]> git.ipfire.org Git - thirdparty/openssl.git/commit
If our server channel creates its own qrx, set its initial secret
authorNeil Horman <nhorman@openssl.org>
Sat, 8 Mar 2025 02:52:03 +0000 (21:52 -0500)
committerNeil Horman <nhorman@openssl.org>
Sat, 8 Mar 2025 02:56:34 +0000 (21:56 -0500)
commit8f74d8cee3630ede41a4dfa1a85c469d2200c58d
tree600488b4104eb01c0b7bf75d74acd36db94f0752
parent8d6fd6142b0b55ce029df6d7b63dda5f7cb8ce54
If our server channel creates its own qrx, set its initial secret

With the addition of larger client hellos, stemming from the use of
larger PQC key shares, it may happen that we get a client hello accross
multiple datagrams. Normally this is not a problem as
port_default_packet_handler allocates a qrx and initializes its initial
secret immediately.  But if server address validation is disabled, then
the channel creates the qrx in port_bind_channel itself, without initial
secrets.  As a result, we validate the first datagram in
port_default_packet_handler, but the subsequent datagrams containing the
remaining client hello fragments fail decode.

Fix it by ensuring that we add the initial secret in port_bind_channel
if we don't give it a preconfigured qrx

Fixes openssl/project#1131

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27006)
ssl/quic/quic_port.c