diff options
author | Daiki Ueno <dueno@redhat.com> | 2018-07-16 11:30:05 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2018-08-06 10:51:58 +0200 |
commit | 68c21a22c45cfe6ea80f542dc8ef3a9b84c1498b (patch) | |
tree | 8484f7d12bcd431c984e07c6f6b820faf481d371 /lib/record.c | |
parent | 8f90d5bd7a79b3e69145c3d2fde583d24372f143 (diff) | |
download | gnutls-68c21a22c45cfe6ea80f542dc8ef3a9b84c1498b.tar.gz |
TLS 1.3: ignore "early_data" extension
As 0-RTT is still not implemented in GnuTLS, the server responds with
1-RTT, by skipping decryption failure up to max_early_data_size, as
suggested in 4.2.10 Early Data Detection.
Resolves #512
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'lib/record.c')
-rw-r--r-- | lib/record.c | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/lib/record.c b/lib/record.c index 1cc328cb93..4589765524 100644 --- a/lib/record.c +++ b/lib/record.c @@ -1334,6 +1334,44 @@ _gnutls_recv_in_buffers(gnutls_session_t session, content_type_t type, _mbuffer_head_remove_bytes(&session->internals.record_recv_buffer, record.header_size + record.length); + + /* FIXME: as 0-RTT is not implemented yet, when early data is + * indicated, skip decryption failure up to + * max_early_data_size. Otherwise, if the record is properly + * decrypted, treat it as the start of client's second flight. + * + * This implements the first way suggested in 4.2.10 of + * draft-ietf-tls-tls13-28. + */ + if (unlikely(session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT)) { + if (record.type == GNUTLS_APPLICATION_DATA && + (ret < 0 || + /* early data must always be encrypted, treat it + * as decryption failure if otherwise */ + record_params->cipher->id == GNUTLS_CIPHER_NULL)) { + if (record.length > + session->security_parameters.max_early_data_size - + session->internals.early_data_received) { + _gnutls_record_log + ("REC[%p]: max_early_data_size exceeded\n", + session); + ret = GNUTLS_E_UNEXPECTED_PACKET; + goto sanity_check_error; + } + + _gnutls_record_log("REC[%p]: Discarded early data[%u] due to invalid decryption, length: %u\n", + session, + (unsigned int) + _gnutls_uint64touint32(packet_sequence), + (unsigned int) + record.length); + session->internals.early_data_received += record.length; + goto discard; + } else { + session->internals.hsk_flags &= ~HSK_EARLY_DATA_IN_FLIGHT; + } + } + if (ret < 0) { gnutls_assert(); _gnutls_audit_log(session, |