static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
/* At this point, most ClientHello extensions have already been processed by
* the common handshake logic. Resolve the remaining non-PSK parameters. */
SSL *const ssl = hs->ssl;
SSL_CLIENT_HELLO client_hello;
if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
ssl->init_num)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return ssl_hs_error;
}
/* Negotiate the cipher suite. */
hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);
if (hs->new_cipher == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return ssl_hs_error;
}
/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
* deferred. Complete it now. */
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
/* The PRF hash is now known. Set up the key schedule and hash the
* ClientHello. */
if (!tls13_init_key_schedule(hs) ||
!ssl_hash_current_message(hs)) {
return ssl_hs_error;
}
hs->tls13_state = state_select_session;
return ssl_hs_ok;
}
static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
/* The short record header extension is incompatible with early data. */
if (ssl->s3->skip_early_data && ssl->s3->short_header) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
return ssl_hs_error;
}
SSL_CLIENT_HELLO client_hello;
if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
ssl->init_num)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return ssl_hs_error;
}
/* Negotiate the cipher suite. */
ssl->s3->tmp.new_cipher = choose_tls13_cipher(ssl, &client_hello);
if (ssl->s3->tmp.new_cipher == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return ssl_hs_error;
}
/* Decode the ticket if we agree on a PSK key exchange mode. */
uint8_t alert = SSL_AD_DECODE_ERROR;
SSL_SESSION *session = NULL;
CBS pre_shared_key, binders;
if (hs->accept_psk_mode &&
ssl_client_hello_get_extension(&client_hello, &pre_shared_key,
TLSEXT_TYPE_pre_shared_key)) {
/* Verify that the pre_shared_key extension is the last extension in
* ClientHello. */
if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
client_hello.extensions + client_hello.extensions_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}
if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &session, &binders,
&alert, &pre_shared_key)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
}
if (session != NULL &&
!ssl_session_is_resumable(ssl, session)) {
SSL_SESSION_free(session);
session = NULL;
}
/* Set up the new session, either using the original one as a template or
* creating a fresh one. */
if (session == NULL) {
if (!ssl_get_new_session(hs, 1 /* server */)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
ssl->s3->new_session->cipher = ssl->s3->tmp.new_cipher;
/* On new sessions, stash the SNI value in the session. */
if (hs->hostname != NULL) {
OPENSSL_free(ssl->s3->new_session->tlsext_hostname);
ssl->s3->new_session->tlsext_hostname = BUF_strdup(hs->hostname);
if (ssl->s3->new_session->tlsext_hostname == NULL) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
}
} else {
/* Check the PSK binder. */
if (!tls13_verify_psk_binder(ssl, session, &binders)) {
SSL_SESSION_free(session);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
return ssl_hs_error;
}
/* Only authentication information carries over in TLS 1.3. */
ssl->s3->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
if (ssl->s3->new_session == NULL) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
ssl->s3->session_reused = 1;
SSL_SESSION_free(session);
/* Resumption incorporates fresh key material, so refresh the timeout. */
ssl_session_renew_timeout(ssl, ssl->s3->new_session,
ssl->initial_ctx->session_psk_dhe_timeout);
}
if (ssl->ctx->dos_protection_cb != NULL &&
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
/* Connection rejected for DOS reasons. */
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
* deferred. Complete it now. */
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
/* The PRF hash is now known. Set up the key schedule and hash the
* ClientHello. */
size_t hash_len =
EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
if (!tls13_init_key_schedule(hs) ||
!ssl_hash_current_message(ssl)) {
return ssl_hs_error;
}
/* Incorporate the PSK into the running secret. */
if (ssl->s3->session_reused) {
if (!tls13_advance_key_schedule(hs, ssl->s3->new_session->master_key,
ssl->s3->new_session->master_key_length)) {
return ssl_hs_error;
}
} else if (!tls13_advance_key_schedule(hs, kZeroes, hash_len)) {
return ssl_hs_error;
}
ssl->method->received_flight(ssl);
/* Resolve ECDHE and incorporate it into the secret. */
int need_retry;
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
if (need_retry) {
hs->tls13_state = state_send_hello_retry_request;
return ssl_hs_ok;
}
return ssl_hs_error;
}
hs->tls13_state = state_send_server_hello;
return ssl_hs_ok;
}