Construct the server side early_data extension

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

include/openssl/ssl.h

@@ -1629,6 +1629,12 @@ long SSL_callback_ctrl(SSL *, int, void (*)(void));
 long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
 long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
 
+# define SSL_EARLY_DATA_NOT_SENT    0
+# define SSL_EARLY_DATA_REJECTED    1
+# define SSL_EARLY_DATA_ACCEPTED    2
+
+__owur int SSL_get_early_data_status(SSL *s);
+
 __owur int SSL_get_error(const SSL *s, int ret_code);
 __owur const char *SSL_get_version(const SSL *s);
 
@@ -2374,6 +2380,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_F_TLS_CONSTRUCT_STOC_CERTIFICATE             374
 # define SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG           452
 # define SSL_F_TLS_CONSTRUCT_STOC_DONE                    375
+# define SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA              531
 # define SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA_INFO         525
 # define SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS           453
 # define SSL_F_TLS_CONSTRUCT_STOC_EMS                     454

ssl/ssl_err.c

@@ -362,6 +362,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG),
      "tls_construct_stoc_cryptopro_bug"},
     {ERR_FUNC(SSL_F_TLS_CONSTRUCT_STOC_DONE), "TLS_CONSTRUCT_STOC_DONE"},
+    {ERR_FUNC(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA),
+     "tls_construct_stoc_early_data"},
     {ERR_FUNC(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA_INFO),
      "tls_construct_stoc_early_data_info"},
     {ERR_FUNC(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS),

ssl/ssl_lib.c

@@ -1663,6 +1663,11 @@ int ssl_end_of_early_data_seen(SSL *s)
     return 0;
 }
 
+int SSL_get_early_data_status(SSL *s)
+{
+    return s->ext.early_data;
+}
+
 static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
 {
     if (s->handshake_func == NULL) {

ssl/ssl_locl.h

@@ -1182,8 +1182,8 @@ struct ssl_st {
         /* Set to one if we have negotiated ETM */
         int use_etm;
 
-        /* Set to 1 if we are expecting to receive early data */
-        int expect_early_data;
+        /* Are we expecting to receive early data? */
+        int early_data;
     } ext;
 
     /* Parsed form of the ClientHello, kept around across early_cb calls. */

ssl/statem/extensions.c

@@ -138,7 +138,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
     {
         TLSEXT_TYPE_early_data,
         EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
-        NULL, tls_parse_ctos_early_data, NULL, NULL,
+        NULL, tls_parse_ctos_early_data, NULL, tls_construct_stoc_early_data,
         tls_construct_ctos_early_data, NULL
     },
 #ifndef OPENSSL_NO_EC

ssl/statem/extensions_srvr.c

@@ -170,7 +170,18 @@ int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
         return 0;
     }
 
-    s->ext.expect_early_data = 1;
+    if (s->max_early_data == 0 || !s->hit || s->session->ext.tick_identity != 0
+            || s->early_data_state != SSL_EARLY_DATA_ACCEPTING) {
+        s->ext.early_data = SSL_EARLY_DATA_REJECTED;
+    } else {
+        s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
+
+        if (!tls13_change_cipher_state(s,
+                    SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
+            *al = SSL_AD_INTERNAL_ERROR;
+            return 0;
+        }
+    }
 
     return 1;
 }
@@ -832,6 +843,22 @@ int tls_construct_stoc_early_data_info(SSL *s, WPACKET *pkt,
     return 1;
 }
 
+int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
+                                  X509 *x, size_t chainidx, int *al)
+{
+    if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
+        return 1;
+
+    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
+            || !WPACKET_start_sub_packet_u16(pkt)
+            || !WPACKET_close(pkt)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
+
+    return 1;
+}
+
 #ifndef OPENSSL_NO_EC
 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
                                      X509 *x, size_t chainidx, int *al)

ssl/statem/statem.c

@@ -154,7 +154,7 @@ void ossl_statem_set_in_handshake(SSL *s, int inhand)
 /* Are we in a sensible state to skip over unreadable early data? */
 int ossl_statem_skip_early_data(SSL *s)
 {
-    if (!s->ext.expect_early_data)
+    if (s->ext.early_data != SSL_EARLY_DATA_REJECTED)
         return 0;
 
     if (s->statem.hand_state != TLS_ST_SW_FINISHED)

ssl/statem/statem_clnt.c

@@ -714,7 +714,7 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
              */
             if (!tls13_change_cipher_state(s,
                         SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE))
-            return WORK_ERROR;
+                return WORK_ERROR;
         }
         break;
 

ssl/statem/statem_locl.h

@@ -235,6 +235,8 @@ int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context,
 int tls_construct_stoc_early_data_info(SSL *s, WPACKET *pkt,
                                        unsigned int context, X509 *x,
                                        size_t chainidx, int *al);
+int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
+                                  X509 *x, size_t chainidx, int *al);
 #ifndef OPENSSL_NO_EC
 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
                                      X509 *x, size_t chainidx, int *al);

util/libssl.num

@@ -431,3 +431,4 @@ SSL_CTX_get_max_early_data              431	1_1_1	EXIST::FUNCTION:
 SSL_write_early                         432	1_1_1	EXIST::FUNCTION:
 SSL_write_early_finish                  433	1_1_1	EXIST::FUNCTION:
 SSL_read_early                          434	1_1_1	EXIST::FUNCTION:
+SSL_get_early_data_status               435	1_1_1	EXIST::FUNCTION: