authorSergey Kandaurov <pluknet@nginx.com>2020-11-02 17:38:11 +0000
committerSergey Kandaurov <pluknet@nginx.com>2020-11-02 17:38:11 +0000
commit609af6e31d5a74b4a59f2b769fe75b2ab736433e (patch)
tree8d115632f5f2092d8dff64872443f4362469a892
parent0aef8438f4d0c49351205f4e32fd9237b5494064 (diff)
QUIC: fixed address validation issues in a new connection.
The client address validation didn't complete with a valid token, which was broken after packet processing refactoring in d0d3fc0697a0. An invalid or expired token was treated as a connection error. Now we proceed as outlined in draft-ietf-quic-transport-32, section 8.1.3 "Address Validation for Future Connections" below, which is unlike validating the client address using Retry packets. When a server receives an Initial packet with an address validation token, it MUST attempt to validate the token, unless it has already completed address validation. If the token is invalid then the server SHOULD proceed as if the client did not have a validated address, including potentially sending a Retry. The connection is now closed in this case on internal errors only.
-rw-r--r--src/event/ngx_event_quic.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c
index 1962019d5..9ff09cb05 100644
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -1479,7 +1479,7 @@ bad_token:
qc->error = NGX_QUIC_ERR_INVALID_TOKEN;
qc->error_reason = "invalid_token";
- return NGX_ERROR;
+ return NGX_DECLINED;
}
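Review bot: The `bad_token:` path still records `qc->error = NGX_QUIC_ERR_INVALID_TOKEN;` and `qc->error_reason = "invalid_token";` although it now returns NGX_DECLINED, which the caller in the second hunk treats as non-fatal (send a Retry, or proceed as if the address were unvalidated) without clearing either field. If qc->error is consumed by a later close path — not verifiable from these lines — a connection that recovered from a bad token could later report INVALID_TOKEN for an unrelated reason. Either move the two assignments to the caller branch that actually closes the connection, or reset them on the NGX_DECLINED branch in ngx_quic_process_packet. Since the return value is now tri-state, a comment at the label would help, e.g. `/* bad or expired token: not fatal, caller treats NGX_DECLINED as "address not validated" (draft-32, 8.1.3) */`. The body of ngx_quic_validate_token begins above this hunk.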
@@ -2104,8 +2104,19 @@ ngx_quic_process_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
}
if (pkt->token.len) {
- if (ngx_quic_validate_token(c, pkt) != NGX_OK) {
+ rc = ngx_quic_validate_token(c, pkt);
+
+ if (rc == NGX_OK) {
+ qc->validated = 1;
+
+ } else if (rc == NGX_ERROR) {
return NGX_ERROR;
+
+ } else {
+ /* NGX_DECLINED */
+ if (conf->retry) {
+ return ngx_quic_send_retry(c);
+ }
}
} else if (conf->retry) {