QUIC QRL: Fix bug in Handshake packet processing

We automatically dropped Initial keys when receiving a Handshake packet,
but did this regardless of whether the packet was successfully decrypted
and authenticated. Per the RFC, we should only drop Initial keys when
successfully processing a Handshake packet.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19176)

diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c
index 08c8e7d992c0270c3b39ac59649fd82d911da688..c0bbb5f504a42547caabd8ebd6a9468c55a8f79f 100644 (file)
--- a/ssl/quic/quic_record_rx.c
+++ b/ssl/quic/quic_record_rx.c
@@ -834,13 +834,6 @@ static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe,
     if (!qrx_validate_hdr(qrx, rxe))
         goto malformed;
 
-    /*
-     * We automatically discard INITIAL keys when successfully decrypting a
-     * HANDSHAKE packet.
-     */
-    if (enc_level == QUIC_ENC_LEVEL_HANDSHAKE)
-        ossl_qrl_enc_level_set_discard(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL);
-
     /*
      * The AAD data is the entire (unprotected) packet header including the PN.
      * The packet header has been unprotected in place, so we can just reuse the
@@ -878,6 +871,13 @@ static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe,
                               rxe->hdr.key_phase))
         goto malformed;
 
+    /*
+     * We automatically discard INITIAL keys when successfully decrypting a
+     * HANDSHAKE packet.
+     */
+    if (enc_level == QUIC_ENC_LEVEL_HANDSHAKE)
+        ossl_qrl_enc_level_set_discard(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL);
+
     /*
      * At this point, we have successfully authenticated the AEAD tag and no
      * longer need to worry about exposing the Key Phase bit in timing channels.