*/
# define SSL_OP_TLS_ROLLBACK_BUG 0x00800000U
+/*
+ * Switches off automatic TLSv1.3 anti-replay protection for early data. This
+ * is a server-side option only (no effect on the client).
+ */
+# define SSL_OP_NO_ANTI_REPLAY 0x01000000U
+
# define SSL_OP_NO_SSLv3 0x02000000U
# define SSL_OP_NO_TLSv1 0x04000000U
# define SSL_OP_NO_TLSv1_2 0x08000000U
if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0
&& (!SSL_IS_TLS13(s)
|| !s->server
- || s->max_early_data > 0
+ || (s->max_early_data > 0
+ && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0)
|| s->session_ctx->remove_session_cb != NULL
|| (s->options & SSL_OP_NO_TICKET) != 0))
SSL_CTX_add_session(s->session_ctx, s->session);
# endif
SSL_psk_find_session_cb_func psk_find_session_cb;
SSL_psk_use_session_cb_func psk_use_session_cb;
+
+ int (*allow_early_data_cb)(SSL *s, SSL_SESSION *sess);
+
SSL_CTX *ctx;
/* Verified chain of peer */
STACK_OF(X509) *verified_chain;
* is no point in using full stateless tickets.
*/
if ((s->options & SSL_OP_NO_TICKET) != 0
- || s->max_early_data > 0)
+ || (s->max_early_data > 0
+ && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
ret = tls_get_stateful_ticket(s, &identity, &sess);
else
ret = tls_decrypt_ticket(s, PACKET_data(&identity),
/* Check for replay */
if (s->max_early_data > 0
+ && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
&& !SSL_CTX_remove_session(s->session_ctx, sess)) {
SSL_SESSION_free(sess);
sess = NULL;
* SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
* is no point in using full stateless tickets.
*/
- if (((s->options & SSL_OP_NO_TICKET) != 0 || s->max_early_data > 0)
- && SSL_IS_TLS13(s)) {
+ if (SSL_IS_TLS13(s)
+ && ((s->options & SSL_OP_NO_TICKET) != 0
+ || (s->max_early_data > 0
+ && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) {
if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
/* SSLfatal() already called */
goto err;