From fc0036bdd6a2a3bec218004e68646a4653328e92 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov
Date: Tue, 23 Jun 2020 11:57:00 +0300
Subject: Discard short packets which could not be decrypted.

So that connections are protected from failing from on-path attacks. Decryption failure of long packets used during handshake still leads to connection close since it barely makes sense to handle them there.
---
 src/event/ngx_event_quic.c | 6 ++++--
 src/event/ngx_event_quic_protection.c | 4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c
index 1a2fdf2d5..29bce24de 100644
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -1830,9 +1830,11 @@ ngx_quic_app_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 ctx = ngx_quic_get_send_ctx(qc, pkt->level);
- if (ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn) != NGX_OK) {
+ rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn);
+
+ if (rc != NGX_OK) {
 qc->error = pkt->error;
- return NGX_ERROR;
+ return rc;
 }
 /* switch keys on Key Phase change */
diff --git a/src/event/ngx_event_quic_protection.c b/src/event/ngx_event_quic_protection.c
index 8afa9e842..2d49106f3 100644
--- a/src/event/ngx_event_quic_protection.c
+++ b/src/event/ngx_event_quic_protection.c
@@ -1051,7 +1051,7 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
 != NGX_OK)
 {
 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
- return NGX_ERROR;
+ return NGX_DECLINED;
 }
 if (ngx_quic_long_pkt(pkt->flags)) {
@@ -1131,7 +1131,7 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
 if (rc != NGX_OK) {
 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
- return rc;
+ return NGX_DECLINED;
 }
 if (badflags) {
-- 
cgit
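Review bot: In ngx_quic_app_input the discard path still runs `qc->error = pkt->error;`, so a packet that is only being dropped (rc == NGX_DECLINED) leaves NGX_QUIC_ERR_PROTOCOL_VIOLATION recorded on the connection. If qc->error is read later when the connection closes for an unrelated reason (not visible in this hunk), an injected packet could still influence the reported close code. Returning before the assignment, e.g. `if (rc == NGX_DECLINED) { return NGX_DECLINED; }`, would keep the error code for real failures only. The declaration of `rc` and the caller that has to treat NGX_DECLINED as "drop and continue" both lie outside the hunk and should be checked.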
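Review bot: The `return NGX_DECLINED;` in the first ngx_quic_decrypt hunk (-1051) sits before the `ngx_quic_long_pkt(pkt->flags)` test, so the new return value reaches long-packet callers as well as short-packet ones; the same holds for the failure branch in the hunk at -1131. Handshake-level callers keep closing the connection only if they test `!= NGX_OK`; a caller that compares against NGX_ERROR would now carry on with a packet that was never authenticated. Those callers are not part of this diff, so each one should be confirmed. The contract also belongs on the function, for example `/* NGX_DECLINED: packet could not be decrypted; the caller decides between discard and close */`.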
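Review bot: Replacing `return rc;` with `return NGX_DECLINED;` in the -1131 hunk drops both the original failure code and any record that an authentication failure occurred. If the call that sets `rc` (above the hunk) can fail for internal reasons rather than a bad tag, those failures now also become silent discards. RFC 9001 section 6.6 requires an endpoint to count packets that fail authentication and to close the connection once the AEAD integrity limit is reached; no counter or log line is visible at this point. A comment such as `/* authentication failed: drop, but count against the AEAD integrity limit */` together with a per-connection counter and a debug log entry would cover both the limit and detection of injection attempts.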