# HG changeset patch
# User Vladimir Homutov
# Date 1598970042 -10800
# Node ID 62b58f0a4711856b7992ee7485132741ab8e385d
# Parent b13141d6d2503192852a04603e83c018b878d2a3
QUIC: discard incorrect packets instead of closing the connection.
quic-transport 5.2: Packets that are matched to an existing connection are discarded if the packets are inconsistent with the state of that connection. 5.2.2: Servers MUST drop incoming packets under all other circumstances.
diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -658,9 +658,8 @@ ngx_quic_new_connection(ngx_connection_t
 return NGX_ERROR;
 }
- rc = ngx_quic_parse_long_header(pkt);
- if (rc != NGX_OK) {
- return rc;
+ if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+ return NGX_ERROR;
 }
 if (pkt->version != NGX_QUIC_VERSION) {
@@ -1645,7 +1644,6 @@ ngx_quic_skip_zero_padding(ngx_buf_t *b)
 static ngx_int_t
 ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
- ngx_int_t rc;
 ngx_quic_secrets_t *keys;
 ngx_quic_send_ctx_t *ctx;
 ngx_quic_connection_t *qc;
@@ -1659,15 +1657,14 @@ ngx_quic_retry_input(ngx_connection_t *c
 return NGX_OK;
 }
- rc = ngx_quic_parse_long_header(pkt);
- if (rc != NGX_OK) {
- return rc;
+ if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+ return NGX_DECLINED;
 }
 if (pkt->version != NGX_QUIC_VERSION) {
 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic unsupported version: 0x%xD", pkt->version);
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 if (ngx_quic_pkt_zrtt(pkt->flags)) {
@@ -1679,11 +1676,11 @@ ngx_quic_retry_input(ngx_connection_t *c
 if (!ngx_quic_pkt_in(pkt->flags)) {
 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic invalid initial packet: 0x%xd", pkt->flags);
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 if (ngx_quic_parse_initial_header(pkt) != NGX_OK) {
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 if (ngx_quic_new_dcid(c, &pkt->dcid) != NGX_OK) {
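Review bot: The return contract that the ngx_quic_retry_input hunks now rely on — NGX_DECLINED means the packet is discarded and the connection is kept — is not stated anywhere, while ngx_quic_new_connection in the first hunk keeps NGX_ERROR for the very same ngx_quic_parse_long_header failure; the two are presumably meant to differ (no established connection exists yet to preserve), but a reader of either function cannot see that. A header comment on ngx_quic_retry_input such as `/* returns NGX_DECLINED for packets that must be dropped without closing the connection */` (and the same on the other input functions changed in this changeset) would make the distinction explicit. The `!= NGX_OK` test also collapses the NGX_DECLINED/NGX_ERROR distinction that ngx_quic_parse_long_header draws, so the retry path no longer tells a malformed header from any other failure; that appears intended given the subject line. The bodies of both functions extend beyond these hunks.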
@@ -1742,7 +1739,6 @@ ngx_quic_retry_input(ngx_connection_t *c
 static ngx_int_t
 ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
- ngx_int_t rc;
 ngx_ssl_conn_t *ssl_conn;
 ngx_quic_secrets_t *keys;
 ngx_quic_send_ctx_t *ctx;
@@ -1752,19 +1748,22 @@ ngx_quic_initial_input(ngx_connection_t
 ssl_conn = c->ssl->connection;
- rc = ngx_quic_parse_long_header(pkt);
- if (rc != NGX_OK) {
- return rc;
+ if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+ return NGX_DECLINED;
 }
 if (pkt->version != NGX_QUIC_VERSION) {
 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic unsupported version: 0x%xD", pkt->version);
- return NGX_ERROR;
+ return NGX_DECLINED;
+ }
+
+ if (ngx_quic_check_peer(c->quic, pkt) != NGX_OK) {
+ return NGX_DECLINED;
 }
 if (ngx_quic_parse_initial_header(pkt) != NGX_OK) {
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 keys = &c->quic->keys[ssl_encryption_initial];
@@ -1787,7 +1786,6 @@ ngx_quic_initial_input(ngx_connection_t
 static ngx_int_t
 ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
- ngx_int_t rc;
 ngx_queue_t *q;
 ngx_quic_frame_t *f;
 ngx_quic_secrets_t *keys;
@@ -1808,23 +1806,22 @@ ngx_quic_handshake_input(ngx_connection_
 }
 /* extract cleartext data into pkt */
- rc = ngx_quic_parse_long_header(pkt);
- if (rc != NGX_OK) {
- return rc;
+ if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+ return NGX_DECLINED;
 }
 if (pkt->version != NGX_QUIC_VERSION) {
 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic unsupported version: 0x%xD", pkt->version);
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 if (ngx_quic_check_peer(qc, pkt) != NGX_OK) {
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 if (ngx_quic_parse_handshake_header(pkt) != NGX_OK) {
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 pkt->secret = &keys->client;
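Review bot: The new ngx_quic_check_peer call in ngx_quic_initial_input runs before ngx_quic_parse_initial_header, so it can only compare whatever connection-ID fields ngx_quic_parse_long_header has already filled in; that ordering matches ngx_quic_handshake_input in the later hunk, but nothing in the hunk says so. The hunk itself logs nothing when the peer check fails, and whether ngx_quic_check_peer logs on mismatch is outside this diff — if it does not, an Initial dropped on this path leaves no trace even at INFO level, which is worth confirming since the other drop reasons around it are logged. A comment above the call, `/* initial packet from a different peer: drop it, keep the connection */`, would record the intent. The function's declarations and remaining body are outside the hunk.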
@@ -1863,7 +1860,6 @@ ngx_quic_handshake_input(ngx_connection_
 static ngx_int_t
 ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
- ngx_int_t rc;
 ngx_quic_secrets_t *keys;
 ngx_quic_send_ctx_t *ctx;
 ngx_quic_connection_t *qc;
@@ -1874,23 +1870,22 @@ ngx_quic_early_input(ngx_connection_t *c
 qc = c->quic;
 /* extract cleartext data into pkt */
- rc = ngx_quic_parse_long_header(pkt);
- if (rc != NGX_OK) {
- return rc;
+ if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+ return NGX_DECLINED;
 }
 if (pkt->version != NGX_QUIC_VERSION) {
 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic unsupported version: 0x%xD", pkt->version);
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 if (ngx_quic_check_peer(qc, pkt) != NGX_OK) {
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 if (ngx_quic_parse_handshake_header(pkt) != NGX_OK) {
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 keys = &c->quic->keys[ssl_encryption_early_data];
@@ -1970,9 +1965,8 @@ ngx_quic_app_input(ngx_connection_t *c,
 return NGX_DECLINED;
 }
- rc = ngx_quic_parse_short_header(pkt, &qc->dcid);
- if (rc != NGX_OK) {
- return rc;
+ if (ngx_quic_parse_short_header(pkt, &qc->dcid) != NGX_OK) {
+ return NGX_DECLINED;
 }
 pkt->secret = &keys->client;
diff --git a/src/event/ngx_event_quic_transport.c b/src/event/ngx_event_quic_transport.c
--- a/src/event/ngx_event_quic_transport.c
+++ b/src/event/ngx_event_quic_transport.c
@@ -276,7 +276,7 @@ ngx_quic_parse_long_header(ngx_quic_head
 if (!(pkt->flags & NGX_QUIC_PKT_FIXED_BIT)) {
 ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic fixed bit is not set");
- return NGX_DECLINED;
+ return NGX_ERROR;
 }
 p = ngx_quic_read_uint8(p, end, &idlen);
@@ -491,7 +491,7 @@ ngx_quic_parse_short_header(ngx_quic_hea
 if (!(pkt->flags & NGX_QUIC_PKT_FIXED_BIT)) {
 ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic fixed bit is not set");
- return NGX_DECLINED;
+ return NGX_ERROR;
 }
 if (ngx_memcmp(p, dcid->data, dcid->len) != 0) {
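Review bot: Changing the fixed-bit failure in ngx_quic_parse_long_header and ngx_quic_parse_short_header from NGX_DECLINED to NGX_ERROR is invisible to the callers touched in this changeset, which all test `!= NGX_OK`, but any caller outside the diff that still distinguishes the two values would silently change behaviour; a short comment on both parsers, `/* any parse failure is NGX_ERROR; the caller decides whether to drop the packet or close the connection */`, would pin the contract. Separately, the ngx_quic_app_input hunk drops the only visible use of `rc`, yet unlike the four other input functions no `ngx_int_t rc;` removal appears for it; if the declaration remains with no other use, builds with -Wunused-variable will warn. The declaration block of ngx_quic_app_input is outside the hunk, so this may simply mean rc is still used elsewhere in that function — worth checking.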