TLS 1.3: SRV: Implement mbedtls_ssl_read_early_data() #8692
Conversation
ronald-cron-arm
added
enhancement
needs-design-approval
needs-ci
ronald-cron-arm
force-pushed
the
read-early-data
branch
from
fd67189 to
89129fc
Compare
ronald-cron-arm
added
needs-review
tom-cosgrove-arm
added
priority-high
|
@mpg I believe I have addressed your comments. Following our discussions, I have also added documentation to highlight that mbedtls_ssl_handshake(), mbedtls_ssl_write() may now return a new error code. I have also simplified the read API. |
ronald-cron-arm
force-pushed
the
read-early-data
branch
2 times, most recently
from
91b6694 to
cc36a58
Compare
|
I have some troubles with generate_ssl_debug_helpers.py (only on CI, not locally ...), trying to figure out the commit causing the problem. Sorry for the noise. |
ronald-cron-arm
force-pushed
the
read-early-data
branch
3 times, most recently
from
fa45464 to
2614798
Compare
|
CI all green but Windows-2013 not finished, I think this is ready for review. |
There was a problem hiding this comment.
Thanks for addressing my feedback! Looks almost all good to me, just one question and a few suggestions.
The question (about not checking ssl->early_data_state.srv) is the only reason I'm not approving now. The suggestions are minor and could be left to a follow-up in the interest of avoiding another round-trip.
Note about my review: at this point I'm not familiar enough with the spec and our code to be confident we're only accepting early data when we should (for example, I had completely missed the thing about HRR). So, I'm mostly assuming that negotiation of EarlyData is correct as it has been reviewed before, and also we'll have an opportunity to revisit that when adding negative testing.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The main purpose is to know from the status if early data can be received of not and why. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The function will be used by mbedtls_ssl_read_early_data() as well. Signed-off-by: Jerry Yu <jerry.h.yu@arm.com> Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com> Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com> Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com> Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com> Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
MBEDTLS_SSL_EARLY_DATA implies MBEDTLS_SSL_PROTO_TLS1_3 thus MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA is equivalent to MBEDTLS_SSL_EARLY_DATA. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Introduce early_data_state SSL context field to distinguish better this internal state from the status values defined for the mbedtls_ssl_get_early_data_status() API. Distinguish also between the client and server states. Note that the client state are going to be documented and reworked as part of the implementation of mbedtls_ssl_write_early_data(). Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Do not progress the handshake in the API, just read early data if some has been detected by a previous call to mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or mbedtls_ssl_write(). Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
ronald-cron-arm
force-pushed
the
read-early-data
branch
from
2614798 to
abbf960
Compare
This reverts commit 0883b8b. Due to the scope reduction of mbedtls_ssl_read_early_data() it is not necessary anymore to refine the usage of early_data_status/state rather the opposite. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
ronald-cron-arm
force-pushed
the
read-early-data
branch
from
abbf960 to
b4cec58
Compare
Due to the scope reduction for mbedtls_ssl_read_early_data(), on server as early data state variable we now only need a flag in the handshake context indicating if the server has accepted early data or not. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
ronald-cron-arm
force-pushed
the
read-early-data
branch
from
b4cec58 to
38dbab9
Compare
I have removed it.
I think that's kind of normal you did not spot the need for the change relative to the reception of an HRR while reviewing this PR. The change does not fit well in this PR (I probably should have done it in another PR, sorry about that). It is indeed something we missed when working on and reviewing Otherwise I had to rebase following the merge of #8711. There was only one conflict, that was easy to resolve. |
There was a problem hiding this comment.
Thanks for addressing my feedback - and more, I really like the simplification of state handling on the server.
I still have mostly the same question though, which I've tried to clarify. To be clear: I'm not saying there's something wrong, just that I can't convince myself I know what the code is doing, at this point.
tom-cosgrove-arm
added
approved
Description
Fix #6341
Note for reviewers:
Following the work done in #6621, the implementation of
mbedtls_ssl_read_early_data()started in #6541 with the function following a logic similar as thembedtls_ssl_read()one with the function triggering an handshake sequence until some early data are found and returned to the caller. Working with that guideline I realized that the resulting function could also be used easily as a companion of the mbedtls_ssl_handshake/read/write() functions. These functions all trigger an handshake sequence and if as part of this sequence early data are detected, the functions return with an appropriate return value and then the caller can callmbedtls_ssl_read_early_data()to read the early data. That's convenient to adapt current mbedtls_ssl_handshake/read/write() workflows to read early data as well as I experienced when updating ssl_server2 to support early data. Thus now I am wondering if we should just keep the companion behavior ofmbedtls_ssl_read_early_data()and thus practically remove from it the call tombedtls_ssl_handshake(). This would narrow its scope and thus make it easier to apprehend and use I'd say. I would appreciate opinions, thoughts about that.Opted for the simplest:
mbedtls_ssl_read_early_data()does not trigger or resume the handshake (no call tombedtls_ssl_handshake()). It just read early data that have been detected by a previous call tombedtls_ssl_handshake(),mbedtls_ssl_handshake_step(),mbedtls_ssl_handshake_read()ormbedtls_ssl_handshake_write().PR checklist