-rw-r--r-- | src/serv-args.def | 8 | ||||
-rw-r--r-- | src/serv.c | 10 | ||||
-rwxr-xr-x | tests/suite/testcompat-tls13-openssl.sh | 18 |
3 files changed, 35 insertions, 1 deletions
diff --git a/src/serv-args.def b/src/serv-args.def index 6c17998da0..7c4c32479c 100644 --- a/src/serv-args.def +++ b/src/serv-args.def @@ -49,6 +49,14 @@ flag = { }; flag = { + name = maxearlydata; + arg-type = number; + arg-range = "1->4294967296"; + descrip = "The maximum early data size to accept"; + doc = ""; +}; + +flag = { name = nocookie; descrip = "Don't require cookie on DTLS sessions"; doc = ""; diff --git a/src/serv.c b/src/serv.c index d0b5914bc0..2ceb3dbf1f 100644 --- a/src/serv.c +++ b/src/serv.c @@ -408,8 +408,16 @@ gnutls_session_t initialize_session(int dtls) gnutls_session_ticket_enable_server(session, &session_ticket_key); - if (earlydata) + if (earlydata) { gnutls_anti_replay_enable(session, anti_replay); + if (HAVE_OPT(MAXEARLYDATA)) { + ret = gnutls_record_set_max_early_data_size(session, OPT_VALUE_MAXEARLYDATA); + if (ret < 0) { + fprintf(stderr, "Could not set max early data size: %s\n", gnutls_strerror(ret)); + exit(1); + } + } + } if (sni_hostname != NULL) gnutls_handshake_set_post_client_hello_function(session, diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh index c573182870..27ca3826e3 100755 --- a/tests/suite/testcompat-tls13-openssl.sh +++ b/tests/suite/testcompat-tls13-openssl.sh 
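Review bot: The upper bound in `arg-range = "1->4294967296";` is 2^32, one past the largest value the TLS 1.3 max_early_data_size field can carry (it is a uint32 in the early_data extension of NewSessionTicket), and the serv.c hunk of this same commit hands the parsed value straight to gnutls_record_set_max_early_data_size, which presumably refuses anything above UINT32_MAX — so the option parser would admit a value that only fails later inside the server. Change the line to `arg-range = "1->4294967295";`. `doc = "";` leaves the generated man page blank for this option; a one-line doc entry saying that the value bounds the 0-RTT bytes the server accepts per session (and only matters together with --earlydata) would be worth adding.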
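Review bot: `--maxearlydata` is accepted and then silently ignored when `--earlydata` is not also given, because the new `HAVE_OPT(MAXEARLYDATA)` check lives inside the `if (earlydata)` block; an operator who passes only the limit gets no 0-RTT at all and no diagnostic. A one-line guard ahead of the block, `if (HAVE_OPT(MAXEARLYDATA) && !earlydata) fprintf(stderr, "--maxearlydata has no effect without --earlydata\n");`, would make that visible, though option-parse time (outside this hunk) is the better place for it. The `exit(1)` also means a value the option parser admits but the library rejects (the .def range allows 2^32) is only detected when initialize_session runs, which appears to be per client connection since its caller is not in the hunk — so the server starts cleanly and dies on the first connect; validating the value once at startup avoids that. A short comment such as `/* bound the 0-RTT bytes a resumed client may send before it is authenticated */` would record why the limit exists. `ret` is declared outside the hunk and initialize_session starts and ends outside it.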
@@ -530,6 +530,24 @@ _EOF_ kill ${PID} wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and early data with small limit..." + testdir=`create_testdir tls13-openssl-resumption` + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" --earlydata --maxearlydata 1 >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt" + { echo a; sleep 1; } | \ + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-earlydata.pem" 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-earlydata.pem" -early_data "${testdir}/earlydata.txt" </dev/null 2>&1 > "${testdir}/server.out" + grep "^Early data was rejected" "${testdir}/server.out" || \ + fail ${PID} "Failed" + + kill ${PID} + wait rm -rf "${testdir}" } |
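Review bot: The `grep "^Early data was rejected"` assertion also passes when resumption fails for an unrelated reason (no accepted PSK means no accepted early data), so the test cannot tell limit enforcement from a broken resumption path; adding `grep "^Reused, TLSv1.3" "${testdir}/server.out" || fail ${PID} "Failed"` (the line s_client prints for a resumed session) before the rejection check would close that gap. If the OpenSSL client honours the 1-byte limit advertised in the ticket, the ~50-byte earlydata.txt may be refused on the client side before the server sees it, so the server-side enforcement — the property that matters against a client ignoring the advertised limit — is not necessarily what is being exercised; a comment above the test stating which behaviour it pins would help. Note also that `2>&1 > "${testdir}/server.out"` sends the client's stderr to the test's stdout rather than into server.out; if the diagnostics are wanted in the file, the order should be `> "${testdir}/server.out" 2>&1`. The enclosing shell function starts before this hunk.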