QUIC: discard incorrect packets instead of closing the connection.

quic-transport

5.2:
    Packets that are matched to an existing connection are discarded if
    the packets are inconsistent with the state of that connection.

5.2.2:
   Servers MUST drop incoming packets under all other circumstances.

src/event/ngx_event_quic.c

@@ -658,9 +658,8 @@ ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl,
         return NGX_ERROR;
     }
 
-    rc = ngx_quic_parse_long_header(pkt);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+        return NGX_ERROR;
     }
 
     if (pkt->version != NGX_QUIC_VERSION) {
@@ -1645,7 +1644,6 @@ ngx_quic_skip_zero_padding(ngx_buf_t *b)
 static ngx_int_t
 ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
-    ngx_int_t               rc;
     ngx_quic_secrets_t     *keys;
     ngx_quic_send_ctx_t    *ctx;
     ngx_quic_connection_t  *qc;
@@ -1659,15 +1657,14 @@ ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
         return NGX_OK;
     }
 
-    rc = ngx_quic_parse_long_header(pkt);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     if (pkt->version != NGX_QUIC_VERSION) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic unsupported version: 0x%xD", pkt->version);
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_pkt_zrtt(pkt->flags)) {
@@ -1679,11 +1676,11 @@ ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
     if (!ngx_quic_pkt_in(pkt->flags)) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic invalid initial packet: 0x%xd", pkt->flags);
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_parse_initial_header(pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_new_dcid(c, &pkt->dcid) != NGX_OK) {
@@ -1742,7 +1739,6 @@ ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 static ngx_int_t
 ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
-    ngx_int_t             rc;
     ngx_ssl_conn_t       *ssl_conn;
     ngx_quic_secrets_t   *keys;
     ngx_quic_send_ctx_t  *ctx;
@@ -1752,19 +1748,22 @@ ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 
     ssl_conn = c->ssl->connection;
 
-    rc = ngx_quic_parse_long_header(pkt);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     if (pkt->version != NGX_QUIC_VERSION) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic unsupported version: 0x%xD", pkt->version);
-        return NGX_ERROR;
+        return NGX_DECLINED;
+    }
+
+    if (ngx_quic_check_peer(c->quic, pkt) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_parse_initial_header(pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     keys = &c->quic->keys[ssl_encryption_initial];
@@ -1787,7 +1786,6 @@ ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 static ngx_int_t
 ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
-    ngx_int_t               rc;
     ngx_queue_t            *q;
     ngx_quic_frame_t       *f;
     ngx_quic_secrets_t     *keys;
@@ -1808,23 +1806,22 @@ ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
     }
 
     /* extract cleartext data into pkt */
-    rc = ngx_quic_parse_long_header(pkt);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     if (pkt->version != NGX_QUIC_VERSION) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic unsupported version: 0x%xD", pkt->version);
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_check_peer(qc, pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_parse_handshake_header(pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     pkt->secret = &keys->client;
@@ -1863,7 +1860,6 @@ ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 static ngx_int_t
 ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
-    ngx_int_t               rc;
     ngx_quic_secrets_t     *keys;
     ngx_quic_send_ctx_t    *ctx;
     ngx_quic_connection_t  *qc;
@@ -1874,23 +1870,22 @@ ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
     qc = c->quic;
 
     /* extract cleartext data into pkt */
-    rc = ngx_quic_parse_long_header(pkt);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_long_header(pkt) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     if (pkt->version != NGX_QUIC_VERSION) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic unsupported version: 0x%xD", pkt->version);
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_check_peer(qc, pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     if (ngx_quic_parse_handshake_header(pkt) != NGX_OK) {
-        return NGX_ERROR;
+        return NGX_DECLINED;
     }
 
     keys = &c->quic->keys[ssl_encryption_early_data];
@@ -1970,9 +1965,8 @@ ngx_quic_app_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
         return NGX_DECLINED;
     }
 
-    rc = ngx_quic_parse_short_header(pkt, &qc->dcid);
-    if (rc != NGX_OK) {
-        return rc;
+    if (ngx_quic_parse_short_header(pkt, &qc->dcid) != NGX_OK) {
+        return NGX_DECLINED;
     }
 
     pkt->secret = &keys->client;

src/event/ngx_event_quic_transport.c

@@ -276,7 +276,7 @@ ngx_quic_parse_long_header(ngx_quic_header_t *pkt)
 
     if (!(pkt->flags & NGX_QUIC_PKT_FIXED_BIT)) {
         ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic fixed bit is not set");
-        return NGX_DECLINED;
+        return NGX_ERROR;
     }
 
     p = ngx_quic_read_uint8(p, end, &idlen);
@@ -491,7 +491,7 @@ ngx_quic_parse_short_header(ngx_quic_header_t *pkt, ngx_str_t *dcid)
 
     if (!(pkt->flags & NGX_QUIC_PKT_FIXED_BIT)) {
         ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic fixed bit is not set");
-        return NGX_DECLINED;
+        return NGX_ERROR;
     }
 
     if (ngx_memcmp(p, dcid->data, dcid->len) != 0) {