From: Frédéric Lécaille Date: Tue, 14 Dec 2021 18:23:43 +0000 (+0100) Subject: MINOR: quic: Enable TLS 0-RTT if needed X-Git-Tag: v2.6-dev1~275 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ad3c07ae8188f3fce52bb838954ec638781d1506;p=thirdparty%2Fhaproxy.git MINOR: quic: Enable TLS 0-RTT if needed Enable 0-RTT at the TLS context level: RFC 9001 4.6.1. Enabling 0-RTT Accordingly, the max_early_data_size parameter is repurposed to hold a sentinel value 0xffffffff to indicate that the server is willing to accept QUIC 0-RTT data. At the SSL connection level, we must call SSL_set_quic_early_data_enabled().
---
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 08c4ad11a1..55c45f964b 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -1184,7 +1184,7 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 #elif (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 	if (bind_conf->ssl_conf.early_data) {
 		SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
-		SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
+		SSL_CTX_set_max_early_data(ctx, 0xffffffff);
 	}
 	SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
@@ -5075,6 +5075,10 @@ static int qc_conn_init(struct connection *conn, void **xprt_ctx)
 	                           qc->enc_params, qc->enc_params_len) == -1)
 		goto err;
+	/* Enabling 0-RTT */
+	if (bc->ssl_conf.early_data)
+		SSL_set_quic_early_data_enabled(ctx->ssl, 1);
+
 	SSL_set_accept_state(ctx->ssl);
 }
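Review bot: The bare `0xffffffff` on the added `SSL_CTX_set_max_early_data()` line is the RFC 9001 §4.6.1 sentinel, not a byte budget, and the code should say so, because the line it replaces passed a genuine size (`global.tune.bufsize - global.tune.maxrewrite`) and a future reader may "fix" it back to one. With `SSL_OP_NO_ANTI_REPLAY` set on the line above, OpenSSL neither bounds nor de-duplicates early data any more, so the volume of 0-RTT data (QUIC flow-control transport parameters) and replay safety (only replay-tolerant requests served from early data, RFC 8470-style) now have to be enforced above TLS, and that responsibility is worth stating where the sentinel is set. Suggested comment above the call: `/* RFC 9001 4.6.1: 0xffffffff is a sentinel meaning "0-RTT accepted", not a size limit; early-data volume and replay safety are enforced by the QUIC/HTTP layers. */`. `ssl_quic_initial_ctx()` begins before this hunk.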
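Review bot: Enabling early data on the connection makes the server accept replayable 0-RTT data, but nothing in the hunk ties that to the RFC 9001 §7.4.1 requirement that the transport parameters remembered from the session ticket be validated against the ones now being sent (`qc->enc_params`, two lines above); if that check lives elsewhere it should be referenced from here, and if it is missing a resumed client can send early data beyond the limits the server currently advertises. The `/* Enabling 0-RTT */` comment could also carry what the reader needs: `/* Enable 0-RTT before the handshake starts (SSL_set_accept_state()); early data is replayable, so replay protection is the application layer's job. */`. The first hunk keeps its early-data setup under `#elif (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)` while no guard is visible around this call; that is presumably fine if this file is only built against a QUIC-capable TLS library, but worth confirming. `qc_conn_init()` begins before this hunk.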