Mercurial > hg > nginx
comparison src/event/ngx_event_quic.c @ 8438:a2c34e77cfc1 quic
QUIC: added ALPN checks.
quic-transport draft 29:
section 7:
* authenticated negotiation of an application protocol (TLS uses
ALPN [RFC7301] for this purpose)
...
Endpoints MUST explicitly negotiate an application protocol. This
avoids situations where there is a disagreement about the protocol
that is in use.
section 8.1:
When using ALPN, endpoints MUST immediately close a connection (see
Section 10.3 of [QUIC-TRANSPORT]) with a no_application_protocol TLS
alert (QUIC error code 0x178; see Section 4.10) if an application
protocol is not negotiated.
Changes in ngx_quic_close_quic() function are required to avoid attempts
to generated and send packets without proper keys, what happens in case
of failed ALPN check.
| author | Vladimir Homutov <vl@nginx.com> |
|---|---|
| date | Thu, 18 Jun 2020 13:58:46 +0300 |
| parents | 4e75267865de |
| children | cef417a24755 |
comparison
equal
deleted
inserted
replaced
| 8437:4e75267865de | 8438:a2c34e77cfc1 |
|---|---|
| 391 | 391 |
| 392 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, | 392 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 393 "quic ngx_quic_add_handshake_data"); | 393 "quic ngx_quic_add_handshake_data"); |
| 394 | 394 |
| 395 if (!qc->client_tp_done) { | 395 if (!qc->client_tp_done) { |
| 396 /* | |
| 397 * things to do once during handshake: check ALPN and transport | |
| 398 * parameters; we want to break handshake if something is wrong | |
| 399 * here; | |
| 400 */ | |
| 401 | |
| 402 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) | |
| 403 { | |
| 404 unsigned int len; | |
| 405 const unsigned char *data; | |
| 406 | |
| 407 SSL_get0_alpn_selected(c->ssl->connection, &data, &len); | |
| 408 | |
| 409 if (len != NGX_QUIC_ALPN_LEN | |
| 410 || ngx_strncmp(data, NGX_QUIC_ALPN_STR, NGX_QUIC_ALPN_LEN) != 0) | |
| 411 { | |
| 412 qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL; | |
| 413 qc->error_reason = "unsupported protocol in ALPN extension"; | |
| 414 | |
| 415 ngx_log_error(NGX_LOG_INFO, c->log, 0, | |
| 416 "quic unsupported protocol in ALPN extension"); | |
| 417 return 0; | |
| 418 } | |
| 419 } | |
| 420 #endif | |
| 396 | 421 |
| 397 SSL_get_peer_quic_transport_params(ssl_conn, &client_params, | 422 SSL_get_peer_quic_transport_params(ssl_conn, &client_params, |
| 398 &client_params_len); | 423 &client_params_len); |
| 399 | 424 |
| 400 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, | 425 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 1296 "quic immediate close due to error: %ui %s", | 1321 "quic immediate close due to error: %ui %s", |
| 1297 qc->error, | 1322 qc->error, |
| 1298 qc->error_reason ? qc->error_reason : ""); | 1323 qc->error_reason ? qc->error_reason : ""); |
| 1299 } | 1324 } |
| 1300 | 1325 |
| 1301 level = (qc->state == ssl_encryption_early_data) | 1326 level = c->ssl ? SSL_quic_read_level(c->ssl->connection) |
| 1302 ? ssl_encryption_handshake | 1327 : ssl_encryption_initial; |
| 1303 : qc->state; | |
| 1304 | 1328 |
| 1305 (void) ngx_quic_send_cc(c, level, err, qc->error_ftype, | 1329 (void) ngx_quic_send_cc(c, level, err, qc->error_ftype, |
| 1306 qc->error_reason); | 1330 qc->error_reason); |
| 1307 | 1331 |
| 1308 if (level == ssl_encryption_handshake) { | 1332 if (level == ssl_encryption_handshake) { |