From: Hugo Landau Date: Tue, 6 Jun 2023 15:25:11 +0000 (+0100) Subject: QUIC CONFORMANCE: RFC 9000 s. 12.3: PN Limit X-Git-Tag: openssl-3.2.0-alpha1~449 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a1b1d2be3854581171addfe48bd6457a88c76b3;p=thirdparty%2Fopenssl.git QUIC CONFORMANCE: RFC 9000 s. 12.3: PN Limit Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21135) --- diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c index 4179b7e0862..d430637a572 100644 --- a/ssl/quic/quic_channel.c +++ b/ssl/quic/quic_channel.c @@ -2041,7 +2041,19 @@ static int ch_tx(QUIC_CHANNEL *ch) case TX_PACKETISER_RES_NO_PKT: break; /* No packet was sent */ + default: + /* + * One case where TXP can fail is if we reach a TX PN of 2**62 - 1. As + * per RFC 9000 s. 12.3, if this happens we MUST close the connection + * without sending a CONNECTION_CLOSE frame. This is actually handled as + * an emergent consequence of our design, as the TX packetiser will + * never transmit another packet when the TX PN reaches the limit. + * + * Calling the below function terminates the connection; its attempt to + * schedule a CONNECTION_CLOSE frame will not actually cause a packet to + * be transmitted for this reason. + */ ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0, "internal error"); break; /* Internal failure (e.g. allocation, assertion) */
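Review bot: In the comment added under `default:` in ch_tx(), the RFC 9000 s. 12.3 requirement (no CONNECTION_CLOSE once the TX PN reaches 2**62 - 1) is described as met only as an "emergent consequence" of the TX packetiser never transmitting again, and nothing in this hunk checks or enforces that property. Consider an explicit check at this point, or a test that pins the behaviour down, so that a later change to the packetiser cannot silently start emitting the CONNECTION_CLOSE that `ossl_quic_channel_raise_protocol_error()` schedules. The PN-limit case is also raised with the same `QUIC_ERR_INTERNAL_ERROR` and "internal error" reason as every other TXP failure, and the trailing comment on `break;` still names only allocation and assertion failures; a distinct reason string and an updated trailing comment would make PN exhaustion identifiable in diagnostics.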