IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

Discard short packets which could not be decrypted.

Browse Source 
So that connections are protected from failing from on-path attacks.
Decryption failure of long packets used during handshake still leads
to connection close since it barely makes sense to handle them there.
This commit is contained in:
Sergey Kandaurov 2020-06-23 11:57:00 +03:00
parent d7baead1e8
commit fc0036bdd6
2 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/event/ngx_event_quic.c
View File

@ -1830,9 +1830,11 @@ ngx_quic_app_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
ctx = ngx_quic_get_send_ctx(qc, pkt->level);
if (ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn) != NGX_OK) {
rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn);
if (rc != NGX_OK) {
qc->error = pkt->error;
return NGX_ERROR;
return rc;
}
/* switch keys on Key Phase change */

4
src/event/ngx_event_quic_protection.c
View File

@ -1051,7 +1051,7 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
!= NGX_OK)
{
pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
return NGX_ERROR;
return NGX_DECLINED;
}
if (ngx_quic_long_pkt(pkt->flags)) {
@ -1131,7 +1131,7 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
if (rc != NGX_OK) {
pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
return rc;
return NGX_DECLINED;
}
if (badflags) {