From: Hugo Landau <hlandau@openssl.org>
Date: Tue, 6 Jun 2023 15:25:11 +0000 (+0100)
Subject: QUIC CONFORMANCE: RFC 9000 s. 19.7
X-Git-Tag: openssl-3.2.0-alpha1~440
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b5b40c4e183bf9a00ed086b72aa16369172a0054;p=thirdparty%2Fopenssl.git

QUIC CONFORMANCE: RFC 9000 s. 19.7

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21135)
---

diff --git a/ssl/quic/quic_rx_depack.c b/ssl/quic/quic_rx_depack.c
index c75363d0387..aa107455078 100644
--- a/ssl/quic/quic_rx_depack.c
+++ b/ssl/quic/quic_rx_depack.c
@@ -314,6 +314,19 @@ static int depack_do_frame_new_token(PACKET *pkt, QUIC_CHANNEL *ch,
     /* This frame makes the packet ACK eliciting */
     ackm_data->is_ack_eliciting = 1;
 
+    if (token_len == 0) {
+        /*
+         * RFC 9000 s. 19.7: "A client MUST treat receipt of a NEW_TOKEN frame
+         * with an empty Token field as a connection error of type
+         * FRAME_ENCODING_ERROR."
+         */
+        ossl_quic_channel_raise_protocol_error(ch,
+                                               QUIC_ERR_FRAME_ENCODING_ERROR,
+                                               OSSL_QUIC_FRAME_TYPE_NEW_TOKEN,
+                                               "zero-length NEW_TOKEN");
+        return 0;
+    }
+
     /* TODO(QUIC): ADD CODE to send |token| to the session manager */
 
     return 1;