diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 66407083d..e548a216f 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -32,7 +32,6 @@
 #error "mbed TLS requires a platform with 8-bit chars"
 #endif
-/* Need std integer definition for checking max_early_data_size */
 #include
 #if defined(_WIN32)
@@ -854,9 +853,9 @@
 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C) && \
     ( !defined(MBEDTLS_SSL_MAX_EARLY_DATA_SIZE) || \
-      ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE <= 0 ) || \
+      ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE < 0 ) || \
       ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE > UINT32_MAX ) )
-#error "MBEDTLS_SSL_MAX_EARLY_DATA_SIZE MUST be defined and in range(1..UINT32_MAX)"
+#error "MBEDTLS_SSL_MAX_EARLY_DATA_SIZE MUST be defined and in range(0..UINT32_MAX)"
 #endif
 #if defined(MBEDTLS_SSL_PROTO_DTLS) && \
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index f33ce60b7..2172072ba 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1664,8 +1664,6 @@
  * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
  * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
  *
- * Requires: MBEDTLS_SSL_MAX_EARLY_DATA_SIZE >= 0
- *
  * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
  * is not enabled, this option does not have any effect on the build.
  *
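Review bot: The `#include` line left behind after the removed comment (its header name is not legible in this rendering) is still what supplies `UINT32_MAX` for the `MBEDTLS_SSL_MAX_EARLY_DATA_SIZE > UINT32_MAX` test further down this file, so dropping the comment removes the only statement of why the include is load-bearing. A later include cleanup would have nothing telling it that the header cannot go, and the resulting failure would only show up in server builds with MBEDTLS_SSL_EARLY_DATA set. Keep a one-line why-comment on it, e.g. `/* UINT32_MAX, for the MBEDTLS_SSL_MAX_EARLY_DATA_SIZE range check below */`.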
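Review bot: Relaxing `<= 0` to `< 0` makes 0 a legal compile-time default, but neither the check nor the `#error` text says what a zero default means for a server build. The ssl.h text added in this same commit says the server terminates the connection when a client sends more early data than the ticket allows, so a zero default would presumably make every issued ticket advertise zero bytes and abort any resumption that carries early data — fine if "compiled in but effectively off" is the intent, surprising if it is not. Add a comment above the `#if` stating the intent, e.g. `/* 0 is accepted: NOTE(review) confirm the server then advertises max_early_data_size = 0 and that this is the intended disabled default */`, or reject 0 again if it is not meant to be a working configuration.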
@@ -1678,9 +1676,13 @@
 /**
  * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
  *
- * The maximium amount of 0-RTT data(RFC8446 section 4.6.1).
- * It only works when MBEDTLS_SSL_EARLY_DATA is enabled and MUST be in range
- * 1...UINT32_MAX
+ * The default maximum amount of 0-RTT data. See the documentation of
+ * \c mbedtls_ssl_tls13_conf_max_early_data_size() for more information.
+ *
+ * It must be positive and smaller than UINT32_MAX.
+ *
+ * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not
+ * have any impact on the build.
  *
  * This feature is experimental, not completed and thus not ready for
  * production.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index edc1a9898..7ed735e35 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1524,14 +1524,12 @@ struct mbedtls_ssl_config
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
 #if defined(MBEDTLS_SSL_EARLY_DATA)
-#if defined(MBEDTLS_SSL_CLI_C)
     int MBEDTLS_PRIVATE(early_data_enabled);     /*!< Early data enablement:
                                                   *   - MBEDTLS_SSL_EARLY_DATA_DISABLED,
                                                   *   - MBEDTLS_SSL_EARLY_DATA_ENABLED */
-#endif /* MBEDTLS_SSL_CLI_C */
 #if defined(MBEDTLS_SSL_SRV_C)
-    /* The maximium amount of 0-RTT data. RFC 8446 section 4.6.1 */
+    /* The maximum amount of 0-RTT data. RFC 8446 section 4.6.1 */
     uint32_t MBEDTLS_PRIVATE(max_early_data_size);
 #endif /* MBEDTLS_SSL_SRV_C */
@@ -1951,7 +1949,6 @@ void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport );
 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_EARLY_DATA)
-#if defined(MBEDTLS_SSL_CLI_C)
 /**
  * \brief Set the early data mode
  *        Default: disabled on server and client
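Review bot: The new sentence `It must be positive and smaller than UINT32_MAX.` does not match the check this commit installs in check_config.h, which rejects only `< 0` and `> UINT32_MAX` — so 0 and UINT32_MAX itself both pass the compile-time check while this documentation forbids them, and "positive" leaves it ambiguous whether 0 was meant to be included. Pick one source of truth; if the check is authoritative, the line should read ` * It must be in the range 0..UINT32_MAX (inclusive); check_config.h enforces this.`, otherwise tighten the check to match. It would also help to say here that this is only the default and that mbedtls_ssl_tls13_conf_max_early_data_size() overrides it per configuration at run time, since the text currently links to that function only "for more information".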
@@ -1973,19 +1970,27 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
  */
 void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf, int early_data_enabled );
-#endif /* MBEDTLS_SSL_CLI_C */
 #if defined(MBEDTLS_SSL_SRV_C)
 /**
- * \brief Set the max_early_data_size parameter.
+ * \brief Set the maximum amount of 0-RTT data in bytes
+ *        Default: #MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
+ *
+ * This function sets the value of the max_early_data_size
+ * field of the early data indication extension included in
+ * the NewSessionTicket messages that the server may send.
+ *
+ * The value defines the maximum amount of 0-RTT data
+ * in bytes that a client will be allowed to send when using
+ * one of the tickets defined by the NewSessionTicket messages.
+ *
+ * \note When resuming a session using a ticket, if the server receives more
+ *       early data than allowed for the ticket, it terminates the connection.
+ *       The maximum amount of 0-RTT data should thus be large enough
+ *       to allow a minimum of early data to be exchanged.
  *
  * \param[in] conf The SSL configuration to use.
  * \param[in] max_early_data_size The maximum amount of 0-RTT data.
- *                                - 0 Disable 0-RTT feature.
- *
- * \note max_early_data_size MUST be smaller than
- *       MBEDTLS_SSL_MAX_EARLY_DATA_SIZE. Otherwise,
- *       MBEDTLS_SSL_MAX_EARLY_DATA_SIZE will be used.
  *
  * \warning This interface is experimental and may change without notice.
  *
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 14ffef20b..227f8841d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1699,13 +1699,11 @@ void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf,
 }
 #if defined(MBEDTLS_SSL_EARLY_DATA)
-#if defined(MBEDTLS_SSL_CLI_C)
 void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf, int early_data_enabled )
 {
     conf->early_data_enabled = early_data_enabled;
 }
-#endif /* MBEDTLS_SSL_CLI_C */
 #if defined(MBEDTLS_SSL_SRV_C)
 void mbedtls_ssl_tls13_conf_max_early_data_size(
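Review bot: The meaning of passing 0 is now undocumented: the removed `- 0 Disable 0-RTT feature.` bullet was the only statement of it, and the new text neither restores it nor points callers at mbedtls_ssl_tls13_conf_early_data() as the way to turn early data off on the server. Given the added note that the server terminates the connection when a client exceeds the advertised bound, a 0 presumably does not disable anything but makes every resumption that carries early data fail, which a caller porting from the old contract would not expect. State it explicitly, e.g. ` * \note A value of 0 does not disable early data; it advertises a zero budget, so any early data a client sends with such a ticket is rejected. Use mbedtls_ssl_tls13_conf_early_data() to disable the feature.` (wording to be confirmed against the server code). The dropped clamp-to-MBEDTLS_SSL_MAX_EARLY_DATA_SIZE note should likewise be replaced by a sentence saying whether the value is validated at all now; the setter body is outside this hunk, so I cannot tell from here.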