|
92 | 92 | #define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80 |
93 | 93 | /** |
94 | 94 | * Early data has been received as part of an on-going handshake. |
95 | | - * This error code can be returned only on server side. This error code can be |
96 | | - * returned by mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), |
97 | | - * mbedtls_ssl_read() and mbedtls_ssl_write() if early data has been received |
98 | | - * as part of the handshake sequence they triggered. To read the early |
99 | | - * data, call mbedtls_ssl_read_early_data(). |
| 95 | + * This error code can be returned only on server side if and only if early |
| 96 | + * data has been enabled by means of the mbedtls_ssl_conf_early_data() API. |
| 97 | + * This error code can then be returned by mbedtls_ssl_handshake(), |
| 98 | + * mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or mbedtls_ssl_write() if |
| 99 | + * early data has been received as part of the handshake sequence they |
| 100 | + * triggered. To read the early data, call mbedtls_ssl_read_early_data(). |
100 | 101 | */ |
101 | 102 | #define MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA -0x7C00 |
102 | 103 | /** Not possible to write early data */ |
@@ -2052,14 +2053,23 @@ void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode); |
2052 | 2053 | * \param conf The SSL configuration to use. |
2053 | 2054 | * \param early_data_enabled can be: |
2054 | 2055 | * |
2055 | | - * MBEDTLS_SSL_EARLY_DATA_DISABLED: early data functionality is disabled |
2056 | | - * This is the default on client and server. |
2057 | | - * |
2058 | | - * MBEDTLS_SSL_EARLY_DATA_ENABLED: early data functionality is enabled and |
2059 | | - * may be negotiated in the handshake. Application using |
2060 | | - * early data functionality needs to be aware of the |
2061 | | - * lack of replay protection of the early data application |
2062 | | - * payloads. |
| 2056 | + * MBEDTLS_SSL_EARLY_DATA_DISABLED: |
| 2057 | + * Early data functionality is disabled. This is the default on client and |
| 2058 | + * server. |
| 2059 | + * |
| 2060 | + * MBEDTLS_SSL_EARLY_DATA_ENABLED: |
| 2061 | + * Early data functionality is enabled and may be negotiated in the handshake. |
| 2062 | + * Application using early data functionality needs to be aware that the |
| 2063 | + * security properties for early data (also refered to as 0-RTT data) are |
| 2064 | + * weaker than those for other kinds of TLS data. See the documentation of |
| 2065 | + * mbedtls_ssl_write_early_data() and mbedtls_ssl_read_early_data() for more |
| 2066 | + * information. |
| 2067 | + * When early data functionality is enabled on server and only in that case, |
| 2068 | + * the call to one of the APIs that trigger or resume an handshake sequence, |
| 2069 | + * namely mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), |
| 2070 | + * mbedtls_ssl_read() or mbedtls_ssl_write() may return with the error code |
| 2071 | + * MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA indicating that some early data have |
| 2072 | + * been received. To read the early data, call mbedtls_ssl_read_early_data(). |
2063 | 2073 | * |
2064 | 2074 | * \warning This interface is experimental and may change without notice. |
2065 | 2075 | * |
@@ -4781,9 +4791,11 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, |
4781 | 4791 | * this case you must stop using the context (see below). |
4782 | 4792 | * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as |
4783 | 4793 | * defined in RFC 8446 (TLS 1.3 specification), has been |
4784 | | - * received as part of the handshake. This is server specific. |
4785 | | - * You must call mbedtls_ssl_read_early_data() to read the |
4786 | | - * early data before resuming the handshake. |
| 4794 | + * received as part of the handshake. This is server specific |
| 4795 | + * and may occur only if the early data feature has been |
| 4796 | + * enabled on server (see mbedtls_ssl_conf_early_data() |
| 4797 | + * documentation). You must call mbedtls_ssl_read_early_data() |
| 4798 | + * to read the early data before resuming the handshake. |
4787 | 4799 | * \return Another SSL error code - in this case you must stop using |
4788 | 4800 | * the context (see below). |
4789 | 4801 | * |
@@ -4934,10 +4946,11 @@ int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl); |
4934 | 4946 | * new connection using the same source port. See below. |
4935 | 4947 | * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as |
4936 | 4948 | * defined in RFC 8446 (TLS 1.3 specification), has been |
4937 | | - * received as part of an handshake triggered by the function. |
4938 | | - * This is server specific. You must call |
4939 | | - * mbedtls_ssl_read_early_data() to read the early data before |
4940 | | - * resuming the reading of post handshake application data. |
| 4949 | + * received as part of the handshake. This is server specific |
| 4950 | + * and may occur only if the early data feature has been |
| 4951 | + * enabled on server (see mbedtls_ssl_conf_early_data() |
| 4952 | + * documentation). You must call mbedtls_ssl_read_early_data() |
| 4953 | + * to read the early data before resuming the handshake. |
4941 | 4954 | * \return Another SSL error code - in this case you must stop using |
4942 | 4955 | * the context (see below). |
4943 | 4956 | * |
@@ -5015,10 +5028,11 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); |
5015 | 5028 | * the handshake when you're done attending other tasks. |
5016 | 5029 | * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as |
5017 | 5030 | * defined in RFC 8446 (TLS 1.3 specification), has been |
5018 | | - * received as part of an handshake triggered by the function. |
5019 | | - * This is server specific. You must call |
5020 | | - * mbedtls_ssl_read_early_data() to read the early data before |
5021 | | - * resuming the writing of application data. |
| 5031 | + * received as part of the handshake. This is server specific |
| 5032 | + * and may occur only if the early data feature has been |
| 5033 | + * enabled on server (see mbedtls_ssl_conf_early_data() |
| 5034 | + * documentation). You must call mbedtls_ssl_read_early_data() |
| 5035 | + * to read the early data before resuming the handshake. |
5022 | 5036 | * \return Another SSL error code - in this case you must stop using |
5023 | 5037 | * the context (see below). |
5024 | 5038 | * |
@@ -5101,6 +5115,22 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); |
5101 | 5115 | * \note This API is server specific. |
5102 | 5116 | * |
5103 | 5117 | * \note Early data is defined in the TLS 1.3 specification, RFC 8446. |
| 5118 | + * IMPORTANT NOTE from section 2.3 of the specification: |
| 5119 | + * |
| 5120 | + * "The security properties for 0-RTT data are weaker than |
| 5121 | + * those for other kinds of TLS data. Specifically: |
| 5122 | + * 1.This data is not forward secret, as it is encrypted |
| 5123 | + * solely under keys derived using the offered PSK. |
| 5124 | + * |
| 5125 | + * 2.There are no guarantees of non-replay between connections. |
| 5126 | + * Protection against replay for ordinary TLS 1.3 1-RTT data |
| 5127 | + * is provided via the server’s Random value, but 0-RTT data |
| 5128 | + * does not depend on the ServerHello and therefore has |
| 5129 | + * weaker guarantees. This is especially relevant if the |
| 5130 | + * data is authenticated either with TLS client |
| 5131 | + * authentication or inside the application protocol. The |
| 5132 | + * same warnings apply to any use of the |
| 5133 | + * early_exporter_master_secret." |
5104 | 5134 | * |
5105 | 5135 | * \note This function behaves mainly as mbedtls_ssl_read(). The |
5106 | 5136 | * specification of mbedtls_ssl_read() relevant to TLS 1.3 |
|
0 commit comments