QUIC CONFORMANCE: RFC 9000 s. 19.16: RETIRE_CONNECTION_ID frames

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21135)
2023-06-06 16:25:12 +01:00 · 2023-06-06 16:25:12 +01:00 · f37befa048
parent 5cc73695df
commit f37befa048
1 changed files with 21 additions and 1 deletions
--- a/ssl/quic/quic_rx_depack.c
+++ b/ssl/quic/quic_rx_depack.c
@ -851,7 +851,27 @@ static int depack_do_frame_retire_conn_id(PACKET *pkt,
        return 0;
    }

-    /* TODO(QUIC): Post MVP ADD CODE to send |seq_num| to the ch manager */
+    /*
+     * RFC 9000 s. 19.16: "An endpoint cannot send this frame if it was provided
+     * with a zero-length connection ID by its peer. An endpoint that provides a
+     * zero-length connection ID MUST treat receipt of a RETIRE_CONNECTION_ID
+     * frame as a connection error of type PROTOCOL_VIOLATION."
+     *
+     * Since we always use a zero-length SCID as a client, there is no case
+     * where it is valid for a server to send this. Our server support is
+     * currently non-conformant and for internal testing use; simply handle it
+     * as a no-op in this case.
+     *
+     * TODO(QUIC): Revise and implement correctly for server support.
+     */
+    if (!ch->is_server) {
+        ossl_quic_channel_raise_protocol_error(ch,
+                                               QUIC_ERR_PROTOCOL_VIOLATION,
+                                               OSSL_QUIC_FRAME_TYPE_RETIRE_CONN_ID,
+                                               "conn has zero-length CID");
+        return 0;
+    }
+
    return 1;
 }