# HG changeset patch # User Sergey Kandaurov # Date 1604338691 0 # Node ID 183275308d9a4a02fb49bc942561ba80c35026a7 # Parent 9c3be23ddbe71fde1d18ee707d8ad260f3a1f4a1 QUIC: fixed address validation issues in a new connection. The client address validation didn't complete with a valid token, which was broken after packet processing refactoring in d0d3fc0697a0. An invalid or expired token was treated as a connection error. Now we proceed as outlined in draft-ietf-quic-transport-32, section 8.1.3 "Address Validation for Future Connections" below, which is unlike validating the client address using Retry packets. When a server receives an Initial packet with an address validation token, it MUST attempt to validate the token, unless it has already completed address validation. If the token is invalid then the server SHOULD proceed as if the client did not have a validated address, including potentially sending a Retry. The connection is now closed in this case on internal errors only. diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c --- a/src/event/ngx_event_quic.c +++ b/src/event/ngx_event_quic.c @@ -1479,7 +1479,7 @@ bad_token: qc->error = NGX_QUIC_ERR_INVALID_TOKEN; qc->error_reason = "invalid_token"; - return NGX_ERROR; + return NGX_DECLINED; } @@ -2104,8 +2104,19 @@ ngx_quic_process_packet(ngx_connection_t } if (pkt->token.len) { - if (ngx_quic_validate_token(c, pkt) != NGX_OK) { + rc = ngx_quic_validate_token(c, pkt); + + if (rc == NGX_OK) { + qc->validated = 1; + + } else if (rc == NGX_ERROR) { return NGX_ERROR; + + } else { + /* NGX_DECLINED */ + if (conf->retry) { + return ngx_quic_send_retry(c); + } } } else if (conf->retry) {