Add Data-less Zero-RTT support.
This adds support on the server and client to accept data-less early
data. The server will still fail to parse early data with any
contents, so this should remain disabled.
BUG=76
Change-Id: Id85d192d8e0360b8de4b6971511b5e8a0e8012f7
Reviewed-on: https://boringssl-review.googlesource.com/12921
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index 1feb7d8..3898c1b 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -208,6 +208,18 @@
}
if (!SSL_is_dtls(ssl) || ssl->d1->send_cookie) {
+ if (hs->early_data_offered) {
+ if (!tls13_init_early_key_schedule(hs) ||
+ !tls13_advance_key_schedule(hs, ssl->session->master_key,
+ ssl->session->master_key_length) ||
+ !tls13_derive_early_secrets(hs) ||
+ !tls13_set_traffic_key(ssl, evp_aead_seal,
+ hs->early_traffic_secret,
+ hs->hash_len)) {
+ ret = -1;
+ goto end;
+ }
+ }
hs->next_state = SSL3_ST_CR_SRVR_HELLO_A;
} else {
hs->next_state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
@@ -875,6 +887,12 @@
return 1;
}
+ if (hs->early_data_offered) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
+ al = SSL_AD_PROTOCOL_VERSION;
+ goto f_err;
+ }
+
ssl_clear_tls13_state(hs);
if (!ssl_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {
