quic_channel: Handle HRR and the second transport params extension
authorNorbert Pocs <norbertp@openssl.org>
Mon, 28 Jul 2025 13:45:09 +0000 (15:45 +0200)
committerNeil Horman <nhorman@openssl.org>
Thu, 7 Aug 2025 17:16:25 +0000 (13:16 -0400)
When an HRR happens, a second client hello is sent and it includes a
transport params extension. This must be processed and must not cause a
failure.

Fixes: https://github.com/openssl/project/issues/1296
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28115)

ssl/quic/quic_channel.c

index 83253910c4e63c5d2d9e2228eb8b52d82176e1f5..652c653b912046d80c00f9b0270aa08a9ab0a4c7 100644 (file)
@@ -1331,8 +1331,20 @@ static int ch_on_transport_params(const unsigned char *params,
     ossl_unused uint64_t rx_max_idle_timeout = 0;
     ossl_unused const void *stateless_reset_token_p = NULL;
     QUIC_PREFERRED_ADDR pfa;
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ch->tls);
 
-    if (ch->got_remote_transport_params) {
+    /*
+     * When HRR happens the client sends the transport params in the new client
+     * hello again. Reset the transport params here and load them again.
+     */
+    if (ch->is_server && sc->hello_retry_request != SSL_HRR_NONE
+        && ch->got_remote_transport_params) {
+        ch->max_local_streams_bidi = 0;
+        ch->max_local_streams_uni = 0;
+        ch->got_local_transport_params = 0;
+        OPENSSL_free(ch->local_transport_params);
+        ch->local_transport_params = NULL;
+    } else if (ch->got_remote_transport_params) {
         reason = "multiple transport parameter extensions";
         goto malformed;
     }
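Review bot: `sc` obtained from `SSL_CONNECTION_FROM_SSL(ch->tls)` is dereferenced in the new condition with no NULL check, although that macro can yield NULL when the SSL object is not an SSL_CONNECTION; the guard should short-circuit on it, `if (ch->is_server && sc != NULL && sc->hello_retry_request != SSL_HRR_NONE`, so a bad `ch->tls` fails the duplicate-extension check instead of crashing. The HRR branch clears only the two local stream limits and the server's own transport params, so any other field that ch_on_transport_params derives from the first ClientHello's parameters is presumably overwritten by the re-parse further down rather than reset here; that reliance is worth stating in the comment, e.g. `/* Remaining peer-derived fields are overwritten when the new params are parsed below. */`. The comment could also say why the local params are freed, which looks like forcing the server to regenerate its own transport params for the second flight — confirm. ch_on_transport_params continues past the end of the hunk.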