QUIC: pass return code from ngx_quic_decrypt() to the caller.

It is required to distinguish internal errors from corrupted packets and
perform actions accordingly: drop the packet or close the connection.

While there, made processing of ngx_quic_decrypt() erorrs similar and
removed couple of protocol violation errors.
This commit is contained in:
Vladimir Homutov 2020-09-02 22:34:15 +03:00
parent ff4cfa80e5
commit fb54f2acd9
2 changed files with 39 additions and 24 deletions

View File

@ -610,6 +610,7 @@ ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn, enum ssl_encryption_level_t level,
void void
ngx_quic_run(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_conf_t *conf) ngx_quic_run(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_conf_t *conf)
{ {
ngx_int_t rc;
ngx_buf_t *b; ngx_buf_t *b;
ngx_quic_header_t pkt; ngx_quic_header_t pkt;
@ -626,8 +627,9 @@ ngx_quic_run(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_conf_t *conf)
pkt.data = b->start; pkt.data = b->start;
pkt.len = b->last - b->start; pkt.len = b->last - b->start;
if (ngx_quic_new_connection(c, ssl, conf, &pkt) != NGX_OK) { rc = ngx_quic_new_connection(c, ssl, conf, &pkt);
ngx_quic_close_connection(c, NGX_ERROR); if (rc != NGX_OK) {
ngx_quic_close_connection(c, rc == NGX_DECLINED ? NGX_DONE : NGX_ERROR);
return; return;
} }
@ -806,11 +808,11 @@ ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl,
ctx = ngx_quic_get_send_ctx(qc, pkt->level); ctx = ngx_quic_get_send_ctx(qc, pkt->level);
if (ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn) != NGX_OK) { rc = ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn);
if (rc != NGX_OK) {
qc->error = pkt->error; qc->error = pkt->error;
qc->error_reason = "failed to decrypt packet"; qc->error_reason = "failed to decrypt packet";
return rc;
return NGX_ERROR;
} }
if (ngx_quic_init_connection(c) != NGX_OK) { if (ngx_quic_init_connection(c) != NGX_OK) {
@ -1647,6 +1649,7 @@ ngx_quic_skip_zero_padding(ngx_buf_t *b)
static ngx_int_t static ngx_int_t
ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt) ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
{ {
ngx_int_t rc;
ngx_quic_secrets_t *keys; ngx_quic_secrets_t *keys;
ngx_quic_send_ctx_t *ctx; ngx_quic_send_ctx_t *ctx;
ngx_quic_connection_t *qc; ngx_quic_connection_t *qc;
@ -1717,9 +1720,11 @@ ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
ctx = ngx_quic_get_send_ctx(qc, pkt->level); ctx = ngx_quic_get_send_ctx(qc, pkt->level);
if (ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn) != NGX_OK) { rc = ngx_quic_decrypt(pkt, NULL, &ctx->largest_pn);
if (rc != NGX_OK) {
qc->error = pkt->error; qc->error = pkt->error;
return NGX_ERROR; qc->error_reason = "failed to decrypt packet";
return rc;
} }
if (ngx_quic_init_connection(c) != NGX_OK) { if (ngx_quic_init_connection(c) != NGX_OK) {
@ -1742,9 +1747,11 @@ ngx_quic_retry_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
static ngx_int_t static ngx_int_t
ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt) ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
{ {
ngx_int_t rc;
ngx_ssl_conn_t *ssl_conn; ngx_ssl_conn_t *ssl_conn;
ngx_quic_secrets_t *keys; ngx_quic_secrets_t *keys;
ngx_quic_send_ctx_t *ctx; ngx_quic_send_ctx_t *ctx;
ngx_quic_connection_t *qc;
static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE]; static u_char buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
c->log->action = "processing initial quic packet"; c->log->action = "processing initial quic packet";
@ -1761,7 +1768,9 @@ ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
return NGX_DECLINED; return NGX_DECLINED;
} }
if (ngx_quic_check_peer(c->quic, pkt) != NGX_OK) { qc = c->quic;
if (ngx_quic_check_peer(qc, pkt) != NGX_OK) {
return NGX_DECLINED; return NGX_DECLINED;
} }
@ -1769,17 +1778,19 @@ ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
return NGX_DECLINED; return NGX_DECLINED;
} }
keys = &c->quic->keys[ssl_encryption_initial]; keys = &qc->keys[ssl_encryption_initial];
pkt->secret = &keys->client; pkt->secret = &keys->client;
pkt->level = ssl_encryption_initial; pkt->level = ssl_encryption_initial;
pkt->plaintext = buf; pkt->plaintext = buf;
ctx = ngx_quic_get_send_ctx(c->quic, pkt->level); ctx = ngx_quic_get_send_ctx(qc, pkt->level);
if (ngx_quic_decrypt(pkt, ssl_conn, &ctx->largest_pn) != NGX_OK) { rc = ngx_quic_decrypt(pkt, ssl_conn, &ctx->largest_pn);
c->quic->error = pkt->error; if (rc != NGX_OK) {
return NGX_ERROR; qc->error = pkt->error;
qc->error_reason = "failed to decrypt packet";
return rc;
} }
return ngx_quic_payload_handler(c, pkt); return ngx_quic_payload_handler(c, pkt);
@ -1789,6 +1800,7 @@ ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
static ngx_int_t static ngx_int_t
ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt) ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
{ {
ngx_int_t rc;
ngx_queue_t *q; ngx_queue_t *q;
ngx_quic_frame_t *f; ngx_quic_frame_t *f;
ngx_quic_secrets_t *keys; ngx_quic_secrets_t *keys;
@ -1833,9 +1845,11 @@ ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
ctx = ngx_quic_get_send_ctx(qc, pkt->level); ctx = ngx_quic_get_send_ctx(qc, pkt->level);
if (ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn) != NGX_OK) { rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn);
if (rc != NGX_OK) {
qc->error = pkt->error; qc->error = pkt->error;
return NGX_ERROR; qc->error_reason = "failed to decrypt packet";
return rc;
} }
/* /*
@ -1863,6 +1877,7 @@ ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
static ngx_int_t static ngx_int_t
ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt) ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
{ {
ngx_int_t rc;
ngx_quic_secrets_t *keys; ngx_quic_secrets_t *keys;
ngx_quic_send_ctx_t *ctx; ngx_quic_send_ctx_t *ctx;
ngx_quic_connection_t *qc; ngx_quic_connection_t *qc;
@ -1906,9 +1921,11 @@ ngx_quic_early_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
ctx = ngx_quic_get_send_ctx(qc, pkt->level); ctx = ngx_quic_get_send_ctx(qc, pkt->level);
if (ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn) != NGX_OK) { rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn);
if (rc != NGX_OK) {
qc->error = pkt->error; qc->error = pkt->error;
return NGX_ERROR; qc->error_reason = "failed to decrypt packet";
return rc;
} }
return ngx_quic_payload_handler(c, pkt); return ngx_quic_payload_handler(c, pkt);
@ -1981,9 +1998,9 @@ ngx_quic_app_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
ctx = ngx_quic_get_send_ctx(qc, pkt->level); ctx = ngx_quic_get_send_ctx(qc, pkt->level);
rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn); rc = ngx_quic_decrypt(pkt, c->ssl->connection, &ctx->largest_pn);
if (rc != NGX_OK) { if (rc != NGX_OK) {
qc->error = pkt->error; qc->error = pkt->error;
qc->error_reason = "failed to decrypt packet";
return rc; return rc;
} }

View File

@ -1026,7 +1026,6 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample) if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample)
!= NGX_OK) != NGX_OK)
{ {
pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
return NGX_DECLINED; return NGX_DECLINED;
} }
@ -1103,7 +1102,6 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
#endif #endif
if (rc != NGX_OK) { if (rc != NGX_OK) {
pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
return NGX_DECLINED; return NGX_DECLINED;
} }