comparison src/event/ngx_event_quic_protection.c @ 8446:df29219988bc quic
Discard short packets which could not be decrypted.
So that connections are protected from failing due to on-path attacks.
Decryption failure of long packets used during handshake still leads
to connection close since it barely makes sense to handle them there.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 23 Jun 2020 11:57:00 +0300 |
parents | 3de1b7399650 |
children | 011668fc9efd |
8445:3de1b7399650 | 8446:df29219988bc |
---|---|
1049 | 1049 |
1050 if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample) | 1050 if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample) |
1051 != NGX_OK) | 1051 != NGX_OK) |
1052 { | 1052 { |
1053 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; | 1053 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; |
1054 return NGX_ERROR; | 1054 return NGX_DECLINED; |
1055 } | 1055 } |
1056 | 1056 |
1057 if (ngx_quic_long_pkt(pkt->flags)) { | 1057 if (ngx_quic_long_pkt(pkt->flags)) { |
1058 clearflags = pkt->flags ^ (mask[0] & 0x0f); | 1058 clearflags = pkt->flags ^ (mask[0] & 0x0f); |
1059 | 1059 |
1129 pkt->payload.data, pkt->payload.len); | 1129 pkt->payload.data, pkt->payload.len); |
1130 #endif | 1130 #endif |
1131 | 1131 |
1132 if (rc != NGX_OK) { | 1132 if (rc != NGX_OK) { |
1133 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; | 1133 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; |
1134 return rc; | 1134 return NGX_DECLINED; |
1135 } | 1135 } |
1136 | 1136 |
1137 if (badflags) { | 1137 if (badflags) { |
1138 /* | 1138 /* |
1139 * An endpoint MUST treat receipt of a packet that has | 1139 * An endpoint MUST treat receipt of a packet that has |