BUG/MEDIUM: mux-quic: ensure Early-data header is set

QUIC MUX may be initialized prior to handshake completion, when 0-RTT is used. In this case, connection is flagged with CO_FL_EARLY_SSL_HS, which is notably used by wait-for-hs http rule. Early data may be subject to replay attacks. For this reason, haproxy adds the header 'Early-data: 1' to all requests handled as TLS early data. Thus the server can reject it if it is deemed unsafe. This header injection is implemented by http-ana. However, it was not functional with QUIC due to missing CO_FL_EARLY_DATA connection flag. Fix this by ensuring that QUIC MUX sets CO_FL_EARLY_DATA when needed. This is performed during qcc_recv() for STREAM frame reception. It is only set if QC_CF_WAIT_HS is set, meaning that the handshake is not yet completed. After this, the request is considered safe and Early-data header is not necessary anymore. This should fix github issue #3054. This must be backported up to 3.2 at least. If possible, it should be backported to all stable releases as well. On these versions, the current patch relies on the following refactoring commit : commit 0a53a008d0 MINOR: mux-quic: refactor wait-for-handshake support
2025-08-05 22:56:57 +02:00 · 2025-07-31 09:51:24 +00:00 · 2025-07-31 09:51:24 +00:00 · a6e67e7b41
commit a6e67e7b41
parent 697f7d1142
1 changed files with 8 additions and 0 deletions
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@ -1857,6 +1857,14 @@ int qcc_recv(struct qcc *qcc, uint64_t id, uint64_t len, uint64_t offset,
 		offset = qcs->rx.offset;
 	}

+	if (len && (qcc->flags & QC_CF_WAIT_HS)) {
+		if (!(qcc->conn->flags & CO_FL_EARLY_DATA)) {
+			/* Ensure 'Early-data: 1' will be set on the request. */
+			TRACE_PROTO("received early data", QMUX_EV_QCC_RECV|QMUX_EV_QCS_RECV, qcc->conn, qcs);
+			qcc->conn->flags |= CO_FL_EARLY_DATA;
+		}
+	}
+
 	left = len;
 	while (left) {
 		struct qc_stream_rxbuf *buf;