Mercurial > hg > nginx
changeset 8622:183275308d9a quic
QUIC: fixed address validation issues in a new connection.
The client address validation didn't complete with a valid token,
which was broken after packet processing refactoring in d0d3fc0697a0.
An invalid or expired token was treated as a connection error.
Now we proceed as outlined in draft-ietf-quic-transport-32,
section 8.1.3 "Address Validation for Future Connections" below,
which is unlike validating the client address using Retry packets.
When a server receives an Initial packet with an address validation
token, it MUST attempt to validate the token, unless it has already
completed address validation. If the token is invalid then the
server SHOULD proceed as if the client did not have a validated
address, including potentially sending a Retry.
The connection is now closed in this case on internal errors only.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Mon, 02 Nov 2020 17:38:11 +0000 |
| parents | 9c3be23ddbe7 |
| children | 8550b91e8e35 |
| files | src/event/ngx_event_quic.c |
| diffstat | 1 files changed, 13 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/src/event/ngx_event_quic.c +++ b/src/event/ngx_event_quic.c @@ -1479,7 +1479,7 @@ bad_token: qc->error = NGX_QUIC_ERR_INVALID_TOKEN; qc->error_reason = "invalid_token"; - return NGX_ERROR; + return NGX_DECLINED; } @@ -2104,8 +2104,19 @@ ngx_quic_process_packet(ngx_connection_t } if (pkt->token.len) { - if (ngx_quic_validate_token(c, pkt) != NGX_OK) { + rc = ngx_quic_validate_token(c, pkt); + + if (rc == NGX_OK) { + qc->validated = 1; + + } else if (rc == NGX_ERROR) { return NGX_ERROR; + + } else { + /* NGX_DECLINED */ + if (conf->retry) { + return ngx_quic_send_retry(c); + } } } else if (conf->retry) {