changeset 8446:df29219988bc quic
Discard short packets which could not be decrypted.
So that connections are protected from failing due to on-path attacks.
Decryption failure of long packets used during handshake still leads
to connection close since it barely makes sense to handle them there.
author | Sergey Kandaurov <pluknet@nginx.com> |
date | Tue, 23 Jun 2020 11:57:00 +0300 |
parents | 3de1b7399650 |
children | 97adb87f149b |
files | src/event/ngx_event_quic.c src/event/ngx_event_quic_protection.c |
diffstat | 2 files changed, 6 insertions(+), 4 deletions(-) [+] |
--- a/src/event/ngx_event_quic.c Tue Jun 23 11:57:00 2020 +0300
+++ b/src/event/ngx_event_quic.c Tue Jun 23 11:57:00 2020 +0300
@@ -1830,9 +1830,11 @@
 ctx = ngx_quic_get_send_ctx(qc, pkt->level);
- if (ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn) != NGX_OK) {
+ rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn);
+
+ if (rc != NGX_OK) {
 qc->error = pkt->error;
- return NGX_ERROR;
+ return rc;
 }
 /* switch keys on Key Phase change */
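Review bot: `qc->error = pkt->error;` still runs on the NGX_DECLINED path, so a discarded short packet that the connection then survives leaves qc->error holding the NGX_QUIC_ERR_PROTOCOL_VIOLATION code that ngx_quic_decrypt stores before declining, and a later, unrelated close could report that stale code. Copying the error only when the result is fatal keeps the connection state consistent: `if (rc == NGX_ERROR) { qc->error = pkt->error; }` before `return rc;`. A debug-level log line on the declined branch would also make silently dropped packets visible when diagnosing on-path interference. The enclosing function, including the declaration of `rc`, starts and ends outside the hunk, so its type and how the caller distinguishes NGX_DECLINED from NGX_ERROR cannot be checked here.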
--- a/src/event/ngx_event_quic_protection.c Tue Jun 23 11:57:00 2020 +0300
+++ b/src/event/ngx_event_quic_protection.c Tue Jun 23 11:57:00 2020 +0300
@@ -1051,7 +1051,7 @@
 != NGX_OK)
 {
 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 if (ngx_quic_long_pkt(pkt->flags)) {
@@ -1131,7 +1131,7 @@
 if (rc != NGX_OK) {
 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
- return rc;
+ return NGX_DECLINED;
 }
 if (badflags) {
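Review bot: The hunk at -1051 returns NGX_DECLINED from a check that, judging by the `if (ngx_quic_long_pkt(pkt->flags)) {` context line following it, runs for long packets as well, while the description says long-packet decryption failures should still close the connection. If the caller does not map NGX_DECLINED back to a close for long packets, that return should keep the fatal result for them, e.g. `return ngx_quic_long_pkt(pkt->flags) ? NGX_ERROR : NGX_DECLINED;`, or the decision should be documented at the return. Both hunks also set `pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION` on a path that is now non-fatal; a comment such as `/* declined: packet is dropped, error code is informational only */` would tell readers that is intended. The enclosing function starts before the first hunk and continues past the second, so the branch that decides between the two hunks' callers is not visible here.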