From 9d5dd57981e9bc099a447f1e4c52322ccd1fe5ee Mon Sep 17 00:00:00 2001
From: Libor Peltan
Date: Tue, 8 Apr 2025 16:31:04 +0200
Subject: [PATCH 1/2] fix TLS/0-RTT server-side by removing nonsensial relict +test
---
 src/libknot/quic/tls_common.c | 2 +-
 tests-extra/tests/quic/xfr/test.py | 3 +++
 tests-extra/tests/tls/bind_knot/test.py | 3 +++
 tests-extra/tests/tls/xfr/test.py | 3 +++
 4 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/libknot/quic/tls_common.c b/src/libknot/quic/tls_common.c
index d8a9491d2..a7a9e4f95 100644
--- a/src/libknot/quic/tls_common.c
+++ b/src/libknot/quic/tls_common.c
@@ -364,7 +364,7 @@ int knot_tls_session(struct gnutls_session_int **session,
 if (early_data) {
 flags |= GNUTLS_ENABLE_EARLY_DATA;
 #ifdef ENABLE_QUIC // Next flags aren't available in older GnuTLS versions.
- flags |= GNUTLS_NO_AUTO_SEND_TICKET | GNUTLS_NO_END_OF_EARLY_DATA;
+ flags |= GNUTLS_NO_END_OF_EARLY_DATA;
 #endif
 }
diff --git a/tests-extra/tests/quic/xfr/test.py b/tests-extra/tests/quic/xfr/test.py
index 4d29d122f..e29afbae4 100644
--- a/tests-extra/tests/quic/xfr/test.py
+++ b/tests-extra/tests/quic/xfr/test.py
@@ -106,4 +106,7 @@ try:
 finally:
 tcpdump_proc.terminate()
+if not master.log_search("QUIC/0-RTT") or not slave.log_search("QUIC/0-RTT"):
+ set_err("0-RTT NOT WORKING")
+
 t.end()
diff --git a/tests-extra/tests/tls/bind_knot/test.py b/tests-extra/tests/tls/bind_knot/test.py
index f26b169d4..35af155bd 100644
--- a/tests-extra/tests/tls/bind_knot/test.py
+++ b/tests-extra/tests/tls/bind_knot/test.py
@@ -49,4 +49,7 @@ try:
 finally:
 tcpdump_proc.terminate()
+if not slave.log_search("TLS/0-RTT"):
+ set_err("0-RTT NOT WORKING")
+
 t.end()
diff --git a/tests-extra/tests/tls/xfr/test.py b/tests-extra/tests/tls/xfr/test.py
index 3d43ce114..ba986587f 100644
--- a/tests-extra/tests/tls/xfr/test.py
+++ b/tests-extra/tests/tls/xfr/test.py
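Review bot: With GNUTLS_NO_AUTO_SEND_TICKET gone the server will issue session tickets and, because GNUTLS_ENABLE_EARLY_DATA is still set two lines above, accept 0-RTT data that a network attacker can replay (RFC 8446 §8), yet nothing in this hunk attaches a GnuTLS anti-replay context; confirm that `gnutls_anti_replay_enable()` is wired up elsewhere for server sessions, or that the server only acts on replay-safe requests carried in early data, and state which in a comment here. The surviving comment `// Next flags aren't available in older GnuTLS versions.` now guards a single flag and does not say why the ticket flag was dropped, so a line such as `// Tickets must be auto-sent so clients can resume and use 0-RTT.` would keep the relict from being reintroduced. knot_tls_session starts and ends outside this hunk.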
@@ -107,4 +107,7 @@ try:
 finally:
 tcpdump_proc.terminate()
+if not master.log_search("TLS/0-RTT") or not slave.log_search("TLS/0-RTT"):
+ set_err("0-RTT NOT WORKING")
+
 t.end()
From 2666c6ff02edc0b0db8693d02cfc6a939a2882cf Mon Sep 17 00:00:00 2001
From: Libor Peltan
Date: Tue, 8 Apr 2025 16:54:38 +0200
Subject: [PATCH 2/2] libknot/DoT: use GNUTLS_NO_END_OF_EARLY_DATA for QUIC only...
...as ngtcp2 seems to require it
---
 src/libknot/quic/quic.c | 2 +-
 src/libknot/quic/tls.c | 2 +-
 src/libknot/quic/tls_common.c | 9 ++++++---
 src/libknot/quic/tls_common.h | 4 ++--
 4 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/libknot/quic/quic.c b/src/libknot/quic/quic.c
index 99a064fd6..33fbaeea5 100644
--- a/src/libknot/quic/quic.c
+++ b/src/libknot/quic/quic.c
@@ -132,7 +132,7 @@ static ngtcp2_conn *get_conn(ngtcp2_crypto_conn_ref *conn_ref)
 static int tls_init_conn_session(knot_quic_conn_t *conn, bool server)
 {
 int ret = knot_tls_session(&conn->tls_session, conn->quic_table->creds,
- conn->quic_table->priority, "\x03""doq",
+ conn->quic_table->priority, true,
 true, server);
 if (ret != KNOT_EOK) {
 return TLS_CALLBACK_ERR;
diff --git a/src/libknot/quic/tls.c b/src/libknot/quic/tls.c
index 78b091f65..806ab8529 100644
--- a/src/libknot/quic/tls.c
+++ b/src/libknot/quic/tls.c
@@ -71,7 +71,7 @@ knot_tls_conn_t *knot_tls_conn_new(knot_tls_ctx_t *ctx, int sock_fd)
 res->fd = sock_fd;
 int ret = knot_tls_session(&res->session, ctx->creds, ctx->priority,
- "\x03""dot", true, ctx->server);
+ false, true, ctx->server);
 if (ret != KNOT_EOK) {
 goto fail;
 }
diff --git a/src/libknot/quic/tls_common.c b/src/libknot/quic/tls_common.c
index a7a9e4f95..7fc616f27 100644
--- a/src/libknot/quic/tls_common.c
+++ b/src/libknot/quic/tls_common.c
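Review bot: The call `knot_tls_session(&conn->tls_session, conn->quic_table->creds, conn->quic_table->priority, true, true, server)` now passes two adjacent unlabeled booleans, which hides which of `quic` and `early_data` is which and lets a swapped argument compile silently; annotating them at the call site, `conn->quic_table->priority, true /* quic */, true /* early_data */, server);`, costs nothing, and the `false, true, ctx->server` call in tls.c deserves the same. The `TLS_CALLBACK_ERR` path and the rest of tls_init_conn_session lie outside the hunk.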
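Review bot: DoT sessions are now created with `early_data` set and without GNUTLS_NO_END_OF_EARLY_DATA, so a server-side session can hand the application 0-RTT DNS messages that a network attacker is able to replay; RFC 9250 restricts DoQ 0-RTT to replayable transactions and DoT has no equivalent profile, so the code that consumes early data (not in this hunk) should reject or defer non-replayable requests such as DNS UPDATE until the handshake completes, and presumably the transfer tests in this series only exercise replay-safe queries. A short comment at this call site, `// 0-RTT data is replayable: only idempotent requests may be served from it.`, would record that constraint where the flag is chosen. knot_tls_conn_new continues before and after this hunk.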
@@ -352,19 +352,22 @@ _public_
 int knot_tls_session(struct gnutls_session_int **session,
 struct knot_creds *creds,
 struct gnutls_priority_st *priority,
- const char *alpn,
+ bool quic,
 bool early_data,
 bool server)
 {
- if (session == NULL || creds == NULL || priority == NULL || alpn == NULL) {
+ if (session == NULL || creds == NULL || priority == NULL) {
 return KNOT_EINVAL;
 }
+ const char *alpn = quic ? "\x03""doq" : "\x03""dot";
 gnutls_init_flags_t flags = GNUTLS_NO_SIGNAL;
 if (early_data) {
 flags |= GNUTLS_ENABLE_EARLY_DATA;
 #ifdef ENABLE_QUIC // Next flags aren't available in older GnuTLS versions.
- flags |= GNUTLS_NO_END_OF_EARLY_DATA;
+ if (quic) {
+ flags |= GNUTLS_NO_END_OF_EARLY_DATA;
+ }
 #endif
 }
diff --git a/src/libknot/quic/tls_common.h b/src/libknot/quic/tls_common.h
index 2acf30527..ad791347d 100644
--- a/src/libknot/quic/tls_common.h
+++ b/src/libknot/quic/tls_common.h
@@ -90,7 +90,7 @@ void knot_creds_free(struct knot_creds *creds);
 * \param session Out: initialized GnuTLS session struct.
 * \param creds Certificate credentials.
 * \param priority Session priority configuration.
- * \param alpn ALPN string, first byte is the string length.
+ * \param quic Session is for ngtcp2/QUIC (otherwise TLS).
 * \param early_data Allow early data.
 * \param server Should be server session (otherwise client).
 *
@@ -99,7 +99,7 @@ void knot_creds_free(struct knot_creds *creds);
 int knot_tls_session(struct gnutls_session_int **session,
 struct knot_creds *creds,
 struct gnutls_priority_st *priority,
- const char *alpn,
+ bool quic,
 bool early_data,
 bool server);
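Review bot: `quic == true` is accepted unconditionally, but in a build without ENABLE_QUIC the `#ifdef` makes the function silently produce a session with the doq ALPN and without GNUTLS_NO_END_OF_EARLY_DATA, the flag the commit message says ngtcp2 appears to need; since the function is `_public_`, reject that combination right after the NULL check with `#ifndef ENABLE_QUIC` / `if (quic) { return KNOT_EINVAL; }` / `#endif`. The comment `// Next flags aren't available in older GnuTLS versions.` now covers a single flag that is also QUIC-only, so `// Only QUIC (ngtcp2) wants GNUTLS_NO_END_OF_EARLY_DATA; the flag is absent in older GnuTLS.` would describe the new shape. The rest of knot_tls_session, including where `alpn` is applied to the session, lies past the hunk.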
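Review bot: `\param quic Session is for ngtcp2/QUIC (otherwise TLS).` leaves out the one concrete effect visible in tls_common.c, the ALPN choice, and `\param early_data Allow early data.` does not warn that, on a server session, the data so admitted can be replayed; suggested wording: ` * \param quic       Session is for ngtcp2/QUIC: selects the "doq" ALPN (otherwise "dot").` and ` * \param early_data Allow TLS 1.3 early data (0-RTT); server-side, such data may be replayed and must only drive idempotent requests.` The second hunk of this file, the prototype itself, needs no further change.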