From 609af6e31d5a74b4a59f2b769fe75b2ab736433e Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Mon, 2 Nov 2020 17:38:11 +0000 Subject: [PATCH] QUIC: fixed address validation issues in a new connection. The client address validation didn't complete with a valid token, which was broken after packet processing refactoring in d0d3fc0697a0. An invalid or expired token was treated as a connection error. Now we proceed as outlined in draft-ietf-quic-transport-32, section 8.1.3 "Address Validation for Future Connections" below, which is unlike validating the client address using Retry packets. When a server receives an Initial packet with an address validation token, it MUST attempt to validate the token, unless it has already completed address validation. If the token is invalid then the server SHOULD proceed as if the client did not have a validated address, including potentially sending a Retry. The connection is now closed in this case on internal errors only. --- src/event/ngx_event_quic.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c index 1962019d5..9ff09cb05 100644 --- a/src/event/ngx_event_quic.c +++ b/src/event/ngx_event_quic.c @@ -1479,7 +1479,7 @@ bad_token: qc->error = NGX_QUIC_ERR_INVALID_TOKEN; qc->error_reason = "invalid_token"; - return NGX_ERROR; + return NGX_DECLINED; } @@ -2104,8 +2104,19 @@ ngx_quic_process_packet(ngx_connection_t *c, ngx_quic_conf_t *conf, } if (pkt->token.len) { - if (ngx_quic_validate_token(c, pkt) != NGX_OK) { + rc = ngx_quic_validate_token(c, pkt); + + if (rc == NGX_OK) { + qc->validated = 1; + + } else if (rc == NGX_ERROR) { return NGX_ERROR; + + } else { + /* NGX_DECLINED */ + if (conf->retry) { + return ngx_quic_send_retry(c); + } } } else if (conf->retry) {