Merge 50c618c into 69b96b1

rustls/src/error.rs

@@ -73,6 +73,9 @@ pub enum TLSError {
 
     /// The peer sent an oversized record/fragment.
     PeerSentOversizedRecord,
+
+    /// An incoming connection did not support any known application protocol.
+    NoApplicationProtocol,
 }
 
 fn join<T: fmt::Debug>(items: &[T]) -> String {
@@ -137,6 +140,7 @@ impl Error for TLSError {
             TLSError::InvalidDNSName(_) => "invalid DNS name",
             TLSError::HandshakeNotComplete => "handshake not complete",
             TLSError::PeerSentOversizedRecord => "peer sent excess record size",
+            TLSError::NoApplicationProtocol => "peer doesn't support any known protocol",
         }
     }
 }
@@ -172,7 +176,8 @@ mod tests {
                        TLSError::FailedToGetCurrentTime,
                        TLSError::InvalidDNSName("dns something".to_string()),
                        TLSError::HandshakeNotComplete,
-                       TLSError::PeerSentOversizedRecord];
+                       TLSError::PeerSentOversizedRecord,
+                       TLSError::NoApplicationProtocol];
 
         for err in all {
             println!("{:?}:", err);

rustls/src/server/hs.rs

@@ -168,6 +168,14 @@ impl ExtensionProcessing {
             if let Some(ref selected_protocol) = sess.alpn_protocol {
                 debug!("Chosen ALPN protocol {:?}", selected_protocol);
                 self.exts.push(ServerExtension::make_alpn(&[selected_protocol]));
+            } else {
+                // For compatibility, strict ALPN validation is not employed unless targeting QUIC
+                #[cfg(feature = "quic")] {
+                    if sess.common.protocol == Protocol::Quic && !our_protocols.is_empty() {
+                        sess.common.send_fatal_alert(AlertDescription::NoApplicationProtocol);
+                        return Err(TLSError::NoApplicationProtocol);
+                    }
+                }
             }
         }