/*
* Copyright (C) 2017 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* The GnuTLS is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>
*
*/
/* This file contains the code the Key Share TLS 1.3 extension.
*/
#include "gnutls_int.h"
#include "errors.h"
#include "num.h"
#include "ext/supported_groups.h"
#include <state.h>
#include <num.h>
#include <algorithms.h>
#include "auth/psk.h"
#include "auth/cert.h"
#include "handshake.h"
#include "../ecc.h"
#include "../algorithms.h"
#include "pk.h"
static int key_share_recv_params(gnutls_session_t session,
const uint8_t * data,
size_t data_size);
static int key_share_send_params(gnutls_session_t session,
gnutls_buffer_st * extdata);
const hello_ext_entry_st ext_mod_key_share = {
.name = "Key Share",
.tls_id = 51,
.gid = GNUTLS_EXTENSION_KEY_SHARE,
.parse_type = _GNUTLS_EXT_TLS_POST_CS,
.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO |
GNUTLS_EXT_FLAG_HRR,
.recv_func = key_share_recv_params,
.send_func = key_share_send_params,
.pack_func = NULL,
.unpack_func = NULL,
.deinit_func = NULL,
.cannot_be_overriden = 1
};
/*
* Generates key exchange parameters, and stores them in
* session->key.kshare_*_params.
*
* struct {
* NamedGroup group;
* opaque key_exchange<1..2^16-1>;
* } KeyShareEntry;
*
*/
static int client_gen_key_share(gnutls_session_t session, const gnutls_group_entry_st *group, gnutls_buffer_st *extdata)
{
gnutls_datum_t tmp = {NULL, 0};
int ret;
if (group->pk != GNUTLS_PK_EC && group->pk != GNUTLS_PK_ECDH_X25519 &&
group->pk != GNUTLS_PK_DH) {
_gnutls_debug_log("Cannot send key share for group %s!\n", group->name);
return GNUTLS_E_INT_RET_0;
}
_gnutls_handshake_log("EXT[%p]: sending key share for %s\n", session, group->name);
ret =
_gnutls_buffer_append_prefix(extdata, 16, group->tls_id);
if (ret < 0)
return gnutls_assert_val(ret);
if (group->pk == GNUTLS_PK_EC) {
gnutls_pk_params_release(&session->key.kshare.ecdh_params);
gnutls_pk_params_init(&session->key.kshare.ecdh_params);
ret = _gnutls_pk_generate_keys(group->pk, group->curve,
&session->key.kshare.ecdh_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_ecc_ansi_x962_export(group->curve,
session->key.kshare.ecdh_params.params[ECC_X],
session->key.kshare.ecdh_params.params[ECC_Y],
&tmp);
if (ret < 0)
return gnutls_assert_val(ret);
ret =
_gnutls_buffer_append_data_prefix(extdata, 16, tmp.data, tmp.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
session->key.kshare.ecdh_params.algo = group->pk;
session->key.kshare.ecdh_params.curve = group->curve;
ret = 0;
} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
gnutls_pk_params_release(&session->key.kshare.ecdhx_params);
gnutls_pk_params_init(&session->key.kshare.ecdhx_params);
ret = _gnutls_pk_generate_keys(group->pk, group->curve,
&session->key.kshare.ecdhx_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
ret =
_gnutls_buffer_append_data_prefix(extdata, 16,
session->key.kshare.ecdhx_params.raw_pub.data,
session->key.kshare.ecdhx_params.raw_pub.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
session->key.kshare.ecdhx_params.algo = group->pk;
session->key.kshare.ecdhx_params.curve = group->curve;
ret = 0;
} else if (group->pk == GNUTLS_PK_DH) {
/* we need to initialize the group parameters first */
gnutls_pk_params_release(&session->key.kshare.dh_params);
gnutls_pk_params_init(&session->key.kshare.dh_params);
ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_G],
group->generator->data, group->generator->size);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_P],
group->prime->data, group->prime->size);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_Q],
group->q->data, group->q->size);
if (ret < 0)
return gnutls_assert_val(ret);
session->key.kshare.dh_params.algo = group->pk;
session->key.kshare.dh_params.dh_group = group->id; /* no curve in FFDH, we write the group */
session->key.kshare.dh_params.qbits = *group->q_bits;
session->key.kshare.dh_params.params_nr = 3;
ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
ret =
_gnutls_buffer_append_prefix(extdata, 16, group->prime->size);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.kshare.dh_params.params[DH_Y],
group->prime->size);
if (ret < 0)
return gnutls_assert_val(ret);
ret = 0;
}
cleanup:
gnutls_free(tmp.data);
return ret;
}
/*
* Sends server key exchange parameters
*
*/
static int server_gen_key_share(gnutls_session_t session, const gnutls_group_entry_st *group, gnutls_buffer_st *extdata)
{
gnutls_datum_t tmp = {NULL, 0};
int ret;
if (group->pk != GNUTLS_PK_EC && group->pk != GNUTLS_PK_ECDH_X25519 &&
group->pk != GNUTLS_PK_DH) {
_gnutls_debug_log("Cannot send key share for group %s!\n", group->name);
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
}
_gnutls_handshake_log("EXT[%p]: sending key share for %s\n", session, group->name);
ret =
_gnutls_buffer_append_prefix(extdata, 16, group->tls_id);
if (ret < 0)
return gnutls_assert_val(ret);
if (group->pk == GNUTLS_PK_EC) {
ret = _gnutls_ecc_ansi_x962_export(group->curve,
session->key.kshare.ecdh_params.params[ECC_X],
session->key.kshare.ecdh_params.params[ECC_Y],
&tmp);
if (ret < 0)
return gnutls_assert_val(ret);
ret =
_gnutls_buffer_append_data_prefix(extdata, 16, tmp.data, tmp.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = 0;
} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
ret =
_gnutls_buffer_append_data_prefix(extdata, 16,
session->key.kshare.ecdhx_params.raw_pub.data,
session->key.kshare.ecdhx_params.raw_pub.size);
if (ret < 0)
return gnutls_assert_val(ret);
ret = 0;
} else if (group->pk == GNUTLS_PK_DH) {
ret =
_gnutls_buffer_append_prefix(extdata, 16, group->prime->size);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.kshare.dh_params.params[DH_Y],
group->prime->size);
if (ret < 0)
return gnutls_assert_val(ret);
ret = 0;
}
cleanup:
gnutls_free(tmp.data);
return ret;
}
/* Generates shared key and stores it in session->key.key
*/
static int
server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *group,
const uint8_t * data, size_t data_size)
{
const gnutls_ecc_curve_entry_st *curve;
int ret;
if (group->pk == GNUTLS_PK_EC) {
gnutls_pk_params_st pub;
gnutls_pk_params_release(&session->key.kshare.ecdh_params);
gnutls_pk_params_init(&session->key.kshare.ecdh_params);
curve = _gnutls_ecc_curve_get_params(group->curve);
gnutls_pk_params_init(&pub);
if (curve->size*2+1 != data_size)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
/* generate our key */
ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.kshare.ecdh_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
/* read the public key */
ret = _gnutls_ecc_ansi_x962_import(data, data_size,
&pub.params[ECC_X],
&pub.params[ECC_Y]);
if (ret < 0)
return gnutls_assert_val(ret);
pub.algo = group->pk;
pub.curve = curve->id;
pub.params_nr = 2;
/* generate shared */
ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdh_params, &pub);
gnutls_pk_params_release(&pub);
if (ret < 0) {
return gnutls_assert_val(ret);
}
ret = 0;
} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
gnutls_pk_params_st pub;
gnutls_pk_params_release(&session->key.kshare.ecdhx_params);
gnutls_pk_params_init(&session->key.kshare.ecdhx_params);
curve = _gnutls_ecc_curve_get_params(group->curve);
if (curve->size != data_size)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
/* generate our key */
ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.kshare.ecdhx_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
/* read the public key and generate shared */
gnutls_pk_params_init(&pub);
pub.algo = group->pk;
pub.curve = curve->id;
pub.raw_pub.data = (void*)data;
pub.raw_pub.size = data_size;
/* We don't mask the MSB in the final byte as required
* by RFC7748. This will be done internally by nettle 3.3 or later.
*/
ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdhx_params, &pub);
if (ret < 0) {
return gnutls_assert_val(ret);
}
ret = 0;
} else if (group->pk == GNUTLS_PK_DH) {
gnutls_pk_params_st pub;
/* we need to initialize the group parameters first */
gnutls_pk_params_release(&session->key.kshare.dh_params);
gnutls_pk_params_init(&session->key.kshare.dh_params);
if (data_size != group->prime->size)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
/* set group params */
ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_G],
group->generator->data, group->generator->size);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_P],
group->prime->data, group->prime->size);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_Q],
group->q->data, group->q->size);
if (ret < 0)
return gnutls_assert_val(ret);
session->key.kshare.dh_params.algo = GNUTLS_PK_DH;
session->key.kshare.dh_params.qbits = *group->q_bits;
session->key.kshare.dh_params.params_nr = 3;
/* generate our keys */
ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
/* read the public key and generate shared */
gnutls_pk_params_init(&pub);
ret = _gnutls_mpi_init_scan_nz(&pub.params[DH_Y],
data, data_size);
if (ret < 0)
return gnutls_assert_val(ret);
pub.algo = group->pk;
/* generate shared key */
ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.kshare.dh_params, &pub);
_gnutls_mpi_release(&pub.params[DH_Y]);
if (ret < 0)
return gnutls_assert_val(ret);
ret = 0;
} else {
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
}
_gnutls_debug_log("EXT[%p]: server generated %s shared key\n", session, group->name);
return ret;
}
/* Generates shared key and stores it in session->key.key
*/
static int
client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *group,
const uint8_t * data, size_t data_size)
{
const gnutls_ecc_curve_entry_st *curve;
int ret;
if (group->pk == GNUTLS_PK_EC) {
gnutls_pk_params_st pub;
curve = _gnutls_ecc_curve_get_params(group->curve);
gnutls_pk_params_init(&pub);
if (session->key.kshare.ecdh_params.algo != group->pk || session->key.kshare.ecdh_params.curve != curve->id)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
if (curve->size*2+1 != data_size)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
/* read the server's public key */
ret = _gnutls_ecc_ansi_x962_import(data, data_size,
&pub.params[ECC_X],
&pub.params[ECC_Y]);
if (ret < 0)
return gnutls_assert_val(ret);
pub.algo = group->pk;
pub.curve = curve->id;
pub.params_nr = 2;
/* generate shared key */
ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdh_params, &pub);
gnutls_pk_params_release(&pub);
if (ret < 0) {
return gnutls_assert_val(ret);
}
ret = 0;
} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
gnutls_pk_params_st pub;
curve = _gnutls_ecc_curve_get_params(group->curve);
if (session->key.kshare.ecdhx_params.algo != group->pk || session->key.kshare.ecdhx_params.curve != curve->id)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
if (curve->size != data_size)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
/* read the public key and generate shared */
gnutls_pk_params_init(&pub);
pub.algo = group->pk;
pub.curve = curve->id;
pub.raw_pub.data = (void*)data;
pub.raw_pub.size = data_size;
/* We don't mask the MSB in the final byte as required
* by RFC7748. This will be done internally by nettle 3.3 or later.
*/
ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdhx_params, &pub);
if (ret < 0) {
return gnutls_assert_val(ret);
}
ret = 0;
} else if (group->pk == GNUTLS_PK_DH) {
gnutls_pk_params_st pub;
if (session->key.kshare.dh_params.algo != group->pk || session->key.kshare.dh_params.dh_group != group->id)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
if (data_size != group->prime->size)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
/* read the public key and generate shared */
gnutls_pk_params_init(&pub);
ret = _gnutls_mpi_init_scan_nz(&pub.params[DH_Y],
data, data_size);
if (ret < 0)
return gnutls_assert_val(ret);
pub.algo = group->pk;
/* generate shared key */
ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.kshare.dh_params, &pub);
_gnutls_mpi_release(&pub.params[DH_Y]);
if (ret < 0)
return gnutls_assert_val(ret);
ret = 0;
} else {
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
}
_gnutls_debug_log("EXT[%p]: client generated %s shared key\n", session, group->name);
return ret;
}
static int
key_share_recv_params(gnutls_session_t session,
const uint8_t * data, size_t data_size)
{
int ret;
size_t size;
unsigned gid;
const version_entry_st *ver;
const gnutls_group_entry_st *group;
unsigned used_share = 0;
if (session->security_parameters.entity == GNUTLS_SERVER) {
ver = get_version(session);
if (ver == NULL || ver->key_shares == 0)
return gnutls_assert_val(0);
DECR_LEN(data_size, 2);
size = _gnutls_read_uint16(data);
data += 2;
if (data_size != size)
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
/* if we do PSK without DH ignore that share */
if ((session->internals.hsk_flags & HSK_PSK_SELECTED) &&
(session->internals.hsk_flags & HSK_PSK_KE_MODE_PSK)) {
reset_cand_groups(session);
return 0;
}
while(data_size > 0) {
DECR_LEN(data_size, 2);
gid = _gnutls_read_uint16(data);
data += 2;
DECR_LEN(data_size, 2);
size = _gnutls_read_uint16(data);
data += 2;
DECR_LEN(data_size, size);
/* at this point we have already negotiated a group;
* find the group's share. */
group = _gnutls_tls_id_to_group(gid);
if (group != NULL)
_gnutls_handshake_log("EXT[%p]: Received key share for %s\n", session, group->name);
if (group != NULL && group == session->internals.cand_group) {
_gnutls_session_group_set(session, group);
ret = server_use_key_share(session, group, data, size);
if (ret < 0)
return gnutls_assert_val(ret);
used_share = 1;
break;
}
data += size;
continue;
}
/* we utilize GNUTLS_E_NO_COMMON_KEY_SHARE for:
* 1. signal for hello-retry-request in the handshake
* layer during first client hello parsing (server side - here).
* This does not result to error code being
* propagated to app layer.
* 2. Propagate to application error code that no
* common key share was found after an HRR was
* received (client side)
* 3. Propagate to application error code that no
* common key share was found after an HRR was
* sent (server side).
* In cases (2,3) the error is translated to illegal
* parameter alert.
*/
if (used_share == 0) {
return gnutls_assert_val(GNUTLS_E_NO_COMMON_KEY_SHARE);
}
session->internals.hsk_flags |= HSK_KEY_SHARE_RECEIVED;
} else { /* Client */
ver = get_version(session);
if (unlikely(ver == NULL || ver->key_shares == 0))
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
if (_gnutls_ext_get_msg(session) == GNUTLS_EXT_FLAG_HRR) {
if (unlikely(!(session->internals.hsk_flags & HSK_HRR_RECEIVED)))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
DECR_LEN(data_size, 2);
gid = _gnutls_read_uint16(data);
group = _gnutls_tls_id_to_group(gid);
if (group == NULL)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
_gnutls_handshake_log("EXT[%p]: HRR key share with %s\n", session, group->name);
/* check if we support it */
ret = _gnutls_session_supports_group(session, group->id);
if (ret < 0) {
_gnutls_handshake_log("EXT[%p]: received share for %s which is disabled\n", session, group->name);
return gnutls_assert_val(ret);
}
_gnutls_session_group_set(session, group);
return 0;
}
/* else */
DECR_LEN(data_size, 2);
gid = _gnutls_read_uint16(data);
data += 2;
DECR_LEN(data_size, 2);
size = _gnutls_read_uint16(data);
data+=2;
if (data_size != size)
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
group = _gnutls_tls_id_to_group(gid);
if (group == NULL)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
/* check if we support it */
ret = _gnutls_session_supports_group(session, group->id);
if (ret < 0) {
_gnutls_handshake_log("EXT[%p]: received share for %s which is disabled\n", session, group->name);
return gnutls_assert_val(ret);
}
_gnutls_session_group_set(session, group);
session->internals.hsk_flags |= HSK_KEY_SHARE_RECEIVED;
ret = client_use_key_share(session, group, data, size);
if (ret < 0)
return gnutls_assert_val(ret);
}
return 0;
}
/* returns data_size or a negative number on failure
*/
static int
key_share_send_params(gnutls_session_t session,
gnutls_buffer_st * extdata)
{
unsigned i;
int ret;
unsigned char *lengthp;
unsigned int cur_length;
unsigned int generated = 0;
const gnutls_group_entry_st *group;
const version_entry_st *ver;
/* this extension is only being sent on client side */
if (session->security_parameters.entity == GNUTLS_CLIENT) {
ver = _gnutls_version_max(session);
if (unlikely(ver == NULL || ver->key_shares == 0))
return 0;
if (!have_creds_for_tls13(session))
return 0;
/* write the total length later */
lengthp = &extdata->data[extdata->length];
ret =
_gnutls_buffer_append_prefix(extdata, 16, 0);
if (ret < 0)
return gnutls_assert_val(ret);
cur_length = extdata->length;
if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */
group = get_group(session);
if (unlikely(group == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
ret = client_gen_key_share(session, group, extdata);
if (ret == GNUTLS_E_INT_RET_0)
return gnutls_assert_val(GNUTLS_E_NO_COMMON_KEY_SHARE);
if (ret < 0)
return gnutls_assert_val(ret);
} else {
gnutls_pk_algorithm_t selected_groups[3];
unsigned max_groups = 2; /* GNUTLS_KEY_SHARE_TOP2 */
if (session->internals.flags & GNUTLS_KEY_SHARE_TOP)
max_groups = 1;
else if (session->internals.flags & GNUTLS_KEY_SHARE_TOP3)
max_groups = 3;
assert(max_groups <= sizeof(selected_groups)/sizeof(selected_groups[0]));
/* generate key shares for out top-(max_groups) groups
* if they are of different PK type. */
for (i = 0; i < session->internals.priorities->groups.size; i++) {
group = session->internals.priorities->groups.entry[i];
if (generated == 1 && group->pk == selected_groups[0])
continue;
else if (generated == 2 && (group->pk == selected_groups[1] || group->pk == selected_groups[0]))
continue;
selected_groups[generated] = group->pk;
ret = client_gen_key_share(session, group, extdata);
if (ret == GNUTLS_E_INT_RET_0)
continue; /* no key share for this algorithm */
if (ret < 0)
return gnutls_assert_val(ret);
generated++;
if (generated >= max_groups)
break;
}
}
/* copy actual length */
_gnutls_write_uint16(extdata->length - cur_length, lengthp);
} else { /* server */
ver = get_version(session);
if (unlikely(ver == NULL || ver->key_shares == 0))
return gnutls_assert_val(0);
if (_gnutls_ext_get_msg(session) == GNUTLS_EXT_FLAG_HRR) {
group = session->internals.cand_group;
if (group == NULL)
return gnutls_assert_val(GNUTLS_E_NO_COMMON_KEY_SHARE);
_gnutls_session_group_set(session, group);
_gnutls_handshake_log("EXT[%p]: requesting retry with group %s\n", session, group->name);
ret =
_gnutls_buffer_append_prefix(extdata, 16, group->tls_id);
if (ret < 0)
return gnutls_assert_val(ret);
} else {
/* if we are negotiating PSK without DH, do not send a key share */
if ((session->internals.hsk_flags & HSK_PSK_SELECTED) &&
(session->internals.hsk_flags & HSK_PSK_KE_MODE_PSK))
return gnutls_assert_val(0);
group = get_group(session);
if (unlikely(group == NULL))
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
ret = server_gen_key_share(session, group, extdata);
if (ret < 0)
return gnutls_assert_val(ret);
}
session->internals.hsk_flags |= HSK_KEY_SHARE_SENT;
}
return 0;
}