Add wait eoed state

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>

include/mbedtls/ssl.h

@@ -533,6 +533,7 @@
 #define MBEDTLS_SSL_HS_SERVER_HELLO             2
 #define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST     3
 #define MBEDTLS_SSL_HS_NEW_SESSION_TICKET       4
+#define MBEDTLS_SSL_HS_END_OF_EARLY_DATA        5
 #define MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS     8 // NEW IN TLS 1.3
 #define MBEDTLS_SSL_HS_CERTIFICATE             11
 #define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE     12
@@ -673,6 +674,7 @@ typedef enum
     MBEDTLS_SSL_HELLO_RETRY_REQUEST,
     MBEDTLS_SSL_ENCRYPTED_EXTENSIONS,
     MBEDTLS_SSL_WAIT_FLIGHT2,
+    MBEDTLS_SSL_END_OF_EARLY_DATA,
     MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY,
     MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED,
     MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO,

library/ssl_tls13_server.c

@@ -2674,6 +2674,20 @@ static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
         return( ret );
     }
 
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+    if( mbedtls_ssl_tls13_early_data_is_accepted( ssl ) )
+    {
+        /* TODO: compute early transform here? */
+        MBEDTLS_SSL_DEBUG_MSG(
+            1, ( "Switch to early keys for inbound traffic. "
+                     "( K_recv = early data )" ) );
+        mbedtls_ssl_set_inbound_transform(
+            ssl, ssl->handshake->transform_earlydata );
+        mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_END_OF_EARLY_DATA );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
     MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
     mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
 
@@ -2714,6 +2728,109 @@ static int ssl_tls13_process_wait_flight2( mbedtls_ssl_context *ssl )
     return( 0 );
 }
 
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+/*
+ * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA( WAIT_EOED )
+ *
+ * RFC 8446 section A.2
+ *
+ *                 |
+ *    +------> WAIT_EOED -+
+ *    |       Recv |      | Recv EndOfEarlyData
+ *    | early data |      | K_recv = handshake
+ *    +------------+      |
+ *                        |
+ *  WAIT_FLIGHT2 <--------+
+ *                                 |
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_wait_eoed( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_tls13_process_wait_eoed" ) );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    /* RFC 8446 section 4.5
+     *
+     * struct {} EndOfEarlyData;
+     */
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE        &&
+        ssl->in_msg[0]  == MBEDTLS_SSL_HS_END_OF_EARLY_DATA )
+    {
+        MBEDTLS_SSL_DEBUG_MSG(
+            1, ( "Switch to handshake keys for inbound traffic"
+                     "( K_recv = handshake )" ) );
+        mbedtls_ssl_set_inbound_transform( ssl, handshake->transform_handshake );
+        mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_WAIT_FLIGHT2 );
+
+        mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
+                                            MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
+                                            0 );
+
+        ret = 0;
+        goto cleanup;
+
+    }
+
+    /* RFC 8446 section 2.3 figure 4
+     *
+     * 0-RTT data is sent via application data message.
+     */
+    ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
+    {
+        MBEDTLS_SSL_DEBUG_MSG(
+            2, ( "Unexpected message type %d", ssl->in_msgtype ) );
+        goto cleanup;
+    }
+
+    /* Output early data
+     * TODO: Remove it if `mbedtls_ssl_read_early_data` is implemented and the
+     *       data is printed out.
+     */
+    ssl->in_msg[ssl->in_msglen] = 0;
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "\n%s", ssl->in_msg ) );
+
+    /* RFC 8446 section 4.6.1
+     *
+     * A server receiving more than max_early_data_size bytes of 0-RTT data
+     * SHOULD terminate the connection with an "unexpected_message" alert.
+     *
+     * TODO: For time being, we use configured max_early_data_size. But the
+     *       value looks more reasonable, and it is not available now. When
+     *       early data extension of NST is added, below code should be changed.
+     */
+    handshake->received_early_data_size += ssl->in_msglen;
+    if( handshake->received_early_data_size > ssl->conf->max_early_data_size )
+    {
+        MBEDTLS_SSL_DEBUG_MSG(
+            2, ( "EarlyData: Received size exceeds configured limitation."
+                     "(%" MBEDTLS_PRINTF_SIZET " > %u )",
+                 handshake->received_early_data_size,
+                 (unsigned int)ssl->conf->max_early_data_size ) );
+        goto cleanup;
+    }
+
+    ret = 0;
+
+cleanup:
+    if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE )
+    {
+        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
+                                      MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_process_wait_eoed" ) );
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
 /*
  * Handler for MBEDTLS_SSL_CLIENT_FINISHED
  */
@@ -3147,6 +3264,12 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
             ret = ssl_tls13_process_wait_flight2( ssl );
             break;
 
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+        case MBEDTLS_SSL_END_OF_EARLY_DATA:
+            ret = ssl_tls13_process_wait_eoed( ssl );
+            break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
         case MBEDTLS_SSL_CLIENT_FINISHED:
             ret = ssl_tls13_process_client_finished( ssl );
             break;