[PATCH 02 of 11] QUIC: added safety belt to prevent using discarded keys

Sergey Kandaurov pluknet at nginx.com
Wed Oct 18 15:26:44 UTC 2023


# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1697633594 -14400
#      Wed Oct 18 16:53:14 2023 +0400
# Node ID 0ff1706a4affd40d847fd39d7c3c98f459cae6f1
# Parent  ff98ae7d261e1a7f58963ac91eac9caecc9d6aee
QUIC: added safety belt to prevent using discarded keys.

In addition to triggering an alert, it ensures that such packets won't be sent.

With the previous change that marks server keys as discarded by zeroing the
key length, it is now an error to send packets with discarded keys.  OpenSSL
based stacks tolerate such behaviour because key length isn't used in packet
protection, but BoringSSL will raise the UNSUPPORTED_KEY_SIZE cipher error.
It won't be possible to use discarded keys with reused crypto contexts as it
happens in subsequent changes.

diff --git a/src/event/quic/ngx_event_quic_output.c b/src/event/quic/ngx_event_quic_output.c
--- a/src/event/quic/ngx_event_quic_output.c
+++ b/src/event/quic/ngx_event_quic_output.c
@@ -519,6 +519,21 @@ ngx_quic_output_packet(ngx_connection_t 
 
     qc = ngx_quic_get_connection(c);
 
+    if (!ngx_quic_keys_available(qc->keys, ctx->level, 1)) {
+        ngx_log_error(NGX_LOG_ALERT, c->log, 0, "quic %s write keys discarded",
+                      ngx_quic_level_name(ctx->level));
+
+        while (!ngx_queue_empty(&ctx->frames)) {
+            q = ngx_queue_head(&ctx->frames);
+            ngx_queue_remove(q);
+
+            f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+            ngx_quic_free_frame(c, f);
+        }
+
+        return 0;
+    }
+
     ngx_quic_init_packet(c, ctx, &pkt, qc->path);
 
     min_payload = ngx_quic_payload_size(&pkt, min);
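Review bot: the drain loop uses `q` and `f` without declaring them in the hunk, so please confirm `ngx_queue_t *q` and `ngx_quic_frame_t *f` are already declared in ngx_quic_output_packet() above the hunk's start; if not, the loop won't compile. Two smaller points on the same block: the literal `1` passed as the third argument of ngx_quic_keys_available() is unexplained in the hunk (the log text "write keys discarded" suggests it selects the send direction), so a short comment or a named constant would make the check self-documenting; and because the function returns 0 after freeing every queued frame, the only trace of dropped data is the ALERT line, which will repeat on each call while frames keep being queued at that level. That is acceptable for a safety belt on a condition the commit message says should not occur, but it is worth checking that no caller can legitimately queue frames at a level after its keys have been discarded, since those frames are now lost rather than retransmitted.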

