From 2b5659f350974dc1659c512d5681971c857c2deb Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Thu, 22 Jul 2021 15:00:37 +0300
Subject: [PATCH] QUIC: avoid processing 1-RTT with incomplete handshake in
 OpenSSL.

OpenSSL is known to provide read keys for an encryption level before the
level is active in TLS, following the old BoringSSL API.  In BoringSSL,
it was then fixed to defer releasing read keys until QUIC may use them.
---
 src/event/quic/ngx_event_quic.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
index 0d61be837..8f57b9f5d 100644
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -918,6 +918,20 @@ ngx_quic_process_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
         return NGX_DECLINED;
     }
 
+#if !defined (OPENSSL_IS_BORINGSSL)
+    /* OpenSSL provides read keys for an application level before it's ready */
+
+    if (pkt->level == ssl_encryption_application
+        && SSL_quic_read_level(c->ssl->connection)
+           < ssl_encryption_application)
+    {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic no %s keys ready, ignoring packet",
+                      ngx_quic_level_name(pkt->level));
+        return NGX_DECLINED;
+    }
+#endif
+
     pkt->keys = qc->keys;
     pkt->key_phase = qc->key_phase;
     pkt->plaintext = buf;