Add Data-less Zero-RTT support.
This adds support on the server and client to accept data-less early
data. The server will still fail to parse early data with any
contents, so this should remain disabled.
BUG=76
Change-Id: Id85d192d8e0360b8de4b6971511b5e8a0e8012f7
Reviewed-on: https://boringssl-review.googlesource.com/12921
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/internal.h b/ssl/internal.h
index 99980d8..ed5172c 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -865,6 +865,11 @@
* It returns one on success and zero on error. */
int tls13_init_key_schedule(SSL_HANDSHAKE *hs);
+/* tls13_init_early_key_schedule initializes the handshake hash and key
+ * derivation state from the resumption secret to derive the early secrets. It
+ * returns one on success and zero on error. */
+int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs);
+
/* tls13_advance_key_schedule incorporates |in| into the key schedule with
* HKDF-Extract. It returns one on success and zero on error. */
int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
@@ -876,6 +881,10 @@
const uint8_t *traffic_secret,
size_t traffic_secret_len);
+/* tls13_derive_early_secrets derives the early traffic secret. It returns one
+ * on success and zero on error. */
+int tls13_derive_early_secrets(SSL_HANDSHAKE *hs);
+
/* tls13_derive_handshake_secrets derives the handshake traffic secret. It
* returns one on success and zero on error. */
int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs);
@@ -930,6 +939,7 @@
ssl_hs_channel_id_lookup,
ssl_hs_private_key_operation,
ssl_hs_pending_ticket,
+ ssl_hs_read_end_of_early_data,
};
struct ssl_handshake_st {
@@ -957,6 +967,7 @@
size_t hash_len;
uint8_t secret[EVP_MAX_MD_SIZE];
+ uint8_t early_traffic_secret[EVP_MAX_MD_SIZE];
uint8_t client_handshake_secret[EVP_MAX_MD_SIZE];
uint8_t server_handshake_secret[EVP_MAX_MD_SIZE];
uint8_t client_traffic_secret_0[EVP_MAX_MD_SIZE];
@@ -1100,6 +1111,9 @@
* Start. The client may write data at this point. */
unsigned in_false_start:1;
+ /* early_data_offered is one if the client sent the early_data extension. */
+ unsigned early_data_offered:1;
+
/* next_proto_neg_seen is one of NPN was negotiated. */
unsigned next_proto_neg_seen:1;
@@ -1398,6 +1412,7 @@
int (*read_app_data)(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
int peek);
int (*read_change_cipher_spec)(SSL *ssl);
+ int (*read_end_of_early_data)(SSL *ssl);
void (*read_close_notify)(SSL *ssl);
int (*write_app_data)(SSL *ssl, const uint8_t *buf, int len);
int (*dispatch_alert)(SSL *ssl);
@@ -1629,9 +1644,11 @@
uint8_t write_traffic_secret[EVP_MAX_MD_SIZE];
uint8_t read_traffic_secret[EVP_MAX_MD_SIZE];
uint8_t exporter_secret[EVP_MAX_MD_SIZE];
+ uint8_t early_exporter_secret[EVP_MAX_MD_SIZE];
uint8_t write_traffic_secret_len;
uint8_t read_traffic_secret_len;
uint8_t exporter_secret_len;
+ uint8_t early_exporter_secret_len;
/* Connection binding to prevent renegotiation attacks */
uint8_t previous_client_finished[12];
@@ -1933,6 +1950,9 @@
* hash of the peer's certificate and then discard it to save memory and
* session space. Only effective on the server side. */
unsigned retain_only_sha256_of_client_certs:1;
+
+ /* early_data_accepted is true if early data was accepted by the server. */
+ unsigned early_data_accepted:1;
};
/* From draft-ietf-tls-tls13-18, used in determining PSK modes. */
@@ -2049,6 +2069,7 @@
int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
int peek);
int ssl3_read_change_cipher_spec(SSL *ssl);
+int ssl3_read_end_of_early_data(SSL *ssl);
void ssl3_read_close_notify(SSL *ssl);
int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len);
int ssl3_write_app_data(SSL *ssl, const uint8_t *buf, int len);
