Add initial support for 0-RTT with QUIC.

This adapts our existing API for QUIC, although I'm not entirely
convinced the shape of it fits as it does with TCP. Things that needed
to be changed:

- There is a slight ordering issue on the server with HRR and releasing
  the 0-RTT keys to QUIC.
- Remove EndOfEarlyData.
- At the early return point for the server, QUIC needs to have installed
  the client traffic secrets earlier.
- The maximum early data value is a constant in QUIC.
- QUIC never installs early secrets at the TLS level. (In particular,
  this avoids nuisances with do_send_second_client_hello's null cipher
  not updating the encryption level.)
- The read/write secrets for 0-RTT keys were mixed up.

As the QUIC tests are getting a bit unwieldy, I tidied them up a bit.

This CL does *not* handle the QUIC transport parameters or HTTP/3
server SETTINGS frame interactions with 0-RTT. That will be done in a
separate CL.

I suspect if we ever implement DTLS 1.3, we'll find ourselves wanting to
align some of the QUIC bits here with DTLS and perhaps refine the
handshake/transport abstractions a bit.

Bug: 221
Change-Id: I61f701d7241dbc99e5dbf57ae6c283e10b85b049
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/37145
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index a7d0d89..12f4738 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -633,12 +633,16 @@
if (ssl->s3->early_data_accepted) {
hs->can_early_write = false;
- ScopedCBB cbb;
- CBB body;
- if (!ssl->method->init_message(ssl, cbb.get(), &body,
- SSL3_MT_END_OF_EARLY_DATA) ||
- !ssl_add_message_cbb(ssl, cbb.get())) {
- return ssl_hs_error;
+ // QUIC omits the EndOfEarlyData message. See draft-ietf-quic-tls-22,
+ // section 8.3.
+ if (ssl->quic_method == nullptr) {
+ ScopedCBB cbb;
+ CBB body;
+ if (!ssl->method->init_message(ssl, cbb.get(), &body,
+ SSL3_MT_END_OF_EARLY_DATA) ||
+ !ssl_add_message_cbb(ssl, cbb.get())) {
+ return ssl_hs_error;
+ }
}
}
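Review bot: The new `ssl->quic_method == nullptr` guard only covers the client's send path for EndOfEarlyData, so the matching receive-side behaviour is not visible here. Please confirm that a server running under QUIC treats a received EndOfEarlyData as an unexpected message rather than silently accepting it, and that a test covers both directions (client never emits it, server rejects it). It is also worth a short comment that `hs->can_early_write = false;` stays unconditional on purpose, since under QUIC there is no longer any in-band marker for the end of early data and this flag is the only thing that stops further 0-RTT writes.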
@@ -911,6 +915,15 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
return false;
}
+
+ // QUIC does not use the max_early_data_size parameter and always sets it to
+ // a fixed value. See draft-ietf-quic-tls-22, section 4.5.
+ if (ssl->quic_method != nullptr &&
+ session->ticket_max_early_data != 0xffffffff) {
+ ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+ return false;
+ }
}
// Generate a session ID for this session. Some callers expect all sessions to
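Review bot: The literal `0xffffffff` in the `session->ticket_max_early_data != 0xffffffff` check should be a named constant shared with the server code that writes the ticket, so the value the client enforces and the value the server issues cannot drift apart. The commit message already calls it "a constant in QUIC", so giving it a name costs nothing. Separately, the alert sent is `SSL_AD_ILLEGAL_PARAMETER` but the error pushed is `SSL_R_DECODE_ERROR`. The extension parsed correctly here and was rejected for its value, so a reason code that says so would make this failure distinguishable from the genuine parse failure just above it when someone is debugging a QUIC peer that sends a different limit.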