authorHugo Landau <hlandau@openssl.org>2023-07-25 11:32:25 +0100
committerMatt Caswell <matt@openssl.org>2023-08-08 14:33:42 +0100
commit2a6f1f2f6e321abe6deb2ce89084ece4aa50b3de (patch)
treead11f25a84b0237d8e148f6ed943130ae04d9bc7 /include
parent0c1cc36bbb3b29a43cf08572b1176e5ee8e37ce2 (diff)
QUIC QRX: Don't process 1-RTT packets until handshake is complete
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21547)
Diffstat (limited to 'include')
-rw-r--r--include/internal/quic_record_rx.h11
1 files changed, 11 insertions, 0 deletions
diff --git a/include/internal/quic_record_rx.h b/include/internal/quic_record_rx.h
index 19545c3e3a..ed5cdefb2f 100644
--- a/include/internal/quic_record_rx.h
+++ b/include/internal/quic_record_rx.h
@@ -339,6 +339,17 @@ int ossl_qrx_set_late_validation_cb(OSSL_QRX *qrx,
void ossl_qrx_inject_urxe(OSSL_QRX *qrx, QUIC_URXE *e);
/*
+ * Decryption of 1-RTT packets must be explicitly enabled by calling this
+ * function. This is to comply with the requirement that we not process 1-RTT
+ * packets until the handshake is complete, even if we already have 1-RTT
+ * secrets. Even if a 1-RTT secret is provisioned for the QRX, incoming 1-RTT
+ * packets will be handled as though no key is available until this function is
+ * called. Calling this function will then requeue any such deferred packets for
+ * processing.
+ */
+void ossl_qrx_allow_1rtt_processing(OSSL_QRX *qrx);
+
+/*
* Key Update (RX)
* ===============
*
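Review bot: The new comment on `ossl_qrx_allow_1rtt_processing` does not say whether the call is one-way or safe to repeat, and it leaves unstated what bounds the 1-RTT packets that are deferred until it is called. The implementation is not part of this view (the diff is limited to `include`), so whether that deferred queue is capped cannot be checked here. Because those packets arrive before the handshake has completed, an uncapped queue would be a memory-exhaustion concern, and the header is the natural place to rule it out. Once confirmed against the implementation, I would extend the comment with something like `* This cannot be undone; calling it again has no further effect. Packets deferred before the call remain subject to the QRX's normal buffering limits.`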