Add quic port flag to turn off address validation
authorNeil Horman <nhorman@openssl.org>
Tue, 3 Dec 2024 21:52:55 +0000 (16:52 -0500)
committerNeil Horman <nhorman@openssl.org>
Mon, 17 Feb 2025 16:27:33 +0000 (11:27 -0500)
Give us the infrastructure to skip addr validation on the server

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26114)

include/internal/quic_port.h
ssl/quic/quic_port.c
ssl/quic/quic_port_local.h

index 48a2ecfa09c681ac3bfd944262dc563f469ccf3c..4229cc25be37f5d5c9b2b5d2bfcaccf1528af749 100644 (file)
@@ -54,6 +54,11 @@ typedef struct quic_port_args_st {
      * for a single connection, so a zero-length local CID can be used.
      */
     int             is_multi_conn;
+
+    /*
+     * if 1, this port should do server address validation
+     */
+    int             do_addr_validation;
 } QUIC_PORT_ARGS;
 
 /* Only QUIC_ENGINE should use this function. */
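Review bot: The comment on `do_addr_validation` does not say what 0 means, and 0 is what any caller that zero-initialises QUIC_PORT_ARGS will pass. The packet-handler hunk in ssl/quic/quic_port.c shows the Retry/token check was unconditional before this commit, so with only the three files listed here changed, ports appear to lose address validation unless a caller outside this commit sets the flag. I would state the default and its consequence in the field comment, e.g. `/* 1: new peers must present a valid Retry token before a channel is bound. 0 (the zero-initialised default): address validation is skipped. */`.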
index 073a4e8add4553ad9a12e5f09abcf80763338b0e..c2b1bee7b483c34ac837bfcc409f43031e7ec731 100644 (file)
@@ -84,6 +84,7 @@ QUIC_PORT *ossl_quic_port_new(const QUIC_PORT_ARGS *args)
     port->engine        = args->engine;
     port->channel_ctx   = args->channel_ctx;
     port->is_multi_conn = args->is_multi_conn;
+    port->validate_addr = args->do_addr_validation;
 
     if (!port_init(port)) {
         OPENSSL_free(port);
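Review bot: `port->validate_addr = args->do_addr_validation;` stores an `int` into what ssl/quic/quic_port_local.h declares as a 1-bit unsigned field, so only the low bit survives: a caller passing 2, or any other even non-zero value, ends up with validation silently off. Normalising at the assignment avoids that, `port->validate_addr = args->do_addr_validation != 0;`. The neighbouring `is_multi_conn` assignment has the same shape, so this may be the file's convention, but for a flag that gates a security check it seems safer to fail towards "on". ossl_quic_port_new starts and ends outside the hunk.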
@@ -1196,11 +1197,14 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg,
      * states in TCP. If we reach certain threshold, then we want to
      * validate clients.
      */
-    if (hdr.token == NULL) {
-        port_send_retry(port, &e->peer, &hdr);
-        goto undesirable;
-    } else if (port_validate_token(&hdr, port, &e->peer, &odcid, &scid) != 1) {
-        goto undesirable;
+    if (port->validate_addr == 1) {
+        if (hdr.token == NULL) {
+            port_send_retry(port, &e->peer, &hdr);
+            goto undesirable;
+        } else if (port_validate_token(&hdr, port, &e->peer,
+                                       &odcid, &scid) == 0) {
+            goto undesirable;
+        }
     }
 
     port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id,
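Review bot: The token check changed from `!= 1` to `== 0`, so any return from port_validate_token other than 0 (including a negative error code, if that function can produce one) is now accepted as a valid token. port_validate_token is not visible here; unless its contract is strictly 0/1, keeping `!= 1` preserves the previous fail-closed behaviour. Separately, when `port->validate_addr` is 0 the call that received `&odcid` and `&scid` is skipped while `port_bind_channel(port, &e->peer, &scid, ...)` still reads `scid`; where those are initialised is outside the hunk and should be confirmed for the no-validation path. The handler's body starts and ends outside the hunk.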
index 0b954d6d1cc995790ac7c3d3b0451cfce39cfa30..a60ad00dd3d7cd00b2a4699eecaa3745cf1e4376 100644 (file)
@@ -92,6 +92,9 @@ struct quic_port_st {
     /* Is this port created to support multiple connections? */
     unsigned int                    is_multi_conn                   : 1;
 
+    /* Is this port doing server address validation */
+    unsigned int                    validate_addr                   : 1;
+
     /* Has this port sent any packet of any kind yet? */
     unsigned int                    have_sent_any_pkt               : 1;