QUIC: fixed address validation issues in a new connection.
authorSergey Kandaurov <pluknet@nginx.com>
Mon, 2 Nov 2020 17:38:11 +0000 (17:38 +0000)
committerSergey Kandaurov <pluknet@nginx.com>
Mon, 2 Nov 2020 17:38:11 +0000 (17:38 +0000)
Client address validation did not complete even when a valid token was
presented; this was broken by the packet processing refactoring in d0d3fc0697a0.

An invalid or expired token was treated as a connection error.
Now we proceed as outlined in draft-ietf-quic-transport-32,
section 8.1.3 "Address Validation for Future Connections" below,
which is unlike validating the client address using Retry packets.

   When a server receives an Initial packet with an address validation
   token, it MUST attempt to validate the token, unless it has already
   completed address validation.  If the token is invalid then the
   server SHOULD proceed as if the client did not have a validated
   address, including potentially sending a Retry.

The connection is now closed in this case on internal errors only.

src/event/ngx_event_quic.c

index 1962019d5be7026130d867b34546a8b353a96281..9ff09cb050a3621e9e885bf8417b658e570faa19 100644 (file)
@@ -1479,7 +1479,7 @@ bad_token:
     qc->error = NGX_QUIC_ERR_INVALID_TOKEN;
     qc->error_reason = "invalid_token";
 
-    return NGX_ERROR;
+    return NGX_DECLINED;
 }
 
 
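Review bot: The `bad_token` path still assigns `qc->error = NGX_QUIC_ERR_INVALID_TOKEN;` and `qc->error_reason = "invalid_token";` even though it now returns NGX_DECLINED, which the caller in the second hunk treats as non-fatal. When `conf->retry` is off the connection carries on with that error state set, so a later close for an unrelated reason may report an invalid token to the peer and in logs; the code that reads `qc->error` is not visible here, so this should be confirmed. I would drop both assignments from this path, or clear them in the caller's NGX_DECLINED branch. The function that owns `bad_token` starts outside the hunk.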
@@ -2104,8 +2104,19 @@ ngx_quic_process_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
             }
 
             if (pkt->token.len) {
-                if (ngx_quic_validate_token(c, pkt) != NGX_OK) {
+                rc = ngx_quic_validate_token(c, pkt);
+
+                if (rc == NGX_OK) {
+                    qc->validated = 1;
+
+                } else if (rc == NGX_ERROR) {
                     return NGX_ERROR;
+
+                } else {
+                    /* NGX_DECLINED */
+                    if (conf->retry) {
+                        return ngx_quic_send_retry(c);
+                    }
                 }
 
             } else if (conf->retry) {
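Review bot: The `/* NGX_DECLINED */` comment in the final `else` names the return code but not why execution falls through when `conf->retry` is off, which is the security-relevant part of the change. I would write `/* NGX_DECLINED: invalid or expired token, proceed with the address unvalidated */` so it is clear that `qc->validated` is left at 0 on purpose. The same `else` also catches any return value other than NGX_OK and NGX_ERROR, so the three-valued contract of ngx_quic_validate_token() deserves a comment at its definition. ngx_quic_process_packet starts and ends outside the hunk, and the code that limits what is sent to an unvalidated address is not visible here.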