comparison src/event/quic/ngx_event_quic_ssl.c @ 8895:4b2d259bdadd quic

QUIC: connections with wrong ALPN protocols are now rejected. Previously, it was not enforced in the stream module. Now, since b9e02e9b2f1d it is possible to specify protocols. Since ALPN is always required, the 'require_alpn' setting is now obsolete.
author Vladimir Homutov <vl@nginx.com>
date Wed, 03 Nov 2021 13:36:21 +0300
parents 61b038fb59c6
children ff473a6f656c
8894:de7b9af30fc6 8895:4b2d259bdadd
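--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -173,10 +173,14 @@
 ngx_quic_tp_t ctp;
 ngx_quic_frame_t *frame;
 ngx_connection_t *c;
 ngx_quic_send_ctx_t *ctx;
 ngx_quic_connection_t *qc;
+#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
+unsigned int alpn_len;
+const unsigned char *alpn_data;
+#endif
 
 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 qc = ngx_quic_get_connection(c);
 
 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
@@ -188,25 +192,22 @@
 * parameters; we want to break handshake if something is wrong
 * here;
 */
 
 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
-if (qc->conf->require_alpn) {
-unsigned int len;
-const unsigned char *data;
-
-SSL_get0_alpn_selected(ssl_conn, &data, &len);
-
-if (len == 0) {
-qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
-qc->error_reason = "unsupported protocol in ALPN extension";
-
-ngx_log_error(NGX_LOG_INFO, c->log, 0,
-"quic unsupported protocol in ALPN extension");
-return 0;
-}
-}
+
+SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
+
+if (alpn_len == 0) {
+qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
+qc->error_reason = "unsupported protocol in ALPN extension";
+
+ngx_log_error(NGX_LOG_INFO, c->log, 0,
+"quic unsupported protocol in ALPN extension");
+return 0;
+}
+
 #endif
 
 SSL_get_peer_quic_transport_params(ssl_conn, &client_params,
 &client_params_len);
 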
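Review bot: With `require_alpn` gone, the only thing that can still disable the ALPN rejection is the `#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)` guard around the new check. On a build where that macro is absent, the whole block compiles out and handshakes without ALPN are accepted silently. Since the commit message states ALPN is always required, the second guard should fail the build instead, by adding `#else` and `#error "QUIC requires ALPN support in the TLS library"` before its `#endif`. The check itself only proves that some protocol was selected (`alpn_len == 0`), and `alpn_data` is never read in the visible lines. Which protocols are acceptable is presumably enforced by the ALPN selection callback configured elsewhere, so a one-line comment saying so above `SSL_get0_alpn_selected` would help the next reader. The enclosing function starts and ends outside the lines shown.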