QUIC: connections with wrong ALPN protocols are now rejected.
Previously, ALPN was not enforced in the stream module. Since b9e02e9b2f1d it is possible to specify protocols there, so the check is now applied unconditionally. Because ALPN is always required, the 'require_alpn' setting is obsolete and has been removed.
This commit is contained in:
parent
6c1a6d7bb3
commit
e945e92ece
4 changed files with 13 additions and 15 deletions
|
@ -60,7 +60,6 @@ typedef struct {
|
||||||
ngx_quic_tp_t tp;
|
ngx_quic_tp_t tp;
|
||||||
ngx_flag_t retry;
|
ngx_flag_t retry;
|
||||||
ngx_flag_t gso_enabled;
|
ngx_flag_t gso_enabled;
|
||||||
ngx_flag_t require_alpn;
|
|
||||||
ngx_str_t host_key;
|
ngx_str_t host_key;
|
||||||
u_char av_token_key[NGX_QUIC_AV_KEY_LEN];
|
u_char av_token_key[NGX_QUIC_AV_KEY_LEN];
|
||||||
u_char sr_token_key[NGX_QUIC_SR_KEY_LEN];
|
u_char sr_token_key[NGX_QUIC_SR_KEY_LEN];
|
||||||
|
|
|
@ -175,6 +175,10 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
|
||||||
ngx_connection_t *c;
|
ngx_connection_t *c;
|
||||||
ngx_quic_send_ctx_t *ctx;
|
ngx_quic_send_ctx_t *ctx;
|
||||||
ngx_quic_connection_t *qc;
|
ngx_quic_connection_t *qc;
|
||||||
|
#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
|
||||||
|
unsigned int alpn_len;
|
||||||
|
const unsigned char *alpn_data;
|
||||||
|
#endif
|
||||||
|
|
||||||
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
||||||
qc = ngx_quic_get_connection(c);
|
qc = ngx_quic_get_connection(c);
|
||||||
|
@ -190,21 +194,18 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
|
#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
|
||||||
if (qc->conf->require_alpn) {
|
|
||||||
unsigned int len;
|
|
||||||
const unsigned char *data;
|
|
||||||
|
|
||||||
SSL_get0_alpn_selected(ssl_conn, &data, &len);
|
SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
|
||||||
|
|
||||||
if (len == 0) {
|
if (alpn_len == 0) {
|
||||||
qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
|
qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
|
||||||
qc->error_reason = "unsupported protocol in ALPN extension";
|
qc->error_reason = "unsupported protocol in ALPN extension";
|
||||||
|
|
||||||
|
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||||
|
"quic unsupported protocol in ALPN extension");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
|
||||||
"quic unsupported protocol in ALPN extension");
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
SSL_get_peer_quic_transport_params(ssl_conn, &client_params,
|
SSL_get_peer_quic_transport_params(ssl_conn, &client_params,
|
||||||
|
|
|
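Review bot: The ALPN requirement that the commit message describes as unconditional is still conditional on the TLS library: if `TLSEXT_TYPE_application_layer_protocol_negotiation` is not defined, the whole check around `SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);` compiles away and a handshake with no negotiated protocol proceeds straight to `SSL_get_peer_quic_transport_params`. RFC 9001 §8.1 requires a QUIC endpoint to abort the handshake with a no_application_protocol alert in that case, so an `#else` branch that fails the build (`#error "QUIC requires ALPN support in the TLS library"`) or at least a comment stating that assumption would keep the guarantee explicit. A short why-comment above the check, e.g. `/* RFC 9001, 8.1: no negotiated ALPN means no QUIC; fail with TLS alert no_application_protocol (QUIC CRYPTO_ERROR base 0x100) */`, would also explain the otherwise magic `0x100 +` on the `qc->error` line. Note that stream servers which previously ran with `require_alpn = 0` will now reject every client that does not negotiate a protocol, which is presumably intended but worth stating in the description. ngx_quic_add_handshake_data starts and ends outside the hunk.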
@ -331,7 +331,6 @@ ngx_http_quic_create_srv_conf(ngx_conf_t *cf)
|
||||||
|
|
||||||
conf->retry = NGX_CONF_UNSET;
|
conf->retry = NGX_CONF_UNSET;
|
||||||
conf->gso_enabled = NGX_CONF_UNSET;
|
conf->gso_enabled = NGX_CONF_UNSET;
|
||||||
conf->require_alpn = 1;
|
|
||||||
|
|
||||||
return conf;
|
return conf;
|
||||||
}
|
}
|
||||||
|
|
|
@ -241,7 +241,6 @@ ngx_stream_quic_create_srv_conf(ngx_conf_t *cf)
|
||||||
* conf->tp.retry_scid = { 0, NULL };
|
* conf->tp.retry_scid = { 0, NULL };
|
||||||
* conf->tp.preferred_address = NULL
|
* conf->tp.preferred_address = NULL
|
||||||
* conf->host_key = { 0, NULL }
|
* conf->host_key = { 0, NULL }
|
||||||
* conf->require_alpn = 0;
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
conf->tp.max_idle_timeout = NGX_CONF_UNSET_MSEC;
|
conf->tp.max_idle_timeout = NGX_CONF_UNSET_MSEC;
|
||||||
|
|