comparison src/event/ngx_event_quic.c @ 7933:a2c34e77cfc1 quic
QUIC: added ALPN checks.
quic-transport draft 29:
section 7:
* authenticated negotiation of an application protocol (TLS uses
ALPN [RFC7301] for this purpose)
...
Endpoints MUST explicitly negotiate an application protocol. This
avoids situations where there is a disagreement about the protocol
that is in use.
section 8.1:
When using ALPN, endpoints MUST immediately close a connection (see
Section 10.3 of [QUIC-TRANSPORT]) with a no_application_protocol TLS
alert (QUIC error code 0x178; see Section 4.10) if an application
protocol is not negotiated.
Changes in the ngx_quic_close_quic() function are required to avoid attempts
to generate and send packets without proper keys, which happens in case
of a failed ALPN check.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Thu, 18 Jun 2020 13:58:46 +0300 |
parents | 4e75267865de |
children | cef417a24755 |
7932:4e75267865de | 7933:a2c34e77cfc1 |
---|---|
391 | 391 |
392 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, | 392 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
393 "quic ngx_quic_add_handshake_data"); | 393 "quic ngx_quic_add_handshake_data"); |
394 | 394 |
395 if (!qc->client_tp_done) { | 395 if (!qc->client_tp_done) { |
396 /* | |
397 * things to do once during handshake: check ALPN and transport | |
398 * parameters; we want to break handshake if something is wrong | |
399 * here; | |
400 */ | |
401 | |
402 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) | |
403 { | |
404 unsigned int len; | |
405 const unsigned char *data; | |
406 | |
407 SSL_get0_alpn_selected(c->ssl->connection, &data, &len); | |
408 | |
409 if (len != NGX_QUIC_ALPN_LEN | |
410 || ngx_strncmp(data, NGX_QUIC_ALPN_STR, NGX_QUIC_ALPN_LEN) != 0) | |
411 { | |
412 qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL; | |
413 qc->error_reason = "unsupported protocol in ALPN extension"; | |
414 | |
415 ngx_log_error(NGX_LOG_INFO, c->log, 0, | |
416 "quic unsupported protocol in ALPN extension"); | |
417 return 0; | |
418 } | |
419 } | |
420 #endif | |
396 | 421 |
397 SSL_get_peer_quic_transport_params(ssl_conn, &client_params, | 422 SSL_get_peer_quic_transport_params(ssl_conn, &client_params, |
398 &client_params_len); | 423 &client_params_len); |
399 | 424 |
400 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, | 425 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
1296 "quic immediate close due to error: %ui %s", | 1321 "quic immediate close due to error: %ui %s", |
1297 qc->error, | 1322 qc->error, |
1298 qc->error_reason ? qc->error_reason : ""); | 1323 qc->error_reason ? qc->error_reason : ""); |
1299 } | 1324 } |
1300 | 1325 |
1301 level = (qc->state == ssl_encryption_early_data) | 1326 level = c->ssl ? SSL_quic_read_level(c->ssl->connection) |
1302 ? ssl_encryption_handshake | 1327 : ssl_encryption_initial; |
1303 : qc->state; | |
1304 | 1328 |
1305 (void) ngx_quic_send_cc(c, level, err, qc->error_ftype, | 1329 (void) ngx_quic_send_cc(c, level, err, qc->error_ftype, |
1306 qc->error_reason); | 1330 qc->error_reason); |
1307 | 1331 |
1308 if (level == ssl_encryption_handshake) { | 1332 if (level == ssl_encryption_handshake) { |
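Review bot: The ALPN check added inside the `if (!qc->client_tp_done)` block is compiled out entirely when `TLSEXT_TYPE_application_layer_protocol_negotiation` is undefined, so a build against a TLS library without ALPN support silently accepts a connection with no negotiated application protocol, which the commit message's quoted section 8.1 requires to be closed immediately. Since the QUIC code cannot meet that requirement without ALPN, an `#else` branch that stops the build, `#else` / `#error "QUIC requires ALPN support in the TLS library"`, or at least a comment stating that the check is mandatory and only guarded for portability, would make the dependency explicit instead of a silent downgrade. The error-code line would also read better with its derivation spelled out for readers without the draft at hand: `qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL; /* TLS alert mapped to QUIC error 0x178 */`. The enclosing ngx_quic_add_handshake_data() starts outside the hunk.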