Description
According to RFC 9000 §7.3 (Authenticating Connection IDs):

The codebase does not validate that the retry_source_connection_id transport parameter matches the actual Source Connection ID (SCID) used in the Retry packet. This is a violation of RFC 9000 §7.3, which explicitly requires validating all handshake CIDs, including the Retry SCID.
While the code does check for the presence of the retry_source_connection_id field, it does not compare its value to the SCID received in the Retry packet. This leaves a standards-compliance gap that could allow an attacker to tamper with Retry packets or transport parameters.
In QuicConnValidateTransportParameterCIDs (connection.c), a // TODO - Validate comment suggests this validation was known to be missing.
The encoder stores no record of the Retry SCID, making it impossible to compare it during handshake parameter validation.
Suggested fix

Add a comparison between Connection->RetrySCID and Connection->PeerTransportParams.RetrySourceConnectionID, similar to the other validations. If mismatched, return an error (ConnError).
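As an added illustration of the check described above (this is not msquic's code; the ExampleConnection, ExamplePeerTransportParams, ExampleCid types and the ValidateRetrySourceConnectionId / RunScenario functions are hypothetical stand-ins for the real Connection and PeerTransportParams structures), here is a standalone sketch of the client-side retry_source_connection_id validation from RFC 9000 §7.3. It keeps the existing presence check and adds the missing value comparison, including the length check that must precede the byte comparison, and also rejects the parameter when no Retry was received:

```c
/* Added example, not msquic code: a standalone sketch of the client-side
 * retry_source_connection_id check (RFC 9000 section 7.3) that the issue
 * reports as missing. All type and field names below are hypothetical
 * stand-ins for msquic's real Connection / PeerTransportParams structures. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXAMPLE_MAX_CID_LENGTH 20   /* RFC 9000 limits connection IDs to 20 bytes */

/* Hypothetical connection ID record. */
typedef struct {
    uint8_t Length;
    uint8_t Data[EXAMPLE_MAX_CID_LENGTH];
} ExampleCid;

/* Hypothetical subset of the peer's transport parameters. */
typedef struct {
    bool RetrySourceConnectionIdPresent;    /* parameter was received at all */
    ExampleCid RetrySourceConnectionId;     /* its value, if present */
} ExamplePeerTransportParams;

/* Hypothetical subset of per-connection handshake state. */
typedef struct {
    bool RetryReceived;                     /* client processed a Retry packet */
    ExampleCid RetryScid;                   /* SCID recorded from that Retry packet */
    ExamplePeerTransportParams PeerTransportParams;
} ExampleConnection;

static void SetCid(ExampleCid* Cid, const uint8_t* Data, uint8_t Length) {
    if (Length > EXAMPLE_MAX_CID_LENGTH) {
        Length = EXAMPLE_MAX_CID_LENGTH;
    }
    Cid->Length = Length;
    memcpy(Cid->Data, Data, Length);
}

/* Lengths must match before the bytes are compared. */
static bool CidEqual(const ExampleCid* A, const ExampleCid* B) {
    return A->Length == B->Length && memcmp(A->Data, B->Data, A->Length) == 0;
}

/* Client-side rule from RFC 9000 section 7.3:
 *  - after a Retry, the parameter MUST be present and MUST equal the Retry SCID;
 *  - without a Retry, the parameter MUST be absent.
 * Returns true when validation passes; false means the caller should close the
 * connection with TRANSPORT_PARAMETER_ERROR. */
bool ValidateRetrySourceConnectionId(const ExampleConnection* Connection) {
    const ExamplePeerTransportParams* Tp = &Connection->PeerTransportParams;

    if (!Connection->RetryReceived) {
        /* No Retry was received, so the parameter must not be there at all. */
        return !Tp->RetrySourceConnectionIdPresent;
    }
    if (!Tp->RetrySourceConnectionIdPresent) {
        /* Presence check: the part the issue says already exists. */
        return false;
    }
    /* Value check: the comparison the issue reports as missing. */
    return CidEqual(&Connection->RetryScid, &Tp->RetrySourceConnectionId);
}

/* Builds a connection in the given state and runs the check. The CID bytes
 * passed in are constructed sample values, not real connection IDs. */
bool RunScenario(bool RetryReceived, const uint8_t* RetryScid, uint8_t RetryScidLen,
                 bool TpPresent, const uint8_t* TpCid, uint8_t TpCidLen) {
    ExampleConnection Connection;
    memset(&Connection, 0, sizeof(Connection));
    Connection.RetryReceived = RetryReceived;
    if (RetryReceived) {
        SetCid(&Connection.RetryScid, RetryScid, RetryScidLen);
    }
    Connection.PeerTransportParams.RetrySourceConnectionIdPresent = TpPresent;
    if (TpPresent) {
        SetCid(&Connection.PeerTransportParams.RetrySourceConnectionId, TpCid, TpCidLen);
    }
    return ValidateRetrySourceConnectionId(&Connection);
}

int main(void) {
    static const uint8_t Scid[]  = { 0xA1, 0xB2, 0xC3, 0xD4 };  /* constructed sample */
    static const uint8_t Other[] = { 0xA1, 0xB2, 0xC3, 0xD5 };  /* differs in last byte */

    printf("match            -> %s\n", RunScenario(true, Scid, 4, true, Scid, 4) ? "ok" : "error");
    printf("mismatch         -> %s\n", RunScenario(true, Scid, 4, true, Other, 4) ? "ok" : "error");
    printf("length mismatch  -> %s\n", RunScenario(true, Scid, 4, true, Scid, 3) ? "ok" : "error");
    printf("missing param    -> %s\n", RunScenario(true, Scid, 4, false, NULL, 0) ? "ok" : "error");
    printf("unexpected param -> %s\n", RunScenario(false, NULL, 0, true, Scid, 4) ? "ok" : "error");
    return 0;
}
```

Only the first scenario should pass; the others are the cases where an endpoint that checks presence alone would accept a tampered Retry SCID or transport parameter, which is the gap the issue describes.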