From: Hugo Landau Date: Thu, 8 Sep 2022 13:10:38 +0000 (+0100) Subject: QUIC QRL: Fix bug in Handshake packet processing X-Git-Tag: openssl-3.2.0-alpha1~2088 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45e7ef5fe34b3f519f1454c47dc08aa4563e4247;p=thirdparty%2Fopenssl.git QUIC QRL: Fix bug in Handshake packet processing We automatically dropped Initial keys when receiving a Handshake packet, but did this regardless of whether the packet was successfully decrypted and authenticated. Per the RFC, we should only drop Initial keys when successfully processing a Handshake packet. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19176) --- diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c index 08c8e7d992c..c0bbb5f504a 100644 --- a/ssl/quic/quic_record_rx.c +++ b/ssl/quic/quic_record_rx.c @@ -834,13 +834,6 @@ static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe, if (!qrx_validate_hdr(qrx, rxe)) goto malformed; - /* - * We automatically discard INITIAL keys when successfully decrypting a - * HANDSHAKE packet. - */ - if (enc_level == QUIC_ENC_LEVEL_HANDSHAKE) - ossl_qrl_enc_level_set_discard(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL); - /* * The AAD data is the entire (unprotected) packet header including the PN. * The packet header has been unprotected in place, so we can just reuse the @@ -878,6 +871,13 @@ static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe, rxe->hdr.key_phase)) goto malformed; + /* + * We automatically discard INITIAL keys when successfully decrypting a + * HANDSHAKE packet. + */ + if (enc_level == QUIC_ENC_LEVEL_HANDSHAKE) + ossl_qrl_enc_level_set_discard(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL); + /* * At this point, we have successfully authenticated the AEAD tag and no * longer need to worry about exposing the Key Phase bit in timing channels.