\ Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
\
\ Permission is hereby granted, free of charge, to any person obtaining 
\ a copy of this software and associated documentation files (the
\ "Software"), to deal in the Software without restriction, including
\ without limitation the rights to use, copy, modify, merge, publish,
\ distribute, sublicense, and/or sell copies of the Software, and to
\ permit persons to whom the Software is furnished to do so, subject to
\ the following conditions:
\
\ The above copyright notice and this permission notice shall be 
\ included in all copies or substantial portions of the Software.
\
\ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
\ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
\ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
\ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
\ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
\ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
\ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
\ SOFTWARE.

\ ----------------------------------------------------------------------
\ Handshake processing code, for the server.
\ The common T0 code (ssl_hs_common.t0) shall be read first.

preamble {

/*
 * This macro evaluates to a pointer to the server context, under that
 * specific name. It must be noted that since the engine context is the
 * first field of the br_ssl_server_context structure ('eng'), then
 * pointers values of both types are interchangeable, modulo an
 * appropriate cast. This also means that "addresses" computed as offsets
 * within the structure work for both kinds of context.
 */
#define CTX  ((br_ssl_server_context *)ENG)

/*
 * Decrypt the pre-master secret (RSA key exchange).
 */
static void
do_rsa_decrypt(br_ssl_server_context *ctx, int prf_id,
	unsigned char *epms, size_t len)
{
	uint32_t x;
	unsigned char rpms[48];

	/*
	 * Decrypt the PMS.
	 */
	x = (*ctx->policy_vtable)->do_keyx(ctx->policy_vtable, epms, &len);

	/*
	 * Set the first two bytes to the maximum supported client
	 * protocol version. These bytes are used for version rollback
	 * detection; forceing the two bytes will make the master secret
	 * wrong if the bytes are not correct. This process is
	 * recommended by RFC 5246 (section 7.4.7.1).
	 */
	br_enc16be(epms, ctx->client_max_version);

	/*
	 * Make a random PMS and copy it above the decrypted value if the
	 * decryption failed. Note that we use a constant-time conditional
	 * copy.
	 */
	br_hmac_drbg_generate(&ctx->eng.rng, rpms, sizeof rpms);
	br_ccopy(x ^ 1, epms, rpms, sizeof rpms);

	/*
	 * Compute master secret.
	 */
	br_ssl_engine_compute_master(&ctx->eng, prf_id, epms, 48);

	/*
	 * Clear the pre-master secret from RAM: it is normally a buffer
	 * in the context, hence potentially long-lived.
	 */
	memset(epms, 0, len);
}

/*
 * Common part for ECDH and ECDHE.
 */
static void
ecdh_common(br_ssl_server_context *ctx, int prf_id,
	unsigned char *xcoor, size_t xcoor_len, uint32_t ctl)
{
	unsigned char rpms[80];

	if (xcoor_len > sizeof rpms) {
		xcoor_len = sizeof rpms;
		ctl = 0;
	}

	/*
	 * Make a random PMS and copy it above the decrypted value if the
	 * decryption failed. Note that we use a constant-time conditional
	 * copy.
	 */
	br_hmac_drbg_generate(&ctx->eng.rng, rpms, xcoor_len);
	br_ccopy(ctl ^ 1, xcoor, rpms, xcoor_len);

	/*
	 * Compute master secret.
	 */
	br_ssl_engine_compute_master(&ctx->eng, prf_id, xcoor, xcoor_len);

	/*
	 * Clear the pre-master secret from RAM: it is normally a buffer
	 * in the context, hence potentially long-lived.
	 */
	memset(xcoor, 0, xcoor_len);
}

/*
 * Do the ECDH key exchange (not ECDHE).
 */
static void
do_ecdh(br_ssl_server_context *ctx, int prf_id,
	unsigned char *cpoint, size_t cpoint_len)
{
	uint32_t x;

	/*
	 * Finalise the key exchange.
	 */
	x = (*ctx->policy_vtable)->do_keyx(ctx->policy_vtable,
		cpoint, &cpoint_len);
	ecdh_common(ctx, prf_id, cpoint, cpoint_len, x);
}

/*
 * Do the full static ECDH key exchange. When this function is called,
 * it has already been verified that the cipher suite uses ECDH (not ECDHE),
 * and the client's public key (from its certificate) has type EC and is
 * apt for key exchange.
 */
static void
do_static_ecdh(br_ssl_server_context *ctx, int prf_id)
{
	unsigned char cpoint[133];
	size_t cpoint_len;
	const br_x509_class **xc;
	const br_x509_pkey *pk;

	xc = ctx->eng.x509ctx;
	pk = (*xc)->get_pkey(xc, NULL);
	cpoint_len = pk->key.ec.qlen;
	if (cpoint_len > sizeof cpoint) {
		/*
		 * If the point is larger than our buffer then we need to
		 * restrict it. Length 2 is not a valid point length, so
		 * the ECDH will fail.
		 */
		cpoint_len = 2;
	}
	memcpy(cpoint, pk->key.ec.q, cpoint_len);
	do_ecdh(ctx, prf_id, cpoint, cpoint_len);
}

static size_t
hash_data(br_ssl_server_context *ctx,
	void *dst, int hash_id, const void *src, size_t len)
{
	const br_hash_class *hf;
	br_hash_compat_context hc;

	if (hash_id == 0) {
		unsigned char tmp[36];

		hf = br_multihash_getimpl(&ctx->eng.mhash, br_md5_ID);
		if (hf == NULL) {
			return 0;
		}
		hf->init(&hc.vtable);
		hf->update(&hc.vtable, src, len);
		hf->out(&hc.vtable, tmp);
		hf = br_multihash_getimpl(&ctx->eng.mhash, br_sha1_ID);
		if (hf == NULL) {
			return 0;
		}
		hf->init(&hc.vtable);
		hf->update(&hc.vtable, src, len);
		hf->out(&hc.vtable, tmp + 16);
		memcpy(dst, tmp, 36);
		return 36;
	} else {
		hf = br_multihash_getimpl(&ctx->eng.mhash, hash_id);
		if (hf == NULL) {
			return 0;
		}
		hf->init(&hc.vtable);
		hf->update(&hc.vtable, src, len);
		hf->out(&hc.vtable, dst);
		return (hf->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK;
	}
}

/*
 * Do the ECDHE key exchange (part 1: generation of transient key, and
 * computing of the point to send to the client). Returned value is the
 * signature length (in bytes), or -x on error (with x being an error
 * code). The encoded point is written in the ecdhe_point[] context buffer
 * (length in ecdhe_point_len).
 */
static int
do_ecdhe_part1(br_ssl_server_context *ctx, int curve)
{
	unsigned algo_id;
	unsigned mask;
	const unsigned char *order;
	size_t olen, glen;
	size_t hv_len, sig_len;

	if (!((ctx->eng.iec->supported_curves >> curve) & 1)) {
		return -BR_ERR_INVALID_ALGORITHM;
	}
	ctx->eng.ecdhe_curve = curve;

	/*
	 * Generate our private key. We need a non-zero random value
	 * which is lower than the curve order, in a "large enough"
	 * range. We force the top bit to 0 and bottom bit to 1, which
	 * does the trick. Note that contrary to what happens in ECDSA,
	 * this is not a problem if we do not cover the full range of
	 * possible values.
	 */
	order = ctx->eng.iec->order(curve, &olen);
	mask = 0xFF;
	while (mask >= order[0]) {
		mask >>= 1;
	}
	br_hmac_drbg_generate(&ctx->eng.rng, ctx->ecdhe_key, olen);
	ctx->ecdhe_key[0] &= mask;
	ctx->ecdhe_key[olen - 1] |= 0x01;
	ctx->ecdhe_key_len = olen;

	/*
	 * Compute our ECDH point.
	 */
	glen = ctx->eng.iec->mulgen(ctx->eng.ecdhe_point,
		ctx->ecdhe_key, olen, curve);
	ctx->eng.ecdhe_point_len = glen;

	/*
	 * Assemble the message to be signed, and possibly hash it.
	 */
	memcpy(ctx->eng.pad, ctx->eng.client_random, 32);
	memcpy(ctx->eng.pad + 32, ctx->eng.server_random, 32);
	ctx->eng.pad[64 + 0] = 0x03;
	ctx->eng.pad[64 + 1] = 0x00;
	ctx->eng.pad[64 + 2] = curve;
	ctx->eng.pad[64 + 3] = ctx->eng.ecdhe_point_len;
	memcpy(ctx->eng.pad + 64 + 4,
		ctx->eng.ecdhe_point, ctx->eng.ecdhe_point_len);
	hv_len = 64 + 4 + ctx->eng.ecdhe_point_len;
	algo_id = ctx->sign_hash_id;
	if (algo_id >= (unsigned)0xFF00) {
		hv_len = hash_data(ctx, ctx->eng.pad, algo_id & 0xFF,
			ctx->eng.pad, hv_len);
		if (hv_len == 0) {
			return -BR_ERR_INVALID_ALGORITHM;
		}
	}

	sig_len = (*ctx->policy_vtable)->do_sign(ctx->policy_vtable,
		algo_id, ctx->eng.pad, hv_len, sizeof ctx->eng.pad);
	return sig_len ? (int)sig_len : -BR_ERR_INVALID_ALGORITHM;
}

/*
 * Do the ECDHE key exchange (part 2: computation of the shared secret
 * from the point sent by the client).
 */
static void
do_ecdhe_part2(br_ssl_server_context *ctx, int prf_id,
	unsigned char *cpoint, size_t cpoint_len)
{
	int curve;
	uint32_t ctl;
	size_t xoff, xlen;

	curve = ctx->eng.ecdhe_curve;

	/*
	 * Finalise the key exchange.
	 */
	ctl = ctx->eng.iec->mul(cpoint, cpoint_len,
		ctx->ecdhe_key, ctx->ecdhe_key_len, curve);
	xoff = ctx->eng.iec->xoff(curve, &xlen);
	ecdh_common(ctx, prf_id, cpoint + xoff, xlen, ctl);

	/*
	 * Clear the ECDHE private key. Forward Secrecy is achieved insofar
	 * as that key does not get stolen, so we'd better destroy it
	 * as soon as it ceases to be useful.
	 */
	memset(ctx->ecdhe_key, 0, ctx->ecdhe_key_len);
}

/*
 * Offset for hash value within the pad (when obtaining all hash values,
 * in preparation for verification of the CertificateVerify message).
 * Order is MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512; last value
 * is used to get the total length.
 */
static const unsigned char HASH_PAD_OFF[] = { 0, 16, 36, 64, 96, 144, 208 };

/*
 * OID for hash functions in RSA signatures.
 */
static const unsigned char HASH_OID_SHA1[] = {
	0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A
};

static const unsigned char HASH_OID_SHA224[] = {
	0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04
};

static const unsigned char HASH_OID_SHA256[] = {
	0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
};

static const unsigned char HASH_OID_SHA384[] = {
	0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02
};

static const unsigned char HASH_OID_SHA512[] = {
	0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03
};

static const unsigned char *HASH_OID[] = {
	HASH_OID_SHA1,
	HASH_OID_SHA224,
	HASH_OID_SHA256,
	HASH_OID_SHA384,
	HASH_OID_SHA512
};

/*
 * Verify the signature in CertificateVerify. Returned value is 0 on
 * success, or a non-zero error code. Lack of implementation of the
 * designated signature algorithm is reported as a "bad signature"
 * error (because it means that the peer did not honour our advertised
 * set of supported signature algorithms).
 */
static int
verify_CV_sig(br_ssl_server_context *ctx, size_t sig_len)
{
	const br_x509_class **xc;
	const br_x509_pkey *pk;
	int id;

	id = ctx->hash_CV_id;
	xc = ctx->eng.x509ctx;
	pk = (*xc)->get_pkey(xc, NULL);
	if (pk->key_type == BR_KEYTYPE_RSA) {
		unsigned char tmp[64];
		const unsigned char *hash_oid;

		if (id == 0) {
			hash_oid = NULL;
		} else {
			hash_oid = HASH_OID[id - 2];
		}
		if (ctx->eng.irsavrfy == 0) {
			return BR_ERR_BAD_SIGNATURE;
		}
		if (!ctx->eng.irsavrfy(ctx->eng.pad, sig_len,
			hash_oid, ctx->hash_CV_len, &pk->key.rsa, tmp)
			|| memcmp(tmp, ctx->hash_CV, ctx->hash_CV_len) != 0)
		{
			return BR_ERR_BAD_SIGNATURE;
		}
	} else {
		if (ctx->eng.iecdsa == 0) {
			return BR_ERR_BAD_SIGNATURE;
		}
		if (!ctx->eng.iecdsa(ctx->eng.iec,
			ctx->hash_CV, ctx->hash_CV_len,
			&pk->key.ec, ctx->eng.pad, sig_len))
		{
			return BR_ERR_BAD_SIGNATURE;
		}
	}
	return 0;
}

}

\ =======================================================================

: addr-ctx:
	next-word { field }
	"addr-" field + 0 1 define-word
	0 8191 "offsetof(br_ssl_server_context, " field + ")" + make-CX
	postpone literal postpone ; ;

addr-ctx: client_max_version
addr-ctx: client_suites
addr-ctx: client_suites_num
addr-ctx: hashes
addr-ctx: curves
addr-ctx: sign_hash_id

\ Get address and length of the client_suites[] buffer. Length is expressed
\ in bytes.
: addr-len-client_suites ( -- addr len )
	addr-client_suites
	CX 0 1023 { BR_MAX_CIPHER_SUITES * sizeof(br_suite_translated) } ;

\ Read the client SNI extension.
: read-client-sni ( lim -- lim )
	\ Open extension value.
	read16 open-elt

	\ Open ServerNameList.
	read16 open-elt

	\ Find if there is a name of type 0 (host_name) with a length
	\ that fits in our dedicated buffer.
	begin dup while
		read8 if
			read-ignore-16
		else
			read16
			dup 255 <= if
				dup addr-server_name + 0 swap set8
				addr-server_name swap read-blob
			else
				skip-blob
			then
		then
	repeat

	\ Close ServerNameList.
	close-elt

	\ Close extension value.
	close-elt ;

\ Set the new maximum fragment length. BEWARE: this shall be called only
\ after reading the ClientHello and before writing the ServerHello.
cc: set-max-frag-len ( len -- ) {
	size_t max_frag_len = T0_POP();

	br_ssl_engine_new_max_frag_len(ENG, max_frag_len);

	/*
	 * We must adjust our own output limit. Since we call this only
	 * after receiving a ClientHello and before beginning to send
	 * the ServerHello, the next output record should be empty at
	 * that point, so we can use max_frag_len as a limit.
	 */
	if (ENG->hlen_out > max_frag_len) {
		ENG->hlen_out = max_frag_len;
	}
}

\ Read the client Max Frag Length extension.
: read-client-frag ( lim -- lim )
	\ Extension value must have length exactly 1 byte.
	read16 1 <> if ERR_BAD_FRAGLEN fail then
	read8

	\ The byte value must be 1, 2, 3 or 4.
	dup dup 0= swap 5 >= or if ERR_BAD_FRAGLEN fail then

	\ If our own maximum fragment length is greater, then we reduce
	\ our length.
	8 + dup addr-log_max_frag_len get8 < if
		dup 1 swap << set-max-frag-len
		dup addr-log_max_frag_len set8
		addr-peer_log_max_frag_len set8
	else
		drop
	then ;

\ Read the Secure Renegotiation extension from the client.
: read-client-reneg ( lim -- lim )
	\ Get value length.
	read16

	\ The "reneg" value is one of:
	\   0   on first handshake, client support is unknown
	\   1   client does not support secure renegotiation
	\   2   client supports secure renegotiation
	addr-reneg get8 case
		0 of
			\ First handshake, value length shall be 1.
			1 = ifnot ERR_BAD_SECRENEG fail then
			read8 if ERR_BAD_SECRENEG fail then
			2 addr-reneg set8
		endof
		2 of
			\ Renegotiation, value shall consist of 13 bytes
			\ (header + copy of the saved client "Finished").
			13 = ifnot ERR_BAD_SECRENEG fail then
			read8 12 = ifnot ERR_BAD_SECRENEG fail then
			addr-pad 12 read-blob
			addr-saved_finished addr-pad 12 memcmp ifnot
				ERR_BAD_SECRENEG fail
			then
		endof

		\ If "reneg" is 1 then the client is not supposed to support
		\ the extension, and it sends it nonetheless, which means
		\ foul play.
		ERR_BAD_SECRENEG fail
	endcase ;

\ Read the Signature Algorithms extension.
: read-signatures ( lim -- lim )
	\ Open extension value.
	read16 open-elt

	read-list-sign-algos addr-hashes set32

	\ Close extension value.
	close-elt ;

\ Read the Supported Curves extension.
: read-supported-curves ( lim -- lim )
	\ Open extension value.
	read16 open-elt

	\ Open list of curve identifiers.
	read16 open-elt

	\ Get all supported curves.
	0 addr-curves set32
	begin dup while
		read16 dup 32 < if
			1 swap << addr-curves get32 or addr-curves set32
		else
			drop
		then
	repeat
	close-elt
	close-elt ;

\ Read the ALPN extension from client.
: read-ALPN-from-client ( lim -- lim )
	\ If we do not have configured names, then we just ignore the
	\ extension.
	addr-protocol_names_num get16 ifnot read-ignore-16 ret then

	\ Open extension value.
	read16 open-elt

	\ Open list of protocol names.
	read16 open-elt

	\ Get all names and test for their support. We keep the one with
	\ the lowest index (because we apply server's preferences, as
	\ recommended by RFC 7301, section 3.2. We set the 'found' variable
	\ to -2 and use an unsigned comparison, making -2 a huge value.
	-2 { found }
	begin dup while
		read8 dup { len } addr-pad swap read-blob
		len test-protocol-name dup found u< if
			>found
		else
			drop
		then
	repeat

	\ End of extension.
	close-elt
	close-elt

	\ Write back found name index (or not). If no match was found,
	\ then we write -1 (0xFFFF) in the index value, not 0, so that
	\ the caller knows that we tried to match, and failed.
	found 1+ addr-selected_protocol set16 ;

\ Call policy handler to get cipher suite, hash function identifier and
\ certificate chain. Returned value is 0 (false) on failure.
cc: call-policy-handler ( -- bool ) {
	int x;
	br_ssl_server_choices choices;

	x = (*CTX->policy_vtable)->choose(
		CTX->policy_vtable, CTX, &choices);
	ENG->session.cipher_suite = choices.cipher_suite;
	CTX->sign_hash_id = choices.algo_id;
	ENG->chain = choices.chain;
	ENG->chain_len = choices.chain_len;
	T0_PUSHi(-(x != 0));
}

\ Check for a remembered session.
cc: check-resume ( -- bool ) {
	if (ENG->session.session_id_len == 32
		&& CTX->cache_vtable != NULL && (*CTX->cache_vtable)->load(
			CTX->cache_vtable, CTX, &ENG->session))
	{
		T0_PUSHi(-1);
	} else {
		T0_PUSH(0);
	}
}

\ Save the current session.
cc: save-session ( -- ) {
	if (CTX->cache_vtable != NULL) {
		(*CTX->cache_vtable)->save(
			CTX->cache_vtable, CTX, &ENG->session);
	}
}

\ Read and drop ClientHello. This is used when a client-triggered
\ renegotiation attempt is rejected.
: skip-ClientHello ( -- )
	read-handshake-header-core
	1 = ifnot ERR_UNEXPECTED fail then
	dup skip-blob drop ;

\ Read ClientHello. If the session is resumed, then -1 is returned.
: read-ClientHello ( -- resume )
	\ Get header, and check message type.
	read-handshake-header 1 = ifnot ERR_UNEXPECTED fail then

	\ Get maximum protocol version from client.
	read16 dup { client-version-max } addr-client_max_version set16

	\ Client random.
	addr-client_random 32 read-blob

	\ Client session ID.
	read8 dup 32 > if ERR_OVERSIZED_ID fail then
	dup addr-session_id_len set8
	addr-session_id swap read-blob

	\ Lookup session for resumption. We should do that here because
	\ we need to verify that the remembered cipher suite is still
	\ matched by this ClientHello.
	check-resume { resume }

	\ Cipher suites. We read all cipher suites from client, each time
	\ matching against our own list. We accumulate suites in the
	\ client_suites[] context buffer: we keep suites that are
	\ supported by both the client and the server (so the list size
	\ cannot exceed that of the server list), and we keep them in
	\ either client or server preference order (depending on the
	\ relevant flag).
	\
	\ We also need to identify the pseudo cipher suite for secure
	\ renegotiation here.
	read16 open-elt
	0 { reneg-scsv }
	0 { resume-suite }
	addr-len-client_suites dup2 bzero
	over + { css-off css-max }
	begin
		dup while
		read16 dup { suite }

		\ Check that when resuming a session, the requested
		\ suite is still valid.
		resume if
			dup addr-cipher_suite get16 = if
				-1 >resume-suite
			then
		then

		\ Special handling for TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
		\ This fake cipher suite may occur only in the first
		\ handshake.
		dup 0x00FF = if
			addr-reneg get8 if ERR_BAD_SECRENEG fail then
			-1 >reneg-scsv
		then

		\ Special handling for TLS_FALLBACK_SCSV. If the client
		\ maximum version is less than our own maximum version,
		\ then this is an undue downgrade. We mark it by setting
		\ the client max version to 0x10000.
		dup 0x5600 = if
			client-version-max addr-version_min get16 >=
			client-version-max addr-version_max get16 < and if
				-1 >client-version-max
			then
		then

		\ Test whether the suite is supported by the server.
		scan-suite dup 0< if
			\ We do not support this cipher suite. Note
			\ that this also covers the case of pseudo
			\ cipher suites.
			drop
		else
			\ If we use server order, then we place the
			\ suite at the computed offset; otherwise, we
			\ append it to the list at the current place.
			0 flag? if
				2 << addr-client_suites + suite swap set16
			else
				drop
				\ We need to test for list length because
				\ the client list may have duplicates,
				\ that we do not filter. Duplicates are
				\ invalid so this is not a problem if we
				\ reject such clients.
				css-off css-max >= if
					ERR_BAD_HANDSHAKE fail
				then
				suite css-off set16
				css-off 4 + >css-off
			then
		then
	repeat
	drop

	\ Compression methods. We need method 0 (no compression).
	0 { ok-compression }
	read8 open-elt
	begin dup while
		read8 ifnot -1 >ok-compression then
	repeat
	close-elt

	\ Set default values for parameters that may be affected by
	\ extensions:
	\ -- server name is empty
	\ -- client is reputed to know RSA and ECDSA, both with SHA-1
	\ -- the default elliptic curve is P-256 (secp256r1, id = 23)
	0 addr-server_name set8
	0x0404 addr-hashes set32
	0x800000 addr-curves set32

	\ Process extensions, if any.
	dup if
		read16 open-elt
		begin dup while
			read16 case
				\ Server Name Indication.
				0x0000 of
					read-client-sni
				endof
				\ Max Frag Length.
				0x0001 of
					read-client-frag
				endof
				\ Secure Renegotiation.
				0xFF01 of
					read-client-reneg
				endof
				\ Signature Algorithms.
				0x000D of
					read-signatures
				endof
				\ Supported Curves.
				0x000A of
					read-supported-curves
				endof
				\ Supported Point Formats.
				\ We only support "uncompressed", that all
				\ implementations are supposed to support,
				\ so we can simply ignore that extension.
				\ 0x000B of
				\ 	read-ignore-16
				\ endof

				\ ALPN
				0x0010 of
					read-ALPN-from-client
				endof

				\ Other extensions are ignored.
				drop read-ignore-16 0
			endcase
		repeat
		close-elt
	then

	\ Close message.
	close-elt

	\ Cancel session resumption if the cipher suite was not found.
	resume resume-suite and >resume

	\ Now check the received data. Since the client is expecting an
	\ answer, we can send an appropriate fatal alert on any error.

	\ Compute protocol version as the minimum of our maximum version,
	\ and the maximum version sent by the client. If that is less than
	\ 0x0300 (SSL-3.0), then fail. Otherwise, we may at least send an
	\ alert with that version. We still reject versions lower than our
	\ configured minimum.
	\ As a special case, in case of undue downgrade, we send a specific
	\ alert (see RFC 7507). Note that this case may happen only if
	\ we would otherwise accept the client's version.
	client-version-max 0< if
		addr-client_max_version get16 addr-version_out set16
		86 fail-alert
	then
	addr-version_max get16
	dup client-version-max > if drop client-version-max then
	dup 0x0300 < if ERR_BAD_VERSION fail then
	client-version-max addr-version_min get16 < if
		70 fail-alert
	then
	\ If resuming the session, then enforce the previously negotiated
	\ version (if still possible).
	resume if
		addr-version get16 client-version-max <= if
			drop addr-version get16
		else
			0 >resume
		then
	then
	dup addr-version set16
	dup addr-version_in set16
	dup addr-version_out set16
	0x0303 >= { can-tls12 }

	\ If the client sent TLS_EMPTY_RENEGOTIATION_INFO_SCSV, then
	\ we should mark the client as "supporting secure renegotiation".
	reneg-scsv if 2 addr-reneg set8 then

	\ If, at that point, the 'reneg' value is still 0, then the client
	\ did not send the extension or the SCSV, so we have to assume
	\ that secure renegotiation is not supported by that client.
	addr-reneg get8 ifnot 1 addr-reneg set8 then

	\ Check compression.
	ok-compression ifnot 40 fail-alert then

	\ Filter hash function support by what the server also supports.
	\ If no common hash function remains with RSA and/or ECDSA, then
	\ the corresponding ECDHE suites are not possible.
	supported-hash-functions drop 257 * 0xFFFF0000 or
	addr-hashes get32 and dup addr-hashes set32
	\ In 'can-ecdhe', bit 12 is set if ECDHE_RSA is possible, bit 13 is
	\ set if ECDHE_ECDSA is possible.
	dup 0xFF and 0<> neg
	swap 8 >> 0<> 2 and or 12 << { can-ecdhe }

	\ Filter supported curves. If there is no common curve between
	\ client and us, then ECDHE suites cannot be used. Note that we
	\ may still allow ECDH, depending on the EC key handler.
	addr-curves get32 supported-curves and dup addr-curves set32
	ifnot 0 >can-ecdhe then

	\ If resuming a session, then the next steps are not necessary;
	\ we won't invoke the policy handler.
	resume if -1 ret then

	\ We are not resuming, so a new session ID should be generated.
	\ We don't check that the new ID is distinct from the one sent
	\ by the client because probability of such an event is 2^(-256),
	\ i.e. much (much) lower than that of an undetected transmission
	\ error or hardware miscomputation, and with similar consequences
	\ (handshake simply fails).
	addr-session_id 32 mkrand
	32 addr-session_id_len set8

	\ Translate common cipher suites, then squeeze out holes: there
	\ may be holes because of the way we fill the list when the
	\ server preference order is enforced, and also in case some
	\ suites are filtered out. In particular:
	\ -- ECDHE suites are removed if there is no common hash function
	\    (for the relevant signature algorithm) or no common curve.
	\ -- TLS-1.2-only suites are removed if the negotiated version is
	\    TLS-1.1 or lower.
	addr-client_suites dup >css-off
	begin dup css-max < while
		dup get16 dup cipher-suite-to-elements
		dup 12 >> dup 1 = swap 2 = or if
			dup can-ecdhe and ifnot
				2drop 0 dup
			then
		then
		can-tls12 ifnot
			\ Suites compatible with TLS-1.0 and TLS-1.1 are
			\ exactly the ones that use HMAC/SHA-1.
			dup 0xF0 and 0x20 <> if
				2drop 0 dup
			then
		then
		dup if
			css-off 2+ set16 css-off set16
			css-off 4 + >css-off
		else
			2drop
		then
		4 +
	repeat
	drop
	css-off addr-client_suites - 2 >>
	dup ifnot
		\ No common cipher suite: handshake failure.
		40 fail-alert
	then
	addr-client_suites_num set8

	\ Check ALPN.
	addr-selected_protocol get16 0xFFFF = if
		3 flag? if 120 fail-alert then
		0 addr-selected_protocol set16
	then

	\ Call policy handler to obtain the cipher suite and other
	\ parameters.
	call-policy-handler ifnot 40 fail-alert then

	\ We are not resuming a session.
	0 ;

\ Write ServerHello.
: write-ServerHello ( initial -- )
	{ initial }
	\ Compute ServerHello length.
	2 write8 70

	\ Compute length of Secure Renegotiation extension.
	addr-reneg get8 2 = if
		initial if 5 else 29 then
	else
		0
	then
	{ ext-reneg-len }

	\ Compute length of Max Fragment Length extension.
	addr-peer_log_max_frag_len get8 if 5 else 0 then
	{ ext-max-frag-len }

	\ Compute length of ALPN extension. This also copy the
	\ selected protocol name into the pad.
	addr-selected_protocol get16 dup if 1- copy-protocol-name 7 + then
	{ ext-ALPN-len }

	\ Adjust ServerHello length to account for the extensions.
	ext-reneg-len ext-max-frag-len + ext-ALPN-len + dup if 2 + then +
	write24

	\ Protocol version
	addr-version get16 write16

	\ Server random
	addr-server_random 4 bzero
	addr-server_random 4 + 28 mkrand
	addr-server_random 32 write-blob

	\ Session ID
	\ TODO: if we have no session cache at all, we might send here
	\ an empty session ID. This would save a bit of network
	\ bandwidth.
	32 write8
	addr-session_id 32 write-blob

	\ Cipher suite
	addr-cipher_suite get16 write16

	\ Compression method
	0 write8

	\ Extensions
	ext-reneg-len ext-max-frag-len + ext-ALPN-len + dup if
		write16
		ext-reneg-len dup if
			0xFF01 write16
			4 - dup write16
			1- addr-saved_finished swap write-blob-head8
		else
			drop
		then
		ext-max-frag-len if
			0x0001 write16
			1 write16 addr-peer_log_max_frag_len get8 8 - write8
		then
		ext-ALPN-len dup if
			\ Note: the selected protocol name was previously
			\ copied into the pad.
			0x0010 write16
			4 - dup write16
			2- dup write16
			1- addr-pad swap write-blob-head8
		else
			drop
		then
	else
		drop
	then ;

\ Do the first part of ECDHE. Returned value is the computed signature
\ length, or a negative error code on error.
cc: do-ecdhe-part1 ( curve -- len ) {
	int curve = T0_POPi();
	T0_PUSHi(do_ecdhe_part1(CTX, curve));
}

\ Get index of first bit set to 1 (in low to high order).
: lowest-1 ( bits -- n )
	dup ifnot drop -1 ret then
	0 begin dup2 >> 1 and 0= while 1+ repeat
	swap drop ;

\ Write the Server Key Exchange message (if applicable).
: write-ServerKeyExchange ( -- )
	addr-cipher_suite get16 use-ecdhe? ifnot ret then

	\ We must select an appropriate curve among the curves that
	\ are supported both by us and the peer. Right now, we apply
	\ a fixed preference order: Curve25519, P-256, P-384, P-521,
	\ then the common curve with the lowest ID.
	\ (TODO: add some option to make that behaviour configurable.)
	\
	\ This loop always terminates because previous processing made
	\ sure that ECDHE suites are not selectable if there is no common
	\ curve.
	addr-curves get32
	dup 0x20000000 and if
		drop 29
	else
		dup 0x38000000 and dup if swap then
		drop lowest-1
	then
	{ curve-id }

	\ Compute the signed curve point to send.
	curve-id do-ecdhe-part1 dup 0< if neg fail then { sig-len }

	\ If using TLS-1.2+, then the hash function and signature
	\ algorithm are explicitly encoded in the message.
	addr-version get16 0x0303 >= { tls1.2+ }

	12 write8
	sig-len addr-ecdhe_point_len get8 + tls1.2+ 2 and + 6 + write24

	\ Curve parameters: named curve with 16-bit ID.
	3 write8 curve-id write16

	\ Public point.
	addr-ecdhe_point addr-ecdhe_point_len get8 write-blob-head8

	\ If TLS-1.2+, write hash and signature identifiers.
	tls1.2+ if
		\ sign_hash_id contains either a hash identifier,
		\ or the complete 16-bit value to write.
		addr-sign_hash_id get16
		dup 0xFF00 < if
			write16
		else
			0xFF and write8
			\ 'use-rsa-ecdhe?' returns -1 for RSA, 0 for
			\ ECDSA. The byte on the wire shall be 1 for RSA,
			\ 3 for ECDSA.
			addr-cipher_suite get16 use-rsa-ecdhe? 1 << 3 + write8
		then
	then

	\ Signature.
	sig-len write16
	addr-pad sig-len write-blob ;

\ Get length of the list of anchor names to send to the client. The length
\ includes the per-name 2-byte header, but _not_ the 2-byte header for
\ the list itself. If no client certificate is requested, then this
\ returns 0.
cc: ta-names-total-length ( -- len ) {
	size_t u, len;

	len = 0;
	if (CTX->ta_names != NULL) {
		for (u = 0; u < CTX->num_tas; u ++) {
			len += CTX->ta_names[u].len + 2;
		}
	} else if (CTX->tas != NULL) {
		for (u = 0; u < CTX->num_tas; u ++) {
			len += CTX->tas[u].dn.len + 2;
		}
	}
	T0_PUSH(len);
}

\ Compute length and optionally write the contents of the list of
\ supported client authentication methods.
: write-list-auth ( do_write -- len )
	0
	addr-cipher_suite get16 use-ecdh? if
		2+ over if 65 write8 66 write8 then
	then
	supports-rsa-sign? if 1+ over if 1 write8 then then
	supports-ecdsa? if 1+ over if 64 write8 then then
	swap drop ;

: write-signhash-inner2 ( dow algo hashes len id -- dow algo hashes len )
	{ id }
	over 1 id << and ifnot ret then
	2+
	3 pick if id write8 2 pick write8 then ;

: write-signhash-inner1 ( dow algo hashes -- dow len )
	0
	4 write-signhash-inner2
	5 write-signhash-inner2
	6 write-signhash-inner2
	3 write-signhash-inner2
	2 write-signhash-inner2
	-rot 2drop ;

\ Compute length and optionally write the contents of the list of
\ supported sign+hash algorithms.
: write-list-signhash ( do_write -- len )
	0 { len }
	\ If supporting neither RSA nor ECDSA in the engine, then we
	\ will do only static ECDH, and thus we claim support for
	\ everything (for the X.509 validator).
	supports-rsa-sign? supports-ecdsa? or ifnot
		1 0x7C write-signhash-inner1 >len
		3 0x7C write-signhash-inner1 len +
		swap drop ret
	then
	supports-rsa-sign? if
		1 supported-hash-functions drop
		write-signhash-inner1 >len
	then
	supports-ecdsa? if
		3 supported-hash-functions drop
		write-signhash-inner1 len + >len
	then
	drop len ;

\ Initialise index for sending the list of anchor DN.
cc: begin-ta-name-list ( -- ) {
	CTX->cur_dn_index = 0;
}

\ Switch to next DN in the list. Returned value is the DN length, or -1
\ if the end of the list was reached.
cc: begin-ta-name ( -- len ) {
	const br_x500_name *dn;
	if (CTX->cur_dn_index >= CTX->num_tas) {
		T0_PUSHi(-1);
	} else {
		if (CTX->ta_names == NULL) {
			dn = &CTX->tas[CTX->cur_dn_index].dn;
		} else {
			dn = &CTX->ta_names[CTX->cur_dn_index];
		}
		CTX->cur_dn_index ++;
		CTX->cur_dn = dn->data;
		CTX->cur_dn_len = dn->len;
		T0_PUSH(CTX->cur_dn_len);
	}
}

\ Copy a chunk of the current DN into the pad. Returned value is the
\ chunk length; this is 0 when the end of the current DN is reached.
cc: copy-dn-chunk ( -- len ) {
	size_t clen;

	clen = CTX->cur_dn_len;
	if (clen > sizeof ENG->pad) {
		clen = sizeof ENG->pad;
	}
	memcpy(ENG->pad, CTX->cur_dn, clen);
	CTX->cur_dn += clen;
	CTX->cur_dn_len -= clen;
	T0_PUSH(clen);
}

\ Write a CertificateRequest message.
: write-CertificateRequest ( -- )
	\ The list of client authentication types includes:
	\    rsa_sign (1)
	\    ecdsa_sign (64)
	\    rsa_fixed_ecdh (65)
	\    ecdsa_fixed_ecdh (66)
	\ rsa_sign and ecdsa_sign require, respectively, RSA and ECDSA
	\ support. Static ECDH requires that the cipher suite is ECDH.
	\ When we ask for static ECDH, we always send both rsa_fixed_ecdh
	\ and ecdsa_fixed_ecdh because what matters there is what the
	\ X.509 engine may support, and we do not control that.
	\
	\ With TLS 1.2, we must also send a list of supported signature
	\ and hash algorithms. That list is supposed to qualify both
	\ the engine itself, and the X.509 validator, which are separate
	\ in BearSSL. There again, we use the engine capabilities in that
	\ list, and resort to a generic all-support list if only
	\ static ECDH is accepted.
	\
	\ (In practice, client implementations tend to have at most one
	\ or two certificates, and send the chain regardless of what
	\ algorithms are used in it.)

	0 write-list-auth
	addr-version get16 0x0303 >= if
		2+ 0 write-list-signhash +
	then
	ta-names-total-length + 3 +

	\ Message header
	13 write8 write24

	\ List of authentication methods
	0 write-list-auth write8 1 write-list-auth drop

	\ For TLS 1.2+, list of sign+hash
	addr-version get16 0x0303 >= if
		0 write-list-signhash write16 1 write-list-signhash drop
	then

	\ Trust anchor names
	ta-names-total-length write16
	begin-ta-name-list
	begin
		begin-ta-name
		dup 0< if drop ret then write16
		begin copy-dn-chunk dup while
			addr-pad swap write-blob
		repeat
		drop
	again ;

\ Write the Server Hello Done message.
: write-ServerHelloDone ( -- )
	14 write8 0 write24 ;

\ Perform RSA decryption of the client-sent pre-master secret. The value
\ is in the pad, and its length is provided as parameter.
cc: do-rsa-decrypt ( len prf_id -- ) {
	int prf_id = T0_POPi();
	size_t len = T0_POP();
	do_rsa_decrypt(CTX, prf_id, ENG->pad, len);
}

\ Perform ECDH (not ECDHE). The point from the client is in the pad, and
\ its length is provided as parameter.
cc: do-ecdh ( len prf_id -- ) {
	int prf_id = T0_POPi();
	size_t len = T0_POP();
	do_ecdh(CTX, prf_id, ENG->pad, len);
}

\ Do the second part of ECDHE.
cc: do-ecdhe-part2 ( len prf_id -- ) {
	int prf_id = T0_POPi();
	size_t len = T0_POP();
	do_ecdhe_part2(CTX, prf_id, ENG->pad, len);
}

\ Perform static ECDH. The point from the client is the public key
\ extracted from its certificate.
cc: do-static-ecdh ( prf_id -- ) {
	do_static_ecdh(CTX, T0_POP());
}

\ Read a ClientKeyExchange header.
: read-ClientKeyExchange-header ( -- len )
	read-handshake-header 16 = ifnot ERR_UNEXPECTED fail then ;

\ Read the Client Key Exchange contents (non-empty case).
: read-ClientKeyExchange-contents ( lim -- )
	\ What we should get depends on the cipher suite.
	addr-cipher_suite get16 use-rsa-keyx? if
		\ RSA key exchange: we expect a RSA-encrypted value.
		read16
		dup 512 > if ERR_LIMIT_EXCEEDED fail then
		dup { enc-rsa-len }
		addr-pad swap read-blob
		enc-rsa-len addr-cipher_suite get16 prf-id do-rsa-decrypt
	then
	addr-cipher_suite get16 dup use-ecdhe? swap use-ecdh? { ecdhe ecdh }
	ecdh ecdhe or if
		\ ECDH or ECDHE key exchange: we expect an EC point.
		read8 dup { ec-point-len }
		addr-pad swap read-blob
		ec-point-len addr-cipher_suite get16 prf-id
		ecdhe if do-ecdhe-part2 else do-ecdh then
	then
	close-elt ;

\ Read the Client Key Exchange (normal case).
: read-ClientKeyExchange ( -- )
	read-ClientKeyExchange-header
	read-ClientKeyExchange-contents ;

\ Obtain all possible hash values for handshake messages so far. This
\ is done because we need the hash value for the CertificateVerify
\ _before_ knowing which hash function will actually be used, as this
\ information is obtained from decoding the message header itself.
\ All hash values are stored in the pad (208 bytes in total).
cc: compute-hash-CV ( -- ) {
	int i;

	for (i = 1; i <= 6; i ++) {
		br_multihash_out(&ENG->mhash, i,
			ENG->pad + HASH_PAD_OFF[i - 1]);
	}
}

\ Copy the proper hash value from the pad into the dedicated buffer.
\ Returned value is true (-1) on success, false (0) on error (error
\ being an unimplemented hash function). The id has already been verified
\ to be either 0 (for MD5+SHA-1) or one of the SHA-* functions.
cc: copy-hash-CV ( hash_id -- bool ) {
	int id = T0_POP();
	size_t off, len;

	if (id == 0) {
		off = 0;
		len = 36;
	} else {
		if (br_multihash_getimpl(&ENG->mhash, id) == 0) {
			T0_PUSH(0);
			T0_RET();
		}
		off = HASH_PAD_OFF[id - 1];
		len = HASH_PAD_OFF[id] - off;
	}
	memcpy(CTX->hash_CV, ENG->pad + off, len);
	CTX->hash_CV_len = len;
	CTX->hash_CV_id = id;
	T0_PUSHi(-1);
}

\ Verify signature in CertificateVerify. Output is 0 on success, or a
\ non-zero error code.
cc: verify-CV-sig ( sig-len -- err ) {
	int err;

	err = verify_CV_sig(CTX, T0_POP());
	T0_PUSHi(err);
}

\ Process static ECDH.
: process-static-ECDH ( ktu -- )
	\ Static ECDH is allowed only if the cipher suite uses ECDH, and
	\ the client's public key has type EC and allows key exchange.
	\ BR_KEYTYPE_KEYX is 0x10, and BR_KEYTYPE_EC is 2.
	0x1F and 0x12 = ifnot ERR_WRONG_KEY_USAGE fail then
	addr-cipher_suite get16
	dup use-ecdh? ifnot ERR_UNEXPECTED fail then
	prf-id
	do-static-ecdh ;

\ Read CertificateVerify header.
: read-CertificateVerify-header ( -- lim )
	compute-hash-CV
	read-handshake-header 15 = ifnot ERR_UNEXPECTED fail then ;

\ Read CertificateVerify. The client key type + usage is expected on the
\ stack.
: read-CertificateVerify ( ktu -- )
	\ Check that the key allows for signatures.
	dup 0x20 and ifnot ERR_WRONG_KEY_USAGE fail then
	0x0F and { key-type }

	\ Get header.
	read-CertificateVerify-header

	\ With TLS 1.2+, there is an explicit hash + signature indication,
	\ which must be compatible with the key type.
	addr-version get16 0x0303 >= if
		\ Get hash function, then signature algorithm. The
		\ signature algorithm is 1 (RSA) or 3 (ECDSA) while our
		\ symbolic constants for key types are 1 (RSA) or 2 (EC).
		read16
		dup 0xFF and 1+ 1 >> key-type = ifnot
			ERR_BAD_SIGNATURE fail
		then
		8 >>

		\ We support only SHA-1, SHA-224, SHA-256, SHA-384
		\ and SHA-512. We explicitly reject MD5.
		dup 2 < over 6 > or if ERR_INVALID_ALGORITHM fail then
	else
		\ With TLS 1.0 and 1.1, hash is MD5+SHA-1 (0) for RSA,
		\ SHA-1 (2) for ECDSA.
		key-type 0x01 = if 0 else 2 then
	then
	copy-hash-CV ifnot ERR_INVALID_ALGORITHM fail then

	\ Read signature.
	read16 dup { sig-len }
	dup 512 > if ERR_LIMIT_EXCEEDED fail then
	addr-pad swap read-blob
	sig-len verify-CV-sig
	dup if fail then drop

	close-elt ;

\ Send a HelloRequest.
: send-HelloRequest ( -- )
	flush-record
	begin can-output? not while wait-co drop repeat
	22 addr-record_type_out set8
	0 write8 0 write24 flush-record
	23 addr-record_type_out set8 ;

\ Make a handshake.
: do-handshake ( initial -- )
	0 addr-application_data set8
	22 addr-record_type_out set8
	0 addr-selected_protocol set16
	multihash-init
	read-ClientHello
	more-incoming-bytes? if ERR_UNEXPECTED fail then
	if
		\ Session resumption
		write-ServerHello
		0 write-CCS-Finished
		0 read-CCS-Finished
	else
		\ Not a session resumption
		write-ServerHello
		write-Certificate drop
		write-ServerKeyExchange
		ta-names-total-length if
			write-CertificateRequest
		then
		write-ServerHelloDone
		flush-record

		\ If we sent a CertificateRequest then we expect a
		\ Certificate message.
		ta-names-total-length if
			\ Read client certificate.
			0 read-Certificate

			choice
				dup 0< uf
					\ Client certificate validation failed.
					2 flag? ifnot neg fail then
					drop
					read-ClientKeyExchange
					read-CertificateVerify-header
					dup skip-blob drop
				enduf
				dup 0= uf
					\ Client sent no certificate at all.
					drop
					2 flag? ifnot
						ERR_NO_CLIENT_AUTH fail
					then
					read-ClientKeyExchange
				enduf

				\ Client certificate was validated.
				read-ClientKeyExchange-header
				dup ifnot
					\ Empty ClientKeyExchange.
					drop
					process-static-ECDH
				else
					read-ClientKeyExchange-contents
					read-CertificateVerify
				then
			endchoice
		else
			\ No client certificate request, we just expect
			\ a non-empty ClientKeyExchange.
			read-ClientKeyExchange
		then
		0 read-CCS-Finished
		0 write-CCS-Finished
		save-session
	then
	1 addr-application_data set8
	23 addr-record_type_out set8 ;

\ Entry point.
: main ( -- ! )
	\ Perform initial handshake.
	-1 do-handshake

	begin
		\ Wait for further invocation. At that point, we should
		\ get either an explicit call for renegotiation, or
		\ an incoming ClientHello handshake message.
		wait-co
		dup 0x07 and case
			0x00 of
				0x10 and if
					\ The best we can do is ask for a
					\ renegotiation, then wait for it
					\ to happen.
					0 addr-application_data set8
					send-HelloRequest
				then
			endof
			0x01 of
				\ Reject renegotiations if the peer does not
				\ support secure renegotiation, or if the
				\ "no renegotiation" flag is set.
				drop
				addr-reneg get8 1 = 1 flag? or if
					skip-ClientHello
					flush-record
					begin can-output? not while
						wait-co drop
					repeat
					100 send-warning
					\ Put back connection in "application
					\ data" state: it's not dead yet.
					1 addr-application_data set8
					23 addr-record_type_out set8
				else
					0 do-handshake
				then
			endof
			ERR_UNEXPECTED fail
		endcase
	again
	;