From a6e67e7b4198d7fb75d73ad7acbe55756703ffb5 Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Thu, 31 Jul 2025 09:51:24 +0000 Subject: [PATCH] BUG/MEDIUM: mux-quic: ensure Early-data header is set QUIC MUX may be initialized prior to handshake completion, when 0-RTT is used. In this case, connection is flagged with CO_FL_EARLY_SSL_HS, which is notably used by wait-for-hs http rule. Early data may be subject to replay attacks. For this reason, haproxy adds the header 'Early-data: 1' to all requests handled as TLS early data. Thus the server can reject it if it is deemed unsafe. This header injection is implemented by http-ana. However, it was not functional with QUIC due to missing CO_FL_EARLY_DATA connection flag. Fix this by ensuring that QUIC MUX sets CO_FL_EARLY_DATA when needed. This is performed during qcc_recv() for STREAM frame reception. It is only set if QC_CF_WAIT_HS is set, meaning that the handshake is not yet completed. After this, the request is considered safe and Early-data header is not necessary anymore. This should fix github issue #3054. This must be backported up to 3.2 at least. If possible, it should be backported to all stable releases as well. On these versions, the current patch relies on the following refactoring commit : commit 0a53a008d032b69377869c8caaec38f81bdd5bd6 MINOR: mux-quic: refactor wait-for-handshake support --- src/mux_quic.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/mux_quic.c b/src/mux_quic.c index 64b09d79f..65ee6ae44 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -1857,6 +1857,14 @@ int qcc_recv(struct qcc *qcc, uint64_t id, uint64_t len, uint64_t offset, offset = qcs->rx.offset; } + if (len && (qcc->flags & QC_CF_WAIT_HS)) { + if (!(qcc->conn->flags & CO_FL_EARLY_DATA)) { + /* Ensure 'Early-data: 1' will be set on the request. */ + TRACE_PROTO("received early data", QMUX_EV_QCC_RECV|QMUX_EV_QCS_RECV, qcc->conn, qcs); + qcc->conn->flags |= CO_FL_EARLY_DATA; + } + } + left = len; while (left) { struct qc_stream_rxbuf *buf; -- 2.47.2