changeset 8895:4b2d259bdadd quic

QUIC: connections with wrong ALPN protocols are now rejected. Previously, this was not enforced in the stream module. Now, since b9e02e9b2f1d, it is possible to specify protocols. Since ALPN is always required, the 'require_alpn' setting is now obsolete.
author Vladimir Homutov <vl@nginx.com>
date Wed, 03 Nov 2021 13:36:21 +0300
parents de7b9af30fc6
children e2ec952dc295
files src/event/quic/ngx_event_quic.h src/event/quic/ngx_event_quic_ssl.c src/http/modules/ngx_http_quic_module.c src/stream/ngx_stream_quic_module.c
diffstat 4 files changed, 13 insertions(+), 15 deletions(-) [+]
--- a/src/event/quic/ngx_event_quic.h	Thu Oct 07 13:48:29 2021 +0300
+++ b/src/event/quic/ngx_event_quic.h	Wed Nov 03 13:36:21 2021 +0300
@@ -60,7 +60,6 @@
     ngx_quic_tp_t              tp;
     ngx_flag_t                 retry;
     ngx_flag_t                 gso_enabled;
-    ngx_flag_t                 require_alpn;
     ngx_str_t                  host_key;
     u_char                     av_token_key[NGX_QUIC_AV_KEY_LEN];
     u_char                     sr_token_key[NGX_QUIC_SR_KEY_LEN];
--- a/src/event/quic/ngx_event_quic_ssl.c	Thu Oct 07 13:48:29 2021 +0300
+++ b/src/event/quic/ngx_event_quic_ssl.c	Wed Nov 03 13:36:21 2021 +0300
@@ -175,6 +175,10 @@
     ngx_connection_t       *c;
     ngx_quic_send_ctx_t    *ctx;
     ngx_quic_connection_t  *qc;
+#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
+    unsigned int            alpn_len;
+    const unsigned char    *alpn_data;
+#endif
 
     c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
     qc = ngx_quic_get_connection(c);
@@ -190,21 +194,18 @@
          */
 
 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
-        if (qc->conf->require_alpn) {
-            unsigned int          len;
-            const unsigned char  *data;
 
-            SSL_get0_alpn_selected(ssl_conn, &data, &len);
+         SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
 
-            if (len == 0) {
-                qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
-                qc->error_reason = "unsupported protocol in ALPN extension";
+         if (alpn_len == 0) {
+             qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
+             qc->error_reason = "unsupported protocol in ALPN extension";
 
-                ngx_log_error(NGX_LOG_INFO, c->log, 0,
-                              "quic unsupported protocol in ALPN extension");
-                return 0;
-            }
-        }
+             ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                           "quic unsupported protocol in ALPN extension");
+             return 0;
+         }
+
 #endif
 
         SSL_get_peer_quic_transport_params(ssl_conn, &client_params,
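Review bot: With the `require_alpn` gate removed, the `#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)` guard around the new check is now the only thing deciding whether a handshake with no selected ALPN protocol is rejected, so a TLS library built without that macro would silently accept the connection even though the commit message states ALPN is always required. Unless such a build is already known to be unsupported for QUIC, consider failing closed with an `#else` branch that sets `qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;` and returns 0, or a build-time `#error "QUIC requires ALPN support in the TLS library"`, so the missing enforcement is not silent. Separately, the new lines starting at `SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);` and the `if (alpn_len == 0)` block are indented nine spaces rather than the surrounding eight, and the blank line added before `#endif` looks stray. The enclosing callback begins before this hunk and continues after it.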
--- a/src/http/modules/ngx_http_quic_module.c	Thu Oct 07 13:48:29 2021 +0300
+++ b/src/http/modules/ngx_http_quic_module.c	Wed Nov 03 13:36:21 2021 +0300
@@ -331,7 +331,6 @@
 
     conf->retry = NGX_CONF_UNSET;
     conf->gso_enabled = NGX_CONF_UNSET;
-    conf->require_alpn = 1;
 
     return conf;
 }
--- a/src/stream/ngx_stream_quic_module.c	Thu Oct 07 13:48:29 2021 +0300
+++ b/src/stream/ngx_stream_quic_module.c	Wed Nov 03 13:36:21 2021 +0300
@@ -241,7 +241,6 @@
      *     conf->tp.retry_scid = { 0, NULL };
      *     conf->tp.preferred_address = NULL
      *     conf->host_key = { 0, NULL }
-     *     conf->require_alpn = 0;
      */
 
     conf->tp.max_idle_timeout = NGX_CONF_UNSET_MSEC;