tls13: srv: Add discard_early_data_record SSL field
Add discard_early_data_record in SSL context for
the record layer to know if it has to discard
some potential early data record and how.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index b063360..e0cd79d 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -353,6 +353,26 @@
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN 1000
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX 60000
+/*
+ * Whether early data record should be discarded or not and how.
+ *
+ * The client has indicated early data and the server has rejected them.
+ * The server has then to skip past early data by either:
+ * - attempting to deprotect received records using the handshake traffic
+ * key, discarding records which fail deprotection (up to the configured
+ * max_early_data_size). Once a record is deprotected successfully,
+ * it is treated as the start of the client's second flight and the
+ * server proceeds as with an ordinary 1-RTT handshake.
+ * - skipping all records with an external content type of
+ * "application_data" (indicating that they are encrypted), up to the
+ * configured max_early_data_size. This is the expected behavior if the
+ * server has sent an HelloRetryRequest message. The server ignores
+ * application data message before 2nd ClientHello.
+ */
+#define MBEDTLS_SSL_EARLY_DATA_NO_DISCARD 0
+#define MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD 1
+#define MBEDTLS_SSL_EARLY_DATA_DISCARD 2
+
/**
* \name SECTION: Module settings
*
@@ -1782,6 +1802,16 @@
* within a single datagram. */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * One of:
+ * MBEDTLS_SSL_EARLY_DATA_NO_DISCARD
+ * MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD
+ * MBEDTLS_SSL_EARLY_DATA_DISCARD
+ */
+ uint8_t MBEDTLS_PRIVATE(discard_early_data_record);
+#endif
+
/*
* Record layer (outgoing data)
*/
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index c952add..c2f874b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1098,9 +1098,14 @@
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_CLI_C)
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+ ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
+#endif
+#endif /* MBEDTLS_SSL_EARLY_DATA */
/* Initialize structures */
mbedtls_ssl_session_init(ssl->session_negotiate);
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 8bd70ef..6e87d7b 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1780,28 +1780,15 @@
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
-static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl,
- int hrr_required)
+static int ssl_tls13_check_early_data_requirements(mbedtls_ssl_context *ssl)
{
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
- if ((handshake->received_extensions &
- MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) == 0) {
- MBEDTLS_SSL_DEBUG_MSG(
- 1, ("EarlyData: no early data extension received."));
- return 0;
- }
-
if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) {
MBEDTLS_SSL_DEBUG_MSG(
1,
("EarlyData: rejected, feature disabled in server configuration."));
- return 0;
- }
-
- if (hrr_required) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("EarlyData: rejected, HRR required."));
- return 0;
+ return -1;
}
if (!handshake->resume) {
@@ -1810,7 +1797,7 @@
resumption. */
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, not a session resumption."));
- return 0;
+ return -1;
}
/* RFC 8446 4.2.10
@@ -1833,7 +1820,7 @@
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, the selected key in "
"`pre_shared_key` is not the first one."));
- return 0;
+ return -1;
}
if (handshake->ciphersuite_info->id !=
@@ -1841,7 +1828,7 @@
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, the selected ciphersuite is not the one "
"of the selected pre-shared key."));
- return 0;
+ return -1;
}
@@ -1850,10 +1837,10 @@
1,
("EarlyData: rejected, early_data not allowed in ticket "
"permission bits."));
- return 0;
+ return -1;
}
- return 1;
+ return 0;
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
@@ -1885,15 +1872,24 @@
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
- ssl->handshake->early_data_accepted =
- ssl_tls13_is_early_data_accepted(ssl, hrr_required);
-
- if (ssl->handshake->early_data_accepted) {
- ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(
- 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
- return ret;
+ if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
+ ssl->handshake->early_data_accepted = 0;
+ if (!hrr_required) {
+ ssl->handshake->early_data_accepted =
+ (ssl_tls13_check_early_data_requirements(ssl) == 0);
+ }
+ if (ssl->handshake->early_data_accepted) {
+ ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
+ return ret;
+ }
+ } else {
+ ssl->discard_early_data_record =
+ hrr_required ?
+ MBEDTLS_SSL_EARLY_DATA_DISCARD :
+ MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD;
}
}
#else