Mercurial > hg > nginx-quic
comparison src/event/ngx_event_quic.c @ 7930:5bc9229ec4cf quic
QUIC: raise error on missing transport parameters.
quic-tls, 8.2:
The quic_transport_parameters extension is carried in the ClientHello
and the EncryptedExtensions messages during the handshake. Endpoints
MUST send the quic_transport_parameters extension; endpoints that
receive ClientHello or EncryptedExtensions messages without the
quic_transport_parameters extension MUST close the connection with an
error of type 0x16d (equivalent to a fatal TLS missing_extension
alert, see Section 4.10).
| author | Vladimir Homutov <vl@nginx.com> |
|---|---|
| date | Mon, 15 Jun 2020 17:06:40 +0300 |
| parents | ea4899591798 |
| children | 9fe7875ce4bb |
comparison
equal
deleted
inserted
replaced
| 7929:ea4899591798 | 7930:5bc9229ec4cf |
|---|---|
| 398 | 398 |
| 399 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, | 399 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 400 "quic SSL_get_peer_quic_transport_params():" | 400 "quic SSL_get_peer_quic_transport_params():" |
| 401 " params_len %ui", client_params_len); | 401 " params_len %ui", client_params_len); |
| 402 | 402 |
| 403 if (client_params_len != 0) { | 403 if (client_params_len == 0) { |
| 404 p = (u_char *) client_params; | 404 /* quic-tls 8.2 */ |
| 405 end = p + client_params_len; | 405 qc->error = 0x100 + SSL_AD_MISSING_EXTENSION; |
| 406 | 406 qc->error_reason = "missing transport parameters"; |
| 407 if (ngx_quic_parse_transport_params(p, end, &qc->ctp, c->log) | 407 |
| 408 != NGX_OK) | 408 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
| 409 { | 409 "missing transport parameters"); |
| 410 qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR; | 410 return 0; |
| 411 qc->error_reason = "failed to process transport parameters"; | 411 } |
| 412 | 412 |
| 413 return 0; | 413 p = (u_char *) client_params; |
| 414 } | 414 end = p + client_params_len; |
| 415 | 415 |
| 416 if (qc->ctp.max_idle_timeout > 0 | 416 if (ngx_quic_parse_transport_params(p, end, &qc->ctp, c->log) |
| 417 && qc->ctp.max_idle_timeout < qc->tp.max_idle_timeout) | 417 != NGX_OK) |
| 418 { | 418 { |
| 419 qc->tp.max_idle_timeout = qc->ctp.max_idle_timeout; | 419 qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR; |
| 420 } | 420 qc->error_reason = "failed to process transport parameters"; |
| 421 | 421 |
| 422 if (qc->ctp.max_udp_payload_size < NGX_QUIC_MIN_INITIAL_SIZE | 422 return 0; |
| 423 || qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_SIZE) | 423 } |
| 424 { | 424 |
| 425 qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR; | 425 if (qc->ctp.max_idle_timeout > 0 |
| 426 qc->error_reason = "invalid maximum packet size"; | 426 && qc->ctp.max_idle_timeout < qc->tp.max_idle_timeout) |
| 427 | 427 { |
| 428 ngx_log_error(NGX_LOG_INFO, c->log, 0, | 428 qc->tp.max_idle_timeout = qc->ctp.max_idle_timeout; |
| 429 "quic maximum packet size is invalid"); | 429 } |
| 430 return 0; | 430 |
| 431 } | 431 if (qc->ctp.max_udp_payload_size < NGX_QUIC_MIN_INITIAL_SIZE |
| 432 | 432 || qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_SIZE) |
| 433 if (qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_OUT) { | 433 { |
| 434 qc->ctp.max_udp_payload_size = NGX_QUIC_MAX_UDP_PAYLOAD_OUT; | 434 qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR; |
| 435 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, | 435 qc->error_reason = "invalid maximum packet size"; |
| 436 "quic client maximum packet size truncated"); | 436 |
| 437 } | 437 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
| 438 "quic maximum packet size is invalid"); | |
| 439 return 0; | |
| 440 } | |
| 441 | |
| 442 if (qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_OUT) { | |
| 443 qc->ctp.max_udp_payload_size = NGX_QUIC_MAX_UDP_PAYLOAD_OUT; | |
| 444 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
| 445 "quic client maximum packet size truncated"); | |
| 446 } | |
| 438 | 447 |
| 439 #if (NGX_QUIC_DRAFT_VERSION >= 28) | 448 #if (NGX_QUIC_DRAFT_VERSION >= 28) |
| 440 if (qc->scid.len != qc->ctp.initial_scid.len | 449 if (qc->scid.len != qc->ctp.initial_scid.len |
| 441 || ngx_memcmp(qc->scid.data, qc->ctp.initial_scid.data, | 450 || ngx_memcmp(qc->scid.data, qc->ctp.initial_scid.data, |
| 442 qc->scid.len) != 0) | 451 qc->scid.len) != 0) |
| 443 { | 452 { |
| 444 ngx_log_error(NGX_LOG_INFO, c->log, 0, | 453 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
| 445 "quic client initial_source_connection_id " | 454 "quic client initial_source_connection_id " |
| 446 "mismatch"); | 455 "mismatch"); |
| 447 return 0; | 456 return 0; |
| 448 } | 457 } |
| 449 #endif | 458 #endif |
| 450 | 459 |
| 451 qc->client_tp_done = 1; | 460 qc->client_tp_done = 1; |
| 452 } | |
| 453 } | 461 } |
| 454 | 462 |
| 455 /* | 463 /* |
| 456 * we need to fit at least 1 frame into a packet, thus account head/tail; | 464 * we need to fit at least 1 frame into a packet, thus account head/tail; |
| 457 * 17 = 1 + 8x2 is max header for CRYPTO frame, with 1 byte for frame type | 465 * 17 = 1 + 8x2 is max header for CRYPTO frame, with 1 byte for frame type |