From: Matt Caswell
Date: Wed, 29 Mar 2023 15:25:00 +0000 (+0100)
Subject: Make sure we can query the SSL object for version info when using QUIC
X-Git-Tag: openssl-3.2.0-alpha1~1033
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=50769b15ea76123406b5ccebe85b2402e64e9fc6;p=thirdparty%2Fopenssl.git

Make sure we can query the SSL object for version info when using QUIC

We have the existing functions SSL_version(), SSL_get_version() and SSL_is_dtls(). We extend the first two to return something sensible when using QUIC. We additionally provide the new functions SSL_is_tls() and SSL_is_quic() to provide a mechanism to figure out what protocol we are using.

Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/20650)
---
diff --git a/include/openssl/prov_ssl.h b/include/openssl/prov_ssl.h
index d3e0896c8e6..b120ca4be47 100644
--- a/include/openssl/prov_ssl.h
+++ b/include/openssl/prov_ssl.h
@@ -19,6 +19,7 @@ extern "C" {
 # define SSL_MAX_MASTER_KEY_LENGTH 48
+/* SSL/TLS uses a 2 byte unsigned version number */
 # define SSL3_VERSION 0x0300
 # define TLS1_VERSION 0x0301
 # define TLS1_1_VERSION 0x0302
@@ -28,6 +29,9 @@ extern "C" {
 # define DTLS1_2_VERSION 0xFEFD
 # define DTLS1_BAD_VER 0x0100
+/* QUIC uses a 4 byte unsigned version number */
+# define OSSL_QUIC1_VERSION 0x0000001
+
 # ifdef __cplusplus
 }
 # endif
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 5cf6b319dc4..38dc3e51720 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -1798,6 +1798,8 @@ __owur int SSL_CTX_set_session_id_context(SSL_CTX *ctx,
 SSL *SSL_new(SSL_CTX *ctx);
 int SSL_up_ref(SSL *s);
 int SSL_is_dtls(const SSL *s);
+int SSL_is_tls(const SSL *s);
+int SSL_is_quic(const SSL *s);
 __owur int SSL_set_session_id_context(SSL *ssl,
 const unsigned char *sid_ctx,
 unsigned int sid_ctx_len);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index efd89cf461a..eac7fd659e4 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
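Review bot: `# define OSSL_QUIC1_VERSION 0x0000001` is written with seven hex digits directly under the new comment saying QUIC uses a 4 byte unsigned version number, so the literal does not visually match the width the comment describes and a reader may suspect a dropped digit. Writing it as `# define OSSL_QUIC1_VERSION 0x00000001` keeps the value (1, QUIC version 1) and makes the width explicit. The two-byte TLS/DTLS constants in the same header already follow that convention with four digits each.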
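Review bot: SSL_is_tls() and SSL_is_quic() are added to the public header here and to util/libssl.num, but this diff contains no doc/man3 change, so the new API is undocumented unless the page covering SSL_is_dtls() is updated separately. The description should state that for any given SSL object at most one of SSL_is_tls(), SSL_is_dtls() and SSL_is_quic() returns 1, that all three return 0 for an object that is neither a QUIC object nor a connection (the `sc == NULL` path in ssl_lib.c), and that SSL_is_quic() always returns 0 in an OPENSSL_NO_QUIC build. The same page is the natural place to say that SSL_version() returns OSSL_QUIC1_VERSION and SSL_get_version() returns "QUICv1" for QUIC objects, since this commit changes those too.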
@@ -928,12 +928,41 @@ int SSL_is_dtls(const SSL *s)
 {
 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+#ifndef OPENSSL_NO_QUIC
+ if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_STREAM)
+ return 0;
+#endif
+
 if (sc == NULL)
 return 0;
 return SSL_CONNECTION_IS_DTLS(sc) ? 1 : 0;
 }
+int SSL_is_tls(const SSL *s)
+{
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+#ifndef OPENSSL_NO_QUIC
+ if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_STREAM)
+ return 0;
+#endif
+
+ if (sc == NULL)
+ return 0;
+
+ return SSL_CONNECTION_IS_DTLS(sc) ? 0 : 1;
+}
+
+int SSL_is_quic(const SSL *s)
+{
+#ifndef OPENSSL_NO_QUIC
+ if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_STREAM)
+ return 1;
+#endif
+ return 0;
+}
+
 int SSL_up_ref(SSL *s)
 {
 int i;
@@ -4741,6 +4770,12 @@ const char *SSL_get_version(const SSL *s)
 {
 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
+#ifndef OPENSSL_NO_QUIC
+ /* We only support QUICv1 - so if its QUIC its QUICv1 */
+ if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_STREAM)
+ return "QUICv1";
+#endif
+
 if (sc == NULL)
 return NULL;
@@ -5077,6 +5112,11 @@ int SSL_version(const SSL *s)
 {
 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
+#ifndef OPENSSL_NO_QUIC
+ /* We only support QUICv1 - so if its QUIC its QUICv1 */
+ if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_STREAM)
+ return OSSL_QUIC1_VERSION;
+#endif
 /* TODO(QUIC): Do we want to report QUIC version this way instead? */
 if (sc == NULL)
 return 0;
diff --git a/util/libssl.num b/util/libssl.num
index 6bb916d63e5..6e60aa8e938 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -558,3 +558,5 @@ SSL_get_negotiated_client_cert_type ? 3_2_0 EXIST::FUNCTION:
 SSL_get_negotiated_server_cert_type ? 3_2_0 EXIST::FUNCTION:
 SSL_add_expected_rpk ? 3_2_0 EXIST::FUNCTION:
 d2i_SSL_SESSION_ex ? 3_2_0 EXIST::FUNCTION:
+SSL_is_tls ? 3_2_0 EXIST::FUNCTION:
+SSL_is_quic ? 3_2_0 EXIST::FUNCTION:
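Review bot: The predicate `s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_STREAM` is spelled out three times in this hunk and again in the SSL_get_version() and SSL_version() hunks below, even though the new SSL_is_quic() exists precisely to encapsulate it. SSL_is_dtls() and SSL_is_tls() could instead open with `if (SSL_is_quic(s)) return 0;` and the two version getters with `if (SSL_is_quic(s))`, which also removes the per-function `#ifndef OPENSSL_NO_QUIC` guards because SSL_is_quic() already returns 0 in that configuration; assuming ssl_lib.c includes the generated ssl.h, the prototype added in this commit makes the call resolve regardless of definition order in this file. The two new functions also lack a header comment; something like `/* Returns 1 if s is a QUIC connection or stream object, 0 otherwise (always 0 when built with OPENSSL_NO_QUIC) */` on SSL_is_quic() and matching TLS wording on SSL_is_tls() would document the contract at the definition.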
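Review bot: The new comment `/* We only support QUICv1 - so if its QUIC its QUICv1 */` uses "its" twice where "it's" is meant, and the same text is duplicated in the SSL_version() hunk below; `/* Only QUICv1 is supported, so any QUIC object reports QUICv1 */` reads cleanly in both places. The rest of SSL_get_version() is outside the hunk, so whether "QUICv1" follows the naming pattern of the TLS/DTLS strings it returns cannot be confirmed from here.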
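Review bot: The retained context line `/* TODO(QUIC): Do we want to report QUIC version this way instead? */` now sits immediately below a new block that does report OSSL_QUIC1_VERSION for QUIC objects, so the TODO reads as an open question the hunk has already answered and should be dropped or reworded, e.g. `/* Not a QUIC object: report the TLS/DTLS protocol version of the connection */`. Separately, SSL_version() returns int while the prov_ssl.h hunk describes QUIC versions as 4 byte unsigned values; that is harmless for OSSL_QUIC1_VERSION (1), but a future version constant with the top bit set would not fit an int cleanly, which may be worth a short comment on the return so the limitation is visible when another version is added. The remainder of SSL_version() lies outside the hunk.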