hannestschofenig / mbedtls

An open source, portable, easy to use, readable and flexible SSL library
https://tls.mbed.org
Apache License 2.0

[0-RTT] Use trial decryption if server rejects client 0-RTT attempt #386

Open jesiegel1 opened 2 years ago

jesiegel1 commented 2 years ago

Description

This PR adds server support for handling trial decryption in order to make test output accessible for the early data rejected case by using ssl_server2.c. Without trial decryption logic, early data rejected tests that use ssl_server2.c will fail due to decryption errors caused by the client sending early data before receiving and parsing the server's extensions.

RFC 8446: Ignore the extension and return a regular 1-RTT response. The server then skips past early data by attempting to deprotect received records using the handshake traffic key, discarding records which fail deprotection (up to the configured max_early_data_size). Once a record is deprotected successfully, it is treated as the start of the client's second flight and the server proceeds as with an ordinary 1-RTT handshake.

Status

READY

Requires Backporting

NO

Additional comments

The need for the skip_failed_decryption flag is to ensure we no longer drop records which fail deprotection once a record is deprotected successfully with the 1-RTT keys. The motivation was taken from Fizz, but I'd like to know if (1) there's a more appropriate place than mbedtls_ssl_read_record() to disable the flag, and (2) if there's other existing state we can leverage to avoid using an additional flag.

Todos

Steps to test or reproduce
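
Added example, not part of this pull request or of mbedtls: a small C model of the skip-past-early-data rule from the RFC 8446 text quoted in the description, showing why the skip window must close on the first successful deprotection and must be bounded by max_early_data_size. Only the names skip_failed_decryption and max_early_data_size come from the PR text; the types, functions, key labels and record flights are hypothetical, and a key label comparison stands in for real AEAD deprotection.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only; no mbedtls API is used. The names
 * skip_failed_decryption and max_early_data_size come from the PR text. */
enum { KEY_EARLY = 1, KEY_HANDSHAKE = 2 };            /* constructed key labels */
enum { REC_OK = 0, REC_SKIPPED = 1, REC_FATAL = -1 };
typedef struct { uint8_t key; size_t len; } record;   /* key stands in for AEAD keying */
typedef struct {
    int skip_failed_decryption;  /* set when the server rejects 0-RTT */
    size_t max_early_data_size;  /* cap on bytes that may be discarded */
    size_t skipped;              /* bytes discarded so far */
} skip_state;

/* Stand-in for AEAD deprotection: succeeds only under the matching key. */
static int deprotect(const record *r, uint8_t key) { return r->key == key ? 0 : -1; }

static int process_record(skip_state *st, const record *r)
{
    if (deprotect(r, KEY_HANDSHAKE) == 0) {
        st->skip_failed_decryption = 0;   /* first good record ends the skip window */
        return REC_OK;
    }
    if (!st->skip_failed_decryption) return REC_FATAL;  /* normal bad-MAC handling */
    if (r->len > st->max_early_data_size - st->skipped) return REC_FATAL; /* cap hit */
    st->skipped += r->len;                /* discard silently, keep reading */
    return REC_SKIPPED;
}

/* Returns the number of records delivered, or -1 if any record was fatal. */
int run_flight(const record *recs, size_t n, size_t max_early)
{
    skip_state st = { 1, max_early, 0 };  /* server has just rejected 0-RTT */
    int delivered = 0;
    for (size_t i = 0; i < n; i++) {
        int rc = process_record(&st, &recs[i]);
        if (rc == REC_FATAL) return -1;
        if (rc == REC_OK) delivered++;
    }
    return delivered;
}
/* Constructed flights: rejected early data, then the client's second flight. */
const record flight_ok[]   = { {KEY_EARLY, 100}, {KEY_EARLY, 200}, {KEY_HANDSHAKE, 52}, {KEY_HANDSHAKE, 40} };
const record flight_late[] = { {KEY_EARLY, 100}, {KEY_HANDSHAKE, 52}, {KEY_EARLY, 100} };

int main(void)
{
    printf("%d %d %d\n", run_flight(flight_ok, 4, 16384),
           run_flight(flight_late, 3, 16384), run_flight(flight_ok, 4, 250));
    return 0;
}
```

The second flight fails because an undecryptable record arrives after the window has closed, and the third call fails because the discarded bytes would exceed the 250-byte cap.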