authorHugo Landau <hlandau@openssl.org>2023-05-23 12:23:06 +0100
committerPauli <pauli@openssl.org>2023-06-16 09:26:28 +1000
commit54fb0072c6f14a35808f3bb837517f053aff3847 (patch)
tree471c69cd8a97472e5789b0f890085e6cc7fdfba9 /ssl
parent8a65e7a529020b50716f08acc82816b95765914b (diff)
QUIC CHANNEL: Ensure new packets aren't enforced with old keys
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21029)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/quic/quic_channel.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index b8f6121b4b..017a1ab28f 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -1767,6 +1767,23 @@ static void ch_rx_handle_packet(QUIC_CHANNEL *ch)
*/
ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL);
+ if (ch->rxku_in_progress
+ && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_1RTT
+ && ch->qrx_pkt->pn >= ch->rxku_trigger_pn
+ && ch->qrx_pkt->key_epoch < ossl_qrx_get_key_epoch(ch->qrx)) {
+ /*
+ * RFC 9001 s. 6.4: Packets with higher packet numbers MUST be
+ * protected with either the same or newer packet protection keys
+ * than packets with lower packet numbers. An endpoint that
+ * successfully removes protection with old keys when newer keys
+ * were used for packets with lower packet numbers MUST treat this
+ * as a connection error of type KEY_UPDATE_ERROR.
+ */
+ ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_KEY_UPDATE_ERROR,
+ 0, "new packet with old keys");
+ break;
+ }
+
/* This packet contains frames, pass to the RXDP. */
ossl_quic_handle_frames(ch, ch->qrx_pkt); /* best effort */
break;
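Review bot: The added guard only fires while `ch->rxku_in_progress` is set and only for `pn >= ch->rxku_trigger_pn`, but the comment quotes RFC 9001 s. 6.4 without saying why those two bounds are enough. Presumably the QRX no longer holds the previous keys once the RX key update completes, so an old-epoch packet cannot decrypt outside that window; that invariant lives outside this hunk and should be stated here, since the KEY_UPDATE_ERROR enforcement depends on it. I would add to the comment something like `Packets below rxku_trigger_pn may arrive reordered under the old keys and are legitimate; after the update completes the old keys are gone, so the check is only needed while rxku_in_progress.` The enclosing switch case in ch_rx_handle_packet begins and ends outside the hunk, so the interaction with the other packet types handled by the same case cannot be confirmed from here.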