TLS 1.3: Add mbedtls_ssl_write_early_data() API

[ronald-cron-arm]

Description

Second PR of two addressing #6340 .

PR checklist

• changelog not required, will add one for TLS 1.3 early data feature as a whole
• backport not required, new feature
• tests provided

[ronald-cron-arm]

@mpg I have addressed your comments, the Open CI is green, please have another look, thanks.

[mpg]

Btw, out of scope for this PR, but I think the early data APIs are a bit complex (not saying they're bad, I think 0-RTT is just a fairly complex feature of 1.3 so this reflects in the APIs), and a knowledge base article explaining everything a user needs to know (in general, client-side and server-side) would be helpful if we can write one at some point.

[ronald-cron-arm]

Btw, out of scope for this PR, but I think the early data APIs are a bit complex (not saying they're bad, I think 0-RTT is just a fairly complex feature of 1.3 so this reflects in the APIs), and a knowledge base article explaining everything a user needs to know (in general, client-side and server-side) would be helpful if we can write one at some point.

We have already something at the end of tls13-support.md. The read part is outdated but the write part not that much it seems. I've planned to update/fix it when addressing the wrap-up issue.

[mpg]

We have already something at the end of tls13-support.md. The read part is outdated but the write part not that much it seems. I've planned to update/fix it when addressing the wrap-up issue.

Great! Though I'll note as a user I would probably not be looking under docs/architecture. Probably worth splitting the document into two parts: one for developers (same location), one for users (probably just under docs?).

[mpg]

Thanks for addressing my feedback! Looking pretty good, only minor points left.

Also, it seems to me we can now remove the hack used for testing server before we had client support. Btw, now that we have a tls13_write_early_data test function, perhaps tls13_early_data should be renamed to tls13_read_early_data. Also, why doesn't that one have a NO_INDICATION_SENT scenario like the other two? (I'm OK with considering this whole paragraph out of scope as long as it's tracked somewhere.)

[ronald-cron-arm]

Also, it seems to me we can now remove the hack used for testing server before we had client support.

I've removed it in this PR (not used anymore) but I will reintroduced it in max_early_data_size PRs for negative testing purposes.

Btw, now that we have a tls13_write_early_data test function, perhaps tls13_early_data should be renamed to tls13_read_early_data.

Done

Also, why doesn't that one have a NO_INDICATION_SENT scenario like the other two? (I'm OK with considering this whole paragraph out of scope as long as it's tracked somewhere.)

Because not much happens I guess, but better with it thus I've added it.

[ronald-cron-arm]

@mpg @waleed-elmelegy-arm this is ready for the next round of reviews, thanks.

[mpg]

LGTM, thanks for addressing my feedback and answering my questions!

[ronald-cron-arm]

LGTM, thanks for addressing my feedback and answering my questions!

Thanks for the review and the questions. @waleed-elmelegy-arm please have a look, thanks.

[mpg]

Also, it seems to me we can now remove the hack used for testing server before we had client support.

I've removed it in this PR (not used anymore) but I will reintroduced it in max_early_data_size PRs for negative testing purposes.

Perhaps we shouldn't remove it then. #8854 will no longer build (when merged with development) once this is merged.

[ronald-cron-arm]

Also, it seems to me we can now remove the hack used for testing server before we had client support.

I've removed it in this PR (not used anymore) but I will reintroduced it in max_early_data_size PRs for negative testing purposes.

Perhaps we shouldn't remove it then. #8854 will no longer build (when merged with development) once this is merged.

I think if I keep it here the CI will fail on this PR because the function will not be used thus I guess we don't have really the choice.

[mpg]

Ah, good point. We'll just need to rebase 8854 when this one gets merged, then.

[waleed-elmelegy-arm]

Thanks for the PR, just some comments for better clarity but nothing really wrong.

[waleed-elmelegy-arm]

I think this gives the idea that this is a state that track the actual early data not the "early data indication extension" and later on when reading the documentation or the code you realise that it's not, so maybe it's clearer to mention it in the name like with adding "EXT" or "IND" or in any other way that indicates it.

[waleed-elmelegy-arm]

From the first glance it seems that "MBEDTLS_SSL_EARLY_DATA_STATUS_SENT" is the same as "MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE" but it's not because of sending changeCipher compatibility so maybe it's better to mention it here in the comments why it's not the case since I was only able to know from the ticket discussion.

[waleed-elmelegy-arm]

It seems to me that those three states are overlapping with the rest of the states for example "MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED" and "MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED" are both the same state as "MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED" but we still need to know the information of if the server accepted early data or not so maybe this can be split to maybe "Result" and "State" for example? or something close maybe.

[mpg]

Actually should we just use different enums for the return value of this function and the internal state? I think that would be clearer.

[ronald-cron-arm]

@waleed-elmelegy-arm thanks for your comments. The PR is already quite big and I was thinking that I could address your comments in a follow-up PR. @mpg @waleed-elmelegy-arm would you be fine with that?

[mpg]

Fine by me!