mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-22 22:10:45 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Discarding Handshake packets if no Handshake keys yet.

Browse Source 
Found with a previously received Initial packet with ACK only, which
instantiates a new connection but do not produce the handshake keys.

This can be triggered by a fairly well behaving client, if the server
stands behind a load balancer that stripped Initial packets exchange.

Found by F5 test suite.
This commit is contained in:
Sergey Kandaurov 2020-04-06 14:54:10 +03:00
parent cc704a8c31
commit 3f3315aea6
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/event/ngx_event_quic.c
View File

@ -870,6 +870,14 @@ ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
qc = c->quic; qc = c->quic;
keys = &c->quic->keys[ssl_encryption_handshake];
if (keys->client.key.len == 0) {
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"no read keys yet, packet ignored");
return NGX_DECLINED;
}
/* extract cleartext data into pkt */ /* extract cleartext data into pkt */
if (ngx_quic_parse_long_header(pkt) != NGX_OK) { if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
return NGX_ERROR; return NGX_ERROR;
@ -905,8 +913,6 @@ ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
return NGX_ERROR; return NGX_ERROR;
} }
keys = &c->quic->keys[ssl_encryption_handshake];
pkt->secret = &keys->client; pkt->secret = &keys->client;
pkt->level = ssl_encryption_handshake; pkt->level = ssl_encryption_handshake;
pkt->plaintext = buf; pkt->plaintext = buf;