This also:
- corrects use of hs::incompatible for client certificate verification
failure.
- moves SNI varying across hello retries to be a PeerMisbehaved, since
that is explicitly disallowed by the standard.
Stores the parsed data for a handshake message payload alongside
the encoded version to avoid having to re-encode the message when
updating the transcript hash. Also avoids encoding outgoing handshake
message payloads twice.
Allow `inappropriate_handshake_message` to handle cases where
non-handshake messages are also accepted. This simplifies more callers.
I intentionally didn't try to simplify `check_message` because my next
set of commits would remove it.
At the same time, support the -resumption-delay flag in bogo_shim.
This is achieved by editing the session data as it is persisted.
This also enables bogo tests that we respect TLS1.2 ticket lifetimes.
This previously existed, but only for QUIC.
There are some unfortunate shortcomings with the protocol design here:
Because the client must send 0-RTT data whether or not the server
accepts it or even the client hello, there must be several
disjoint methods for identifying and skipping these messages. One
of these is in the record_layer.rs, and works by trial decryption.
Another happens if the server rejects the client's hello altogether,
and skips encrypted messages between the two client hellos.
The amount of data to skip is limited but -- because the design
appears to be defective -- the quantity is expressed (in
`max_early_data_size` provided with a ticket) in units of plaintext
bytes, but skipping data requires it in units of padded, tagged
ciphertext bytes. The server cannot compute one from the other,
so we're interpreting `max_early_data_size` as both at the same time.
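
Added example, not part of the commit message and not rustls code: a sketch of why a plaintext limit cannot be converted into a ciphertext skip allowance, using the TLS 1.3 record overhead from RFC 8446. `SkipBudget`, `ciphertext_len` and `skip_early_data` are hypothetical names, and the inputs are constructed.

```rust
// Added illustration; all names are hypothetical, none are rustls APIs.
// TLS 1.3 record protection (RFC 8446, section 5.2): ciphertext length is
// plaintext + 1 content-type byte + optional zero padding + AEAD tag.
const TAG_LEN: usize = 16; // tag size of the standard TLS 1.3 AEAD suites

/// Protected length of one record, excluding the 5-byte record header.
fn ciphertext_len(plaintext: usize, padding: usize) -> usize {
    plaintext + 1 + padding + TAG_LEN
}

/// Server-side allowance for discarding 0-RTT records it cannot decrypt.
struct SkipBudget {
    remaining: usize,
}

impl SkipBudget {
    /// Assumption: the plaintext limit is reused unchanged as a ciphertext limit.
    fn new(max_early_data_size: usize) -> Self {
        Self { remaining: max_early_data_size }
    }

    /// Charge one skipped record; Err means the peer exceeded the allowance.
    fn skip(&mut self, record_len: usize) -> Result<(), &'static str> {
        self.remaining = self.remaining.checked_sub(record_len).ok_or("skipped early data exceeds limit")?;
        Ok(())
    }
}

/// Constructed client: sends `total` plaintext bytes in `chunk`-byte records.
/// Returns (records skipped, whether all of them fit in the allowance).
fn skip_early_data(limit: usize, total: usize, chunk: usize) -> (usize, bool) {
    let mut budget = SkipBudget::new(limit);
    let (mut sent, mut skipped) = (0, 0);
    while sent < total {
        let n = chunk.min(total - sent);
        if budget.skip(ciphertext_len(n, 0)).is_err() {
            return (skipped, false);
        }
        sent += n;
        skipped += 1;
    }
    (skipped, true)
}

fn main() {
    println!("{:?}", skip_early_data(2048, 1024, 1024)); // one large record
    println!("{:?}", skip_early_data(2048, 1024, 1)); // same data, 1-byte records
}
```

The same 1024 plaintext bytes, well under a 2048-byte limit, fit the allowance as one record but exhaust it after 113 one-byte records, because each record carries 17 bytes of overhead the server cannot see through.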
This means the server can send application data in its first
flight. We only do this, though, if no client auth is in play
(as otherwise we'd be sending data to an unauthenticated peer,
and that would be exceedingly bad.)
This is useful for server-speaks-first protocols, as well as
replying to a 0-RTT request in a client-speaks-first one.
In terms of code changes, this splits start_traffic() into
start_incoming_traffic() and start_outgoing_traffic().
This represents the state that state machine `State` implementers
can manipulate. As such, we want the lifetime of references to
`CommonState` to be outlived by the `ConnectionCommon`'s handshake
joiner and deframer.