comparison src/event/quic/ngx_event_quic_ssl.c @ 8895:4b2d259bdadd quic
QUIC: connections with wrong ALPN protocols are now rejected.
Previously, it was not enforced in the stream module.
Now, since b9e02e9b2f1d it is possible to specify protocols.
Since ALPN is always required, the 'require_alpn' setting is now obsolete.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Wed, 03 Nov 2021 13:36:21 +0300 |
parents | 61b038fb59c6 |
children | ff473a6f656c |
8894:de7b9af30fc6 | 8895:4b2d259bdadd |
---|---|
173 ngx_quic_tp_t ctp; | 173 ngx_quic_tp_t ctp; |
174 ngx_quic_frame_t *frame; | 174 ngx_quic_frame_t *frame; |
175 ngx_connection_t *c; | 175 ngx_connection_t *c; |
176 ngx_quic_send_ctx_t *ctx; | 176 ngx_quic_send_ctx_t *ctx; |
177 ngx_quic_connection_t *qc; | 177 ngx_quic_connection_t *qc; |
178 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) | |
179 unsigned int alpn_len; | |
180 const unsigned char *alpn_data; | |
181 #endif | |
178 | 182 |
179 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); | 183 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
180 qc = ngx_quic_get_connection(c); | 184 qc = ngx_quic_get_connection(c); |
181 | 185 |
182 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, | 186 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
188 * parameters; we want to break handshake if something is wrong | 192 * parameters; we want to break handshake if something is wrong |
189 * here; | 193 * here; |
190 */ | 194 */ |
191 | 195 |
192 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) | 196 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) |
193 if (qc->conf->require_alpn) { | 197 |
194 unsigned int len; | 198 SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len); |
195 const unsigned char *data; | 199 |
196 | 200 if (alpn_len == 0) { |
197 SSL_get0_alpn_selected(ssl_conn, &data, &len); | 201 qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL; |
198 | 202 qc->error_reason = "unsupported protocol in ALPN extension"; |
199 if (len == 0) { | 203 |
200 qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL; | 204 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
201 qc->error_reason = "unsupported protocol in ALPN extension"; | 205 "quic unsupported protocol in ALPN extension"); |
202 | 206 return 0; |
203 ngx_log_error(NGX_LOG_INFO, c->log, 0, | 207 } |
204 "quic unsupported protocol in ALPN extension"); | 208 |
205 return 0; | |
206 } | |
207 } | |
208 #endif | 209 #endif |
209 | 210 |
210 SSL_get_peer_quic_transport_params(ssl_conn, &client_params, | 211 SSL_get_peer_quic_transport_params(ssl_conn, &client_params, |
211 &client_params_len); | 212 &client_params_len); |
212 | 213 |
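Review bot: The ALPN rejection at new lines 196-209 is still compiled only under `#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)`, so a build against a TLS library that lacks the macro would silently drop the check and let the handshake continue with no negotiated protocol, contrary to the commit's statement that ALPN is always required. Whether the QUIC code can be built that way is not visible on this page; if it can, the guard should fail closed with an `#else` branch containing `#error "QUIC requires ALPN support in the TLS library"`, and the same applies to the guarded declarations at new lines 178-181. The literal in `qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;` deserves a comment such as `/* 0x100: base of the QUIC CRYPTO_ERROR range, TLS alert code in the low byte */`. The enclosing function begins before line 173 and continues past line 213, so the handling of `return 0` by the caller could not be checked here.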