Only skip early data with HRR when offered.

TLS 1.3 servers should only skip early data if the client offered it.
Our HRR codepath didn't quite get this right. This CL is the minimal fix
for this issue, but I think we should rearrange this logic slightly
rather than deciding to do 0-RTT and then changing our mind. The next CL
will do that.

(This bug does not have any interoperability consequences. When
configured to skip early data, we're happy to vacuously skip over zero
early data records. We were just less strict than we should be.)

Change-Id: Ida42134b92b4df708b2bb959c536580bec454165
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46764
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 3c8c2b2..e076e3c 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -13582,6 +13582,23 @@
 
 	testCases = append(testCases, testCase{
 		testType: serverTest,
+		name:     "SkipEarlyData-OmitEarlyDataExtension-HelloRetryRequest-TLS13",
+		config: Config{
+			MaxVersion: VersionTLS13,
+			// Require a HelloRetryRequest for every curve.
+			DefaultCurves: []CurveID{},
+			Bugs: ProtocolBugs{
+				SendFakeEarlyDataLength: 4,
+				OmitEarlyDataExtension:  true,
+			},
+		},
+		shouldFail:         true,
+		expectedError:      ":UNEXPECTED_RECORD:",
+		expectedLocalError: "remote error: unexpected message",
+	})
+
+	testCases = append(testCases, testCase{
+		testType: serverTest,
 		name:     "SkipEarlyData-TooMuchData-TLS13",
 		config: Config{
 			MaxVersion: VersionTLS13,
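Review bot: The new SkipEarlyData-OmitEarlyDataExtension-HelloRetryRequest-TLS13 case has no comment explaining why the handshake must fail, so the pairing of `SendFakeEarlyDataLength: 4` with `OmitEarlyDataExtension: true` reads as arbitrary to someone who has not seen the commit message. A short comment above `name:` would help, saying that the client sends a fake early data record without offering early_data and that the server must reject it rather than skip it after HelloRetryRequest. That makes the expected `:UNEXPECTED_RECORD:` and the "unexpected message" alert self-explanatory. The existing comment on `DefaultCurves: []CurveID{}` is a good model for the level of detail.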
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index 4ddb281..adc9d39 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -506,7 +506,9 @@
         ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
         ssl->s3->early_data_accepted = false;
       }
-      ssl->s3->skip_early_data = true;
+      if (hs->early_data_offered) {
+        ssl->s3->skip_early_data = true;
+      }
       ssl->method->next_message(ssl);
       if (!hs->transcript.UpdateForHelloRetryRequest()) {
         return ssl_hs_error;
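Review bot: The new `if (hs->early_data_offered)` guard around `ssl->s3->skip_early_data = true;` has no comment stating the invariant it enforces, and the commit message says this logic will be rearranged in a follow-up. A one-line comment here would make the rule harder to lose in that refactor: records are skipped only when the client offered early data, so a stray record from a client that did not offer it is treated as unexpected. The guard also sits directly after the block that sets `early_data_accepted = false`, so it would be worth stating whether `early_data_offered` is already implied inside that block, which the visible lines leave unclear.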