comparison src/event/ngx_event_quic.c @ 7930:5bc9229ec4cf quic
QUIC: raise error on missing transport parameters.
quic-tls, 8.2:
The quic_transport_parameters extension is carried in the ClientHello
and the EncryptedExtensions messages during the handshake. Endpoints
MUST send the quic_transport_parameters extension; endpoints that
receive ClientHello or EncryptedExtensions messages without the
quic_transport_parameters extension MUST close the connection with an
error of type 0x16d (equivalent to a fatal TLS missing_extension
alert, see Section 4.10).
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Mon, 15 Jun 2020 17:06:40 +0300 |
parents | ea4899591798 |
children | 9fe7875ce4bb |
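--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -398,60 +398,68 @@
 
         ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                        "quic SSL_get_peer_quic_transport_params():"
                        " params_len %ui", client_params_len);
 
-        if (client_params_len != 0) {
-            p = (u_char *) client_params;
-            end = p + client_params_len;
-
-            if (ngx_quic_parse_transport_params(p, end, &qc->ctp, c->log)
-                != NGX_OK)
-            {
-                qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
-                qc->error_reason = "failed to process transport parameters";
+        if (client_params_len == 0) {
+            /* quic-tls 8.2 */
+            qc->error = 0x100 + SSL_AD_MISSING_EXTENSION;
+            qc->error_reason = "missing transport parameters";
+
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "missing transport parameters");
+            return 0;
+        }
 
-                return 0;
-            }
+        p = (u_char *) client_params;
+        end = p + client_params_len;
 
-            if (qc->ctp.max_idle_timeout > 0
-                && qc->ctp.max_idle_timeout < qc->tp.max_idle_timeout)
-            {
-                qc->tp.max_idle_timeout = qc->ctp.max_idle_timeout;
-            }
+        if (ngx_quic_parse_transport_params(p, end, &qc->ctp, c->log)
+            != NGX_OK)
+        {
+            qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
+            qc->error_reason = "failed to process transport parameters";
 
-            if (qc->ctp.max_udp_payload_size < NGX_QUIC_MIN_INITIAL_SIZE
-                || qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_SIZE)
-            {
-                qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
-                qc->error_reason = "invalid maximum packet size";
-
-                ngx_log_error(NGX_LOG_INFO, c->log, 0,
-                              "quic maximum packet size is invalid");
-                return 0;
-            }
-
-            if (qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_OUT) {
-                qc->ctp.max_udp_payload_size = NGX_QUIC_MAX_UDP_PAYLOAD_OUT;
-                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                               "quic client maximum packet size truncated");
-            }
+            return 0;
+        }
+
+        if (qc->ctp.max_idle_timeout > 0
+            && qc->ctp.max_idle_timeout < qc->tp.max_idle_timeout)
+        {
+            qc->tp.max_idle_timeout = qc->ctp.max_idle_timeout;
+        }
+
+        if (qc->ctp.max_udp_payload_size < NGX_QUIC_MIN_INITIAL_SIZE
+            || qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_SIZE)
+        {
+            qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
+            qc->error_reason = "invalid maximum packet size";
+
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "quic maximum packet size is invalid");
+            return 0;
+        }
+
+        if (qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_OUT) {
+            qc->ctp.max_udp_payload_size = NGX_QUIC_MAX_UDP_PAYLOAD_OUT;
+            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic client maximum packet size truncated");
+        }
 
 #if (NGX_QUIC_DRAFT_VERSION >= 28)
         if (qc->scid.len != qc->ctp.initial_scid.len
             || ngx_memcmp(qc->scid.data, qc->ctp.initial_scid.data,
                           qc->scid.len) != 0)
         {
             ngx_log_error(NGX_LOG_INFO, c->log, 0,
                           "quic client initial_source_connection_id "
                           "mismatch");
             return 0;
         }
 #endif
 
         qc->client_tp_done = 1;
-        }
     }
 
     /*
      * we need to fit at least 1 frame into a packet, thus account head/tail;
      * 17 = 1 + 8x2 is max header for CRYPTO frame, with 1 byte for frame type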
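Review bot: The initial_source_connection_id mismatch path near the end of the hunk (new side, inside `#if (NGX_QUIC_DRAFT_VERSION >= 28)`) returns 0 without setting `qc->error` and `qc->error_reason`, unlike the three other failure paths in the same block, so the resulting close presumably carries whatever error value was set earlier rather than a transport-parameter error; add `qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;` and `qc->error_reason = "initial_source_connection_id mismatch";` before that `return 0;`. The new log message `"missing transport parameters"` also lacks the `quic ` prefix that the sibling messages in this hunk carry; `"quic missing transport parameters"` keeps them greppable together. The `/* quic-tls 8.2 */` comment on `qc->error = 0x100 + SSL_AD_MISSING_EXTENSION;` would be clearer as `/* quic-tls 8.2: 0x100 + TLS alert missing_extension = 0x16d */` so the bare base constant is tied to the value quoted in the commit message. The enclosing function starts before and ends after this hunk.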