
Use early_exporter_secret inside of early_data #9497

Open
arcusfelis opened this issue Feb 25, 2025 · 0 comments

Comments


arcusfelis commented Feb 25, 2025

Hi,

I am trying to use early_exporter_secret (from https://datatracker.ietf.org/doc/html/draft-ietf-tls-rfc8446bis#section-2.3-5.2.1) for channel binding, for the data we put inside 0-RTT (early_data). We need early channel binding data to put as a part of the auth token.

The code should probably be something like this:

```erlang
-module(early_cb).
-export([get_early_exporter_secret/3]).

%% PSK is the resumption PSK from the session ticket; ClientHello is the
%% serialized ClientHello, which only exists once the handshake has started.
%% tls_v1 is an OTP-internal module, not documented API; the calls below
%% assume its key_schedule/3 and early_exporter_master_secret/3 signatures.
get_early_exporter_secret(PSK, ClientHello, HashAlgo) ->
    %% 1. Derive early_secret from PSK; returns {early_secret, Secret}
    EarlySecret = tls_v1:key_schedule(early_secret, HashAlgo, {psk, PSK}),

    %% 2. Derive early_exporter_master_secret over the ClientHello transcript
    tls_v1:early_exporter_master_secret(HashAlgo, EarlySecret, ClientHello).
```

The PSK could be taken from the session ticket.
But the issue is that we cannot call it, because we don't know the ClientHello until we open the socket.
And the early_data should be set as an argument to ssl:connect.

Ideally it would be nice if early_data, instead of just {early_data, binary()}, could accept something like {early_data, fun(ClientHello) -> ... returns binary() end} or {early_data, fun(EarlyExporterSecret) -> ... returns binary() end}.

There are not many docs about that and I am not sure how to check how other SSL implementations handle that though.

Alternatively, do we even need channel binding in the early_data? Maybe the server could derive the auth hash token based on the PSK and just ensure that the PSK is the same, and share that token with the client. But it starts to resemble the Token Binding protocol more and more in this case, which has its own issues and I think is generally not recommended nowadays.
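As an added example, not code from the issue or from the OTP ssl application: the derivation the post describes, carried through in Python with only the standard library so that the dependency on the ClientHello bytes is explicit. It follows the RFC 8446 key schedule (section 7.1: HKDF-Extract of the PSK into Early Secret, then Derive-Secret with the "e exp master" label over the ClientHello transcript) and the TLS-Exporter construction of section 7.5, and goes slightly beyond the post by also showing how the resumption PSK is derived from a ticket nonce (section 4.6.1). The exporter label `EXPORTER-example-early-channel-binding`, the sample PSK and the two fake ClientHello byte strings are constructed for illustration and are not real traffic.

```python
"""Added example: TLS 1.3 early exporter derivation per RFC 8446 7.1 and 7.5.
Standard library only; this is not the OTP tls_v1 implementation.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = hashlib.sha256().digest_size  # 32 for SHA-256 cipher suites


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract; an empty salt means HashLen zero bytes (RFC 8446 7.1)."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 7.1 HKDF-Expand-Label, with the serialized HkdfLabel as info."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack(">H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """RFC 8446 7.1 Derive-Secret: the context is the transcript hash of messages."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def resumption_psk(resumption_master_secret: bytes, ticket_nonce: bytes) -> bytes:
    """RFC 8446 4.6.1: the PSK associated with a NewSessionTicket."""
    return hkdf_expand_label(resumption_master_secret, b"resumption", ticket_nonce, HASH_LEN)


def early_exporter_master_secret(psk: bytes, client_hello: bytes) -> bytes:
    """Early Secret = HKDF-Extract(0, PSK), then Derive-Secret(., "e exp master", ClientHello).

    client_hello must be the complete serialized ClientHello handshake message, so
    nothing here can be computed before that message exists (the problem in the issue).
    """
    early_secret = hkdf_extract(b"", psk)
    return derive_secret(early_secret, b"e exp master", client_hello)


def tls_exporter(exporter_secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 7.5 TLS-Exporter run over a given exporter secret."""
    derived = derive_secret(exporter_secret, label, b"")
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)


# Hypothetical application label; a real deployment registers its own (RFC 5705 registry).
CB_LABEL = b"EXPORTER-example-early-channel-binding"


def early_channel_binding(psk: bytes, client_hello: bytes, length: int = 32) -> bytes:
    """Channel-binding value an application could embed in its 0-RTT auth token."""
    return tls_exporter(early_exporter_master_secret(psk, client_hello), CB_LABEL, b"", length)


# Constructed sample inputs (not real traffic): a 32-byte PSK and two fake ClientHello bodies.
SAMPLE_PSK = bytes(range(32))
SAMPLE_CLIENT_HELLO = b"\x01\x00\x00\x05hello"
OTHER_CLIENT_HELLO = b"\x01\x00\x00\x05world"


if __name__ == "__main__":
    cb = early_channel_binding(SAMPLE_PSK, SAMPLE_CLIENT_HELLO)
    print("early channel binding:", cb.hex())
    print("differs for another ClientHello:",
          cb != early_channel_binding(SAMPLE_PSK, OTHER_CLIENT_HELLO))
```

Two practitioner notes. First, because the value depends only on the PSK and the ClientHello, the server can recompute it as soon as the ClientHello arrives, which is what makes it usable as a binding for data carried in the same flight; RFC 8446 section 7.5 recommends that an implementation expose the early exporter through a separate interface from the regular exporter so an application does not take one for the other. Second, 0-RTT data is replayable by design: binding the token to the ClientHello ties it to one specific handshake message, but a replay of that same message carries a valid binding, so anti-replay for the early data still has to come from elsewhere.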
