As specified by RFC 9000, reject NEW_TOKEN frames emitted by clients.
Close the connection with error code PROTOCOL_VIOLATION.
This must be backported up to 2.6.
(cherry picked from commit
4a5d82a97d9269eb17f9b92af6c8a9cd904705cd)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit
21c807cc2233e5ca9f450d767311c8e12bbb9d70)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
break;
case QUIC_FT_NEW_TOKEN:
- /* TODO */
+ if (qc_is_listener(qc)) {
+ TRACE_ERROR("reject NEW_TOKEN frame emitted by client",
+ QUIC_EV_CONN_PRSHPKT, qc);
+
+ /* RFC 9000 19.7. NEW_TOKEN Frames
+ * Clients MUST NOT send NEW_TOKEN frames. A server MUST treat receipt
+ * of a NEW_TOKEN frame as a connection error of type
+ * PROTOCOL_VIOLATION.
+ */
+ quic_set_connection_close(qc, quic_err_transport(QC_ERR_PROTOCOL_VIOLATION));
+ goto err;
+ }
+ else {
+ /* TODO */
+ }
break;
case QUIC_FT_STREAM_8 ... QUIC_FT_STREAM_F:
{
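Review bot: The new `else` branch keeps a bare `/* TODO */`, so on a non-listener connection a NEW_TOKEN frame is still accepted and silently dropped, and nothing records what is left to implement. I would spell it out in that branch, for example `/* TODO: client side, keep the token for a future Initial packet (RFC 9000 8.1.3) */`. This keeps the deliberate "ignore" on the client side distinguishable from the server-side rejection added just above it. The enclosing switch and function start and end outside this hunk, so whether the frame type is also checked against the packet type before this case cannot be confirmed from here.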