/*

 * Copyright (C) 2000-2016 Free Software Foundation, Inc.

 * Copyright (C) 2015-2017 Red Hat, Inc.

 *

 * Author: Nikos Mavrogiannopoulos

 *

 * This file is part of GnuTLS.

 *

 * The GnuTLS is free software; you can redistribute it and/or

 * modify it under the terms of the GNU Lesser General Public License

 * as published by the Free Software Foundation; either version 2.1 of

 * the License, or (at your option) any later version.

 *

 * This library is distributed in the hope that it will be useful, but

 * WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 * Lesser General Public License for more details.

 *

 * You should have received a copy of the GNU Lesser General Public License

 * along with this program.  If not, see <http://www.gnu.org/licenses/>

 *

 */

/* Functions that relate to the TLS handshake procedure.

 */

#include "gnutls_int.h"

#include "errors.h"

#include "dh.h"

#include "debug.h"

#include "algorithms.h"

#include "cipher.h"

#include "buffers.h"

#include "mbuffers.h"

#include "kx.h"

#include "handshake.h"

#include "num.h"

#include "hash_int.h"

#include "db.h"

#include "extensions.h"

#include "supplemental.h"

#include "auth.h"

#include "sslv2_compat.h"

#include <auth/cert.h>

#include "constate.h"

#include <record.h>

#include <state.h>

#include <ext/srp.h>

#include <ext/session_ticket.h>

#include <ext/status_request.h>

#include <ext/safe_renegotiation.h>

#include <auth/anon.h>		/* for gnutls_anon_server_credentials_t */

#include <auth/psk.h>		/* for gnutls_psk_server_credentials_t */

#include <random.h>

#include <dtls.h>

#define TRUE 1

#define FALSE 0

static int check_if_null_comp_present(gnutls_session_t session,

					     uint8_t * data, int datalen);

static int handshake_client(gnutls_session_t session);

static int handshake_server(gnutls_session_t session);

static int

read_server_hello(gnutls_session_t session,

		  uint8_t * data, int datalen);

static int

recv_handshake_final(gnutls_session_t session, int init);

static int

send_handshake_final(gnutls_session_t session, int init);

/* Empties but does not free the buffer

 */

static inline void

handshake_hash_buffer_empty(gnutls_session_t session)

{

	_gnutls_buffers_log("BUF[HSK]: Emptied buffer\n");

	session->internals.used_exts_size = 0;

	session->internals.handshake_hash_buffer_prev_len = 0;

	session->internals.handshake_hash_buffer.length = 0;

	return;

}

static int

handshake_hash_add_recvd(gnutls_session_t session,

				 gnutls_handshake_description_t recv_type,

				 uint8_t * header, uint16_t header_size,

				 uint8_t * dataptr, uint32_t datalen);

static int

handshake_hash_add_sent(gnutls_session_t session,

				gnutls_handshake_description_t type,

				uint8_t * dataptr, uint32_t datalen);

static int

recv_hello_verify_request(gnutls_session_t session,

				  uint8_t * data, int datalen);

/* Clears the handshake hash buffers and handles.

 */

void _gnutls_handshake_hash_buffers_clear(gnutls_session_t session)

{

	session->internals.handshake_hash_buffer_prev_len = 0;

	session->internals.handshake_hash_buffer_client_kx_len = 0;

	_gnutls_buffer_clear(&session->internals.handshake_hash_buffer);

}

/* this will copy the required values for resuming to

 * internals, and to security_parameters.

 * this will keep as less data to security_parameters.

 */

static int resume_copy_required_values(gnutls_session_t session)

{

	int ret;

	/* get the new random values */

	memcpy(session->internals.resumed_security_parameters.

	       server_random, session->security_parameters.server_random,

	       GNUTLS_RANDOM_SIZE);

	memcpy(session->internals.resumed_security_parameters.

	       client_random, session->security_parameters.client_random,

	       GNUTLS_RANDOM_SIZE);

	/* keep the ciphersuite and compression 

	 * That is because the client must see these in our

	 * hello message.

	 */

	ret = _gnutls_set_cipher_suite2(session,

				       session->internals.

				       resumed_security_parameters.

				       cs);

	if (ret < 0)

		return gnutls_assert_val(ret);

	/* or write_compression_algorithm

	 * they are the same

	 */

	session->security_parameters.entity =

	    session->internals.resumed_security_parameters.entity;

	if (session->internals.resumed_security_parameters.pversion ==

	    NULL)

		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

	if (_gnutls_set_current_version(session,

				    session->internals.

				    resumed_security_parameters.pversion->

				    id) < 0)

		return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);

	session->security_parameters.cert_type =

	    session->internals.resumed_security_parameters.cert_type;

	memcpy(session->security_parameters.session_id,

	       session->internals.resumed_security_parameters.session_id,

	       sizeof(session->security_parameters.session_id));

	session->security_parameters.session_id_size =

	    session->internals.resumed_security_parameters.session_id_size;

	return 0;

}

/* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data

 * and put it to dst.

 */

static int create_tls_random(uint8_t * dst)

{

	int ret;

	/* Use nonce rng level for the most of the

	 * buffer except for the first 4 that are the

	 * system's time.

	 */

#if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)

	/* When fuzzying avoid timing dependencies */

	memset(dst, 1, 4);

#else

	uint32_t tim;

	tim = gnutls_time(NULL);

	/* generate server random value */

	_gnutls_write_uint32(tim, dst);

#endif

	ret =

	    gnutls_rnd(GNUTLS_RND_NONCE, &dst[3], GNUTLS_RANDOM_SIZE - 3);

	if (ret < 0) {

		gnutls_assert();

		return ret;

	}

	return 0;

}

int _gnutls_set_client_random(gnutls_session_t session, uint8_t * rnd)

{

	int ret;

	if (rnd != NULL)

		memcpy(session->security_parameters.client_random, rnd,

		       GNUTLS_RANDOM_SIZE);

	else {

		/* no random given, we generate. */

		if (session->internals.sc_random_set != 0) {

			memcpy(session->security_parameters.client_random,

			       session->internals.

			       resumed_security_parameters.client_random,

			       GNUTLS_RANDOM_SIZE);

		} else {

			ret =

			    create_tls_random(session->

					      security_parameters.

					      client_random);

			if (ret < 0)

				return gnutls_assert_val(ret);

		}

	}

	return 0;

}

int _gnutls_set_server_random(gnutls_session_t session, uint8_t * rnd)

{

	int ret;

	if (rnd != NULL)

		memcpy(session->security_parameters.server_random, rnd,

		       GNUTLS_RANDOM_SIZE);

	else {

		/* no random given, we generate. */

		if (session->internals.sc_random_set != 0) {

			memcpy(session->security_parameters.server_random,

			       session->internals.

			       resumed_security_parameters.server_random,

			       GNUTLS_RANDOM_SIZE);

		} else {

			ret =

			    create_tls_random(session->

					      security_parameters.

					      server_random);

			if (ret < 0)

				return gnutls_assert_val(ret);

		}

	}

	return 0;

}

#ifdef ENABLE_SSL3

/* Calculate The SSL3 Finished message

 */

#define SSL3_CLIENT_MSG "CLNT"

#define SSL3_SERVER_MSG "SRVR"

#define SSL_MSG_LEN 4

static int

_gnutls_ssl3_finished(gnutls_session_t session, int type, uint8_t * ret,

		      int sending)

{

	digest_hd_st td_md5;

	digest_hd_st td_sha;

	const char *mesg;

	int rc, len;

	if (sending)

		len = session->internals.handshake_hash_buffer.length;

	else

		len = session->internals.handshake_hash_buffer_prev_len;

	rc = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1));

	if (rc < 0)

		return gnutls_assert_val(rc);

	rc = _gnutls_hash_init(&td_md5, hash_to_entry(GNUTLS_DIG_MD5));

	if (rc < 0) {

		_gnutls_hash_deinit(&td_sha, NULL);

		return gnutls_assert_val(rc);

	}

	_gnutls_hash(&td_sha,

		     session->internals.handshake_hash_buffer.data, len);

	_gnutls_hash(&td_md5,

		     session->internals.handshake_hash_buffer.data, len);

	if (type == GNUTLS_SERVER)

		mesg = SSL3_SERVER_MSG;

	else

		mesg = SSL3_CLIENT_MSG;

	_gnutls_hash(&td_md5, mesg, SSL_MSG_LEN);

	_gnutls_hash(&td_sha, mesg, SSL_MSG_LEN);

	rc = _gnutls_mac_deinit_ssl3_handshake(&td_md5, ret,

					       session->security_parameters.

					       master_secret,

					       GNUTLS_MASTER_SIZE);

	if (rc < 0) {

		_gnutls_hash_deinit(&td_md5, NULL);

		_gnutls_hash_deinit(&td_sha, NULL);

		return gnutls_assert_val(rc);

	}

	rc = _gnutls_mac_deinit_ssl3_handshake(&td_sha, &ret[16],

					       session->security_parameters.

					       master_secret,

					       GNUTLS_MASTER_SIZE);

	if (rc < 0) {

		_gnutls_hash_deinit(&td_sha, NULL);

		return gnutls_assert_val(rc);

	}

	return 0;

}

#endif

/* Hash the handshake messages as required by TLS 1.0

 */

#define SERVER_MSG "server finished"

#define CLIENT_MSG "client finished"

#define TLS_MSG_LEN 15

static int

_gnutls_finished(gnutls_session_t session, int type, void *ret,

		 int sending)

{

	const int siz = TLS_MSG_LEN;

	uint8_t concat[MAX_HASH_SIZE];

	size_t hash_len;

	const char *mesg;

	int rc, len, algorithm;

	if (sending)

		len = session->internals.handshake_hash_buffer.length;

	else

		len = session->internals.handshake_hash_buffer_prev_len;

	algorithm = session->security_parameters.prf_mac;

	rc = _gnutls_hash_fast(algorithm,

			       session->internals.

			       handshake_hash_buffer.data, len,

			       concat);

	if (rc < 0)

		return gnutls_assert_val(rc);

	hash_len = _gnutls_hash_get_algo_len(mac_to_entry(algorithm));

	if (type == GNUTLS_SERVER) {

		mesg = SERVER_MSG;

	} else {

		mesg = CLIENT_MSG;

	}

	return _gnutls_PRF(session,

			   session->security_parameters.master_secret,

			   GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len,

			   12, ret);

}

/* returns the 0 on success or a negative error code.

 */

int

_gnutls_negotiate_version(gnutls_session_t session,

			  gnutls_protocol_t adv_version, uint8_t major, uint8_t minor)

{

	int ret;

	/* if we do not support that version  */

	if (adv_version == GNUTLS_VERSION_UNKNOWN || _gnutls_version_is_supported(session, adv_version) == 0) {

		/* if we get an unknown/unsupported version, then fail if the version we

		 * got is too low to be supported */

		if (!_gnutls_version_is_too_high(session, major, minor))

			return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);

		/* If he requested something we do not support

		 * then we send him the highest we support.

		 */

		ret = _gnutls_version_max(session);

		if (ret == GNUTLS_VERSION_UNKNOWN) {

			/* this check is not really needed.

			 */

			gnutls_assert();

			return GNUTLS_E_UNKNOWN_CIPHER_SUITE;

		}

	} else {

		ret = adv_version;

	}

	if (_gnutls_set_current_version(session, ret) < 0)

		return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);

	return ret;

}

/* This function returns:

 *  - zero on success

 *  - GNUTLS_E_INT_RET_0 if GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED were returned by the callback

 *  - a negative error code on other error

 */

int

_gnutls_user_hello_func(gnutls_session_t session,

			gnutls_protocol_t adv_version, uint8_t major, uint8_t minor)

{

	int ret, sret = 0;

	if (session->internals.user_hello_func != NULL) {

		ret = session->internals.user_hello_func(session);

		if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) {

			gnutls_assert();

			sret = GNUTLS_E_INT_RET_0;

		} else if (ret < 0) {

			gnutls_assert();

			return ret;

		}

		/* Here we need to renegotiate the version since the callee might

		 * have disabled some TLS versions.

		 */

		ret = _gnutls_negotiate_version(session, adv_version, major, minor);

		if (ret < 0) {

			gnutls_assert();

			return ret;

		}

	}

	return sret;

}

/* Read a client hello packet. 

 * A client hello must be a known version client hello

 * or version 2.0 client hello (only for compatibility

 * since SSL version 2.0 is not supported).

 */

static int

read_client_hello(gnutls_session_t session, uint8_t * data,

			  int datalen)

{

	uint8_t session_id_len;

	int pos = 0, ret;

	uint16_t suite_size, comp_size;

	int ext_size;

	gnutls_protocol_t adv_version;

	int neg_version, sret = 0;

	int len = datalen;

	uint8_t major, minor;

	uint8_t *suite_ptr, *comp_ptr, *session_id, *ext_ptr;

	DECR_LEN(len, 2);

	_gnutls_handshake_log("HSK[%p]: Client's version: %d.%d\n",

			      session, data[pos], data[pos + 1]);

	adv_version = _gnutls_version_get(data[pos], data[pos + 1]);

	major = data[pos];

	minor = data[pos+1];

	set_adv_version(session, major, minor);

	neg_version = _gnutls_negotiate_version(session, adv_version, major, minor);

	if (neg_version < 0) {

		gnutls_assert();

		return neg_version;

	}

	pos += 2;

	_gnutls_handshake_log("HSK[%p]: Selected version %s\n",

		     session, gnutls_protocol_get_name(neg_version));

	/* Read client random value.

	 */

	DECR_LEN(len, GNUTLS_RANDOM_SIZE);

	ret = _gnutls_set_client_random(session, &data[pos]);

	if (ret < 0)

		return gnutls_assert_val(ret);

	pos += GNUTLS_RANDOM_SIZE;

	ret = _gnutls_set_server_random(session, NULL);

	if (ret < 0)

		return gnutls_assert_val(ret);

	session->security_parameters.timestamp = gnutls_time(NULL);

	DECR_LEN(len, 1);

	session_id_len = data[pos++];

	/* RESUME SESSION 

	 */

	if (session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {

		gnutls_assert();

		return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;

	}

	DECR_LEN(len, session_id_len);

	session_id = &data[pos];

	pos += session_id_len;

	if (IS_DTLS(session)) {

		int cookie_size;

		DECR_LEN(len, 1);

		cookie_size = data[pos++];

		DECR_LEN(len, cookie_size);

		pos += cookie_size;

	}

	/* move forward to extensions and store other vals */

	DECR_LEN(len, 2);

	suite_size = _gnutls_read_uint16(&data[pos]);

	pos += 2;

	if (suite_size == 0 || (suite_size % 2) != 0)

		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);

	suite_ptr = &data[pos];

	DECR_LEN(len, suite_size);

	pos += suite_size;

	DECR_LEN(len, 1);

	comp_size = data[pos++]; /* the number of compression methods */

	if (comp_size == 0)

		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);

	comp_ptr = &data[pos];

	DECR_LEN(len, comp_size);

	pos += comp_size;

	ext_ptr = &data[pos];

	ext_size = len;

	/* Parse only the mandatory to read extensions for resumption.

	 * We don't want to parse any other extensions since

	 * we don't want new extension values to override the

	 * resumed ones.

	 */

	ret =

	    _gnutls_parse_extensions(session, GNUTLS_EXT_MANDATORY,

				     ext_ptr, ext_size);

	if (ret < 0) {

		gnutls_assert();

		return ret;

	}

	ret =

	    _gnutls_server_restore_session(session, session_id,

					   session_id_len);

	if (session_id_len > 0)

		session->internals.resumption_requested = 1;

	if (ret == 0) {		/* resumed using default TLS resumption! */

		ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 1);

		if (ret < 0)

			return gnutls_assert_val(ret);

		ret = resume_copy_required_values(session);

		if (ret < 0)

			return gnutls_assert_val(ret);

		session->internals.resumed = RESUME_TRUE;

		return _gnutls_user_hello_func(session, adv_version, major, minor);

	} else {

		_gnutls_generate_session_id(session->security_parameters.

					    session_id,

					    &session->security_parameters.

					    session_id_size);

		session->internals.resumed = RESUME_FALSE;

	}

	/* Parse the extensions (if any)

	 *

	 * Unconditionally try to parse extensions; safe renegotiation uses them in

	 * sslv3 and higher, even though sslv3 doesn't officially support them.

	 */

	ret = _gnutls_parse_extensions(session, GNUTLS_EXT_APPLICATION,

				       ext_ptr, ext_size);

	/* len is the rest of the parsed length */

	if (ret < 0) {

		gnutls_assert();

		return ret;

	}

	/* we cache this error code */

	sret = _gnutls_user_hello_func(session, adv_version, major, minor);

	if (sret < 0 && sret != GNUTLS_E_INT_RET_0) {

		gnutls_assert();

		return sret;

	}

	/* Session tickets are parsed in this point */

	ret =

	    _gnutls_parse_extensions(session, GNUTLS_EXT_TLS, ext_ptr, ext_size);

	if (ret < 0) {

		gnutls_assert();

		return ret;

	}

	/* resumed by session_ticket extension */

	if (session->internals.resumed != RESUME_FALSE) {

		/* to indicate the client that the current session is resumed */

		memcpy(session->internals.resumed_security_parameters.

		       session_id, session_id, session_id_len);

		session->internals.resumed_security_parameters.

		    session_id_size = session_id_len;

		session->internals.resumed_security_parameters.

		    max_record_recv_size =

		    session->security_parameters.max_record_recv_size;

		session->internals.resumed_security_parameters.

		    max_record_send_size =

		    session->security_parameters.max_record_send_size;

		ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 1);

		if (ret < 0)

			return gnutls_assert_val(ret);

		ret = resume_copy_required_values(session);

		if (ret < 0)

			return gnutls_assert_val(ret);

		return 0;

	}

	/* select an appropriate cipher suite (as well as certificate)

	 */

	ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 0);

	if (ret < 0) {

		gnutls_assert();

		return ret;

	}

	/* select appropriate compression method */

	ret =

	    check_if_null_comp_present(session, comp_ptr,

					      comp_size);

	if (ret < 0) {

		gnutls_assert();

		return ret;

	}

	/* call extensions that are intended to be parsed after the ciphersuite/cert

	 * are known. */

	ret =

	    _gnutls_parse_extensions(session, _GNUTLS_EXT_TLS_POST_CS, ext_ptr, ext_size);

	if (ret < 0) {

		gnutls_assert();

		return ret;

	}

	return sret;

}

/* This is to be called after sending CHANGE CIPHER SPEC packet

 * and initializing encryption. This is the first encrypted message

 * we send.

 */

static int _gnutls_send_finished(gnutls_session_t session, int again)

{

	mbuffer_st *bufel;

	uint8_t *data;

	int ret;

	size_t vdata_size = 0;

	const version_entry_st *vers;

	if (again == 0) {

		bufel =

		    _gnutls_handshake_alloc(session, 

					    MAX_VERIFY_DATA_SIZE);

		if (bufel == NULL) {

			gnutls_assert();

			return GNUTLS_E_MEMORY_ERROR;

		}

		data = _mbuffer_get_udata_ptr(bufel);

		vers = get_version(session);

		if (unlikely(vers == NULL))

			return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

#ifdef ENABLE_SSL3

		if (vers->id == GNUTLS_SSL3) {

			ret =

			    _gnutls_ssl3_finished(session,

						  session->

						  security_parameters.

						  entity, data, 1);

			_mbuffer_set_udata_size(bufel, 36);

		} else {	/* TLS 1.0+ */

#endif

			ret = _gnutls_finished(session,

					       session->

					       security_parameters.entity,

					       data, 1);

			_mbuffer_set_udata_size(bufel, 12);

#ifdef ENABLE_SSL3

		}

#endif

		if (ret < 0) {

			gnutls_assert();

			return ret;

		}

		vdata_size = _mbuffer_get_udata_size(bufel);

		ret =

		    _gnutls_ext_sr_finished(session, data, vdata_size, 0);

		if (ret < 0) {

			gnutls_assert();

			return ret;

		}

		if ((session->internals.resumed == RESUME_FALSE

		     && session->security_parameters.entity ==

		     GNUTLS_CLIENT)

		    || (session->internals.resumed != RESUME_FALSE

			&& session->security_parameters.entity ==

			GNUTLS_SERVER)) {

			/* if we are a client not resuming - or we are a server resuming */

			_gnutls_handshake_log

			    ("HSK[%p]: recording tls-unique CB (send)\n",

			     session);

			memcpy(session->internals.cb_tls_unique, data,

			       vdata_size);

			session->internals.cb_tls_unique_len = vdata_size;

		}

		ret =

		    _gnutls_send_handshake(session, bufel,

					   GNUTLS_HANDSHAKE_FINISHED);

	} else {

		ret =

		    _gnutls_send_handshake(session, NULL,

					   GNUTLS_HANDSHAKE_FINISHED);

	}

	return ret;

}

/* This is to be called after sending our finished message. If everything

 * went fine we have negotiated a secure connection 

 */

static int _gnutls_recv_finished(gnutls_session_t session)

{

	uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;

	gnutls_buffer_st buf;

	int data_size;

	int ret;

	int vrfy_size;

	const version_entry_st *vers = get_version(session);

	if (unlikely(vers == NULL))

		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

	ret =

	    _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_FINISHED,

				   0, &buf;;

	if (ret < 0) {

		gnutls_assert();

		return ret;

	}

	vrfy = buf.data;

	vrfy_size = buf.length;

#ifdef ENABLE_SSL3

	if (vers->id == GNUTLS_SSL3)

		data_size = 36;

	else

#endif

		data_size = 12;

	if (vrfy_size != data_size) {

		gnutls_assert();

		ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;

		goto cleanup;

	}

#ifdef ENABLE_SSL3

	if (vers->id == GNUTLS_SSL3) {

		ret =

		    _gnutls_ssl3_finished(session,

					  (session->security_parameters.

					   entity + 1) % 2, data, 0);

	} else /* TLS 1.0+ */

#endif

		ret =

		    _gnutls_finished(session,

				     (session->security_parameters.entity +

				      1) % 2, data, 0);

	if (ret < 0) {

		gnutls_assert();

		goto cleanup;

	}

#if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)

	/* When fuzzying allow to proceed without verifying the handshake

	 * consistency */

# warning This is unsafe for production builds

#else

	if (memcmp(vrfy, data, data_size) != 0) {

		gnutls_assert();

		ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;

		goto cleanup;

	}

#endif

	ret = _gnutls_ext_sr_finished(session, data, data_size, 1);

	if (ret < 0) {

		gnutls_assert();

		goto cleanup;

	}

	if ((session->internals.resumed != RESUME_FALSE

	     && session->security_parameters.entity == GNUTLS_CLIENT)

	    || (session->internals.resumed == RESUME_FALSE

		&& session->security_parameters.entity == GNUTLS_SERVER)) {

		/* if we are a client resuming - or we are a server not resuming */

		_gnutls_handshake_log

		    ("HSK[%p]: recording tls-unique CB (recv)\n", session);

		memcpy(session->internals.cb_tls_unique, data, data_size);

		session->internals.cb_tls_unique_len = data_size;

	}

	session->internals.initial_negotiation_completed = 1;

      cleanup:

	_gnutls_buffer_clear(&buf;;

	return ret;

}

/* This selects the best supported ciphersuite from the given ones. Then

 * it adds the suite to the session and performs some checks.

 *

 * When @scsv_only is non-zero only the available SCSVs are parsed

 * and acted upon.

 */

int

_gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,

			    unsigned int datalen, unsigned scsv_only)

{

	int ret;

	unsigned int i;

	ciphersuite_list_st peer_clist;

	const gnutls_cipher_suite_entry_st *selected;

	int retval;

	peer_clist.size = 0;

	for (i = 0; i < datalen; i += 2) {

		/* we support the TLS renegotiation SCSV, even if we are

		 * not under SSL 3.0, because openssl sends this SCSV

		 * on resumption unconditionally. */

		/* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */

		if (session->internals.priorities->sr != SR_DISABLED &&

		    data[i] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&

		    data[i + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) {

			_gnutls_handshake_log

			    ("HSK[%p]: Received safe renegotiation CS\n",

			     session);

			retval = _gnutls_ext_sr_recv_cs(session);

			if (retval < 0) {

				gnutls_assert();

				return retval;

			}

		}

		/* TLS_FALLBACK_SCSV */

		if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR &&

		    data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) {