QUIC QRL: Fix bug in Handshake packet processing

We automatically dropped Initial keys when receiving a Handshake packet, but did this regardless of whether the packet was successfully decrypted and authenticated. Per the RFC, we should only drop Initial keys when successfully processing a Handshake packet. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19176)
2025-01-12 13:36:28 +08:00 · 2022-09-08 14:10:38 +01:00 · 2022-09-08 14:10:38 +01:00 · 45e7ef5fe3
commit 45e7ef5fe3
parent 9ab6b64ac8
1 changed files with 7 additions and 7 deletions
--- a/ssl/quic/quic_record_rx.c
+++ b/ssl/quic/quic_record_rx.c
@ -834,13 +834,6 @@ static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe,
    if (!qrx_validate_hdr(qrx, rxe))
        goto malformed;

-    /*
-     * We automatically discard INITIAL keys when successfully decrypting a
-     * HANDSHAKE packet.
-     */
-    if (enc_level == QUIC_ENC_LEVEL_HANDSHAKE)
-        ossl_qrl_enc_level_set_discard(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL);
-
    /*
     * The AAD data is the entire (unprotected) packet header including the PN.
     * The packet header has been unprotected in place, so we can just reuse the
@ -878,6 +871,13 @@ static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe,
                              rxe->hdr.key_phase))
        goto malformed;

+    /*
+     * We automatically discard INITIAL keys when successfully decrypting a
+     * HANDSHAKE packet.
+     */
+    if (enc_level == QUIC_ENC_LEVEL_HANDSHAKE)
+        ossl_qrl_enc_level_set_discard(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL);
+
    /*
     * At this point, we have successfully authenticated the AEAD tag and no
     * longer need to worry about exposing the Key Phase bit in timing channels.