# HG changeset patch
# User Vladimir Homutov
# Date 1635935781 -10800
# Node ID 4b2d259bdadd24e4a3f88fd259b91aeba99c132c
# Parent de7b9af30fc60c767a6942d0e314ca267f240f2e
QUIC: connections with wrong ALPN protocols are now rejected. Previously, it was not enforced in the stream module. Now, since b9e02e9b2f1d it is possible to specify protocols. Since ALPN is always required, the 'require_alpn' setting is now obsolete.
diff -r de7b9af30fc6 -r 4b2d259bdadd src/event/quic/ngx_event_quic.h
--- a/src/event/quic/ngx_event_quic.h Thu Oct 07 13:48:29 2021 +0300
+++ b/src/event/quic/ngx_event_quic.h Wed Nov 03 13:36:21 2021 +0300
@@ -60,7 +60,6 @@
ngx_quic_tp_t tp;
ngx_flag_t retry;
ngx_flag_t gso_enabled;
- ngx_flag_t require_alpn;
ngx_str_t host_key;
u_char av_token_key[NGX_QUIC_AV_KEY_LEN];
u_char sr_token_key[NGX_QUIC_SR_KEY_LEN];
diff -r de7b9af30fc6 -r 4b2d259bdadd src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c Thu Oct 07 13:48:29 2021 +0300
+++ b/src/event/quic/ngx_event_quic_ssl.c Wed Nov 03 13:36:21 2021 +0300
@@ -175,6 +175,10 @@
ngx_connection_t *c;
ngx_quic_send_ctx_t *ctx;
ngx_quic_connection_t *qc;
+#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
+ unsigned int alpn_len;
+ const unsigned char *alpn_data;
+#endif

c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
qc = ngx_quic_get_connection(c);
@@ -190,21 +194,18 @@
*/

#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
- if (qc->conf->require_alpn) {
- unsigned int len;
- const unsigned char *data;

- SSL_get0_alpn_selected(ssl_conn, &data, &len);
+ SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);

- if (len == 0) {
- qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
- qc->error_reason = "unsupported protocol in ALPN extension";
+ if (alpn_len == 0) {
+ qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
+ qc->error_reason = "unsupported protocol in ALPN extension";

- ngx_log_error(NGX_LOG_INFO, c->log, 0,
- "quic unsupported protocol in ALPN extension");
- return 0;
- }
- }
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "quic unsupported protocol in ALPN extension");
+ return 0;
+ }
+
#endif

SSL_get_peer_quic_transport_params(ssl_conn, &client_params,
diff -r de7b9af30fc6 -r 4b2d259bdadd src/http/modules/ngx_http_quic_module.c
--- a/src/http/modules/ngx_http_quic_module.c Thu Oct 07 13:48:29 2021 +0300
+++ b/src/http/modules/ngx_http_quic_module.c Wed Nov 03 13:36:21 2021 +0300
@@ -331,7 +331,6 @@

conf->retry = NGX_CONF_UNSET;
conf->gso_enabled = NGX_CONF_UNSET;
- conf->require_alpn = 1;

return conf;
}
diff -r de7b9af30fc6 -r 4b2d259bdadd src/stream/ngx_stream_quic_module.c
--- a/src/stream/ngx_stream_quic_module.c Thu Oct 07 13:48:29 2021 +0300
+++ b/src/stream/ngx_stream_quic_module.c Wed Nov 03 13:36:21 2021 +0300
@@ -241,7 +241,6 @@
* conf->tp.retry_scid = { 0, NULL };
* conf->tp.preferred_address = NULL
* conf->host_key = { 0, NULL }
- * conf->require_alpn = 0;
*/

conf->tp.max_idle_timeout = NGX_CONF_UNSET_MSEC;
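Review bot: The rejection of connections with no negotiated ALPN protocol is still wrapped in `#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)`, so on a TLS library that does not define that symbol the `SSL_get0_alpn_selected` check and the `no_application_protocol` close are compiled out and the handshake falls straight through to `SSL_get_peer_quic_transport_params` with no ALPN enforcement, which contradicts the commit's premise that ALPN is always required (RFC 9001 §8.1 makes a missing application protocol a connection error). If a library without ALPN is not a supported build target, say so explicitly with `#else` / `#error "QUIC requires ALPN support in the TLS library"` ahead of the `#endif`; otherwise the non-ALPN branch should set `qc->error` and `qc->error_reason` and `return 0` the same way the ALPN branch does. The `0x100 +` in `qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;` is the CRYPTO_ERROR alert offset from RFC 9001 §4.8; a one-line comment naming it (or the tree's named helper for that mapping, if one exists) would make the intent obvious to the next reader. The enclosing function starts before and ends after this hunk.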