Add a public flag to disable address validation on listeners

Now that we have the infrastructure to skip address validation, add a
public flag to SSL_new_listener and SSL_new_listener_from to allow the
skipping of address validation on selected quic listener SSL objects

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26114)

diff --git a/doc/man3/SSL_new_listener.pod b/doc/man3/SSL_new_listener.pod
index 517df82a0fb70b3a52196df99cb9905b5cc8e478..dfcacfc842bc2f8a5768426c8aeab0270fe94f93 100644 (file)
--- a/doc/man3/SSL_new_listener.pod
+++ b/doc/man3/SSL_new_listener.pod
@@ -163,6 +163,10 @@ Calling SSL_accept_connection() is an error and will return NULL. One or more
 outgoing connections under a listener can then be created using the call
 SSL_new_from_listener().
 
+To disable client address validation on a listener SSL object, the flag
+B<SSL_LISTENER_FLAG_NO_VALIDATE> may be passed in the flags field of both
+SSL_new_listener() and SSL_new_listener_from(). 
+
 The SSL_new_from_listener() creates a client connection under a given listener
 SSL object. For QUIC, it is also possible to use SSL_new_from_listener() in
 conjunction with a listener which does accept incoming connections (i.e., which

diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 72731ea7a5aacbb1b153b4dbe6c9c35ed839f4cc..9a69f62545f49204a70b97defe29f709cb608da0 100644 (file)
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -2305,6 +2305,7 @@ __owur int SSL_is_connection(SSL *s);
 __owur int SSL_is_listener(SSL *ssl);
 __owur SSL *SSL_get0_listener(SSL *s);
 #define SSL_LISTENER_FLAG_NO_ACCEPT     (1UL << 0)
+#define SSL_LISTENER_FLAG_NO_VALIDATE   (1UL << 1)
 __owur SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags);
 __owur SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags);
 __owur SSL *SSL_new_from_listener(SSL *ssl, uint64_t flags);

diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index ee360969998c9ed5fab3db6ab38f4be02d3ffe32..e8b0888bcad00636c2547199cff2b30f56c7cb5e 100644 (file)
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -4233,6 +4233,8 @@ SSL *ossl_quic_new_listener(SSL_CTX *ctx, uint64_t flags)
 
     port_args.channel_ctx       = ctx;
     port_args.is_multi_conn     = 1;
+    if ((flags & SSL_LISTENER_FLAG_NO_VALIDATE) == 0)
+        port_args.do_addr_validation = 1;
     ql->port = ossl_quic_engine_create_port(ql->engine, &port_args);
     if (ql->port == NULL) {
         QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
@@ -4286,6 +4288,8 @@ SSL *ossl_quic_new_listener_from(SSL *ssl, uint64_t flags)
 
     port_args.channel_ctx       = ssl->ctx;
     port_args.is_multi_conn     = 1;
+    if ((flags & SSL_LISTENER_FLAG_NO_VALIDATE) == 0)
+        port_args.do_addr_validation = 1;
     ql->port = ossl_quic_engine_create_port(ctx.qd->engine, &port_args);
     if (ql->port == NULL) {
         QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);

diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
index 43c5417eba78c37d5101589be8793f2a33214ce7..a17eeef096ce070a1a4b90bb2986cccbf56971fd 100644 (file)
--- a/ssl/quic/quic_tserver.c
+++ b/ssl/quic/quic_tserver.c
@@ -128,7 +128,7 @@ QUIC_TSERVER *ossl_quic_tserver_new(const QUIC_TSERVER_ARGS *args,
 
     port_args.channel_ctx       = srv->ctx;
     port_args.is_multi_conn     = 1;
-
+    port_args.do_addr_validation = 1;
     if ((srv->port = ossl_quic_engine_create_port(srv->engine, &port_args)) == NULL)
         goto err;