From: Andrew Dinh Date: Wed, 15 Jan 2025 15:12:31 +0000 (+0800) Subject: If server receives NEW_TOKEN frame, respond with PROTOCOL_VIOLATION X-Git-Tag: openssl-3.5.0-alpha1~271 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d79ef118db48cf599027064e341a80cdaca4e00a;p=thirdparty%2Fopenssl.git If server receives NEW_TOKEN frame, respond with PROTOCOL_VIOLATION Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26426) --- diff --git a/ssl/quic/quic_rx_depack.c b/ssl/quic/quic_rx_depack.c index 31e311554ee..679d6cc3e02 100644 --- a/ssl/quic/quic_rx_depack.c +++ b/ssl/quic/quic_rx_depack.c @@ -1181,6 +1181,19 @@ static int depack_process_frames(QUIC_CHANNEL *ch, PACKET *pkt, "NEW_TOKEN valid only in 1-RTT"); return 0; } + + /* + * RFC 9000 s. 19.7: "A server MUST treat receipt of a NEW_TOKEN + * frame as a connection error of type PROTOCOL_VIOLATION." + */ + if (ch->is_server) { + ossl_quic_channel_raise_protocol_error(ch, + OSSL_QUIC_ERR_PROTOCOL_VIOLATION, + frame_type, + "NEW_TOKEN can only be sent by a server"); + return 0; + } + if (!depack_do_frame_new_token(pkt, ch, ackm_data)) return 0; break;
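Review bot: the new `ch->is_server` rejection is placed after the existing "NEW_TOKEN valid only in 1-RTT" check, so a server that receives NEW_TOKEN in a non-1-RTT packet will report the 1-RTT reason rather than the RFC 9000 s. 19.7 reason this change introduces; consider moving the `if (ch->is_server)` block above that check so the most specific reason phrase ("NEW_TOKEN can only be sent by a server") is the one attached to the PROTOCOL_VIOLATION for every server-side receipt. The change also lands without an accompanying test: a regression test that feeds a NEW_TOKEN frame to a server-side channel and asserts the connection is closed with OSSL_QUIC_ERR_PROTOCOL_VIOLATION and the frame type in `frame_type` would pin this behaviour down and guard against the check being reordered or dropped later.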