MINOR: quic-be: validate the 0-RTT transport parameters

During 0-RTT sessions, some server transport parameters are reused after having been save from previous sessions. These parameters must not be reduced when it resends them. The client must check this is the case when some early data are accepted by the server. This is what is implemented by this patch. Implement qc_early_tranport_params_validate() which checks the new server parameters are not reduced. Also implement qc_ssl_eary_data_accepted() which was not implemented for TLS stack without 0-RTT support (for instance wolfssl). That said this function was no more used. This is why the compilation against wolfssl could not fail.
2026-02-20 00:10:41 -05:00 · 2025-08-04 18:39:08 +02:00 · 2025-08-04 18:39:08 +02:00 · d84463f9f6
commit d84463f9f6
parent 6419b9f204
5 changed files with 70 additions and 9 deletions
--- a/include/haproxy/quic_ssl.h
+++ b/include/haproxy/quic_ssl.h
@ -81,7 +81,12 @@ static inline const char *quic_ssl_early_data_status_str(const SSL *ssl)
 	}
 #endif
 }
-#else
+#else /* !HAVE_SSL_0RTT_QUIC */
+static inline int qc_ssl_eary_data_accepted(const SSL *ssl)
+{
+	return 0;
+}
+
 static inline const char *quic_ssl_early_data_status_str(const SSL *ssl)
 {
 	return "NOT_SUPPORTED";
--- a/include/haproxy/quic_tp.h
+++ b/include/haproxy/quic_tp.h
@ -18,7 +18,7 @@ int quic_transport_params_encode(unsigned char *buf,

 int quic_transport_params_store(struct quic_conn *conn, int server,
                                const unsigned char *buf,
-                                const unsigned char *end);
+                                const unsigned char *end, int edata_accepted);
 void qc_early_transport_params_cpy(struct quic_conn *qc,
                                   struct quic_early_transport_params *e,
                                   struct quic_transport_params *p);
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@ -309,9 +309,12 @@ write:
 		if (qc_is_back(qc)) {
 			const unsigned char *tp;
 			size_t tplen;
+			int edata_accepted = qc_ssl_eary_data_accepted(ssl);

+			TRACE_PROTO("storing peer transport parameters",
+			            QUIC_EV_CONN_IO_CB, qc, NULL, NULL, ssl);
 			SSL_get_peer_quic_transport_params(ssl, &tp, &tplen);
-			if (!tplen || !quic_transport_params_store(qc, 1,tp, tp + tplen)) {
+			if (!tplen || !quic_transport_params_store(qc, 1,tp, tp + tplen, edata_accepted)) {
 				TRACE_ERROR("Could not parse remote transport paratemers",
 				            QUIC_EV_CONN_RWSEC, qc);
 				goto leave;
@ -602,8 +605,12 @@ static int ha_quic_ossl_got_transport_params(SSL *ssl, const unsigned char *para
 		            QUIC_EV_TRANSP_PARAMS, qc);
 		ret = 1;
 	}
-	else if (!quic_transport_params_store(qc, qc_is_back(qc), params, params + params_len)) {
-		goto err;
+	else {
+		TRACE_PROTO("storing peer transport parameters",
+		            QUIC_EV_CONN_IO_CB, qc, NULL, NULL, ssl);
+		if (!quic_transport_params_store(qc, qc_is_back(qc), params, params + params_len,
+		                                 qc_ssl_eary_data_accepted(ssl)))
+			goto err;
 	}

 	ret = 1;
--- a/src/quic_tp.c
+++ b/src/quic_tp.c
@ -12,6 +12,10 @@

 #define QUIC_MAX_UDP_PAYLOAD_SIZE     2048

+static int qc_early_tranport_params_validate(struct quic_conn *qc,
+                                             struct quic_transport_params *p,
+                                             struct quic_early_transport_params *e);
+
 /* This is the values of some QUIC transport parameters when absent.
 * Should be used to initialize any transport parameters (local or remote)
 * before updating them with customized values.
@ -734,17 +738,25 @@ quic_transport_params_decode(struct quic_transport_params *p, int server,
 *
 * Returns 1 on success, or 0 if parsing is interrupted on a truncated field.
 * Note that if invalid values are used, success is returned by this function
- * but the connection is scheduled for CONNECTION_CLOSE emission.
+ * but the connection is scheduled for CONNECTION_CLOSE emission. This is also
+ * the case when the early transport parameters could not be validated.
 */
 int quic_transport_params_store(struct quic_conn *qc, int server,
                                const unsigned char *buf,
-                                const unsigned char *end)
+                                const unsigned char *end, int edata_accepted)
 {
 	enum quic_tp_dec_err err;
 	struct quic_transport_params *tx_params = &qc->tx.params;
 	struct quic_transport_params *rx_params = &qc->rx.params;
 	/* Initial source connection ID */
 	struct tp_cid *iscid;
+	struct quic_early_transport_params etps;
+
+	BUG_ON(edata_accepted && !qc_is_back(qc));
+	if (edata_accepted) {
+		/* Local copy of early transport parameters */
+		qc_early_transport_params_cpy(qc, &etps, tx_params);
+	}

 	/* initialize peer TPs to RFC default value */
 	quic_dflt_transport_params_cpy(tx_params);
@ -760,6 +772,12 @@ int quic_transport_params_store(struct quic_conn *qc, int server,
 		return 0;
 	}

+	if (edata_accepted && !qc_early_tranport_params_validate(qc, tx_params, &etps)) {
+		TRACE_ERROR("could not validate early transport parameters", QUIC_EV_TRANSP_PARAMS, qc);
+		quic_set_connection_close(qc, quic_err_transport(QC_ERR_PROTOCOL_VIOLATION));
+		return 1;
+	}
+
 	if (server && qc->retry_token) {
 		if (!tx_params->retry_source_connection_id.len ||
 		    (qc->odcid.len != tx_params->retry_source_connection_id.len ||
@ -896,3 +914,34 @@ void qc_early_transport_params_reuse(struct quic_conn *qc,
 	TRACE_PROTO("\nTX(remote) reuse early transp. params.", QUIC_EV_EARLY_TRANSP_PARAMS, qc, e);
 	TRACE_PROTO("\nTX(remote) transp. params.", QUIC_EV_TRANSP_PARAMS, qc, p);
 }
+
+static int qc_early_tranport_params_validate(struct quic_conn *qc,
+                                             struct quic_transport_params *p,
+                                             struct quic_early_transport_params *e)
+{
+	/* RFC 9000
+	 * 7.4.1. Values of Transport Parameters for 0-RTT
+	 * If 0-RTT data is accepted by the server, the server MUST NOT reduce any
+	 * limits or alter any values that might be violated by the client with its
+	 * 0-RTT data. In particular, a server that accepts 0-RTT data MUST NOT set
+	 * values for the following parameters (Section 18.2) that are smaller than
+	 * the remembered values of the parameters.
+	 * - active_connection_id_limit
+	 * - initial_max_data
+	 * - initial_max_stream_data_bidi_local
+	 * - initial_max_stream_data_bidi_remote
+	 * - initial_max_stream_data_uni
+	 * - initial_max_streams_bidi
+	 * - initial_max_streams_uni
+	 */
+	if (e->active_connection_id_limit > p->active_connection_id_limit ||
+	    e->initial_max_data > p->initial_max_data ||
+	    e->initial_max_stream_data_bidi_local > p->initial_max_stream_data_bidi_local ||
+	    e->initial_max_stream_data_bidi_remote > p->initial_max_stream_data_bidi_remote ||
+	    e->initial_max_stream_data_uni > p->initial_max_stream_data_uni ||
+	    e->initial_max_streams_bidi > p->initial_max_streams_bidi ||
+	    e->initial_max_streams_uni > p->initial_max_streams_uni)
+		return 0;
+
+	return 1;
+}
--- a/src/ssl_clienthello.c
+++ b/src/ssl_clienthello.c
@ -206,7 +206,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 		}

 		if (!quic_transport_params_store(qc, 0, extension_data,
-		                                 extension_data + extension_len))
+		                                 extension_data + extension_len, 0))
 			goto abort;

 		qc->flags |= QUIC_FL_CONN_TX_TP_RECEIVED;
@ -565,7 +565,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
 		}

 		if (!quic_transport_params_store(qc, 0, extension_data,
-		                                 extension_data + extension_len))
+		                                 extension_data + extension_len, 0))
 			return SSL_TLSEXT_ERR_NOACK;

 		qc->flags |= QUIC_FL_CONN_TX_TP_RECEIVED;