From b2cc7f313ec1c8386ace3b351457c33af8861ce2 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 23 Feb 2017 11:53:12 +0000
Subject: [PATCH] Implement client side parsing of the early_data extension

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
---
 ssl/statem/extensions.c      |  4 ++--
 ssl/statem/extensions_clnt.c | 28 ++++++++++++++++++++++++++++
 ssl/statem/statem_locl.h     |  2 ++
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index f8bd47a1e0..2b137701f0 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -138,8 +138,8 @@ static const EXTENSION_DEFINITION ext_defs[] = {
     {
         TLSEXT_TYPE_early_data,
         EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
-        NULL, tls_parse_ctos_early_data, NULL, tls_construct_stoc_early_data,
-        tls_construct_ctos_early_data, NULL
+        NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
+        tls_construct_stoc_early_data, tls_construct_ctos_early_data, NULL
     },
 #ifndef OPENSSL_NO_EC
     {
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index d80080740f..1dbc355e2b 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -125,6 +125,12 @@ int tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, unsigned int context,
         return 0;
     }
 
+    /*
+     * We set this to rejected here. Later, if the server acknowledges the
+     * extension, we set it to accepted.
+     */
+    s->ext.early_data = SSL_EARLY_DATA_REJECTED;
+
     return 1;
 }
 
@@ -917,6 +923,28 @@ int tls_parse_stoc_early_data_info(SSL *s, PACKET *pkt, unsigned int context,
     return 1;
 }
 
+int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
+                              X509 *x, size_t chainidx, int *al)
+{
+    if (PACKET_remaining(pkt) != 0) {
+        *al = SSL_AD_DECODE_ERROR;
+        return 0;
+    }
+
+    if (s->ext.early_data != SSL_EARLY_DATA_REJECTED) {
+        /*
+         * If we get here then we didn't send early data, so the server should
+         * not be accepting it.
+         */
+        *al = SSL_AD_ILLEGAL_PARAMETER;
+        return 0;
+    }
+
+    s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
+
+    return 1;
+}
+
 #ifndef OPENSSL_NO_EC
 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx, int *al)
diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h
index 9dc9b1f515..eb80b71353 100644
--- a/ssl/statem/statem_locl.h
+++ b/ssl/statem/statem_locl.h
@@ -339,6 +339,8 @@ int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
                                X509 *x, size_t chainidx, int *al);
 int tls_parse_stoc_early_data_info(SSL *s, PACKET *pkt, unsigned int context,
                               X509 *x, size_t chainidx, int *al);
+int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
+                              X509 *x, size_t chainidx, int *al);
 #ifndef OPENSSL_NO_EC
 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx, int *al);
-- 
2.25.1