QUIC: connections with wrong ALPN protocols are now rejected.
authorVladimir Homutov <vl@nginx.com>
Wed, 3 Nov 2021 10:36:21 +0000 (13:36 +0300)
committerVladimir Homutov <vl@nginx.com>
Wed, 3 Nov 2021 10:36:21 +0000 (13:36 +0300)
Previously, ALPN was not enforced in the stream module.
Now, since b9e02e9b2f1d, it is possible to specify protocols.

Since ALPN is always required, the 'require_alpn' setting is now obsolete.

src/event/quic/ngx_event_quic.h
src/event/quic/ngx_event_quic_ssl.c
src/http/modules/ngx_http_quic_module.c
src/stream/ngx_stream_quic_module.c

index 47359fe85862636803496bdb96e0375221dafd63..839570af0b88619381743a79a2de6d083629bf63 100644 (file)
@@ -60,7 +60,6 @@ typedef struct {
     ngx_quic_tp_t              tp;
     ngx_flag_t                 retry;
     ngx_flag_t                 gso_enabled;
-    ngx_flag_t                 require_alpn;
     ngx_str_t                  host_key;
     u_char                     av_token_key[NGX_QUIC_AV_KEY_LEN];
     u_char                     sr_token_key[NGX_QUIC_SR_KEY_LEN];
index 8899bc6269b880898f717c11f5c9e7ba1b3308eb..839bb31615560f65219a8a0179b5fe312a8e97c8 100644 (file)
@@ -175,6 +175,10 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
     ngx_connection_t       *c;
     ngx_quic_send_ctx_t    *ctx;
     ngx_quic_connection_t  *qc;
+#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
+    unsigned int            alpn_len;
+    const unsigned char    *alpn_data;
+#endif
 
     c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
     qc = ngx_quic_get_connection(c);
@@ -190,21 +194,18 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
          */
 
 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
-        if (qc->conf->require_alpn) {
-            unsigned int          len;
-            const unsigned char  *data;
 
-            SSL_get0_alpn_selected(ssl_conn, &data, &len);
+         SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
 
-            if (len == 0) {
-                qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
-                qc->error_reason = "unsupported protocol in ALPN extension";
+         if (alpn_len == 0) {
+             qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
+             qc->error_reason = "unsupported protocol in ALPN extension";
+
+             ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                           "quic unsupported protocol in ALPN extension");
+             return 0;
+         }
 
-                ngx_log_error(NGX_LOG_INFO, c->log, 0,
-                              "quic unsupported protocol in ALPN extension");
-                return 0;
-            }
-        }
 #endif
 
         SSL_get_peer_quic_transport_params(ssl_conn, &client_params,
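Review bot: The alpn_len == 0 check now runs unconditionally, but only inside the #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) block, so a build whose TLS library lacks ALPN (presumably rare for a QUIC-capable library) compiles the enforcement away and the handshake proceeds with no negotiated protocol; the commit message's "ALPN is always required" holds only for ALPN-capable builds. That is worth stating at the check, e.g. `/* RFC 9001, 8.1: a QUIC handshake with no negotiated ALPN protocol must fail with no_application_protocol; enforced only when the TLS library supports ALPN */`, or, if such builds are not meant to be supported at all, an `#error` in an #else branch so the gap is a build failure rather than a silent acceptance. Separately, the new lines from the SSL_get0_alpn_selected() call through the closing brace appear indented one column deeper (9 spaces, 13 inside the if) than the surrounding 8-space context and the removed lines; realigning them to `        SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);` keeps the file's 4-space style. ngx_quic_add_handshake_data() starts and ends outside this hunk.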
index ce13a223f6cea65e38b00f112e6e82aa416e384d..9e6d17ead87d01b1d47dc1781857c095c194889e 100644 (file)
@@ -331,7 +331,6 @@ ngx_http_quic_create_srv_conf(ngx_conf_t *cf)
 
     conf->retry = NGX_CONF_UNSET;
     conf->gso_enabled = NGX_CONF_UNSET;
-    conf->require_alpn = 1;
 
     return conf;
 }
index 2cd811ad469ea1a03427289546609e88b9509c47..b40b17c93690313ffd7347f33b6365582df1241d 100644 (file)
@@ -241,7 +241,6 @@ ngx_stream_quic_create_srv_conf(ngx_conf_t *cf)
      *     conf->tp.retry_scid = { 0, NULL };
      *     conf->tp.preferred_address = NULL
      *     conf->host_key = { 0, NULL }
-     *     conf->require_alpn = 0;
      */
 
     conf->tp.max_idle_timeout = NGX_CONF_UNSET_MSEC;