QUIC CHANNEL, TXP: Discard INITIAL EL correctly
authorHugo Landau <hlandau@openssl.org>
Tue, 25 Jul 2023 10:32:24 +0000 (11:32 +0100)
committerMatt Caswell <matt@openssl.org>
Tue, 8 Aug 2023 13:33:42 +0000 (14:33 +0100)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)

include/internal/quic_txp.h
ssl/quic/quic_channel.c
ssl/quic/quic_txp.c

index d5ca1c4361aba2f600e14f1814e4bc6c588c8e44..5ea464ddd87cd76322ec60fa1ba51d666307f470 100644 (file)
@@ -94,6 +94,7 @@ void ossl_quic_tx_packetiser_record_received_closing_bytes(
 
 typedef struct quic_txp_status_st {
     int sent_ack_eliciting; /* Was an ACK-eliciting packet sent? */
+    int sent_handshake; /* Was a Handshake packet sent? */
 } QUIC_TXP_STATUS;
 
 int ossl_quic_tx_packetiser_generate(OSSL_QUIC_TX_PACKETISER *txp,
index f46b20f5c6c4115cb662d67a313ed43d32c67a6c..fa9866bdde23e518e1dd51f2a7737ec27edd67f1 100644 (file)
@@ -2200,6 +2200,13 @@ static int ch_tx(QUIC_CHANNEL *ch)
             ch->have_sent_ack_eliciting_since_rx = 1;
         }
 
+        if (!ch->is_server && status.sent_handshake)
+            /*
+             * RFC 9001 s. 4.9.1: A client MUST discard Initial keys when it
+             * first sends a Handshake packet.
+             */
+            ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL);
+
         if (ch->rxku_pending_confirm_done)
             ch->rxku_pending_confirm = 0;
 
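Review bot: The new block calls `ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL)` on every ch_tx() pass in which `status.sent_handshake` is set, whereas the quoted RFC 9001 text speaks of the first Handshake packet. This is only safe if ch_discard_el is a no-op for a level that is already discarded; that function is not visible in the hunk, so it should be confirmed and stated in the comment, for example `* ch_discard_el() is idempotent, so later Handshake packets are harmless.` The `if` body is a multi-line comment plus one statement without braces; writing it as `if (!ch->is_server && status.sent_handshake) {` ... `}` would keep a later added statement from silently falling outside the condition on a key-lifecycle path. ch_tx's body starts and ends outside the hunk.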
index 7c52ced09a56aebe401782d32a361c673dccc28e..a85846589935482821a3f76734fffdf67d96e9b6 100644 (file)
@@ -823,6 +823,10 @@ int ossl_quic_tx_packetiser_generate(OSSL_QUIC_TX_PACKETISER *txp,
         ++pkts_done;
     }
 
+    status->sent_handshake
+        = (pkt[QUIC_ENC_LEVEL_HANDSHAKE].h_valid
+           && pkt[QUIC_ENC_LEVEL_HANDSHAKE].h.bytes_appended > 0);
+
     /* Flush & Cleanup */
     res = TX_PACKETISER_RES_NO_PKT;
 out:
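Review bot: `status->sent_handshake` is derived from `h_valid` and `h.bytes_appended > 0`, which shows that a Handshake packet was composed but not, from what is visible here, that it was committed for transmission. Because ch_tx discards the Initial keys on this flag, a packet that was built but not sent would drop keys the peer may still need, so the flag should be tied to the commit step or the reason the two are equivalent should be documented. The assignment also sits after the loop, so an earlier `goto out` would presumably skip it and leave the field at its entry value; the start of the function is outside the hunk, so confirm `status` is zeroed there. If the equivalence holds, a comment such as `/* Set only once the Handshake packet has been committed; the caller discards Initial keys on it. */` would make the contract explicit.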