Read 0-RTT data in Bogo.
Change-Id: I878dfb9f5d3736c3ec0d5fa39052cca58932dbb7
Reviewed-on: https://boringssl-review.googlesource.com/12981
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 38925e9..d8ab1a5 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -509,12 +509,6 @@
}
}
- // Decide whether or not to accept early data.
- if hs.clientHello.hasEarlyData {
- // For now, we'll reject and skip early data.
- c.skipEarlyData = true
- }
-
// Resolve PSK and compute the early secret.
if hs.sessionState != nil {
hs.finishedHash.addEntropy(hs.sessionState.masterSecret)
@@ -658,6 +652,30 @@
}
}
+ // Decide whether or not to accept early data.
+ // TODO(nharper): This does not check that ALPN or SNI matches.
+ if hs.clientHello.hasEarlyData {
+ if !sendHelloRetryRequest && hs.sessionState != nil {
+ encryptedExtensions.extensions.hasEarlyData = true
+ earlyTrafficSecret := hs.finishedHash.deriveSecret(earlyTrafficLabel)
+ c.in.useTrafficSecret(c.vers, hs.suite, earlyTrafficSecret, clientWrite)
+
+ for _, expectedMsg := range config.Bugs.ExpectEarlyData {
+ if err := c.readRecord(recordTypeApplicationData); err != nil {
+ return err
+ }
+ if !bytes.Equal(c.input.data[c.input.off:], expectedMsg) {
+ return errors.New("ExpectEarlyData: did not get expected message")
+ }
+ c.in.freeBlock(c.input)
+ c.input = nil
+
+ }
+ } else {
+ c.skipEarlyData = true
+ }
+ }
+
// Resolve ECDHE and compute the handshake secret.
if hs.hello.hasKeyShare {
// Once a curve has been selected and a key share identified,
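Review bot: The acceptance condition `if !sendHelloRetryRequest && hs.sessionState != nil` turns on 0-RTT for any successful resumption, but the TODO above it names only ALPN and SNI; 0-RTT also requires that the PSK the client bound its early data to is the one actually selected (its first identity) and that the negotiated suite's hash matches the resumed session, and neither is visible in this hunk — if that is enforced where hs.sessionState is resolved, outside the hunk, the comment should say so. Suggest widening the TODO to `// TODO(nharper): This does not check that ALPN or SNI matches, nor that the selected PSK is the client's first identity or that the suite matches the session.` The ExpectEarlyData loop compares one decrypted record payload per expected message with `bytes.Equal`, so a client that splits one message across records or coalesces two fails the test even when the bytes are correct; a comment on the config field saying the match is per-record would spare the next person a confusing failure. The blank line before the loop's closing brace is presumably dropped by gofmt. The enclosing function starts and ends outside this hunk.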
@@ -731,8 +749,8 @@
// Switch to handshake traffic keys.
serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(serverHandshakeTrafficLabel)
c.out.useTrafficSecret(c.vers, hs.suite, serverHandshakeTrafficSecret, serverWrite)
+ // Derive handshake traffic read key, but don't switch yet.
clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(clientHandshakeTrafficLabel)
- c.in.useTrafficSecret(c.vers, hs.suite, clientHandshakeTrafficSecret, clientWrite)
// Send EncryptedExtensions.
hs.writeServerHash(encryptedExtensions.marshal())
@@ -865,6 +883,19 @@
}
}
+ // Read end_of_early_data alert.
+ if encryptedExtensions.extensions.hasEarlyData {
+ if err := c.readRecord(recordTypeAlert); err != errEndOfEarlyDataAlert {
+ if err == nil {
+ panic("readRecord(recordTypeAlert) returned nil")
+ }
+ return err
+ }
+ }
+
+ // Switch input stream to handshake traffic keys.
+ c.in.useTrafficSecret(c.vers, hs.suite, clientHandshakeTrafficSecret, clientWrite)
+
// If we requested a client certificate, then the client must send a
// certificate message, even if it's empty.
if config.ClientAuth >= RequestClientCert {
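Review bot: The `panic("readRecord(recordTypeAlert) returned nil")` branch deserves a one-line explanation, since nothing here shows why a nil return is impossible; presumably readRecord reports every alert as a non-nil error (with errEndOfEarlyDataAlert as the sentinel), so nil means a runner bug rather than peer misbehaviour, and a comment such as `// readRecord surfaces every alert as an error, so nil here is a runner bug.` would make that intent explicit. Note also that the key switch at `c.in.useTrafficSecret(c.vers, hs.suite, clientHandshakeTrafficSecret, clientWrite)` is unconditional, so in the rejected-0-RTT case it relies on the record layer having discarded the client's early-data records under c.skipEarlyData before the next read — worth stating in the comment above the switch, as that flag is set in an earlier hunk and cannot be verified from here. The enclosing function continues past this hunk.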