authorPeter Wu <peter@lekensteyn.nl>2017-02-07 16:15:01 +0100
committerAlexis La Goutte <alexis.lagoutte@gmail.com>2017-02-07 18:38:46 +0000
commitf958dd5acecda5a9f38500687718dce3ece26ed4 (patch)
treece209c4ade6c7dcd65b6dda9ed4f53b9c70b8582 /epan/dissectors/packet-ssl-utils.h
parent6d08a0e4c7f2c4c9ec10bca8a3d02c9442e5f8d9 (diff)
TLS13: support Early Data and accept CLIENT_EARLY_TRAFFIC_SECRET
Update "early_data" extension to draft 18 (context field is gone). Add support for "client_early_traffic_secret" to the keylog. Support decryption of 0-RTT data (required handling cipher in Client Hello and handling of "end_of_early_data" alert). Tested with tls13-18-picotls-earlydata.pcap, early data decrypts correctly. (The server data is messed up, but that is possibly the result of broken NewSessionTicket handling which throws a dissector exception and thus breaks the record sequence number.) Ping-Bug: 12779 Change-Id: I9e6aeeb08111d5d977f2c0ab855f14d6d86ca87d Reviewed-on: https://code.wireshark.org/review/19989 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-ssl-utils.h')
-rw-r--r--epan/dissectors/packet-ssl-utils.h10
1 files changed, 3 insertions, 7 deletions
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index 1a6f9e2c31..8ba3f1c451 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -431,6 +431,7 @@ typedef struct _SslDecryptSession {
StringInfo psk;
StringInfo app_data_segment;
SslSession session;
+ gboolean has_early_data;
} SslDecryptSession;
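Review bot: `has_early_data` is added to `SslDecryptSession` without a comment, and the name alone does not say whether it means the Client Hello offered the early_data extension or that 0-RTT records are currently expected on the wire. The flag presumably decides which traffic secret is applied to client records, so its set and clear conditions matter for correct decryption and belong at the declaration, for example `/* TRUE from a Client Hello carrying early_data until end_of_early_data is seen (confirm against the .c file) */`. The code that sets and clears it is outside this header, so the wording needs checking against it. The struct itself begins outside the hunk.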
@@ -458,6 +459,7 @@ typedef struct {
GHashTable *pms; /* Client Random to unencrypted pre-master secret */
/* For TLS 1.3: maps Client Random to derived secret. */
+ GHashTable *tls13_client_early;
GHashTable *tls13_client_handshake;
GHashTable *tls13_server_handshake;
GHashTable *tls13_client_appdata;
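Review bot: `tls13_client_early` is a fifth secret table inserted ahead of the four existing TLS 1.3 maps, and nothing in this header shows where those tables are created, cleared or destroyed. Every site that allocates or frees the sibling tables needs a matching line for the new one, otherwise lookups would hit a NULL table or the early traffic secrets would outlive a keylog reload; those sites are not visible here, so this is a check to make rather than a confirmed gap. A short per-field comment naming the keylog label would also help, e.g. `/* CLIENT_EARLY_TRAFFIC_SECRET */` on the new line. The struct continues outside the hunk.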
@@ -702,7 +704,6 @@ typedef struct ssl_common_dissect {
gint hs_ext_psk_binders_length;
gint hs_ext_psk_binders;
gint hs_ext_psk_identity_selected;
- gint hs_ext_early_data_obfuscated_ticket_age;
gint hs_ext_supported_versions_len;
gint hs_ext_supported_versions;
gint hs_ext_cookie_len;
@@ -958,7 +959,7 @@ ssl_common_dissect_t name = { \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
- -1, -1, -1, -1, -1, -1, -1, -1, -1, \
+ -1, -1, -1, -1, -1, -1, -1, -1, \
}, \
/* ett */ { \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
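Review bot: The `hf` initializer here is a hand-counted positional list of `-1`, and this change keeps it in step with the removed field only by deleting one `-1` from the last row. The compiler diagnoses a list that is too long, but a list that is too short silently zero-initializes the trailing members instead of leaving them at -1, and nothing in the hunk guards against that. A comment on the final row would make the invariant explicit for the next edit, e.g. `/* one -1 per member of the hf struct; update together with the struct */`. Both the macro and the struct it initializes extend beyond the hunk, so the full count cannot be verified from here.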
@@ -1122,11 +1123,6 @@ ssl_common_dissect_t name = { \
FT_UINT16, BASE_DEC, NULL, 0x0, \
NULL, HFILL } \
}, \
- { & name .hf.hs_ext_early_data_obfuscated_ticket_age, \
- { "Obfuscated ticket age", prefix ".handshake.extensions.early_data.obfuscated_ticket_age", \
- FT_UINT32, BASE_DEC, NULL, 0x0, \
- "The time since the client learned about the server configuration that it is using, in milliseconds", HFILL } \
- }, \
{ & name .hf.hs_ext_supported_versions_len, \
{ "Supported Versions length", prefix ".handshake.extensions.supported_versions_len", \
FT_UINT8, BASE_DEC, NULL, 0x0, \