MEDIUM: quic: adjust address validation

When a new QUIC connection is created, server consider the peer address
has not validated. The server must limit its sending up to 3 times the
content already received. This is defensive measure to avoid flooding a
remote host victime of address spoofing.

This patch adjust the condition to consider the peer address as
validated. Two conditions are now considered :
* successful handling of a received HANDSHAKE packet. This was already
  done before this patch although not quite similarly.
* validation of a Retry token. This was not considered prior despite the
  RFC recommandation.

This patch also changes how a connection is labelled with a validated
peer address. Before, above conditions were checked via
quic_peer_validated_addr(). Now, a flag QUIC_FL_CONN_PEER_VALIDATED_ADDR
is set to labelled this. This flag was already existing but only used
for quic_cc_conn. This should be more explicit now.

include/haproxy/quic_conn-t.h

@@ -394,7 +394,7 @@ struct quic_conn_cntrs {
 #define QUIC_FL_CONN_IO_TO_REQUEUE               (1U << 14) /* IO handler must be requeued on new thread after connection migration */
 #define QUIC_FL_CONN_IPKTNS_DCD                  (1U << 15) /* Initial packet number space discarded  */
 #define QUIC_FL_CONN_HPKTNS_DCD                  (1U << 16) /* Handshake packet number space discarded  */
-#define QUIC_FL_CONN_PEER_VALIDATED_ADDR         (1U << 17) /* Connection with peer validated address */
+#define QUIC_FL_CONN_PEER_VALIDATED_ADDR         (1U << 17) /* Peer address is considered as validated for this connection. */
 #define QUIC_FL_CONN_TO_KILL                     (1U << 24) /* Unusable connection, to be killed */
 #define QUIC_FL_CONN_TX_TP_RECEIVED              (1U << 25) /* Peer transport parameters have been received (used for the transmitting part) */
 #define QUIC_FL_CONN_FINALIZED                   (1U << 26) /* QUIC connection finalized (functional, ready to send/receive) */

src/quic_conn.c

@@ -150,9 +150,7 @@ int quic_peer_validated_addr(struct quic_conn *qc)
 	if (!qc_is_listener(qc))
 		return 1;
 
-	if ((qc->hpktns && (qc->hpktns->flags & QUIC_FL_PKTNS_PKT_RECEIVED)) ||
-	    (qc->apktns && (qc->apktns->flags & QUIC_FL_PKTNS_PKT_RECEIVED)) ||
-	    qc->state >= QUIC_HS_ST_COMPLETE)
+	if (qc->flags & QUIC_FL_CONN_PEER_VALIDATED_ADDR)
 		return 1;
 
 	BUG_ON(qc->bytes.prep > 3 * qc->bytes.rx);
@@ -845,8 +843,6 @@ static struct quic_cc_conn *qc_new_cc_conn(struct quic_conn *qc)
 	if (qc->fd >= 0)
 		fdtab[cc_qc->fd].owner = cc_qc;
 	cc_qc->flags = qc->flags;
-	if (quic_peer_validated_addr(qc))
-	    cc_qc->flags |= QUIC_FL_CONN_PEER_VALIDATED_ADDR;
 	cc_qc->err = qc->err;
 
 	cc_qc->nb_pkt_for_cc = qc->nb_pkt_for_cc;
@@ -1355,6 +1351,13 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
 	LIST_APPEND(&th_ctx->quic_conns, &qc->el_th_ctx);
 	qc->qc_epoch = HA_ATOMIC_LOAD(&qc_epoch);
 
+	/* If token_odcid is not NULL, it means that the INITIAL packet that
+	 * triggers connection allocations has a token which has been accepted.
+	 * In this case, the connection address can be considered as validated.
+	 */
+	if (token_odcid)
+		qc->flags |= QUIC_FL_CONN_PEER_VALIDATED_ADDR;
+
 	TRACE_LEAVE(QUIC_EV_CONN_INIT, qc);
 
 	return qc;

src/quic_rx.c

@@ -1371,6 +1371,16 @@ int qc_treat_rx_pkts(struct quic_conn *qc)
 				else {
 					struct quic_arng ar = { .first = pkt->pn, .last = pkt->pn };
 
+					/* RFC 9000 8.1. Address Validation during Connection Establishment
+					 *
+					 * Connection establishment implicitly provides address validation for
+					 * both endpoints. In particular, receipt of a packet protected with
+					 * Handshake keys confirms that the peer successfully processed an
+					 * Initial packet.
+					 */
+					if (qel == qc->hel)
+						qc->flags |= QUIC_FL_CONN_PEER_VALIDATED_ADDR;
+
 					if (pkt->flags & QUIC_FL_RX_PACKET_ACK_ELICITING) {
 						int arm_ack_timer =
 							qc->state >= QUIC_HS_ST_COMPLETE &&