Merge branch 'fix_tls_0rtt' into 'master'

fix tls 0rtt See merge request knot/knot-dns!1761
2026-05-28 04:02:31 -04:00 · 2025-04-08 18:22:59 +02:00 · 2025-04-08 18:22:59 +02:00 · c8b8e00bbc
commit c8b8e00bbc
parent 7de5d26216 2666c6ff02
7 changed files with 19 additions and 7 deletions
--- a/src/libknot/quic/quic.c
+++ b/src/libknot/quic/quic.c
@ -132,7 +132,7 @@ static ngtcp2_conn *get_conn(ngtcp2_crypto_conn_ref *conn_ref)
 static int tls_init_conn_session(knot_quic_conn_t *conn, bool server)
 {
 	int ret = knot_tls_session(&conn->tls_session, conn->quic_table->creds,
-	                           conn->quic_table->priority, "\x03""doq",
+	                           conn->quic_table->priority, true,
 	                           true, server);
 	if (ret != KNOT_EOK) {
 		return TLS_CALLBACK_ERR;
--- a/src/libknot/quic/tls.c
+++ b/src/libknot/quic/tls.c
@ -71,7 +71,7 @@ knot_tls_conn_t *knot_tls_conn_new(knot_tls_ctx_t *ctx, int sock_fd)
 	res->fd = sock_fd;

 	int ret = knot_tls_session(&res->session, ctx->creds, ctx->priority,
-	                           "\x03""dot", true, ctx->server);
+	                           false, true, ctx->server);
 	if (ret != KNOT_EOK) {
 		goto fail;
 	}
--- a/src/libknot/quic/tls_common.c
+++ b/src/libknot/quic/tls_common.c
@ -352,19 +352,22 @@ _public_
 int knot_tls_session(struct gnutls_session_int **session,
                     struct knot_creds *creds,
                     struct gnutls_priority_st *priority,
-                     const char *alpn,
+                     bool quic,
                     bool early_data,
                     bool server)
 {
-	if (session == NULL || creds == NULL || priority == NULL || alpn == NULL) {
+	if (session == NULL || creds == NULL || priority == NULL) {
 		return KNOT_EINVAL;
 	}

+	const char *alpn = quic ? "\x03""doq" : "\x03""dot";
 	gnutls_init_flags_t flags = GNUTLS_NO_SIGNAL;
 	if (early_data) {
 		flags |= GNUTLS_ENABLE_EARLY_DATA;
 #ifdef ENABLE_QUIC // Next flags aren't available in older GnuTLS versions.
-		flags |= GNUTLS_NO_AUTO_SEND_TICKET | GNUTLS_NO_END_OF_EARLY_DATA;
+		if (quic) {
+			flags |= GNUTLS_NO_END_OF_EARLY_DATA;
+		}
 #endif
 	}

--- a/src/libknot/quic/tls_common.h
+++ b/src/libknot/quic/tls_common.h
@ -90,7 +90,7 @@ void knot_creds_free(struct knot_creds *creds);
 * \param session      Out: initialized GnuTLS session struct.
 * \param creds        Certificate credentials.
 * \param priority     Session priority configuration.
- * \param alpn         ALPN string, first byte is the string length.
+ * \param quic         Session is for ngtcp2/QUIC (otherwise TLS).
 * \param early_data   Allow early data.
 * \param server       Should be server session (otherwise client).
 *
@ -99,7 +99,7 @@ void knot_creds_free(struct knot_creds *creds);
 int knot_tls_session(struct gnutls_session_int **session,
                     struct knot_creds *creds,
                     struct gnutls_priority_st *priority,
-                     const char *alpn,
+                     bool quic,
                     bool early_data,
                     bool server);

--- a/tests-extra/tests/quic/xfr/test.py
+++ b/tests-extra/tests/quic/xfr/test.py
@ -106,4 +106,7 @@ try:
 finally:
    tcpdump_proc.terminate()

+if not master.log_search("QUIC/0-RTT") or not slave.log_search("QUIC/0-RTT"):
+    set_err("0-RTT NOT WORKING")
+
 t.end()
--- a/tests-extra/tests/tls/bind_knot/test.py
+++ b/tests-extra/tests/tls/bind_knot/test.py
@ -49,4 +49,7 @@ try:
 finally:
    tcpdump_proc.terminate()

+if not slave.log_search("TLS/0-RTT"):
+    set_err("0-RTT NOT WORKING")
+
 t.end()
--- a/tests-extra/tests/tls/xfr/test.py
+++ b/tests-extra/tests/tls/xfr/test.py
@ -107,4 +107,7 @@ try:
 finally:
    tcpdump_proc.terminate()

+if not master.log_search("TLS/0-RTT") or not slave.log_search("TLS/0-RTT"):
+    set_err("0-RTT NOT WORKING")
+
 t.end()