/*

 * Copyright (C) 2017-2018 Red Hat, Inc.

 *

 * Author: Nikos Mavrogiannopoulos

 *

 * This file is part of GnuTLS.

 *

 * The GnuTLS is free software; you can redistribute it and/or

 * modify it under the terms of the GNU Lesser General Public License

 * as published by the Free Software Foundation; either version 2.1 of

 * the License, or (at your option) any later version.

 *

 * This library is distributed in the hope that it will be useful, but

 * WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 * Lesser General Public License for more details.

 *

 * You should have received a copy of the GNU Lesser General Public License

 * along with this program.  If not, see <https://www.gnu.org/licenses/>

 *

 */

/* Functions that relate to the TLS handshake procedure.

 */

#include "gnutls_int.h"

#include "errors.h"

#include "dh.h"

#include "debug.h"

#include "algorithms.h"

#include "cipher.h"

#include "buffers.h"

#include "mbuffers.h"

#include "kx.h"

#include "handshake.h"

#include "num.h"

#include "hash_int.h"

#include "db.h"

#include "hello_ext.h"

#include "supplemental.h"

#include "auth.h"

#include "sslv2_compat.h"

#include <auth/cert.h>

#include "constate.h"

#include <record.h>

#include <state.h>

#include <random.h>

#include <dtls.h>

#include "secrets.h"

#include "tls13/hello_retry.h"

#include "tls13/encrypted_extensions.h"

#include "tls13/certificate_request.h"

#include "tls13/certificate_verify.h"

#include "tls13/certificate.h"

#include "tls13/early_data.h"

#include "tls13/finished.h"

#include "tls13/key_update.h"

#include "ext/pre_shared_key.h"

#include "locks.h"

static int generate_rms_keys(gnutls_session_t session);

static int generate_hs_traffic_keys(gnutls_session_t session);

static int generate_ap_traffic_keys(gnutls_session_t session);

#define SAVE_TRANSCRIPT \

	if (session->internals.flags & GNUTLS_POST_HANDSHAKE_AUTH) { \

		/* If post-handshake auth is in use we need a copy of the original \

		 * handshake transcript */ \

		memcpy( &session->internals.post_handshake_hash_buffer, \

			&session->internals.handshake_hash_buffer, \

			sizeof(session->internals.handshake_hash_buffer)); \

		_gnutls_buffer_init(&session->internals.handshake_hash_buffer); \

	}

/*

 * _gnutls13_handshake_client

 * This function performs the client side of the handshake of the TLS/SSL protocol.

 */

int _gnutls13_handshake_client(gnutls_session_t session)

{

	int ret = 0;

	switch (STATE) {

	case STATE99:

	case STATE100:

#ifdef TLS13_APPENDIX_D4

		/* We send it before keys are generated. That works because CCS

		 * is always being cached and queued and not being sent directly */

		ret = _gnutls_send_change_cipher_spec(session, AGAIN(STATE100));

		STATE = STATE100;

		IMED_RET("send change cipher spec", ret, 0);

#endif

		FALLTHROUGH;

	case STATE101:

		/* Note that we check IN_FLIGHT, not ACCEPTED

		 * here. This is because the client sends early data

		 * speculatively. */

		if (session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT) {

			ret = _tls13_write_connection_state_init(session, STAGE_EARLY);

			if (ret == 0) {

				_gnutls_epoch_bump(session);

				ret = _gnutls_epoch_dup(session, EPOCH_WRITE_CURRENT);

			}

			STATE = STATE101;

			IMED_RET_FATAL("set early traffic keys", ret, 0);

		}

		FALLTHROUGH;

	case STATE102:

		ret = _gnutls13_send_early_data(session);

		STATE = STATE102;

		IMED_RET("send early data", ret, 0);

		FALLTHROUGH;

	case STATE103:

		STATE = STATE103;

		ret = generate_hs_traffic_keys(session);

		/* Note that we check IN_FLIGHT, not ACCEPTED

		 * here. This is because the client sends early data

		 * speculatively. */

		IMED_RET_FATAL("generate hs traffic keys", ret, 0);

		if (session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT)

			ret = _tls13_read_connection_state_init(session, STAGE_HS);

		else

			ret = _tls13_connection_state_init(session, STAGE_HS);

		IMED_RET_FATAL("set hs traffic keys", ret, 0);

		FALLTHROUGH;

	case STATE104:

		ret = _gnutls13_recv_encrypted_extensions(session);

		STATE = STATE104;

		IMED_RET("recv encrypted extensions", ret, 0);

		FALLTHROUGH;

	case STATE105:

		ret = _gnutls13_recv_certificate_request(session);

		STATE = STATE105;

		IMED_RET("recv certificate request", ret, 0);

		FALLTHROUGH;

	case STATE106:

		ret = _gnutls13_recv_certificate(session);

		STATE = STATE106;

		IMED_RET("recv certificate", ret, 0);

		FALLTHROUGH;

	case STATE107:

		ret = _gnutls13_recv_certificate_verify(session);

		STATE = STATE107;

		IMED_RET("recv server certificate verify", ret, 0);

		FALLTHROUGH;

	case STATE108:

		ret = _gnutls_run_verify_callback(session, GNUTLS_CLIENT);

		STATE = STATE108;

		if (ret < 0)

			return gnutls_assert_val(ret);

		FALLTHROUGH;

	case STATE109:

		ret = _gnutls13_recv_finished(session);

		STATE = STATE109;

		IMED_RET("recv finished", ret, 0);

		FALLTHROUGH;

	case STATE110:

		ret = _gnutls13_send_end_of_early_data(session, AGAIN(STATE110));

		STATE = STATE110;

		IMED_RET("send end of early data", ret, 0);

		/* Note that we check IN_FLIGHT, not ACCEPTED

		 * here. This is because the client sends early data

		 * speculatively. */

		if (session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT) {

			session->internals.hsk_flags &= ~HSK_EARLY_DATA_IN_FLIGHT;

			ret = _tls13_write_connection_state_init(session, STAGE_HS);

			IMED_RET_FATAL("set hs traffic key after sending early data", ret, 0);

		}

		FALLTHROUGH;

	case STATE111:

		ret = _gnutls13_send_certificate(session, AGAIN(STATE111));

		STATE = STATE111;

		IMED_RET("send certificate", ret, 0);

		FALLTHROUGH;

	case STATE112:

		ret = _gnutls13_send_certificate_verify(session, AGAIN(STATE112));

		STATE = STATE112;

		IMED_RET("send certificate verify", ret, 0);

		FALLTHROUGH;

	case STATE113:

		ret = _gnutls13_send_finished(session, AGAIN(STATE113));

		STATE = STATE113;

		IMED_RET("send finished", ret, 0);

		FALLTHROUGH;

	case STATE114:

		STATE = STATE114;

		ret =

		    generate_ap_traffic_keys(session);

		IMED_RET_FATAL("generate app keys", ret, 0);

		ret = generate_rms_keys(session);

		IMED_RET_FATAL("generate rms keys", ret, 0);

		/* set traffic keys */

		ret = _tls13_connection_state_init(session, STAGE_APP);

		IMED_RET_FATAL("set app keys", ret, 0);

		STATE = STATE0;

		break;

	default:

		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

	}

	/* no lock of post_negotiation_lock is required here as this is not run

	 * after handshake */

	session->internals.recv_state = RECV_STATE_0;

	session->internals.initial_negotiation_completed = 1;

	SAVE_TRANSCRIPT;

	if (session->internals.resumed != RESUME_FALSE)

		_gnutls_set_resumed_parameters(session);

	return 0;

}

static int generate_non_auth_rms_keys(gnutls_session_t session)

{

	int ret;

	/* we simulate client finished */

	uint8_t finished[MAX_HASH_SIZE+TLS_HANDSHAKE_HEADER_SIZE];

	unsigned spos;

	ret = _gnutls13_compute_finished(session->security_parameters.prf,

					 session->key.proto.tls13.hs_ckey,

					 &session->internals.handshake_hash_buffer,

					 finished+TLS_HANDSHAKE_HEADER_SIZE);

	if (ret < 0)

		return gnutls_assert_val(ret);

	spos = session->internals.handshake_hash_buffer.length;

	finished[0] = GNUTLS_HANDSHAKE_FINISHED;

	_gnutls_write_uint24(session->security_parameters.prf->output_size, finished+1);

	ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer, finished,

					 TLS_HANDSHAKE_HEADER_SIZE+session->security_parameters.prf->output_size);

	if (ret < 0)

		return gnutls_assert_val(ret);

	ret = _tls13_derive_secret(session, RMS_MASTER_LABEL, sizeof(RMS_MASTER_LABEL)-1,

				   session->internals.handshake_hash_buffer.data,

				   session->internals.handshake_hash_buffer.length,

				   session->key.proto.tls13.temp_secret,

				   session->key.proto.tls13.ap_rms);

	if (ret < 0)

		return gnutls_assert_val(ret);

	session->internals.handshake_hash_buffer.length = spos;

	return 0;

}

static int generate_rms_keys(gnutls_session_t session)

{

	int ret;

	ret = _tls13_derive_secret(session, RMS_MASTER_LABEL, sizeof(RMS_MASTER_LABEL)-1,

				   session->internals.handshake_hash_buffer.data,

				   session->internals.handshake_hash_buffer_client_finished_len,

				   session->key.proto.tls13.temp_secret,

				   session->key.proto.tls13.ap_rms);

	if (ret < 0)

		return gnutls_assert_val(ret);

	return 0;

}

static int generate_ap_traffic_keys(gnutls_session_t session)

{

	int ret;

	uint8_t zero[MAX_HASH_SIZE];

	ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1,

				   NULL, 0, session->key.proto.tls13.temp_secret,

				   session->key.proto.tls13.temp_secret);

	if (ret < 0)

		return gnutls_assert_val(ret);

	memset(zero, 0, session->security_parameters.prf->output_size);

	ret = _tls13_update_secret(session, zero, session->security_parameters.prf->output_size);

	if (ret < 0)

		return gnutls_assert_val(ret);

	ret = _tls13_derive_secret(session, EXPORTER_MASTER_LABEL, sizeof(EXPORTER_MASTER_LABEL)-1,

				   session->internals.handshake_hash_buffer.data,

				   session->internals.handshake_hash_buffer_server_finished_len,

				   session->key.proto.tls13.temp_secret,

				   session->key.proto.tls13.ap_expkey);

	if (ret < 0)

		return gnutls_assert_val(ret);

	ret = _gnutls_call_keylog_func(session, "EXPORTER_SECRET",

				       session->key.proto.tls13.ap_expkey,

				       session->security_parameters.prf->output_size);

	if (ret < 0)

		return gnutls_assert_val(ret);

	_gnutls_epoch_bump(session);

	ret = _gnutls_epoch_dup(session, EPOCH_READ_CURRENT);

	if (ret < 0)

		return gnutls_assert_val(ret);

	return 0;

}

static int generate_hs_traffic_keys(gnutls_session_t session)

{

	int ret;

	unsigned null_key = 0;

	if (unlikely(session->key.proto.tls13.temp_secret_size == 0))

		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

	ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1,

				   NULL, 0, session->key.proto.tls13.temp_secret,

				   session->key.proto.tls13.temp_secret);

	if (ret < 0) {

		gnutls_assert();

		return ret;

	}

	if ((session->security_parameters.entity == GNUTLS_CLIENT &&

	      (!(session->internals.hsk_flags & HSK_KEY_SHARE_RECEIVED) ||

	        (!(session->internals.hsk_flags & HSK_PSK_KE_MODE_DHE_PSK) &&

	           session->internals.resumed != RESUME_FALSE))) ||

	    (session->security_parameters.entity == GNUTLS_SERVER &&

	      !(session->internals.hsk_flags & HSK_KEY_SHARE_SENT))) {

		if ((session->internals.hsk_flags & HSK_PSK_SELECTED) &&

		    (session->internals.hsk_flags & HSK_PSK_KE_MODE_PSK)) {

			null_key = 1;

		}

	}

	if (null_key) {

		uint8_t digest[MAX_HASH_SIZE];

		unsigned digest_size;

		if (unlikely(session->security_parameters.prf == NULL))

			return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);

		digest_size = session->security_parameters.prf->output_size;

		memset(digest, 0, digest_size);

		ret = _tls13_update_secret(session, digest, digest_size);

		if (ret < 0) {

			gnutls_assert();

			return ret;

		}

	} else {

		if (unlikely(session->key.key.size == 0))

			return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);

		ret = _tls13_update_secret(session, session->key.key.data, session->key.key.size);

		if (ret < 0) {

			gnutls_assert();

			return ret;

		}

	}

	return 0;

}

/*

 * _gnutls13_handshake_server

 * This function does the server stuff of the handshake protocol.

 */

int _gnutls13_handshake_server(gnutls_session_t session)

{

	int ret = 0;

	switch (STATE) {

	case STATE90:

		ret = _gnutls13_handshake_hash_buffers_synth(session, session->security_parameters.prf, 0);

		STATE = STATE90;

		IMED_RET_FATAL("reset handshake buffers", ret, 0);

		FALLTHROUGH;

	case STATE91:

		ret = _gnutls13_send_hello_retry_request(session, AGAIN(STATE91));

		STATE = STATE91;

		IMED_RET("send hello retry request", ret, 0);

		FALLTHROUGH;

	case STATE92:

#ifdef TLS13_APPENDIX_D4

		ret = _gnutls_send_change_cipher_spec(session, AGAIN(STATE92));

		STATE = STATE92;

		IMED_RET("send change cipher spec", ret, 0);

#endif

		FALLTHROUGH;

	case STATE93:

		ret =

		    _gnutls_recv_handshake(session,

					   GNUTLS_HANDSHAKE_CLIENT_HELLO,

					   0, NULL);

		if (ret == GNUTLS_E_INT_RET_0) {

			/* this is triggered by post_client_hello, and instructs the

			 * handshake to proceed but be put on hold */

			ret = GNUTLS_E_INTERRUPTED;

			STATE = STATE94; /* hello already parsed -> move to next state */

		} else {

			STATE = STATE93;

		}

		IMED_RET("recv client hello", ret, 0);

		FALLTHROUGH;

	case STATE94:

		ret = _gnutls_send_server_hello(session, AGAIN(STATE94));

		STATE = STATE94;

		IMED_RET("send hello", ret, 0);

		FALLTHROUGH;

	case STATE99:

	case STATE100:

#ifdef TLS13_APPENDIX_D4

		/* don't send CCS twice: when HRR has already been

		 * sent, CCS should have followed it (see above) */

		if (!(session->internals.hsk_flags & HSK_HRR_SENT)) {

			ret = _gnutls_send_change_cipher_spec(session, AGAIN(STATE100));

			STATE = STATE100;

			IMED_RET("send change cipher spec", ret, 0);

		}

#endif

		FALLTHROUGH;

	case STATE101:

		STATE = STATE101;

		if (session->internals.hsk_flags & HSK_EARLY_DATA_ACCEPTED) {

			ret = _tls13_read_connection_state_init(session, STAGE_EARLY);

			if (ret == 0) {

				_gnutls_epoch_bump(session);

				ret = _gnutls_epoch_dup(session, EPOCH_READ_CURRENT);

			}

			IMED_RET_FATAL("set early traffic keys", ret, 0);

			ret = generate_hs_traffic_keys(session);

			IMED_RET_FATAL("generate hs traffic keys", ret, 0);

			ret = _tls13_write_connection_state_init(session, STAGE_HS);

		} else {

			ret = generate_hs_traffic_keys(session);

			IMED_RET_FATAL("generate hs traffic keys", ret, 0);

			ret = _tls13_connection_state_init(session, STAGE_HS);

		}

		IMED_RET_FATAL("set hs traffic keys", ret, 0);

		FALLTHROUGH;

	case STATE102:

		ret = _gnutls13_send_encrypted_extensions(session, AGAIN(STATE102));

		STATE = STATE102;

		IMED_RET("send encrypted extensions", ret, 0);

		FALLTHROUGH;

	case STATE103:

		ret = _gnutls13_send_certificate_request(session, AGAIN(STATE103));

		STATE = STATE103;

		IMED_RET("send certificate request", ret, 0);

		FALLTHROUGH;

	case STATE104:

		ret = _gnutls13_send_certificate(session, AGAIN(STATE104));

		STATE = STATE104;

		IMED_RET("send certificate", ret, 0);

		FALLTHROUGH;

	case STATE105:

		ret = _gnutls13_send_certificate_verify(session, AGAIN(STATE105));

		STATE = STATE105;

		IMED_RET("send certificate verify", ret, 0);

		FALLTHROUGH;

	case STATE106:

		ret = _gnutls13_send_finished(session, AGAIN(STATE106));

		STATE = STATE106;

		IMED_RET("send finished", ret, 0);

		FALLTHROUGH;

	case STATE107:

		ret = _gnutls13_recv_end_of_early_data(session);

		STATE = STATE107;

		IMED_RET("recv end of early data", ret, 0);

		if (session->internals.hsk_flags & HSK_EARLY_DATA_ACCEPTED) {

			ret = _tls13_read_connection_state_init(session, STAGE_HS);

			IMED_RET_FATAL("set hs traffic key after receiving early data", ret, 0);

		}

		FALLTHROUGH;

	case STATE108:

		/* At this point our sending keys should be the app keys

		 * see 4.4.4 at draft-ietf-tls-tls13-28 */

		ret =

		    generate_ap_traffic_keys(session);

		IMED_RET_FATAL("generate app keys", ret, 0);

		/* If the session is unauthenticated, try to optimize the handshake by

		 * sending the session ticket early. */

		if (!(session->internals.hsk_flags & (HSK_CRT_REQ_SENT|HSK_PSK_SELECTED))) {

			STATE = STATE108;

			ret = generate_non_auth_rms_keys(session);

			IMED_RET_FATAL("generate rms keys", ret, 0);

			session->internals.hsk_flags |= HSK_EARLY_START_USED;

			_gnutls_handshake_log("HSK[%p]: unauthenticated session eligible for early start\n", session);

		}

		ret = _tls13_write_connection_state_init(session, STAGE_APP);

		IMED_RET_FATAL("set write app keys", ret, 0);

		_gnutls_handshake_log("HSK[%p]: switching early to application traffic keys\n", session);

		FALLTHROUGH;

	case STATE109:

		if (session->internals.resumed != RESUME_FALSE)

			_gnutls_set_resumed_parameters(session);

		if (session->internals.hsk_flags & HSK_EARLY_START_USED) {

			if (!(session->internals.flags & GNUTLS_NO_AUTO_SEND_TICKET))

				ret = _gnutls13_send_session_ticket(session, TLS13_TICKETS_TO_SEND,

								    AGAIN(STATE109));

			STATE = STATE109;

			IMED_RET("send session ticket", ret, 0);

			/* complete this phase of the handshake. We

			 * should be called again by gnutls_record_recv()

			 */

			if (session->internals.flags & GNUTLS_ENABLE_EARLY_START) {

				STATE = STATE113; /* finished */

				gnutls_assert();

				session->internals.recv_state = RECV_STATE_EARLY_START;

				return 0;

			}

		}

		FALLTHROUGH;

	case STATE110:

		ret = _gnutls13_recv_certificate(session);

		STATE = STATE110;

		IMED_RET("recv certificate", ret, 0);

		FALLTHROUGH;

	case STATE111:

		ret = _gnutls13_recv_certificate_verify(session);

		STATE = STATE111;

		IMED_RET("recv certificate verify", ret, 0);

		FALLTHROUGH;

	case STATE112:

		ret = _gnutls_run_verify_callback(session, GNUTLS_CLIENT);

		STATE = STATE112;

		if (ret < 0)

			return gnutls_assert_val(ret);

		FALLTHROUGH;

	case STATE113: /* can enter from STATE109 */

		ret = _gnutls13_recv_finished(session);

		STATE = STATE113;

		IMED_RET("recv finished", ret, 0);

		FALLTHROUGH;

	case STATE114:

		/* If we did request a client certificate, then we can

		 * only send the tickets here */

		STATE = STATE114;

		if (!(session->internals.hsk_flags & HSK_EARLY_START_USED)) {

			ret = generate_rms_keys(session);

			IMED_RET_FATAL("generate rms keys", ret, 0);

		}

		ret = _tls13_read_connection_state_init(session, STAGE_APP);

		IMED_RET_FATAL("set read app keys", ret, 0);

		FALLTHROUGH;

	case STATE115:

		if (!(session->internals.hsk_flags & (HSK_TLS13_TICKET_SENT|HSK_EARLY_START_USED)) &&

		    !(session->internals.flags & GNUTLS_NO_AUTO_SEND_TICKET)) {

			ret = _gnutls13_send_session_ticket(session, TLS13_TICKETS_TO_SEND,

							    AGAIN(STATE115));

			STATE = STATE115;

			IMED_RET("send session ticket", ret, 0);

		}

		STATE = STATE0;

		break;

	default:

		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

	}

	/* explicitly reset any early start flags */

	gnutls_mutex_lock(&session->internals.post_negotiation_lock);

	session->internals.recv_state = RECV_STATE_0;

	session->internals.initial_negotiation_completed = 1;

	gnutls_mutex_unlock(&session->internals.post_negotiation_lock);

	SAVE_TRANSCRIPT;

	return 0;

}

/* Processes handshake messages received asynchronously after initial handshake.

 *

 * It is called once per message and should return success, or a fatal error code.

 */

int

_gnutls13_recv_async_handshake(gnutls_session_t session)

{

	int ret;

	handshake_buffer_st hsk;

	recv_state_t next_state = RECV_STATE_0;

	/* The following messages are expected asynchronously after

	 * the handshake process is complete */

	if (unlikely(session->internals.handshake_in_progress))

		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);

	do {

		_gnutls_handshake_buffer_init(&hsk;;

		/* the received handshake message has already been pushed into

		 * handshake buffers. As we do not need to use the handshake hash

		 * buffers we call the lower level receive functions */

		ret = _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE_ANY, &hsk, 0);

		if (ret < 0) {

			gnutls_assert();

			goto cleanup;

		}

		session->internals.last_handshake_in = hsk.htype;

		ret = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_PRE, 1,

					     hsk.data.data, hsk.data.length);

		if (ret < 0) {

			gnutls_assert();

			goto cleanup;

		}

		switch(hsk.htype) {

			case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:

				if (!(session->security_parameters.entity == GNUTLS_CLIENT) ||

				    !(session->internals.flags & GNUTLS_POST_HANDSHAKE_AUTH)) {

					ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);

					goto cleanup;

				}

				_gnutls_buffer_reset(&session->internals.reauth_buffer);

				/* include the handshake headers in reauth buffer */

				ret = _gnutls_buffer_append_data(&session->internals.reauth_buffer,

								 hsk.header, hsk.header_size);

				if (ret < 0) {

					gnutls_assert();

					goto cleanup;

				}

				ret = _gnutls_buffer_append_data(&session->internals.reauth_buffer,

								 hsk.data.data, hsk.data.length);

				if (ret < 0) {

					gnutls_assert();

					goto cleanup;

				}

				if (session->internals.flags & GNUTLS_AUTO_REAUTH) {

					ret = gnutls_reauth(session, 0);

					if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) {

						next_state = RECV_STATE_REAUTH;

					} else if (ret < 0) {

						gnutls_assert();

						goto cleanup;

					}

				} else {

					/* Application is expected to handle re-authentication

					 * explicitly.  */

					ret = GNUTLS_E_REAUTH_REQUEST;

				}

				goto cleanup;

			case GNUTLS_HANDSHAKE_KEY_UPDATE:

				ret = _gnutls13_recv_key_update(session, &hsk.data);

				if (ret < 0) {

					gnutls_assert();

					goto cleanup;

				}

				/* Handshake messages MUST NOT span key changes, i.e., we

				 * should not have any other pending handshake messages from

				 * the same record. */

				if (session->internals.handshake_recv_buffer_size != 0) {

					ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);

					goto cleanup;

				}

				break;

			case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:

				if (session->security_parameters.entity != GNUTLS_CLIENT) {

					ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);

					goto cleanup;

				}

				ret = _gnutls13_recv_session_ticket(session, &hsk.data);

				if (ret < 0) {

					gnutls_assert();

					goto cleanup;

				}

				memcpy(session->internals.tls13_ticket.resumption_master_secret,

				       session->key.proto.tls13.ap_rms,

				       session->key.proto.tls13.temp_secret_size);

				session->internals.tls13_ticket.prf = session->security_parameters.prf;

				session->internals.hsk_flags |= HSK_TICKET_RECEIVED;

				break;

			default:

				gnutls_assert();

				ret = GNUTLS_E_UNEXPECTED_PACKET;

				goto cleanup;

		}

		ret = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_POST, 1, hsk.data.data, hsk.data.length);

		if (ret < 0) {

			gnutls_assert();

			goto cleanup;

		}

		_gnutls_handshake_buffer_clear(&hsk;;

	} while (_gnutls_record_buffer_get_size(session) > 0);

	session->internals.recv_state = next_state;

	return 0;

 cleanup:

	/* if we have pending/partial handshake data in buffers, ensure that

	 * next read will read handshake data */

	if (_gnutls_record_buffer_get_size(session) > 0)

		session->internals.recv_state = RECV_STATE_ASYNC_HANDSHAKE;

	else

		session->internals.recv_state = next_state;

	_gnutls_handshake_buffer_clear(&hsk;;

	return ret;

}

/**

 * gnutls_session_ticket_send:

 * @session: is a #gnutls_session_t type.

 * @nr: the number of tickets to send

 * @flags: must be zero

 *

 * Sends a fresh session ticket to the peer. This is relevant only

 * in server side under TLS1.3. This function may also return %GNUTLS_E_AGAIN

 * or %GNUTLS_E_INTERRUPTED and in that case it must be called again.

 *

 * Returns: %GNUTLS_E_SUCCESS on success, or a negative error code.

 **/

int gnutls_session_ticket_send(gnutls_session_t session, unsigned nr, unsigned flags)

{

	int ret = 0;

	const version_entry_st *vers = get_version(session);

	if (!vers->tls13_sem || session->security_parameters.entity == GNUTLS_CLIENT)

		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	if (nr == 0)

		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	switch (TICKET_STATE) {

	case TICKET_STATE0:

		ret = _gnutls_io_write_flush(session);

		TICKET_STATE = TICKET_STATE0;

		if (ret < 0) {

			gnutls_assert();

			return ret;

		}

		FALLTHROUGH;

	case TICKET_STATE1:

		ret =

		    _gnutls13_send_session_ticket(session, nr, TICKET_STATE==TICKET_STATE1?1:0);

		TICKET_STATE = TICKET_STATE1;

		if (ret < 0) {

			gnutls_assert();

			return ret;

		}

		break;

	default:

		gnutls_assert();

		return GNUTLS_E_INTERNAL_ERROR;

	}

	TICKET_STATE = TICKET_STATE0;

	return 0;

}