Mercurial > hg > nginx
comparison src/event/ngx_event_quic_protection.c @ 8446:df29219988bc quic
Discard short packets which could not be decrypted.
So that connections are protected from failing from on-path attacks.
Decryption failure of long packets used during handshake still leads
to connection close since it barely makes sense to handle them there.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 23 Jun 2020 11:57:00 +0300 |
| parents | 3de1b7399650 |
| children | 011668fc9efd |
comparison
equal
deleted
inserted
replaced
| 8445:3de1b7399650 | 8446:df29219988bc |
|---|---|
| 1049 | 1049 |
| 1050 if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample) | 1050 if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample) |
| 1051 != NGX_OK) | 1051 != NGX_OK) |
| 1052 { | 1052 { |
| 1053 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; | 1053 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; |
| 1054 return NGX_ERROR; | 1054 return NGX_DECLINED; |
| 1055 } | 1055 } |
| 1056 | 1056 |
| 1057 if (ngx_quic_long_pkt(pkt->flags)) { | 1057 if (ngx_quic_long_pkt(pkt->flags)) { |
| 1058 clearflags = pkt->flags ^ (mask[0] & 0x0f); | 1058 clearflags = pkt->flags ^ (mask[0] & 0x0f); |
| 1059 | 1059 |
| 1129 pkt->payload.data, pkt->payload.len); | 1129 pkt->payload.data, pkt->payload.len); |
| 1130 #endif | 1130 #endif |
| 1131 | 1131 |
| 1132 if (rc != NGX_OK) { | 1132 if (rc != NGX_OK) { |
| 1133 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; | 1133 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; |
| 1134 return rc; | 1134 return NGX_DECLINED; |
| 1135 } | 1135 } |
| 1136 | 1136 |
| 1137 if (badflags) { | 1137 if (badflags) { |
| 1138 /* | 1138 /* |
| 1139 * An endpoint MUST treat receipt of a packet that has | 1139 * An endpoint MUST treat receipt of a packet that has |