BUG/MINOR: quic: avoid freezing 0RTT connections

This issue came with this commit:

	f627b92 BUG/MEDIUM: quic: always validate sender address on 0-RTT

and could be easily reproduced with picoquic QUIC client with -Q option
which splits a big ClientHello TLS message into two Initial datagrams.
A second condition must be fulfilled to reprodue this issue: picoquic
must not send the token provided by haproxy (NEW_TOKEN). To do that,
haproxy must be patched to prevent it to send such tokens.

Under these conditions, if haproxy has enough time to reply to the first Initial
datagrams, when it receives the second Initial datagram it sends a Retry paquet.
Then the client ignores the Retry paquet as mentionned by RFC 9000:

 17.2.5.2. Handling a Retry Packet
    A client MUST accept and process at most one Retry packet for each connection
    attempt. After the client has received and processed an Initial or Retry packet
    from the server, it MUST discard any subsequent Retry packets that it receives.

On its side, haproxy has closed the connection. When it receives the second
Initial datagram, it open a new connection but with Initial packets it
cannot decrypt (wrong ODCID) leaving the client without response.

To fix this, as the aim of the token (NEW_TOKEN) sent by haproxy is to validate
the peer address, in place of closing the connection when no token was received
for a 0RTT connection, one leaves this validation to the handshake process.
Indeed, the peer adress is validated during the handshake when a valid handshake
packet is received by the listener. But as one does not want haproxy to process
0RTT when no token was received, one does not accept the connection before
the successful handshake completion.

Must be backported as far as 2.9.

include/haproxy/quic_conn-t.h

@@ -446,7 +446,6 @@ struct quic_conn_closed {
 #define QUIC_FL_CONN_HPKTNS_DCD                  (1U << 16) /* Handshake packet number space discarded  */
 #define QUIC_FL_CONN_PEER_VALIDATED_ADDR         (1U << 17) /* Peer address is considered as validated for this connection. */
 #define QUIC_FL_CONN_NO_TOKEN_RCVD               (1U << 18) /* Client dit not send any token */
-#define QUIC_FL_CONN_SEND_RETRY                  (1U << 19) /* A send retry packet must be sent */
 /* gap here */
 #define QUIC_FL_CONN_TO_KILL                     (1U << 24) /* Unusable connection, to be killed */
 #define QUIC_FL_CONN_TX_TP_RECEIVED              (1U << 25) /* Peer transport parameters have been received (used for the transmitting part) */

src/quic_conn.c

@@ -811,11 +811,6 @@ struct task *quic_conn_io_cb(struct task *t, void *context, unsigned int state)
 		goto out;
 	}
 
-	if (qc->flags & QUIC_FL_CONN_TO_KILL) {
-		TRACE_DEVEL("connection to be killed", QUIC_EV_CONN_PHPKTS, qc);
-		goto out;
-	}
-
 	if ((qc->flags & QUIC_FL_CONN_DRAINING) &&
 	    !(qc->flags & QUIC_FL_CONN_IMMEDIATE_CLOSE))
 		goto out;
@@ -888,25 +883,7 @@ struct task *quic_conn_io_cb(struct task *t, void *context, unsigned int state)
 		quic_nictx_free(qc);
 	}
 
-	if (qc->flags & QUIC_FL_CONN_SEND_RETRY) {
-		struct quic_counters *prx_counters;
-		struct proxy *prx = qc->li->bind_conf->frontend;
-		struct quic_rx_packet pkt = {
-			.scid = qc->dcid,
-			.dcid = qc->odcid,
-		};
-
-		prx_counters = EXTRA_COUNTERS_GET(prx->extra_counters_fe, &quic_stats_module);
-		if (send_retry(qc->li->rx.fd, &qc->peer_addr, &pkt, qc->original_version)) {
-			TRACE_ERROR("Error during Retry generation",
-			            QUIC_EV_CONN_LPKT, NULL, NULL, NULL, qc->original_version);
-		}
-		else
-			HA_ATOMIC_INC(&prx_counters->retry_sent);
-	}
-
-	if ((qc->flags & (QUIC_FL_CONN_CLOSING|QUIC_FL_CONN_TO_KILL)) &&
-	    qc->mux_state != QC_MUX_READY) {
+	if ((qc->flags & QUIC_FL_CONN_CLOSING) && qc->mux_state != QC_MUX_READY) {
 		quic_conn_release(qc);
 		qc = NULL;
 	}

src/quic_ssl.c

@@ -223,12 +223,21 @@ static int ha_quic_set_encryption_secrets(SSL *ssl, enum ssl_encryption_level_t
 	}
 
 	/* Enqueue this connection asap if we could derive O-RTT secrets as
-	 * listener. Note that a listener derives only RX secrets for this
-	 * level.
+	 * listener and if a token was received. Note that a listener derives only RX
+	 * secrets for this level.
 	 */
 	if (qc_is_listener(qc) && level == ssl_encryption_early_data) {
-		TRACE_DEVEL("pushing connection into accept queue", QUIC_EV_CONN_RWSEC, qc);
-		quic_accept_push_qc(qc);
+		if (qc->flags & QUIC_FL_CONN_NO_TOKEN_RCVD) {
+			/* Leave a chance to the address validation to be completed by the
+			 * handshake without starting the mux: one does not want to process
+			 * the 0RTT data in this case.
+			 */
+			TRACE_PROTO("0RTT session without token", QUIC_EV_CONN_RWSEC, qc);
+		}
+		else {
+			TRACE_DEVEL("pushing connection into accept queue", QUIC_EV_CONN_RWSEC, qc);
+			quic_accept_push_qc(qc);
+		}
 	}
 
 write:
@@ -355,21 +364,6 @@ static int ha_quic_add_handshake_data(SSL *ssl, enum ssl_encryption_level_t leve
 
 	TRACE_PROTO("ha_quic_add_handshake_data() called", QUIC_EV_CONN_IO_CB, qc, NULL, NULL, ssl);
 
-#ifdef HAVE_SSL_0RTT_QUIC
-	/* Detect asap if some 0-RTT data were accepted for this connection.
-	 * If this is the case and no token was provided, interrupt the useless
-	 * secrets derivations. A Retry packet must be sent, and this connection
-	 * must be killed.
-	 * Note that QUIC_FL_CONN_NO_TOKEN_RCVD is possibly set only for when 0-RTT is
-	 * enabled for the connection.
-	 */
-	if ((qc->flags & QUIC_FL_CONN_NO_TOKEN_RCVD) && qc_ssl_eary_data_accepted(ssl)) {
-		TRACE_PROTO("connection to be killed", QUIC_EV_CONN_ADDDATA, qc);
-		qc->flags |= QUIC_FL_CONN_TO_KILL|QUIC_FL_CONN_SEND_RETRY;
-		goto leave;
-	}
-#endif
-
 	if (qc->flags & QUIC_FL_CONN_TO_KILL) {
 		TRACE_PROTO("connection to be killed", QUIC_EV_CONN_ADDDATA, qc);
 		goto out;