Don't attempt to send early data in DTLS 1.3.

This implementation doesn't support early data in DTLS 1.3. If
configured to support early data, that configuration should be ignored
and it should not attempt to negotiate early data.

Bug: 42290594
Change-Id: I72799e133cf62a5d81069b610e75921f2f53e437
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/72668
Reviewed-by: David Benjamin <[email protected]>
Reviewed-by: Nick Harper <[email protected]>
Commit-Queue: Nick Harper <[email protected]>

ssl/handshake_client.cc

@@ -426,9 +426,11 @@ static ssl_early_data_reason_t should_offer_early_data(
     return ssl_early_data_disabled;
   }
 
-  if (hs->max_version < TLS1_3_VERSION) {
+  if (hs->max_version < TLS1_3_VERSION || SSL_is_dtls(ssl)) {
     // We discard inapplicable sessions, so this is redundant with the session
     // checks below, but reporting that TLS 1.3 was disabled is more useful.
+    //
+    // TODO(crbug.com/42290594): Support early data in DTLS 1.3.
     return ssl_early_data_protocol_version;
   }
 

ssl/test/bssl_shim.cc

@@ -660,7 +660,7 @@ static bool CheckHandshakeProperties(SSL *ssl, bool is_resume,
   }
 
   // The early data status is only applicable after the handshake is confirmed.
-  if (!SSL_in_early_data(ssl)) {
+  if (!SSL_in_early_data(ssl) && !SSL_is_dtls(ssl)) {
     if ((config->expect_accept_early_data && !SSL_early_data_accepted(ssl)) ||
         (config->expect_reject_early_data && SSL_early_data_accepted(ssl))) {
       fprintf(stderr,
@@ -679,6 +679,12 @@ static bool CheckHandshakeProperties(SSL *ssl, bool is_resume,
     }
   }
 
+  if (SSL_is_dtls(ssl) && SSL_in_early_data(ssl)) {
+    // TODO(crbug.com/42290594): Support early data for DTLS 1.3.
+    fprintf(stderr, "DTLS unexpectedly in early data\n");
+    return false;
+  }
+
   if (!config->psk.empty()) {
     if (SSL_get_peer_cert_chain(ssl) != nullptr) {
       fprintf(stderr, "Received peer certificate on a PSK cipher.\n");

ssl/test/runner/handshake_server.go

@@ -694,6 +694,10 @@ func (hs *serverHandshakeState) doTLS13Handshake() error {
 		hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret())
 	}
 
+	if hs.clientHello.hasEarlyData && c.isDTLS {
+		return errors.New("tls: early data extension received in DTLS")
+	}
+
 	hs.hello.hasKeyShare = true
 	if hs.sessionState != nil && config.Bugs.NegotiatePSKResumption {
 		hs.hello.hasKeyShare = false

ssl/test/runner/runner.go

@@ -1559,10 +1559,15 @@ func runTest(dispatcher *shimDispatcher, statusChan chan statusMsg, test *testCa
 				resumeConfig.MaxEarlyDataSize = 16384
 			}
 
-			// Configure the shim to send some data in early data.
-			flags = append(flags, "-on-resume-shim-writes-first")
-			if resumeConfig.Bugs.ExpectEarlyData == nil {
-				resumeConfig.Bugs.ExpectEarlyData = [][]byte{[]byte(shimInitialWrite)}
+			// In DTLS 1.3, we're setting flags to configure the client to attempt
+			// sending early data, but we expect it to realize that it's incapable
+			// of supporting early data and not send any.
+			if test.protocol != dtls {
+				// Configure the shim to send some data in early data.
+				flags = append(flags, "-on-resume-shim-writes-first")
+				if resumeConfig.Bugs.ExpectEarlyData == nil {
+					resumeConfig.Bugs.ExpectEarlyData = [][]byte{[]byte(shimInitialWrite)}
+				}
 			}
 		} else {
 			// By default, send some early data and expect half-RTT data response.
@@ -5236,6 +5241,21 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) {
 		})
 	}
 
+	// Test that early data is disabled for DTLS 1.3.
+	if config.protocol == dtls {
+		tests = append(tests, testCase{
+			testType: clientTest,
+			protocol: dtls,
+			name: "DTLS13-EarlyData",
+			config: Config{
+				MaxVersion: VersionTLS13,
+				MinVersion: VersionTLS13,
+			},
+			resumeSession: true,
+			earlyData: true,
+		})
+	}
+
 	// TLS client auth.
 	// The following tests have a max version of 1.2, so they are not suitable
 	// for use with QUIC.