Mercurial > hg > nginx

changeset 8321:e45719a9b148 quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Discarding Handshake packets if no Handshake keys yet. Found with a previously received Initial packet with ACK only, which instantiates a new connection but do not produce the handshake keys. This can be triggered by a fairly well behaving client, if the server stands behind a load balancer that stripped Initial packets exchange. Found by F5 test suite.
author Sergey Kandaurov <pluknet@nginx.com>
date Mon, 06 Apr 2020 14:54:10 +0300
parents 6e1213ef469a
children d9bc33166361
files src/event/ngx_event_quic.c
diffstat 1 files changed, 8 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -870,6 +870,14 @@ ngx_quic_handshake_input(ngx_connection_
 
     qc = c->quic;
 
+    keys = &c->quic->keys[ssl_encryption_handshake];
+
+    if (keys->client.key.len == 0) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "no read keys yet, packet ignored");
+        return NGX_DECLINED;
+    }
+
     /* extract cleartext data into pkt */
     if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
         return NGX_ERROR;
@@ -905,8 +913,6 @@ ngx_quic_handshake_input(ngx_connection_
         return NGX_ERROR;
     }
 
-    keys = &c->quic->keys[ssl_encryption_handshake];
-
     pkt->secret = &keys->client;
     pkt->level = ssl_encryption_handshake;
     pkt->plaintext = buf;