Move early_data meta data to its own map

To reduce memory when updating record states.

lib/ssl/src/ssl_record.erl

@@ -416,9 +416,10 @@ empty_connection_state(ConnectionEnd, Version, MaxEarlyDataSize) ->
     #{security_parameters => SecParams,
       cipher_state  => undefined,
       mac_secret  => undefined,
-      pending_early_data_size => MaxEarlyDataSize,
-      trial_decryption => false,
-      early_data_accepted => false,
+      early_data => #{pending_early_data_size => MaxEarlyDataSize,
+                      trial_decryption => false,
+                      early_data_accepted => false
+                     },
       reneg => #{secure_renegotiation => undefined,
                  client_verify_data => undefined,
                  server_verify_data => undefined}

lib/ssl/src/tls_record.erl

@@ -460,9 +460,10 @@ initial_connection_state(ConnectionEnd, MaxEarlyDataSize) ->
       sequence_number => 0,
       cipher_state  => undefined,
       mac_secret  => undefined,
-      pending_early_data_size => MaxEarlyDataSize,
-      trial_decryption => false,
-      early_data_expected => false,
+      early_data => #{pending_early_data_size => MaxEarlyDataSize,
+                      trial_decryption => false,
+                      early_data_expected => false
+                     },
       reneg => #{secure_renegotiation => undefined,
                  client_verify_data => undefined,
                  server_verify_data => undefined}

lib/ssl/src/tls_record_1_3.erl

@@ -115,9 +115,11 @@ decode_cipher_text(#ssl_tls{type = ?OPAQUE_TYPE,
 				  cipher_type = ?AEAD,
                                   bulk_cipher_algorithm =
                                       BulkCipherAlgo},
-                           pending_early_data_size := PendingMaxEarlyDataSize0,
-                           trial_decryption := TrialDecryption,
-                           early_data_accepted := EarlyDataAccepted
+                           early_data :=
+                               #{pending_early_data_size := PendingMaxEarlyDataSize0,
+                                 trial_decryption := TrialDecryption,
+                                 early_data_accepted := EarlyDataAccepted
+                                }
 			  } = ReadState0} = ConnectionStates0) ->
     case decipher_aead(CipherFragment, BulkCipherAlgo, Key, Seq, IV, TagLen) of
 	#alert{} when TrialDecryption =:= true andalso
@@ -198,24 +200,24 @@ decode_cipher_text(#ssl_tls{type = Type}, _) ->
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-ignore_early_data(ConnectionStates0, ReadState0, PendingMaxEarlyDataSize0,
-              BulkCipherAlgo, CipherFragment) ->
-    PendingMaxEarlyDataSize =
-        approximate_pending_early_data_size(PendingMaxEarlyDataSize0,
-                                            BulkCipherAlgo, CipherFragment),
-    ConnectionStates =
-         ConnectionStates0#{current_read =>
-                                ReadState0#{pending_early_data_size => PendingMaxEarlyDataSize}},
-     if PendingMaxEarlyDataSize < 0 ->
-             %% More early data is trial decrypted as the configured limit
-             ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC, {decryption_failed,
-                                                  {max_early_data_threshold_exceeded,
-                                                   PendingMaxEarlyDataSize}});
-        true ->
-             {no_record, ConnectionStates}
-     end.
-process_early_data(ConnectionStates0, ReadState0, PendingMaxEarlyDataSize0, Seq,
-                   PlainFragment) ->
+ignore_early_data(ConnectionStates0, #{early_data:=EarlyData0} = ReadState0,
+                  PendingMaxEarlyDataSize0,
+                  BulkCipherAlgo, CipherFragment) ->
+    PendingMaxEarlyDataSize = approximate_pending_early_data_size(PendingMaxEarlyDataSize0,
+                                                                  BulkCipherAlgo, CipherFragment),
+    EarlyData = EarlyData0#{pending_early_data_size => PendingMaxEarlyDataSize},
+    ConnectionStates = ConnectionStates0#{current_read => ReadState0#{early_data := EarlyData}},
+    if PendingMaxEarlyDataSize < 0 ->
+            %% More early data is trial decrypted as the configured limit
+            ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC, {decryption_failed,
+                                                 {max_early_data_threshold_exceeded,
+                                                  PendingMaxEarlyDataSize}});
+       true ->
+            {no_record, ConnectionStates}
+    end.
+
+process_early_data(ConnectionStates0, #{early_data:=EarlyData0} = ReadState0,
+                   PendingMaxEarlyDataSize0, Seq, PlainFragment) ->
     %% First packet is deciphered anyway so we must check if more early data is received
     %% than the configured limit (max_early_data_size).
     case Record = decode_inner_plaintext(PlainFragment) of
@@ -225,19 +227,17 @@ process_early_data(ConnectionStates0, ReadState0, PendingMaxEarlyDataSize0, Seq,
                                ReadState0#{sequence_number => Seq + 1}},
             {Record, ConnectionStates};
         #ssl_tls{type=?APPLICATION_DATA, fragment=Data} ->
-            PendingMaxEarlyDataSize =
-                pending_early_data_size(PendingMaxEarlyDataSize0, Data),
+            PendingMaxEarlyDataSize = pending_early_data_size(PendingMaxEarlyDataSize0, Data),
             if PendingMaxEarlyDataSize < 0 ->
                     %% Too much early data received, send alert unexpected_message
                     ?ALERT_REC(?FATAL, ?UNEXPECTED_MESSAGE,
                                {too_much_early_data,
                                 {max_early_data_threshold_exceeded,
                                  PendingMaxEarlyDataSize}});
                true ->
-                    ConnectionStates =
-                        ConnectionStates0#{current_read =>
-                                               ReadState0#{sequence_number => Seq + 1,
-                                                           pending_early_data_size => PendingMaxEarlyDataSize}},
+                    EarlyData = EarlyData0#{pending_early_data_size => PendingMaxEarlyDataSize},
+                    ReadState = ReadState0#{sequence_number => Seq + 1, early_data => EarlyData},
+                    ConnectionStates = ConnectionStates0#{current_read => ReadState},
                     {Record#ssl_tls{early_data = true}, ConnectionStates}
             end
     end.

lib/ssl/src/tls_server_connection_1_3.erl

@@ -791,9 +791,10 @@ send_hello_retry_request(State0, _, _, _) ->
     {ok, {State0, negotiated}}.
 
 update_current_read(#state{connection_states = CS} = State, TrialDecryption, EarlyDataExpected) ->
-    Read0 = ssl_record:current_connection_state(CS, read),
-    Read = Read0#{trial_decryption => TrialDecryption,
-                  early_data_accepted => EarlyDataExpected},
+    #{early_data := EarlyData0} = Read0 = ssl_record:current_connection_state(CS, read),
+    EarlyData = EarlyData0#{trial_decryption => TrialDecryption,
+                            early_data_accepted => EarlyDataExpected},
+    Read = Read0#{early_data := EarlyData},
     State#state{connection_states = CS#{current_read => Read}}.
 
 handle_early_data(State, enabled, #early_data_indication{}) ->

lib/ssl/test/tls_1_3_record_SUITE.erl

@@ -109,9 +109,11 @@ encode_decode(_Config) ->
                            <<92,24,205,75,244,60,136,212,250,32,214,20,37,3,213,87,61,207,
                              147,61,168,145,177,118,160,153,33,53,48,108,191,174>>},
                 sequence_number => 0,
-                pending_early_data_size => 0,
-                trial_decryption => false,
-                early_data_accepted => false},
+                early_data => #{
+                                pending_early_data_size => 0,
+                                trial_decryption => false,
+                                early_data_accepted => false}
+               },
           current_write =>
               #{beast_mitigation => one_n_minus_one,
                 cipher_state =>