QUIC: avoid processing 1-RTT with incomplete handshake in OpenSSL.

OpenSSL is known to provide read keys for an encryption level before the level is active in TLS, following the old BoringSSL API. In BoringSSL, it was then fixed to defer releasing read keys until QUIC may use them.
2025-02-25 18:55:26 -06:00 · 2021-07-22 15:00:37 +03:00 · 2021-07-22 15:00:37 +03:00 · 2b5659f350
commit 2b5659f350
parent 6157d0b5c1
1 changed files with 14 additions and 0 deletions
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@ -918,6 +918,20 @@ ngx_quic_process_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
        return NGX_DECLINED;
    }

+#if !defined (OPENSSL_IS_BORINGSSL)
+    /* OpenSSL provides read keys for an application level before it's ready */
+
+    if (pkt->level == ssl_encryption_application
+        && SSL_quic_read_level(c->ssl->connection)
+           < ssl_encryption_application)
+    {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "quic no %s keys ready, ignoring packet",
+                      ngx_quic_level_name(pkt->level));
+        return NGX_DECLINED;
+    }
+#endif
+
    pkt->keys = qc->keys;
    pkt->key_phase = qc->key_phase;
    pkt->plaintext = buf;