From: Hugo Landau <hlandau@openssl.org>
Date: Tue, 6 Jun 2023 15:25:11 +0000 (+0100)
Subject: QUIC CONFORMANCE: Enforce packet header reserved bits
X-Git-Tag: openssl-3.2.0-alpha1~444
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08cb9a83277e5cd847742c048345fb6c9daf8170;p=thirdparty%2Fopenssl.git

QUIC CONFORMANCE: Enforce packet header reserved bits

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21135)
---

diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index d430637a572..1952b7390c8 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -1822,6 +1822,18 @@ static void ch_rx_handle_packet(QUIC_CHANNEL *ch)
          */
         return;
 
+    /*
+     * RFC 9000 s. 17.2: "An endpoint MUST treat receipt of a packet that has a
+     * non-zero value for [the reserved bits] after removing both packet and
+     * header protection as a connection error of type PROTOCOL_VIOLATION."
+     */
+    if (ossl_quic_pkt_type_is_encrypted(ch->qrx_pkt->hdr->type)
+        && ch->qrx_pkt->hdr->reserved != 0) {
+        ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
+                                               0, "packet header reserved bits");
+        return;
+    }
+
     /* Handle incoming packet. */
     switch (ch->qrx_pkt->hdr->type) {
     case QUIC_PKT_TYPE_RETRY: