_t session,
    1541             :                        gnutls_handshake_description_t type,
    1542             :                        unsigned int optional, gnutls_buffer_st * buf)
    1543             : {
    1544    19836700 :         int ret, ret2;
    1545    19836700 :         handshake_buffer_st hsk;
    1546             : 
    1547    19836700 :         ret = _gnutls_handshake_io_recv_int(session, type, &hsk, optional);
    1548    19836700 :         if (ret < 0) {
    1549    19781400 :                 if (optional != 0
    1550    19781400 :                     && ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET) {
    1551        4236 :                         if (buf)
    1552        1072 :                                 _gnutls_buffer_init(buf);
    1553        4236 :                         return 0;
    1554             :                 }
    1555             : 
    1556    19780400 :                 return gnutls_assert_val_fatal(ret);
    1557             :         }
    1558       55232 :         session->internals.last_handshake_in = hsk.htype;
    1559             : 
    1560       55232 :         ret = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_PRE, 1, hsk.data.data, hsk.data.length);
    1561       55232 :         if (ret < 0) {
    1562           0 :                 gnutls_assert();
    1563           0 :                 goto cleanup;
    1564             :         }
    1565             : 
    1566      110464 :         ret = handshake_hash_add_recvd(session, hsk.rtype,
    1567       55232 :                                        hsk.header, hsk.header_size,
    1568             :                                        hsk.data.data,
    1569       55232 :                                        hsk.data.length);
    1570       55232 :         if (ret < 0) {
    1571           7 :                 gnutls_assert();
    1572           7 :                 goto cleanup;
    1573             :         }
    1574             : 
    1575       55225 :         switch (hsk.htype) {
    1576       19394 :         case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
    1577             :         case GNUTLS_HANDSHAKE_CLIENT_HELLO:
    1578       19394 :                 if (!(IS_SERVER(session))) {
    1579           0 :                         ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
    1580           0 :                         goto cleanup;
    1581             :                 }
    1582             : 
    1583             : #ifdef ENABLE_SSL2
    1584       19394 :                 if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
    1585         735 :                         ret =
    1586         735 :                             _gnutls_read_client_hello_v2(session,
    1587             :                                                          hsk.data.data,
    1588         735 :                                                          hsk.data.length);
    1589             :                 else
    1590             : #endif
    1591             :                 {
    1592             :                         /* Reference the full ClientHello in case an extension needs it */
    1593       18659 :                         ret = _gnutls_ext_set_full_client_hello(session, &hsk);
    1594       18659 :                         if (ret < 0)
    1595           0 :                                 return gnutls_assert_val(ret);
    1596             : 
    1597       18659 :                         ret = read_client_hello(session, hsk.data.data,
    1598       18659 :                                                 hsk.data.length);
    1599             :                 }
    1600             : 
    1601       19394 :                 if (ret < 0) {
    1602        3483 :                         gnutls_assert();
    1603        3483 :                         goto cleanup;
    1604             :                 }
    1605             : 
    1606             :                 break;
    1607             : 
    1608        3093 :         case GNUTLS_HANDSHAKE_SERVER_HELLO:
    1609        3093 :                 if (IS_SERVER(session)) {
    1610           0 :                         ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
    1611           0 :                         goto cleanup;
    1612             :                 }
    1613             : 
    1614        6186 :                 ret = read_server_hello(session, hsk.data.data,
    1615        3093 :                                         hsk.data.length);
    1616             : 
    1617        3093 :                 if (ret < 0) {
    1618         324 :                         gnutls_assert();
    1619         324 :                         goto cleanup;
    1620             :                 }
    1621             : 
    1622             :                 break;
    1623          27 :         case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST:
    1624          27 :                 if (IS_SERVER(session)) {
    1625           0 :                         ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
    1626           0 :                         goto cleanup;
    1627             :                 }
    1628             : 
    1629          27 :                 ret =
    1630          54 :                     recv_hello_verify_request(session,
    1631             :                                               hsk.data.data,
    1632          27 :                                               hsk.data.length);
    1633          27 :                 if (ret < 0) {
    1634           0 :                         gnutls_assert();
    1635           0 :                         goto cleanup;
    1636             :                 } else {
    1637             :                         /* Signal our caller we have received a verification cookie
    1638             :                            and ClientHello needs to be sent again. */
    1639             :                         ret = 1;
    1640             :                 }
    1641             : 
    1642             :                 break;
    1643          24 :         case GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST: {
    1644             :                 /* hash buffer synth message is generated during hello retry parsing */
    1645          24 :                 gnutls_datum_t hrr = {hsk.data.data, hsk.data.length};
    1646             : 
    1647          24 :                 if (IS_SERVER(session)) {
    1648           0 :                         ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
    1649           0 :                         goto cleanup;
    1650             :                 }
    1651             : 
    1652          24 :                 ret =
    1653          24 :                     _gnutls13_recv_hello_retry_request(session,
    1654             :                                                        &hsk.data);
    1655          24 :                 if (ret < 0) {
    1656           0 :                         gnutls_assert();
    1657           0 :                         goto cleanup;
    1658             :                 } else {
    1659             :                         /* during hello retry parsing, we reset handshake hash buffer,
    1660             :                          * re-add this message */
    1661          48 :                         ret = handshake_hash_add_recvd(session, hsk.htype,
    1662          24 :                                                        hsk.header, hsk.header_size,
    1663             :                                                        hrr.data,
    1664             :                                                        hrr.size);
    1665          24 :                         if (ret < 0) {
    1666           0 :                                 gnutls_assert();
    1667           0 :                                 goto cleanup;
    1668             :                         }
    1669             : 
    1670             :                         /* Signal our caller we have received a retry request
    1671             :                            and ClientHello needs to be sent again. */
    1672       51415 :                         ret = 1;
    1673             :                 }
    1674             : 
    1675             :                 break;
    1676             :         }
    1677        1483 :         case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
    1678        1483 :                 if (hsk.data.length == 0)
    1679             :                         ret = 0;
    1680             :                 else {
    1681           3 :                         gnutls_assert();
    1682           3 :                         ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
    1683           3 :                         goto cleanup;
    1684             :                 }
    1685             :                 break;
    1686       31204 :         case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
    1687             :         case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
    1688             :         case GNUTLS_HANDSHAKE_FINISHED:
    1689             :         case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS:
    1690             :         case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
    1691             :         case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
    1692             :         case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
    1693             :         case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
    1694             :         case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
    1695             :         case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
    1696             :         case GNUTLS_HANDSHAKE_END_OF_EARLY_DATA:
    1697       31204 :                 ret = hsk.data.length;
    1698       31204 :                 break;
    1699           0 :         default:
    1700           0 :                 gnutls_assert();
    1701             :                 /* we shouldn't actually arrive here in any case .
    1702             :                  * unexpected messages should be caught after _gnutls_handshake_io_recv_int()
    1703             :                  */
    1704           0 :                 ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
    1705           0 :                 goto cleanup;
    1706             :         }
    1707             : 
    1708       51415 :         ret2 = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_POST, 1, hsk.data.data, hsk.data.length);
    1709       51415 :         if (ret2 < 0) {
    1710           0 :                 ret = ret2;
    1711           0 :                 gnutls_assert();
    1712           0 :                 goto cleanup;
    1713             :         }
    1714             : 
    1715       51415 :         if (buf) {
    1716       31204 :                 *buf = hsk.data;
    1717       31204 :                 return ret;
    1718             :         }
    1719             : 
    1720       20211 :       cleanup:
    1721       24028 :         _gnutls_handshake_buffer_clear(&hsk);
    1722       24028 :         return ret;
    1723             : }
    1724             : 
    1725             : /* This function checks if the given cipher suite is supported, and sets it
    1726             :  * to the session;
    1727             :  */
    1728             : static int
    1729        2852 : set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2])
    1730             : {
    1731        2852 :         unsigned j;
    1732        2852 :         int ret;
    1733        2852 :         const gnutls_cipher_suite_entry_st *selected = NULL;
    1734        2852 :         const version_entry_st *vers = get_version(session);
    1735        2852 :         gnutls_kx_algorithm_t kx;
    1736             : 
    1737       24444 :         for (j = 0; j < session->internals.priorities->cs.size; j++) {
    1738       24368 :                 if (suite[0] == session->internals.priorities->cs.entry[j]->id[0] &&
    1739        9211 :                     suite[1] == session->internals.priorities->cs.entry[j]->id[1]) {
    1740             :                         selected = session->internals.priorities->cs.entry[j];
    1741             :                         break;
    1742             :                 }
    1743             :         }
    1744             : 
    1745        2852 :         if (!selected) {
    1746          76 :                 gnutls_assert();
    1747          76 :                 _gnutls_handshake_log
    1748             :                     ("HSK[%p]: unsupported cipher suite %.2X.%.2X was negotiated\n",
    1749             :                      session, (unsigned int) suite[0],
    1750             :                      (unsigned int) suite[1]);
    1751          76 :                 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
    1752             :         }
    1753             : 
    1754        2776 :         ret = _gnutls_set_cipher_suite2(session, selected);
    1755        2776 :         if (ret < 0)
    1756           0 :                 return gnutls_assert_val(ret);
    1757             : 
    1758        2776 :         _gnutls_handshake_log("HSK[%p]: Selected cipher suite: %s\n",
    1759             :                               session,
    1760             :                               selected->name);
    1761             : 
    1762             :         /* check if the credentials (username, public key etc.) are ok.
    1763             :          * Actually checks if they exist.
    1764             :          */
    1765        2776 :         if (!vers->tls13_sem) {
    1766        2176 :                 kx = selected->kx_algorithm;
    1767             : 
    1768        4352 :                 if (!session->internals.premaster_set &&
    1769        2176 :                     _gnutls_get_kx_cred
    1770             :                     (session, kx) == NULL) {
    1771           2 :                         gnutls_assert();
    1772           2 :                         return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
    1773             :                 }
    1774             : 
    1775             :                 /* set the mod_auth_st to the appropriate struct
    1776             :                  * according to the KX algorithm. This is needed since all the
    1777             :                  * handshake functions are read from there;
    1778             :                  */
    1779        4348 :                 session->internals.auth_struct =
    1780        2174 :                     _gnutls_kx_auth_struct(kx);
    1781             : 
    1782        2174 :                 if (session->internals.auth_struct == NULL) {
    1783           0 :                         _gnutls_handshake_log
    1784             :                             ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
    1785             :                              session);
    1786           0 :                         gnutls_assert();
    1787           0 :                         return GNUTLS_E_INTERNAL_ERROR;
    1788             :                 }
    1789             :         } else {
    1790         600 :                 if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
    1791           0 :                         if (session->key.binders[0].prf->id != selected->prf) {
    1792           0 :                                 _gnutls_handshake_log
    1793             :                                     ("HSK[%p]: PRF of ciphersuite differs with the PSK identity (cs: %s, id: %s)\n",
    1794             :                                      session, selected->name, session->key.binders[0].prf->name);
    1795           0 :                                 gnutls_assert();
    1796           0 :                                 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
    1797             :                         }
    1798             :                 }
    1799             :         }
    1800             : 
    1801             :         return 0;
    1802             : }
    1803             : 
    1804             : /* This function returns 0 if we are resuming a session or -1 otherwise.
    1805             :  * This also sets the variables in the session. Used only while reading a server
    1806             :  * hello. Only applicable to TLS1.2 or earlier.
    1807             :  */
    1808             : static int
    1809        2366 : client_check_if_resuming(gnutls_session_t session,
    1810             :                          uint8_t * session_id, int session_id_len)
    1811             : {
    1812        2366 :         char buf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1];
    1813        2366 :         int ret;
    1814             : 
    1815        2366 :         _gnutls_handshake_log("HSK[%p]: SessionID length: %d\n", session,
    1816             :                               session_id_len);
    1817        2366 :         _gnutls_handshake_log("HSK[%p]: SessionID: %s\n", session,
    1818             :                               _gnutls_bin2hex(session_id, session_id_len,
    1819             :                                               buf, sizeof(buf), NULL));
    1820             : 
    1821        2366 :         if ((session->internals.resumption_requested != 0 ||
    1822        2366 :              session->internals.premaster_set != 0) &&
    1823         172 :             session_id_len > 0 &&
    1824         172 :             session->internals.resumed_security_parameters.
    1825             :             session_id_size == session_id_len
    1826         172 :             && memcmp(session_id,
    1827         172 :                       session->internals.resumed_security_parameters.
    1828             :                       session_id, session_id_len) == 0) {
    1829             :                 /* resume session */
    1830         114 :                 memcpy(session->internals.resumed_security_parameters.
    1831             :                        server_random,
    1832         114 :                        session->security_parameters.server_random,
    1833             :                        GNUTLS_RANDOM_SIZE);
    1834         114 :                 memcpy(session->internals.resumed_security_parameters.
    1835             :                        client_random,
    1836         114 :                        session->security_parameters.client_random,
    1837             :                        GNUTLS_RANDOM_SIZE);
    1838             : 
    1839         228 :                 ret = _gnutls_set_cipher_suite2
    1840             :                     (session,
    1841         114 :                      session->internals.resumed_security_parameters.
    1842             :                      cs);
    1843         114 :                 if (ret < 0) {
    1844           0 :                         gnutls_assert();
    1845           0 :                         goto no_resume;
    1846             :                 }
    1847             : 
    1848         114 :                 session->internals.resumed = RESUME_TRUE;    /* we are resuming */
    1849             : 
    1850         114 :                 return 0;
    1851             :         } else {
    1852        2252 : no_resume:
    1853             :                 /* keep the new session id */
    1854        2252 :                 session->internals.resumed = RESUME_FALSE;   /* we are not resuming */
    1855        2252 :                 return -1;
    1856             :         }
    1857             : }
    1858             : 
    1859             : 
    1860             : /* This function reads and parses the server hello handshake message.
    1861             :  * This function also restores resumed parameters if we are resuming a
    1862             :  * session.
    1863             :  */
    1864             : static int
    1865        3093 : read_server_hello(gnutls_session_t session,
    1866             :                   uint8_t * data, int datalen)
    1867             : {
    1868        3093 :         uint8_t session_id_len = 0;
    1869        3093 :         uint8_t *session_id;
    1870        3093 :         uint8_t *cs_pos, *comp_pos, *srandom_pos;
    1871        3093 :         uint8_t major, minor;
    1872        3093 :         int pos = 0;
    1873        3093 :         int ret;
    1874        3093 :         int len = datalen;
    1875        3093 :         unsigned ext_parse_flag = 0;
    1876        3093 :         const version_entry_st *vers, *saved_vers;
    1877             : 
    1878        3093 :         if (datalen < GNUTLS_RANDOM_SIZE+2) {
    1879           3 :                 gnutls_assert();
    1880           3 :                 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
    1881             :         }
    1882             : 
    1883        3090 :         _gnutls_handshake_log("HSK[%p]: Server's version: %d.%d\n",
    1884             :                               session, data[pos], data[pos + 1]);
    1885             : 
    1886        3090 :         DECR_LEN(len, 2);
    1887        3090 :         major = data[pos];
    1888        3090 :         minor = data[pos+1];
    1889             : 
    1890        3090 :         saved_vers = get_version(session); /* will be non-null if HRR has been received */
    1891             : 
    1892        3090 :         vers = nversion_to_entry(major, minor);
    1893        3090 :         if (unlikely(vers == NULL))
    1894          25 :                 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
    1895             : 
    1896        3065 :         if (vers->tls13_sem) /* that shouldn't have been negotiated here */
    1897           1 :                 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
    1898             : 
    1899        3064 :         if (_gnutls_set_current_version(session, vers->id) < 0)
    1900           0 :                 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
    1901             : 
    1902        3064 :         pos += 2;
    1903             : 
    1904        3064 :         DECR_LEN(len, GNUTLS_RANDOM_SIZE);
    1905        3064 :         srandom_pos = &data[pos];
    1906        3064 :         pos += GNUTLS_RANDOM_SIZE;
    1907             : 
    1908             :         /* Read session ID
    1909             :          */
    1910        3064 :         DECR_LEN(len, 1);
    1911        3061 :         session_id_len = data[pos++];
    1912             : 
    1913        3061 :         if (len < session_id_len || session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {
    1914           5 :                 gnutls_assert();
    1915           5 :                 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
    1916             :         }
    1917        3056 :         DECR_LEN(len, session_id_len);
    1918        3056 :         session_id = &data[pos];
    1919        3056 :         pos += session_id_len;
    1920             : 
    1921        3056 :         DECR_LEN(len, 2);
    1922        3053 :         cs_pos = &data[pos];
    1923        3053 :         pos += 2;
    1924             : 
    1925             :         /* move to compression
    1926             :          */
    1927        3053 :         DECR_LEN(len, 1);
    1928        3049 :         comp_pos = &data[pos];
    1929        3049 :         pos++;
    1930             : 
    1931             :         /* parse extensions to figure version */
    1932        3049 :         ret =
    1933        6098 :             _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO|
    1934             :                                            GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO,
    1935             :                                            GNUTLS_EXT_VERSION_NEG,
    1936        3049 :                                            &data[pos], len);
    1937        3049 :         if (ret < 0)
    1938          77 :                 return gnutls_assert_val(ret);
    1939             : 
    1940        2972 :         vers = get_version(session);
    1941        2972 :         if (unlikely(vers == NULL))
    1942           0 :                 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
    1943        2972 :         if (vers->tls13_sem) {
    1944         600 :                 if (major != 0x03 || minor != 0x03)
    1945           0 :                         return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
    1946             :         }
    1947             : 
    1948        2972 :         if (_gnutls_nversion_is_supported(session, vers->major, vers->minor) == 0)
    1949           3 :                 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
    1950             : 
    1951             :         /* set server random - done after final version is selected */
    1952        2969 :         ret = _gnutls_set_server_random(session, vers, srandom_pos);
    1953        2969 :         if (ret < 0)
    1954           3 :                 return gnutls_assert_val(ret);
    1955             : 
    1956             :         /* reset keys and binders if we are not using TLS 1.3 */
    1957        2966 :         if (!vers->tls13_sem) {
    1958        2366 :                 gnutls_memset(&session->key.proto.tls13, 0,
    1959             :                               sizeof(session->key.proto.tls13));
    1960        2366 :                 reset_binders(session);
    1961             :         }
    1962             : 
    1963             :         /* check if we are resuming and set the appropriate
    1964             :          * values;
    1965             :          */
    1966        5332 :         if (!vers->tls13_sem &&
    1967        2366 :             client_check_if_resuming(session, session_id, session_id_len) == 0) {
    1968         114 :                 ret =
    1969         114 :                     _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
    1970             :                                                    GNUTLS_EXT_MANDATORY,
    1971             :                                                    &data[pos], len);
    1972         114 :                 if (ret < 0)
    1973           0 :                         return gnutls_assert_val(ret);
    1974             : 
    1975             :                 return 0;
    1976             :         } else {
    1977        2852 :                 session->security_parameters.session_id_size = session_id_len;
    1978        2852 :                 if (session_id_len > 0)
    1979        1670 :                         memcpy(session->security_parameters.session_id, session_id,
    1980             :                                session_id_len);
    1981             :         }
    1982             : 
    1983             :         /* Check if the given cipher suite is supported and copy
    1984             :          * it to the session.
    1985             :          */
    1986        2852 :         ret = set_client_ciphersuite(session, cs_pos);
    1987        2852 :         if (ret < 0) {
    1988          78 :                 gnutls_assert();
    1989          78 :                 return ret;
    1990             :         }
    1991             : 
    1992        2774 :         if (session->internals.hsk_flags & HSK_HRR_RECEIVED) {
    1993             :                 /* check if ciphersuite matches */
    1994          24 :                 if (memcmp(cs_pos, session->internals.hrr_cs, 2) != 0)
    1995           0 :                         return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
    1996             : 
    1997             :                 /* check if HRR version matches this version */
    1998          24 :                 if (vers != saved_vers)
    1999           0 :                         return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
    2000             :         }
    2001             : 
    2002        2774 :         if (*comp_pos != 0)
    2003          85 :                 return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
    2004             : 
    2005        2689 :         if (vers->tls13_sem)
    2006             :                 ext_parse_flag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO;
    2007             :         else
    2008        2089 :                 ext_parse_flag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO;
    2009             : 
    2010             :         /* Parse extensions in order.
    2011             :          */
    2012        2689 :         ret =
    2013        2689 :             _gnutls_parse_hello_extensions(session,
    2014             :                                            ext_parse_flag,
    2015             :                                            GNUTLS_EXT_MANDATORY,
    2016             :                                            &data[pos], len);
    2017        2689 :         if (ret < 0)
    2018           8 :                 return gnutls_assert_val(ret);
    2019             : 
    2020             :         /* check if EtM is required */
    2021        2681 :         if (!vers->tls13_sem && session->internals.priorities->force_etm && !session->security_parameters.etm) {
    2022           2 :                 const cipher_entry_st *cipher = cipher_to_entry(session->security_parameters.cs->block_algorithm);
    2023           2 :                 if (_gnutls_cipher_type(cipher) == CIPHER_BLOCK)
    2024           1 :                         return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
    2025             :         }
    2026             : 
    2027             : 
    2028        2680 :         ret =
    2029        2680 :             _gnutls_parse_hello_extensions(session,
    2030             :                                            ext_parse_flag,
    2031             :                                            GNUTLS_EXT_APPLICATION,
    2032             :                                            &data[pos], len);
    2033        2680 :         if (ret < 0)
    2034           2 :                 return gnutls_assert_val(ret);
    2035             : 
    2036        2678 :         ret =
    2037        2678 :             _gnutls_parse_hello_extensions(session,
    2038             :                                            ext_parse_flag,
    2039             :                                            GNUTLS_EXT_TLS,
    2040             :                                            &data[pos], len);
    2041        2678 :         if (ret < 0)
    2042          18 :                 return gnutls_assert_val(ret);
    2043             : 
    2044        2660 :         ret =
    2045        2660 :             _gnutls_parse_hello_extensions(session,
    2046             :                                            ext_parse_flag,
    2047             :                                            _GNUTLS_EXT_TLS_POST_CS,
    2048             :                                            &data[pos], len);
    2049        2660 :         if (ret < 0)
    2050           5 :                 return gnutls_assert_val(ret);
    2051             : 
    2052             :         /* Calculate TLS 1.3 Early Secret */
    2053        2655 :         if (vers->tls13_sem &&
    2054         598 :             !(session->internals.hsk_flags & HSK_PSK_SELECTED)) {
    2055         478 :                 ret = _tls13_init_secret(session, NULL, 0);
    2056         478 :                 if (ret < 0)
    2057           0 :                         return gnutls_assert_val(ret);
    2058             :         }
    2059             : 
    2060        2655 :         ret = set_auth_types(session);
    2061        2655 :         if (ret < 0)
    2062           0 :                 return gnutls_assert_val(ret);
    2063             : 
    2064        2655 :         session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
    2065             : 
    2066        2655 :         return 0;
    2067             : }
    2068             : 
    2069             : /* This function copies the appropriate compression methods, to a locally allocated buffer
    2070             :  * Needed in hello messages. Returns the new data length.
    2071             :  */
    2072             : static int
    2073        3747 : append_null_comp(gnutls_session_t session,
    2074             :                           gnutls_buffer_st * cdata)
    2075             : {
    2076        3747 :         uint8_t compression_methods[2] = {0x01, 0x00};
    2077        3747 :         size_t init_length = cdata->length;
    2078        3747 :         int ret;
    2079             : 
    2080        3747 :         ret =
    2081        3747 :             _gnutls_buffer_append_data(cdata, compression_methods, 2);
    2082        3747 :         if (ret < 0)
    2083           0 :                 return gnutls_assert_val(ret);
    2084             : 
    2085        3747 :         ret = cdata->length - init_length;
    2086             : 
    2087        3747 :         return ret;
    2088             : }
    2089             : 
    2090             : /* This function sends the client hello handshake message.
    2091             :  */
    2092    12413400 : static int send_client_hello(gnutls_session_t session, int again)
    2093             : {
    2094    12413400 :         mbuffer_st *bufel = NULL;
    2095    12413400 :         int type;
    2096    12413400 :         int ret = 0;
    2097    12413400 :         const version_entry_st *hver, *min_ver, *max_ver;
    2098    12413400 :         uint8_t tver[2];
    2099    12413400 :         gnutls_buffer_st extdata;
    2100    12413400 :         int rehandshake = 0;
    2101    12413400 :         unsigned add_sr_scsv = 0;
    2102    12413400 :         uint8_t session_id_len =
    2103             :             session->internals.resumed_security_parameters.session_id_size;
    2104             : 
    2105             : 
    2106    12413400 :         if (again == 0) {
    2107             :                 /* note that rehandshake is different than resuming
    2108             :                  */
    2109        3749 :                 if (session->internals.initial_negotiation_completed)
    2110          89 :                         rehandshake = 1;
    2111             : 
    2112        7178 :                 ret = _gnutls_buffer_init_handshake_mbuffer(&extdata);
    2113        3749 :                 if (ret < 0)
    2114           0 :                         return gnutls_assert_val(ret);
    2115             : 
    2116             :                 /* if we are resuming a session then we set the
    2117             :                  * version number to the previously established.
    2118             :                  */
    2119        3749 :                 if (session->internals.resumption_requested == 0 &&
    2120        3524 :                     session->internals.premaster_set == 0) {
    2121        3517 :                         if (rehandshake)        /* already negotiated version thus version_max == negotiated version */
    2122          89 :                                 hver = get_version(session);
    2123             :                         else    /* new handshake. just get the max */
    2124        3428 :                                 hver = _gnutls_legacy_version_max(session);
    2125             :                 } else {
    2126             :                         /* we are resuming a session */
    2127         232 :                         hver =
    2128             :                             session->internals.resumed_security_parameters.
    2129             :                             pversion;
    2130             : 
    2131         232 :                         if (hver && hver->tls13_sem)
    2132          60 :                                 hver = _gnutls_legacy_version_max(session);
    2133             :                 }
    2134             : 
    2135        3749 :                 if (hver == NULL) {
    2136           2 :                         gnutls_assert();
    2137           2 :                         if (session->internals.flags & INT_FLAG_NO_TLS13)
    2138             :                                 ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS;
    2139             :                         else
    2140           0 :                                 ret = GNUTLS_E_NO_PRIORITIES_WERE_SET;
    2141           2 :                         goto cleanup;
    2142             :                 }
    2143             : 
    2144        3747 :                 if (unlikely(session->internals.default_hello_version[0] != 0)) {
    2145          15 :                         tver[0] = session->internals.default_hello_version[0];
    2146          15 :                         tver[1] = session->internals.default_hello_version[1];
    2147             :                 } else {
    2148        3732 :                         tver[0] = hver->major;
    2149        3732 :                         tver[1] = hver->minor;
    2150             :                 }
    2151        3747 :                 ret = _gnutls_buffer_append_data(&extdata, tver, 2);
    2152        3747 :                 if (ret < 0) {
    2153           0 :                         gnutls_assert();
    2154           0 :                         goto cleanup;
    2155             :                 }
    2156        3747 :                 _gnutls_handshake_log("HSK[%p]: Adv. version: %u.%u\n", session,
    2157             :                                       (unsigned)tver[0], (unsigned)tver[1]);
    2158             : 
    2159        3747 :                 min_ver = _gnutls_version_lowest(session);
    2160        3747 :                 max_ver = _gnutls_version_max(session);
    2161        3747 :                 if (min_ver == NULL || max_ver == NULL) {
    2162           0 :                         gnutls_assert();
    2163           0 :                         ret = GNUTLS_E_NO_PRIORITIES_WERE_SET;
    2164           0 :                         goto cleanup;
    2165             :                 }
    2166             : 
    2167             :                 /* if we are replying to an HRR the version is already negotiated */
    2168        3747 :                 if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) || !get_version(session)) {
    2169             :                         /* Set the version we advertized as maximum
    2170             :                          * (RSA uses it). */
    2171        3723 :                         set_adv_version(session, hver->major, hver->minor);
    2172        3723 :                         if (_gnutls_set_current_version(session, hver->id) < 0) {
    2173           0 :                                 ret = gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
    2174           0 :                                 goto cleanup;
    2175             :                         }
    2176             :                 }
    2177             : 
    2178        3747 :                 if (session->internals.priorities->min_record_version != 0) {
    2179             :                         /* Advertise the lowest supported (SSL 3.0) record packet
    2180             :                          * version in record packets during the handshake.
    2181             :                          * That is to avoid confusing implementations
    2182             :                          * that do not support TLS 1.2 and don't know
    2183             :                          * how 3,3 version of record packets look like.
    2184             :                          */
    2185        3746 :                         set_default_version(session, min_ver);
    2186             :                 } else {
    2187           1 :                         set_default_version(session, hver);
    2188             :                 }
    2189             : 
    2190             :                 /* In order to know when this session was initiated.
    2191             :                  */
    2192        3747 :                 session->security_parameters.timestamp = gnutls_time(NULL);
    2193             : 
    2194             :                 /* Generate random data
    2195             :                  */
    2196        3747 :                 if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
    2197        3723 :                     !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
    2198        3696 :                         ret = _gnutls_gen_client_random(session);
    2199        3696 :                         if (ret < 0) {
    2200           0 :                                 gnutls_assert();
    2201           0 :                                 goto cleanup;
    2202             :                         }
    2203             : 
    2204             :                 }
    2205             : 
    2206        7494 :                 ret = _gnutls_buffer_append_data(&extdata,
    2207        3747 :                                                  session->security_parameters.client_random,
    2208             :                                                  GNUTLS_RANDOM_SIZE);
    2209        3747 :                 if (ret < 0) {
    2210           0 :                         gnutls_assert();
    2211           0 :                         goto cleanup;
    2212             :                 }
    2213             : 
    2214             : #ifdef TLS13_APPENDIX_D4
    2215        3747 :                 if (max_ver->tls13_sem &&
    2216        1863 :                     session->security_parameters.session_id_size == 0) {
    2217             : 
    2218             :                         /* Under TLS1.3 we generate a random session ID to make
    2219             :                          * the TLS1.3 session look like a resumed TLS1.2 session */
    2220        1811 :                         ret = _gnutls_generate_session_id(session->security_parameters.
    2221             :                                                           session_id,
    2222             :                                                           &session->security_parameters.
    2223             :                                                           session_id_size);
    2224        1811 :                         if (ret < 0) {
    2225           0 :                                 gnutls_assert();
    2226           0 :                                 goto cleanup;
    2227             :                         }
    2228             :                 }
    2229             : #endif
    2230             : 
    2231             :                 /* Copy the Session ID - if any
    2232             :                  */
    2233        7494 :                 ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
    2234        3747 :                                                         session->internals.resumed_security_parameters.session_id,
    2235             :                                                         session_id_len);
    2236        3747 :                 if (ret < 0) {
    2237           0 :                         gnutls_assert();
    2238           0 :                         goto cleanup;
    2239             :                 }
    2240             : 
    2241             :                 /* Copy the DTLS cookie
    2242             :                  */
    2243        3747 :                 if (IS_DTLS(session)) {
    2244         640 :                         ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
    2245         320 :                                                                 session->internals.dtls.dcookie.data,
    2246         320 :                                                                 session->internals.dtls.dcookie.size);
    2247         320 :                         if (ret < 0) {
    2248           0 :                                 gnutls_assert();
    2249           0 :                                 goto cleanup;
    2250             :                         }
    2251         320 :                         _gnutls_free_datum(&session->internals.dtls.dcookie);
    2252             :                 }
    2253             : 
    2254             :                 /* Copy the ciphersuites.
    2255             :                  */
    2256             : #ifdef ENABLE_SSL3
    2257             :                 /* If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
    2258             :                  * prevention on initial negotiation (but not renegotiation; that's
    2259             :                  * handled with the RI extension below).
    2260             :                  */
    2261             :                 if (!session->internals.initial_negotiation_completed &&
    2262             :                     session->security_parameters.entity == GNUTLS_CLIENT &&
    2263             :                     (hver->id == GNUTLS_SSL3 &&
    2264             :                      session->internals.priorities->no_extensions != 0)) {
    2265             :                         add_sr_scsv = 1;
    2266             :                 }
    2267             : #endif
    2268        3747 :                 ret = _gnutls_get_client_ciphersuites(session, &extdata, min_ver, add_sr_scsv);
    2269        3747 :                 if (ret < 0) {
    2270           0 :                         gnutls_assert();
    2271           0 :                         goto cleanup;
    2272             :                 }
    2273             : 
    2274             :                 /* Copy the compression methods.
    2275             :                  */
    2276        3747 :                 ret = append_null_comp(session, &extdata);
    2277        3747 :                 if (ret < 0) {
    2278           0 :                         gnutls_assert();
    2279           0 :                         goto cleanup;
    2280             :                 }
    2281             : 
    2282             :                 /* Generate and copy TLS extensions.
    2283             :                  */
    2284        3747 :                 if (session->internals.priorities->no_extensions == 0) {
    2285        3742 :                         if (_gnutls_version_has_extensions(hver)) {
    2286             :                                 type = GNUTLS_EXT_ANY;
    2287             :                         } else {
    2288           0 :                                 type = GNUTLS_EXT_MANDATORY;
    2289             :                         }
    2290             : 
    2291        3742 :                         ret =
    2292        3742 :                             _gnutls_gen_hello_extensions(session, &extdata,
    2293             :                                                          GNUTLS_EXT_FLAG_CLIENT_HELLO,
    2294             :                                                          type);
    2295        3742 :                         if (ret < 0) {
    2296           0 :                                 gnutls_assert();
    2297           0 :                                 goto cleanup;
    2298             :                         }
    2299             :                 }
    2300             : 
    2301        3747 :                 bufel = _gnutls_buffer_to_mbuffer(&extdata);
    2302             :         }
    2303             : 
    2304    12413300 :         ret = _gnutls_send_handshake(session, bufel,
    2305             :                                      GNUTLS_HANDSHAKE_CLIENT_HELLO);
    2306             : 
    2307    12413300 :         return ret;
    2308             : 
    2309           2 :  cleanup:
    2310           2 :         _gnutls_buffer_clear(&extdata);
    2311           2 :         return ret;
    2312             : }
    2313             : 
    2314       15916 : int _gnutls_send_server_hello(gnutls_session_t session, int again)
    2315             : {
    2316       15916 :         mbuffer_st *bufel = NULL;
    2317       15916 :         gnutls_buffer_st buf;
    2318       15916 :         int ret;
    2319       15916 :         uint8_t session_id_len =
    2320             :             session->security_parameters.session_id_size;
    2321       15916 :         char tmpbuf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1];
    2322       15916 :         const version_entry_st *vers;
    2323       15916 :         uint8_t vbytes[2];
    2324       15916 :         unsigned extflag = 0;
    2325       15916 :         gnutls_ext_parse_type_t etype;
    2326             : 
    2327       15916 :         _gnutls_buffer_init(&buf);
    2328             : 
    2329       15916 :         if (again == 0) {
    2330       15905 :                 vers = get_version(session);
    2331       15905 :                 if (unlikely(vers == NULL || session->security_parameters.cs == NULL))
    2332           0 :                         return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
    2333             : 
    2334       15905 :                 if (vers->tls13_sem) {
    2335        5104 :                         vbytes[0] = 0x03; /* TLS1.2 */
    2336        5104 :                         vbytes[1] = 0x03;
    2337        5104 :                         extflag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO;
    2338             :                 } else {
    2339       10801 :                         vbytes[0] = vers->major;
    2340       10801 :                         vbytes[1] = vers->minor;
    2341       10801 :                         extflag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO;
    2342             :                 }
    2343             : 
    2344       31507 :                 ret = _gnutls_buffer_init_handshake_mbuffer(&buf);
    2345       15905 :                 if (ret < 0) {
    2346           0 :                         gnutls_assert();
    2347           0 :                         goto fail;
    2348             :                 }
    2349             : 
    2350       15905 :                 ret = _gnutls_buffer_append_data(&buf, vbytes, 2);
    2351       15905 :                 if (ret < 0) {
    2352           0 :                         gnutls_assert();
    2353           0 :                         goto fail;
    2354             :                 }
    2355             : 
    2356       31810 :                 ret = _gnutls_buffer_append_data(&buf,
    2357       15905 :                                                  session->security_parameters.server_random,
    2358             :                                                  GNUTLS_RANDOM_SIZE);
    2359       15905 :                 if (ret < 0) {
    2360           0 :                         gnutls_assert();
    2361           0 :                         goto fail;
    2362             :                 }
    2363             : 
    2364       31810 :                 ret = _gnutls_buffer_append_data_prefix(&buf, 8,
    2365       15905 :                                                         session->security_parameters.session_id,
    2366             :                                                         session_id_len);
    2367       15905 :                 if (ret < 0) {
    2368           0 :                         gnutls_assert();
    2369           0 :                         goto fail;
    2370             :                 }
    2371             : 
    2372       15905 :                 _gnutls_handshake_log("HSK[%p]: SessionID: %s\n", session,
    2373             :                                       _gnutls_bin2hex(session->
    2374             :                                                       security_parameters.session_id,
    2375             :                                                       session_id_len, tmpbuf,
    2376             :                                                       sizeof(tmpbuf), NULL));
    2377             : 
    2378       31810 :                 ret = _gnutls_buffer_append_data(&buf,
    2379       15905 :                                                  session->security_parameters.cs->id,
    2380             :                                                  2);
    2381       15905 :                 if (ret < 0) {
    2382           0 :                         gnutls_assert();
    2383           0 :                         goto fail;
    2384             :                 }
    2385             : 
    2386             :                 /* compression */
    2387       15905 :                 ret = _gnutls_buffer_append_prefix(&buf, 8, 0);
    2388       15905 :                 if (ret < 0) {
    2389           0 :                         gnutls_assert();
    2390           0 :                         goto fail;
    2391             :                 }
    2392             : 
    2393       15905 :                 if (!vers->tls13_sem && session->internals.resumed != RESUME_FALSE)
    2394             :                         etype = GNUTLS_EXT_MANDATORY;
    2395             :                 else
    2396       15123 :                         etype = GNUTLS_EXT_ANY;
    2397       15905 :                 ret =
    2398       15905 :                     _gnutls_gen_hello_extensions(session, &buf, extflag, etype);
    2399       15905 :                 if (ret < 0) {
    2400           0 :                         gnutls_assert();
    2401           0 :                         goto fail;
    2402             :                 }
    2403             : 
    2404       15905 :                 if (vers->tls13_sem) {
    2405             :                         /* Under TLS1.3, the session ID is used for different purposes than
    2406             :                          * the TLS1.0 session ID. Ensure that there is an internally set
    2407             :                          * value which the server will see on the original and resumed sessions */
    2408        5104 :                         ret = _gnutls_generate_session_id(session->security_parameters.
    2409             :                                                           session_id,
    2410             :                                                           &session->security_parameters.
    2411             :                                                           session_id_size);
    2412        5104 :                         if (ret < 0) {
    2413           0 :                                 gnutls_assert();
    2414           0 :                                 goto fail;
    2415             :                         }
    2416             :                 }
    2417             : 
    2418       15905 :                 bufel = _gnutls_buffer_to_mbuffer(&buf);
    2419             :         }
    2420             : 
    2421       15916 :         ret =
    2422       15916 :             _gnutls_send_handshake(session, bufel,
    2423             :                                    GNUTLS_HANDSHAKE_SERVER_HELLO);
    2424             : 
    2425       15916 : fail:
    2426       15916 :         _gnutls_buffer_clear(&buf);
    2427       15916 :         return ret;
    2428             : }
    2429             : 
    2430             : static int
    2431          27 : recv_hello_verify_request(gnutls_session_t session,
    2432             :                                   uint8_t * data, int datalen)
    2433             : {
    2434          27 :         ssize_t len = datalen;
    2435          27 :         size_t pos = 0;
    2436          27 :         uint8_t cookie_len;
    2437          27 :         unsigned int nb_verifs;
    2438          27 :         int ret;
    2439             : 
    2440          27 :         if (!IS_DTLS(session)) {
    2441           0 :                 gnutls_assert();
    2442           0 :                 return GNUTLS_E_UNEXPECTED_PACKET;
    2443             :         }
    2444             : 
    2445          27 :         nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests;
    2446          27 :         if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS) {
    2447             :                 /* The server is either buggy, malicious or changing cookie
    2448             :                    secrets _way_ too fast. */
    2449           0 :                 gnutls_assert();
    2450           0 :                 return GNUTLS_E_UNEXPECTED_PACKET;
    2451             :         }
    2452             : 
    2453          27 :         DECR_LEN(len, 2);
    2454          27 :         pos += 2;
    2455             : 
    2456          27 :         DECR_LEN(len, 1);
    2457          27 :         cookie_len = data[pos];
    2458          27 :         pos++;
    2459             : 
    2460          27 :         if (cookie_len > DTLS_MAX_COOKIE_SIZE) {
    2461           0 :                 gnutls_assert();
    2462           0 :                 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
    2463             :         }
    2464             : 
    2465          27 :         DECR_LEN(len, cookie_len);
    2466             : 
    2467          27 :         gnutls_free(session->internals.dtls.dcookie.data);
    2468          27 :         ret = _gnutls_set_datum(&session->internals.dtls.dcookie, &data[pos], cookie_len);
    2469          27 :         if (ret < 0)
    2470           0 :                 return gnutls_assert_val(ret);
    2471             : 
    2472          27 :         if (len != 0) {
    2473           0 :                 gnutls_assert();
    2474           0 :                 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
    2475             :         }
    2476             : 
    2477             :         /* reset handshake hash buffers */
    2478          27 :         handshake_hash_buffer_reset(session);
    2479             :         /* reset extensions used in previous hello */
    2480          27 :         session->internals.used_exts = 0;
    2481             : 
    2482          27 :         return 0;
    2483             : }
    2484             : 
    2485             : /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
    2486             :  *
    2487             :  *     Client                                          Server
    2488             :  *
    2489             :  *     ClientHello                -------->
    2490             :  *                                <--------   ServerHello
    2491             :  *
    2492             :  *                                                  Certificate*
    2493             :  *                                            ServerKeyExchange*
    2494             :  *                                <--------   CertificateRequest*
    2495             :  *
    2496             :  *                                <--------      ServerHelloDone
    2497             :  *     Certificate*
    2498             :  *     ClientKeyExchange
    2499             :  *     CertificateVerify*
    2500             :  *     [ChangeCipherSpec]
    2501             :  *     Finished              -------->
    2502             :  *                                              NewSessionTicket
    2503             :  *                                            [ChangeCipherSpec]
    2504             :  *                                <--------       Finished
    2505             :  *
    2506             :  * (*): means optional packet.
    2507             :  */
    2508             : 
    2509             : /* Handshake when resumming session:
    2510             :  *      Client                                          Server
    2511             :  *
    2512             :  *      ClientHello                -------->
    2513             :  *                                                    ServerHello
    2514             :  *                                             [ChangeCipherSpec]
    2515             :  *                                 <--------      Finished
    2516             :  *     [ChangeCipherSpec]
    2517             :  *     Finished               -------->
    2518             :  *
    2519             :  */
    2520             : 
    2521             : /**
    2522             :  * gnutls_rehandshake:
    2523             :  * @session: is a #gnutls_session_t type.
    2524             :  *
    2525             :  * This function can only be called in server side, and
    2526             :  * instructs a TLS 1.2 or earlier client to renegotiate
    2527             :  * parameters (perform a handshake), by sending a
    2528             :  * hello request message.
    2529             :  *
    2530             :  * If this function succeeds, the calling application
    2531             :  * should call gnutls_record_recv() until %GNUTLS_E_REHANDSHAKE
    2532             :  * is returned to clear any pending data. If the %GNUTLS_E_REHANDSHAKE
    2533             :  * error code is not seen, then the handshake request was
    2534             :  * not followed by the peer (the TLS protocol does not require
    2535             :  * the client to do, and such compliance should be handled
    2536             :  * by the application protocol).
    2537             :  *
    2538             :  * Once the %GNUTLS_E_REHANDSHAKE error code is seen, the
    2539             :  * calling application should proceed to calling
    2540             :  * gnutls_handshake() to negotiate the new
    2541             :  * parameters.
    2542             :  *
    2543             :  * If the client does not wish to renegotiate parameters he
    2544             :  * may reply with an alert message, and in that case the return code seen
    2545             :  * by subsequent gnutls_record_recv() will be
    2546             :  * %GNUTLS_E_WARNING_ALERT_RECEIVED with the specific alert being
    2547             :  * %GNUTLS_A_NO_RENEGOTIATION.  A client may also choose to ignore
    2548             :  * this request.
    2549             :  *
    2550             :  * Under TLS 1.3 this function is equivalent to gnutls_session_key_update()
    2551             :  * with the %GNUTLS_KU_PEER flag. In that case subsequent calls to
    2552             :  * gnutls_record_recv() will not return %GNUTLS_E_REHANDSHAKE, and
    2553             :  * calls to gnutls_handshake() in server side are a no-op.
    2554             :  *
    2555             :  * This function always fails with %GNUTLS_E_INVALID_REQUEST when
    2556             :  * called in client side.
    2557             :  *
    2558             :  * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
    2559             :  **/
    2560          59 : int gnutls_rehandshake(gnutls_session_t session)
    2561             : {
    2562          59 :         int ret;
    2563          59 :         const version_entry_st *vers = get_version(session);
    2564             : 
    2565             :         /* only server sends that handshake packet */
    2566          59 :         if (session->security_parameters.entity == GNUTLS_CLIENT)
    2567             :                 return GNUTLS_E_INVALID_REQUEST;
    2568             : 
    2569          59 :         if (vers->tls13_sem) {
    2570           5 :                 return gnutls_session_key_update(session, GNUTLS_KU_PEER);
    2571             :         }
    2572             : 
    2573          54 :         _dtls_async_timer_delete(session);
    2574             : 
    2575          54 :         ret =
    2576         108 :             _gnutls_send_empty_handshake(session,
    2577             :                                          GNUTLS_HANDSHAKE_HELLO_REQUEST,
    2578          54 :                                          AGAIN(STATE50));
    2579          54 :         STATE = STATE50;
    2580             : 
    2581          54 :         if (ret < 0) {
    2582           0 :                 gnutls_assert();
    2583           0 :                 return ret;
    2584             :         }
    2585          54 :         STATE = STATE0;
    2586             : 
    2587          54 :         return 0;
    2588             : }
    2589             : 
    2590             : /* This function checks whether the error code should be treated fatal
    2591             :  * or not, and also does the necessary state transition.  In
    2592             :  * particular, in the case of a rehandshake abort it resets the
    2593             :  * handshake's internal state.
    2594             :  */
    2595             : inline static int
    2596    39691700 : _gnutls_abort_handshake(gnutls_session_t session, int ret)
    2597             : {
    2598    39691700 :         switch (ret) {
    2599        1504 :         case GNUTLS_E_WARNING_ALERT_RECEIVED:
    2600        1504 :                 if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
    2601             :                         /* The server always toleretes a "no_renegotiation" alert. */
    2602          59 :                         if (session->security_parameters.entity == GNUTLS_SERVER) {
    2603          16 :                                 STATE = STATE0;
    2604          16 :                                 return ret;
    2605             :                         }
    2606             : 
    2607             :                         /* The client should tolerete a "no_renegotiation" alert only if:
    2608             :                          * - the initial handshake has completed, or
    2609             :                          * - a Server Hello is not yet received
    2610             :                          */
    2611          43 :                         if (session->internals.initial_negotiation_completed ||
    2612          43 :                             !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
    2613          35 :                                 STATE = STATE0;
    2614          35 :                                 return ret;
    2615             :                         }
    2616             : 
    2617           8 :                         return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
    2618             :                 }
    2619             :                 return ret;
    2620           5 :         case GNUTLS_E_GOT_APPLICATION_DATA:
    2621           5 :                 STATE = STATE0;
    2622           5 :                 return ret;
    2623             :         default:
    2624             :                 return ret;
    2625             :         }
    2626             : }
    2627             : 
    2628             : 
    2629          30 : static int _gnutls_send_supplemental(gnutls_session_t session, int again)
    2630             : {
    2631          30 :         mbuffer_st *bufel = NULL;
    2632          30 :         int ret = 0;
    2633             : 
    2634          30 :         _gnutls_debug_log("EXT[%p]: Sending supplemental data\n", session);
    2635             : 
    2636          30 :         if (!again) {
    2637          30 :                 gnutls_buffer_st buf;
    2638          60 :                 ret = _gnutls_buffer_init_handshake_mbuffer(&buf);
    2639          30 :                 if (ret < 0)
    2640           0 :                         return gnutls_assert_val(ret);
    2641             : 
    2642          30 :                 ret = _gnutls_gen_supplemental(session, &buf);
    2643          30 :                 if (ret < 0) {
    2644           0 :                         gnutls_assert();
    2645           0 :                         _gnutls_buffer_clear(&buf);
    2646           0 :                         return ret;
    2647             :                 }
    2648             : 
    2649          30 :                 bufel = _gnutls_buffer_to_mbuffer(&buf);
    2650             :         }
    2651             : 
    2652          30 :         return _gnutls_send_handshake(session, bufel,
    2653             :                                       GNUTLS_HANDSHAKE_SUPPLEMENTAL);
    2654             : }
    2655             : 
    2656          30 : static int _gnutls_recv_supplemental(gnutls_session_t session)
    2657             : {
    2658          30 :         gnutls_buffer_st buf;
    2659          30 :         int ret;
    2660             : 
    2661          30 :         _gnutls_debug_log("EXT[%p]: Expecting supplemental data\n",
    2662             :                           session);
    2663             : 
    2664          30 :         ret =
    2665          30 :             _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_SUPPLEMENTAL,
    2666             :                                    1, &buf);
    2667          30 :         if (ret < 0) {
    2668           0 :                 gnutls_assert();
    2669           0 :                 return ret;
    2670             :         }
    2671             : 
    2672          30 :         ret = _gnutls_parse_supplemental(session, buf.data, buf.length);
    2673          30 :         if (ret < 0) {
    2674           0 :                 gnutls_assert();
    2675           0 :                 goto cleanup;
    2676             :         }
    2677             : 
    2678          30 :       cleanup:
    2679          30 :         _gnutls_buffer_clear(&buf);
    2680             : 
    2681          30 :         return ret;
    2682             : }
    2683             : 
    2684             : /**
    2685             :  * gnutls_handshake:
    2686             :  * @session: is a #gnutls_session_t type.
    2687             :  *
    2688             :  * This function performs the handshake of the TLS/SSL protocol, and
    2689             :  * initializes the TLS session parameters.
    2690             :  *
    2691             :  * The non-fatal errors expected by this function are:
    2692             :  * %GNUTLS_E_INTERRUPTED, %GNUTLS_E_AGAIN,
    2693             :  * %GNUTLS_E_WARNING_ALERT_RECEIVED. When this function is called
    2694             :  * for re-handshake under TLS 1.2 or earlier, the non-fatal error code
    2695             :  * %GNUTLS_E_GOT_APPLICATION_DATA may also be returned.
    2696             :  *
    2697             :  * The former two interrupt the handshake procedure due to the transport
    2698             :  * layer being interrupted, and the latter because of a "warning" alert that
    2699             :  * was sent by the peer (it is always a good idea to check any
    2700             :  * received alerts). On these non-fatal errors call this function again,
    2701             :  * until it returns 0; cf.  gnutls_record_get_direction() and
    2702             :  * gnutls_error_is_fatal(). In DTLS sessions the non-fatal error
    2703             :  * %GNUTLS_E_LARGE_PACKET is also possible, and indicates that
    2704             :  * the MTU should be adjusted.
    2705             :  *
    2706             :  * When this function is called by a server after a rehandshake request
    2707             :  * under TLS 1.2 or earlier the %GNUTLS_E_GOT_APPLICATION_DATA error code indicates
    2708             :  * that some data were pending prior to peer initiating the handshake.
    2709             :  * Under TLS 1.3 this function when called after a successful handshake, is a no-op
    2710             :  * and always succeeds in server side; in client side this function is
    2711             :  * equivalent to gnutls_session_key_update() with %GNUTLS_KU_PEER flag.
    2712             :  *
    2713             :  * This function handles both full and abbreviated TLS handshakes (resumption).
    2714             :  * For abbreviated handshakes, in client side, the gnutls_session_set_data()
    2715             :  * should be called prior to this function to set parameters from a previous session.
    2716             :  * In server side, resumption is handled by either setting a DB back-end, or setting
    2717             :  * up keys for session tickets.
    2718             :  *
    2719             :  * Returns: %GNUTLS_E_SUCCESS on a successful handshake, otherwise a negative error code.
    2720             :  **/
    2721    39706200 : int gnutls_handshake(gnutls_session_t session)
    2722             : {
    2723    39706200 :         const version_entry_st *vers = get_version(session);
    2724    39706200 :         int ret;
    2725             : 
    2726    39706200 :         if (unlikely(session->internals.initial_negotiation_completed)) {
    2727         379 :                 if (vers->tls13_sem) {
    2728           6 :                         if (session->security_parameters.entity == GNUTLS_CLIENT) {
    2729           1 :                                 return gnutls_session_key_update(session, GNUTLS_KU_PEER);
    2730             :                         } else {
    2731             :                                 /* This is a no-op for a server under TLS 1.3, as
    2732             :                                  * a server has already called gnutls_rehandshake()
    2733             :                                  * which performed a key update.
    2734             :                                  */
    2735             :                                 return 0;
    2736             :                         }
    2737             :                 }
    2738             :         }
    2739             : 
    2740    39706200 :         if (STATE == STATE0) {
    2741       23318 :                 unsigned int tmo_ms;
    2742       23318 :                 struct timespec *end;
    2743       23318 :                 struct timespec *start;
    2744             : 
    2745             :                 /* first call */
    2746       23318 :                 if (session->internals.priorities == NULL ||
    2747       23318 :                     session->internals.priorities->cs.size == 0)
    2748           0 :                         return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
    2749             : 
    2750       23318 :                 ret =
    2751       23318 :                     _gnutls_epoch_setup_next(session, 0, NULL);
    2752       23318 :                 if (ret < 0)
    2753           0 :                         return gnutls_assert_val(ret);
    2754             : 
    2755       23318 :                 session->internals.used_exts = 0;
    2756       23318 :                 session->internals.hsk_flags = 0;
    2757       23318 :                 session->internals.handshake_in_progress = 1;
    2758       23318 :                 session->internals.vc_status = -1;
    2759       23318 :                 gnutls_gettime(&session->internals.handshake_start_time);
    2760             : 
    2761       23318 :                 tmo_ms = session->internals.handshake_timeout_ms;
    2762       23318 :                 end = &session->internals.handshake_abs_timeout;
    2763       23318 :                 start = &session->internals.handshake_start_time;
    2764             : 
    2765       23318 :                 if (tmo_ms && end->tv_sec == 0 && end->tv_nsec == 0) {
    2766       13576 :                         end->tv_sec =
    2767       13576 :                                 start->tv_sec + (start->tv_nsec + tmo_ms * 1000000LL) / 1000000000LL;
    2768       13576 :                         end->tv_nsec =
    2769       13576 :                                 (start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL;
    2770             :                 }
    2771             :         }
    2772             : 
    2773    39706200 :         if (session->internals.recv_state == RECV_STATE_FALSE_START) {
    2774           8 :                 session_invalidate(session);
    2775           8 :                 return gnutls_assert_val(GNUTLS_E_HANDSHAKE_DURING_FALSE_START);
    2776             :         }
    2777             : 
    2778    39706200 :         if (session->security_parameters.entity == GNUTLS_CLIENT) {
    2779    20681500 :                 do {
    2780    20681500 :                         ret = handshake_client(session);
    2781    20681500 :                 } while (ret == 1);
    2782             :         } else {
    2783    19024700 :                 ret = handshake_server(session);
    2784             :         }
    2785             : 
    2786    39706200 :         if (ret < 0) {
    2787    39691700 :                 return _gnutls_abort_handshake(session, ret);
    2788             :         }
    2789             : 
    2790             :         /* clear handshake buffer */
    2791       14444 :         if (session->internals.recv_state != RECV_STATE_FALSE_START &&
    2792             :             session->internals.recv_state != RECV_STATE_EARLY_START) {
    2793             : 
    2794       14389 :                 _gnutls_handshake_hash_buffers_clear(session);
    2795             : 
    2796       14389 :                 if (IS_DTLS(session) == 0) {
    2797       13802 :                         _gnutls_handshake_io_buffer_clear(session);
    2798             :                 } else {
    2799         587 :                         _dtls_async_timer_init(session);
    2800             :                 }
    2801             : 
    2802       14389 :                 _gnutls_handshake_internal_state_clear(session);
    2803             : 
    2804       14389 :                 _gnutls_buffer_clear(&session->internals.record_presend_buffer);
    2805             : 
    2806       14389 :                 _gnutls_epoch_bump(session);
    2807             :         }
    2808             : 
    2809             :         /* Give an estimation of the round-trip under TLS1.3, used by gnutls_session_get_data2() */
    2810       14444 :         if (!IS_SERVER(session) && vers->tls13_sem) {
    2811         366 :                 struct timespec handshake_finish_time;
    2812         366 :                 gnutls_gettime(&handshake_finish_time);
    2813             : 
    2814         366 :                 if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED)) {
    2815         342 :                         session->internals.ertt = timespec_sub_ms(&handshake_finish_time, &session->internals.handshake_start_time)/2;
    2816             :                 } else {
    2817          24 :                         session->internals.ertt = timespec_sub_ms(&handshake_finish_time, &session->internals.handshake_start_time)/4;
    2818             :                 }
    2819             :         }
    2820             : 
    2821             :         return 0;
    2822             : }
    2823             : 
    2824             : /**
    2825             :  * gnutls_handshake_set_timeout:
    2826             :  * @session: is a #gnutls_session_t type.
    2827             :  * @ms: is a timeout value in milliseconds
    2828             :  *
    2829             :  * This function sets the timeout for the TLS handshake process
    2830             :  * to the provided value. Use an @ms value of zero to disable
    2831             :  * timeout, or %GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT for a reasonable
    2832             :  * default value. For the DTLS protocol, the more detailed
    2833             :  * gnutls_dtls_set_timeouts() is provided.
    2834             :  *
    2835             :  * This function requires to set a pull timeout callback. See
    2836             :  * gnutls_transport_set_pull_timeout_function().
    2837             :  *
    2838             :  * Since: 3.1.0
    2839             :  **/
    2840             : void
    2841       13509 : gnutls_handshake_set_timeout(gnutls_session_t session, unsigned int ms)
    2842             : {
    2843       13509 :         if (ms == GNUTLS_INDEFINITE_TIMEOUT) {
    2844           0 :                 session->internals.handshake_timeout_ms = 0;
    2845           0 :                 return;
    2846             :         }
    2847             : 
    2848       13509 :         if (ms == GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT)
    2849       10926 :                 ms = DEFAULT_HANDSHAKE_TIMEOUT_MS;
    2850             : 
    2851       13509 :         if (IS_DTLS(session)) {
    2852         578 :                 gnutls_dtls_set_timeouts(session, DTLS_RETRANS_TIMEOUT, ms);
    2853         578 :                 return;
    2854             :         }
    2855             : 
    2856       12931 :         session->internals.handshake_timeout_ms = ms;
    2857             : }
    2858             : 
    2859             : /* Runs the certificate verification callback.
    2860             :  * side is the side that we verify the certificate
    2861             :  * from (either GNUTLS_CLIENT or GNUTLS_SERVER).
    2862             :  */
    2863       16513 : int _gnutls_run_verify_callback(gnutls_session_t session, unsigned int side)
    2864             : {
    2865       16513 :         gnutls_certificate_credentials_t cred;
    2866       16513 :         int ret, type;
    2867             : 
    2868       16513 :         if (session->internals.hsk_flags & HSK_PSK_SELECTED)
    2869             :                 return 0;
    2870             : 
    2871       14929 :         cred =
    2872       14929 :             (gnutls_certificate_credentials_t) _gnutls_get_cred(session,
    2873             :                                                                 GNUTLS_CRD_CERTIFICATE);
    2874             : 
    2875       14929 :         if (side == GNUTLS_CLIENT)
    2876        5845 :                 type = gnutls_auth_server_get_type(session);
    2877             :         else
    2878        9084 :                 type = gnutls_auth_client_get_type(session);
    2879             : 
    2880       14929 :         if (type != GNUTLS_CRD_CERTIFICATE)
    2881             :                 return 0;
    2882             : 
    2883             :         /* verify whether the certificate of the peer remained the same
    2884             :          * as with any previous handshakes */
    2885       10167 :         if (cred != NULL) {
    2886       10167 :                 ret = _gnutls_check_if_cert_hash_is_same(session, cred);
    2887       10167 :                 if (ret < 0) {
    2888           2 :                         return gnutls_assert_val(ret);
    2889             :                 }
    2890             :         }
    2891             : 
    2892       10165 :         if (cred != NULL &&
    2893       10165 :             (cred->verify_callback != NULL || session->internals.verify_callback != NULL) &&
    2894        6935 :             (session->security_parameters.entity == GNUTLS_CLIENT ||
    2895        6665 :              session->internals.send_cert_req != GNUTLS_CERT_IGNORE)) {
    2896        1282 :                 if (session->internals.verify_callback)
    2897          21 :                         ret = session->internals.verify_callback(session);
    2898             :                 else
    2899        1261 :                         ret = cred->verify_callback(session);
    2900        1282 :                 if (ret < -1)
    2901           8 :                         return gnutls_assert_val(ret);
    2902        1274 :                 else if (ret != 0)
    2903          22 :                         return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
    2904             :         }
    2905             : 
    2906             :         return 0;
    2907             : }
    2908             : 
    2909          61 : static bool can_send_false_start(gnutls_session_t session)
    2910             : {
    2911          61 :         const version_entry_st *vers;
    2912             : 
    2913          61 :         vers = get_version(session);
    2914          61 :         if (unlikely(vers == NULL || !vers->false_start))
    2915             :                 return 0;
    2916             : 
    2917          61 :         if (session->internals.selected_cert_list != NULL)
    2918             :                 return 0;
    2919             : 
    2920          61 :         if (!_gnutls_kx_allows_false_start(session))
    2921          18 :                 return 0;
    2922             : 
    2923             :         return 1;
    2924             : }
    2925             : 
    2926             : /*
    2927             :  * handshake_client
    2928             :  * This function performs the client side of the handshake of the TLS/SSL protocol.
    2929             :  */
    2930    20681500 : static int handshake_client(gnutls_session_t session)
    2931             : {
    2932    20681500 :         int ret = 0;
    2933    20682100 :         const version_entry_st *ver;
    2934             : 
    2935    20682100 :  reset:
    2936    20682100 :         if (STATE >= STATE99)
    2937         750 :                 return _gnutls13_handshake_client(session);
    2938             : 
    2939    20681400 :         switch (STATE) {
    2940    12413400 :         case STATE0:
    2941             :         case STATE1:
    2942    12413400 :                 ret = send_client_hello(session, AGAIN(STATE1));
    2943    12413400 :                 STATE = STATE1;
    2944    12413400 :                 IMED_RET("send hello", ret, 1);
    2945      750952 :                 FALLTHROUGH;
    2946             :         case STATE2:
    2947      750952 :                 if (IS_DTLS(session)) {
    2948         348 :                         ret =
    2949         348 :                             _gnutls_recv_handshake(session,
    2950             :                                                    GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
    2951             :                                                    1, NULL);
    2952         348 :                         STATE = STATE2;
    2953         348 :                         IMED_RET("recv hello verify", ret, 1);
    2954             : 
    2955         317 :                         if (ret == 1) {
    2956          27 :                                 STATE = STATE0;
    2957          27 :                                 return 1;
    2958             :                         }
    2959             :                 } else {
    2960      750604 :                         ret =
    2961      750604 :                             _gnutls_recv_handshake(session,
    2962             :                                                    GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST,
    2963             :                                                    1, NULL);
    2964      750604 :                         STATE = STATE2;
    2965      750604 :                         IMED_RET("recv hello retry", ret, 1);
    2966             : 
    2967        2898 :                         if (ret == 1) {
    2968          24 :                                 STATE = STATE0;
    2969          24 :                                 return 1;
    2970             :                         }
    2971             :                 }
    2972        3164 :                 FALLTHROUGH;
    2973             :         case STATE3:
    2974             :                 /* receive the server hello */
    2975        3164 :                 ret =
    2976        3164 :                     _gnutls_recv_handshake(session,
    2977             :                                            GNUTLS_HANDSHAKE_SERVER_HELLO,
    2978             :                                            0, NULL);
    2979        3164 :                 STATE = STATE3;
    2980        3164 :                 IMED_RET("recv hello", ret, 1);
    2981        2769 :                 FALLTHROUGH;
    2982             :         case STATE4:
    2983        2769 :                 ver = get_version(session);
    2984        2769 :                 if (ver->tls13_sem) { /* TLS 1.3 state machine */
    2985         598 :                         STATE = STATE99;
    2986         598 :                         goto reset;
    2987             :                 }
    2988             : 
    2989        2171 :                 ret = _gnutls_ext_sr_verify(session);
    2990        2171 :                 STATE = STATE4;
    2991        2171 :                 IMED_RET_FATAL("recv hello", ret, 0);
    2992        2164 :                 FALLTHROUGH;
    2993             :         case STATE5:
    2994        2164 :                 if (session->security_parameters.do_recv_supplemental) {
    2995           6 :                         ret = _gnutls_recv_supplemental(session);
    2996           6 :                         STATE = STATE5;
    2997           6 :                         IMED_RET("recv supplemental", ret, 1);
    2998             :                 }
    2999        3221 :                 FALLTHROUGH;
    3000             :         case STATE6:
    3001             :                 /* RECV CERTIFICATE */
    3002        3221 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3003        3107 :                         ret = _gnutls_recv_server_certificate(session);
    3004        3221 :                 STATE = STATE6;
    3005        3221 :                 IMED_RET("recv server certificate", ret, 1);
    3006        3634 :                 FALLTHROUGH;
    3007             :         case STATE7:
    3008             : #ifdef ENABLE_OCSP
    3009             :                 /* RECV CERTIFICATE STATUS */
    3010        3634 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3011        3520 :                         ret =
    3012        3520 :                             _gnutls_recv_server_certificate_status
    3013             :                             (session);
    3014        3634 :                 STATE = STATE7;
    3015        3634 :                 IMED_RET("recv server certificate", ret, 1);
    3016             : #endif
    3017        1805 :                 FALLTHROUGH;
    3018             :         case STATE8:
    3019        1805 :                 ret = _gnutls_run_verify_callback(session, GNUTLS_CLIENT);
    3020        1805 :                 STATE = STATE8;
    3021        1805 :                 if (ret < 0)
    3022           6 :                         return gnutls_assert_val(ret);
    3023             : 
    3024     6981550 :                 FALLTHROUGH;
    3025             :         case STATE9:
    3026             :                 /* receive the server key exchange */
    3027     6981550 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3028     6981440 :                         ret = _gnutls_recv_server_kx_message(session);
    3029     6981550 :                 STATE = STATE9;
    3030     6981550 :                 IMED_RET("recv server kx message", ret, 1);
    3031        1935 :                 FALLTHROUGH;
    3032             :         case STATE10:
    3033             :                 /* receive the server certificate request - if any
    3034             :                  */
    3035             : 
    3036        1935 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3037        1821 :                         ret = _gnutls_recv_server_crt_request(session);
    3038        1935 :                 STATE = STATE10;
    3039        1935 :                 IMED_RET("recv server certificate request message", ret,
    3040             :                          1);
    3041        4075 :                 FALLTHROUGH;
    3042             :         case STATE11:
    3043             :                 /* receive the server hello done */
    3044        4075 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3045        3961 :                         ret =
    3046        3961 :                             _gnutls_recv_handshake(session,
    3047             :                                                    GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
    3048             :                                                    0, NULL);
    3049        4075 :                 STATE = STATE11;
    3050        4075 :                 IMED_RET("recv server hello done", ret, 1);
    3051        1594 :                 FALLTHROUGH;
    3052             :         case STATE12:
    3053        1594 :                 if (session->security_parameters.do_send_supplemental) {
    3054           6 :                         ret =
    3055          12 :                             _gnutls_send_supplemental(session,
    3056           6 :                                                       AGAIN(STATE12));
    3057           6 :                         STATE = STATE12;
    3058           6 :                         IMED_RET("send supplemental", ret, 0);
    3059             :                 }
    3060        1594 :                 FALLTHROUGH;
    3061             :         case STATE13:
    3062             :                 /* send our certificate - if any and if requested
    3063             :                  */
    3064        1594 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3065        1480 :                         ret =
    3066        1480 :                             _gnutls_send_client_certificate(session,
    3067        1480 :                                                             AGAIN
    3068             :                                                             (STATE13));
    3069        1594 :                 STATE = STATE13;
    3070        1594 :                 IMED_RET("send client certificate", ret, 0);
    3071        1594 :                 FALLTHROUGH;
    3072             :         case STATE14:
    3073        1594 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3074        1480 :                         ret =
    3075        1480 :                             _gnutls_send_client_kx_message(session,
    3076        1480 :                                                            AGAIN(STATE14));
    3077        1594 :                 STATE = STATE14;
    3078        1594 :                 IMED_RET("send client kx", ret, 0);
    3079        1587 :                 FALLTHROUGH;
    3080             :         case STATE15:
    3081             :                 /* send client certificate verify */
    3082        1587 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3083        1473 :                         ret =
    3084        1473 :                             _gnutls_send_client_certificate_verify(session,
    3085        1473 :                                                                    AGAIN
    3086             :                                                                    (STATE15));
    3087        1587 :                 STATE = STATE15;
    3088        1587 :                 IMED_RET("send client certificate verify", ret, 1);
    3089        1619 :                 FALLTHROUGH;
    3090             :         case STATE16:
    3091        1619 :                 STATE = STATE16;
    3092        1619 :                 if (session->internals.resumed == RESUME_FALSE) {
    3093        1505 :                         ret = send_handshake_final(session, TRUE);
    3094        1505 :                         IMED_RET("send handshake final 2", ret, 1);
    3095             :                 } else {
    3096         114 :                         ret = _gnutls_recv_new_session_ticket(session);
    3097         114 :                         IMED_RET("recv handshake new session ticket", ret,
    3098             :                                  1);
    3099             :                 }
    3100        1582 :                 FALLTHROUGH;
    3101             :         case STATE17:
    3102        1582 :                 STATE = STATE17;
    3103        1582 :                 if (session->internals.resumed == RESUME_FALSE && (session->internals.flags & GNUTLS_ENABLE_FALSE_START) && can_send_false_start(session)) {
    3104          43 :                         session->internals.hsk_flags |= HSK_FALSE_START_USED;
    3105          43 :                         session->internals.recv_state = RECV_STATE_FALSE_START;
    3106             :                         /* complete this phase of the handshake. We
    3107             :                          * should be called again by gnutls_record_recv()
    3108             :                          */
    3109          43 :                         STATE = STATE18;
    3110          43 :                         gnutls_assert();
    3111             : 
    3112          43 :                         return 0;
    3113             :                 }
    3114        4304 :                 FALLTHROUGH;
    3115             :         case STATE18:
    3116        4304 :                 STATE = STATE18;
    3117             : 
    3118        4304 :                 if (session->internals.resumed == RESUME_FALSE) {
    3119        4159 :                         ret = _gnutls_recv_new_session_ticket(session);
    3120        4159 :                         IMED_RET("recv handshake new session ticket", ret,
    3121             :                                  1);
    3122             :                 } else {
    3123         145 :                         ret = recv_handshake_final(session, TRUE);
    3124         145 :                         IMED_RET("recv handshake final", ret, 1);
    3125             :                 }
    3126      534205 :                 FALLTHROUGH;
    3127             :         case STATE19:
    3128      534205 :                 STATE = STATE19;
    3129      534205 :                 if (session->internals.resumed == RESUME_FALSE) {
    3130      534091 :                         ret = recv_handshake_final(session, FALSE);
    3131      534091 :                         IMED_RET("recv handshake final 2", ret, 1);
    3132             :                 } else {
    3133         114 :                         ret = send_handshake_final(session, FALSE);
    3134         114 :                         IMED_RET("send handshake final", ret, 1);
    3135             :                 }
    3136             : 
    3137        1440 :                 STATE = STATE0;
    3138        1440 :                 FALLTHROUGH;
    3139             :         default:
    3140        1440 :                 break;
    3141             :         }
    3142             : 
    3143             :         /* explicitly reset any false start flags */
    3144        1440 :         gnutls_mutex_lock(&session->internals.post_negotiation_lock);
    3145        1440 :         session->internals.initial_negotiation_completed = 1;
    3146        1440 :         session->internals.recv_state = RECV_STATE_0;
    3147        1440 :         gnutls_mutex_unlock(&session->internals.post_negotiation_lock);
    3148             : 
    3149        1440 :         return 0;
    3150             : }
    3151             : 
    3152             : 
    3153             : 
    3154             : /* This function is to be called if the handshake was successfully
    3155             :  * completed. This sends a Change Cipher Spec packet to the peer.
    3156             :  */
    3157       14683 : ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, int again)
    3158             : {
    3159       14683 :         uint8_t *data;
    3160       14683 :         mbuffer_st *bufel;
    3161       14683 :         int ret;
    3162       14683 :         const version_entry_st *vers;
    3163             : 
    3164       14683 :         if (again == 0) {
    3165       14679 :                 bufel = _gnutls_handshake_alloc(session, 3); /* max for DTLS0.9 */
    3166       14679 :                 if (bufel == NULL)
    3167           0 :                         return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
    3168             : 
    3169       14679 :                 vers = get_version(session);
    3170       14679 :                 if (unlikely(vers == NULL))
    3171           0 :                         return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
    3172             : 
    3173       14679 :                 if (vers->id == GNUTLS_DTLS0_9)
    3174           7 :                         _mbuffer_set_uhead_size(bufel, 3);
    3175             :                 else
    3176       14672 :                         _mbuffer_set_uhead_size(bufel, 1);
    3177       14679 :                 _mbuffer_set_udata_size(bufel, 0);
    3178             : 
    3179       14679 :                 data = _mbuffer_get_uhead_ptr(bufel);
    3180             : 
    3181       14679 :                 data[0] = 1;
    3182       14679 :                 if (vers->id == GNUTLS_DTLS0_9) {
    3183           7 :                         _gnutls_write_uint16(session->internals.dtls.
    3184             :                                              hsk_write_seq, &data[1]);
    3185           7 :                         session->internals.dtls.hsk_write_seq++;
    3186             :                 }
    3187             : 
    3188       14679 :                 ret = _gnutls_call_hook_func(session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, GNUTLS_HOOK_PRE, 0,
    3189             :                                              data, 1);
    3190       14679 :                 if (ret < 0) {
    3191           0 :                         _mbuffer_xfree(&bufel);
    3192           0 :                         return gnutls_assert_val(ret);
    3193             :                 }
    3194             : 
    3195       14679 :                 ret =
    3196       14679 :                     _gnutls_handshake_io_cache_int(session,
    3197             :                                                    GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC,
    3198             :                                                    bufel);
    3199       14679 :                 if (ret < 0) {
    3200           0 :                         _mbuffer_xfree(&bufel);
    3201           0 :                         return gnutls_assert_val(ret);
    3202             :                 }
    3203             : 
    3204       14679 :                 ret = _gnutls_call_hook_func(session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, GNUTLS_HOOK_POST, 0,
    3205             :                                              data, 1);
    3206       14679 :                 if (ret < 0) {
    3207           0 :                         return gnutls_assert_val(ret);
    3208             :                 }
    3209             : 
    3210             :                 /* under TLS 1.3, CCS may be immediately followed by
    3211             :                  * receiving ClientHello thus cannot be cached */
    3212       14679 :                 if (vers->tls13_sem) {
    3213        5699 :                         ret = _gnutls_handshake_io_write_flush(session);
    3214        5699 :                         if (ret < 0)
    3215           4 :                                 return gnutls_assert_val(ret);
    3216             :                 }
    3217             : 
    3218       14675 :                 _gnutls_handshake_log("REC[%p]: Sent ChangeCipherSpec\n",
    3219             :                                       session);
    3220             :         }
    3221             : 
    3222             :         return 0;
    3223             : }
    3224             : 
    3225             : /* This function sends the final handshake packets and initializes connection
    3226             :  */
    3227        9015 : static int send_handshake_final(gnutls_session_t session, int init)
    3228             : {
    3229        9015 :         int ret = 0;
    3230             : 
    3231             :         /* Send the CHANGE CIPHER SPEC PACKET */
    3232             : 
    3233        9015 :         switch (FINAL_STATE) {
    3234        8980 :         case STATE0:
    3235             :         case STATE1:
    3236        8980 :                 ret = _gnutls_send_change_cipher_spec(session, FAGAIN(STATE1));
    3237        8980 :                 FINAL_STATE = STATE0;
    3238             : 
    3239        8980 :                 if (ret < 0) {
    3240           0 :                         gnutls_assert();
    3241           0 :                         return ret;
    3242             :                 }
    3243             :                 /* Initialize the connection session (start encryption) - in case of client
    3244             :                  */
    3245        8980 :                 if (init == TRUE) {
    3246        2252 :                         ret = _gnutls_connection_state_init(session);
    3247        2252 :                         if (ret < 0) {
    3248           0 :                                 gnutls_assert();
    3249           0 :                                 return ret;
    3250             :                         }
    3251             :                 }
    3252             : 
    3253        8980 :                 ret = _gnutls_write_connection_state_init(session);
    3254        8980 :                 if (ret < 0) {
    3255           0 :                         gnutls_assert();
    3256           0 :                         return ret;
    3257             :                 }
    3258             : 
    3259        9015 :                 FALLTHROUGH;
    3260             :         case STATE2:
    3261             :                 /* send the finished message */
    3262        9015 :                 ret = _gnutls_send_finished(session, FAGAIN(STATE2));
    3263        9015 :                 FINAL_STATE = STATE2;
    3264        9015 :                 if (ret < 0) {
    3265          37 :                         gnutls_assert();
    3266          37 :                         return ret;
    3267             :                 }
    3268             : 
    3269        8978 :                 FINAL_STATE = STATE0;
    3270             :                 FALLTHROUGH;
    3271             :         default:
    3272             :                 break;
    3273             :         }
    3274             : 
    3275             :         return 0;
    3276             : }
    3277             : 
    3278             : /* This function receives the final handshake packets
    3279             :  * And executes the appropriate function to initialize the
    3280             :  * read session.
    3281             :  */
    3282      542428 : static int recv_handshake_final(gnutls_session_t session, int init)
    3283             : {
    3284      542428 :         int ret = 0;
    3285      542428 :         uint8_t ccs[3];
    3286      542428 :         unsigned int ccs_len = 1;
    3287      542428 :         unsigned int tleft;
    3288      542428 :         const version_entry_st *vers;
    3289             : 
    3290      542428 :         ret = handshake_remaining_time(session);
    3291      542428 :         if (ret < 0)
    3292           0 :                 return gnutls_assert_val(ret);
    3293      542428 :         tleft = ret;
    3294             : 
    3295      542428 :         switch (FINAL_STATE) {
    3296      542340 :         case STATE0:
    3297             :         case STATE30:
    3298      542340 :                 FINAL_STATE = STATE30;
    3299             : 
    3300             :                 /* This is the last flight and peer cannot be sure
    3301             :                  * we have received it unless we notify him. So we
    3302             :                  * wait for a message and retransmit if needed. */
    3303      542340 :                 if (IS_DTLS(session) && !_dtls_is_async(session) &&
    3304      518003 :                     (gnutls_record_check_pending(session) +
    3305      518003 :                      record_check_unprocessed(session)) == 0) {
    3306      517944 :                         ret = _dtls_wait_and_retransmit(session);
    3307      517944 :                         if (ret < 0)
    3308         208 :                                 return gnutls_assert_val(ret);
    3309             :                 }
    3310             : 
    3311      542132 :                 vers = get_version(session);
    3312      542132 :                 if (unlikely(vers == NULL))
    3313           0 :                         return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
    3314             : 
    3315      542132 :                 if (vers->id == GNUTLS_DTLS0_9)
    3316           7 :                         ccs_len = 3;
    3317             : 
    3318     1084260 :                 ret =
    3319      542132 :                     _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC,
    3320             :                                      ccs, ccs_len, NULL, tleft);
    3321      542132 :                 if (ret <= 0) {
    3322      532842 :                         gnutls_assert();
    3323      532842 :                         return (ret<0)?ret:GNUTLS_E_UNEXPECTED_PACKET;
    3324             :                 }
    3325             : 
    3326        9290 :                 if (vers->id == GNUTLS_DTLS0_9)
    3327           7 :                         session->internals.dtls.hsk_read_seq++;
    3328             : 
    3329             :                 /* Initialize the connection session (start encryption) - in case of server */
    3330        9290 :                 if (init == TRUE) {
    3331        7159 :                         ret = _gnutls_connection_state_init(session);
    3332        7159 :                         if (ret < 0) {
    3333           0 :                                 gnutls_assert();
    3334           0 :                                 return ret;
    3335             :                         }
    3336             :                 }
    3337             : 
    3338        9290 :                 ret = _gnutls_read_connection_state_init(session);
    3339        9290 :                 if (ret < 0) {
    3340           0 :                         gnutls_assert();
    3341           0 :                         return ret;
    3342             :                 }
    3343        9378 :                 FALLTHROUGH;
    3344             :         case STATE31:
    3345        9378 :                 FINAL_STATE = STATE31;
    3346             : 
    3347        9378 :                 if (IS_DTLS(session) && !_dtls_is_async(session) &&
    3348         337 :                     (gnutls_record_check_pending(session) +
    3349         337 :                      record_check_unprocessed(session)) == 0) {
    3350          88 :                         ret = _dtls_wait_and_retransmit(session);
    3351          88 :                         if (ret < 0)
    3352          30 :                                 return gnutls_assert_val(ret);
    3353             :                 }
    3354             : 
    3355        9348 :                 ret = _gnutls_recv_finished(session);
    3356        9348 :                 if (ret < 0) {
    3357         513 :                         gnutls_assert();
    3358         513 :                         return ret;
    3359             :                 }
    3360        8835 :                 FINAL_STATE = STATE0;
    3361             :                 FALLTHROUGH;
    3362             :         default:
    3363             :                 break;
    3364             :         }
    3365             : 
    3366             :         return 0;
    3367             : }
    3368             : 
    3369             : /*
    3370             :  * handshake_server
    3371             :  * This function does the server stuff of the handshake protocol.
    3372             :  */
    3373    19024700 : static int handshake_server(gnutls_session_t session)
    3374             : {
    3375    19024700 :         int ret = 0;
    3376    19030000 :         const version_entry_st *ver;
    3377             : 
    3378        5257 :  reset:
    3379             : 
    3380    19030000 :         if (STATE >= STATE90)
    3381        5549 :                 return _gnutls13_handshake_server(session);
    3382             : 
    3383    19024400 :         switch (STATE) {
    3384    12042200 :         case STATE0:
    3385             :         case STATE1:
    3386    12042200 :                 ret =
    3387    12042200 :                     _gnutls_recv_handshake(session,
    3388             :                                            GNUTLS_HANDSHAKE_CLIENT_HELLO,
    3389             :                                            0, NULL);
    3390    12042200 :                 if (ret == GNUTLS_E_INT_RET_0) {
    3391             :                         /* this is triggered by post_client_hello, and instructs the
    3392             :                          * handshake to proceed but be put on hold */
    3393           3 :                         ret = GNUTLS_E_INTERRUPTED;
    3394           3 :                         STATE = STATE2; /* hello already parsed -> move on */
    3395             :                 } else {
    3396    12042200 :                         STATE = STATE1;
    3397             :                 }
    3398             : 
    3399    12042200 :                 if (ret == GNUTLS_E_NO_COMMON_KEY_SHARE) {
    3400         219 :                         STATE = STATE90;
    3401         219 :                         session->internals.hsk_flags |= HSK_HRR_SENT;
    3402         219 :                         goto reset;
    3403             :                 }
    3404             : 
    3405    12042000 :                 IMED_RET("recv hello", ret, 1);
    3406       15851 :                 FALLTHROUGH;
    3407             :         case STATE2:
    3408             : 
    3409       15851 :                 ret = _gnutls_ext_sr_verify(session);
    3410       15851 :                 STATE = STATE2;
    3411       15851 :                 IMED_RET_FATAL("recv hello", ret, 0);
    3412       15853 :                 FALLTHROUGH;
    3413             :         case STATE3:
    3414       15853 :                 ret = _gnutls_send_server_hello(session, AGAIN(STATE3));
    3415       15853 :                 STATE = STATE3;
    3416       15853 :                 IMED_RET("send hello", ret, 1);
    3417             : 
    3418       15839 :                 ver = get_version(session);
    3419       15839 :                 if (ver->tls13_sem) { /* TLS 1.3 state machine */
    3420        5038 :                         STATE = STATE99;
    3421        5038 :                         goto reset;
    3422             :                 }
    3423             : 
    3424       10801 :                 FALLTHROUGH;
    3425             :         case STATE4:
    3426       10801 :                 if (session->security_parameters.do_send_supplemental) {
    3427          24 :                         ret =
    3428          48 :                             _gnutls_send_supplemental(session,
    3429          24 :                                                       AGAIN(STATE4));
    3430          24 :                         STATE = STATE4;
    3431          24 :                         IMED_RET("send supplemental data", ret, 0);
    3432             :                 }
    3433             :                 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
    3434       10801 :                 FALLTHROUGH;
    3435             :         case STATE5:
    3436             :                 /* NOTE: these should not be send if we are resuming */
    3437             : 
    3438       10801 :                 if (session->internals.resumed == RESUME_FALSE)
    3439       10019 :                         ret =
    3440       10019 :                             _gnutls_send_server_certificate(session,
    3441       10019 :                                                             AGAIN(STATE5));
    3442       10801 :                 STATE = STATE5;
    3443       10801 :                 IMED_RET("send server certificate", ret, 0);
    3444       10801 :                 FALLTHROUGH;
    3445             :         case STATE6:
    3446             : #ifdef ENABLE_OCSP
    3447       10801 :                 if (session->internals.resumed == RESUME_FALSE)
    3448       10019 :                         ret =
    3449       10019 :                             _gnutls_send_server_certificate_status(session,
    3450       10019 :                                                                    AGAIN
    3451             :                                                                    (STATE6));
    3452       10801 :                 STATE = STATE6;
    3453       10801 :                 IMED_RET("send server certificate status", ret, 0);
    3454             : #endif
    3455       10801 :                 FALLTHROUGH;
    3456             :         case STATE7:
    3457             :                 /* send server key exchange (A) */
    3458       10801 :                 if (session->internals.resumed == RESUME_FALSE)
    3459       10019 :                         ret =
    3460       10019 :                             _gnutls_send_server_kx_message(session,
    3461       10019 :                                                            AGAIN(STATE7));
    3462       10801 :                 STATE = STATE7;
    3463       10801 :                 IMED_RET("send server kx", ret, 0);
    3464       10756 :                 FALLTHROUGH;
    3465             :         case STATE8:
    3466             :                 /* Send certificate request - if requested to */
    3467       10756 :                 if (session->internals.resumed == RESUME_FALSE)
    3468        9974 :                         ret =
    3469        9974 :                             _gnutls_send_server_crt_request(session,
    3470        9974 :                                                             AGAIN(STATE8));
    3471       10756 :                 STATE = STATE8;
    3472       10756 :                 IMED_RET("send server cert request", ret, 0);
    3473     6989760 :                 FALLTHROUGH;
    3474             :         case STATE9:
    3475             :                 /* send the server hello done */
    3476     6989760 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3477     6988980 :                         ret =
    3478     6988980 :                             _gnutls_send_empty_handshake(session,
    3479             :                                                          GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
    3480     6988980 :                                                          AGAIN(STATE9));
    3481     6989760 :                 STATE = STATE9;
    3482     6989760 :                 IMED_RET("send server hello done", ret, 1);
    3483       10755 :                 FALLTHROUGH;
    3484             :         case STATE10:
    3485       10755 :                 if (session->security_parameters.do_recv_supplemental) {
    3486          24 :                         ret = _gnutls_recv_supplemental(session);
    3487          24 :                         STATE = STATE10;
    3488          24 :                         IMED_RET("recv client supplemental", ret, 1);
    3489             :                 }
    3490             :                 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
    3491       10827 :                 FALLTHROUGH;
    3492             :         case STATE11:
    3493             :                 /* receive the client certificate message */
    3494       10827 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3495       10045 :                         ret = _gnutls_recv_client_certificate(session);
    3496       10827 :                 STATE = STATE11;
    3497       10827 :                 IMED_RET("recv client certificate", ret, 1);
    3498        9084 :                 FALLTHROUGH;
    3499             :         case STATE12:
    3500        9084 :                 ret = _gnutls_run_verify_callback(session, GNUTLS_SERVER);
    3501        9084 :                 STATE = STATE12;
    3502        9084 :                 if (ret < 0)
    3503           2 :                         return gnutls_assert_val(ret);
    3504       11901 :                 FALLTHROUGH;
    3505             :         case STATE13:
    3506             :                 /* receive the client key exchange message */
    3507       11901 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3508       11119 :                         ret = _gnutls_recv_client_kx_message(session);
    3509       11901 :                 STATE = STATE13;
    3510       11901 :                 IMED_RET("recv client kx", ret, 1);
    3511        8384 :                 FALLTHROUGH;
    3512             :         case STATE14:
    3513             :                 /* receive the client certificate verify message */
    3514        8384 :                 if (session->internals.resumed == RESUME_FALSE)      /* if we are not resuming */
    3515        7602 :                         ret =
    3516        7602 :                             _gnutls_recv_client_certificate_verify_message
    3517             :                             (session);
    3518        8384 :                 STATE = STATE14;
    3519        8384 :                 IMED_RET("recv client certificate verify", ret, 1);
    3520        8125 :                 FALLTHROUGH;
    3521             :         case STATE15:
    3522        8125 :                 STATE = STATE15;
    3523        8125 :                 if (session->internals.resumed == RESUME_FALSE) {    /* if we are not resuming */
    3524        7343 :                         ret = recv_handshake_final(session, TRUE);
    3525        7343 :                         IMED_RET("recv handshake final", ret, 1);
    3526             :                 } else {
    3527         782 :                         ret = send_handshake_final(session, TRUE);
    3528         782 :                         IMED_RET("send handshake final 2", ret, 1);
    3529             :                 }
    3530        7396 :                 FALLTHROUGH;
    3531             :         case STATE16:
    3532        7396 :                 ret =
    3533       14792 :                     _gnutls_send_new_session_ticket(session,
    3534        7396 :                                                     AGAIN(STATE16));
    3535        7396 :                 STATE = STATE16;
    3536        7396 :                 IMED_RET("send handshake new session ticket", ret, 0);
    3537        7463 :                 FALLTHROUGH;
    3538             :         case STATE17:
    3539        7463 :                 STATE = STATE17;
    3540        7463 :                 if (session->internals.resumed == RESUME_FALSE) {    /* if we are not resuming */
    3541        6614 :                         ret = send_handshake_final(session, FALSE);
    3542        6614 :                         IMED_RET("send handshake final", ret, 1);
    3543             : 
    3544        6614 :                         if (session->security_parameters.entity ==
    3545             :                             GNUTLS_SERVER
    3546        6614 :                             && !(session->internals.hsk_flags & HSK_TLS12_TICKET_SENT)) {
    3547             :                                 /* if no ticket, save session data */
    3548        5820 :                                 _gnutls_server_register_current_session
    3549             :                                     (session);
    3550             :                         }
    3551             :                 } else {
    3552         849 :                         ret = recv_handshake_final(session, FALSE);
    3553         849 :                         IMED_RET("recv handshake final 2", ret, 1);
    3554             :                 }
    3555             : 
    3556        7395 :                 STATE = STATE0;
    3557        7395 :                 FALLTHROUGH;
    3558             :         default:
    3559        7395 :                 break;
    3560             :         }
    3561             : 
    3562             :         /* no lock of post_negotiation_lock is required here as this is not run
    3563             :          * after handshake */
    3564        7395 :         session->internals.initial_negotiation_completed = 1;
    3565             : 
    3566        7395 :         return _gnutls_check_id_for_change(session);
    3567             : }
    3568             : 
    3569       19520 : int _gnutls_generate_session_id(uint8_t * session_id, uint8_t *len)
    3570             : {
    3571       19520 :         int ret;
    3572             : 
    3573       19520 :         *len = GNUTLS_DEF_SESSION_ID_SIZE;
    3574             : 
    3575       19520 :         ret =
    3576       19520 :             gnutls_rnd(GNUTLS_RND_NONCE, session_id,
    3577             :                         GNUTLS_DEF_SESSION_ID_SIZE);
    3578       19520 :         if (ret < 0) {
    3579           0 :                 gnutls_assert();
    3580           0 :                 return ret;
    3581             :         }
    3582             : 
    3583             :         return 0;
    3584             : }
    3585             : 
    3586             : 
    3587             : /**
    3588             :  * gnutls_handshake_set_max_packet_length:
    3589             :  * @session: is a #gnutls_session_t type.
    3590             :  * @max: is the maximum number.
    3591             :  *
    3592             :  * This function will set the maximum size of all handshake messages.
    3593             :  * Handshakes over this size are rejected with
    3594             :  * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code.  The default value is
    3595             :  * 128kb which is typically large enough.  Set this to 0 if you do not
    3596             :  * want to set an upper limit.
    3597             :  *
    3598             :  * The reason for restricting the handshake message sizes are to
    3599             :  * limit Denial of Service attacks.
    3600             :  *
    3601             :  * Note that the maximum handshake size was increased to 128kb
    3602             :  * from 48kb in GnuTLS 3.5.5.
    3603             :  **/
    3604             : void
    3605       23098 : gnutls_handshake_set_max_packet_length(gnutls_session_t session,
    3606             :                                        size_t max)
    3607             : {
    3608       23098 :         session->internals.max_handshake_data_buffer_size = max;
    3609       23098 : }
    3610             : 
    3611             : /**
    3612             :  * gnutls_handshake_get_last_in:
    3613             :  * @session: is a #gnutls_session_t type.
    3614             :  *
    3615             :  * This function is only useful to check where the last performed
    3616             :  * handshake failed.  If the previous handshake succeed or was not
    3617             :  * performed at all then no meaningful value will be returned.
    3618             :  *
    3619             :  * Check %gnutls_handshake_description_t in gnutls.h for the
    3620             :  * available handshake descriptions.
    3621             :  *
    3622             :  * Returns: the last handshake message type received, a
    3623             :  * %gnutls_handshake_description_t.
    3624             :  **/
    3625             : gnutls_handshake_description_t
    3626           7 : gnutls_handshake_get_last_in(gnutls_session_t session)
    3627             : {
    3628           7 :         return session->internals.last_handshake_in;
    3629             : }
    3630             : 
    3631             : /**
    3632             :  * gnutls_handshake_get_last_out:
    3633             :  * @session: is a #gnutls_session_t type.
    3634             :  *
    3635             :  * This function is only useful to check where the last performed
    3636             :  * handshake failed.  If the previous handshake succeed or was not
    3637             :  * performed at all then no meaningful value will be returned.
    3638             :  *
    3639             :  * Check %gnutls_handshake_description_t in gnutls.h for the
    3640             :  * available handshake descriptions.
    3641             :  *
    3642             :  * Returns: the last handshake message type sent, a
    3643             :  * %gnutls_handshake_description_t.
    3644             :  **/
    3645             : gnutls_handshake_description_t
    3646           9 : gnutls_handshake_get_last_out(gnutls_session_t session)
    3647             : {
    3648           9 :         return session->internals.last_handshake_out;
    3649             : }
    3650             : 
    3651             : /* This returns the session hash as in draft-ietf-tls-session-hash-02.
    3652             :  */
    3653        5150 : int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t *shash)
    3654             : {
    3655        5150 :         const version_entry_st *ver = get_version(session);
    3656        5150 :         int ret;
    3657        5150 :         uint8_t concat[2*MAX_HASH_SIZE];
    3658             : 
    3659        5150 :         if (unlikely(ver == NULL))
    3660           0 :                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
    3661             : 
    3662        5150 :         if (session->internals.handshake_hash_buffer_client_kx_len == 0 ||
    3663        5150 :             (session->internals.handshake_hash_buffer.length <
    3664        5150 :             session->internals.handshake_hash_buffer_client_kx_len)) {
    3665           0 :                         return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
    3666             :         }
    3667             : 
    3668        5150 :         ret =
    3669       10300 :             _gnutls_hash_fast((gnutls_digest_algorithm_t)session->security_parameters.prf->id,
    3670        5150 :                               session->internals.handshake_hash_buffer.
    3671             :                               data,
    3672             :                               session->internals.handshake_hash_buffer_client_kx_len,
    3673             :                               concat);
    3674        5150 :         if (ret < 0)
    3675           0 :                 return gnutls_assert_val(ret);
    3676             : 
    3677        5150 :         return _gnutls_set_datum(shash, concat, session->security_parameters.prf->output_size);
    3678             : }

Generated by: LCOV version 1.14