Change early data flag to input file

[xkqian]

Description

Originally we have one input option to control whether enable early data or not. Currently we need one extra parameter to input various length of early data. This pr will integrate them together.

This is part of #6542

PR checklist

Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")

• changelog provided, or not required
• backport done, or not required
• tests provided , or not required

[tom-cosgrove-arm]

@xkqian Should this PR be part of the Early Data epic?

[xkqian]

@xkqian Should this PR be part of the Early Data epic?

Yes, sure, this is part of #6542 I just want to split it into several small PRs to accelerate the review, and this is the the first one.

[ronald-cron-arm]

This looks almost good to me, just some minor suggestions.

[yuhaoth]

Some comments. I think the implementation looks too complex and miss some features for tests.

[yuhaoth]

Some new comments. And previous early_data option feedback is not addressed

[ronald-cron-arm]

Some minor comments

[ronald-cron-arm]

I am fine with the two options solution. I put a comment in one of Jerry's suggestion.

[yuhaoth]

LGTM

[ronald-cron-arm]

While thinking about what option to add to ssl_client2 for early data testing I think we have lost (at least that's my case) sight of its scope. It is mainly about testing the various TLS options and the compatibility with GnuTLS and OpenSSL. Negative and edge cases testing is not really in scope.

Thus I'd say let's keep things simple, for the time being at least:
one option early_data_file whose default value is "". If a valid file path is set to early_data_file, we enable early data on the client and in the reconnection case, before to call mbedtls_ssl_handshake() to reconnect we call mbedtls_ssl_write_early_data() that tries to write the early_data_file file data.

When we add more testing for early data we will see if they best fit in ssl-opt.sh or test_suite_ssl and we need to add other options in ssl_client2.

[yuhaoth]

While thinking about what option to add to ssl_client2 for early data testing I think we have lost (at least that's my case) sight of its scope. It is mainly about testing the various TLS options and the compatibility with GnuTLS and OpenSSL. Negative and edge cases testing is not really in scope.

Thus I'd say let's keep things simple, for the time being at least: one option early_data_file whose default value is "". If a valid file path is set to early_data_file, we enable early data on the client and in the reconnection case, before to call mbedtls_ssl_handshake() to reconnect we call mbedtls_ssl_write_early_data() that tries to write the early_data_file file data.

My target is to simple this PR. Let's make final decision in next PRs .
But if only one option, we have to do more things in this PR. early_data option come from development, it must be removed. I do not thinks we should remove or change it in this PR. That make things complex.

For the two options from your previous comments, I do not think empty file and invalid file are same. If they are same, we have to check the file length before call mbedtls_ssl_{handshake, write_early_data}() and reduce possible test case. And I do not mean we MUST add the test in ssl-opt.sh. But the amount of code is less and the test coverage is more, why not do like that?

When we add more testing for early data we will see if they best fit in ssl-opt.sh or test_suite_ssl and we need to add other options in ssl_client2.

Agree.
I think this PR just do two things enough.

• add early_data_file option
• add a empty function for writing early data in next PRs .

[xkqian]

Thus I'd say let's keep things simple, for the time being at least:
one option early_data_file whose default value is "". If a valid file path is set to early_data_file, we enable early data on the client and in the reconnection case, before to call mbedtls_ssl_handshake() to reconnect we call mbedtls_ssl_write_early_data() that tries to write the early_data_file file data.

Seems this is the first way which only provide one option, am I right? if yes, then the code before this commit: 57db590 can satisfy the requirements, of course, need addressing some comments.

My target is to simple this PR. Let's make final decision in next PRs . But if only one option, we have to do more things in this PR. early_data option come from development, it must be removed. I do not thinks we should remove or change it in this PR. That make things complex.

This comment prefer to reserve the early_data option and introduce another option named "early_data_file" as the source file read early data from. The latest code is trying to satisfy this requirement.

Seems we should agree with each other that which way we should take. and then I will revert code or keep the code accordingly.
(my original plan is: one option is enough for this case, but I am fine with two options. )

[xkqian]

I just revert the code to use the one option, which uses early_data as the input early data file.
In this PR, we can only replace the option, and in next PR, we can add the test code including: ssl_write_early_data(), and how to call it.
I think we can review it base one current version.

[ronald-cron-arm]

If with this changes you have what you need for your coming PRs implementing mbedtls_ssl_write_early_data() this is good enough to me.

[yuhaoth]

It has got CI failure
One change request and one nitpick comments.

[yuhaoth]

To fix the CI failure

Suggested change

	if (strlen(opt.early_data) > 0) {
	if ((early_data_fp = fopen(opt.early_data, "rb")) == NULL) {
	mbedtls_printf("failed\n ! Cannot open '%s' for reading.\n",
	opt.early_data);
	goto exit;
	}
	early_data_enabled = MBEDTLS_SSL_EARLY_DATA_ENABLED;
	}
	if (opt.early_data) {
	if ((early_data_fp = fopen(opt.early_data, "rb")) == NULL) {
	mbedtls_printf("failed\n ! Cannot open '%s' for reading.\n",
	opt.early_data);
	goto exit;
	}
	early_data_enabled = MBEDTLS_SSL_EARLY_DATA_ENABLED;
	}

[xkqian]

The CI failure is caused by the uninitialized file pointer early_data_fp.
opt.early_data will be default to "", this check maybe useless...

[yuhaoth]

Nitpick comment : move it to option check like previous version

Suggested change

	if (strlen(opt.early_data) > 0) {
	if ((early_data_fp = fopen(opt.early_data, "rb")) == NULL) {
	mbedtls_printf("failed\n ! Cannot open '%s' for reading.\n",
	opt.early_data);
	goto exit;
	}
	early_data_enabled = MBEDTLS_SSL_EARLY_DATA_ENABLED;
	}
	mbedtls_ssl_conf_early_data(&conf, early_data_fp ?MBEDTLS_SSL_EARLY_DATA_ENABLE: MBEDTLS_SSL_EARLY_DATA_DISABLE);

[xkqian]

I just see there are file processings like context_file, will treat it like what I have done, so I prefer that way.

[tom-cosgrove-arm]

@yuhaoth are you happy with this now, too?

[tom-cosgrove-arm]

(nit) presumably early data defaults to disabled, so we could move this into the if() and remove the variable?

[tom-cosgrove-arm]

LGTM