1TLS 1.3 support 2=============== 3 4Overview 5-------- 6 7Mbed TLS provides a partial implementation of the TLS 1.3 protocol defined in 8the "Support description" section below. The TLS 1.3 support enablement 9is controlled by the MBEDTLS_SSL_PROTO_TLS1_3 configuration option. 10 11The development of the TLS 1.3 protocol is based on the TLS 1.3 prototype 12located at https://github.com/hannestschofenig/mbedtls. The prototype is 13itself based on a version of the development branch that we aim to keep as 14recent as possible (ideally the head) by merging regularly commits of the 15development branch into the prototype. The section "Prototype upstreaming 16status" below describes what remains to be upstreamed. 17 18 19Support description 20------------------- 21 22- Overview 23 24 - Mbed TLS implements both the client and the server side of the TLS 1.3 25 protocol. 26 27 - Mbed TLS supports ECDHE key establishment. 28 29 - Mbed TLS does not support DHE key establishment. 30 31 - Mbed TLS supports pre-shared keys for key establishment, pre-shared keys 32 provisioned externally as well as provisioned via the ticket mechanism. 33 34 - Mbed TLS supports session resumption via the ticket mechanism. 35 36 - Mbed TLS does not support sending or receiving early data (0-RTT data). 37 38- Supported cipher suites: depends on the library configuration. Potentially 39 all of them: 40 TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, 41 TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256. 42 43- Supported ClientHello extensions: 44 45 | Extension | Support | 46 | ---------------------------- | ------- | 47 | server_name | YES | 48 | max_fragment_length | no | 49 | status_request | no | 50 | supported_groups | YES | 51 | signature_algorithms | YES | 52 | use_srtp | no | 53 | heartbeat | no | 54 | apln | YES | 55 | signed_certificate_timestamp | no | 56 | client_certificate_type | no | 57 | server_certificate_type | no | 58 | padding | no | 59 | key_share | YES | 60 | pre_shared_key | YES | 61 | psk_key_exchange_modes | YES | 62 | early_data | no | 63 | cookie | no | 64 | supported_versions | YES | 65 | certificate_authorities | no | 66 | post_handshake_auth | no | 67 | signature_algorithms_cert | no | 68 69 70- Supported groups: depends on the library configuration. 71 Potentially all ECDHE groups: 72 secp256r1, x25519, secp384r1, x448 and secp521r1. 73 74 Finite field groups (DHE) are not supported. 75 76- Supported signature algorithms (both for certificates and CertificateVerify): 77 depends on the library configuration. 78 Potentially: 79 ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, 80 rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, rsa_pss_rsae_sha256, 81 rsa_pss_rsae_sha384 and rsa_pss_rsae_sha512. 82 83 Note that in absence of an application profile standard specifying otherwise 84 rsa_pkcs1_sha256, rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256 are 85 mandatory (see section 9.1 of the specification). 86 87- Supported versions: 88 89 - TLS 1.2 and TLS 1.3 with version negotiation on the client side, not server 90 side. 91 92 - TLS 1.2 and TLS 1.3 can be enabled in the build independently of each 93 other. 94 95 - If both TLS 1.3 and TLS 1.2 are enabled at build time, only one of them can 96 be configured at runtime via `mbedtls_ssl_conf_{min,max}_tls_version` for a 97 server endpoint. Otherwise, `mbedtls_ssl_setup` will raise 98 `MBEDTLS_ERR_SSL_BAD_CONFIG` error. 99 100- Compatibility with existing SSL/TLS build options: 101 102 The TLS 1.3 implementation is compatible with nearly all TLS 1.2 103 configuration options in the sense that when enabling TLS 1.3 in the library 104 there is rarely any need to modify the configuration from that used for 105 TLS 1.2. There are two exceptions though: the TLS 1.3 implementation requires 106 MBEDTLS_PSA_CRYPTO_C and MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, so these options 107 must be enabled. 108 109 Most of the Mbed TLS SSL/TLS related options are not supported or not 110 applicable to the TLS 1.3 implementation: 111 112 | Mbed TLS configuration option | Support | 113 | ---------------------------------------- | ------- | 114 | MBEDTLS_SSL_ALL_ALERT_MESSAGES | no | 115 | MBEDTLS_SSL_ASYNC_PRIVATE | no | 116 | MBEDTLS_SSL_CONTEXT_SERIALIZATION | no | 117 | MBEDTLS_SSL_DEBUG_ALL | no | 118 | MBEDTLS_SSL_ENCRYPT_THEN_MAC | n/a | 119 | MBEDTLS_SSL_EXTENDED_MASTER_SECRET | n/a | 120 | MBEDTLS_SSL_KEEP_PEER_CERTIFICATE | no (1) | 121 | MBEDTLS_SSL_RENEGOTIATION | n/a | 122 | MBEDTLS_SSL_MAX_FRAGMENT_LENGTH | no | 123 | | | 124 | MBEDTLS_SSL_SESSION_TICKETS | yes | 125 | MBEDTLS_SSL_SERVER_NAME_INDICATION | yes | 126 | MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH | no | 127 | | | 128 | MBEDTLS_ECP_RESTARTABLE | no | 129 | MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED | no | 130 | | | 131 | MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (2) | 132 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED | n/a | 133 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a | 134 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED | n/a | 135 | MBEDTLS_KEY_EXCHANGE_RSA_ENABLED | n/a | 136 | MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED | n/a | 137 | MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED | n/a | 138 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED | n/a | 139 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED | n/a | 140 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED | n/a | 141 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED | n/a | 142 | | | 143 | MBEDTLS_PSA_CRYPTO_C | no (1) | 144 | MBEDTLS_USE_PSA_CRYPTO | yes | 145 146 (1) These options must remain in their default state of enabled. 147 (2) See the TLS 1.3 specific build options section below. 148 149- TLS 1.3 specific build options: 150 151 - MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE enables the support for middlebox 152 compatibility mode as defined in section D.4 of RFC 8446. 153 154 - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED enables the support for 155 the PSK key exchange mode as defined by RFC 8446. If it is the only key 156 exchange mode enabled, the TLS 1.3 implementation does not contain any code 157 related to key exchange protocols, certificates and signatures. 158 159 - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED enables the 160 support for the ephemeral key exchange mode. If it is the only key exchange 161 mode enabled, the TLS 1.3 implementation does not contain any code related 162 to PSK based key exchange. The ephemeral key exchange mode requires at least 163 one of the key exchange protocol allowed by the TLS 1.3 specification, the 164 parsing and validation of x509 certificates and at least one signature 165 algorithm allowed by the TLS 1.3 specification for signature computing and 166 verification. 167 168 - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED enables the 169 support for the PSK ephemeral key exchange mode. If it is the only key 170 exchange mode enabled, the TLS 1.3 implementation does not contain any code 171 related to certificates and signatures. The PSK ephemeral key exchange 172 mode requires at least one of the key exchange protocol allowed by the 173 TLS 1.3 specification. 174 175 176Prototype upstreaming status 177---------------------------- 178 179The following parts of the TLS 1.3 prototype remain to be upstreamed: 180 181- Sending (client) and receiving (server) early data (0-RTT data). 182 183- New TLS Message Processing Stack (MPS) 184 185 The TLS 1.3 prototype is developed alongside a rewrite of the TLS messaging layer, 186 encompassing low-level details such as record parsing, handshake reassembly, and 187 DTLS retransmission state machine. 188 189 MPS has the following components: 190 - Layer 1 (Datagram handling) 191 - Layer 2 (Record handling) 192 - Layer 3 (Message handling) 193 - Layer 4 (Retransmission State Machine) 194 - Reader (Abstracted pointer arithmetic and reassembly logic for incoming data) 195 - Writer (Abstracted pointer arithmetic and fragmentation logic for outgoing data) 196 197 Of those components, the following have been upstreamed 198 as part of `MBEDTLS_SSL_PROTO_TLS1_3`: 199 200 - Reader ([`library/mps_reader.h`](../../library/mps_reader.h)) 201 202 203Coding rules checklist for TLS 1.3 204---------------------------------- 205 206The following coding rules are aimed to be a checklist for TLS 1.3 upstreaming 207work to reduce review rounds and the number of comments in each round. They 208come along (do NOT replace) the project coding rules 209(https://mbed-tls.readthedocs.io/en/latest/kb/development/mbedtls-coding-standards). They have been 210established and discussed following the review of #4882 that was the 211PR upstreaming the first part of TLS 1.3 ClientHello writing code. 212 213TLS 1.3 specific coding rules: 214 215 - TLS 1.3 specific C modules, headers, static functions names are prefixed 216 with `ssl_tls13_`. The same applies to structures and types that are 217 internal to C modules. 218 219 - TLS 1.3 specific exported functions, structures and types are 220 prefixed with `mbedtls_ssl_tls13_`. 221 222 - Use TLS1_3 in TLS 1.3 specific macros. 223 224 - The names of macros and variables related to a field or structure in the 225 TLS 1.3 specification should contain as far as possible the field name as 226 it is in the specification. If the field name is "too long" and we prefer 227 to introduce some kind of abbreviation of it, use the same abbreviation 228 everywhere in the code. 229 230 Example 1: #define CLIENT_HELLO_RANDOM_LEN 32, macro for the length of the 231 `random` field of the ClientHello message. 232 233 Example 2 (consistent abbreviation): `mbedtls_ssl_tls13_write_sig_alg_ext()` 234 and `MBEDTLS_TLS_EXT_SIG_ALG`, `sig_alg` standing for 235 `signature_algorithms`. 236 237 - Regarding vectors that are represented by a length followed by their value 238 in the data exchanged between servers and clients: 239 240 - Use `<vector name>_len` for the name of a variable used to compute the 241 length in bytes of the vector, where <vector name> is the name of the 242 vector as defined in the TLS 1.3 specification. 243 244 - Use `p_<vector_name>_len` for the name of a variable intended to hold 245 the address of the first byte of the vector length. 246 247 - Use `<vector_name>` for the name of a variable intended to hold the 248 address of the first byte of the vector value. 249 250 - Use `<vector_name>_end` for the name of a variable intended to hold 251 the address of the first byte past the vector value. 252 253 Those idioms should lower the risk of mis-using one of the address in place 254 of another one which could potentially lead to some nasty issues. 255 256 Example: `cipher_suites` vector of ClientHello in 257 `ssl_tls13_write_client_hello_cipher_suites()` 258 ``` 259 size_t cipher_suites_len; 260 unsigned char *p_cipher_suites_len; 261 unsigned char *cipher_suites; 262 ``` 263 264 - Where applicable, use: 265 - the macros to extract a byte from a multi-byte integer MBEDTLS_BYTE_{0-8}. 266 - the macros to write in memory in big-endian order a multi-byte integer 267 MBEDTLS_PUT_UINT{8|16|32|64}_BE. 268 - the macros to read from memory a multi-byte integer in big-endian order 269 MBEDTLS_GET_UINT{8|16|32|64}_BE. 270 - the macro to check for space when writing into an output buffer 271 `MBEDTLS_SSL_CHK_BUF_PTR`. 272 - the macro to check for data when reading from an input buffer 273 `MBEDTLS_SSL_CHK_BUF_READ_PTR`. 274 275 These macros were introduced after the prototype was written thus are 276 likely not to be used in prototype where we now would use them in 277 development. 278 279 The three first types, MBEDTLS_BYTE_{0-8}, MBEDTLS_PUT_UINT{8|16|32|64}_BE 280 and MBEDTLS_GET_UINT{8|16|32|64}_BE improve the readability of the code and 281 reduce the risk of writing or reading bytes in the wrong order. 282 283 The two last types, `MBEDTLS_SSL_CHK_BUF_PTR` and 284 `MBEDTLS_SSL_CHK_BUF_READ_PTR`, improve the readability of the code and 285 reduce the risk of error in the non-completely-trivial arithmetic to 286 check that we do not write or read past the end of a data buffer. The 287 usage of those macros combined with the following rule mitigate the risk 288 to read/write past the end of a data buffer. 289 290 Examples: 291 ``` 292 hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len ); 293 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 ); 294 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 ); 295 ``` 296 297 - To mitigate what happened here 298 (https://github.com/Mbed-TLS/mbedtls/pull/4882#discussion_r701704527) from 299 happening again, use always a local variable named `p` for the reading 300 pointer in functions parsing TLS 1.3 data, and for the writing pointer in 301 functions writing data into an output buffer and only that variable. The 302 name `p` has been chosen as it was already widely used in TLS code. 303 304 - When an TLS 1.3 structure is written or read by a function or as part of 305 a function, provide as documentation the definition of the structure as 306 it is in the TLS 1.3 specification. 307 308General coding rules: 309 310 - We prefer grouping "related statement lines" by not adding blank lines 311 between them. 312 313 Example 1: 314 ``` 315 ret = ssl_tls13_write_client_hello_cipher_suites( ssl, buf, end, &output_len ); 316 if( ret != 0 ) 317 return( ret ); 318 buf += output_len; 319 ``` 320 321 Example 2: 322 ``` 323 MBEDTLS_SSL_CHK_BUF_PTR( cipher_suites_iter, end, 2 ); 324 MBEDTLS_PUT_UINT16_BE( cipher_suite, cipher_suites_iter, 0 ); 325 cipher_suites_iter += 2; 326 ``` 327 328 - Use macros for constants that are used in different functions, different 329 places in the code. When a constant is used only locally in a function 330 (like the length in bytes of the vector lengths in functions reading and 331 writing TLS handshake message) there is no need to define a macro for it. 332 333 Example: `#define CLIENT_HELLO_RANDOM_LEN 32` 334 335 - When declaring a pointer the dereferencing operator should be prepended to 336 the pointer name not appended to the pointer type: 337 338 Example: `mbedtls_ssl_context *ssl;` 339 340 - Maximum line length is 80 characters. 341 342 Exceptions: 343 344 - string literals can extend beyond 80 characters as we do not want to 345 split them to ease their search in the code base. 346 347 - A line can be more than 80 characters by a few characters if just looking 348 at the 80 first characters is enough to fully understand the line. For 349 example it is generally fine if some closure characters like ";" or ")" 350 are beyond the 80 characters limit. 351 352 If a line becomes too long due to a refactoring (for example renaming a 353 function to a longer name, or indenting a block more), avoid rewrapping 354 lines in the same commit: it makes the review harder. Make one commit with 355 the longer lines and another commit with just the rewrapping. 356 357 - When in successive lines, functions and macros parameters should be aligned 358 vertically. 359 360 Example: 361 ``` 362 int mbedtls_ssl_start_handshake_msg( mbedtls_ssl_context *ssl, 363 unsigned hs_type, 364 unsigned char **buf, 365 size_t *buf_len ); 366 ``` 367 368 - When a function's parameters span several lines, group related parameters 369 together if possible. 370 371 For example, prefer: 372 373 ``` 374 mbedtls_ssl_start_handshake_msg( ssl, hs_type, 375 buf, buf_len ); 376 ``` 377 over 378 ``` 379 mbedtls_ssl_start_handshake_msg( ssl, hs_type, buf, 380 buf_len ); 381 ``` 382 even if it fits. 383 384 385Overview of handshake code organization 386--------------------------------------- 387 388The TLS 1.3 handshake protocol is implemented as a state machine. The 389functions `mbedtls_ssl_tls13_handshake_{client,server}_step` are the top level 390functions of that implementation. They are implemented as a switch over all the 391possible states of the state machine. 392 393Most of the states are either dedicated to the processing or writing of an 394handshake message. 395 396The implementation does not go systematically through all states as this would 397result in too many checks of whether something needs to be done or not in a 398given state to be duplicated across several state handlers. For example, on 399client side, the states related to certificate parsing and validation are 400bypassed if the handshake is based on a pre-shared key and thus does not 401involve certificates. 402 403On the contrary, the implementation goes systematically though some states 404even if they could be bypassed if it helps in minimizing when and where inbound 405and outbound keys are updated. The `MBEDTLS_SSL_CLIENT_CERTIFICATE` state on 406client side is a example of that. 407 408The names of the handlers processing/writing an handshake message are 409prefixed with `(mbedtls_)ssl_tls13_{process,write}`. To ease the maintenance and 410reduce the risk of bugs, the code of the message processing and writing 411handlers is split into a sequence of stages. 412 413The sending of data to the peer only occurs in `mbedtls_ssl_handshake_step` 414between the calls to the handlers and as a consequence handlers do not have to 415care about the MBEDTLS_ERR_SSL_WANT_WRITE error code. Furthermore, all pending 416data are flushed before to call the next handler. That way, handlers do not 417have to worry about pending data when changing outbound keys. 418 419### Message processing handlers 420For message processing handlers, the stages are: 421 422* coordination stage: check if the state should be bypassed. This stage is 423optional. The check is either purely based on the reading of the value of some 424fields of the SSL context or based on the reading of the type of the next 425message. The latter occurs when it is not known what the next handshake message 426will be, an example of that on client side being if we are going to receive a 427CertificateRequest message or not. The intent is, apart from the next record 428reading to not modify the SSL context as this stage may be repeated if the 429next handshake message has not been received yet. 430 431* fetching stage: at this stage we are sure of the type of the handshake 432message we must receive next and we try to fetch it. If we did not go through 433a coordination stage involving the next record type reading, the next 434handshake message may not have been received yet, the handler returns with 435`MBEDTLS_ERR_SSL_WANT_READ` without changing the current state and it will be 436called again later. 437 438* pre-processing stage: prepare the SSL context for the message parsing. This 439stage is optional. Any processing that must be done before the parsing of the 440message or that can be done to simplify the parsing code. Some simple and 441partial parsing of the handshake message may append at that stage like in the 442ServerHello message pre-processing. 443 444* parsing stage: parse the message and restrict as much as possible any 445update of the SSL context. The idea of the pre-processing/parsing/post-processing 446organization is to concentrate solely on the parsing in the parsing function to 447reduce the size of its code and to simplify it. 448 449* post-processing stage: following the parsing, further update of the SSL 450context to prepare for the next incoming and outgoing messages. This stage is 451optional. For example, secret and key computations occur at this stage, as well 452as handshake messages checksum update. 453 454* state change: the state change is done in the main state handler to ease the 455navigation of the state machine transitions. 456 457 458### Message writing handlers 459For message writing handlers, the stages are: 460 461* coordination stage: check if the state should be bypassed. This stage is 462optional. The check is based on the value of some fields of the SSL context. 463 464* preparation stage: prepare for the message writing. This stage is optional. 465Any processing that must be done before the writing of the message or that can 466be done to simplify the writing code. 467 468* writing stage: write the message and restrict as much as possible any update 469of the SSL context. The idea of the preparation/writing/finalization 470organization is to concentrate solely on the writing in the writing function to 471reduce the size of its code and simplify it. 472 473* finalization stage: following the writing, further update of the SSL 474context to prepare for the next incoming and outgoing messages. This stage is 475optional. For example, handshake secret and key computation occur at that 476stage (ServerHello writing finalization), switching to handshake keys for 477outbound message on server side as well. 478 479* state change: the state change is done in the main state handler to ease 480the navigation of the state machine transitions. 481 482 483Writing and reading early or 0-RTT data 484--------------------------------------- 485 486An application function to write and send a buffer of data to a server through 487TLS may plausibly look like: 488 489``` 490int write_data( mbedtls_ssl_context *ssl, 491 const unsigned char *data_to_write, 492 size_t data_to_write_len, 493 size_t *data_written ) 494{ 495 *data_written = 0; 496 497 while( *data_written < data_to_write_len ) 498 { 499 ret = mbedtls_ssl_write( ssl, data_to_write + *data_written, 500 data_to_write_len - *data_written ); 501 502 if( ret < 0 && 503 ret != MBEDTLS_ERR_SSL_WANT_READ && 504 ret != MBEDTLS_ERR_SSL_WANT_WRITE ) 505 { 506 return( ret ); 507 } 508 509 *data_written += ret; 510 } 511 512 return( 0 ); 513} 514``` 515where ssl is the SSL context to use, data_to_write the address of the data 516buffer and data_to_write_len the number of data bytes. The handshake may 517not be completed, not even started for the SSL context ssl when the function is 518called and in that case the mbedtls_ssl_write() API takes care transparently of 519completing the handshake before to write and send data to the server. The 520mbedtls_ssl_write() may not been able to write and send all data in one go thus 521the need for a loop calling it as long as there are still data to write and 522send. 523 524An application function to write and send early data and only early data, 525data sent during the first flight of client messages while the handshake is in 526its initial phase, would look completely similar but the call to 527mbedtls_ssl_write_early_data() instead of mbedtls_ssl_write(). 528``` 529int write_early_data( mbedtls_ssl_context *ssl, 530 const unsigned char *data_to_write, 531 size_t data_to_write_len, 532 size_t *data_written ) 533{ 534 *data_written = 0; 535 536 while( *data_written < data_to_write_len ) 537 { 538 ret = mbedtls_ssl_write_early_data( ssl, data_to_write + *data_written, 539 data_to_write_len - *data_written ); 540 541 if( ret < 0 && 542 ret != MBEDTLS_ERR_SSL_WANT_READ && 543 ret != MBEDTLS_ERR_SSL_WANT_WRITE ) 544 { 545 return( ret ); 546 } 547 548 *data_written += ret; 549 } 550 551 return( 0 ); 552} 553``` 554Note that compared to write_data(), write_early_data() can also return 555MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA and that should be handled 556specifically by the user of write_early_data(). A fresh SSL context (typically 557just after a call to mbedtls_ssl_setup() or mbedtls_ssl_session_reset()) would 558be expected when calling `write_early_data`. 559 560All together, code to write and send a buffer of data as long as possible as 561early data and then as standard post-handshake application data could 562plausibly look like: 563 564``` 565ret = write_early_data( ssl, data_to_write, data_to_write_len, 566 &early_data_written ); 567if( ret < 0 && 568 ret != MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA ) 569{ 570 goto error; 571} 572 573ret = write_data( ssl, data_to_write + early_data_written, 574 data_to_write_len - early_data_written, &data_written ); 575if( ret < 0 ) 576 goto error; 577 578data_written += early_data_written; 579``` 580 581Finally, taking into account that the server may reject early data, application 582code to write and send a buffer of data could plausibly look like: 583``` 584ret = write_early_data( ssl, data_to_write, data_to_write_len, 585 &early_data_written ); 586if( ret < 0 && 587 ret != MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA ) 588{ 589 goto error; 590} 591 592/* 593 * Make sure the handshake is completed as it is a requisite to 594 * mbedtls_ssl_get_early_data_status(). 595 */ 596while( !mbedtls_ssl_is_handshake_over( ssl ) ) 597{ 598 ret = mbedtls_ssl_handshake( ssl ); 599 if( ret < 0 && 600 ret != MBEDTLS_ERR_SSL_WANT_READ && 601 ret != MBEDTLS_ERR_SSL_WANT_WRITE ) 602 { 603 goto error; 604 } 605} 606 607ret = mbedtls_ssl_get_early_data_status( ssl ); 608if( ret < 0 ) 609 goto error; 610 611if( ret == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED ) 612 early_data_written = 0; 613 614ret = write_data( ssl, data_to_write + early_data_written, 615 data_to_write_len - early_data_written, &data_written ); 616if( ret < 0 ) 617 goto error; 618 619data_written += early_data_written; 620``` 621 622Basically, the same holds for reading early data on the server side without the 623complication of possible rejection. An application function to read early data 624into a given buffer could plausibly look like: 625``` 626int read_early_data( mbedtls_ssl_context *ssl, 627 unsigned char *buffer, 628 size_t buffer_size, 629 size_t *data_len ) 630{ 631 *data_len = 0; 632 633 while( *data_len < buffer_size ) 634 { 635 ret = mbedtls_ssl_read_early_data( ssl, buffer + *data_len, 636 buffer_size - *data_len ); 637 638 if( ret < 0 && 639 ret != MBEDTLS_ERR_SSL_WANT_READ && 640 ret != MBEDTLS_ERR_SSL_WANT_WRITE ) 641 { 642 return( ret ); 643 } 644 645 *data_len += ret; 646 } 647 648 return( 0 ); 649} 650``` 651with again calls to read_early_data() expected to be done with a fresh SSL 652context. 653
