app-layer-ssl: decode early data extension in ClientHello record

Decode early data extension used by 0-RTT that is used to indicate that
application data will be sent right after the ClientHello record.

diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index b6a5c9b30da95b00267513cb77ebb37770d053e9..d2a0cc3022bd90f20291b20058a00c00b57acb5c 100644 (file)
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1174,6 +1174,19 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state,
                 break;
             }
 
+            case SSL_EXTENSION_EARLY_DATA:
+            {
+                if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
+                    /* Used by 0-RTT to indicate that encrypted data will
+                       be sent right after the ClientHello record. */
+                    ssl_state->flags |= SSL_AL_FLAG_EARLY_DATA;
+                }
+
+                input += ext_len;
+
+                break;
+            }
+
             case SSL_EXTENSION_SUPPORTED_VERSIONS:
             {
                 ret = TLSDecodeHSHelloExtensionSupportedVersions(ssl_state, input,

diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
index 468f445302c1a5da0a27b016de5e08dfa6e3c78a..d5e4adb03d674801db75169c34d2cbc3baa6a7ae 100644 (file)
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@@ -110,6 +110,10 @@ enum {
    to log TLSv1.3 sessions. */
 #define SSL_AL_FLAG_LOG_WITHOUT_CERT            BIT_U32(22)
 
+/* Encountered a early data extension in client hello. This extension is
+   used by 0-RTT. */
+#define SSL_AL_FLAG_EARLY_DATA                  BIT_U32(23)
+
 /* config flags */
 #define SSL_TLS_LOG_PEM                         (1 << 0)
 
@@ -118,6 +122,7 @@ enum {
 #define SSL_EXTENSION_ELLIPTIC_CURVES           0x000a
 #define SSL_EXTENSION_EC_POINT_FORMATS          0x000b
 #define SSL_EXTENSION_SESSION_TICKET            0x0023
+#define SSL_EXTENSION_EARLY_DATA                0x002a
 #define SSL_EXTENSION_SUPPORTED_VERSIONS        0x002b
 
 /* SNI types */