From e945e92ece2bddc6e3cbba275129a354b676771d Mon Sep 17 00:00:00 2001
From: Vladimir Homutov
Date: Wed, 3 Nov 2021 13:36:21 +0300
Subject: [PATCH] QUIC: connections with wrong ALPN protocols are now rejected.

Previously, it was not enforced in the stream module. Now, since b9e02e9b2f1d it is possible to specify protocols. Since ALPN is always required, the 'require_alpn' setting is now obsolete.
---
 src/event/quic/ngx_event_quic.h | 1 -
 src/event/quic/ngx_event_quic_ssl.c | 25 +++++++++++++------------
 src/http/modules/ngx_http_quic_module.c | 1 -
 src/stream/ngx_stream_quic_module.c | 1 -
 4 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/src/event/quic/ngx_event_quic.h b/src/event/quic/ngx_event_quic.h
index 47359fe85..839570af0 100644
--- a/src/event/quic/ngx_event_quic.h
+++ b/src/event/quic/ngx_event_quic.h
@@ -60,7 +60,6 @@ typedef struct {
 ngx_quic_tp_t tp;
 ngx_flag_t retry;
 ngx_flag_t gso_enabled;
- ngx_flag_t require_alpn;
 ngx_str_t host_key;
 u_char av_token_key[NGX_QUIC_AV_KEY_LEN];
 u_char sr_token_key[NGX_QUIC_SR_KEY_LEN];
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
index 8899bc626..839bb3161 100644
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -175,6 +175,10 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
 ngx_connection_t *c;
 ngx_quic_send_ctx_t *ctx;
 ngx_quic_connection_t *qc;
+#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
+ unsigned int alpn_len;
+ const unsigned char *alpn_data;
+#endif
 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 qc = ngx_quic_get_connection(c);
@@ -190,21 +194,18 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
 */
 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
- if (qc->conf->require_alpn) {
- unsigned int len;
- const unsigned char *data;
- SSL_get0_alpn_selected(ssl_conn, &data, &len);
+ SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
- if (len == 0) {
- qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
- qc->error_reason = "unsupported protocol in ALPN extension";
+ if (alpn_len == 0) {
+ qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
+ qc->error_reason = "unsupported protocol in ALPN extension";
+
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "quic unsupported protocol in ALPN extension");
+ return 0;
+ }
- ngx_log_error(NGX_LOG_INFO, c->log, 0,
- "quic unsupported protocol in ALPN extension");
- return 0;
- }
- }
 #endif
 SSL_get_peer_quic_transport_params(ssl_conn, &client_params,
diff --git a/src/http/modules/ngx_http_quic_module.c b/src/http/modules/ngx_http_quic_module.c
index ce13a223f..9e6d17ead 100644
--- a/src/http/modules/ngx_http_quic_module.c
+++ b/src/http/modules/ngx_http_quic_module.c
@@ -331,7 +331,6 @@ ngx_http_quic_create_srv_conf(ngx_conf_t *cf)
 conf->retry = NGX_CONF_UNSET;
 conf->gso_enabled = NGX_CONF_UNSET;
- conf->require_alpn = 1;
 return conf;
 }
diff --git a/src/stream/ngx_stream_quic_module.c b/src/stream/ngx_stream_quic_module.c
index 2cd811ad4..b40b17c93 100644
--- a/src/stream/ngx_stream_quic_module.c
+++ b/src/stream/ngx_stream_quic_module.c
@@ -241,7 +241,6 @@ ngx_stream_quic_create_srv_conf(ngx_conf_t *cf)
 * conf->tp.retry_scid = { 0, NULL };
 * conf->tp.preferred_address = NULL
 * conf->host_key = { 0, NULL }
- * conf->require_alpn = 0;
 */
 conf->tp.max_idle_timeout = NGX_CONF_UNSET_MSEC;
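Review bot: With `require_alpn` gone, a build whose TLS library does not define `TLSEXT_TYPE_application_layer_protocol_negotiation` compiles the `#if … #endif` block in this hunk (and the matching declaration block in the earlier hunk of this file) to nothing, so such a build accepts every handshake with no ALPN check and no indication that enforcement is missing. Since the commit message states ALPN is always required (RFC 9001 §8.1 requires closing with no_application_protocol when no protocol is negotiated), the guard should fail loudly rather than silently: add `#else` / `#error "QUIC requires a TLS library with ALPN support"` before the `#endif`, or, if such builds must keep compiling, reject the connection in the `#else` branch with the same `qc->error` and `qc->error_reason` settings as the `alpn_len == 0` path. A one-line comment above the `#if`, `/* ALPN is mandatory for QUIC (RFC 9001, 8.1): reject if nothing was negotiated */`, would also record why the check is now unconditional. `ngx_quic_add_handshake_data` begins before this hunk and continues after it.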