# HG changeset patch
# User Vladimir Homutov
# Date 1592230000 -10800
# Node ID 5bc9229ec4cfa5fa3555c68dd48b4091e6a0b81e
# Parent ea48995917980ee87c2e5947430b857dde8db4c6
QUIC: raise error on missing transport parameters. quic-tls, 8.2: The quic_transport_parameters extension is carried in the ClientHello and the EncryptedExtensions messages during the handshake. Endpoints MUST send the quic_transport_parameters extension; endpoints that receive ClientHello or EncryptedExtensions messages without the quic_transport_parameters extension MUST close the connection with an error of type 0x16d (equivalent to a fatal TLS missing_extension alert, see Section 4.10).
diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -400,56 +400,64 @@ ngx_quic_add_handshake_data(ngx_ssl_conn
 "quic SSL_get_peer_quic_transport_params():"
 " params_len %ui", client_params_len);
 
- if (client_params_len != 0) {
- p = (u_char *) client_params;
- end = p + client_params_len;
-
- if (ngx_quic_parse_transport_params(p, end, &qc->ctp, c->log)
- != NGX_OK)
- {
- qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
- qc->error_reason = "failed to process transport parameters";
-
- return 0;
- }
-
- if (qc->ctp.max_idle_timeout > 0
- && qc->ctp.max_idle_timeout < qc->tp.max_idle_timeout)
- {
- qc->tp.max_idle_timeout = qc->ctp.max_idle_timeout;
- }
-
- if (qc->ctp.max_udp_payload_size < NGX_QUIC_MIN_INITIAL_SIZE
- || qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_SIZE)
- {
- qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
- qc->error_reason = "invalid maximum packet size";
-
- ngx_log_error(NGX_LOG_INFO, c->log, 0,
- "quic maximum packet size is invalid");
- return 0;
- }
-
- if (qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_OUT) {
- qc->ctp.max_udp_payload_size = NGX_QUIC_MAX_UDP_PAYLOAD_OUT;
- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "quic client maximum packet size truncated");
- }
+ if (client_params_len == 0) {
+ /* quic-tls 8.2 */
+ qc->error = 0x100 + SSL_AD_MISSING_EXTENSION;
+ qc->error_reason = "missing transport parameters";
+
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "missing transport parameters");
+ return 0;
+ }
+
+ p = (u_char *) client_params;
+ end = p + client_params_len;
+
+ if (ngx_quic_parse_transport_params(p, end, &qc->ctp, c->log)
+ != NGX_OK)
+ {
+ qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
+ qc->error_reason = "failed to process transport parameters";
+
+ return 0;
+ }
+
+ if (qc->ctp.max_idle_timeout > 0
+ && qc->ctp.max_idle_timeout < qc->tp.max_idle_timeout)
+ {
+ qc->tp.max_idle_timeout = qc->ctp.max_idle_timeout;
+ }
+
+ if (qc->ctp.max_udp_payload_size < NGX_QUIC_MIN_INITIAL_SIZE
+ || qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_SIZE)
+ {
+ qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
+ qc->error_reason = "invalid maximum packet size";
+
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "quic maximum packet size is invalid");
+ return 0;
+ }
+
+ if (qc->ctp.max_udp_payload_size > NGX_QUIC_MAX_UDP_PAYLOAD_OUT) {
+ qc->ctp.max_udp_payload_size = NGX_QUIC_MAX_UDP_PAYLOAD_OUT;
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "quic client maximum packet size truncated");
+ }
 
 #if (NGX_QUIC_DRAFT_VERSION >= 28)
- if (qc->scid.len != qc->ctp.initial_scid.len
- || ngx_memcmp(qc->scid.data, qc->ctp.initial_scid.data,
- qc->scid.len) != 0)
- {
- ngx_log_error(NGX_LOG_INFO, c->log, 0,
- "quic client initial_source_connection_id "
- "mismatch");
- return 0;
- }
+ if (qc->scid.len != qc->ctp.initial_scid.len
+ || ngx_memcmp(qc->scid.data, qc->ctp.initial_scid.data,
+ qc->scid.len) != 0)
+ {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "quic client initial_source_connection_id "
+ "mismatch");
+ return 0;
+ }
 #endif
 
- qc->client_tp_done = 1;
- }
+ qc->client_tp_done = 1;
 }
 
 /*
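Review bot: The initial_source_connection_id mismatch branch under `#if (NGX_QUIC_DRAFT_VERSION >= 28)` still returns 0 without setting `qc->error` or `qc->error_reason`, whereas every other failure path in this hunk stores an error code before returning; unless a caller outside the hunk fills these in, the connection is closed with whatever error was previously stored, although draft-28 requires a mismatch to be treated as a connection error (TRANSPORT_PARAMETER_ERROR or PROTOCOL_VIOLATION). Suggest adding `qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;` and `qc->error_reason = "initial_source_connection_id mismatch";` before the log call in that branch. The new missing-extension path also encodes the TLS alert with a bare `0x100 +`; expanding the comment to `/* quic-tls 8.2: CRYPTO_ERROR range 0x100-0x1ff carries the TLS alert description, missing_extension -> 0x16d */` would make the value self-explaining. ngx_quic_add_handshake_data begins before the hunk, so how its caller reacts to the 0 return is not visible here.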