From f783dd959b3e0b1670ab622d6e0cd8930f7c9ad3 Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Tue, 23 Jan 2024 11:41:44 +0100
Subject: [PATCH] MINOR: quic: Enable early data at SSL session level (aws-lc)

This patch impacts only the haproxy build against aws-lc TLS stack
(USE_OPENSSL_AWSLC).

Implement qc_set_quic_early_data_enabled() new function to enable early data
at session level. To make QUIC O-RTT work, a context string must be set
calling SSL_set_quic_early_data_context(). This is a subset of the encoded
transport parameters which is used for this. Note that some application level
settings should be also added (TODO).

This patch is required to make 0-RTT work for haproxy builds against aws-lc.
---
 src/quic_ssl.c | 40 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 37 insertions(+), 3 deletions(-)

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 314f58797a..af4ca7e543 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -713,6 +713,40 @@ static int qc_ssl_sess_init(struct quic_conn *qc, SSL_CTX *ssl_ctx, SSL **ssl)
 	return ret;
 }
 
+/* Enable early data for QUIC TLS session.
+ * Return 1 if succeeded, 0 if not.
+ */
+static int qc_set_quic_early_data_enabled(struct quic_conn *qc, SSL *ssl)
+{
+#if defined(OPENSSL_IS_AWSLC)
+	struct quic_transport_params p = {0};
+	unsigned char buf[128];
+	size_t len;
+
+	/* Apply default values to

transport parameters. */
+	quic_transport_params_init(&p, 1);
+	/* The stateless_reset_token transport parameter is not needed. */
+	p.with_stateless_reset_token = 0;
+	len = quic_transport_params_encode(buf, buf + sizeof buf, &p, NULL, 1);
+	if (!len) {
+		TRACE_ERROR("quic_transport_params_encode() failed", QUIC_EV_CONN_RWSEC, qc);
+		return 0;
+	}
+
+	/* XXX TODO: Should also add the application settings. XXX */
+	if (!SSL_set_quic_early_data_context(ssl, buf, len)) {
+		TRACE_ERROR("SSL_set_quic_early_data_context() failed", QUIC_EV_CONN_RWSEC, qc);
+		return 0;
+	}
+
+	SSL_set_early_data_enabled(ssl, 1);
+#else
+	SSL_set_quic_early_data_enabled(ssl, 1);
+#endif
+
+	return 1;
+}
+
 /* Allocate the ssl_sock_ctx from connection . This creates the tasklet
  * used to process received packets. The allocated context is stored in
  * .
@@ -748,11 +782,11 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc)
 	if (qc_is_listener(qc)) {
 		if (qc_ssl_sess_init(qc, bc->initial_ctx, &ctx->ssl) == -1)
 			goto err;
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_AWSLC)
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 #ifndef USE_QUIC_OPENSSL_COMPAT
 		/* Enabling 0-RTT */
-		if (bc->ssl_conf.early_data)
-			SSL_set_quic_early_data_enabled(ctx->ssl, 1);
+		if (bc->ssl_conf.early_data && !qc_set_quic_early_data_enabled(qc, ctx->ssl))
+			goto err;
 #endif
 #endif
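Review bot: The early-data context handed to `SSL_set_quic_early_data_context()` is built from a fresh default parameter set (`quic_transport_params_init(&p, 1)` with the stateless reset token cleared), not from the transport parameters this listener actually advertises, so a later change to the listener's 0-RTT-relevant limits would not make aws-lc reject tickets issued under the old values, which is the property the context string exists to provide. If the listener's effective parameters are reachable from `qc` or its bind config at this point, encoding those would be preferable; otherwise the header comment should state that only the defaults are covered so nobody relies on it for configuration-change detection. The `XXX TODO` about application settings is the same gap on the HTTP/3 side and could say so explicitly, e.g. `/* TODO: application settings (H3 SETTINGS) must also be part of the context so 0-RTT is rejected when they change. */`. On the `#else` branch the function cannot fail, which is fine, but `Return 1 if succeeded, 0 if not.` only describes the aws-lc build and could note that.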