nghttpx: Fail h3 connection attempt if no ALPN is negotiated

2021-09-26 15:32:44 +09:00 · 2021-09-26 15:32:44 +09:00 · 886dc93f18
parent 407df2822e
commit 886dc93f18
4 changed files with 20 additions and 2 deletions
--- a/src/shrpx_client_handler.cc
+++ b/src/shrpx_client_handler.cc
@ -517,7 +517,6 @@ void ClientHandler::setup_upstream_io_callback() {
 void ClientHandler::setup_http3_upstream(
    std::unique_ptr<Http3Upstream> &&upstream) {
  upstream_ = std::move(upstream);
-  alpn_ = StringRef::from_lit("h3");
  write_ = &ClientHandler::write_quic;

  auto config = get_config();
@ -1599,4 +1598,13 @@ StringRef ClientHandler::get_alpn() const { return alpn_; }

 BlockAllocator &ClientHandler::get_block_allocator() { return balloc_; }

+void ClientHandler::set_alpn_from_conn() {
+  const unsigned char *alpn;
+  unsigned int alpnlen;
+
+  SSL_get0_alpn_selected(conn_.tls.ssl, &alpn, &alpnlen);
+
+  alpn_ = make_string_ref(balloc_, StringRef{alpn, alpnlen});
+}
+
 } // namespace shrpx
--- a/src/shrpx_client_handler.h
+++ b/src/shrpx_client_handler.h
@ -187,6 +187,8 @@ public:

  BlockAllocator &get_block_allocator();

+  void set_alpn_from_conn();
+
 private:
  // Allocator to allocate memory for connection-wide objects.  Make
  // sure that the allocations must be bounded, and not proportional
--- a/src/shrpx_http3_upstream.cc
+++ b/src/shrpx_http3_upstream.cc
@ -479,6 +479,14 @@ int handshake_completed(ngtcp2_conn *conn, void *user_data) {
 } // namespace

 int Http3Upstream::handshake_completed() {
+  handler_->set_alpn_from_conn();
+
+  auto alpn = handler_->get_alpn();
+  if (alpn.empty()) {
+    ULOG(ERROR, this) << "NO ALPN was negotiated";
+    return -1;
+  }
+
  std::array<uint8_t, NGTCP2_CRYPTO_MAX_REGULAR_TOKENLEN> token;
  size_t tokenlen;

--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@ -719,7 +719,7 @@ int quic_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
    p += 1 + proto_len;
  }

-  return SSL_TLSEXT_ERR_NOACK;
+  return SSL_TLSEXT_ERR_ALERT_FATAL;
 }
 } // namespace
 #  endif // OPENSSL_VERSION_NUMBER >= 0x10002000L