diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 28cd33b115..e6ebd8e1df 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -122,7 +122,7 @@ int main(void) #define DFL_SNI NULL #define DFL_ALPN_STRING NULL #define DFL_GROUPS NULL -#define DFL_MAX_EARLY_DATA_SIZE NULL +#define DFL_MAX_EARLY_DATA_SIZE 0 #define DFL_SIG_ALGS NULL #define DFL_DHM_FILE NULL #define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM @@ -427,17 +427,11 @@ int main(void) #define USAGE_ECJPAKE "" #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#define ARRAY_LENGTH(a) (sizeof(a)/sizeof(a[0])) #if defined(MBEDTLS_SSL_EARLY_DATA) - #define USAGE_EARLY_DATA \ - " max_early_data_size=%%d default: -1 (disabled)\n" \ - " The max amount of 0-RTT data for 1st and 2nd connection\n" \ - " format: 1st_connection_value[,2nd_connection_value]\n" \ - " available values: < 0 (disabled), >= 0 (enabled).\n" \ - " The absolute value is the max amount of 0-RTT data \n" \ - " up to UINT32_MAX. \n" - + " max_early_data_size=%%d default: -1 (disabled)\n" \ + " options: -1 (disabled), " \ + " >= 0 (enabled, max amount of early data )\n" #else #define USAGE_EARLY_DATA "" #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -700,7 +694,7 @@ struct options { const char *cid_val_renego; /* the CID to use for incoming messages * after renegotiation */ int reproducible; /* make communication reproducible */ - const char *max_early_data_size; /* max amount list of early data */ + uint32_t max_early_data_size; /* max amount of early data */ int query_config_mode; /* whether to read config */ int use_srtp; /* Support SRTP */ int force_srtp_profile; /* SRTP protection profile to use or all */ @@ -1616,9 +1610,7 @@ int main(int argc, char *argv[]) #endif /* MBEDTLS_SSL_DTLS_SRTP */ #if defined(MBEDTLS_SSL_EARLY_DATA) - long long max_early_data_size_list[2]; - size_t max_early_data_size_count = 0; - size_t tls13_connection_counter = 0; + int tls13_early_data_enabled = MBEDTLS_SSL_EARLY_DATA_DISABLED; #endif #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf)); @@ -1988,23 +1980,12 @@ usage: #endif #if defined(MBEDTLS_SSL_EARLY_DATA) else if (strcmp(p, "max_early_data_size") == 0) { - char *endptr, *str; - opt.max_early_data_size = q; - str = endptr = q; - for (size_t early_data_size_iter = 0; - early_data_size_iter < ARRAY_LENGTH(max_early_data_size_list); - early_data_size_iter++) { - long long value = strtoll(str, &endptr, 0); - if (str == endptr || (*endptr != ',' && *endptr != '\0')) { - mbedtls_printf("fail\n illegal digital number for max_early_data_size %s\n", - endptr); - goto exit; - } - max_early_data_size_list[max_early_data_size_count++] = value; - if (*endptr == '\0') { - break; - } - str = endptr + 1; + long long value = atoll(q); + tls13_early_data_enabled = + value >= 0 ? MBEDTLS_SSL_EARLY_DATA_ENABLED : + MBEDTLS_SSL_EARLY_DATA_DISABLED; + if (tls13_early_data_enabled) { + opt.max_early_data_size = atoi(q); } } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -2826,6 +2807,14 @@ usage: mbedtls_ssl_conf_cert_req_ca_list(&conf, opt.cert_req_ca_list); } +#if defined(MBEDTLS_SSL_EARLY_DATA) + mbedtls_ssl_conf_early_data(&conf, tls13_early_data_enabled); + if (tls13_early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) { + mbedtls_ssl_conf_max_early_data_size( + &conf, opt.max_early_data_size); + } +#endif /* MBEDTLS_SSL_EARLY_DATA */ + #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) /* exercise setting DN hints for server certificate request * (Intended for use where the client cert expected has been signed by @@ -3323,17 +3312,6 @@ usage: mbedtls_printf(" ok\n"); reset: - -#if defined(MBEDTLS_SSL_EARLY_DATA) - if (tls13_connection_counter < max_early_data_size_count) { - long long max_early_data_size = max_early_data_size_list[tls13_connection_counter]; - mbedtls_ssl_conf_early_data( - &conf, max_early_data_size < 0 ? MBEDTLS_SSL_EARLY_DATA_DISABLED : - MBEDTLS_SSL_EARLY_DATA_ENABLED); - mbedtls_ssl_conf_max_early_data_size(&conf, (uint32_t) llabs(max_early_data_size)); - } - tls13_connection_counter++; -#endif /* MBEDTLS_SSL_EARLY_DATA */ #if !defined(_WIN32) if (received_sigterm) { mbedtls_printf(" interrupted by SIGTERM (not in net_accept())\n"); diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 74b6aa2d01..a4742030bc 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -490,22 +490,6 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_all." \ EARLY_DATA_INPUT_LEN_BLOCKS=$(( ( $( cat $EARLY_DATA_INPUT | wc -c ) + 31 ) / 32 )) EARLY_DATA_INPUT_LEN=$(( $EARLY_DATA_INPUT_LEN_BLOCKS * 32 )) -requires_gnutls_next -requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -run_test "TLS 1.3 G->m: EarlyData: feature is disabled, fail." \ - "$P_SRV force_version=tls13 debug_level=4 max_early_data_size=-1" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL -d 10 -r --earlydata $EARLY_DATA_INPUT" \ - 1 \ - -s "ClientHello: early_data(42) extension exists." \ - -s "EncryptedExtensions: early_data(42) extension does not exist." \ - -s "NewSessionTicket: early_data(42) extension does not exist." \ - -s "Last error was: -29056 - SSL - Verification of the message MAC failed" - requires_gnutls_next requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \