From ddd665ca666b677a326a90e3646b8302135ff8a3 Mon Sep 17 00:00:00 2001
From: Vladimir Homutov
Date: Mon, 26 Oct 2020 23:58:34 +0300
Subject: [PATCH] QUIC: updated anti-amplification check for draft 32.
This accounts for the following change: * Require expansion of datagrams to ensure that a path supports at least 1200 bytes: - During the handshake ack-eliciting Initial packets from the server need to be expanded
---
 src/event/ngx_event_quic.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c
index 4593833da..2eb54c37b 100644
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -4340,7 +4340,7 @@ ngx_quic_output(ngx_connection_t *c)
 static ngx_int_t
 ngx_quic_output_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
 {
- size_t len, hlen;
+ size_t len, hlen, cutoff;
 ngx_uint_t need_ack;
 ngx_queue_t *q, range;
 ngx_quic_frame_t *f;
@@ -4391,7 +4391,14 @@ ngx_quic_output_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
 * send more than three times the data it receives;
 */
 
- if (((c->sent + hlen + len + f->len) / 3) > qc->received) {
+ if (f->level == ssl_encryption_initial) {
+ cutoff = (c->sent + NGX_QUIC_MIN_INITIAL_SIZE) / 3;
+
+ } else {
+ cutoff = (c->sent + hlen + len + f->len) / 3;
+ }
+
+ if (cutoff > qc->received) {
 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "quic hit amplification limit"
 " received:%uz sent:%O",
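Review bot: In the second hunk, the Initial branch charges a fixed NGX_QUIC_MIN_INITIAL_SIZE and ignores `hlen + len + f->len`. If the accumulated frames can ever exceed the padded minimum (the bound on `len` is not visible here), the datagram sent is larger than what the check accounted for, and the 3x limit towards an unvalidated peer is undercounted. Charging the larger of the two keeps the check conservative: `cutoff = (c->sent + ngx_max(hlen + len + f->len, NGX_QUIC_MIN_INITIAL_SIZE)) / 3;`. A short comment on that branch, such as `/* Initial packets are padded to NGX_QUIC_MIN_INITIAL_SIZE, so charge the padded size */`, would also explain why the two levels are treated differently. The body of ngx_quic_output_frames() starts and ends outside the hunk.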