comparison src/event/ngx_event_quic.c @ 8074:c6b963de0c00 quic
QUIC: pass return code from ngx_quic_decrypt() to the caller.
It is required to distinguish internal errors from corrupted packets and
perform actions accordingly: drop the packet or close the connection.
While there, made processing of ngx_quic_decrypt() errors similar and
removed a couple of protocol violation errors.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Wed, 02 Sep 2020 22:34:15 +0300 |
parents | eb5aa85294e9 |
children | 3afaaaa930ab |
8073:eb5aa85294e9 | 8074:c6b963de0c00 |
---|---|
608 | 608 |
609 | 609 |
610 void | 610 void |
611 ngx_quic_run(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_conf_t *conf) | 611 ngx_quic_run(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_conf_t *conf) |
612 { | 612 { |
613 ngx_int_t rc; | |
613 ngx_buf_t *b; | 614 ngx_buf_t *b; |
614 ngx_quic_header_t pkt; | 615 ngx_quic_header_t pkt; |
615 | 616 |
616 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic run"); | 617 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic run"); |
617 | 618 |
624 pkt.log = c->log; | 625 pkt.log = c->log; |
625 pkt.raw = b; | 626 pkt.raw = b; |
626 pkt.data = b->start; | 627 pkt.data = b->start; |
627 pkt.len = b->last - b->start; | 628 pkt.len = b->last - b->start; |
628 | 629 |
629 if (ngx_quic_new_connection(c, ssl, conf, &pkt) != NGX_OK) { | 630 rc = ngx_quic_new_connection(c, ssl, conf, &pkt); |
630 ngx_quic_close_connection(c, NGX_ERROR); | 631 if (rc != NGX_OK) { |
632 ngx_quic_close_connection(c, rc == NGX_DECLINED ? NGX_DONE : NGX_ERROR); | |
631 return; | 633 return; |
632 } | 634 } |
633 | 635 |
634 ngx_add_timer(c->read, c->quic->in_retry ? NGX_QUIC_RETRY_TIMEOUT | 636 ngx_add_timer(c->read, c->quic->in_retry ? NGX_QUIC_RETRY_TIMEOUT |
635 : c->quic->tp.max_idle_timeout); | 637 : c->quic->tp.max_idle_timeout); |
804 pkt->level = ssl_encryption_initial; | 806 pkt->level = ssl_encryption_initial; |
805 pkt->plaintext = buf; | 807 pkt->plaintext = buf; |
806 | 808 |
807 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 809 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
808 | 810 |
809 if (ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn) != NGX_OK) { | 811 rc = ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn); |
812 if (rc != NGX_OK) { | |
810 qc->error = pkt->error; | 813 qc->error = pkt->error; |
811 qc->error_reason = "failed to decrypt packet"; | 814 qc->error_reason = "failed to decrypt packet"; |
812 | 815 return rc; |
813 return NGX_ERROR; | |
814 } | 816 } |
815 | 817 |
816 if (ngx_quic_init_connection(c) != NGX_OK) { | 818 if (ngx_quic_init_connection(c) != NGX_OK) { |
817 return NGX_ERROR; | 819 return NGX_ERROR; |
818 } | 820 } |
1645 | 1647 |
1646 | 1648 |
1647 static ngx_int_t | 1649 static ngx_int_t |
1648 ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt) | 1650 ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt) |
1649 { | 1651 { |
1652 ngx_int_t rc; | |
1650 ngx_quic_secrets_t *keys; | 1653 ngx_quic_secrets_t *keys; |
1651 ngx_quic_send_ctx_t *ctx; | 1654 ngx_quic_send_ctx_t *ctx; |
1652 ngx_quic_connection_t *qc; | 1655 ngx_quic_connection_t *qc; |
1653 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; | 1656 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; |
1654 | 1657 |
1715 pkt->level = ssl_encryption_initial; | 1718 pkt->level = ssl_encryption_initial; |
1716 pkt->plaintext = buf; | 1719 pkt->plaintext = buf; |
1717 | 1720 |
1718 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 1721 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
1719 | 1722 |
1720 if (ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn) != NGX_OK) { | 1723 rc = ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn); |
1724 if (rc != NGX_OK) { | |
1721 qc->error = pkt->error; | 1725 qc->error = pkt->error; |
1722 return NGX_ERROR; | 1726 qc->error_reason = "failed to decrypt packet"; |
1727 return rc; | |
1723 } | 1728 } |
1724 | 1729 |
1725 if (ngx_quic_init_connection(c) != NGX_OK) { | 1730 if (ngx_quic_init_connection(c) != NGX_OK) { |
1726 return NGX_ERROR; | 1731 return NGX_ERROR; |
1727 } | 1732 } |
1740 | 1745 |
1741 | 1746 |
1742 static ngx_int_t | 1747 static ngx_int_t |
1743 ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt) | 1748 ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt) |
1744 { | 1749 { |
1745 ngx_ssl_conn_t *ssl_conn; | 1750 ngx_int_t rc; |
1746 ngx_quic_secrets_t *keys; | 1751 ngx_ssl_conn_t *ssl_conn; |
1747 ngx_quic_send_ctx_t *ctx; | 1752 ngx_quic_secrets_t *keys; |
1748 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; | 1753 ngx_quic_send_ctx_t *ctx; |
1754 ngx_quic_connection_t *qc; | |
1755 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; | |
1749 | 1756 |
1750 c->log->action = "processing initial quic packet"; | 1757 c->log->action = "processing initial quic packet"; |
1751 | 1758 |
1752 ssl_conn = c->ssl->connection; | 1759 ssl_conn = c->ssl->connection; |
1753 | 1760 |
1759 ngx_log_error(NGX_LOG_INFO, c->log, 0, | 1766 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
1760 "quic unsupported version: 0x%xD", pkt->version); | 1767 "quic unsupported version: 0x%xD", pkt->version); |
1761 return NGX_DECLINED; | 1768 return NGX_DECLINED; |
1762 } | 1769 } |
1763 | 1770 |
1764 if (ngx_quic_check_peer(c->quic, pkt) != NGX_OK) { | 1771 qc = c->quic; |
1772 | |
1773 if (ngx_quic_check_peer(qc, pkt) != NGX_OK) { | |
1765 return NGX_DECLINED; | 1774 return NGX_DECLINED; |
1766 } | 1775 } |
1767 | 1776 |
1768 if (ngx_quic_parse_initial_header(pkt) != NGX_OK) { | 1777 if (ngx_quic_parse_initial_header(pkt) != NGX_OK) { |
1769 return NGX_DECLINED; | 1778 return NGX_DECLINED; |
1770 } | 1779 } |
1771 | 1780 |
1772 keys = &c->quic->keys[ssl_encryption_initial]; | 1781 keys = &qc->keys[ssl_encryption_initial]; |
1773 | 1782 |
1774 pkt->secret = &keys->client; | 1783 pkt->secret = &keys->client; |
1775 pkt->level = ssl_encryption_initial; | 1784 pkt->level = ssl_encryption_initial; |
1776 pkt->plaintext = buf; | 1785 pkt->plaintext = buf; |
1777 | 1786 |
1778 ctx = ngx_quic_get_send_ctx(c->quic, pkt->level); | 1787 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
1779 | 1788 |
1780 if (ngx_quic_decrypt(pkt, ssl_conn, &ctx->largest_pn) != NGX_OK) { | 1789 rc = ngx_quic_decrypt(pkt, ssl_conn, &ctx->largest_pn); |
1781 c->quic->error = pkt->error; | 1790 if (rc != NGX_OK) { |
1782 return NGX_ERROR; | 1791 qc->error = pkt->error; |
1792 qc->error_reason = "failed to decrypt packet"; | |
1793 return rc; | |
1783 } | 1794 } |
1784 | 1795 |
1785 return ngx_quic_payload_handler(c, pkt); | 1796 return ngx_quic_payload_handler(c, pkt); |
1786 } | 1797 } |
1787 | 1798 |
1788 | 1799 |
1789 static ngx_int_t | 1800 static ngx_int_t |
1790 ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt) | 1801 ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt) |
1791 { | 1802 { |
1803 ngx_int_t rc; | |
1792 ngx_queue_t *q; | 1804 ngx_queue_t *q; |
1793 ngx_quic_frame_t *f; | 1805 ngx_quic_frame_t *f; |
1794 ngx_quic_secrets_t *keys; | 1806 ngx_quic_secrets_t *keys; |
1795 ngx_quic_send_ctx_t *ctx; | 1807 ngx_quic_send_ctx_t *ctx; |
1796 ngx_quic_connection_t *qc; | 1808 ngx_quic_connection_t *qc; |
1831 pkt->level = ssl_encryption_handshake; | 1843 pkt->level = ssl_encryption_handshake; |
1832 pkt->plaintext = buf; | 1844 pkt->plaintext = buf; |
1833 | 1845 |
1834 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 1846 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
1835 | 1847 |
1836 if (ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn) != NGX_OK) { | 1848 rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn); |
1849 if (rc != NGX_OK) { | |
1837 qc->error = pkt->error; | 1850 qc->error = pkt->error; |
1838 return NGX_ERROR; | 1851 qc->error_reason = "failed to decrypt packet"; |
1852 return rc; | |
1839 } | 1853 } |
1840 | 1854 |
1841 /* | 1855 /* |
1842 * 4.10.1. The successful use of Handshake packets indicates | 1856 * 4.10.1. The successful use of Handshake packets indicates |
1843 * that no more Initial packets need to be exchanged | 1857 * that no more Initial packets need to be exchanged |
1861 | 1875 |
1862 | 1876 |
1863 static ngx_int_t | 1877 static ngx_int_t |
1864 ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt) | 1878 ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt) |
1865 { | 1879 { |
1880 ngx_int_t rc; | |
1866 ngx_quic_secrets_t *keys; | 1881 ngx_quic_secrets_t *keys; |
1867 ngx_quic_send_ctx_t *ctx; | 1882 ngx_quic_send_ctx_t *ctx; |
1868 ngx_quic_connection_t *qc; | 1883 ngx_quic_connection_t *qc; |
1869 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; | 1884 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; |
1870 | 1885 |
1904 pkt->level = ssl_encryption_early_data; | 1919 pkt->level = ssl_encryption_early_data; |
1905 pkt->plaintext = buf; | 1920 pkt->plaintext = buf; |
1906 | 1921 |
1907 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 1922 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
1908 | 1923 |
1909 if (ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn) != NGX_OK) { | 1924 rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn); |
1925 if (rc != NGX_OK) { | |
1910 qc->error = pkt->error; | 1926 qc->error = pkt->error; |
1911 return NGX_ERROR; | 1927 qc->error_reason = "failed to decrypt packet"; |
1928 return rc; | |
1912 } | 1929 } |
1913 | 1930 |
1914 return ngx_quic_payload_handler(c, pkt); | 1931 return ngx_quic_payload_handler(c, pkt); |
1915 } | 1932 } |
1916 | 1933 |
1979 pkt->plaintext = buf; | 1996 pkt->plaintext = buf; |
1980 | 1997 |
1981 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 1998 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
1982 | 1999 |
1983 rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn); | 2000 rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn); |
1984 | |
1985 if (rc != NGX_OK) { | 2001 if (rc != NGX_OK) { |
1986 qc->error = pkt->error; | 2002 qc->error = pkt->error; |
2003 qc->error_reason = "failed to decrypt packet"; | |
1987 return rc; | 2004 return rc; |
1988 } | 2005 } |
1989 | 2006 |
1990 ngx_gettimeofday(&pkt->received); | 2007 ngx_gettimeofday(&pkt->received); |
1991 | 2008 |
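Review bot: Every rewritten decrypt-failure block (the ones ending at new lines 816, 1728, 1794, 1853, 1929 and 2005) now stores `qc->error = pkt->error;` and `qc->error_reason = "failed to decrypt packet";` before returning, whether rc is NGX_DECLINED or NGX_ERROR. ngx_quic_run only treats NGX_DECLINED as a soft close, and if the other callers drop the packet and keep the connection alive on that path (their bodies continue outside the hunks, so this is inferred), an undecryptable packet leaves a stale error code and reason in the connection that a later, unrelated close may report. Consider recording the error only on the fatal path, `if (rc == NGX_ERROR) { qc->error = pkt->error; qc->error_reason = "failed to decrypt packet"; }`, unless ngx_quic_decrypt() is known to leave pkt->error untouched when it returns NGX_DECLINED. Since the same five-line sequence is now repeated in six functions, a small static helper that sets the error fields and returns rc would keep the drop-versus-close policy in one place.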