From: Neil Horman Date: Wed, 4 Dec 2024 21:12:02 +0000 (-0500) Subject: Clarify that this validation only relates to retry packets X-Git-Tag: openssl-3.5.0-alpha1~292 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f443b4048d0cd8ec17df09b08b9cb04fc293d6de;p=thirdparty%2Fopenssl.git Clarify that this validation only relates to retry packets Disabling server address validation here only relates to new connections that arrive without a token. Future connections using tokens provided by the server via NEW_TOKEN frames will still be validated Reviewed-by: Saša Nedvědický Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26114) --- diff --git a/doc/man3/SSL_new_listener.pod b/doc/man3/SSL_new_listener.pod index dfcacfc842b..e8c41fa66be 100644 --- a/doc/man3/SSL_new_listener.pod +++ b/doc/man3/SSL_new_listener.pod @@ -165,7 +165,10 @@ SSL_new_from_listener(). To disable client address validation on a listener SSL object, the flag B may be passed in the flags field of both -SSL_new_listener() and SSL_new_listener_from(). +SSL_new_listener() and SSL_new_listener_from(). Note that this flag only +impacts the sending of retry frames for server address validation. Tokens may +still be communicated from the server via NEW_TOKEN frames, which will still +be validated on receipt in future connections. The SSL_new_from_listener() creates a client connection under a given listener SSL object. For QUIC, it is also possible to use SSL_new_from_listener() in diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c index c2b1bee7b48..28457f3bcd3 100644 --- a/ssl/quic/quic_port.c +++ b/ssl/quic/quic_port.c 
@@ -1197,14 +1197,21 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg, * states in TCP. If we reach certain threshold, then we want to * validate clients. */ - if (port->validate_addr == 1) { - if (hdr.token == NULL) { - port_send_retry(port, &e->peer, &hdr); - goto undesirable; - } else if (port_validate_token(&hdr, port, &e->peer, - &odcid, &scid) == 0) { + if (port->validate_addr == 1 && hdr.token == NULL) { + port_send_retry(port, &e->peer, &hdr); + goto undesirable; + } + + /* + * Note, even if we don't enforce the sending of retry frames for + * server address validation, we may still get a token if we sent + * a NEW_TOKEN frame during a prior connection, which we should still + * validate here + */ + if (hdr.token != NULL) { + if (port_validate_token(&hdr, port, &e->peer, + &odcid, &scid) == 0) goto undesirable; - } } port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id,
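Review bot: the wording added in the SSL_new_listener.pod hunk is inconsistent with its own context: the unchanged line just above says the flag disables "client address validation", the subject line says "retry packets", yet the new sentences say "retry frames" and "server address validation". In QUIC, Retry is a packet type, not a frame, and it is the client's address that the server validates. Suggest "Note that this flag only affects whether Retry packets are sent for address validation of new connections." and keep "client address validation" so the paragraph agrees with itself and with the commit subject.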
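Review bot: in the quic_port.c hunk, with port->validate_addr == 0 a connection that arrives with hdr.token == NULL now proceeds to port_bind_channel(), but one that arrives with a token for which port_validate_token() returns 0 is dropped via goto undesirable. A client presenting a stale or unparseable token is therefore treated more strictly than one presenting none, even though validation has been disabled; confirm that is intended rather than treating a rejected token like a missing one (falling through to port_bind_channel() when validate_addr is 0, or sending a retry when it is 1). Minor: the nested `if (hdr.token != NULL) { if (port_validate_token(...) == 0) goto undesirable; }` can be one condition, `if (hdr.token != NULL && port_validate_token(...) == 0)`, and the new comment should say "Retry packets" to match the subject line.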