Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/01/23 02:44:26 UTC

[trafficserver] branch quic-latest updated: Don't decrypt packets that have unsupported version

This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/quic-latest by this push:
     new 66f1fc2  Don't decrypt packets that have unsupported version
66f1fc2 is described below

commit 66f1fc25205bd02f666bc151871004ee73dc0f5a
Author: Masakazu Kitajo <ma...@apache.org>
AuthorDate: Tue Jan 23 13:43:36 2018 +1100

    Don't decrypt packets that have unsupported version
---
 iocore/net/quic/QUICApplication.cc       |  3 ++-
 iocore/net/quic/QUICPacket.cc            | 15 +++++++++++++++
 iocore/net/quic/QUICTypes.cc             | 11 +++++++++++
 iocore/net/quic/QUICTypes.h              |  1 +
 iocore/net/quic/QUICVersionNegotiator.cc | 15 ++-------------
 iocore/net/quic/QUICVersionNegotiator.h  |  2 --
 6 files changed, 31 insertions(+), 16 deletions(-)

diff --git a/iocore/net/quic/QUICApplication.cc b/iocore/net/quic/QUICApplication.cc
index 2bc9775..e2d73bf 100644
--- a/iocore/net/quic/QUICApplication.cc
+++ b/iocore/net/quic/QUICApplication.cc
@@ -156,7 +156,8 @@ QUICApplication::reenable(QUICStream *stream)
     stream_io->read_reenable();
     stream_io->write_reenable();
   } else {
-    Debug(tag, "[%" PRIx64 "] Unknown Stream, id: %" PRIx64, static_cast<uint64_t>(this->_client_qc->connection_id()), stream->id());
+    Debug(tag, "[%" PRIx64 "] Unknown Stream, id: %" PRIx64, static_cast<uint64_t>(this->_client_qc->connection_id()),
+          stream->id());
   }
 
   return;
diff --git a/iocore/net/quic/QUICPacket.cc b/iocore/net/quic/QUICPacket.cc
index 0fc20df..097a67e 100644
--- a/iocore/net/quic/QUICPacket.cc
+++ b/iocore/net/quic/QUICPacket.cc
@@ -668,6 +668,21 @@ QUICPacketFactory::create(ats_unique_buf buf, size_t len, QUICPacketNumber base_
     }
     break;
   case QUICPacketType::INITIAL:
+    if (!this->_crypto->is_handshake_finished()) {
+      if (QUICTypeUtil::is_supported_version(header->version())) {
+        if (this->_crypto->decrypt(plain_txt.get(), plain_txt_len, max_plain_txt_len, header->payload(), header->payload_size(),
+                                   header->packet_number(), header->buf(), header->size(), QUICKeyPhase::CLEARTEXT)) {
+          result = QUICPacketCreationResult::SUCCESS;
+        } else {
+          result = QUICPacketCreationResult::FAILED;
+        }
+      } else {
+        result = QUICPacketCreationResult::SUCCESS;
+      }
+    } else {
+      result = QUICPacketCreationResult::IGNORED;
+    }
+    break;
   case QUICPacketType::HANDSHAKE:
     if (!this->_crypto->is_handshake_finished()) {
       if (this->_crypto->decrypt(plain_txt.get(), plain_txt_len, max_plain_txt_len, header->payload(), header->payload_size(),
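Review bot: The unsupported-version branch (`result = QUICPacketCreationResult::SUCCESS;` in the inner `else`) reports success without touching plain_txt or plain_txt_len, so the caller receives a packet whose plaintext length is whatever plain_txt_len held on entry; that initialization is not in the hunk, and QUICPacketFactory::create continues outside it. Setting the length explicitly in that branch, `plain_txt_len = 0; // unsupported version: payload is left undecrypted, the negotiator only needs the header`, keeps a stale or uninitialized length from being consumed downstream and records why an undecrypted packet is still reported as SUCCESS. The HANDSHAKE case that follows the new lines runs past the end of the hunk.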
diff --git a/iocore/net/quic/QUICTypes.cc b/iocore/net/quic/QUICTypes.cc
index 045b2c9..399df5c 100644
--- a/iocore/net/quic/QUICTypes.cc
+++ b/iocore/net/quic/QUICTypes.cc
@@ -41,6 +41,17 @@ QUICTypeUtil::has_connection_id(const uint8_t *buf)
   return (buf[0] & 0x40) == 0;
 }
 
+bool
+QUICTypeUtil::is_supported_version(QUICVersion version)
+{
+  for (auto v : QUIC_SUPPORTED_VERSIONS) {
+    if (v == version) {
+      return true;
+    }
+  }
+  return false;
+}
+
 QUICStreamType
 QUICTypeUtil::detect_stream_type(QUICStreamId id)
 {
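Review bot: is_supported_version is a hand-rolled linear search over QUIC_SUPPORTED_VERSIONS; `return std::find(std::begin(QUIC_SUPPORTED_VERSIONS), std::end(QUIC_SUPPORTED_VERSIONS), version) != std::end(QUIC_SUPPORTED_VERSIONS);` expresses the same in one statement, provided <algorithm> and <iterator> are available in QUICTypes.cc (the include block is outside the hunk). Either way a one-line header comment such as `// True if version is one of the versions this endpoint accepts (QUIC_SUPPORTED_VERSIONS).` would help, since the function is now the single source of truth for both packet creation and version negotiation. The body of detect_stream_type continues past the end of the hunk.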
diff --git a/iocore/net/quic/QUICTypes.h b/iocore/net/quic/QUICTypes.h
index 5f32dbb..384c13b 100644
--- a/iocore/net/quic/QUICTypes.h
+++ b/iocore/net/quic/QUICTypes.h
@@ -261,6 +261,7 @@ class QUICTypeUtil
 public:
   static bool has_long_header(const uint8_t *buf);
   static bool has_connection_id(const uint8_t *buf);
+  static bool is_supported_version(QUICVersion version);
   static QUICStreamType detect_stream_type(QUICStreamId id);
 
   static QUICConnectionId read_QUICConnectionId(const uint8_t *buf, uint8_t n);
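Review bot: The new declaration `static bool is_supported_version(QUICVersion version);` carries no comment saying what "supported" means, unlike a reader of the header would expect for a predicate now used by both QUICPacketFactory and QUICVersionNegotiator; a one-liner beside it, `// True if version is listed in QUIC_SUPPORTED_VERSIONS.`, would do. The rest of class QUICTypeUtil lies outside the hunk.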
diff --git a/iocore/net/quic/QUICVersionNegotiator.cc b/iocore/net/quic/QUICVersionNegotiator.cc
index eba42c2..2329c31 100644
--- a/iocore/net/quic/QUICVersionNegotiator.cc
+++ b/iocore/net/quic/QUICVersionNegotiator.cc
@@ -33,7 +33,7 @@ QUICVersionNegotiator::status()
 QUICVersionNegotiationStatus
 QUICVersionNegotiator::negotiate(const QUICPacket *initial_packet)
 {
-  if (this->_is_supported(initial_packet->version())) {
+  if (QUICTypeUtil::is_supported_version(initial_packet->version())) {
     this->_status             = QUICVersionNegotiationStatus::NEGOTIATED;
     this->_negotiated_version = initial_packet->version();
   }
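Review bot: The replacement `if (QUICTypeUtil::is_supported_version(initial_packet->version())) {` makes QUICVersionNegotiator.cc depend on QUICTypeUtil, yet the diff adds no `#include "QUICTypes.h"`, so the name presumably arrives transitively through a header already included; adding the include explicitly keeps this file compiling if those headers are later trimmed. The same applies to the second hunk in this file (validate). negotiate's body continues past the end of the hunk.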
@@ -46,7 +46,7 @@ QUICVersionNegotiator::validate(const QUICTransportParametersInClientHello *tp)
   if (this->_negotiated_version == tp->initial_version()) {
     this->_status = QUICVersionNegotiationStatus::VALIDATED;
   } else {
-    if (this->_is_supported(tp->initial_version())) {
+    if (QUICTypeUtil::is_supported_version(tp->initial_version())) {
       this->_status             = QUICVersionNegotiationStatus::FAILED;
       this->_negotiated_version = 0;
     } else {
@@ -61,14 +61,3 @@ QUICVersionNegotiator::negotiated_version()
 {
   return this->_negotiated_version;
 }
-
-bool
-QUICVersionNegotiator::_is_supported(QUICVersion version)
-{
-  for (auto v : QUIC_SUPPORTED_VERSIONS) {
-    if (v == version) {
-      return true;
-    }
-  }
-  return false;
-}
diff --git a/iocore/net/quic/QUICVersionNegotiator.h b/iocore/net/quic/QUICVersionNegotiator.h
index 576b625..651a7db 100644
--- a/iocore/net/quic/QUICVersionNegotiator.h
+++ b/iocore/net/quic/QUICVersionNegotiator.h
@@ -42,6 +42,4 @@ public:
 private:
   QUICVersion _negotiated_version      = 0;
   QUICVersionNegotiationStatus _status = QUICVersionNegotiationStatus::NOT_NEGOTIATED;
-
-  bool _is_supported(QUICVersion version);
 };
