Handle missing received transport parameter value
initial_source_connection_id / original_destination_connection_id.
Previously, such a case would result in an error reported via
quic_transport_params_store(), which triggers a TLS alert converted as
expected as a CONNECTION_CLOSE. The issue is that the error code
reported in the frame was incorrect.
Fix this by returning QUIC_TP_DEC_ERR_INVAL for such conditions. This is
directly handled via quic_transport_params_store() which sets the proper
TRANSPORT_PARAMETER_ERROR code for the CONNECTION_CLOSE. However, no
error is reported so the SSL handshake is properly terminated without a
TLS alert. This is enough to ensure that the CONNECTION_CLOSE frame will
be emitted as expected.
This should be backported up to 2.6. Note that it relies on previous
patch "MINOR: quic: extend return value on TP parsing".
(cherry picked from commit df6bd4909e8dfa64337662a78adc39ca702c1dc7)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 5eb284aa55fa3a7c12060b3834000dd66f88493e)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
return err;
}
- /*
- * A server MUST send original_destination_connection_id transport parameter.
- * initial_source_connection_id must be present both for server and client.
+ /* RFC 9000 7.3. Authenticating Connection IDs
+ *
+ * An endpoint MUST treat the absence of the
+ * initial_source_connection_id transport parameter from either endpoint
+ * or the absence of the original_destination_connection_id transport
+ * parameter from the server as a connection error of type
+ * TRANSPORT_PARAMETER_ERROR.
*/
- if ((server && !p->original_destination_connection_id_present) ||
- !p->initial_source_connection_id_present)
- return QUIC_TP_DEC_ERR_TRUNC;
+ if (!p->initial_source_connection_id_present ||
+ (server && !p->original_destination_connection_id_present)) {
+ return QUIC_TP_DEC_ERR_INVAL;
+ }
/* Note that if not received by the peer, active_connection_id_limit will
* have QUIC_TP_DFLT_ACTIVE_CONNECTION_ID_LIMIT as default value. This
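Review bot: in the new condition, `server` gates the original_destination_connection_id check, but neither the rewritten comment nor the visible lines say whether the flag means "these parameters were received from a server" or "the local endpoint is a server". The quoted RFC 9000 7.3 text requires the check for the parameter "from the server", so one line in the comment stating what `server` denotes would let a reader verify the condition without leaving the function. The comment could also say why an absent parameter returns QUIC_TP_DEC_ERR_INVAL rather than the former QUIC_TP_DEC_ERR_TRUNC: according to the commit message, this is the value that quic_transport_params_store() turns into TRANSPORT_PARAMETER_ERROR, and that dependency is not evident from the hunk itself. Minor style point: the braces around the single `return` are new compared with the removed lines, so keep them only if that matches the rest of the file.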