changeset 8895:4b2d259bdadd quic

QUIC: connections with wrong ALPN protocols are now rejected. Previously, this was not enforced in the stream module. Now, since b9e02e9b2f1d, it is possible to specify protocols. Since ALPN is always required, the 'require_alpn' setting is now obsolete.
author Vladimir Homutov <vl@nginx.com>
date Wed, 03 Nov 2021 13:36:21 +0300
parents de7b9af30fc6
children e2ec952dc295
files src/event/quic/ngx_event_quic.h src/event/quic/ngx_event_quic_ssl.c src/http/modules/ngx_http_quic_module.c src/stream/ngx_stream_quic_module.c
diffstat 4 files changed, 13 insertions(+), 15 deletions(-) [+]
--- a/src/event/quic/ngx_event_quic.h
+++ b/src/event/quic/ngx_event_quic.h
@@ -60,7 +60,6 @@ typedef struct {
     ngx_quic_tp_t              tp;
     ngx_flag_t                 retry;
     ngx_flag_t                 gso_enabled;
-    ngx_flag_t                 require_alpn;
     ngx_str_t                  host_key;
     u_char                     av_token_key[NGX_QUIC_AV_KEY_LEN];
     u_char                     sr_token_key[NGX_QUIC_SR_KEY_LEN];
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -175,6 +175,10 @@ ngx_quic_add_handshake_data(ngx_ssl_conn
     ngx_connection_t       *c;
     ngx_quic_send_ctx_t    *ctx;
     ngx_quic_connection_t  *qc;
+#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
+    unsigned int            alpn_len;
+    const unsigned char    *alpn_data;
+#endif
 
     c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
     qc = ngx_quic_get_connection(c);
@@ -190,21 +194,18 @@ ngx_quic_add_handshake_data(ngx_ssl_conn
          */
 
 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
-        if (qc->conf->require_alpn) {
-            unsigned int          len;
-            const unsigned char  *data;
 
-            SSL_get0_alpn_selected(ssl_conn, &data, &len);
+         SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
 
-            if (len == 0) {
-                qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
-                qc->error_reason = "unsupported protocol in ALPN extension";
+         if (alpn_len == 0) {
+             qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
+             qc->error_reason = "unsupported protocol in ALPN extension";
 
-                ngx_log_error(NGX_LOG_INFO, c->log, 0,
-                              "quic unsupported protocol in ALPN extension");
-                return 0;
-            }
-        }
+             ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                           "quic unsupported protocol in ALPN extension");
+             return 0;
+         }
+
 #endif
 
         SSL_get_peer_quic_transport_params(ssl_conn, &client_params,
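Review bot: The relocated ALPN check (the `SSL_get0_alpn_selected` call through the closing brace of `if (alpn_len == 0)`) is indented by nine spaces, one more than the surrounding block (compare `SSL_get_peer_quic_transport_params` directly below it, at eight), and the blank lines left right after `#if defined(...)` and before `#endif` are remnants of the removed `if (qc->conf->require_alpn)` wrapper; re-indenting to eight spaces and dropping those blanks restores the file's usual layout. Separately, the description states that ALPN is always required, yet the rejection is compiled only when TLSEXT_TYPE_application_layer_protocol_negotiation is defined, so a build against a TLS library without ALPN support accepts clients that negotiated no protocol without any log line; a comment such as `/* ALPN is mandatory for QUIC (RFC 9001, 8.1); without library support for it no client can be rejected here */` would record that limitation for the next reader. The enclosing function ngx_quic_add_handshake_data starts and ends outside the hunk.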
--- a/src/http/modules/ngx_http_quic_module.c
+++ b/src/http/modules/ngx_http_quic_module.c
@@ -331,7 +331,6 @@ ngx_http_quic_create_srv_conf(ngx_conf_t
 
     conf->retry = NGX_CONF_UNSET;
     conf->gso_enabled = NGX_CONF_UNSET;
-    conf->require_alpn = 1;
 
     return conf;
 }
--- a/src/stream/ngx_stream_quic_module.c
+++ b/src/stream/ngx_stream_quic_module.c
@@ -241,7 +241,6 @@ ngx_stream_quic_create_srv_conf(ngx_conf
      *     conf->tp.retry_scid = { 0, NULL };
      *     conf->tp.preferred_address = NULL
      *     conf->host_key = { 0, NULL }
-     *     conf->require_alpn = 0;
      */
 
     conf->tp.max_idle_timeout = NGX_CONF_UNSET_MSEC;