author | Vladimir Homutov <vl@nginx.com> | 2020-09-01 17:20:42 +0300 |
committer | Vladimir Homutov <vl@nginx.com> | 2020-09-01 17:20:42 +0300 |
commit | d73a289c432b280913cfff4abffc5d40aa34318f (patch) | |
tree | 6e973ac9b92f65b23b48232e1a626ae5c781681d /src | |
parent | 208735967547b989c243b70370061ba422c229d7 (diff) | |
QUIC: discard incorrect packets instead of closing the connection.
quic-transport
5.2:
Packets that are matched to an existing connection are discarded if
the packets are inconsistent with the state of that connection.
5.2.2:
Servers MUST drop incoming packets under all other circumstances.
Diffstat (limited to 'src')
-rw-r--r-- | src/event/ngx_event_quic.c | 60 | ||||
-rw-r--r-- | src/event/ngx_event_quic_transport.c | 4 |
2 files changed, 29 insertions, 35 deletions
diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c
index 00d5f5178..913ffc56d 100644
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -658,9 +658,8 @@ ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl,
         return NGX_ERROR;
     }
 
-    rc = ngx_quic_parse_long_header(pkt);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+        return NGX_ERROR;
     }
 
     if (pkt->version != NGX_QUIC_VERSION) {
@@ -1645,7 +1644,6 @@ ngx_quic_skip_zero_padding(ngx_buf_t *b)
 static ngx_int_t
 ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
-    ngx_int_t               rc;
     ngx_quic_secrets_t     *keys;
     ngx_quic_send_ctx_t    *ctx;
     ngx_quic_connection_t  *qc;
@@ -1659,15 +1657,14 @@ ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
         return NGX_OK;
     }
 
-    rc = ngx_quic_parse_long_header(pkt);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     if (pkt->version != NGX_QUIC_VERSION) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic unsupported version: 0x%xD", pkt->version);
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_pkt_zrtt(pkt->flags)) {
@@ -1679,11 +1676,11 @@ ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
     if (!ngx_quic_pkt_in(pkt->flags)) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic invalid initial packet: 0x%xd", pkt->flags);
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_parse_initial_header(pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_new_dcid(c, &pkt->dcid) != NGX_OK) {
@@ -1742,7 +1739,6 @@ ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 static ngx_int_t
 ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
-    ngx_int_t               rc;
     ngx_ssl_conn_t         *ssl_conn;
     ngx_quic_secrets_t     *keys;
     ngx_quic_send_ctx_t    *ctx;
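Review bot: The unsupported-version branch in ngx_quic_retry_input now returns NGX_DECLINED, so the packet is silently dropped, but the `ngx_log_error(NGX_LOG_INFO, ...)` just above it still fires once per datagram; before this change the connection was closed after the first such packet, whereas now a stream of spoofed datagrams that reach this path produces one INFO line each with no state consumed. The same holds for the "quic invalid initial packet" log in the next hunk and for the version logs in ngx_quic_initial_input, ngx_quic_handshake_input and ngx_quic_early_input. Either lower the drop path to NGX_LOG_DEBUG, or record the intent above the return with `/* discard, do not close (quic-transport 5.2.2); info level kept for diagnostics */` so the next reader does not "fix" it back to NGX_ERROR. ngx_quic_retry_input begins before this hunk and continues after it.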
@@ -1752,19 +1748,22 @@ ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 
     ssl_conn = c->ssl->connection;
 
-    rc = ngx_quic_parse_long_header(pkt);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     if (pkt->version != NGX_QUIC_VERSION) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic unsupported version: 0x%xD", pkt->version);
-        return NGX_ERROR;
+        return NGX_DECLINED;
+    }
+
+    if (ngx_quic_check_peer(c->quic, pkt) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_parse_initial_header(pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     keys = &c->quic->keys[ssl_encryption_initial];
@@ -1787,7 +1786,6 @@ ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 static ngx_int_t
 ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
-    ngx_int_t               rc;
     ngx_queue_t            *q;
     ngx_quic_frame_t       *f;
     ngx_quic_secrets_t     *keys;
@@ -1808,23 +1806,22 @@ ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
     }
 
     /* extract cleartext data into pkt */
-    rc = ngx_quic_parse_long_header(pkt);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     if (pkt->version != NGX_QUIC_VERSION) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic unsupported version: 0x%xD", pkt->version);
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_check_peer(qc, pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_parse_handshake_header(pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     pkt->secret = &keys->client;
@@ -1863,7 +1860,6 @@ ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 static ngx_int_t
 ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
-    ngx_int_t               rc;
     ngx_quic_secrets_t     *keys;
     ngx_quic_send_ctx_t    *ctx;
     ngx_quic_connection_t  *qc;
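Review bot: The newly added `ngx_quic_check_peer(c->quic, pkt)` call in ngx_quic_initial_input carries no comment saying why it is now required here and what mismatch it rejects, while the two sibling paths that already had it (ngx_quic_handshake_input, ngx_quic_early_input) pass the local `qc` instead of `c->quic`; the asymmetry reads as accidental. A one-line comment above the call, `/* quic-transport 5.2: drop packets inconsistent with this connection's state */`, would tie the check to the commit's rationale, and using `qc` here if the function has one (its declarations are outside this hunk, so I cannot confirm) keeps the three prologues textually identical. With this commit the parse-long-header, version, check-peer and parse-*-header steps with their NGX_DECLINED mapping are repeated verbatim in three functions; factoring them into one static helper would keep the discard policy in a single place. ngx_quic_initial_input starts before the hunk and continues after it.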
@@ -1874,23 +1870,22 @@ ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
     qc = c->quic;
 
     /* extract cleartext data into pkt */
-    rc = ngx_quic_parse_long_header(pkt);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     if (pkt->version != NGX_QUIC_VERSION) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic unsupported version: 0x%xD", pkt->version);
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_check_peer(qc, pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_parse_handshake_header(pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     keys = &c->quic->keys[ssl_encryption_early_data];
@@ -1970,9 +1965,8 @@ ngx_quic_app_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
         return NGX_DECLINED;
     }
 
-    rc = ngx_quic_parse_short_header(pkt, &qc->dcid);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_short_header(pkt, &qc->dcid) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     pkt->secret = &keys->client;
diff --git a/src/event/ngx_event_quic_transport.c b/src/event/ngx_event_quic_transport.c
index 69d17a623..6e0fb8753 100644
--- a/src/event/ngx_event_quic_transport.c
+++ b/src/event/ngx_event_quic_transport.c
@@ -276,7 +276,7 @@ ngx_quic_parse_long_header(ngx_quic_header_t *pkt)
     if (!(pkt->flags & NGX_QUIC_PKT_FIXED_BIT)) {
         ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
                       "quic fixed bit is not set");
-        return NGX_DECLINED;
+        return NGX_ERROR;
     }
 
     p = ngx_quic_read_uint8(p, end, &idlen);
@@ -491,7 +491,7 @@ ngx_quic_parse_short_header(ngx_quic_header_t *pkt, ngx_str_t *dcid)
     if (!(pkt->flags & NGX_QUIC_PKT_FIXED_BIT)) {
         ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
                       "quic fixed bit is not set");
-        return NGX_DECLINED;
+        return NGX_ERROR;
     }
 
     if (ngx_memcmp(p, dcid->data, dcid->len) != 0) { |
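Review bot: In ngx_quic_app_input the `rc` local is not removed together with its use in this hunk, unlike the five other functions touched by this commit; if the parse_short_header call was its last remaining use (the function's declarations and the rest of its body are outside the hunk, so I cannot confirm), the variable is now unused and will trip -Wunused-variable under -Wall -Werror. If `rc` is still consumed further down, a short note such as `/* rc is reused by the payload handler below */` next to the declaration would stop the next reviewer from asking the same question.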
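Review bot: With the fixed-bit failure changed from NGX_DECLINED to NGX_ERROR, ngx_quic_parse_long_header (and ngx_quic_parse_short_header in the following hunk) now report a single failure value for every malformed header, but neither function documents that contract, and the choice between drop and close has silently moved to the callers, which in this diff all map non-NGX_OK to NGX_DECLINED while ngx_quic_new_connection maps it to NGX_ERROR. Suggest a header comment on each parser, `/* returns NGX_ERROR for any malformed header; the caller decides whether to discard the packet or close the connection */`, so a future caller does not reintroduce a DECLINED/ERROR split that nothing distinguishes. Note also that a datagram with the fixed bit clear is not necessarily hostile (non-QUIC traffic reaching the same UDP port), so an INFO log per such packet may now be noisy given that nothing is closed; NGX_LOG_DEBUG would match the discard semantics. Both functions start before their hunks and continue after them.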