app-layer-ssl: decode early data extension in ClientHello record

Decode early data extension used by 0-RTT that is used to indicate that application data will be sent right after the ClientHello record.
7 years ago · 23993c18cd
parent 7556004a51
commit 23993c18cd
2 changed files with 18 additions and 0 deletions
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@ -1174,6 +1174,19 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state,
                break;
            }

+            case SSL_EXTENSION_EARLY_DATA:
+            {
+                if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
+                    /* Used by 0-RTT to indicate that encrypted data will
+                       be sent right after the ClientHello record. */
+                    ssl_state->flags |= SSL_AL_FLAG_EARLY_DATA;
+                }
+
+                input += ext_len;
+
+                break;
+            }
+
            case SSL_EXTENSION_SUPPORTED_VERSIONS:
            {
                ret = TLSDecodeHSHelloExtensionSupportedVersions(ssl_state, input,
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@ -110,6 +110,10 @@ enum {
   to log TLSv1.3 sessions. */
 #define SSL_AL_FLAG_LOG_WITHOUT_CERT            BIT_U32(22)

+/* Encountered a early data extension in client hello. This extension is
+   used by 0-RTT. */
+#define SSL_AL_FLAG_EARLY_DATA                  BIT_U32(23)
+
 /* config flags */
 #define SSL_TLS_LOG_PEM                         (1 << 0)

@ -118,6 +122,7 @@ enum {
 #define SSL_EXTENSION_ELLIPTIC_CURVES           0x000a
 #define SSL_EXTENSION_EC_POINT_FORMATS          0x000b
 #define SSL_EXTENSION_SESSION_TICKET            0x0023
+#define SSL_EXTENSION_EARLY_DATA                0x002a
 #define SSL_EXTENSION_SUPPORTED_VERSIONS        0x002b

 /* SNI types */