Skip over early data in bogo.
Change-Id: Idc93fdca2f1c5c23e4ba48c4efed2edbad1e857b
Reviewed-on: https://boringssl-review.googlesource.com/12521
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go
index 3cbd496..9a65f77 100644
--- a/ssl/test/runner/conn.go
+++ b/ssl/test/runner/conn.go
@@ -38,6 +38,7 @@
haveVers bool // version has been negotiated
config *Config // configuration passed to constructor
handshakeComplete bool
+ skipEarlyData bool
didResume bool // whether this connection was a session resumption
extendedMasterSecret bool // whether this session used an extended master secret
cipherSuite *cipherSuite
@@ -726,6 +727,7 @@
}
func (c *Conn) doReadRecord(want recordType) (recordType, *block, error) {
+RestartReadRecord:
if c.isDTLS {
return c.dtlsDoReadRecord(want)
}
@@ -829,10 +831,24 @@
// Process message.
b, c.rawInput = c.in.splitBlock(b, recordHeaderLen+n)
ok, off, encTyp, alertValue := c.in.decrypt(b)
+
+ // Handle skipping over early data.
+ if !ok && c.skipEarlyData {
+ goto RestartReadRecord
+ }
+
+ // If the server is expecting a second ClientHello (in response to
+ // a HelloRetryRequest) and the client sends early data, there
+ // won't be a decryption failure but it still needs to be skipped.
+ if c.in.cipher == nil && typ == recordTypeApplicationData && c.skipEarlyData {
+ goto RestartReadRecord
+ }
+
if !ok {
return 0, nil, c.in.setErrorLocked(c.sendAlert(alertValue))
}
b.off = off
+ c.skipEarlyData = false
if c.vers >= VersionTLS13 && c.in.cipher != nil {
if typ != recordTypeApplicationData {
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 1116d6c..7dad05f 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -509,6 +509,12 @@
}
}
+ // Decide whether or not to accept early data.
+ if hs.clientHello.hasEarlyData {
+ // For now, we'll reject and skip early data.
+ c.skipEarlyData = true
+ }
+
// Resolve PSK and compute the early secret.
if hs.sessionState != nil {
hs.finishedHash.addEntropy(hs.sessionState.masterSecret)