To disable client address validation on a listener SSL object, the flag
B<SSL_LISTENER_FLAG_NO_VALIDATE> may be passed in the flags field of both
-SSL_new_listener() and SSL_new_listener_from().
+SSL_new_listener() and SSL_new_listener_from(). Note that this flag only
+impacts the sending of retry frames for server address validation. Tokens may
+still be communicated from the server via NEW_TOKEN frames, which will still
+be validated on receipt in future connections.
The SSL_new_from_listener() creates a client connection under a given listener
SSL object. For QUIC, it is also possible to use SSL_new_from_listener() in
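Review bot: The added sentence says "retry frames for server address validation", which is imprecise on two counts: in QUIC a Retry is a packet type, not a frame, and the address being validated is the client's, as the unchanged sentence just above ("client address validation") already says. Suggest "only impacts the sending of Retry packets for client address validation". The closing clause is also ambiguous: "which will still be validated on receipt" reads as if it applies to NEW_TOKEN frames; it should say it is the tokens that are validated when a client presents them on a later connection. It would also help readers to state what happens to a connection attempt whose token fails that validation when SSL_LISTENER_FLAG_NO_VALIDATE is set.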
* states in TCP. If we reach certain threshold, then we want to
* validate clients.
*/
- if (port->validate_addr == 1) {
- if (hdr.token == NULL) {
- port_send_retry(port, &e->peer, &hdr);
- goto undesirable;
- } else if (port_validate_token(&hdr, port, &e->peer,
- &odcid, &scid) == 0) {
+ if (port->validate_addr == 1 && hdr.token == NULL) {
+ port_send_retry(port, &e->peer, &hdr);
+ goto undesirable;
+ }
+
+ /*
+ * Note, even if we don't enforce the sending of retry frames for
+ * server address validation, we may still get a token if we sent
+ * a NEW_TOKEN frame during a prior connection, which we should still
+ * validate here
+ */
+ if (hdr.token != NULL) {
+ if (port_validate_token(&hdr, port, &e->peer,
+ &odcid, &scid) == 0)
goto undesirable;
- }
}
port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id,
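Review bot: With the token check moved out of the `port->validate_addr == 1` branch, a listener that has validation disabled now takes `goto undesirable` for any Initial whose token fails port_validate_token(), where previously the token was ignored on that path. A client holding a stale NEW_TOKEN token would therefore have its Initial discarded by a server that never asked for validation. RFC 9000 section 8.1.3 recommends that a server receiving an invalid NEW_TOKEN token proceed as if the client had no validated address, so consider falling through to the tokenless handling when the token does not validate and `validate_addr` is 0, or state in the comment that the drop is intentional. A test covering validate_addr == 0 with a valid token, an invalid token, and no token would pin the behaviour down. Minor: the new comment repeats "retry frames" (Retry is a packet) and "server address validation", and is missing its final period.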