Mercurial > hg > nginx
comparison src/event/ngx_event_quic.c @ 8536:c6b963de0c00 quic
QUIC: pass return code from ngx_quic_decrypt() to the caller.
It is required to distinguish internal errors from corrupted packets and
perform actions accordingly: drop the packet or close the connection.
While there, made processing of ngx_quic_decrypt() erorrs similar and
removed couple of protocol violation errors.
| author | Vladimir Homutov <vl@nginx.com> |
|---|---|
| date | Wed, 02 Sep 2020 22:34:15 +0300 |
| parents | eb5aa85294e9 |
| children | 3afaaaa930ab |
comparison
equal
deleted
inserted
replaced
| 8535:eb5aa85294e9 | 8536:c6b963de0c00 |
|---|---|
| 608 | 608 |
| 609 | 609 |
| 610 void | 610 void |
| 611 ngx_quic_run(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_conf_t *conf) | 611 ngx_quic_run(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_conf_t *conf) |
| 612 { | 612 { |
| 613 ngx_int_t rc; | |
| 613 ngx_buf_t *b; | 614 ngx_buf_t *b; |
| 614 ngx_quic_header_t pkt; | 615 ngx_quic_header_t pkt; |
| 615 | 616 |
| 616 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic run"); | 617 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic run"); |
| 617 | 618 |
| 624 pkt.log = c->log; | 625 pkt.log = c->log; |
| 625 pkt.raw = b; | 626 pkt.raw = b; |
| 626 pkt.data = b->start; | 627 pkt.data = b->start; |
| 627 pkt.len = b->last - b->start; | 628 pkt.len = b->last - b->start; |
| 628 | 629 |
| 629 if (ngx_quic_new_connection(c, ssl, conf, &pkt) != NGX_OK) { | 630 rc = ngx_quic_new_connection(c, ssl, conf, &pkt); |
| 630 ngx_quic_close_connection(c, NGX_ERROR); | 631 if (rc != NGX_OK) { |
| 632 ngx_quic_close_connection(c, rc == NGX_DECLINED ? NGX_DONE : NGX_ERROR); | |
| 631 return; | 633 return; |
| 632 } | 634 } |
| 633 | 635 |
| 634 ngx_add_timer(c->read, c->quic->in_retry ? NGX_QUIC_RETRY_TIMEOUT | 636 ngx_add_timer(c->read, c->quic->in_retry ? NGX_QUIC_RETRY_TIMEOUT |
| 635 : c->quic->tp.max_idle_timeout); | 637 : c->quic->tp.max_idle_timeout); |
| 804 pkt->level = ssl_encryption_initial; | 806 pkt->level = ssl_encryption_initial; |
| 805 pkt->plaintext = buf; | 807 pkt->plaintext = buf; |
| 806 | 808 |
| 807 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 809 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
| 808 | 810 |
| 809 if (ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn) != NGX_OK) { | 811 rc = ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn); |
| 812 if (rc != NGX_OK) { | |
| 810 qc->error = pkt->error; | 813 qc->error = pkt->error; |
| 811 qc->error_reason = "failed to decrypt packet"; | 814 qc->error_reason = "failed to decrypt packet"; |
| 812 | 815 return rc; |
| 813 return NGX_ERROR; | |
| 814 } | 816 } |
| 815 | 817 |
| 816 if (ngx_quic_init_connection(c) != NGX_OK) { | 818 if (ngx_quic_init_connection(c) != NGX_OK) { |
| 817 return NGX_ERROR; | 819 return NGX_ERROR; |
| 818 } | 820 } |
| 1645 | 1647 |
| 1646 | 1648 |
| 1647 static ngx_int_t | 1649 static ngx_int_t |
| 1648 ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt) | 1650 ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt) |
| 1649 { | 1651 { |
| 1652 ngx_int_t rc; | |
| 1650 ngx_quic_secrets_t *keys; | 1653 ngx_quic_secrets_t *keys; |
| 1651 ngx_quic_send_ctx_t *ctx; | 1654 ngx_quic_send_ctx_t *ctx; |
| 1652 ngx_quic_connection_t *qc; | 1655 ngx_quic_connection_t *qc; |
| 1653 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; | 1656 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; |
| 1654 | 1657 |
| 1715 pkt->level = ssl_encryption_initial; | 1718 pkt->level = ssl_encryption_initial; |
| 1716 pkt->plaintext = buf; | 1719 pkt->plaintext = buf; |
| 1717 | 1720 |
| 1718 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 1721 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
| 1719 | 1722 |
| 1720 if (ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn) != NGX_OK) { | 1723 rc = ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn); |
| 1724 if (rc != NGX_OK) { | |
| 1721 qc->error = pkt->error; | 1725 qc->error = pkt->error; |
| 1722 return NGX_ERROR; | 1726 qc->error_reason = "failed to decrypt packet"; |
| 1727 return rc; | |
| 1723 } | 1728 } |
| 1724 | 1729 |
| 1725 if (ngx_quic_init_connection(c) != NGX_OK) { | 1730 if (ngx_quic_init_connection(c) != NGX_OK) { |
| 1726 return NGX_ERROR; | 1731 return NGX_ERROR; |
| 1727 } | 1732 } |
| 1740 | 1745 |
| 1741 | 1746 |
| 1742 static ngx_int_t | 1747 static ngx_int_t |
| 1743 ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt) | 1748 ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt) |
| 1744 { | 1749 { |
| 1745 ngx_ssl_conn_t *ssl_conn; | 1750 ngx_int_t rc; |
| 1746 ngx_quic_secrets_t *keys; | 1751 ngx_ssl_conn_t *ssl_conn; |
| 1747 ngx_quic_send_ctx_t *ctx; | 1752 ngx_quic_secrets_t *keys; |
| 1748 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; | 1753 ngx_quic_send_ctx_t *ctx; |
| 1754 ngx_quic_connection_t *qc; | |
| 1755 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; | |
| 1749 | 1756 |
| 1750 c->log->action = "processing initial quic packet"; | 1757 c->log->action = "processing initial quic packet"; |
| 1751 | 1758 |
| 1752 ssl_conn = c->ssl->connection; | 1759 ssl_conn = c->ssl->connection; |
| 1753 | 1760 |
| 1759 ngx_log_error(NGX_LOG_INFO, c->log, 0, | 1766 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
| 1760 "quic unsupported version: 0x%xD", pkt->version); | 1767 "quic unsupported version: 0x%xD", pkt->version); |
| 1761 return NGX_DECLINED; | 1768 return NGX_DECLINED; |
| 1762 } | 1769 } |
| 1763 | 1770 |
| 1764 if (ngx_quic_check_peer(c->quic, pkt) != NGX_OK) { | 1771 qc = c->quic; |
| 1772 | |
| 1773 if (ngx_quic_check_peer(qc, pkt) != NGX_OK) { | |
| 1765 return NGX_DECLINED; | 1774 return NGX_DECLINED; |
| 1766 } | 1775 } |
| 1767 | 1776 |
| 1768 if (ngx_quic_parse_initial_header(pkt) != NGX_OK) { | 1777 if (ngx_quic_parse_initial_header(pkt) != NGX_OK) { |
| 1769 return NGX_DECLINED; | 1778 return NGX_DECLINED; |
| 1770 } | 1779 } |
| 1771 | 1780 |
| 1772 keys = &c->quic->keys[ssl_encryption_initial]; | 1781 keys = &qc->keys[ssl_encryption_initial]; |
| 1773 | 1782 |
| 1774 pkt->secret = &keys->client; | 1783 pkt->secret = &keys->client; |
| 1775 pkt->level = ssl_encryption_initial; | 1784 pkt->level = ssl_encryption_initial; |
| 1776 pkt->plaintext = buf; | 1785 pkt->plaintext = buf; |
| 1777 | 1786 |
| 1778 ctx = ngx_quic_get_send_ctx(c->quic, pkt->level); | 1787 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
| 1779 | 1788 |
| 1780 if (ngx_quic_decrypt(pkt, ssl_conn, &ctx->largest_pn) != NGX_OK) { | 1789 rc = ngx_quic_decrypt(pkt, ssl_conn, &ctx->largest_pn); |
| 1781 c->quic->error = pkt->error; | 1790 if (rc != NGX_OK) { |
| 1782 return NGX_ERROR; | 1791 qc->error = pkt->error; |
| 1792 qc->error_reason = "failed to decrypt packet"; | |
| 1793 return rc; | |
| 1783 } | 1794 } |
| 1784 | 1795 |
| 1785 return ngx_quic_payload_handler(c, pkt); | 1796 return ngx_quic_payload_handler(c, pkt); |
| 1786 } | 1797 } |
| 1787 | 1798 |
| 1788 | 1799 |
| 1789 static ngx_int_t | 1800 static ngx_int_t |
| 1790 ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt) | 1801 ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt) |
| 1791 { | 1802 { |
| 1803 ngx_int_t rc; | |
| 1792 ngx_queue_t *q; | 1804 ngx_queue_t *q; |
| 1793 ngx_quic_frame_t *f; | 1805 ngx_quic_frame_t *f; |
| 1794 ngx_quic_secrets_t *keys; | 1806 ngx_quic_secrets_t *keys; |
| 1795 ngx_quic_send_ctx_t *ctx; | 1807 ngx_quic_send_ctx_t *ctx; |
| 1796 ngx_quic_connection_t *qc; | 1808 ngx_quic_connection_t *qc; |
| 1831 pkt->level = ssl_encryption_handshake; | 1843 pkt->level = ssl_encryption_handshake; |
| 1832 pkt->plaintext = buf; | 1844 pkt->plaintext = buf; |
| 1833 | 1845 |
| 1834 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 1846 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
| 1835 | 1847 |
| 1836 if (ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn) != NGX_OK) { | 1848 rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn); |
| 1849 if (rc != NGX_OK) { | |
| 1837 qc->error = pkt->error; | 1850 qc->error = pkt->error; |
| 1838 return NGX_ERROR; | 1851 qc->error_reason = "failed to decrypt packet"; |
| 1852 return rc; | |
| 1839 } | 1853 } |
| 1840 | 1854 |
| 1841 /* | 1855 /* |
| 1842 * 4.10.1. The successful use of Handshake packets indicates | 1856 * 4.10.1. The successful use of Handshake packets indicates |
| 1843 * that no more Initial packets need to be exchanged | 1857 * that no more Initial packets need to be exchanged |
| 1861 | 1875 |
| 1862 | 1876 |
| 1863 static ngx_int_t | 1877 static ngx_int_t |
| 1864 ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt) | 1878 ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt) |
| 1865 { | 1879 { |
| 1880 ngx_int_t rc; | |
| 1866 ngx_quic_secrets_t *keys; | 1881 ngx_quic_secrets_t *keys; |
| 1867 ngx_quic_send_ctx_t *ctx; | 1882 ngx_quic_send_ctx_t *ctx; |
| 1868 ngx_quic_connection_t *qc; | 1883 ngx_quic_connection_t *qc; |
| 1869 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; | 1884 static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; |
| 1870 | 1885 |
| 1904 pkt->level = ssl_encryption_early_data; | 1919 pkt->level = ssl_encryption_early_data; |
| 1905 pkt->plaintext = buf; | 1920 pkt->plaintext = buf; |
| 1906 | 1921 |
| 1907 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 1922 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
| 1908 | 1923 |
| 1909 if (ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn) != NGX_OK) { | 1924 rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn); |
| 1925 if (rc != NGX_OK) { | |
| 1910 qc->error = pkt->error; | 1926 qc->error = pkt->error; |
| 1911 return NGX_ERROR; | 1927 qc->error_reason = "failed to decrypt packet"; |
| 1928 return rc; | |
| 1912 } | 1929 } |
| 1913 | 1930 |
| 1914 return ngx_quic_payload_handler(c, pkt); | 1931 return ngx_quic_payload_handler(c, pkt); |
| 1915 } | 1932 } |
| 1916 | 1933 |
| 1979 pkt->plaintext = buf; | 1996 pkt->plaintext = buf; |
| 1980 | 1997 |
| 1981 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 1998 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
| 1982 | 1999 |
| 1983 rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn); | 2000 rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn); |
| 1984 | |
| 1985 if (rc != NGX_OK) { | 2001 if (rc != NGX_OK) { |
| 1986 qc->error = pkt->error; | 2002 qc->error = pkt->error; |
| 2003 qc->error_reason = "failed to decrypt packet"; | |
| 1987 return rc; | 2004 return rc; |
| 1988 } | 2005 } |
| 1989 | 2006 |
| 1990 ngx_gettimeofday(&pkt->received); | 2007 ngx_gettimeofday(&pkt->received); |
| 1991 | 2008 |